
Comment Re:Do we really want Google... (Score 1) 190

They are doing no such thing. [...] PPAPI (Chrome / Opera), NPAPI (Firefox due to be phased out), and ActiveX (IE due to be phased out).

Did you just rebut my claim that plugin support is being phased out by mentioning three incompatible plugin systems, two of which are end-of-life? Neither Firefox, Microsoft Edge (nor Safari for that matter) is slated to gain PPAPI support.

PPAPI plugins are only supported in Chrome and its variants, and usage is dismal. Of plugins that were most popular just two years ago, neither Silverlight (end-of-life), Unity Webplayer (end-of-life), the Google Earth plugin, Java, the Google Hangouts plugin nor the Facebook Videos plugin are available as PPAPI. PPAPI is in practice an internal Chrome API to be used with built-in modules (not plugins) such as Flash, the PDF viewer and NaCl.

All the above mentioned plugins are being supplanted by various HTML 5 features, with the possible exception of Java (which is just dying, as an in-browser technology). The native browser features aren't all there yet; Unity's native WebGL offering is still struggling with audio and video fidelity, but the gap is closing quickly. Already, Unity reports that compiling C# to .NET IL, IL to C++, and then C++ to asm.js JavaScript, and executing the result in Firefox, yields slightly better performance than executing the original IL in the (admittedly, somewhat dated) Mono runtime normally used in Unity.

Comment Re:Do we really want Google... (Score 1) 190

"Flash gets special treatment due to its market share, but make no mistake, the browser manufacturers are looking to kill it as soon as reasonably possible, too." If this is true, it's only because they've found more obtrusive and abusive ways to advertise to us that are more difficult to block.

The elimination of plugins is happening for entirely technical reasons. Microsoft obviously has their own Silverlight plugin, support for which is also gone in their latest browser.

HTML 5 is the future, also for ads. AdBlock etc. handle them without problems.

Comment Re:Do we really want Google... (Score 4, Informative) 190

Like it or not, all the major browsers are phasing out plugin support. Microsoft and Chrome have already dropped support for plugins other than Flash, and Mozilla is about to do the same. Flash gets special treatment due to its market share, but make no mistake, the browser manufacturers are looking to kill it as soon as reasonably possible, too.

Comment Re:Do what Amazon did... (Score 1) 69

Offer up a version of the package that is small enough to be audited in detail so that there are very very very few bugs with it.

I think they said they had it down to 6k?

Amazon's package depends on OpenSSL. What they've essentially done is to build an OpenSSL version that's 6k bigger than the existing monster.

Comment Re:No more! (Score 1) 69

Before complaining about mbed TLS's GPLv2 license, you should probably be aware that OpenSSL uses its own application-specific license, which is not OSI approved. The license contains an advertising clause similar to the original BSD license; that makes OpenSSL both GPL-incompatible and a general PITA to work with.

In fact, I'd wager that almost every time OpenSSL is redistributed, it's done in violation of the license. When was the last time you saw a product advertising that "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit"? That text has to appear whenever you advertise any OpenSSL-based crypto functionality.

The license is technically libre, but only by the skin of its teeth...

Comment Re:Expect an updated U.S. travel advisory. (Score 1) 28

At least if you do it you're pampered and it's safe, unless you act out (say run to one particular statue and piss on it, or grope a female soldier)

Right. According to the above-mentioned Travel Warning from the U.S. State Department, the following then qualifies as "acting out" and can be cause for arrest:

* involvement in unsanctioned religious and/or political activities (whether those activities took place inside or outside North Korea)
* unauthorized or unescorted travel inside North Korea
* unauthorized interaction with the local population, including unauthorized attempts to speak directly to North Korean citizens
* exchanging currency with an unauthorized vendor
* taking unauthorized photographs
* shopping at stores not designated for foreigners

(The warning then goes on to say that "If DPRK authorities permit you to keep your cell phone upon entry into the country, please keep in mind that you have no right to privacy in North Korea and should assume your communications are monitored." So at least some things are just like in the US.)

Comment Re:Over think (Score 4, Informative) 152

The NoCrack authors mention this briefly in their paper (PDF). They call the approach you describe "stateless password managers", and briefly describe some of the drawbacks of the approach:

Chiasson et al. conducted a usability study of both PwdHash and Password Multiplier and found the majority of users could not successfully use them as intended to generate strong passwords. Another usability challenge is dealing with sites with a password policy banning the output of the password hash.

But yeah, I'm not convinced the problems they highlight are intractable, nor that NoCrack solves them.
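To make the "stateless password manager" idea and the policy drawback quoted above concrete, here is an added example (my own code, not PwdHash, Password Multiplier or anything from the NoCrack paper). It assumes a simple derivation scheme, HMAC-SHA256 over the site's domain keyed with the master password, base64-encoded and truncated, and two constructed site policies. Because base64 output only ever contains letters, digits, `+` and `/`, a site that demands a symbol such as `!` or `@`, or caps length below the derived length, rejects the derived password every single time, which is exactly the failure mode the comment refers to.

```python
import base64
import hashlib
import hmac
import re


def derive_site_password(master: str, domain: str, length: int = 16) -> str:
    """Stateless derivation (assumed scheme, not PwdHash's exact construction):
    HMAC-SHA256 over the domain keyed with the master password, base64-encoded
    and truncated. Nothing is stored anywhere; the same (master, domain) pair
    always yields the same password."""
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


# Constructed site policies for the demonstration. The base64 alphabet is
# [A-Za-z0-9+/], so "legacy-bank.example" can never be satisfied: it wants a
# symbol outside that alphabet and a maximum length shorter than what we derive.
POLICIES = {
    "example.com": {
        "min_len": 8, "max_len": 64,
        "require": {"upper": r"[A-Z]", "lower": r"[a-z]"},
    },
    "legacy-bank.example": {
        "min_len": 8, "max_len": 12,
        "require": {"symbol": r"[!@#$%^&*]"},
    },
}


def policy_violations(password: str, policy: dict) -> list:
    """List the policy rules the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < policy["min_len"]:
        violations.append("too short")
    if len(password) > policy["max_len"]:
        violations.append("too long")
    for name, pattern in policy["require"].items():
        if not re.search(pattern, password):
            violations.append(f"missing {name}")
    return violations


def evaluate_site(master: str, domain: str) -> tuple:
    """Derive the site password and check it against that site's policy."""
    password = derive_site_password(master, domain)
    return password, policy_violations(password, POLICIES[domain])


if __name__ == "__main__":
    for site in POLICIES:
        pw, problems = evaluate_site("correct horse battery staple", site)
        print(f"{site:22} {pw}  {'OK' if not problems else ', '.join(problems)}")
```

A second consequence of storing nothing is worth keeping in mind when weighing this design: a site password can only be rotated after a breach by changing the master password, and that changes every other site's password at the same time.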

Comment Re:So how does this work? (Score 3, Interesting) 152

What you're proposing sounds like Kamouflage (PDF link from TFA), with only 1 decoy password set (Kamouflage suggests 10,000); and suffers from the problem of generating plausible fake master passwords without revealing anything about the real master password, as mentioned by the authors of NoCrack.

What the NoCrack authors try to achieve is a solution where every incorrect guess at the master password still provides a set of (incorrect but at least sometimes plausible) passwords. A bit like a one-time pad, which is the only provably secure encryption, because brute-forcing the key yields all the possible plaintexts (both the correct and all the incorrect ones). Of course, the problem with the one-time pad is that the key length matches the plaintext length, which would completely eliminate the benefit of a password manager. Additionally, as noted in TFA, authorized users might not like the idea that making a typo when entering the master password yields (seemingly) correct passwords. :-)

I'm not convinced the NoCrack authors have actually succeeded, as they claim, but can nevertheless recommend the NoCrack paper (PDF), since it discusses pros and cons of the approach and alternatives.
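The one-time pad property the comment above leans on, that brute-forcing the key yields every possible plaintext, is easy to see in code. The following is an added example written for this page (my own, not from the NoCrack or Kamouflage papers). It XORs a constructed "stored site password" with a random pad, then shows that for any same-length decoy there is a key under which the ciphertext decrypts to that decoy, so an exhaustive key search sees the real password and all the decoys side by side with nothing to tell them apart. The single-byte exhaustive search makes the "all possible plaintexts" claim literal, and the length check makes the cost visible: the key is as long as what it protects.

```python
import os


def otp_xor(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR byte for byte. The key must be exactly as long as the
    data, which is the cost mentioned in the comment above. XOR is its own
    inverse, so the same function encrypts and decrypts."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must match the data length")
    return bytes(d ^ k for d, k in zip(data, key))


def key_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """For any candidate plaintext of the right length there is exactly one key
    under which the ciphertext decrypts to it: key = ciphertext XOR candidate.
    A brute-force search over keys therefore produces every candidate and has
    no way to single out the real one."""
    return otp_xor(ciphertext, candidate)


def all_plaintexts_for_one_byte(ciphertext: bytes) -> set:
    """Exhaustive key search for a 1-byte ciphertext: all 256 plaintext bytes
    show up, which is the 'brute-forcing yields all plaintexts' property.
    Limited to one byte because the key space grows as 256**n."""
    if len(ciphertext) != 1:
        raise ValueError("demonstration is limited to a single byte")
    return {otp_xor(ciphertext, bytes([k]))[0] for k in range(256)}


def decoy_demo(real_password: bytes, decoys: list) -> dict:
    """Encrypt a constructed stored site password with a fresh random pad, then
    show that a wrong key chosen per decoy makes the same ciphertext decrypt to
    each decoy verbatim, mirroring the 'every wrong master password still
    yields plausible passwords' goal described for NoCrack."""
    pad = os.urandom(len(real_password))
    ciphertext = otp_xor(real_password, pad)
    results = {"real": otp_xor(ciphertext, pad) == real_password}
    for decoy in decoys:
        wrong_key = key_that_yields(ciphertext, decoy)
        results[decoy.decode("ascii")] = otp_xor(ciphertext, wrong_key) == decoy
    return results


if __name__ == "__main__":
    # Constructed sample: a real password and two decoys of the same length.
    print(decoy_demo(b"Tr0ub4dor&3", [b"hunter2hunt", b"letmein2024"]))
    print(len(all_plaintexts_for_one_byte(b"\x42")))
```

The point for a password vault is the contrast: with a conventional cipher and a short master password, most wrong guesses decrypt to garbage that an attacker can discard instantly, whereas here every wrong key decrypts to something, and only at the price of a key as long as the vault itself.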

Comment Re:How many other flaws (Score 5, Informative) 173

Some facts about the U.S. justice system:

* The Reid technique is widely used for interrogations, a technique notorious for its effectiveness in enticing false confessions.
* Only 5 % of convicted felons had their case tried in court; the rest make a plea bargain (typically under threats of excessively long prison sentences and/or the death penalty).
* Judges are elected, subjecting them to the whims of public opinion and making them more politicians than impartial legal officials.
* At least 4 % of people sentenced to death in the U.S. are innocent.
* The U.S. incarcerates more people than any other country in the world, not just relative to the population size, but in absolute numbers.
* U.S. private prisons see $3+ billion in annual revenue... Not that that has anything to do with the above issues, I'm sure.

The U.S. justice system is broken in so many ways, I'm certainly forgetting some things.

Comment Re:My question about international data collection (Score 2) 200

ES said that if my gmail account was moved overseas on an international server, then the NSA could have a copy of my account even if there were no international sources/targets. Is that true or false?

That's true. While theoretically the NSA is not allowed to monitor communications between two American citizens, in practice, any communication leaving the country is simply assumed to involve a foreigner and is thus up for grabs. This "inadvertent" capture of American communications is in fact standard operating procedure:

The government has set a dismally low bar for concluding that a potential surveillance target is, in fact, a foreigner located abroad. By default, targets are assumed to be foreign. That's right, the procedures allow the NSA to presume that prospective targets are foreigners outside the United States absent specific information to the contrary—and to presume therefore that those individuals are fair game for warrantless surveillance.
