Forgot your password?
typodupeerror

Comment: Re:Don't people encrypt over TOR anyway? (Score 2) 56

by cryptizard (#46780423) Attached to: Tor Blacklisting Exit Nodes Vulnerable To Heartbleed
That's not really the point though, since you can always encrypt traffic using TLS. The point of Tor is to hide the end point you are communicating with from someone who controls the network that your computer is on, like a decentralized VPN. You could always gather traffic on both ends (client side and end point/exit node, called an intersection attack), but it is very unlikely that one party will have control of two separate networks like that. With this attack, you don't actually need control of the other end since you can just query the exit nodes directly and they will leak traffic information to you.

Comment: Re:The only thing that may be leaked in addition.. (Score 4, Informative) 56

by cryptizard (#46780383) Attached to: Tor Blacklisting Exit Nodes Vulnerable To Heartbleed
The point is that, if you know the IP address of the exit node, you can use the heartbleed bug to examine it's outgoing traffic even if you don't have control of the network the exit node is on. This makes intersection attacks much easier because you only need to have data from one end. If I control a network where I see some Tor users, all I have to do is use this exploit on exit nodes until I see outgoing traffic that matches the traffic I see on my own network. I can then link that data to clients on my network and Tor is defeated. This attack is always possible if you control both the client's network and the end point they are communicating with (or some piece of the network between the exit node and the end point), but with this attack you don't need to actually control any part of the network on the exit side because you can just query the exit nodes directly and they will tell you themselves.

Comment: Re:AWS is NOT cheap (Score 2) 145

by cryptizard (#46756493) Attached to: How Amazon Keeps Cutting AWS Prices: Cheapskate Culture
There are a lot of workloads where it makes sense. If you are doing research and you only need to use a lot of computing resources for a few weeks out of the year to run simulations or something, then it is much more economical to go AWS than have a giant cluster sitting idle most of the time.

Comment: Re:Business class is a misnomer (Score 2) 145

by cryptizard (#46756471) Attached to: How Amazon Keeps Cutting AWS Prices: Cheapskate Culture
Yeah I was kind of thrown off by them using the loaded term cheapskate. I would call that efficiency or austerity. Everyone was complaining that they were assholes when companies were flying around in private jets while at the same time laying off employees. Now we complain that they are cheap if they make their employees fly in coach with the rest of us proles.

Comment: Of course it is tape (Score 5, Insightful) 145

by cryptizard (#46756453) Attached to: How Amazon Keeps Cutting AWS Prices: Cheapskate Culture

perhaps the reason Amazon's Glacier storage is so cheap is that maybe it might be based at least partly on tape, not disk

That is one of the stupidest things I have ever read. Of course it is using tape, why else would it take up to 24 hours to get your data when you request it? Everyone knows that is the whole point of Glacier, and the reason they can offer it so cheap. Nobody wants to deal with the hassle of having their own offsite tape library, so Amazon will do it for you with a convenience user interface. That is literally exactly what all of AWS is based on, doing something cheaper for you because they have the expertise and the facilities at scale.

Comment: Misleading (Score 1) 2

The irony is, the those who have put the most effort into privacy and security are the most vulnerable.

I guess what the summary means by this is that only servers which have been upgraded to the version including the bug are vulnerable, but those people are not putting the most effort into security. If there are no known vulnerabilities in the version you are running now, it is better not to upgrade precisely so you don't get in situations like these. Or are you saying that Google doesn't put a lot of effort into their security?

Comment: Perfect Forward Secrecy (Score 1) 2

Even worse, attackers can also retrieve cryptographic keys and passwords and use that info to decrypt any past or future web traffic.

This part is not strictly correct. Many TLS connections use ephemeral Diffie-Hellman key agreement which has perfect forward secrecy. This means that even if the long term secrets are leaked later, the session key cannot be recovered.

+ - Tor: If You Want Privacy or Anonymity, Stay Off the Internet This Week-> 2

Submitted by Daniel_Stuckey
Daniel_Stuckey (2647775) writes "Security holes are par for the course on the web today, but a new, massive bug dubbed "Heartbleed” is particularly nasty, and widespread: Experts say that two-thirds of websites and nearly everyone that’s used the internet in the last two years could be affected to some extent.

The irony is, the those who have put the most effort into privacy and security are the most vulnerable.

The bug exposes the popular cryptographic software, OpenSSL, a mainstay web encryption. Heartbleed makes it possible for anyone to eavesdrop on encrypted sites and access the sensitive data they’re supposed to be protecting, all without leaving any trace on the site’s server. Even worse, attackers can also retrieve cryptographic keys and passwords and use that info to decrypt any past or future web traffic."

Link to Original Source

Comment: Re:This idea is really BS (Score 1) 277

A factor of 10 in average password length you mean, of which security is exponential. That's nothing to sneeze at. It does seem to be relatively pointless compared to just encrypting the password file with a key stored in the TPM or derived from an administrator password at boot time though.

Comment: Re:Thank goodness for open-source alternatives (Score 4, Interesting) 168

by cryptizard (#46622951) Attached to: NSA Infiltrated RSA Deeper Than Imagined
Open-source doesn't help for shit in this situation. Dual_EC_DRBG was an open standard, all the details were public. The problem is that, with cryptographic algorithms, only a handful of people in the entire world are qualified to say whether something might or might not be secure. And even if there is a problem, it might go for years without being found.

Simplicity does not precede complexity, but follows it.

Working...