Read more of this story at Slashdot.

Read more of this story at Slashdot.

Read more of this story at Slashdot.

Read more of this story at Slashdot.

Take a look at Champernowne's Constant. It's a ridiculously easy sequence to make, and yet it fooled programs designed to root out underlying order in seemingly random numbers.

David Gawen Champernowne was born in 1912. When he was an undergraduate in college, he published a seemingly simple number. Champernowne's Constant is formed by taking the sequence of whole numbers - 1, 2, 3, 4, 5, and so on – and putting them behind a decimal point. So a long sequence of Champernowne's Constant would be as follows:

0.12345678910111213141516171819202122232425 2627282930...

It's just the whole numbers in order with the commas removed between them — it is called a "normal" number. The term "normal" is the key to fooling early computers looking for patterns. Select any single digit from a huge sequence of Champernowne's Constant, and there will be a 10 percent chance of getting a 9. There will also be a ten percent chance of getting a 0, or any other digit.

Now take a sampling of two digits from any of part of Champernowne's Constant. What will the result be? If someone were to pick the number 41, how likely would they be to find it? Well, it occurs naturally once in between the numbers one and a hundred, and that sequence repeats every hundred numbers, so it's once roughly every 100 numbers. (Unless the computer were searching the specific and narrow section of Champernowne's Constant that is 410, 411, 412, 413, and so on.)

Now consider a sequence of numbers that is truly random. Each single number will have a ten percent chance of showing up in each slot, just as they do in Champernowne's Constant. So a person looking for the digit 41 will have a one out of ten chance of getting a four as the first digit, and a one out of ten chance of getting a one as the second digit. Chance of picking any sequence of two digits and getting a 41? One out of one hundred. Chance of getting a specific three digit number? One out of a thousand. And so on.

This is why Champernowne's Constant fooled early programs meant to check if certain sequences of numbers were truly random. The programs searched to see if each one-digit number, two-digit number, three-digit number and so on showed up as often as it should have if the numbers were truly random, and they did. It's just they showed up as often as they would if a person were simply counting them as well.

[Via Math is Fun, Mathworld, and Simon]

Wow, check out the video tour of Evil Mad Scientist Laboratories’ functional recreation of the classic educational binary computer Digi-Comp II.

Several weeks ago, we talked about bringing our giant Digi-Comp II to Maker Faire. But now we’re back, and we wanted to show everyone how it works– not just the many folks who came by to see it at Maker Faire. For those of you just joining us: The Digi-Comp II is a classic 1960?s educational computer kit– an automatic binary digital mechanical computer, capable of conducting basic operations like adding, multiplying, subtracting, dividing, counting, and so forth. These operations are all conducted by the action of marbles rolling down a slope, directed by mechanical switches and flip flops that act as logic gates. Our version is a modern, larger-than life remake. A functional clone, but sized up to use billiard balls instead of small marbles.

Read more of this story at Slashdot.

This week, Lockheed Martin—the largest U.S. military contractor—and several other defense contractors have reportedly experienced intrusions in their computer networks. Those intrusions may be connected to a hacking attack on RSA's SecurID security token division, disclosed back in March.

Hackers penetrating Sony's Playstation network or Google, affecting the data privacy of millions of users? Bad. Hackers penetrating the networks of the US military's largest weapons makers? Really, really, really bad.

Reuters was first tonight with the news of the intrusion at Lockheed, which the company is said to have first detected on Sunday.

They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter. It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

A Lockheed press statement, reprinted in part in the Wall Street Journal,

[T]o counter any threats, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. We have policies and procedures in place to mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multilayered information systems security.

John Markoff and Christopher Drew in the New York Times link the Lockheed hack to the March RSA breach. While Lockheed's problems may be the first publicly known damage from that attack, other firms may also be affected.

"The issue is whether all of the security controls are compromised," said James A. Lewis, a senior fellow and a specialist in computer security issues at the Center for Strategic and International Studies, a policy group in Washington. "That's the assumption people are making."

Neither RSA, which is based in Bedford, Mass., nor Lockheed would discuss the problems on Friday.

