Slashdot Mirror


User: quentin_quayle

quentin_quayle's activity in the archive.

Stories: 0
Comments: 81

Comments · 81

  1. Re:there's hardly a casual explanation on Explaining DRM to a Less-Experienced PC User? · · Score: 4, Interesting

    Refer them to a video.

    From the page:

    ZDNet Executive Editor David Berlind suggests that CRAP or Content, Restriction, Annulment, and Protection, is a catchier phrase than DRM - Digital Rights Management. Why does he think this technology is crap? Once you've bought music or other content to play on one device, it won't play on any other device because of the proprietary layer of CRAP.

    This was torrented a while back. Maybe someone will put it on Youtube. It is quite funny and makes the point well.

  2. Mod parent upRe:Well on Google Targets TV Advertising · · Score: 2, Insightful

    It has taken to the middle of this thread before someone started talking about the most interesting aspect of this topic and it's rated only a 1 so far. Give the guy some points already.

    The crux of the whole thing is linking up the cable customer's TV and internet behavior. The cable company and networks don't need Google to match shows with appropriate ads; that's been done for the whole history of TV. Nor do they need Google to match viewing habits over time with ad targeting; cable companies can do that without another party in the chain.

    But to go beyond this, we're talking about matching up the web (and other?) internet behavior with the TV viewing.

    In the least disturbing variation it would be only Google cookie + TV logs = targeted ads on TV. But even this involves the cable company keeping track of the combination of your current IP and your TV viewing, and exploiting it.

    At the extreme, imagine your TV ads being real-time tailored to what you're currently looking at online, and your internet provider continually feeding your profile plus IP combination to Google so it can serve internet ads to pages served from *your* web clicks in particular. Maybe they'll tailor search results as well as ads. Maybe linking DSL into the picture as well. So even if you refuse the Google cookie, you get tracked. Maybe someday, tailoring the content on web pages by insertions and deletions on their way to you.

    All this is too Orwellian for me. I want to opt out of all the monitoring as far as possible and prevent any connection between my activity patterns in different spheres.

  3. Re:Cookie myth on Defeating Google's Perpetual Search Logging · · Score: 2, Informative
    Megaditto
    'Deleting the cookie' does nothing to remove your stored search history crosslinked to your IP address

    Having a dynamic IP does not help if you use your computer regularly to check email, log in to slashdot, or visit your unique collection of news sites: anything that can link your particular IP-of-the-day to your identity.

    Oh, but there's more. It's not just searches. Just today I noticed that Google is serving css and javascript from www.google.com for third-party sites such as blogs.

    So in other words, they can track you across the web unless you foil this too. Prior to this, you could avoid being tracked from site to site by (a) controlling cookies (I never allow beyond-current-session cookies for any site, ever) and (b) black-holing advertising and tracking sites including pagead2.google.com and google analytics, etc. But now it's either filter www.google.com too, and not have access to their main site; or leave it unfiltered and let Google map all your searches to your IP *plus* the fact that you visit site A, then site B etc. (maybe even what you do there, if they're using XMLHttpRequest to the max).

    So now the practical privacy protection is to use the kind of solution the link in the story recommends (FF extension) or maybe searching via something like blackboxsearch or scroogle.

    The better solution would be a way to selectively block third-party accessory files - JS, CSS, images (blacklist/whitelist and 3rd party vs. current site). The Mozilla browsers have an option to disallow third-party images but it doesn't work. Users also need control over XMLHttpRequest, including optional notification of when it is used, option to turn it off (it's supposed to be same-site-only but iframes are a big loophole).

  4. Re:Has Linus sold out? (was: Re:I can see both sid on Torvalds Critiques of GPLv3 and FSF Refuted · · Score: 1

    My post is not an attack on Linus, it is only raising a question. I just want to know why he avoids one crucial issue.

    "you types" and "true colors of the FSF goon squad"? That is the stuff of trolls. I agree with RMS/FSF on this one issue, but not everything, and I don't think my post shows any evidence of fanaticism.

    BTW, if you interpret my post as an attack then you are implicitly agreeing that a world of all-DRM hardware would be a bad outcome. Otherwise you would not take it as imputing a negative quality when I ask whether LT favors that outcome.

    It is a legitimate question. Does Torvalds really think there is no likelihood of the TC scheme making general-purpose programmable PCs hard to obtain or use? This seems to be his premise but it is refuted by the abundant facts and he has not made any argument for it. Or does he think that is an OK scenario? Either way I just want to know which side he is on, and so do others.

