Slashdot Mirror

FWIW, Ashcroft is Morman.

Nope.

Ashcroft is a Pentecostal (Asssemblies of God), and is the son of a Pentecostal minister.

It may not be too late to Give Florida Back to Spain.
I think we may still have the Receipt around here somehwhere...

On the other hand, at an average height of just 4 feet above sea level, this may be Governor Jeb's covert attempt at "wetlands" reclamation.

My alma mater uses the Library of Congress system for numbering its books. Sure, it's not quite as simple for children to understand (a letter code, followed by numbers, then more letters), and is copyrighted, but as far as I know it's royalty-free to use.

this is clearly a question for lawmeme.

It's just that sort of question people should be asking! I just wrote an article for Salon about the rhetoric and it was published simultaneously with a response by the EFF.

If you're not a Salon subscriber, you can click the free 'day pass' link for the full articles.

By coincedene, LawMeme also reacted to the pair of articles on Salon.

I'd like to hear more specifics about alternative systems *before* I decide that they're any better.

That said, Oppie really was a commie. Letters were released last year that prove that he was a member of the Communist Party.

Cute. Continue to display your lack of understanding of the issue by debating my prose rather than my points. Whoops. But (gasp!) I'm glad you have your writer's handbook handy and infinite time to look up minor details. Now you can continue to bicker over minor points (nice AC flame post follow-up by the way), or you can take my point, and understand it in the context of this new article posted on slashdot today about who is really winning the PR war. Guess what? Its not guys like you.

President Eisenhower warned us of the problems with the military industrial complex that had been created in response to the Cold War.

The "War on Terrorism" has simply become the new justification for spending.

Not that there aren't genuine security needs for the U.S. government. It's just that an accurate picture of those needs is clouded by misinformation from those who stand to gain.

Admiral Grace Hopper really was an amazing woman. Born in 1906, she didn't fit ANY of the stereotypes for geeks. Active Duty Navy, oldest on active duty, created COBOL... Check out the following links....
http://www.agnesscott.edu/lriddle/women/hopper.htm
http://cs-www.cs.yale.edu/homes/tap/Files/hopper-w it.html
Truly Amazing!

You are misleading. Gelernter's research thesis is Organization of data based on timeline and he calls them LifeStreams. It is a fascinating concept. It is very unlike RDBMS (conceptually, it may need a RDBMS implementation underneath but that's not the point) as a poster has mentioned above.

Regarding the Treaty of Tripoli, perhaps you might want to study a more scholarly source. (You will want to read the whole thing and pay particular attention to the issues around "Article XI.")

Regarding the beliefs of Founders of the United States, and how they were all Deists, I think the matter is more complex than you acknowledge.

1) Identify what it is that you can do that cannot be done by anyone else

Like you, I refuse to believe that Americans are different than any other industrialized nation or citizen. I refuse to believe American coders or engineers are better than European or Asian ones.

The main thing that makes a country's workers able to develop new things are the wealth of material at their fingertips. IE - given the same textbooks and teachers, almost any two people can achieve the same end.

What I'm getting at is... IS there anything we can do that others cannot? Is there anything that I can make, that with the proper education couldn't be coppied by someone else and outsourced to a foreign nation where they pay less? Or perhaps even independently developed by the third world nation at a much lower cost?

Secretary systems - easily outsourced
Pay-roll systems - easily outsourced
Programming systems - easily outsourced
Construction - easily accomplished by immigrants

What's to stop a company from setting up camp and eventually housing 5000 people in cramped 'offices', in other countries or here at home, locking the doors, and having them pump out code much the same way we've done in the textile and toy industries, with only a manager or two on the floor or in the building to make sure the peasantry keeps working?

Well, it won't happen in America. We've been good at stopping accidents like that here at home recently. But this is the stuff capitalism brings. If it doesn't happen HERE, it doesn't mean it won't happen AT ALL... it'll just happen elsewhere. Out of sight, out of mind.

Think to yourself... what really makes India and China able to push out code cheaper? Maybe they have smaller cubicles? Maybe they don't air-condition their buildings for their workers. Yes... obviously the low standard of living down there makes it a bit easier... but just think of every way owners cut costs by moving textiles to third world nations, and you'll see some of the ways they'll cut costs by sending IT jobs there too.

If IT gets outsourced from all over America, and payroll gets outsourced, and designing via autocad gets outsourced, what's left for Americans except marketing to the peasantry, managing the peasantry, or running the product over a barcode FOR the peasantry?

Sounds like MacOSX can be called UNIX in a same way as Windows-95. I think that's because BSD layer on MacOSX is like cygwin on Windows - it wasn't designed to be there.

This quote is from Yale Office of Cooperative Research

One somewhat sneaky but perfectly acceptable way of using continuation applications is to make sure that the disclosure of an original patent application is always pending. Because an unlimited number of continuation applications may be filed, the only requirement being that at least one application in the chain of continuation applications is still pending, it is possible to keep a chain of patent applications alive for a long period of time. This is useful when a technology field is crowded and there are several competitors, and when it's not really certain exactly what the competitor will try to bring to market.

Some googling around finds:

* Re: "Double" Licenses--enforceability of shrinkwrap and clickwrap licenses

* WASHINGTON COURT OF APPEALS UPHOLDS ENFORCABILITY OF "SHRINK-WRAP" SOFTWARE LICENSES

* Shrink-wrap software licenses upheld

* Contractor Denied Recovery for $1.95 Million Bidding Error Caused by Allegedly Defective Software

* CPT's Page on the Enforceability of Shrinkwrap Licenses

* ProCD, Inc. v. Zeidenberg, 86 F.3D 1447 (7th Cir., June 20, 1996). This
phone directory data case is important because it validates the legality of
"shrink wrap" software licenses for the first time. This case suggests that
similar "on screen acceptance" licenses, now commonly used on the Internet,
may also be upheld as legal someday. The phone directory database at issue
in this case was not protected by copyright, but was protected by contract.
So the person who published ProCD's phone directories on the Internet was
found to have breached the shrink wrap license agreement that came with the
software.

