147 posts • joined Tuesday 11th March 2008 20:33 GMT
Practice makes perfect
Anyone who plays a musical instrument will know there is an analogous musical problem. Some musical phrases can be especially hard to play for some reason - maybe because the moves are awkward or maybe because they're just unlike anything else you've played before.
Anyway, you can't just label them hard and not play them. The solution is practice. Play them over and over as slowly as you need and eventually you'll find they come naturally. It can sometimes take a while, though.
The same is true of tongue-twisters. Repeat them over and over sufficiently slowly to get them right each time and after a few days (on and off) you'll find they become quite easy. Try it...
And I suppose...
...this is "all within the law" (TM).
So did the UK government know the US was hacking our computers on a grand scale? If so, under what UK laws did they allow it to continue and was GCHQ involved? If they didn't know, then why not?
But wine is commonly brewed today in tanks that are basically like covered swimming pools, dug into the ground and lined to make them watertight. I dare say the ancients could have mastered that technology.
Backdoor or Trojan?
I'd describe it as a backdoor if someone writing the official software sneaked in some unofficial code. If it sneaked itself in, then it'd be a Trojan. Injecting code into an already present file isn't exactly news, though. That's what viruses do, hence their name.
Yes. Just do it!
...our first glimpse of dark matter.
Re: Classic bait and switch coming up....
But it only takes one person to compare the files instead of the checksums and the game's up.
Use two rival teams
I think you need to give the job to two teams who are in competition with each other. Ideally, to two security researchers with big egos and reputations to defend.
That way, neither has any incentive to overlook something at the request of the NSA. If they do that, and their rival doesn't and spots the backdoor, then they will be shown up as either incompetent or corrupt.
It's the only way to be confident they do a proper job.
Re: Definitely a bad choice of name
"Anyone thinking 'Dark' automatically means 'nefarious' and nothing else is simply projecting their world view for everyone to see."
I was thinking rather more of the world view already projected by the media. We already have "Dark Web" as a meme which allows them to stigmatise anonymous communication with underworld associations. Conflating Dark Mail and Dark Web doesn't strike me as something that'll be beyond the limited imagination of the Daily Mail.
The thing that'll stop this push towards proper internet security and anonymity is that something cool and popular (but inadequate) will take over instead, because people will learn what to use from their mates who read publications that are, err.., even more cool and popular than El Reg.
"Dark Mail" doesn't say cool and popular to me.
Where are the marketing people when you really need them?
Definitely a bad choice of name
If they can't see that this will immediately put off 90% of potential users with its implications of underworld activity, not to mention provide a perfect target for the press, then they're well out of touch.
Re: How can a judge overrule a constitution
Presumably he just ruled that the seizure wasn't unreasonable.
Re: Paying for it.
Or maybe from the billions they get from the US government for giving away free open-source software?
That sort of review might not end up being very independent, might it?
Re: Unnamed qualified professionals vs amateurs?
This is a very good point. I think everyone agrees that open source is now the only way one can potentially gain any assurance of no backdoors. But you still need to look very closely at the code and how it behaves - and, of course, you also need confidence in the audit process itself.
So a program to publicly audit key pieces of FOSS for security weaknesses looks like a good way to go and Truecrypt is certainly a good test case. But I think the real work that needs doing next is on the auditing procedure.
How do you produce a public audit process that is itself secure against possible attempts to infiltrate it and overlook security weaknesses? I suggest you probably need at least two independent and well-known (and trusted) experts, probably with support, to produce independent and public reports. Then you may need a separate independent committee to review those reports and draw attention to (and investigate) any discrepancies.
I see the involvement of many people as being essential in building a web of trust that can't be easily subverted. We should perhaps start to see support for auditing security software as being just as important as supporting the writing of the code. If we had as many people doing the former as the latter, we wouldn't be in this mess.
At the same time, we'll no doubt continue to rely on penetration testing by individual security researchers, as we know that regularly turns up obscure ways to defeat security. The idea of a bug bounty is a good one here, I think.
Just some random ideas, really, but I think this is a key area of trust that urgently needs attention.
Aren't our laws great??
I like the way there's a "victim's surcharge" for those whose personal data use hasn't been registered.
I suspect for the true victims the risk to their personal data is the least of their worries.
Actually, it's by no means that simple. At the wavelengths absorbed by CO2 the Earth's atmosphere is optically thick. This means that the radiation occurs from the top of the atmosphere, so it's the temperature "up there" that matters.
