
Comment Re:Do what Amazon did... (Score 1) 69 69

Offer up a version of the package that is small enough to be audited in detail so that there are very very very few bugs with it.

I think they said they had it down to 6k?

Amazon's package depends on OpenSSL. What they've essentially done is to build an OpenSSL version that's 6k bigger than the existing monster.

Comment Re:No more! (Score 1) 69 69

Before complaining about mbed TLS's GPLv2 license, you should probably be aware that OpenSSL uses its own application-specific license, which is not OSI approved. The license contains an advertising clause similar to the original BSD license; that makes OpenSSL both GPL-incompatible and a general PITA to work with.

In fact, I'd wager that almost every time OpenSSL is redistributed, it's done in violation of the license. When was the last time you saw a product advertising that "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit"? That text has to appear whenever you advertise any OpenSSL-based crypto functionality.

The license is technically libre, but only by the skin of its teeth...

Comment Re:Expect an updated U.S. travel advisory. (Score 1) 28 28

At least if you do it you're pampered and it's safe, unless you act out (say run to one particular statue and piss on it, or grope a female soldier)

Right. According to the above mentioned Travel Warning from the U.S. State Department, the following then qualifies as "acting out" and can be cause for arrest:

* involvement in unsanctioned religious and/or political activities (whether those activities took place inside or outside North Korea)
* unauthorized or unescorted travel inside North Korea
* unauthorized interaction with the local population, including unauthorized attempts to speak directly to North Korean citizens
* exchanging currency with an unauthorized vendor
* taking unauthorized photographs
* shopping at stores not designated for foreigners

(The warning then goes on to say that "If DPRK authorities permit you to keep your cell phone upon entry into the country, please keep in mind that you have no right to privacy in North Korea and should assume your communications are monitored." So at least some things are just like in the US.)

Comment Re:Over think (Score 4, Informative) 152 152

The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:

Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.

But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.

Comment Re:So how does this work? (Score 3, Interesting) 152 152

What you're proposing sounds like Kamouflage (PDF link from TFA), with only 1 decoy password set (Kamouflage suggests 10,000); and suffers from the problem of generating plausible fake master passwords without revealing anything about the real master password, as mentioned by the authors of NoCrack.

What the NoCrack authors try to achieve is a solution where every incorrect guess at the master password still provides a set of (incorrect but at least sometimes plausible) passwords. A bit like a one-time pad, which is the only provably secure encryption, because brute-forcing the key yields all the possible plain texts (both the correct and all the incorrect ones). Of course, the problem with the one-time pad is that the key length matches the plain text length, which would completely eliminate the benefit of a password manager. Additionally, as noted in TFA, authorized users might not like the idea that making a typo when entering the master password yields (seemingly) correct passwords. :-)

I'm not convinced the NoCrack authors have actually succeeded, as they claim, but can nevertheless recommend the NoCrack paper (PDF), since it discusses pros and cons of the approach and alternatives.
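The two comments above refer to "stateless" password managers (PwdHash-style derivation of each site password from the master password) and to two of their drawbacks: sites whose policy rejects the derived string, and a mistyped master password silently producing a different but equally plausible-looking password. The following is an added example written for this page, not code from PwdHash, Kamouflage or NoCrack; the HMAC-SHA256 construction, the site names and the policy rules are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Stateless derivation in the spirit of PwdHash (constructed example, not
    PwdHash's actual construction): the site password is HMAC(master, site),
    so nothing is stored and the same master always yields the same password."""
    digest = hmac.new(master.encode("utf-8"), site.encode("utf-8"), hashlib.sha256).digest()
    # Base64 yields letters, digits and '+', '/', which most sites accept.
    return base64.b64encode(digest).decode("ascii")[:length]

# Constructed site policies; real sites publish these as prose, not as data.
POLICIES = {
    "example.com": {"max_len": 64, "rules": []},
    # Legacy site: alphanumerics only and at most 12 characters.  A 16-char
    # base64 string can never satisfy the length limit, which is the "policy
    # banning the output of the password hash" problem quoted above.
    "legacy-bank.example": {"max_len": 12, "rules": [r"^[A-Za-z0-9]+$"]},
}

def policy_violations(password: str, policy: dict) -> list:
    """Return the reasons a password fails a site policy (empty list if it passes)."""
    reasons = []
    if len(password) > policy["max_len"]:
        reasons.append("too long (%d > %d)" % (len(password), policy["max_len"]))
    for rule in policy["rules"]:
        if not re.search(rule, password):
            reasons.append("does not match %s" % rule)
    return reasons

def typo_demo(master: str, typo_master: str, site: str) -> tuple:
    """Second drawback: a mistyped master password does not produce an error,
    it silently produces a different password that looks just as valid."""
    return derive_site_password(master, site), derive_site_password(typo_master, site)

if __name__ == "__main__":
    master = "correct horse"            # constructed master password
    for site, policy in POLICIES.items():
        pw = derive_site_password(master, site)
        print(site, pw, policy_violations(pw, policy) or "OK")
    real, wrong = typo_demo(master, "correct hosre", "example.com")
    print("real:", real, "typo:", wrong)
```

The policy check makes the first drawback concrete: without storing per-site metadata (which reintroduces state) there is no way to bend the derived string to a site's rules. The typo demo shows why the "seemingly correct password" problem applies to stateless managers as much as to NoCrack: the user gets no signal that the master was mistyped until the site rejects the login.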

Comment Re:Cost of Programmers Cost of Engines (Score 1) 125 125

Upfront cost? Most engines are charging percentages of revenue

Of the game engines mentioned in TFA, "most" = "one"?

Unity: $1500 (or $900/year) per developer.

CryEngine: $120/year per developer.

Source 2 (upcoming): Free (for games released on Steam).

Unreal: 5% royalty.

Comment Re:How many other flaws (Score 5, Informative) 173 173

Some facts about the U.S. justice system:

* The Reid technique is widely used for interrogations, a technique notorious for its effectiveness in enticing false confessions.
* Only 5 % of convicted felons had their case tried in court; the rest make a plea bargain (typically under threats of excessively long prison sentences and/or the death penalty).
* Judges are elected, subjecting them to the whims of public opinion and making them more politicians than impartial legal officials.
* At least 4 % of people sentenced to death in the U.S. are innocent.
* The U.S. incarcerates more people than any other country in the world, not just relative to the population size, but in absolute numbers.
* U.S. private prisons see $3+ billion in annual revenue... Not that that has anything to do with the above issues, I'm sure.

The U.S. justice system is broken in so many ways, I'm certainly forgetting some things.

Comment Re:My question about international data collection (Score 2) 200 200

ES said that if my gmail account was moved overseas on an international server, then the NSA could have a copy of my account even if there were no international sources/targets. Is that true or false?

That's true. While theoretically the NSA is not allowed to monitor communications between two american citizens, in practice, any communication leaving the country is simply assumed to involve a foreigner and is thus up for grabs. This "inadvertent" capture of american communications is in fact standard operating procedure:

The government has set a dismally low bar for concluding that a potential surveillance target is, in fact, a foreigner located abroad. By default, targets are assumed to be foreign. That's right, the procedures allow the NSA to presume that prospective targets are foreigners outside the United States absent specific information to the contrary—and to presume therefore that those individuals are fair game for warrantless surveillance.

Comment Re:FMH (Score 5, Interesting) 128 128

I've seen an example that works: The Danish film and video game rating system.

It differs from e.g. the US system in a number of ways:

* It's run by an independent government-sponsored organization, not the industry.
* For children not accompanied by an adult, the highest rating is "15 and older".
* Children ages 7 and up can see any movie if accompanied by an adult, no matter the rating.
* The board is charged only with determining if a film could be psychologically damaging to a typical child. They do not judge the "morals" and message of the film.
* The board features actual child development experts. As such, they know that cursing and nudity are not harmful to children, and if that's all the film contains, it will be rated "All audiences".

Example: "Harold & Kumar Go to White Castle".

USA (MPAA): 17+ (unless accompanied by an adult) due to "strong language, sexual content, drug use and some crude humor".

Denmark: 7+ recommended (but all ages admitted) due to "strange and threatening persons, assaults, fights and accidents [...] all in a comedic context" (a context which could be lost on very young children).

To quote the ratings board:

The Media Council classifies films based on a perspective purely concerning harmfulness. The classification decision shall be made on the basis of an assessment of whether a film is considered harmful for children in that particular age group. When classifying films, we look at film effects, depictions of grievous loss, degree of realism, possibility of identification, inclusion of redemption within the course, genre and the expected media competences of the age group in question.

The Media Council’s view on child protection is that
* Children can manage a good thrill.
* Children are not likely to fall to pieces by the slightest push.
* Children are active users of media and, therefore, already in an early age, they have accumulated both media competencies and experiences.
* Media are good resources in children’s everyday life.
* It is acceptable that films frighten, though, only to a certain limit. The Media Council sets these limits.

Comment Re:I'm one of those engineers... (Score 2) 341 341

we haven't even fixed the train crash issues yet... and how hard could that be :)

Not that hard. Automatic train operation is a solved problem; a properly installed, modern ATO system is safer than the best human driver, better at following time tables, and even has significantly lower energy consumption. In fact, many ATO mass transit lines cannot be run manually (without cutting down on the number of departures); human drivers are not able to keep up with the amount of traffic managed by the ATO.

An ATO will not stop the train if there's an unregistered person or vehicle on the tracks (or if the tracks are gone entirely, e.g. due to flooding). But then, the braking distance for a passenger train at speed is high enough that a human won't be able to stop it either.

Also, ATO systems may have a higher false-positive rate than manual systems... e.g. stopping the train because an umbrella has fallen on the tracks (to take a concrete example from the Copenhagen Metro). But that's an availability issue, not a safety issue. (And as noted, humans aren't able to keep up during normal operation, so the ATO still wins on availability overall.)

Full disclosure: I work with ATO systems.

Comment Re: Jerri (Score 3, Informative) 533 533

See what happened in Paris and Denmark. People from Europe travel to Syria and Iraq to fight with ISIS, get training and AK47s, and then come back to Europe to kill the infidels.

Omar El-Hussein, the Copenhagen shooter, never went to Syria or Iraq, never received any terrorist training, and didn't use an AK47, nor is there any evidence he ever communicated with terrorist organisations.

He did use a C7 rifle stolen from a member of the Danish national guard, but apparently had no weapons training. He did spend a couple of years in the Middle East years ago, but his radicalization appears to have happened primarily while he was incarcerated in Denmark.

Comment Re:Can they do it with corporate code? (Score 1) 220 220

Can they do it with corporate code where there are naming and style standards in abundance, and code reviews to ensure those guidelines are followed?

Presumably, yes. Style guides are 95% formatting, and if one RTFA (I know, I know), they look only at the structure of the parsed AST, not variable names, comments and whitespace. From the article:

Accuracy rates weren't statistically different when using off-the-shelf C++ code obfuscators. Since these tools generally work by refactoring names and removing spaces and comments, the syntactic feature set wasn't changed so author identification at similar rates was still possible.

Since they look at code structure, they've even found identifying patterns that survive compilation and end up in the binary.

This is one of the coolest data mining results I've seen in quite a while.
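To show why rename-and-strip obfuscation does not disturb a structure-based fingerprint, here is an added example written for this page (not the paper's feature set or classifier, which works on C/C++ ASTs with a random forest): it counts parent/child node-type pairs in Python's `ast` tree, a representation in which identifier names, comments and whitespace never appear. The three code samples and the author labels are constructed.

```python
import ast
import math
from collections import Counter

def structural_fingerprint(source: str) -> Counter:
    """Count (parent node type, child node type) pairs over the parsed AST.
    Names, comments and formatting are not part of the tree, so renaming
    identifiers or stripping comments leaves the counts unchanged."""
    tree = ast.parse(source)
    pairs = Counter()
    for parent in ast.walk(tree):
        for child in ast.iter_child_nodes(parent):
            pairs[(type(parent).__name__, type(child).__name__)] += 1
    return pairs

def similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity between two fingerprints; 1.0 means identical structure."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def most_similar_author(unknown: str, corpus: dict) -> str:
    """Nearest-neighbour attribution: pick the author whose sample's
    fingerprint is closest to the unknown sample's fingerprint."""
    fp = structural_fingerprint(unknown)
    return max(corpus, key=lambda author: similarity(fp, structural_fingerprint(corpus[author])))

# Constructed sample: descriptive names and a comment.
ORIGINAL = """
def count_even(numbers):
    # Count how many entries are even.
    total = 0
    for value in numbers:
        if value % 2 == 0:
            total += 1
    return total
"""

# Same code after a rename/strip-comments obfuscation: the AST is identical.
OBFUSCATED = """
def f(a):
    b=0
    for c in a:
        if c%2==0:
            b+=1
    return b
"""

# A different author's habit (generator expression instead of a loop):
# the AST, and so the fingerprint, is different.
RESTRUCTURED = """
def count_even(numbers):
    return sum(1 for value in numbers if value % 2 == 0)
"""

if __name__ == "__main__":
    corpus = {"alice": ORIGINAL, "bob": RESTRUCTURED}
    print("original vs obfuscated:", similarity(structural_fingerprint(ORIGINAL), structural_fingerprint(OBFUSCATED)))
    print("original vs restructured:", similarity(structural_fingerprint(ORIGINAL), structural_fingerprint(RESTRUCTURED)))
    print("obfuscated sample attributed to:", most_similar_author(OBFUSCATED, corpus))
```

The obfuscated sample scores a similarity of 1.0 against its unobfuscated original and is attributed to the same author, while the genuinely restructured version scores lower. Changing what the fingerprint sees requires changing control flow and expression shape, which is what the style guides mentioned above generally leave alone.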

Comment Re:Well... (Score 3, Informative) 181 181

How would the West feel about the release of a popular film in which the assassination of a living head of state is planned? How would your government behave toward you if YOU wrote a book / published a film / performed a play about this?

In 2006, Death of a President portrayed the assassination of George W. Bush. I don't remember hearing about it at the time, and even searching the website of Fox News doesn't turn up much controversy.

In 2008, AFR came out, in which Anders Fogh Rasmussen, the then-Prime Minister of Denmark (and later Secretary-General of NATO) was murdered (and also, incidentally, portrayed as a closeted homosexual, in line with long-standing rumours). It generated minor controversy, was well-received by critics, and a failure at the box office. I found it forgettable (I literally don't remember any of it).

Of course, both films were small, independent films, and both can legitimately claim to use the controversial plot for a higher purpose. The Interview... not so much.
