Slashdot Mirror

jimmyUCB writes: "It looks like the American justice system may not be utterly doomed after all. This article from Science Daily says that the American Association for the Advancement of Science (AAAS) is paying scientists and engineers to be impartial tech tutors to judges so they don't have to listen to biased experts that are paid by defendants/plaintiffs. "

willis asks: "Several friends of mine will be graduating from college soon, and we're looking for a good place to get shell accounts with lots of space/bandwidth/reliability that we can do what we want with. We are currently considering two options: rolling our own by putting a box in a colocation facility, administering the box ourselves; or purchasing accounts from a commercial service. Our needs are: 20-30 users, 1-2GB/user, 0.5-1GB bandwith/user, FTP/HTTP/IMAP/SSH and expandable if neccessary. It seems like lots of people miss having good UNIX accounts after they leave school -- what is everybody else doing? Does anybody have any suggestions about good/cheap colos? Good account providers? Appropriate hardware?"

lozvare writes "Thought you might find this interesting. It was posted on BugTraq this morning." I think the stories about this are exaggerated - no one has ever said that WEP couldn't be attacked, it's designed for moderate security, not strong. One of the reasons was U.S. Government export regulations - the standard predates the current loosening of crypto export rules.

eheien writes: "The IEEE currently has an article detailing SETI@home, written by the project founders. The article goes into a great deal of detail on how SETI@home works, how sensitive the search is to signals (it can detect a cell phone on Saturn's moons), how successful it has been, and so on." It's a good read, and has some impressive numbers about the project that most SETI@home participants may not have realized.

USA Today ran this nice piece about Pamela Samuelson, one of the less-sung (not unsung, obviously) heroes of the copyright wars. She's contributed to the DVD cases and in plenty of other areas. Her homepage has many papers about intellectual property and copyright available, good reading if you're into that sort of thing.

BoogieGod writes "The SETI@Home project has finally broken 500,000 years of computing time. They haven't detected any Extra Terestrials yet but there have been some interesting close calls. Now if only all 2.6 million of their users could join distributed.net."

BoogieGod writes "The SETI@Home project has finally broken 500,000 years of computing time. They haven't detected any Extra Terestrials yet but there have been some interesting close calls. Now if only all 2.6 million of their users could join distributed.net."

BoogieGod writes "The SETI@Home project has finally broken 500,000 years of computing time. They haven't detected any Extra Terestrials yet but there have been some interesting close calls. Now if only all 2.6 million of their users could join distributed.net."

The average American child plays videogames forty-nine minutes a day. Some play for much longer and over many years. There are few studies of the effects of gaming, but some traits are increasingly obvious: gamers are often independent, strategic-thinkers and problem solvers. Their interactive instincts often collide unhappily with the traditions and institutions of a static, passive world. Gamers are the new artists, visionaries, and story-tellers of our time, sparked by astonishingly inventive new technologies like the PS 2. Ready or not, they will become increasingly influential. Third in a series.

Younger Americans are used to being denounced as ignorant, violent, obsessive, even uncivilized. Increasingly, they don't care; they've stopped paying attention. Involvement in gaming can be seen as both manifestation and cause this schism, a profoundly significant force in culture and society. Gaming has affected almost everyone who grew up with it -- which is to say, just about half of the country.

Adults may quake at the transformation, but kids are completely at home with the joystick, the key to a new kind of civilization. "They take the powerful sensory presence and participatory formats of digital media for granted. They are impatient to see what comes next," writes Janet Murry of MIT.

How is the influence of gamers showing up in society? Hardly anyone has studed that systematically, but a decade of e-mailing, talking with, teaching, visiting and working with gamers has given me some impressions.

We know something about gamers. They're quick decision-makers, sometimes to the point of impulsiveness. Since their virtual lives depend on fast reactions, their real-life decision making processes become visceral, instinctive. Wishy-washy gamers are unsuccessful gamers, so gamers make a lot of quick decisions and feel confident about them. Therefore, gamers grow impatient when real world institutions and situations plod cluelessly along. Delayed decisions are costly.

Social stereotypes aside, gamers are team players, not loners. They may sit along at their consoles, but ultimately few game alone. They share strategies, tricks and accumulated wisdom on sites all over the Web. They learn to work in pairs and groups, anticipating their teammates' or partners' reactions, learning how to move, build, create and hunt in groups and packs, often with total strangers. When they do game with people they know, they can form powerful social bonds; they came to know their friends' intellects and instincts in unusual depth. (Check out this UC Berkeley study of Sims users.)

Gamers become strategic thinkers. Their imaginations have been continuously stretched. In the same way that chess players learn to think many moves ahead, gamers are always anticipating the games, their moves, and the moves of their teammates and opponents, virtual and human. In a way, gamers are more battle-tested in their decision-making than most people get to be.

And gamers are bringing much of what they've learned to the workplace:

Gareth e-mailed this message after Part One of "Up, Down ... appeared: ".. gaming has also inspired me to take ideas to the software engineers within [my] company. There are several increidle advances in game technology that could be directly applied to the corporate environment. For instance MMORPG's (Massive Multiplayer Online Roleplaying Games) have provided a system where people can virtualy interact while still mainting the visual cues that are required for large converstations to take place. This is a key component missing from the standard audio conferencing that occurs in the workplace. Visual cues are absolutely important for maintaining a sense of order during meetings, it prevents the vocal 'free for all' that occurs otherwise."

It seems inevitable that similiar kinds of ideas will be brought by gamers to educational environments, perhaps even politics.

Gamers are story-tellers. They inhabit increasingly imaginative virtual environments; they spent a substantial portion of their formative years interacting with stories, graphics and representations on screens that nearly become part of their neural systems. They are always telling tales, to one another and to themselves. In the mid-1990's computing power had become cheap enough so that companies like Silicon Graphics could build enormously powerful machines devoted to computer simulations, including their Reality Engine, which began to approach the long sought figure of 80 million polygons a second. Like the PS 2, the Reality Engine turned out to have a powerful impact on gaming and virtual reality.

Finally, gamers are smart. Again like chess players -- except that many video games are more complex -- gamers are often mentally over-stimulated. They can grow tense, keyed-up and narcissistic. They can also become obsessive (and yes, irritable) from focusing so intently on a narrative, character or conflict. Needless to say, they're competitive, as well as resourceful and extremely determined. Successful gaming requires a level of patience and commitment rarely associated with entertainment or, for that matter, education.

Kids of this generation will be different from any that has preceded them. But whether they will able to bridge the generational chasm that separated them from their elders, whether they apply their strategic thinking, creativity and problem-solving skills to our broken educational and political systems -- it's too soon to say.

The computer is the most powerful representational medium ever conceived. Seers like Murray have argued that computing should be put to the highest tasks of society. We know that gamers are the new prophets and story-tellers of society, that gaming is approaching a universal generational experience. So gamers are important. It seems clear that the future is in their hands.

jeffw writes: "Once again a Russian cracker got into a online credit card database and attempted to extort money from the company . MSNBC has the details. Previous incidents were covered on Slashdot here and here. This time it was the appropriately named CreditCards.com, a credit card processing service for merchants. You would probably expect to be notified by one of the processors, the card issuer or the merchant, but in this case victims have to notice the fraudulent charges themselves and contact their card issuer. Hmm, CreditCards.com. I'm sure no cracker would ever think of that as a juicy target. Why not name your company FreeMoneyForCrackers.com instead?"

AugstWest asks: "I was at a concert in Manhattan last night when I panicked and thought my beeper had gone off, which would usually mean that one of my company's servers had failed, leaving clients without vital services. I know I'm not alone in being the sole admin since a lot of companies don't have the resources to have redundant dedicated admins, so if the servers go down, I'm the only one who knows how to get them back up. My nearest terminal was in Connecticut. I would have had to leave the show (leave a King Crimson show?) and drive back to Connecticut (at least an hour) to be able to get in to the server and scope the situation. Fortunately I had hallucinated the beep, but it hit me that there's got to be a wireless device out there that can handle SSH2. I've got a client for the Palm that does SSH1, but it's not enough. What are people using to administer their servers from a wireless device? Since it's just a character shell it shouldn't be too difficult to do, and it would be so nice to be able to just duck out to the hallway, log in to the server, check the status, start things up again, then head back in to the show."

