
Comment: Re: KeePass? (Score 2) 114

by lhunath (#47451425) Attached to: Critical Vulnerabilities In Web-Based Password Managers Found

That is very dangerous: when the master password is trivial to reverse from the site password, an attacker could easily set up a hoax site, get your site password and reverse your master key. Master Password above uses a hmac-sha-256 of a 64 byte master key which is something you can't just reverse. It also uses an expensive scrypt based salted key derivation to get that key from your master password, which is also something you can't reverse.

Comment: Re:KeePass? (Score 1) 114

by lhunath (#47450801) Attached to: Critical Vulnerabilities In Web-Based Password Managers Found

How about no keyfile at all? Keeping backups of a keyfile in secure locations, syncing a keyfile between multiple devices and handhelds securely and without conflict, etc all needlessly complicate password management and eventually affect overall security. Also, if an authority obtains your keyfile through any form of search, they are legally within their right to force you to provide the key to unlock it. Not so if there is no encrypted vault.

Comment: Re:Thyroid problem (Score 1) 625

by lhunath (#47230303) Attached to: EU's Top Court May Define Obesity As a Disability

Aggression is a wholly ineffective behavioural change effector. You are just being a short-sighted ass, and the fact that your simplistic opinion is shared by most of the citizenry is most likely the largest cause of obesity.

You won't understand why until you consider that the biggest cause of obesity is psychological.

Many people have a hard time understanding what psychological issues are and how real they manifest themselves. It's not unlike the middle ages where ignorant healers would bleed you to try and get rid of the sickness. These are opinions based on whatever common sense they had at the time combined with a general ignorance. These people were not dumb, they were just uninformed. Now you straighten yourself out.

People get fat because their psychological state drives them to consume things that produce dopamine (the hormone that makes you happy). Probably because they either don't have enough of it (they're sad) or because they've grown addicted to it (nearly everything you buy nowadays will make you addicted to dopamine). To solve the "getting fat" problem, people need to stay away from unhealthy things that produce dopamine (sadly, these are also the "easy" things), and start finding the healthy things that produce dopamine (going out with friends, learning, experiencing new things). Sadly, this becomes harder and harder as your weight increases.

But that's not all. Once you're heavy, solving the "getting fat" problem not only gets tougher, it also won't actually make you skinny. Even if you stop eating anything unhealthy, you will not lose weight. You could eat half the calories a healthy skinny person eats and not lose weight. That's because your body is designed to not go down in weight. You can do crazy things to go down temporarily, but your body will be fighting you all the way and as soon as it gets the chance it will reset your weight back to what it was. This is why nearly every dieter regains their weight. To lose weight permanently, you need to either fight your body's set-point permanently or undergo a certain type of surgery, such as a gastroscopic bypass or duodenal switch.

As for why your attitude is what causes obesity: simplification of the issue, making it taboo and aggressively pushing skinniness are all factors which cause both the psychological environment where a person will start to obsess over the importance of their weight, as well as the bad sources of dopamine and the physical situation of people starving themselves for no good reason, which will have the result of your body going into panic mode, shutting down its metabolism and building stores of fat from anything it can possibly get its hands on.

The best way to make your population fat is to tell them being fat is horrible, all your own fault and eating food is bad for you. For the love of all that is good, DO NOT TELL ANY CHILD TO NOT GET FAT. Just teach them to live happy and healthy. Being happy means you need no bad sources of dopamine.

Comment: Re:Security by Obscurity only... apk (Score 1) 127

by lhunath (#47161865) Attached to: GnuTLS Flaw Leaves Many Linux Users Open To Attacks

First of all, none of this has anything to do with "Linux". These are all user-land libraries and tools you're referring to. They are all available for Linux, BSD and Windows alike; including OpenSSL and GnuTLS.

Secondly, "top dog" has nothing to do with any of this either. Software such as OpenSSL and GnuTLS needs to be secure. That means that there should be no exploits. The number of people "attacking" it is irrelevant given those constraints. Whether 1 researcher is looking for bugs or 10.000 criminals are trying to exploit it is irrelevant. None of them should be able to find anything useful.

Lastly, Windows as much as any other proprietary solution is completely irrelevant to this discussion to anyone with a sensible opinion on the topic. That's not because proprietary software is worse than free software, it's because proprietary software can never offer the kinds of security guarantees that free software can by mere virtue of their insistence on secrecy. What that means is, even if there is a proprietary replacement of OpenSSL for which no exploit is published in 10 years, you could never trust that the NSA, the Russians, the Chinese or the Iranians don't have a way in. You can't even trust that they haven't forced the company to add in back-doors and keep them secret. Essentially, proprietary software loses by default and free software is the only useful thing we have left, even if it sometimes fails at keeping its promises.

Comment: Re:Bjarne Stroustrup (Score 1) 636

by lhunath (#47158999) Attached to: Apple Announces New Programming Language Called Swift

If the world ever advanced when it came face-to-face with a problem it could not solve with current models we wouldn't have reached much of anything.

Obviously the "it doesn't solve any problems" statement is utterly false. It solves all the same problems Objective-C solved.

So why a new programming language? First of all, new programming languages allow you to express the abstract concepts you're trying to convey in a more optimal fashion. Each time we improve a programming language, we have an opportunity to further close the hole of cognitive dissonance between what we want to do and how we describe that intent to a computer. We have an opportunity to remove whole classes of bugs that were possible in the previous generation languages. We have the opportunity to learn from what we don't like about our current situation and make it more comfortable for ourselves.

The less we need to worry about how to do the things, the more we can focus on what things we could do.

Don't be so conservative.

Comment: Open Governance (Score 1) 582

by lhunath (#46769855) Attached to: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

The same argument can be applied to government. Just because all laws are visible to the public doesn't mean we don't ever put and keep bad laws in effect. The solution to bad laws is not hiding them, it's more publicity. Similarly, more review on each commit would help the OpenSSL project.

Comment: Re:SuperGenPass (Score 1) 445

by lhunath (#46404895) Attached to: Ask Slashdot: How Do You Manage Your Passwords?

The idea is great, the implementation horrible.

Master Password is an implementation of the same idea which takes care of all the flaws.

In my opinion, what you need from a password manager is:

  - The output passwords need to be strong against attacks and the solution needs to be strong against attacks.
  - You need to be able to trust the algorithm and the implementation that implements it, and any involved parties.
  - Being safe from loss is just as important. If you can get locked out of everything the day your apartment catches fire, it sucks.
  - It needs to be sufficiently easy to use so that I won't get lazy and skip it.

Doing 10 MD5's (SuperGenPass) offers NO strength against attacks on the solution at all. In fact, if I want all your passwords, all I need to do is make a website, get you to sign up with me, and brute-force your master password from the site password you gave me. A day's work, at most.

Master Password implements several techniques to solve all of the above security problems: http://masterpasswordapp.com/s...

Comment: Re:Confusing summary (Score 5, Informative) 210

by lhunath (#45775935) Attached to: The iOS 7 Jailbreak Fiasco

Evasi0n7 is the name of the method used to apply a tethered jailbreak to the phone. The 7 is for iOS 7. The jailbreak is what disables the security features that lock people out of their own device.

TaiG is the name of a "store" that distributes Chinese applications, similar to Cydia, the store that is currently considered to be the "default" for distributing applications on jailbroken devices. Aside from using Cydia or TaiG, you can also put apps on the device manually or use other stores / distributions.

The deal with TaiG was not a result of any stealing. Evasi0n (the team that made the Evasi0n7 method) had been approached by TaiG with an offer of bundling their store instead of Cydia (which doesn't have a lot of Chinese content) for Chinese users only. Terms of the deal included that TaiG would not be allowed to distribute any "pirated" applications. Evasi0n's rationale was that without TaiG on the device, most Chinese users would proceed to install an app store that did provide "pirated" apps and this way they would be condoning a "non-pirating" app store to the huge Chinese jailbreak audience. In exchange for bundling TaiG and therefore giving TaiG a huge userbase in China, Evasi0n was offered a lump of money.

Unfortunately, it turns out after the fact that some pirated apps were spotted on TaiG. Evasi0n reported these to TaiG ASAP and they were removed. You can imagine the trolling that ensued especially from competing jailbreak teams.

Other teams working on a jailbreak method in parallel to Evasi0n were also given this offer from TaiG. In fact, another team was getting a jailbreak release ready with a similar, stolen or different method, I don't know, but since they were getting close to a release, Evasi0n decided to fast-track their working method and release a jailbreak early. The up-side of an early release was that they'd get TaiG's money and they'd get the credit for the jailbreak. The down-side is that the huge volume of apps written for jailbroken devices hadn't been tested and fixed to work on iOS 7 yet, including "Cydia". iOS compatibility is even more crucial for jailbroken apps than for standard iOS apps since they often use undocumented API which is obviously very volatile across iOS versions.

As a result of Evasi0n's early release, a bunch of people jailbroke their device only to find that almost all of the apps written for jailbroken devices that they were installing crashed or caused their phones to break - since, as I said, they weren't updated for iOS 7.

TL;DR - Evasi0n worked really hard to find a method for jailbreaking, figured they deserved some money for their effort, figured in the meantime they'd condone a safe store to the Chinese, saw their chance at success slip away as other teams were gearing up to steal the glory and released before the developer community was ready, causing breakage and mayhem, never mind the trolling about the sudden appearance of a Chinese app store instead of Cydia.

For Evasi0n's side of the story, read http://evasi0n.com/l.html

Comment: Re:iOS 7.1 (Score 0) 110

by lhunath (#45763671) Attached to: Evad3rs Announce iOS 7 Jailbreak For Latest Apple Devices

It's really not so much about "all the cool stuff Cydia offers".

It's all about freedom and control. A non-broken device is effectively a leased piece of hardware where the owner tells you what you can and cannot do with it. It's like renting your house rather than owning it. Sure, it's nice that maintenance is taken care of for you; but most of us actually prefer to know that the thing we live in/with is controlled by us, not somebody with a different agenda whose interest in your happiness and satisfaction is nothing more than a side-effect of their interest in profit.

It's about wanting to do something with this computer in your pocket that's more powerful than a mainframe when I was a kid, and not having to wonder whether Apple's sandbox will agree to it. It's about wanting to run a daemon on start-up and being able to. It's about wanting to ssh into your phone when you left it at home and get the thing off of it that you need. It's about it locking up and you being able to see why. It's about breaking the display but still being able to put VNC on it and use it like the powerful computer that you paid for minus the display. It's about POSSIBILITY and FREEDOM to do as you please with the thing you paid 750$ for.

Comment: Re:Good idea (Score 1) 107

by lhunath (#45647443) Attached to: Storing Your Encrypted Passwords Offline On a Dedicated Device

This.

When all your online access depends on it, you can't have enough redundancy.

Security isn't just about secrecy. It's also about being safe from loss.

Which is exactly why I created Master Password (algorithm/app): The theory is that all your passwords should be stateless, not rely on any form of storage at all, be long to be secure against brute-force attacks, be irreversible, and even if you lose everything you own tomorrow, be recreatable purely from your own knowledge.

Comment: Re:because (Score 2) 299

by lhunath (#45577505) Attached to: Why People Are So Bad At Picking Passwords

It is my opinion that you cannot trust a human to make a good password.

You also cannot trust anything, a hard-disk, a notebook, a company(!) to store your passwords.

Which is why I use http://masterpasswordapp.com/ and I unlock it with a passphrase. The key elements here being: stateless, no storage, strong passwords.
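As an added illustration of the stateless construction described in the KeePass reply at the top of this page and in the last two comments (this is example code, not the Master Password implementation or its specification): an expensive salted scrypt derivation turns the passphrase into a 64-byte master key, and an HMAC-SHA-256 of that key over the site name and a counter yields each site password, with nothing stored anywhere. The scrypt parameters, salt layout, domain prefix and output alphabet are assumptions chosen for this example.

```python
import hashlib
import hmac

# Parameters are assumptions for this illustration, not the Master Password spec.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 1 << 14, 8, 1   # ~16 MiB per derivation, deliberately slow
KEY_LEN = 64                                    # 64-byte master key: not guessable from an output
SCOPE = b"example-stateless-pw"                 # constructed domain-separation prefix

# Exactly 64 symbols, so one byte maps to one character with no modulo bias.
# Visually ambiguous characters (I, O, l, 0, 1) are left out.
ALPHABET = ("ABCDEFGHJKLMNPQRSTUVWXYZ"
            "abcdefghijkmnopqrstuvwxyz"
            "23456789" "!@#$%&*")
assert len(ALPHABET) == 64


def _length_prefixed(s: str) -> bytes:
    """4-byte big-endian length + UTF-8 bytes, so no two (name, site)
    combinations can collide by plain concatenation."""
    data = s.encode("utf-8")
    return len(data).to_bytes(4, "big") + data


def master_key(full_name: str, master_password: str) -> bytes:
    """Salted scrypt derivation of the master key. The user's name is the salt,
    so precomputed tables do not help, and the memory-hard cost makes every
    passphrase guess expensive for an attacker holding a site password."""
    salt = SCOPE + _length_prefixed(full_name)
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def site_password(key: bytes, site: str, counter: int = 1, length: int = 20) -> str:
    """HMAC-SHA-256 of the master key over site name and counter. A site that
    receives this output learns nothing usable about the 64-byte key, and
    bumping the counter rotates one site's password without touching others."""
    if not 1 <= length <= hashlib.sha256().digest_size:
        raise ValueError("length must be between 1 and 32")
    msg = SCOPE + _length_prefixed(site) + counter.to_bytes(4, "big")
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    return "".join(ALPHABET[b & 63] for b in seed[:length])


if __name__ == "__main__":
    # Constructed sample inputs; the key lives only in memory while running.
    key = master_key("Ada Example", "eight muffled lanterns drift")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))  # rotated password
```

Losing every device changes nothing here: the same name, passphrase, site and counter regenerate the same password, which is the "safe from loss" property the comments argue for.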