What happens is that the radiation surface "up there" moves up to a higher level in the atmosphere so it has a larger area and can radiate more heat. The temperature change at ground level results from the vertical temperature gradient in the atmosphere (the lapse rate) combined with this effectively increased depth of atmosphere. The lapse rate, in turn, is determined by the rate at which heat can be transported upwards through the atmosphere, largely by non-radiative processes like convection.
Both this heat transport and the original greenhouse effect are also greatly affected by water vapour content, which depends mainly on temperature. Indeed, this is one of the main "feedback" effects.
Of course, at other (non CO2) wavelengths, radiation leaves from lower down in the atmosphere and the situation is more like you assume. But in reality, the whole thing is pretty complicated and not very amenable to a back-of-the envelope calculation.
If I had to put money on where the models are wrong (because I believe they probably are) it would be in the area of cloud cover, which is a poorly understood but very important area of feedback. Anything that significantly increases cloud cover as CO2 rises could easily negate any warning effect.
So... a sort of Dad's Cyber Army then?
"Don't tell them your password, Pike!"
"Er, I think I may have left it on the train, Mr. Mainwaring, sir."
"What's that you've got there, Corporal Jones?"
"It's a packet sniffer sir. They don't like it up 'em. Not up their backdoors they don't, sir!"
Oh, the fun we're going to have with this one ;-)
I think you'll find...
That "dog's bollocks" means that something is very good. The term is rarely used when referring to government.
Probably you meant "pig's ear".
I can't really see how phone data is any more anonymous than ANPR data (as El Reg asserts). You can anonymise either set of data by (for example) replacing the car registration number or the phone number with a simple counter - such that the mapping isn't known to whoever buys the data.
Where the problem lies with both systems is that we only have someone's word that this is being done properly. And we all know how "misteaks" can happen.
Re: the NSA was one of several contributors
No. If someone is found to have been conspiring to corrupt a process, you can't just go over their work again with a finer comb. They have a resource advantage after all. You need to exclude their contributions entirely.
Re: Simple h/w device?
There are some resources here to make use of devices you may already have (like a sound card):
Re: Linus is correct in both form and substance.
But on Linux, /dev/random is supposed to produce *true* randomness, with full entropy. Its output should be completely unpredictable by an adversary who even knows the exact state of the rest of your system and all the past output. There is no scope for pseudo-randomness or imperfect entropy in /dev/random. If you try to read random bytes and there isn't enough entropy, it must block.
If you want a non-blocking source of randomness, you read /dev/urandom instead, which uses a pseudo-random number generator seeded from /dev/random. So the quality (true randomness) of the entropy harvested for use in /dev/random IS critically important. If the sources used don't have full entropy, you need to "condition" the data before use, which is a way of concentrating its entropy. For example, you might want to take the "random" CPU data in 1MB chunks and hash each of those down to 64 bytes. Then you could be more confident of having truly random bytes.
Let me explain why this is important. If you use a pseudo-random number generator (PRNG) to generate a key with a fixed seed, your random numbers obviously won't fill the keyspace* - because it will only ever produce one output sequence. But what people don't seem to realise is that if you seed it with "random" numbers that don't have full entropy, the output *still* won't fill the keyspace. It may look perfectly random and be unpredictable, but an adversary who understands the PRNG well enough doesn't have to search the entire keyspace equally to discover the key.
So you need to be exceptionally paranoid about /dev/random.
*By which I mean that the probability of each possible sequence of output bits won't be equal.
Re: Linus is totally wrong
I agree you should use a proven algorithm rather than making your own, but I think you've missed part of the point here. A mathematical algorithm can only produce pseudo-randomness. It still needs to be initialised to a non-predictable value otherwise all computers will generate the same pseudo-random sequence (as I think Android was recently found to be doing).
So good cryptography also depends on a source of true randomness for seeding the mathematical algorithm (and also for re-seeding it occasionally just in case someone spots the pattern). On Linux, /dev/random is the standard place to go to get that "true randomness". So you don't have a choice here. You can't rely on a mathematical formula. You have to have true randomness derived from a physical, non algorithmic source.
All that extra traffic is probably doing wonders for your anonymity.
I think we're missing the obvious
This traffic is all down to the member for Scunthorpe.
Doesn't this stuff make encryption potentially more secure for those who know what they're doing?
If there are biases in (say) how people choose keys, or in the plaintext, that can be exploited, then an attacker will be using methods that search for the most likely cases first.
