Domain: nist.gov
Stories and comments across the archive that link to nist.gov.
Comments · 1,805
-
OpenSSL is FIPS 140-2 validated
OpenSSL is FIPS 140-2 validated:
http://csrc.nist.gov/cryptval/140-1/1401val2006.htm
Look for # 642
This was (is) the first case of open source software being validated, as opposed to a specific product.
It is important to note that FIPS 140-2 validation simply proves that the cryptographic algorithms (the math) have been implemented correctly; it does not necessarily mean that the system actually works as advertised.
Also, if you are a government type or contractor, make sure the vendor supplied product actually uses the version that received accreditation. Many times, that was an older version, but the marketing types keep (falsely) stating that the product is FIPS certified!!! -
Re:Yet Another Band-Aid?
If you want to be extra paranoid, then I would suggest using and modifying these templates to suit your needs. http://csrc.nist.gov/itsec/guidance_WinXP.html
It is what I currently use on my laptop and I haven't had any problems since I implemented it over two months ago. Also, if you want to install stuff, there's a sudo program for windows http://home.toadlife.net/winsudo/ that you might want to check out.
-
Re:How do Google do their queries?
Behind virtually every keyword retrieval system is some form of an inverted word index. You first probe the index using the search term. By chopping the index up into pieces (for example one piece for each letter of the alphabet) and replicating each piece across a large number of machines, you can massively parallelize this lookup. The inverted index returns a list of document identifiers (URLs) containing the keyword, probably pre-sorted in descending Page rank. If you provide multiple keywords, you need to compute the intersection of these lists.
-
Other algorithms have been around...
The guy must have invented something absolutely bloody amazing. I mean, it's not like similar technology hasn't been around for ages now (check contributions to the TREC (http://trec.nist.gov/) conferences). Some of the submissions reach a level of sophistication Google can only dream of. And the algorithms are published.
So, what's up with this "Orion" thing? What insanely great insight into language processing can a CS student have that whole teams of experts still didn't get? -
TuneLab
The only software I use is TuneLab Pro and TuneLab Pocket (for Pocket PC) available at http://www.tunelab-world.com/. Trial versions are available, and may work for you. I have heard that some professional piano tuners use this on a laptop. The program lets you calibrate to the tones produced by NIST on WWV or WWVH and their telephone line (303) 499-7111. See http://tf.nist.gov/stations/iform.html for more info.
-
Re:List of Affected Products:
Well I'm not sure about the others, but the nist servers are okay for anyone to use. That's what they're there for.
http://tf.nist.gov/timefreq/service/its.htm
and their server list: (which time-b.nist.gov is listed on.)
http://tf.nist.gov/timefreq/service/time-servers.html
I'm using time-b.nist.gov to set my clocks here. -
Re:List of Affected Products:
Barring a request from the operators of the named sites I would think it is perfectly legal to target any publicly available service. Now, that's not saying it's good etiquette. It's not, but it IS, and should be, legal. Btw time.nist.gov is perfectly acceptable as that is one of the mandates of NIST, see here.
-
Re:Astonishing manotech!
I mean, we all know what a kilobyte is.
Of course we do, it's 1000 bytes. Stop pretending you didn't learn SI prefixes at school just because you're in the US.
Now that units have finally been standardised between data transmission (which has always been using kb) and data storage (which has always been using kib) so that we can finally make the difference between both, you have to moan because you have to learn one ridiculous tidbit of information?
Or are you still using GWBASIC because "I know what that is and it's good enough for me"? -
Re:It's time....
I have a relative that works at the NSA in the Information Assurance/Threat Assessment area, and both of his machines (both classified and non) are Macs running OS X (not sure what version, hopefully Tiger).
For excellent security guides, there is a NIST guide to securing XP, and an NSA guide for securing Mac OS X. -
Re:Legislation Needed?
I work on an air force base, and not only is IE the standard, but Firefox is on the list of unapproved apps. so if you're caught using it via the monthly scans, you're forced to uninstall it.
Cute. The government appears to be pretty stupid about security. Let's subpoena Google and let them spy on the people for us, yet the DOE and other government agencies typically get Ds or Fs when it comes to security. Proof that they are confused:
http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem
OS X 10.3.6 is listed EAL 3, but Win 2000, 2003, and XP are EAL 4? No mainstream UNIX systems are listed.
