Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Dept of DUH (Score 1) 31

by DigiShaman (#49150187) Attached to: Simple IT Security Tactics for Small Businesses (Video)

IT 101 for SMB (or any business)

1. Get a business class Next-Generation firewall.
2. Don't install JRE or Flash if you can at all avoid it; they're vector for web drive-by-download malware
3. Installed managed AV for all workstations.
4. Block outbound port 25 (SMTP) so as to not be black-listed and fart SPAM from an infected machine to others out in the world.
5. Block TOR at FW level. Unfortunately. it's how bot-nets communicate these days.
6. Limit share access by department and roles.
7. Educate users of cons online.

Comment: Re:Interesing... (Score 1) 382

by PopeRatzo (#49144105) Attached to: Lawmakers Seek Information On Funding For Climate Change Critics

then I'll care about what "prominent members of the U.S. House of Representatives and the Senate" think about climate change.

Take a look at what James Inhofe (R-OK) who is chairman of the fucking Senate Committee on the Environmentthinks of global warming. TRIGGER WARNING: IF STUPIDITY UPSETS YOU DO NOT CLICK.

http://www.slate.com/blogs/fut...

Comment: Re: meanwhile at Fort Meade (Score 1) 97

Unless you're just making shit up.

You're looking at the wrong account. Go to the NSA's "Public Affairs Office"

https://twitter.com/nsa_pao

https://twitter.com/NSA_PAO/st...

https://twitter.com/NSA_PAO/st...

https://twitter.com/NSA_PAO/st...

IIRC, the really silly ones go back to right around Thanskgiving.

Comment: Re: GPG is another TrueCrypt? (Score 1) 300

by Martin Blank (#49132959) Attached to: Moxie Marlinspike: GPG Has Run Its Course

No, those who want perfect solutions want the impossible. I want a framework that can be improved over time.

What's the goal? With maybe a handful of exceptions, everyone does something that can compromise their security. HTTPS relies on a trust architecture that we're being reminded recently (Superfish, PrivDog) is actually extremely fragile. And yet it's being encouraged to make the job of the average surveillance tool more difficult. It's very much letting The Other Guy(TM) (remember, three caps minimum on the TM'ed stuff) handle security. It has flaws, but it raises the bar.

That's what we need for end-to-end crypto. It can have flaws, but it needs to raise the bar, and be able to keep raising the bar.

As for understanding how it happens, how many people can describe how an RSA key is generated, much less how a proper PRNG produces a suitably random number and then how AES/Blowfish/whatever encrypts the data? Does the average person need to know that? Not really. And even if they did, they don't care, which is why they don't use it now.

Right now, we have options where you can let a CA provide you your TLS certificate (usually 2048-bit and SHA1). If you know what you're doing, you can roll your own with better security. We need something with that flexibility (though I recognize the flaws of that exact model) for end-to-end crypto, too. We need clients that auto-update, that add or deprecate algorithms as they arrive or are broken without the user having to worry about it, and that can provide safe (and revocable) storage for the keys so they survive a catastrophic loss or be deleted with near-absolute certainty if the user wishes. We need common libraries or protocols that can allow new or existing clients to safely implement connections to these services without having to build them from scratch, thereby preserving and encouraging competition.

These don't lead to a perfect system. They lead to a good enough system with room to grow and improve. But I would argue (as I think Moxie does) that what we have now is far from a perfect system because it's too difficult to use.

Comment: Re:Realistic (Score 1) 360

by PopeRatzo (#49129807) Attached to: The Groups Behind Making Distributed Solar Power Harder To Adopt

Regarding the incentives (tax credits and the like), again, once solar hits some critical mass, why would the government provide incentives? The incentives did their job, and got some number of people to adopt solar.

Maybe to level the playing field with the fossil fuel industry that has been enjoying those subsidies and incentives forever?

It's funny how certain people are all of a sudden saying, "You mean we're subsidizing energy? I'm shocked, I tell you, just shocked." It's even funnier when the Koch Brothers do it.

Comment: Re:GPG is another TrueCrypt? (Score 4, Interesting) 300

by Martin Blank (#49127783) Attached to: Moxie Marlinspike: GPG Has Run Its Course

Not remotely. He's encouraging good encryption, but calling for some updates (it hasn't significantly changed since the mid-'90s) and a better wrapper. GPG is still largely by geeks, for geeks. I couldn't get my parents to use GPG because they'd dismiss it as too hard, even if one of them is happy to stick it to the man. The suggested minimum settings vary based on where you look and when they were posted.

Example: An RSA key size of 2048 bits is largely considered secure, but NIST recommends 3072 bits for anything that one would want to keep secure into the 2030s. People still often see their e-mail as their private papers and may be concerned over who can read them well past the 2030s. But does that mean they use 3072, or go with the random crypto weblog guy who says to always go with 4096? And why can't I create 8192- or 16384-bit keys like that software claims to over there?

And what to hash to use? Plenty of sites still say MD5, but they were written years ago. Some have updated to SHA1, but others point out weaknesses there. OK, SHA2, then. But then there's SHA256, which must be better, right? (I know SHA256 is a subset of the SHA2 family, but those unfamiliar with crypto will not.)

Until GPG-style crypto becomes relatively automated, it won't be embraced by more than a handful of people. HTTPS is widely used because people don't have to think much about it. This has some downsides for poorly-configured servers and Superfish/Comodo-style backdoors, but browsers and other software help take up the slack by rejecting poor configurations. PGP/GPG were designed to reach near-perfect levels of encryption, but that bar is clearly too high for significant uptake. We should instead be looking for something that encourages end-to-end encryption that is good enough. We can build on if the underlying structure is properly designed, and as people get more accustomed to crypto in their lives, they'll be able to adjust to improvements.

When the majority of communications are relatively well-secured, it makes it far more difficult for a surveillance state to conduct its operations. Perfect security can still be a long-term goal, but we need more realistic goals to encourage uptake in the meantime.

Comment: Re:meanwhile at Fort Meade (Score 1) 97

a bunch of NSA geeks are high fiving each other and can't seem to stop hooting and hollering with awesomeness

You are absolutely correct, and they're doing it in public.

Anyone who has seen the NSA's twitter feed knows they love to joke about this stuff. The first time I saw it, I was sure it had to be a parody account, but in fact it was the actual NSA account. The Intercept did a whole story about the sec-bro culture at the NSA and how we've basically got a bunch of 8chan dickheads who have been given the keys to our lives.

Comment: Re:The Keystone Pipeline already exists (Score 1) 430

by PopeRatzo (#49122829) Attached to: Obama Vetoes Keystone XL Pipeline Bill

Nope - because oil is a world market. It will certainly reduce prices in the US by increasing the global oil supply.

Not one bit. It will not reduce the price of oil one bit.

You should know by now that "supply and demand" does not exist in regard to the oil market, because both sides of the equation are easily manipulated by energy producers.

Force needed to accelerate 2.2lbs of cookies = 1 Fig-newton to 1 meter per second

Working...