×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

Government Recommends Cars With Smarter Brakes

Entrope Re:Not a fan (304 comments)

In some cases, yes. In the other cases where I've noticed it, the turning car was already far enough out of the lane that I could drive past it while staying entirely within my lane.

4 days ago
top

Government Recommends Cars With Smarter Brakes

Entrope Re:Not a fan (304 comments)

Is the tradeoff in favor of this kind of system yet? I have it one my car, and the part that I have found useful is the flashing warning -- not the braking. Among other flaws, it tends to have false alarms on certain stretches of road (I'm not sure whether it is picking up signs or fences or something else, but it is almost a given at one spot on my commute home from work), and it gets close to the auto-braking threshold when a car in front of me is turning into a parking lot. (The system in my car has three levels: flashing a warning, pre-tensioning [tugging] seat belts, and automatically braking. A turning car sometimes triggers the pre-tensioning, which is distracting in itself.)

5 days ago
top

IEEE: New H-1B Bill Will "Help Destroy" US Tech Workforce

Entrope Re:They do it for us! (484 comments)

According to the best estimates out there, the US pays substantially more for Medicare fraud (even excluding Medicaid fraud, which is something state governments would handle) than for unreimbursed care. But don't let reality interrupt your little fantasy of how the world works.

about two weeks ago
top

New App Detects Government Stingray Cell Phone Trackers

Entrope Re:IMSI Catchers are Wiretaps, usually illegal (71 comments)

You are just addressing a different part of the 4A's limits than I am. Some things are not 4A searches. The government theory here is probably that Smith v. Maryland (1979) makes an IMSI catcher not a 4A search. Some things are 4A searches, but do not require a warrant to be reasonable -- if the police say "mind if I search your car?" and you say that's okay with you, they don't need a warrant. Other things are 4A searches, but require a warrant to be reasonable -- non-consensual searches of a home, absent some imminent danger, require a warrant. Other things would be considered searches under the 4th Amendment, but even a warrant cannot make them reasonable; but this category is so small that I don't know of any good examples (a lot of possible examples are more clearly prohibited by the Fifth Amendment's limits on compelled testimony against oneself).

My personal take is that use of an IMSI catcher is probably a 4A seizure that would need a warrant -- it disrupts the normal functioning of many phones in an area, temporarily disconnecting them from the cell phone network -- or alternatively it counts as a search because it scoops up so much data from so many people (similar to the "mosaic theory" that some circuits have recently approved).

about three weeks ago
top

New App Detects Government Stingray Cell Phone Trackers

Entrope Fourth amendment searches and warrants (71 comments)

Lots of 4A searches do not require warrants -- searches incident to arrest, custodial searches, searches with consent, and probably more. The warrant requirement only kicks in when a warrantless search would be "unreasonable" (violate a reasonable expectation of privacy, and such expectation is narrower than most non-lawyers would believe).

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re:What took them so long? (212 comments)

The single-session CD is supposed to come from an unsecure network. What good will putting it back there do an attacker?

I am not thinking small, I am thinking rational. You are assuming an "insan[e]" attacker, which is rather silly. I'm not claiming that single-session CDs will make a system unbreachable, or that you should try to. My claim is simply that using single-session CDs (in a controlled, hygenic way) makes the cost to breach a system much higher than the alternatives that were suggested (network and USB) -- not even that single-session CDs are always the right solution.

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re: What took them so long? (212 comments)

Do you have any idea what the error rate for manual data entry is? Typically about 0.5% of the entries will be wrong. Retyping information is a very error prone process.

Do you have any idea that there are known good practices for checking entered data before committing to it? And that most people would want to apply this kind of check before kicking off a production run, of just about anything, regardless of how the order was sent to the system?

What is it about this topic that makes people forget basic engineering practices?

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re:What took them so long? (212 comments)

If you have a air-gapped system, you don't let people plug either random USB devices or random Ethernet devices into it. You help enforce this by disabling USB ports, MAC-locking switch or router ports, making it clear that only specific authorized people can import data, and making sure those authorized few use hygienic practices. It's IT security, not brain surgery.

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re: What took them so long? (212 comments)

Sure... if.