A final pre-election assemblage of political news for voters, conscientious objectors, felons, minors, and non-U.S. citizens. Philom points to an interesting analysis of NaderTrading by UCB grad student Scott Aaronson. Cheshyre sent in an interesting tidbit that may affect the odds of George Bush sneaking north for some subsidized health care. Of course, if that's embarrassing, so is trading cigarettes for Gore Votes, as pointed out by photozz. flimpy points to another tech-centric voter's guide. Finally, Mike McCune allleges that "About 90% of the national elections use use a device called the 'Shouptronic' to count the votes. The Shouptronic is a closed system that isn't open for inspection. Several groups argue that it has been used to fix the vote in elections. This is a good argument to use an open system for election counting." He points to this wacky but intriguing book by the equally wacky but intriguing Collier family. I'm convinced.

macsox writes: "Wired News has an article about surfaces that, using vibrations, can move objects around at the owner's whim -- for example, using a mouse as a remote desktop arranger. Also envisioned: rooms that redecorate themselves. The scientist's page is here."

setec asks: "After the end of the ECDL Project last April, I fell out of the practice of participating in distributed processing projects. However, I'm gettin' the itch again, and I've run into a problem that many others have faced, I'm sure. Besides, distributed.net, there really aren't many cool projects out there. And none match the comraderie that the ECDL project offered... Where does a geek go to find a good distributed project?" Actually, I've always found the Great Internet Prime Search to be a worthwhile distributed project and moved my spare cycles there after getting tired with Distributed.Net. There's Seti@Home as well. What other distributed computing projects do you all contribute your idle processor time to?

Jon writes: "In this Daily Cal article Howard King claims, 'We made it pretty clear we're not going to sue colleges, at least not at this point in time. I think at this point my clients want me to continue the educational process.' This article mentions that so far only Penn State University has agreed to ban napster. The UC System (includes Berkeley, UCLA, UCSD, etc), Michigan, Princeton can be added to the schools refusing to ban it."

ed tellefsen asks: "If and when our server goes down, I'd love to be able to reboot it remotely using a palm pilot. I searched at Google and found some open source software called PalmVNC. Anyone familiar with it? Are there other options available?"

Geoffrey Kidd writes: "There's a very interesting article at EE Times about some research which seems to indicate that an essentially unlimited number of bits can be stored in ONE electron. Hmmm. What if one could encode every .mp3 file on Napster in one electron? :)"

kryptt writes "An Article in The Santa Fe Institute's web page (http://www.santafe.edu/sfi/ research/activityUpdate.html) had this on it: "Cognitive Science The Neural Theory of Language Project run by Jerome Feldman and Board member George Lakoff at University California Berkeley aims answering question: How can physical brain give rise to concepts language? In a recent breakthrough collaborators have now isolated, via computational modeling techniques, kinds structures that carry out dynamic mental models separated their structure from parameterized provide input take output models. allows them create formal representations for which they describe linguistic constructions. other work, Lakoff, Rafael Núñez new book forthcomingWhere Mathematics Comes From: Embodied Mind Brings into Being Basic Books, York. is Projects web page: http://www.icsi.berkeley.edu/NTL very interesting reading.."

Sneezer asks: "I work for the department at my university which provides network connectivity for students living in the residence halls. We are currently wrestling with revising our Acceptable Use Policy. We occasionally get complaints from other sysadmins complaining that one of our IPs has port scanned one of their servers. In trying to decide what our policy should be in dealing with residents who play with port scanners, we have come to wonder why so many admins get so uptight about being scanned. Also, could we or should we be held accountable for an intrusion if we were informed that the intruder had been conducting port scans before, but we hadn't intervened?" I feel port-scanning is similar to looking at a house. Looking is OK as long as you don't try to break-in. But as in all things, there is a fine line...the trick is figuring out when it's been crossed.

Troodon writes " BBCnews SCI/TECH has an item: Screensavers could save lives , anouncing the team up between Parabon Computation and the US National Cancer Institute to apply the idle time of home computers in a Seti@homeesque manner, simulating the responce of cancer cells to potential drugs. The sweetner being the _option_ to receive a payment for your troubles. Other new start ups are jumping on the bandwagon, e.g. Popular Power's choice of contributing to research on Influenza Vaccination, or making a little money with big business. But with these companies potentially looking forward to a healthy cut in the profits of any new drugs developed etc., should us plebs look towards more honourable projects, such as trying to help research into the global warming, that all these boxes dug out retirement are going to contribute to?"

leb writes: "Physicists at U.C Berkeley have 'peeled the tips off carbon nanotubes to make seemingly frictionless bearings so small that some 10,000 would stretch across the diameter of a human hair. The minuscule bearings are actually telescoping nanotubes with the inner tube spinning about its long axis. When sliding in and out, however, they act as nanosprings. Both the springs and bearings, which appear to move with no wear and tear, could be important components of the microscopic and eventually nanoscale machines under development around the world.' Based on the principles of Vander Waal's forces this breakthrough, they state that, 'Our results demonstrate that multiwall carbon nanotubes hold great promise for nanomechanical or nanoelectromechanical systems (NEMS) applications,' they conclude in their paper. 'Low-friction, low-wear nanobearings and nanosprings are essential ingredients in general NEMS technologies.' Read the news release and visit the lab Web page."

leb writes: "Physicists at U.C Berkeley have 'peeled the tips off carbon nanotubes to make seemingly frictionless bearings so small that some 10,000 would stretch across the diameter of a human hair. The minuscule bearings are actually telescoping nanotubes with the inner tube spinning about its long axis. When sliding in and out, however, they act as nanosprings. Both the springs and bearings, which appear to move with no wear and tear, could be important components of the microscopic and eventually nanoscale machines under development around the world.' Based on the principles of Vander Waal's forces this breakthrough, they state that, 'Our results demonstrate that multiwall carbon nanotubes hold great promise for nanomechanical or nanoelectromechanical systems (NEMS) applications,' they conclude in their paper. 'Low-friction, low-wear nanobearings and nanosprings are essential ingredients in general NEMS technologies.' Read the news release and visit the lab Web page."

Kirch asks: " Company XYZ Encryption Technologies creates an encryption package (read anti-piracy) that will encrypt your data (read IP) for you and can only be read through licenced decrypted produced by XYZ. Now, the encryption used is very, very weak. It 'encrypts' by offsetting every bit by one and then 'decrypts' by offsetting every bit again by one. Or yet even better 'encrypts' everything by the Pig Latin method. Now the encryption is kept secret by XYZ. Users use this assuming they are protected by the encryption technology touted by XYZ. A semi smart user looks at the encrypted data and says 'Oh Look it's Pig Latin!' The user posts this on forums, makes a Web page exposing XYZ for using Pig Latin and writes a DePigLatin program. Who is liable here? The company, for producing a product with weak encryption, or the user for posting the DePigLatin program?" Sound familiar? It should, but not necessarily for the reason you expect.

ESRI makes a product called ArcView. Arcview has a feature that allows developers to customize it with Avenue. Developers can also encrypt their scripts so they can sell them to users. Dr. William Huber found out a way to decrypt the "encrypted" scripts using the Avenue scripting language. You'll find his findings here. It seems that he stumbled upon this a year ago. Again, who's at fault? ESRI or Dr. Huber? You'll notice he hasn't actually given out the code but does give out a few hints to those who know Avenue.

My limited understanding of the DMCA is that it is a crime to circumvent anti-piracy measures built into most commercial software. This would make the user a criminal for circumventing an anti-piracy measure. There is no provision saying, well if it's weak, then it's OK. So, according to the DMCA, was circumventing the XYZ Pig Latin Encryption technology a crime?"

The similarities to DeCSS should probably come as no surprise to you all at this point. What is a consumer to do when the very laws that are designed to ultimately protect us (as the software publishers keep saying) can be used as a bludgeon to silence the act of discovering what can and should be considered design flaws? Sure the DMCA protects someone, but the answer most assuredly isn't 'us' in any way shape or form.Of course, that last bit shouldn't come as any surprise to you, either.

Update: 07/13 12:43 AM by C :Some information for those of you who are still looking for ammunition against the DMCA: here's a lengthy paper from Pamela Samuelson, a professor at UC Berkeley, and another article from Openlaw . Finally, this bit from Michael Sims: "Sachems, grandmothers, and hackers of all ages have obtained a New York City Official Media Event Permit to peacefully assemble for the redress of wrongs:

Monday 17 July 2000
10:30 am to 5:00 pm
Court Yard of the Federal Court
500 Pearl Street"
(Manhattan, New York City, obviously)

Also, Martin Garbus (the famous lawyer who's representing the DVD defense) will be speaking at H2K, the hacker's conference this weekend. More precisely, he's speaking this Friday at 3PM at the Hotel Pennsylvania (you can go to Hope.Net for more info)."

miss_america writes: "CNN is running an article about how the Internet has fueled distributed/parallel computing. It talks about the limitations, implications and possibilities of internet-based distributed computing. The article highlights UC Berkeley's SETI@home project, Distributed.net, and the ProcessTree Network."

ara818 asks: "I have written a 4,000-line personal web assistant using Perl. After getting everything to work I am now working on making the code run faster. The problem I keep running into though is that there are so many ways to do the same thing in Perl that I don't know which is faster. Right now, I am working on intuition but I'd really like a site or book that could give me at least a few pointers or some guidelines. Is there any such resource available for Perl, or for that matter, other popular programming languages?"

ferlatte writes: "There's a great piece on the effects of the tech industry in Silicon Valley on the environment and their workers. Pretty scary stuff, and sort of unsettling to think about how many toxic substances went into that shiny new laptop. The story is available at http://www.sfbg.com/News/34/30/siliconhell.html." Maybe the industry needs to set up "PolluteE", a "watchdog" agency to make sure companies post their pollution policies prominently on their Web sites...Update: 05/04 11:08 by michael : A good link from the comments: the Silicon Valley Toxics Coalition.

