Slashdot Mirror


User: JDisk

JDisk's activity in the archive.

Stories: 0
Comments: 21

Comments · 21

  1. Re:Being non-proft does not justify being incompet on Loss of a Single Laptop Leads to $50k Fine Against Idaho Hospice · · Score: 1

    FIPS 140-2 to be more specific. There are plenty of free options.

    Are there? Last time I looked into FIPS 140, it was the case that only certain software versions were validated by NIST, and none of the validated incarnations were either free-beer or free-libre.

    Crypto++ is free and open source and FIPS 140-2 validated.

  2. Re:FlexeLint / PC-lint on Static Code Analysis Tools? · · Score: 2, Informative

    I have to agree with this recommendation (Gimpel lint).

    A few points, though:

    - It is purely text-based, so if you are looking for a shiny GUI-based tool (easier to sell to the PHB), you are out of luck.

    - Depending on the quality of your code, running it for the first time can result in a huge (make that HUGE) amount of warnings. You might want to start small and only turn on more and more options later. Initially, you will have to invest quite a bit of time to get your code "lint-clean". In the long run, this is well worth it.

  3. Re:Pay for labor, not for copies. on A Working Economy Without DRM? · · Score: 2, Informative

    Stephen King might be able to get a 100,000 people to pay in advance for the next chapter of his new book. A new and unknown author certainly can not.


    Well, not $100000, but even relatively unknown, 'midlist' authors can make money that way. An example would be Lawrence Watt-Evans, who published one of his books, The Spriggan Mirror, in small pieces, only releasing the next chapter when he got enough money. We are talking $100 per short chapter here, so it is not in the order of millions, but he was happy with the result and is thinking about doing it again.

    Note that he is a professional writer and did not do this as a hobby.

  4. Just ignore it on Coping with Exam Panic Attacks? · · Score: 1

    Just to be a bit contrarian to most of the posts: If this was the first time and you normally have no problems with exams, just ignore it. It might not happen again.
    I have had this happen once, in a quite unimportant test. Panic and total blackout. I managed to literally write my name and like five words in a 3 hour test. Afterwards, I talked with several teachers and my parents (both teach as well). They all agreed: it happens, but normally only once. So I tried to relax, ignore the F on that test and just go on.
    Well, it worked. For years afterwards (up to and including my PhD defence), I would worry a bit about it happening again, but it never did.

    If the attack happens again, I would definitely start looking for professional help, but up to then, just relax. Worrying too much, doing lots of research and trying to remember all sorts of tricks might just increase your anxiety.

  5. Re:Reuse! on Software Development Practices At Google · · Score: 1
    One has to distinguish two kinds of software reuse: Personal and Organisation-wide:
    I worked on a number of projects there, and I tended to copy useful bits from one to the other.

    This is personal reuse: It takes almost no additional effort because you are acquainted with the original code, you know what it does, its limitations and so on. If it needs to be extended, you can do it on the fly.


    For other people to reuse your code, it needs at least to be polished and documented. Normally there is some additional programming necessary to extend it to more general cases, add generalised error checking etc. This effort is very often underestimated. In The Mythical Man Month, Fred Brooks quotes a factor of at least two, i.e., you need to spend at least the same amount of time again that you needed to write the customized code in the first place.

    When I was working for a big multinational corporation a few years ago, the VP of my group declared that we would henceforth be reusing software components. A place was designated for placing the reusable pieces that would be reused in the future.

    And this is where (in my experience) most institutionalized code reuse fails. Higher-up managers invent nice procedures but are not willing to spend the money to get the code reusable. Which then means that most projects just ignore those nice plans. And yes, as a project manager I would as well. Why should I spend my budget on making code reusable if I don't get a benefit out of it for the current project? I want the money/resources up front, then I can accept additional project goals like "make this component reusable for the whole company, according to this or that guideline".


    Making code really reusable is like many other things in business. You need to invest up front to reap the benefits later. For some reason, for reusable components, PHBs like to overlook the invest part and want the benefit for free. Understandable, but life (and software development) doesn't work that way.

  6. Re:"1 metre accuracy" always amuses me.... on British Rail Moving Forward with Sat-Nav/GPS · · Score: 1
    ... send data at the rate of hundreds of location datagrams per minute
    You'd just send position, speed (and maybe acceleration) every minute or so and special packages if acceleration (or speed) changes.

    ... cost
    First, such a system using public GSM would probably be implemented using GPRS where you'd keep the data connection open (you pay per byte, not per second).
    Even if the system uses public providers, the railroad companies are certainly big enough that they can easily negotiate much better conditions.
    But, at least in Europe such a system would probably use the railroad-specific GSM-R system. And if you run the network yourself, you worry more about channel saturation and call-priorities than costs per call.

    This is actually an interesting question. At the moment, data calls on GSM-R have the lowest priority. This means that every other call will interrupt your call (on the same machine) and once the cell starts getting busy, your call is the first to get terminated. For the engine-bound applications that use GSM-R for data at the moment (at least in Germany) this is no real problem (but still a pain in the [expletive deleted]) but for anything safety- or just timing-related this would have to be changed.

