* Posts by Michael Wojcik

12317 publicly visible posts • joined 21 Dec 2007

Key Perl Core developer quits, says he was bullied for daring to suggest programming language contained 'cruft'

Michael Wojcik Silver badge

There's the language, and there's the implementation of the language. My impression from the article is that Sawyer was talking about the latter, but I could be mistaken.

FSF doubles down on Richard Stallman's return: Sure, he is 'troubling for some' but we need him, says org

Michael Wojcik Silver badge

Re: The world keeps turning

Trot out this false equivalence as often as you like, jake. It still won't run.

Michael Wojcik Silver badge

Re: "he is essential to its mission"

Did anyone say he was?

FreeBSD gives ARM64 green light for production over x86 alternative's 'growth trajectory'

Michael Wojcik Silver badge

"Unix-like"

I'm guessing that refers to the fact that FreeBSD is not certified to use the UNIX® trademark (which should be written in block capitals, to please the lawyers). The trademark is owned by The Open Group, of course, and currently the only licensees are Apple, IBM, Cemprus,[1] HPE, Huawei,[2] and SCO.[3]

Just another minor clash between history and law.

[1] You know, that Cemprus.

[2] Does Congress know about this? The liberty!

[3] Does Xinuos know about this? Have they sued themselves yet?

Clearview AI accused over free trials to US police that were plausibly deniable

Michael Wojcik Silver badge

Re: "[he] did not explicitly say why he decided to leave"

Well, there's certainly some truth to that. An expectation of those prominent positions is that you'll moderate what you say about your employer, whatever the circumstances.

That said, I'm still willing to grant Bengio more credibility than pretty much anyone left at Google AI, probably including Croak. I know nothing of her motivation in accepting the position as lead of the new "Responsible AI" (ethics need not apply) group at Google, but Google is so obviously tainted in this area that it's very hard to feel good about it. Maybe she thinks she can fix some of the problems there. Personally, I wouldn't have touched it, but Croak has never been the retiring sort.

The Google Ethical AI ship has sunk, but it's not the rats who fled it.

Oracle vs Google: No, the Supreme Court did not say APIs aren't copyright – and that's a good thing

Michael Wojcik Silver badge

Re: Java 1

Oh, yes, in the 1990s everyone was friendly and helpful and there were puppies everywhere and we all had free unicorns and there was no Lotus v. Borland.

I know people love their prelapsarian fantasies, but, jeez, 1990 was only 31 years ago. Is your historical horizon really that near?

Michael Wojcik Silver badge

Re: What About Rust?

Even to the limited extent that this is true, so what? Breyer's decision holds that API use is fair use. It doesn't matter whether the API is contained in the same file as the implementation – either way they're the same "work" for purposes of copyright law.

USC 17 is not a particularly complicated piece of legislation, even if its ramifications are. Just read the first section and its definitions. Proximity has no effect on copyright or fair use.

Michael Wojcik Silver badge

All the states have laws on the books which were found to be unconstitutional and thus unenforceable. Legislatures are reluctant to make the effort to clean this stuff up, partly because they all have personal projects to fight over, and partly because it's politically unpopular. People who don't like those laws know they're unenforceable anyway, so aren't very bothered one way or another; people who do like them (and there's no shortage of those idiots) get bent out of shape when someone tries to get them removed.

Just a few years ago the legislatures of both Tennessee and Idaho passed laws endorsing the Bible.[1] This happens every few years somewhere or other. Typically the governor of the state will veto it, because everyone with an ounce of sense knows it's just asking for an expensive lawsuit the state will lose. In Idaho's case, it violated both the Federal and state constitutions, making it a particularly boneheaded move.

When I lived in Nebraska, there was a ballot proposal to amend the state constitution to remove a provision, added in the 1940s, forbidding the teaching of German in public schools. Of course that had been struck down pretty much immediately after it was passed, so it had no effect anyway; it was just embarrassing crap stuck on the constitution. The ballot issue failed – a majority of voters decided to keep an unenforceable constitutional provision forbidding the teaching of German.

