Comment Re:So much for that idea... (Score 1) 99

Frankly, that's paranoid. I stopped trying to understand the deep math of leading-edge crypto some years ago as my brain calcified, but I understand enough of it to know that there's no need for intentional sabotage to explain vulnerabilities to innovative attack.

My question is how *THIS* mechanism has survived as long as it has. I haven't looked at the math in depth, but the broad descriptions I've found make me expect that there must be far-better-than-brute-force attacks on it. This crack isn't the first one to prove that to be the case, if I'm reading the Fujitsu PR right. I'm hoping for a deeper explanation of why pairing-based cryptography is so attractive that what seems like past evidence of diminishing returns from increased nominal complexity didn't kill it off before now.

Comment Re:Infected? (Score 3, Interesting) 285

...but how is it 'transmitted'? That implies an installed transmitter, i.e. malware.

A lot of Windows malware is transmitted via email, because there's a long history of Windows mail clients (most importantly Microsoft's crapware) being directly vulnerable and/or facilitating deceptive mail.

I have a lot of Windows malware on my Macs because I have email addresses that have been used openly and actively for 20 years and so have made it onto all sorts of indiscriminate spamming lists that are used for malware distribution. Because mail abuse is a professional focus of mine, the archives of malware-bearing spam I have accumulated are a resource, not an infection. I'm not sure why anyone else would retain all of their junk forever, but many people do so. It is a rare hour when I can't identify a log entry from my mail server rejecting mail that is almost certain to be bearing malware, and a rare week when I don't have at least one spam slip through carrying some form of malware.

If you dig down past the click-bait page referenced in the /. submission, the original source of this story is a blog post by Graham Cluley at Sophos: http://nakedsecurity.sophos.com/2012/04/24/mac-malware-study/ and it includes a breakdown of the strains of Windows malware seen on Macs. The top 2 I recognize as mail-borne, and some of the other named ones are likely to end up in the browser cache of any carelessly wandering user. It is an act of irresponsible fearmongering by Cluley to say (as he does) in an unqualified way that these "can still be spread to others" and compare the 20% infection rate to the 20% rate of Chlamydia infection in young men in the UK. Those in men are infective; a Mac with a Windows trojan in its browser cache or junk mailbox is not.

Comment YOU POKED MY PET PEEVE (Score 1) 194

1. It is a physical relative to steganography, which is itself a form of security through obscurity. It isn't gold bars hidden under the couch. I promise. Many of the things in my home that I might consider putting in a safe if I had one are in the class of things one would need to know about a priori to make any real start at finding them. Others are such that most people could stare right at them and not understand them to be worth stealing.

2. Most forms of security that do not involve credible threats of violence are ultimately "security through obscurity."

Comment More seriously... (Score 2) 194

But legitimate questions remain as to whether they will ever truly replace their leathery counterparts.

Legitimate questions would be much less like "Is water wet?" or "Does the Mayan calendar not actually predict the obliteration of the Earth in 2012?" or "Will Apple and Google and a few million /.ers running Kubuntu drive Microsoft into irrelevance and bankruptcy by 2015?"

The physical wallet is not going away. As long as there are legal purchases for which many people would prefer to have plausible deniability, there will be cash. Until the final merger that yields AppFedGoocrosoft, L. L. C., Our Beloved Planetary Government, (with 51% of voting shares held by Goldman-CitiSachs of America, and the financial equity held mostly by the Bain/Koch Group and the LDS Church Inc.) those of us not standing in line to be rendered into spare parts and raw biodiesel input will need some way to hold a half-dozen competing trackable-money tokens, a dozen merchant "savings club" cards, blank bits of thermal paper that used to be receipts we thought we should keep, and enough paper money for a Big Mac, a USA Today, a pack of smokes, and an hour of high-res porn on the medium du jour.

Comment Re:Did they adjust for crazy? (Score 4, Informative) 237

You could have answered that with a simple act of RTFA. In short: no. They had no access to their subjects' mental health records.

I put up my screed on the weakness of the study (after seeing it covered by the Grauniad) at http://tmblr.co/ZaUL7yHBNSh0 before I saw it here, and the short version of my unassailable opinion is that it is a deeply flawed study whose data is just good enough to make a strong case for further study, undermined by the authors drawing unsupportable conclusions and pointlessly denigrating prior work and practical experience.

