Because they're still producing them, because they can still make money out of people who buy and then sign up for live. The more xboxes you buy, the more they make (or the less live subscriptions they get) and thus the more money they lose.
No, but the point of an analysis like this is to try and guess what MS is paying for them. If they just phoned up a salesman and asked "how much for one of your chips?" and put it in the report, this is very bad journalism indeed.
No, it's because they can get away with reaming UK customers for more. Games consoles, games, cds, even music from iTMS all cost a lot more here, not because it costs the producers any more, just because we pay it.
Aren't they breaking competition laws if they're using their profits from elsewhere (i.e. windows/office) to subsidise another area and put competitors out of business there, like when Murdoch sold one of his newspapers ridiculously cheap with money from television profits to put another newspaper out of business. (IIRC, may be an unproven allegation, IANAL, etc.)
I've never seen one sold at a loss on its own - you have to sign a contract to buy the service for a minimum period, so all it actually is is a rent-to-buy thing.
I use Konqueror and it starts up far faster, can do everything I've ever tried to, and is very customizable, far more so than firefox seems to be. The whole extensions thing ultimately works against firefox as far as I can see - good, useful things get pushed out to extensions, and the codebase is that much smaller so they don't feel as much need to speed it up.
I don't really have enough information to figure out the progression here. How long would it take to generate 2^64 files with the same MD5. How about 2^128? I'm guessing it would be a huge amount of time.
No, it would be just less than 2x as long. The actual numbers are possibly something different, but there's a finite limit, some n for which you don't take more than n times as long however many collisions you want to generate.
Yes, it does - but it's perfectly reasonable to think plagiarism is equivalent to stealing (and thus use the terms interchangeably) but normal copyright infringement isn't.
Vista is going to have native x64 support in release, if these companies don't write the drivers, at least for products that are currently shipping they are going to lose customers, people are much more likely to get new $10 doo hickies, then they are to return a $1,000 computer.
Surely it's even easier to get a $0 replacement OS?
He needs to know numbers so he can get the parts made. $SEMICONDUCTOR_MANUFACTURER won't make you one or even a thousand of your chip. 100 million was probably where the economics of scale hit being able to make them for $100.
If you get rid of the attribution that's qualitatively different from just copying without permission, and (imo of course) morally equivalent to stealing. Were Sony just distributing the GPL'd code that would be the same as downloading their MP3s, but distributing it and claiming it was their own work is something worse.
Microsoft, at the moment, is going to concede the market to the alternatives. So how exactly does this become "Microsoft mean to blind users!"
Because it's more like "Microsoft, at the moment, is going to refuse to support ODT in the hope of getting Massachusetts to back down". Blind users need an office program with ODT support and accessibility. MS could make them one very easily. But they aren't, and for political rather than technical reasons.
The only thing that has to be re-written is 32-bit drivers. They are only breaking "driver" compatibility for legacy hardware. However hardware makers have started (last summer) to write the 64 bit drivers for their hardware, so I wouldn't worry to much about that.
I'm worried, or would be if I used windows. Big names will probably write them, but will random taiwanese (e.g.) USB network adapters work with the new windows?
In any event, if I have CRC32, MD4 and MD5 hashes for a given string, wouldn't it be massively more difficult to find another string with the same values for all three hashes, even though each hash has been `cracked' individually? (A citation to some sort of discussion would be useful, rather than just saying `no'.)
I used to provide detailled explanations for why it isn't more difficult but got fed up. I suppose it could be argued that it would be better not to post at all, but at least this way you know it isn't significantly more difficult and can look up more. Briefly, and approximately, most (read: every real-life one) attacks on hash functions both allow you to generate arbitrarily many plaintexts with a particular hash with only a little more effort than making two, and will also allow you to get your two things with the same hash from a (sufficiently large) list of plaintexts as easily as getting two things with the same hash given a "free" area (which is, again, how every real-life attack I've seen works). So say you were doing the thing with the postscript documents that was used to demonstrate an MD5 attack recently - they basically need two sections like 'var x = "xxxxxxxxxx"' and 'var x = "yyyyyyyyyyy"' with the hash of both being the same, and then because the same thing appended to both will give two things which also have the same hash (arguably a flaw, but necessary to be able to do nice things like hashing user input or stuff coming over the network) we can make the documents we want. Now, in their example they used the fast MD5 attack to only generate two such strings, but it's just as easy (almost, it's IIRC something like 1.5x as many cycles to generate 3, 1.75x as much to generate 4 and so on) to generate as many as you like, given enough bits. So if we're e.g. taking MD5 and MD4, they're IIRC both 64-bit hashes, so we start by saying we'll have a 128-bit xxxxxx string. Using our MD5 attack we generate (approximately) 2^64 of them with the same MD5. Now, I haven't studied the MD4 attack in as much detail as I'd like to, but I would be amazed if it could not be applied to find a collision among these 2^64 strings (on average, such a collision exists; to make it more certain, add a few bits, start with maybe 140-bit strings and generate 2^70 of them or so). If it isn't, we can do it the other way round - use the MD4 attack to generate 2^64 strings for which 'var x = "xxxxxxxx"' has the same MD4, and then apply the MD5 attack to find a collision among these - and that I know for certain would work.
