Slashdot Mirror

(Copied from my earlier post)

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

(Copied from my earlier post)

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

(Copied from my earlier post)

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

NIST (The National Institute of Standards and Technology) currently has a program to provide this service, though largely focused on Microsoft OSes and associated apps. It may be found here: National Software Reference Library

The complete list of software they've checksummed can be found here: Software Listing or you can use their search engine if you're looking for a specific application here: Search Engine

1 terabyte (10^12) has 99 511 627 776 less bytes than 1 tebibyte (2^40).

mb is millibit - not very useful Mb is megabit MB is megabyte But see also kibi (Ki), mebi (Mi), gibi (Gi), tebi (Ti), pebi (Pi) and exbi (Ei).

Beware the difference between megaBITS and megaBYTES. mb is megaBIT and MB is megaBYTE. One byte is eight times larger than one bit, so it turns out IEEE 1384 is slower by a factor of two than ATA/100.

according to nist.gov:
The meter is the length of the path travelled by light in vacuum
during a time interval of 1/299 792 458 of a second.

follow the link for the exact definition of a second
(determined by a number of periods of a cesium-133 atom).
i find it odd that nether this slashdot article nor the cnn piece mention these.

Indeed, in fact it was build based on a measure of the earth circumference from Pole to Equator (via Paris).

Actually...

Here it says:

The meter (m) is the Si unit of length and is defined as the length of the path traveled by light in vacuum during the time interval of 1/299792458 of a second.[3] This replaces the two previous definitions of the meter: the original adopted by CGPM in 1889 based on a platinum-iridium prototype bar, and a definition adopted in 1960 based on a krypton86 radiation from an electrical discharge lamp. In each case, the change in definition achieved not only an increase in accuracy, but also progress toward the goal of using fundamental physical quantities as standards, in particular, the quantum mechanical characteristics of atomic systems.

--grendel drago

I never understood the requirement to have central management consoles for everything you run.

If you have so many servers that managing them individually is not an option, then what you need is a general solution to the management problem, not a specific solution for every piece of software you run.

For command line tools, manymaint (a nice Expect script) is one simple and free solution.

As for doing checks of routers, you could just use tftp to download configs to a server on a scheduled basis and run your checks there.

Computing is fun when you use your imagination to solve a problem (even an easy one like this) creatively, instead of asking "Here's my niche problem, where is the expensive niche product from a faceless bland corporation that fixes it?".

I never understood the requirement to have central management consoles for everything you run.

If you have so many servers that managing them individually is not an option, then what you need is a general solution to the management problem, not a specific solution for every piece of software you run.

For command line tools, manymaint (a nice Expect script) is one simple and free solution.

As for doing checks of routers, you could just use tftp to download configs to a server on a scheduled basis and run your checks there.

Computing is fun when you use your imagination to solve a problem (even an easy one like this) creatively, instead of asking "Here's my niche problem, where is the expensive niche product from a faceless bland corporation that fixes it?".

There is a declassified crypto algorithm, designed by the NSA, and available to you. It's Type 2 (good for sensitive but unclassified) called Skipjack. Available here.

If you read the article, you will see that CDL had the CDL-82 hardware encryption chip, which was built-in to the unit. I don't know how good the chip is, but it sounds like there is more to their security claims than just the biometric scanner.

The CDL website makes vagues claims that their security chip is FIPS 140 rated, but I have not been able to find it. For that matter, it is not clear that the Paron MPC is actually built using the CDL-82, or some variant of it.

While we're on the subject Ars talks about 8 bytes as being called a "word". As a programmer I was under the impression that a "word" is 2 bytes, a Double Word (DWORD) was 4 bytes and a Quadword was 8 bytes or 64 bits. What's he on about?

Go out and download and install Java's sdk. Also, take a look at jama.

I ran the Scimark 2.0 Java benchmarks on the same machine, running Yellow Dog Linux, kernel 2.4.19, versus Mac OS 10.2.

