Slashdot Mirror

While that's a tempting view to hold... Apple encrypts their iOS devices with crypto the government cannot easily, if at all, break (the San Bernadino shooter's phone, which kept them flummoxed for a while, was an old model and improvements have been made since then). Apple also recently announced changes to their app SDK that basically means your servers *must* use good TLS, unless you want to apply for exceptions for every unsecured connection your app wants to make. Microsoft has been making BitLocker available in more and more devices, and as far as I know the government has no way to break that either (unless you let Win10 upload your recovery key to Microsoft, which is not the most trustworthy move on their part but can be avoided). Google has been pushing encryption on their devices as well, and between their data centers, and in their browser. Amazon temporarily dropped encryption on Kindle Fire devices, but then restored it. Not sure what Cisco/Juniper/F5 would have to say (and they've sometimes been the bottleneck on crypto (TLS) advances on the Internet, though I think that's more out of laziness and lack of quality than anything else), but they've got to compete with the likes of Huawei and aren't going to want the government to do anything that makes them look even less trustworthy than those folks. I wouldn't trust anything out of Oracle even if they just said the sky was blue, but I doubt it's actually in their best interest to have backdoored crypto either. In other words, there are plenty of tech companies that are demonstrably fighting against this bullshit.

Of course, at some level all those companies rely on other organizations (hardware manufacturers, certificate authorities, compiler providers, all the way up to the people who pick cryptographic primitives to support and identify the parameters that are best to use with them) to make it possible to build a backdoor-less crypto system. Remember Dual_EC_DRBG, and how the NSA bribed RSA Security to make it the default? How about "Reflections on Trusting Trust" (PDF link)?

'Compiler' you say, yeah about that ... https://www.ece.cmu.edu/~gange...

The one takeaway I had from reading the CERT article here: https://insights.sei.cmu.edu/c... is that the bad UI design decisions affect more than just the macros.

Ken Thompson must be spinning in his grave!

1984 wasn't intended as an instruction manual.

Ken Thompson is not dead!

Ken Thompson must be spinning in his grave!

1984 wasn't intended as an instruction manual.

Translating audio in real time is a fool's errand.
Erm ... you are 20 years behind ...

The biggest "known" project for natural language _voice_ translation was probably the Microsoft one, it got canceled.

It got not canceled because it is to hard, but because Bill Gates was pissed off.

Mr Gates visited the University of Karlsruhe, now KIT, in 1996 and gave a speech. The speech was translated and transcribed in realtime from english to german.

When Bill Gates asked afterwards how this was done Prof. Alex Waibel (Prof at KIT and Carnegie Mellon University) explained that he and his teams are working on real time voice language recognition and translation since ~1987.

Shortly afterwards Microsoft canceled their research/development program.

Why we only have a few (and there are actually quite a few) real life applications of that technology, I don't know. (You find them in your App store for iOS and Android)

Real time language to language translation is not that hard ... at least not as hard as it once was. Surprisingly against the laymen's assumptions it is particular easy e.g. to translate English to/from Japanese, or Thai for that matter.

The language translation tools of KIT and CMU e.g. use Japanese as an interims language. The translation goes from source language to Japanese and from Japanese to target language. That is done, because the "sense" of a sentence can be expressed very clearly in Japanese. You can basically simply construct a language neutral (parse) tree of meaning by using Japanese as the intermediate language. My Thai is very bad, but as far as I can tell you could use Thai as well, or probably Korean.

Why do I know all that? I worked for Prof. Waibel at the KIT (former University of Karlsruhe) as a unix guru from roughly 1990 till 1998.

http://www.cs.cmu.edu/~ahw/

I guess you didn't realize that an H1-B can be coverted to a green card.

out of academic transparency

See all of those corporate logos all over Red Team's vehicles? Do you really think CMU published the coolest stuff they developed?

https://www.fastcompany.com/10...

http://www.equipmentworld.com/...

https://www.saic.com/

https://www.tttech.com/

jealously-guarded corporate secrets.

Patents are anything but that. In fact they tell the world exactly how you do something.

It was Content Scramble system (CSS), the DVD encryption scheme. Shirt-based decryption shown here.

Hm ... I guess those guys think different: https://www.sei.cmu.edu/cmmi/

Also, what is so hard to grasp that there is no "engineer"?

