
Comment: Tamper evident (Score 5, Interesting) 88

From TFA: For those interested, FIPS 140-2 Level 1 means that a device has at least one standard ("approved") security algorithm or function, and Level 2 means that the physical design is tamper-evident.

He seems to think little of the product, but it appears to me it meets the requirements just fine. It's obvious that his key was tampered with, and nothing was done to try to extract key data from the device. Basically, he can take one apart, but there's little chance someone's going to take my Yubikey in the middle of the night, duplicate the key data, and put it back without me noticing something is wrong. Sure, the NSA could probably do it, but they can't have the time with listening to everyone's grandma's phone calls. =)

Comment: Re:Stupid question: how do you use it? (Score 3, Interesting) 88

It's a second factor in two factor authentication (2FA) for applications that support it.

The one I find to justify it entirely is LastPass. All of the random sites on the internet that need credentials can have automatically generated passwords that are stored encrypted, and I never have to remember them. I just have to remember the LastPass password and have the Yubikey set up with my account. The Yubikey integration requires a LastPass Premium subscription.

Of course, nowadays you can use Google Authenticator without having a piece of custom hardware or paying for LastPass Premium. But I don't mind supporting good companies with useful products.

Comment: Re:my two cents (Score 1) 599

It's California, specifically Los Angeles - they are pioneers in fields worthy of Ig Nobel prizes.

If we really want to get away from the classic one-size-fits-all-future-factory-workers education model, trade schools should start around the Jr. High age.

Specialization is critical to the world today, so it makes sense to let people start specializing at an early age. I had to wait for high school to get a computer teacher who could point me in the right direction to learn new things, even though she told others that I knew more than she did. But she combined technical knowledge with people skills, a critical combination that took me several more years to learn. She recommended me for my first job as a programmer at 15.

It would be nice if outliers could be identified and pushed in a more productive direction at an early age. For some, that should be a specialized technical program, others may need remedial potato product upselling classes. Segregating people into groups for reasons other than merit is a trend that puts the US at a severe disadvantage against other cultures who can focus on ability.

Comment: Re:You should title this "Patriot act to be repeal (Score 1) 188

You have to have faith that things will work out in the end.

The businesses that own those congressmen are being negatively impacted by the surveillance state. The US can no longer be taken seriously for security products globally because the NSA has to have a finger in every pie, and a plethora of vulnerabilities in every product.

We have the best government many can buy. It just takes time for that money to get in the hands of the large multinational corporations who can be trusted to take the most profitable path. Once the laws start to directly conflict with the ability of those companies to make a profit, and the lucrative government contracts dry up so it's no longer profitable to support the surveillance state, those companies will fight to repeal those laws, unless a third, more profitable option appears. The government would be in a really bad position now if they couldn't just arbitrarily print unlimited sums of money to keep that contract option going.

Of course, this is probably why a lot of people feel it necessary to prepare for the collapse of western civilization.

Comment: Re:Jail time (Score 1) 538

Yes, that's exactly what would happen if Anonymous Coward was appointed supreme emperor. Fortunately, the existing corrupt politicians are unlikely to give up their power that easily. AC would be floating in a river by sunup.

I suspect the sentiment was more frustration that politicians are almost never held accountable.

Best idea on term limits comes from a bumper sticker: "Two terms. One in Congress, the other in federal prison for what they did while in Congress."

Comment: Another bad omen for privacy and security (Score 4, Insightful) 309

It's a bad sign when those who care about security lose interest. The NSA is doing their part to eradicate secure crypto. Law enforcement agencies are commonly breaking the law to fish for potential criminals. The only protection available is what's written by people who are not subject to influence from the NSA. That's increasingly meaning open source or non-US-based companies.

Crypto is hard to get right. It's hard for the average person to know what ciphers or tools to use and which are just snake oil. It's hard to implement correctly so that it is secure. New ciphers are written by people who have a lot of experience in breaking the old ones. As the old guard ages out, I don't see the same depth of interest in the next generation. With crypto, there's no quick fix, and the new hotness doesn't come overnight.

On the other hand, the 1990s cryptography he mentions would be a huge improvement over many things we have today. Since the 90s, I've wanted the ability to have cryptographically signed financial transactions. Instead of financial institutions and credit reporting agencies using shared secrets, I'd like to have the ability to authenticate with a public key. I'd like to provide my public key in person to my bank so they know I'm authorizing transactions. Instead, they rely on secrets which are available to anyone who's willing to spend a few bucks and maybe break a few laws. Identity theft is so prevalent because we're basically relying on writing (at least a 4000 BC technology) for security instead of good crypto. Hell, bad crypto would be an improvement over most of what's being done today.

I hope his opinion isn't representative of more people who have been involved with security and privacy issues, but unfortunately, I think it will resonate with a lot of us.
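The scheme the comment above asks for, as an added example that is not part of the original post: the customer's public key is enrolled once (the in-person step), every transaction is a signed message, and the bank verifies the signature against the enrolled key instead of holding any shared secret. The account name, payee and amounts are constructed; the per-account sequence number is an assumption added so that a captured authorization cannot be replayed, which a shared-secret scheme cannot offer at all.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the exact message the customer signs. Everything the bank
// acts on (account, payee, amount) is inside it, plus a per-account sequence
// number so a captured authorization cannot be replayed. Constructed for
// this example; a real scheme would also carry a currency and an expiry.
type Transaction struct {
	Account string `json:"account"`
	Payee   string `json:"payee"`
	Cents   int64  `json:"cents"`
	Seq     uint64 `json:"seq"`
}

// canonical returns the bytes that are signed and verified. encoding/json
// emits struct fields in declaration order, so both sides derive the same
// bytes from the same transaction.
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err) // cannot fail for this struct
	}
	return b
}

// Sign runs on the customer's side; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, canonical(tx))
}

// Bank stores, per account, the public key the customer handed over in
// person and the last sequence number it accepted. Nothing here is a secret
// that a database leak or a phishing page could turn into a valid authorization.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

// Register models the in-person key enrollment.
func (b *Bank) Register(account string, pub ed25519.PublicKey) {
	b.keys[account] = pub
	b.lastSeq[account] = 0
}

var (
	ErrUnknownAccount = errors.New("no public key registered for account")
	ErrBadSignature   = errors.New("signature does not verify")
	ErrReplay         = errors.New("sequence number already used")
)

// Authorize accepts a transaction only if it is signed by the key registered
// for the account and its sequence number is fresh. The signature check runs
// first so that an unsigned request can never advance the counter.
func (b *Bank) Authorize(tx Transaction, sig []byte) error {
	pub, ok := b.keys[tx.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, canonical(tx), sig) {
		return ErrBadSignature
	}
	if tx.Seq <= b.lastSeq[tx.Account] {
		return ErrReplay
	}
	b.lastSeq[tx.Account] = tx.Seq
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("acct-42", pub) // constructed account name

	tx := Transaction{Account: "acct-42", Payee: "electric-co", Cents: 12345, Seq: 1}
	sig := Sign(priv, tx)
	fmt.Println("first use:", bank.Authorize(tx, sig)) // <nil>
	fmt.Println("replayed: ", bank.Authorize(tx, sig)) // sequence number already used
	tx.Cents = 9999999                                  // attacker edits the amount in transit
	fmt.Println("tampered: ", bank.Authorize(tx, sig)) // signature does not verify
}
```

What the bank stores is only ever a public key, so the data an identity thief buys today (SSN, date of birth, mother's maiden name) authorizes nothing; the thing worth stealing is the private key, which stays on the customer's device or token.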

Comment: Why just nations? (Score 1) 131

When will those of us in the flyover states be able to buy our own armed drones?

Youtube is filled with entertaining videos of rednecks with guns and explosives. Armed drones would help take this to a whole new level. Think BattleBots with truly no holds barred.

Sure, there may be some people who would want to use these for illegal purposes, but think of all the benefits. Imagine a new service for stalking victims - counter-stalking drones, now with a "resolve" button.

(For the humor impaired, yes, I'm kidding)

Comment: Re:That's why nobody sensible wants them (Score 3, Informative) 223

Encryption is not a panacea.

I'm in full agreement that sensitive data should be encrypted, but I've seen too many cases where encryption (even bad encryption) is an excuse for lazy and bad security decisions.

SSN is a bad "secret" for anything, given how simple and ubiquitous it is. The idea that shared secrets establish identity has been wrong for many years and it's just going to keep getting worse until we, as consumers, can make companies leverage public key cryptography for authentication.

Policies that require encrypting SSN at rest and PII in transit usually result in a database table with:

That sounds like a step in the right direction, unless you consider how easy it is to decrypt the SSN. On my laptop, it takes 62 seconds to go through every possible SSN using a script that took me less than 60 seconds to write. Add some time for doing an encrypt operation and lookup for each possible value, but it's clearly possible to brute force the entire SSN range on any computer in a very short amount of time. Ultimately, once someone can get access to the data, they can easily generate every possible encrypted SSN and match up the actual value to what's in the table.

Real world example:
Cox insisted on having my SSN to get internet service through them. The last 4 of the SSN is used to confirm the user on the web site. They insisted that storing SSN on the internet was safe because it's encrypted. They really want the SSN to be able to track you down if you don't pay and skip town. Most of their customers aren't going to argue with them because they hear that encryption is magic. I eventually convinced a supervisor that their security is a joke and we agreed that my SSN would be in their system as 3.14159265, without the decimal point.

When people believe that encryption makes their data safe, it allows people to decide to make riskier choices with where the data resides. Encryption is a step in the right direction, but it's just one piece of the security puzzle.
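The brute-force the comment above describes, as an added example that is not the commenter's script and not anyone's production code: an "encrypted SSN" column produced with a deterministic cipher (one AES block per value, no IV) is enumerated by encrypting every candidate and joining the results against the stolen column. The key, the customer rows and the narrowed search prefix are constructed; the attacker is assumed to hold the key along with the table, or to have an endpoint that encrypts whatever they submit. The randomized variant at the end is added to show what determinism alone gives away (which rows share an SSN), and its comment states what it does not fix.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// demoKey is a constructed AES-256 key kept in memory only so the example
// runs stand-alone; the attacker is assumed to have obtained it along with
// the table (or to have an endpoint that encrypts whatever they submit).
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// padSSN places the nine digits in one AES block, zero-padded.
func padSSN(ssn string) []byte {
	block := make([]byte, aes.BlockSize)
	copy(block, ssn)
	return block
}

// EncryptDeterministic is the "encrypted column" pattern: one AES block per
// SSN, no IV (ECB). The same SSN always yields the same bytes, so the column
// can be joined against a precomputed table, and it leaks which customers
// share an SSN without any key at all.
func EncryptDeterministic(key []byte, ssn string) string {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	b.Encrypt(out, padSSN(ssn))
	return hex.EncodeToString(out)
}

// EncryptRandomized uses AES-GCM with a fresh nonce per row (nonce prepended).
// Equal plaintexts no longer look alike and a precomputed table is useless
// without the key. It does not help once the key is stolen: 10^9 values are
// still trivial to decrypt, which is the comment's point.
func EncryptRandomized(key []byte, ssn string) string {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(b)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return hex.EncodeToString(append(nonce, g.Seal(nil, nonce, []byte(ssn), nil)...))
}

// SSNsWithPrefix enumerates every nine-digit SSN starting with prefix. An
// empty prefix is the full 10^9 space; main narrows it so the run is short.
func SSNsWithPrefix(prefix string) []string {
	digits := 9 - len(prefix)
	if digits <= 0 {
		return []string{prefix}
	}
	n := 1
	for i := 0; i < digits; i++ {
		n *= 10
	}
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, fmt.Sprintf("%s%0*d", prefix, digits, i))
	}
	return out
}

// RecoverDeterministic plays the attacker: encrypt every candidate once and
// look it up in the stolen column. Returns ciphertext -> recovered SSN.
func RecoverDeterministic(key []byte, stolenColumn, candidates []string) map[string]string {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	index := make(map[string]struct{}, len(stolenColumn))
	for _, ct := range stolenColumn {
		index[ct] = struct{}{}
	}
	found := map[string]string{}
	out := make([]byte, aes.BlockSize)
	for _, ssn := range candidates {
		b.Encrypt(out, padSSN(ssn))
		ct := hex.EncodeToString(out)
		if _, hit := index[ct]; hit {
			found[ct] = ssn
		}
	}
	return found
}

// EstimateFullSpaceSeconds times the attack on sampleSize candidates (at
// most 10^4 here) and scales to all 10^9 SSNs. Single-threaded and
// unoptimized, so a real attacker does considerably better.
func EstimateFullSpaceSeconds(key []byte, sampleSize int) float64 {
	cands := SSNsWithPrefix("00000")[:sampleSize]
	start := time.Now()
	RecoverDeterministic(key, nil, cands)
	return time.Since(start).Seconds() / float64(sampleSize) * 1e9
}

func main() {
	// Constructed "customers" column: four rows, two of them the same person.
	column := []string{
		EncryptDeterministic(demoKey, "123456789"),
		EncryptDeterministic(demoKey, "987654321"),
		EncryptDeterministic(demoKey, "123456789"),
		EncryptDeterministic(demoKey, "555001234"),
	}
	fmt.Println("rows 0 and 2 identical without any key:", column[0] == column[2])

	// Attacker holding the key: enumerate a 10^4 slice of the space and join.
	for ct, ssn := range RecoverDeterministic(demoKey, column, SSNsWithPrefix("12345")) {
		fmt.Printf("recovered %s from %s...\n", ssn, ct[:8])
	}
	fmt.Printf("estimated time for all 10^9 SSNs: %.0fs\n", EstimateFullSpaceSeconds(demoKey, 10000))
	fmt.Println("randomized rows identical:",
		EncryptRandomized(demoKey, "123456789") == EncryptRandomized(demoKey, "123456789"))
}
```

The search space is the whole problem: nine digits is 10^9 values, and the last-four check the comment mentions is 10^4, so any scheme in which knowing the value proves identity is lost the moment the key or an encrypt oracle is reachable, whichever cipher mode is used.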

Comment: Re: Good! 100,000 more Democrat voters! (Score 1) 331

You took that seriously?

I was just making an absurd extension to the "give everyone free money" argument. This is all under a story about mass layoffs at IBM, so I figured trying to add some levity might help.

The income tax is a percentage of income paid to the government. If there was a "negative income tax" that would (mathematically) be money the government paid to the taxpayer (taxearner?). Math jokes aren't always funny, but when they have to be explained, all humor is completely lost.

As someone (often misattributed) once said: Democracy only works until people realize they can vote themselves more money.

Comment: Re:rival IBM? (Score 1) 331

Yes, it's too optimistic.

The people who are let go during mass layoffs aren't the visionary, brilliant and rich types. Those people can get another job easily, so there's no reason for them to stick around a soul sucking company they hate until they get laid off.

To found a company you need capital. Unless one or more of the founders is rich, that means convincing others you have something worth investing in.

How many of the people let go are going to work for free or cheap for a brand new startup?
What are they going to work on?
How is that product or service going to turn into a steady income stream?

Does IBM have anything worth a startup trying to beat them on?

A bunch of legacy applications that keep getting resold to new customers? There are none in a new startup.

IBM mainframes? Is there a market for a new mainframe manufacturer? And what's the barrier to entry to design, manufacture and market a new mainframe? I suspect not, but then I don't believe that the market for new IBM mainframes consists of anything but legacy IBM mainframe customers.

Project management? This is most of what IBM does. They get a contract to scope out a project that is never defined and therefore will never succeed or fail, but there's an amazing amount of billable hours in fluffing up the "no deliverables" that these projects could be shrunk to.

Most companies who want a project management circle jerk are perfectly capable of hiring a bunch of contractors and giving them no direction. There's no need for a startup to perform some role to get into that cash bonfire. IBM gets these contracts because people play golf and drink with other people, or they throw one of these engagements in with every product. You don't have to purchase a product, IBM will be happy to bill you for trying to sell you stuff you don't want.