One thing I did see on CNN's coverage was a brief message to the effect that NASA plans to retire the current fleet by 2010. Hopefully the replacement fleet will be as much of a leap forward in design as the shuttles were to their predecessors.
One of the biggest advancements that they will need to make to the current manned space exploration program will have to be in waste recycling. From what I understand, a lot of effort is spent right now hauling fresh water into space. Water weighs quite a bit and uses a lot of cargo carrying capacity on the current flights.
WRT movies, what do you mean if? You don't think the studio execs just like product x, so that happens to be the product the likeable hero drinks/displays for 3 minutes at a time, do you?
Yes. It's called a one time pad. Take the plaintext you want to hide and encrypt it using XOR with an equivalent length RANDOM key. The result is your ciphertext to be saved. Hide this real key somewhere OFFLINE. Now take a benign message that you want to be able to produce for the court and XOR it with the ciphertext. The result is the phony encryption key that you keep around when the law comes knocking. When they demand the key, give them the second one. The ciphertext will decrypt to your boring chat log with your mother about her deviled egg recipe.
Many of these systems simply dial numbers on a random basis. It almost amounts to wardialing, but I think it gets spread out enough across a number of area codes and prefixes so that it isn't too blatant. At any rate, they aren't looking up any numbers, just dialing.
If I understand the system correctly, there isn't even an operator at the other end during dialing. The system dials automatically, and when someone actually answers, then it looks to see if an operator is available on their side. If not, you get the infamous "nobody there" call.
This maximizes their employee time, but at your inconvenience. Then they wonder why the "do not call" list is so popular!
The Telephone Consumer Protection Act of 1991 explicitly prohibits telemarketing calls to numbers where a charge/expense would be incurred by the owner of the number. This was one of the key points of this act and why it included faxes, since the recipient of the fax would incur an expense.
"In October 2003, the record companies, which included Universal Music, Sony, Warner and EMI, alleged that Cooper cooperated with Bal and Takoushis to increase traffic to the ISP, and aide advertising revenue."
They are alleging that the ISP was not a disinterested party that was unaware of the site's contents, but an active participant that colluded with the site's creator to their advantage.
I agree. Our current legal structure is very far behind when it comes to dealing with issues like this and most of the analogies don't fit well enough to be applicable. The many and varied opinions posted demonstrate that support for both views can be found without looking very far.
We should also keep in mind that the story, or at least the tiny factual portion that is related to the headline, is told solely from the viewpoint of the router owner. The alleged offender certainly acted suspicious, but we have no way of knowing what he was doing without logs or packet traces.
On a slightly different note, I would speculate that by knowingly running an unsecured router in this manner, the AP owner probably violated several clauses in his TOS with his ISP. He could probably be held liable in a civil action for any damages that might have occurred through the use of his AP. (IANAL, YMMV, contents are hot when heated, etc.) I wonder if he would/could also be charged as a criminal if someone used his AP to illegally distribute spam? What if his ISP got blacklisted because of his open AP? Is he liable?
The scope of both criminal and civil issues that can be involved with something like this is interesting as well. Both bodies of law have some serious catching up to do, but until the lawmakers and judges become technically savvy enough to get their heads around the issues, the waters are going to remain murky.
It does make you wonder though what would happen if you actually were lost, noticed an open access point, and knocked on someone's door to ask permission to use their AP?
The thing that I find incredulous is the number of people here who seem to think that because a wireless router isn't secured (for whatever reason), they have every right to access it and use someone else's resources.
At what point do you draw the line then? If it's broadcasting a non-default SSID is it still OK? What if it isn't broadcasting but I passively find it? Still OK? What if WEP is turned on, but that is so lame that its use should be considered an open invitation? After all, if the owner of the router didn't want me to use his equipment, he would use "real" encryption. In addition, if he had open file shares, is it OK for me to access those?
It's very simple. If you don't have permission to use someone else's resources, then it's theft of service.
Some years ago, our local phone company had a distribution box for the neighborhood in my basement. It wasn't locked or secured in any way, so does that give me the right to connect to whatever pair I want when I need to make a phone call?
Even that is not enough sometimes. What happens when the virus comes on the shrink wrapped distro disk from a software company? I've had this happen before and it was a good thing I scanned the disk before running the install.
But do you have the "right", as you say, to defend your home with lethal force? Unless your computer is also the control system for your respirator, you are not in any danger of physical harm. I realize that YMMV depending on your country of residence, but I would be curious to know how many jurisdictions consider it appropriate to use lethal force to defend property if your own life is not in any danger?
To take the analogy further though, this is the equivalent of wiring a boobytrap to your basement window that maims or kills someone who goes through it.
My question is, are you morally justified in doing this?
I think your example still falls under the first case, not the birthday paradox. You are still starting from a selected executable/person and looking for a match.
The birthday paradox would come into play if you downloaded an entire library of executables and were just looking for any two that had a matching hash.
And the math behind the birthday paradox is almost as much fun to explain as the Monty Hall problem!
Correct. Technically you could sign the document itself, but everyone involved might starve to death waiting for the operation to complete. It has been considered acceptable to generate a hash of the document, then digitally sign the hash, which is a lot smaller. This assumes that the hash is unique and that a different document with a matching hash cannot be found in a reasonable amount of time.
In reality, you are signing every document/program/binary/whatever that has that same hash.
Looking again at the method used, it does rely on control of the original content in both documents and generating the second one afterwards is not the same. Sorry about that.
You, the employee, are going to argue that the company created both documents with matching hashes, then had you sign the more benign one. The company is going to argue that you agreed to the draconian version, then created the benign version at a later time that has a matching hash and are just trying to get out of the obligation. The problem is that:
Both versions are possible
Explaining any of this to people who haven't figured out how to get out of jury duty isn't going to happen. Ever seen the glazed looks on jury members when expert witnesses testify?
If I understand correctly, what this boils down to is that given a document and an MD5 hash, there is now a "reasonable" time based method of generating a second document with different content but a matching hash.
For a hash based signature, there will exist documents that have matching hashes. This is referred to as the pigeonhole principle. If you have 10 pigeonholes to stuff messages in and 11 messages, one of the pigeonholes will get a second message.
The linchpin of this process is the idea that it takes too much time to find or create a second document that has different content but the same hash value. In practice you want it to take so long that by the time a match is found, it no longer matters. What "no longer matters" means depends on the context.
When an adversary can create/find a match in a couple of hours rather than centuries, all bets are off unless the signature expires in seconds.
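An added example (mine, not from any commenter in this thread) that ties together the birthday paradox comments above, the hash-then-sign point, and the pigeonhole argument. It assumes a deliberately truncated SHA-256 as a stand-in for a weak hash so the searches finish in milliseconds, an HMAC under a secret key as a stand-in for a public-key signature (the point is only that what gets signed is the hash), and constructed "document" strings. It shows the two different costs the thread distinguishes: finding any colliding pair in a library (birthday search, about sqrt(2^bits) work) versus matching one chosen document (second preimage, about 2^bits work), and then that a signature made over one document of a colliding pair verifies on the other.

```python
import hashlib
import hmac
import math
import os

# Assumption: SHA-256 truncated to this many bits stands in for a weak hash.
# The toy output space is what makes the searches below instant; the attacks
# the thread discusses on MD5 are structural shortcuts, not brute force.
TRUNC_BITS = 24


def weak_hash(data: bytes, bits: int = TRUNC_BITS) -> int:
    """SHA-256 truncated to `bits` bits: a toy hash with a tiny output space."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_probability(n: int, space: int) -> float:
    """Approximate chance that n random values drawn from `space` possible
    outputs contain at least one colliding pair: 1 - exp(-n^2 / (2 * space)).
    With 365 days and 23 people this gives about 0.52."""
    return 1.0 - math.exp(-(n * n) / (2.0 * space))


def find_collision(bits: int = TRUNC_BITS):
    """Birthday search: hash a library of distinct documents until ANY two
    share a hash. Expected work is roughly sqrt(pi/2 * 2**bits) trials.
    Returns (doc_a, doc_b, trials)."""
    seen = {}
    i = 0
    while True:
        doc = b"document #%d" % i          # constructed sample document
        h = weak_hash(doc, bits)
        if h in seen:
            return seen[h], doc, i + 1
        seen[h] = doc
        i += 1


def find_second_preimage(target: bytes, bits: int = TRUNC_BITS):
    """Targeted search: a DIFFERENT document with the same hash as `target`.
    Expected work is roughly 2**bits trials, the square of the birthday
    search, which is the first case the thread describes.
    Returns (doc, trials)."""
    want = weak_hash(target, bits)
    i = 0
    while True:
        doc = b"candidate #%d" % i         # constructed sample document
        if doc != target and weak_hash(doc, bits) == want:
            return doc, i + 1
        i += 1


# Assumption: HMAC under a secret key stands in for a public-key signature.
# What matters is that the signature covers the hash, not the document.
SIGNING_KEY = os.urandom(32)


def sign(document: bytes, bits: int = TRUNC_BITS) -> bytes:
    h = weak_hash(document, bits).to_bytes(4, "big")
    return hmac.new(SIGNING_KEY, h, hashlib.sha256).digest()


def verify(document: bytes, signature: bytes, bits: int = TRUNC_BITS) -> bool:
    h = weak_hash(document, bits).to_bytes(4, "big")
    expected = hmac.new(SIGNING_KEY, h, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def signature_transfers(bits: int = TRUNC_BITS) -> bool:
    """Sign one document of a colliding pair and check that the same
    signature verifies on the other: you really signed every document
    with that hash."""
    a, b, _ = find_collision(bits)
    sig = sign(a, bits)
    return a != b and verify(a, sig, bits) and verify(b, sig, bits)


if __name__ == "__main__":
    a, b, trials = find_collision()
    print("birthday collision after %d trials: %r and %r" % (trials, a, b))
    d, trials = find_second_preimage(b"document #0", bits=16)
    print("second preimage (16-bit hash) after %d trials: %r" % (trials, d))
    print("signature transfers to colliding document:", signature_transfers())
    print("P(collision) with 23 people, 365 days: %.3f"
          % birthday_probability(23, 365))
```

Run it a few times with different TRUNC_BITS values and the two trial counts separate cleanly: the birthday search grows like the square root of the output space while the targeted search grows with the space itself, which is why "I downloaded a library and found two that match" and "I matched this one executable" are different problems.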
This really is an important result and has significant implications.
On the one hand, I have difficulty getting my mind around the idea that they went to the trouble of having a custom version of the calculator built just to remove this function and had the key blanked out. On the other hand, I'm inferring from the recall that what TI delivered was apparently not what was promised, and they should recall/replace the calculators that did not meet the design specification.
Obligatory CYA - I don't know what the deliverable was in the contract. I'm inferring some things about the deliverable spec based on the recall.
If students can still use the calculator on the test, then how different is this than pushing '1' '/' '4' '=' ? Does the difference between this method and using the button actually infer any deeper understanding of what it means?
Companies will only begin to take it seriously when it impacts the bottom line. Even then there will be ROI analysis to see whether the cost of the added measures exceeds the expected loss due to fines, etc. If the fines are cheaper (fine * probability of event happening) than actually implementing security changes, then it still won't happen.
There will have to be a true financial disincentive to companies before they will take action. The irony is that if they implemented additional policies and measures because it was the right thing to do but it negatively impacted their quarterly earnings, they would probably be sued by their investors for mismanagement of the company. If the investors didn't sue, then the market would punish them for missing an estimate.
Thanks for the clarification. I wasn't aware of the distinction. Makes sense though.
No, but three lefts do.
Google cache of the expired Gont paper
Oh, you mean locks like these?
It's not a suppository, it's a floor wax. Wait, it's both a suppository and a floor wax!