
Comment: Banking is typically slowest to change its crypto (Score 2, Insightful) 300

Of all the industries that are slow to implement change in cryptographic practices, banking is by far the slowest. Part of this is bureaucratic inertia, part of this is lack of trust of newer algorithms until "proven" safe, and still part of this is reliance on legacy HSMs in their server facilities. Even the NSA has mandated a faster transition to better crypto (e.g. Suite B) than banking. Banking is still using 3DES instead of AES128, although for practical purposes brute-forcing 3DES at 112 bits of effective security isn't that much worse than AES' 128 bits. Banking won't move quickly unless someone starts stealing many thousands of high-profile accounts, but it'll be a bit like a buffalo stampede.

Still, it's mind-boggling that MD5 is still in use by anyone at this point given that it is susceptible to collisions. NSA Suite B is very clear that SHA2 256 is the minimum acceptable hash, and so it should be elsewhere regardless of your symmetric or asymmetric crypto. Back in the day when RSA512 was still used for PKI because of limited computing power, there might have been an excuse to stick to MD5. And yet, we all moved on to RSA1024 and RSA2048 because RSA512 was broken too. SHA2 is free, and it works. It really is time to move on from MD5 for all uses.

Funny enough that the entire security of the Internet as most users see it is based on the MD5 hash of the browser binary...

Comment: Why don't agencies improve authentication? (Score 3, Interesting) 50

The fundamental problem here isn't the data loss (other than a possible loss of privacy), but one of what someone other than the authorized owner of that information can do with it. Credit reporting agencies, property title offices, passport offices, and a whole host of other people need a much stronger form of authentication. These fools have ignored this problem for years, and impose costs not only on the victims but on everyone else due to prosecution, police investigation, etc.

From a practical security perspective, security on data use is really limited to the "something you have" aspect (i.e. your name/SSN/DoB/address), less on the "something you know" and rarely the "something you are" categories. Both government and private industry need to wake up and start making it much more difficult for people to have anything bad done to them simply because someone uses their data ON TOP of mandating cryptography and security for information (which I deem to be separate concepts).

An idea - digitally sign the hash of a person's fingerprint, retina, signature and a non-obvious PIN (i.e. pictures, phrases, numbers, questions), put the root certificate authority in a government-controlled secure bunker or military base with FIPS 140 secured HSMs and multiple independent layered checks and balances, and use the signature/verification chain for both government and commercial uses.
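The signature/verification chain sketched in the comment above, as an added example that is not the commenter's code and not any agency's system: an offline root key certifies an issuing office's key, the issuing office signs a SHA-256 commitment to the enrolled factors, and a verifier checks the chain before comparing presented factors. Ed25519 from Go's standard library stands in for the FIPS 140 HSM, the factor strings are constructed sample values, and the domain-separation tags are invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain-separation tags (constructed for this example) so a root signature
// over an issuer key can never be mistaken for a signature over a credential.
const (
	tagCredential = "example-credential-v1\x00"
	tagIssuerKey  = "example-issuer-key-v1\x00"
)

// FactorDigest commits to every presented factor with SHA-256 (the minimum
// hash the comment above asks for). Each factor is length-prefixed so that
// splitting the same bytes differently yields a different digest.
func FactorDigest(factors ...[]byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(tagCredential))
	for _, f := range factors {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Credential is what the issuing office hands back: the factor digest, the
// issuer's public key, the issuer's signature over the digest, and the root's
// signature over the issuer key (the chain back to the offline root).
type Credential struct {
	Digest    [32]byte
	IssuerPub ed25519.PublicKey
	IssuerSig []byte
	RootSig   []byte
}

func issuerKeyMsg(pub ed25519.PublicKey) []byte {
	return append([]byte(tagIssuerKey), pub...)
}

// CertifyIssuer is the only operation the root key ever performs.
func CertifyIssuer(rootPriv ed25519.PrivateKey, issuerPub ed25519.PublicKey) []byte {
	return ed25519.Sign(rootPriv, issuerKeyMsg(issuerPub))
}

// Issue signs the digest of the enrolled factors with the issuer key and
// attaches the root's certification of that key.
func Issue(issuerPriv ed25519.PrivateKey, rootSig []byte, factors ...[]byte) Credential {
	d := FactorDigest(factors...)
	return Credential{
		Digest:    d,
		IssuerPub: issuerPriv.Public().(ed25519.PublicKey),
		IssuerSig: ed25519.Sign(issuerPriv, d[:]),
		RootSig:   rootSig,
	}
}

// Verify walks the chain: root -> issuer key -> digest -> presented factors.
func Verify(rootPub ed25519.PublicKey, c Credential, factors ...[]byte) error {
	if !ed25519.Verify(rootPub, issuerKeyMsg(c.IssuerPub), c.RootSig) {
		return errors.New("issuer key is not certified by the root")
	}
	if !ed25519.Verify(c.IssuerPub, c.Digest[:], c.IssuerSig) {
		return errors.New("credential digest is not signed by the issuer")
	}
	if FactorDigest(factors...) != c.Digest {
		return errors.New("presented factors do not match the credential")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rootSig := CertifyIssuer(rootPriv, issuerPub)
	// Constructed sample factors standing in for biometric templates and a PIN.
	fp, retina, pin := []byte("fingerprint-template"), []byte("retina-template"), []byte("pin:correct horse")
	cred := Issue(issuerPriv, rootSig, fp, retina, pin)
	fmt.Println("correct factors:", Verify(rootPub, cred, fp, retina, pin))
	fmt.Println("wrong PIN:      ", Verify(rootPub, cred, fp, retina, []byte("pin:wrong")))
}
```

Two caveats a practitioner would add before building on this: biometric templates do not reproduce bit-for-bit between captures, so a real deployment matches them with a tolerance rather than hashing them raw, and a short PIN hashed directly is guessable offline by anyone holding the digest, so it needs a salt and a slow hash. The chain structure itself (root certifies issuer, issuer signs the commitment, verifier checks both before comparing) is independent of those choices.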

1080p, Human Vision, and Reality 403

An anonymous reader writes "'1080p provides the sharpest, most lifelike picture possible.' '1080p combines high resolution with a high frame rate, so you see more detail from second to second.' This marketing copy is largely accurate. 1080p can be significantly better than 1080i, 720p, 480p or 480i. But, (there's always a "but") there are qualifications. The most obvious qualification: Is this performance improvement manifest under real world viewing conditions? After all, one can purchase 200mph speed-rated tires for a Toyota Prius®. Expectations of a real performance improvement based on such an investment will likely go unfulfilled, however! In the consumer electronics world we have to ask a similar question. I can buy 1080p gear, but will I see the difference? The answer to this question is a bit more ambiguous."

"Free Wi-Fi" Scam In the Wild 332

DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista).

The Best Graphing Calculator on the Market? 724

aaronbeekay asks: "I'm a sophomore in high school taking an honors chem course. I'm being forced to buy something handheld for a calculator (I've been using Qalculate! and GraphMonkey on my Thinkpad until now). I see people all around me with TIs and think 'there could be something so much better'. The low-res, monochrome display just isn't appealing to me for $100-150, and I'd like for it to last through college. Is there something I can use close to the same price range with better screen, more usable, and more powerful? Which high-tech calculators do you guys use?"
