Comment Re:FBI feigning incompetence? (Score 3, Interesting) 101

The FBI is mostly whining because they want on-line real-time undetectable wiretapping. Cracking open a locked phone is no different than gaining a warrant and taking the phone in the first place - the suspect is aware that his phone has been taken (or is dead), and it usually happens only after a serious crime has been committed and the suspect has been identified. I have no problem with police using tools to examine evidence after a crime has been committed.

But demanding flawed cryptographic algorithms, on the other hand, permit drift-net trawling of everyone's phones. Did you text someone about the weapon or the assassination plot? These crimes can now be thwarted before the victims are injured -- look, our pre-crime unit saves lives! But the drift-nets don't discriminate, and gather information about misdemeanor or non-criminal activity, too: small drug sales, shoplifting, or in the case of the Cheetohead-in-charge, researching climate change, donating to Hillary, or badmouthing Putin.

If anything, the current administration is so corrupt that the FBI themselves should be putting on the brakes, saying "no, we don't even want the tools to exist since you're just going to use them to ask us to further violate the Constitution for you."

Comment What kind of nonsense is this? (Score 5, Insightful) 130

"based on the designs of the existing studies, it is difficult to definitively conclude that these negative results clearly indicate that cell phone RFR is not carcinogenic."

This is how a priest justifies the existence of a religion, not how a scientist describes a fact.

Come back to us when you actually have positive results, not some phony belief.

Comment Re:Comprehension (Score 1) 132

So I thought the question was asking if the internal structure of an archive file should be organized so that an index of all the file and directory information is located at the top of the file, followed by the blobs of data that represent the content of said files? Or should the internal structure be a series of tagged blobs in a linked list, i.e. "next_file_offset=50:path_1:file_name_1:file_content_1"; "next_file_offset=230:path_2:file_name_2:file_content_2"; etc.?

Someone might ask this with the idea that a top index is great for instantly evaluating and accessing the contents, but it blows for archive maintenance; while if you follow the tagged blobs route you can append arbitrary blobs instantly to the end of any size archive file and still have a valid file, but producing a hierarchical directory listing requires walking the entire file (although a linked list would mitigate the worst performance hits of that.) And that he plans to use the opinions of slashdotters to help him decide what to write.

Because if the poll-taker is asking what I think you're saying he's asking, I'm pretty sure he's an idiot.
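An added example (not code from the comment above) of the second layout: an append-only archive of tagged blobs in the "next_file_offset=N:path:name:content" shape, with the offset-following walk a directory listing needs; the fixed-width offset field and the bounds checks on each offset are this example's own choices, and paths are assumed not to contain colons.

```python
# Added example: append-only tagged-blob archive as described in the comment.
# Appending never rewrites an index, so it is cheap at any archive size;
# a hierarchical listing has to walk every blob from the top of the file.
OFFSET_WIDTH = 12  # constructed: zero-padded decimal keeps every header the same size
PREFIX = b"next_file_offset="


def append_entry(archive: bytes, path: str, name: str, content: bytes) -> bytes:
    """Append one blob; only the new blob is written, nothing earlier changes."""
    header = f":{path}:{name}:".encode()
    start = len(archive)
    blob_len = len(PREFIX) + OFFSET_WIDTH + len(header) + len(content)
    next_off = start + blob_len  # absolute offset of the blob that follows this one
    return archive + PREFIX + f"{next_off:0{OFFSET_WIDTH}d}".encode() + header + content


def walk(archive: bytes):
    """Yield (path, name, content) by following the offsets from the top."""
    pos = 0
    while pos < len(archive):
        if archive[pos:pos + len(PREFIX)] != PREFIX:
            raise ValueError(f"corrupt blob at {pos}")
        p = pos + len(PREFIX)
        next_off = int(archive[p:p + OFFSET_WIDTH])
        # Offsets come from the file itself, so validate before trusting them:
        # no going backwards (loops) and no reading past the end.
        if next_off <= pos or next_off > len(archive):
            raise ValueError(f"bad offset {next_off} at {pos}")
        rest = archive[p + OFFSET_WIDTH:next_off]
        # rest is ":path:name:content"; the offset, not a delimiter, bounds the
        # blob, so content may itself contain colons.
        parts = rest.split(b":", 3)
        if len(parts) != 4:
            raise ValueError(f"truncated header at {pos}")
        _, path, name, content = parts
        yield path.decode(), name.decode(), content
        pos = next_off


def listing(archive: bytes) -> dict:
    """Directory listing (path -> names): requires walking the entire file."""
    tree: dict = {}
    for path, name, _ in walk(archive):
        tree.setdefault(path, []).append(name)
    return tree
```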

Comment Re:Tell me again, why is USB can read keyboard inp (Score 2) 142

"...no way for an OS to detect it."

It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)

And Boom, doesn't go the dynamite. Take a look at some of the Hak5 products, like the Bash Bunny or USB Rubber Ducky. They allow the owner of the device to specify whatever VID/PID combination they want; they actually recommend you change it from their defaults so that scanning for their default VID/PID won't get you caught.

Besides, you can't simply block alternate keyboard IDs anyway, at least not in America. The Americans With Disabilities Act will quickly be invoked by someone who needs an alternative input device in order to do their job. Perhaps they're in a wheelchair and need a wireless keyboard or mouse. Blocking random USB HID devices turns out to be a real problem for them.
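An added example, not from the comment above, of the detection approach it discusses from the defender's side: an audit over a constructed inventory of USB HID interfaces (fields shaped like the vendor/product ID, interface protocol and port path that sysfs exposes) that flags keyboards whose VID:PID is not on a known list and, because the comment notes those IDs can be changed by the device's owner, any second keyboard that shows up with an allowed ID. The inventory and allowlist are constructed; findings are reported for review rather than blocked, for the reason the comment gives.

```python
# Added example: audit of USB HID keyboard interfaces. The inventory below is
# constructed; on Linux the same fields come from /sys/bus/usb/devices.
from collections import Counter

HID_KEYBOARD_PROTOCOL = 1  # bInterfaceProtocol for a boot-interface keyboard (2 = mouse)

INVENTORY = [  # constructed sample inventory
    {"vid": "046d", "pid": "c31c", "proto": 1, "port": "1-1.2"},  # the machine's keyboard
    {"vid": "046d", "pid": "c077", "proto": 2, "port": "1-1.3"},  # a mouse, not a keyboard
    {"vid": "046d", "pid": "c31c", "proto": 1, "port": "1-4"},    # same IDs on a new port
    {"vid": "f000", "pid": "ff02", "proto": 1, "port": "2-1"},    # keyboard with unknown IDs
]
ALLOWED_KEYBOARDS = {("046d", "c31c")}  # constructed: IDs of the keyboard this host should have


def keyboards(inventory):
    """Only interfaces that declare themselves as keyboards matter here."""
    return [d for d in inventory if d["proto"] == HID_KEYBOARD_PROTOCOL]


def audit(inventory, allowed):
    """Return (reason, device) findings; nothing is blocked, a human reviews them."""
    findings = []
    kbds = keyboards(inventory)
    per_id = Counter((d["vid"], d["pid"]) for d in kbds)
    for d in kbds:
        ident = (d["vid"], d["pid"])
        if ident not in allowed:
            findings.append(("keyboard with unlisted VID:PID", d))
        elif per_id[ident] > 1:
            # A device cloning the real keyboard's IDs passes the allowlist;
            # the second keyboard carrying those IDs is the observable symptom.
            findings.append(("duplicate keyboard sharing an allowed VID:PID", d))
    return findings


def expected_keyboard_count_ok(inventory, expected=1):
    """Cheapest check: are there more keyboards than the machine should have?"""
    return len(keyboards(inventory)) <= expected
```

An unlisted ID may legitimately belong to an accessibility device, which is why the audit only reports; the duplicate-ID and keyboard-count checks are the ones that do not depend on the attacker keeping a default VID/PID.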

Comment Re:Cheating is a matter of perspective (Score 1) 142

He should change his major to "Hacking"; problem solved!

And he can hand out copies of his verdict when asked for his "Certified Unethical Hacker" (CUH) credentials.

I just hope some of the classes he faked his grades in were Comp Sci so when he gets out of prison he can go to work for a spammer.

Comment Re:What happens in 10 years? (Score 2, Interesting) 37

When my grandmother passed about 20 years ago, the family got together to empty the house to sell it. We loaded her old refrigerator on to a truck, and hauled it to the dump (where the guy helping unload it from the truck commented that it was still cold!) On the back was the date of manufacture: 1941. That thing had kept food cold for nearly 60 years.

And you know what? That old fridge was so inefficient that it cost her far more on her electricity bill than if she had thrown it away in 1980 and bought a new one. 60-year reliability was certainly a positive quality, but efficiency was definitely a negative quality that far surpassed it in terms of cost of ownership.

A washing machine from 20 years ago would likely use about 45 gallons of water per wash load, regardless of the load size. A smart HE washer from 2017 uses a sensor to measure the load, and uses between 5-20 gallons. Even in a place where water is cheap, heating the water costs. And the amount of electricity consumed by a modern direct drive motor is a fraction of the belt-driven beasts of the past.

Does that mean your washer should break down after five years, just so you can benefit from whatever gains in efficiency they've made? Of course not. But it does imply that buying a washer built to last 60 years is a waste of money.

Comment Re:This could happen to me (Score 1) 136

2FA, or even just smart cards alone would protect against all forms of password stealing. Logging a smart card transaction doesn't get you a replayable password, it only gets you a token that's already been consumed by the legitimate user. Plus, smart cards are a lot easier to use than passwords, so your users would love you for it. (Most users, anyway; some will inevitably complain that they can't use an app on their phone.)

Convenience has its price, however -- without 2FA, a smart card is susceptible to physical theft. But defending a possession against theft is something most people are already pretty good at. The same can't be said for computer security.
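An added example, not from the comment above, of the property it describes: a challenge-response login in which a logged exchange is a token already consumed, so resending it fails, while the card itself (the key) still answers any fresh challenge, which is the physical-theft caveat. HMAC-SHA256 stands in for the card's signature, and the keys, nonce format and in-memory server state are this example's constructions, not any real smart-card protocol.

```python
# Added example: single-use challenge-response, modelled loosely on what a
# smart-card login does. HMAC replaces the card's signature for brevity.
import hashlib
import hmac
import secrets


class Server:
    def __init__(self, card_keys):
        self.card_keys = card_keys  # card_id -> shared secret (constructed)
        self.outstanding = {}       # nonce -> card_id: issued, not yet used
        self.consumed = set()       # nonces already accepted; never valid again

    def challenge(self, card_id):
        nonce = secrets.token_bytes(16)  # fresh random challenge per login
        self.outstanding[nonce] = card_id
        return nonce

    def verify(self, card_id, nonce, response):
        key = self.card_keys.get(card_id)
        if key is None or nonce in self.consumed:
            return False  # unknown card, or a replay of a consumed exchange
        # Single use whether or not the response is right; a wrong answer
        # burns the challenge rather than leaving it open for retries.
        if self.outstanding.pop(nonce, None) != card_id:
            return False  # never issued, or issued to a different card
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.consumed.add(nonce)
        return ok


def card_respond(key, nonce):
    """What the card computes. It proves possession of the key and nothing
    more, so a stolen card with no PIN (no second factor) still logs in."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def login_then_replay(server, card_id, key):
    """Return (first_login_ok, replay_ok) for one captured exchange."""
    nonce = server.challenge(card_id)
    response = card_respond(key, nonce)
    first = server.verify(card_id, nonce, response)
    # Whoever logged (nonce, response) and resends it gets a rejection:
    replay = server.verify(card_id, nonce, response)
    return first, replay
```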

Comment Re:Arguable statement (Score 2) 158

Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.

Right now, the designers of WiFi light bulbs throw a SoC in the socket and a few LEDs on the heatsink, and because there's no standard, each company makes up their own bare-bones data connection for "on/off", and supplies a clunky iOS and Android app. Nobody reviews the protocols, they shove whatever no-name distro and web server they can think of into the SoC, and ship it.

So the way to improve on this is to have an externally defined standard for IoT devices. The standards need to address all of the security problems. That means having a secure way to deliver updates. It can't be poking giant holes in home users' routers via UPnP. It needs to have a secure communications channel. It has to use high quality cryptographic algorithms. It must be completely open and free. Ideally it should be easier for manufacturers to download a reference implementation than it is to write their own, or to buy something. And of course it needs to be fully subject to review.

What the standards really need to succeed in the eyes of the public is a championing body, with a logo, a certification body, rules, and an insurance fund. Stores need to feature signs like "This device's cyber security guaranteed up to $5000 by the manufacturer, a member in good standing of The Secure Testing Industry Group (STIG)." The logo should become as common as the UL, CE, and ETL logos seen on electric appliances everywhere. Something that says "if you get hacked because our device was vulnerable, we'll pay you money."

Then, we need retailers to get behind this. Make sure every web site selling them features The STIG certification logo right next to the stupid "Trust me" lock. The big box store shelves need to have signs proclaiming "Security certified by The STIG products sold here".

Putting money on the table puts incentive on the manufacturers to be as secure as possible, and to patch things as quickly as possible. And it gets consumers to prefer it over an unlabeled brand.

Comment Re:Breach in 2012 (Score 1) 81

...and now 5 years later they notice it? Why are companies like that still allowed to stay in business?

My guess is that the evidence of the attack from 5 years ago has long since been destroyed. Disqus *never* noticed it themselves, they were only recently informed of it by Troy Hunt, who obtained a copy of the stolen database and then contacted them.

Anyway, there isn't a law against being incompetent. There may still be consequences, however, if their clients get mad at them for this breach and abandon Disqus in favor of another commenting system.

Comment Re:Passwords are special. SHA-1 is much too fast (Score 1) 81

And that in no way defends the incorrect assertion of the article's author that associates SHA-1's flaws with this attack, which was the entire point I was trying to make.

Regarding the security of the password hash database that was stolen, I was assuming a few things: that the attackers are lazy, and while they might try a rainbow table, they won't bother brute-force hashing salted passwords; and that when Disqus says they used a salted hash, that they actually used a proper per-user salt algorithm, and not a common-to-all-users salt.

And yes, any scheme can still be brute-force attacked with a limited list of common passwords. Even PBKDF2() hashed passwords can be brute-force attacked with a very limited number of common passwords (perhaps the top 10, like "password", "abc123", etc.) and no doubt more than a few user accounts will fall. This being Disqus (not exactly a high security site), I have to wonder how many of their users reused their same passwords on their banking or other high value shopping sites? Account takeovers that exploit a common password across multiple sites seem to be the most damaging form of attack in use today, so I suppose it's prudent to assume that this database is no exception, and that the attackers aren't as lazy as I had assumed.

Of course if they used a common-to-all salt, you can bet that Troy Hunt will start building a rainbow table soon (if he hasn't already begun to do so.) And I'd be even more concerned about the security of that password.
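An added example, not from the comments above, that puts numbers on the two points they make: a credential-storage audit over constructed user records showing that a salt common to all users lets one precomputed table (the rainbow-table stand-in here) be checked against every account, that a per-user salt forces a fresh hash per account per candidate, and that a slow hash like PBKDF2 raises the cost of each guess but does not rescue an account whose password is on a short common-password list. User names, passwords, the three-entry candidate list and the deliberately low iteration count are all constructed.

```python
# Added example: why per-user salts defeat precomputation but not weak passwords.
import hashlib
import hmac
import os

ITERATIONS = 1000  # constructed; far below production values so this runs quickly
COMMON = ["password", "abc123", "123456"]  # constructed stand-in for a top-N list


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow hash: each guess costs ITERATIONS HMAC evaluations, not one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users: dict, per_user_salt: bool) -> dict:
    """Return {user: (salt, hash)}. With per_user_salt=False every record
    shares one salt, the 'common-to-all-users' scheme the comment worries about."""
    shared = os.urandom(16)
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16) if per_user_salt else shared
        store[user] = (salt, pbkdf2(pw, salt))
    return store


def weak_accounts(store: dict, candidates):
    """Audit: which accounts use a candidate password, and how many hashes
    the audit had to compute. The table is the reusable precomputation:
    with a shared salt it is built once for everyone; with per-user salts it
    never gets a second hit, so the work grows with the number of users."""
    table = {}  # (salt, candidate) -> hash
    hashes_computed = 0
    found = set()
    for user, (salt, stored) in store.items():
        for cand in candidates:
            key = (salt, cand)
            if key not in table:
                table[key] = pbkdf2(cand, salt)
                hashes_computed += 1
            if hmac.compare_digest(table[key], stored):
                found.add(user)
    return found, hashes_computed
```

The accounts with a listed password are found under both schemes; the salt only decides whether the cost is one table or one table per user, and the iteration count decides what each entry of that table costs.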
