To ensure that Secure Computing Corp continues to receive funding and win contracts with the U.S. military and intelligence agencies we have decided to bow down to the Puzzle Palace's (NSA) goal of providing a freely available SELinux distribution.
We promise we will not attempt to sue the world's largest black budget organization, and the government agency with the fewest publicly available details (part of its mandate in E.O. 12333 is classified).
We fear their black helicopters.
Re:Counterfeiting, Dark Taxis, and National Image on Greenbacks No More · Score: 2
most widely-accepted currency in the world? With buying power almost anywhere?
What does widely accepted and buying power have to do with whether the US dollar bills are easy to forge or not? Nothing.
It is not in the best interest of the US economy or any other legitimate economy in the world for forged US bills to be used.
I also suspect that in 10-20 years the Euro may surpass the US dollar, in part because of Europe's more pro-active stance against counterfeiting, and being a currency backed by three very powerful and stable countries (UK, Germany, France).
the AMSAT stuff is still amazingly cool (how many "regular" people do military-style satellite tracking on their home PCs and then use a dedicated satellite communications channel?).
Yeah, watching the reaction of the guy at the building supply store helping you find the right pieces of PVC pipe and fittings, when you explain to him that the PVC pipes with the wrong number of caps are for building your own satellite antennas, is priceless.
So I'm going to agree -- the allure that ham radio once had for me is gone... yes, morse code is cool, and yes, some of the digital modes are still cool, but it's nothing like what it used to be, and sadly, probably won't ever be.
If you were only interested in using ham radio as a means of communications, I can understand why you might be tired or bored with it.
What motivates and interests me is actually building things, networks, infrastructure, transmitters, receivers, learning about new, or at least new to me, modes (e.g. QMSK). In fact I spend a very small amount of time "on the air" with most of the interesting bits happening on the bench.
Counterfeiting, Dark Taxis, and National Image on Greenbacks No More · Score: 5, Insightful
I think it is a great idea, because it finally allows the US Treasury to put some decent anti-counterfeiting into their bills. I mean, you would think they would be embarrassed to be the most successfully counterfeited currency in the world.
Not just new hued (i.e. not bright colours, but various hues) bills but magnetic inks, water-spots, metal foil sewn into the fiber, various printing methods (for a tactile feel to the blind). Other countries such as Canada have introduced braille for the blind.
The braille is also good for checking your pockets at the bars before offering to buy the next round of beer. While in Britain I had my first exposure to different sized bills, and I found it useful to be able to assess at a glance what is in my wallet, and to double check the change from the taxi driver after a night out. Too often you cannot read the bills since it is dark, and taxis are pretty horrid at having burnt out interior lights.
Of course many people will be distracted by the "national image"; the real issue, that it is harder to make a quality counterfeit, is to the benefit of the US economy, and just about everyone in the US except criminals and the CIA (who have been accused of counterfeiting, but never proven).
For those who cannot understand the tourist angle: I suspect that is a PR claim, but visitors are not only dealing with a new currency, they are often using a second, third, or fifth language, and also trying to do currency conversion to their native currency when shopping and trying to budget their trip. There are those shop keepers and tourist industry people who try to take advantage of the similar appearance. I know that there has been more than a couple bait-and-switch cases of people doing much like a card trick when giving back change; to not just tourists but everyday Americans.
Do you want to be a professional programmer / software developer / software engineer? Or would you be satisfied being a hack (not a hacker) programmer that writes one-off (web) scripts?
If you want to be a white-collar professional type, expect to be like any other professional, and get the best education you can. Which is typically at least a four-year bachelor's degree.
You can get an entire BSc Computer Science via correspondence, online or via postal mail. Look at any university in the US, you very well may qualify for financial aid, or low-interest student loans.
Then follow this method:
1) Get an education, (knowledge that will not become out of date)
a) understand computers (a la Structure and Interpretation of Computer Programs)
b) mathematics
c) history of computing
d) programming in the small
e) programming in the large
f) software engineering
g) networking
h) professional presentations and writing skills
i) algorithms and data structures
j) database systems (RDBMS, OO databases) etc.
2) Training (skills of tools and techniques, that will have to be maintained)
a) programming language (e.g. C, Pascal, Java, C++, whatever)
b) database (Oracle, PostgreSQL, MySQL)
c) operating systems (VMS, Unix, Linux, W2K, Plan 9)
d) project management
Note: Training does not need to be formal, and tends to be more expensive. I did most of mine either at university, or on the job.
3) Experience
I think you can figure this one out. I should point out that testing, QA is often easier to get into than the programming department. Also debugging skills, and seeing what can go wrong (Risks Digest) will hopefully make you a safer programmer.
One thing I have always found challenging is that the legal system does not use words like common speech or even the Queen's English, so when trying to read raw legal material I find it confusing and frustrating because I know that I am not getting the full meaning out of the material.
