
Comment Re:Creative commons! (Score 2) 211

CC-BY-ND is what I used for my thesis. Given that the default copyright status of any work such as a thesis is "all rights reserved", I don't see how this can be a bad thing: it's just an explicit waiver of certain rights. Attribution and originality are considered important in a typical "western" academic environment (maybe elsewhere also -- I wouldn't know), and that's all the "BY" and "ND" parts assert. In fact, the "BY" and "ND" parts are intended to preserve the integrity of the work for the sake of clarity in future references: if there's an interesting remark in there that you want to quote, it's important that you have a proper reference for it (BY) and that you can be reasonably sure it's what the author actually said (ND). Just slapping a CC-BY-ND on it doesn't magically make it happen, of course, but it expresses the intended use well.

In response to the sibling reply "ND? you're on crack", it's already considered fair use to quote other works in context, regardless of copyright licenses, so it's not like the "ND" part can take that away. I just want to grant the additional right to redistribute the work, for any reason, so long as attribution is preserved. I want it to be publicly available.

Comment Re:Responsibility (Score 1) 374

I'm unaware of any company that feels responsible to their product.

The example that sprang to my mind was recruitment agents. As a contractor, I'm the kind of product that recruitment agents deal in. I don't know whether they feel responsible to me, as such, but I'm pretty sure they're aware of the fact that I will cease to be their product if I feel that they are not operating sufficiently in my interests. I expect that Google is somewhat aware of that dynamic, as relates to its own "product", although they aren't showing too much evidence of it with the G+ thing. Mind you, there's a lack of competition in social networking: G+ doesn't need to be the perfect social network -- it just needs to be sufficiently less obnoxious than Facebook, and Facebook has set the bar pretty low.

Comment Get better informed (Score 1) 330

OpenVZ and Linux-VServer support separate IP addresses as very basic functionality. How do you suppose hosting providers create virtual private servers based on them if they don't? OpenVZ also supports private iptables per container, so that you can set up per-container firewalls. The main problem with containers is the staggering amount of ignorance about the subject.

Comment Is there a compelling case for EPUB? (Score 1) 221

My version of e-publishing was, "write the thesis in LaTeX, output in PDF via pdfLaTeX, and upload the PDF to Google Books." Instant global accessibility for anyone that wants it (well, instant after the processing period) -- certainly a heck of a lot better than any exposure my University can offer, although I gave them the PDF too, and they supposedly make it available somewhere. It's not EPUB, sure, and I would convert it to other formats if I felt that the effort was worth it, but maximising availability was more important to me than making it convenient for small form-factor e-book readers. I considered EPUB, but I feel that PDF is good enough, particularly given the effort that went into making it look nice in its published dimensions.

If I were going to write another book, however, I'd finish my half-baked "writer's mark-up language" project first. It's a markup language designed to be writer-friendly, medium-agnostic, and readily translated into other forms like HTML and LaTeX for actual rendering. I don't have any immediate plans to write another book, though: writing the thesis has taken the edge off my enthusiasm for the subject for now.

Comment Sir, step away from the key generator (Score 4, Insightful) 223

It sounds like you have an oversimplified idea of "security". Security is not a scalar property that increases with the number of bits in a hash or key. Security depends on your threats, and it's possible to be reasonably secure without the addition of any cryptography at all (although this will be the exception rather than the rule). Let's discuss security threats for a moment.

One threat is that of the eavesdropper. This is the classic threat from online shopping: "OMG, some hacker will see my CC number when I submit it to the shop." This threat can be defeated with encryption -- sort of. You don't need any kind of "certificate" to effect this level of security: you just need a key-sharing technique which defeats a passive eavesdropper. SSL/TLS has this, and it's independent of the number of bits in any hash, since that's a different part of the security puzzle.

Now the bad news: your CC number will still be compromised, despite your super-strong encryption. If you're using a malware-prone OS, then any malware on your system makes an end-run around the encryption. If you're using a public terminal, you need to be sure that it doesn't have keyloggers installed on it, either hardware or software. And even if your client-end computer isn't compromised, your CC number will be stored in a PCI-compliant database, where "PCI-compliant" means "this kind of thing gets compromised several times a week, leaking X thousand CC numbers in one go" for large values of X.

Encryption of the channel, in this case, provides security against the least convenient and least likely attack. You should probably encrypt the channel anyhow, but you simply cannot achieve security, because most of the real threats lie outside your control.

Another threat is the impostor. This is where someone gets lured into going to BadGuy website which is dressed up as GoodGuy website. This is where public key certificates are supposed to help, and that's where you need to worry about how many bits there are in the hash. But if you're worried about the number of bits in the hash, or the kind of hash algorithm, then you're probably fussing over the smallest of problems. Certificates have a very limited lifespan, and so long as your current one isn't at the bottom of the pile, strength-wise, it's probably satisfactory for now.

The real problems that you face in this case are usually beyond your control. You can't create a self-signed certificate in general, because every browser on earth will throw up a warning (that 99% of users won't understand anyway) saying that the certificate cannot be verified. You don't want that: you want the browser to do the "I'm secure now" thing, whatever that happens to be, visually. So you'll need to pay up for a certificate. Unfortunately, your clients must then be smart enough to pick the difference between your website with its "I'm secure now" indicator, and an exact copy of that website which lacks this indicator at a different URL, or one that has an "I'm secure now" indicator which doesn't match your identity. How smart are your clients?

If you're a really important target (e.g. Gmail), you have much bigger worries. You ask, "Can I trust that my SSL provider hasn't been hacked (or at least snooped)?", but the problem is much worse than this: you need to trust that every issuer of certificates on Earth hasn't been compromised, which you can't, because some of them have. When any certificate issuer is compromised, it's possible that a fake certificate has been generated for your identity, and someone else can set up a server which validates itself as "secure" for your domain name. There are browser add-ons in some cases that will raise a red flag when a "valid but previously unseen" certificate is shown, but then you're asking for even greater security expertise on the part of your end users to diagnose the situation.

So, in summary, step away from the key-generation software, and go back to square one. Think about your threat model, and whether any of your crypto-magic will protect you better than the Maginot line protected France against invasion by the Germans. And if you're into Bruce Schneier, go pick up a copy of "Secrets and Lies". It will give you a much better education on the difference between cryptography and security than I've done here.
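The "valid but previously unseen" certificate check mentioned above, as an added Python example (not code from the original comment): a trust-on-first-use store of leaf-certificate fingerprints in the style of SSH's known_hosts, sitting on top of the browser's normal chain validation rather than replacing it. The host name `shop.example` and the DER byte strings are constructed stand-ins; `leaf_cert_from_server` uses only the standard `ssl` module but needs a network, and the rest runs offline.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Observation:
    host: str
    status: str        # "first-seen", "match" or "changed"
    fingerprint: str   # hex SHA-256 of the DER leaf certificate
    known: tuple       # fingerprints previously recorded for this host


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, the usual pin format."""
    return hashlib.sha256(cert_der).hexdigest()


def observe(store: dict, host: str, cert_der: bytes) -> Observation:
    """Trust-on-first-use check for a TLS leaf certificate.

    Chain validation is assumed to have passed already; this only asks
    whether the certificate is one this host has presented before.
    A "changed" result is a red flag, not proof of an impostor: a normal
    renewal looks exactly the same, which is the judgement call the post
    says gets pushed onto the end user.
    """
    fp = fingerprint(cert_der)
    seen = store.setdefault(host, [])
    if not seen:
        seen.append(fp)
        return Observation(host, "first-seen", fp, tuple(seen))
    if fp in seen:
        return Observation(host, "match", fp, tuple(seen))
    return Observation(host, "changed", fp, tuple(seen))


def accept_rotation(store: dict, host: str, fp: str) -> None:
    """Record a new fingerprint once a human has decided it is a renewal."""
    known = store.setdefault(host, [])
    if fp not in known:
        known.append(fp)


def leaf_cert_from_server(host: str, port: int = 443) -> bytes:
    """Fetch the DER leaf certificate from a live server (network needed).

    The default context keeps CA validation switched on; the TOFU check
    is layered on top of it, not used instead of it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates; not real certificates.
CERT_A = b"constructed-der-cert-for-shop.example-issued-by-CA-1"
CERT_B = b"constructed-der-cert-for-shop.example-issued-by-CA-2"


def demo() -> tuple:
    """Same cert twice, then a different valid-looking cert for the host."""
    store = {}
    first = observe(store, "shop.example", CERT_A)
    again = observe(store, "shop.example", CERT_A)
    other = observe(store, "shop.example", CERT_B)
    return first.status, again.status, other.status


if __name__ == "__main__":
    print(demo())
```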

Comment Re:just like /.? (Score 1) 233

I've long thought there should be a "-1, Disagree" option in the drop-down box that takes a mod point but has no effect.

It should have an effect, but not the effect of reducing the comment's score in the usual way. The most fragile aspect of the Slashdot moderation system is that you wind up with a scalar result generated by a small number of people with a small possible range. This means that controversial posts are subject to wide changes mostly depending on the last three people to moderate the comment. You can get +5 insightful on a comment and be modded back down to oblivion if you've made an unpopular point.

But I'm getting tangential here. In practical terms, maybe we could have a separate ranking system for agreement which doesn't require mod points, it just requires an account. The only effect of the thing would be to show a statistical summary of the results. That, at least, would provide an outlet for disagreement without starting a flamewar. The scale could be from -2 to +2, showing the degree of agreement, with the only effect being its contribution to the histogram.

Comment Web site *attribution* is wrong (Score 1) 1027

[Catholic] Church's historical position on the immobility of the Earth...

The summary should read, "the ancient Greek position on the immobility of the Earth..." They had this stuff figured out before Jesus was even born. We associate geocentricism with the Catholic church simply because they put so much effort into reconciling the text of the Bible with the science of the day (which was Geocentricism).

And yes, that's what the Roman Catholic Church is doing again with evolution. Who knows -- give it another thousand years, and maybe people will be scoffing at the old Catholic idea of evolution through mutation and natural selection.

Comment Re:The hidden factor: two distinct licenses (Score 1) 758

US Code Title 17, Chapter 1, 117a, which specifically says that the owner of a copy of a computer program is not infringing when they make additional copies as necessary to utilize and/or archive that program.

Well that's genuinely fascinating, but it raises as many questions as it answers. The linchpin of these cases seems to centre around whether software is owned or licensed, with the copyright holders asserting (as in this case) that the arrangement is the latter. This still suggests a dichotomy between the media (which is purchased outright) and the software on it (which is licensed, not owned).

So does lawful ownership of the media on which the software lawfully resides imply ownership of the software for the purposes of the statute you cite? If so, then what right is the EULA granting that one did not already have? Or is it accepted legal doctrine that when one purchases software at retail, one is not actually becoming the owner of the physical goods so purchased?

Or, to put it another way, if EULAs are not enforced by the mechanism I suggest, then how do they constitute a license rather than an unenforceable contract? Exactly what right, reserved by copyright, is the licensor granting so that the purchaser may lawfully use the software?

Comment Here's what's so bad about the ruling. (Score 1) 758

The terrible thing about the ruling is that it uses copyright law.

When CTA received the physical media for AutoCAD R14, did they become the owners of the physical media (as distinct from the software), or did the media remain the exclusive property of AutoCAD? If the media belonged to AutoCAD, then presumably this would have been prosecuted as a case of stolen property, so I'm assuming that CTA did in fact become the rightful owners of the media. The media was manufactured under license from AutoCAD, so the media is not an unlicensed copy. There is no question of unlicensed goods here so far.

I accept that CTA violated its contractual obligations when it sold the media, rather than destroying it. That should provide grounds for AutoCAD to sue CTA for consequent damages, which should include at least the value for which the goods were sold. However, it SHOULD NOT terminate the license on the physical media: the goods do not become infringing, unlicensed goods due to a contract violation. The only question that should be relevant to copyright in this case was whether the goods themselves were manufactured under license. Allowing a copyright holder to retroactively un-license the production of a copy is a recipe for abuse.

This is awfully close to the case which established the doctrine of first sale, if an earlier poster's summary of that case is accurate enough. I'll quote the relevant part here.

In that case, Bobbs-Merrill sold their copyrighted book to wholesalers including a "shrinkwrap" license saying retailers shall not sell the book below a certain price. Wholesalers sold the books to retailers. Retailers sold the books below the certain price to consumers. The Court held that the license was not binding upon the retailers because there was no privity of contract between the retailers and Bobbs-Merrill. This is true: there was only privity of contract between Bobbs-Merrill and the wholesalers. And as the license only purported to bind retailers, the wholesalers did not violate the terms of the license either.

That comment argued against the relevance of the first sale doctrine in this case, but let me construct a counter-argument. What Bobbs-Merrill should have done in their "shrink-wrap" license is require that the wholesaler also produce a "shrink-wrap" license to bind the retailers. If the wholesaler had failed to bind the retailers, then the books would retroactively become unlicensed reproductions and illegal to sell; if the wholesaler had bound the retailers, then the retailers would be so bound. "First sale" be damned: you can drive a truck full of books through that loophole.

Arguably all this nonsense can take place without getting copyright involved at all. The difference is that your contracts need to be explicit -- not the unilateral terms shenanigans of a shrink-wrap license -- and the dispute remains a dispute between the signatories to the contract, without the cascading effect of copyright infringement on each subsequent transaction (despite the fact that the goods were originally produced under license). No doubt copyright owners like the power offered by shrink-wrap licenses, and being able to sue a whole bunch of extra people for copyright infringement is just adding more power on top.

Comment The hidden factor: two distinct licenses (Score 1) 758

How would that be any different? How would that be at all legal, based on existing contract law?

The theory goes something like this. In order to produce a physical medium which contains software, one must have a license to do so, obviously enough. This is what limits sale of unlicensed ("pirated") copies. But wait, there's more. Having purchased a duly licensed physical copy of the software, you require a further license to actually execute the software, because you'd need to copy the software off the medium and into a computer's memory (and probably onto your hard disk too) in order to actually use it. You don't have that right unless the copyright owner specifically grants it -- or so goes the logic behind the EULA.

Two ramifications follow. One is that the industrial machinery you talked about is different in that it does not require a further act of copying in order to operate it -- assuming the device is purely mechanical. Of course, a manufacturer that wanted to pull that particular stunt could do so by making the device partly software based -- and what device of any complexity isn't at least a little software based these days? All you need to do is ensure that the program code must be copied from A to B as part of execution (e.g. off disk to RAM), and you can sell the license for this act of copying under whatever terms and conditions you like! Your Machiavellian manufacturer then places an EULA in the box which admits that you own the physical atoms therein, but reserves the rights in the software it contains, offering you the license to make copies as necessary to execute the software under its choice of terms and conditions. The ability to actually use the machine for its intended purpose is thus subject to the terms of the EULA.

The second ramification is the problem of equivocation which seems to be the root problem behind the Autodesk issue. There are TWO licenses. The parties in the case seem to be arguing about different licenses, and arguing as though these are the same license, when they are not. The physical media on which the software is sold (along with any manuals and packaging) are covered by one particular license. They were manufactured under license, and that license is not revocable by any doctrine of which I (and IANAL) am aware. Thus the doctrine of first sale. The license necessary to install (making a persistent copy) and run (making a volatile copy) the software are totally separate, covered by the EULA. It's completely fair that Autodesk terminate the second license on sale of the physical media: this is what prevents people from buying, installing, and re-selling, while continuing to use the software. It might even be fair (in a loose sense of "fair") for them to say that the second license is not transferable with sale of the media, but this does not render the media itself "unlicensed" -- that was license #1, and it's tied to the media for life.

My conclusion: the re-sale of the media should be permitted under the doctrine of first sale, with the understanding that the media no longer carries the necessary license to use the software. The sale should not be prohibited, because there are still valid reasons to purchase the media, even without the license. First among these is the desire to purchase a back-up copy or replacement copy in the case where someone already has license #2. It's also conceivable (albeit odd) that someone wants to purchase the media without intending to run it, or (more likely) they live in a jurisdiction (outside the USA, obviously) where the law does not recognise the need for license #2 -- it is considered implicit, because without it the goods are not fit for the purpose they are sold.

sudo mod me insightful

Comment Re:Solution in search of a problem (Score 1) 350

Not only was it a solution in need of a problem, but the whole user interface left me baffled as to what it actually did. It's a nasty example of attempting user friendliness by giving things cutesy names, while giving the user absolutely no insight into what the things do. They made exactly the same mistake with Buzz, only worse, because they dropped that right into Gmail with everything turned on and automatically buzzing everything. At least with Buzz I actually managed to figure out what it was and how to use it, and thereby conclude that I didn't want or need it (although I wouldn't have nuked it to oblivion if they'd made it unobtrusive in the first place). With Wave, I still don't know what it does, how to use it, or whether it would actually be of any use to me in any conceivable circumstance. I tried and failed, so how well can the folks who don't live and breathe technology have fared?

Comment Re:Makes sense (Score 1) 1123

How about Bulverism (a kind of ad hominem)? This has to be one of the better examples I've seen in the wild. It's almost a categorical Bulverism (rather than a personal ad hominem one): the argument being that only the religious would defend religion; the religious are always wrong about their beliefs; and you have defended religion, are therefore religious, and therefore wrong! Damn watertight argument, that -- unless you question the premises, of course.

Comment Re:Makes sense (Score 1) 1123

The core principles of science are that you can NEVER PROVE a single thing. You can ONLY DISPROVE hypotheses through experimentation.

A disproof is a form of proof. If you disprove A = B, you have proved NOT (A = B). In fact, it's generally necessary to prove something in order to disprove something else.

This whole "science can't prove, it can only disprove" slogan is the ironic catch-cry of the scientific rationalist, so blinded by hatred of religion that he's failed to realise it's a self-contradiction. Dawkins is a lot like this in general: he's so vehement that Science is the only form of knowledge that he doesn't realise he's supporting his position with bad Philosophy.

Comment Re:HA! (Score 1) 342

My paid-for copy of PixelJunk Monsters is inviting me to buy the full version, and you think this has nothing to do with DRM? Clearly we are using incompatible definitions of the term. There has been some kind of license-key-management screw-up precipitated by this bug. Regardless of the actual mechanism, that makes it a DRM issue.

Comment Re:HA! (Score 3, Insightful) 342

What does it have to do with DRM?

The DRM for games purchased on PlayStation Network seems to require that it be able to phone home and validate everything before it lets you play the game. This is impacting all of the games I've tested so far which were purchased from the PlayStation Network. Many of them just fail with an inscrutable error message ("Error HEXADECIMALSOUP") and refuse to start up. Others give you "demo version" mode and behave like you need to purchase the full product still.

Calendar bugs are one thing, but DRM which fails and locks you out of a bunch of stuff you paid for in the presence of such a bug is another thing entirely. If Sony gives me a nice discount voucher or PSN credit by way of apology for this inconvenience, I'll be less peeved, but I get the feeling that Sony (and their ilk) consider their self-rights-protection technology to be so damned important that no amount of inconvenience on the part of their paying customers is too much to ask. They'd be more concerned if a calendar bug allowed you to bypass all that license-key crap.
