Slashdot Mirror


User: billstewart

billstewart's activity in the archive.

Stories
0
Comments
7,948
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 7,948

  1. Threats aren't usually good invitations on The End of the Free PCI Device List (Update) · · Score: 1
    They didn't invite him to continue _his_ website. They ordered him to discontinue _his_ website, but suggested that he could donate his effort for free to them for a website that they control the content of, going through his employer so they aren't even paying for it.

    It was a really dumb approach - the right thing would have been a request from the PCI-SIG themselves, not from their lawyers, asking to do something rather than ordering him to stop. It's too bad for the Linux community, because we get at least as much value out of the list as the PCI businesses do, but I can see why he's stopping. And unfortunately the Wayback machine's last entry for it was from October 2001.

  2. No Karma Bonus for You! on How Close is the Open Entertainment Center? · · Score: 1

    Bogus!
    Bogosity!
    Bogosification!

  3. Where has all the Karma gone? on How Close is the Open Entertainment Center? · · Score: 1

    Excellent!
    But the postings come out Bogus!

  4. Word Processor Encryption and other apps on Decrypting the Secret to Strong Security · · Score: 1
    There _are_ lots of people who will insist that their secret proprietary algorithm is more secure, but most of them are obviously selling snake oil.

    The more serious problem is applications from major software vendors that include passwords or other security features that aren't secure, and are closed-source not to protect the crypto, but just because they're proprietary applications. A couple of obvious examples are A Popular Word Processor from a Large Company in the Northwest and Several ZIP archivers that have passwords and Microsoft's initial PPTP products which totally botched their use of RC4 and had several other serious bugs.

    A somewhat different example is RSA's trade-secret-limited sale of the RC4 algorithm and implementations of it. That wasn't kept secret to protect it against crackers, it was kept secret so they could charge money for toolkits instead of people implementing the algorithm themselves, possibly more successfully than patent licensing on RSa public-key had been, and the reason to believe it was secure was that it was written by Ron Rivest and checked by his coworkers, who are one of the few groups with enough credibility to get away with such an otherwise-dodgy approach. (The NSA and KGB can also, but besides having a repuration, they've also got a captive audience...)

  5. Re:test please ignore on Decrypting the Secret to Strong Security · · Score: 1

    another test, without checking the little box

  6. test please ignore on Decrypting the Secret to Strong Security · · Score: 1

    hey, where's my karma bonus?

  7. Validity for secret keys on Decrypting the Secret to Strong Security · · Score: 1
    I disagree on a couple of points
    • For a given application, there's a length of time that you need to have a valid signature. Maybe it's "forever", or just your lifetime, or the length of time that a contract is valid, or the appropriate Statute of Limitations for fraud, but it's a usage-dependent issue, not a technical issue.
    • The corresponding technical issue is whether your signature system, and the operational environment around it, is strong enough to protect it that long. It's easier if you use a strong algorithm with enough key bits to prevent cracking during the lifetime of the planet, but you've still got key protection to worry about.
    • Once your key is known to be compromised, then obviously future signings are known not to be trustable, but this leaves two big problems - how to tell when the key was compromised, and how to tell when a signature was made. If you know that the signature wasn't compromised until your laptop was stolen, or your business partner left your firm, that's one thing, but it's often harder to be sure. But more importantly, a signature doesn't usually have a trustable timestamp on it, so without some additional mechanism for dating the signing event, or a problem space where old signatures aren't interesting, it's hard to tell whether a signature was made before or after the compromise, because the person who used the leaked key to forge the document might have also forged the date on the document. (There are applications like signing Diffie-Hellman keyparts when setting up a secure phone call where you don't care about old signatures on documents, you just care about right now.)
  8. NSA , DVDCSS,and Hardware Crypto on Decrypting the Secret to Strong Security · · Score: 1
    The extreme case of binary-only is hardware-embedded crypto. It's definitely harder for Bad Guys to crack, since software leaves all their bits out in the open waiting for you to run them under a debugger, while hardware modules often don't let you see much of the internals, and can sometimes arrange to trash themselves if opened. The big use of them in the US was the NSA providing them to the military; back before we had good crypto, there were a lot of probably simplistic algorithms that depended on hardware-provided obscurity to be secure.

    Aside from covering up weak design, and providing higher performance back when that was still a limitation of general-purpose hardware, there actually are good reasons for hardware crypto. The primary one is key protection - software systems make it too easy to leak keys, and whether you're using persistent keys of some sort for identity and authentication or only using Diffie-Hellman key exchange to create transient keys, you still need to protect them during a session.

