Slashdot Mirror


User: onionman

onionman's activity in the archive.

Stories: 0
Comments: 166

Comments · 166

  1. Re:How to do a much shorter article next time on In Praise of the Sci-fi Corridor · · Score: 2, Insightful

    Really? I thought 2001 was one of the best movies I had ever seen, and I watched it in 1992. Whereas far too many sci-fi films focus on explosions and space-battles that look like WWII dog fights, 2001 seemed clean and plot-driven to me.

  2. Evolution will produce security on The Myths of Security · · Score: 2, Interesting

    While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.

    Hopefully, we'll get to that point without a widespread catastrophe... for example, the current "Smart Power Grid" ideas will have "Intelligent" power meters in most homes and businesses... imagine what a security failure in a widely deployed "Intelligent" power meter could do!

  3. Windows Vista is a good product on XP Users Are Willing To Give Windows 7 a Chance · · Score: 5, Insightful

    I have Macs on my desktops, and I run Linux for my number crunching machines. So, I'm no Microsoft fanboy. However, it seems to me that Microsoft actually tried to do the right thing with Vista... namely they built a reasonably secure operating system from the ground up and decided to actually enforce the programming paradigms. The problem isn't with Vista, it's with the antiquated applications that still need tons of shims to work. For example, I recently installed Quicken on my father-in-law's XP machine and discovered that it wouldn't work unless running as an admin account, which is simply absurd! So, I worry that Windows 7 is just a lightweight version of Vista with most of the security rolled back so that insecure applications will be able to continue running and users won't complain about their favorite applications breaking.

  4. Good luck with that... on Danish FreeBSD Dev. Sues Lenovo Over "Microsoft Tax" · · Score: 2

    I wish him well on the lawsuit, but I won't hold my breath...

  5. Re:You get what you pay for... on Why Should I Trust My Network Administrator? · · Score: 1

    If you want someone on-site, you can certainly get them. You just need to be willing to pay for it.

    A buddy of mine works as a consultant for a major IT consulting firm where the clients usually pay about six times his salary to have him on-site for 3 days each week. That seems crazy to me, but it is evidently worth it to the clients who want to have all the liability for IT issues on the contractor's back.

    As for trust, well there is always a risk... but being a paranoid jerk is a great way to eliminate any loyalty that might otherwise have existed.

  6. I think the point is... on Schneier On Self-Enforcing Protocols · · Score: 1

    What is the proposed self-enforcing voting protocol? With no suggestion made, what is the interest of this article to the slashdot community?

    I think that the point of Bruce's blog entry is to give some simple examples to clarify cryptographically self-enforcing protocols. Concrete examples of these self-enforcing voting protocols already exist, but they are a bit too complicated for general consumption so Bruce is just giving us some simplified examples. However, I don't think we'll see Diebold rushing to implement them anytime soon.

  7. Re:Bug free software would be insanely expensive! on Examining Software Liability In the Open Source Community · · Score: 1

    It is possible to produce defect-free non-trivial software.

    How?

    Writing defect free code isn't magic. It's slow, painful, formal, and very very tedious. It requires that you have multiple teams evaluating, simulating, testing, and attacking the system. Because of that, it's very very very expensive.

    The code I was involved with was one of these "secure kernels". We did use formal methods for portions of it, but once you leave the formal model section there are other portions that require months of tedious work. And, when I say tedious, I mean stuff like hand verifying every byte of output from the compilers (because you can't trust the compiler), and using in-circuit emulators to step through every machine instruction and verify every possible case.

    These systems are absurdly simple. A single good coder could sling out "good enough" commercial code that does the same thing in a couple months. But, it would probably have some bugs. There are, however, systems in this world that must be bug free.

    Systems like these also can't trust the hardware. So "bug free" means that you have multiple versions running on multiple pieces of hardware with N-way comparisons. This is the type of overkill design that is so astronomically expensive that it's only done for things that absolutely must be bug free (e.g. nuclear weapons).

    Anyway, the point of my initial post is that you can produce bug free code, but it's almost never worth the cost. Likewise, most software (commercial and open source) ships with bugs that the programmers know about. So, trying to determine "fraud" based upon "shipping known bugs" in order to force a liability issue is nuts.

    If you want guaranteed bug free code, you have to pay for it.

  8. Bug free software would be insanely expensive! on Examining Software Liability In the Open Source Community · · Score: 5, Insightful

    Bug free software is possible, it's just very very expensive to produce!

    I've worked on DoD projects that required bug free software. It is possible, it just requires $150 Million to produce 100,000 lines of code.

    Do you really want to force Microsoft or Apple to produce bug free operating systems? Who could afford them?

  9. Open Source OpenCL Compiler? on AMD's OpenCL Allows GPU Code To Run On X86 CPUs · · Score: 1

    So, where can one obtain an open source OpenCL compiler? (Or, to be more precise, an open source compiler which can take OpenCL compliant code and produce object code that will run on my GPU via the driver stack?)

