Re:Everything bad for you is good for you again
on
Drink Decaf and Die
·
· Score: 1
the French (yes, we hate them, yawn)
Why do you hate the French? I'm assuming you're American here but the French are one of your most important allies.
They gave you the Statue of Liberty as a present, they helped you defeat us (the British) to build an independant state, you've stood shoulder to shoulder with them while you fought two World War with them and they gave you tremendous support throughout the Cold War.
If you're pissed off because they didn't support the ill-fated invasion of Iraq then you need to take a reality check. France is the western world's friend; A good, honest friend at that. It is a sign of a true friend when they stand up to you when they think your doing something stupid and tell you what they think. France did exactly this and the American's ostracise them for it.
France had more courage then our Prime Minister who followed Bush blindly in to a unwinnable conflict. I salute the French for showing excellent judgement once again.
Let me get this straight. One company decides what is malware and what isn't. Ask yourself this, would Sony's rootkit have been considered a safe download? I think you'd find the answer is yes. This isn't an objective panel of experts deciding what is safe or what isn't, it's a company and this inherently flawed.
I find it hard to believe that any company, regardless of their otherwise good intentions, would refuse money from a company as Sony. In short, it may work in stoping the small spyware vendor but this is not nearly enough.
What we need is a law that makes research a defence to copyright infringement. It's important that malware authors can't use the force of the law to hide. Hopefully a judge will do the right thing an establish case law in this area that defends us from this scum.
Throughout history, this has always been the way. Can't stop people stealing in droves? Make stealing punishable by death. Can't stop people blasphemy? Mak the crime punishable by death!
It is a natural reaction to make the laws tougher when people start to defy the law in droves but I urge people to ignore that reflex because often it is more instructive to look at root causes. Why do people pirate? Because the CDs are overpriced. Your average individual actually prefers the boxed CD to an MP3 but is not prepared to spend £15 on it. If you priced your CDs to reflect this desire then you could reverse the decline in CD sales.
Often, real change does not come from politics but from the sound of a million feet. Politicans still believe that people want the artist to be compensated to the tune of £15 for a crappy manufactured album. The people do not. In the end the people will win; they always do. The question is how much political capital are they willing to spend fighting this change?
The Internet has changed everything. I was working a project for a band a fairly high profile band in the UK who have totally ditched their record label in favour of a web-based approach. I can't blame them! Why get 1% of the CD record sales when I can get 100% and make more money than the labels were are paying?
Another thing, They REFUSED to use DRM. Saying that DRM protects the artist is rubbish. It protects the label's reveune stream, that's all. This band understands the internet. They're saying they want you to copy because it's a bonus to them just to get heard by that one new fan. That one new fan might spend £50 on a ticket to see you at a concert. They may even by the tracks off the site just to support you. It builds loyalty when you trust your fans rather than hold them in contempt.
The future is just getting started and we're about to see the big labels get their wing clipped.
Generally they try to capture a complete computer containing all the algos used for the steganography. That way they don't have to search for a needle in a haystack.
It's a bit like the code devices of WWII. It was always easier to capture a code machine than try to brute force the code itself
This is actually wrong. Kirchoff's principle applies as equally to steganography as it does to cryptography; even with completly knowledge of the algorithm it should be computationally infeasible to determine a secret message is implanted in the cover text.
He's alive and well as far as I know. I saw him at Toorcon this year, but didn't speak to him.. (He was a speaker and gave a good talk on Reverse Engineering)
I know that he has a new job and I while I obviously can't speak for him, I got the impression that he felt as if he did his duty the security community. As an amateur member of that community, I'd thought that he put principle before pay and deserves our respect.
Simon.
Transformation through OSS
on
Pepping Up Windows
·
· Score: 5, Insightful
Don't forget UnixTools, GVim, Password Safe, Paint.NET, Cruise Control, Subversion the list goes on to infinity. This is a bitter-sweet pill. It's great that OSS is making the Windows platform so rich, it bad that it's creating inertia to change platform entirely.
I'd have switched to Linux a long time ago if the application stack for Windows hadn't been so greatly improved by the army of budding OSS developers. Progress is being made though. I'll never use Microsoft Office again now that I've fallen in love with Open Office 2.0.
It's no so much Open Office that made my mind up, it's the fact that we've got OpenDocument. OpenDocument is far more important that anyone really realises right now. Why is it important? Well, I used to work for a company that wanted a web based way of doing sales quotes. The problem is that you need a nice document at the end where they can enter a bunch of text so that it feels tailored to that particular contract.
With Word this involved a bunch of mailmerging with the horrible Telemagic database with a bunch of Macros to create the document. With OpenDocument I can generate the base document itself from the database using any language of my choice. I can even add my own XML namespace so I can denote sections of the document that were generated automatically and those that were added by the user.
The power of OpenDocument is not just in the ability to switch Office suites although that is obviously nice. It's in the ability for application developers to author and manipulate documents in powerful ways that simply aren't possible with macros or mail-merges.
OSS, through it's openness, is threatening to transform computing just like the PC transformed business. It's fucking awesome.
In other news, Microsoft said today that: "Anbody who doesn't buy Microsoft Office is more likely to commit arson or criminal damage".. I mean seriously.. The Canadian record industry telling us that making infringing copies of their music is bad for society is... well.. not exactly news now is it?
Let the market decide? Oh give me a freaking break. There is no market, not in the free market economics sense of the word anyway.
I can buy petrol, gas, cars, PCs, coal, condoms or even a blowjob from any number of suppliers. This competition drives down prices and
forces companies to compete on quality and price. Copyright guarentees as monopoly on your product. If I want to buy the latest white-stripes
album I can only buy it from one label: V2 Records. Sure I can go to different stores to try and hunt down a lower prices but V2 set the price.
