Forgot your password?
typodupeerror

Comment: Re:Thankfully those will be patched right in a jif (Score 1) 109

by TheRaven64 (#47564673) Attached to: Old Apache Code At Root of Android FakeID Mess
I can only assume that you rarely talk to non-geeks. I upgrade my phone roughly every 3 years and most of my non-geek friends have significantly older phones than me. Many of them get new phones only when a geeky relative upgrades and hands down their old device, so the least technical users end up with the least secure devices...

Comment: Re:Past due not reported by companies (Score 1) 384

by TheRaven64 (#47564645) Attached to: 35% of American Adults Have Debt 'In Collections'
Because you can make more money if you invest more capital. If you have a project that has a 10% annual ROI and have $1m in the bank, then you can double your money if you use that as collateral and borrow $10m to invest. This is a big part of the reason why money tends to concentrate in the hands of people who already have money.

Comment: Re:Oe noes! A compiler bug! (Score 2) 706

by TheRaven64 (#47549141) Attached to: Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken"

The reason that most extensions exist is that there is (or was) no way of implementing things that people want with standard C. Inline assembly is one example. All modern C compilers support it, but GCC and Microsoft's compilers use different syntax (most other compilers implement one or the other, sometimes both). Without it, you require that every time you want to use even a single instruction of platform-specific assembly code, you must write an entire function and call it.

Atomics were another big reason for extensions. Prior to C11, if you wanted atomic operations, you needed either assembly or non-standard compiler intrinsics. Efficient vector support is another one.

Comment: Re:Or upgrade to llvm ... (Score 2) 706

by TheRaven64 (#47549083) Attached to: Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken"
While that's technically true, the Ada and Fortran front ends are both using DragonEgg, which is a GCC plugin that converts GIMPLE to LLVM IR. It doesn't work well with GCC 4.7 or newer, produces poor debug info, and is now largely unmaintained. There is a Flang project to produce an LLVM front end for Fortran, but it's very immature. The Ada Labs guys were looking at producing an LLVM front end for Ada, but I don't know that they got anywhere with it.

Comment: Re:Or upgrade to llvm ... (Score 1) 706

by TheRaven64 (#47549053) Attached to: Linus Torvalds: "GCC 4.9.0 Seems To Be Terminally Broken"
Clang wasn't. Clang began in 2007, after Chris Lattner had moved to Apple. Before then, if you wanted to compile C code with LLVM, you had to use llvm-gcc, which was a horrible hack that took a forked version of GCC and translated one of the GCC IRs into LLVM IR before code generation.

Comment: Re:Laziness (Score 1) 143

The problem is worse on Android than on many other platforms because there are very few native shared libraries exposed to developer and there is no sensible mechanism for updating them all. If there's a vulnerability in a library that a load of developers use, then you need 100% of those developers to update the library and ship new versions of their apps to be secure. For most other systems, core libraries are part of a system update and so can be fixed centrally.

Comment: Re:Not surprised (Score 1) 143

I doubt Apple has such a patent. Both of these were features of Symbian at least since EKA2 (over 10 years ago) and, I think, earlier. Apple may have a patent on some particular way of exposing this functionality to the UI, but that's about the most that they could have without it being shot down in court in 10 seconds (prior art that's in the form of a phone OS that millions of people owned is hard to refute).

Comment: Re:umm duh? (Score 1) 176

by TheRaven64 (#47548225) Attached to: Dropbox Head Responds To Snowden Claims About Privacy
Everything you ask for exists. The reason that Google, Microsoft, and Dropbox don't use them is that their entire business model depends on differentiation. If you could connect to their services with any third-party client that also worked with a server that you set up yourself and with their competitors' services, then their hold on the market becomes very tenuous. You're searching for technical solutions to business problems.

