Before the election, I kept hearing all this talk of anti-incumbency and people being mad at both parties for screwing up. And yet, 85% of incumbents that were running for re-election won. Thank you, Mr. Jerry Mander.
There was a lot of talk about the Republican filibuster for various bills, but there was never actually any filibuster.
In the strict classical sense, you are correct. However, that's not how the Senate works anymore. If the minority party threatens to filibuster, the majority simply does not bring the vote to the floor, unless they know they have 60 votes. Basically, both sides have become so damn lazy that they won't even fight for their bills and call the other side's bluff. Yet more evidence that the two-party system sucks.
Did you read then Solicitor General Kagan's argument that basically said "Yeah, this legislation gives the Feds the power to ban books[emph. added], but that's irrelevant because we would never do such a thing."
Kagan said no such thing.
Yes, actually she did. [...] She is arguing that the law DOES cover books but you don't need to worry about it because the Government has never tried to regulate books and if it did there would be grounds for a legal challenge[emph. added].
*Sigh*. WTF? How can you guys take yourselves seriously when you are so clearly taking many things out of context and (intentionally?) misinterpreting clear sentences?
Kagan's quote: "It is still true that BCRA 203, which is the only statute involved in this case, does not apply to books[emph. added] or anything other than broadcast; 441b does, on its face, apply to other media." So part of the law actually under consideration (BCRA 203) does not apply to books, but another section (441b) does. So what is 441b? The first part of the text of that statute reads:
It is unlawful for any national bank, or any corporation [...], to make a contribution or expenditure in connection with any election to any political office[...]
The statute goes on to prohibit unions from making such contributions to federal elections (President, VP, Senate, etc.).
Let me make this very clear: This statute in no way gives the government the power to ban books. And Kagan was making no such claim. Rather, by stating that 441b applied to books, Kagan's argument was as follows. If a corporation paid for the publication of a book that was intended for the purposes of electioneering, that corporation has broken the law. The electioneering element is very clear. This does not apply to books in general. The book has to target a specific candidate and be published in the area where it would have an impact on a particular election. Furthermore, 441b only applies if the publication of the book was paid for by a corporation. If a private individual wanted to publish a book attacking a candidate, 441b does not apply. If a political action committee or a non-profit group or any collective group other than a corporation or national bank paid for the publication of such a book, 441b does not apply.
Even if the statute does apply, the book would not be banned. Rather, the corporation would face prosecution under the statute. In addition, publication of the book would be delayed at most, so as not to sway the electorate. Once the election is over and publication of the book holds no power over that particular election, publication would be allowed to proceed. Of course, as Solicitor General Kagan pointed out, even if there were a book that met all the criteria (corporate-funded solely for electioneering), which is very unlikely, courts would most likely allow the immediate publication because there is a strong argument for a legal challenge. So she is stating that if the government tried to pull such a trick, they'd almost certainly lose.
Finally, note that 441b does not apply to general political speech. Corporations can gladly pay to make Fahrenheit 9/11 or publish Ann Coulter's books, or any other such screed, because those works do not fit the criteria of electioneering. While candidates may be singled out, they are never done so individually. Fahrenheit 9/11, for example, took aim at the culture of the federal government after 9/11. Sure, it takes plenty of shots at Bush. But it also talked about the invasion of Iraq, 9/11 itself, the impact on people, how everyone in Congress (except Feingold) voted for the USA PATRIOT Act without reading it, etc. Political? Yes. Electioneering? No.
This is all a far cry from the suggestion that Kagan was claiming the federal government had the power to ban books.
Let's face it, Facebook users have the same view of privacy Zuckerberg has: they don't value it and they don't understand why anyone would (unless, of course, they had something to hide).
On the contrary. I'm a Facebook user and a privacy advocate. I also have many friends (some of whom are privacy researchers) who feel the same. I know quite well the value of privacy, and I do not give it up lightly. Instead, I view the sacrifice of a small amount of privacy (which I control by limiting the amount of data that I publish) to be the price that I am paying for using the service. I have friends all over the world, and Facebook provides the common platform that we use to keep in touch. Thus, it's not as simple as saying that I don't value privacy. Rather, I have found that the cost-benefit analysis Facebook offers is quite nice for my purposes.
Freedom of speech is about expressing beliefs and opinions and facts[...]
Citation please. If this is true, then why are things like art and porn protected on grounds of free speech? There is plenty of free speech that has nothing to do with beliefs, opinions, or facts. I believe what you mean is that any speech that doesn't violate the Harm principle is protected speech.
Depending on the country, though, there actually are plenty of reasons to curb free speech and expression. Countries like China, North Korea, and Iran do it to keep their governments in power. I'm not saying they're good reasons, but they're reasons nonetheless.
As for corporate personhood, it's actually kind of funny if you look at the history. The court didn't actually decide that corporations were people. Instead, the court reporter inserted a remark into the record that has since been interpreted to grant corporate personhood. So it's been used as precedent, even though that is not what the case actually decided.
"If you aren't paying for the product, you are the product." (I wish I could claim credit for the quote, but I can't. And I've heard it from so many sources that I don't know the origin.)
Oh, gimme a frickin' break. The sooner the precious little froshie lardflakes learn not to click every attachment from a seemingly trusted source, the better.
See my response above. Assuming that they will actually learn the lesson here requires a big leap of faith (and naivete and a lack of experience studying how well "user education" solves security problems).
God forbid we make someone feel bad as a learning experience, the lawyers would descend like... Well, like lawyers.
Again, making students feel bad is not an effective teaching technique. It may work on some, but it will completely backfire on others and you've completely lost them for good. And you don't really have to worry about the lawyers as much as the parents. Yes, the parents. Even in college.
The gap between my suggestion and what those researchers did is pretty wide. My idea:
o Doesn't involve bilking people out of their private credentials;
o Would be limited to a class studying malicious software (how's that for an appropriate context)
o Involves a known-harmless teaching payload;
o Would be fully understood and removed by students at the end of the class.
Actually, it's not as wide as you think. The researchers did not collect any of the personal data. They simply provided a message that this could have been a scam. So the "payload" there was also harmless. The outrage wasn't about any stolen data. The outrage was completely about the deception. Even after the administration placated fears that the students had about identity theft, the uproar continued. Also, the class isn't focused on malicious software. That's just the topic of this lesson. The class is a 101 introduction to computing. If this were a more advanced class...maybe...given the circumstances. But this is absolutely not the right audience for this kind of lesson.
As for the harmless payload, how does the student know that? All the student sees is that they clicked on something and the teacher infected their computer. Sure, during the lesson, you point out how to delete the file. But how does the student know that was the only file you installed? You could have embedded a keylogging rootkit within that virus for all they know. By falling for your trick, they lose a little bit of trust in you. As a result, some of them (especially those who are not doing well and think it's because you "have it out for them") will remain suspicious and think that you've planted something nefarious on their computer. Without that trust, you can't convince them otherwise.
As for the lesson being "fully understood [...] at the end of the class," that's just wishful thinking. After all these years, everyone now knows not to click on email attachments, right? Apparently not. I remember reading some commentary once (I think it was Adam Shostack) that pointed out that user education doesn't work. Many, many people who have undergone security training get phished, install viruses, etc. Why is phishing still a problem? Because it works. Social engineering is effective. All you have to do is surround that link with some text about getting rich fast, seeing celebrity X naked, losing 50 pounds in a week, etc., and you will get some hits. Even from people who have been trained to know better.
Most likely, some of these students will (in the short term) not click on anything they get via email, even if it's legitimate. After a while, though, the lesson will fade, they'll become complacent, start clicking on things...and we're back at square one. Many of the students will still click on attachments, thinking they're safe. After all, this attachment isn't called "CS101-Example.exe" so it must be safe, right? "What do you mean I got a virus? All I did was open this .doc file. It wasn't a .exe!"
Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.
I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they c
Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.
Market share, yes. Vulnerabilities in Windows code...eh, not so much any more. It may not be the most popular thing to say around these parts, but MS has made great strides in adopting and pushing secure coding techniques. These days, the most culpable are third-party developers, especially device drivers. Sure, you can argue that Windows' access control policies allow it, but that's not what you said above. But I'm just being nitpicky.
Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.
Are you insane?!? Absolutely DO NOT DO THIS!!
I remember a few years ago when researchers at Indiana University conducted a study on phishing. Basically, they set up a web site and lured students to enter their credentials. The s*** storm that erupted was immediate and furious. The only thing that saved these researchers' jobs was that they had worked very closely with the school's Institutional Review Board (IRB) to make sure that they were adequately ensuring (among other things) respect for persons. Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.
Exactly the same as getting cancer after choosing not to pay for health insurance.
Well, yeah, it'd be exactly the same if every physician refused to give you chemotherapy, even if you offer to pay out of pocket. Fortunately, the medical profession is regulated and they have to follow the Hippocratic Oath.
Exactly! Clearly, the state of Tennessee has laws forbidding anyone from offering a private fire service. Oh wait...they haven't.
Look, privatized fire departments don't work. They don't make economic sense. To understand why, look into decision theory, specifically areas like Dempster-Shafer theory. When the level of uncertainty rises, people become significantly more risk averse. Consider the following games:
Game 1: Flip a fair coin, and pick heads or tails. If you're right, you win $100. If you're wrong, you lose $100.
Game 2: Flip a biased coin, and pick heads or tails. By biased, it either comes up heads 9999 times out of 10,000, or it comes up tails 9999 times out of 10,000. But you don't know the bias. If you're right, you win $100, and if you're wrong, you lose $100.
Now here's the catch: You have to play the games 10,000 times, and you have to always pick the same way. So once you choose "heads," you're always choosing heads.
Which game do you choose? Clearly, game 1. Since you know the coin is fair, you'll be right about half the time and wrong about half the time. So you'll break even. Now look at game 2. If you guess correctly, you'll win 9999 times and lose once. That means you would win $999,900. If you guess wrong, you'll lose $999,900. But look...the expected value is still $0! So, according to basic probability theory, there's no rational reason to pick game 1 over game 2. But when you start considering factors such as the uncertainty about the probabilities, changes in the possible payoffs, etc., things become more complicated, and most people become risk averse.
Now, let's return to the privatized fire department world. Does your neighbor subscribe to a fire service? More uncertainty. Is your service really the best you can get? Perhaps your service's company policy is to only attempt to fight the fire after 99% of the house is burned down. (Sure, you could read their policy, if disclosure was required by evil government regulators. And clearly no company (cell phones *cough cough* credit cards *cough*) has ever used intentionally complicated policies to mislead their customers.) More uncertainty. Competing fire services have a vested interest in your service doing poorly (i.e., more business for them later on). Are those competing services doing unethical things that could interfere with your fire service? More uncertainty.
There is considerably more uncertainty in privatized services like this than in public systems. As a result, subscribers would be significantly more risk averse...which means the market would establish a significantly higher equilibrium point, based on higher demand. Such privatized services will impose a larger total cost on everyone. Also, since the vast majority would subscribe in the privatized version (because they're risk averse), that means that the average cost per person would also probably be higher in a private system. The only way the average privatized cost would be lower is if the overwhelming majority of fires happened to non-subscribers (meaning they would pay most of the costs).
At the end of the day, free market zealots that argue for the privatization of everything don't understand economics, don't understand human nature, or are simply being irrationally dogmatic. Or some combination thereof.
And just to prevent any ad hominem rebuttals that I'm an evil, commie, Marxist, socialist, fascist... I'm not arguing against all private enterprise. I am simply pointing out that, in some areas, yes, a government-run solution can be less costly than a private solution, and just as efficient.
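The two coin games above can be worked through numerically. The following is an added example, not part of the original comment: it uses the thread's own numbers (10,000 plays, $100 stakes, a 9999/10,000 bias) and, beyond the expected value the comment discusses, also reports the standard deviation of the total and the worst-case scenario expectation (the maxmin criterion that ambiguity-averse decision rules such as those built on Dempster-Shafer theory favour). The scenario weighting of one half for "you picked the favoured side" is an assumption made here for the example.

```python
import math

FLIPS = 10_000   # number of plays, as in the comment
STAKE = 100      # dollars won or lost per play, as in the comment

def bet_stats(p_win, flips=FLIPS, stake=STAKE):
    """Mean and standard deviation of the running total after `flips`
    independent bets that each pay +stake with probability p_win and
    -stake otherwise."""
    mean_per = stake * (2 * p_win - 1)
    var_per = stake ** 2 - mean_per ** 2   # E[X^2] = stake^2 for a +/-stake bet
    return mean_per * flips, math.sqrt(var_per * flips)

def analyse_game(scenarios):
    """scenarios: list of (scenario_probability, p_win_in_that_scenario).

    Returns the overall expected total, the standard deviation of the total
    (mixture over scenarios), and the worst-case scenario expectation, i.e.
    what a maxmin (ambiguity-averse) player would look at."""
    scenario_means = []
    expected = 0.0
    second_moment = 0.0
    for weight, p_win in scenarios:
        mean, std = bet_stats(p_win)
        scenario_means.append(mean)
        expected += weight * mean
        second_moment += weight * (std ** 2 + mean ** 2)
    std_total = math.sqrt(max(second_moment - expected ** 2, 0.0))
    return {
        "expected": round(expected, 2),
        "std": round(std_total, 2),
        "worst_case": round(min(scenario_means), 2),
    }

def game1():
    # Fair coin: one scenario, p_win = 0.5 whichever side you commit to.
    return analyse_game([(1.0, 0.5)])

def game2(bias=0.9999):
    # The coin favours one side 9999 times in 10,000, but you don't know
    # which. Assumption for this example: the side you commit to is the
    # favoured one with probability 1/2.
    return analyse_game([(0.5, bias), (0.5, 1 - bias)])

if __name__ == "__main__":
    print("game 1:", game1())
    print("game 2:", game2())
```

Both games come out with an expected total of $0, which is the comment's point. What separates them is everything else: game 1 has a standard deviation of $10,000 and a worst-case expectation of $0, while game 2 has a standard deviation close to $1,000,000 and a worst-case expectation near -$1,000,000. A player who weights the worst case (or simply dislikes variance) rationally prefers game 1 even though plain expected value is indifferent.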
For those of you that say "Why didn't they put it out when the guy pleaded to pay the $75?"
First correction: He did not offer to pay $75. He offered to pay whatever the cost to put out the fire.
If they agreed to this EVERYONE would fail to pay the $75/year and they'd just offer to pay after the fire dept came. You have to realize that it costs a lot more than $75 to pay for FD services. The $75 is effectively an insurance, $75 alone doesn't come anywhere NEAR the cost of putting out a single fire.
You are exactly right. So clearly, just billing the $75 is not adequate. So, like you said, treat it as insurance. Consider the parallels to the medical world (at least the idealized version of it). If you have health insurance and go to the emergency room, you pay $X, which is significantly less than the actual cost of service. If you don't have insurance, you have to pay for the actual services used. So do the same thing in this situation. The invoice could be:
8 firefighters, billed at $200/hour for the duration. If it takes 3 hours of work, that's $4800.
$5000 for use of the truck.
$1000 for the water.
$500 for the call to dispatch.
Grand total: $11,300
Again, that's what the guy offered to pay...not just the $75. Basically, it comes out to skipping the $75 payment for 150 years. To me, that's plenty of incentive to pay $75 a year for guaranteed service.
Interesting follow-on to this story: One of Cranick's relatives later went to the fire station and punched the chief that ordered the firefighters not to put out the fire (even though they were on the scene). He's now been charged with assault, but I know a lot of people who want to contribute to the guy's legal defense fund.
Uh, what exactly is news about that at all? He can burn books all day long as I care. Does it matter which ones, except for the fact that glossy paper doesn't burn as good?
YES!
Statements like this completely ignore the power of symbolism. If I were to urinate on a crucifix in public, does that mean upset Christians would be overreacting? I mean, come on, it's just a couple of sticks with a statue on it, right? What about if somebody were to put a big cross on an African American's lawn and set it on fire? Clearly, they'd only be upset because you trespassed, right? Burning a Qur'an is much more than just burning a book. (I would say the same thing if the moron was burning a Bible, the Gita, or any other holy text.) It is burning a religious symbol and showing utter contempt and disrespect for others' beliefs. The fact that the text is considered sacred by that religion's followers does make the act different than burning, say, Animal Farm.
And, yes, a public burning of the Qur'an in the current environment is drastically more of a problem than burning any other religious text. The reason is that there are many, many Muslims who feel that the U.S. and its allies are trying to wipe out Islam, not just terrorists. Acts like this offer yet more evidence to them, making them more likely to take up arms against our troops. GWBush may have been overly simplistic in his world view, but he was at least intelligent enough to understand the importance of this point.
Burning that particular book may not seem to affect you, leading to your indifference. However, burning the Qur'an will actually cost you money, because it makes our involvement in the Middle East more complicated, leading to a longer war there. Or, the extremists may choose to take their frustrations out by bringing the conflict here, like they did on 9/11. You need to accept that the reality of the world requires that we can't just piss everybody off without repercussions.
They should hire people who are actually good at teaching for this job.
...if only it were that simple. I'm a year away from finishing my Ph.D. at a major research university. My motivation has always been to teach at the college level. I just do not find high school material interesting. Give me some undergrad-level cryptography, OS, theory of computing...that's fun material. Sadly, here's what I've learned from my years in grad school:
Great research + mediocre teaching = tenure
Mediocre research + great teaching = fired
(Technically, you're not fired...just denied tenure. However, when you're hired, you're given a 7-year contract that is only extended by tenure. Otherwise, when your 7 years is up, so is your job.)
At a university, research is everything. The rule of thumb that I've been told is that the time spent preparing to teach should be the same as the time spent actually teaching. So if you teach a 3-credit hour class (2 days a week, 75 minutes each class), that means you should spend 2.5 hours per week preparing your lecture. Anything more than that, and you're taking away from your research.
The reason for so much emphasis on research is money. At a research university, you are expected to bring in money in the form of research grants. How do you get a grant? By demonstrating that you have a history of successful research (i.e., a large number of publications). So it's not only tenured professors that are obsessed with publishing, it's the entire faculty. And it's because that is the single biggest factor in keeping your job.
The emphasis on bringing in external grant funding is getting even stronger, because the amount of money that universities are receiving from the state and federal governments has been plummeting in recent years (20-30). Part of that is the "fiscal conservatives" obsession with tax cuts, rather than having an actual balanced budget. By cutting taxes and government revenues, you are cutting university operating costs. At the same time, there has been a philosophical shift in the populace. Years ago, people were more likely to support public funding for schools, because the perception was that college students would ultimately go on to benefit society. So society helped the students out by contributing to the cost of education. Now, the perception is that people go to college are doing so for the selfish benefit of a better job. As a result, people feel less inclined to help pay for others' education. I'm not passing judgment on these views, just stating them as reasons that the budget has shifted.
The decreased government support also means that universities have to pass more of the cost on to students. That's why tuition has been rising at double the cost of inflation. To make matters worse, states like CA kept their tuition artificially low for years. That's why there was a huge increase last year (something like 30%, if I remember correctly).
Given all of these money issues, you can now see why there are so many crappy teachers at research universities. In an ideal world, these universities would hire a teaching faculty and a research faculty. But that's just not feasible financially. If hiring committees have to pick, they'll always favor the candidate with the stronger research background.
These types of studies and discussions seem (to me) to be based on a completely flawed premise, which is that religion is such an important topic that everyone must talk about it. Why are there no studies examining why scientists don't talk openly about art, music, architecture, politics, pro sports, etc.? What makes religion so important that my unwillingness to discuss it openly is perceived as a character flaw?
It seems to me that those outside the scientific community have no understanding of the culture of scientists. We care about facts, not opinions. We are trained to make assertions only when we can do so with appropriate authority and evidence. You can't make a living as a scientist by making bold statements without empirical results to support your claims. As a result of this training, most scientists shut up when the discussion moves away from their areas of expertise. If I am sitting with a group of biologists, I won't make any claims regarding the veracity of evolution. I'll let the others talk and learn from what they say. My opinion is irrelevant.
The problem with this culture is that it assumes mutual respect and good faith. People who are motivated by religion do not share our restraint. That is, they do not experience discomfort when speaking without being able to cite the relevant study or journal paper. They are more willing to assert an opinion, and feel that it should be respected irrespective of others' opinions. That's why you have historians and philosophers (I'm looking at you, Discovery Institute) expressing pseudo-scientific opinions that they want treated with the same respect granted to peer-reviewed work. They simply do not agree with the perspective that the methods of how you came to your opinion are more important than the opinion itself.
So I don't think scientists need to talk more about religion. We just need to do a better job of explaining why we don't talk about it.
[Obligatory disclaimer: Coming from a science background, I feel the need to state that the preceding statements are my opinions based on observations. I did not set up a proper experiment and had no control group. Hence, these statements should not be construed as fact.]
Are you serious? You do understand that all of those subjects have evolved extensively since the publication of those books. Reading Marx & Engels, Smith, and Darwin gives you a start, but you cannot possibly grasp the nuances of these systems without learning about Lenin, Trotsky, Keynes, Friedman, Mendel, Watson & Crick, etc.
Yes, editors do have power to introduce bias. But conscientious editors strive for objectivity. Furthermore, most textbooks involve some element of peer review where the editors invite colleagues to read and critique the material.
There simply is too much material on any one of these topics to read all of the original sources ever produced.
That's the approach we take for food, which unlike medical care is a constant necessity for everyone. Poor people get subsidies, but the government doesn't own or micromanage farms or grocery stores.
You've obviously never heard of agricultural subsidies. The U.S. government pays $16 billion per year (a large chunk goes to corporations like Monsanto) to make food cheaper. So, no, the government's approach to food is not capitalist. They are helping you pay for it...just without your knowledge.
Or, by being such an egregious example, it will enable more subtle violations that seem mild in comparison.
While the spying issue is certainly central to this discussion, there's another aspect that I hope gets more notice in the legal fall-out of this case. Specifically, I'm concerned about the implications regarding due process. The student was apparently punished (though it is still not clear how), even though he had done nothing wrong (assuming the Mike & Ike's story holds water). If students are raised under the assumption that they are so powerless that they can be punished even when innocent, what are they going to think when they're grown? Even though courts have consistently limited the legal protections of minors and students in many cases, hopefully they do make it clear that a single photo taken out of context is clearly not adequate to use as grounds for discipline.
There was no evidence of any laptops being stolen, therefore the system shouldn't have been turned on to begin with. The only reason the cameras were turned on would be for misuse.
That's not true, because the school's policies did not require evidence that the laptop was stolen. For instance, officials were permitted to activate the system "to find missing, lost or stolen computers, which would include a loaner computer taken off campus against regulations." See here among other stories. I've seen multiple stories that indicate the system was activated 42 times, 18 of which did help to recover lost or stolen systems.
They could get out of this much easier if they simply fired a couple of people and blamed those directly responsible, and their bosses for the policy.
It's a bit more complicated than that. Whomever you pick to fire, you must make sure that it is justified. If you fire the official that took the picture, you need to find appropriate grounds to do so. Otherwise, they could (rightfully) claim that they violated no policy and were being made a scapegoat. Then you'd be looking at a wrongful termination lawsuit, and possibly paying lost wages. Similarly, the administrators can argue that the policy was put into place to protect assets owned by the school district. So if you want to fire someone, you had better be sure that you can justify it.
One aspect that I haven't seen clarified is whether or not the student was actually disciplined. If he was just confronted and presented with a warning, he is going to have a much more difficult time proving damages in a court. If he was suspended without due process and without proof of wrongdoing, then they're screwed. Either way, though, I would be surprised if this is allowed class action status.
As much as I value privacy, I think this story has become a bit sensationalized. Based on the numerous reports I've seen, I believe this is more an example of scope creep than anything nefarious. Basically, to paraphrase a common aphorism, if I must attribute either malice or incompetence, I go with the latter. The possibility of theft does provide a legitimate purpose for the ability to remotely activate the web cam. Where the school screwed up was that they did not have any precise controls over when and how this activation can occur. My guess (I fully admit I have no proof) is that the camera was activated according to district policy, then the official panicked because they thought they saw something. To make it worse for the official, the policy probably did not offer any guidance for what to do in that situation. What if they were trying to locate a stolen laptop and witnessed a rape or murder instead?
The problem comes down to the possibility of secondary use of technology. Whenever technology is deployed that has the potential of violating the privacy of others, the policy should explicitly state under what conditions the technology can be used, including a list of the situations that officials are allowed to document based on their observations. The policy should also default to complete destruction of observed data that does not match the intent of the policy. Hence, the school district should have made the following policy:
Activation of the remote monitoring system will only be done after informing the student and parents in writing.
Activation of the remote monitoring system will never occur unless there is documentation indicating a good faith belief that the laptop has been stolen or is missing.
Data collected during activation will be restricted to the goal of recovering the lost or stolen laptop. The only exception to this rule would be if an operator, while attempting to recover a lost or stolen laptop, observes behavior that constitutes a felony; in such a case, the data will be handed over to
They got the grades because they cheated. They got the job because they got the grades.
And that's the problem. If academic recruiters placed less of an emphasis on GPA, the incentives to cheat would be greatly reduced. But given the large class sizes at universities (i.e., a lot of profs don't even know their students' names) and the large number of applications companies receive, recruiters need some sort of filter. It would be nice if they had the time or ability to perform some sort of an evaluation, but it doesn't seem to happen. In my experience, recruiters are more generally HR people and wouldn't have a clue what a B+ tree is used for.
This problem isn't going away, and the only solution that I can see is better policing by instructors.
The attack is interesting, but it's actually beyond the scope of what the TPM was designed to do. The TPM is primarily intended to provide three services: 1) hardware root of trust at boot, 2) fast and secure cryptographic operations (including key storage), and 3) remote attestation. This attack focuses on the second service, as it is designed to extract the cryptographic keys that are supposed to be stored securely. Yes, the attack succeeds and it's interesting, but a lot of people are missing the big picture.
TPMs were never designed to withstand this type of attack. With regard to "secure storage," the goal was to do something better than just storing your keys on an insecure device like a HD. The reason that this notion of security is good enough is that the TPM was also designed to be inexpensive. Would anyone buy a new desktop if the price suddenly jumped up to $10,000 for a Pentium? So the hardware protection is just supposed to provide a reasonable amount of assurance for the average user. If you're looking at highly sensitive environments (e.g., military), you shouldn't be using a TPM. There are cryptographic co-processors out there that have more robust protections against these types of attacks, but they cost a lot more.
I've seen this article in a few places (see also here) and discussed it with some colleagues (one of whom was a consultant on the design of the TPM). We had the same suspicions regarding whether or not it was an Infineon TPM or a clone.
Regarding the key question, I don't think he has actually been able to extract the endorsement key. I believe the attack is just about extracting keys generated and stored on the TPM. For instance, the CW article refers to the "licensing keys." My impression is that these are keys used by the software to ensure the Xbox 360 hasn't been modded. I don't believe you would use the endorsement key in this instance. Unfortunately, none of the articles are clear on this point.
[...] someone will eventually figure it out and implement software to do it automatically so any script kiddie can do it. Math -- crypto included -- is funny that way.
Did you read the article? The security of cryptography is based on the lack of an efficient algorithm to do things like factoring large numbers or computing discrete logarithms. This attack has nothing to do with any of that. It is about destroying the chip casing and eavesdropping on the circuitry of the hardware.
Before the election, I kept hearing all this talk of anti-incumbency and people being mad at both parties for screwing up. And yet, 85% of incumbents that were running for re-election won. Thank you, Mr. Jerry Mander.
There was a lot of talk about the Republican filibuster for various bills, but there was never actually any filibuster.
In the strict classical sense, you are correct. However, that's not how the Senate works anymore. If the minority party threatens to filibuster, the majority simply does not bring the vote to the floor, unless they know they have 60 votes. Basically, both sides have become so damn lazy that they won't even fight for their bills and call the other side's bluff. Yet more evidence that the two-party system sucks.
Did you read then Solicitor General Kagan's argument that basically said "Yeah, this legislation gives the Feds the power to ban books [emph. added], but that's irrelevant because we would never do such a thing."
Kagan said no such thing.
Yes, actually she did. [...] She is arguing that the law DOES cover books but you don't need to worry about it because the Government has never tried to regulate books and if it did there would be grounds for a legal challenge [emph. added].
*Sigh*. WTF? How can you guys take yourselves seriously when you are so clearly taking many things out of context and (intentionally?) misinterpreting clear sentences?
Kagan's quote: "It is still true that BCRA 203, which is the only statute involved in this case, does not apply to books [emph. added] or anything other than broadcast; 441b does, on its face, apply to other media." So part of the law actually under consideration (BCRA 203) does not apply to books, but another section (441b) does. So what is 441b? The first part of the text of that statute reads:
The statute goes on to prohibit unions from making such contributions to federal elections (President, VP, Senate, etc.).
Let me make this very clear: This statute in no way gives the government the power to ban books. And Kagan was making no such claim. Rather, by stating that 441b applied to books, Kagan's argument was as follows. If a corporation paid for the publication of a book that was intended for the purposes of electioneering, that corporation has broken the law. The electioneering element is very clear. This does not apply to books in general. The book has to target a specific candidate and be published in the area where it would have an impact on a particular election. Furthermore, 441b only applies if the publication of the book was paid for by a corporation. If a private individual wanted to publish a book attacking a candidate, 441b does not apply. If a political action committee or a non-profit group or any collective group other than a corporation or national bank paid for the publication of such a book, 441b does not apply.
Even if the statute does apply, the book would not be banned. Rather, the corporation would face prosecution under the statute. In addition, publication of the book would be delayed at most, so as not to sway the electorate. Once the election is over and publication of the book holds no power over that particular election, publication would be allowed to proceed. Of course, as Solicitor General Kagan pointed out, even if there were a book that met all the criteria (corporate-funded solely for electioneering), which is very unlikely, courts would most likely allow the immediate publication because there is a strong argument for a legal challenge. So she is stating that if the government tried to pull such a trick, they'd almost certainly lose.
Finally, note that 441b does not apply to general political speech. Corporations can gladly pay to make Fahrenheit 9/11 or publish Ann Coulter's books, or any other such screed, because those works do not fit the criteria of electioneering. While candidates may be singled out, they are never done so individually. Fahrenheit 9/11, for example, took aim at the culture of the federal government after 9/11. Sure, it takes plenty of shots at Bush. But it also talked about the invasion of Iraq, 9/11 itself, the impact on people, how everyone in Congress (except Feingold) voted for the USA PATRIOT Act without reading it, etc. Political? Yes. Electioneering? No.
This is all a far cry from the suggestion that Kagan was claiming the federal government had the power to ban books.
Let's face it, Facebook users have the same view of privacy Zuckerberg has: they don't value it and they don't understand why anyone would (unless, of course, they had something to hide).
On the contrary. I'm a Facebook user and a privacy advocate. I also have many friends (some of whom are privacy researchers) who feel the same. I know quite well the value of privacy, and I do not give it up lightly. Instead, I view the sacrifice of a small amount of privacy (which I control by limiting the amount of data that I publish) to be the price that I am paying for using the service. I have friends all over the world, and Facebook provides the common platform that we use to keep in touch. Thus, it's not as simple as saying that I don't value privacy. Rather, I have found that the cost-benefit analysis Facebook offers is quite nice for my purposes.
Freedom of speech is about expressing beliefs and opinions and facts[...]
Citation please. If this is true, then why are things like art and porn protected on grounds of free speech? There is plenty of free speech that has nothing to do with beliefs, opinions, or facts. I believe what you mean is that any speech that doesn't violate the Harm principle is protected speech.
Depending on the country, though, there actually are plenty of reasons to curb free speech and expression. Countries like China, North Korea, and Iran do it to keep their governments in power. I'm not saying they're good reasons, but they're reasons nonetheless.
As for corporate personhood, it's actually kind of funny if you look at the history. The court didn't actually decide that corporations were people. Instead, the court reporter inserted a remark into the record that has since been interpreted to grant corporate personhood. So it's been used as precedent, even though that is not what the case actually decided.
"If you aren't paying for the product, you are the product." (I wish I could claim credit for the quote, but I can't. And I've heard it from so many sources that I don't know the origin.)
Oh, gimme a frickin' break. The sooner the precious little froshie lardflakes learn not to click every attachment from a seemingly trusted source, the better.
See my response above. Assuming that they will actually learn the lesson here requires a big leap of faith (and naivete and a lack of experience studying how well "user education" solves security problems).
God forbid we make someone feel bad as a learning experience, the lawyers would descend like... Well, like lawyers.
Again, making students feel bad is not an effective teaching technique. It may work on some, but it will completely backfire on others and you've completely lost them for good. And you don't really have to worry about the lawyers as much as the parents. Yes, the parents. Even in college.
Better yet, email the .exe to the entire class.
Are you insane?!? Absolutely DO NOT DO THIS!!
The gap between my suggestion and what those researchers did is pretty wide. My idea:
o Doesn't involve bilking people out of their private credentials;
o Would be limited to a class studying malicious software (how's that for an appropriate context);
o Involves a known-harmless teaching payload;
o Would be fully understood and removed by students at the end of the class.
Actually, it's not as wide as you think. The researchers did not collect any of the personal data. They simply provided a message that this could have been a scam. So the "payload" there was also harmless. The outrage wasn't about any stolen data. The outrage was completely about the deception. Even after the administration placated fears that the students had about identity theft, the uproar continued. Also, the class isn't focused on malicious software. That's just the topic of this lesson. The class is a 101 introduction to computing. If this were a more advanced class...maybe...given the circumstances. But this is absolutely not the right audience for this kind of lesson.
As for the harmless payload, how does the student know that? All the student sees is that they clicked on something and the teacher infected their computer. Sure, during the lesson, you point out how to delete the file. But how does the student know that was the only file you installed? You could have embedded a keylogging rootkit within that virus for all they know. By falling for your trick, they lose a little bit of trust in you. As a result, some of them (especially those who are not doing well and think it's because you "have it out for them") will remain suspicious and think that you've planted something nefarious on their computer. Without that trust, you can't convince them otherwise.
As for the lesson being "fully understood [...] at the end of the class," that's just wishful thinking. After all these years, everyone now knows not to click on email attachments, right? Apparently not. I remember reading some commentary once (I think it was Adam Shostack) that pointed out that user education doesn't work. Many, many people who have undergone security training get phished, install viruses, etc. Why is phishing still a problem? Because it works. Social engineering is effective. All you have to do is surround that link with some text about getting rich fast, seeing celebrity X naked, losing 50 pounds in a week, etc., and you will get some hits. Even from people who have been trained to know better.
Most likely, some of these students will (in the short term) not click on anything they get via email, even if it's legitimate. After a while, though, the lesson will fade, they'll become complacent, start clicking on things...and we're back at square one. Many of the students will still click on attachments, thinking they're safe. After all, this attachment isn't called "CS101-Example.exe" so it must be safe, right? "What do you mean I got a virus? All I did was open this .doc file. It wasn't a .exe!"
Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.
I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they c
Then teach them that 99% of all malicious software runs on Windows, and that it's a reflection of the number of vulnerabilities in Windows code and market share.
Market share, yes. Vulnerabilities in Windows code...eh, not so much any more. It may not be the most popular thing to say around these parts, but MS has made great strides in adopting and pushing secure coding techniques. These days, the most culpable are third-party developers, especially device drivers. Sure, you can argue that Windows' access control policies allow it, but that's not what you said above. But I'm just being nitpicky.
Better yet, email the .exe to the entire class. Call it CS101-Example.exe, and use the harmless infection to talk about social engineering. Then take them through the 'infection' process, and show them how to remove the file by hand.
Are you insane?!? Absolutely DO NOT DO THIS!!
I remember a few years ago when researchers at Indiana University conducted a study on phishing. Basically, they set up a web site and lured students to enter their credentials. The s*** storm that erupted was immediate and furious. The only thing that saved these researchers' jobs was that they had worked very closely with the school's Institutional Review Board (IRB) to make sure that they were adequately ensuring (among other things) respect for persons. Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in him. In short, what you are proposing causes harm to the teaching profession.
Exactly the same as getting cancer after choosing not to pay for health insurance.
Well, yeah, it'd be exactly the same if every physician refused to give you chemotherapy, even if you offer to pay out of pocket. Fortunately, the medical profession is regulated and they have to follow the Hippocratic Oath.
Exactly! Clearly, the state of Tennessee has laws forbidding anyone from offering a private fire service. Oh wait...they haven't.
Look, privatized fire departments don't work. They don't make economic sense. To understand why, look into decision theory, specifically areas like Dempster-Shafer theory. When the level of uncertainty rises, people become significantly more risk averse. Consider the following games:
Now here's the catch: You have to play the games 10,000 times, and you have to always pick the same way. So once you choose "heads," you're always choosing heads.
Which game do you choose? Clearly, game 1. Since you know the coin is fair, you'll be right about half the time and wrong about half the time. So you'll break even. Now look at game 2. If you guess correctly, you'll win 9999 times and lose once. That means you would win $999,900. If you guess wrong, you'll lose $999,900. But look...the expected value is still $0! So, according to basic probability theory, there's no rational reason to pick game 1 over game 2. But when you start considering factors such as the uncertainty about the probabilities, changes in the possible payoffs, etc., things become more complicated, and most people become risk averse.
Now, let's return to the privatized fire department world. Does your neighbor subscribe to a fire service? More uncertainty. Is your service really the best you can get? Perhaps your service's company policy is to only attempt to fight the fire after 99% of the house is burned down. (Sure, you could read their policy, if disclosure was required by evil government regulators. And clearly no company (cell phones *cough cough* credit cards *cough*) has ever used intentionally complicated policies to mislead their customers.) More uncertainty. Competing fire services have a vested interest in your service doing poorly (i.e., more business for them later on). Are those competing services doing unethical things that could interfere with your fire service? More uncertainty.
There is considerably more uncertainty in privatized services like this than in public systems. As a result, subscribers would be significantly more risk averse...which means the market would establish a significantly higher equilibrium point, based on higher demand. Such privatized services will impose a larger total cost on everyone. Also, since the vast majority would subscribe in the privatized version (because they're risk averse), that means that the average cost per person would also probably be higher in a private system. The only way the average privatized cost would be lower is if the overwhelming majority of fires happened to non-subscribers (meaning they would pay most of the costs).
At the end of the day, free market zealots that argue for the privatization of everything don't understand economics, don't understand human nature, or are simply being irrationally dogmatic. Or some combination thereof.
And just to prevent any ad hominem rebuttals that I'm an evil, commie, Marxist, socialist, fascist... I'm not arguing against all private enterprise. I am simply pointing out that, in some areas, yes, a government-run solution can be less costly than a private solution, and just as efficient.
For those of you that say "Why didn't they put it out when the guy pleaded to pay the $75?"
First correction: He did not offer to pay $75. He offered to pay whatever the cost to put out the fire.
If they agreed to this EVERYONE would fail to pay the $75/year and they'd just offer to pay after the fire dept came. You have to realize that it costs a lot more than $75 to pay for FD services. The $75 is effectively an insurance, $75 alone doesn't come anywhere NEAR the cost of putting out a single fire.
You are exactly right. So clearly, just billing the $75 is not adequate. So, like you said, treat it as insurance. Consider the parallels to the medical world (at least the idealized version of it). If you have health insurance and go to the emergency room, you pay $X, which is significantly less than the actual cost of service. If you don't have insurance, you have to pay for the actual services used. So do the same thing in this situation. The invoice could be:
Again, that's what the guy offered to pay...not just the $75. Basically, it comes out to skipping the $75 payment for 150 years. To me, that's plenty of incentive to pay $75 a year for guaranteed service.
Interesting follow-on to this story: One of Cranick's relatives later went to the fire station and punched the chief that ordered the firefighters not to put out the fire (even though they were on the scene). He's now been charged with assault, but I know a lot of people who want to contribute to the guy's legal defense fund.
Doh, he burned a book.
Uh, what exactly is news about that at all? He can burn books all day long for all I care. Does it matter which ones, except for the fact that glossy paper doesn't burn as well?
YES!
Statements like this completely ignore the power of symbolism. If I were to urinate on a crucifix in public, does that mean upset Christians would be overreacting? I mean, come on, it's just a couple of sticks with a statue on it, right? What about if somebody were to put a big cross on an African American's lawn and set it on fire? Clearly, they'd only be upset because you trespassed, right? Burning a Qur'an is much more than just burning a book. (I would say the same thing if the moron was burning a Bible, the Gita, or any other holy text.) It is burning a religious symbol and showing utter contempt and disrespect for others' beliefs. The fact that the text is considered sacred by that religion's followers does make the act different than burning, say, Animal Farm.
And, yes, a public burning of the Qur'an in the current environment is drastically more of a problem than burning any other religious text. The reason is that there are many, many Muslims who feel that the U.S. and its allies are trying to wipe out Islam, not just terrorists. Acts like this offer yet more evidence to them, making them more likely to take up arms against our troops. GWBush may have been overly simplistic in his world view, but he was at least intelligent enough to understand the importance of this point.
Burning that particular book may not seem to affect you, leading to your indifference. However, burning the Qur'an will actually cost you money, because it makes our involvement in the Middle East more complicated, leading to a longer war there. Or, the extremists may choose to take their frustrations out by bringing the conflict here, like they did on 9/11. You need to accept that the reality of the world requires that we can't just piss everybody off without repercussions.
I shudder to think of the kind of idiocracy we'll be living in, just one generation from now.
Heh heh heh. Yuh tawk lahk uh fag.
They should hire people who are actually good at teaching for this job.
...if only it were that simple. I'm a year away from finishing my Ph.D. at a major research university. My motivation has always been to teach at the college level. I just do not find high school material interesting. Give me some undergrad-level cryptography, OS, theory of computing...that's fun material. Sadly, here's what I've learned from my years in grad school:
Great research + mediocre teaching = tenure
Mediocre research + great teaching = fired
(Technically, you're not fired...just denied tenure. However, when you're hired, you're given a 7-year contract that is only extended by tenure. Otherwise, when your 7 years are up, so is your job.)
At a university, research is everything. The rule of thumb that I've been told is that the time spent preparing to teach should be the same as the time spent actually teaching. So if you teach a 3-credit hour class (2 days a week, 75 minutes each class), that means you should spend 2.5 hours per week preparing your lecture. Anything more than that, and you're taking away from your research.
The reason for so much emphasis on research is money. At a research university, you are expected to bring in money in the form of research grants. How do you get a grant? By demonstrating that you have a history of successful research (i.e., a large number of publications). So it's not only tenured professors that are obsessed with publishing, it's the entire faculty. And it's because that is the single biggest factor in keeping your job.
The emphasis on bringing in external grant funding is getting even stronger, because the amount of money that universities are receiving from the state and federal governments has been plummeting in recent years (20-30). Part of that is the "fiscal conservatives'" obsession with tax cuts, rather than having an actual balanced budget. By cutting taxes and government revenues, you are cutting university operating costs. At the same time, there has been a philosophical shift in the populace. Years ago, people were more likely to support public funding for schools, because the perception was that college students would ultimately go on to benefit society. So society helped the students out by contributing to the cost of education. Now, the perception is that people who go to college are doing so for the selfish benefit of a better job. As a result, people feel less inclined to help pay for others' education. I'm not passing judgment on these views, just stating them as reasons that the budget has shifted.
The decreased government support also means that universities have to pass more of the cost on to students. That's why tuition has been rising at double the cost of inflation. To make matters worse, states like CA kept their tuition artificially low for years. That's why there was a huge increase last year (something like 30%, if I remember correctly).
Given all of these money issues, you can now see why there are so many crappy teachers at research universities. In an ideal world, these universities would hire a teaching faculty and a research faculty. But that's just not feasible financially. If hiring committees have to pick, they'll always favor the candidate with the stronger research background.
A web site that has the information you're looking for is useful no matter how ugly it is, as long as it's readable.
...which is why I continue to visit Slashdot.
Yeah, that sentence struck a nerve with me, too.
These types of studies and discussions seem (to me) to be based on a completely flawed premise, which is that religion is such an important topic that everyone must talk about it. Why are there no studies examining why scientists don't talk openly about art, music, architecture, politics, pro sports, etc.? What makes religion so important that my unwillingness to discuss it openly is perceived as a character flaw?
It seems to me that those outside the scientific community have no understanding of the culture of scientists. We care about facts, not opinions. We are trained to make assertions only when we can do so with appropriate authority and evidence. You can't make a living as a scientist by making bold statements without empirical results to support your claims. As a result of this training, most scientists shut up when the discussion moves away from their areas of expertise. If I am sitting with a group of biologists, I won't make any claims regarding the veracity of evolution. I'll let the others talk and learn from what they say. My opinion is irrelevant.
The problem with this culture is that it assumes mutual respect and good faith. People who are motivated by religion do not share our restraint. That is, they do not experience discomfort when speaking without being able to cite the relevant study or journal paper. They are more willing to assert an opinion, and feel that it should be respected irrespective of others' opinions. That's why you have historians and philosophers (I'm looking at you, Discovery Institute) expressing pseudo-scientific opinions that they want treated with the same respect granted to peer-reviewed work. They simply do not agree with the perspective that the methods of how you came to your opinion are more important than the opinion itself.
So I don't think scientists need to talk more about religion. We just need to do a better job of explaining why we don't talk about it.
[Obligatory disclaimer: Coming from a science background, I feel the need to state that the preceding statements are my opinions based on observations. I did not set up a proper experiment and had no control group. Hence, these statements should not be construed as fact.]
Are you serious? You do understand that all of those subjects have evolved extensively since the publication of those books. Reading Marx & Engels, Smith, and Darwin gives you a start, but you cannot possibly grasp the nuances of these systems without learning about Lenin, Trotsky, Keynes, Friedman, Mendel, Watson & Crick, etc.
Yes, editors do have power to introduce bias. But conscientious editors strive for objectivity. Furthermore, most textbooks involve some element of peer review where the editors invite colleagues to read and critique the material.
There simply is too much material on any one of these topics to read all of the original sources ever produced.
That's the approach we take for food, which unlike medical care is a constant necessity for everyone. Poor people get subsidies, but the government doesn't own or micromanage farms or grocery stores.
You've obviously never heard of agricultural subsidies. The U.S. government pays $16 billion per year (a large chunk goes to corporations like Monsanto) to make food cheaper. So, no, the government's approach to food is not capitalist. They are helping you pay for it...just without your knowledge.
Or, by being such an egregious example, it will enable more subtle violations that seem mild in comparison.
While the spying issue is certainly central to this discussion, there's another aspect that I hope gets more notice in the legal fall-out of this case. Specifically, I'm concerned about the implications regarding due process. The student was apparently punished (though it is still not clear how), even though he had done nothing wrong (assuming the Mike & Ike's story holds water). If students are raised under the assumption that they are so powerless that they can be punished even when innocent, what are they going to think when they're grown? Even though courts have consistently limited the legal protections of minors and students in many cases, hopefully they do make it clear that a single photo taken out of context is clearly not adequate to use as grounds for discipline.
There was no evidence of any laptops being stolen, therefore the system shouldn't have been turned on to begin with. The only reason the cameras were turned on would be for misuse.
That's not true, because the school's policies did not require evidence that the laptop was stolen. For instance, officials were permitted to activate the system "to find missing, lost or stolen computers, which would include a loaner computer taken off campus against regulations." See here among other stories. I've seen multiple stories that indicate the system was activated 42 times, 18 of which did help to recover lost or stolen systems.
They could get out of this much easier if they simply fired a couple of people and blamed those directly responsible, and their bosses for the policy.
It's a bit more complicated than that. Whomever you pick to fire, you must make sure that it is justified. If you fire the official that took the picture, you need to find appropriate grounds to do so. Otherwise, they could (rightfully) claim that they violated no policy and were being made a scapegoat. Then you'd be looking at a wrongful termination lawsuit, and possibly paying lost wages. Similarly, the administrators can argue that the policy was put into place to protect assets owned by the school district. So if you want to fire someone, you had better be sure that you can justify it.
One aspect that I haven't seen clarified is whether or not the student was actually disciplined. If he was just confronted and presented with a warning, he is going to have a much more difficult time proving damages in a court. If he was suspended without due process and without proof of wrongdoing, then they're screwed. Either way, though, I would be surprised if this is allowed class action status.
As much as I value privacy, I think this story has become a bit sensationalized. Based on the numerous reports I've seen, I believe this is more an example of scope creep than anything nefarious. Basically, to paraphrase a common aphorism, if I must attribute either malice or incompetence, I go with the latter. The possibility of theft does provide a legitimate purpose for the ability to remotely activate the web cam. Where the school screwed up was that they did not have any precise controls over when and how this activation can occur. My guess (I fully admit I have no proof) is that the camera was activated according to district policy, then the official panicked because they thought they saw something. To make it worse for the official, the policy probably did not offer any guidance for what to do in that situation. What if they were trying to locate a stolen laptop and witnessed a rape or murder instead?
The problem comes down to the possibility of secondary use of technology. Whenever technology is deployed that has the potential of violating the privacy of others, the policy should explicitly state under what conditions the technology can be used, including a list of the situations that officials are allowed to document based on their observations. The policy should also default to complete destruction of observed data that does not match the intent of the policy. Hence, the school district should have made the following policy:
They got the grades because they cheated. They got the job because they got the grades.
And that's the problem. If academic recruiters placed less of an emphasis on GPA, the incentives to cheat would be greatly reduced. But given the large class sizes at universities (i.e., a lot of profs don't even know their students' names) and the large number of applications companies receive, recruiters need some sort of filter. It would be nice if they had the time or ability to perform some sort of an evaluation, but it doesn't seem to happen. In my experience, recruiters are more generally HR people and wouldn't have a clue what a B+ tree is used for.
This problem isn't going away, and the only solution that I can see is better policing by instructors.
The attack is interesting, but it's actually beyond the scope of what the TPM was designed to do. The TPM is primarily intended to provide three services: 1) hardware root of trust at boot, 2) fast and secure cryptographic operations (including key storage), and 3) remote attestation. This attack focuses on the second service, as it is designed to extract the cryptographic keys that are supposed to be stored securely. Yes, the attack succeeds and it's interesting, but a lot of people are missing the big picture.
TPMs were never designed to withstand this type of attack. With regard to "secure storage," the goal was to do something better than just storing your keys on an insecure device like a HD. The reason that this notion of security is good enough is that the TPM was also designed to be inexpensive. Would anyone buy a new desktop if the price suddenly jumped up to $10,000 for a Pentium? So the hardware protection is just supposed to provide a reasonable amount of assurance for the average user. If you're looking at highly sensitive environments (e.g., military), you shouldn't be using a TPM. There are cryptographic co-processors out there that have more robust protections against these types of attacks, but they cost a lot more.
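To make the first and third of the three services above concrete, here is an added simulation (not code from this thread or from any TPM implementation) of measured boot and remote attestation. It uses the TPM 1.2 extend rule, PCR_new = SHA-1(PCR_old || SHA-1(component)), but stands in a keyed SHA-256 MAC for the RSA signature a real TPM makes with its attestation identity key, and the boot-stage byte strings, key and nonce are constructed placeholders:

```python
import hashlib
import hmac

PCR_BYTES = 20  # TPM 1.2 PCRs are 160-bit SHA-1 values, zeroed at power-on


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend rule: PCR_new = SHA-1(PCR_old || SHA-1(component)).

    Extend is one-way: a later stage can add to the chain but cannot
    rewrite what earlier stages recorded. That is the 'root of trust
    at boot' property the comment refers to."""
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()


def measured_boot(components):
    """Each boot stage measures the next before handing off. Returns the
    final PCR value and the event log the verifier will replay."""
    pcr = bytes(PCR_BYTES)
    event_log = []
    for name, blob in components:
        pcr = pcr_extend(pcr, blob)
        event_log.append((name, hashlib.sha1(blob).digest()))
    return pcr, event_log


def replay_log(event_log):
    """Recompute the PCR from the event log alone (component digests)."""
    pcr = bytes(PCR_BYTES)
    for _name, digest in event_log:
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr


def tpm_quote(pcr, nonce, aik_secret):
    """Stand-in for TPM_Quote. A real TPM signs (nonce || PCRs) with the RSA
    attestation identity key; a keyed SHA-256 MAC plays that role here
    (simulation assumption, not TPM behaviour)."""
    return hmac.new(aik_secret, nonce + pcr, hashlib.sha256).digest()


def verify_attestation(pcr, event_log, nonce, signature, aik_secret, golden_pcr):
    """Verifier side of remote attestation:
    1. the signature must bind the verifier's fresh nonce to the reported PCR,
    2. the event log must replay to that same PCR,
    3. the PCR must equal the known-good value for this platform."""
    if not hmac.compare_digest(tpm_quote(pcr, nonce, aik_secret), signature):
        return False, "bad signature or stale nonce"
    if not hmac.compare_digest(replay_log(event_log), pcr):
        return False, "event log does not match quoted PCR"
    if not hmac.compare_digest(pcr, golden_pcr):
        return False, "PCR differs from known-good boot chain"
    return True, "platform state verified"


# Constructed sample boot chains (placeholder byte strings, not real firmware).
GOOD_CHAIN = [
    ("bios", b"BIOS v1.0 placeholder"),
    ("bootloader", b"bootloader placeholder"),
    ("kernel", b"kernel image placeholder"),
]
TAMPERED_CHAIN = [
    ("bios", b"BIOS v1.0 placeholder"),
    ("bootloader", b"bootloader placeholder (modified)"),
    ("kernel", b"kernel image placeholder"),
]
AIK_SECRET = b"constructed-attestation-key"  # stands in for the TPM's private AIK

GOLDEN_PCR, _ = measured_boot(GOOD_CHAIN)  # verifier's reference value for this platform


def attest(chain, nonce=b"\x01" * 20):
    """Run a boot, have the 'TPM' quote it, and verify the quote."""
    pcr, log = measured_boot(chain)
    sig = tpm_quote(pcr, nonce, AIK_SECRET)
    return verify_attestation(pcr, log, nonce, sig, AIK_SECRET, GOLDEN_PCR)


if __name__ == "__main__":
    print("good boot:    ", attest(GOOD_CHAIN))
    print("tampered boot:", attest(TAMPERED_CHAIN))
```

The tampered chain passes the signature and log-consistency checks (the TPM faithfully reports what was loaded) and fails only on the golden-value comparison, which is exactly the guarantee attestation gives: it tells a remote party what ran, not whether it was good. What the simulation does not model is the comment's point about physical extraction: if the attestation key leaves the chip, quotes can be produced for any PCR value, so the verifier's trust rests on the key-storage assumption the attack targets.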
I've seen this article in a few places (see also here) and discussed it with some colleagues (one of whom was a consultant on the design of the TPM). We had the same suspicions regarding whether or not it was an Infineon TPM or a clone.
Regarding the key question, I don't think he has actually been able to extract the endorsement key. I believe the attack is just about extracting keys generated and stored on the TPM. For instance, the CW article refers to the "licensing keys." My impression is that these are keys used by the software to ensure the XBox 360 hasn't been modded. I don't believe you would use the endorsement key in this instance. Unfortunately, none of the articles are clear on this point.
[...] someone will eventually figure it out and implement software to do it automatically so any script kiddie can do it. Math -- crypto included -- is funny that way.
Did you read the article? The security of cryptography is based on the lack of an efficient algorithm to do things like factoring large numbers or computing discrete logarithms. This attack has nothing to do with any of that. It is about destroying the chip casing and eavesdropping on the circuitry of the hardware.