So if you are able to choose keys or plaintext that are statistically unlikely (as far as the attacker's knowledge goes), then it's likely to take the attacker longer to crack the encryption than if he used unbiased techniques.
It's a bit like trying to choose lottery numbers that no-one else will have chosen, in order get a bigger payout.
Re: Time to grow up
I don't think anyone is saying you don't need a security service. They're just saying you need to keep it under control.
Re: gnu indent is your friend
Nah. Displaying a logical document structure in a variety of interesting ways is what CSS is for. I'm sure it'd work.
Keep it simple.
Water vapour is the most powerful greenhouse gas, but it is usually not described as such by climate scientists. This is because they regard any changes in its concentration as being driven by changes in CO2 concentration. So it's not an independent player.
The thinking is that atmospheric water vapour concentration simply depends on atmospheric temperature, because water evaporates and condenses continually (whereas CO2 doesn't). So changes in CO2 concentration drive changes in temperature which drive changes in water vapour, which cause more heating. The feedback isn't strong enough to run away, but may be strong enough to amplify the original effect of CO2 changes. Estimates of the amplification factor vary.
So both sides are right on this issue. Water vapour is sort of irrelevant if you accept the simple feedback model as it's just a slave to CO2. But it's also a potent greenhouse gas. That means that if your simple feedback model is wrong, then the error you make could be quite big.
In my view this issue still isn't settled yet. Water vapour affects things that aren't perfectly understood by a long way - cloud cover probably being the most important . So I'm still on the fence over this one. I wouldn't be surprised to see new feedback effects involving water being found that change the conclusions.
Just trying to advance the debate a bit to scientific issues (instead of name calling), you understand!
Re: asdf Wake up call
Plus you may not be a political activist yourself, but you could well stand to benefit from the efforts of those who are. And they may well have something they quite legitimately wish to hide from the government. Giving the government blanket powers to suppress opposition, which is what this is all about, disadvantages everyone in a democracy.
The tech solution
Is banknotes printed on paper that's a foldable display with an embedded chip. Then your wallet can download whatever pictures you prefer to display on the notes you own.
Oh and Google can track all the money - and use the data it's gathered on you to put an advert underneath.
Re: 5 minutes with a screwdriver...
"I think I'll go AC on this, as I also DIY electrics.......and all the other things that the stateist nazis say I shouldn't."
You might want to check your council's building control website for an update then. The rules changed in April and a lot of what you weren't previously supposed to DIY without nanny's supervision is now OK again. Unless you're installing stuff near a bath, shower, swimming pool, etc. you're probably not breaking the rules any more.
Of course, relaxing the rules hasn't seen nearly as much publicity as when they were introduced in 2005. That's mainly because the electricians bodies aren't nearly so keen on things going back the way they were. I wonder why?
Re: How naive!!
The rather transparent attempt by the PM to conflate this type of filtering with the blocking of illegal child pornography (which already happens of course) in order to justify it also raises suspicions.
One should actually ask why those cases he cites (of child molesters having access to child pornography) weren't prevented by the filtering already in place. In an ideal world, members of the press would already have asked him that question in public, but these days it's beyond them it seems.
And speaking of conflation, did anyone notice how Cameron conflated Google with ISPs when he claimed that "internet companies" are responsible both for finding information and delivering it to you? So that ISPs have to be held accountable for the content.
I'd have loved to see (say) Jeremy Paxman interview Cameron and point out that Google and Virgin are actually different companies. The idea of Cameron having to wriggle out of that on a subject he knows sweet FA about is quite appealing. Oh, well, we can dream...
Still to be convinced there's an easy solution
I doubt this issue is going to spawn a new huge market, but it could well get enough interest to substantially increase the sales of security companies, which is presumably what this AVG spin is all about.
But then you have to trust AVG, or whoever you go with. So now they're no. 1 target for NSA infiltration. Ultimately, I don't see the proper solution being reached by going down that route unless the security firms can find some sort of distributed trust system that doesn't give them any privilege. But that's probably incompatible with the profit motive. So I'm inclined to think FOSS is pretty much essential here. Too bad that generally fails so badly on ease-of-use.
Even with end-to-end encryption - if it can be made practical for the novice - metadata and traffic analysis is still way too powerful to be ignored. Unfortunately, the options here are pretty limited. Re-mailers, VPNs and the like all place trust in those providing the service. Various dark nets have addressed the issue in a distributed manner but nothing of much practical use seems to have emerged. Tor is perhaps a borderline exception, but I don't think it handles most messaging requirements too well (not even email). Also, the fact it hasn't already been shut down makes me think the security services aren't too much troubled by it.
