Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Comment What in the world would make you think that? Wrong (Score 1) 183

> I don't think you grasp why so much weight is in the casing... which is to produce shrapnel.

First, what in the world would make you think I don't know why I build my casings the way I do? Second, you are mistaken about the reason. With a low explosive such as black powder, flash, etc casing thickness is all about the pressure developed. Unconfined, these explosives don't so much as explode as burn quickly. The explosion comes from what's essentially a pressure vessel explosion. The burning composition produces a lot of gas very quickly, which creates a lot of pressure. Eventually it blows like a balloon that's been inflated too far. A weak casing will rupture exactly like a balloon - weakly. A strong casing won't rupture until there is a very high pressure, creating a powerful explosion.

A casing that's TOO strong will waste weight, peel open instead of fracturing, and some point not rupture at all.

Next time you think about correcting you might first ask yourself "do I have a clue what I'm talking about?" When you're considering educating someone about what they do, maybe ask yourself "have I ever even once *tried* doing this? Do I really know better than the people who do this stuff?"

Comment I forgot to subtract fuel weight (Score 1) 183

In my payload estimate I forgot to account for how far they are going. If they take off from the front line, 20 miles away, they'll burn very roughly a kilogram of fuel (could be half that, or twice that). So figure 5kg of payload.

The fuel burn over such long distance for a craft that small will significantly affect CG unless it's carefully designed to have the tank right at the CG. That makes design and flight harder.

Comment Payload around 6kg (13 pounds) (Score 4, Informative) 183

I just designed and built a similar, though smaller plane from scratch. Based on the reported wingspan of three to four meters, we estimate the payload capacity at around 6kg.

Based on my experience with people professional pyro, I'd say that a 6kg weapon using a simple explosive like black powder would be a dangerous item to have laying around the house, but not particularly effective as a military weapon. (Remember most of the weight is the casing, it would be less than a kg of explosive composition.). Modern military explosives are significantly more powerful, and much harder to make, if the people launching these have access to a good supply of military explosives.

Comment You know you can register by mail / internet, righ (Score 1) 498

All that about voter registration. You know you can register by mail, right?

The topic is showing SOME kind of ID when you vote, so we know how many times you voted. In Texas, any of seven different kinds of evidence of ID are accepted. If a person has some reason that they have nothing with their name on it, they can instead sign an affadavit at the polling place attesting to what their name is. Lying on that affadavit to vote under someone else's name is a crime.

So either bring something with your name on it, or sign a sworn statement of who you are.

Comment Everyone has a RIGHT to vote, or sing. I shouldn't (Score 1) 498

> If there's no universal natural right to have an equal voice, there's no point to any of this discussion.

Every citizen has a *right* to vote. They also have the right to sing. I shouldn't sing publicly, because I'm a terrible singer. You would be foolish to encourage me to sing for everyone.

Comment That would be good, not bad (Score 4, Insightful) 498

Over half of Americans don't know who the vice president is. That's how interested many of us are in policy and the political process. A supermajority can't distinguish the Republican platform from the Democrat platform when it is handed to them with the party name redacted.

I don't have my car fixed by someone who doesn't know what an "engine" is, I don't have dental cavities filled by someone who can't point to my bicuspids, and I don't want national policy decided by people who don't recognize the name "Mike Pence", nor know how many senators there are.

> I think it's clear that if you want representative democracy to work and be considered legitimate, you need fewer barriers to voting, even if people like you think a DMV visit is reasonable.

And that's the reason the founders created a republic, not a democracy. The federal budget isn't American Idol. If you're not interested enough in participating in society to either have a driver's license or swing by and pick up a (free) ID, maybe you're not the person who should be deciding federal law and other national policy, based on "I heard he was born in Africa"or "because she's a woman". Maybe the decisions of national policy SHOULD be made by people who have enough interest to do more than "text your vote to 1-800-bumper-sticker".

Comment That's the topic, not the patent (Score 5, Insightful) 57

Each patent has a couple pages describing *exactly* what is patented and how it's different from what was done before (prior art).

They didn't patent the concepts mentioned in the summary. Slashdot summaries often mention the general topic or concept that a patent is *related to*, phrased in a way that makes it sound like someone patented the whole concept. That's not how patents work. For example, with a video cassette (vcr) you can pause it in one device, then take it to another VCR and resume watching. Nobody can patent that idea, and their patent calls out how their invention is different from what has been done before.

If you read (part of?) any of the patents and see one that seems like it was obvious at the time (not in retrospect) I'd be curious to see it. There may be one, but don't think that just because the TOPIC mentioned in the Slashdot summary is obviously interesting, that means their invention was interesting. When Slashdot says "Space X" patents rocket guidance system" that means they patented something they invented that has to do with guiding rockets; it doesn't mean they patented the idea of rocket guidance in general.