    One way to look at binary-only software is that it's really just bad documentation; source code is much better documentation. It's unable to keep secret keys secret, and as demonstrated a couple of years ago, there's no guarantee that some 15-year-old kid won't figure out how to use your code as well as revealing how lame it is :-)

  9. Crypto if Factoring is Solved on Decrypting the Secret to Strong Security · · Score: 1
    Factoring and Discrete Log appear to be hard problems, but if somebody is able to get a Shor-type quantum computer with enough resolution to crack practical key sizes, we could lose them. But we're not back to square one if that happens. Not only do we know a lot more crypto math than a few years ago, but there are still cryptosystems that QC doesn't solve, such as most symmetric-key systems (or at most, it cuts the effective keysize in half, so you go use triple-AES or whatever.)

    There are Key Distribution System approaches using symmetric keys, such as Kerberos, that we'll have to remember how to do if this happens. They're not as nice as public-key, and I'm not aware of any digital signature systems using them (which is a big lose), but they can still provide privacy.

  10. Isn't ESR the top Gun-Hacker around here? on Linux Top Gun Hacker Contest Report · · Score: 1

    There are a bunch of firearms enthusiasts in the open-source software community, but ESR's probably one of the most vocal :-)

  11. Yep, Lessig's ahead of his time :-) on Disney Wins, Eldred (and everyone else) Loses · · Score: 1

    Hey, I copied the date text directly off the web page... apparently without reading it carefully :-)

  12. Re:A question on Disney Wins, Eldred (and everyone else) Loses · · Score: 2
    • Some people reading this are still 20, not that I'm one of them, and may very well be around for 80 more years.
    • Some people hope the Great Nanotech-powered Singularity will let them still be alive then, either through better medicine repairing damaged cells, or (less likely) uploaded to some non-Intel hardware, or (even more speculatively) frozen for later thawing. The "N Years After You're Dead" versions of the law cover at least the first of these cases.
    • Many people expect to have children and maybe spouses surviving them, who'll get at least a few years use of "N years after you're dead".
    • Some people expect to have grandchildren or great-grandchildren that will be benefiting from it, for the larger values of N.
    • Some people have organizations they want to donate money to, whether it's charity or foundations doing good work or whatever.
    • Some people want to spend the money now, and they'll get a lot more money for it if it's good for longer periods of time. Fixed-term copyrights seem more fair to me, but certainly a "copyright-expires-the-day-you-die" rule would severely reduce the amount of money an 80-year-old author can get for a book compared with an equally good book written by a 20-year-old.
    • Long-time-period work-for-hire has mixed appeal to me - it's one thing for genuine work-for-hire, like IBM paying to have somebody write a manual for their C0B0L code, but it feels different for record-company deals where work-for-hire contracts get used to rip off musicians; this way you can never get your songs back, though I suppose it does mean that you'll get ASCAP royalties trickling in for a long time if your song happens to sell.
  13. But it's also good news on New Substrate Tech Creates System LCDs · · Score: 2

    ... and for just about the same reason, which is that you can build communication systems with cryptographic protection that don't have hooks for wiretappers. It's really two sides of the same coin, with the big difference being who decides what features they want to include and who decides the content being communicated. If your one-piece-communicator has hooks in it that let the Department of Homeland Security listen in on your video calls, the same features can also let Joe Script-Kiddie copy the movies you're watching on it. And besides, you didn't really want to take the lame analog feed from your monitor or use a logic probe to extract the signals between your CPU and onboard video GPU or audio d/a converter anyway just to pirate movies as opposed to grabbing them digitally where you can transmit or compress them, so a device with integrated LCD and video display won't change that much.

  14. Copy of Lessig's Blog Article on Disney Wins, Eldred (and everyone else) Loses · · Score: 3
    Lessig Blog
    losing

    So I've got to go get onto a plane to go to my least favorite city (DC). My inbox is filling with kind emails from friends. Also with a few of a different flavor. It's my nature to identify most closely with those of the different flavor. David Gossett at the law firm of Mayer Brown wrote Declan, "Larry lost Eldred, 7-2." Yes, no matter what is said, that is how I will always view this case. The constitutional question is not even close. To have failed to get the Court to see it is my failing.

    It has often been said that movements gain by losing in the Supreme Court. Some feminists say it would have been better to lose Roe, because that would have built a movement in response. I have often wondered whether it would ever be possible to lose a case and yet smell victory in the defeat. I'm not yet convinced it's possible. But if there is any good that might come from my loss, let it be the anger and passion that now gets to swell against the unchecked power that the Supreme Court has said Congress has. When the Free Software Foundation, Intel, Phillis Schlafly, Milton Friedman, Ronald Coase, Kenneth Arrow, Brewster Kahle, and hundreds of creators and innovators all stand on one side saying, "this makes no sense," then it makes no sense. Let that be enough to move people to do something about it. Our courts will not.

