
Comment: Re:Who you gonna call? (Score 1) 138

by martok (#49280463) Attached to: Windows 10's Biometric Security Layer Introduced

I imagine it would not be stored centrally but in the TPM, where the TPM says yea or nay when presented with the image. In theory the TPM doesn't release the actual key even to the BIOS but rather just does the authentication. But who knows what kinds of attacks they can withstand when physically pulled off the mainboard.

Comment: Is it really more secure? (Score 4, Insightful) 138

by martok (#49280441) Attached to: Windows 10's Biometric Security Layer Introduced

I've seen cases recently where people crossing the border from one nation to another have been asked to enter their phone or laptop password for inspection. They are at this point free to refuse to divulge this information though there may be the obvious consequences. Using biometrics, would it not be possible for an attacker to simply force one to provide biometrics to unlock a device? What about other attacks such as a spouse unlocking a device using his/her partner's fingerprint while (s)he is asleep? I would think this would open up new security holes for the ones it fixes.

Comment: Re:Pick an Emphasis On or Interdisciplinary Degree (Score 4, Insightful) 347

by martok (#42860805) Attached to: Ask Slashdot: Best Alternative To the Canonical Computer Science Degree?

Agree with parent here. I would add that once you have finished your first two years, you have jumped through the hoops which cause most people to drop: first-year maths, stats, etc. In years 3 and 4, things get much more interesting. Stick it out and you'll be a better programmer as a result. Yes, web developer == programmer.

Comment: Inexperienced exchange providers (Score 5, Insightful) 232

by martok (#41234391) Attached to: BitFloor Joins List of Compromised BitCoin Exchanges

This is not the fault of the currency. It is a fault of the exchange provider, and the users of the currency really need to be careful in whom they put their trust.
I'm sorry, but no one without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have separate wallets per user account, encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt, but never stored online, etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transferred to offline storage on a regular basis? I could go on.

Comment: Would this invalidate contracts? (Score 1) 204

by martok (#37735106) Attached to: Verizon Wireless Changes Privacy Policy

I am not sure how it works in the US, but here in Canada when a celco changes its terms, it allows the end user to cancel his contract without an ECF. That is, unless the celco agrees to honour the terms of the original contract as signed for its duration. So assuming the 2-year contract also says something to the effect of "user agrees with the privacy policy", I would argue that makes the privacy policy part of the contract and is thus grounds for cancellation. Thoughts?

Comment: Real encryption (Score 1) 128

by martok (#36504282) Attached to: Brute-Force Password Cracking With GPUs

With the recent MTGox compromise, I've been looking at a better password system. It looks like one way to go is to use a program like Password Safe or keesafe to generate unique passwords per website. However, I'm curious as to how resistant these master files are to GPU attacks. GPUs basically sliced through the MTGox MD5 hashes like butter. How long would it take a higher-end distributed cluster to break a Password Safe master file? It's Blowfish-encrypted, I believe.

Comment: Home user perspective (Score 1) 425

by martok (#33290954) Attached to: Why You Shouldn't Worry About IPv6 Just Yet

I realize this article is coming from a corporate perspective, but from a home user's perspective, I am really getting quite a lot from IPv6. I once had to poke holes in my firewall to get at internal machines on nonstandard ports when away from home. Now that they are IPv6 enabled, I can address them directly. I can also access my Samba shares (ISP port blocking), and the SIP protocol works much better now that NAT is not involved.

The tunneling does add latency though so here's hoping the ISPs get native connectivity soon now.

Comment: Re:No, and I won't (Score 3, Interesting) 263

by martok (#30481794) Attached to: Are You Using SPF Records?

Actually, DKIM can be used to guarantee a sender. We're using DKIM here with ADSP. That is:
_adsp._domainkey TXT "DKIM=ALL"
tells a receiver that all emails from our domains should be signed. Since the keys themselves are published in our DNS, a machine not under our control should not be able to send an email purporting to be from our domain.

I'm not sure, but I would think that mechanism would make SPF irrelevant. Assuming antispam software actually checked the ADSP DKIM records.
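
The ADSP check the comment describes, as an added example (not the commenter's code, and not from Slashdot): an RFC 5617-style policy evaluation that looks up the _adsp._domainkey record for the From domain and decides what to do with a message that lacks a verified author-domain signature. DNS answers are an in-memory map of constructed records (the domains are made up), and tag names and values are matched case-insensitively as a leniency, so "DKIM=ALL" as written above is accepted.

```python
"""Evaluate DKIM ADSP (RFC 5617) for one message against in-memory DNS."""
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups: name -> list of TXT strings.
# Assumption: real code would query a resolver; these domains are made up.
FAKE_DNS = {
    "_adsp._domainkey.example.com": ["dkim=all"],
    "_adsp._domainkey.bank.example": ["dkim=discardable"],
    "_adsp._domainkey.casual.example": ["dkim=unknown"],
    # nopolicy.example publishes no ADSP record at all.
}

def lookup_txt(name):
    """Return TXT strings for a name, or [] when nothing is published."""
    return FAKE_DNS.get(name.lower(), [])

def parse_adsp(txt):
    """Parse a tag=value ADSP record; return the dkim= practice or None if malformed."""
    tags = {}
    for field in txt.split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            return None                      # not a tag=value list
        key, value = field.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()  # lenient case handling
    practice = tags.get("dkim")
    return practice if practice in ("unknown", "all", "discardable") else None

def author_domain(from_header):
    """Domain of the From: address, lowercased; None if there is no address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def adsp_result(from_header, verified_sig_domains):
    """verified_sig_domains: d= values of DKIM signatures that verified.

    Returns one of: pass, none, unknown, fail, discardable, permerror.
    """
    domain = author_domain(from_header)
    if not domain:
        return "permerror"
    if domain in {d.lower() for d in verified_sig_domains}:
        return "pass"            # Author Domain Signature present
    records = lookup_txt(f"_adsp._domainkey.{domain}")
    if not records:
        return "none"            # no ADSP policy published for this domain
    practice = parse_adsp(records[0])
    if practice is None or practice == "unknown":
        return "unknown"         # malformed record is treated as unknown
    return "fail" if practice == "all" else "discardable"
```

A "fail" result only says the domain claimed all mail is signed and this message is not; whether to reject is the receiver's call, while "discardable" is the domain asking that such mail be dropped.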

Comment: Re:get rid of symbian signed.. (Score 2, Insightful) 88

by martok (#28680453) Attached to: Symbian Foundation Takes First Step In Open Sourcing Mobile OS

That's the thing I don't understand about the whole Symbian open sourcing and the excitement around it. Unless I am off-base, it's not like a programmer will be able to pick up the Symbian codebase, make a modification, compile a new kernel and flash it into his phone. If that's the level of open-sourcing we're talking about here, disabling 'Symbian Signed' will be trivial. Is this geared more toward device manufacturers? I.e., end-users and developers need not care?
