This highlights a point you may very well know already, but allow me to restate it:
People (at least people who program computers) haven't really figured out how to write secure code.
Well, what do I mean by secure code? Code that is 100% secure against a particular well-specified threat, or several of these. I.e. "only users logged in as root on the local console can [...]; users accessing the database through the web interface can't [...].", or "no TCP flow will cause the $OS network stack to crash", or [etc.].
This article is merely the observation that even when people write code that has a security function, they can't magically do better than everybody else.
Also, I'd like to advocate the viewpoint that security is a system property. You can't apt-get install security. Putting a firewall in front of a flaky app (especially a flaky proprietary app) is not going to work well: if you need code to detect whether a packet is evil or not, why don't you put that code in the application, so you don't have three competing vendors waste time trying to be the best flaky-packet-handler for $APP?
Oh well, I guess you can ship sooner. Also, if the original developers of $APP can't get the don't-be-flaky right, we might need something to stand in front.
(I hope this is more coherent than my feeling of well-being would suggest I'm able to make it)
Question: how can you tell GPL code is GPL code unless you know that it's GPL code?
Version 2 requires that GPL-covered code states clearly that it's covered by the GPL.
[Section 1] You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
Section 2, which covers modifying and then distributing, says "do Section 1 in this case too".
The author was entitled to compensation for the illegal distribution of his code
In terms of damages, right? Wouldn't it then be up to the court to decide (based on evidence of damages, or statutory damages) exactly what the original author is entitled to?
If it turned out that GPL code was spread throughout Windows (highly unlikely, I'd think), they would almost certainly prefer to pay up rather than make Windows Free Software.
Why does Microsoft have a choice here?
Couldn't the original author sue for damages and also demand that MS either removes the infringing code or becomes compliant with the GPL?
As far as I know, he could even choose to not offer the license again, completely forbidding MS from distributing the code and thus forcing them to remove said code.
As far as I understand these matters, the original author would have the option of not letting Microsoft just pay up and continue redistributing.
I'm not sure what your exact specification is, but there's Gnome Do which claims to be smart about converting short key sequences into program names (so "ffx" will likely turn into "firefox", "opow" into "open office word processor", i.e. oowriter). There's also the default GNOME run dialog which autocompletes things in your $PATH. And you can set up keyboard shortcuts for your favourite applications with xbindkeys.
I agree partially: I think, as I think you do, that these tools are really poorly suited for the things people want to do, and the things people do could work much better if they were made with better tools.
(display postscript over ssh, perhaps? Wasn't that Sun's NeWS? I've heard good things about it... see also my other suggestions.)
You have a hammer (HTTP/HTML) so everything looks like a nail to you.
I disagree with this bit. I think people want the universal accessibility and zero-administration properties of web applications. I've come up with two non-web ways of delivering that, which probably won't be popular, but... none the less, I'm not fixated on applications having to be web applications. Also, I think not every application should be web-based (in fact, I tend to prefer client-side apps over web apps, all else being equal)
Maybe I'm missing something. Which non-nails am I overlooking?
What's the right tool to deliver to your users rich applications which are
accessible from (almost) any computer, anywhere
doesn't require the user to install software that isn't already pre-installed on most computers
works on all architectures and operating systems
can be updated for everybody by the application provider without invading peoples' machines
I don't know of any tool other than HTTP/HTML. I can imagine something with ssh and X forwarding, but windows boxes don't come with X preinstalled (nor ssh). Remote desktop, perhaps? Any other good ideas?
19th century cryptanalytical [wikipedia.org] techniques could determine the correspondence of the mysterious 8-pit repeating units to letters. (After all, what is ASCII except a simple substitution cipher?)
Nit pick: the "Wheel of Fortune" cryptanalysis---guess a you have a couple of extremely-high-probability letters figured out correctly, make qualified guesses at the rest with grep and/usr/share/dict/words---work based on the assumption that you know the distribution of the plaintext (i.e. that it's a natural language and you know which one).
