1999 also saw the release of Homeworld, also one of the first fully 3d real time strategy games, which was also (fairly) recently released as source although not under gpl. There's now a working port at http://www.thereisnospork.com/projects/homeworld/. It's really very very good, and the game's available for £5 most places. If you haven't played it, do.
wtf? How is lisp a multi-paradigm language? It's functional programming through and through.
Python is a proper multi-paradigm language. Do OO if you want, do functional if you want, do imperative if you want. Lisp is less multi-paradigm than c++, at least there you have the choice of OO or imperative.
No and no. The GPL does nothing to prevent you using gpled works with others, however any derived works must also be GPL. Technically you may need to license the public domain dictionary to yourself under the GPL before combining them, but that's no trouble.
Many people prefer to use GPL as it's definitely open source and the FDL has some serious problems. As long as you define "source code" and "binary" appropriately, I'd actually reccomend using GPL for everything.
No, there is an important difference. This site may be an exception, but normally people don't keep a web browser in the background continuously refreshing a page for when it changes. They read the page and move on. RSS is designed to let people do exactly that, and it's what they do. RSS is for truly dynamic pages, which HTML isn't really designed for although, again, this site shows it can work. And it has been argued that the old "client requests page, server sends it" model isn't suitable for this kind of use.
That would be great. However, it won't be allowed. Artists moan about "integrity", and, more importantly, this would mean they could no longer release remixes and special editions for more $$$.
If I have some special device, like an iPod or a Palmpilot, the software that deals with that device should be able to take any format and make it work on the device (probably by transmogrifying it to whatever the device favors).
Yes, it should. However, quite often it doesn't, and even when it does there's often no software for non-windows systems.
/using his lovely 20-hours-on-a-cd atrac3 player as a normal cd player
Indeed. Originally games, along with everything else, were copyright for 14 years and after that they were free for everyone. Then Disney bought enough politicians to change that.
OK, that's good, but it shouldn't have happened at all. What kind of quality control do they have that they released a stable version with a feature that annoys the hell out of a significant proportion of users AND NO WAY TO TURN IT OFF?
The biggest problem with spatial nautilus, however, is not giving users a preference for it. The gnome devs must have known some people would hate it. And yet they not only made it the default but made it impossible to switch back (ok, you can switch with a registry edit, but they made it as difficult as they could). To me that says there is something very wrong with the way their process works.
Do it in Qt instead. Really, python + qt is a joy to program in. Qt is actually easier to use in python than c++, you don't need to worry about declaring slots separately etc.
I don't have pointers I'm afraid. But if you look at the design MD5 and to a lesser extent SHA1 are based on MD4, and they're related. I'm not sure anyone's found an exploitable pattern, but it is there. It may well not be the case if you use RIPEMD and MD5 or SHA, as I don't think there's a common heritage there, and I don't really know much about RIPEMD.
As far as the second point is concerned, you're partly right, but for this particular attack there's enough variety in the set of strings you can get that any attack against "normal" (other hash) is almost certainly going to be effective. Given that most "intelligent" attacks are based around the idea of modifying small sections of a binary, and you can get a set with a small section which is arbitrary with the same MD5, I think these would still work against (other hash).
The one place where combining hashes does make sense is if both are thought to be equally secure, to hedge your bets if one is broken. But adding a weak hash to a strong one does not make it any stronger, you're better off lengthening the strong hash. Switching to SHA-256 is a better way to improve security than combining MD5 and SHA1, and will probably be easier to implement as well.
The thing is that with this attack you don't have a set of four strings with the same MD5 hash, you have a set of as many strings as you want with the same MD5 hash. At that point finding two of these strings with the same (other hash) is no harder than finding any two strings with the same (other hash). And in fact it's easier than that because most hashing algorithms used today do have things in common - the probability that two strings with the same MD5 also have the same MD4 is much greater than the probability that two random strings have the same MD4.
Sorry to reply twice, but I've just realised why this is completely impractical. PGP uses session keys because encrypting a typical email takes too much computing power. The power or time needed grows exponentially with the size, a typical 700mb iso would take ~2^3000000 times as long as a typical 700b email to encrypt. That's why we always sign hashes rather than files themselves, which means attacks like this are important.
No, that's nonsense. This attack lets you create not just two different binaries with the same md5, but arbitrarily many. Then you just use the attacks against md4 or md2 on this set of binaries. Actually I think for md4 you don't even need to do that, as you can make a binary for an arbitrary md4 fairly easily.
SHA-1 plus MD5 is still secure, yes, but only because SHA-1 is still secure, you might as well just use SHA-1. If you want to improve security, use a double-length version of SHA-1, not SHA-1 plus MD5.
Or he can create two files that MD5sum to the same result. But he has to have control over both files, which offers effectively no advantage to someone who is trying to spread malware or tamper with existing archives that have been MD5summed.
No, this does give an advantage to someone trying to spread malware. I create a cool little game and release it with an MD5 sum. Various important people say that it's a good game, works, and won't mess up your computer. Then I switch it with the one including some trojan. MD5 still matches. Profit. But I thought that attack existed anyway.
Linux is not an operating system, it's the kernel on which multiple operating systems are built.I don't know about you, but the CDs I installed my operating system from said "Linux" on the front (for anyone who cares, one also said "Slackware" and another also said "Mandrake"). Like it or not, the OS is called Linux, as well as the kernel.
I think the real question is why wouldnt you want a calendar in your e-mail program? Other than complying with occam's razor?
Thinking that way is a quick path to feeping creaturitis. The whole point of firefox and thunderbird is that they don't have unnecessary things integrated, thus meaning they are useable on sub-ghz machines.