The consumer only has one choice: buy it, or don't buy it. In a real free market economy the consumer has a third, more powerful option, to find a cheaper supplier.
This is terrible for the consumer and almost always leads to disproportionate prices. Rather than supply and demand setting the price of the music, V2 can simply mandate it and then
it will be so. The market becomes distorted and everybody loses except the labels. There's this idea that the artist somehow needs to be compensated for his work and that's fine but why not do it off ticket sales for concerts? I don't see why we need these artists need these government granted monopolies to make money!
But all that enables you to do is replace an MD5'd file with garbage that happens to have the same MD5 sum. It's hard to deliver a payload when you're limited to tricking a target into downloading what would be (essentially) a random string of ones and zeroes.
At Toorcon this year, Dan Kaminsky showed how to generate two valid, nicely rendered, html files with the same hash . Basically, he injects javascript into the page to remove the rubbish at the begining of the file. But how often to do you view the source of a page you're visiting. It'd be hard for a layperson to notice this. Make no mistake about it, the collision attack is very dangerous.
No it is not. The newer hashes, such as Whirlpool, do not have this problem. You're correct in saying this is a "well known result" and every cryptographer worth his salt says that this fact constitutes a break of the algorithm. We've known since the middle of the nineties that breaking MD5 was within reach. The fact there has been so much inertia in getting people to change is quite incredible really.
At Toorcon this year, Dan Kaminsky showed a way to create two different webpages that render properly in a browser but have the same MD5 hash. Anybody who thinks this attack is theortical and ignorable is grossly mistaken.
If you contract your file from x bytes down to a fixed size, no matter what algorithm you use, you will always have collisions.
Unless you start to give your hash keys as the same size as the original file, there is not anything that can be done about it, ever.
While this technical correct it is slightly misleading. The aim of a hash function is to make it has hard as possible to find a collision. For an n-bit has it takes roughly 2^(n/2) operations to find a collision. Any attack faster than this is considered a break of the hash function. It typically takes less than five minutes to break MD5 so it is horribly broken.
While removing the possibility of collision all together is provably impossible you can design a hash function for which finding a collision is computationally infeasible. The standard size to achieve this today is 256-bits and the better designed functions like Whirlpool use this hash length.
The security of a web-browser is in no way related to the number of vulnerabilities found per year.
There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE.
Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability
found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor
metric for security.
This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled
the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true,
what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate
library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher
but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when
in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles
on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that
it is worth making your programs slower to consign buffer overflows to the history book.
For a web-browser on a PC there is really no excuse because we have multi-GHz computers
that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that
the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:
Did you actually compile the program with the switch and profile it against the compiled program without the switch? Was the performance degradation even noticeable?
You may think slowing the program down is unacceptable but is leaving your customers at risk from an easily preventable class of vulnerabities more acceptable?
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Vista (n) -"A distant view or prospect, especially one seen through an opening, as between rows of buildings or trees"
How apt, because I'm struggling to see through the Microsoft PR to see what Vista really is. We had this problem about
five years ago when the marketing team got hold of.NET..NET was mentioned everywhere from in the server family, to Office, to
development tools. When PR gave way to reality,.NET was a only a development tool and was really just Microsoft's (good) answer to Java. Nothing
like the revolution the PR machine would have you believe.
They question is whether Windows Vista going to solve a problem for me? The one thing that made XP a solution to my family was the welcome screen.
Once they could select their username from a list that made it possible to give each family member an individual and run them
in low privileged accounts. This has turned the family computer maintainence problem from a daily hastle to a once in a year activity.
What is Vista going to give me to make my job any easier? The only thing I would have bought Vista for is IE7 because of its nice anti-phishing features
but this is going to be available in XP too. Even if this was ever a reason to upgrade, Firefox will likely have these features too in the next
couple of months negating the need for Vista.
Feature after feature has been culled from Vista. We've got all these security "enhancements" in it but I can achieve the same in XP by following the
NSA's Hardening Guide. Okay, this same level of hardening may be easier
for the laymen to achieve in Vista but the layman doesn't care about security. When his PC fucks up due to a huge malware problem he just buys
a new computer.
The man off the street does not need vista. In fact the man on the street doesn't even need XP. There are plenty of people still using Windows 98 and having a good time. Lord knows how they keep malware
off their machine but they do it.
And what about business. WinFS might have been useful, but it was cut. Monad might have been useful, but it was cut too. They've wasted time with Maestro when the open, widely deployed PDF format already exists.
A reorganisation of Microsoft will not help these problems and I suspect the PR team will not save them from interia this time..
This last area is very important. We know the theory of writing secure computer programs. We are close to knowing how to create provably secure computer systems (some would argue we can--e.g. EROS). The big hurdles left are writing usable, managable, provably secure systems, and the user.
It may be possible to establish "limited" proofs of security which are tightly defines in small areas but a provably
secure operating system is impossible. It's impossible on so many levels that I expect that Alan Cox doesn't understand the
issues deeply enough.
There are a number of problems with creating a secure operating system. One is the amount of code it takes.
You can't create a security proof on huge volumes on code. Hundreds of lines? probably. Thousands of line.. maybe..
hundred of thousands? no chance.
The next problem is that we haven't figured out a way to make security modularise. You can't say "method 1 is secure, method 2
is secure therefore using method 1 after method 2 is secure. It just doesn't work like this. You can put two secure pieces of code
and get insecurity. This means you have to treat the whole operating system as one huge program all of which needs to be proven secure.
The third problem is that even you establish a proof of security this still isn't enough. Your proof is based on some formalisation of the language but the compiler itself might be buggy (either by accident or on purpose) and might compile in a way that breaks your proof. Ouch!
cuO
Too often we strive to absolutes in security. Security is not binary. It is not a zero or one but a complex set of trade-offs and risk mitigation.
