This is especially annoying because free access to information is a foundation of scientific and other academic inquiry, and because much of the value of a peer-reviewed journal is added at no cost to the publisher.  Scholars and scientists write and submit papers, of course; but they also serve as reviewers and members of editorial boards, frequently on a volunteer basis.  To add insult to injury, the publishers also engage in other questionable practices, such as only offering journals in pre-defined “bundles”, as if they were cable TV channels.

There is now a nascent protest movement among academics to boycott their part of this process.  The action was sparked by a blog post by Timothy Gowers, a mathematician at the University of Cambridge, and Fields Medal recipient.  A Web site,  thecostofknowledge.com, has been set up, which enables members to make a public pledge not to do any or all of:

• Submit articles for publication
• Referee articles submitted by others
• Perform editorial work

The initial action is being taken against the publisher Reed Elsevier, which publishes some of the highest-priced journals.  At this writing, 1335 researchers have signed up.  John Baez, a mathematical physicist at the University of California, Riverside, has an overview post on his Azimuth blog.

This is an encouraging development.  For too long, some of these journal publishers have not only bitten the hand that feeds them, but charged the rest of the body for the privilege.  Or, as Adlai Stevenson once said, “Eggheads of the world, unite!  You have nothing to lose but your yolks.”

Wired has posted an article, by Robert McMillan, that attempts to answer this question.  It’s amusing to reflect on some of this history, and perhaps it holds a few lessons, too.

As the article points out, the idea of passwords in general has a long history, going back at least to the Romans.  However, it is not entirely clear when the idea was first applied to computer system access.  One possible candidate is the SABRE Reservation System, developed by IBM for American Airlines in 1960.  But McMillan thinks the most likely candidate is the Compatible Time-Sharing System [CTSS], developed at MIT in the mid-1960s. under the direction of Fernando Corbató.   (The photo accompanying the article, showing Corbató standing amidst the system’s equipment, is perhaps of interest to historians of computers or fashion.)

It probably arrived at the Massachusetts Institute of Technology in the mid-1960s, when researchers at the university built a massive time-sharing computer called CTSS. The punchline is that even then, passwords didn’t protect users as well as they could have.

The article goes on to suggest that even in CTSS, passwords were something of a security failure.  I think this argument is a bit unfair.  The two security breaches cited in the article were both the result of someone obtaining a copy of the password file, either due to a system error or deliberate subterfuge.  (The password file was, apparently, not encrypted, of which more anon.)  Criticising the use of passwords based on attacks of this kind is like criticising a lock because the burglar opened it with a stolen key.  The lesson to be taken away from these examples is that effective security is a system, not a particular technology.  No matter how good your passwords are, someone who can steal a list of plain text passwords (or capture them with a keystroke logger) can still access your system.  Similarly, being careful with passwords while leaving an unencrypted copy of the password file accessible will not protect you, any more than putting three deadbolt locks on your door while leaving the windows open.

Having an authentication system that is better, in principle, than passwords, is a good thing.  At the time CTSS was developed, though, passwords could have provided effective security had there not been some serious goofs in the implementation.  (We should also remember the very limited resources of that system, by today’s standards.  A system that would take 30 minutes to process a login would not be worth much, although it might be very secure.)   Also, the history of security systems seems to show that, even with a “provably secure” system, like one-time pad cryptography, implementation and user errors can create embarrassing failures.

Symantec has just taken the somewhat unusual step of issuing a white paper, Symantec pcAnywhere Security Recommendations [PDF], which discusses potential security risks from using the product, and recommends that, because of several current vulnerabilities, pcAnywhere be disabled until Symantec has issued appropriate patches.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that
resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is
recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

Some of the vulnerabilities are, according to the white paper, linked to a theft of some Symantec source code back in 2006.  The stolen code apparently included some encryption and other security functions that were implemented in a vulnerable way.  The principal risk is of a man-in-the-middle attack against the encryption and encoding weaknesses, but other attacks are also possible.   In addition to describing some mitigation steps, the white paper gives a summary of recommended security practices for pcAnywhere users.  In addition to the pcAnywhere product itself, the vulnerable software is bundled with three other Symantec products: Altiris Client Management Suite;  Altiris IT Management Suite versions 7.0 or later; and Altiris Deployment Solution with Remote v7.1.