Here are my results

Yellow Dog 2.3: SciMark 2.0a

Composite Score: 139.92947174097748
FFT (1024): 123.98639890992068
SOR (100x100): 166.2888365390105
Monte Carlo : 11.87347214947242
Sparse matmult (N=1000, nz=5000): 119.76608441786847
LU (100x100): 277.7325666886154


java.vendor: IBM Corporation
java.version: 1.3.1
os.arch: ppc
os.name: Linux
os.version: 2.4.20-0.7bsmp

MacOS 10.2: SciMark 2.0a

Composite Score: 65.55278911110278
FFT (1024): 45.766180267285044
SOR (100x100): 148.7766358092264
Monte Carlo : 8.128496082717385
Sparse matmult (N=1000, nz=5000): 43.78407287809933
LU (100x100): 81.30856051818576

java.vendor: Apple Computer, Inc.
java.version: 1.3.1
os.arch: ppc
os.name: Mac OS X
os.version: 10.2

Machine:
processor : 0
cpu : 7455, altivec supported
clock : 999MHz
revision : 2.1 (pvr 8001 0201)

processor : 1
cpu : 7455, altivec supported
clock : 999MHz
revision : 2.1 (pvr 8001 0201)
bogomips : 999.42
total bogomips : 1998.84
machine : PowerMac3,6
motherboard : PowerMac3,6 MacRISC2 MacRISC Power Macintosh
detected as : 129 (PowerMac G4 Windtunnel)
pmac flags : 00000000
L2 cache : 256K unified
memory : 256MB
pmac-generation : NewWorld

Mem: 253776

However, I use the Chimmy Yahoo client, a console based client that runs on Linux, and run it through some expect scripts. I sometimes use this so that I appear to always be online and receive and reply to messages via email on my cellphone. I send an email message from my phone to an address on my linux box, which interprets the commands and sends them through to the appropriate places, and vice-versa. So far it works great.

The definitive online resource for algorithms is NISTS's Dictionary of Algorithms and Data Structures. There is a list of algorithm resources, and you can also find some free e-books using The Assayer.

In print you should be looking for "Introduction to Algorithms, 2nd edition". It is the bible of the field. Other excellent candidates are "Data Structures and Algorithms" ( / in Java / in C).

Google will also tell you to look here, here and here.

So how come we're not bombing Microsoft?

Seriously, aerial bombing campaign or not, the court's decisions do need to be enforced. Interoperability is essential for economic growth and since Microsoft has been the largest single obstacle to interoperability, you could say that it looks like Microsoft has been a factor in holding back eonomic growth.

Okay, this has to be the absolutey most assinine thing I've done on Slashdot, but I've gotta do it.

It's daylight saving time, not daylight savings time. NIST says so.

Anyway, if it were up to me, we wouldn't have daylight saving at all.

I'd rather not have my money spent on this, thank you. It's not that it's wasted pork - it's development that actively reduces my civil liberties.

...the company will build a device to demonstrate recording and recovery of streaming digital video files.

Why does everything seem to loop back to the DMCA now?

This proposal simply intends to introduce novel new methods by which content providers can their copyrights. They plan to "modify the timing and modulation of the light used to create the displayed image such that frame-based capture by recording devices is distorted," and that certainly doesn't entail the enactment of Draconian legislation like the DMCA.

Therefore, what in the blue hell does this have to do with the DMCA (at least at this point)? If anything, this will give scientists the opportunity to attempt to overcome a new set of technologies. This is the type of thing they should be doing. It's better than having them take the litigious route, trying to force the government to protect their business model, and as this merely deals with video recording of projected films, it's hardly objectionable.

1. Pirate a copy of Windows 2000.
2. Install it on the first computer using the NTFS file system. Install your pirated copy of Office 2000.
3. Change the permissions on C:\, making sure permissions are inherited by child objects:
4. 
   
   • SYSTEM: Full Control
   • CREATOR OWNER: Full Control
   • Administrators: Full Control
   • Authenticated Users: Read & Execute, Read, List
   
   
   
5. Use Computer Management administration tool to create a new user who is a member of Users group. Use Users and Passwords control panel to automatically log that user into the system.
6. Use sysprep to image this disk to the rest of the computers.
7. Bonus points if you pirate Windows 2000 Server, set up a simple Active Directory, and control group policy for the systems from there.

Costa Rica did it 5 years ago with AT&T. It was based on quite interesting technology called Byzantine Quorums. The goal was an effecient replication of the same info over a network. The idea is that you don't have to copy the data to all participating nodes, only to a Quorum... (The name Byzantine comes from much earlier "Byzantine Generals" problem).

