Comment: Will they ? (Score 1) 59

by DrYak (#48221193) Attached to: Tracking a Bitcoin Thief

So what? Since there's no central authority to block transactions or seize funds, they'll simply be passed around until any relation with the crime is meaningless, with almost everybody in the transaction chain blissfully unaware that somewhere they were stolen.

Will they pass them around? Enough to blur any relationship? In a secure way that never leaks any identity?
(Oops, one of the exchanges I sent money to managed to record my IP address. No matter how much I keep mixing downstream, parts of identity are leaked here.)

Remember that they have adversaries like governments who (as recently proven for the NSA, for example) have quite a few resources.
A single policeman might not be able to pull enough data and analysis.
But if the government suspects that some big danger is possible ("pedo-terrorist pirates!" threat, or more realistically: juicy corporate spying opportunities :-P ) and decides to throw resources at it, tracking might be achievable.

It's not impossible for the thief to manage to get out unidentified. But it requires being particularly smart.

Imagine if cash was that way, every time the grocery store tried to deposit money at the bank the bank would say "oh no, this and that bill came from a gas station robbery two years ago so we'll return it to the gas station and deduct it from your deposit."

Cash *does* function this way (a bit): bills have serial numbers. If the grocery store deposits a bill with a known serial number on it, police might show up the next day asking for the CCTV surveillance tapes, because that serial number happens to be a bill passed through the hands of a known drug kingpin/terrorist/pedophile ring leader/etc. Do it enough with enough of such incidents, and you might get a vague idea of the identity of the people you're looking for.
Unless the criminals have been absolutely perfect in their laundering and have managed to never leak any info (i.e.: by the time the known bills are flagged, they're in the hands of complete random strangers).

Google for "Ransom bill reappear" type of news reports.

Comment: Mass analysis (Score 1) 59

by DrYak (#48220901) Attached to: Tracking a Bitcoin Thief

1 single transaction tracked? Yes, you mostly get just 1 other bitcoin wallet.

Massively track thousands of such transactions? (That's beyond the capabilities of a small budget research team. But that's well within the capabilities of any decent government.) And correlate them with "end-point transactions" (transactions that can be traced to a real-world identity: buying something from an e-shop using bitcoins and ordering it delivered to an address)?
Then, if the tracked person isn't using an insanely high number of "tumblers/mixers" (i.e.: laundering) or moving it in and out of tons of exchanges (basically also a form of mixing), you might find some correlation:
aka "a significant number of these BTC have transited to these wallets all mapped to the same real-world address/person".
That is not enough to warrant an arrest, but that is enough to put these real-world persons with the shortest "path" to the tracked transaction on a suspects list for further investigation by classical police work.

(Sadly, governments often don't have such a concept of a "suspect list". Very often such unsure statistical results won't be used as a "hunch" but will get you put on the "no fly list" and such.)

That's why the bitcoin protocol is considered "pseudonymous" and not "anonymous".
That's also why we need to have:
- laws against data-collection abuses (because someone brilliant in the NSA/CIA/etc. will definitely try to jail people on this basis or at least put them on a "pedo watch list" without much thinking)
- better ways to do anonymous transactions (optional tumblers/mixers for BTC, or alternate protocols that include provision for anonymity)
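
The correlation described in the comment above, as an added example that is not part of the original comment: a breadth-first walk over a transfer graph ranks real-world identities by their shortest hop distance from the tracked wallet. The wallet names, transfers and identity labels are all constructed sample data, and the output is only a lead list for further investigation, exactly as the comment says.

```python
from collections import defaultdict, deque

# Constructed sample data: (sender wallet, receiver wallet) transfers.
TRANSFERS = [
    ("stolen", "w1"), ("w1", "w2"), ("w1", "w3"),
    ("w2", "shopA1"),                  # short path to an identified end point
    ("w3", "mix"), ("mix", "w4"), ("mix", "w5"),
    ("w4", "shopA2"), ("w5", "shopB1"),
    ("w9", "shopC1"),                  # unrelated activity
]

# Constructed "end-point" wallets that were tied to a real-world identity,
# e.g. by a delivery address on an e-shop order.
ENDPOINTS = {
    "shopA1": "person-A",
    "shopA2": "person-A",
    "shopB1": "person-B",
    "shopC1": "person-C",
}


def hop_distances(transfers, source):
    """Shortest number of transfers from `source` to every reachable wallet."""
    graph = defaultdict(list)
    for sender, receiver in transfers:
        graph[sender].append(receiver)
    dist = {source: 0}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        for nxt in graph[current]:
            if nxt not in dist:        # first visit is the shortest path in BFS
                dist[nxt] = dist[current] + 1
                queue.append(nxt)
    return dist


def rank_identities(transfers, endpoints, source):
    """Return (identity, shortest_hops, wallets_reached), closest first."""
    dist = hop_distances(transfers, source)
    hits = defaultdict(list)
    for wallet, identity in endpoints.items():
        if wallet in dist:
            hits[identity].append(dist[wallet])
    ranked = [(ident, min(d), len(d)) for ident, d in hits.items()]
    # Shortest path first, then the number of identified wallets reached.
    ranked.sort(key=lambda r: (r[1], -r[2], r[0]))
    return ranked


if __name__ == "__main__":
    for identity, hops, wallets in rank_identities(TRANSFERS, ENDPOINTS, "stolen"):
        print(f"{identity}: {hops} hops, {wallets} identified wallet(s) reached")
```

The identity reached only through the mixer still appears, but further down the list with a single wallet, which is the weaker statistical signal the comment warns about.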

Comment: Workforce vs. number served (Score 5, Insightful) 586

by DrYak (#48220641) Attached to: Automation Coming To Restaurants, But Not Because of Minimum Wage Hikes

Currently, the way it's implemented in European countries, McD doesn't use it to reduce workforce (you're still required to walk up to a clerk to retrieve your order).
McD uses it to accelerate its service and increase the "number served": by the time you finish typing your order and have confirmed, the order is already broadcast to the employees' screens. By the time you finish paying and walk to the queue, your order is already ready.
This drastically cuts the waiting time, and European McD's use it to cram in more customers served per minute.

In the long run such strategies won't necessarily reduce the workforce that much, but on the other hand, they will be used to propel "fast food" to a whole new definition of "fast".
On the other hand, that will probably be quite alienating for the workforce: no more breaks between customers, no more small talk while ordering. Work experience is going to be Charlie Chaplin's "Modern Times"-style: read the screen, pack the bag, hand over the bag, as fast as possible and repeat so the next customer doesn't need to wait.

Comment: Good / Bad Idea (Score 1) 283

by DrYak (#48211237) Attached to: Will the Google Car Turn Out To Be the Apple Newton of Automobiles?

That's an idea which could be useful in theory.
(e.g.: Cars with drivers will still be able to display warnings about red lights, speed limits, etc. based on the info broadcast by traffic signs)

But it has a few problems:

- The implementation will probably be botched. Expect the thing not being properly signed/authenticated, thus enabling malicious hackers to spoof information. (Similar to how hackers hijacked RDS-TMC and broadcast "bison crossing" in Germany a few years back on /. )

- Such a system lacks a fail-safe option. A human might notice that a traffic light is off and will fall back to other driving behaviours. A robot might not realise that there is no emitting signal. (The robot can't see a missing emitter unlike a human who can notice a broken traffic light even without any light colour coming off). In some cases it might be okay (missing traffic light: drivers are supposed to fall back to priority-yield, which is probably the default behaviour of a robot when arriving at a crossing without signs), but it might be problematic in other cases (a "danger ahead" sign with a broken emitter).

- Car insurance companies are going to abuse the shit out of this (cue in mandatory dongles that spy if you obey traffic signs. Of course driving dangerously and ignoring signs is bad. But violating privacy is bad too). At least European countries are a bit stricter regarding privacy.

Comment: The way bank do it (Score 3, Informative) 119

by DrYak (#48197153) Attached to: Google Adds USB Security Keys To 2-Factor Authentication Options

The way some banks do it is that the authentication asker (a 2F-protected service provider) sends a signed/encrypted message that the security token decodes/verifies/displays. That message can't be tampered with (cryptography).

So the token will display the message (something like "Authentication required to access GMail.com").
So if an attacker tries to intercept your credential by opening an actual Google page in the background, you'll notice that what the thing pretends to be on screen and what the dongle registers as an asker aren't the same.

The way to fool the user would be to try to look actually like the page you're trying to spoof. So an attacker needs to look like GMail, so the user thinks he's on Gmail, whereas actually it's a malware page masquerading as it and relaying security tokens from the real Gmail.

Now the way that banks counteract that is that any critical action (payment, etc.) needs to be confirmed again by the security token system. So the theoretical man-in-the-middle can't inject a payment of 10'000$ for his Cayman Islands account. Because every payment needs to be confirmed again. And the bank will issue a confirmation message regarding the transaction.
You'll notice if, when paying a phone bill, the confirmation message instead is 10'000$ for Cayman Islands.

Overall, it works as if the security token is its very own separate device, designed to work over a non-reliable, non-trusted channel.

(The device doesn't implement a full TCP/IP stack. Most example devices accept only:
- a string of characters as an input (i.e.: you need to type the last five digits of the account you need to send funds to. The bank will notice when you type the digits of your utility company, but the man-in-the-middle has tried to inject a Cayman Islands account from your browser).
- a 2D flashing barcode to automate string input.
- for the most crazy solution: writing a string to a file on a flash-disk, this flash-disk is shared with the security token's microcontroller.
Each time, the attack surface is very small. Only a short string of data is passed. You can't get many exploitable bugs.

For the output, only a string again:
- that you read and type from the token's screen.
- that the token can type on your behalf, communicating with a HID chip on the same device.
- the token can send it to a flash device that makes it visible inside a file.
Again, the security token itself is limited to sending just a string. Very small attack surface. All the funny "stuff" is implemented outside, and thus very low risk of remote exploitability)
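
The per-transaction confirmation described in the comment above, as an added example that is not part of the original comment and not any particular bank's protocol: the bank authenticates a short description of the pending payment, the token verifies and displays it, and the typed-back code is bound to that exact description. It assumes a symmetric key shared between bank and token and uses HMAC-SHA256; the key, service name, accounts and amounts are constructed.

```python
import hashlib
import hmac
import json

# Assumption: one symmetric key per token, provisioned at enrolment.
KEY = b"constructed-demo-key"


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def bank_challenge(key, service, action, amount, dest, nonce):
    """Bank side: describe the pending action and authenticate the description."""
    fields = {"service": service, "action": action, "amount": amount,
              "dest": dest, "nonce": nonce}
    payload = json.dumps(fields, sort_keys=True).encode()
    return {"payload": payload, "tag": mac(key, payload)}


def token_answer(key, challenge, intended):
    """Token side: verify the tag, display the message, answer only on approval.

    `intended` models the human comparing the token's screen with what they
    meant to do (amount and last five digits of the destination account).
    """
    if not hmac.compare_digest(mac(key, challenge["payload"]), challenge["tag"]):
        return {"status": "bad-tag", "display": None, "code": None}
    m = json.loads(challenge["payload"])
    display = f"{m['service']}: {m['action']} {m['amount']} to ...{m['dest'][-5:]}"
    approved = (m["amount"] == intended["amount"]
                and m["dest"][-5:] == intended["dest_last5"])
    if not approved:
        return {"status": "declined", "display": display, "code": None}
    # Short code the user types back; it is bound to this exact payload.
    code = mac(key, b"confirm|" + challenge["payload"])[:8]
    return {"status": "confirmed", "display": display, "code": code}


def bank_accepts(key, challenge, code):
    """Bank side: the code must match the challenge it issued for this payment."""
    if code is None:
        return False
    expected = mac(key, b"confirm|" + challenge["payload"])[:8]
    return hmac.compare_digest(expected, code)


def run_scenarios():
    # The user wants to pay a 120.00 bill to the account ending in 12345.
    intended = {"amount": "120.00", "dest_last5": "12345"}
    honest = bank_challenge(KEY, "examplebank.test", "pay", "120.00",
                            "UTILITY-0012345", "n1")
    # A compromised browser submitted a different payment to the bank, so the
    # bank's own confirmation message names the substituted payment.
    swapped = bank_challenge(KEY, "examplebank.test", "pay", "10000.00",
                             "OFFSHORE-0099999", "n2")
    # A message altered in transit keeps the old tag and no longer verifies.
    forged = {"payload": honest["payload"].replace(b"120.00", b"999.00"),
              "tag": honest["tag"]}
    ok = token_answer(KEY, honest, intended)
    return {
        "honest": (ok["status"], bank_accepts(KEY, honest, ok["code"])),
        "swapped": token_answer(KEY, swapped, intended)["status"],
        "swapped_display": token_answer(KEY, swapped, intended)["display"],
        "forged": token_answer(KEY, forged, intended)["status"],
        # A code issued for the honest payment does not confirm another one.
        "replayed_code": bank_accepts(KEY, swapped, ok["code"]),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```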

Comment: Again fixed pipe (Score 1) 54

by DrYak (#48196197) Attached to: Direct3D 9.0 Support On Track For Linux's Gallium3D Drivers

Again, there's a reason why Glide wrappers tend to target OpenGL 1/2 instead of 3/4.

Glide is fixed pipe.
Glide and the other APIs back then (DirectX 7, OpenGL 1/2, etc.) were about just painting plain triangles. Paint triangle with tips at vertex v1,v2,v3 using texture T1, optionally a second texture T2 as lightmap (and for the few architectures that did have it: using a third texture T3 as a bump map).
That's it.
For any pixel on the screen, the only thing the hardware is capable of is getting 2 or 3 textures (interpolating them and mipmapping them), and combining these 3 textures in a hardware-specific and fixed way.

Modern APIs (OpenGL 3/4, DirectX 9, and 10/11, Mantle) are all about programmable shaders. For any pixel on the screen, you run a small program (a kernel in mathematics) which can do pretty much anything you want. You can ask the hardware to draw pretty much anything you want. You could even ask the hardware to draw a Mandelbrot set (I've done that).
Your modern API relies on a back-end that exports the functionality of these general-purpose highly parallel processors that are GPUs (Gallium3D is exactly such a back-end. DirectX 11, Mantle, and OpenGL Next are APIs that promise to stay as close as possible to this low level) (and OpenCL is a way to make this available for other kinds of general purpose computing). On top of it, it has a high level API that still works in a highly customisable way: you write shaders that will combine several textures in the way the artist would need (including effects like occlusion mapping, translucent and sub-surface scattering, etc.) and the API converts these mid- high-level shaders and texture accesses, into lower level kernels and memory accesses to generate whatever is needed on the screen, no matter how complex the maths behind are. (Remember: a Mandelbrot set is perfectly doable, even if completely useless.)

That's also why a DirectX state tracker makes a bit of sense: DirectX is supposed to be a little bit less high-level on the abstraction scale than OpenGL. It's better to do DirectX-to-Gallium3D (would be like translating C into assembler as a regular compiler), rather than DirectX-to-OpenGL (would be like translating C into Python).

Glide on Gallium3D would mean rewriting a complete fixed pipeline. Expressing all the classical "texture and lightmap" combinations which back then were handled by hardware, and writing modern shaders that re-implement them. Well, guess what? Drawing polygons with a fixed pipeline is already what OpenGL 1/2 does inside Mesa on Gallium.
Instead of rewriting the same stuff twice and risking to introduce twice as many bugs, simply use a Glide2GL wrapper. Glide and OpenGL are very closely related anyway.

Comment: Glide = Fixed pipe (Score 1) 54

by DrYak (#48176051) Attached to: Direct3D 9.0 Support On Track For Linux's Gallium3D Drivers

It would be nice if support for Glide 2.1 and 3.0 be added also, there is a good chunk of oldies that would benefit and nowadays wine has dosbox built in, so even DOS games would be supported.

Very unlikely in my opinion:
Voodoo cards (and their Glide API) are fixed pipeline.
Whereas, from the ground up, Gallium3D was organised around the modern features found in a programmable-shader card.
There's a lot of difference between how these work.

On the other hand, Glide was designed with the simplest subset of OpenGL implementable in hardware in mind. That's why it's easy to write miniGL or OpenGL implementations on top of it (and the reverse also: it's not impossible to write Glide-to-OpenGL wrappers).
Meaning that, in theory, it could be possible to build a Glide state tracker out of the building blocks that Gallium3D back-ends expose to the Mesa OpenGL tracker.

Comment: Small percentage (Score 4, Informative) 54

by DrYak (#48176023) Attached to: Direct3D 9.0 Support On Track For Linux's Gallium3D Drivers

This support in mesa will allow these games to be ported more easily, rather than forcing a rewrite in a major portion of any game engine, the display layer.

This won't help much for porting. It only works for drivers that work on Gallium3D. Thus, it only works on Radeon and Nouveau (and the alternative Gallium3D powered ILO. The official Intel runs on classic Mesa).
So only a very few end users will be affected. It's not worth counting on Gallium Nine for the port, as you're missing the big part of users who instead run the proprietary and/or official drivers (especially since Nvidia's blob has way much better hardware support than the reverse engineered Nouveau - due to lack of documentation).

On the other hand, Gallium3D gives a nice and faster route for Wine, so a few select users can get straight Direct3D support instead of going through a translation layer. So it's a relative benefit for Wine itself.

The developer can even choose to go the wine route, and simply provide a wrapper for their product, such as Star Trek Online uses with their Mac port.

That has technically been possible before the Gallium Nine driver, anyway. The presence or absence of this driver doesn't change the feasibility of such ports. It only makes them faster for a few select users by removing translation layers.

This may be hugely important for the Steam Box initiative.

Well, depends. I doubt that, when it comes out, it will rely on opensource drivers. At least not for Nvidia hardware: the difference of stability and hardware support isn't worth the effort.

On the other hand, if AMD get their shit together in time, and release the hybrid closed/source driver as promised (i.e.: you run the opensource kernel driver "amdgpu". Then, as an OpenGL implementation, you're free to use either the opensource Mesa Gallium3D driver or the Catalyst driver which will only be a GL+CL library running on top of the exact same opensource base), you might see the possibility of AMD Steamboxes that let the user switch between the two GL implementations on the go. That could mean using opensource GL/CL for the interface and for a few select games that need DirectX, and switching to Catalyst GL/CL for games that need GL 4.x, with Steam maintaining a database of which version runs better for which game and handling the switching without need of user intervention.

Overall, Direct3D is a much simpler and lower level API (at some point of time it was considered to be a back-end to be targeted by OpenGL drivers) so it would be supported faster than OpenGL and would give definitely a performance boost.

Also, especially if AMD releases Mantle for Linux (or if it becomes "OpenGL Next"), that might attract the interest of some multi-platform developers: such AMD powered Steamboxes would be closer to the hardware found in other consoles (AMD APU or GPU in all other consoles of this generation) and might help PC ports (at least on AMD it might get optimised a bit thanks to re-using the work done on consoles).

Comment: Systemd uses (Score 3, Insightful) 303

by DrYak (#48103359) Attached to: What's Been the Best Linux Distro of 2014?

A few random examples where systemd helps:

- If you look at it, probably 99% of all services on Linux are just about starting an executable, with a few parameters.
-- with systemd, you do exactly that: write a service file that gives the name of the executable to run. And that's it. Done. Much easier to maintain.
-- with sysvinit, each distro has its own local variant of boiler code that needs to be copy-pasted around, and each service needs a whole script in /etc/init.d.
Whole script with duplicated lines vs simple text file.

- Becoming a daemon requires some work.
-- either the developer must do a whole dance inside the code (double fork, sanitizing environment like closing descriptors, etc.)
-- or you need to take care of it from the outside (startproc, etc.)
systemd (like daemontools and several other such "successors of sysvinit") can automatically take care of that. Just run the software in immediate mode, systemd takes care of the daemonisation/sanitization. In fact you can easily run things like scripts as a service.
So you want to have a daemon that is basically just a gawk one-liner? Feel free.

- Automatic handling of modern kernel features. Cgroups, brokering capabilities, etc. Classical sysvinit has no concept of these (of course, they didn't exist back then).
-- You would need either more kludge in your init.d scripts
-- or use a modern system that can take care of that. systemd is one of them.

- Very light-weight container creation: other parts of systemd take care of state-less systems (basically you only need /usr for a system to work, /etc and /var can be automatically rebuilt with default settings from /usr if they are empty), various daemons under the systemd project can take care of the basic initialisation step (you don't need a full fledged dhcp server and client/pair compatible with every possible corner situation and supporting every option under the sun when all you need is just quickly hand out an IP to a LXC container - similarly to how one would use dnsmasq, systemd has its own micro dhcp implementation).
That makes it possible to use LXC-style containers (and thus a much higher level of isolation) for anything that you don't trust and would like to run in its own container.
You don't trust Skype, especially since Microsoft did take it over? An LXC container combined with SELinux and AppArmor (which LXC supports) would be a way to isolate it. Systemd (not the pid1 daemon, the whole project) is a project that can help generate such containers on the fly without any administrative intervention nor any configuration required.

You might not need these. And you're free to stick to old sysvinit if you want. Or at least move to a more modern spiritual successor of this (openrc).
(Gentoo gives you a choice of system. Or you could gather people and start "Rubuntu, an openRC spin of Ubuntu")

Or you might want these features. And systemd is then a nice single stop for all this plus more. (Though you could find similar daemons giving similar functions spread over 20 different projects).

It's a bit like the situation with TeX (nice single stop to get a ton of filters for text processing and typesetting), Ghostscript (printing), Pnmtools or ImageMagick (single suite of tightly integrated image filters/processing), etc.
Systemd is a similar suite containing all the necessary building blocks for taking care of system initialisation/process starting, etc.

Systemd has tons of useful functionality, and thus lots of distributions decided to pick that one up as an openrc successor.
(Including distributions not depending on gnome)

Comment: Then don't (Score 2) 303

by DrYak (#48102919) Attached to: What's Been the Best Linux Distro of 2014?

Systemd gives me nothing I need. So tell me again why I need it or should want it.

Then don't. Stick instead to whatever pleases you. It's not a problem per se.

But accept that lots of other people DO find systemd useful enough to be worth the switching.
Including distros that aren't entirely organised around Gnome.

If you don't like this situation, either move to a distro like Gentoo where that is still an option.
Or gather enough people and create your own spin of Fedora/Debian/Ubuntu (whichever is your preferred starting point) but organised around your preferred init system (with blackjack! and hookers!)

The problem is that, instead of doing this, most of the time, you only hear trolls spouting "Systemd is cancer!" and not doing much.

Comment: systemd (Score 2) 303

by DrYak (#48102849) Attached to: What's Been the Best Linux Distro of 2014?

It's being touted as The One True Way.

Huh... no. It's just reported that it's a useful piece of code which actually solves lots of problems.
It's being adopted in lots of places because of this, even in distros that don't necessarily depend on Gnome.

Nobody is trying to force you to use it. You're free to use something else.
You'll just be missing out on tons of features which are really useful and come for free with systemd.

But if you don't want it. Fine. Keep using your kludged together scripts. Or move to something else (openrc, the spiritual successor of sysvinit done in a modern way. Or anything else).

Simply accept the fact that systemd is useful enough that tons of distros are picking it up.

The problem is that, instead of just doing that (use something else), each time something is announced about the systemd project (not even necessarily the systemd daemon running as pid 1) there are tons of trolls coming and screaming "systemd cancer!" and not doing much.
Whereas the correct reaction would be just "meh.." and keep on using whatever they like. And perhaps, if they are unhappy that most of the distros are moving toward systemd, they should start a new spin of Debian/Fedora/Ubuntu based on some other alternative init system.

But no, all you hear is only whining and very little actual work (like systembsd or uselessd, or adapting launchd so it can serve as systemd replacement, etc)

Comment: Numbers (Score 2) 103

by DrYak (#48101149) Attached to: The Malware of the Future May Come Bearing Real Gifts

Some citations:
Transmission rates based on infected partner's progression stage
Risk based on type of sexual act

It is difficult to get HIV from a woman. Not impossible, but the odds are very low.

Well, not that low, only half the odds, according to study 2.

Now getting HIV from taking it on the butt, it is much more dangerous

Yup. 0.08/0.04 (vaginal) vs 1.4 (anal receptive). About 20x more odds.

And then black women have a much higher rate of HIV.

Technically, it's "women in poorer communities". It happens that in the US black ethnic are often at the bottom of the social scale due to past racial discrimination, etc. but even there they are not alone at the bottom of the scale.

On all these counts, Magic Johnson is not exactly the best example.

He might happen to also be ethnically black, but given his economic situation and popularity, I doubt that he spends his time banging crack-whores. So the fact that HIV is more prevalent among the poorest section of the population has probably rather little impact.
Also, from what I know, he was only interested in women, who lack the proper biological appendage to be a risk for insertive anal (though not properly cleaned sex-toys might still be a potential danger).

The main reasons he caught AIDS are probably a high number of partners combined with lack of proper protection.

In fact Magic Johnson helped bring awareness that HIV isn't exclusively targeting drug-addicts and homosexuals.

To transpose that to malware:
The fact that malware is more often found at warez sites ridden with keygens containing hidden malware, and dubious porn sites running ads used by hackers to corrupt your system, DOES NOT MEAN that these are the only ways a random internet user might get the computer infected by malware.
On the other hand, proper precautions will ALWAYS be a good solution to protect and diminish the risks (virus scanner, filters, malware blocker, ad-blocker, VMs, etc.).

Comment: And crypto (Score 1) 179

by DrYak (#48101033) Attached to: Eric Schmidt: Anxiety Over US Spying Will "Break the Internet"

From decentralizing and conception to storing data where the US (and others) cannot legally reach it etc.

That, and decent crypto and other such security means.
(OTR for chat, GPG for e-mail, TOR for traffic, etc.)
(code reviews, the whole openssl/libressl/boringssl story, truecrypt/ciphershed, etc.)

Comment: Already happening (Score 2) 179

by DrYak (#48101025) Attached to: Eric Schmidt: Anxiety Over US Spying Will "Break the Internet"

Actually some of it already started happening before the NSA was busted:

For the SWIFT payment processing, the financial information of European users is mirrored on two NON-US nodes for very obvious reasons (IRS, etc.).
Only US users might have one of the two mirrors of their data on US soil.