Domain: nist.gov
Stories and comments across the archive that link to nist.gov.
Comments · 1,805
-
Read & Learn, And Legalize Marijuana
Since the article is often pulled from websites, the first article you should read and burn into your mind is this, Google for the title and archive a copy for yourself:
"A break-in to end all break-ins"
"In 1971, stolen FBI files exposed the government's domestic spying program"
It's an amazing story, and in 2008, how much has this expanded into every corner of our lives? The majority of Americans are brainwashed sheep consumers with a limp wet noodle for a brain, thrashing around with their Wii and Paris Hilton media like a fat dinosaur in a tar pit. Stay informed, we have no privacy, encryption is good but useless with acoustic monitoring, reflections in the eye and objects in your environment, etc.! If it's electronic, there's always a loophole. You shine brighter with each electronic device you use, in many ways. Don't trust Hushmail or any web based mail service to keep anything of yours secure or to provide any reasonable degree of security. Secure your computer room and rig your computer to shut down if you use encryption like Truecrypt or other when your environment is entered by someone other than you or those you permit and trust (you shouldn't trust anyone, everyone has a price)
Compromising Reflections or How to Read LCD Monitors Around the Corner
http://www.infsec.cs.uni-sb.de/~unruh/publications/reflections.pdf
And more:
http://www.eff.org/wp/detecting-packet-injection
http://en.wikipedia.org/wiki/Anonymous_remailer
http://cryptome.org/tempest-law.htm
http://seclab.uiuc.edu/pubs/LeMayT06.pdf
http://www-users.cs.umn.edu/~dfrankow/files/lam-etrics2006-security.pdf
http://cryptome.org/nsa-vaneck.htm
http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php
http://www.nononsenseselfdefense.com/five_stages.html
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
http://csrc.nist.gov/itsec/guidance_WinXP_Home.html
http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf
http://all.net/books/document/harvard.html
http://www-128.ibm.com/developerworks/library/l-keyc.html
http://www-128.ibm.com/developerworks/library/l-keyc2/
http://www-128.ibm.com/developerworks/library/l-keyc3/
http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.wiley.com/legacy/compbooks/mcnamara/links.html
http://lifehacker.com/software/home-server/geek-to-live--set-up-a-personal-home-ssh-server-205090.php -
Re:How reliable is their random number generator?
According to them, it's quantum-effect based:
http://www.via.com.tw/en/initiatives/padlock/hardware.jsp
in short, it's a set of free running oscillators, where the exact frequency of each is affected by thermal noise. the instabilities generate an easy to detect "beating", turned into bits and accumulated in hardware registers.
there's very little 'source code for the chip' to read and validate; but there are several tools to statistically verify random distributions.
(this one looks nice: http://csrc.nist.gov/groups/ST/toolkit/rng/index.html. i'll try to get some time to test it on my via mainboards...)
-
Re:Headline is wrong and you are wrong too
"A kelvin is a unit of temperature difference,"
It is a unit of thermodynamic temperature.
"a defined fraction of the temperature of the triple point of water above absolute zero."
Note the inclusion of absolute zero in the definition.
"It is not a scale referenced to Absolute Zero."
Yes, it is; it is a unit of thermodynamic temperature. Didn't you pay attention in your basic chemistry class?
"But the milli prefix is not capitalised, because capital M implies the Mega prefix"
If you spent more time reading my post rather than rushing off to be "right," you'd have noticed that I was arguing that the term "millikelvin" is not a proper noun, and that if it was, the first letter of the word "millikelvin" would be capitalized. And while the symbol for the prefix "mega-" is capitalized, when it is spelled out it follows the same rules of capitalization as the rest of English; you'd only capitalize "megakelvin" if it appeared at the beginning of the sentence, was used in a title, or the like.
"The correct, pedantic version is "10 mk above Absolute Zero", or "10 millikelvins above Absolute Zero"."
