Slashdot Mirror

fibonacci2000 writes "From the NIST website: 'This effort is a first step in being able to trace software from the vendor through the accreditation process to the states and other purchasers of voting systems. Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors.'"

Nightshade queries: "I work for a department in a big financial company that uses equal amounts of C++ and Java. For a variety of reasons, we've decided that Java is the future of the group because of all the benefits of the language (it's so easy to use compared to C++, we can use Eclipse, Ant, jUnit, etc). The problem is that we do a lot of numerical computing and Java has no operator overloading! Languages like C# have operator overloading and because of this company's like CenterSpace have popped up with some nice looking numerical libraries. Try to find numerical packages for Java and it'll be pretty tough. What have people done in terms of numerical computing in Java? We currently use the Jama and Colt libraries for matrices and complex numbers, but these have awkward interfaces without operator overloading and are incomplete (no support for things like symmetric matrices) so we're looking for better solutions. So should we bite the bullet and switch to C#? Should we use a pre-processor like JFront? What have other people done?"

Joseph_Daniel_Zukige writes "I'm still trying to figure out who is doing what here. It looks like the typical bureaucratic mess, but it looks like NIST, operating under the Help America Vote Act has set up a Technical Guidelines Development Committee to advise the 'independent bipartisan' United States Election Assistance Commission. So, the TGDC is going to hold some public hearings, and they've invited members of the public to help them out: 'One hour will be reserved at the conclusion of each day for members of the public to provide up to five minutes of testimony.'" Read more below, including how to register (today is the deadline) for the meetings, which will take place in central Maryland later this month. Update: 09/15 18:04 GMT by T : Irvu writes "You can submit online comments to NIST's Technical Guidelines process. The link is here. Just click on the link marked 'Submit Comments or Position Statements.' Alternately you can e-mail your comments to vote@nist.gov."

Joseph_Daniel_Zukige continues "I can't make it. (Very long drive across a very deep ocean, or plane tickets I can't afford.) Twelve people per session is not going to allow a lot of people to testify. I'm sure Microsoft has someone going to sell a MSWxx based voting machine. I hope somebody from the EFF is going. Think it would be possible to pack this thing with enough Slashdot geeks to convince the government at least that electronic voting absolutely requires a human-readable ballot to be produced?" The meetings are taking place on the 20th through 22nd of this month; you have only until 5 p.m. today to register, though. From the linked PDF: "The meetings will be held at the National Institute of Standards and Technology North Campus, 820 West Diamond Avenue, Room 152, Gaithersburg, MD."

Joseph_Daniel_Zukige writes "I'm still trying to figure out who is doing what here. It looks like the typical bureaucratic mess, but it looks like NIST, operating under the Help America Vote Act has set up a Technical Guidelines Development Committee to advise the 'independent bipartisan' United States Election Assistance Commission. So, the TGDC is going to hold some public hearings, and they've invited members of the public to help them out: 'One hour will be reserved at the conclusion of each day for members of the public to provide up to five minutes of testimony.'" Read more below, including how to register (today is the deadline) for the meetings, which will take place in central Maryland later this month. Update: 09/15 18:04 GMT by T : Irvu writes "You can submit online comments to NIST's Technical Guidelines process. The link is here. Just click on the link marked 'Submit Comments or Position Statements.' Alternately you can e-mail your comments to vote@nist.gov."

Joseph_Daniel_Zukige continues "I can't make it. (Very long drive across a very deep ocean, or plane tickets I can't afford.) Twelve people per session is not going to allow a lot of people to testify. I'm sure Microsoft has someone going to sell a MSWxx based voting machine. I hope somebody from the EFF is going. Think it would be possible to pack this thing with enough Slashdot geeks to convince the government at least that electronic voting absolutely requires a human-readable ballot to be produced?" The meetings are taking place on the 20th through 22nd of this month; you have only until 5 p.m. today to register, though. From the linked PDF: "The meetings will be held at the National Institute of Standards and Technology North Campus, 820 West Diamond Avenue, Room 152, Gaithersburg, MD."

Joseph_Daniel_Zukige writes "I'm still trying to figure out who is doing what here. It looks like the typical bureaucratic mess, but it looks like NIST, operating under the Help America Vote Act has set up a Technical Guidelines Development Committee to advise the 'independent bipartisan' United States Election Assistance Commission. So, the TGDC is going to hold some public hearings, and they've invited members of the public to help them out: 'One hour will be reserved at the conclusion of each day for members of the public to provide up to five minutes of testimony.'" Read more below, including how to register (today is the deadline) for the meetings, which will take place in central Maryland later this month. Update: 09/15 18:04 GMT by T : Irvu writes "You can submit online comments to NIST's Technical Guidelines process. The link is here. Just click on the link marked 'Submit Comments or Position Statements.' Alternately you can e-mail your comments to vote@nist.gov."

