Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Comment Re:It's the base assumption that its invalid (Score 1) 392

It's my understanding of current case law (IANAL) that a combination to a safe is considered "testimony," and thus protected under the 5th amendment. A safe key, on the other hand is not (this is why I specifically chose a combination). Of course, nothing prevents the police from going to the manufacturer for help in opening the safe, though nothing obligates the safe manufacturer to help.

On a related note, if your passphrase is "I totally killed those 3 guys on October 26, 2006", that's probably testimony that would (SHOULD) be protected under the 5th amendment.

Besides, nobody can FORCE anything from your mind ( notwithstanding). The worst they can do is throw you in jail until you comply (or they get bored). Worst case, they convict you for "obstruction of justice" or some similar nonsense. If you're facing a surefire Murder 1 conviction if you do reveal your key, there's simply not much incentive to help out; you'd have to weigh the value of the unencrypted data with the consequences of not revealing your key.

For historical examples, see the origins of "pressing for an answer": If you entered a plea, the trial could continue, and if convicted, they killed you AND took all your property (leaving your family destitute). If you never entered a plea, you simply died under the weights, but your family got to keep your estate. So, standing mute was a rational decision if you knew there was enough evidence to convict because the punishment for not entering a plea (death) was better than being convicted (death AND bankruptcy).

Comment Re:It's the base assumption that its invalid (Score 5, Insightful) 392

Safes can be opened ... with a warrant.

Absolutely. However, I don't believe that anyone is compelled to divulge the combination to a safe; rather law enforcement hires someone to forcibly open the safe. If they can't open the safe without destroying the contents inside, that's just too bad.

There's no reason to make smartphones that can't be searched ... with a warrant.

You can absolutely search my encrypted smartphone with a warrant. How much information you'll get out of it without my key is debatable, but nobody gets to know my passwords (aka combination). If the police are able to crack the encryption, good for them. However, I'll continue to trust math to keep my secrets safe.

That type of encryption is for the government, not for joe six-pack.

The problem with that thinking is it leaves you open to spying from everyone, not just the government. Let's assume we allow some cryptosystem that has a back door / master key. To implement the system, you have to publish the specs which will be viewable to all (don't get me started on export control; it'll get out). Someone much smarter than you or I will realize the back door and exploit it to snoop on highly sensitive encrypted traffic... say online banking. Then joe six-pack gets a little pissed when he finds out that his bank account was raided and now he has no money. Oh, and since it was his password that was used to withdraw all that money, the bank won't be returning that money.

So, how does joe six-pack feel about broken encryption now?

Comment Re:One time pad (Score 1) 128

That said, you could probably use a synchronized random number generator as the shared pad data.

No; a true OTP is NOT the same as pseudo-random OTP. For an illustration of this concept, let's assume that your adversary knows your algorithm for generating the pads but has no information about the shared secret between you and your partner. To make things easier on your opponent, let's assume that he knows that you plan to encrypt a 1GB plain-text ASCII file.

In the case of a true OTP, you and your partner must share 1GB of data securely. Because the pad is truly random, any 1GB ciphertext is equally likely, so your opponent must consider every combination of 1GB, meaning 2^(8e10) equally likely ciphertexts. This is basically secure for all eternity. Also complicating the matter is that for a given ciphertext, all plaintexts are equally likely. So, the opponent doesn't know if you said "Attack the beach at noon" or "Attack the beach at dawn" or "jcfpeb k,spq djte96bslg1Hw"

Now, in the case of a pseudo-random OTP, let's assume that the seed of your PRNG is 32 bits, so you only have to share a very small secret securely. However, there are now only 2^(32) possible ciphertexts that the opponent needs to check. This is a much more practical problem, and he can use some simple checks to see if the decrypted message "makes sense", and choose the most likely plaintext.

In reality, nobody uses a OTP because if you can securely communicate the length of the pad, you can just as easily communicate the entire message. What is used instead is public-key encryption where your partner can encrypt a message, but only you can decrypt it. Of course, this is a few orders of magnitude harder than symmetric encryption, which is why you'll typically use the public-key encryption to share a disposable secret key, which is then used to seed a symmetric encryption method (your pseudo-random OTP would be one of those). In reality, this is still pretty secure, as the key is typically in the range of 128+ bits, meaning a key space of 2^128 for a brute-force attack, which is still pretty infeasible. However, it is not completely 100% secure against any decryption as a One-Time pad is.