I have tried to look for books which give an introduction and overview of the law and legal system to adults, but all I can find are Civics textbooks for high school students and practical howto books like those published by Nolo.
I don't think that such an algorithm can be secure and have backdoors.
You're right, the algorithm AES (a subset of Rijndael) does not have any backdoors. Therefore it may be secure. And to the best of anyone's knowledge it is secure and free of any backdoors.
Cryptographic Module Validation Program is going to put that Backdoors?
The NIST's FIPS standards are used to tender commercial equipment from suppliers for the US government's own use, so it is in the US government's own best interest to make as certain as reasonably possible, using the Cryptographic Module Validation Program, that those products used by the government are safe and secure.
'Join a project rather than starting your own.' While joining another project is helpful, even useful, it does not replace the "developer's personal itch"
This really means, "don't re-invent the wheel". If your project goal is to get a working software package, it is quicker, easier, and hopefully has fewer bugs to work with an existing project and try to achieve synergy than starting another similarly oriented project from scratch.
Smart cards are microprocessors embedded in a flexible plastic credit card sized card. (ISO 7816)
The capabilities range from simple memory storage cards (3KB to 16KB), which are a high tech equivalent of the magnetic stripe on "swipe cards" to high end crypto processors which are tamper resistant and/or tamper evident. These crypto cards can generate a private key that never leaves the card, and can securely perform digital signing and decryption using the private key. Such cards typically support DES, Triple DES, RSA 512-1024 bit and SHA-1. E.g. CryptoFlex from Schlumberger, Gemplus Public Key
Smart cards are already far more common in Europe, are used in satellite TV, Mondex (an electronic wallet scheme that never seems to get off the ground), and in a different form factor, the SIM cards of GSM mobile phones are smart cards. Because of Sat-TV, Pay-TV, and GSM phones there are hundreds of millions of smart cards in use today.
There is also Linux support via MUSCLE which supports the PC/SC API made popular under Windows, and which most vendors support.
Been there, done that. The Cheese worm for Linux does basically the same sort of thing.
Still it's a bad idea. For legal reasons: unauthorized is unauthorized even with good intent. For complexity reasons: the worm/virus may break something else or have unintended consequences like the Robert Moore Jr. worm in the 1980s. Common sense: Encouraging bad system admin habits, that is to be lazy, is a very bad idea. Think of a silly analogy: like breaking in to fix a faulty burglary alarm is a bad idea.
RSA and DSA are two algorithms which are used in a similar (interchangeable for our purposes) fashion.
The article says that SSH1 used the patented RSA key
The RSA patent in the US (# 4,405,829) expired in September 2000.
How is it that SSH2 can use a signature algorithm to do real encryption?
The actual transport encryption is done via a symmetric cipher algorithm such as Triple-DES (3DES), Blowfish, or IDEA (patented in US, Europe) which are much faster (~ 1000-1500 times) than public key algorithms. The RSA or DSA is used to negotiate the key to be used by the symmetric cipher (which uses the same key to encrypt and decrypt, hence "symmetric").
Good thing the U.S. modified its policy on exporting encryption technologies (a.k.a. munitions).
The US modified their export regulations back in 1996 transferring cryptographic export to the US Department of Commerce Bureau of Export Administration (BXA), and not relating it under ITAR (Department of State I believe) which was what classified it as Dual-Use Technologies, which also includes nuclear material, weapons, supercomputers, etc.
The techniques do work, they just require a lot of computing resources and time.
It is expected that the smallest challenge will be solved within 1 year or so. To break the high-end of the range in the next 2-3 years would require an advance in the state-of-the-art in knowledge about factoring.
I wouldn't expect a breakthrough because the problem is fairly old, and well understood, but a definite improvement is possible.
A typical Beowulf cluster is made up of numerous modest machines with typical RAM, and moderate networking speed. Today (July 2001) that may be say 20 boxes with dual Intel Pentium III @ 733 MHz, with 256MB of RAM, and 100Mbit Ethernet to a dedicated switch.
For trying to use GNFS (General Number Field Sieve) or NFS (Number Field Sieve), you need more RAM per CPU (e.g. 4GB per CPU) if you want to factor numbers in the RSA-155+ range.
Since I've not used NFS, GNFS for any projects, I think the network bandwidth limitations are okay, except in the last stage which I think is a linear matrix reduction.
Since there is no known way to do factorization of large numbers aside from brute force
That is incorrect.
There are numerous algorithms that are more efficient than dumb brute force. That doesn't mean that they will find the answer quickly, but vastly quicker than naive brute force attempts.
CWI has several source code license agreements with companies in The Netherlands, USA, Germany and France which allow them to use the Number Field Sieve factorization code as this was and is being developed by P.L. Montgomery, A.K. Lenstra, M. Elkenbracht-Huizing, S. Cavallar and B. Dodson. On a non-commercial basis, the NFS source code has also been made available for research purposes to other cooperating groups. A group of the Royal Institute of Technology in Stockholm (Hastad) has used this code as a basis for factoring a hard 512-bit challenge number in October 2000.