There are "mechanical engineers", "electrical engineers" and others and in the end also "software engineers", I for my part actually studied "software engineering" and "computer science" ... funnily I should have worded it different, I studied "computer science" and "software engineering" is a important but depending on what else you study: a small sub section of CS.

I don't care what kind of engineer you are, that you seem so pissed, in real live I'm half an "Requirements Engineer", wow ... another engineer ...

While we're at it, let's not forget the contributions to the English language that come from The Great White North:

https://www.cs.cmu.edu/~steffa...
http://geekmom.com/2013/12/55-...
http://mentalfloss.com/article...
http://www.americansguide.ca/i...
http://www.craigmarlatt.com/ca...

That's enough for now. Note in particular that Canadians can say "homo milk" without giggling.

And how is this 'Internet of Things' supposed to function given the current lack of Internet security, yet more marketing waffle similar to the 'cloud'. Besides, does anyone remember that coke machine that was once connected to the Internet ref.

Computer use at home linked to school failure, increased drug use
Ipad initiative failure
Why the computer is not dominating schools
Why has the computer failed in schools and universities - 20 years later, the "solutions" outlined at the end are still not workable, because, ironically, they need much more individual teacher input than was realized at the time.
There are no technology shortcuts for good education

The history of electronic technologies in schools is fraught with failures.
Computers are no exception, and rigorous studies show that it is incredibly difficult to have positive educational impact with computers. Technology at best only amplifies the pedagogical capacity of educational systems; it can make good schools better, but it makes bad schools worse.
Technology has a huge opportunity cost in the form of more effective non-technology interventions.
Many good school systems excel without much technology.

The inescapable conclusion is that significant investments in computers, mobile phones, and other electronic gadgets in education are neither necessary nor warranted for most school systems. In particular, the attempt to use technology to fix underperforming classrooms (or to replace non-existent ones) is futile. And, for all but wealthy, well-run schools, one-to-one computer programs cannot be recommended in good conscience.

How many schools can even afford one-on-one computer classes, even in the industrialized nations? Because it doesn't work when you try to do it in bulk, as if the kids were computers to be programmed.

Report Finds K-12 Computer Science Education Declining; Most Schools Teach How To Use Computers, But Nothing Deeper

A search for "double-blind experiment computer use in schools" doesn't produce anything apparently relevant. Why are there no hard data available on something that's gobbling up $10 billion a year out of school budgets? The simplest answer is, as always, follow the money.

He says he has 15 years as a "SW engineer/developer" which I take to literally mean "SW developer with no engineering training."

No, he meant what he said. He is a Software Engineer with 15 years experience and/or Software Developer with 15 years experience.

Obviously he is not an Engineer in an traditional engineering discipline like electrical engineering or mechanical engineering.

And before you claim that "software development" may not be called "software engineering" then lease tell that to those guys: http://www.cmu.edu/silicon-val... FYI: their degree is called: MS in Software Engineering, oops: so no one claims that developers are "Engineers" es in "Engineer", they are "Master of Science" ... yes, now you claim that CS is not a science ... but well: the people in that field disagree ;D

repost

Perl Festivity Level 1: Developers and users have gathered to nibble hors d'oeuvres and chat amiably with each other about the Modern Perl Renaissance. With every sip of their drinks Perl seems ever more striking. Some are gathered around the upright piano improvising songs that proclaim how it is faster, neater, and sharper than ever before with its asynchronous APIs.

Perl Festivity Level 2: Everyone is talking loudly -- sometimes to each other, and sometimes to nobody at all. Perl seems even better. Perl Monks are patiently explaining syntax and style to potted plants and other nearby objects. Around the piano people are feeling fun and flexible, just as programming in scripting languages used to be. Someone is crooning a bawdy ballad where a couple of inexperienced DOM and CSS selectors encounter a very supportive bundled development server.

Perl Festivity Level 3: Monks are arguing violently and defrocking one another over nested do...until loops that bail on exceptions. People are gulping down other peoples' drinks, placing hors d'oeuvres in the upright piano to see what happens when the little hammers strike as everyone bawls "Got my Mojolicious workin' ... but it don't work on Python!" They have lost count of their drinks, and the world is harmonious with blissful adherence to modern interfaces and standards.

