Honest skepticism is important to Science: scientific theories are considered reliable not because of the strong arguments in favor of them, but because they survive scientific challenge.

But its equally important to recognize that just because skepticism is important to Science, doesn't make all skeptical commentary equally valid, and more importantly it doesn't make all sides equally valid. Its important for scientists to continue to question General Relativity. But when the rubber meets the road, I'm trusting Relativity over any other skeptical invention intended to overturn it. Relativity has survived a lot of challenges. Upstart competitors haven't.

Climatology is an imperfect Science, and its being refined all the time. But Relativity didn't overthrow Newton: Newton is so well tested and established nothing is going to overturn Newtonian gravity because it explains too much of the world too accurately. Relativity *refines* Newtonian gravity in extreme situations Newton was never checked against. All competitors to Einstein are also competitors to Newton: we all know Newton was close enough in most cases: its extraordinarily unlikely anyone is going to discover a normal situation where Newton just plain fails. Anyone wanting to replace Einstein has to not only do better than Relativity, but also better than Newton. Similarly, Climatology is being refined, but the odds are not high that its going to simply fall apart one day. Thinking that will happen represents a complete misunderstanding of how Science itself works.

Over geologic times, lots of things have affected Earth's climate. On astronomical time scales the Sun has an impact: as it ages the Sun emits more radiation: it becomes warmer. But not on human timescales, or even moderate geological time scales. 600 million years ago the Sun was about 4% cooler. That means over the last 15 million years the Sun's radiation has probably increased by about 0.1%. Oceanic circulation has a major role: as continents move around they alter how the oceans transport and circulate heat. Volcanism also has a significant impact, but that impact is tricky to work out: increased CO2 adds to the greenhouse effect, but other volcanic emissions like dust and SO2 have a net cooling effect on the surface of the Earth. The Deccan traps, for example, is believed to have caused significant cooling during their formation.

Life, on long time scales, also causes an effect, Much of the petroleum the industrial revolution is burning and adding to current CO2 levels came primarily from the Carboniferous period. During that time Earth had a warm and humid climate promoting the development of huge rainforests worldwide. These plants photosynthesized so much carbon out of the atmosphere that CO2 levels dropped from something like 1400ppm to 400ppm. That caused the climate to cool significantly over a few hundred million years until it became colder and drier. The rainforests died off, and with the rainforests gone atmospheric CO2 began to rise again, increasing temperatures again.

Actually, over Earth's history the largest contributors to climate change have been atmospheric greenhouse gases, oceanic circulation currents, and the configuration of the continents. Two of the three are things human activity is demonstrated to be capable of altering on timescales many times faster than they have changed in Earth's history.

That's pretty harsh considering that's tantamount to accusing the members of the gay and lesbian community that advocated a pardon as merely seeking a little PR and pandering.

In any case, in the UK a pardon implies the person in question was technically guilty according to the letter of the law, but deserves to escape the legal consequences of the conviction because of a belief they are not "morally guilty." It says nothing about "worthy of criminalization." And the legal issue here seems to be that at one time the power of the pardon in the UK was reserved for people that were "morally and technically innocent" of the crime they were convicted of, but in modern times that distinction is split. The constitutional government has the power to pardon criminals under exceptional circumstances but almost never does because if a strong case can be made for "technical innocence" there's an appeals court designated to handle such cases. But the legal process is essentially to invoke an appeal of the case and a new trial which would be nonsensical for Turing. The alternative rests with the constitutional monarch who can pardon for "moral innocence" which doesn't involve being technically innocent under the law.

Its unclear if the government has the legal option to drop Turing's charges or vacate them because there exists no legal evidence he was innocent of the crime he freely confessed to commiting at the time of the conviction.

Those are all block ciphers. You should not trust intuition when it comes to combining block ciphers and presuming the combination is intrinsically stronger. See: why 3DES but no 2DES.

Be careful when commenting on things you know nothing about, especially when punctuating with condescension. It makes you look like an idiot, even if an anonymous idiot.

If that were true, you would not. However, its not established that's true. Some believe iterative hashing is the best way because hashes are explicitly designed to be one-way functions, meaning they are intrinsically not reversible. That is believed to make hash-based PRNGs more resistant to attack. However, on the flip-side cipher-based PRNGs have the advantage that ciphers have been more closely studied, and are likely more resistant to attack because of that. That's why 800-90 specifies both hash-based and cipher-based PRNG algorithms.

