
Comment: Re: stop the pseudo-scientific bullshit (Score 1) 53

by jd (#49156217) Attached to: Mysterious Siberian Crater Is Just One of Many

The Great Extinction, caused by Siberia becoming one gigantic lava bed (probably after an asteroid strike), was a bit further back in time. Geologically, Siberia is old. You might be confusing the vestiges of Ice Age desiccation (which was 10,000 years ago) but which involves the organics on the surface with the geology (aka rocks).

Regardless, though, of how the craters are forming, the fact remains that an awful lot of greenhouse gas is being pumped into the air, an awful lot of information on early civilization is being blasted out of existence, and a lot of locals are finding that the land has suddenly become deadly.

Comment: Re: Authority (Score 1) 26

by jd (#49156167) Attached to: As Big As Net Neutrality? FCC Kills State-Imposed Internet Monopolies

That is a good question. The last time the courts ruled on this, the ruling was that the FCC had ceded power and couldn't claim it back without the will of god. Or Congress, or something.

Personally, I'm all in favour of Thor turning up to the Supreme Court, but he probably wouldn't be allowed in on account of not having a visa.

Comment: Re: Great, fully owned by Silent Circle (Score 4, Interesting) 52

The issue with Silent Circle isn't their jurisdiction. It's that their code is of deeply questionable quality. They recently had a remote code execution exploit that could be triggered just by sending a text message to their phone. It's been literally years since one of these affected mainstream software stacks, so how was that possible?

Well, they wrote their own SMS parsing code, in C, and used JSON to wrap binary encrypted messages and there was a bug that could cause memory corruption when the JSON wasn't exactly in the form they expected.

The amount of fail in that sentence is just amazing. They're a company which justifies its entire existence with security, writing software to run on a smartphone where the OS itself is written in a memory safe language (Java) and yet they are parsing overly complex data structures off the wire ... in C. That isn't just taking risks, that's playing Russian roulette over and over again. And eventually it killed them. Remote code execution via SMS - ye gods.

After learning about that exploit and more to the point, why it occurred, I will strongly recommend against using Silent Circle for anything. Nobody serious about security should be handling potentially malicious data structures in C, especially not when the rest of the text messaging app is written in Java. That's just crazy.
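As an added example, not Silent Circle's code and not the specific bug the comment refers to (the page gives no details of it), here is the shape of the failure class being described: a C decoder for a JSON-wrapped binary message, first written the way that trusts the length that came off the wire, then hardened. The `{"len":N,"payload":"<hex>"}` wrapper format, the field names and the 64-byte destination buffer are all assumptions made for the illustration.

```c
/* Added example (not Silent Circle's code): a JSON-wrapped binary message
 * decoded in C, first the way that produces memory corruption, then hardened.
 * Wrapper format is assumed: {"len":<bytes>,"payload":"<hex>"} */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

#define MAX_PAYLOAD 64   /* fixed-size buffer the caller hands in */

/* Minimal field extractors for the illustration; not a general JSON parser. */
static long json_int_field(const char *json, const char *key)
{
    char pat[64];
    snprintf(pat, sizeof pat, "\"%s\":", key);
    const char *p = strstr(json, pat);
    if (!p) return -1;
    p += strlen(pat);
    while (*p == ' ') p++;
    if (!isdigit((unsigned char)*p)) return -1;   /* also rejects "-5" */
    return strtol(p, NULL, 10);
}

static const char *json_str_field(const char *json, const char *key, size_t *len)
{
    char pat[64];
    snprintf(pat, sizeof pat, "\"%s\":\"", key);
    const char *p = strstr(json, pat);
    if (!p) return NULL;
    p += strlen(pat);
    const char *end = strchr(p, '"');
    if (!end) return NULL;
    *len = (size_t)(end - p);
    return p;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* VULNERABLE: believes the sender-supplied "len". If len > MAX_PAYLOAD the loop
 * writes past out[]; if the hex string is shorter than 2*len it reads past the
 * message. Either is a memory-safety bug reachable from a single message. */
int decode_message_vulnerable(const char *json, uint8_t *out)
{
    size_t hexlen;
    long len = json_int_field(json, "len");
    const char *hex = json_str_field(json, "payload", &hexlen);
    if (len < 0 || !hex) return -1;
    for (long i = 0; i < len; i++)                  /* no bounds check at all */
        out[i] = (uint8_t)((hexval(hex[2 * i]) << 4) | hexval(hex[2 * i + 1]));
    return (int)len;
}

/* HARDENED: every length that came off the wire is checked against both the
 * destination capacity and the bytes actually present before any write. */
int decode_message_safe(const char *json, uint8_t *out, size_t out_cap)
{
    size_t hexlen;
    long len = json_int_field(json, "len");
    const char *hex = json_str_field(json, "payload", &hexlen);
    if (len < 0 || !hex) return -1;                 /* malformed wrapper */
    if ((size_t)len > out_cap) return -2;           /* declared len > buffer */
    if (hexlen != 2 * (size_t)len) return -3;       /* declared len != actual */
    for (size_t i = 0; i < (size_t)len; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -4;            /* not hex */
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)len;
}

int main(void)
{
    uint8_t buf[MAX_PAYLOAD];
    /* Constructed sample messages: one honest, one with an oversized length. */
    const char *ok  = "{\"len\":3,\"payload\":\"414243\"}";
    const char *bad = "{\"len\":4096,\"payload\":\"00\"}";
    int n = decode_message_safe(ok, buf, sizeof buf);
    printf("honest message: %d bytes, first byte %c\n", n, buf[0]);
    printf("oversized message: rc=%d (rejected before any write)\n",
           decode_message_safe(bad, buf, sizeof buf));
    return 0;
}
```

The point is not the particular check but that the hardened decoder refuses to write a single byte until the declared length, the buffer capacity and the bytes actually received all agree; the vulnerable one never compares them. In a memory-safe language the oversized case would throw an exception instead of corrupting memory, which is the comment's argument for not doing this work in C.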

Comment: Re:Just y'know... reconnect them spinal nerves (Score 1) 207

by Paradise Pete (#49146409) Attached to: Surgeon: First Human Head Transplant May Be Just Two Years Away

The problem, even with a spinal cord cut intentionally and carefully, is that the surgeon has no way to know what connections in the head go to what connections in the body.

It sounds like he's simply hoping it all sorts itself out somehow. Or maybe that the brain could eventually remap everything. Seems unlikely. Especially within two years.

Comment: Re:New design (Score 1) 90

by Paradise Pete (#49145063) Attached to: 3D Printers Making Inroads In Kitchens

Soulskill, thank you for letting us know, and for the effort.

Some problems I am having:

  • I can't get to my account settings. Right now I get a pop-up of article category choices.
  • I can't post to a story that I posted to yesterday. This has actually been true for some time. I get a "you can't post to this page" message. Perhaps it is due to some issue with the ISP's invisible proxy? This means I can't ever follow up when I get a reply.

Comment: Re:Mostly right. (Score 1) 672

by rjh (#49130731) Attached to: Bill Nye Disses "Regular" Software Writers' Science Knowledge

I'm not rejecting Noether's theorem -- I'm rejecting temporal invariance. Spacetime is dynamical, therefore not invariant, etc., etc.

You can definitely torture the definitions of words until you reach a kind of invariance, but I feel this creates more problems than it solves. Better to just say, "conservation of energy only holds true for static backgrounds."

See Sean Carroll's "Energy Is Not Conserved" blogpost for a more detailed explanation. He convinced me to stop talking about the energy of the gravitational field as the escape hatch for conservation. :)

Comment: Your own humanity (Score 1) 688

by rjh (#49130349) Attached to: Ask Slashdot: Terminally Ill - What Wisdom Should I Pass On To My Geek Daughter?

It's commendable that you want to pass on wisdom. But I suspect your daughter isn't going to miss your wisdom anywhere near as much as she's going to miss you. What is it that makes you so uniquely you?

For example: I have some really strong memories associated with science fiction, particularly Poul Anderson's Tau Zero. So I might record myself reading Tau Zero, and whenever I reached a passage that really resonated with me I might go into a long digression about why it resonated with me, and things in my life and history that also strike that same thematic note. By the end of it, she would know not only that I loved Tau Zero, but she'd know a lot more about me and why I loved it and why it spoke to me and why, with only six good months left, I'd choose to spend six hours of it recording it for her.

Wisdom is overrated. It really, truly is. It's valuable but it's not the best thing out there. And I say that as the son of a father who has the keenest mind I've ever known, a guy who has enormous life experience and wisdom and has shared it with me freely throughout my life. If-and-when he goes, I'll miss his wisdom a lot. But I'll miss him more.

The most important gift you have to pass on to your daughter isn't your wisdom. It's you.

Comment: Yes and no (Score 1) 300

by jd (#49129871) Attached to: Moxie Marlinspike: GPG Has Run Its Course

First, the complexity of the engine shouldn't matter. You will never get the bulk of users out there to use, or care about, the real power of the engine. They don't want to mess with the engine. The engine should be under the hood, in a black box, whatever engineering metaphor you want. Users just want things that work.

I remember way back when I was at university. There were various absolute rules for good software engineering. The first was that the user should be presented with a must-read manual no longer than one paragraph. Tips and tricks could be more extensive, but that one paragraph was all you needed.

The second was that the user absolutely must not care about how something was implemented. In the case of encryption, I take that to mean, in the case of e-mail, that the engine should not be visible outside of configuration. A supplied key should trigger any behind-the-scenes compatibility mode or necessary configuration to talk to that user. If the keys the user has aren't suitable to correspond with that person, the system should ask if one is needed and tie it to that protocol.

There should be no extra controls in e-mail, except at an advanced user level. If a key exists to correspond with a user, it should be used. If a key exists for inbound e-mail, the key should be applied. The process should be transparent, beyond getting passwords.

Any indexes (particularly if full indexes) should be as secure as the message; good security practices on both will take care of any issues.

Ideally, you want to have the same grades of authentication as for the early certification system, adapted to embed the idea that different people in the web of trust will have done different levels of validation and will be trusted to different degrees. The user should see, but not have to deal with, the level of trust.

Last, GnuPG is probably not the system I'd use. Compatibility cruft needs to be as an optional layer and I'm not confident in implementation.

There should be eight main libraries - public key methods, secret key methods, encryption modes, hashes (which encryption modes will obviously pull from), high level protocols, key store, index store and lacing store. (Lacing is how these are threaded together.) The APIs and ABIs to those libraries should be standardized, so that patching is minimally intrusive and you can exploit the Bazaar approach to get the best mix-n-match.

There should also be a trusted source in the community who can evaluate the code against the various secure and robust programming standards, any utilized theorem provers and the accepted best practices in cryptography. Essentially replicate the sort of work NIST does, but keeping it open and keeping it free of conflict of NSA interest.

Comment: Re:When groups like this attack you... (Score 0) 97

I think the Gemalto response seems reasonable, actually. The documents suggest they weren't doing anything more sophisticated than snarfing FTP or email transfers of key files, which Gemalto say they started phasing out in 2010. And the documents themselves say they weren't always successful.

NSA/GCHQ are not magic. They do the same kind of hacking ordinary criminals have been doing for years, just more of it and they spend more time on it. If Gemalto are now taking much better precautions over transfer of key material and the keys are being generated on air gapped networks, then it seems quite plausible that NSA/GCHQ didn't get in. Not saying they could NEVER have got in that way, but these guys are like anyone else, they take the path of least resistance.

Besides, it's sort of hard for them to do something about a hypothetical hack of their core systems that they can't detect and which isn't mentioned in the docs.

Comment: Re:Same error, repeated (Score 4, Informative) 300

by pthisis (#49126393) Attached to: Moxie Marlinspike: GPG Has Run Its Course

"Why use gpg instead of s/mime, which has native support in most e-mail programs, with no need for plugins?"

S/MIME relies on centralized key servers or opens itself to man-in-the-middle attacks. You can hand-authenticate individual CAs with some effort, but there's no equivalent to PGP's web of trust. And CAs are single points of failure, making them extremely desirable points of attack.

Marlinspike, of course, has developed his own proposed solution to the CA problem: http://en.wikipedia.org/wiki/C... It's up to the reader whether this contributes to his credibility on the issue because he knows what he's talking about and has taken the time to contribute code to help fix the problem, or whether he's someone with his own personal dog in the fight and hence has an ulterior motive in denigrating PGP's trust model.
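As an added example serving both pthisis's point about the web of trust and jd's remark above that different people in the web will have done different levels of validation and be trusted to different degrees, here is the classic PGP validity calculation over a small constructed keyring. This is illustration code, not GnuPG's; the thresholds it assumes (one fully trusted or three marginally trusted certifiers make a key valid, chains of at most five hops from the user's own key) are GnuPG's defaults, and the key names and certifications are made up.

```c
/* Added example (not GnuPG's code): the classic PGP web-of-trust validity
 * calculation over a small constructed keyring.  Assumed parameters follow
 * GnuPG's defaults: 1 full or 3 marginal certifiers make a key valid, and the
 * chain from the user's ultimately trusted key is at most 5 hops long. */
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 16
#define COMPLETES_NEEDED 1
#define MARGINALS_NEEDED 3
#define MAX_CERT_DEPTH 5

/* Ownertrust: how far the user trusts this key's owner to certify others.
 * Set by the user, independent of whether the key itself is valid. */
enum ownertrust { TRUST_UNKNOWN, TRUST_MARGINAL, TRUST_FULL, TRUST_ULTIMATE };

struct key  { const char *name; enum ownertrust trust; };
struct cert { int signer, signee; };   /* keys[signer] certified keys[signee] */

/* Fills valid[] (1 = key is believed to belong to its named owner) and returns
 * how many keys are valid.  A certification only counts if the signer's key
 * was already valid in the previous round, so each round is one more hop. */
int compute_validity(const struct key *keys, int nkeys,
                     const struct cert *certs, int ncerts, int valid[MAX_KEYS])
{
    int prev[MAX_KEYS], count = 0;
    for (int i = 0; i < nkeys; i++)
        valid[i] = (keys[i].trust == TRUST_ULTIMATE);   /* depth 0: our own key */

    for (int depth = 1; depth <= MAX_CERT_DEPTH; depth++) {
        int changed = 0;
        memcpy(prev, valid, sizeof(int) * nkeys);       /* only use last round's results */
        for (int t = 0; t < nkeys; t++) {
            if (prev[t]) continue;
            int full = 0, marginal = 0;
            for (int c = 0; c < ncerts; c++) {
                int s = certs[c].signer;
                if (certs[c].signee != t || s == t || !prev[s]) continue;
                if (keys[s].trust >= TRUST_FULL) full++;
                else if (keys[s].trust == TRUST_MARGINAL) marginal++;
            }
            if (full >= COMPLETES_NEEDED || marginal >= MARGINALS_NEEDED)
                valid[t] = changed = 1;
        }
        if (!changed) break;
    }
    for (int i = 0; i < nkeys; i++) count += valid[i];
    return count;
}

/* Constructed sample keyring (hypothetical names). */
static const struct key sample_keys[] = {
    {"me", TRUST_ULTIMATE},    {"alice", TRUST_FULL},     {"bob", TRUST_MARGINAL},
    {"carol", TRUST_MARGINAL}, {"dave", TRUST_MARGINAL},  {"erin", TRUST_UNKNOWN},
    {"frank", TRUST_UNKNOWN},  {"mallory", TRUST_UNKNOWN}, {"grace", TRUST_UNKNOWN},
};
static const struct cert sample_certs[] = {
    {0, 1}, {0, 2}, {0, 3}, {0, 4},   /* I certified alice, bob, carol, dave */
    {1, 5},                           /* alice (full) certified erin */
    {2, 6}, {3, 6}, {4, 6},           /* bob, carol, dave (marginal) certified frank */
    {2, 7},                           /* only bob certified mallory: 1 marginal < 3 */
    {5, 8},                           /* erin is valid but has no ownertrust: grace stays invalid */
};
#define N_SAMPLE_KEYS  (int)(sizeof sample_keys  / sizeof sample_keys[0])
#define N_SAMPLE_CERTS (int)(sizeof sample_certs / sizeof sample_certs[0])

/* Validity of one named key in the sample keyring: 1 valid, 0 not, -1 unknown name. */
int sample_valid(const char *name)
{
    int valid[MAX_KEYS];
    compute_validity(sample_keys, N_SAMPLE_KEYS, sample_certs, N_SAMPLE_CERTS, valid);
    for (int i = 0; i < N_SAMPLE_KEYS; i++)
        if (strcmp(sample_keys[i].name, name) == 0) return valid[i];
    return -1;
}

int sample_valid_count(void)
{
    int valid[MAX_KEYS];
    return compute_validity(sample_keys, N_SAMPLE_KEYS, sample_certs, N_SAMPLE_CERTS, valid);
}

int main(void)
{
    for (int i = 0; i < N_SAMPLE_KEYS; i++)
        printf("%-8s %s\n", sample_keys[i].name,
               sample_valid(sample_keys[i].name) ? "valid" : "NOT valid");
    return 0;
}
```

Two things the run makes visible that the prose only asserts: there is no single root whose compromise validates every key (mallory stays invalid despite a genuine certification from a valid key, because one marginal certifier is not enough), and validity and trust are separate axes (erin's key is valid, but since the user assigned her no ownertrust, her certification of grace counts for nothing). A CA hierarchy collapses both decisions into the one root certificate.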