The National Institute of Standards and Technology is under the Department of Commerce. NIST does a lot of good, doing basic research on time standard (that benefits communications in a big way) and other metrology, fire retardants among other things which have a real society benefit.

What tests and process do they do? Is this always the same? How do they learn from their mistakes? Is the process upgraded and reviewed regularly.

Not used to working with the government I see :-)

Actually, I think the FIPS 140 process is actually a very good example of those concepts done right. Review the FIPS site.

The answer to your question about tests will be answered thoroughly, perhaps you will want to start with the derived test requirements section.

What tests and process do they do? Is this always the same? How do they learn from their mistakes? Is the process upgraded and reviewed regularly.

Not used to working with the government I see :-)

Actually, I think the FIPS 140 process is actually a very good example of those concepts done right. Review the FIPS site.

The answer to your question about tests will be answered thoroughly, perhaps you will want to start with the derived test requirements section.

From my experience, the FIPS 140 certificate does a good job of ensuring that products live-up to their formal design specifications. The obvious question is how good were the design specifications? This is where things get interesting. To over generalize, I think FIPS 140 does a good on tamper-resistant (and respondent) hardware design, and a poor job on logical security.

A lot of the FIPS philosophy came out of the military, and the testing labs impressed me with the breadth of their physical attacks. On the other hand, the military usually has very simple logical security requirements for a crypto-box. It should be inert until authorized users properly activate it, and at that point it can perform sensitive actions. Commercial cryptography designs by contrast, usually has a set of functions that needs to be generally available. They also have a much smaller set of functions that need authorized users to control.

When we put our product through the immediate predecessor to FIPS 140-1 certification, we were the first commercial product and ended-up breaking a fair-amount of new ground (somewhat painfully as you might imagine). What we had to show was that the cryptographic commands that were available to non-privileged users were safe - because of the logical security design. Even early FIPS 140-1 processes did not really deal with these "always-on" functions very well.

Although it improved, especially with the 140-2 modifications, logical security is still the real weak point. Michael Bond's well publicized attacks on the FIP 140-1 level 4 certified IBM 4758 security module were all aimed at the "logical security" level. My favorite example of insecure by design is the PKCS #11 security module when it is used for server security.

The Cryptoki (PKCS #11) interface was designed for security tokens, and basically works a lot like the military devices. The token (smartcard, whatever) would be plugged into the client device, where it would remain inert until activated by the user password. Actually a pretty good design when used this way.

The problem is when the same design is used for a server, which is unfortunately common since several PKI vendors standardized on using PKCS #11 security modules. PKCS #11 authorization levels are all messed-up for server use. There is no concept of "always-on" commands, or multiple levels of authorization. That means that any entity (server application) that wants to access the security-subsystem must be an authorized user.

The result is that the clear password that enables the PKCS# 11 modules has to be put into the server application. Because of that clear password an attacker no longer has to break into the PKCS #11 box or steal/forge authorized user's identities. They can gain authorized user privileges merely by monitoring the communication lines between the application and box, or by analyzing the object code of the application!

You will find a number of FIPS 140 certified PKCS #11 modules, which is actually no surprise given how well PKCS #11 matches the military origins of the FIPS 140. This is a classic example of a certified subsystem that is quite secure for some uses (human insertion of a token and entry of password), but it quite insecure for others (server applications storing and using clear passwords). All the FIPS certification does in the case of PKCS #11 is tell you that the vendor has followed their design, and not if it will provide logical security in your system!

As others have noted, FIPS 140-x validation is not a panacea; however it does add some additional (and IMO useful) product review beyond what you'd get with standard internal QA plus public review (for open source crypto products). I think it would be great if some vendor or vendors stepped up and sponsored FIPS 140-x validation for OpenSSL and other popular open source crypto implementations.

From this article I get the impression that any Tom, Dick, or Harry can go out, 'perform testing' and give away FIPS certs for money.

This is not the case. FIPS 140-1/140-2 test labs must be approved by NIST through a formal accreditation program.

Here's a how-I-understand-it description:

The problem with wires is that they expand; the more heat/current passing through, the more expansion. If you're trying to propagate a wave through something that's slightly cone-shaped (rather than tubular), the wave will lose some of its integrity (it'll get larger rather than keeping its original shape). Also, if the wire gets smaller as you heat it (like using ZrW2O8 for the entire thing), the wave will be distorted (it'll get smaller and smaller).

