Re: Lots of random numbers
Don Davis [EMAIL PROTECTED] writes:

perhaps surprisingly, i disagree with the other respondents. as long as you encrypt or MAC the incoming packets ( their interarrival times), with a closely-guarded secret key, before you stuff the bits into your entropy pool, then you should do fine.

Eh? You should *never* need to encrypt information before shoving it in the pool. If you've got a secret you could use for such encryption, shove it in the pool and then forget about it - it will do precisely as much good.

I'm inclined to agree with Don here, from principles of conservative cryptographic engineering. By using a keyed one-way function before adding data to the pool, you add an additional layer of defense against an attacker guessing the pool contents.

[The /dev/random designs I've played with typically have a "pre" pool for efficient accumulation of samples at interrupt level or similar inconvenient times, and a "real" pool, with the encryption/one way hash occurring when the samples are added to the real pool.]

- Bill
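An added illustration of the two-stage design described in the message above (not code from the thread or from any /dev/random implementation): samples accumulate in a cheap "pre" pool and pass through a keyed one-way function only when they are folded into the "real" pool. The class name, the choice of HMAC-SHA256, the batch size, the key bytes and the sample timings are all assumptions made for the example.

```python
import hashlib
import hmac
import struct


class TwoStagePool:
    """Hypothetical two-stage pool: raw pre-pool, keyed mixing into the real pool."""

    def __init__(self, mac_key: bytes, batch: int = 4):
        self._key = mac_key          # the "closely-guarded secret key"
        self._batch = batch          # samples buffered before a mix is due (assumed)
        self._pre = []               # "pre" pool: raw samples, no crypto applied
        self._pool = bytes(32)       # "real" pool state

    def add_sample(self, interarrival_ns: int) -> bool:
        """Interrupt-time path: append only. Returns True when a mix is due."""
        self._pre.append(interarrival_ns & 0xFFFFFFFFFFFFFFFF)
        return len(self._pre) >= self._batch

    def mix(self) -> None:
        """Deferred path: keyed one-way function over the batch, folded into the pool."""
        if not self._pre:
            return
        raw = struct.pack(f"<{len(self._pre)}Q", *self._pre)
        self._pre.clear()
        tag = hmac.new(self._key, raw, hashlib.sha256).digest()
        # Chain the old state with the tag so earlier batches still shape the pool.
        self._pool = hashlib.sha256(self._pool + tag).digest()

    def state(self) -> bytes:
        return self._pool


def feed(key: bytes, samples) -> bytes:
    """Run a sample stream through a fresh pool and return the final pool state."""
    pool = TwoStagePool(key)
    for s in samples:
        if pool.add_sample(s):
            pool.mix()
    pool.mix()                       # flush a partial final batch
    return pool.state()


# Constructed packet interarrival times (ns); assume an observer saw every one.
OBSERVED = [1_204_377, 998_120, 1_530_002, 1_001_455, 2_750_913, 1_100_008]

if __name__ == "__main__":
    real = feed(b"\x13" * 32, OBSERVED)     # constructed key standing in for the secret
    replay = feed(b"\x00" * 32, OBSERVED)   # same samples replayed without that key
    print("replay reproduces pool state:", real == replay)
```
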
Security algorithms for 3rd generation mobile phone networks
Someone told me that the cipher and integrity protection algorithms proposed for use in the next generation mobile phone networks are now publicly available on the etsi website: http://www.etsi.org/dvbandca/3GPP-ALGORITHMS/

Don't shoot the messenger, I don't have anything to do with this stuff. It's not immediately clear why they're not using more established algorithms..

- Bill
Re: having source code for your CPU chip -- NOT
There are no Turing machines. Real computers are finite, and real source codes are finite. I'm sure that if you set a limit on the length of the source code which is recognized by the supposed trap, a sufficiently large FSM can decide in a finite time whether there's a trap.

Mere finiteness doesn't help much in practice if you're up against algorithms which take time exponential in some parameter (like the size of the 'trap' region) which is likely to get even moderately sized..

- Bill
Re: House committee ditches SAFE for law enforcement version
[CC:'s to list I don't subscribe to deleted.]

One possible escape clause here is a constitutional provision regarding immunity of legislators for acts in congress:

[from article 1, section 6] ".. for any Speech or Debate in either House, they shall not be questioned in any other place."

.. so, as I read it, the only entity capable of enforcing the gag order (i.e., preventing a legislator from repeating what he heard in the closed briefing in a subsequent open legislative session) is the congress itself, and that, likely, only after the fact.

But then again, I'm not a lawyer, and I'm also not sure how this provision has been interpreted in the past..

- Bill
Re: How to donate a clue to a lawyer?
If readability of code doesn't matter, why have I seen so much angst within communities of developers over indentation styles, identifier spelling, and line breaks? None of them make a bit of difference in the generated object code..

I think Sturgeon's Law may apply here: "90% of everything is crap"... The fact that there's a lot of bad, "write-only" code out there (and I'm certainly responsible for some of it..) does not preclude the existence of quite readable code. Maybe I've just been lucky, but I've had the good fortune to work in environments where my coworkers and mentors cared about the readability of code (and got on my case when I didn't live up to their standards).

Programming languages are a mixture of ambiguity and precision. They specify certain things very precisely, and leave other details up to the implementation of the language. Higher level languages are, in general, higher in ambiguity, and lower in precision. Sometimes this is good, sometimes this is bad. Memory management comes to mind as a prime example. The only purpose of calling free() is to release memory. It serves no expository purpose. This is clearly shown by the fact that garbage collected languages do without it.

On the contrary, "free()" makes an expository statement that "this object should no longer be used by the program". Often, that isn't necessary, but (for instance) if you are concerned about the exact memory usage of a program, the presence of explicit free() calls makes it easier to understand, and measure, what's going on.. Don Knuth makes a similar argument in defense of his continued use of assembly language for a hypothetical computer for the exposition of algorithms in his continued revisions to The Art of Computer Programming. See the "Why have a machine language" section of http://www-cs-staff.Stanford.EDU/~knuth/mmix.html ..

The very fact that you have to be taught this should make clear that the actual purpose of code is instructing machines, not people. People hardly ever forget that the purpose of writing text is communication.

I'm not sure I follow the logic here -- all it makes clear to me is that the teachers/mentors/etc., care about the quality of the work.. The amateur singers in the theatrical productions I've been involved with regularly needed to be reminded to improve their diction. I would take it that you would argue that the words they sing don't actually matter...

- Bill
Re: 1,000 Free Crypto Sites
A posting by Cindy Cohn, one of Bernstein's legal team, to cyberia-l, archived at http://www.ljx.com/mailinglists/cyberia-l/20266.html suggests that it would be premature to create such sites. She writes:

First, the decision is not final for at least 52 days (45 for the govt to seek rehearing/7 more for mandate to issue), even if the government doesn't seek cert or rehearing. It could probably be cited as a slip opinion in the meantime, but is not binding precedent yet.

Second, once it is final, it will only be binding precedent within the 9th Circuit.

Third, the status pending further review will probably be determined by a motion for stay within the rehearing period. If such a stay is granted, as it was below [in the lower court], folks will probably have to wait until it's all over before they can publish without fear of prosecution. We will oppose any request for a stay, of course.

Given that I have this aversion to prosecution, I'm personally prepared to wait on this..

- Bill
Re: FW: FW: Bernstein Opinion Up
[CC's to lists I'm not on trimmed; feel free to forward this as long as you CC: me on forwards..]

Peter Junger has a list specifically for discussing the source-code-as-speech issue; for more info on the list, see http://samsara.law.cwru.edu/~sftspch/

The fact that source code is an effective means of communication between people was really driven home to me by my current job, which involves work on a source-code product as well as support of customers using that product. Many of our customers are not native speakers of English, and I have on numerous occasions received a question about one of the features of our product, attempted to describe how to use it in English prose, received a response essentially restating their question; I then restated my response in C code fragments and the customer went away happy.

Another point.. Lance Rose says, about programmers exchanging source code: "this is like potters exchanging pottery"

I'm not a potter, but this analogy seems flawed. However, in addition to being a software engineer, I'm also an amateur musician. For me, at least, a closer analogy is to composers exchanging sheet music with each other. Just as source code is a set of instructions for an abstract machine, music notation is a set of instructions for a performer. To reinforce the analogy.. compilers can take certain liberties when translating source code just as performers can take liberties with the ambiguities found in music notation.. Music notation can be just as mechanical as source code in terms of rigidly specifying down exactly what notes get played when and for how long.

It's also worth noting that nobody yet has ruled that object code or other non-source forms of encoding of programs are *not* speech. I think a case for that can be made, but it's more difficult than the case for source code. Again, I think analogies with music could also help here; there are many different ways to digitally encode music.. postscript of sheet music, MIDI encoding at the "note" level, mp3 compression, .. just as there are many different ways to encode computer programs.

One might be able to argue that a program is also a form of speech from a programmer to the users of a program, just as music is a form of speech from a composer to a distant audience in a concert hall, indirected through the performers but I think that establishing that the program source code is a form of speech is an important step along that path.

- Bill
Re: Intel Symantec v. ZKS?
Symantec agreed that the program fit its definition of a type of malicious program known as a Trojan horse, so it included the software in its continually updated list of dangerous programs, which include viruses, that cause warnings to pop up on its customers' computers.

In fact, this is perfectly reasonable on the part of Symantec, and if I had a PIII I would absolutely want my virus detection software to catch code which enables the serial number. Any such action on the part of downloaded code is malicious and not in my interests, and anything the software can do to prevent it is good.

True, but a question well worth asking is "why doesn't antivirus software assume that ActiveX controls are malicious until proven otherwise"?

- Bill
Re: [John Gilmore gnu@toad.com] RSA claiming trademark on all uses of RSA to describe algorithm
I should think that the approach taken by generic pharmaceuticals, 'compare with Brand X,' would also suffice to get around RSA's trademark issue.

Or, "compatible with brand X" or "interoperates with brand X"..

- Bill