But isn't SHA-1 just a few steps further from the grave than MD5 (for lack of a better way of putting it?)
Up to a point, but it's still stronger than MD5 ever was. Anything where the hash needs to be secure long-term needs to move away from SHA1 as quick as practical, and I wouldn't trust it against NSA etc. But neither of these really applies to P2P - unlike say a digitally signed contract where being able to generate one with a matching signature months or years later is security-breaking, being able to generate a fake file with the same hash even a day after it was downloaded does an attacker no good. So we can pretty much keep using SHA1 for bittorrent up to the moment there is a practical attack, though of course we need to make sure the infrastructure is in place to move to another hash immediately that happens. It's something to bear in mind, and it would certainly be an incredibly stupid idea to use SHA1 for any new protocol, but it's not an immediate problem.
That, and BT wasn't the only thing I was thinking of, though maybe none of the p2p systems use MD5.
I think we're lucky in that the timescales are such that any P2P system would not have used MD5 for situations that need a secure hash. MD5 has been known t
50% of the world is NOT free! If you count number of countries, the shithole dictatorships far outnumber the free countries. If you count number of people in non-free countries, China makes 25% single-handed.
What we need is application sandboxing; that is, restrict an application's access to system resources when it runs (think chroot jails but on a much grander scale). The key to this (as with any security system) will be to balance security with usability, i.e. not make it so anal that you can't actually do anything.
And therin lies the problem. You can achieve most of the effect of this idea by running as non-admin - but it will either not be restricted enough to make any difference, or be so restricted you can't put up with it. Yes, it's partly ignorance that people don't know what needs access to what, but the amount of learning needed to be able to do decent per-application sandboxing is unreasonable to expect from the average user.
Slashdot Mirror
If we wait until they've driven one of the others out of business it will be too late. They look to have seriously hurt nintendo.
Because they're still producing them, because they can still make money out of people who buy and then sign up for live. The more xboxes you buy, the more they make (or the less live subscriptions they get) and thus the more money they lose.
No, but the point of an analysis like this is to try and guess what MS is paying for them. If they just phoned up a salesman and asked "how much for one of your chips?" and put it in the report, this is very bad journalism indeed.
No, it's because they can get away with reaming UK customers for more. Games consoles, games, cds, even music from iTMS all cost a lot more here, not because it costs the producers any more, just because we pay it.
Aren't they breaking competition laws if they're using their profits from elsewhere (i.e. windows/office) to subsidise another area and put competitors out of business there, like when Murdoch sold one of his newspapers ridiculously cheap with money from television profits to put another newspaper out of business. (IIRC, may be an unproven allegation, IANAL, etc.)
I've never seen one sold at a loss on its own - you have to sign a contract to buy the service for a minimum period, so all it actually is is a rent-to-buy thing.
In Korea, only old people use the gimp.
I use Konqueror and it starts up far faster, can do everything I've ever tried to, and is very customizable, far more so than firefox seems to be. The whole extensions thing ultimately works against firefox as far as I can see - good, useful things get pushed out to extensions, and the codebase is that much smaller so they don't feel as much need to speed it up.
No. There is no patch, it is a zero-day.
Because it's so much simpler, and the codebase is so much smaller than more popular browsers, one would expect it to have far fewer security flaws.
Just use links. You don't miss out on anything really useful, and you get less of the junk.
If it needs an extension to do something as basic as decide which sites are allowed scripting, it's a flawed browser.
Score 1 for the "language is fixed in place forever and never changes" crowd
No, it would be just less than 2x as long. The actual numbers are possibly something different, but there's a finite limit, some n for which you don't take more than n times as long however many collisions you want to generate.
Yes, it does - but it's perfectly reasonable to think plagiarism is equivalent to stealing (and thus use the terms interchangeably) but normal copyright infringement isn't.
I wasn't aware vista was server-only.
Vista is going to have native x64 support in release, if these companies don't write the drivers, at least for products that are currently shipping they are going to lose customers, people are much more likely to get new $10 doo hickies, then they are to return a $1,000 computer.
Surely it's even easier to get a $0 replacement OS?