I don't know how well they work on.iso file systems if you don't know they're iso file systems. They might work pretty poorly. And even if the CD contains mostly text, there's a lot of file system metadata that messes with your character frequencies. Good luck "decrypting" that Starcraft CD. Or that music CD.
You know, when CDs and DVDs came out, they claimed they would last 50 years.
Obviously they did extensive 50-year tests of each of their competing best designs. Then went a couple of design iterations, testing each of them, such that they had some evidence to back up that claim.
Which leads you to the startling conclusion that the Stone DVDs were first sketched out on mount Sinai, then the design was tested throughout generations.
Seriously, they'll last a 1000 years? How do they know? What model predicts this? What's the evidence for the validity of that model?
Phone wiretap warrants are on people, not telephones. If you borrow my phone and the police is wiretapping me, they're not allowed to record any of your conversation (except they can listen in something like two seconds every minute to check it's still someone other than me talking).
That might serve as one motivation. The real answer is that they didn't understand the "Don't trust the client" principle. Especially don't trust your clients if you suspect them to be criminals... oh well.
each key doesn't emit one tone. It emits two tones -- one based on [each of row and column]
That is indeed correct; it's also known as DTMF---dual tone multiple frequency. I think I meant to say something about that. Now I wonder why I didn't.
Here's a bit of background the/. editors didn't give you.
If you take a 2-second look at the paper (the pdf link in the summary), you see Matt Blaze's name.
He's been doing other work on making law enforcement wiretapping not work. For instance, go to http://www.usenix.org/events/sec06/tech/ and search the page for "Blaze"; you should find his talk (http://www.usenix.org/events/sec06/tech/mp3/blaze.mp3) and the Q&A session.
As you might infer, this isn't the first time Mr. (Dr.?) Blaze has been studying wiretapping (or other security issues). He's also quite a good, entertaining speaker. I recommend giving him a listen.
The short story (from the usenix talks): press the "C" key on your old 4x4-keypad phone. That's the in-band signal (doh!) used by law enforcement to mean "don't record now". Or, look up the tone frequency, then play it back at a much lower volume with a tone generator (your laptop might do) so it's more comfortable to talk over.
Granted, I picked arbitrary figures to argue a point.
Also, I disagree: it's not written once. It's written once, then rewritten several times, in a sequence of small patches.
And I think there's value to be had if you can type less: while typing, you can't really think that well about what you're going to write next (at least not as well as if you weren't typing).
I think in some (some!) cases my position is very defensible: does "len" really take longer to read and understand, compared to "length"? My experience is that it's the same, so why not save the typing time?
That being said, I think you are right in some cases. I don't advocate brevity at all costs. I advocate brevity in the cases where they're a net win.
Then, "in which cases is it a win?" is an empirical question that I don't know the answer to.
I don't speak English as a first language. I find fmt, ConnMgr, recv, sys, btn, etc. to be perfectly readable abbreviations.
Is it a surprise to you that the Danish branches of $SOFTWARE_COMPANY (at which I've worked) requires its employees to be good (or at least decent enough) at English?
I'd say some mods need to have a blood sample of theirs checked for irony deficiency.
I thought it was quite clear I was making a mockery out of real trolls. My real insults are either references to humorous insults, or I apologize for them and underscore that I'm compelled by my ex-parent to post what I'm posting.
One is not entitled to the work of another for free just because someone wants it.
Let's see. Strictly speaking, you're saying "not (a implies b)" where a is "I want the game for free" and b is "I am allowed to have it".
You're not saying "if a, then not b". And you haven't shown "not b". You haven't really shown that there is no good justification for making copies.
I have one: the benefit to the pirate (of the one copy) exceeds the loss to the makers of the game of that one lost potential sale. That is, if we sum up everybody's utility, this is a net gain.
