Okay, well then ARRGH right back at you. "Popular Science" is hardly a respected, peer-reviewed, scientific journal. Just because you read something in "Popular Science" does not mean that the rest of the scientific community does not think that the authors are crackpots.
Not that crackpots are always wrong, but that's where the smart betting money is. For every supposed crackpot like Galileo (actually not just a crackpot, but borderline heretical for asserting that the Sun was the center of the solar system) there have been thousands of no-name, genuine, dyed-in-the-wool crackpots. A corporate press release and funding by venture capitalists and government agencies do not mean that "something was demonstrated to someone somewhere" or that if something was demonstrated that these folks were the proper observers to pass judgement on the results.
The USDoD spent a good deal of time and money in the last couple of years studying the "invention" of a couple of Bozos who claimed to have developed a people detector. This device, they said, picked up the electro-magnetic field generated by nerve impulses. They "demonstrated" the ability of their device to detect people through walls. Responsible scientists immediately dismissed this idea because the magnitude of the electro-magnetic field created by human nerve impulses is so small that a device that could actually detect them would either be so large as to have to be carried in several trucks (their device was the size of a water pistol) or held so close to the target as to be touching it (as an EKG or EEG machine does). As it turns out, what these "researchers" had developed was a divining rod. The IC chip inside their device had no power source and was not even attached to the antenna on the front of the device.
Strange results do occur frequently during scientific experiments. What separates the crackpots from the scientists is publishing of the results in sufficient detail so that others may point out errors in the experimental methods (such as has been done numerous times with these "cold fusion" experiments that have duplicated the errors of Drs. Fleischmann and Pons) or attempt to replicate the results using the same or similar methods.
Podkletnov's experiments can be dismissed because no one else has been able to duplicate the results, and they have tried. This does not mean that he should stop his research, or that he should receive no funding. He may yet learn something interesting, but I wouldn't put my money on it.
Something to keep in mind - Corporate charters are granted to companies by the citizens of the state (or the government operating - in theory - on their behalf). These charters give the owners of the company certain legal protections that are not afforded to other types of businesses. Incorporation is not a right (it's not mentioned in the Constitution at all). It is a privilege granted by the citizens of the state at their discretion. This privilege can be revoked.
The citizenry can request that the attorney general of their state revoke the charter of a corporation for failure to operate in the public interest. I know it is highly unlikely that any charters would actually be revoked (after all the companies' money probably helped to get the attorney general elected), but it might get the companies' attention, or at least the attention of the press.
For example, an effort is currently underway in California to revoke the charter of Unocal Corporation for repeated pollution and violation of environmental laws. So all you /.ers living in Delaware (where all of the members of the MPAA are chartered) start writing/phoning/e-mailing your attorney general. Start a petition drive. Show these bastards that they only exist because we say they can, and if they want to abuse us that we are going to take our ball and go home.
Actually, the story of aspirin is oh so much more interesting. Aspirin was invented (discovered? synthesized?) by a German gentleman by the name of Felix Hoffmann who was working as a chemist in the chemical sciences laboratory of Farbenfabriken vorm. Friedr. Bayer & Co. (now Bayer AG) in 1897. The Aspirin trademark was registered in Germany in 1899 and is still recognized in more than 80 countries. However, rather than falling victim to common use, like Kleenex or Xerox, the Aspirin trademark was the victim of its homeland's Imperial ambitions. You may be aware that Germany has twice in this century been the instigator of somewhat significant conflicts with its European neighbors. When the USA became involved in these conflicts Congress and the courts became significantly less concerned with the patent and trademark rights of companies based in Germany (and Austria and Italy and Japan and...). When US companies started to use the Bayer trademark name Aspirin for their products, nobody who mattered cared. So in a way aspirin did fall into common use, but not in the common way. Aspirin wasn't just used by people to refer to similar products (as we do with Kleenex and Xerox, and in the deep South, Coke: "What kind of coke would you like? Dr. Pepper? Pepsi? Seven-Up?"). Aspirin fell into common use as the actual product name on the label of many brands of acetylsalicylic acid.
By the way, this is very similar to how most *nix systems determine if the password you enter at login time is the same as the password in the passwd or "shadow" password file.
1. Take known word - let's use "abracadabra" for illustration - and send it through the card.
2. Observe encrypted results with network sniffer or similar device.
3. Take same known word and send it through software version of the algorithm you are testing (DES, 3DES, whatever).
4. Observe result of software encryption.
5. If result from step 2 = result from step 4, chip is doing what it claims.
Which brings up an interesting question. Since DES, 3DES, and the other encryption methods listed for this chip set are symmetric encryption algorithms (i.e., both sender and receiver use the same key to encrypt and decrypt) how do you get the same key into the sending and receiving cards without sending the key in clear text?
I haven't read the IPSec standard yet, but the way this works for other hardware encryption systems I've worked with (like Automatic Teller Machines) is that someone has to initialize the encryption devices on both ends with a "key encryption key". This key is then used to send the first session key, and keys are randomly generated and exchanged on an ongoing basis using the previous key to encrypt the new one. (Of course one flaw that I often observe in this system is that the idiots running these networks choose 0123456789ABCDEF as the initial key, consistently).
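The five-step known-answer test above, and the weak initial key-encryption key complained about in the last paragraph, as an added Go example (not from the original post): it uses Go's crypto/des as the software reference and a published DES test vector (key 133457799BBCDFF1, block 0123456789ABCDEF, ciphertext 85E813540F0AB405) as a constructed stand-in for a block sniffed off the card.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// mustHex decodes a hex string or panics; used for keys and captured blocks.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// KnownAnswerTest is the post's five steps in code: encrypt the known block
// with the software reference (Go's crypto/des) and compare it to the block
// captured from the card. true means the card produced exactly what DES does
// under that key; false means it is not running the algorithm (or key) it claims.
func KnownAnswerTest(key, known, captured []byte) (bool, error) {
	c, err := des.NewCipher(key) // reference implementation of the claimed algorithm
	if err != nil {
		return false, err
	}
	ref := make([]byte, des.BlockSize)
	c.Encrypt(ref, known) // a single ECB block, as a card test would send
	return bytes.Equal(ref, captured), nil
}

// weakKeys: the four DES weak keys listed in FIPS 74, plus the sequential
// "default" the post complains about. A key-encryption key on this list
// should be rejected at initialisation time.
var weakKeys = []string{
	"0123456789abcdef", // the default seen on the ATM networks
	"0101010101010101", "fefefefefefefefe",
	"e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
}

// IsWeakKEK reports whether a key-encryption key is one of the known bad choices.
func IsWeakKEK(key []byte) bool {
	for _, w := range weakKeys {
		if bytes.Equal(key, mustHex(w)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: textbook DES vector and a "sniffed" block matching it.
	key, known := mustHex("133457799bbcdff1"), mustHex("0123456789abcdef")
	captured := mustHex("85e813540f0ab405")
	ok, err := KnownAnswerTest(key, known, captured)
	fmt.Println("card matches software DES:", ok, err)
	fmt.Println("default KEK is weak:", IsWeakKEK(mustHex("0123456789abcdef")))
}
```

The known block happens to share its hex digits with the weak default key; that is only how the textbook vector was chosen, the two play different roles.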
And "peer" review is exactly what you'll probably get. If Intel has any hopes of selling some of these things to the US Dept. of Defense, certain other US gov't agencies, and some European gov't agencies, then they will submit it to a testing lab to get certified against the "Common Criteria" for information security. If you're not familiar with it, the "Common Criteria" (aka ISO IS 15408-1, -2, and -3) is the replacement for the old DoD "orange" book.
This product is clearly designed for the corporate market, and it will likely get good play there. To answer some of the questions raised in this thread:
Why do hardware encryption? Because it's fast. Purpose-designed hardware is almost always (okay, why hedge? make that always) faster than the same process in software. A hardware encryption chip will make the encryption process essentially invisible to the user. This is particularly important when the users are neanderthals like corporate lawyers and merger & acquisition types who think PGP is one of those new US television ratings.
Will the FBI/CIA/NSA have a back door into this? What if they do? As I have already stated, this product is clearly aimed at the corporate market (who may want some sort of key escrow anyway). If you're worried about it, software encrypt whatever you're going to send first.
Will Intel build IDs into these things? Of course! It's called a MAC address.
Not sure why only Win2K support. Probably the IPSec calls in the IP stack.
Well, nice try, but the only one of your four steps that would actually accomplish the goal of securing a computer to which one has physical access is step 4 - Encrypt the filesystem.
Steps 1 and 2 - disabling booting from floppies and CDs in BIOS and setting a BIOS password - are laughably easy to get around. Just pop the cover on the box. Most systems either have a jumper that lets you reset the CMOS or you can just unplug the battery that saves the CMOS memory. Bye-bye BIOS password.
After that step 3 - setting LILO passwords - becomes moot because I will boot off a floppy|CD|second hard disk and just mount your Linux|FreeBSD|OpenBSD|NetBSD|Solaris|whatever partition.
So only step 4, encrypting, provides you with any protection. From the way you stated step 4 I am assuming you mean encrypting the entire file system and unencrypting at boot time (rather than unencrypting individual files on the fly during operation). That is the only practical way to achieve security when physical access cannot be controlled, but you better use a damn-big, randomly-generated key.
Mark