Perl Festivity Level 4: All the guests, hors d'oeuvres smeared all over their naked bodies are performing a ritual dance around a burning heap of tables and chairs in celebration of postfix dereference syntax, subroutine signatures, new slice syntax and numerous optimizations. The piano is missing.

~~ with apology and deference to Dave Barry

Agree entirely, but the problem is subtler...

Reflections on Trust

5 seconds of googling:

Carnegie Mellon's primary IP address range (128.2.#.#).

https://www.cmu.edu/iso/govern...

--
BMO

printf("\v"); This was published in August 1984, and credits other work prior to that, including a security critique of an "early version of Multics". It's a 40 year old attack. Your "full trust" argument is bullshit. There are mitigations for this specific trust attack, but they're not practiced widely. And other similar trust attacks aren't mitigated at all.

If someone writes malware for Linux, there will be malware for Linux. (And it has already happened.) The only thing keeping malware on Linux from being widespread is that most people dumb enough to install random shit from a website don't run Linux. It's what protected the Mac for so long: it wasn't a juicy target. If/When Linux reaches the masses, there will be plenty of malware for it.

You can't protect stupid people from themselves. You have to protect yourself from stupid people. That's the way the world works, regardless of your computer's operating system.

Now get off the stump in the middle of my lawn.

Thirty-one years later, it's still worth reflecting on it.

This only works if Debian can guarantee the integrity of the development tool chain. See this >30 year old talk/paper by Ken Thompson describing the problem. Once inserted, the malware is persistent and invisible. Re-compiling your compiler and applications from known-good versions doesn't help.

The problem got a lot more complicated for the attacker today... Thompsons attack works well if there are only a few architectures and only a single compiler. But the attack complexity grows exponentially in the presence of multiple architectures (that can be used to cross-compile each other) and multiple compilers (that can compile each other). Now you need a compiler virus that not only compiles on all architectures well, it also needs to detect all kind of compilers that are there and works on all versions of them. The "reproducible build" system makes it even worse for the attacker, because its easier to to compare the results.

This only works if Debian can guarantee the integrity of the development tool chain. See this >30 year old talk/paper by Ken Thompson describing the problem. Once inserted, the malware is persistent and invisible. Re-compiling your compiler and applications from known-good versions doesn't help.

I was thinking about this being a problem a while back - how to deal with building something from source and knowing I was getting the same output that the developers wanted me to have. Coincidentally about the same time, this article popped on Slashdot and introduced me to Ken Thompson's article Reflections on Trusting Trust - a great read and something that really opened my eyes (in that wide-open-because-of-terror kind of way).

Also from that thread came this email from one of the Tor developers talking about their deterministic build process to do the same thing.

I think this is a problem that would be really great to solve as soon as possible. I very much hope that once we start seeing more reproducible builds we don't suddenly find out that certain compilers have been compromised long ago.

I was thinking about this being a problem a while back - how to deal with building something from source and knowing I was getting the same output that the developers wanted me to have. Coincidentally about the same time, a href="http://developers.slashdot.org/story/13/06/20/1548228/are-you-sure-this-is-the-source-code">this article popped on Slashdot and introduced me to Ken Thompson's article Reflections on Trusting Trust - a great read and something that really opened my eyes (in that wide-open-because-of-terror kind of way).

Also from that thread came this email from one of the Tor developers talking about their deterministic build process to do the same thing.

I think this is a problem that would be really great to solve as soon as possible. I very much hope that once we start seeing more reproducible builds we don't suddenly find out that certain compilers have been compromised long ago.

Christoph Mertz, senior project scientist in CMU's Robotics Institute, is developing a computer program to detect potholes, cracks and other irregularities in roads. Mounted on the windshield of a car, a camera captures images of the street and measures the severity of potholes and cracks. Read more: http://triblive.com/news/alleg... Follow us: @triblive on Twitter | triblive on Facebook

Puns aside about consoles insomnia. Wasting $100s of dollars of you power bill every year is not a serious concern for the video game industry. In 2008 the NRDC, the US EPA with their EnergyStarWalmart beat the console industry about the head and neck and the video game industry managed to sandbag any regulation that even a GE or Sylvania could not for lighting. The reason is simple sloth and incompetence. Simply put the problem is not energy used during game play , but the lack of a meaningful sleep mode. This lack of sleep mode is driven by poor APIs to book mark game status and put the console into sleep mode. The other energy driver is the console companies instant on collecting detailed data of how you use your device and uploading it when you are not playing plus forcing add and other "content" down to your console when it should be sleeping.

