It's my legal right to bypass any and all restrictions on an eBook I've bought myself. It's his legal right to tell other people how to bypass any and all of these restrictions.
Right on! Just like it's MY legal right to grow or purchase whatever mind-altering drugs I wan.... Oh wait. No it's not.
But it IS my legal right to tell you and anyone I like how to grow or purchase mind-altering drugs. Unfortunately it seems computer programmers are no longer afforded those rights in their industry.
This story, and the system itself, is very misleading.
Yes, the mathematics of the encryption scheme is provably secure. If you take a string of provably random numbers and combine it with the message text, the cipher text is totally unreadable without knowing the exact string of random numbers. This is trivially provable.
But the whole scheme is made weak by how you share the exact string of random numbers with the recipient. (I'm going to assume that the numbers are truely random).
Basically in this scheme it boils down having a continuous output of random numbers that the world can read - and a way of telling the recipient when to start reading the numbers (and possibly a steping factor - eg. read only every 3rd number).
If anyone can break the system you use for communicating that information - or can work it out for themselves - then the message will be retrieved. Note that this is NOT a break of the encryption since the message was retrieved by someone who knew the entire key (the random string). This is why he can claim the provability of the mathematics, but it doesn't mean that the message couldn't be read by anyone else.
In the report there are NO claims of the security of the initial "START" communication - and the only claim on the security of the random stream is that there would be too much information to store in order to retrieve the message - something which is NOT provable (especially when you consider that you only need a subset of the stream from between the START and the end of the message).
The report actually gets this point entirely wrong when they claim "if the eavesdropper, for example, had a secret way to decode the message saying "start" and it took a minute to do the calculation needed to decode it, it would be too late by the time the eavesdropper got going.". This is untrue. If I have a technique that takes one minute to break the "start" message - then I only need to buffer 1 minute of the random data stream. This is trivial. In reality, you only need to buffer numbers from either:
1) When the "start" message is sent until you have decrypted the "start" message (1 minute in the example).
2) When the "start" message is sent until the end of the message transmission.
The lesser of the two is the amount of data that needs to be buffered.
In summary, the scheme is not weak in the mathematics, but is made much weaker by the way of obtaining the random numbers. And the claim that it is impossible to store that much data is unprovable and possibly false. Hence why the scheme and the report is soo misleading.
No offense to the linux-ppc guys - they're doing a great job and I love helping them out.
But for my powerbook (which is my only real computer and goes with me everywhere) I'll be switching to OS X.
Why? A few reasons...
It is unix based - thats essential for me. I can install ssh, use vi, etc, etc.
It allows me to use most of the apps I already know and love on linux.
It has a good front end that will run all those commercial apps I've been missing in linux (the whole reason why I have linuxppc & OS9 on my laptop).
Hardware compatability. Linux-ppc is doing an awesome job, but there is still alot of devices that just wont work or features of the machine that arn't there (like sleep support, firewire, irda, etc).
Ease of use. OS X is looking like a great interface - the sort of thing I can give my girlfriend and have her happy without asking me a billion questions.
Yes, I will miss linux. But I still wish the project well and look forward to when I can switch back. But when it comes to the uses above, it is still very much in development, and I don't have the time needed to spend working on it (tweaking my installation and helping code) at this time in my life.
Actually, there is a very good reason to have a distribution specific package extension. It is quite common that a package from one distribution (say RH) when installed on another (say Debian) will cause the target system to break horribly. Thats why you should use the packages specific to your distribution. But if both distro's use the same extension, the likelyhood of confusing yourself and installing the wrong one is very high. Hence we differentiate the packages with a distribution specific extension. As for reusing the package manager... It is open source (GPL), so if another distro wants to use it, they can search through the code and replace all references to.deb with.yad (yet-another-distribution). Masklin
Slashdot Mirror
Right on! Just like it's MY legal right to grow or purchase whatever mind-altering drugs I wan.... Oh wait. No it's not. But it IS my legal right to tell you and anyone I like how to grow or purchase mind-altering drugs. Unfortunately it seems computer programmers are no longer afforded those rights in their industry.
Perhaps someone could set up a http server that will return the md5sum for any given offset into the binary, eg:
t some offset >
http://www.aolmd5sum.net/getmd5sum.pl?offset=&l
That the binary is only on that server and is never distributed.
Thats just one idea...
I wonder why AOL is so concerned about the client - I thought they would be encouraging use of their system instead of M$'s IM or any other IM.
This story, and the system itself, is very misleading. Yes, the mathematics of the encryption scheme is provably secure. If you take a string of provably random numbers and combine it with the message text, the cipher text is totally unreadable without knowing the exact string of random numbers. This is trivially provable. But the whole scheme is made weak by how you share the exact string of random numbers with the recipient. (I'm going to assume that the numbers are truely random). Basically in this scheme it boils down having a continuous output of random numbers that the world can read - and a way of telling the recipient when to start reading the numbers (and possibly a steping factor - eg. read only every 3rd number). If anyone can break the system you use for communicating that information - or can work it out for themselves - then the message will be retrieved. Note that this is NOT a break of the encryption since the message was retrieved by someone who knew the entire key (the random string). This is why he can claim the provability of the mathematics, but it doesn't mean that the message couldn't be read by anyone else. In the report there are NO claims of the security of the initial "START" communication - and the only claim on the security of the random stream is that there would be too much information to store in order to retrieve the message - something which is NOT provable (especially when you consider that you only need a subset of the stream from between the START and the end of the message). The report actually gets this point entirely wrong when they claim "if the eavesdropper, for example, had a secret way to decode the message saying "start" and it took a minute to do the calculation needed to decode it, it would be too late by the time the eavesdropper got going.". This is untrue. If I have a technique that takes one minute to break the "start" message - then I only need to buffer 1 minute of the random data stream. This is trivial. In reality, you only need to buffer numbers from either: 1) When the "start" message is sent until you have decrypted the "start" message (1 minute in the example). 2) When the "start" message is sent until the end of the message transmission. The lesser of the two is the amount of data that needs to be buffered. In summary, the scheme is not weak in the mathematics, but is made much weaker by the way of obtaining the random numbers. And the claim that it is impossible to store that much data is unprovable and possibly false. Hence why the scheme and the report is soo misleading.
- It is unix based - thats essential for me. I can install ssh, use vi, etc, etc.
- It allows me to use most of the apps I already know and love on linux.
- It has a good front end that will run all those commercial apps I've been missing in linux (the whole reason why I have linuxppc & OS9 on my laptop).
- Hardware compatability. Linux-ppc is doing an awesome job, but there is still alot of devices that just wont work or features of the machine that arn't there (like sleep support, firewire, irda, etc).
- Ease of use. OS X is looking like a great interface - the sort of thing I can give my girlfriend and have her happy without asking me a billion questions.
Yes, I will miss linux. But I still wish the project well and look forward to when I can switch back. But when it comes to the uses above, it is still very much in development, and I don't have the time needed to spend working on it (tweaking my installation and helping code) at this time in my life.Actually, there is a very good reason to have a distribution specific package extension. It is quite common that a package from one distribution (say RH) when installed on another (say Debian) will cause the target system to break horribly. Thats why you should use the packages specific to your distribution. But if both distro's use the same extension, the likelyhood of confusing yourself and installing the wrong one is very high. Hence we differentiate the packages with a distribution specific extension. As for reusing the package manager... It is open source (GPL), so if another distro wants to use it, they can search through the code and replace all references to .deb with .yad (yet-another-distribution). Masklin