
Comment Re:How long does it take to get a cert? (Score 3, Insightful) 92

Actually, without SSL, man-in-the-middle attacks are very problematic. As a security researcher, I can tell you that it is very easy to cause mayhem with HTTP-based traffic for Facebook. We'd launch a proxy on the network and funnel traffic through it. With no security, we could, for example, change the destination and content of messages, and see everything.

Comment Re:Never trust security through obscurity (Score 1) 133

Your second reply never made it to my feed; allow me to clarify my first reply, having seen this one now: if the program is implemented wrong, and they are banking on people having the impression it is fully secure without having actually analyzed the system, then it is security through obscurity. Now, if they had opened it up to auditors and this implementation was genuinely missed, it would have simply been an implementation error.

Comment Re:Never trust security through obscurity (Score 1) 133

Full specifications are available. There is no security through obscurity here.

Actually, it is obscurity. The specification you linked to was NOT followed by the device manufacturer; they just assumed that since they didn't tell anyone they violated a proper practice, no one would notice. The specifications you listed require devices to adhere to the random number generation requirements outlined in ISO 18031, which the machines did not. This standard mandates that an unpredictable entropy source be used as the seed for any random number generating function. The devices were using the date and time as a seed. This is what a lot of kids are taught in school in computer class, but it is something any cryptographer is supposed to avoid.
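The seeding flaw the comment describes, as an added example that is not from the original thread: a token generator seeded from the clock beside one drawn from the OS entropy source, plus an audit check that flags the former. Function names and the sample timestamp are assumptions constructed for the illustration.

```python
import random
import secrets
from datetime import datetime, timezone

def time_seeded_token(clock_seconds: int, nbytes: int = 8) -> str:
    """Flawed pattern from the comment (constructed illustration): the PRNG is
    seeded with a date/time value, so the output is a pure function of the clock."""
    rng = random.Random(clock_seconds)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()

def entropy_seeded_token(nbytes: int = 8) -> str:
    """Corrected pattern: draw directly from the OS CSPRNG, which is what an
    ISO 18031-style unpredictable entropy source looks like in practice."""
    return secrets.token_hex(nbytes)

def seed_reproducing_token(token: str, approx_clock: int, window: int, nbytes: int = 8):
    """Audit check: does any clock value within +/- `window` seconds of the
    approximate issue time regenerate `token`? Returns that seed, else None.
    A sound generator never passes this check; a time-seeded one always does."""
    for seed in range(approx_clock - window, approx_clock + window + 1):
        if time_seeded_token(seed, nbytes) == token:
            return seed
    return None

def audit_generator(make_token, approx_clock: int, window: int = 300, trials: int = 3) -> bool:
    """Return True if the generator under test is flagged as clock-derived, i.e.
    at least one of `trials` fresh tokens is reproduced by a seed in the window."""
    for _ in range(trials):
        if seed_reproducing_token(make_token(), approx_clock, window) is not None:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: tokens issued around a known timestamp (2012-02-14 09:30:00 UTC),
    # with the device clock assumed to be 17 seconds off the auditor's reference.
    issued_at = int(datetime(2012, 2, 14, 9, 30, tzinfo=timezone.utc).timestamp())
    flawed = lambda: time_seeded_token(issued_at + 17)
    print("time-seeded generator flagged:", audit_generator(flawed, issued_at))
    print("entropy-seeded generator flagged:", audit_generator(entropy_seeded_token, issued_at))
```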

Comment Never trust security through obscurity (Score 4, Informative) 133

Lots of these systems use proprietary protocols and have pushed out third-party verification by researchers. The random number being generated by time? Any serious security auditor would have caught that if the banks had allowed them in; one of the golden rules of cryptography is to have a proper random number generator. The contactless systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen.

Comment Re:Use caution with any and all data (Score 2) 320

Forgot to add these notes: install an anti-virus that does boot-time scans, like Avast. It will put itself BEFORE the bootloader for Windows, ergo scan files before they could be loaded into memory and hide themselves easier. Of course, if the AV gets compromised it wouldn't help, but keeping it updated should make it much less likely. A FULLY patched Windows 7 machine is a tough freaking nut to crack (coming again from that experience with the DoD in the above post). Of course, get one update behind and it can be devastating. It is not likely that some ordinary scammers will have serious 0day exploits. But then you're in God's hands if that happens. Also, regular backups help, but I know that can be difficult with non-technical people. If he's willing, get him an external drive for backups and tell him to just plug it in at a scheduled time (like Saturday mornings?) and to unplug it at the end of the day. Unless it gets infected while the backup drive is attached, it could help save a lot of trouble. The Win7 backup feature is pretty good. Not the best, but good. Last item: I realize I've been talking about Win7 a lot, but the same applies to pretty much all OSs. However, if he is on XP then I'd get him off of it, as it has reached end of life support for consumers unless they purchased an extended contract with Microsoft (which I don't even know if they sell to non-businesses). NOTE: the above post is mine; I wasn't thinking to log in when I made it, as it is early morning here and I need some coffee. It was supposed to be a day off from this kind of stuff haha

Comment As a web business owner, I hereby sever GoDaddy (Score 2) 353

I have hung onto GoDaddy because of how cheap they are, and because I've so far never had a problem. But this just goes too far for a mediocre service. The service works, and is cheap, but I'd rather pay more for a better service, even if I don't need it, than support them anymore. As soon as the holidays are over, I am moving EVERYTHING over from them. I also will no longer advise any of my clients to use them (though they were never really "recommended" except for how cheap things can be with them thanks to promos).