Joseph_Daniel_Zukige continues "I can't make it. (Very long drive across a very deep ocean, or plane tickets I can't afford.) Twelve people per session is not going to allow a lot of people to testify. I'm sure Microsoft has someone going to sell a MSWxx based voting machine. I hope somebody from the EFF is going. Think it would be possible to pack this thing with enough Slashdot geeks to convince the government at least that electronic voting absolutely requires a human-readable ballot to be produced?" The meetings are taking place on the 20th through 22nd of this month; you have only until 5 p.m. today to register, though. From the linked PDF: "The meetings will be held at the National Institute of Standards and Technology North Campus, 820 West Diamond Avenue, Room 152, Gaithersburg, MD."

Joseph_Daniel_Zukige writes "I'm still trying to figure out who is doing what here. It looks like the typical bureaucratic mess, but it looks like NIST, operating under the Help America Vote Act has set up a Technical Guidelines Development Committee to advise the 'independent bipartisan' United States Election Assistance Commission. So, the TGDC is going to hold some public hearings, and they've invited members of the public to help them out: 'One hour will be reserved at the conclusion of each day for members of the public to provide up to five minutes of testimony.'" Read more below, including how to register (today is the deadline) for the meetings, which will take place in central Maryland later this month. Update: 09/15 18:04 GMT by T : Irvu writes "You can submit online comments to NIST's Technical Guidelines process. The link is here. Just click on the link marked 'Submit Comments or Position Statements.' Alternately you can e-mail your comments to vote@nist.gov."

Joseph_Daniel_Zukige continues "I can't make it. (Very long drive across a very deep ocean, or plane tickets I can't afford.) Twelve people per session is not going to allow a lot of people to testify. I'm sure Microsoft has someone going to sell a MSWxx based voting machine. I hope somebody from the EFF is going. Think it would be possible to pack this thing with enough Slashdot geeks to convince the government at least that electronic voting absolutely requires a human-readable ballot to be produced?" The meetings are taking place on the 20th through 22nd of this month; you have only until 5 p.m. today to register, though. From the linked PDF: "The meetings will be held at the National Institute of Standards and Technology North Campus, 820 West Diamond Avenue, Room 152, Gaithersburg, MD."

Joseph_Daniel_Zukige writes "I'm still trying to figure out who is doing what here. It looks like the typical bureaucratic mess, but it looks like NIST, operating under the Help America Vote Act has set up a Technical Guidelines Development Committee to advise the 'independent bipartisan' United States Election Assistance Commission. So, the TGDC is going to hold some public hearings, and they've invited members of the public to help them out: 'One hour will be reserved at the conclusion of each day for members of the public to provide up to five minutes of testimony.'" Read more below, including how to register (today is the deadline) for the meetings, which will take place in central Maryland later this month. Update: 09/15 18:04 GMT by T : Irvu writes "You can submit online comments to NIST's Technical Guidelines process. The link is here. Just click on the link marked 'Submit Comments or Position Statements.' Alternately you can e-mail your comments to vote@nist.gov."

Joseph_Daniel_Zukige continues "I can't make it. (Very long drive across a very deep ocean, or plane tickets I can't afford.) Twelve people per session is not going to allow a lot of people to testify. I'm sure Microsoft has someone going to sell a MSWxx based voting machine. I hope somebody from the EFF is going. Think it would be possible to pack this thing with enough Slashdot geeks to convince the government at least that electronic voting absolutely requires a human-readable ballot to be produced?" The meetings are taking place on the 20th through 22nd of this month; you have only until 5 p.m. today to register, though. From the linked PDF: "The meetings will be held at the National Institute of Standards and Technology North Campus, 820 West Diamond Avenue, Room 152, Gaithersburg, MD."

grumling writes "The heart of a minuscule atomic clock, believed to be 100 times smaller than any other atomic clock has been demonstrated by scientists at the Commerce Department's National Institute of Standards and Technology (NIST), opening the door to atomically precise timekeeping in portable, battery-powered devices for secure wireless communications, more precise navigation and other applications. "

SeaDour writes "From the National Institute of Standards and Technology (the people who brought you the atomic clock) and the Unviersity of Colorado at Boulder (location of the world's first Bose-Einstein Condensate and Fermionic Condensate) comes the world's first observation of atoms "flying in formation". Atoms are normally expected to fly around through empty space quite haphazardly, constantly colliding with one another. But thanks to precision laser pulses and extremely cold temperatures, Jun Ye's team was able to correograph strontium atoms into the shape of a cube as they travelled across a vacuum chamber. "This 'really bizarre' behavior is believed to occur with all atoms under similar conditions.""

