Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
It has been a while since a report appeared in RISKS of a squirrel chewing through a communication cable [*]. To relieve the monotonous drumbeat of cyberattack breaches, here is a *two*-squirrel report: At our summer place in the central Idaho mountains, a little after 9:00 a.m. on August 8, 2014, Internet service on our Frontiernet DSL line went dead. A couple of pings established that the DSL line was OK and the central office was still alive. Our next-door neighbor knocked on the door and asked if we had Internet service, since hers was out, too. I grabbed my iPad, which has Internet service on AT&T Mobile, and found that it was incommunicado. The neighbor checked her iPhone, which has Internet service on Verizon Wireless, and it was dead, too. Then a second neighbor came by and asked why her cable TV just went dark. A local hamburger joint put up a sign saying "cash only", since they couldn't authenticate credit cards or validate checks, and the nearby hospital reverted to paper procedures, since the dedicated circuit to their main office 100 miles to the south was out. Then, around 5 p.m., communication services started working again. Syringa Networks, the regional ISP that links Internet points of presence and provides commercial communication services for this area, said that a squirrel had gnawed through a fiber-optic cable in Weiser, Idaho. By itself that should have caused only momentary trouble, since Syringa backs up that cable, running up the Weiser river valley, with a second fiber-optic link running up the Payette river valley, 20 miles to the east. But, according to Syringa, a second squirrel chewed through the Payette river valley fiber-optic cable near Hidden Springs, Idaho. The result was that a 120-mile strip of western Idaho, from Horseshoe Bend to Whitebird, nestled between Hells Canyon and the central Idaho mountains, was cut off from the world. Internet service, cable TV service, and dedicated communication lines were all out of service. 
Interestingly, landline POTS seemed not to be affected, probably because those services are still using old-fashioned microwave relay towers rather than chewable fiber links. More details: Squirrel Took A Mega Byte http://livinginthenews.com/article/2051?p=3 [* The most recent item was Squirrelcide at San Jose Airport (Dave Stringer-Calvert, RISKS-20.87, 14 Apr 2000). Perhaps the squirrels have gotten smarter. PGN adds: I'm surprised the local hamburger joint did not put up a sign: Special, today only, one squirrelburger. First come, first served.]
Just an article in English about the problem: http://en.ria.ru/world/20140828/192413515/Galileo-Satellites-Incident-Likely-Result-of-Software-Errors.html
Stars take nude photos, load them to cloud. Cloud hacked, photos posted widely. Stars shocked, outraged, sue. Go figure... Zeb Eckert, Bloomberg, 1 Sep 2014 <http://bloom.bg/1tpoenQ> Apple's security standards are under scrutiny after reports that hackers used the iCloud service to illegally access nude photos of celebrities in the U.S. and UK. http://bloom.bg/1B9bP8O [See also Andy Greenberg, `Police Tool Used to Steal Nude Pics From iCloud', *WiReD.com*, 2 Sep 2014, noted by Henry Baker, with the back story at considerable length. PGN] https://www.wired.com/2014/09/eppb-icloud/ [See also Emily Wright, 'Leak' of Celebrities' Personal Property a Despicable, Eye-Opening Crime, *The Boston Globe*, 2 Sep 2014. PGN] http://www.boston.com/entertainment/celebrity/2015/09/09/leak-celebrities-personal-property-despicable-crime/BzurbE727AJHdTQcSlrvKK/story.html [See also Sean Gallagher, Apple confirms celebrities' accounts breached in "highly targeted" attack, Ars Technica, 2 Sep 2014. PGN] http://arstechnica.com/tech-policy/2014/09/apple-confirms-celebrities-accounts-breached-in-highly-targeted-attack/
PORTLAND, Ore. (AP via San Jose Mercury News)—Law students taking the bar exam have it tough: Three years hitting the books. Hundreds of thousands of dollars in tuition. And all of it, potentially wasted with a few failed attempts at the dreaded state-administered test. So in late July, with one day of the grueling session behind them, thousands of law students were surprised to find that they couldn't upload their answers using the software they purchased from Florida-based ExamSoft Worldwide Inc. Third-year law students with mountains of debt were perhaps not the best crowd to tick off. They sued. And they sued. And they sued. http://www.mercurynews.com/education/ci_26321759/bar-exam-software-failure-sets-off-wave-lawsuits Software critical for deadline-driven test submission required for bar exam -- updated just before crush of seasonal test taking. What could go wrong? Gabriel Goldberg, Computers and Publishing, Inc. email@example.