Domain: iso.org
Stories and comments across the archive that link to iso.org.
Stories · 15
Australian PLAID Crypto, ISO Conspiracies, and German Tanks
New submitter Gaglia writes: PLAID, the Australian 'unbreakable' smart card identification protocol has been recently analyzed in this scientific paper (disclaimer: I am one of the authors, and this is a personal statement.)
Technically, the protocol is a disaster. In addition to many questionable design choices, we found ways for tracing user identities and recover card access capabilities. The attacks are efficient (few seconds on 'home' hardware in some cases), and involve funny techniques such as RSA moduli fingerprinting and... German tanks. See this entry on Matt Green's crypto blog for a pleasant-to-read explanation.
But the story behind PLAID's standardization is possibly even more disturbing. PLAID was pushed into ISO with a so-called "fast track" procedure. Technical loopholes made it possible to cut off from any discussion the ISO groups responsible for crypto and security analysis. Concerns from tech-savvy experts in the other national panels were dismissed or ignored. We contacted ISO and CERT Australia before going public with our paper, but all we got was a questionable and somewhat irate response (PDF) by PLAID's project editor (our reply here). Despite every possible evidence of bad design, PLAID is now approved as ISO standard, and is coming to you very soon inside security products which will advertise non-existing privacy capabilities.
The detailed story of PLAID in the paper is worth a read, and casts many doubts on the efficacy of the most important standardizing body in the world. It is interesting to see how a "cryptography" product can be approved at ISO without undergoing any real security scrutiny.
On a related note, the enthusiastic comments on PLAID's design made by a few readers in the old Slashdot story remind us, as a cautionary tale, that you need cryptographers to assess the security of cryptography. Quoting Bruce Schneier: amateurs produce amateur cryptography. -
Can ISO 29119 Software Testing "Standard" Really Be a Standard?
New submitter yorgo writes The International Organization for Standardization (ISO) will soon publish part 4 of a 5 part series of software testing standards. According to the website, "ISO/IEC/IEEE 29119 Software Testing is an internationally agreed set of standards for software testing that can be used within any software development life cycle or organisation." However, many in the testing community are against it. Some wonder how the ISO/IEC/IEEE achieved consensus without their input. James Bach speculates that exclusion helped build consensus. Others, such as Iain McCowatt, argue that something as variable as software testing cannot be standardized, at all. And others believe that the motive behind the standards is not increased quality, but economic benefit, instead. Michael Bolton explains "rent-seeking" as he builds on James Christie's CAST 2014 presentation, "Standards – promoting quality or restricting competition?"
A comprehensive list of many other arguments, viewpoints, and information has been collected by Huib Schoots. Opponents of ISO 29119 have even started a petition aimed at suspending publication of the standard. Even so, this might be a losing battle. Gil Zilberfeld thinks that companies will take the path of least resistance and accept ISO 29119.
So, where do you stand? What constitutes a consensus? Can a standard be honored without consensus? Can an inherently sapient activity, such as testing, be standardized, at all? What is the real purpose of a standard? Will companies acquiesce and adopt the standard without question? -
ISO Updates C Standard
An anonymous reader writes "The International Organization for Standardization (ISO) has published the new specifications for the C programming language. The standard is known unofficially as C1X and was published officially as ISO/IEC 9899:2011. It provides greater compatibility with the C++ language and adds new features to C (as indicated in the draft)." -
ISO C++ Committee Approves C++0x Final Draft
Randyll writes "On the 25th, in Madrid, Spain, the ISO C++ committee approved a Final Draft International Standard (FDIS) for the C++ programming language. This means that the proposed changes to the new standard so far known as C++0x are now final. The finalization of the standard itself, i.e. updating the working draft and transmitting the final draft to ITTF, is due to be completed during the summer, after which the standard is going to be published, to be known as C++ 2011. With the previous ISO C++ standard dating back to 2003 and C++0x having been for over eight years in development, the implementation of the standard is already well underway in the GCC and Visual C++ compilers. Bjarne Stroustrup, the creator of C++, maintains a handy FAQ of the new standard." -
ISO Puts OOXML On Hold
schliz alerts us that ISO, in response to the four appeals (Venezuela, India, Brazil, South Africa) filed in recent weeks, has put the OOXML standardization process on hold. Here is ISO's press release, which says that ISO/IEC DIS 29500 will not be published for at least "several months" while the appeals process goes forward.
