Slashdot Mirror


User: plover

plover's activity in the archive.

Stories
0
Comments
7,233

Comments · 7,233

  1. Re:Why can't Kaspersky just ask for infected machi on Researchers Seek Help Cracking Gauss Mystery Payload · · Score: 1

    The Gauss malware includes a built-in config tester, which is how it works. It parses the config, feeds it into a key generating algorithm with a test Initial Value; if the output of the key generating algorithm matches the included hash, then it reruns the algorithm with a different IV and generates the real key. The real key is used to decrypt the payload and do the as-yet-unknown damage.

      All Kaspersky really has to do is include the first part of the test with the test IV in their next anti-virus update and have any potential victims phone home with the winning ticket.

  2. Re:So it begins on Police Don't Need a Warrant To Track Your Disposable Cellphone · · Score: 2

    If only my device drivers were as reliable as the ones they routinely subvert on CSI:Sacramento! Hell, I can't get a video feed out of my TV tuner card half the time, and the web cam only works on its own schedule, not mine. And audio drivers? Forget about it!

    So good luck, spooks. If I wake up tomorrow and all those systems start to work, I know who to thank.

  3. Re:Never overlook the obvious on Researchers Seek Help Cracking Gauss Mystery Payload · · Score: 1

    I'll bite on your troll-bait.

    Because the evidence overwhelmingly runs counter to your supposition.

    Look at the facts.

    The code is stealthy.

    The code shares common attributes with other code that has delivered sophisticated attacks, strongly suggesting a common author, implying similar intentions are behind this code.

    The code carries other unencrypted malicious code, including exploits and bank login thefts.

    The code makes many attempts to decrypt an unknown value. Should it ever succeed, it will make a call to an address in the decrypted memory.

    The amount of data to be decrypted and potentially executed is enough to contain a malicious payload on the same scale as the code that sabotaged Natanz.

    Why would an established weapons developer go to all the work of fully implementing a cleverly targeted weapon hiding system if he isn't going to actually hide any weapons in it?

  4. Re:Shows What I Know... on Alternative To QR Code Uses NFC and Cheap Rectennas · · Score: 1

    Not much different than referring to them as 2D barcodes, as if a linear barcode doesn't exist in two dimensions.

  5. Re:Oblig xkcd on DOJ Says iPhone Is So Secure They Can't Crack It · · Score: 2

    Using evidence in court that was obtained by hitting you with wrenches is forbidden, nor can they use information derived from that information. (Fruit of the poisoned tree.)

    Depending on the data, though, they may not be nearly as interested in prosecuting you.

  6. Re:Truly astounding detective work on Researchers Develop Algorithm To Trace Malware, Epidemics, More · · Score: 1

    Actually it helps a lot. Your paper is far more interesting than the news speculation, as it describes what you did and how to do it, as opposed to how it was applied through the lens of hindsight.

    Unfortunately, too many "news" stories try to make their stories interesting by adding crazy speculation about hot topics. "This research uncovered 9/11 conspirators" is far too close to saying "Researchers built a terrorist detector!!!", which is completely untrue, as well as not the point. But it gets people reading their stories.

    It seems the hardest part would be testing equality of messages at the nodes. Unless a message was a word-for-word copy, or a "forward" of the original, how would you know that "plane crashes into building", "airliner crashed into skyscraper", and "commercial flight flown into World Trade Center" were all equal messages? It's probably much easier with universally agreed upon topics like "typhoid" or "H5N1".

    Anyway, the impressed button, now I will push it.

  7. Truly astounding detective work on Researchers Develop Algorithm To Trace Malware, Epidemics, More · · Score: 2

    From TFA:

    Taking social networking sites as another example, Pinto said individuals could use the algorithm to find out who had started a rumour posted to 500 contacts by looking at posts received by just 15 to 20 of them.

    In other words, after creating a mathematical model of the right 500 people, and after planting 15 or 20 agents inside that 500 person network and monitoring their network traffic for a while, they were able to trace a rumor back to the originator.

    The impressed button, I will not be pushing it tonight.

  8. Re:Identifying printed documents? on New State-Sponsored Malware "Gauss" Making the Rounds · · Score: 2

    Interesting idea, but I bet the creators are much more cognizant of operational security. I doubt they surf the web from the development machines.

    I'm guessing the development boxes are actually VMs inside their workstations. Think about it: would you really want to unit test a malware payload on a machine connected to the rest of your lab, or connected to the entire world?

  9. Re:Internet terrorism on New State-Sponsored Malware "Gauss" Making the Rounds · · Score: 1

    The behavior of Gauss as described in TFA is made to sound like "socially responsible malware".

    By encrypting the payload with a key unique to a specific configuration, they are not providing that payload to anyone else. Not even Kaspersky can decrypt the payload, at least not until the target machine is identified. And by then it's probably too late.

    Sure, they're still sending out malware, with USB exploits, rootkits, and other bad stuff. It's not that much worse than what is widely available online today. But they're encrypting the very worst part, which is "here's how we're going to cause maximum damage to you." We don't know if the payload is designed to tamper with SCADA systems, initiate wire transfers to a Cayman Islands bank, or if it emails compromising pictures of the victim to Al Jazeera. Nobody gets a copy of it, except for one lucky winner. And he doesn't even want it.

    So in the attackers' minds, they can say they are distributing a "kinder, gentler virus".

  10. Re:So stupid it's got to be official. on New State-Sponsored Malware "Gauss" Making the Rounds · · Score: 1

    I'm assuming from the article that the configuration data they're talking about are things like MACs from the victim's NICs, serial numbers off of the memory SPD chips, and serial numbers from the SATA drives. If that's true, it would be easy enough to swap a memory stick out to avoid the problem, rather than trying to re-flash something.

    If you've got that much knowledge about your potential for being hacked, you've probably already updated your systems with the latest anti-virus programs that would catch Gauss anyway.

    My guess is this trap is set for the personal PC of some top official, like Naim Qassem, the current top guy of Hezbollah. Generally, top people are not known for their l33t haxx0r ski11z, so the chances of his having good defenses in place are probably fairly low. I doubt that he's going to be the kind of guy to swap RAM sticks, anyway.

  11. Re:So stupid it's got to be official. on New State-Sponsored Malware "Gauss" Making the Rounds · · Score: 1

    Close, but not quite.

    Some time a while ago, Gauss surveyed every victim's computer, reporting their config data to the CC servers.

    The attackers identified a specific victim, and used that victim's config data to generate a key. The payload was then encrypted by the attackers with that particular key, and then delivered to every active Gauss zombie by the CC server.

    The Gauss zombies don't ever carry the key, they always generate it locally from their own config data.

    All zombies get the same payload, but only the zombie with the correct config will generate the correct key, unlocking the payload and unleashing the pain.

  12. Re:So stupid it's got to be official. on New State-Sponsored Malware "Gauss" Making the Rounds · · Score: 1

    They can't decrypt it today because Kaspersky doesn't know who the target is, was, or what their configuration looks like.

    Let's think about its predecessor, Stuxnet, for a minute. Stuxnet's authors made several big security mistakes. First they gave away a free copy of "How to attack Iranian nuclear centrifuge systems via SCADA vulnerabilities" to every script kiddy on the planet; plus, they essentially told Iran "it's you." They seriously underestimated the ability of various groups of people to disassemble their attacks. So they want to repeat as few of those mistakes as possible.

    Like Stuxnet before it, Gauss discovers some facts about the configuration of the machines it's deployed against, and reports them back to the mothership. Let's say the configuration data they retrieve includes the serial numbers of memory chips, NICs, and eSATA disk drives. The attackers then concatenate that data together and hash it 10,000 times to create a key. So when the payload decryption module is loaded onto a new machine, it scans the memory chips, NICs, and disk drives, and runs the key generating hash algorithm again. If the resulting key can successfully decrypt the payload, we can assume Bad Things will happen to the victim. If it can't decrypt it, nothing happens.

    This tries to address two of those original mistakes. First, Kaspersky has no way to identify the victim today. All they know so far is that the target is probably any of the thousands of machines that have already been infected with something that reported their configuration to the attacker. For all we know, it could be configuration data originally harvested by Stuxnet, and not a current Gauss victim. Second, they have no way of decrypting the attack until the specific victim is identified and decides to cooperate.

    It's possible that the malware attack on the victim will be engineered such that the victim will suffer grave physical harm; perhaps through planting false evidence of treason, or emptying their bank accounts instead of repaying the kind of debts that Must Be Repaid On Time. After destroying the victim, discovery may be moot. I'd assume in any case that the malware payload will clean Gauss from the machine after completing its mission, leaving nothing for investigators to ever learn they were the targeted victim of Gauss.

    My guess is that Kaspersky will include a "victim detector" module as part of an anti-Gauss clean-up package. It would run the same serial number detection mechanism, the same key generation mechanism, and attempt the same decryption test to see if it successfully decrypts. But instead of calling the actual malware routine, it could report the machine's configuration back to Kaspersky, so they could decrypt it.
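
    The scheme sketched in comments 1, 11 and 12 above (a carried check value computed with a test IV, a real key derived from the same local hardware identifiers with a different IV, and a "victim detector" that runs the same test but reports instead of executing), as an added worked example. This is illustration code written for this page, not Gauss, Kaspersky or anyone else's code: the iteration count follows the "hash it 10,000 times" guess, the IV strings, the field names and the sample hardware identifiers are all made up, and an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for whatever cipher the real payload used so the block runs on the standard library alone.

```python
"""
Added example (not Gauss code): a target-keyed payload in the style the
comments above describe. All IV values, field layouts and the sample
configurations are constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000          # "hash it 10,000 times" (a guess from the thread)
VALIDATOR_IV = b"validator"  # assumed: IV used only for the carried check value
PAYLOAD_IV = b"payload"      # assumed: IV used to derive the real decryption key


def hardware_fingerprint(config_fields):
    """Concatenate the harvested identifiers (MACs, SPD and disk serials)."""
    return b"|".join(f.strip().lower().encode() for f in config_fields)


def derive_key(config_fields, iv, iterations=ITERATIONS):
    """Iterated SHA-256 over the fingerprint; the IV selects which key comes out."""
    digest = hardware_fingerprint(config_fields)
    for _ in range(iterations):
        digest = hashlib.sha256(iv + digest).digest()
    return digest


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stdlib stand-in for a real stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_payload(key, plaintext, nonce=None):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_payload(key, blob):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- attacker side: build the dropper from the one victim's reported config ---
def build_dropper(target_config, payload):
    """The dropper carries the validator and the sealed payload, never the key."""
    validator = derive_key(target_config, VALIDATOR_IV)
    sealed = seal_payload(derive_key(target_config, PAYLOAD_IV), payload)
    return {"validator": validator, "sealed": sealed}


# --- zombie side: every infected host runs this against its own hardware ---
def try_unlock(local_config, dropper):
    """Cheap validator check first, then the real key; both from local data only."""
    if not hmac.compare_digest(derive_key(local_config, VALIDATOR_IV), dropper["validator"]):
        return None                     # not the target: nothing happens
    return open_payload(derive_key(local_config, PAYLOAD_IV), dropper["sealed"])


# --- defender side: the "victim detector" a cleanup tool could ship ---
def victim_detector(local_config, dropper):
    """Same validator test as the zombie, but reports the config instead of running anything."""
    if hmac.compare_digest(derive_key(local_config, VALIDATOR_IV), dropper["validator"]):
        return {"match": True, "config": list(local_config)}
    return {"match": False}


# Constructed sample data (not real hardware identifiers).
TARGET_CONFIG = ["00:1A:2B:3C:4D:5E", "SPD-SN-00042", "SATA-SER-77193"]
OTHER_CONFIG = ["00:1A:2B:3C:4D:5F", "SPD-SN-00042", "SATA-SER-77193"]  # one MAC differs
PAYLOAD = b"<<target-specific routine>>"
DROPPER = build_dropper(TARGET_CONFIG, PAYLOAD)

if __name__ == "__main__":
    print("target unlocks:", try_unlock(TARGET_CONFIG, DROPPER) == PAYLOAD)
    print("other unlocks :", try_unlock(OTHER_CONFIG, DROPPER))
    print("detector      :", victim_detector(TARGET_CONFIG, DROPPER))
```

    Two points the code makes concrete: the validator and the payload key come from the same fingerprint but different IVs, so matching the carried check value tells a host it is the target without handing anyone the decryption key; and a one-character difference in any harvested identifier (the second MAC above) produces an unrelated key, which is why swapping a component defeats the trigger and why the defender's detector can only report, not decrypt, until a matching machine is found.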

  13. Re:False premise on Will Online Learning Disrupt Programming Language Adoption? · · Score: 1

    Hey, I seriously don't want our web monkeys writing assembler. Assembler is not even an approved language in our shop, because we can't hire people who can maintain it. But if a C++ developer is in the debugger and has to step into the disassembler, I expect her to know what she's doing. Fortunately, I have a few that do.

    The bright spot on the horizon is that my son graduated from University with a degree in Comp Sci, and they appear to have shifted their program away from cranking out an assembly line of Java monkeys to people who can write C and assembler. At least those were among the courses he chose to take. I just thought it was awesome that he had a reverse engineering class that was taught almost entirely in gdb. To me, that was hope for the future.

  14. Re:Obviously it wasn't the One on NASA Morpheus Lander Test Ends In Explosion · · Score: 3, Funny

    But then, they can name the next lander "Neo" and see if they get better results...

    Actually, the next one is named "Michael Bay". They decided to go for realism in their naming schemes.

  15. Re:"We have to expect this sort of thing"... on NASA Morpheus Lander Test Ends In Explosion · · Score: 5, Informative

    And yet it took more than 8 minutes for the fire truck to arrive at the rocket test site.

    I wonder how long it would take if they didn't expect this sort of thing...

    Rule one of firefighting: don't put anyone needlessly in harm's way. This was an unmanned test flight, with nobody in any imminent danger.

    After the initial crash, the craft still had fuel and oxidant tanks on board that hadn't yet blown up. You don't move the fire crews in until the hazardous materials are accounted for. The crews were quite obviously sitting in their fire rig at a safe distance, waiting for the signal from the range safety officer to tell them that the rest of the fuel was gone. That explosion at the 6:20 mark was the signal they were waiting for. At 8:00 the camera zooms in as they examine the wreckage for any potential surprises. At about 8:17 you could hear the diesel motor of one of the trucks as it approached the pad. At 8:40 you can hear the report from "10-1" (I assume that was the range safety officer) at gate 7 that he had advised the fire crew that there were four pressurized tanks, they believed two were gone, but there were potentially still two tanks with pressure, and that the fire crews had proceeded downrange anyway.

    The crews handled the situation exactly as they should have. They expected this sort of thing.

  16. Re:All I can say is... on NASA Morpheus Lander Test Ends In Explosion · · Score: 5, Insightful

    ?

    You can put in a kill switch to the fuel pump to not pump more fuel into the rocket motor, and they no doubt have such devices installed. But the tanks are already full of all the fuel the vehicle will ever carry. And you can't put in a kill switch for the existence of the fuel. Once the thing is burning, any fuel remaining in the tanks is going to get out one way or another, regardless of any switches or valves.

  17. Re:False premise on Will Online Learning Disrupt Programming Language Adoption? · · Score: 1

    Knowing machine language is a large part of the difference between an "average code monkey" and a skilled developer. Hand optimizing assembler code is an exercise in wasted money, except when it isn't. A skilled developer will not only know when the difference is critical, but be able to do the task.

    That doesn't mean the number of times a developer needs to trot out the assembler is very large, mind you. Almost no business applications would ever need it these days - a programmer's time and the overall cost of maintaining ASM code is generally much higher than the cost of upgrading the server the code runs on. But if you start talking about slinging millions of pixels around on a GPU 200 times every second, it suddenly becomes very important that you know exactly what the machine is doing.

  18. Re:Does anyone hold phones to their heads anymore? on FCC Asked To Reassess Cell Phone Radiation Guidelines · · Score: 1

    Cell phones definitely kill people. There's no question that many people die due to cellular telephone usage. However, the full cause of death is "blunt force trauma due to vehicular accident caused by a driver distracted by a cellular telephone." And we know that increasing the transmission power of cell phones is designed to increase the range of places where cell phones will work, which will mean more people talking or texting while driving, which ultimately will lead to even more deaths.

    If you want to focus on the health hazard of cell phones, at least pick the one where there's actual evidence of harm. There's not even a blip in a study anywhere that shows cell phones contribute to skin or brain cancer.

  19. Re:Why bother? on FCC Asked To Reassess Cell Phone Radiation Guidelines · · Score: 2

    That guy sure likes to sell books, doesn't he? And stirring up controversy about things like the "health risks" of 100 milliwatts of non-ionizing radiation sells books to people who are hypersensitive to scare stories.

    He even "Rationalizes the Precautionary Principle", which is another way of saying "be scared because you're ignorant, not because there are actual facts." Here's the deal: if cell phones were even a measurable (not even minor, simply measurable) contributor to illness, there are billions of cellular users worldwide, so if there were any statistically detectable basis to these absurd claims, we'd be seeing very large piles of dead bodies.

    I really like his "grounding" therapy: touch the ground and you will:
          " Prevent inflammation as well as assuage its physical symptoms
            Reduce or eliminate chronic pain
            Improve sleep
            Increase energy
            Thin blood and improve blood pressure and flow
            Relieve muscle tension and headaches
            Lessen hormonal and menstrual symptoms
            Dramatically speed healing and prevent bedsores
            Reduce or eliminate jet-lag
            Protect body against potentially health-disturbing environmental electromagnetic fields (EMF’s)
            Accelerate recovery from intense athletic activity; and
            Balance the autonomic nervous system (ANS) by decreasing sympathetic, and increasing parasympathetic, nervous activity."

    The only things missing from his list are "improves humours & biles" and "clears thetans", and for those I expect he has a link to buy "Dr. Sinatra's Genuine Snake Oil Liniment and Elixir".

    This guy is definitely not a crackpot. He's smart, and educated, and appears to be an author who wisely uses fear and psychology to sell books to the gullible. It's definitely in his best interest to have people afraid of cell phones, because those are the people who would buy his crap.

  20. Re:Its Portman on Wikipedia Edits Forecast Romney's Vice Presidential Pick · · Score: 1

    The wiki edits prove nothing. The real reason there are only 5 edits for Pawlenty is that he is the most boring person on the planet*. There is simply nothing to clean up behind that Marvin J. Milquetoast.

    * yes, I know Al Gore invented boring politicians, but Pawlenty raised it to an art form.

  21. Re:or Brazil on Ask Slashdot: What's the Most Depressing Sci-fi You've Ever Read? · · Score: 2

    Thanks. I did like Zodiac, but it kind of reminded me of the same ending as Cryptonomicon. Both of those novels seemed contrived, and to me they read as if he had followed the trademarked Neal Stephenson Story Writing pattern:
    1. Think of some tricky, cool mechanical ideas, like using salad bowls to plug holes in a pipe, Van Eck phreaking, or diesel fuel to melt inaccessible gold.
    2. Think of a somewhat plausible setting to place the idea in - polluters, prison, jungle island.
    3. Write a plot line where the main character ends up arriving at these ideas in the final chapters.
    4. Add additional story arcs, characters, and other flourishes around the base plot.
    5. Profit!

    They all seem driven to get to the end and to the big reveal of the clever idea. Driving to the end of a story works for a mystery - solve the caper, dispense dose of appropriate justice, meddling kids. But when he gets to the mystery's end, it's more about the clever trick, and less about the people.

    Snow Crash was different. It was an amalgam of crazy from start to finish - crazy setting, crazy government, crazy people, crazy religion, and crazy ideas. And he glued them together in a vat of somewhat plausible foreshadowing technologies like the web, gargoyles, scanner evading glass knives, all those kinds of things that were somewhere on the horizon back when he wrote it. It didn't follow his trademarked formula, because the fun ideas just kept coming from start to finish: an Inuit biker who is his own nuclear power, a pizza deliverator for the mob, the metaverse, Snow Crash, falabalas, etc. The people made it interesting, the tech made it cool. It came together in something ineffable that he's just never repeated.

    And for some reason I liked Anathem. Perhaps because it didn't closely follow the formula, or that one of the cool ideas (the time-based monastery) was a setting element he introduced from the start, and didn't need the big reveal.

  22. Re:or Brazil on Ask Slashdot: What's the Most Depressing Sci-fi You've Ever Read? · · Score: 1

    I have to admit being depressed by each and every one of Neal Stephenson's books that wasn't Snow Crash. I've bought and read everything else he's ever written, just hoping to get a second taste of that wondrous, mad, absurd story. Hasn't happened yet.

    Or maybe that's just disappointment on a new level.

    Assuming that's the case, I agree with you about Brave New World, but because I read 1984 at a younger, more impressionable age, it resonated harder with me, and both scared and depressed me more.

  23. Re:Neat trick... on Time Machines, Computer Memory, and Brute Force Attacks Against Smartcards · · Score: 1

    Or in other words, simple measures are actually quite sufficient.

    Like anything dealing with security, that depends entirely on the value of the secret being protected.

    If this is a MiFARE card, learning the secret could get you and some friends a few free rides on the metro. If this is an access card, it might get you into a building. If this is a passport, it might get you into the country. If this is a banking card, you might get access to the customer's account. Pick the right customer, and it's suddenly very profitable. If this is a satellite card, it could be worth millions on the black market.

    The other thing to keep in mind, is that all of these activities will get you in a roughly equal amount of trouble: fraudulent devices and theft add up to about the same punishment regardless of how much money is stolen. A bad guy has incentive to hit the richest target, not the poorest, since the risk to him is the same.

  24. Re:Think of an application that you'd like on Ask Slashdot: Best Way To Jump Back Into Programming? · · Score: 1

    This phenomenon is how design patterns like the "Abstract Factory Abstract Factory Selector Observer Pattern" get started.

    No, bad programming is how patterns like "Abstract Factory Abstract Factory Selector Observer Pattern" get started.

    Patterns aren't created out of thin air - at least not the few good ones. Patterns are observed in multiple examples of elegant code, then written down and figured out.

    If someone is actually feeding you a line like "the Abstract Factory Abstract Factory Selector Observer Pattern is required in your program for all database access", or even "I've created a new pattern", you have my permission to hit them with a stick and call them an idiot. That's not how patterns work.

  25. Re:Annoyances on Why We Love Firefox, and Why We Hate It · · Score: 1

    Random web pages getting larger isn't really the issue. If I'm creating enterprise web apps for my corporation, I just need to know that my corporate machines' browsers can run them. If the company-issued laptops' browsers get upgraded and the corporate web pages start the machines thrashing as a result, that's a problem.

    And I sure can't say "let's spend a million dollars replacing everyone's laptops so everyone can upgrade to Firefox 14."