
Comment: Re:de Raadt (Score 1) 288

by Xylantiel (#46759807) Attached to: OpenBSD Team Cleaning Up OpenSSL
I disagree that there was no way to catch this. From code I saw, at its core, it was a simple case of using memcpy with the size of the destination buffer rather than the source buffer. Any automated bounds checker would have caught this. But, in addition, there should have been a compliance test that a packet with a specified size bigger than its payload went unanswered since anything else is noncompliant with the RFC. Clearly the person who wrote the RFC understood that answering a heartbeat request with a size different than its payload was a potential problem since the behavior was specified. To me, both of these mean that OpenSSL is enough lacking in validation testing to make me pretty nervous. No wonder everybody has been sticking to 0.9 versions for years if the path forward is this fraught with uncertainty.
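
The bug this comment describes, as an added example that is not from the original page and is not OpenSSL's code: a minimal heartbeat handler in the Heartbleed shape, where the copy length is taken from the request's own payload_length field and never compared against the number of bytes actually received, beside one that applies the RFC 6520 rule that a request whose declared length does not fit in the record is discarded silently. The record layout follows RFC 6520 (1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding); the `build_hb_request` helper, the zero padding, and the 'S'-filled byte array standing in for neighbouring memory are constructed for the demonstration. In a real process the over-read walks the heap rather than a local array.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* Read a 16-bit big-endian length field from the wire. */
static uint16_t n2s(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Build a heartbeat response echoing `payload` bytes from `src`.
 * Both handlers below share this; they differ only in whether `payload`
 * was validated against the record length first. */
static unsigned char *make_response(const unsigned char *src, uint16_t payload,
                                    size_t *out_len) {
    *out_len = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *resp = malloc(*out_len);
    if (resp == NULL) return NULL;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)payload;
    memcpy(resp + 3, src, payload);             /* length is attacker-controlled */
    memset(resp + 3 + payload, 0, HB_PADDING);  /* zero padding for the demo */
    return resp;
}

/* Vulnerable handler (the Heartbleed pattern). `rec_len` is the number of
 * bytes really received, but it is never consulted: the declared
 * payload_length alone decides how much memory is copied back. */
unsigned char *hb_vulnerable(const unsigned char *rec, size_t rec_len,
                             size_t *out_len) {
    (void)rec_len;                             /* ignored: that is the bug */
    if (rec[0] != TLS1_HB_REQUEST) return NULL;
    uint16_t payload = n2s(rec + 1);           /* trusted blindly */
    return make_response(rec + 3, payload, out_len);
}

/* Hardened handler: a request that cannot hold the payload it claims is
 * dropped without a reply, as RFC 6520 requires. */
unsigned char *hb_fixed(const unsigned char *rec, size_t rec_len,
                        size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;       /* too short to be a request */
    if (rec[0] != TLS1_HB_REQUEST) return NULL;
    uint16_t payload = n2s(rec + 1);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)  /* declared > received */
        return NULL;                                      /* discard silently */
    return make_response(rec + 3, payload, out_len);
}

/* Constructed test input: write a heartbeat request into buf with an
 * arbitrary declared length but only `actual_len` real payload bytes,
 * followed by 16 zero padding bytes. Returns the true on-the-wire length. */
size_t build_hb_request(unsigned char *buf, uint16_t declared_len,
                        const unsigned char *payload, size_t actual_len) {
    buf[0] = TLS1_HB_REQUEST;
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)declared_len;
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

int main(void) {
    /* 'S' stands in for secret data sitting next to the record in memory. */
    unsigned char mem[64];
    memset(mem, 'S', sizeof mem);
    size_t n = 0;
    size_t len = build_hb_request(mem, 32, (const unsigned char *)"ping", 4);

    unsigned char *r = hb_vulnerable(mem, len, &n);
    if (r != NULL) {
        printf("vulnerable: %zu-byte reply to a %zu-byte request, byte 23 = '%c'\n",
               n, len, r[23]);
        free(r);
    }
    r = hb_fixed(mem, len, &n);
    printf("fixed: %s\n", r ? "answered" : "dropped");
    free(r);
    return 0;
}
```

The compliance test the comment asks for is the second half of this: feed a request whose declared length exceeds its payload and require that nothing comes back. The leaked bytes in the vulnerable path are whatever follows the record in memory, which is why the reply is longer than the request and contains data the client never sent.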

Comment: Re:If GNUTls is unneeded, then create a NO-OP libr (Score 1) 144

MITM requires active interception to eavesdrop, whereas an unencrypted connection is vulnerable to passive eavesdropping. That is the sense in which an encrypted but not properly authenticated connection is "better". Also, if the ID of the offered certificate is logged, it is possible to audit for a MITM attack after the fact. According to Snowden, the NSA can crack 1024-bit certs' private keys. So really even properly verifying the cert is not secure, depending on who your adversary is.

Comment: Re:Tracking (Score 2) 233

by Xylantiel (#46673253) Attached to: Most Expensive Aviation Search: $53 Million To Find Flight MH370
Really, if you're listening to reasonable people, it's not expensive at all to have satellite-based ACARS enabled on all planes and have it include some basic flight information. In fact we knew from the first day or two that this plane had flown on for hours after the incident; the Malaysians were just not listening to the satellite techs. And if Malaysian Air had simply paid the several-thousand-dollar fees, we would have hours of data to work with. These "real time tracking" people are just ambulance chasers. The problem here is that the plane flew on for so long after losing ground contact and Malaysian Air was not paying for satellite service. So make intermittent satellite-relayed updates mandatory. The additional infrastructure costs... $0. It's already in place.

Comment: Re:But Terrizm! (Score 1) 233

by Xylantiel (#46673029) Attached to: Most Expensive Aviation Search: $53 Million To Find Flight MH370

Do you have references for that with real re-analysis of the radar data? Ones that aren't confused reporters citing "anonymous sources" that they might be misquoting. Reporters are really bad about leaving out little things like "maybe" or "under the assumption that..." which are night and day when eliminating possible options.

It seems more likely that the earlier analysis of the radar data mixed up the plane with another one after it got across the peninsula. Also it has been said that there is quite a bit of uncertainty in the radar altitude measurements during the airplane's supposed altitude changes. Do you have a reference that actually discusses what the radar data can and cannot exclude in a technical way? The search is sure acting consistently with a plane that just flew on to the southwest unpiloted. Surely they have made some assumption about the behavior during this time in computing the current search area. What were those assumptions? I haven't seen any technical discussion of this, and would really like to.

Comment: Re:EAP? (Score 1) 150

by Xylantiel (#46554207) Attached to: WPA2 Wireless Security Crackable WIth "Relative Ease"

I believe the problem is that the interface for this and the way warnings are handled is just horrible and inconsistent between clients.

For example, Android requires you to set a passcode in order to store the public certificate. That's right, you need to lock your device so nobody can get access to that PUBLIC key. Duh. Clearly you should have a passcode for a private key, but not a public one. I'm not sure if this has been straightened out or not. Also it's often not clear if you can say the equivalent of "trust the current certificate, and warn me if the network tries to give a different one". It typically asks you to manually load the certificate that the server can easily send to the client.

This doesn't even mention that generally the cert will be signed in a way that it can be verified through the same trust chain the web browser uses. While this isn't optimal, it's pretty decent in practice and could easily be implemented as an option.

Comment: Re:Um, right. (Score 2) 278

by Xylantiel (#46554103) Attached to: Don't Help Your Kids With Their Homework
I agree. Go look at Common Core; don't assume you know what it is. A lot of the "criticism" of Common Core has nothing to do with what is actually in Common Core. I have looked at the teaching of multiplication and it does some things that seem "weird" but are clearly intended to teach students number concepts, not just rote memorization. Now whether the elementary teacher figures that out is a totally different ballgame, since they may not have a firm number concept themselves and therefore they may not even understand what is being taught or know how to explain it to parents.

Comment: Re:Interfering West Again (Score 1) 878

by Xylantiel (#46512839) Attached to: Russian State TV Anchor: Russia Could Turn US To "Radioactive Ash"

Wait, whose economy was it that imploded at the end of the Cold War? So the "western" (i.e. pro-individual-freedom, multi-party-rule) mindset was supposed to just leave Eastern Europe to rot because Russia used to be in charge there. Then we just ignore them re-acquiring territory at gunpoint. Last I checked, NATO was not invading Eastern European countries to integrate them into the EU. Europeans are doing exactly the opposite, trying to help countries get their economies in good shape so that they can move toward closer ties to the EU at their option.

This whole thing in the Ukraine started with the president of Ukraine back-tracking on the parliament's attempts (and the electorate's desire) to have closer ties to the EU. Why did he do this? Because he was turning into Russia's puppet. This is not to mention that this guy was elected president under suspicious circumstances. You cannot compare Russia's under-handed meddling with Ukraine to the West trying to help Ukraine get its economy on track as if they are both bad things. One is bad, one is not.

Comment: Re: Summary is wrong (Score 1) 104

by Xylantiel (#46484429) Attached to: How Steve Jobs Got the iPhone Into Japan

Yep, "most popular smartphone in Japan" is a rubbish statistic. Japanese feature phones were so far ahead of those in other parts of the world in features and usage that making a distinction between smartphones and feature phones in the same way one does outside Japan is just nonsense.

It's almost enough to make you wonder if the introduction of the "smartphone" is not what really changed the phone culture in the West. Really, Japan had already transitioned to what we think of as the "new" phone-oriented culture, but it was based around high-quality feature phones. So the West might have transitioned even without the introduction of the iPhone. The iPhone just happened to be the right product in the right place at the right time. I know I was startled to see the speed at which Americans transitioned from making fun of Asians always poking at their phones to doing the same thing with their own smartphones.

Comment: Re:Sorry, it's horribly insecure, (Score 1) 731

by Xylantiel (#46217651) Attached to: Death Hovers Politely For Americans' Swipe-and-Sign Credit Cards
So why is it swipe-and-sign vs. chip-and-PIN, why not chip-and-sign? This would make it near impossible to clone cards but still be more secure under audit (i.e. not subject to an easily stolen PIN). Even chip-and-nothing would probably be better in practice than swipe-and-sign.

Comment: Re:The whole system needs to change (Score 1) 264

by Xylantiel (#46212699) Attached to: Adjusting GPAs: A Statistician's Effort To Tackle Grade Inflation

I think it does always require measuring proficiency at the end. Otherwise how do you know if you are educating?

That being said, it is easy to create a test that will rank students, but extremely difficult to make a test that will measure their proficiency. And making one that is resistant to cheating (e.g. memorizing answers from previous tests) is even harder.

Current grading is generally not even based on level of proficiency, but on level of coverage. You get a good grade if you can demonstrate skill in all the topics covered. The level of proficiency expected on those topics is often not well defined. Also this leads to what the thread root comment is complaining about, where the class is taught as if everybody is going to achieve proficiency in all topics, even when that is known to not be happening. Is it better to teach a set of topics for which it is known the median student can achieve satisfactory proficiency, and then measure proficiency? What does the letter grade mean in such a system? Does it refer to proficiency or coverage?

Nominally this reveals the underlying problem being grappled with in education today. If you get down and honestly measure student proficiency, you realize that only the top 10% of students were actually learning what they were supposedly learning. This makes it really hard to construct a coherent overall sequence of education because you cannot assume that most students have mastered topics covered in previous courses.

Comment: Re:"Not Reproducible" (Score 1) 618

So fund the science. Forbidding regulation is just bureaucratic stupidity that will get people killed. My impression is that a lot of regulations don't have good science to back them up because the science costs money and hasn't been done yet, and the EPA has to make a rule even in the absence of good science. Are you somehow surprised that they would err on the side of public safety when the science is inconclusive? You do realize that this stuff actually maims and kills people, right?

Comment: Re:Golden handcuffs (Score 1) 177

by Xylantiel (#46190219) Attached to: At my current workplace, I've outlasted ...

they're done professionally

Um, now they can begin professionally. I certainly hope that they were trying to get tenure so that they could educate the next generation and improve the knowledge in their chosen field. Who gives a hoot where you live if somebody is paying you to improve worldwide knowledge?

Comment: Re:Multiple credit cards (Score 1) 448

by Xylantiel (#46101181) Attached to: Developer Loses Single-Letter Twitter Handle Through Extortion

You do not appear to understand what he is getting at. In the case referred to in the original article, the credit card info stored at one company was used as proof of identity to another company, i.e. your credit card can be used to identify you uniquely if you only use one credit card. On the other hand, if you use pre-paid limited-use cards, this doesn't work. This seems like a general benefit to prevent companies from cross-tracking purchasing habits. But the interesting thing here is that this case shows it also provides additional protection against identity-theft-type attacks using your credit card info, basically because you don't have unique credit card info.

But really, that GoDaddy would give control of your account to somebody who has your credit card info is outrageously stupid on their part. Credit cards are a payment method, not an authentication method. The bank will only eat the cost of payment fraud. This was probably some undertrained phone support person thinking there was no other way to get this guy's account access back, which is ludicrous since he probably has ICANN contact information recorded. They could have hung up and called him back using known-good contact info and the whole scheme would have fallen apart.

As others have said, the lesson is don't use GoDaddy, since they are so "customer-friendly" that they are insecure. This just makes me glad that I moved away from GoDaddy a while ago.
