The Software Engineering Institute is a Federally Funded Research and Development Center (FFRDC), similar to places like Los Alamos, Sandia, or Lincoln Labs. So yes, they certainly receive funding from the government, and that probably includes funding from the FBI.

It sounds like what they are saying is that they were doing general research on Tor as part of their normal research activities. Funding for this, like all other research they do as an FFRDC, comes from the federal government in some form. So yes, indirectly I'm sure the government paid for the research, but that does not seem shocking.

All in all, it's hard to understand what all the fuss is about for this, it seems pretty much in line with the goals of an FFRDC to do this type of research.

You're assuming the machine simply goes "ping". It will actually return data that would be post processed and then show characteristics of gravitational waves.

In some (very loose) sense it's like the search for the Higgs Boson. We don't have a machine that says "yeah I saw a Higgs Boson, turning off now!". It returns a bunch of data that gets analyzed and might show characteristics we expect.

In order to know it is working, we would compare the data it finds to mathematical models of what a black hole merger or something would look like.

I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?
And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.

If you have responsibly disclosed every exploit you know about, you are not going to be able to hack into the computer which triggers the bomb. I'm not sure why this isn't obvious. Unless somehow your "responsible disclosure" allows for holding on to exploits until you need them for dire situations, you have no way to stop such a computerized device.

Let's be more concrete here: someone has hooked up a Raspberry Pi to detonate a bomb, which is triggered, say, over Tor. Whoever made this wasn't stupid: it has a heartbeat which will detonate the bomb if it fails, so you can't just jam it or cut off internet access. It has normal motion sensors, etc. You have 1 hour to disable it.
I propose that given the possibility of such a scenario (or scenarios like this; obviously this is an extreme and contrived example to try to prove a point), it is ethical to withhold disclosure of vulnerabilities. In your proposed scenario, the government has "emptied its cyber arsenal". It has nothing it can do to prevent such an attack. I believe it is superior to have the capability to prevent such an attack.

Except it isn't that simple.. one side has to win. If the US Government doesn't have people writing exploits, they are losing tools that help them to fight $ENEMY.

It's like saying we shouldn't have fought in Wold War II against Hitler, because war is bad. The Allied forces were the "lesser of two evils"--evil, of course, because war is unethical just like hacking is. Why choose to actively help the lesser of two evils? We should have remained neutral.
We can ignore any historical facts for the sake of hypothetical arguments and say Hitler would have succeeded with 100% certainty without US support. In this sort of scenario are you trying to say that the ethical thing to do is nothing? It really sounds like we have some huge differences of opinion in all of this, so this probably isn't going anywhere.

Ugh, maybe on this computer my replies will show up with my user account (I don't mind a bit of bad karma every now and then, and I think it is hard to have an actual discussion with an AC post). Anyway..

I think this is more akin to "an eye for an eye makes the whole world blind". But obviously, just because something is a catchy statement, that doesn't mean it's good advice.
If other people are attacking you, should you lay down all your weapons and hope they do the same? Maybe, but it's not a cut and dry situation like you make it out to be. I agree that in an ideal world, no one would exploit anyone, and all of our software would be bug free. But it seems naive to base our actions off of that world view when it is not the case. Is fighting and war bad? Yes. But I don't think a Ghandi approach will work in all situations, and sometimes fighting back is necessary. (That doesn't mean all cases, of course.)

I think this is an incredibly bold statement. I think it's a bit hard to judge the ethics of exploiting a computer "in a vacuum", the context certainly matters. Let's take a hypothetical situation: if a computer was used as the trigger for a bomb which was going to go off and kill 100 people, would it not be ethical to hack in to the computer and disable it? [we can assume it also has all the fancy triggering mechanisms in place.. capacitive sensing in case someone gets too close, tilt/shock sensors in case something tries to move it, etc]
I find that belief absurd. And while I'm sure that wasn't the situation you envisioned when you made that claim, I think it's important to note there are cetainly extreme cases where hacking into a computer is clearly ethical.
If we're able to agree that
sometimes computer hacking is ethical, then it just becomes a question of where the line is drawn. How much personal information needs to be on the computer about to detonate a bomb before you decide it isn't The Right Thing To Do to hack in? I am sure there are cases where the government is happy to hack into something that I think is ethically dubious, but again, I think it is absurd to say it is never ethical.

