Slashdot Mirror


User: Lord+Grey

Lord+Grey's activity in the archive.

Stories: 0
Comments: 352

Comments · 352

  1. A Survey at DEFCON about HACKING??? on Hackers, Public Differ Greatly On E-voting · · Score: 5, Insightful
    The Ponemon Institute surveyed 2,933 members of the general public and then 100 DEFCON and Black Hat attendees to get their views on electronic voting.
    DEFCON is hardly the right place to be conducting a survey about the "hackability" of an electronic voting system. 50% of this year's attendees could probably figure out how to hack the vote before their third Mountain Dew.
  2. Of course not on Congress Pushing Open Access for Government-Funded Research · · Score: 2, Insightful
    So if the government makes a rocket using public money, they should give free access to all citizens?
    Of course not. Let me fill in the between-the-lines bit:

    The government uses public money to fund scientific research and paper on some topic. The results are then made immediately available -- but only to those able to pay out the nose for a subscription to a periodical. The key point is "immediately available." That means that the research was not on a classified topic. In that case, the public should have free access to the results. They've already paid for the privilege.

    The results of government funding on classified topics should remain classified, within reason.

  3. Get over it on Congress Pushing Open Access for Government-Funded Research · · Score: 4, Insightful
    From the article:
    Representatives of scientific societies and publishers, some of whom attended [a meeting held by the National Institutes of Health's director], told UPI they were concerned articles would be placed on PubMed before they were properly peer-reviewed. Even if the final versions were posted, there would be the possibility of confusion, they said.

    More urgent, however, the societies are worried that free publication would kill their financial base.

    If the U.S. government sponsors a paper that is funded with public money, the public should have access to the paper. That seems to be a no-brainer. Congress' move to make this happen is the Right Thing.

    As far as "killing the financial base" of the scientific publication market goes: Yes, it might just do that. I don't believe that anyone guaranteed that publication market any kind of revenue stream, let alone a good one. They've had it made recently, being able to raise prices to astronomical levels. Now those prices might have to fall. It's called business, people. Get over it.

  4. Spam filter info on DoubleClick Hit by DDoS Attack · · Score: 1
    Out of curiosity, what blacklists do you use?
    Five different lists (below). I've also attached real-world stats from my spam filter ("Falcon") for yesterday, to show the relative blocking.
    • bl.spamcop.net - 172 messages blocked
    • relays.ordb.org - 2 messages blocked
    • dnsbl.njabl.org - 7 messages blocked
    • cbl.abuseat.org - 30 messages blocked
    • dnsbl.sorbs.net - 31 messages blocked
    • Falcon - 5 messages blocked due to virus attachment
    • Falcon - 187 messages blocked due to blacklisted email source
    • Falcon - 15 messages blocked due to blacklisted web site
    • Total messages blocked: 449
    The DNSBLs are listed in order of checking (which makes the reject rate interesting). Falcon checks all systems in the email chain against all of the DNSBLs, not just the connecting system. Very useful for detecting known spammers sending through mail lists or previously-unknown relays.
    # ls .Spam/cur .Spam/new | wc -l
    216

    SpamAssassin/ClamAV over maybe 2-3-4 days. And that's just stuff it picked up -- false negatives and such still get through.

    I didn't quite cite my stats correctly before: Only one piece of spam (a false negative) every five days actually makes it through my filters. False positives are on the order of one every other week and are usually due to dial-up users sending mail through a DNSBL-tagged MTA.
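    The chain check described in the comment above (every system in the Received: path tested against every list, not just the connecting MTA), as an added illustration; this is not Falcon's code, which is not on the page. The zone names, the listings and the sample message are constructed, and DNS is replaced by an in-memory lookup table so the program runs offline.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

// Constructed stand-in for live DNSBL queries: the key is the reversed-octet
// query name, the value the A record a zone returns for a listed address.
// Zone names and listings are hypothetical, not any real blocklist.
static const std::map<std::string, std::string> kFakeDnsbl = {
    {"44.2.0.192.bl.example.invalid", "127.0.0.2"},
    {"1.0.0.10.cbl.example.invalid",  "127.0.0.2"},
};

// A real filter would issue an A-record query here; the lookup is simulated.
bool dnsbl_listed(const std::string& qname) { return kFakeDnsbl.count(qname) > 0; }

// "192.0.2.44" -> "44.2.0.192", the label order DNSBL zones expect.
std::string reverse_octets(const std::string& ip) {
    std::vector<std::string> parts;
    std::string part;
    std::istringstream in(ip);
    while (std::getline(in, part, '.')) parts.push_back(part);
    std::string out;
    for (auto it = parts.rbegin(); it != parts.rend(); ++it) {
        if (!out.empty()) out += '.';
        out += *it;
    }
    return out;
}

// Pull the bracketed IPv4 address out of every Received: header, most recent hop first.
// Folded continuation lines (leading whitespace) are joined onto their header first.
std::vector<std::string> relay_ips(const std::string& message) {
    std::vector<std::string> headers;
    std::istringstream in(message);
    std::string line;
    while (std::getline(in, line) && !line.empty()) {   // header block ends at the blank line
        if (!headers.empty() && (line[0] == ' ' || line[0] == '\t')) headers.back() += line;
        else headers.push_back(line);
    }
    static const std::regex kReceived(R"(^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\])");
    std::vector<std::string> ips;
    for (const auto& h : headers) {
        std::smatch m;
        if (std::regex_search(h, m, kReceived)) ips.push_back(m[1].str());
    }
    return ips;
}

// Test hops against every zone. With all_hops=false only the connecting system
// (first Received: header) is checked, the behaviour the comment contrasts with.
// Returns "<ip> <zone>" for the first listing found, or "" when nothing is listed.
std::string first_listed_hop(const std::string& message,
                             const std::vector<std::string>& zones, bool all_hops) {
    std::vector<std::string> ips = relay_ips(message);
    if (!all_hops && ips.size() > 1) ips.resize(1);
    for (const auto& ip : ips) {
        const std::string rev = reverse_octets(ip);
        for (const auto& zone : zones)
            if (dnsbl_listed(rev + "." + zone)) return ip + " " + zone;
    }
    return "";
}

// Constructed message: the connecting MTA and the list server are clean, but the
// originating host two hops back is listed. Addresses come from the RFC 5737 test ranges.
static const char* kSampleMessage =
    "Received: from mx.list.example (mx.list.example [203.0.113.10])\n"
    "\tby mail.local.example with ESMTP; Mon, 1 Mar 2004 10:00:00 -0500\n"
    "Received: from relay.example (relay.example [198.51.100.7])\n"
    "\tby mx.list.example with SMTP; Mon, 1 Mar 2004 09:59:00 -0500\n"
    "Received: from unknown (HELO spammer) [192.0.2.44]\n"
    "\tby relay.example with SMTP; Mon, 1 Mar 2004 09:58:00 -0500\n"
    "From: someone@example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n";

static const std::vector<std::string> kZones = {"bl.example.invalid", "cbl.example.invalid"};

int main() {
    std::cout << "connecting system only: '" << first_listed_hop(kSampleMessage, kZones, false) << "'\n";
    std::cout << "whole chain:            '" << first_listed_hop(kSampleMessage, kZones, true) << "'\n";
    return 0;
}
```

    Checking only the connecting system finds nothing, because the mail arrived via a clean list server; walking the whole chain catches the originating host. The usual caveat applies to a real deployment: Received: headers below the hop your own MTA wrote can be forged, so a listing deep in the chain is a scoring signal rather than proof of where the message came from.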
  5. Re:I've wondered about a grass roots anti-spam bom on DoubleClick Hit by DDoS Attack · · Score: 2, Interesting
    My tests of 300,000+ spam messages counted less than 5000 unique domains in there as the target sites once you decoded and stripped the subdomains, machines, and zones out.
    I think the actual number of physical systems is even lower than that.

    I wrote my own spam filter. One of the things it does is decode the message body, isolate those web addresses, then perform a simple blacklist/whitelist check on both the web server name and IP address. It turned out that, on average, every IP address was the home of three or four names.

    That may not be a representative sample, though. Most of my spam is rejected by one of the DNSBLs; only mail that makes it over that hurdle actually gets the message body checked. That comes out to (usually) less than 10 web-server-based rejections per day.

    But hey, I'm not going to complain. I average about one piece of spam every five days or so.

  6. Sad news on DoubleClick Hit by DDoS Attack · · Score: 5, Funny
    ... subject to a DoS attack crippling the company's DNS servers ...
    It is truly sad when Internet blackhats target a large, upstanding company like ....

    Oh, wait. It was DoubleClick?

    Can I donate some computer time?

  7. Re:Why not use the existing systems for this? on Slate On Worms That Plug Security Holes · · Score: 1
    On Windows.. Settings>>Automatic Updates, click on the "Automatically download the updates, and install them on the schedule that I specify".

    On RedHat strains of Linux, check out the Red Hat Network. Turn on auto updating.

    I know about automatic updates; they've been around for a while. But they're initiated by the user's computer. That mechanism can be disabled or altered by the malignant worm to prevent it from functioning properly. My suggestion is for a network-based service to send the White Hat Worm (WHW) to the user's computer, using the same mechanism that allowed for the first infection.

    It's a proactive automatic update, basically, without a fixed distribution channel. The only way a malignant worm could block it would be to close the hole it used to gain entry in the first place. Of course, it works only for network-based security holes; trojans that invade via social engineering (for example) need to be patched using existing methods.

  8. Subscription system on Slate On Worms That Plug Security Holes · · Score: 3, Insightful
    There are pros and cons to having 'good worms' patch systems. For most Slashdot readers, it's probably not a good thing. We tend to pay attention to patches, what our systems are doing (so as to detect strange activity), etc. But as others have pointed out, such a worm might not be a bad thing for the non-tech computer users.

    What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.

  9. Change the damn law on Patriot Act Used to Enforce Copyright Law? · · Score: 3, Insightful
    ... the FBI invoked a provision of the USA Patriot Act to obtain financial records from his ISP.
    The reality is that law enforcement in the United States is going to use every tool at their disposal to try to catch the bad guys, provided the tool doesn't cost too much. Laws can be invoked for (basically) free, so they get used, abused and stretched a lot.

    This Patriot Act thing really needs to be refined. While parts of it may be good, it's worded so that it can be invoked in far too many cases. This escapade with The Stargate SG-1 Information Archive is just the latest example.

    Will the law be redefined? The Powers That Be won't do it on their own, as the Patriot Act is (according to their collective mentality) too good a tool to throw away or change. The public needs to call for the change, loudly.

  10. 16 years of radio lotto on SETI Predicts We'll Find ETs by 2020 · · Score: 5, Insightful
    Within a generation, radio emissions from enough stars will be observed and analysed to find the first alien civilisation, Shostak estimates. But because they will probably be between 200 and 1000 light years away, sending a radio message back will take centuries.
    OK, I'm curious. How is this 200-1000 light year estimate derived?
    "But predicting the date, the decade or even the century of contact is another matter because the 'other end' of the communications link is completely out of our hands. ..."
    Our planet emits enough radio energy to look like a small sun, but it hasn't done so for very long. Some scientists believe that it won't continue at the present level, either, because future requirements will demand higher-capacity transmissions -- radio transmission will fall off in favor of something that's more tightly-focused, in other words.

    Making the large assumption that an alien race will go through a similar radio transmission curve, and considering the fact that we don't know how far away said alien civilization is, the chances of us finding them between now and 2020 seem very remote.

  11. Case in point on Consumer Database Company Hacked Again · · Score: 5, Insightful
    Approximately 8.2 GB of data was stolen from Acxiom Corp...
    This is yet another example of why it would be a terrible idea to institute a national ID card. The people backing the card, when faced with the concept of someone stealing the contents of the database that would support the card, invariably insist that "it couldn't happen -- we'll secure it real well."

    Beyond the fact that a national ID card wouldn't provide any additional security, putting that much private information in one place is just asking for trouble. As this latest debacle shows, and as Schneier points out in the article I referenced.

    From the CNN article:

    "We will aggressively pursue those who steal private information from computer networks and make it clear that there are serious consequences for such crimes," [Assistant Attorney General Christopher Wray] said.
    Oh, good. That will surely stop it from happening.
  12. It's just too difficult! on Advice for Developers: Make Common Usage Easy · · Score: 5, Insightful
    From the bottom of the article's page:
    Want to take action about what you have just read?
    Then write a letter to your Members of Congress or your local newspapers, who you can find by entering your ZIP code in the boxes below. Also make sure to tell your newspaper editors that they should carry your favorite conservative columnists!
    NOTE: Columns will not be automatically attached to the emails you send through this tool.
    Sheesh. All I wanted to do was to forward this to my congressman! Now I have to enter my zip code, wait for the next page to load, figure out who my congresscritter really is, rub my eyes after looking at god-awful red-on-green text, accidentally click the picture -- which shows a bio and is not what I wanted to do at all -- ....

    <WHINE> All I want to do is forward an email! </WHINE>

  13. Decisions, decisions on Gates Predicts DVD Obsolete In 10 Years · · Score: 1
    ...not all of Gates' predictions pan out...

    "640k ..." (shakes Magic 8 Ball) "... should be enough for anybody."

  14. Test Drive a Macintosh on A Six-Step Plan for Apple · · Score: 4, Insightful
    5) Sell that soap II
    Why not offer all Mac buyers a try-and-buy program much like what some Apple resellers are offering to purchasers of high-end Xserve units? The geeks who fork over $3,000 or so for the Xserve can have a couple of weeks to test-drive these babies, depending on the vendor. If they aren't satisfied, they can return them and get a full refund. That's unheard of in the computer business.

    I believe such a tactic with iMacs and iBooks would play well, too. Show Joe Schmo's ma, who wants to use the PC only to see pictures of her grandson, how much you care about her. Show her how much confidence you have in your products. And aren't they way better looking than a Dell? Everyone already knows what a Mac is, as evidenced by Apple's consistently sky-high brand-recognition ratings. Take it to the next level.

    Way back in the mid-80's Apple sponsored "Test Drive a Macintosh" -- a way to get people to play around with the revolutionary computer. Potential customers took home the computer in a tote bag and got to see everything they would get if they bought it (manuals, OS on floppies, MacPaint, MacWrite). They got to keep the computer for 24 or 48 hours (I forget which). In the little Apple dealership I worked in at the time, it was a huge success. We saw something like an 80% sell-through rate, just from that program.

    So, my gut reflex was that this program would be a good idea. But then again, 2004 isn't the mid-80's. Back then, the program was a great idea because virtually no one knew about Macintosh. Now, you would be hard-pressed to find someone that doesn't know a Macintosh owner. These potential converts already have a "test drive" program: They just go over to their friend's house. And Macintosh owners have no shortage of enthusiasm for showing off their computer....

  15. Coaching? on The Man Who Knew Too Much · · Score: 1

    I've always wondered whether Jeopardy contestants are coached in any way. Do they receive a list of the topics before the show begins, for example? Does anyone know exactly what goes on behind the scenes?

  16. Four words: Gran Turismo -- not quite on Realistic Driving Simulator Games? · · Score: 4, Insightful
    I have a 14-year-old son, and I have Gran Turismo with a force-feedback steering wheel/pedal setup. While GT does not provide a true driving model, I think it's the best simulator out there (particularly if you use a steering wheel instead of a PlayStation controller). I also once believed that my son would learn something valuable from GT. That belief turned out to be only partly true.

    Through the game, my son has picked up the basics of driving. He's learned a few things about traction, speed and cornering. But I've noticed that there are some things that he simply can't "get" no matter how much he practices and I coach.

    I think one of the biggest reasons for this is, as another poster noted elsewhere, GT may be the best driving simulator, but it's really not all that great when compared with the real thing. GT doesn't supply a big enough field of view, it doesn't supply G-forces or enough kinesthetic feedback, and it certainly doesn't make you scared of hitting things.

    The limitations of the gaming platform mean that, at best, Gran Turismo will remind an experienced driver of certain events/actions -- it doesn't provide enough feedback to provide that experience. For instance, if you're driving (in GT) a normal car with a loose suspension and brake hard, you'll see the car nosedive. You won't feel it nosedive, you won't feel the G-force pushing you toward the steering wheel, and you won't feel the sudden lack of those forces if your tires break traction. An experienced driver will see the dip in GT and know what it means, and react to it. To my son, it's just a visual effect.

    So, I plan to load my kid into my hopped-up '94 Integra and take him to a parking lot. That will probably provide a lot more real-world experience than Gran Turismo ever will.

  17. A time when anything was possible on Happy Birthday, UNIVAC I · · Score: 5, Interesting
    UNIVAC's possibilities fired the imagination. Science fiction writers populated magazines and books with powerful computers, based on what they knew of UNIVAC. Pretty cool stuff, if you don't think it's quaint.

    BTW, one of the best short stories along those lines was Isaac Asimov's The Last Question (published in Nine Tomorrows among other places). The focus isn't really the computer, but it shows how people were thinking about these new-fangled gadgets at the time.

  18. Minor technical hiccup, indeed on Flaw in Florida E-Voting Machines · · Score: 5, Insightful
    The machines, made by Election Systems & Software of Omaha, Neb., fail to provide a consistent electronic "event log" of voting activity when asked to reproduce what happened during the election, state officials said.
    Emphasis mine.

    Considering that an electronic voting system is specifically designed to record and report voting activity, I'd say that a failure to do so consistently is more than a "minor technical hiccup" (as indicated by a spokeswoman for the secretary of state). An intermittent failure of a primary function is worse than an outright failure, as any programmer can tell you. Consider an intermittent failure of the brake system in your car....

    In a strange way, I almost welcome all this attention focused on electronic voting systems. After all, the companies building them are pretty much doing what most other software companies do: Throw it all together as quickly as possible and let marketing and sales push it out the door. These are simply "average" software products coming under greater scrutiny. Maybe by pushing better quality here, we can force improved quality in other products (great leap of the imagination, I know).

  19. Re:Launch services! on Preview of Moon-To-Mars Report · · Score: 1
    I thought there already was competition between Titan, Delta, Ariane, Pegasus (for smaller payloads) and the Russian launchers. Am I missing something?

    No, I'm just not being clear.

    If NASA gets out of the launch services business then the implication is that it will sell off a large part of its launch service infrastructure. This infrastructure, now owned by the private sector, will undoubtedly be used for more than what NASA is doing with it, for profit reasons if nothing else. A for-profit company, one not encumbered by Congressional budgeting, would likely find far more things to do with all that neat space stuff. At any rate, "dumping" that infrastructure into the private sector increases the competition immensely, considering how small that group is.

    Also, "launch services" is a slightly nebulous term. It could mean "get the payload into space" or "help us launch our own rocket/shuttle into space." I think it probably means the former, in this case. If so, then some company may wind up with a couple of space shuttles to play around with. That could be an interesting development, at least until the shuttle's replacement comes along.

    On a related note: At one time NASA (somehow) explicitly prohibited any private company from returning a payload to Earth. Does anyone know if that restriction is still in place? I did the Google thing but couldn't find a definitive answer.

  20. Launch services! on Preview of Moon-To-Mars Report · · Score: 5, Insightful
    In the more immediate future, the commission wants NASA to turn over nearly all launch activity to private firms.
    This is a great step in the right direction, and it should have been done long ago. Allowing private businesses to supply launch services will dramatically increase our use of space. The current demand for getting things into orbit far outstrips NASA's ability to send them there. The competition among the private companies supplying those services will drive the costs down and force innovation at breakneck speed, compared to what we have now.

    As an added bonus, people who complain about their tax dollars being "wasted on space" will have much less to bitch about.

  21. Re:Zero the data on Passwords Can Sit on Hard Disks for Years · · Score: 2, Interesting
    Why not just use the mlock() syscall to turn paging off for a memory region? Wouldn't that be easier?

    The memory block, with your data, can still be claimed by another application after the page is unlocked. From there it can be written to swap, and we're back to the original problem.

    But like someone later in the threads pointed out, if someone has access to your swap file then you probably have bigger problems....

  22. Re:Zero the data on Passwords Can Sit on Hard Disks for Years · · Score: 5, Informative
    Can you really be sure that the data is wiped? What if the memory is swapped to a page file or swap partition, later swapped back into memory and then you only erase what's in the RAM?

    You can either lock the RAM page so it doesn't swap, or force the page to write back out to swap after zeroing. The former is far easier (unless you want to do a lot of painful coding) and, if I remember correctly, was what was done with the project I talked about. I don't think the page locking/unlocking made it into the downloadable library, though.

  23. Zero the data on Passwords Can Sit on Hard Disks for Years · · Score: 5, Informative
    One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished with - something he [Tal Garfinkel] says could be done with just a few extra lines of code in application programs.
    My company worked on a project a few years ago that required this very thing. It wasn't just passwords, though: The customer demanded that all data passing through the applications be wiped as soon as possible.

    The project was written in C++. We started out using a custom string class that performed its own memory management (with zeroing the buffer on deallocation), but then promptly ran into problems with the STL. We wound up writing a memory allocator that also cleans up after itself. Those two solutions took care of the vast majority of the data leakage "problem" -- the only thing left was reinitializing stack variables within functions.

    Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM, and arrange for programs that use it to decrypt it first.
    The same customer actually requested this first. The problems associated with it were terrible, especially in a multithreaded application. Plus, performance basically sucked. Wiping the data afterwards seemed to have the same end result, the performance was still good, and the customer was happy.

    BTW, the memory allocator and string class both made their way into the company's downloadable core library (MIT license).
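    The three "Zero the data" comments above describe a zeroing allocator, a wiping string class, the leftover stack-variable problem, and the mlock() trade-off. The following is an added example of those pieces in modern C++; it is not the poster's company library (which the page does not reproduce) and makes two assumptions: that the platform is POSIX for mlock()/munlock(), and that a volatile byte loop is an acceptable portable substitute for explicit_bzero(). The byte counter exists only so the wiping is observable; the secret values are constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <new>
#include <string>
#include <vector>
#if defined(__unix__) || defined(__APPLE__)
#include <sys/mman.h>
#endif

// Overwrite a buffer with zeros through a volatile pointer so the compiler cannot
// drop the stores as "dead" just because the memory is about to be released.
inline void secure_wipe(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

// Running count of bytes the allocator has wiped; exists only to make the effect observable.
inline std::size_t& wiped_bytes() { static std::size_t total = 0; return total; }

// Allocator that zeroes every block before handing it back to the heap. Plugging it
// into std::basic_string / std::vector covers the STL containers the comment mentions.
template <typename T>
struct ZeroingAllocator {
    using value_type = T;
    ZeroingAllocator() noexcept = default;
    template <typename U> ZeroingAllocator(const ZeroingAllocator<U>&) noexcept {}
    T* allocate(std::size_t n) {
        if (n > static_cast<std::size_t>(-1) / sizeof(T)) throw std::bad_alloc();
        return static_cast<T*>(::operator new(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t n) noexcept {
        secure_wipe(p, n * sizeof(T));
        wiped_bytes() += n * sizeof(T);
        ::operator delete(p);
    }
};
template <typename T, typename U>
bool operator==(const ZeroingAllocator<T>&, const ZeroingAllocator<U>&) noexcept { return true; }
template <typename T, typename U>
bool operator!=(const ZeroingAllocator<T>&, const ZeroingAllocator<U>&) noexcept { return false; }

using SecureString = std::basic_string<char, std::char_traits<char>, ZeroingAllocator<char>>;
template <typename T> using SecureVector = std::vector<T, ZeroingAllocator<T>>;

// RAII guard for the stack-variable case: wipes a fixed buffer when the scope ends,
// including on early return or exception.
struct WipeOnExit {
    void* p; std::size_t n;
    WipeOnExit(void* ptr, std::size_t len) : p(ptr), n(len) {}
    ~WipeOnExit() { secure_wipe(p, n); }
};

// Best-effort pinning of a region in RAM while it is in use. Returns false where
// unsupported or when the RLIMIT_MEMLOCK quota refuses it. The caller must still wipe:
// once the page is unlocked and released it can be reused and swapped like any other.
bool pin_in_ram(void* p, std::size_t n) {
#if defined(__unix__) || defined(__APPLE__)
    return mlock(p, n) == 0;
#else
    (void)p; (void)n; return false;
#endif
}
void unpin(void* p, std::size_t n) {
#if defined(__unix__) || defined(__APPLE__)
    munlock(p, n);
#else
    (void)p; (void)n;
#endif
}

// Heap case: a password long enough to sit outside the small-string buffer is built,
// grown (which may reallocate, wiping the old block) and dropped; every block is wiped.
std::size_t bytes_wiped_for_secret() {
    const std::size_t before = wiped_bytes();
    {
        SecureString pw("correct horse battery staple, constructed sample secret");  // 55 chars
        pw += "!";
    }
    return wiped_bytes() - before;   // at least 56 bytes, more if growth reallocated
}

// Pinned case: a fixed 32-byte constructed key is locked while in use, unlocked, then wiped.
std::size_t pinned_key_roundtrip() {
    const std::size_t before = wiped_bytes();
    {
        SecureVector<unsigned char> key(32, 0x41);
        const bool pinned = pin_in_ram(key.data(), key.size());
        if (pinned) unpin(key.data(), key.size());
    }
    return wiped_bytes() - before;   // exactly 32
}

// Stack case: the buffer reads back as all zeros once the guard's destructor has run.
bool stack_buffer_wiped_after_scope() {
    char buf[32];
    {
        WipeOnExit guard(buf, sizeof buf);
        std::strcpy(buf, "hunter2 (constructed)");
    }
    for (char c : buf) if (c != 0) return false;
    return true;
}

int main() {
    std::cout << "heap bytes wiped: " << bytes_wiped_for_secret() << "\n"
              << "key bytes wiped:  " << pinned_key_roundtrip() << "\n"
              << "stack wiped:      " << std::boolalpha << stack_buffer_wiped_after_scope() << "\n";
    return 0;
}
```

    The allocator handles the "lives in a container" case the comment found hardest with a plain string class, while the guard covers stack locals. Two limits worth knowing: copies the compiler or library makes outside the allocator (temporaries, a std::string built from a SecureString) are not wiped, and an unlocked page that was swapped while holding the secret keeps that copy on disk, which is exactly the point the reply about mlock() makes.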

  24. Re:Greg Bear's Darwin series on New Class of Genes Discovered · · Score: 1
    Coincidentally, I just finished reading Greg Bear's [wikipedia.org] Darwin's Radio and Darwin's Children novels. They use the premise that "junk DNA" is not junk at all, but is used to drive evolution.
    Just in case someone wants another opinion on this: I've read Darwin's Radio but haven't picked up Darwin's Children yet. I highly recommend the first book. As the parent post says, the major premise is that the so-called "junk DNA" is really a latent genetic disease that causes sudden, drastic changes in the species, which in turn cause the next major step in evolution. The first book is very well written and I'm looking forward to reading the second book.
  25. Billion-dollar market segment on A Former Microsoftie Forecasts Microsoft Doom · · Score: 2, Funny
    To remain attractive to investors, Microsoft must demonstrate that it can replace and augment lost revenue by diversifying into new businesses, but only billion-dollar product segments matter to such a big company. Even the Xbox game platform and MSN can't bring in that kind of money.
    Xbox actually fits the product segment nicely, if you put a big minus sign in front of that billion dollar figure.