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Klint Finley, Out in the Open, 1 Sep 2014 <http://www.wired.com/2014/09/tox/> The web forum 4chan is known mostly as a place to share juvenile and, to put it mildly, politically incorrect images. But it's also the birthplace of one of the latest attempts to subvert the NSA's mass surveillance program. When whistleblower Edward Snowden revealed the full extent of the NSA's activities last year, members of the site's tech forum started talking about the need for a more secure alternative to Skype. Soon, they'd opened a chat room to discuss the project and created an account on the code hosting and collaboration site GitHub and began uploading code. Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not by any one company, but by the world at large, a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services. It's too early to count on Tox to protect you from eavesdroppers and spies. Like so many other new tools, it's still in the early stages of development and has yet to receive the scrutiny that other security tools, such as the instant messaging encryption plugin Off The Record, have. But it endeavors to carve a unique niche within the secure communications ecosystem. Up to Your Imagination: The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever, not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down. There are other developers trying to build secure, peer-to-peer messaging systems, including Briar and Invisible.im, a project co-created by HD Moore, the creator of the popular security testing framework Metasploit. 
And there are other security-centric voice calling apps, including those from Whisper Systems and Silent Circle, which encrypt calls made through the traditional telco infrastructure. But Tox is trying to roll both peer-to-peer and voice calling into one. Actually, it's going a bit further than that. Tox is actually just a protocol for encrypted peer-to-peer data transmission. "Tox is just a tunnel to another node that's encrypted and secure," says David Lohle, a spokesperson for the project. "What you want to send over that pipe is up to your imagination." For example, one developer is building an e-mail replacement with the protocol, and Lohle says someone else is building an open source alternative to BitTorrent Sync. ... [snip]
Carl Straumsheim, Don't E-mail Me, 27 Aug 2014 http://www.slate.com/articles/life/inside_higher_ed/2014/08/salem_college_professor_spring_serenity_duvall_banned_students_from_emailing.html https://www.insidehighered.com/news/2014/08/27/sake-student-faculty-interaction-professor-bans-student-email
Archives of The Risks Forum contain numerous indignant accounts of troubles caused when the electric power went out unexpectedly. Today, most of the discussion depicts apocalyptic scenes to follow cyber attacks on the power grid. Listen to those stories and you may join the stampede to spend hundreds of billions making it more secure. Never mind that 100% reliability and 100% cyber security are unattainable. Never mind that the goal of terrorism is to make us fearful and to induce us to change our society and priorities. Never mind that every year the public does not experience a widespread blackout, they unwittingly assume that elevators, cell phones and such will never fail, thus increasing the consequences of a real failure. I am of the opinion that the power grid is already too reliable for our own good, and that massive spending on grid security would actually be counterproductive. I'll explain. In parts of India, the power goes out as often as five times per day. Local businesses and the people have adapted to the point where a blackout is hardly noticed. Life and commerce continue uninterrupted. Some have their own backup power. Some find other ways to adapt. No terrorist could scare those people by the threat of a blackout. Firemen hold weekly drills. Pilots and nuclear plant operators train extensively to handle emergencies. Indeed, all professionals expected to deal with unexpected emergencies sharpen and test their skills, and their equipment, via practice. Even as children, we participated in school fire drills. Why not sharpen and train consumers and businesses in analogous ways via staged blackouts? The short answer is that the mere thought is anathema to the culture of the electric utility business. These people dedicate their lives to keeping the lights on always to the best of their abilities. We could design a series of staged blackout drills of varying scope and duration all the way up to a nationwide surprise blackout. 
Periodic refresher drills could maintain readiness. If power grid security ceased to be a source of fear and a threat to the economy, then its appeal as a terrorism target would vanish. We could spend those hundreds of billions on something else. We might also become more flexible in living with a grid dominated by unpredictable solar and wind sources. It is hard for me to think of a way we would not be better off. Is there really a good reason to not do as I suggest? Dick Mills, Sailing Vessel Tarwathie
In a sophisticated cyberattack, the hackers infiltrated the banks' networks, siphoning off gigabytes of data, including checking and savings account information. http://bits.blogs.nytimes.com/2014/08/28/daily-report-jpmorgan-and-other-u-s-banks-are-hit-by-hackers/