Officials in the military industry, who spoke only on the condition of anonymity given the sensitivity of the matter, said Lockheed had detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers, company employees said.

Raytheon published a statement today saying it took "immediate companywide actions" when the RSA breach became known back in March. General Dynamics denied experiencing problems related to the RSA breach; Northrop Grumman and Boeing declined to comment to the Times.

Related reading:

•
SecurID Company Suffers a Breach of Data Security (NYT, March 17, 2011, John Markoff)

• Columbia University computer science professor Steve Bellovin's take on the RSA breach (March, 2011).

• And Ars Technica's counterpoint to RSA's characterization of the breach as "extremely sophisticated."

Sony BMG Greece hacked, company's security woes continue originally appeared on Engadget on Mon, 23 May 2011 15:41:00 EDT. Please see our terms for use of feeds.

With Anonymous Denial of Service attacks and then the twin hacks of PlayStation Network and Sony Online Entertainment, Sony's online infrastructure has been taking a battering over the last few weeks—and it's not over yet. Another successful hack against the company is being reported by security firm F-Secure. A Web server used to host Sony's Thai site has been broken into, and is now being used to host a phishing site that targets customers of an Italian credit card company.

Unlike the PSN and SOE break-ins, this hack is not likely to have any serious consequences; it should be restricted to a relatively unimportant Web server that has no access to sensitive customer information. Still, it shows that Sony's online troubles aren't over yet—and that the entire company needs to take online security more seriously.

Read the comments on this post

Proving the words of countless mothers across countless nations, new research shows that spending all day staring at computers and TVs actually is bad for kids, giving them heart problems later in life.

Scientists say that kids who spend many hours in front of screens have narrower arteries in the back of their eyes, and link this to future heart problems.

The study looked at almost 1,500 Australian children, and the results took into account age, sex, ethnicity, iris color, length of the eyeball, BMI, birth weight and blood pressure. The children averaged 1.9 hours of screen time every day, and 36 minutes of physical activity. Every hour of time in front of a monitor equated to a retinal artery 1.53 microns narrower, and associated with a blood pressure increase of 10 mmHg.

The measure of the micro-vessels in your retina is an indicator for cardiovascular disease and high blood pressure in adulthood.

It might not turn your eyes square, but sitting in front of a screen all day definitely isn't good for your health.

Illustration by Andrea Danti/Shutterstock

Well-designed systems don't store passwords; rather, they take the password you supply and run it through a cryptographic hashing algorithm that turns it into another string (in theory, this string can't be turned back into the password). When you re-visit the website and supply your password, it is run through the algorithm again, and then the result is compared to the stored version. That way, no one -- not even the provider -- knows your password (except you). Again, that which isn't stored can't be leaked. Requiring French online services to keep a record of unhashed passwords is a reversal of decades of best practices in security.

The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers.

This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.

Police, the fraud office, customs, tax and social security bodies will all have the right of access.

Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show a the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.

To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.

It may yet be too soon to celebrate the takedown of the world's largest spam botnet. For one thing, PCs that were infected with Rustock prior to this action remain infected, only they are now somewhat lost, like sheep without a shepherd. In previous takedowns, such as those executed against the Srizbi botnet, the botmasters have been able to regain control over their herds of infected PCs using a complex algorithm built into the malware that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. Using such a system, the botmaster needs only to register one of these Web site names in order to resume sending updates to and controlling the herd of infected computers.

Stewart said that whoever is responsible for this takedown clearly has done their homework, and that the backup domains hard-coded into Rustock appear to also have been taken offline. But, he said, Rustock also appears to have a mechanism for randomly generating and seeking out new Web site names that could be registered by the botmaster to regain control over the pool of still-infected PCs. Stewart said Rustock-infected machines routinely reach out to a variety of popular Web sites, such as Wikipedia, Mozilla, Slashdot, MSN and others, and that it is possible that Rustock may be configured to use the news headlines or other topical information from these sites as the random seed for generating new command and control domains.