Of course this is why we have constitutions and supreme courts, and why "direct democracy" is a terrible idea. (The movement in the US, from the 1970s on, promoting ballot initiatives and other direct-democracy governance, was largely funded by right-wing groups interested in defanging the regulatory state by sabotaging the legislative process. It's been pretty successful.)

[1] Some Bible, anyway. Often the nitwits who write these bills don't specify.

Michael Wojcik Silver badge

Re: APIs might be subject to copyright

it's hard to discount the possibility that copyright applies to APIs

I really don't think it is.

Rupert mentioned the "process, mechanism, or function" test (USC 17 §102), which APIs do not pass. The First Circuit's 1995 decision in Lotus v. Borland held that software UI "look and feel" failed this test. If things like menu items and button labels aren't protected by copyright, why would APIs be? (CAFC's two decisions, in 2014 and 2018, in favor of Oracle show that not only are the CAFC justices incapable of understanding software, they're also incapable of observing stare decisis. Maybe the worst circuit in the country, and that's saying something.)

US courts have consistently held that titles, chapter titles, and other short phrases are not protected by copyright. APIs are more similar to chapter titles than to anything else in other "literary works" (which are what software falls under in USC 17).

SpaceX's Starlink: Overhyped and underpowered to meet broadband needs of Rural America, say analysts

Michael Wojcik Silver badge

Re: Limited resource

Won't do 4K video? So what?

Indeed. I have fiber to the house, and I have zero interest in 4K video. 4K video is not a necessity. (Personally, I'm not even impressed with HD video. It does nothing to improve the story or acting.)

UK's National Cyber Security Centre recommends password generation idea suggested by El Reg commenter

Michael Wojcik Silver badge

Re: Biometric password

Overall, biometrics are generally pretty safe and do not expose you to unwarranted breaches of privacy.

That's certainly a minority opinion among security experts.

How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director

Michael Wojcik Silver badge

Trained on penalty of immediate dismissal for failure

This is a terrible idea. When you penalize employee error, errors will be concealed rather than used to improve systems.

Thomas Limoncelli had a good piece on this in the February CACM.

Michael Wojcik Silver badge

Re: Don't have to ban the payouts...

but once the criminals no longer get paid they will have no incentive to engage in ransomware attacks

This is a common but fallacious argument.

The cost of ransomware attacks is close to minimal, and there will always be some non-empty set of victims who will pay even if payment is illegal. Thus the return on investment for ransomware attacks will remain positive, and so they'll continue.

Moreover, many ransomware attack pipelines are largely or fully automated. Even if there were never any more payments, those systems will continue to mount attacks because there's no reason for their controllers to try to turn them off.

Website maker Wix embarks on weird WordPress-trashing campaign, sends 'influencer' users headphones from 'WP'

Michael Wojcik Silver badge

Re: "Doesn't at all make me want to use them"

By definition that is half

Sigh. Only if your definition of "average" is "median". People really need to give up this incorrect sophomorism.

Of course, there's no good measure, quantitative or otherwise, for "intelligence", or even a good definition of "intelligence" in the first place; so the original statement is largely meaningless.

Michael Wojcik Silver badge

Re: Poor future historians

They'll describe it as a specific case of the general rule "almost anything else is superior technology to traditional PHP-based anything"?

Michael Wojcik Silver badge

Re: Unstable

My major complaint with Wordpress is the plugin "ecosystem" in general, as it's historically been a dreadful swamp of gaping security holes. The popularity of Wordpress and its plugins has done a great deal to help web vulnerabilities proliferate.

Michael Wojcik Silver badge

Re: "Doesn't at all make me want to use them"

I'd donate them to a charity shop myself. Don't see any reason to send them back to the original offender.

What's this about a muon experiment potentially upending Standard Model of physics? We speak to one of the scientists involved

Michael Wojcik Silver badge

Re: @GrumpenKraut

Electric Universe is a beautiful network of fallacies and misunderstandings. As a piece of kookery it finds a sweet spot that's comfortably outside reason without degenerating into the incoherence of Timecube or the "to hell with science, let's have fairy stories" lunacy of Inert Gas Devices.

This axiom ("the underpinnings of a model...") is a fine example of that: let's just take an intuitive assumption and elevate it to a law, then employ it in our logic system. What could go wrong?

