BIOSes, or configuration EEPROMs on peripheral cards. The researcher who pointed out that latter possibility thinks it won't be an issue because conventional rootkits are already so easy. Kind of a cynical reassurance, but probably accurate.
>ignores the possibility of a system defending itself against this attack by verifying the registers she's modifying. Lousy research, girl.
The case under study is a rootkit preventing external analysis. The real system has lost its ability to defend itself by that point, or else it wouldn't be rooted. The real system is no longer in charge of the memory mapping registers after the rootkit takes over. A system trying to defend itself against an attacking process that has direct hardware access is a system in an unwinnable arms race at the very best.
>claiming that virtual machines are a Bad Idea because rootkits could use them to remain undetectable
That's a different reading of her "blue pill" work than mine.
>there are methods to prevent anyone from truly reading what is in RAM.
What she demo'ed was a way to prevent a card on the PCI bus from having the same view of RAM as the CPU does. Unless the players have an architecture like a PC motherboard her attack may not apply. Fundamentally her attack works because there are two channels for getting information from RAM and the two can be configured differently.
>it's really quite difficult to know what is happening at all
True, that's why it's taken a decade of expensive research to get from conclusions like "suggests a discernible impact" to "very likely".
>Anyone who says they 'know' global warming is/isn't reality ought to be treated with suspicion.
The temperature trend is consistent across multiple independent sources of data. If the question is human-caused global warming, the scientists who put together the IPCC report said "very likely", defined as a greater than 90% confidence. That's a sign of people who understand both the extent and the limits of their knowledge, as is the wide range of climate forecasts, ranging from significant to catastrophic.
It causes cancer, after all. But it is only 10-40% of recent temperature increases according to the people who spend their professional careers on such questions. Things can have more than one cause.
The good news is that this is one of the issues where you don't have to understand ocean circulation, feedback loops, or satellite calibration. Just look at what's warming up and what isn't. From CO2, you get heat retained at low altitude that would otherwise be radiated into space. Expected result: nights warming relative to days, troposphere warming, stratosphere cooling. From solar forcing, you expect days warming relative to nights, and stratospheric temperature constant or rising.
Anyone who has Google for a second brain can find out, in minutes, which hypothesis matches the data better.
Norton showed up near the top in several categories. Other large studies have shown the same thing.
The highly consistent feedback from people in the trenches has been along the lines of "I removed the viruses, then to make sure the machine ran OK I removed Norton Antivirus, then I installed Kaspersky and all has been well".
Anyone got a hypothesis to account for the difference?
One useful way to study a black box like human intelligence is to (try to) build a system that does the same things.
From AI research we've learned that what humans consider hard problems are easy, and what humans take for granted (like the capabilities of any healthy 2-year-old) are staggeringly difficult. We've learned that human cognition depends on staggering amounts of experience and knowledge.
AI research proves that hard behaviorism is bogus. If you could implement human behavior as conditioned reflexes, it would have been done by now.
>So if I gather correctly, you can grab my bookmarks or downloaded files, IF I actually type all the letters to those specific paths? That's it?
If I'm reading this right, yes, with the added limitation that Firefox won't budge without a fully qualified path name, so you'd have to type a stream of characters that included a few backslashes.
If I'm reading this right, you could combine it with some exploit that breaks the same-origin policy and steal text typed in elsewhere, but then if you've broken the same-origin policy you could do that anyway.
Only at really low outputs where the other technologies don't scale down gracefully.
They're improving fast, but the ones sold in online catalogs for general home lighting are 25-35 lumens per watt. The worst CFLs are 45-60 (http://en.wikipedia.org/wiki/Luminous_efficacy#Ex amples_2).
As of early 2007, the reasons for LED lighting are o illuminating artwork where you need zero UV coming out o any place that needs extreme longevity (like that bulb in your house that you risk your neck to change). o flashlights, accent lights, other low power uses. o color changing effects
Protoype LEDs have leapfrogged compact fluorescents. If those can be affordably mass-produced, they will deserve to take over.
There's a very well established bit of physics about the spectrum of a hot object. If the spectrum has most of its power in visible light, like sunlight, there will also be a significant tail of ultraviolet (which is why you need sunscreen), and the source will be so hot it vaporizes.
There are some workarounds, like halogen bulbs that recycle boiled-off tungsten and have a quartz envelope to block UV. But the physics is fundamental.
Except there's a key assumption behind that curve, which is that the material itself emits and absorbs all wavelengths completely and equally. The term is "black body". Alter that assumption and the results change. What if GE's found a material that emits poorly in infrared? Then it won't have a black-body spectrum and there's an opportunity to move more output into visible light at any given temperature.
Should an operating system handle normal and predictable events without data loss or incriminating the customer?