QuantumG asks: "What happens when someone writes a program and releases it under the GPL and then someone discovers that the program contains useful portions of code that really should be in a separate library that should be under the LGPL. One cannot simply pick up GPL'd code, make it into a library and release it LGPL. That would violate the GPL, right?" Would it? Hit the link below for more.

"Here is an e-mail I fired off to the leader of MaPlay 1.2+ for Win32, an MP3 player for Windows asking his opinion.

Date: Sat, 29 Jan 2000 17:53:27 +1000 (GMT+1000)
From: Trent Waddington 
To: ctsay@pasteur.eecs.berkeley.edu
Subject: MAPlay & Licenses

Hello.  I have been looking at MaPlay 1.2+ for Win32 and have been
very impressed with it.  I have taken the base code and added a simple
API to it (and removed playlists and such) and recompiled it as a
DLL. Now the question becomes one of LGPL vs GPL.. If I use the DLL in
a program to play MP3 files, am I then required to release the source
of that program under the GPL?  Obviously if I wrote a trivial WinAmp
like MP3 player frontend and used the DLL as the backend I would
personally expect that to be released GPL.  However, let's suppose
that I write a game and instead of using a bunch of enormous WAV
files, I MP3 compress them and use the MaPlay DLL to play them.  This
to me sounds like a case for LGPL, but the DLL is a "derived work" of
a GPL'd program and, as such, cannot be released under anything less
liberating than it.. is LGPL *less* liberated than GPL or *more*?
I don't think using MaPlay code to play MP3 files instead of WAV files
justifies that an entire game's source tree must be GPL'd.  Obviously
it should be for Open Source reasons but is the enforcement of GPL
valid?

I would personally be interested in knowing how the programmers of
MaPlay would feel if the MaPlay source was (hypothetically) used in a
game that was closed source.  Assuming there was something in the
about box / ending credits saying that the game used the MaPlay source
and that the source (to the player code) was available at the MaPlay
web site. Would you feel ripped off?"

Can anyone unravel the LGPL and GPL issues inherent here to help him out?

Spencer Kimball, best known for co-creating that little app known as The Gimp, wrote in to let us know what he's doing these days. He, along with four other XCF members have created OnlinePhotoLab.com. Using the Gimp as a backend, it provides 50 megs of storage, and the ability to perform many normal gimp functions on images. Also provides an easy facility for sharing your images. Most interesting is the hardware. Spencer says "We have ten Linux boxes, each a dual processor running four GIMP engines, for a total of 40 engines. We estimate we can process about a million image requests per day. The cost of hardware was less than $25k." Here's hoping it can withstand the Slashdot Effect: it worked great last night ;)

Hoss Man writes "It seems like a few techno-heads out there have figured out how to make a 10Gig harddrive out of a roll of Scotch Tape. It would be cooler if it was Duct Tape, but I guess we can't really complain. " Alright, I'm not sure whether I believe it or not, but it looks pretty darn cool.

Structured Audio writes: "Found this in Dvorak's Forbes column. These are hip in Japan, China, and Germany. See those links for details, but it's essentially a pager-like device that you program with details about who you'd like to date. When it detects you're near someone who also is wearing one of these, and your profiles match, it gets the two of you into a conversation. Wow!" These frighten me.

Tom Phelps writes, "URLs can be made robust so that if a Web page moves to another location anywhere on the Web, you can find it even if that page has been edited. Today's address-based URLs are augmented with a five or so word content-based lexical signature to make a Robust Hyperlink. When the URL's address-based portion breaks, the signature is fed into any Web search engine to find the new site of the page. Using our free, Open Source software (including source code), you can rewrite your Web pages and bookmarks files to make them robust, automatically. Although Web browser support is desirable for complete convenience, Robust Hyperlinks work now, as drop-in replacements of URLs in today's HTML, Web browsers, Web servers and search engines."

ebibe writes, "Researchers at UC Berkeley will announce successfully creating the 'bionic chip.' Part living tissue, part machine, this chip is the first in which a biological cell is part of the actual electronic circuitry. The chip, which took three years to build using silicon microfabrication technology, has a wide range of potential uses, including new ways to treat genetic diseases such as cystic fibrosis or diabetes, safer methods to test new pharmaceuticals for side effects and more complex bionic electronic circuitry. View the entire press release here."

ebibe writes, "Researchers at UC Berkeley will announce successfully creating the 'bionic chip.' Part living tissue, part machine, this chip is the first in which a biological cell is part of the actual electronic circuitry. The chip, which took three years to build using silicon microfabrication technology, has a wide range of potential uses, including new ways to treat genetic diseases such as cystic fibrosis or diabetes, safer methods to test new pharmaceuticals for side effects and more complex bionic electronic circuitry. View the entire press release here."

ebibe writes, "Researchers at UC Berkeley will announce successfully creating the 'bionic chip.' Part living tissue, part machine, this chip is the first in which a biological cell is part of the actual electronic circuitry. The chip, which took three years to build using silicon microfabrication technology, has a wide range of potential uses, including new ways to treat genetic diseases such as cystic fibrosis or diabetes, safer methods to test new pharmaceuticals for side effects and more complex bionic electronic circuitry. View the entire press release here."

frivolous writes, "The University of California, Berkeley has issued a press release here that describes how they've managed to fool algae into producing pure hydrogen gas. This hydrogen can then be used to power nearly everything that's oil-powered today - cars, homes, industry, and so on. If they can get the production rate up as high as they suggest, this could revolutionize the energy industry. I've already submitted the info to Bruce Sterling (see the Viridian Web site for more on his involvement). " To qualify the release: The scientists have filed for a patent, and the process will be appearing in a peer journal next month. That means that it hasn't been throughly analyzed by the scientific community yet. Let's hope it holds up under scrutiny.

frivolous writes, "The University of California, Berkeley has issued a press release here that describes how they've managed to fool algae into producing pure hydrogen gas. This hydrogen can then be used to power nearly everything that's oil-powered today - cars, homes, industry, and so on. If they can get the production rate up as high as they suggest, this could revolutionize the energy industry. I've already submitted the info to Bruce Sterling (see the Viridian Web site for more on his involvement). " To qualify the release: The scientists have filed for a patent, and the process will be appearing in a peer journal next month. That means that it hasn't been throughly analyzed by the scientific community yet. Let's hope it holds up under scrutiny.

Yoel Inbar writes "John Copeland, a professor at Georgia Tech, has discovered the possibility of using Macs running OS 9 as a distributed DOS tool. Basically, by sending a Mac running OS 9 a custom UDP packet, you can get it to reply with a 1500 byte ICMP packet(these packets are normally sent as part of MTU discovery). Send these UDP packets to a bunch of Macs, spoof the source addresses....voila, instant DOS. Apparently this is "in the wild"; he reports several scans designed to elicit these packets. "

MindJob writes "Berkeley's Sensor & Actuator Center has developed a virtual keyboard that allows you to glue 10 tiny chips to your fingernails and type away anywhere. The chips are composed of tiny, battery powered MEMS, or Microelectromechanical Systems, that work by tracking the location of your fingers and transmitting via a low-powered radio to a nearby receiver that will work regardless of the computer platform."

MindJob writes "Berkeley's Sensor & Actuator Center has developed a virtual keyboard that allows you to glue 10 tiny chips to your fingernails and type away anywhere. The chips are composed of tiny, battery powered MEMS, or Microelectromechanical Systems, that work by tracking the location of your fingers and transmitting via a low-powered radio to a nearby receiver that will work regardless of the computer platform."

