Forgot your password?
typodupeerror

Comment: They didn't! (Score 2) 135

by GrievousMistake (#45728485) Attached to: Academics Should Not Remain Silent On Government Hacking

What a non-story. The flaws in Dual EC DRBG were widely published shortly after release.

The backdoor was first published by Dan Shumow and Niels Ferguson in August 2007.

Bruce Schneier wrote the same year:

My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.

This was common knowledge if you had more than a passing interest in cryptography. I think TFA is mistaken when it says that it didn't get enough attention. The reason academics didn't take it more seriously is that it was seen as so obvious, it was mostly harmless shenanigans.

You would only use it in a serious cryptographic product if you were an incompetent crackhead, or if the NSA had stuffed your ass full of money.

Incidentally, RSA, the large security firm, shipped it in a serious cryptographic product for years and years.

Comment: Re:End of certificates, please? (Score 1) 80

by GrievousMistake (#45696685) Attached to: IETF To Change TLS Implementation In Applications

The trouble with Convergence; I think, is the reliance on online notaries; which become highly-centralized single points of failure.

They don't, really. The great thing about notaries as opposed to CAs is that you can use as many of them as you want, and the client decides how to handle discrepancies and outages. So a browser could ship preconfigured with 8 independent notaries, and alert the user if more than four of them were down, or if any single one of them disagreed with the rest.

In the same way, CAs can still act as authoritative notaries for domains they have signed. But now if they misbehave they can be instantly delisted, and users will fall back on the standard Convergence protection.

+ - UK spies continue "quantum insert" attack via LinkedIn, Slashdot pages->

Submitted by Anonymous Coward
An anonymous reader writes "In the academic literature, these are called "man-in-the-middle" attacks and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack."

Link to Original Source

Comment: Re:Tired of bashing Bitcoin, yet? (Score 0) 285

by GrievousMistake (#45360057) Attached to: Security Breach Forces Bitcoin Bank Inputs.io To Halt Operations

I disagree. The "proof of work" busywork is wasteful and makes it hard to prove any real security. The Bitcoin protocol scales poorly and consumes disproportionate resources.

I am sure it is possible to do both the ledger and the currency distribution more elegantly than Bitcoin does.

For instance, a IOU system like Ripple could facilitate a Hawala-like transaction network without the meaningless weapons race caused by allocating new coins proportionally to hashing power.

Or zero-knowledge protocols could be used to vastly enhance the anonymity of transactions.

Bitcoin is an interesting proof of concept, but "as elegant as a decentralised digital transactions system could be" is overselling it by far.

XBox (Games)

Microsoft Exec Says Xbox One Kinect Is Not Built For Advertising 75

Posted by timothy
from the more-to-come-next-time-around dept.
MojoKid writes "Among the various SNAFUs and PR misfires related to the Xbox One release earlier this year, one item that had people upset was that Kinect would be used for advertising--or worse, that the Xbox One Kinect was actually designed with advertising in mind. The source was a UI designer who was expounding the capabilities of the Kinect and how it could be used to deliver interactive ads and used for native advertising. However, Microsoft Director of Product Planning Albert Penello threw cold water on much of it. 'First--nobody is working on that,' he said. 'We have a lot more interesting and pressing things to dedicate time towards.' He also stated that if Microsoft were to engage in something along those lines, users would definitely have control over it, meaning that Kinect would not be spying on you; you would have to engage with Kinect for anything to happen."

+ - The Future Will Be Modular: Tinkertoy-Like Blocks Will Build Bridges, Planes

Submitted by cartechboy
cartechboy (2660665) writes "Does that sketchy bridge on your commute to work freak you out? How about that budget airplane seat your boss puts you in once a month? If you're nervous about that, then you'll probably freak out about this: Future airplanes, bridges, boats, even spacecraft may be built from modular blocks that snap together like Tinkertoys. While the idea seems strange, the parts are claimed to be up to 10 times stiffer than existing ultralight materials and the construction work will be done by tiny robots crawling along the structure as it's built. It would even be possible to disassemble one structure, say, a bridge, and repurpose it into a new building. Imagine taking apart one wing of your office building and turning it into a boat--just be sure to bring your life jacket."
Television

Legislators Introduce Bill To Stop Set Top Boxes From Watching You 161

Posted by Soulskill
from the stop-looking-at-me dept.
An anonymous reader writes "For a few years now, we've been hearing about TV-related devices that have built-in cameras and microphones. Their stated purpose is to monitor consumers and gather data — often to target advertising. (We'll set aside any unstated purposes — the uses they tell us about are bad enough.) Now, two members of the U.S. House of Representatives have submitted legislation to regulate this sort of technology. '[They] said they want to get out ahead of the release of this new technology and pass legislation that ensures it would include beefed up privacy protections for consumers. They added that this legislation is particularly relevant given the recent revelations about the National Security Agency's Internet surveillance programs. ... Additionally, the bill requires a cable box or set-top device to notify consumers when the monitoring technology is activated and in use by posting the phrase "We are watching you" across their TV screens.'"

Comment: Re:AF_BUS -- a[n] implementation of the D-BUS" (Score 3, Informative) 61

by GrievousMistake (#42668423) Attached to: LTSI Linux Kernel 3.4 Released

Hadn't heard about AF_BUS before...
I found the rationale, and a summary of the argument against.

I get that doing multicast in userspace isn't optimal, but I'm a bit mystified what people are doing with D-Bus that would require any kind of performance. Wasn't D-Bus supposed to be a simple pub-sub system for notification of events and the like?