Possibly, but that will most likely be the organisation's DNS server (mail.foo.com only has an entry on dns.foo.com, not on any random dns server which will only have an address for foo.com) and with a sufficiently paranoid organisation the reverse lookup will be enough to worry them. After all, you would be doing that if you were planning to attack their network.
The speed of java is the one to be afraid of. Python at least lets you use C for things which you need to.
1999 also saw the release of Homeworld, also one of the first fully 3d real time strategy games, which was also (fairly) recently released as source although not under gpl. There's now a working port at http://www.thereisnospork.com/projects/homeworld/. It's really very very good, and the game's available for £5 most places. If you haven't played it, do.
Python is a proper multi-paradigm language. Do OO if you want, do functional if you want, do imperative if you want. Lisp is less multi-paradigm than c++, at least there you have the choice of OO or imperative.
No and no. The GPL does nothing to prevent you using gpled works with others, however any derived works must also be GPL. Technically you may need to license the public domain dictionary to yourself under the GPL before combining them, but that's no trouble.
Many people prefer to use GPL as it's definitely open source and the FDL has some serious problems. As long as you define "source code" and "binary" appropriately, I'd actually reccomend using GPL for everything.
No, there is an important difference. This site may be an exception, but normally people don't keep a web browser in the background continuously refreshing a page for when it changes. They read the page and move on. RSS is designed to let people do exactly that, and it's what they do. RSS is for truly dynamic pages, which HTML isn't really designed for although, again, this site shows it can work. And it has been argued that the old "client requests page, server sends it" model isn't suitable for this kind of use.
That would be great. However, it won't be allowed. Artists moan about "integrity", and, more importantly, this would mean they could no longer release remixes and special editions for more $$$.
Yes, it should. However, quite often it doesn't, and even when it does there's often no software for non-windows systems.
/using his lovely 20-hours-on-a-cd atrac3 player as a normal cd player
You compared them to the people in the story
Indeed. Originally games, along with everything else, were copyright for 14 years and after that they were free for everyone. Then Disney bought enough politicians to change that.
A bad law is a bad law and enforcing one is a bad thing.
OK, that's good, but it shouldn't have happened at all. What kind of quality control do they have that they released a stable version with a feature that annoys the hell out of a significant proportion of users AND NO WAY TO TURN IT OFF?
The biggest problem with spatial nautilus, however, is not giving users a preference for it. The gnome devs must have known some people would hate it. And yet they not only made it the default but made it impossible to switch back (ok, you can switch with a registry edit, but they made it as difficult as they could). To me that says there is something very wrong with the way their process works.
Do it in Qt instead. Really, python + qt is a joy to program in. Qt is actually easier to use in python than c++, you don't need to worry about declaring slots separately etc.
As far as the second point is concerned, you're partly right, but for this particular attack there's enough variety in the set of strings you can get that any attack against "normal" (other hash) is almost certainly going to be effective. Given that most "intelligent" attacks are based around the idea of modifying small sections of a binary, and you can get a set with a small section which is arbitrary with the same MD5, I think these would still work against (other hash).
The one place where combining hashes does make sense is if both are thought to be equally secure, to hedge your bets if one is broken. But adding a weak hash to a strong one does not make it any stronger, you're better off lengthening the strong hash. Switching to SHA-256 is a better way to improve security than combining MD5 and SHA1, and will probably be easier to implement as well.
The thing is that with this attack you don't have a set of four strings with the same MD5 hash, you have a set of as many strings as you want with the same MD5 hash. At that point finding two of these strings with the same (other hash) is no harder than finding any two strings with the same (other hash). And in fact it's easier than that because most hashing algorithms used today do have things in common - the probability that two strings with the same MD5 also have the same MD4 is much greater than the probability that two random strings have the same MD4.
Sorry to reply twice, but I've just realised why this is completely impractical. PGP uses session keys because encrypting a typical email takes too much computing power. The power or time needed grows exponentially with the size, a typical 700mb iso would take ~2^3000000 times as long as a typical 700b email to encrypt. That's why we always sign hashes rather than files themselves, which means attacks like this are important.
The problem with that is that the "signature" will be larger than the file itself. Not good for 700mb isos over dialup.
People who want secure hashes have already been using SHA-1 for some time. (Secure Hashing Algorithm, if you want to know)
SHA-1 plus MD5 is still secure, yes, but only because SHA-1 is still secure, you might as well just use SHA-1. If you want to improve security, use a double-length version of SHA-1, not SHA-1 plus MD5.
No, this does give an advantage to someone trying to spread malware. I create a cool little game and release it with an MD5 sum. Various important people say that it's a good game, works, and won't mess up your computer. Then I switch it with the one including some trojan. MD5 still matches. Profit. But I thought that attack existed anyway.
Use movix instead, or geexbox, or one of several other knoppix-style cds which include it. Or compile the descrambler off a t-shirt.
Linux is not an operating system, it's the kernel on which multiple operating systems are built.I don't know about you, but the CDs I installed my operating system from said "Linux" on the front (for anyone who cares, one also said "Slackware" and another also said "Mandrake"). Like it or not, the OS is called Linux, as well as the kernel.
Thinking that way is a quick path to feeping creaturitis. The whole point of firefox and thunderbird is that they don't have unnecessary things integrated, thus meaning they are useable on sub-ghz machines.
Possibly, but that will most likely be the organisation's DNS server (mail.foo.com only has an entry on dns.foo.com, not on any random dns server which will only have an address for foo.com) and with a sufficiently paranoid organisation the reverse lookup will be enough to worry them. After all, you would be doing that if you were planning to attack their network.