Hugh Thompson Answers Voting Machine Security Questions 122

You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.
Security

Stealing the Network: How to Own an Identity 99

Scott Pinzon writes "Writing sonnets, screenplays, or an epic poem in your third language is a breeze compared to the toughest of art forms, didactic fiction. That might explain why the various chapters of Stealing the Network: How to Own an Identity range from appalling to exciting. Whether you see the glass of STN: Identity as half empty or half full depends on whether this is your cup of poison -- but on a technical level, it rocks." Read on for the rest of Pinzon's review.
Graphics

Conflict On Graphic Standards Hurting PC Gaming? 39

Thanks to GameSpot for their editorial discussing graphics card manufacturers, and how their race for revenue could harm PC gaming. The piece discusses the days when "3dfx's Glide standard was the only thing going", and "3dfx even secured deals with retailers to create separate sections for 3dfx-compatible games." However, the author laments: "I thought hardware-specific games were a thing of the past. Then I booted up the demo for Bridge It", an Nvidia-sponsored title which "will not run unless you have an Nvidia GeForce 4 Ti or GeForce FX graphics card installed." The article ends with a hope that "clearer heads will prevail and PC gaming can take new steps toward improving ease-of-use, not balkanizing the platform for business reasons."
Security

Swiss Researchers Find A Hole In SSL 234

in4mation writes "The folks at LASEC have found a flaw in the SSL protocol. Quoting Professor Serge Vaudenay from a BBC article the security problem is in 'the SSL protocol itself and not in how we use it or how we implement it.' Apparently the flaw only affects webmail and not banking or credit card payments and took less than an hour (160 attempts) to crack." Update: 02/20 20:52 GMT by T : Kurt Seifried writes to say that this is almost exactly wrong: "The flaw is in IMPLEMENTATION, NOT THE PROTOCOL. Due to the way error checks are handled an attacker can find out which error condition occurred by measuring the response. The solution is trivial, a path that forces OpenSSL to do the second check even if the first one fails, thus denying the remote attacker any information as to which exact error condition occurred." He includes a link to the security advisory at openssl.org. Update: 02/20 21:49 GMT by T : Read on below for some more information from SSL 3.0 designer Paul Kocher.
Hardware

AMI Guy Talks About TCPA, Palladium, and Other BIOS Issues 464

We ran the "Call for questions" Monday, January 13, under the headline, Discuss BIOS and Palladium Issues With an AMIBIOS Rep. Note that Brian Richardson, AMI sales engineer, is a real engineer, not just a salesperson, and is also a staunch Slashdot reader who knows we have low tolerance for PR whitewashes around here. Brian's answers are real, not laundered, and he responded not only to the 10 questions we sent him but also to some he felt deserved answers even though they weren't moderated all the way up. Please note that in much of this interview he is speaking as "Brian Richardson, individual," and that his opinions do not necessarily reflect those of AMI's management. With that said, be prepared to learn a lot about the BIOS business, and how TCPA and Palladium relate (and don't relate) to it.
Handhelds

Secure Digital vs. Multimedia Cards 12

n1ywb asks: "I recently cajoled myself into buying a Dell Axim. Since the compact flash slot is obviously taken up by my 802.11b card, that leaves me with the OTHER slot for adding additional storage. This other slot is billed as a 'Secure Digital Card' slot, although I understand it is backwards compatible with the 'Multimedia Card' standard. The name 'Secure Digital' is somewhat misleading it seems. It has some kind of digital rights management technology onboard, which nobody seems to want to elaborate on. It has hardware encryption, which sandisk.com touts as 'Cryptographic security for copyrighted data based on proven security concepts from DVD audio.' Hah! DeCSS anyone? Magic markers? There isn't a lot of REAL information about SD cards out there. I like cheap and fast storage, but I'm paranoid of DRM. _I_ am god here; my hardware is slave to me. I don't want my PDA telling me I can't play my Grateful Dead bootlegs because they aren't digitally signed. Should I buy MMC or SD? Where can I find more info? Any real world experiences? What do you think is the bottom line?"
United States

A Look Into National ID Cards 315

mr.buddylee writes "Last month Slashdot reported a Popular Science story on your privacy. This month the magazine has a couple different articles about the future of security after the attacks on 9/11. Included is a very interesting read on National ID Cards which looks at possible technologies integrated into the card. For instance, how would you like a memory strip containing a digitized image of your fingerprints, your photo, your medical history and flight history stored in your wallet? All secured with what could be a less than secure Smart Card."
News

EFF Files First Anti-DMCA Lawsuit 266

The first direct legal challenge to the DMCA was filed at 9 a.m. EDT today by EFF-sponsored attorneys at the United States District Court in Trenton, New Jersey on behalf of Princeton Professor Edward W. Felten and others who helped crack a series of digital watermarking schemes as part of an SDMI Challenge sponsored by the RIAA. Named defendants include the RIAA, SDMI, Verance Corporation (producer of one of the cracked watermarked schemes) and U.S. Attorney General John Ashcroft.
News

AES: Learn All About It 55

Jason Bennett, frequent reviewer of books, now regales you with this great piece on the background and development of the new encryption standard to replace the pretty-good-till-now DES. It's full of linked information you'll want to digest, too. Update: 02/23 12:32 AM by T : Note: The links I borked are better now; mea culpa (and beware copying in Mozilla).
Quake

ESR on Quake 1 Open Source Troubles 339

ESR has chimed in to say his bit on the recent Quake problems that popped up following the source release. It's definitely a problem that will happen again and something that needs to be handled. Read what he has to say about it.