Comment: Re:Advertised on YouTube? (Score 4, Interesting) 95

The 'you can skip in 5 seconds' ads amaze me. Presumably the people using them know that they have 5 valuable seconds that everyone can see, yet they uniformly squander them. I've almost never seen an ad that tells me anything interesting in the first 5 seconds, which isn't that surprising, but it's really surprising to me that most don't even tell me what the product is. Several that I've seen use the first 4 seconds to fade from black, then get 1 second of something incomprehensible before I hit skip.

Comment: Re:umm duh? (Score 1) 176

by TheRaven64 (#47544353) Attached to: Dropbox Head Responds To Snowden Claims About Privacy

Please correct me if I'm wrong because I may not have imagined this system properly. I was thinking the idea was that you encrypt each file with a single unique key, and then to use a public-key encryption scheme to encrypt that key. You can then send the encrypted file and the encrypted key to another user, knowing that it will need that users private key to decrypt.

Every time you upload a file, you generate a random symmetric key. You encrypt the file with this key and the key with your public key. If you want to download the file, you get the file and the encrypted key and then you decrypt the key with your private key and then decrypt the file. When you create the account, you upload your public key.

When you want to share a file with everyone, with no access control, you download the encrypted key, decrypt it, and provide it to the server. The server can then decrypt the file.

When you want to share a file with a limited set of users, you download each of their public keys (which you can cache in the client) and the encrypted symmetric key, decrypt the key, and then encrypt it once for each user. They will then only be able to access it with their client.

I'm not sure who you're 'we' as in 'internet community' is. We do have standards and off-the-shelf libraries for everything required to implement this and others have done so in the past (one of my colleagues during her PhD did back around 2006, to give one example, others have implemented more complex and flexible schemes more recently). Note that this is the simple textbook scheme for doing this kind of system. It's been implemented before and doubtless will be again. If you check the research literature then you'll find more interesting schemes.

The only problem is if you want to be able to access it from the browser, without some kind of plugin (Google actually does compile OpenSSL with Emscripten to do ASN.1 parsing, but I wouldn't recommend using it for encryption).

Comment: Re:umm duh? (Score 1) 176

by TheRaven64 (#47539311) Attached to: Dropbox Head Responds To Snowden Claims About Privacy

then you may as well just give the server the AES key and ask it to decrypt the file

But in that model, if "the server" has the key, wouldn't Dropbox have the key? I thought that was the whole thing people were freaking out about.

No, you'd have the key. If you wanted to share the file publicly, then there's no point in keeping it encrypted, so you'd provide the server with the key and it would decrypt, saving you the cost of downloading and reencrypting.

I understand what you (and the AC) are saying about storing an encrypted key on the server, and then re-encrypting the key for each new user you'd want to share with. That's a clever arrangement and I admit that I hadn't thought of it, but it still seems like it has the potential to create more complexity than most people want to deal with. It still means you need to manage various encryption keys, and we (Internet culture) seem intent on not developing a coherent system for managing encryption keys.

The client just needs one key, the RSA (or equivalent) public key. You'd need to copy this between devices, but it's relatively small (under 1KB). It's small enough to fit in a version 40 QR code quite easily, so you could set up mobile devices by displaying the QR code on your laptop screen and point the mobile device's camera at it, if you don't have any sensible way of transferring files between devices. The client then has to download the file and the associated key, decrypt the key with the locally-stored key, and then decrypt the file, but that's not something that's exposed to the user.

Comment: Re:umm duh? (Score 1) 176

by TheRaven64 (#47529479) Attached to: Dropbox Head Responds To Snowden Claims About Privacy
The anonymous poster pointed out a simpler mechanism, which is used in practice on file stores that want to be encrypted on the server. This technique also has a number of advantages. Using a symmetric cypher is generally faster than an asymmetric one and using a different key for each file is just good practice anyway as it limits the damage that certain kinds of trojan can do. If you're sharing with everyone, then you may as well just give the server the AES key and ask it to decrypt the file. If you're sharing with just a few people, then sending them a (fixed-size) key for each file is not too much overhead.

"Just think of a computer as hardware you can program." -- Nigel de la Tierre

Working...