Update: 06/11 10:13 GMT by KD : Reader Alsee points out that the fourth officially recognized appealing country is Venezuela, not Denmark as originally stated. The protests of Denmark and Norway are being disregarded, as they do not come from the administrative heads of their national organizations. -
ISO Releases OOXML FAQ
I Don't Believe in Imaginary Property writes "The ISO has put out a FAQ concerning OOXML, but it may raise more questions than it answers. For one, it promises to address problems if they arise in the future. PJ of Groklaw said that's akin to 'selling you a car with four different sizes of tires and assuring that that if you see it's a problem, you can always bring it in for maintenance.' It also handwaves the OSP discriminatory patent promise issues, when asked about contradictions states that some 'may still remain', and asserts that duplicate standards are 'something that need[s] to be decided by the market place.' Notably, the FAQ does not answer the question, 'what the hell were you thinking?'" -
Counter-Claims On Flaws In OOXML Meeting
ericatcw writes "Critics have charged that last week's ISO Ballot Resolution Meeting (BRM) to decide the fate of changes to Office Open XML standards proposal was too perfunctory and deviated from accepted ISO practices, possibly in an attempt to smooth the passage of the Microsoft format. This week, the ISO 'convener' of the BRM disputed those charges, saying that voting to dispose of 900 changes to the spec at once and allowing 'O' Observer countries to vote were the correct moves. ISO released a statement backing him up. Also, Patrick Durusau, editor of the competing OpenDocument Format specification and a late convert to OOXML's passage, also said that claims the process was flawed were overstated." -
OpenDocument Now Published ISO Standard
bobibobi writes "After months of revisions, OpenDocument receives status of a full published standard. The various stages of a standard's "stage code" are also online. The OpenDocument standard has been developed by a variety of organizations and is publicly accessible. This means it can be implemented into any system, be it free software/open source or a closed proprietary product, without royalties." -
Light-Weight Software Process for ISO 9000?
Disgruntled Software Engineer asks: "I work for a large engineering firm and it was recently decided in our company to have our software be ISO 9000 compliant. There exists a software development process in my organization, but it is extremely heavy-weight -- over two-dozen documents totaling 200 pages each! My team doesn't even have the time to read such a process, much less abide by it. I have been tasked by my team in creating a more light-weight process for our team to follow so that our software can pass the audit that is coming soon, but reading through the convoluted ISO website is not helping, and a 'plain English translation' that I found of the standard contains a bulleted list that is 17 pages long! I have not been able to get any idea of how to design a light-weight software engineering process that is ISO 9000 compliant with all of these extremely verbose documents and somewhat odd requirements. Also, the software that my team produces is more for research than for productization, and the dynamic nature of research does not mix well with the rigidity of a software process. What are the bare-minimum set of requirements for ISO 9000 software engineering compliance? What are some tips for designing a process that is light-weight and causes minimal damage in terms of efficient software development? Do you have any interesting experiences or wisdom regarding ISO 9000 and software engineering?" -
World Standards Day 2005
ewg writes "Today, 2005-10-14, is World Standards Day as celebrated by the IEC, ISO, and ITU. The press release emphasizes the benefits of safety standards, but the interoperability is the true prize for information systems. How many sets of country codes and date formats do we need?" From the release: "International Standards accommodate people's desire to live in a safer, more secure world by providing a valuable safety net. 'Standards for a safer world' is the theme of the message signed by the leaders of the three principal international standardization organizations to mark World Standards Day 2005. Standards developed at the international level through IEC, ISO and ITU are available for use at the national and regional levels to meet the needs of society at large, the market and government regulators," the three leaders point out. They see standards as vital in disseminating best practices and new technologies, while avoiding new barriers to trade that national security and safety regulations may create." -
China Walks Out of Wireless LAN Security Talks
Ant writes "A CommsDesign article reports that China walked out of a wireless standards meeting this week, accusing the International Organization for Standardization of favoring the IEEE's 802.11i ANSI-certified wireless LAN security scheme over its own controversial proposal, EE Times has learned. The gambit came after China's Wireless Authentication and Privacy Infrastructure (WAPI) security scheme was withdrawn and placed on a slower track by the ISO." From the article: "China initially agreed last year to refrain from making its WAPI security scheme mandatory for wireless LAN equipment in China. It then approached ISO with a fast-track submission in an effort to make WAPI an international security standard." -
Tiny ccTLDs - Who Should You Register With?
