Except that SHA is a hash, not an encryption scheme.
Any hash function can be turned into a stream cipher by running it in counter mode. This construction, called "Snuffle" by Daniel J. Bernstein, was the insight that led to the United States loosening its cryptography export regulations in the late 1990s. See Bernstein v. US .
Why would your grandmad do it manually? Instead of you running a script over SSH, like a COMPUTER user.
Running a script over SSH doesn't help if the problem is in the computer's networking configuration, or if the computer is behind an ISP that applies carrier-grade network address translation (CGNAT) because it lacks enough IPv4 addresses for all of its home subscribers.
"Performance of a contract" is explicitly one of the six bases listed in Article 6 of the GDPR for holding and processing personal data. In this case, the contract would involve the user providing pseudonymous daily usage logs in exchange for access to the game at a discount off full retail or before the general availability date. The user can request a copy of these logs at any time by choosing "Download Your Replays" from the game's menu.
How does Jamendo make sure that this "open licensed music from independent artists" doesn't contain accidental infringement, comparable to the "My Sweet Lord" case (Bright Tunes Music v. Harrisongs Music)?
Correct, I do not know the financial norms of a public beta test. Is it acceptable to charge beta testers? If a public beta is instead required to be without charge, what prevents everybody from participating in public beta as a substitute for purchasing the release?
In a well-engineered system, [obtaining a FQDN through a DDNS service] would be excusable.
No it wouldn't. Not without asking consent first.
"If you do not consent, return this product to the seller per the seller's return policy."
Security for a device like HDHomeRun is rather pointless. Nobody is asking for HTTPS certificates.
Several JavaScript APIs are available only to HTTPS scheme or localhost (127/8, not 192.168/16) per the Secure Contexts specification. Among JavaScript APIs related to video recording or streaming, the Presentation API is already restricted to secure contexts, and browser makers plan to restrict the Fullscreen API similarly to deter phishing attacks that involve spoofing the window manager and browser.
To send encrypted all it needs is a TLS stack and a root certificate. It doesn't need an FQDN or any such bullshit.
Obtaining the certificate needs an FQDN. The CAB Forum's Baseline Requirements forbid issuing in private TLDs, such as.local used by mDNS. Otherwise, you'll have to run your own CA, issue a certificate to the device, and install your CA's root certificate into the web browser on every device from which you plan to view. Some popular mobile browsers don't make that very convenient.
Apart from the fact that the skill sets of people who regularly participate in "focus groups and play testing" are unrepresentative: Is there a good way for a smaller studio to pay for thorough "focus groups and play testing", particularly before it has two games' worth of sales revenue?
HDHomeRun calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.
In a well-engineered system, this would be excusable. In order to obtain an HTTPS certificate for a device on a LAN that the web browser on each of the end user's devices will trust, an internal device needs its own fully qualified domain name (FQDN). To obtain a FQDN, a device would need to upload its internal IP address to some DNS service, be it a dynamic DNS service operated by the device's manufacturer or the zone host of a domain that the end user owns. The latter may cost $15 per year, or $75 over the 5-year expected service life of a device. I imagine that most end users, especially non-technical ones, don't already own a domain and aren't willing to pay an extra $75 just to skip the manufacturer's dynamic DNS service.
I agree with you that sending it in cleartext is not excusable. Nor are some of the other intrusions that you describe. But sending the IP address in some (reversibly encrypted) form is necessary as a step toward allowing the user to access the device as "https://some.internal.device.example".
the user perceives it to see you using their resources that they've paid for to to help your business at their expense by siphoning off data without them knowing.
To address "at their expense" and "without them knowing": Does an offer to license the game at half price if the user opts into analytics make sense?
My view: good software is clean software, it does nothing without your knowledge
A strict interpretation of that view would require the video game to be distributed as source code, so that the end user has access to knowledge about what the program does. Though Id Software has released its games' engines as free software five years later, I haven't seen a workable business model for funding the development of a game larger than hobby-scale for distribution under a free software license from day one.