Comment: Re:Requires local access (Score 1) 210

by GrievousMistake (#42301035) Attached to: Denial-of-Service Attack Found In Btrfs File-System

this will be easily stopped by adding a filename prefix or suffix

No it won't. It is still easy to make collisions with a known prefix or suffix. You would have to include a random component.
Even if that was a feasible workaround, it's hardly a common best practice, nor should it be.

There goes this script kiddie's

He discovered this vulnerability himself, and wrote the attack code; he is by definition not a script kiddie. Never mind that he's a professor and published cryptographer.

while about experimental software not being perfect.

This has nothing to do with being experimental software. This is not a bug, it is a weakness in the design. Furthermore, the bad behaviour will not manifest by accident - you have to deliberately provoke it.
This is the type of problem that isn't fixed before someone finds and reports it -- like Junod did.

Please cease your inane babbling.

Microsoft

Microsoft Granted Patent For Augmented Reality Glasses 89

Posted by Unknown Lamer
from the not-tonight-shades dept.
another random user writes with an excerpt from the BBC about Microsoft's vision for augmented reality glasses: "A patent granted to the U.S. tech firm describes how the eyewear could be used to bring up statistics over a wearer's view of a baseball game or details of characters in a play. The newly-released document was filed in May 2011 and is highly detailed. ... Although some have questioned how many people would want to wear such devices, a recent report by Juniper Research indicated that the market for smart glasses and other next-generation wearable tech could be worth $1.5bn by 2014 and would multiply over following years." Noticeable differences from Google's version: two lenses, a wrist computer, and wires.

Comment: Re:Brilliant references! (Score 4, Funny) 197

Also be sure to check out the brilliant paper recently published by Hakin9 in their issue on Nmap.

The authors detail the working of their DARPA Inference Cheking Kludge Scanner (DICKS), and cite such prominent references as
Z. Sun, "Towards the synthesis of vacuum tubes," Journal of Concurrent, Extensible Technology, vol. 84, pp. 1-19, Feb. 2005.
C. Hoare, J. Wilkinson, and D. Ritchie, "Contrasting Scheme and Internet QoS using SluicyMash," Journal of Flexible, Omniscient Epistemologies, vol. 20, pp. 154-194, Feb. 2000

Some excerpts:

"Obviously, event-driven modalities and web browsers are based entirely on the assumption that extreme programming and digital-to-analog converters are not in conflict with the deployment of massive multiplayer online role-playing games."

"We show our method's real-time evaluation in Figure 1. We consider a framework consisting of n flip-flop gates. Such a claim might seem counter intuitive but is derived from known results. Next, NMAP does not require such a theoretical emulation to run correctly, but it doesn't hurt. This seems to hold in most cases. We use our previously enabled results as a basis for all of these assumptions. This seems to hold in most cases."

"Figure 1.3: The 10th-percentile latency of NMAP, as a function of popularity of IPv7"

Android

Universal Android Laptop Dock: Microsoft Nightmare, Or Toy? 262

Posted by timothy
from the cross-platform-within-a-platform dept.
ozmanjusri writes with this story from PC World: "A company that makes keyboard docks has announced a laptop-like peripheral that uses smartphones for processing and storage. Since many Android and Apple phones have multi-core processors powerful enough to deliver laptop-level performance, they only lack usable screens and keyboards to be productive for most office work. ClamCase believes their 13.3-inch 1,280 x 720 ClamBook with keyboard, multi-touch touchpad, and dedicated Android keys will make up for the lack, and turn smartphones into fully-functional laptops. A device like the ClamBook could be a real game-changer for the computer industry. If it succeeds, peripheral makers could build docks which would allow any monitor, keyboard, mouse and storage to be powered by any Android phone. It's a combination which would make BYOD offices very tempting for the corporations who are the Windows/Office combination's remaining cash-cow." I only wish the company would license the idea as well to established makers, so otherwise conventional laptops could gain the ability to easily become advanced phone screens, too.
Google

Sergey Brin Demos Google Glasses Prototype 122

Posted by samzenpus
from the have-you-ever-seen-it-on-google? dept.
MojoKid writes "Folks have been clamoring for more on Google's Project Glass and Sergey Brin — one of the co-founders of Google — is now burying himself in the R&D department associated with its development. Recently Brin appeared on 'The Gavin Newsom Show' with the prototype glasses perched on his face. The visit was actually a bit awkward as you can see in the video, as it's a lot of Brin and Newsom describing what they're seeing via the glasses with no visual for the audience. However, Brin dropped a bomb when he stated that he'd like to have the glasses out as early as next year."
Censorship

Judge Who Ordered Pirate Bay Censorship Found To Be Corrupt 104

Posted by Soulskill
from the conflict-of-interest dept.
TheGift73 writes "TorrentFreak reports that 'This week yet another court order was handed down in Europe with the aim of censoring The Pirate Bay. The ruling forbids the Dutch Pirate Party from not only running a direct proxy, but also telling people how to circumvent an earlier court ordered blockade. However, according to Pirate Party founder Rick Falkvinge, the judge in the case has a history of corruption relating to another file-sharing case he presided over in the Netherlands. The Court of The Hague in the Netherlands has been particularly busy this work with Pirate Bay-related cases.' Falkvinge wrote, '... not only was the plaintiff and judge personally and closely acquainted, the plaintiff in a controversial copyright monopoly case was running a commercial anti-piracy outfit together with the judge in the case. Money was involved. Commercial interest was involved. The judge was, as it appears from this brochure for the quite expensive course, getting money. Shortly after the case. In a directly related matter together with the plaintiff. That makes the judge not only corrupt, but textbook corrupt.'"

Pound for pound, the amoeba is the most vicious animal on earth.

Working...