If the file you're accused of "illegally downloading" was an update to Azureus, show them the copyright/license information for the product at http://azureus.sourceforge.net/ . http://sourceforge.net/projects/azureus/ says that it's GPL. So downloading that particular product is quite strictly legal.
A separate issue that you haven't addressed is what other material you've downloaded using BitTorrent. Some people only use it for legally downloadable material like open software ISOs and trade-friendly music like the etree.org stuff (I certainly do; there's way too much stuff I like there to have time for piracy), while other people trade warez and pirated music. If you're one of the latter, please slap yourself on the wrist, clean the stuff off your PC, and be *very* careful when you talk to the university admins. If you're one of the former, you're in a much stronger legal position. There can be a big difference between what legitimate uses you *could* use BT for and what you're actually doing with it.
Illegal downloading is potentially legally dangerous to the university, whether it's done with BT or FTP-over-carrier-pigeon. If they're saying that the *issue* is dangerous to *you*, that sounds to me like a threat, and you really need to talk to your ombudsperson.
Reference code is important, and while the paper's pretty brief, it looks believable at first glance (I'm an engineer who's dealt with lots of crypto, but am not a crypto mathematician) - it claims to have addressed at least the most important popular attacks.
But it doesn't say who wrote the algorithm (just the reference code) - is it someone known to the community? It's written by the anonymous academic "we" - it references a couple of papers by Tom St. Denis, but has the feel of somebody who doesn't natively speak English, and the web version has spelling problems. The paper's about 8 months old - has some version of it been submitted to any of the academic journals, and have any of the published it? fl@ws says later they're working on getting some professionals to look at it, which is a good start (realistically, if the academic community doesn't generate its own buzz, you're going to have to hire credible people to vet it to start to get some attention so that more people will start trying to attack it.) The posting mentions a "challenge", which is usually a bad, bad sign, though this looks better than the usual snake oil that does that.
Things I'd hoped to see that are missing include
Why should we care? There are lots of crypto algorithms out there, some of which, like the AES candidates, have been thoroughly beaten up by the community. Is there some weakness (esp. with Rijndael) that this addresses?
"Faster in hardware" - Sometimes hardware's interesting, but only if you're going to sell lots of it; it needs to perform decently in software. There's a bit of discussion of some of the issues, particularly making it fit on 8-bit processors, in case anybody still uses those, but nothing indicating that any speed testing has been done, or indicating what quantities of memory it needs or sensitivity to running on various architectures (e.g. x86 or something with enough registers or ARM or MIPS, 8/16/32/64 bit issues, etc.) The reference code does indicate that it can at least be implemented in C without hopeless quantities of bit-twiddling, which is a good start.
I couldn't really tell which block modes were useful - CBC, counter-mode, etc. Is there anything different here than AES?
How well does it parallelize - if you're trying to pump out maximum speed on something other than a discrete 8-bit chip, such as an array of cells in an FPGA or ASIC, does that work ok? Or is the answer simply "go use whichever standard operations mode you like, just as you would with AES or 3DES?
Is 128 bits long enough for both the key and the block? There was some discussions about originally trying to design for 256-bit keys, but cutting back to 128 for efficiency reasons. If making it fit onto an 8051 is part of your design criteria, that may be necessary, but many algorithms have some encryption modes that aren't as useful because of birthday attacks because the keys are too short.
"Public Domain" actually several relevant specific legal meanings.
US Technology Export Laws (which were written back when the Free World was the enemy of Communism to prevent Commies from getting militarily useful technology, and kept around much longer as a fiction to prevent citizens from having private communications that the FBI and NSA couldn't wiretap) defines "public domain" essentially as open knowledge that can be freely discussed, at least by academics, without the same limitations as non-public-domain crypto technology which mustn't be disclosed to those nasty Foreigners (except Canadians and sometimes Brits.) Those laws aren't totally gone, but they're mostly gone and it's easy enough to work around them for the most part.
