Slashdot Mirror


User: Paul Crowley

Paul Crowley's activity in the archive.

Stories: 0
Comments: 1,017

Comments · 1,017

  1. Beware: Brett Glass is an anti-GPL fanatic. on "Fear and Flooding in Las Vegas" · · Score: 3

    Be warned when reading this that Brett Glass is obsessively, fanatically opposed to the GPL. He used to be on the am-info ("Appraising Microsoft") mailing list, but he would turn every thread into a thread about the evils of the GPL and it became impossible to discuss anything else because everyone was talking about the absurd claims he was making.

    Eventually I publicly aired the suggestion that we ask the administrator to remove him from the list; he was removed a couple of weeks later, and the list returned to usefulness.

    It's a pity, because he's clearly an intelligent and insightful thinker, but his crusade against the GPL is simply beyond all reason.
    --

  2. Yes. We need open policy as well as open source. on Eric S. Raymond Answers · · Score: 2

    Our debates have to happen in the open. We have to criticise the viewpoints put forward by the people who represent us to other cultures.

    If what Bruce does is "sniping from the sidelines" I'd like to know what the hell valid criticism from another participant looks like.
    --

  3. Could there be a back door in the satellite? on Quantum Encryption Explained · · Score: 2

    No. In space, there is no "up" or "down", so no part of the satellite is the back...

    (Score: -1, Unfunny)

    --

  4. You're doing the NSA's job for them! on Quantum Encryption Explained · · Score: 4

    The conclusions of those "people out there" are not based on anything resembling a fact. If this sort of mindless, groundless pessimism puts even one person off encrypting just one email message with the best tools we have (PGP, GPG etc) then the NSA have done part of their job without spending a single compute cycle.

    Learn a little about how modern crypto works (The Cryptogram is a good place to start). Read the descriptions of some of the AES candidates: Serpent, RC6 or Rijndael might be good ones to start with. Even in the supremely unlikely case that the NSA can crack everything we use, it would still cost them something in compute cycles, and encrypting all the world's email would still put a significant barrier in the path of their intelligence-gathering activities.
    --

  5. I'm pretty sure this story is nonsense. on Quantum Encryption Explained · · Score: 2

    The Weizmann institute announced a design for a piece of opto-electronic kit called TWINKLE that could greatly speed factoring, though modern recommended key lengths (eg 1024 bits) are still *way* out of its reach. However, it hasn't been built yet, it's not handheld and it doesn't go at 12 microseconds.

    The UK Government are mulling over how to cripple domestic crypto without getting hit over the head at the moment, so scare stories about crypto are appearing all over the press at the moment, especially the Murdoch-owned press; apparently the crypto we all use is worthless, but the Bad Guys are using unbreakable crypto to hold up banks so it must be stopped, and we must go to the GCHQ (our NSA) for "consultancy" on what best to do about it.
    --

  6. *All* encryption is vulnerable to Man-ITM on Quantum Encryption Explained · · Score: 3

    If our understanding of the physics is correct (pretty much certain) then this system is provably secure: no mathematical breakthrough will let you in.

    If you can intercept *all* communications between the two parties, direct and indirect, and substitute *all* messages for ones you've written yourself, then nothing at all will stop a MitM attack. You have to have some sort of authentication lever.

    However, you're right to say it's a particular weakness of this system, because the system depends on Bob sending Alice an authenticated message of what measurements he took. If Mallet can subvert this channel he can read the secret message. And QC doesn't provide provably secure authentication, since that's impossible - it's a social problem as much as anything else. Perhaps you could prove that the sender of a message knows a particular secret, but how will that help if you can't be sure who holds the secret?

    And you're also right that it's totally impractical for real use.
    --

  7. Pessimism about modern crypto totally unfounded. on Quantum Encryption Explained · · Score: 3

    The breezy assertions at the start of the article that modern cryptosystems are going to be cracked any moment now are totally unwarranted. Progress in solving problems like factorisation, ECDL etc has not been much different from what might have been predicted fifteen years ago, and we have no particular reasons to think that this will change. It's about as worthwhile as speculating that some as-yet-unknown discovery in physics might render quantum cryptography useless.

    Quantum crypto requires bizarre quantum properties of your message to be preserved from end to end - there's no possibility of an ordinary routing network. Furthermore, as the Dodger points out, it just pushes the problem into the authentication domain, and that's resting on precisely the same "untrusted" mathematics and a few social problems too. It's an interesting toy, but the public key crypto we already have - that we can do with straightforward hardware and the networks that already exist - will continue to be the workhorse for 99.99% of encrypted world communications, and don't let anyone try and tell you otherwise.

    I do wish people wouldn't mutter dark warnings about perfectly good systems in order to sound interesting: the field of security has enough FUD as it is.
    --

  8. How can we best let people know? on Sun to release Solaris source code · · Score: 5

    As people here know, Sun's SCSL is a kind of "embrace and extend" for free software/open source: pretend to offer the efficiency gains, but hold back the freedom so you can still hold your customers in thrall and mess them about at a later date.

