
Comment Everyone has a RIGHT to vote, or sing. I shouldn't (Score 1) 496

> If there's no universal natural right to have an equal voice, there's no point to any of this discussion.

Every citizen has a *right* to vote. They also have the right to sing. I shouldn't sing publicly, because I'm a terrible singer. You would be foolish to encourage me to sing for everyone.

Comment That would be good, not bad (Score 4, Insightful) 496

Over half of Americans don't know who the vice president is. That's how interested many of us are in policy and the political process. A supermajority can't distinguish the Republican platform from the Democrat platform when it is handed to them with the party name redacted.

I don't have my car fixed by someone who doesn't know what an "engine" is, I don't have dental cavities filled by someone who can't point to my bicuspids, and I don't want national policy decided by people who don't recognize the name "Mike Pence", nor know how many senators there are.

> I think it's clear that if you want representative democracy to work and be considered legitimate, you need fewer barriers to voting, even if people like you think a DMV visit is reasonable.

And that's the reason the founders created a republic, not a democracy. The federal budget isn't American Idol. If you're not interested enough in participating in society to either have a driver's license or swing by and pick up a (free) ID, maybe you're not the person who should be deciding federal law and other national policy, based on "I heard he was born in Africa" or "because she's a woman". Maybe the decisions of national policy SHOULD be made by people who have enough interest to do more than "text your vote to 1-800-bumper-sticker".

Comment That's the topic, not the patent (Score 5, Insightful) 57

Each patent has a couple pages describing *exactly* what is patented and how it's different from what was done before (prior art).

They didn't patent the concepts mentioned in the summary. Slashdot summaries often mention the general topic or concept that a patent is *related to*, phrased in a way that makes it sound like someone patented the whole concept. That's not how patents work. For example, with a video cassette (vcr) you can pause it in one device, then take it to another VCR and resume watching. Nobody can patent that idea, and their patent calls out how their invention is different from what has been done before.

If you read (part of?) any of the patents and see one that seems like it was obvious at the time (not in retrospect) I'd be curious to see it. There may be one, but don't think that just because the TOPIC mentioned in the Slashdot summary is obviously interesting, that means their invention was interesting. When Slashdot says "Space X patents rocket guidance system" that means they patented something they invented that has to do with guiding rockets; it doesn't mean they patented the idea of rocket guidance in general.

Comment Didn't have to bribe anyone to break every DRM (Score 1) 348

Companies have spent hundreds of millions of dollars trying to encrypt this and that, from various forms of DRM to game consoles and locked bootloaders. It ALWAYS gets broken, sometimes shortly *before* the product is released. No need to bribe anyone; security is just hard because breaking things is easier than making things. It's a fact that if people can make it, people can break it.

Comment Not when it's horribly exaggerated (Score 1) 233

If Microsoft released an update that required two key presses to fix and some moron claimed in the headline that it "bricked" computers, we'd have a chorus of people saying "the author is an idiot. That's not bricked.". I imagine we'll get the same response today.

It's like most of MD Solar's submissions. There may be a kernel of truth somewhere in them, but they are so wildly exaggerated that the appropriate response is an outpouring of derision for the misleading articles and headlines, not hunting for some hint of something kinda true among the bullshit.

Comment Not theoretically possible (selector IS a mitm) (Score 1) 214

> Looks like it's time to somehow wrap that handshake before moving onto the "I'd like to talk to XYZ site" and adopting that one's certificate.

I guess I wasn't clear about that point in my post. The thing that selects which certificate (which site) IS a man-in-the-middle. So you can't do that while protecting from man-in-the-middle.

Perhaps the best you can do is through some other, out-of-band secure channel, publish a list of which men in the middle are allowed. So you'd have a DNS record (DNSSEC signed) saying "traffic to PayPal.com may be intercepted by webserver47474.rackspace.com".

Note DNSSEC doesn't hide your DNS requests, it only authenticates the replies.

Comment Kerberos 1980s, CHAP (1996) or digest 1997 passwor (Score 0) 121

> a "password in a file" would be the private key, but even that isn't really a good comparison, because you never transmit your private key

Since at least the 1980s (Kerberos) and dial-up modems used CHAP in 1996, you can authenticate via a password without transmitting the password.

There are even better algorithms that use passwords, without transmitting or storing them on the server. For example, the server can store a salted bcrypt of the password. Upon login, the server generates a random number (the challenge) and sends that to the client, along with the salt the server has chosen for this user. The client then computes and sends:

H(H(Hs(password, salt)), challenge) xor Hs(password, salt)

The server can verify that without having the password transmitted, or stored on the server.

You would be correct to say that *sending plaintext passwords over the network (1970s style)* is much less secure than public keys. You can certainly use passwords without sending them over the network, though - that issue has been solved for decades.

> Plus, even shitty private keys (1024 bits) are way stronger, entropy-wise, than a password so there's that, too.

Much like a LONG password (pass sentence).
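
The exchange described in the comment above, as an added example that is not part of the original comment. It assumes SHA-256 for H, PBKDF2 from the standard library standing in for the slow salted hash Hs (the comment names bcrypt), H(a, b) meaning a hash over the concatenation, and that the server stores H(Hs(password, salt)), which is what the formula needs for verification; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def Hs(password, salt):
    # Slow salted hash. Assumption: PBKDF2 stands in for bcrypt here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def H(*parts):
    # Fast hash; several arguments are hashed as one concatenated string.
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password):
    # Assumption: the server keeps only the salt and H(Hs(password, salt)).
    salt = os.urandom(16)
    return {"salt": salt, "verifier": H(Hs(password, salt))}

def client_response(password, salt, challenge):
    # H(H(Hs(password, salt)), challenge) xor Hs(password, salt)
    k = Hs(password, salt)
    return xor(H(H(k), challenge), k)

def server_verify(record, challenge, response):
    # Undo the XOR with the mask the server can compute from what it stores,
    # then check that the recovered value hashes to the stored verifier.
    k = xor(H(record["verifier"], challenge), response)
    return hmac.compare_digest(H(k), record["verifier"])

if __name__ == "__main__":
    record = enroll("correct horse battery staple")   # constructed sample
    challenge = os.urandom(32)                        # fresh per login
    reply = client_response("correct horse battery staple",
                            record["salt"], challenge)
    print("accepted:", server_verify(record, challenge, reply))
```

In this construction, anyone who holds the stored verifier and observes one exchange can recover Hs(password, salt) with the same XOR the server performs, so the server-side record still needs protecting.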

Comment It bothers me that they CAN (Score 1) 76

Or at least they figured they may as well patch it. Easy patch.

What bothers me more than the overflow in parsing a malicious EK cert is that they CAN patch it, that a BIOS / UEFI update touches this code. Presumably if a BIOS update can fix it, a malicious BIOS update can *create* at least a similar problem, and probably a significantly worse variation. Of course we already knew a malicious BIOS would be bad, but I wouldn't expect it to touch that code.

Comment Close, but no. SNI is (must be) before encryption (Score 1) 214

That's a logical thing to think. Not quite right though.

The reason you couldn't have more than one SSL site on an IP was that the server has to include its certificate in the Server Hello, the first message sent by the server. The client has to validate the certificate (and therefore the server) before it shares encryption keys with some otherwise unknown actor out on the internet somewhere. The certificate has to be validated WAY before the Host: header is sent, so the server had no way of choosing between different certificates for different sites on the same IP.

About ten or twelve years ago we introduced Server Name Indication to solve that problem. With SNI, in the very first message of the TLS handshake (ClientHello) the client says "Hello I'd like to speak to eBay.com, and I can use the following encryption algorithms". That's the FIRST message sent, way before encryption is set up. The server might not even host the site anymore and the client is still going to send out, in plain text "I'm connecting to Lolitas.com", because it can't even know that's the right server without first announcing which name it's looking for. The encrypted session starts several messages later, after the server knows which site's key to use for encryption, and the client has validated that the cert belongs to that site.

Suppose you could somehow make the ClientHello invisible, so nobody can see the client announcing which site name it is connecting to. Eavesdroppers could STILL see the name because it's in the TLS certificate! You have to send the certificate before you can start an encrypted session based on that cert, so there's no way to hide the name even if you changed the TLS protocol, without completely redesigning it to be a completely different protocol altogether.

Comment Need to connect wires to microscopic TPM traces (Score 2) 76

> Is the TPM protected from writing? If not, I assume the certificate can be modified/replaced via software.

No, you cannot write directly to TPM nvram from the OS. The spec says the endorsement key is supposed to be permanently burned in at the factory, but some manufacturers instead support CreateEndorsementKeyPair, which asks the TPM to create a key for itself, if it doesn't already have one. If it already has a key, as it should, CreateEndorsementKeyPair does nothing but return an error code.

To put your own malicious endorsement key in the TPM, you'd need to directly access its NVRAM. The most direct way to do that would be to pull out your scanning electron microscope and connect to the nvram traces on the chip. If some *other* vulnerability allowed full write access to TPM NVRAM, that would be a game changer.

Comment I need the opposite - self-supporting until hit (Score 1) 96

I'd like to find the opposite - something solid enough to be self-supporting at least, until it softens greatly on impact. It's easy enough to find thick liquids that thin under stress (ketchup being one example), but I want it *solid* until it's stressed.

So far the closest I have is floral foam, which crushes easily into a powder.

Comment Trump's public statements aren't tha to understand (Score 5, Interesting) 449

Decades ago, before he got into politics, I studied Trump quite a bit. I read all his books, which explained his thinking although ghost writers wrote the words. I've paid more attention since he started wading into politics and making some outrageous statements. He's not that complicated and his major ideas have been written about extensively.

When he makes public statements, keep in mind he LOVES to get press, he craves publicity. Good press or bad press it doesn't much matter, he just wants to be in the news. Raising his profile both advances his business / agenda and simply feels good for him. There were 16 Republican candidates who were generally more classically qualified than him, yet he got all the attention, and that's a big part of what won him the presidency.

He also loves HUGE, and spectacular! People joke about him always saying everything is going to be "yuge", the biggest, the best ever, and that joke is because he actually does that. He builds hotels huge, with gold plated stuff everywhere. That's his personality. He loves the biggest, the best, going to extremes - and then emphasizing the "yuge" in his PR.

There are a few other things, but those two go a long way to understanding whatever Trump says publicly.

Comment You're confusing orbit with "space" (Score 1) 126

At 60 miles, the air pressure is very low. That doesn't mean you have "limitless time" or any of that. In order to orbit at that altitude, you'd need to be traveling at 20 km/s or so. The Falcon is only going 500 m/s at that altitude. It would need to be going about 40 times as fast for what you said to make sense.
