We must defend Nazis to attack Nazism (on "Nazis on Napster", Score: 3)
In practice, censorship was a central plank of what the Nazis did, famously fulfilling Heinrich Heine's prediction that where they start by burning books, they end up burning people. If we are to properly oppose this thinking, we have to oppose censorship at every turn, even where it's turned against a justly popular target for hate: neo-Nazis themselves, who would of course institute all sorts of censorship given half a chance. --
I read a paper on gaze tracking interfaces a few years ago. When they implemented the hierarchical menus, they decided that simply gazing on a menu option briefly should trigger the display of the sub-menu, since it was easy to reverse if you looked elsewhere in the menu.
It turned out that people tended to look up and down on a menu to choose an option, and their gaze would fall on the option that they'd eventually select long before the decision to select it was complete. This had the unnerving effect that users felt that the machine knew what they wanted before they did. --
Strong password protocols are the Correct Answer to this problem. If one party (the client) can't carry around the keys needed for strong authentication of both parties, if all you can carry is a password in your head, then strong password protocols like SRP, B-SPEKE, and some others on their way (AMP) are the correct route to strong security. The most effective attack known on these protocols is
1. Decide which end you want to spoof - client or server
2. Choose a guess at the password
3. Do a protocol run.
3a. If you're pretending to be the client, try and log on using the password you've guessed.
3b. If you're pretending to be the server, somehow persuade the client to try and log onto you thinking you're the real server.
4a. If you guessed the password correctly, congratulations! You've successfully spoofed your way in.
4b. If you did not guess the password correctly, you lose! And you have learned *nothing* except that your guess was wrong.
5. If you want to have another guess, you'll have to return to step 1 and persuade the other end to play with you again. They may tire of this game before you do.
(Caveat. Password files have to be kept secret for this: compromise that and you can spoof the client into thinking you're the server, while running a dictionary search against them on your supercomputers. Guard password files)
Strong password protocols are Right and Good and should be used everywhere that stronger authentication is not available. Remember to use key stretching on your passwords too. --
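The attack the post above describes, as an added example that is not the poster's code: a toy SRP-6a exchange in Python. The group (RFC 3526's 2048-bit MODP group with g = 2), the use of SHA-256 for every hash, and the candidate password list are all my assumptions, not anything from the post. `run_login` is one complete protocol run against a live server, so a wrong guess costs an online run and yields nothing but "no"; `crack_verifier` is the caveat: once the server's (salt, v) entry leaks, guesses are tested offline with no server involved.

```python
"""Toy SRP-6a run; an added example, not code from the original posts.
Assumptions (mine): the 2048-bit MODP group from RFC 3526 with g = 2,
SHA-256 everywhere, and a tiny hand-made candidate list. Protocol math
only: no constant-time compares, no rate limiting, no length checks."""
import hashlib
import secrets

# RFC 3526 group 14 prime (copied by hand; check against the RFC before reuse).
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x):  # fixed-width encoding, as RFC 5054 requires inside hashes
    return x.to_bytes(NLEN, "big")

def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_x(salt, username, password):
    """x = H(salt || H(username ':' password)); the only place the password enters."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):
    """Registration: server keeps (salt, v) with v = g^x. This is the password file."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)

class Server:
    def __init__(self, username, salt, v):
        self.username, self.salt, self.v = username, salt, v

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("illegal client value A")  # SRP-6a abort rule
        self.A, self.b = A, secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1):
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)  # (A * v^u)^b
        self.K = hashlib.sha256(pad(S)).digest()
        return M1 == H(pad(self.A), pad(self.B), self.K)

class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("illegal server value B")
        u = H(pad(self.A), pad(B))
        x = private_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # (B - k*g^x)^(a + u*x)
        self.K = hashlib.sha256(pad(S)).digest()
        return H(pad(self.A), pad(B), self.K)  # M1, the client's proof

def run_login(server, username, password_guess):
    """One full protocol run: the only way to test one guess against a live server."""
    client = Client(username, password_guess)
    salt, B = server.challenge(client.start())
    return server.verify(client.respond(salt, B))

def crack_verifier(username, salt, v, candidates):
    """The caveat: once (salt, v) leaks, every guess is tested offline, no server needed."""
    for candidate in candidates:
        if pow(g, private_x(salt, username, candidate), N) == v:
            return candidate
    return None

def demo():
    user, real = "alice", "correct horse battery staple"
    guesses = ["password1", "letmein", real]  # constructed candidate list
    salt, v = enroll(user, real)
    server = Server(user, salt, v)
    online = [run_login(server, user, guess) for guess in guesses]  # one run per guess
    return {"online": online, "offline": crack_verifier(user, salt, v, guesses)}
```

The transcript of a run (salt, A, B, M1) lets an eavesdropper test nothing: checking a guess needs either a or b, which never leave their owners. The post's reminder about key stretching belongs in `private_x`: replacing the inner SHA-256 with `hashlib.pbkdf2_hmac` or `hashlib.scrypt` at a high cost parameter makes each offline guess against a leaked verifier correspondingly slower while leaving the rest of the protocol unchanged.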
I don't think you can plausibly apply the interlock protocol to SSH. When I log into a server, I expect a conversation in which each side reads the message from the other before generating their own messages. If that's the fundamental top-level conversation, any attempt to impose an interlock underneath that, unbeknownst to the communicating parties, can be spoofed.
Interlock only works if the actual communicating parties know they're interlocking. No attempt at automated interlock is going to work, because the MITM can separately spoof two separate interlocked conversations.
No, the correct answer is strong password protocols like SRP and B-SPEKE, as another poster has already observed ("Encrypted Key Exchange"). --
If anyone was going to try and operate a business in blatant violation of Federal law, the first thing they'd do would be refuse to pay taxes. And taxation is something the State will enforce by whatever means necessary. --
What you describe seems to be in danger of becoming the official history of the Mindcraft incident, but it was never true. Those tests were bogus in many different ways: they tested a hugely unrealistic scenario, and initially only the NT box was optimised to handle that scenario. Oh, and they lied too.
However, the resulting publicity meant that parallelizing the part of the kernel hit moved up the priority queue from "might be nice someday" to "must be done soon". And so it was done, and well, and now we can kick the shit out of NT even under the bizarre circumstances Mindcraft set up.
There were no "weeks of denial". The objections raised against the tests were fair and accurate. The fact that we would now win this test doesn't change that. --
A professional cryptographer writes... (on "New Crypto-OS", Score: 4)
FWIW this does not strike me as a well-conceived project. They plan to deliberately exclude a whole bunch of useful comms software (like PGP, web browsers) because they don't meet their rather artificial standards of security. They claim "all existing protocols are insecure", which is not the mark of someone with a clue. Oh, and they think they can charge for it - see the FAQ. I do not believe they will build a product that will be useful to anyone.
(and the "pro" thing? I've been a pro for less than a month but I couldn't pass up the opportunity to crow about it on /.!) --
Is your home address and telephone number on your website?
No? Why not? It's not *terrifically* private information; in most cases, anyone really determined could find it out. It could be useful to let people call you or send you gifts, or so that your friends can look it up to come to parties after you've moved house. But it's usual for people to be a little bit circumspect with their home address, and with good reason: "I know where you live" is a threat.
The bias here is basically that .com/.org/.net domains (gTLDs) should only be owned by legitimate businesses, who can afford premises and separate phone numbers. These provide a buffer between you and the disgruntled public. If you can't afford those, the message goes, stay off the gTLDs - or open yourself up to potential physical attack, abuse and harassment. --
One of the goals of a voting system is to give you no way to prove how you voted, to make sure voter coercion is ineffective. Receipts defeat that goal.
The biggest advantage of a computer vote that prints a paper ballot is excellent usability: if you press the big "CONFIRM" button when the screen says "You have cast your vote for Pat Buchanan and (somebody-or-other) of the Reform Party. If this is your final decision, please press Confirm, otherwise press Back." then there's not much that can be done to stop you voting that way!
And of course, you get a human-readable paper ballot out of it, so if the software tries to substitute fake votes it'll get caught.
I would still count the ballots entirely on paper, though. --
JWZ would be an unusual club owner anyway. (on "Hacking The City", Score: 2)
From what I can tell, the DNA lounge is an *inherently* cool project, and one I think I'd be interested in even if it weren't coming from an eloquent and thoughtful hacker like JWZ. The special thing that's going on here is that someone who wants to run a club for love can actually afford to do so. The fact that the money came from an Internet IPO rocket is irrelevant. --
Yes, the whole hierarchical X.509 approach was doomed from the start and needs to die. What the world really needs is the Simple Public Key Infrastructure, SPKI. This provides a way to generate certificates which transfer trust between keys in various sorts of highly flexible, controllable ways. Read the SPKI docs and you'll be converted to our religion; your whole view of naming, and of the role of a PKI, will change.
SPKI is the public key infrastructure that can actually achieve what it promises, because it doesn't have a root certificate that only God could properly hold. It's the ideas of PGP's Web of Trust taken to their logical conclusion. And it is simple, and neat, and easy to understand. Everyone interested in the problems with PKI should look into it. --
First, your first language doesn't have to be one you'll use again. You'll find it easier to learn other languages once you've got a grasp of programming. Java would be a good next step.
Second, Python will stay useful all your life. Python is basically useful the same way Perl is, but it scales better for large programs. It's not for people who want to be programmers - it's for everyone. It's useful for that tiny little script to automate the thing you can't quite do by hand.
Third, Python runs under Windows. In schools, this is probably the environment I'd use to teach it.
Of course, we could teach them nothing but VBScript under Windows, but this is Slashdot, where handing control of the future to Microsoft is considered a Bad Thing. --
It's too hard to program computers these days. If I wanted to teach someone to program ten years ago, a machine like a BBC Micro would be great: you turn it on, it's immediately ready to accept a program, and drawing to the screen is relatively easy. If you want to draw anything now (essential for the gratification factor in learning to program) you have to become expert on events and windowing systems.
I'd like someone to put together a nice environment for beginning programmers. Base it on Python and gtk, so it's portable between Windows and Unix. Use Glade so people can start off drawing what they want their program to look like, then write bits of Python to make it work. Throw in a really good canvas widget, so it's easy to start drawing things and get things moving on the screen without worrying about expose events and redraws. Then write the book "Learn to program with Python", that takes beginners who've only ever used computers before by the hand and leads them through the delights of making them do your bidding.
I know that the CP4E project is looking to shape Python into the ideal beginners' language. I'd love to see this happen, because Python is a beginners' language you can stick with to write real, large scale applications that do real work. --
I meant to say: explanation of key stretching, and the paper about it. --
My older brother is much bigger and juicier than me, why don't you eat him instead?
(Translation for those who don't know fairy tales: Score: -1, Troll) --
PDF cannot guarantee this. No format can. --
The guru of Web usability got the title through being right a lot. Check out his website and buy his book, Designing Web Usability.
There may be a whole load of specific issues to consider, but on the general issue of making a website that people can stand to use, he's your man. --
Sorry, explain who benefits again? --
The linked-to article claims that there are 15,000; one below links to Florida State documents showing the correct number to be 337. --
He absolutely can't do (a).
(b) - with 19,000 "spoiled ballots" likely going to Gore, his margin should be pretty decisive when this is over.
(d) I don't think applies since it's Florida law that matters here
(c) is the interesting one. Which takes precedence - the law or the approval? Do you need to pass both to have a good ballot, or is one of them both necessary and sufficient? If so, what's the other one for?
In other words, why have laws saying what the ballot papers need to look like if the approval of the candidates is a necessary and sufficient condition for their being legal?
I pity the judge too. The evidence that Gore would win Florida by a clear margin on the *intent* of voters is overwhelming - ie it's pretty much undeniable that the Bush result runs counter to the will of the voting people in Florida as a result of bad design on the Palm Beach ballot paper - but ruling in their favour opens an extraordinary can of worms.
Whoever wins is going to have a hard time claiming a "clear mandate" for anything, that's for sure. --
...for Jon Katz's ICBM coordinates. --
Basically I think the Gore challenge wouldn't have a leg to stand on, if it weren't for the fact that these ballots are against Florida law, which requires that candidates' names be to the left of where the mark is made. --
Check the other "no, there are 337" article I posted.
Wow, this myth's going to be as popular as the one that says Al Gore claimed to have invented the Internet! --
If there was one ballot paper for the whole country, or even one per state, then the Democrats' approval would be fatal to this argument. They would have hired a panel of experts to review them, and paid people from all over the country/state to come in and try voting for different candidates under realistic circumstances.
But when every tiny little county can design its own ballot system, you can't do this. The most you can do is get some party enthusiast at the bottom of the food chain to give them the once-over and make sure your candidate's name is spelled correctly.
So citing the Democrats' ratification of the ballot as if Al Gore himself signed off on it is misleading, to say the least. The voters certainly didn't like it: they were complaining as soon as they got into the ballot booth. --
See this Slashdot article, with links to Florida's own documents, refuting this suddenly-popular myth. --