What settings do you use when creating PAR2 files? I'm using QuickPar under Win32.
I do it with the *nix command line utility, so what I do probably won't help you much.
But basically I have a script (or group of scripts, actually) that calculates how much space the DVD has, and fills it with par2 files (if you're going to write a DVD, it might as well be almost 100% full.) Once it determines the space available for par2 files, it gets a list of files and feeds that to par2create, which creates the files in it's own directory. It also creates a file with sizes, names, CRC32 and md5sums for each file on the DVD so one can easily determine (without using par) if a file is corrupt. And finally, it makes the iso, burns it, then verifies that everything was written correctly.
I usually aim for 5% pars on a DVD, about 250 MB, and creating 250 MB of par2 files takes about 45 minutes of cpu time on an Athlon 64 3000+ (it took about four hours on the p3/700 that preceeded it.) And of course if the data is important, it gets written to more than one DVD, with the multiple copies kept in different locations.
It would be very tedious to do by hand.
With CD-R media, assuming that the media is not physically abused in any manner, the usual form of degredation that I've seen is that bits here and there will get corrupted after many years, but most of the data is still valid and readable. But it's important to be able to tell the difference between valid and invalid data, hence the md5sum (yes, I know it's been cracked, but for this that doesn't really matter, though maybe I'll go to SHA-1 soon) file, and the par2 files help me recover it. I assume that DVD-R media will degrade similarly, but I haven't really had enough time to see for real.
Assuming that I need to recover something a DVD that's degraded over the years, I copy everything to the local hard disk, then compare the md5sums agaisnt the files. If they match, great! -- I'm done. If not, then I run par2repair and hope it can recover it. If not, then if I have other copies of the DVD, I throw them into the par2repair mix and hopefully it can recover (since the exact bits that are corrupted are likely to vary.) And if all else fails, I can at least tell which files are valid and which files are not. So far, I've not had to do this very often.
there is an implicit assumption that the work being completed is worth the electricity being used and the fuel expended.
Yes, but I think that most people who do this sort of thing don't even realize that it does use additional power. Instead, they think `hey, my computer is already on, let's let it do something!', and don't realize that the power consumption goes up if it's not idle.
Or if they do realize that power consumption goes up, they don't actually do the research and math needed to determine that `SETI is costing me $0.92/day' (or whatever).
since the majority of Linux servers out there are running on distros downloaded free of charge.
I do believe that this is true overall, but I wonder if it's true with servers where they might be replaced with Windows Server 2000 or 2003? From what I've seen, businesses who are using Linux, especially those who are running expensive commercial software on these Linux distributions, tend to really like RHEL, and it's not something you can download for free (well, you're not supposed to.)
As a rule of thumb, the more critical a Linux box is to your orgnaization, the more likely it is that you paid somebody for the Linux distribution and/or that you pay for support. Just a rule of thumb, perhaps even common sense, but it wouldn't surprise me if the figures for the big honkin' servers that large businesses rely on are over 50%.
Microsoft wants everyone to believe that their TCO is lower than Linux when everyone knows it's not.
No, everyone doesn't `know it's not'.
Certainly, in some cases, the TCO of Linux in a certain role at a certain location will be more than the TCO of a Windows server (or group of servers) serving the same rule. I'm not saying that this is always the case, or even that it's usually the case, but at least some of the time, this will be true.
Is it just me, or did Microsoft pretty much `invent' the TCO term strictly to counter free software like Linux? Did the term exist before Linux did, or was it just Microsoft making it popular?
In any event, I'm not here to argue that Windows has a lower TCO than Linux. I'm just saying that it's not as `obviously' wrong as you make it sound.
Scarhead nailed it. I do most of these things, even creating par2 files.
The key steps are 2) verify that your writes are correct and 3) make multiple copies and store them in multiple places. These steps are important no matter what media you use, though verification is less important on hard disks (since they're far more reliable than optical media.)
Personally, I don't really bother with high qualify DVD-R media -- I go for the cheap ones. Though to be fair, I do throw away a fair number of them just because they fail verification. But as long as you have the par2 files and multiple copies of the data, it's probably good enough.