The logic behind EC was based on the belief that ECs are more resistant to attack because they are based on different mathematical problems than most hash and cipher algorithms, and therefore are less vulnerable to the current state of the art in attacks designed to attack hashes and ciphers. That assertions seems to be false based on research done in the mid 2000s, but the general answer to your question is that no one is certain that, say, AES-based stream cipher PRNGs are certain to be uncrackable, and so people are always looking for alternatives. In fact, the *strongest* PRNG that I can think of is one that simultaneously generates SHA, AES, *and* EC random streams and XORs them together. To break that random stream, you would have to be able to break all three simultaneously. Even if EC had a backdoor in it, that would not help you at all to break a random stream with its contents XORed into two other generators.

So the general answer to the question of why you'd need anything other than a cipher PRNG is that a) no one knows if your preferred cipher PRNG might be broken tomorrow, and b) having multiple kinds of generators based on entirely different math opens the door to creating stronger generators that are a combination of all of them. And by the way, a cipher-based generator that was the XOR of two different cipher-based generators is not guaranteed to be twice as strong.

EC is a bad candidate in general for this kind of RNG hardening (because of its speed and its poorly understood backdoor possibilities), but we only knew that after it had been studied. If it was faster, and its constants were initialized by another PRNG guaranteed to not include the backdoor, it could serve as a PRNG hardener in theory, since its strength relies on an independent problem from hashes and traditional block ciphers.

In my experience, the most important learning tends to be in areas where its possible to experiment at home if you do enough homework to research the issues. For example, its true you can't learn the step-by-step process of interconnecting a Hitachi 150 at home, its also true no one is going to ever trust you to do that based on knowledge you gained from tinkering at home anyway, even if you owned one.

But do you really understand what the real issues of designing, managing, and supporting a real SAN are? Do you know what the real issues are when it comes to RAID rebuilding? Write-back caching? Virtualization workloads? When to lean on IOPS and when to think about throughput? Do you know what the ARC does in a ZFS SAN? How the cluster stores like Ceph and Gluster really work? Can you converse intelligently with vendors when it comes to cache tiering? None of these things costs a significant amount of money to experiment with and learn at home (relatively speaking for IT people), but actually knowing through first hand experience what these things are would put you ahead of 99% of the people *involved* with these things, because most of the people who support SANs only know what the vendor told them, and can only do what instruction manuals describe. They often don't know why they do what they do, and that's where independent learning can generate huge professional skill advantages.

Even today, most of my testing is done with virtual systems provisioned in the slack space on our virtual clusters or just plain on my normal work PC. 32 GB of RAM, some fast SSDs, and Vmware workstation and I can run whole networks of systems for hundreds, not even thousands, of dollars. And I have the theoretical budget to spend thousands on test gear. I just almost never do.

The most important things to learn are not the specific step by step procedures for things, which change daily and are easily rendered obsolete. Its the concepts, the issues, the practical requirements and the fundamental limitations, that are the most valuable things to learn, and in this day and age the most expensive part of learning them is dedicating the time to do so with intellectual honesty (meaning: don't just get it right to check a box on a list: constantly question whether the testing and research you've done is limited or flawed in some way, and can be extended or corrected - you have to be your own worst critic).

That may be true sometimes, or even most of the time, but it can't be a universal generalization. Because who are those independent thinkers going to hire when they leave? If they only hire the mediocre or people who are guaranteed to leave, they themselves will eventually fail also.

I myself started (or rather was part of the start of) my own company because I was one of those people who simply would not fit into virtually any ordinary corporate structure, but I do not deliberately hire the mediocre or the restless. I want people who want to stay and make a go of it, and although some have eventually left others have stayed for years. Its a question of degrees: everyone has a certain desire for independence and structure in some measure, and the goal is to find people who have enough independence but still want some structure. You (as a leader) can try, with varying degrees of success, to make the environment as supportive as possible, but you can never completely eliminate the structure nor does it generally benefit you in the long run to form your own company for the freedom but surround yourself with mediocre non-entities that reflect poorly upon you.

No matter how good you are at what you do, not everyone is cut out to be their own boss or to run their own company. In my experience, while many companies that fail do so because they were ultimately failures at doing the mission of the business, most fail because they were incapable of running a business in the long run, regardless of how well they were at delivering the goods or services of the business. You see this particularly in IT companies, where most just one day close even though the same people are doing the same things on the day they close as they were doing every day for the past few years. It just catches up with them: cash flow, client management, internal operational overhead issues - one day the business reaches a point where something becomes unfixable. And then those guys scatter and join other companies, many of which ultimately run into the same problems a few years later.