* In Bowers v. Baystate Technologies Inc., 64 USPQ2d 1065 (CA FC 2002), the Federal Circuit has upheld a contractual no-reverse engineering restriction in an agreement between two parties in a software license that was characterized by the court as shrink wrap.

The scariest thing here about this story is that both of these dim bulbs have law degrees. Are they giving degrees away when you get enough box tops!?

No, they're selling them for tons of cash, like they have for a long time. And please, don't tell me about people failing out. That only happens to the 'not fabulously wealthy.'

note: law school links just chosen at pseudorandom. Just making a point, not accusing any one school of being any worse than any other.

WHAT mobile weapons labs? Links please.

Here you go.

You might critise the UN but 70 years ago there was no international agency to feed the starving and no notion of an international court (however flawed).

The League of Nations was around almost 80 years ago and they tried to appease Hitler instead of confronting him.

Syria, Libya and Cuba don't have seats on the security council.

Syria does.

I would argue that the UK/US action has put this back by decades, causing more long-term harm to world peace than they have solved.

I would argue that the Secretary Generals by standing so forcibly against colonialism instead of trying to promote economic and political stability have caused more long-term harm to world peace than they have solved. May Dag Hammerskjold burn in hell.

Secondly, if the original UN resolution was enough, why did the US/UK seek a second?

Actually, there were over 14 resolutions on Iraq, so you're asking about a 'second' resolution is ridiculous. The US was merely going to ask for a confirmation of what had already been stated.

They're called 'facts'. You can find them yourself. Start searching for truth instead of grandstanding for virtue. You'll be a wiser man for it.

We have 3 people in the last hundred years that have killed more than 1 million people. Or at least, 3 that come immediately to mind.

Hitler killed 4 million Jews in WWII.

Stalin killed 20 million Russians.

Pol Pot killed 1.7 million people in Cambodia in the 1970s.

Yale has a genocide site devoted to this, though it's interesting that they include Hitler and Pol Pot, but not Stalin. Hmm. I guess ethnic purges count, but political purges don't.

How does this work? If it was not a country then how could it contain Jordan? What was it - a f**king continent?

This was the original delineation based on the Sykes-Picot agreement whereby France and the UK were determining what the partitioned remains of the Ottoman Empire would look like. This is European history. Surely you're aware of it, if even a dumb American like me knows about it.

This is all a rather pointless argument as Isreal was not a state 60 years ago but no-one in the west would argue that it should not exist now.

Actually Hamas makes this very argument.

However, there was British Palestine which was a defined territory in which the Palestinians lived.

Right, of which a section was used to create the state of Israel. In fact, this was inherently accepted by the then leader Palestine/Transjordan, the Emir Hussein.

Your argument is like arguing that Zimbabwe or Ghana have no right to exist as nations because they weren't proper independant countries 60 years ago.

No, it isn't. The Palestinians have 'lost' whatever land they had in Palestine either through sale (the majority of it), war (each Arab conflict with Israel has result in Israeli land gains) or fleeing under false preconceptions (that the Arab countries would fight a war and win the land back).
Israel has constantly sought to improve the lot of Palestinians, building power generation, introducing modern farming, etc.

Interesting that most Americans have the same misconceptions about Arafat - his charter includes provision for an Isreali state and he agreed to the Oslo accord that included an Isreali state.

Bull. Look at points one and two if you don't believe me. If we Americans are coming away with this notion, it's because THAT'S WHAT THE PALESTINIANS ARE SAYING.


The Isrealis then broke the Oslo accord by continuing to build settlements. Interestingly Sharon has stated on several occasions that there will never be a Palestine but I don't see you criticising him for that.

Ehud Barak tried to withdraw forces which resulted in an increase in violence. The subsequent loss of faith in the government, coupled with Arafat's refusal to agree to the partitioning of Israel/Palestine resulted in Sharon's election.
This is similar to Schroeder being re-elected on an anti-US platform and I don't see you criticizing him about that, do you?

And for an American to claim that the EU is not interested in peace in the middle East is a joke - who do you think tried to keep negotiations going between Isreal and Palestine whilst being shat on by Bush?

Well, I'll make more claims. The UK and France spent far more time figuring out how to get more out of the Middle East than in trying to create any kind of stability in the region.
Currently, Russia and France and Germany make more in arms sales than in other sales to Palestine, Syria and Iran.
Why do you think there have been over 70 resolutions condemning Israel by the UN but NO resolutions condemning Palestinian terrorism?
Do you think there might be peace of there were no violence for more than two weeks? Well, that was one of the Oslo accords and guess what, it was the Palestinians that broke it.

You know for a Euro you sure don't know shit about history. Or current events.
Maybe you get off your high horse, come to American and get an education. Eh, fucktard?

Interestingly enough, you and I aren't alone in being misunderstood on this point. My faculty advisor in economics just stopped talking about the stock market during the boom because he would be shouted down by laymen who were sucessful in the stock market and therefore experts. Now is a good time to note that basically everybody was successful at that point. The real question now is, where are all of those people now? This gentleman has taken his Harvard Ph.D. and continued to earn healthy returns by trading bonds and options. Everybody else seems to be in the tank. Everybody is worshipping Warren Buffet again now that he's cashing in--the same people who thought that the guy was a fossil to be value investing during the boom.