Proof by Vehement Restatement is a good epistemological technique too, endorsed by kooks the world over.

Michael Wojcik Silver badge

Re: Penny in the air?

Yay! Any online forum without its stable of regular kooks is a poor one.

A comments forum for a Reg particle-physics article will decay into an Electric Universe thread within 100 posts.

Michael Wojcik Silver badge

Re: Electrons or positrons?

"I worked in muon physics/chemistry for nearly two decades." just thrown in casually.

Indeed. Not the sort of thing I regularly see in Facebook comments.

(Not that I read many Facebook comments, it's true, so this is not a statistically-sound observation. And I admit that in the previous month I saw at least one comment on Facebook which was posted by someone with detailed technical knowledge of the subject, so it does happen. But still.)

Airline software super-bug: Flight loads miscalculated because women using 'Miss' were treated as children

Michael Wojcik Silver badge

Re: Not necessarily.

not as precise as a measurement in a vacuum

Of a plane loaded with spherical cows?

Does this flight originate in the US?

Belgian police seize 28 tons of cocaine after 'cracking' Sky ECC's chat app encryption

Michael Wojcik Silver badge

Re: "breaking encryption"

Didn't the previous encrypted phone network get busted because the cops hacked the software update servers

Not even. They got a mole hired by the vendor, according to reports.

Good ol' HUMINT-style sabotage. People have been saying for decades that intelligence and police agencies should stop fetishizing technological solutions and continue to use older, less-glamorous techniques where appropriate. The EncroChat takedown is a fine example.

Michael Wojcik Silver badge

Re: Cocaine

Replace it? It's not like coca leaves grow on trees!

Oh, wait.

Michael Wojcik Silver badge

Re: Cut out middle men

Sell it to Coca-Cola so they can come out with a line of Really Classic Coke.

Michael Wojcik Silver badge

Re: Cut out middle men

There's a difference between IQ and intelligence, too. "Intelligence" is a poorly-defined blanket concept which represents some arbitrary subset of many intellectual faculties, while "IQ" is a nonsense metric invented to promote scientific racism.

Michael Wojcik Silver badge

Re: Encryption back door?

The maths say that you can break it with enough power and time.

A meaningless statement, in practice.

First, of course, "it" hasn't been defined. RSA? ADH? ECC? Some other key agreement protocol? AES? Some other symmetric cipher? Or is this just hand-waving?

Second, once you assume unbounded resources, the question is no longer interesting. If you have a decision procedure for determining what the correct plaintext is, you can just try every possible key, or even every possible plaintext, "with enough power and time".

Third, it's quite easy to scale cryptographic algorithms up to the point where there aren't enough resources in the visible universe to brute-force them using a conventional computer. It's quite easy to do that for symmetric algorithms and hashing even with general quantum computing. It's a bit harder to do that for asymmetric crypto (key agreement and signatures), but we have candidates with strong evidence for being secure under GQC.

It's vanishingly unlikely that any correctly-implemented, well-studied, modern cryptography was broken in this case. Any of the mooted alternatives -- bad implementation, false implementation (the "it was a trap" theory), insider compromise -- are all much, much more probable.

Years ago, Bruce Schneier famously claimed that cryptography was good enough, and that "if you think your problem is cryptography, you don't understand cryptography and you don't understand your problem". Since then there have been successful attacks on widely-deployed cryptographic algorithms (MD5, SHA1, RC4) and protocols (all SSL/TLS versions prior to TLSv1.2, pretty much anything using CBC and not making a special effort to mitigate padding oracles, etc.). And we have the perennial worry that maybe someone will get feasible large-scale GQC working and so we need post-quantum asymmetric cryptography. But Schneier's basic point was right: implementations and people are the big threats to communication and data security, not the underlying cryptography.

Michael Wojcik Silver badge

Re: Encryption back door?

If it was actually end-to-end encryption -- a term of art -- then the service couldn't have discovered the keys. So we're back to a lie, a bad implementation, or tampering. At this point idle speculation is just that.

Michael Wojcik Silver badge

Re: Encryption back door?

RSA depends on factoring. DLP and ECC do not; neither do the various PQC schemes in the NIST competition, for example.

