
Comment: Uh Batman is usually pretty gritty (Score 1) 143

by Chess_the_cat (#49174235) Attached to: Gritty 'Power Rangers' Short Is Not Fair Use

> ....when a studio like Warner Brothers produces their own gritty reboot of a character,

Batman is the story of a boy who witnessed his parents' murders and then decided to dress up like a bat in order to punish criminals. Other than the 60s live action TV show and the 80s Superfriends cartoon when wasn't Batman gritty? Have you read The Dark Knight Returns? Or The Killing Joke? Or the original Detective Comics stories? Even Burton had Batman kill at least a dozen henchmen in 1989. FFS Bats was blowing guys away with a pistol in 1939. Are you aware of the Batman mythos at all? Who submitted this? Oh.

Comment: Re:C++ important on Apple too (Score 1) 337

> You're dropping out of Obj-C for cross platform compatibility, because you're dealing with a low level Apple API, or because you want maximum speed for some part of the code. All these things are usually best served by C.

Cross-platform compatibility of C++ code is excellent these days, C++ can call low-level Apple APIs exactly as well as C, and there is no performance cost to C++ unless you choose it.

Unless you're concerned that you may need to target a platform not supported by a decent C++ compiler (which is really rare, given that gcc is basically everywhere), the only reason to choose C over C++ is personal preference or concern that some of the users of the code may not know C++.

Comment: Re:FDE on Android doesn't work as of yet (Score 2) 106

by swillden (#49173587) Attached to: Google Backs Off Default Encryption on New Android Lollipop Devices

>> The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.

> No, it doesn't. At least in Lollipop FDE-password is separate and you enter it at boot.

It's not separate. In stock Lollipop there is only one password, and it's used both for FDE and for screen unlock. Some customized ROMs (e.g. CM) have separated it, which allows you to choose a strong boot password and a more convenient unlock password. Stock Android didn't go that direction because too many users would set a strong boot password which they only use once every few weeks and therefore forget, losing all of their data.

Comment: Re:FDE on Android doesn't work as of yet (Score 3, Interesting) 106

by swillden (#49173227) Attached to: Google Backs Off Default Encryption on New Android Lollipop Devices

>> Had I jumped to the Nexus 6 at the same time, however, that may not have been an issue.

> As a recent Nexus 6 owner, I can confirm that encryption is enabled by default. I have not noticed any performance lag and the battery life has been really good. I will admit, I'm coming from an 'ancient' phone, so maybe that's why I think it's fast enough; way faster than my old phone.

As mentioned by Gaygirlie, a big factor is the AES-NI instruction in the ARMv8 instruction set supported by your Nexus 6. It dramatically reduces the performance and power hit of AES operations.

Comment: Re:FDE on Android doesn't work as of yet (Score 3, Informative) 106

by swillden (#49173199) Attached to: Google Backs Off Default Encryption on New Android Lollipop Devices

(I'm a member of the Android Security team who worked on bits of Lollipop FDE)

> The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.

This isn't completely true on Lollipop devices that have hardware-backed credential storage. (Well, it's not really "hardware-backed", but it's in a Trusted Execution Environment, typically ARM TrustZone.)

For Lollipop, a big change to FDE was the inclusion of a hardware-backed key in the key derivation function (KDF) for the FDE master key encryption key. This provides two benefits:

1) It means that a dump of the contents of your encrypted flash is useless without the device.

2) It means that brute force search of your PIN/pattern/password space is serialized and rate-limited by the performance of the device. In a way this means that faster devices are less secure, though we also apply a device-tuned scrypt function as part of the KDF, which compensates in the case of an attacker who tries to perform the entire attack on-device.

The best attack against Lollipop FDE, on a device with HW-backed credentials, is to dump the data from the device flash, then flash a custom OS which makes calls into the HW crypto to create an oracle, processing a stream of requests and returning the responses. Then you do a brute force attack with a mixture of on-device and off-device resources, computing the first scrypt function offline, then performing the on-device crypto operation, then taking the results of that and performing the second scrypt function offline, which you then use to try to decrypt the FDE master key, offline.

The fastest devices on the market today will perform the HW-backed crypto operation in about 50 ms. Assuming everything is pipelined properly, this is the brute force attempt rate: 20 attempts per second. With a four-digit PIN, this is negligible: the entire space can be searched in 8 minutes. However, a six-character alphanumeric password (random, all lowercase) would take 630 days, on average, to break. That's pretty reasonable security.

In theory. In practice it would take much longer than that. I tried running this test on a Nexus 9 and found the device kept throttling itself because it got too hot, plus even with a 2A charger it consumed more power than was being provided to it, so I had to stop when the battery died and wait for it to recharge.

Pre-Lollipop, and even on Lollipop devices that lack HW-backed crypto, you can conduct the entire attack off-line, parallelized, on however much hardware you care to throw at it. I can't make any promises about the future, but I will say that I, personally, really want to significantly improve Android FDE in the future. I have changes in mind that will make brute force essentially impossible, unless you can break into the Trusted Execution Environment.
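The following is an added illustration of the three-stage KDF chain swillden describes (scrypt, then a hardware-bound operation, then scrypt again) and of the attempt-rate arithmetic in the comment above; it is not code from the comment, from Android, or from the Android Security team. It assumes a keyed HMAC with a constructed device secret as the stand-in for the TEE operation, a toy XOR wrap of the master key instead of AES, constructed salt and key values, and a deliberately small scrypt cost so it runs in well under a second. The point it makes is the defensive one: a flash dump carries the salt and the wrapped master key, but without the device-held secret even the correct credential does not unwrap the key, so every guess has to go through the device.

```python
import hashlib
import hmac

# Constructed stand-ins. On a real Lollipop device the device secret stays inside
# the TEE; the salt and wrapped master key live in the crypto footer on flash.
DEVICE_SECRET = bytes(range(32))          # constructed; never leaves the "TEE"
FOOTER_SALT = b"constructed-salt"         # constructed; readable from a flash dump
SCRYPT_N = 2 ** 10                        # small for a quick demo; real KDFs use a much larger N


def scrypt_stage(data: bytes, salt: bytes) -> bytes:
    """One scrypt pass. In the attack described above this stage runs off-device."""
    return hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=8, p=1, dklen=32)


def hw_bound_op(data: bytes, device_secret: bytes) -> bytes:
    """Stand-in for the TEE keyed operation: a MAC under a secret that never leaves the device.
    Because the secret is unavailable off-device, this is the step that serializes guessing."""
    return hmac.new(device_secret, data, hashlib.sha256).digest()


def derive_kek(credential: str, salt: bytes, device_secret: bytes) -> bytes:
    """scrypt -> hardware-bound op -> scrypt, mirroring the chain in the comment."""
    stage1 = scrypt_stage(credential.encode("utf-8"), salt)
    bound = hw_bound_op(stage1, device_secret)
    return scrypt_stage(bound, salt)


def wrap_master_key(master_key: bytes, kek: bytes) -> bytes:
    """Toy key wrap by XOR (real devices use AES; XOR keeps this stdlib-only and is self-inverse)."""
    assert len(master_key) == len(kek)
    return bytes(m ^ k for m, k in zip(master_key, kek))


unwrap_master_key = wrap_master_key  # XOR is its own inverse


def unlock(credential: str, salt: bytes, device_secret: bytes, wrapped: bytes) -> bytes:
    """Recover the FDE master key from the user credential plus device-held secret."""
    return unwrap_master_key(wrapped, derive_kek(credential, salt, device_secret))


def expected_search_seconds(keyspace: int, attempts_per_second: float) -> float:
    """Average time to hit a uniformly random credential: half the space at the given rate."""
    return keyspace / 2 / attempts_per_second


def full_search_seconds(keyspace: int, attempts_per_second: float) -> float:
    """Time to exhaust the whole credential space at the given rate."""
    return keyspace / attempts_per_second


def demo() -> tuple[bool, bool]:
    """Returns (unlock works on-device, unlock works from a flash dump alone)."""
    master_key = hashlib.sha256(b"constructed master key").digest()   # constructed
    credential = "1234"                                               # constructed PIN
    wrapped = wrap_master_key(master_key, derive_kek(credential, FOOTER_SALT, DEVICE_SECRET))

    on_device = unlock(credential, FOOTER_SALT, DEVICE_SECRET, wrapped)
    # Flash-dump-only view: salt, wrapped key and (here) even the right PIN are known,
    # but the device secret is not, so the derived KEK is wrong and the unwrap fails.
    off_device = unlock(credential, FOOTER_SALT, bytes(32), wrapped)
    return on_device == master_key, off_device == master_key


if __name__ == "__main__":
    print("on-device unlock, flash-dump-only unlock:", demo())
    rate = 20  # attempts/s at ~50 ms per hardware-bound operation, as in the comment
    print("4-digit PIN, full space: %.1f min" % (full_search_seconds(10 ** 4, rate) / 60))
    print("6 lowercase alphanumerics, average: %.0f days"
          % (expected_search_seconds(36 ** 6, rate) / 86400))
```

Run as written, the rate arithmetic reproduces the comment's figures (about 8 minutes for the full four-digit PIN space and about 630 days on average for six random lowercase alphanumerics at 20 attempts per second), and `demo()` shows why the flash dump is useless without the device.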

Comment: Re:By facts, not links? (Score 1) 369

by swillden (#49172891) Attached to: Google Wants To Rank Websites Based On Facts Not Links

Bah. Outright falsehood-pushing "journalism" is as old as journalism, and the online version of it as old as online journalism. Wikipedia has been abused as long as it has existed, and the Woozle Effect is also nothing new -- indeed the name and awareness of the phenomenon predates the existence of ARPANET, much less the Internet.

Comment: Re:By facts, not links? (Score 1) 369

by swillden (#49163233) Attached to: Google Wants To Rank Websites Based On Facts Not Links

>> it was shown that Wikipedia is on par with dead tree encyclopedias

> The linked article above is from 2005. A LOT has changed in a decade.

What has changed that's relevant? The existence of mobile devices? Bah.

>> What makes it more true now than it was then?

> Thanks to the wonders of modern technology and the rise of political correctness fanatics

Political correctness is new since 2005? Ummm, let me guess, you're under 30, aren't you?

> You have groups openly state on Wikipedia that it's their goal to push their viewpoints on articles.

Which was also true before 2005.

> Clickbait sites written by people close to these groups get turned into sources.

Also true before 2005.

I'll stop here, but nothing you mention was any different previously.

Comment: Re:Search Neutrality? (Score 1) 369

by mc6809e (#49161941) Attached to: Google Wants To Rank Websites Based On Facts Not Links

He doesn't mean that there's a barrier to entering the search engine business. He means Google itself, having so much power, is a gate-keeper, deciding through their search results what sites deserve to be found quickly by average users and which sites do not.

Google does discriminate. It must. There's only a finite amount of screen space on a user's device or display so a decision must be made to prioritize certain sites over others.

Some sites even pay for that prioritization.

Comment: Re:By facts, not links? (Score 1) 369

by swillden (#49161921) Attached to: Google Wants To Rank Websites Based On Facts Not Links

> It had come a long way, then it started being manipulated by ideology pushing extremists that have become very adept at abusing the hell out of labyrinthine policies to the point that even when the author of a news article flat out says "They're lying, I never said that at all" it's the author that gets punished.

This exact same complaint was common before it was shown that Wikipedia is on par with dead tree encyclopedias. What makes it more true now than it was then?

Comment: Re:And no one cares (Score 1) 184

by swillden (#49161885) Attached to: Google Taking Over New TLDs

> Yes, but it's not progress if it destroys the more technical constructs that allow more knowledgeable people to be more productive. Replacing whole interfaces with a search box does just that.

Does it? I don't think so. The omnibox makes me more productive, not less. The difference is tiny, granted, but it's non-zero.

Comment: Re:military weather? (Score 2) 251

by gtall (#49160763) Attached to: 20-Year-Old Military Weather Satellite Explodes In Orbit

Well, I know this sounds weird, but during a conflict the U.S. Military and Russia's and China's are not going to be relying on commercial weather satellites. Something about them possibly being pwned by the enemy. Militaries worry about these sorts of things, clearly you have never been in one.

In case of injury notify your superior immediately. He'll kiss it and make it better.