Fiberoptics use a combination of materials: one that is essentially a traditional wire, and one that shrinks when heated. This produces an expansion in the normal stuff, and shrinks the other, creating a net expansion of zero! This way, the cable stays essentially the same size its entire length, and can propagate your signal with few distortions.

Substances that shrink when heated aren't new, and ZrW2O8 isn't new either. Here's a 1998 PDF from NIST on the stuff.

The first few pages of this nice PDF have a history of fiberoptics (the rest is an ad for the company).

I'm glad I'm using 1024bit encryption. They've worked so hard to do 64 bit. But each additional bit is a redoubling in the amount of computing power it's going to take to decrypt my packets. Good luck!

This is a good joke, but misleading to readers that might not know better.

For their sake: SSH uses both public key and private key (or symmetric) cryptography. Public key crypto uses keys with thousands of bits; private key crypto uses keys with hundreds of bits (older algorithms like DES used only 56). RSA, DSA, and so on are examples of public key crypto. RC5, Blowfish, and such are example of private key crypto.

Their key lengths aren't comparable at all. Whether or not RC5 is "secure" at 64 bits has absolutely nothing to do with using 1024 bits in authentication and session key negotiation.

I'm glad I'm using 1024bit encryption. They've worked so hard to do 64 bit. But each additional bit is a redoubling in the amount of computing power it's going to take to decrypt my packets. Good luck!

This is a good joke, but misleading to readers that might not know better.

For their sake: SSH uses both public key and private key (or symmetric) cryptography. Public key crypto uses keys with thousands of bits; private key crypto uses keys with hundreds of bits (older algorithms like DES used only 56). RSA, DSA, and so on are examples of public key crypto. RC5, Blowfish, and such are example of private key crypto.

Their key lengths aren't comparable at all. Whether or not RC5 is "secure" at 64 bits has absolutely nothing to do with using 1024 bits in authentication and session key negotiation.

Since Bluetooth and 802.11b run in the same frequency space (~2.4 Ghz), having the two running together causes interference, resulting in slower connections (discussed here and here). The effect does drop off with distance - having a 10 metre distance between the sources could result in a 10% performance hit for Bluetooth. Obviously, having both on the same card is asking for trouble...
Further information (with lots of pretty mathematical formulae) can be found in this ugly looking PDF.

My bet is that they use Topic Detection & Tracking techniques and a variation of the Scatter/Gather approach. The latter one was invented at Xerox Parc where Craig Silverstein used to work.

You need a fundamentaly different method of IP addressing, new routing protocols, and methods for interacting with the current net as it exists.

This isn't the encryption scheme mentioned previously, when Slashdot reported that a distributed project has almost "broken" the scheme, is it?

If you mean the recent article in the last week. No.

The recent /. article was a pointer to Schneier's Sept 2002 Crypto-gram about an academic weakness in AES.
It's academic in that it is not possible to break (at present time, and oh the next hundred years) in real-life.

Not so fast: Binary Prefixes are different.

10^9 is Giga (G)
10^12 is Tera (T)
10^15 is Peta (P)
10^18 is Exa (E)
10^21 is Zetta (Z)
10^24 is Yotta (Y)

Get your SI prefixes here

The part about not using the MDI style applications is in my opinion _very_ wrong. I often have 3 or more applications open when working and I find it damn confusing to look at all of them at the same time. Ever hit something outside the program you are working in and then spend time finding your way back?

The gui is just not designed to let me move around with speed and ease. Linux and Windows are much better at that.

Bottom line: Macs are too expensive and slow. I like my new dual mp 2000+; it's cheaper and faster (and it runs Linux properly!).

10. Patents: Implementations of the secure hash algorithms in this standard may be covered by U.S. or foreign patents.

This is NOT news to anyone that has been following CSRC NIST SP-800 publications that have been trickling out of Gaithersburg MD for some time. They are even reaching out to small business

Establishing a decent list of the telco demarks and physical inventory and assesment of vital devices was the 1st thing and probably done to a good tolerance. This is the next step. Get all the traffic reports going to a central NOC.

NIST have been writing fairly decent and comprehensive publications that deal with Firewall, email, WAP and assesment of security position. And surprisingly the Public it seems has been regularly asked to comment based what is occuring everyday in business IT.