  7. Re:First impression on British Rail Moving Forward with Sat-Nav/GPS · · Score: 3, Insightful
    It's just a matter of money. At work, a colleague next door is extending a program used to save energy on railroad engines (old link) that originally worked with an odometer to accept GPS signals because it is cheaper to install a GPS receiver than to retrofit an exact odometer.

    Additionally, with an odometer you need additional information, like which switches were in what setting and so on. GPS is self-sufficient.

  8. Source code validated on DoD team nears Security Validation of OpenSSL · · Score: 4, Insightful
    First, kudos to the guy who took the hard way just to save the taxpayer some money. We need more people like him.

    But technically the interesting point of the certification is that they managed to get the source code certified. There is at least one other open source product, Crypto++, that is also FIPS 140.2 validated (Certificate #343). But they only managed to get a compiled package validated, which does help me to trust the code but not really to "sell" the library to PHBs. The article doesn't really go into how they did get NIST to validate the source code. Anybody know more details?

  9. Re:Hybrid models on China's New Craze: E-bikes · · Score: 1

    They already have improved them: Try a modern hub-dynamo. The best one is probably the SON but Shimano also makes several models. They are at least twice as efficient as normal sidewall- or bottom-bracket dynamos. Almost no noticeable drag and much more reliable, esp. in bad weather. About the only downside is the price.

  10. other alternatives on What Does the Future Hold for GNU Octave? · · Score: 2, Informative

    You might want to have a look at other alternatives such as Scilab. Other free mathematical programs also exist, but Scilab and Octave seem to be the closest in spirit (and language) to MATLAB.

  11. Re:Actually... on Usenet Co-founder Jim Ellis Dies · · Score: 1
    The nasty thing IMHO is all the email collecting bots that wander through ALL groups pr0n or no pr0n. A newbie has no chance to know about this and fake an email or SPAM-proof it. Many an email account is rendered useless by this.
    It's not really this bad. I've done a little experiment for the last couple of months. All my usenet posts (different groups, several hundred postings) were posted using a special but functioning email address as From: address. This email address was only used on usenet.

    I also analyse all the spam I get and (mostly) eliminate automatically. And guess what: only about 4% of the spam I got since I started using a legal email address on usenet again was sent to the special usenet email.

    So I figure that the 'email collecting bots' are collecting most of their emails someplace else (the web?) but not on usenet.

    Statistics are fun

  12. Re:Top 500 Supercomputers can be found... on "Cplant" Parallel Computing Tool · · Score: 1
    Now, I usually don't nitpick, BUT I am just too proud for this: you missed number 126.

    528 Pentium III-800 computers, running Red-Hat Linux. (well, usually it is some less, since a couple are out of order at any time). Just normal mini-towers in long rows of shelves. And a huge network switch. Normally, the info can be found here, but since Murphy lives, it seems like our webserver is down right now, another picture.

    Well, back to abusing this machine.

  13. Some suggestions on Citation Managers For Unix? · · Score: 1

    The author of this article (in German) compared some of the available tools with the Windows program "Reference Manager". His conclusion: There are no absolutely recommendable programs, but Sixpack, Pybliographer (and XEmacs in the bibtex mode) are strong candidates.

  14. Other Perspective on What Privacy? UK DNA Database Could Grow Fast · · Score: 2
    It is interesting how the point of view differs even in European Community countries. Just last Thursday the German Constitutional Court published its findings on inclusions of genetic samples into a data base. So from now on each single case has to be evaluated by a judge. The DNA sample can only be included in the database if

    1. the subject was convicted of a serious crime (rape, manslaughter, blackmail, ...)

    2. there is the expectation that the convict will be recidivous.

    The simple collection of a DNA sample to compare against a given piece of evidence is allowed (with certain checks) but the sample and collected information has to be destroyed afterwards.

  15. Re:A solution of sorts on Authentication Via Geographical Location? · · Score: 2
    GPS isn't really enough. You need to have something which you couldn't have had if you were anywhere else. Satellites could give you this, but only if they beamed different, cryptographically secure, messages in different directions. [...] Of course, Bob could just have a transceiver in France.

    That problem can be (theoretically) solved with a very exact clock and an (almost) direct link. The satellite sends an encrypted signal containing the exact time. Bob then immediately forwards the signal. If the time difference equals (distance(Satellite,France) + distance(France,Alice))/C, (with C the speed of light), Bob cannot be using a transceiver.

    Of course, in real life, switching speed and other inevitable technical delays will forbid pinpoint accuracy, but it might be good enough for guaranteeing location within a couple of miles.

  16. Re:Another DoS Attack on Kuro5hin Forced Down By DOS · · Score: 2

    A mirror of cryptome can be found here.