mumkin asks: "I have been shopping for a new domain and am considering going with a more obscure ccTLD for my namespace needs. I like the thought of my lan being a virtual extension of a tropical isle or wind-swept steppe, and generally looking weird in people's logs :) Ideally the NIC would lack a full-on whois server, for that extra degree of anonymity. It is important to me that the registry be doing something worthwhile for the country whose TLD it's hawking, and not just ripping them off. Oh, and I want nothing to do with VeriSign, so .TV and .CC are right out (sorry, Tuvalu! sorry, Cocos Islands). So, the question is: what tiny ccTLD registrars allow non-resident registration, are trustworthy, inexpensive, preferably privacy-conscious, and give something truly meaningful back to the countries whose domains they sell? Here's what I have so far -- who else should I be looking at, or what have I got wrong?" Read on for mumkin's ccTLD listing.
.AS : American Samoa. American Territory. Pop ~68,000. The registry is based in New York City and makes no mention of its relationship to American Samoa, or what if any benefits accrue to the people of AS in exchange for the sale of their TLD space. Cost: $45/year. Whois: limited.
.CX : Christmas Island. Home of the dreaded goatse. Part of the Indian Ocean Territories of Australia, pop ~ 3,000. Recently shafted by the bankruptcy of Planet Three, nic.cx is now (according to its website) "a community owned Christmas Island non profit company." $9.60 of every reg. fee goes to the "Christmas Island Information Economy Development Trust," underwriting the cost of internet service on the island. Service which is currently really limited (2 hours/day of dial-up for $25/mo). Cost: $37.40/year. Whois: yes
.HM : The Heard and McDonald Islands. Australian External Territory, Pop: 0. An antarctic island group, mostly covered in glaciers, generally off-limits to visitors. A UN world heritage site. The nic is managed by an Australian guy, and the reg fee pays for the costs of running the registry. All [surname].hm addresses are unavailable, as those have been sold to the mysterious www.my.hm email service. Probably the most morally neutral ccTLD to grab a domain in, since there are no residents to disenfranchise. Cost: $35/year. Whois: none
.PN : Pitcairn Island. British Overseas Territory. Home of 44 descendants of the Bounty mutineers (half of whom are currently under investigation for more recent unsavory acts). Supposedly the sale of domains will help to bring internet access to the island (they currently have a limited, $3.50/min satellite connection, courtesy of a seismic monitoring station on the island). Cost for a domain: auction. Whois: broken
.PS : Palestinian Territories. With only 50 domains registered, the .ps namespace is wide open. It's the only NIC I can think of that's likely to be bombed/raided/otherwise reduced by a military force, since it's located in beautiful Ramallah. Given the US Govt's current mindset, owning a .ps domain could also make you a Person of Interest to any number of three-letter agencies. Cost: $45/year. Whois: limited
.SH : St. Helena Island and .AC : Ascension Island. British Overseas Territories with a population of ~6,000 and ~1,000 respectively. Jamestown, St Helena is the capital from which the islands of St Helena, Ascension, and Tristan da Cunha are governed. The NIC is run out of London and provides free name service and registration for anyone with residency. Ascension is an incredibly well-networked island for its size. Cost: $100 first year, $50/year thereafter. Whois: yes
.TJ : Tajikistan. Central Asian nation, pop ~6,250,000. NIC is run by two guys in Fresno who also run one of the two Public Registrars for Tajikistan. No information about their relationship to Tajikistan, or what if any benefits the country may receive from their registry fees. Site last updated in '98. Cost: $25/year ($8/year within .com.tj, .web.tj, etc) Whois: yes
.TP : East Timor. Big news a while back, the media seems to have forgotten about them once the shooting stopped. Their TLD is managed by Connect-Ireland as a public service to the Timorese diaspora. There is little documentation on the site, and it's unclear where the $35/year registration fee goes. Xanana Gusmao, former resistance leader and current president, is the Administrative Contact! Note: on May 20th, the ISO 3166 list changed East Timor's alpha-2 designation to TL (Timor Leste). Presumably the IANA will soon change their TLD accordingly. Cost: $35/year. Whois: none" -