anologwintermut's comments

anologwintermut | 8 years ago | on: Pistol sights

I happen to like guns and shooting. It's a good point to understand the appeal of guns and also "the other side."

But there is a point you are leaving out that comes up if you talk to anyone who does treat firearms seriously: many people do not take those classes and/or do not treat guns safely. Go to a range on Sunday and that will be really clear. Or read the comment history by people who bring this up whenever guns come up in a general forum. Often they rightly end up complaining about safety of other gun owners in posts in more topic specific forums. But somehow, when it comes to a general audience, those issues get omitted.

Taking the class would give you a distinctly wrong impression about the responsibility of all gun owners. As does the suggestion to take the class.

Sorry, not to single you out specifically, it really is a good suggestion. But the net rhetorical effect of people making points like this is (and I think it's intentional) to skew the framing of the issue. Yes, you may be responsible, but with the exception of some people who would never heed your advice, people who want more regulation of firearms aren't worried about you. Guns don't kill people, some people with guns kill people.

anologwintermut | 10 years ago | on: Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors

"Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations."

Looks like they feed the output through a standard CPRNG. Assuming it's true, that pretty much breaks the DUAL_EC attack because you can't use the output of the final CPRNG to recover the DUAL_EC state.

anologwintermut | 11 years ago | on: Tesla Plans to Open Car Doors to All Hackers This Summer

The usual distance bounding protocols only need a nanosecond-accurate timer on one device called the verifier. For example https://www.usenix.org/legacy/event/sec10/tech/full_papers/R...

Cool trick in that one: the Prover (i.e. the key fob) does the distance measuring part of the challenge response protocol using analog only components. This means its response time is <1 nanosecond.

So you can do it with only the car having a good timer.
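The protocol shape described in this comment, as an added example that is not code from the linked paper or from the thread: a rapid-bit distance-bounding exchange in which only the verifier (the car) keeps a clock. The key fob answers each single-bit challenge from one of two pre-derived response registers, and the car bounds the fob's distance from the worst round-trip time it observed. HMAC-SHA256 as the register-derivation PRF, the simulated channel (propagation at the speed of light plus a constructed fob processing time and an optional relay delay) and the 5 m acceptance radius are all assumptions of this example; real timing would come from hardware, not from arithmetic.

```python
"""Simulated rapid-bit distance bounding with a verifier-only timer.

Added example (not from the paper or the comment). Channel timing, the fob's
processing delay and the relay delay are constructed constants, not measurements.
"""
import hashlib
import hmac
import secrets

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def derive_registers(key: bytes, nonce_v: bytes, nonce_p: bytes, rounds: int):
    """Both sides derive two response registers R0 and R1 from the shared key and
    the session nonces. In round i the prover answers challenge bit c with bit i
    of R_c. HMAC-SHA256 is the PRF assumed here (one digest covers <= 256 rounds)."""
    assert 0 < rounds <= 256
    regs = []
    for tag in (b"\x00", b"\x01"):
        digest = hmac.new(key, nonce_v + nonce_p + tag, hashlib.sha256).digest()
        regs.append([(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(rounds)])
    return regs[0], regs[1]


class Fob:
    """Prover. processing_s models the delay between receiving a challenge bit and
    emitting its response; the paper's analog trick makes this under 1 ns, so the
    fob needs no precise clock of its own."""

    def __init__(self, key: bytes, processing_s: float):
        self.key = key
        self.processing_s = processing_s
        self.r0 = self.r1 = None

    def setup(self, nonce_v: bytes, rounds: int) -> bytes:
        nonce_p = secrets.token_bytes(16)
        self.r0, self.r1 = derive_registers(self.key, nonce_v, nonce_p, rounds)
        return nonce_p

    def respond(self, i: int, challenge: int) -> int:
        return (self.r1 if challenge else self.r0)[i]


def verify(car_key: bytes, fob: Fob, distance_m: float, relay_delay_s: float = 0.0,
           max_distance_m: float = 5.0, rounds: int = 32):
    """Verifier (the car). It is the only party that times anything: each
    challenge bit is stamped on the way out and its response on the way in.
    The round trip is simulated as two propagation legs plus the fob's processing
    time plus whatever a relay adds. Returns (accepted, worst-case distance
    estimate in metres, number of wrong response bits)."""
    nonce_v = secrets.token_bytes(16)
    nonce_p = fob.setup(nonce_v, rounds)
    r0, r1 = derive_registers(car_key, nonce_v, nonce_p, rounds)
    errors = 0
    worst_rtt = 0.0
    for i in range(rounds):
        c = secrets.randbits(1)
        # Round-trip time as the car's timer would see it (constructed model).
        rtt = 2 * distance_m / SPEED_OF_LIGHT_M_PER_S + fob.processing_s + relay_delay_s
        resp = fob.respond(i, c)
        if resp != (r1 if c else r0)[i]:
            errors += 1
        worst_rtt = max(worst_rtt, rtt)
    # Conservative bound: attribute the entire round trip to propagation, so any
    # processing or relay delay can only push the estimate further away.
    est_distance_m = worst_rtt * SPEED_OF_LIGHT_M_PER_S / 2
    accepted = errors == 0 and est_distance_m <= max_distance_m
    return accepted, est_distance_m, errors


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("fob at 2 m:", verify(key, Fob(key, 0.5e-9), 2.0))
    print("same fob relayed with 1 us extra delay:", verify(key, Fob(key, 0.5e-9), 2.0, relay_delay_s=1e-6))
    print("fob with wrong key:", verify(key, Fob(b"not the car key", 0.5e-9), 2.0))
```

The point the comment makes shows up in the numbers: a fob answering in 0.5 ns inflates the car's distance estimate by only about 7.5 cm, while a relay that adds even a microsecond moves the estimate by roughly 150 m and fails the bound, and a fob without the key fails on the response bits regardless of timing.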

anologwintermut | 11 years ago | on: Why Does the Putnam Math Competition Give a Separate Prize to Women?

It might be true, but how useful is it when dealing with society as a whole? For the Putnam, it probably kicks in, but for a whole field like e.g. programming/computer science/IT, it almost certainly doesn't for the simple reason that the field isn't composed of anywhere near the top 0.001 percent of the population in terms of IQ.

anologwintermut | 11 years ago | on: Why Does the Putnam Math Competition Give a Separate Prize to Women?

Summers's point was about the distribution at the extremes, not the average. He was addressing the lack of professors in STEM at places like Harvard which manifestly select for the far end of the bell curve. Right, wrong, or otherwise, that has almost nothing to do with the average case and even he contended that the best statistical evidence showed women and men were roughly equal.

So, unless one seriously thinks that the entire field of programming/IT/computer science as a whole requires that level of talent, Summers's point doesn't apply and there are certainly other reasons for the gender gap in computer science.

anologwintermut | 11 years ago | on: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

Sure.

Let's suppose it actually was a valid defense. But what does that have to do with going through the Facebook and personal email of individual employees to know who to target? That was done up close, in person, by hand. By any definition, those people had their privacy specifically and intentionally violated by actual human analysts.

anologwintermut | 11 years ago | on: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

So I may have missed the details. I thought we knew they hacked Belgacom, but no one mentioned going through employees' personal email and social networks (though in light of this, we can assume they did). If they did mention it and I missed it, sure, nothing new. But the same entire thing then just applies to that instance too.

anologwintermut | 11 years ago | on: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

Because they were useful for targeted surveillance? Not that I agree with the means or the scope, but there's an above board explanation for the desire to get the keys. Suppose you have a handful of phones in Pakistan or Iran you need access to very covertly (e.g. some rogue guy in the ISI where getting caught snooping has major consequences). The least risky way to access his communications is to get the keys. The least risky way to do that is to get them from the broadest source possible (to obscure who you're really interested in) and the one most removed from your target. So there's a legit reason to want the keys, even if you're only targeting a few legit targets.

But the means of doing so is truly questionable, even given all their assertions about trust us and we don't look at everyone's stuff.

anologwintermut | 11 years ago | on: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

The SIM card bit is actually I think a distraction. The real issue should be the means: the NSA/GCHQ intentionally targeted innocent/non government affiliated people's personal email and social networking.

That's different than collecting everyone's data and claiming you never look at it unless someone does something to lose their innocence. Orwellian nightmare that that is and probably bullshit, revelations along those lines are not surprising. The systematic targeting of the personal lives of random employees (at least of non-governmental/non-defense-industry ones), is new.

anologwintermut | 11 years ago | on: The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

Personally, the biggest takeaway from this is the invasive targeting of completely innocent and ordinary people simply as a means to get access to things the NSA needed (SIM card keys). We have concrete evidence they nailed people's personal email accounts and social networks merely as a means to get crypto keys en masse. Sure, the potential mass surveillance is exceedingly problematic, but that's mainly problematic because of the potential for abuse. Abuse that we either assumed would happen or already had, but as far as I know there was little direct evidence of.

The absolute lowest bar for surveillance seems to be that a government doesn't use it to intentionally target innocent people/those not in the game (hell, let's lower it even further to be only people the government themselves believe are innocent).[0]

That potentially allows dragnet collection of data if no one looks at it. It might allow hacking just a company's servers to get access to third party data. It probably allows you to spy on foreign heads of state (even if it's a boneheaded move). But it damn well doesn't allow you to go through the personal communications of people who you know have done nothing wrong and aren't even working for someone who has.

[0] This is precisely the woefully low bar Obama has been espousing: “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures,”

anologwintermut | 11 years ago | on: “Equation Group” ran the most advanced hacking operation ever uncovered

The notion that a debate on the rules of digital warfare will do anything is questionable.

Arms control limitations (SALT, START), the Hague Convention, etc, work because there are means of verifying countries adhere to what they agree on (and ostensibly punishing those who don't).

Given the difficulty of attributing cyber attacks (e.g. Sony), much less cyber espionage, there's little reason to think this is possible in this case. And that's just for direct action.

If we're talking about tactics and capabilities, it's impossible. How are you going to make sure there aren't 30 people somewhere writing malware for a government? You can't, at least absent far more invasive spying or some kind of DRM that makes writing malware illegal.

anologwintermut | 11 years ago | on: Designing Crypto Primitives Secure Against Rubber Hose Attacks

Not this paper again. It can't be used for cryptographic usage and the title (which is the original title of the paper) is completely misleading.

The device you're authenticating must have the secret you're authenticating with in it in a retrievable format. So it can't be used for e.g. disk encryption, etc, because the attacker can just get the secret from the device and decrypt.

All it can be used for is authentication, and for that they require a human security guard to ensure it's actually a human playing the authentication game. If you were to attach a computer, it's likely it could impersonate you. So almost completely useless (except for getting people's hopes up).

More discussion here: https://news.ycombinator.com/item?id=4266115

anologwintermut | 11 years ago | on: What women in technology really think (150 of them at least)

People being more social doesn't necessarily mean it was because the women were more social. It could simply be people were more social because it was a more diverse environment (I at least can get bored of talking to the same people all the time or even the same type of people).