I don't know much about security accreditation nowadays (FIPS, EAL, and others). All I know is that I know my systems and my own privacy are much more secure by staying away from Microsoft software. I've never had a compromise, virus, spyware, malware, or anything on any of my Linux, Solaris, or OS X since 1994. I did get a virus from a floppy that a roommate brought from a computer lab on Windows 3.11 back in the day (Monkey boot sector virus). -
Re:Why is bandwidth measured in Kb
Base 2 units make more sense, as your software and RAM use them for measurements, and the disk size inherently is based on a power of two. 80 GB gets put on the box though because it's a larger number.
No they don't. Using the same prefixes to mean the same things for distance, weight, volume, current, power, time, and most other derived units, and using the same one to mean something different for storage, data transmission rates, and binary addressable storage, especially when there's a valid alternative makes no sense at all. -
Re:Larry Silverstein did say it.
A few floors collapsed, yes. But the buildings did not. The force of a floor falling on the floor beneath it should not generally be enough to bring the lower floor down.
One floor falling on a lower floor, perhaps. But what about scores of floors? Each floor that collapses would produce additional momentum. There's also the damage caused from the jetliner to consider here for WTC1 and 2, or the falling debris on WTC7.
See this well done presentation.
Think about it: the floors have been holding that weight up for decades.
That's a statement about mostly statics that is meaningless for this argument. They held up floors for decades, but without the dynamics of significant structural damage, fire, etc.
A jet fuel fire is no hotter than any other hydrocarbon fire that reaches its maximum possible temperature.
Under ideal lab conditions, sure -- but we're comparing something that is intended to ignite and burn (fuel) with a random assortment of office equipment that would likely include fire retardants in the carpet, wiring, etc. These are things that are not intended to ignite, let alone burn for long periods of time.
Can you provide evidence that any of those previous building fires burned at the same temperature and for the same amount of time as a large jet fuel fire?
And even if they did, there's still the pesky problem of the massive amount of variables involved in each of these cases. I'll say it again, just because it didn't manage to fully collapse in a handful of previous cases involving different buildings and far different conditions, doesn't mean it is impossible or even unlikely.
There's simply no way the jet fuel was still burning weeks later when they were still finding pools of molten metal.
Assuming a few eyewitness accounts of pools of molten metal are true, what melted them? And what kept them in a liquid state for these eyewitnesses? Planted explosive charges in the basement? Seems like that would have cooled off quickly.
Was steel the only metal at WTC? What about Aluminum, yaknow, from the planes? Al melts at ~1200F. Can these eyewitnesses visually tell different pools of molten metal apart?
Or couldn't they have meant melted steel?
Or perhaps it was glass. Some glass melts as low as 900F.
And where are the pictures of the molten metal?
The steel didn't need to melt for the towers to collapse. I'm sure you've seen it, but here's the link to the Scientific American debunking anyway.
Extraordinary claims require extraordinary proof. And so far, the "official" version of events has far better evidence. -
Old axiom...
There's an old axiom (or saying or whatever) "I want to work in theory, because everything works in theory" Which applied to MS programming mentality seems to hold true. I mean for fuck's sake, in order to even remotely secure my system I had to apply NIST (http://csrc.nist.gov/itsec/guidance_WinXP.html) security profiles and stuff to lockdown my XP installation. So far, no viruses or spyware, but I have everything cranked up to extra paranoid.
-
Re:Cultural Ignorance? Blinkers? Racism?
Maybe because so many of them have all the authority of a programming patent? There is significant prior art to invalidate the claims of the article. Here are some examples:
20 Medieval Europe had kitchen and herb gardens, but it was the Arabs who developed the idea of the garden as a place of beauty and meditation. The first royal pleasure gardens in Europe were opened in 11th-century Muslim Spain. Flowers which originated in Muslim gardens include the carnation and the tulip.
Prior art:
1. hanging gardens of Babylon, one of the 7 wonders of the Ancient world. Persians were Zoroastrians, not Muslim, as it had not been invented yet.
2. japan: http://web-japan.org/factsheet/gardens/ancient.html, 593
3. egypt: http://en.wikipedia.org/wiki/History_of_gardens, 2500 BC.