Mr. Manometer writes "With little fan-fare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques with is a good thing." Some would argue that DES has been insufficient for some time now.

Mr. Manometer writes "With little fan-fare, NIST proposed yesterday to withdraw the Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) with a Federal Register notice (pdf). NIST is encouraging federal agencies to use the Advanced Encryption Standard (AES) instead since they feel that DES is 'now vulnerable to key exhaustion using massive parallel computations.' We all knew this day would come as computers got faster & cheaper... and this should put more pressure on folks to use stronger encryption techniques with is a good thing." Some would argue that DES has been insufficient for some time now.

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

routerwhore writes "NIST Special Publication 800-68 (zip file) has been created to assist IT professionals, in particularly Windows XP system administrators and information security personnel, in effectively securing Windows XP systems. It discusses Windows XP and various application security settings in technical detail."

Dozix007 writes "IEEE has approved a new wireless security protocol dubbed 802.11i, intended to finally provide sufficient security for wireless connections that users don't need to rely on alternate security layers. The new specification works by using AES encryption in the transceiver itself, encrypting data directly at the level just above the actual radio pulses themselves. That makes it transparent for applications sending data through the radio, so legacy programs running on new 802.11i-compliant hardware will automatically get the benefits of the new protocol without the need for modification."

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

Ryan Barrett writes "Groove Networks has announced that their P2P infrastructure will power the Homeland Security Information Network, an initiative to increase information sharing between federal, state, and local intelligence agencies. (The initiative doesn't give the govt. more information, it just helps agencies better share the information they already have.) Groove Workspace has also been certified with two govt. security standards, FIPS 140-2 level 1 and NIAP CCITSE. In related news, Groove's developers have been diagnosed with acronym whiplash."

Ryan Barrett writes "Groove Networks has announced that their P2P infrastructure will power the Homeland Security Information Network, an initiative to increase information sharing between federal, state, and local intelligence agencies. (The initiative doesn't give the govt. more information, it just helps agencies better share the information they already have.) Groove Workspace has also been certified with two govt. security standards, FIPS 140-2 level 1 and NIAP CCITSE. In related news, Groove's developers have been diagnosed with acronym whiplash."

swordboy writes "General Electric recently announced the largest and most efficient OLED panel ever created. The 24 inch square panel emits 1200 lumens with a power consumption of about 80 watts - on par with today's incandescent bulbs. This represents the first fruit from the NIST project with ECD Ovonics. The ultimate goal is a cheap, flexible display and lighting technology that can function with an efficiency of 100 lumens per watt. This would make great wallpaper." (And, I hope, a great backlight for laptops.)

richard_za writes "Until now the rival compression software vendors PKWare and Winzip have had different (incompatible) ways of password protecting the ZIP format. In a bid to prevent fragmentation of the standard they have agreed to have their software support opening of the other's files. They have however not agreed to support a single standard. PKZip's encryption is RSA-based while Winzip use an AES approach which is fully documented here. The Register is running this story. PKWare has this press release."

Little Hamster writes "The scientists working on the Digital Preservation Program at the National Institute of Standards and Technology (NIST) has released an excellent 50 page guide on care and handling of CDs and DVDs for long term storage. It talks about the effects of light, moisture, radiation, scratches, marking, adhesive labels, and even playback on the discs. For those slashdotters who is not familiar with the physical made up of these optical discs, there is a very nice chapter explaining all the background. And if you only want to know how to care for your precious data, there is a one page summary. And yes, they agreed that glued-on labels are harmful."

Little Hamster writes "The scientists working on the Digital Preservation Program at the National Institute of Standards and Technology (NIST) has released an excellent 50 page guide on care and handling of CDs and DVDs for long term storage. It talks about the effects of light, moisture, radiation, scratches, marking, adhesive labels, and even playback on the discs. For those slashdotters who is not familiar with the physical made up of these optical discs, there is a very nice chapter explaining all the background. And if you only want to know how to care for your precious data, there is a one page summary. And yes, they agreed that glued-on labels are harmful."

