Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Comment Re:When do people get this (Score 1) 613

Using more RAM doesn't use more energy. Either your RAM is powered on, or it's not. And if it's powered on it maintains its contents, no matter whether the OS has actually written anything useful to it.

That is not entirely true. Although much of the power dissipation in DRAMs comes from driving the data bus at high speeds (and it happens always, no matter what portion of internal memory space is actually used), some of it comes from memory matrix of the chip. Each DRAM cell is built around tiny on-chip capacitor. The capacitor can be either charged or discharged, which represents two values bit can assume. As bit held in the memory cell toggles its state, the capacitor gets charged and discharged. Whenever the capacitor is charged, it receives a portion of energy from power supply. When it is discharged, that energy is thrown away. The faster the average bit toggle rate and greater the average number of bits toggled, the greater the power dissipation of DRAM. Also, since those capacitors are "leaky" (they discharge spontaneously over time measured in milliseconds), a mechanism is in place to refresh them from time to time. Therefore, if memory contains static data consisting predominantly of bit states which correspond to charged capacitors, it wastes more energy then if it contains predominantly bit states which correspond to empty capacitors.


Submission + - UK may U-turn and back OOXML ( 1

superglaze writes: "An unnamed source has claimed that the UK could be set to back OOXML, despite previously voting against Microsoft's format. It seems that the technical group advising the British Standards Institution is now backing OOXML, with IBM, unsurprisingly, being the sole hold-out. Still, even if the UK says yes, it looks like the format will fail the ISO fasttrack process."

Submission + - In The Search For Status Quo (

Anti Globalism writes: "One of the most difficult challenges for a leader is to know how many rules you should enforce, in order to maintain order and discipline in a group of people. There is no absolute guideline how to do this right and the results will vary among cultures and individuals. Parents face the same dilemma every day: if you let your child do whatever it feels like doing, it will end up being driven over by a car or kidnapped by some local lunatic. If you restrict it too much, that will eventually back lash when it grows older and realizes that you destroyed its childhood.

Human nature is very simple: in any given environment where's there's a group of individuals living together, certain norms and principles will be established over time, that seem to benefit the group as a whole. This may of course also include taboos and not all rules are necessarily stated in public; in fact, if you think about the social norms in our society today, they consist of quiet agreements that all people assume you agree with and follow: don't walk naked to work, stand in line to the concert, avoid wearing the Nazi uniform at school etc.

Read more"


Submission + - Microsoft PRNG encryption CRACKED! (

Martin Shin writes: "November 15, 2007 (Computerworld) Israeli researchers who have reverse-engineered a critical component of Windows' encryption technology say attackers could exploit flaws to decipher secured information. Microsoft Corp. has downplayed the threat.

In a paper published earlier this month, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, described how they recreated the algorithm used by Windows 2000's pseudo-random number generator (PRNG). They also spelled out vulnerabilities in the CryptGenRandom function, which calls on the algorithm.

Windows and its applications use the PRNG to create random encryption keys, which are in turn used to encrypt files and e-mail messages, and by the Secure Socket Layer protocol. SSL secures virtually every important Internet data transmission, including information from consumers to online retailers, and from bank customers to their online accounts.

By cracking the PRNG's algorithm, Pinkas and his team were able to predict its future results and uncover what it had come up with in the past, which then let them compute both previous and future encryption keys. They also discovered multiple design flaws in the algorithm that they said could give hackers the keys to the kingdom.

One of the flaws let Pinkas calculate the keys that had already been used on a Windows 2000 machine. In effect, given even remote access to the machine, a hacker could uncover encryption keys that had been generated, and thus the passwords — or other information — which had been used, even if they weren't saved elsewhere on the system. "If you know the 'state' of the PRNG, it should be hard to predict its previous state," said Pinkas yesterday. "It should be like a one-way street. Going backward [in time] should be impossible. But we found a way to very efficiently predict previous states of the PRNG."

That's a major bug, and one that should not have been overlooked, Pinkas added. "It's very well known how to construct a one-way generator. The fact that the PRNG used by Windows 2000 does not provide [this] demonstrates that the design is flawed."

Another problem with Windows' PRNG, added Pinkas, is that a single peek at the current state of its calculations can expose a huge amount of information. Unlike other operating systems such as Linux, Windows only refreshes its "randomness" after the PRNG has produced 128K of output. And since a typical SSL connection between, say, Internet Explorer and a bank consumes just 100-200 bytes of output, it's possible to predict 600-1,200 different SSL connections.

"Once we get the state of the PRNG, we can simulate its future state until the generator is refreshed with new random data," said Pinkas. "But that represents several hundred SSL connections."

Pinkas acknowledged that an attacker must have access to the target PC to get a glimpse of the PRNG's current state — the prerequisite to calculating either future or past encryption keys — but in today's security landscape, that's no barrier. "People are finding new ways to get administrative privileges all the time," he argued. By combining a relatively run-of-the-mill attack — one that results in full access to the machine, such as the just-patched vulnerability in Windows' URI protocol handler — with an exploit of the PRNG's design flaws, hackers could decrypt files or reveal secure traffic between the PC and the outside world, Pinkas said. "It should be pretty easy to do our attacks."