18 By the 9th century, many Muslim scholars took it for granted that the Earth was a sphere. The proof, said astronomer Ibn Hazm, "is that the Sun is always vertical to a particular spot on Earth". It was 500 years before that realisation dawned on Galileo. The calculations of Muslim astronomers were so accurate that in the 9th century they reckoned the Earth's circumference to be 40,253.4km - less than 200km out. The scholar al-Idrisi took a globe depicting the world to the court of King Roger of Sicily in 1139.
1. Greek: It is commonly assumed that people from early antiquity generally believed the world was flat, but by the time of Pliny the Elder (1st century) its spherical shape was generally acknowledged. (http://en.wikipedia.org/wiki/Flat_Earth)
2. China: 200ad http://www.chinahistoryforum.com/index.php?showtopic=5667
The crank-shaft is a device which translates rotary into linear motion and is central to much of the machinery in the modern world, not least the internal combustion engine. One of the most important mechanical inventions in the history of humankind, it was created by an ingenious Muslim engineer called al-Jazari to raise water for irrigation.
1. China: 200 AD, mechanical clock, http://physics.nist.gov/GenInt/Time/early.html, peak 1088 CE
2. Egypt, 2nd century. http://www.history-science-technology.com/Notes/Notes%202.htm. Al-Jazari's pump is a refinement by adding a waterwheel.
One invention is not an invention at all, it is a refinement of earlier soaps. The addition of scents seems to be the "invention" here.
So, there you go, a solid historical look at some of the inventions listed here, which show there is some serious bunk there.
BTW, can you list a recent, like last 100 years, invention? The site is down, wondering if one is there. -
Re:1 petabyte = 1000 terabytes, not 1024.
-
Re:From memory
For those as clueless as I was...
Zipf's law
The probability of occurrence of words or other items starts high and tapers off. Thus, a few occur very often while many others occur rarely.
Note: In the English language words like "and," "the," "to," and "of" occur often while words like "undeniable" are rare. This law applies to words in human or computer languages, operating system calls, colors in images, etc., and is the basis of many (if not, all!) compression approaches.
More precisely it is the observation that frequency of occurrence of some event (P), as a function of the rank (i) when the rank is determined by the above frequency of occurrence, is a power-law function P(i) ~ 1/i^a with the exponent a close to unity (1).
Named for Harvard linguistic professor George Kingsley Zipf.
http://www.nist.gov/dads/HTML/zipfslaw.html
http://planetmath.org/encyclopedia/ZipfsLaw.html
http://www.nslij-genetics.org/wli/zipf/ -
binary prefixes
The submitter and editors need to learn their numeric prefixes. Come on! This web site is supposed to be for people who understand computer technology!
A petabyte == 1000 terabytes
A pebibyte == 1024 terabytes
Please see the NIST definition page:
http://physics.nist.gov/cuu/Units/binary.html -
Hardcore Security
The Open Source model does not typically conform to the requirements for getting a high rating (Evaluation Assurance Level 4 or higher) for Common Criteria (http://niap.nist.gov/cc-scheme/). Note that it could, but typically FOSS projects do not have this kind of rigor.
A rating of EAL 4 is a typical benchmark that NATO governments use for "low threat" environments.
-
Not very expensive...
That lease price is probably per year and a year is approximately 31556909 seconds.
Assuming a US trillion (1E12), gives 59E12 operations per second, or about 1.86E21 operations per year. That is about 62E12 operations per dollar. There will probably be some (rather significant) additional costs to run and cool the beast... -
How about using expect?
If you don't like what's provided by your ssh client, how about wrapping a windows commandline ssh client like putty with Expect?
http://expect.nist.gov/ for Expect and some usage examples
http://tcl.activestate.com/ for Expect for Windows
Just define all the convenience functions you need as simple expect scripts and don't look back. If you like GUIs add some trivial Tk code. -
Re:What standard should they be held to?
That is a good question. Some financial institutions closely align themselves with NIST standards. The NIST standards are generally better than much of the home-brewed stuff coming out of some of these places. (I think they may have led to this direction since much of GLB discusses agencies, and the agencies tend to use the NIST standards.) Having said this, the standards that are applied often have a lot to do with who audits the financial institution. Some seem to be more rigorous than others. http://csrc.nist.gov/publications/nistpubs/
-
AFM
I work with an AFM, and it's a very temperamental machine. The tips are SO delicate, if you look at them wrong, they break and are useless ($10 down the drain). They can only be used once.
