Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Re:in my opinion this guy is like Jenny McCarthy (Score 2) 289

by WaffleMonster (#49498511) Attached to: Columbia University Doctors Ask For Dr. Mehmet Oz's Dismissal

or do you just stand against genetic engineering as we currently practice because you have an ignorant fear of what you don't understand?

I fear the properties of roundup ready GMO crops are being leveraged to optimized labor costs during production increasing loads of roundup leeching into the food supply.

People say roundup is safe yet nobody has been able to square this with warning labels and handling instructions printed on bottles purchased from home depot. They also chose to ignore the fact Glyphosate has been labeled a group 2A carcinogen.

But more than anything I fear the ignorance of people engaged in some forms of genetic engineering. Worth keeping in mind it was difficult to see cancer signal attributable to atomic blasts during WWII. I have no confidence if there was a problem that did not present immediately or dramatically to a significant percentage of people the cause would have any prayer of being seen or traceable. A common trick is to say there is no statistically significant basis for an assumption... which in and of itself is fair until you begin to understand the range of problems that could possibly exist under that same banner. Given numerous classic historical examples of active industry successful efforts to increase uncertainty and downplay risks .. I am not predisposed to be trusting of corporations whose objective function is not aligned with my own best interests.

Comment: Re:Must hackers be such dicks about this? (Score 2) 259

by WaffleMonster (#49495001) Attached to: FBI Accuses Researcher of Hacking Plane, Seizes Equipment

To anyone who has a shred of fear of flying, the game of "screwing with the pilots for laughs" is not fucking funny.

Your fears are your problem and do not constitute an excuse for irrational response.

Twitter comments were not known to anyone on the flight. Those who would have normally followed his comments would be his hax0r buddies who understand context and are familiar with issues.

So he's scaring people and breaking/threatening-to-break his word, and they're being dicks to him. This may not be statutory justice, but it's poetic.

Being a dick to LEA who is threatening you to back off when they are in the wrong... Sorry I don't see the issue.

All they are doing is discouraging research and attention making the industry less safe and more likely to allow Manufacturers and Airlines to make riskier design choices in the absence of pressure to do otherwise.

But if his frustration with Boeing and Airbus is going to drive him to be a fear-mongering troll, then any inconvenience caused him by the FBI seems utterly fair.

The media, politicians and security industrial complex are fear mongering trolls. They routinely and intentionally stoke fear for financial gain and self promotion while being fully aware of their deceptions.

A researcher who honestly believes something to be true is not a troll. You may disagree with his conclusions or characterizations but disagreement alone does not make someone a troll.

The idea that harassment by LEA is somehow deserved even for crazy anti-social fear mongering trolls is disappointing. Freedom cannot exist in the absence of tolerance. Being a professional LEA is fundamentally incompatible with in-kind reaction to someone doing something to get you mad.

Comment: Re:What? Why discriminate? (Score 1) 698

by WaffleMonster (#49480939) Attached to: 'We the People' Petition To Revoke Scientology's Tax Exempt Status

How is scientology any less of a religion than christianity or islam or mormons or any other belief system?

The purpose of Scientology as openly admitted by its founder was "to make money" ... If anyone is allowed to start their own religion with the express intent of making money then granting tax exempt status based on assertion of "religious" status alone makes for some pretty ridiculous and nonsensical policy.

Comment: Re:Article one giant spew of hyperbole (Score 1) 171

NTLMv2 isn't broken, but it definitely isn't as good which is why Windows uses Kerberos by default.

Both NTLMv2 and Kerberos are broken because an attacker is able to conduct offline brute force attacks against credentials simply by observing challenge/response communication between client and server.

This constitutes an unacceptable risk because the vast majority of users do not use passwords with sufficient entropy to withstand an offline as attack conducted by modern, distributed and specialized hardware. In the end your looking at an easy >90% success rate against most targets vs guaranteed 100% rate with NTLMv1.

I wish MS would finally get off its ass and switch to a zero knowledge key agreement protocol.

Comment: Re:Article one giant spew of hyperbole (Score 1) 171

Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.

NTLMv2 is broke too.

Comment: Re:Article one giant spew of hyperbole (Score 1) 171

The article states "the encryption method used was devised in 1998 and is weak by todayâ(TM)s standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998 include support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing.

When faced with claims of security it is necessary to fully understand the underlying basis of trust without which security is a mirage.

What is the mechanism by which one system or user authenticates the identity of another system or user and why is this process trustworthy?

Without secure authentication and proper binding encryption by itself is useless.

You are going need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.

How are the key parameters to AES and HMACs derived? If an attacker can figure that out then a whopping $0 worth of GPUs will suffice.

So how about it... where does this magical session key for admittedly very substantial and well engineered SMB3 encryption come from?

The answer is NTLMv2 or Kerberos. This is a "bad deal". NTLMv2 credentials can be stolen and replayed with impunity by launching offline brute force attacks against captured challenge response. Ditto for Kerberos. Game over.

Comment: Re:Wish this were new or news (Score 1) 171

Do you have an opinion of a relatively common method that is better? My issue with many is that it jusst sends the password to the server for verification, trusting that TLS will protect it. Given that it's exceedingly common for clients to not verify the certs, this is also fraught with risk.

Recommend looking into a PAKE algorithm. The advantage they are able to provide mutual proof of possession of a common secret without leaking knowledge that may be used to determine what that secret is. These systems are not vulnerable to offline attack and provide keying to encrypt the network session such that you can carry on a secure conversation post authentication.

TLS-SRP is currently my favorite option. Currently shipping with many commonly used SSL toolkits. Supported by Apache and CURL but still quite sparse in terms of application support.

Anything you can put a TLS wrapper around you can probably hack to support TLS-SRP authentication without a terrible amount of effort.

Comment: Wish this were new or news (Score 2) 171

I don't know how or why it came to this. The world is hooked on insecure authentication protocols. NTLMv2, Kerberos, plaintext, plaintext over encrypted tunnel protected by group secrets (sigh..) or certificates and dull thud of every flawed permutation of a challenge handshake system imaginable.

These things are employed virtually everywhere and the consequences are visible everywhere.

Haha I tricked you or your computer into connecting to my file system or my fake bank or my fake web site and because of that I now have your credentials and your f*****d.

Living with consequences has become so routine and institutionalized some find it difficult to see the problem at all ... instead resorting to blaming failure of a castle defense or operating in an unsafe environment rather than notice the root cause of the problem - broken authentication systems.

When the most widely deployed use of a secure authentication protocol is protecting an online role playing game I have no interest in Microsoft's (And all other vendors) lame excuses for not fixing these problems decades ago.

Comment: Simplified DFTT algorithm (Score 1) 278

article = new nonsensefilledstory();
article.addStrife();
article.addContraversy();
article.stoketribalisim();
article.allowAnonymousComments(true);
stack_of_trolls *users = article.create();

forall users as user (
      if (user.isTroll() == false && user.respondsToTrolls() == true)
            (globalBanList.addUser(user));
)

Comment: Re:Global ADS-B and AIS spy networks (Score 1) 50

by WaffleMonster (#49461287) Attached to: How Flight Tracking Works: a Global Network of Volunteers

Dude, what is wrong with you?

No, seriously. There is really something very wrong with you. It sounds like a mental illness. You NEED to get it looked at by medical professionals.

What is wrong with the people who take information for purposes other than original intent without asking and proceeding to leverage it for commercial gain?

Did these companies ask the Pilots for permission first?

If you don't have time to do it right, where are you going to find the time to do it over?

Working...