The symbol for kelvin needs to be capitalized, "above absolute zero" is redundant, and "absolute zero" (at least as thermodynamic temperatures go) is not a proper noun or title and should not be capitalized. The temperature was 10 mK.
Let me try the HTML link again: here
-
Re:Feet and yards?
We tried, we even have the metric conversion act of 1975. There are simply too many people who resist change and can't do the math in their head. I understand the difficulties with Fahrenheit to Celsius, but it isn't hard to multiply a pound by 2.2. You can even round it to 2 if you had to.
I used to work in a factory that was owned by a German company, but located in the US. If I would give a drawing labeled in millimeters to our machinists they would balk at it, and I would have to go back and convert it to inches. We had a visiting machinist from Germany and I accidentally gave him a drawing in millimeters to use with our mill which was in inches. Realizing my mistake I offered to correct the drawing. He simply asked what the conversion was. I told him 25.4 mm/in and he came back a little while later with a perfectly machined part. -
Check NIST
I can't find the original tips'n'tricks doc NIST published for the best way to reliably store disc media, but here is another study on longevity. I'm sure the other doc can be found without too much trouble.
As others have noted, refresh media every 5 years, and use good quality media. You can be sure that the DVD format will be around in 5 years, but you may see some writing on the wall at that time that would cause you to change your media of choice.
Also, having a copy in two different formats helps a lot. Having a backup on HDD would make it much more likely to have at least one of the copies easy to use.
Overall, though, I suggest not abandoning the media for 20 years without thinking about it - that will just make the recovery job more difficult when you unearth the material. -
It is...
"degree Rankine", same as "degree Celsius," "degree centigrade," and "degree Fahrenheit." Kelvin is the odd man out.
-
Re:Shameless karma whore
Because "In accordance with various Federal Acts, the Code of Federal Regulations, and Executive Order 12770 (see Preface), it is NIST policy that the SI shall be used in all NIST publications. "
http://physics.nist.gov/Pubs/SP811/sec02.html -
Re:Because management is boring
What you are saying here isn't necessarily true. There are government research labs with government employees doing interesting and relevant scientific work. NIST and NRL are two that come to mind, and both have had somewhat recent Nobel winners. DARPA does manage a lot of contracts, but not every government/DoD lab does.
-
Re:Time Zones
[citation needed]
GreenwichMeanTime.com and this thread from WordReference.com
Then there is this page from the National Institute for Standards and Technology. To quote the first line from the question about what is 12 A.M. and 12 P.M.:
The answer is that the terms 12 a.m. and 12 p.m. are wrong and should not be used.
Satisfied?
-
Re:Yeesh.
and this reference in Oct 99
-
MathML
It's really a shame that mathml is so poorly supported in browsers. There's basically no practical, reasonable way to write a single xhtml page that will do something reasonable in most browsers and display inline mathml. Firefox requires the file to have extension .xhtml, and standards say to serve it as application/xhtml+xml; but if you do this, a default install of IE will display a file download dialog, with a warning that "some files can harm your computer." IE wants it served as text/html, and will only display the mathml if the user has installed the MathPlayer plugin. The MathPlayer plugin also implements mathml in a way that isn't standards-compliant. The bare minimum you really need is:
- The majority of users, who have IE with no plugin, should see some kind of graceful degradation.
- Firefox users should see the math displayed correctly.
- The tiny minority of users who have MathPlayer+IE should see the math displayed correctly.
-
Re:Yeesh.
Huh. At least 2001: http://cio.nist.gov/esd/emaildir/lists/opsftalk/msg00011.html
-
Re:Vulnerabilities galore!
A search for CVE identifiers related to Joomla returns 244 hits:
http://nvd.nist.gov/nvd.cfm
New exploits for the vulnerabilities are released several times per week:
http://milw0rm.com/search.php?dong=joomla
Sounds like really good quality stuff...
Notice that most of the vulnerabilities are for 3rd party add-ons or earlier versions...
