
Comment Stalking Horse? (Score 2) 137

I take Mr Beard's comments at face value, that his company can offer lawful intercept without back doors. Unfortunately this has nothing whatsoever in common with the statements made by Apple and others.

You see, BlackBerry has a unique position in the market, being not just the manufacturer but also the network operator. Thus for most normal BlackBerry users (non-corporate), their secure end-to-end communications begin and end at BlackBerry's servers. Also, their device encryption software has at least one known weakness to offline brute-force cracking, so perhaps there are more.

All this means that what BlackBerry is really saying is that, since they control the communication keys and made a less-than-perfect encryption product, they can offer lawful interception where other vendors had to rely on real hardware device encryption and end-to-end communications.

BTW, Apple does not get off scot-free here, as its iMessage product can offer lawful intercept, just not decryption after the fact, because they too control which keys are used to encrypt which iMessage.

Comment $1M or not $1M here is the important bit (Score 2) 79

OK, let's accept for now that CMU did not receive payment for their data and that they only gave up their data upon subpoena; it really was just icing on the real issue: that of the unethical disclosure of people's private data, resulting in an indirect FBI evidential fishing exercise, which is allowed in discovery unless the evidential collection is prompted (hence the $1M), which would render it 'fruit of the poisoned tree' and is why there is perhaps so much emphasis being placed upon payment.

Remember this: any entity involved in security research, or even just a business, can be subpoenaed for their data and required by law not to disclose the fact of the request. Further, resisting such requests can lead to extended legal difficulties; just ask Ladar Levison.

So what CMU did wrong here (if current evidence is correct) was to collect and keep significant personal information as a result of their 'research', which is incompatible with what security research is about. If there had been an Ethical Review Board for the ongoing CMU research, this should have been noticed and changes made.

So, what could CMU have done?

* They could have set up an internal Review Board to review the ethical, legal and other issues of such research {they admit they did not}.
* They could have designed the data collection part of their exploit to anonymize data such that connection inferences can be made without disclosing actual IP addresses (simply make a salted hash of each IP address) {they did not}.
* They could have limited collection to just what was needed to prove the exploit and then shut it down {they did not}; instead they ran it for over 3 months.
* Upon proving the method they could have immediately followed responsible disclosure and briefed the Tor group {they did not}.
* If the research was launched initially by an FBI request or similar, they should have taken legal advice and realised that they could not do this ethically or follow the above, and thus NOT agreed to do it {clearly, if so, they failed}.

So in closing, take note: in the current legal and criminal climate, DON'T collect and store unnecessary information unless you can prove that you can protect it from disclosure in untargeted extralegal ways, lest you and your establishment end up in hot water (see Sony, Ashley Madison, CMU, NSA, etc.).
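Added editorial example, not part of the comment above and not code from CMU or the Tor project: what the "hash each IP address" suggestion looks like when done so that connection inferences still work on the stored data. The log lines are constructed (RFC 5737 documentation addresses). The one practitioner caveat it demonstrates: for IPv4 a plain salted hash is reversible by enumeration, because the salt has to be stored next to the data and the address space is only 2^32; a keyed MAC (HMAC here) whose key is destroyed when collection ends does not have that problem. Function and variable names are this example's own.

```python
"""Keyed pseudonymization of IP addresses in a research log (added example)."""
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter

# Constructed sample flows: (timestamp, client_ip, relay_ip). The addresses are
# RFC 5737 documentation ranges, so they identify nobody.
SAMPLE_FLOWS = [
    ("2014-02-01T10:00:01Z", "192.0.2.10", "198.51.100.5"),
    ("2014-02-01T10:00:07Z", "192.0.2.10", "198.51.100.5"),
    ("2014-02-01T10:00:09Z", "203.0.113.77", "198.51.100.5"),
    ("2014-02-01T10:01:00Z", "192.0.2.10", "198.51.100.9"),
]


def new_study_key() -> bytes:
    """One secret key per study. Destroy it when collection ends; after that
    nobody, subpoena or not, can map the pseudonyms back to addresses."""
    return secrets.token_bytes(32)


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Stable, key-dependent pseudonym: HMAC-SHA-256 over the packed address,
    truncated to 64 bits. Equal addresses give equal pseudonyms under the same
    key, so "same client talked to relay X twice" is still answerable."""
    addr = ipaddress.ip_address(ip)  # validates and normalizes v4 and v6 text forms
    tag = hmac.new(key, addr.packed, hashlib.sha256).digest()
    return tag[:8].hex()


def pseudonymize_flows(flows, key: bytes):
    """Rewrite every address in the log; timestamps and structure are kept."""
    return [(ts, pseudonymize_ip(c, key), pseudonymize_ip(r, key)) for ts, c, r in flows]


def flows_per_client(pseudo_flows):
    """The kind of analysis the research needs, run on pseudonyms only."""
    return dict(Counter(client for _, client, _ in pseudo_flows))


def _salted_hash_packed(packed: bytes, salt: bytes) -> str:
    return hashlib.sha256(salt + packed).hexdigest()


def salted_hash_ip(ip: str, salt: bytes) -> str:
    """The weaker scheme: sha256(salt || address), salt stored with the data."""
    return _salted_hash_packed(ipaddress.ip_address(ip).packed, salt)


def recover_from_salted_hash(target_hex: str, salt: bytes, prefix: str):
    """Why the salt alone does not protect IPv4: whoever holds the salt can
    enumerate candidate addresses and match. A /16 is 65,536 hashes; all of
    IPv4 is 2^32, which is minutes of work. Returns the address or None."""
    for candidate in ipaddress.ip_network(prefix):
        if _salted_hash_packed(candidate.packed, salt) == target_hex:
            return str(candidate)
    return None


if __name__ == "__main__":
    key = new_study_key()
    pseudo = pseudonymize_flows(SAMPLE_FLOWS, key)
    print(flows_per_client(pseudo))  # per-client counts, no addresses
    salt = secrets.token_bytes(16)
    h = salted_hash_ip("192.0.2.10", salt)
    print(recover_from_salted_hash(h, salt, "192.0.0.0/16"))  # the address comes back
```

The HMAC output is still linkable within one study (that is the point), so the retention question the comment raises does not go away: a pseudonymized log plus a live key is personal data, and the key is what must be destroyed on a schedule.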

Comment Re:per definition every crypto is breakable (Score 1) 418

OK, I get your point. But to be pedantic that is not true.

The strongest form of encryption is the One-Time Pad. When used correctly it would be impossible, without the key material, to decrypt successfully. This is because, from the ciphertext, all plaintext strings are equally likely to be the decrypted message. Thus if you worked for an infinite time you would produce all possible plaintexts of the length of the encrypted message, but you would not know which was the one sent.

Now OTP is really difficult to do properly because of the need to have a truly random key the length of your message that is only known to the sender and recipient. But many modern forms of encryption are designed to share this fundamental property of indeterminacy of plaintexts; thus, as this simple example shows, many forms of encryption are effectively unbreakable without knowing some other information that would weaken the security model anyway.
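Added editorial example, not part of the comment above: the "every plaintext is equally likely" property made concrete. For a one-time pad ciphertext, any candidate plaintext of the same length has exactly one key that produces it, so an attacker who enumerates candidates learns nothing about which one was sent. The second half shows the "used correctly" condition failing: reusing the pad cancels the key out of the XOR of two ciphertexts, and a crib for one message reveals the other. Messages are constructed; names are this example's own.

```python
"""One-time pad: perfect secrecy, and what reuse of the pad leaks (added example)."""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; a pad that is shorter or longer than the data is a misuse."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(key, plaintext)


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)  # XOR is its own inverse


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """For ANY candidate plaintext of the right length there is exactly one key
    that turns the ciphertext into it. Unbounded compute lets an attacker list
    every candidate, but gives no reason to prefer one key over another."""
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, c1 XOR c2 == p1 XOR p2: the key drops
    out and the attacker holds a relation between the two plaintexts."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With a crib (one plaintext known or guessed), the other one falls out."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)


def demo():
    real = b"ATTACK AT DAWN"
    key = os.urandom(len(real))  # truly random, same length, used once
    c = otp_encrypt(key, real)
    assert otp_decrypt(key, c) == real

    # The same ciphertext is equally consistent with a contradictory message:
    # this key decrypts it to the alternative, and nothing distinguishes the two keys.
    alt = b"RETREAT AT 6PM"
    k_alt = key_explaining(c, alt)
    assert otp_decrypt(k_alt, c) == alt and len(k_alt) == len(key)

    # Misuse: the same pad encrypts a second message of the same length.
    other = b"HOLD POSITIONS"
    c2 = otp_encrypt(key, other)
    leaked = recover_other_plaintext(c, c2, real)  # == other, key never needed
    return c, k_alt, leaked


if __name__ == "__main__":
    c, k_alt, leaked = demo()
    print("ciphertext:", c.hex())
    print("a key that 'decrypts' it to RETREAT AT 6PM:", k_alt.hex())
    print("second message recovered from pad reuse:", leaked.decode())
```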

Comment Doomed, yer all doomed! (Score 1) 418

So basically this article:

The cat is out of the bag, that train has left the station and other sayings.

You cannot mandate against an idea; encryption is out there, and we all rely on it increasingly to manage our very existence. If you mandate that industry weaken the end-to-end secure model then bad things will happen: first the public will make losses, then industry will lose customers, and finally the industry donations to the pocketbooks of politicians, and come election time, they will lose.

Which means any politician who suggests this is either a) deluded, b) working for the criminals, or c) using it as a false flag to cover something else; in all cases they are automatically unelectable.

Make this clear to your MP that any suggestions like this are an affront to a free and democratic society and will not be tolerated.

Comment B*****cks! (Score 2) 52

If this post is a true reflection of the source material then it's a load of fetid dingo's kidneys.

"Netcraft confirms many U.S. Department of Defense websites, including a remote access service used by the Missile Defense Agency, are more vulnerable to man-in-the-middle attacks than most consumer websites." - True, but not by enough to matter unless you can utilize the world's GDP in processors.

"even though NIST banned new use of this signature algorithm two years ago." - Not banned, deprecated, and there is an application in the works to continue issuance until the end of 2016.

"vulnerable to attack by enemy governments and criminals who can stump up enough cash ($75,000) to crack the certificates." - That is a gross underestimate by many, many orders of magnitude. The figure I guess comes from the recent paper where the researchers spent about this much to generate a collision for the innermost part of the algorithm; that was NOT against the entire signature function, which would be orders of magnitude more costly in processing time.
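Added editorial example, not from Netcraft or from the paper the comment refers to: the distinction the comment leans on, that "a collision" and "matching a specific digest" are different attacks with very different price tags. Finding any two messages with the same digest is a birthday search costing about 2^(n/2) hashes for an n-bit digest; finding a message that hits a fixed digest (a preimage) costs about 2^n. SHA-1 is truncated to 16 bits here so both searches finish in seconds; the ratio of the two trial counts, not the absolute numbers, is what carries over to the full 160-bit function. Which of the two an actual certificate-forgery attack needs depends on the attack, and this block takes no position on that. Names are this example's own.

```python
"""Birthday collision vs. fixed-target preimage on a truncated SHA-1 (added example)."""
import hashlib

BITS = 16  # toy width so the searches are fast; the real digest is 160 bits


def trunc_sha1(msg: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of SHA-1(msg) as an integer."""
    digest = hashlib.sha1(msg).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int = BITS, limit: int = 1 << 20):
    """Birthday search: any two distinct messages with the same truncated digest.
    Expected cost is about 2^(bits/2) hashes. Returns (msg_a, msg_b, hashes_done)
    or None if the cap is reached."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i  # distinct messages, so any repeat digest is a true collision
        h = trunc_sha1(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def find_preimage(target: int, bits: int = BITS, limit: int = 1 << 22):
    """Brute force a message whose truncated digest equals a FIXED target, e.g.
    the digest a CA already signed. Expected cost is about 2^bits hashes, the
    square of the birthday cost. Returns (msg, hashes_done) or None."""
    for i in range(limit):
        m = b"pre-%d" % i
        if trunc_sha1(m, bits) == target:
            return m, i + 1
    return None


def expected_work(bits: int) -> dict:
    """Rule-of-thumb work factors for an ideal bits-wide hash."""
    return {"collision": 2 ** (bits // 2), "preimage": 2 ** bits}


if __name__ == "__main__":
    a, b, n_coll = find_collision()
    print("collision after %d hashes: %r %r -> %#x" % (n_coll, a, b, trunc_sha1(a)))
    # Constructed stand-in for "the digest that was signed".
    target = trunc_sha1(b"constructed certificate body")
    m, n_pre = find_preimage(target)
    print("preimage of %#x after %d hashes: %r" % (target, n_pre, m))
    print("ideal work factors at %d bits:" % BITS, expected_work(BITS))
    print("at 160 bits the same ratio is 2^80 vs 2^160")
```

Run it a few times with different `target` strings: the collision search stays in the low hundreds of hashes while the preimage search wanders around 65,000, the 2^8 versus 2^16 gap the comment is pointing at, squared up to 2^80 versus 2^160 for the full digest.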

Comment Hardly need spoofing in Canada (Score 3, Interesting) 113

The security issues are not even needed to get over-billed in Canada. With stock Android 5.1 or above (including the latest Marshmallow), use on either of the two main budget carriers can result in roaming data charges even when roaming data is disabled.

It seems, because of a programming decision as to how Android tells if it is roaming inside of a shared MVNO region and the odd decision of these two carriers to mimic in-network names when using partner carriers, the phone will ignore the user's selection to not use roaming data and thus incur charges in the range of $1/MB.

Comment Re:Other disruptive technologies? (Score 1) 330

I would say it made buildings over 10 stories practicable, but note that there were elevators before Otis, the Paternoster continuous elevator for example, and Otis's were initially freight-only. The key question though is what technology did Otis disrupt? What form of business model did having taller buildings with easy access make less tenable?

Comment Other disruptive technologies? (Score 1) 330

The refrigerator is a great disruptive technology for the early 20th Century, here is a list of others by the century they gained wider use and what they disrupted:-

Mid 19th Century: The Flush Toilet: replaced at a stroke the use of pit drop toilets when coupled to a sewer, and completely disrupted the work of Gong Scourers, whose job it was to be paid to regularly clean out cesspits, cart away the waste and sell it to market gardeners outside of the growing cities. Hence the phrase "Where there's muck there's brass".

Mid to late 19th Century: Municipal long-distance sewers and sewage treatment: In London, UK, disrupted the spread of waterborne disease and the livelihood of any physician or peddler selling posies and possets to cover the smell, on the mistaken belief that these diseases were airborne or miasmic diseases.

Mid 15th Century: Movable Type Printing Press: Initially disrupted the hand written indulgence business the church had going by drastically reducing the costs of buying your way out of purgatory, then disrupted practically everything to do with knowledge transfer.

That is a good start I'm sure others can continue the thread. You know there may be a book in this!

Comment Time for User TOS? (Score 3, Insightful) 474

Ok, so your site needs money from ads to survive; I get it, we all have to make compromises. But you are serving those ads via unvetted, bloated 3rd-party scripts which can harbor malware, cost me time and money, and track my ass between sites. Therefore, if you put up a page that asks me to accept your 3rd-party scripted ads, I will send you a copy of my User Terms of Service for you to agree to, in which you will find clauses that require you to accept responsibility for all 1st-, 2nd- and 3rd-party content and resources served by your site and all losses incurred should that adversely affect my systems, privacy etc.

Alternatively, if you wish to serve all Ads in a 1st party context without scripting then I'm powerless to stop you and would be much happier.

So in the end, to me it's not the ads themselves that are the problem, but how they are delivered and what hidden factors are present that I consider a detriment to my using your site.

Comment Induced Plot Hole (SPOILERS!) (Score 1) 242

So firstly I loved both the Book and the Movie. The book for the hard science portrayal (excluding the dust storm, OK) and the Movie for bringing it all home by showing what living on 1/3 rations will do to a body.

But, in going from the book to screenplay and to the movie there are a number of induced goofs that make the final work nonsense; as an example (more to follow later):

In the book and in the movie there are potatoes, sourced from a box labelled "Do Not Touch Until Thanksgiving", which Mark relies upon for survival. From internal calculation for the book, and as shown in the movie, it is known that the Mars landing in both cases occurs on Nov 8th 2035. BUT, while in the book the storm blows up on SOL 6 (>= Nov 14th), one week before Thanksgiving, in the movie it is stated to occur on SOL 18 (>= Nov 26th), which is at least 4 days after Thanksgiving 2035 (Nov 22nd).

So where did the potatoes come from 4 days after they were due to be eaten by the crew as part of a team prepared, thanksgiving day meal?
