Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Comment Re:I don't know... (Score 2) 248

Not being able to grep the logs would suck. It would break every hack script I have for checking things in the logs.

Furthermore, I'm not sure what problem the binary file with crypto signing would solve vs. just also logging to a secure log machine. Syslog already allows one to duplicate the logging to any number of off-machine syslog daemons.

For figuring out how a breaking was done woudln't it be better to just log all IP traffic (say with "tcpdump -w ...") on a dedicated logging machine and perhaps have a pruning mechanism that trims any TCP stream to a few megabytes. That way large file transfers wouldn't fill up the logging disk unnecessarily. Add to that some off-machine logging built into sshd or perhaps the pty driver and one can get a pretty good picture of how any breakin was done.

Comment ssh keys compromised? (Score 1) 101

"you should consider the passwords and SSH keys that you have used on these sites compromised."

How the heck can ssh keys compromised by this breakin? Doesn't the site just have access to the developer's public key? With a sufficiently large ssh key (say 1k or 2k) how is anyone going to derive the ssh private key from the public key? The fact that if is effectively impossible is supposed to be the whole point of public key encryption.

Comment stop using non-random passwords (Score 2) 212

People need to stop using non-random passwords for WPA2-PSK. This attack sounds like a dictionary attack, because there is no way at only 400k passwords per second that he could map more than a minuscule fraction of the 2^256 key keyspace. We are talking 1e77 potential passwords. At 400k/sec that only amounts to 1e13 passwords per year. It will still take 1e64 years to break. Since the universe is only ~1.5e10 years old, I think we are safe enough from a true brute force attack.

Of course that assumes people do turn off WEP and WPA1 and all the WPA1 crap in WPA2 (like turning off TKIP and only allowing CCMP).

Comment Where is the NSA in all of this? (Score 1) 173

This incident underscores how little influence the NSA really has when it comes up against lobbyists and morally-corrupt senators trying to ingratiate themselves to the same lobbyists. It is shameful that this country has a group that is very, very good at analyzing security issues yet it isn't allowed force use of a secure operating system within the government.

Comment Re:It's not open source (Score 2, Insightful) 406

If you could actually AFFORD the phone you buy a unlocked one.. Google tried to sell you one, none of you cheap bastards bought one.

The G2 is also available for $500 from T-Mobile free and clear with no contract. It will be interesting to see what justification T-Mobile comes out with for locking down the bootloader on the G2 when it is bought outright like this.

Comment Re:NAT (Score 1) 442

What is needed is a compelling reason for people to get out from under NAT. Most people are so used to the Microsoft way of doing things with their desktop computer being so functionless that they can only work in conjunction with a remote server to do anything of significance. They can't host their own web pages, they can't get email delivered directly to their computer, they can't make a voice call directly to another computer etc. There are tons of application that could be written if everything was on the net directly. Anyone for syncing all their computers (files, bookmarks, etc?) without having to copy them via a remotely located server? We need to start writing these applications and tell the people hiding behind NAT boxes that they are SOL till they get themselves real, routable addresses.

Comment Re:Do it right the first time (Score 1) 470

GPS's don't use UTC for the simple reason that using a discontinuous time system at the low-level is insane. The Russian GLONASS does have leap seconds, and every time a leap second get applied the system has hiccups (as expected). The GPS system simply keeps its own true seconds-since-the-GPS-epoch counter and never steps this for leap seconds. Adding the leap seconds is left for the display routines in the individual end-user GPS devices.

As I see it, it really doesn't matter what UTC does as long as computers implement the low-level (internal) timekeeping correctly. If un*x/linux were to have a true seconds-since-the-epoch counter in the kernel with no leap seconds then time difference calculations would be trivial. Each program wouldn't have to have special (and probably largely untested) logic to deal with the time discontinuity around leap second time. Leap seconds (just like daylight-savings-time/normal-time) could be added by the display routines that map seconds-since-the-epoch into a human readable time. There is no need to muck up the low-level timekeeping for these oddities. Only programs that print out the time would need to even know that a leap second occurred, and in most cases that would all be done by the library routines.

Dan Bernstein first tried to get this low-level stuff straightened out, but folks largely didn't care to fix the problem because POSIX essentially mandated one do things in the more complicated fashion. http://cr.yp.to/proto/utctai.html

Comment Re:Remote wipe requires remote signal, yes? (Score 1) 383

You are assuming the powering down or removing of the SIM doesn't wipe the decryption key. If I were designing a more secure cell phone that's what I'd do. I'd keep the key on an internet server and send it to the phone after it powers up. If the phone got stolen / confiscated I'd send a wipe command that wiped the key from the phone if the power were still on, and simultaneously wiped the key from the server.

Slashdot Top Deals

Whom computers would destroy, they must first drive mad.

Working...