When I was in college, I struggled with Calculus. It got to the point where I really thought I was "not good at math" because I wasn't good at calc. Then I discovered I didn't need to take Calc II/III or Differential Equations. I could substitute more "advanced" classes like Graph Theory, Number Theory, and Cryptology.
Suddenly I was good at math. Not only that, but I got a whole lot better at computer science. The more advanced classes focus more on how to think logically, and how to operate in procedures. Cryptology is especially important because it is one of those items which most computer scientists will use, but only in passing, and using it badly is often worse than not using it at all. An understanding of cryptology brings with it a lots of logic, set theory, and optimization skills.
Joke aside, isn't it illegal to go through people's trash (although perhaps mostly unenforced?) I though even cops need search warrant to go through suspect's trash can.
Nope, I'm pretty sure you're wrong here. Once you place something in a publicly accessible space, it's considered fair game. That's why going through a suspect's trash is such a powerful tool. It doesn't require a warrant, but it can be used as evidence to get one.
Logically it has to be. Otherwise when does "privacy" end? Once it's loaded into the trash truck? Once it's landfilled?
Okay, (deep breath)... I'm going to ask a question I really _should_ know the answer to: does the average user need an MTA anyway?
I don't even send mail directly from my machines, and I've often wondered "what if I just removed sendmail completely?" Would a whole host of system admin packages (cron, logrotate, etc...) break? Or do they write to the spool directly?
Didn't cable TV originally start out without commercials too?
I should note that I was a deprived child, and didn't first get exposed to cable until the mid-90's, so I could be wrong...
I do know that Time-Warner (my provider) isn't exactly in dire financial straits, but my cable bill keeps going up, and the ratio of content to commercial keeps going down...
The government needs to treat spammers like drug traffickers.
The FTC should hook up with the IRS to go after spammers.
Basically, if you're caught spamming the Feds come in and make you account for all of your income over the last year. Any money derived from spamming is forfeited, plus penalties. I'd also like to see the penalties weighted so that if the spammer gives up the identity of who paid him or her to spam, the penalty is reduced if that person is successfully prosecuted as well. This way the number of spammers and the companies which contract them get slapped.
Any legitimate business should be able to account for all its income. If a spammer can't prove his income is clean, it is no different than a drug trafficker having piles of cash around which just magically appeared. Anything which can't be documented as coming from a non-spam source should be considered profits of a criminal enterprise, and should get seized.
Yes, I trust Google a little less today than a year ago, but only slightly. Overall, I trust Google far more than any other company of decent size.
The reason I trust them less, is because they have grown larger, and are expanding. It is easier to "not be evil" when you have a smaller number of employees and a smaller number of projects. As Google grows, they will inevitably hire some people who are willing to take greater liberties with their user's trust than they have in the past. Usually these people are MBA-type weenies who believe that making money is the only reason to do something. I'm sure Google isn't very receptive to this type of attitude presently, but as they grow it becomes easier for little factions to develop within the organization undetected. Couple this with the pressure on the bright developers to not have their latest spin-off fail, and things might get interesting. The idealists can't watch everyone all the time (and nor do they want to)...
As I said, it's not that I don't trust Google, it's just that I worry their size and increasing outside pressure may lead to some slippage of their internal culture and ethics.
I'm glad to see we (the US) haven't completely alienated everyone yet. That said, it is worth pointing out that the DHS isn't "being built from the ground up". DHS is basically a conglomeration of a bunch of existing Federal agencies with a bunch of new infrastructure added in.
Of course, I'd argue that it's easier to build security in from scratch than to merge a bunch of government agencies in a clean and tidy fashion, so I agree that DHS has an especially hard task.
The real question is how subjective these "grades" are. What does "cybersecurity" really mean? Attack from the outside? Compartementalization? (that has to be spelled wrong) Prevention of abuse from within? All of the above? Some these are easy to fix, and some are very hard. For obvious reasons the public can't be given a report listing what and where the weaknesses are, but an unpatched Windows machine is a lot more serious if it is on the perimeter than if it's behind three layers of well-managed firewalls.