Note that backing up to hard disks is going to be a lot more convenient, and more reliable. But keeping at least two copies in two different physical locations is still a key ingredient.
If your pictures are good enough, you could just do what Linus suggested --
"Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it;)" (1996)
(though note that tape backups are notorious for not lasting more than a few years, and I suspect that optical media are actually worse. For now, the best long term data storage option that I'm aware of are going to be large hard drives, though 20 years from now it might be hard to find a computer that can connect to your miniscule 400 GB ATA (parallel or serial) drive. Keeping up to date and copying data to whatever the newest media is seems like a very good plan for very long term archival.)
No it's not (obvious). The number of cylinders doesn't really matter -- it's the total displacement. Now, if the cylinders are of equal size, then a V8 will have 33% more displacement than the V6, but that's not always the case. But there's no reason why a two cylinder engine can't put out more power than an eight cylinder engine.
(And of course, displacement isn't the only factor either. But it's a lot better thing to look at than just the number of cylinders.)
Of course, even if you'd said displacement instead of V8 vs. V6, your analogy would have still been very poor. V6s and V8s function almost identically. Using a heating element vs. a microwave to heat water, that's very different. Perhaps the microwave can turn on and off quicker, but it will also cost several times as much, be less efficient (than your conventional on-demand water heater) and be much more complicated.
And as for the radiation killing germs, people are confused. It's ionizing radiation that kills germs. Microwaves are not ionizing. You'll certainly kill germs by heating water to near boiling, and not allowing water to stagnate will certainly help (but if you use hot water every day, water doesn't stagnate in conventional water heaters with a resevoir either.)
Personally, this new hot water heater doesn't sound like such a wonderful idea to me. Obviously it works, but it just doesn't seem to be worthwhile. Perhaps it'll be useful in some niche markets, but I don't see it replacing the existing water heaters (either resevoir based or on-demand) in any great numbers.
I find it a rather disturbing statement that the slot machines are more effectively audited than the vote count
Votes are supposed to be anonymous. Slot machines really aren't. Remove the absolute anonymous nature of voting, and suddenly they could audit votes down to the exact vote. You could even look up online how your vote was tallied after making it.
(Not that this will ever happen, mind you, but it's still something to consider.)
Where there's money involved, everything is audited VERY carefully. Especially when it's the private sector's money (the government is a lot more lax about things.)
But even so, there's a lot that could be done with voting machines. Hopefully this is a good next (first?) step.
the land of the free.
It's just some words in the Star Spangled Banner. We haven't lived in the `Land of the Free' in quite some time. I'm not sure we ever did (though it's way worse than it ever was.)
The only way to make any election truely free, all procedures, protocols, and source code HAVE to be provided.
That sounds great in theory, and I'd love to agree with you, but I can't.
Ok, supposed that you were provided source code. So how do you know that this is the actual source code that generated the code that's actually being used? (And it's not restricted to source code -- the same argument applies to the procedures and protocols that you mentioned.)
Personally, I'd be happy with a paper trail, where you can visually inspect your paper ballot before it's cast. Sure, the machine can keep tallies internally, but when there's a recount, the paper ballots are counted. Anything more complicated is just too easy to tamper with, source code
As long as voting is anonymous, there will be no way to verify that your vote was cast and counted properly, but allowing you to view a piece of paper before it's put into the locked box is the next best thing that I can think of.
(But we could certainly greatly improve the accuracy of the voting process by removing the absolute anonyminity requirement. Accounting methods (I was going to say `modern', but really, I don't think it's changed much recently) would work very nicely if applied to voting. Yes, your bank may occasionally make an error on your checking account, but it can be found and corrected. Under the current voting system, there's very little room to correct anything.)
Actually it may not be, and other comments in this thread have given examples of similar types of upgrades causing problems.
Not really. I read through the thread, and the closest thing I saw was using the `upgrade in place' option of Thunderbird. Using something similar to stow would have no problems like those described in the thread.
Changing productions systems, while they're in production - particularly in the whip-the-tablecloth-out-from-underneath manner suggested - is just *asking* to get your arse kicked.
