Welcome to Ellipsix Informatics!
My name is David Zaslavsky and this is my website. I'm a graduate student in physics, and I also do a lot of work with computer programming.
OK, actually it is kind of a big deal. Discovering a new particle is not something that happens every day, and it's a concrete result of having a well-tuned detector. Besides, it's just cool. So congratulations to the CMS collaboration!
In case you haven't heard the story, late last week CMS announced that they had a statistically significant observation of the
baryon, a particle made up of an up quark, a strange quark, and a bottom quark. In this case, "statistically significant" means that they detected this particular decay signature 21 times, of which only
of them can be attributed to random coincidences in the detector. So they're about as sure as you can be in physics that they are seeing signs of a real particle. They've also managed to reconstruct various properties of this particle by examining the decay products, and everything matches up with the predicted properties of the
.
Now, why isn't this a bigger deal, and why didn't I write about it right away? Well, as I just mentioned, this particle was predicted to exist. Of course, the Higgs boson was also predicted to exist, and everyone gets very excited about that. The difference with this particle is that it's a baryon. All baryons are just different combinations of quarks; for example, the proton consists of two up quarks and a down quark, the neutron of two downs and an up, the neutral lambda baryon of an up quark, a down quark, and a strange quark, and so on. We've already discovered dozens of these baryons, all of which fit into a very well-understood pattern. That makes it easy (for a theoretical particle physicist) to predict the properties of any sort of baryon you can come up with. If you want to know what the mass and spin of an up-bottom-bottom baryon are, the theory can tell you that. We've actually used this pattern many times in the past to predict undiscovered baryons, and it's been pretty close every time. It's gotten to the point where nobody doubts the existence of all the particles predicted by this pattern, even though a bunch of them have never actually been detected. Up until recently, the
was one such particle.
For years I've been hearing that Technorati is an essential way to promote your blog over the interwebs. Despite the fact that I still don't entirely understand what this organization does or how it got so dominant in the making-your-blog-cool department, I figured I should probably cave... so this post is a step in the process of claiming my site in Technorati's blog index.
If you're wondering about this for your own blog, the process is (sort of) easy; just sign up, start a claim and fill out some information about your blog, and then you get a claim code like E3QA6PRUDVT9 (see what I did there) which has to be placed in a blog post so Technorati can verify it.
It remains to be seen whether this is actually going to amount to anything useful.
You may remember that about three months ago, the internet erupted in an uproar over two copyright protection bills, SOPA and PIPA, which were working their way through the House of Representatives and the Senate, respectively. Now there is another bill, the Cyber Intelligence Sharing and Protection Act (CISPA), which has many of the same people concerned. Indeed, a lot of privacy advocates are warning that CISPA is even worse than SOPA and PIPA. But other people are saying that it's nowhere near as bad. One way or another, there seems to be a lot of misinformation floating around about this bill, so just as I did with PIPA, I thought it would be useful to go straight to the source and see what CISPA is really about.
As usual, this post comes with the standard disclaimer that I am not a lawyer and this is not legal advice. I make no guarantees about the correctness of this information. If you're concerned about specific effects that CISPA could have on you personally, check with a lawyer.
Now then, to the source. The text of the bill itself can be found on the Library of Congress website as House Resolution 3523. It consists of an addition to title 50 of the United States Code, which deals with national security. The proposed addition starts out as follows:
Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector--
(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.
This basically sums up a large part of what people consider to be the problem with CISPA. It allows the government, or more precisely the national intelligence community (FBI, CIA, NSA, and other such organizations) to share information they have collected with private-sector entities, like businesses. Now, I don't know exactly what information our intelligence agencies collect on U.S. residents, but it stands to reason that if they wanted it, they could have access to phone records and the content of phone calls, emails, personal information like your address history and phone number history, your employment history and credit history, all your financial information, most of your shopping preferences, large parts of your web browsing history, and assorted other information. Obviously, government agencies can get far more information on your life and habits than private businesses or random people can. If a channel is opened up by which businesses can get a share of that information, they'd have a field day — and who knows what kinds of nefarious tricks they could pull with it?
But let's hold on a minute. The capacity for information sharing that CISPA introduces comes with restrictions, which are spelled out by the next paragraph of the bill.
(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE- The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be--
(A) shared by an element of the intelligence community with--
(i) certified entities; or
(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;
(B) shared consistent with the need to protect the national security of the United States; and
(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.