The problem with this is of course that if everybody's a pirate, no one will pay the makers of the game, and they won't have a financial incentive to make them.
And that's the real sticky bit about designing good copyright rules: finding a balance between giving people an incitement to make games (etc.) such that there are great games to play versus avoiding people forgoing the benefit of playing that game.
Because once the game exists, the price of each additional copy is so close to zero that the consumers are willing to bear it amongst themselves (see bittorrent, generous seeders, TPB, etc.).
It sounds like you're saying "you want it? Pay the makers for it" as if that is true for everyone and should stay true at all times. I disagree (strongly) with that, because I think your rule would not optimize social welfare.
I don't know what the right rule is. Maybe Stallman is right: everybody should have the four freedoms with all software they use. Maybe the ideal is that by limiting your choice in software (but not limiting yourself in terms of real features) you can have the four freedoms with all software you use--or you can choose the proprietary $APP instead of the free one if you your feature/freedom trade-off says that's what you want. (From my POV, we're quite close to that situation.)
Slashdot Mirror
Here's how you do it in chromium:
(Just tested it, it works just fine. Now, let me change it back :D)
"lets 'bing' it"
Meh. At least they could've chosen a funny-in-that-context name, like "wing", or "hack"... or "kill" :->
This highlights a point you may very well know already, but allow me to restate it:
People (at least people who program computers) haven't really figured out how to write secure code.
Well, what do I mean by secure code? Code that is 100% secure against a particular well-specified threat, or several of these. I.e. "only users logged in as root on the local console can [...]; users accessing the database through the web interface can't [...].", or "no TCP flow will cause the $OS network stack to crash", or [etc.].
This article is merely the observation that even when people write code that has a security function, they can't magically do better than everybody else.
Also, I'd like to advocate the viewpoint that security is a system property. You can't apt-get install security. Putting a firewall in front of a flaky app (especially a flaky proprietary app) is not going to work well: if you need code to detect whether a packet is evil or not, why don't you put that code in the application, so you don't have three competing vendors waste time trying to be the best flaky-packet-handler for $APP?
Oh well, I guess you can ship sooner. Also, if the original developers of $APP can't get the don't-be-flaky right, we might need something to stand in front.
(I hope this is more coherent than my feeling of well-being would suggest I'm able to make it)
I have a great proof why this won't work, but it's too long to fit in into a URL :(
Question: how can you tell GPL code is GPL code unless you know that it's GPL code?
Version 2 requires that GPL-covered code states clearly that it's covered by the GPL.
[Section 1] You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
Section 2, which covers modifying and then distributing, says "do Section 1 in this case too".
See http://www.gnu.org/licenses/old-licenses/gpl-2.0.html for the full text.
The author was entitled to compensation for the illegal distribution of his code
In terms of damages, right? Wouldn't it then be up to the court to decide (based on evidence of damages, or statutory damages) exactly what the original author is entitled to?
If it turned out that GPL code was spread throughout Windows (highly unlikely, I'd think), they would almost certainly prefer to pay up rather than make Windows Free Software.
Why does Microsoft have a choice here?
Couldn't the original author sue for damages and also demand that MS either removes the infringing code or becomes compliant with the GPL?
As far as I know, he could even choose to not offer the license again, completely forbidding MS from distributing the code and thus forcing them to remove said code.
As far as I understand these matters, the original author would have the option of not letting Microsoft just pay up and continue redistributing.
Can someone clarify?
Linux needs this.
I'm not sure what your exact specification is, but there's Gnome Do which claims to be smart about converting short key sequences into program names (so "ffx" will likely turn into "firefox", "opow" into "open office word processor", i.e. oowriter). There's also the default GNOME run dialog which autocompletes things in your $PATH. And you can set up keyboard shortcuts for your favourite applications with xbindkeys.
So exactly what's missing?
[Not WWW/HTTP/HTML]
I agree partially: I think, as I think you do, that these tools are really poorly suited for the things people want to do, and the things people do could work much better if they were made with better tools.
