Follow Slashdot stories on Twitter


Forgot your password?

Comment: Re:Silly (Score 1) 118

by Anrego (#49546857) Attached to: Swallowing Your Password

And I'll add, if it's your idea to create an anonymous but secure connection using PKI to send your biometric identity, that's no better than a password. Infact, it's worse than a password, because (as was the original point), all it takes is your super secret biometric identity to be compromised once, at which point your screwed.

Comment: Re:Silly (Score 1) 118

by Anrego (#49546757) Attached to: Swallowing Your Password

Yes, but how do you validate that the public key I send you is actually my public key? You have to already have it or it has to be stores somewhere that the other party trusts, bringing us right back to our original problem.

PKI lets two parties communicate securely without having ever spoken, and it lets one party validate that something was actually sent by another party _if they have the other parties public key and can trust it_.

Biometrics doesn't add anything useful to this equation that I see. Sure you can use some biometric information as a private key and generate a public key, but what does that give you over using some random number to generate a public key. It still comes down to the party at the other end having that public key and being reasonably sure it's yours.

Comment: Re: Silly (Score 1) 118

by Anrego (#49533737) Attached to: Swallowing Your Password

Sure, but how do they apply to confirming an identity and not a capability.

Maybe I'm too thick to get it, but I can't see how say, a bank, can validate that you are who you say you are without at least knowing _something_ about you that you can than verify through whatever means.

Comment: Re:Silly (Score 1) 118

by Anrego (#49532527) Attached to: Swallowing Your Password

meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place

As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.

There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.

Comment: Re:Silly (Score 1) 118

by Anrego (#49532177) Attached to: Swallowing Your Password

Assuming it was based on current public key encryption, even if broken an attacker would still need to harvest private keys from users to make use of it. That's gonna require special equipment (portable reader of some kind) and time.

Sure, damage would be done, but it wouldn't be the apocalypse. I suspect you'd see less impact than you do with current CC theft. AES being broken would be a far bigger deal on the internet where it would be much easier to apply the attack in a wide spread manner.

Comment: Silly (Score 5, Insightful) 118

by Anrego (#49532043) Attached to: Swallowing Your Password

The problem with this, and biometrics in general, is that there is only one you.

You can't revoke your "vein pattern" any more than you can revoke your fingerprint. Using your same biometric information for everything has the same pitfalls as using the same password for everything, and you are just one sketchy gas station away from someone getting a copy.

If you are going to implant something, why not implant a challenge/response system with a public/private key and strong cryptography, like you know, we've been doing on the internet with a good amount of success. A random very large number is just as good as any biometric information, and at least you can change it.

Comment: Re:FreedomBox (Score 1) 388

by Anrego (#49519517) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

Privacy isn't of great concern to many. It's not even an issue of comprehension. There are people who understand the privacy implications of things like facebook, but still happily participate because the social aspects are more appealing to them.

Social media in general has caught on because a great many people _want_ to share everything about themselves to everyone. Sites like what you linked to do a fairly poor job of convincing such people because they:

- Tend to focus on unrelatable things (like oppression in other countries, or oppression of people at home they can't personally relate to).
- Are written from an opposite viewpoint where privacy is just automatically an important thing that everyone should want. If social media has shown us anything, it's not to many people. The FSF is at the forefront of this too. When you write a blathering piece where you just assume your position from the beginning, people who don't already agree just roll their eyes, and the only ones you convince are those who already agreed.
- Not the case here, but often times focus on rare events where some shared information is used against them.

Very least, going as far as running a server at home, even one that's basically a pre-configured appliance, is a fairly extreme step for most non-geeks to take unless you can make a really compelling argument that doesn't involve dystopian futures and acid mines.

Comment: Re:IPv6 and Rust: overhyped and unwanted! (Score 1) 388

by Anrego (#49518357) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

I get that NAT isn't a firewall, but I think it makes a nice second layer.

Lets say I'm using shorewall, and for whatever reason I break my config and don't notice.

Consider: (big bad internet) -- (broken shorewall + nat) -- (internal boxes)

Suddenly you can't get to anything I was forwarding (which I'll probably notice) and yes there are probably effective attacks to get at my internal boxes through the nat, but at least it's not wide open as I imagine it would be in a configuration without nat.

Comment: Re:IPv6 and Rust: overhyped and unwanted! (Score 1) 388

by Anrego (#49517593) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

I doubt they'll go this route, but what would make sense to me would be to give customers the option to request a direct connection.

Between cell phones and people who have no interest in running a server (even unintentionally), there's probably only a small portion of people out there who really need a direct connection, and there are probably plenty of IPs to support them if you put everyone else on CGN.

Comment: Re:IPv6 and Rust: overhyped and unwanted! (Score 1) 388

by Anrego (#49517583) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

As someone who's not really a networking guy, this!

I like the extra layer NAT provides. It's no substitute for a firewall of course, but having your internal boxes not publicly addressable at all adds an extra layer of warm and fuzzy.

Is this attitude wrong? Probably. But it is also pervasive.

Comment: Re:These days... (Score 4, Insightful) 892

I feel like it exists for a few main reasons:

- People have different priorities. Some are all about the money, some want the retirement contribution, some want equity, some want vacation, etc. People also proportionally value these things differently. How much do you value an extra week of vacation to say, more retirement contribution or more salary? Negotiation solves this problem.

- As has been said, the employer and candidate have two directly opposing goals. The employer wants to pay the least they can while not feeling like you'll get a higher paying opportunity a few weeks later, and the employee wants the most money.

- Negotiation keeps things competitive. If every company stopped allowing negotiations, it would either become a race to the bottom or the top (I'm actually not even sure which, but the cynic in me thinks bottom).

Ultimately, I think this whole thing is stupid. I'm a guy, but I have to imagine this is patronizing as all hell to women. Isn't this the kind of shit feminists have been fighting forever?

Comment: Re:And yet, no one understands Git. (Score 1) 203

by Anrego (#49416191) Attached to: 10 Years of Git: An Interview With Linus Torvalds

I made a post about this above, but yeah, that describes my current relationship with git, and is one of the reasons I don't enjoy using it.

I feel like I truly know svn, I understand what it does and am very comfortable with how it works. Part of that is just having used it for a long time, but I do feel like git is much harder to wrap your head around.

With git I feel like I'm just following a bunch of recipes that I know work (or seem to work), and that's really not a good way to go about anything. Every time I try and get my head around the guts of git, I feel like it's been made intentionally screwy, and most git users I've talked to seem to just operate on the same recipe set I do. I just feels icky.

The flush toilet is the basis of Western civilization. -- Alan Coult