It's a slow process finding the resonance frequency, using the slow piezos to move the tip to the near field, and slowly scanning the area. One of the advantages of AFM is that it can be done on completely wet samples.
There's another technology called NSOM that does much the same thing. Many NSOMs are custom made. We use a Scanning Electron Microscope to check the tips we make to see if they are suitable. Tips are made by slowly stretching a glass wire under high temperature until they break, giving you 2 NSOM tips.
Neat stuff. -
Re:Cart before the horse
> This card is supposed to contain fingerprints as an important part of ensuring a person's ID, but as far as I know there is NO federal standard for matching/comparing fingerprints.
There's no mandated matching algorithm, but there are minimum performance requirements for fingerprint authenticators before they can be certified. See NIST SP 800-76 [PDF] for details.
-
Project website
For those seeking to follow the actual PIV program for federal employees/contractors, check out their home page.
-
Re:Bad Googler! BAD!!
You must not be too handy at Googling.
kelvin-hertz relationship (physics.nist.gov)
Maybe you'd prefer a Pittsburgh (PA)-based acid jazz DJ Kelvin Hertz -
Re:I assume....
DES is allowed for a limited time when used to communicate with *legacy* systems.
http://csrc.nist.gov/cryptval/DESTranPlan.pdf
Skipjack is still approved, and I believe there is nothing announced about the security of it. -
Re:No FIPS AES? I noticed that too...
Mike Nash made a snide remark that "I should also note that in contrast to the existing AES implementations that have not been through an evaluation, we plan to get our implementation evaluated to meet FIPS guidelines and requirements." Might have been true when he said it, but it's no longer true. OpenSSL completed its FIPS 140-2 approval earlier this month. See http://www.linuxelectrons.com/article.php/20060122164238268 for an article about it; the approval (certificate #626) should be posted at http://csrc.nist.gov/cryptval/140-1/1401val2006.htm before too long. -
Wait, I thought there WAS a version of FIPS AES...
Hmmm...it looks like Microsoft coughed up FIPS AES into Win2K3sp1, though it still isn't in SSL. (http://csrc.nist.gov/cryptval/aes/aesval.html - #290)
-
Re:I assume....
Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC. If you allow anything else to be used, it is not "FIPS compliant".
Could you cite your sources? From what I can tell, the FIPS 140-2 list of Approved Security Functions includes AES, and Triple-DES, as well as (curiously) DES and Skipjack[1].
For AES, the ciphers can be operated in the ECB, CBC, CFB, OFB, CTR, CMAC, and CCM modes of operation.
Approved hash functions include SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Keyed hashing must be done using HMAC, but you can use various DES MACs, as well as CCM mode, for message authentication.
Interestingly, what this basically means is that FIPS 140-2 compliance does not imply that your system is secure. All it means is that the government can use it.
[1] Can somebody please check this? I vaguely remember DES and Skipjack being withdrawn, but I can't find the documentation for that.
-
security vs defects, what to fix?
I am curious how this would compare to the costs incurred due to defects in software. Back in 2002, NIST reported "Software bugs, or errors, are so prevalent and so detrimental that they cost the U.S. economy an estimated $59.5 billion annually":
http://www.nist.gov/public_affairs/releases/n02-10.htm
Has anyone seen an update to this report?
With limited resources, organizations need to choose between fixing security problems or fixing other types of defects in their software. -
Re:Gb or GB?
[watches] where the maker claims 100M water resistant, but this is a ploy, since the 100M does not mean 100m...
Since "M" is not an SI unit, I don't see how "knowing your SI units" will help in any way. And, after doing some googling, I think you're wrong. In every watch ad I can find "100M" means "100 meters" even though "M" is capitalized. Care to provide a link supporting your statement? -
Re:Gb or GB?
Yup, saw that too...
But then everyone (including you probably) also seems to confuse gibibytes and gigabytes anyway.
Slightly off topic:
It's similar to the markings on watches where the maker claims 100M water resistant, but this is a ploy, since the 100M does not mean 100m and the measurement only indicates 'safe to bath'. Most buyers don't know this and this confusion has also spread to other cheaper manufacturers...