A "certified entity" is defined in subsection (g) of the bill as follows:
(1) CERTIFIED ENTITY- The term `certified entity' means a protected entity, self-protected entity, or cybersecurity provider that--
(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and
(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.
and in turn, "protected entity," "self-protected entity," and "cybersecurity provider," and the related term "cybersecurity purpose," are defined as
(4) CYBERSECURITY PROVIDER- The term `cybersecurity provider' means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.
(5) CYBERSECURITY PURPOSE- The term `cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
(7) PROTECTED ENTITY- The term `protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
(8) SELF-PROTECTED ENTITY- The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.'
OK, soo... if I'm getting this right, certified entities are basically businesses or organizations that either produce or use (or both) computer security technology, and either have or are eligible for a certain level of security clearance, and which confirm that they are capable of protecting whatever information they receive from unauthorized use. Sure, simply being capable of obtaining a security clearance, and being capable of protecting information, is not saying much. That's where subparagraph (C) comes in; it actually requires these certified entities to protect the information they're given. In essence, the bill is setting up the framework to ensure that, once privileged information leaves the intelligence community, it doesn't go any further.
Now, what sort of information gets out in the first place? That is loosely addressed by subparagraph (B), which says that the government can only share information as necessary to protect national security. There are a couple of problems I have with this statement, though. First of all, it's really vague on what exactly is necessary to protect national security. I understand that intelligence services need to have flexible tools to deal with problems that they haven't anticipated, and it would hinder their work to specify a complete list of circumstances under which information could be shared outside the government, but I really feel like some restrictions could be put in place here — for example, sharing information might only be allowed
It might be necessary to create some additional procedure by which a court could approve a request to share information with the private sector, since warrants are usually used to take things, not to give them out (as far as I know), but certainly that could be part of the bill as well. Honestly, I'm not sure exactly what sorts of situations prompted this bill to be written, and so I'm not sure what sorts of restrictions would be appropriate. But if history is any indication, intelligence agencies will try pretty hard to pass all sorts of things off as being required in the name of national security, and the current wording gives them free rein to do just that. And as with any organization, there are almost certainly going to be a few people in the intelligence community who would abuse that power.
The other thing that bothers me about this is that there is no accountability for what information gets shared and why it had to be shared. Later on in the bill, subsection (d) specifically, there is a provision that specifies that any sharing of information with the federal government under this act must be described in an annual report to Congress. But it says nothing about information shared by the federal government.
(d) Report on Information Sharing--
(1) REPORT- The Inspector General of the Intelligence Community shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section, including--
(A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose;
(B) a review of the type of information shared with the Federal Government under this section;
(C) a review of the actions taken by the Federal Government based on such information;
(D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any; and
(E) any recommendations of the Inspector General for improvements or modifications to the authorities under this section.
(2) FORM- Each report required under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.
I for one would feel much better knowing that if somebody is abusing the ability to share classified information, there is at least a framework set up for that to be reported to a higher authority. (Not that I really trust Congress, but like it or not, it is their job to oversee intelligence activities.)
Whew. OK. Let's move on to the next part of the bill, subsections (b) and (c), which deal with the reverse process, namely when private-sector entities share information with federal intelligence services.
(b) Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information-
(1) IN GENERAL-
(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and
(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.
(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--
(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and
(ii) share such cyber threat information with any other entity, including the Federal Government.
This part seems straightforward enough; it's basically saying that a technology security company can share with the government (or anyone else) information about threats to its systems or its clients' resources, with the explicit permission of the client, when doing so is necessary for the company to do its job of protecting the client.
(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--
(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information;
(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and
(C) if shared with the Federal Government--
(i) shall be exempt from disclosure under section 552 of title 5, United States Code;
(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and
(iii) shall not be used by the Federal Government for regulatory purposes.
And this part specifies conditions on when and how that information can be shared: basically that it has to be done in accordance with the company's own privacy policy, and that it can't be used for inappropriate purposes (though I'm not positive that "can't be used for competitive advantage" really covers all the inappropriate purposes one could come up with). It also says that information shared with the government is exempt from Freedom of Information Act requests, which is a pretty necessary stipulation, so it's good to see that that was included.
(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--
(A) for using cybersecurity systems or sharing information in accordance with this section; or
(B) for not acting on information obtained or shared in accordance with this section.
