
Comment: Re:Is this unique to Java? (Score 1) 130

I agree that 4 -> 5 was difficult, 5 -> 6 and 6 -> 7 were easy, but 7 -> 8 is difficult again. Mostly due to app server containers like Tomcat and JBoss -- specifically the JSP compiling part needs a lot of love for Java 8 in servlet containers.

Comment: Hash and Salt (Score 4, Interesting) 206

We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users. Still, the 100k rounds of SHA256 seem decent.

Would bcrypt be any better than PBKDF2 here?
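The scheme the quoted statement describes (client-side PBKDF2, then a per-user random salt and 100,000 further rounds of PBKDF2-SHA256 on the server) is easy to show in plain Python. This is an added example, not LastPass code: the client-side round count and the use of the lowercased e-mail as the client-side salt are assumptions made for illustration. It also shows why a leaked salt only lets an attacker target one user at a time: two records for the same password never share a hash, and every guess against a record costs the full server-side round count.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # assumed client-side iteration count (constructed for this example)
SERVER_ROUNDS = 100_000  # server-side strengthening, as in the quoted statement


def client_auth_hash(master_password: str, email: str, rounds: int = CLIENT_ROUNDS) -> bytes:
    """Client-side PBKDF2-SHA256: the value the client sends for authentication.
    Salting with the lowercased e-mail is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds)


def server_strengthen(auth_hash: bytes, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Server-side PBKDF2-SHA256 over the received auth hash with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, salt, rounds)


def create_record(auth_hash: bytes) -> dict:
    """What the server stores: random salt, round count, and the strengthened hash.
    The raw auth hash is never stored."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": SERVER_ROUNDS,
            "hash": server_strengthen(auth_hash, salt)}


def verify(record: dict, auth_hash: bytes) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    candidate = server_strengthen(auth_hash, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def records_differ_for_same_password(auth_hash: bytes) -> bool:
    """Same password, two independent salts -> different stored hashes, so a stolen
    table cannot be attacked with one precomputed list; each user costs 100k rounds
    per guess."""
    return create_record(auth_hash)["hash"] != create_record(auth_hash)["hash"]


if __name__ == "__main__":
    ah = client_auth_hash("correct horse battery staple", "User@Example.test")
    rec = create_record(ah)
    print("verify ok:", verify(rec, ah))
    print("wrong password rejected:", not verify(rec, client_auth_hash("wrong", "user@example.test")))
    print("salts make records differ:", records_differ_for_same_password(ah))
```

On the bcrypt question: bcrypt's advantage is its memory-access pattern, which is less GPU-friendly than SHA256; PBKDF2-SHA256 at 100,000 rounds is still a large per-guess cost, and the salt handling above is identical for either.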

Comment: End to End Crypto (Score 4, Interesting) 205

Is there a market in the world for strong cryptographic file sharing? Meaning only the end users control their private keys and the "network" just connects users -- it never knows the keys.

Or does that only work on the small scale, such as one user sharing some files with a few friends? If that same user shared those files with ten thousand friends, then would the sharing be public, as the keys would be "leaked" by nature of lots of people having them? (And thus those files could be examined for copyright infringement.)

Comment: Re: Lol (Score 3, Interesting) 248

And since some characters have different lengths, even counting characters might not be good enough. (Can't use max_bytes=80, nor max_chars=40.)

The message could be "displayed" in memory with the chosen font and size to calculate its length, then truncate the string in character mode to fit within the limited area.
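An added example (not from the comment's author) of the three kinds of "length" the comment contrasts. It does not render a font; as a stand-in for measuring the rendered string, it uses Unicode east-asian-width classes as a proxy for display columns, which is an assumption for illustration. It shows that a byte cut can corrupt a multi-byte character, and that a width-based cut keeps whole code points and their combining marks.

```python
import unicodedata


def char_width(ch: str) -> int:
    """Approximate display columns for one code point: combining marks take none,
    wide/fullwidth East Asian characters take two, everything else one.
    (Proxy for real font metrics; assumption of this example.)"""
    if unicodedata.combining(ch):
        return 0
    return 2 if unicodedata.east_asian_width(ch) in ("W", "F") else 1


def display_width(text: str) -> int:
    return sum(char_width(ch) for ch in text)


def truncate_by_bytes(text: str, max_bytes: int) -> str:
    """The naive max_bytes approach: may split a multi-byte UTF-8 sequence.
    errors='replace' makes the damage visible as U+FFFD instead of raising."""
    return text.encode("utf-8")[:max_bytes].decode("utf-8", errors="replace")


def truncate_by_width(text: str, max_columns: int, ellipsis: str = "\u2026") -> str:
    """Cut in 'character mode' so the result fits max_columns of display width,
    appending an ellipsis when anything was dropped. Combining marks (width 0)
    stay attached to their base character."""
    if display_width(text) <= max_columns:
        return text
    budget = max_columns - display_width(ellipsis)
    out, used = [], 0
    for ch in text:
        w = char_width(ch)
        if used + w > budget:
            break
        out.append(ch)
        used += w
    return "".join(out) + ellipsis


if __name__ == "__main__":
    sample = "\u65e5\u672c\u8a9e\u30c6\u30ad\u30b9\u30c8"  # constructed: 7 wide characters
    print(len(sample.encode("utf-8")), "bytes,", len(sample), "chars,",
          display_width(sample), "columns")
    print("byte cut:", truncate_by_bytes(sample, 4))      # corrupts the 2nd character
    print("width cut:", truncate_by_width(sample, 8))     # whole characters only
```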

Comment: Re:See it before (Score 1) 276

There are multiple layers of virtualization that could be used. A BSD jails approach could be used for sandboxing and library dependency (lib X.Y for Jail 1, lib X.Z for Jail 2). A Docker style approach could be used. Or whatever awesome new micro-virt someone can come up with that's not as heavy as a traditional virtual machine.

Comment: Re:See it before (Score 2) 276

The VM for each application is a good idea. Android got close, by at least creating a user for each app using the standard unix permission model where each user can't see another user's files so each app is separate. But they still have all the "what APIs does this device allow" and "what APIs have this program implemented" problems similar to "what libraries does this distro have".

Comment: Re:There will always be a need... (Score 1) 276

I know of one large company that maintains its own "drop" like service where you can upload confidential files, and share them with other employees or clients. There are sensible defaults for the maximum allowed users as well as a time delay (after X days the files are deleted).

Here is another option if you want to outsource:

Comment: Re:See it before (Score 3, Interesting) 276

Linux Package Deployment

I don't think the parent was complaining about not being able to modify his own linux desktop because there are other shared users. I think the problem might be around distributions that only release certain versions of software. For example, I run an "old" Ubuntu 10.04 LTS release. It is nearly impossible to install the latest Chromium build due to package dependencies and management. However, I can run the latest Firefox since I can download the tarball directly. (And no, I shouldn't have to upgrade the entire operating system just to run a simple userspace program.)
