
Comment: Re:danger vs taste (Score 1) 630

by OdinOdin_ (#49565401) Attached to: Pepsi To Stop Using Aspartame
You are still not getting it. The scientific claims can only be made for the substance used in the experiment. Since you have not verified the mechanism of action, you cannot be sure it is a blanket claim about anything that tastes sweet.

Since the claim is so interesting, can you cite any other experiments over the past 8 years (since the paper's date) to confirm the mechanism of action? Surely someone would have tried it with many other sweet-tasting substances since then?

Taste buds may know more than you think (literally). As in, your brain's ability to detect sweet and sour in conscious thought is one thing, but the taste buds might be able to detect a lot more than your conscious thought is capable of discerning.

It is also very difficult to have a substance interact with taste buds and then remove 100% of the substance. One way may be to evaporate it off the tongue with a blow torch? But still there may be particles that won't evaporate, so how do you remove those?

Comment: Re:Former Google Engineer - my internal perspectiv (Score 1) 265

by OdinOdin_ (#48230565) Attached to: Ask Slashdot: Why Can't Google Block Spam In Gmail?
You don't have to present a certificate to the server?

You can initiate SSL/TLS whereby the only party presenting a certificate is the server, to the client.

Do you think that all HTTPS clients present a certificate to the HTTPS server? This is not how HTTPS usually works; only rare systems that use client-side SSL certificates for authentication do it. But your standard credit card transaction or login portal does not present any certificate to the server.

With STARTTLS sending you start unencrypted, enable TLS via the STARTTLS command, then perform some kind of authentication inside the secure TLS channel (this can be plaintext authentication inside TLS). Now you proceed to use SMTP, having both set up a secure channel and authenticated.
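The sequence described in this comment (plaintext EHLO, STARTTLS, a fresh EHLO, then AUTH PLAIN only inside TLS, with the server as the only party presenting a certificate), as an added example that is not part of the original post. The server replies and the hostname mail.example.test are constructed; the client never calls load_cert_chain(), which is what would make it present a certificate of its own.

```python
import base64
import ssl


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    The first line carries the server's greeting; every following
    "250-KEYWORD params" / "250 KEYWORD params" line names an extension.
    """
    extensions = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def client_tls_context() -> ssl.SSLContext:
    """Client-side context: verifies the server's certificate and hostname but
    presents no certificate of its own. Only an explicit load_cert_chain() call
    would turn this into a client-authenticated connection."""
    return ssl.create_default_context()


def auth_plain_line(user: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): base64 of NUL user NUL password; only safe inside TLS."""
    token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    return f"AUTH PLAIN {token}"


class SubmissionClient:
    """Tracks the STARTTLS state machine for a submitting client and refuses to
    send credentials before the channel is encrypted."""

    def __init__(self) -> None:
        self.tls_active = False
        self.extensions = {}

    def ehlo(self, reply: str) -> None:
        self.extensions = parse_ehlo(reply)

    def starttls(self, reply: str) -> None:
        # A server (or an on-path box) that withholds STARTTLS must not quietly
        # leave us in a plaintext session.
        if "STARTTLS" not in self.extensions:
            raise RuntimeError("server did not advertise STARTTLS; not continuing in plaintext")
        if not reply.startswith("220"):
            raise RuntimeError(f"STARTTLS refused: {reply!r}")
        # A real client would now call
        #   client_tls_context().wrap_socket(sock, server_hostname=host)
        # so that only the server's certificate is checked.
        self.tls_active = True
        # RFC 3207: forget everything learned before TLS and send EHLO again.
        self.extensions = {}

    def authenticate(self, user: str, password: str, ehlo_reply_inside_tls: str) -> str:
        if not self.tls_active:
            raise RuntimeError("refusing AUTH PLAIN on an unencrypted connection")
        self.ehlo(ehlo_reply_inside_tls)
        if "PLAIN" not in self.extensions.get("AUTH", "").split():
            raise RuntimeError("server does not offer AUTH PLAIN inside TLS")
        return auth_plain_line(user, password)


# Constructed server replies in the shape a submission server sends them (hostname is made up).
EHLO_BEFORE_TLS = "250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250 STARTTLS"
EHLO_INSIDE_TLS = "250-mail.example.test Hello\r\n250-SIZE 35882577\r\n250 AUTH PLAIN LOGIN"


def demo() -> str:
    """Run the whole sequence: plaintext EHLO, STARTTLS, EHLO again, AUTH PLAIN."""
    client = SubmissionClient()
    client.ehlo(EHLO_BEFORE_TLS)
    client.starttls("220 2.0.0 Ready to start TLS")
    return client.authenticate("alice", "s3cret", EHLO_INSIDE_TLS)


if __name__ == "__main__":
    print(demo())
```

The two refusals in SubmissionClient are the checks worth keeping in a real client: a missing STARTTLS capability is treated as an error rather than a reason to continue in the clear, and AUTH PLAIN is never emitted until tls_active is set.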

Comment: Re:That's the WRONG way to do it (Score 1) 265

by OdinOdin_ (#48230433) Attached to: Ask Slashdot: Why Can't Google Block Spam In Gmail?
Yes you are correct.

The problem is simple to fix: make it cost them CPU computation time.
Implement an SMTP Client <> SMTP Server cookie system, whereby an ad hoc association can be established between two systems, so that the client can present an arbitrary token to help build trust and reputation around it (or simply use the IP address or SSL certificate hash).
Next define a mathematical problem that is cheap (in CPU cost) to set up and verify, but hard for the SMTP client to compute, forcing it to brute force the problem (thus making the client pay the greater CPU cost). This needs to scale both linearly and exponentially.
Allow the server to define the problem to solve and the scale of the challenge; thus more trusted clients have a cheap problem, brand new clients get hit with a harder CPU problem.
Build it all into the SMTP protocol.
Now the server is in complete control of the cost a particular client must pay to send the message; the client can decide to accept the cost or bounce the message.

Now sending from an ADSL link, from a foreign country or from a well known virtual host provider can all be scaled accordingly until the point SPAM becomes too expensive to rent enough server capacity.
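A hashcash-style version of the challenge scheme proposed in this comment, as an added example that is not part of the original post. The server picks a difficulty from the client's reputation and verifies with a single SHA-256 per solution; the client brute forces a counter. Difficulty in leading zero bits gives the exponential scale (each extra bit doubles expected work) and asking for several independent solutions gives the linear scale. Field names (nonce, bits, solutions), the reputation-to-bits mapping and the addresses are all assumptions of this example.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest; this is all the verifier has to count."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def make_challenge(reputation: int, base_bits: int = 20, min_bits: int = 4, solutions: int = 1) -> dict:
    """Server side. Every extra bit doubles the expected client work (exponential
    scale); asking for several independent solutions multiplies it (linear scale).
    Reputation points earned by a client buy difficulty bits back, down to min_bits."""
    return {
        "nonce": secrets.token_hex(16),
        "bits": max(min_bits, base_bits - reputation),
        "solutions": solutions,
    }


def _digest(challenge: dict, sender: str, recipient: str, counter: int) -> bytes:
    # Sender and recipient are bound into the hash so a solution cannot be
    # recycled for a different message or a different destination.
    material = f"{challenge['nonce']}|{sender}|{recipient}|{counter}".encode()
    return hashlib.sha256(material).digest()


def verify_one(challenge: dict, sender: str, recipient: str, counter: int) -> bool:
    return leading_zero_bits(_digest(challenge, sender, recipient, counter)) >= challenge["bits"]


def verify_all(challenge: dict, sender: str, recipient: str, counters: list) -> bool:
    """Server side: one SHA-256 per required solution, whatever the difficulty."""
    if len(counters) != challenge["solutions"] or len(set(counters)) != len(counters):
        return False
    return all(verify_one(challenge, sender, recipient, c) for c in counters)


def solve_all(challenge: dict, sender: str, recipient: str, budget: int = None) -> list:
    """Client side: brute force counters until enough distinct solutions are found.
    A budget lets the client give up (bounce) when the server's price is too high."""
    found, counter = [], 0
    while len(found) < challenge["solutions"]:
        if budget is not None and counter >= budget:
            raise RuntimeError("challenge exceeds cost budget; bounce the message")
        if verify_one(challenge, sender, recipient, counter):
            found.append(counter)
        counter += 1
    return found


if __name__ == "__main__":
    # Constructed addresses; a newcomer pays 2^16 expected hashes, a trusted client 2^4.
    newcomer = make_challenge(reputation=0, base_bits=16)
    trusted = make_challenge(reputation=12, base_bits=16)
    for label, ch in (("newcomer", newcomer), ("trusted", trusted)):
        counters = solve_all(ch, "sender@example.test", "rcpt@example.test")
        ok = verify_all(ch, "sender@example.test", "rcpt@example.test", counters)
        print(f"{label}: {ch['bits']} bits, highest counter tried {max(counters)}, verified={ok}")
```

The asymmetry is the whole point: verify_all costs the server a handful of hashes regardless of how many bits it demanded, while the sender's cost grows with the server's opinion of it. Binding sender and recipient into the digest is the check that stops one paid-for solution being replayed across a mailing list.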

Comment: Re:funny that.... (Score 1) 178

by OdinOdin_ (#48119135) Attached to: Ebola Vaccine Trials Forcing Tough Choices
Yes, there are always vaccines for everything "in development"; this is called research.

The opportunity of making a news story at just the moment someone in the US was confirmed as having the strain is more a marketing ploy to ensure the company with the goods is getting attention and their phone ringing. Better to have your phone ringing offering you government money than your competitor's phone ringing because some government official happens to know someone in that industry.

Is the vaccine production ready for the general population, hell no!

Did I tell you I have a perpetual energy machine that is "in development"?

Comment: Re:Color Me Surprised (Score 1) 335

by OdinOdin_ (#48119047) Attached to: US Says It Can Hack Foreign Servers Without Warrants
> It takes year, my friend.

Did you see "Attack of the Clones" ... at some point in the future these MakerBot replicator kits will be capable of building domestic drones carrying payloads, it's just a matter of time.

No need to persuade many people of your tyrannical viewpoint over many generations to build that army.

Comment: Re:Technological solution (Score 2) 382

by OdinOdin_ (#47175821) Attached to: High Frequency Trading and Finance's Race To Irrelevance
Heh, because the stock they sell immediately is one of the other 999,999 stocks they hold in the same entity. Those stocks already had their 1 minute minimum holding period expire a long time ago.

This is also why it is funny when people say that pension funds hold their stock for a long term view.

But what can happen is the two pension funds collude to exchange assets with each other (zero sum game) over a period of time, so the fee levied for any transfers can be taken by all the snouts in the transaction cost trough. Yes, if you stand back and look at the week to week they look like they are holding their positions for the long game, but actually they found a way to extract additional profits to pay pension pot "fund managers" their bonuses.

Comment: Re:Encryption (Score 1) 220

by OdinOdin_ (#47175685) Attached to: PHK: HTTP 2.0 Should Be Scrapped
Because the point of the compression is to compress the Content Body Payload transparently (and potentially the HTTP header names and keywords) at the TLS streaming level.

It only makes compression useless for the "Cookie" header which is exactly what is needed to defeat CRIME.
All security-sensitive data like this should be able to be trivially fuzzed. Maybe a better scheme would be to implement:

Fuzz-XOR-Key: 0123456789abcdefxyz/+===
Fuzz-Cookie: $version=1; $foobar="123"; $random-nonce-1="192jsk232"; SESSIONID="0123456789secretXOREDresultHER"; $random-nonce-99="982kmn323"; $fuzzed="SESSIONID";

NOTE: It's been a while since I looked at a Cookie header directly; there are probably some major syntax mistakes in the above example.

Now you can extend it to any other kind of header using a common key and transformation technique, by prefixing headers with Fuzz-* and writing an RFC/IETF document on how the key is applied to which parts and when of the header value data.

Your suggestion of disabling compression in SSL/TLS support is already implemented.

Comment: Re:Annoying. (Score 5, Informative) 347

Very similar to how it works in the UK.

A business called "BT Wholesale / aka OpenReach" operates as a corporate entity in its own right, that the government regulates. They more or less have a last mile monopoly over the old British Telecom (which used to be the incumbent single telephone operator that was originally a public entity). So this was made private maybe 20 years ago but with certain caveats.

Such as a uniform pricing policy to all other telecom operators wishing to buy their wholesale services. Think like FRAND, as opposed to scheming and back office deals to maintain pricing.

Such as not offering the full package, i.e. only offering wholesale services. A regular home or business consumer never buys directly anything from the wholesale division. The end customer buys from the many (more than 500 in our little island) brand names, who in turn pay the wholesale rental fees out of your subscription.

Such as allowing politicians to have influence (through regulation) over certain aspects of governance. This is a good thing when there is a last mile monopoly, there is at least some kind of elected accountability. Especially when the government paid for the original construction of the network.

There is of course a parallel cable network now, that also has its own independent last mile. So in almost all urban/suburban locations another option exists, but BT's copper POTS network has a much higher coverage.

There also exists some areas (such as Kingston and Hull) which ended up with their own last mile services that operate their own telecoms independently.

Here in the UK now (with BT Wholesale) the whole country is getting more street side cabinets (to within 100 meters of every urban and suburban location) and fibre optics installed to those cabinets back to the local exchange site. The last 100 meters is still largely delivered over copper but at speeds around 80MBit/20Mbit, but I'm sure further speed increases will take place like ADSL/ADSL2/ADSL2+ in the future. This national roll out is over half way through and I'm sure within the next 3 years the original plan will be complete.

There are still issues with many rural locations being on dialup quality, hopefully as cellular like technology improves this could be utilized as back haul for rural locations. Rural in the UK might mean just being 8 miles out of town.

Comment: Re:Encryption (Score 1) 220

by OdinOdin_ (#47103437) Attached to: PHK: HTTP 2.0 Should Be Scrapped
What is the problem with the CRIME attack and header compression?

Just add an XOR string to the Cookie header, that is applied against the other data fields. This XOR itself can change each time a Cookie header is emitted. Now you have a non-repeating, pseudo random input for the compressor to work on. But the other party can apply a transform to the Cookie header to get back original data.

For good measure also add an additional Random-Nonce-Field-1="random-length-data" which is simply ignored and discarded by the other end. Now you can perturb the compressor in both directions, by applying a field that is completely useless to the attacker with the same data (allowing it to compress), but also a Random-Nonce-Field-2 which might be different for each header, like the XOR but completely useless and to-be-ignored data.

Now it is up to the researchers to use these tools (added to a Cookie spec change) to come up with the most CPU cost efficient way to utilize them to make CRIME and other such attacks not viable.

Or maybe I am missing something glaring here?
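The per-response XOR mask proposed in this comment and in the earlier "Re:Encryption" comment above (the Fuzz-XOR-Key / Fuzz-Cookie header pair), as an added example that is not part of either post. It implements the mask and its inverse, and a small regression check a defender can run against a header encoding: how far the compressed size moves between two values of a header the other side can influence. The header layout, the Referer carrier, the hostname example.test and the session id are all constructed for this example.

```python
import base64
import os
import zlib


def mask_cookie(cookie: bytes, key: bytes = b"") -> tuple:
    """Return the (Fuzz-XOR-Key, Fuzz-Cookie) header values: the cookie XORed with a
    key that is fresh for every response unless one is supplied (only useful for tests)."""
    if not key:
        key = os.urandom(len(cookie))
    if len(key) < len(cookie):
        raise ValueError("key must cover the whole cookie")
    masked = bytes(c ^ k for c, k in zip(cookie, key))
    return base64.b64encode(key).decode(), base64.b64encode(masked).decode()


def unmask_cookie(key_b64: str, masked_b64: str) -> bytes:
    """Receiving side: reverse the XOR to recover the original cookie bytes."""
    key = base64.b64decode(key_b64)
    masked = base64.b64decode(masked_b64)
    return bytes(c ^ k for c, k in zip(masked, key))


def render_headers(cookie: bytes, probe: bytes, masked: bool, key: bytes = b"") -> bytes:
    """The header block as the compressor sees it: the secret-bearing cookie next to one
    header whose value a third party can influence (here a query string in Referer)."""
    if masked:
        key_b64, masked_b64 = mask_cookie(cookie, key)
        cookie_part = f"Fuzz-XOR-Key: {key_b64}\r\nFuzz-Cookie: {masked_b64}\r\n".encode()
    else:
        cookie_part = b"Cookie: " + cookie + b"\r\n"
    return cookie_part + b"Referer: https://example.test/?q=" + probe + b"\r\n"


def compressed_len(headers: bytes) -> int:
    return len(zlib.compress(headers, 9))


def length_spread(cookie: bytes, probes: list, masked: bool, key: bytes = b"") -> int:
    """Regression check for an encoding: how much the compressed size moves across
    probe values. With a plain Cookie header, the probe that repeats the secret's
    prefix compresses better, and that size difference is the CRIME side channel."""
    sizes = [compressed_len(render_headers(cookie, p, masked, key)) for p in probes]
    return max(sizes) - min(sizes)


# Constructed sample data; the session id is made up.
SECRET_COOKIE = b"SESSIONID=0a1b2c3d4e5f60718293a4b5c6d7e8f9"
# One probe repeats the secret's prefix, the other does not.
PROBES = [b"SESSIONID=0a1b2c3d4e5f", b"SESSIONID=Qx9Lm2Zv7Hk3"]


def demo() -> dict:
    """Spread for the plain encoding versus the masked encoding with a fresh key per response."""
    return {
        "plain": length_spread(SECRET_COOKIE, PROBES, masked=False),
        "masked": length_spread(SECRET_COOKIE, PROBES, masked=True),
    }


if __name__ == "__main__":
    print(demo())
```

With the plain Cookie header the spread is positive and tracks whether the probe repeats the secret; with a fresh mask per response the cookie bytes no longer share any run with the probe, so whatever spread remains is mask noise rather than information about the secret. The check only covers one pair of probes, so treat it as a smoke test, not a proof. As the earlier comment on this page notes, the mitigation actually deployed was to disable compression over the sensitive data; the mask is the alternative the comment is proposing.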