One of my favorite browser features, middle clicking a link to open it in a new tab, doesn't seem to be working under Firefox. Anyone else seeing this?
It's hard to write software without a clear understanding of the problem
Open source is written by people trying to solve a problem which applies to them directly
I'm a professional software developer, and my wife has a masters degree in political management and a lot of real-world experience in DC and elsewhere. Still I'm in no way qualified to write a requirements document for a voting system. Sure, the obvious things like "count the votes correctly" are easy, but there is a lot more to it. I'm sure there are all sorts of laws about the way the choices are presented, accessability regulations and laws, user interface concerns... These are all areas which traditionally open source projects struggle with.
The other problem is that elections are generally held by governments. The average coding geek doesn't have the alpha and beta test communities which are normally available to traditional projects. Open source is generally (but not always) and iterative model. Someone releases a solution which solves their specific problem, gets feedback from other users, and the solution gets enhanced.
Voting systems should not be made by a private company or by private citizens. The Federal government needs to pick the appropriate agency and develop a single, well-tested system. The system should be totally open source, hardware and software, but the people creating it should be aiming to "get it right" not "get it profitable"
The general public has the skills but not the knowledge.
While I agree that there are privacy concerns with Google turning over search information, I'm much more concerned why Google (or anyone) is being forced to turn over anything at all.
Perhaps I don't fully understand, but isn't this basically a government research effort? They want to see if their assumption is correct to support a law which doesn't currently exist. Correct?
So why should a private company be compelled to give them data? It's not like this is a search warrant. How is this different from if NASA when to the academic community and said: "give us all your observations about the moon?" Just because the government wants data that a private company has, doesn't give them to right to demand it.
I know they are looking for evidence of something which ties (loosely) to illegal acts committed using Google, but that is an awfully broad net to be casting.
I think you're missing the point. The issue here is not about who won, but that the technology is flawed. Whether the election is for some tiny zoning change or for the leader of the country, the machines should work. Counting is easy. Computers are good at counting. This software is not, therefore it should be replaced with something which is.
Internally we have a quite nice GAIM plugin which I use constantly. It also integrates with our corporate LDAP directory, so you can get all sorts of info about your contacts. There is also a Java client (which I haven't used), and a whole suite of Java based tools called the ICT (IBM Community Tools) which do all kinds of IM-type things on top of simple messaging. (Which I find annoying... it's things like directed broadcasts to interest groups... that sort of thing)
I'm quite farmiliar with how PKIs and code-signing work. The problem with any PKI, is that you have to have a root to base the trust from. Verisign's "well known public key" isn't "well known", it's just stored in the local certificate store and marked as a trusted CA. There is nothing stopping a user from substituting their own certificate in Verisign's place, and resigning all the binaries on the box. (Well, until you get into hardware crypto...)
I understand this. I actually helped write a commercial certificate authority, so I'm pretty well-versed when it comes to PKI issues.:)
My point is that unless the root certificate is stored in an untamperable hardware device, there is nothing preventing your from replacing it on your local machine with one you have control over. Of course, this doesn't result in code you can distribute to others (at least not without also giving them the root cert and getting them to resign all of their drivers as well)
I'm not talking about "faking" a PIC, but replacing the mechanism used to validate them.
Okay, so MS requires all kernel drivers to be signed. That's ugly, but anything has that is signed has to be verified to the meaningful. The certificate used to verify the signatures is still stored in software at this time, right?
So, what's to stop me from replacing the certificate which comes with Windows with my own, and then just resigning all the drivers?
(Okay, the DMCA for one... grrr....)
I don't think this if going to make Windows unhackable until hardware support for the certs is added. (which is pretty close, I think...)
Does an OpenSSL FIPS 140-2 module signal the end of RSA Security. Other than their SecureID tokens RSA do not seem to have a lot more to offer.
FIPS 140-2 is basically a standard correctly and security of an algorithm. OpenSSL implements things like the RSA algorithm, and their implementation has been certified as "safe" for government use to a certain level of assurance. This doesn't have anything to do with RSA Security (the company), SecureID, or anything like that.
