
Comment Use mine 20+ times a day (Score 3, Informative)

Really addicted to mine. I have my private SSH key on there (via GPG/PGP), so that's never on my working machines. Use the standard OTP on several personally-run sites. Use U2F security for Google apps. Use the TOTP (a.k.a. Google Authenticator/Authy) app. Use the challenge-response mode as a second factor on my KeePass database. Amazing gadget.

The question regarding the teardown is... "so"? Even with full pin access to the A7005 chip, you *STILL* wouldn't have access to my GPG/SSH private key or my TOTP generators within it. That's the point of a secure element. You'd have to dissolve the casing of the A7005 chip and have a decent microscope lab to get those bits of data out of the chip. You would be able to use my U2F/OTP/TOTP-generated-code functionality. But, you could do that just by stealing my Neo and plugging it into a USB slot without any acetone bath involved.

Comment Re:What we need is,,, (Score 2)

As said above, SSA doesn't have any sort of biometric verification of "who you are".

And, as said above, your SSN shouldn't be used as an identifier. If we need a common citizen ID number, fine, but it shouldn't be anything but identifying (i.e., effectively public knowledge).

It's the gorram 21st century. We've had public-key encryption figured out for over 30 blessed years now. Most people in the first world are carrying around several crypto smartcard devices already (EMV compatible credit cards and other smartcard tech).

Much of the world now has ID cards with cryptographic chips in them. When you open a line of credit, you prove, through RSA/elliptic-curve signatures that you are YOU via your ID chip. If you lose your ID, it gets put on the centralized revoke list, the issuing agency goes through whatever in-person process to verify you are you, and gives you a new ID. This can extend to online purchasing, online voting, etc, etc.

But, we're so freaked out about government black helicopters that we just accept the whole fraud thing as inevitable.

Comment Re:Consider the alternative question (Score 1)

Is it, though? It was infinitely easier to carefully (okay, obsessively) portion out the 1700 kCal per day I could eat and maintain just-under-obese status when I was single and nearly a hermit. Married (to a gal with better metabolism than me), there's simply endless, "hey, I made cookies" or "hey, I'm just springing on you that we're going out with friends for fish-n-chips tonight" temptations.

Comment Consider the alternative question (Score 5, Interesting)

The flip side of the question is "Why are skinny people not fat?".

It's a more interesting question than you may think. One bit of semi-famous research is the 1970s Vermont 'prisoner overfeeding study'. Like bits of Nazi science, this is probably irreproducible, as it'd *never* get past a human subject review committee today.

A number of lifetime-normal-weight prisoners were fed substantially over their basal metabolic needs for an extended period. Their input was rigorously controlled (being prisoners), and their exercise regimen was pretty easy to monitor and control. Most of them gained weight, but almost none of them nearly as much as the standard "3500 kCal is a pound of fat" Standard Model would predict. Several plateaued on weight gain, and a few lucky (?) prisoners were *never* able to gain 10% of their body weight when eating nearly 10,000 Calories a day. Simply couldn't do it.

A lot of people are overeating in western culture. A lot more that, by the numbers, should be in the 300-pound range. And while there is no shortage of very-very-fat people, they're not nearly as common as they should be if you study individual diet patterns. This is part of the problem. People look at their skinny friends' diets, and some of those skinny friends are like the luckier Vermont prisoners.

Comment "15 mph over" (Score 1)

The basic principle is sound. 6 days' income for 15 mph over is pretty stiff, but then again, a lot of US speeding tickets now are in the $400+ range (after court fees, etc.), which is 6 days' income for a lot of people.

"15 mph/25 km/h over" is kinda a poor starting point. 55km/h in a 30km/h zone (one that really needs to be a 30km/h zone... like a dense urban center with playgrounds and schools)... to me that's pretty deserving of punishment. 125km/h on a rural road posted at 100km/h in clear weather? I'm not sure that even merits a warning. I'd put the penalties at 30%/40%/50%/60%/70% over the posted limit rather than a fixed speed-delta.

Comment Re:Smartcarding your SSH connection (Score 1)

Value judgement time, but for my money, nobody's out there brute-forcing RSA keys even at 1024-bit except, maybe, the NSA. If you weigh "everyone but the NSA" security as a bigger day-to-day concern, side-channel issues (keylogging, shared memory, copied private key files, implementation flaws, etc) are a lot more pressing realities than the almost-theoretical added security of 4kb+ RSA keys or going ECC.

Comment Smartcarding your SSH connection (Score 2)

One bit of paranoia the author might add is moving your private key completely off of your desktop into a smartcard that does the RSA or ECDSA step and, being a far more limited microprocessor, should be more securable than processes running on a general-purpose networked computer and multitasking OS.

I believe there are ways to do ssh with PKCS-based smartcards, but the method used around here is based on PGP/GPG keys and either the "OpenPGP Smartcard" (ISO smartcard form factor, requires a smartcard reader) or the YubiKey Neo (USB pen-drive form factor). You create a key pair (possibly using the smartcard CPU itself). You use gpg-agent with OpenSSH (or PuTTY) support instead of ssh-agent/pageant. The private key never leaves the device (the little bit of flash memory in the chip) and is designed to be unrecoverable. The RSA authentication step happens in the microprocessor on the card. The card has a PIN and is designed to lock after a couple missed PINs. for a starting point.
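The gpg-agent-instead-of-ssh-agent setup the comment describes, as an added example that is not the commenter's own code. It assumes GnuPG 2.1 or later (where `gpg-agent` can emulate an SSH agent and `gpgconf --list-dirs agent-ssh-socket` exists); the fallback socket path used when `gpgconf` is absent is an assumption for older layouts.

```shell
#!/bin/sh
# Added example: point OpenSSH at gpg-agent so the RSA/ECDSA signing step
# happens on the OpenPGP card / YubiKey Neo rather than on the desktop.

# Idempotently add 'enable-ssh-support' to gpg-agent.conf and ask a running
# agent to reload. Prints how many times the directive now appears (1).
configure_gpg_agent_ssh() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    conf="$home/gpg-agent.conf"
    mkdir -p "$home" && chmod 700 "$home"
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
    if command -v gpgconf >/dev/null 2>&1; then
        # Harmless if no agent is running yet; it will pick the file up on start.
        gpgconf --reload gpg-agent >/dev/null 2>&1 || true
    fi
    grep -c 'enable-ssh-support' "$conf"
}

# Resolve the agent's SSH-compatible socket. Newer GnuPG puts it under
# /run/user/<uid>/gnupg; asking gpgconf avoids hard-coding that.
gpg_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        # Assumed classic location for installs without gpgconf.
        printf '%s\n' "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    fi
}

# Make ssh(1) talk to gpg-agent instead of ssh-agent. Put the same two lines
# in your shell profile so every login shell uses the card.
use_gpg_agent_for_ssh() {
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK="$(gpg_ssh_socket)"
    export SSH_AUTH_SOCK
}

# With the card inserted (needs hardware, so not run here):
#   gpg --card-status        # confirms the reader sees the OpenPGP applet
#   ssh-add -L               # lists the card-held public key in OpenSSH format;
#                            # append that line to ~/.ssh/authorized_keys remotely
```

After `ssh-add -L` shows the key, an `ssh` login prompts for the card PIN via pinentry and the private key never touches the host.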

Comment Re:Great feel but poor ergo ... (Score 1)

How 'ergo' are you looking for?

Kinesis, who makes the Advantage series (crazy bowl-shaped keyboard that I'm typing on right now and love to pieces), also makes the Freestyle (two halves), and they make the latter in a Bluetooth configuration. Amusingly, a wireless keyboard with a wire (between the two halves).

Comment Re:Well DUH! (Score 1)

It tells you exactly why in the article. It's the way people drive them.

Doubly-so when we're talking about the vehicles in question in the article. Small displacement cars in the EU are, almost entirely, manual transmission vehicles. This means that you can precisely shift at 1500 RPM on the dynamometer test (which doesn't have any hills, traffic, or risk of death if you stall out), crawl your way up to speed, and get excellent l/100km results. This would be completely suicidal on an Autobahn or Motorway.

Comment Re:Such practices REDUCE profit and kill companies (Score 1)

Thanks for posting a link (your CATO one) from 1984. It's rare to get that kind of historical perspective on a site dedicated to modern technology issues.

While you were sleeping, Rip Van Winkle, exclusive local franchise agreements (the crux of that paper) were made illegal by the Telecommunications Act of 1996.

Comment Re:I wonder when... (Score 1)

They'd discover the same thing phone companies did in the 1990s. Direct calling your customers for an upsell is a good way to create a cancellation.

They'll discover no such thing. In the telephone wars era, you could nearly frictionlessly change your long distance provider (if not your last-mile provider, at first). Most people can't change their cable provider, because that's the only possible provider of internet (above 2Mbps anyway), so they can call you all day and you can fume all day, but one thing you won't do is cancel.

Comment Netflix is really two companies (Score 1)

I agreed with the company split they tried to implement before.

For all the people who never or barely use the mail side, there are also tens of thousands of rural low-bandwidth customers. Virtually everyone I visit around my in-laws (rural South Dakota, only internet access is via cellular or satellite, either way capped at 3-5GB/month) gets red envelopes.

Comment Re:Good since OpenID failed to take over (Score 1)

The thing is, I'm already having to use a password manager to keep track of my valuable passwords, with, easily, a dozen banking-ish relationships (cards, mortgage, retirement, etc.) alone. That battle on complexity was lost long ago (ymmv).

Thus, if I've already resorted to a password manager for my valuable life, adding an entry to that vault for even the most trivial sites (and creating a random password) is easier than remembering a throwaway name/pass for even 30 seconds.

It's not that "you need a password manager to post to your local newspaper blog". You don't. It's that, if you're already using a password manager (and I can't imagine living without one now), using it for trivia is trivial.

Comment It's in what you do with it. (Score 3, Interesting)

Follow any one stack of learning, "the Ruby way" or "the Drupal way" or "the JSP way", and you can create wonderful small-scale things that, while they might get mocked by the tech-weenie chorus, serve their function and make people happy.

Every hip language/framework/DB/deployment tool/bundler/markup language/food processor is designed to make your day better. Virtually all of them actually do just that (okay, a few will piss you off, but most are not intentionally evil).

The problem is supporting a world with 65 different technologies. It is indeed superhuman to expect someone to be a Groovy/Perl/Node.js/SASS/Hadoop/Puppet/XSLT/AWS/PCI-DSS/Postgres-tweaking/network-routing/desktop-supporting "web guy". (My current job wants that and much more, and, sorry, they don't actually have it in me. I hate faking it. I fake it.)

And, yet, much of the suit-wearing world doesn't understand that, and willfully doesn't want to figure that out. In 1998, they hired "a web guy". If they got successful, they hired five "web guys". Or 20. Those business-people are still looking for "web guys". People who are extreme generalists in "the web" in 2014 are either savants or on the hardcore burnout track.