Sounds like really good quality comment... -
Re:Vulnerabilities galore!
A search for CVE identifiers related to Joomla returns 244 hits:
http://nvd.nist.gov/nvd.cfm
And how many of those vulnerabilities relate to Joomla itself, or crappy third-party downloadable components? If you download and install crappy untrustworthy components, won't that compromise even the most secure system? -
Vulnerabilities galore!
A search for CVE identifiers related to Joomla returns 244 hits:
http://nvd.nist.gov/nvd.cfm
New exploits for the vulnerabilities are released several times per week:
http://milw0rm.com/search.php?dong=joomla
Sounds like really good quality stuff... -
Re:Idiots better get off their ass
Quick reply, since the slashdot story is already long stale :)
1. Admins would not have to keep the identity lists at the MTA up to date. The users do that themselves (their MUA interfaces with the MTA).
They'll already balk at just keeping any identity list for each user, let alone an updated one :) However, a filtering setup within a MUA is a kind of identity list already.
3. The individual definition of spam doesn't matter.
It does if you expect admins to do some filtering work for the users, it does if you expect lawyers to shut spammers down, etc. It only doesn't matter if you expect users to manage their own mail, but that's what many of them are complaining about in the first place. Many users don't want to even specify what they think is spam, but still expect others to get it right on their behalf ...
4. Identity theft would be a very small problem because a whitelist entry can of course be revoked at any time.
On the contrary it's a huge problem. There are millions of PCs hijacked for spam ("botnets") and credit card fraud, etc. Say you have a million hijacked mail identities, and each time you use one up over night, the next morning the user is conscientious (yeah right:) and replaces their identity. That still means you can spam one million nights with impunity, or half a million days and nights.
Every type of whitelisting scheme is vulnerable to this problem. The most practical defence is to ask ISPs to monitor their users' traffic, but in turn that requires a definition of what traffic is spam and what isn't. Since there's no common definition ...
5. Normal Mailing lists are a no-brainer. The list-serv has an identity, too. Whitelist that and you're good to go. Of course there remains the
Again, for a system which is supposed to solve the spam problem you're expecting too much work from users. They don't want to sit down and whitelist each new address they communicate with. It's a geek solution for people like us only ;-)
Last point: if you personally haven't tried a filter like POPFile or SpamBayes already, it's worth looking into it.
Personal trainable filters achieve around 99% false negatives (spam caught) with about 0.1% false positives (ham lost). These are real statistics from NIST.
Next, do the math: how many ham messages does a person get a day? Say 5-20. That means the number of legitimate messages lost in one year is between 1 and 8, and the number of spams getting through is about 1 in a hundred. Not too shabby.
-
Re:My Guess its at Netlib or at NIST
I was looking for some mathematical routines to port into Python and ended up poking around at http://www.netlib.org/ and http://www.nist.gov/ where there are huge repositories of mathematical functions, most written in Fortran.
One of the most interesting things after perusing much of the code I was looking for, was that instead of using integration routines for calculating things like Bessel functions, Hankel functions, and other differential equation related functions, they simply used look up tables and curve fitting.
BINGO! The math routines used to compute some special statistical functions in early versions of Excel, for example, area under the normal curve and its inverse, go back to Hastings approximations from the mid 50s. They are rational function approximations. I first saw them back in the 60s as cited in the National Bureau of Standards "Handbook of Mathematical Functions". People still use these approximations today. -
My Guess its at Netlib or at NIST
I was looking for some mathematical routines to port into Python and ended up poking around at http://www.netlib.org/ and http://www.nist.gov/ where there are huge repositories of mathematical functions, most written in Fortran.
One of the most interesting things after perusing much of the code I was looking for, was that instead of using integration routines for calculating things like Bessel functions, Hankel functions, and other differential equation related functions, they simply used look up tables and curve fitting.