That means no DRM
All current video game console platforms have digital restrictions management, as does Apple iOS, and will ordinarily not execute a DRM-free program at all. Offline DRM is still DRM. How should a game be distributed DRM-free? Are you trying to imply, for example, that developers should no longer develop for Nintendo, PlayStation, Xbox, or iOS platforms at all, or alternatively develop unlicensed games for retro consoles (more than 20 years old)? And even if so, what should a developer do to deter mass casual copyright infringement in order to sell more than one copy?
Then you install and run that shit during testing.
I'm curious as to how a 1-, 2-, or 3-man team developing a video game without access to venture capital can make large-scale testing of system compatibility and game balance practical. Do you have any suggestions?
It is intractable for the developer of a game for GNU/Linux, Windows, or Android to test the game for compatibility with every combination of PC or Android device components. Or would you prefer that most games be console-only?
Heat maps don't need to know who died [...] As a developer you'd want to know if a particular part of your game is too hard and kills the majority of players trying to get past it.
Sometimes people who died at position A also died at position B. This may help the level designer identify a pattern of elements that impose an unduly steep skill gradient for players with a particular play style. In order to track this, the developer needs to at least associate an identifier with each loss.
Nor can provision of service be conditional on consent as defined in GDPR. Thus controllers have started to drop a "consent" interpretation of terms of use in favor of a "contract" interpretation.
Those were the two main reasons my company dropped our web site and went to only an iOS app.
That's a possibility, but then you have to make your application compelling enough that prospective users are willing to spend $299 for an iPad mini on which to run your application in addition to what your company charges for a license to use your application.
In what sense? Last I checked, PayPal went from being an eBay subsidiary to a second IPO as PYPL on Nasdaq back in July 2015 (source). Does eBay retain a controlling interest in PYPL, with the remainder publicly traded or something?
The mortgage, gas and electrical bills are paid with a stamp.
Would you continue to do this even if the utilities in your area start giving a $60 per year or $5 per month discount on your bill for having both email billing and automatic withdrawal enabled?
Do bookmarks let you store a cached copy of a website for later reading while you are offline, such as while you are riding transit to and from work without a subscription to tetherable cellular data? That's why I installed Pocket in the first place before Mozilla included it in the Firefox distribution.
Claiming that the "second world" exists is an explicit claim that the Cold War never ended.
That or defining the Second World as countries that were Warsaw Pact members as of mid-1975, which is what the lead section of Wikipedia's article about the Second World does. It'll take years for Second World mindsets to die off as people who grew up in the Cold War era do the same. So yes, I believe in the lingering effects of ex-Soviet Putinland.
Just like every homeowner is expected to buy connectivity and addressing from their isp?
And when smartphones were new, a lot of people were reluctant to buy a cellular data plan because they were already buying connectivity from their home ISP. Some householders just don't want yet another perpetual utility bill, which means yet another company dipping into the family's checking account and potentially exposing said account to accidental or fraudulent withdrawals that cause overdrafts.
if you're content to use the same domain as thousands of others then there are many free options
and nothing to stop the isp from allocating a subdomain to their customers.
Of course there is: The major last mile ISPs have a business policy not to let home users run servers in the first place. I concede that ISPs have power to amend this policy, but you'd have to show ISPs a good case for amending this policy, as upgrades to more expensive business-class service make them money.
Plus there is always.local and llmnr/mdns if you don't need global reachability of your hostnames.
Neither Let's Encrypt nor any other trusted-by-default HTTPS certificate authority does.local. It violates the CAB Forum's Baseline Requirements.
Slashdot Mirror
Do they play Concentration at these camps?
Except that SHA is a hash, not an encryption scheme.
Any hash function can be turned into a stream cipher by running it in counter mode. This construction, called "Snuffle" by Daniel J. Bernstein, was the insight that led to the United States loosening its cryptography export regulations in the late 1990s. See Bernstein v. US .
Why would your grandmad do it manually? Instead of you running a script over SSH, like a COMPUTER user.
Running a script over SSH doesn't help if the problem is in the computer's networking configuration, or if the computer is behind an ISP that applies carrier-grade network address translation (CGNAT) because it lacks enough IPv4 addresses for all of its home subscribers.