No, this should not be attempted. Not now, not ever. Weather has one of the key properties of a chaos: Sensative dependance
on initial conditions. This property gives rise to the proveriable butterfly flapping it's wings in China could cause a hurricane
in the US. People make the mistake of thinking that if we could just introduce a tiny change to counteract the butterflies
wings we could easily avoid the hurricane. This is wrong headed. Sure, me breathing on my keyboard right now may well stop a
hurricane occuring in the US but I have no way of knowing this. The same errors that make weather prediction so difficult
also apply to weather prevention. You can't really predict how your changes will effect the weather any longer than a few days
in to the future and this makes it essentially useless.
That's not all. Think of the political implications. Say the US was unable to stop a hurricane but could divert it in
to Mexico instead. This could be considered an act of war. A hurricane's energy is equal to detonating a low yield nuclear war head every
second for hours on end. Diverting this incredible destructive energy to impact on another country would almost certainly lead to war.
Finally, hurricanes occur naturally. Even the strong ones, like Katrina, are a neccessary saftey valve on global climate.
If you could in principle dissipate the energy of a strong hurricane that energy has to go somewhere and I bet it stays in the
Atmosphere. It's like the fire safety camapaigns in the states where they put out forest fires all through the 60-80s. Eventually,
there was so much debris on the forest flaw that when it inevitably caught fire we got huge "superfires" that were very difficult
to put out and damaged a lot of property. I would conjecture that if we did somehow manage to stop hurricanes, eventually, we'd get a super
hurricane of incredible strength that releases all that unspent energy. Not a nice prospect..
Which is fastest for comparing two strings (ignoring case):
string1.ToLower() == string2.ToLower()
string.Compare(string1, string2, true) == 0
Learning the syntax is the easy part. Learning how to use the syntax effectively is a different ball game all together. It's this aspect of coding that takes a lot of time to develop. I agree that once you can program to a high level in one language you can transfer to another much more quickly but it still takes a while to really understand the language. It's this knowledge that can determine the success or faliure of your project.
A degree is an academic certification and as such it should not cover topics simply because they're trendy in CS related jobs at the moment. It should teach a curriculum that gives CS students a good background in a wide range of topics and above all else it should be interesting and set up a good basis for more advanced academic training.
It is not surprising that sometimes what is good course academically is not necessarily a good course from a business standpoint. As a professional programmer I think that CS graduates are typically no better than someone with no degree at all. I understand that this is a pretty damning thing to say considering the majority of slashdotters probably have a CS degree but in reality the CS degree gives you nothing in terms the ability to write good code.
In fact, a CS degree typically makes for a more dangerous coder due to their belief that the few programing projects they did on their course makes them a professional programmer. It also trains the wrong instincts. Academic coding is about producing beautiful programs - business coding is about being pragmatic. Often they have a hard time rejecting these academic instincts.
I liken programming to playing chess. Anybody can learn the game in a day but to become a master takes dedication, a willingness to learn and a lot of time. I've stressed the "lot of time" point because I think this is a key problem with CS students. You get the typical line out of them at an interview "I didn't learn C# in Comp Science but I could learn it in an afternoon.." I'm a young guy (22) and I've been programing professionally for nearly four years and I can tell you that this is simply false. Make no mistake about it, I'm still no coding grand-master and probably wont be for another ten years. When somebody says that they can learn a language in an afternoon it doesn't make me think they're lying, it just makes it blatantly obvious how ignorant they are of intricacies of writing code.
In conclusion.. I think that having a CS degree is no real advantage over having a physics, chemistry or maths degree. What a degree shows you is the person in-front of you applied themselves to a long term project and got a result. The same conclusion can be drawn from a person sat across from me without a degree but three years of experience. Really, both routes are equally valid and I hold neither higher than the other.
Technology changes the balance between victim and attacker. Fact. Occasionally, it is prudent
to create new laws to redress the balance. At first, breaking into a computer wasn't a crime. The laws in
many countries decide (rightfully, imo) to make this an offense.
The problem comes when the law makers don't really think through the consquences of the laws they write. The
start with the assumption that criminals are dumb. Most of the time this is actually a fairly good assumption.
However, it is a mistake to right off all criminals as being stupid. The people behind 9/11 were certainly not dumb and it's these
type of people we are drafting laws to stop.
. The first question a legislator should be asking themselves when faced with a security decision is "How could an attacker
make this law useless". On the subject of wiretapping the first thing that springs to mind is encrypting the connection. How can
you wiretap an encrypted connection? Of course, they could try and use RIPA to get the keys off you but RIPA is badly drafted (as I discuss here) and
can be circumvented easily provided you use a signed Diffie-Helman key exchange to determine the session key.
Give the fact that the law can be dodged completely it only serves to make us all less secure.
It removes a check and balance from our society and opens up to abuses by the Police and other
government organsiations. (As an aside, Law should be drafted in that they should fail in the safest possible way
when being used by a corrupt Police force).
I'll finish this comment with a point I feel is important. In July, fifty or so people were killed by terrorists.
That was the first major terrorist attack since the IRA declared a cease-fire and it was alost the biggest terrorist act
in (recent) British history. As much as it is a tragedy that those lives were lost, is it worth changing the relationship
between citizen and state for the sake of fifty dead? The same can also be said about 9/11 or the madrid bombings. Yes four thousand people were killed
in 9/11 but four times as many die per year in US due to gun fatalities. In terms of a threat to the average citizen of any particular state, the
threat posed by terrorism is right down in the noise level. It is my belief that a greater threat to our liberty is posed by the onerous legislation being passed worldwide than by
terrorism.
I think they deliberately misunderstand the issue. The issue here is not functionality.
Yes opendoc may actually be less functional than the
word-format but guess what Microsoft? I haven't used any of this additional functionality
since 1997 and neither has the US government.
The battle for features is over and what's replaced it is a lot more important. What we have today is a battle of ideology.