`Production' is a very broad brush. A computer controlling the trajectory of the Space Shuttle as it lands is certainly a system in production. As is a laptop that a person uses each day and takes home each night. I wouldn't suggest doing anything to the first until it's done, but that second computer probably is `in production' 100% of the time it's on your network. (IT doesn't know when you go to lunch, for example.)
And I'm guessing that most of the computers at a company that IT manages, desktop machines, they don't really have a maintenance window. Sure, you can define one in the middle of the night, but that doesn't do you much good if somebody takes their laptop home or turns off their computer. And what if somebody works late? Maintenance windows make sense for mission critical machines that can't afford unscheduled downtime, but forcing such a limitation on everything seems silly.
I'm struggling to think of any justifiable reasons at all for doing it apart from "because I can and it works most of the time".
Why struggle? If the consequences of a botched upgrade are minor (as they usually are for a desktop machine and certain sorts of servers) and it works 99% of the time, it seems reasonable to me to do it that way. (And for something like Linux, it's going to be far more reliable and less painful than a similar in-place upgrade for Windows. Sure, there may be a few gotchas, but if you use something like stow, you're already bypassing most of those.)
I think we're lucky in that the timescales are such that any P2P system would not have used MD5 for situations that need a secure hash. MD5 has been known to be on shaky ground (it was in pretty much the same situation SHA1 is now) for IIRC over a decade now.
I just realized something that does use MD5 files that would matter -- par2 files, usually used on Usenet. Fortunately any attack involving them won't be as devastating as one against p2p clients.
almost, it's IIRC something like 1.5x as many cycles to generate 3, 1.75x as much to generate 4 and so on
I don't really have enough information to figure out the progression here. How long would it take to generate 2^64 files with the same MD5. How about 2^128? I'm guessing it would be a huge amount of time.
So if we're e.g. taking MD5 and MD4, they're IIRC both 64-bit hashes, so we start by saying we'll have a 128-bit xxxxxx string. Using our MD5 attack we generate (approximately) 2^64 of them with the same MD5.
Ok, but they're 128 bit, not 64 bit. But even so, 2^64 is a huge figure. Even 2^32 for a CRC32 ought to make the MD5+CRC32 attack several orders of magnitude more difficult, though not 4 billion times more difficult if the MD5 attack really does let you generate additional collisions cheaply.
In any event, I'll look for the `Joux Multicollision paper from 2004 CRYPTO' for more. Thanks for the pointers.
The problem here is that your IT department is full of cowboys like the GP, who think it's "cool" to change production systems while they're in use.
It's cute that you throw the word `cowboy' out there, like he's some sort of trigger happy renegade, but in fact what the GP (assuming this is the right GP for your statement) said ---
On the Linux side, I simply rsync software to all our of workstations. I can even upgrade software people are using right at that moment (like rsyncing the newest thunderbird to/usr/local/thunderbird-1.0.7 while they use the thunderbird in/usr/local/thunderbird-1.0.6, and then moving the/usr/local/bin/thunderbird symbolic link to point to the new version).
... is perfectly safe to do while the system is in use, even if Thunderbird itself is in use right then. The equivilent could be done in Windows, but as far as I know, nobody does it that way.
Now, comparing that to a service pack upgrade isn't really fair. In that case, the old version of Thunderbird is still there, and will continue being used until they restart. When you install a service pack, all sorts of system files are swapped out. Linux will let you upgrade glibc while the system is up (thanks to how you can delete a file and it won't go away until all references are gone) but it can be a bit dangerous on a system that's being used -- for example, if there's updated libraries that depend on other updated libraries, then there will be a small window where one library is updated and not the other, so any new processes spawned during that period that use both will probably crash.
But in any event, the Thunderbird upgrade done like this is perfectly safe. Most people don't do it that way (I do, but not most) but done that way is very nice. stow is a very simple and yet very convenient program for maintaing/usr/local like that.
No, multiple hash routines *does not work*, as is said in every single hash related thread.