Enjoy!

• Secrecy, flagging, and paranoia: adoption criteria in encrypted email
• How to make secure email easier to use
• Why Johnny Can't Encrypt and Why Johnny Still Can't Encrypt
• Views, reactions, and impact of digitally-signed mail in e-commerce
• Usability of security: a case study

Health care is generally a better bet than road safety, with many interventions saving money rather than costing it, but road safety is certainly near the top. Here's an impressively comprehensive list (but, sadly, rather old): http://www.ce.cmu.edu/~hsm/bca...

You're definitely right about the Wikipedia article glossing over some of the specifics, but I'm not sure I agree that the dichotomy is false. (I'll have to dust off the cobwebs a bit—I first learned this stuff when I was studying CS at Carnegie Mellon way back in the early '90s. :)

My understanding is that one important reason to separate the literal function from the closure (function + scope) has to do with separating syntax from semantics. You the function itself just gives you the symbol manipulation; you can't interpret the meaning of it until you have its context, in the form of a scope (or stack frame, etc.).

Symbolic manipulation versus semantic meaning is really important when you're proving things like computability. I remember back in a graduate mathematical logic course, we used only formal logic to prove some complex fundamental theorem of calculus—but the meaning of that theorem was completely irrelevant, we did the proof entirely through symbol manipulation. So we were able to derive the proof syntactically, without any of the calculus semantics. Not sure if that helps illustrate the difference. Like I said, it's been a while since I studied this stuff. :)

From a more practical perspective, this matters a lot when doing compiler optimization. When you use an anonymous function—where "anonymous" literally just means "doesn't have a name"—a typical compiler will do all sorts of optimizations. I see this a lot when doing .NET programming: if you have an anonymous method that has the same contents as a named method, the C# compiler will just call it, or if the anonymous method is only called once, it may just embed it directly into the calling method, etc. (You can actually see this yourself by writing some code, compiling it, and using ildasm to look at the byte code.) Capture is really important here: this won't work with a closure, because it has the scope. However, a lot of times something that looks like a closure doesn't actually require the scoped variables, or they can be passed in as references, so it can be compiled into an anonymous function.

I've been doing a lot of Scala programming lately, and it's done a lot differently behind the scenes in Scala—and the delineation between anonymous and named is a lot more blurry from a compiler perspective. If you define a Scala function:

object MyScalaObj { runAFunction(f: Int => Int) { println(f(3)) } }

this looks a lot like it takes as its f parameter the kind of method that's compiled into a compiler-named anonymous method. But Scala is bytecode-compatible with Java, so this is actually done on the object level—you can pass it an instance of an object (in this case, an instance of scala.runtime.AbstractFunction1):

static Function1 FunctionObj = new AbstractFunction1() {
      @Override
      public Object apply(Object i) {
            return (Integer)i + 6;
      }
};

and call it like this from Java:

MyScalaObj.runAFunction(FunctionObj);

So when the Scala compiler compiles an anonymous method, it generates an object like FunctionObj. The reason this is relevant is because what looks anonymous to Scala is actually not just a function with a stack context, but in fact an actual object on the heap. This is about as far from a literal function as you can get.

And now you know why I thanked Bob Harper in the preface to my most recent book. :)

Even then it would be easy to inject the backdoor when compiling as explained in the classic paper "KEN THOMPSON - 1984 - Reflections on trusting trust" https://www.ece.cmu.edu/~gange...

Competitors only? Not, for example, in a joint venture?

http://www.cmu.edu/cie/news/20...

http://blog.uber.com/carnegie-...

If someone is curious it was 170M of total bets. Bot at least is not total fish. https://www.cs.cmu.edu/brains-...

Choice quote: "Lena became for the engineers something like what Rita Hayworth was for U.S. soldiers in the trenches of World War II."

More historical background available here and here.

