
Comment Re:Programming (Score 1) 602

See my example above regarding bcrypt vs PBKDF2.

Both are open-source. Both are completely public. But PBKDF2 has been through a completely public security audit. Bcrypt has not.

Someone trying to push public encryption standards that wouldn't pass audit won't get very far.

But government has pushed encryption standards that not only weren't openly audited, but not even publicly available for study.

Given a choice, which one would you trust? The guy who says "pick one of these", and lets you look at them and pick them up and feel them, or the guy who keeps them in a locked box and won't even show them to you first?

I know my choice.

Comment Re:Programming (Score 1) 602

At some point you do have to trust somebody. But who?

Should you trust the coder in the next cubicle over who blindly swallowed stories about the "security" of bcrypt, without any actual evidence?

Or should you trust the government?

Or should you trust the private-sector experts, like Schneier or Adleman?

At some point you have to either study it in-depth yourself, or take someone's word for the ultimate security. But not JUST taking someone's word, and certainly not just coder X at some conference. You can get explanations of how open-source encryption works.

Comment Re:Yes, in many states... (Score 1) 698

Nothing I did was "desperate", nor was I "regurgitating" Latour. Why do you lie so much?

Jane/Lonny Eachus hasn't retracted his endless Sky Dragon Slayer claims, and continues to spread Slayer misinformation.

Bullshit. What "slayer misinformation" do you pretend I "continue" to spread? Just another lie. You seem to have no respect for the truth whatsoever.

But that's probably asking the impossible

What is asking for the impossible, is asking me to stop doing something I'm not doing.

But that's probably asking the impossible, because Jane/Lonny Eachus is so brainwashed that he went above and beyond the call of duty by joining Slayer CEO John O'Sullivan in blaming his teenage victim, and wrongly insisted that none of the members of "Principia Scientific" (John O'Sullivan's Sky Dragon Slayer club) have ever been convicted of any sexual wrongdoing. If Jane/Lonny Eachus really isn't a Sky Dragon Slayer, at the very least he'd retract his mistaken claim that no Slayers have been convicted of sexual wrongdoing, and admit that Slayer CEO John O'Sullivan is an admitted pedophile.

More blatant lies, with utter disregard to what you know to be the truth. Here were my actual words. The rest of your nonsense is links to other sources, or you quoting yourself again.

To the best of my knowledge, none of the members of "Principia Scientific" (which seems from the context is pretty obviously who he is referring to) have ever been convicted of any sexual wrongdoing of any kind. O'Sullivan was once accused of improper sexual conduct by a known troubled (and repeatedly IN trouble) teenager his family was trying to help. He was acquitted of all charges, as khayman80 already knows. If he knew about the charges, it is only reasonable to believe he knew about the acquittal as well.

Note the words "to the best of my knowledge". O'Sullivan had been accused of improper conduct, but was found not guilty by a jury of his peers. As for any other non-criminal conduct in his personal life, I have no knowledge or interest whatsoever.

Further, as I indicated to you, the only person of whom I was aware, who could possibly be the subject of your ranting was O'Sullivan. So imagine my surprise when you linked to a page about someone named Manuel who was completely unknown to me. Further yet, as I told you at the time, I had no idea who were "members" of the Sky Dragon Slayers, nor did I care, nor was I a member myself. So you knew all this, yet posted all this bullshit anyway.

So what is your point here? Some kind of attempt to show guilt by association? Some kind of attempt at sexual harassment? Because I have never so much as met any of these people, and I didn't even know of the existence of some of them until YOU pointed them out to me.

Comment Re:Yes, in many states... (Score 1) 698

Jane, are you still confused about why you aced your hypocrisy final by bragging about how you've been desperately trying to silence/censor/suppress/stifle the speech of others?

Another of your outrageous distortions. Mentioning that I discussed your legal transgressions with an attorney has absolutely nothing to do with either bragging or censorship.

But as the Supreme Court has said many times, your "freedom of speech" is limited. You legally get to say whatever you want, about whoever you want, under any circumstances, with gross disregard for the truth.

Comment Re:No shit ... (Score 1) 157

As usual, you just whine that context is missing without explaining how you could possibly believe yourself when you said "nobody is claiming the ocean is not rising."

Nobody is whining. I am certainly accusing.

Many times, in many places, I have clearly stated that of course the ocean is rising. If in one time and one place you thought I meant something else, then the CONTEXT of that statement must have been misunderstood or missing. You already know I don't believe the ocean is not rising at all, but you use your out-of-context distortions to make it appear that I did. That's lying.

Don't you realize that being completely unwilling to back up your lies with actual calculations is indistinguishable from your being completely unable to perform even the most basic tests for acceleration in a dataset?

You cited Church and White, but I have more that say it ISN'T accelerating. I have many counterexamples, but I only need one. Church and White (2011) found a minuscule acceleration (0.009 cm year^-2), while others have found larger DEcelerations. Houston and Dean (2011), though their error bars are somewhat larger, Watson (2011), etc.

No dishonesty here. I have evidence for the things I say.

Comment Re:Yes, in many states... (Score 1) 698

There you go again. You have just illustrated a very real difference, and made my point for me.

You have been told many times that I am not a "sky dragon slayer". Whether I might have been once, in your opinion, is another matter. But you talk about years ago as though it were today, in precisely the calculated way that would give someone else the wrong impression.

That's dishonest. Unlike an honest mistake, it's a form of deliberate lying.

I am not (and have not been) the liar here, you are. You might try to excuse yourself for that in many different ways, but it hasn't worked.

Comment Re:Programming (Score 1) 602

Because so many people mis-understood my comment (in several seemingly very creative ways), I will clarify what I meant.

I didn't say you should roll your own. I agree that would be dumb. I didn't mean to imply that you had to know every aspect of every bit of math going on in an encryption algorithm, but you should have at least some grasp of the basics.

The reason I chose bcrypt as an example is because though it is based on Blowfish, it has not been shown rigorously that the additional key-generation rounds it is using to increase decryption time does not weaken the underlying encryption in any way. It seems like a reasonable conclusion, but reasonable is often not enough in encryption, as history has shown us quite often. The only real assurance we have that bcrypt's key-generation doesn't weaken the underlying encryption is that the developers said they "hope" it doesn't, in their original white paper. Hope is not a good measure to use for encryption.

On the other hand, there is PBKDF2, which has pretty much all the advantages of bcrypt, but unlike bcrypt has been fully security-audited.

My main point about the math was just that you should have a good idea of the relative "strength" of the algorithm vs today's computing power, and a basic idea of how it works. But then there are things like: how do I figure out how many bytes my salt should be? Etc.

Not rocket science. But it's not all 6th-grade math either.

Comment Re:Programming (Score 2, Insightful) 602

Well, my comment has been so much misunderstood, I cannot help but think I could have worded it more clearly. I didn't mean what you seem to think I meant. Even so, THIS:

As someone who works in the infosec industry, the fact this comment is rated +5 Informative fills me with panic. Yes, you should absolutely take someone else's word for it, specifically you should take NIST's word for it.

... is such utterly wrong, complete bullshit, I hardly know where to start.

You're referring to the same NIST that tried to foist Clipper Chip and Skipjack on a mostly-unknowing public in the early 90s? And planned to continue with the plan even though 80,000 negative comments were received during the public comment period, and a mere handful of positive comments? The same Skipjack that was later shown to have serious flaws?

Or, let's see... wasn't that the same NIST that has been implicated in trying to push a compromised form of elliptic-curve key generation on the businesses and public of the US?

That NIST?

It is to laugh.

No, people should listen to private-sector experts, and not listen to the Government at all, or at least take what it says with a grain of salt the size of a basketball.

Comment Re:Programming (Score 1) 602

In other words, any web developer who has not worked through their own proof of the Fermat-Euler theorem is not qualified to call themselves a good programmer.

You people seem to have some very creative forms of reading -- um -- "comprehension". I didn't write that and I didn't mean that.

I wasn't trying to imply that you necessarily had to know how elliptic curves apply to public-key cryptography. But you should have a good understanding of key length vs brute-force time, or whether the method being used is vulnerable to rainbow tables, etc. That does require a bit of math. Not PhD level, by any means.
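Added example, not part of the thread or of any commenter's post: the "basics" this thread keeps circling (how big a salt should be, why a salt defeats rainbow tables, and how key length and work factor translate into brute-force time) worked out in Python. It uses PBKDF2-HMAC-SHA256 from the standard library purely because that needs no third-party package; the same salt/work-factor reasoning applies to bcrypt. The constants (16-byte salt, 600,000 iterations, the attacker throughput in the demo run) are this example's assumptions, not figures from the thread.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Added example (not from the Slashdot thread): salted PBKDF2-HMAC-SHA256 password
# storage plus a back-of-the-envelope brute-force estimate. The parameter values
# below are this example's assumptions, not figures taken from the thread.
SALT_BYTES = 16        # 128-bit random salt; NIST SP 800-132 asks for at least 128 bits
ITERATIONS = 600_000   # work factor: each guess costs the attacker this many HMACs
DK_LEN = 32            # derived-key length in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return salt, dk


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = hash_password(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


def salted_hashes_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Same password, two fresh salts, two different stored hashes.

    An unsalted hash is a fixed function of the password, so one precomputed
    (rainbow) table cracks every user at once. With a 128-bit random salt the
    attacker would need a separate table per salt, which is what kills the attack.
    """
    s1, h1 = hash_password(password, iterations=iterations)
    s2, h2 = hash_password(password, iterations=iterations)
    return s1 != s2 and h1 != h2


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of search space for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def brute_force_seconds(keyspace_bits: float, hmac_per_second: float,
                        iterations: int = ITERATIONS) -> float:
    """Expected seconds for an exhaustive search to hit the password.

    On average half the keyspace is tried; each guess costs `iterations` HMACs.
    `hmac_per_second` is the attacker's assumed HMAC-SHA256 throughput.
    """
    expected_guesses = 2.0 ** (keyspace_bits - 1)
    return expected_guesses * iterations / hmac_per_second


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, stored))
    print("salts defeat tables:", salted_hashes_differ("hunter2"))
    bits = entropy_bits(62, 8)                       # 8 alphanumerics, about 47.6 bits
    years = brute_force_seconds(bits, 1e10) / (365 * 24 * 3600)   # assumed 1e10 HMAC/s rig
    print(f"8-char alnum at {ITERATIONS} iterations: ~{years:.1f} years expected")
```

The two knobs that matter in practice are `ITERATIONS` (the cost per guess, which you raise as hardware gets faster) and the password's own entropy; the salt size only has to be large enough that precomputation stops paying off, and 16 random bytes is plenty for that.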

Comment Re:Programming (Score 3, Informative) 602

Indeed. You can be a good programmer in most sub-fields without having a good grasp of multi-variate calculus, but you will never be a good programmer without at least some decent math skills.

You might do okay at coding web sites. But even then: if you don't understand how the encryption works, how do you know what method to use for encrypting the passwords on your website? Should you just take someone's word for it? (Answer: no. And yet that's how bcrypt became popular.)

Comment Re:No, obviously (Score 1) 263

Armed robbery includes any deadly weapon brandished as threat of force during the robbery, not just firearms.

Do you understand what "enhancements" are? In some states, using a firearm specifically will result in an "enhancement" to your sentence if found guilty. It's the same crime (armed robbery), but carries a stiffer sentence if the weapon happens to be a firearm.

Killing (even accidentally) in the commission of a felony is usually considered murder, so planning to kill in commission of a felony is like planning to murder.

True, but irrelevant to the point being made.

Comment Re:No, obviously (Score 1) 263

They inflict grievous bodily harm, every time.

Nonsense. Where do you get these ideas?

MOST shooting victims today (some sources say as much as 90%) survive.

MOST knifing victims (some sources say as much as 90%) bleed out before help arrives.

Your irrational fears, based on faulty perceptions, are not a rational basis for making law.
