Technology (Apple)

iPhone 3GS Encryption Cracked in 2 Minutes

Submitted by Anonymous Coward
An anonymous reader writes "In a Wired News article, iPhone forensics expert Jonathan Zdziarski explains how the much touted hardware encryption of the iPhone 3GS is but a farce, and demonstrates how both the passcode and backup encryption can be bypassed in about 2 minutes. Zdziarski also goes on to say that all data on the iPhone — including deleted data — is automatically decrypted by the iPhone when it's copied, allowing hackers and law enforcement agencies alike to access the device's raw disk as if no encryption were present. A second demonstration features the recovery of the iPhone's entire disk while the device is still passcode-locked. According to a similar article in Ars Technica, Zdziarski describes the iPhone's hardware encryption as "like putting privacy glass on half your shower door," he told Ars. "What, pray tell, is the advantage in that?" With the iPhone being sold into 20% of the Fortune 100 and into the military, just how worried should we be about such shoddy security?"
Data Storage

Next Data Center Bottleneck: RAID Controllers

Submitted by storagedude
storagedude writes "Interesting article — suggests that most RAID controllers are completely unprepared for solid state drives and parallel file systems, all but guaranteeing another I/O bottleneck in data centers and another round of fixes and upgrades. What's more, some unnamed RAID vendors don't seem to even want to hear about the problem."

Comment: Re:STV (Score 5, Informative) 154

by Helvick (#27723197) Attached to: Irish Reject E-Voting, Go Back To Paper
The Irish STV implementation also has to redistribute so called "surplus" votes.

Since it features multiple candidate constituencies the number of votes required to get elected is not a simple majority but a quota defined by the Droop formula (Total number of valid ballots/(Total number of candidates +1))+1. Ballots for candidates who exceed the quota have a surplus and that surplus gets redistributed according to the next preference on the ballot. The exact mechanism for choosing the actual votes that comprise the surplus amount is random and those randomly selected votes are then transferred as full votes to the next preference candidate. So when a candidate has 10000 votes with a quota of 8500, 1500 ballots are chosen at random and the preferences in those ballots are used to transfer them to the remaining candidates in play. For situations where a candidate gets a surplus on a second count (i.e. including transferred preferences from an eliminated candidate or from surplus votes from an earlier elected candidate) only the ballots transferred at the last stage are used when selecting the surplus votes to be transferred.

These shortcuts were introduced to speed up manual paper counts but they meant that the task of comparing an electronic count to a paper Voter Verified Audit Trail (VVAT) presents an interesting problem. In order to be able to fully and accurately validate the electronic count the VVAT records would have to be able to be tied exactly to the sequence of the electronic votes (so that each electronic record could be tied to each paper record and the random selections for surplus redistributions could be matched up). One solution to this would be to remove the shortcuts for electronic voting but that would have meant moving to e-Voting entirely as they could not use two different counting methods in different constituencies. So they had to implement an e-Voting STV counting mechanism that followed the same rules as a paper count would. Not hard to do but this then led to a further issue for those of us arguing for a voter verified audit trail for any e-voting system.

One of the Irish Government's least silly arguments against any VVAT for e-Voting was that such a capability might be compromised and could result in someone figuring out exactly how (some) individual voters had voted. Since the Irish constitution explicitly specifies that parliamentary voting must be secret this was something they were very much afraid of - it's notable that since the constitution does not explicitly require counting votes to be accurate (it only implies this) they were less concerned about that. Anyway that's how it seemed to me when I met them about the issue - they didn't say it as bluntly as that but they were terrified about the potential secrecy problems but only worried about the potential for "small" errors.

The real problems with the Irish e-Voting debacle had very little to do with the complexities of an STV count - they were the same as they were/are in most other countries though. The machines in question were provided by private companies, closed and not adequately tested by properly independent security professionals, the vote tabulation software was also closed, similarly unavailable for inspection by independent specialists and most worryingly it was never available any significant period of time ahead of any given election as it had to be rewritten for each count. The lack of a voter verified paper audit capability (which could have been implemented safely despite the concerns described above) meant that the systems could be attacked/compromised/fail in ways that could materially affect an election without being detected. In the end though few of those problems led to the current Government's decision to abandon the problem, they finally got fed up with the political and financial costs associated with fighting to keep the project alive and they gave up. I'm pretty sure that many of the Government Ministers and civil servants involved still think that the Nedap/Powervote e-Voting system was perfectly fine.
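The count as the comment above describes it, as an added example rather than code from the comment or from the Irish counting system: a Droop quota, one candidate elected per stage, the surplus drawn at random from the last parcel the candidate received and transferred as whole votes, and elimination of the lowest candidate when nobody reaches the quota. The ballots are constructed, the quota uses the number of seats to fill in its denominator (this example's assumption), and seeding the random selection and logging ballot ids are choices made here to show what a voter-verified paper trail would have to be matched against.

```python
import random


def droop_quota(valid_ballots, seats):
    """Droop quota: floor(valid ballots / (seats + 1)) + 1.
    Using the number of seats to fill in the denominator is this example's assumption."""
    return valid_ballots // (seats + 1) + 1


def next_continuing(prefs, continuing):
    """First preference still in the race, or None if the ballot is exhausted."""
    return next((c for c in prefs if c in continuing), None)


def count_stv(ballots, candidates, seats, seed):
    """Count `ballots` (list of (ballot_id, preference tuple)) for `seats` seats.
    `seed` fixes the random selection of surplus ballots so the count can be replayed.
    Returns (quota, elected candidates in order, log of every transferred ballot id)."""
    rng = random.Random(seed)
    quota = droop_quota(len(ballots), seats)
    # Each candidate holds a list of parcels, one per stage at which ballots
    # arrived.  A surplus is drawn only from the last parcel received.
    piles = {c: [[]] for c in candidates}
    for bid, prefs in ballots:
        piles[prefs[0]][0].append((bid, prefs))
    continuing = set(candidates)
    elected, log = [], []

    def transfer(batch, label):
        # Ballots move as whole votes to their next continuing preference;
        # exhausted ballots drop out.  The log keeps the exact ballot ids,
        # which is what a paper audit trail would have to be matched against.
        grouped = {}
        for bid, prefs in batch:
            nxt = next_continuing(prefs, continuing)
            if nxt is not None:
                grouped.setdefault(nxt, []).append((bid, prefs))
        for cand, parcel in grouped.items():
            piles[cand].append(parcel)
        log.append((label, tuple(sorted(bid for bid, _ in batch))))

    while len(elected) < seats:
        totals = {c: sum(len(p) for p in piles[c]) for c in continuing}
        if len(continuing) <= seats - len(elected):
            # No more candidates than remaining seats: elect them all.
            elected.extend(sorted(continuing, key=lambda c: (-totals[c], c)))
            break
        over = [c for c in continuing if totals[c] >= quota]
        if over:
            winner = max(over, key=lambda c: (totals[c], c))
            elected.append(winner)
            continuing.remove(winner)
            surplus = totals[winner] - quota
            pool = piles[winner][-1]
            if len(pool) < surplus:
                # Simplification for this example: if the last parcel is
                # smaller than the surplus, select from the whole pile.
                pool = [b for p in piles[winner] for b in p]
            transfer(rng.sample(pool, surplus), "surplus of " + winner)
        else:
            loser = min(continuing, key=lambda c: (totals[c], c))
            continuing.remove(loser)
            transfer([b for p in piles[loser] for b in p], "elimination of " + loser)
    return quota, elected, log


CANDIDATES = ["A", "B", "C", "D"]


def constructed_ballots():
    """26 constructed ballots for a 2-seat constituency (not real election data)."""
    pattern = ([("A", "B")] * 10 + [("A", "C")] * 4 + [("B", "C")] * 6
               + [("C", "B")] * 4 + [("D", "B")] * 2)
    return [("ballot-%02d" % i, prefs) for i, prefs in enumerate(pattern, 1)]


def replay_matches(ballots, seats, seed):
    """An audit can reproduce the count exactly only if the ballot sequence and
    the random selection are both recorded; with both fixed, two runs agree."""
    return (count_stv(ballots, CANDIDATES, seats, seed)
            == count_stv(ballots, CANDIDATES, seats, seed))


if __name__ == "__main__":
    ballots = constructed_ballots()
    quota, elected, log = count_stv(ballots, CANDIDATES, 2, seed=2009)
    print("quota", quota, "elected", elected)
    for label, ids in log:
        print(label, "-", len(ids), "ballots:", ids)
    # Same ballots in a different sequence with the same seed: the randomly
    # chosen surplus ballots are in general a different set of physical ballots.
    _, _, log2 = count_stv(list(reversed(ballots)), CANDIDATES, 2, seed=2009)
    print("same surplus ballots after reordering:", log[0] == log2[0])
```

With these 26 ballots A is elected on the first count with a surplus of 5, and B takes the second seat whichever 5 of A's ballots the random draw picks; which physical ballots carried the surplus is nevertheless different for every seed or ballot order, so a paper trail that cannot be tied to the electronic sequence can confirm the totals but not the transfer itself.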
Handhelds

How did RIM's Blackberry get FCC clearance?

Submitted by Gogogoch
Gogogoch (663730) writes "I'm sure there is an expert reading Slashdot who can tell us how RIM got their Blackberry approved by the EMC regulators, such as the FCC. I'm thinking of the "does not interfere with other equipment" requirement. My experience is that a Blackberry manages to interfere with most forms of telephone, speakerphone, or audio amplifier, producing those annoying clicks and noises something like a 56K modem, but different. Please, how did they get away with it?"

Comment: Re:Allow me to translate... (Score 1) 380

by Helvick (#19591129) Attached to: Corporate IT Hanging Up on Apple's iPhone
Whoa. I think I can help here...I speak a little PHB:

Thanks AC. Glad to see you went to the comedy school of IT.

"I manage the people who run the email servers for my company. I have a degree in business; I am skilled at synergizing my big-picture ideas on a going-forward basis."

No business degree, sorry. Just an engineer and I manage nobody, I design and build the systems. I'm glad that you think I'm qualified to run the whole show, I'll make sure to remember that at my next review.

"We need secure logins, but we don't trust our users."

Well no I don't trust my users, and neither does any other systems admin but that's not the point. Building a secure and usable access control mechanism for mobile devices is hard. Would you be happy if you hired a systems admin who accepted that a username and password alone was sufficient for remote access into your systems? If so then it's time you reviewed your risk posture - for my part I like to use RSA keys, certs and one time tokens for that sort of thing. Passwords do not cut it, sorry.

"We did not cover secure IMAP in my MIS classes."

Actually true but only because I never attended any MIS classes. Anyway I was talking about authentication protocols and not mail protocols here so I don't see your point. Mutually authenticated secure IMAP would be good if it turns out to be possible to figure out a secure way to distribute certificates to the device but there is no indication that the iPhone will ship with a good enough certificate enroller and as a closed system writing our own is not an option.

"Encrypted, password-based authentication is too simple to possibly guarantee my job."

100% true. I'd be fired if I suggested it and I'd expect no less. Seriously, passwords don't cut it for authentication over untrusted links in this day and age, if you haven't realized that yet then I suggest you start thinking about why good SSH implementations don't use them.
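An added example, not code from the comment above or from any vendor's token: the server side of a time-based one-time token of the kind the comment prefers over a bare password, following HOTP (RFC 4226) and TOTP (RFC 6238). The secret is the RFC 6238 test vector secret, used here as constructed input, and the `TotpVerifier` class, its window and its replay rule are this example's own design, not part of any standard library.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check for a time-based one-time token.  Besides the code
    itself it enforces the property a static password cannot have: a code
    that was already accepted is never accepted again, even inside the window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_counter = -1   # highest time step already consumed

    def verify(self, code, now):
        counter = int(now) // self.step
        # Allow `window` steps of clock drift either side, but never a step at
        # or before the last accepted one: that would be a replayed token.
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter:
                continue
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_counter = c
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real key.
DEMO_SECRET = b"12345678901234567890"


def demo_replay():
    """A fresh code is accepted once; presenting it again, or a wrong code, is refused."""
    v = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    first = v.verify(code, 59)
    replay = v.verify(code, 75)      # same time step, same code, second use
    wrong = v.verify("000000", 75)
    return first, replay, wrong


if __name__ == "__main__":
    print("T=59, 8 digits:", totp(DEMO_SECRET, 59, digits=8))   # RFC 6238 vector: 94287082
    print("accepted, replayed, wrong:", demo_replay())
```

The drift window is what makes the replay rule necessary: without remembering the last consumed step, a code sniffed from an untrusted link stays valid for up to three steps, which is exactly the password-style weakness the token is supposed to remove.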

User Journal

Journal: Centralized Systems = Large Problems

Journal by doom

Annalee Newitz questions whether it's a good idea to store your life on someone else's servers: Data crash of 2027: "... this situation is worse than potentially being data-raped by some feds trolling for terrorists. When we store all our personal, financial, and social information on other people's computers, we risk losing everything for reasons even s

Music

iTunes Staffers Become Music's New Gatekeepers 79

Posted by ScuttleMonkey
from the are-you-the-keymaster dept.
WSJdpatton writes to mention The Wall Street Journal has a look at how Apple is shaking up the world of music retailing. "Apple -- now one of the largest sellers of music in the U.S. -- offers home-page placement in exchange for things such as exclusive access to new songs, special discount pricing or additional material such as interviews with stars. Most other big retailers, digital and physical, also seek exclusive offerings, but Apple is especially aggressive and has outsize clout when it comes to the slightly out-of-mainstream music it often emphasizes."
Google

Orkut: Your email address can be hacked easily

Submitted by vikrantsharma1
vikrantsharma1 writes "Orkut has been in the midst of privacy and security concerns since its launch. There have been many ways through which you can get to know the email address of any person on Orkut even when it is not displayed in the public profile. Although Google keeps on fixing bugs as and when they are highlighted, there seems to be a long way to go before they can make Orkut a secure social network.

One of the methods of finding out the email address, which I came across, is listed below; you can try it yourself.

Steps:
1. Open the profile of the person whose email address you wish to know. It can be anyone in the Orkut network.
2. Click on "Ignore User"
3. Open GTalk and sign in with your ID
4. Click on Settings and select "Blocked"
5. You will find the email address of the person whom you blocked on Orkut.

You can see the screenshots of the same at http://vikrantweb.blogspot.com/2007/03/orkut-your-email-address-can-be-hacked.html"
Announcements

International Public Toilets Database

Submitted by William S.
William S. writes "Press Release: 10 March 2007

A publicly accessible database has been set up at www.publictoilets.org . You can search for public toilets in 19 countries and find out information that includes the address and detailed information about the facility as well as geographic coordinates. A user can submit comments and enter new locations. There is a wiki, forum and mailing list linked from the main page of the database with information related to public toilets. It is hoped that public exposure to this resource will add to its content and help expand coverage.

For more information contact:
wstan@publictoilets.org

or go to:

www.publictoilets.org"
Security

BBC reports Skynet going live

Submitted by rowleyrw
rowleyrw (633352) writes "The BBC are reporting "The British military is set to take one of its most significant steps into the digital age with the launch of the first Skynet 5 satellite. The spacecraft will deliver secure, high-bandwidth communications for UK and "friendly" forces across the globe." It's not yet the Skynet of Terminator, but how long before it becomes self aware :-)"
Wii

Features the Wii Opera Browser is Screaming for

Submitted by frenchy64
frenchy64 writes "With the next release of the Wii Opera Browser just around the corner, there is so much potential to fulfil that it's overwhelming. Okay, we know it needs tabs, updated Flash and all that jazz, but what else could be included? The Wii Gamers have an editorial suggesting features such as DS connectivity for an easy wireless keyboard, Wiimote gestures, and browse-while-playing capabilities (to name a few)!"
United States

FBI abused Patriot Act powers

Submitted by devnulljapan
devnulljapan (316200) writes "Well, we all knew this, but here's the scoop from the Guardian and the BBC and CNN even Faux News is covering it, albeit with a spin that it's all Robert Mueller's fault:
The FBI abused its powers under the PATRIOT act to obtain information about US citizens, according to a justice department report published yesterday. The Justice department's inspector-general, Glenn Fine, said the FBI had been illegally using its powers in some cases, was under-reporting the frequency with which it forced firms to hand over customer information, and obtained phone records other than for emergencies.
Why is this not front page news in the US? If only the acronym was ANNA-NICOLE-SMITH..."
Programming

Why Is "Design by Contract" Not More Popular? 178

Posted by Cliff
from the puzzling-outcomes dept.
Coryoth writes "Design by Contract, writing pre- and post-conditions on functions, seemed like straightforward common sense to me. Such conditions, in the form of executable code, not only provide more exacting API documentation, but also provide a test harness. Having easy to write unit tests, that are automatically integrated into the inheritance hierarchy in OO languages, 'just made sense'. However, despite being available (to varying degrees of completeness) for many languages other than Eiffel, including Java, C++, Perl, Python, Ruby, Ada, and even Haskell and Ocaml, the concept has never gained significant traction, particularly in comparison to unit testing frameworks (which DbC complements nicely), and hype like 'Extreme Programming'. So why did Design by Contract fail to take off?"
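The mechanism the submission describes, as an added example that is neither Eiffel nor any of the libraries it lists: executable pre- and postconditions attached to methods, enforced automatically and inherited through the class hierarchy under the Eiffel rule (a redefinition may only weaken the precondition and only strengthen the postcondition). The `contract` decorator, the `Contracted` base class and the bounded-stack classes are this example's own constructions.

```python
import functools


class ContractViolation(AssertionError):
    """Raised when a pre- or postcondition fails."""


def contract(pre=None, post=None):
    """Attach executable conditions to a method.
    pre(self, *args, **kw) -> bool is checked before the call,
    post(self, result, *args, **kw) -> bool after it."""
    def decorate(fn):
        fn.__pre__ = [pre] if pre else []
        fn.__post__ = [post] if post else []
        return fn
    return decorate


def _enforce(fn, pre, post):
    @functools.wraps(fn)
    def wrapper(self, *args, **kwargs):
        # Eiffel rule: an inherited precondition may only be weakened, so any
        # one of the conditions suffices; a postcondition may only be
        # strengthened, so all of them must hold.
        if pre and not any(p(self, *args, **kwargs) for p in pre):
            raise ContractViolation("precondition of %s violated" % fn.__qualname__)
        result = fn(self, *args, **kwargs)
        if not all(q(self, result, *args, **kwargs) for q in post):
            raise ContractViolation("postcondition of %s violated" % fn.__qualname__)
        return result
    wrapper.__pre__, wrapper.__post__ = pre, post
    return wrapper


class Contracted:
    """Base class: methods carrying contracts are wrapped when a subclass is
    defined, and an overriding method inherits the overridden method's contracts."""

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        for name, fn in list(vars(cls).items()):
            if name.startswith("__") or not callable(fn):
                continue
            pre = list(getattr(fn, "__pre__", []))
            post = list(getattr(fn, "__post__", []))
            for base in cls.__mro__[1:]:          # nearest overridden method, if any
                parent = getattr(base, name, None)
                if parent is not None:
                    pre += getattr(parent, "__pre__", [])
                    post += getattr(parent, "__post__", [])
                    break
            if pre or post:
                setattr(cls, name, _enforce(fn, pre, post))


class Stack(Contracted):
    """Bounded stack: the contract states what a caller must guarantee and what
    the stack guarantees back (no push past capacity, no pop when empty)."""

    def __init__(self, capacity):
        self.capacity, self._items = capacity, []

    def size(self):
        return len(self._items)

    @contract(pre=lambda self, item: self.size() < self.capacity,
              post=lambda self, result, item: self._items[-1] == item)
    def push(self, item):
        self._items.append(item)

    @contract(pre=lambda self: self.size() > 0,
              post=lambda self, result: result is not None)
    def pop(self):
        return self._items.pop()


class GrowingStack(Stack):
    """Redefines push: the precondition is weakened (always allowed, the stack
    grows) and a postcondition is added; Stack.push's postcondition still applies."""

    @contract(pre=lambda self, item: True,
              post=lambda self, result, item: self.size() <= self.capacity)
    def push(self, item):
        if self.size() >= self.capacity:
            self.capacity *= 2
        self._items.append(item)


def violates(thunk):
    """True if calling thunk() breaks a contract; the contracts double as a test harness."""
    try:
        thunk()
    except ContractViolation:
        return True
    return False


if __name__ == "__main__":
    s = Stack(1)
    s.push("a")
    print("push past capacity rejected:", violates(lambda: s.push("b")))
    print("pop of empty stack rejected:", violates(lambda: Stack(1).pop()))
    g = GrowingStack(1)
    g.push("a")
    g.push("b")
    print("growing stack size/capacity:", g.size(), g.capacity)
```

The subclass inherits `pop` and its contract untouched, and its redefined `push` is checked against both its own conditions and the parent's postcondition; that is the "automatically integrated into the inheritance hierarchy" property the submission refers to, and the reason a contract violation in a subclass points at a design error rather than a unit test someone forgot to write.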
Linux Business

Samba Success in the Enterprise? 149

Posted by Cliff
from the asking-for-your-experiences dept.
gunnk asks: "We've deployed a Samba server here to replace some aging Novell Netware boxes. It works great: fast, secure, stable. However, we have one VIP that feels that Samba is 'amateur' software and that we should be buying Windows servers. I've been searching with little success for large Samba deployments in Enterprise environments. Anyone out there care to share stories of places that are happily running large Samba installations for their file servers? Or not so happy, for that matter — better to be informed!"
Businesses

Where are the science shortages?

Submitted by
An anonymous reader writes "With Bill Gates talking about the shortages in people to fill positions in science and technology, I was wondering where the shortages really are in science? Are there really any science positions out there in high demand? It seems like a lot of the visa worker issues revolve around IT, but is there an impact in science or engineering?"