  5. Has Linus sold out? (was: Re:I can see both sides on Torvalds Critiques of GPLv3 and FSF Refuted · · Score: 4, Insightful

    First a minor point which keeps getting overlooked. With DRM hardware, you cannot verify GPL compliance. The only way to verify that a set of source code purporting to represent the binary that is running, is really the binary that is running, is to compile from that source and run the new binary. Any hardware that requires signed binaries prevents this unless signature capability is given to anyone who wants it. Thus without GPLv3, there cannot be public verification that any vendor of supposedly-GPL software for "trusted" hardware really is complying with the GPL. So another way to characterize the anti-DRM provision would be to call it verifiability.

    Now, DrJimbo in parent post:

    "Without the DRM provisions in the GPLv3 that Linus is complaining about, we could eventually face a situation where it is literally impossible to develop FOSS for the latest generation of computers. Worse, those computers could be running the GPLv2 software we wrote even though we have lost all of our rights to further modify it and we've lost the right to even choose what software we run on our own computers."

    Right, exactly - And this is what Torvalds consistently refuses to address. He snipes at GPLv3 with invective and complaints about the process (and if he really was the poster in the Groklaw thread, about the definition of source code), etc. But on the hardware issue he just flippantly declares that if you don't like the inability to run modified GPL code on the same device, get some other device.

    This obviously ignores the "trusted computing" initiative that is intended to make all PCs slave devices, and is progressing like an onrushing freight train while DRM apologists quibble on the tracks and say "let's wait and see what it really turns out to be" or "how it is used" - then of course it will be too late.

    This makes me wonder about a darker possibility which I do not like to think of, but it fits the facts: Has Linus sold out? This is suggested by another poster below and in this post at the Newsforge thread:

    "You need to understand why Torvalds opposes this. Torvalds sits behind a wall of IBM/HP (and other companies) lawyers. They pay his wages and defend him from the SCOs of the world. In return, he spouts their views... and in this case, these technology companies want this hardware in every PC very very badly. To get the level of control over the user that they want, they must be able to use a "trusted" kernel (the kernel/bios/boot loader are critical components in a trusted system).
    "Basically, Torvalds has turned into a mouthpiece for technology companies."

    Otherwise why does Linus fail to address the real and appropriate concerns about TC hardware becoming exclusively available?

  6. Better mnemonic on Inside Vista's Image-Based Install Process · · Score: 1
    "E.g." means "for example," and "i.e." means "in other words." (Translated, of course.) The way I remember is to consider how stupid I'd sound using it wrongly. Okay, not really. Mentally substitute "for egzample" whenever you use "e.g." to see if it works.

    How about "exempli gratia" and "id est" ?

  7. Pre-Microsoft versions in new torrent on Microsoft Acquires Winternals and Sysinternals · · Score: 4, Informative

    The torrent referenced in the parent has a current set of the utilities. The last-changed dates are this month, at least on important ones such as Process Monitor and regmon. Also a new EULA.txt in each file as another poster mentioned.

    There is a new torrent now, pre-MS versions. http://thepiratebay.org/details.php?id=3504886 See notes therein.

  8. Re:Standalone Installer on Google Bundles Toolbar With Adobe Apps · · Score: 1

    Thanks for the information!

    From a practical point of view it's good that these things are fixable. However, the obnoxious presumption of Adobe's settings remains offensive and lowers my opinion of the company.

    I think the big picture here is that Adobe has about reached the point of diminishing returns when it comes to enticing people with better products - Photoshop for example, is about the best it can be, or at least improvements won't be as dramatic now, and similarly with other products. So the company tries to tighten its grip in other ways. Same thing with Microsoft and the new licensing severity. Commercial software is declining in the long run but in the meantime we're going to see more of this "squeeze more dollars" behavior.

  9. The road to evil is paved with selling out on Google Bundles Toolbar With Adobe Apps · · Score: 1

    When an organization reaches a certain market share or amount of power, it reaches a sort of tipping point into arrogance, hubris and control-freakery, manifested in increasing its efforts to exploit all the other parties it deals with to the maximum degree. Microsoft and the **AA are long since way on the far side of that point; similarly on a larger scale the USA in the international arena; and now on a small scale, Adobe.