If you want to actually try this, there are several things to realise, first you need a lot of computing power, including at least one very large multiprocessor machine with several (>4) GB of RAM. Think high-end Alphas, slightly dusty Crays, think big.
The current record factorings were done with the GNFS (General Number Field Sieve).
GNFS consists of a sieving phase that searches a fixed set of prime numbers for candidates that have a particular algebraic relationship, modulo the number to be factored. This is followed by a matrix solving phase that creates a large matrix from the candidate values, then solves it to determine the factors.
The sieving phase may be done in distributed fashion, on a large number of processors simultaneously. The matrix solving phase requires massive amounts of storage and is typically performed on a large supercomputer.
The Communications of the ACM article is available online at <http://www.csl.sri.com/users/neumann/insiderisks.html#140> (Inside Risks 140, CACM 45, 2, February 2002).
criminal for that.
Yes you can copy audio legally for your own personal use, part VIII of the Copyright Act.
But the greedy media moguls will still call you a criminal though.
There is an article in the September 2001 issue of Secure Computing Magazine. (a "trade rag" - so it never says anything bad about a potential advertiser)
Pay Your Dues by Jay Heiser in Information Security Magazine is also worth reading.
A small reader survey, May 2001 - Talkback.
Security Focus offers several mailing lists that you may wish to subscribe to, or at least read the archives about. In particular Security Certification, CISSP Study, and security-basics. One recent message is certainly worth reading. Similar questions have been also asked in cryptography and firewall wizards - Nov 2001 mailing lists, and I believe has come up several times before.
A review of one IS manager's experience from Computerworld security column.
A so-so review of different security certificates from CertCities.
The main points I would make are choose a certificate that has the right focus for your career. CISSP is the best known cert, but it is aimed at IT/IS Security Managers and Consultants not at senior technologists / engineers / "in the trenches" types. The best features of this are requiring 3 years of computer / network / audit security experience and having a broad overview of computing security (the 10 common bodies of knowledge, CBK). This makes it out of reach for many people new to info sec, and that's okay, they likely should focus on another certification anyhow. Next is the SANS/GIAC certificates which are more focused and hands on. The best feature is that they require a "practical" part to the certification, which is doubly good because it is not just exam cramming and lets the student practice her communication skills, which is important in the security field since you should be able to work in a team and with others (non-technical others) in an organization outside your team for the common benefit of the business.
Certifications tend to be expensive to get, and don't forget most of them have requirements for maintenance such as x number of continuing education credits, re-examinations, or conference attendance. This is a mixed bag, it is good that it justifies staying up to date, but it can also be very expensive for a member working as a new contractor or for a small company that isn't pre-IPO throwing money around.
I have tried to look for books which give an introduction and overview of the law and legal system to adults, but all I can find are Civics textbooks for high school students and practical howto books like those published by Nolo.
Any recommendations?
If you don't know it yourself, make it too complex for anyone else to understand.
This really means, "don't re-invent the wheel". If your project goal is to get a working software package, it is quicker, easier, and hopefully has fewer bugs to work with an existing project and try to achieve synergy than starting another similarly oriented project from scratch.
See: Never do this
If you just want to write your own text editor that is fine too, but the benefit isn't necessarily as great as what is possible through collaboration.
The Mythical Man-Month by Fred Brooks. A classic, and is not tedious to read. 2nd edition 1995 ISBN 0201835959
Peopleware: Productive Projects and Teams by Tom DeMarco and Tim Lister. 2nd edition 1999 ISBN 0932633439
These are both readable and relevant to developers and managers. I think anyone involved in software development should read these books.
Check out Steve McConnell's Construx recommended reading list: http://www.construx.com/ladder/index.htm
It is expected that the smallest challenge will be solved within 1 year or so. To break the high-end of the range in the next 2-3 years would require an advance in the state-of-the-art in knowledge about factoring.
I wouldn't expect a breakthrough because the problem is fairly old, and well understood, but a definite improvement is possible.
See the RSA Crypto FAQ.
That is incorrect.
There are numerous algorithms that are more efficient than dumb brute force. That doesn't mean that they will find the answer quickly, but vastly quicker than naive brute force attempts.
See the RSA FAQ, What are the best factoring methods in use today?
See the RSA Security FAQ, How Much Does It Cost?
Some pointers:
In case you haven't noticed...It isn't easy, and cannot be fully solved using a distributed.net technique.
to factor a 760-bit number in one year would require 215,000 Pentium-class machines, each with 4 Gigabytes of physical RAM.
to factor a 1620-bit number in one year would require 1.6 x 10^15 Pentium-class machines, each with 120 Terabytes of physical RAM.
Good luck.