Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Comment: Re:even more interesting (Score 1) 155

by jiadran (#49117763) Attached to: NSA, GHCQ Implicated In SIM Encryption Hack

Just an idea on how to work around potential weaknesses in the random number generator:
1) Set up a trusted and isolated system.
2) Use the system to generate key pairs
3) Some smart cards allow to import keys, including the private key (but do not allow to re-export the private key)
4) Dispose of private key after programming the smart card, and dispose of the system when replaced

This would not get around other weaknesses of the smart cards, but at least you can ensure that the card uses properly generated keys.

Comment: Re:even more interesting (Score 1) 155

by jiadran (#49117747) Attached to: NSA, GHCQ Implicated In SIM Encryption Hack

The SIM cards come with the keys preconfigured. As the GSM standard uses symmetric cryptography, the key has to be known and thus is stored somewhere outside the SIM card.

With smart cards, you can (and should) generate the keys yourself, or rather, let the card do it. The card normally uses asymmetric cryptography and will then store the private key internally and never disclose it, thus making it impossible for spy agencies to recover the keys*.

* There could be weaknesses, either as bugs or explicitly introduced by spy agencies. For instance, the card could use a weak random number generator (I remember an article that some ID cards used IDs that were not so random after all), or the card could have a back-door to extract the private key. In any case, the attack described, where an employee would be bribed to disclose a database of keys would not work for smart cards, but that does not mean that another attack is not possible.

Also note, just because we know that Gemalto has been compromised does not mean that other companies are more secure.

Comment: Re:Where the fuck is the EU? (Score 1) 194

by jiadran (#47669683) Attached to: Snowden: NSA Working On Autonomous Cyberwarfare Bot

Well, there are actually multiple parts to any serious reply to your "wake-up call":

1) you might not hear/see people from the EU complaining because they might not do it on Slashdot (hint: not everybody speaks English).

2) What can realistically be done against the NSA?I mean, the US interferes almost everywhere, and if someone does not agree, there is a lot of political pressure. Besides, what exactly are Americans doing, other than complaining on Slashdot? (I am really glad for the EFF and a few other such organisations)

3) Please also consider that when Europeans complain, they are labeled as anti-American (or anti-Israel). So people might shut up because it's difficult to have a real argument. But the US might not have as much support outside the US as Americans like to believe.

I would also argue that Europeans (and other countries) really do a lot already. Maybe they don't complain that loudly, they just vote with their wallet (look at what is happening to Cisco or the military airplane deal from Barzil that went to Saab). Or they change laws to mandate having communications that are terminated on both ends in the same country stay in this same country instead of taking the cheapest route (often through London). In fact, I get the impression that Americans complain and European (and others) work hard on overcoming the problems.

If you have any useful ideas on how to tackle the issue efficiently, I (and a great many others, I am sure) would very much like to hear them.

Comment: WebArchive (Score 5, Informative) 273

by jiadran (#47612983) Attached to: Hack an Oscilloscope, Get a DMCA Take-Down Notice From Tektronix

The Google cache was taken down. The original author seems to have agreed to take down the information on his site as well, even without having been contacted him-self:
https://sites.google.com/site/...

However, they were too late. The web archive has already archived their pages. Here are the relevant links:

http://web.archive.org/web/201...

http://web.archive.org/web/201...

(not modified)
https://oshpark.com/profiles/m...
http://web.archive.org/web/201...

Comment: Re:this is great news! (Score 1) 94

by jiadran (#47514387) Attached to: Open-Source Blu-Ray Library Now Supports BD-J Java

No mod points, sorry. I totally agree!

10s forward and backward jumps (with the keyboard, so no point-and-click delays), or 1 minute and 10 minutes jumps are really great.

The mandatory ads on DVDs are annoying on stand-alone players. It would be easier and faster (no waiting for mail deliveries) to just download the movies. Why do I have to watch piracy warnings on a leagally-bought DVD when I could skip them on an illegal download?

Also, as I travel between North America and Europe, region codes are a real PITA. I actually have a stand-alone region-free DVD player, and I never had to update firmware, but I had to enter a secret number to activate the region-free feature. On my Linux laptop this worked out of the box. Do region-free BlueRay players exist? Is it really necessary to update the firmware? Both questions are potential deal-breakers by themselves!

I buy movies on DVD, then rip them to watch on my mobile devices. I would buy BlueRays and a stand-alone player if I could use them with my high-quality but non-DRM monitor.

Comment: Re:That's a nice technical solution you have there (Score 1) 277

Actually, to prevent "look[ing] for the hashes of those texts amongst the password" salted hashes are used. I believe password tables would already be reasonable sure if web sites would adopt salted hash algorithms, such as BCrypt.

This scheme is still vulnerable to to weak passwords, as you can just try the most common password (if restricted to a length greater or equal to 6 characters, it would probably be "123456") for randomb combinations of users until you get a combination that works. Once you have a set of user/password matches, you can then bruteforce other passwords. For large sets of passwords and a small number of correct passwords required, this scheme would hardly be better than standard salted hash approaches, not because the scheme is mathematically weak, but because of the lazyness of users (including me).

Comment: Re:Rediculous (Score 1) 277

Thank you for pointing out one of the real flaws of the system! (sorry, no mod points)

There is another one: Since most people still use weak passwords (such as "password" and "123456"), if you have access to a password store, you can try a combination of user logins with the most likely passwords until you get a combination that is validated (I didn't run the numbers, but I bet it would hardly slow you down). Once you have that, you can use this to crack the rest of the passwords. So you wouldn't need to create fake accounts at all.