FYI—Can anyone besides Rep. Mike Rogers still seriously believe in NSA's NOBUS conceit: "Nobody But Us" ?? It's time to put *all* hands on the *defensive* deck, and remove all legal authority for U.S. Govt agencies to *weaken* cyberdefenses. "People who live in glass houses shouldn't throw stones", and the U.S. lives in the house with the most glass of all. JPMorgan Hack Spanned Months Via Multiple Flaws Jordan Robertson and Michael Riley 2014-08-29 http://www.bloomberg.com/news/2014-08-29/jpmorgan-hack-said-to-span-months-via-multiple-flaws.html Hackers burrowed into the databanks of JPMorgan Chase & Co. and deftly dodged one of the world's largest arrays of sophisticated detection systems for months. The attack, an outline of which was provided by two people familiar with the firm's investigation, started in June at the digital equivalent of JPMorgan's front door, exploiting an overlooked flaw in one of the bank's websites. From there, it quickly developed into any security team's worst nightmare. The hackers unleashed malicious programs that had been designed to penetrate the corporate network of JPMorgan—the largest U.S. bank, which had vowed two months before the attack began to spend a quarter-billion dollars a year on cybersecurity. With sophisticated tools, the intruders reached deep into the bank's infrastructure, silently siphoning off gigabytes of information, including customer-account data, until mid-August. Only then did a JPMorgan team conducting a routine scan trigger an alarm. They discovered a breach, now being traced and evaluated, which investigators believe originated in Russia. [...] [Long item truncated for RISKS. PGN]
A Grand Ayatollah in Iran has determined that access to high-speed and 3G Internet is "against Sharia" and "against moral standards." In answer to a question published on his website, Grand Ayatollah Nasser Makarem Shirazi, one of the country's highest clerical authorities, issued a fatwa, stating "All third generation [3G] and high-speed Internet services, prior to realization of the required conditions for the National Information Network [Iran's government-controlled and censored Internet which is under development], is against Sharia [and] against moral and human standards." Iran Human Rights via NNSquad http://www.iranhumanrights.org/2014/08/makarem-internet/ Comcast, Verizon, AT&T, Time Warner Cable, and other dominant ISPs are now in a bidding war to hire him as a consultant and board member.
The law requires smartphones sold in California to include antitheft technology, a feature that lawmakers hope will lead to a cool down in phone theft, now the hottest urban crime. http://bits.blogs.nytimes.com/2014/08/25/california-governor-signs-law-requiring-a-kill-switch-on-smartphones/
Details are still coming out, but it appears Target has another Credit Card security issue. While the headlines are calling it a "breach" the articles describe the security issue as someone figuring out the numbering sequence Target uses for their REDcard and then making his own fake cards which he was able to use to purchase over $200,000 worth of merchandise at Target stores in California. http://www.news10.net/story/news/local/stockton/2014/08/29/target-credit-card-breach-investigation-search-warrant/14785085/ http://blog.credit.com/2014/08/another-target-data-breach-94511/
Robert Lemos, Ars Technica, 2 Sep 2014 Home-supply giant is evaluating whether thieves have stolen the information. http://arstechnica.com/security/2014/09/problems-at-home-home-depot-investigates-potential-breach/ [See also Path of Stolen Credit Cards Leads Back to Home Depot, *The New York Times*, 4 Sep 2014: Bank and computer security company employees and law enforcement officials are tracing the track taken by the latest batch of stolen cards. PGN] http://www.nytimes.com/2014/09/04/technology/path-of-stolen-credit-cards-leads-back-to-home-depot.html
I've had the same primary email address for almost 25 years, which is good in some ways and bad in others. Lately I discovered that one of the bad things is that I can't send email to the list maintained by my son's school. You see, it's run through Google Groups, and I checked a preference box to prevent anyone but me from making me a member of a Google Group. Back in the late 1990s, accessing usenet via Google Groups got you autosubscribed if you didn't check that box. So why don't I just uncheck that box? Because I never made a Google account attached to that email address (or at least the panopticon has no record of one) and you have to log in to your Google account to change your preferences for things like that. So 15 years later I'm locked out of a completely different service that just happens to be run on some of the same infrastructure. It's fairly easy for me to fix this by ginning up another email address and getting it properly added to the group, but it does make me wonder about 20 or 40 years hence, when the Internet is still running bits of bots from the 90s, all the old interfaces have been changed a dozen times over, and databases have been migrated until no one active even knows what some of the fields mean. Simply forgetting people's opt-in or opt-out choices after a certain statute of limitations seems wrong, but keeping them forever may not be such a good idea either. Or maybe we just shouldn't keep our email addresses for that long.