The fact is, people are largely misinformed. It used to be that people bought stocks for the dividends. Growth investors were a rarity. Things were a lot more logical back then. Now that everybody is seeking huge capital gains, it adds all sorts of instability and strangeness to the market. People don't buy based on fundamental value but rather on the expectation that others won't buy based on fundamental value either. This causes massive divergences from the real value of the stock. Eventually, a process known as "mean reversion" kicks in (spurred on by a panic, buyer's remorse, an economic slowdown, whatever) and the bottom drops out, bringing us roughly back to where we should be. We've seen it before and we'll see it again. It's just a lot worse now that a big share of the stock is held by people on eTrade who don't understand what they're buying rather than by the business elite and pension funds (which have an interest in stability and steady dividend payouts) as it was in the earlier half of the century. Think about this: Capital gains do not create wealth. They merely redistribute it. To make money on capital gains, you must sell the stock to somebody. If you buy low, sell high, that means that an equal amount of stock is being bought high and sold low. No new wealth is created. Buying at fundamental prices and trading to balance a portfolio, however, minimzes this effect (I'm talking macroeconomically now--not about individual investors). Companies produce something of value, sell it, and the people who own the company get to keep the proceeds. This is good and natural.

I'm not a big fan of the President's "stimulus" plan as it's laid out, but I have to say that reducing the tax on dividends might be good. It's certainly not going to have immediate stimulus effects as he claims it will, but it may encourage investors to think more about what is really driving the value of what they buy. I'd almost be in favor of raising the capital gains tax if I weren't worried that it would discourage companies from investing in policies that promote growth. One thing that scares me, however, is that Bush has stated or implied on more than one occasion that he'd like the market to go back up to where it was. Why? What if the stocks weren't worth what they were selling for? What econimc good does inflating the price do for us?

Anyway, to hear a real expert (Stanley B. Resor Professor of Economics at Yale) talk about it, I highly recommend a book by Robert Schiller: Irrational Exuberance. It was a NY Times bestseller, is highly readable, and is scary as hell. He wrote it in 2000 and accurately predicted almost everything that has happened since, including a discussion on what events might tilt the balance (corporate scandal, war, and terrorist attacks are mentioned). It makes an excellent post mortem read right now. I think it should be mandatory reading for anybody who plans to retire using anything other than a matress full of cash.

I think MIT developed something along these lines a long time ago. (Here's a link.) The idea was not to empower the government, but to provide a sort of Super PDA for the individual. Oddly enough, I think it uses Emacs.

Another interesting system was Gelernter's LifeStreams, which time-indexed everything...

Of course, half the world seems to be blogging all the time anyway, which tend to be weak on the indexing and searching, but provide a nice low barrier-to-entry for inputting all kinds of trivial crap about one's life.

It's not necessarily entirely about dystopian government power ;-)

The word potassium is derived from the word potash, literally meaning "pot ashes". The word alkali comes from the Arabic qalay, "to fry or roast in a pan", and al-qalay , "the substance that had been roasted." The English word soda is derived from suwwad, the Arabic name of a plant of which the ashes are rich in sodium carbonate (paraphrasing from the bottom of this reference). This most recent effort is most certainly not the first time salt has been extracted from plants, and in fact is such an ancient practice that it has given rise to the names of some of the alkali metals.

Since you mention that you may be building a screen scraper that gathers airline fares, you may be interested to know that American Airlines has already sued (and won a preliminary injunction against) a software company that built a tool that does much the same thing. The case is American Airlines v. FareChase, and was discussed on LawMeme:

American ... sued FareChase in a Texas court (American is based in Dallas, so that's its home turf) and got a preliminary injunction against FareChase's screen-scraping practices. The court decided that the screen-scraping constituted an "interfer[ence] with American's personal property," also known these days as a trespass to chattels. The court also noted that FareChase's actions might be a criminal violation of Texas Law, which states, "A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner." Tex. Penal Code 33.02(a).

• "The Bible is not my Book and Christianity is not my religion. I could never give assent to the long complicated statements of Christian dogma." - Abraham Lincoln
  
  
• "As to Jesus of Nazareth...I think the system of Morals and his Religion, as he left them to us, the best the World ever saw or is likely to see; but I apprehend it has received various corrupting Changes, and I have, with most of the present Dissenters in England, some doubts as to his divinity. " - Benjamin Franklin
  
  
• "I do not find in orthodox Christianity one redeeming feature." - Thomas Jefferson
  
  
• "I do not believe in the creed professed by the Jewish Church, by the Roman Church, by the Greek Church, by the Turkish Church, by the Protestant Church, nor by any Church that I know of. My own mind is my own Church." - Thomas Paine

ARTICLE 11.
As the government of the United States of America is not in any sense founded on the Christian Religion,-as it has in itself no character of enmity against the laws, religion or tranquility of Musselmen,-and as the said States never have entered into any war or act of hostility against any Mehomitan nation, it is declared by the parties that no pretext arising from religious opinions shall ever produce an interruption of the harmony existing between the two countries.

This brief collection of pages at Yale gives more info about OS X and Chinese inputting.

Now morally speaking, of course, MP3 thieves deserve the death penalty, but that seems a little inefficient when a lesser deterrent will work just as well. Why don't they pass a three strikes MP3 law? Or mandatory *minimums* instead of maximums. It's worked with the crack cocaine problem - crack has been pretty much disappeared from our inner-city streets since we declared our war on drugs.

Donald Braman

Thank you for backing up the parent point, "snow pony". Three women mentioned for 2002, none of whom I've heard of, only one of which has a technical position (the other two are "manager" and "CEO").

