Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:We should do what GPS does (Score 2) 233 233

I recently took a private tour of the time and frequency lab at METAS (the Swiss Federal Institute of Metrology) and got to observe their atomic clocks, ask the people there some questions, etc.

The scientist in charge of the lab wishes everyone would use TAI for time distribution. TAI has no leap seconds and differs from GPS time by a constant 19 seconds. If TAI was used, computers would never have to worry about leap seconds internally and things would be greatly simplified.

Computers don't care what time is used internally, and it's easy for computers to get a table of leap seconds and use that data to display UTC to users so the displayed time matches solar time.

Comment: Oldie but goodie (Score 1) 558 558

My desktop at home has the following:

Intel Core 2 Quad Q6600 @2.4GHz
8GB DDR2 RAM (MB can hold 16GB, but DDR2 is blood expensive now)
Gigabyte GA-EP45-UD3R motherboard
Nvidia GeForce GTX 550 Ti
Crucial M550 1TB SSD (boot disk, most applications)
Mixed SATA hard disks, from 750GB to 4TB (games, photos, backups, etc.)

Nothing special, but other than the graphics card and hard disks I've found no real need to upgrade the rest of the system. I built it back in 2007 with my then-girlfriend (now wife) and it just keeps on trucking along, plays modern games with no issues, etc.

Comment: Re:This makes me worry. (Score 2) 111 111

Rather than take the time to understand their perimeter and data it exposes they want to "protect" everything with HTTPS. Which probably doesn't make sense for static, non interactive services.

Perhaps, but it also helps protect against content injection or manipulation (e.g. ad injection by shady ISPs), snooping by third parties (e.g. hotel or coffee-shop networks), etc.

Honestly, there's very little reason *not* to encrypt data these days.

Comment: Re:Airtel got caught, what about others? (Score 2) 134 134

How many people routinely check the source of their own web page through different connections to look for such injections? If some major US cell network or ISP did this, how likely they will be caught? Would https stop them from messing around with injections?

So long as the injector can't issue SSL certs that the user will trust, yes, https will stop such injections.

If the injector *can* issue SSL certs that the user will trust (e.g. the ISP requires users install their local CA, or they somehow have a global wildcard from a trusted CA), all bets are off -- the injector can impersonate and inject content into any https-secured site.

Comment: Re:Why (Score 1) 138 138

... have Facebook encrypt email it sends to you ...

This doesn't prove who sent the message. A message must be encrypted with the receiver's public key and encrypted again with the sender's private key. Once again, all security depends on the integrity of the public-key server. Such servers can't prevent man-in-the-middle attacks.

In addition to encrypting messages to your public key, Facebook also digitally signs the messages using their private key and rotates the signing subkey every few months.

The fingerprint of their primary key (which is used to sign the signing subkeys) is available on their HTTPS-secured announcement page.

Additionally, all outgoing emails from Facebook are DKIM-signed, adding further assurance that it's from them.

Sure, it's *possible* that an HTTPS connection may be MITMed and DKIM records spoofed, but that requires an active attacker and significantly increases the risk of the attacker getting discovered. You could use Tor, a VPN, or a proxy from a different computer to verify that the HTTPS certificate, DKIM public keys, and the PGP fingerprint are what you see on your normal internet connection and thus have more assurance that the information is authentic.

Comment: Re:how can we trust facebook? (Score 2) 138 138

That's not how it works. Facebook isn't letting you use PGP to encrypt user-to-user messages.

They're letting you upload your *public* key to your profile with the option to have Facebook encrypt any automated notification messages it sends to your email. This way those notification messages are protected from snooping as they traverse the internet between Facebook and your email server, while they are stored on the mail server, etc.

Comment: Re:You still have to submit it (Score 1) 138 138

So how are you securely getting the email message to facebook to start with? I see an SSL connection that could easily have a "man in the middle" thing going on...

Facebook is encrypting automated notification messages (e.g. "[Friend name] posted new photos. Click here to see them." or "[Friend name] sent you a message on Facebook. Login to read it.") that it sends to your email account. Messages sent within Facebook are still unencrypted, only the notification message sent to your non-Facebook email would be encrypted.

Comment: Re:Share your "encryption network" with Suckerberg (Score 1) 138 138

Maybe you're right. But for me pgp encryption needs marketing so a lot of people start using or at least being aware of it. It needs to become mainstream.

Why not S/MIME? - Seems like a better technology to me, since you can encrypt entire MIME parts (including attachments and (some) headers) rather than just body text.

A PKI is required (or at least strongly encouraged, if users don't want to self-sign keys) for S/MIME. CA-issued keys typically cost money and expire at regular intervals. Outside of corporate environments with managed keyservers, S/MIME is quite uncommon. PGP is hardly common as it is, but it's likely more so than S/MIME.

Facebook can (and does) use PGP/MIME, which has the advantages of S/MIME that you mention while avoiding the downsides.

Comment: Re:Useless (Score 1) 138 138

Uh, if Facebook is doing the encryption that means they have the unencrypted plaintext. How does Facebook encrypting the message on the last leg of its journey to you prevent the NSA from intercepting the plaintext anywhere else along the chain, including having access to Facebook's servers?

Encryption that isn't performed on your machine isn't useful encryption.

Not all adversaries have access (either through legal methods like subpoenas, or otherwise) to Facebook. As an example, a non-US government might be snooping on network connections or foreign mail servers, or they might subpoena those services to gain information on a user. Network providers might monitor user traffic for advertising or other purposes. Email services like Gmail can scan a user's messages to build up a profile or get information on a user.

Accessing Facebook over HTTPS provides protection from many of these adversaries. Nobody reasonably argues that accessing Facebook over plaintext is a good idea. This is the same principle extended to email.

