Slashdot Mirror


User: kevinank

kevinank's activity in the archive.

Stories: 0
Comments: 285

Comments · 285

  1. Re:as soon as this evening... on Trojan Found in libpcap and tcpdump · · Score: 5, Informative
    Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme. If you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source?

    To be useful the MD5 file should be signed, and the GPG key that signed it should be one that you know and trust. Even that may not be enough if the key owner can be tricked into revealing his private key, or the trojan horse can be introduced into the code on the code owner's development machine, but it does add one layer of depth to your security.

    The first time I had a server hacked (mountd exploit, xmas '99) the machine details were sold on IRC, probably in exchange for credit card numbers, to a somewhat clueless Singapore exchange student who proceeded to delete all of my syslog files so that when I logged in remotely the root mailbox was full of complaints about missing logfiles. The rooted system was up for about a week, during which time it probed several thousand IPs for basic exploits, hosted an IRC channel through eggdrop (together with names of the hacker's friends and passwords), all on a machine with no rootkit installed and very little attempt to hide activity.

    Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time. But with a smart hacker and a good root kit, I think even with my paranoia that I could miss a hacker on my machine for a long time, so I suspect it is only a matter of time before some well known developer gets hacked and has signed sources distributed with a trojan horse inside.

  2. Re:Which tubes are these?? on THG Looks at ClawHammer Mobo · · Score: 3, Interesting
    When I saw the first picture of the motherboard with vacuum tubes I was a bit surprised; hey, those look like vacuum tubes. At first I thought the entire article might be a joke, but after reading the article for a bit it certainly seems serious enough.

    I suppose they are playing to the home theater market, but I couldn't give a damn personally whether they are using double triodes or anything else. The Altec Lansing speakers I have hooked to my computer are sufficient for basic sound, but they aren't going to come close to filling a room like a real stereo system would. Besides, since when do you need a full amp instead of just a preamp in your computer.

  3. Re:The Important Question on LOTR Director's Cut Reviewed · · Score: 3, Informative
    You don't mention what the problem was that you found in the iso9660 filesystem, but I've used Xine to correctly play through the entire Wide Screen Edition of FotR, so the problem doesn't extend throughout the entire release.

    On the off chance that you are referring to the sticker on the outside of the box that says something like 'Theft Prevention Device Inside', then that refers not to the DVD, but to an electronic theft prevention device that keeps you from walking out the door of the shop with the DVD in your pants. (I was confused by this once myself when unable to get a DVD to play properly on Linux, but I later found that it worked fine on another computer -- the DVDs are multilayer DVDs and some poorly adjusted players won't read the second layer correctly.)

  4. Re:Basic Misunderstanding on What Would You Do With a New Form of Encryption? · · Score: 2
    Ah, you embarrass me. I'm only a software architect, not a crypto researcher, so to me all crypto functions are black boxes. One particular area of recent interest (IMHO) was some work that was presented here at the research labs under NDA to solve the problems of key invalidation on fixed media. Tricky, nearly intractable problem that, and from what I understand there are some similar techniques being used to protect X-Box titles.

    For delegated chains of authority I like SPKI, since unlike PKI it can be used to confer transitive trust without requiring a common root authority, but admittedly there are a lot of holes in that argument, not the least being usability. Indeed from my perspective usability problems are pervasive in crypto; until computers treat identity more the way that humans do, there will always be some question as to whether the human signed the disputed contract, or the software did.

  5. Basic Misunderstanding on What Would You Do With a New Form of Encryption? · · Score: 4, Interesting
    I'm afraid you've fallen into a very common trap. You imagine that because a One Time Pad is unbreakable, that it is also 'the best' encryption imaginable. It isn't.

    Encryption is the ability to spread a limited source of entropy over a broad amount of data. The One Time Pad simply recognizes that if you have equal amounts of entropy and data then you don't need a very good mixing algorithm; just XOR the data with the pad and voila, the data becomes unreadable.

    The challenge of good algorithms is to limit the amount of entropy needed to generate unreadable text to as small a size as possible. Typical algorithms in use today will, by changing a single bit in the key, ultimately flip about 50% of the encrypted output. Half of the bits is optimum. Fewer and your entropy isn't getting mixed in very well. More and your bit is just inverting the data.

    If you really want to contribute to the world of cryptography, don't bother with encryption algorithms. The ones we have are quite good. Honestly. Instead you should try to figure out a new use for the basic operations in cryptography. We know how to protect content, add signatures, authenticate content, and do non-repudiation. We can encrypt for a small number of readers each with his own key, or for broadcast, we can build webs of trust, and hierarchies. Come up with a new use that makes as much business sense as digital signatures and you'll have something worth patenting.
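
An added example, not part of kevinank's comment or of the original page, illustrating the point in comment 5 above about spreading a limited amount of entropy over a lot of data. It measures how many ciphertext bits change when one key bit is flipped, for three cases: a one-time pad, a short key tiled over the message with no mixing at all, and a keystream built from SHA-256 blocks, which is an assumption standing in for a real cipher's mixing (the SHA-256 construction is chosen so the example needs only the Python standard library). The plaintext, the 16-byte key and the fixed pad are all constructed for the demo.

```python
"""Added example: how far does one key bit spread through the output?"""
import hashlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """One-time pad: the pad must be at least as long as the message and never reused."""
    if len(pad) < len(msg):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(pad[: len(msg)], msg)


def repeating_xor_encrypt(key: bytes, msg: bytes) -> bytes:
    """A short key tiled across the message with no mixing at all (insecure; the 'bad' case)."""
    return bytes(m ^ key[i % len(key)] for i, m in enumerate(msg))


def keystream_encrypt(key: bytes, msg: bytes) -> bytes:
    """Stream cipher from SHA-256(key || counter) blocks; stands in for a real cipher's mixing."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(msg):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return xor_bytes(bytes(stream[: len(msg)]), msg)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which a and b differ."""
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def avalanche(encrypt, key: bytes, msg: bytes, bit_index: int = 0) -> float:
    """Encrypt under key and under key-with-one-bit-flipped; report the output bit difference."""
    return hamming_fraction(encrypt(key, msg), encrypt(flip_bit(key, bit_index), msg))


def pad_reuse_leaks(pad: bytes, m1: bytes, m2: bytes) -> bool:
    """Why 'one-time' matters: with a reused pad, c1 XOR c2 equals m1 XOR m2 and the pad drops out."""
    c1, c2 = otp_encrypt(pad, m1), otp_encrypt(pad, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


# Constructed inputs: a 512-byte plaintext, a 16-byte short key and a 512-byte pad.
# A real pad would come from os.urandom(); this one is fixed so the run is reproducible.
MESSAGE = bytes(range(256)) * 2
SHORT_KEY = b"sixteen byte key"
PAD = bytes((i * 37 + 11) & 0xFF for i in range(512))


if __name__ == "__main__":
    print("one-time pad:     ", avalanche(otp_encrypt, PAD, MESSAGE))                 # 1 of 4096 bits
    print("repeating XOR:    ", avalanche(repeating_xor_encrypt, SHORT_KEY, MESSAGE))  # 32 of 4096 bits
    print("SHA-256 keystream:", avalanche(keystream_encrypt, SHORT_KEY, MESSAGE))      # about 0.5
    print("reused pad leaks: ", pad_reuse_leaks(PAD, MESSAGE, MESSAGE[::-1]))          # True
```

Flipping one pad bit moves exactly one ciphertext bit, which is fine because the pad carries as much entropy as the message; flipping one bit of the tiled key moves exactly the 32 bytes that bit is XORed into and nothing else, so the key's entropy is barely mixed in; the hashed keystream lands near the 50% the comment calls optimum. The last function shows the other half of the one-time pad bargain: reuse the pad and the XOR of two ciphertexts is the XOR of the two plaintexts.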

  6. Re:film comparison on Digital Camera Quality Passing Film? · · Score: 2
    Very interesting comparisons. I think you are giving a bit too much leeway to the digital images though; for example you place the 17Mpx image as better than 35mm Velvia, but the color still looks worse in that image than it does in the 35mm in my humble opinion. In part it may be the artifacting created by JPG compression in the digital cameras but the color doesn't look 'right' to me until at least 48Mpx.

    But thanks for the comparison anyway. Regardless of where one personally draws the line, the information is quite good.

  7. Re:More than a mouthful on 3D LCD Display · · Score: 5, Funny
    It does bring a whole new meaning to 'pop up ads', doesn't it.

  8. Re:Lousy title on AOL's new Linux PC · · Score: 2
    The article's title says AOL PC, but it's just a bundling of AOL's linux software on a lindows box.

    Reread the tail end of the article. The writer spends a bit of time describing his experience with the early access release of AOL7.0 for Lindows. Pretty broken right now, but he believes that it will rapidly improve. (Hmm. If you have to have network access to download software through Click-N-Run, and AOL7.0 for Lindows is on Click-N-Run, then that is a bit of a catch 22 to using AOL for new owners of these machines.)

  9. Re:Say It! on FSF Issues GNU/Linux Name FAQ · · Score: 4, Interesting
    The benefits of the FSF agenda, on the other hand, are not so clear. Wasting time on trivial things like renaming Linux ensures that they remain that way.

    While I continue to use Linux in preference over GNU/Linux, I don't agree that the FSF agenda is in any way either irrational or trivial. Linux is a stepping stone for learning about the free software ideology. While an ideology of free sharing to form a commonwealth is beyond what many are willing to contemplate, I am always quite happy to explain those ideals to someone who asks me: 'Hey, I just heard that some guy named Stallman wants everyone to change the name of Linux to GNU/Linux.'

    The effort to rename Linux is valuable in itself. It doesn't ever need to succeed because its value is in education of those who hear of the naming conflict. We still need Linux as the stepping stone, so GNU/Linux can't really replace Linux in the public mind; and once it has then the GNU prefix will no longer be needed anyway.

    Building a software commons from nothing is an incredible achievement for the FSF to have completed. I'm sorry you don't value that achievement enough to donate to them, but hopefully there will always be enough people who do take the time to understand and value their contribution.

  10. Re:Tautology Re:Pen and paper? on Unauditable Voting Machines · · Score: 2
    But writing numbers is something everyone does all the time. Punching holes in paper, on the other hand, they find unreasonably difficult.

    Perhaps we do it all the time, but we also misread numbers all the time. The most common confusion is between a handwritten 1, 7, or 9. Sometimes 4 and 9 (depending on handwriting), with all other digits being confused about equally, which is why your bank prefers it if you write out numbers two different ways.

  11. Re:What are these people's problems? on Piers Anthony Unbound · · Score: 2
    I don't mean to flame you what with the DM sig and all, but that doesn't make any sense. Sure I get what you're saying but abstinence is ALWAYS more effective than anything else. It's not abstinence if you don't abstain.

    If we were to extend that argument, then you'd have to admit that abstinence also isn't sex, so it certainly can't be safe sex. Safe non-sex perhaps, but not safe sex.

  12. Re:Water-powered catapult to 15k feet?!?! on Brian Walker (aka Rocket Guy) Fires Back · · Score: 2
    A catapult has no energy input once the projectile has left it. So if he wants to get to 15k feet, the projectile will need to leave the launcher at approximately 300m/s, ie. over 1000 km/h (from Newton, v^2 = 2*a*s, where s is 15,000 * 0.3 to give distance in m, and a is 9.8m for 1G).

    You'd probably have to at least triple that figure to compensate for wind drag if we were talking pure ballistics. In this case I think the dude was talking about a catapult launched self-propelled water rocket though, where the water was presumably being ejected from the back end at enough pressure to generate upward thrust. The post didn't mention what would be used to generate the pressure, just the propellant.

  13. Re:Begging as a business model on Are You A Friend of Gnome? · · Score: 3, Insightful
    Ya know, I just don't see begging being a viable business model.

    Presumably the Gnome Foundation isn't a business but a non-profit. Most non-profits exist on either membership fees, volunteer labor, grants, or donations. The real question isn't whether the model works, it is whether there is any significant interest in philanthropy among open source advocates.

    Personally I'll probably be donating at about the same level I donate to KQED. Less than I give to the EFF or the ACLU, but more than I give to the Sierra Club or my mayor's reelection campaign.

  14. Re:Wrong! Think again on Alternative-Fuel Vehicle Recommendations? · · Score: 1
    Oh, the US has been in the thrall of big business for the last twenty or thirty years. The Kyoto fiasco is just an anomaly of GW's pseudo-election and his being about ten times as compromised by business as Clinton was. These things go in cycles; after four years I'll hope for a strong enough backlash to elect someone I like into office.

    The Dems are crazy if they don't realize that where they lost the election wasn't so much in FL as it was in NH. The real problem is that they've sold out and until someone with some balls steps forward to put a word in for the people who hate this corporatization of democracy, they will keep on losing. I don't mind GW so much; at least when he sells his soul he is whoring in a long tradition. When Gore does the same thing it makes me sick that we are left with only the choice between two equally compromised sides.

  15. Re:Wrong! Think again on Alternative-Fuel Vehicle Recommendations? · · Score: 2
    If managing the ecosystem is as easy as you proclaim, then why isn't it being done successfully already?

    It has and is being done successfully. The majority of countries with problems are extremely poor and have built without consideration of social and environmental impact, just as these same countries destroy rain forest with as little consideration of the same issues. Read some of the texts you cite and you will see that many of the environmentalists call not for an end to dam construction, but for a moratorium until these countries resolve these issues.

    In that respect I agree with the environmentalists. A good coal powered plant with adequate scrubbing facilities is better than a poorly run dam, probably in all respects.

  16. Re:Hydro green-house gas emissions on Alternative-Fuel Vehicle Recommendations? · · Score: 2
    Actually, hydro can be even worse than you suggest. If the reservoir behind the dam is shallow, the methane gas emissions from rotting vegetation can be quite staggering. The greenhouse gas emissions can be higher per megawatt than from a coal-fired power station.

    At best this is highly misleading information. It is easily mitigated in a number of different ways by clearing the vegetation before flooding, by introducing nitrate eating bacteria and building an effective ecosystem in the dammed area, or even just by waiting a couple of years. It can also be solved legislatively by establishing requirements for area per depth for the construction of dams. It isn't like people want to go out and create dozens of useless shallow dams; energy generated by the dam is proportional to the depth of the dam since that determines the potential energy that is captured in the backed up water; if you only have a shallow region which could possibly be dammed you might be just as well off building a mill race and capturing kinetic rather than potential energy.

  17. Re:motorcycle or tiny diesel on Alternative-Fuel Vehicle Recommendations? · · Score: 2
    Finally, being in San Fran. with only ~50 mile round trips, what prevents you from using mass transit?

    The state of the mass transit system is what prevents most people from using it here in the bay area. Fifty miles is about the distance from Hayward to Palo Alto. Using mass transit you'd have to start on AC Transit or BART, then switch to VTA to cross the bay. Minimum time required is about an hour and a half each way if you catch the Express busses and if the express bus goes straight to your office. Add another 20 minutes if you have to switch bus lines again.

    Back a few years ago when the dotcom commuters were crowding all of the bridges the time was only about ten minutes more than driving (although the schedule for express busses is very inconvenient), but after all of the layoffs the difference is more like 40 minutes each way which is more than an hour that I wouldn't get to spend with my kid in the evening.

    Personally I do count hydro as clean; or at least it is as clean as solar array collection. Habitats get changed by anything you build; houses, farms, even solar fields. And since the hydro cycle is driven entirely by the sun on regions of water that would be exposed to sun anyway, hydro is one of the most compact, least intrusive forms of solar collection I can imagine. That said, I think hydro would have a much better reputation if there were more mitigation done to reverse some of its side effects such as the impact it can have on salmon migration.

  18. Re:It's Odd on BitchX 1.0c19 IRC Client Backdoored · · Score: 1
    Technically that is what a digital signature consists of. First you generate a secure hash, then you encrypt the secure hash with your private key. If someone else can then decrypt the hash with your public key, and the hash matches the data then the file hasn't been tampered with.
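
An added example, not code from the comments or from any of the projects discussed, covering the mechanism in comment 18 above (hash the file, then apply the private key to the hash) and the question in comment 1 about MD5 files on a server the attacker already owns. The key pair is textbook RSA on two publicly known Mersenne primes with no padding, an assumption made so the example needs only the Python standard library; it is deliberately insecure and only shows the mechanics. The release, its MD5SUMS file and the trojaned replacement are constructed data.

```python
"""Added example: an unsigned MD5SUMS file versus a signed one on a compromised server."""
import hashlib

# Insecure demo key pair: the primes are well-known Mersenne primes, so the private
# exponent is recoverable by anyone. Chosen only to keep the example standard-library-only.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
PUBLIC_N = _P * _Q
PUBLIC_E = 65537
PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))  # modular inverse; Python 3.8+


def sign(data: bytes, d: int = PRIVATE_D, n: int = PUBLIC_N) -> int:
    """Hash-then-sign: the private exponent is applied to the SHA-256 digest, not to the data."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < n
    return pow(digest, d, n)


def verify(data: bytes, signature: int, e: int = PUBLIC_E, n: int = PUBLIC_N) -> bool:
    """Apply the public exponent to recover the digest, then compare against a fresh hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == digest


def make_sums(files: dict) -> bytes:
    """Build an MD5SUMS-style file: one '<md5 hex>  <filename>' line per artefact."""
    lines = [f"{hashlib.md5(content).hexdigest()}  {name}\n" for name, content in sorted(files.items())]
    return "".join(lines).encode()


def sums_match(files: dict, sums_file: bytes) -> bool:
    """The naive check: recompute each MD5 and compare with the MD5SUMS file as served."""
    expected = {}
    for line in sums_file.decode().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    return all(hashlib.md5(content).hexdigest() == expected.get(name) for name, content in files.items())


def verify_release(files: dict, sums_file: bytes, sums_sig: int) -> bool:
    """The check worth doing: MD5SUMS must verify under the trusted key, then the files must match it."""
    return verify(sums_file, sums_sig) and sums_match(files, sums_file)


# Constructed release: one 'tarball' plus the MD5SUMS file the maintainer signs
# on a machine that is not the ftp server.
GENUINE = {"example-src.tar.gz": b"genuine source tarball contents\n"}
SUMS = make_sums(GENUINE)
SUMS_SIG = sign(SUMS)

# The scenario from comment 1: the attacker owns the server, swaps the tarball
# and rewrites MD5SUMS to match the trojaned copy.
TROJANED = {"example-src.tar.gz": b"genuine source tarball contents\n/* added by attacker */\n"}
TROJANED_SUMS = make_sums(TROJANED)


def unsigned_check_is_fooled() -> bool:
    """An MD5SUMS file regenerated by the attacker passes the naive check."""
    return sums_match(TROJANED, TROJANED_SUMS)


def signed_check_catches_it() -> bool:
    """The regenerated MD5SUMS does not verify under the maintainer's public key."""
    return verify_release(GENUINE, SUMS, SUMS_SIG) and not verify_release(TROJANED, TROJANED_SUMS, SUMS_SIG)


def stolen_key_defeats_it() -> bool:
    """The caveat in comment 1: with the private key in hand, the attacker simply re-signs."""
    return verify_release(TROJANED, TROJANED_SUMS, sign(TROJANED_SUMS))


if __name__ == "__main__":
    print("unsigned check fooled:", unsigned_check_is_fooled())     # True
    print("signed check catches it:", signed_check_catches_it())    # True
    print("stolen key defeats it:", stolen_key_defeats_it())        # True
```

The asymmetry is the whole point: the attacker who rewrote MD5SUMS can run make_sums but not sign, because sign needs PRIVATE_D and that never touched the server, while verify needs only PUBLIC_E and PUBLIC_N, which the downloader should have obtained from somewhere other than the compromised server. The last function is the comment's own caveat: a leaked private key, or a trojan inserted before the maintainer signs, is not caught by any of this. A real deployment would use gpg with a properly padded signature scheme rather than this raw RSA.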

  19. Re:GCC 2.x and 3.x compiler on Pet Bugs? · · Score: 2, Interesting
    Recheck your prototypes or compile with gcc -Wall. Either that or if you are working in C++ then one of the other args may be going out of scope before you expect it to... like you've written custom constructors and destructors, but blew it on the copy constructor.

    Printf making it work is irrelevant. That just means that something that is referencing garbage happens to be seeing some data that has the value you want it to use. Not surprising since you've been playing with it on the stack. If all else fails you can use electricfence to track down the violation.

  20. Re:Why was it kept hush hush? on OpenSSH Vulnerability Disclosed, Version 3.4 Released · · Score: 2
    And now we find out that we were never vulnerable. I think there will be a movement to put a price on Theo's head.

    Before getting too upset with Theo, you should at least consider that security is Theo's life blood. The way he sees it, the primary bug in earlier versions of OpenSSH was the security architecture; by fixing that bug Debian is far ahead of the crowd since you will be impervious to a whole class of programming errors, of which this particular error is only a specific example.

    He certainly didn't believe he was giving bad advice, and the fact that this whole thing has backfired on him will probably be setback enough. I'd certainly hate to see him burned so badly that he decides to drop out, just educated that even rational, well educated people don't always come to the same conclusions given the same data, and that he must let others come to their conclusions on their own.

    For what it is worth I do admire the work the Debian team has done to get the new release integrated. I think it speaks volumes that the open team is also the only Linux distribution to have integrated the new features before the patch was released.

  21. Re:Why was it kept hush hush? on OpenSSH Vulnerability Disclosed, Version 3.4 Released · · Score: 5, Informative
    The rationale for not exposing the exploit was that if the exploit became known then immediately there would be many thousands of machines that could be exploited. That would be bad, so the question became 'is there some way to disable the problem code without fixing the bug', then a bug fix can be delivered after without anyone getting hacked.

    There were basically two ways to fix your configuration. One was simple, and actually the default on most systems. The other is a pain in the ass, but Theo likes the second method because it is aesthetically more pure; a better implementation of a security conscious application.

    The distributions (who couldn't get any information about the nature of the bug, just the suggestion that they fix the pain in the ass way of using sshd) correctly figured that they were being railroaded and balked.

    For what it is worth, privilege separation is a better architecture for a security conscious program, but setting up a chroot jail and adding new users, along with the brokenness of several ports of the new privsep code especially in the area of pluggable authentication modules (ie: RedHat) means that although I now have 3.4p1 installed on my boxen, I also have privsep turned off. Less pure, but I'm a pragmatist, not an idealist.

  22. Re:No less stringent than the GPL on The Wayback Machine, Friend or Foe? · · Score: 2
    If you are writing from Europe then you are correct. Under United States copyright law you would be mistaken however. Once a copy of a copyrighted work has been handed out it no longer is under your control. The only rights you maintain over that copy are the ones spelled out in the copyright act which are roughly: the right to publish, the right to publicly perform, and the right to create derivative works. Any other uses, such as the use of reading the work, the use of selling it to another party, or the use of storing it for posterity are not exclusive rights granted to the copyright holder.

    You might be arguing that there was no alienation. That is, that even though you gave a copy to me, you didn't really give it to me, but only loaned it to me for a while or something like that. Whether that position would be held factual would be for a court to decide.

    In any case what you are asking for is simply and plainly contrary to the technological nature of the Web. Cache controls given by the web page designer are advisory, not mandatory. There is no technical means on the Web for doing what you ask. A smart attorney might use that to show that you gave implied consent to have the data copied and cached (even if there was no alienation) by placing the data on a medium where that copying and caching is implicitly a part of the technological means of communication.

    I imagine we will be seeing more case law in the next couple of years on this topic, and the results will probably surprise both of us.

  23. Re:No less stringent than the GPL on The Wayback Machine, Friend or Foe? · · Score: 2
    If I copyright my content, other people are not allowed to distribute it without my consent. There is no way around this. I don't have to add extra disclaimers, just a copyright notice. How can there be any argument about this?

    Assuming that you were the copyright owner of the original web page, then when you made a copy for the original download to the people running archive.org you were within your rights. Since you gave the copy you made to them, the data is now theirs to dispose of as they please (this is a reasonably straightforward mapping of Copyright law into the digital domain.)

    Within the limits of copyright law, you can make your single (or multiple) originals available to other people without the Copyright owner's consent, assuming we can apply the first sale doctrine to alienation of the data by transfer over public networks.

    Likewise you can do anything else with the original legal copy you have that is permitted under copyright law, such as make fair use of the original. Fair use might be stretched to include the use that archive.org is making of the documents, or it might not, but it has yet to be tested. The only reason you can't say for sure that it isn't a fair use is that fair use isn't a specified set of uses, but any use that the courts consider fair. There are guidelines that have been created for judging fair use, but so far I don't know of any case law establishing archive.org's use as fair or not fair.

    My point was that if you really want them to lock away their database to a location where only they can use their originals then you can probably force them to do so in court. I'm merely of the opinion that the world will be poorer for the loss of readily available information.

  24. Re:Erm on The Wayback Machine, Friend or Foe? · · Score: 5, Insightful
    The goal of the person who started archive.org was to record the history of the world wide web. The assumption was that whatever anyone thinks about the archive, there will never be another chance to go back and get that data once it is lost.

    The copies that they have archived in their databases are individual copies served from the original web requests, so they have the right to keep them. They became their copy when they were originally downloaded. Whether they have the right to make new copies and redistribute them depends on how you think fair use applies to that content.

    Ultimately if a lot of people start suing them they will probably shut down the archive to public access and only allow researchers to view their original copies on site. And if you'd prefer that, well, you'll end up with the world you deserve.

  25. Re:We Don't Know What To Do on The Music Biz Is the New Book Industry · · Score: 2
    Your post brings many thoughts to mind.

    Does free software have a positive work cycle; can it sustain itself, or must it be supported socially in order to continue evolving. It isn't clear that there is any business model for free software which covers the bare costs of development of free software, thus the majority of the costs must be borne by the developers.

    How do the developers support themselves? If we were to conclude that social support becomes a necessity for the work cycle to continue then free software would be very much like the system I outlined for social support of music.

    Is free software really a solution to the excesses of proprietary software, or is it just the alternative that shows by contrast what those excesses have become? Surely a solution would solve the problem. If by social support of the music industry you become free to copy and share music with your friends, isn't that really a solution to a problem. Free software can't be a solution to a problem if it leaves the old problem intact.

    In lieu of a real solution I do agree with you though that Free Software is better than the alternative. Cost issues aside, I like the fact that I can just install the RH7 disk I have sitting in my car into any machine that happens to be on my desk without considering how many licenses I've purchased or whether that key was for my home machine(s) or whatever. It is freedom, and like you I believe that the cost isn't nearly as important as the liberty aspects. But I'm also painfully aware that what I pay in real dollars barely supports the costs of integrating open source software already written into an easy to use distribution. I've wondered if Redhat shouldn't structure itself more like NPR...