You really do need to look further into the history of those "managers and CEOs" instead of taking a cheap shot obviously based the limited amount of information you could gleam from a single web page.

Julie Estrin (CEO of Packet Design) holds a B.S. Degree in Math and Computer Science from UCLA and an M.S. in Electric Engineering from Stanford University.

Dr Caroline Kovac holds a Ph.D in Chemistry; and was the head of IBM Research efforts in computational biology.

Like most people of recognition; they have moved up the corporate ladder into executive positions through thier experience and drive.

There is very little publicity of most female technical leaders except when grandstanding takes place (and most people have learned to see through that dribble anyways). You mentioned Lovelace and Hopper. Both notable women of computing; but considering the time period they come from - I think trying to label them as an alternative to feminism when the feminist movement had not even undergone it's major revival until Hopper was well into her 50s (and Lovelace was deceased for over a centuary) to be a touch out of context don't you think?

I do love how you labelled me as a feminist when merely trying to give you an informed opinion. Gynophobic are we? I am the last person I would consider to be a feminist. However I also know I am a highly technically minded individual; the company I work for recognises this year after year and relies on my skills to solve technical problems.

I do my job and do it well. I don't go running around and demand recognition for my work. You might just find there are many quiet achievers such as myself in the world. Considering you took the time to actually list a few noteworthy technically minded women from history; is it that hard to conclude that there are women like them still around?

He didn't really wait nine years. He filed a patent in December 1994. The patent was issued in December 1998, meaning that's how long the patent office spent examining the application. Just before the patent issued, he filed what is known as a contunuation patent application. Basically, he covered one aspect of the invention in the first patent, and another aspect in this patent.

Yale says its a bad idea, and I am gonna guess Yale has a better idea about good law vs. bad law then you do.

or by reading your blog. Sometimes I wonder if the ideal of blogging was initiated as a government attempt to get people used to giving details of their personal life to absolute strangers

Price fixing is only effective for price-inelastic goods (things you'll generally buy the same amount of regardless of how high the price rises, like oil). The reason for this is that as producers collude to keep the price up, people turn to lower priced alternatives. This is expressed in plain English as "well, I'll settle for hamburged if steak is that expensive." While I'm not sure whether your comment about patent infringement makes sense, it's irrelevant because it wouldn't be a rational approach to maximizing revenue. This is kind of hard to understand without seeing a graph. Lest you think I'm just a right wing supply sider nutcase, here's a citation.

Additionally, price fixing is only practical for oligopolistic (few sellers), commoditized products as well. This is why OPEC was such a big deal back in the seventies. I don't see that LCD monitors are any of these things.

The poster has the Alpha and Omega of the analysis in the post: the market bears the price. One by one, manufacturing advantages will arise, and out of pure selfishness and greed, the manufactures will cut prices in an attempt to steal market share. Additionally, as OLED's hit the market, demand for LCDs will fall, and there will be price pressure there.

this yalies idea for a curriculum
Glancing through, it appears the lesson plan has it's moments, though it's not entirely too deep (jobs of the future?), but the bibliography included seemed to supply some good jumping off points for the submitter.
Google, and ye shall find.

the most obvious answer is the sedition act of 1798, but there are countless others. it looks like the avalon project is a pretty good resource for that sort of thing. there's a list of united states statutes pertaining to human rights here, but it's not exactly a complete list. there are plenty of rights-violating laws that aren't listed.

the most obvious answer is the sedition act of 1798, but there are countless others. it looks like the avalon project is a pretty good resource for that sort of thing. there's a list of united states statutes pertaining to human rights here, but it's not exactly a complete list. there are plenty of rights-violating laws that aren't listed.

the most obvious answer is the sedition act of 1798, but there are countless others. it looks like the avalon project is a pretty good resource for that sort of thing. there's a list of united states statutes pertaining to human rights here, but it's not exactly a complete list. there are plenty of rights-violating laws that aren't listed.

"Spray systems mounted on the Mi-8 HIP helicopters were also used against troop concentrations"". (the Mi-8 is a Soviet design)

"Iraqi Su-22 FITTERs and MiG-23 FLOGGERs conducted most air-launched chemical attacks". (likewise, so are the Su-22 and MiG-23)

The US was real buddy-buddy with the other signers of the Baghdad Pact, so I doubt the US was all that hot to have the monarchy overthrown by either communists or Ba'athists.

Poisonous chemicals and deadly viruses are not weapons in their own right. They have many legitimate commercial, agricultural and research uses. Whether or not it was [a good idea/moral] to let Iraq buy dual-use precursor materials is open for debate, but the fact remains (and no one claims otherwise) that Saddam manufactured all his biochem weapons domestically.

The NIC can't run anything. There's no flash or EPROM on it. There's no way for it to force the CPU to execute code. I't can't do a damn thing but perform I/O instructions.

Let's read up on PC hardware initialization, shall we?

Adapter cards on the I/O bus can be configured to present an initialization program in ROM memory somewhere in the middle 128K of free addresses. In hex , these addresses are represented as C0000 to DFFFF. Each time the system is initialized, the POST program scans this area for initialization programs and runs any that it finds. This mechanism allows the display adapter to initialize itself properly (no matter which vendor or model of adapter card you own). Code on the SCSI card makes up to two SCSI disks visible and usable to DOS programs. Code on the LAN adapter will boot a diskless workstation from a LAN server.