  10. Re:Maybe the Iranian government on Twitter Offline Due To DDoS · · Score: 1

    It has been pretty well documented that the Iranian opposition has been using Twitter extensively to organize their protests. So, I'm sure that the Iranian government is quite happy to have Twitter knocked out.

    I, personally, don't use Twitter as I consider it a waste of time. However, I believe that the current DDoS attack might have substantial political ramifications for the Iranian people.

  11. Consider best attacks against DES and SKIPJACK on Another New AES Attack · · Score: 1

    The best attack against DES breaks 15 out of 16 rounds faster than brute force. However for the full 16 rounds, the best attack against DES is brute force. Likewise, the best attack against SKIPJACK breaks 31 out of 32 rounds. In both cases NSA was fairly involved with the development of the algorithms and they just happen to have no "security margin". Perhaps that means NSA was ignorant of the methods (such as impossible differential cryptanalysis) that the academic sector developed. Perhaps it means that NSA is willing to play fast and loose with securing government communications. Or maybe, just maybe, it means that NSA knows exactly how strong the algorithms are and doesn't need to rely on ad-hoc measures like "security margins". I don't know, but the fact that AES-192/256 is specified for Top Secret while AES-128 is for Secret makes me suspect that NSA knows far more about the real security levels of AES than the keysize would indicate.

  12. Re:Complexity on New AES Attack Documented · · Score: 1

    Interesting to note is that AES-128 is immune to this attack - it's now the strongest variant of AES.

    NSA specifies AES-256 for Top Secret information in Suite-B products. NSA knows crypto. So, if NSA thinks that AES-256 is stronger than AES-128, and if recent results indicate that AES-256 only has 110 bits worth of strength, then one might wonder, "what is the actual security level of AES-128?"

  13. I'm a math professor, and I don't care about Alpha on Wolfram Alpha Rekindles Campus Math Tool Debate · · Score: 5, Insightful

    I'm a math prof. at a reasonably large school.

    I teach plenty of calculus.

    When I grade, I don't care about the answer. I look at the way the student solves the problem. If the setup is correct, the computations are reasonable, and the flow of the solution demonstrates that the student knows what she's doing, then I give it full credit even if the answer is wrong. I couldn't care less about careless errors (poor pun intended). I'm measuring the student's problem solving abilities, not her ability to do lots of tedious computations in a short amount of time (that's what computers are for). Likewise, if a student magically produces the correct answer without showing any work (or if the work is clearly B.S.) then I give them no credit. The answer is irrelevant, it's the process that matters.

    I am completely unconcerned about Wolfram Alpha.

    I also have a CS background, and I recognize that most CS related jobs don't require calculus. However, the whole point of taking calculus is to practice logical reasoning. A good calculus course will force you to solve lots of long complex problems, clearly express your reasoning, and maybe even do a bunch of delta-epsilon proofs. Unfortunately, many calculus courses end up being reduced to mundane computations of derivatives and integrals... those courses ARE a waste of time.

    p.s. If you're a student who actually wants to learn a subject, then go to that "rate my professor" site and look for professors who are "clear" and "hard". Take those professors. You won't learn much from an easy professor, and three years after you graduate that easy "A" will be meaningless.

  14. Notice the inherent bias of the original article on What Skills Should Undergrads Have? · · Score: 1

    The article to which you refer was written by senior officers of AdaCore, which means they have an inherent bias towards embedded systems and high-reliability software (the two areas where Ada is still seen), and hence biased observations about what skill sets are required in the majority of computer industry jobs. That said, they are still correct :-) Unfortunately, in all but the top universities, the CS major is slowly transforming into a Programming major. This is largely due to state legislatures pressuring public schools to quickly turn out programmers to fuel industry demand for code-slingers. Too bad, really.

  15. Re:I'm a Math Prof. I prefer HP calculators on The Best Graphing Calculator on the Market? · · Score: 1

    I just asked a colleague and he put it like this, "TI == Windows." I think that about sums it up.

  16. I'm a Math Prof. I prefer HP calculators on The Best Graphing Calculator on the Market? · · Score: 1

    I'm a Math Prof. I teach lots of freshman calculus classes, and I HATE the TI calculator series. The problem is that TI has cornered the low-end educational market. So, many textbooks and standardized tests will require a calculator which not-so-coincidentally will only match the TI-8x series. I personally prefer the HP calculators (i.e. the 48GX) because the Reverse Polish notation is far superior for large calculations. It is a shame that HP is still using the same processor in these calculators that they were using when I was in school. Most standardized tests (and many professors) will not let you use a PDA because the WiFi features make it too easy to cheat. I personally allow students to use whatever they can carry and I design my tests to make cheating with WiFi useless. The Point: Research what you're allowed to use before you buy. If you can use a high-end HP, then get it.