Comment: Re:Proof read? (Score 1) 46

by jiadran (#45484663) Attached to: Researcher Offers New Perspective On Stuxnet-Wielding Sabotage Program

Well, the document (from which TFS is extracted) was written by a non-native English speaker (Ralph Langner, who is German). Interestingly, I note that as a non-native English speaker myself I make a number of mistakes that Americans find particularly annoying (this post is probably full of them), while at the same time I have difficulties reading comments with typical American mistakes (theirs / there's, then / than, he's / his, etc.). I think that native-English speakers rely more on how it sounds, while non-native English speakers tend to analyze the structure more and thus make different types of mistakes.

Anyway, I appreciate people pointing out mistakes as this allows me to learn.

Comment: Change of tactics (Score 4, Interesting) 46

by jiadran (#45484569) Attached to: Researcher Offers New Perspective On Stuxnet-Wielding Sabotage Program

I know I shouldn't have, but I read the whole document and it's really interesting. Langner thinks that the tactics (and probably the team as well) changed over time. Based on his observations I propose the following (conspiracy) theory:

The attacks on the enrichment plants have been going on much longer than anyone so far claims, maybe since the beginning. That's why Iran's progress was so much slower than what the Pakistany managed to do (the first generation centrifigues are supposedly extremely tricky). Instead of discovering the initial attack (described in the document), the Iranian's compensated for the seemingly random problems by including additional control measures not present in the design from Pakistan: shut-off valves to quickly isolate a malfunctioning centrifuge and over-pressure valves. It took them ten years instead of the two years of the Pakistany, but they still managed to get enrichement started. Maybe with their added failure-tolerant design the original attacks didn't work anymore, or there was a leadership change (as Langner speculates). Maybe the Iranian's suspected something and changed procedures also for contractors and workers (Langner thinks that the initial attack was with direct access to the system while the later attack had to somehow find a way in). Maybe then the initial team was the Israelis who wanted to remain hidden, and when their approach didn't work anymore they asked the Americans for help who used the NSA's attack library for a way accros the air gap. The Americans would probably also be less worried about remaining hidden and maybe actively wanted to send a message.

Altought admittely pure speculation, I think this scenario fits the known facts and observations. I'm curious to see what you think of this ;-)

Comment: Re:Use in driving tests? (Score 1) 233

by jiadran (#45089615) Attached to: Ford Showcases Self-Parking Car Technology

It's similar in Switzerland. If you pass your driving test with an automatic car, you still get the same license, but with a mention that you are only allowed to drive automatic (similar to the mention that one is only allowed to drive with glasses).

As for enforcing this system, wouldn't it be the more fancy cars (with lots of automation) that could actually enforce this, while the old cars (where you would actually need a better license) would not? You could still use biometrics, etc., to determine in a fancy car whether you're allowed to turn off the enhancements.

Comment: Routing Connections from Point A to Point B (Score 5, Interesting) 199

The article mentions that a connection from one point to anohter within Europe would likely stay within Europe. Maybe technically... On a recent trip to Paris I did a traceroute to an e-mail server in Switzerland, and essentially what I saw was: Paris (F) -> London (UK) -> Paris (F) -> London (UK) -> Paris (F) -> Lyon (F) -> Geneva (CH). There might be good reasons why the connection would go through London, but twice, and then come back? Considering that the UK is closely collaborating with the US in its data gathering, I have a feeling that this routing was not entirely by accident.

Comment: Re:Diminishing returns (Score 5, Insightful) 478

by jiadran (#44754589) Attached to: Schneier: We Need To Relearn How To Accept Risk

From what I understand, the point is that we are not concentrating on the biggest risks, but on the wrong risks. The measures we have taken to "protect" flights have resulted in more deaths (due to car accidents of people avoiding flying) than the deaths caused by the original incident that triggered the "security" measures.

All in all, we should not give up our freedoms for security theater that actually increases the overall risk.

Comment: How to make it work (Score 1) 40

by jiadran (#44754565) Attached to: IBM Uses Internal Kickstarters To Pick Projects

It won't work because people cannot do anything else with the money and thus will spend it on some project. They will not choose the best project as they don't have any particular incentive to do so. They will rather spend the money on the project of the people they are friends with.

To make it work I would propose the following changes:

- Employees have to invest real money (e.g., from their salaries). Investments are, of course, completely voluntarily. Investments could be limited to e.g., $1000 per employee per year. The important thing here is that the employee has to invest real money that she/he could use otherwise, so they will only do so for projects that they really believe in.

- IBM would increase the investment to e.g., 10x the value the employee invested. This would ensure that there is a boost to what an employee can achieve with her/his investment.

- The employee gets a bonus if the idea turns into a (viable) business project / product. The bonus could be e.g., 10x the value invested. This would ensure that the employees have an incentive to participate in such projects and that they really choose projects they think are viable rather than the projects of their friends. There could be additional factors, such as a 100x boost if the project not only succeeds but really takes off.

How to choose the "boost factor"? Well, if 10% of projects succeed on average, then the boost factor should be bigger than (1 / 10%) to ensure that investors get on average their investment back (and thus are motivated to participate).

Factorials were someone's attempt to make math LOOK exciting.

Working...