(display postscript over ssh, perhaps? Wasn't that Sun's NeWS? I've heard good things about it... see also my other suggestions.)
You have a hammer (HTTP/HTML) so everything looks like a nail to you.
I disagree with this bit. I think people want the universal accessibility and zero-administration properties of web applications. I've come up with two non-web ways of delivering that, which probably won't be popular, but... none the less, I'm not fixated on applications having to be web applications. Also, I think not every application should be web-based (in fact, I tend to prefer client-side apps over web apps, all else being equal)
Maybe I'm missing something. Which non-nails am I overlooking?
And now you don't have an friends left.
Oh, the inory...
Let's teach our AI systems how to do battle... against humans. Skynet anyone?
The robots will be no match for John "Bisu" Connor!
"right tool for the right job"
Fair enough.
What's the right tool to deliver to your users rich applications which are
I don't know of any tool other than HTTP/HTML. I can imagine something with ssh and X forwarding, but windows boxes don't come with X preinstalled (nor ssh). Remote desktop, perhaps? Any other good ideas?
19th century cryptanalytical [wikipedia.org] techniques could determine the correspondence of the mysterious 8-pit repeating units to letters. (After all, what is ASCII except a simple substitution cipher?)
Nit pick: the "Wheel of Fortune" cryptanalysis---guess a you have a couple of extremely-high-probability letters figured out correctly, make qualified guesses at the rest with grep and /usr/share/dict/words---work based on the assumption that you know the distribution of the plaintext (i.e. that it's a natural language and you know which one).
I don't know how well they work on .iso file systems if you don't know they're iso file systems. They might work pretty poorly. And even if the CD contains mostly text, there's a lot of file system metadata that messes with your character frequencies. Good luck "decrypting" that Starcraft CD. Or that music CD.
You know, when CDs and DVDs came out, they claimed they would last 50 years.
Obviously they did extensive 50-year tests of each of their competing best designs. Then went a couple of design iterations, testing each of them, such that they had some evidence to back up that claim.
Which leads you to the startling conclusion that the Stone DVDs were first sketched out on mount Sinai, then the design was tested throughout generations.
Seriously, they'll last a 1000 years? How do they know? What model predicts this? What's the evidence for the validity of that model?
[Why] would that signal even exist?
Phone wiretap warrants are on people, not telephones. If you borrow my phone and the police is wiretapping me, they're not allowed to record any of your conversation (except they can listen in something like two seconds every minute to check it's still someone other than me talking).
That might serve as one motivation. The real answer is that they didn't understand the "Don't trust the client" principle. Especially don't trust your clients if you suspect them to be criminals... oh well.
each key doesn't emit one tone. It emits two tones -- one based on [each of row and column]
That is indeed correct; it's also known as DTMF---dual tone multiple frequency. I think I meant to say something about that. Now I wonder why I didn't.
Thanks for pointing this out, though! :)
Here's a bit of background the /. editors didn't give you.
If you take a 2-second look at the paper (the pdf link in the summary), you see Matt Blaze's name.
He's been doing other work on making law enforcement wiretapping not work. For instance, go to http://www.usenix.org/events/sec06/tech/ and search the page for "Blaze"; you should find his talk (http://www.usenix.org/events/sec06/tech/mp3/blaze.mp3) and the Q&A session.
He also gave essentially the same talk as the first (under a different title) at http://www.usenix.org/event/lisa05/tech/ (again, search the page for "Blaze" or go straight to http://www.usenix.org/event/lisa05/tech/mp3/blaze.mp3).
He also spoke at hotsec06, http://www.usenix.org/events/hotsec06/tech/, with no recorded mp3, and at an e-voting panel, http://www.usenix.org/events/sec07/tech/.
As you might infer, this isn't the first time Mr. (Dr.?) Blaze has been studying wiretapping (or other security issues). He's also quite a good, entertaining speaker. I recommend giving him a listen.
