One thing to keep in mind is that as the data recovery technology has advanced, so has storage tech. The density of current storage devices (specifically SATA or EIDE drives) is so great that the tolerances required to read overwritten data is orders of magnitdue more difficult than with the drives when the technology was originally used for this purpose.
Are these better for deaf people? I doubt any serious participant in this discussion would argue they are not. Are they better for the elderly? Based on my experience with voters, the answer is also yes (the ability to enlarge the ballot was wildly popular with the elderly voters, among other things). As far as the actual process of adminstering an election the personnel I worked with (who have been doing elections for approx. 8 years) also said the election was one of the smoothest they'd ever been involved with, and the tallying allowed the results to be made available much sooner than the previous optical scan equipment which is also an improvement.
I am convinced that the equipment has progressed to the point that the greatest threat to vote integrity is not the machines being used (assuming they are at least as secure as the TSx and include a voter verifiable printed audit log) but the lack of procedures or the local election official's unwillingness to follow them.
I am not an advocate of electronic voting, I am an advocate of localized process reform to prevent fraud. My concern is that the current alarm "OMFG if we have complete and total access to a machine with no supervision for an extended period of time we can alter the results on this ONE MACHINE!!#@)($!!" is taking the focus away from the greater danger, that of insufficient local oversight by educated voters.
The TSx machine has the option of a voter verifiable paper audit trail using a printer known as a VVPAT. This consists of a thermal printer whose output is contained behind a clear plastic shield. Once the voter has selected the candidates for which he/she wants to vote for, they have the option to review their printed ballot prior to the vote being cast. While it is possible that this paper trail could be replaced, if proper procedures are followed this is no more likely than the complete replacement of "hand count" paper ballots.
In addition to the above, a simple vote flip as you describe would be far from simple to perform. While I do not assert that it is impossible, it is far more complex than you make it out to be. Each election depends on a custom database that is able to be developed by the local election officials. Each voting machine has NO POSSIBLE foreknowledge of the future candidates. Once delivered to the election commision the election must be loaded using a secure flash memory card, and during the internal testing performed locally by the comission each election is loaded and voted to verify that the proper votes are being assigned to the proper candidate (the election is reset after testing). A simple vote reassingment such as you are proposing would be totally inadequate to falsify the results of the election. Any vote alteration of this type would have to be done centrally via an update to the tabulation software, which would have to be applied individually be each local election official as the central count machines are never connected to any network. As each machine individually maintains a record of the votes cast an audit would reveal that the totals listed by the central count machine do not match those of the individual machines. This is not to say such a modification is impossible, but it is certainly no where near the simple hack you propose.
I am glad you admit I put "some thought" into my post. I wish you had done the same.
I am a computing professional with a background in Computer Forensics and Incident Response. I took a consulting position (specifically a county technician job) with Diebold specifically so I could see what all the hubbub was about with the voting machines.
I went through the entire voting process, from the hardware testing, to the development of the ballots, to the actual election and the tallying of ballots. I can say without a question in my mind that the TSx voting machine and the associated software (assuming the machine is equipped with the voter verifiable printer) is no more susceptable to voter fraud than hand counted paper ballots.
Please keep in mind that I owe nothing to Diebold, have no interest in Diebold, and specifically took this job thinking that I would find gigantic gaping holes in thier product. While the design of the hardware and software leave much to be desired, for someone to assert that commiting large scale voter fraud with this system is easier than with hand counted paper ballots is patently ridiculous in my mind having worked with the hardware and software during an actual election.
The big problem that everyone seems to overlook is that EVERY voting system is inherently operated by humans and is therefore subject to error. My experience during the voting process is that the single most important piece of the "secure election" puzzle isn't the equipment that is used but the processes that are followed and the reasonable inclusion of public scrutiny to the process.
In the case of a hand counted paper ballot, all that is neccesary to commit fraud is a switch of the actual ballots prior to the tally. With the TSx machine (with the attached printer) the audit log of the election (including timestamps and actual votes cast) is present in 3 locations (the actual voting machine, the memory card, and the written record). In order to withstand an audit, all three of these items must be altered to perfectly match the result whereas with paper ballots there is only one record that must be altered.
