
Comment: NFS.net lets you configure your paranoia level.... (Score 1) 70

by gurnec (#49308297) Attached to: GoDaddy Accounts Vulnerable To Social Engineering (and Photoshop)

NearlyFreeSpeech.net offers many TLDs (not all) for registration. If you use them for DNS, their config page isn't that great IMO (it's a bit slow and cumbersome), but I like just about everything else about them.

Relevant to TFA: you can configure how many "recovery actions," between 2 and 7 (default: 3), which are required before you're granted access to lost account credentials. They also offer a "scorched earth" option: if you lose access to your account, it's gone forever (any associated services will persist until the account runs out of funds).

Screenshot of NFS.net account recovery settings

Comment: Conflict of interest? That's nothing.... (Score 1) 128

by gurnec (#49300047) Attached to: Why Is the Grand Theft Auto CEO Also Chairman of the ESRB?

Whatever conflict of interest may or may not exist at the ESRB (or MPAA for that matter) pales in comparison to the real issue those two organizations continue to perpetuate in the US: showing a little skin, talking about sex, and swearing is a sure way to get you an M or R rating, but gunning people down or beheading them is relatively acceptable behavior.

(FYI I'm not talking about a violent game's ability to influence the behavior of individuals IRL, which I believe is insignificant if it exists at all, I'm only talking about the ESRB/MPAA's messed up moral compass.)

Comment: NearlyFreeSpeech? Are you kidding?! (Score 2) 295

by gurnec (#49287055) Attached to: Ask Slashdot: Advice For Domain Name Registration?

These guys are crazy!

  • When their costs drop, they actually drop their prices... WTF?!
  • They don't even have any unlimited plans, they charge for usage!! That means that my p0rn site which gets tons of hits isn't subsidized by everyone else!
  • They actually charge for support! Why do I have to pay for support just cause I'm too stupid to figure anything out! I want my support to be paid for by everyone else who doesn't need support!!
  • They have all sorts of burdensome requirements to file a DMCA takedown request, I don't have time for this when all I really want to do is silence my critics!!

Please, whatever you do, avoid NFS at all costs!!!!

+ - Google Code Disables New Project Creation, Will Shut Down On January 25, 2016

Submitted by Anonymous Coward
An anonymous reader writes "GitHub has officially won. Google has announced that Google Code project creation has been disabled today, with the ultimate plan to kill off the service next year. On August 24, 2015, the project hosting service will be set to read-only. This means you will still be able to checkout/view project source, issues, and wikis, but nobody will be able to make changes or new commits. On January 25, 2016, Google Code will be shut down. Google says you will be able to download tarballs of project source, issues, and wikis “throughout the rest of 2016.” After that, Google Code will be gone for good."

+ - My Roommate, the Darknet Drug Lord->

Submitted by sarahnaomi
sarahnaomi (3948215) writes "I first met Ross Ulbricht, the 29-year old found guilty last month of creating and operating the deep web marketplace Silk Road, at a craft beer bar on Haight Street.

He arrived wearing a red sweatshirt and blue jeans, his face bearded. He was there for an interview, a sit-down with myself and the married couple I shared a townhouse with in Glen Park. We had a room for rent, and Ross had responded to the classified we posted online.

We did not know, really, what type of person he was, but, as we chatted over lambics and IPAs, I felt relieved: gone was the posturing so obvious in the previous candidates. They worked in advertising, at startups—Twitter employees who talked about how much money they made and the exotic locales where they took their vacations. Ross was a techie, but he didn't act like one. He seemed eloquent, optimistic, down-to-earth. He seemed trustworthy."


Comment: Lights the wearer up like a Christmas tree?? (Score 1) 150

by gurnec (#49163899) Attached to: AVG Announces Invisibility Glasses

If the point of the IR lights is to overexpose a camera that's IR sensitive, wouldn't this light them up like a Christmas tree? I wouldn't think that the kind of person who wants to hide their identity would be interested in wearing a big neon sign that says "Look at meee!!!" to any security guards monitoring those cameras....

Comment: Re:Hope that code gets better (Score 1) 88

Keep in mind that this is crypto code, which often has different properties and requirements than other types of code.

For example, the count of bytes to store a private key, or a finite field element, or a hash output, etc. is hard coded and never changes. It would be akin to asserting that the sizeof a uint32_t is 4 somewhere in your code.... not very useful. Perhaps some defines would be nice from a documentation point of view, but that's more a style choice.

Input validation must be handled very carefully due to the possibility of opening up side channel attacks (anywhere you see a piece of code which branches depending on its input is a potential vulnerability for a timing attack, and is intentionally avoided by this library).

But the big reason I'm a lot less concerned than you are is simply the reputation of the authors, who are among the most talented cryptographers on the planet. It's not that they can do no harm (such hubris would be self-defeating), but rather that the likelihood of you or I finding some vulnerability with just a cursory glance seems extremely unlikely....
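To make the branching point above concrete, here is an added example (not code from the library under discussion or from the commenter): a tag comparison that exits at the first mismatch, beside a branch-free version, with a helper that counts how many bytes each one examines for guesses that share 0, 1, 2 ... leading bytes with the real tag. The tag is a constructed sample, not a real secret.

```python
import hmac

def naive_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    The loop branches on the input: it stops at the first mismatch, so the
    time it takes reveals how many leading bytes of the guess were right,
    which is exactly the input-dependent branch a timing attack exploits."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined

def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Branch-free comparison. Every byte is always examined and the
    differences are OR-ed into an accumulator, so control flow does not
    depend on the data. In production use hmac.compare_digest, which does
    the same thing in C."""
    if len(a) != len(b):
        return False, 0
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0, len(a)

# Constructed 16-byte sample MAC tag (not a real key or secret).
TAG = bytes(range(0x10, 0x20))

def work_profile(compare, tag: bytes = TAG) -> list[int]:
    """Bytes examined for guesses sharing 0, 1, ..., 15 leading bytes with
    the tag; each guess has its next byte deliberately wrong."""
    profile = []
    for k in range(len(tag)):
        guess = tag[:k] + bytes([tag[k] ^ 0xFF]) + tag[k + 1:]
        profile.append(compare(tag, guess)[1])
    return profile

if __name__ == "__main__":
    print("naive   :", work_profile(naive_compare))          # 1, 2, ..., 16
    print("constant:", work_profile(constant_time_compare))  # 16 sixteen times
    assert hmac.compare_digest(TAG, TAG)
```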

Comment: 5 min? Actually those keys are STILL on GitHub (Score 1) 119

by gurnec (#48727527) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

In addition to the various other oversights already mentioned, OP doesn't seem to understand Git (or perhaps SCMs in general) given that those (now revoked) keys are still on GitHub -- there was no need for a bot to be all that quick.

Although I wouldn't blame OP for any single one of these oversights -- nobody's perfect -- it's fair to say that it took a number of different oversights / misunderstandings on OP's part for this to become a real problem.
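An added example (not from the commenter or the article) of the Git point made above: a throwaway repo commits a placeholder key, a second commit "removes" it, and git's pickaxe search still finds both commits, which is why a leaked key has to be revoked rather than just deleted from the tree. It assumes a git binary on PATH; the key value is a constructed placeholder.

```python
import pathlib
import subprocess
import tempfile

# Assumption: `git` is on PATH. Identity is passed with -c so the demo also
# works on a machine with no global git config.
GIT = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.com"]

def git(repo: str, *args: str) -> str:
    return subprocess.run(GIT + list(args), cwd=repo, check=True,
                          capture_output=True, text=True).stdout

# Constructed placeholder; not a real credential.
LEAKED = "AKIA_EXAMPLE_PLACEHOLDER_KEY"

def build_demo_repo() -> str:
    """Commit a hard-coded key, then 'remove' it in a second commit, the way
    a hurried fix usually looks."""
    repo = tempfile.mkdtemp(prefix="leak-demo-")
    git(repo, "init", "-q")
    cfg = pathlib.Path(repo, "settings.py")
    cfg.write_text(f'AWS_ACCESS_KEY_ID = "{LEAKED}"\n')
    git(repo, "add", "settings.py")
    git(repo, "commit", "-q", "-m", "add deploy settings")
    cfg.write_text('import os\nAWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n')
    git(repo, "commit", "-q", "-am", "remove hard-coded key")
    return repo

def present_in_head(repo: str, needle: str) -> bool:
    """What a casual look at the current tree shows."""
    return needle in git(repo, "show", "HEAD:settings.py")

def commits_touching(repo: str, needle: str) -> list[str]:
    """git's pickaxe (-S) lists every commit, on any ref, whose diff changed
    the number of occurrences of the string: here the commit that added the
    key and the one that removed it. A clone carries both."""
    out = git(repo, "log", "--all", "--format=%H", "-S" + needle)
    return out.split()

if __name__ == "__main__":
    repo = build_demo_repo()
    print("in HEAD:", present_in_head(repo, LEAKED))           # False
    print("commits in history:", len(commits_touching(repo, LEAKED)))  # 2
```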

The Courts

Hacker Threatened With 44 Felony Charges Escapes With Misdemeanor 219

Posted by Soulskill
from the my-days-of-not-taking-you-seriously-are-certainly-coming-to-a-middle dept.
An anonymous reader writes: It's no secret that prosecutors usually throw every charge they can at an alleged criminal, but the case of Aaron Swartz brought to light how poorly-written computer abuse laws lend themselves to this practice. Now, another perfect example has resolved itself: a hacker with ties to Anonymous was recently threatened with 44 felony counts of computer fraud and cyberstalking, each with its own 10-year maximum sentence. If the charges stuck, the man was facing multiple lifetimes worth of imprisonment.

But, of course, they didn't. Prosecutors struck a deal to get him to plead guilty to a single misdemeanor charge, which carried only a $10,000 fine. The man's attorney, Tor Eklund, said, "The more I looked at this, the more it seemed like an archetypal example of the Department of Justice's prosecutorial abuse when it comes to computer crime. It shows how aggressive they are, and how they seek to destroy your reputation in the press even when the charges are complete, fricking garbage."

Comment: Re:How did the Constitution Fail? (Score 1) 450

by gurnec (#48341501) Attached to: Joey Hess Resigns From Debian

What are the options, then?

  1. A small handful of individuals who manage to work things out in an amicable way amongst themselves.
  2. A project headed by a benevolent dictator for life (e.g. Slackware).
  3. A governance model that is not dependent on a BDFL, and can scale better than "a small handful of individuals".

Even though option 2 works well for some projects, it's not always ideal. This doesn't seem to be a problem with a simple solution (and it probably doesn't help that not many techies are great at politics).

Comment: Unfortunately, she's not quite that stupid (Score 2) 105

by gurnec (#48290567) Attached to: Video Raises Doubts About Attkisson's Claims of Malicious Hacking

According to WaPo, she claims that this iPhone video was taken in September 2013, and not related to the alleged December 2012 incident. It looks like crooksandliars jumped the gun here.

The rather blatant Dancing with the Stars episode playing in the background may have even been intentional to provide additional credence to the video (the timing is dead on with her claim).

That's not to say she's not otherwise mistaken (or outright dishonest), but this isn't the smoking gun you're looking for.

Comment: Re:Victim Blaming (Score 1) 275

by gurnec (#48229223) Attached to: CHP Officers Steal, Forward Nude Pictures From Arrestee Smartphones

if you're going to store it on someone else's system (iCloud, etc) then this is what happens.

Maybe, but this has been argued to death, no need for a repeat.

First, if you're going to have that crap on your phone

First, if you're going to have that crap on your tablet
First, if you're going to have that crap on your laptop
First, if you're going to have that crap on your home PC
First, if you're going to have that crap in your car
First, if you're going to have that crap in your home

Is that really what you're implying?!? Without more context, it's hard to tell if you're uninformed or just trollin.

Comment: Re:Easy to fake... (Score 2) 109

by gurnec (#48192125) Attached to: China Staging a Nationwide Attack On iCloud and Microsoft Accounts

I don't see a mistakenly created certificate. It looks like it is legitimately for hotmai.com
...
Or another way - if Microsoft is catching typos, why would a nation state be amateurish for doing the same thing?

Microsoft isn't doing the same thing, though. You're right that the (real) hotmai.com site does redirect to outlook.com, however it doesn't have a certificate, nor does it even have https enabled.

Furthermore, the packet capture shows that whoever created it was trying to visit "login.live.com" (it's in the SNI field of the SSL Client Hello message), and so the server should have responded with a cert for that domain, not for hotmail.com nor hotmai.com.

I'll stick by my interpretation that this was amateurish, I just don't know if it was intentionally so.
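An added example (not from the commenter or the article) of the SNI check described above: it builds a minimal ClientHello with a server_name extension, parses the requested host_name back out of the record bytes the way a packet-capture tool would, and checks whether a certificate's names actually cover that host. The record layout follows the TLS handshake format; the host and certificate names are constructed for the demo.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello record carrying a server_name extension."""
    name = host.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni              # extension_type 0 = server_name
    body = (b"\x03\x03" + bytes(32)       # client_version, random
            + b"\x00"                     # session_id: empty
            + b"\x00\x02\xc0\x2f"         # cipher_suites: one entry
            + b"\x01\x00"                 # compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the host_name the client asked for, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                       # headers, version, random
        pos += 1 + record[pos]                                 # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                                  # server_name
                p = pos + 2                                    # skip list length
                name_type, name_len = record[p], struct.unpack_from("!H", record, p + 1)[0]
                if name_type == 0:                             # host_name
                    return record[p + 3:p + 3 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error):
        return None

def cert_covers(sni: str, cert_names: list[str]) -> bool:
    """True if the certificate names cover the SNI host: exact match or a
    single-label wildcard such as *.live.com."""
    sni = sni.lower()
    for n in (c.lower() for c in cert_names):
        if n == sni or (n.startswith("*.") and sni.endswith(n[1:])
                        and sni.count(".") == n.count(".")):
            return True
    return False
```

A server that answers a ClientHello for login.live.com with a certificate naming only hotmail.com or hotmai.com fails `cert_covers`, which is the mismatch the comment points at.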

Comment: Easy to fake... (Score 2) 109

by gurnec (#48191917) Attached to: China Staging a Nationwide Attack On iCloud and Microsoft Accounts

Just an FYI... I've no reason to disbelieve the story, but it would be simple to fake the evidence presented...

I also wonder why the hotmail.com certificate was mistakenly created for the hotmai.com domain... that seems rather amateurish for a nation state. (Of course, perhaps plausible deniability is the reason.)

Regardless of whether or not it's fake, it does serve to point out the intentional flaws of Qihoo’s Chinese 360 "Secure Browser" pointed out by Rosyna above -- certainly a good thing to publicize.