Don't you think there's something a little perverse in a government investing huge amounts of tax payers money in creating
all this intellectual property but having made this tremendous investment in time and resources they have to pay a private
corporation to get the tools to access that investment?
To be fair, it's not just Microsoft who are perverse like this. Sage Line 50 is a great example of corporate greed. You pay £800
for the piece of software but lord if you want to insert or update information in a third-party program you need to pay around £1500 a year for
the developer license. It was this that made me wake up to the reality of the situation: Our company is paying nearly a hundred thousand pounds a year
in accountants who enter data in to your software package yet we have to pay you AGAIN to update that data? It's us that paid money to put the
data in there in the first place, why should we have to pay you again just to use it from a homegrown program?
It's this greed that the US government is rejecting. In the early days everbody wanted software to help deliver the tremendous
savings that computers can bring to a business. They would be a license from whatever vendor they would sacrifice much to get it.
Now companies are starting to expect software to deliver a return on investment and they're not willing to tie themselves
in to one company. Having many suppliers after your business drives down prices. This is as true with IT as it is with any other sector.
The way to ensure you can get many suppliers knocking for your business is to make sure it's easy to switch. Open Office might be a pain
at first but the opendoc standard will make it easier to switch. It's a good move in the long run.
Microsoft, Sage or any other company do not have the automatic right to make a
profit. The lesson to Microsoft is simple: you were beaten here not because your product was inferior but because you failed
to allow people to compete with you effectively. The role of a government in a capitalist society is to promote competition not subtract
from it. In this case Massachusetts has done everyone a favour by telling Microsoft that it can cram its vendor-lockin into a bloody big
pipe and smoke it.
It would obviously be a huge evolutionary advantage -- unless there are some pretty grim side effects.
There is a grim side effect: It takes an enormas amount of energy. Growing an entirely new adult leg is probably a bigger job than growing a baby
The amount of energy this takes would put you at a huge disadvantage when there isn't alot of food around. For almost all of human history, famine has never been far away so we're well adapted to cope.
Ever wanted a shave in the shower but your hand-held mirror fogs up? Rather than buying this patented glass you
can resort to a low-tech solution: Rub a little shaving foam over the glass and the wash the excess off so you have a thin, clear,
greasy film on the glass.You'll find that the mirror no longer steams up.
The reason this works is because the greasy film causes much larger drops to coalesce on the mirror than you would
normally get. These larger drops don't refract the light nearly and as a result are essentially transparent.
This simple trick allows me to insure my sideburns are the same length even when under the most horrendous time presure.
See, who says that Physics can't be useful in everyday situations?
Why does a Hydrogen Bomb produce far more energy in the fusion phase than is put in during the fission phase? My only guess is that the extra energy is coming from the energy released by the nuclear bonds during the forceful disintegration of the atom. Any physics majors care to chime in?
Ever wonder why all those protons like to sit happily in the nucleus together even though they're all positively charged? Well it turns out that at REALLY small scales there is a force called (aptly) "the strong nuclear force" which is about a million times as strong as electromagnetism.
The amount of energy it takes to liberate a single nucleon from a nucleus is called the "binding energy per nucleon". . For different elements this value is different. The reason fusion and fission can both release energy is due to change in this binding energy per nucleon from the start of the reaction to the end of the reaction.
If you look at this
graph you will see that at the begining of the graph it rises very steeply. The change from Hydrogen to Helium looks about 10MEV. This energy has to go somewhere and it's released as heat and light.
At around Iron the graph flattens out and then slowly starts to decend. Uranium sits right down at the bottom tail of the graph. Energy is released in fission because the end products sit further up the curve than Uranium.
Per reaction, Uranium fission produces a lot more energy than Hydrogen. Fission release around 250MeV and fusion releases around 17.6MeV. So why do we get so much additional power from a Hygrogen bomb? Well one mole of Uranium weighs 238 grams. In contrast, one mole of hydrogen weighs only 1 gram. The conclusion? We have a lot more hydrogen atoms per unit mass than we do Uranium. This means that we get 17 times more energy per unit kilogram than we do from Uranium . This is the reason the primary power source for the Hydrogen bomb is the Hydrogen and not the Uranium starter charge.
There's a saying that I hear a lot of religious people say: "You reap what you sow". Ironic then that in this case
America gets precisely what it sows. You teach kids that ID is science and you get crappy scientists. You cut the percentage of
GDP spent on RND and you get less nobel prize winners. You ignore the science of economics and you end up with a huge current account deficit
which will take a decade to repay. You ignore the *fact* that human produced carbon dioxide is warming the earth and
you wreck your environment just in time for your grandchildren.
America is at a cross-roads of sorts. It can choose to be the The Christian Republic of America or the
United States of America. It seems as time goes on these options are becoming more and more mutually exclusive. The
religious fanatics are intent on replacing the textbook with the Bible. The atheist fanatics (yes they do exist) are intent
on removing any shred of religion from public life.
The next fifty years are going to be interesting. Will the US continue to train world class scientists
and be a home for the creative? Or will the US sink in to irrevelence through placing religious dogma before pragmatism.
The condom policy in Africa makes me think the latter rather than the former.
Slashdot Mirror
the French (yes, we hate them, yawn)
Why do you hate the French? I'm assuming you're American here but the French are one of your most important allies. They gave you the Statue of Liberty as a present, they helped you defeat us (the British) to build an independant state, you've stood shoulder to shoulder with them while you fought two World War with them and they gave you tremendous support throughout the Cold War.
If you're pissed off because they didn't support the ill-fated invasion of Iraq then you need to take a reality check. France is the western world's friend; A good, honest friend at that. It is a sign of a true friend when they stand up to you when they think your doing something stupid and tell you what they think. France did exactly this and the American's ostracise them for it.
