
Comment: Re:Why do companies insist on producing shit ? (Score 2) 63

It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product? Were they duped by someone they hired and led to design an insecure product? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution?

I don't think that the problem is difficult in some fundamental way (the problem of verifying a remote host with asymmetric crypto has been reasonably well explored with SSL/TLS, and an access control system has the advantage of being able to trust only a CA it controls, and the advantage that you need to get physical access to an RFID reader pad to attempt attacks); but there are significant practical challenges.

RFID chips are pretty power constrained, since they only get whatever energy they can scavenge from the reader's RF output; and customers want them to be cheap. The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).

It isn't so much a 'there is no known cryptographic solution to this problem' issue as a 'Why yes, we still have major customers using the 'security' provided by the lousy proprietary cryptosystem that our engineers were able to cram into a cheap, power-constrained chip using the fab processes available in the mid to late 90s, and we really don't want to fix that' issue.

Comment: Re:If you can't do, sue! (Score 1) 63

Most of the world knows that security is fleeting, and those that depend on the law to preserve obscurity are the most fleeting of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

Aside from pure cultural dysfunction (of the sort that causes even some software companies to threaten the people who do free security testing for them, and even offer them time to fix bugs before releasing the proof of concept), the issue is that HID and friends are closer to locksmiths than to software companies.

RFID (and non-standardized but conceptually similar contactless short range RF fobs and slightly longer range button-cell-powered keyless entry systems) tends to be painfully computationally limited, since the tags need to be cheap and need to work on a tiny power budget. The older ones are even worse, of course, since they had less efficient silicon fabrication options to work with. For the same reason, such devices aren't usually little microcontrollers with flashable software; but mostly or entirely fixed-function implementations of crap proprietary crypto systems. Depending on when the corresponding card readers and access control stuff was installed, and what the customer picked, those parts of the system may also be hard to upgrade without ripping them out and replacing them (and, since this is a physical security issue, the readers are more likely to be embedded in walls/bolted to stuff/otherwise tied down and hardwired, so it won't just be swapping out a bunch of desktops).

Because upgrading in-software/firmware is often difficult or impossible, and upgrading involves ripping out hardware that was supposed to have years of service life, HID and friends really don't want to hear about it. They'd much rather just try to tamp down public awareness of the issue, hope that there are no high-profile breaches of customers capable of suing them, and pretend it isn't a problem until the flawed parts have aged out.

As much as it's a repulsive, dishonest, and definitely-unworthy-of-support-by-the-courts tactic, it must be admitted that plenty of known-broken lock designs continue to more-or-less do their jobs (if attackers are still forcing doors rather than just picking locks, the lock is apparently still effective) for years after their weaknesses become public knowledge, so it is entirely probable that various HID access fobs will quietly age out without any major incidents. No need to threaten the researchers about it, though.

Comment: Re: Most hated character flaw (Score 1) 63

Incidentally, while iced coffee is refreshing and invigorating, you can also get refreshing and relaxing by icing Irish coffee. I don't think I've ever seen the option on a menu; but I was pleasantly surprised by the effectiveness of the experiment; and a place that offers Irish coffee will usually be willing to put some over ice on request.

Comment: Re:Bigger fuckup than John Akers (Score 1) 79

by Kjella (#48187177) Attached to: IBM Pays GlobalFoundries $1.5 Billion To Shed Its Chip Division

3) Contractual obligations/customer relations: in the enterprise world people build systems they expect to last many, many years and not have the parts disappear on a whim. Which is why Intel has launched Itaniums as late as 2012; whoever they suckered into buying it will get time to bail out. Don't underestimate the value of grudges in the enterprise; any executive who gets burned by IBM ditching it fast and dirty will be their enemy when the next big consulting/outsourcing contract rolls around.

Comment: Re:Unity is rubbish. Systemd is rubbish (Score 3, Interesting) 103

by Kjella (#48186319) Attached to: Ubuntu Turns 10

Except they're not chasing the mainstream, they're chasing the hype wave of Apple/Google/Microsoft trying to be the "big next thing" instead of what is actually mainstream today with Win7/OS X. Instead of picking a market and staying on target to finish the job they still haven't finished on the office desktop from 1999 or the laptop from 2004 or smartphone from 2009 or tablet from 2014. And at this rate I don't think Ubuntu will stay in one place long enough to be relevant to anyone outside the ~1% of the desktop market Linux owns today.