Neither "independent thinker" nor "skilled and smart" are the same thing as "can run a business." Promoting the idea that all the good people are or should be working for themselves I think does a lot of people a disservice, and sets them up for failure. Because most of the skilled, smart, independent thinkers would fail as business operators, and actually most who try ultimately do.

The only way we would know, I think, is if someone at an actual computer manufacturer or other first-hand witness comes forward with knowledge that the NSA, or a proxy like NIST, actually contacted computer manufacturers about and advised a response to a security issue, or there's documentation somewhere about that effort somewhere in the public domain (even if the original reasons for the activity are obfuscated). I'm still not sure if the NSA isn't at least exaggerating in their assertions, something even security companies regularly do, I'm just not willing to dismiss the entire idea as impossible. What is possible today from a security vulnerability perspective is often apparently implausible until demonstrated. Cryptolocker would have been impractical in the days before untraceable Bitcoins. Modern IP PBXs make essentially untraceable phone calls possible for phishing attacks. Stuxnet would have been laughed off as science fiction ten years ago. I think BadBIOS is going to turn out to be a false positive, and not a supervirus, but the fact that people are actually debating whether its possible at all - and not coming to a general consensus - is in and of itself demonstrative of how we've become very conservative in the security community about declaring things to be impossible.

We once thought the NSA put a backdoor in DES, only to discover twenty years later they actually strengthened it against a form of attack we didn't even know existed outside of the NSA back when DES was invented, an assertion that would have been completely implausible until it was demonstrated. Its a shame the NSA irrevocably destroyed that goodwill a billion times over, because ultimately in the long run trust was the most valuable thing they possessed, and nothing they've accomplished or even claimed to have accomplished will compensate for that loss. There were always people who thought the NSA was evil, but at least most of us thought they were on our side. Regardless of whose side they think they are on, they've convinced the majority of people they are not on theirs.

These days manufacturers, particularly for systems with UEFI BIOS, provide utilities that can update the BIOS of your system without booting special update software from physical media. For example, Dell offers BIOS updates that run from within Windows (although they do require reboots).

Besides that, there's the question of how you got the BIOS update in the first place, how you transferred it to a USB stick, how you verified the BIOS update was the correct one for your system. There is a workflow to updating BIOSs that begin with getting the update in the first place and doesn't end until you verify your system can boot from the new one. Modern BIOSs also tend to have built-in verifiers that can reject incorrect or false BIOSs. So even if I were to give you a BIOS update of my own creation, odds are without a deliberate attempt to defeat those security and integrity checking features your computer would not allow you to load my custom BIOS.

NIST SP800-147 specifically refers to standards to protect BIOS integrity, particularly against tampering or unauthorized upgrading. It also covers some of the whole of BIOS update workflow and process, both on the meatware side and the internal technical side.

In any case, if you think updating the BIOS on modern hardware requires a person taking special action with a USB stick and explicitly running a special flashing process, that's no longer true. Theoretically speaking, an attacker could craft malware that ran under Windows or Linux, reflashed your BIOS behind your back, and that BIOS would then take effect the next time you rebooted or power cycled your computer, and it could be crafted to occur without any obvious signs of tampering. *If* the attacker was capable of defeating the security measures designed to prevent such things from occurring, none of which are foolproof.

No, that's the opposite of what I said:

Actually, while I'm not sure the report is credible, your logic is flawed. The article says the attack involved malware disguised *as* a BIOS patch, something which can exist and in fact has occurred in the past. The article also states that the NSA worked with computer manufacturers to close "the vulnerability" but it doesn't say the vulnerability was actually in the BIOS itself. And in fact you don't need a vulnerability in the BIOS to *replace* the BIOS with malware. The logical conclusion is if this attack existed at all, it was more likely to be a vulnerability in the BIOS update workflow, perhaps someone managed to penetrate the signing keys of most of the major BIOS manufacturers which would have allowed them to push out apparent BIOS updates to a wide range of computers. Or perhaps the attack involved vulnerabilities in the patch deployment servers of a significant number of motherboard manufacturers.

The piece also does not state that the attack involved bricking huge numbers of computers worldwide. It talked about worldwide consequences, and this was within the context of attempting to attack the financial system:

Its possible the attack involved a stuxnet-like malware designed specifically to target certain kinds of systems used at the major trading companies, say the servers in use at the NYSE and the NASDAQ. It may not have been an attack intended to brick random computers all over the place. Without knowing more details, its impossible to know how credible this assertion is, but from a security professional's perspective I can state the attack as described (colloquially) is not impossible. In fact I can envision a number of scenarios consistent with the attack description that would have a decent chance for success.