    Last weekend I was collecting installers in preparation to reinstall Windows and wanted the latest Acrobat Reader. v.7 has the notorious behavior that if you turn off Javascript it nags you to turn it on every time you close the app. (Bug or anti-feature? It's exactly the kind of dual-purpose-with-plausible-deniability that is a favorite dirty trick of Microsoft [WGA Notification, GUIDs, etc.].)

    The v.7 reader also contained the Yahoo "feature" even if you specifically opted out of the toolbar. On Windows 2000 you can defeat the Javascript trick by replacing the Javascripts folder with a dummy file. So I expected to do the same on XP, and found that it runs an installer on every startup, and if the Javascripts folder is not as expected refuses to start the app. If I deleted the installer, the reader wouldn't start at all.

    So I went to the Adobe site hoping to get a more recent version with this problem fixed. And discovered that (a) they don't even acknowledge the problem on their site (b) they no longer offer a standalone installer - only a stub that expects internet access. Well that's contrary to my security policy (I know, call me tin foil, I don't do plugins either). And no reading PDF documentation prior to networking on an OS install, as far as Adobe cares. With about five points against Adobe, I went for the alternative.

    In the same day I was very disappointed to find that the latest version of the heretofore redoubtable Irfanview now bundles the Google (desktop? toolbar? whatever).

    You have to get good products on the way up, while the companies are still trying to please, and abandon them when they sell out.

  10. They don't have to care as long as others pay on Trojan Compromises Oregon Taxpayers · · Score: 4, Insightful

    Is it just my perception or is this becoming routine now?

    I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

    The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc.

    Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

    Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.

  11. Re:Yet another reason... on The Worst Bill You've Never Heard Of · · Score: 3, Insightful

    "How are they planning to enforce this on existing setups?"

    Well maybe I'm just paranoid, but maybe that is an implicit purpose of this provision. It would take something like Microsoft's "protected content path" in Vista to monitor all the copies made. And there's nothing the MP/RI Ass. of America would like better than a comprehensive DRM system required by law. And it's entirely typical of interest groups to use one bad policy as a pretext for another.

  12. Re:What if on The Future of the Internet · · Score: 4, Interesting

    "What if... The biggest ISP decided to partner with a lot of content providers and limit that content to their customers only? I think it would be called AOL and people would jump ship and go to smaller ISPs.

    "Doesn't the same apply here?"
    -- missing000

    What if, in a few years, a few giant ISPs are the only ones left for 99% of USians to choose from, and they all discriminate by content, protocol, and application? Then where will people "jump ship" to? How will we even get news or viewpoints that don't conform to the commercial interests of the few big ISPs?

    Very slowly, I think, if at all.

  13. Re:Innoculations? on Vintage Diseases Making a Comeback · · Score: 2, Informative

    Part of the problem is that many parents now associate the significant increase in autism in recent decades with the MMR. In many cases the condition becomes manifest *immediately* after the vaccination causing a drastic difference in the child.

    One theory holds that it's the combination of all three at once that brings on the disease in susceptible individuals. Another is that it's mercury. Until recently these vaccines were laced with Thiomersal (Thimerosal?) which contains ethyl mercury. Methyl mercury is extremely toxic; elemental mercury is relatively inert in the body; the effects of ethyl mercury are officially unknown. The questioning of the MMR, or the mercury-containing version, seems to be a bigger controversy, and more acted upon by parents, in the UK than in USA, but there's a lot about it on www and many parents are concerned here too.

    Of course the health authorities' reactions to these parental concerns have ranged from derision to contempt to hostility. They refuse to offer the vaccines separately and then blame parents who are reluctant to give them together. They reject any concerns about the mercury as quackery. Studies in journals have purported to show no effects from the doses of mercury. The ingredient (a preservative) has been officially banned now, but was not recalled, so it is still in doses in stocks used by doctors, clinics.

  14. Re:And let me guess on Most Web Users Unable to Spot Spyware · · Score: 1

    "And let me guess ... McAfee will sell me the software to help save me."

    It's a remarkable fact that people will buy all sorts of apps to protect themselves against third party exploits, yet it never seems to occur to them that security has to be against the vendors too.

    So this "McAfee SiteAdvisor" is going to monitor every site you visit and check with some central DB to give ratings? Well, at least the buyer knows that's what it's doing, and installs it voluntarily, but those are not criteria in my definition of spyware. The delivery, in effect, of all this data about the user to a profit-oriented company qualifies this as voluntary spyware as far as I'm concerned.