Let's jail the malware authors no matter what, but let's face it, attacks on Internet-connected machines are as predictable as rain in Seattle. Seattle homebuilders aren't allowed to leave off a roof and then say "what, you expect me to control the weather?".
A computer is a software player, its value comes from being able to install and run software. If it runs a web browser, it runs Javascript software without even asking the user.
A company with thousands of engineers and a large research department should have figured out, somewhere around 199x at the latest, that giving every program all the rights of the logged-in user (and compelling a root login at that) was an obsolete idea.
>The bottom line is that I liked Win2K towards the end of its supported life.
These ships will be in operation for decades. Major overhauls are spaced far apart. When Windows 2000 leaves extended support and goes end-of-life, what's the Royal Navy going to do? Ask politely for the source code? And for a few hundred Microsoft engineers to understand it? SELinux or Trusted BSD they just might be able to maintain in-house, if they just have to have an externally developed OS.
>their main connection is a unidirectional 300 baud ship-to-shore link.
That applies only to submarines. Surface ships in NATO are likely to be targeted by the Network-Centric Warfare push, in which situational awareness is shared over a well-connected military. The vision implies, among other things, that one unit can pinpoint an enemy and another can engage it. How will this information arrive? What network-facing Windows 2000 software would you trust the security of, against an enemy with a nation's budget to spend?
The military is also Powerpointing about something called the Global Information Grid.
If the old-timers can be believed, before 1995 people *looked forward* to new releases of software. Not only new products, but whole new categories of software were being created. No nation in the world could keep up.
What, exactly, has changed since then, and who was responsible?
Well, don't use "nobody", use a non-shared account with a name like "www". And chroot won't help you with a SQL injection attack, especially if the scripts log in as "sa" (don't laugh, I've seen it done).
If it's the apps being attacked and not the server, the first line of defense is to sanitize user input.
It's a good article for people who aren't focusing on security professionally. It shouldn't be news to anybody who keeps up with trends, though -- is anyone really still using register_globals?!
Michal Zalewski pointed out a cute hack some years ago. Search engine spiders have to follow links that end in queries, like "toparticle.php?page=1". Barring extraordinary and ultimately impossible care in the coding of the spiders, they could also follow URLs that include attack code after the question mark. In _Silence on the Wire_, he imagined a crook building a long list of links to potentially vulnerable systems, appending attack code to each, and leaving the list someplace where Googlebot and its colleagues will find it. Googlebot could twist the doorknob on 1.5 million PHPBB systems a lot faster than the crook possibly could.
Aviation Week mentioned recently that the situational awareness is so good that war games have started keeping the F-22 on station after all weapons are expended, just to serve as an improvised AWACS.
That machine handles and fights so differently that when the engineers flew simulated combat against Air Force pilots, the engineers won. The first few times. As soon as the pilots got the hang of it the engineers were toast.
>But officials later said it was for research and would not go into orbit.
>It would not remain in orbit but could rise to about 150km (94 miles) before a parachute-assisted descent to Earth.
It's a real and important difference, not a pedantic fine point. It takes *way* more energy to get into orbit, and the strategic implications are radically different.
If you can put a payload in orbit, then as soon as you develop reentry vehicle technology you have an ICBM with global range. Going into space simply means you have a ballistic missile, and the already existing Shahab 3 has a 2,000 km range. Missiles with twice that range were already believed to be under development.
There is nothing new in this article. The summary is in grave error.
Because it's a communicable disease. A vaccine against diabetes, for example, would be in a different ethical category. Requiring people to get a vaccine against an infectious disease is like requiring them to shovel their sidewalks or drive on the right-hand side of the street. (Except for the risk of side effects of course).
1. Linux developer notices that some large software vendor has patent 666,666, "use of arrays of pointers to functions". 2. Linux developer coordinates, via LKML, replacement of all arrays of function pointers by something else. 3. Large software company alleges that the "something else" still infringes their patent. 4. Large software company sues and brings the LKML messages into court as proof of "wilful" infringement and demands triple damages.
Slashdot Mirror
BIOSes, or configuration EEPROMs on peripheral cards. The researcher who pointed out that latter possibility thinks it won't be an issue because conventional rootkits are already so easy. Kind of a cynical reassurance, but probably accurate.
It was possible, dunno if it still is, to use a Firewire device for kernel debugging in FreeBSD.
Macs a few years ago didn't restrict Firewire access, and there was a demo of vandalizing the video display by plugging in an iPod.
Ref. Dornseif, CanSecWest 2005. His results about writing were
OS X: works
FreeBSD: works
Linux: works
Windows 2000: crashes
Windows XP: doesn't work
Except that Adam Boileau demonstrated write access to RAM under Windows from Firewire by having the device lie about its configuration.
