
Comment Re:Wrench beats encryption every time (Score 1) 374

Unless of course they just happen to see something during a legal search, then they can collect that evidence too, even if it's not related to the warrant.

It's not a grey area. They absolutely cannot have a broad search for your house and then say "Oh, here's a safe. It's used to hold things secret. He MUST have something in there he doesn't want us to see. I'll bet there's all sorts of fun stuff in there! 'Sir, open the safe too'..."

They have to know, with absolute certainty, that there's directly-related, incriminating evidence contained in that safe before they ask to open it.

If they're searching your house for a murder weapon or drug paraphernalia, and demand you open the safe and you do, and they find documents implicating tax evasion, they can't then decide to throw in charges for that along with the others you're accused of.

Likewise, if they are looking for a murder weapon, demand you open the safe, and inside they find an encrypted USB thumbdrive in the safe and demand the password, you don't have to provide that decryption passphrase at all.

There's already legal precedent here backing this up, until they decide to invalidate that with NSL and FISA orders, of course.

Comment Re:Wrench beats encryption every time (Score 1) 374

...but if they ask you to open the safe, you have to open it.

Actually, you don't.

You only have to provide access to locations specifically named in the warrant. If the contents of the safe aren't listed on the warrant, you don't have to open it. Also, they have to have evidence that the specific contents in the safe contain incriminating evidence beforehand, else it is off-limits.

Just because they have a warrant, does not mean they can go on a fishing expedition and go looking for evidence. The warrant is there to collect the evidence, not to try to locate it.

If you're still confused, please read the SSD:


Comment Re:Sigh (Score 1) 381

That's how I do it for my employers (large fireproof safe, book sealed so you can't open it without me noticing, etc.) and for myself.

Sealed how? For every way you can seal an article, I can probably name a handful of ways to get around it without disclosure. Wax seals, adhesive, envelopes, locks, string, ink stamps, stickers, all easily and transparently bypassed.

What method are you using with your books?

Comment As a Private Investigator once told me, years ago (Score 4, Insightful) 462

If you find that your residence, automobile, or other personal effects have been entered/searched without your consent or direct knowledge, and everything "looks intact", consider that they didn't come to take something away, but to put something in.

Once your personal effects, especially high-capacity electronics like smartphones and laptops, are out of your direct control, in some other room for hours at a time while you're in a holding cell, you can no longer trust them.

If they can get access to the physical hardware, they can install malware, rootkits, key loggers, replace the network card with one that is known-trojaned, manipulate your certificates, trusts, replace firmware on your devices and anything else they want.

No, once you get your gear back, immediately wipe it. Do not log into it, not even once, and just sell it on eBay or Craigslist.

You can't trust it, so dump it as soon as you can.

Comment Re:Open source? (Score 5, Insightful) 215

Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.

Is that "safe"? I don't know.

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

Are they photographing every letter under extreme bright lights, making the container effectively transparent?

Not sure, but it's worth exploring every single one of those questions.

Comment Re:Yeah, they all require an email address (Score 1) 174

As for the guy talking down the "bunch of words"-approach I guess one could take words from different languages and then throw in a few extra characters and numbers in a few groups here and there just to mess up if someone only uses dictionaries and then it would become somewhat harder.

Actually, no.

What you've done is make it take marginally longer to guess your password, but not impossible. By marginally, I mean minutes to hours in most cases, not days, weeks, months or years. Just try sticking a sample password of words from different languages into Google for example, and watch it cleanly cleave those words apart into a logical search.

Lexical matching + brute force is a solved problem. Password cracking doesn't just bash letters against a wall until it gets a match anymore. At least good ones don't.

Comment Re:Yeah, they all require an email address (Score 1) 174

Why not use KeePass on your phone then? It supports BlackBerry, Android and iOS.

Or export the data from KeePass and GPG ASCII-armor that and email it to yourself?

There's plenty of ways to do that. I keep lots of non-web data within KeePass, and it's been remarkably useful to me for more than just "logins".

Comment Re:OMG Pony BotNet! (Score 1) 174

I love how people with a clue suggest people use different passwords everywhere and then more or less every single page in the universe requires you to have a freaking login and often doesn't use any central stuff for doing so (somewhat better now with Facebook and Google, then again do I really want to connect my accounts that way?)

I'm confused. Are you saying we shouldn't use individual logins, and should use a centralized system of login and authentication instead? That's precisely what we do NOT need. Reusing passwords across multiple sites increases the speed and attack vector.

Using a centralized service ("Log in with your Facebook or Twitter Account here...") magnifies the problem even further.

No, if you want true security in the current environment, always choose to create an account, using the local system's own mechanism, and keep a unique, strong password embedded in that system.

Sharing passwords across systems or reusing the same authentication mechanism across systems is just opening a huge hole so big you could swim in it.

What happens when a flaw in the central authentication system is discovered? What happens when your Facebook credentials are stolen, and now hundreds of other sites you've enabled their use upon, suddenly become open to the criminals who obtained your Facebook authentication?

Resist the urge to centralize your authentication. Seriously, you're asking for trouble. Don't do it.
