Comment: There is a huge flaw to this.... (Score 1) 255

by TiggertheMad (#49350321) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess
This is an interesting approach, but I see one flaw: If this sort of technique becomes common, wouldn't an attacker just need to know what word list you 'rolled' your password on and then just brute force all the password combinations from that list?

Example, pretend that you had to pick a password for a new website that only allows all uppercase English characters, with no numbers or symbols allowed (just to keep the math simple). A normal ten character password gives an attacker 26^10 possibilities to try.

Let's say that your diceware-generated password picks 6 words from a list of 1000 words, and each word is 4 characters in length. If you skip white space, conventional wisdom would say that your password is 26^24 possibilities to guess via brute force.

But because this has become a common trend in password generation, or because the attacker is the NSA and has been watching what you read, they know you used this list. They don't bother to try all the combinations, just all the combinations of the words on this list. This gives them only 1000^4 possibilities to try. As it happens (yeah, my example is rigged), this is exactly 1 trillion possibilities, which if they were guessing at the rate suggested in TFA, would take them exactly one second to break via brute force.

Essentially, you are replacing individual characters with words to make a long password easier to recall. There is no reason why an attacker cannot do the same thing, mapping one 'alphabet' of symbols onto another.

Now, some people might point out that there are some things you can do to mix things up a bit and force an attacker to have to dig deeper, but my point is that this might actually make it much simpler for a smart/informed attacker to brute force a password.
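The counting argument in the comment above, worked as an added example that is not part of the original comment: it sizes the search space under the assumption that the attacker already knows the word list, using the comment's 1000-word list and the guess rate it implies (one trillion per second). The function names, the 7776-word size of the standard Diceware list and the sample words are assumptions added here.

```python
import math
import secrets

GUESSES_PER_SECOND = 10**12   # rate implied by the comment: 1 trillion guesses in 1 second
CENTURY_SECONDS = 100 * 365 * 24 * 3600

def keyspace(symbols: int, length: int) -> int:
    """Candidates to try when each of `length` positions is one of `symbols` choices.
    Works for characters (26 letters) and for words (list size) alike."""
    return symbols ** length

def entropy_bits(symbols: int, length: int) -> float:
    """Same quantity expressed in bits."""
    return length * math.log2(symbols)

def seconds_to_exhaust(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate

def min_words(list_size: int, target_seconds: int, rate: int = GUESSES_PER_SECOND) -> int:
    """Smallest word count whose full keyspace takes at least `target_seconds`
    to exhaust, assuming the word list itself is public."""
    words = 1
    while keyspace(list_size, words) < target_seconds * rate:
        words += 1
    return words

def generate(wordlist: list[str], words: int) -> str:
    """Pick words uniformly with a CSPRNG; the estimates above only hold
    when every word is chosen independently and uniformly."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    # The comment's figures: 10 uppercase letters, then a 1000-word list.
    print("26^10 chars :", seconds_to_exhaust(keyspace(26, 10)), "s")
    for n in (4, 6):
        print(f"1000^{n} words:", seconds_to_exhaust(keyspace(1000, n)), "s,",
              round(entropy_bits(1000, n), 1), "bits")
    # Words needed to hold out for a century with a known list.
    print("1000-word list:", min_words(1000, CENTURY_SECONDS), "words")
    print("7776-word list:", min_words(7776, CENTURY_SECONDS), "words")
    # Constructed sample list, far too small for real use.
    demo = ["TREE", "LAMP", "FROG", "WIND", "COAL", "MINT"]
    print(generate(demo, 6))
```
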

Comment: Stringbuilder? Perhaps..... (Score 2) 481

by TiggertheMad (#49337899) Attached to: No, It's Not Always Quicker To Do Things In Memory
Many people are suggesting using string builder, as an easy fix... If you think about this problem, that doesn't solve it as you approach infinite operations, it just pushes the cost crossover point way out (possibly beyond the limits of existing hardware, so it might be practically moot). Since they are doing silly comparisons like this, I would suggest just writing a linked list to store each byte as a counter example that will provide more of an apples to apples comparison. Adding an element to a linked list will have a fixed cost, just like appending a byte to disk will, so after infinite operations, you could demonstrate that memory operations are always going to be faster performing similar tasks when the IO time of memory is faster than disk IO.

Comment: Stupid is as stupid publishes.... (Score 5, Insightful) 481

by TiggertheMad (#49336817) Attached to: No, It's Not Always Quicker To Do Things In Memory
I just scanned the paper, because their claim seems to be idiotic. It looks like they are appending a single byte on the end of a string in memory and on disk. For the memory operation, this will result in a string copy since strings are immutable, vs. doing a one byte file append onto the disk. The former is increasingly expensive and the latter is a fixed cost, so after infinite operations, the disk cost becomes far less than the memory operation. If this is indeed their claim, and I am not missing something, then they should be collectively slapped for wasting our time by writing this paper. If this is really your use case, write some proper data structures to manage your data in a sane fashion.

So yes, if you do stupid things, you can make bad engineering decisions look like good ones.

Comment: the US 'probably' won't use a nuke first.... (Score 1, Interesting) 339

There's a big difference between uranium and a working hydrogen bomb. The US won't use nukes unless someone else detonates one first.

That isn't how it worked out for Hiroshima..... For all our talk about how we are morally 'better' because we are a 'democracy', remember we are the only country that has used a nuclear weapon on an enemy.

Also, this author probably doesn't have a security clearance, so pretty much all the sources of info he is going to have access to is going to be by definition declassified. Unless he was getting some of the engineers who work our current batch of nuclear weapons drunk and taking notes, it seems pretty unlikely that he has any privileged info. You can learn quite a bit about nuclear and thermonuclear devices if you know which physics papers to read. The physics for hydrogen bombs and stars are the same thing.

Comment: Idiot parent, hell half the world is below average (Score 4, Interesting) 569

1) When people are arrested, their friends, family, and neighbors routinely say "I can't believe he did that. He seemed like such a nice guy."

To be fair, when have you seen a news report where a friend or neighbor said, 'Yeah, he was a dangerous nut job that should have been locked up years ago. It's a shame that the SWAT team didn't just kill him and save the state the trial cost'?

Swatting is an activity that the 'Internet' seems to think that it can get away with, because it is a novelty. Once law enforcement accidentally kills a couple of young children by accident in a bumbled raid, you will get a couple of outraged senators who will make this a federal offense punishable with ten to twenty. The law is slow but it always catches up with society changes.

Comment: D4? w00000ooooooooo...... (Score 1) 148

by TiggertheMad (#49296819) Attached to: "Descent" Goes For a Crowdfunding Reboot (and a Linux Version)
That was one of the reasons why Descent 1 was such a breakthrough; even Doom 2 still required synchronized clients so if you had one of your 4 maximum players on a slow machine, the whole game would slow down. Descent allowed 16 players and they communicated in a non-synchronized fashion. A player on a bad connection did nothing to other players' performance.
I played the game for hundreds of hours, I never experienced motion sickness. Only one data point, sure, but people I have encountered that have this problem have it with all 3d shooters.

Comment: Censorship doesn't work (Score 1) 216

by TiggertheMad (#49286937) Attached to: France Will Block Web Sites That Promote Terrorism
It wouldn't work... most neo nazis would agree with his racist agenda. But you are correct, he pretty well outlined all the fucked up plans that he carried out in the 30s and 40s back when he was in jail in the 20s. It's hard to see how anyone didn't see what was coming.

Censorship, in general, never works very well, and often fans the flames. Just let them post whatever they want. Also, if I was a CIA/NSA type, I would want all the extremist groups posting freely and publicly thinking they were safe, so I could intercept all communication going to and from their servers....

Comment: A Language With No Rules... (Score 1) 667

by TiggertheMad (#49278333) Attached to: Why There Is No Such Thing as 'Proper English'

"How would a physics work if the rules of physics changed at the whim of the physicist?"

Isn't that what happens? Newton's laws are changed by Einstein? Higgs creates his boson on a whim, and other physicists follow along, and eventually find some data they say supports that whim? Aren't there other whims that could also account for the observations? Why select Higgs's? Popularity? Social pressure?

No, that isn't correct. When Einstein proposes a change to the observed laws of physics, there is an absolute truth to test it against. (Reality). The whim of the scientist is irrelevant, if it cannot be successfully tested it doesn't get added to the 'laws' of physics. You can explain something any fashion you want to, but it has to pass the test.

Comment: Damn good idea.... (Score 1) 564

by TiggertheMad (#49175919) Attached to: Why We Should Stop Hiding File-Name Extensions
Perhaps the solution is not to automatically display a file extension, but rather show the file/object that it will be launched with when clicked on. You don't see 'trip photo.png' but instead, 'trip photo (Photoshop)'. This makes naming files things like 'readme.txt.vbs' less useful of an attack vector.