The problem goes farther back than that. Post 9/11, people were outraged that the government didn't do enough to prevent the 9/11 attacks when it was "obvious" the terrorists involved were a threat. The NSA's "job" wasn't always to perform threat detection: its original job was to secure the communications of the United States and to perform counter-intelligence operations. The NSA and other intelligence agencies perform the level of surveillance they do because we *told* them to do so, in the post 9/11 world. We told them it was their fault 9/11 happened, and it was their responsibility to ensure it doesn't happen again.

Our problem is that they believed us. And when you think its your job to prevent thousands of people from being murdered, lots of things seem much less important when weighed against that responsibility.

Its not enough to just say "stop violating my rights and privacy." We have to clearly define again what the responsibilities of the government actually are to protect us from such threats, and what risks we're willing to accept and not bitch about. Otherwise we'll just bounce endlessly between being outraged at what the government does and outraged at what the government fails to do. We have to choose, and honor that choice. We have to push to unwind the progressive increase in surveillance *and* not punish the government when that lack of surveillance fails to prevent a bad thing. We must support both the good that choice grants and the bad that choice generates.

We have to do something ultimately few people are genuinely willing to do. We have to tell the government they aren't responsible for preventing every single bad thing in the world. That is the only way we can revoke their right to do whatever it takes to attempt to achieve that impossible goal. Until we do, they will likely continue to push the envelope of what is legal. And collecting metadata is not clear-cut illegal. In fact, the Supreme Court has ruled it legal in the past. But even if we pass a law making it illegal, so long as the people who work at these intelligence agencies believe the American people have made it their legal and moral responsibility to do *everything* possible to prevent catastrophes, they will always find a way to push the envelope.

If I'm being honest with myself, if I was told that, so would I.

Actually, technically speaking he got no jail time and no fine. The $183,000 was restitution to the target of the attack. You can argue he shouldn't bear the full burden of that restitution perhaps, but its not wildly unreasonable for someone who is the target of an attack to ask to be compensated not just for the damage due to the attack (which the article says was admittedly less than $5000) but also for any reasonable steps they took to recover from the attack.

In terms of actual direct punishment, he got off with essentially just probation. The punishment fit the crime in my opinion. Whether attackers can be forced to pay restitution to targets of attacks not just for direct damages but also the costs to investigate the attack (very reasonable), eliminate vulnerabilities leveraged by the attack (fairly reasonable), and generally secure the targets against future attacks (debatable) is a separate issue.

Someone seems to have put together a youtube slideshow using Warren Commission photos of a Secret Service reenactment: http://www.youtube.com/watch?v=lpAjEPOxjmc. The photos suggest that Oswald would have both had ample opportunity to observe the motorcade as it first approached the building from the side he was at, and then fire shots at Kennedy as the motorcade turned and began driving away from the building with no serious issue with shooting angles.

As the reenactment photos reveal, Oswald would have been able to observe the motorcade as it approached and made the turn directly in front of his position. Kennedy would have been easily observable as his car turned almost directly below Oswald. In fact, the reenactment seems to suggest the obvious sequence of events: Oswald observed the motorcade as it approached, and as Kennedy's car got close Oswald got a very good look at Kennedy but the presidential limo entered a defilade position and Oswald had to wait for the limo to complete its turn and then begin driving away from his position in order for Oswald to get a good shot.

There's no literal way for that to work, but there are ways to protect sensitive data in a way that could be described in that way.

One way I can think of is to get someone I know to buy something like an Amazon instance in a way that isn't traceable to me. Then I upload my data in an encrypted fashion into the instance. Then I give a set of people different passwords to log into the virtual machine running in that instance. Then I set the instance to power on in a scheduled manner so that the instance is only accessible at certain moments in time known to the people I give the passwords to. At all other times the instance is powered off and the people with the passwords to it do not have any knowledge of how to manage the instance itself directly. Thus, the people I designate as trustees for the data only have access at certain times. On top of that, they could have different segments of a key-split so that to actually access the data requires at least two different people logging into the instance and providing their keys, or alternatively one person logging in and providing two different key segments.

Why you might do something like this is to try to minimize the availability of the data from being discovered or cracked. Most of the time, the data isn't on a system that is in any real way accessible from the internet. Furthermore, it also makes it less expensive to create multiple data caches in the cloud because the cost of running the systems would be very low, since they would not be running most of the time.