Comment: Re:Eh (Score 1) 192

by fuzzyfuzzyfungus (#48185043) Attached to: The Woman Who Should Have Been the First Female Astronaut
At this point, I'd be tempted to make any would-be astronaut pass the 'n months in standby and hard vacuum before the signal from mission control wakes you up' test, because Our Robot Overlords have gotten considerably better; but it'd be no worse, and possibly better, than the John Glenn launch a few years back.

Comment: Re:That's absurd, aim your hate cannon elsewhere. (Score 3, Interesting) 305

by fuzzyfuzzyfungus (#48183517) Attached to: If You're Connected, Apple Collects Your Data

People love to hate Apple. It's a thing. Also, is there any evidence this data is not anonymised by Apple?

'Anonymised' is mostly a weasel word. It isn't always impossible; but the more interesting the dataset is, the more likely it is that there's a clever re-identification attack with good odds of success. If you are serious about preventing those, you tend to have to nuke the data so hard that they aren't of much interest anymore.

Unless robustly demonstrated to the contrary, it's an essentially worthless claim.

Comment: Re:Overly broad? (Score 3, Insightful) 406

by fuzzyfuzzyfungus (#48182003) Attached to: Soda Pop Damages Your Cells' Telomeres
I'd go with 'no' and 'no'. Yes, the end goal is to discover the cause, the mechanism, and the effect as precisely as possible; but the universe of possibilities is absurdly gigantic, easily larger than you could ever afford to study.

So what do you do? You start by trying to cut the search space into more manageable chunks with this sort of study, which doesn't provide the level of precision you ultimately want; but can (relatively) cheaply and easily provide some leads on what is worth looking at in greater detail and what isn't.

Comment: Re:Is D3D 9 advantageous over 10? (Score 1) 52

by Kjella (#48178539) Attached to: Direct3D 9.0 Support On Track For Linux's Gallium3D Drivers

Games only started using D3D 10/11 *very* recently -- the back catalog this could enable is huge, and D3D 9 games are still coming out today. I'd say it's very important to support.

Bullshit. Almost all games have had a D3D 9 rendering path since XP has been so massively popular, but a whole lot of games have taken advantage of D3D 10/11 where it's been available. It's very important to the number of games you can run on Linux, but it does not represent the state of the art. Speaking of which, WINE's support of D3D 9 through OpenGL has been pretty good. Or rather my impression has been that if they can figure out what DirectX is doing, there's usually a fairly efficient way of doing it in OpenGL. The summary tries to paint it as if OpenGL has been a blocker to DirectX support; my impression is quite the opposite. A Gallium3D implementation is closer to the hardware and "more native" than a DirectX-to-OpenGL translation layer, but while it might boost performance a little it won't fundamentally support anything new.

Comment: Re:Why Cold Fusion (or something like it) Is Real (Score 1) 342

by Kjella (#48173869) Attached to: The Physics of Why Cold Fusion Isn't Real

Does he mean a transient reaction in the test set-up that produces the byproducts of fusion, but not long enough to generate useful power?

A transient reaction that can't be reliably reproduced despite recreating the same conditions to the best of our ability. Which might be because the conditions necessary are so extremely specific that they only got them right once by accident or because of some contamination or malfunction that somehow produced the necessary conditions yet attempts to recreate them fail. Or the results of the initial experiment were wrong, but here they've clearly put their desire to believe it was real over their good judgement.

Comment: Re:But the ID shouldn't have to be secret (Score 1) 59

by Kjella (#48173721) Attached to: South Korean ID System To Be Rebuilt From Scratch After Massive Leaks

Except authentication is usually not username+password or digital signature, it's identification+official paper saying you're that person. Everywhere you use your passport, driver's license or any other photo ID you're relying on three things:

1) The difficulty of acquiring the information to be on the card
2) The difficulty of forging the card
3) The difficulty of fooling the issuers into producing a fake card

The last one is often a sneaky one: with enough ID info you might trick one of them into believing you've lost your ID and issue a new one. But there are enough direct fakes too; if they have the necessary information, that's half the way.