Little Hamster writes "The scientists working on the Digital Preservation Program at the National Institute of Standards and Technology (NIST) has released an excellent 50 page guide on care and handling of CDs and DVDs for long term storage. It talks about the effects of light, moisture, radiation, scratches, marking, adhesive labels, and even playback on the discs. For those slashdotters who is not familiar with the physical made up of these optical discs, there is a very nice chapter explaining all the background. And if you only want to know how to care for your precious data, there is a one page summary. And yes, they agreed that glued-on labels are harmful."

treerex writes "NIST (the US National Institute of Standards and Technology) has just released a 148 page report entitled Computer Security Incident Handling Guide (PDF). It covers the gamut, from setting up a response team to dealing with specific types of attacks: DoS, trojans, worms, malicious code, and unauthorized access. While written by a team from NIST and the contractor Booz-Allen Hamilton (BAH), they appear to have taken input from CERT and luminaries like Spafford. It is an interesting read."

treerex writes "NIST (the US National Institute of Standards and Technology) has just released a 148 page report entitled Computer Security Incident Handling Guide (PDF). It covers the gamut, from setting up a response team to dealing with specific types of attacks: DoS, trojans, worms, malicious code, and unauthorized access. While written by a team from NIST and the contractor Booz-Allen Hamilton (BAH), they appear to have taken input from CERT and luminaries like Spafford. It is an interesting read."

prostoalex writes "Reporters from CNet News.com learned that SUSE Linux Enterprise Server received EAL3 certification, which allows it to compete with such certified operating systems as Windows (from Microsoft), Solaris (from Sun), HP-UX (from HP) and AIX (from IBM). Albeit all of the aforementioned OSs have EAL4 certification, Evaluation Assurance Level 3 allows SUSE Linux to be considered for a range of government and military tenders. Red Hat Linux is expected to receive EAL2 certification any time now."

mrklin writes "James Wiebe of wiebetech.com has written a clear example of how hard drive capacity is calculated (PDF file) by hard drive manufacturers (base 10) and OS (base 2). He failed to name how the capacity should be described, though."

Alien54 writes "Computer scientists at the National Institute of Standards and Technology (NIST) are launching an effort to develop specifications for 'archival quality' CD and DVD media that agencies could use to ensure the procurement of sufficiently robust media for their long-term archiving needs (i.e., 50 years and longer). See the press release at the NIST site." The research involves "...enclosed chambers that use temperature and humidity changes to artificially age the media some 20 years in only six weeks."

Alien54 writes "Computer scientists at the National Institute of Standards and Technology (NIST) are launching an effort to develop specifications for 'archival quality' CD and DVD media that agencies could use to ensure the procurement of sufficiently robust media for their long-term archiving needs (i.e., 50 years and longer). See the press release at the NIST site." The research involves "...enclosed chambers that use temperature and humidity changes to artificially age the media some 20 years in only six weeks."

Alien54 writes "Computer scientists at the National Institute of Standards and Technology (NIST) are launching an effort to develop specifications for 'archival quality' CD and DVD media that agencies could use to ensure the procurement of sufficiently robust media for their long-term archiving needs (i.e., 50 years and longer). See the press release at the NIST site." The research involves "...enclosed chambers that use temperature and humidity changes to artificially age the media some 20 years in only six weeks."

TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.

jpetts writes "If you have an interest in cryptography and spend even a small amount of time looking at the subject on the Internet, you will almost certainly have come across the name Bruce Schneier. His book, Applied Cryptography is widely regarded as the most accessible, and one of the most important books on cryptographic algorithms ever published. Schneier has also published other books, including the less technical Secrets and Lies, an thought-provoking book aimed at getting people to think about the whole of the security landscape, not just cryptography. Now, together with Niels Ferguson, renowned cryptographic expert, and longtime collaborator, another immensely valuable book on security has just appeared." Read on for the rest of jpetts' review. Practical Cryptography author Neils Ferguson and Bruce Schneier pages xx + 410 publisher Wiley rating 10/10 reviewer James Petts ISBN 0471223573 summary Pure Hands-On Cryptographic Gold; invaluable guide for cryptographers.

Schneier is one of the world's foremost experts, not just on cryptography, but also on security. It was as he delved deeper into the security of cryptographic systems that he realised that even though - theoretically at least - cryptography could be made arbitrarily secure, this was one of the more tractable problems in the security puzzle. For this reason, his company, Counterpane repositioned itself as a managed security company, rather than continuing to focus solely on cryptography. This transition was also reflected in his publication of Secrets and Lies (SL), which is very different in tone and focus from Applied Cryptography (AC). So where does Practical Cryptography (PC) fit in, and what does it offer? For me, the answer is that it lies pretty much squarely in the middle of the line reaching from AC to SL.

There is no shortage of products in the cryptography arena, but the vast majority of these attract undisguised scorn from professional cryptographers (at least those who can be bothered to comment on them), and although I am only an amateur in this field, I take it as axiomatic that only peer-reviewed cryptosystems (algorithms, protocols, etc) which have stood the test of time are worth taking even a preliminary peek at. This includes many that are described in AC. However, One of the problems with AC, openly acknowledged by the author, is that it contains essentially no implementation details. Furthermore, the cryptographic field has moved on since its publication, most notably with the adoption of Rijndael as the Advanced Encryption Standard, now a mandated Federal Information Processing Standard.