Lucian Constantin, InfoWorld, 29 Aug 2014 The cyber criminals behind this dangerous ransomware program have received $1 million so far, researchers from Dell SecureWorks said http://www.infoworld.com/d/security/cryptowall-held-over-half-million-computers-hostage-encrypted-5-billion-files-249460
Lucian Constantin, InfoWorld, 02 Sep 2014 Attackers are using a sophisticated Web-based tool to gather information on potential targets, researchers from AlienVault said http://www.infoworld.com/d/security/reconnaissance-code-industrial-software-site-points-watering-hole-attack-249563 opening text: Attackers have rigged the website of an industrial software firm with a sophisticated reconnaissance tool, possibly in preparation for attacks against companies from several industries.
I am curious if you posted this somewhere else and the URL wasn't included, or if this is the entirety of your argument? As it stands, you are throwing out some general theories and ideas, but not making any direct comparisons or arguments that back your subject and first line. Since the vendors pay for the bounty, introducing bugs into their own code is counterproductive entirely. That means the basis of the Cobra Effect does not work as a comparison. Perverse Incentive is interesting, but the Wikipedia examples largely don't track either (e.g. the rats, which is a throwback to cobras). The palaeontologist/China example might, but ultimately the vendors decide what to pay. Even if a researcher abstracts the issue out, the vendor can simply not pay 'per vuln' if they don't agree with the abstraction. Finally, the Moral Hazard theory doesn't seem to apply here. What 'risk' is there on either side of the bounty program, in that context? I am not outright disagreeing with your theory, as I feel it is untested in the grand scheme. That said, I also don't think you make any real arguments, let alone convincing ones, that back your original notion. I'd like to hear more if you have time or have written about this elsewhere.
Patently ridiculous. I use "site:" on a regular basis so I can use Google to actually find items offered on e-commerce sites whose local indexing and search functions are hopelessly broken. I created a WGET application several years ago so that we could find out that specific Dell computer models were going end-of-life at a time when our Dell reps couldn't be bothered to inform us. If this was a serious issue, why wouldn't DHS push Google to cease honoring those parameters (I am NOT advocating this)? Oh, wait, that would stop NSA, DHS, and state and local authority from milking them for all they are worth... Re: Henry Baker's economic arguments against mandatory "green" electrical power: I believe that electrical utilities in the US do a daily "budget" for power generation, based on forecast weather and other demand factors, rather than change the supply to match demand in real time, which is the implication I got from his post. Other than that, I think his observations on the subject are 100% on target.
But the old fashioned methods are also effective. "Groups claim voter fraud in Maryland, Virginia. More than 150 people may have double voted in 2012 election." ... "The advocacy groups discovered more than 4,300 duplicate voting registrations in a review of records in both states." http://www.wbaltv.com/politics/groups-claim-voter-fraud-in-maryland-virginia/27795574#!bMxgHp
> Unless you're one of those ornery folks who believe that only politically > engaged Americans should vote, Thanks. I'll take that as a compliment. If the only response to the question "why should people who don't care enough to know what the election is about be encouraged to vote in it" is to call names, then I know the correct answer is, indeed, "they should not". > Voter fraud is quite rare, and voting fraud—an organized effort to > illegally disrupt elections—is hard to organize. You must be joking. Every election won by a Republican in the last twenty years has been based on voter fraud, according to the losers. [Before that,] the Daley machine in the city of Chicago kept control of city politics by emptying the graveyards and reminding the political faithful to "vote early, vote often" on election day. Hard to organize? That's why there are political organizing groups. They specialize in, of all things, political organizing. That includes dealing with how to get people "out to vote", even if that requires a bus from a suburb. > A majority of voters regularly endorse the idea. The results of a poll may tell you that. The result of a poll also said that Dewey defeated Truman. What was the actual question being asked, and who asked it to what group? A majority of voters in some places also passed laws against same sex marriage. Using "a majority of voters" to determine what the right way to vote is is called "cherrypicking". > It's hard to steal elections conducted in person or with ballots printed > on something that isn't made up of invisible electronic bits. It would be > much easier to steal, alter, or influence elections that are conducted > online. It is hardER to steal a physical election, perhaps, but hard in absolute terms? Again, you're joking. > ... 