1) If you can define the protocol to be simple enough, and
2) if you can be sure that only the intended application will process the data stream on the secure side, and
3) if you actually test that application enough to be confident it is secure, and
4) if you can ensure that sensitive information will not (improperly) leak back down the other direction, and
5) if you use it often enough to pay for that development cost, and
6) if you can resist the pressure to add features or "generality" to the protocol that makes it more costly to ensure secure processing...

then maybe such a protocol makes sense. Maybe somebody somewhere has satisfied all those ifs, but I would suspect not. For your simplified example, it is probably cheaper -- and just as secure -- to have an operator enter the dozen or so keystrokes to order "produce x amount of class y steel" than to design, build, install and support a more automated method. Human involvement has the added bonus of (nominally) intelligent oversight of the intended behavior for the day.

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re:What took them so long? (212 comments)

The point of an air gap is to make data transfers much more controlled. Some can be crossed regularly (with appropriate control), and some should not. One should only adopt any security measure after a cost-benefit analysis. The depth and rigor of that analysis should be determined by the expected costs (ongoing/operational) and potential costs (from a successful exploit).

Thus, I said "If I really wanted to reduce exposure", not "Everybody should do this to reduce exposure". If the productivity costs are very high, you had better impose enough oversight to deter or catch any policy violations... or choose a security policy besides "air gap". My basic points stand: much more software regularly talks to a network than regularly reads from CDs, and the protocols involved are much more complex for network communications; and USB sits in between those two.

FWIW, industrial control instructions can be made much more regular than arbitrary data, making it easier to detect a compromise before it reaches its ultimate target. For example, if the usual file size is 1 MB, you had better have a good reason for it to suddenly be 3 MB. If you are really paranoid, you might have a format checker or sanitizer to act like a very application-specific antivirus.

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re:Sometimes 'air gap' is impossible (212 comments)

What compels the management to hook the control network up to the Internet? If a vendor told me that their safety-impinging product needed Internet access to run -- for a license check or for any other reason -- I would tell them to go pound sand, and I'd be happy to take my business to a competitor. If Internet access is not mandatory, you are describing "sometimes an air gap is inconvenient", not "sometimes an air gap is impossible".

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re:"sophisticated social engineering techniques" (212 comments)

There are techniques like "Hello my name is Solicitor Darren White, my client has just deceased and left you a sum of $1,000,000,000 (ONE BEEELLION DOLLARS)...". There are also techniques like "Registration is now open for [industry-relevant convention], please visit [malware-infected site] to sign up so you can keep up with new developments." Beyond that are very individualized attempts to gain the target's confidence, perhaps involving apparently independent contacts -- persona A contacts the target over a job board, persona B uses some of that information to ask for a supplier reference, eventually culminating in executable code delivered directly to the target in hopes that it will bypass virus checks and be executed on a sufficiently privileged computer. More sophisticated social engineering techniques will usually be more narrowly tailored and more costly for the attacker to use.

about a month ago
top

Cyberattack On German Steel Factory Causes 'Massive Damage'

Entrope Re:What took them so long? (212 comments)

On the one hand, you have to worry about security holes in the USB driver and file system.

On the other hand, you have to worry about security holes in every piece of software that talks to the network.

If I really wanted to reduce exposure for a network, I would probably use single-session CDs to cross the air gap, and make sure to pack any extra space with random data.

about a month ago
top

Skeptics Would Like Media To Stop Calling Science Deniers 'Skeptics'

Entrope Re:Established science CANNOT BE QUESTIONED! (719 comments)

Which people do you think I am describing? There certainly are a lot of weirdo extremists in the environmental-activist camp, but I wasn't really thinking about them. If you want me to ignore the weirdo extremists on that side, will you ignore the weirdo extremists on the other side? More significantly, will media and activists stop focusing on the (conveniently distracting) anti-AGW weirdo extremists so that we can pay more attention to what actually can and should be done?

What specific steps do the reasoned thinkers recommend as "what actually needs to be done"? Last I heard, European countries were revising or just rolling back climate agreements because (a) they realized they couldn't achieve their goals without reducing their quality of life, (b) they realized the system was being gamed, and/or (c) they wanted to keep up with the countries who didn't sign up to those agreements.

about a month ago
top

Skeptics Would Like Media To Stop Calling Science Deniers 'Skeptics'

Entrope Re:Established science CANNOT BE QUESTIONED! (719 comments)

Lots of people believe in ghosts. Lots of people also believe in people who "think[] that human activities have no impact on climate change". There's about as much hard evidence in one of these beliefs as in the other.