The source code to AC has been available from pretty much the moment of the book's publication, but one of the problems which faced a would-be cryptographic coder, is how to produce a working cryptographic product based on the routines that one could lay one's hands on. Merely incorporating the source code in a program does not a cryptosystem make: as Schneier points out cryptography is hard. And this is where this new book is invaluable: it tells you in great detail how hard it is, what the hardest parts are, and how you can maximise the return on the effort you may invest in developing cryptographic software.

The book pulls no punches, and does not gloss over any issues relating to implementing cryptographic systems. It deals with all the major components of a practical cryptosystem: the book's major sections are titled Message Security, Key Negotiation, Key Management and Miscellaneous.

Within each of these sections there are several chapters, covering virtually all the salient points imaginable, right down to the fundamentals. For example, the first chapter of the Key Management section deals with the clock. It explains from first principles the need for a clock: "At first glance, [a clock] is a decidedly un-cryptographic primitive, but because the current time is often used in cryptographic systems, we need a reliable clock." It is this sort of attention to particular implementation details that turns PC from a mere recipe book into an invaluable reference and a true cookbook.

Another invaluable feature is the generous use of pseudocode snippets, not only for algorithmic details, such as MACs and block cyphers, but also for higher-level operations like sending and receiving messages.

Ferguson and Schneier are refreshingly frank, too. Where they believe strongly in something, they let you know it. For example, the first paragraph of chapter 23, Standards, contains the statement that "[s]ecurity standards rarely work," while the authors go even further when dealing with X.509 certificates, stating on p.339, "[w]hatever you do, stay away from X.509 certificates. If you need a reason, read [40] and weep". This candour is refreshing, especially when juxtaposed with the weasel words that so many consultants and software vendors seem to rely on. However, this advice is not just given in curmudgeonly fashion, and when the authors discuss the matter of X.509 in a different context, they add, humorously, "[i]f you must use X.509, you have out condolences."

I am tempted to continue to analyse the book at great length, but to save space I will just highlight some further jewels from this work:

• Implementation issues such as swap files, language-specific memory handling behaviour, caches, etc. are covered in enough detail for you to understand how to do things, and more importantly, how not to do things.
• Randomness, pseudo-randomness and entropy are covered in enough depth for an implementor to avoid pitfalls, and pseudocode examples are given.
• Mathematical topics such as prime numbers, groups and large integer arithmetic are described in excellent detail.
• PKI, its promise, and failure are covered with wit and wisdom.

As you can probably guess from the above description, I believe that the real value of this book lies in the fact that two renowned experts, in both theory and practice, are sharing what works, and more importantly what you should avoid like the plague when working with cryptosystems. This information has until now generally only been available by listening to people like Schneier and Ferguson talk, either one-to-one or at conferences. Even then, the authors point out that even talking to "experts" is not without danger: chapter 25 begins "There is something strange about cryptography: everybody thinks they know enough about it to design and build their own system. We never ask a second-year physics student to design a nuclear power plant. We wouldn't let a trainee nurse who claims to have found a revolutionary method for heart surgery operate on us. Yet people who have read a book or two think they can design their own cryptographic system. Worse still, they are sometimes able to convince management, venture capitalists, and even some customers that their design is the neatest thing since sliced bread." Given this statement, some people might claim that this book is a little hubristic, but I disagree. Paranoia, self evaluation and a healthy scepticism are pre-requisites for assessing, deploying and implementing cryptosystems, but since a sine qua non of reliable crypto is open examination and peer evaluation, I believe that the authors are here simply offering advice, which once you understand more about the issues surrounding crypto, is merely common sense. Schneier and Ferguson have both "earned their bones" in the glaring light of crypto, and this book admirably fills an obvious gap in the literature of the field. There is not, to my knowledge, another book like it on the subject, and had it been published at around the same time as AC, I am sure that it would have been regarded by the NSA as even more dangerous than that book. After all, it is frighteningly easy for the uninformed to take good cryptographic algorithms and protocols, and through ignorance turn them into worse-than-useless crypto products.

Is there anything I didn't like about the book? Frankly, no. Some might complain that it is priced too high (it lists at USD50 for the softcover, and USD70 for the hardcover), but it is printed on acid-free paper, and the density of useful advice is such that it outstrips in value many works which cost half the price or less.

If you are interested in crypto, do yourself a favour: buy this book.