While it's obviously true that the machines could be programmed in advance to fix an election, keep in mind that voter registration is a completely different process from the actual vote tallying, and that voter turnout is still done by hand. In order for the electronic record to be altered, it would have to be done in such a way as to mirror the actual voter turnout PER POLLING LOCATION, a number which is independant of the voting machines and in any jurisdiction of consequence this number would be effectively impossible to predict. In the case of hand count you need only have a total number of ballots cast as there is no tracking of the votes per polling location whereas with the voting machines this record is kept in each machine.
The bottom line is that the place we need to be concentrating our efforts for voter reform is on the process rather than the specific technologies used to tally votes. The real problem is polling workers being sent home with voting machines. The real problem is no public oversight of the tallying of votes. The technology used is effectively irrelevant unless there is massive voter oversight allowed at every phase of the process, and we must not let our concern over the vulnerabilites of the technology get in the way of the demand for oversight.
In the county that I supported, each machine was kept under lock and key, with a publically accessable camera trained on them at all times. At no time was a single individual allowed access to the machines, including during the travel time to each polling place. When the polls closed, each machine was brought back (again by a team of two) and the actual tallying was done in a room with seating for the general public and a webcam that allowed the public to watch every single part of the process. This is the type of thing we should be advocating.
I will agree that the early technologies used were inadequate to protect our rights, but the voting machine technology has advanced to the p
There's a new provider that a friend of mine turned me on to. They provide Linux and BSD hosting, exactly what you're looking for, and more. Their prices are very reasonable, and they even offer lifetime shell accounts if that's what you're interested in. I can often get support via AIM or MSN messanger, and the support offered so far has been amazing. I have a custom-tailored package, so I'm paying for exactly what I need, and nothing more. The storage and bandwidth limitations are more than fair, and buying more of either is trivial. My friend always told me how great they were, and I always thought it was too good to be true. But when I finally got fed up with my current host (phpwebhosting.com, which many people really like, but I found to be unusably unresponsive and lacking) I decided to give them a try, and I would never go anywhere else. They are connected to 3 distinct OC-12s, and bandwidth to or from the site has never been an issue. You owe it to yourself to give them a look. I'm not affiliated with them in any way, just a very very happy virtual BSD host customer.
I used the term "snipe" specifically because you're pointing out facts. The problem is your facts have little or nothing to do with the thrust of my original post. The best trolls are always the ones based in the truth.
Listen, if you want to start your own thread attacking Howard for his lousy public performance during his tenure at Microsoft, or his willingness to attend press conferences and praise Microsoft's (fabricated?) single-minded focus on security I promise I'll have little or nothing to say in response. I consider those critisisms valid, if somewhat shortsighted. My intent in stating his job was unrelated to products was nothing more than an attempt to defuse the more obvious trolls that did nothing but scream that flaws in IIS were somehow directly traceable back to his desk. If I take a slightly longer view, as you've advocated, perhaps at least some of those flaws could be traced there, at least indirectly. I agree that security is a mindset and a process, and the responsability can't all be placed on the shoulders of the developers. It cannot, however, be placed soley at Howard's feet by the very same token. Please take a few minutes and re-read my original post. No time? Too lazy? Ok, I'll quote it here:
"I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that."
You ask me to step back and take the outsider's perspective. You complain that "Not everyone has the luxury to know him personally". The WHOLE POINT of my original post was to give you an "insider's" perspective on him.
I very specifically did not speak to his performance in his position at Microsoft or the position he has just resigned for the very reasons you've cited: all I have to go on, really, is public information and in my opinion that's not enough. That's the reason that I posted initially, to attempt to give others the benefit of my perspective. And I still stand by my original conclusion. Someone like Howard, with at least a background in hands-on computer hacking (again, not cracking) is relatively difficult to find at that level, and is very possibly a better choice than whoever gets tapped to replace him. That's not to say that if they were to bring in someone with an unimpeachable record of attacking and solving larger-than-enterprise-level security problems, that I would still feel the same. The bottom line is that right now, at this moment, I see that as extremely unlikely. Again, to quote myself:
"I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse."
