Microsoft is turning to a new spokesman to drum up interest in its Windows Vista operating system: Jerry Seinfeld.

What’s the deal with Vista?

The comedian will star alongside Microsoft Chairman Bill Gates in a series of ads meant to counter the popular notion that Vista is a failure, the Journal reports.

The Business Technology Blog has filled virtual tomes with posts about Vista’s image problem with businesses. Sales of the operating system are strong, but part of that is because PC makers stopped selling machines with Vista’s predecessor, XP, earlier this year. This week, InfoWorld reported that nearly 35% of new PCs are downgraded from Vista to XP.

Part of Microsoft’s image problem is due to Apple’s clever-yet-biting Mac vs. PC ads, which have repeatedly poked fun at Vista’s “problems.” In July, a Microsoft exec said publicly that the company was planning an aggressive campaign to boost Vista’s image.

So it’s Seinfeld to the rescue. The company also considered Will Ferrell and Chris Rock, but didn’t want to seem like it was pandering to the hipster crowd, according to the Journal. (Why didn’t they bring back Jennifer Aniston? It worked for Windows 95.)

What will the comedian – who uses a Vista PC in spots he filmed for H-P – say about Windows? Some ideas from the Biztech blog: An ad based on the famous contest episode, where Seinfeld and the Mac guy see how long they can go without rebooting. Or, riffing on the same episode, one where Seinfeld uses his Vista PC to become master of his own Internet domain. He could have a run-in with the tech Nazi, only to be saved by his PC, or face off against an overzealous software-licensing detective.

One slogan that Microsoft shouldn’t use: “Vista – Not that there’s anything wrong with that.”

-Ben Worthen

Posted on August 21, 2008 04:01 PM

  Preschool Storytime - For children 3 to 5 years of age

Location: Mission Valley

Posted by Library (ek_contact@plymouthrocket.com) on August 21, 2008 03:30 PM

  Jackstraws sing old time singalongs.


Location: Ocean Beach

Posted by Library (ek_contact@plymouthrocket.com) on August 21, 2008 03:00 PM

  The festival atmosphere and resident artists during SummerFest allow many opportunities for La Jolla Music Society audiences to learn directly from artists. The Coaching Workshops pair a group of young musicians selected by the Music Director with some of the most talented performers in the music world. These master classes happen regularly during the festival and the public is invited to observe. Event is held in the La Jolla Community Room.

Today's performer is:
Leon Fleisher  10:00am


Location: La Jolla/Riford

Posted by Library (ek_contact@plymouthrocket.com) on August 21, 2008 03:00 PM

  The Rancho Peñasquitos Branch Library will host Baby Sign Language Story Time with Jennifer Duncan of “Signs at Play." This monthly program occurs on the 3rd Thursday of each month. She will read and sign a story, teach American Sign Language, sing songs, perform fingerplays, and demonstrate some simple strategies for helping babies communicate before they can talk. This story time is for children 0-24 months, and older children are welcome with their younger siblings.

Location: Rancho Peñasquitos

Posted by Library (ek_contact@plymouthrocket.com) on August 21, 2008 03:00 PM

 

Confirmed: I am going to PyConBrasil, Rio de Janeiro edition. The event takes place on September 18, 19 and 20. I will be there from the 17th to the 21st.

Who is going? Will the Django Brasil crowd turn out in force for an informal meetup?!

More information on the event site: http://pyconbrasil.com.br/.


Tags: django, evento, pycon, python, rio
© Guilherme M. Gondim, 2008. Terms of Use

Posted on August 21, 2008 11:53 AM

rediff.com  
  The Hyderabadi player has been advised a three-week rest by her doctor while the fourth and last Grand Slam of the year kicks off from Monday.

Posted on August 21, 2008 11:47 AM

  Michael Johnson lost his 200 metres world record to an extraordinary run by new Olympic double sprint champion Usain Bolt on Wednesday and predicted the big Jamaican could now take his 400 mark too. Johnson, who won the 200m and 400m double at the 1996 Atlanta Games, was as impressed as anyone in the 91,000 capacity Bird's Nest crowd when Bolt shaved two hundredths of a second off his previous 200m world best to win gold again.

Posted on August 21, 2008 11:47 AM

  Resources alone will not make the Indian armed forces the envy of its adversaries. It is the policy direction that is set by the military leadership and the quality of training imparted to its manpower that will make the difference. The debate on the wide-ranging changes that India's defence set-up needs should have been initiated long back by the armed forces themselves.

Posted on August 21, 2008 11:47 AM

  The Supreme Court on Thursday cleared the decks for a rally to be held by film star Chiranjeevi on August 26 at Avilala Tank at Tirupati, Andhra Pradesh. A bench comprising Justices B N Agarwal, Harjit Singh Bedi and G S Singhvi refused to interfere with the permission granted by Andhra Pradesh government to the film star to hold a rally in the 176-acre Avilala Tank where Chiranjeevi is going to announce the formation and the name of his political party.

Posted on August 21, 2008 11:47 AM

  Market expert Pranav Sanghavi shares some investment tips with our readers.

Posted on August 21, 2008 11:47 AM

Thank you Slashdot, for your review (3 years after the release of the book)!

My Job Went to India is at this very moment (but probably not by the time you’re reading this) the number one best seller in Amazon’s India travel books category.

I’ve always wanted to write a travel book. Today I get the sensation of having written one without having to go to the effort.

But seriously, it’s been fun to watch the reaction on Slashdot, well known for its high level of discourse. Sadly, everyone except the reviewer (thanks Josh!) is caught up in the India part. My fault, I know. It’s not really about India or outsourcing. It’s about building a remarkable career.

It’s not about trying not to lose. It’s about trying to win.

I think we’ll have to fix this perception problem in the near future.

Posted by chad on August 21, 2008 11:43 AM

Announcing: WakeRiteTM Alarm Clock
By MichaelCrawford in MichaelCrawford's Diary, Sun 08, 2008 at 07:16 PM EST
Tags: MichaelCrawford, WakeRiteTM, Sleep, Alarm Clocks, Geometric Visions, Ogg Frog, GoingWare, Schizoaffective Disorder

Good news everybody! In my ongoing quest to manage my sleeping patterns, I have discovered a utility called an 'Alarm Clock', browsing a free software site. This application, and applications like it, work by emitting a loud sound when the clock's internal timer coincides with a time value of my own choosing. This timely emission of noise disrupts the user's slumber, waking them up.

Posted on August 21, 2008 11:25 AM

  There's a strong sense inside the Democratic leadership that if you care about India, now is the time to stand up for it, says Graham Wisner, counsel at the top international lobbying firm Patton Boggs.

Posted on August 21, 2008 11:06 AM

  Director Nishikant Kamath tells us about what prompted him to make Mumabi Meri Jaan, a film on the Mumbai train blasts.

Posted on August 21, 2008 11:06 AM

  Other governments offer more tax incentives which may compel IT firms to move a significant part of their business to other low-cost and friendly countries.

Posted on August 21, 2008 11:06 AM

  Given the monetary steps taken, I am hopeful we will be back to normal inflation, that is 5-6 per cent, within 12 months.

Posted on August 21, 2008 11:06 AM

 

This spam post reminded me that I haven’t reminded you that the Rails Studio is coming soon here in Denver. It’s happening in September, but early registration ends tomorrow.

This is my first time teaching the public Rails Studio with Dave. We do Advanced Ruby and Ruby Studio, and Advanced Rails together. I got to sit in on a Rails Studio he and Mike did together last year in Seattle and had a great time. It’s really fun watching people experience the “aha” moments for the first time. Reminds you of how you felt the first time you watched the 15 minute intro video.

Apart from all the fun of learning a great framework for the first time, Colorado is a really nice place to be in September. So if you are coming, try to plan a couple of days before or after (I’d say after: let your mind unwind after a few days of hard thinking and head up to Rocky Mountain National Park for the weekend).

The spam post I linked above put it best, I think:

Self’ll broaden the mind he how on route to amplify tall idea-experienced programs.

I’m looking forward to amplifying tall idea-experienced programs. And teaching Rails.

Posted by chad on August 21, 2008 11:00 AM

 

Information-technology leaders at midsize companies say they could compete with bigger companies, if only they had more money. And staff. And the freedom to focus on long-term projects.

Its a hard-knock life for tech departments at midsize businesses

Instead they’re fighting to keep up. That’s according to a survey of 200 tech leaders at businesses with 500 to 3,000 employees by Arrow Enterprise Consulting Solutions, which sells computer gear to the consulting companies and resellers who target these companies.

The survey doesn’t paint a pretty picture of life in the midmarket. The tech leaders surveyed are trying to get by on limited resources. For example, when asked who they rely on for advice, the top response was–no surprise–internal staffers (59% of respondents). But that was followed by cut-rate alternatives: Forty percent said they relied on Internet research; 31% said peers at other companies; and 30% said magazines and journals.

So it’s not a shock that tech leaders at these midsize businesses aren’t wholly satisfied with the job they’re doing. Only 32% said they’re very satisfied with how their business addresses IT (56% are somewhat satisfied) and only 20% are very satisfied with how they’re going about cutting costs, which is far and away the top priority for these businesses. Only 65% of tech leaders said their businesses are keeping pace with technology, while 21% said they’re behind the times.

One bright spot: The slumping economy doesn’t seem to have too much of an impact on midsize companies – perhaps because they’re already bootstrapping it. A plurality said the economy has just made their jobs more stressful (43%) while 34% say it’s had no impact at all. And 61% anticipate being able to spend more on IT next year.

-Ben Worthen

Posted on August 21, 2008 10:42 AM

 

Thanks to you all who wrote to ask why the hiatus in blogging. I was very busy with reading and thinking. The problem apparently is that I can either write or I can think — but not both at the same time :)

Thomas Paine’s pamphlet, Common Sense, is what kept me busy. Reading Paine is an intellectual delight for me because I keep marveling how closely my ideas mirror his. I was hooked from the first line in the introduction to the pamphlet:

Perhaps the sentiments contained in the following pages are not yet sufficiently fashionable to procure them general favor; a long habit of not thinking a thing wrong, gives it a superficial appearance of being right, and raises at a formidable outcry in defense of custom. But the tumult soon subsides. Time makes more converts than reason.

Upon reading that, I immediately thought of the system of education in India. We have been accustomed to thinking that the system is not wrong. Upon further reflection I realized that the education system is just a small (though important) part of the larger system. Even the system of governance is faulty. What is the most fundamental bit upon which the system rests? Undoubtedly it has to be the constitution. My guess is that the constitution of India is flawed.

It is easy to dismiss my opinion as that of a person who is not an authority on constitutions. True enough. But what would you say to the village idiot who witnesses the spectacular blowing up of a huge complicated machinery — a device that he could not ever have designed or created — and exclaims, “The guy who designed it is an idiot”? The problem with the machine is revealed unquestionably by the failure of the machine. One does not have to be a genius to observe the effects of faulty design.

Time indeed makes more converts than reason. One can reason with people till the cows come home but it will not sway them one bit if the present conditions favor them. Those who hold power in today’s government will be crazy to let go of something that they find so personally rewarding.

Moving on, here are the first bits of Common Sense:

Some writers have so confounded society with government, as to leave little or no distinction between them; whereas they are not only different, but have different origins. Society is produced by our wants, and governments by our wickedness; the former promotes our happiness positively by uniting our affections, the latter negatively by restraining our vices. The one encourages intercourse, the other creates distinctions. The first is a patron, the last a punisher.

Society in every state is a blessing, but government even in its best state is but a necessary evil; in its worst state an intolerable one; for when we suffer, or are exposed to the same miseries by a government, which we might expect in a country without government, our calamity is heightened by reflection that we furnish the means by which we suffer. . .

A very topical example: the government funds jihad from the taxes it extracts from me.

Who was the man Thomas Paine whose pamphlet had such a profound effect on the colonists that they actually struck out for independence from England instead of continuing to be a colony? An Englishman born in 1737, he came to America in 1774. As late as end of 1775, the mood in the thirteen colonies was one of reconciliation with England. Common Sense was published in January 1776 and it was instrumental to a large degree in changing the mood of Americans. The declaration of independence was made on July 4th, 1776.

Here’s a bit more from Paine:

I draw my idea of the form of government from a principle in nature . . . that the more simple any thing is, the less liable it is to be disordered, and the easier repaired when disordered; and with this maxim in view, I offer a few remarks on the much boasted constitution of ________. That it was noble for dark and slavish times in which it was erected is granted. When the world was over-run with tyranny the least remove therefrom was a glorious rescue. But that it is imperfect, subject to convulsions, and incapable of producing what it seems to promise, is easily demonstrated.

That last sentence is so accurate about the Indian constitution that one would think that Paine was referring to India. He was talking about England. Here’s the continuation of the bit quoted above:

Absolute governments (tho’ the disgrace of human nature) have this advantage with them, that they are simple; if the people suffer, they know the head from which their suffering springs, know likewise the remedy, and are not bewildered by a variety of causes and cures. But the constitution of England is so exceedingly complex, that the nation may suffer for years together without being able to discover in which part the fault lies, some will say in one and some in another, and every political physician will advise a different medicine.

I think it is appropriate that a book titled “common sense” altered the course of history. I think the success of the US is attributable to basic common sense — which in our case we have not got.

The essential difference between the Indian and the US constitution (in my opinion, and I am not a constitutional expert) is that the former empowers the government relative to the people, while the latter empowers the people and puts restrictions on the power of governments. I attribute the difference to the difference in the value-system of the people framing the constitution. The Indian framers were setting themselves up as the rulers of the people of India; in the US case, they were aiming to take power away from the government and vest it in the people.

Related posts:

The First Amendment

The Tangled Web–Part 4

Still laboring under serfdom

Posted by Atanu Dey on August 21, 2008 08:40 AM

  Join local artist Cheryl Neumann as she teaches children how to craft necklaces, puppets, rock frogs, flower pots, and key chains. Held in the Children’s Area.


Location: College-Rolando

Posted by Library (ek_contact@plymouthrocket.com) on August 21, 2008 08:30 AM

Slashdot  
  longacre writes "Following in the footsteps of DARPA's Urban Challenge, in which robotic vehicles had to navigate a complex obstacle course without human intervention, the UK upped the ante with its own Ministry of Defence Grand Challenge: within a mock enemy village, robots were instructed to find potential targets and make distinctions between armed troops, roadside bombs and snipers. The winning entry, Team Stellar's SATURN system, actually consists of three vehicles: a low level drone and a tracked ground vehicle transmit reconnaissance data to a high-altitude robotic relay aircraft, which proceeds to phone that data home to a central processing center. Upon announcing the winner yesterday, MoD said they are "carefully considering if technologies demonstrated in the final can be incorporated into future frontline kit for the Armed Forces. It is possible that the winning team will have invented a product that can be developed rapidly for the front line.""

Read more of this story at Slashdot.

Posted by samzenpus on August 21, 2008 06:58 AM

 

It’s heart-breaking, but what is one to do. A Chinese university has conducted a ranking of world universities and published a ranked list of the top 500. (Thanks Ashish Asgekar for the link.)

UC Berkeley, my alma mater, I regret to say shows up behind Harvard, and — horror of all horrors — behind a junior university which shall not be named here. The only consolation for me is that the university that my nemesis attended — Cornell — shows up way down the list at rank 12.

It is a matter of some pride and considerable astonishment that two Indian universities make the list of the top 500: IISc and IIT-Kgp figure in the 303-401 space. I say astonishment because I am constantly amazed that given that the Indian government has done all it can to destroy education in India, even in this ranking by a Chinese university, two Indian universities are mentioned. But I am sure that given what the government is doing to cripple the IITs, they will be also-rans in the rankings race soon enough. After that, I suppose the government can set its sight on the IISc and kill it in short order.

Posted by Atanu Dey on August 21, 2008 06:52 AM

GigaOM  
 

For the past few days we have been getting pinged by the press folks from Dell, who want us to attend a joint event next week with Facebook to announce a new cloud-computing project. That Round Rock, Texas-based Dell and Facebook of Palo Alto, Calif. are getting cozier shouldn’t come as a surprise. Facebook is seriously “server hungry” and has been on a spending spree to beef up its infrastructure. Dell, on the other hand, has been increasingly serious about cloud computing, working with online companies and building bespoke solutions for companies like Facebook.

In my conversation with him, Michael Dell said: “In our view is that there is definitely enormous opportunity in cloud infrastructure. A few years ago, we were out there selling our servers and found that some of these new companies had unique requirements that were really different from the general-purpose servers.” Dell has been trying to get closer to Facebook. Dell has worked closely with Joyent to offer a cloud service that offers free services to Facebook app developers.

A few days prior to our Structure’08 conference, I met with Facebook’s VP of Technology Operations Jonathan Heiliger, and we discussed the issues with current server designs and how today’s start-ups need a whole new class of machines. I am pretty sure the announcement is along those lines.

The pending news can’t be good news for Rackable which had been banking some of the dollars Facebook was spending on its infrastructure. Rackable’s 10-Q filings show that at the end of the second quarter 2008, Facebook accounted for less than 10% of Rackable quarterly revenues of around $76 million. A quarter earlier, Facebook contributed about 24% to Rackable’s Q1 2008 revenues of $68 million. Rackable is trying to streamline its operations and recently announced that it is divesting its Rapidscale clustered storage business.

Bonus reading: Check out Facebook’s blog where they explain why they needed to build its East Coast infrastructure. It is a fairly elaborate description of their entire architecture and worth reading.

Posted by Om Malik on August 21, 2008 06:17 AM

  Posted date: Aug 20
from NY, USA head of cauliflower large onion sliced cup frozen peas, thawed heavy cream as desired minced garlic if desired. salt, pepper, curry powder, ...
http://www.internationalrecipes.net/find/Curried%20Cauliflower%20and%20Peas - International Recipes

Posted on August 21, 2008 06:00 AM

  Posted date: Aug 20
oz plain yoghurt large red onion med size ripe tomatoes / tsp salt Dice the red onion not too fine. Dice the tomatoes into '' pieces. ...
http://www.internationalrecipes.net/find/Raitha - International Recipes

Posted on August 21, 2008 06:00 AM

Ultrabrown  
 

Check out the kickass bhangra track ‘Dhage Nage Dhin Tara’ from Loins of Punjab Presents, courtesy of director and buddy Manish Acharya. The track is so catchy I went to the filmmakers after the first screening and demanded an MP3. But it was over a year before he decided to release it as a video. (Press to see it in high res, full screen.)

Ajay Naidu and Samrat Chakrabarti rap over Samrat’s phat, phat beats. Nina Paley animated the video collage-style with photos from friends all over the world, including two I shot in Bombay: a granny atop a scooter with sidecar, and the shoe house in Kamala Nehru Park atop Malabar Hill. She also injects self-referential kitties and Hindu sages from Sita Sings the Blues. I almost wish she’d swiped some rotoscoped Reena Shah (of My Pet Dragon) from Sita, those segments were hypnotic. The dude with the downcast look in the beginning is Kunal Roy Kapoor, who’s directing the upcoming The President is Coming movie.

Posted by manish vij on August 21, 2008 05:40 AM

 

Excerpts from a speech by Leader of the Opposition and NDA’s Prime Ministerial Candidate L.K. Advani, on the occasion of the release of a compendium called “Business Superbrands” by Anmol Dar and his colleagues.

During the ‘License-Permit-Quota’ Raj, there was no opportunity, incentive or compulsion for Indian companies to prove themselves. This is because the ruling party of that period did not trust the Indian entrepreneurial class. As a result, India’s economic growth was severely stunted. My party was strongly opposed to this Soviet-inspired economic model that successive governments had followed until the arrival of the 1990s. And when this model was jettisoned, we supported the change enthusiastically.

Thanks to the new liberalised environment for trade and investment, our people were also exposed to the products, services, technologies and business management practices from abroad. As a result, Indian companies realised that they had to not only compete amongst themselves, but also compete, survive and succeed against foreign firms.

Healthy competition boosts excellence

Friends, competition is a foe of complacency. I say this out of my own political experience. If you are complacent, you cannot compete. This is true not only about business, but also about every sphere of life.

But competition is also a friend of quality. Where there is healthy competition, quality always thrives. And so does excellence. Where there is competition, companies pay greater attention to customer satisfaction. This is because they know that their success or otherwise is judged at the marketplace by discerning and demanding customers.

Hence, in the new environment of economic development in India, Indian companies took competition – both domestic and foreign – as a challenge. And within a short period, many of them proved their mettle.

The emergence of globally competitive Indian companies has dispelled the inferiority complex. “The Made in India” label may not yet be very popular across the world, and this is because India’s share in global trade is still very low. But nobody can deny that scores of Indian companies — the ‘Superbrands’ featured in this book — are today as good as the best in the world. They are second to none in the world in manufacturing excellence, in innovation, in customer service, in corporate social responsibility.

I think that the true reputation of a party or a leader should be judged by the credibility they enjoy. One must be true to one’s own beliefs. One’s practice should match one’s precept. The test of the survival of a free society and a vibrant democracy is whether our public life has sufficient number of people who value their own credibility, who safeguard the trust that people have in them, and set an example for the rest of society.

In this respect, society’s expectation from politicians and businessmen is not fundamentally different. Businessmen and business organisations are also expected to preserve the trust and confidence that customers and stakeholders have in them. In the ultimate analysis, reputation cannot be earned or retained through advertising and other superficial brand-building exercises. It comes only by delivering consistently what you promise, to the satisfaction of your customers.

The value of ‘Brand India’ depends on how good are the infrastructure facilities in our country, how attractive is the environment for investment and doing business, how efficient, transparent and corruption-free is the functioning of various government bodies and how good is the law and order situation. If investors and businessmen are satisfied on all these counts, naturally trade and businesses will thrive and many more ‘Superbrands’ will emerge.

I wish to assure this audience that we shall take bold and decisive steps to change this situation – to enhance the value of ‘Brand India’ – if people give us the mandate to form the next government.

Posted on August 21, 2008 05:17 AM

Ning Blog  
 

We’re back up after tonight’s unexpected downtime. This was a 2 hour and 45 minute downtime that was caused by a bug in our infrastructure that triggered a number of now resolved issues. This bug was identified and fixed, but it took longer than we initially expected.

All systems should be good to go at this point and we’ll be monitoring the situation closely from here on out. We do not anticipate another issue with this same component given the current fix, but I’ve probably jinxed it for saying that.

Thank you for your patience. We really appreciate it and apologize for the inconvenience tonight’s downtime has caused.

Posted by Gina Bianchini on August 21, 2008 05:08 AM

  Some colleagues (Hovav Shacham, Brendan Enright, Scott Yikel, Stefan Savage) and I have been tracking the aftermath of the Debian OpenSSL PRNG bug (see Hovav's Work-In-Progress presentation at USENIX WIP here). One of the questions that comes up is what you can do with this. Here's what's obvious (I'm talking about SSL only below):
  • If the server key was generated with the weak PRNG, you can guess the server key and:
    • Impersonate the server.
    • Passively decode traffic encrypted with static RSA (which a lot of traffic is). This doesn't help with ephemeral Diffie-Hellman (DHE).
  • If the server key is strong but the server has a weak PRNG:
    • If the server has a DSA private key, you can recover it. This isn't much of an issue for SSL but SSH does use DSA reasonably often.
    • This doesn't directly allow you to recover traffic in static RSA mode. The reason for this is that in static RSA mode, the client generates the only secret data (the PreMaster Secret).
  • If the client stack is insecure, then you could in principle guess the client's random values. However, none of the major browsers use OpenSSL, so this is probably limited to non-browser clients.

But this raises the interesting question: can you passively attack DHE mode? In this mode, the server generates a fresh DH key for each transaction. Knowing the server's long-term private key doesn't help here; that just lets you impersonate the server. So, the implementation used to generate the long-term key doesn't matter. However, unlike RSA, DHE requires the server to generate secret random values, so if the server is running a broken version, this may give us a way in.

We're not the only ones to think along these lines: Lucian Bello describes a partial attack and has posted a patch to Wireshark to attack DHE connections:

If an eavesdropper can explore the complete private key space (all the possible numbers for Xc or Xs), he/she will be able to get access to the shared secret. With it all the communication can be deciphered. That's what this patch can do.

A Wireshark with this patch and a list of possible private keys will try to brute force the shared secret. If one of the parties is using the vulnerable OpenSSL package the communication is totally insecure and will be decrypted.

Bello demonstrates attacking a connection between a broken client and a decent server. However, the attack as described doesn't work with secure clients (which, as I said, is pretty much any browser) and broken non-toy Web servers (the situation is different for non-Web servers, e.g., IMAP and POP servers which run out of inetd): even if the server's PRNG is broken, there isn't a fixed-size list of keys it generates.

To understand why, you need to understand the vulnerability better. Effectively, the vulnerability stopped any invocations of RAND_seed() from mixing data into the PRNG. The only time new seed data gets mixed in is when you get new randomness values via RAND_bytes(). Each time you call RAND_bytes() the current process ID gets mixed into the PRNG. So, for a given PID and a given sequence of invocations of RAND_bytes(), you always get the same string of random values. These values are (statistically) unique, but predictable: you can say "the nth value will always be one of the following 2^15 values depending on the PID". However, it should be clear that even for a given PID, you can generate an arbitrary (well, almost) number of distinct values. So, if you had a process which generated a million DH keys in sequence, they'd all be different. Unfortunately for Bello's attack, this is exactly how many real Web servers work. For instance, Apache w/ Mod_SSL forks off a bunch of long-lived server processes which each handle many requests. Bello's attack would potentially work on the first connection, but the second connection would not be on the key list. You need another 2^15 values to handle the second connection. We've confirmed this by setting up a server, connecting to it, and pulling out more than 2^15 distinct public keys. So, you need to do something more complicated.

What follows is our initial analysis of Apache with Mod_SSL, which we're currently working on confirming. The details may not be quite right, but I suspect the general contours are.

With Apache and Mod_SSL it turns out that RAND_bytes() gets called in the parent process before it forks off the subprocesses, so each subprocess has both the parent process and the subprocess PIDs mixed in. So, you have 2^30 distinct PID combinations and therefore random value streams to deal with. In general, however, since the parent process forks off an initial set of children immediately and children aren't killed or started that often, the entropy is probably a lot less than 2^30, and even 2^30 is still searchable if you've got even modest computer power.

So, if you get to observe the server from the time of startup, you're in fine shape. As soon as you observe a connection, you check your table of known keys (basically a bigger version of Bello's table that takes into account both parent and child PIDs). [Actually, you can save some compute time by building a table of ServerRandom values, which saves you doing the modular exponentiation to compute the public key for a given private key.] That tells you what the PID pair of the server process you're observing is, and of course its current state. You've got the private key, so you can decrypt the connection. To handle the next connection to that server process, you roll the PRNG forward to compute the next expected key. When the next connection comes in, you repeat this process, so at any given time you know the next value for each active PID pair.

If you're not lucky enough to see the server from the time of startup, then life gets more complicated, since you don't know where in its random number stream each server process is. So, you would need to try candidate numbers of connections. Unfortunately, there's another complicating factor: TLS handshakes with Diffie-Hellman and RSA key exchanges involve different patterns of random values; the DH exchange involves an extra 128-byte random value for Xs (the DH private key). No problem, you say: we'll just compute reasonably sized sections of the random value stream and look for matches within the probable zone. Unfortunately, this doesn't look like it's going to work. As I said earlier, each time you invoke RAND_bytes() the PID gets mixed into the PRNG. In other words, RAND_bytes(128); RAND_bytes(32); does not produce the same 160 bytes as RAND_bytes(32); RAND_bytes(128);. This means that every connection introduces one bit of entropy: whether DHE or RSA was used. If you're not observing these connections, this entropy quickly adds up and it becomes impractical to search the space. It's possible that there's some analytic attack on the PRNG that would let you reduce this search space, but nothing popped out at us on casual inspection. This suggests that if you have a server which only does DHE, you can attack individual connections, but if it does both DHE and RSA, you need to observe all the connections from the server to make sure you know the DHE/RSA pattern.
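The process model above (PID mixed in per RAND_bytes() call, parent draws once then forks long-lived children, a ServerRandom table that is rolled forward per PID pair, and the DHE/RSA desync) as an added Python example that is not part of the original post and not OpenSSL code. BrokenPRNG is a hypothetical simplification of the Debian-patched generator that keeps only the two properties the analysis relies on: seeding is a no-op and the PID is folded in once at the start of every draw. The PID ranges, class names and request sizes (32 bytes for ServerRandom, 128 for Xs) are assumptions chosen to keep the run small; a real table would span 2^15 x 2^15 pairs.

```python
import hashlib

class BrokenPRNG:
    """Toy model of the Debian-patched OpenSSL PRNG (a hypothetical simplification,
    not OpenSSL's md_rand.c). It keeps the two properties the analysis relies on:
    seeding is a no-op, and the PID is mixed in once at the start of every bytes()
    call, so the output is fixed by the PID plus the sequence of request sizes."""

    def __init__(self, pid, state=b"\x00" * 32, counter=0):
        self.pid, self.state, self.counter = pid, state, counter

    def seed(self, data):
        return None  # Debian's patch removed the mix-in: RAND_seed() changes nothing

    def bytes(self, n):
        # PID folded in on the first block of each call, as in ssleay_rand_bytes().
        self.state = hashlib.sha256(self.state + self.pid.to_bytes(4, "little")).digest()
        out = bytearray()
        while len(out) < n:
            self.counter += 1
            block = hashlib.sha256(self.state + self.counter.to_bytes(8, "little")).digest()
            self.state = hashlib.sha256(self.state + block).digest()
            out += block
        return bytes(out[:n])

    def fork(self, child_pid):
        # fork() copies the pool verbatim; only the PID the child mixes in differs.
        return BrokenPRNG(child_pid, self.state, self.counter)

class ModSSLServer:
    """Parent draws once, then forks long-lived children that each serve many
    handshakes (toy model of the Apache/mod_ssl process structure in the text)."""

    def __init__(self, ppid, child_pids):
        parent = BrokenPRNG(ppid)
        parent.seed(b"entropy that never gets mixed in")
        parent.bytes(32)  # the parent's pre-fork RAND_bytes() call
        self.children = {cpid: parent.fork(cpid) for cpid in child_pids}

    def handshake(self, cpid, kx):
        """Returns what the wire shows (32-byte ServerRandom) and the secret a
        sniffer wants (the 128-byte DH private value Xs, drawn only for DHE)."""
        prng = self.children[cpid]
        server_random = prng.bytes(32)
        xs = int.from_bytes(prng.bytes(128), "big") if kx == "dhe" else None
        return server_random, xs

class Sniffer:
    """ServerRandom table over candidate (parent, child) PID pairs, with one
    replica PRNG per pair that is rolled forward as connections are observed."""

    def __init__(self, ppids, cpids):
        self.table = {}
        for ppid in ppids:
            parent = BrokenPRNG(ppid)
            parent.bytes(32)
            for cpid in cpids:
                replica = parent.fork(cpid)
                # Keyed on the next expected ServerRandom, so matching needs no modexp.
                self.table[replica.bytes(32)] = (ppid, cpid, replica)

    def observe(self, server_random, kx):
        hit = self.table.pop(server_random, None)
        if hit is None:
            return None  # unknown PID pair, or a missed handshake desynced the replica
        ppid, cpid, replica = hit
        xs = int.from_bytes(replica.bytes(128), "big") if kx == "dhe" else None
        self.table[replica.bytes(32)] = (ppid, cpid, replica)  # re-key for the next one
        return ppid, cpid, xs

def order_matters(pid=4242):
    """RAND_bytes(128); RAND_bytes(32) gives different bytes than the reverse order."""
    a, b = BrokenPRNG(pid), BrokenPRNG(pid)
    return a.bytes(128) + a.bytes(32) != b.bytes(32) + b.bytes(128)

def distinct_keys(pid, n):
    """One long-lived process yields n distinct 128-byte values, not one per PID."""
    prng = BrokenPRNG(pid)
    return len({prng.bytes(128) for _ in range(n)})

def demo():
    """Toy PID ranges (16 x 16 pairs instead of 2^15 x 2^15) so this runs instantly."""
    server = ModSSLServer(ppid=1000, child_pids=[2001, 2002])
    sniffer = Sniffer(range(992, 1008), range(1992, 2008))
    results = []
    for cpid, kx, observed in [(2002, "dhe", True), (2001, "dhe", True),
                               (2002, "rsa", False), (2002, "dhe", True)]:
        server_random, xs = server.handshake(cpid, kx)
        if observed:
            hit = sniffer.observe(server_random, kx)
            results.append(hit is not None and hit[1] == cpid and hit[2] == xs)
    return results  # [True, True, False]: the unseen RSA handshake desyncs child 2002
```

The first two observed connections are recovered from the table and each replica is rolled forward; the third, an RSA handshake the sniffer never sees, advances child 2002's stream by one 32-byte draw, so the fourth connection no longer matches any key. Knowing the DHE/RSA pattern (or only ever seeing DHE) is what keeps the replicas in sync.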

I should mention one more issue: OpenSSL uses a random blinding value to stop remote timing attacks on static RSA. If you can predict the blinding value, then it may be possible to mount a timing attack on the static RSA key, even if it was generated with a strong PRNG. We're still looking into this as well.

As I said at the beginning all this is preliminary and only partly confirmed. We're hoping to have definitive results sometime in the next few weeks and be publishing soon after that.

Posted on August 21, 2008 04:47 AM · permalink

 

Now that Jade Goody has had to leave Bigg Boss, there is immense speculation over who will replace her. Rediff reports that Sherlyn Chopra is a candidate, but is playing hard to get.

What she deserves, the actress feels, is a fee of Rs 3 crore for her appearance in the Bigg Boss house.

Sherlyn also wants the makers to install cameras in the bathrooms of the house, so that she could flaunt her collection of bikinis and inner wear while bathing.

Yes, it baffles me as well how Chopra can ‘flaunt’ her bikinis and inner wear while bathing. I thought it was only in Hindi films that people bathed with clothes on. I hope they bargain her down to Rs 3 lakhs or something, and she ends up on the show and shows us what she means.

In yesterday’s episode, by the way, Sanjay Nirupam harangued Sambhavna Seth on the issue of why she “displays her body parts” while doing item numbers. (Loose translation from Hindi.) She gave a feisty reply, saying that she only “displays her art.” A while later, after she had changed out of whatever she was wearing, Nirupam remarked that he was glad that his comments had had an effect, and she was covering her body more. Seth complained to Ketaki Dave about this, who did artful ungli by telling Seth that she should have given Nirupam a fitting reply and not stayed silent.

So just imagine if Sherlyn Chopra joins the zoo with her inner wear. Nirupam won’t know wear to look. Much fun.

The India Uncut Blog © 2007 Amit Varma. All rights reserved.

Posted by Amit Varma on August 21, 2008 04:41 AM · permalink

  I’ve spent a bit of time over the last month designing a new blog that I’ll be launching soon, and in doing so, I’ve become aware of some design and coding habits which, when put together, clearly compromise a bit of a “design signature”. If you’ve designed more than five sites in your site, [...]

Posted by Mike D. on August 21, 2008 04:33 AM · permalink

 

Some remarkable rainfall piling up in Florida during the current stalled Tropical Storm Fay. Check the following 24-hour precipitation figure, and note that there are areas in Florida now well on their way to 20 inches (!!) of rain over the last day or so.

wet-florida

Posted by pk on August 21, 2008 04:26 AM · permalink

Anil Dash  
 

I’ve been head down working on my book, which goes way slower than I’d like. I find it’s pretty damn hard to get motivated to write sometimes, so grinding through produces pages but nothing I admire. I’ll probably just keep writing and hopefully go back and mix it up a little later. Then again HTTP is a boring as hell topic, and so absolutely irritating at the same time. It’s like writing about the damn tax code.

Lately though I’ve been exploring electronics and music in an attempt to combine them better. As I went through this learning process and tried to find other people interested in the intersection of art and hacking, I realized that something happened to us geeks. There just aren’t that many places where we can go to talk about our cool ideas or awesome hacks.

It’s like the entire scene was taken over by business pod people only interested in how they can flip their stupid startup to Google. There’s no hard core geeks left, but I know that can’t be true. There has to be at least 5 or 10 who want to talk about truly wicked weird cool shit they work on.

After months of thinking about the problem and talking with others, I came up with an idea. Read about it, and tell me what you think.

Posted on August 21, 2008 04:00 AM · permalink

 

1986: A deadly cloud of carbon dioxide sweeps down the slopes of an African volcano, smothering more than 1,700 people.

Volcanoes can kill in many ways, but this one is pretty weird. A volcanic lake in the West African nation of Cameroon degassed violently (you could say it burped, or worse) in the middle of the night. Carbon dioxide is odorless and heavier than air. Most of the victims died in their sleep.

Lake Nyos sits in the crater of a volcano that hadn't erupted in centuries ... and probably didn't actually erupt the night of Aug. 21, 1986.

Magma deep underneath the lake releases carbon dioxide into its depths. Lake Nyos is 690 feet deep, enough for the water pressure to keep the CO2 dissolved in the lake water, rather than letting it bubble up and escape to the surface. And the crater rim towers above the lake, blocking winds which could otherwise stir the surface and create convection currents that would circulate the deep, CO2-saturated water upward to areas of lower pressure. The lack of seasonal variation less than seven degrees north of the equator also contributes to the lake's placidity.

Volcanic rumbling or other seismic activity could have triggered the sudden release of the gas that deadly night, but there's no record of any tremors and no evidence that anything shook off the shelves of homes in nearby villages. It's possible the gas at the lake's bottom just got so concentrated that even under pressure it came out of solution and formed bubbles. Once the bubbles started rising, a "chimney effect" would have rapidly siphoned huge amounts of gas to the surface.

The gas burst through the surface with a rumble, generating a giant wave that scoured vegetation from the shores. The CO2 cloud was at least 300 feet high, because it suffocated cattle on hillsides that far above lake level. Iron from the deep water oxidized and stained the lake waters with rust.

Then the gas crept down the mountain valleys, invading homes. It extinguished oil lamps and suffocated people in their sleep. Some who were awakened by the loud gas bubble stood up and lived, because their heads were above the invisible gas near the ground. But many who went outside paid with their lives.

Few survived. Those from neighboring villages who discovered the devastation recalled with terror the legends about evil demons living in mountain lakes.

Had this happened before? Yes, at least on a smaller scale. A CO2 cloud released by Lake Monoun, about 60 miles south, killed 37 people two years earlier. (The much larger Lake Kivu -- on the Congo-Rwanda border -- harbors not only carbon dioxide, but methane, in its depths.) And Cameroonians frequently find frogs suffocated by CO2 in low-lying mud puddles.

Engineers hope to prevent a recurrence of the tragedy by continuously degassing Lake Nyos. They've sunk a pipe from a floating platform into the depths of the lake. It shoots a geyser of carbonated water high into the air.

Source: Google Earth; National Geographic, September 1987



Posted by Randy Alfred on August 21, 2008 04:00 AM · permalink

 

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The NXP Mifare Classic chip used in the London "Oyster card" (and in Dutch transit cards) was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.

The ethics of full disclosure are intimately familiar to those of us in the computer-security field. Before full disclosure became the norm, researchers would quietly disclose vulnerabilities to the vendors -- who would routinely ignore them. Sometimes vendors would even threaten researchers with legal action if they disclosed the vulnerabilities.

Later on, researchers started disclosing the existence of a vulnerability but not the details. Vendors responded by denying the security holes' existence, or calling them just theoretical. It wasn't until full disclosure became the norm that vendors began consistently fixing vulnerabilities quickly. Now that vendors routinely patch vulnerabilities, researchers generally give them advance notice to allow them to patch their systems before the vulnerability is published. But even with this "responsible disclosure" protocol, it's the threat of disclosure that motivates them to patch their systems. Full disclosure is the mechanism by which computer security improves.

Outside of computer security, secrecy is much more the norm. Some security communities, like locksmiths, behave much like medieval guilds, divulging the secrets of their profession only to those within it. These communities hate open research, and have responded with surprising vitriol to researchers who have found serious vulnerabilities in bicycle locks, combination safes, master-key systems and many other security devices.

Researchers have received a similar reaction from other communities more used to secrecy than openness. Researchers -- sometimes young students -- who discovered and published flaws in copyright-protection schemes, voting-machine security and now wireless access cards have all suffered recriminations and sometimes lawsuits for not keeping the vulnerabilities secret. When Christopher Soghoian created a website allowing people to print fake airline boarding passes, he got several unpleasant visits from the FBI.

This preference for secrecy comes from confusing a vulnerability with information about that vulnerability. Using secrecy as a security measure is fundamentally fragile. It assumes that the bad guys don't do their own security research. It assumes that no one else will find the same vulnerability. It assumes that information won't leak out even if the research results are suppressed. These assumptions are all incorrect.

The problem isn't the researchers; it's the products themselves. Companies will only design security as good as what their customers know to ask for. Full disclosure helps customers evaluate the security of the products they buy, and educates them in how to ask for better security. The Dutch court got it exactly right when it wrote: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

In a world of forced secrecy, vendors make inflated claims about their products, vulnerabilities don't get fixed, and customers are no wiser. Security research is stifled, and security technology doesn't improve. The only beneficiaries are the bad guys.

If you'll forgive the analogy, the ethics of full disclosure parallel the ethics of not paying kidnapping ransoms. We all know why we don't pay kidnappers: It encourages more kidnappings. Yet in every kidnapping case, there's someone -- a spouse, a parent, an employer -- with a good reason why, in this one case, we should make an exception.

The reason we want researchers to publish vulnerabilities is because that's how security improves. But in every case there's someone -- the Massachusetts Bay Transit Authority, the locksmiths, an election machine manufacturer -- who argues that, in this one case, we should make an exception.

We shouldn't. The benefits of responsibly publishing attacks greatly outweigh the potential harm. Disclosure encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers. It's how we learn about security, and how we improve future security.

---

Bruce Schneier is Chief Security Technology Officer of BT Global Services and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can read more of his writings on his website.



Posted by Bruce Schneier on August 21, 2008 04:00 AM · permalink

Slashdot  
An anonymous reader writes "The web is evil and must be stopped — because it makes public information too public. So says Canada's Privacy Commissioner. She wants to 'anonymize' court records by substituting initials for names. The Toronto Star quotes Jennifer Stoddart as saying 'The open court rule, which is extremely historically important, has now become distorted by the effect of massive search engines... Court decisions and other related documents, which contain all sorts of personal information, are now searchable worldwide, which was never intended when openness rules were devised.' All Stoddart's proposal would do is erect a minor barrier for the techno unsavvy. Researchers, reporters, geeks, and most teenagers would still be able to figure out who's who. Stoddart seems to believe only in an abstract notion of freedom and access — but only as long as not too many people use it and no one suffers. She cites the case of someone who is upset at reading the divorce case of her parents. Is Stoddart a danger or a menace? Or just clueless?"

Read more of this story at Slashdot.

Posted by samzenpus on August 21, 2008 03:55 AM · permalink

 

Now that we have the best quorum determination function and the ideal function to calculate the binomial expansions, it is easy to write a script to calculate the p value of motifs in DNA sequences. On to the script:

#!/usr/bin/env python

import sys
from collections import defaultdict

import fasta  # our own module: read_seqs() returns just the sequences from FASTA lines


def choose(n, k):
    """Binomial coefficient n over k (iterative, from the Python cookbook recipe)."""
    if 0 <= k <= n:
        ntok = 1
        ktok = 1
        for t in range(1, min(k, n - k) + 1):
            ntok *= n
            ktok *= t
            n -= 1
        return ntok // ktok
    else:
        return 0


def get_quorums(seqs, mlen):
    """
    Map each word of width mlen to the set of sequence ids that contain it.
    Ids come from an explicit counter, so a word found twice in one sequence
    still counts that sequence only once.
    """
    quorum = defaultdict(set)
    id_no = 0
    for seq in seqs:
        id_no += 1
        for n in range(len(seq) - mlen + 1):  # + 1 so the last window is included
            quorum[seq[n:n + mlen]].add(id_no)
    return quorum


input_seqs = fasta.read_seqs(open(sys.argv[1]).readlines())   # foreground
input_seqs2 = fasta.read_seqs(open(sys.argv[2]).readlines())  # background

foreground = get_quorums(input_seqs, 10)
background = get_quorums(input_seqs2, 10)

N = len(input_seqs) + len(input_seqs2)  # population: all sequences
n = len(input_seqs)                     # sample: the foreground sequences

for word in foreground:
    k = len(foreground[word])  # foreground sequences containing the word
    K = len(background[word])  # background sequences containing the word
    # hypergeometric terms: C(K, k) * C(N - K, n - k) / C(N, n)
    term1 = choose(K, k)
    term2 = choose(N - K, n - k)
    term3 = choose(N, n)
    p = term1 * term2 / term3
    if 0 < p <= 0.0001:
        print(word, k, K, p)

We already defined choose in the last post (more information in the link from the Python’s cookbook) and earlier Mike sent us a series of quorum-determination functions and one of the best was portrayed and explained here. We also need our fasta module to read the sequences (and only the sequences) in order to use it in the quorum function.

Basically we use the foreground and background files as input, determine the quorum of the different words (width 10) and then iterate over the results, calculating the p value for each motif found in the foreground set. The three terms of the hypergeometric distribution are calculated separately, and we test for a p value smaller than 0.0001 (this can be modified), printing only the results that fall in this category. Next time we will do some code refactoring, change this script a little and also explain it better.
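A self-contained version of the same computation, added here as an example rather than taken from the post: it carries its own small FASTA reader instead of the post's fasta module, uses math.comb for the binomial terms, counts the sequences containing a word across both sets (K = foreground hits + background hits) so that the three terms form the hypergeometric distribution over the pooled N sequences, and reports the upper tail P(X >= k) rather than the single term, which is the usual enrichment p value. The sequences are constructed test data (a 10-mer planted at the start of six foreground sequences, hash-derived filler elsewhere), not real DNA.

```python
import hashlib
import math
from collections import defaultdict

def parse_fasta(text):
    """Minimal FASTA reader: returns the sequences (headers dropped), upper-cased."""
    seqs, cur = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            if cur:
                seqs.append("".join(cur))
            cur = []
        elif line:
            cur.append(line.upper())
    if cur:
        seqs.append("".join(cur))
    return seqs

def quorums(seqs, mlen):
    """word -> set of indices of the sequences containing it (each counted once)."""
    q = defaultdict(set)
    for idx, seq in enumerate(seqs):
        for n in range(len(seq) - mlen + 1):  # + 1 so the last window is included
            q[seq[n:n + mlen]].add(idx)
    return q

def hypergeom_tail(k, K, n, N):
    """P(X >= k) for X ~ Hypergeometric(N, K, n): N sequences in total, K of them
    containing the word, n of them in the foreground, k foreground hits."""
    top = sum(math.comb(K, j) * math.comb(N - K, n - j) for j in range(k, min(K, n) + 1))
    return top / math.comb(N, n)

def enriched_motifs(fg_text, bg_text, mlen=10, threshold=1e-4):
    """Words of width mlen over-represented in the foreground set at the threshold."""
    fg, bg = parse_fasta(fg_text), parse_fasta(bg_text)
    fq, bq = quorums(fg, mlen), quorums(bg, mlen)
    N, n = len(fg) + len(bg), len(fg)
    hits = {}
    for word, members in fq.items():
        k = len(members)
        K = k + len(bq.get(word, ()))  # containing sequences across both sets
        p = hypergeom_tail(k, K, n, N)
        if p <= threshold:
            hits[word] = (k, K, p)
    return hits

def pseudo_dna(label, length):
    """Deterministic filler standing in for random DNA (constructed test data)."""
    buf = hashlib.sha256(label.encode()).digest()
    while len(buf) < length:
        buf += hashlib.sha256(buf).digest()
    return "".join("ACGT"[b % 4] for b in buf[:length])

MOTIF = "ACGTACGTTG"
# Constructed input: the motif planted at the start of six foreground sequences
# (followed by a per-sequence letter so partial overlaps cannot pile up), and
# fourteen background sequences of filler only.
FOREGROUND = "".join(f">fg{i}\n{MOTIF}{'ACGT'[i % 4]}{pseudo_dna(f'fg{i}', 25)}\n" for i in range(6))
BACKGROUND = "".join(f">bg{i}\n{pseudo_dna(f'bg{i}', 36)}\n" for i in range(14))
```

With six of twenty sequences in the foreground and the motif in all six and nowhere else, the tail probability is 1/C(20, 6) = 1/38760, well under the 0.0001 cutoff, while a word seen in a single foreground sequence scores 0.3 and is dropped.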

Reblog this post [with Zemanta]

Posted on August 21, 2008 02:32 AM · permalink

A Kentucky sheriff and deputy drove all the way to California to nab a man who had jumped bail after being charged with a misdemeanor of DWI and a minor felony of attempting to evade police. After returning from their 4,100-mile round trip that included some sight-seeing and souvenir shopping, mugshot and fingerprint comparisons proved that they had picked up the wrong guy. Apparently, the man, Joel Oros III, had told them all along that he wasn't who they thought he was. From the Kentucky Enquirer:
Embarrassed by the mistake, the county swiftly put Oros on a plane back to California.

"We decided with our attorneys that the best thing to do was get him back home as quick as we could," said Butler Judge-Executive David Fields.

But the cross-country jaunt may prove to cost the county a little more than the expense of a plane ticket.

As he was being freed, Oros ran into a helpful Kentucky lawyer who agreed to sue Butler County and the state of California, if necessary, to try to get extra compensation for the 2,000 miles he rode in shackles....

Other than the handcuffs locked tightly around his wrists, Oros said he enjoyed the 30-hour ride to Kentucky -- his first chance to see states outside California.

"They fed me good," he said. "They were entirely nice people."

He also said he had no problem with Gaddie and Deputy Mitchell Russ doing a little souvenir hunting along the way.

"Praise God, let them shop," Oros said.
4,100 Miles For An Arrest That Just Goes Bust (Kentucky Enquirer, thanks Rick Pescovitz!)

Posted by David Pescovitz on August 21, 2008 02:15 AM · permalink

Ultrabrown  
 

In honor of next week’s Barack Obama onanism festival, a.k.a. the Democratic National Convention, Abhi and I teamed up to create some political tees. It’s actually more like Lennon - McCartney where Lennon did the lyrics and I just strummed.

Abhi will be wearing these designs, and some considerably more pungent, while he live-blogs the DNC. Order them here. Larger previews are after the jump.

Posted by manish vij on August 21, 2008 02:15 AM · permalink

 

Marty Schwartz is another rock star trader profiled in Market Wizards. After completing his service in the Marine Corps, Schwartz earned an MBA at Columbia Business School. After graduation, Schwartz became a securities analyst. Following eight frustrating years as a securities analyst, Schwartz became a full time independent trader in 1979. The star trader achieved trading fame during the U.S. Trading Championships, run by Norm Zadeh, a professor at Princeton University. In the competition, Schwartz had larger profits than all of the other traders combined, and returned 781 percent in the one-year contest. Schwartz shares his trading tips in Market Wizards, outlined below.

Work Ethic
In any profession, a strong work ethic is important for success. Work ethic is especially important in trading, an extremely competitive career. Schwartz always tries to be better prepared than his competition. His preparation involves long hours and attention to detail, and this work ethic is crucial to his outstanding trading results.

Accepting and Recognizing Wrong Decisions
Removing ego from his trading psychology is another important factor in Schwartz’s trading success. When Schwartz was a losing trader early in his career he struggled to admit when he was wrong. He corrected this detrimental psychology to become a winning trader. A component of being a winning trader is accepting that you cannot always be correct. Sometimes the market acts in improbable ways that one trader cannot fight against. Winning traders are able to recognize when they are wrong and cut losses. “One of the most suicidal things you can do is to keep adding to a losing position.”

Coping With Large Losses
Even the best traders have to face large losses at times. Schwartz trades around large losses by reducing the size of his trades until he regains confidence. “After a devastating loss, I always play very small and try to get black ink, black ink. It’s not how much money I make, but just getting my rhythm and confidence back.”

Risk Control
Schwartz, similar to many traders including Larry Hite, employs strong risk control to be a winning trader. By limiting downside risk and preserving capital during down markets, Schwartz is able to position his portfolio to take advantage of early bull markets.

Macro Market N