I suppose in the 1960's that made perfect sense as computers were so slow. But even today, I don't know why I shouldn't do the same thing. With EM and circuit simulation software it's GIGO. There are so many parasitics to model, that you can only ever get an approximation anyway, so what difference does it make if you get a tiny error from a look up table, vs. the "exact" integration routine value? -
Interesting article, but confused definitions
The definitions used by the article for discretionary, mandatory and role-based access control are a bit confused. They mix up the type of control with mechanisms commonly used to implement them. To be fair, there are no standard definitions of them - or at least, there's more than one "standard" definition. However, having just completed a dissertation in which I attempted to define those things, allow me to offer them here.
Discretionary - a user has discretion to decide who has access to what. A common form of discretionary control is access control lists (ACLs), but capabilities are also discretionary. A big problem with discretionary control is the amount of work the user has to do to grant and revoke permissions to everything. This often leads to systems configured with too much permission - the opposite of principle of least privilege.
Mandatory - the system mandates who has access to what by enforcing a policy (a user may set the policy, but can't grant access outside of that policy). Mandatory systems can require less work to administer day-to-day, as authorisation has been automated. But it's often a lot of work to set good policies and are obviously less capable of dealing with things that fall outside of normal working practices. Common forms of mandatory control include label based systems like Bell-LaPadula or Biba (e.g. Top Secret: nuclear;projectX) and protection rings in CPUs.
Role-based (RBAC) - the permissions of a user are taken from their role or roles. Lots of people ask why this isn't the same as using groups and access control lists. You can implement bits of RBAC using groups and ACLs, but full RBAC is more abstract than this, and explicitly allows for greater control - like separation of duties. The current "standard" is the NIST RBAC definition (http://csrc.nist.gov/groups/SNS/rbac/)
Note that RBAC can be mandatory or discretionary - it doesn't say how the permissions are allocated to the roles, just how the user gets those permissions through the roles. -
Re:So...
Traditional CAD packages in the 1990's were built on top of Phigs and PEX, Phigs Extension to X.
Official specification
Other animation packages were built on top of proprietary API's like SGI GL and others. It was cheaper building an emulation layer mapping Phigs and SGI GL commands to OpenGL than to rewrite the applications altogether.
At present, the latest API is CUDA -
This already exists to a certain extent
in the National Vulnerability Database by NIST.. http://nvd.nist.gov/ and while yes, the acronym does look like some sort of STD, it's not. It covers oss and commercial products alike, and is perfectly free.
-
Re:Gibi = garbage
What is with idiots moderating up factually incorrect nonsense about gibi being "invented" by salesmen or wikipedia? It's an International Electrotechnical Commission (IEC) Technical Committee proposal. At best these posts are funny, trolls at worst.
Did you even read the page you linked? Here's an interesting bit (aha ha):
Historical context* Once upon a time, computer professionals noticed that 2^10 was very nearly equal to 1000 and started using the SI prefix "kilo" to mean 1024. That worked well enough for a decade or two because everybody who talked kilobytes knew that the term implied 1024 bytes. But, almost overnight a much more numerous "everybody" bought computers, and the trade computer professionals needed to talk to physicists and engineers and even to ordinary people, most of whom know that a kilometer is 1000 meters and a kilogram is 1000 grams.
So, basically you're wrong.
-
Re:Gibi = garbage
What is with idiots moderating up factually incorrect nonsense about gibi being "invented" by salesmen or wikipedia? It's an International Electrotechnical Commission (IEC) Technical Committee proposal. At best these posts are funny, trolls at worst.
-
Re:Read your references
Binary addressing makes sense for RAM, since there's a certain number of addressing lines and it would be a waste for some of the lines to not be fully used. But for hard drives (and flash drives) with 512-byte sectors, it does not make more sense than any other addressing scheme. My hard drive has (thanks to fdisk -l), 255 heads, 63 sectors/track, 3,648 cylinders, which gives 8,225,280 bytes per cylinder or a total of 30,005,821,440 bytes. Those are the logical numbers, not the physical ones, but that only helps my point; that a given mass-storage device's capacity is an arbitrary number of 512-byte sectors. In this case, I paid for 30,000,000,000 bytes and I got that and a little extra. So anybody's lawsuit should only be able to extract money for the difference between the stated number of gigabytes and some integer times 512 bytes (but this is moot, since they always add extra like in the case above).
