Re: Microsoft: Palladium will not limit what you can run
Anish asked for references to Palladium. Using a search engine to find things with "palladium cryptography wasabisystems" or "palladium cypherpunks" will find a bunch of pointers to articles, some of them organized usefully.

On Thursday, Mar 13, 2003, at 21:45 US/Eastern, Jay Sulzberger wrote:
> The Xbox will not boot any free kernel without hardware modification. The Xbox is an IBM style peecee with some feeble hardware and software DRM.

But is the Xbox running Nag-Scab or whatever Palladium was renamed? Or is it running something of its own, perhaps using some similar components?

At 12:38 AM 03/14/2003 -0500, Jeroen C. van Gelderen wrote:
> and sold by Microsoft below cost (aka subsidized). With the expectation that you will be buying Microsoft games to offset the initial loss. (You don't have a right to this subsidy, it is up to Microsoft to set the terms here.)

It doesn't need to be below cost; Walmart was selling machines with capabilities fairly similar to the Xbox for less, and they certainly don't do anything below cost. (This was the ~$200 Linux PCs.) Now, the amortized development cost of those PCs is probably less than that of X-box, and they were a bit less compact hardware (though Xbox is pretty much of a porker compared to most of the other gamer boxes), and of course the "cost" of the Xbox might include some amortized cost of developing whichever Windows variation it uses, while Walmart didn't have that cost.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Microsoft: Palladium will not limit what you can run
> All video game
> consoles are sold under cost today.

This is wrong. Cf. http://www.actsofgord.com/Proclamations/chapter02.html

/r$
Re: Face-Recognition Technology Improves
Bill Stewart <[EMAIL PROTECTED]> writes:

> >Were there really 750 Million Passengers flying through ATL??? That
> >number seems a bit high...
>
> 750,000 * 100 = 75,000,000 usually (:-), which sounds more credible.
> No idea how many of those are unique passengers, but there are probably
> a lot of frequent business travellers going through there many times.

Ok Ok ok. I'm sorry for trying to do math on only 6 hours sleep before a flight. I mis-counted 0's. I'm sorry.

-derek

--
Derek Atkins
Computer and Internet Security Consultant
[EMAIL PROTECTED]
www.ihtfp.com
Re: How effective is open source crypto?
having worked on some of the early e-commerce/certificate stuff ... recent ref:
http://www.garlic.com/~lynn/aadsm13.htm#25 Certificate Policies (addenda)

the assertion is that basic ssl domain name certificate is so that the browser can check the domain name from the url typed in against the domain name from the presented (trusted) certificate ... and have some confidence that the browser is really talking to the server that it thinks it is talking to (based on some trust in the issuing certification authority).

in that context ... self-certification is somewhat superfluous ... if you trust the site to be who they claim to be ... then you shouldn't even have to bother to check. that eliminates having to have a certificate at all ... just transmit a public key.

so slight step up from MITM-attacks with self-signed certificates would be to register your public key at the same time you register the domain. browsers get the server's public key from dns at the same time it gets the ip-address (dns already supports binding of generalized information to domain ... more than simple ip-address). this is my long, repetitive argument about ssl domain name certification:
http://www.garlic.com/~lynn/subpubkey.html#sslcerts

i believe a lot of the non-commercial sites have forgone SSL certificates because of the cost and bother. some number of the commercial sites that utilize SSL certificates only do it as part of financial transaction (and lots of them when it is time to "check-out" actually transfer to a 3rd party service site that specializes in SSL encryption and payments). The claim by many for some time is that given the same exact hardware they can do 5-6 times as many non-SSL (non-encrypted) HTTP transactions as they can do SSL (encrypted) HTTPS transactions ... aka they claim 80 to 90 percent hit to the number of transactions that can be done switching from HTTP to HTTPS.

a short version of the SSL server domain name certificate is worry about attacks on the domain name infrastructure that can route somebody to a different server. so SSL certificate is checked against to see if the browser is likely talking to the server they think they are talking to. the problem is that if somebody applies for a SSL server domain name certificate the CA (certification authority) has to check with the authoritative agency for domain names to validate the applicant's domain name ownership. The authoritative agency for domain names is the domain name infrastructure that has all the integrity concerns giving rise for the need for SSL domain name certificates. So there is a proposal for improving the integrity of the domain name infrastructure (in part backed by the CA industry ... since the CA industry is dependent on the integrity of the domain name infrastructure for the integrity of the certificates) which includes somebody registering a public key at the same time as a domain name. So we are in catch-22:

1) improving the overall integrity of the domain name infrastructure mitigates a lot of the justification for having SSL domain name certificates (sort of a catch-22 for the CA industry).

2) registering a public key at the same time as domain name infrastructure ... implies that the public key can be served up from the domain name infrastructure (at the same time as the ip-address, eliminating all need for certificates).

There is a description of doing an SSL transaction in single round trip. The browser contacts the domain name system and gets back in single transmission the 1) public key, 2) preferred server SSL parameters, 3) ip-address. The browser selects the SSL parameters, generates a random secret key, encrypts the HTTP request with the random secret key, encrypts the random secret key with the public key ... and sends off the whole thing in a single transmission, eliminating all of the SSL protocol back&forth setup chatter.

The browser had to contact the domain name system in any case to get the ip-address; the change allows the browser to get back the rest of the information in the same transmission.

--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
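The single-transmission exchange sketched in the post above, written out as an added example (this is not code from the post or from any of the referenced pages). It assumes a constructed DNS answer type carrying the public key, preferred suite and IP address; RSA-OAEP for wrapping the random session key and AES-256-GCM for the request are choices made here, not the post's. The negotiated suite name is bound into the AEAD as associated data so a downgrade of the parameters fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DNSAnswer is a constructed stand-in for the single DNS reply the post
// describes: public key, preferred parameters and IP address in one go.
// Assumption: no real DNS RR has this layout; the whole scheme rests on the
// integrity of the DNS answer, so in practice it would need DNSSEC signing.
type DNSAnswer struct {
	IP        string
	PubKey    *rsa.PublicKey
	Preferred []string // server's preferred symmetric suites, best first
}

// FirstFlight is the one client-to-server transmission: the random session
// key wrapped under the server's public key plus the request encrypted
// under that session key.
type FirstFlight struct {
	Suite      string
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Server holds the private half of the key that was registered in DNS.
type Server struct{ priv *rsa.PrivateKey }

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// Register models publishing the public key alongside the domain name.
func (s *Server) Register(ip string) DNSAnswer {
	return DNSAnswer{IP: ip, PubKey: &s.priv.PublicKey, Preferred: []string{"AES-256-GCM"}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientFirstFlight does the whole client side in one step: pick the suite,
// draw a random session key, encrypt the request, wrap the session key.
func ClientFirstFlight(ans DNSAnswer, request []byte) (FirstFlight, error) {
	if len(ans.Preferred) == 0 || ans.Preferred[0] != "AES-256-GCM" {
		return FirstFlight{}, fmt.Errorf("no mutually supported suite")
	}
	suite := ans.Preferred[0]
	key := make([]byte, 32) // AES-256 session key, fresh per request
	if _, err := rand.Read(key); err != nil {
		return FirstFlight{}, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return FirstFlight{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return FirstFlight{}, err
	}
	ct := aead.Seal(nil, nonce, request, []byte(suite)) // suite bound as AAD
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ans.PubKey, key, nil)
	if err != nil {
		return FirstFlight{}, err
	}
	return FirstFlight{Suite: suite, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Receive unwraps the session key and decrypts the request. A host that
// was substituted at the DNS layer but lacks the registered private key
// fails here; that is the property the key-in-DNS binding is meant to give.
func (s *Server) Receive(ff FirstFlight) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, ff.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ff.Nonce, ff.Ciphertext, []byte(ff.Suite))
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	ans := srv.Register("192.0.2.10") // constructed, documentation-range address
	ff, err := ClientFirstFlight(ans, []byte("GET / HTTP/1.0\r\n\r\n"))
	if err != nil {
		panic(err)
	}
	req, err := srv.Receive(ff)
	fmt.Printf("server at %s decrypted %q (err=%v)\n", ans.IP, req, err)
}
```

Two things worth noticing when reading it: the client never authenticates anything beyond what the DNS answer told it, so a forged answer with an attacker's key defeats the scheme entirely (the catch-22 the post describes), and because the session key is chosen by the client and wrapped under a long-lived RSA key, anyone who later obtains that private key can decrypt recorded traffic; there is no forward secrecy in a single-flight design of this shape.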
Re: Face-Recognition Technology Improves
At 09:01 AM 03/15/2003 -0500, Derek Atkins wrote:
> "Sidney Markowitz" <[EMAIL PROTECTED]> writes:
> > > In addition, only one subject in 100 is falsely linked
> > > to an image in the data base in the top systems.
> >
> > Wow, 99% accuracy for false positives! That means only a little more than
> > 75 people a year mistakenly detained for questioning in Atlanta
> > HartsField Airport (ATL), and even fewer at the less busy airports (source
> > Airports Council International, 10 Busiest Airports in US by Number of
> > Passengers, 2001).
>
> Were there really 750 Million Passengers flying through ATL??? That number seems a bit high...

750,000 * 100 = 75,000,000 usually (:-), which sounds more credible. No idea how many of those are unique passengers, but there are probably a lot of frequent business travellers going through there many times.

> Also, I'm not convinced that multiple trials for a single individual are independent. Indeed, one could easily assume that multiple trials for a single individual are highly correlated -- if the machine isn't going to recognize the person on the first try it's highly unlikely it will recognize the person on subsequent tries. It's not like there is a positive feedback mechanism.

They're probably not independent, but they'll be influenced by lighting, precise viewing angles, etc., so they're probably nowhere near 100% correlated either. There could be some positive feedback, if they keep photographs of near matches. Another mechanism they could use is the set of names of people expected to fly in and out of the airport, but of course that only works for people who use their real names on airline tickets - it's better for tracking Green Party members than for tracking Carlos the Jackal.
Re: Face-Recognition Technology Improves
Derek Atkins <[EMAIL PROTECTED]> wrote:
> Were there really 750 Million Passengers flying through ATL?

No, 75 million. If you look at my message again I did correctly say 750,000 for the 1% false positive figure, although I did not type a comma to make it easier to read.

> Therefore, a better question would be how many UNIQUE
> passengers flew through ATL, and then take 1% of that

True, but to a first approximation most of the 200,000 average passengers per day in ATL will be unique individuals, so the false positive rate over the entire population is a good indicator of the effect of deploying the system in an airport. In any case, unless the individuals who repeatedly are falsely matched against the database stop travelling, they would increase the overall false positive rate by the same amount that repeat passengers who are not falsely matched decrease the overall rate.

The more important number in these trials to ask about is the size of the database. A 1% false positive rate on a large population matched against a database of 5 faces is much worse than the same rate against a database of 50. The article mentioned a watch list size of 3000, which seems like a reasonable size for comparison, but the article implies that there were different trials conducted for the study. Without referring to the original report I can't tell if the 1% FP rate was based on that trial or one with a different size database.

Taking into account the imprecision inherent in a news article reporting on a large study, all it is safe to say is that when it says "only one subject in a 100" the article is saying "only" while presenting a really horrific scenario for the airport security people if this system is used to screen all the passengers.

-- sidney
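An added worked example (not from the thread) of the database-size point made above: it converts the reported "one subject in 100" per-subject false-match rate into a per-comparison rate for a given watch list size, projects that rate to a different list size, and scales it to the 200,000 passengers per day and the 3000-face watch list quoted in the thread. The model assumes each comparison against a list entry falsely matches independently, which is an assumption made here (the thread's own dispute about independence across repeated trials of one person is a separate question).

```go
package main

import (
	"fmt"
	"math"
)

// PerComparisonRate derives the false-match probability of a single
// face-to-entry comparison from a per-subject rate measured against a
// watch list of n faces. Assumption: comparisons against different list
// entries are independent, so P(no false match) = (1 - p)^n.
func PerComparisonRate(perSubject float64, n int) float64 {
	return 1 - math.Pow(1-perSubject, 1/float64(n))
}

// PerSubjectRate is the inverse: the chance a subject falsely matches at
// least one of n entries when each comparison false-matches with probability p.
func PerSubjectRate(perComparison float64, n int) float64 {
	return 1 - math.Pow(1-perComparison, float64(n))
}

// Rescale takes a per-subject rate measured on nMeasured faces and projects
// it to a deployment with nDeployed faces on the watch list.
func Rescale(perSubject float64, nMeasured, nDeployed int) float64 {
	return PerSubjectRate(PerComparisonRate(perSubject, nMeasured), nDeployed)
}

// ExpectedFalseAlarms scales a per-subject rate to a passenger volume, i.e.
// the number of travellers pulled aside per unit time for no reason.
func ExpectedFalseAlarms(passengers, perSubject float64) float64 {
	return passengers * perSubject
}

func main() {
	const perSubject = 0.01        // "only one subject in 100"
	const dailyPassengers = 200000 // ATL figure from the thread
	for _, n := range []int{5, 50, 3000} {
		fmt.Printf("1%% measured on a list of %4d faces -> per-comparison FP %.2e\n",
			n, PerComparisonRate(perSubject, n))
	}
	// Same 1% figure, but measured on 50 faces and deployed on 3000:
	deployed := Rescale(perSubject, 50, 3000)
	fmt.Printf("deployed on 3000 faces: %.1f%% of subjects, about %.0f false alarms/day\n",
		100*deployed, ExpectedFalseAlarms(dailyPassengers, deployed))
}
```

The rescaling is the point a practitioner should take from the thread: a headline rate is meaningless without the list size it was measured against, because the per-subject false-match probability grows roughly linearly with the number of entries compared.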