

Comment: Re:This... is a very good idea. (Score 1) 110

by JonySuede (#43689139) Attached to: Honeywords — Honeypot Passwords
Sorry, I do enterprise identity management for a living; I might have over-thought this in the context of a random webapp, and I skip some random words here and there as I write here with a beer or a scotch after work....
In an enterprise setting you usually have to have reversibility, to synchronize systems, as not everything is SSO enabled or LDAP friendly; complexity in that setting is unavoidable.
The weird part about the daily salt was put into that system by decree of our clueless management, which had paid a consultant (read: snake-oil dealer) to review and "improve" our security. And I agree with you, that part only increases complexity, not security.

Comment: Re:That's sorta up to you; (Score 1) 314

by JonySuede (#43679531) Attached to: Ask Slashdot: Becoming a Programmer At 40?

it's impossible to create your own concurrent access primitives. At best you can invent a new concept, like Dijkstra did with the semaphore. As I don't recall reading a completeness proof of the set of known concurrent access primitives, you might have a chance.

You probably meant implementing an existing one, like the Semaphore in Java before the JSR-166 RI.

Comment: Re:This... is a very good idea. (Score 1) 110

by JonySuede (#43670915) Attached to: Honeywords — Honeypot Passwords
It's a small part of defense in depth; any sensitive information that is not atomic should be stored separately. Every speed bump you put in an attacker's road is an opportunity for detection, a point for auditing.

It's only going to get faster generating those rainbow tables; see the post on GPUs somewhere lower...
The true solution is proper key derivation and management using dedicated security equipment, e.g. a Java Card with a keypad to enter the master key. Re-keying capability is a must, and with a currently safe algorithm like AES-256 in CBC with PKCS7 padding, have someone random from the company enter a new key each year and now you're approaching password storage security. From there calculate MD5/SHA1/RC4... using a daily one-time-use salt to populate your identity database across your systems that refuse to be federated.
The keys in the Java Card are quite safe; those cards are not like the plugin...
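
The "store non-atomic secrets separately" point above, applied to the honeywords scheme the thread is about, as an added Python example (not code from Slashdot, the comment author, or the Honeywords paper). The in-memory dicts standing in for the credential table and the separate honeychecker, the chaffing-by-tweaking decoy generator, the PBKDF2 parameters, and the sample user "alice" with password "Summer2013" are all constructed for the demo. A dump of the credential table alone yields K equally plausible candidates per user; only the honeychecker knows which one is real, and submitting any decoy is the detection opportunity the comment describes.

```python
"""Added example: honeywords with a split store. Constructed demo code,
not Slashdot's or the Honeywords authors' implementation."""
import hashlib
import hmac
import random
import secrets
import string
from typing import List, Optional

K = 4                 # sweetwords (real password + decoys) per user; assumed
ROUNDS = 10_000       # PBKDF2 rounds, kept low for the demo; assumed

CREDENTIAL_DB: dict = {}   # what a stolen SQL dump would contain
HONEYCHECKER: dict = {}    # lives on a separate hardened host: user -> real index
ALARMS: list = []          # what the SOC would see


def _h(salt: bytes, word: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ROUNDS)


def tweak_decoys(real: str, n: int, rng: random.Random) -> List[str]:
    """Chaffing by tweaking: swap the trailing digits for different ones so the
    decoys look as plausible as the real password (Summer2013 -> Summer2087)."""
    stem = real.rstrip(string.digits)
    width = (len(real) - len(stem)) or 2      # no trailing digits? append two
    decoys = set()
    while len(decoys) < n:
        cand = stem + "".join(rng.choice(string.digits) for _ in range(width))
        if cand != real:
            decoys.add(cand)
    return sorted(decoys)


def register(user: str, real: str, decoys: Optional[List[str]] = None,
             rng: Optional[random.Random] = None) -> None:
    rng = rng or random.Random(secrets.randbits(64))
    sweet = list(decoys or tweak_decoys(real, K - 1, rng)) + [real]
    rng.shuffle(sweet)                        # position must not leak which is real
    salt = secrets.token_bytes(16)
    CREDENTIAL_DB[user] = {"salt": salt, "hashes": [_h(salt, w) for w in sweet]}
    HONEYCHECKER[user] = sweet.index(real)    # the only thing the honeychecker stores


def login(user: str, submitted: str) -> str:
    """Return 'ok', 'fail', or 'alarm' (a decoy was submitted, so the credential
    table has very likely been stolen and cracked offline)."""
    rec = CREDENTIAL_DB.get(user)
    if rec is None:
        return "fail"
    h = _h(rec["salt"], submitted)
    matches = [i for i, stored in enumerate(rec["hashes"]) if hmac.compare_digest(stored, h)]
    if not matches:
        return "fail"
    if HONEYCHECKER[user] == matches[0]:
        return "ok"
    ALARMS.append(f"honeyword submitted for {user}")
    return "alarm"


def attacker_view(user: str, wordlist: List[str]) -> List[str]:
    """Offline attack with the dump only: every sweetword in the wordlist cracks,
    but nothing in the dump says which of the K is the real one."""
    rec = CREDENTIAL_DB[user]
    return [w for w in wordlist if _h(rec["salt"], w) in rec["hashes"]]


if __name__ == "__main__":
    register("alice", "Summer2013")
    print(login("alice", "Summer2013"))       # ok
    print(attacker_view("alice", ["Summer2013"] + tweak_decoys("Summer2013", 3, random.Random(1))))
```

The split only buys something if the honeychecker is on a different trust boundary from the credential table; if both sit in the same database the attacker reads the index along with the hashes and the decoys are just noise.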

Comment: Re:This... is a very good idea. (Score 1) 110

by JonySuede (#43668995) Attached to: Honeywords — Honeypot Passwords
Thing is, most salted password tables I saw in open-source products (no reason to believe proprietary ones are different) looked like this:

INTEGER user_id,

If the attacker gets your database, you're still screwed.
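
What "still screwed" means for a table of this shape, and what changes when the hashing key is not in the database, as an added Python example (not Slashdot's or the comment author's code). The row layout (user_id, username, salt, hash), the PBKDF2 rounds, the two sample users and the three-word guess list are constructed; HMAC under a key held outside the database stands in for the card-held master key the earlier comment describes.

```python
"""Added example: a salted-hash table cracks offline from the dump alone;
the same table keyed with a secret that never lives in the DB does not.
Constructed demo code, not Slashdot's or any product's implementation."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ROUNDS = 10_000   # assumed; real deployments use far more

Row = Tuple[int, str, bytes, bytes]   # (user_id, username, salt, password_hash)


def salted_hash(password: str, salt: bytes) -> bytes:
    """What most tables store: the salt sits in the row next to the hash, so a
    dump contains everything needed to verify guesses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def keyed_hash(password: str, salt: bytes, key: bytes) -> bytes:
    """Same hash, then MACed under a key held outside the DB (HSM, smart card,
    separate key service). Without the key a dump cannot verify guesses."""
    return hmac.new(key, salted_hash(password, salt), hashlib.sha256).digest()


def build_table(users: List[Tuple[str, str]], key: Optional[bytes] = None) -> List[Row]:
    """Rows mirroring the 'INTEGER user_id, ...' schema in the comment."""
    rows = []
    for user_id, (name, password) in enumerate(users, start=1):
        salt = os.urandom(16)
        digest = keyed_hash(password, salt, key) if key else salted_hash(password, salt)
        rows.append((user_id, name, salt, digest))
    return rows


def verify(row: Row, password: str, key: Optional[bytes] = None) -> bool:
    _, _, salt, digest = row
    cand = keyed_hash(password, salt, key) if key else salted_hash(password, salt)
    return hmac.compare_digest(cand, digest)


def crack_dump(rows: List[Row], wordlist: List[str],
               key: Optional[bytes] = None) -> Dict[str, str]:
    """Offline guessing with whatever the attacker holds: the dump, plus the key
    only if they also managed to take that."""
    found = {}
    for row in rows:
        for guess in wordlist:
            if verify(row, guess, key):
                found[row[1]] = guess
                break
    return found


if __name__ == "__main__":
    users = [("alice", "Summer2013"), ("bob", "correct horse battery")]
    guesses = ["123456", "password", "Summer2013"]
    print(crack_dump(build_table(users), guesses))                       # alice cracks
    print(crack_dump(build_table(users, os.urandom(32)), guesses))       # nothing cracks
```

One caveat the earlier comment already hints at: a MAC cannot be re-keyed without every user's password, so a yearly key rotation over stored values needs reversible encryption of the hash (the AES-CBC the comment mentions) rather than HMAC, or a rotate-on-next-login policy.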

Comment: Re:it contradicts the definition (Score 1) 209

But that snippet does warrant a comment that includes a tag to disable the warning. This is what I like the most about static analysis; worst case: it forces my developers to comment the hairy pieces of code; typical case: they refactor to avoid the need to comment and we have a more maintainable code base. To the same end, I also use the static analyzer to limit cyclomatic complexity, enemy #2 of maintenance, #1 being useless shorthand naming conventions, or the lack of any.
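
The two rules the comment leans on, a complexity ceiling and "a suppression tag must carry a justification", as an added Python example built on the standard library's ast module (not code from Slashdot, the comment author, or any real analyzer). The `# noqa` tag syntax, the threshold of 10, and the sample source with one over-complex function and one bare suppression are assumptions for the demo.

```python
"""Added example: a tiny static check that flags over-complex functions and
suppression tags with no stated reason. Constructed demo, not a real tool."""
import ast
import re
from typing import List

MAX_COMPLEXITY = 10   # assumed threshold

# "# noqa", optionally ": CODE, CODE", then whatever justification follows (assumed syntax).
SUPPRESS = re.compile(r"#\s*noqa(?::\s*[A-Z]+\d*(?:,\s*[A-Z]+\d*)*)?\s*(?P<why>.*)")


class _Branches(ast.NodeVisitor):
    """Counts decision points: +1 per if/elif/for/while/except/ternary and per
    boolean operator, starting from 1 for the single entry path."""

    def __init__(self) -> None:
        self.score = 1

    def visit_If(self, node: ast.AST) -> None:
        self.score += 1
        self.generic_visit(node)

    visit_For = visit_While = visit_IfExp = visit_ExceptHandler = visit_If

    def visit_BoolOp(self, node: ast.BoolOp) -> None:
        self.score += len(node.values) - 1
        self.generic_visit(node)


def cyclomatic(func: ast.FunctionDef) -> int:
    v = _Branches()
    for stmt in func.body:
        v.visit(stmt)
    return v.score


def complexity_of(source: str, name: str) -> int:
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == name:
            return cyclomatic(node)
    raise KeyError(name)


def lint(source: str) -> List[str]:
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef):
            score = cyclomatic(node)
            if score > MAX_COMPLEXITY:
                findings.append(f"{node.lineno}: {node.name} has cyclomatic complexity {score} > {MAX_COMPLEXITY}")
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SUPPRESS.search(line)
        if m and not m.group("why").strip():
            findings.append(f"{lineno}: suppression without justification; say why the warning is acceptable here")
    return findings


# Constructed sample input: one function over the ceiling, one bare suppression,
# one suppression that explains itself.
SAMPLE = '''
def route(code, user, flags, retries, mode):
    if mode is None:
        return None
    if code == 1 or code == 2:
        return "a"
    elif code == 3 and user:
        return "b"
    for f in flags:
        if f:
            continue
    while retries:
        retries -= 1
    try:
        x = mode()
    except ValueError:
        x = None
    return x if x else None

def run_blind(path):
    subprocess.call(path, shell=True)  # noqa: S602
    return 1

def run_documented(path):
    subprocess.call(path, shell=True)  # noqa: S602 path is a constant from ALLOWLIST, never user input
    return 1
'''

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Wired into CI, the second rule is what turns a suppression from a silent opt-out into the comment the post is talking about: the reviewer sees the reason next to the dangerous call, not just the tag.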

Comment: Re:Good luck with that (Score 1) 112

by JonySuede (#43630753) Attached to: AI System Invents New Card Games (For Humans)

a lot of what is considered AI by the people that do AI has nothing to do with intelligence.

No, it has to do with automating reasoning. Intelligence is so vaguely defined that two people could have opposite opinions on the importance of rational thought in the definition of intelligence and they would both be right, depending on which school of thought you belong to. I suggest you read a little bit in the following encyclopedia, starting at that page.

Comment: Re:Poor naming (Score 1) 176

by JonySuede (#42577603) Attached to: Samsung Won't Release Windows RT Tablet In US
I bought it for my laptop, my father bought it for his HTPC and my brother-in-law bought it for his laptop. At 39 it was money well spent for a measurable speedup.
However, none of us will buy it for our desktops. I like Windows 7 on my desktop and my father loves his mint/debian/ubuntu frankendistro workstation. Just because some disagree with you, it does not mean they are astroturfers.