Symantec has also released a Security Advisory for pcAnywhere and associated products, regarding two serious vulnerabilities that do not seem to be related to the code theft.   Successful attacks against these flaws might result in remote execution of arbitrary code, or unauthorized modification of local files.  The code execution vulnerability is very serious, since the relevant execution context will often be System.  There is a hot fix available for supported versions of pcAnywhere.

The SANS Internet Storm Center has a diary entry on the pcAnywhere issues.  They report seeing some evidence of systematic probes of TCP/IP port 5631, used by pcAnywhere.  This probably indicates attempts to discover and exploit vulnerable systems, so the ISC’s advice, and mine, is patch now.

Using any remote access facility involves some risk, especially if the remote user is in an insecure location.  Users of pcAnywhere should keep an eye on the security news, and on Symantec’s site, so that they can stay on top of this one.

Technology Review reports that a more gradual approach to automated driving technology is being taken by auto manufacturers, especially in Europe.   I’ve written here about a European project to allow communicating vehicles to form up as “road trains” on highways, to improve energy efficiency and safety.  And the automakers have already begun to introduce incremental driving assistance capabilities.

[BMW's Werner] Huber and executives at other European automakers say the automated driving revolution is already here: new safety and convenience technologies are beginning to act as “copilots,” automating tedious or difficult driving tasks such as parallel parking.

The expectation is that these features will be introduced first on high-end models, then gradually make their appearance on a broader range of cars, depending of course on their reception by customers.  There are models offered now that offer parallel parking assistance, and other capabilities are being offered as well.

For example, for $1,350, people who purchase BMW’s 535i xDrive sedan in the United States can opt for a “driver assistance package” that includes radar to detect vehicles in the car’s blind spot. For another $2,600, BMW will install “night vision with pedestrian detection,” which uses a forward-facing infrared camera to spot people in the road.

Probably one of the marketing goals for these features is to get people more accustomed to the idea of the car “thinking for itself”.  One doesn’t have to look at very many car advertisements to realize that the product is often sold as an extension of the driver, probably not ideal for selling a fully autonomous car.  There are also legal obstacles to be dealt with.  Traffic codes assume, at least implicitly, that a person is in control of the vehicle while it is moving.  There will also be interesting issues of software liability, if it appears that a failure of the automatic system caused a collision.

Still, this is potentially valuable experimentation.   Travel by automobile is a big consumer of fossil fuels, as well as being fairly dangerous (compared to other forms of transport).   Anything that might make it safer and more energy efficient is worth a look.

Windows and Mac users should get the new version via the built-in update mechanism.  Linux users should get the updated package from their distributions’ repositories, using their standard package maintenance tools.

Network World reports on a new effort being launched by DARPA, the Defense Advanced Research Projects Agency, to develop new techniques for authenticating users.  The project, which DARPA calls “Active Authentication”, takes a slightly different approach from most past efforts in this area.

… the agency’s Active Authentication program looks to develop what DARPA calls “novel ways of validating the identity of the person at the console that focus on the unique aspects of the individual through the use of software-based biometrics.”

The “biometrics” that are mentioned here are not the usual ones, like fingerprints or hand geometry, but are drawn from a broader set of user characteristics and behavior.

Active Authorization focuses on the computational behavioral traits that can be observed through how we interact with the world.

Examples of the kinds of user behavior that might be considered as authentication factors include:

• - keystrokes
• - eye scans
• - how the user searches for information (verbs and predicates used)
• - eye tracking on the page
• - speed with which the individual reads the content

Some of this is similar in concept to some earlier work on user profiles for security.  In its current announcement, DARPA emphasizes that the first phase of the project will concentrate on developing techniques that can be implemented without installing additional hardware devices in a standard office environment.  Later phases might consider new types of sensor technology.

This is an intriguing approach.  The use of multiple authentication factors should increase reliability of the system; also, as DARPA point out, it might help detect intrusions from logged-in workstations left unattended, since the behavioral authentication factors can be measured on an ongoing basis.

