Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Comment As a Private Investigator once told me, years ago (Score 4, Insightful) 462

If you find that your residence, automobile, or other personal effects have been entered/searched without your consent or direct knowledge, and everything "looks intact", consider that they didn't come to take something away, but to put something in.

Once your personal effects, especially high-capacity electronics like smartphones and laptops, are out of your direct control, in some other room for hours at a time while you're in a holding cell, you can no longer trust them.

If they can get access to the physical hardware, they can install malware, rootkits, key loggers, replace the network card with one that is known-trojaned, manipulate your certificates, trusts, replace firmware on your devices and anything else they want.

No, once you get your gear back, immediately wipe it. Do not log into it, not even once, and just sell it on eBay or Craigslist.

You can't trust it, so dump it as soon as you can.

Comment Re:Open source? (Score 5, Insightful) 215

Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.

Is that "safe"? I don't know.

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

Are they photographing every letter under extreme bright lights, making the container effectively transparent?

Not sure, but it's worth exploring every single one of those questions.

Comment Re:Yeah, they all require an email address (Score 1) 174

As for the the guy talking down the "bunch of words"-approach I guess one could take words from different languages and then throw in a few extra characters and numbers in a few groups here and there just to mess up if someone only use dictionaries and then it would become somewhat harder.

Actually, no.

What you've done is make it take marginally longer to guess your password, but not impossible. By marginally, I mean minutes to hours in most cases, not days, weeks, months or years. Just try sticking a sample password of words from different languages into Google for example, and watch it cleanly cleave those words apart into a logical search.

Lexical matching + brute force is a solved problem. Password cracking doesn't just bash letters against a wall until it gets a match anymore. At least good ones don't.

Comment Re:Yeah, they all require an email address (Score 1) 174

Why not use KeePass on your phone then? It supports BlackBerry, Android and iOS.

Or export the data from KeePass and GPG ascii-armor that and email it to youself?

There's plenty of ways to do that. I keep lots of non-web data within KeePass, and it's been remarkably useful to me for more than just "logins".

Comment Re:OMG Pony BotNet! (Score 1) 174

I love how people with a clue suggest people use different passwords everywhere and then more or less every single page in the universe require you to have a freaking login and often don't use any central stuff for doing so (somewhat better now with facebook and Google then again do I really want to connect my accounts that way?)

I'm confused. Are you saying we shouldn't use individual logins, and should use a centralized system of login and authentication instead? That's precisely what we do NOT need. Reusing passwords across multiple sites increases the speed and attack vector.

Using a centralized service ("Log in with your Facebook or Twitter Account here...") magnifies the problem even further.

No, if you want true security in the current environment, always choose to create an account, using the local system's own mechanism, and keep a unique, strong password embedded in that system.

Sharing passwords across systems or reusing the same authentication mechanism across systems is just opening a huge hole so big you could swim in it.

What happens when a flaw in the central authentication system is discovered? What happens when your Facebook credentials are stolen, and now hundreds of other sites you've enabled their use upon, suddenly become open to the criminals who obtained your Facebook authentication?

Resist the urge to centralize you authentication. Seriously, you're asking for trouble. Don't do it.

Comment Re:They pop up and notify me they are running. (Score 1) 243

I use a combination of LBE Security, DroidWall and Permission Manager to lock things down tightly. Silly free flashlight apps that try to read my SMS datastore? Nope, denied. Calculators that try to use WiFi or my cellular network? Denied. Games that try to read my IMEI? Denied.

Super secure, tight controls and you can lock everything down, in or out. Use all three.

Comment Re:Dichotomy (Score 1) 234

According to TFA, NSA knows full well exactly this and tried it, but couldn't gain control of a sufficient number of exit nodes. That's not surprising, it really would take controlling quite a lot of exit nodes.

Are we sure they didn't just root the botnet around mid-August/early September?

Can we be absolutely certain that the botnet itself, and every single node, is 100% secure and non-rootable from the NSA's 0-day toolkits?

Comment I understand TFA and the legal implications, BUT.. (Score 1) 527

Why did the FBI not just raid the location, take the physical servers and storage assets, clone them and then let the courts sort it out? That way they could go and fetch the keys themselves, MiTM the traffic to the host through his ISP, masquerading as Lavabit, and snarf whatever they needed. They're already doing it in other cases.

What I'm wondering, is that when someone comes to your door with a warrant, and you say "No" and close the door, why would they allow you to go back and manipulate the bits and digital information that comprises the portion the warrant asked for?

In this case, how was Lavabit even allowed to shut down their services, if the FBI was at the door asking for the keys?

Something doesn't add up here.

Comment Re:Tin Foil Hat for your car? (Score 1) 314

Do you turn your phone off when you drive your the car or go about your daily business? Unlikely.

If you leave your battery in your phone, even in the 'off' position, your phone is still on, still capable of receiving and sending, including E911. Just because the screen says it's been turned off, doesn't mean it's been turned off. Pull the battery out.

Soon though, that won't be enough, and your phone and other devices will be able to transmit their location, data, etc. without the need for a battery.

Slashdot Top Deals

Save yourself! Reboot in 5 seconds!