Copyright and Patent have their own different meanings of Public Domain - If something is copyrighted, you can't copy the exact implementation, but you can write your own code that implements the same mathematical functions. But it it's public domain, feel free to Xerograph it, retype it, whatever.
But if something is patent-protected, you can't implement the algorithm/business-method/hardware yourself, even writing your code from scratch in a clean room, unless you've got a license from the patent-holder.
I don't know the company's name - but I used to get lots of spam for business card printing back when I met her. It's mostly been replaced by other things, or drowned out in the other spam, or successfully filtered, or whatever, but I don't think the print shop my company's bureaucrats contract with charges more than $8-10, and the cards are good quality. I don't get to design my own - they've got our logo in one bluish color and a few lines of black text on white cardstock, and it's probably my corporate IT department that did the web form that didn't let me put a PGP key along the bottom the last time I tried.
Furthermore, Microsoft Word is part of Microsoft Office, which is an entirely different product from the operating system. If it can't play clips without a media player, then it can't, and maybe that's because it's not a media player program. Try OpenOffice.
She had some cheerful business cards. Turns out she'd gotten them "free" from a web site she heard about in an email. Of course, the shipping for the 250 "free" cards cost about $7, so she ended up paying about what should would have if she'd gone to a reputable printer. My wife and I looked at each other sadly and decided it wasn't likely to be worth trying to educate her...
Those two figures aren't in conflict with each other. You can have a very small response rate per message, but spammers send billions and billions of messages to millions of people, and it's quite possible that 10% of the people have bought at least one thing at least once, even if they ignored thousands of other spams the received.
I get almost no spam in Chinese or Korean, but maybe one day in 10 I get spam in Japanese and occasionally I get spam in Hebrew or Russian. Fortunately, the stuff has ISO-standard character-set tags in the From: and Subject: lines (usually both), and since I don't read any of those languages, I can set my spam filters to discard them. It's much less crude than simply discarding anything with a Korean or Chinese IP address or domain name, though on some of my email addresses I do that also.
"Almost Nothing" means "Not Nothing", aka "Ok, yeah, a couple of things". In this case, there's at least one technique that works, and there may be others that nobody's discovered or ranted about yet. But this one's ugly.
Yeah, I realized that one after I'd posted. Most extrasolar planets have been detected by the gravity effects rather than occlusion, but at least one of the articles did refer to a small number being detected by occlusion as well.
Not only did they discover them using infrared, but one really interesting thing about this is that it's the first time that they've directly seen light from one of the planets they discovered, as opposed to previous discoveries which have only seen the light of the star being occluded as the planet passes in front of it. Really nice.
Yes, once in a while a spammer decides to send out his Make Money Fast With Nigerian Herbal Fake Viagra ads with a From: address of some anti-spammer or random person or popular mailing list author (e.g. Declan McCullagh or Dave Farber) so that anybody who whitelists them will get the mail and any bouncegrams or spam complaints will go to somebody they don't mind annoying. It's especially common for spam where the response method is to look at a website (or buy some bogus penny stock) rather than to reply to the sender.
If the IBM system does things cleverly, and I think it does (though you can't really tell from the confused news articles), instead of sending a TMDA-like confirmation note directly to the From: user's address, it makes an SMTP connection to the machine that sent the email and sends the confirmation note from there. This would at least mean that the confirmation only gets delivered to the purported sender if it's sent from a mail server that can reach that person. In general, legitimate mail usually gets sent this way (but not always, especially for people with multiple email addresses), zombie mail doesn't, and open relay mail does (but zombies and relay-blocking lists have made it less popular.)