> unless you somehow steal paper ballots in advance and treat them with > magic disappearing ink that would...actually, I can't come up with even a > fanciful way for an election using optically scanned ballots to be stolen > or fudged on a massive scale. It doesn't take using magic ink, all it takes is misplacing a few boxes of ballots from key precincts. What doesn't get counted doesn't count for the opposing candidate. One of my parents helped supervise ballot counting for our county for many years. Part of the training included how to detect a ballot handler who was marking ballots while allegedly counting them. For example, unfolding the ballot and smoothing it out while using a bit of pencil lead held onto a finger by a band-aid to mark, or just void, the ballot. It takes very little imagination to come up with that system and yet it can be very effective. Or you can go to court to get the ballots thrown out for some reason that didn't matter before the election (when objections to the process should take place) but does now that they've been counted and you've lost. Some military absentees don't have postmarks—throw them out. The Republican county officials assisted their absentee voters by putting the voter id number on the application for a ballot and the Democrat ones did not -- throw out the Republican absentees. (Or since we've counted the absentees and they heavily favor the wrong candidate, throw them all out. Our guy comes out ahead.) Those are two real-life examples. Hanging chads and people trying to determine the "intent of the voter" when someone was incapable of poking a hole in a piece of paper... and the elderly Democrat voter who stood up in a public meeting and declared that he had been voting for many years and "didn't need no instructions". Apparently, sir, you did. > With Internet voting, elections could be stolen even before they were > held. Yeah, why wait until during or after the election to commit fraud and steal the election? 
Vote early, vote often, those bus seats are cramped but the money is good... and you might even get a free lunch.
The article by Marc Ambinder makes a number of very valid points. He does not mention the risk that many voters will be influenced by the fact that someone else can look over their shoulder while they are voting. This is impossible in a conventional voting booth, and this form of voting privacy is an essential part of the process. With voting at home, it will be all too easy for a spouse to influence his or her partner's vote, and thereby in effect gain a second vote. Much the same thing can happen in the workplace, with the employer or colleagues having the same kind of influence. It may be direct or quite subtle, but it deprives many voters of the freedom to vote how they choose with complete privacy, which is an essential feature of any democracy. This reason is in itself sufficient to ban Internet voting. Public voting booths with only one person permitted in a booth, and a complete ban on cameras in polling stations, is essential.
But in fact, that's too narrow a focus. Researchers on the topic of electronic voting and vote counting, including Rebecca Mercuri, Ph.D., will tell you—she does so, right here: http://www.notablesoftware.com/RMstatement.html that *even if your Internet voting system is perfectly secure*, there are well-known, and already used, attacks that it cannot protect against. In fact, mail-in ballots are weak on this point already. When you show up at the balloting location, they check that you are who you say you are, to at least a reasonable degree of certainty, and then *an entire room full of people watch you go into a booth alone*, and you don't get a receipt? So what? So you can't prove you voted a certain way... which keeps vote-selling from being a practical thing to do. You think people won't buy votes? Read history. Nope; there is *no* way to do American Political Voting that does not require the majority of voters to show up in person at public voting locations, and still meets all the requirements we have determined over the last 100 years such a plebiscite is *required* to meet. Game over, Man. Game over. Jay R. Ashworth, Ashworth & Associates, St Petersburg FL firstname.lastname@example.org http://www.bcp38.info +1 727 647 1274