Jason Cain writes "Here's a conspiracy theory from John C. Dvorak about big-time battery makers like Eveready trying to downplay new rechargeable battery technology like NiMH because it would kill their business model. I have NiMH rechargeables for my digital camera, and I can testify that they're great. Why aren't they being promoted more?" I remember there being more of a market for rechargables about 10 years ago, but I rarely hear about them now except when coupled with portable devices like laptops, camcorders and cell phones. Did this market dry up naturally, or was it killed by corporate greed? (More)

After perusing the Dvorak column and some of the informative comments in the talkback section, it turns out that we have had several types of rechargables over the years:

• NiCd (aka NiCaD) - Nickel Cadmium batteries. These batteries suffer from charge memory problems and were discovered to be environmentally unsound due to the fact that both nickel and cadmium are carcinogens.
• LIon - Lithium-Ion batteries. You can find these in most laptops, camcorders and cell phones. Nicer all around batteries, but they are NOT cheap due to the electronics necessary to run them safely.
• NiMH - Nickel Metal Hydride batteries. The newer kids on the block. These seem to be the batteries of the next generation and you'll find a better description of these in the Dvorak article.
• LiS - Lithium-Sulphur batteries. Under development, but looks promising. Check out the Moltech Corporation. You should probably stop by and take a peek at their literature if you want to know more. After further perusal of their site, it looks like Moltech has acquired Eveready's Energizer Power Systems.

Now I can understand why NiCad batteries were discontinued, and LIon is not yet ready for the consumer market, but it sounds like NiMH batteries are, and yet this is the first time I've heard them mentioned. Li-S batteries haven't hit the consumer market yet, but I mention them to underscore the fact that there has been active development of these types of batteries for years, yet they are almost impossible to find in many commercial outlets.

Has the demand for rechargable batteries really been so dismal that they've just about dissapeared from store shelves, or does this conspiracy theory really have weight?

Your thoughts?

chrisr was the first of many to tell us that less than a week after the BBC reported Bell Labs had developed a 50 nanometer transistor, researchers at the University of California at Berkeley have announced an 18 nanometer transistor. Best of all, the team has decided to not patent the design, hoping it will lead to faster acceptance.

chrisr was the first of many to tell us that less than a week after the BBC reported Bell Labs had developed a 50 nanometer transistor, researchers at the University of California at Berkeley have announced an 18 nanometer transistor. Best of all, the team has decided to not patent the design, hoping it will lead to faster acceptance.

Structured Audio writes "Kenwood America (the speaker maker) has moved from Pick to Linux for its enterprise resource planning apps. This Techweb article explains why Kenwood chose Linux over NT or a commercial Unix." ERP and financials are among the most important areas for Linux and open source to shine if they are to be accepted by the corporate world.

"etphonehome" was the first of many to submit this. Astronomers at UC-Berkeley measured a star decreasing in brightness as its planet crossed in front of it. This is the first known planet whose orbital plane crosses Earth, making this measurement possible. It's great to see independent confirmation of the "wobble" which until now has been the only evidence of extrasolar planets. There's a splendid artist's rendition on the astronomers' webpage; see also the story on CNN or the technically-challenged Washington Post ("the planet had indeed cast a shadow over the star").

Most of the questions we got for crypto guru Bruce Schneier earlier this week were pretty deep, and so are his answers. But even if you're not a crypto expert, you'll find them easy to understand, and many of Bruce's thoughts (especially on privacy and the increasing lack thereof) make interesting reading even for those of you who have no interest in crypto because you believe you have "nothing to hide." This is a *long and strong* Q&A session. Click Below to read it all.

First Bruce says, by way of introduction...

"I'd like to start by thanking people for sending in questions. I enjoyed answering all of them.

"I've written on many of these topics before, and often I will point to existing writings on my Web site or in my Crypto-Gram newsletter. This isn't to be annoying; it just seems useful to point to things I have already written. I urge anyone interested to sign up for a free subscription to Crypto-Gram. I write it monthly, and I regularly answer questions such as these, or write about topics in the news (especially ones that have been reported on badly). To subscribe, visit my Web site at www.counterpane.com/."

ryanr asks:
I've heard you say many times that unless a particular crypto alg. has undergone lots of public review, it should not be considered safe. Unless possibly it's from the NSA. (Excluding, of course, the NSA stuff that is INTENTIONALLY backdoored.)

The implication there is that the NSA has applied some many resources to the crypto problems, that they are as good as the rest of the cryptographers put together.

My question is: Do you really think that a private process, no matter how many resources applied, can equal the public process?

ANSWER:
Yes. One way of looking at a public process is as a large and distributed private process. If the NSA collected all of the academic cryptographers, gave them a clearance, and locked them in a basement somewhere, it would become a private process. The real issue is whether or not the NSA has equivalent expertise to the public academic community, and whether it can apply that expertise in an effective manner.

The NSA has a lot more cryptographic experience in the narrow fields of making and breaking algorithms. They have been doing this, and nothing else, for decades. I don't believe that they have much expertise in weird digital signature schemes, or zero-knowledge protocols, or even more bizarre electronic commerce and voting schemes, because they aren't really of practical interest. But the NSA certainly has a very strong practical interest in algorithm design and analysis, to a much greater degree than we in the public community do. And they have seen a lot more ciphers: both designs that they have proposed internally and designs in production systems that they have tried to attack.

The NSA also has the ability to target its analysis resources. The public academic community is scattershot. We work on what interests us, and we are each interested by different things. A director at the NSA has the ability to take the top ten cryptanalysts in the building and say: "You. Go into that room and don't come out until you've broken RC4. I don't care if it takes two years." That ability to direct resources at particular problems gives them an edge that we don't have.

But how much of an edge? Until recently, I would have stated unquestionably that the NSA is a decade ahead of the state of the art in cipher design and analysis. Now, I'm not so sure.

Over the past five years, there has been a lot of open research in cryptography. We have discovered many different types of attacks, and have learned a lot about how to design ciphers. The best and brightest of the cryptographers are staying in the open academic community, and are not being swallowed up by the NSA (or by its counterparts in other countries). There is a vibrant academic community in cryptography; people can exchange ideas, share research, build on each other's work. We've seen attacks against the NSA-designed algorithm Skipjack that almost certainly were not known by the NSA. (See http://www.counterpane.com/crypto-gram-9807.html#skip for Skipjack information, and http://www.counterpane.com/crypto-gram-9809.html#impossible for information on impossible-differential cryptanalysis.) We've seen other attacks that, I believe, were not known by the NSA. (See http://www.counterpane.com/mod3.html for more information.) The public research community is now doing cutting-edge research in cryptography.

Now this doesn't mean we are better than they are. Certainly the NSA knows more about cryptography than the public community does. They read everything we publish, and we read nothing that they publish. Almost by definition, they know what we do. That imbalance alone will always give them an edge in knowledge. But I think that edge is closing rapidly.

And on a related topic, I don't think the recent press flap about the NSAKEY means that the NSA has a backdoor in Microsoft Windows. I wrote about this in HREF="http://www.counterpane.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI. But I do think that the NSA deliberately puts back doors in products; seehttp://www.counterpane.com/crypto-gram-9902.html#backdoors for some details.

Sajma asks:
Your book describes a slew of interesting applications for crypto protocols, including electronic money orders, digital time-stamping, and secure multi-party computation. What are the remaining crypto problems of interest to the general public which have not been solved? (secure distribution of digital media comes to mind -- can you sell someone a music file, allow them to use the file anywhere, but make sure no one else can use it?)

- SEE NEXT QUESTION -

randombit asks:
OK, hypothetical question. You rub a magic lamp, and a genie comes out. Specifically, a cryptographic protocol genie. He can come up with an efficient, secure protocol for any activity you want (assuming a protocol is possible, of course). What would you pick, and more importantly, why?

ANSWER:
Two questions; one answer. We actually have all the protocols we need. It's true that I described all sorts of interesting protocols in _Applied Cryptography_. The reality is that none of them is actually useful. What is useful are the few simple primitives -- signatures, encryption, authentication -- and the different ways to mirror real-life trust models using them. These protocols are simpler, easier to understand, and more useful.

The real problem with protocols, and the thing that is the hardest to deal with, is all the non-cryptographic dressing around the core protocols. This is where the real insecurities lie. Security's worst enemy is complexity.

This might seem an odd statement, especially in the light of the many simple systems that exhibit critical security failures. It is true nonetheless. Simple failures are simple to avoid, and often simple to fix. The problem in these cases is not a lack of knowledge of how to do it right, but a refusal (or inability) to apply this knowledge. Complexity, however, is a different beast; we do not really know how to handle it. Complex systems exhibit more failures as well as more complex failures. These failures are harder to fix because the systems are more complex, and before you know it the system has become unmanageable.