And yes, hypnotics are often taken by people for whom insomnia is a secondary condition grounded in deeper problems. That doesn't mean the hypnotics are not very useful in enabling them to address the deeper problems. Speaking from personal experience, a dozen doses of Ambien taken over the space of about 2 months during the breakup of my first marriage were critical to saving my job, my ability to eventually pull out of a deep depression, and possibly as many as 4 lives. When life is slicing deep enough that you cannot sleep for days on end, the lack of sleep itself gnaws on the stripped bones of sanity.

The main recommended use of hypnotics is for short periods in cases where insomnia itself is causing additional problems and more comprehensive treatments for underlying primary causes are too slow and/or are impeded by the effects of insomnia. Real primary insomnia that can be managed with hypnotics is pretty rare. A valid conclusion from the study is that people in that one HMO in rural PA who are being prescribed hypnotics are not getting adequate overall care, and that the inadequacy correlates with the amount of hypnotics that they are being prescribed. The authors claim (and I tend to believe them) that there is a growing consensus that CBT is a better treatment for chronic insomnia, but CBT is not something a doctor can write a scrip for and have the patient sleeping soundly that night for a few bucks. It can also uncover and address underlying issues like depression, OCD, and other cases where insomnia is really just a symptom of a more complex primary mental disorder. Of course, if you are a researcher specializing in retrospective studies of this sort who has been given access to a very large data set of patient records by an HMO, you don't have a strong incentive to write a conclusion that this HMO is controlling costs by encouraging doctors to prescribe cheap drugs instead of referring patients to expensive months-long rounds of talk therapy, even when the best type seems to be the relatively efficient CBT.

Comment Microsoft is still buying crap research. (Score 4, Interesting) 182

Calling this "independent" is hogwash. It's a scam MS has been pulling for well over a decade, paying for "independent" competitive studies whose design and publication they control, and then trumpeting the results of the ones that say things they like.

In this case, the methodology was designed in a way that only exposed the test addresses to a narrow subclass of spam and which helped rationalize the fact that the study is completely blind to false positives. It cannot be accidental that the most widespread criticism of Hotmail and Microsoft's other hosted mail services by outsiders who work with mail servers and spam control is not that they deliver or emit spam, but that they have massive chronic false positive problems, not just with mis-filing into "Spam" or rejecting in SMTP for no good reason, but with mail being accepted for delivery and vanishing without a trace, in large volumes. It's a mess and I am 100% certain that MS knows about it internally, at least at senior mail geek levels. It is a spectacular display of chutzpah for MS to be applauding themselves for a study in which they would have been beaten by an email system with no Internet connectivity.

And as someone who has been dealing with spam filtering and prevention since before anyone at MS knew that "spam" wasn't just a Hormel product, I should add that a methodologically sound study of the filtering systems of the big freemailers is probably not possible in the real world. Different people get significantly different types of spam and non-spam based on the history of their addresses and how they use them, and you really can't say anything meaningful about an 'average' mail stream because no real address has one. The big freemail providers have a very hard job because of the scale and diversity of their user base and pathological business models, but that can't justify promotion of a study which ultimately is worthless.

Comment Always helpful to RTFA before blathering... (Score 4, Interesting) 409

Note that this is not a reply to any particular prior comment...

From TFA:

The scientists are careful to point out that lower-altitude glaciers in the Asian mountain ranges – sometimes dubbed the "third pole" – are definitely melting. Satellite images and reports confirm this. But over the study period from 2003-10 enough ice was added to the peaks to compensate

That is exactly what one would expect for some degree of overall warming. The highest parts of the Himalayas are still high and cold enough to freeze out every bit of moisture in the air that brings them snow, but that air (mostly monsoon flow from the south) is generally moister because it and the ocean it has passed are significantly warmer than in the past. The result is low glaciers melting back from the warm air and rain instead of snow and higher protoglacial snowpack growing faster than the existing glacier paths can move out.

This is very basic weather science: more snow in routinely cold places does not mean they are getting colder, it means they are getting more injections of warm humid air. Of course that's only true as long as the cold predominates, because eventually it all turns to rain. I've watched this happen in Michigan, where we've gone from record snowfall years (but not record cold) to unusually warm and soaked-through winters.

Comment Re:Why do we keep doing this? (Score 2) 81

Here's an idea - recipient's SMTP server refuses e-mails unless they get 0.01 cents with it.

Don't bother trying to patent that idea. It has been proposed and even tried many times.