The short story (from the usenix talks): press the "C" key on your old 4x4-keypad phone. That's the in-band signal (doh!) used by law enforcement to mean "don't record now". Or, look up the tone frequency, then play it back at a much lower volume with a tone generator (your laptop might do) so it's more comfortable to talk over.
Great comment! If I had mod points today I would mod you up.
Don't worry, I just did.
Oh... :(
Then imagine what would happen if everyone came to accept these few simple things.
Boy, that sounds great.
Now, do you have any good suggestions for solving the problems of the world we actually live in? Change human nature, perhaps? ;)
Sorry to be snide. Your world does sound great, but I think you'll have to fight an uphill battle if you fight against peoples' desire to be lazy.
I think Windows would do better to take pages from the KDE book, but maybe that's just personal taste.
I think people would like it, as per my other comment: http://tech.slashdot.org/comments.pl?sid=1440748&cid=30072032
"We never used OS X as a source of inspiration in the design of Windows 7. This is completely uninformed. We used KDE 4 instead".
That's not far from the truth.
Or at least, if you tell people KDE4 is Windows 7, they believe it.
Granted, I picked arbitrary figures to argue a point.
Also, I disagree: it's not written once. It's written once, then rewritten several times, in a sequence of small patches.
And I think there's value to be had if you can type less: while typing, you can't really think that well about what you're going to write next (at least not as well as if you weren't typing).
I think in some (some!) cases my position is very defensible: does "len" really take longer to read and understand, compared to "length"? My experience is that it's the same, so why not save the typing time?
That being said, I think you are right in some cases. I don't advocate brevity at all costs. I advocate brevity in the cases where they're a net win.
Then, "in which cases is it a win?" is an empirical question that I don't know the answer to.
I don't speak English as a first language. I find fmt, ConnMgr, recv, sys, btn, etc. to be perfectly readable abbreviations.
Is it a surprise to you that the Danish branches of $SOFTWARE_COMPANY (at which I've worked) requires its employees to be good (or at least decent enough) at English?
I'd say you hit the nail on the head.
I'd say some mods need to have a blood sample of theirs checked for irony deficiency.
I thought it was quite clear I was making a mockery out of real trolls. My real insults are either references to humorous insults, or I apologize for them and underscore that I'm compelled by my ex-parent to post what I'm posting.
Oh well, irony deficiency...
One is not entitled to the work of another for free just because someone wants it.
Let's see. Strictly speaking, you're saying "not (a implies b)" where a is "I want the game for free" and b is "I am allowed to have it".
You're not saying "if a, then not b". And you haven't shown "not b". You haven't really shown that there is no good justification for making copies.
I have one: the benefit to the pirate (of the one copy) exceeds the loss to the makers of the game of that one lost potential sale. That is, if we sum up everybody's utility, this is a net gain.
The problem with this is of course that if everybody's a pirate, no one will pay the makers of the game, and they won't have a financial incentive to make them.
And that's the real sticky bit about designing good copyright rules: finding a balance between giving people an incitement to make games (etc.) such that there are great games to play versus avoiding people forgoing the benefit of playing that game.
Because once the game exists, the price of each additional copy is so close to zero that the consumers are willing to bear it amongst themselves (see bittorrent, generous seeders, TPB, etc.).
It sounds like you're saying "you want it? Pay the makers for it" as if that is true for everyone and should stay true at all times. I disagree (strongly) with that, because I think your rule would not optimize social welfare.
I don't know what the right rule is. Maybe Stallman is right: everybody should have the four freedoms with all software they use. Maybe the ideal is that by limiting your choice in software (but not limiting yourself in terms of real features) you can have the four freedoms with all software you use--or you can choose the proprietary $APP instead of the free one if you your feature/freedom trade-off says that's what you want. (From my POV, we're quite close to that situation.)
From Golanf.org
Ha. Ha. Very gunny...