Recently, Debian adopted "logrotate" as their standard log rotation tool. I thought this was interesting because it was developed by Red Hat, not so much to increase the pool of Generally Good software out there as to meet a specific need they ran up against in the process of building a distribution. If this distinction makes any sense (and I think it certainly applies to, say install tools), what can you borrow from other distributions to bring Debian forward? --
We won that fight. This is their *next* braindead idea, and I think this "stunt" is a highly effective and dramatic demonstration of its unworkability. --
Um, you seem to have compiled without enabling a sense of humour. Try switching on CONFIG_HUMOR_RECOGNITION and try again.
Incidentally, the business about contractual obligation is a complete red herring. Think about it - if you can't sue for breach of contract, how do you plan to sue for breaking the terms of the download by being under 18?
And insulting people you're trying to persuade of things is rarely effective and doesn't make Slashdot a fun place to be. Please don't. --
I can only read this as "Perens calls for Corel to be sent signal that Debian's patience has limits". Debian would surely win if they sued, so I guess perhaps he's come to the conclusion that threats are the only language Corel's lawyers speak. In other words, if all you recognise is "cover your ass" thinking, then you'll have to cover your ass from GPL violations too.
I'm surprised, and I advocated showing patience to Corel earlier, but maybe Bruce is right: maybe it is time to say that the GPL demands attention and has backup if it's needed. --
It's hard to be sure if this is an oversight, or just some over-zealous lawyers, but somehow I doubt Corel plan to ship pornographic-mpeg-collection.deb along with the distribution. So there's little point in baying for Corel's blood at this point when polite requests that they remove this particular bit of boilerplate from their legalese will almost certainly result in the problem being fixed less than a month from now, and perhaps within days.
On the other hand, if they do plan to include hardcore pornography, what was the download site again? --
CDNow! have patented the idea of choosing what tracks to put on a CD using a Web interface. If that's patentable, then coming up with patentable content is easy: modify a buzzword generator to select from lists of:
* common tasks people do on computers
* commonly used tools that enable tasks
and perm a million different combinations of them all. If you want to include business models, throw in some common business-transaction type things like payment, auction etc.
If the possible outputs of such a program ran to, say, a few thousand pages, it would be worth printing it all out and sending it to the Patent Office as prior art of all the ideas it lists. --
Check out the very funny STAND campaign website (on "Waiting for the Knock", Score: 3)
Someone else already posted the link to http://www.stand.org.uk, but I thought it deserved some emphasis. Their latest bit of campaigning was to send Jack Straw a letter which, if the legislation were to pass as proposed, would leave him liable for a two year jail sentence.
"Dear Mr Straw,
Please find at the end of the letter a confession to a crime, which has been affirmed by Statutory Declaration. The Commissioner of the Metropolitan Police has been informed that you are in possession of this information.
You will not be able to understand the confession, because the words have been scrambled using a strong cryptographic key. This key was created in your name and has been registered on international public key servers..."
STAND is the main campaigning organisation in the UK tackling the issues raised by this bill, and it's a very well done website by some very clueful people. Visit it, everyone! --
GPL *is* appropriate for software docs. (on "Free Books Online", Score: 2)
The documentation is part of the software and is forked with it; precisely the same freedoms should accompany it. I don't see any problem with the docs for GPL software being under the GPL.
I'd also be happier if the OPL were certified Open Source. --
I find the charity you're prepared to extend to Mr Calle pins my implausibility meter. There's little room for doubt that Calle's actions were deliberate dishonesty rather than accidental omission. I'd also note that you've posted to this forum four times, it's the only time you've posted to /. and you give no contact details. --
You'll need a way of conditioning the random number output to remove bias. Fortunately, the Linux kernel contains an excellent such conditioner. Simply cat the output from your noisy diode/soundcard combination to /dev/random, and read from /dev/random whenever you need random stuff. That way you get lots of other sources of randomness thrown in the mix for free. --
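An added illustration of the "conditioning" step, not the poster's code: a von Neumann extractor run over a constructed, heavily biased sample stream that stands in for the diode/soundcard output. One caveat worth knowing: on Linux, writing bytes to /dev/random mixes them into the pool but does not raise the kernel's entropy estimate; only a privileged caller using the RNDADDENTROPY ioctl (as rngd does) credits entropy.

```python
"""Von Neumann de-biasing of a raw noise source (added example, not from the post)."""
import random


def bits_from_bytes(data: bytes):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def von_neumann(data: bytes) -> bytes:
    """Pair up raw bits: 01 -> 0, 10 -> 1, 00 and 11 are discarded.

    Each output bit is unbiased provided the source bits are independent
    with a constant (even if unknown) bias; a correlated source needs a
    stronger conditioner than this.
    """
    out, acc, nbits = bytearray(), 0, 0
    bits = bits_from_bytes(data)
    for a, b in zip(bits, bits):        # same iterator twice: consecutive pairs
        if a == b:
            continue                    # 00 / 11 carry no usable bit
        acc = (acc << 1) | a            # '10' -> 1, '01' -> 0
        nbits += 1
        if nbits == 8:
            out.append(acc)
            acc, nbits = 0, 0
    return bytes(out)                   # any partial trailing byte is dropped


def ones_fraction(data: bytes) -> float:
    """Crude bias check: fraction of one-bits in the stream."""
    n = len(data) * 8
    return sum(bits_from_bytes(data)) / n if n else 0.0


def constructed_biased_source(nbytes: int, p_one: float = 0.8, seed: int = 1) -> bytes:
    """Constructed stand-in for the noisy-diode samples: i.i.d. bits with P(1) = p_one."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (1 if rng.random() < p_one else 0)
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    raw = constructed_biased_source(20000)
    cond = von_neumann(raw)
    print(f"raw: {len(raw)} bytes, ones={ones_fraction(raw):.3f}")
    print(f"conditioned: {len(cond)} bytes, ones={ones_fraction(cond):.3f}")
```

The price of the extractor is throughput: with an 80/20 source only about a third of the bit pairs survive, so the conditioned stream is roughly one sixth the size of the raw one.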
If there's to be an embargo on the Pentium III, it should not cover systems preloaded with operating systems which disable the serial number on start up, and make it difficult for new software installations to arrange for it to be re-enabled on boot.
Now, that's not Windows, but another operating system close to all our hearts...
(Seriously, this is of course a silly suggestion. I'd sooner see a lot more attention paid to big databases than this sort of nonsense.) --
I can't find any description of what encryption algorithm RAR uses on their web pages or anywhere else. That usually means it's a home-grown piece of crap. Furthermore, the password is limited to 10 characters, so it's weak. See On Cryptosystems untrustworthiness or this page on Russian Password Crackers including a couple of RAR crackers to get the picture about how bad the situation is.
Use PGP, or ScramDisk, or SFS, or similar systems which at least tell you what algorithms they're using. --
Questioning the decisions that Government makes, and the laws they pass, is supposed to be a central element of a functioning democracy. Yet if we're supposed to remain silent when it seems that those laws have led to bad or inappropriate consequences, the whole exercise is futile. --
The "poor little website owners" are often up for a fight anyway - they're angry, they're determined, they know they're in the right and they don't want to see justice taken for a ride. The most extreme example would be the McLibel defendants, who faced personal bankruptcy to defend themselves in court.
So don't threaten them - threaten someone upstream from them, like the ISP. The ISP doesn't care about the rights and wrongs of the issue - they're looking at the money. And the money says that you have very little to gain by standing by your customer and everything to lose - the best commercial proposition is simply to drop customers as soon as anyone who can spell "lawsuit" writes to you, regardless of whether they'd have a case, and regardless of who the Good Guys might be.
This simple inequality is probably a bigger risk to free speech online than any CDA style legislation... --
I'll join the chorus of people giving Justin kudos for running this, and I'm sure that you're giving some thought to how you can try and prevent similar incidents in the future. It's not a trivial problem - I think we, the Slashdot readers, should be thinking about it too!
This was quite a big mistake, so it needed a prominent correction, but little mistakes slip into /. stories all the time, sometimes spelling mistakes, other times misunderstandings of the slant of a story; it ends up that you *have* to read at least the highest scored articles on a story if you want to know whether there's any truth to it. What can we do in future to try and make it easier for the /. editors to post accurate stories?
Here's an idea. Could be shot down, but might inspire workable ideas along the same lines. Nominate a group of "slashdot helpers" from among the higher scored volunteers (like moderators). When /. editors post a story, they can choose to put it in a queue waiting for a helper to give it a once-over; helpers will be notified that there are stories awaiting their attention. Helpers can either accept the story as is, or bounce it back to the writer with a comment, or perhaps a suggested modified version (the original is of course preserved). When writers resubmit, they can choose to put it back in the queue or put it straight on the pages.
I bet there are a hundred or more /. readers who would make good helpers for this sort of job. I think you could choose some good helpers and still have no story waiting in the queue for more than ten minutes. And I'm damn sure it would improve the spelling and factual accuracy of some of the stuff here!
You could even give helpers specialities - I for one have often wished I could have commented on a crypto-related story before /. posted it...
I'm sure this idea has problems. Consider this put in the queue - let's see what ideas people have! --
The Independent is a very high quality UK broadsheet paper; it's about as credible as any mainstream news source can be. What's more, *all* the people cited in the article know what they're talking about: people like (from memory) Brian Gladman, Julian Assange, Caspar Bowden, and Bruce Schneier.
I think this article is a pretty impressive bit of cluefulness. --
We have to make crypto easier to use, even if we sacrifice some security in doing so. Sure, for my most private communications I'd rather verify the public key myself or through a PGP-like Web of Trust, but for most mails it's still far better if I trust some DNSSEC-based database to bind an email address to a public key than if I don't use encryption at all.
Of course, by "sacrifice some security" I don't mean we should start using shorter keys - the cost of long keys is not very much so we might as well use them - I mean "allow some possible attacks that more secure approaches might deny", such as trying to substitute a fake public key for the intended recipient's keys. These attacks are still far more expensive and difficult than pure eavesdropping attacks, which are relatively easy to thwart.
Oh, and we shouldn't use SSH everywhere - SRP is the Right Thing for remote passwords, and again it's far more convenient for the users.
When security measures become inconvenient, people circumvent them in ways that utterly defeats any security gained - like by telling people their password over the telephone. We have to make security so convenient people don't even realise it's there, and do the best we can in the environment that has real users in it. Those who know what they're doing can of course do better, but on the other hand those who know what they're doing are vastly outnumbered by those who *think* they know what they're doing. --
While the posters here are correct in saying that what you want is an ordinary stream cipher like Panama using keys generated by a public-key algorithm like Diffie-Hellman (remember to authenticate the peer, kids!), there *is* a stream cipher that can be used directly as a public-key algorithm. It's not sensible for bulk use, but it has some nice properties as a public key system.
Look up "probabilistic encryption" in Applied Cryptography. This system uses a neat property of the Blum-Blum-Shub CPRNG: you can run the generator *backwards* from the final state to the initial state *if and only if* you know the primes P and Q used to set up the generator. To run the generator forwards, of course, you need only their product N = P * Q. So to use this scheme, initialise the generator in a random state, encrypt a short message (must be short: BBS is not fast!) by XORring the message with random bits from the generator, then append the final state of the generator. Only the intended recipient, who knows P and Q, can then figure out the initial state and decrypt the message.
OK, it's not what you wanted, but it's neat, isn't it? --
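A toy implementation of the scheme just described, added here as an illustration; it is not code from the post or from Applied Cryptography. The prime search, the one-bit-per-step (state LSB) keystream, the helper names and the tiny demo moduli are my own choices, and those moduli are far too small for anything but showing how the backward step works.

```python
"""Toy version of BBS-based 'probabilistic encryption' (added example)."""
from math import gcd
from typing import Optional, Tuple
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the tiny demo moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_blum_prime(start: int) -> int:
    """Smallest prime >= start with p = 3 (mod 4), as BBS requires."""
    n = start
    while not (n % 4 == 3 and is_prime(n)):
        n += 1
    return n


def bbs_forward(x: int, n: int) -> int:
    """One generator step, x -> x^2 mod N: anyone holding N can do this."""
    return (x * x) % n


def bbs_backward(x: int, p: int, q: int) -> int:
    """Undo one step; needs the factors P and Q.

    Every state is a quadratic residue mod N, and for p = q = 3 (mod 4)
    the residue square root of a mod p is a^((p+1)/4). Compute it mod p
    and mod q, then glue the two with the Chinese Remainder Theorem.
    """
    rp = pow(x % p, (p + 1) // 4, p)
    rq = pow(x % q, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def encrypt(msg: bytes, n: int, seed: Optional[int] = None) -> Tuple[bytes, int]:
    """Public operation (needs only N). Returns (ciphertext, final state)."""
    if seed is None:
        seed = 2 + secrets.randbelow(n - 3)
    if gcd(seed, n) != 1:
        raise ValueError("seed shares a factor with N; choose another")
    x = bbs_forward(seed, n)          # x0 = seed^2, so all states are residues
    out = bytearray()
    for byte in msg:
        ks = 0
        for _ in range(8):            # one keystream bit (state LSB) per step
            x = bbs_forward(x, n)
            ks = (ks << 1) | (x & 1)
        out.append(byte ^ ks)
    return bytes(out), bbs_forward(x, n)   # ship the state *after* the last one used


def decrypt(ct: bytes, final_state: int, p: int, q: int) -> bytes:
    """Private operation: walk the generator backwards with P and Q."""
    x = bbs_backward(final_state, p, q)    # recover the last state actually used
    out = bytearray()
    for byte in reversed(ct):
        ks = 0
        for i in range(8):                 # bits come back in reverse order
            ks |= (x & 1) << i
            x = bbs_backward(x, p, q)
        out.append(byte ^ ks)
    out.reverse()
    return bytes(out)


if __name__ == "__main__":
    p, q = next_blum_prime(10000), next_blum_prime(10008)
    ct, state = encrypt(b"neat, isn't it?", p * q)
    print(decrypt(ct, state, p, q))
```

Note that nothing here authenticates the sender or the ciphertext; as the post says, it is a neat public-key property, not a complete system.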
The numbers were better when the test was fairer. A still fairer (ie more realistic) test would be even further in our favour. That they untied the weight around *one* of our ankles does not make it a fair race.
Benchmarks run by those without an axe to grind (eg c't) consistently come out in Linux's favour. A lot of design work went into finding ones that would point the other way: for example, using four 100Mbit cards rather than one gigabit card. That the actual anti-tweaks for Linux were taken out doesn't mean the anti-Linux design wasn't still there.
That's why everyone remembers these benchmarks over all the other Linux vs. NT benchmarks. It wasn't because they were particularly well done: they are famous and remarkable because they're the only ones that NT doesn't lose like a dog. --
Well, no shit! "What bedtime story would you like today, little Amy? Another chapter of The Phantom Tollbooth, or net/ipv4/tcp_ipv4.c?"
...
"So the packet went back to the firewall, knocked on the door, and said 'Mr. firewall, I have a SYN bit now, may I come in?'
'What port do you want?' said the firewall.
'Port 23' said the packet.
'Get lost!' said the firewall again, and once again booted him all the way back to the source host with an ICMP reject in his ear.
Well! The poor little packet was very upset... --
... on the Microsoft Monopoly board game, an article entitled "No, the ISP gets the lawsuit - they give in faster". --
...and proud of it!
As a member of all these groups (and a goth too), I think it's striking how similar the experience of being stereotyped is in each case.
Data point: "nerd" carries much stronger associations of "poorly dressed, socially and sexually inept" than "geek" for me too. --
...or so the guys in the strange suits told me... --
...I seem to recall.
That's why there's no URL here or anything. But replace "Y2K" back to "Good Times" and ask Deja News for the earliest match it can find. --
...that this story was about Windows 2000 users!
(sorry, couldn't resist...) --