Right now, until we learn who they select, it's my feeling that they will find someone worse, especially if you're correct and they're just looking for a fall guy.
It's easy to sit on the sidelines and snipe, but the fact of the matter is you've done nothing to address my original post.
Instead of nitpicking my statement about his position not being related to products, it would be nice if you had addressed my point, which is simply that during the time that I worked with him, he was significantly more clueful than the other administrators I've interacted with at his level.
Since it's doubtful you were employed at Microsoft during his tenure there, and even less likely to have been privy to any policy or other decisions he made while there, its fairly disingenuous for you to now judge him on the content of a few news stories. I suppose that's always the problem with any position related to security, people never hear about the incidents that DIDN'T happen.
Regardless, I'm not here to defend Howard's performance per se just to give my opinion, having worked directly with him (unlike you?) that there are certainly worse people they could tap for the job (see post below re: Hillary Rosen).
Since it's obvious from your reply that you didn't bother to read my entire post, I'm going to guess you're a troll. But since you're getting modded up, I figured I'd better point out why you're wrong. From my original post, to which you replied:
"It's important to note that his time at Microsoft had nothing to do with their products"
While Microsoft has it's share of problems with network and internal security, the problems that you CAN'T lay at his feet, if I understand his position there correctly, are those that relate to IIS etc.
Secondly, I didn't comment as to his performance in his last position, or even at Microsoft. I spoke just to his background and suitability based on my experience. I never said he was a nice guy, or that he was smart, just that when I worked directly with him, he was significantly more clueful than the majority of the other people I've interacted with at his level. Since I haven't been interacting with his most recent office, I can't comment as to whether or not he did or didn't do a good job. But you know what, I doubt you're qualified to do so either. If you are, let me know why and I'll be glad to apologize.
You're not sorry to see him go, eh? I'm sure that will break his heart. Maybe you'll get lucky and the predication further down in this thread will come true, and Hillary Rosen will be tapped as his replacement.
Having worked with Howard during his time with the Air Force, and having followed his career in the private sector and post-Air Force public service, this is really too bad.
For those who don't know (which I assume is most of you), Howard was a pioneer in the area of computer evidence analysis, first as a 'local' police officer, and then as a federal Special Agent. It's important to note that his time at Microsoft had nothing to do with their products (this in response to all those "we all know how secure Microsoft products are" trolls out there).
He and his wife are avid computer users, and Howard was one of the few people I've ever encountered at his level in Government service that could talk to you about technology and computers with any degree of real understanding. He built his own machines (at least when I was working with him) and was taught classes on low-level file system internals and disk layouts.
He became involved with computer crime at a time when only hard-core hackers (not crackers) were really playing around with computers, and paved the way for many others who are themselves pioneers in the information security community, both in the public and private sectors. The atmosphere created and fostered during his time at the Air Force allowed many people to grow and learn, and many of them are not only members of the InfoSec community, but the open-source community as well.
I'd better quit before this turns into blatant fanboyism, if it hasn't already. My intent is not to deify him, I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that. I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse.
In reality, the biggest difference between grep and so-called "forensics" software is the emphasis on examining the data without modifying it and maintaining the chain of custody and audit trail. In fact, many experienced computer investigators do their jobs with little more than DD, grep, and various other Unix utilities. Most of the digital forensics software out there simply attempts to make this funcionality more accessable to your less tech saavy investigator. (The problems caused by inexperienced/unqualified investigators performing this type of analysis are beyond the scope of this response.)
I am currently the designer and project lead for a cross-platform open source (GPL) digital evidence processing suite. It is intended to bring together the various functionalities required to perform this type of work, and (ideally) operate on whatever platform the investigator desires. Our primary development platform is RedHat 7.1.
There are currently software packages out there that attempt to do this, including EnCase and The Forensic Toolkit in the commercial arena and The Coroner's Toolkit in the open source arena, however they lack the broad filesystem support and/or true ease of use to make them usable by everyone. The other barrier is price as EnCase, for example, costs thousands of dollars per copy.