An article at Ars Technica  reports that another IPv6 Day has been scheduled for June 6, 2012.  Once again, many of the large Internet services will participate: Google, Microsoft’s Bing, Yahoo!, and Facebook.  In addition, several large ISPs are participating this year, including Comcast, Time-Warner Cable, and AT&T, as well as Free Telecom in France, and XS4ALL in the Netherlands.  Cisco/Linsys and D-Link will also begin enabling IPv6 by default in their home routers.  But the most important difference in World IPv6 Launch is that, this time, it’s not just a test.  The participants will permanently enable IPv6 for their sites and networks.

There will, inevitably, be some configuration errors and other problems that will surface once IPv6 connectivity is being used on an ongoing basis.  But forcing the issue is probably the only realistic way to get people to change.  And, as Ars points out, the Web itself, and  the HTTP protocol, are relatively tolerant of a mixed environment; other services, however, such as Skype, really need to move to IPv6, but have not done much so far.  So there will probably be some inconveniences along the way, but there really is no practical alternative to making the change.

I will not attempt to describe the details of this legislation, since others have already produced good summaries.  Wired has an article explaining some of the reasons for the protest.  Google also has a page on the issue, and the Electronic Frontier Foundation has a three-part article going into more depth.  The prime movers behind this legislation are the content producers, especially those represented by the RIAA [Recording Industry Association of America] and the MPAA [Motion Picture Association of America].  They are upset because the advent of digital distribution makes some parts of their traditional business model economically unsustainable.

The protest and other advocacy by the technology industry and others does seem to have had some effect.  LAst weekend, the White House issued a statement saying that it would not support the bills in their current form.  And just in the last two days, a number of Senators have backed away from support of PIPA.

This is progress, but Congress needs to understand that this kind of legislation, benefiting one specific group while potentially causing great “collateral damage”, is a really bad idea.  As Bruce Schneier  often reminds us, putting in place the surveillance and censorship mecahnisms of a police state is not good civic hygiene.

An organization that maintains a huge database of academic research plans to soon let the public view some of the trove of information for free—a big boost for the idea of “open access” to the world’s knowledge.

JStor, which is run by a non-profit organization, was set up in the mid-1990s to relieve libraries of the burden of storing and cataloging paper journals.  Its total archive includes more than 1,400 journals, so the material to be included in the beta Register & Read program is just a small chunk of the archive, but JStor indicates that more content may be added if the initial experiment is successful.

JStor previously launched its Early Journal Content program, which provides free access to journal articles published prior to 1923 in the United States and prior to 1870 elsewhere.  The organization says that both this and the Register & Read program are part of an attempt to find sustainable ways to provide JStor access to people not affiliated with a participating institution.

Obviously, there is a significant cost associated with running a facility like JStor, and the money to pay the bills has to come from somewhere.  I think JStor is to be commended for trying to provide better free access; there are many people in the world who have no realistic chance of getting “official” access, and it’s just possible that some of them might have significant contributions to make.

Now, according to reports at Technology Review and the New York Times, researchers at IBM’s Almaden lab have developed a new type of magnetic storage material that is dramatically more compact than existing technologies, using only a dozen atoms per bit.

The smallest magnetic-memory bit ever made—an aggregation of just 12 iron atoms created by researchers at IBM—shows the ultimate limits of future data-storage systems.

By comparison, the highest-density magnetic storage devices made today use ~1 million atoms per bit.  The research is reported in the current issue of Science [abstract].  The technology is not quite ready to be included in your next laptop or smart phone.  It only works at very low temperatures (< 5K), and can only retain the data stored for a few hours.  Researchers feel that this can be improved by using a slightly larger number of atoms, ~150, but there is still no scalable method of manufacturing the material.

Nonetheless, the work is of great interest because it shows the possibilities for aggressive use of nanotechnology.  The experimental device is assembled using a scanning tunneling electron microscope (invented in the early 1980s at IBM Zürich) to place individual iron atoms in an anti-ferromagnetic alignment.  In conventional ferromagnetic materials, like the magnetic coating on disk platters, or the magnet on your fridge, the magnetic spins of individual atoms are aligned; this can lead to instability when components are made smaller.  The new material does not have this alignment, so some degree of stability can be achieved with a tiny amount of material.

It’s too soon to say for sure that this approach will produce a new type of computer storage; but we are approaching the physical limits of what can be done with silicon fabrication technology, so it’s good to see new approaches being explored.

Update Sunday, 15 January, 17:05 EST

Wired also has an article on this research, complete with an image of a byte of memory in the new material, with eight little 12-atom clumps.