Possibly that might change if Tor were to become large enough that it's impossible to observe enough of it to draw conclusions, but that's unlikely to happen as, being FOSS, ease-of-use isn't exactly high. Possibly if someone were to market a small Tor appliance that would plug into a home router, though, that might make a difference to take-up.
But on the whole, I'm not optimistic that this whole snooping issue will lead to anything more than a whole lot more bloat in existing security suites.
Re: The MAD question
Well if you've been dumbed-down sufficiently by long-term consumption of BBC content maybe that'd make sense to you.
But the value of the nuclear project actually lies in the fact the enemy doesn't know what's written in the letter.
It's, like, game theory, innit?
Re: Violent Sites Included
Hmm, well the protect-the-kiddies content filter that came on my wife's phone (and was on by default) also blocked alcohol-related sites. So her first attempt when on holiday to locate a good pub for a meal was singularly unsuccessful.
Never mind, I'm sure the government don't have a thing about alcohol.
Oh, hang on...
Re: Wake up and realize this is global.
I find this notion that "it's always been like this" - so why all the fuss? - increasingly tiresome.
In a democracy, it is necessary for the people to be able to overthrow the government - or at least to force it to take a route that it may be firmly set against.
This shouldn't be achieved by violent revolution (which the state is quite right to protect itself against), nor by terrorism (although the terrorists are more attention-seekers than any real threat), but by the force of ideas and the power of persuasion aided by peaceful protest and the ballot box.
The problem with blanket surveillance of the population is that it allows the government to defeat ideas that might threaten it before they see the light of day. Would women have the vote now, if this snooping technology had been available to use against the suffragettes? How long would the abolition of slavery have been delayed? We can't say, of course, but it's pretty obvious it wouldn't have helped any.
And that's just in the rather safe and relatively recent UK environment. Elsewhere, there is no shortage of examples where horrendous crimes have been perpetrated against populations by leaders with blanket surveillance as their key method of retaining power against all opposition.
Yes, spying has always gone on. But the line that has been crossed is the blanket surveillance of whole populations by their own governments at an unprecedented level of saturation. And it's all the more shocking that it's happening in countries that describe themselves as "free" and use the excuse that it helps protect us from other countries where there are totalitatian states.
These days, all states are totalitarian, it seems. If that isn't something to worry about, I'm not sure what is.
"According to National Security Council staffer Thomas Reed, the CIA got wind that the Soviets were trying to steal industrial-control software for a new gas pipeline from a Canadian supplier. He claims the CIA installed a trojan into the Canadian firm's software and allowed it to be purloined by the KGB.
"The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds," he said. "The result was the most monumental non-nuclear explosion and fire ever seen from space.""
Oh come on now! You steal some control software from a Canadian company and plonk it on your own pipeline - just like that - and it misbehaves. Well whadya know! If you did that it'd be 99.9% likely to blow up with or without the Trojan.
It'd need configuring (at the very least) for your own use and if you didn't test it pretty damn thoroughly you could expect disaster for sure. If you steal some software there are no guarantees. It might not even be finished.
I'm afraid that story is just not plausible unless you don't have a clue about writing and testing software, like I suspect Thomas Reed doesn't.
Re: Clouds - nope!
But if you read about the cyberwar capabilities the US has and is planning to extend, you start to realise that data may be no safer on your own system than in the cloud anyway. For example, and just as a taster:
and I assume the US aren't alone in this. Would anyone like to 100% guarantee their system can resist an attack from a state as determined as this to get at your data?
Increasingly, I think the solution has to be technological as no-one can apparently be trusted with anyone's data these days. What technologies are needed, I have no idea, unfortunately.
I'm not quite sure I follow this. If you post something scurrilous and the police get involved, they have access to the package you posted. Why do they need a picture of it when they can take their own?
Obviously, if they can trace the original picture, they can find where it was posted (but if it was a bomb, the pattern-matching software might not have have much to go on). But a postmark does this and more simply too.
It'd work fine...
until it started to go in the wrong direction and no taxes were coming in. Then it'd be time to find a "more accurate" measure of climate change - i.e. one going in the "right" direction.
Looks like higher taxes either way to me. So no change, really.