Have you tried koffice? It's lacking some things, but nothing I've noticed, and it performs far better than OOo even in another DE.
He needs to know numbers so he can get the parts made. $SEMICONDUCTOR_MANUFACTURER won't make you one or even a thousand of your chip. 100 million was probably where the economics of scale hit being able to make them for $100.
Sony are competing with Apple, but Microsoft are competing with Apple and Google, so Microsoft are still more evil.
If you get rid of the attribution that's qualitatively different from just copying without permission, and (imo of course) morally equivalent to stealing. Were Sony just distributing the GPL'd code that would be the same as downloading their MP3s, but distributing it and claiming it was their own work is something worse.
Because it's more like "Microsoft, at the moment, is going to refuse to support ODT in the hope of getting Massachusetts to back down". Blind users need an office program with ODT support and accessibility. MS could make them one very easily. But they aren't, and for political rather than technical reasons.
I'm worried, or would be if I used windows. Big names will probably write them, but will random taiwanese (e.g.) USB network adapters work with the new windows?
The first one this story seems to be http://it.slashdot.org/comments.pl?sid=168395&cid= 14040484.
In any event, if I have CRC32, MD4 and MD5 hashes for a given string, wouldn't it be massively more difficult to find another string with the same values for all three hashes, even though each hash has been `cracked' individually? (A citation to some sort of discussion would be useful, rather than just saying `no'.)
I used to provide detailled explanations for why it isn't more difficult but got fed up. I suppose it could be argued that it would be better not to post at all, but at least this way you know it isn't significantly more difficult and can look up more. Briefly, and approximately, most (read: every real-life one) attacks on hash functions both allow you to generate arbitrarily many plaintexts with a particular hash with only a little more effort than making two, and will also allow you to get your two things with the same hash from a (sufficiently large) list of plaintexts as easily as getting two things with the same hash given a "free" area (which is, again, how every real-life attack I've seen works). So say you were doing the thing with the postscript documents that was used to demonstrate an MD5 attack recently - they basically need two sections like 'var x = "xxxxxxxxxx"' and 'var x = "yyyyyyyyyyy"' with the hash of both being the same, and then because the same thing appended to both will give two things which also have the same hash (arguably a flaw, but necessary to be able to do nice things like hashing user input or stuff coming over the network) we can make the documents we want. Now, in their example they used the fast MD5 attack to only generate two such strings, but it's just as easy (almost, it's IIRC something like 1.5x as many cycles to generate 3, 1.75x as much to generate 4 and so on) to generate as many as you like, given enough bits. So if we're e.g. taking MD5 and MD4, they're IIRC both 64-bit hashes, so we start by saying we'll have a 128-bit xxxxxx string. Using our MD5 attack we generate (approximately) 2^64 of them with the same MD5. Now, I haven't studied the MD4 attack in as much detail as I'd like to, but I would be amazed if it could not be applied to find a collision among these 2^64 strings (on average, such a collision exists; to make it more certain, add a few bits, start with maybe 140-bit strings and generate 2^70 of them or so). If it isn't, we can do it the other way round - use the MD4 attack to generate 2^64 strings for which 'var x = "xxxxxxxx"' has the same MD4, and then apply the MD5 attack to find a collision among these - and that I know for certain would work.
But isn't SHA-1 just a few steps further from the grave than MD5 (for lack of a better way of putting it?)
Up to a point, but it's still stronger than MD5 ever was. Anything where the hash needs to be secure long-term needs to move away from SHA1 as quick as practical, and I wouldn't trust it against NSA etc. But neither of these really applies to P2P - unlike say a digitally signed contract where being able to generate one with a matching signature months or years later is security-breaking, being able to generate a fake file with the same hash even a day after it was downloaded does an attacker no good. So we can pretty much keep using SHA1 for bittorrent up to the moment there is a practical attack, though of course we need to make sure the infrastructure is in place to move to another hash immediately that happens. It's something to bear in mind, and it would certainly be an incredibly stupid idea to use SHA1 for any new protocol, but it's not an immediate problem.
That, and BT wasn't the only thing I was thinking of, though maybe none of the p2p systems use MD5.
I think we're lucky in that the timescales are such that any P2P system would not have used MD5 for situations that need a secure hash. MD5 has been known t
Care to provide a source for that claim? As of 1997, approximately 60% of the world's population lived in free countries.
And therin lies the problem. You can achieve most of the effect of this idea by running as non-admin - but it will either not be restricted enough to make any difference, or be so restricted you can't put up with it. Yes, it's partly ignorance that people don't know what needs access to what, but the amount of learning needed to be able to do decent per-application sandboxing is unreasonable to expect from the average user.