Comment Re:Multi-factor is the only right way (Score 3, Informative) 123

NO! A million times no!

Proper multi-factor authentication is ALWAYS "something you have" and "something you know". The idea is that if someone steals the thing you know (i.e. password), then they have to also steal something you have (i.e. hardware token / smartcard / phone, you name it). The hope is that even if you don't notice that your password is compromised, you'll notice when you lose your phone. Similarly, if someone copies the smartcard you have, they still don't know the PIN to access your account.

The hack of fingerprint databases illustrates this. For example, someone with access to the hacked OPM databse can steal/copy your smartcard and can now impersonate you at will if you've relied on Smartcard + Fingerprints. Now, "something you have" could certainly be your fingerprint, but 2-factor auth is NOT "something you have" and "something else you have." Just like the bank's "security questions" are not two-factor auth, because they're "something you know" and "something else you know."

Comment Re:Negotiating when desperate (Score 3, Insightful) 583

The only exception is if you're 15 years old and it's literally your first job, and in that case it's probably appropriate that the offer is for minimum wage.

So, if I'm 21 and graduating from college, I'm supposed to have enough saved to be able to turn down that first offer? I don't know about you, but I worked >50 hours / week in college (making between $10 - $20/hr at various jobs in early 2000's), and I barely kept the tuition bills paid. Granted, I basically had no debt coming out of college, which put me ahead of a lot of my peers, but I wasn't in any position to say no to a job offer and live on my luxurious (non-existent) savings.

Now that I'm ~15 years out, I do have the freedom to turn down job offers, but it's because I started out with no debt and have been able to save. For those starting off in the hole, saying "no" is a luxury they won't have for a LONG time.

Comment Re:bullshit (Score 2) 212

Reminds me of warnings on grape juice concentrate sold during prohibition: "After dissolving the brick in a gallon of water, do not place the liquid in a jug away in the cupboard for twenty days, because then it would turn into wine."

Could we get something similar: "After downloading the code, do not remove lines 33-67 of Encrypt.c, as this will disable the legally mandated NSA back doors"

Comment Re:Of course they're giving a 6-year transition (Score 1) 259

Well, of COURSE I didn't resell the license - that would be silly! I sold a license, but I had to pay a royalty to my wholly-owned Irish subsidiary for selling the license. It's complete coincidence that the royalty rate is 99% of the gross sales on the licenses. Thus, you can only tax me on the 1% profit that I made on that license, and that's BEFORE I deduct anything else (I'm sure I can find 1% to expense somewhere else - furniture depreciation sounds like a good idea!).

It's kinda like capital gains tax. If I sell $100 worth of MS stock, I'm not taxed on $100. Rather, I'm taxed on the difference between what I paid for it and what I got for it. If I paid $90 for that stock, I only owe taxes on $10 of capital gains income. Things get really tricky when selling for a loss, but I don't want to complicate the matter.

I know it's an oversimplification, but that's essentially the tricks that they're using. When you remove all of the accounting mumbo jumbo, it reveals the tricks for what they are: dirty, slimy ways to avoid paying taxes. (That being said, all the tricks are legal, and if I could use the tricks, I would use them to the fullest extent allowed by law as well).

Comment Re:Of course they're giving a 6-year transition (Score 1) 259

Actually, from my understanding of the loophole works this way:

MS sells a license to use Windows for $100 in Colorado. This is counted as US income. However, in the US, we don't tax revenue, we tax profit. This means that if MS had expenses of $100 for that particular license, then it would owe no US income tax on that sale. Conveniently, they have a wholly-owned subsidiary based in Ireland (but headquartered in the Cayman Islands) that is willing to sell that license for precisely $100. And just like that, no US corporate income tax for ANY license!

Granted, you now need a way to get out of the Irish income tax (which is lower than US income tax), and that's where the Dutch Sandwich comes into play. I know I'm oversimplifying things, but when you can set up new companies and transfer the "assets" for essentially the cost of a few lawyers and filing fees, avoiding taxes becomes pretty easy.

Comment Re:Fine! (Score 1) 365

How can you have a standard like that if it doesn't dictate teaching methods? This is especially true for math where you don't just regurgitate the correct answer. The method is a part of the correct answer. For that you pretty much have to "dictate the teaching method".

Actually, math is probably the LAST subject where you want to "dictate the teaching method". There are over 10 ways to prove the Fundamental Theorem of Algebra; all of them are "correct" and give the answer. By dictating the teaching method, you are stating that all other proofs are incorrect, which is patently wrong.