Designing any software system is always a matter of weighing and reconciling different requirements: functionality, efficiency, political acceptability, security, backward compatibility, deadlines, flexibility, ease of use, and many more. The unspoken requirement is often simplicity. If the system gets too complex, it becomes too difficult and too expensive to make and maintain. Because fulfilling more of the other requirements usually involves a more complex design, many systems end up with a design that is as complex as the designers and implementers can reasonably handle. (Other systems end up with a design that is too complex to handle, and the project fails accordingly.)

Virtually all software is developed using a try-and-fix methodology. Small pieces are implemented, tested, fixed, and tested again. Several of these small pieces are combined into a larger module, and this module is tested, fixed, and tested again. The end result is software that more or less functions as expected, although we are all familiar with the high frequency of functional failures of software systems.

This process of making fairly complex systems and implementing them with a try-and-fix methodology has a devastating effect on security. The central reason is that you cannot easily test for security; security is not a functional aspect of the system. Therefore, security bugs are not detected and fixed during the development process in the same way that functional bugs are. Suppose a reasonable-sized program is developed without any testing at all during development and quality control. We feel confident in stating that the result will be a completely useless program; most likely it will not perform any of the desired functions correctly. Yet this is exactly what we get from the try-and-fix methodology with respect to security.

The only reasonable way to "test" the security of a system is to perform security reviews on it. A security review is a manual process; it is very expensive in terms of time and effort. And just as functional testing cannot prove the absence of bugs, a security review cannot show that the product is in fact secure. The more complex the system is, the harder a security evaluation becomes. A more complex system will have more security-related errors in the specification, design, and implementation. We claim that the number of errors and difficulty of the evaluation are not linear functions of the complexity, but in fact grow much faster.

For the sake of simplicity, let us assume the system has n different options, each with two possible choices. Then, there are about n^2 different pairs of options that could interact in unexpected ways, and 2^n different configurations altogether. Each possible interaction can lead to a security weakness, and the number of possible complex interactions that involve several options is huge. We therefore expect that the number of actual security weaknesses grows very rapidly with increasing complexity.

The increased number of possible interactions creates more work during the security evaluation. For a system with a moderate number of options, checking all the two-option interactions becomes a huge amount of work. Checking every possible configuration is effectively impossible. Thus the difficulty of performing security evaluations also grows very rapidly with increasing complexity. The combination of additional (potential) weaknesses and a more difficult security analysis unavoidably results in insecure systems.

In actual systems, the situation is not quite so bad; there are often options that are "orthogonal" in that they have no relation or interaction with each other. This occurs, for example, if the options are on different layers in the communication system, and the layers are separated by a well-defined interface that does not "show" the options on either side. For this very reason, such a separation of a system into relatively independent modules with clearly defined interfaces is a hallmark of good design. Good modularization can dramatically reduce the effective complexity of a system without the need to eliminate important features. Options within a single module can of course still have interactions that need to be analyzed, so the number of options per module should be minimized. Modularization works well when used properly, but most actual systems still include cross-dependencies where options in different modules do affect each other.

A more complex system loses on all fronts. It contains more weaknesses to start with, it is much harder to analyze, and it is much harder to implement without introducing security-critical errors in the implementation.

This increase in the number of security weaknesses interacts destructively with the weakest-link property of security: the security of the overall system is limited by the security of its weakest link. Any single weakness can destroy the security of the entire system.

Complexity not only makes it virtually impossible to create a secure system, it also makes the system extremely hard to manage. The people running the actual system typically do not have a thorough understanding of the system and the security issues involved. Configuration options should therefore be kept to a minimum, and the options should provide a very simple model to the user. Complex combinations of options are very likely to be configured erroneously, resulting in a loss of security. There are many stories throughout history that illustrate how management of complex systems is often the weakest link.

I repeat: security's worst enemy is complexity. The most serious protocol problem is how to deal with complex protocols (or how to strip them down to the bone).

Get Behind the Mule asks:
Bruce, thanks very much for making cryptography so much more accessible to us all.

You wrote in Applied Cryptography that IDEA was your "favorite" symmetric cipher at the time. Is that still true today?

ANSWER:
It depends what you mean by "favorite." If I needed a secure symmetric algorithm for a design, and performance were not an issue, I would choose triple-DES. No other algorithm has been as well-studied, so nothing can compare in confidence.

The problem is that triple-DES is slow; on a 32-bit microprocessor it encrypts data at a rate of 108 clock cycles per byte. (You have to remember that DES was designed in the mid-1970s for discrete hardware. It is very slow on 32-bit microprocessors.) If I need a faster algorithm, I would use Blowfish. Blowfish encrypts data at a rate of 18 clock cycles per byte. Information on Blowfish is at http://www.counterpane.com/blowfish.html.

Neither is my favorite algorithm. Currently, my favorite algorithm is Twofish. Twofish is our submission to AES. It is still too new to use operationally, but I hope it will see wide use as people analyze it and as confidence grows in its security. Information on Twofish is at http://www.counterpane.com/twofish.html. It's even faster than Blowfish, and (I think) much better designed.

Faster algorithms are more problematic. I don't really like RC4. SEAL is better, but patented by IBM. I don't care for WAKE. I would probably use one of Belgian cryptographer Joan Daemen's designs.

I don't recommend IDEA anymore for several reasons. One, it isn't very fast; on a 32-bit microprocessor it encrypts data at a rate of 50 clock cycles per byte. Two, IDEA is patented, and the terms change regularly. Also, attacks against IDEA have steadily eaten away at the security margin. IDEA has eight rounds, and the current best attack breaks 4.5 rounds. There are still no attacks against the full eight-round cipher, and there is no reason to believe that any are possible. Still, since there are algorithms with much better performance, it seems improper to suggest IDEA.

Speed comparisons of other algorithms can be found at http://www.counterpane.com/speed.html. A detailed paper comparing performance of the AES candidates can be downloaded at http://www.counterpane.com/aes-performance.html. And for a current summary of attacks against various algorithms, see http://www.ii.uib.no/~larsr/bc.html.

Remember, though -- breaking the cryptographic algorithm is almost never the way to attack a security product. There is almost always an easier way to break the security. I've written about this extensively; see http://www.counterpane.com/whycrypto.html and http://www.counterpane.com/pitfalls.html in particular.

Tet asks:
Scott McNealy claims we've already fought and lost the war for personal privacy. Do you agree with him or not, and why?

ANSWER:
One hundred years ago, everyone could have personal privacy. You and a friend could walk into an empty field, look around to see that no one else was nearby, and have a level of privacy that has forever been lost to today's technology. The framers of the Constitution never explicitly put a right to privacy into the document; it never occurred to them that it could be withheld. The ability to have a private conversation, like the ability to keep your thoughts in your head and the ability to fall to the ground when pushed, was a natural consequence of the world. When the Supreme Court found a right to privacy in the Constitution, it's because the language of the Constitution assumed its existence.

Technology has demolished that worldview. Powerful directional microphones can pick up conversations hundreds of yards away. Pinhole cameras -- now being sold over the Internet -- can hide in the smallest cracks; satellite cameras can read the time on your watch from orbit. And the Defense Department is prototyping micro-air vehicles, the size of small birds or butterflies, that can scout out enemy snipers, locate hostages in occupied buildings, or spy on just about anybody.

In the aftermath of the terrorist takeover of the Japanese embassy in Peru, news reports described audio bugs being hidden in shirt buttons that allowed police to pinpoint everyone's location. Van Eck devices can read what's on your computer monitor from halfway down the street. (I heard that the CIA demonstrated this for Scott McNealy at Sun; they captured his password from a van in the company's parking lot.) Lasers bounced off windows can reveal the Doppler effect of compression and rarefaction of air by soundwaves, and eavesdrop on conversations happening on the other side. If an attacker can plug into your power line, it can read it from even further away. Purchase anything lately? Unless you use cash, what, where, and when is recorded in a database. And in many stores, a security camera has recorded your presence while the helpful sales clerk captures your name and personal information.

The ability to trail someone remotely has existed for a while, but it is only used in exceptional circumstances. In 1993, Colombian drug lord Pablo Escobar was found partly by tracking him through his cellular phone usage. Timothy McVeigh's truck was found because the FBI collected the tapes from every surveillance camera in the city, correlated them by time (presumably the explosion acted as a great synch pulse), and looked for it. During Desert Storm the U.S. dropped thousands of miniature robots -- millimeters in diameter -- on Iraq that looked for signs of biological warfare.