    But hey, if you can't restrain yourself from downloading and running unnecessary executables whenever you see something flashy, maybe you're better off with this hand-holding, spyware and all.

  15. Re:Bad quiz on Most Web Users Unable to Spot Spyware · · Score: 5, Insightful

    Right. It's more like "Assuming you are going to download an exe of some frivolous applet, and install it as Administrator on Windows, on a whim, which site will you get it from?"

    If this applies to you, you've already flunked the real-world test. If they had a third option "I'll get software only when it's important, and then only from sources I've thoroughly researched and have objective reason to trust" - then this quiz would be a public service. As is, it just encourages the proliferation of Windows malware.

  16. Re:My main problem with Linux on Linux Distributors Work Towards Desktop Standards · · Score: 1

    Unfortunately, your main problem with Linux will never be known to Slashdotters. That's because of your main problem with posting: lack of paragraph divisions.

  17. Re:Cool, but nor practical on Making and Breaking HDCP Handshakes · · Score: 5, Informative

    Did the moderators Read The Fine Article before giving the parent points?

    Felten in talking about "a conspiracy of about forty devices" is not saying that (defectors at) forty device makers have to reveal secret keys. What he's saying is that you just need the 40 devices themselves, or rather (as post above pointed out) enough to get 40 different key sets (and some math and programming ability). Then the crack is done by analysing the bit streams between the devices (between player and display, or whatever).

    The expense is the cost of all those tvs and players. Bribing the device makers is a *different* kind of attack which Felten rules out as impractical.

  18. Keys too or only algorithms? on IBM Hardwires Encryption Into Chips · · Score: 5, Insightful

    Apparently what they're putting in the chips is, at least, encryption/decryption routines. Aside from the obvious questions (what happens when you want to change algorithms?), the important question is whether they're including digital keys as well.

    The single factor that makes "trusted computing" evil is that there's a digital key (the "attestation" or "endorsement" key) baked into the TPM which the owner of the machine is prevented from accessing or changing. If all the keys were accessible to the owner, it would be a purely beneficial technology. With the anti-owner feature, it becomes an engine of DRM, censorship, and vendor lock-in on a vast scale, and at a fundamental level absolutely prevents security and privacy for the computer owner.

    So the question is which category this IBM tech falls into. And that in turn depends on whether digital keys will be baked into the processor, or whether it's only a set of routines that any software can use under the owner's control.

  19. 4th as well as 1st amendment implicated on PA Seizes Newspaper's Computers · · Score: 1

    The seemingly universal practice of law enforcement seizing whole computers or hard drives would be disallowed on a correct interpretation of the Constitution, IMHO (USA perspective here).

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
    -- 4th Amendment.

    It should be obvious that files are the modern equivalent of the founding fathers' "papers". Seizing the whole computer or hard drive is, in 18th century terms, like taking the bookcases, writing desks, ink-pots and goose-quills. It imposes an unjustified cost on people who are supposed to be presumed innocent. The reasonable rule would be simply making copies.

    Related idea: Imagine a system where you log on with a smart card; the card's key plus a passphrase are used to encrypt each user's data with his/her own key and, say, AES. Newspapers will have to start using something like this.

  20. Re:Link to research paper on Microsoft Research Warn About VM-Based Rootkits · · Score: 2, Insightful

    GP: "The whole point of TCPA is that 'trust is built in to the machine in a fundamentally inaccessible (to the user) way."

    Parent: "You don't know anything about TCPA. The whole point is to do a 'trusted boot' so that the state of the machine can be known and reported in an unforgeable way. This allows both users and remote parties to know that the machine is running a certain configuration, with no rootkits or malware installed."

    No, you're the one who doesn't understand TC. When you boot a computer that complies with the whole TC spec, you have no idea what it's running because you can't trust the software that purports to tell you about it.

    To boot into trusted mode, you have to be running signed binaries provided by the holders of the attestation key. They may claim to give you source but you can't verify that it's the source of what's running because you can't compile it and replace the signed binary and then get into "trusted" mode.