I live in a condo, and our association has some kind of 10-year package deal from them, so part of my homerowner fees include basic cable. I still get a $0.00 monthly bill from Comcast with lots of offers for upgrades to digital, optional movie channels, pay-per-view, etc. Of course, if I want to call Comcast to get my service fixed, their corporate-plan people don't know what to do because I'm an end user, not an apartment manager, and the home-user people don't know what to do because I'm not a paying customer and there aren't enough digits in the numbers on the bill I get. They can usually figure out how to escalate things if three people from our condo have called within 24 hours of each other, but since we've only got 32 units that doesn't happen often, in spite of frequent problems during the rainy season. Sometimes they send out a cable guy, but of course the cable goes through my downstairs neighbor's unit, and they can't get access to that unless he's home also.
Disclaimer: As a Comcast stockholder, I've had lots of reasons to call the company terminally stupid. Their cable modem folks are worse:-) [Oh, and just so this isn't totally off-topic, their cable modem people don't sell static IP addresses to residential users and don't let you run an email server, which is really annoying to Linux users and doesn't bother spammer zombies a bit.]
The big advantage of dynamic addresses is that DHCP lets users just plug in their computers and have them work, without the need to configure them, so it's easier to sell to couch-potato users. And static-address customers often want to know their address in advance so they can set it up in DNS, etc.
That doesn't mean you can't hack a DHCP server to always hand out the same IP address when asked by a MAC address that you've seen before, so everybody effectively gets a static address as long as they don't change NIC cards, add or change firewall boxes, etc. Or you can do more work and hack up something that, when it sees a new MAC address, hands it a 192.168.*.* address with 10-second lease-time which has a DNS and web server that asks you for your user account number and configures the DHCP server with your MAC and regular static IP address, so you can unplug and connect again and get back the address you're supposed to have. But those take work, at least for somebody, once.
I pay about $57 from sonic.net for service with static IP address; the price would be the same for dynamic, and I could get 4 static addresses just by asking for them. I've looked into other ISPs which have attractive-looking $29 deals, but those seem to all be dynamic addresses (and most are loss-leader pricing for a short term), and by the time you buy a static address, they all seemed to be at least $55. Speakeasy's price was similar to Sonic's when I last looked, and Sonic's plan structure was a slightly better match for me.
There are two different problems here - if the mail's non-spam, or if it's spam. You're replying to the problem of non-spam email where the addresses don't match (which SPF isn't always good at, and which this system might not be that good at.)
Backscatter problems are different - they're the problem of email claiming to be From: realuser@realdomain or random-fake-user@realdomain, but actually sent from some other location, whether a spammer's machine or an open relay, zombie, etc. Yahoo/Hotmail/etc. get annoyed about the large volume of spam claiming to be from fake addresses on their machines, because they not only get complaints, they also get bouncegrams. Real users get even more annoyed - this used to be a huge problem when several popular Microsoft-email viruses were forging from addresses to make their mail more likely to be read, and occasionally spammers decide to joe-job somebody who's annoyed them.
As they say, Never attribute to malice that which can be adequately explained by incompetence. This is technical journalism by non-technical people - you don't expect them to get everything right all the time, though occasionally they'll at least point out interesting things you can check out for yourself. And don't expect non-technical journalism to be much better (sometimes it is much better, because there are some real professionals out there, but too much of it's random restructuring of press releases from governments or the entertainment world.)
So yeah, it sounds a lot like a roll-your-own version of TMDA with SPF whitelisting.
Go read the FAQ if you don't have time to go read the Privacy Act of 1974 and its successors. Private companies don't have the power to force you to give them an SSN, but they may not feel like doing business with you if you don't, or in some cases they may not be allowed to do business with you if you don't. Governments do have the power to force you to give them information, and the original Privacy Act of 1974 was written to limit the extent to which governments (mainly local and state) and government officials could use that - and it's been increasingly weakened, with new exceptions being added and new laws being written to radically increase the extent to which governments must demand SSNs. (After all, the Privacy Act was just a law, and can easily be changed or replaced by other laws whenever 51% of the politicians feel like it; there's nothing magic about it, unlike Supreme Court decisions.)