Comment Didn't have to bribe anyone to break every DRM (Score 1) 348

Companies have spent hundreds of millions of dollars trying to encryption this and that, from various forms of DRM to game console and locked bootloaders. It ALWAYS gets broken, sometimes shortly *before* the product is released. No need to bribe anyone;security is just hard because breaking things is easier than making things. It's a fact that if people can make it, people can break it.

Comment Not when it's horribly exaggerated (Score 1) 233

If Microsoft released an update that required two key presses to fix and some moron claimed in the headline that it "bricked" computers, we'd have chorus of people saying "the author is an idiot. That's not bricked.". I imagine we'll get the same response today.

It's like most of MD Solar's submissions. There may be a kernel of truth somewhere in them, but they are so wildly exaggerated that the appropriate response is an outpouring of derision for the misleading articles and headlines, not hunting for so hint of something kinda true among the bullshit.

Comment Not theoretically possible (selector IS a mitm) (Score 1) 214

> Looks like it's time to somehow wrap that handshake before moving onto the "I'd like to talk to XYZ site" and adopting that one's certificate.

I guess I wasn't clear about that point in my post. The thing that selects which certificate (which site) IS a man-in-the-middle. So you can't do that while protecting from man-in-the-middle.

Perhaps the best you can do is through some other, out-of-band secure channel, publish a list which men in the middle are allowed. So you'd have a DNS record (DNSSEC signed) saying "traffic to may be intercepted by".

Note DNSSEC doesn't hide your DNS requests, it only authenticates the replies.

Comment Kerberos 1980s, CHAP (1996) or digest 1997 passwor (Score 0) 121

> a "password in a file" would be the private key, but even that isn't really a good comparison, because you never transmit your private key

Since at least the 1980s (Kerberos) and dial-up modems used CHAP in 1996, you can authenticate via a password without transmitting the password.

There are even better algorithms that use passwords, without transmitting or storing them on the server. For example, the server can store a salted bcrypt of the password. Upon login, the server generates a random number (the challenge) and sends that to the client, along with the salt the server has chosen for this user. The client then computes and sends:

H(H(Hs(password, salt)), challenge) xor Hs(password, salt)

The server can verify that without having the password transmitted, or stored on the server.

You would be correct to say that *sending plaintext passwords over the network (1970s style)* is much less secure than public keys. You can certainly use passwords without sending them over the network, though - that issue has been solved for decades.

> Plus, even shitty private keys (1024 bits) are way stronger, entropy-wise, than a password so there's that, too.

Much like a LONG password (pass sentence).

Comment It bothers me that the CAN (Score 1) 76

Or are least they figured they may as well patch it. Easy patch.

What bothers me the more than the overflow in parsing a malicious EK cert is that they CAN patch it, that a BIOS / UEFI update touches this code. Presumably if a BIOS update can fix it, a malicious bios update can *create* at least a similar problem, and probably a significantly worse variation. Of course we already knew a malicious BIOS would be bad, but I wouldn't expect it to touch that code.

Comment Close, but no. SNI is (must be) before encryption (Score 1) 214

That's a logical thing to think. Not quite right though.

The reason you couldn't have more than ssl site on an IP was that the server has to include its certificate in the Server Ello, the first message sent by the server. The client has to validate the certificate (and therefore the server) before it shares encryption keys with some otherwise unknown actor out on the internet somewhere. The certificate has to be validated WAY before the Host: header is sent, so the server had no way of choosing between different certificates for different sites on the same IP.

About ten or twelve years ago we introduced Server Name Indication to solve that problem. With SNI, in the very first message of the TLS handshake (ClientHello) the client says "Hello I'd like to speak to, and I can use the following encryption algorithms". That's the FIRST message sent, way before encryption is set up. The server might not even host the site anymore and the client is still going to send out, in plain text "I'm connecting to", because it can't even know that's the right server with first announcing which name it's looking for. The encrypted session starts several messages later, after the server knows which site's key to use for encryption, and the client has validated that the cert belongs to that site.

Suppose you could somehow make the ClientHello invisible, so nobody can see the client announcing which site name it is connecting to. Eavesdroppers could STILL see the name because it's in the TLS certificate! You have to send the certificate before you can start an encrypted session based on that cert, so there's no way to hide the name even if you changed the TLS protocol, without completely redesigning it to be a completely different protocol altogether.

Comment Need to connect wires to microscopic TPM traces (Score 2) 76

> Is the TPM protected from writing? If not, I assume the certificate can be modified/replaced via software.

No, you cannot write directly to TPM nvram from the OS. The spec says the endorsement key is supposed to be permanently burned in at the factory, but some manufacturers instead support CreateEndorsementKeyPair, which asks the TPM to create a key for itself, if it doesn't already have one. If it already has a key, as it should, CreateEndorsementKeyPair does nothing but return an error code.

To put your own malicious endorsement key in the TPM, you'd need to directly access its NVRAM. The most direct way to do that would be to pull out your scanning electron microscope and connect to the nvram traces on the chip. If some *other* vulnerability allowed full write access to TPM NVRAM, that would be a game changer.

Slashdot Top Deals

Save yourself! Reboot in 5 seconds!