    The trouble is that a lot of people are going to mistake this for a real open source release. In some ways, it's the nightmare scenario that RMS has been trying to warn ESR of, though I don't think his methods for combating it are the most effective: most people out there still think "free software" means gratis, not libre.

    So, how can we spread the word? How can we let people know:
    • that free/open source software is all about software freedom, not just low prices and local bugfixing
    • that software freedom is worth having, not just for starry-eyed idealists and people who talk about troublesome ideas like ethics, but for anyone who needs their software to have a future
    • and that the SCSL doesn't grant it, not by a long way?

    This is a pretty complex message, and getting across even the simplest ones is difficult. How shall we tackle it?
    --

  9. There are other languages... on Perl6 Being Rewritten in C++ · · Score: 3

    Chip didn't consider all the programming languages in the world before making his choice; there are several others. Some of which might have been a better choice.

    How about, say, Sather? A clean, fast, free (libre and gratis), object-oriented, garbage-collected language, which (and this is the beauty) compiles into portable C, so you can bootstrap Perl without first bootstrapping Sather. You only need Sather if you want to tweak Perl.

    If that's too much effort, then you've basically already made the decision that only C or C++ will do since that's the compiler that machines will already have, so there's not much point in talking about other languages you might have used were it not for that condition. But I think it would be a mistake for free software projects to mandate that only these languages will do - it's not a restriction that proprietary, binary-only releases labour under.
    --

  10. Adam Penenburg seems to be cool on Forbes Takes on AntiOnline · · Score: 4

    Do a Google search on Adam Penenburg; find his email address and write to him to congratulate him on this article, before going on to read some of his other stuff, including an enlightening mea culpa on being taken in by bogus hackers himself, echoing Mike@ABC's comments: writing accurate hacker stories is hard. Sadly, staying credulous makes your stories sound better ("hackers hold up banks with crypto") and no-one seems to notice the difference. Thanks for trying to stay honest.
    --

  11. Good questions! on DoD Computer Forensics Lab to use Beowulf · · Score: 2

    1) Yes, the data is encrypted.

    2) The space with your "extra" data in it looks exactly like free space. This means that for normal use mounting the drive read-write, you have to use your most secret passphrase or you'll trash some of your "extra" data.

    The site appears to be back up.
    --

  12. Many advocates or one? on Ask Eric S. Raymond Anything · · Score: 5

    In "Understand my job, please!" you described Bruce Perens's proposal that we have a team of Linux advocates sharing the load as "glib". Could you say more about why you feel this way - isn't it more likely that a job where the load is shared would be more attractive?

    Thanks,
    --

  13. If you really want to hide stuff from the Feds... on DoD Computer Forensics Lab to use Beowulf · · Score: 5

    ...you'll need plausible deniability. In other words, you'll need the Steganographic File System just released for Linux. It provides a uniquely powerful form of information hiding: you can type in a passphrase that reveals a certain amount of the disk, and there's no way of telling whether there are other, deeper passphrases that would reveal more. This means that there's no legal duress that can force you to reveal your most secret data.

    However, if the attacker is using rubber hose cryptanalysis, it means there's nothing you can do to convince them, once and for all, that the passphrase you've given them is the real, true, final passphrase. Could be painful...
    --

  14. Re:Inter-net! Inter-fuckin-net! on Everything We've Heard About Columbine is Wrong? · · Score: 2

    Sure, I'll email you with - oh.

    Never mind.

    I put my email address in the header - I guess you'll just have to email me.

    (tip: go to http://www.google.com/ , type in "london goth" and press the "I'm feeling lucky" button.)
    --

  15. Hey, this is five years old! on Oracle's policy statement on software patents · · Score: 3

    A little URL editing gives us the containing directory, with lots of statements about patents from lots of major companies (Autodesk's seems good, there's also IBM, Borland...) - and the last modified date is 29 May 1994. There's more material on patents in the parent directory - have a poke around.

    Sorry to post thrice in one thread, but I thought it was worthy of note...
    --

  16. Eh? Where? on Mars Climate Orbiter AWOL · · Score: 2

    The link to the real time telemetry seems to indicate that the probe is still unreachable. The FLORIDA TODAY link says the same (and it seems to be updated very rapidly). Can you provide a URL?
    --

  17. Definition of "Patent Flooding" on Oracle's policy statement on software patents · · Score: 5

    I didn't know what this term meant, so I did a Google search which turned up these definitions:

    [...] "patent flooding," the practice of filing large numbers of patents with narrow claims and utility models to "surround" a rival's basic patent on a core technology. (BRIE Working Paper 89)

    In Japan, filing would expose them to patent piracy of their technology through "patent flooding," i.e., inundating the Japanese Patent Office with hundreds of unworthy patent applications using minuscule modifications of the American invention, followed by bullying tactics to get cross-licensing agreements. (The Patent Fight Gets Ugly)

    and this extended article: Technology Transfers to Japan: Legal and Cultural Frameworks (search for "flooding").

