Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror

Comment Re:Unsafe practices still unsafe (Score 1) 94

To create a "brain wallet", you start with a low entropy string, so low that you can remember it in your brain, and then you do stuff to it to expand it out to the key length.

To be fair, it is possible to create a "brain wallet" with enough entropy to remain secure from this sort of attack. Such wallets will have randomly generated passphrases with at least 128 bits of entropy (generally 12-24 words selected uniformly from a standardized 2000-word dictionary, yielding about 11 bits per word). A 24-word passphrase of this sort is equivalent in entropy to a standard 256-bit Bitcoin private key, and within the memorization capacity of most humans.

The problem is "brain wallets" generated from low-entropy passwords, especially ones supplied by the user. Offline attacks against low-entropy passwords are, naturally, trivial to implement with modern computing capabilities.

Comment Re:that's what I just said, it depends on if arg o (Score 1) 151

You're moving the goalposts. What you said was:

So on Linux, -AB can have two different meanings. -A -B has only one meaning, it's always two switches.

"-A -B" is two switches only if "-A" does not have a required argument, otherwise it's one switch. It is not true that "-A -B" is always two switches.

If you're not sure whether a switch takes an optional argument, then the "-AB" and "-A -B" forms have the minor advantage of being unambiguous given that the switch either can take an argument or can be used without one, respectively. However, a better solution would be to consult the --help text or manual page and remove the uncertainty.

Comment Re:not on Linux (glibc getopt) (Score 1) 151

I believe you'll find that the standard behavior under Linux is the opposite of what you claim:

[~]$ ssh -o -Y test@example.com
command-line: line 0: Bad configuration option: -y

The `getopts` command in Bash works the same way:

[~]$ set -- -A -B
[~]$ getopts "A:B" opt; echo $opt; echo $OPTARG;
A
-B

As does `ls`:

[tmp]$ touch -- -t plain
[tmp]$ ls
-t plain
[tmp]$ ls -t
-t plain
[tmp]$ ls -I-t
plain
[tmp]$ ls -I -t
plain

(Tested in Debian Linux. The -I (--ignore) option to `ls` specifies a glob pattern to skip in the output.)

Even the test program in the getopt(3) manual page you linked to processes "-t -n" as a single option "-t" with argument "-n". The documentation simply states that "optstring is a string containing the legitimate option characters. If such a character is followed by a colon, the option requires an argument, so getopt() places a pointer to the following text in the same argv-element, or the text of the following argv-element, in optarg." There is nothing to indicate that following argv-elements starting with a dash are treated differently.

Options with optional arguments (like Perl's "-i" option) are not allowed to be split, so in this case "-A -B" would indeed be treated as two separate options. However, this would cause "-A B" to be processed as an argumentless "-A" and a separate positional argument "B" (equivalent to "B -A"), and not as a substitute for "-AB".

Comment Re:Seriously?? (Score 1) 151

I routinely use X forwarding on a 10 megabit LAN without any problems. More likely a poorly written application is to blame.

The problem is that an X application which is written correctly for local display (for example, taking advantage of hardware acceleration) is "poorly written" for running with a non-local X server, and vice-versa. To handle both cases well you have to implement two different UIs, which shows that X's much-vaunted "network transparency" isn't actually transparent at all.

Comment Re:Seriously?? (Score 1) 151

What people want is ssh -X and yes it is a top priority to many.

That, plus the ability to reconnect to the same session (Ã la screen), ...

In other words, what people really want is the functionality provided by xpra. The thing is, xpra would actually be easier to implement as a Wayland compositor than the current hack based on Xdummy or Xvfb.

Comment Re:It's 2016 and I can't even easily run Wayland y (Score 1) 151

For example there used to be a keystroke for killing grabs. They removed it claiming it was "unnecessary" because you only need it if there's a bug in an application.

They removed it because it was a security problem, not because it was "unnecessary". You could use it to bypass lock screens, which are implemented in part through screen grabs.

The AllowDeactivateGrabs and AllowClosedownGrabs options are available in xorg.conf if you want to restore the original insecure behavior.

Comment Re:You can't be fucking serious. (Score 1) 667

However, that 1 dollar a week thing... isn't it exactly what people here and elsewhere asked for? Like, for so long?

Close, but not quite. Quantity is relevant here. What people were asking for was the ability to pay the amount that the site would have received for the advertising in exchange for ad-free access, not 50 times that amount. It's doubtful that Wired even gets $1/year in advertising revenues from an average non-ad-blocking visitor, never mind $1/week. Paying $52/year just for access to a handful of Wired articles would be unreasonable for all but the most devoted readers.

Comment Re:$52/yr is a lot for a subscription (Score 1) 667

Would you be ok with a company monitoring your browsing habits like that? Such that they know if you bought something already.

The problem is that they're tracking you too closely already. If they just showed the same selection of ads to every visitor then the odds of repeatedly seeing ads for something you already bought wouldn't be very high. Instead, they track you just enough to know that you were interested in the product at one time, without also noting that you already purchased the item and thus are no longer in the market. Rather than adding more tracking, the issue could be resolved by doing less, or at least allowing the obsolete tracking data to expire from the ad profile after a reasonable time (days, not months).

Slashdot Top Deals

How come everyone's going so slow if it's called rush hour?

Working...