Furthermore, for the past two thousand years, the Greek prefix giga has meant one billion. Just because we have binary computers doesn't mean we should change that for the purposes of lawsuits.
Lastly, you know damn well after reading the fine print on any mass storage device in the last 10 or 15 years that it says that when the listed capacity is x gigabytes, that means x * 1,000,000,000 bytes. And that fine print is on the outside of the box, so you know before you buy.
The National Institute of Standards has suggested that for the useful binary numbers (2^10, 2^20, 2^30), we use the different prefixes KiB, MiB and GiB to show that they refer to the binary versions. See NIST's recommendation on this.
I'm happy to buy my ram with capacity listed in GiBs and my hard drives with capacity listed in GB or GiB, but let's not confuse the two prefixes.
-
Re:50%?
they misrepresented the capacity of their products..
According to this http://physics.nist.gov/cuu/Units/binary.html page we 'should' really be using GiB, MiB, KiB etc instead of GB, MB and kB.
e.g.
one mebibyte 1 MiB = 2^20 B = 1 048 576 B
one megabyte 1 MB = 10^6 B = 1 000 000 B -
Re:Ughh.. again...
Yes, we do.
-
Ughh.. again...
G, M and K are SI units.
G = 10^9
M = 10^6
K = 10^3
Just because your industry decided to overload (and thus confuse) them, doesn't change the fact that they are SI units.
If you want them to be base 2, use the Gi, Mi, and Ki SI units. -
Re:Makes me nostalgic too
Just say 79 exabytes or even just 79 EB. News for nerds, ok? We didn't smoke our way through high school.
...
I just wish more people would take advantage of the fact that people on this site should have a basic understanding of things like SI prefixes
You didn't use them. Why would you take advantage of the fact that you merely assume people understand them when you yourself do not?
Anyways, you should read:
http://physics.nist.gov/cuu/Units/binary.html -
Re:What about quality of experts?
I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.
In larger corporations, especially where the regulatory environment is a driving factor, you might find that money isn't being thrown at security, but rather compliance. As ErichTheRed points out, there is no shortage of these silver bullets being purchased from executives who don't know better.
As someone who heads up an information risk program for a global financial firm, I've been fortunate enough to see the policy and technical control environment and observe where and why controls failed to prevent against security incidents. Having a company that came from a regulatory-driven security model (not unlike many), the assessments of the incidents have shown repeatedly that the alignment of a program in reaction to PCI, GLBA, HIPAA, SOX, etc. does not provide for a risk-optimized information security program. Yet business executives in many firms believe that the highest bar to be funded is that prescribed by external regulation. Compliance should be regarded as the lowest bar, not the highest, as it is by no means intended to fully address the realm of information risk and security.
The recent breach experienced by Hannaford is a good illustration of this problem. Hannaford was reportedly PCI compliant at the time of the breach, yet was using WEP to secure wireless in numerous cases. Elsewhere, there is too much reliance upon comprehensive common controls to compensate for lousy security at the application level. Hannaford execs are apparently "shocked" at the breach, yet were using a wireless security control a mediocre offsec analyst can break in 2-10 minutes. At the same time, I'm certain many firms have gone overboard on other controls (prospect theory tends to explain why so many of us over-treat the perceived likely risks and completely ignore the perceived improbable black swans that end up wiping us out). It's hard for us to make a case for security when we blow too much on some things and never see a threat test it out, and get clobbered on something we ignored.