We're well funded, and have already done a significant amount of work. We have some of our core components functional and plan on starting beta testing and releasing our first code drop later this year. If this field interests you and you'd like more information, or you work in the investigative field and have thoughts on what you'd like to see in such a tool, I'd love to hear from you.
Be careful when selecting your DSL provider, to see how they route traffic. I examined Speakeasy and nearly picked them as my ISP, then I found out that they backhaul all their traffic to Seattle (I live in Virginia). Although this is most important for gamers like myself, it is something to look into. I would be careful to select a DSL provider that has a POP near your location. I eventually went with Megapath, who have provided excellent service and route my traffic to DC, which is a single hop and I'm out of their network. Just something to consider.
Revealing a password is generally not considered speech, but rather an access device. Much like the key to a locked file cabinet, law enforcement can compel you to give it up. I think a passphrase would fall into this catagory as well. IANAL, but have had some experience with and exposure to this issue.
I have to chime in with Bryce on this one. I have followed the mailing list (and then lists) for Worldforge since before it was Altima, and the work that has gone on is truly amazing. It has closely followed the benevolent dictator model of development, as well as the release early release often model. I know that there are sites for just Linux games, but I remember a time when links about Altima and other less main-stream topics were more frequent here on/.
Ah well, I am not going to jump on the "I remember when Slashdot was about geeks" bandwagon, but there are plenty of open source and fringe projects that are more worthy of mention than Slashdot is giving them these days.
I'm in the process of trying to get an internal piece of software released open source. It is a very limited purpose application, with no potential to generate revenue. It was written specifically to address a problem faced by a large number of people, and has the potential to generate massive waves of goodwill towards the company where I work. The funny part is that although my bosses agree with the above statements, they are unwilling to move the process forward.
There seems to be an inherent barrier in business to giving something (especially software) away, even when there are other (non-monetary) potential benefits. This company is capable of spending thousands of dollers on a magazine advertisement, but is unwilling to release a fairly simple script that has the potential to generate a much larger amount of business. I would love to hear from others who have experienced this attitude and especially anyone has successfully overcome it.
The whole "we're going to shoot your missles out of the air" Star Wars project that helped bring an end to the cold war was one of the greatest hacks of all time. Reagan threw massive amounts of cash at the project and basically hastened the downfall of the soviet union. Even though there was never a working device, the soviets were convinced that there was but were unable to keep up with the breakneck speed of the spending/research. That should rank somewhere on the list.
This project was originally titled Altima, for alternative-to-Ultima. I have been following the mailing lists for most of a year since it started, and it is amazing the level of work that is being accomplished. They have not only code, but artwork, music, and other media that are all being licensed either under the GPL (the code) or related licenses (for the other media). Any of you who have interest in this type of thing can go see them at Worldforge. You will be impressed.
If I read this article correctly, the only restriction given was the actual _use of code_. There was no restriction mentioned regarding disclosure or discussion that I could see. All in all, it seems to be a great oppourtunity for open source, (as a potent example of the power that can be brought to bear, even under restricted circumstances, by opening the source)and I think it would be foolish to codemn in any way this type of activity by a company (Loki) that has a solid track record of releasing the source to things they develop themselves. (such as the motion JPEG library and installer)If nothing else, it seems like they are just trying to help others see the value in of open source.
http://www.systemapex.com/technology/response_to_m s_linux_page/ Someone (Paul Jara, author of an independent hardware site) has taken the time to write up a fairly well thought out response (point by point) to the Microsoft article. Although lacking in some areas, it seems to be worth a read for those of you who are keeping score...
Slashdot Mirror
One thing to keep in mind is that as the data recovery technology has advanced, so has storage tech. The density of current storage devices (specifically SATA or EIDE drives) is so great that the tolerances required to read overwritten data is orders of magnitdue more difficult than with the drives when the technology was originally used for this purpose.
Better is relative.