    Just Another Patent System Stupidity, it seems.
    --

  18. The Anti-Patent Patent League on Oracle's policy statement on software patents · · Score: 5

    I don't see any problem with "defensive patents". In fact, I think we should start taking out a few of our own!

    Here's the scheme: we all set up and join the Anti-Patent Patent League. The only condition for membership is that you license all your patents to all other members - you can charge what you like or impose what restrictions you like on non-members. You don't have to have any patents to join: indeed, you can join simply by agreeing to the Patent Sharing Pledge.

    Then the FSF allow you to use such patents in GPL v3, and hey presto! Disavow the patenting system, or be locked out of the biggest patent block in history.

    There are some tricky technicalities, but it seems like the free software community's answer to defensive patents to me. Maybe Oracle would join...
    --

  19. Inter-net! Inter-fuckin-net! on Everything We've Heard About Columbine is Wrong? · · Score: 2

    Walking back from the goth club one night:

    "what the FUCK is that?"
    "Hey, Marylin! Marylin Manson!"
    and best of all:
    "Inter-net! Inter-fuckin-net!"

    A hundred yards further up the road, an enterprising schemie [1] decided to throw a handy rubbish bin full of glass bottles at my head. I felt drips from the bottles hit my face as it whistled past. *Crash*. I didn't look.

    Sadly, they didn't seem in the least worried that I might pull a gun on them and shoot them. But then, if I'd been allowed a gun, they would have been too. I live in Edinburgh, UK.
    --

  20. This was all made up by the UK's NSA. on UK Banks Blackmailed by Crackers · · Score: 3

    Inhabitants of the "UKcrypto" mailing list, for discussing government cryptology policy, have come to the conclusion that this story is a complete fabrication, "cut from whole cloth" by GCHQ (the UK equivalent of the NSA) to spread bad words about strong crypto and encourage regulation.

    The original story has bizarre references to "hackers" holding up banks "with crypto" - I know it's a munition, but you can't point it at a bank teller!

    See for example this article by highly respected cryptologist and computer security expert Ross Anderson, who is also co-author of AES candidate Serpent. Note also this observation on bank panic stories, or read the whole thread (search for "today's Times").

    I'll also echo the comments here about Jonathan Ungoed-Thomas's hilarious attempts to cover security issues, among other iGaffes.
    --

  21. Should we resurrect OpenDoc? on Ask Havoc Pennington · · Score: 4

    I hear a lot of good things about OpenDoc. They say it was the future of document editing. They say it was the glue that made a collection of small applications into an infinitely flexible document creations system. They say it was a work of brilliance, and, better than that, the Right Thing.

    Should it be reimplemented? Should it be part of Gnome?
    --

  22. Install less, and use firewalls on Linux Lite? · · Score: 4

    The basic idea is hard to fault. A few caveats:

    (1) There's no need for entirely separate distributions: a radiobutton selection in the install dialog about whether you want the default desktop edition or something fancy would do.

    (2) Firewalling the PPP device by default would help. A *lot*. Just bar incoming TCP connections and most other stuff and a lot of script kiddies get shown the door.

    (3) The biggest helper would be if these distributions installed fewer packages! I've installed Debian umpteen times, and I've grown to loathe dselect. The best thing would be for distributions to install a minimum set of recommended packages at install time, enough to get online and browse the Web and read mail and news, and then let them get used to it. Another day, they can learn about making Web servers available and suchlike: a simple, secure base would be an excellent place to start.
    --

  23. "The Onion" had it right, of course... on On eBay Addiction · · Score: 2

    See Man With Complete "Mama's Family" Video Library Never Going On eBay Drunk Again for our favourite news journal's cutting insights into this growing crisis.

    "NEWTON, MA--In a solemn pledge to himself and the world, Kevin Wollersheim, the new owner of a complete Mama's Family video library, announced Monday that he will "never, ever again" shop the online auction house eBay while inebriated."
    --

  24. There *is* such a thing as pathologically social. on Why geek geniuses may lack social graces · · Score: 2

    I saw it visiting a friend in a psychiatric ward. An old woman I'd never seen before started talking to me, telling me I should visit her in her house in the country and they'd have a great party. As soon as she found out my name she started treating me like an old friend. I found it hard to be friendly while still keeping my distance. I'm pretty sure she's still there: I got the impression she'd been there a while and wasn't expected to check out any time soon.

    So while some geeks may not have their social skills as honed as they could be (and I'll second the person who advises you to use your engineering skills on the problem) we're all fortunate not to be too far away from the roughly sensible arena of behaviour.
    --

  25. I've been waiting for this for years on Nokia bring out Linux Cellphone/TV/Browser · · Score: 3

    I've been waiting for at least two years for the Linux cellphone/PDA to become available. Here's the device I want:
    • Personal organiser software a la my Pilot
    • Cellphone (preferably dual band)
    • Internet comms over the cellphone
    • Real hard drive, perh. StrongArm processor
    • IRDA port, maybe Bluetooth
    • Runs Linux and 100% open source software (of course!)

    And there's my PDA, phone, watch, and many other things I need. If I had such a thing, I might even leave the house from time to time!
    --