RSA the (algorithm) is still very, very much alive and doesn't show any sign of going anywhere for many years. This is due in part to the fact that the only other option is elliptic curve, (ECC) which is patented, and will be for some time to come.
The difference between you or me and an undercover FBI agent being snooped on is that there's a decent chance the snooping will get the FBI agent killed.
I think "decent chance" is a pretty strong term. Even most low-life scum will think long and hard before killing a federal officer. I'm not saying there isn't a risk, but I think the chance of someone killing their cheating spouse is a lot higher than the chances of a mobster whacking a federal agent. Generally, to be a serious enough criminal to have undercover FBI worries, you've got to have been smart enough to avoid bringing the heat down on you in obvious ways... like by murdering people.
This is a problem for FBI agents, but I don't think they are the group most at risk. In short, this is a bad thing(tm) for everyone.
Many service providers are starting to prioritize their own content at the expense of those from rivals. Many countries have started or are considering blocking Voice-over-IP (VOIP) traffic in order to protect the phone companies from competition.
I know that blocking VOIP has raised some concerns about what that does to a provider's status as a "Common Carrier", but what about prioritizing their own content over outside content? Does the fact that they are making decisions (however simple) about the content passing through their network open them up to problems? I understand it's a simple matter to traffic-shape based on a rule like "from outside our subnet, limit to 'X'", but logically that's not much different than saying "from the website hosted at this address, limit to 0". Yes, this isn't technically practical, but the law isn't designed to only be applied when it's convenient...
I'm annoyed enough that my provider blocks some incoming ports (notably 80), but I can see their position. But what comes down the pipe is none of their business. They should be counting bytes, and that's it. Not bytes from where, or when, or anything else like that.
As soon as my provider starts shaping/restricting my outgoing traffic in any other way that a pure, flat rate-limit or usage-limit, I'm gonna feel morally obligated to find a new provider.
I think the military application of this telescope is as, well, a telescope. You can't shoot things unless you know where they are. I highly doubt this thing will be shooting out the Death Star(tm) ray itself, but rather telling another site where to send the missle, death ray, swarm of space ninjas.
Almost anything which is useful for measuring and locating things is also good for helping blow them up. This doesn't mean we shouldn't do this kind of science. Sure, the military might be able to use it, but the benefits outweigh the negligable risk. Look at it this way: if the US wants this ability, they are either going to build a dedicated military site, or a joint civilian/military site. I doubt the money is going to be spent twice, so I'd rather have the joint site than no science at all.
It's not like they are saying that in order to fund research into improving the freshness of twinkees the military needs a new mind-control ray. The scientific benefit is obvious and large, and the military benefit is slight, and unlikely to be used.
I know this is a rather stupid thing to be hung up on, but the referenced link (DNSsec.org) was so visually cluttered and ugly that I couldn't muster the desire to spend much time there.
Security is always harder to sell than most products, because you are usually trying to convince a customer to spend more time and money for something without out a tangiable return. (If my DNS hasn't been spoofed yet, why pay money? And even if they do secure it, they don't have an easy way to say: "this saved us X dollars this year, and thus was worth the investment")
Add in an "official" website which is hard to read, and painful on the eyes, and you've got a hard sell indeed. As petty as it sounds, a better web presence might help ease acceptance.
While I "understand" the hold, it annoys me. The problem is that people fear the unknown. I'm sure these same folks would freak out if someone told them most their smoke detectors are radioactive and thus "nu-klear" as well. The fact that the isotopes emit alpha particles which are blocked by something as simple as a sheet of paper doesn't register.
It's not reasonable to expect the general public to be experts in particle physics, but I'd like to think they could at least be bothered to do a little reading before getting hysterical.
Yes, you're absolutely correct about the distribution.
(begin probably-true assertion)
One thing to point out is that tradidionally contracts include a percentage of the total "profit" to be handed back to the label for "breakage". This was a big deal before records (the kind with analogue groves) were made out of vinyl. The old ones were quite brittle, and combined with bad streets and rough transport, losing 5-10% of the load to physical damage was to be expected.