France had more courage then our Prime Minister who followed Bush blindly in to a unwinnable conflict. I salute the French for showing excellent judgement once again.
Simon
Let me get this straight. One company decides what is malware and what isn't. Ask yourself this, would Sony's rootkit have been considered a safe download? I think you'd find the answer is yes. This isn't an objective panel of experts deciding what is safe or what isn't, it's a company and this inherently flawed.
I find it hard to believe that any company, regardless of their otherwise good intentions, would refuse money from a company as Sony. In short, it may work in stoping the small spyware vendor but this is not nearly enough.
Simon.
What we need is a law that makes research a defence to copyright infringement. It's important that malware authors can't use the force of the law to hide. Hopefully a judge will do the right thing an establish case law in this area that defends us from this scum.
Simon.
Throughout history, this has always been the way. Can't stop people stealing in droves? Make stealing punishable by death. Can't stop people blasphemy? Mak the crime punishable by death!
It is a natural reaction to make the laws tougher when people start to defy the law in droves but I urge people to ignore that reflex because often it is more instructive to look at root causes. Why do people pirate? Because the CDs are overpriced. Your average individual actually prefers the boxed CD to an MP3 but is not prepared to spend £15 on it. If you priced your CDs to reflect this desire then you could reverse the decline in CD sales.
Often, real change does not come from politics but from the sound of a million feet. Politicans still believe that people want the artist to be compensated to the tune of £15 for a crappy manufactured album. The people do not. In the end the people will win; they always do. The question is how much political capital are they willing to spend fighting this change?
The Internet has changed everything. I was working a project for a band a fairly high profile band in the UK who have totally ditched their record label in favour of a web-based approach. I can't blame them! Why get 1% of the CD record sales when I can get 100% and make more money than the labels were are paying?
Another thing, They REFUSED to use DRM. Saying that DRM protects the artist is rubbish. It protects the label's reveune stream, that's all. This band understands the internet. They're saying they want you to copy because it's a bonus to them just to get heard by that one new fan. That one new fan might spend £50 on a ticket to see you at a concert. They may even by the tracks off the site just to support you. It builds loyalty when you trust your fans rather than hold them in contempt.
The future is just getting started and we're about to see the big labels get their wing clipped.
Simon.
Generally they try to capture a complete computer containing all the algos used for the steganography. That way they don't have to search for a needle in a haystack. It's a bit like the code devices of WWII. It was always easier to capture a code machine than try to brute force the code itself
This is actually wrong. Kirchoff's principle applies as equally to steganography as it does to cryptography; even with completly knowledge of the algorithm it should be computationally infeasible to determine a secret message is implanted in the cover text.
Secure stegangraphy is truly undetectable.
Simon.
He's alive and well as far as I know. I saw him at Toorcon this year, but didn't speak to him.. (He was a speaker and gave a good talk on Reverse Engineering)
I know that he has a new job and I while I obviously can't speak for him, I got the impression that he felt as if he did his duty the security community. As an amateur member of that community, I'd thought that he put principle before pay and deserves our respect.
Simon.
Don't forget UnixTools, GVim, Password Safe, Paint .NET, Cruise Control, Subversion the list goes on to infinity.
This is a bitter-sweet pill. It's great that OSS is making the Windows platform so rich, it bad that it's creating inertia to change platform entirely.
I'd have switched to Linux a long time ago if the application stack for Windows hadn't been so greatly improved
by the army of budding OSS developers. Progress is being made though. I'll never use Microsoft Office again now that
I've fallen in love with Open Office 2.0.
It's no so much Open Office that made my mind up, it's the fact that we've got OpenDocument. OpenDocument is far more important that anyone really realises right now.
Why is it important? Well, I used to work for a company that wanted a web based way of doing sales quotes. The problem is that you need a nice document at the end where they can enter a bunch of text so that it feels tailored to that particular contract.
With Word this involved a bunch of mailmerging with the horrible Telemagic database with a bunch of Macros to create the document. With OpenDocument I can generate the base document itself from the database using any language of my choice. I can even add my own XML namespace so I can denote sections of the document that
were generated automatically and those that were added by the user.
The power of OpenDocument is not just in the ability to switch Office suites although that is obviously nice. It's in the ability for application developers to author and manipulate documents in powerful ways that simply aren't possible with macros or mail-merges.
OSS, through it's openness, is threatening to transform computing just like the PC transformed business. It's fucking awesome.
Simon.
In other news, Microsoft said today that: "Anbody who doesn't buy Microsoft Office is more likely to commit arson or criminal damage".. I mean seriously.. The Canadian record industry telling us that making infringing copies of their music is bad for society is ... well.. not exactly news now is it?
Simon.
Let the market decide? Oh give me a freaking break. There is no market, not in the free market economics sense of the word anyway. I can buy petrol, gas, cars, PCs, coal, condoms or even a blowjob from any number of suppliers. This competition drives down prices and forces companies to compete on quality and price. Copyright guarentees as monopoly on your product. If I want to buy the latest white-stripes album I can only buy it from one label: V2 Records. Sure I can go to different stores to try and hunt down a lower prices but V2 set the price. The consumer only has one choice: buy it, or don't buy it. In a real free market economy the consumer has a third, more powerful option, to find a cheaper supplier.
This is terrible for the consumer and almost always leads to disproportionate prices. Rather than supply and demand setting the price of the music, V2 can simply mandate it and then it will be so. The market becomes distorted and everybody loses except the labels. There's this idea that the artist somehow needs to be compensated for his work and that's fine but why not do it off ticket sales for concerts? I don't see why we need these artists need these government granted monopolies to make money!
Simon
But all that enables you to do is replace an MD5'd file with garbage that happens to have the same MD5 sum. It's hard to deliver a payload when you're limited to tricking a target into downloading what would be (essentially) a random string of ones and zeroes.