I must have missed it. I'll assume that you know what you're talking about here, but some more detail would be nice. MD5 has been broken (or at least collisions can be generated relatively easily now), MD4 is broken, and CRC32 is almost trivially broken (since it's a hash, but not an appropriate hash for cryptographic work.) In any event, if I have CRC32, MD4 and MD5 hashes for a given string, wouldn't it be massively more difficult to find another string with the same values for all three hashes, even though each hash has been `cracked' individually? (A citation to some sort of discussion would be useful, rather than just saying `no'.) (And if three hashes is too much, feel free to pick any two hashes from that list, though of course I'd be more impressed by breaking MD5+MD4 than MD5+CRC32, if not only because there's 96 more bits to worry about.)
Fortunately I'm pretty sure BT uses a newer hash already.
I was assuming that it used MD5, but apparantly it's SHA-1 (judging from the other responses to my post.) But isn't SHA-1 just a few steps further from the grave than MD5 (for lack of a better way of putting it?) That, and BT wasn't the only thing I was thinking of, though maybe none of the p2p systems use MD5.
That's what I was thinking -- this being used to break torrents and other p2p setups.
Though to be fair, most games seem to come in the form of a compressed archive of some sort -- either a bunch of.rar files (for warez) or a.exe file with.cab files (for Windows installers) or something similar. In that case, the corruption would be detected at installation, though it wouldn't be easy to determine from the torrent exactly which blocks are corrupt.
In short, MD5 being broken (and now the code being available) is very bad. I expect to see the anti-piracy vigilantes jumping on this very quickly to create code to totally break bit torrent and similar things -- it would come up and look like a seed, but would be spewing garbage that the other clients couldn't detect as garbage. Of course, such poisoning would also end up being used to corrupt completely legitimate torrents as well, just because people think it's fun.
(The fix? Update things like bittorrent to use hash routines that haven't been cracked yet, or to use multiple hash routines on the same blocks.)
To expand on that, what's really important to me as a `requirement' is that it be uniform, for everybody. If you have to carry a bill of sale for your bike, that's fine, but only if EVERYBODY has to carry a bill of sale for you bike, not just vietnamese people.
Ultimately, racial profiling is wrong. Now, I'm not overly naive -- I understand that racial profiling works -- but it's still fundamentally wrong, and I'm not willing to condone any actions that targets an entire race (or religion) of people just because it might give me a little more security.
There's the old joke... You see a white man pushing a white cadillac down the street. What's that? White power. A black man pushing a black cadillac down the street? Black power. A mexican pushing a black cadillac down the street? Grand Theft Auto. There's some small amount of truth (i.e. that crime rates among hispanics are higher than whites, though I don't know about blacks) to the joke, offensive as it is, but I still can't condone the police actually pulling somebody over merely because they're a certain color and have an expensive vehicle.
It makes two things easier: 1) showing that you're licensed to drive, and 2) proving who you are (and as a side note, how old you are.) Everything else is an extension of those things.
As for the subject of `Not seeing what I'm saying', you're just not saying it very correctly. For example --
That's basically a documetn saying it's OK to raom around freely in the US
What you're referring to are called `travelling papers'. And they're not required in the US, at least not yet. An ID does not say it's `OK to roam freely'. It says `I am Doug, and I am licensed to drive'. (And the bill of sale to your bike is not a `license to roam freely' either, even if it can help.)
It may sound like we're arguing about a tiny difference, but I think it's an important difference.
And if I was the Vietnemese man, I'd be seriously pissed off. I'd contact the ACLU, the local press, local ambulence chaser, and see what could be done. There's some names for what's going on there -- racism, profiling, etc. -- and they're generally not legal and/or moral for the police to engage in.
And you've still not answered what EXACTLY is a kind of document that you would not want selected police to see, even if it meant months less of prison time, that is not illegal.
I didn't realize I was required to. There's lots of things I wouldn't want the police to see, even things that aren't illegal. Pictures of me finger painting in the tub at 2 years old? Mom used to show them to girlfriends, much to my dismay, and I wouldn't want the police seeing them. The stash of gay porn in the closet? Legal, but I wouldn't want the police to see it. Love letters between me and RuPaul? Scandal! But if it meant keeping me out of prision for months, ultimately I'd let the police see it all, since months of incarceration would cost me my job, my family, my house... just about everything. Standing up for your convictions is important, but at some point the personal cost is just too high.
