Domain: umich.edu
Stories and comments across the archive that link to umich.edu.
Stories · 204
-
RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp." -
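A detection pass over connection logs for the pattern the Internet Storm Center describes, written here as an added example (it is not ISC's or the submitter's code). The flow records, the 60-second window and the field layout are constructed assumptions; the chain itself (TCP/135 exploit, TCP/4444 shell, TFTP fetch by the victim) is what the post states:

```python
"""Flag the RPC DCOM worm propagation chain: an attacker connects to TCP/135
(the exploit), then to TCP/4444 (the shell the exploit spawns), after which
the victim fetches the worm over TFTP (UDP/69).  Added example; the flow
records below are constructed for illustration, not captured traffic."""

WINDOW = 60  # assumed: all three stages must fall within this many seconds

# Constructed flow records: (time_s, proto, src, sport, dst, dport)
FLOWS = [
    (100, "tcp", "10.0.0.5",  3401, "10.0.0.20", 135),   # exploit delivery
    (101, "tcp", "10.0.0.5",  3402, "10.0.0.20", 4444),  # attacker uses the spawned shell
    (103, "udp", "10.0.0.20", 1040, "10.0.0.5",  69),    # victim pulls the worm via tftp
    (200, "tcp", "10.0.0.7",  2000, "10.0.0.21", 135),   # lone RPC connection: not flagged
    (300, "tcp", "10.0.0.9",  5000, "10.0.0.22", 4444),  # 4444 with no preceding 135: not flagged
    (400, "tcp", "10.0.0.8",  6000, "10.0.0.23", 135),
    (402, "tcp", "10.0.0.8",  6001, "10.0.0.23", 4444),  # shell opened, no tftp seen (yet)
]


def find_infections(flows, window=WINDOW):
    """Return one record per 135 -> 4444 chain, noting whether the tftp stage followed.

    Each record names the attacker, the victim, the exploit time, the stage
    reached ("shell_opened" or "worm_downloaded") and the tftp server used.
    """
    flows = sorted(flows)
    hits = []
    for t0, proto, src, _sport, dst, dport in flows:
        if not (proto == "tcp" and dport == 135):
            continue
        # everything that happened in the window after the RPC connection
        later = [f for f in flows if t0 <= f[0] <= t0 + window]
        # same attacker reaching the same victim on the shell port
        shell = [f for f in later
                 if f[1] == "tcp" and f[2] == src and f[4] == dst and f[5] == 4444]
        if not shell:
            continue
        t_shell = shell[0][0]
        # the victim itself becoming a tftp client after the shell was used
        tftp = [f for f in later
                if f[1] == "udp" and f[2] == dst and f[5] == 69 and f[0] >= t_shell]
        hits.append({
            "attacker": src,
            "victim": dst,
            "t_exploit": t0,
            "stage": "worm_downloaded" if tftp else "shell_opened",
            "tftp_server": tftp[0][4] if tftp else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_infections(FLOWS):
        print(hit)
```

Flagging on the 135-then-4444 pair alone catches hosts where the exploit succeeded but the download has not happened yet; the TFTP stage is what confirms the worm was actually retrieved, so both are reported separately.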
Online Scientific Information Portals?
Knacklappen asks: "On August 5th, vascoda, Germany's new central access point for comprehensive scientific information, goes online. It will incorporate 23 virtual libraries and 4 scientific information networks, and offer this information for free. For the paying customer, there will also be access to electronic journals. What freely accessible scientific information portals do you use? I usually turn to the following when searching for articles: arxiv.org, AVEL, CiteSeer, dissonline.de, DOE Information Bridge, DSpace, ETD, NDLTD, OAIster, OPUS, TheO. Are there any others that you can recommend?" -
Introduction to Parallel Computing
taped2thedesk writes "The University of Michigan Center for Advanced Computing recently conducted an introductory workshop on parallel (cluster and grid) computing systems. They posted all of the presentations and notes from their workshop online. I attended the workshop and found it very informative - code examples are in C and Fortran, but programmers of any language can understand the concepts they present." (Note: requires a program that can display PowerPoint slides.) -
Virtual Machines for Security
k-hell writes "Researchers from the University of Michigan are using virtual machines 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code." -
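The BackTracker idea in miniature, as an added example rather than the researchers' code: OS-level events (fork, exec, file read/write, socket receive) are turned into "X affected Y at time t" edges, and the graph is walked backwards from a detection point, following only events that happened before the object in question was itself affected. The event log, process names, PIDs and addresses are constructed and mirror the httpd honeypot scenario the post mentions; the dependency rules are the usual ones but are an assumption here, not a transcription of the paper:

```python
"""Backtrack from a detection point through a log of OS events to the
objects that could causally have led to it.  Added example; the event log
is constructed, not recorded from a real honeypot."""
from collections import defaultdict

# Constructed event log: (time, kind, process, other_object)
#   fork:  process created other_object (a child process)
#   write: process wrote other_object (a file)
#   read:  process read other_object (a file)
#   exec:  process executed other_object (a file)
#   recv:  process received data from other_object (a socket)
EVENTS = [
    (1,  "fork",  "init:1",     "sshd:200"),
    (2,  "fork",  "init:1",     "httpd:300"),
    (3,  "fork",  "init:1",     "cron:400"),
    (10, "recv",  "httpd:300",  "socket:203.0.113.9:40000"),  # attacker's request
    (11, "fork",  "httpd:300",  "sh:301"),                     # httpd spawns a shell
    (12, "exec",  "sh:301",     "/bin/sh"),
    (13, "fork",  "sh:301",     "wget:302"),
    (14, "recv",  "wget:302",   "socket:203.0.113.9:80"),      # second-stage download
    (15, "write", "wget:302",   "/tmp/x"),
    (16, "fork",  "sh:301",     "x:303"),
    (17, "exec",  "x:303",      "/tmp/x"),
    (18, "write", "x:303",      "/bin/ls"),                    # detection point: ls trojaned
    (20, "write", "cron:400",   "/var/log/cron"),              # unrelated activity
    (25, "write", "admin_cp:500", "/bin/ls"),                  # restore after detection: too late to matter
]

# Which direction the causal edge runs for each event kind.
PROCESS_AFFECTS_OBJECT = {"fork", "write"}
OBJECT_AFFECTS_PROCESS = {"read", "exec", "recv"}


def build_graph(events):
    """incoming[obj] -> list of (t, src) meaning 'src affected obj at time t'."""
    incoming = defaultdict(list)
    for t, kind, proc, obj in events:
        if kind in PROCESS_AFFECTS_OBJECT:
            incoming[obj].append((t, proc))
        elif kind in OBJECT_AFFECTS_PROCESS:
            incoming[proc].append((t, obj))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return incoming


def backtrack(events, detection_obj, detection_time):
    """Return the set of (src, dst, t) edges that could have contributed to
    detection_obj's state as of detection_time.

    An edge into an object is followed only if it predates the moment that
    object went on to affect something on the path; that time threshold is
    what keeps later, unrelated activity (cron, the admin's restore) out.
    """
    incoming = build_graph(events)
    explored = {}  # obj -> largest threshold already expanded
    edges = set()
    work = [(detection_obj, detection_time)]
    while work:
        obj, threshold = work.pop()
        if explored.get(obj, -1) >= threshold:
            continue  # a wider window for this object was already expanded
        explored[obj] = threshold
        for t, src in incoming[obj]:
            if t <= threshold:
                edges.add((src, obj, t))
                work.append((src, t))
    return edges


def causal_objects(events, detection_obj, detection_time):
    """Every object on some path into the detection point."""
    nodes = set()
    for src, dst, _t in backtrack(events, detection_obj, detection_time):
        nodes.update((src, dst))
    return nodes


def entry_points(events, detection_obj, detection_time):
    """Sockets in the causal set: where the intrusion came in from."""
    return {n for n in causal_objects(events, detection_obj, detection_time)
            if n.startswith("socket:")}


if __name__ == "__main__":
    for src, dst, t in sorted(backtrack(EVENTS, "/bin/ls", 18), key=lambda e: e[2]):
        print(f"t={t:3d}  {src} -> {dst}")
    print("entry points:", entry_points(EVENTS, "/bin/ls", 18))
```

Walking from the trojaned /bin/ls at t=18 reaches x:303, the /tmp/x it was exec'd from, the wget and shell that produced it, httpd, and finally the attacker's two sockets; cron, sshd and the later write by admin_cp never appear, because nothing on the path depends on them before the threshold.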
The Tiger Security Tool Has Been Resurrected
javifs writes "Do you remember TAMU's security tools? If so you might remember a tool that was developed when COPS, SATAN, and ISS were (back in 1994): Tiger. You might think it was dead, well it's not. Tiger has been resurrected at Savannah and even has a new webpage and logo! (cool, isn't it?) Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge: an audit tool and a host intrusion detection system tool. Free Software intrusion detection is currently going many ways, however, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not mentioning file integrity checkers (many of these: aide, integrit, samhain, tripwire...) and logcheckers (even more of these, check Counterpane's Log Analysis pages). Also, free software Linux/*BSD distributions have a myriad of security tools to do local security checks: Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck... maybe Tiger could substitute them at some point in the future. Do you think Tiger has a place in the toolkit of the security professional? (I might be biased, though, after all I'm the upstream developer for Tiger now :-) ) In any case, have you downloaded and tested the latest release candidate for Tiger version 3.2?" -
Slashback: Folding, Cursing, Exporting
Slashback tonight brings updates and clarifications on the odds of Apple Computer buying Universal Music, the Evil Bit RFC, and more, including Niels Provos' reasons for moving his cryptographic research tools off-shore. The more numerous the laws ... friscolr writes "The Register has an article about security researcher Niels Provos's (creator/collaborator for systrace, honeyd, openssh, various steg tools, and more) struggle to continue his Ph.D. studies amidst an increasingly restrictive set of U.S. and Michigan laws. This isn't the first time a prominent security researcher in Michigan has voiced serious concerns over new laws."
You may remember several earlier stories mentioning Provos' research, such as this article on his honeynet creation tool honeyd.
Apple Records has a certain ring, though, doesn't it? egoff writes "The Apple/Universal Music deal is unlikely, according to the New York Times (reg req), nor would it be a sure hit with investors. However, if the deal did go through, it would be because of Steve Job's vision for the future of digital music. Said one former Apple exec: 'Apple always needs to pull a rabbit out of its hat. Universal is a pretty big rabbit.'"
Swearing in another language doesn't count. Chilliwilli writes with an update to the recent Anger As a Software Design Philosophy: "Anyone that took a look at the foul language feckfeck might be amazed to see that somebody has actually risen to one of the three challenges and written a quine in this more irritating of languages. Congratulations go to 'hoser'."
Upping their meds. Elyjah writes "Steve Bellovin has compiled a short list of emails he got regarding his most recent RFC (3514) which appeared this last April 1st. (I believe you may have seen something on Slashdot about it.) Some people just...don't...get it."
If you go beyond the Enterprise, doesn't that invalidate their theme song? Built enough floppy-disk Enterprises? GaryK writes "With Dell getting rid of 3.5" disk drives, I'm quite sure we'll have to come up with creative uses for the hundreds and hundreds of floppies we have around our offices. This guy should serve as an inspiration to us all."
-
A 1974 Review of D&D
CleverNickName writes "Boing Boing pointed me to this 1974 review of the 'new' Dungeons and Dragons game. Some highlights: D&D was subtitled 'Rules for Fantastic Medieval Wargames Campaigns Playable with Paper and Pencil and Miniature Figures.' The reviewer concludes, 'In general, the concept and imagination involved is stunning. However, much more work, refinement, and especially regulation and simplification is necessary before the game is manageable.'" -
Help Perfect The Cracker Antfarm With honeyd
Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.
Behind door number three ... Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up intentionally tempting target machines as traps, loaded with tools to observe any break-ins. Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects differ in scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.
"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."
The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.
License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."
Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzner) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."
What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzner and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."
What's in it for them? Spitzner, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use." Spitzner has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.
"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."
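A service emulation in the shape honeyd expects (the daemon hands the attacker's byte stream to a service script on stdin and sends back whatever the script writes to stdout), written as an added example rather than one of honeyd's own scripts. It is built around de Haas's rule above: the fake SMTP server accepts and logs whatever is sent, but the input only ever selects a canned reply and is bounded in line length, command count and message size; it is never interpreted, relayed, or handed to a shell. The hostname, banner text, limits and the stderr logging convention are invented for the example:

```python
"""Fake SMTP service for a honeyd-style honeypot.  Added example, not part
of honeyd.  Speaks to the attacker over stdin/stdout, answers from a fixed
verb table, and records a transcript; nothing the peer sends is evaluated."""
import sys

MAX_LINE = 512           # assumed limits: RFC-sized line, modest session
MAX_COMMANDS = 50
MAX_DATA = 64 * 1024
BANNER = "220 mail.example.net ESMTP Sendmail 8.11.6/8.11.6; ready\r\n"  # invented

# Every reply the attacker can elicit is listed here; unknown verbs get a 500.
REPLIES = {
    "HELO": "250 mail.example.net Hello\r\n",
    "EHLO": "250-mail.example.net Hello\r\n250 8BITMIME\r\n",
    "MAIL": "250 2.1.0 Sender ok\r\n",
    "RCPT": "250 2.1.5 Recipient ok\r\n",   # "accepts" relay so spammers reveal intent
    "RSET": "250 2.0.0 Reset state\r\n",
    "NOOP": "250 2.0.0 OK\r\n",
    "VRFY": "252 2.5.2 Cannot VRFY user\r\n",
}


class FakeSmtp:
    def __init__(self, peer="unknown"):
        self.peer = peer
        self.in_data = False
        self.data_bytes = 0
        self.commands = 0
        self.log = []  # (verb, raw line) transcript for later analysis

    def respond(self, raw):
        """Return (reply, session_over) for one input line.

        The line is logged and its first token is looked up in REPLIES;
        the rest of the line is never parsed further, so there is nothing
        for a hostile payload to reach.
        """
        line = raw.rstrip("\r\n")
        if len(line) > MAX_LINE:
            self.log.append(("OVERLONG", line[:MAX_LINE]))
            return "500 Line too long\r\n", True  # realism ends here: drop the session
        if self.in_data:
            self.data_bytes += len(line) + 2
            if line == ".":
                self.in_data = False
                self.log.append(("DATA_END", str(self.data_bytes)))
                return "250 2.0.0 Message accepted for delivery\r\n", False
            if self.data_bytes > MAX_DATA:
                return "552 Message size exceeds fixed limit\r\n", True
            return "", False  # message body is swallowed silently, as a real MTA would
        self.commands += 1
        verb = line.split(" ", 1)[0].upper()
        self.log.append((verb, line))
        if self.commands > MAX_COMMANDS:
            return "421 Too many commands\r\n", True
        if verb == "QUIT":
            return "221 2.0.0 closing connection\r\n", True
        if verb == "DATA":
            self.in_data = True
            self.data_bytes = 0
            return '354 Enter mail, end with "." on a line by itself\r\n', False
        return REPLIES.get(verb, "500 5.5.1 Command unrecognized\r\n"), False


def run_session(lines, peer="unknown"):
    """Drive a FakeSmtp over an iterable of input lines; returns (replies, transcript)."""
    smtp = FakeSmtp(peer)
    out = [BANNER]
    for raw in lines:
        reply, done = smtp.respond(raw)
        if reply:
            out.append(reply)
        if done:
            break
    return out, smtp.log


if __name__ == "__main__":
    # honeyd connects the peer's TCP stream to this script's stdin/stdout.
    sys.stdout.write(BANNER)
    sys.stdout.flush()
    smtp = FakeSmtp()
    for raw in sys.stdin:
        reply, done = smtp.respond(raw)
        if reply:
            sys.stdout.write(reply)
            sys.stdout.flush()
        if done:
            break
    for verb, line in smtp.log:  # transcript to stderr; where it goes is a deployment choice
        sys.stderr.write(f"smtp-honeypot {verb} {line!r}\n")
```

The realism stops deliberately at the points de Haas names: an overlong line or a flood of commands ends the session instead of being tolerated, because a genuine client never sends them and tolerating them is where emulation code tends to grow exploitable.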
I send you this file to ask your advice about breaking in. Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.
While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."
Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."
"Generally the community is very good about this." says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."
Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and another from July 2002; a search on "honeynet" will yield several more. -
Help Perfect The Cracker Antfarm With honeyd
Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.
Behind door number three ... Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up as traps intentionally tempting target machines loaded with tools to observe any break-ins.Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.
"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."
The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.
License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."
Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzer) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."
What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzer and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."
What's in it for them? Spitzer, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use."Spitzer has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.
"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."
I send you this file to ask your advice about breaking in.Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.
While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."
Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."
"Generally the community is very good about this." says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."
Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and other from July 2002; a search on "honeynet" will yield several more. -
Help Perfect The Cracker Antfarm With honeyd
Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.
Behind door number three ... Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up as traps intentionally tempting target machines loaded with tools to observe any break-ins.Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.
"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."
The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.
License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."
Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzer) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."
What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzer and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."
What's in it for them? Spitzer, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use."Spitzer has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.
"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."
I send you this file to ask your advice about breaking in.Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.
While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."
Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."
"Generally the community is very good about this." says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."
Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and other from July 2002; a search on "honeynet" will yield several more. -
Help Perfect The Cracker Antfarm With honeyd
Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.
Behind door number three ... Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up as traps intentionally tempting target machines loaded with tools to observe any break-ins.Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.
"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."
The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.
License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."
Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzer) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."
What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzer and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."
What's in it for them? Spitzer, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use."Spitzer has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.
"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."
I send you this file to ask your advice about breaking in.Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.
While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."
Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."
"Generally the community is very good about this," says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."
Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and another from July 2002; a search on "honeynet" will yield several more. -
Grants and Donations for a Summer Computer Camp?
Camp CAEN asks: "I work for a computer camp at the local university and I was wondering how one goes about getting grants. We currently are funded by attendees but I thought it would be ideal to offer scholarships or assistance to those in need. Students who come to camp are middle school and high school students; we teach programming (C++, Java, DirectX), web technologies (HTML, PHP, MySQL), and other technology related topics (system administration, digital video production). The camp lasts two weeks and it can be quite pricey. I know there are plenty of people who would like to attend but can't afford it. Does anyone know of state (in Michigan) or Federal programs that give out money for technology instruction? Or any companies willing to donate equipment/software/books to our camp? Finally, are there any people in education or social work who have done grant writing before and have any good resources (either online or paper)? Anyone else have good ideas or suggestions? Thanks!" -
More Anime College and University Courses Being Offered
Ninja Master Gara writes "Anime News Network reports New York University is offering new courses on the anime industry and culture. Anime is slowly expanding from University Clubs into mainstream college courses, many of which begin at the 'What is anime?' level. Several Universities and Community Colleges already offer similar courses, or incorporate anime into existing studies." If any school decides to offer a course on the Gundam series, I'd be happy to teach a class. -
Colleges Signing Secret MS License Agreements
David Gerard writes "As seen on Yale LawMeme: Microsoft is requiring colleges wanting cheap licenses to keep their license terms secret (e.g. Ohio State, University of Michigan) ... in direct contravention of state public records and Freedom of Information laws." Many FOI laws have loopholes permitting state agencies not to disclose information when it would harm business interests, so what the colleges and Microsoft are doing may not actually be illegal (or could be argued not to be, anyway), but it certainly is shady. -
Systrace for Mac OS X
Niels Provos writes in that he has added Mac OS X support for Systrace, a sandboxing/application confinement tool that can be used to increase application and service security. It installs a new kernel to support /dev/systrace and the Systrace application, and a Cocoa frontend. -
Prey
cybrpnk2 writes with the review below of Michael Crichton's latest book, Prey, which he says is "classic Crichton." Only your thoughts on Crichton can determine whether that's an endorsement or a warning. Read on for the review. Update: 12/07 15:29 GMT by T : The link I originally placed to the movie Them "is some 1996 made-for-TV junk, not the 1950s classic." The link has been updated.
- Title: Prey
- Author: Michael Crichton
- Pages: 367
- Publisher: Harper Collins
- Rating: Excellent - Among his best
- Reviewer: cybrpnk2
- ISBN: 0066214122
- Summary: The latest sci-fi on nanotechnology from the author of Andromeda Strain and Jurassic Park
Michael Crichton has gone full circle and done it again, effectively updating his original sci-fi novel The Andromeda Strain for the 21st century. In his latest book Prey, he has gone from using gigantic T. Rex dinosaurs as the big bad back down to microscopic agents once more. All the classic Crichton trademarks are here -- the race against time, the super-hi tech, the twists in plot and theme. It's his best and in some ways most original novel since Jurassic Park and just as likely to be made into a smash motion picture now that morphing animation is well established. In fact, several scenes in the book almost seem gratuitously tacked on to ultimately make use of some special video effect rather than advance the plot, but that's a minor criticism. Overall this is a great, fun read that's destined to be a SF classic.
In some ways willing suspension of disbelief has to be applied less to the technology depicted and more to the relationships between our protagonists Jack and Julia. They're the typical Silicon Valley couple, all right, but oh how conveniently their relationship advances the plot. He's the between-jobs programming team manager who's specialized in code that models distributed processing and genetic algorithms. She's the cute PR talking head who is lining up funding for the revolutionary Xymos nanobots.
He's the cool, loving house-dad that takes care of the cute kids. She's the always-working cold bitch who's having an affair -- isn't she? With the tanned surfing god Xymos exec we hiss at as soon as we meet him? Or is this whole plot line perhaps a little too obvious after being set up by page 18? Maybe Crichton has something a little more twisted in mind for the 350 pages that follow ...
Yep, he sure does, and as fast as helicopters can fly we're at the secretive Xymos desert lab in Nevada where nothing is as it seems. Those swirling little dust devils out there on the parking lot security cameras are considerably more menacing than Taz in a Looney Tunes cartoon, but damned if anybody will give Jack a straight answer about just how ... or especially why. Seems the escaped particles that make up the clouds have been programmed with distributed computing algorithms Jack came up with in his last job -- Xymos wants HIM to tell THEM what's going on. Uh, oh -- Jack used the concept of predator / prey stalking dynamics to keep distributed agents focused on a concrete goal.
Jack's subsequent experiences, experiments, thought processes, and realizations lead the reader into a fascinating exploration of the concept of hive mind. In one sense this is a book about prejudice -- people are the most evolved social mammals on Earth, and as such are always misinterpreting the capabilities, actions and behaviors of a swarm that has neither leaders nor followers, only members. As such, Prey is a rare SF book that truly does explore a uniquely alien life form with some very interesting twists. It's also a thought-provoking possible example of Vernor Vinge's technological singularity concept.
It's a good book and it's going to make a great movie. If you just can't wait for the movie, though, no problem. Crichton's three-act structure for Prey follows the well-trod path of a trio of 50s-style sci-fi movie classics: Tremors , Them! , and Invasion of the Body Snatchers . Check 'em out and watch 'em in order after you read Prey for a fun follow-up. To include the tension of Jack and Julia's romantic triangle, watch Casablanca first ... and remember, a kiss is just a kiss, as time goes by.
You can purchase Prey from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Rosen, Valenti Warn Colleges About P2P
fini writes "The RIAA and MPAA just sent a letter to 2,300 colleges or so, asking to crack down on P2P. Juicy nugget: 'Not only is piracy of copyrighted works illegal, it can take up a significant percentage of a university's costly bandwidth.' Also mentioned, some quasi-FUD on security issues. Six higher-ed honchos also sent a concurring letter. From the RIAA website, here's the story and the letters (PDF only). Mentioned as examples of model policies: Drake University, UNC Chapel Hill and University of Michigan . Interestingly enough, there is no threatening 'or else' stuff in those letters. Not yet..." -
OpenSSH Gets Even More Suspicious
If you remotely administer any computers, or need to check your email over an untrusted network, odds are you're already familiar with the wonders of OpenSSH. Markus Friedl yesterday posted a release announcement for the newest version, OpenSSH 3.3. Privilege separation in OpenSSH is now enabled by default, another sign of the entire OpenBSD project's appropriate paranoia. -
Artificial Lung in the Works
StudMuffin writes "The University of Michigan Medical Center announced that an artificial lung that uses tiny hollow fibers and the heart's own pumping power to oxygenate blood is showing promise in pre-clinical studies, and may reach clinical trials in about a year for lung failure patients awaiting a lung transplant." -
A Highly Portable Sandbox Facility For OpenBSD
An Anonymous Coward writes: "A new facility called 'systrace' has been developed by one of the OpenBSD developers. It allows enforcement of system call policies on untrusted binaries. For now it is only available for OpenBSD-current, but the author claims it is highly portable and can easily be integrated into GNU/Linux systems. Eventually binary-only software is going to become more and more common in Linux, so this could be another 'Good Thing(TM)' from the paranoids that brought us OpenSSH." -
OpenSSH-3.2.2 Released
hated writes "OpenSSH-3.2.2 is just released. Among some security fixes associated with Kerberos/AFS token passing, privilege separation has begun to show up, experimentally right now of course. A paper on OpenSSH privilege separation is available. Pop on over to one of the mirror sites and get your brand spanking new version. The portable website doesn't currently list 3.2.2, but the FTP sites do have it." -
Human-Computer Interaction in the New Millenium
Long-time reviewer clampe writes with this piece on Human-Computer Interaction in the New Millenium. This is not a book you're likely to find at the corner bookshop, but if you're serious about keeping track of goings-on in the field of HCI, Cliff argues this one is worth seeking out.
- Title: Human-Computer Interaction in the New Millenium
- Author: John M. Carroll (Editor)
- Pages: 703
- Publisher: Addison-Wesley
- Rating: 9
- Reviewer: Cliff Lampe
- ISBN: 0-201-70447-1
- Summary: Academic HCI lovefest.
Reviewer's Note: Most of the people in the book I'm reviewing could crush me beneath their heels, given I'm a lowly doctoral student in the HCI field. However, it's not a simple question of whether the collection is good or bad, but whether it will be good for the reader in their context. Besides, I can give you good inside information on lots of the authors. Like George Furnas, as cool a cat as you'll meet, gets nervous when he does magic tricks and Paul Resnick picks a mean fiddle. Yep, I got tons of dirt.
The Scenario
Anyone who has taken an HCI class has probably come across a gigantic blue paperback book called Human-Computer Interaction: Toward the Year 2000, which has acted as a de facto text in HCI classes in the past. In 1998, leaders in the HCI field realized that this book would soon be obsolete, and started organizing the players who would contribute to this worthy successor. This book is a collection of 29 articles from the lead researchers in the HCI academic research community, and it attempts to outline the research programs that will dominate the HCI field, if not for the next millennium as advertised, then at least for the next 10 years. The book is divided into seven sections:
- Models, Theories, and Frameworks
- Usability Engineering Methods and Concepts
- User Interface Software and Tools
- Groupware and Cooperative Activity
- Media and Information
- Integrating Computation and Real Environments
- HCI and Society
Each section has 3-5 articles on the section's topic. Examples of the research included:
- Terry Winograd proposes a conceptual framework for the design of interactive spaces, or more basically computing environments built into the architecture of a space and seamlessly integrated with personal context.
- Hollan, Hutchins and Kirsh follow up some of Hutchins work on distributed cognition as an HCI research area, including a call for more ethnographic studies in the area and a better understanding of how people and tools interact.
- Olson and Olson outline the problems of distant work collaboration, and outline situations in which distant work makes more sense than not.
- Terveen and Hill give a great review of work in collaborative filtering, and then outline several approaches to making recommender systems better able to return positive hits.
- Doug Schuler in one article and Paul Resnick in another argue how HCI issues go beyond desktop computing or small groups and can be applied to larger groups, including communities both online and off.
Other topics include situated computing, participatory design, new user interfaces like tangible user interfaces or gesture recognition, cognitive modelling and so on. Some common themes that emerge are the expectation that user interfaces need to go beyond the desktop environment, the application of HCI principles to things other than the individual or small group, the importance of groupware and the development of a unifying theory for the field.
Really, one could write a pretty long review on any of the 29 chapters, since each one does have serious weight, as well as an innovative edge as these investigators attempt to outline directions for the next several years. Some of the articles included here have already struck a chord in this research community and have become widely cited in their draft forms, or from appearances in special journals. Each section of the book typically appeared as a journal article in Human-Computer Interactions, or was specifically solicited by John Carroll.
The Good and the Bad
These are some heavy hitters. The authors list reads like my general prelims, and it takes someone like Carroll to pull together a group like this. Each of the 29 articles stands strong on its own, though one may quibble with claims here and there, yet they still manage to paint a remarkably cohesive picture of the area as a whole. This book contains serious research in a single bound volume that should grace the desk of any person interested in HCI issues. It is simply unarguable that this is going to be the HCI book for the foreseeable future.
The book bears some of the problems of the field, which is that it comes from a specific set of disciplines like cognitive psychology and computer science, so may preclude applicable theories from other disciplines. That is the nature of academic boundary making, and is not the specific fault of the book. Just so you are aware of it.
And speaking of academics, some readers may be turned off by the academic edge of this book. HCI in general has always had a foot in both the university and the corporate sector, as evinced by the list of speakers at this year's ACM-SIGCHI conference, but this book tends towards the academic side. Although specific applications get mentioned here, large parts of the book may be a turn off to people like my brother-in-law who is a sysadmin and definitely not interested in new macrotheory for HCI research. Or shaving.
This book takes commitment. It is not for lily-livered pedants who want something to fill the space until the next Harry Potter book comes out. That's neither good nor bad, just fair warning. Don't expect this to be as eminently accessible as a Don Norman book. Still, like in most things the work is very worthwhile.
So What's In It For Me?
It seems that in every field there is That One Book that people will point you to as the ultimate source to quickly get a sense of what it is all about. This book plays that role for the HCI field. If you are at all interested in the state of HCI research, mostly in the U.S. of course, then this is the book you should get. Even if you are already some tricked out, super-HCI guru, there is likely to be some research in here from outside your specific area that you will get value from.
This is not a book for someone who has to do a usability test for the boss next week and needs to know how to conduct one. Nor will this book tell you how to make your website look really cool. What it will do is give you incredible insight into the history and future of an exceedingly interesting field of endeavor.
Cliff is a doctoral student at the University of Michigan School of Information, studying in their Human-Computer Interaction program. He plans to be a contributing author in the next version of this book. You can purchase the Human-Computer Interaction in the New Millenium from bn.com. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form. -
Separating OpenSSH's Privileges For Safety
Niels Provos writes: "Even though I should be working on my dissertation proposal right now, I got side tracked with a little project. Markus and I have been working on a 'Privilege Separated OpenSSH.' The basic idea is that OpenSSH starts two processes, one privileged and one unprivileged. The unprivileged process deals with all the network data processing, while the privileged process monitors and decides if authentication was successful. This reduces the impact that bugs in for example third party libraries can have on OpenSSH. We hope that any privilege escalation will not be possible any more in the future." This privilege separation should show up in future versions of OpenSSH, including the portable version. -
Slashback: Streamend, Stego, Patches
The first Slashback of 2002 brings you updates on Ogg streaming (listen in while it lasts, and send feedback if you like it!), Qwest and your privacy, holes and patches for products from the MS-AOL-Time Warner Industrial Complex, and even more steganographic images failing to appear.
Getcher hot streams while they last ... jmoffitt writes: "In his post to the Vorbis list, Ciaran announced that the Ogg Vorbis BBC streams of Radio 1 and Radio 4 that we've enjoyed since early November would go offline as the test is ending. Everyone is encouraged to send their encouragement for these streams to continue to webweaver@bbc.co.uk. Also, as a special treat, the Radio 4 Ogg stream has been extended a week - just enough for all to catch the first episode of Lord of the Rings on Saturday at 1430 GMT."
Please mind the people interrupting your privacy. Matt Clauson writes: "Discussion list for the Qwest privacy issue and possible protest action has been set up -- send an email qwest-action-subscribe@dotorg.org to subscribe to it."
Plug, plug, plug ... timekillerj writes "Well it looks like AOL jumped right in and fixed that pesky hole. We can all go back to speculating how insecure it is now. An article on Yahoo has more info, including a short debate on w00w00 disclosing before getting a response from AOL."
Backstepping by any other name ... dagoalieman writes "It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.
Nope, still don't see any. Niels Provos writes: "I just updated http://www.citi.umich.edu/u/provos/stego/usenet.php to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message.
I also released a new version of stegdetect.
The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak performance is comparable to 72 1200 MHz Pentium III machines :-) ...
Below my mail to the cryptography mailing list.
------- Forwarded Message
From: Niels Provos <provos@citi.umich.edu>
To: cryptography@wasabisystems.com
Subject: Stegdetect 0.4 released and results from USENET search available
Date: Fri, 21 Dec 2001 12:16:14 -0500
Sender: provos@citi.umich.edu
I just released Stegdetect 0.4. It contains the following changes:
- Improved detection accuracy for JSteg and JPhide.
- JPEG Header Analysis reduces false positives.
- JPEG Header Analysis provides rudimentary detection of F5.
- Stegbreak uses the file magic utility to improve dictionary attack against OutGuess 0.13b.
You can download the UNIX source code or windows binary from http://www.outguess.org/download.php
- -----
The results from analyzing one million images from the Internet Archive's USENET archive are available at http://www.citi.umich.edu/u/provos/stego/usenet.php.
[...]
After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis.
This page provides details about the analysis of one million images from the Internet Archive's USENET archive.
Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single hidden message. [...]
Comments and feedback are welcome. We have an FAQ at http://www.citi.umich.edu/u/provos/stego/faq.html"
Thanks for the update, Niels! -
Battlefield Lasers
-
Slashback: Highness, Hominess, Hole-ines
Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for.
Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"
Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.
Even though the CRC32 bug has been found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.
In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.
In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.
At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.
A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.
References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/
Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral position) of the fans did not appear to be too weak - EULA's are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.
Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.
The good news is that Infogrames is considering a more timely release of Civilization III in Germany.
The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"
Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that Galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"
-
Slashback: Highness, Hominess, Hole-ines
Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for.Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"
Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.
Even though the CRC32 bug has been found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.
In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.
In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.
At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.
A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.
References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/
Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral postion) of the fans did not appear to be too weak - EULA's are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.
Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.
The good news is that Infogrames is considering a more timely release of Civilization III in Germany.
The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"
Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that Galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"
-
The Real Mission to Mars
"Hard work, no pay, eternal glory." The Mars Society needs volunteers to simulate Mars exploration, so we're better-prepared for the problems the (hopefully) real astronauts will face. If you have a month free next summer and you'd like to spend it freezing your ass off, read on. The Mars Society is looking for "anyone in good physical condition between 18 and 60 years of age... Scientific, engineering, practical mechanical, wilderness, and literary skills are all considered a plus." Only the passionate need apply: "conditions are likely to be tough and the job will be very trying." And that's before the robot switches into hunter-killer mode.
If you prefer roasting to freezing, there's a mission somewhere in the Australian Outback next year as well. Either way, go visit the Mars Society homepage and check it out.
I spoke with a friend of mine, Daniel Slosberg, who coordinated Mission Support for the Michigan Mars Society during two similar, less-audacious experiments this year. His was the easy job of sitting at home, coordinating communications (chiefly email, with simulated 20-minute round-trip delay), answering questions from the field, and giving advice.
Daniel happens to be working on an idea for distributed mission support; if you're interested in being part of the ground crew, drop him a line.
For the team that actually goes into the wilderness and lives in the "hab," you'll be simulating Mars isolation as accurately as possible. You'll be brutally far north, for one thing. You'll wear a mock-spacesuit every time you go outside, which will help identify where the problems are in e.g. mobility or hygiene. You'll also spend an hour in the airlock when you enter or leave, which will help remind you not to forget your hammer.
The excursions get more sophisticated each year: next year will be the first with an already-completed hab and the first with more than one mock-suit. Your chance to be part of history.
In related news, Odyssey continues aerobraking, and its mission looks good -- if you've read Robinson's Red Mars series, you know how delicate orbital insertion is. Great work, JPL.
And just for kicks, here's a New Scientist article about synthesizing fuel from the Martian atmosphere to power a "hopper"-lander. If you find the practical chemistry of planetary travel interesting, go read Robert Zubrin who is just all about using whatever resources already exist outside Earth's gravity well.
-
World Solar Challenge Set To Begin
Mdog writes: "The world championship of solar car racing is about (Nov. 18...ok so I can't wait :) ) to begin Down Under. World Solar Challenge pits high school, university, and corporate teams against each other in a race across Australia's Outback, from Darwin to Adelaide." Mdog supplies some more (ahem) non-partisan information about the race below. "My Alma Mater's team (which took second in the American Solar Challenge...go UMR!) is looking to take sweet revenge on the evil (*g*) that is the U-Michigan Solar Car team (which won ASC.) Some other North American heavyweights will be Queen's University and U-Waterloo from the frigid north. I'll defer to Ozzies to post links to their favoUrite college teams, which, along with the Japanese teams, are often very good. Lastly, watch out for team Solar Motions; out for blood after major technical problems two years ago. Their array is worth...how should I put this...a lot :)
I went two years ago, and this year I'll just be looking forward to this article getting posted on /. *sigh* Good luck and good sun to all the teams. No worries!" -
First Steganographic Image Found In The Wild
Niels Provos writes: "After months of searching for steganographic content on eBay and elsewhere -- downloading millions of images, we were finally able to find an image with a steganographic message hidden in it. Stegdetect and Stegbreak made short process with it. It took less than a second to compute the secret key necessary to extract the hidden message. Two commands at the prompt, and we found the hidden message to be an image of a B-52 scrapyard. Right off Terraserver." -
What's Now State of the Art in Encryption Technology?
With the events of September 11, 2001 still vividly etched into our conscious minds, it was only a matter of time before the US Government would paint the crosshairs on their next target after Bin Laden: encryption. With Ashcroft's declaration of computers as tools of terrorism, and law-enforcement pushing for enhanced surveillance, it appears that one of the first victims of America's new war may be the privacy of her citizens. Of course, if you are concerned about privacy, you're probably wondering how to improve what protections you have in place, if any. So what are the leading-edge innovations on the encryption front right now, and how easily can such tech be adapted to everyday communications? C: In an interesting display of synchronicity, Timothy posted this article, earlier today, which notes that Steganography use isn't as wide-spread as previously thought. Deagol asks: "With the Feds pushing for encryption back-doors, and even more domestic surveillance, how can we resist this? I mean in a practical way, but at the same time taking a stand for our rights to privacy and assembly. What's the current state of the art in hard disk encryption? Email encryption? Steganography? There are many tools out there, as well as many link-farms, (I looked at many today), but many pages seem dated, and it's hard to tell who's using what in a useful implementation. So, who is using PGP or GPG? Who is using BestCrypt or Loopback Encryption, Freenet or Steganography? A privacy weenie wants to know what your daily-use setup is!" One thing about encryption: the easier it is to do, the more people there will be using it. For the non-tech user, encrypting messages on a day-to-day basis should be no more complex than 3 steps.
JPMH asks: "First journalists and now even relatively clued-up politicians in the UK are talking about making it an offence to use strong encryption in email and web-pages. An obvious counter is that this won't work, because the messages can easily be hidden using Steganography (Slashdot Jan 2, May 8). But that assumes that the steganography itself is good enough not to be detected. Is this true? How good is the state of the art?
To be undetectable, the properties of the 'message' bits you are putting in must be statistically indistinguishable from the 'image' bits you are overwriting. According to a paper by Niels Provos and Peter Honeyman of U. Michigan (highlighted today in the Register) the simplest common programs, such as JSteg and JPHide, fail this test badly and are easily detected. But they failed to nail any confirmed steganographic content in 2 million images on eBay.
Other programs (eg Provos's Outguess 0.2) are more sophisticated at hiding the messages (and other media eg MP3s give a bigger haystack to hide them in); but on the other hand, more sophisticated statistical models of images (eg Slashdot 16 Aug) may be better at making the 'hidden' content stand out.
So, can messages reliably be hidden? Or will people trying to hide their messages in a reliable manner get caught?"
-
Study Finds Low Use Of Steganography On Internet
schnippy writes: "New Scientist reports on a new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research. -
Chuck Moore Holds Forth
A little while ago you asked Forth (and now colorForth) originator Chuck Moore about his languages, the multi-core chips he's been designing, and the future of computer languages -- now he's gotten back with answers well worth reading, from how to allocate computing resources on chips and in programs, to what sort of (color) vision it takes to program effectively. Thanks, Chuck!
FFP, Combinator Calculus and Parallel Forth
by Baldrson
In his 1977 Turing Lecture, John Backus challenged computists to break free of what he called "the von Neumann bottleneck". One of the offshoots of that challenge was work on massive parallelism based on combinator calculus, a branch of mathematics that is far closer to Forth's formalism than parameter list systems (which are more or less lambda calculus derivatives).
The prolific Forth aficionado Philip Koopman did some work on combinator reduction related to Forth but seems not to have followed through with implementations that realize the potential for massive parallelism that were pursued in the early 1980s by adherents of Backus's Formal Functional Programming paradigm. Given recent advances in hierarchical grammar compression algorithms, such as SEQUITUR, that are one step away from producing combinator programs as their output, and your own statements that Forth programming consists largely of compressing idiomatic sequences, it seems Backus's original challenge to create massively parallel Formal Functional Programming machines in hardware is near realization with your new chips -- lacking only some mapping of the early work on combinator reduction machines.
It is almost certainly the case you are aware of the relationship between combinator reduction machines and Forth machines -- and of Backus's challenge. What have you been doing toward the end of unifying these two branches of endeavor so that the software engineering advantages sought by Backus are actualized by Forth machines of your recent designs?
Chuck Moore: What can I say? Backus did not mention Forth in his lecture. He probably didn't know of it then. Yet Forth addresses many of his criticisms of conventional languages.
He thinks a language needs or benefits from a formal specification. I grew up worshiping Principia Mathematica till I learned how Goedel refuted it. The result is that I distrust formal representations. For example, the ANSI Forth standard does not describe Forth, but a language with the same name.
Yes, I am struck by the duality between Lisp and Lambda Calculus vs. Forth and postfix. But I am not impressed by the productivity of functional languages. Even as research tools, they have failed to live up to their promise. By that I mean to do something with computers that I couldn't do more easily in Forth.
I designed the memory for the c18 to occupy the same area as the processor. This means small, fast and smart. c18 can respond to a bus request by fetching from its memory, accessing off-chip or performing a calculation. The 25x avoids the von Neumann bottleneck by making up to 27 memory accesses at the same time (2 off-chip). And its multiple buses do not substitute a network bottleneck for a memory one.
Standard code will be in the ROM of each computer. How this is customized in RAM and the computers assigned tasks is left to the ingenuity of the programmer, not a compiler. Automatically generated or factored code has never impressed me. Nor has automatic place and route for circuit boards or silicon. They are both an order-of-magnitude from human performance. Because humans understand the problem, judge the results and cheat as required.
Marginalizing of the blind
by Medievalist
When I built my first Internet node, the web did not yet exist, and one of the amazing things about the Internet was how friendly it was to the blind.
Now, with some computer experts estimating that over 50% of the Internet is incomprehensible to braille interfaces, and most computer operating systems devolving to caveman interfaces ("point at the pretty pictures and grunt") we seem to be ready to take the next step - disenfranchising the merely color-blind.
I realize that colorforth is not inherently discriminatory, in that there are a great many other languages that can be used to do the same work. The web is also not inherently discriminatory, because it does not force site designers to design pages as stupidly as, for example, Hewlett-Packard.
Would you care to comment on the situation, speaking as a tool designer? How would you feel if a talented programmer were unable to get a job due to a requirement for colored sight?
CM: I'm amazed at how effective blind programmers can be. I rely so strongly upon seeing the code that it's hard to imagine listening to it. Yet I know it can be done. Not being color-blind, it's hard to appreciate the degree of information loss. But it's less than being blind.
My goal is to develop tools that augment my abilities. If others can use them, fine. It would be foolish to lose an opportunity to explore or excel just to conform to some equalitarian philosophy. Too often our culture seeks the lowest common denominator.
20-20 vision is required for fighter pilots. I have no qualms about requiring color vision for programmers. Everyone does not need to be a programmer.
But in fact, color is merely a property of words that helps to distinguish them. As is intensity, size, font, volume and tone. I'm sure colorForth will be translated into these other representations. I, myself, will be exploring spoken colorForth. (As soon as I can decipher PC sound cards.)
Massively Parallel Computing
by PureFiction
The 25X system reminded me of IBM's Blue Gene computer, where a large number of inexpensive CPU cores are placed on a single chip.
The biggest problem in dealing with a large number of small cores lies in the programming. I.e. how do you design and code a program that can utilize a thousand cores efficiently for some kind of operation? This goes beyond multi-threading into an entirely different kind of program organization and execution.
Do you see Forth (or future extensions to Forth) as a solution to this kind of problem? Does 25X dream of scaling to the magnitude that IBM envisions for Blue Gene? Do you think massively parallel computing with inexpensive, expendable cores clustered on cheap dies will hit the desktop or power-user market, or forever be constrained to research?
CM: Forth is a massively pragmatic language: do whatever you can to solve a problem. Its strength is in the ease of violating whatever rules it has. The 25x is similarly pragmatic. I don't know how to program it yet, but I'm confident I can. It's just another level of factoring.
The parallelism provided by the 25x has a different slant from other parallel architectures. The computers are not identical. I expect many will have different ROM and different interface to the real world. This asymmetry is a powerful clue as to how applications will be factored.
A 10x10 array of 25x chips is an easy board to build. At 50 Watts, it needs as much power as a notebook. That's 2500 computers providing 6M Mips. I can't imagine programming them any other way than Forth.
The advantage of Forth in this kind of context is that it scales. Forth is the machine language, Forth is the high-level language, Forth is the task-control language, Forth is the supervisory language. Each of these has a different vocabulary, but they share syntax, compiler and programmer skills.
Back to the array of 25x chips. Each chip could be on a vertical and horizontal serial bus with 10 others. A half-duplex bus requires a computer to manage, so that accounts for 200 computers. Now whatever the application, data must be provided. Say 1GHz Ethernet. Data (and program) is received, distributed and crunched. The assignment and coding of computers follows the data flow. Results are routed back to Ethernet, or displayed or whatever. It's a nice programming problem, well within the ability of a human to organize.
Will this ever reach the mass market? I don't know.
The direction of 25x Microcomputer...
by Midnight Ryder
The 25x concept looks like it could really be a damned interesting idea. But one of the questions in my mind is where you want to head with it? Is this something that is to be used for very specialized research and scientific applications, or is this something that you envision for a general 'desktop' computer for normal people eventually?
Secondly, if you are considering the 25x for a desktop machine that would be accessible by people that aren't full-time geeks, what about software? Forth is a lost development art for many people (It's probably been 10 years since I even looked at any Forth code) and porting current C and C++ applications would be impossible - or would it? Is there a potential way to minimize the 'pain' of completely re-writing a C++ app to colorForth for the 25x machines, which could help to speed adoption of a platform?
CM: At this stage the 25x is a solution looking for a problem. It's an infinite supply of free Mips. There's no obligation to use them all, or even very many. But they can effectively be used to eliminate hardware. To bit-bang what would otherwise need a controller. So if you want video or audio or radio or ...
The first applications will doubtless be embedded. These offer greater volume, less software and less market resistance than a general-purpose computer. I see 25x reaching the desktop as dedicated appliances rather than universal golems.
I'm not interested in recoding C applications. My experience indicates that most applications are hardware-dependent. The 25x is as large a change in the hardware environment as I can imagine. This changes the program so much it might as well be rethought and recoded. The most efficient way to do that is Forth.
Forth is a simple, interactive language. Its learning curve is steep with a long tail. You can be productive in a day/week. This depends only on how long it takes to memorize pre-existing words. Good documentation and management helps mightily. I'd rather train programmers than fight code translators.
That said, there are those who look at the mountain of existing applications and want to mine it. C to Forth translators exist and with some pre/post editing could produce code for the c18 core. How to distribute the application among 25 tiny computers would be a good thesis.
Quick question
by jd
I have often conjectured that multi-threaded processors (ie: processors that can store multiple sets of internal states, and switch between them) could be useful, as the bottleneck moves from the processor core to communications and dragging stuff out of memory.
(If you could microcode the "instruction set", all the better. A parallel processor array can become an entire Object Oriented program, with each instance stored as a "thread" on a given processor. You could then run a program without ever touching main memory at all.)
I'm sure there are neater solutions, though, to the problems of how to make a parallel array useful, have it communicate efficiently, and yet not die from boredom with a hundred wait-states until RAM catches up.
What approach did you take, to solve these problems, and how do you see that approach changing as your parallel system & Forth language evolve?
CM: The 25x could implement a multi-thread application nicely indeed. Except that most applications expect more memory than a c18 core has. Whereupon memory remains the bottleneck.
It's important to choose problems and solutions that avoid using off-chip memory. Even so, with 25 computers to support, I expect that every memory cycle will be utilized. The computer controlling memory can be smart about priorities and about anticipating requirements. For example, it could guarantee enough access to support display computers.
And the nice thing about memory-mapped communication is that a computer need not be aware of its environment. It's an ordinary Forth program accessing data asynchronously. Delays are invisible, as is synchronization. Of course, due care is required to avoid lock-up loops.
These conjectures are fun. But in a year we'll have real applications to review. And a much better appreciation of the advantages and drawbacks of so many tiny computers.
Programming languages...
by Midnight Ryder
This one would probably require a bit more time to answer than you probably have available, but a quick rundown would be cool: Where do you see programming languages headed -vs- where do you think they SHOULD be headed?
Java, C#, and some of the other 'newer' languages seem to be a far cry from Forth, but are languages headed (in your opinion) in the proper direction?
CM: I've been bemused with the preoccupation of new languages with text processing. I've been accused of not providing string operators in both Forth and colorForth. Indeed, I haven't because I don't use them. Editing a file to pass on to another program never struck me as productive. That's one reason I chose pre-parsed source, to break the dependence upon strings and text processors.
Languages are evolving, as evidenced by the new ones that arise. But as with natural evolution, the process is not directed. There is no goal to approach nor any reward for approaching it. But whatever progress you might perceive, I don't. New languages seem only to propose new syntax for tired semantics.
These languages are all infix. Which is extraordinarily clumsy for anything but arithmetic expressions. And even those are comfortable only because we learned them in Algebra 101. Do you remember the learning curve?
Does everyone really think that 50 years into the computer age we have hit upon the ultimate language? As more and more C code accumulates, will it ever be replaced? Are we doomed to stumble over increasingly bloated code forever? Are we expecting computers to program themselves and thus save civilization?
I'm locked in the Forth paradigm. I see it as the ideal programming language. If it had a flaw, I'd correct it. colorForth uses pre-parsed source to speed and simplify compilation. This solves a non-problem, but it's neat and worth exploring. At least it proves I haven't gone to sleep.
What about memory protection?
by jcr
From the web pages, I don't see any mention of access control.
Can this processor be used in a multi-user, general-purpose mode?
CM: If you had a chip, you'd physically control access to it. It doesn't make sense for another person to share your chip. He can get his own. Certainly an individual c18 has too little memory to multi-task. And I doubt 25 computers could run 25 tasks.
But the 25 computers can certainly perform more than one task. They have to share resources: communication buses, off-chip memory and interfaces. Access is negotiated by the computer in charge of the resource. There is no hardware protection. Memory protection can be provided by the access computer. But I prefer software that is correct by design.
Communication with other computers, via internal or external buses, is subject to the usual problems of scheduling, routing and authentication. Internally, at least, my goal is to minimize delay rather than attempt protection. I anticipate spectacular crashes while software is developed. (Have you ever crashed 2500 computers?)
Where is forth going?
by JanneM
I learned forth early on in my programming career; it was very memory and CPU efficient, something that was important on early microcomputers. It was also a great deal of fun (though far less fun to try and understand what you wrote a week earlier...). Today, even small, cheap microcontrollers are able to run fairly sophisticated programs, and it is far easier to cross-compile stuff on a 'big' machine and just drop the compiled code onto the development board.
Forth has (in my eyes) always been about small and efficient. Today, though, embedded apps are more likely to be written in C than in forth, and the "OS as part of the language" thing isn't as compelling today as it was in the eighties. Where is forth being used today, and where do you see it going in the future?
CM: Forth is being used today as it always has been. In resource-constrained applications. I think they will always exist. I'm creating some with the tiny c18 computers in the 25x. I imagine molecular computers will be limited when they first appear.
Personally, I don't mind losing a mature market that can afford abundant resources. Such applications aren't as much fun. But Forth isn't restricted to small applications. Even with huge memories and fast processors, small, reliable programs have an advantage.
The major project cost has become software, to the dismay of managers everywhere. On-time, bug-free software is the grail. Forth doesn't guarantee it, but sure makes it easier. Will this ever be convincingly demonstrated? Will management ever value results over procedures?
The currently popular language is selected by uninformed users. The only thing in favor of such democratic choice is that it's better than any other. But why would anyone want to debug 1M lines of code instead of 10K?
What's the next Big Computational Hurdle?
by DG
Now that sub-$1k computers are running in the GHz range, it seems that all the computational tasks on a common desktop system are not processor-bound.
3D, rendered-on-the-fly games get well over 30 frames per second at insanely high resolutions and levels of detail. The most bloated and poorly-written office software scrolls though huge documents and recalculates massive spreadsheets in a snap. Compiling the Linux kernel can be done in less than 5 minutes. And so on.
It seems that the limiting speed of modern computers is off the processor, in IO. What then, do you foresee coming down the pike that requires more processor power than we have today? What's the underlying goal you intend to solve with your work?
CM: Memory is cheap. I don't mind wasting memory as long as it's not full of code that has to be debugged.
Likewise, Mips are cheap. The trick is to find productive ways to waste them. A Pentium waiting for a keystroke isn't very clever.
So here's a huge pool of Mips. What can you do with them? Voice recognition comes instantly to mind. Image recognition close behind. The brain deploys substantial resources to these tasks, so I suspect a computer must.
IO is indeed a bottleneck, but not in principle. If you can't get data from the camera to the computer, combine them. Put the image recognition algorithms in the camera. Analyse, reduce, compress data at the source. Meanwhile, it helps to have multiple paths off-chip.
revolutionary
by rnd
What is the most revolutionary (i.e., it is scoffed at by those in control/power) idea in the software industry today? Explain how this idea will eventually win out and revolutionize software as we know it.
CM: Forth! But then I haven't been out looking for revolutionary ideas. I like the phrase Baldrson used above: compressing idiomatic sequences. If you do this recursively, you obtain an optimal representation. I see no way to get a more compact, clear, reliable statement of a problem/solution.
Forth clearly revolutionizes software as most know it. It could lead to efficient, reliable applications. But that won't happen. A mainstay of our economy is the employment of programmers. A winnowing by factor 100 is in no one's interest. Not the programmers, the companies, the government. To keep those programmers busy requires clumsy languages and bugs to chase.
I don't have to be glib or cynical. Those are facts of life. Society must cope with them. But I don't have to. Nor you. There are niches in which you can be creative, productive, inspired. Not everyone can be so lucky.
Forth as intermediate language
by Ed Avis
Many high-level languages compile into C code, which is then compiled with gcc or whatever. Do any use Forth instead? I understand Forth is a stack-based language: doesn't that present problems when compiling for CPUs that mostly work using registers?
CM: I remember my shock at learning that Fortran compiled into Assembler, that then had to be assembled. A language that can be translated into another is clearly unnecessary. Truly different languages cannot be translated: C into Lisp.
Forth would make a fine intermediate language. But why have an intermediate language? It introduces another layer of confusion and inefficiency between the programmer and her computer. Macros were invented to support compiling directly to machine code.
Stacks are a compiler-friendly construct. Every compiler has to use one to translate infix notation to postfix. If this stack solution has to be assigned to registers, it's an extra step. Forth uses stacks explicitly and avoids the whole subject.
Register-based CPUs have more problems than just the complexity of their compilers. Their instructions must contain register addresses, which makes them longer and programs bigger. And it is rare that every register can be used in every instruction.
Moreover registers need to be optimized. After assigning system registers, performance depends on how well the remaining registers are handled. Compilers can optimize infix expressions better than humans. But such expressions are no longer the preferred means of doing arithmetic. DSPs and super-computers integrate difference equations.
Design guidelines encourage code with many subroutine calls each with only a few arguments. This is the style Forth employs. But it plays havoc with optimization, since register usage must be resolved before each call. So apart from being unnecessary and difficult, optimization has no effect on good code.
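The stack translation Moore refers to, shown as an added example that is not part of the interview and not code from any Forth implementation: a minimal shunting-yard conversion of an infix expression to postfix, using an operator stack, followed by a Forth-style evaluation of the postfix form on a data stack. The function names (tokenize, to_postfix, eval_postfix, compile_and_run) and the integer-only operator set are my own choices for illustration.

```python
"""Infix -> postfix with an operator stack, then postfix evaluation on a data stack.

Added example, not from the interview or from Chuck Moore's own code. It shows
that translating infix to postfix needs a stack, and that a stack machine (as
Forth is) can then run the postfix form directly, with no register assignment.
"""
import operator
import re

# Binary operators with precedence (higher binds tighter); all left-associative.
PRECEDENCE = {"+": 1, "-": 1, "*": 2, "/": 2}
# Integer division mirrors Forth's integer arithmetic words.
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "/": operator.floordiv}

TOKEN_RE = re.compile(r"\s*(\d+|[-+*/()])")


def tokenize(expr):
    """Split an infix expression into integer literals and single-character operators."""
    expr = expr.strip()
    pos, tokens = 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unexpected character at %d: %r" % (pos, expr[pos]))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def to_postfix(tokens):
    """Shunting-yard: the operator stack holds operators whose right operand is not complete yet."""
    output, stack = [], []
    for tok in tokens:
        if tok.isdigit():
            output.append(int(tok))
        elif tok in PRECEDENCE:
            # Pop operators of equal or higher precedence first (left-associativity).
            while stack and stack[-1] in PRECEDENCE and PRECEDENCE[stack[-1]] >= PRECEDENCE[tok]:
                output.append(stack.pop())
            stack.append(tok)
        elif tok == "(":
            stack.append(tok)
        elif tok == ")":
            while stack and stack[-1] != "(":
                output.append(stack.pop())
            if not stack:
                raise ValueError("unbalanced ')'")
            stack.pop()  # discard the matching '('
    while stack:
        op = stack.pop()
        if op == "(":
            raise ValueError("unbalanced '('")
        output.append(op)
    return output


def eval_postfix(postfix):
    """Run the postfix program on a data stack, the way a Forth inner interpreter would."""
    stack = []
    for item in postfix:
        if isinstance(item, int):
            stack.append(item)
        else:
            if len(stack) < 2:
                raise ValueError("stack underflow at %r" % item)
            b = stack.pop()
            a = stack.pop()
            stack.append(OPS[item](a, b))
    if len(stack) != 1:
        raise ValueError("malformed expression: %d items left on stack" % len(stack))
    return stack[0]


def compile_and_run(expr):
    """Return the postfix text (as a Forth programmer would write it) and its value."""
    postfix = to_postfix(tokenize(expr))
    return " ".join(str(t) for t in postfix), eval_postfix(postfix)


if __name__ == "__main__":
    for e in ("3 + 4 * (2 - 1)", "10 - 4 - 3", "8 / 2 * 3"):
        print("%-18s -> %-16s = %d" % ((e,) + compile_and_run(e)))
```

The evaluator rejects unbalanced parentheses and stack underflow explicitly rather than silently producing a value, since a stack machine with no hardware protection (as Moore describes for the 25x) gives the programmer no other guard against a malformed program.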
-
Rumble in the Airwaves
fizban writes: "We've talked a lot on Slashdot about active uses of the radio spectrum for things like wireless networking and global communications (Iridium). But what about the passive users who are more and more often finding themselves trampled upon by the corporations and military who grab up more and more of the unused spectrums for their own uses? Check out this New York Times article for a little insight into the challenges being faced by today's and tomorrow's radio astronomers." -
How PDAs Intersect With School
An Anonymous Coward writes: "It's never too young to be a yuppie. An engineering professor at the University of Michigan is studying how handheld technology can be incorporated in elementary and high schools. His theory is that PDAs can provide students with a much more interactive and cheaper means of learning than desktop computers. The professor has created a number of interesting applications for using PDAs in school, including a 'cooties' simulator, where students beam around a virus from Palm to Palm and then figure out how it propagated. The New York Times covers the use of PDAs in classrooms here, and Wired News has an article here talking about schools who ban students from carrying PDAs." Both articles focus on Palm OS devices at a school in Ann Arbor, but only the Wired piece points out that the devices were banned there last year. -
Slashback: Subterfuge, Rejoinder, Caution
A desire for information on Code Red and full disclosure, steganography, old game music, and an interesting bit on software patents are the reason you're reading tonight's Slashback.
Good things come in hidden pictures. Intrepid strongman Dug Song writes, in reaction to the "fairly thin" piece earlier today on steganographic analysis:
"The only cutting edge, practical work being done today in steganalysis and steganography is by Niels Provos, who gave a talk at HAL2001, and is also presenting at the USENIX security symposium tomorrow: He's been developing several interesting tools to do steganalysis during the course of his universal stego engine development: (http://www.outguess.org/) including stegbreak (which can detect images produced by all popular stego tools -- except outguess), crawl (which he's used to download 2 million jpeg's from eBay to analyze), discern (his distributed computing platform), etc."
Hushing up is not such a good answer sometimes ... Reader Brian McWilliams <brian@pc-radio.com> notes regarding the thread on Slashdot about the costs of full disclosure, "you might want to add an update linking to this story Newsbytes did a couple days ago about the Richard Smith posting. Contains responses from eEye & full disclosure advocates, as well as some more ammo from Smith."
Smith doesn't take kindly to being blamed for damages caused by security holes he publicly aired.
So you want to patent "bacon and eggs"? I guess that's OK then. You recently read about the McAfee patent on a seemingly overbroad stretch of computing transactions. Well, it's raised quite a few eyebrows among people interested in a fair computing marketplace. geoa points to this article in which "Neil McAllister in The Gate takes too long to say we shouldn't let another monopoly in the playpen."
It was soooo old ... For everyone enjoying the recent upswing in retro computing interest, Silicon Avatar writes with another tidbit: "Although not necessarily new news, I found a link today when someone mentioned Roland MT-32 to me. Starting with Space Quest IV, Sierra games were written to use either the Adlib soundcard or the Roland MT-32 'soundcard.' Quest Studios seems to have a repository of MANY of those songs, including the 'lounge tape' I once had but lost!"
Put that in your souped up underclocked emulator and smoke it.
-