The technology to automatically search for drug negotiations in random telephone conversations, for suspicious behavior in satellite images, or for faces on a "wanted list" of criminals in on-street cameras isn't here yet, but it's just a matter of time. Face-recognition software can pick individual faces out of a crowd. Voice recognition will soon be able to scan millions of telephone calls, listening for a particular person; it can already scan for suspicious words or phrases. Moore's Law, which says the industry can double the computing power of a microchip every 18 months, affects surveillance computing just as it does everything else: the next generation will be smaller, faster, and a lot cheaper. As soon as the recognition technologies can find the people, the computers will be able to do the searching automatically.

At the same time, the fear of crime is facilitating a great deal of surveillance, not all of it instigated by the police. Some U.S. airports automatically record the license plates of anyone coming onto airport property, even if it is just to pick up someone. Some cities are installing directional microphones to pinpoint gunfire; others are setting video cameras on lampposts to deter crime. It's getting difficult to walk into a store without being videotaped. Timothy McVeigh couldn't drive a truck through downtown Oklahoma City without it showing up on an in-store surveillance camera, and these cameras were positioned to protect the store, not to track goings-on outside the windows.

The U.S. is initiating a program called "computer-assisted passenger screening," or CAPS. The idea is to match commercial air travelers against profiles of evildoers, using such items as the traveler's address, credit card number, destination, whether or not he is traveling alone, whether the ticket was paid in cash, when the ticket was purchased, whether it was one-way or round trip, and about three dozen other factors that are being kept secret. Needless to say, groups like the ACLU have objected to stopping and searching people based on stereotypes. Not to mention that the data is saved, just in case the government needs to peek into people's pasts. No warrant required, of course.

More is coming. Out of concern for public safety, the FCC has ruled that by 2001, cellular and PCS companies must be able to locate users who dial 911 to within a radius of 125 meters. Consumers will foot this bill through a user tax, and you can be sure that wireless operators will introduce a plethora of other services based on this technology. The companies are probably going to use the cellular technology to locate people, although if they can wait a couple of technological generations they can drop miniature GPS receivers in the phones and do even better. One way or another, people will end up carrying technology that allows them to be digitally tailed. And currently, no warrant is required.

The surveillance infrastructure is being installed in our country under the guise of "customer service." Some hotels track guest preferences in international databases, so that customers will feel at home even if it is their first stay in a particular city. Caterpillar Corporation is installing diagnostic chips into all new farm machinery. These chips alert the local dealer, via satellite, when a part is failing. The dealer can then drive to the farm with a replacement, often before the machine has even broken down. This is great; I'll bet farmers really like the prompt service and the reduction in downtime. But the same technology can be used for other, less benign, purposes.

Automobile surveillance is almost automatic. Rental cars, equipped with GPS navigational systems, can keep a complete record of exactly where that car has been. Mercedes Benz is planning on embedding a Web server into its cars, so that technicians can spot service problems remotely. At least two companies plan on marketing a smart car locator that uses a GPS receiver and a cellular phone to alert the authorities to your whereabouts in case of an emergency. It only takes a slight modification to allow the locator to work automatically when queried by the police. Lojack, the device that can track your car if it has been stolen, can also be used for surveillance. Will net-connected smart cars give police the ability to track everybody in the country simultaneously? Already systems like Lojack do this, as do car phones.

GPS is a dream technology for surveillance. One company is selling an automatic warehouse inventory system, using GPS and affixable transmitters on objects. The transmitters broadcast their location, and a central computer keeps track of where everything is. Spies have probably been able to use this kind of stuff for years, but it's now becoming a consumer item.

Individual privacy is being eroded from a variety of directions. Most of the time the erosions are small, and no one kicks up a fuss. But there is less and less privacy available, and most people are completely oblivious of it. It is very likely that we will soon be living in a world where there is no expectation of privacy, anywhere or at any time.

rise asks:
As one of the stronger voices behind the proposition that only peer reviewed, open, and thoroughly tested algorithms can be trusted you've widely disseminated several algorithms, Solitaire and Yarrow among them. What attacks or interesting analyses have surfaced since their release?

ANSWER:
For those who want to know what he is asking about, you can read about Solitaire at http://www.counterpane.com/solitaire.html, and about Yarrow at http://www.counterpane.com/yarrow.html. And you can read about my position on the importance of using a public, peer-reviewed algorithm at http://www.counterpane.com/crypto-gram-9904.html#different, my snide comments about proprietary cryptography at http://www.counterpane.com/crypto-gram-9902.html, and my dismissing of cracking contests at http://www.counterpane.com/crypto-gram-9812.html#contests.

There has been some excellent analysis of Solitaire by Paul Crowley. He has posted his results to the sci.crypt newsgroup, and you can look them up. Briefly, he found a bug in the code and a problem with the algorithm. I will fix the bug in the code as soon as I get around to it, but the problem with the algorithm is more disturbing. We hope to write a joint paper documenting the problem, and proposing a fix.

I don't think it is a problem operationally, though. Solitaire is a pencil-and-paper cipher designed for very short messages, and the attack will require a lot of ciphertext. Still, it is a problem and one that I should fix.

As to Yarrow, I don't know any outside cryptanalysis. I'd like to see some.

Thagg asks:
I bought your first edition of Applied Cryptography, and you say two things that bother me, with respect to your submission of Twofish as a Federal standard for encryption.

In the forward, you describe how you got interested in cryptography, and that you had no background or training in the field, but you thought it was interesting. Also, several times throughout the book you caution people not to trust cryptosystems from amateurs.

Clearly you have become well versed in the history and application of cryptography, your book makes all other descriptions of the state of the art invisible by comparison. Still, it appears to me that cryptosystem design and analysis requires fairly extreme mathematical proficiency, which I do not believe that you have.

Now, of course, Twofish is published in detail, and the best people in the world have attempted to crack it (and I think that the competitive process that the US Gov't has promoted is a spectacular way to get the best people to attack each other's ciphers). But, I remain somewhat worried that at the foundations of Twofish...is there something missing that a PhD in mathematics and number theory would have seen?

The winner of this competition will likely be the next DES, and will provide security for a fairly large percentage of the planet. The stakes are high. I'm sure that you have an answer to this criticism, and I'm eager to hear it.

ANSWER:
Certainly you should not trust cryptographic algorithms designed by people who have no experience designing and analyzing cryptographic algorithms. The question you ask is different. You are asking if a Ph.D. in mathematics and number theory gives someone any special insights that someone without the Ph.D. would miss. I believe that cryptographic experience is something that is learned through both training and through experience, and that someone with a Ph.D. is not automatically a better cryptographer.

Cryptography is interesting, because there are no absolute metrics. Anyone can design an algorithm that he himself cannot break. This means that anyone, from the best cryptographer to the sorriest man on the street, can design a cryptographic algorithm that works: that encrypts and decrypts data properly, and that the designer cannot break. The false reasoning that often follows is this: "I can't break it, therefore it is secure." The first question that anyone else should ask is: "You say you can't break it; well, who the hell are you?" More on this topic can be found at http://www.counterpane.com/crypto-gram-9810.html#cipherdesign.

The experience of the designers is something that I look at very carefully when I evaluate an algorithm. I can't devote the months and years necessary to convince myself that an algorithm is secure, so I want to know about the people who are convinced. And I don't look at their academic degrees; I look at what else they have broken.

The Twofish team has dozens of published cryptanalytic attacks, breaking all kinds of ciphers. (A list of Counterpane papers can be found at http://www.counterpane.com/publish.html, and David Wagner's published papers can be found at http://www.cs.berkeley.edu/~daw/.) These are impressive results: mod n cryptanalysis, boomerang attacks, slide attacks, side-channel cryptanalysis, related-key differential cryptanalysis, and attacks against Skipjack, Speed, Akelarre, RC5a, CMEA, ORYX, TwoPrime, etc., etc., etc. Interestingly enough, all five AES finalists have been designed by teams that have a similarly impressive list of published cryptanalytic attack. With a couple of exceptions, none of the non-finalists have any cryptanalysts on their teams.

Another thing to look at is the quality of the designer's analysis. I like designs that have long and detailed documents that discuss how the designers have attacked their own design. You can see this in the submissions for Twofish, and for Mars, RC6, and E2. I worry about a cipher like Serpent that does not come with any analysis. Either the designers didn't do any, which is bad -- or they did it and are hiding it, which is worse.

I think these things speak more to the strength of the design than academic degrees.

In fact, I have seen many systems designed by Ph.D. mathematicians with little cryptographic experience, that have been quickly broken. Experience in cryptography is much more important than experience in general mathematics.

It is certainly possible that there are attacks against an algorithm that the designers missed. This is why AES is a public process. Before AES is chosen, dozens of people with Ph.D.s in mathematics will be performing their own analyses on the submissions. If Twofish is chosen, it will because none of those Ph.D.s have found any weaknesses.

