The iPad isn't a mobile phone either. However, if you change your argument to "iPhone", then yes. The exemptions generally aren't for broad classes of behavior, but specific behaviors. There's one exemption for circumventing DRM for PC video games for the purposes of security research (which was granted because of the requests of a single individual).
The key's already been published, it's harmless for them to show that it's correct. It's also sufficient for them to simply show that the published key works, they don't need to show that it's the same as theirs.
His lawyers can ask for anything, but they won't necessarily get it. Probably any information about Sony's assets will be deemed irrelevant and denied. Certainly anything about the judge's assets will be denied in this trial, and asking for it could land you in some trouble.
Now, if he loses and appeals and has a plausible claim that the judge was bribed, his lawyers could successfully request the records for the judge's bank accounts.
No, no. It's (approximately) sqrt(2^n) where n is the number of bits in the hash (see: birthday attack). MD5 has n=128 bits, so the number of messages you need to hash before you are likely to have a single collision is sqrt(2^128) = 2^64.
Credit card numbers are 16 digits, so there are at most 10^16 of them. 10^16 ~= 2^53. However, there are a lot of 16-digit numbers that are not valid credit card numbers, so there are in fact less than 2^53 credit card numbers. I didn't bother including that.
What you're talking about is not just "encryption" but public-key (or asymmetric) encryption. However, bulk-encrypting a large amount of data that follows predictable patterns (which credit card numbers do) with public-key encryption is highly inadvisable, as they're weak against particular cryptanalysis attacks under those conditions.
Encryption has the problem of being two-way. If you're storing both the encryption key and the credit card number, you're essentially storing the credit card number. If you use a one-way function, like a hash, someone acquiring your list of hashes can't reasonably compute the credit card numbers from them. (Well, today, if you were using MD5, you'd need to take additional precautions against this, as MD5 is too cheap to calculate to provide reasonable protection.)
I think you're reading their statement incorrectly. They're talking about the difficulty of constructing a collision. A collision attack is one where you are able to manipulate both inputs to intentionally produce two inputs that have the same hash value. This isn't the same as the likelihood of two arbitrarily-chosen inputs having the same hash, and it isn't the same as the difficulty of finding an input that has the same hash as a known, fixed input. The difference is important, since there are known collision attacks against MD5 and SHA1, but there are not known preimage attacks against either.
The expected value of the number of different inputs you need for a hash function before you accidentally find a collision is approximately sqrt(2^n), which for MD5 is 2^64 inputs. Since there are less than 2^53 inputs, there's likely not any MD5 collisions among credit card numbers.
For cryptographic hash functions, the probability that two arbitrary inputs produce the same hash should be (1/2)^n, where n is the number of bits in the hash. While this isn't true for all hash functions or simpler functions like CRCs, it's accurate enough for cryptographic hash functions to be used in this fashion. Considering MD5 is 128 bits and a credit card number is 16 digits, which is about 53 bits, it's quite sufficient.
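The birthday-bound arithmetic used in the hash comments above, worked through as an added example (not code from any commenter). It assumes an ideal hash whose outputs are uniformly distributed, and the small-scale check uses constructed inputs ("card-0", "card-1", ...) hashed with MD5 truncated to a few bits so the collision actually appears.

```python
import hashlib
import math


def birthday_bound(hash_bits: int) -> float:
    """Inputs needed before a collision becomes likely (~50%): about sqrt(2^n).
    For MD5 (n = 128) this is 2^64."""
    return math.sqrt(2.0 ** hash_bits)


def expected_collisions(num_inputs: int, hash_bits: int) -> float:
    """Expected number of colliding pairs among num_inputs distinct inputs
    for an ideal n-bit hash: C(N, 2) / 2^n."""
    pairs = num_inputs * (num_inputs - 1) // 2
    return pairs / 2.0 ** hash_bits


def approx_bits(count: int) -> float:
    """Size of an input space in bits, e.g. 10^16 card numbers ~ 2^53."""
    return math.log2(count)


def first_collision_index(hash_bits: int, max_inputs: int = 1 << 20) -> int:
    """Hash constructed inputs with MD5 truncated to hash_bits and return how
    many inputs were consumed before the first collision (-1 if none).
    With a 16-bit truncation the first collision shows up near sqrt(2^16) = 256,
    which is the same curve the 2^64 figure for full MD5 comes from."""
    mask = (1 << hash_bits) - 1
    seen = {}
    for i in range(max_inputs):
        digest = hashlib.md5(f"card-{i}".encode()).digest()
        truncated = int.from_bytes(digest, "big") & mask
        if truncated in seen:
            return i + 1
        seen[truncated] = i
    return -1


if __name__ == "__main__":
    print("MD5 birthday bound:", birthday_bound(128))
    print("card-number space bits:", approx_bits(10 ** 16))
    print("expected MD5 collisions among 2^53 inputs:",
          expected_collisions(1 << 53, 128))
    print("first collision with 16-bit truncated MD5 after",
          first_collision_index(16), "inputs")
```

Expected collisions among 2^53 card numbers under a 128-bit hash come out near 2^-23, which is the quantitative form of "there's likely not any MD5 collisions among credit card numbers"; note this says nothing about preimage resistance, which is the property that actually matters when storing hashed card numbers.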
You're correct, perhaps I was unclear. Comparing deaths from added radiation to estimated terrorism prevention deaths is also reasonable. It may well pass that test, though. It would kill a few people a year if implemented worldwide (and every traveler was scanned), so if it prevents one plane from being blown up in 20 years, it's break-even, roughly. (If it had a 10% chance of stopping a 9/11-scale attack in 100 years, it'd also break even.)
Background radiation simply gives you a scale for how big a level of exposure is, since we're exposed to background radiation constantly. The base chance of acquiring cancer through background radiation is fairly reasonable. So if a given exposure is 0.1% background radiation, the impact is fairly small.
Of course, I don't think backscatter machines pass an economic cost-benefit analysis. The money would be better spent elsewhere. (I just don't think trying to criticize them on health grounds is the way to do this.)
Absolutely the inventor has a vested interest. You shouldn't just automatically believe what he says. However, he also has the most information about the device and hopefully has the appropriate domain-specific knowledge. So a report from the inventor can be very informative, even though it needs to be substantiated by a third-party tester.
So instead of believing actual experts in the field, you're going to trust the manufacturer and original inventor?
The inventor is also an expert in the field. It's moot, though. All that matters is whether his methods for assessing the risk are correct and whether the measurements are correct. As the document is publicly available, the former can be checked by anyone. The latter is more opaque, but has been independently verified.
There are a lot of experts in any field and they, not surprisingly, often have different opinions. This letter was written by a small handful of researchers in a related field. They ignore or are ignorant of publicly-available data relevant to the questions they pose. Some of their criticisms are insightful, but most are easily addressed by simple quantitative analysis that they choose not to do. So yes, I put little stock in their opinions because they don't back them up sufficiently. Being a researcher in a related field of study is a meaningless appeal to authority.
They're correct. All ionizing radiation poses a risk, there's no inherently safe level. There is, however, a ton of low-level sources of background ionizing radiation, so you can characterize the risk as insignificant or significant.
All the key data isn't redacted from the Johns Hopkins study. Certainly none of the key data I went looking for -- energy spectra, photon flux, etc. -- was missing.
Strictly speaking, probably not. It has the potential to be, though. If one of the people watching the output was a pedophile, it could be argued that it's child porn. If it was uploaded on the Internet it could also be argued. Otherwise, it doesn't have prurient intent or appeal to prurient interest and so is no more child porn than a parent's photo of a naked young child.
No, it's not a good cost-benefit at all. It's made worse by the fact that people hate them, which, regardless of their reasons, is a compelling reason not to use them. But they're very expensive and don't substantially improve security.
That's not what was being discussed, though. I don't think it makes sense to actually use them, but claiming that they're a health risk isn't correct.
I'll see if I can dig up their intensity per eV graph. I, of course, went looking for the same thing. It's in one of the Johns Hopkins papers. I think they may only plot relative intensity and then also give you total energy, so you can work it out, but it's not in the units I would have expected.
Peak energy is 30-40 keV. Cuts off at 50 keV, long tail dropping to "small" around 5-10 keV.
Sorry, I refer to it in another comment somewhere and don't recall offhand where the link is. Perhaps I'll look it up later.
Some of their concerns are reasonable, but par for the course -- not disclosing the names of the testers and such. Engineering safety reports don't, as a rule, prove that things are safe. They state measurements. Then a regulatory body claims that those measurements are within bounds considered safe. You can't reasonably "prove" safety. It's not a big problem in colloquial speech, but when doing this sort of thing, you want to be careful with what you say. The danger that the model in the field isn't the same as the tested one is a risk, but not a very realistic one. They're subject to serious FDA oversight and it would require a substantial conspiracy to arrange. (Especially since you *can* make backscatter scanners that are safe to within their limits. I knew a handful of people who were researching them and pitching this kind of application many years ago, and a lot of careful safety estimates were made.)
FDA link: Try "other sources". TSA link: It's not their original material, they're just a useful source. The engineering reports are from Johns Hopkins. I assume you didn't bother reading them.
That's actually the letter I was referring to. It's pretty well-known. They claim a lot of data isn't available when it actually is. A lot of their argument is based on qualitative information. There's a good response to that from the inventor of the device (who is, of course, an X-ray scientist), and there are some excellent engineering safety reports out of Johns Hopkins.
James Billington? No, not particularly.
The Librarian of Congress also gave an exemption to the DMCA for some kinds of jailbreaking.
The chemical the bottles are made out of is PET. I think they have some experience with the characteristics of PET.
Doesn't it cost $99 / year to host any number of free apps?
Not only that, in the Lake Superior area, it's cold enough you could use open-air cooling half the year.
My choices are purely random. I get my random numbers from a nonhuman source.
So it's Google Voice, but without the other features.
Yeah, astronauts are notorious for having a hard time finding dates.
Actually, at least 5 of the 6 crew are married.
Did you read them? There's a handful and not much is redacted. The tests are on the same model as those used in airports.