Forgot your password?

Comment: Re:what environments allow USB boot? (Score 2) 132

by Noryungi (#47508613) Attached to: Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS

Anything that has a USB port, really.

Essentially, anything that is run by NGOs or individuals.

Sure, in a corporate or governmental/military environment, USB ports are usually a big ''no no'' but some of use like them USB gadgets.

(Yes, before anyone ask, there has been infiltration through contaminated USB drives and keys ''abandoned'' in strategic locations...)

Comment: Re:Shocked I am! Shocked! (Score 1) 151

by Noryungi (#47471239) Attached to: LibreSSL PRNG Vulnerability Patched

I've spent the past 5 years of my life fully employed in the design, creation, testing, and deployment of secure RNGs.

Citation needed. Seriously, this is /. where everyone is a world-class programmer (except me, of course).

The world is full of bad PRNGs, NRNGs, CSPRNGs, DRBGs, TRNGs and any other form of RNG.

I will grant you that one.

LibreSSL doesn't have a leg to stand on. A good secure RNG will return unpredictable output.

Bzzzzt! Sorry, you lose. As I have already said, this is not a LibreSSL problem - it's a Linux PRNG problem. Unless I am mistaken, the same issue is non-existent under OpenBSD, because it's PRNG is different from Linux, better seeded and because PIDs are randomized under that OS.

We know how to do these things. It isn't trivial, but it isn't hard either.

You contradict yourself: if programming PRNGs is, let's say, a medium difficulty task (neither trivial nor too hard), how come you have spent years designing and programnming PRNGs (your words, not mine) and how come the world is full of bad bad bad PRNGs? Surely, by now, everyone would have agreed on a reasonable implementation?

The truth is, PRNGs are HARD to program, because computers are not good at generating truly random numbers. Period. The best implementations all rely on some form of hardware generator. But don't take my word for it, go ahead and read this instead.

Allowing someone to extract predictable behavior from the service end of a security library is a gross failure and an exposition of incompetence.

As opposed to the magnificent job OpenSSL has done all these years, with information leakage, bug reports that went uncorrected for years and accumulated cruft for such modern OS as VMS, DOS and Windows 3.1?

I think you need to tone down the hysteria a notch right here.

Comment: Re:'Vulnerability" is rubbish. (Score 1) 151

by Noryungi (#47471091) Attached to: LibreSSL PRNG Vulnerability Patched

Incorrect. If your PRNG is garbage, all crypto is also garbage.

A car analogy - if I know where and when you started driving I can make fairly accurate guesses of your location without having to rely on GPS tracking.

That is absolutely right, but I will note right away that this is a problem specific to the Linux PRNG - OpenBSD does not have this vulnerability (also, because PIDs are randomized under OpenBSD)...

Comment: Re:Donate (Score 5, Insightful) 101

by Noryungi (#47435445) Attached to: First Release of LibreSSL Portable Is Available

Oh boy, there is so much wrong here... Where to start?

First of all, OpenSSL problems are not ''getting fixed''. Part of the problem is that funding for OpenSSL was primarily based on company XYZ sponsoring function ABC. This gave incentives to the OpenSSL devs to add more functionalities on top of the cruft, the horrible mess that was the code base. More funding equals more developpers equals more eyeballs, but we haven't seen the progress so far.

Second of all, OpenBSD has given a HUGE amount of (BSD licensed) code to the rest of the world, Linux included. Try typing "ssh -V" on any Linux machine and I can guarantee you will get OpenSSH. And if you are like me, this is something you use EVERY. FREAKING. DAY. So please stop the trolling about OpenBSD, mmmmkay?

Third, the amount of code that has been cleaned up, improved, deleted and just plain scrubbed is simply amazing. You can say whatever you want about OpenBSD cranky devs, they know their stuff and they know their way around C code.

Fourth, OpenSSL is BSD/Apache licensed, and not GPL, so stop spouting off about supporting GPL software - not everything has to be blessed by Stallmann to be acceptable. And, yes, the Linux Foundation recognizes this - while you don't.

Comment: Re:Happy to let someone else test it (Score 5, Informative) 101

by Noryungi (#47434503) Attached to: First Release of LibreSSL Portable Is Available

There is not just ''cruft'' in the code base: if I remember correctly, they removed thousands upon thousands of lines of code from OpenSSL - think VMS, Borland C, Windows 3.x, MS Visual C++ (etc) support.

And they tested the whole thing on the OpenBSD ports - so far, nothing has been broken.

Oh and FIPS support? Not gonna happen. Bob Beck has been very very clear on that subject. OpenBSD does not care too much about US government standard.

Comment: Buddhist meditation... (Score 4, Interesting) 333

... And just about any form of meditation revolves about emptying your mind, focusing on your breathing and discarding thoughts (after examination) rather than dwell on them.

I just read this study as an example of how people are completely disconnected from their own inner life and addicted to constant stimulation. Seriously, an electric shock instead of enjoying a little bit of peace and quiet and a chance to gather yourself? What kind of total lack of self-control is that?

Comment: Re:Know your history (Score 2) 361

There's no Berlin Wall in America.

... Yet. They are working on it, thank you very much. See here. Or here.

I think you didn't get the memo on the whole Berlin Wall metaphor.

Your poor attempt at sarcasm betrays (a) an overly sensitivity to criticism of your country, and (b) a complete misunderstanding of the issue at hand. There is no Berlin Wall because there is no escaping the NSA. They are spying on the entire world. You can move to Mexico - that makes you a suspect. You can move to Canada - that makes you a suspect. If you even talk to someone who may know someone who may have been in contact with a suspect, you will be caught in the dragnet.

Everyone is fair game, everyone is a potential target. Everyone will be spied on, because terrorists! 9/11! Dirty bomb! Mushroom clouds! They hate our freedom!

I suspect YOU did not get THAT memo. Or maybe you are of the "I did not do anything wrong - so I have nothing to hide and nothing to fear from Big Brother" persuasion? Hmmm?

By the way, why are you reading Slashdot, citizen? Do you have your permit for that? And why talk to this terrorist suspect or that one?

The rest of your comment are more of the same drivel, so I will not even dignify it with a response.

To understand a program you must become both the machine and the program.