This sort of thing is why security people sometimes act so devoid of hope.
>ignores the possibility of a system defending itself against this attack by verifying the registers she's modifying. Lousy research, girl.
The case under study is a rootkit preventing external analysis. The real system has lost its ability to defend itself by that point, or else it wouldn't be rooted. The real system is no longer in charge of the memory mapping registers after the rootkit takes over. A system trying to defend itself against an attacking process that has direct hardware access is a system in an unwinnable arms race at the very best.
>claiming that virtual machines are a Bad Idea because rootkits could use them to remain undetectable
That's a different reading of her "blue pill" work than mine.
>there are methods to prevent anyone from truly reading what is in RAM.
What she demo'ed was a way to prevent a card on the PCI bus from having the same view of RAM as the CPU does. Unless the players have an architecture like a PC motherboard her attack may not apply. Fundamentally her attack works because there are two channels for getting information from RAM and the two can be configured differently.
Apple would be in serious trouble if Microsoft gave even less support to Office on the Mac, and both of them know that.
>it's really quite difficult to know what is happening at all
True, that's why it's taken a decade of expensive research to get from conclusions like "suggests a discernible impact" to "very likely".
>Anyone who says they 'know' global warming is/isn't reality ought to be treated with suspicion.
The temperature trend is consistent across multiple independent sources of data. If the question is human-caused global warming, the scientists who put together the IPCC report said "very likely", defined as a greater than 90% confidence. That's a sign of people who understand both the extent and the limits of their knowledge, as is the wide range of climate forecasts, ranging from significant to catastrophic.
It causes cancer, after all. But it is only 10-40% of recent temperature increases according to the people who spend their professional careers on such questions. Things can have more than one cause.
The good news is that this is one of the issues where you don't have to understand ocean circulation, feedback loops, or satellite calibration. Just look at what's warming up and what isn't. From CO2, you get heat retained at low altitude that would otherwise be radiated into space. Expected result: nights warming relative to days, troposphere warming, stratosphere cooling. From solar forcing, you expect days warming relative to nights, and stratospheric temperature constant or rising.
Anyone who has Google for a second brain can find out, in minutes, which hypothesis matches the data better.
Norton showed up near the top in several categories. Other large studies have shown the same thing.
The highly consistent feedback from people in the trenches has been along the lines of "I removed the viruses, then to make sure the machine ran OK I removed Norton Antivirus, then I installed Kaspersky and all has been well".
Anyone got a hypothesis to account for the difference?
>scientifically useless
One useful way to study a black box like human intelligence is to (try to) build a system that does the same things.
From AI research we've learned that what humans consider hard problems are easy, and what humans take for granted (like the capabilities of any healthy 2-year-old) are staggeringly difficult. We've learned that human cognition depends on staggering amounts of experience and knowledge.
AI research proves that hard behaviorism is bogus. If you could implement human behavior as conditioned reflexes, it would have been done by now.
>So if I gather correctly, you can grab my bookmarks or downloaded files, IF I actually type all the letters to those specific paths? That's it?
If I'm reading this right, yes, with the added limitation that Firefox won't budge without a fully qualified path name, so you'd have to type a stream of characters that included a few backslashes.
If I'm reading this right, you could combine it with some exploit that breaks the same-origin policy and steal text typed in elsewhere, but then if you've broken the same-origin policy you could do that anyway.
42 watt CFL, 2800 lumens, 65 lumens per watt
27 watt halogen, can't find that exact size offhand but usually quoted at 20 lumens per watt.
It sounds like both packages were in error: the CFL would have replaced a 150-watt incandescent.
>The hands down winner though are LED bulbs
x amples_2).
Only at really low outputs where the other technologies don't scale down gracefully.
They're improving fast, but the ones sold in online catalogs for general home lighting are 25-35 lumens per watt. The worst CFLs are 45-60 (http://en.wikipedia.org/wiki/Luminous_efficacy#E
As of early 2007, the reasons for LED lighting are
o illuminating artwork where you need zero UV coming out
o any place that needs extreme longevity (like that bulb in your house that you risk your neck to change).
o flashlights, accent lights, other low power uses.
o color changing effects
Protoype LEDs have leapfrogged compact fluorescents. If those can be affordably mass-produced, they will deserve to take over.
There's a very well established bit of physics about the spectrum of a hot object. If the spectrum has most of its power in visible light, like sunlight, there will also be a significant tail of ultraviolet (which is why you need sunscreen), and the source will be so hot it vaporizes.
There are some workarounds, like halogen bulbs that recycle boiled-off tungsten and have a quartz envelope to block UV. But the physics is fundamental.
