2462 posts • joined 21 Dec 2007
Re: Coin flipping
The article's also wrong about 50:50 being the most probable outcome. Its probability is tied with that of 51:49 and 49:51 (considering heads-dominant and tails-dominant cases separately; if you treat "off by one" as a single case, then that case is more probable than heads=tails).
To get 50:50, on the previous toss you must be at 49:50 or 50:49 (i.e., one more head than tail, or vice versa). It doesn't matter how you got there; you have one flip left, and you've flipped the coin 99 times, so this last flip has to bring you equal, or fail to do so.
The probability of the last outcome (assuming a fair coin &c) is 0.5 heads, so you now have equal probability of ending up with 50:50 or 49:51 (or 51:49, if heads were ahead).
So 50:50 is among the most probable outcomes, but it is not the most probable.
Re: New Noun
So now we're all doing Grammar Overanalyzing? I didn't know that was a thing.
You must be new here.
But yes, in this context, "data mining" (and indeed "mining" all by its lonesome) is a nominative verbal or gerund, which in English grammar functions exactly as a noun. Dictionaries conventionally label gerunds and gerundial phrases as "nouns" when they define them, so the original quote is using the standard form for the genre.
Re: Let's hear it for the hypothesis
All this digging around just gives random rubbish.
That is demonstrably, empirically wrong, as any number of applications of unsupervised machine-learning algorithms demonstrate. Take Maximum-Entropy Markov Machines, for example; they start with no hypothesis by definition (that's what "maximum entropy" means in this context), but in suitable applications they converge on a model which has a probability of getting the correct answer[1] which is significantly higher, and indeed often much higher, than random.
Man, look at these sophomores all over my lawn.
[1] As measured by whatever metric is appropriate in the circumstances, such as f0, which is the mean of the recall and precision metrics for MM decoding applications.
Re: Broadcast and Commercial TV is dead
I don't think I've watched a live transmitted program, bar major news stories, at all so far this year
And no doubt generalizing from your individual experience to a universal rule is perfectly valid.
They're not clueless at all. They're assigning penalties based on someone's failure to jump through the hoops (ie, get an export license). That's precisely what they're employed to do.
And while Joan Daemen and Vincent Rijmen are indeed Belgian, they submitted Rijndael to the AES competition. You could say it was "imported", but that's rather a strained claim. And it has nothing to do with US export licensing in any case.
Re: Two thoughts
1. I thought this BS ended like a decade ago.
Nope. Export restrictions were relaxed, not eliminated. You still can't sell to the "enemy" states, and you still need an export license, in both the US and the UK. I've been through the process.
Fortunately, once you have the licenses, renewals are generally easy, provided nothing significant has changed in how the crypto tech is used in the product. (We've added new TLS ciphersuites and had our renewals rubber-stamped, for example.)
... which line was recorded using an answering machine. (Don't know if you're already aware of that, and this was just a wink for the knowing. If that's the case, no soap, radio.)
Re: Awesome band.
Triangle man was about wrestling, wasn't it? Bless Loony Tunes!
The song's title is "Particle Man", and the cartoon in question is part of an episode of Tiny Toon Adventures, not the older WB Loony Tunes series. It's a good one, though, with Plucky Duck in the eponymous role.
The wrestling interpretation used by the TTA writers is a variant reading that doesn't fit particularly well with the entire text. A less-resistant reading is probably just to see the song as the typical TMBG dream-logic treatment of the four-color-comic superhero genre.
But meaning inheres in the reader, not the text. It can be as much about wrestling as you like.
Re: Night Light
Yes, the lyrics are hardly difficult to interpret, particularly if you ask your friendly reference librarian for help with the more obscure references. What are they teaching in schools these days?
I'm having trouble thinking of a TMBG song that isn't pretty clear with a modicum of thought. "Minimum Wage", maybe.
This would be like the state of New York named after "New York City, New Jersey".
Even if that were the case, it'd be considered child's play in the Midwest. For a while I attended (and taught at) Miami University, which of course is in Ohio (and for which Miami, Florida was probably named[1]). Miami University is located in Oxford (Ohio). I had a joint seminar with students from the Indiana University of Pennsylvania, in Indiana, Pennsylvania (Jimmy Stewart's home town), and not to be confused with the far-flung (but not that far) campuses of Indiana University of, um, Indiana.[2]
[1] There is some dispute. Miami University, of course, is in turn named for the Myaamia, well-known for defeating the US in war, for which they received a treaty that was promptly abrogated, removal, and a university namesake.
[2] Pennsylvania also has a California University of Pennsylvania, but that never causes confusion.
I live in a town that shares its name with at least 40 other towns in the US, all in different states.
I live in a town that shares its name with another town in the same state. Different counties, fortunately.
Of course, I live in a state that's nearly two states, connected by a rather long bridge.
Re: To quote the piece. "featured a proof of concept rootkit for the Binder component"
"featured a proof of concept rootkit for the Binder component"
Yes, but from their paper (linked to in the article):
Most importantly, all the techniques described in this paper require running with root permissions.
The concept they're proving is that "if you can get access to Binder messages, you can do a lot of stuff". They demonstrate keylogging, form interception, SMS interception, and so on - but all of their exploits require root.
As others have said above (though I'm not sure any of the people making this claim actually looked at the slides or read the paper), this talk was very much about why the Binder is a juicy target for malware authors, and not about actual vulnerabilities that exist today. While there may well be such vulnerabilities, the authors do not describe any.
In short, it's "look at this whopping great attack surface!".
Especially if they use 'neutral beams'.
Yeah, that's a red flag too. When there's a problem, how will the chief engineer reverse the polarity?
Re: I wonder
It would require a tremendous stretch to believe any of these were plants. One (support for TLS_FALLBACK_SCSV) is in fact a new feature; it isn't a "fix" by any definition. Of the other three, two are DoS issues, which are of very low value to the SIGINT community.
The last could have some SIGINT utility, since getting a product to downgrade to SSLv3 leaves it open to decryption attacks like POODLE and BEAST (when using a block cipher) or RC4 bias exploitation. But few OpenSSL installations use a version built with --no-ssl3, so on the whole it'd be a very low-value attack. If a SIGINT agency had an opportunity to sneak a flaw into the OpenSSL sources, they could do much better.
Re: Access required?
Robert M Lee has a good piece in Forbes online arguing why a non-technical "Cybersecurity Coordinator" (apparently Daniel's actual title) is a bad idea. Even if you agree on principle (as it seems most or all the commentators here do), it's worth a quick read.
As usual, we see that IT-security pronouncements from people who aren't security researchers aren't worth the bits they're encoded with. Schneier was explaining to non-technical audiences why biometrics weren't a silver bullet a decade ago. Looks like the Powers That Be still haven't caught on (or, as a number of people here have suggested, have - but of course they don't have users' interests in mind).
Nothing is "completely secure". The phrase is meaningless.
Biometric identification isn't even vaguely secure, under most reasonable threat models.
There are plenty of good arguments from actual security researchers (Daniel is not one) against making biometrics the default for authentication. While not all facial-recognition systems can be fooled this easily, certainly the potential for forged credentials is among them.
Re: Seems pointless.
Phones are bordering on having larger resolutions than many laptops and desktops these days.
Not everyone wants to spend their money on expensive phones.
Resolution isn't the entire story, particularly for people with reduced visual acuity. Which is pretty much everyone who lives long enough to tell you damn kids to get off our lawns.
No, it's another way for sites to offer user agents ("browsers") more choices about how to display the page. If the user agent is well-written, the new img attributes give the user more control over rendering.
The picture element is a bit of a mixed bag, since the media rules are supposed to be mandatory.
Re: Mixed blessing
Part of the point of picture and the new img attributes is to handle precisely that case. Read the blog post that the article links to.
Re: Not a lot he can sue for
Freedom of Speech in the US means that the press/media can say anything they like.
That is wildly, fabulously wrong.
There are most certainly limitations on expression in the US, both expressly legislated and in practice. In the case of the "media" (which, for most purposes, has no special legal status here, as distinct from any other public expression), libel law attaches, as do various consumer protections that restrict forms of expression deemed dangerous, such as making certain kinds of claims about medical efficacy.
In order to claim damages he'd have to prove it was malicious or similar.
You do see this contradicts your first claim, right?
In the US, there are a variety of libel laws at the federal and state level, so to some extent it depends on in which jurisdiction Nakamoto files suit. In many cases the barrier for libel is high (and in general it's higher in the US than in most other countries, thank goodness), but Nakamoto is not a public figure, which helps.
Ordinarily, under US federal libel law, he'd have to demonstrate that Newsweek knew their statements were false, or they recklessly disregarded the possibility they were false; that the statements didn't constitute "opinion" or "fair comment" (seems a priori true, but IANAL); and that his character was impeached and his reputation damaged. I think he could make a decent case there, but I wouldn't want to bet on it.
He could also claim "defamation per se", which has weaker tests. The two possible categories that could apply there (in this case) are accusing someone of a crime, and interfering with their ability to conduct business. But creating Bitcoin probably wasn't a crime now, and even if cryptocurrencies are criminalized in the future, the prohibition on ex post facto criminalization means that doesn't apply. And from what I've read, I think he'd have a hard time making the case that Newsweek has interfered with his ability to make a living.
Re: Misleading Language
It's as though snprintf isn't available everywhere or something...
It isn't - at least not a conforming version. MSVC's is still broken, for example (wrong return value if the buffer is too small, and fails to nul-terminate in that case also). The same for the C library on at least one UNIX platform (HP-UX 11.23, maybe?).
Of course Microsoft C doesn't actually provide snprintf. It provides a family of functions with names beginning with "_snprintf", which is an identifier reserved to the implementation, so it can do whatever Microsoft damn well pleases.
So no, snprintf is not available everywhere.
We use it, but we have to wrap it in code that Does The Right Thing for both conforming and brain-dead implementations.
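The kind of wrapper the post alludes to, as an added example rather than the poster's or any vendor's code: a C99-style snprintf built on whichever vsnprintf the platform supplies. The legacy implementation below is a constructed model of the MSVC _snprintf behaviour described above (no terminator and -1 when the output does not fit), not Microsoft's code; it exists only so the wrapper can be exercised against both behaviours on a conforming platform.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Signature shared by C99 vsnprintf and the legacy variant being wrapped. */
typedef int (*vsnprintf_fn)(char *buf, size_t size, const char *fmt, va_list ap);

/* Plain C99 behaviour, wrapped in a function so its address can be passed. */
static int c99_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    return vsnprintf(buf, size, fmt, ap);
}

/* Constructed model of the broken implementation the post describes (MSVC-style
 * _snprintf): output that does not fit is left unterminated and -1 is returned;
 * an exact fit returns size, again with no terminator. Not real vendor code. */
static int legacy_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    char full[1024];
    int len = vsnprintf(full, sizeof full, fmt, ap);
    if (len < 0 || (size_t)len >= sizeof full)
        return -1;                              /* model's own limit */
    if ((size_t)len < size) {
        memcpy(buf, full, (size_t)len + 1);     /* fits: terminated, as C99 */
        return len;
    }
    if (size > 0)
        memcpy(buf, full, size);                /* truncated: NO terminator */
    return (size_t)len == size ? len : -1;      /* -1 instead of needed length */
}

/* Wrapper giving C99 semantics on top of either implementation: buf is always
 * nul-terminated when size > 0, and the return value is the length the full
 * output needs, so callers detect truncation as ret >= size. -1 only on failure. */
int safe_vsnprintf(vsnprintf_fn impl, char *buf, size_t size, const char *fmt, va_list ap)
{
    va_list ap2;
    int ret = -1;
    size_t cap;
    if (size > 0) {
        va_copy(ap2, ap);
        ret = impl(buf, size, fmt, ap2);
        va_end(ap2);
        buf[size - 1] = '\0';                   /* terminate even if impl did not */
        if (ret >= 0 && (size_t)ret < size)
            return ret;                         /* fit: all implementations agree */
    }
    if (ret >= 0)
        return ret;                             /* conforming impl reported the length */
    /* Legacy impl returned -1 (or size was 0): probe with a growing scratch
     * buffer until the whole output fits, which reveals the needed length. */
    for (cap = size > 0 ? size * 2 : 64; cap <= (size_t)INT_MAX; cap *= 2) {
        char *tmp = malloc(cap);
        if (tmp == NULL)
            return -1;
        va_copy(ap2, ap);
        ret = impl(tmp, cap, fmt, ap2);
        va_end(ap2);
        free(tmp);
        if (ret >= 0 && (size_t)ret < cap)
            return ret;
    }
    return -1;
}

int safe_snprintf(vsnprintf_fn impl, char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int ret;
    va_start(ap, fmt);
    ret = safe_vsnprintf(impl, buf, size, fmt, ap);
    va_end(ap);
    return ret;
}

int main(void)
{
    char buf[8];                                /* too small for "hello-12345" */
    int n = safe_snprintf(legacy_vsnprintf, buf, sizeof buf, "%s-%d", "hello", 12345);
    printf("ret=%d buf=\"%s\" truncated=%s\n", n, buf, (size_t)n >= sizeof buf ? "yes" : "no");
    return 0;
}
```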
Re: Why would you PARSE FONTS in the kernel? @AC - Linux drivers
In fact, if you try hard, you don't even have to run the X server as root. Generally speaking, modern distributions do run the X server as root because it is started up before the graphical login starts, and that needs X, but if you disable the graphical login, log in as an ordinary user using a text-based authentication method, and then run up an X server (using something like startx), it works just fine.
And indeed this is how most people did it, back in the day. It wasn't until X11 R4, if memory serves, that xdm became popular. (It was part of X11 R3, a contrib client written to support the "X Terminals" that were just starting to come out, but I don't recall many people using it until R4.) So for the first four years or so of X's existence people would typically log on to a conventional pty device, and then start X (often on a different display), a window manager, and some clients.
Re: Why would you PARSE FONTS in the kernel?
"the video drivers are on the kernel too"
We need to stay stupid because we started off stupid.
Except, of course, they didn't. Video was outside the kernel, and called into the HAL, until NT 4. Then it was moved into the kernel to address complaints about video performance.
So it's more a case of "we started out doing it correctly, but people complained, so we decided to convert to stupid, and we'll be damned if we're going back now".
Re: Yet more reason to disable SSL 3
Yes. SSL 3 is broken for serious use - it's only useful if your threat model is "don't be the low-hanging fruit".1 That's a reasonable threat model for many cases, frankly - but there's almost never a reason to support clients that don't have TLS support, unless you must support IE 6. And even then IE 6 use should be restricted to only those legacy apps that can't run in anything else, and those apps should be scheduled for replacement.
Re: Thank $deity for proprietary software
Lions 27, Christians 1.
Not bad, particularly for trolling on the Reg. I wouldn't put it on the CV but it's a good day's work.
(Cue victims calling "Poe's Law!".)
Re: Confession - OED
The OED records common usage, not proper usage. At least not any more.
The OED has always been a descriptive dictionary.
There are other sources of (correct) information.
I know my language
most people drop the pronunciation of the leading letter
Keep the key in your pocket, walk up to the car and press the button on the lock and the car opens
Press the button? What is this, 2004? I walk up to the Volvo with the transponder in my pocket and pull the door handle and it unlocks and opens.
It's a gimmick, but if we're going to wax gee-whiz about it, we should at least require that Jaguar get it right.
Re: Jaguars are astonishingly awful in the snow
Turbochargers are a cheap way to boost performance while actively exacerbating the long-term (<100K miles) UNreliability of the powertrain
Tell that to my stepdaughter's turbocharged 1998 V70, now on its third owner and nearly at 300K miles. And rather casually maintained for at least the past 12 years or so. Biggest powertrain issue to date was a rear-gasket replacement eight or nine years ago.
Re: Not the cache
Yes. My 2015 XC70 T6 - the AWD version of the V70 - has most of the "goodies" mentioned in the article, and the rest can be added as options if you want (I didn't, particularly), with better cargo capacity. The car is luxurious and the I6 engine very nice. The XC70 is decent on country roads; while it's not a true off-roader, between AWD, traction control, skid plates, and considerable ground clearance it gets by very well.
And available for a bit more than half the price.
I can't see any advantage to the Jag at all.
Re: There's a dark side to it
Yes, that's why Google had their free voice-search 411 (telephone directory services) service for a few years. They admitted publicly that it was offered simply so they could harvest speech input and automatically confirm recognition - if the user used the results returned by the search, Google could assume they'd recognized the query successfully.
Speech input lowers the cost of use (for users who don't find it annoying), which encourages use, which lets the provider harvest more data, which improves recognition, which lowers the cost of use (because greater accuracy means the search is more likely to be successful on the first try). It's a virtuous cycle, for very particular meanings of "virtuous".
Re: Minutes of meetings
I, so often the 'acting minutes secretary', would like to see a system that could listen to a meeting with one or more microphones, and five minutes after the meeting ends the system produces a coherent set of minutes.
Conversational entailment (figuring out whom someone's responding to), plus summarizing with a really large and site-specific knowledge domain. Simples! We should have it working in another fifty years or so.
Some researchers have been making good progress on the entailment front, at least. And general summarization is a largely-solved problem (for English; I don't think the necessary databanks are available for most other languages). Unfortunately, domain-specific summarization is a lot harder.
Re: Isn't this obvious?
you wouldn't really expect an accurate result for sin(1e99), would you?
There's no reason why that input can't be range-reduced.
In any case, the problem is that Intel's fsin is inaccurate for values close to π. That's a bit more of an issue. Try reading Dawson's post.
Re: Active Sites versus All Sites
you end up with a server that runs as efficiently as nginx but within the Apache environment
Possibly, if you're running Apache 2.2 with a suitable MPM (worker or event) configured. With a forking MPM, Apache is never going to be as "efficient" (either in resource consumption or responsiveness) as a threaded event-driven server - and that includes Apache itself, when it's configured for threading rather than (exclusively) forking. For many sites, the robustness and security advantages of forking make it a fine choice, but it's always going to be heavier.
I don't know of a methodologically-sound benchmark comparing current Apache with worker or event MPM and nginx.
There is nothing wrong with nginx, it is a perfectly fine webserver. It is just that httpd is also a perfectly fine webserver.
Agreed. It would be very foolish to recommend one over the other as a general rule, without considering any context. Few sites have to worry about thousands of simultaneous requests - and the ones that do generally have load balancers in front anyway. And many sites don't need Apache's more esoteric capabilities (though certainly many do).
Re: Closed is out of flavour these days.
I nominate "out of flavour" for Eggcorn[1] of the Week[2].
[1] Prolepsis: "out of flavor" barely charts on Google Ngrams; "out of flavour" isn't found at all.
[2] Though it could also be "... of the Weak", for those sick of this particular tiresome and utterly unproductive religious war.
It's true that higher-education funding in the US is badly broken, and that the career track for new science graduates is highly flawed as well. This is broadly true of all the STEM fields - there was a piece in CACM not long ago pointing out that poorly-compensated, temporary post-docs are the main source of employment for new CS PhDs, for example.
Despite that, the US still produces more STEM graduates at all levels than any other country (at least the last I checked), still publishes more basic research, still generates more patents... Tyson and others can say that the US is "falling behind", but it's far from clear what metric justifies that evaluation. Falling behind whom, and on what grounds?
I'd like to see more money spent on primary and secondary R&D. I'd like to see STEM grads get good jobs (and see those jobs distributed more equitably, instead of the lion's share going to grads from a handful of schools, for highly dubious reasons). I'd like to see higher-ed funding fixed. But I'm not sure that "we're falling behind" is a valid justification for those things. "It'd be broadly useful for everyone" seems a lot more plausible and persuasive.
By forcing users to reset their password frequently an organization forces its users to remain within the most difficult rehearsal region
Absolutely. That's one reason why reputable security researchers don't recommend short password / passphrase lifetimes. Doesn't stop know-nothing administrators from imposing such policies, though, because they like to rely on the "standard practice" excuse.
Account lockout is another idiotic policy that's rarely justified by any sensible threat model. If your password / passphrase strength requirements are decent, it's vanishingly unlikely that anyone will correctly guess a user's password with three tries. What is likely is that users will mistype strong passwords or passphrases (per the discussion above) three times, get locked out, and have to request account unlocking or password reset - which means lost productivity and opportunities for social engineering. Three-strikes account lockout is a great example of a policy that does far more harm than good to password-based security.
But here again, the people making these policy decisions generally seem to be actively hostile to sound security research, preferring instead to rely on a cargo-cult set of "standard" practices.
Sounds more like a typing problem than a password problem?
I'll argue it isn't. I'm a trained touch-typist - I was taught to touch-type on manual typewriters in the early '80s, and between programming and my academic work I've touch-typed the equivalent of thousands of pages of text. I still mistype my passphrases (which are now generally around 40 characters) on a regular basis.
Passphrases often aren't especially amenable to touch-typing. The typical passphrase system has zero tolerance for error and doesn't provide useful feedback. With Windows, for example, the standard password dialogs show bullet symbols for each character and are only 26 characters wide; after that, you don't even get feedback to show that you've successfully entered a character, because the identical bullet symbols just scroll horizontally.
And passphrases generally aren't typical natural-language phrases, because those would be weak against dictionary attacks. And since many passphrase systems are actually just password systems that allow long "passwords", they are often configured to require a large alphabet, so your passphrase has to include numerals and punctuation. Those elements make it easier to mistype the passphrase.
Back in the days of non-correcting typewriters, it's true that touch-typists typically had a much lower error rate than they do today, when correcting typographical errors is trivial. But a vanishingly small number of people use such typewriters now, so very few users have the training to eliminate typographical errors. And expecting users to do so once again puts the security burden on the wrong part of the system.
Re: Not compatible
Virgin Media, where their passwords have to be something like more than 6 and less than 10 and don't allow spaces
Try Schwab's site, which limits passwords to 8 characters, from a restrictive alphabet. And that's for a brokerage and bank. I'd like to see them sued for breach of fiduciary responsibility.
At this point everyone[1] knows that 1) Randal Munroe recommends passphrases over cryptic passwords, because they have greater information entropy and are easier for users to remember; 2) lots of other security researchers have been making the same recommendation for years; 3) the people who create and administer password-based authentication systems don't pay any fucking attention[2]; 4) "correct horse battery staple" is now used as a passphrase by an embarrassing number of xkcd readers who think they're being clever; and thus 5) "correct horse battery staple" is now in password dictionaries.
Thus we have Schneier claiming that Munroe's construction isn't a safe technique. A number of people (including myself) have pointed out why his argument, as presented, doesn't hold water; but it does mean you can't use "correct horse battery staple" itself as a passphrase under many reasonable threat models, and you have to be a bit more thoughtful about using the Munroe technique.
[1] (who pays attention to these things)
[2] Because that would require they actually do some work, rather than simply relying on guidelines that were outdated 30 years ago. And, of course, because they're afraid they might get blamed if they deviate from "standard practice" and anything unfortunate happens.
Re: 5 Downvotes.
Perhaps they were just readers who are tired of facile, insulting generalizations.
Though it's hard to see how you could reach that state and still bear to read Reg comments. Or nearly anything else online.
How is this any different to what Barnaby Jack demonstrated at blackhat in 2010?
It's a similar attack mode (to one of Jack's attacks, which required physical access; the other was over the network); what's newsworthy is it's being carried out extensively, and the malware has additional features to make it more useful for real-world theft.
Re: Not that hard
- full logging with signature checks to blah blah blah
Surround each ATM with armed security guards; kill anyone who manages to get too much cash out of the machine, or tampers with it. Or just get rid of the ATMs altogether and make everyone go to a human bank teller.
Security is about threat models, and that includes cost/benefit analysis. A shopping list of security features is just intellectual masturbation without the context of a reasonable model.
Physical access to the machine's control system doesn't give you access to the money cassettes
No, but if it'll boot from external media, then it's probably game over. I doubt most ATMs use hard-drive encryption or Secure Boot. Or prevent the BIOS from being flashed. Or a hardware loggers from being physically added to the card reader. And so on.
Actually, I don't care as long as it reduces the number of browsers and permutations we have to support in the ecosystem
Yes, because the browser monoculture worked so fucking well for us before.
Browsers are far more standards-compliant, and significantly more secure, now because of competition. Reducing the number of major players will not help.
I hate IE (and Chrome; I merely dislike Firefox, with Classic Theme Restorer fighting back the Idiotic UI tide), but I don't want it to go away. Three major players is the bare minimum required to keep them on their toes.
Re: @ Lost all faith...
Here is a (bloody huge) actual photo of an actual atomic powered car.
Shrug. My car is "atomic powered". Now, a nuclear-powered car - that'd be something.[1]
[1] And yes, that photo is of a nuclear-powered vehicle. No, it's not a car.
what's this funny metal, I'll call it Plutomium
I'm afraid Plutomium has been demoted to a dwarf funny metal.
Re: Curious - "simple, straight-forward and cheap filament bulbs"
His reply "BMW £28,000: this: £8,000. £20,000 buys a LOT of fuel..."
Because the BMW and the muscle car are equivalent, price aside.
Mind you, I wouldn't buy the BMW just because of their horrible infotainment control system. But it's false economics nonetheless.
(Why not buy no car at all, and walk everywhere? £28,000 buys a lot of food and shoes.)
Re: Microsoft scrapping WP royalties
"Cloudbile" - great term for their "strategy": feeling nauseous already ;)
It's a bit of a mouthful. "Clobile" would be more along the lines of the usual Reg portmanteaux.
Indeed, I find it simultaneously euphonious and obnoxious, and I urge the Reg editors to adopt it immediately.