One problem with it is simply that there is no reliable mechanism in place to identify the responsible sender of every piece of email. Internet email is not a single system, but rather a loosely confederated mob of independently operated systems that mostly use a common set of protocols. Most email these days is spam, sent mostly by hijacked machines, of which most is rejected easily by most receiving systems. The bulk of spam that makes it to user inboxes is either being sent in ways that are intentionally deceptive and often using stolen resources or is arguably not really spam because it is pursuant to some formally (if ignorantly) accepted agreement to be sent mail. Neither of those is easily addressed by making rules for people to follow. The first set are not going to follow any new rules and the latter are working within the letter of the existing rules.

Comment Skip the ITWorld article (Score 4, Informative) 81

I'm sure 'itwbennett' would rather everyone go to his employer's website to read that article, but it is clearly not written (or edited) by anyone who has any basic clues about spam-fighting. Just reading the subtitle makes me cringe for the unfortunate "journalists" lassoed into writing it, as it was clearly done by spam neophytes in a desperate scramble for click-scrounging content. The article is vaguely about a paper presented almost a year ago at LISA '11. There are links to an abstract and the original paper at the LISA '11 site: http://www.usenix.org/events/lisa11/tech/

The general space of sniffing out spam by looking at TCP characteristics has been mined usefully for years, with Symantec and MailChannels both offering proprietary tools that use such techniques and some open DNSBLs using TCP sniffing to identify sources, but it would be incorrect to believe that any one methodology will ever be a magical silver bullet against spam.

Comment Re:The U.S. senate decides on overtime pay? (Score 1) 1167

Since I'm not from the U.S. I might have misunderstood something here, but does the U.S. senate really have the authority to change employment contracts for the worse?

No, and the cited bill does not directly do that. What it does is redefine the scope of exemption from the wage and hour rules of the Fair Labor Standards Act. Typically, FLSA applies to people paid on an hourly basis with or without a formal employment contract, and requires employers to pay 1.5 times the regular hourly wage for all hours worked over 40 in a week. Some salaried workers are also covered by FLSA, and some hourly wage workers are not. The rules about what jobs are "FLSA exempt" are very complex and detailed, with a general theme that highly compensated jobs that require managerial, supervisory, creative, or self-directed work are generally exempt from FLSA rules. A very large fraction (maybe a majority) of IT jobs are and always have been FLSA exempt and hence employers can (and often do) require workers in those jobs to work more than 40 hours without following the FLSA rules. Exempt salaried workers can be required to work overtime with no extra pay at all. When hiring for an exempt position or reclassifying a job as exempt, employers must inform the employee of its exempt status.

Employers usually classify every job they legally can as exempt from FLSA. This bill is a change in the rules of what sorts of jobs can be classified as exempt. Because most workers in the US are "at will" with no formal employment contract, reclassifying a job is usually a unilateral act by an employer. So this act (if passed by both houses of Congress and signed by the President) would not *force* a change in any contracts, but it would end a requirement for overtime pay for some types of employee. The last change in those rules was considered by many to have created some problem circumstances of forcing classification of jobs as non-exempt even though they logically fit the rationale for exemption. I am not familiar with all of the details of that, so I'm not sure if that argument has merit. The only non-exempt IT jobs I can think of are low-level jobs like helpdesk, 1st level desktop support, and data center ops techs.

Comment Re:civil disobedience (Score 1) 803

If the DHS and other federal agencies were helping to coordinate, that's a pretty big stain on Obama-the-organizer's record as an organizer.

That's a big if. Every story about federal involvement ends up referencing a story by a glorified blogger in Minneapolis publishing under the umbrella of a far-right Christianist billionaire, who claims that he got his information from one anonymous source at the Dept. of Justice.

Also, even if there ends up being a non-ridiculous corroboration of the story, people need to get some perspective on how government, and especially policing, actually works under normal circumstances. DoJ is supposed to be largely autonomous from political control, and even if you were to assume that Obama would like to have replicated the Bush model of trying to pack DoJ with loyalists, the objective fact is that GOP Senators have blocked appointments there to an unprecedented extent and as a result there is a serious leadership gap there which is largely surrounded by people hired under a regime that sought "Loyal Bushies" to fill all roles. The lead agencies for this sort of thing would be the FBI and DHS, both of which are still mostly run by people hired by Bush. The GOP project of obstructionism via political appointment blockage has resulted in a government that runs mostly on autopilot, and autopilot for police agencies tends towards paranoia and excessive force. Even if this is an entirely true story that is just suffering from crappy journalism, it isn't clear that this is the sort of thing that would even make it up to political appointee level even if there weren't so many of those seats sitting empty.