You can purchase Practical Cryptography from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

dvdweyer writes "This book deals with administration of UNIX (one wonders why the book doesn't bear the title "Essential UNIX Administration"), all major UNIX platforms are covered, most of them in their almost latest version when the book went to press (Linux: Red Hat 7.3 and SuSE 8.0, Solaris 8 and 9, FreeBSD 4.6, AIX 5, HP-UX 11/11i, Tru64 5.1), SCO and IRIX were dropped for this edition, FreeBSD was added. Other UNIXes (e.g. Debian Linux) are not mentioned, but this makes the book only a little bit less useful on those, with some imagination the information can be used, except for special topics (e.g. package management). This book is on system administration and not targeted on desktop users, as such it doesn't cover KDE, Gnome or any desktop application." Dvddwyer's section-by-section review continues below. Essential System Administration, 3rd Edition author AEleen Frisch pages 1176 publisher O'Reilly rating 9/10 reviewer dvdweyer ISBN 0596003439 summary a well-done standard for all who need a thorough introduction as well as a work of reference in UNIX system administration.

Content Introduction to System Administration

This chapter claims to make you think like a system administrator, I didn't feel any different after reading it, maybe I already think like one ;-). Most of it is about use of superuser privileges (su, sudo). Other parts are communicating with users (talk, wall, motd - but no mention of e-mail or phone) and GUI-based vs. command-line administration.

The Unix Way

Here starts the real stuff: files, processes and devices. A very gentle but thorough introduction to all possibilities of file and directory ownership (chmod, chown, mode strings, numeric modes), next is a description of how files map to disks. The processes are covered on a fairly abstract level, only something about various types (interactive, batch, daemon) and attributes (but no way to show them, not even an example usage of ps or top - that's left for chapter 15). The part on devices is basic, but shows the some commands to list information about devices. Last part in this chapter is about the generic UNIX filesystem layout.

Essential Administrative Tools and Techniques

Here are some of the most important commands and techniques for everyday use: man, grep, awk, find (including how to pipe). Some of the examples are fairly complicated for a novice, a basic knowledge of piping and shell usage is assumed. Next are some methods of handling files and directories (cp, mkdir, diff, rm), periodic execution (cron), logging (syslog, managing log files) and software package management (the most important commands to Linux rpm, Solaris pkg*, etc.) and manual software installation (.configure, make, make install).

Startup and Shutdown

Contains a fairly detailed description of what happens when a system boots up or shuts down. This includes all the gooey stuff about initialization files, runlevels and how to customize those. Last but not least is a short troubleshooting guide, "When the System won't boot."

TCP/IP Networking

The chapter starts with a gentle introduction to TCP/IP and related hardware and explains step-by-step a starting TCP/IP session with dumps and comments. Going on it digs deeper and explains IP addressing, subnets and even a little bit IPv6. The first hands-on part deals with network configuration (ifconfig, configuration files, DHCP, name resolution). A short troubleshooting guide (ping, arp) rounds off the chapter.

Managing Users and Groups

This part starts with a description of the essential files (/etc/passwd, /etc/shadow, /etc/groups) and how to add/remove users and other aspects of user and group management. The default tools for each distribution are also mentioned. Then a whole slew of pages are dedicated to password selection, cracking and enforcing password policies (though I prefer stronger passwords than those given on page 301). The last pages give an introduction to PAM (mostly Linux) and LDAP (mostly OpenLDAP).

Security

This is indeed a very good introduction to UNIX security and its lines of defense (though I did miss "disable remote root login" and "give users no shell when they don't need it"), next are common mistakes, setuid/setgid access modes and ACLs. A short introduction to PGP/GPG and role-based access control is given. The next big part is about network security: OpenSSH, TCP Wrappers and nmap are introduced; the ubiquitous advice "disable what you don't need" is also given. Firewalls are briefly mentioned, some links to actual products e.g. ipfilter or Netfilter would have been nice. A nice checklist-style guide to hardening an UNIX system is given and the chapter concludes with managing problems and monitoring. I did miss some links to resources on the Internet and a reminder on the importance of frequent patching (Sun recently published a nice whitepaper on this topic).

Managing Network Services

This chapter builds on the foundation built in the chapter on TCP/IP, as such it covers various basic networking services and starts with name resolution via DNS, mentioning configuration and usage of the common tools (BIND, nslookup, host, dig). This is followed by a part on getting out of the local network (routed, gated), getting others on your network (DHCP) and managing (netstat, ping, traceroute, SNMP) and monitoring (tcpdump, snoop). The chapter ends with short introductions to dedicated packages (e.g. NetSaint, MRTG/RRDTool).

