Comment Re:Stupid FUD (Score 1) 303

MAC address lockdown is practically useless on its own (see: ARP poisoning attacks & DHCP spoofing), not to mention completely unscalable.

Network isolation & good firewall rules at the demarcs are important, but they aren't a panacea.

slacka is correct, protecting networks after a physical intrusion has occurred is very difficult or impossible.

802.1X can help when it comes to the scalability of port authentication, and DHCP snooping and dynamic ARP inspection can both help in securing networks against ARP poisoning & DHCP manipulation, but they still leave some holes open.

802.1AE ("MACsec") theoretically mitigates a whole lot of attacks, but it's difficult to deploy to end-user devices. Want to attack a MACsec-protected network? Just look for the nearest printer which likely doesn't support MACsec and has an exception configged for its switch port.

This doesn't even begin to address hardware keyboard loggers, cameras, or TEMPEST attacks, all of which are perfectly capable of grabbing up user credentials.

In short:
    1) Security requires a defense in depth approach, and physical security is an important part of that defense.
    2) No matter how smart I may think I am, there's usually someone smarter who can think up some attack I haven't.
    3) The more security you have, the more capex, maintenance and failures you have to deal with -- it's always a balancing act.

More on topic though... as others have said, dumb article with no new revelations....
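To make the DHCP snooping / dynamic ARP inspection point above concrete, here is an added example (my own illustration, not code from the commenter or any switch vendor) that mimics what a switch does: DHCP ACKs seen on the network build an IP-to-MAC-to-port binding table, and ARP replies on untrusted ports are then checked against it. The sample DHCP and ARP events are constructed, not captured traffic. It also shows the hole the comment mentions: a port that is marked trusted (the "printer exception") bypasses the check entirely.

```python
# Constructed sample events: DHCP ACKs build the binding table (as DHCP snooping
# does), then ARP replies are validated against it (as dynamic ARP inspection does).
DHCP_ACKS = [
    # (switch port, client MAC, IP the DHCP server assigned)
    ("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10"),
    ("Gi1/0/2", "00:11:22:33:44:66", "10.0.0.11"),
    ("Gi1/0/3", "00:11:22:33:44:77", "10.0.0.12"),
]

ARP_REPLIES = [
    # (switch port, sender MAC, sender IP claimed in the ARP reply)
    ("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10"),  # consistent with its binding
    ("Gi1/0/3", "00:11:22:33:44:77", "10.0.0.10"),  # claims another host's IP
    ("Gi1/0/2", "00:11:22:33:44:66", "10.0.0.11"),  # consistent with its binding
    ("Gi1/0/4", "00:11:22:33:44:88", "10.0.0.13"),  # static host, no DHCP binding
    ("Gi1/0/1", "00:11:22:33:44:99", "10.0.0.10"),  # right IP, wrong sender MAC
]


def build_bindings(dhcp_acks):
    """IP -> (MAC, port) table, populated the way DHCP snooping would."""
    return {ip: (mac, port) for port, mac, ip in dhcp_acks}


def inspect_arp(bindings, arp_replies, trusted_ports=frozenset()):
    """Split ARP replies into (allowed, dropped); dropped entries carry a reason.

    Replies arriving on a trusted port are never checked, which is exactly the
    gap a MACsec/DAI exception for a printer port leaves open.
    """
    allowed, dropped = [], []
    for port, mac, ip in arp_replies:
        if port in trusted_ports:
            allowed.append((port, mac, ip))
            continue
        binding = bindings.get(ip)
        if binding is None:
            dropped.append((port, mac, ip, "no DHCP binding for IP"))
        elif binding != (mac, port):
            dropped.append((port, mac, ip, f"binding says {binding[0]} on {binding[1]}"))
        else:
            allowed.append((port, mac, ip))
    return allowed, dropped


if __name__ == "__main__":
    table = build_bindings(DHCP_ACKS)
    ok, bad = inspect_arp(table, ARP_REPLIES)
    for entry in bad:
        print("DROP", entry)
    print(f"{len(ok)} allowed, {len(bad)} dropped")
```

Run as a script it drops three of the five replies. Passing `trusted_ports={"Gi1/0/4"}` lets the static host through without a binding, which is the convenience that also makes such exceptions a blind spot; static IP-to-MAC entries for those devices are the usual way to avoid the exception.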

Comment Re:Where is it? (Score 1) 142

Agree with everything else you're saying, except perhaps this:

They also had to move the bot so it would fit in frame from that shooting location, that's why it's on a different bench from when the local news recorded it earlier.

The "beating" would have occurred on-camera (IIUC) had they performed it in the same place as it had been found. I'd venture that they weren't in possession at the time of the staged beating because it was a few nights after it actually occurred, so they just fake-beat a non-existent bot (plus the two prop arms—who knows what they actually were) just beyond the camera's visibility.

As I said before, I think it's more likely that they just want to troll the interwebs than actually release footage of themselves destroying property. Just a guess, though.

Comment Re:Where is it? (Score 2) 142

Certainly looks staged, I agree.

For example, why is the sky pitch black despite it purportedly being 5:45 AM (well into civil twilight, just 15 min. before full sunrise)?

The remaining question is: are they small d-bags (staged a fake destruction after some unknown party performed the actual destruction) or big ones (did the actual destruction themselves)? I'd guess the former—in an effort to make others look foolish, that seems to be more their M.O., but the latter wouldn't surprise me all that much either....

Comment Re:Well, I did read TFA... (Score 2) 128

Perhaps you're mistaking RSA with DSA.

DSA and ECDSA do share a lot. To construct both of these algorithms, you start with an abelian group (a set of elements (e.g. integers; one of these becomes your public key) plus a "group operation" (e.g. multiplication)) and a "trapdoor operation" which is easy to calculate in one direction, but believed to be hard to calculate in reverse. The trapdoor operation is a repeated application of the group operation.

With DSA, the abelian group is a set of integers between 1 and p-1 (p is prime), the group operation is integer multiplication modulo p, and the trapdoor operation is integer exponentiation modulo p. (Note that exponentiation is repeated multiplication.)

With ECDSA, the abelian group is the set of points on an elliptic curve over a finite field, the group operation is something called "point addition", and the trapdoor operation is something called "scalar multiplication" (which is just repeated point additions).

The rest of the DSA and ECDSA algorithm is the same, and can be defined by steps such as "repeat the group operation x times" which is performed using one of the two group operations above depending on which algorithm is being used.

RSA on the other hand is a completely different beast, and not at all similar to ECDSA.

the only difference between RSA and elliptic curve is the equation you use for the curve.

ECDSA uses a curve. Neither RSA nor DSA uses any form of curves or points.

Elliptic curve obviously uses the equation for an ellipse.

Elliptic curve crypto uses the equation for, well... an elliptic curve. An ellipse (oval), despite the similar name, is an entirely different equation.
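The claim that DSA and ECDSA are the same algorithm over two different groups is easy to show in code. The following is an added example (my own, not the commenter's) with two toy groups that share one sign/verify routine: a prime-order subgroup of the integers mod p for DSA, and the points of an elliptic curve over a finite field for ECDSA. The parameters (p = 23, q = 11, g = 2 for DSA; y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of order 19 for ECDSA) are constructed textbook-sized values and are useless for real security; `sign_digest`/`verify_digest` take the hash and nonce explicitly so the arithmetic can be checked by hand.

```python
import hashlib
import secrets


class ModPGroup:
    """DSA's group: a prime-order-q subgroup of 1..p-1 under multiplication mod p.
    Toy parameters: p = 23, g = 2, and 2 has order q = 11 modulo 23."""

    def __init__(self, p, q, g):
        self.p, self.q, self.g, self.identity = p, q, g, 1

    def op(self, a, b):
        return (a * b) % self.p          # the DSA group operation

    def to_int(self, elem):
        return elem                      # DSA's r is the element itself (reduced mod q)


class CurveGroup:
    """ECDSA's group: points (x, y) on y^2 = x^3 + a*x + b over F_p, with None as
    the point at infinity. Toy parameters: y^2 = x^3 + 2x + 2 over F_17, G = (5, 1)
    of prime order q = 19."""

    def __init__(self, p, a, b, q, g):
        self.p, self.a, self.b, self.q, self.g, self.identity = p, a, b, q, g, None

    def op(self, P, Q):
        """Point addition, covering doubling and P + (-P)."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                  # inverse points sum to infinity
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def to_int(self, P):
        return P[0]                      # ECDSA's r is the x-coordinate (reduced mod q)


def scalar_mul(G, elem, k):
    """'Repeat the group operation k times' via double-and-add. For ModPGroup this
    is modular exponentiation, for CurveGroup scalar multiplication: same code."""
    result, acc = G.identity, elem
    while k:
        if k & 1:
            result = G.op(result, acc)
        acc = G.op(acc, acc)
        k >>= 1
    return result


def hash_to_int(G, msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % G.q


def keygen(G):
    x = secrets.randbelow(G.q - 1) + 1   # private scalar
    return x, scalar_mul(G, G.g, x)      # public group element


def sign_digest(G, x, h, k):
    """(EC)DSA signing with an explicit nonce k; None if r or s came out zero."""
    r = G.to_int(scalar_mul(G, G.g, k)) % G.q
    s = pow(k, -1, G.q) * (h + x * r) % G.q
    return (r, s) if r and s else None


def sign(G, x, msg):
    while True:
        sig = sign_digest(G, x, hash_to_int(G, msg), secrets.randbelow(G.q - 1) + 1)
        if sig:
            return sig


def verify_digest(G, y, h, sig):
    r, s = sig
    if not (0 < r < G.q and 0 < s < G.q):
        return False
    w = pow(s, -1, G.q)
    R = G.op(scalar_mul(G, G.g, h * w % G.q), scalar_mul(G, y, r * w % G.q))
    return R != G.identity and G.to_int(R) % G.q == r


def verify(G, y, msg, sig):
    return verify_digest(G, y, hash_to_int(G, msg), sig)


DSA_TOY = ModPGroup(p=23, q=11, g=2)
ECDSA_TOY = CurveGroup(p=17, a=2, b=2, q=19, g=(5, 1))

if __name__ == "__main__":
    for name, G in (("DSA", DSA_TOY), ("ECDSA", ECDSA_TOY)):
        x, y = keygen(G)
        sig = sign(G, x, b"same algorithm, different group")
        print(name, sig, verify(G, y, b"same algorithm, different group", sig))
```

Notice that `sign_digest` and `verify_digest` only ever call `G.op`, `G.to_int` and the integer arithmetic mod q; everything that distinguishes DSA from ECDSA lives in the two group classes, and nothing in either class resembles RSA's e/d exponent pair.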

Comment Re:There probably isn't one (Score 1) 158

FWIW I use Trendnet Powerline adapters where I have poor Wi-Fi coverage. This is an Ethernet-over-AC-power technology. Specifically, I use a pair of their 500 series. I just ran a quick test, and with a 1Mbps upload stream (from my PS3 location to my PC), I was able to pull a download stream of around 60Mbps - 100Mbps (it fluctuated a bit between those speeds).

I occasionally have to reset them when they seem to lock up (say, once every 6 months or so), but overall I've been quite happy with them.

If you do find a solution to your question for the audio/video/controls, I'd definitely recommend a pair of these adapters versus any wireless option.

(Of course, YMMV.... if the two power sockets happen to be on opposite legs in a typical 2-leg 120/240V North American home, then the signal needs to go all the way out to the nearest pole-mounted service transformer and back, which will likely result in a slower speed than otherwise.)

Comment lets you configure your paranoia level.... (Score 1) 70

 offers many TLDs (not all) for registration. If you use them for DNS, their config page isn't that great IMO (it's a bit slow and cumbersome), but I like just about everything else about them.

Relevant to TFA: you can configure how many "recovery actions," between 2 and 7 (default: 3), which are required before you're granted access to lost account credentials. They also offer a "scorched earth" option: if you lose access to your account, it's gone forever (any associated services will persist until the account runs out of funds).

Screenshot of account recovery settings

Comment Conflict of interest? That's nothing.... (Score 1) 128

Whatever conflict of interest may or may not exist at the ESRB (or MPAA for that matter) pales in comparison to the real issue those two organizations continue to perpetuate in the US: showing a little skin, talking about sex, and swearing is a sure way to get you an M or R rating, but gunning people down or beheading them is relatively acceptable behavior.

(FYI I'm not talking about a violent game's ability to influence the behavior of individuals IRL, which I believe is insignificant if it exists at all, I'm only talking about the ESRB/MPAA's messed up moral compass.)

Comment NearlyFreeSpeech? Are you kidding?! (Score 2) 295

These guys are crazy!

  • When their costs drop, they actually drop their prices... WTF?!
  • They don't even have any unlimited plans, they charge for usage!! That means that my p0rn site which gets tons of hits isn't subsidized by everyone else!
  • They actually charge for support! Why do I have to pay for support just cause I'm too stupid to figure anything out! I want my support to be paid for by everyone else who doesn't need support!!
  • They have all sorts of burdensome requirements to file a DMCA takedown request, I don't have time for this when all I really want to do is silence my critics!!

Please, whatever you do, avoid NFS at all costs!!!!

Submission Google Code Disables New Project Creation, Will Shut Down On January 25, 2016

An anonymous reader writes: GitHub has officially won. Google has announced that Google Code project creation has been disabled today, with the ultimate plan to kill off the service next year. On August 24, 2015, the project hosting service will be set to read-only. This means you will still be able to checkout/view project source, issues, and wikis, but nobody will be able to make changes or new commits. On January 25, 2016, Google Code will be shut down. Google says you will be able to download tarballs of project source, issues, and wikis “throughout the rest of 2016.” After that, Google Code will be gone for good.

Submission My Roommate, the Darknet Drug Lord

sarahnaomi writes: I first met Ross Ulbricht, the 29-year old found guilty last month of creating and operating the deep web marketplace Silk Road, at a craft beer bar on Haight Street.

He arrived wearing a red sweatshirt and blue jeans, his face bearded. He was there for an interview, a sit-down with myself and the married couple I shared a townhouse with in Glen Park. We had a room for rent, and Ross had responded to the classified we posted online.

We did not know, really, what type of person he was, but, as we chatted over lambics and IPAs, I felt relieved: gone was the posturing so obvious in the previous candidates. They worked in advertising, at startups—Twitter employees who talked about how much money they made and the exotic locales where they took their vacations. Ross was a techie, but he didn't act like one. He seemed eloquent, optimistic, down-to-earth. He seemed trustworthy.


Comment Lights the wearer up like a Christmas tree?? (Score 1) 150

If the point of the IR lights is to overexpose a camera that's IR sensitive, wouldn't this light them up like a Christmas tree? I wouldn't think that the kind of person who wants to hide their identity would be interested in wearing a big neon sign that says "Look at meee!!!" to any security guards monitoring those cameras....

Comment Re:Hope that code gets better (Score 1) 88

Keep in mind that this is crypto code, which often has different properties and requirements than other types of code.

For example, the count of bytes to store a private key, or a finite field element, or a hash output, etc. is hard coded and never changes. It would be akin to asserting that the sizeof a uint32_t is 4 somewhere in your code.... not very useful. Perhaps some defines would be nice from a documentation point of view, but that's more a style choice.

Input validation must be handled very carefully due to the possibility of opening up side channel attacks (anywhere you see a piece of code which branches depending on its input is a potential vulnerability for a timing attack, and is intentionally avoided by this library).

But the big reason I'm a lot less concerned than you are is simply the reputation of the authors, who are among the most talented cryptographers on the planet. It's not that they can do no harm (such hubris would be self-defeating), but rather that the likelihood of you or I finding some vulnerability with just a cursory glance seems extremely unlikely....
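The timing-attack remark above (a branch that depends on secret input leaks through execution time) is the one point in the comment worth seeing in code. The following is an added example of mine, not code from the commenter or from the library being discussed: a comparison that returns at the first mismatching byte, beside one that folds every byte into an accumulator and never branches on the data. Each returns the number of byte comparisons it performed so the difference in work is visible without a stopwatch; the secret value is constructed.

```python
# Constructed secret, e.g. an expected MAC tag; the point is the comparison, not the value.
SECRET = b"correct-mac-value"


def naive_equal(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, byte_comparisons_done).

    The loop stops at the first differing byte, so the time taken grows with
    how long a prefix of the secret the attacker-controlled input matched.
    """
    steps = 0
    if len(a) != len(b):
        return False, steps
    for x, y in zip(a, b):
        steps += 1
        if x != y:                  # data-dependent branch: the leak
            return False, steps
    return True, steps


def constant_time_equal(a: bytes, b: bytes):
    """Branch-free comparison. Returns (equal, byte_comparisons_done).

    Differences are OR-ed into an accumulator and the loop always visits every
    byte, so the work done does not depend on where (or whether) inputs differ.
    Assumes both inputs have the fixed length of the tag being checked; a length
    mismatch is folded into the result rather than branched on.
    """
    steps = 0
    diff = len(a) ^ len(b)
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


if __name__ == "__main__":
    for guess in (b"xorrect-mac-value", b"correct-mac-valuX", SECRET):
        print(guess, naive_equal(SECRET, guess), constant_time_equal(SECRET, guess))
```

In a real program use the standard library's `hmac.compare_digest` rather than hand-rolling this; the example exists to show why a library author refuses to branch on input, not to replace that function.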

Comment 5 min? Actually those keys are STILL on GitHub (Score 1) 119

In addition to the various other oversights already mentioned, OP doesn't seem to understand Git (or perhaps SCMs in general) given that those (now revoked) keys are still on GitHub -- there was no need for a bot to be all that quick.

Although I wouldn't blame OP for any single one of these oversights -- nobody's perfect -- it's fair to say that it took a number of different oversights / misunderstandings on OP's part for this to become a real problem.

The Courts

Hacker Threatened With 44 Felony Charges Escapes With Misdemeanor 219

An anonymous reader writes: It's no secret that prosecutors usually throw every charge they can at an alleged criminal, but the case of Aaron Swartz brought to light how poorly-written computer abuse laws lend themselves to this practice. Now, another perfect example has resolved itself: a hacker with ties to Anonymous was recently threatened with 44 felony counts of computer fraud and cyberstalking, each with its own 10-year maximum sentence. If the charges stuck, the man was facing multiple lifetimes worth of imprisonment.

But, of course, they didn't. Prosecutors struck a deal to get him to plead guilty to a single misdemeanor charge, which carried only a $10,000 fine. The man's attorney, Tor Eklund, said, "The more I looked at this, the more it seemed like an archetypal example of the Department of Justice's prosecutorial abuse when it comes to computer crime. It shows how aggressive they are, and how they seek to destroy your reputation in the press even when the charges are complete, fricking garbage."

Comment Re:How did the Constitution Fail? (Score 1) 450

What are the options, then?

  1. A small handful of individuals who manage to work things out in an amicable way amongst themselves.
  2. A project headed by a benevolent dictator for life (e.g. Slackware).
  3. A governance model that is not dependent on a BDFL, and can scale better than "a small handful of individuals".

Even though option 2 works well for some projects, it's not always ideal. This doesn't seem to be a problem with a simple solution (and it probably doesn't help that not many techies are great at politics).
