Domain: nist.gov
Stories and comments across the archive that link to nist.gov.
Comments · 1,805
-
Re:The real problem with centralized records
Hey sg,
The thing is that a decentralised system isn't a bad thing at all. PKI was designed, from the start, to be usable as a non-centralised system (non-pyramid). Realistically speaking, using the same example as the one you offered, where a doctor needs to validate medical records provided by the patient to be truthful, you only need to verify the other doctor's credentials and a signed file.
Now we get back to the old "How do I trust another doctor's certificates?", well, we use a centralised service. Each doctor needs to enroll (Google cache of the same document) to get his certificates, and they are delivered by a central authority, possibly governmental (or whatever authority governs doctors in your country). It's not a very hard thing to do, and can be implemented for roughly a couple million dollars -- the whole system.
How many doctors are there in the US? A laughable amount if you compare how many certificates are issued for the DoD. Heck, you could even implement it to be fully PIV-C compatible, and get cross-certification from the US government, and would allow doctors' credentials to be easily validated during a crisis.
Heck, nobody even needs to own the PKI solution in the US. The government can do it for you, if you are a valid organisation, an excellent project provides certificate management for you. Outside the US it gets a bit more difficult, as interoperability is not quite as great as in the US, however PIV is starting to have quite a lot of traction in Europe as well (I can't remember off the top of my head if it's PIV-I or PIV-C that is being implemented with the UK police forces). A pretty good read (Google cache as it doesn't seem to be loading from here) about how data is provided on a PIV smartcard.
That being said, maybe the health care professionals ought to have raised their voice at the same time the engineers and scientists did (Google cache)?
-
Re:wrong headline
Being implemented in real-world hardware is not in and of itself a flaw, as long as you design your implementation under the assumption that it will be subjected to attacks like this.
Attacks like this are NOT new. See, for example, the guidelines for FIPS 140-2 Level 4.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
-
Re:Why not fund it yourself?
I am not disagreeing that information about space or life in other places would be interesting. These days I tend to think that bacteria came from outside the solar system myself, given how hardy bacteria is, and how statistically it would just be more likely it came from elsewhere with one small Earth and one big universe. I'm disagreeing with how compelling that would be as a call to action in current US society. As in, "Oh, gee, cute seamonsters on Europa. Now, what kind of cosmetics should we be producing to make the most money?"
http://www.skininc.com/treatments/cosmetics/16814576.html
"Global color cosmetics sales reached $36.8 billion in 2007, ..."
It has been said more people have walked on the Moon than have been to the bottom of the "deep ocean floor".
http://wiki.answers.com/Q/What_part_of_the_ocean_has_been_least_explored
We even have AI about to emerge seriously in twenty years or so (let alone new human/machine hybrids). Big yawn by most people.
http://www.transhumanist.com/volume1/moravec.htm
Frankly, the world would probably be a better place if we took all that money that goes into a search for life in space and put it towards helping understand and preserve life around Earth. One example of where the money would be better spent:
http://www.mel.nist.gov/programs/slim.htm
"The United States needs to prepare for a future where products are 100% recyclable, manufacturing itself has a zero net impact on the environment, and complete disassembly and disposal of a product at its end of life is routine."
A few hundred billion spent on sustainable and resilient infrastructure done in a free and open source way would let us bootstrap our civilization to the stars. In that sense, all the money spent on big science of other sorts has just kept us from creating space habitats. Related, on my own (self-funded) efforts to that end:
http://slashdot.org/comments.pl?sid=1563102&cid=31279590
Basically, the scientists at NASA have politically triumphed over the engineers. So, NASA does amazing scientific experiments with, for the most part, 1960s technology, with lots of money for science but comparatively little for innovation (and of course, the Shuttle has eaten up most of NASA's budget in general, anyway, so the engineers and scientists were just fighting over scraps left over). And beyond that, there are records showing how NASA has from the start been primarily funded for military goals (to demonstrate intimidating technical leadership):
http://www.jfklibrary.org/JFK+Library+and+Museum/News+and+Press/JFK+Library+Releases+White+House+Tape+on+Space+Race.htm
http://www.thespacereview.com/article/735/1
"We know that such recordings can shed substantial light on Kennedy's thinking on space because of another tape that was released five years ago and gained a surprising amount of media attention in the sleepy month of August 2001. That recording, number 60 in the Kennedy Library, concerned a November 1962 meeting between Kennedy, Webb, and several other top White House and NASA officials to discuss the NASA budget. During that meeting, Kennedy made the comment that "I'm not that interested in space..." explaining that he supported the lunar program because it was a race against the Soviets: "the Soviet Union has made this a test of the system. So that's why we're doing it," Kennedy explained."
-
Entropy
Security by obscurity at its finest.
At what point does obscurity become security? 3,727 attempts corresponds to 12 bits of entropy. According to NIST, that's the equivalent of a 5-character user-selected password. The same document stipulates a mere 10 bits of entropy for some applications.
-
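Added example (editor's, not part of the comment above and not code from any NIST publication): the arithmetic behind the comment's "3,727 attempts is about 12 bits, the same as a 5-character password", plus the check a practitioner actually wants, which is how many online guesses a lockout or rate-limit policy can tolerate before the attacker's chance of success exceeds a budget. The per-character estimate is the SP 800-63 Appendix A scheme for user-chosen passwords without its dictionary-check and composition-rule bonuses; the 2^-10 and 2^-14 lifetime success budgets are the Level 1 and Level 2 figures from the 2006 edition of the same document. Everything else (function names, the worked numbers) is constructed for the illustration.

```python
import math

# Lifetime online-guessing success budgets from NIST SP 800-63 (2006 edition),
# expressed in bits: 2^-10 for Level 1, 2^-14 for Level 2.
LEVEL_BUDGET_BITS = {1: 10, 2: 14}


def bits_for_guesses(n_guesses: int) -> float:
    """Entropy of a uniform n-way secret: 3,727 possibilities is ~11.9 bits."""
    if n_guesses < 1:
        raise ValueError("need at least one possible value")
    return math.log2(n_guesses)


def user_chosen_password_bits(length: int) -> float:
    """SP 800-63 Appendix A base estimate for a user-chosen password.

    First character 4 bits, characters 2-8 two bits each, characters 9-20
    one and a half bits each, characters 21 and up one bit each.  The
    dictionary-check and composition-rule bonuses are deliberately omitted.
    """
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def online_success_probability(entropy_bits: float, attempts: int) -> float:
    """Chance an attacker wins with `attempts` distinct guesses at a uniform secret."""
    return min(1.0, attempts / 2.0 ** entropy_bits)


def max_attempts_for_level(entropy_bits: float, level: int) -> int:
    """Largest lifetime attempt count that stays within the level's budget.

    attempts / 2^H <= 2^-budget  is the same as  attempts <= 2^(H - budget).
    """
    budget = LEVEL_BUDGET_BITS[level]
    return int(math.floor(2.0 ** (entropy_bits - budget)))


if __name__ == "__main__":
    h = bits_for_guesses(3727)
    print(f"3,727 guesses ~ {h:.2f} bits; 5-character estimate = "
          f"{user_chosen_password_bits(5):.0f} bits")
    for level in (1, 2):
        print(f"Level {level}: at most {max_attempts_for_level(12, level)} "
              f"online attempts over the secret's lifetime")
```

The point the numbers make: a 12-bit secret only meets the Level 1 budget if the attacker gets four or fewer tries over the lifetime of the secret, and it cannot meet Level 2 at all, so "12 bits" is a statement about the lockout policy as much as about the secret.
-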
NIST is not new
NIST is not a new agency and has been around for some time. They are responsible for keeping track of US time and other standards. If the director of NIST is anything like those I know who work there, I do not think this will be anywhere near as bad as you imply. Finally, ACTA has nothing to do with "international standards" and everything to do with copyright law.
-
Re:I wonder
NIST isn't a new entity, they are the US Government's standards body, they are part of the Dept of Commerce, and write all kinds of standards the government has to use.
So when the government directs their standards body to take part in standards negotiations on their behalf, there is no conspiracy there.
Take a look at some of what NIST does
http://www.nist.gov/index.html
http://www.nist.gov/public_affairs/orgchart.htm
Also note that, like IEEE, all of their Technology Special Publications go through public comment periods.
http://csrc.nist.gov/publications/PubsSPs.html
One of my favorites is SCAP; it's like XML for security products that helps to standardize vulnerability reports and security settings, so you can check, using an array of SCAP-compatible tools, if your thousands of machines are all patched and up to date as well as running your enterprise security config.
I'd be concerned if some new bill made someone ELSE without some of the world's best test labs, scientists and engineers negotiate standards for the US.
-
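Added example (editor's, not code from the comment above or from any NIST or vendor tool): SCAP's checklist language, XCCDF, reports the outcome of each rule inside a TestResult element, so the "are my thousands of machines compliant" question in the comment comes down to aggregating those elements across hosts. The XML here is a constructed sample in the XCCDF 1.2 namespace, not real scanner output, and the benchmark, rule and host identifiers are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace, as used by SCAP 1.2 content.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: one host's TestResult (ids and hostname are made up).
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_host1">
    <target>host1.example.test</target>
    <rule-result idref="xccdf_example_rule_sshd_no_root_login">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_min_length">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_autofs_disabled">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.00</score>
  </TestResult>
</Benchmark>
"""


def summarize_results(xml_text: str) -> dict:
    """Map each target host to its per-outcome counts, failing rule ids and score."""
    # ElementTree's expat parser does not fetch external entities, but for
    # result files from untrusted sources use defusedxml so entity-expansion
    # attacks are covered as well.
    root = ET.fromstring(xml_text)
    summary = {}
    for test_result in root.findall("x:TestResult", NS):
        target = test_result.findtext("x:target", default="(unknown)", namespaces=NS)
        counts = Counter()
        failed = []
        for rule_result in test_result.findall("x:rule-result", NS):
            outcome = rule_result.findtext("x:result", default="unknown", namespaces=NS)
            counts[outcome] += 1
            if outcome == "fail":
                failed.append(rule_result.get("idref"))
        score = test_result.findtext("x:score", default=None, namespaces=NS)
        summary[target] = {
            "counts": dict(counts),
            "failed": failed,
            "score": float(score) if score is not None else None,
        }
    return summary


def fleet_failures(summaries: list) -> Counter:
    """Count, across many hosts' summaries, how many hosts fail each rule."""
    tally = Counter()
    for summary in summaries:
        for host in summary.values():
            tally.update(host["failed"])
    return tally


if __name__ == "__main__":
    one_host = summarize_results(SAMPLE_RESULT)
    print(one_host)
    print(fleet_failures([one_host]).most_common())
```

Feeding every host's result document through `summarize_results` and then `fleet_failures` gives the ranked list of rules most often failed, which is usually the first thing a remediation plan needs.
-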
Going beyond CAD to simulation
The parent poster is very informative and practical, although it misses the open source point as a cultural thing, and does not discuss the issue of open standards, which may be even more important than open source for a big project (since with open standards, you can at least replace tools over time).
Also, since much work related to rocketry is considered some form of munitions, that is another stumbling block. Although hopefully OpenLuna can avoid most of those issues and focus on the habitat aspect?
But there is one other aspect that is even more important than CAD, and this is simulation and related standards for storing that data connected to simulations. And there are all sorts of simulation tools emphasizing all sorts of different things at all sorts of different levels of detail. And there are all sorts of very interesting simulations that can be made about how to make things that have both on-Earth benefits and advance the cause of making space habitats.
Take for example these ideas from the US National Institute of Standards and Technology:
"Sustainable and Lifecycle Information-based Manufacturing"
http://www.mel.nist.gov/programs/slim.htm
"The United States needs to prepare for a future where products are 100% recyclable, manufacturing itself has a zero net impact on the environment, and complete disassembly and disposal of a product at its end of life is routine. To document and monitor these changes, US industry will require key resources and methods that will enable it to measure sustainability along several dimensions (such as carbon foot print, energy accounting and recyclability of materials) allowing accurate assessment of status and progress."
That is exactly the kind of information you need in designing a space habitat too, whether on the Moon, Mars, the asteroids, or even anywhere on Earth (like under the sea, or in Antarctica, or in the desert).
Over the last ten years this paper I co-wrote for the Space Studies Institute conference on space manufacturing has gone from unimaginable to mostly obsolete, now that so many people are doing open source design.
:-)
"A Review of Licensing and Collaborative Development with Special Attention to the Design of Self-Replicating Space Habitat Systems"
http://www.kurtz-fernhout.com/oscomak/SSI_Fernhout2001_web.html
But, one big issue to consider is to save design costs, you ideally need a good simulation framework for doing virtual testing of concepts. And to do detailed simulations, you ideally might need millions of people to donate spare CPU cycles. If you can get to the point where you can launch an automated seed factory to the moon that would then build infrastructure, all you would need is a billion dollars to build it and launch it (which hundreds of individuals could swing today). But to get to that point you need a credible design. Getting that design together, with as much virtual testing as possible, is something that could productively occupy many people for years, and the best value for a small group might be to put together enough seed information to make the equivalent (maybe not web based) of a Wikipedia of space habitation and open manufacturing information. Three fizzled attempts by me in those directions from years gone by (roughly two, ten, and twenty years ago, respectively):
http://www.oscomak.net/
http://www.kurtz-fernhout.com/oscomak/prototype.htm
http://www.pdfernhout.net/sunrise-sustainable-technology-ventures.html
James P. Hogan, the sci-fi writer, has been a big inspiration to me, especially with these two books:
-
Re:IE or "the latest fully patched versions" of IE
Re: "does anyone here work for an organization of any sort (government, industry, academia, whatever) that requires that everyone use "the latest fully patched versions of Internet Explorer"? Answer is yes. See http://nvd.nist.gov/fdcc/index.cfm
-
Moving beyond the legacy of colonialization
Places with huge problems also tend to have legacies of intervention by foreign governments and foreign corporations. The Earth has no resource limitation problems in the long term:
"Earth's carrying capacity and Catton"
http://listcultures.org/pipermail/p2presearch_listcultures.org/2009-August/004123.html
But, with robots on the way, it's easy to see why many think life is cheap because masses of human labor are no longer needed for the earlier exploitation:
"Robot videos and P2P implications (was Re: A thirty year future...)"
http://listcultures.org/pipermail/p2presearch_listcultures.org/2009-November/005926.html
That is the deeper problem we need to address as a society, how to move past the irony of having all these tools of abundance but people using them to make artificial scarcity. We need to stop using military robots to enforce a culture of work on humans and instead make robots to do the work. We need to stop building nuclear missiles to fight over oil wells on Earth and instead use the same basic technologies to produce power or make accessible resources in space (I'm a renewable energy fan more than nuclear though). Here are some other ways to move past that irony:
http://en.wikipedia.org/wiki/Basic_income
http://www.basicincome.org/bien/aboutbasicincome.html
http://marshallbrain.com/robotic-nation.htm
http://www.michaeljournal.org/lesson1.htm
http://en.wikipedia.org/wiki/Gift_economy
http://www.freecycle.org/
http://www.freesoftwaremagazine.com/articles/free_matter_economy?page=0%2C1
http://en.wikipedia.org/wiki/3d_printing
http://www.mel.nist.gov/programs/slim.htm
http://www.remineralize.org/
http://www.thevenusproject.com/
http://www.juliansimon.com/writings/Ultimate_Resource/
http://books.google.com/books?id=bCuC2H-6k_8C (Surviving America's Depression Epidemic)
http://www.vitamindcouncil.org/treatment.shtml
http://www.honestfoodguide.org/
http://www.global-mindshift.org/memes/wombat.swf
http://en.wikipedia.org/wiki/Jobless_recovery
There are lots of solutions rather than kill off people or prevent them from being born when there is so much abundance for everyone these days through modern technology. You want to stop suffering? Break the link between a right-to-consume and being able to sell your labor on a market where automation and better design is removing good jobs every day, like people said would be a problem even back in 1964:
http://educationanddemocra
-
Re:some data
First, here's the NIST list of approved 140-1 and 140-2 modules.
Note that they approve the module and not the access software. The flaw is in the access software. Therefore, 140-2 compliance or approval isn't proof that your data is safe. It just means that some approved form of encryption is implemented by the crypto module. It appears that the modules in question were given some form of TEMPEST examination as well, but once again, that means nothing in terms of the access software.
Actually, the flaw is indeed in the modules. They ALL use the same unlock key. I'd say that makes them flawed. The software is not helpful - it just obscures the fact that they all use the same unlock key by asking for a unique password that it converts to the common unlock key - but as unhelpful as the software is, it isn't the issue.
To put it another way, there is no way of fixing the software to change the fact that all of these drives can be accessed with one known key, which means it's not the software that is broken, it's the keys.
Of course, it doesn't help that the software gave up that key, so that is certainly a flaw, but if the modules all had different keys it wouldn't be as helpful, and it certainly isn't as big a problem as the modules all being the same!
-Taylor
-
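Added example (editor's simulation, not code from the exchange above or from any vendor's product): the two designs the reply is arguing about. In the weak one, the host software checks the password and then sends the drive a constant unlock key, so anyone who learns that constant (from the software, as the reply says happened) opens every unit without any password. In the hardened one, the key is derived from the password on the fly and the device stores only a per-unit salt and a verifier, so there is no shared constant to recover and no way to fix the weak design in software alone. Key derivation is PBKDF2-HMAC-SHA256 from the standard library; the `Drive` classes, the made-up constant, the device interface and the iteration count are all assumptions for the illustration.

```python
import hashlib
import hmac
import os

# ---- Design 1: the flawed architecture the reply describes -----------------
# Every unit ships with the same unlock key; the host-side software merely
# gates *sending* it behind a password check.  (Constant is made up.)
SHARED_UNLOCK_KEY = bytes.fromhex("0123456789abcdef" * 4)


class WeakDrive:
    """Hardware that accepts a bare key and never sees the user's password."""

    def __init__(self):
        self._key = SHARED_UNLOCK_KEY  # identical in every unit

    def unlock(self, key: bytes) -> bool:
        return hmac.compare_digest(key, self._key)


def weak_password_record(password: str) -> bytes:
    """What the host software stores to check the password locally."""
    return hashlib.sha256(password.encode()).digest()


def weak_host_unlock(drive: WeakDrive, password: str, stored_record: bytes) -> bool:
    """Host software: compare the password hash, then send the constant key."""
    if hmac.compare_digest(weak_password_record(password), stored_record):
        return drive.unlock(SHARED_UNLOCK_KEY)
    return False


def attacker_replays_constant(drive: WeakDrive) -> bool:
    """No password needed once the constant is known: it is the same everywhere."""
    return drive.unlock(SHARED_UNLOCK_KEY)


# ---- Design 2: password-derived key, verified on the device ----------------
PBKDF2_ITERATIONS = 100_000  # assumption for the example, not a product figure


def derive_key(password: str, salt: bytes) -> bytes:
    """Per-device key: same password on two devices gives two different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class HardenedDrive:
    """Stores a random salt and a verifier of the derived key, never the key."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        key = derive_key(password, self._salt)
        # Verifier is a keyed hash of a fixed label; the key itself is discarded.
        self._verifier = hmac.new(key, b"unlock-verifier", hashlib.sha256).digest()

    @property
    def salt(self) -> bytes:
        return self._salt

    def unlock(self, key: bytes) -> bool:
        candidate = hmac.new(key, b"unlock-verifier", hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self._verifier)


def hardened_host_unlock(drive: HardenedDrive, password: str) -> bool:
    """Host derives the key from the password and the device's own salt."""
    return drive.unlock(derive_key(password, drive.salt))


def two_drives_share_key(password: str) -> bool:
    """Check whether two devices set up with the same password end up with one key."""
    a, b = HardenedDrive(password), HardenedDrive(password)
    return derive_key(password, a.salt) == derive_key(password, b.salt)
```

Note that in the hardened design the verifier is what a certified crypto module would be evaluated against; the weak design can also pass a module-level evaluation, because the module's cipher and key handling are fine in isolation, which is the reply's point about what FIPS 140-2 validation does and does not tell you.
-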
some data
First, here's the NIST list of approved 140-1 and 140-2 modules.
Note that they approve the module and not the access software. The flaw is in the access software. Therefore, 140-2 compliance or approval isn't proof that your data is safe. It just means that some approved form of encryption is implemented by the crypto module. It appears that the modules in question were given some form of TEMPEST examination as well, but once again, that means nothing in terms of the access software.
-
Re:Let me be the first to say
It's documented in CVE-1999-1228 but I'm sure it's much older than that.
-
Re:This is BS
We have a shuttle launch every few months, and every time the general public's reaction is almost total apathy. Satellites are launched into space all the time, and nobody cares.
Do you judge the success of a space program based on the public's reaction?
Does the public care when a 747 (or Airbus or whatever) takes off from an airport? Do you use the public's reaction to judge the success of the airline industry?
He doesn't exactly say it, but I think Lu's underlying point is that NASA is run like a PR agency. What mission will grab the public's attention? How can we get the public excited about space flight again? Go to the moon? Go to Mars?
Are you excited about NIST? NOAA? Do you judge their success by what the public thinks about them? Do they try to grab the public's attention to justify their budget? No, they just do their job year in and year out, and that includes R&D.
Lu's point is that maybe NASA shouldn't worry so much about their PR. Maybe they should concentrate on more frequent, but smaller steps. And build on those smaller steps, instead of always trying to grab the public's attention by making giant leaps (heh).
-
NIST's SLIM program would be a better use
3D printers are just an example, and also BTW they can be cost effective in short run productions, which more and more manufacturing is, essentially printing on demand to reduce inventory costs. Any institution like NASA that can make plans decades ahead should be able to see how that will continue to improve. Also, there are a variety of other flexible manufacturing techniques and ways that costs are falling on that. Not all the loss of manufacturing employment in the USA is offshoring -- some is genuinely because of improved production efficiency, which will only continue. Tools continue to get better and more flexible, so the huge capital costs you refer to are less and less of an issue. Decades ago a computer cost millions of dollars and had less power than an electronic greeting card you can buy in the store for a couple dollars. Are you saying other industries simply will not follow, given all we know now and that we have the internet to continue to improve things? Especially with nanotech picking up?
As far as energy and materials, as long as we do nearly 100% green energy like from solar panels and nearly 100% recycling, the volume does not matter that much; and if it is not nearly 100% sustainable, then we will bury ourselves in waste and pollution eventually anyway. Here is a government program at NIST already in that direction -- I'd suggest giving them US$400 million rather than spend it right now on another cruise to nowhere.
"Sustainable and Lifecycle Information-based Manufacturing"
http://www.mel.nist.gov/programs/slim.htm
"""
The United States needs to prepare for a future where products are 100% recyclable, manufacturing itself has a zero net impact on the environment, and complete disassembly and disposal of a product at its end of life is routine. To document and monitor these changes, US industry will require key resources and methods that will enable it to measure sustainability along several dimensions (such as carbon foot print, energy accounting and recyclability of materials) allowing accurate assessment of status and progress. These resources and methods require identification of dimensions, associated measurements and classification of information relevant to sustainable product design and manufacturing. Such a base of information is critical to product designers and manufacturing engineers so that they can incorporate sustainability in their efforts. Hence, the primary challenge is to develop requirements, formal models, and validation methods for sustainability-based and lifecycle information-based manufacturing that support interoperability among tools and standards for design, analysis, simulation, and lifecycle assessment and information management.
"""
-
Re:Not really
I think that you know that I disagree. Linux does not have any form of autorun. Most distributions lack open ports. That's a lot of attack surface missing right there relative to Windows on a per system basis. After all, if your computer isn't listening over the network, it can't be compromised over the network by a remote initiator; if it isn't running a file on the root of a mounted share, CD or pendrive then it can't be automatically compromised by software placed in those locations (or mailed or dropped in the parking lot or in the Men's room at the clubs where your high-value targets hang out) without further user interaction. Then there are the thousands of object formats like images, spreadsheets and wordart that Microsoft seems to think should be embedded in every application. That's how you wind up with a buffer overflow in font rendering that gets system privileges. Even without these things the embedding of Turing Complete scripting languages in every application with hidden execution renders the Windows platform's security horrendous.
Both can be rendered more secure of course. Here, for example, are some NSA recommendations for Windows. With good system administration by a skilled staff it's possible to build an image and policies for either that can carry most users through a year without being compromised despite heavy online research and heavy communications on the part of the end user. I think we can both agree that this is not what's actually happening in the field.
I argue that if Linux became as popular as windows that it would face security problems at a similar scale.
This argument is beaten to death. Linux runs the Internet. There is no higher value target than the server that stores the files and databases for thousands of users or processes their credit cards, and here market share is more evenly matched. And yet... where is the Linux equivalent of the SQL Slammer worm that compromised 90% of all the vulnerable servers in the world in under an hour? Nowhere. The "When Linux is popular it will have problems too" story is just getting silly. There are more than enough Linux users both for commercial software vendors and malware vendors, and they're both avoiding it like the plague. Kudos to your marketing team for making the former happen. I have to think the latter made that decision on their own, but perhaps the marketing does help, so thanks for that.
Did you know that the Windows Malware ecosystem is in dollars actually far larger than the Windows market? I thought it odd too, but if you count time and money lost, development and marketing and sales on both sides (attack and defense), hardware and services, it's not even close. Maybe you're on the wrong side of the business.
I'm going to summarize with a truism you should engrave on your desk: "Anything a program can do, another program can do."
-
Re:It's called engineering
Oh yes.
Throw in "automate the acceptance tests" between the usage agreement and coding, just for good measure. Well, actually to free the developers from ever worrying whether they met the goals or broke any planned functionality again.
Really. It's not that hard:
- Expect for the commandline,
- Netcat for network,
- Selenium for web,
- Robot framework for graphical user interfaces.
Googleable, deadwooden and professional help are available on all of above.
It's a world I'd love to live and work in where programmers were engineers providing precise solutions to actual problems!
-
Re:WTC-7
Officially, struck and damaged by debris from the collapse of towers one and two.
I LOVE the way you phrased that! You forgot to put the "officially" in scare-quotes, though. Could have used some italics tags, too. It's important to impress on people the idea that official=bad!
WTC-7 was a security hardened building with lots of extra steel and concrete
Wrong. It was actually a pretty shit design. It used a cantilever girder arrangement when it was built on top of an old con-ed substation. According to NIST, this design choice didn't really play a part in the collapse - however, your claim that the building was "hardened" is complete bullshit.
which makes the "flying debris" explanation questionable in some people's minds
Well that's good, because flying debris didn't do enough damage to cause collapse. It only started the fires which eventually brought down the building.
More here.
What I can't get over is how stupid/ignorant/crazy/paranoid you'd have to be to believe that blowing up an empty building is just the kind of thing that the nefarious NWO would do. Why exactly would anyone want to do that? Nobody seems to be able to answer that question, although a few of the REALLY crazy fuckers have suggested that the CIA was too cheap to buy paper-shredders, and figured blowing up the building would be a good way to destroy their records. Makes perfect sense, if you're suffering from LSD flashbacks. Oh, and as an alternate explanation, the anti-semites like to push the JOOO connection by claiming that Larry Silverstein ordered the fire department to blow up the building so that he could get insurance money. I'm telling ya, these 9/11 goofers are nuttier than squirrel shit.
-
Re:100 Million?
Sorry, but we already lost this battle by proxy (you and I had no vote). Take it up with the IEEE and NIST if you have a problem with the new units. Personally I've already made my peace and learned to accept the new standard.
IEEE 1541 recommends KiB (kibibytes) for 2^10 and MiB (mebibytes) for 2^20.
NIST guidelines (Warning: PDF) require use of IEC prefixes KiB, MiB ... (and not kB, MB) for binary byte multiples.
-
Re:Easier fonts means a lot!
Actually, Opera did have a hole like this recently: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3832
-
Re:Cloud storage, the Solution begging for a probl
True, I could say, "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Or, I could say "cloud".
-
Re:great
According to the pdf it has to meet FIPS 140-2, and implies ssl/tls level of encryption. (IANANES, so I'm not sure just how good that is.)
It's pretty good. It also has requirements for user-level authentication (machine-to-machine is not good enough) and approved key-generation algorithms. It's also actively maintained by people who know what they are doing, which makes it a much better decision than trying to write your own security requirements spec.
Why that should get you out of reporting data loss is what I don't follow. When it might be someone sniffing the data at your ISP, you need to report it, but when you have a FIPS certification proving that it must be a serious problem, you can keep it secret?
I can hear people saying I must be new here but I only skimmed TFA.
Right. Most people wouldn't have skimmed it.
-
NIST Guidelines
The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting the final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security. http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf
-
Re:Way to go Apple
Is Apple's move the first major step in forcing computer science to adopt the more awkward binary prefixes, breaking decades of accepted (if technically inaccurate) usage of SI prefixes?
Those two should be swapped. With that out of the way...
No, the summary used those correctly. You have the SI prefixes and the SI binary prefixes, which incidentally weren't approved until 1998, decades after computers started using the standard SI prefixes for binary numbers.
-
Re:How does this affect security?
Flaws in the Hypervisor might be exploited by the VMs: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1244
-
Re:Lol
But suddenly I say: and some people want this same government in charge of our military and now I'll be modded troll into oblivion.
Fixed that for ya. Oh wait, still a dumb thing to say...?
The government is a very large and diverse group of people. Some of those people do legitimately deserve to be criticized, but many, many, many of them do not. They do their jobs daily and with excellence, often for little compensation.
To infer that the government would be bad at managing health care because of a single instance of idiotic training materials is an example of woefully poor logic... -
Re:Overkill?
Sure it can. And then someone can use techniques such as MFM, SPM or STM to recover the disk. And then there is this patent which notes that data is often partially written off the track, and thus can't be wiped.
I guess for most people's purposes something like DBAN will work well. But for the truly paranoid, you really need to read NIST's recommendation that you clear, purge and destroy. And by destroy, they mean that you use "Disintegration, Pulverization, Melting, and Incineration." At an "outsourced metal destruction or licensed incineration facility with the specific capabilities to perform these activities effectively, securely, and safely", no less.
-
Re:Don't keep pace, run out ahead!
http://cic.nist.gov/vrml/vbdetect.html
VRML has been around for over 10 years.
However, I don't expect the technology to take off until the porn sites adopt it more heavily.
-
Re:Another advantage for TPM chips...
There are a number of statistical analyses that you can run against the output of a pRNG to determine how much entropy it will generate under various usage conditions.
-
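The comment above mentions statistical analyses of pRNG output. As an added example (not from the comment's author or from NIST's reference tooling), the following implements the Shannon estimate and the Most Common Value min-entropy estimate from NIST SP 800-90B over constructed byte samples, plus a hypothetical LCG test subject whose stream looks flat statistically but is fully determined by a 31-bit seed.

```python
"""Entropy estimates over RNG output, in the style of NIST SP 800-90B."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (the average-case figure)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def mcv_min_entropy(data: bytes) -> float:
    """Most Common Value min-entropy estimate (SP 800-90B, section 6.3.1):
    bound p_max with a 99% upper confidence limit, then take -log2."""
    n = len(data)
    if n < 2:
        raise ValueError("need at least two samples")
    p_max = max(Counter(data).values()) / n
    p_u = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return -math.log2(p_u)


def lcg_bytes(seed: int, n: int) -> bytes:
    """Hypothetical test subject: a 31-bit LCG (glibc-style constants)
    emitting bits 16..23 of each state. Statistically flat, yet the whole
    stream carries no more entropy than its 31-bit seed."""
    out, x = bytearray(), seed & 0x7FFFFFFF
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples, not captured from any real generator.
UNIFORM = bytes(range(256)) * 4                     # every value 4 times
BIASED = bytes([0x41]) * 768 + bytes(range(256))    # ~75% one value


def report() -> dict:
    """(shannon, min-entropy) bits per byte for each sample."""
    samples = {"uniform": UNIFORM, "biased": BIASED,
               "lcg": lcg_bytes(12345, 4096)}
    return {name: (shannon_entropy(d), mcv_min_entropy(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, hmin) in report().items():
        print(f"{name:8s} shannon={h:5.2f}  min-entropy(MCV)={hmin:5.2f} bits/byte")
```

The per-symbol estimates bound bias in the output distribution only; a deterministic generator scores well on them while its total entropy stays capped by the seed, which is why these tests complement rather than replace a review of the generator's design.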
Already controlled for
Someone should introduce Congress to the FISMA Act of 2002, which mandates that federal agencies control for this kind of stuff. As part of my work at the DoD I occasionally audit non-military systems. In the past this has included systems for the IRS, DHS and FBI. All of them are required to comply with FISMA regulations, specifically NIST 800-53. The relevant section, Appendix F Section SA-6 page F-222 (or page 293, for those reading the PDF) states:
The organization controls and documents the use of publicly accessible peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Now, I realize that's highly generic, but it's up to the organizational unit to write some sort of policy around the guidance. If they aren't able to do that, they're not in compliance with FISMA and the GAO should rightly be sticking a rather large boot up their ass.
-
Supertrapp vs. Refprop
The Supertrapp program from NIST will soon be fully superseded by the REFPROP program. This newer program calculates REFerence PROPerties of nearly 100 fluids from equations of state in a user-friendly environment. The program can be found at www.nist.gov/srd/nist23.htm. Not all of the fluids that were available in Supertrapp are available in REFPROP, but our current work will soon make them all available, at which point the Supertrapp program will no longer be available for purchase.
To clarify several issues that have been brought up here, although the word "database" is used to describe these products, they are in reality only programs that use equations of state to calculate thermodynamic properties. The equations of state are developed using high accuracy data as explained in Lemmon, E.W. and Jacobsen, R.T, "A New Functional Form and New Fitting Techniques for Equations of State with Application to Pentafluoroethane (HFC-125)," J. Phys. Chem. Ref. Data, Volume 34, Number 1, pp. 69-108, 2005. There is no data in the databases, but this generic word is used to describe all of the standard reference data products sold by NIST.
Concerning the copyright, users of the programs should be aware of the Standard Reference Data Act, PL 90-396, Section 6, which states "The Secretary may secure copyright and renewal thereof on behalf of the United States as author or proprietor in all or any part of any standard reference data which he prepares or makes available under this Act." The SRD Act is online at http://www.nist.gov/srd/publiclaw90-396.pdf
If you have further questions about the Refprop or Supertrapp programs, please feel free to contact me.
Eric Lemmon (Eric.Lemmon@nist.gov)
-
Re:FAQ claims copyright
I posted this elsewhere, but in case you missed it:
The Standard Reference Data Act provides an exception in the case of reference data to the general rule that the U.S. government cannot obtain a copyright. -
Re:NIST - Public Domain
If the NIST program is the product of the work of US Government employees it is in the public domain.
Not true. The Standard Reference Data Act provides an exception in the case of reference data to the general rule that the government cannot obtain a copyright. -
Which database?
It looks like they are selling some database
http://www.nist.gov/srd/dblist.htm
And providing others for free,
http://srdata.nist.gov/gateway/gateway?dblist=0
Which one are you after? Something like this?
http://www.metallurgy.nist.gov/phase/solder/solder.tdb
I imagine if you derive approximation formulas to the figures, and publish them packaged as software you would be able to license it whichever way you liked - sounds "transformative" to me. Might even qualify as proper research. Would that work?
I don't think "it's only measurements" is enough to say they have no copyright. On the other hand, if the same numbers appear in different places / articles then if you establish that "these are the numbers", and you make your database in a different format, it would be a different story.
Stephan
-
FAQ claims copyright
The FAQ claims that the US government has a copyright on the material. This could be possible if the material was not directly generated by the NIST itself --- for example, they paid a contractor to generate it and it is considered a "work for hire".
The facts themselves probably can't be considered to be under copyright.
OTOH, I agree with a previous poster that you should consult a lawyer if you want to actually do anything which isn't sheeple-ish with the data.
-
Re:Smart Grid is a scam
Yes, the "smart grid" goals have been drafted by the utility industry. I'm ok with that, so long as it's not confused with the HVDC grid.
The problem is that people are attacking the HVDC grid, using valid concerns about the "smart" grid.