    Therefore you have no idea what the software is doing, no control over what it does, and no way to verify whether it's telling you the truth about anything. It's true that "the state of the machine can be known and reported in an unforgeable way", but the claim that "This allows both users and remote parties to know that the machine is running a certain configuration" is your lie. Only to the key holders is the state known. Non-key-holders including the owner of the hardware are shut out of this knowledge and from control of the machine.

    You're either ignorant or a corporate shill. Your phrase "with no rootkits or malware installed" invokes the "big lie" of so-called "trusted computing", the idea that it protects "security" for the owner of the hardware. In fact it abolishes the possibility of security for the owner of the hardware. TC itself is the ultimate trojan for the reasons explained here.

  21. Re:GPL v3 makes compliance verifiable on Linus on GPL3 In Forbes · · Score: 1
    "... or compile it for a common platform (PC), making necessary changes to account for hardware. Make your own hardware and start an identical company by simply removing the DRM keys and compiling to your interface."

    Well, theoretically those means would work. But they impose burdens beyond what you have to do to get effective source in other situations. GPL v2 requires, for example, source in "the preferred form for making changes"; this sort of thing is intended to keep the degree of obstructionism under control.

    Also of course I meant to say "sign binaries" not "sign source" in the last part.

  22. GPL v3 makes compliance verifiable on Linus on GPL3 In Forbes · · Score: 5, Informative

    Suppose a vendor creates a distro, Blue Hat. It's designed for platform P but P is made to require binaries signed by Blue Hat, it won't run anything else. Now Blue Hat releases a body of source code and claims to have complied with GPL v.2.

    Now has Blue Hat complied with GPL v.2? No one outside Blue Hat can know. The only way to verify that some source corresponds to the binary you're running is to compile it and run the result. If you can't do that without a key, and Blue Hat won't give you a suitable key, they could violate GPL with impunity.

    It doesn't require that BH give up their ultimate private key, just one sufficient to sign source. This is all that GPL 3 requires in regard to DRM and keys.

  23. Never mind drivers, just give me font support on Breaking Down Barriers to Linux Desktop Adoption · · Score: 1

    The font problem remains. The only thing Linux has to offer in the font department is anti-aliasing. That's fine for those who can stand the blurry look, but some of us need letters in focus. AA gives me a headache and prevents me from reading text for more than 5 minutes. It literally hurts my eyes.

    On Windows it's *easy*. Just turn off anti-aliasing with a little checkbox, and fonts are *perfect*. They're *beautiful*, perfectly sharp and clear, and letters are razor-sharp and highly readable at any resolution.

    Now try to get that on KDE. The checkbox has *no effect at all* and the developer claims it's not a bug.

    Supposedly you can get the Windows non-AA look on Linux by (a) install Truetype fonts (b) compile X with certain options (c) make the GUI use the new version instead of the old one.

    Well, I spent a whole Saturday trying to get all that working and could not make it happen. And I'm more computer literate than most users.

    Not everyone whines about merely esthetic details like the "jagged edges" on curves. Some of us want readability instead. What do I say to someone who's interested in Linux but can't stand the "fuzzy letters"?

    So the devs go on building shiny icons, sidebars and other useless junk but won't work on the fundamentals. Well, I appreciate their work, but don't have time to do it myself. I would pay for a solution if I could. I really want to get free from Windows, but readable fonts are pretty basic.

  24. Re:Bad analogy for this argument on Why The Net Should Stay Neutral · · Score: 1

    "What is being proposed is more like building two roads into every town and up to every house, one smooth and well-maintained tarmac and the other a dirt track, and then letting Tesco and Waitrose bid for the right to use the good road."

    The analogy is incomplete. It's letting Tesco and Waitrose bid for, not just the right to use the good road, but a guarantee of a certain speed on the good road, even if it means pushing other traffic off onto the bad road.

    In other words, the problem is that with limited bandwidth, prioritizing favored traffic means impairing the rest. It's just another expression for the same thing. The telcos promise they won't "prevent" access to any site or service, but they are euphemistically proposing to reduce it to a worse level of access.

  25. Re:Typical (Submarine patents) on Newest Patent Threat to MPEG-4 · · Score: 1

    At the risk of being obvious, there's a simple solution. I mean a possible simple solution - well, possible in principle. Whether it could be enacted politically is another question.

    Imagine a reform of patent law saying, in essence: if you don't go after violations as soon as you are aware of them, or should be aware of them with due diligence - you lose the right to do so (at least in regard to the particular infringer). They could still "submarine" until it's granted, but not years later.