Comment Re:Kickstarter skeptics eat your heart out (Score 1) 300

As for all the paranoid NSA, ads in my eyes crap, it's just nerd-rage bullshit. As long as they don't close the SDK, and there is literally no logical reason for them to do that in this case, I don't see a problem.

I want to believe, yet NSA really does spy on everyone, "smart TVs" really do record everything you watch and Facebook really does sell your data to the highest bidder(s).

As a technical matter, when developers link to an SDK, the underlying support library would be capable of calling home to Facebook, injecting bullshit and/or spying on the environment... it is possible to concurrently present an open interface while reeking of the consequences of selling out.

Comment Re:Temper tantrum (Score 2) 300

Facebook might not be a games company right now, but the acquisition of Oculus certainly gives them a huge opportunity to venture into that market.

Laura, welcome to Slashdot. It is great to see such a positive outlook from a first time poster.

And as far as Minecraft not being social... are you kidding me? It might be a malicious kind of social, but Persson's pull out is coming off as more of a flounce rather than an educated

Sometimes it's better to pull early than live with the consequences.

Comment Re:Who cares about the baseband? (Score 1) 137

How can you possibly verify this?

The baseband processor is a fully self-contained system with its own processors, memory and operating system. While there are devices sharing system memory to reduce BOM, you start by selecting hardware with physically separate resources.

Given a sane interface design, the operating systems of baseband and smartphone have full control over what it does with data transmitted by each party. Sure, a satanic baseband can exploit a weakness in the smartphone ... squarely the smartphone's fault, within the smartphone's power to prevent.

Comment Fuck zuck (Score 0) 535

Every time something new comes along which does not suck some rich asshole swoops in at the last minute and turns it all to total shit.

Can't wait for version 3 of the developer kit with "cloud" and "facebook" ads and stalking built in.

"WaffleMonster just got his head chopped off in a virtual guillotine"

"WaffleMonster rode the roller-coaster-of-terror and screamed like a little girl"

Comment Re:Why do people continue to use diseased products (Score 1) 88

MS Word has been insecure since MicroShaft decided to add VBA and tie Word into the OS. Nothing but virus attacks and worms.

Why the hell do so many people continue using shit products so damned likely to infect their system?

File -> Options -> Trust Center ... First thing any sane person should do after installing Word is turn off all macros and ActiveX/VBA without notification.

Comment More stupid questions (Score 1) 491

I don't get it. If you are going away from satellite the signal is red shifted. If you are going toward the signal is blue shifted.

Why would there be any change in observed shift if you are going away from a geostationary satellite to the north vs. away to the south? What explains preferential outcome?

I could understand subtle timing differences due to ionospheric delay or polarization measurements. Ideas?

Comment Re:EAP? (Score 1) 150

You're half right, but EAP-TLS doesn't have a password/account component, just the cert, so you are missing an authentication factor.

Clients can ask the user to provide a password to access/decrypt the private key required to authenticate client to server. The "account" component is client identity (e.g. name of public key).

If you're going through the trouble of actually making sure clients are running a secure supplicant to the point of making users add a client cert and a local CA trustpoint

I've been pushing vendors for 10+ years for a usable solution and they don't seem to care.

All most people want is passwords without all the worry about brute force attacks. Users and Operators alike don't want to deal with certs at all... there is no *good* reason they should have to.

Comment Re: Not isms or phobias (Score 1) 704

There's a big difference between "You suck at this game" and "You play like a girl," to use the most tame example I can think of.

You fight like Nali.

Not only are they hurting the player they're insulting, but any person in $category that is in the same game; as well as teaching the non-$category people that this is an acceptable way to act.

If you learn about acceptable behavior from online games or feel insulted by the gibberish spewed by random teenagers, you're the one with issues.

Comment Re:Sigh. (Score 1) 227

If these pings are the data the engines send to Boeing, then they are supposed to be sent every hour. So ping timings getting longer? Since the pings are transmitted at the speed of light, over the distance the plane travels the change in ping timing would be too small to measure.

It depends on resolution of the timing data they have. I wish they would share raw data. Could have been recording clocking of sat link or some such to determine prop delay.

Also need to keep in mind sat is at geo.. length of actual light path between plane and sat depends on angle/location as well as speed/alt.

Comment Re:EAP? (Score 2) 150

You mean that clients do not check proper certificate signature by the CA?

The main problem is not so much CA validation but lack of a global namespace.

When I type https://www.securesite.com/ into my browser the only certificates my browser accepts are the ones explicitly for www.securesite.com... certs for www.someothersite.com don't work.

With EAP authentication no such check is done automatically by default. To be secure the client must explicitly select a CA **AND** certificate identity (e.g. www.securesite.com) ... otherwise you might well be presented with a valid certificate.... yet you won't know if it is one legitimately assigned to an attacker. Attackers after all can buy SSL certs the same as you or I.

In too many cases the extra work is simply asking too much of the user... some mobile clients are not even able to provide necessary configuration options to secure it.

Comment Re:EAP? (Score 4, Interesting) 150

I understand this is about recovering the PSK. This would mean that authentication using a certificate, such as EAP-TTLS is still safe. Correct?

I would say in practice "enterprise" password authentication via TLS (PEAP-* and TTLS-*) is the least secure authentication method for the simple reason virtually no client is configured properly to validate both certificate and identity.

The end result: TLS is effectively subject to MITM attack for the overwhelming majority of clients... leaving squishy inner PEAP/TTLS authentication protocol (all completely worthless)

In my view EAP-TLS with mutual certificate authentication is still the most secure authentication option available.

Stanford's SRP protocol would be awesome to protect WPA passwords. I believe it could be implemented with minimal changes to existing TLS stacks ... simply do TLS-SRP via EAP-TLS EAP method instead of the cert auth ... you get secure password authentication without the offline attack vector, or having to implement a new EAP method from scratch.

Comment Re:No Details (Score 1) 93

Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

Even if everyone was forced to upgrade to the current version of everything I doubt it would have much impact on "hacked together shit that runs their business"

What does "doing it right" even mean? Says who? You? Objective function of any business is nominally to make money. Not everyone has the same set of problems, not everyone benefits equally from application of the latest and greatest technology. At some juncture you may reach the point of diminishing returns after which platform "improvements" become a liability negatively affecting the business by introduction of unnecessary risk and expenditures.

It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

Depressingly little has materially changed in the last decade aside from the ebb and flow of annoying fads promulgated by marketeers and the legion of lemmings following in their footsteps.

While I hope to be proven wrong I fully expect all "advancements" from here on out to be incremental and of questionable or even negative value.
