Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Note: You can take 10% off all Slashdot Deals with coupon code "slashdot10off." ×

Comment Re:Who you gonna call? (Score 1) 138

I imagine it would not be stored centrally but in the TPM where the TPM says yay or nae when presented with the image. In theory the TPM doesn't release the actual key even to the BIOS but rather just does the authentication. But who knows what kinds of attacks they can withstand when physically pulled off the mainboard.

Comment Is it really more secure? (Score 4, Insightful) 138

I've seen cases recently where people crossing the border from one nation to another have been asked to enter their phone or laptop password for inspection. They are at this point free to refuse to divulge this information though there may be the obvious consequences. Using biometrics, would it not be possible for an attacker to simply force one to provide biometrics to unlock a device? What about other attacks such as a spouse unlocking a device using his/her partner's fingerprint while (s)he is asleep? I would think this would open up new security holes for the ones it fixes.

Comment Re:Pick an Emphasis On or Interdisciplinary Degree (Score 4, Insightful) 347

Agree with parent here. I would add that as you are finished your first two years, you have jumped through the hoops which cause most people to drop. First year maths, stats etc. In years 3 and 4, things get much more interesting. Stick it out and you'll be a better programmer as a result. Yes, web developer == programmer.

Comment Inexperienced exchange providers (Score 5, Insightful) 232

This is not the fault of the currency. It is a fault of the exchange provider and the users of the currency really need to be careful in who they put their trust.
I'm sorry but noone without a great deal of development experience should be writing a Bitcoin exchange or any other type of financial exchange exposed to the internet. The attackers got hold of the unencrypted wallet? Why would an exchange wallet ever be unencrypted? Why is there a single wallet in the first place? Why not have seperate wallets per user account encrypted with their own passphrase such that the site operator doesn't even have access? Maybe a master password override to decrypt but never stored online etc.
Why is the wallet stored on the webserver in the first place? Why aren't funds transfered to offline storage on a regular basis? I could go on.

Comment Would this invalidate contracts? (Score 1) 204

I am not sure how it works in the US, but here in Canada when a celco changes its terms, it allows the end user to cancel his contract without an ECF. That is, unless the celco agrees to honour the terms of the original contract as signed for its duration. So assuming the 2 year contract also says something to the effect of user agrees with the privacy policy, I would argue that makes the privacy policy part of the contract and is thus grounds for cancelation. Thoughts?

Comment Real encryption (Score 1) 128

With the recent MTGox compromise, I've been looking at a better password system. It looks like one way to go is to use a program like password safe or keesafe to generate unique passwords per website. However, I'm curious as to how resistant these master files are to GPU attacks. GPUs basically sliced through the MTGox MD5 hashes like butter. How long would it take a higher-end distributed cluster to break a Password Safe master file? It's blowfish encrypted I believe.

Comment Home user perspective (Score 1) 425

I realize this article is coming from a corporate perspective but from a home user's perspective, I am really getting quite a lot from IPV6. I once had to poke holes in my firewall to get at internal machines on nonstandard ports when away from home. Now that they are IPV6 enabled,, I can address them directly. I can also access my Samba shares (ISP port blocking) and the SIP protocol works much better now that NAT is not involved.

The tunneling does add latency though so here's hoping the ISPs get native connectivity soon now.

Comment Re:No, and I won't (Score 3, Interesting) 263

Actually, DKIM can be used to guarantee a sender. We're using DKIM here with ADSP. That is:
_adsp._domainkey TXT "DKIM=ALL"
tells a receiver that all emails from our domains should be signed. Since the keys themselves are published in our DNS, a machine not under our control should not be able to send an email purporting to be from our domain.

I'm not sure but I would think that mechanism would make SPF irrelavent. Assuming antispam software actually checked the adsp dkim records.

Comment Re:get rid of symbian signed.. (Score 2, Insightful) 88

That's the thing I don't understand about the whole Symbian open sourcing and the excitement around it. Unless I am off-base, it's not like a programmer will be able to pick up the Symbian codebase, make a modification, compile a new kernel and flash it into his phone. If that's the level of open-sourcing we're talking about here, disabling 'Symbian Signed' will be trivial. Is this geared more toward device manufacturers? IE. end-users and developers need not care?

If all else fails, immortality can always be assured by spectacular error. -- John Kenneth Galbraith

Working...