"Performance of a contract" is explicitly one of the six bases listed in Article 6 of the GDPR for holding and processing personal data. In this case, the contract would involve the user providing pseudonymous daily usage logs in exchange for access to the game at a discount off full retail or before the general availability date. The user can request a copy of these logs at any time by choosing "Download Your Replays" from the game's menu.
The very concept of DRM didn't exist in the 80's and 90's
Not under that name, but what's CSS on DVD Video?
How does Jamendo make sure that this "open licensed music from independent artists" doesn't contain accidental infringement, comparable to the "My Sweet Lord" case (Bright Tunes Music v. Harrisongs Music)?
Do you not know how public Beta tests work?
Correct, I do not know the financial norms of a public beta test. Is it acceptable to charge beta testers? If a public beta is instead required to be without charge, what prevents everybody from participating in public beta as a substitute for purchasing the release?
In a well-engineered system, [obtaining a FQDN through a DDNS service] would be excusable.
No it wouldn't. Not without asking consent first.
"If you do not consent, return this product to the seller per the seller's return policy."
Security for a device like HDHomeRun is rather pointless. Nobody is asking for HTTPS certificates.
Several JavaScript APIs are available only to HTTPS scheme or localhost (127/8, not 192.168/16) per the Secure Contexts specification. Among JavaScript APIs related to video recording or streaming, the Presentation API is already restricted to secure contexts, and browser makers plan to restrict the Fullscreen API similarly to deter phishing attacks that involve spoofing the window manager and browser.
To send encrypted all it needs is a TLS stack and a root certificate. It doesn't need an FQDN or any such bullshit.
Obtaining the certificate needs an FQDN. The CAB Forum's Baseline Requirements forbid issuing in private TLDs, such as .local used by mDNS. Otherwise, you'll have to run your own CA, issue a certificate to the device, and install your CA's root certificate into the web browser on every device from which you plan to view. Some popular mobile browsers don't make that very convenient.
Apart from the fact that the skill sets of people who regularly participate in "focus groups and play testing" are unrepresentative: Is there a good way for a smaller studio to pay for thorough "focus groups and play testing", particularly before it has two games' worth of sales revenue?
If everybody followed your advice to "pirate all games", what would fund the development of new games?
HDHomeRun calls home every 10 minutes uploading a complete list of available channels and device information including internal IP address of HDHomeRun devices.
In a well-engineered system, this would be excusable. In order to obtain an HTTPS certificate for a device on a LAN that the web browser on each of the end user's devices will trust, an internal device needs its own fully qualified domain name (FQDN). To obtain a FQDN, a device would need to upload its internal IP address to some DNS service, be it a dynamic DNS service operated by the device's manufacturer or the zone host of a domain that the end user owns. The latter may cost $15 per year, or $75 over the 5-year expected service life of a device. I imagine that most end users, especially non-technical ones, don't already own a domain and aren't willing to pay an extra $75 just to skip the manufacturer's dynamic DNS service.
I agree with you that sending it in cleartext is not excusable. Nor are some of the other intrusions that you describe. But sending the IP address in some (reversibly encrypted) form is necessary as a step toward allowing the user to access the device as "https://some.internal.device.example".
"Digital restrictions management" has a broader definition than the sense you're using, which would be more widely understood as "online-only DRM".
Where does a small self-funded studio get the money for comprehensive QA on its first two games?
the user perceives it to see you using their resources that they've paid for to to help your business at their expense by siphoning off data without them knowing.
To address "at their expense" and "without them knowing": Does an offer to license the game at half price if the user opts into analytics make sense?
My view: good software is clean software, it does nothing without your knowledge
A strict interpretation of that view would require the video game to be distributed as source code, so that the end user has access to knowledge about what the program does. Though Id Software has released its games' engines as free software five years later, I haven't seen a workable business model for funding the development of a game larger than hobby-scale for distribution under a free software license from day one.
