
Comment: Re:I wouldn't mind the NSA so much if... (Score 4, Interesting) 166

by jeffmeden (#49347377) Attached to: NJ School District Hit With Ransomware-For-Bitcoins Scheme

...they went after these criminals.

If our government actually did something about stuff like this, I think people would believe in their government a bit more, but as it stands, it seems like the NSA and such only want to either spy on us or topple governments that don't toe the line for the US.

I cannot imagine that finding these criminals is beyond the abilities of the US Government; it just seems like they don't even try.

The thing is, if they did, you would never know about it. It may seem like they don't even try, and they might not be, but they could also be defeating 95% of it. With a mission that is by design clandestine, no one may ever know until our kids get a peek at the public records dump 50 years from now.

Comment: Re:Trade secret? (Score 2) 74

by jeffmeden (#49347205) Attached to: Facebook Sued For Alleged Theft of Data Center Design

Yes, but if they had an NDA they should be suing for breaking the NDA, not theft of trade secrets.

Given that they had to redact a good bit of the material in the suit, my guess is that they are doing both. And why not? Trade secrets are internationally recognized as property, and property law is pretty easy to assert. If they can show a clear paper trail, they will probably win.

Comment: Re:Still waiting for a "hackability meter" (Score 1) 155

by jeffmeden (#49347085) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

You're a fucking shitheel. The vast majority of passwords are cracked offline. The only things saving you, the user, when (not if) shit gets hacked are using strong passwords and not reusing them across services. "2-factor" authentication doesn't do fuck shit because the company got fucking hacked anyway - you can't trust that the keys for the RSA clocks weren't taken at the same time the user table was.

Of course any passwords that get cracked are cracked offline, it has been a long long time since even the most poorly architected of sites had an auth service capable of responding fast enough to brute force. The point is that more often still, passwords are lifted out of databases that don't bother to encrypt them at all, or passwords are "Cracked" by exploiting a poorly built password reset system to overwrite them. In those cases (which account for almost all of the malicious per-account activity), it doesn't matter at all how complex (or uncomplex) your password is.

Comment: Re:Still waiting for a "hackability meter" (Score 1) 155

by jeffmeden (#49346917) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

Are you secretly planning to use it as a Dunning-Kruger meter and avoid all those that self-rate as 10 out of 10? Because if you think you'll get anything else useful out of it, I want some of what you're smoking...

Both are farcical. Good catch.

The point is that a site could very easily be giving you great password strength advice and then proceed to do something totally stupid with it (storing it with such a poor cipher that it can be brute-forced in seconds).

Comment: Re:Still waiting for a "hackability meter" (Score 1) 155

by jeffmeden (#49346615) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

Sorry, but password complexity matters a great deal. When a website's passwords get hacked, they're going to compare hashes and find all the easiest ones first (password, hunter2, 123456, etc). If yours is 15 characters of random letters, numbers, etc, yours will not get cracked first. Now, if someone like the NSA is targeting YOU, then it doesn't matter how complex it is; it will get cracked. But in a list of 5,000,000 passwords, having a complex password can help make sure yours is not one of those cracked.

This is my exact point. You are right if and only if the provider didn't bother to use an effective salt, which renders rainbow tables pointless. Why isn't that part of the meter? "Your password is stored in a hash of type XXX that is ### bits long, hashed for ### rounds, and salted with ### bits during each round." would tell the user all they need to know about how well their password is going to be protected, and they can make a more informed decision.
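The "storage meter" proposed above, worked through as an added example (not the commenter's code): it reads a stored hash record in a constructed, hypothetical `$algo$rounds$salt_hex$digest_hex` format, prints the meter line, and estimates how long an offline attacker needs to exhaust a password space against a leaked table. The per-guess rates are constructed order-of-magnitude figures, not benchmarks; the point it shows is that an unsalted fast hash lets one guess be checked against every account at once, while a salted, iterated hash multiplies the work by the number of accounts and by the round count.

```python
"""Storage-strength meter: estimate offline cracking cost from how a password is stored."""
from dataclasses import dataclass

# Constructed, illustrative single-GPU hash rates (guesses per second) for one round.
GUESSES_PER_SEC = {"md5": 1e10, "sha256": 1e9}


@dataclass
class StoredHash:
    algo: str
    rounds: int
    salt_bits: int
    digest_bits: int


def parse_record(record: str) -> StoredHash:
    """Parse the hypothetical record format '$algo$rounds$salt_hex$digest_hex'.

    An empty salt field means the hash is unsalted. Hex digits carry 4 bits each.
    """
    _, algo, rounds, salt_hex, digest_hex = record.split("$")
    return StoredHash(algo, int(rounds), len(salt_hex) * 4, len(digest_hex) * 4)


def meter_text(h: StoredHash) -> str:
    """The meter line the comment proposes, filled in from the stored record."""
    return (f"Your password is stored in a hash of type {h.algo} that is "
            f"{h.digest_bits} bits long, hashed for {h.rounds} rounds, and "
            f"salted with {h.salt_bits} bits.")


def seconds_to_exhaust(h: StoredHash, password_entropy_bits: float, n_accounts: int) -> float:
    """Worst-case seconds to try every password of the given entropy against a leaked table.

    Unsalted: each candidate is hashed once and looked up against all accounts
    (the same amortisation a rainbow table exploits), so cost is independent
    of n_accounts. Salted: every account has a distinct salt, so each
    candidate must be re-hashed per account, and each hash costs `rounds` work.
    """
    guesses = 2 ** password_entropy_bits
    per_guess_work = max(h.rounds, 1)
    accounts_factor = n_accounts if h.salt_bits > 0 else 1
    return guesses * per_guess_work * accounts_factor / GUESSES_PER_SEC[h.algo]


if __name__ == "__main__":
    # Constructed sample records: an unsalted single-round MD5 and a salted, iterated SHA-256.
    weak = parse_record("$md5$1$$" + "0" * 32)
    strong = parse_record("$sha256$100000$" + "a" * 32 + "$" + "b" * 64)
    for h in (weak, strong):
        print(meter_text(h))
        # ~20 bits of entropy: a common-word dictionary; 5,000,000 leaked accounts.
        print(f"  time to exhaust a 20-bit space over 5M accounts: {seconds_to_exhaust(h, 20, 5_000_000):.3g} s")
```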

Comment: Re:Still waiting for a "hackability meter" (Score 1) 155

by jeffmeden (#49346559) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified

Considering how awfully many cases there have been where it has taken the company weeks or even months to notify anyone of the breach I'm going to have to disagree on that.

That's my exact point. If a system is compromised and they are going after user data unnoticed, you are boned even if they can't brute force your 5000 character epic passpoem, detailing the life and works of seven mythical Norse heroes (apologies to http://www.schneierfacts.com/f...). The only thing keeping you safe in that instance is staying the fuck away from downright terrible and negligent providers.

Comment: Re:Still waiting for a "hackability meter" (Score 1) 155

by jeffmeden (#49346449) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

Your basis for saying password complexity is irrelevant is that bad people would be doing online brute-forcing? They do matter somewhat when it comes to online cracking, but the real relevancy doesn't lie there. The passwords matter when it comes to offline brute-forcing: the more complex the password the longer it'll take to crack it even if you have the hash for it. With good passwords and well-done hashing and salting you may end up cracking them for weeks by which time whoever you obtained them from will hopefully already have made their users change their passwords.

Brute forcing offline is only a scenario that can take place after a breach has occurred. In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified (http://techcrunch.com/2015/01/...) make complexity 100% pointless, which is what I am getting at here.

Comment: Re:is this good? (Score 4, Interesting) 155

by jeffmeden (#49346331) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

123Password is very strong because it uses numbers and upper and lower case letters.
Those meters are stupid.

As long as it's not on this list: http://gizmodo.com/the-25-most... or just a copy of your exact username, then yep it will probably suit you just fine. Dictionary attacks don't happen in break-ins nearly as often as exploiting password resets (via social engineering or otherwise) or other blatant sidesteps of security (token reuse, etc), since everyone tarpits bad logins, sometimes after as few as 3 attempts.

Comment: Still waiting for a "hackability meter" (Score 5, Interesting) 155

by jeffmeden (#49346243) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

The plain simple truth is that complexity of a password is barely relevant at all when compared to the threat of an outright data breach at a provider. Who cares if your password is 'veronica' (your daughter's name) or `myL1ttleBr0ny%` since an attacker isn't going to bother with brute forcing anything but '123456' and 'password' because they will get tarpitted by any reputable provider before they can guess anything out of a dictionary more than 5 entries long.

What we need is a meter on a web site describing how much effort they put into server security, how big their target profile is (how many entry points they have) and a sign that says "??? days since a total data breach!", and then the user can decide if they want an account there at all. How's that coming?

Comment: Re:Trade secret? (Score 2) 74

by jeffmeden (#49346115) Attached to: Facebook Sued For Alleged Theft of Data Center Design

How can you claim something is a trade secret if you show it to others? If you want to keep your design proprietary, patent it.

Via a handy catch-all called an NDA. Facebook is in trouble if it stipulated something like "BRG is presenting designs in confidence and all material is proprietary and not to be copied for any reason... Facebook will be held liable for any material/tangential loss due to disclosure of included designs..." etc since Facebook has allegedly shared their "secret modular designs" with the construction firm that won the bid, and Open Compute Project.

Comment: Re:Ummm.... (Score 3, Insightful) 74

by jeffmeden (#49346061) Attached to: Facebook Sued For Alleged Theft of Data Center Design

Did BRG have that concept patented?

Doesn't matter (but would help their case if it were). Note that the lawsuit isn't for infringement (patent or copyright) but for breach of contract and theft of trade secrets (that Facebook allegedly only had access to in confidence, i.e. via aforementioned contract). It all depends on if Facebook's agents signed anything similar to an NDA when negotiating with BRG for a design contract, in order to review a proposal using their "modular techniques". If BRG was smart they would have papered it up very specifically before they showed any sensitive bits to Facebook.

Like TFS says we don't have enough info to know if something super specific about the design was copied (like some allegedly optimal ratio of airflow to floorspace to TDP). This is most likely just a contract chase, hoping that the words of whatever Facebook signed are broad enough to catch them for designing anything similar to what BRG had proposed.

Comment: Re:Wouldn't be the first time... (Score 1) 74

by jeffmeden (#49345959) Attached to: Facebook Sued For Alleged Theft of Data Center Design

Wouldn't be the first time that Mark had blatantly stolen someone else's idea.

Next up, BRG will abandon their ridiculous claims, be put on trial for fraud, cut off their monitoring anklets and tape them to a broom handle mounted on a ceiling fan. You know, for fun. CYA in Belize!!!

Comment: Re:How is this new? (Score 3) 172

In the history of "conservation" no one has managed to turn the ability to use less of a product, into the *practice* of using less of a product. How often do you let the empty ketchup bottle "ride" in the fridge and squeeze a few faint drops on each hot dog hoping to get the last of it, while really only putting 1/10th your normal amount on? Yep. Now, you can get your full ketchup fix on time, every time. And when the bottle is gone it's gone, no more "maybe one more blob of salt-tomato-vinegar heaven, if I shake it just right!" instead, it's on to the next new bottle, and the next full load of ketchup on your bratwurst, and even BETTER sales for Kraft/Heinz.

Further reading: energy efficiency != energy conservation: http://freakonomics.com/2015/0...

Comment: Re:It depends (Score 1) 475

by jeffmeden (#49336835) Attached to: No, It's Not Always Quicker To Do Things In Memory

RAM *is* faster (by far) than any persistent media (SSD, HD...). So whatever the test, the algorithm is probably bad,

I read this summary as "when the goal is to write a string to disk, building it in memory first is slower than just writing it to the damn disk in the first place".

Followed by a "does this mean my cafeteria meal card is going to get renewed?" at the end.