The other thing is you have to consider that "cyber weapons" mean governments can gain intelligence or affect systems without hurting people. Stuxnet is an interesting example. How many lives would have been lost if instead someone bombed the Iranian nuclear facility, or killed off Iranian scientists (yes, I know this still happens anyway, sadly)? Stuxnet was a virus that infected the public's computers as well.
Based on our discussion so far I would expect you to say something like "well sure, maybe it's better than bombing, but having neither would be even better". That's a totally understandable stance, but again, that isn't the world we live in. I think it's a step in the right direction to at least try to minimize deaths.


Anyway, it doesn't sound like we're going to come to an agreement on anything, and that's fine. I definitely understand how hacking can be a moral grey area, and not everyone has to agree. However, I just hope people will accept that it is at least a moral grey area, rather than a moral black area.

http://www.dailymail.co.uk/sci... That's a link to the photos without the blogspam..

The TEDxAustin talk you mentioned is focused on GPS spoofing to make a receiver think that it is somewhere else. Spoofing in that sense has been around for a long time, and while it is very cool and everything, it isn't what is novel about this paper/attack.
This paper goes from just making a GPS receiver think it is located somewhere else to actually exploiting software vulnerabilities in GPS receivers to cause them to crash and things like that. The attacks are related, but the position based spoofing is just a subset of this work.

I don't think you looked at the paper really. GPS spoofing and jamming are nothing new (as is mentioned in the paper). The new aspect is that there are software attacks that can be done on the receivers. For example, one of the divide by zero errors will cause a denial of service attack on some receivers. This is vastly different from jamming, because the DoS continues even after the transmitter is shut off. Jamming would obviously stop as soon as the transmitter is turned off. That is the new, exciting, and dangerous part of all this.

No look, this is perfect. We convince DHS that the terrorists are trying to develop room temperature superconductors to subvert metal detectors and security checkpoints.

Then, clearly the solution is for DHS to start giving obscene amounts of money to physicists in the USA to develop the technology first! It's pretty much a win-win-win situation.

How do you deal with noise for something this sensitive? If you're trying to measure the sound of a bacterium, and someone coughs, or walks by the room, or a truck drives by, how do you cancel that out?

I guess I just don't see how their SNR can be high enough with something that sensitive.

Although 12 million is certainly a large number, the US has many more travelers than that. In 2009, Atlanta's airport had something like 90M travelers use the airport. That means that one airport has more traffic than all of the airports combined in Israel.

I agree that their airport security model is superior, and maybe it can scale to large airports in the USA, but if we have dozens of airports with more traffic than their busiest airport, scaling is very far from a simple task.

Source

Awesome, thanks! I just looked a bit on their website and didn't see that page where they say it's bistable. That definitely makes it harder for e-ink to compare with this.

What does the article mean by e-ink like power consumption? I can't tell if this technology requires power to remain in a given state, or whether it can be static like e-ink. Although the low power consumption of e-ink displays is largely due to their lack of a backlight, being able to display static content with 0 power consumption is really one of the coolest parts about e-ink tech.

I read the article but it didn't seem to answer this, do any readers know? If it could display static content for free then that would be incredibly awesome.

I don't see too many details in this article, but there was something that sounds awful similar from Carnegie Mellon University a little while back called MULE (Mobile User Location-specific Encryption). http://sparrow.ece.cmu.edu/group/pub/studer_wisec10.pdf [pdf warning]

ZigBee generally operates at 250mW/24dBm max power. Obviously some devices can be made to broadcast higher energy levels, but a quarter watt tends to be used.

I suppose a citation would be nice, but if you google it, you will find most chipsets have that as their maximum power rating. (And as the signal only needs to reach the home, there is no reason for a stronger signal to be used.)

One step at a time. If it exists, then we can try to understand it more deeply.