Unfortunately for my employeer, I just spent a large chunk of time visiting the referenced discussion about the journalist's notes. While doing so I followed a link to a TCPA and Palladium faq. As a result, I think I just crapped my pants (I could be wrong, let me check). Nope that wasn't crap. It was any hope of a bright future leaving my body through the same orafice that I will take it for the rest of my life. I admit to ignoring most news / rumors about TCPA and Palladium. Until now I didn't read much about it. Having done so, and serriously thought about ramifications, possibilities, and likely outcomes, I have concluded that the future will not be bright. I think I'll start digging that hole I will eventually shove my head in.

Updated 20 February 2003

18 February 2003

To: ukcrypto@chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_g ag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_r esponse.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560 .pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

_____
Abstract

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the maximum amount of information is learnt about the true PIN upon each guess. It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.

-- Mike Bond and Piotr Zielinski

Decimalisation table attacks for PIN cracking

February 2003

-----

From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
To: ukcrypto@chiark.greenend.org.uk
Subject: Yet another failure of commercial cryptographic equipment
Date: Tue, 18 Feb 2003 17:52:13 +0000

I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

The paper is available online at:

http://research.microsoft.com/~aherbert/volume63.p df [4.8MB] (link appears to be broken)

as pages 27-30 in the PDF. [HTML below]

I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of information which they accept as being confidential and which ought not to be in the public domain.'

I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...

Protocol Analysis, Composability and Computation

Ross Anderson, Michael Bond
University of Cambridge, England

Security protocols early days

The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all authentication protocols.

Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customers PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone elses account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.

Clarifying the assumptions

Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design. Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol mechanisms to perform a service denial attack?

The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic and other formal tools were developed and extended to tackle a range of problems in protocol design.

One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the objects associated with authenticating users over a network passwords, keys and the like was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.

Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.

Dishonest insiders, and the composition problem

Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?

Protecting protocols was hard enough, and yet the typical protocol consists of 35 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.

Attacks often involve using two separate mechanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.

Attacks like this extend protocol analysis all the way to the composition problem the problem that connecting two systems that are secure in isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.

Differential protocol analysis

We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters: Account number: 8807 0123 4569 1715 PIN derivation key: FEFE FEFE FEFE FEFE Encrypted account number: A2CE 126C 69AE C82D Natural (decimalised) PIN: 0224 Offset: 6565 Customer PIN: 6789

The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further, he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 1525 unprivileged cryptoprocessor transactions to discover the PIN on a single target account.

This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.

For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against application-level crypto.

It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular designs soundness. The randomisation of all protocols (another feature of Rogers work) is likely to be important.

Quantitative analysis and multiparty computation

Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This leads in turn to a possible real-world application of an attack previously considered theoretical.

Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a predetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)

A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we cant sanitize the inputs to the computation, perhaps we can authenticate them, and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by using cryptography!

Conclusion

The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems. The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Rogers contribution just keep on growing.

References

1. NEEDHAM, R.M. AND SCHROEDER, R.M., Using encryption for authentication in large networks of computers. Comm. ACM, vol. 21, no. 12, pp. 993-999, 1978.

2. BURROWS, M. ABADI, M. AND NEEDHAM, R.M., A logic of authentication, ACM Transactions on Computer Systems, vol. 8, no. 1, pp. 18-36, 1990.

Updated 20 February 2003

18 February 2003

To: ukcrypto@chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_g ag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_r esponse.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560 .pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike
and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in
many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's
an omen, if not a precedent ...
_____

Abstract

We present an attack on hardware security modules used by retail banks for the secure storage and verification of customer PINs in ATM (cash machine) infrastructures. By using adaptive decimalisation tables and guesses, the
maximum amount of information is learnt about the true PIN upon each guess.
It takes an average of 15 guesses to determine a four digit PIN using this technique, instead of the 5000 guesses intended. In a single 30 minute
lunch-break, an attacker can thus discover approximately 7000 PINs rather than 24 with the brute force method. With a $300 withdrawal limit per card, the potential bounty is raised from $7200 to $2.1 million and a single motivated attacker could withdraw $30{50 thousand of this each day. This attack thus presents a serious threat to bank security.

-- Mike Bond and Piotr Zielinski
Decimalisation table attacks for PIN cracking
February 2003

-----

From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
To: ukcrypto@chiark.greenend.org.uk
Subject: Yet another failure of commercial cryptographic equipment
Date: Tue, 18 Feb 2003 17:52:13 +0000

I gave a talk at Cambridge yesterday in which I described a new and interesting family of attacks on cryptographic equipment. These attacks defeat machines such as the Racal RG7000 and the IBM 4758/CCA which are commonly used to protect the PINs and keys used in automatic teller machines.

The paper is available online at:

http://research.microsoft.com/~aherbert/volume63.p df [4.8MB]

as pages 27-30 in the PDF. [HTML below]

I got a fax yesterday informing me that an application is to be brought in the High Court, it seems by Citibank, on Thursday 20th February for `relief in relation to the protection of nformation which they accept as being confidential and which ought not to be in the public domain.'

I hope that no English court would go so far as to censor already published material. However, one just can't tell these days ...

Protocol Analysis, Composability and Computation

Ross Anderson, Michael Bond

University of Cambridge, England

Security protocols early days

The study of security protocols has been associated with Roger Needham since 1978, when he published the seminal paper on the subject with Mike Schroeder [1]. The problem they investigated was how to distribute cryptographic keys in a network of computers. One solution is to have an authentication service with which all the principals share a key; then if Alice wants to chat with Bob (for example) she can call the service and get two encrypted messages containing the same session key one encrypted under the key she shares with the service so she can read it, and one encrypted under the key Bob
shares with the service so Bob can read it. She can now send the second of these to Bob to establish secure communication. The mechanism that Needham and Schroeder designed for this evolved into Kerberos, which is now part of Windows and is probably the most widely used of all uthentication protocols.

