Domain: jhu.edu
Stories and comments across the archive that link to jhu.edu.
Comments · 375
-
Scientific Papers
Being an undergrad hoping to do research in this area in the next few years, I've already read a few of Och's papers and others in the field. Some of the best that I remember are:
- Improved Statistical Alignment Models (2000) - Franz Josef Och, Hermann Ney, which investigates and compares several models
- A Syntax-based Statistical Translation Model - Yamada, Knight (2001), which tries to treat sentences structurally instead of just a stream of words
- A Finite-State Approach to Machine Translation - Bangalore, Riccardi (2001), which uses a different way of looking at the problem than usual
-
Recent Wired Article Glossed Over This
Wired's April edition had an article about "How Hydrogen Can Save America" by Peter Schwartz and Doug Randall of GBN. It did briefly mention nuclear power, but glossed over the fact that that was the real core of their proposal. Sure, hydrogen can store energy in ways that may be more or less useful compared to batteries, and that may let you decentralize pollution or centralize it outside of core city areas, but that's not a fundamental change in energy sources. The article says "3. Convert the nation's fueling infrastructure to hydrogen." and "5. Mount a public campaign to sell the hydrogen economy."
The article's relentless insistence on how THE GOVERNMENT MUST MUST MUST IMMEDIATELY LAUNCH A Manhattan-project-like effort to develop a hydrogen economy and SAVE AMERICA reminded me of those Anime Otakudom lines about "The World Will Be Saved By Steam!", or like various other rants that people go on, usually political or anti-drug. Sure, there's good technical discussion in there about fuel cells and storage issues, but that's not really what it's about.
So Remember, Kids, Hydrogen isn't the answer! Professor Steamhead says "Steam. Water plus heat equals steam. Always remember this. The world can be saved by steam." and he's got a giant steam-powered mecha robot to do the job with!
-
Re:Rumors of even *more* advanced stuff..
Dynamic range is being solved by CMOS focal plane array processing, just like our retina does. In fact, CMOS sensors can probably have a much higher dynamic range than film.
Expect to see CMOS sensors like the Foveon in cameras soon. -
I have studied Electronic Voting
I am in a class in which our final project is to design a remote pollsite e-voting system. We read a bunch of definitive papers, including those by Caltech/MIT, the California Electronic Voting Task Force, and the National Science Foundation.
First off, every source believes that there should be a paper trail as a backup. This is good.
Second off, every source believes remote internet voting is too insecure to be feasible at this time.
Third off, my team's research shows it is impossible to have 'remote poll-site voting', in which a voter can cast his ballot at any station or kiosk in the county or state, while protecting voter anonymity and without relying on an always-up internet connection at each poll-site. The crux of the problem is this: you can't update a voter's record in a central voter registration database (to change him to "VOTED" or something) without the polling stations being connected to that database over the internet, or phone lines, or some kind of link. So instead, you would give each polling station its own copy of the voter registration database. But that means if someone tries to vote twice (once each at two different polling stations), the only way to ensure that both votes are not counted is to associate the ballot with the voter-ID.
At this point, it becomes a matter of trusting the government. Even if the ballot that is associated with the voter-ID is encrypted, do you trust the government not to decrypt those ballots before duplicate votes have been resolved and the voter-IDs have been stripped off? Even if the voting system was open source, do you trust the government to not use a forked version that *doesn't* respect your privacy?
Another scenario is to set up secure links (internet w/ IPSec, or private phone circuits, or satellite...) from the polling stations so you *can* update the central voter database in real-time. All of a sudden, the entire voting system is subject to denial of service attacks. People would climb poles to cut wires, etc. And if your system was designed to be "failsafe", so that voters could still cast a ballot even if the link was down, you'd be back at the voter anonymity problem mentioned above: those failsafe ballots would essentially be the equivalent of modern-day "provisional ballots", in which your name and identifying information are written right on the front of the envelope.
I don't see a cryptographic solution to the problem, as such solutions seem to involve the government holding all the keys.
The professor of the class is a brilliant man, and he admitted to me that this is a fundamental problem and that he was, in fact, hoping a solution might come out of his assigning it to a bunch of students with fresh perspectives. -
At my school...
The Johns Hopkins University here in Baltimore, MD views itself as a potential "soft target" for terrorists, due to its being a high-profile educational institution.
Since February, Hopkins has had a van parked in front of 34th street to keep terrorists from blowing up the freshman dorms with a car bomb.
Presumably this was done to pre-emptively quell the fears of parents who might think JHU wasn't doing enough to keep their kids safe. Never mind that the side streets allow terrorists equal access to the dorms, that the freshman dorms probably aren't high on Osama's list of Baltimore targets, and that the number of people in the world who knew Hopkins was anything but a hospital can be counted on one hand.
Otherwise a harmless gesture of stupidity, aside from the fact that 34th Street is a free parking zone with about 20 spaces. Its closing has created a major parking shortage in the entire University area. For those of us that actually have to deal with it on a daily basis, this is more than just whining - this is a true inconvenience.
Stupid. -
Re:Hardware support
Linux doesn't use ASIO, it uses ALSA, which in addition to being much faster (lower latency) than ASIO also supports quite a few soundcards, both consumer and professional grade.
Here is a pdf with latency tests
I think the sound management in linux has improved quite dramatically in the past few years, and there are right now _a lot_ of projects which will make linux a reasonable choice for professional audio authoring, such as ardour, jack, alsa, etc. (look at links in the story)
I don't know what the current status on VST plugins in linux is, but there's still ladspa, which seems to be a very competent architecture. Steinberg's hesitation in this area might very well prove to be a mistake, costing them influence in a growing market.
I'm right now in the process of trying linux out for a synthpop project I'm working on, using ardour, and various softsynths and sequencers. If some interesting experience comes out of it, I'll make it known. -
Not the only poisonous mammals
Interesting, but the Article is wrong in at least one respect: the Platypus is not the only mammal that produces venom.
According to this website, certain shrews produce venom. Also, the Cuban shrew-like animal Solenodons also produces venom in its mouth.
And, just to set the record straight, only male Platypii have venomous spurs. Lastly, Platypii are one of three still-living members of the mammalian subgroup known as "monotremes."
An excellent online resource for information about the animal kingdom is the University of Michigan's Animal Diversity Web.
-
Not quite
The Common Criteria Evaluation Assurance Level 4 evaluation given to Windows 2000 only means that Microsoft followed some kind of software engineering methodology when designing and implementing Windows 2000. In fact, the operating system protection profile Microsoft used describes a non-hostile environment (e.g. no viruses, no malicious employees, etc). Jonathan Shapiro said it best in Understanding the Windows EAL4 Evaluation:
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
Definitely one for the sig quote file. :) -
Doesn't mean much
Windows is certified at EAL4, and that doesn't provide much assurance of security. The article says RH and Oracle are working on EAL2, which is much weaker.
(Why does Common Criteria start to remind me of Dilbert strips about ISO 9000?) -
You've got to be kidding ...
Compressed audio and video transmission patented? In 1991 at that? Come on, that's like me patenting that you can wear shoes and socks at the same time. Digitally compressed video and audio existed LONG before these jokers. I mean CDs used PCM back in the mid-80s, and as for video, look here and here and about 20,000 more references on Google. This patenting of ideas that are just naive bundles of existing concepts just blows me away
... STOP THE INSANITY! -
Re:This worked so well for Netscape...
"I wasn't talking about price competition. I'm talking about COST!"
How, pray tell, do you propose separating the cost of selling a marginal unit of software from the corpus of the up-front development cost? Maybe MS sinks an assload of money into developing a product and then it fails to sell at the originally planned price-point. Then MS does the rational thing and sells at a lower price point in order to recover as much as possible. The difference between the cost of each marginal unit and the sales price is likely to be enormous under either scenario, while the overall profit picture could well be terrible. Is MS to be forced to sell the product at the higher price point anyway, thereby preventing marginal consumers from having access to a product that they might otherwise want at a lower price point?
You are essentially telling monopolists that they must ignore the market. The economic inefficiencies likely to be spawned under such a regime are not inconsiderable.
Nothing in anything I wrote said that I wanted to stop MS from lowering prices. The issue is whether a company is engaging in illegal below-cost pricing. This isn't something limited to just MS.
It is implicitly stated that you want to prevent them from lowering prices. You want to stop "dumping" which means that they are not allowed to lower prices as low as they might like to under some circumstances.
In addition, everything is reducible to changes in value to a product. Nominal price change tells very little about that story -- look at the "price" of an Apple ][ vs. a new desktop Dell. Price says little.
A nominal change in value is what is commonly called a price change, or price cutting, as in the case at hand. Absolute price cutting involves adding additional features while keeping the same nominal price for a product.
To avoid "price cutting", which can actually be restated as "improving value", Microsoft must avoid, by your standard of stopping the price cutting to avoid dumping, both a nominal price cut and an increase in value at the same nominal price. In other words, if Microsoft must stop cutting prices, it must also stop improving the product.
Think about it for a second. If the only criteria for product competition was price then why did we break up Standard Oil?
Speak for yourself, Lazarus Long, but I didn't break up Standard Oil. Since you asked my opinion, I think it was broken up primarily because of envy rather than to satisfy some worthwhile economic or political principle.
They were offering prices far below the competition whenever they moved into a new market.
No. Actually, they controlled the distribution networks for oil transportation on the eastern seaboard and in the upper midwest. They owned the pipelines and coerced the railroads into sweetheart rebate deals. Predatory pricing had very little to do with Standard Oil's success. In fact, Standard Oil had a long and glorious history of lowering nominal and real prices in the marketplace permanently because of their efficient use of technology and their economies of scale.
Standard actually began to have difficulties when Russian oil became cheaply available. Also, Standard failed to exploit discoveries in Texas, which was bringing them under further competitive pressure.
(Of course they subsequently raised those prices and used the higher prices in other markets to subsidize their price competition in the local market...)
This is demonstrably false. Even Ida Tarbell recognized that Standard's dominance resulted from ruthless efficiencies (but high wages) and control of the distribution network (rails and waterways). A sampling (from "History of Standard Oil" by Ida Tarbell, Chapter 18: "Conclusion"):
"And what are we going to do about it? for it is our business. We, the people of the United States, and nobody else, must cure whatever is wrong in the industrial situation, typified by this narrative of the growth of the Standard Oil Company. That our first task is to secure free and equal transportation privileges by rail, pipe and waterway is evident. It is not an easy matter. It is one which may require operations which will seem severe but the whole system of discrimination has been nothing but violence, and those who have profited by it cannot complain if the curing of the evils they have wrought bring hardship in turn on them. At all events, until the transportation matter is settled, and settled right, the monopolistic trust will be with us, a leech on our pockets, a barrier to our free efforts."
Again, the MPEG group may or may not have a valid complaint. They could just be crying about sour grapes or trying to get some free PR. (If you think .NET naming is confusing then look at MPEG. MP3 == MPEG 1 Layer 3, and now they have MPEG4 to replace MPEG 1?!?)
It's not confusing at all. MPEG 1 was a standard for multimedia, originally for CD-ROMs. It contains three layers. One is video (MPEG 1 layer 1). One is A/V synchronization (MPEG 1 layer 2). One is audio (MPEG 1 layer 3). Simple.
There are other MPEG standards for use in different circumstances, BTW. MPEG 4 is for low-bandwidth/low-processor power environments, which is why it is such a big deal right now:
MPEG-2
- Higher Bandwidth (up to 40Mbits/sec)
- Up to 5 audio channels (i.e. surround sound)
- Wider range of frame sizes (including HDTV)
- Can deal with interlaced video
MPEG-3
- MPEG-3 was for HDTV application with dimensions up to 1920 x 1080 x 30Hz, however, it was discovered that the MPEG-2 and MPEG-2 syntax worked very well for HDTV rate video. Now HDTV is a part of MPEG-2 High-1440 Level and High Level toolkit.
MPEG-4
- Very Low Bandwidth (64Kbits/sec)
- 176 x 144 x 10Hz
- Optimized for videophones
There are plans for others as well. Google reveals all.
So, please let the whole MS part of this drop. My point was that the people who said "this is the way the market works" were simply wrong. The market is nowhere near that simple.
No problem with dropping MS. That wasn't my point particularly, and I am not a MS-loving drone. My primary point is that if a company is forced to sell a product at a certain price point and it is not allowed to alter its price, then this must therefore mean that the quality of the product must remain unchanged as well. If you want to stop dumping, you have to watch for value, not for nominal price data. My secondary point is that stagnant technology is not very good for consumers or for competition. I don't think that is in dispute.
Let me state, arguendo, that we are in agreement that price dumping is a practice that should be curtailed. From a practical standpoint, there are a number of reasons why this may be nearly impossible to do it in this case. Here is my best reason:
In software, the marginal costs per unit are negligible. This puts MS in the position of being required to keep selling a product for a higher price than the market is willing to bear if they estimate the front-end development costs wrong. Under your analysis, I believe MS would be required to continue to sell at a price which the market is unwilling to pay. This will artificially move the intersection of the supply and demand curve up and to the left, resulting in less profit, fewer units sold, and disappointed marginal consumers who would like to have purchased the product at or above the equilibrium price, but who were prevented from doing so by (presumably) government regulation.
In addition, knowing that they would have decreased pricing flexibility down the road, the rational mega software producer would stop sinking as much money into development projects if it knew that the regulators would prevent it from changing its pricing strategy down the road (either up or down), because the risks would be too big.
Innovation from the admittedly largest software business in the world would likely be severely curtailed. Is it good for the software business to not have to worry about beating MS? Is it good for the software business for MS to rest on its laurels? Is it good for consumers?
Dumping simply has no analogy in software that holds up quite the same way as it does with physical goods or personal services.
On a final note, do you think GM and Ford should lay off workers right now because they are producing cars which they are selling below cost (because it is cheaper to keep the lines going at a small loss than it is to shut a factory)? Together, they probably have a monopoly position. Are they trying to suppress the profits of the smaller (presumably "weaker") auto manufacturers?
GF. -
background image to that website
(Here is the image I am talking about.)
...just wondering why they would choose a picture of Mut (Amon-Re's wife) with the double-crown of Egypt (only a king of a united Upper and Lower Egypt can wear that).
The double-crown is symbolized by the bowling-pin (Lower Egypt) overlapping the chair (Upper Egypt). I might have those hats backwards, and it is usually the chair that overlaps the pin.
I don't know much about Mut either... I'm not a scholar of ancient Egypt, it's just a hobby (my username is that of a curved Egyptian sword). -
A Certain Shade Of Green
They never agreed on the colour of the universe, either. Is the cosmic spectrum turquoise? Or is it beige? These guys reckon they know, but I think this is another mystery - albeit a lot less important - that various groups will be disproving each other over for a while.
-
Not forgotten
UFO-loon Denise M. Clark wrote about a UFO book that discusses "the intelligence of our sea life, mainly as that intelligence relates to dolphins". Slashdot user Swannie attempted to make a humorous Star Trek IV reference by adding "Don't forget about killer whales". Others have pointed out that this was an inaccurate Trek reference. I'd like to add that it was also silly because killer whales are in the family Delphinidae; i.e. they are dolphins, and as such were not "forgotten" by Ms. Clark's statement.
FWIW, I think it is safe to assume that either Ms. Clark or the author of the book she reviewed is fond of David Brin's Uplift Wars series, and in particular the intelligent dolphins in his book Startide Rising. They ought to expand their reading just a little and familiarize themselves with Brin's essay from Otherness where he talks about the public's refusal to accept that language research has simply not shown dolphins to be as clever as we wish them to be.
For interested parties - This is a very cool book. It is an odd combination of short sci-fi stories grouped by topic along with intelligent non-fictional essays that discuss the same issues. Brin uses the above cetacean language example as a jumping off point to discuss Americans' obsession with behaving as though other people's ideas, even ones that are not supported by the facts, ought to be treated like they have equal merit. -
I feel your pain, or glee, or whatever
As a lifelong Daniel Martin, I know how it is.
So what you're saying is that you're not my roommate from junior year? -
Re:mod_backhand
Yes, I've used mod_backhand. It has great support through the authors as well as through the user development group -- just join their mailing list. It has been deployed on simple 3-node web clusters to even more complex 15+-node web clusters, and it has worked just great at balancing the load of millions of daily pageviews.
mod_backhand, as you can tell by its name, is an Apache module. So, this isn't a replacement for a hardware based load-balancer unless all you're load balancing is HTTP requests.
It's very easy to implement if you're a semi-seasoned web admin that understands Apache directives in the httpd.conf. There are five built-in candidacy functions -- the things that choose which server will be chosen to serve up the data. The project was developed at the Center for Network and Distributed Systems at The Johns Hopkins University. -
Who is John Hopkins?
The place is called Johns Hopkins University...
-
In case of slashdotting, full text, IANAKW, etc
Understanding the Windows EAL4 Evaluation
Jonathan S. Shapiro, Ph.D.
Johns Hopkins University Information Security Institute
By now, you may have heard that Microsoft has received a Common Criteria certification for Windows 2000 (with service pack 3) at Evaluation Assurance Level (EAL) 4. Since a bunch of people know that I work on operating system security and on security assurance, I've received lots of notes asking "What does this mean?" On this page I will try to answer the question. For the impatient the answer is:
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
Since that's a pretty strong statement, bear with me while I try to explain it in plain English.
How a Security Purchase Should Work (In Abstract)
At the risk of telling you something you already know, here is how a purchaser ought to proceed when buying a security product:
- Assess your needs. Determine what your requirements are.
- Decide which product you are most confident will meet those needs.
- Buy and deploy it.
Each of these is potentially an involved process, and most customers don't have the expertise to do them effectively. Even if you did, Microsoft (or any other vendor) isn't likely to let you examine their code and design documents in order to evaluate their product.
The purpose of the Common Criteria process is to develop standard packages of commonly found requirements (called Protection Profiles) and have a standard process of independent evaluation by which an expert evaluation team arrives at a level of confidence for some particular software product.
As a customer, this makes your life simpler, because you can compare your needs against existing requirements constructed by experts and then see how well the software you are buying meets those requirements. Security requirements are fairly hard to write down correctly, but if the resulting document is annotated properly they aren't all that hard to understand.
Obviously, if you don't know your needs (requirements) you don't stand much of a chance of getting them met. Likewise, if you don't know what requirements a software product was evaluated against, the evaluation result isn't terribly useful to you in practical terms.
How Common Criteria Works
From the customer perspective, a Common Criteria evaluation has two parts:
- A standardized requirements specification called a Protection Profile that says what the system is supposed to do. Sometimes there will be more than one of these -- usually a general baseline protection profile and then some others describing additional, specialized requirements.
- An evaluation rating. This is basically an investigation by well-trained experts to determine whether the system actually meets the requirements specified in the protection profile(s). The result of the evaluation is an "Evaluation Assurance Level" which can be between 1 and 7. This number expresses the degree of confidence that you can place in the system.
In order to understand the result of an evaluation, you need to know both the evaluation result, which will be a level between EAL1 and EAL7, and the protection profile (the requirements that were tested). Given two systems evaluated against the same protection profile, a higher EAL rating is a better rating provided the requirements meet your needs.
Knowing that a product has met an EAL4 evaluation -- or even an EAL7 evaluation -- tells you absolutely nothing useful. It means that you can have some amount of confidence that the product meets an unknown set of requirements. To give a contrived example, you might need a piece of software that always paints the screen black. I might build a piece of software that paints the screen red with very high reliability, and get it evaluated at EAL4. Obviously my software isn't going to solve your problem.
The Windows 2000 Evaluation
Microsoft sponsored an evaluation of Windows 2000 (with Service Pack 3 and one patch) against the Controlled Access Protection Profile (plus some enhancements) and obtained an EAL4 evaluation rating. This is most accurately written as "CAPP/EAL4".
Problem 1: The Protection Profile
The Controlled Access Protection Profile (CAPP) standard document can be found at the Common Criteria website. Here is a description of the CAPP requirements taken from the document itself (from page 9):
The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.
Translating that into colloquial English:
Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you, you are toast.
In fairness to Microsoft, CAPP is the most complete operating system protection profile that is presently standardized. This may be the best that Microsoft can do, but it is very important for you as a user to understand that these requirements are not good enough to make the system secure. It also needs to be acknowledged that commercial UNIX-based systems like Linux aren't any better (though they are more resistant to penetration).
Note that the "Don't install software" part means that you probably shouldn't install a word processor. On several occasions Microsoft has unintentionally shipped CDs with viruses on them. A CD with a virus qualifies as "malicious system development."
Problem 2: The Evaluation Assurance Level
Having described the requirements problem, I now need to describe the problem of the EAL4 evaluation assurance level that Windows 2000 received.
As I mentioned before, EAL levels run from 1 to 7. EAL1 basically means that the vendor showed up for the meeting. EAL7 means that key parts of the system have been rigorously verified in a mathematical way. EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.
An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.
The Bottom Line for Windows 2000
In the case of the CAPP protection profile, there actually isn't much point to doing anything better than a low-confidence evaluation, because the requirements set itself is very weak. In effect, you would be saying "My results are inadequate, but the good news is that I've done a lot of work so that I can be really sure that the results are inadequate."
In the case of CAPP, an EAL4 evaluation tells you everything you need to know. It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
Conclusion
Security isn't something that a large group can do well. It is something achieved by small groups of experts. Adding more programmers and more features makes things worse rather than better. Microsoft has been adding features demanded by their customers for a very long time.
It is possible to do much better. EROS, a research operating system that we are working on here in the Systems Research Laboratory at Johns Hopkins University, should eventually achieve an EAL7 evaluation rating, and is expected to provide total defense against viruses and malicious code. It won't be compatible, because the most important security problems in Windows and UNIX are design problems rather than implementation problems. In fact, none of the viable research efforts toward secure operating systems are compatible with existing systems.
It remains to be seen whether EROS or one of the other attempts to build secure operating systems will prevail, but better solutions are coming.
Jonathan Shapiro is an Assistant Professor in the Department of Computer Science of Johns Hopkins University. He has been working on operating system security and assurance since 1991. His past research has yielded both formally verified security properties and dramatically improved performance results in secure operating systems. His current research focuses on tying these results together into a complete, usable system, and on evaluating and testing the correctness and reliability of the resulting system.
Dr. Shapiro is also a member of JHUISI, the Hopkins Information Security Institute.
-
In case of slashdotting, full text, IANAKW, etc
Understanding the Windows EAL4 Evaluation
Jonathan S. Shapiro, Ph.D.
Johns Hopkins University Information Security Institute
By now, you may have heard that Microsoft has received a Common Criteria certification for Windows 2000 (with service pack 3) at Evaluation Assurance Level (EAL) 4. Since a bunch of people know that I work on operating system security and on security assurance, I've received lots of notes asking "What does this mean?" On this page I will try to answer the question. For the impatient the answer is:
Security experts have been saying for years that the security of the Windows family of products is hopelessly inadequate. Now there is a rigorous government certification confirming this.
Since that's a pretty strong statement, bear with me while I try to explain it in plain English.
How a Security Purchase Should Work (In Abstract)
At the risk of telling you something you already know, here is how a purchaser ought to proceed when buying a security product:
- Assess your needs. Determine what your requirements are.
- Decide which product you are most confident will meet those needs.
- Buy and deploy it.
Each of these is potentially an involved process, and most customers don't have the expertise to do them effectively. Even if you did, Microsoft (or any other vendor) isn't likely to let you examine their code and design documents in order to evaluate their product.
The purpose of the Common Criteria process is to develop standard packages of commonly found requirements (called Protection Profiles) and have a standard process of independent evaluation by which an expert evaluation team arrives at a level of confidence for some particular software product.
As a customer, this makes your life simpler, because you can compare your needs against existing requirements constructed by experts and then see how well the software you are buying meets those requirements. Security requirements are fairly hard to write down correctly, but if the resulting document is annotated properly they aren't all that hard to understand.
Obviously, if you don't know your needs (requirements) you don't stand much of a chance of getting them met. Likewise, if you don't know what requirements a software product was evaluated against, the evaluation result isn't terribly useful to you in practical terms.
How Common Criteria Works
From the customer perspective, a Common Criteria evaluation has two parts:
- A standardized requirements specification called a Protection Profile that says what the system is supposed to do. Sometimes there will be more than one of these -- usually a general baseline protection profile and then some others describing additional, specialized requirements.
- An evaluation rating. This is basically an investigation by well-trained experts to determine whether the system actually meets the requirements specified in the protection profile(s). The result of the evaluation is an "Evaluation Assurance Level" which can be between 1 and 7. This number expresses the degree of confidence that you can place in the system.
In order to understand the result of an evaluation, you need to know both the evaluation result, which will be a level between EAL1 and EAL7, and the protection profile (the requirements that were tested). Given two systems evaluated against the same protection profile, a higher EAL rating is a better rating provided the requirements meet your needs.
Knowing that a product has met an EAL4 evaluation -- or even an EAL7 evaluation -- tells you absolutely nothing useful. It means that you can have some amount of confidence that the product meets an unknown set of requirements. To give a contrived example, you might need a piece of software that always paints the screen black. I might build a piece of software that paints the screen red with very high reliability, and get it evaluated at EAL4. Obviously my software isn't going to solve your problem.
The Windows 2000 Evaluation
Microsoft sponsored an evaluation of Windows 2000 (with Service Pack 3 and one patch) against the Controlled Access Protection Profile (plus some enhancements) and obtained an EAL4 evaluation rating. This is most accurately written as "CAPP/EAL4".
Problem 1: The Protection Profile
The Controlled Access Protection Profile (CAPP) standard document can be found at the Common Criteria website. Here is a description of the CAPP requirements taken from the document itself (from page 9):
The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel.
Translating that into colloquial English:
Don't hook this to the internet, don't run email, don't install software unless you can 100% trust the developer, and if anybody who works for you turns out to be out to get you you are toast.
In fairness to Microsoft, CAPP is the most complete operating system protection profile that is presently standardized. This may be the best that Microsoft can do, but it is very important for you as a user to understand that these requirements are not good enough to make the system secure. It also needs to be acknowledged that commercial UNIX-based systems like Linux aren't any better (though they are more resistant to penetration).
Note that the "Don't install software" part means that you probably shouldn't install a word processor. On several occasions Microsoft has unintentionally shipped CDs with viruses on them. A CD with a virus qualifies as "malicious system development."
Problem 2: The Evaluation Assurance Level
Having described the requirements problem, I now need to describe the problem of the EAL4 evaluation assurance level that Windows 2000 received.
As I mentioned before, EAL levels run from 1 to 7. EAL1 basically means that the vendor showed up for the meeting. EAL7 means that key parts of the system have been rigorously verified in a mathematical way. EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.
An EAL4 rating means that you did a lot of paperwork related to the software process, but says absolutely nothing about the quality of the software itself. There are no quantifiable measurements made of the software, and essentially none of the code is inspected. Buying software with an EAL4 rating is kind of like buying a home without a home inspection, only more risky.
The Bottom Line for Windows 2000
In the case of the CAPP protection profile, there actually isn't much point to doing anything better than a low-confidence evaluation, because the requirements set itself is very weak. In effect, you would be saying "My results are inadequate, but the good news is that I've done a lot of work so that I can be really sure that the results are inadequate."
In the case of CAPP, an EAL4 evaluation tells you everything you need to know. It tells you that Microsoft spent millions of dollars producing documentation that shows that Windows 2000 meets an inadequate set of requirements, and that you can have reasonably strong confidence that this is the case.
Conclusion
Security isn't something that a large group can do well. It is something achieved by small groups of experts. Adding more programmers and more features makes things worse rather than better. Microsoft has been adding features demanded by their customers for a very long time.
It is possible to do much better. EROS, a research operating system that we are working on here in the Systems Research Laboratory at Johns Hopkins University, should eventually achieve an EAL7 evaluation rating, and is expected to provide total defense against viruses and malicious code. It won't be compatible, because the most important security problems in Windows and UNIX are design problems rather than implementation problems. In fact, none of the viable research efforts toward secure operating systems are compatible with existing systems.
It remains to be seen whether EROS or one of the other attempts to build secure operating systems will prevail, but better solutions are coming.
Jonathan Shapiro is an Assistant Professor in the Department of Computer Science of Johns Hopkins University. He has been working on operating system security and assurance since 1991. His past research has yielded both formally verified security properties and dramatically improved performance results in secure operating systems. His current research focuses on tying these results together into a complete, usable system, and on evaluating and testing the correctness and reliability of the resulting system.
Dr. Shapiro is also a member of JHUISI, the Hopkins Information Security Institute.
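The decision rule laid out in the post above, as an added example that is not code from the original post or from Shapiro's article: an evaluation result is a (protection profile, EAL) pair; the EAL only ranks products evaluated against the same profile; and the certificate is only useful to you if the profile's scope covers the threats your deployment actually faces, which the EAL says nothing about. The threat tags, the environment facts and the mapping between them are this example's own assumptions; the CAPP scope is paraphrased from the passage quoted in the post.

```python
"""Reading a Common Criteria certificate against your own threat model.

Added illustration, not from the original post. The CAPP scope below is a
paraphrase of the profile text quoted in the post; the threat tags, the
environment facts and the mapping from facts to threats are assumptions made
for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Threat classes (this example's own vocabulary, mirroring the CAPP scope text).
CASUAL_MISUSE = "casual_misuse"              # inadvertent or casual breach attempts
DETERMINED_ATTACKER = "determined_attacker"  # hostile, well-funded attackers
MALICIOUS_DEVELOPER = "malicious_developer"  # malicious system development
MALICIOUS_ADMIN = "malicious_admin"          # malicious administrative personnel


@dataclass(frozen=True)
class ProtectionProfile:
    """A requirements set: what it claims to counter and what it leaves out of scope."""
    name: str
    counters: FrozenSet[str]
    out_of_scope: FrozenSet[str]

    def __post_init__(self) -> None:
        overlap = self.counters & self.out_of_scope
        if overlap:
            raise ValueError(f"{self.name}: threats both countered and excluded: {sorted(overlap)}")


@dataclass(frozen=True)
class Certificate:
    """An evaluation result is a (profile, EAL) pair; the EAL on its own means nothing."""
    product: str
    profile: ProtectionProfile
    eal: int

    def __post_init__(self) -> None:
        if not 1 <= self.eal <= 7:
            raise ValueError(f"EAL must be between 1 and 7, got {self.eal}")


# CAPP, paraphrased from the scope statement quoted in the post: casual attempts
# are in scope; determined attackers and malicious developers/admins are not.
CAPP = ProtectionProfile(
    name="CAPP",
    counters=frozenset({CASUAL_MISUSE}),
    out_of_scope=frozenset({DETERMINED_ATTACKER, MALICIOUS_DEVELOPER, MALICIOUS_ADMIN}),
)

# Deployment facts and the threat classes they bring with them (assumed mapping).
ENVIRONMENT_THREATS: Dict[str, FrozenSet[str]] = {
    "internet_connected": frozenset({DETERMINED_ATTACKER}),
    "receives_email": frozenset({DETERMINED_ATTACKER, MALICIOUS_DEVELOPER}),
    "installs_third_party_software": frozenset({MALICIOUS_DEVELOPER}),
    "untrusted_administrators": frozenset({MALICIOUS_ADMIN}),
}


def threats_for(environment: Iterable[str]) -> FrozenSet[str]:
    """Threat classes a deployment faces. Every deployment at least faces casual
    misuse. An unknown fact is an error rather than silently ignored, so a typo
    cannot make a deployment look safer than it is."""
    threats = {CASUAL_MISUSE}
    for fact in environment:
        if fact not in ENVIRONMENT_THREATS:
            raise KeyError(f"unknown environment fact: {fact!r}")
        threats |= ENVIRONMENT_THREATS[fact]
    return frozenset(threats)


def gaps(cert: Certificate, environment: Iterable[str]) -> Dict[str, str]:
    """Threats the deployment faces that the certificate's profile does not counter,
    each tagged with why: explicitly excluded by the profile, or never mentioned."""
    result: Dict[str, str] = {}
    for threat in sorted(threats_for(environment) - cert.profile.counters):
        if threat in cert.profile.out_of_scope:
            result[threat] = "explicitly out of scope"
        else:
            result[threat] = "not addressed by the profile"
    return result


def certificate_applies(cert: Certificate, environment: Iterable[str]) -> bool:
    """True only when the profile covers every threat the deployment faces. The EAL
    is deliberately not consulted: it measures confidence that the requirements
    are met, not whether they are the right requirements."""
    return not gaps(cert, environment)


def better_of(a: Certificate, b: Certificate) -> Optional[Certificate]:
    """Rank two certificates by EAL, but only when both were evaluated against the
    same protection profile; across different profiles the numbers are not comparable."""
    if a.profile != b.profile:
        return None
    return a if a.eal >= b.eal else b


if __name__ == "__main__":
    win2k = Certificate("Windows 2000 SP3", CAPP, 4)
    for env in ([], ["internet_connected", "receives_email"]):
        label = ", ".join(env) or "isolated, well-managed"
        print(f"{label}: {gaps(win2k, env) or 'profile covers this environment'}")
```

Running the module as a script prints no gaps for an isolated, well-managed deployment and two explicitly out-of-scope threats for an internet-connected machine that receives email, which is the post's "don't hook this to the internet, don't run email" in executable form. `better_of` returning `None` for mismatched profiles is the "red screen at EAL4 versus black screen" point: a higher number on a different profile is not a better answer to your question.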
-
Re:Unix Hater's Handbook
-
Re:Answer to title.
-
Re:Can the click-clack language
Actually, yes. Typically, a "click" (pop your tongue against the top of your mouth) is represented as an X. For example, there is an African language known as Xkosa, pronounced click-kosa.
(The only reason I know this is because my Natural Language Processing professor spent most of the first lecture in September using Xkosa as an example.)
-
some history of robotic surgeryThis isn't comprehensive, but I remember some work at IBM Research starting back in the mid-1980s by a guy named Russ Taylor on robot-assisted surgery. At the time the approach was focused on ways to improve the success rates of hip replacements by improving the accuracy of size, orientation, and placement of the hole drilled in the bone for the artificial joint.
I've seen two things recently about this, namely Russ Taylor is now a professor at Johns Hopkins where he's doing more robotic surgery stuff from the sound of things.
In addition, I ran into a bunch called Integrated Surgical Systems that cite Taylor's work, though without naming him.
-
re: kratia = power
kratos:
I think that it also is a specific kind of power. Supported credibly if not completely enough by its use as shown in this document which I found when googling for a little support for my hypothesis. What kind of power it is colors its relationship with the other word part. I believe it's an oppressive sort of power, essentially the military power required to win and the spoils that are the reward (power over the people, to tax and control their economy). Taken this way Democracy has a different meaning, probably justifiable but incomplete. The people should have power over the government but should they take the position with regard to it that historically military governments do? Similarly if people have power over the "government", is "govern" the correct root for that word? If the intent is to free the people to govern themselves, and free the economy, "democracy" is possibly the wrong approach.
Philosophy is stored in these terms. Breaking these terms open, or comparatively considering the distinctions between irony and coincidence, ironic coincidence or literal metaphors. I post this to you because of your clear liking for making closer study of terms (I paused to grok your distinction between irony and coincidence), and because you also have a pragmatist's view of language, a relatively rare combination. It allows one to look for the meaning of words as a philosophist rather than as a grammarian, trying to impose as RULES what are merely interesting philological patterns.
-
Re:Yeah right
After visiting a pdf on LP technology and finding that LPs have around 290 lines per inch, and 45s 160 or so, it would seem that a reasonable scanner (say 1200 dpi) would pick up 7 pixels per track on a 45. This would make horizontal (along the plane of the record) resolution quite poor. However, if he's only tracking the vertical component (perpendicular to the plane of the record), and the varying heights translate well into light to dark gradients, perhaps there would be enough information to produce some bad sound. I too would like to see the code and perhaps some of the source images.
-
Re:doughnut crumbs in the keyboard
Everybody is different... But research suggests that exercise has the effect the previous post stated on a substantial majority of the population (rounded to the nearest percent, I think it was about 100%). Maybe the places that make these claims are just way out there... Places like Johns Hopkins University for one.
-
Re:Still More Limitations
It also doesn't do much for your heat signature. Since so much military surveillance is done with IR, you'd think that, with the extra heat generated by the thing being cloaked and the cloaking mechanism, it'd glow like a light bulb under IR.
So your concern is that although this thing will take on the appearance of the background in the human visible spectrum (approx 380(blue) to 780(red) nanometers), it will not resemble the background radiation at other wavelengths. Not a trivial problem, but not impossible. As long as the cloaking system has the same sensory capabilities as the entity it's hiding from, it knows what appearance to present.
Generating more radiation is seldom a problem. Reducing radiation is harder, especially in the longwave IR (heat) section of the spectrum, which seems to be at issue here. Generally, you can block electromagnetic radiation, but the energy goes to heat. If you want to hide a heat signature, you could do it with the appropriate combination of thermally massive shields, active and/or very good thermal control systems, and something to do with the excess heat. You could try to radiate it in another direction, but the beam would probably be visible to a thermal camera. You might be able to store it if you have a thermos full of butt-ass cold. I'd probably use a flask of liquid nitrogen to absorb the heat, and then release a nitrogen stream at ambient temp. (This could in theory be detected as well, but nitrogen is the majority of the atmosphere, so it's probably hard to detect as long as you get the temp right.)
Once you block the heat that you and your cloaking device emit, you can then use your radiation emitters (LEDs, OLEDs, incandescents, what have you) to emit the right intensities in the right wavelengths as your background. How you get the direction of the light right for all observers is beyond me, but that's why it's not my patent. (If you just want to hide from one observer, you basically just get a TV and a camera, hold the TV between you and the observer, and the camera colinear with all three of you (observer, TV, you).)
ok. now then, for the rest of this discussion. Where to start? How bout polar bears, 'cause they kick azz.
Polar bears are supposedly (google it yourself) so well insulated that if you use a thermal camera from an airplane, all you see is footprints because the only points where they leak enough heat to differ from ambient temp are the pads of their feet.
Next: The em spectrum. As i said, humans (most of you, anyways) see from about 380nm to 780nm. Shorter wavelength, higher energy photons are ultraviolet (above violet, hence the sunburn) and so on up to X and gamma rays. Longer wavelength photons are infrared (lower energy, below red) and microwaves and radio and such. Current topic: IR. Near IR (close to visible) is from like 800nm up to around 1100 (depending on who you ask). This is what you tend to get from IRLEDs. Think remote controls, sony camcorder night vision, and other stuff you can see with a black and white camera with no IR filter. (You can't see much further 'cause silicon starts being transparent around 1050nm).
And then there's far IR, more in the 3000 to 8000 nm range, AKA heat. (To see this look into vidicon tubes or thermistor sensors by Hamamatsu or Indigo.) This is even lower energy than near IR. It's everywhere you look, if you could see it, 'cause everything radiates in this range according to its temp. The spectrum being continuous (as spectra generally are), if you take something at body temp it will radiate in this range, and if you heat it up enough it will start radiating in near IR and then red (AKA glowing) and then up to white if you get it hot enough.
Military night vision. Don't know too much about that, but if it's not heat-based you can basically use really sensitive equipment for detecting ambient light (huge lenses and high-gain CCDs) or use near IR illumination (most of your commercial 'night vision' systems).
Tree huggers and radiation. It's the high energy radiation from i.e. nuclear plants (isotope decay is a good source of gamma radiation) that a lot of people worry about. Granted, there are those who worry about microwave radiation from ovens and cordless phones (and probably 802.11 if you told them it was microwave), but their mistake is not understanding the EM spectrum and thinking that all radiation is dangerous, not just high energy radiation. (And yes, I could be wrong and low energy radiation could be really harmful too. But I'm still not buying any kind of cellphone shield.)
IR going through concrete walls. No. The wall will absorb heat, heat up, and then radiate at a higher energy than the other walls, but the energy is not going through like visible light through glass.
IR blocking polymers. Mylar.
Thermoelectric heat transfer. Peltier junctions. About 10% efficient. If you don't mind expending a lot of energy to cool your chip and have a good place to dump the heat, they rock. They don't get rid of heat, they just move it, so unless you have somewhere to move it to, they won't hide you from a thermal camera.
Ok, think that's about it. Hopefully this clears some stuff up. -
Sialic Acid
-
Re:Digital Audio Workstations
So any latency you have in the DAW can put skips or glitches in your recorded input.
...Linux is perfect for this, because comparatively MacOS 9, MacOS X, and all versions of Windows except CE are complete pigs.
Except Linux has traditionally been horrible for latency. There is work being done to make the kernel both interruptable and low-latency, and it shows a lot of improvement in the patches available for 2.4. The necessary patches are still not in the mainstream kernel, IIRC, but they may make it into 2.6.
Furthermore, you are totally incorrect when it comes to Windows and Mac OS. Classic versions of both OSes suck for latency, but OS X is great, and Win2k (and presumably WinXP) do rather decently when it comes to low-latency audio. At the moment, Mac OS X wins under the non-ideal conditions that are likely to be experienced in the field. (PDF here, Google html)
I think Linux has one really tough competitor in Mac OS X when it comes to this arena. Apple already has mindshare, market share, and a kick-ass audio subsystem. Linux has none of those three, so it'll be an uphill battle. After ALSA is standardized and rolled out completely, maybe we'll talk. -
More stuff like this would be great...
This one is a java-based demo of a bunch of signals and systems engineering math operations, at Johns Hopkins University, and I wish more stuff like this could be available (especially from students working in specific areas) to help students of all ages grasp more complicated math. Or even simple math.
However, I'd be happy if more adults knew that p=mv so they wouldn't be so inclined to cut off a bus in their tiny cars as they both approach a stop light...
-
Re:Small scopes
Other solution: double up on observations. Different receivers can be attached to a telescope. IR, ultra-violet and visible can be observed at the same time.
Not easily: much of the UV window is very strongly absorbed by the atmosphere, so you can't use it from ground-based telescopes anyway and have to use spacecraft. It's also not so easy to observe two wavelengths at once: you need a lot of complicated optics, and you don't want to waste any of those precious photons. In addition, if the wavelengths are very different, you could have very different design requirements on the rest of the telescope.
So why not double up on projects that are located in the same space in the sky.
They'd have to be really close in the sky. It works for some projects where you're looking at a sample of objects in a patch of sky, like the Hubble Deep Field. However, for many instruments on telescopes like the Keck and Subaru, the field of view is less than 30 arcminutes, which is only the angular diameter of the full moon. Also, the instrument and observing mode you use are strongly dependent on exactly what sort of object you are investigating, and how, and may not be suitable for anything else that happens to be in the field of view.
Also, with image enhancement, you can look at a wider section of sky and view multiple objects, while using computers to examine your specific project.
Image processing and general number-crunching are essential to astronomers already, in order to transform raw data into a final image ("data reduction"). I spent the majority of my Ph.D. working on ways to process a particular type of data, so we're already doing what we can.
:-) Essentially, research-class telescopes are all oversubscribed, and so people tend to make whatever optimisations they can already.
-
Xvision
Xvision is a library written at JHU (originally at Yale; the main people moved over here a few years back). I used to work on it a little bit (theoretically, I was the sysadmin, but I kinda got roped into working on it for a while a couple summers back). It's not bad, though the code is pretty dirty in places. It's used to program the robots for that robot soccer competition.
Hrm... a URL... Ah, here:
Xvision2 page. -
damn...you beat me to it
:-).
I was pretty sure, but I didn't want to correct it and then be wrong myself (it has unfortunately happened) so, I had to check... here's the official website. From the Facts at a glance page:
"The university is named for its initial benefactor, Baltimore merchant Johns Hopkins, whose $7 million bequest -- the largest U.S. philanthropic gift to that time -- established both the university and The Johns Hopkins Hospital."
Apparently, it was the very first US university to actively encourage research as well as teaching.
Unfortunately, it seems to be in bumblefuck, Maryland.
-
Re:it looks like it's just a really good DOT3 bump
The bump map generation to which you refer can no longer be called "innovative", since people have been doing it for years. I first saw it in Krishnamurthy and Levoy 96 (underlying low resolution geometry is b-spline patches, but the principle is the same).
The interesting bit is generating a good common parameterization of your low and high resolution meshes.
Also see Cohen's Appearance-Preserving Simplification of Polygonal Models. -
Concrete Canoes, etc
The American Society of Civil Engineers runs a nationwide contest each year, where teams of college students build concrete canoes, race them against other schools in their area, and then meet for a national race. This year's race is in Wisconsin. I've also been told that some places build concrete tobaggans too, but not for a contest.
My girlfriend is the captain of the Johns Hopkins University Concrete Canoe Team. The presentation was held just this past Sunday, against Catholic University in DC. Over the past 3 years of her doing this, I've picked up a few things. Concrete isn't just for cinder-blocks... depending on how you mix it, what you add to it, how you pour it and cure it, and what you pour it ON (example: mix it with microspheres or layer it between sheets of fiberglass mesh), you can make a very lightweight, low-density (read: floats) structure.
Even though I know all this, the old jokes never get less funny. "Concrete canoe? You row, I'll watch." -
Re:How close will it come to BeOS?
Not actual benchmarks, but look here:
http://www.linuxdj.com/audio/lad/resourceslatency.php3
More specifically:
http://mambo.peabody.jhu.edu/~karlmac/publications/latency-icmc2001.pdf [PDF]
-
You have the WRONG color hex code
The color swatch at space.com is WRONG! The correct hex code taken from the academic page is #fff8e7 (which is gamma corrected assuming a display gamma of 2.2 which is only an average for various available monitors).
-
Beige vs. White
Go here to look at the other page that the posted color link is comparing to.
Funny though, I think that the beige on black would have looked more white if the author didn't comment in bright white text right next to the color. -
Broken link
Sorry, the Preview screwed up the URL. Here is the link to the original NASA Press Release.
-
Re:When the functional paradigm is superior?
Well to be honest, I was counting on some examples which would convince me that I really need to read The Wizard Book and learn such languages as Lisp, Scheme, Elisp, Guile and Unlambda -- not where to find that info, which itself is not very hard.
All I need is a motivation.
Just like when I understood the idea of inheritance and the real OO code reuse, together with the idea of moving data to the foreground and that with good data you need simple algorithms -- that day I understood that I have to learn Smalltalk, Objective C, C++ and OO Perl.
Today I need to know why I need to learn how to think with the functional paradigm. It's a serious problem, which stops many people before they learn functional languages.
Many years ago I was writing C programs to process text, and I could do everything that way, I just didn't realize that there were better ways to do the same. That was before I knew Regular Expressions, egrep, sed or Perl. Now I write Perl one-liners for tasks which used to take me days of writing C code, but I didn't know that before, because "If the only tool you have in the toolbox is a hammer - every problem looks like a nail."
So now I ask for a reason to learn the functional way of thinking. I need to know it before I actually learn them, just to have a strong imperative. Learning the new way of thinking is a long and hard process, I just want to know what waits for me at the end.
I hope someone who knows that reason will tell me and those who also need it why it's worth the effort. Thanks in advance.
-- Your Anonymous Coward who wants to learn new ways of thinking...
-
Re:Cancer cells without built-in time bomb
Here is an interesting article on the HeLa cell line, derived from a young woman's cervical tumor in 1951. The cells are amazingly resilient and prolific.
-
Re:Not MPEG4 killer...
That's a rather glib response, and incorrect. Additions and subtractions are fairly simple operations, and bitshifts are blazingly fast (and equivalent to dividing or multiplying by factors of 2) - in contrast, multiplications, divisions, and others are substantially more complex. You can improve performance a LOT if you design your codecs with these guidelines in mind. Check out the research section (fast DCT approximations) of this site - Nancy isn't the only codec to keep this matter in mind.
What I'd really like to know is - how well does nancy scale to higher resolutions? It could be competition for MPEG-4 even in the desktop arena. As someone who uses a 3-year-old laptop that can't really handle the &#($ing huge DivX files (which use pretty outdated technology across the board, whether you realize it or not), I welcome a codec that doesn't stress my system, and will save my battery life to boot.
-
I'm studying spintronics
I'm a second-year graduate physics student, and although I haven't really embarked on any research projects as of yet (still taking the required coursework), I plan to study magnetoelectronics (also known by the catchy buzzword spintronics). I'll be working with C.L. Chien's Artificially-Structured Materials Laboratory at Johns Hopkins University. (The lab's webpage isn't that informative yet, but will be soon.)
There are several groups working on spintronics-related research around the globe. You can check some of the research the spin-doctors are working on by looking at the Spintronics 2001 Conference webpage. Some incredible results involved researchers injecting spin-polarized current into an LED and producing Circularly Polarized Light!!! Other researchers are trying to produce spin-transistors, to switch/amplify spin-polarized currents. Many of the recent challenges involve producing spin-polarized currents, finding materials that can transport electron-spin, and injecting spin-polarized electrons into semiconductors.
The Chien group here at JHU has been the first to demonstrate experimentally the existence of a half-metal. Crystals of CrO2 have been shown to have spin-polarization of 96%. This was measured at the superconductor/ferromagnetic interface through Point-Contact Andreev Reflection (PCAR) techniques.
I'll explain some of the current concepts of spintronics, but pardon any errors as I haven't really begun my research yet. The manipulation of electron spin is an extra degree of freedom that novel electronic devices can exploit. Spintronics has already, in the 13 years since the discovery of GMR (Giant Magnetoresistance) in 1988, penetrated the technology industries (magnetic storage). It's rare for new technology like this to be commercially available so soon after its discovery. Transistors were one such monumental achievement; the first Ge transistors were available within years of the transistor's invention.
GMR is an effect that occurs with a normal metal film that is sandwiched between two ferromagnetic layers. Depending on whether the spins of the ferromagnetic layers are parallel or anti-parallel, a significant change of resistance is measured across the structure. A more useful device which extrapolates off this concept is a spin-valve. This is the standard GMR trilayer, with an anti-ferromagnetic layer on the bottom. This layer pins the spin of the bottom ferromagnetic layer. The top ferromagnetic layer can then float, and have its spin affected by the external magnetic field. This in turn creates a magnetic-field-dependent resistance across the device. Sensitive measurements of the magnetic field, obtained by measuring resistance, can be obtained in this manner.
This magnetic-field-dependent resistance is known as Magnetoresistance. This concept, in a fundamental sense, is how the newer GMR-based read-heads on high-density hard drives operate. Another similar device is the Magnetic Tunnel Junction. This is similar to the GMR trilayer, but an insulator film is sandwiched between the ferromagnetic layers, instead of a normal metal. Current can then tunnel through the device, again dependent on whether the spins are parallel or anti-parallel in the ferromagnetic layers. The tunnel junction is the fundamental concept at the core of MRAMs.
Another exciting area of research with spintronics that I haven't heard anybody on slashdot mention yet is quantum computing. Electrons are spin-1/2 fermions, and hence have two distinct eigenstates of the Spin operator (the eigenstates are usually called "spin-up" and "spin-down"). This makes them perfect candidates for representation of quantum bits (qubits) for potential quantum computation. Some groups are working on this idea, by studying interactions of quantum dots for instance.
Overall, this is a budding field that has already impacted the technology industry in its scant 13 years of existence. Expect many more interesting and potentially groundbreaking discoveries to occur. But then again, I'm spin-biased.
:-) -