Please create an account to participate in the Slashdot moderation system


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:Would it matter? (Score 1) 576

These are two different assumptions. What if FTL-using civilizations exists, and What if these civilizations also moved to world-constructing stage of technology.

What I'd ask you in turn - what a civilization that can construct and move planetoids hundred miles across would want with our dirtball?

Comment: Re:No surprise... (Score 2) 114

by sinij (#49088729) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk
First, there is no such thing as perfectly secure information system. The best we could do is mitigate identified risks. The best any standard could do is specify how to mitigate specific risks.

In case of NIST CAVP (part of FIPS testing most people are familiar with), the risk they are mitigating is that cryptographic algorithm you are using is flawed in some way. This certification program is hugely successful, there are robust standards and specs, and hardly anyone these days end up with bad algorithms because free certified reference implementations and free testing vectors were made available.

Second, different aspects of FIPS program focus on different risks. For example, at higher certification levels (e.g. CMVP FIPS 140-2 Level 3 or 4) the program provides very robust and comprehensive assurance that both algorithm and methods of use of these algorithms within cryptographic module is secure. I am too lazy to dig through the specs, but I am positive that at level 3 it explicitly examines key storage. The flaw with FIPS is actually opposite of what you state - the level of scrutiny ramps up so rapidly that it is impossible to satisfy it only with a software implementation at above level 2. As a result, overwhelming majority of certifications are against lowest tiers that are limited in scope.

Now, people look at CAVP certification (algorithm testing for software product) and make ignorant statement that the ENTIRE FIPS PROGRAM is ineffective. Even when it is very evident that it accomplishes exactly what it promised to do. To leave you with an example - PCI (payment transactions) requirements cap at FIPS 140-2 level 3. This is stuff that touches MONEY! FIPS 140-2 level 4 is spook-level robust, they even have a requirement to trip zeroization if you attempt to freeze or x-ray the chip.

Comment: Re:This is a general problem (Score 1) 114

by sinij (#49087987) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk
Cryptography knowledge in software development is very shallow. Most only know to integrate OpenSSL (without FIPS module). Ask them about entropy, and they start talking about the heat death of the universe. Even Linux kernel guys, who otherwise tend to be knowledgeable, would tell you that /dev/urandom is a desirable and secure choice.


Comment: Re:No surprise... (Score 3, Insightful) 114

by sinij (#49087887) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk
FIPS is not a joke - it ensures that that your cryptographic algorithms are implemented correctly and meet the standard. So you don't generate matching private/public keys or all 0 keys and other preventable but non-obvious to people outside of crypto mistakes. FIPS does not guarantee that you use these algorithms intelligently, there are other certifications that do that.

Comment: Re:FTFY (Score 2) 114

by sinij (#49087611) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk
Yes, clearly what John Matherly did was by far more harmful than idiotic design decisions that resulted in such unforgivable "barn doors open" security holes. Because if he didn't disclose this vulnerability, nobody else would have found it and everyone would still be perfectly safe.


Comment: Re:No surprise... (Score 5, Insightful) 114

by sinij (#49087581) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk
Government already demands product certification (e.g. FIPS), it is time corporate and individual consumers started doing the same. We expect our power supplies to not electrocute us, there is a certification program to ensure that is the case, why is when it comes to data security we are so lax?

Comment: Re:Would it matter? (Score 1) 576

Why do you assume "thousands M1 tanks" would be available? Even for advanced space-faring species there would be some logistical constrains. They will have to bring "thousands M1 tanks" along with them across the stars. Much better question would be, could a couple modern tanks, some drones, a helicopter or two, and maybe a nuke win WWI against BOTH sides? Clear answer is no, not unless one of the sides decides to ally with the invaders.

Comment: Re:The most insecure OS in the world (Score 2) 136

by sinij (#49038729) Attached to: Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug
Yes, but GPP did not specify "a production desktop platform". My point was that blanket "X OS is the most insecure" statements are largely pointless. With enough effort and expertise you could secure any OS, or you could exploit any OS, even when airgaped. With enough ignorance you could misconfigure even the most secure OS. The devil is in the details.

The clearest way into the Universe is through a forest wilderness. -- John Muir