Slashdot Mirror


User: Whiteout

Whiteout's activity in the archive.

Stories: 0
Comments: 28

Comments · 28

  1. Re:A large part of the solution already exists on PayPal Asks E-mail Services to Block Messages · Score: 1

    DomainKeys have nothing to do with MUA, but at the moment they are the only way I (the mail recipient) can authenticate a PayPal e-mail. Since DomainKeys are not part of SMTP and since - other than a verbal/written PayPal request - there is no requirement for SMTP servers to discard unsigned e-mails, I can't trust that a 'PayPal' e-mail that reaches me must be authentic. You are happy to oblige PayPal's request, and that's good for everyone, but not everyone is going to follow your example.

  2. A large part of the solution already exists on PayPal Asks E-mail Services to Block Messages · Score: 1

    Why doesn't Paypal sign its e-mails in the conventional sense (http://en.wikipedia.org/wiki/X509)? Every major mail client would flag it with a nice wax seal or similar and a reasonably knowledgeable user would have confidence in his PayPal messages. A little education from PayPal's site about looking for a good signature would go a long way to helping everyone else.

    At the moment, since mail clients don't know anything about DomainKeys, we have NO WAY of knowing if mail really is from PayPal.

    And perhaps a mail client consortium could manage lists of domains requiring valid signatures: mail from paypal.com and not signed goes straight to the junk folder; it's not completely different from the management of certificate authorities. Alternatively, at least for Thunderbird, a simple extension could do that job.

    And of course this isn't a problem domain specific to PayPal, so their individual lobbying seems to be a drop in the ocean at best.

    Andy

  3. Re:A round of applause for the tz guys on 'Daylight Savings Bugs' Loom · Score: 1

    It is a bit annoying that there's no change log, although in fairness there are a surprising number of changes in the average revision.
    A bit of googling gives us http://cvsup.pt.freebsd.org/cgi-bin/cvsweb/cvsweb.cgi/src/share/zoneinfo/northamerica - yes, 2006g has the 2007 US changes.

  4. A round of applause for the tz guys on 'Daylight Savings Bugs' Loom · Score: 3, Informative

    The tz database http://www.twinsun.com/tz/tz-link.htm underlies time zone handling for the GNU C Library, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris and many more, and is kept current by a dedicated team of (mostly?) volunteers. For time nerds, the historical comments in the plain text files of the tz ftp distribution (ftp://elsie.nci.nih.gov/pub/tzdata2007b.tar.gz) are required reading.

    If you're a Firefox person, FoxClocks (see my URL above) puts nice little world clocks on your statusbar. And yes, it uses tz too. Thanks guys. Andy

  5. Oh dear on Approaching Solar Storm Forces ISS to Take Cover · Score: 4, Funny

    A Coronal Mass Ejection resulting from an X3 Solar Flare earlier today

    Too much Mexican beer after a day on the beach, perhaps.

  6. Encryption + Fed back door? on Skype's Free Phone Call Plan Will Soon Have Annual Fee · Score: 1

    How does encryption sit with providing the US government with a 'wire'-tap back door? If it's true PKI and I'm confident of the public key on the other end of the line, not even Skype can get in, unless their software is doing something nasty, like referring the decrypted stream back to Uncle Sam. If it's not - perhaps Skype servers 'manage' the keys so you don't have to worry about trusting the other party's key - then Uncle Sam truly is the man in the middle.

    In the latter case, do you have anything to hide? I do - my privacy.

  7. 7) Add In Validation - "Remora" on Mozilla People Answer Firefox 2.0 Questions · Score: 2, Interesting

    I'm really not convinced by a team of contributors keeping a "close eye on recommended extensions". I'd personally never heard of Remora (http://wiki.mozilla.org/Update:Remora_Requirements/) before.

    There's really no way to verify an extension without walking through the source, and even then it's not impossible to obfuscate something nasty. And any extension that uses XMLHttpRequest can download its own code.

    There are a lot of extensions at https://addons.mozilla.org/, some of them quasi-commercial, and the review process required to have an extension hosted isn't (cannot be, in fairness) thorough.

    Perhaps addons.mozilla.org need to be a bit more explicit that you can't _quite_ trust the extensions hosted there. Perhaps they could digitally sign 'popular' extensions that they 'trust'?

    Imagine what a PR disaster a malicious extension would be.

    Andy

    [yeah, I hacked a previous post of mine on the same topic.]

  8. That's a scary thought - great question on Ask a Mozilla Person About Firefox 2.0 · Score: 1

    That's one great question. There's really no way to verify an extension without walking through the source, and even then it's not impossible to obfuscate something nasty. And any extension that uses XMLHttpRequest can download its own code.

    By "an add-on... promoted and distributed by FF team" you mean anything hosted on https://addons.mozilla.org/ I guess. There are a lot of extensions there, some of them quasi-commercial, and the review process required to have an extension hosted isn't (cannot be, in fairness) thorough.

    Perhaps addons.mozilla.org need to be a bit more explicit that you can't _quite_ trust the extensions hosted there. Perhaps they could digitally sign 'popular' extensions that they 'trust'?

    Imagine what a PR disaster a malicious extension would be.

    Andy

  9. Mind you... on Gates' Replacement says Microsoft Must Simplify · Score: 1

    It was always tricky working with Roman numerals in Lotus Notus; I preferred the Second Millennium AD version 'Notes'.

  10. When vibrate won't work on Polite Cell Phones · Score: 2, Interesting

    I've always thought a good solution would be to have a small vibrating device fixed to your watch (say), which would be triggered by your phone (bluetooth or similar). You wouldn't miss any call when the phone's away from you, and perhaps you could configure the phone to ring audibly if it isn't able to contact your (*ahem*) vibrating device. Best of all worlds?

    Andy

  11. Coming soon to a browser near you: on Firefox 's Ping Attribute: Useful or Spyware? · Score: 5, Insightful

    One ping-disabling Firefox extension.

  12. Perhaps the time was right? on Einstein Has Left the Building · Score: 1

    There have been a number of cases throughout scientific history in which a remarkable discovery was made twice, independently and almost simultaneously. Famous examples are Newton/Leibniz (calculus) and Darwin/Wallace (evolution by natural selection).

    Without meaning to dismiss Einstein - clearly one of the modern age's most brilliant minds - perhaps the progress of science isn't so dependent on the existence of one genius with no equal in his/her age, but rather progress occurs when enough great minds have had long enough to study the current scientific canon.

    This would imply that 20th Century science progressed roughly independently of whether Einstein was hit by a bus, plus or minus a decade.

    Andy

  13. No need to invoke the DMCA on Xbox Modders Charged Under DMCA · Score: 2, Insightful

    Remember that these guys could have been prosecuted under perfectly serviceable copyright laws; it's not as if we need a law as divisive as the DMCA to bring people like this to justice.

    Copyright laws, together with the concept of Fair Use, are reasonable; the DMCA is a corporate-sponsored attack on Fair Use, and serves no other purpose.

    Andy

  14. Damn on Ontario to Match U.S. DST Change · Score: 2, Insightful

    That messes _this_ up:

    http://www.stemhaus.com/firefox/foxclocks/

    But at least it gives me the opportunity for a shameless plug :)

    Actually I'll add that as an Ontario resident, and a despiser of the current US regime, I think Ontario's move is entirely pragmatic: the US accounts for perhaps 80% of Canada's exports, and presumably a large portion of that comes overland from Ontario to the Eastern US. Having said that, I'll confess to the knee-jerk reaction that I don't want _my_ clocks set by a man who can't even set his own.

    Andy

  15. Now that... on Jack Thompson Calls Cops on Penny-Arcade · Score: 3, Funny

    is a _damning_ indictment...

  16. Freudian typing... on Linus Says No to 'Specs' · Score: 1

    Specs are rarely useful breasts up-front.

    What *would* Sigmund say?

  17. Not as poor as you think on Cuba Switching to Linux · Score: 2, Informative

    Human rights abuses aside - and ok that's quite an omission - Cuba does remarkably well for itself. Take a look at the UN's 2004 Human Development Report Cuba Fact Sheet. If you put this in the context of the US's trade embargo, it's quite impressive.

    To those posters who've been to Cuba, and been shocked by the poverty they've seen, here's the full Human Development Index - maybe your next vacation should be to one of the 125 countries lower down the list.

  18. An idea on Short History of Cellphone Ringtones · Score: 1

    Very slightly OT, but what the hell?

    Why not have a little bluetooth (or whatever) vibrating "thing" that you could clip to your watch, which would vibrate whenever your 'phone is within range (and you could have your phone ring audibly if it can't contact your - for want of a better word - vibrator). You never need a ringtone, but better than that, you don't need your 'phone in contact with your body.

  19. Skewed, but not too skewed on Is the iPod Shuffle Playing Favorites? · Score: 2, Interesting

    The skewing effect requires that RAND_MAX is not a multiple of num_songs, and is very tiny when RAND_MAX is very much larger than num_songs.

    But to see how the skewing arises, imagine you have num_songs = 3 songs with id's 0, 1 and 2, with random() returning 0 to RAND_MAX = 9. Then for random() returning 0, 3, 6 or 9, song_id is 0, so there's a 40% chance of hearing song 0, which presumably is "In The Navy".
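As an added illustration of the skew described above (example code written here, not from the original comment or from Apple), this models a hypothetical random() that returns 0..rand_max uniformly and is reduced with "% num_songs": it enumerates the mapping for the 10-value/3-song case, gives the maximum bias in closed form so a realistic 31-bit RAND_MAX can be checked too, and shows the rejection-sampling fix that removes the skew.

```c
#include <stdio.h>

/* Count how many of the rand_max+1 possible random() values map to each
 * song id under "random() % num_songs". For rand_max = 9, num_songs = 3
 * the values 0,3,6,9 all land on song 0: counts = {4,3,3}, i.e. 40/30/30%. */
void modulo_histogram(unsigned rand_max, unsigned num_songs, unsigned *counts)
{
    for (unsigned s = 0; s < num_songs; s++)
        counts[s] = 0;
    for (unsigned long long r = 0; r <= rand_max; r++)
        counts[r % num_songs]++;
}

/* How much likelier the most-favoured song is than a fair 1/num_songs,
 * computed in closed form so large rand_max values are cheap. 1.0 means no
 * bias; 1.2 for the 10-value/3-song case; about 1 + 3/2^31 for a 31-bit
 * random() and 3 songs, which is the "very tiny" skew the comment mentions. */
double max_bias(unsigned rand_max, unsigned num_songs)
{
    unsigned long long range = (unsigned long long)rand_max + 1ULL;
    unsigned long long top = (range + num_songs - 1) / num_songs; /* ceil */
    return (double)top * num_songs / (double)range;
}

/* Rejection sampling removes the skew entirely: discard any value from the
 * incomplete final block (the value 9 in the example), then reduce. Returns
 * the song id, or -1 meaning "draw a fresh random() value and call again". */
int unbiased_song(unsigned r, unsigned rand_max, unsigned num_songs)
{
    unsigned long long range = (unsigned long long)rand_max + 1ULL;
    unsigned long long limit = range - range % num_songs; /* 9 for 10 values, 3 songs */
    if (r >= limit)
        return -1;
    return (int)(r % num_songs);
}

int main(void)
{
    unsigned counts[3];
    modulo_histogram(9, 3, counts);
    for (unsigned s = 0; s < 3; s++)
        printf("song %u: %u of 10 values (%.0f%%)\n", s, counts[s], 100.0 * counts[s] / 10);
    printf("max bias: %.3f (1.000 would be fair)\n", max_bias(9, 3));
    return 0;
}
```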

  20. Re:I disagree with Schneier - not broken yet on PGP Moving To Stronger SHA Algorithms · Score: 1

    Good link. Thanks. My intent, though, is not to create a harder hash (which the link refutes well), but to provide a "safety net" in the case that one is broken. This of course depends on the assumption that there *are* fundamentally different hashes. Basically I agree with ericpi's response to the linked post.

  21. Re:I disagree with Schneier - not broken yet on PGP Moving To Stronger SHA Algorithms · Score: 1

    Regarding the two hashes, perhaps you could point me to some reference.

    If I apply two fundamentally different hashing algorithms separately to the same message, and call my hash the - say - concatenation of these, I have a hash that's (only) twice as long and twice(ish) as expensive, but presumably much less open to analysis.

  22. I disagree with Schneier - not broken yet on PGP Moving To Stronger SHA Algorithms · Score: 1

    My understanding of the 'break' is simple: given a hash, we can now find another 'message' with the same hash, not by 2^80 brute force guesses, but by 2^69 cleverer tries, a factor of 2000 improvement, and potentially bringing this attack into the realm of computational feasibility.

    So what?

    Until we can find a 'meaningful' message with the same hash, or until we can remove data from or add data to the original message, and preserve the hash, we can sleep easy - except the file-sharers :). Of course as soon as someone can insert something into the original data, code signing is completely broken.

    But please, somebody explain to me how we're vulnerable. You can take my message and - if you try very very hard - you can create a garbage message that you could claim I signed. And that's all.

    BTW, I'm well aware that applying one hashing mechanism to a message then another will not help, but why not apply two in parallel? The message would have two hashes, which isn't too much of a burden, and barely increases the message length. Sounds good to me.

  23. That's not the point on Microsoft Seeks Latitude/Longitude Patent · Score: 1

    I agree that lat-long->base 30 is (may be) original, but originality does not, or should not, imply patentable. At the very least innovation should be required.

    Otherwise why should I not be able to patent my unique URL scheme on the basis that nobody else has done it?

    The parent post has the most significant comment: it's clear that Microsoft is using current US patent law to prevent interoperability. If they are able to go through with it then once again (US) law will have been shown to be an ass.

  24. Re:Well... on Taking My Freedom With Me to China? · Score: 1

    Hmm. Some interesting travel advice.

    "The communists will make your life hell." Certainly Chinese officialdom can be very officious, but it doesn't have anything to do with communism. Remember that China is an almost-Fascist dictatorship in all but name.

    "...catch a cold in your first week there." You probably got that on the plane, though it's true that when you travel you're exposed to strains of viruses/bacteria for which you have no immunity.

    "Expect to be cold most of the time." How about tropical southern China? Remember that China's climate is more diverse than the US's. And this post is +5...

    "Watch your wallet." I've skipped a few of your choice quotes, but you're basically fear-mongering after a nasty bout of culture-shock, as far as I can see. China - and Asia in general - is very much safer than the US in all ways, though tourists do tend to be targets for opportunistic crimes. Think about it, people: there's an amazing world out there to visit, and it's safe and cheap (avoiding choice parts of Africa and Latin America).

    "Take amoxillician." I'm guessing you mean prophylactically? Don't do that - you give your immune system no chance to build up its defences and you increase selectional pressures which generate antibiotic resistance. Carry a good antibiotic, but only use it if you have to.

    "Pocket knives are a good idea." Ok, I've only just got to reading this bit. The poster is a fool. China is SAFE, and that's partly a by-product of the totalitarian regime and draconian law enforcement.

  25. Only in the States on Creationist Textbook Stickers Declared Unconstitutional · Score: 3, Insightful

    ... could such an issue arise. I'm sympathetic, my left-wing intellectual American friends, but the world is laughing at you just a little bit harder.