I don't know much about databases, VPNs, encrypted filesystems and such, but this post is plain blither.
The Open Source movement loves to talk about encryption and security, but it's all talk. Is there an open source email encryption protocol, which is implemented under a license which allows it to be linked in to all kinds of software? No, there's gpg, which is under GPL, which means it can only be used in other GPL software. Anyway, the author, Werner Koch, is so confused about security that he thinks that making it as a linkable library would somehow compromise security. D'ohh! Do any of the standard Linux filesystems (ext2, ext3, ReiserFS) support encryption? No. There are clunky loopback kludges you can wrap over them, but they have the drawback of being clunky kludge wrappers. If you want encryption, it needs to be done at the application layer. Given that this thread is about databases, how do Postgres and MySQL fare in that department? Can either of them produce PGP-signed database results? No (that gpg again). Can either Postgres or MySQL store data in encrypted formats? No again, unless it is implemented at the application layer.
1. Loopbacks can be "clunky" but they allow separation of the encryption and the filesystem. I don't care about encrypting my discs, but that doesn't make it so encryption is unavailable for others to use. Plus, there is no way a new encrypted filesystem should get into the main Linux trunk any time soon. Why? Filesystems are critical to system stability. If the filesystem gets corrupted, the system is gone. Any new filesystem, encrypted or not, should have much testing done before it gets included in the main trunk.
2. MySQL supports AES for table encryption and SSL for link encryption. This is far more than good enough for a database, considering that encryption isn't security (google for SQL insertion attacks). Besides, table data signing should belong at the application layer.
Ok, how about encryption on the network? Here we have some things to look up to. We have OpenSSL which is perfectly integrated into the Apache 2 server and a bunch of other places. That's good. We have OpenSSH which is effective, but somewhat brain-dead in that it provides a tunnel mechanism, but only so long as you keep a console open! D'ohh! Mercifully, Linux does have good IPsec support for tunneling.
OpenSSL is BSD, so your previous GPL argument goes out the window. It serves us well. Also, SSH for tunneling should be used for just that. There are many ways to make this work (look at the -N option) and there are a few applications where it is stupid or overkill to use SSH for tunneling. Use Stunnel instead (a generic SSL wrapper for TCP applications). Use the right tool for the job, silly.
Now let's look at other features in the Linux kernel. It has modes for running signed or encrypted ELF files, right? Wrong! Plain old plain-text should be good enough! Did someone forget support for accessing encrypted files? Guess so.
Accessing encrypted files is at the filesystem layer (which we already visited). Encrypted executables make no sense. Signed ones do, though, and that seems like a cool feature. I do not know if Linux can do executable signing at runtime or not.
Ok, but we must be doing better at the authentication level, right? Wrong! You get your choice of plain old passwords, S/Key or RSA keys, and that's it. Tokens? We don't need no stinking tokens apparently.
Last I checked, Linux has support for many authentication models. I believe the authentication application is called Pluggable Authentication Modules (PAM).
"Check out my Advanced Audio Coding collection!"
:). Stick to acronyms, they sound cooler (OGM vs MP3 vs AAC).
I think the stupid names award hasn't only touched Ogg Vorbis's hands
I think that a Vorbis only player would be great, but we would need better reasons to do that.
Primarily, no expensive license issues.
If you have software that transcodes from MP3/WMA/Whatever, you'll need a license to decode these anyways so the expensive license issues are still there.
Vorbis-decoding can be done using only integers (FLAC too?), which must save some hardware costs.
Again, while Vorbis and FLAC can be decoded with integers only, so can MP3 (http://www.mars.org/home/rob/proj/mpeg/).
So it wouldn't be much cheaper (because licensing costs still exist) to make a Vorbis-only player compared to an MP3+WMA+AAC+whatever player. In fact, it probably would be more expensive to make a Vorbis player because there are not many off-the-shelf parts or ready-made software out there, which ends up with higher development costs.
Maybe a better solution would be to have the open source/hardware community come up with an open Vorbis player with economy in mind. Then you can pitch that all the R&D has been done for them so that company X simply has to build and package the device, kinda like Linux distributions are today.
Whoops! I guess I was too pissed off to read all the way through your articles :D. Anyways, nice job of trying to get all that information on video into an easy-reading series. Perhaps now my father will understand why I tried so hard to get his equipment to use S-Video instead of RF.
After fooling around with video for quite some time now, I have come to the same conclusion that NEOGEOman gets: Macrovision and the entire industry blows. Sure, we all know that the MPAA sucks, but to drop so low as to mess with the video to the point of almost unwatchable is absurd. Here's a small list of things they do to mess up composite video (NTSC):
- variation of the black level (confuses AGCs)
- phase modulation of the color burst (later Macrovision versions, like DVD players)
- removal of lines from one field and putting them on the other field.
- bursts in the VBI
And then the industry refuses to move on until they can get some other "protection" on the video feed. Who do they worry about? The "Casual copier," "hobbyist," "hacker," "small scale pirate," and the "professional pirate" (DDWG PowerPoint presentation [http://www.ddwg.org]). The cost? Remotely decent video and your right to fair use.
Arg!
</rant>
As a side note, if you're interested in chroma sampling and how it can go wrong, check out this page: http://www.hometheaterhifi.com/volume_8_2/dvd-benchmark-special-report-chroma-bug-4-2001.html
It's an interesting read.
Here's a .EDU mirror of the above:
http://people.ucsc.edu/~twilly/tmdc6inv.zip
Right now I just browse through Packet Storm and SecurityFocus. You'll see all sorts of exploits, some are patched and others not. Be creative with some of them and you'll see how a cracker/hacker can easily use them to break a system.
As a side note, I used to keep track of just IE exploits at the Unpatched IE Vulnerabilities place but they closed for business.
Just a quick note: There are ways to get out of a restricted security zone due to bugs in the security implementation. I'm not sure if there are any unpatched bugs remaining but there have been some working exploits in the past.
It's still a good idea to use restrictive settings even though security zones are not foolproof.
Dell ships a lot of other software that is bundled with Windows. If they were to not include Windows, then why would you want the bundled software? This is probably where they got $629 from :).
Well, the project manager Viner thought that the project would be based on Windows but after talking to Dr. Tim Ferguson, Viner let Ferguson base it on Linux. Viner was so impressed with the way that Linux performed the video capture and monitoring that "The experience has made Viner a firm Linux convert. 'The office is moving over to Linux and we are looking at getting some form of network-attached storage for our clients,' he said."
And Ferguson said it best at the end of the article: "Development using open source software means the developer is totally in charge. You can do what you like, and customise things to your own needs. There are downsides, like the problems I faced with the firewire drivers. But then you'll generally find that you are not alone in this; there will be others to contribute little bits of knowledge until the jigsaw is complete."
So to say that Linux is "incidental" is a little bit of an understatement.
I think you misinterpreted the title. It really means that Linux IP consists of variations in air pressure.
:)
Last I checked, RSA is in the public domain. Even if WASTE used stolen/improperly licensed code, open source coders could simply replace it with a GPL-compatible version.
Here ya'll go.
http://people.ucsc.edu/~twilly/tea-with-stallman.html
Freenet doesn't just have "more anonymity built-in," it has leaps and bounds of more anonymity built in for the person who placed the file there in the first place. It is effectively (nothing is impossible) untraceable to the originator and the argument of "I really didn't download that" does fly because there is not a simple deal to know for sure what one downloaded (esp. with all the safety guards like segmenting and encrypting the data). The key is that FreeNet data is most likely not sourced from someone who has also downloaded that data with intent or by the originator.
This defense is untested in court and may or may not fly but FreeNet brings a peace of mind when it comes to P2P.
A better argument against FreeNet as a serious P2P application is that it doesn't handle large files (aka movies and TV shows) very well :).
This is because MPlayer didn't move over to the new libmpeg2, like xine did, so quickly. There were some design issues and other things that plagued the newer libmpeg2 releases and MPlayer worked with the libmpeg2 team to get these issues fixed. Just recently (within this past week or so) they upgraded the local libmpeg2 v.2.1 copy (hacked up version) to the latest libmpeg2 and plopped it into the CVS version of MPlayer. This late change allowed for all the performance gains that libmpeg2 v.3.x has without jumping into a poor API or the compatibility problems too soon.
It's like the Linux kernels. Sure the (formally) new 2.4.0 came out and was "stable" but there still were some major problems that didn't get ironed out until the 2.4.9ish area. Arp'i and the MPlayer development team simply waited for libmpeg2 to stabilize their new release.
Point being, try out the CVS version of MPlayer! Testers are always welcome!
We've known for a while that the DMCA collides with other laws and rights, most notably fair use. So my question is what makes this any more of a legal victory other than the Copyright Office giving an opinion on this particular issue? How can this collision be any stronger than other colliding laws?
I think a hacker is someone who uses software or hardware in a creative way, which includes creative hacks as in source and creative hacks as in breaking in. This hacker has been creative enough to not only get away with it once but he got away with it twice. If this guy is not a hacker then I don't know who is.
Like other posters have stated, Windows is vulnerable with the NIC drivers being the problem. Microsoft claims it doesn't ship bad drivers but my Xircom CardBus Ethernet II is vulnerable (Win2k). I believe I got the driver on Windows Update :).
My Xircom CardBus Ethernet II (PC card) is vulnerable on Windows 2000 with the latest driver. So yes, Windows, more like the individual NIC drivers, is vulnerable.
Here is the padding from one ICMP reply (1 byte data was used in the ICMP echo request).
cf 1d 3e 59 0c 09 00 08 09 0a 0b 0c 0d 0e 0f 10 11
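As an added illustration of the check behind the capture above (my own code, not the poster's): the script builds a constructed Ethernet/IPv4/ICMP echo-reply frame carrying a 1-byte payload, computes how many padding bytes follow the datagram from the IPv4 total length, and reports whether that padding is zero-filled as RFC 894 expects or carries leftover driver-buffer contents. The sample addresses, identifiers and pad contents are constructed for the demonstration.

```python
"""Flag Ethernet frame padding that a NIC driver did not zero-fill.

Constructed example: frames are raw IPv4-over-Ethernet captures without the FCS.
"""
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60            # minimum frame length on the wire, excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class PadReport:
    ip_total_len: int     # bytes the IPv4 header says the datagram occupies
    pad_len: int          # bytes that follow the datagram inside the frame
    pad_bytes: bytes
    nonzero_count: int

    @property
    def leaks(self) -> bool:
        # RFC 894 says Ethernet padding should be zero octets; anything else is
        # whatever the driver happened to leave in its transmit buffer.
        return self.nonzero_count > 0


def inspect_padding(frame: bytes) -> PadReport:
    """Compare the IPv4 total length with the frame length and inspect the trailing pad."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if total_len < ihl or ETH_HDR_LEN + total_len > len(frame):
        raise ValueError("IPv4 total length inconsistent with frame length")
    pad = frame[ETH_HDR_LEN + total_len:]
    nonzero = sum(1 for b in pad if b != 0)
    return PadReport(total_len, len(pad), pad, nonzero)


def build_echo_reply_frame(data: bytes, pad: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/ICMP echo-reply frame (constructed test input)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, 1) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_ICMP,
                         0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + icmp + pad


# A 1-byte echo payload gives a 43-byte frame, so 17 bytes of padding are needed
# to reach the 60-byte minimum.
ONE_BYTE_DATA = b"\x00"
PAD_LEN = ETH_MIN_FRAME - (ETH_HDR_LEN + 20 + 8 + len(ONE_BYTE_DATA))   # 17

# Constructed samples: a driver that zero-fills, and one that leaks stale buffer bytes.
CLEAN_FRAME = build_echo_reply_frame(ONE_BYTE_DATA, bytes(PAD_LEN))
LEAKY_FRAME = build_echo_reply_frame(ONE_BYTE_DATA, bytes(range(0x41, 0x41 + PAD_LEN)))


if __name__ == "__main__":
    for name, frame in (("clean", CLEAN_FRAME), ("leaky", LEAKY_FRAME)):
        r = inspect_padding(frame)
        print("%s: pad_len=%d nonzero=%d leaks=%s pad=%s"
              % (name, r.pad_len, r.nonzero_count, r.leaks, r.pad_bytes.hex()))
```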
What's wrong with trying to make a profit from free programs? It's like screaming bloody murder over the fact that RedHat profits from selling free software. If the licenses of Smart Ripper, DVDx and others say that selling them is not allowed then so be it. Otherwise go ahead as packaging software with an easy to use GUI is a service, and a valuable service as many DVD drive companies think it is worth paying money for.
He has spammed several usenet groups with this speculation before and he hardly knows what he is talking about. We have decades of experience on audio compression and as one usenet poster put it, "almost every tv or radio uses some kind of compression for audio (e.g. many radios use mp3). The telephone itself cuts a lot of frequencies (nothing above 8kHz). So, everyone should have a serious damage to the ear, isn't it?"
One thread out of many
FYI, AVI is a horrible container and only ASF v2 is openly documented by Microsoft. MS uses ASF v1 everywhere and to date I have not seen an ASF v2 file. Did you ever try to make an ASF v1 encoder? I doubt it as VirtualDub once allowed the export of ASF v1 files but they got a nasty letter from MS and had to discontinue the support.
I do support the QuickTime container (Apple got it right the first time) but (unfortunately) I also support MPEG-4. There is no way to get around the patents for video as they extend way too far. VP3 stinks compared to MPEG-4 and other codecs like WMV9 and RealVideo9 either suck and/or are closed tighter than the RIAA's fist on congress. I am giving lots of hope to Tarkin 'cause just maybe they might pull through with a codec that can compete. Best of luck to them.
As to your last point, people might want to watch a newscast or some other simple video service (a review of a game perhaps?) on their phones. These services are where video on phones makes sense.
She said that with Linux, the company would have faced issues such as a lack of drivers and support if it decided to use cross-platform hardware.
Isn't the purpose of "cross-platform hardware" to provide cross-platform support or do I not speak management?
If they were estimated to have stolen $11k each I think that they should have gotten what they did.
There is no way they could have stolen 11 thousand dollars worth of bandwidth in such a short time. A T1 is around $600-1000 a month so the uncappers would have to uncap for at least a whole year in order to steal that much bandwidth. Wirtz said that he uncapped for about 16 hours, which is wrong in the first place but FAR from 11 thousand dollars.
They deserve punishment but this is too excessive.
The analogy is incorrect. Microsoft didn't sell the Xbox, they sold Xbox Live which won't work on the modded Xbox, and without warning. I would blame Microsoft for selling me Xbox Live on a modded Xbox. Even though I might get my money back it would be too much of a hassle to deal with calling in and sorting things out.