When climate alarmists stop pretending that the dispute is over the degree of human influence on climate, and how much different countries should spend to mitigate anthropogenic climate change (or other kinds!), they might start to get traction with skeptics. Also when they start acting like the situation is as bad as they claim it is.

I know that when I used an electric sous vide cooker to make pork chops for dinner last night, it was worse for the climate than if I ate raw vegetables, and better than if I grilled a slab of steak over a bonfire. I know that living in the suburbs emits more greenhouse gases than living in a tiny apartment in a big city. I am thoroughly unconvinced that forcing most people to live like the alarmists claim we should (but usually don't live themselves) will yield the claimed benefits, or be worth the costs even if the benefits would be as claimed.

about a month ago
top

Research Highlights How AI Sees and How It Knows What It's Looking At

Entrope Re:Clickbait (130 comments)

I called it cheating because they violated both one of the prime rules of AI: train on a data set that is more or less representative of the data set you will test with, and one of the prime rules of statistics: do not apply a priori statistical analysis when you iterate with feedback based on the thing you estimated. Their test images are intentionally much different from the training images, which is one of the first things an undergraduate course on AI will talk about. They also use what are essentially a priori estimates after they repeatedly tweak the inputs to push those estimates to extremes, which is identified as taboo in decent undergraduate courses on statistics. Both of those are intentional violations of good practices that make the results look worse for the neural networks.

I can't tell from their paper what they mean by "99% confidence". Unless the DNN has max-pooling layers very near the output, none or many of the output units might have high activation levels for a given input. (It sounds like they had classes with low typical activation levels, and did not try to evolve fooling images for those classes.) If that happens -- say, "wheel" gets a score of 0.99, "lizard" gets 0.90, "dog" gets 0.80, and everything else is near zero -- then it is inappropriate to say that the network decided it was a wheel with 99% certainty. You would usually say that the network recognized the image as a wheel, but note it as an ambiguous result.

about a month and a half ago
top

Research Highlights How AI Sees and How It Knows What It's Looking At

Entrope Re:Clickbait (130 comments)

Why was my characterization of their approach "hardly fair"? Someone -- either the researchers or their press people -- decided to hype it as finding a general failing in DNNs (or "AI" as a whole). The failure mode is known, and their particular failure modes are tailored to one particular network (rather than even just one training set). I think the "hardly fair" part is the original hyperbole, and my response is perfectly appropriate to that. The research is not at all what it is sold as.

Don't multi-class identification networks typically have independent output ANNs, so that several can have high scores? I assumed, perhaps incorrectly, that the 99+% measures they cited were cases where only one output class had a high score, and the rest were low. If they were effectively using single-class identifiers, either in fact or by considering only the maximum score in a multi-class identifier, that makes their findings even less notable.

about a month and a half ago
top

Research Highlights How AI Sees and How It Knows What It's Looking At

Entrope Re:Clickbait (130 comments)

The researchers also basically cheated by "training" their distractor images on a fixed neural network. People have known for decades that a fixed/known neural network is easy to fool; what varies is exactly how you can fool it. The only novel finding here is their method for finding images that fool DNNs in practice -- but the chances are overwhelmingly high that a different DNN, trained on the same training set, would not make the same mistake (and perhaps not make any mistake, by assigning a low probability for all classes). It is a useful reminder for some security analyses, but not a useful indictment of AI or DNNs as a whole.

about a month and a half ago
top

Research Highlights How AI Sees and How It Knows What It's Looking At

Entrope Re:This synopsis (130 comments)

The people choosing the training sets are not morons at all. This "research" is almost exactly analogous to finding that this year's SAT can be passed by feeding it a fixed pattern of A, C, D, A, B, and so forth -- and then declaring that this means standardized testing is easy to fake out. They are exploiting the particular structure of a particular instance of a DNN. It is not surprising that they can find odd images that make a DNN answer "yes" when the only question it knows how to answer is "is this a rotary phone dial?"

about a month and a half ago

Submissions

Entrope hasn't submitted any stories.

Journals

Entrope has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?