Comment: Re:On a positive note (Score 1) 357 357

Oh, I don't know. It seems to me they have a 100% success rate since 9/11. We haven't had a successful terrorist attack on an airport or airliner in the years following that tragedy. All the anti-government nitwits can kick and scream all they want, and invent excuses and reasons, but at the end of the day THIS PROGRAM HAS DONE ITS JOB. Mission accomplished. Unless you had some other criteria you want to judge them on. And they cannot continue to do it without occasionally brushing a hand where you may not normally have one (besides your own). Deal with it, or find another way to travel. My safety is not worth pandering to your psychological shortcomings.

How frequently did terrorist attacks (attempted or successful) against airliners take place in the US in the years leading up to 9/11, compared to afterwards? How does this compare to other countries with differing degrees of security at airports? (For example, in Zurich there's no body scanners. Just metal detectors and standard luggage x-ray machines.)

Have there been any other changes in regards to monitoring or detecting (potential) terrorists that might have had a bigger effect?

One could argue that current airport screening techniques are reasonable and justified. However, there's obviously unreasonable extremes which one could consider (e.g. full cavity searches for all passengers, requiring passengers to strip and wear only airline-supplied hospital-style gowns, etc.). Where does one draw the line? When does something become unreasonable and not worth doing even if it could increase safety?

Comment: Re:More like 57% effective (Score 3, Interesting) 357 357

They even once saved a plane from the pudding cup my daughter left in her backpack (which naturally earned her a pat-down).

My wife, then-infant daughter, and I had an interesting experience flying in the US: we often traveled with pre-packaged, ready-to-use UHT-sterilized bottles of formula just in case (a) my wife's milk production was insufficient at that moment and (b) we didn't have sufficient time or access to things like boiling water needed to make powdered formula. Since opening the sealed bottles defeats the point of UHT sterilization and starts the ~2 hour countdown after which the formula must be discarded, we asked them not to open the bottles.

Typically this was no problem: they did some swab tests, x-rayed the bottles, and concluded that they were (correctly) harmless. Additionally, they said that not opening the bottles meant that either my wife or I needed to get a pat-down but they let us choose who got the touchy-feely treatment. Obviously, any bad guys would have the one without concealed contraband get the search, thus defeating the purpose of the search.

At least that was better than Newark: the security screeners said they needed to do the swabbing and other tests before letting us proceed. However, the checkpoint was quite busy at the moment so they just had us stand around next to a table holding the bottles, my laptop, etc. for 10 minutes or so, then let us collect all the stuff and go. At no time were any of the tests they mentioned actually done.

Comment: Re:Not enough? (Score 1) 158 158

GPS depends on extremely precise time measurements- there's an atomic clock on each of the GPS satellites- so it's a cheap way of getting a very precise clock. If you know the correct offset between GPS time and UTC, it will be extremely accurate, too.

The GPS time-UTC offset is transmitted as part of the GPS almanac and virtually all receivers should interpret it as soon as it is received. From a cold start with an old receiver, this can take up to 12.5 minutes but most modern GPS receivers can get this in a few tens of seconds to minutes.

Comment: Re:Please explain (Score 4, Insightful) 158 158

I can understand two or three, but I'm at a loss for how someone could have 6 or more GPS devices. Will someone please explain how it's even possible for a normal person to have that many?

Cellphone (work+personal), tablet, fitness watch, in-car navigation system, (I'm struggling now), child/pet location device?

In addition to a few handheld navigation-type GPS receivers and one for a car, I have six individual GPS timing-grade receivers (2x Motorola Oncore UT+, 2x Trimble Resolution T, 1x Garmin GPS 18x LVC, and 1x Trimble Thunderbolt) on or around my desk.

Naturally, this isn't something a typical person has, but tinkering with such things is one of my several diverse hobbies. Several ham operators I know have a Thunderbolt or other GPS-disciplined oscillator to provide a stable frequency reference for their radios.

A few friends have GPS-based emergency rescue beacons (they often hike or climb in remote areas where phone service is not available), while others have beacons so they can find their large amateur rockets.

Comment: Re:Propagation delay (Score 4, Informative) 63 63

Nope, SA is turned off even in war zones, in fact the newest birds don't even have the SA feature.

True, Selective Availability is disabled or otherwise not available on the new satellites, but the government still retains the ability to deny GPS on a regional basis.

See :

"Why are you turning [SA] off?
A. The decision to end the degradation of civil accuracy on a global level was made by the President based on a Secretary of Defense recommendation coordinated with all applicable departments and agencies. This decision is based on the U.S. military commitment to develop and employ technologies to deny the civil services of GPS on a regional basis. Under this approach, it will be possible to deny GPS to potential adversaries in areas of operations while preserving the peaceful use of GPS services outside those areas"

That said, civilian GPS receivers are often quite a bit better, more handy, and more advanced than military ones and a lot of soldiers use them in combat areas. Sure, the military ones are more rugged and get the encrypted military-only channel with better accuracy, but sub-meter accuracy is only really needed for smart bombs and the like. It's less useful for driving a Humvee down the street somewhere or finding out how to get back to base. Handheld civil GPS receivers are typically accurate down to the 3-5 meter range, which is only slightly worse than the military ones.

Denying civil GPS signals in certain regions would almost certainly make things worse for US soldiers, so it's extremely unlikely that the military would ever do regional denial of civil GPS except in the most extreme situations. Even then it'd have limited effect because GLONASS (Russian), Compass (Chinese), and Galileo (EU) are or will soon be perfectly viable alternatives that bad guys could use for guidance.

Getting the job done is no excuse for not following the rules. Corollary: Following the rules will not get the job done.