Comment: maybe just silly language, not silly security (Score 1) 139

by raymorris (#48684439) Attached to: 13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

I had to take another look because I remembered I had decided it was silly, but I didn't remember WHY I decided it was silly. I just took another quick glance, and noticed two things. There may be another, larger, issue I noticed last time and didn't notice this time. The two I noticed this time are language silliness, rather than security silliness.

First, it's the same as crypt($p,makesalt($alg)). Redundant language bloat. PHP has more duplicate functions than C has functions in total. In Perl, C, C++, PHP itself, and just about every other language, you call it as crypt(). Essentially they've just renamed an existing well-known system call, obscuring what it really is.

Second, it takes an "algorithm" parameter, which has exactly one legal value, bcrypt. That's pointless. It should at least accept SHA256 in that parameter as well. It's not like it requires any significant addition to the code - it's just being passed to crypt() anyway.

Comment: I'm aware of that. PHP's kinda stupid (Score 2) 139

by raymorris (#48682179) Attached to: 13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

I am aware of that. PHP's password_hash is kind of stupid, not really a good example of best practices for secure systems. Given that PHP was designed for non-programmers, though, it _might_ be a net benefit if people use password_hash rather than plaintext or MySQL PASSWORD().

Comment: those are key derivation, not for passwords, compl (Score 3, Informative) 139

by raymorris (#48681953) Attached to: 13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

Both bcrypt and scrypt would PROBABLY work, especially bcrypt, but they're designed for a different use. What you want for password storage is confidence that if the bad guy gets F(plaintext,salt), (the hash) they can't derive the plaintext. It's a one-way trap door - you can compute the hash from the plaintext password, but not the other way around. You do not care about any aspects of the output, other than that it can't be used to infer the input (and that it has a guaranteed reasonable maximum length).

For a key derivation function, it's ALL about the output. You're trying to create output that has particular attributes, such as pseudo-random bits, long length, and bonus points if the length can be extended to go on forever.

Key derivation algorithms sometimes work okay as hashes (for password storage), but almost by accident. That's not what they're designed for. To achieve the very different goals of KDAs, they tend to be much more complex, and therefore much more likely to contain subtle undiscovered weaknesses. I'd rather use something designed for the job at hand. I wouldn't, however, say someone is WRONG to use bcrypt for the purpose. If a student turned in a project that used bcrypt for password storage, I wouldn't mark down their grade. It's just not my personal preference.

Comment: Cloudflare prevents them from taking it down. CIA. (Score 0) 139

by raymorris (#48681089) Attached to: 13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

You can, given a budget that's a pittance for Microsoft, prevent the attackers from taking you down. The three aspects of security are CIA: Confidentiality, Integrity, and Availability. Giving up one of those aspects is silly.

Cloudflare and F5 provide excellent protections against even extremely large flooding-type attacks, and Prolexic also operates in this space.

Comment: yep. I provide security to some of the listed sites (Score 5, Informative) 139

by raymorris (#48680725) Attached to: 13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

Most of the listed sites have far more than 13,000 registered users, so access to the member database of just ONE of the sites would have yielded a much larger dump.

Also, some of the sites store only a properly salted, modern hash of the password, so there's almost no way to get passwords from the sites' servers.

It's pretty clear the hack is on the client side. We may have a look to see if the logs go back far enough to tell us which browser version, OS, and toolbars or addons those members were using.

Source - I designed the authentication and authorization systems for some of those sites.
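The three password-storage comments above (the crypt($p, makesalt($alg)) interface, the "one-way trap door" property, and the "properly salted, modern hash" the sites store) describe a structure rather than showing one. Below is an added example of that structure, not code from the thread, from PHP's password_hash(), or from any of the listed sites. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it as the slow, salted one-way function; the "$pbkdf2-sha256$rounds$salt$hash" record layout is this example's own convention (an assumption, loosely modelled on the crypt() "$id$salt$hash" form), and the sample password is constructed.

```python
"""Salted, slow password hashing with a crypt()-style self-describing record.

Added example for the thread above; not the thread's, PHP's, or any site's code.
Standard library only: hashlib.pbkdf2_hmac for the work, os.urandom for the
salt, hmac.compare_digest for the constant-time check.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Record layout "$pbkdf2-sha256$<rounds>$<salt>$<hash>" is this example's
# own convention (assumption), loosely modelled on crypt()'s "$id$salt$hash".
ALG = "pbkdf2-sha256"
DEFAULT_ROUNDS = 200_000   # work factor; raise it as attackers' hardware gets faster
SALT_BYTES = 16            # 128-bit random salt, fresh for every stored password
DK_LEN = 32                # output length; the hash's only job is to be unguessable


def _b64(raw: bytes) -> str:
    """Unpadded base64 so the record has no '=' that collides with the '$' layout."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    """Strict inverse of _b64; raises binascii.Error (a ValueError) on junk."""
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def make_salt(n: int = SALT_BYTES) -> bytes:
    """The makesalt() half of crypt(pw, makesalt()): CSPRNG bytes, never a counter."""
    return os.urandom(n)


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; the same password hashes differently each call."""
    if salt is None:
        salt = make_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=DK_LEN)
    return f"${ALG}${rounds}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute F(plaintext, salt) with the record's own parameters and compare."""
    try:
        _, alg, rounds_s, salt_s, dk_s = record.split("$")
        rounds = int(rounds_s)
        salt = _unb64(salt_s)
        expected = _unb64(dk_s)
    except ValueError:          # wrong field count, non-integer rounds, bad base64
        return False
    if alg != ALG or rounds <= 0 or len(salt) < 8 or len(expected) < 16:
        return False            # refuse records weakened below this example's floor
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # constant-time, no early exit


def needs_rehash(record: str, min_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when a stored record is below current policy and should be re-hashed
    on the user's next successful login (the record carries its own cost)."""
    parts = record.split("$")
    if len(parts) != 5 or parts[1] != ALG:
        return True
    try:
        return int(parts[2]) < min_rounds
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample; any string works.
    rec = hash_password("correct horse battery staple")
    print(rec)
    assert verify_password("correct horse battery staple", rec)
    assert not verify_password("Correct horse battery staple", rec)
    # Random salt: the same password stored twice gives two different records,
    # so a leaked table cannot be attacked with one precomputed dictionary.
    assert rec != hash_password("correct horse battery staple")
```

Because the cost and salt travel inside the record, a site can raise DEFAULT_ROUNDS later and migrate users one at a time with needs_rehash() at login, which is the same idea as the "$2y$" prefix in a bcrypt string; the comparison is done with hmac.compare_digest so a failed verify takes the same time regardless of where the first differing byte is.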

Comment: they'll never make a module for the only fighter (Score 1) 257

Now that many different planes are being replaced with the F-35, I'm sure they'll NEVER make an upgraded camera module specifically for it. It's not like they ever upgraded the cameras on any of the aircraft it's replacing.

Oh, space. There's no room for a high res camera. Looking at the 4mm x 4mm, 8MP camera on my phone, I'm having trouble believing that they'll never be able to fit a high-res camera in the plane.

Comment: Carter should sue 8th amendment "excessive bail" (Score 1) 84

by raymorris (#48679515) Attached to: Prosecutors Raid LG Offices Over Alleged Vandalism of Samsung Dishwashers

The Carter case is f_ed up. Remember, though, 10,000 cases were handled that day, and Carter's made the news because it was handled so wrongly. The 9,999 cases handled properly aren't newsworthy.

I'd like to see Carter sue Comal county in federal court for violating his Constitutional right under the 8th amendment, which bars excessive bail.

Comment: automatic when slips, even less traction (Score 1) 122

by raymorris (#48679493) Attached to: Tesla Roadster Update Extends Range

The traction control system should kick in when the tires _actually_ lose traction. If they programmed it for an estimate of the traction of new tires on dry, clean pavement they're doing it very, very wrong. A TCS is supposed to kick in when one tire hits a patch of ice, or there's sand on the road. It doesn't care what kind of tires there are - any tire is going to slip on ice.

Note also that the engagement of traction control actually reduces the traction available to make a curve or other maneuver, by "wasting" some of the available traction to use in braking the wheel. The idea is to use traction more effectively to point the car in the direction of the steering wheel, but with a net loss of traction it does a worse job than a trained driver. Of course most drivers are untrained.

Comment: math generally doesn't work, except specific hydro (Score 1) 122

by raymorris (#48678825) Attached to: Tesla Roadster Update Extends Range

Without getting into heavy math, you need a LOT of water pumped up VERY high to get much electricity. Rarely does it work. The one case where it sometimes makes sense is certain existing hydroelectric plants where you already have all of the equipment in place. If the dam is very high (large head value) it can make sense.

To apply that to all of the energy needs for the US, you'd have to cover just over half the country in reservoirs to provide two days of energy storage. Since large storm systems cover a significant portion of the country with clouds, you need that two-day supply at minimum.

So pumped storage is one of many ways to get an extra 1%-2% out of the existing power plants, and thereby reduce fossil fuel usage by 1%. That doesn't seem like much, but there are ten different ways to provide 1%-2% of our energy, and in total that can reduce the usage of fossil fuels and nuclear by 10%-15%, which is significant.

Comment: US, UK Bill of rights require bail (Score 1) 84

by raymorris (#48678773) Attached to: Prosecutors Raid LG Offices Over Alleged Vandalism of Samsung Dishwashers

> Potential flight risk means a judge is facing a black and white decision. It's not that the thought of an inconvenience is unthinkable, but it is usually a blanket to the alternative of "nothing at all". The solution is to tag and release, like anyone else we want to track and/or you have an escort. Someone gets out of the country, that's the border patrol's problem...in an ideal world. Go track em down and execute them

No escort needed, catch and release is called "bail" and it's been around for thousands of years. No need for an escort either; you (or someone willing to take responsibility for you) just put up 10% of the cost of your fine or of the cost to track you down, or put up collateral. When the 5% flee, the bail money pays the bounty hunter.

I suppose if you opt for paying just the 10%, you end up with something of an "escort" in that your bondsman, who is on the hook for the full amount, will want you to stop by or call in once per week.

I worked as a bounty hunter for a short time. Interesting work. Some people took care of their FTA after the bondsman called and reminded them they were subject to arrest. Of the people who didn't do that, most would immediately bond out again, at twice the price, and show up the second time.

Comment: System Hardware. Or yum install hardinfo (Score 3, Informative) 63

by raymorris (#48673003) Attached to: Linux 3.19 Kernel To Start 2015 With Many New Features

The kernel and friends manage hotplug devices quite nicely.
I take that to mean you want a clickity-click GUI, so you can see what the system has already detected and handled properly for you, and do things without needing to understand what you're doing. If that's what you're looking for, hardinfo is a well-known option. Your choice of graphical desktop environment probably has one it provides by default as well. Look under "System" or similar.