    I will always be grateful to Eric Eldred, and our other plaintiffs, for putting his faith in this case. I will always regret not being able to meet that faith with the success it deserves.

    What the Framers of our constitution did is not enough. We must do more.

    posted on [ Jan 16 03 at 1:31 AM ] to [ eldred.cc ] [ 12 comments ]

    the opinions

    There were three opinions. The majority was written by Justice Ginsburg. Justice Stevens wrote a dissent, as did Justice Breyer.

    posted on [ Jan 16 03 at 12:42 AM ] to [ eldred.cc ]

    with deep sadness

    The Supreme Court has rejected our challenge to the Sonny Bono Law.

    posted on [ Jan 16 03 at 12:09 AM ] to [ bad law ]

  15. D'Oh, forgot to finish on Slashback: :CueCat, Exercise, Wormage · · Score: 2

    Oh, right. So who were they? Doesn't matter, because they were a dot-bomb, and they're dead now..... Ran out of cash and valuable prizes, unplugged the DSL, and eventually the gym rolled them out of there.

  16. Reading /. on a gym bike on Slashback: :CueCat, Exercise, Wormage · · Score: 2
    A year or two ago, when I joined a gym, the place had about four exercise bikes with touchscreen computer screens on them, fed by some sort of DSL system. You could either use them to access the Internet, or to play music, and they tracked how long you'd been pedaling and gave you points which you could accumulate for fabulous prizes or something if you wanted to give up your privacy.

    Unfortunately, you had to keep pedaling at a steady rate or it would interrupt whatever fun stuff you were doing on the computer to nag you about getting your butt in gear and pedaling faster, which meant you couldn't do much typing (typing being a relatively inaccurate and clumsy process when you're bouncing around on a bike.) So this meant that most of what you could do with the computer was try to get it fired up into some news site before it nagged you and then do a lot of pagedowns. Well, there was an obvious site to read while biking, which was Slashdot. It was a bit tedious, since the screen was only 640x480, but it was halfway manageable or at least, as long as you didn't want to write long, insightful, informative articles like this one, anyway....

  17. Morrises on Appropriate Punishment For Crackers? · · Score: 2

    The younger is Robert Tappan Morris, and he's at MIT http://www.pdos.lcs.mit.edu/~rtm/. Among other things he's done some stuff on high-performance routing and computer security.

    The elder is Robert H. Morris, not sure the middle name.

  18. Cool - Actual numbers, not just fond memories :-) on Alpha Lives! But Who Will Market It? · · Score: 2

    Interesting that both the 1GHz Itanium2 and the 1250 MHz Alpha are similar in speed to the 2800MHz Xeon (a bit slower integer, a good bit faster floating point), with less than half the clock rate.

  19. Palladium is Not TCPA; TCPA is worse on Discuss BIOS and Palladium Issues With an AMIBIOS Rep · · Score: 3, Informative
    Palladium is a set of Microsoft software capabilities that lets application programmers content providers have some control over what the operating system will do with their stuff and lets Microsoft provide some control over what you can do with your Microsoft-Operating-System environment. If it wants to avoid hackers working around its limitations, it also needs some hardware support, but you only get Palladium if you install the corresponding Windows versions, and you only care if you've got data files that are in Palladium formats, like whatever music/movies format MS can negotiate. If you're a Linux user, you're used to this problem; nothing to see here, you can move along.

    TCPA is a different issue - it's a set of BIOS features that will only let the machine start up if it's running a certified operating system configuration (which the hardware validates as unmodified), and a set of features that let an operating system and application programs check that the system is running in TCPA-approved mode (that's a bit similar to Palladium, but still fundamentally different), and a set of things that the system won't do if it's not running a certified system. Depending on which version of the spec and proposed followons you're reading and how aggressive the implementation is, there may be things that you'd like to do that you can't do on a non-certified system - like use the sound card, or maybe the _video_, or maybe it won't boot at all, or maybe it just won't let you load kernel modules, plus it obviously won't tell the software that you're running in Trust-Us mode if you're not.