That means no DRM
All current video game console platforms have digital restrictions management, as does Apple iOS, and will ordinarily not execute a DRM-free program at all. Offline DRM is still DRM. How should a game be distributed DRM-free? Are you trying to imply, for example, that developers should no longer develop for Nintendo, PlayStation, Xbox, or iOS platforms at all, or alternatively develop unlicensed games for retro consoles (more than 20 years old)? And even if so, what should a developer do to deter mass casual copyright infringement in order to sell more than one copy?
Then you install and run that shit during testing.
I'm curious as to how a 1-, 2-, or 3-man team developing a video game without access to venture capital can make large-scale testing of system compatibility and game balance practical. Do you have any suggestions?
It is intractable for the developer of a game for GNU/Linux, Windows, or Android to test the game for compatibility with every combination of PC or Android device components. Or would you prefer that most games be console-only?
Heat maps don't need to know who died [...] As a developer you'd want to know if a particular part of your game is too hard and kills the majority of players trying to get past it.
Sometimes people who died at position A also died at position B. This may help the level designer identify a pattern of elements that impose an unduly steep skill gradient for players with a particular play style. In order to track this, the developer needs to at least associate an identifier with each loss.
Nor can provision of service be conditional on consent as defined in GDPR. Thus controllers have started to drop a "consent" interpretation of terms of use in favor of a "contract" interpretation.
There is absolutely no reason for something like Venmo to be a native mobile app. They should be moving toward a Progressive Web App
That largely depends on whether Apple has recently closed the gaps in Apple WebKit's support for Progressive Web App APIs.
Those were the two main reasons my company dropped our web site and went to only an iOS app.
That's a possibility, but then you have to make your application compelling enough that prospective users are willing to spend $299 for an iPad mini on which to run your application in addition to what your company charges for a license to use your application.
PayPal is owned by eBay.
In what sense? Last I checked, PayPal went from being an eBay subsidiary to a second IPO as PYPL on Nasdaq back in July 2015 (source). Does eBay retain a controlling interest in PYPL, with the remainder publicly traded or something?
The mortgage, gas and electrical bills are paid with a stamp.
Would you continue to do this even if the utilities in your area start giving a $60 per year or $5 per month discount on your bill for having both email billing and automatic withdrawal enabled?
Do bookmarks let you store a cached copy of a website for later reading while you are offline, such as while you are riding transit to and from work without a subscription to tetherable cellular data? That's why I installed Pocket in the first place before Mozilla included it in the Firefox distribution.
Claiming that the "second world" exists is an explicit claim that the Cold War never ended.
That or defining the Second World as countries that were Warsaw Pact members as of mid-1975, which is what the lead section of Wikipedia's article about the Second World does. It'll take years for Second World mindsets to die off as people who grew up in the Cold War era do the same. So yes, I believe in the lingering effects of ex-Soviet Putinland.
Just like every homeowner is expected to buy connectivity and addressing from their isp?
And when smartphones were new, a lot of people were reluctant to buy a cellular data plan because they were already buying connectivity from their home ISP. Some householders just don't want yet another perpetual utility bill, which means yet another company dipping into the family's checking account and potentially exposing said account to accidental or fraudulent withdrawals that cause overdrafts.
if you're content to use the same domain as thousands of others then there are many free options
You mean free dynamic DNS? One drawback of this has been that Let's Encrypt issues only 20 certificates per registrable domain per week. The dynamic DNS provider has to apply to Mozilla for inclusion on the Public Suffix List, which is administered on a Microsoft-run website. Some are unwilling, and last I checked, others' applications were in a months-long backlog.
and nothing to stop the isp from allocating a subdomain to their customers.
Of course there is: The major last mile ISPs have a business policy not to let home users run servers in the first place. I concede that ISPs have power to amend this policy, but you'd have to show ISPs a good case for amending this policy, as upgrades to more expensive business-class service make them money.
Plus there is always .local and llmnr/mdns if you don't need global reachability of your hostnames.
Neither Let's Encrypt nor any other trusted-by-default HTTPS certificate authority does .local. It violates the CAB Forum's Baseline Requirements.