Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment Re: Identifying the user?? (Score 1) 54

Aka a cookie? So why the need for a browser extension?

Because it wants to blind the token.

NSL to CloudFlare and data slurp commencing in 5... 4... 3...

NSLs don't work that way. Even the DOJ doesn't claim they can do that with an NSL.

There is, of course, a risk in running any code. But in this case one assumes they'll publish the code.

Comment Re:Down with the CA (Score 1) 45

I honestly think that people are actively sabotaging all of the above approaches.

It's to the advantage of the existing CAs to go make trouble every time something like that comes up at the IETF or wherever. And it's to the advantage of the world's spooks to slow down any standardization that improves security, preferentially slow down the standardization of the most effective alternatives, and make sure that everything is so complicated and option-laden that you can always find a mode you can break.

I don't think there's some vast shadowy conspiracy with central control. Just a lot of players with reasons to fuck things up. Sometimes they may cooperate, but probably they mostly just engage in "leaderless sabotage".

The standards bodies/processes at least try to defend against commercial interests who want to get things they control standardized over technically better alternatives. But once they do get captured, they're hard to un-capture. And they have almost no defenses against players whose only interest is simply to make things not work. And because mentioning the possibility sounds like a conspiracy theory, it's even harder to get them to adopt such defenses.

Comment Re:It's not hard to hack a CA (Score 1) 45

Oh, I forgot the other major reason that the CA infrastructure is shit, which is that those verification standards are indeed too lax. If you can impersonate the server in the first place, you can probably fake control of the domain well enough to get a certificate. But again Let's Encrypt is no worse than any of the others.

Comment Re:It's not hard to hack a CA (Score 3, Insightful) 45

The idiots behind let's encrypt don't understand that the first and role of the public CA system is identity non-repudiation, but they issue certificates with any name to anyone who asks.

You don't have a damned clue how this stuff works, do you?

All the public CAs issue non-EV certificates based on the ability to control email and/or DNS information for domains, and most of them automate it. Their verification standards for non-EV certificates are on page 13 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.7.pdf.

Let's Encrypt does exactly the same verification and meets those standards. Let's Encrypt is actually ahead of some of them in that it uses a published and publicly reviewed verification protocol (ACME) to check control over the DNS.

Yes, the CA infrastructure is shit, mostly because all you have to do to impersonate any domain is to find any CA you can trick. No, Let's Encrypt is not any worse than the hundreds of other CAs that the browsers trust.

Comment Re:Are you for real? (Score 1) 424

What did she do to screw up her ex's life, exactly?

She sent him a nasty message. A message that mostly said she could do fine without him, thanks. He was not in the video. The only "shame" directed at him was basically a statement that it was possible for somebody to exist and have a sex life without involving him.

Yeah, it was a bitchy thing to do, but it was a single message and there was zero chance that the whole world was going to start taunting him about it. It wasn't going to even be part of his life for more than a couple of minutes, and there was sure as hell no way that thousands of people would be on his case and forwarding it all over the Internet for years to come.

Absolutely no comparison. Not even a potential comparison. There was no chance that anything even vaguely close to what happened to her could have happened to him. Sorry.

And if it had, that would have been a bad thing too. Even if HE had somehow invited it.

Comment Re:So? (Score 2) 308

Something that's smashed will probably have to be replaced even if it still works, and it's easy to assess whether you've stopped it from working. And "any idiot" is more likely to fry the USB port with that thing than to put the whole machine out of commission. They are VERY UNLIKELY to kill the contents of the hard drive, if that's what you mean by "be recoverable".

As for the wall, my power line still works, and so do lots of other things, even if it's on the end of a long cable. The piezo igniter from a $5 barbecue lighter, say. The piezo can also be quiet and inconspicuous if that's what you want, it has higher voltage and very possibly more current. Still unlikely to make the data unrecoverable, though.

Anyway, most devices are not behind walls, and if you ARE putting it behind a wall, you SHOULD be protecting the USB port from this sort of obvious electrical attack.

The point is that damaging things is easy. I could pop parts off a lot of motherboards by putting the intact devices over my knee. On a more robust device, if you have access to a cooling vent and the thing is turned on, you can go ahead and pee in it, and you'll probably do worse harm than you'd do with that thing. Or dump a bit of salt in your orange juice and dump that in. It's plausibly deniable; you don't have a dedicated destructive device to dispose of.