The biggest problem I see is that the business executives see security as a product, not a process, and information risk and security people don't do a good enough job correcting that misconception. The lack of understanding risk optimization by InfoSec professionals is a real issue: we tend to overspend for the risk in some controls while neglecting others.
NIST SP800-37 prescribes creating safe applications in a sea of risk, yet many large firms pretend the oceans can be calmed if the right firewall or NIDS is deployed (think about what it tells you when NIDS is regarded as a control that *prevents* threats from exercising vulnerabilities by executives!).
The best results I've seen have come from a very close tie between the business unit management and information risk using financial language to communicate risk through an optimization approach. I'd suggest ISO 31000 or AS/NZS 4360 (Aussie/NZ standard) as a great starting place to talk about not being risk averse, as so many of us in InfoSec are, but taking the right risks. I certainly encourage people to be careful about probability models - read Taleb's "The Black Swan" for some clues on why you don't want to rely on Gaussian models for too much of your modeling.
Back to those regulations like PCI, I've found business execs understand the concept of "minimum baseline" when put in the context of a reserve requirement on credit portfolios. That regulatory requirement serves as the bottom line level, permitting the lending firm to select its own optimizing level of risk. Some may have offsetting efforts that -
Re:Bosses don't fear security breaches
Check out NIST: http://csrc.nist.gov/
They not only have standards to follow but also scripts that can check security configurations to tell you if you meet standards or not.
I know DHS gets mocked a lot but they are working with NIST to help harden computer systems. It's worth checking out. -
Re:Bridge Mode
Perhaps if we're worried about security issues, administrating a local copy of BIND isn't the greatest plan.
-
Security Fix
The only change over 4.9 is a security fix for an issue that allowed local users to hijack forwarded X sessions. The release notes criticize Debian devs for disclosing this publicly before trying to contact OpenSSH privately.
-
Re:The most rabid group.....
There is reason that people call Macs 100% secure and immune to any attempts at remote attack. It's because it's true. Linux has been breached, OpenBSD has had two remote root incidents. MacOS? Zero, zip, nada.
did you even click on the link for the nvd?
I'll say again - the biggest vulnerability that apple has is the huge bunch of users who believe they are invulnerable and that patches either don't exist or they are not worth applying.
Remember the month of apple bugs? Do you think that was a complete list without any other exploits being available?
You do believe that? Then you might be able to help my uncle move a huge amount of cash out of nigeria where he is falsely imprisoned. Please post your email address and we can continue directly.
-
Re:The most rabid group.....
Why should I? You started the unsubstantiated claims; YOU prove it. The original accusation was that windows is less secure than a mac, in spite of the recent stuff that's gone on with apple. You offer no proof and almost imply that it's self evident.
You made a completely unsubstantiated statement and I called BS with a similar amount of proof as you had.
I would put a fully patched XP against any fully patched linux with a default install, and I'd be quite interested in the result. I don't know vista personally but I'd expect it to be about the same. BTW if you don't patch anything then it's a stupid test - I'm not talking about making esoteric configuration, just get updated patches for the OS. These days the security comparisons are getting nitpicky. Both linux & Windows are pretty decent these days until you start putting applications on them. Apple tho ... well not so great. When it comes to apple - the fanboys themselves are the biggest vulnerability, they don't believe they NEED to patch.
Try looking here for some insight - and yes I know - there's a LOT of window, linux and BSD there too http://nvd.nist.gov/nvd.cfm
No OS is secure - Apple less so than some. The old claim that "apple is more secure" is turning out to be a modern version of The Emperor's New Clothes - only uttered by fanboys and the ignorant
Blast ... I wasn't going to offer evidence, oh well - the fanboys won't see any -
OOXML approved by NIST
Even though none of the substantial problems have been addressed, NIST has approved OOXML.