At Toorcon this year, Dan Kaminsky showed how to generate two valid, nicely rendered, html files with the same hash . Basically, he injects javascript into the page to remove the rubbish at the begining of the file. But how often to do you view the source of a page you're visiting. It'd be hard for a layperson to notice this. Make no mistake about it, the collision attack is very dangerous.
Simon
Is this true for other popular hash functions?
No it is not. The newer hashes, such as Whirlpool, do not have this problem. You're correct in saying this is a "well known result" and every cryptographer worth his salt says that this fact constitutes a break of the algorithm. We've known since the middle of the nineties that breaking MD5 was within reach. The fact there has been so much inertia in getting people to change is quite incredible really.
At Toorcon this year, Dan Kaminsky showed a way to create two different webpages that render properly in a browser but have the same MD5 hash. Anybody who thinks this attack is theortical and ignorable is grossly mistaken.
Simon
If you contract your file from x bytes down to a fixed size, no matter what algorithm you use, you will always have collisions. Unless you start to give your hash keys as the same size as the original file, there is not anything that can be done about it, ever.
While this technical correct it is slightly misleading. The aim of a hash function is to make it has hard as possible to find a collision. For an n-bit has it takes roughly 2^(n/2) operations to find a collision. Any attack faster than this is considered a break of the hash function. It typically takes less than five minutes to break MD5 so it is horribly broken.
While removing the possibility of collision all together is provably impossible you can design a hash function for which finding a collision is computationally infeasible. The standard size to achieve this today is 256-bits and the better designed functions like Whirlpool use this hash length.
Simon
The security of a web-browser is in no way related to the number of vulnerabilities found per year. There are two mystical numbers out in the ether which related to the exact number of security flaws in Firefox and IE. Now not all vunerabilities are created equally. IE could have ten minor vulnerabities for every major vulnerability found in Firefox and IE could still come out on top. What I'm trying to say is the number of vulnerabilities is a very poor metric for security.
This vunerability is yet another heap based attack. Another attack that could have been avoided if people compiled the programs with the various heap/stack protection switchs. Please don't bitch about how it makes pointer arithmetic too slow. It just isn't true, what you should be doing is compiling the entire program with the switch then if it turns out to be too slow, factor out the code in to a seperate library and compile it without the switch. You can then do focused code reviews on this unsafe code to hunt out overflows/heap.
If you remember nothing else today remember this sentence: "Security costs CPU cycles..". Guess what gents? XOR is a really fast cipher but it doesn't give you any security. You need a whole bunch more clock cycles to get it. The funny thing is people only apply this thinking to cryptography when in fact it's a general security principle. All the string checks you do cost CPU cycles as the program will function just fine without them. You decide to spend CPU cycles on this task to get security because you feel it is important. To get security you have to spend a metric-fuckton of CPU cycles. Fact. What I want people to recognise is that it is worth making your programs slower to consign buffer overflows to the history book.
For a web-browser on a PC there is really no excuse because we have multi-GHz computers that are sat around idling most of the time. For all the naysayers who prounce almost with religious zeal that the performance hit will be dramatic and thus be unaccepetable. I ask them two questions:
Join me and spread the word. Tell the world to spend CPU cycles on getting security because it hurts us all that we have such insecure software. Remember, "Security costs CPU cycles"
Simon.
Vista (n) -"A distant view or prospect, especially one seen through an opening, as between rows of buildings or trees"
How apt, because I'm struggling to see through the Microsoft PR to see what Vista really is. We had this problem about five years ago when the marketing team got hold of .NET. .NET was mentioned everywhere from in the server family, to Office, to
development tools. When PR gave way to reality, .NET was a only a development tool and was really just Microsoft's (good) answer to Java. Nothing
like the revolution the PR machine would have you believe.
They question is whether Windows Vista going to solve a problem for me? The one thing that made XP a solution to my family was the welcome screen. Once they could select their username from a list that made it possible to give each family member an individual and run them in low privileged accounts. This has turned the family computer maintainence problem from a daily hastle to a once in a year activity.
What is Vista going to give me to make my job any easier? The only thing I would have bought Vista for is IE7 because of its nice anti-phishing features but this is going to be available in XP too. Even if this was ever a reason to upgrade, Firefox will likely have these features too in the next couple of months negating the need for Vista.
Feature after feature has been culled from Vista. We've got all these security "enhancements" in it but I can achieve the same in XP by following the NSA's Hardening Guide. Okay, this same level of hardening may be easier for the laymen to achieve in Vista but the layman doesn't care about security. When his PC fucks up due to a huge malware problem he just buys a new computer.
The man off the street does not need vista. In fact the man on the street doesn't even need XP. There are plenty of people still using Windows 98 and having a good time. Lord knows how they keep malware off their machine but they do it.
And what about business. WinFS might have been useful, but it was cut. Monad might have been useful, but it was cut too. They've wasted time with Maestro when the open, widely deployed PDF format already exists.
A reorganisation of Microsoft will not help these problems and I suspect the PR team will not save them from interia this time..
Simon
Ahhh.. you have to ask former microsoft employee why..
This man needs +5 insightful tattooed on his fore-head.
Simon
This last area is very important. We know the theory of writing secure computer programs. We are close to knowing how to create provably secure computer systems (some would argue we can--e.g. EROS). The big hurdles left are writing usable, managable, provably secure systems, and the user.
It may be possible to establish "limited" proofs of security which are tightly defines in small areas but a provably secure operating system is impossible. It's impossible on so many levels that I expect that Alan Cox doesn't understand the issues deeply enough.
There are a number of problems with creating a secure operating system. One is the amount of code it takes. You can't create a security proof on huge volumes on code. Hundreds of lines? probably. Thousands of line.. maybe.. hundred of thousands? no chance.