I find this picture totally unacceptable! Mostly because they replicated the top line, because their scanner fucked up. Fortunately it features a friendly looking lady.

Not only that, but in the article he completely dismisses/ignores/pretends-it-doesn't-exist the Toyota unintended acceleration analysis that happened after the NASA folks got their chance. Turns out the NASA folks didn't get everything there was to analyze, and low and behold once all of the info was available: Toyota's engineers did a crap job of safety in their software.

Full details can be read here.

I can't speak to him being a shill, but he's definitely either misinformed or disingenuous.

TFS refers to TFA which refers to another TFA, and all of them are pathetically written. Here's a link at CMU discussing the competition. This is the second link in TFS, but it's not clear that all of the other links in the first paragraph are just trash.

In any case, a couple of points and/or musings:

• 1500 hands per day, 6 days per week, for two weeks running. I only play at a hobby level, but...isn't that a whopping lot to expect of the human players? Any serious players out there who can comment?
• One of the pros expects fewer "mind games". But mind games are part of the game - if this is a decent AI, shouldn't he be in for more mind games?
• The hands are "prepared". On the one hand, this bothers me, because we must assume that the researchers do not (even subconsciously) select hands that their AI can win. On the other hand, the reason for the preparation (only discussed in the CMU article - all of the "journalists" failed to understand this point) is so that they can play duplicate, in support of better scientific results.

As a final note: may I please encourage submitters and/or our illustrious editors to not fluff up submissions with links to crappy articles that miss most of the important points? Just the source link would have been enough - it's a good article with real information written in actual English.

There's also the digging for blackmail material. The cult of Scientology digs up blackmail material this way, and uses it against you if you ever leave. The process is called "dead agenting".

        http://en.wikipedia.org/wiki/S...

Scientologists are very difficult to reliably polygraph, because of the hundreds or thousands of hours of "E-meter" training, which is a simple polygrpah device. It's a simple Wheatstone bridge, with a copy of the patent at:

        https://www.cs.cmu.edu/~dst/E-...

The last time the U.S. government fought the Scientologists, the CoS literally sent in hundreds of moles to infiltrate the IRS, harassed them with thousands of FOIA requests and bogus lawsuits, hired an army of private investigators to harass individual IRS and FBI employees, and hired a team of lobbyists to swarm Congress and the Presidency:

http://en.wikipedia.org/wiki/O...
http://www.cs.cmu.edu/~dst/Cow...

AND THE SCIENTOLOGISTS WON. The in 1993 the IRS finally backed down in absolute capitulation. The defeated U.S. government even added religious persecution of Scientologists to their list of human rights abuses as part of their surrender deal.

You think they're going to fight the CoS again after that? The U.S. government is scared shitless of the CoS. They would rather fight Russia than ever fight the CoS again.

equivalent of a 486DX2

Really? You couldn't just give the actual CPU?

All high level application computing is done on a Sparc LX class portable computer manufactured by RDI Computer Corporation. See Figure 2. Key components of this computer are a 50MHz MicroSparc CPU, 32 MB's of RAM, 970 MB's of hard disk space, and a 1024x768 active matrix LCD display. (For comparison, this processor is about equivalent to a 486DX2/66 using Spec ratings as a guide.) The laptop contains an optional Peripheral Expansion Unit which is equipped with two SBUS slots and space for additional hard disk drives. The two SBUS slots contain a Datacell color video digitizer and a Performance Computer Company quad serial port expansion unit. The laptop runs SunOS 4.1.x.

I went to https://www.men.cs.cmu.edu/bab... to see if any men had ever done anything in computer science. Apparently not.

The truly funny part is that women wanted absolutely nothing to do with computers until there was money to be made.

Why you stupid sonofabitch.

https://www.women.cs.cmu.edu/a...

I just was going to mention the CMU project and someone beat me to it. They drove nearly autonomously from Pittsburgh to San Diego in 1995. Here are some (old) relevant links:

• Project webpage
• No Hands across America Press Release
• Further info with actual dates
• Summary of a 1995 paper about the project

The CMU project was not anything that was near consumer-ready and it also was not 100% autonomous. IIRC, humans had to intervene in more complicated driving scenarios and the autonomous system handled the open highway stuff. they report a figure of 96% or so autonomy by miles driven on a shorter trip from Pittsburgh to DC. So it's not like they had everything figured out back in 1995. But still...1995!