Security protocols are now embedded in a great many applications, but it is common to find unexpected bugs in them. For example, many banks used to encrypt each customers PIN using a key known to their ATMs and write it on the ATM card magnetic strip. The idea was to provide a limited service when the network was down. Years later, a villain discovered that the account number and the encrypted PIN were not linked: he could make up a bank card with his own encrypted PIN but someone elses account number, and loot their account. He went on to steal a lot of money, and once in prison wrote a manual telling everyone else how to do it too. The banks had to spend millions on changing their systems.

Clarifying the assumptions

Researchers started to gnaw away at the protocols described in the literature and found fault with essentially all of them. The failure to bind protocol elements was one frequent problem; another was that old messages could be
replayed. In the case of the original Needham-Schroeder protocol, for example, the freshness of the key generated by the server was guaranteed to only one of the principals. This was not necessarily an attack, as its inventors only
claimed to protect honest insiders from dishonest outsiders. However, it led to a debate about the assumptions underlying security protocol design.
Do we protect only against outsiders, or against insiders? Against the malicious, or the merely careless? For example, if we use timestamps to guarantee protocol freshness, are we vulnerable to principals who carelessly let their clocks
run slow? Do we only consider an attacker to have won if he can impersonate an authorised principal, or do we need to stop people abusing the protocol
mechanisms to perform a service denial attack?

The early attacks led to a second seminal paper, which Roger wrote with Mike Burrows and Martin Abadi in 1989 [2], and which introduced a logic of
authentication. This enables an analyst to formalise the assumptions and goals of a security protocol, and to attempt to prove its correctness. When a proof cannot be found, the place at which one gets stuck often shows where an attack can be mounted. This style of analysis turned out to be very powerful, and a large literature quickly developed in which the BAN Logic
and other formal tools were developed and extended to tackle a range of problems in protocol design.

One of the remarkable things about the study of security protocols is that they have not become a solved problem. One might think that managing the
objects associated with authenticating users over a network passwords, keys and the like was a fairly compact problem which would have been done to death within a few years. However, the more we dig, the more we find.

Since 1992, Roger has hosted a protocols workshop every Easter. Early events dwelled on matters of authentication and logic, but by the mid-90s, the growing interest in electronic commerce was yielding papers on mechanisms for micropayments, bets, streaming media, mobile communications and electronic voting. Later years brought work on PKI, trust management and copyright enforcement. More and more problems come along as more and more businesses reinvent themselves online; threat models have also become more realistic, with dishonest insiders displacing the mythical evil hacker on the Internet.

Dishonest insiders, and the composition problem

Over the last two years, we have been exploring exactly how one might re-engineer cryptography to cope with dishonest insiders. One conclusion is that the analysis of security protocols must be extended to application programming interfaces. This is because the crypto keys used in authentication and payment protocols are often kept in separate hardware security processors, or at least in cryptographic libraries, to which access can be restricted using physical or logical mechanisms. However, an interface has to be exposed to the application program, which will occasionally be suborned whether by a corrupt insider, or by malware. How much harm can be done, and how can we limit it?

Protecting protocols was hard enough, and yet the typical protocol consists of 35 messages exposed to manipulation. The API of a modern crypto library or hardware cryptoprocessor may contain 30500 callable functions, many with a range of options. This provides a very rich and complex environment for mischief.

Attacks often involve using two separate echanisms provided by the cryptoprocessor for different purposes, each of which could be innocuous by itself but which combine to cause trouble. For example, it is common to compute a customer PIN by encrypting the account number with a PIN
derivation key: the cryptoprocessor then returns the PIN encrypted with a PIN storage key, so that the application has no access to its clear
value. So far, so good. Then there is another transaction that can be used to encrypt a communications key under the terminal key loaded in an ATM. Here things start to go wrong, as the cryptoprocessor does not distinguish between a terminal key and a PIN derivation key; it considers them both to be of the same type. The upshot is that an attacker can supply the device
with an account number, claiming that it is a communications key, and ask for it to be encrypted under the PIN derivation key.

Attacks like this extend protocol analysis all the way to the composition problem the problem that connecting two systems that are secure in
isolation can give a composite system that leaks. This had previously been seen as a separate issue, tackled with different conceptual tools.

Differential protocol analysis

We are now working on the second generation of API attacks, which exploit the application syntax supported by the cryptographic service. These attacks are even more powerful, and at least as interesting from the scientific point of view. PIN generation provides a neat example here too. In more detail, the standard PIN computation involves writing the result of the encryption as a hex string and decimalising it. As some banks like to let customers change their PIN to a more memorable number, there is a provision to add an offset to give the PIN that the customer actually enters:
Account number: 8807 0123 4569 1715
PIN derivation key: FEFE FEFE FEFE FEFE
Encrypted account number: A2CE 126C 69AE C82D
Natural (decimalised) PIN: 0224
Offset: 6565
Customer PIN: 6789

The typical implementation requires the programmer to send the cryptoprocessor the account number, a table describing the decimalisation (here, 0123 4567 8901 2345) and the offset. The processor returns the PIN, encrypted under the PIN storage key. The designers do not seem to have realised that a crooked programmer can manipulate the decimalisation table and the offset as well as the account number. A multitude of attacks follow. For example, one can send in an account number with a decimalisation table of 1111...11 to find out the ciphertext corresponding to a clear PIN of 1111, and then with a decimalisation table of 0111...11 to see if there is a zero in the first four digits of the encrypted account number (if so, the PIN, and thus the ciphertext output, will be different). By manipulating the decimalisation table further,
he can get all the digits in the PIN, and by then playing with the offset he can get their order. In total, the attack requires only 1525
unprivileged cryptoprocessor transactions to discover the PIN on a single target account.