The next problem is that we haven't figured out a way to make security modularise. You can't say "method 1 is secure, method 2 is secure therefore using method 1 after method 2 is secure. It just doesn't work like this. You can put two secure pieces of code and get insecurity. This means you have to treat the whole operating system as one huge program all of which needs to be proven secure.
The third problem is that even you establish a proof of security this still isn't enough. Your proof is based on some formalisation of the language but the compiler itself might be buggy (either by accident or on purpose) and might compile in a way that breaks your proof. Ouch! cuO
Too often we strive to absolutes in security. Security is not binary. It is not a zero or one but a complex set of trade-offs and risk mitigation.
Simon.
No, this should not be attempted. Not now, not ever. Weather has one of the key properties of a chaos: Sensative dependance on initial conditions. This property gives rise to the proveriable butterfly flapping it's wings in China could cause a hurricane in the US. People make the mistake of thinking that if we could just introduce a tiny change to counteract the butterflies wings we could easily avoid the hurricane. This is wrong headed. Sure, me breathing on my keyboard right now may well stop a hurricane occuring in the US but I have no way of knowing this. The same errors that make weather prediction so difficult also apply to weather prevention. You can't really predict how your changes will effect the weather any longer than a few days in to the future and this makes it essentially useless.
That's not all. Think of the political implications. Say the US was unable to stop a hurricane but could divert it in to Mexico instead. This could be considered an act of war. A hurricane's energy is equal to detonating a low yield nuclear war head every second for hours on end. Diverting this incredible destructive energy to impact on another country would almost certainly lead to war.
Finally, hurricanes occur naturally. Even the strong ones, like Katrina, are a neccessary saftey valve on global climate. If you could in principle dissipate the energy of a strong hurricane that energy has to go somewhere and I bet it stays in the Atmosphere. It's like the fire safety camapaigns in the states where they put out forest fires all through the 60-80s. Eventually, there was so much debris on the forest flaw that when it inevitably caught fire we got huge "superfires" that were very difficult to put out and damaged a lot of property. I would conjecture that if we did somehow manage to stop hurricanes, eventually, we'd get a super hurricane of incredible strength that releases all that unspent energy. Not a nice prospect..
Simon
Which is fastest for comparing two strings (ignoring case):
string1.ToLower() == string2.ToLower()
string.Compare(string1, string2, true) == 0
Learning the syntax is the easy part. Learning how to use the syntax effectively is a different ball game all together. It's this aspect of coding that takes a lot of time to develop. I agree that once you can program to a high level in one language you can transfer to another much more quickly but it still takes a while to really understand the language. It's this knowledge that can determine the success or faliure of your project.
Simon.
A degree is an academic certification and as such it should not cover topics simply because they're trendy in CS related jobs at the moment. It should teach a curriculum that gives CS students a good background in a wide range of topics and above all else it should be interesting and set up a good basis for more advanced academic training.
It is not surprising that sometimes what is good course academically is not necessarily a good course from a business standpoint. As a professional programmer I think that CS graduates are typically no better than someone with no degree at all. I understand that this is a pretty damning thing to say considering the majority of slashdotters probably have a CS degree but in reality the CS degree gives you nothing in terms the ability to write good code.
In fact, a CS degree typically makes for a more dangerous coder due to their belief that the few programing projects they did on their course makes them a professional programmer. It also trains the wrong instincts. Academic coding is about producing beautiful programs - business coding is about being pragmatic. Often they have a hard time rejecting these academic instincts.
I liken programming to playing chess. Anybody can learn the game in a day but to become a master takes dedication, a willingness to learn and a lot of time. I've stressed the "lot of time" point because I think this is a key problem with CS students. You get the typical line out of them at an interview "I didn't learn C# in Comp Science but I could learn it in an afternoon.." I'm a young guy (22) and I've been programing professionally for nearly four years and I can tell you that this is simply false. Make no mistake about it, I'm still no coding grand-master and probably wont be for another ten years. When somebody says that they can learn a language in an afternoon it doesn't make me think they're lying, it just makes it blatantly obvious how ignorant they are of intricacies of writing code.
In conclusion.. I think that having a CS degree is no real advantage over having a physics, chemistry or maths degree. What a degree shows you is the person in-front of you applied themselves to a long term project and got a result. The same conclusion can be drawn from a person sat across from me without a degree but three years of experience. Really, both routes are equally valid and I hold neither higher than the other.
Simon.
Technology changes the balance between victim and attacker. Fact. Occasionally, it is prudent to create new laws to redress the balance. At first, breaking into a computer wasn't a crime. The laws in many countries decide (rightfully, imo) to make this an offense.
The problem comes when the law makers don't really think through the consquences of the laws they write. The start with the assumption that criminals are dumb. Most of the time this is actually a fairly good assumption. However, it is a mistake to right off all criminals as being stupid. The people behind 9/11 were certainly not dumb and it's these type of people we are drafting laws to stop.
. The first question a legislator should be asking themselves when faced with a security decision is "How could an attacker make this law useless". On the subject of wiretapping the first thing that springs to mind is encrypting the connection. How can you wiretap an encrypted connection? Of course, they could try and use RIPA to get the keys off you but RIPA is badly drafted (as I discuss here) and can be circumvented easily provided you use a signed Diffie-Helman key exchange to determine the session key.
Give the fact that the law can be dodged completely it only serves to make us all less secure. It removes a check and balance from our society and opens up to abuses by the Police and other government organsiations. (As an aside, Law should be drafted in that they should fail in the safest possible way when being used by a corrupt Police force).
