So, here's the scenario for going to whitehouse.gov, assuming full deployment of DNSSEC:
1. Ask root for whitehouse.gov
2. Receive IP of nameserver for .gov [check its signature]. Root may opt to give you the public key of .gov; otherwise ask for it and check its signature.
3. Ask .gov for whitehouse.gov
4. Receive IP of whitehouse.gov [check sig]. Also, .gov may opt to give you the public key of whitehouse.gov.
What would be the benefit of introducing a new model of networking?
Here are some potential questions:
How will virtual machines on different physical hosts communicate?
How will virtual machines on a single physical host communicate using the new protocol?
What can a new networking protocol do better than existing ones when it's only used on one host?
How likely is it that anyone else is going to adopt VMware's (or Xen's, or whomever's) new protocol?
How is it going to be adopted faster than IPv6 and DNSsec?
What benefits are there to everyone else using the protocol?
Why couldn't (or won't) IETF design and ratify the exact same protocol?
Not all of these points are relevant in all scenarios, but please do address the one overarching question: why is what we have not good enough, and why is the alternative better? I look forward to your answers:)
Lots of GOTOs
I've heard from a very reliable source that GOTOs are dangerous: http://www.xkcd.com/292/
That runs against my understanding, though.
You are correct: everyone can choose to trust any (sub)set of keys in the tree. What I explained is the intended deployment scenario Vixie put forth at, I think, lisa05. And he calls the root key "the uberkey, which really has to last the lifetime of the internet".
If anyone h4xx3d the root zone's public key, they could fake the entire DNS.
Which would be no worse than what we have now, except that we may have grown to rely on secure DNS. Even so, 95% of people wouldn't know what it means that the uberkey of the webpipes haz a hack-sored: http://it.slashdot.org/comments.pl?sid=971611&cid=25107753.
But there's something to be said for "(X) It'd stop spam for two weeks, and then we'd be stuck with it."
This creates a false sense of security
For at least 95% of the population, it doesn't do squat to the perception of security, and here's why I think this is so: http://it.slashdot.org/comments.pl?sid=971611&cid=25107753.
And maybe every DNS admin 'inside' .gov will set up the DLV manually, that way all communication between .gov's might be better protected.
My understanding is that DLV doesn't try to solve a security problem, but a deployment problem. DNSSEC requires keys on the path you want to travel in the DNS tree; DLV enables you to verify the A-record path root-gov-whitehouse by following a key path starting at dlv.vix.com (or another dlv "pseudoroot" of your choice). Thus, if Verisign is uncooperative, you can still deploy DNSSEC.
It still requires you to have a way to trust that you know the key for dlv.vix.com. If you can do that, why not just distribute the .gov key the way you distribute the dlv.vix.com key? What is gained in terms of security by using DLV?
--Jonas K
On the face of it, this looks like horrible mismanagement
I fundamentally disagree
And for some very good reasons, which I agree with. I think I should have stressed the "on the face of it" a bit more, because it stops at the surface :)
FTFA:
I'd be inclined to say Hellboy fits into that geek community where people are technology-literate and using peer-to-peer file sharing.
Often the people abusing resources will be more technology-literate than the people responsible for the security of the network. CIOs and CEOs are often a little distant from the technologies they're responsible for.
The CEOs are not expected to be sysadmins. The CIOs are expected to know the big picture of systems administration, not the latest 0-days, brand new intrusion detection prevention system or other details.
But if the users outhack the on-the-floor sysadmins who do the work (not the ones who decide that it must be done), why aren't they put to use in the IT department? On the face of it, this looks like horrible mismanagement: "our non-IT staff are better at IT than our IT staff". Utilize the staff where they show their competence.
To become king of the Goblins, one must assassinate the previous king. Thus, only the most foolish seek positions of leadership.
Not sure why I quote that, but it sounds cool ;)
the most common websites visited by personal web surfers were online trading sites, instant messaging/chat services and peer-to-peer sharing sites
Cue the collective "You left out slashdot!"
And GBTW!
I would hold that the three estates model is a natural state towards which human societies will gravitate, without anyone ever consciously planning or realizing it.
Which is probably why Thomas Jefferson said that "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. It is its natural manure."
If you want to hear Bill Moyers talk about the importance of the free press---it's entertaining, he's a very good speaker, and you may learn a thing or two about how journalists talk among themselves and what they value---you can find him on http://www.freepress.net/conference/audio05/moyers.mp3.
Interesting distinction between the press and the press.
You always have dig and netcat. Who needs more than a DNS resolver and a TCP pipe when you know HTML and can strip the HTTP headers offa' firefox in emacs?
I mean, that's what you'd do... right?
Governor Pain
Didn't FTFY. It's funnier this way.
I use OSS at home and at work simply because it is better than most of the closed-source offerings.
I did some reflecting right now, and I've come up with this: I use it because *nix is awesome!
Now, granted, I've only ever used linux, but much of the awesomeness is in the parts that are still unix. Like, say, a Turing-complete shell and tons of useful pipe tools.
Now, it may be (looong after the year of linux on the desktop) that some proprietary *nix vendor wants to go for the desktop market. Will I stay true to linux?
I'm not completely certain. Are you? Would you say no to $KILLER_FEATURE because you couldn't get the code for it?
I also prefer open source so that I know what is running the application, or at least know more than a few eyes are looking through it. I feel it is more secure that way.
Yeah yeah, but but... *nix is eleventy-awesome!!
Think about it--if proprietary was just... a little bit better; if it didn't get in your way, there was no DRM or activation, it just sat there and did everything you wanted, except "apt-get source" didn't work, but it ran better, more stable and on more hardware than linux; would you say no to the better technology?
Second, the primary usage of IPs comes from blocks assigned to institutions and businesses, with the latter _requiring_ incoming connections.
Exactly who is requiring that businesses can get incoming connections? I'd say it's the businesses themselves. So in the same vein, I require incoming connections (ssh, http, serving games; bittorrent would be nice). And institutions do. And... well, pretty much everyone does; CTCP and DCC spring to mind for Joe Public and http for Joe Public Company.
Could a business have one public IP and NAT/load balance their servers and whatnot?
One public IP and NAT? No. First of all, if you have one office in the US, one in the EU and one in Japan, your traffic has to be routed somehow. You're not going to buy your own fiber, you're going to use the public internet [with high probability]. So each office has to have their own IP. If you have a lot of people, you need a lot of connections.
If everybody has one persistent connection (downloading files, being on IRC/MSN/..., ssh'ing home, whatever) and wants to do some web browsing, and you have a lot of visitors (who need to get first priority), you end up at a maximum headcount of 30K. I'm sure Microsoft (89809), Dell (82700) and Sun (33350) would be unhappy about that idea. Even Apple (28000) might find it a bit too tight.
One is not enough.
Sure, but they could always switch to IP6, which is gonna be a lot cheaper than all these NATs
As has been pointed out, you need to translate to IP4 to be routed and translate back to have a meaningful conversation, which for our purposes is equivalent to NATting.
Public education should be a privilege, not a right. Then maybe more so-called "students" would appreciate it, and student success rates would be better.
Let's just start by making it optional rather than compelled. It's my deeply held belief that compulsion is the primary demotivator employed by school; this is confirmed by my personal experiences [lies, damned lies, anecdotal evidence]. I think boatloads of students would appreciate that, and student success rates would be better.
Also, I recall there being a study on compulsion killing enjoyment: take a bunch of people (kids, ISTR) and two activities they enjoy; label them "payment" and "reward". Now only allow them to do the reward activity if they do the payment activity first. They will report less enjoyment doing the payment activity than before.
-- Jonas K
Before I took up their cash-in hand job offer
So did you get the hand job in your sweet ass-car? ;)
"you can be confident that every U.S. government Web page is being served up by the appropriate agency."
The easiest way to entrap a victim is to promote a feeling of security.
I would venture a guess: any visitor to *.gov who doesn't know what a packet is (i.e. at least 95% of the public) will already feel secure. Also, since the difference between secure DNS and insecure DNS will be absolutely invisible to them (presumably), they won't feel any more or less secure now. Or they won't know what the difference between the green padlock and the yellow padlock is. At any mention of the secure DNS in the press, these 95% of visitors will have forgotten about it the next day [just as I might].
Bottom line: no one who doesn't deal with computers either professionally or as a hobby will notice. Their feeling of security will be unaffected.
I've been told that DNSSEC is basically just a proof of concept when it's done on a single TLD, not providing much real security. [...] If so, then when your ISP queries one of the thirteen root servers for the .gov authority, the attacker could still return a fake response and set himself up as the DNS authority for .gov.
That would be my exact understanding as well.
The details are these: Every node in the DNS tree has a key pair. Everybody knows the public key of the root. Every response to a request contains an answer, and a signature on that answer. As an additional request, you can ask for public keys too.
So, here's the scenario for going to whitehouse.gov, assuming full deployment of DNSSEC:
This secures step 4. Step 2 is still not secured. Paul Vixie has given some good talks on DNSSEC and everything else that's wrong with the interwebs ;) See http://www.usenix.org/events/lisa05/tech/mp3/vixie.mp3. You may also like http://media.defcon.org/dc-13/audio/2005_Defcon_V7-Paul_Vixie-The_Internets_March_of_Folly.mp3.
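Added here as a worked model of the chain of trust that this comment and the DLV comment above describe; it is not code from the thread or from any DNSSEC implementation. It assumes a Lamport one-time signature built from the standard library in place of the RSA/ECDSA signatures real DNSSEC uses, one signed message per zone (its records plus the key digests of its child zones, which is the job DS records do), and constructed names and addresses (the zone names follow the thread; 192.0.2.x and 203.0.113.x are documentation ranges). It runs the four cases the two comments argue about: full deployment with the root key as anchor; .gov signed alone with no anchor, where a forged referral at step 2 goes through unnoticed; .gov's key installed directly as a trust anchor; and the same key vouched for by a dlv.vix.com registry whose key is the anchor instead.

```python
# Toy model of the DNSSEC chain of trust from the two comments above (the
# four-step walk root -> .gov -> whitehouse.gov, and DLV as an extra trust
# anchor).  Added example, not code from the thread; see the lead-in for
# the assumptions (Lamport OTS instead of RSA/ECDSA, constructed addresses).
import hashlib
import json
import secrets

H = hashlib.sha256

def keygen():
    """Lamport one-time signature: 256 secret pairs, public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a).digest(), H(b).digest()) for a, b in sk]

def _bits(msg):
    return [int(b) for byte in H(msg).digest() for b in f"{byte:08b}"]

def sign(sk, msg):                 # reveal one secret per hash bit; one use per key
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s).digest() == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def key_digest(pk):                # what a DS record or a trust anchor carries
    return H(b"".join(a + b for a, b in pk)).hexdigest()

class Zone:
    """A signed zone: address records plus DS digests vouching for child keys."""
    def __init__(self, name, records, children=()):
        self.name, self.records = name, dict(records)
        self.child_ds = {c.name: key_digest(c.pk) for c in children}
        self.sk, self.pk = keygen()
        self.payload = json.dumps(
            {"records": self.records, "ds": self.child_ds}, sort_keys=True).encode()
        self.sig = sign(self.sk, self.payload)   # the zone's single signed message

def validate(zone, expected_ds):
    """'secure' if key matches anchor/DS and signature checks; 'insecure' if
    nothing vouches for the zone; ValueError (bogus) if the answer contradicts the chain."""
    if zone.name not in expected_ds:
        return "insecure"
    if key_digest(zone.pk) != expected_ds[zone.name]:
        raise ValueError(f"bogus: key for {zone.name} does not match DS/anchor")
    if not verify(zone.pk, zone.payload, zone.sig):
        raise ValueError(f"bogus: bad signature from {zone.name}")
    return "secure"

def resolve(name, responses, trust_anchors, dlv=None):
    """Walk root -> gov -> whitehouse.gov; `responses` is what each authority (or
    an attacker on the path) answered; `dlv` is an optional off-path registry."""
    expected_ds = dict(trust_anchors)
    if dlv is not None and validate(dlv, expected_ds) == "secure":
        expected_ds.update(dlv.child_ds)      # registry trusted -> its DS map counts
    labels = name.split(".")
    path = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, 0, -1)]
    for zone_name in path:
        zone = responses[zone_name]
        status = validate(zone, expected_ds)
        if status == "secure":                # DS only counts from a validated parent
            expected_ds.update(zone.child_ds)
        if name in zone.records:
            return zone.records[name], status
    raise LookupError(name)

def build():
    """Honest tree, an attacker's forged .gov subtree and a DLV registry (constructed)."""
    wh = Zone("whitehouse.gov", {"www.whitehouse.gov": "192.0.2.10"})
    gov = Zone("gov", {"ns.whitehouse.gov": "192.0.2.2"}, children=[wh])
    root = Zone(".", {"ns.gov": "192.0.2.1"}, children=[gov])
    evil_wh = Zone("whitehouse.gov", {"www.whitehouse.gov": "203.0.113.66"})
    evil_gov = Zone("gov", {}, children=[evil_wh])   # attacker's own .gov key: step 2 forged
    dlv = Zone("dlv.vix.com", {}, children=[gov])    # vouches for the real .gov key
    return ({".": root, "gov": gov, "whitehouse.gov": wh},
            {".": root, "gov": evil_gov, "whitehouse.gov": evil_wh}, root, gov, dlv)

def attempt(responses, anchors, dlv=None):
    try:
        return resolve("www.whitehouse.gov", responses, anchors, dlv)
    except ValueError:
        return "rejected"

def scenarios():
    honest, forged, root, gov, dlv = build()
    root_anchor = {".": key_digest(root.pk)}          # full deployment
    gov_anchor = {"gov": key_digest(gov.pk)}          # .gov key handed out directly
    dlv_anchor = {"dlv.vix.com": key_digest(dlv.pk)}  # ...or the DLV key instead
    return {
        "full": attempt(honest, root_anchor),
        "full_forged": attempt(forged, root_anchor),
        "gov_only": attempt(honest, {}),            # only .gov signed, nobody vouches
        "gov_only_forged": attempt(forged, {}),     # step 2 unprotected: attacker wins
        "gov_anchor": attempt(honest, gov_anchor),
        "gov_anchor_forged": attempt(forged, gov_anchor),
        "dlv": attempt(honest, dlv_anchor, dlv),
        "dlv_forged": attempt(forged, dlv_anchor, dlv),
    }
```

Calling `scenarios()` shows the point of both comments: with no anchor for .gov the forged referral is accepted with status "insecure", exactly like unsigned DNS today, while a .gov anchor and a DLV registry vouching for the same key reject the forgery identically. In a real validating resolver the "rejected" cases are a SERVFAIL to the client; "insecure" is what every zone nothing vouches for gets.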
Until such time as they start writing laws in a language that the average person can read and understand and so, can defend themselves. [...] it takes forever to learn how to wade through the self made bullshit.
I've toyed with this idea. In common law, judges can, essentially, create laws by calling them rulings. If you cut down on the volume of the laws in the books--this may be non-trivial, we live in a complex world--you still have to consider all the case law. You can't really outlaw trials, or the world would disappear in a puff of disappear in a puff of disappear in a puff... ;)
So you'd have to abandon common law, or in some other way give very little influence to past findings. But, one might argue, that means that every part of every question that is raised more than once has to be answered without relying on previous answers, instead of relying on past answers and just looking at what's different this time. Seems wasteful.
Just a thought :)
I don't trust any self regulating industry very much.
I'd much rather have someone well versed with the ways of the industry regulate it, than some out-of-touch bureaucrat, as long as the regulating body is not shielded from the public will.
"Oh, you mean like I how I've built and run supertux, wesnoth, frozen-bubble and conky out of svn?"
I think that one sentence more than anything else illustrates just how you're NOT in Apple's target market.
I totally agree, I'm not in Apple's target market.
I hope you are aware that this observation is orthogonal to the discussion you're replying to. If not, please consider yourself informed :)
They don't want you to install proprietary software so they'll not make it easy for you and they'll definitely not make it easy for the developers.
Explain to me why Debian packages loads of proprietary software in non-free. Explain to me why mplayer comes with a script that downloads and installs the non-free codecs.
if you want to go against the flow of your OS vendor you have to [...] because your supplier wants to impose restrictions on what kind of software you can run.
True for Apple. Not true for Debian.
excuse me but are you clueless about music?
Insulting people (by stating or implying they are clueless) is generally not a good way to get positive moderation. Just thought you might want to have more karma to burn ;)
Also, the question you're addressing is not music (composition and performance), but recording, playback and auditory perception (production, HiFi, sound).
The number of speakers, or surround do not determine the quality of music.
True. Because music is composition and performance. In fact, the two are orthogonal; I've recently auditioned for a band and I quite liked their recorded songs even though the production on average was (gently put) not on par with commercial music.
The number of speakers does affect some dimension of the quality of what you're going to perceive. I've found that even when I'm just listening to stereo, I want to have sound coming from behind me in addition to in front; whether it's the bigger, better speakers in the back (should be easy to test) or just the sound coming from all directions, it is subjectively more pleasant to listen to.
Also, if you do have real surround sound (even just 4.0), you can do nifty tricks like putting the drummer in the back, guitar and bass subtly to either side and vocals in center/front. I'd think this makes each instrument more distinguishable while not destroying the integration into one auditory whole.
But I'm not an audiophile, I just like having four speakers and sound coming from all directions.
We found a witch! May we burn her?
Canonical came to some sort of agreement with Mozilla to allow Ubuntu to continue using the name and logo with their modifications. I never heard what exactly it took to come to such an agreement.
According to the UFSG:
Must not be distributed under a license specific to Ubuntu. The rights attached to the software must not depend on the programme's being part of the Ubuntu system. So we will not distribute software for which Ubuntu has a "special" exemption or right, and we will not put our own software into Ubuntu and then refuse you the right to pass it on.
I don't know how that relates to trademark, or how it relates to the Liberty or Death clause of the GPL (and then firefox has two other licenses to be redistributed under), but it seems to clearly be against the spirit if only ubuntu can redistribute their modified firefox in the branded state [especially if, on mozilla's side, this is merely a quality and reputation issue--we're talking about copying the program, not changing it, so the quality is the same everywhere].
Nutrition for cognition, hopefully.
They do not however, have any right to deny people their fair use rights
Fair use is a defense, not a right.
IANAL, TINLA; see http://en.wikipedia.org/wiki/Fair_use. I've heard those words spoken by a female lawyer in a slashdotter-friendly context. I think it was Cindy Cohen, either relating to EFF, Defcon or both, but I may be wrong; check http://www.defcon.org/html/links/defcon-media-archives.html (check it even if you don't care, you might learn something really fucking awesome).
What does it mean that fair use is a defense and not a right? It means that someone can prevent you from doing the things permitted under the fair use doctrine without limiting your ability to exercise your rights (as I understood and remember it).
Also, when assessing whether something is legal, take current and recent findings of the judiciary body into account; they may be more relevant than what the US Code says.
You may have loaded libheisenberg instead.
Are you uncertain of that?
If you get the same results for very similar input, in what way is it not like a theremin?
The way by which it's different, obviously ;)
Suppose you had a guitar-shaped piece of plastic with 6 times 24 buttons on it (nstrings times nfrets plus overhead), hooked up to a computer that generated appropriate sounds. In which ways is that not a guitar? Would you ask Ritchie Blackmore to play it? It's the same result for similar inputs, right?
Okay, let's be more realistic. Electric pianos; they exist, some people like them, some people abhor them. I think it's fair to say the two are similar, but it does make a lot of sense to distinguish them.
Isn't it by the same token fair to distinguish this from the theremin?