Are these better for deaf people? I doubt any serious participant in this discussion would argue they are not. Are they better for the elderly? Based on my experience with voters, the answer is also yes (the ability to enlarge the ballot was wildly popular with the elderly voters, among other things). As far as the actual process of adminstering an election the personnel I worked with (who have been doing elections for approx. 8 years) also said the election was one of the smoothest they'd ever been involved with, and the tallying allowed the results to be made available much sooner than the previous optical scan equipment which is also an improvement.
I am convinced that the equipment has progressed to the point that the greatest threat to vote integrity is not the machines being used (assuming they are at least as secure as the TSx and include a voter verifiable printed audit log) but the lack of procedures or the local election official's unwillingness to follow them.
I am not an advocate of electronic voting, I am an advocate of localized process reform to prevent fraud. My concern is that the current alarm "OMFG if we have complete and total access to a machine with no supervision for an extended period of time we can alter the results on this ONE MACHINE!!#@)($!!" is taking the focus away from the greater danger, that of insufficient local oversight by educated voters.
The TSx machine has the option of a voter verifiable paper audit trail using a printer known as a VVPAT. This consists of a thermal printer whose output is contained behind a clear plastic shield. Once the voter has selected the candidates for which he/she wants to vote for, they have the option to review their printed ballot prior to the vote being cast. While it is possible that this paper trail could be replaced, if proper procedures are followed this is no more likely than the complete replacement of "hand count" paper ballots.
In addition to the above, a simple vote flip as you describe would be far from simple to perform. While I do not assert that it is impossible, it is far more complex than you make it out to be. Each election depends on a custom database that is able to be developed by the local election officials. Each voting machine has NO POSSIBLE foreknowledge of the future candidates. Once delivered to the election commision the election must be loaded using a secure flash memory card, and during the internal testing performed locally by the comission each election is loaded and voted to verify that the proper votes are being assigned to the proper candidate (the election is reset after testing). A simple vote reassingment such as you are proposing would be totally inadequate to falsify the results of the election. Any vote alteration of this type would have to be done centrally via an update to the tabulation software, which would have to be applied individually be each local election official as the central count machines are never connected to any network. As each machine individually maintains a record of the votes cast an audit would reveal that the totals listed by the central count machine do not match those of the individual machines. This is not to say such a modification is impossible, but it is certainly no where near the simple hack you propose.
I am glad you admit I put "some thought" into my post. I wish you had done the same.
I am a computing professional with a background in Computer Forensics and Incident Response. I took a consulting position (specifically a county technician job) with Diebold specifically so I could see what all the hubbub was about with the voting machines.
I went through the entire voting process, from the hardware testing, to the development of the ballots, to the actual election and the tallying of ballots. I can say without a question in my mind that the TSx voting machine and the associated software (assuming the machine is equipped with the voter verifiable printer) is no more susceptable to voter fraud than hand counted paper ballots.
Please keep in mind that I owe nothing to Diebold, have no interest in Diebold, and specifically took this job thinking that I would find gigantic gaping holes in thier product. While the design of the hardware and software leave much to be desired, for someone to assert that commiting large scale voter fraud with this system is easier than with hand counted paper ballots is patently ridiculous in my mind having worked with the hardware and software during an actual election.
The big problem that everyone seems to overlook is that EVERY voting system is inherently operated by humans and is therefore subject to error. My experience during the voting process is that the single most important piece of the "secure election" puzzle isn't the equipment that is used but the processes that are followed and the reasonable inclusion of public scrutiny to the process.
In the case of a hand counted paper ballot, all that is neccesary to commit fraud is a switch of the actual ballots prior to the tally. With the TSx machine (with the attached printer) the audit log of the election (including timestamps and actual votes cast) is present in 3 locations (the actual voting machine, the memory card, and the written record). In order to withstand an audit, all three of these items must be altered to perfectly match the result whereas with paper ballots there is only one record that must be altered.
