
Comment: Who is the victim? (Score 1) 622

by ramriot (#48137313) Attached to: The Correct Response To Photo Hack Victim-Blamers

One question I always ask myself when I read of the publication of any private matter from a public person: what if that happened to me or any other private person I know? What would I want others to do?

Clearly I would want responsibility and respectfulness, perhaps a kind admonishment for not taking enough care (if that is due) with a note that they also have done dumb things in their life. I would also expect recognition that the perpetrator could have struck them and support in making sure this does not happen again.

In this case though that is rarely what happened; everyone seemed to become polarized, either in support of these public people against the haters or as haters themselves. What seems never to be mentioned is that the hack involved was probably not a targeted one and that the perpetrator is probably sitting on gigabytes of private data from a wide swath of individuals, both public and private. If it were not for their ego in publishing the salacious images of those people already in the public eye, we would never have known and would have gone on blindly with our weak-ass passwords.

So think on this next time you upload anything potentially useful to an adversary. Next time it could be YOU!

So pick your passwords with care, employ strong second-factor authentication, and if you just have to send a naked selfie to your significant other, learn how to use end-to-end encryption. Because believe me, we really don't want to have to look at your naked self above the fold over breakfast tomorrow.

Comment: No just payment! (Score 4, Informative) 336

by ramriot (#47935203) Attached to: Apple Locks iPhone 6/6+ NFC To Apple Pay Only

If Apple proceeds with locking away the NFC API from developers they will be making a huge mistake. NFC is not just for payments, it is a use-agnostic technology, and as such can be used anywhere you need short-range (1-2") data communications, i.e.
# Door locks / home security
# Wifi tap to secure.
# Bluetooth Pairing
# End to end encrypted messaging tap to exchange / sign public keys
# Second factor online authentication
etc etc.
On Android all these uses are available because the API is open.

Comment: No actual backup though! (Score 1) 268

by ramriot (#47911323) Attached to: Ask Slashdot: What To Do After Digitizing VHS Tapes?

You imply a backup but your current setup does not provide it; Peter Krogh has it succinctly in his 3-2-1 rule, see at bottom.

In summary, as well as your two local copies you need an offsite backup, possibly from a trustworthy cloud vendor.
This all depends though on whether the vital media is really worth preserving. If they really are historic documents that should be preserved for all time, you should think about investing in some analog archive storage as well as the digital, to forgo the risk of technology drift overcoming your ability to update the format as new systems replace old formats, i.e. some archive-quality 35mm B&W colour separation movie film with integral optical sound recording. This can be expensive though for your average family movie, but just think what it will be like in a millennium when yours is the only home movie left in existence ;-)

The 3-2-1 Rule
The simplest way to remember how to back up your images (ed: or any media) safely is to use the 3-2-1 rule.

We recommend keeping 3 copies of any important file (a primary and two backups)
We recommend having the files on 2 different media types (such as hard drive and optical media), to protect against different types of hazards.*
1 copy should be stored offsite (or at least offline).
*While 3-2-1 storage is the ideal arrangement, it's not always possible. A second media type, for instance, is impractical for many people in the ingestion or working file stage. In these cases, many people make do with hard-drive-only copies of their data. Best practices, however, still require 3 copies and some physical separation between the copies.

Comment: Searchable? (Score 3, Interesting) 102

by ramriot (#47882525) Attached to: Top EU Court: Libraries Can Digitize Books Without Publishers' Permission

Ok, so an EU library can scan works for access on their own 'terminals' for research. Can they also make those works searchable in a similar way to that which Google does? And if so can they allow access to that index (like their book index) over the internet?

If they can, then at least in the EU Google has a copyright exception for its Google Books project if it partners with at least one EU library organisation.

Comment: Profit Margin? (Score 1) 819

by ramriot (#47861523) Attached to: 3 Recent Flights Make Unscheduled Landings, After Disputes Over Knee Room

I would love to see the financial analysis of this i.e.

Remove 1" of leg room to get in x extra seats and make n dollars per extra customer
Cost of an interrupted flight due to personal space induced aggression.

I have a feeling that with margins being squeezed and the high cost of missing your allocated airport departure / arrival slot, it may well work out that keeping customers happy is actually more profitable than skimming them for every inch and dollar.

Comment: SQRL (Score 1) 113

by ramriot (#47559313) Attached to: Ask Slashdot: Open Hardware/Software-Based Security Token?


Using a smartphone as your token, and if that is not secure enough for you, I am for my sins presently building an HSM that will interface over NFC with the smartphone to keep all the cryptography parts and master key outside of the potentially vulnerable computing platform. Further, I promise, as do many of us working on this project, to make everything we can public domain or at the least open licensed.

Before making comment on this please do read and digest all the reference material; TL;DR does not cut it in crypto.

Comment: Do they mean (Score 1) 160

by ramriot (#47556617) Attached to: London Police Placing Anti-Piracy Warning Ads On Illegal Sites

Do they mean ?

Seems likely, and if so the ad-serving network would have to cooperate in allowing Sunblock's JS to be served to client browsers. I can only hope the Met's and the City's finest have a 100% accurate blocklist, because it only takes one high-profile false positive and a suit for loss of earnings due to illegal seizure of assets to drain Sunblock dry.

Comment: Agreed really bad idea, but why and what to do? (Score 1) 280

by ramriot (#47468865) Attached to: Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

Agreed, what this paper says is a really bad idea, but the bigger question is: why do you need to protect your low-value digital assets with equivalent security to your high-value ones, i.e. strong unique passwords?

The reason is, as is mentioned, you will have many more low-value assets with apparently insignificant information stores than the few that store critical information. So if, say, you reuse a weak password on all these low-value sites, a single break-in at any of them will potentially give an attacker access to all of the rest, as it is known that once an attacker gets a username/email and a password (reversed from a weak hash) they will try that username/email and password everywhere they can. It thus will not be a single tiny piece of information you risk with this policy but every piece of information on all the sites, and that may well add up to something very saleable to an attacker.

So what do we do?

0/ We cannot go around with many unique strong passwords in our head for fear of leakage and loss of retention.
1/ We could use a password safe, provided we trust the vendors or our skill to write it and not later make what is now a strong keeper weak by software patch.
2/ We could use a high entropy deterministic password generator e.g: if we have the time to work the manual algorithm each time we want a password.
3/ We could do away with almost all passwords by use of OAuth / SiteID etc., provided we trust a third party in all logins to not track our use.
4/ We could do away with all but one single pass-phrase that would potentially allow us to pseudonymously identify everywhere, like SQRL, but that is early days and will need time to be supported.

What I am saying is there is no single solution but many, but for certain the one suggested in the paper is not one of them...

Comment: Great idea in theory, pointless in the real world (Score 1) 277

After reading through their paper and getting a better understanding of the exact protocols etc., I can say assuredly that this method of protecting a database from use-after-theft is pointless.

Here is my reasoning (ignoring the possible patch to allow pre-knowledge authentication for now, as that leaks way too much information):
1/ The whole system relies on the use of a threshold system of password login attempts to dynamically build the in-memory database decryption key.
2/ That can either happen by one or more administrators attempting login after restart or by using a queued user authentication stack.
3/ In their own FAQ they state that weak passwords should be avoided as this weakens the system.

My assertion is that any real-world use of this system is open to humans picking passwords, and humans are really bad at that. That being so, if I were to run an SQL injection to steal the user table I would do the following:

a) From a dictionary of common "non-weak" human passwords (see recent thefts for the list) pick a password.
b) Run it through the site's hash, using the record salt, against every entry, producing a possible hash Hp.
c) XOR that with the hash in the table to get a possible Shamir share Sp.
d) Pick random lists of Sp and combine (derive the constant from the equation) to see if a statistically significant number of entries agree on a table key C and the share ratio R.
e) If not successful, rinse and repeat with another password and/or repeat to confirm C.

This algorithm should under any normal use derive C in quite short order provided there are at least R+1 repeats of any provided password guess.
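As an added worked example (not code from the post or from the paper it discusses), a toy Python model of the scheme as the comment describes it, showing why the table secret C falls to a single correct guess once K+1 users share that password; the prime field, the 128-bit hash truncation and K=3 are assumptions made for the toy.

```python
# Toy model of the scheme as the comment describes it (constructed here, not the
# paper's code): stored value = H(salt, pw) XOR a Shamir share of table secret C,
# so K correct shares rebuild C; K+1 users sharing one guessable password leak it.
import hashlib
import secrets
from collections import Counter
from itertools import combinations

P = 2**127 - 1   # prime field for the shares; every share fits in 128 bits
K = 3            # threshold: K correct shares reconstruct the secret

def h(salt: bytes, password: str) -> int:
    """Stand-in for the site's salted password hash, truncated to 128 bits."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest()[:16], "big")

def make_shares(secret: int, k: int, n: int) -> dict:
    """Shamir split: f(0) = secret, f of degree k-1, share x is (x, f(x))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}

def lagrange_at_zero(points: dict) -> int:
    """Recover f(0) from k or more (x, y) points of a degree k-1 polynomial."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def build_table(passwords: list, secret: int) -> list:
    """Constructed user table: rows of (uid, salt, H(salt, pw) XOR share)."""
    shares = make_shares(secret, K, len(passwords))
    return [(uid, salt, h(salt, pw) ^ shares[uid])
            for uid, pw in enumerate(passwords, start=1)
            for salt in [secrets.token_bytes(8)]]

def secret_from_guess(rows: list, guess: str):
    """Steps b) to d) of the comment for one guess: XOR rows with H(salt, guess)
    to get candidate shares, reconstruct from every K-subset, and accept a value
    only when more than one subset agrees (wrong shares give random values)."""
    cand = {uid: h(salt, guess) ^ stored for uid, salt, stored in rows}
    votes = Counter(lagrange_at_zero({x: cand[x] for x in subset})
                    for subset in combinations(cand, K))
    value, count = votes.most_common(1)[0] if votes else (None, 0)
    return value if count > 1 else None
```

The only defence inside the scheme is the one the comment quotes from the FAQ: keep guessable and repeated passwords out of the table, because the threshold adds nothing beyond the entropy of the passwords that repeat.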

Comment: Is anyone really metricated? (Score 1) 2288

by ramriot (#35887784) Attached to: Why Does the US Cling To Imperial Measurements?

May I ask the counterpoint: is there a country anywhere that uses only metric ISO units?
Here in Canada we still put $/lb on food items; in the UK all the road signs are in miles and speedometers are in miles/hour, and I do not know of anywhere that the weather report is given in Kelvin, as it should be. Is it just me, or does a balmy 293K sound much better than 20C?