Electronic Mail

Next is a chapter on that other big network nuisance^W service: mail. It starts with a gentle introduction to the basics (SMTP, MX records, POP/IMAP). The part on MTAs starts with everybody's darling *cough* sendmail which is covered exhaustively. The other MTA covered is Postfix, which also receives fairly extensive coverage. The rest of the chapter covers mail processing (fetchmail, procmail), there is no mention of other MTA, MUAs, or other modern mail processing tools (e.g. against spam). Though this chapter is well done, and a nice introduction to mail in general, I would prefer to get rid of it in favor of a "mail-is-only-for-dedicated-servers" policy. A short note on how to deactivate or remove the default MTA should be included in the previous chapter (yes, I know that not everyone shares this point of view).

Filesystems and Disks

A very long chapter on filesystems and disks with tons of information on how to create, mount/unmount, repair and monitor filesystems, including some stuff about logical volume managers and RAID. Nicely indexed, it makes a good reference but is boring to read it all (I didn't :-). The last pages are a short introduction to NFS and Samba, but do not cover all the advanced aspects.

Backup and Restore

Covers the tedious taks of backup with all the different aspects: planning backup, strategies to manage the workload, what media to use, what tools are available in a standard setup (tar, cpio, dump, dd, mt, restore). Next is a coverage of the package Amanda and what to look for in commercial packages. Last but not least "restoring from scratch" is covered.

Serial Lines and Devices

Herein is all the stuff about serial devices (tty, termcap, terminfo, stty), usage of USB is covered for FreeBSD, Linux and Solaris.

Printers and the Spooling Subsystem

Contains lots on "old school" printing (BSD spooling facility: LPD, System V printing, AIX spooling facility), a short note "Print Services for UNIX" on Windows NT/2000 (works pretty well for basic usage) and on providing print services for Windows by Samba. LPRng and CUPS also get a few pages. Closeout for this chapter is font management under X, which contains a rant on how cumbersome font management is ;-).

Automating Administrative Tasks

This chapter appeals to a healthy laziness which might save some manual work. It contains some samples and introductions, the best it can do is make appetite for more. Included are: shell script (C-shell), tips for testing and debugging, Perl (including there is more than one way to do it-proof), Expect, C and the lesser known tools Cfengine, Stem. It closes with some short notes on how to create a man page for your own software.

Managing System Resources

This chapter wants to make you think a about system performance before you try to manage it. General steps are given: define, determine, formulate, design, implement, monitor and return to start ...

After the general introduction the chapter gets hands-on with monitoring - ps (it is in there after all ...) with all System V and BSD options, pstree and top are covered. The /proc filesystem is mentioned with some samples of how information can be gathered. Process limits are discussed, including how to disallow the creation of core dumps. Signaling and killing processes with kill and killall is covered next. The next chunks in this big chapter are managing CPU (nice, AIX and Solaris scheduler, cron), memory (paging, recognize memory problems), I/O (performance, disk quotas), network (netstat, some notes on DNS and NFS)

Configuring and Building Kernels

This chapter is essentially a bunch of short guides on what to look for when configuring and building a kernel, for Linux lilo is also explained.

Accounting

This is an introduction to what components are relevant for accounting, and how to enable/disable it. As such it shows what can be done with the standard tools on BSD-style accounting (sa, ac) and System V-style accounting. A few pages are dedicated to printing accounting.

Appendix: Administrative Shell Programming

This is a more thorough introduction to shell programming that could have been integrated in the chapter Automating Administrative Task. Other than that it is a solid, short reference to shell programming.

Index

Last but not least is a very concise index (50+ pages), which makes it easy to find anything that's in the book.

What's bad

There's not much I really disliked in the book, I can recommend to anyone who needs an introduction to UNIX system administration or a general reference text. Some points are: it's not on UNIX CD Bookshelf v3.0, which is a pity for reference usage, there are almost no links to WWW sites of interest, almost all links to further information are to other O'Reilly books (granted, most of them are quite good) and sometimes I found the order in which themes are discussed slightly less than optimal for "junior administrators".

What's good

Almost everything (writing style, coverage), except those few issues mentioned in "What's bad". The very good index makes it easy to find the information that is applicable in your special situation, even with all those different UNIXes. If you are looking for a general UNIX reference and/or introduction, look no further (you might want to compare it with "The UNIX Systems Administration Handbook", and decide for yourself, note that the USAH does not cover AIX).

You can purchase Essential System Administration, 3rd Edition from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

An anonymous submitter writes "Look, some research money awarded to all the recent slashdot topics! Printable LCD displays and circuits, high accuracy biometric algorithms, holographic data storage, an overclockers dream, and the DMCA fights back. See all the projects listed for NIST's FY2002 funding."