But if you want Ph.D.s on the Twofish team, co-designer Doug Whiting has a Ph.D. in computer science from CalTech. His dissertation was on building Reed-Solomon error-correcting codes in VLSI, so it had a heavy math content.

Enoch Root asks:
It was noted in your biography that you hold a degree in Physics in addition to your M.S. in Computer Science. This seems to be a developing trend in IT, as many Physics graduates turn to CS. Neal Stephenson undertook studies in Physics before becoming a writer. I am myself a physics graduate turned computer geek.

What impact do you think your science studies have on your current career? I suspect the high mathematical background of physics prepared you for cryptology, but what other aspects of a science degree come into play in your line of work? Would you call your B.S. in Physics an advantage or a disadvantage?

ANSWER:
The unfortunate answer is that it wasn't very relevant. It was neither an advantage nor a disadvantage, although it was harder to get a job out of college with a physics degree. Physics teaches mathematics, and that was helpful.

If you want to become a cryptographer, study mathematics and computer science. I wrote an essay on this very topic; see http://www.counterpane.com/crypto-gram-9910.html#SoYouWanttobeaCryptographer.

Hobbex asks:
One would think that cryptographers, who study the mathematical means for controlling information (not just secrecy, but also signatures, zero knowledge proofs etc) would be the least inclined to support the artificial limits to information set up by our legal system, and yet the field is littered with patents (probably more so than any other field of mathematics).

You, on the other hand, have been very generous with your algorithms and cryptos. Is there a political, ideological, or practical reason behind this?

ANSWER:
It is impossible to make money selling a cryptographic algorithm. It's difficult, but not impossible, to make money selling a cryptographic protocol.

Look at algorithms first. There are free encryption algorithms all over the place: triple-DES, Blowfish, CAST, most of the AES submissions. Look again at the URLs attached to question 6. It makes sense for a designer to use one of these public algorithms. If I patented Blowfish, no one would have used it. No one would have analyzed it. (Why would they do work for free, if I were making money off of it?) Only because Blowfish is free is it in over 100 products. (For a list, see A HREF="http://www.counterpane.com/products.html">http://www.counterpane.com/products.html.) If I patented it and charged for it, it would be much less widely used. IDEA is a good example of this. IDEA could have been everywhere; for a while it was the only trusted DES replacement. But it was patented, and there were licensing rules. As a result, IDEA is barely anywhere. SEAL is a great-looking stream cipher. But because IBM has a patent on it, no one uses it.

The early public-key patents are the only exception to this. Because the patents controlled the concept of public-key cryptography, there was no way to do public-key encryption, key exchange, or digital signatures without licensing the patents. This exception is over; the Diffie-Hellman patents have expired.

Regularly I hear from algorithm inventors who want to patent their new cool algorithm and then sell it. This business plan has absolutely zero percent chance of succeeding. I recommend that people give their cryptography away, and use the PR benefit to make a living. If the IDEA patent holders did that, they would be much better off.

Protocols are a little bit different. You can patent a protocol and turn it into a useful business. It's hard; most of the time a competitor can engineer around a protocol patent. But it is possible, and many companies are making a go at marketing patents in authentication, certificate revocation, digital content protection, etc. I'm not thrilled by this, but it's the reality of American business today.

aheitner asks:
As many know, your Twofish algorithm is one of the (many) submissions to become the AES standard. The goal for these algorithms is to be able to implement them extremely cheaply in hardware -- say on a 6800 with 256 bytes of RAM. In other words, cheaply enough to put on a smart card.

But IBM's team alleges that any algorithm that simple can be fairly easily cracked by doing a power usage analysis on the chip (by watching fluctuations in the electrical contacts with the reader) and that the necessary equipment to protect against power analysis would be equivalent to a much more complex processor -- so much so you might as well just implement a different and more complex (and hopefully power-random) algorithm. Of course IBM suggests their own implementation.

What do you think? Is there a way to build a simple smart card so that power analysis isn't a problem? Perhaps the whole question will become irrelevant since we'll be carrying around so much processing power in our PDAs that we'll just use them?

ANSWER:
Power analysis involves breaking a cryptographic algorithm by looking at the power trace from a chip executing that algorithm. This is a specific case of what I call "side-channel attacks." I wrote about side-channel attacks at http://www.counterpane.com/crypto-gram-9806.html#side, and some excellent information on power analysis can be found at http://www.cryptography.com/dpa/index.html.

I don't believe it is possible to create a cryptographic algorithm that, because of its mathematics, is immune from side-channel attacks.

Any cryptographic primitive, such as a block cipher or a digital signature algorithm, can be thought of in two very different ways. It can be viewed as a mathematical object; typically, a function taking an n-bit input and producing an m-bit output. Alternatively, it can be viewed as a concrete implementation of that mathematical object. Traditionally, cryptanalysis has been directed solely against the mathematical object, and the resultant attacks necessarily apply to any concrete implementation. The statistical attacks against block ciphers -- differential and linear cryptanalysis -- are example of this; these attacks will work against DES regardless of which implementation of DES is being attacked.

In the last few years, new kinds of cryptanalytic attacks have begun to appear in the literature: attacks that target specific implementation details. Both timing attacks and differential fault analysis make assumptions about the implementation, and use additional information garnered from attacking certain implementations. Failure analysis assumes a one-bit feedback from the implementation -- was the message successfully decrypted -- in order to break the underlying cryptographic primitive. Related-key cryptanalysis also makes assumptions about the implementation, in this case about related keys used to encrypt different texts. Side-channels attack are a generalization of this idea.

These attacks don't necessarily generalize -- a fault-analysis attack just isn't possible against an implementation that doesn't permit an attacker to create and exploit the required faults -- but can be much more powerful. For example, differential fault analysis of DES requires between 50 and 200 ciphertext blocks (no plaintext) to recover a key.

A side-channel attack occurs when an attacker is able to use some additional information leaked from the implementation of a cryptographic function to cryptanalyze the function. Clearly, given enough side-channel information, it is trivial to break a cipher. An attacker who can, for example, learn every input into every S-box in every one of DES's rounds can trivially calculate the key. What is surprising is how little side-channel information is necessary to break an algorithm. I have published a paper on side-channel attacks against block ciphers at http://www.counterpane.com/side_channel.html.

You can't design the math to solve this problem. You can try to design he hardware so that side-channel information does not leak; this seems to be far more difficult than it appears. Or you can design your cryptographic protocols so that side-channel attacks don't matter. This makes the most sense. Choosing AES based on side-channel resistance is short-sighted.

A long digression on AES, for those who haven't been following the process and for those who care about the outcome: AES is the Advanced Encryption Standard, the new encryption algorithm that will replace DES. NIST is in the process of defining a new encryption standard, which will have a longer key length (128-, 192-, and 256-bit), larger block size (128-bit), be faster than DES, be patent-free, and hopefully will remain strong for a long, long time.

The process is an interesting one. In 1997, NIST sent out a request for candidate algorithms. They received fifteen submissions by the June 1998 deadline, five from the U.S. and ten from other countries. In August, we (my own algorithm, Twofish, was one of the submissions) presented our algorithms to the world at the First AES Candidate Conference.

There was a Second AES Candidate Conference in Rome in March 1999, where people presented analyses of the algorithms. NIST chose five finalist algorithms this summer: Mars, RC6, Rijndael, Serpent, and Twofish. There will be a third AES Candidate Conference in New York in April 2000. NIST is also accepting public comments on the algorithms through 15 April 2000. Finally, NIST will choose an algorithm to become the standard (or perhaps more than one algorithm).

Cryptographers are busily analyzing the submissions for security. It's tempting to think of the process as a big demolition derby: everyone submits their algorithms and then attacks all the others...the last one standing wins. Really, it won't be like that. I strongly believe at the end of the process most of the candidates will be unbroken. The winner will be chosen based on other factors: performance, flexibility, suitability.

This means that we need your input into this process. I know you're not cryptographers, and you won't be able to comment on the mathematics of the various submissions. But you can comment on your encryption requirements, and whether the algorithms will suit your needs.