  17. Re:About Time--But Does It Matter? on Europe Sets Encryption free, USA Protests · · Score: 4
    Besides, all of the major encryption standards were developed in the US, so the EU's decision will not really affect distribution of the well-known algorithms
    Well, two of the five finalists (Rijndael and Serpent) of the next generation symmetric encryption standard AES are from Europe. And even if they should not win, it will not matter commercially since all entries have promised that their algorithms are 'available on a worldwide, non-exclusive, royalty-free basis'. So, the next American encryption standard may well be a European algorithm and implementations will definitely be available from European vendors. For the sake of competition let's hope they will be available from Americans as well.

  18. Re:Nice trick... but that's about it. on Experiences of Running Linux on a Mainframe · · Score: 2
    I would imagine delivery on a shiny new mainframe wouldn't be a next day thing

    Well, actually, it (probably still) is. Some years ago while working in a mainframe computing center I was told that IBM had actually hired a Boeing to fly a whole mainframe over the Atlantic because they had no adequate hardware in Europe and they still needed to honor their 24-hour service contract.

    At that time (more than 10 years ago) the company I worked for estimated that they would go bankrupt if they lost computing service for 72 hours. I would guess that time has decreased by now. If you are that dependent on computers, you really care about the quality and speed of your service contract.

  19. Re:Can you jam Van Eck emissions? on Coming to a Desktop near you: Tempest Capabilities · · Score: 1
    A viable option? Not really. You simply need too much power to hide the signal.

    Remember, the signal (from the monitor) is transmitted dozens of times a second. So unless you scroll real fast, the attacker will be able to get hundreds or thousands of readings. This, combined with some suitable filtering, allows you to detect a very small signal in a lot of noise. (Ask your local astronomer for examples.) To beat this, you will need a LOT of noise.

    This equates to a lot of radiation. And this has a couple of disadvantages:

    1. Radiation seems to be bad for us biological beings. While some of the talk about radiation causing cancer etc. may be overblown, I wouldn't really enjoy sitting next to a nice powerful radio emitter all day.

    2. Powerful electromagnetic radiation tends to screw up delicate electronics. Like computers. So you need to shield your computer, anyway. Just what you wanted to avoid.

  20. Quote from the Economist (was Re:Kook city) on Investment Advisor Alleges MS Financial Fraud · · Score: 1
    The "analysis" has all the hallmarks of a kook.
    It sure sounds that way. BUT at least some of his accusations are true. He claims that "the Economist Story Legitimizes My Study" and I have to admit that he is correct: To quote from the story (I can't find it on the net any more, so I'll cut and paste some excerpts):
    First, it is hard to tell whether profits have, in fact, risen all that much, for the cost of most executive share-option schemes is not fully reflected in company profit-and-loss accounts. Attempts by the Financial Accounting Standards Board (FASB) to require firms to set the cost of options against profits were killed by corporate lobbyists in 1995. They argued that if the cost of option schemes were treated in that way, fewer of them would be awarded, fewer people would have reason to maximise shareholder value and the economy would suffer.

    FASB did, however, manage to make firms include a footnote in their accounts detailing the share options awarded during the year. Smithers & Co., a research firm in London, calculated the cost of these footnoted options and concluded that the American companies granting them overstated their profits by as much as half in the financial year ending in 1998. In some cases, particularly that of high-tech firms (which tend to be generous with options), the disparity is even greater. For instance, Microsoft, the world's most valuable company, declared a profit of $4.5 billion in 1998; when the cost of options awarded that year, plus the change in the value of outstanding options, is deducted, the firm made a loss of $18 billion, according to Smithers.

    Some maintain that these numbers exaggerate the problem: there is genuine dispute over how best to calculate and account for the cost of executive options. But this is quibbling. Warren Buffett, a well-known American investor, put the case succinctly for tightening the rules on share-option schemes in the recent annual report of his investment company, Berkshire Hathaway. "Accounting principles offer management a choice: pay employees in one form and count the cost, or pay them in another form and ignore the cost. Small wonder then that the use of options has mushroomed," he observes. "If options aren't a form of compensation, what are they? If compensation isn't an expense, what is it? And, if expenses shouldn't go into the calculation of earnings, where in the world should they go?"

    So, the Economist does seem to agree with him at least partly.

  21. Re:Microsoft Using Tempest to Check Serial Numbers on Declassified Tempest Material Comes Online · · Score: 1
    There was an interesting sidebar to an article in Scientific American about a year ago describing a technique to hide data on a screen so that the user could not detect its presence, yet the data could be picked up by Van Eck phreaking.
    The original scientific article can be found at Markus Kuhn's homepage. (Lots of interesting reading there.) The same article also describes how to apply the same technique to construct a set of fonts that are quite resistant to normal Van Eck attacks.
    Microsoft was funding a project to use this to put product serial numbers on the screen so they could drive a truck through an office park and pick out software pirates. Honest.
    This assumes Microsoft having a clever idea. Now I don't have the source handy (I think it was a post on de.comp.security) but I seem to remember that one of the authors (M. Kuhn or R. Anderson) said that when MS gave them a big grant, they looked for some way to demonstrate that their security research had 'real life' applications as well. At least, the UK patent covering this idea (UK patent application no 9722799.5, October 29, 1997: Software Piracy Detector Sensing Electromagnetic Computer Emanations) has their names on it.