An anonymous submitter writes "Look, some research money awarded to all the recent slashdot topics! Printable LCD displays and circuits, high accuracy biometric algorithms, holographic data storage, an overclockers dream, and the DMCA fights back. See all the projects listed for NIST's FY2002 funding."

An anonymous submitter writes "Look, some research money awarded to all the recent slashdot topics! Printable LCD displays and circuits, high accuracy biometric algorithms, holographic data storage, an overclockers dream, and the DMCA fights back. See all the projects listed for NIST's FY2002 funding."

An anonymous submitter writes "Look, some research money awarded to all the recent slashdot topics! Printable LCD displays and circuits, high accuracy biometric algorithms, holographic data storage, an overclockers dream, and the DMCA fights back. See all the projects listed for NIST's FY2002 funding."

An anonymous submitter writes "Look, some research money awarded to all the recent slashdot topics! Printable LCD displays and circuits, high accuracy biometric algorithms, holographic data storage, an overclockers dream, and the DMCA fights back. See all the projects listed for NIST's FY2002 funding."

An anonymous submitter writes "Look, some research money awarded to all the recent slashdot topics! Printable LCD displays and circuits, high accuracy biometric algorithms, holographic data storage, an overclockers dream, and the DMCA fights back. See all the projects listed for NIST's FY2002 funding."

Slashback tonight with some rare bits of good news, at least for those who liked BBC Ogg Vorbis streams, or who use AES to protect data. Plus, a (final?) turn in the Greek gaming ban, and another visit to Dummies hell.

Let's get with it on those .ogg portables, OK? rassie writes "Checking back at what used to be one of my most visited sites, I noticed that I might start using it again very soon. The BBC is returning to streaming in ogg format. From the page:
Update (2002-09-24): Yay, the legal issues have been resolved. We now have rights to all the of the BBC's radio output. Hopefully we should start kicking off these streams soon."

Your email is still (probably) safe. BitterOak writes "A recent Slashdot story reported that AES might have been broken by the new XL attack of Courtois and Pieprzyk. However, it appears there aren't enough linearly independent equations for this attack to work against AES. Cryptographer T. Moh has a brief explanation here, and Don Coppersmith posted a comment on the NIST AES discussion forum (under General Cryptanalytic Attacks), which comes to the same conclusion. Coppersmith is one of the world's greatest cryptographers, so it seems safe to assume that AES has not been broken at this point."

Hey, now it's just like most of the U.S.! yoink! writes "The BBC is running the following story detailing the end of the short-lived electronic gaming ban in Greece. The Government realised that (hopefully) relatively little gambling was involved with those playing computer, and console games all over the country. The decision to clarify those games which are, in fact, electronic gambling facilities are the only forms of electronic gaming with which the revised legislation now concerns itself."

The lawyers sound like ... dummies. Blue Aardvark House writes "I am an author for the Slash site Slackers Guild. Recently Nastard, the owner of Slackers Guild received a threatening letter from Wiley Publishing concerning the site's Slacking for Dummies document. Nastard's reply is here."

Update: 09/27 03:31 GMT by T : Note: the Slacker's Guild website seems to have slacked, and the links no longer work. For the text of the letter sent by Wiley to Nastard, search below for comment #4340698 by SiMac; for the response, see comment #4340840 by decaying. Also, the "Slacking for Dummies" document link now points to Google's cache.

It's not the first time that Wiley has hunted down obvious parody works; they've even fired off similar mail because someone used "Dummies" in the subject line of an email.

bcrowell writes "The latest CryptoGram reports that AES (Rijndael) and Serpent may have been broken. The good news is that when cryptographers say 'broken' they don't necessarily mean broken in a way that is practical to exploit right now. Still, maybe we need to assume that any given type of crypto is only temporary. All of cryptography depends on a small number of problems that are believed to be hard. And all bets are definitely off when quantum computers arrive on the scene. Maybe someday we'll look back fondly on the golden age of privacy."

The Right Brute writes "It appears that the successors to the SHA-1 cryptographic digest algorithm have been released. FIPS 180-2 can be found here which I believe is the final version of the SHA-256/384/512 algorithm (it does not appear to have changed since the last draft). I have an implementation that I did as a CWEB literate programming example that might serve as a good companion to the specification."

ranger8x writes "Apple has submitted Mac OS X and Mac OS X Server to the U.S. government's National Information Assurance Partnership to evaluate various security features. It seems Apple is looking for some respect by the government, and to 'get more exposure.'"

superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.

I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."

superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.

I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."

superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.

I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."

superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.

I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."