It is a net gain. Look at it this way. The US takes some of the top students from some very large countries, e.g. India and China. They get educated here and most want to stay. If we keep them here, we are taking the cream of the crop from other countries and they add to our GDP. Over their lifetimes they add more to our GDP than we have provided in educating them. Why? Because they are smart and driven to work hard.
This is from personal observation of this field over the last twenty years. The stupidest thing we can do is pay for their education and then not allow them to stay. The second most stupid thing we can do is make it harder for them to come here. We are currently doing both of those stupid things more than we used to.
When I was a high school math teacher in the mid 1970s one classroom had one of those monster slide rules above the chalk board. On the first day of class students would ask: "What is that?" to which I'd reply: "It is a manual calculator. Do you want to race?"
:-)
I'd write a messy looking problem on the board that was ideally suited for a slide rule: multiplication and division with four significant digits and no addition. Anyone who has used a slide rule knows that such a problem is not fair competition -- heavily loaded in my favor.
I'd have an answer before the students would be halfway through entering their numbers, and the majority of them would make an input error.
The rule of thumb for heating with wood is that it takes 10 acres of forest to yield 1 cord of wood per year forever. Obviously, these are crude estimates, but I've found them to be reasonably accurate for an otherwise unmanaged northern mixed hardwood forest.
No, the real problem is that two-way, not two-factor, authentication is needed. Right now the bank authenticates you and two-factor authentication improves on that. What is missing is your ability to authenticate the bank, i.e. the authentication works both ways. There are clues, e.g. URL or images, but not real authentication.
To put Wall Street bonuses in perspective:
"Just these bonuses -- for one year -- overwhelmingly exceed all the pay increases received by [other] workers over the entire six-year period," said Mr. Sum.
That comes from Bob Herbert of the NY Times (Jan 8, 2007) who provided these numbers: "There are 93 million production and nonsupervisory workers (exclusive of farmworkers) in the U.S. Their combined real annual earnings from 2000 to 2006 rose by $15.4 billion, which is less than half of the combined bonuses awarded by the five Wall Street firms for just one year."
You cannot reconstruct the quantum state of an individual photon so a repeater isn't possible. In fact, that is the point.
Someone mod this guy up.
It's called a man-in-the-middle attack, and it works nicely in this situation.
If a paper ballot has an ambiguity and won't be counted, it should be flagged as such as soon as it's inserted into the machine so that the voter can have some sort of opportunity to ensure that their vote is counted.
Optically scanned ballots can do that checking (removing that "terrible argument"). However, old pencil-and-paper cannot be anonymously scanned without impacting the privacy of the vote.
We recently celebrated the 50th anniversary of construction of the university's first computer http://www.computing.msu.edu/50years/mistic.html. A panel of the original builders and users was convened to discuss the history. One tidbit which was interesting and relevant to this thread was that they tied a speaker to the sign bit so they could monitor the health of the computer while it was running. Given that output was on paper tape the aural monitoring was useful. I found their choice of the sign bit to be interesting.
so the chances of the man in the middle intercepting a code he can re-use are extremely slim.
That is a correct statement, but misses the point. It would be nice for a man-in-the-middle to get a reusable value, but it isn't necessary for a successful attack. The man-in-the-middle can clean out your account during the session you have successfully set up. I saw a demo of this with a person setting up a man-in-the-middle attack on his own brokerage account using a device which generated one-time passwords for the account. He bought a share of one stock, but the man-in-the-middle did a completely different transaction (bought a share of a competitor's stock).
Where are my mod points when I need them -- ran out last night! Please someone mod this person's thread up -- he actually knows what's going on. Man-in-the-middle can defeat the perfection of a one-time pad. The missing element is the ability of the user to know (REALLY know) that he or she is talking to the bank.
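Added example (mine, not from any post in this thread) for the two replies above: the man-in-the-middle forwards the live one-time code untouched and then rewrites the order inside the session the user just set up, and a code bound to the order contents (a MAC over the fields the user confirms on the token) is one fix for that part of the problem. The token seed, the bank API, the order fields and the HOTP look-ahead window are all constructed for the demo; nothing here describes a real brokerage.

```python
"""Added example, not code from the thread: a one-time login code does not protect
the transaction, but a code bound to the transaction contents does.  The token
seed, the bank API and the order format are constructed for this demo."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

TOKEN_SEED = b"constructed demo seed shared by token and bank"   # constructed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def order_tag(secret: bytes, order: Dict) -> str:
    """Transaction-bound code: a MAC over the fields the user confirms on the token."""
    canonical = f"{order['side']}|{order['symbol']}|{order['qty']}".encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Toy brokerage: login consumes a one-time code, trades need a live session."""

    def __init__(self, secret: bytes, require_tag: bool) -> None:
        self.secret = secret
        self.require_tag = require_tag
        self.next_counter = 0
        self.sessions: set = set()
        self.ledger: List[Dict] = []
        self.rejected = 0

    def login(self, code: str) -> Optional[str]:
        # Accept the next unused counter (small look-ahead); a used code never works again.
        for c in range(self.next_counter, self.next_counter + 3):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                session = secrets.token_hex(8)
                self.sessions.add(session)
                return session
        return None

    def trade(self, session: Optional[str], order: Dict, tag: Optional[str] = None) -> bool:
        if session not in self.sessions:
            return False
        if self.require_tag:
            if tag is None or not hmac.compare_digest(order_tag(self.secret, order), tag):
                self.rejected += 1
                return False
        self.ledger.append(order)
        return True


class MitM:
    """Proxy between user and bank: forwards the login as-is, rewrites the trade."""

    def __init__(self, bank: Bank) -> None:
        self.bank = bank

    def login(self, code: str) -> Optional[str]:
        return self.bank.login(code)        # no replay needed; the live code is passed straight on

    def trade(self, session, order: Dict, tag: Optional[str] = None) -> bool:
        altered = dict(order, symbol="COMPETITOR")     # the user wanted ACME
        return self.bank.trade(session, altered, tag)  # the user's tag, if any, is forwarded unchanged


def run(require_tag: bool, through_mitm: bool = True) -> Tuple[List[Dict], int]:
    """User logs in with the next HOTP code and orders one share of ACME.
    Returns (what the bank booked, how many orders it rejected)."""
    bank = Bank(TOKEN_SEED, require_tag)
    endpoint = MitM(bank) if through_mitm else bank
    session = endpoint.login(hotp(TOKEN_SEED, 0))      # token and bank both start at counter 0
    order = {"side": "BUY", "symbol": "ACME", "qty": 1}
    tag = order_tag(TOKEN_SEED, order) if require_tag else None
    endpoint.trade(session, order, tag)
    return bank.ledger, bank.rejected


if __name__ == "__main__":
    print("one-time code only, via MitM:   ", run(require_tag=False))
    print("transaction-bound tag, via MitM:", run(require_tag=True))
    print("transaction-bound tag, direct:  ", run(require_tag=True, through_mitm=False))
```

Run as-is it books a COMPETITOR order in the first case, rejects the altered order in the second, and books ACME when the proxy is out of the path. Binding the code to the order only closes the transaction-tampering hole; it does nothing for the other half of the problem raised above, the user's inability to tell that the far end is the bank at all.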
You didn't RTFA, did you? The machines contain a roll of paper similar to what is used in a cash register. These are used to verify vote totals and then signed by the county elections commissioner prior to the Secretary of State certifying the state vote. Other, fully electronic, systems record the vote tallies on a smart card. It is this unverifiable system that computer security experts like Avi Rubin have been so concerned about.
Note the problem with this system. If EVERY voter checks each vote recorded on paper, then a verifiable record exists, but it is inconvenient to verify each vote so I expect that few people do. A maliciously modified machine could slip in plenty of unnoticed "mistakes." Also, since the voting machine is sealed, there is no reason to believe that the total reported has any relationship to the total on the paper. Consider, for example, how many paper records were checked in this election? A significantly incorrect vote total could easily slip by. Random checks have been proposed, but not implemented. However, that only works if EVERY voter personally verifies EVERY vote they make -- and that is not a reasonable assumption.
Many CS programs have a "capstone" course -- a popular concept in Engineering colleges. Many capstone courses involve projects sponsored by industry which go through a development cycle (as much as can be done in a semester). For example, at my school (a midwestern USA "Big Ten" state (public) school) local and national companies (names you'd recognize such as automobile and airplane manufacturers) provide projects for teams to complete. A contact person from the company is the customer who provides the specifications and evaluates the product at the end. Teams of around five students in or near their final semester carry the project through from specification to delivery. Many, but not all, of the customers from companies are graduates within the last five to ten years so they are familiar with both the company and the capstone course. The projects they bring are usually projects, often exploratory, which companies would like to investigate. For example, an automobile manufacturer wanted an add-on to a car audio system which tracked friends using cell-phone technology. In this case, a simulated demo system was built. For local and smaller companies a web presence has been developed and deployed, usually backed by a database. Some products are directly used by the company. Some teams are offered jobs as a group with the company. Most companies are repeat customers, and there are more companies than we have teams.
The setup I described is not unusual, and essentially every department in our Engineering college does something similar. I accredit CS programs and have visited many schools with similar setups.
If you Google for "capstone course" CS site:edu, you will get a lot of good hits.
Smart chips, combined with proper key management, give you the ability to put encrypted and signed information on a card, making it much more difficult to create/obtain a fraudulent card; you need access to the authentic keys to do so.
...
Correct, but...
One can clone that information. You say, but then the RFID information doesn't match the non-RFID information.
Correct, but...
In many applications that doesn't matter. For example, it would still work fine for people-less transactions such as Mobil Speedpass for gas and food purchases or to take a car with a passive RFID "key." Even transactions with people often fail because the "OK beep" when passing security is sufficient without bothering to verify RFID information with the non-RFID information such as photo (see posting about first-hand experiences with this effect elsewhere).
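Added example for the reply above (mine, not from the thread): a signed record copied off a card passes exactly the same signature check on the clone, so an unattended reader that only checks the record accepts it; a reader that challenges the chip with a fresh nonce does not, because the per-card key never leaves the chip and a response overheard earlier does not replay. Keys, record layout and the reader protocol are constructed for the demo.

```python
"""Added example, not code from the thread: a signed record on a card survives
cloning; only a secret that never leaves the chip, exercised by challenge-response,
does not.  Keys, record format and the reader protocol are constructed."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ISSUER_SIGNING_KEY = b"constructed issuer signing key"   # constructed
ISSUER_MASTER_KEY = b"constructed issuer master key"     # constructed; derives per-card keys


def card_key(account: str) -> bytes:
    """Per-card secret derived by the issuer; only the issuer and the chip ever hold it."""
    return hmac.new(ISSUER_MASTER_KEY, account.encode(), hashlib.sha256).digest()


class Card:
    """Genuine chip: a readable signed record plus a key that is never read out."""

    def __init__(self, holder: str, account: str) -> None:
        self.record = f"{holder}|{account}".encode()
        self.signature = hmac.new(ISSUER_SIGNING_KEY, self.record, hashlib.sha256).digest()
        self._key = card_key(account)

    def read_static(self) -> Tuple[bytes, bytes]:
        return self.record, self.signature          # everything a sniffer or skimmer gets

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, self.record + nonce, hashlib.sha256).digest()


class Clone:
    """Copy built from a captured read plus, optionally, one overheard challenge exchange."""

    def __init__(self, record: bytes, signature: bytes,
                 captured: Optional[Tuple[bytes, bytes]] = None) -> None:
        self.record, self.signature, self.captured = record, signature, captured

    def read_static(self) -> Tuple[bytes, bytes]:
        return self.record, self.signature

    def respond(self, nonce: bytes) -> bytes:
        # No key on board: the best it can do is replay a response it overheard.
        return self.captured[1] if self.captured else b""


def static_check(card) -> bool:
    """What an unattended reader does when it only validates the issuer's signature."""
    record, sig = card.read_static()
    expected = hmac.new(ISSUER_SIGNING_KEY, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def challenge_check(card) -> bool:
    """Signature check plus a fresh-nonce challenge the chip must answer with its key."""
    if not static_check(card):
        return False
    record, _ = card.read_static()
    account = record.decode().split("|")[1]
    nonce = os.urandom(16)
    expected = hmac.new(card_key(account), record + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(nonce))


def demo() -> dict:
    genuine = Card("A. Holder", "4111-0001")
    record, sig = genuine.read_static()
    old_nonce = os.urandom(16)                       # attacker also overheard one exchange
    clone = Clone(record, sig, captured=(old_nonce, genuine.respond(old_nonce)))
    return {
        "genuine_static": static_check(genuine),
        "clone_static": static_check(clone),
        "genuine_challenge": challenge_check(genuine),
        "clone_challenge": challenge_check(clone),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off is that the challenge-response side needs the chip to compute a MAC on every read, which is exactly the power-budget question raised further down the thread for passive tags.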
When it comes to security, there are two main vulnerabilities in contactless cards: eavesdropping and accessing the card without the holder's knowledge are easier than with contact cards.
Yes and no. Contactless cards get their power from the radio waves (the "R" of RFID) which provides very little power over the expected time period within range. For that reason, they cannot do much processing, e.g. good cryptography. (See http://en.wikipedia.org/wiki/Speedpass for information about cracking RFID encryption.) There exist RFID devices with batteries (e.g. IPASS toll payment in Chicago, IL, USA and similar), but they are generally too thick to fit in your wallet.
The common fallacy of RFID discussions is to confuse "passive" devices which depend on radio waves for power and "active" devices which have a power source but are activated by radio waves. People often talk about the capabilities of active devices in the context of passive devices without realizing that passive devices don't have enough power to do much of anything.
They recommend updates which on Windows XP gets you a software firewall. They should have included that firewall in their evaluation.
Add East Lansing, Michigan (home of Michigan State University) to the list with http://www.fragcenter.com/. They have been in business for three years. They also repair PCs. As a parent of a teenager one feature I've noticed is that they give out free playing time for good grades -- quite a bit of free time.
Free for how long? Around 1985 the city of Minneapolis, MN awarded cable TV access to a company. Initially, for free any resident could get cable service with all the channels which one could get over the air -- the advantage was increased quality. Anything beyond that basic service cost a fee. That free basic service lasted less than two years. It was a classic bait-and-switch. I expect the same short life for free, limited wireless.
One cool feature that Merit has had for nearly 20 years is that anyone with a Merit account (which includes all college students in Michigan plus others) can dial a local number in any part of the state and get a dial-up connection.
TFA says "AvanteGarde deployed half a dozen systems...average time until successful compromise was four minutes." If you read the AvanteGarde article you find that the systems with a firewall (either ZoneAlarm or SP2) were not compromised (neither were the Linux or Mac machines). He totally misrepresents the article. While he has some valid points he starts out his article like a troll.
You said "when they [business majors] graduate they may make more money" was not true. However, that is the perception, and perception drives decisions.
It is a crime, but a jury can decide to acquit ... for whatever reason and they do not have to tell why.
Eventually, the DA will get the message.
If a course uses a cheat check program such as MOSS, multiple students outsourcing assignments to the same place will likely get served by the same coder, hand in the same program, and get caught. That is, the more students that outsource in a class, the greater the chance of getting caught.
Stories:
1. I know of one TA who did rent-a-coding on the side, and happened across an assignment from one of his classes posted. He bid, got the contract, and reported to the professor.
2. Sometimes it is the student who is "not the sharpest knife in the drawer" who outsources. I found a student posting an outsourcing bid who was easily traceable. I contacted the student before a bid was accepted.
3. In a C++ class, I had a cluster of programs flagged as similar by MOSS. Upon investigating I found that a student had posted a solution on a web site. Only one of the cluster compiled. The others failed because their browsers had removed everything in the #include statements between the angle brackets. The students did not recognize the problem and had not even tried to compile the programs before handing them in. In that class, a program which didn't even compile was worth nothing anyway so their cheating yielded programs which were worth nothing. Their plagiarizing yielded a zero for the course and a note to the Dean.
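Added example (mine, not from the thread and not MOSS's own code): the document-fingerprinting idea MOSS is built on, winnowing over hashed k-grams, run on three constructed submissions: an original, the same program pasted from a web page that swallowed the <iostream> and <string> after #include and then re-indented, and an unrelated program. The k-gram and window sizes are my choices, and the character-level normaliser stands in for MOSS's language-aware tokeniser.

```python
"""Added example, not code from the thread: winnowing fingerprints (the idea behind
MOSS) applied to three constructed submissions, one of them the "#include with the
angle brackets eaten" copy described in story 3 above."""
import hashlib
from typing import List, Set

K = 8   # characters per k-gram after normalisation (my choice)
W = 4   # winnowing window: every W consecutive hashes contribute at least one fingerprint


def normalize(src: str) -> str:
    """Drop // comments and all whitespace so re-indenting does not hide a copy."""
    stripped = (line.split("//", 1)[0] for line in src.splitlines())
    return "".join("".join(line.split()) for line in stripped)


def kgram_hashes(text: str, k: int = K) -> List[int]:
    return [
        int.from_bytes(hashlib.blake2b(text[i:i + k].encode(), digest_size=4).digest(), "big")
        for i in range(len(text) - k + 1)
    ]


def winnow(hashes: List[int], w: int = W) -> Set[int]:
    """Keep the minimum hash of every window of w hashes; any shared substring of
    length k+w-1 therefore yields at least one shared fingerprint."""
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprints(src: str) -> Set[int]:
    return winnow(kgram_hashes(normalize(src)))


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of the two fingerprint sets (0 = nothing shared, 1 = identical)."""
    fa, fb = fingerprints(a), fingerprints(b)
    return len(fa & fb) / len(fa | fb) if fa | fb else 0.0


# Constructed submissions.
ORIGINAL = """
#include <iostream>
#include <string>
using namespace std;
int main() {
    string name;
    cout << "Name? ";          // prompt
    cin >> name;
    for (int i = 0; i < 3; i++) {
        cout << "Hello, " << name << endl;
    }
    return 0;
}
"""

# Same program pasted from a web page that ate <iostream> and <string> as HTML tags,
# then re-indented.  It no longer compiles, but it still fingerprints as a copy.
BROKEN_COPY = """
#include
#include
using namespace std;
int main()
{
  string name;
  cout << "Name? "; // prompt
  cin >> name;
  for (int i = 0; i < 3; i++)
  {
    cout << "Hello, " << name << endl;
  }
  return 0;
}
"""

INDEPENDENT = """
#include <stdio.h>
#include <stdlib.h>
/* average of the numbers given on the command line */
int main(int argc, char **argv) {
    double sum = 0.0;
    for (int i = 1; i < argc; i++)
        sum += atof(argv[i]);
    if (argc > 1)
        printf("%f\\n", sum / (argc - 1));
    return 0;
}
"""


def report() -> dict:
    return {
        "copy": round(similarity(ORIGINAL, BROKEN_COPY), 2),
        "independent": round(similarity(ORIGINAL, INDEPENDENT), 2),
    }


if __name__ == "__main__":
    print(report())
```

The broken copy scores well above the unrelated program because everything after the two mangled #include lines is byte-identical once whitespace is gone; a real tool adds identifier renaming and language tokens on top of this so that cosmetic edits score the same way.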
Nicely done (karma bonus for good parenting).
I am a professor and tell my class "If you can find it on the Web, so can I." I still will get one student out of sixty who copies and gets caught (one a year in this one class for the last three years). After the first incident I figured they might have skipped that class so the next time I put the quote in the assignment, but still had someone plagiarize. By the way, they get a zero for the course and a meeting with the Dean.
The proposed, targeted advertising could work for cable, but what about broadcast mediums such as over-the-air or satellite?