Domain: ox.ac.uk
Stories and comments across the archive that link to ox.ac.uk.
Stories · 53
-
No Link Between Violent Video Games and Increased Aggression in Teens, Study Finds (gamesindustry.biz)
A new study from the Oxford Internet Institute claims to have found no link between time spent playing violent video games and increased aggressive behavior among teenagers. From a report: Published in Royal Society Open Science, the study is "one of the most definitive to date" according to the University of Oxford. While many studies have previously made similar and contrary claims, lead researcher professor Andrew Przybylski said the "idea that violent video games drive real-world aggression is a popular one, but it hasn't tested very well over time". According to the university, this study is set apart from previous work by preregistration, where researchers publish their hypothesis, methods and analysis technique before beginning research.
"Part of the problem in technology research is that there are many ways to analyze the same data, which will produce different results," said Przybylski. "A cherry-picked result can add undue weight to the moral panic surrounding video games. The registered study approach is a safeguard against this." This was supported by co-author Dr Netta Weinstein from Cardiff University who said: "Our findings suggest that researcher biases might have influenced previous studies on this topic, and have distorted our understanding of the effects of video games." -
Social Media Manipulation Rising Globally, New Oxford Report Warns (phys.org)
A new report from Oxford University found that manipulation of public opinion over social media platforms is growing at a large scale, despite efforts to combat it. "Around the world, government agencies and political parties are exploiting social media platforms to spread junk news and disinformation, exercise censorship and control, and undermine trust in media, public institutions and science," reports Phys.Org. From the report: "The number of countries where formally organized social media manipulation occurs has greatly increased, from 28 to 48 countries globally," says Samantha Bradshaw, co-author of the report. "The majority of growth comes from political parties who spread disinformation and junk news around election periods. There are more political parties learning from the strategies deployed during Brexit and the U.S. 2016 Presidential election: more campaigns are using bots, junk news, and disinformation to polarize and manipulate voters."
This is despite efforts by governments in many democracies introducing new legislation designed to combat fake news on the internet. "The problem with this is that these 'task forces' to combat fake news are being used as a new tool to legitimize censorship in authoritarian regimes," says Professor Phil Howard, co-author and lead researcher on the OII's Computational Propaganda project. "At best, these types of task forces are creating counter-narratives and building tools for citizen awareness and fact-checking." Another challenge is the evolution of the mediums individuals use to share news and information. "There is evidence that disinformation campaigns are moving on to chat applications and alternative platforms," says Bradshaw. "This is becoming increasingly common in the Global South, where large public groups on chat applications are more popular." -
Fake News Sharing In US Is a Rightwing Thing, Says Oxford Study (theguardian.com)
An anonymous reader quotes a report from The Guardian: Low-quality, extremist, sensationalist and conspiratorial news published in the U.S. was overwhelmingly consumed and shared by rightwing social network users, according to a new study from the University of Oxford. The study, from the university's "computational propaganda project", looked at the most significant sources of "junk news" shared in the three months leading up to Donald Trump's first State of the Union address this January, and tried to find out who was sharing them and why. "On Twitter, a network of Trump supporters consumes the largest volume of junk news, and junk news is the largest proportion of news links they share," the researchers concluded. On Facebook, the skew was even greater. There, "extreme hard right pages -- distinct from Republican pages -- share more junk news than all the other audiences put together." The research involved monitoring a core group of around 13,500 politically-active U.S. Twitter users, and a separate group of 48,000 public Facebook pages, to find the external websites that they were sharing. -
New Research Explodes Myths About Ada Lovelace (ox.ac.uk)
Two mathematics historians investigated the Lovelace-Byron family archives (which are available online) to confirm the early mathematical prowess of Ada Lovelace for two scholarly journals. Slashdot reader bugs2squash shares a post from the Oxford Mathematical Institute: The work challenges widespread claims that Lovelace's mathematical abilities were more "poetical" than practical, or indeed that her knowledge was so limited that Babbage himself was likely to have been the author of the paper that bears her name. The authors pinpoint Lovelace's keen eye for detail, fascination with big questions, and flair for deep insights, which enabled her to challenge some deep assumptions in her teacher's work. They suggest that her ambition, in time, to do significant mathematical research was entirely credible, though sadly curtailed by her ill-health and early death.
Ada Lovelace died in London at age 36. -
1 in 3 Developers Fear AI Will Replace Them (computerworld.com)
dcblogs writes: Evans Data Corp., in a survey of 550 software developers, asked them about the most worrisome thing in their careers. A plurality, 29%, chose this answer: "I and my development efforts are replaced by artificial intelligence." Surprisingly, this concern about A.I. topped the second-most identified worry, which was that the platform the developer is working on will become obsolete (23%), or doesn't catch on (14%). Concerns about A.I. replacing software developers have academic support. A study by Oxford University, The Future of Employment, warned that the work of software engineers may soon become computerized. Machine learning advances allow design choices that can be optimized by algorithms. According to Janel Garvin, CEO of Evans Data, the thought of obsolescence due to A.I., "was also more threatening than becoming old without a pension, being stifled at work by bad management, or by seeing their skills and tools become irrelevant." -
'Hybrid' Logic Gate For Quantum Computers Demonstrated (ox.ac.uk)
hypnosec writes: Researchers at Oxford University have demonstrated a 'hybrid' logic gate using two isotopes of calcium, the abundant isotope calcium-40 and the rare isotope calcium-43. One of the leading technologies for building a quantum computer is trapped atomic ions, and researchers at Oxford's Networked Quantum Information Technologies (NQIT – pronounced 'N-kit') Hub are working to develop the constituent elements of a quantum computer based on these ions. As explained by researchers in the study published in the journal Nature, each of the trapped ions is used to represent one 'quantum bit' of information. The quantum states of the ions are controlled with laser pulses of precise frequency and duration. Two different species of ion are needed in the computer: one to store information, a 'memory qubit', and one to link different parts of the computer together via photons, an 'interface qubit'. -
Engineers Nine Times More Likely Than Expected To Become Terrorists (washingtonpost.com)
HughPickens.com writes: Henry Farrel writes in the Washington Post that there's a group of people who appear to be somewhat prone to violent extremism: Engineers. They are nine times more likely to be terrorists than you would expect by chance. In a forthcoming book, Engineers of Jihad, published by Princeton University Press, Diego Gambetta and Steffen Hertog provide a new theory explaining why engineers seem unusually prone to become involved in terrorist organizations. They say it's caused by the way engineers think about the world. Survey data indicates engineering faculty at universities are far more likely to be conservative than people with other degrees, and far more likely to be religious. They are seven times as likely to be both religious and conservative as social scientists. Gambetta and Hertog speculate that engineers combine these political predilections with a marked preference towards finding clearcut answers.
Gambetta and Hertog suggest that this mindset combines with frustrated expectations in many Middle Eastern and North African countries (PDF), and among many migrant populations, where people with engineering backgrounds have difficulty in realizing their ambitions for good and socially valued jobs. This explains why there are relatively few radical Islamists with engineering backgrounds in Saudi Arabia (where they can easily find good employment) and why engineers were more prone to become left-wing radicals in Turkey and Iran.
Some people might argue that terrorist groups want to recruit engineers because engineers have valuable technical skills that might be helpful, such as in making bombs. This seems plausible – but it doesn't seem to be true. Terrorist organizations don't seem to recruit people because of their technical skills, but because they seem trustworthy and they don't actually need many people with engineering skills. "Bomb-making and the technical stuff that is done in most groups is performed by very few people (PDF), so you don't need, if you have a large group, 40 or 50 percent engineers," says Hertog. "You just need a few guys to put together the bombs. So the scale of the overrepresentation, especially in the larger groups is not easily explained." -
Evolution Can Occur Much Faster Than Previously Thought (ox.ac.uk)
An anonymous reader writes: An Oxford study on chickens discovered that evolution can make significant changes to a genome in as little as 15 years. "For a long time scientists have believed that the rate of change in the mitochondrial genome was never faster than about 2% per million years. The identification of these mutations shows that the rate of evolution in this pedigree is in fact 15 times faster." Professor Greger Larson, senior author on the study, said, "Our observations reveal that evolution is always moving quickly but we tend not to see it because we typically measure it over longer time periods." -
Microsoft Researchers Generate 3D Models From Ordinary Smartphones
New submitter subh_arya writes: Engineers from Microsoft Research have unveiled the first technology to perform 3D surface reconstruction from ordinary smartphone cameras. Their computational framework creates a connected 3D surface model by continuously registering RGB input to an incrementally built 3D model. Although the reconstruction results look promising, Microsoft does not plan to release an app anytime soon. -
Computer Chess Created In 487 Bytes, Breaks 32-Year-Old Record
An anonymous reader writes: The record for smallest computer implementation of chess on any platform was held by 1K ZX Chess, which saw a release back in 1983 for the Sinclair ZX81. It uses just 672 bytes of memory, and includes most chess rules as well as a computer component to play against. The 32-year-old record has been beaten this week by the demoscene group Red Sector Inc. They have implemented a fully-playable version of chess called BootChess in just 487 bytes (readme file including source code). -
At Oxford, a Battery That's Lasted 175 Years -- So Far
sarahnaomi writes There sits, in the Clarendon Laboratory at Oxford University, a bell that has been ringing, nonstop, for at least 175 years. It's powered by a single battery that was installed in 1840. Researchers would love to know what the battery is made of, but they are afraid that opening the bell would ruin an experiment to see how long it will last. The bell's clapper oscillates back and forth constantly and quickly, meaning the Oxford Electric Bell, as it's called, has rung roughly 10 billion times, according to the university. It's made of what's called a "dry pile," which is one of the first electric batteries. Dry piles were invented by a guy named Giuseppe Zamboni (no relation to the ice resurfacing company) in the early 1800s. They use alternating discs of silver, zinc, sulfur, and other materials to generate low currents of electricity. -
The Royal Society Proposes First Framework For Climate Engineering Experiments
Jason Koebler writes The Royal Society of London, the world's oldest scientific publisher, has unveiled a proposal to create the first serious framework for future geoengineering experiments. It's a sign that what are still considered drastic and risky measures to combat climate change are drifting further into the purview of mainstream science. The scientific body has issued a call to create "an open and transparent review process that ensures such experiments have the necessary social license to operate." -
Mental Illness Reduces Lifespan As Much as Smoking
That smoking is bad for your health is a commonplace; cancer, lung disease, and other possible consequences can all shorten smokers' lifespans. A new meta study from researchers at Oxford concludes that mental illness is just as big a factor in shortening lives, and not only because depression is a contributing factor to suicide. From the story at NPR: "We know that smoking boosts the risk of cancer and heart disease, says Dr. Seena Fazel, a psychiatrist at Oxford University who led the study. But aside from the obvious fact that people with mental illnesses are more likely to commit suicide, it's not clear how mental disorders could be causing early deaths. The researchers looked at data on 1.7 million patients, drawing from 20 recent scientific reviews and studies from mostly wealthy countries. Comparing the effects of mental illness and smoking helps put the stats in context, Fazel tells Shots. 'It was useful to benchmark against something that has a very high mortality rate.'" [Press release from Oxford.] -
Oxford Internet Institute Creates Internet "Tube" Map
First time accepted submitter Jahta (1141213) writes "The Oxford Internet Institute has created a schematic of the world's international fiber-optic links in the style of the famous London Tube map. The schematic also highlights nodes where censorship and surveillance are known to be in operation. The map uses data sourced from cablemap.info. Each node has been assigned to a country, and all nodes located in the same country have been collapsed into a single node. The resulting network has been then abstracted." -
Job Automation and the Minimum Wage Debate
An anonymous reader writes "An article at FiveThirtyEight looks at the likelihood of various occupations being replaced by automation. It mentions President Obama's proposed increase to the federal minimum wage, saying big leaps in automation could reshape that debate. '[The wage increase] from $7.25 to $10.10 per hour could make it worthwhile for employers to adopt emerging technologies to do the work of their low-wage workers. But can a robot really do a janitor's job? Can software fully replace a fast-food worker? Economists have long considered these low-skilled, non-routine jobs as less vulnerable to technological replacement, but until now, quantitative estimates of a job's vulnerability have been missing from the debate.' Many minimum-wage jobs are reportedly at high risk, including restaurant workers, cashiers, and telemarketers. A study rated the probability of computerization within 20 years (PDF): 92% for retail salespeople, 97% for cashiers, and 94% for waitstaff. There are other jobs with a high likelihood, but they employ fewer people and generally have a higher pay rate: tax preparers (99%), freight workers (99%), and legal secretaries (98%)." -
1.5 Million Pages of Ancient Manuscripts Online
New submitter LordWabbit2 sends this quote from an AP report: "The Vatican Library and Oxford University's Bodleian Library have put the first of 1.5 million pages of ancient manuscripts online. The two libraries in 2012 announced a four-year project to digitize some of the most important works of their collections of Hebrew manuscripts, Greek manuscripts and early printed books. Among the first up on the site Tuesday, are the two-volume Gutenberg bibles from each of the libraries and a beautiful 15th-century German bible, hand-colored and illustrated by woodcuts. ... The Vatican Library was founded in 1451 and is one of the most important research libraries in the world. The Bodleian is the largest university library in Britain." -
Oxford Temporarily Blocks Google Docs To Fight Phishing
netbuzz writes "Fed up with phishers using Google Forms to commandeer campus email accounts as spam engines, Oxford University recently blocked access to Google Docs for two-and-a-half hours in what it called an 'extreme action' designed to get the attention of both its users and Google. 'Seeing multiple such incidents the other afternoon tipped things over the edge,' Oxford explains in a blog post. 'We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.' The move generated widespread complaints from those affected, as well as criticism from outside network professionals." -
LHC Gets Android App
An anonymous reader writes "It appears scientists at the Large Hadron Collider have made an app to visualize proton collisions at the largest of the four experiments, ATLAS. 'For the first time you can now grab live collision events from the underground detectors in Geneva, and beam them direct to your own device. As well as a variety of educational resources, the application allows you to interact with the collision events in full 3D graphics. You can also find out how the different parts of the detector work, learn how to identify different types of collision, and even put your new skills to the test by playing the "Hunt the Higgs" game.' It's free to download from the Android Market." -
Bionic Eyeglasses May Boost Impaired Vision
fangmcgee writes with this excerpt from a University of Oxford news release: "Technology developed for mobile phones and computer gaming – such as video cameras, position detectors, face recognition and tracking software, and depth sensors – is now readily and cheaply available. So Oxford researchers have been looking at ways that this technology can be combined into a normal-looking pair of glasses to help those who might have just a small area of vision left, have cloudy or blurry vision, or can't process detailed images. ... The glasses have video cameras mounted at the corners to capture what the wearer is looking at, while a display of tiny lights embedded in the see-through lenses of the glasses feed back extra information about objects, people or obstacles in view. In between, a smartphone-type computer running in your pocket recognizes objects in the video image or tracks where a person is, driving the lights in the display in real time. The extra information the glasses display about their surroundings should allow people to navigate round a room, pick out the most relevant things and locate objects placed nearby." -
Tetris May Reduce PTSD, But Pub Quiz Makes It Worse
Last year we discussed news that researchers from Oxford University discovered playing Tetris after watching a disturbing film reduced the amount of intrusive flashbacks experienced by test subjects. The researchers then wondered if that was true for other games, so they began a new study, the results of which were just published in the journal PLoS ONE. Reader SpuriousLogic points out that while they repeated their earlier finding about Tetris, they also found that subjects who played trivia game Pub Quiz instead reported more flashbacks. "Research tells us that there is a period of up to six hours after the trauma in which it is possible to interfere with the way that these traumatic memories are formed in the mind. During this time-frame, certain tasks can compete with the same brain channels that are needed to form the memory. This is because there are limits to our abilities in each channel: for example, it is difficult to hold a conversation while doing math problems. The Oxford team reasoned that recognizing the shapes and moving the colored building blocks around in Tetris competes with the images of trauma in the perceptual information channel. Consequently, the images of trauma (the flashbacks) are reduced. The team believe that this is not a simple case of distracting the mind with a computer game, as answering general knowledge questions in the Pub Quiz game increased flashbacks. The researchers believe that this verbal based game competes with remembering the contextual meaning of the trauma, so the visual memories in the perceptual channel are reinforced and the flashbacks are increased." -
Next-Gen Augmented Reality Rears Its Unreal Head
andylim writes "Separate teams at Oxford university and Zentium, a South Korean company, are working on next-gen augmented reality solutions, which make it possible to fuse real and 3D computer-generated visuals on the fly using mobile phones. The team at Oxford university has named its solution Parallel Tracking and Mapping (PTAM) and it has licensed its technology to QderoPateo LLC, which has ambitious plans to grow the mobile augmented reality market and create an augmented reality search and gaming engine running for its 'Ouidoo' smart phone. Zentium's solution is called D-Track and is being used to develop the first markerless mobile augmented reality pet, called iKat. D-Track's mapping technology is very similar to PTAM and allows your phone to recognise the space in front of the camera and create an appropriate space for an augmented reality object or pet." -
Emulated PC Enables Linux Desktop In Your Browser
Ianopolous writes "Classic DOOM and DSL Linux Desktop inside your Java-enabled browser! The latest JPC, the fast 100% Java x86 PC emulator, is now available with online demos and downloads. JPC is open source and is the most secure way of running x86 software ever — 2 layers (applet sandbox, JPC sandbox) of independently validated security make it the world's most secure means of isolating x86 software. Visit the website to try out some classic games and play around with Linux all within your web browser. Refresh = reboot!" -
Lessig For Congress?
luge writes "With the unfortunate passing of Congressman Tom Lantos, parts of Silicon Valley and San Francisco will be holding a special election in June to send a replacement to Congress. Given the area, it would be great to have someone who is both tech- and policy-aware fill the seat — and it looks like that just might happen. Lawrence Lessig has apparently bought 'change-congress.com.' A 'Draft Lessig' group is forming on Facebook, featuring some of Lessig's old co-workers at Harvard and Jimmy Wales, among others. No word from Lessig himself yet, but he's been increasingly vocal about politics of late. If it happens, it would be a huge step forward for the representation of technology in Washington." -
Engineers Have a Terrorist Mindset?
An anonymous reader writes "Do engineers have a way of looking at the world not all that different from terrorists? According to an article in the EE Times, they do. The story cites 'Engineers of Jihad,' a paper (pdf download) by two Oxford University sociologists, who found that graduates in science, engineering, and medicine are strongly overrepresented among Islamist movements. The paper also found that engineers are 'over-represented' among graduates who gravitate to violent groups. Authors Diego Gambetta and Steffen Hertog chalk this all up to what they call the 'engineering mindset,' which they define as 'a mindset that inclines them to take more extreme conservative and religious positions.' Is this just pop psychology masquerading as science?" -
Java-Based x86 Emulator
jaavaaguru writes "Researchers at Oxford University have produced a Java-based x86 emulator that they hope will be useful in testing applications and learning about viruses without damaging the host, utilizing the robust sandboxing that Java provides. They have an online demo available that boots DOS and has some games to play. Being purely Java, this emulator should be able to run on almost anything, including cell phones." The code is not yet available outside the Oxford community; the developers are said to be working on a suitable general license. In the meantime the code can be licensed on a case-by-case basis. -
KDE 3.3.2 Released
MROD writes "The KDE Project has announced the release of KDE 3.3.2 with what looks like lots of fixes for the HTML engine and kmail. So, it looks like the Sun SPARC machines at work will be chewing on the source for the next week or so to get a running version." -
Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police." -
Mass Grid Computing Around the Corner?
zoglmannk asks: "I've become interested in grid computing. A lot has happened since the last time that I looked at it several years ago during the SETI@home heyday. Now several publicly supported grid applications are coming to fruition: climate modeling, cancer research, protein folding, smallpox therapies, fighting bioterrorism, Mersenne prime search, evolution, SETI, and others. All of these have public interest to make a better world. Is mass adoption of public interest grid computing just around the corner? Is there really a need for a majority of those spare CPU cycles? Or is there more computing power than can reasonably be used for the types of problems that can be distributed to home and educational PCs? What is needed to bring grid computing to the masses? More education, advertisement, prizes, reimbursement?" -
Now We Have the Internet, But Why Do We Need It?
ReLik writes "BBC News is reporting on a survey carried out on the statistics of internet users in the UK. 'While the battle for digital access is being won, we now face a struggle to convince everyone the net is worth using,' said Professor Richard Rose, of the Oxford Internet Institute. It begs the question why governments around the world are encouraging everyone to use the internet, but is there really enough of a reason for everybody to need to? Is the internet suitable for everybody? Will it ever be?" -
Distributed Computing and Climate Change
GraWil writes "The BBC are reporting the launch of climateprediction.net. The aim of the project is to investigate the approximations that have to be made in state-of-the-art climate models which frequently give rise to inconclusive predictions. More info on the current state of climate modeling is given by the latest Intergovernmental Panel on Climate Change (IPCC) report which highlights the need to quantify uncertainties of climate projections. So now, in addition to finding ET or curing cancer, your PC can now contribute to our understanding of climate change." -
Microsoft Applies For .NET Patent
Wojina writes "Microsoft has applied for a comprehensive patent on what appears to be the entire implementation of the .NET CLR (Common Language Runtime) and the framework APIs. Microsoft's CLR is an implementation of the CLI (submitted to ECMA for standardization). Does this bode ill for the Mono project? See the CNET News story." And a chaser: Nept points to this interesting Microsoft-funded .NET obfuscation project. -
Hilary Rosen Defeated at Oxford Union
yogi writes "Oxford University Students' Union had a debate last Thursday, titled This House believes that 'the free music mentality is a threat to the future of music.' Ordinarily, not too exciting, but since it is the Oxford Union, they get Hilary Rosen to speak. She lost the debate, and had to have pictures like this taken. Read the writeup at NTK, or a more detailed one here. I especially like the bit where she asked all the file downloaders whether it made them buy more music." -
The Myth of Open Source Security Revisited v2.0
Dare Obasanjo contributed this followup to an article entitled The Myth of Open Source Security Revisited that appeared on the website kuro5hin. He writes: "The original article tackled the common misconception amongst users of Open Source Software (OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of the discovery of security vulnerabilities." Read on below for his detailed analysis, especially relevant with the currency of security initiatives in the worlds of both open- and closed-source software.
The Myth of Open Source Security Revisited v2.0
The purpose of this article is to expose the fallacy of the belief in the "inherent security" of Open Source software and instead point to a truer means of ensuring that the security of a piece of software is high.
Apples, Oranges, Penguins and Daemons
When performing experiments to confirm a hypothesis on the effect of a particular variable on an event or observable occurrence, it is common practice to utilize control groups. In an attempt to establish cause and effect in such experiments, one tries to hold all variables that may affect the outcome constant except for the variable that the experiment is interested in. Comparisons of the security of software created by Open Source processes and software produced in a proprietary manner have typically involved several variables besides development methodology.
A number of articles have been written that compare the security of Open Source development to proprietary development by comparing security vulnerabilities in Microsoft products to those in Open Source products. Noted Open Source pundit Eric Raymond wrote an article on NewsForge where he compares Microsoft Windows and IIS to Linux, BSD and Apache. In the article, Eric Raymond states that Open Source development implies that "security holes will be infrequent, the compromises they cause will be relatively minor, and fixes will be rapidly developed and deployed." However, upon investigation it is disputable that Linux distributions have less frequent or more minor security vulnerabilities when compared to recent versions of Windows. In fact the belief in the inherent security of Open Source software over proprietary software seems to be the product of a single comparison, Apache versus Microsoft IIS.
There are a number of variables involved when one compares the security of software such as Microsoft Windows operating systems to Open Source UNIX-like operating systems including the disparity in their market share, the requirements and dispensations of their user base, and the differences in system design. To better compare the impact of source code licensing on the security of the software, it is wise to reduce the number of variables that will skew the conclusion. To this effect it is best to compare software with similar system design and user base than comparing software applications that are significantly distinct. The following section analyzes the frequency of the discovery of security vulnerabilities in UNIX-like operating systems including HP-UX, FreeBSD, RedHat Linux, OpenBSD, Solaris, Mandrake Linux, AIX and Debian GNU/Linux.
Security Vulnerability Face-Off
Below is a listing of UNIX and UNIX-like operating systems with the number of security vulnerabilities that were discovered in them in 2001 according to the Security Focus Vulnerability Archive.
- AIX: 10 vulnerabilities [6 remote, 3 local, 1 both]
- Debian GNU/Linux: 13 vulnerabilities [1 remote, 12 local] + 1 Linux kernel vulnerability [1 local]
- FreeBSD: 24 vulnerabilities [12 remote, 9 local, 3 both]
- HP-UX: 25 vulnerabilities [12 remote, 12 local, 1 both]
- Mandrake Linux: 17 vulnerabilities [5 remote, 12 local] + 12 Linux kernel vulnerabilities [5 remote, 7 local]
- OpenBSD: 13 vulnerabilities [7 remote, 5 local, 1 both]
- Red Hat Linux: 28 vulnerabilities [5 remote, 22 local, 1 unknown] + 12 Linux kernel vulnerabilities [6 remote, 6 local]
- Solaris: 38 vulnerabilities [14 remote, 22 local, 2 both]
From the above listing one can infer that source licensing is not a primary factor in determining how prone to security flaws a software application will be. Specifically, proprietary and Open Source UNIX family operating systems are represented on both the high and low ends of the frequency distribution.
Factors that have been known to influence the security and quality of a software application are practices such as code auditing (peer review), security-minded architecture design, strict software development practices that restrict certain dangerous programming constructs (e.g. using the str* or scanf* family of functions in C) and validation and verification of the design and implementation of the software. Reducing the focus on deadlines, and only shipping when the system is in a satisfactory state, is also important.
Both the Debian and OpenBSD projects exhibit many of the aforementioned characteristics which help explain why they are the Open Source UNIX operating systems with the best security record. Debian's track record is particularly impressive when one realizes that the Debian Potato consists of over 55 million lines of code (compared to RedHat's 30,000,000 lines of code).
The Road To Secure Software
Exploitable security vulnerabilities in a software application are typically evidence of bugs in the design or implementation of the application. Thus the process of writing secure software is an extension of the process behind writing robust, high quality software. Over the years a number of methodologies have been developed to tackle the problem of producing high quality software in a repeatable manner within time and budgetary constraints. The most successful methodologies have typically involved using the following software quality assurance, validation and verification techniques: formal methods, code audits, design reviews, extensive testing and codified best practices.
Formal Methods: One can use formal proofs based on mathematical methods and rigor to verify the correctness of software algorithms. Tools for specifying software using formal techniques exist such as VDM and Z. Z (pronounced 'zed') is a formal specification notation based on set theory and first order predicate logic. VDM stands for "The Vienna Development Method" which consists of a specification language called VDM-SL, rules for data and operation refinement which allow one to establish links between abstract requirements specifications and detailed design specifications down to the level of code, and a proof theory in which rigorous arguments can be conducted about the properties of specified systems and the correctness of design decisions. The previous descriptions were taken from the Z FAQ and the VDM FAQ respectively. A comparison of both specification languages is available in the paper Understanding the differences between VDM and Z by I.J. Hayes et al.
Code Audits: Reviews of source code by developers other than the author of the code are good ways to catch errors that may have been overlooked by the original developer. Source code audits can vary from informal reviews with little structure to formal code inspections or walkthroughs. Informal reviews typically involve the developer sending the reviewers source code or descriptions of the software for feedback on any bugs or design issues. A walkthrough involves the detailed examination of the source code of the software in question by one or more reviewers. An inspection is a formal process where a detailed examination of the source code is directed by reviewers who act in certain roles. A code inspection is directed by a "moderator", the source code is read by a "reader" and issues are documented by a "scribe".
Testing: The purpose of testing is to find failures. Unfortunately, no known software testing method can discover all possible failures that may occur in a faulty application, and metrics to establish such details have not been forthcoming. Thus a correlation between the quality of a software application and the amount of testing it has endured is practically non-existent.
There are various categories of tests including unit, component, system, integration, regression, black-box, and white-box tests. There is some overlap among these testing categories.
Unit testing involves testing small pieces of functionality of the application such as methods, functions or subroutines. In unit testing it is usual for other components that the software unit interacts with to be replaced with stubs or dummy methods. Component tests are similar to unit tests with the exception that dummy and stub methods are replaced with the actual working versions. Integration testing involves testing related components that communicate with each other, while system tests involve testing the entire system after it has been built. System testing is necessary even if extensive unit or component testing has occurred, because it is possible for separate subroutines to work individually but fail when invoked sequentially due to side effects or some error in programmer logic. Regression testing involves the process of ensuring that modifications to a software module, component or system have not introduced errors into the software. A lack of sufficient regression testing is one of the reasons why certain software patches break components that worked prior to installation of the patch.
Black-box testing, also called functional testing or specification testing, tests the behavior of the component or system without requiring knowledge of the internal structure of the software. Black-box testing is typically used to test that software meets its functional requirements. White-box testing, also called structural or clear-box testing, involves tests that utilize knowledge of the internal structure of the software. White-box testing is useful in ensuring that certain statements in the program are exercised and errors discovered. Code coverage tools aid in discovering what percentage of a system is being exercised by the tests.
More information on testing can be found at the comp.software.testing FAQ.
Design Reviews: The architecture of a software application can be reviewed in a formal process called a design review. In design reviews the developers, domain experts and users examine whether the design of the system meets the requirements and that it contains no significant flaws of omission or commission before implementation occurs.
Codified Best Practices: Some programming languages have libraries or language features that are prone to abuse and are thus prohibited in certain disciplined software projects. Functions like strcpy, gets, and scanf in C are examples of library functions that are poorly designed and allow malicious individuals to use buffer overflows or format string attacks to exploit the security vulnerabilities exposed by using these functions. A number of platforms explicitly disallow gets, especially since alternatives exist. Programming guidelines such as those written by Peter Galvin in a Unix Insider article on designing secure software are used by development teams to reduce the likelihood of security vulnerabilities in software applications.
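The bounded alternatives that such guidelines point to, together with the boundary cases that the testing section above says white-box tests should exercise, as an added example written for this page (it is not code from the article or from any project it discusses). The names bounded_copy, copy_fits and read_line are chosen here; bounded_copy follows the strlcpy contract described in the Miller and de Raadt paper the article cites, read_line is a fgets-based stand-in for the disallowed gets, and the input stream is constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bounded copy with the strlcpy contract (Miller and de Raadt): at most
 * size-1 bytes are copied, dst is always NUL-terminated when size > 0, and
 * the return value is strlen(src) so the caller can detect truncation with
 * one comparison. Portable stand-in; prefer the platform's strlcpy where
 * it exists. Contrast with strcpy, which has no bound at all. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t src_len = strlen(src);
    if (size == 0)
        return src_len;                 /* nothing written; caller sees the need */
    size_t n = src_len < size - 1 ? src_len : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Convenience wrapper: 1 if src fit entirely, 0 if it was truncated. */
int copy_fits(char *dst, const char *src, size_t size)
{
    return bounded_copy(dst, src, size) < size;
}

/* Replacement for gets(): reads at most size-1 bytes of the next line,
 * strips the trailing newline, and drains the remainder of an overlong line
 * so the following read starts on a line boundary instead of treating the
 * leftover bytes as a new "line". Returns 1 if the line was read intact,
 * 0 if it was truncated, -1 on EOF with nothing read. */
int read_line(FILE *fp, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline in buf: the line exactly filled it, ended at EOF, or is
     * longer than the buffer. Peek one byte to tell the cases apart. */
    int c = getc(fp);
    if (c == EOF || c == '\n')
        return 1;                       /* nothing was lost */
    while (c != '\n' && c != EOF)       /* discard the rest of the long line */
        c = getc(fp);
    return 0;
}

/* Stand-alone demonstration on constructed input: the boundary cases
 * (fits, exactly fills, overflows, ends at EOF) that white-box tests of
 * these two functions should exercise. */
int main(void)
{
    char buf[8];                        /* deliberately small to force truncation */

    printf("fits:      %d -> \"%s\"\n", copy_fits(buf, "hello", sizeof buf), buf);
    printf("truncated: %d -> \"%s\"\n", copy_fits(buf, "this is too long", sizeof buf), buf);

    FILE *fp = tmpfile();               /* constructed sample stream, not a real file */
    if (fp == NULL)
        return 1;
    fputs("short\n1234567\nthis line is far too long for the buffer\nlast", fp);
    rewind(fp);
    int rc;
    while ((rc = read_line(fp, buf, sizeof buf)) != -1)
        printf("read_line: %d -> \"%s\"\n", rc, buf);
    fclose(fp);
    return 0;
}
```

The return-value conventions are the point: a caller that ignores them gets silent truncation rather than a memory error, and a test that asserts on them is exactly the kind of boundary check the article's testing section describes.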
Issues Preventing Development of Secure Open Source Software
One of the assumptions that is typically made about Open Source software is that the availability of source code translates to "peer review" of the software application. However, the anecdotal experience of a number of Open Source developers including John Viega belies this assumption.
The term "peer review" implies an extensive review of the source code of an application by competent parties. Many Open Source projects do not get peer reviewed for a number of reasons, including:
- complexity of the code, in addition to a lack of documentation, makes it difficult for casual users to understand the code well enough to give a proper review;
- developers making improvements to the application typically focus only on the parts of the application that will affect the feature to be added instead of the whole system;
- ignorance of developers about security concerns;
- complacency in the belief that since the source is available it is being reviewed by others.
Benefits of Open Source to Security-Conscious Users
Despite the fact that source licensing and source code availability are not indicators of the security of a software application, there is still a significant benefit of Open Source to some users concerned about security. Open Source allows experts to audit their software options before making a choice and also in some cases to make improvements without waiting for fixes from the vendor or source code maintainer.
One should note that there are constraints on the feasibility of users auditing the software based on the complexity and size of the code base. For instance, it is unlikely that a user who wants to make a choice of using Linux as a web server for a personal homepage will scrutinize the TCP/IP stack code.
References
- Frankl, Phyllis et al. Choosing a Testing Method to Deliver Reliability. Proceedings of the 19th International Conference on Software Engineering, pp. 68-78, ACM Press, May 1997. <http://citeseer.nj.nec.com/frankl97choosing.html>
- Hamlet, Dick. Software Quality, Software Process, and Software Testing. 1994. <http://citeseer.nj.nec.com/hamlet94software.html>
- Hayes, I.J., C.B. Jones and J.E. Nicholls. Understanding the differences between VDM and Z. Technical Report UMCS-93-8-1, University of Manchester, Computer Science Dept., 1993. <http://citeseer.nj.nec.com/hayes93understanding.html>
- Miller, Todd C. and Theo de Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. Proceedings of the 1999 USENIX Annual Technical Conference, FREENIX Track, June 1999. <http://www.usenix.org/events/usenix99/full_papers/millert/millert_html/>
- Viega, John. The Myth of Open Source Security. Earthweb.com. <http://www.earthweb.com/article/0,,10455_626641,00.html>
- Gonzalez-Barahona, Jesus M. et al. Counting Potatoes: The Size of Debian 2.2. <http://people.debian.org/~jgb/debian-counting/counting-potatoes/>
- Wheeler, David A. More Than A Gigabuck: Estimating GNU/Linux's Size. <http://www.counterpane.com/crypto-gram-0003.html>
Acknowledgements
The following people helped in proofreading this article and/or offering suggestions about content: Jon Beckham, Graham Keith Coleman, Chris Bradfield, and David Dagon. © 2002 Dare Obasanjo -
3rd Chromosome Deciphered
veeoh writes: "Another chapter in the human book of life has been published. Scientists working as part of the Human Genome Project (including some from the Wellcome Trust) have deciphered the complete genetic instructions of a third chromosome, one of the 24 bundles of DNA that carry our genetic material. The BBC has an article about the discovery" -
Slashback: Efficiency,Observation,WEP
Slashback brings you updates and additional notes on recent Slashdot stories. Tonight that means more on computers playing chess, on judges who don't like being monitored in the workplace (too bad!), and on the (less totally spectacular, still bad) cracking of 802-Errr, something. Sargon Deep Fritz playing a person may be more cutting edge (and take a lot more processor power), but it seems like an awful lot of resources to spend on playing chess. Alex Bischoff writes: "From the February 1983 issue of "Your Computer", it's chess in 1 KB (for your brand-new ZX-81)."
But sir, even the judges are objecting! saulgood writes "the NY Times is carrying a further article here, about the revolt amongst some judges over their ability to look at Britney Spears and download Metalica mp3's at work... that's right - Power to the People Baby!!! No justice, No peace..."
Take that -- no, please, take that. Bob Lee writes:
"I authored the open source program Code Red Vigilante. This is an open effort to inform the public about the dangers of the Code Red worms and to specifically notify the owners of infected machines ... Vigilante is featured on Incidents.org, OnJava.com, TheServerSide.com, and it will be on the ScreenSavers on TechTV on next Monday.
Not to put too fine a point on it ... Jeffrey Fanelli of Sniffer Technologies writes: "Just to clarify on your story, that intern didn't crack 802.11x, but WEP in a 802.11b environment. 802.11x is a recently developed standard extension to Radius and 802.11 to allow for dynamic keys to be generated per user session. 802.11x uses the same WEP RC4 encryption, but makes it far more difficult to crack given the fact that all nodes associated with a particular Access Point will have a unique session based KEY (a key which, I might add, the user of the Mobile Unit in question cannot themselves identify).
-
Internet Drug Game Could Save Lives and Money
The war on drugs is expensive, and, like most wars, deadly. But it looks like it isn't going to go away any time soon. With that as a given, why not let those who want to wage war on drugs do it in an online gaming environment? The cost of setting up the servers for "Drug Czar" would be lots less than the cost of all those street arrests, border interdictions, and air intercept missions in Peru and Colombia. And, best of all, no one would get hurt. It could be a wonderful game, with shoot-em-up segments, sim-style strategy, morbid scenes of decayed inner-city neighborhoods, jut-jawed cops and Federal agents, droopy-drawered street drug vendors, and plenty of other colorful characters. Add in politicians, TV preachers, Colombian kingpins, middle-aged parents trying to keep their kids on the straight and narrow plus a bunch of furtive teenage drug experimenters, and you'd have roles in this MUD-variant for everyone who is interested in the drug war -- from either side.
Some players' roles would be predetermined. The U.S. government's drug policy chief would obviously get the Drug Czar role. George W. Bush would play the President. Congressmen, Senators, and agency heads could also mirror their real-life selves. A few taxpayers might whine about these officials getting paid to play games, but isn't the drug war nothing but a silly game anyway? And if it must be played, shouldn't it be played in a virtual environment where keeping a non-violent drug offender in prison doesn't cost taxpayers $20,000 or more per year, and lives aren't ruined or lost?
You can even argue that this game would be the most effective anti-drug policy the government could possibly have. If, indeed, video games have the potential to turn young people into killers, then hollow-faced, chronically sick game avatar junkies constantly searching for a high "by any means necessary" should steer plenty of kids onto the straight and narrow.
There are other drug-dealing games out there, but they don't have the scope, power, and visual ingenuity it will take to wean government drug warriors (not to mention people on the lucrative "dark side" of the fight) away from the non-virtual version. "Drug Czar" needs to be truly overwhelming, a game so vast that only the government can afford to produce it and make it freely available to players all over the world.
How much would all this cost to design and set up? $10 million? $20 million? Even a billion dollars would be a trifle compared to the cost of the offline version. And if it was an Open Source project (I'm sure SourceForge would be happy to host it, especially if the government kicked in a little pocket change to help with server maintenance), I'll bet volunteers from all over the world would help with development.
But remember, the U.S. government is of the people, by the people, and for the people, so this isn't going to happen unless you write your elected representatives to tell them that you understand how much fun they are having with their war on drugs, and that you don't want to take that pleasure away from them but would like them to stop playing it in real life and move it onto the Internet, where it would be less dangerous and more fun than the current version -- and probably at least as effective.
-
Philanthropy Redefined
The world is abuzz - thanks to a huge spew of press releases - about a "philanthropic" effort to "cure cancer". Just download the screen saver, which will cheerfully suck up your spare cycles and get to work eliminating the evil scourge - actually, doing a brute-force chemical interaction model which is one teeny-tiny part of the overall effort to fight cancer. What they forgot to mention was that running the client primarily benefits a for-profit company in Austin, TX which wants to sell your CPU cycles to the highest bidder in exchange for some nice beads. United Devices is running the effort. All you have to do is download their closed-source, restrictive-licensed client program and install it on your PC (you also have to agree to their website license to even download the program, of course). You take all risks of installing the program - if the program deletes every file on your computer, too bad. If it downloads some kiddie porn and emails fbi@fbi.gov confessing to the crime, too bad. And I hope you don't pay for bandwidth by the byte, because their main commercial effort seems to be stress-testing websites for Exodus. You do read those license agreements, don't you?
Here's UD's business model in a nutshell:
"Get people to give us computing power and bandwidth for free and sell it to other people."
A nice gig, if you can get it. UD's primary business is selling computing cycles to corporations. As it turns out, they were having a hard time with the first part of the business model, so they came up with a scheme to get people to install their client: we'll do philanthropic work! And what could be more philanthropic than curing cancer?
Who else can we get on board? How about Intel? They're always willing to sponsor anything that promises to burn a lot of CPU cycles. In fact, they're willing to put up a disgusting website that totally misuses the term "peer-to-peer" to achieve an alliterative buzzphrase.
So, the stage is set. Now, read through the site that UD set up for this effort. Try to find in it any mention of anything other than philanthropy and cancer curing. You won't be able to. Why, you might even start to believe all this client does is work on curing cancer. Now go back to UD's main web site and read through it, noting how your computer will be sold to any corporation willing to pay for it. The task your computer runs is determined by UD, not by you.
Even the cancer research isn't philanthropic in the usual sense. Say that your machine discovers the drug that cures cancer. Who benefits? Well, Oxford University will patent it and sell the rights to produce it at some extortionate price, the name-brand drug will be hideously expensive, and 20 years later when the patent expires, the world will be able to afford cancer cures - shame about all those people that died in the meantime.
That's "philanthropy" in the digital age - agreeing to a restrictive license and running a program which can do anything it wants with your computer system or network including destroying it or committing crimes with it or running up your phone bill, all the while doing free work for a for-profit corporation so that a drug company can get a patent on a life-saving drug and charge outrageous prices to pay back the "research costs".
I think I'll stick with xscreensaver.
-
Tutankhamun's DNA To Be Tested
richard_za writes "Archeologists and doctors from Japan's Waseda University and Nagoya University will join with researchers from Egypt's government and Cairo University to open King Tut's coffin for the first time in 30 years to remove samples of hair, bone or nail. Using these samples, his DNA will be analysed and compared to that of Amenhotep III to test whether he really was Tut's father. The final goal is to map out the lineage of the Kingdom. You can find the full story here." -
DNA Testing Of Deep Ancestry
Randall Burns writes: "Oxford Ancestors, founded by world-famous University of Oxford scientist Bryan Sykes, has announced the public availability of an inexpensive ($US 180) service that will trace matrilineal ancestry using DNA tests. Applications include forensics, genealogy and research of history. Coverage includes a recent BBC story. The currently available test can trace matrilineal ancestry back to one of seven women who lived 150,000 years ago to which 99% of all people of European descent can trace their ancestry." -
Alan Turing's Prediction for the Year 2000
Chernicky writes "In 1950, Alan Turing, the father of computer science and (arguably) artificial intelligence, made a prediction about the year 2000. Turing said that in about fifty years, the answers of a computer would be indistinguishable from those of human beings, when asked questions by a human interrogator. With the year 2000 upon us, Dartmouth College is offering a $100,000 prize to the first programmer that can pass the Turing Test. The deadline for submissions is October 30, 1999." -
AbiWord 0.7 release
thomasd writes "AbiSource have just released development version 0.7 of their GPLed wordprocessor, which runs on Unix, Windows, and BeOS. There's still a fair bit missing, but it's now quite usable for producing simple documents, and it's starting to look very polished. For the lazy, there are now binary packages as well as source code." -
Hotmail Bug Clogging up the Net
Matthew Kirkwood writes "This amused me. Apparently something at Hotmail has broken and started sending out multiple copies of many messages. " -
Slashdot Nominated for Cool Site of the Year
Matthew Kirkwood wrote in to tell me that Slashdot has been nominated for Cool Site of the Year in the 'Zine category. This is from the original, often imitated Cool Site of the Day. "It's just flattering to be nominated yada yada yada". The winner will be determined by a poll on the page. -
GNOME and Inprise on Techweb
Paul Martin writes "I imagine lots of people will submit this story about GNOME (and a little KDE): I think it's worth including for two other reasons, though: Firstly, a new type of FUD ("Linux is just a server OS"); secondly, the apparently random mention of Inprise/Borland at the end. Do techweb know something we don't? " -
Tuesday Quickies
Matthew Tebbens wrote in to tell us that he's revamped LinuxApps.com. Pretty cool. Ben Hutchings wrote in to say that supposedly RH5 has been ported unofficially to the Amiga? Any word on this? Dave Whitinger (of Threepoint fame) wrote in to warn us about his Low Bandwidth News List. 1 message/day like 0xdeadbeef. Christopher Gutteridge sent us the nuttiest thing I've seen in some time: The Visible Mars Bar Project is one of the coolest pages I've seen in a while. Nate and I were gonna do a Banana a while back, but just never got around to it. Definitely worth a gander if you're familiar with the Visible Human Project. Seth Vidal wrote in to tell us about netwinder.org, Corel's new site dedicated to Corel's Uber Geeky Linux NC. -
Late Night Quickies
It's late. Watchin' MST. Cursing slow 21.6 connection. Sharing good stuff: Trae wrote in to tell us that this weeks Guest Tiler is Mandrake. Ben Hutchings wrote in with a link to Official Word on the Amiga/Linux stuff. Jambi wrote in to seek help in his network analysis work. Brandon Beattie wrote in to see if anyone out there is interested in assisting in developing a Linux game. Interested folks should email. Brian Keifer sent us a link to an article talking about Atomic Microscope Technology which could allow amazing amounts of fast data storage.