I'll settle for legally having to carry ID (but I'm glad that I legally don't, unless I'm driving.) But having to carry the bill of sale for your bike just because you're of a specific race? Fuck that. After it's shown to be a pattern, I'd have a lawyer send them a letter, and if it continues, sue their collective ass. The local police department can tell every officer that there's a vietnemese man with an expensive bike, and he's to be left alone.
Take it as flippantly as you like, but security holes appear frequently, even in algorithms that are believed to be sound. SHA-1 is a pretty good example.
No, SHA-1 is a terrible example. It's a cryptographic hash function, not an encryption method to be decrypted. (After all, context tells us that we're talking about decrypting a hard disk.)
Yes, hashes have been found to have weaknesses (MD5 is the most recent once I've heard of) but that doesn't really help you decrypt somebody's hard disk. (It's useful for other things, which I won't get into here.)
So you don't carry around a drivers licence ever? That's basically a documetn saying it's OK to raom around freely in the US and do all sorts of things.
No, it's a document that shows that you're licensed to drive a motor vehicle, and has also been co-opted to provide identification. (Though you can generally get an ID card that does not show that you're licensed to drive a car.)
In many (most?) states you don't need to have an ID of any sort of `roam around freely'. You don't even have to provide identification to police if they ask you for it (unless you're driving, of course) though of course lying about who you are is generally illegal, and they may detain you until they can verify that you are who you say you are. And the officer may very well think that you're legally required to carry identification even when you're not. But in much (most?) of the country, that is not the case.
If true, then of the business will lose in the court of law and the court of public opinion.
If true, then it'll never even go to trial -- the company will gracefully decide to drop the issue. (She may countersue, however.)
If false, they will win in both.
Naive much? It's the big bad company pressuring the innocent mother. Even if they win, even if they prove that everything she said was wrong, they've lost. Most SLAPP lawsuits don't get `outed' like this one was, and I'm sure the company wasn't banking on this, but now that it's happened, the damage to their reputation is done. A victory in a courtroom would help, yes, but many people still won't buy it.
"The truth" was a solid defense against libel claims?
It is in the US. I don't know much about Canadian law, but it wouldn't surprise me if it was there too.
But how much truth can you afford? Lawsuits are expensive, for both sides. Though if her story is 100% true (and I see little reason think it's not, though of course I only know what I've read on her site and the news) it's unlikely that this will ever even go to trial. But of course, a lawsuit doesn't have to go to trial to have the desired effect...
Don't fret too much about her right now. With all the publicity this story has gotten, she will probably have no problems defending herself against the lawsuit, and the company itself is probably already regretting the lawsuit -- even if they're 100% innocent, they've already been tried and found guilty in the court of public opinion.
A more accurate statement would be that `several states have enacted legislation to provide some protection against SLAPP lawsuits'. These laws do not 1) cover the entire US, and 2) do not generally make SLAPP lawsuits illegal. Instead, they change things a little to make it easier to defend against these sorts of lawsuits.
And of course, the woman is in Canada, so US law generally doesn't apply there. (We didn't invade yet, did we?)
It's not how long it takes to crack, it's how long it takes to make a copy. Then cracking can be at your lesuire.
Probably an insightful comment, and any single drive can be copied in a few hours. Though the police might have a hard time copying 100+ TB of drives...
But really, the problem is that the police don't like to release their suspects before they're sure they're not guilty of something. Even if the drives couldn't be copied without decrypting them first, the police could just take the hardware and release it when they're ready, but release the suspect quickly. But they don't want to do that -- he could be a terrorist! (or he could be totally innocent, but of course police don't make that sort of mistake.)
Though personally I think the 90 days thing is just a crock. It's also obviously just those pesky civil rights that are keeping law enforcement from turning this world into a paradise without crime, terrorism or software piracy overnight -- or at least that's sometimes how they seem to act.
Well then, I'm glad the BBB came through for you. But you should be aware that you were lucky -- it doesn't come through for everybody, probably not even for most. The BBB does not work for you -- it works for the businesses that are it's members. Sometimes things work out in your favor in spite of that, but not always.