Vinyl reduced that problem a lot, and so did improvements in shipping technology, packaging, etc...
CD's reduced the problem to virtually nil, but I believe most labels still take a cut assuming a 5-10% "breakage" rate.
(end probably-true assertion, I am 85% the above is true, and 99% sure the historical parts are, but I can't be bothered to actually Google it)
The important thing to note is that even though a problem with distribution went away, the labels still feel entitled to their old cut. They are willing to reap the benefits of technology when it suits them. (such as the dramatic drop in the cost of pressing CDs) but are unwilling to adapt their business model when it doesn't.
The whole thing falls back to "what the market will bear" and a lot of the backlash is because the labels don't like the fact the "market" is trying to tell them to get stuffed. (Of course for this to be an altruistic story, none of the content on P2P networks would be stolen, and we're not that dumb....)
Slashdot Mirror
Suddenly I was good at math. Not only that, but I got a whole lot better at computer science. The more advanced classes focus more on how to think logically, and how to operate in procedures. Cryptology is especially important because it is one of those items which most computer scientists will use, but only in passing, and using it badly is often worse than not using it at all. An understanding of cryptology brings with it a lots of logic, set theory, and optimization skills.
I thought that all numbers in the form 2^n -1 are prime - If I am correct, what's so new about this number? -Nicolas
Nope, most of them aren't:
(2^3)-1 = 8 - 1 = 7 (prime)
(2^4)-1 = 16 - 1 = 15 (not prime, 3, 5)
(2^5)-1 = 32 - 1 = 31 (prime)
(2^6)-1 = 64 - 1 = 63 (prime)
(2^7)-1 = 128 - 1 = 127 (prime)
(2^8)-1 = 256 - 1 = 255 (not prime, 3, 5)
etc..
Nope, I'm pretty sure you're wrong here. Once you place something in a publicly accessible space, it's considered fair game. That's why going through a suspect's trash is such a powerful tool. It doesn't require a warrant, but it can be used as evidence to get one.
Logically it has to be. Otherwise when does "privacy" end? Once it's loaded into the trash truck? Once it's landfilled?
I don't even send mail directly from my machines, and I've often wondered "what if I just removed sendmail completely?" Would a whole host of system admin packages (cron, logrotate, etc...) break? Or do they write to the spool directly?
I should note that I was a deprived child, and didn't first get exposed to cable until the mid-90's, so I could be wrong...
I do know that Time-Warner (my provider) isn't exactly in dire financial straits, but my cable bill keeps going up, and the ratio of content to commercial keeps going down...
The FTC should hook up with the IRS to go after spammers.
Basically, if you're caught spamming the Feds come in and make you account for all of your income over the last year. Any money derived from spamming is forfeited, plus penalties. I'd also like to see the penalties weighted so that if the spammer gives up the identity of who paid him or her to spam, the penalty is reduced if that person is successfully prosecuted as well. This way the number of spammers and the companies which contract them get slapped.
Any legitimate business should be able to account for all its income. If a spammer can't prove his income is clean, it is no different than a drug trafficker having piles of cash around which just magically appeared. Anything which can't be documented as coming from a non-spam source should be considered profits of a criminal enterprise, and should get seized.
Yes, I trust Google a little less today than a year ago, but only slightly. Overall, I trust Google far more than any other company of decent size.
The reason I trust them less, is because they have grown larger, and are expanding. It is easier to "not be evil" when you have a smaller number of employees and a smaller number of projects. As Google grows, they will inevitably hire some people who are willing to take greater liberties with their user's trust than they have in the past. Usually these people are MBA-type weenies who believe that making money is the only reason to do something. I'm sure Google isn't very receptive to this type of attitude presently, but as they grow it becomes easier for little factions to develop within the organization undetected. Couple this with the pressure on the bright developers to not have their latest spin-off fail, and things might get interesting. The idealists can't watch everyone all the time (and nor do they want to)...
As I said, it's not that I don't trust Google, it's just that I worry their size and increasing outside pressure may lead to some slippage of their internal culture and ethics.