While it's obviously true that the machines could be programmed in advance to fix an election, keep in mind that voter registration is a completely different process from the actual vote tallying, and that voter turnout is still done by hand. In order for the electronic record to be altered, it would have to be done in such a way as to mirror the actual voter turnout PER POLLING LOCATION, a number which is independant of the voting machines and in any jurisdiction of consequence this number would be effectively impossible to predict. In the case of hand count you need only have a total number of ballots cast as there is no tracking of the votes per polling location whereas with the voting machines this record is kept in each machine.
The bottom line is that the place we need to be concentrating our efforts for voter reform is on the process rather than the specific technologies used to tally votes. The real problem is polling workers being sent home with voting machines. The real problem is no public oversight of the tallying of votes. The technology used is effectively irrelevant unless there is massive voter oversight allowed at every phase of the process, and we must not let our concern over the vulnerabilites of the technology get in the way of the demand for oversight.
In the county that I supported, each machine was kept under lock and key, with a publically accessable camera trained on them at all times. At no time was a single individual allowed access to the machines, including during the travel time to each polling place. When the polls closed, each machine was brought back (again by a team of two) and the actual tallying was done in a room with seating for the general public and a webcam that allowed the public to watch every single part of the process. This is the type of thing we should be advocating.
I will agree that the early technologies used were inadequate to protect our rights, but the voting machine technology has advanced to the p
Peaked at 620k/sec downloaded the entire file in less than 7 minutes. Now seeding the torrent.... Thanks again.
Your pipe is fat. I'm pulling the file down at > 550k/sec. One thousand thanks.
There's a new provider that a friend of mine turned me on to. They provide Linux and BSD hosting, exactly what you're looking for, and more. Their prices are very reasonable, and they even offer lifetime shell accounts if that's what you're interested in. I can often get support via AIM or MSN messanger, and the support offered so far has been amazing. I have a custom-tailored package, so I'm paying for exactly what I need, and nothing more. The storage and bandwidth limitations are more than fair, and buying more of either is trivial. My friend always told me how great they were, and I always thought it was too good to be true. But when I finally got fed up with my current host (phpwebhosting.com, which many people really like, but I found to be unusably unresponsive and lacking) I decided to give them a try, and I would never go anywhere else. They are connected to 3 distinct OC-12s, and bandwidth to or from the site has never been an issue. You owe it to yourself to give them a look. I'm not affiliated with them in any way, just a very very happy virtual BSD host customer.
I used the term "snipe" specifically because you're pointing out facts. The problem is your facts have little or nothing to do with the thrust of my original post. The best trolls are always the ones based in the truth.
Listen, if you want to start your own thread attacking Howard for his lousy public performance during his tenure at Microsoft, or his willingness to attend press conferences and praise Microsoft's (fabricated?) single-minded focus on security I promise I'll have little or nothing to say in response. I consider those critisisms valid, if somewhat shortsighted. My intent in stating his job was unrelated to products was nothing more than an attempt to defuse the more obvious trolls that did nothing but scream that flaws in IIS were somehow directly traceable back to his desk. If I take a slightly longer view, as you've advocated, perhaps at least some of those flaws could be traced there, at least indirectly. I agree that security is a mindset and a process, and the responsability can't all be placed on the shoulders of the developers. It cannot, however, be placed soley at Howard's feet by the very same token. Please take a few minutes and re-read my original post. No time? Too lazy? Ok, I'll quote it here:
"I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that."
You ask me to step back and take the outsider's perspective. You complain that "Not everyone has the luxury to know him personally". The WHOLE POINT of my original post was to give you an "insider's" perspective on him. I very specifically did not speak to his performance in his position at Microsoft or the position he has just resigned for the very reasons you've cited: all I have to go on, really, is public information and in my opinion that's not enough. That's the reason that I posted initially, to attempt to give others the benefit of my perspective. And I still stand by my original conclusion. Someone like Howard, with at least a background in hands-on computer hacking (again, not cracking) is relatively difficult to find at that level, and is very possibly a better choice than whoever gets tapped to replace him. That's not to say that if they were to bring in someone with an unimpeachable record of attacking and solving larger-than-enterprise-level security problems, that I would still feel the same. The bottom line is that right now, at this moment, I see that as extremely unlikely. Again, to quote myself:
"I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse."