Slashdot Mirror
But basically I have a script (or group of scripts, actually) that calculates how much space the DVD has, and fills it with par2 files (if you're going to write a DVD, it might as well be almost 100% full.) Once it determines the space available for par2 files, it gets a list of files and feeds that to par2create, which creates the files in it's own directory. It also creates a file with sizes, names, CRC32 and md5sums for each file on the DVD so one can easily determine (without using par) if a file is corrupt. And finally, it makes the iso, burns it, then verifies that everything was written correctly.
I usually aim for 5% pars on a DVD, about 250 MB, and creating 250 MB of par2 files takes about 45 minutes of cpu time on an Athlon 64 3000+ (it took about four hours on the p3/700 that preceeded it.) And of course if the data is important, it gets written to more than one DVD, with the multiple copies kept in different locations.
It would be very tedious to do by hand.
With CD-R media, assuming that the media is not physically abused in any manner, the usual form of degredation that I've seen is that bits here and there will get corrupted after many years, but most of the data is still valid and readable. But it's important to be able to tell the difference between valid and invalid data, hence the md5sum (yes, I know it's been cracked, but for this that doesn't really matter, though maybe I'll go to SHA-1 soon) file, and the par2 files help me recover it. I assume that DVD-R media will degrade similarly, but I haven't really had enough time to see for real.
Assuming that I need to recover something a DVD that's degraded over the years, I copy everything to the local hard disk, then compare the md5sums agaisnt the files. If they match, great! -- I'm done. If not, then I run par2repair and hope it can recover it. If not, then if I have other copies of the DVD, I throw them into the par2repair mix and hopefully it can recover (since the exact bits that are corrupted are likely to vary.) And if all else fails, I can at least tell which files are valid and which files are not. So far, I've not had to do this very often.
Or if they do realize that power consumption goes up, they don't actually do the research and math needed to determine that `SETI is costing me $0.92/day' (or whatever).
As a rule of thumb, the more critical a Linux box is to your orgnaization, the more likely it is that you paid somebody for the Linux distribution and/or that you pay for support. Just a rule of thumb, perhaps even common sense, but it wouldn't surprise me if the figures for the big honkin' servers that large businesses rely on are over 50%.
Certainly, in some cases, the TCO of Linux in a certain role at a certain location will be more than the TCO of a Windows server (or group of servers) serving the same rule. I'm not saying that this is always the case, or even that it's usually the case, but at least some of the time, this will be true.
Is it just me, or did Microsoft pretty much `invent' the TCO term strictly to counter free software like Linux? Did the term exist before Linux did, or was it just Microsoft making it popular?
In any event, I'm not here to argue that Windows has a lower TCO than Linux. I'm just saying that it's not as `obviously' wrong as you make it sound.
The key steps are 2) verify that your writes are correct and 3) make multiple copies and store them in multiple places. These steps are important no matter what media you use, though verification is less important on hard disks (since they're far more reliable than optical media.)
Personally, I don't really bother with high qualify DVD-R media -- I go for the cheap ones. Though to be fair, I do throw away a fair number of them just because they fail verification. But as long as you have the par2 files and multiple copies of the data, it's probably good enough.
Note that backing up to hard disks is going to be a lot more convenient, and more reliable. But keeping at least two copies in two different physical locations is still a key ingredient.
If your pictures are good enough, you could just do what Linus suggested --
(though note that tape backups are notorious for not lasting more than a few years, and I suspect that optical media are actually worse. For now, the best long term data storage option that I'm aware of are going to be large hard drives, though 20 years from now it might be hard to find a computer that can connect to your miniscule 400 GB ATA (parallel or serial) drive. Keeping up to date and copying data to whatever the newest media is seems like a very good plan for very long term archival.)(And of course, displacement isn't the only factor either. But it's a lot better thing to look at than just the number of cylinders.)
Of course, even if you'd said displacement instead of V8 vs. V6, your analogy would have still been very poor. V6s and V8s function almost identically. Using a heating element vs. a microwave to heat water, that's very different. Perhaps the microwave can turn on and off quicker, but it will also cost several times as much, be less efficient (than your conventional on-demand water heater) and be much more complicated.