Currently with the release of the ASSET evaluation tool Fed agencies and departments no longer have the rug to sweep year's of poor planning and practice under.

I'd fully expect that in a few years, use of this Federal NOC and its services of cross site and network attack detection ability could be put into a FIPS standard of some sort. Those that deal with GOV will have to deal with GOVs rules.

If I was a federal law enforcement agency it would be an easy sell.

Sharing GOV net traffic information parallels the concept of sharing "most wanted" lists, prison rolls, evidence research, cold leads and what not.

I just wish the US Gov would also do the same for spammers for theft of services!

Its not a surprise that nearly 100% of all Federal buildings and critical facilites have a small number of meatspace entry points which are screened and watched, why should we expect different for Internet, Extranet and Intranet spaces.

I foresee the American Internet much like American Banks in the 1930's. We are past the "glory" bandits like Bonny and Clyde stage and are just getting weary of the wanna be criminals.

It was about that time the FBI was established to chase after cross juristiction criminals. The Bureau with many other institutions like Insurance companies insisted Banks put in physical measures, guards, bars, silent and audible alarms, robbery training for staff, proof of executing government regulations, etc.

I predict in 8 years Insurance industry will up your premiums for not having a syslog server, Not having a written and practiced fair use policy with employees, not having firewalls between vital resources and untrusted segments of your business. Heaven help come audit time!

My friends computers are rock, metal, plastic and air -- not majik. Get over it.

Reading any of the NIST program documents and having any experience with business consolidation helps in what to forecast next.

My bet is the US Gov to institute internal national EDI networks based on XML exchanges to negotiate terms of service and usage of resources. Quasi-Privatized EDI would preclude any undesireables and non-participant networks.

My 2c

This is NOT news to anyone that has been following CSRC NIST SP-800 publications that have been trickling out of Gaithersburg MD for some time. They are even reaching out to small business

Establishing a decent list of the telco demarks and physical inventory and assesment of vital devices was the 1st thing and probably done to a good tolerance. This is the next step. Get all the traffic reports going to a central NOC.

NIST have been writing fairly decent and comprehensive publications that deal with Firewall, email, WAP and assesment of security position. And surprisingly the Public it seems has been regularly asked to comment based what is occuring everyday in business IT.

Currently with the release of the ASSET evaluation tool Fed agencies and departments no longer have the rug to sweep year's of poor planning and practice under.

I'd fully expect that in a few years, use of this Federal NOC and its services of cross site and network attack detection ability could be put into a FIPS standard of some sort. Those that deal with GOV will have to deal with GOVs rules.

If I was a federal law enforcement agency it would be an easy sell.

Sharing GOV net traffic information parallels the concept of sharing "most wanted" lists, prison rolls, evidence research, cold leads and what not.

I just wish the US Gov would also do the same for spammers for theft of services!

Its not a surprise that nearly 100% of all Federal buildings and critical facilites have a small number of meatspace entry points which are screened and watched, why should we expect different for Internet, Extranet and Intranet spaces.

I foresee the American Internet much like American Banks in the 1930's. We are past the "glory" bandits like Bonny and Clyde stage and are just getting weary of the wanna be criminals.

It was about that time the FBI was established to chase after cross juristiction criminals. The Bureau with many other institutions like Insurance companies insisted Banks put in physical measures, guards, bars, silent and audible alarms, robbery training for staff, proof of executing government regulations, etc.

I predict in 8 years Insurance industry will up your premiums for not having a syslog server, Not having a written and practiced fair use policy with employees, not having firewalls between vital resources and untrusted segments of your business. Heaven help come audit time!

My friends computers are rock, metal, plastic and air -- not majik. Get over it.

Reading any of the NIST program documents and having any experience with business consolidation helps in what to forecast next.

My bet is the US Gov to institute internal national EDI networks based on XML exchanges to negotiate terms of service and usage of resources. Quasi-Privatized EDI would preclude any undesireables and non-participant networks.

My 2c

No, It has been redefined min 1983 to make the speed of light the value mentioned by ColaMan, see here.

www.ntp.org the official NTP site. Links to code, hardware, documentation, you name it.

Also check out NIST's list of Manufacturers of Time and Frequency Receivers.

www.ntp.org the official NTP site. Links to code, hardware, documentation, you name it.

Also check out NIST's list of Manufacturers of Time and Frequency Receivers.