This paragraph is an interesting inclusion mostly because of the second item, which provides immunity from prosecution for declining to use any of this cybersecurity information. I like this clause because it means that, if you're ever not sure about the legal status of some information shared pursuant to this act, the safe "default" course of action is to just leave it alone, and that way there will be no legal consequences. This is much better than the alternative of providing immunity from prosecution for people who believed they were acting in compliance with CISPA but who actually weren't.
There is one thing I don't get about this subsection, though. Why is it even necessary? After all, most companies already have privacy policies, and most of those already say that they may share information with the government in accordance with a court order or when necessary to protect their business, in some cases even without explicit approval by the client. Now, granted, this is coming from the perspective of an individual, and subsection (b) does not apply to individuals (it talks about "protected entities," which are organizations, not people). But I would imagine that businesses have similar agreements in place when they deal with each other. So everything that this piece of CISPA allows was already perfectly legal? Maybe it just needed to be explicit, but I just don't see the point.
There's one more piece of the bill that I want to look at, and that is subsection (c), which governs how the federal government (in particular, the intelligence community) may use any information it receives from private-sector entities.
(c) Federal Government Use of Information-
(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if--
(A) the use of such information is not for a regulatory purpose; and
(B) at least one significant purpose of the use of such information is--
(i) a cybersecurity purpose; or
(ii) the protection of the national security of the United States.
OK, so they can't use it to influence policymaking, or at least that's what I assume "not for a regulatory purpose" is supposed to mean. But would it be so hard to just prohibit using this information for any purpose other than protecting national security? I feel like that would be a lot cleaner, and it closes the loophole of someone thinking up a wacky way to use shared information that is not regulatory but not intelligence-related either.
(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--
(A) require a private-sector entity to share information with the Federal Government; or
(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.
This final piece (that I'm going to talk about) says that the bill does not give the government the authority to demand information from a private company, at least not in any way that isn't already permitted by existing laws (namely, with a search warrant). It's definitely a good thing to make clear that intelligence agencies are still not allowed to bypass the judicial process; CISPA does not enable warrantless wiretapping and the like.
So where does that leave us? Well, there are a lot of people saying CISPA is worse than SOPA and PIPA. I do not agree. The thing that particularly bothered me about the PROTECT-IP Act was that it allowed the government to take highly restrictive actions against website operators without going through the judicial process to determine whether those website operators had actually done anything wrong. It tinkered with the "innocent until proven guilty" mantra that our justice system is (supposed to be) based on. CISPA does not. In fact, as I pointed out above, there are a couple of clauses inserted which effectively prevent the intelligence community from escaping judicial oversight (any more than they already do).
On the other hand, CISPA does enable some channels for information sharing which, in my opinion, are not sufficiently regulated and monitored. If Wikipedia is to be believed, the bill's sponsors are considering another round of changes that may help close some of the loopholes I've identified, but that's still tentative; besides, if you're the type of person who is a little more concerned about privacy than I am, then the idea of this information sharing in any form probably seems pretty bad. I'll probably be contacting my representatives about this, and whatever your opinion about it, I encourage you to do the same!
This is coming kind of late, because I actually received it about a week ago, but the box of stuff I got for being a moderator on Physics Stack Exchange has finally arrived!
It includes a Physics Stack Exchange T-shirt and sticker, a generic Stack Exchange pen, Sharpie, and sticker, and a letter of appreciation from the company's founder and CEO, Joel Spolsky.
There are a few interesting experimental results and analyses from the physics world this week, mostly having to do with dark matter. Probably the biggest of these is a fairly detailed paper on the local density of dark matter by the team of Moni Bidin, Carraro, Méndez, and Smith. As you may know, dark matter is astrophysicists' favorite method to explain how the tangential velocity of stars in large galaxies can be nearly constant all the way from the center out to the (visible) edge, despite the fact that a simple model would tell you that the velocity should be slower for stars further out. It explains a bunch of other observations too, including measurements of gravitational lensing by large galaxy clusters, so we're pretty confident that dark matter exists.
