
Comment: Re: GPG is another TrueCrypt? (Score 1) 295

by Martin Blank (#49132959) Attached to: Moxie Marlinspike: GPG Has Run Its Course

No, those who want perfect solutions want the impossible. I want a framework that can be improved over time.

What's the goal? With maybe a handful of exceptions, everyone does something that can compromise their security. HTTPS relies on a trust architecture that we're being reminded recently (Superfish, PrivDog) is actually extremely fragile. And yet it's being encouraged to make the job of the average surveillance tool more difficult. It's very much letting The Other Guy(TM) (remember, three caps minimum on the TM'ed stuff) handle security. It has flaws, but it raises the bar.

That's what we need for end-to-end crypto. It can have flaws, but it needs to raise the bar, and be able to keep raising the bar.

As for understanding how it happens, how many people can describe how an RSA key is generated, much less how a proper PRNG produces a suitably random number and then how AES/Blowfish/whatever encrypts the data? Does the average person need to know that? Not really. And even if they did, they don't care, which is why they don't use it now.

Right now, we have options where you can let a CA provide you with your TLS certificate (usually 2048-bit and SHA1). If you know what you're doing, you can roll your own with better security. We need something with that flexibility (though I recognize the flaws of that exact model) for end-to-end crypto, too. We need clients that auto-update, that add or deprecate algorithms as they arrive or are broken without the user having to worry about it, and that can provide safe (and revocable) storage for the keys so they survive a catastrophic loss or can be deleted with near-absolute certainty if the user wishes. We need common libraries or protocols that can allow new or existing clients to safely implement connections to these services without having to build them from scratch, thereby preserving and encouraging competition.

These don't lead to a perfect system. They lead to a good enough system with room to grow and improve. But I would argue (as I think Moxie does) that what we have now is far from a perfect system because it's too difficult to use.

Comment: Re:GPG is another TrueCrypt? (Score 4, Interesting) 295

by Martin Blank (#49127783) Attached to: Moxie Marlinspike: GPG Has Run Its Course

Not remotely. He's encouraging good encryption, but calling for some updates (it hasn't significantly changed since the mid-'90s) and a better wrapper. GPG is still largely by geeks, for geeks. I couldn't get my parents to use GPG because they'd dismiss it as too hard, even if one of them is happy to stick it to the man. The suggested minimum settings vary based on where you look and when they were posted.

Example: An RSA key size of 2048 bits is largely considered secure, but NIST recommends 3072 bits for anything that one would want to keep secure into the 2030s. People still often see their e-mail as their private papers and may be concerned over who can read them well past the 2030s. But does that mean they use 3072, or go with the random crypto weblog guy who says to always go with 4096? And why can't I create 8192- or 16384-bit keys like that software claims to over there?

And what hash to use? Plenty of sites still say MD5, but they were written years ago. Some have updated to SHA1, but others point out weaknesses there. OK, SHA2, then. But then there's SHA256, which must be better, right? (I know SHA256 is a subset of the SHA2 family, but those unfamiliar with crypto will not.)

Until GPG-style crypto becomes relatively automated, it won't be embraced by more than a handful of people. HTTPS is widely used because people don't have to think much about it. This has some downsides for poorly-configured servers and Superfish/Comodo-style backdoors, but browsers and other software help take up the slack by rejecting poor configurations. PGP/GPG were designed to reach near-perfect levels of encryption, but that bar is clearly too high for significant uptake. We should instead be looking for something that encourages end-to-end encryption that is good enough. We can build on it if the underlying structure is properly designed, and as people get more accustomed to crypto in their lives, they'll be able to adjust to improvements.

When the majority of communications are relatively well-secured, it makes it far more difficult for a surveillance state to conduct its operations. Perfect security can still be a long-term goal, but we need more realistic goals to encourage uptake in the meantime.
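The key-size and hash questions raised in the comment above (2048 vs. 3072 vs. 4096-bit RSA, MD5 vs. SHA-1 vs. SHA-2) can be turned into a mechanical check rather than something each user has to look up. The following is an added example, not code from the comment or from GnuPG: it parses the machine-readable `--with-colons` listing that gpg produces and flags keys below a 3072-bit floor for RSA/DSA/ElGamal, primary keys with no expiry date, and signatures made with MD5 or SHA-1. The sample listing is constructed in the shape of `gpg --check-sigs --with-colons` output with made-up key IDs and addresses, and the 3072-bit floor and weak-hash set are policy assumptions (taken from the NIST guidance the comment cites), not settings the comment or GnuPG prescribes.

```python
"""Audit a gpg --with-colons listing against a simple key-size / hash policy.

Added example; not part of GnuPG. The record layout follows GnuPG's doc/DETAILS:
field 1 = record type, 3 = key length in bits, 4 = public-key algorithm,
5 = key ID, 7 = expiry timestamp (empty if none), 16 = hash algorithm (sig only).
"""
from dataclasses import dataclass

# OpenPGP algorithm IDs (RFC 4880, sections 9.1 and 9.4).
PUBKEY_ALGOS = {1: "RSA", 2: "RSA", 3: "RSA", 16: "ELG", 17: "DSA",
                18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Policy (assumption): 3072-bit floor for the finite-field algorithms, matching the
# NIST SP 800-57 guidance for protection beyond 2030 that the comment refers to.
# Curve-based keys (ECDH/ECDSA/EdDSA) report small bit lengths and are not subject to it.
MIN_BITS = {"RSA": 3072, "DSA": 3072, "ELG": 3072}
WEAK_HASHES = {"MD5", "SHA1"}


@dataclass
class Finding:
    keyid: str
    message: str


def audit_listing(text: str, min_bits=MIN_BITS, weak_hashes=WEAK_HASHES) -> list[Finding]:
    """Return one Finding per policy violation found in a --with-colons listing."""
    findings = []
    primary = "?"  # key ID of the pub record that the following sig/sub lines belong to
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sub"):
            bits = int(f[2]) if f[2] else 0
            algo = PUBKEY_ALGOS.get(int(f[3]), f"algo{f[3]}")
            keyid = f[4]
            if rec == "pub":
                primary = keyid
                if not f[6]:  # field 7: expiry; empty means the key never expires
                    findings.append(Finding(keyid, "primary key has no expiry date"))
            floor = min_bits.get(algo)
            if floor is not None and bits < floor:
                findings.append(Finding(keyid, f"{rec} {algo}-{bits} is below the {floor}-bit floor"))
        elif rec == "sig" and len(f) > 15 and f[15]:
            # Field 16 of a sig record is the digest algorithm used to make the signature.
            digest = HASH_ALGOS.get(int(f[15]), f"hash{f[15]}")
            if digest in weak_hashes:
                findings.append(Finding(primary, f"signature by {f[4]} uses {digest}"))
    return findings


# Constructed sample in the shape of `gpg --check-sigs --with-colons`; key IDs,
# fingerprints and addresses are made up. Key 1111... is RSA-2048 with no expiry
# and a SHA-1 self-signature; key 3333... is RSA-4096, expiring, signed with SHA-256.
SAMPLE_LISTING = """\
pub:u:2048:1:1111111111111111:1425000000:::u:::scESC::::::23::0:
uid:u::::1425000000::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.invalid>::::::::::0:
sig:::1:1111111111111111:1425000000::::Alice (constructed) <alice@example.invalid>:13x:::::2:
sub:u:2048:1:2222222222222222:1425000000::::::e::::::23:
pub:u:4096:1:3333333333333333:1425000000:1740000000::u:::scESC::::::23::0:
uid:u::::1425000000::0000000000000000000000000000000000000000::Bob (constructed) <bob@example.invalid>::::::::::0:
sig:::1:3333333333333333:1425000000::::Bob (constructed) <bob@example.invalid>:13x:::::8:
sub:u:4096:1:4444444444444444:1425000000::::::e::::::23:
"""

if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(f"{finding.keyid}: {finding.message}")
```

Run against a real keyring with `gpg --check-sigs --with-colons | python3 audit.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`. The point of keeping the thresholds in `MIN_BITS` and `WEAK_HASHES` is the one the comment makes about auto-updating clients: the policy is data that can be bumped when an algorithm is deprecated, so the user never has to reread a weblog to learn what the current floor is.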

Comment: Re:its all about the $$$ (Score 1) 93

The law is generally stated that for two vehicles traveling in the same lane with no immediate changes before a collision, the trailing driver is at fault in case of a collision. However, it's a valid defense if the leading driver performed an unsafe maneuver prior to the collision, such as changing lanes with insufficient spacing.

Comment: Re:oh please. I'm tired of this "diversity" bullsh (Score 4, Interesting) 493

Weirdly enough, women were quite well represented in technology before the 80s. Clearly there was an interest - so what's changed?

Women in other countries are somewhat more well represented in technology and more likely to go into STEM fields - so what are those other countries doing differently?

There are a number of things that make a strong case for the reasons women aren't well represented in tech being related to artificial issues rather than natural tendencies.

Tech isn't singled out as the one and only important field, by the way. I'm not sure where you get that idea from, but if you look at most any field with a lopsided gender ratio you'll see concern about the gender imbalance and efforts to remedy it. Nursing programs will aggressively pursue male candidates, same for elementary teaching, for example.

In any case, my guess as to why tech is singled out is not that tech is singled out, but that you're probably primarily reading tech sites where this gets discussed, so it just seems that way.

Comment: Re:WTF? (Score 1) 493

A willingness to give partial credit for work shown, even if the ultimate answer was wrong, and other things like that. They may be more willing, in this case, to assume that the boy with the wrong answer was on the right track, while the girl with the wrong answer was just flailing around and guessing, even when the provided answers and work were the same.

Comment: Re:Enough already! (Score 1) 254

I see, it's not just ignorance - it's willful ignorance that forms the basis for your factually incorrect opinions, and when challenged on your ignorance, you lash out incoherently.

I'm sure you imagine you have a point - given that your stated opinions have no basis in fact, you probably imagine all kinds of crazy things are true. Please also feel free to imagine that you've put me in my place, if you like. I certainly don't see any point to continuing this discussion; I won't try to reason with someone clearly lacking it.

Comment: Re:Enough already! (Score 1) 254

Except that there is a push to get more men into elementary teaching. And there is a push to get more men into other industries dominated by women, like nursing.

You seem to have a very strongly held opinion (at least one that's strong enough to comment about and bash "SJW"s) that is clearly based at least in part on ignorance. I'd suggest learning more - not only will it help you avoid embarrassing yourself by displaying your ignorance, but it might even help you revise your opinions.

Also, side note, one of the reasons nobody gives much of a shit about there not being enough white players on pro basketball teams is because, statistically speaking, it isn't remotely relevant. How many pro NBA players are there? Now compare that to fields like software development or IT. Which one of those groups is more relevant for the average person who wishes to achieve upward mobility and has better odds?

Additionally, you're also ignoring the fact that white people were not, historically speaking, forbidden from playing in professional sports leagues and were not harassed and threatened (at least not for their race) when they joined the leagues. The fact that you so blithely ignore historical fact, once again, says to me that you form your opinions out of ignorance. Again, I suggest learning more so that you don't embarrass yourself by spouting off your uninformed nonsense.

Comment: Re:jessh (Score 1) 397

by Martin Blank (#48918307) Attached to: "Mammoth Snow Storm" Underwhelms

You're not factoring in the number of workers who would not have gone in anyway, the lost productivity from being late due to weather for at least some of those who did go in, potential losses to businesses that didn't shut down completely for paying employees to show up but who had little to no business that day, and the costs associated with personal and property damage due to accidents. It gets complex quickly.

Without government intervention, a lot of people would have simply gone in to work because they were afraid that if they didn't show up, they could be in trouble with their employers. When the city makes the call, it's easier to point to that as a justification, and it's more likely to be accepted by the employer.

Comment: Re: Honest question. (Score 1) 479

by thesandtiger (#48842153) Attached to: Fighting Tech's Diversity Issues Without Burning Down the System

Exactly that.

The extra information is irrelevant. It doesn't matter that this idiot identified as a feminist, and it didn't matter that the creep I described identified as a men's rights activist. They are an idiot and a creep, respectively, and it says absolutely nothing about other people who may have some label in common.
