
Comment: Re:Duh (Score 1) 23

by thegarbz (#49352545) Attached to: 'Bar Mitzvah Attack' Plagues SSL/TLS Encryption

Well part of the problem is screwing backwards compatibility with older clients. I mean I personally have secured my website with SSL to the nth degree, but I can't even access it with IE8/9 on a Vista machine and that's a browser. Imagine the amount of older software that wouldn't work if we removed every cipher on a whim.

Comment: Re:Yes, but.... (Score 1) 252

by thegarbz (#49349977) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

What about the sites that restrict the length of the password? The only thing I have to say to them is, "You're doing it wrong".

There is something deeper behind this. There is no technical reason why password length should be restricted as the resulting hashes are the same length effectively. Every time I see a max password length I can't help but wonder if the reason is limited space in a database column and that some braindead idiot is storing the passwords in plaintext.

Every time I come up with a password that has a maximum entry I ensure I use a strictly unique password.
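The fixed-width hash record the comment above refers to, as an added example that is not part of the original post: PBKDF2-HMAC-SHA256 (chosen because it does not truncate long input) turns a 7-character password and a 500-character passphrase into records of exactly the same length, so the storage column is sized by the hash format, not the user's input. Parameter values are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the example; tune iterations to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output length


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iter$salt_hex$hash_hex'.

    The record width depends only on the algorithm parameters, never on the
    password length, so a column sized for this format needs no input cap.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:  # malformed record: wrong number of fields
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=len(hash_hex) // 2,
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def record_length(password: str) -> int:
    """Width of the stored record for a given password (same for any input)."""
    return len(hash_password(password))


if __name__ == "__main__":
    short = "hunter2"
    long_phrase = "correct horse battery staple " * 20  # roughly 580 characters
    print(record_length(short), record_length(long_phrase))  # identical widths
    rec = hash_password(long_phrase)
    print(verify_password(long_phrase, rec), verify_password(short, rec))
```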

Comment: Re:Duh (Score 4, Informative) 23

by thegarbz (#49349955) Attached to: 'Bar Mitzvah Attack' Plagues SSL/TLS Encryption

The flaws in RC4 have been known about for a long time but were thought irrelevant in the scheme of SSL/TLS, to the point where RC4 was the preferred cipher suite only a few years ago, as it was one of the few that were able to mitigate the BEAST attack. So the GP's comment that there's no surprise since RC4 has been known to be weak for a decade isn't quite the full story.

It was only in 2013 that RC4 became strictly taboo for use in SSL/TLS, with the exposure of new exploitable vulnerabilities on top of the several previous weaknesses identified, and last month RFC7465 effectively banned the cipher's use in TLS.

Comment: Re:Never going to happen (Score 5, Insightful) 137

That's the thing about harmonisation of disparate markets: for every simple example of a drawback someone will come up with an example of an improvement. Regulations typically don't just magically appear, but are rather a reaction (often a knee-jerk reaction) to a specific problem. Your example is good because it highlights some serious issues on both sides. For instance the increased overhead now placed on farmers, but at the same time the increased assurance given to the customers and the government that everything is done as it should be. I.e. you know the bottle was cleaned properly before you used it, the government knows the measured quantity of goods changing hands for taxation purposes. The poor may be hard done by, but they are also the ones reasonably protected.

Now this may or may not be the case here, but in a general sense this is where these ideas often come from.

Comment: Re:caveat emptor (Score 1) 264

This notion that people have perfect access to information to make perfect choices is completely bullshit when the only sources they have available to them are dishonest

I would go one step further. I don't believe we have perfect access to information in the west. Nothing is without bias, even if it's the unintentional bias introduced by human behavior in a perfect review system, e.g. 10 dissatisfied customers will speak out for every 1 satisfied customer which dramatically skews review systems.

Perfect information does not exist in the West even with lots of access.

Comment: Re:Do It, it worked in AZ (Score 1) 860

by thegarbz (#49341717) Attached to: Gen Con Threatens To Leave Indianapolis Over Religious Freedom Bill

you're in favour of slavery

Nice try, but being subject to non-discrimination is not the same as slavery. Slavery would be forcing the printer to do something that he wouldn't otherwise do for anyone else under the same conditions. If the picture of George Washington is the same when given by the KKK member as it is the local black kid, then forcing you to do business with one and not the other is nothing at all like slavery.

Comment: Re:Hmmm (Score 1) 259

by thegarbz (#49341679) Attached to: RadioShack Puts Customer Data Up For Sale In Bankruptcy Auction

It's not my responsibility to keep up with internal corporate policies for retailers.

And in that regard there's no responsibility placed on you, but if someone has gone to reasonable effort to make you aware of their policies before you enter then by entering you are in fact bound by them. I.e. a sign at the door saying your bag will be searched on the way out. I'm not sure exactly where you live but this type of condition has been enforced legally in every country where it's been used.

Comment: Re:Hmmm (Score 1) 259

by thegarbz (#49341669) Attached to: RadioShack Puts Customer Data Up For Sale In Bankruptcy Auction

Nope. I paid for the products and they have no right to search me.

Actually the law disagrees with you depending on what efforts the store went to to inform you that you will be searched on the way out.
If they did inform you with for instance a sign on the doorway on the way in, then your rights end with choosing not to go in the store.

You only ever need a choice. But the choice only needs to be provided once with reasonable notice.

Comment: Re:LEGO$ (Score 4, Insightful) 51

This. Well sort of. At least they are still putting personal effort in, but it does kind of remind me of the gigapixel war of a few years ago.

The first gigapixel photo was made by amateurs who used their own cameras, built their own motorised tripod, wrote a lot of custom software to handle the stitching, let their PCs slave away for weeks on the processing, and were hailed as pioneers.
The second, significantly larger gigapixel photo was made by amateurs using camera gear gifted by Sony, off-the-shelf software, and processed on computers gifted by Microsoft in return for displaying the result in a Silverlight web app that ran from Microsoft's servers. Then they proclaimed how awesome they were.

It's a good effort they've gone to, but I don't see the $100000 investment in the result and somehow I get the feeling they could probably have achieved similar with less, or quite possibly even did achieve it with less and the money is just the book value.

Comment: Re:Google wants a monopoly... (Score 1) 133

by thegarbz (#49334177) Attached to: Chinese CA Issues Certificates To Impersonate Google

this is about China and spying on their own citizens.

Yes, but this doesn't fit in with any of China's other methods, which block Google completely at the Great Firewall. All software that bypasses the firewall does so via proxy or VPN and uses public DNS, so you wouldn't even end up intercepting the connection to use the certificate.

If this was done with the intention of spying on citizens then it won't amount to much at all.

Comment: Re:Are the CAs that do this revoked? (Score 1) 133

by thegarbz (#49334171) Attached to: Chinese CA Issues Certificates To Impersonate Google

Similar for HTTP/2.0, which in large part is based on SPDY, and written largely by the same people.

Except for the bits which would suit your argument. HTTP/2.0 does not mandate encryption of any kind, and that was one of the biggest complaints in Slashdot discussions on the topic in the past.