I am concerned that the article implicitly states that the intellectual property really does belong to SCO; ie. that SCO is defending its rights but is being defeated in the courtroom. Look at these few quotes:
Once a quiet member of the Linux community, SCO is a software provider for small to medium-size businesses, with $79 million in revenue last year. . .
SCO began demanding payments for its intellectual property in lawsuits filed against at least three major corporate customers of Linux.
SCO sent out a bevy of lawyers--notably David Boies of United States v. Microsoft fame--demanding that users of Linux pay a fee for the use of SCO's intellectual property. "It's time to step up and claim the ownership rights that are rightly ours," McBride said in September 2003.
This was sacrilege to the free Linux community and a direct threat to IBM, which makes money on Linux not by selling software but by providing support services and hardware.
Anyone reading this who is not familiar with the case will conclude that SCO really does have "something", but is being threatened by IBM who stands to make a great profit from Linux, and that the "free Linux community" are religious zealots (note use of word "sacrilege"; I would have preferred "antithetical" or something).
So, yes, the article does admit that SCO is losing in court. But to a layman, SCO is the victim. Hope the media makes progress on this.
(As an aside, one thing I do hope for is that Rob Enderle get his just deserts. Any media pundit who gets up and argues on an emotional basis with no rational support for his arguments deserves to be shown for the fraud he is.)
Awww, frick, gimme a break, SCO! First you sue, then you fart at the media through your mouth, then when you're about to get pounded to a pulp in court (oops, wasn't that your own sledgehammer that you're about to get pounded with?), now you try to tell everyone that IBM committed fraud. It ain't selling! What's next, IBM is really controlled by evil aliens from outer space?
The time of overblown media hype is over. You're not getting any more credibility (or stock investment) just from making more and more specious claims. And, in fact, thank you for doing this so that when some other company tries this tactic (whether or not with the IT industry), the public can remember, "Wait, didn't SCO try that, too?" And hopefully when ill-informed investment analysts advise a buy on this, the public can remember, "Wait, didn't Forbes try to convince us that SCO had something? Didn't Laura Didio say that they had a strong case?" And if they refuse to react to sensationalism, maybe, hopefully, companies will have less incentive to keep burping out lawsuits just to inflate their stock.
Whew, that is about as insightful as I can get at this point given how irritated (pissed!) I am with SCO. Just when you thought they had run out of ways to disgust the industry...
Yeah, with a link to goat.cx . Someone mod this guy down. We do like to have our fun with newcomers to Slashdot but this isn't appropriate. (Yeah, yeah, I know it's not goatse.cx, it's goat.cx, probably because goatse.cx was unilaterally shut down.)
No need for bike lock with Brompton folding bike (on Steel Bolt Hacking)
I use a Brompton folding bike and don't use a lock. It comes with me wherever I go. You don't need a lock when the bike is collapsible into a volume that fits under your office chair. (I'd post a link to my web page showing the photos as it folds, but my web hoster would strangle me for slashdotting their site.)
Well, at least you can rest assured that, at the worst, it's your *computer* that gets infected with a computer virus, not you yourself with a biological virus...
Hang on, I just noticed a web site with this news: "Microsoft announces new feature in WinXPhorn Avalon.NET OutlookPoint 2006: automatic administration of cholera vaccine simply by clicking on the VACCINATION button (requires use of new Fingerpoke Mouse hardware with Embedded Injection Technology from Microsoft)."
Actually, they're not as bad as you think. I set my locale to China and language to Chinese (Mandrake Linux v10). Directory listings and anything else with tables and column headings are aligned much more nicely because each heading is more or less the same length (2-3 Chinese words) rather than widely varying word lengths.
You know, I was thinking... this might be a way for Microsoft to look good in terms of responding to vulnerabilities.
Imagine: security hole found in IE by Joe Slashdotter. He tells MS. Two months go by, with no response. He publishes the hole. Only then does MS jump on it. When castigated, MS says, "Oh, but we already notified both of our premium customers ages ago! It only APPEARS to these Slashdot people that we took a long time, because for some reason they didn't sign up for our Premium Let-Us-Tell-You-How-We-Screwed-Up-Again Early Notification service!"
And in follow up to the parent's post, I want to ask:
[from TFA]
3) On the issue of ignoring patent claims... there is at least rough consensus that the participants of the working group cannot accurately describe the specific claims of the patent application.
This stems from the fact that the patent application is not publicly available. [emphasis mine] Given this, it is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application. We do feel that future changes regarding the patent claim or its associated license could significantly change the consensus of the working group, and at such a time it would be appropriate to consider new work of this type.
So... what, if they did publish the patent, they could decide to include it in a standard? Seeing the patent doesn't prevent the patent owner from taking advantage of it, does it? (In fact, seeing the patent makes it easier to be sued for infringement.) Or am I missing something here?
Does your suggestion of using apt-get really solve the grandparent poster's problem?
The problem comes if you need, say, version 4 for your new program, but you already have version 3 installed. You can't simply overwrite version 3, because then all the existing programs that depend on it will break. Apparently you can't just have separate copies of 3 and 4, since I have yet to find an installation tool that will let you do this.
My impression was that separate versions of libraries (*.so) couldn't coexist. If this is simply due to my package installer (urpmi on Mandrake) rather than the Linux library itself, then I am mistaken.
Prior to settling on Mandrake, I tried to use Debian. I really did, honest. I even tried LibraNet. I could not, for the life of me, wrap my mind around dselect, the front-end to apt-get, much less apt-get itself. It kept telling me that I had unresolved dependencies, and could I please resolve them? And after (I thought) I had done so, it would tell me that I still had (other?) unresolved dependencies. Every time I tried to download something, apt-get would spend half an hour pulling packages off the net, stash it somewhere obscure on my hard drive, install, and then tell me that something was still unresolved. When I tried to twiddle it, it would then spend another half hour pulling the same packages off the net. I didn't know where the packages were stored; I didn't know how to tell dselect to use the packages that it had already ****ing downloaded rather than go on the net again.
Documentation was next to non-existent, except for that one big HTML site on TLDP that assumed you already knew all the Debian terms. One example told me to add a certain line to the "apt.conf" file (not sure if that was the exact filename). I couldn't find this file, for the life of me. Later I discovered that I was supposed to create this file if it didn't exist. Hello!! Newbie here!! Shouldn't you SAY this in your instructions!?
Every time I asked for help, people would talk above my head (not deliberately, I'm sure, but it seems that the gurus had lost touch with what it was like to be a newbie). One guy kept using the word "source" in a weird way, and it took me forever to realize that the word had multiple meanings (1. the origin of the Debian packages; 2. source code; 3. the name of the back-end that pulls packages off the net); when I pointed it out, he acted as if I were born yesterday, as if it should be not only obvious that there were multiple meanings, but obvious which meaning was intended when. All further requests for documentation pointed me back to that one TLDP site.
I tried Mandrake, looked at http://mandrakeuser.cjb.net/ (Step-by-Step Guide to Mandrake), and haven't looked back since.
Now, if you say that apt-get can install multiple versions of libraries where urpmi can't, then I'll dig into apt-get for RPM's. But, boy, slogging through Debian was a great drain on time.
Don't take this as an attack on Debian; take it instead as a newbie's perspective. This was over a year ago, and I hope Debian's improved since then, but honestly, I really tried. (Btw, yes, I now know that Debian caches its packages in /var/cache/apt or something.)
You can't legally pick and choose which trial results you send to FDA when you apply for approval. You have to send everything.
One word: Celebrex
(As I mentioned in my previous post, Searle obviously did not give everything to the FDA, who fast-tracked the approval.)
You are right that, realistically, you can't get people to use a drug based on a single trial; that's just an extreme example to show that even placebo can do well if you study it hard enough and allow publication bias. In real life, presumably there would be some efficacy to the drug, which can then be biased favourably with publication bias.
You certainly would, if you too were composed of two paragraphs of two sentences each. In fact, for a moment I thought it was you yourself that Garcia posted up there.
So, have you figured out what alternatives there are if you resent Comcast?
Agree with parent: classroom/formal learning has its place.
Consider this: you've been a geek, and a Windows admin-geek for 5 years. Admittedly, you are capable of learning rapidly just from books and experimenting. So, fine, you can do it the "sink or swim" way with Slackware or Gentoo or Linux From Scratch, and at the end of that you can emerge triumphant from the guts of Linux knowing that you really know the system well. But wouldn't it be much faster to go through the formal training, to give yourself structure and direction in learning? With a bit of classroom learning, couldn't you direct your self-learning that much better? (Admittedly, one of the drawbacks with classroom learning is that it can hold you back, so make sure that you get your own computer in classroom learning so that you can zoom off on your own rather than wait for the lecturer to get through the topics in his/her slow plodding way.)
If the results from using methodology A the first time were bad, then they would move on to methodology B and give it a whirl. This way they could do many studies using different methodologies but only register and publish the favorable ones.
It's much harder to set your own study methodology (and still get the same respect). The family doc who makes an effort to do evidence-based medicine (as opposed to "this is so because my doddering old professor back in medical school said that his teacher said it was so") looks for several key points in the abstract of the journal articles. (What, you think s/he has time to read the whole thing?) You want a randomized, double-blind placebo-controlled multi-centre study with a large sample of the general population. If these keywords are there, the doc jumps to the "conclusion" heading and generally acknowledges it to be valid. The main text of the article is just for medical students who have to do their presentations. :)
randomized: what/who determines which patient goes into which comparison group? If you ask for patients to volunteer to "try the experimental drug" or "try the placebo", you get selection bias: the patients willing to try the drug may be sicker (this could mean that the drug works better, or doesn't work as well). If you say, "Okay, everyone at Dr. Smith's clinic gets the real drug, and everyone at Dr. Jones' gets placebo," there may be other biases. If it ain't randomized, people get purty suspishus.
double-blind: not only do the patients not know whether they're taking the real drug (that would be single-blind), but the doctors who treat the patients also don't know (double-blind). This prevents a doctor from saying, "I'm not telling you whether you're taking the real drug, but do you feel better? Are you sure? Don't you feel just a teensy weensy bit better?" All patients are assigned a number, and at the end of the trial, some oversight committee reveals which patients got which drug.
placebo-controlled: you have to compare it with something, even if it's just placebo. Got a group where 60% of people improved on the drug? If 50% of the people improved on placebo, it certainly puts a different light on things.
multi-centre: this means that the study took place at various locations, hopefully drawing on different groups. If it were one inner city hospital, that's one thing; if it's five different urban centres in five different countries, that's another.
large sample size: Having a thousand patients (500 per group) would be nice. I generally ignore anything less than N=200. (Multiple low-budget studies can be combined by meta-analysis to achieve the same effect, *if* the experimental conditions are similar.)
general population: some studies target certain segments of the population, such as "diabetics over age 65", which would narrow the market. The wider the population to whom the study is applicable, the better.
There are other study methodologies with such names as "cohort studies", "case-controlled", "retrospective" which get some respect but are viewed generally as a steppingstone to getting funding for the ultimate gold standard, the randomized clinical trial. So if a company's drug trial works with case-controlled, that might not be enough to get FDA approval for whatever labeled use they're after.
Would companies be desperate enough to do this? You bet.
I bet not. These studies can cost millions. Sure, BigPharma has BigMoney, but you're suggesting that they can easily soak a 2000% increase in their phase 4 clinical trial budget!? No way.
If you could take a placebo and fund 20 studies to show that it worked, wouldn't you? That's like saying, I can sink millions and billions into this research to prove that potato chips cure cancer. And I hold the patent on the potato chip. I gain the ability to market this directly to consumers ("scientific studies have shown that it works...") You know how big a market we're talking about? Anything under a billion in expenses is peanuts in comparison.
Btw, it's Phase 3. Phase 1 = safety (does it HARM people?); phase 2 = effectiveness (any sign that it works at all?); phase 3 = efficacy (does it work better than placebo / standard of care?); phase 4 = aftermarket (now that we're selling the drug, have we run into any problems?)
And nothing stops a drug company from funding a bunch of studies that aren't registered, and then registering duplicate studies that they then expect to be most favorable.
The results of the studies are random, or contain randomness. If you fund a bunch of studies (say, 20 studies) and one of them shows positive results, you can't just duplicate the results. You'd have to duplicate the study, again asking a hospital or two to recruit 300 patients to test the drug, and this time the results might not be positive. You can't even recruit the same patients over, because the standard is to recruit the first consecutive 300 patients to walk in the door who fit the criteria (and consent to the study, of course) to prevent selection bias. Any other way of recruiting would raise red flags that any medical student could spot a mile away.
Funny that a colleague and I were talking about this the other day. Clinical studies and general statistics in (peer-reviewed) medical journals generally use a "0.95 confidence interval".
What this means is that, if left to chance, the experiment/trial/study would be positive in only 1 in 20 times. Example: you give a bunch of sick people an experimental drug, and you give another bunch of sick people a placebo (or a known standard of treatment). The people on the experimental drug get better. Was it really because of the drug? Maybe it was just random chance --but if that chance is calculated to be only 1 in 20 or less, then we say, "Yeah, it's probably because of the drug, and not just chance."
The overwhelming majority of drug trials are corporate-funded. A company that's desperate enough to get its drug to market could easily fund 20 studies, and even if the drug were just placebo, chances are good that 1 in 20 of those studies would turn out positive. (Yes, yes, I'm just approximating.) Without the "negative results registry", you'd think that the drug was working.
Would companies be desperate enough to do this? You bet. I'm not saying that any particular company did this, but consider what happens to get a drug to market. Someone invents a molecule (typically a lab with 12 employees or something), gets bought by a biotech firm with 4 employees (they subcontract everything out), some other lab tests it on animals, some other firm develops a formulation (tablets, capsules, makes sure it doesn't melt inside the bottle or degrade, etc.), a big drug company buys the formulation (or the entire firm) and starts gearing up for clinical trials while submitting for FDA approval. This all takes about five years. What if it doesn't work out? As a backup, the Big Pharma Company also invests in about five backup compounds, and each of those compounds has five backup compounds. We're talking about, after ten years and researching thirty compounds, you might get ONE drug out to the market. (Btw, my wife is the project manager for a bunch of these drug research pipelines at one such Big Pharma company.) But, boy, will that drug make it big! What if the drug didn't really work? Well, let's make it look like it did! (I can see Big Pharma CEO's rationalizing this as "let's put it in the best light possible.")
Example of drug research being biased? Ever heard of celecoxib (Celebrex)? Wow, anti-inflammatory pain reliever that, unlike ASA (Aspirin) or ibuprofen (Advil, Motrin), does NOT irritate your stomach! No stomach bleeding (uncommon but serious side effect of ASA/ibuprofen)! They did the research and showed that people actually did (statistically) significantly better than ASA after six months. JAMA (Journal of the American Medical Association) published the study and even sang its praises in the editorial. They get it out and market it to all the physicians all over the place.
And then we find out that the study went on for more than 6 months. We find out that beyond 6 months, the people using Celebrex got WORSE, and deteriorated until at 12 months, they were no better than ASA users. Boy was the JAMA editor mad! (If I recall, he even publicly lambasted Searle for this in the New York Times.)
But you know what? It didn't matter. Celebrex was everywhere, on American TV ads, and people asked for it. Docs who don't really have time to delve into the medical literature already had established in their mind that "Celebrex is better". (My colleagues certainly continued to use it even when ASA was sufficient.) And the drug reps, who ooze snake oil from their skin pores, keep pushing it. One drug rep even questioned my choice of medication when I was getting it from our drug sample closet. I lit into her like you wouldn't believe. Is she the doctor or am I?? (whew, catharsis, feel better now)
So, yes, I think the companies are perfectly capable of doing this (stacking the studies). The benefits are just too great. I welcome the use of the clinical trial pre-registry.
"Caller ID" is not the caller identification service that's available on phones right now. They're referring to an email sender verification system that acts sort of like what your caller ID is to phones, so they nicknamed it "caller ID".
This is OT, but just to let you know, Partition Expert from Acronis can create a boot CD. Boot off that, and you don't need to worry about partitioning a drive that it's running on.
I bought mine early last year (US$45, downloaded) because Partition Magic 6.0 (which I had also bought) didn't work with Linux. PM v7.0 did work with ext2 (or was it ext3 already?) but by that time I was using ReiserFS on all my drives.
Drawback to Acronis Partition Expert: in the 2003 version, at least, you have to run it under Windows to create the boot CD. I still had Win2k at the time. Now that I haven't booted Windows in a year-and-a-half, I have to keep the ISO image around.
Yes, yes, I know, I should be using GNU Parted and Ranish Partition Manager and all that free stuff. But I just wanted it to work and wasn't averse to paying a bit. Great program.
Someone can bring me up to date on the newest versions on Partition Magic / Partition Expert
In this case, the attacker and the creator of the file are the same person. (I'll say why this is the only important case.)
The attacker/creator creates two files that have the same hash, by adding an arbitrary string of the attacker/creator's choice, using some excuse that will fool some people. Then you get a hash collision.
In your question, you're asking what if YOU add an arbitrary salt string of your choice, and then do the MD5 hash. In this case, the attacker cannot choose your string. But then what use would your new MD5 hash be? You would need to compare it to another MD5 hash (presumably, that of the originating site) which also used the salt string of your choice.
Suppose I post my file, and the MD5 hash is "123abc" (for argument's sake). You get the same MD5 hash after downloading my file. But now you say, "Hey, just to be sure: when I add 'xyzzy' to the front, the MD5 hash is '456def'. Did you get the same thing?" So now I have to go back and rehash it for xyzzy+file.
Then someone else says, "Hey, when I add 'plugh' to the front, I get '321cba'. Did you get the same thing?" Pretty soon I'll be having all these requests and have to post all these hashes. So I say, "Okay, I'm just going to pick some arbitrary string, like 'sf9FD798dfs' and do the hash." The danger is that some people would get fooled into thinking that this is the ONLY hash that needs to be checked (and not the file without the salt), and so it's much easier for me to create a collision.
Adding an arbitrary salt makes it less secure. Here's why:
MD5 will still be able to protect your file (binary or authenticated message, whatever) from being tampered with by SOMEONE ELSE, but not by yourself. One of the problems with the hash collision attack is, as suggested in TFA, someone creates two files that have the same hash (easier than creating a file that has the same hash as another pre-specified file) and submits the good one to be trusted before substituting it for the evil one.
Suppose you write a program:

    if (user == root) {
        omnipotent_flag = True;
    }

But what you really want is to write this malware:

    if (user == backdoor) {
        omnipotent_flag = True;
    }

But --gosh darnit, the resulting two programs generate two different MD5 hashes! What to do?

Well, use the excuse of some arbitrary salt string:

    if (user == root) {
        omnipotent_flag = True; /* I'm just inserting this arbitrary string to randomize the hash --yeah, that's it.
                                   ujiUFIDO94305-8345JFKL:JKDFLS:f */
    }

Hey, now you can generate your own malware program:

    if (user == backdoor) {
        omnipotent_flag = True; /* Inserting whatever random characters it takes to generate the same MD5 hash:
                                   rewAFDSADSF5435435#$%#$% */
    }
Of course, the example doesn't have to be as blatant as this, but you can see where this is going:
- the "random" salt can be at the beginning, with a nice-looking comment, and if it is short (like your example of "xyzzy"), it might be accepted. A 5-letter "salt" can increase your number of available files by 64^5 (assuming 64 characters are acceptable as "letters"). One of those might just generate a hash that matches the malware!
- Yes, I know the idea is that the hashes match for both the file with the salt and the file without the salt. But you can imagine someone saying, "Yeah, I added this RANDOM salt [laughs evilly to himself] and the hashes still match!" and the sheeple will say, "Wow, it must be a match --I guess I don't need to bother checking the hashes of the original unsalted file."
What is needed is a widely accepted Standard Salt String that is pre-pended to the file, and when people list the MD5's of a file, they also list the MD5's for the file with the Standard Salt String, and both must match. As long as it's the community that chooses the SSString, and not the contributor, the SSString can be any arbitrary sequence of characters, like, oh, say, "m1cr0$0f7 5Ux0R5".
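An added example, not part of the post above or any poster's code, that makes the "where does the salt go" argument concrete. It uses a toy 32-bit Merkle-Damgard hash of my own construction, not MD5, so that a block collision can be found by brute force in well under a second; the chaining argument is the same for MD5 and any other Merkle-Damgard hash. "Salt" here means a known string glued onto the file before hashing, as in the post, not a per-user password salt. The names toy_md, compress, find_block_collision, the IV constant and the "good"/"evil" sample contents are all my assumptions for the demo.

```python
"""Toy Merkle-Damgard hash: where a 'salt' goes decides whether a collision survives.

This is NOT MD5. It is a deliberately tiny 32-bit construction with the same
chaining structure, so a block collision can be found by brute force quickly.
The structural facts it shows (a collision in a prefix survives any common
suffix; a verifier-chosen prefix changes the chaining state) hold for MD5 too.
"""
import random
import struct
from typing import Dict, Tuple

BLOCK = 8                 # bytes per message block (MD5 uses 64)
MASK32 = 0xFFFFFFFF
IV = 0x6A09E667           # toy initial chaining value (assumed; any constant works)


def _mix(x: int) -> int:
    """Non-linear 32-bit mixer (multiply + xorshift). Bijective on its own."""
    x = (x * 0x9E3779B1) & MASK32
    x ^= x >> 16
    x = (x * 0x85EBCA77) & MASK32
    x ^= x >> 13
    return x


def compress(state: int, block: bytes) -> int:
    """Toy compression function: fold one 8-byte block into the 32-bit state.

    64 bits of block go in, 32 bits of state come out, so many blocks map to
    the same output state; that is exactly what makes a collision possible.
    For a fixed block the map state -> state is a bijection, so once two
    chaining states differ they stay different through identical later blocks.
    """
    assert len(block) == BLOCK
    lo, hi = struct.unpack("<II", block)
    return _mix(_mix(state ^ lo) ^ hi)


def toy_md(data: bytes, iv: int = IV) -> int:
    """Merkle-Damgard: pad (0x80, zeros, 64-bit length), then chain compress()."""
    msg = data + b"\x80"
    msg += b"\x00" * ((-len(msg)) % BLOCK)
    msg += struct.pack("<Q", len(data))
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state


def find_block_collision(iv: int = IV, seed: int = 20040825) -> Tuple[bytes, bytes]:
    """Birthday search for distinct blocks A != B with compress(iv, A) == compress(iv, B).

    About 2**16 compress() calls for a 32-bit state. For MD5 this step is the
    hard part (the published collision attack); the chaining argument after it
    is identical.
    """
    rng = random.Random(seed)          # seeded so the demo is reproducible
    seen: Dict[int, bytes] = {}
    while True:
        blk = struct.pack("<Q", rng.getrandbits(64))
        st = compress(iv, blk)
        other = seen.get(st)
        if other is not None and other != blk:
            return other, blk
        seen[st] = blk


def salt_after_collision_helps(a: bytes, b: bytes, salt: bytes) -> bool:
    """True if appending `salt` after the colliding region separates the digests.

    It never does: once the chaining states agree, every later block is
    processed identically, so H(A || salt) == H(B || salt) for every salt.
    """
    return toy_md(a + salt) != toy_md(b + salt)


def salt_before_collision_helps(a: bytes, b: bytes, salt: bytes) -> bool:
    """True if prepending a verifier-chosen `salt` separates the digests.

    The prefix moves the chaining state away from IV, so the attacker's
    prepared pair no longer collides (barring a ~2**-32 fluke here, ~2**-128
    for MD5); the collision search would have to be redone for that prefix.
    """
    return toy_md(salt + a) != toy_md(salt + b)


def demo() -> dict:
    """Run the whole argument once and return the observations."""
    a, b = find_block_collision()
    # Constructed sample content standing in for the post's "good" and "evil"
    # files: both share this tail, only the 8-byte collision blocks differ.
    tail = b"if (user == root) { omnipotent_flag = True; }\n"
    good, evil = a + tail, b + tail
    return {
        "blocks_differ": a != b,
        "files_collide": toy_md(good) == toy_md(evil),
        "appended_salt_helps": salt_after_collision_helps(good, evil, b"xyzzy"),
        "verifier_prefix_helps": salt_before_collision_helps(good, evil, b"plugh"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it reports files_collide True, appended_salt_helps False and verifier_prefix_helps True: a "random salt" the contributor drops at the end of a file, or anywhere after the colliding blocks, changes nothing, while a prefix the verifier chooses forces the attacker back to the drawing board. Two caveats the post's proposal needs: a fixed, publicly known Standard Salt String is known to the attacker in advance, so it only raises the bar to finding one pair that collides both with and without the prefix; and none of this substitutes for a signature over a collision-resistant hash, which is what a downloader should actually be checking.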
An email address like bunty_tifs@yahoo.com could be spelled out as:
B as in Ball U as in Ululation N as in Night T as in Tail Y as in Ytterbium
(underscore) T as in Tall I as in Intransigent F as in Flash S as in Sail
(@yahoo.com)
Of course, that might be interpreted as
D as in Doll U as in Ululatin M as in Might P as in Pale Y as in Ytterbium
(underscore) P as in Paul I as in Intransigent S as in Slash S as in Sail
I am offering a low-cost service to users of Microsoft products. For a mere $5, you will receive a notice that says:
WARNING -- Your product is riddled with security holes!
There, now people can be warned.
Hurry, send in your money now! Otherwise you won't receive notice that Microsoft products are vulnerable!
And in follow up to the parent's post, I want to ask:
So... what, if they did publish the patent, they could decide to include it in a standard? Seeing the patent doesn't prevent the patent owner from taking advantage of it, does it? (In fact, seeing the patent makes it easier to be sued for infringement.) Or am I missing something here?
My impression was that separate versions of libraries (*.so) couldn't coexist. If this is simply due to my package installer (urpmi on Mandrake) rather than the Linux library itself, then I am mistaken.
Prior to settling on Mandrake, I tried to use Debian. I really did, honest. I even tried LibraNet. I could not, for the life of me, wrap my mind around dselect, the front-end to apt-get, much less apt-get itself. It kept telling me that I had unresolved dependencies, and could I please resolve them? And after (I thought) I had done so, it would tell me that I still had (other?) unresolved dependencies. Every time I tried to download something, apt-get would spend half an hour pulling packages off the net, stash it somewhere obscure on my hard drive, install, and then tell me that something was still unresolved. When I tried to twiddle it, it would then spend another half hour pulling the same packages off the net. I didn't know where the packages were stored; I didn't know how to tell dselect to use the packages that it had already ****ing downloaded rather than go on the net again.
Documentation was next to non-existent, except for that one big HTML site on TLDP that assumed you already knew all the Debian terms. One example told me to add a certain line to the "apt.conf" file (not sure if that was the exact filename). I couldn't find this file, for the life of me. Later I discovered that I was supposed to create this file if it didn't exist. Hello!! Newbie here!! Shouldn't you SAY this in your instructions!?
Every time I asked for help, people would talk above my head (not deliberately, I'm sure, but it seems that the gurus had lost touch with what it was like to be a newbie). One guy kept using the word "source" in a weird way, and it took me forever to realize that the word had multiple meanings (1. the origin of the Debian packages; 2. source code; 3. the name of the back-end that pulls packages off the net); when I pointed it out, he acted as if I were born yesterday, as if it should be not only obvious that there were multiple meanings, but obvious which meaning was intended when. All further requests for documentation pointed me back to that one TLDP site.
I tried Mandrake, looked at http://mandrakeuser.cjb.net/ (Step-by-Step Guide to Mandrake), and haven't looked back since.
Now, if you say that apt-get can install multiple versions of libraries where urpmi can't, then I'll dig into apt-get for RPM's. But, boy, slogging through Debian was a great drain on time.
Don't take this as an attack on Debian; take it instead as a newbie's perspective. This was over a year ago, and I hope Debian's improved since then, but honestly, I really tried. (Btw, yes, I now know that Debian caches its packages in /var/cache/apt or something.)
One word: Celebrex
(As I mentioned in my previous post, Searle obviously did not give everything to the FDA, who fast-tracked the approval.)
You are right that, realistically, you can't get people to use a drug based on a single trial; that's just an extreme example to show that even placebo can do well if you study it hard enough and allow publication bias. In real life, presumably there would be some efficacy to the drug, which can then be biased favourably with publication bias.
You certainly would, if you too were composed of two paragraphs of two sentences each. In fact, for a moment I thought it was you yourself that Garcia posted up there.
So, have you figured out what alternatives there are if you resent Comcast?
Agree with parent: classroom/formal learning has its place.
Consider this: you've been a geek, and a Windows admin-geek for 5 years. Admittedly, you are capable of learning rapidly just from books and experimenting. So, fine, you can do it the "sink or swim" way with Slackware or Gentoo or Linux From Scratch, and at the end of that you can emerge triumphant from the guts of Linux knowing that you really know the system well. But wouldn't it be much faster to go through the formal training, to give yourself structure and direction in learning? With a bit of classroom learning, couldn't you direct your self-learning that much better? (Admittedly, one of the drawbacks with classroom learning is that it can hold you back, so make sure that you get your own computer in classroom learning so that you can zoom off on your own rather than wait for the lecturer to get through the topics in his/her slow plodding way.)
It's much harder to set your own study methodology (and still get the same respect). The family doc who makes an effort to do evidence-based medicine (as opposed to "this is so because my doddering old professor back in medical school said that his teacher said it was so") looks for several key points in the abstract of the journal articles. (What, you think s/he has time to read the whole thing?) You want a randomized, double-blind placebo-controlled multi-centre study with a large sample of the general population. If these keywords are there, the doc jumps to the "conclusion" heading and generally acknowledges it to be valid. The main text of the article is just for medical students who have to do their presentations. :)
There are other study methodologies with such names as "cohort studies", "case-controlled", "retrospective" which get some respect but are viewed generally as a steppingstone to getting funding for the ultimate gold standard, the randomized clinical trial. So if a company's drug trial works with case-controlled, that might not be enough to get FDA approval for whatever labeled use they're after.
I bet not. These studies can cost millions. Sure, BigPharma has BigMoney, but you're suggesting that they can easily soak a 2000% increase in their phase 4 clinical trial budget!? No way.
If you could take a placebo and fund 20 studies to show that it worked, wouldn't you? That's like saying, I can sink millions and billions into this research to prove that potato chips cure cancer. And I hold the patent on the potato chip. I gain the ability to market this directly to consumers ("scientific studies have shown that it works...") You know how big a market we're talking about? Anything under a billion in expenses is peanuts in comparison.
Btw, it's Phase 3. Phase 1 = safety (does it HARM people?); phase 2 = effectiveness (any sign that it works at all?); phase 3 = efficacy (does it work better than placebo / standard of care?); phase 4 = aftermarket (now that we're selling the drug, have we run into any problems?)
The results of the studies are random, or contain randomness. If you fund a bunch of studies (say, 20 studies) and one of them shows positive results, you can't just duplicate the results. You'd have to duplicate the study, again asking a hospital or two to recruit 300 patients to test the drug, and this time the results might not be positive. You can't even recruit the same patients over, because the standard is to recruit the first consecutive 300 patients to walk in the door who fit the criteria (and consent to the study, of course) to prevent selection bias. Any other way of recruiting would raise red flags that any medical student could spot a mile away.
(For the record --yes, IAAD.)
Funny that a colleague and I were talking about this the other day. Clinical studies and general statistics in (peer-reviewed) medical journals generally use a "0.95 confidence interval".
What this means is that, if left to chance, the experiment/trial/study would be positive in only 1 in 20 times. Example: you give a bunch of sick people an experimental drug, and you give another bunch of sick people a placebo (or a known standard of treatment). The people on the experimental drug get better. Was it really because of the drug? Maybe it was just random chance --but if that chance is calculated to be only 1 in 20 or less, then we say, "Yeah, it's probably because of the drug, and not just chance."
The overwhelming majority of drug trials are corporate-funded. A company that's desperate enough to get its drug to market could easily fund 20 studies, and even if the drug were just placebo, chances are good that 1 in 20 of those studies would turn out positive. (Yes, yes, I'm just approximating.) Without the "negative results registry", you'd think that the drug was working.
Would companies be desperate enough to do this? You bet. I'm not saying that any particular company did this, but consider what happens to get a drug to market. Someone invents a molecule (typically a lab with 12 employees or something), gets bought by a biotech firm with 4 employees (they subcontract everything out), some other lab tests it on animals, some other firm develops a formulation (tablets, capsules, makes sure it doesn't melt inside the bottle or degrade, etc.), a big drug company buys the formulation (or the entire firm) and starts gearing up for clinical trials while submitting for FDA approval. This all takes about five years. What if it doesn't work out? As a backup, the Big Pharma Company also invests in about five backup compounds, and each of those compounds has five backup compounds. We're talking about, after ten years and researching thirty compounds, you might get ONE drug out to the market. (Btw, my wife is the project manager for a bunch of these drug research pipelines at one such Big Pharma company.) But, boy, will that drug make it big! What if the drug didn't really work? Well, let's make it look like it did! (I can see Big Pharma CEOs rationalizing this as "let's put it in the best light possible.")
Example of drug research being biased? Ever heard of celecoxib (Celebrex)? Wow, anti-inflammatory pain reliever that, unlike ASA (Aspirin) or ibuprofen (Advil, Motrin), does NOT irritate your stomach! No stomach bleeding (uncommon but serious side effect of ASA/ibuprofen)! They did the research and showed that people actually did (statistically) significantly better than ASA after six months. JAMA (Journal of the American Medical Association) published the study and even sang its praises in the editorial. They get it out and market it to all the physicians all over the place.
And then we find out that the study went on for more than 6 months. We find out that beyond 6 months, the people using Celebrex got WORSE, and deteriorated until at 12 months, they were no better than ASA users. Boy was the JAMA editor mad! (If I recall, he even publicly lambasted Searle for this in the New York Times.)
But you know what? It didn't matter. Celebrex was everywhere, on American TV ads, and people asked for it. Docs who don't really have time to delve into the medical literature already had established in their mind that "Celebrex is better". (My colleagues certainly continued to use it even when ASA was sufficient.) And the drug reps, who ooze snake oil from their skin pores, keep pushing it. One drug rep even questioned my choice of medication when I was getting it from our drug sample closet. I lit into her like you wouldn't believe. Is she the doctor or am I?? (whew, catharsis, feel better now)
So, yes, I think the companies are perfectly capable of doing this (stacking the studies). The benefits are just too great. I welcome the use of the clinical trial pre-registry.
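The "fund 20 studies and one comes out positive by chance" argument from this post (and the 300-patient, 1-in-20 figures from the earlier replies in the thread), simulated as an added example that is not part of the original comments. The response rate, arm sizes and one-sided z-test are my own constructed assumptions, chosen only to model a drug that is really placebo.

```python
import math
import random

# Constructed model of the thread's scenario: a drug that is really placebo,
# tested in 300-patient trials (150 per arm), with "positive" meaning the
# drug arm beat the placebo arm at the usual 1-in-20 (p < 0.05) threshold.
N_PER_ARM = 150
TRUE_RESPONSE_RATE = 0.4   # assumption: 40% of patients improve on their own
ALPHA = 0.05

def one_sided_p(drug_successes: int, placebo_successes: int, n: int) -> float:
    """Two-proportion z-test, one-sided: P(drug arm beats placebo by chance)."""
    p_drug, p_pla = drug_successes / n, placebo_successes / n
    pooled = (drug_successes + placebo_successes) / (2 * n)
    se = math.sqrt(2 * pooled * (1 - pooled) / n)
    if se == 0:
        return 1.0
    z = (p_drug - p_pla) / se
    return 0.5 * math.erfc(z / math.sqrt(2))   # upper tail of the normal

def run_null_trial(rng: random.Random) -> bool:
    """One trial where both arms share the same true response rate.
    Returns True if the trial would be reported as 'the drug works'."""
    drug = sum(rng.random() < TRUE_RESPONSE_RATE for _ in range(N_PER_ARM))
    placebo = sum(rng.random() < TRUE_RESPONSE_RATE for _ in range(N_PER_ARM))
    return one_sided_p(drug, placebo, N_PER_ARM) < ALPHA

def simulate(batches: int = 500, trials_per_batch: int = 20, seed: int = 1):
    """Fraction of individual null trials that come out positive, and the
    fraction of 20-trial programmes with at least one positive to publish."""
    rng = random.Random(seed)
    positives = 0
    batches_with_hit = 0
    for _ in range(batches):
        hits = sum(run_null_trial(rng) for _ in range(trials_per_batch))
        positives += hits
        batches_with_hit += hits > 0
    return positives / (batches * trials_per_batch), batches_with_hit / batches

def expected_batch_hit_rate(trials_per_batch: int = 20) -> float:
    """Closed form: 1 - (1 - alpha)^k, about 0.64 for k = 20."""
    return 1 - (1 - ALPHA) ** trials_per_batch

if __name__ == "__main__":
    per_trial, per_batch = simulate()
    print(f"null trials reported positive: {per_trial:.3f}")
    print(f"20-trial programmes with >=1 positive: {per_batch:.2f} "
          f"(theory {expected_batch_hit_rate():.2f})")
```

Without a registry of the negative trials, only the one positive out of each batch is ever seen, which is the selection effect the thread describes.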
Buddy, have you been following the /. discussions?
"Caller ID" is not the caller identification service that's available on phones right now. They're referring to an email sender verification system that acts sort of like what your caller ID is to phones, so they nicknamed it "caller ID".
This is OT, but just to let you know, Partition Expert from Acronis can create a boot CD. Boot off that, and you don't need to worry about partitioning a drive that it's running on.
I bought mine early last year (US$45, downloaded) because Partition Magic 6.0 (which I had also bought) didn't work with Linux. PM v7.0 did work with ext2 (or was it ext3 already?) but by that time I was using ReiserFS on all my drives.
Drawback to Acronis Partition Expert: in the 2003 version, at least, you have to run it under Windows to create the boot CD. I still had Win2k at the time. Now that I haven't booted Windows in a year-and-a-half, I have to keep the ISO image around.
Yes, yes, I know, I should be using GNU PartEd and Ranish Partition Manager and all that free stuff. But I just wanted it to work and wasn't averse to paying a bit. Great program.
Someone can bring me up to date on the newest versions of Partition Magic / Partition Expert.
In this case, the attacker and the creator of the file are the same person. (I'll say why this is the only important case.)
The attacker/creator creates two files that have the same hash, by adding an arbitrary string of the attacker/creator's choice, using some excuse that will fool some people. Then you get a hash collision.
In your question, you're asking what if YOU add an arbitrary salt string of your choice, and then do the MD5 hash. In this case, the attacker cannot choose your string. But then what use would your new MD5 hash be? You would need to compare it to another MD5 hash (presumably, that of the originating site) which also used the salt string of your choice.
Suppose I post my file, and the MD5 hash is "123abc" (for argument's sake). You get the same MD5 hash after downloading my file. But now you say, "Hey, just to be sure: when I add 'xyzzy' to the front, the MD5 hash is '456def'. Did you get the same thing?" So now I have to go back and rehash it for xyzzy+file.
Then someone else says, "Hey, when I add 'plugh' to the front, I get '321cba'. Did you get the same thing?" Pretty soon I'll be having all these requests and have to post all these hashes. So I say, "Okay, I'm just going to pick some arbitrary string, like 'sf9FD798dfs' and do the hash." The danger is that some people would get fooled into thinking that this is the ONLY hash that needs to be checked (and not the file without the salt), and so it's much easier for me to create a collision.
I concur. Helped me greatly, even just admin'ing my own machine. Has questions at the end of each chapter. (Better than O'Reilly's "Running Linux")
Written by Steven Graham & Steve Shah; published by McGraw-Hill Osborne (www.osborne.com). ISBN 0-07-222562-9
Adding an arbitrary salt makes it less secure. Here's why:
MD5 will still be able to protect your file (binary or authenticated message, whatever) from being tampered with by SOMEONE ELSE, but not by yourself. One of the problems with the hash collision attack is, as suggested in TFA, someone creates two files that have the same hash (easier than creating a file that has the same hash as another pre-specified file) and submits the good one to be trusted before substituting it for the evil one.
Suppose you write a program:
if (user == root) {
  omnipotent_flag = True;
}
But what you really want is to write this malware:
if (user == backdoor) {
  omnipotent_flag = True;
}
But --gosh darnit, the resulting two programs generate two different MD5 hashes! What to do?
Well, use the excuse of some arbitrary salt string:
if (user == root) {
  omnipotent_flag = True;
  /* I'm just inserting this arbitrary string to randomize the hash --yeah, that's it.
     ujiUFIDO94305-8345JFKL:JKDFLS:f */
}
Hey, now you can generate your own malware program:
if (user == backdoor) {
  omnipotent_flag = True;
  /* Inserting whatever random characters it takes to generate the same MD5 hash:
     rewAFDSADSF5435435#$%#$% */
}
Of course, the example doesn't have to be as blatant as this, but you can see where this is going:
- the "random" salt can be at the beginning, with a nice-looking comment, and if it is short (like your example of "xyzzy"), it might be accepted. A 5-letter "salt" can increase your number of available files by 64^5 (assuming 64 characters are acceptable as "letters"). One of those might just generate a hash that matches the malware!
- Yes, I know the idea is that the hashes match for both the file with the salt and the file without the salt. But you can imagine someone saying, "Yeah, I added this RANDOM salt [laughs evilly to himself] and the hashes still match!" and the sheeple will say, "Wow, it must be a match --I guess I don't need to bother checking the hashes of the original unsalted file."
What is needed is a widely accepted Standard Salt String that is pre-pended to the file, and when people list the MD5's of a file, they also list the MD5's for the file with the Standard Salt String, and both must match. As long as it's the community that chooses the SSString, and not the contributor, the SSString can be any arbitrary sequence of characters, like, oh, say, "m1cr0$0f7 5Ux0R5".
KWTm
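The point made in the two hash posts above (a salt the contributor picks is just more search space for the collision hunt, while a salt the downloader or the community picks and prepends is not), as an added example that is not part of the original comments. It uses MD5 truncated to 16 bits as a stand-in for a real MD5 collision so the search finishes instantly; the two program texts, the salt alphabet and the verifier salt "xyzzy" are constructed.

```python
import hashlib
import itertools
import string

# Assumption: MD5 truncated to 16 bits stands in for a real MD5 collision,
# so the contributor's search takes a few hundred tries instead of 2^64.
HASH_BITS = 16

def toy_hash(data: bytes) -> int:
    return int.from_bytes(hashlib.md5(data).digest()[:HASH_BITS // 8], "big")

# Constructed sample files: the benign program and the backdoored one, each
# with a comment slot where the contributor's "random salt" goes.
GOOD = b"if (user == root) {\n  omnipotent_flag = True;\n  /* salt: %s */\n}\n"
EVIL = b"if (user == backdoor) {\n  omnipotent_flag = True;\n  /* salt: %s */\n}\n"

def find_collision(good_tpl: bytes, evil_tpl: bytes, length: int = 4):
    """Contributor side: vary only the salt comment in both files until a
    benign variant and a backdoored variant share a toy hash (birthday
    search, the 'two files with the same hash' case). Returns (good, evil)."""
    alphabet = string.ascii_letters + string.digits
    good_seen, evil_seen = {}, {}
    for combo in itertools.product(alphabet, repeat=length):
        salt = "".join(combo).encode()
        good, evil = good_tpl % salt, evil_tpl % salt
        hg, he = toy_hash(good), toy_hash(evil)
        if hg in evil_seen:
            return good, evil_seen[hg]
        if he in good_seen:
            return good_seen[he], evil
        good_seen[hg] = good
        evil_seen[he] = evil
    raise RuntimeError("no collision within search space")

def unsalted_check(published: int, candidate: bytes) -> bool:
    """What the thread's 'sheeple' verify: only the contributor's own hash."""
    return toy_hash(candidate) == published

def salted_check(published: int, salt: bytes, candidate: bytes) -> bool:
    """Salt chosen by the downloader (or the community) and prepended, as the
    thread proposes; it was not known when the collision was searched for."""
    return toy_hash(salt + candidate) == published

if __name__ == "__main__":
    good, evil = find_collision(GOOD, EVIL)
    published = toy_hash(good)        # contributor posts the hash of the benign file
    print("evil file passes unsalted check:", unsalted_check(published, evil))
    verifier_salt = b"xyzzy"          # chosen by the downloader, not the contributor
    salted = toy_hash(verifier_salt + good)
    print("evil file passes salted check:", salted_check(salted, verifier_salt, evil))
```

Both checks have to match the benign file, so the substituted file is caught by the prepended salt it was never searched against.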
An email address like bunty_tifs@yahoo.com could be spelled out as:
B as in Ball
U as in Ululation
N as in Night
T as in Tail
Y as in Ytterbium
(underscore)
T as in Tall
I as in Intransigent
F as in Flash
S as in Sail
(@yahoo.com)
Of course, that might be interpreted as
D as in Doll
U as in Ululatin
M as in Might
P as in Pale
Y as in Ytterbium
(underscore)
P as in Paul
I as in Intransigent
S as in Slash
S as in Sail
I bought one of the $200 computers from Wal-Mart, with Lindows (so-called at the time) pre-installed.
First thing I did with it was install Mandrake over it.