Grr. Know your SI units and you can't get fooled! -
NIST Quick Reference on CD storage
http://www.itl.nist.gov/div895/carefordisc/disccare.html
I label cases now for my archive, instead of the discs themselves. -
Video search/indexing research
Truveo's real accomplishment is their crawler. While this particular site does not do anything that much outside of metadata indexing, there is research currently being done toward effective non-metadata indexing of video content. For one major group of researchers, see the NIST-run TRECVID conference.
-
NIST wrote a research paper on this topic
NIST has a published research paper (pdf) discussing how exposure to light and "harsh conditions" affects longevity. NIST also produces a guide for librarians and archivists (pdf) for the handling and storage of CD/DVD media.
Finally, some have claimed that the glue on the sticky labels might affect the longevity of the dye in the disc, presumably by leaching through the thin top coating of polymer. Search for "glue" in that story, it's half way down or so.
-
NIST Study
http://www.itl.nist.gov/div895/gipwog/StabilityStudy.pdf
NIST did a study that shows up to 30+ years of longevity that is totally dependent on handling and storage.
-
Never underestimate the power of a high schooler
I went to a Magnet high school (http://mbhs.edu/departments/magnet/) (a public school that takes in the top 100 students from the county to teach them an advanced curriculum) and part of the requirements for earning a Magnet diploma was to do a Senior Research Project (SRP) that sounds very much like ASR. To find a mentor (I wanted to do theoretical computer science, I had done some independent research on graph theory in my own time) I emailed a professor at the University of Maryland and worked over my 11th grade summer with him. I came up with a result, not important enough to get published, but it won me this award: http://www.sciserv.org/sts/64sts/Forbes.asp and got me into MIT.
For advanced topics such as cryptography the best bet is the local university. There are also a bunch of government facilities out there that do research. Some of the best places (mostly in the DC area, however) are the NSA (http://www.nsa.gov/careers/students_1.cfm) and NIST (http://csrc.nist.gov/) (NIST can offer housing, btw). There is also a great program for high school juniors at MIT or Caltech (no cost): http://www.cee.org/rsi/index.shtml .
Just to show that high-school cryptography research is possible: http://www.sciserv.org/sts/60sts/Dunn.asp . This guy is the older brother of one of my friends (both who went to the same high school program as I) and I believe he did his research at NIST.
-Michael Forbes
-
Re:Not degrees
Bull honkey.
A derived unit is usually singular in English, for example, the value 3 m^2 K/W is usually spelled out as "three square meter kelvin per watt," and the value 3 C m^2/V is usually spelled out as "three coulomb meter squared per volt." However, a "single" unit may be plural; for example, the value 5 kPa is spelled out as "five kilopascals," although "five kilopascal" is acceptable. If in such a single-unit case the number is less than one, the unit is always singular when spelled out; for example, 0.5 kPa is spelled out as "five-tenths kilopascal." -
Re:RIM
You make several good points. As I said, I'm not fully familiar with all of the advanced technical details of the system (I worked in Marketing). My guess is that this story is blown a wee bit out of proportion, or someone just got a bit sloppy on implementation or something along those lines. I would be genuinely surprised if someone seriously dropped the ball on this.. it just isn't how BlackBerry does business. (Although they do seem to be a bit more "push it out the door" than they may have been two years ago when I worked there.)
My original point (if you take out the negativity focussed at the parent) was that this stuff happens in software and I'm sure it will get fixed soon.
Just to follow up on your other point -- BlackBerry is held by governments and independent auditors as being ridiculously secure. It is one of if not the only wireless email solution that is FIPS-140 certified, amongst its other security certifications.
http://www.blackberry.net/products/software/server/groupwise/security.shtml is my source and a good starting point to read more about BlackBerry security. This page is far too buried on the site if you ask me...
Have a good one. -
Re:WWV
I got a recording of it too. During the leap second, there was no tick, and the digital time code had a binary zero in it.
-
Re: Shhh
-
Re:The problem is...
The author of the cited article did indeed have a problem with units and their interpretation (understanding). For example "km/second" should be km/s (at least there is no "kph"), or "tons/cm2" should be t/cm^2. Anyway, the author also neglected to mention the thickness of the material. A km thick layer of paper will stop a bullet, too.
http://physics.nist.gov/cuu/Units/
http://ts.nist.gov/ts/htdocs/200/202/metrsty3.htm
http://www.metric4us.com/ -