It doesn't matter how you get 62 + 36 = 98. You can draw squares and lines, column addition, grouping by 5's, or counting on your fingers! All are valid ways of finding the answer. Some may be more efficient than others, which can impact your ability to get through all of the questions, but as long as you get the right answer, it doesn't matter how.

It's like saying "We have a programming problem, please use C to solve it". Any programmer worth his salt would walk away immediately. C may be the right approach, or the best approach could be Java, PHP, or even LISP. It's better to teach multiple methods of doing something simple, so that way when you get to something complex, you have the skills to solve it AND (more importantly) the skills to know what tool to use.

Comment Re:Software Documentation is bad everywhere (Score 5, Insightful) 430

Have you ever USED IBM, Oracle or MS software?

I've run into scenarios with both IBM and MS where I'm looking for a specific error code, and I get into this:
Q: What is ERR:174027?
A: That's ERR:174027
*Bashes head into wall*

Commercial software might have better documentation, but a lot of the help still comes from blogs of people having the same error, which IS NOT documentation!

Comment Re:let them so it gets thrown out? (Score 1) 286

I didn't RTFA


but wouldn't the tricky/slimy answer be "let them search it, so then all of the evidence gets thrown out"?

No, because then you've consented to the search, and there's no restriction on what they can do. By remaining silent, you likely consented to a search. Alarmingly, by remaining silent, you can waive your right to remain silent (see Salinas v. Texas).

Comment Re:What I say (Score 2) 286

Actually, no.

"Am I being detained, or am I free to go?"

Another one of those rights that can use some excercise is the right to walk away from a police encounter. Just because a cop wants to talk to you doesn't mean that you have to talk to him. Granted, it's a good idea to not be a dick, as the cops can legally ruin your day. Be polite and direct without agreeing or admitting to anything is the best course of action.

Comment Re:Some Good, Some Bad (Score 1) 286

Don't get physical/let them do as they please, then lawyer up."

I consider that bad advice, because it discourages people from exercising their right to defend themselves against unlawful arrest, a right that has been repeatedly verified and upheld in court.

Of course, as with any exercising any right, you do so at your own peril.

I think this piece of advice was more aimed about keeping you safe, not keeping you "right". If you start fighting with a cop because he's illegally searching your phone, you might end up catching a bullet. Since you were fighting with the cop, he thought his life was in danger, so the shooting could be "justified", even if the initial search was illegal.

You can be right, but if you're dead, it's really a pointless victory, isn't it? If the search is illegal, you can get it tossed in court (VERY easily), and then you can go after the police for damages. If you're dead, who cares?

Comment Re:danger will robinson (Score 1) 688

Take a better example, like:

- 148.

Doing this in your head the traditional way would be hard.

Not really; the steps are (working from the right, of course):
1 < 8, so 1 becomes 11, 2 becomes 1, and 11 - 8 =3
1 (previously 2) < 4, so 1 becomes 11 and 3 becomes 2, 11 - 4 = 7
2 (previously 3) > 1, so 2 - 1 = 1

Answer: 173. Took me all of 10 seconds. I needed to remember at most 3 pieces of information at once (the fact that I borrowed plus what digits I had already solved). That's well under the 5 - 9 items that people can hold in short-term memory. With this method, I just need to know how to count to 20 really well, and if I'm really stuck, I can use my fingers + toes!. I use this method ALL THE TIME when tipping, to figure out "what tip to I need to make the bill X".

Granted, if I'm subtacting 10-digit numbers, the "traditional" method can get tough to do entirely in your head, which brings me to...

[T]his is the kind of math that makes people think they can't do it without assistance from paper or a calculator.

When was the last time you NEEDED to add/subtract a 3+ digit number and you didn't have a pen/paper or a calculator with you? I don't even have a smart phone, and I've got a calculator on my cell phone if things get really tricky.

But doing 52 + 21 is much easier, and doing 73 + 100 is also quite easy.

Where did 52 come from?? There's no 52 in the problem anywhere! And why are we adding 100?

The "traditional" method only looks at a single digit at a time, so you only need to know how to add 2 single digit numbers (and carry or borrow). With your method, you need to first know that 48 + X = 100, so X = 52. You're no longer doing arithmetic in your head, now you're doing algebra in your head!

Never trust an operating system.