
Comment: Re:From SIM to Chip and PIN (Score 1) 155

by fgouget (#49118343) Attached to: NSA, GHCQ Implicated In SIM Encryption Hack

I have been wondering about Stingrays too. Based on the Stingrays Wikipedia page they would not need access to the SIM card's private key. Instead they force the device to use the weaker A5/2 security protocol and then crack it which allows them to recover the SIM card's private key.

The "GSM Active Key Extraction" performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider. While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device. Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail.

GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1. However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time. While A5/1 and A5/2 use different cypher strengths, they each utilize the same underlying encryption key stored on the SIM card. Therefore, the StingRay performs "GSM Active Key Extraction" during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key. Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.

This perfectly illustrates why allowing protocol variants with weaker security is a bad idea. It also makes Gemalto's security lapse look somewhat irrelevant: cracking the SIM's private key seems pretty trivial anyway.
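The downgrade the comment describes (the base station telling the handset to use A5/2, which shares its key with A5/1) is exactly the kind of negotiation a defender can check for. The following is an added example, not code from the post or from Wikipedia: it models a cipher mode selection with a policy floor, rejects algorithms the handset never offered, and flags sessions where the network chose something weaker than the best algorithm on offer. The cipher names are real GSM algorithms; the strength ranking, the session record format and the sample sessions are constructed for this example.

```python
"""Downgrade check for a GSM-style cipher negotiation (added example)."""

from dataclasses import dataclass

# Relative strength ordering assumed for this example: A5/0 is no encryption,
# A5/2 the export-weakened variant, A5/1 the original cipher, A5/3 the
# KASUMI-based one. Higher is stronger.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


@dataclass
class Session:
    cell_id: str     # serving cell (constructed identifier)
    offered: tuple   # algorithms the handset advertised as supported
    selected: str    # algorithm the network chose in its cipher mode command


def check_cipher_mode(session, floor="A5/1"):
    """Return (accepted, reason) for one negotiation.

    Rejects unknown algorithms, anything below the policy floor, and anything
    the handset never offered (the other side is not honouring the offer).
    """
    sel = session.selected
    if sel not in CIPHER_RANK:
        return False, f"unknown cipher {sel!r}"
    if sel not in session.offered:
        return False, f"{sel} was not in the handset's offer {list(session.offered)}"
    if CIPHER_RANK[sel] < CIPHER_RANK[floor]:
        return False, f"{sel} is below policy floor {floor}"
    return True, "ok"


def strongest_offered(session):
    """Best algorithm the handset advertised, by the ranking above."""
    return max(session.offered, key=lambda c: CIPHER_RANK.get(c, -1))


def find_downgrades(sessions, floor="A5/1"):
    """Flag rejected sessions and sessions where the network picked a weaker
    algorithm than the strongest one offered (a downgrade indicator worth
    logging even when the chosen cipher is still above the floor)."""
    flagged = []
    for i, s in enumerate(sessions):
        ok, reason = check_cipher_mode(s, floor)
        if not ok:
            flagged.append((i, s.cell_id, reason))
            continue
        best = strongest_offered(s)
        if CIPHER_RANK[s.selected] < CIPHER_RANK[best]:
            flagged.append((i, s.cell_id,
                            f"network chose {s.selected} although {best} was offered"))
    return flagged


# Constructed sample sessions, not real captures.
SAMPLE_SESSIONS = [
    Session("cell-A", ("A5/3", "A5/1", "A5/2"), "A5/3"),  # strongest offered: fine
    Session("cell-A", ("A5/3", "A5/1"), "A5/1"),          # above floor but weaker than offered
    Session("cell-B", ("A5/3", "A5/1", "A5/2"), "A5/2"),  # below floor: rejected
    Session("cell-B", ("A5/3", "A5/1"), "A5/0"),          # never offered: rejected
]

if __name__ == "__main__":
    for idx, cell, why in find_downgrades(SAMPLE_SESSIONS):
        print(f"session {idx} on {cell}: {why}")
```

Setting the floor to A5/1 would have refused the A5/2 step in the Wikipedia description outright; the extra "weaker than offered" check catches a network that stays above the floor but still steers the handset toward its weakest acceptable option.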

Comment: Re:Fallout? (Score 1) 155

by fgouget (#49118237) Attached to: NSA, GHCQ Implicated In SIM Encryption Hack

with the vital secrets either stored a lot more carefully, or, ideally, generated on-SIM and never leaving the SIM during its operational life, short of a direct silicon-level attack.

My understanding is that's what they do already. The private key is generated and put directly into the SIM card and never leaves it. But a private key is useless if nobody knows the corresponding public key. It's the transfer of that public key to the entity that needs it, the carrier, that the NSA/GCHQ intercepted.

Maybe a fix would be for Gemalto to sell blank SIM cards and have the carriers themselves generate and burn the private key to it using a software WORN API: Write Once, Read Never. Of course then the NSA/GCHQ would have no trouble forcing the US carriers to hand over all their public keys but then they can already force them to intercept the communications. At least the rest of the world would only be subject to spying by their own government.

Comment: Titi username (Score 1) 65

by fgouget (#49086819) Attached to: 'Babar' Malware Attributed To France

The report says "Titi is a French diminutive for Thiery, or a colloquial term for a small person".

Well first it's Thierry with two 'r's, but I've never seen titi being used as a diminutive for it, though that's because nobody would stand to it being used in public. Then there's the titi parisien but I've never seen titi referring to a small person.

But all this misses the point. Just like an uninspired English-speaking programmer will call his variable 'foo' and then 'bar' if he needs a second one, a French programmer will call his variable 'toto' (from the classic Toto jokes) and then 'titi' if he needs a second one (and then 'tata' but normally by the time he reaches tutu he realizes he really needs to straighten up ;-) ).

So what this really tells us is that this developer has a colleague whose username is 'toto'.

Comment: Titi username (Score 1) 353

by fgouget (#49086793) Attached to: Ask Slashdot: Most Useful Browser Extensions?

The report says "Titi is a French diminutive for Thiery, or a colloquial term for a small person".

Well first it's Thierry with two 'r's, but I've never seen titi being used as a diminutive for it, though that's because nobody would stand to it being used in public. Then there's the titi parisien but I've never seen titi referring to a small person.

But all this misses the point. Just like an uninspired English-speaking programmer will call his variable 'foo' and then 'bar' if he needs a second one, a French programmer will call his variable 'toto' (from the classic Toto jokes) and then 'titi' if he needs a second one (and then 'tata' but normally by the time he reaches tutu he realizes he really needs to straighten up ;-) ).

So what this really tells us is that this developer has a colleague whose username is 'toto'.

Comment: Re:Isn't slashdot's reaction interesting... (Score 1) 65

by fgouget (#49086677) Attached to: 'Babar' Malware Attributed To France

This proves that all the whining about the NSA has little to do with actual worries (as if anyone in the government actually cares about their porn viewing habits), and more to do with overwrought anti-Americanism.

Quite the opposite. It proves that the anti-French sentiment is so strong in the US and UK that it drowns any rational discussion.

Comment: Re:Lawsuits coming? (Score 1) 418

ISP: Internet Service Provider. They connect your machine to the internet. WTF do you think server hosting companies do, you nitwit?

Server hosting companies certainly do not connect my machine to the Internet: they provide Internet hosting services and not Internet Access. And if you're going to use the ISP acronym in another discussion you should know that it commonly exclusively refers to Internet access providers. But it sure is a great way to spread FUD and claim plausible deniability.

Comment: Re:Lawsuits coming? (Score 1) 418

I don't think it makes any noticeable difference but that was not the point I was trying to make. If they can show a measurable difference

And again you miss the point: no matter what equipment you use you will not be able to detect any difference in sound quality between their cable and a regular cable.

It's even obvious without any testing to anyone who knows anything about the Ethernet, TCP/IP or the OSI model: either a packet of data makes it across the cable or it does not. If it does, then it's going to be bit for bit identical no matter what cable you used, and thus the resulting sound will be identical too. If the packet did not get across, then it means you got a broken cable or some rodent has been chomping on it. But the result will be either a retransmission in time, in which case there will again be no impact on the sound quality, or, if not, a pop, stall or stutter. But you will under no circumstances get a reduced "sound picture", lesser "differentiation between sonic elements" or lesser "sense of clarity".
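The "bit for bit identical or not at all" behaviour comes from the frame check sequence on every Ethernet frame: the receiver recomputes a CRC-32 over the frame and discards it on mismatch, so a corrupted frame is dropped and never delivered as slightly degraded data. The following is an added example, not code from the comment: Ethernet's FCS uses the same CRC-32 polynomial as `zlib.crc32`, so that function stands in for the NIC; the frame layout (payload plus a 4-byte trailer, little-endian by choice here), the bit-flip "noise" and the PCM-style payload are constructed for the example and are not a real Ethernet header.

```python
"""Frame check sequence demonstration (added example, constructed frame layout)."""

import struct
import zlib


def build_frame(payload: bytes) -> bytes:
    """Sender: append a CRC-32 trailer over the payload, as the NIC appends the FCS."""
    fcs = zlib.crc32(payload) & 0xFFFFFFFF
    return payload + struct.pack("<I", fcs)


def receive_frame(frame: bytes):
    """Receiver: return the payload if the trailer matches, else None (frame dropped).

    There is no third outcome: the payload is either exactly what was sent or absent.
    """
    if len(frame) < 4:
        return None
    payload, trailer = frame[:-4], frame[-4:]
    expected = struct.unpack("<I", trailer)[0]
    if (zlib.crc32(payload) & 0xFFFFFFFF) != expected:
        return None
    return payload


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate noise or a chewed cable corrupting one bit on the wire."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed audio-like payload: 16-bit signed samples of a ramp.
AUDIO_PAYLOAD = b"".join(struct.pack("<h", s) for s in range(-100, 100, 5))


def transmit(payload: bytes, corrupt_bit=None):
    """Push a payload through a 'cable', optionally corrupting one bit in transit,
    and return what the receiver hands up to the next layer."""
    frame = build_frame(payload)
    if corrupt_bit is not None:
        frame = flip_bit(frame, corrupt_bit)
    return receive_frame(frame)


if __name__ == "__main__":
    print("clean cable:", transmit(AUDIO_PAYLOAD) == AUDIO_PAYLOAD)
    print("one bit flipped:", transmit(AUDIO_PAYLOAD, corrupt_bit=37))
```

CRC-32 detects every single-bit error regardless of frame length, so any one flipped bit, in the payload or in the trailer itself, results in a dropped frame; what the upper layers then do (TCP retransmits, a UDP audio stream pops or stalls) is the only place cable quality shows up.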

Comment: Re:Lawsuits coming? (Score 1) 418

As I said I gave you a deep discount. But if you still think that electrical noise and crosstalk are in any way relevant to the quality of sound sent through IP packets, then you don't know what you're talking about. In fact it puts you clearly in their target audiophile category with the only thing saving you being the size of your wallet. They could likely con you by making the same claims about an ordinary cable and selling it at a mere 50% premium.

Comment: Re:Lawsuits coming? (Score 1) 418

by fgouget (#49028881) Attached to: $10K Ethernet Cable Claims Audio Fidelity, If You're Stupid Enough To Buy It

Given the differences in specs they could probably show some increased noise and crosstalk, as well as less bandwidth. Does it make any real difference? For most applications probably not but that's different than proving a performance increase and thus showing the claims were not false.

Oh. I see the problem. Your connection to the Internet goes through a low quality Ethernet cable, or even, shudder, a WiFi connection. But fear not. I provide you with a premium high-fidelity Ethernet cable that will let you see the full clarity of my prose. With it the words will be sharper, their meaning will come into focus. Never again will you have to wonder at the meaning of what you read. And it can be yours now for the low low price of $1000.

Comment: Re: Questionable banking? (Score 1) 129

by fgouget (#49027483) Attached to: HSBC Banking Leak Shows Tax Avoidance, Dealings With Criminals

All those billions of dollars are from only 10k accounts so the % of shady customers probably is reaching 100.

The leak actually concerns 106k accounts from 203 countries and totalling 180 billion euros (strangely the BBC claims only $118bn), with half of them actively trying to evade taxes (accounts in tax havens) and the rest at least hiding money. That said not all of them are really shady: there are really a number of accounts that the current holders inherited and never got the courage to declare to their country's revenue service. But if you know what percentage of the accounts that is you're better informed than me.

Comment: Re:Lawsuits coming? (Score 1) 418

by fgouget (#49027409) Attached to: $10K Ethernet Cable Claims Audio Fidelity, If You're Stupid Enough To Buy It

While my 10 cent comment is also a bit of hyperbole, they probably could construct a rig with Cat 6 components, plug in a cheap cat 5 cable and show performance degradation.

I really doubt that.

While I think their claims are bunk the GP's question why they aren't sued into oblivion is that not only is hyperbole accepted in advertising, it would be a lot easier to prove the claims were merely puffery than to prove they were false and misleading.

We'll have to disagree with that. I think their claims fly right past the hyperbole zone and land squarely in the outright lie territory. I still think Consumer Reports, The Better Business Bureau or even any competitor would have no trouble getting them condemned for false advertising.

Comment: Re:Lawsuits coming? (Score 1) 418

by fgouget (#49027339) Attached to: $10K Ethernet Cable Claims Audio Fidelity, If You're Stupid Enough To Buy It

ISPs get plenty of money from spammers. Ever heard of Ecatel?

No. And a search on Google did not return any ISP called Ecatel. There is a server hosting company by that name but that's no ISP. Their relation to spammers is also not clear. So you'll have to be more specific.

Comment: Re:Lawsuits coming? (Score 1) 418

Are you saying that shielding and twisting in ethernet cables don't matter?

The twisting is part of the Ethernet specification so it's identical between the 10 cent cable and the $10,000 one. The shielding only matters if the cable is subjected to radio noise and $10 cables have that too anyway.
