
Comment Re: S/MIME (Score 1) 83

Apologies: I mis-read the earlier comment. My comment about StartSSL generating a private key for the user applies only for SSL/TLS certs (where users can, as I mentioned, skip that and submit their own CSR).

When one generates a client certificate such as used in S/MIME, the key generation takes place entirely in the browser using keygen tags -- the private key is stored locally and the public key is sent to the server for signing.

Put simply, StartSSL (and other CAs around the world) are happy to issue certificates identifying you as you, but none of them AFAIK generate the private key themselves. Maybe some internal corporate CA systems do, but I'm not aware of any commercial ones that generate private keys for client certs.

Comment Re: S/MIME (Score 1) 83

Not necessary. Startcom, a company in Israel, is happy to generate and store a key that you can use to certify that you are you, for free. I think this also demonstrates the insane brokenness of the certificate authority system.

Sure, they offer the option (by default, which is annoying) for them to generate a private key for you (they claim not to store it) but you're welcome to generate your own private key and CSR and submit it for signing -- that way they never see your private key.

Comment Re:Why not both? (Score 4, Insightful) 239

AC has far lower transmission losses over long distances

Does it? I was always under the impression that AC was used for long-distance transmission because it could be easily stepped up to very high voltages with transformers while efficient DC-to-DC conversion was not possible until relatively recently. For the same power transmitted, resistive losses are lower at higher voltages as power lost to heat goes as I^2*R and lower currents could be used.

However, modern solid-state DC-to-DC converters are extremely efficient, can step DC voltages up to very high voltages and thus benefit from lower resistive losses in transmission. HVDC also benefits from not having to deal with inductive or capacitive losses in the cable.

In short, as far as I know the key to minimizing losses in transmission lines is to use high voltages, not because of any inherent advantage of AC.

Comment Re:We should do what GPS does (Score 2) 233

I recently took a private tour of the time and frequency lab at METAS (the Swiss Federal Institute of Metrology) and got to observe their atomic clocks, ask the people there some questions, etc.

The scientist in charge of the lab wishes everyone would use TAI for time distribution. TAI has no leap seconds and differs from GPS time by a constant 19 seconds. If TAI was used, computers would never have to worry about leap seconds internally and things would be greatly simplified.

Computers don't care what time is used internally, and it's easy for computers to get a table of leap seconds and use that data to display UTC to users so the displayed time matches solar time.
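An added illustration of the scheme described in the comment above (not part of the original comment): time is kept internally as a leap-second-free TAI count, and a leap-second table is consulted only when rendering UTC for display. The epoch, the function names and the four-row table subset are assumptions of this example.

```python
from datetime import datetime, timedelta

# Assumed internal representation: integer seconds on the TAI scale since this label.
TAI_EPOCH = datetime(1970, 1, 1)

# (UTC date the value took effect, TAI-UTC in seconds). Subset of the published
# leap-second table; a real system would load the full, current table.
LEAP_TABLE = [
    (datetime(2009, 1, 1), 34),
    (datetime(2012, 7, 1), 35),
    (datetime(2015, 7, 1), 36),
    (datetime(2017, 1, 1), 37),
]

def tai_seconds(tai_label: datetime) -> int:
    """Internal counter value for a calendar label read on the TAI scale."""
    return int((tai_label - TAI_EPOCH).total_seconds())

def gps_to_tai(gps_label: datetime) -> datetime:
    """GPS time is a constant 19 s behind TAI, so no table is needed."""
    return gps_label + timedelta(seconds=19)

def tai_to_utc_string(count: int) -> str:
    """Render an internal TAI count as UTC, including the 23:59:60 label."""
    tai = TAI_EPOCH + timedelta(seconds=count)
    offset = None
    for effective, tai_minus_utc in LEAP_TABLE:
        # TAI label at which the new offset starts to apply
        start = effective + timedelta(seconds=tai_minus_utc)
        if tai == start - timedelta(seconds=1):
            # This instant is the inserted leap second itself; datetime
            # cannot hold second 60, so format it by hand.
            last_day = effective - timedelta(days=1)
            return last_day.strftime("%Y-%m-%dT23:59:60Z")
        if tai >= start:
            offset = tai_minus_utc
    if offset is None:
        raise ValueError("instant predates the embedded leap-second table")
    return (tai - timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    base = tai_seconds(datetime(2017, 1, 1, 0, 0, 35))
    for step in range(3):  # three consecutive TAI seconds around the 2016 leap second
        print(base + step, tai_to_utc_string(base + step))
```

The internal counter advances by exactly one per elapsed second, so interval arithmetic stays correct even though the displayed UTC labels include a 61-second minute.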

Comment Oldie but goodie (Score 1) 558

My desktop at home has the following:

Intel Core 2 Quad Q6600 @2.4GHz
8GB DDR2 RAM (MB can hold 16GB, but DDR2 is bloody expensive now)
Gigabyte GA-EP45-UD3R motherboard
Nvidia GeForce GTX 550 Ti
Crucial M550 1TB SSD (boot disk, most applications)
Mixed SATA hard disks, from 750GB to 4TB (games, photos, backups, etc.)

Nothing special, but other than the graphics card and hard disks I've found no real need to upgrade the rest of the system. I built it back in 2007 with my then-girlfriend (now wife) and it just keeps on trucking along, plays modern games with no issues, etc.

Comment Re:This makes me worry. (Score 2) 111

Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

Perhaps, but it also helps protect against content injection or manipulation (e.g. ad injection by shady ISPs), snooping by third parties (e.g. hotel or coffee-shop networks), etc.

Honestly, there's very little reason *not* to encrypt data these days.

Comment Re:Airtel got caught, what about others? (Score 2) 134

How many people routinely check the source of their own web page through different connections to look for such injections? If some major US cell network or ISP did this, how likely they will be caught? Would https stop them from messing around with injections?

So long as the injector can't issue SSL certs that the user will trust, yes, https will stop such injections.

If the injector *can* issue SSL certs that the user will trust (e.g. the ISP requires users install their local CA, or they somehow have a global wildcard from a trusted CA), all bets are off -- the injector can impersonate and inject content into any https-secured site.

Comment Re:Why (Score 1) 138

... have Facebook encrypt email it sends to you ...

This doesn't prove who sent the message. A message must be encrypted with the receiver's public key and encrypted again with the sender's private key. Once again, all security depends on the integrity of the public-key server. Such servers can't prevent man-in-the-middle attacks.

In addition to encrypting messages to your public key, Facebook also digitally signs the messages using their private key and rotates the signing subkey every few months.

The fingerprint of their primary key (which is used to sign the signing subkeys) is available on their HTTPS-secured announcement page.

Additionally, all outgoing emails from Facebook are DKIM-signed, adding further assurance that it's from them.

Sure, it's *possible* that an HTTPS connection may be MITMed and DKIM records spoofed, but that requires an active attacker and significantly increases the risk of the attacker getting discovered. You could use Tor, a VPN, or a proxy from a different computer to verify that the HTTPS certificate, DKIM public keys, and the PGP fingerprint are what you see on your normal internet connection and thus have more assurance that the information is authentic.

Comment Re:how can we trust facebook? (Score 2) 138

That's not how it works. Facebook isn't letting you use PGP to encrypt user-to-user messages.

They're letting you upload your *public* key to your profile with the option to have Facebook encrypt any automated notification messages it sends to your email. This way those notification messages are protected from snooping as they traverse the internet between Facebook and your email server, while they are stored on the mail server, etc.

Comment Re:You still have to submit it (Score 1) 138

So how are you securely getting the email message to facebook to start with? I see an SSL connection that could easily have a "man in the middle" thing going on...

Facebook is encrypting automated notification messages (e.g. "[Friend name] posted new photos. Click here to see them." or "[Friend name] sent you a message on Facebook. Login to read it.") that it sends to your email account. Messages sent within Facebook are still unencrypted, only the notification message sent to your non-Facebook email would be encrypted.

Comment Re:Share your "encryption network" with Suckerberg (Score 1) 138

Maybe you're right. But for me pgp encryption needs marketing so a lot of people start using or at least being aware of it. It needs to become mainstream.

Why not S/MIME? - Seems like a better technology to me, since you can encrypt entire MIME parts (including attachments and (some) headers) rather than just body text.

A PKI is required (or at least strongly encouraged, if users don't want to self-sign keys) for S/MIME. CA-issued keys typically cost money and expire at regular intervals. Outside of corporate environments with managed keyservers, S/MIME is quite uncommon. PGP is hardly common as it is, but it's likely more so than S/MIME.

Facebook can (and does) use PGP/MIME, which has the advantages of S/MIME that you mention while avoiding the downsides.

Comment Re:Useless (Score 1) 138

Uh, if Facebook is doing the encryption that means they have the unencrypted plaintext. How does Facebook encrypting the message on the last leg of its journey to you prevent the NSA from intercepting the plaintext anywhere else along the chain, including having access to Facebook's servers?

Encryption that isn't performed on your machine isn't useful encryption.

Not all adversaries have access (either through legal methods like subpoenas, or otherwise) to Facebook. As an example, a non-US government might be snooping on network connections or foreign mail servers, or they might subpoena those services to gain information on a user. Network providers might monitor user traffic for advertising or other purposes. Email services like Gmail can scan a user's messages to build up a profile or get information on a user.

Accessing Facebook over HTTPS provides protection from many of these adversaries. Nobody reasonably argues that accessing Facebook over plaintext is a good idea. This is the same principle extended to email.

Comment Re:On a positive note (Score 1) 357

Oh, I don't know. It seems to me they have a 100% success rate since 9/11. We haven't had a successful terrorist attack on an airport or airliner in the years following that tragedy. All the anti-government nitwits can kick and scream all they want, and invent excuses and reasons, but at the end of the day THIS PROGRAM HAS DONE ITS JOB. Mission accomplished. Unless you had some other criteria you want to judge them on. And they cannot continue to do it without occasionally brushing a hand where you may not normally have one (besides your own). Deal with it, or find another way to travel. My safety is not worth pandering to your psychological shortcomings.

How frequently did terrorist attacks (attempted or successful) against airliners take place in the US in the years leading up to 9/11, compared to afterwards? How does this compare to other countries with differing degrees of security at airports? (For example, in Zurich there's no body scanners. Just metal detectors and standard luggage x-ray machines.)

Have there been any other changes in regards to monitoring or detecting (potential) terrorists that might have had a bigger effect?

One could argue that current airport screening techniques are reasonable and justified. However, there's obviously unreasonable extremes which one could consider (e.g. full cavity searches for all passengers, requiring passengers to strip and wear only airline-supplied hospital-style gowns, etc.). Where does one draw the line? When does something become unreasonable and not worth doing even if it could increase safety?

Comment Re:More like 57% effective (Score 3, Interesting) 357

They even once saved a plane from the pudding cup my daughter left in her backpack (which naturally earned her a pat-down).

My wife, then-infant daughter, and I had an interesting experience flying in the US: we often traveled with pre-packaged, ready-to-use UHT-sterilized bottles of formula just in case (a) my wife's milk production was insufficient at that moment and (b) we didn't have sufficient time or access to things like boiling water needed to make powdered formula. Since opening the sealed bottles defeats the point of UHT sterilization and starts the ~2 hour countdown after which the formula must be discarded, we asked them not to open the bottles.

Typically this was no problem: they did some swab tests, x-rayed the bottles, and concluded that they were (correctly) harmless. Additionally, they said that not opening the bottles meant that either my wife or I needed to get a pat-down but they let us choose who got the touchy-feely treatment. Obviously, any bad guys would have the one without concealed contraband get the search, thus defeating the purpose of the search.

At least that was better than Newark: the security screeners said they needed to do the swabbing and other tests before letting us proceed. However, the checkpoint was quite busy at the moment so they just had us stand around next to a table holding the bottles, my laptop, etc. for 10 minutes or so, then let us collect all the stuff and go. At no time were any of the tests they mentioned actually done.