-
Hrm
Details on the latest examples
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0309 -
Re:Other than supposed security improvements...
no cloning principle are exactly right. You cannot read and then reemit a photon with the same polarization
Hmm. I think you meant you cannot read and reemit with 100% fidelity. http://www.icfo.es/images/publications/J05-055.pdf, "Quantum Cloning", Valerio Scarani, Sofyan Iblisdir, and Nicolas Gisin. This is a late 2005 review and of eavesdropping techniques for QKD. Much of the terminology of quantum physics is unfamiliar to me but I think the paper states that Eve could theoretically get 5/6 of the bits through cloning and to keep this from happening, Alice and Bob have to assume an eavesdropper if more than 11% of the bits have errors. When dealing with single photons, read errors will happen. There is also work at the University of Tokyo, the Japan Science and Technology Agency, and the University of York (Sam Braunstein and Akira Furusawa) on telecloning (combined quantum teleportation and quantum cloning) that I have a reference to an experiment done two years ago where they cloned 58% of the photons successfully out of a theoretical 66%.
Others have created quantum crypto systems that take the possibility of cloning into account, http://w3.antd.nist.gov/pubs/Mink-SPIE-One-Time-Pad-6244_22.pdf
'basic' quantum cryptography that is taught can be hacked
This is true but I think not for the reasons you believe. Basic quantum crypto provides confidentiality only. To keep from being hacked, you must provide authentication as well (Alice must be able to prove she is communicating with Bob and not Eve). I haven't heard of a way to do this without falling back onto more conventional cryptographic techniques such as RSA signatures - at least when doing quantum crypto over fiber. Maybe sending photons through the atmosphere means you can actually just see if somebody is acting as a man-in-the-middle. -
Re:Here's a solution for Norton and Microsoft.
Here's that link:
http://www.nsrl.nist.gov/RDS_Notes.htm -
Re:Time for the Government(s)?
Yes, I mean the US government has been so good at mandating the switchover of standards. I mean the Metric Conversion Act of 1975 worked flawlessly. The end of analogue TV in the US happened in 2006 exactly as the FCC mandated in 1997.
I do think the best thing the FCC did for the digital television switchover is to make the sales of analogue TVs illegal. The same should be done for IPv6. -
Re:Criminal prosecution?
A vendor telling you they use AES is completely and utterly worthless, and always has been. It's a nice buzzword people like to use.
No, it is a recognized encryption standard with enough strength to garner NSA approval for use in their systems. Products like this are the EXACT reason why the Cryptographic Module Validation Program (CMVP) was created by NIST and the CSEC to test modules for FIPS 140 compliance. The program/standard was designed to ensure that government agencies requiring cryptographic protection for sensitive data were getting what was being advertised. This means that the cryptography being used was actually the cryptography being advertised. There are also additional requirements that must be met, but those are not immediately pertinent to this discussion.
Every product that is properly validated under FIPS 140 must include an approved cryptographic function. One such option available for encryption is AES. AES is rather common with over 700 validated implementations. I do not think it is unreasonable to expect that something that says it is using AES based encryption actually be using it. If you are ever worried about whether or not something you want to use is actually correctly implementing AES, I guess you have two options: 1) use open-source applications/appliances and review the source yourself OR 2) look to see if the implementation was tested. -
Much Earlier Article on Xerox Systems
http://csrc.nist.gov/nissc/2000/proceedings/papers/034.pdf
Basically, 9 years ago we showed some remarkably embarrassing features in Xerox multifunction printer/copiers/faxes. Including SNMP access to plaintext passwords!
I wonder how many of these "features" are still there. -
Appears to be fixed in Ubuntu as of the 12th.
As per Synaptic...