I wish people who talk about "modern crypto" understood that it's not all RSA.

Michael Wojcik Silver badge

Re: Encryption back door?

I'm pretty sure that short payloads are significantly easier to crack if you know the encryption

Only for certain broken protocols, and in the trivial sense that very short messages only have a small number of possible corresponding plaintexts. (If you intercept a single-bit message, you know the original plaintext was one of two bits, and the actual message was one of two possibilities.)

In fact large amounts of ciphertext are generally more problematic, though for modern algorithms and protocols, it's not an issue for most use cases.

and there's often "padding" put into short messages in real encryption to make it harder to crack.

Not really. A number of cryptographic algorithms and protocols make use of padding, but the technical reasons for that are more complex than just "it's too short". And as a practical matter, padding is more often a source of vulnerabilities, such as padding oracles.

DoorDash delivery drivers try to manipulate the food biz's payment algorithm to earn a living wage in gig economy

Michael Wojcik Silver badge

Re: Is a tip decided in advance...

Actually $2.13 per hour, provided the employee gets at least $30 in tips per month,[1] under Federal law.

Many states and territories impose higher rates, though in some cases it's only marginally higher (New Mexico raises it to all of $2.55 / hour), and it's rarely a living wage. A handful of states don't allow discounting the minimum wage at all for tipping. Of course, cost of living varies hugely among states and considerably within states, so the real question is the minimum wage adjusted for local cost of living, and that gets complicated when you consider different living situations...

See:

https://www.dol.gov/agencies/whd/state/minimum-wage/tipped

The US does not do well by its service-sector workers and underemployed workers. But that's hardly news, unfortunately.

[1] Of course $30/month is a negligible sum for anyone with real expenses, and good luck contesting a fraudulent claim by your employer that you met this very low bar.

US national parks to be smothered under blanket of liquid-hot Magma. Yes, the open-source 5G software

Michael Wojcik Silver badge

Re: Why?

I don't feel any need for 5G anywhere, personally. But certainly this announcement doesn't seem to make any argument in favor of this plan.

Michael Wojcik Silver badge

Re: Relaxing holidays

I've certainly enjoyed holidays in places where there's no phone service. But different people enjoy different things. Not everyone is you.

I'm not particularly interested in "relaxing", either. I'm pretty relaxed in much of my daily life; I don't need a vacation for that. I take vacation to spend more time with my extended family and enjoy a variety of activities I don't normally have much time for. But "relaxing" is not my goal.

Michael Wojcik Silver badge

Re: "vendor agnostic and free from lock-in"

Closed, proprietary software is dead

Yawn. "X is dead", for whatever value of X the author dislikes, is the most feeble, threadbare claim in IT. It's the flag waved by those who have no actual argument to make.

Nothing lasts forever, but most of the things in IT which some self-appointed expert has confidently declared "dead" are still around.

IBM creates a COBOL compiler – for Linux on x86

Michael Wojcik Silver badge

Re: Micro Focus will not be happy

I don't think anyone here is very worried.

Michael Wojcik Silver badge

Re: COBOL

Yes. And while COBOL more or less encourages things like comments (the NOTE statement may have been the first explicit provision for long-format comments in source code) and meaningful variable names, that doesn't mean developers will use them.

I don't know how many times I've had to search through multiple source files trying to figure out all the ramifications of someone's SET ws-ctrl-flag-foo-88 TO TRUE.

And COBOL written in pre-COBOL-85 style, with punctuation instead of scope-delimiters, can hide control-flow errors. As can the inconsistent semantics of PERFORM across different COBOL implementations.

Michael Wojcik Silver badge

Re: COBOL

The z architecture has BCD in hardware. I don't recall Power having it.

Often BCD arithmetic in COBOL programs is on items small enough that they can be represented with full accuracy in one of the native CPU types, so there's just a conversion penalty before and after a basic block of arithmetic operations. You don't need to do actual BCD arithmetic until the items get too large to fit in a 64-bit integer.