Right now, until we learn who they select, it's my feeling that they will find someone worse, especially if you're correct and they're just looking for a fall guy.
It's easy to sit on the sidelines and snipe, but the fact of the matter is you've done nothing to address my original post. Instead of nitpicking my statement about his position not being related to products, it would be nice if you had addressed my point, which is simply that during the time that I worked with him, he was significantly more clueful than the other administrators I've interacted with at his level.
Since it's doubtful you were employed at Microsoft during his tenure there, and even less likely to have been privy to any policy or other decisions he made while there, its fairly disingenuous for you to now judge him on the content of a few news stories. I suppose that's always the problem with any position related to security, people never hear about the incidents that DIDN'T happen.
Regardless, I'm not here to defend Howard's performance per se just to give my opinion, having worked directly with him (unlike you?) that there are certainly worse people they could tap for the job (see post below re: Hillary Rosen).
Since it's obvious from your reply that you didn't bother to read my entire post, I'm going to guess you're a troll. But since you're getting modded up, I figured I'd better point out why you're wrong. From my original post, to which you replied:
"It's important to note that his time at Microsoft had nothing to do with their products"
While Microsoft has it's share of problems with network and internal security, the problems that you CAN'T lay at his feet, if I understand his position there correctly, are those that relate to IIS etc.
Secondly, I didn't comment as to his performance in his last position, or even at Microsoft. I spoke just to his background and suitability based on my experience. I never said he was a nice guy, or that he was smart, just that when I worked directly with him, he was significantly more clueful than the majority of the other people I've interacted with at his level. Since I haven't been interacting with his most recent office, I can't comment as to whether or not he did or didn't do a good job. But you know what, I doubt you're qualified to do so either. If you are, let me know why and I'll be glad to apologize.
You're not sorry to see him go, eh? I'm sure that will break his heart. Maybe you'll get lucky and the predication further down in this thread will come true, and Hillary Rosen will be tapped as his replacement.
Having worked with Howard during his time with the Air Force, and having followed his career in the private sector and post-Air Force public service, this is really too bad.
For those who don't know (which I assume is most of you), Howard was a pioneer in the area of computer evidence analysis, first as a 'local' police officer, and then as a federal Special Agent. It's important to note that his time at Microsoft had nothing to do with their products (this in response to all those "we all know how secure Microsoft products are" trolls out there).
He and his wife are avid computer users, and Howard was one of the few people I've ever encountered at his level in Government service that could talk to you about technology and computers with any degree of real understanding. He built his own machines (at least when I was working with him) and was taught classes on low-level file system internals and disk layouts.
He became involved with computer crime at a time when only hard-core hackers (not crackers) were really playing around with computers, and paved the way for many others who are themselves pioneers in the information security community, both in the public and private sectors. The atmosphere created and fostered during his time at the Air Force allowed many people to grow and learn, and many of them are not only members of the InfoSec community, but the open-source community as well.
I'd better quit before this turns into blatant fanboyism, if it hasn't already. My intent is not to deify him, I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that. I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse.
Yes, I know the name of the movie is Equilibrium, but Gunkata was the main reason I liked it so much.
See the fansite here:
http://www.gunkatta.com/home.htm
Gah. Serves me right for not logging in to post that last one. The correct link for the enhanced loopback driver is here
Enjoy.
In reality, the biggest difference between grep and so-called "forensics" software is the emphasis on examining the data without modifying it and maintaining the chain of custody and audit trail. In fact, many experienced computer investigators do their jobs with little more than DD, grep, and various other Unix utilities. Most of the digital forensics software out there simply attempts to make this funcionality more accessable to your less tech saavy investigator. (The problems caused by inexperienced/unqualified investigators performing this type of analysis are beyond the scope of this response.)
I am currently the designer and project lead for a cross-platform open source (GPL) digital evidence processing suite. It is intended to bring together the various functionalities required to perform this type of work, and (ideally) operate on whatever platform the investigator desires. Our primary development platform is RedHat 7.1.
