dents he explored in his “Viewpoint” “Your Students Are Your Legacy” (Mar. 2009). With appropriate changes based on the substance of study, the model is extensible well beyond CS. Patterson’s legacy is indeed well deserved. I only wish he had been my advisor when I was in graduate school.

George Sadowsky, Woodstock, VT

Educating Computer Scientists About Social Science

The Viewpoint “Computing as Social Science” (Apr. 2009) by Michael Buckley was not really about social science, but about social service, which is quite a different thing. This is not a mere quibble. In 20 years of work with computer scientists, I have often had to start from the beginning, educating them about sociology—and the social sciences—as analytic disciplines.

Barry Wellman, Toronto, Canada

Cold Boot, a Surprise for Unsuspecting Users

The article “Lest We Remember: Cold-Boot Attacks on Encryption Keys” by J. Alex Halderman et al. (May 2009) took me back to my student days in the 1970s when I discovered that the Control Data Kronos operating system had a similar vulnerability. One could access other users’ passwords by running the command-line tool to change passwords followed by the debug tool to “dump core” to a file. The privileged password utility could read the system password file to perform its function, but because it didn’t “zero out” the RAM disk buffers before it terminated, the nonprivileged memory dump utility revealed the IDs and passwords of many other users.

Bruce Wallace, Ooltewah, TN
More on Browser Security

Our article “Security in the Browser” (May 2009) included a paragraph with some unintended inaccuracies concerning the Cross Site Reference Forgery or Cross Site Request Forgery (XSRF) attack. XSRF leverages established session state in the browser. Also, if a user is authenticated into a Web site and the attacker somehow generates a URL to that site from the same browser, it may be authenticated as well. This is true for several types of authentication mechanisms, including session cookies. This type of attack does not require multiple tabs and has been around for a while, but tabs give it a new dimension, since more and more users keep multiple tabs open that are potentially authenticated to important (or high-value) sites. If a user logs into a bank and then in a separate tab goes to a page that somehow sends a malicious URL to the bank, that URL may be authenticated and able to perform actions on the user’s bank account without the user’s knowledge or consent. What we were attempting to show is that sometimes features have unintended security implications, an issue applicable to all major browsers.

While we regret this error, the article’s original thrust is the same—that browser security issues are complex, more so every day, and the risks they pose are not to be taken lightly.

Thomas Wadlow, San Francisco, CA
Vlad Gorelik, Palo Alto, CA

Equal Opportunity Support for All

You wouldn’t expect a woman CS department chair and a 1960s liberal to jointly criticize an article promoting women in computing, but we were disturbed by some aspects of the cover article “Women in Computing—Take 2” (Feb. 2009).

Much of it was devoted to a set of excellent suggestions for creating and nurturing CS careers, from initial childhood exposure through gaining tenure at a research university. But why were these suggestions covered in an article limited to women in computing? Nearly every suggestion applies equally well to any demographic: underrepresented minorities, people with handicaps, low-income people, plain old white males. (There were a few exceptions, such as “send students to the Grace Hopper Conference” or “join CRA-W,” but other career-advancing conferences and organizations can be substituted with the same overall message.) We would advise anyone considering a career in CS, or anyone in a position to nurture a CS career, to pay close attention to the good ideas in the article, while disregarding its focus on women.

For example, it suggested that introductory CS students should program in pairs. We like this idea very much for a number of reasons, none concerning gender. One might think intuitively that female students in particular prefer pair programming. However, from the statistics provided by the cited study, there is an even more positive influence on males than on females. (That is, the technique had a slightly better chance of motivating any given reluctant male to continue in CS than of motivating any given reluctant female.)

At the junior-professor level, the article suggested less teaching for the first two years, sufficient startup funding to support graduate students, help writing grant proposals, and being clear about what is expected to gain tenure. Aren’t these strategies appropriate for all junior faculty? Should females be granted such departmental support while males are denied? We certainly hope not.

There’s no question that women have faced obstacles over the years when choosing and building careers in CS, as well as in other fields. Still, an article providing sound general advice, while limiting it to women, is not an appropriate solution.

Jeffrey D. Ullman and Jennifer Widom, Stanford, CA

Communications welcomes your opinion. To submit a Letter to the Editor, please limit your comments to 500 words or less and send to letters@cacm.acm.org.

© 2009 ACM 0001-0782/09/0700 $10.00

Coming Next Month in COMMUNICATIONS

How to glean meaning and usability from a blind user’s interaction with technology.

Boolean satisfiability: From theoretical hardness to practical success.

Revitalizing computer education by building free and open source software for humanity.

Plus the latest news on collaborative filtering, facial recognition technology, and games and education.