In any case, the real USP of COBOL is that it's COBOL, and there's a lot of it. We (Micro Focus[1]) sell a whole heaping bunch of mainframe migration because there are so many mainframe COBOL applications which are enormous and stovepiped and embody business logic that's not documented anywhere. Rewriting those applications is a minefield. It's much safer to move them unchanged, or largely unchanged, to a new platform under emulation that supports mainframe aspects like CICS / IMS / JES environments and EBCDIC and mainframe pointers. And, yes, IBM mainframe COBOL dialects.

And then, once your existing systems are running on the migration platform, you can start to modernize them. Integrate with other native or managed languages. Slap web UI front ends on. Wrap pieces as services. Scale out. Whatever.

IBM selling a port of their COBOL compiler for Linux is only a small piece of the mainframe-migration puzzle. And GNU COBOL is nice (and Bruce Tiffin deserves ample respect for the huge amount of work he put into OpenCOBOL and then GNU COBOL), but again, a COBOL compiler is only one of many ingredients for migrating existing COBOL mainframe applications.

[1] "Micro Focus". Two words.

Michael Wojcik Silver badge

Re: COBOL

COBOL has been modernized.

OO COBOL? Check. Managed (CLR and JVM) COBOL? Check. Inline declarations and anonymous closures? Check. Support for popular IDEs? Don't know why those things are popular in the first place, but sure, why not. Web UIs and service interfaces? Check.

And compilers have supported lower- and mixed-case COBOL source code for ages. And free-format (so no more worrying about columns), too.

Yep, the 'Who owns Linux?' case is back from the dead

Michael Wojcik Silver badge

Re: A real cancer- Litigation financing.

As I understand it (having read explanations from some lawyers), this sort of thing can become barratry – which can be grounds for disbarment and criminal charges – but is often permitted under US law. Thiel's subsidizing of Bollea v. Gawker is a famous example.

My understanding is that a certain amount of financing from outside parties is permitted by the court system on the principle that a well-financed party in the wrong might be able to stave off justice by making it financially infeasible to sue, and this is a mechanism for plaintiffs to assemble the required resources.

Think tank report names and shames 'stakeholder capitalist' Salesforce for paying no corporate income tax in the US

Michael Wojcik Silver badge

Re: we can weed out enough of the oxygen wasters

My taxes went down under Trump. That doesn't make me dislike him any less.

CERN boffins zap antimatter with ultraviolet lasers in the hope of revealing the secret symmetry of the universe

Michael Wojcik Silver badge

Re: Another test of General Relativity

I hadn't noticed the similarities between the electric-universe and sovereign-citizen types before, but now that you mention it...

They seem to share a belief in the magical power of words, too, whether it's e.g. "vibration" for the electric-universers or "proper" names for the sovereign citizens.

Michael Wojcik Silver badge

Re: Another test of General Relativity

That's not fair. The "electric universe" dude is a full-fledged kook, not just a crank. That's quality crazy right there.

Australian ponders requiring multiple IDs to sign up for social media, plus more crypto-busting backdoors

Michael Wojcik Silver badge

There were numerous proposals for increasing the cost of sending messages, and many of them were well thought out. Adam Back's Hashcash is a well-known example. David Chaum, in an interview, cites a similar earlier proposal by Dwork and Naor; and Chaum's own work on micropayments was often mentioned as an aspect of solutions in this context.

Hashcash does not, of course, cost actual money; it's a proof-of-work scheme. There are other proposals which do apply a direct cost.

The Hashcash proposal was in 1997, I think. So that's a fair number of years back, for this industry.

Payment-for-email proposals failed for much the same reason that encrypted and signed email largely failed: email is too decentralized and the big MUA vendors and MTA operators aren't interested in pushing improvements. (OK, that's a bit unfair – none of the standards for encrypted/signed email are particularly usable. PEM was never widely adopted, PGP's PKI doesn't scale and is too difficult for ordinary users, and S/MIME uses X.509 PKI which imposes a startup barrier in terms of cost. But foot-dragging by MUA/MTA implementers certainly didn't help.)

Michael Wojcik Silver badge

Re: A Dilemma...

There are certainly cases of "cyberstalking" and other criminal activity being carried out through social media, and using the relative anonymity[1] of social media to impede identification, investigation, and prosecution.