• AES will have to work in a variety of current and future applications, doing all sorts of different encryption tasks. Specifically:
• AES will have to be able to encrypt bulk data quickly on top-end 32-bit CPUs and 64-bit CPUs. The algorithm will be used to encrypt streaming video and audio to the desktop in real time.
• AES will have to be able to fit on small 8-bit CPUs in smart cards. To a first approximation, all encryption DES implementations in the world are on small CPUs with very little RAM. It's in burglar alarms, electricity meters, pay-TV devices, and smart cards. Sure, some of these applications will get 32-bit CPUs as those get cheaper, but that just means that there will be another set of even smaller 8-bit applications.
• AES will have to be efficient on the smaller, weaker, 32-bit CPUs. Smart cards won't be getting Pentium-class CPUs for a long time. The first 32-bit smart cards will have simple CPUs with a simple instruction set. 16-bit CPUs will be used in embedded systems that need more power than an 8-bit CPU, but can't afford a 32-bit CPU.
• AES will have to be efficient in hardware, in not very many gates. There are lots of encryption applications in dedicated hardware: contactless cards for fare payment, for example.
• AES will have to be key agile. There are many applications where small amounts of text are encrypted with each key, and the key changes frequently. This is a very different optimization problem than encrypting a lot of data with a single key.
• AES will have to be able to be parallelized. Sometimes you have a lot of gates in hardware, and raw speed is all you care about.
• AES will have to work on DSPs. Sooner or later, your cell phone will have proper encryption built in. So will your digital camera and your digital video recorder.
• AES will need to be secure as a hash function. There are many applications where DES is used both for encryption and authentication; there just isn't enough room for a second cryptographic primitive. AES will have to serve these same two roles.
• AES needs to be secure for a long time. Infrastructure is hard to update. Like DES, AES hardware is likely to be installed and used for decades. A radical new algorithm, with interesting and exciting ideas, just doesn't make sense. A conservative algorithm is what is needed.

Choosing a single algorithm (or even a pair of algorithms) for all these applications is not easy, but that's what we have to do. It might make more sense to have a family of algorithms, each tuned to a particular application, but there will be only one AES. And when AES becomes a standard, customers will want their encryption products to be "buzzword compliant." They'll demand it in hardware, in desktop computer software, on smart cards, in electronic-commerce terminals, and other places we never thought it would be used. Anything we pick for AES has to work in all those applications.

So how do you comment? NIST is accepting formal comments either on paper or by e-mail. See http://www.nist.gov/aes for instructions. Be sure to identify who you represent and what cryptography interests you have. And if you have any weird cryptography applications or environments, tell me. I'd like to know. Remember, the AES is going to be your cryptography standard for the 21st century. Tell NIST what you think.

Christopher B. Brown
Several announcements have been made lately about ciphers being assortedly vulnerable/invulnerable against Quantum cryptography.

Quantum physics seems to be the "magical" form of physics, and its application to cryptography even more magical. I don't think I properly understand "quantum cryptography," and I don't think that most of the people that have made public comment on it understand it terribly well either.

Could you comment on the present state of Quantum cryptography, and its probable relevance in public matters short term (which appears nonexistent), medium term (where the research of today may be in 5-10 years), and longer term?

ANSWER:
There are two separate applications of quantum mechanics to cryptography: quantum computing and quantum cryptography. I think you are conflating the two. Let me take them up in turn.

Quantum cryptography is a means of using quantum mechanics for key exchange. Basically, because it is impossible to measure the state of a quantum system without disturbing it, the physics of the key-exchange protocol allows you to detect eavesdroppers. It's a cool idea, and I spend a few pages in _Applied Cryptography_ explaining it in detail.

Quantum computing is newer. It turns out that it is theoretically possible to build a quantum computer. And, if you can build such a beast, it can factor large numbers and calculate discrete logarithms efficiently. Hence, it renders pretty much all of public-key cryptography insecure.

Both of these things are pretty far out. Quantum cryptography has been demonstrated in the lab; British Telcom researchers have exchanged keys over a 10km fiber-optic link. This is interesting, but I don't see it being used very much. The mathematics of cryptography, while not perfect by any means, is the one thing we can do well. There are so many easier ways of breaking into systems, it doesn't make any sense to replace mathematics with physics. And math is always cheaper.

Quantum computing is far out technologically. These computers are theoretically possible to build. We actually have no idea how to build them. Figure it will be ten or twenty or more years before this has a possibility of being a reality. An excellent article was published in a magazine called _The Sciences_. You can find it at http://cryptome.org/qc-grover.htm.

And when it becomes a reality, it does not destroy all cryptography. Quantum computing reduces the complexity of arbitrary calculations by a factor of a square root. This means that key lengths are effectively halved. 128-bit keys are more than secure enough today; 256-bit keys are more than secure enough against quantum computers.

Neville asks:
What's your response to the notion that the web's reliance on centralized Certificate Authorities for secure commerce is ultimately flawed? There are those, like the Meta Certificate Group, who feel that a hierarchical chain of certificates leading back to only a couple of elite organizations won't hold up in the distributed environment of the Internet. The entire framework of e-commerce seems to stand on the private keys of Verisign and Thawte. Do you feel this is a danger, and will there be viable alternatives?

ANSWER:
I agree with you 100%. The notion of a single global public-key infrastructure (PKI) makes no sense. Open your wallet, and you will see a variety of different authentication credentials: driver's license, credit cards, airline frequent flyer cards, library cards, a passport, and so forth. All of these are analog certificates, and will eventually have digital equivalents. There's no reason in the world why Visa can't use your driver's license number as a credit card number; it's just a pointer into a database, after all. But Visa never, ever will. They want control over issuance, update, and revocation. Similarly, digital credentials only make sense when the entity who cares about the credential controls the issuance, use, update, and revocation of that credential.

I have jointly written a paper with Carl Ellison called "Ten Risks of PIKI: What you aren't being told about Public Key Infrastructure." It will be published in the Winter 2000 issue of the _Computer Security Journal_. It's not on my Web site yet, but will be in by December. (Watch http://www.counterpane.com for details.) You can find a lot more good material on the problems with PKI at Carl Ellison's Web site: http://www.clark.net/pub/cme/html/spki.html.

jovlinger asks:

Bruce,

In a recent cryptogram, you write that most symmetric ciphers need more entropy than people can remember and hence supply. Even with bio-metrics adding more bits, it is not really worth the effort to construct ciphers with more than 128 bits of entropy in the key, because people won't give them more than that much entropy in the pass phrase.

However, social and technological pressures make longer and longer keys a necessity. What promising approaches do you see for making remembering and entering -- even though I have long passages of text memorized, I don't want to type them in for each e-mail I want to send -- usefully long passphrases?

I.e., to paraphrase, would you discuss the state of the art of cipher/human interaction, as it pertains to key management?

ANSWER:
For the rest of you, the Crypto-Gram article he mentions is at http://www.counterpane.com/crypto-gram-9910.html#KeyLengthandSecurity. In it, I argue that people just can't remember complicated enough keys and passwords to be immune from brute-force attacks (for example, L0phtcrack, see http://www.l0pht.com/l0phtcrack). Some of us can, but the masses that are using the Internet aren't able to, can't be bothered to, and won't be cajoled to.

The other way to carry around a large pool of random bits is on a data storage mechanism: a smart card, a Dallas Semiconductor iButton, a chip inside a physical key (like the device DataKey sells). These mechanisms are more annoying than passwords and passphrases, but they work. There's no real alternative; if something is too large to memorize, the only solution is to store it somewhere.

I don't believe that biometrics will ever become cryptographic keys. I wrote about this at http://www.counterpane.com/crypto-gram-9808.html#biometrics. Biometrics does have use as an authentication mechanism (note the difference), if it is engineered properly.

-----------------------

Next week: Mick Morgan, "the Queen of England's Webmaster," will answer questions about why not only the Royal Family's Web site but also the huge open.gov.uk site (and more than 80 other official UK Web sites) now run on Linux.

Your Mama writes "Just how malleable is the brain? How easily can a person overcome the forces -- genetic and environmental -- that shape a creature from birth? Over the last few weeks, evidence has emerged that throws these questions into a new light. The NY Times has the article" (The usual "free NYT registration required" notice would be here if we weren't so bored with it.)

Geoffrey Kidd writes "Hemos posted an article about the Berkeley Smart Dust project on Sept. 8. I've located Pister's web site which includes a block diagram of the gadget and some other details on the progress they're making."

Geoffrey Kidd writes "Hemos posted an article about the Berkeley Smart Dust project on Sept. 8. I've located Pister's web site which includes a block diagram of the gadget and some other details on the progress they're making."

sumana writes "Today in history: On this day in 1969, "Monty Python's Flying Circus" made its debut on BBC Television. (according to the New York Times's online "Learning" section, free registration required, yada yada spam spam spam) " As Eric Idle says: "And to celebrate, we're doing nothing!"

Alec Muzzy writes "The U of C of Berkeley has reported that on Neptune the intense heat and pressure of the atmosphere likely creates diamonds out of methane which then fall like hail on the gas giant. " Interesting reasons why - but isn't it a Arthur C. Clarke book that postulates, back in the 80s, that the center of of the gas giants are enormous diamonds - like the size of the earth?