Banks are being increasingly required to "know your customer", including getting photo id and collecting SSNs. Just about any business that pays you money needs to collect an SSN - it used to be possible to get a non-interest-bearing checking account without one, but I don't think you can do that any more in the US, at least not at a regular bank.
And yes, it's police-state stuff, quite deliberately.
Remember when Slashdot used to work on a Mozilla / Netscape browser, instead of today when it only works correctly on Internet Exploiter? I'm assuming that the problem is that Slashdot's generating too much non-standard code, but perhaps it's that Firefox and Mozilla are both interpreting the standards wrong...
(Yes, I know I can get it to work by changing the font size with ctrl-plus or ctrl-minus, but I shouldn't need to.)
Data never goes away once it's collected. (That doesn't count Murphy's Law of course - data you really want goes away quite easily.) Computer storage is cheap, and keeps becoming radically cheaper. Software and system administration / management costs aren't cheap, and don't get cheaper, and systems that weren't explicitly designed to get rid of data mean that expunging data is typically an expensive unreliable manual process. And that's just the costs of expunging the data in the active database - that doesn't count hunting through backup tapes, etc. New software and applications, on the other hand, can often import data from existing systems (again, minus the Murphy's Law issues), and when they do so, they usually aren't very good about maintaining any constraints on usage of the data, and usually aren't very good about backtracking if you want to find out who's had access to the data or get them to erase it.
All of this means that any law or policy that increases data collection is not only dangerous, but the data usually gets used for other things beyond the original purpose - information *does* want to be free. Anything that hangs an unique identifier on data, such as a National ID Card Number (or SSN, or SIN, or driver's license number), makes it easy for data to be imported into other systems and aggregated together. Anything that hangs a non-unique ID onto something, like a firstname+lastname, increases the chances that data will be imported into other systems incorrectly, combining your data with known criminal SameFirstInitial+DifferentMiddleInitial+SimilarLas tname who lives in a different city. In both cases, you'll never get the data expunged.
On the other hand, Moore's Law also means that applications that used to be unthinkable are now routine. When mainframes costs tens of millions of dollars and needed to be fed punchcards and stored stuff on magtape, writing database applications took a couple of years and a large budget, so only critical applications that could be used by lots of people got written. These days, a cheap desktop computer can hold lots more data, and any random civil servant can run a Spreadsheet query or simple fill-out-the-form database application for anything they feel like, such as tracking their ex-girlfriend's new boyfriend's phone bills. And most of that data could really fit in a pocket-computer as well, so next year that same civil servant or telemarketer can take a picture of your face or license plate using their camera-phone and look it up for some arbitrary reason (currently it takes a laptop for the license-plate lookup, and it's being done to nail parking ticket non-payers.)
Some of these apps fit on a small USB (e.g. 64MB.) But if you want to start doing more than one or two of them, or want bigger apps like some of the Linux flavors, it's really helpful to know how big they are. For some things, like Email, the big problem isn't really the code, it's the data (e.g. you might have a 4MB program install but 100MB of email.)
That's really not the purpose of online gambling websites. In real casinos, you need to have some people winning to generate enough excitement to keep the other suckers busy losing, but in online casinos, that doesn't happen, so you only need to let the suckers win often enough to keep them steadily losing money while they hope for the next big win. And gambling losses are only deductable up to the amount of your winnings.
If you ban solitaire, you'll need to ban boring phone calls as well.
For some people, it's more critical - my department used to have a secretary who played solitaire a lot. Her most important jobs were to keep track of the managers' appointments and answer their phones, and when she'd done any available paperwork, "answering their phones" meant "sitting around being bored", occasionally interrupted by people calling.
These are IRS employees. Almost none of them are ever doing anything you want them to be doing, except occasionally the people who change the ink cartridges on the refund-check-printing machines. The more time they spend playing solitaire, the better.