Australia's mooted requirement would increase the work factor for attackers to commit these types of crimes using social media.

So would banning social media, or licensing all Internet use. And you could eliminate more crime by instituting more physical-world surveillance measures. That doesn't mean any of these are good ideas, or are appropriate trade-offs between security and liberty.

Australia's government is on an authoritarian surveillance-state high. Things will get worse there before they get better.

[1] Of course "relative anonymity" isn't really a meaningful term, in any precise sense. What people mean by this is better expressed in terms of differential privacy, specifically in the amount of information available from a typical social-media account at various levels of effort and within the scope of various laws.

Michael Wojcik Silver badge

Re: Australia

a corrupt any law enforcement or regime WILL abuse that right

FTFY.

People are very good at rationalizing behavior which will achieve a short-term goal at the expense of ideological principles or long-term social goods. And law enforcement and other government functions are still run by people.

The JavaScript ecosystem is 'hopelessly fragmented'... so here is another runtime: Deno is now a company

Michael Wojcik Silver badge

Re: But from a user perspective...

I'd like to consider this from the perspective of the oft forgotten web user

Since this is server-side, how would the "web user" even know it's being used?

Japan tests digital currency, because all the cool kids are doing it already

Michael Wojcik Silver badge

Re: It's not Bitcoin

There are other variants of cryptocurrency. Ether is tied to the Ethereum smart-contract platform. There are various types of proof-of-stake cryptocurrencies. There are various forms of stabilized cryptocurrencies. There are NFTs, and there are other potential new types of derivatives.

So not all cryptocurrencies are equivalent to Bitcoin; some have other affordances and properties that are of interest to certain potential users.

That said, the only advantage for the central banks that I'm seeing is the potential for increased surveillance. Otherwise you'd get more benefit from just streamlining electronic transactions using your existing currency.

I find cryptocurrency interesting from the technical and economic standpoints, but I have no interest in using or investing in it. (And non-cryptocurrency use of Blockchain is generally just a poor application or the wrong choice of tool. Nagle graphs and append-only data structures are useful; Blockchain is a pretty dumb variant of both.)

Twitter nukes AI-generated twits who backed Amazon and pushed anti-union rhetoric

Michael Wojcik Silver badge

Re: Bezos

Musk has too much hair?

Michael Wojcik Silver badge

Re: Amazon and US Unions ?

Why are unions such a problem for Amazon US?

It's not so much that they're a problem; they're just cheaper to fight than to have, at least at the moment, in Amazon's estimation. So they'll fight them. It's all about estimated return on investment.

Because anti-union sentiment is relatively strong in the US (compared to many other countries), fighting unionization is often successful here, which raises the expected return on the investment in union-busting. If Amazon thought unionization here was more or less inevitable, it would determine that the more economical course would be to make nice.

Over a decade on, and millions in legal fees, Supreme Court rules for Google over Oracle in Java API legal war

Michael Wojcik Silver badge

we have clearly reached the limitations of current US copyright law

In fairness, that's basically what Breyer said. And the Roberts court really prefers narrowly-scoped decisions, which is why they left the "does copyright apply to APIs" question open.

Federal legislation to clarify how Title 17 applies to software would be the best remedy, if it's decent. But getting decent legislation written and passed is non-trivial. And this isn't one of those areas where the states have much discretion, so Congress can't rely on the usual legislative process of using the states as a laboratory, then copying what they like.

Michael Wojcik Silver badge

Re: Libel? Slander?

IANAL, but I'm pretty sure this wouldn't be contempt of court (in the US). It's just expressing an opinion, which is strongly protected by the First Amendment.

I can proclaim on the street-corner, or publish an editorial in the New York Times,[1] excoriating various SCOTUS decisions on questions of the Fourth Amendment – an area where they have Not Done Well. That's not libel (or slander) or contempt. I can, in fact, profess literal contempt for the court;[2] that's not "contempt of court" in the legal sense either.

Defying a court decision is contempt. Disrupting proceedings is contempt. Disagreeing isn't.

[1] Oh, you know they'd love to have it.

[2] Not that I'm actually contemptuous of the court. But if I were, I could. Well, I suppose I could even though I'm not, if you see what I mean.