That's not a vulnerability, that's a feature

Microsoft downplayed the problem. "We found that there is no security vulnerability," the company said in a statement attributed to Bill Sisk, Microsoft's security response communications manager. "Information is not disclosed inappropriately to unauthorized users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged onto the local system with administrator credentials."

Sisk then went on to justify Microsoft's position that the flaws did not qualify as security vulnerabilities. "Because administrators by design can access all files and resources on a system, this does not represent inappropriate disclosure of information."

"We got basically the same [response] when we reported our findings in May," said Pinkas, who believes that the risk is greater than Microsoft wants users to believe. An attacker does not need physical access to the PC to carry out an attack that leverages the PRNG's flaws, for example. "Once you have a way to do remote code execution, you can grab the state of the generator," he said. "Any hacker who knows the OS, could grab the state, and as I said, it's not difficult to get administrative privileges on a PC."

A Symantec Corp. researcher took a middle position. In a research note made available to customers of Symantec's DeepSight threat network, analyst Erik Kamerling called the level of difficulty of such an attack as "relatively high" even as he said that Pinkas' discovery was "an extremely sought-after tool in cryptanalysis."

"An attacker must first gain some type of privileged access to an affected machine," said Kamerling. "Then the attacker would have to run a custom application or script that reads internal RNG variables. The attacker would also need to compute pending and past state information, and finally correlate and apply this forward and backward state reconstruction with the communications emanating from the target machine. It's a complicated scenario to say the least."

But Kamerling also hedged his bets. "Any development of an automated tool or program that would accomplish the techniques in the paper would increase the severity of this discovery," he admitted.

Microsoft came close to promising that it would fix the random number generator. "We are evaluating changes to further strengthen our random number generation capabilities," Sisk said. In an earlier statement, the company had said it might include an update in a future Windows service pack.

The paper co-authored by Pinkas, Gutterman and Dorrendorf can be downloaded from the Cryptology ePrint Archive in PDF format."


Submission + - Robotic Cockroaches Raise Ethical Debate (

xrsblu writes: The Boston Globe reports that European scientists have persuaded a colony of cockroaches to behave differently by planting a robot leader in the midst. With robots imitating and influencing living creatures, this raises the question of how humans and machines will interact as robotic technology advances.

"Already, Asian countries that represent the gold standard in robotic research are pondering unprecedented new laws that would regulate how much independence robots should be given by programmers and even what "rights" should be accorded the clever devices, which one day may possess something approaching wills of their own, according to robotic gurus."


Submission + - free software; free legal forms

ir0b0t writes: "Coders and lawyers for openmissoula presented a "proof-of-concept" demo to the Montana Supreme Court Commission on Self-Represented Litigants that uses free code to give free legal forms to low and moderate income Montanans. Many Montanans cannot get access to the courts for even simple matters. Existing nonprofits typically use large grants for proprietary solutions. Will the proof-of-concept demo be embraced by the Montana lawyers?"

Submission + - Eco-ruin caused the fall of Bronze Age Argaric civ (

kfz versicherung writes: "A new study suggests that the fall of the Bronze Age Argaric people in south-east Spain, Europe's driest area, was caused by the exhaustion of precious natural resources resulting from the early civilisation. By compiling a pollen sequence to see how vegetation changed over thousands of years, the researchers obtained clues to how human settlement and climate affected ecosystems. The study revealed significant amounts of charcoal about 4,200 years ago, just after the Argaric civilisation emerged. The authors say that this is a sign that Bronze Age people were setting fires to clear the forests for mining activities and grazing."

Submission + - Expert: Robot lovers will save geeks, ugly people

holy_calamity writes: The guy that predicted human-robot marriage by 2050 has fielded questions from readers of New Scientist. His answers include the assertion that robots will be the saviour of loveless geeks and uglies: "I see nothing wrong from an ethical perspective in designing robots that will behave as though they have strong emotional feelings for their human owner/partner no matter whether that human is fat, thin, ugly, or whatever." Other questions tackled include "why would a robot want sex with an animal?"

Submission + - WWII Colossus codecracker outdone by a German (

superglaze writes: "More on the World War II-era Colossus codecracker project. Not only has it been outdone in a cipher-breaking challenge, but — irony of ironies — it was beaten by a German! From the story: The winner was Joachim Schüth, from Bonn, who completed the task using software he wrote himself. "[Schüth] cracked the most difficult code yesterday," said the museum's spokesperson on Friday. "We're absolutely delighted. He used specially written software for the challenge. Colossus is still chugging away, as we got the signals late. Yesterday the atmospheric conditions were such that we couldn't get good signals.""

Slashdot Top Deals

Your fault -- core dumped