I'll finish this comment with a point I feel is important. In July, fifty or so people were killed by terrorists. That was the first major terrorist attack since the IRA declared a cease-fire and it was alost the biggest terrorist act in (recent) British history. As much as it is a tragedy that those lives were lost, is it worth changing the relationship between citizen and state for the sake of fifty dead? The same can also be said about 9/11 or the madrid bombings. Yes four thousand people were killed in 9/11 but four times as many die per year in US due to gun fatalities. In terms of a threat to the average citizen of any particular state, the threat posed by terrorism is right down in the noise level. It is my belief that a greater threat to our liberty is posed by the onerous legislation being passed worldwide than by terrorism.
Simon.
I think they deliberately misunderstand the issue. The issue here is not functionality. Yes opendoc may actually be less functional than the word-format but guess what Microsoft? I haven't used any of this additional functionality since 1997 and neither has the US government.
The battle for features is over and what's replaced it is a lot more important. What we have today is a battle of ideology. Don't you think there's something a little perverse in a government investing huge amounts of tax payers money in creating all this intellectual property but having made this tremendous investment in time and resources they have to pay a private corporation to get the tools to access that investment?
To be fair, it's not just Microsoft who are perverse like this. Sage Line 50 is a great example of corporate greed. You pay £800 for the piece of software but lord if you want to insert or update information in a third-party program you need to pay around £1500 a year for the developer license. It was this that made me wake up to the reality of the situation: Our company is paying nearly a hundred thousand pounds a year in accountants who enter data in to your software package yet we have to pay you AGAIN to update that data? It's us that paid money to put the data in there in the first place, why should we have to pay you again just to use it from a homegrown program?
It's this greed that the US government is rejecting. In the early days everbody wanted software to help deliver the tremendous savings that computers can bring to a business. They would be a license from whatever vendor they would sacrifice much to get it. Now companies are starting to expect software to deliver a return on investment and they're not willing to tie themselves in to one company. Having many suppliers after your business drives down prices. This is as true with IT as it is with any other sector. The way to ensure you can get many suppliers knocking for your business is to make sure it's easy to switch. Open Office might be a pain at first but the opendoc standard will make it easier to switch. It's a good move in the long run.
Microsoft, Sage or any other company do not have the automatic right to make a profit. The lesson to Microsoft is simple: you were beaten here not because your product was inferior but because you failed to allow people to compete with you effectively. The role of a government in a capitalist society is to promote competition not subtract from it. In this case Massachusetts has done everyone a favour by telling Microsoft that it can cram its vendor-lockin into a bloody big pipe and smoke it.
Simon.
It would obviously be a huge evolutionary advantage -- unless there are some pretty grim side effects.
There is a grim side effect: It takes an enormas amount of energy. Growing an entirely new adult leg is probably a bigger job than growing a baby
The amount of energy this takes would put you at a huge disadvantage when there isn't alot of food around. For almost all of human history, famine has never been far away so we're well adapted to cope.
Simon
oofEver wanted a shave in the shower but your hand-held mirror fogs up? Rather than buying this patented glass you can resort to a low-tech solution: Rub a little shaving foam over the glass and the wash the excess off so you have a thin, clear, greasy film on the glass.You'll find that the mirror no longer steams up.
The reason this works is because the greasy film causes much larger drops to coalesce on the mirror than you would normally get. These larger drops don't refract the light nearly and as a result are essentially transparent. This simple trick allows me to insure my sideburns are the same length even when under the most horrendous time presure.
See, who says that Physics can't be useful in everyday situations?
Simon
Why does a Hydrogen Bomb produce far more energy in the fusion phase than is put in during the fission phase? My only guess is that the extra energy is coming from the energy released by the nuclear bonds during the forceful disintegration of the atom. Any physics majors care to chime in?
Ever wonder why all those protons like to sit happily in the nucleus together even though they're all positively charged? Well it turns out that at REALLY small scales there is a force called (aptly) "the strong nuclear force" which is about a million times as strong as electromagnetism.
The amount of energy it takes to liberate a single nucleon from a nucleus is called the "binding energy per nucleon". . For different elements this value is different. The reason fusion and fission can both release energy is due to change in this binding energy per nucleon from the start of the reaction to the end of the reaction.
If you look at this graph you will see that at the begining of the graph it rises very steeply. The change from Hydrogen to Helium looks about 10MEV. This energy has to go somewhere and it's released as heat and light.
At around Iron the graph flattens out and then slowly starts to decend. Uranium sits right down at the bottom tail of the graph. Energy is released in fission because the end products sit further up the curve than Uranium.
Per reaction, Uranium fission produces a lot more energy than Hydrogen. Fission release around 250MeV and fusion releases around 17.6MeV. So why do we get so much additional power from a Hygrogen bomb? Well one mole of Uranium weighs 238 grams. In contrast, one mole of hydrogen weighs only 1 gram. The conclusion? We have a lot more hydrogen atoms per unit mass than we do Uranium. This means that we get 17 times more energy per unit kilogram than we do from Uranium . This is the reason the primary power source for the Hydrogen bomb is the Hydrogen and not the Uranium starter charge.
Simon.
There's a saying that I hear a lot of religious people say: "You reap what you sow". Ironic then that in this case America gets precisely what it sows. You teach kids that ID is science and you get crappy scientists. You cut the percentage of GDP spent on RND and you get less nobel prize winners. You ignore the science of economics and you end up with a huge current account deficit which will take a decade to repay. You ignore the *fact* that human produced carbon dioxide is warming the earth and you wreck your environment just in time for your grandchildren.
America is at a cross-roads of sorts. It can choose to be the The Christian Republic of America or the United States of America. It seems as time goes on these options are becoming more and more mutually exclusive. The religious fanatics are intent on replacing the textbook with the Bible. The atheist fanatics (yes they do exist) are intent on removing any shred of religion from public life.
The next fifty years are going to be interesting. Will the US continue to train world class scientists and be a home for the creative? Or will the US sink in to irrevelence through placing religious dogma before pragmatism.
The condom policy in Africa makes me think the latter rather than the former.
Simon.