The local telco gets to sell you wires to your house, and if they have to replace the technology attached to the wire and can charge you more money for it, and if you put a few IP bits on their DSLAM instead of using their old voice switch, that's fine too. The long distance telephone companies, on the other hand, are more annoyed by this sort of thing, because you've cut them out of the loop almost entirely (not quite entirely - if a VOIP company doesn't have coverage in a given LATA, they can hand off the bits to a long-distance company at wholesale per-minute prices, and if they get enough traffic that the cost bothers them, they can install a gateway instead.)
Consumer long-distance has been a depressing business for the last few years anyway. There's tons of long-haul fiber in the ground, and a reasonable fraction of the competition is using VOIP or Voice-Over-ATM to avoid having to buy conventional phone switches, and the business is a lot less fun at 2 cents/minute than it was at 25 cents/minute - especially when the local telcos get almost 2 cents/minute for delivering calls on the last mile.
Business long-distance voice still makes money - but VOIP is a real threat there, especially since businesses often have enough users to justify putting in hardware, and since new PBXs are almost always IP PBXs (there's usually no sense putting in a non-IP PBX, and old non-IP PBXs eventually need replacing.)
There seem to be several different flavors of Asterisk bootable CDs out there. Some of them you can boot and run safely, but some of them are designed to install themselves on a PC, wiping out whatever was there before. They don't do this without warning you, but they're designed for installation, not for live-CD use or sharing the hardware. It's not that bad a thing to do - typically if you're building a PBX, you were going to take a spare PC, put a bunch of audio boards in it, and run it as a PBX anyway, but if you were also using that PC as your print server or email server, you'll need to install Asterisk first and then add the other stuff.
A separate issue that you haven't addressed is what other material you've downloaded using BitTorrent. Some people only use it for legally downloadable material like open software ISOs and trade-friendly music like the etree.org stuff (I certainly do; there's way too much stuff I like there to have time for piracy), while other people trade warez and pirated music. If you're one of the latter, please slap yourself on the wrist, clean the stuff off your PC, and be *very* careful when you talk to the university admins. If you're one of the former, you're in a much stronger legal position. There can be a big difference between what legitimate uses you *could* use BT for and what you're actually doing with it.
Illegal downloading is potentially legally dangerous to the university, whether it's done with BT or FTP-over-carrier-pigeon. If they're saying that the *issue* is dangerous to *you*, that sounds to me like a threat, and you really need to talk to your ombudsperson.
But it doesn't say who wrote the algorithm (just the reference code) - is it someone known to the community? It's written by the anonymous academic "we" - it references a couple of papers by Tom St. Denis, but has the feel of somebody who doesn't natively speak English, and the web version has spelling problems. The paper's about 8 months old - has some version of it been submitted to any of the academic journals, and have any of the published it? fl@ws says later they're working on getting some professionals to look at it, which is a good start (realistically, if the academic community doesn't generate its own buzz, you're going to have to hire credible people to vet it to start to get some attention so that more people will start trying to attack it.) The posting mentions a "challenge", which is usually a bad, bad sign, though this looks better than the usual snake oil that does that.
Things I'd hoped to see that are missing include
I don't know the company's name - but I used to get lots of spam for business card printing back when I met her. It's mostly been replaced by other things, or drowned out in the other spam, or successfully filtered, or whatever, but I don't think the print shop my company's bureaucrats contract with charges more than $8-10, and the cards are good quality. I don't get to design my own - they've got our logo in one bluish color and a few lines of black text on white cardstock, and it's probably my corporate IT department that did the web form that didn't let me put a PGP key along the bottom the last time I tried.
Furthermore, Microsoft Word is part of Microsoft Office, which is an entirely different product from the operating system. If it can't play clips without a media player, then it can't, and maybe that's because it's not a media player program. Try OpenOffice.
She had some cheerful business cards. Turns out she'd gotten them "free" from a web site she heard about in an email. Of course, the shipping for the 250 "free" cards cost about $7, so she ended up paying about what should would have if she'd gone to a reputable printer. My wife and I looked at each other sadly and decided it wasn't likely to be worth trying to educate her...