The usual weather hype dressed up as climate evidence
This weather-records-being-broken thing really has got out of hand. If you want to show there's some sort of unprecedented trend from the mere fact of a record being broken then:
a) It has to be the most extreme event on record. Otherwise it means there was a more extreme event in the past so the present has become less extreme than the past.
b) The records have to extend back a reasonable distance in time. Starting in the 1900s is a pretty pathetic baseline on which to judge anything. We know some very extreme events have occurred in the centuries prior to that, even though we don't have continuous records.
c) The events must have been recorded consistently in the past. For example, the number of countries reporting weather records broken during the year is surely a modern statistic that it'd be impossible to compare like-for-like with anything from the distant past. Likewise, improvements in weather monitoring make unusual events more likely to be widely reported in more recent times.
So pardon me if I take this all with a pinch of salt.
So I wonder...
Would sending random numbers count as encrypted data? They could be encrypted random numbers, of course (or encrypted anything, really), so probably the NSA would have to keep them all, just in case. Sounds like a really fast way to fill up disks to me.
Re: Alternatively ditch comp sci all together
With a successful career, largely in software engineering, now behind me (I'm retired) I can say this is actually pretty good advice. I never had a day's formal instruction in any form of programming or comp. sci., but I did do a lot of Physics and Maths.
Those subjects open a lot of doors if you're any good at them and the skills don't go out of date nearly as quickly as in IT. Given that many of your IT skills could lose their value on a time scale of just a few years, you're going to have to continually learn new stuff throughout a career.
That sets you no higher than other numerate graduates who can also learn the same new stuff just as fast as you. Except that they have the advantage of another large set of skills that aren't going out of fashion.
Think about it. A degree is an investment. You'd invest in a house, that would last, not in a car that'd need replacing in a few years.
The NSA copies stuff without asking. Dreadful, innit?
So how does bacon kill you, exactly?
I can't help wondering about the correlation with "all cause" mortality. Did they not have cause of death information? Could it be that bacon affects your reaction time and gets you killed in car accidents, or perhaps sausages weigh you down and make you more likely to drown?
If they did have cause of death information, then why not look at the diseases that all the commentators have immediately assumed are caused by the great bacon threat, like heart disease and cancer? It makes me think that perhaps the correlation disappears if you do that. They'd then have wasted their time because no-one is going to take seriously a paper that proposes a sausage-drowning theory.
It all looks very suspicious to me.
Of course, it might be that they are one and the same object, but they don't like to admit they got the calculations wrong.
Re: Some dude writes something up. Next: animal entrails, bone casting and the I Ching.
Actually, both systems are on similar shaky ground. In the mathematical case assumptions have to be made about the difficulty (or computational effort) required to reverse the encryption. For example, the difficulty of factoring the product of two large primes. I don't believe that has ever been proven to be difficult. It's just an empirically observed fact, not unlike the fact that QM seems to be a good description of nature.
Anyone could come along at any time with a better method/theory and break the encryption in either system.
Predictions can and do change
It's interesting that after a few years when temperatures haven't risen so much we have started to see models which predict less warming in future.
Of course, much of the science that goes into climate models is still quite uncertain. So it's unsurprising that science alone doesn't well-constrain the models (imagine creating a model locked in a room containing science books but unable to observe the world outside). So the actual past behavior of the climate is a major factor in defining what the models predict and, in fact, in clarifying the science in the process.
Or to put it another way, without a firm theoretical basis, the models are inevitably going to be a simple extrapolation of past events (and recent events in particular, since we have so much more data there). And that, of course, is exactly what we're seeing with the recent Met Office prediction and now this one.
It's also worth keeping in mind that low-confidence forecasts are likely to change. If you are 70% certain about a prediction (and that's the ball-park we're in for many aspects of climate), then there's a 30% chance you're wrong. That means that your next forecast, some years down the line, stands a reasonable chance of being different.
I think when tempted to be dogmatic about climate issues, it's worth keeping that in mind. Just because this prediction differs from an earlier one doesn't necessarily mean either was flawed. It just means we don't really know what's going to happen. In fact, you can reach that conclusion just by looking at a temperature graph.
- Apple's spamtastic iBeacon retail alerts launch with Frisco FAIL
- Submerged Navy submarine successfully launches drone from missile tubes
- Pix Astroboffins spot HOT, YOUNG GIANT where she doesn't belong
- Cache in the Attic El Reg's contraptions confessional no.2: Tablet PC, CRT screen and more
- Developer unleashes bowel-shaking KILLER APP for Google Glass