This second type of attack takes protocol analysis into yet another realm: that of differential attacks. Over the last ten years, a number of techniques have been invented for attacking cryptographic systems by bombarding them with inputs with chosen differences.

For example, in differential cryptanalysis, one analyses the changes in the output of the encryption algorithm; while with differential power analysis, one measures changes in the current consumption or electromagnetic emissions
of the equipment. Now we have examples of how consecutive runs of a protocol can leak information if the inputs are suitably chosen. The resulting differential protocol analysis appears to be very powerful against
application-level crypto.

It will take us some time to figure out the general lessons to be drawn from attacks like this, the robustness principles that designers should use to avoid them, and the analysis techniques that might assure us of a particular
designs soundness. The randomisation of all protocols (another feature of Rogers work) is likely to be important.

Quantitative analysis and multiparty computation

Various researchers have speculated about whether there might one day be a quantitative analysis of protocol security. This might be feasible for
PIN processing applications as we can measure the information leakage per transaction in terms of the reduction of entropy in the unknown PIN. This
leads in turn to a possible real-world application of an attack previously considered theoretical.

Gus Simmons wrote extensively on covert channels in protocols. One such channel that is always present is the balking channel when one of the principals in a protocol signals something by halting and refusing to continue. This is normally considered unimportant as its information capacity is only a third of a bit per transaction. But with systems designed to cope
with large transaction volumes, this need no longer hold. For example, a Trojanned cryptoprocessor could balk when it sees a redetermined PIN. If the PIN length were eight digits, this would be unlikely to hinder normal
operation, but at a thousand transactions a second, a programmer could quickly find a number in a typical nine-digit account number range with just this PIN, and open an account for it. Once this kind of problem is appreciated, one can start to look for attacks that involve inducing rare error conditions that cause the cryptoprocessor to abort a transaction. (They exist.)

A third emerging link is between protocol analysis and secure multiparty computation. In application-level crypto we may have several inputs to a computation, some of them coming from an untrusted source, and we have to
stop users manipulating the computation to get outputs useful for bad purposes. In the PIN decimalisation example above, one might try to solve the problem by blocking tables such as 1111...11. Yet an attacker can get by with scarcely more work by using two normal-looking tables that differ slightly (another kind of differential attack). We might therefore think that if we cant sanitize the inputs to the computation, perhaps we can authenticate them,
and use only those tables that real banks actually use. But building every bank in the world into our trust base is what we were trying to avoid by
using cryptography!

Conclusion

The protocol work that started off a quarter of a century ago may have seemed at the time like a minor detail within the larger project of designing robust distributed systems. Yet it has already grown into the main unifying theme of security engineering. Application-level protocols, and especially those from which an attacker can harvest data over many runs, open up new problems.
The resulting analysis techniques are set to invade the world of composable security, and the world of multiparty computation. The influence, and the consequences, of Rogers contribution just keep on growing.

References

1. NEEDHAM, R.M. AND SCHROEDER, R.M.,
Using encryption
for authentication in large networks of computers. Comm. ACM, vol.
21, no. 12, pp. 993-999, 1978.

2. BURROWS, M. ABADI, M. AND NEEDHAM, R.M.,
A
logic of authentication, ACM Transactions on Computer Systems,
vol. 8, no. 1, pp. 18-36, 1990.

There have been various attempts by Fundamentally Clueless People to try to get Google regulated by Somebody, Anybody, Especially the Government, preferably by the FTC (because Google is alleged to be essentially a public utility) or at least to get the Ralph Nader folks turned on to Google-Bashing. After all, if Google claims to try to rank the most interesting and relevant topics high in its list, and you're not one of them, that's Just Not Fair! , and at least some arguments from Brandt or people like him want the government to force Google to rank things fairly. Well, duh! The reason everybody uses Google instead of some of its competitors is *precisely* because it usually does a really good job of finding the things everybody is looking for, as opposed to Displaying items 1-10 of the 13122319084324 web pages matching your search in no particularly useful order, and covers a reasonable fraction of the material on the web. The beauty of open technologies like the web is that if you don't like the pagerank, you can go make one of your own; instead of convincing the government Google to change its search order to work the way you want it to, you can just as well run your own search engine or convince your favorite Feds to run their own Politically Correct Search Engine. Meanwhile, if they mess up Google too badly, we'll have to go find something else anyway, and if some liberal-intentioned luser convinces the Feds to mess up all the US search engines, we'll use one from somewhere else, but that's degrading the value of Google for the whole world community, while running your own competitor engine is potentially very valuable to the world (if you're good at it, either as a standalone site or an additional-searches site), or at least neutral.

An entirely different attempt to control Google was the Search King lawsuit. (Slashdot story, LawMeme article.) Unlike Brandt, who's a clueless whiny-liberal type who knows fairness better than you do, Search King was merely greedy, a parasite that tries to sell people a service of improving their Google ranking and then whined because Google downrates sites that try to manipulate their rankings so that their boring pages show up before more genuinely interesting pages. (Of course, Google _will_ be happy to provide you a sponsored-listing ad entry if you pay them, but those are at least visually distinguishable.)

when they get cornered no ?
not that iam one to point fingers

http://research.yale.edu/lawmeme/modules.php?name= News&file=article&sid=807

Also see: NIKOLA TESLA 1856 - 1943 FORGOTTEN AMERICAN SCIENTIST

"ERASED AT THE SMITHSONIAN

OMITTED IN SCHOOL TEXTBOOKS

OMITTED IN TECHNICAL JOURNALS

UNKNOWN, EVEN TO SOME ENGINEERS"

The above page is in co-operation with Yale Scientific Magazine, who has this story: To the Smithsonian or Bust: The Scientific Legacy of Nikola Tesla

The ancient Romans knew what they were doing when they made their laws accessible to everyone in a public place. Here's an introductory article, explaining why this was important, and here's the surviving text.