Of course, I'd argue that it's easier to build security in from scratch than to merge a bunch of government agencies in a clean and tidy fashion, so I agree that DHS has an especially hard task.
The real question is how subjective these "grades" are. What does "cybersecurity" really mean? Attack from the outside? Compartementalization? (that has to be spelled wrong) Prevention of abuse from within? All of the above? Some these are easy to fix, and some are very hard. For obvious reasons the public can't be given a report listing what and where the weaknesses are, but an unpatched Windows machine is a lot more serious if it is on the perimeter than if it's behind three layers of well-managed firewalls.
(This alone is enough to kill it for me)
I'm a professional software developer, and my wife has a masters degree in political management and a lot of real-world experience in DC and elsewhere. Still I'm in no way qualified to write a requirements document for a voting system. Sure, the obvious things like "count the votes correctly" are easy, but there is a lot more to it. I'm sure there are all sorts of laws about the way the choices are presented, accessability regulations and laws, user interface concerns... These are all areas which traditionally open source projects struggle with.
The other problem is that elections are generally held by governments. The average coding geek doesn't have the alpha and beta test communities which are normally available to traditional projects. Open source is generally (but not always) and iterative model. Someone releases a solution which solves their specific problem, gets feedback from other users, and the solution gets enhanced.
Voting systems should not be made by a private company or by private citizens. The Federal government needs to pick the appropriate agency and develop a single, well-tested system. The system should be totally open source, hardware and software, but the people creating it should be aiming to "get it right" not "get it profitable"
The general public has the skills but not the knowledge.
Perhaps I don't fully understand, but isn't this basically a government research effort? They want to see if their assumption is correct to support a law which doesn't currently exist. Correct?
So why should a private company be compelled to give them data? It's not like this is a search warrant. How is this different from if NASA when to the academic community and said: "give us all your observations about the moon?" Just because the government wants data that a private company has, doesn't give them to right to demand it.
I know they are looking for evidence of something which ties (loosely) to illegal acts committed using Google, but that is an awfully broad net to be casting.
Am I totally missing something here?
I think you're missing the point. The issue here is not about who won, but that the technology is flawed. Whether the election is for some tiny zoning change or for the leader of the country, the machines should work. Counting is easy. Computers are good at counting. This software is not, therefore it should be replaced with something which is.
Fantastic!
Internally we have a quite nice GAIM plugin which I use constantly. It also integrates with our corporate LDAP directory, so you can get all sorts of info about your contacts. There is also a Java client (which I haven't used), and a whole suite of Java based tools called the ICT (IBM Community Tools) which do all kinds of IM-type things on top of simple messaging. (Which I find annoying... it's things like directed broadcasts to interest groups... that sort of thing)
I'm quite farmiliar with how PKIs and code-signing work. The problem with any PKI, is that you have to have a root to base the trust from. Verisign's "well known public key" isn't "well known", it's just stored in the local certificate store and marked as a trusted CA. There is nothing stopping a user from substituting their own certificate in Verisign's place, and resigning all the binaries on the box. (Well, until you get into hardware crypto...)
My point is that unless the root certificate is stored in an untamperable hardware device, there is nothing preventing your from replacing it on your local machine with one you have control over. Of course, this doesn't result in code you can distribute to others (at least not without also giving them the root cert and getting them to resign all of their drivers as well)
I'm not talking about "faking" a PIC, but replacing the mechanism used to validate them.
So, what's to stop me from replacing the certificate which comes with Windows with my own, and then just resigning all the drivers?
(Okay, the DMCA for one... grrr....)
I don't think this if going to make Windows unhackable until hardware support for the certs is added. (which is pretty close, I think...)
Does an OpenSSL FIPS 140-2 module signal the end of RSA Security. Other than their SecureID tokens RSA do not seem to have a lot more to offer.
FIPS 140-2 is basically a standard correctly and security of an algorithm. OpenSSL implements things like the RSA algorithm, and their implementation has been certified as "safe" for government use to a certain level of assurance. This doesn't have anything to do with RSA Security (the company), SecureID, or anything like that.