(Image: Spam wall, a Creative Commons Attribution Share-Alike (2.0) image from 63056612@N00's photostream)

Read more of this story at Slashdot.

The Living Earth Simulator is quite possibly the most ambitious computer project ever undertaken. This all-encompassing simulation will collect all the data in the entire world, to predict everything from the next major disease outbreak to the next financial crisis.

The Living Earth Simulator could do for our modern world what the Large Hadron Collider has done for the early universe, says project chair Dr. Dirk Helbing. He calls the LES a "knowledge accelerator" that can collide different fields of knowledge to produce a far greater understanding of what's going on in the world around us.

Such a program, he says, could help show us the next epidemic before it starts, illuminate better ways to deal with climate change, and predict when the next recession will hit. According to Dr. Helbing, the answers to all these mysteries can be found by examining the sum total of human activity:

"Many problems we have today - including social and economic instabilities, wars, disease spreading - are related to human behaviour, but there is apparently a serious lack of understanding regarding how society and the economy work. Revealing the hidden laws and processes underlying societies constitutes the most pressing scientific grand challenge of our century."

So where would they get all the data from? Lots of different organizations are already compiling massive amounts of data, and these would help feed into the Living Earth Simulator. Possible sources would include NASA's Planetary Skin project, which tracks climate data on every corner of the globe, as well as more everyday sites like Google Maps and, yes, Wikipedia. Helbing and his team also plan to incorporate medical records, the latest financial information, and, most frighteningly of all, everything that's going on in the world of social media.

Of course, once all that data is together, there's still the question of what to do with any of it. Helbing says this will require cooperation between social scientists and computer scientists to create the rules and programming that the LES needs to interpret the data and create an accurate model of the Earth as it is today. We've only now got the technology advanced enough to pull off such an endeavor, and it will still be very tricky.

Part of the solution, Dr. Helbing explains, is the rise of semantic web technology. This simple but powerful concept makes a computer see information not just as a set of numbers but as specific data in a specific context, meaning computers will be able to tell the difference between the seemingly random numbers making up, say, financial markets and weather reports in much the same way humans can.

An obvious question to ask is just how much the LES will be able to learn about particular people. On this point, Helbing argues that the vastness of the project should protect everyone's privacy, as the LES's aggregative strips out all individual data in an effort to create an overall picture.

Once you collect all the data and program the simulator, actually running the LES is relatively simple. Yes, the project will need huge banks of supercomputers to run the entire program, but the processing power required isn't beyond what we're currently capable of. Computer expert Pete Warden says that, in all probability, we do have the processing power to handle what the LES requires. That said, he's skeptical about whether the LES could actually produce useful results:

"Economics and sociology have consistently failed to produce theories with strong predictive powers over the last century, despite lots of data gathering. I'm sceptical that larger data sets will mark a big change. It's not that we don't know enough about a lot of the problems the world faces, from climate change to extreme poverty, it's that we don't take any action on the information we do have."

To this point, Dr. Helbing argues that the LES will offer predictive far in advance of our previous models, as it would be able to see global recessions and disease outbreaks coming before they really get started. It's a bold claim, and we won't know for sure what the real capabilities of the LES are until the day that it's up and running.

[via BBC News; check out Gizmodo's coverage here]

Juels says that these cracks were possible because the proprietary algorithms that the firms use to encode the cryptographic keys shared between the immobiliser and receiver, and receiver and engine do not match the security offered by openly published versions such as the Advanced Encryption Standard (AES) adopted by the US government to encrypt classified information. Furthermore, in both cases the encryption key was way too short, says Nohl. Most cars still use either a 40 or 48-bit key, but the 128-bit AES - which would take too long to crack for car thieves to bother trying - is now considered by security professionals to be a minimum standard. It is used by only a handful of car-makers...

What's more, one manufacturer was even found to use the vehicle ID number as the supposedly secret key for this internal network. The VIN, a unique serial number used to identify individual vehicles, is usually printed on the car. "It doesn't get any weaker than that," Nohl says.

(Image: Invalidka - Soviet car for disabled people, a Creative Commons Attribution (2.0) image from dittaeva's photostream)