I disagree...the only p2p apps running should be *approved* ones. I realize that's splitting hairs, but the distinction is an important one. For example, I thought the Groove application from a couple years ago was a great idea & a good business use of p2p. That's the sort of thing that I could see being an approved p2p app. BearShare? not so much.
The devil is always in the details.
1) what do you do with the 1.6 million Muslims (most of whom are peaceful & law-abiding) who are presently living in the UK (many of whom are not first-generation)? If you just throw them out, won't that make the previously peaceful ones very angry with you?
2) what do you do with the 53% of all residents of Northern Ireland who are Protestant (and therefore want to stay where they are)? If you just evict them, doesn't that risk starting yet *another* war in that region?
IP addresses are not nor will ever be valid evidence in a court of law.
Utter nonsense. For the most part, computer-generated logs (such as server logs, etc) are equivalent to hearsay, but may be considered better than that. Hearsay is admissible in court, but is not the strongest evidence type around.
Lonely Lemur
Marxist Millipede
Narcoleptic Narwhal
Onanistic Orangutan
Promiscuous Parakeet
Questioning Quail
Randy Rodent
Slutty Seal
Trampy Tadpole
Uncanny Ungulate
Hidden agenda? hehehe. Nice persecution complex you've got going there. Seriously, that fact wasn't "established" at all...it was testified to by one of the defendants. The fact that the prosecution didn't challenge it just means that they screwed up (which wouldn't by far be the prosecution's only screw-up in this case).
They are providing torrent files. Plain text files. On which no copyright lies, or at least nobody minds that they copy those.
If this is the best argument that the tech community has in favor of the Pirate Bay, then it's no surprise they were found guilty. This is sophomoric bullshit. The simple fact is that the vast, vast majority of the stuff that the Pirate Bay helps find is copyrighted, and the entire point of the site is to help people find that stuff. Claiming "it's just text files" is bullshit, and anyone with an ounce of sense can see that.
Close, they're drumming up support for S.773 and S.778. These bills are designed to give the executive the power to control the security of vital parts of the internet. If they can show that these vital parts of the net are compromised, and therefore risking America, they have an easy talking point when lobbying congress members.
That'll be an interesting negotiation, actually...the US controls the organization that approves the root zone, but the US doesn't host all the root nameservers (and the agreements between ICANN and the roots is not terribly formal, to my understanding, so the root operators are under no particular requirement to do what the US gov asks).
The more interesting one is the gtld-servers, and the Afilias servers, which together control all of .com, .net and .org.
In short, the US could nuke some, but not all, of the roots, and all of .com, .net, and .org, but the ccTLDs would live on. Less than ideal, granted.
You can't experimentally prove impossibility. You can only show that all your attempts so far failed. For example, do all of the failed perpetual motion machines prove that perpetual motion is impossible? No, because each of them had a flaw...the fundamental issue comes when you say that you can't build a device *without* a flaw like that. That's not experimentally provable.
However, there's another way of looking at it: if we are pretty sure that FTL is impossible, then what you're proposing is an *enormous* waste of money.
It's always possible that there just isn't a feasible way of reaching distant planets. Sometimes the universe just kicks you like that.
Actually, he has a valid point: the user doesn't give a damn about whether their disk's metadata is consistent. They care about their actual data. If a filesystem is sacrificing user data consistency in favor of metadata consistency, then it's made the wrong tradeoff.
What the fuck are you talking about?
For one thing, right there in the summary it says that this is being proposed in a bill in Congress, so the administration isn't doing this unilaterally, Congress is proposing it.
Also, all of the groups involved are already reporting to the Executive, because they're SUPPOSED TO BE. Congress does not do the operational work of the government, they write the laws, and hold the purse strings. The Executive branch does the actual work of implementing the laws. That's what the separation of powers you have so completely misunderstood actually means.
if they ask you if you know a certain technology or language, to always say yes
As someone who has interviewed a lot of people for technical positions, let me assure you that I will tear you apart if you try that in one of my interviews. Maybe other people handle it differently, but when I ask if an interviewee knows a technology, it's not a "yes/no" question, it's my opening to ask questions to see if you *understand* that technology. If you say yes to everything, you're going to be shown to be lying *very* quickly.
you're not allowed to do anything
Of course you are...they just don't want you to know that you are. (Hint: google "jury nullification" some time.) (Hint #2: those two words are a really fast way to get thrown off a jury.)
The person who alerted the authorities was a DC electrical engineer that these two tried to include in their scam, and who went to the FBI fairly shortly after their proposal (more info from the Washington Post's article). Kundra was not the one who alerted the FBI.
You probably already have hair on your palms...you've been punished enough.
Too many moving parts. If any one part of the chain there fails during testing (which really only happens in the couple of weeks before the election), then that box is unusable, which means there's going to be a *lot* of unusable machines in any given election. Also, any system has to be verifiable as working properly by ANYONE...because that's who you're going to get as volunteers. IT-comfortable folks are thin on the ground as election volunteers.
I volunteered as an election judge this past November, and that was one thing I took away from the experience: Election offices are not IT shops, and are just not set up to anticipate all the failures that will occur with IT gear. For example, we had tons of problems with the UPSes they were sending out to each voting site. As an IT person, you'd expect a fairly high rate of UPS failure after 2 years...they hadn't anticipated that at all.
Philosophically, Linus sees no problem with "Tivo-isation", which is what a big part of the changes in v3 of the GPL were all about. So, since Linus sees no need for those protections, he's not terribly enthusiastic about using them.
Hi, Bruce,
While I agree in general that there are too many licenses, one of the problems I ran into (which you mention in passing) was that I'm not necessarily the one who gets to decide what license I'm using. When I talked with my organization's lawyers, they didn't care about license proliferation...they cared only about what they thought was important. So, we ended up with a modified BSD license: the standard 3-clause plus one more to address the lawyers' concerns...personally I think the fourth clause is redundant, but I'm not a lawyer, so they weren't listening to me.
In short, while I think it's good to get this group (i.e., the coders) to start agreeing on licenses, the lawyers that we talk to need a bunch of education also. They all seem to want to customize licenses.
This behavior is not the exception, it is the standard operating procedure for online retail,
...and yet it remains unacceptable behavior.
The only way to change something that sucks, even if it is "standard operating procedure," is to make a lot of noise, cause the people doing it to lose money/face, and make "standard operating procedure" look a lot less "standard." This is what the people here are doing. I see nothing wrong with them trying to change this behavior.
Which means that if you do something awesome, you should never try do anything else, ever.
I would myself go to another shop and get a SHA-1 signed certificate (or even a SHA-2 signed certificate for those not concerned with low level browsers). At least your customers will know that there is no man in the middle due to the MD5 issue.
Unfortunately, no, they won't. An MD5-signed intermediate cert can quite happily issue certs signed with SHA-1. (They did just this as part of their testing.) There's no requirement for the signing chain to be signed with the same algorithm.
The fact that your end certificate is SHA-1 signed really doesn't mean anything to the end user. If your cert is MD5 signed, all that could possibly mean is that your CA at one time did something stupid. Whether it is still doing that stupid thing (or already did that stupid thing for an attacker) is something that the end user has no way of knowing...the end user really is basically screwed here.
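The check the two comments above imply, as an added example that is not part of the original thread: walk a certificate chain and report the signature algorithm on every link, because the leaf's algorithm says nothing about how the intermediate that issued it was itself signed. The sample "certificates" are constructed inline with a tiny DER encoder and keep only the three top-level fields of RFC 5280's Certificate SEQUENCE (a label standing in for tbsCertificate, the signatureAlgorithm, and a placeholder signatureValue); the labels, the `make_sample_cert` / `chain_verdict` helpers and the "ok"/"weak"/"broken" verdicts are this example's own conventions, not anything from the thread or the researchers' slides.

```python
"""Report the signature algorithm of every link in an X.509 chain.

Added example, not code from the thread. The constructed sample certs below are
structural stand-ins: their signatureValue is filler, so no verifier would
accept them, but the outer signatureAlgorithm field is encoded exactly as in a
real certificate, and signature_algorithm() works unchanged on real DER input.
"""
from __future__ import annotations

# PKCS #1 signature-algorithm OIDs (RFC 3279 / RFC 4055), arc 1.2.840.113549.1.1.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"md5WithRSAEncryption"}        # practical chosen-prefix collisions (rogue CA, 2008)
DEPRECATED = {"sha1WithRSAEncryption"}   # collisions since 2017; modern browsers refuse it


# ---- minimal DER encoder: only what the constructed sample chain needs ----
def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV: tag byte, length, content."""
    return bytes([tag]) + _der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def make_sample_cert(label: str, sig_oid: str) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    tbsCertificate is reduced to a SEQUENCE holding a UTF8String label (hypothetical)."""
    tbs = der(0x30, der(0x0C, label.encode()))
    alg_id = der(0x30, der_oid(sig_oid) + der(0x05, b""))  # AlgorithmIdentifier: OID + NULL
    sig_value = der(0x03, b"\x00" + b"\xAA" * 8)            # BIT STRING filler, 0 unused bits
    return der(0x30, tbs + alg_id + sig_value)


# ---- minimal DER decoder: enough to pull signatureAlgorithm out of any cert ----
def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV) for the element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: skipped entirely
    _, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm: AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def chain_verdict(chain: list[bytes]) -> tuple[str, list[str]]:
    """chain is leaf first, trust anchor last. Returns (verdict, per-link algorithm names).
    A root's self-signature is never relied on (trust comes from the store), so only the
    leaf and the intermediates count; MD5 anywhere below the root poisons the chain."""
    names = [SIG_ALG_NAMES.get(signature_algorithm(c), signature_algorithm(c)) for c in chain]
    relied_on = names[:-1] if len(names) > 1 else names
    if any(n in BROKEN for n in relied_on):
        return "broken", names
    if any(n in DEPRECATED for n in relied_on):
        return "weak", names
    return "ok", names


# The case from the thread: a SHA-1 leaf hanging off an MD5-signed intermediate (constructed).
SAMPLE_CHAIN = [
    make_sample_cert("leaf: www.example.test", "1.2.840.113549.1.1.5"),
    make_sample_cert("intermediate: Example Issuing CA", "1.2.840.113549.1.1.4"),
    make_sample_cert("root: Example Root CA", "1.2.840.113549.1.1.11"),
]

if __name__ == "__main__":
    verdict, links = chain_verdict(SAMPLE_CHAIN)
    for depth, name in enumerate(links):
        print(f"  link {depth}: {name}")
    print("chain verdict:", verdict)   # "broken": the MD5 intermediate, not the SHA-1 leaf, decides
```

Running the sample chain reports the leaf as SHA-1 and the chain as broken, which is the whole point: a client that only inspects the end-entity certificate's algorithm would be reassured for no reason. Swapping the MD5 intermediate for a SHA-256 one leaves the chain merely "weak" (SHA-1 leaf), and an MD5 self-signature on the root alone is ignored because nothing in the path relies on it.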
It's in their slides. As of 2008, there were some big names still using MD5:
RapidSSL
FreeSSL
TrustCenter
RSA Data Security (!)
Thawte (!)
verisign.co.jp
So, wait, the NSA just released math?
His responses to my questions are not encouraging at all. Let's start at the top:
There is one specific area that the government can establish some credibility with the private sector: become the gold standard for network security.
I've seen government security from the inside...since there are no actual consequences for failure, there is very little incentive to succeed. You will never manage this.
Next, and the most discouraging:
the Commission did not recommend that the government issue strong credentials to individuals.
Yes, yes you did. Quoting from page 14, point 17 of the PDF at http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf:
The United States should allow consumers to use strong government-issued credentials (or commercially issued credentials based on them) for online activities, consistent with protecting privacy and civil liberties.
If that isn't what you meant, you shouldn't have written it that way.
Credibility will not come to DHS' cyber-security efforts from one election, and neither will trust. Bureaucracies don't change that fast, and trust isn't granted that quickly.
My point is not that change wasn't coming...my point was that there was a step in their process that they missed. Call it step zero, if you like. That step is: establish competence and win the trust of the industry.