And as for the radiation killing germs, people are confused. It's ionizing radiation that kills germs. Microwaves are not ionizing. You'll certainly kill germs by heating water to near boiling, and not allowing water to stagnate will certainly help (but if you use hot water every day, water doesn't stagnate in conventional water heaters with a resevoir either.)
Personally, this new hot water heater doesn't sound like such a wonderful idea to me. Obviously it works, but it just doesn't seem to be worthwhile. Perhaps it'll be useful in some niche markets, but I don't see it replacing the existing water heaters (either resevoir based or on-demand) in any great numbers.
(Not that this will ever happen, mind you, but it's still something to consider.)
Where there's money involved, everything is audited VERY carefully. Especially when it's the private sector's money (the government is a lot more lax about things.)
But even so, there's a lot that could be done with voting machines. Hopefully this is a good next (first?) step.
It's just some words in the Star Spangled Banner. We haven't lived in the `Land of the Free' in quite some time. I'm not sure we ever did (though it's way worse than it ever was.)Ok, supposed that you were provided source code. So how do you know that this is the actual source code that generated the code that's actually being used? (And it's not restricted to source code -- the same argument applies to the procedures and protocols that you mentioned.)
Personally, I'd be happy with a paper trail, where you can visually inspect your paper ballot before it's cast. Sure, the machine can keep tallies internally, but when there's a recount, the paper ballots are counted. Anything more complicated is just too easy to tamper with, source code
As long as voting is anonymous, there will be no way to verify that your vote was cast and counted properly, but allowing you to view a piece of paper before it's put into the locked box is the next best thing that I can think of.
(But we could certainly greatly improve the accuracy of the voting process by removing the absolute anonyminity requirement. Accounting methods (I was going to say `modern', but really, I don't think it's changed much recently) would work very nicely if applied to voting. Yes, your bank may occasionally make an error on your checking account, but it can be found and corrected. Under the current voting system, there's very little room to correct anything.)
And I'm guessing that most of the computers at a company that IT manages, desktop machines, they don't really have a maintenance window. Sure, you can define one in the middle of the night, but that doesn't do you much good if somebody takes their laptop home or turns off their computer. And what if somebody works late? Maintenance windows make sense for mission critical machines that can't afford unscheduled downtime, but forcing such a limitation on everything seems silly.
Why struggle? If the consequences of a botched upgrade are minor (as they usually are for a desktop machine and certain sorts of servers) and it works 99% of the time, it seems reasonable to me to do it that way. (And for something like Linux, it's going to be far more reliable and less painful than a similar in-place upgrade for Windows. Sure, there may be a few gotchas, but if you use something like stow, you're already bypassing most of those.)In any event, I'll look for the `Joux Multicollision paper from 2004 CRYPTO' for more. Thanks for the pointers.
Now, comparing that to a service pack upgrade isn't really fair. In that case, the old version of Thunderbird is still there, and will continue being used until they restart. When you install a service pack, all sorts of system files are swapped out. Linux will let you upgrade glibc while the system is up (thanks to how you can delete a file and it won't go away until all references are gone) but it can be a bit dangerous on a system that's being used -- for example, if there's updated libraries that depend on other updated libraries, then there will be a small window where one library is updated and not the other, so any new processes spawned during that period that use both will probably crash.
But in any event, the Thunderbird upgrade done like this is perfectly safe. Most people don't do it that way (I do, but not most) but done that way is very nice. stow is a very simple and yet very convenient program for maintaing /usr/local like that.
Though to be fair, most games seem to come in the form of a compressed archive of some sort -- either a bunch of .rar files (for warez) or a .exe file with .cab files (for Windows installers) or something similar. In that case, the corruption would be detected at installation, though it wouldn't be easy to determine from the torrent exactly which blocks are corrupt.
In short, MD5 being broken (and now the code being available) is very bad. I expect to see the anti-piracy vigilantes jumping on this very quickly to create code to totally break bit torrent and similar things -- it would come up and look like a seed, but would be spewing garbage that the other clients couldn't detect as garbage. Of course, such poisoning would also end up being used to corrupt completely legitimate torrents as well, just because people think it's fun.
(The fix? Update things like bittorrent to use hash routines that haven't been cracked yet, or to use multiple hash routines on the same blocks.)