danny burstein wrote: > So Mr. Musk, where's my payoff for supplying the utilities with that big > storage battery? Where's their handout to my community for the 1,000 > batteries, or 25 megawatt-hours, of storage? Why should your company and the > utilities get all the payouts? Do you actually supply the utilities with that big storage battery? I'm not finding any information about it on the Internet. Are you suggesting Tesla is doing it behind your backs and not paying you back for the wear on your battery? Or are you saying it is theoretically possible and therefore automatically economically viable, so Tesla should do it and pay you back for it? Or have you actually done some analysis of the efficiencies of AC->DC, battery charging, and DC->AC as well as voltage conversions and the cost of wear on the battery as well as the inconvenience to some drivers of not being able to drive as far as they expected when they get out of work, and simply neglected to mention it? Assuming you commute to work in your Tesla and power the office off of your battery, shouldn't it be your employer paying you back for that energy since they now don't need to buy it from the power company at peak rates? >> "the 40,000 Tesla vehicles already on the US roads contain about >> 3.3 gigawatts of storage capacity..." > > Wrong unit. If they were gasoline-fueled vehicles, he'd be describing > the size of the fuel tank in gallons per hour. Keep in mind it could also be the right units but wrong thing being measured, but it certainly raised my eyebrows when I saw it. I believe you are right since you should be able to get a lot more than 82.5 kW out of a sporty car. (My old Jeep can theoretically produce 142 kW.) Still, an average storage of 82.5 kWh seems a bit high unless you assume 90% of the cars sold are the 85 kWh version (with the remaining 10% being the 60 kWh version), and that none of them have lost any storage capacity yet. (Or you could have fewer base models and more battery wear.) 
Anyway, my point is, I'd like some rock salt with that. The question of actual power output of a fleet of Teslas is also interesting, if perhaps straying off topic. Assuming the 85 kWh battery packs are exactly capable of producing 310 kW (the power of the performance motor) and the 60 kWh battery packs can exactly match the base 270 kW motor, ignoring conversion losses and assuming the same 90/10 distribution as above, then a fleet of 40,000 Teslas could produce 12 GW for 13 minutes then 11 GW for another 3 minutes. I would guess the batteries can't actually sustain that output power. Can you drain a Tesla by flooring it for under 20 minutes? I would guess not, although it could be due to a speed governor.
> Aside from the general economic issue, the big concern is that solar power > is intermittent and can cut out at any second. This repeated claim by the critics of renewable power really annoys me. Yes it *might* be true. But ask Germany or Japan, where nuclear power really did cut out with not much more notice. Or ask Europe, where gas is likely to cut out with precious little notice (if the Russians turn off the tap). ALL power sources come with a risk of failure, and renewables are no more *or* *less* reliable than conventional supplies. (What's annoying is that my rooftop panels won't work without a functioning grid. So if my incoming supply goes down, it takes out my generation too...) The fact is, "statistical averaging" really works, and will give you a pretty reliable supply, if you're not stupid enough to put all your solar panels in one field. Solar panels don't work at night. That does tend to apply to a whole country at a time, but it's regular and can be accounted for. Solar panels do actually work tolerably well in cloudy conditions, and it's pretty rare for a cloud to cover an entire country. The application of a little statistics allows you to calculate the total installed capacity of a country's solar panels, the actual average generation, and how that generation fluctuates over time. And on a scale of thousands of micro-installations scattered over hundreds of square miles, the actual generation curve is likely to be a pretty close fit to the calculated curve based on average daylight over the country. Other points to bear in mind are cost of generation. One of the things behind the adoption of solar panels in the UK is that they generate during the day, when demand is highest. This means that we need fewer "peak supply only" power stations which are expensive to run, reducing the amount of generation the utility companies need. 
Renewable energy is just one more option in the list of energy sources available, but the propaganda against it gets very tiring when it should just be another arrow (and a very useful one at that) in our quiver.
Hands off my PC! Fascinating technology, which confirms the old rule that if the attacker can get his or her hands on your computer it can be compromised one way or another. The most obvious way is to install a Trojan.
Enclosed are the URL and abstract for my latest paper on technology and financial manias. Your assistance in the work that led to this paper is gratefully acknowledged, although it may not have affected this manuscript, and may only influence later ones. Because a referee and an editor complained about the inordinately long acknowledgments in a previous paper, I have now listed you along with everyone else who assisted in this project on the web page http://www.dtc.umn.edu/~odlyzko/doc/mania-ack.html