    Obviously, an aggressive implementation won't fly for many Linux users, but it may still be usable by Linux _consumers_. The best case is somewhat like having a car with the hood welded shut and a security system that disables it if you mess around; you can paint it any color you'd like, and put whatever you want in the trunk, but you can't start the engine unless your seatbelt's on and you blow in the breathalyzer (which is hard to reach when you're wearing your seatbelt, of course), and if you take the radio out, the radio won't work and the car won't let you put a different radio in, so the RIAA knows you're not playing MP3-CDs in your car, but at least it isn't always tuned to MS-NBC, though if you're playing a non-RIAA-certified CD, it only plays on the tinny little mono speaker in the dashboard, not the four-way tunable woofers or the heads-up display system, and if you do tune to a different radio station, it only uses the right-hand speaker if Rush Limbaugh is on, and only uses the left-hand speakers if it's National Public Radio, and I'm sorry but you can't play Free Radio Berkeley at all...

  20. Re:Test, please ignore on New Generation of Cases? · · Score: 2

    remember those //s. Watch out for truncation.

  21. Test, please ignore on New Generation of Cases? · · Score: 1

    Shoebox? Way too big.

  22. Re:Proposed Morris Worm Punishment on Appropriate Punishment For Crackers? · · Score: 2
    Morris's father once broke into my computer accounts when we were both at Bell Labs in the early 80s. He was the Unix security head, and I was a newbie trying to learn about security, and had posted something to an internal newsgroup about how I thought I had my account properly secured but wasn't sure - I got a phone call the next morning from somebody who wouldn't give his name at first, telling me what was in my "secure" file :-) One evening later that week somebody in his department used a writeable-terminal hack to knock me offline, unfortunately interfering with a good game of Rogue.

    Somebody from Rutgers described the amount of damage the worm did there as "half a day cleaning up the machines, five days answering phone calls from reporters and bureaucrats about it". They certainly were calmer days, and there was nothing malicious about any of it, unlike way too much of the PC virus world. The press's accuracy was about the same back then, though... I remember an article in ~1979, in one of the Bay Area papers, probably the Oakland Trib, about how "Hackers from Berkeley" had found a security hole in "The Unix, a computer made by DEC", which was really about things you could do sending escape sequences to semi-smart terminals that could get them to send things back to the computer as if the user had typed them.

  23. SE definition depends on company on Discuss BIOS and Palladium Issues With an AMIBIOS Rep · · Score: 2
    Depending on the company, sometimes an SE is also involved in post-sale configuration, or helping the customer deal with installation problems, or free or paid consulting on how to solve the customer's next project or problem, or hand-holding or repairs after somebody screws up something. In some companies, those are separate functions, done by separate people, but they're also part of making the next sale in an ongoing relationship.

    Fortunately, I can and do believe in the products and services I do SE-type work on :-), and to a reasonable extent, I've got a good understanding of their limits. I wouldn't do it otherwise. Ethics are a critical part of engineering. The alternative to "moral flexibility" is that you have to understand your products, and your business, and your industry, and your customer's needs, and sometimes be creative about finding solutions to problems that aren't a close match to what you'd like to sell.

    That doesn't mean I think our stuff is perfect, and when there are limitations that affect the performance a customer will get from them, I'll be happy to tell them; most customers that have their engineers at meetings appreciate this, which is why the sales people bring me. Sometimes it means telling the customer's engineer "Yes, we don't handle the third left-hand flow-control-bit the way you'd like, but that's really only a 1% performance difference, and you can have your purchasing guy haggle with our sales guy over whether to buy a bigger circuit or give you a bigger discount on the price, but remember that we're handling the right-hand flow-control bits in ways that give you N% better performance than the old network did."

  24. Proposed Morris Worm Punishment on Appropriate Punishment For Crackers? · · Score: 2
    Somebody suggested that an appropriate punishment for Robert Morris would have been a few hours of community service, cleaning up the mess he'd made... on every machine that was infected. (The "6000 machines infected" was a really rough estimate, based on a wild-guess 10% times the 60,000 machines on the Internet at the time.)

    These days, of course, 6000 machines is a drop in the bucket - some of the popular viruses have infected millions of machines, and even the ones that only used them to send love notes to other targets often tended to lose useful email access for a day or two; destructive viruses can be a lot worse, especially for the vast majority of people who don't have adequate backups of their data.

  25. VPN setup is easy, and you'll do it anyway on Wi-Fi Alliance To Brand Public Hotspots · · Score: 2
    Sure, as a hacker it's fun to install FreeS/WAN (First do a clean recompile of your kernel....) But commercial VPN products, including the VPNs in the older free PGP versions, are usually much easier to install on Windows desktops, with standard Windows installers. The simplicity either requires you to use pre-shared passwords, or else have an administrator who _did_ do some complex work on your corporate firewall, but for most modern business you're going to do that anyway.

    Of course, using 802.11 without using firewalls is seriously risky, and I'm not optimistic about whatever Son-of-WEP is called really fixing the problem well. But that's a separate issue.