
Comment Re:Very little utility here (Score 1) 183

Job done.

Except it's not even close to done. This protocol is far more secure than no security at all, but is vulnerable to a number of different attacks. If you think the solution is simple, it's because you don't really understand the scope of the problem.

1) How do you trust the keys posted on the public key servers? Say I wanted to send you a message: how do I know that the key posted on the key server is, in fact, from you? (See Certificate Authority.) If a malicious party could intercept messages to you and decrypt them (using the bogus public/private key pair) and then re-encrypt the message to you using your formerly available public key, you'd receive the message and have no knowledge of the MITM attack.

2) Given today's environment for gag orders, how do I know that the Certificate Authority is trustworthy? (I don't.) Thus, even when signed by a CA, I have little assurance that scenario #1 isn't happening, even if protected by a CA.

3) A simple DoS of the key server will prevent anybody from knowing that you are, in fact, using a public key anyway.

4) Which of the numerous key exchange protocols are YOU using to protect your email? Assume I'm a whistleblower and you are a media rep, and I have some important stuff that you should know. How am I supposed to discover which of the various security mechanisms you are using? Publishing incorrect information about how you are securing your exchange allows for another type of MITM attack, even when you are doing everything right.

The reality is that the NSA's actions and the USA's current legal structure create an environment where literally nothing can truly be trusted. As long as laws exist that allow for demanding information from a company in conjunction with a gag order preventing disclosure, we can literally not trust a single US Internet company with any type of cryptographic protection. Not just Google/Yahoo/Microsoft, but also any and all CAs, and anybody that depends on CAs to do their job.

So, use a CA from overseas, right? Not subject to US law? Sorry, but that doesn't do it either. Most browsers/email clients are configured with dozens to hundreds of "trusted" CAs. Somebody impersonating you only needs to get a public/private key signed by *any* "trusted" CA in order to not have your browser/email client complain about a MITM attack. In order to properly secure my web-based product with SSL, I not only have to ensure that I'm doing business with a secure CA, but I also have to ensure that every CA trusted by anybody, anywhere is similarly secured. Since there is no way to validate this, and laws exist that prohibit me from knowing if the CA's root key has been given to the NSA, I have no way to do this.

So, in reality, with the security mechanisms in place to protect trust on the Internet, we have an attack footprint that is long, wide, and deep. To call this situation "bad" is a tremendous understatement. The NSA and the United States government have eradicated any actual ability to trust anything online with the current infrastructure. Only with the addition of further layers of "trustability" can we truly protect ourselves. Tools such as Certificate Patrol at least alert you when certificates change.
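A small trust-on-first-use pin checker in the spirit of Certificate Patrol, added here as an illustration (not the commenter's code and not Certificate Patrol's): it records the SHA-256 fingerprint of a host's leaf certificate on first contact and flags any later change, which is what a substitute certificate issued by some other "trusted" CA looks like from the client's side. The pin-store filename is an assumption.

```python
# Added example: trust-on-first-use certificate pinning (defender's view).
# Chain validation still runs, so a cert from any trusted CA passes it; the
# pin comparison is the extra layer that notices the leaf cert has changed.
import hashlib
import json
import socket
import ssl
from pathlib import Path

PIN_STORE = Path("cert_pins.json")  # hypothetical pin-store filename


def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Connect with TLS and return the SHA-256 fingerprint of the leaf cert."""
    ctx = ssl.create_default_context()  # normal CA validation stays on
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def check_pin(host: str, fingerprint: str, store: dict) -> str:
    """Compare against the stored pin; records a pin on first sight.
    Returns 'new', 'ok' or 'CHANGED'. A legitimate certificate rotation
    also reports CHANGED, so a change is a prompt to verify out of band,
    not proof of an attack."""
    pinned = store.get(host)
    if pinned is None:
        store[host] = fingerprint
        return "new"
    return "ok" if pinned == fingerprint else "CHANGED"


def load_store(path: Path = PIN_STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(store: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(store, indent=2))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    store = load_store()
    fp = fetch_fingerprint(host)
    status = check_pin(host, fp, store)
    save_store(store)
    print(f"{host}: {status} sha256={fp}")
```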

Comment Re:someone's gotta start the show (Score 2) 175

The whole point of start ups is that they cost very little to try. Any bonehead with a few thousand bucks, a commodity education, and a couch near a microwave and at least 15 amps of power can create a start up. Since 90% of publicly announced start ups fail, you can be sure that plenty of boneheads have gone this route successfully.

But even that 90% figure hides plenty. I have run a number of "technology previews" in order to try out ideas that were never announced. For example, I recently wrote a web service that linked YouTube and a smartphone to automatically link training videos in context to written curricula. This allows me to enter content online and link to videos generated in real time without any necessary editing, linking, or cross-indexing. I'm pretty sure I could turn this into some sort of crowd-sourced open training thingie, but I never worked up a business plan.

Does that count as a start up? I know it has never been announced as such, and it probably should count as a failure because it never went anywhere... so what's the real number? 99% failure? 99.999% failure?

Who cares? In this random morass of ideological soup and one-off ideas emerges the occasional hit. And the one hit in 10/100/1000 really doesn't need to be that large in order to offset all the failures.

As a start up kind of guy myself, I did about a half dozen start up ideas, to various stages of completion, one of which was *barely* profitable before I found one that got a bite in the marketplace. It took just two years of struggling before my winner emerged. Now, I'm a partner in a small, obscure, B2B software company about the size of Reddit - 25 staff built up over 10 years, and a very comfortable living.

I'm no Billionaire, and I have no dream of changing the world forever, just making life a little better for our hundreds of clients.

The original author's article was annoying: the type of vaguely critical article written by somebody who rates himself based on the number of obscure words chosen from the thesaurus to describe "omg they are so lame".

Comment Re:Everybody that is surprised is stupid... (Score 1) 182

Our contract with the data center that we host at has significant penalties for downtime. In about 6 years of hosting there, we've had exactly 2 incidents of less than 1 hour each.

Of course, the deluge of notifications we get every time a fly causes a ballast to fail in the 3rd light down the main hallway, or when our network usage at 95% exceeds the monthly average by 0.05%, gets a bit annoying, but I have no complaints about the quality of service.

Comment Re:Babs, look what you did again (Score 3, Insightful) 432

Businesses aren't some unified group, they're just people like you and me trying to make it in a world that is often unfriendly. It's a small percentage of true douches (looking long and hard at you, Goldman Sachs) that give the name "businessman" a bad name.

Often, the schleps running such a business have no clue about things like the Streisand effect. Come to think of it, why don't you become a businessman and set the record straight? Surely, you could beat out this moron...

Comment Fuel economy (Score 1) 325

* If a driving algorithm is a little more accident-prone than the average human driver at a given speed, that deficiency could be rectified by forcing it to observe lower speed limits.
* On the other hand, a driving algorithm that proves to be two orders of magnitude less accident-prone than the average human driver at a given speed should be granted higher speed limits. (Not so much higher as to erase all or most of its safety advantage. But higher.)

Why would you assume faster is better? If the car drives itself, it has no need for a driver. Thus, it could be completely unattended, and take advantage of the fact that optimal fuel economy tends to occur at about 35-55 MPH, where wind resistance is too low to be problematic.

Thanks to the exponential nature of inertia, doubling speed generally causes four times the wind resistance. It doesn't take long for that ratio to get stupid, and that's why we don't have planes that fly 5,000 MPH.

In general aviation, it's commonly understood that a more powerful engine will help you climb faster, but typically doesn't speed the plane up much except at the extreme lower end of the power/weight curve - that's mostly a function of wind resistance.

Comment Re:Ridonculous (Score 1) 303

Throw another $50 / $130 on top of Netflix's monthly fee, and it doesn't turn out to be a very good deal at all...

Are you kidding? I was paying that much per month for Cable...

Besides, I already have my Linux box connected to my TV, handling all my TV/DVR, DVD/BluRay, Hulu, gaming, and other functions. Telling me I have to have a separate box just for Netflix just tells me I shouldn't get Netflix.

I'm hard pressed to find a device *other than* your Linux box that doesn't do Netflix! In my large-family household, we have: my phone, Wife's phone, Son's phone, 3 Daughters' phones, my still-working, wifi-only old phone, my 7" tablet, Son's Xbox, PS3, Wife's iPad, and several laptops and desktops up to 3 or 4 generations old.

I love Linux. I use it for work, at which it does fantastic. Reliable, cheap, powerful; it's a programmer's paradise! But when I play, I use toys like Windows to watch videos and play GTA.