Of course, maybe in the last two and a half thousand years the patrician aristocracy has once again risen into the ascendent, unfettered by uppity tribunes of the People.

I can understand how the duty of candor is generally important, and admire the forensic work of the wuthor, but don't understand how using a shell assignee is significant. Companies do this sort of thing to keep competitors in the dark, and I don't see how it is fraudulent.

So ... can anyone explain how this is significant? How can it be used to conceal prior art? Ideally, shouldn't the examiner be blind to the identity of the applicant/assignee, to avoid bias? It just seems like an academic Q.

"Inventiveness" is one of the last words I associate with Microsoft. While we're on the topic, and off topic, any predictions for the year Microsoft goes out of business or gets bough out? I'm thinking 2022.

Citizen? Aren't you folks in GB subjects? God save the Queen, and all that.

No. See, for example, this page on the site of the Australia British embassy.

You are right. In the UK, the government can outlaw people with red hair if it wants, and there is not a thing that anyone can do about it. There is no supreme court to go to to fight bad laws.

Just because it's not called the Supreme Court doesn't mean there isn't a highest court of appeal (which is all the US Supreme Court is). There is. It's the House of Lords. Like every other court of appeal in Britain and America, its job is primarily to decide on matters of law, not on the merits of legislation or the verdict reached in the case (unless there was a problem with procedure or there is new evidence).

And (notwithstanding the present government's efforts to do away with them) we have Jury trials and the principle of double jeopardy.

No written constitution. No bill of rights.

No we don't have a single codified document called a Constitution. But, we do have a Bill of Rights, passed in 1689 during the Glorious Revolution, on which the american Bill of Rights was in part based. It mainly concerns itself with defining the separation of power between monarch and parliament (and limiting the monarch's power). In addition we have Magna Carta which guarantees some basic rights like due process.

Only recently has the UK been forced to obey some kind of written code on human rights, by virtue of its being a part of the EEC.

Wrong again. Britain acceded to the Council of Europe (the treaty organization from which the European Court of Human Rights derives - note that this is NOT the same as the European Union, EEC or any of its predecessors) nearly 50 years ago (the treaty came into effect on 3rd September 1953). Furthermore we are a signatory to the UN Universal Declaration on Human Rights.

All this having been said, the UK is more free than the USA. Its hard to believe, but it really is true. Statring with the absence of an SSN here, the british are free to travel, theier driving licences dont have pictures, and you can say whatever you want, whenever you want.

The driving licenses do have pictures - and have had since (if memory serves me correctly) 1998. The new photocard driving licenses are almost always considered good enough ID to prove you are of legal age to drink (18). Many people saw them as the beginning of a national ID card scheme by the back door.

We do have social security numbers - everyone is supposed to be sent a number on their 16th birthday or before if they ask (you need one to work legally and to claim benefits; and also for some other things like reciprocal healthcare arrangements in the EU).

And of course we still have laws against treason, the various incitement laws, very prosecution-friendly libel and slander laws, the blasphemy law (still on the books but not sucessfully used since the early 20th century), and the Official Secrets Act to name but a few which have effects on free speech. In my memory at least once a year a major newspaper has had a High Court injunction put on it by the government to prevent it publishing a story considered embarrassing to the government (although these have often later been removed on appeal), and several important trials are effectively conducted in secret due to reporting restrictions - eg the David Shayler case.

Until the 1960s if you wanted to publicly show a play the Lord Chamberlain's office had to approve it and could first censor it (a tradition which went back at least as far as Shakespeare's time).

The compromises here are gentlemens agreements. There is a flexibility here that doesnt exist in other countries. Britain doesnt look free on paper, but in reality, its a very, very good place to live.

I would have to disagree here. Britain is a free country because it is a stable country. There has not been a successful invasion since 1066. The laws and systems of government have evolved and many hard-fought battles for freedom centuries and decades ago have been allowed to settle in over time. We have a pretty independent judiciary and had a very independent upper house (although it will in future be all-appointed by Blair from what I hear), and a constancy in our current long-serving monarch who has seen 10 Prime Ministers in her time. We have a reasonably competent and professional (if perhaps self-serving) civil service. We have had relatively good economic fortune over the last two centuries or so (as a nation), 500 years of falling levels of crime and have been a major player on the international stage meaning we could shape the world more to suit us.

In America, these things are simply not there - so there are things like the constitution to protect the people from their politicians instead.

Apart from that, its people are the most cultured and tolerant speakers of english on the planet.

Why thankyou!

If he wilfully infringes this rule, he may render himself liable to a restriction of the privileges accorded to his rank or status.

the searchking law suit aginst google's page rankings. I wonder if they will file a similar motion to dismiss based on the fact that ebay didnt do anything wrong. See Here for the section on the The motion to dismiss in the search king case

On LawMeme, Ernest Miller says this about the "God's Machine" quote:

This gives me an idea. Perhaps we should start a fund to buy every member of Congress a TiVo or, preferably, a ReplayTV. If enough money is raised, perhaps one device for every member of the federal judiciary as well, at least the appellate level.

Apologies if this has been posted already, but I couldn't find it anywhere on here.

There is a reason for this distinction, by the way.

Firewire (IEEE1394) is SCSI (scroll to the bottom).