Those two figures aren't in conflict with each other. You can have a very small response rate per message, but spammers send billions and billions of messages to millions of people, and it's quite possible that 10% of the people have bought at least one thing at least once, even if they ignored thousands of other spams the received.
I get almost no spam in Chinese or Korean, but maybe one day in 10 I get spam in Japanese and occasionally I get spam in Hebrew or Russian. Fortunately, the stuff has ISO-standard character-set tags in the From: and Subject: lines (usually both), and since I don't read any of those languages, I can set my spam filters to discard them. It's much less crude than simply discarding anything with a Korean or Chinese IP address or domain name, though on some of my email addresses I do that also.
"Almost Nothing" means "Not Nothing", aka "Ok, yeah, a couple of things". In this case, there's at least one technique that works, and there may be others that nobody's discovered or ranted about yet. But this one's ugly.
Yeah, I realized that one after I'd posted. Most extrasolar planets have been detected by the gravity effects rather than occlusion, but at least one of the articles did refer to a small number being detected by occlusion as well.
Not only did they discover them using infrared, but one really interesting thing about this is that it's the first time that they've directly seen light from one of the planets they discovered, as opposed to previous discoveries which have only seen the light of the star being occluded as the planet passes in front of it. Really nice.
If the IBM system does things cleverly, and I think it does (though you can't really tell from the confused news articles), instead of sending a TMDA-like confirmation note directly to the From: user's address, it makes an SMTP connection to the machine that sent the email and sends the confirmation note from there. This would at least mean that the confirmation only gets delivered to the purported sender if it's sent from a mail server that can reach that person. In general, legitimate mail usually gets sent this way (but not always, especially for people with multiple email addresses), zombie mail doesn't, and open relay mail does (but zombies and relay-blocking lists have made it less popular.)
Disclaimer: As a Comcast stockholder, I've had lots of reasons to call the company terminally stupid. Their cable modem folks are worse :-) [Oh, and just so this isn't totally off-topic, their cable modem people don't sell static IP addresses to residential users and don't let you run an email server, which is really annoying to Linux users and doesn't bother spammer zombies a bit.]
That doesn't mean you can't hack a DHCP server to always hand out the same IP address when asked by a MAC address that you've seen before, so everybody effectively gets a static address as long as they don't change NIC cards, add or change firewall boxes, etc. Or you can do more work and hack up something that, when it sees a new MAC address, hands it a 192.168.*.* address with 10-second lease-time which has a DNS and web server that asks you for your user account number and configures the DHCP server with your MAC and regular static IP address, so you can unplug and connect again and get back the address you're supposed to have. But those take work, at least for somebody, once.
I pay about $57 from sonic.net for service with static IP address; the price would be the same for dynamic, and I could get 4 static addresses just by asking for them. I've looked into other ISPs which have attractive-looking $29 deals, but those seem to all be dynamic addresses (and most are loss-leader pricing for a short term), and by the time you buy a static address, they all seemed to be at least $55. Speakeasy's price was similar to Sonic's when I last looked, and Sonic's plan structure was a slightly better match for me.
Backscatter problems are different - they're the problem of email claiming to be From: realuser@realdomain or random-fake-user@realdomain, but actually sent from some other location, whether a spammer's machine or an open relay, zombie, etc. Yahoo/Hotmail/etc. get annoyed about the large volume of spam claiming to be from fake addresses on their machines, because they not only get complaints, they also get bouncegrams. Real users get even more annoyed - this used to be a huge problem when several popular Microsoft-email viruses were forging from addresses to make their mail more likely to be read, and occasionally spammers decide to joe-job somebody who's annoyed them.
So yeah, it sounds a lot like a roll-your-own version of TMDA with SPF whitelisting.