With that in mind, it's kind of surprising that the analysis done by Moni Bidin, Carraro, Méndez, and Smith finds no dark matter at all within a few kiloparsecs of the solar system! Basically, what they've done is apply Newtonian gravity (which applies fairly well on these scales), along with ten reasonable-sounding assumptions, to find a formula which relates the velocities of stars in some region of the galaxy to the local density of matter (regular and dark) within that region. They then took measurements of the velocities of 400 red giants in the vicinity of Earth, extrapolated to the entire stellar population using the known statistics of stellar motion, plugged the velocities into the formula, and came out with a density of
, which exactly matches the density of visible stars — no dark matter needed. This is shown in the plot at the right: the dark matter density calculated from the formula is the solid black line, and the gray lines are various theoretical predictions. The line labeled "VIS" means "visible matter only."
Of course, there are a number of ways in which this model could be inaccurate; for example, maybe the velocities of the red giants don't reflect that of the overall stellar population as well as we think, or perhaps the measurements of the dimensions of the galactic disc are a little bit off, or perhaps one or more of the ten assumptions isn't quite right. That's why the entire second half of the paper is devoted to an analysis of how the result for
would change if a measurement is incorrect or an assumption is wrong. And the conclusion from that part is that, within the constraints that we definitely know from other measurements, there's pretty much no combination of changed parameters or invalid assumptions that would make the result match any of the common models of dark matter. The only way people are seeing to make sense of the data is to assume that the dark matter is somehow clumped in particular regions of the galaxy, and we just happen to be in the middle of a pretty big dark-matter-free zone. That doesn't seem very likely, but it is possible. It's probably about as likely, though, that there's some new dark matter model nobody's thought up yet which will make more sense out of all this.
Another result that's getting a fair amount of attention is a possible actual detection of dark matter, discovered by Christoph Weniger in data collected by the Fermi Large Area Telescope. The FLAT has been pointed at the sky to collect gamma rays for almost four years now. There are many different sources for these gamma rays, but one possible source is the annihilation of dark matter particles with each other, which could happen if dark matter particles and their antiparticles both exist in large amounts in the same region (or if dark matter particles are their own antiparticles, as is predicted by several models). Now, if you assume that the dark matter particles are moving slowly relative to each other, then if two of them annihilate into a pair of photons, each of those photons will have the same energy as the mass of the original dark matter particle. And in fact, the standard model of cosmology, the Λ-CDM model, does specify that dark matter particles should be moving slowly. So if dark matter particles and antiparticles annihilate to produce photons, we should be able to detect a bunch of photons all at roughly the same energy, which will in turn tell us the mass of whatever particle constitutes the dark matter. This is kind of similar to what happens in particle accelerators: if the particles being collided have just enough energy to make, say, a heavy quark-antiquark pair, then that pair might decay into two photons, each of which has the same energy as the mass of one of the quarks.
This is just the sort of phenomenon that Weniger has discovered (or at least that he's claimed to have discovered; from reading the paper, it's a little hard to see an effect as strong as what he reports). In gamma rays detected from a region near the center of the galaxy, there is a little bump in the photon spectrum around
. This suggests that there may be dark matter particles with that mass annihilating in this region. It makes sense that the dark matter would cluster near the galactic center, since it responds to gravity more than to any other force. But the bump is still very small, and as Weniger himself points out, it can only be considered a tentative discovery at this time — not even a discovery, really, more like an observation. Still, this is exciting because, if the result turns out to be true, it would represent the first definitive, direct evidence that dark matter interacts in any way other than by gravity, and the first indication of what sort of particle might be making up this matter.
Yet another interesting result comes courtesy of Sean Carroll at Cosmic Variance, specifically in reference to this paper which reanalyzes data from CDMS. This paper is pretty technically dense, so I haven't been able to properly read skim it, but between Sean's blog post and what I can pick up from the paper, the claim is that the original analysis done by the CDMS collaboration is not sensitive enough to pick up the signal that would be generated by the dark matter at the density predicted by the common models. Specifically, the original analysis excludes a signal greater than
(that's detected events per day, per kilogram of detector material, per unit energy bin width), but Collar and Fields say that the signal from WIMP dark matter should be
. What's more, they run a different analysis and find that the CDMS data actually do show some events which can't be explained by the known (regular matter) interactions, but which do seem to match a signal found by their "competitor" CoGeNT. If this analysis is correct, it lends support to the idea that there is a substantial population of dark matter particles in the vicinity of the Earth, in contrast to what Moni Bidin et al. concluded. So one or the other of these results is probably going to be wrong, although it's likely going to be a very subtle correction. It's definitely going to be a very interesting time for dark matter detection research over the next few years.
For more information on these results, I'll point you to blog posts by Sean Carroll and Matt Strassler.