
Comment: Re:And this is good why? (Score 2) 150

by hankwang (#48809289) Attached to: Wireless Keylogger Masquerades as USB Phone Charger

"the claim that this can work against all Microsoft Wireless Keyboards is 100% BS, and has been since 2007, when the issue was first uncovered; covered in depth by Schneier, and remedied in all versions of the Microsoft Wireless Keyboard created since then, which use at minimum 128-bit AES; NOT XOR."

The only meaningful hits on 'schneier microsoft wireless keyboard' are just a few broken links to a Dreamlab study:

Those were using a 27 MHz transmitter (near field, I suppose) and an association process that at least uses a different xor key each time. TFA claims that the newer 2.4 GHz keyboards always use the same xor key, 0xCD. TFA mentions at least two recent keyboard models that use this protocol. (Maybe I overlooked other ones)

It seems that there is only the MS "2000 AES for business" keyboard that is explicitly marketed as using AES.
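An added example of why a fixed one-byte xor key is no protection at all; this is not code from the article, from the keylogger hardware, or from any keyboard vendor. The key value 0xCD is the one the comment above attributes to TFA; the captured "frames" are constructed here for the demo and assume the simplest possible layout (one plaintext byte per frame, no framing or checksum), which is a simplification. The point is that the sniffer does not even need to know the key: with ciphertext only, all 256 candidates are tried and the one that decrypts to English-looking text wins.

```python
"""Ciphertext-only recovery of a fixed single-byte XOR key.

Added example for this thread; not code from the article, the keylogger
project or a keyboard vendor. 0xCD is the key value the thread attributes
to TFA. The capture below is constructed: one plaintext byte per frame,
nothing else, which is a simplifying assumption about the radio format.
"""
import string

KEY_FROM_ARTICLE = 0xCD  # used only to build the constructed sample capture

# Plaintext typed on the keyboard in this constructed scenario.
SAMPLE_TYPED = (
    b"hi bob, the vpn password is still Tr0ub4dor&3, "
    b"please rotate it today. thanks, alice\n"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; decryption is the same operation."""
    return bytes(b ^ key for b in data)


# What a sniffer would see on the air in this scenario (constructed).
CAPTURED_FRAMES = xor_bytes(SAMPLE_TYPED, KEY_FROM_ARTICLE)

# Rough English letter frequencies (percent); space is the most common
# byte in typed text, so it gets the largest weight.
ENGLISH_FREQ = {
    " ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7,
    "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "c": 2.8, "u": 2.8,
    "m": 2.4, "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5,
    "v": 1.0, "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.1, "z": 0.07,
}


def english_score(candidate: bytes) -> float:
    """Higher when the bytes look like typed English text.

    Lowercase letters and spaces score by frequency, uppercase letters at
    half weight, other printable bytes zero, and control or high bytes are
    penalised hard so that a wrong key cannot win on garbage.
    """
    score = 0.0
    for b in candidate:
        c = chr(b)
        if c in ENGLISH_FREQ:
            score += ENGLISH_FREQ[c]
        elif c.isupper() and c.lower() in ENGLISH_FREQ:
            score += ENGLISH_FREQ[c.lower()] / 2
        elif c not in string.printable:
            score -= 20.0
    return score


def recover_key(ciphertext: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and keep the one whose output looks most like English."""
    best_key = max(range(256), key=lambda k: english_score(xor_bytes(ciphertext, k)))
    return best_key, xor_bytes(ciphertext, best_key)


if __name__ == "__main__":
    key, plaintext = recover_key(CAPTURED_FRAMES)
    print(f"recovered key 0x{key:02X}: {plaintext!r}")
```

A key that never changes and is shared by every unit is the real problem here, not the size of the key: even a per-pairing random byte would fall to the same 256-guess search, and only a real cipher with a per-device key (the AES the grandparent post mentions) stops a passive listener.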

Comment: Re:"which had 12 people killed." WTF? (Score 2) 512

by hankwang (#48769053) Attached to: Publications Divided On Self-Censorship After Terrorist Attack

"Turkey -- 99.8% Muslim"

Where did you get that number? Walk around in a big city and you will see less than 50% of the local women wearing head scarves, in most neighborhoods. In some places, it's less than 10%.

Turkey does register most citizens as "Muslim" as a default value, unless they are Christian or Jewish, but it has little to do with the beliefs of those citizens. Many Turks are atheistic (and utterly despise the present Muslim government).

Source: my Turkish S.O., who has "Islam" in her passport despite coming from a family that has been secular for several generations.

Comment: RC4, how weak is it? (Score 4, Informative) 148

by hankwang (#48755887) Attached to: Tips For Securing Your Secure Shell

TFA: "... RC4 are broken. Again, no need to wait for them to become even weaker, disable them now."

Is that really so? I think RC4/arcfour is only known to leak secret data in the first 2 KB of the cipher stream, and for that reason SSH will simply feed it 2 KB or so of garbage data before encrypting the actual payload. Or am I mistaken?

RC4 has a big advantage: it is by far the fastest cipher, which is relevant if you want to do large file transfers over slowish hardware (home-grade NAS, Raspberry Pi, old Atom CPU, etc.).
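An added example to make the "first bytes of the keystream" point concrete; this is not code from the article, from OpenSSH, or from the poster above. It implements plain RC4, measures the best-known early-keystream bias (the second output byte is 0 with probability about 1/128 instead of 1/256, the Mantin-Shamir result), and shows the keystream discard SSH actually uses: RFC 4345 defines "arcfour128" and "arcfour256" as RC4 with the first 1536 bytes of keystream thrown away. The keys below are constructed for the demo.

```python
"""RC4 keystream, its early-byte bias, and the SSH-style keystream discard.

Added example for this thread (not OpenSSH code). The discard of 1536
bytes is the figure from RFC 4345 for the SSH arcfour128/arcfour256
ciphers. Keys used here are constructed for the demo.
"""
import random


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` keystream bytes after discarding the first `drop`."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    i = j = 0
    out = bytearray()
    for n in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        z = s[(s[i] + s[j]) & 0xFF]
        if n >= drop:  # everything before `drop` is thrown away
            out.append(z)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) with an optional keystream discard."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_rate(trials: int, drop: int = 0, seed: int = 1234) -> float:
    """Fraction of random keys whose second emitted keystream byte is 0.

    Without a discard this is about 1/128 (Mantin-Shamir bias); a uniform
    keystream would give 1/256. The seed makes the measurement repeatable.
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # constructed key
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print("plain RC4, P[Z2 == 0] =", second_byte_zero_rate(8000), "(1/128 =", 1 / 128, ")")
    print("after 1536-byte drop   =", second_byte_zero_rate(2000, drop=1536), "(1/256 =", 1 / 256, ")")
    msg = b"scp payload"
    ct = rc4_crypt(b"session-key", msg, drop=1536)
    assert rc4_crypt(b"session-key", ct, drop=1536) == msg
```

The discard removes this particular bias, which is what arcfour128 was designed for, but it does not address the later-keystream biases that the "RC4 is broken" advice refers to, so the example supports only the narrow claim that the first bytes are the worst ones.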

Comment: Re:Give the man some slack (Score 2) 119

by hankwang (#48726933) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

The mistake he made was not understanding the tools he was using. (...) Signing up for a service and then using it without reading the documentation is foolish.

I assume that you also blame the subprime borrowers for signing a contract that they didn't fully understand without putting most of the blame on the banks that knew damn well what they were doing?

The fact that one person can be blamed for a mistake due to lack of experience does not mean that there is not someone else (i.e., Amazon and the people who actually abused the keys) who deserves a lot more blame.

Comment: Give the man some slack (Score 4, Insightful) 119

by hankwang (#48724047) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

To all posters who are blaming the man for being so stupid: please RTFA. He had just opened an Amazon AWS 1-year free trial to practice what he'd just learnt about Ruby on Rails. He made a mistake:

I knew my API key needed to be safe, so I installed the Figaro gem (a rails API key security gem, which typically works great), and trusted it to keep my API key off of git when I pushed. (...) deleted all traces from GitHub. I was able to clean it up within about 5 minutes (...) After a close call, I went to bed.

Surely it is not that unreasonable to (1) realize that those keys will be scraped within 5 minutes after uploading to an obscure project, and (2) not realize that an S3 key in a free trial subscription wouldn't allow racking up $2375 in EC charges within 10 hours?
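An added example of the check that would have caught this before the push; it is not code from the article, from Figaro, or from AWS, and it is written here for the thread, not by the poster. It scans text (a staged git diff, or the constructed sample below) for AWS access key IDs, which are 20 characters starting with AKIA (long-lived keys) or ASIA (temporary credentials), and for a heuristic secret-key pattern (40 characters of base64-style alphabet next to a "secret_access_key" name). The secret pattern will have false positives; for a pre-commit check that is the right trade-off. The key values in the sample are the placeholder examples AWS uses in its own documentation.

```python
"""Pre-commit style scan for AWS credentials in text or a staged git diff.

Added example for this thread; not code from the article, Figaro or AWS.
Access key IDs are 20 chars starting AKIA (long-lived) or ASIA
(temporary). The secret pattern is a heuristic and may produce false
positives. SAMPLE_DIFF is constructed; the key values in it are the
placeholders AWS uses in its documentation.
"""
import re
import subprocess
import sys

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?:aws)?_?secret(?:_access)?_key\W{0,5}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, kind, matched value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def staged_diff() -> str:
    """Text of what `git commit` is about to record (added lines included)."""
    return subprocess.run(
        ["git", "diff", "--cached", "-U0"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample: a config file with real-looking keys plus a source
# line that only references an environment variable (must not be flagged).
SAMPLE_DIFF = """\
+++ b/config/application.yml
+aws_access_key_id: AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+++ b/app.rb
+  s3 = Aws::S3::Client.new(access_key_id: ENV["AWS_ACCESS_KEY_ID"])
"""


if __name__ == "__main__":
    text = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    hits = scan(text)
    for lineno, kind, value in hits:
        print(f"line {lineno}: {kind}: {value[:8]}... refusing to commit")
    sys.exit(1 if hits else 0)
```

Installed as `.git/hooks/pre-commit` (run with `--staged`), it blocks the commit rather than relying on a gem to keep the file out of the repository; the `ENV[...]` reference in the sample passes because the scanner looks for the credential itself, not for the variable name. Note that the only real fix once a key has been pushed is to deactivate it in IAM, since scrapers keep copies of deleted commits.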

Comment: Re:Interesting (Score 4, Interesting) 293

by hankwang (#48661655) Attached to: Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi

Repeat guests? C'mon, really? You shop for hotels the same way the rest of us do - Either your employer tells you "you will stay here", or you use a price search and pick the lowest place that doesn't mention rats in the toilet.

Would you book a place that mentions complaints along the lines of "The bathroom is clean, but cell phones of any provider don't work here and the room phone is 2 dollars per minute?"

As for the employer: the travel offices of big companies who regularly have their people work on site at major customer or other offices will consider putting their employees somewhere else if they all complain about a particular hotel. The repeat customer is not the individual person, but the employer.

Comment: Re:Simple: enable your password (Score 1) 105

by hankwang (#48575345) Attached to: Canadian Supreme Court Rules In Favor of Warrantless Cellphone Searches

"the carriers and phone makers are all REQUIRED by calea (in the US) to have backdoors on anything that has a 'network' aspect to it."

Citation needed.

"they have magic usb cables that get into your phone"

I think I saw a website of a company that claims to have such a device, but I had the distinct impression that it mostly helps with booting into recovery mode (android phones); it will tell you which combo of power/volume up/down to press during boot. Some phones don't have a locked bootloader or have a bootloader that allows installing software to the "ROM" from the bootloader. (I've seen this on low-end Samsungs and the popular Clockworkmod bootloader for Cyanogenmod allows this).

For phones that are switched on, it will check for usb debugging and mass storage access.

Essentially, it has collected the known procedures for rooting for a lot of phones. Guess what, a lot of phones cannot be rooted without either having unlocked the screen or wiping all user data.

Comment: Re:So, in essence, Uber's app is malware (Score 3, Informative) 234

by hankwang (#48474979) Attached to: Uber's Android App Caught Reporting Data Back Without Permission

"Unless they have changed their stance since CM7, the privacy manager sucks compared to XPrivacy because XPrivacy will allow spoofing of data. If a permission is flatly blocked instead of spoofed then many apps will force close"

Well, they did. CM11 has a privacy manager that will allow you to block access to contacts and so on, without making apps crash. I have set it up such that it will notify me whenever an app tries to access contacts, sms, calendar, location and it is surprising how few suspicious popups I get. One weird thing: wifi related apps need location access in order to show access points. Makes some sense, but it took me a while to realize why those apps weren't working.

Comment: Re:Shyeah, right. (Score 1) 284

by hankwang (#48464895) Attached to: Is LTO Tape On Its Way Out?

"You need it backed up on at least 4 pieces of media, of at least 3 different types, in at least 2 different cities, in at least 1 different state; bumping each of those numbers up by 1 is not unreasonable."

At least 2 different cities means two or more cities.
At least 1 different state means one or more states.

Well, at least, you don't store it in zero states.

Comment: Re:Cost nothing to run? (Score 1) 488

by hankwang (#48366613) Attached to: Denmark Faces a Tricky Transition To 100 Percent Renewable Energy

"[Conventional plants] also produce so much more power that merely sending somebody by once a year to glance that the green LED is still softly glowing is more maintenance per watt."

That could be an interesting hypothesis, but if you put it down like a hard fact, you should also provide some data to support it so that we can have a meaningful discussion about it.

Comment: Re:MS Office Incompatibility (Score 2) 170

by hankwang (#48366535) Attached to: What Happens When Nobody Proofreads an Academic Paper

In LaTeX (and Word for that matter), I always prefix my notes with @@@ because that is a string that never occurs in normal text (easily searchable) and that sticks out visually like a sore thumb.

Percent-sign-prefixed comments ("this needs an update") are much easier to overlook, or even guaranteed to be overlooked during proofreading. At least, I don't proofread my LaTeX markup, but rather the typeset document.

Comment: Re:Monster EF5? (Score 1) 61

by hankwang (#48344227) Attached to: Researchers Simulate Monster EF5 Tornado

"It's called the F5 - From what I can gather, somewhere along the line they had to "enhance" the F ratings to get more f4's and ef 5's."

Not quite. From Wikipedia:

It was revised to reflect better examinations of tornado damage surveys, so as to align wind speeds more closely with associated storm damage. Better standardizing and elucidating what was previously subjective and ambiguous, it also adds more types of structures and vegetation, expands degrees of damage, and better accounts for variables such as differences in construction quality.
Since the new system still uses actual tornado damage and similar degrees of damage for each category to estimate the storm's wind speed, the National Weather Service states that the new scale will likely not lead to an increase in a number of tornadoes classified as EF5.