I'm just not seeing very many plausible situations where that device would be a go-to choice for a vandal.

Comment Re:Uh-huh (Score 1) 299

I think the dog can truly find the drives in a lot of cases... and not just "find" them. But what justified the warrant for the dog to be there in the first place? Where does the parallel construction come in? You could only use the dog to "parallel construct" after you were already conducting an invasive search, and at that point you wouldn't actually need any parallel construction. So what does it do for you?

Anyway, suppose I'm a guilty person, and you're the cop, and you get a warrant for whatever reason, and your dog finds the drive with the details of my scheme to sell drugs to buy child porn for terrorists. Well, if I'm not an idiot, said drive is going to be encrypted. And the number of idiots of the non-drive-encrypting variety is dropping rapidly, partly because of stories like this.

So my drive is encrypted, and I tell you that I don't know the password.

I have total deniability, because it's not uncommon for an actual innocent person to have an encrypted drive lying around and not know the password. In fact, my original point was that I am an actual innocent person in real life, and I do have many encrypted drives with unknown passwords, some of them probably in places I don't even remember. So what have you proven by finding the drive?

So how could you actually use the dog? Well, it would in fact help you to find good evidence against true idiots if you already had a good reason to search them. But the number of available idiots is probably small and is probably going to crash to insignificance. And you'd probably nail the idiots some other way anyway, because they're idiots and they've already screwed up something else to get you there in the first place.

As for using the dog as probable cause, the way they do with drug dogs at traffic stops, I don't think even today's supine US courts would swallow a hit from this dog as probable cause for anything. Flash drives are as common as dirt. 99.99 percent of them are totally innocent. Probably 99.9 percent of encrypted drives are totally innocent. So even if the dog were perfectly reliable, the hit wouldn't mean anything about crime and wouldn't justify anything further. And I think this is more a house search thing than a traffic stop thing anyway.

Which means I'm still not seeing the use of this dog even if you assume the cops are corrupt. Drug dogs are magic search authorizers for corrupt cops, but this one won't help them. And on the non-corrupt side, I bet the dog rarely actually finds usable evidence, and still less often finds decisive evidence, and I bet that becomes even less common within a few years. People will encrypt the drives, and they will have total deniability. The whole thing is a waste of time.

On reflection I was wrong about the "excuse to ransack your house", though. The dog might clue them in to tear open something they otherwise wouldn't, but I suspect that in most cases, once it gets to the point of executing a warrant, they're just going to tear everything up anyway. And as I said the standard "traffic stop" dog abuse won't work here the way it does for drugs.

Comment Uh-huh (Score 1) 299

Every room in my house is full of electronics. I have a box of proably 20 random USB flash drives in my office. None of them have child pornography or whatever on them, but most of them are encrypted. And I legitimately don't know most of the passwords, because who remembers the password they used for a scratch drive?

The dog is either totally useless, or just an excuse to ransack your house and/or confiscate everything you own.

Comment Re:are. you. fucking. kidding. me? (Score 1) 76

There's a word for an organism that voluntarily "subjects itself" to natural selection.

That word is "cull".

Because natural selection, unlike ITGs, is actually tough. It does not give a fuck about your desire to feel superior. It does not give points for your delusions of infallibility. It does not play fair and it does not care if you do. It only cares about success.

If you pass up an easy way to assure success, natural selection will be completely happy to kill you.

You live in its world. It does not live in yours.

Comment Re:Cloud security for you! (Score 1) 41

Any third party service is an extra exposure, period.

You have to be an absolute unmitigated idiot to even think about using something that sends every fucking keystroke to a third party.

And even if you pick the best cloud service every time, you are going to lose if you go out and make yourself dependent on 100 of these things. Not to mention the fact that they often lie and often change their security postures over time. They also love to farm out critical parts of what they do to still more cloud services, increasing your exposure still further. I especially like "I logged into SwiftKey with Google+". So you farmed out not only your goddamned keyboard, but the AUTHENTICATION for access to your keyboard.

I just hope the inevitable collapse of all this "as a service" stuff comes sooner rather than later. Then we can go back to only having to deal with the fact that the local software is crap.

Slashdot Top Deals

What is now proved was once only imagin'd. -- William Blake