Follow Slashdot stories on Twitter


Forgot your password?

Comment Re: Steve Gibson is a... (Score 1) 234

He's 57. Ain't a noob. The attacks were like, ten years ago. They're like a bunch of evil ex-girlfriends on Facebook against whom he really needs a restraining order. No one really cares what the "community" thinks, if what you mean by that is the group that has the time and inclination to launch DDOS attacks and spam threads with "Gibson sucks" posts. I don't believe people of that disposition really matter if they're over 15 years old. Nobody even remembers what the hell he did "wrong", and frankly no one outside of that group cares - if anyone is left, as "they" should have been married and worried about male-pattern baldness and being severely overweight by now.

Comment Re:I have a better idea (Score 1) 234

This methodology requires no patches. No vendor co-operation. Just a little crypto challenge. No more worrying about third parties or passwords. Session encryption is useless if they've already logged your keystrokes, or the ISP gave your keys away or provided their SSL certs to the government. Encryption is necessary, but the problem is passwords, always the passwords.

And it is an expensive hack, thanks you. Lots of time being spent on it.

Comment Re:Stupid idea (Score 1) 234

A web site can still require any authentication it wants, including userid and password. As the proposal states, if you read it.
And, again, and again, and AGAIN, you do not need a smartphone. The challenge can be a generated URL.
Please, help out here, and read the proposal. It's quite clever, and everyone is trying to break it, find the holes. So read those first. Maybe then you can find a new hole, and then someone can get it fixed.

Comment Re:Sounds like client certificates to me... (Score 1) 234

No. It is stored, encrypted, on the phone, or the computer, or the tablet, or the USB stick, by the user, who is responsible for its security. what "browser storage" means, I do not know. If the master key is encrypted in the usual fashion, only the user has the password necessary to unlock it, just as in Truecrypt's case. It's gotta be somewhere. This way, it doesn't exist anywhere else in the universe but that device (and anything else you can store it, encrypted, as well), so no certificate hijacker, no MITM, no ISP, no website ever has that key but you.

Not a certificate, but a means of generating session keys that are unique, and theoretically anonymous, by use of that master key. No one in the world can be you. The only drawbacks are MITM, where someone pretends to be a valid site and presents a fake challenge and then lets you in. That's up to you to police. No one else can stop you from entering a phishing site but you. The other is losing your key (!!) by losing your phone or whatever. They've come up with a revolving two-master key system, where you can revoke your master and then switch to a pre-entered (by you) new master. Further developments are open to view,and anyone can challenge or join in. But, do read first.

Comment Re:Fuck you, NaySAyers (Score 1) 234

The fallacy of the golden mean. The truth doesn't always lie between two extremes. He can be, and has proven to be, careful in his self-education and execution over decades. He nailed Microsoft on open sockets - *yes - he -did* - and figured out Prism as a pipe-tap rather than as a cooperative venture while everyone else was screaming and running in circles, accusing everyone of collaboration (not that there isn't, of course). I've listened to him for years. I've never known anyone so careful of his reasoning, so open to arguments, and ready to admit he is wrong and adapt to new facts. He has a podcast that provides him with excellent feedback, so facts are checked and errors corrected on the next podcast. He's polite, accomplished, and well-liked by people who listen to his show. He's a successful IT professional with good products. He's been a tireless advocate of privacy and freedom and has worked to try to find solutions to now proven security canyons. And his SQRL is no longer his baby - he gave it away for free, as in beer and speech, all open-sourced, and all the problems people have thought of are now being hammered on by people in the GRC discussion group as well as anywhere else that cares to try. If there's a hole, they'll address it. He's not the sole programmer or developer of SQRL. It's out there for anyone to work on, and soon will be a web standard. It helps to read his posts, or listen to his podcast, and not listen to "people" yakking on the internet about him. I can understand character assassination and how it is forever on the internet, but it doesn't mean that intelligent people have to bow to it. Look at what's really there, not at what people say.

Slashdot Top Deals

"The urge to destroy is also a creative urge." -- Bakunin [ed. note - I would say: The urge to destroy may sometimes be a creative urge.]