Again, many thanks for your help, and if you have any comments on this work, I would be delighted to receive them.

The forgotten discovery of gravity models and the inefficiency of early railway networks
http://www.dtc.umn.edu/~odlyzko/doc/mania09.pdf
Andrew Odlyzko, email@example.com, http://www.dtc.umn.edu/~odlyzko

ABSTRACT

The routes of early railways around the world were generally inefficient because the prevailing doctrine of the time called for concentrating on provision of fast service between major cities and neglect of local traffic. Modern planners rely on methods such as the "gravity models of spatial interaction," which show the costs of such faulty assumptions. Such models were not used in the 19th century. The first formulation of gravity models is usually attributed to Henry Carey in 1858. This paper shows that a Belgian civil engineer, Henri-Guillaume Desart, discovered them earlier, in 1846, based on the study of a unique and extensive data set on passenger travel in his country. His work was published during the great Railway Mania in Britain. Had the validity and value of this contribution been recognized properly, the investment losses of that gigantic bubble could have been lessened, and more efficient rail systems in Britain and many other countries would almost surely have been built. This incident shows society's early encounter with the "Big Data" of the day and the slow diffusion of economically significant information. The methods used in the study point to ways to apply methods of modern network science to analyze information dissemination in the 19th century.

The above paper, as well as previous papers in this series, is available at: http://www.dtc.umn.edu/~odlyzko/doc/bubbles.html
Apologies for the bit of self-promotion, but I've just published a book which some RISKS readers might find interesting, and are unlikely to hear about through other channels. Quantum computing and communications has a strong relationship to security and cryptography. The topic shows up here in RISKS occasionally. (For what it's worth, I've been a RISKS reader since the 1980s.)

My own background is in computer systems (OS, architecture, storage), but for the last ten years I've been working on architectures for quantum computers and quantum networks. ACM members may have seen my article with Clare Horsman in Communications of the ACM; it was the cover article last October.

My book, _Quantum Networking_, has just been published by Wiley-ISTE, and is targeted at people with my own interests and experiences, such as RISKS readers. It begins with no assumption of any background in quantum mechanics or quantum computing, and carries the reader through the leading edge of work on quantum repeater networks, which will hopefully evolve to allow us to create and use quantum entanglement (Einstein's famous "spooky action at a distance") at intercontinental distances.

The first of four parts covers basic concepts, including just enough on the notation and mathematics, a chapter for the physicists on why large-scale networks are hard, and quantum teleportation. Linear algebra (multiplying matrices, eigenvectors and eigenvalues), exponentiation of complex numbers, and basic discrete probability—if you can handle these, you won't have any trouble with the math.

The second part, covering applications of quantum networks, may be of the most interest to RISKS readers. One chapter covers the well-known quantum key distribution (QKD) from the point of view of someone (me) who has actually worked on IPSEC, and talks about the sets of circumstances in which it actually provides useful enhancements to security. Other cryptographic primitives such as quantum secret sharing and quantum Byzantine generals agreement are discussed. There is a brief description of universal blind quantum computation, which is a client-server computation in which the server learns *nothing* about the computation it is performing on behalf of the client, except an upper bound on its size. Finally, the use of entanglement as a shared reference frame allows applications like long-baseline optical interferometry and clock synchronization. I bring together the little that has been studied about needed entanglement generation rates and extend it to talk about both connection and network performance requirements.

The third part covers mainstream research on lines of quantum repeater links. Quantum repeaters, unlike basic single-photon QKD, can in theory operate over long distances by coupling links together into a path, without requiring trust of the intermediate nodes.

The fourth part, on extending from lines of links to topologically complex networks, represents the core of my own research. It covers multiplexing and resource management, routing, and our Quantum Recursive Network Architecture, which sketches a path to a quantum Internetwork that can truly scale to global levels.

I hope people in the community will find it of some use. Feel free to send me questions, comments, and errata. Should someone here feel the urge, you have my blessing, indeed encouragement, to write an independent, unbiased review. I'm sure PGN would publish it.

http://www.wiley.com/WileyCDA/WileyTitle/productCd-1848215371.html
Available in hardback and various electronic formats. I actually have not seen the electronic formats, so I can't vouch for their fidelity in reproducing equations and figures.