Banks are being increasingly required to "know your customer", including getting photo id and collecting SSNs. Just about any business that pays you money needs to collect an SSN - it used to be possible to get a non-interest-bearing checking account without one, but I don't think you can do that any more in the US, at least not at a regular bank.
And yes, it's police-state stuff, quite deliberately.
(Yes, I know I can get it to work by changing the font size with ctrl-plus or ctrl-minus, but I shouldn't need to.)
All of this means that any law or policy that increases data collection is not only dangerous, but the data usually gets used for other things beyond the original purpose - information *does* want to be free. Anything that hangs an unique identifier on data, such as a National ID Card Number (or SSN, or SIN, or driver's license number), makes it easy for data to be imported into other systems and aggregated together. Anything that hangs a non-unique ID onto something, like a firstname+lastname, increases the chances that data will be imported into other systems incorrectly, combining your data with known criminal SameFirstInitial+DifferentMiddleInitial+SimilarLas tname who lives in a different city. In both cases, you'll never get the data expunged.
On the other hand, Moore's Law also means that applications that used to be unthinkable are now routine. When mainframes costs tens of millions of dollars and needed to be fed punchcards and stored stuff on magtape, writing database applications took a couple of years and a large budget, so only critical applications that could be used by lots of people got written. These days, a cheap desktop computer can hold lots more data, and any random civil servant can run a Spreadsheet query or simple fill-out-the-form database application for anything they feel like, such as tracking their ex-girlfriend's new boyfriend's phone bills. And most of that data could really fit in a pocket-computer as well, so next year that same civil servant or telemarketer can take a picture of your face or license plate using their camera-phone and look it up for some arbitrary reason (currently it takes a laptop for the license-plate lookup, and it's being done to nail parking ticket non-payers.)
Some of these apps fit on a small USB (e.g. 64MB.) But if you want to start doing more than one or two of them, or want bigger apps like some of the Linux flavors, it's really helpful to know how big they are. For some things, like Email, the big problem isn't really the code, it's the data (e.g. you might have a 4MB program install but 100MB of email.)
That's really not the purpose of online gambling websites. In real casinos, you need to have some people winning to generate enough excitement to keep the other suckers busy losing, but in online casinos, that doesn't happen, so you only need to let the suckers win often enough to keep them steadily losing money while they hope for the next big win. And gambling losses are only deductable up to the amount of your winnings.
For some people, it's more critical - my department used to have a secretary who played solitaire a lot. Her most important jobs were to keep track of the managers' appointments and answer their phones, and when she'd done any available paperwork, "answering their phones" meant "sitting around being bored", occasionally interrupted by people calling.
These are IRS employees. Almost none of them are ever doing anything you want them to be doing, except occasionally the people who change the ink cartridges on the refund-check-printing machines. The more time they spend playing solitaire, the better.
Consumer long-distance has been a depressing business for the last few years anyway. There's tons of long-haul fiber in the ground, and a reasonable fraction of the competition is using VOIP or Voice-Over-ATM to avoid having to buy conventional phone switches, and the business is a lot less fun at 2 cents/minute than it was at 25 cents/minute - especially when the local telcos get almost 2 cents/minute for delivering calls on the last mile.
Business long-distance voice still makes money - but VOIP is a real threat there, especially since businesses often have enough users to justify putting in hardware, and since new PBXs are almost always IP PBXs (there's usually no sense putting in a non-IP PBX, and old non-IP PBXs eventually need replacing.)
There seem to be several different flavors of Asterisk bootable CDs out there. Some of them you can boot and run safely, but some of them are designed to install themselves on a PC, wiping out whatever was there before. They don't do this without warning you, but they're designed for installation, not for live-CD use or sharing the hardware. It's not that bad a thing to do - typically if you're building a PBX, you were going to take a spare PC, put a bunch of audio boards in it, and run it as a PBX anyway, but if you were also using that PC as your print server or email server, you'll need to install Asterisk first and then add the other stuff.