No, you missed the point of my post. I'm not talking about the algorithm, I'm talking about the private keys.
Daniel
You fool! As is well known to anyone who follows Microsoft security bulletins (and who knows more about security than Microsoft) you need to use octuple-ROT-13 at least to guarantee good security!
Daniel
One of his statements begs a question. Diffie says: "A secret that cannot be readily changed should be regarded as a vulnerability."
Yet asymmetric crypto (which I believe was publicised by Diffie and Hellman first) relies on one secret (the private key) being kept very, very securely. Not only that, but if asymmetric crypto is to be any use, the secret should be kept for a fairly long time, as long as a signature needs to be valid. If you're going to use asymmetric crypto for legal purposes, to sign stuff, for instance, then the secret cannot be easily changed (unless there's some sort of central repository of keys that actually authenticates you properly when you ask to change your key, but even that is a bit dodgy).
Is it just me or does Diffie's statement, in a generalised form, kind of nullify the usefulness of asymmetric crypto? Or maybe I've missed the point...
Daniel
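An added illustration of the trade-off the post above raises (example code, not the poster's): a long-lived root key certifies short-lived signing keys, each with a validity window, so the key that actually signs documents can be changed or revoked while earlier signatures stay verifiable through the chain. The certificate layout, the revocation map and the 2003 timeline are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert binds a short-lived signing key to a validity window, signed by the long-lived root key.
type Cert struct {
	SigningPub ed25519.PublicKey
	NotBefore  time.Time
	NotAfter   time.Time
	RootSig    []byte
}

// SignedDoc: document, claimed signing time, signature by the short-lived key, and its cert.
type SignedDoc struct {
	Doc      []byte
	SignedAt time.Time
	Sig      []byte
	Cert     Cert
}

func u64(t time.Time) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], uint64(t.Unix()))
	return b[:]
}
// certBytes is what the root signs: key || notBefore || notAfter.
func certBytes(pub ed25519.PublicKey, nb, na time.Time) []byte {
	return append(append(append([]byte{}, pub...), u64(nb)...), u64(na)...)
}
// docBytes is what the signing key signs: signingTime || document.
func docBytes(doc []byte, at time.Time) []byte { return append(u64(at), doc...) }

// IssueCert is the "repository" step: the root certifies a fresh signing key for one window.
func IssueCert(rootPriv ed25519.PrivateKey, pub ed25519.PublicKey, nb, na time.Time) Cert {
	return Cert{pub, nb, na, ed25519.Sign(rootPriv, certBytes(pub, nb, na))}
}

func SignDoc(priv ed25519.PrivateKey, cert Cert, doc []byte, at time.Time) SignedDoc {
	return SignedDoc{doc, at, ed25519.Sign(priv, docBytes(doc, at)), cert}
}

// Verify walks root -> cert -> document. Keys in revoked (withdrawn early, e.g. after a compromise)
// fail even inside their window. Caveat: SignedAt is asserted by the signer; a real deployment
// backs it with a trusted timestamp so an old signature cannot be re-dated into a valid window.
func Verify(rootPub ed25519.PublicKey, revoked map[string]bool, sd SignedDoc) error {
	c := sd.Cert
	if !ed25519.Verify(rootPub, certBytes(c.SigningPub, c.NotBefore, c.NotAfter), c.RootSig) {
		return errors.New("certificate was not issued by the root key")
	}
	if revoked[string(c.SigningPub)] {
		return errors.New("signing key has been revoked")
	}
	if sd.SignedAt.Before(c.NotBefore) || sd.SignedAt.After(c.NotAfter) {
		return errors.New("document signed outside the key's validity window")
	}
	if !ed25519.Verify(c.SigningPub, docBytes(sd.Doc, sd.SignedAt), sd.Sig) {
		return errors.New("document signature does not verify")
	}
	return nil
}

// Demo rotates the signing key once on a constructed timeline and reports whether the
// pre-rotation signature still verifies, the new key verifies, and a revoked key is rejected.
func Demo() (oldStillValid, newValid, revokedRejected bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	jan := time.Date(2003, 1, 1, 0, 0, 0, 0, time.UTC)
	revoked := map[string]bool{}
	// Key 1 covers the first quarter; a contract is signed in February.
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	cert1 := IssueCert(rootPriv, pub1, jan, jan.AddDate(0, 3, 0))
	contract := SignDoc(priv1, cert1, []byte("contract (constructed sample)"), jan.AddDate(0, 1, 0))
	// Rotation: key 2 takes over for the second quarter; key 1's secret can now be destroyed.
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	cert2 := IssueCert(rootPriv, pub2, jan.AddDate(0, 3, 0), jan.AddDate(0, 6, 0))
	invoice := SignDoc(priv2, cert2, []byte("invoice (constructed sample)"), jan.AddDate(0, 4, 0))
	oldStillValid = Verify(rootPub, revoked, contract) == nil
	newValid = Verify(rootPub, revoked, invoice) == nil
	// Key 2 is compromised in May: revoke it and its signatures stop verifying.
	revoked[string(pub2)] = true
	revokedRejected = Verify(rootPub, revoked, invoice) != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("old sig valid after rotation:", a, "| new key valid:", b, "| revoked rejected:", c)
}
```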
Not everyone writes enterprise applications where performance doesn't matter that much. If you were programming games (well, at least back a few years ago) you'd have found that you had to do everything you have to do now, but better and all at the same time in real time. That's when you need the kind of person who can "kludge" it and somehow miraculously get it to work fast without everyone fully understanding how exactly he did that.
Not that this means that the particular guy you hired was any good.
Daniel
Well, I remember when I was reading a book about assembler they expressed it beautifully by saying that if school taught kids binary numbers instead of the decimal system, the entire mathematics syllabus could be taught in a couple of months with time to spare.
Binary maths makes many integer operations ridiculously simple, and while the fact that it's cheaper and more feasible to detect 2 states than 10 is true, there's also a certain simplicity that you can get to by coding everything with binary logic gates which wouldn't quite be there if you used some sort of decimal logic gates...
Basically, binary arithmetic is really simple so can be optimized really well and is much more universal, in the wider philosophical sense, than decimal arithmetic. Everything in the universe seems to revolve around a binary concept, rather than a decimal one... matter/antimatter, existence/non-existence, quantum spin states, etc.
Daniel
Seriously depends what you're doing. If you're writing the next enterprise application, sure, optimization tricks are not really your main concern... If you're writing a game engine, though...
I remember back when I was younger and had much more free time (*longing sigh*) I spent most of a term and a summer writing a 3D Wolfenstein-like engine, mostly under the careful instruction of a book: Tricks of the Game Programming Gurus. The book was great, and though it gave some optimizing ideas here and there the resulting engine was very slow (esp. compared to the Wolf3D engine, which was so perfectly smooth... and the engine I made didn't even do monsters and doors and items). So then I turned to another book I had, called "PC Interdit", which was written in French and oriented towards Pascal rather than C which I was using, but explained a number of optimization tricks which made all the difference (examples: page flipping in Mode X instead of double-buffering in mode 13h, basics of coding fast assembler functions to optimize C functions, etc). Before using that book's advice, my engine would run at something like 10 fps or so on my 486DX4 100 MHz in turbo mode, and 1 fps more or less without turbo mode... After the optimizations, it ran very smoothly in turbo mode and at least 5-6 fps in non-turbo.
So if you're programming a game engine, those books are really really useful. Or in fact if you're programming anything where squeezing every tiny bit of performance is critical. If you're programming a J2EE servlet engine, though, then for sure, it's a waste of your time.
Daniel
I'd much rather fondle linux software with my brain than the other way round, true enough.
Daniel
It will never get there. Computers are for one thing, TVs for another. The two can mix, sure, but they're better off both staying separate. Who needs a set-top box that crashes or a computer that slows down because it's recording today's episode of Friends?
Plus if you think they'll let you do this properly without screwing you up with DRM technologies, you're a dreamer (not that that's a bad thing, but in this case it's really unrealistic). I wouldn't be surprised if the TV networks got their way and ended up having DRM chips on TV receiver cards... Of course, they'd be cracked within the week :-D
Daniel
I agree 100%. Publishers who complain about the "sewage" coming in through the door and which they have to sift through would do well to remember that their entire livelihood, 100% of it, depends on that sewage not stopping.
Sure, the filtering is a useful service, but it is certainly nothing that is worth such a high price, and doesn't have to be the sole realm of editors. Anyone can read through mounds of drivel and pick up the gems and tell everyone about them. Sure, it takes good taste, but the people who are bad at it will get filtered out (by the public).
Editors are very worthwhile, but not at any price.
Also, I seriously doubt you can teach a Bayesian filter to see the difference between a great story and a piece of crap that covers the same concepts and ideas.
So my conclusion about Arnold Kling is...
Your article is crap.
Daniel
Yes, they should be (within reason). There's a difference between making people liable for damages and promoting a vigilante-type "citizens take the law into their own hands" spirit.
Yes, if you recklessly cause loss of business, you should be liable for it.
Daniel
What happened? The end of your illusions about democracy in the US of A, nothing more.
What's disturbing to me is the way a decision made by a US court about a bill passed by a US congress affects me directly even though I don't live anywhere near the US. That's not fair.
Daniel
Thanks for the information.
Daniel
I'm not an expert in ham radio or this, but I'm curious: is there any possibility, in the medium to long term, of replacing most of the internet infrastructure with an amateur-operated wireless net, free of corporate or governmental intrusion? i.e. does this technology go in this direction?
Daniel
The only problem with this strikeback thing is what if the machine which is infected is business-critical?
If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?
There are just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"
I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...
Daniel
I think the basic misconception is thinking that hydrogen is a source of energy. If we were scooping it out of space or from the surface of Jupiter, yes, it would be a source of energy. But as we have to get it out of whatever it's bound into, at the moment for us hydrogen is only a storage for energy, and will remain so until we find a way to directly produce large quantities of it without going through another form of energy.
Even just as a form of energy, hydrogen is pretty damn good - more efficient per mass than any other fuel, so it could be used just for that property. But that won't solve global warming and such. It could help with the smog problems and air pollution in large cities, but that's about it.
Daniel
And more importantly, where are the hydrogen-distributing power stations? And even more importantly, where's the cheap and plentiful hydrogen production mechanism?
Hydrogen hybrid cars are all well and nice, but they don't get us anywhere. At the moment the only ways to produce hydrogen are expensive and inefficient, and end up costing more "regular" energy (usually provided by fossil fuels or nuclear power) to produce. Electrolysis is good to play with in the physics labs at school, but when it comes to producing very large quantities of hydrogen for mass consumption it's worth practically zero.
I read a while ago in New Scientist that some group in Japan was trying to use a solar-pumped laser in a satellite to convert large quantities of salt water (in a big tank on an island) with an added catalyst, into hydrogen. That's the sort of news which is worth noting when it comes to cleaner fuels. Once hydrogen is available in every gas station, oil will die off naturally. Until hydrogen can be produced cheaply and in very large quantities, there's not going to be hydrogen in gas stations, and all these hybrid efforts are just lip service to make Sunday Ecologists feel better about themselves, so presenting this sort of news as a notable event in the move towards cleaner fuels is like saying "Microsoft issues a new patch for IIS, saves the internet from script kiddies".
Daniel
Hmm... looks mostly like finger-pointing to me. Not really very useful. Most of the time if I leave these sorts of vulnerabilities in my web apps it's because I don't have the time to code them properly, not because I'm not aware of them. Like now, I'm writing shitty ASP code because I have to get it out ASAP. Even there I'm making a token attempt at checking parameters, but what I'm doing is just a small part of a site programmed by an amateur. I don't have time to fix their entire site, and even if they are aware that these are potential flaws in their web site they don't have time to do this either.
In an ideal world, we'd all have time to write perfect apps, but in that ideal world there probably wouldn't be script kiddies either.
Daniel
Yeah, and when you look at your server and you see someone's added "shout outz" at the top you're really likely to just leave it at that, right? And if they don't disable your website but just kill your bandwidth attempting to DoS other sites?
Skiddies are a really big nuisance simply because of the time everyone has to spend either defending against them or cleaning up after them. Case in point, recently one of our servers got hacked into and the skiddie installed some stupid script called "evilbot.exe" and left it running in the task manager. Now that server doesn't hold any sensitive information (apart from, maybe, the emails of our members...). However, the skiddie used our nice 10 Mbit connection to go and DoS ppl. We noticed the server was cracked because we had connectivity problems when he sent out those packets at max bw, and he VNC'ed in through the same display as us so we knew when he was in and when he wasn't. We still haven't figured out how he got in exactly (though it was likely due to some undocumented vulnerability in IIS. The server is fully patched up but IIS was not meant to be running on this db server...).
This "cracker" was obviously an idiot. He made no attempt whatsoever at hiding his trail, and we detected that the machine had been compromised, and fixed it, within about 60 hours of him getting in. Now during most of that time, our database was up and down like a yoyo while we figured out what was happening, and as the server is hosted remotely in a data centre we couldn't just yank it offline, clean it up and put it back online, we had to do everything through VNC (how I hate Windows...). The result is that during this day and a half we were losing money every time the database was down and we wasted a lot of time dealing with this when we have plenty of other stuff on our plates.
Should this kid be prosecuted and put in prison? No, probably not. Should he be fined some fee commensurate with the loss of business we incurred through his actions? YES. Sure, there should be a limit to the amount, so that we don't indebt him for the rest of his life, but I'm sure there'd be a lot fewer script kiddies about if every time they cracked into a server they (or their parents) got fined a few thousand dollars. There's a very good rationale behind that: they're breaking into our property, they're unauthorized and they cause us to waste time and money. I can't see any way you can argue that this should be legal, and if it's illegal, why shouldn't infractions be punished commensurately?
Daniel
PHP is a scripting language. It's a lot easier to churn out code in that (that's the whole advantage). A "proper" programming language will normally take a bit more time, but result in code that is:
1) more powerful
2) faster
3) more maintainable
Especially when you know what you're doing, scripting languages are very fast to program in - that's the whole point.
Daniel
Well, if they're trying to win friends at Microsoft and influence Linux people to dislike them violently, that would be a good method :-P
Daniel
I never said choice is bad, but if you're starting a project or thinking of switching the platform of a project, as an IT project manager, you're not going to go for a different OS just because you "like it better". Doesn't look good enough on the project proposal. Thanks for your reply though (and the other two people who have replied).
Daniel
I read through their strategy and I couldn't find any hint of why people should actually use OS/2 over any other solutions. Java, XML and the internet protocols are very well supported in Linux and *BSD, so why would anyone switch to OS/2 rather than one of those systems, if they decide to switch to something, or why would they choose OS/2 rather than something else if they're starting a new project?
Unless they answer these questions, it's all hot wind.
Daniel
Well, you just know it won't take long for Palladium to be used for DRM purposes, so I keep my hopes that it won't take too long for people to find ways around these Palladium chips. I'm thinking of people like demo-makers and such, who know how to push hardware beyond its limits. After all, if you can get a DOS screen to display 32-bit colour gradient bars, you can probably also get a Palladium chip to authorize an OS that it shouldn't... And if those people fail on the software side, there's always the mod chip makers in Asia :-)
In any case, I hope I won't be the only one who will refuse to buy a computer with a Palladium BIOS.
Daniel
Nopers, it was "Goliath - The Platinum Edition", live from the MaD in Lausanne, Switzerland, on Dec 31st :-)
There's a picture of the screens here, at the bottom in the middle.
Daniel
I'm always amazed at the skill displayed in all those demos. I used to try my hand at some assembler programming back in the day, but boy, those people have genius. Recently I even went to a small rave and they had lots of big plasma screens in the club with what was clearly demo stuff running... it was really, really cool :-).
I wonder how they do it now, anyone know? Do they still run DOS to have access to all the intricacies of the hardware?
Respects to them, in any case.
Daniel