
Comment Re:Patent? (Score 1, Informative) 183

Yeah, we have it. I even have a couple of FM tuners that pick it up. I have never seen a digital AM radio in the wild.

Here is a tuner that you can likely pick up in a store today:

However, there is not enough compelling reason to invest in HD radio in the US, at least from my experience.

Comment Re:Imagine (Score 1) 278

You absolutely don't need to incorporate (or form an LLC--the more common option for individuals. An LLC is NOT a corporation), but they do make accounting and taxes cleaner.

As a sole proprietorship you just add a tax form Schedule C and you can deduct and expense what you need. You have the option of deducting many expenses (like a computer) using "Section 179" deductions that let you take the whole amount in the year of purchase, as opposed to depreciating.

Comment Re:Why is this still an issue? (Score 1) 249

Public-key cryptography depends on problems which are believed to be hard to solve, but it could be that there is a solution which simply hasn't been discovered yet.

And if it becomes possible to crack ECC or RSA keys economically, somebody getting your e-mails off of your phones is the least of society's problems. All economic transactions become practically impossible on the Internet.

At some point, you have to trust the algorithms, because you ARE ALREADY TRUSTING THE ALGORITHMS TODAY. Even if YOU don't trust them, your bank does. The stock market does.

In short, if ECC and/or RSA falls, all of society as we know it is screwed.

You act as if CAs have never had keys compromised, or abused their position of trust to issue false certificates (under duress or otherwise). Some organizations which have had exactly these problems are still around and allowed to issue keys trusted by all the major browsers. If anything, the CA system illustrates exactly why key escrow is a horrible idea.

You act as if all encryption is suddenly broken and not used anymore because it is useless. Hmmm. As I type this, I see "https" at the top of the URL bar. You do know that "certificate revocation" is a thing, right? Yes, some false certificates were issued. Do experts suddenly recommend that encrypted web traffic is a bad idea based on that information?

Keep in mind that phones are devices that have their firmware in flash memory, not masked ROM. The firmware can be updated. New certificates can be loaded.

To summarize, encryption can be applied to phones, the same techniques which are already being used billions of times a day to protect web traffic. I fail to see how a solution that works well enough for everything else can suddenly become horrible when applied to a device that an attacker needs physical access to in order to compromise.

Comment Re:Why is this still an issue? (Score 1) 249

The private key is encrypted with a trusted party's public key. That is how encryption works. Play with the MBED-TLS library for a while to get a feel of things.

I, for one, want a world where law enforcement can put criminals away -- even if the criminals use encryption. I don't want to "destroy security." Security involves keeping the bad guys away from your data. If you define the police as "bad guys" then that is a matter of semantics.

As far as who keeps the keys, as I said, certificate organizations run their entire business around keeping their private key private. Every organization that has an "https" web page has a private key that they somehow manage. You act as if this type of thing has never happened before. A state-sponsored cracker could also wreck economies if they could somehow get into banks, the stock market, etc. How is this any different, except that there are not billions of dollars at stake?

Comment Re:Why is this still an issue? (Score 1) 249

You missed a couple of things...

First, your scheme requires the ability to export the private key from the device (even if it is encrypted). This is poor security practice.

Why? If RSA and/or ECC are really "uncrackable", and are mathematically proven so, I fail to see the problem.

generate and store the private key in a tamper-resistant secure chip

Absolutely true. However, it has to be tamper-resistant because this chip stores PLAIN-TEXT KEYS. If the keys are stored encrypted, then the key encryption key has to be stored in plain-text. These chips often have limited memory, so you can off-load secrets from the crypto chip into the host, but this key is encrypted using a chip-specific key. What you call "poor security practice" is baked into the TPM spec.

Second, why should the manufacturer have the ability to decrypt the user's data?

OK. You have a point here. However, if you accept the postulate that somebody with a warrant signed by a judge has the right to break into your stuff, then you have to trust SOMEBODY. Maybe not the manufacturer, but a private company with a staff of lawyers to protect the rights of the customers.

On the other hand, if you don't accept that postulate, then you probably trust nobody. I, for one, would like to help law enforcement if possible, provided that they can get a warrant. I would not trust them with the keys, but would be OK with having somebody else decrypt my info as long as my legal rights are respected.

Fourth, the manufacturer's private key will eventually leak.

Hmmm. There are several companies that make a living issuing certificates that have managed to keep their private keys secret. There is already an ecosystem around this problem. Why would this one use case be any different?

Fifth, the manufacturer cannot be trusted to represent the owner's interests by requiring a legally-sound warrant before exercising their backdoor

This is closely related to your second point. However, I could imagine that not protecting the customer's privacy would result in some backlash against the company, as it should be. Transparency would be the problem here. Once again, maybe have a trusted 3rd party be the key holder. Maybe some organization like the EFF could have the key-holder and charge the police $1,000 to decrypt the data.

Comment Why is this still an issue? (Score 1) 249

Seriously, why is this an issue?

Public/private key cryptography has been proven secure. HTTPS is based on it, and it is strong enough for me to do banking on-line.

For cases like the police needing to get into an iPhone, all that needs to be done is to take the phone secret (say, an AES key or the phone unlock code) and encrypt it using Apple's public key, and this encrypted secret could be made public (or presented over the USB port). Nobody can do anything with it, except the people who hold the private key (the manufacturer).

Law enforcement can turn over a warrant and the manufacturer can decrypt the secret key, and turn it back over to law enforcement. The government still needs to present a warrant, it is secure, and everybody should be happy.

Have I missed something?

Comment Re:Looks like something (Score 2) 86

That's your prerogative, to be certain, but why? You prefer to have to click through a bunch of icons and/or menus to get to a search functionality option somewhere in your UI? Do you just memorize the location of everything?

Me? I have 0 icons on my desktop and only a handful on my hidden taskbar and I use the MacOS search to launch just about everything else.

It's fast and easy; like tab-complete on the CLI. Just seems like a no-brainer. To each their own.
