Forgot your password?
typodupeerror

Comment: Re:Why Cold Fusion (or something like it) Is Real (Score 1) 342

by WaffleMonster (#48192843) Attached to: The Physics of Why Cold Fusion Isn't Real

you should read what you link: Current techniques for creating large numbers of muons require large amounts of energy, larger than the amounts produced by the catalyzed nuclear fusion reactions.

What do you suppose the word "catalyzed" means in the context of muon catalyzed fusion?

Comment: Re:Popular US browsers will warm, Chinese ones won (Score 1) 86

by WaffleMonster (#48192655) Attached to: China Staging a Nationwide Attack On iCloud and Microsoft Accounts

The ones that use SMS dont prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.

I don't know why I'm stating the obvious... SMS is not a trustworthy communications channel especially when your adversary is your government.

2 factor auth is not supposed to prevent a MITM BTW.

Haha ha ha ha funniest thing I've heard all day.

A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.

This is why real systems cryptographically bind both factors.

Comment: Trolls poised to take over the world (Score 1) 473

by WaffleMonster (#48183183) Attached to: In UK, Internet Trolls Could Face Two Years In Jail

When you think about it most of the "mainstream" media is based on trolling. More subtle than "Your mom .... last night ... with ... and ... and ... " yet just the same they deliberately and persistently push the audiences buttons and willfully mislead to attract attention and ever larger audiences.

The online media is much more aggressive in this regard routinely offering structures granting massive audiences to random people visiting their site.. This is a bit like keeping a stack of 100's in an unlocked car in a Wallmart parking lot overnight and being surprised when it turns up missing the next day.

If trolling is an epidemic it only got that way because Trolls have been well fed in environments where the objective function is maximizing advertising profits to the detriment of decency and integrity.

While I can't bring myself to defend threats of injury or death as free speech... this is a worlds away from Malicious Communications Act's "indecent or grossly offensive or information which is false and known or believed to be false by the sender" insanity.

I find it breathtaking TFA would focus almost entirely on rape threats while largely remaining silent on the really insane aspects of this law.

Where is that sensational article titled "Telling a fib will get you two years in jail?" ...

Comment: Re:Wikipedia article deleted (Score 1) 98

by WaffleMonster (#48170967) Attached to: Python-LMDB In a High-Performance Environment

If Wikipedia was a person I would smack it upside the head for shit like this. There is absolutely no reason not to have an article on LMDB, and deleting a perfectly good article for no reason is evidence of a mental disorder. It's not like they have to spend an extra penny for a piece of paper to hold the article, possibly making the book too thick. Wake up.

Speaking only from personal experience
there seems to be a disconnect between what people actually derive value from and rules + perhaps original intent of Wikipedia.

We seem to be stuck in a situation where lack of enforcement itself is supporting quite a bit of value and interest in the site... A situation ripe for leverage by personal whims and selfish persuasion.

I don't think there are any easy answers yet the rampant deletions are particularly annoying and unhelpful to me as a user of Wikipedia.

Comment: Re:It's not that hard to do it right (Score 1) 53

by WaffleMonster (#48156219) Attached to: Drupal Fixes Highly Critical SQL Injection Flaw

Sealing against SQL injection isn't that hard. Don't ever write:

select * from table where id = $id

Does anyone have a better way to build up queries?

The forbidden example above looks to be the easiest and most readable of all the variants you have provided...

SQL context aware eval() routines with safe default marshaling assumptions are relatively trivial to write.

Much better to give people what they want rather than forcing them to use parameterized semantics where not ideal. If web platforms did this from the beginning CVE databases would be much lighter than they have become.

Comment: Re:Stuck between a rock and noplace (Score 1) 68

by WaffleMonster (#48149841) Attached to: Google Finds Vulnerability In SSL 3.0 Web Encryption

Disabling SSLv3 does nothing for future attacks; but the other measures we are putting in place will.

The problem is non standards complaint behavior of web browsers willfully subverting downgrade attack prevention features baked into SSL/TLS standards.

The downgrade SCSV will let a server detect a downgrade attack, or incorrect version fallback.

This requires both servers and clients to support it and associated propagation throughout the worlds server and client stacks to be at all effective. SCSV is not even an RFC.

Why leave people exposed in this manner? What good is TLS 1.2 deployment and fancy new AHEAD ciphers when any yahoo can come along and force affected browsers to TLS v1... What is the compatibility based reason for continuing this behavior when SSL v3 is being disabled in new browsers anyway? Please name names.

As with many things, there is a balance to be struck. Disabling SSLv3 a year ago would have affected a lot of sites, including major commerce and banking sites, and it's not always an easy fix with aging infrastructure and long supply chains for equipment.

What balance? What are the tradeoffs? Nobody seems to know. What is on the other side of the ledger to serve as a counterweight to allowing downgrade attacks to persist in 2014 and why does everyone need to bear that risk by DEFAULT?

Comment: Re:Stuck between a rock and noplace (Score 1) 68

by WaffleMonster (#48147375) Attached to: Google Finds Vulnerability In SSL 3.0 Web Encryption

The paper explains it.

Desperately looking for names and versions.

is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

Is this IOS? What versions?

Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

Comment: Re:Stuck between a rock and noplace (Score 1) 68

by WaffleMonster (#48147365) Attached to: Google Finds Vulnerability In SSL 3.0 Web Encryption

Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who knows I beg you to name names.

BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying

Please name names what browsers?

Comment: Re:Stuck between a rock and noplace (Score 2) 68

by WaffleMonster (#48147307) Attached to: Google Finds Vulnerability In SSL 3.0 Web Encryption

Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed sometime ago.

This does not make any sense. A mitigation that does not work is not worth anything.

Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0

What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?

Comment: Re:How legacy is legacy? (Score 2) 68

by WaffleMonster (#48146899) Attached to: Google Finds Vulnerability In SSL 3.0 Web Encryption

The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

When compatibility issues are raised always insist people name names too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.

Everyone saying "there are servers" or "there are clients" please name names and versions.

Comment: Re:Stuck between a rock and noplace (Score 1) 68

by WaffleMonster (#48146641) Attached to: Google Finds Vulnerability In SSL 3.0 Web Encryption

It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.

Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?

I love backwards compatibility but the cost to overwhelming majority of people who don't have old vulnerability ridden gear to manage via SSL is way too high in 2014.

Do not underestimate the value of print statements for debugging.

Working...