
Comment: Re:Really? (Score 1) 126

by WaffleMonster (#47946789) Attached to: Next Android To Enable Local Encryption By Default Too, Says Google

Since you're in the security team, could you comment on why Android requires you to set up some sort of lock security just in order to have a VPN configured (even if it's not in use)?

You know what makes even less sense than forcing people to use lock screens even if not saving VPN access credentials?

Having infrastructure with keychain and all of that in place and then not using it in browser and Android email client to secure stored credentials.

Even worse, the email client cannot be configured to prompt for passwords when checking/sending mail... you *have* to store your password.

Comment: Re:Encryption (Score 1) 126

by WaffleMonster (#47946685) Attached to: Next Android To Enable Local Encryption By Default Too, Says Google

But, please, what makes you think that Apple, or even Samsung, aren't doing exactly the same?

I assume they are.

Apple can install stuff on your device when it feels like it. In fact, you have even less control over an Apple devices and its whims.

What does Apple have to do with TFA? For the record, Apple's actions, ignoring the factual inaccuracies in your comments, are also inexcusable, as are Microsoft's...etc. It doesn't matter who's doing it.

So, your concern is really about modern devices, not anything to do with the meat of the story - encryption

Pointing out that encryption is meaningless when you don't have control over your own devices is relevant.

P.S. With Android, you can see the source, and build from clean source, without any Google services whatsoever if you want. People have done it for you. Almost every big-selling Android phone is supported. You can get root access and check everything you like. And then encryption really means something.

Great for the technically inclined, not so great for everyone else.

Comment: Encryption (Score 0) 126

by WaffleMonster (#47943247) Attached to: Next Android To Enable Local Encryption By Default Too, Says Google

Just so that I understand: Google Play can install shit on your device when it feels like it, Google reads all of your email, Google further nerfs an intentionally nerfed permissions system, and just about everything by volume in the app store is spyware designed to sell YOU to the highest bidder.

Relax, folks, your device is "encrypted" ...LOL..

Comment: But what does it do? (Score 1) 283

by WaffleMonster (#47943137) Attached to: Slashdot Asks: What's In Your Home Datacenter?

What does this "datacenter" in TFA actually do? From the YouTube videos they pointed to some servers with labels like "push email" ... the whole rack of SGIs? Spammers?!??

Another section of Apache/MySQL "cluster" and DNS servers with only a 60 Mbit link...

They have a list of websites hosted on the "datacenter" but this appears to be mostly run of the mill basic business fronts/web presence.

Notice the light patterns on the switch ports: all of the activity at the time of filming appears to be dominated by broadcast.

What does it all do?

Comment: Re:trust (Score 3, Insightful) 85

by WaffleMonster (#47924105) Attached to: Why Is It Taking So Long To Secure Internet Routing?

An untrusted central authority is better than no security.

Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.

Comment: Re:Yea no... (Score 1) 75

by WaffleMonster (#47859429) Attached to: Book Review: Architecting the Cloud

That's a *very* strong assertion. In fact, it seems like the sort of thing that the courts would stop, hard. It's essentially extortion. It's absolutely the sort of thing that would send customers screaming... and discouraging everyone around them. I find it hard to believe that any reputable cloud service provider would dare risk their business by doing something like that.

Lost track of the number of people who have called in with issues trying to extract data from various providers.

Either they claim they can't do it, the provider cuts them off and they are screwed, or the provider feels it necessary to charge a massive fee to extract the customer's data. Another fine twist is allowing access to data but not in a way it could practically be extracted.

Guessing some of these are cases of "you owe us money and we're leveraging whatever we can to force you to pay", yet some have specifically mentioned rate hikes and cumulative costs as the reason for the decision to bail.

You can parse this out till you're blue in the face and draw whatever lines and labels you think demarcate acceptable behavior from extortion.

Bottom line: if you don't insist on full and meaningful access to full datasets, you're essentially begging the provider to take advantage of you. Expecting they would not seek to maximally leverage their position is not a serious option.

Comment: Re: Not a chance (Score 1) 254

by WaffleMonster (#47859069) Attached to: UCLA, CIsco & More Launch Consortium To Replace TCP/IP

Ehmm. No. TCP is quite special in being byte-oriented. SCTP is message oriented.

By definition a stream is a stream is a stream. Being a stream means you are bound by the limits of what you are...a stream. It does not matter what protocol the stream is implemented over.

A TCP session is HOL'd no different than any individual stream within a given SCTP session.

The only difference is 1:1 correspondence between TCP session and data stream.
This is compared with 1:Many between SCTP session and multiple streams within.

While separate SCTP streams can not HOL each other, each individual stream is HOL'd.
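The point made in this comment (an ordered stream stalls on a lost segment no matter what carries it, while independent streams only stall themselves) can be seen directly in a small receiver simulation. This is an added example, not code from the thread or from any SCTP/TCP implementation; the packet tuples, the retransmission model (a lost segment is re-sent after everything else) and the stream ids are constructed for illustration.

```python
"""Head-of-line blocking: one ordered stream (TCP-like) versus several
independent ordered streams in one association (SCTP-like).

Added example; the receiver model below is constructed, not taken from
any real stack."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class OrderedStream:
    """Receive buffer that hands data to the application strictly in order."""
    next_seq: int = 0
    pending: Dict[int, str] = field(default_factory=dict)

    def receive(self, seq: int, payload: str) -> List[str]:
        """Buffer one chunk, then release every chunk that is now contiguous."""
        self.pending[seq] = payload
        released: List[str] = []
        while self.next_seq in self.pending:
            released.append(self.pending.pop(self.next_seq))
            self.next_seq += 1
        return released


def run(packets, loss) -> Tuple[List[str], List[str]]:
    """packets: (stream_id, seq, payload) in send order.
    loss: set of (stream_id, seq) dropped on first transmission and
    retransmitted only after all other packets have arrived (constructed model).
    Returns (delivered before the retransmission, delivered after it)."""
    streams: Dict[int, OrderedStream] = {}
    before: List[str] = []
    after: List[str] = []
    retransmit = []
    for sid, seq, payload in packets:
        if (sid, seq) in loss:
            retransmit.append((sid, seq, payload))
            continue
        before.extend(streams.setdefault(sid, OrderedStream()).receive(seq, payload))
    for sid, seq, payload in retransmit:
        after.extend(streams.setdefault(sid, OrderedStream()).receive(seq, payload))
    return before, after


# Two application-level conversations, A and B, interleaved on the wire.
# TCP-like: both share a single ordered byte stream (stream id 0).
SINGLE_STREAM = [(0, 0, "A1"), (0, 1, "B1"), (0, 2, "A2"), (0, 3, "B2")]
# SCTP-like: A rides stream 1 and B rides stream 2 in the same association.
MULTI_STREAM = [(1, 0, "A1"), (2, 0, "B1"), (1, 1, "A2"), (2, 1, "B2")]


def tcp_like():
    """Lose A1: nothing at all is delivered until it is retransmitted."""
    return run(SINGLE_STREAM, {(0, 0)})


def sctp_like():
    """Lose A1: B's stream keeps flowing, but A2 still waits behind A1."""
    return run(MULTI_STREAM, {(1, 0)})


if __name__ == "__main__":
    print("single stream :", tcp_like())   # ([], ['A1', 'B1', 'A2', 'B2'])
    print("multi stream  :", sctp_like())  # (['B1', 'B2'], ['A1', 'A2'])
```

The second result is the comment's claim in miniature: stream 2 is untouched by the loss on stream 1, yet within stream 1 the later chunk A2 is still held back until A1 arrives.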

Comment: Re: using SHA-1 (Score 1) 108

by WaffleMonster (#47858783) Attached to: Why Google Is Pushing For a Web Free of SHA-1

True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

I only read Google's announcement and did not follow every link from others before posting.

Hearing this only makes things worse... If Google themselves are not getting their act together until 2016 and concurrently the following is true:

"Chrome 39 (Branch point 26 September 2014)
Sites with end-entity (“leaf”) certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”."

It is hard to imagine a situation whereby you can avoid everything appearing broken in much the same way everything is known to the state of California to cause cancer.

In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time — and they don't need to.

What is the point of this? I don't understand the logic here.. how/who does this help?

Google's cert would be useless as the attacker does not have Google's private key, and the path restrictions of the preceding trust path make it useless to repurpose as an intermediary.

Nobody is going to waste their time going after one company's SSL cert; they are going to go after any vulnerable trust chain and fuck EVERYONE including Google regardless of how often they change their certs.

Comment: Re:Deprecation shouldn't start at the browser (Score 1) 108

by WaffleMonster (#47858655) Attached to: Why Google Is Pushing For a Web Free of SHA-1

Root cert sigs are meaningless, they're self-signatures. They could be zeroed out and most trustdbs probably wouldn't care.

Yes this is true but it doesn't matter.

Cross signing / alternate certification paths can lead to one man's root becoming another's intermediary.

Intermediaries have the same problem with 10+ year validity periods.

Comment: More information = less security (Score 0) 108

by WaffleMonster (#47858561) Attached to: Why Google Is Pushing For a Web Free of SHA-1

When you add decision points about issues the average user has no practical basis for making an informed determination on, you just make matters worse by adding confusion and uncertainty able to be leveraged by adversaries.

Now instead of secure and not secure.. ideally working and not working... we are hurling FUD and technobabble at users whose day job is NOT technology.

Who am I trying to kid.. you'll just need more reassuring padlock .gifs to adorn your secure sites.

Comment: Re:Deprecation shouldn't start at the browser (Score 3, Informative) 108

by WaffleMonster (#47858301) Attached to: Why Google Is Pushing For a Web Free of SHA-1

It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

Certificate authorities' roots also use SHA-1 and typically carry validity periods of decades.
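The three SHA-1 comments above fit together as one chain check: the quoted Chrome 39 rule (leaf expiring on or after 1 January 2017 plus any SHA-1 signature in the chain), the observation that a self-signed root's own signature is never verified and so does not count, and the warning that cross signing can turn someone's root into an intermediate whose SHA-1 signature does count. The code below models exactly that, and only the rule quoted on this page. It is an added example, not Chrome's code or the thread's; the Cert record, the sample chains and the CA names are constructed, and the signature-algorithm strings are the OpenSSL long names for the SHA-1 algorithms.

```python
"""Flag SHA-1 signatures in a certificate chain the way the quoted Chrome 39
rule describes, ignoring a self-signed trust anchor's own signature.

Added example; Cert is a constructed record of the fields the check needs,
not a parsed X.509 object."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# OpenSSL long names for the SHA-1 based signature algorithms.
SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}
# Expiry threshold from the quoted Chrome 39 text.
CUTOFF = date(2017, 1, 1)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str      # algorithm used by the *issuer* to sign this cert
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def sha1_signed_links(chain: List[Cert]) -> List[Cert]:
    """Certs whose own signature is SHA-1 based, excluding a self-signed
    anchor: a verifier trusts the root by its presence in the trust store and
    never checks its self-signature, so that digest does not weaken the path.
    A cross-signed copy of a root (subject != issuer) is NOT excluded: on this
    path it is an intermediate, and its SHA-1 signature counts."""
    return [c for c in chain if c.sig_alg in SHA1_ALGS and not c.self_signed]


def chrome39_verdict(chain: List[Cert]) -> Tuple[str, List[str]]:
    """chain is leaf-first. Returns (verdict, subjects of the weak links)."""
    leaf = chain[0]
    weak = sha1_signed_links(chain)
    if weak and leaf.not_after >= CUTOFF:
        return "secure, but with minor errors", [c.subject for c in weak]
    return "secure", []


# Constructed sample chains (names and dates are made up).
ROOT_A = Cert("Example Root A", "Example Root A", "sha1WithRSAEncryption", date(2035, 1, 1))
ROOT_B = Cert("Example Root B", "Example Root B", "sha1WithRSAEncryption", date(2036, 1, 1))

# Leaf signed with SHA-256, but its intermediate still carries a SHA-1 signature.
CHAIN_SHA1_INTERMEDIATE = [
    Cert("www.example.test", "Example Intermediate CA", "sha256WithRSAEncryption", date(2017, 6, 30)),
    Cert("Example Intermediate CA", "Example Root A", "sha1WithRSAEncryption", date(2030, 1, 1)),
    ROOT_A,
]

# Same SHA-1 self-signed root, but every verified link uses SHA-256.
CHAIN_CLEAN = [
    Cert("www.example.test", "Example Intermediate CA", "sha256WithRSAEncryption", date(2017, 6, 30)),
    Cert("Example Intermediate CA", "Example Root A", "sha256WithRSAEncryption", date(2030, 1, 1)),
    ROOT_A,
]

# Root B cross-signed by Root A with SHA-1: on this path Root B is an intermediate.
CHAIN_CROSS_SIGNED = [
    Cert("www.example.test", "Example Root B", "sha256WithRSAEncryption", date(2017, 6, 30)),
    Cert("Example Root B", "Example Root A", "sha1WithRSAEncryption", date(2036, 1, 1)),
    ROOT_A,
]

if __name__ == "__main__":
    for name, chain in [("sha1 intermediate", CHAIN_SHA1_INTERMEDIATE),
                        ("clean", CHAIN_CLEAN),
                        ("cross-signed", CHAIN_CROSS_SIGNED)]:
        print(f"{name:18}", chrome39_verdict(chain))
```

The clean chain passes even though its root is SHA-1 signed, which is the "root cert sigs are meaningless" point; the cross-signed chain fails on a certificate that is a root in another trust store, which is the "one man's root becoming another's intermediary" point. Checking only the leaf, as the earlier comment about rotating certs every three months assumes, would miss both.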

Comment: Re:Seriously? (Score 1) 533

by WaffleMonster (#47857251) Attached to: AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

Tell that to my 10 megaBYTE per second downstream that still has trouble with YouTube sometimes. 4Mbps would be unusably slow on the modern internet, unless you turned off all media, and adblocked everything. Hell, 10Mbps would still feel like drowning in quicksand to me, even for basic web browsing...and I doubt I'm alone.

I can see consumers thinking to themselves hey my 10mbit connection is slow.. websites take a long time to load and shit is always buffering. If only I upgrade to 100mbit it will be faster.. 10x faster...even!!

Perhaps some of the same consumers with satellite TV service are lining up at Best Buy for their new 4K TVs .. 4x more pixels, 4x less macro blocking!!!!!1!!!

Comment: The FCC is not self-consistent (Score 3, Interesting) 533

by WaffleMonster (#47856693) Attached to: AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

If you're an ISP filing FCC form 477, broadband **CURRENTLY** means the following:

Broadband Connection: A wired line or wireless channel that terminates at an end-user location and enables the end user to receive information from and/or send information to the Internet at information transfer rates exceeding 200 kbps in at least one direction.

While I don't have much of an opinion about definitions... 4Mbps vs 10Mbps, there needs to be consistency throughout. The FCC should not get to pick and choose what broadband means based on where in law/rules the term is used.