---
Commit Log for Tue Feb 12 15:03:30 2008
Upgraded the following packages:
linux-headers-2.6.22-14 (2.6.22-14.51) to 2.6.22-14.52
linux-headers-2.6.22-14-generic (2.6.22-14.51) to 2.6.22-14.52
linux-image-2.6.22-14-generic (2.6.22-14.51) to 2.6.22-14.52
linux-libc-dev (2.6.22-14.51) to 2.6.22-14.52
---
linux-source-2.6.22 (2.6.22-14.52) gutsy-security; urgency=low
[Tim Gardner]
* splice: fix user pointer access in get_iovec_page_array()
(CVE-2008-0600)
- LP: #190587
-- Tim Gardner Mon, 11 Feb 2008 10:01:17 -0700
---
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0600 -
Key Management should be part of PKI
An "attack" like this could also originate from the inside, where an employee is terminated, etc., and refuses to give up the keys.
Just like a lock on a door, if properly implemented, in PKI keys can be replaced. Every organization that is serious about implementing a PKI should be just as serious about key management as it is a massively important component.
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf -
Re:Slashdotted
The ability to back-up headers makes this software great for businesses or governments
I think a small business or home based business where everyone is on board that WDE is a good thing could get away with using Truecrypt's WDE feature. Unfortunately it is not ready for any government agency, nor any business of significant size. Several problems exist:
- Anybody with admin rights to the machine can remove the FDE (And even though the FDCC guidelines (Which all government agencies are supposed to follow and implement as of Jan 31, 2008 (yea right)) say this is a no-no, all it takes is someone, somewhere to sign off saying "We allow local admin rights because: " and voilà! Admin rights.)
- No support for two factor authentication.
- No support for the "I forgot my password" syndrome beyond saying: Here is a rescue CD, and here is the password, and have fun! Commercial products allow for a challenge-response one time login/password change request.
- No support for multiple users to log in to the laptop (Ties into the point above).
- No support for policies (Password length/complexity, time restrictions, that sort of thing)
- No support for automatic updates (which I guess is a moot point because of the above issue)
- No support for automatically updating the header files (Needed when the user changes password, a new user is given rights to the machine, etc.)
- And the biggest one: Truecrypt would need to have a champion at the highest levels before it has a chance of being deployed.
In short, it is close to being useful beyond the SOHO market, but not quite there. Reading through their todo's I see that they are going to be addressing some of these issues, and I suspect that with enough constructive input, they will eventually meet the other requirements as well.
-
Re:Let me explain
Sorry to say this but the attack overrides the modem's password, the attack from Gusanito and similar attacks (i.e. El Universal) probes with different common 2WIRE router addresses to get to the MDC. Fortunately it is not that elaborate... This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
The UNAM-CERT also has the "Gusanito" exploit documented (Spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
The attack overrides the modem's password... -
Re:Biggest Mexican Bank?
Well, yes, it is Banamex. This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
The UNAM-CERT also has the "Gusanito" exploit documented (Spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
The attack overrides the modem's password... -
USB 2.0 to IDE/SATA and Media Sanitization
I've had great luck with the Sabrent USB 2.0 to IDE/SATA adapter kit for connecting my PC to old hard drives for backup. It was so nice to avoid shutting down my system, opening my case, connecting drives and booting back up again and again. Even on a work bench without a case it's a pain and a half to reboot each time. With this kit all you have to do is disconnect the device via the task tray icon then unplug it. Plug the next one back in and you are good to go.
Before disposing of the drives it's also a good idea to sanitize the media. A good guide is NIST's SP 800-88 Revision 1 Guidelines for Media Sanitization which will give you more than enough detail on how to securely dispose of those drives.
-
Re:Looking good, too bad the press didn't understa
Even those who historically have criticized "security through obscurity" never suggested that publishing their design or secrets would lead to better security
You're wrong about that. For example, NIST, a US government standards agency, is calling for proposals for a new cryptographic algorithm for government use. Their specification requires that it be publicly disclosed (and royalty free, too). This is so that they don't pick a weak algorithm. They want any known or theoretical problems to be pointed out to them. Most certainly NSA participates in building that sort of specification.
Bruce
-
Re:Simple = Better
This is why that doesn't work (in general) in the United States.
http://vote.nist.gov/ballots/il_chicago_20041102_01.pdf
One ballot = 90 contests.