RSA the (algorithm) is still very, very much alive and doesn't show any sign of going anywhere for many years. This is due in part to the fact that the only other option is elliptic curve, (ECC) which is patented, and will be for some time to come.
I think "decent chance" is a pretty strong term. Even most low-life scum will think long and hard before killing a federal officer. I'm not saying there isn't a risk, but I think the chance of someone killing their cheating spouse is a lot higher than the chances of a mobster whacking a federal agent. Generally, to be a serious enough criminal to have undercover FBI worries, you've got to have been smart enough to avoid bringing the heat down on you in obvious ways... like by murdering people.
This is a problem for FBI agents, but I don't think they are the group most at risk. In short, this is a bad thing(tm) for everyone.
Many service providers are starting to prioritize their own content at the expense of those from rivals. Many countries have started or are considering blocking Voice-over-IP (VOIP) traffic in order to protect the phone companies from competition.
I know that blocking VOIP has raised some concerns about what that does to a provider's status as a "Common Carrier", but what about prioritizing their own content over outside content? Does the fact that they are making decisions (however simple) about the content passing through their network open them up to problems? I understand it's a simple matter to traffic-shape based on a rule like "from outside our subnet, limit to 'X'", but logically that's not much different than saying "from the website hosted at this address, limit to 0". Yes, this isn't technically practical, but the law isn't designed to only be applied when it's convenient...
I'm annoyed enough that my provider blocks some incoming ports (notably 80), but I can see their position. But what comes down the pipe is none of their business. They should be counting bytes, and that's it. Not bytes from where, or when, or anything else like that.
As soon as my provider starts shaping/restricting my outgoing traffic in any other way that a pure, flat rate-limit or usage-limit, I'm gonna feel morally obligated to find a new provider.
Almost anything which is useful for measuring and locating things is also good for helping blow them up. This doesn't mean we shouldn't do this kind of science. Sure, the military might be able to use it, but the benefits outweigh the negligable risk. Look at it this way: if the US wants this ability, they are either going to build a dedicated military site, or a joint civilian/military site. I doubt the money is going to be spent twice, so I'd rather have the joint site than no science at all.
It's not like they are saying that in order to fund research into improving the freshness of twinkees the military needs a new mind-control ray. The scientific benefit is obvious and large, and the military benefit is slight, and unlikely to be used.
Security is always harder to sell than most products, because you are usually trying to convince a customer to spend more time and money for something without out a tangiable return. (If my DNS hasn't been spoofed yet, why pay money? And even if they do secure it, they don't have an easy way to say: "this saved us X dollars this year, and thus was worth the investment")
Add in an "official" website which is hard to read, and painful on the eyes, and you've got a hard sell indeed. As petty as it sounds, a better web presence might help ease acceptance.
It's not reasonable to expect the general public to be experts in particle physics, but I'd like to think they could at least be bothered to do a little reading before getting hysterical.
(begin probably-true assertion)
One thing to point out is that tradidionally contracts include a percentage of the total "profit" to be handed back to the label for "breakage". This was a big deal before records (the kind with analogue groves) were made out of vinyl. The old ones were quite brittle, and combined with bad streets and rough transport, losing 5-10% of the load to physical damage was to be expected.
Vinyl reduced that problem a lot, and so did improvements in shipping technology, packaging, etc...
CD's reduced the problem to virtually nil, but I believe most labels still take a cut assuming a 5-10% "breakage" rate.
(end probably-true assertion, I am 85% the above is true, and 99% sure the historical parts are, but I can't be bothered to actually Google it)
The important thing to note is that even though a problem with distribution went away, the labels still feel entitled to their old cut. They are willing to reap the benefits of technology when it suits them. (such as the dramatic drop in the cost of pressing CDs) but are unwilling to adapt their business model when it doesn't.
The whole thing falls back to "what the market will bear" and a lot of the backlash is because the labels don't like the fact the "market" is trying to tell them to get stuffed. (Of course for this to be an altruistic story, none of the content on P2P networks would be stolen, and we're not that dumb....)