This was certainly not the case on PCs. You began to see advantages as early as 1G because that is when some memory had to be moved away from permanently mapped memory on 32-bit. You ended up with a less than 200MB high memory area which was difficult to use effectively and you had to pay the PAE overhead to get it. Best option was to run a non-PAE kernel and forget about that last bit of memory (or run a custom memory split, if you like compiling your own kernel).
2GB was more or less ok and 3GB was a bit of a sweet spot (but who has that?). 4GB brought the extra pain of having to deal with 32-bit devices and DMA32 memory, or you did the sane thing and just gave up on a few hundred MB again to avoid bounce buffers. To be fair, DMA32 plagues 64-bit Linux as well, but it should not be much of an issue on modern hardware anymore.
Anyway, Android uses a 1GB/3GB memory split, so 1GB is still an unfortunate amount of memory, and all current Android devices are 32-bit.
Russia doesn't have the logistics to go to conventional war with EU. There is no way it could get its supply lines running to handle that kind of campaign. Even if they did gain air superiority, there are too many anti-air systems in the EU to allow them air supremacy, and without air supremacy the campaign would eventually grind to a halt. Hopefully such all-out conflicts are a thing of the past.
The EU's problem is that it has practically no force projection capability itself. France could handle Mali, but that is approximately the limit. Even an EU where everyone agreed for once would not be able to do anything useful about Syria. Libya showed how dependent the EU is on the US; EU ran out of bombs in no time at all and the operations would be impossible without the US providing information from e.g. satellites and AWACS.
Well on the upside someone actually had to hack their way in. In at least one other country, the telecoms incumbent was sold off, and the national ID registry was outsourced to an American company. When the NSA wants access to either, they will not have to be nearly as crude about it.
With digital TV providing multiple TV channels per MUX, it is a lot cheaper to buy the amount of cards necessary to receive everything. In most cases you can even decrypt a whole bunch of channels with just one subscription card. You will not necessarily get all the fancy features that SnapStream provides, but it is a very affordable solution. HTS-TVHeadend can handle some of the practical details like recording each program into a separate file.
Getting enough disk bandwidth might be a challenge of course, but you need a lot of drives anyway to handle the space requirements. Transcoding is not really practical with that many channels unless you do like SnapStream and use dedicated co-processors per channel.
The Danish experiment was the subject of extended debate on the Danish Engineer's Weekly newspaper (Ingeniøren). Many readers attempted to replicate the experiment, but success was extremely limited. Even the school itself did the exact same experiment again with the opposite result:
"Faktisk kan man her til aften måle at karsen er højst netop lige ud for routeren. I fredags kunne vi se at karsen længst fra routeren var lidt grønnere - end tæt på routeren. Men her til aften vokser den helt jævnt over hele linjen."
"Actually it is possible this evening to measure that the cress is tallest precisely right next to the router. Last Friday we were able to see that the cress furthest away from the router was slightly greener - than close to the router. But tonight it grows evenly along the whole length."
You can look for yourself here: "Cress seeds germinate excellently despite mobile device radiation", which also has links to the other articles, including the first article which started the debate.
Look, you really don't know if the ultimate result of the S-box tweak was enhanced privacy or decreased. You only know about the effect on differential attacks. The problem with that are the "unknown unknowns."
DES has been attacked time and time again. It is completely certain that DES without the S-box tweak would have been useless as soon as differential attacks were discovered in the academic world. Outside NSA, DES has held up pretty well until the key length made it obsolete, with the best theoretical attacks somewhere in the region of 2^39 chosen plaintexts. This is pretty lousy by the standards of any modern cipher, but it is more effort in practice than just brute-forcing a 56-bit key.
So yes, I am completely confident that the S-box tweak enhanced privacy, simply because the cipher was so horribly broken without the tweak.
It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES.
The S-box tweak made DES resistant (well, more resistant) to differential attacks. The shortened key length did not improve security, it reduced security.
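The point of the S-box tweak can be made concrete with a difference distribution table (DDT), the object differential cryptanalysis works from. The following is an added example, not code from the thread: it tabulates, for DES S-box 1 (the table from FIPS 46), how often each 6-bit input difference produces each 4-bit output difference, and compares it with a constructed, deliberately linear S-box. Coppersmith's published DES design criteria cap the largest such count at 16 of the 64 ordered input pairs; a linear S-box maps every input difference to a single output difference with certainty, which is the "useless as soon as differential attacks were discovered" end of the scale. The linear S-box is hypothetical and exists only for contrast.

```python
"""Difference distribution table for a 6-to-4-bit S-box, applied to DES S1.

Added example; not from the original thread. The DES S1 table is the one
published in FIPS 46. linear_sbox() is a constructed weak box for contrast.
"""

# DES S-box 1: rows are selected by the outer two input bits (bit 5 and
# bit 0 of the 6-bit input), columns by the middle four bits.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox(table, x):
    """Evaluate a DES-style S-box on a 6-bit input x, returning 4 bits."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def linear_sbox(x):
    """Constructed weak S-box: the output is XOR-linear in the input, so
    S(x) ^ S(x ^ dx) == S(dx) for every x (hypothetical, for contrast only)."""
    return ((x >> 2) ^ x) & 0xF


def ddt(sbox, in_bits=6, out_bits=4):
    """Return table[dx][dy] = number of inputs x with sbox(x) ^ sbox(x ^ dx) == dy.

    Every row sums to 2**in_bits; row 0 is all mass at dy = 0 by definition.
    """
    n_in, n_out = 1 << in_bits, 1 << out_bits
    table = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table


def max_differential(table):
    """Largest entry over nonzero input differences, as (count, dx, dy).

    count / 2**in_bits is the best one-round differential probability an
    attacker can hope for through this S-box; smaller is better for the cipher.
    """
    best = (0, None, None)
    for dx in range(1, len(table)):
        for dy, count in enumerate(table[dx]):
            if count > best[0]:
                best = (count, dx, dy)
    return best


DES_S1_DDT = ddt(lambda x: des_sbox(DES_S1, x))
DES_S1_MAX = max_differential(DES_S1_DDT)       # bounded at 16 by the design criteria
LINEAR_MAX = max_differential(ddt(linear_sbox))  # 64: fully deterministic differences

if __name__ == "__main__":
    c, dx, dy = DES_S1_MAX
    print(f"DES S1: best differential {dx:#04x} -> {dy:#03x} holds for {c}/64 inputs")
    c, dx, dy = LINEAR_MAX
    print(f"linear box: best differential {dx:#04x} -> {dy:#03x} holds for {c}/64 inputs")
```

The DES S-box lands well below the linear box; the academic attacks on the full 16-round cipher that the comments mention are built by chaining the best per-round differentials, so the per-S-box maximum is what the design criteria had to keep small.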
Raptor Eagle Firewall, which later became the Symantec Enterprise Firewall (but by then the code was hopefully gone). Due to export restrictions, its DES encryption revealed 24 bits that the US authorities could somehow extract. At least that was the explanation given to resellers. This code presumably existed only in the export version. Eventually the export restrictions were lifted and hopefully the code was removed.
I think it is unfair to single out that product though, since every US vendor complied with the same restriction somehow. Others chose to implement IBM's CDMF 40-bit degrade of DES instead.
They could, but they would be noticed. There are browser extensions which check that everyone sees the same certificate. Those would have triggered.
That approach can be used for targeted attacks but it is useless for mass surveillance.
There are some nice "QuickSSL" products from the various CAs, which offer to generate certificates without the hassle of you making your own secret key. For those, having the CA in your back pocket is extremely useful.
The claim is VPNs and SSL... so either a break in RSA or AES, either way SSH would be covered.
You do not need to break RSA or AES to break a lot of VPNs. E.g. if you use aggressive mode IKEv1 PSK (typically plus XAUTH, but that does not actually help), the shared private key can be recovered by offline attacks. NSA supercomputers should have no problem handling most keys. Alternatively, if certificates are used, many organizations buy premade certificates including secret keys instead of going through the trouble of generating their own secret keys. That means the NSA only has to compromise the few certificate vendors.
And this is just the passive attacks the NSA can do. If they actively interfere, they can use downgrade attacks or (for HTTPS) the various TLS vulnerabilities or use proper fake vendor certificates or all sorts of other mischief. That is harder to pull off unnoticed of course.
Very little equipment supports IKEv1 with "raw" RSA keys (no certificates), even though that takes the whole PKI problem away and avoids aggressive mode. I'm only aware of (free|open|libre|strong)SWAN and RouterOS. IKEv2 is almost non-existent, and what little equipment supports it tends to only support the equivalent of IKEv1 main mode with PSK or certificates -- precisely the areas where IKEv1 is already good enough.
For those of us who use proprietary encryption acceleration: how do we know that the session keys are chosen securely and not divulged with steganography somehow? I know that products have existed which did exactly that, revealing part of the encryption key in the encrypted data stream (and I know that because the vendor was fairly open about the practice).
If you aren't gaming, why buy a desktop? I suppose there is still AutoCAD and compiling, but that market seems even smaller than the gaming market.
SPECint and SPECfp are a bit useless, they only test a single core and with modern CPUs you cannot just multiply that number by the number of cores and get a meaningful result.
SPEC has attempted to fix that simply by running multiple copies of the benchmark and aggregating the result as "SPECrate". Whether that measures anything which is useful for actual workloads is debatable. It certainly does not reflect a modern multithreaded workload.
White phosphorus burns for a long time. It is not a particularly fast process, unless you happen to be exposed to a lot of the stuff. You cannot extinguish a white phosphorus fire by cooling it down, so water is generally useless for that purpose -- even if you deprive the affected area of oxygen, it will start burning again as soon as you remove the water.
However, burning people alive is considered a legal form of combat, so white phosphorus, napalm, and flame throwers are not in general forbidden weapons.
They do not really interconnect. They do not accept incoming calls. They probably do not show the original number on caller ID when dialing out, although that can be done with caller ID spoofing in many cases.
Because I can possibly decide that per capita allocations of resources encourage states to grow their populations, and penalize those who whether by accident of history or design have a smaller population.
Your excuses for your ridiculous overconsumption (while still maintaining only a second world median living standard) ring increasingly hollow. You just want to avoid shouldering your responsibility and you are looking for any loophole you can find.
China is working on reducing carbon emissions and poverty while doing more than any other country to lower population. The US in comparison has not even discovered insulation.
All other ports are already open. Practically no one accepts unauthenticated mail on port 465, so that is not really a useful alternative to port 25.
If the total CO2 going into the atmosphere matters, and the average American puts more CO2 into the atmosphere than the average Chinese person, how can you possibly say that China is a worse offender? That kind of thinking lets every small nation (or state or city) off the hook, just because of how borders happen to be drawn.
And no one is asking the US to sacrifice itself. Is the living standard of Northern Europe really all that horrible? That can be done, almost without trying, at half the CO2 emissions per capita of the US. But no, you would rather put the burden on the poor in China rather than having to live like the Dutch or the English or the Swedes.
I work for an ISP. Customers can request to have the port block removed and they can also get their reverse DNS set. I am open to suggestions for how to do better than blocking TCP port 25 by default.
I believe that doing transparent deep packet inspection on TCP port 25 is worse than an outright block. It means buying and servicing more equipment of a type that I would rather have less of, particularly in the current legal climate.
If there were alternatives then it could happen; the reason there isn't any change is that there is no real useful alternative to fossil fuels.
Well for one thing, there is this magic invention called "insulation". It has been around for decades in civilized countries, but alas, the US and North Korea and similar countries are a bit behind the curve here.
per-capita means nothing to the environment BTW
Perfect, split China into 10 countries and global warming is solved!
But releasing tens of thousands of diplomatic cables without reviewing them, which ended up merely revealing embarrassing-but-not-criminal activity on the part of the US government, was something else entirely.
Those cables also revealed that Danish soldiers handed over Iraqi prisoners to the Iraqi police force knowing that the prisoners would be tortured. Alas, no one was prosecuted for this, but it is clearly a war crime. The Danish forces even knew it was a war crime and in later operations brought along a few token British soldiers who happened to be the ones booking in the prisoners, thereby leaving the dirty work to the Brits in an attempt to evade responsibility. That this was done was decided high up in the Danish military hierarchy, almost certainly with the knowledge of the Minister of Defense.
Strangely, there has been zero debate over this in the UK, but the UK population is generally uninterested in human rights at best, and a significant fraction do not believe they should exist at all.
As a Dane, I am very grateful to Bradley Manning for revealing the Danish war crimes.
I do not think that everyone will agree that a packet-inspection gateway is less of an intrusion than an up-front block on port 25.
Anyway, if that becomes popular, spambots will start doing opportunistic TLS. Then your packet-inspection gateway has to man-in-the-middle the TLS connection. THAT is definitely more intrusive than a block on port 25.
They say it's for spam, but since they only filter on ingress, their justification of egress controls rings false.
It is not as bad these days admittedly, but dealing with abuse complaints against your users is a hassle, and even the majority of businesses do not run their own mail server. Blocking port 25 outbound is an easy solution.
Even if you do not block port 25, sending outbound mail from an IP address without a valid somewhat-unique reverse DNS record is pointless. Approximately no one accepts it. In case you manage to get your ISP to insert a reverse DNS record, you are still screwed, because your IP address is likely to be in a "dial-up range" as defined by various unaccountable anti-spam blocklists -- but you probably know all about those, judging by your signature.
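The receiving side of what the last few comments describe (the ISP's default port 25 block and the "approximately no one accepts it" reverse DNS situation) is a set of checks a mail receiver runs on the connecting client's address before taking mail on port 25. The following is an added example, not code from the thread or from any ISP: it implements forward-confirmed reverse DNS (the PTR name must resolve back to the connecting address) and a heuristic for the auto-generated "dial-up range" style names that embed the address itself. The resolver is a constructed in-memory table so it runs offline; all hostnames and addresses in it are made up, and the keyword list is a hypothetical one.

```python
"""Reverse-DNS checks a receiving MTA might apply to a port 25 client.

Added example; not from the original thread. Zone data below is constructed
(documentation address ranges, invented names) so the script runs offline.
"""
import ipaddress
import re

# Constructed fake zone data: address -> PTR name, and name -> A records.
PTR = {
    "203.0.113.10": "mail.example-corp.test",       # proper, forward-confirms
    "203.0.113.11": "mail.example-corp.test",       # claims a name that does not point back
    "198.51.100.7": "198-51-100-7.dyn.isp.test",    # decimal address embedded, dynamic pool
    "198.51.100.8": "host-c633-6408.pool.isp.test", # hex-encoded address embedded
}
A = {
    "mail.example-corp.test": {"203.0.113.10"},
    "198-51-100-7.dyn.isp.test": {"198.51.100.7"},
    "host-c633-6408.pool.isp.test": {"198.51.100.8"},
}

# Hypothetical keyword list; real deployments tune this per provider.
GENERIC_WORDS = re.compile(r"(dyn|dynamic|dhcp|pool|ppp|dial|cust|client)", re.I)


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name, or None if it is missing
    or does not resolve back to the same address."""
    name = ptr.get(ip)
    if name is None:
        return None
    return name if ip in a.get(name, set()) else None


def address_embedded(ip, name):
    """True if the PTR name contains the IPv4 address in decimal or hex form
    once separators are stripped. This is a heuristic: a short address such as
    1.2.3.4 can collide with digits that legitimately occur in a hostname."""
    octets = [int(o) for o in ip.split(".")]
    flat = re.sub(r"[^0-9a-z]", "", name.lower())
    decimal = "".join(str(o) for o in octets)
    hexform = "".join(f"{o:02x}" for o in octets)
    return decimal in flat or hexform in flat


def classify_client(ip, ptr=PTR, a=A):
    """Policy decision for a client connecting on port 25.

    Order matters: a missing PTR and a non-confirming PTR are hard failures,
    the generic-name test is only consulted for names that did confirm.
    """
    ipaddress.ip_address(ip)  # reject garbage before doing lookups
    name = ptr.get(ip)
    if name is None:
        return "reject: no PTR"
    if fcrdns(ip, ptr, a) is None:
        return "reject: PTR does not forward-confirm"
    if address_embedded(ip, name) or GENERIC_WORDS.search(name):
        return "reject: generic/dynamic-looking PTR"
    return "accept"


if __name__ == "__main__":
    for client in ["203.0.113.10", "203.0.113.11", "198.51.100.7",
                   "198.51.100.8", "192.0.2.1"]:
        print(f"{client:15} {classify_client(client)}")
```

The first two checks correspond to Postfix's `reject_unknown_reverse_client_hostname` and `reject_unknown_client_hostname` restrictions; the third is the kind of generic-name scoring that the blocklists mentioned above apply, which is why getting a PTR inserted is necessary but not sufficient.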
2) Rome has a lot more than a flag left standing; their concrete quality was far superior to modern concrete, so there's all kinds of Roman-built stuff still standing and in pretty good shape considering it's 2000 years old. Anything we make out of concrete is usually falling apart after 50 years.
They also used far more concrete to accomplish a given task. Many of the things we build with concrete today could not be built with Roman concrete at all, because while it may have longevity, it does not have sufficient strength for its weight.