
Comment: No monoculture (Score 1) 526

by DrYak (#46765895) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

OpenSSL has no competition at its core competency, so the team really has no motivation to deliver an iteratively better product, apart from their need to scratch an itch. FLOSS software projects tend not to operate in a competitive environment, where multiple OSS products are useful for the same thing and vie for placement. This is probably bad.

I definitely don't agree.
Take any rant against FLOSS, and the first thing you'll hear is complaints about "too many choices to pick from".
Sorry, but you can both complain that there's too much choice (hard on the user) and at the same time not enough choice (hard on security).

In the case of encryption, OpenSSL is far from the only library available. It IS indeed very popular, but it's not the only one used.

GnuTLS is another popular library, which wasn't affected by Heartbleed (not by this specific bug, at least. It's not without problems, but still).

Mozilla's NSS seems popular with browsers (Firefox and Chrome use it, probably others too - and not only browsers: Pidgin uses it too). Again a different library, popular too.

And that's just the major libraries. Then there are tons of others to choose from.

Some are written in higher-level languages (Botan is in C++) and some (I hope, I haven't tested them all) probably use some facilities to abstract away a few pitfalls like buffer lengths.

Comment: Reaction (Score 1) 179

I would also say that everyone has limits. Backing individuals into impossible situations passive aggressively is something that modern society has become very good at.

...and then, there's the different ways that an individual will react and cope once the limits are broken.

To take the current subject: Video games.

Some will react violently to frustration, and angrily throw their controller across the room.
Others will simply go "meh", consider the "unwinnable game" uninteresting and move on to something else without even minding.

Same could apply to lots of other situations in life.
Some people will just go mad. Others will just choose to ignore it and move on to something else.

Comment: Or... use better tools (Score 1) 444

by DrYak (#46752409) Attached to: Heartbleed Coder: Bug In OpenSSL Was an Honest Mistake

The process of dissolving a big problem into low-level steps as is required by C programming is mentally brutal. You can't just go "I want to save the text that was deleted and restore it when they hit the undo key." You have to translate that into variables, pointers, structs, mallocs, and glue logic.

Or you could use some tools which abstract away these problems.
- you could use a high-level language where some of these problems don't exist (e.g.: no pointers, and automatic garbage collection).
- or you could stay within the C/C++ world and write wrappers that take care to check everything (for example, almost any modern toolkit [Qt, Boost, or even C++'s default std library] will define types that are bounds-checked automatically [QByteArray or std::string] and smart pointers).
- some of these could even be implemented in plain C.
(But a full implementation might require some macro ugliness. GTK+ level of ugliness.)

Done correctly, such tools can automate the handling of corner cases that can break the system.

But instead some programmers still decide to use C as a simpler syntax for assembler and do everything bare-metal.

In the case of OpenSSL, I'm a bit surprised. It has so many helper functions, but nobody has bothered yet to implement buffers with buffer-size checking safety.
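An added example (mine, not code from this comment, from OpenSSL or from any toolkit named above) of the plain-C option: a buffer type that carries its own length, fed a constructed heartbeat-style record whose declared payload length does not match the bytes actually received. The record layout, function names and sample bytes are made up for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A read-only view over a byte buffer whose length travels with the
 * pointer, so every accessor can verify a request before touching memory.
 * Plain C, no macros: the "wrapper that checks everything" idea from the
 * comment above, reduced to its essentials. */
typedef struct {
    const uint8_t *data;
    size_t len;
} cbuf;

static cbuf cbuf_wrap(const uint8_t *data, size_t len) {
    cbuf b = { data, len };
    return b;
}

/* Read a big-endian 16-bit field at 'off'. Returns false instead of
 * reading past the end of the buffer. */
static bool cbuf_get_u16(cbuf b, size_t off, uint16_t *out) {
    if (off > b.len || b.len - off < 2) return false;
    *out = (uint16_t)(((uint16_t)b.data[off] << 8) | b.data[off + 1]);
    return true;
}

/* Copy 'n' bytes starting at 'off' into dst. Refuses to over-read the
 * source (the Heartbleed failure mode) or to overflow the destination. */
static bool cbuf_copy(cbuf b, size_t off, size_t n, uint8_t *dst, size_t dst_cap) {
    if (off > b.len || b.len - off < n) return false;
    if (n > dst_cap) return false;
    memcpy(dst, b.data + off, n);
    return true;
}

/* Echo the payload of a constructed heartbeat-style record:
 *   byte 0     : type
 *   bytes 1..2 : declared payload length (big-endian)
 *   bytes 3..  : payload
 * Returns the number of bytes echoed, or -1 when the record is malformed,
 * including a declared length larger than what was actually received. */
static int echo_payload(const uint8_t *record, size_t record_len,
                        uint8_t *reply, size_t reply_cap) {
    cbuf b = cbuf_wrap(record, record_len);
    uint16_t declared;
    if (!cbuf_get_u16(b, 1, &declared)) return -1;
    if (!cbuf_copy(b, 3, declared, reply, reply_cap)) return -1;
    return (int)declared;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t k_honest[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t k_lying[]  = { 0x01, 0xFF, 0xFF, 'a', 'b', 'c' };

static int demo_honest(void) { uint8_t out[16]; return echo_payload(k_honest, sizeof k_honest, out, sizeof out); }
static int demo_lying(void)  { uint8_t out[16]; return echo_payload(k_lying, sizeof k_lying, out, sizeof out); }

int main(void) {
    printf("honest record: %d bytes echoed\n", demo_honest()); /* 3 */
    printf("lying record: %d (rejected)\n", demo_lying());     /* -1 */
    return 0;
}
```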

Comment: Niche case hardware (Score 1) 641

by DrYak (#46700871) Attached to: Meet the Diehards Who Refuse To Move On From Windows XP

I might surprise you, but such legacy hardware is so common that there are hardware manufacturers specialising in making motherboards for such niche cases.

You can even find motherboards that can use modern processors (Intel Core 2 and/or more recent) but still have ISA slots.

You can even manage to install MS-DOS or old Win9x on them.

So you can be sure that, 10 years from now, you'll still be able to buy brand-new hardware able to run WinXP so you can still use your legacy hardware. It will be expensive, and will come from some specialist brands, but it will still be possible.

(As an anecdote, we had to install Win98 on an ISA-slot-sporting modern motherboard because of a piece of lab measuring equipment - a calorimeter - that relied on a pair of ISA DAC cards with MS-DOS TSR drivers. The original computer got fried, but given the extreme price of the equipment, it was cheaper to build such a new custom computer than to buy newer equipment.)

Comment: Yes and no (Score 1) 75

by DrYak (#46629445) Attached to: DVRs Used To Attack Synology Disk Stations and Mine Bitcoin

Is there a mechanism built into the bitcoin structure that allows for this and voids the coins?

Is there a mechanism built into hard cash that allows silver coins/bank bills to be remotely voided? No.
And basically any cryptocurrency works the same. There's by definition NO SINGLE ENTITY in control of the bitcoin protocol (that's the whole point of it).
So nobody could remotely void any coin. (But at least that means that legally earned crypto-money won't suddenly vanish either... no fraudulent chargebacks on the bitcoin network.)

On the other hand, cryptocurrencies aren't anonymous. At all. In fact they are (again by definition) the exact opposite: every single transaction is broadcast to the whole network. That really helps the security (since every single node on the network can check and verify all transactions) without the need for a central authority (see previous point). But that also means that anyone can follow transactions and follow money jumping from one public key to another.

As the blackhats probably aren't mining actual bitcoins, but some minor alt-coin which is much more mineable on CPUs, at some point they'll need to exchange it for something more easily spendable. So they need to send them to one of the (few) exchanges accepting less known coins (probably Cryptsy).
Law enforcement could collaborate with exchanges and try to catch transactions whose coins can all be traced back to the initial mining by this botnet.
Then it's a matter of matching transactions with profiles registered at the exchange or further following the money trail.

Comment: Probably *NOT* bitcoins (Score 1) 75

by DrYak (#46629369) Attached to: DVRs Used To Attack Synology Disk Stations and Mine Bitcoin

As I've mentioned above, it's probably NOT bitcoins being mined.
The last few articles on /. mentioning mining malware all said "bitcoin mining" when careful reading showed that in fact the malware didn't mine bitcoins but another cryptocurrency better suited for CPUs (one of the latest I remember was PTShares).
Reporters just say "bitcoin mining" because that's the only thing they know and they vaguely remember that creating bitcoins was something CPU intensive.

If the black-hats are smart enough to think up this contrived way to infect the Synology (infect first the "always on the internet" DVR and only then, once you're on the other side of the firewall, start scanning the home intranet for NAS hidden behind the firewall), perhaps they are also able to pick a CPU-worthy (i.e.: not SHA-256^2 based) cryptocurrency coin.

Even free-as-in-stolen, you're telling me that the best use somebody can think of for a botnet of network attached storage devices is generating maybe as many hashes as one of those cheapo USB-stick ASICs, rather than, say, basking in juicy private data and massive stolen storage space?

While you're at it, it's best to take as much opportunity as possible.
- you can "safely" mine on a NAS, because the clueless user won't notice heavily degraded performance (unlike on their desktop).
- you can pick a coin which won't be beaten by cheapo USB ASICs: math-based coins (like PrimeCoin, RieCoin, etc.) are still mined on CPUs. SHA3-based coins (CopperLark, QuarkCoin, etc.) don't have an efficient GPU implementation yet. scrypt-based coins are so memory-intensive that the jump between hardware generations doesn't yield such a strong difference in hash rate: even if the current mining is mostly done on GPUs and some early experimental FPGAs, high-end server CPUs can still have a go at Litecoin. (So even if the ARM inside a NAS isn't that powerful, a whole botnet mining Litecoin could still earn some money back.)

And last but not least:
- the fact that the worm downloads a payload for mining bitcoins doesn't prevent the worm from also downloading a payload for scanning for credit card numbers, SSNs, naked photos, etc.
So don't despair, the massive stolen storage space will also be juiced for all it's worth.

The coin-mining at least is low bandwidth, and it's possible for the blackhats to check if their plan is working just by looking at the income on the cryptocurrency address used for mining. Scanning the stolen storage space would be much more bandwidth intensive (the victim would notice that "their internet has become slow").

On the other hand, getting that money out of the botnet and into the black-hats' pockets is going to be tough:
cryptocurrencies aren't anonymous. In fact they work based on the exact opposite: every single transaction is broadcast to the whole network. While this provides good security against counterfeiting without needing a central authority (the whole point of the bitcoin protocol), that also means that anyone can follow the transactions following this mining.
If the hackers indeed used a rare CPU-based coin, that means that they can't do much except exchange it on one of the few major exchanges which accept even very minor coins (like Cryptsy). That means it's rather easy for law enforcement to collaborate with Cryptsy to try and catch any transaction with coins coming from this mining; then it's just a question of matching this transaction with user profiles and/or following the money trail further.

Comment: "Bitcoin": Error in reporting? (Score 3, Informative) 75

by DrYak (#46629167) Attached to: DVRs Used To Attack Synology Disk Stations and Mine Bitcoin

That might also be an error in reporting: TFA's author might have written "bitcoin mining" (for lack of understanding of the whole alt-coin ecosystem) when it would be best described as "cryptocurrency miner".
The last few articles on /. mentioning mining malware all said "bitcoin mining" when careful reading showed that in fact the malware didn't mine bitcoins but another cryptocurrency better suited for CPUs (one of the latest I remember was PTShares).
Reporters just say "bitcoin mining" because that's the only thing they know and they vaguely remember that creating bitcoins was something CPU intensive.

The black-hats creating sophisticated malware (a worm infecting vulnerable connected DVRs, so they in turn can attack Synology NAS and launch mining software) probably aren't stupid enough to mine bitcoin; they probably know better, and the miner is for whatever is the current most CPU-worthy (i.e.: non SHA-256^2 based) cryptocurrency coin.

Comment: ASCII (Score 1) 110

by DrYak (#46605797) Attached to: Fake PGP Keys For Crypto Developers Found

transparent updating is another issue. You grant a program the right to install arbitrary binary code.

Huh... no.
Certificate update is *certainly not* binary code installation.

First of all, it's not binary, it's a collection of text files (containing base64 data, so not even full ASCII).
And most importantly, certificates are not executable code. They are just static data.

They can be safely transparently updated without being a remote access risk.

Comment: x.509 *iz* b0rked!! (Score 1) 110

by DrYak (#46605771) Attached to: Fake PGP Keys For Crypto Developers Found

Firstly, we have no evidence of any CA being compromised by intelligence agencies despite the obvious appeal to them of doing so. This is remarkable. Despite the huge number of Snowden documents so far none of them have even hinted at compromise of the CA infrastructure.

x509 has already been b0rked numerous times. Just look at the slashdot archives: there are a number of cases where:
- stolen keys were used to sign malware
- a "legit" certificate was obtained from a CA for nefarious purposes.
(by "legit" I mean that it's a valid certificate signed by an official Certificate Authority. It's 100% legit, even though the identity signed there is completely wrong. Like a malware company getting a certificate issued for "Microsoft" by some obscure CA which isn't the one Microsoft is using, and which is ready to sign a certificate with "microsoft" written on it, even if the guy requesting the certificate is you and not Bill Gates.)

That has happened so often that:
- Some CAs were plainly blacklisted. I don't mean that a few such bogus certificates were revoked. No, I mean that some vendors (Linux distributions, open source software, etc.) have decided to say "fuck you" to the root certificate of such sloppy CAs that can't be trusted with the keys they sign.
- There are several Firefox extensions (like "Certificate Patrol") which specifically track which CA has signed the site you are visiting: if it suddenly isn't signed by "Geotrust" but by "TurkTrust", it might be that you are in fact being "Man-in-the-Middle"'d by a crook who has managed to get a certificate for "Google" signed by "TurkTrust".

I'm not speaking about "Hypothetical Attack Vectors" which are currently debated by the academics and which could be used to create problems.
I'm speaking about actual occurrences, documented in the press and reported here.
Several actual cases.

If any random crook can do it, chances are that CIA, FSB/KGB/TchK, MSS or any other government can pull the same trick.

The fact that none of the Snowden files mention it (and I doubt it, I'm sure I've read about this somewhere) has probably more to do with random chance (not worth mentioning in any of those particular documents, or the cases mentioned happen not to use a bogus certificate) than with officials not being able to do it.

Comment: Magical: Gift cards, bitcoins (Score 1) 321

by DrYak (#46472203) Attached to: Google Sued Over Children's In-App Android Purchases

Are you saying this wouldn't have occurred if only app purchases could be done by magically sending cash over the intertubes?

I agree with BarefootMonkey:
- with actual money (and all its electronic imitations, like gift cards, bitcoin, etc.), the control can't be delegated to someone else. Either you have the token, and you decide to spend it. Or you give the token to someone else, and that someone has 100% control over whatever happens to that token (spend it, keep it for later, etc.), but can't do anything about the other tokens still in your pockets.
- with credit cards (and all electronic equivalents, like TFA's Google Wallet), you give credentials to someone else (kid, Google, app, whatever), and that someone suddenly has full power to take AS MUCH money as possible up to the blocking limit of the credit card. You give a kid the card so the kid can buy a 1.99$ app, but then with the same card, the kid can also buy 200$ worth of in-game bonuses.

So indeed, with a cash-equivalent (like a gift card), this situation wouldn't have happened.

Possible ways would be:

* Purchase limit. Currently only a timer keeps the user logged in (30 seconds). Google could easily implement a "spend" limit (after 20$, the CC owner needs to log in again, no matter if we're only 2 sec. into the 30 sec. timer).

* Gift card. Parents buy an electronic coupon for 20$ for their kid and let the kid have fun. Once the kid has used up the coupon, well sorry kiddo, you used all your money. (This actually helps the kid realise better how things work with cash flow. The kid can notice that there is a limited amount, and that it runs out.)

* Cryptocurrencies. I'm not kidding. Bitcoin and co were actually developed exactly for that, exactly to introduce cash-like behaviour. Except for security compromises, bitcoins can't vanish out of your wallet software without your intervention (just like cash can't jump out of your pocket unless a thief is involved).
If you transmit bitcoins to someone else, that someone has full power over them (as noticed by some suckers who left all their coins in exchanges or other on-line wallets that vanished afterward), but can't do anything about those still inside your software wallet.
The only differences from gift cards are:
- gift cards are generally controlled by a single entity which decides over them and handles them, and usually (but not always) they map to actual currency (in some shops, you get a gift card for 20$. But in other shops you get a card for 2000 points, that you paid 20$ for, but perhaps later you'll end up acquiring 25$ worth of goods).
- bitcoins (BTC, the coins) are used on the bitcoin protocol, which is distributed. Nobody centrally controls it, anyone is free to jump in and join the party, as long as they follow the protocol (sadly, the lack of regulation means that any crook could do it too, hence all the bitcoin-powered scams). And the value of BTC is on a roller coaster (meaning that, although it works very well as a means to "magically send cash over the intertubes", it does a poor job at storing value over time).

Comment: 20TB: history shouldn't be big (Score 1) 983

by DrYak (#46466355) Attached to: How Do You Backup 20TB of Data?

And unless the question's asker is working in the video editing industry, chances are that not much of these 20 TB changes on a regular basis.

It should be possible to build a 24 TB or 28 TB RAID-6(*) backup server that could still hold quite a few daily/weekly/monthly/yearly backups, provided a space-efficient snapshot rotation system. (Not actually keeping separate copies, but either using a file system's copy-on-write snapshots like BTRFS's or whatever the ZFS equivalent is, or using the old classic rsync+hardlinks.)

The only thing that you don't solve is disaster resilience (you'll need an offsite replicate for *that*).

(*) At this size, hardware failures are going to be a certainty. RAID-6 (or ZFS's RAID-Z2) is the best solution against bitrot and for resilience against dead drives.

Comment: Build a second one (Score 1) 983

by DrYak (#46466241) Attached to: How Do You Backup 20TB of Data?

You're better off building a second server.
Then use one server as the live server (the one which is accessed from the network for work)
and the other as a backup server.
- doing rsync and directory rotation [either ZFS/BTRFS/etc. snapshotting, or plain old rsync+hardlinks and directories] should work, especially since (unless you work in the video editing business) chances are that not a big chunk of the 18 TB changes a lot. So you could invest in 24 TB of RAID-6 or RAID-Z2 and afford to keep a few daily/a few weekly/a couple of monthly+yearly snapshots.

Comment: Different prior art: finger counting (Score 3, Informative) 63

by DrYak (#46424819) Attached to: Samsung Galaxy Glass Patent Plans To Turn Fingers Into a Keyboard

Two things mentioned by others:
- The device is NOT projecting a virtual keyboard with a laser that you can tap with your fingers.
Instead, it lets you use *YOUR* fingers as a keyboard and you tap them with your thumbs.
- "Projection" is a poor choice of word. What the device does is superpose a visual aid on the glasses' HUD to help with the tapping. But you're basically tapping your thumb against your fingers (the glasses just put some labels up as augmented reality to help you).

So you see that this patent has absolutely nothing to do with virtual keyboards.

Instead, it's got much older prior art:
This way of data input is *VERY* closely related to ancient forms of finger counting in base 12 (probably used historically in most cultures which count in "dozens") where you count phalanges with your thumb.

According to Wikipedia, apparently this method is still used in Asia, so no surprise that a Korean company is trying to turn it into a data input method.

Comment: *which* market (Score 1) 742

by DrYak (#46404807) Attached to: "Microsoft Killed My Pappy"

Market share? Linux enjoys half the market share of Microsoft Vista...

Half of *what*?
Which *market* are you talking about?

If you define the market as "we will only consider high-end gaming machines", yes indeed, that is almost twice the number of gaming machines reported by Steam (Linux is in the 1-point-something range).

If you define the market as "the fraction among all operating systems, no matter what", you'll see an overwhelming amount of open source Unixes (Linux or *BSD).

In the average household, you'll probably see 2 or 3 machines running Windows (laptop and workstation), but next to them there will be a plethora of hardware running an open source OS:
- including things like the modem / wireless router
- non-Apple smartphones
- PlayStation 4 (some *BSD derivative)
- SOHO NAS servers, home media players, etc.

Linux will also very likely be the OS running on the web server hosting the pages you're browsing.

Linux will also be found in your University's cluster.


Comment: Rational (Score 2) 240

by DrYak (#46386617) Attached to: MtGox Sets Up Call Center For Worried Bitcoiners

they wouldn't be touching Bitcoins.

Or at least, they won't be risking more money than they can afford to lose.
I mean bitcoin is a fun new technology to start experimenting with. And so it might be interesting for some to risk a bit in order to play with it.

But just don't act like those idiots ready to throw tons of money everywhere just on the vague promise that this one scam could help them make bazillions-USD-worth of BTCs.
