Slashdot Mirror


User: sumner

sumner's activity in the archive.

Stories: 0
Comments: 31

Comments · 31

  1. Re:Is this a trend? on MySQL Released Under The GPL · · Score: 1

    Well, now is a good time to start the debate, which do you like better and why?

    I prefer Postgres, since it supports full transactions, nested selects, and a number of other SQL features that I can't live without--I've heard that mysql has much better transaction support than it used to, though. mysql also had a tendency to mangle my text fields (trailing whitespace would vanish mysteriously from variable-char fields), I don't know if that's fixed yet or not.

    Postgres is abysmally slow at batch inserts (at least 6.x, I haven't had a chance to test 7.x). And it's not super fast in general, but once you are talking about databases of any significant size then it's nowhere near as slow as people say--except at bulk inserts. Slooooooow.

    Sumner

  2. Good book on Windows Development For Unix Coders? · · Score: 3

    Addison-Wesley Win32 System Programming. It tells you how to do all the typical systems stuff, up to mmap and advanced IPC. There's a chart in the back that has mappings from Unix syscalls to their Windows equivalents and vice-versa. Their Win32 Socket Programming book is also rather good.

    Sumner

  3. Re:Prior-Art-a-Palooza! on BT To Enforce Patent On Hyperlinking? · · Score: 1

    The technology he developed is called "hypertext", and has been implemented in everything from the old Xerox Star to Apple's Hypercard. Hypercard has been around since '87, and does pretty much what the BT patent describes.

    Prior art, bay-bee!

    The BT patent filing was in 1980 (15 August), more than 7 years before your "prior art". There's plenty of prior art that ought to make this patent meaningless (e.g. Xanadu), but this isn't a good example of it.

    G. Sumner Hayes

  4. Re:IANAL implied but... on BT To Enforce Patent On Hyperlinking? · · Score: 1

    Don't patents expire after a certain amount of time? I know if they go after a company like AOL, they will be caught up in court until the patent expires. And if it expires from when it was first filed, it's already been 20 years

    In the US, it's 17 years from the date it's awarded. This one was filed for in 1980, but not awarded until 1989. So they've got until 2006.

    G. Sumner Hayes

  5. Re:US Patents doesn't matter in EU on Europe Sets Encryption free, USA Protests · · Score: 1

    Note that the EU doesn't recognize software patents

    Software patents aren't recognized, but the apparatus "A computer running the following software..." can be patented (which amounts to basically the same thing as a software patent).

    In particular, IDEA and other encryption algorithms are patented in most of Europe.

    Sumner

  6. Re:Efficiency vs. Productivity on What Are Good Web Coding Practices? · · Score: 1

    One clear example here is Java vs. C++. Sure, Java is much slower than C++; but developing something in Java takes orders of magnitude less time than in C++.

    You know, people say this all the time but I've never seen any evidence to support it. The only scientific study I've ever seen on the subject concluded that development in Java is no faster than development in C/C++ (which is what I've found to be the case in practice as well); it's quite a nice study of a number of issues. 40 programmers were given a problem, some implemented the solution in C, some in C++, and some in Java. Average run times for the different languages (with statistical spreads and best/worst times) were calculated, along with memory use metrics and other neat stuff.

    Postscript version at: http://wwwipd.ira.uka.de/~prechelt/Biblio/jccpp_cacm1999.ps.gz

    PDF version (tougher to read, because it's ps2pdf output) at: http://wwwipd.ira.uka.de/~prechelt/Biblio/jccpp_cacm1999.pdf

    Sumner

  7. Re:Two questions on Talk Things Over With Richard M. Stallman · · Score: 1

    It is a very valid question to ask why RMS spends a seemingly inordinate amount of time and bile in his insistence that we use his terminology.

    Language shapes thought. It's the Sapir-Whorf hypothesis, widely open to debate but worth considering.

    Sumner

  8. Re:Replication on Is there An Enterprise-Level Open Source RDBMS? · · Score: 1

    The basic problem is that you don't just read from a database, you read and write to the database. Database replication is a very non-trivial thing to do. You have to deal with the possibility of data being inserted, updated or removed from any of the servers that are involved. This requires that you have things like global locks, timestamps on everything, primary keys that are generated in a way unique to each replicated version of the database, etc.

    Idea: How about making a shim SQL database that acts as a database proxy (of sorts), sort of a RAID for databases. It's a non-trivial project, but not conceptually hard. You need a SQL 92 parser that recognizes commands that write (UPDATE, INSERT, DELETE, DROP, CREATE, etc). Then you have the shim database pass all commands off to n back-end databases; when an INSERT (for instance) comes in, have all the back-ends execute it before returning the results back to the calling process. Read-only requests could be load-balanced (increasing performance) or just master-slaved to the backends. If a backend dies (use a heartbeat or similar, along with a connection timeout), take that server out of rotation and keep going (so long as at least one server is still in rotation).

    You're still left with the question of how to recover after a failure; online replication once things have gotten out of sync is tough. You could have the front-end block all write requests while it rebuilds the (newly repaired) additional back-end, but still let reads through to the other databases.

    If you use Postgres on the back-end, you might be able to use its transaction views (whatever they call them) to get a persistent state, sync to that state, and keep a journal of transactions that take place after that; do the backup to the persistent state, then have the front-end server roll the journal until you're caught up to the current state. I don't know enough about the pgsql transaction views to know how feasible this is. Worst case, make pgsql read-only for long enough to snapshot it and then keep a journal.

    It's a far cry from real replication, but it buys you a hell of a lot for a coding cost that's far lower than trying to do all the write-locking and so forth that real replication needs. You could even load-balance between Postgresql and other databases; maybe have a postgres backend and several mysql backends, using postgres's transactions for disaster recovery and otherwise using mysql for read speed.

    Just some stupid thoughts,

    Sumner

  9. Re:I wonder if they are going to open source it. on Cobalt buys Chilli!soft · · Score: 1

    Sadly, asp2php fails miserably for complicated asp. Even when it works, the php it generates isn't highly maintainable. :(

  10. Re:two issues on IBM 75G Hard Drive Ready · · Score: 1

    The real problem (as I see it) is having the sound card running on the same power supply as the rest of the system - not always the sound card introducing noise itself.

    Use a sound card with digital outputs and you don't have to worry about all the emfs inside your case. hoontech soundtrack makes good ones. See the high-quality linux audio HOWTO at http://audio.netpedia.net/aqht.html for more info.

    Sumner

  11. Re:Irking on CMU Sphinx Open Sourced · · Score: 1

    A jury is only there to decide whether or not a law was broken. The distinction is that a jury (in theory, if not wholly in practice) cannot allow their emotions, as to how they feel about the "justice" of the law, get in the way of their decisions on whether or not someone is guilty of breaking it.

    Thank you Alexander Hamilton. Thomas Jefferson would like to speak with you.

    Seriously, regardless of how you personally feel about it, jury nullification exists. There are constant arguments about its constitutional and legal justifications--and there have been since before the Constitution was finalized--but to say out of hand that it doesn't exist is simply naive. Many well-respected legal scholars agree with you, but many others come down firmly on the opposite side of the issue.

    Sumner

  12. Re:Listen Up on Interview: Larry Augustin Finally Answers · · Score: 1

    How many people remember how many computer makers there were in the early 80's?

    I remember a few... how about Apple, Atari, Burroughs, Coleco, Columbia Data Systems, Corona Computers, Delta Data Systems, Digital Equipment, Eagle, Franklin, GRiD Systems, Hewlett Packard, Hyperion, IBM, ITT, Kaypro, Mohawk, Data Sciences, NCR, NEC, Olivetti, Osborne, Sanyo, Seequa, Sunrise Systems, Tandy, Televideo Systems, Texas Instruments, Victor Technologies, Xerox and Zenith.


    Wang.

    Sumner

  13. Re:Sounds simple to me. on Questions about Database Implementation. · · Score: 1

    For the backend, I'd say go with one of the open source databases, (eg MySql, Postgres, etc)

    Minor nit: MySql isn't open source. It's really nice inside a limited problem domain, but it lacks nested selects and other features that you may need. It's pretty speedy, though. Postgres is pretty good for servers that don't get hit too much, but it's too slow for heavily used systems.

    Sumner

  14. Re:You people just don't get it. on Injunction Against 2600 for DeCSS · · Score: 3

    Like it or not the DeCSS software publishes a trade secret, the CSS encryption algorithm. This is illegal. Plain and simple.

    IANAL, but your summary here is just plain wrong. Trade secrets stand in contrast to patents. It is illegal to use patented information without a license, but the patented method must be published for all to see. Trade secrets don't have to be published, but if someone figures them out then they are free to use the information. There are exceptions (NDA violations, illegal methods of discovery, etc), but in general if you figure out a trade secret then it's (by definition) not a trade secret anymore and there is not legal protection on that information.

    Sumner

  15. Re:Somebody dies next month on The Simpsons Turn 10 · · Score: 1

    deaths seem to be the only form of continuity in The Simpsons

    When Lisa turns vegetarian, she stays vegetarian for ever after. There are tons of back-references (Bart: "I wish I had an elephant". Lisa: "You did. You named him Stampy. You loved him".), but that's different from character continuity (Mr Burns' gift of a pseudo-Mayan head statue that shows up in the basement).

    I think Lisa remaining vegetarian was a stipulation of Paul McCartney's guest appearance.

    Sumner

  16. Re:Why motorola? on Metrowerks Putting Linux on Hold · · Score: 1

    I don't get why motorola would buy them out.

    Because their compilers suck rocks. The IDE is okay (for an IDE), but the compilers are terrible to the point of making PowerPC performance look a lot worse than it is. That hurts Motorola's sales, so naturally they want to improve the compiler.

    Sumner

  17. Re:Hungarian notation on How To Write Unmaintainable Code · · Score: 1

    A maintainer DOES NOT want to flip up to the top of the header files each and every time he runs across a variable to find out what it is.

    The language has type information, don't be redundant by encoding it into the variable names. Any decent editor will tell you the types of the variables without having to "flip up to the top of the header files" and without mangling variable names.

    Sumner

  18. Re:Linux and Copyright-Free ENGLISH DICTIONARY ? on Giving Project Gutenberg Recognition · · Score: 1

    Is there a copyright-free English dictionary that could be distributed with open-source software like word processors for Linux?

    Yes. Project Gutenberg has an old Webster's dictionary.

    Sumner

  19. How about FreeS/WAN and Cisco PICS on Linux FreeS/WAN and Checkpoint Firewall1 · · Score: 1

    How about getting Free S/WAN working with the new PICS firewall/ipsec machines?

  20. Re:Patent Stupidity on Yahoo Patents Dynamic Page Generator · · Score: 1

    LPF is at http://lpf.ai.mit.edu (no www).

    Sumner

  21. Re:Fine, just expire the password after bad tries. on Username/Password - Is It Still Secure? · · Score: 1

    However, if you're REALLY paranoid, just disable all access to the account for 24 hours if they enter a bad password 3 times in 24 hours. The time to brute force such a system quickly goes into years when that happens.

    Be careful. If you send the password near the beginning of the transmission without much random session salt then the attacker will be able to execute an offline brute-force search. Locking out after a certain number of bad passwords only prevents online attacks.

    Sumner

  22. Offline vs. Online attacks on Username/Password - Is It Still Secure? · · Score: 2

    Well, a few things:

    1. You need to draw a distinction between offline and online attacks. Offline attacks allow the attacker to try a password without the system knowing it; this allows a brute-force attack to be carried out without detection. Any scheme where the attacker has access to the encrypted password allows offline attacks. Online attacks require interaction with the authentication server; consequently, an attacker usually only gets a few tries before being detected. ATM machines (as long as their connections to central offices are secure) are an example of a system where attacks are online; a 4-digit pin number would be trivial to brute-force (it's basically a 10-bit secret key), but because you can't mount offline attacks against it it's still fairly secure. There are password protocols that aren't vulnerable to offline attacks; SRP (The Secure Remote Password protocol), available at http://srp.stanford.edu, is an excellent example.

    2. You can make offline hacking attempts arbitrarily difficult once you have out-of-band information--in SSL, you have a public key pair and hence have done a key exchange before the password needs to be entered. By sending some randomly generated per-session salt over the line you can make it much more difficult to execute an offline attack. Consult a security expert for details.

    3. There's a fair amount of evidence to suggest that proactive password checkers (e.g. running "crack" against the password when it is set and rejecting "weak" passwords) don't buy you that much. It gets you something, but not as much as you'd expect.

    Sumner
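The lockout rule quoted in comment 21 and the online-attack case in comment 22, as an added example that is not part of either post: a sliding-window lockout counter and a simulation of how long in-order online guessing of a 4-digit PIN takes against it. The class and function names, the user name, the one-guess-per-minute pacing and the choice to clear the counter on a successful login are assumptions made for the illustration.

```python
from collections import defaultdict, deque

DAY = 24 * 3600  # seconds


class LockoutPolicy:
    """Lock an account for lock_secs after max_bad failures within window_secs."""

    def __init__(self, max_bad=3, window_secs=DAY, lock_secs=DAY):
        self.max_bad, self.window_secs, self.lock_secs = max_bad, window_secs, lock_secs
        self._bad = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}         # user -> time at which the lock lifts

    def locked_until(self, user):
        return self._locked_until.get(user, 0)

    def attempt(self, user, password_ok, now):
        """Record one online login attempt; return 'ok', 'bad' or 'locked'."""
        if now < self.locked_until(user):
            return "locked"             # refused without checking the password
        if password_ok:
            self._bad.pop(user, None)   # assumption: a success clears the count
            return "ok"
        recent = self._bad[user]
        recent.append(now)
        while recent and recent[0] <= now - self.window_secs:
            recent.popleft()            # forget failures older than the window
        if len(recent) >= self.max_bad:
            self._locked_until[user] = now + self.lock_secs
            recent.clear()
        return "bad"


def days_to_exhaust(policy, keyspace, secret, step_secs=60, user="alice"):
    """Simulate in-order online guessing that waits out every lock.
    Returns (days elapsed, passwords the server actually checked)."""
    now = 0
    for guess in range(keyspace):
        result = policy.attempt(user, guess == secret, now)
        if result == "locked":
            now = policy.locked_until(user)   # wait for the lock to lift
            result = policy.attempt(user, guess == secret, now)
        if result == "ok":
            return now / DAY, guess + 1
        now += step_secs
    return None


if __name__ == "__main__":
    # Constructed worst case: the PIN is the last value tried.
    days, checked = days_to_exhaust(LockoutPolicy(), 10_000, secret=9999)
    print(f"{checked} guesses checked over {days:.0f} days ({days / 365:.1f} years)")
```

The counter only sees calls to `attempt()`; a guess tested against a verifier captured off the wire never reaches it, which is the limitation both comments point out.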

  23. Re:Hmmmm on Red Hat Buying Cygnus? · · Score: 1

    Re: lcc

    It's not free in the free speech sense, but is in the free beer sense. In more modern parlance, it's gratis but not open-source.

    It compiles quickly, but the generated code isn't near modern gcc versions in terms of performance.

    Sumner

  24. Par for the course on CMU Cuts off Net Access for 71 Students Over MP3s · · Score: 2

    CMU has historically been very skittish about copyright violations. When I was in school there, they dropped a number of Usenet groups because they alleged that the majority of the posts to them contained illegally copied material. They've also been more than willing to pull the accounts of students whose machines are used to attack other machines.

    None of that should really be surprising, though; it is, in point of fact, illegal to copy mp3s of copyrighted material and since CMU long ago abandoned any pretense of being a common carrier they would be opening themselves up for legal troubles if they didn't cut off access to copyrighted material once it were found.

    The only troubling thing here--and it is quite troubling--is that they conducted inspections "at the order of" the RIAA. That could mean either that the RIAA said "we've seen evidence that machines X, Y, and Z have illegal mp3s on them" and CMU looked and verified that, or it could mean the RIAA said "lots of CMU students have mp3s, why don't you look and see which ones". The first is IMO acceptable and in accordance with how law enforcement would act to comply with search and seizure restrictions. It's probably required to comply with the law, though IANAL. The second is rather heavy-handed, especially for an institute of higher learning.

    I am not a lawyer. This is not legal advice.

  25. Re:The key's only 40 bits anyway. on Why DVD Encryption Crack was a Cinch · · Score: 1

    It's not like that would have taken very long at all to crack. Hell, it only took a few months to crack 56-bit DES, 40 bits would be a cinch on today's hardware. Let it run overnight and you've got yourself a fistful of cracked, valid CSS keys.

    In general it isn't nearly that easy; in particular, you need some known plaintext in the encrypted file to be able to check and see if you've succeeded in decrypting it.

    e.g. I encrypt "Secret Message" with my key. You know the message starts with "Secret". You can keep decrypting with different keys until you find one that starts with "Secret" then read the second half. (In practice, you may need a bit more plaintext than that to ensure a unique match.) If I encrypt a random number--e.g. an encryption key--you can decrypt it all you want with different keys, but you won't know when you've succeeded.

    The end result for DVD would probably have been a two-stage search; first try decrypting the DVD with random keys until you get the movie (which could take a long time, unless you can automate the "this is a valid movie" step), then brute force the encrypted key until you match the key that you have working.

    Sumner
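The known-plaintext point in comment 25, as an added example that is not part of the post: a toy 16-bit stream cipher (SHA-256 in counter mode, an assumption chosen only so the full sweep is instant; it is not CSS) showing how many candidate keys survive the "does it start with what I expect" check for different amounts of known plaintext. The key, the function names and the 16-byte payload are constructed for the illustration.

```python
import hashlib

KEY_BITS = 16  # toy key space so a full sweep finishes in well under a second


def keystream(key, n):
    """n bytes derived from the key (SHA-256 in counter mode; toy construction)."""
    out, counter = b"", 0
    while len(out) < n:
        block = key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def crypt(key, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def surviving_keys(ciphertext, known_prefix):
    """Keys whose trial decryption starts with known_prefix.
    An empty prefix models a payload about which nothing is known."""
    head = ciphertext[:len(known_prefix)]
    return [k for k in range(2 ** KEY_BITS) if crypt(k, head) == known_prefix]


TRUE_KEY = 0xBEEF  # constructed
CT_MESSAGE = crypt(TRUE_KEY, b"Secret Message")
# Constructed stand-in for a random 16-byte key encrypted under TRUE_KEY.
CT_RANDOM = crypt(TRUE_KEY, bytes.fromhex("5f1c9a03e47b22d6810ac3f95e7764b0"))

if __name__ == "__main__":
    print("known 'Secret':", len(surviving_keys(CT_MESSAGE, b"Secret")), "key left")
    print("known 'S' only:", len(surviving_keys(CT_MESSAGE, b"S")), "keys left")
    print("random payload:", len(surviving_keys(CT_RANDOM, b"")), "keys left")
```

One known byte leaves roughly one key in 256 standing, which is the "bit more plaintext" caveat in the comment; the random payload offers no check at all, so every key remains a candidate.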