Except there's a key assumption behind that curve, which is that the material itself emits and absorbs all wavelengths completely and equally. The term is "black body". Alter that assumption and the results change. What if GE's found a material that emits poorly in infrared? Then it won't have a black-body spectrum and there's an opportunity to move more output into visible light at any given temperature.
Should an operating system handle normal and predictable events without data loss or incriminating the customer?
Let's jail the malware authors no matter what, but let's face it, attacks on Internet-connected machines are as predictable as rain in Seattle. Seattle homebuilders aren't allowed to leave off a roof and then say "what, you expect me to control the weather?".
A computer is a software player, its value comes from being able to install and run software. If it runs a web browser, it runs Javascript software without even asking the user.
A company with thousands of engineers and a large research department should have figured out, somewhere around 199x at the latest, that giving every program all the rights of the logged-in user (and compelling a root login at that) was an obsolete idea.
>The bottom line is that I liked Win2K towards the end of its supported life.
These ships will be in operation for decades. Major overhauls are spaced far apart. When Windows 2000 leaves extended support and goes end-of-life, what's the Royal Navy going to do? Ask politely for the source code? And for a few hundred Microsoft engineers to understand it? SELinux or Trusted BSD they just might be able to maintain in-house, if they just have to have an externally developed OS.
>their main connection is a unidirectional 300 baud ship-to-shore link.
That applies only to submarines. Surface ships in NATO are likely to be targeted by the Network-Centric Warfare push, in which situational awareness is shared over a well-connected military. The vision implies, among other things, that one unit can pinpoint an enemy and another can engage it. How will this information arrive? What network-facing Windows 2000 software would you trust the security of, against an enemy with a nation's budget to spend?
The military is also Powerpointing about something called the Global Information Grid.
If the old-timers can be believed, before 1995 people *looked forward* to new releases of software. Not only new products, but whole new categories of software were being created. No nation in the world could keep up.
What, exactly, has changed since then, and who was responsible?
Well, don't use "nobody", use a non-shared account with a name like "www". And chroot won't help you with a SQL injection attack, especially if the scripts log in as "sa" (don't laugh, I've seen it done).
If it's the apps being attacked and not the server, the first line of defense is to sanitize user input.
It's a good article for people who aren't focusing on security professionally. It shouldn't be news to anybody who keeps up with trends, though -- is anyone really still using register_globals?!
Michal Zalewski pointed out a cute hack some years ago. Search engine spiders have to follow links that end in queries, like "toparticle.php?page=1". Barring extraordinary and ultimately impossible care in the coding of the spiders, they could also follow URLs that include attack code after the question mark. In _Silence on the Wire_, he imagined a crook building a long list of links to potentially vulnerable systems, appending attack code to each, and leaving the list someplace where Googlebot and its colleagues will find it. Googlebot could twist the doorknob on 1.5 million PHPBB systems a lot faster than the crook possibly could.
Aviation Week mentioned recently that the situational awareness is so good that war games have started keeping the F-22 on station after all weapons are expended, just to serve as an improvised AWACS.
How much does an AWACS cost?
That machine handles and fights so differently that when the engineers flew simulated combat against Air Force pilots, the engineers won. The first few times. As soon as the pilots got the hang of it the engineers were toast.
>But officials later said it was for research and would not go into orbit.
>It would not remain in orbit but could rise to about 150km (94 miles) before a parachute-assisted descent to Earth.
It's a real and important difference, not a pedantic fine point. It takes *way* more energy to get into orbit, and the strategic implications are radically different.
If you can put a payload in orbit, then as soon as you develop reentry vehicle technology you have an ICBM with global range. Going into space simply means you have a ballistic missile, and the already existing Shahab 3 has a 2,000 km range. Missiles with twice that range were already believed to be under development.
There is nothing new in this article. The summary is in grave error.
>Any good parent will be able to prevent his daughter from being exposed to HPV.
"His" daughter? A reference to "any" parent should include women: statistics show that approximately half of parents are female.
Do you dispute the results of the safety testing on the vaccine?
If so, what do you object to, and on what grounds?
>So why make it a legal issue?
Because it's a communicable disease. A vaccine against diabetes, for example, would be in a different ethical category. Requiring people to get a vaccine against an infectious disease is like requiring them to shovel their sidewalks or drive on the right-hand side of the street. (Except for the risk of side effects of course).
Unless something like this happens:
1. Linux developer notices that some large software vendor has patent 666,666, "use of arrays of pointers to functions".
2. Linux developer coordinates, via LKML, replacement of all arrays of function pointers by something else.
3. Large software company alleges that the "something else" still infringes their patent.
4. Large software company sues and brings the LKML messages into court as proof of "wilful" infringement and demands triple damages.