I just was going to mention the CMU project and someone beat me to it. They drove nearly autonomously from Pittsburgh to San Diego in 1995. Here are some (old) relevant links:

• Project webpage
• No Hands across America Press Release
• Further info with actual dates
• Summary of a 1995 paper about the project

The CMU project was not anything that was near consumer-ready and it also was not 100% autonomous. IIRC, humans had to intervene in more complicated driving scenarios and the autonomous system handled the open highway stuff. they report a figure of 96% or so autonomy by miles driven on a shorter trip from Pittsburgh to DC. So it's not like they had everything figured out back in 1995. But still...1995!

I just was going to mention the CMU project and someone beat me to it. They drove nearly autonomously from Pittsburgh to San Diego in 1995. Here are some (old) relevant links:

• Project webpage
• No Hands across America Press Release
• Further info with actual dates
• Summary of a 1995 paper about the project

The CMU project was not anything that was near consumer-ready and it also was not 100% autonomous. IIRC, humans had to intervene in more complicated driving scenarios and the autonomous system handled the open highway stuff. they report a figure of 96% or so autonomy by miles driven on a shorter trip from Pittsburgh to DC. So it's not like they had everything figured out back in 1995. But still...1995!

I just was going to mention the CMU project and someone beat me to it. They drove nearly autonomously from Pittsburgh to San Diego in 1995. Here are some (old) relevant links:

• Project webpage
• No Hands across America Press Release
• Further info with actual dates
• Summary of a 1995 paper about the project

The CMU project was not anything that was near consumer-ready and it also was not 100% autonomous. IIRC, humans had to intervene in more complicated driving scenarios and the autonomous system handled the open highway stuff. they report a figure of 96% or so autonomy by miles driven on a shorter trip from Pittsburgh to DC. So it's not like they had everything figured out back in 1995. But still...1995!

http://users.ece.cmu.edu/~omutlu/pub/dram-row-hammer_kim_talk_isca14.pdf

slide 32:

Other Results in Paper (cont’d)

As many as 4 errors per cache-line
–
Simple ECC (e.g., SECDED) cannot prevent all errors

This article reminds of this guy who did something similar a while back.

Ask her school if you can give a Last Lecture to them and, if you choose to put it online, to 6th-grade students everywhere.

Nope. You can probabaly get an 80K a year job in CS with a degree someplace else. However using the 2013 survey numbers ( http://www.cmu.edu/career/sala... ) Undergard CS majors had a mean salary of $94,544 . Grads data is a bit more sporadic because of the multiple majors, but VLIS was $107,333 and Software Engineering was $94,125. Considering your starting salary out of college has a major impact on your long-term earnings there is a compelling argument to be made that it has a major impact on your long-term $ earned: http://www.businessinsider.com...

Wow must be a different company named Google that I'm competing against when I hire at CMU. Looking at the info for 2013 Google hired 19 CS undergrads from CMU. http://www.cmu.edu/career/sala... In fact, in 2013 Google was the number one employer or CS undergrads that responded to the survey outpacing Microsoft by 50%. (19 to 13). I know this is the grad program but to say Google doesn't care about "where you went to school" shows complete ignorance of the hyper competitive environment for recruiting CS grads from top CS schools.

Sorry mate,
I don't care about your argumentation.
Science is science, does not matter what topic.
Engineering is engineering, does not matter what topic either.

If a university is offering a degree as computer scientist, than you can assume that you study there computer science. Wow, pretty easy. If you find an University where that degree is offered but the education is not scientific, feel free to point one out.

Same for engineering.

Obviously you have no ides about either science nor engineering and especially not much regarding computers, or you would not write such nonsense.

Look, they even have articles about it: http://en.m.wikipedia.org/wiki...

Lets see what Carnegie Mellon has to say about it? http://www.sei.cmu.edu/cmmi/ (cmmi btw is very well established measurement for engineering capabilities in the software industry ... but well, it can't be an industry, after all we are working with our mind and the only tool is a keyboard and a screen, I guess it is an conspiracy running against you, engineers scientists and now an industry)

Next time, I _discover_ an algorithm I name it after you, 'mschaffers ignorance' or something like that.