Ultimately, racial profiling is wrong. Now, I'm not overly naive -- I understand that racial profiling works -- but it's still fundamentally wrong, and I'm not willing to condone any actions that targets an entire race (or religion) of people just because it might give me a little more security.
There's the old joke ... You see a white man pushing a white cadillac down the street. What's that? White power. A black man pushing a black cadillac down the street? Black power. A mexican pushing a black cadillac down the street? Grand Theft Auto. There's some small amount of truth (i.e. that crime rates among hispanics are higher than whites, though I don't know about blacks) to the joke, offensive as it is, but I still can't condone the police actually pulling somebody over merely because they're a certain color and have an expensive vehicle.
As for the subject of `Not seeing what I'm saying', you're just not saying it very correctly. For example --
What you're referring to are called `travelling papers'. And they're not required in the US, at least not yet. An ID does not say it's `OK to roam freely'. It says `I am Doug, and I am licensed to drive'. (And the bill of sale to your bike is not a `license to roam freely' either, even if it can help.)It may sound like we're arguing about a tiny difference, but I think it's an important difference.
And if I was the Vietnemese man, I'd be seriously pissed off. I'd contact the ACLU, the local press, local ambulence chaser, and see what could be done. There's some names for what's going on there -- racism, profiling, etc. -- and they're generally not legal and/or moral for the police to engage in.
I didn't realize I was required to. There's lots of things I wouldn't want the police to see, even things that aren't illegal. Pictures of me finger painting in the tub at 2 years old? Mom used to show them to girlfriends, much to my dismay, and I wouldn't want the police seeing them. The stash of gay porn in the closet? Legal, but I wouldn't want the police to see it. Love letters between me and RuPaul? Scandal! But if it meant keeping me out of prision for months, ultimately I'd let the police see it all, since months of incarceration would cost me my job, my family, my houseI'll settle for legally having to carry ID (but I'm glad that I legally don't, unless I'm driving.) But having to carry the bill of sale for your bike just because you're of a specific race? Fuck that. After it's shown to be a pattern, I'd have a lawyer send them a letter, and if it continues, sue their collective ass. The local police department can tell every officer that there's a vietnemese man with an expensive bike, and he's to be left alone.
Yes, hashes have been found to have weaknesses (MD5 is the most recent once I've heard of) but that doesn't really help you decrypt somebody's hard disk. (It's useful for other things, which I won't get into here.)
In many (most?) states you don't need to have an ID of any sort of `roam around freely'. You don't even have to provide identification to police if they ask you for it (unless you're driving, of course) though of course lying about who you are is generally illegal, and they may detain you until they can verify that you are who you say you are. And the officer may very well think that you're legally required to carry identification even when you're not. But in much (most?) of the country, that is not the case.
But how much truth can you afford? Lawsuits are expensive, for both sides. Though if her story is 100% true (and I see little reason think it's not, though of course I only know what I've read on her site and the news) it's unlikely that this will ever even go to trial. But of course, a lawsuit doesn't have to go to trial to have the desired effect ...
Don't fret too much about her right now. With all the publicity this story has gotten, she will probably have no problems defending herself against the lawsuit, and the company itself is probably already regretting the lawsuit -- even if they're 100% innocent, they've already been tried and found guilty in the court of public opinion.
A more accurate statement would be that `several states have enacted legislation to provide some protection against SLAPP lawsuits'. These laws do not 1) cover the entire US, and 2) do not generally make SLAPP lawsuits illegal. Instead, they change things a little to make it easier to defend against these sorts of lawsuits.
And of course, the woman is in Canada, so US law generally doesn't apply there. (We didn't invade yet, did we?)
But really, the problem is that the police don't like to release their suspects before they're sure they're not guilty of something. Even if the drives couldn't be copied without decrypting them first, the police could just take the hardware and release it when they're ready, but release the suspect quickly. But they don't want to do that -- he could be a terrorist! (or he could be totally innocent, but of course police don't make that sort of mistake.)
Though personally I think the 90 days thing is just a crock. It's also obviously just those pesky civil rights that are keeping law enforcement from turning this world into a paradise without crime, terrorism or software piracy overnight -- or at least that's sometimes how they seem to act.