There are currently software packages out there that attempt to do this, including EnCase and The Forensic Toolkit in the commercial arena and The Coroner's Toolkit in the open source arena, however they lack the broad filesystem support and/or true ease of use to make them usable by everyone. The other barrier is price as EnCase, for example, costs thousands of dollars per copy.
We're well funded, and have already done a significant amount of work. We have some of our core components functional and plan on starting beta testing and releasing our first code drop later this year. If this field interests you and you'd like more information, or you work in the investigative field and have thoughts on what you'd like to see in such a tool, I'd love to hear from you.
Be careful when selecting your DSL provider, to see how they route traffic. I examined Speakeasy and nearly picked them as my ISP, then I found out that they backhaul all their traffic to Seattle (I live in Virginia). Although this is most important for gamers like myself, it is something to look into. I would be careful to select a DSL provider that has a POP near your location. I eventually went with Megapath, who have provided excellent service and route my traffic to DC, which is a single hop and I'm out of their network. Just something to consider.
Revealing a password is generally not considered speech, but rather an access device. Much like the key to a locked file cabinet, law enforcement can compel you to give it up. I think a passphrase would fall into this catagory as well. IANAL, but have had some experience with and exposure to this issue.
NTFS does not by default encrypt your filesystem. There are several encrypted filesystems I have heard of, but NTFS is not one of them.
I have to chime in with Bryce on this one. I have followed the mailing list (and then lists) for Worldforge since before it was Altima, and the work that has gone on is truly amazing. It has closely followed the benevolent dictator model of development, as well as the release early release often model. I know that there are sites for just Linux games, but I remember a time when links about Altima and other less main-stream topics were more frequent here on /.
Ah well, I am not going to jump on the "I remember when Slashdot was about geeks" bandwagon, but there are plenty of open source and fringe projects that are more worthy of mention than Slashdot is giving them these days.
I'm in the process of trying to get an internal piece of software released open source. It is a very limited purpose application, with no potential to generate revenue. It was written specifically to address a problem faced by a large number of people, and has the potential to generate massive waves of goodwill towards the company where I work. The funny part is that although my bosses agree with the above statements, they are unwilling to move the process forward.
There seems to be an inherent barrier in business to giving something (especially software) away, even when there are other (non-monetary) potential benefits. This company is capable of spending thousands of dollers on a magazine advertisement, but is unwilling to release a fairly simple script that has the potential to generate a much larger amount of business. I would love to hear from others who have experienced this attitude and especially anyone has successfully overcome it.
The whole "we're going to shoot your missles out of the air" Star Wars project that helped bring an end to the cold war was one of the greatest hacks of all time. Reagan threw massive amounts of cash at the project and basically hastened the downfall of the soviet union. Even though there was never a working device, the soviets were convinced that there was but were unable to keep up with the breakneck speed of the spending/research. That should rank somewhere on the list.
Better yet, you can go here. I promise to check my links next time!
This project was originally titled Altima, for alternative-to-Ultima. I have been following the mailing lists for most of a year since it started, and it is amazing the level of work that is being accomplished. They have not only code, but artwork, music, and other media that are all being licensed either under the GPL (the code) or related licenses (for the other media). Any of you who have interest in this type of thing can go see them at Worldforge. You will be impressed.
If I read this article correctly, the only restriction given was the actual _use of code_. There was no restriction mentioned regarding disclosure or discussion that I could see. All in all, it seems to be a great oppourtunity for open source, (as a potent example of the power that can be brought to bear, even under restricted circumstances, by opening the source)and I think it would be foolish to codemn in any way this type of activity by a company (Loki) that has a solid track record of releasing the source to things they develop themselves. (such as the motion JPEG library and installer)If nothing else, it seems like they are just trying to help others see the value in of open source.
http://www.systemapex.com/technology/response_to_m s_linux_page/ Someone (Paul Jara, author of an independent hardware site) has taken the time to write up a fairly well thought out response (point by point) to the Microsoft article. Although lacking in some areas, it seems to be worth a read for those of you who are keeping score...