
Comment Other way. (Score 1) 105

What makes you think non-proprietary routers or routers that come with source code aren't backdoored?

To each problem its own tool.

Planting backdoors (i.e. definitely malicious code) is easier in a definitely closed environment, where very few people can see the code, and the ones who understand it can easily be hushed by orders from top management.

In open-source software, that is a little bit more complicated, because the code is open and a lot more people are reading it. Hidden malicious stuff will get discovered eventually. The only variation is the amount of time until discovery. And again, all it takes is one single developer poking in the wrong corner (because he/she hit a bizarre bug, a side effect of your backdoor) to discover it, and very likely he'll be out of reach (geography/jurisdiction) to be prevented from speaking about it and embarrassing the NSA. So this specific way (planting backdoors) won't necessarily be optimal.

Better aim for other, better-suited solutions in this case:
- exploitable bugs, botched code and erroneous implementations leaking information. If it looks like a bug, there is less chance of the whole operation being blown if discovered (the buggy key generator in Debian, for example: could be negligence, could be an inside job).
- bugged hardware: a hardware random number generator, for example. Something as simple as a counter whose output is encrypted would look genuinely random, but for someone knowing the encryption password it is completely trivial to abuse. (And an encryption stage would make sense in a genuine RNG, as a way to erase any non-randomness in the output, so no surprise if there is an AES-like stage in the RNG of a CPU. Simply, the data fed into it isn't the electrical noise generated by heat (as designed by the engineer), but a simple counter (discreetly replaced by an anonymous employee at the maker, somewhere on the line between the engineer and the fab).)
- limited resources: randomness is hard to obtain, especially in embedded devices like routers. There might not be enough accumulated entropy by the time the SSH keys need to be generated during the first boot of a home router, and thus the keys to the router could be quite easily predicted.
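The "encrypted counter" hardware RNG described in the comment above, worked through as an added example (this is not the commenter's code and not any vendor's design). The PRF, key, counter start and the fixed "independent entropy" value are all constructed stand-ins: HMAC-SHA256 is used in place of the AES stage simply because it is in the Python standard library. The block shows the three points the comment makes from a defender's side: a byte-frequency test passes, so a statistical self-test cannot tell this source from real noise; anyone holding the key and counter reproduces the output exactly; and hashing the suspicious source together with an independent one is what removes the key holder's advantage.

```python
import hashlib
import hmac
from collections import Counter

# Constructed stand-in for the "encrypted counter" RNG: a secret key and a
# counter fed through a keyed PRF.  HMAC-SHA256 replaces the AES stage only
# because it is in the standard library; the property demonstrated is the same.
SECRET_KEY = b"constructed-fab-key-not-a-real-value"  # constructed value


class CounterRng:
    """Looks like a hardware RNG from the outside, is really PRF(key, counter)."""

    def __init__(self, key: bytes, start: int = 0) -> None:
        self.key = key
        self.counter = start

    def read(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            msg = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()  # 32 bytes per block
            self.counter += 1
        return bytes(out[:n])


def chi_square_bytes(data: bytes) -> float:
    """Byte-frequency chi-square statistic against the uniform distribution (255 d.f.)."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes, threshold: float = 400.0) -> bool:
    """The kind of sanity check a vendor self-test runs.  Uniform data scores around
    255; 400 is far above any usual rejection point.  Passing says nothing about
    where the bytes came from, which is exactly the comment's point."""
    return chi_square_bytes(data) < threshold


def predict_as_key_holder(key: bytes, counter: int, n: int) -> bytes:
    """Whoever knows the key and the counter position reproduces the output exactly."""
    return CounterRng(key, counter).read(n)


def mixed_output(hw_bytes: bytes, other_bytes: bytes) -> bytes:
    """Mitigation: never let one source be the whole pool.  Hashing the hardware
    source together with an independent one (interrupt timings, a second RNG,
    os.urandom on a host) means the key holder must also know that second input."""
    return hashlib.sha256(hw_bytes + other_bytes).digest()


def demo() -> dict:
    rng = CounterRng(SECRET_KEY)
    sample = rng.read(65536)            # 2048 blocks, counter is now 2048
    next_block = rng.read(32)           # the "random" bytes a key generator would consume
    predicted = predict_as_key_holder(SECRET_KEY, 2048, 32)
    # Constructed fixed value so the demo is deterministic; a real pool would use
    # genuinely independent entropy here.
    independent = b"constructed-independent-entropy"
    mixed = mixed_output(rng.read(32), independent)                    # counter 2049
    key_holder_guess = mixed_output(predict_as_key_holder(SECRET_KEY, 2049, 32), b"")
    return {
        "passes_stat_test": looks_random(sample),        # True: the test is blind to the backdoor
        "key_holder_predicts": predicted == next_block,  # True: the source is fully predictable
        "prediction_beats_mixing": key_holder_guess == mixed,  # False: mixing defeats the key holder
    }


if __name__ == "__main__":
    print(demo())
```

The design lesson is the one the comment draws about entropy on routers as well: a pool fed from several independent sources through a hash is only as weak as its strongest source, whereas a single source, however good its statistics look, is a single point of trust.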

Comment It's crowded in there (Score 1) 105

...when you factor in the Chinese backdoors that are there too, it's starting to be a bit crowded inside.

BTW: speaking of China, maybe that's where to start asking questions:
the UK cryptographers should ask the FSB and MSS to out products which got weakened by the UK and US.

Very probably the Russians and the Chinese have knowledge about them too (in theory the FSB and MSS are also intelligence agencies, so they should have done their own investigation and perhaps uncovered a few while doing their own security assessment; in practice they probably met a few backdoors while busy trying to plant their own), and unlike the UK and US they don't need to try hiding from public disgrace by trying to keep this specific weakening secret.

Comment And common grounds (Score 1) 45

Dogs have been selected for millennia for their ability to understand and interact with humans.

And even from the beginning they had lots of social behaviour in common: the same hunting technique in packs against big prey, requiring the same kind of coordination (compare with other mammals hunting small prey alone); the same social structure with a stronger dominance ladder (compare to cats, which have a looser hierarchy and are much more individual), etc.

Comment The best part survived (Score 1) 189

(dead at this point)

Well, then it's good that the whole MeeGo/Maemo branch split and ran away before Nokia went belly up, and they are now readying their Jolla.

(And it's *former Nokia* people making the Jolla: people with actual experience, so it's going to be a road a lot less bumpy than, say, OpenMoko's FreeRunner.)

Comment Driver Sobriety (Score 1) 126

They already have rental cars and this doesn't happen with them.

There's a small difference: the current car-sharing programs where you constantly swap cars around (like Switzerland's Mobility, Germany's DB CarSharing, France's Autolib, etc.) all have NON-self-driving cars. That requires by law that at least one person (the one behind the wheel) is more or less sober.

That means that currently at least someone realises what is happening inside the car and can try to discipline the rest of the drunken crowd if things start getting out of control.

Self-driving taxis require no sober driver, only someone approximately capable of pushing an app's button to call the cab.
Thus when boarding, the whole passenger team could be completely fucked up. And in this state, they might find it funny to throw beer cans at each other or whatever. Nobody is going to try to be at least a little bit responsible or adult.

Comment Ubuntu phone project is dead. Lots of others are h (Score 1) 207

There's a Ubuntu phone in the works that obviously allows scripting

Well, specifically, the Ubuntu Edge didn't manage to raise enough funds on Indiegogo.
They were asking quite a lot of money: 32 million, and only got around 12 if I remember correctly. That's quite a lot, but at least they were honest in taking into account that they have absolutely NO experience in phone making and that it would probably cost that many resources to bring the Edge to market while having to learn absolutely every single necessary skill on the way.
Basically, in order to bring the Ubuntu Edge to market, Canonical would have had to create its own phone-making company from the ground up. Hence the high required initial investment.

Luckily for us, that's far from the only open-source project.

That includes old classics like the Geeksphone, the Qtopia Greenphone, or even OpenMoko's FreeRunner (entirely open source, including design, PCB and firmware on components).
That also includes several upcoming machines (like some Firefox OS-powered phones), and among others the Jolla (done by no less than the former MeeGo/Maemo team at Nokia, who split after Nokia shut them down and decided to become Microsoft's lapdog).
Jolla's case is slightly different (especially from iconic phones like OpenMoko's FreeRunner or Ubuntu's Edge), in that it's not done by open-source idealists with little experience who make a first try at an open-source phone hoping to liberate the world from walled gardens (though OpenMoko got help and partnership with FIC). It's former phone makers with quite some experience and legacy, who decide "Fuck our former boss, let's keep making an open-source phone". They have way more contacts and experience and will probably go through a lot fewer hardware-bug iterations.

(That's the big problem with some of the early "fully open-source phones": the makers are quite inexperienced, make quite a lot of hardware bugs [like broken sound], requiring further iterations to fix. By the time the product is stable and final, its design seems outdated and underpowered for a very expensive price, especially compared to the offerings from big brands. That's at least one less problem for the Jolla.)

You can hook it up to a monitor, keyboard and mouse to use it as a real computer too. {...} phones already have more CPU power than a 2007 desktop so why are we limiting them to a 4 to 5" screen? Someday soon you'll be able to walk in your office and flick the screen of your smartphone over to your desktop screen and sit at your keyboard and continue to work on whatever you were working on.

And Ubuntu is far from the only one thinking in that direction. That's already been done in hobbyist circles (get a 'chroot' running inside an Android phone which has MHL and/or micro-HDMI, USB On-The-Go, Bluetooth HID, etc.). That's been advertised as a concept for quite some time by Always Innovating (and given their trend, ASUS therefore has a Padfone in the pipeline). So don't despair.

You'll either get your dream "programmable smartphone as a desktop" from an open-source company (such a dock is really a nice "Other Half" project for Jolla),
or simply get a dockable one from the companies copying AI.

Comment Nobody else ? (Score 1) 138

If they got a very secure algorithm, weakened it in a hard to detect way which makes it easier for the NSA and nobody else then that would be perfectly fine to both use for government documents and to give out to other nations.

It's the "nobody else" part which is very hard: the NSA are not the only ones playing this game. In fact, the FSB (formerly KGB, formerly Cheka) has been at this game (mass surveillance, including of one's own population) for much longer than the NSA.

Even take a real, known example: the NSA had discovered differential analysis as a method to help break ciphers. They kept it secret. What happened:
- First, they developed ciphers resistant to it (DES). They made a part, the controversial S-boxes, specifically to make the cipher resistant to differential analysis, but didn't give any explanation about why this part was there (because they wanted to keep the analysis secret). It might show a tendency for the NSA to try to keep things secure.
- Second, differential analysis was later independently discovered by academics. If big brains at the NSA can discover a method, the same method is available to be discovered by any other similar big brain (except maybe academia has less money and thus probably hires a smaller number of sufficiently bright researchers, and thus is a bit slower to make their own independent discovery).

Now to go back to your example of a "weak point that we're the only ones knowing about":
- If this weak point has been discovered, that means that there is enough knowledge accumulated in the field of cryptology to make this discovery possible, provided that bright enough researchers put their efforts into it. The "adversaries" have access to the same knowledge at the beginning. They can (and probably will) make the same chain of discoveries that leads to discovering the weak point. Maybe academia can't afford having the necessary geniuses on their payroll. But what about the FSB and the MSS, which are known to have massive resources thrown at them by their respective governments? What makes you think that they won't also hire similarly intelligent people? They will, and these researchers will eventually discover the same weakness.
- So probably the maths behind the current crypto technology is more or less sound. If it wasn't, the NSA would be at risk of not being the only service with knowledge about it. In fact a given weakness could even have been discovered before by another entity, and the US could already have been eavesdropped on.
- Even so, breaking maths is hard. There are much more low-hanging fruits in the form of social engineering. Gain the confidence of a company (by planting undercover agents working as security experts at critical positions), and plant hidden bugs that could be exploited. The crypto method should be secure, but the actual implementation is botched in a way that could be exploited by the NSA, while at the same time they can use a "fixed" version. Most of the current Snowden & co. revelations tend to show that this is the dominant strategy adopted until now.

So to get back to the current Ask Slashdot:
Be confident in the algorithms themselves. If most security experts (the kind who have a good understanding of the maths involved) agree that a method still seems secure, chances are the method *IS* secure.
Be suspicious of the implementation you're running. If you're running some proprietary binary code, or worse a hardware black-box implementation (the suspicion about some random number generators), it's very hard to know if the thing is doing exactly what it should, or if there isn't an exploitable bug or tweaked constant (the suspicion about some elliptic curves), or the thing outright contains a backdoor because it has to comply with local wiretapping law (as the Skype EULA is indirectly telling).
Open source is slightly less likely to, because the code is in the open and someone would eventually end up discovering the bug (see the Debian key generation bug in the recent past). Even the theoretical attack against the compiler could end up being spotted.
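The S-box argument in the comment above ("a part made specifically to resist differential analysis, with no explanation given") is checkable with a few lines, and this added example (not the commenter's code, and not taken from any cipher's reference implementation) shows how: the difference distribution table counts, for every input difference, how often each output difference occurs, and its largest entry is the best one-round differential an analyst gets. The table is computed over a published 4-bit S-box designed with that criterion (PRESENT's) and, for contrast, over a constructed weak box (the identity), which is what a cipher looks like when nobody applied the criterion. The same function run over the eight DES S-boxes is how academics later reconstructed the undocumented design criteria the comment refers to; no DES values are asserted here.

```python
# PRESENT's 4-bit S-box (published; used here as a box designed with
# differential resistance as an explicit criterion).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed weak box for contrast: the identity.  Every input difference
# passes straight through, which is exactly what differential analysis exploits.
WEAK_SBOX = list(range(16))


def is_bijective(sbox):
    """An S-box must be a permutation, or decryption is impossible."""
    return sorted(sbox) == list(range(len(sbox)))


def difference_distribution_table(sbox):
    """ddt[a][b] = number of inputs x with S(x) ^ S(x ^ a) == b.

    Row 0 is always [n, 0, 0, ...]: a zero input difference never changes the output.
    Every row sums to n, so dividing an entry by n gives the differential's probability."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for a in range(n):
            b = sbox[x] ^ sbox[x ^ a]
            ddt[a][b] += 1
    return ddt


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences.  Lower is better; for a
    4-bit bijection the theoretical floor is 4 (probability 1/4), which is what
    the PRESENT designers required.  16 means some differential holds with
    probability 1, i.e. the box offers no resistance at all."""
    ddt = difference_distribution_table(sbox)
    n = len(sbox)
    return max(ddt[a][b] for a in range(1, n) for b in range(n))


def best_differential(sbox):
    """(input_diff, output_diff, count) of the strongest one-round differential,
    the characteristic an analyst would chain through the rounds first."""
    ddt = difference_distribution_table(sbox)
    n = len(sbox)
    return max(((a, b, ddt[a][b]) for a in range(1, n) for b in range(n)),
               key=lambda t: t[2])


def render_ddt(sbox):
    """Human-readable table: rows are input differences, columns output differences."""
    return "\n".join(" ".join(f"{v:2d}" for v in row)
                     for row in difference_distribution_table(sbox))


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("identity", WEAK_SBOX)):
        print(f"{name}: bijective={is_bijective(box)} "
              f"uniformity={differential_uniformity(box)} "
              f"best={best_differential(box)}")
        print(render_ddt(box))
```

The number the comment is implicitly talking about is `differential_uniformity`: a designer who knows the attack drives it down to the floor and a designer who does not may leave a 16 in the table, and the table says which of the two happened without anyone having to explain their reasoning.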

Comment ...Software patents: no sense (Score 1) 98

Also, software patents (and in general, patents on anything not physical, like "methods") make no sense at all.

Patents did make sense for industrial inventions.
It made sense because physical objects take resources to create; they're expensive.
Ideas are cheap: they are mostly free. It's the implementation that's challenging.

Back to the car example:
- If I'm the inventor of cars, I won't be able to create a prototype. I would need materials, I would need physical experimentation, etc. To invent cars, I would need to go talk to some industrialists, explain to them what a car is (or would be), and ask for funds to actually be able to at least test the idea and see if it works.
The risk is that the industrialists will listen carefully, will answer "no, thanks" and pretend not to be interested, then once you step out, start building your invention, getting all the money and keeping it for themselves.
You need patents to protect complex designs of physical objects.

- If you're a software engineer (well, I'm actually sort of in this business) and have an idea (or 20 different ones, actually), you don't need an industrial sponsor to finance a complex building process. Just lock yourself in with a few beers, fire up the laptop, type your code over the weekend and see how it turns out.
It only costs time and some basic equipment.
Nothing that needs to be protected.

Ideas come for free, writing code is cheap.
Making a complete design for a physical object is much more complex, and building a prototype requires lots of resources.

Only one of the two needs patent protection.

Comment The car: yup bolt its hood shut, thank you. (Score 1) 98

Thing is, though, as a tool, it should assist the user in helping them do what they want,

Yup. Do what the *end users want*.
The tool should *not work against them*.
Not do what *the makers decided to do*.

It should do what the end users want, even if the end user wants to do something weird.
I should not be served a DMCA notice because I use a hammer as a paperweight instead of using it for nailing.
If I want to pry apart two pieces stuck together, I can use a screwdriver. I won't be required to buy an extra "pro business deluxe" license to acquire a small chisel because screwdrivers are only for screws, even if they have the exact shape I need.
Repurposing something to be used as something else that wasn't thought of by the maker is a normal thing.

Also, tools and objects don't work against you. When you open a condom package, no secret database will record which persons had sexual activities together. When I put a book on my shelf I more or less expect to find it back with the same content (barring accidents involving cats pushing everything over, or 3-year-olds with a crayon in hand); I don't expect its content to have been remotely sanitized to please the powers that be.

After all, if a tool doesn't help you, it's pointless.

Same for tools which work against you instead of helping you.
Same for tools which you are forbidden to use in a certain way.

Just imagine a world where "your license doesn't cover that use, you're breaching the end-user license agreement by doing that and we will revoke the tool" was applied to real objects like WD-40 and duct tape?

A car helps transport people - but drivers don't have to be mechanics to use them.

On the other hand, if you happen to be a mechanic you can tweak the car. Even if you're not, you are still allowed to open the hood and do some quick troubleshooting for things within your capabilities if you want. You don't need to, but that doesn't mean you're forbidden by law to even think about doing it.

You can even add aftermarket parts and other modifications to a car (as long as some critical parts pass enough safety certifications so as not to put people in danger. Just like an aftermarket power supply won't immediately provoke a fire the instant you try to use it with your computer).

Or at least that was the case until recently, until software started appearing in the mix. Now you have weird stuff, like onboard computers which can only be serviced by a licensed technician using a special connection to access the car over a proprietary and secret connector+protocol, or cars which only accept MANUFACTURER-licensed aftermarket parts because the electronics only speak a proprietary protocol.
Yup. It's your car, but even if you wanted to, you couldn't do what you want with it (even if the thing you want won't kill anybody).

Compare that to a farm, where an old broken tractor's motor could be repurposed to power something else.

Likewise a computer is useful for many things - entertainment, communications, assistance, information delivery, etc. But you have to realize that users don't care how it works - they don't want to know, because that's not the reason why the computer is so useful.

I don't care how a piano works. I just play it. I call a specialist to tune it, repair it, etc.
BUT I would be really pissed off if I got sued the moment I opened its hood just to look at the hammers.

Or advanced research - things like software defined radios (these people don't care how computers work - they write their DSP algorithms and have them "magically" work - they don't care about OS updates or kernels or whatever).

You realise that you brought up exactly one of the reasons to keep things openable? Advanced research? Even if radio is heavily regulated (to avoid one accidentally fucking up another transmission), you can still do research and even program your damn SDR if you want. You're not limited to just using the few available radio gizmos at the store. You can hack stuff (as long as you follow the local regulations and don't fuck up every single other radio gizmo around you).

would you like to have your car on the stand then have the mechanic say it's going to take days because he accidentally hosed the diagnostics machine playing around with the new Linux kernel?

Or because Microsoft fucked up an update and/or a virus spread using some 0-day exploit and has hosed the diagnostic computer (remember that it needs to be only for the DRM on the proprietary protocol to work).

The target of open source is not to force everyone using computers to necessarily be a mechanic.
The main targets of open source are to give the freedom to any end user to:
- study the content
- hack it if they want

And that's important if you want to see whether a tool really does what it says it does, and doesn't do anything else, either by malicious intention (a planted back door) or negligence (an exploitable bug). If it's open, someone with the necessary skill will end up finding it one day, even if you personally don't have the skills.

It's also important in letting you do whatever you want. You may want to only use it as recommended. But some other user would like to repurpose the tool for other needs; I wouldn't like artificial obstacles to that.

Take the iPods/iPhones/iPads as an example. Even though Apple did lock their software, there are artists who still find a way to incorporate them into their artwork. There are tons of other uses beyond what Apple had initially planned for them. Luckily, for now only the software is locked, but you can find new uses which don't require a change of software.
Open-source proponents simply would like this kind of liberty to also be allowed at the software level.

With enough such deviations, new ideas and new possibilities emerge. A hackable device is a special kind of "distributed R&D" opened to the whole crowd of users.

You can see what Kickstarter, 3D printing, etc. have managed to bring from outside the big-enterprise world.
What they bring to the physical world, open source brings to the software world.

Yes, nobody wants to *NEED* to recompile a Linux kernel just to get their smart TV to start up and show a movie.
On the other hand, some *might WANT* to be able to, just because they need it for a hobby project. They should not be arbitrarily prevented from doing so (with no technical reason).

Currently, IP rights (patents, copyrights, etc.) are sadly abused in that direction (preventing uncontrolled use) rather than in their original intent (protecting and helping invention/creation).

Comment Modernization needed (Score 2) 552

"Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)" - Linus Torvalds[1]

Pfff... That's soooo last century!

Let me fix that for you, Mr. Torvalds:
"Only wimps use tape backup: real men just upload their important stuff on git, and let the rest of the world clone it"
Now that sounds more typical for the current decade.

Oh, and for the MasterCard-ad-like finish:
"For everyone else, there's the NSA."

----

The funniest part is that he is the actual author of the git SCM system which served him as a backup this time.

Comment Addendum to the restaurant (Score 1) 659

...and then your neighbour, called Boris (whom you passively-aggressively hate, because he's standing between you and the soon-to-be-waterboarded waiter who told you about the mistress-copying friend. But don't worry, you'll soon shame Boris publicly because you can prove he has once bad-mouthed a married lesbian... ignoring the fact that Boris has been a member of a gay-bashing club for the last couple of centuries), Boris wants you NOT to intervene.

So he goes to speak with the wife-and-kids-beating guy (because he's a friend... who owes quite some money to Boris).
The guy realises that peeing into the soup was over the top, so he promises not to do it any more and to go empty his bladder into the WC "so he won't have any more pee for the soup. I swear I'll empty everything in the toilets".

----

PS:
Meanwhile one of the kids takes the opportunity to run away from the table and runs straight to Heidi-the-Swiss (she's blonde too, she's easy to confuse with Sweden) while asking for a band-aid. Heidi slaps him in the face, because it would have been more polite to *first* come to the table, and *only then* politely ask for the band-aid.

Comment Add more pee and grenades to your restaurant (Score 4, Funny) 659

Then, he up and smacks her, and starts hitting his kids. And then does it again. People yell at him from around the restaurant, but no one does anything else, and he smacks her again.

So, do I/we have a responsibility to stop the guy?

Well, currently it looks like he's been hitting his wife and kids for quite some time, and nobody intervened. But just right now, he has poured some unidentified liquid into the soup that the family ordered, and *that* you consider over the top, because in your moral sense it is fundamentally wrong to poison the very food that your family eats.

The restaurant's chef (his name is UN), passing by your table, is still cautious because he hasn't seen yet whether the man has actually *peed* in the soup or just emptied a tap-water bottle, and tries to calm you down.

But nonetheless you decide that the whole "probably peed on" soup incident was over the top, so you ready yourself to grab that grenade that you always carry in your bag for this purpose and throw it at the guy, in order to blow him into pieces. While at risk that the grenade will tear the wife and kids into pieces too. And it will probably hurt a few other tables around. (Not to mention that the whole restaurant is going to become a place where everybody else is going to feel a little bit less comfortable.) You see a friend called France at a neighbouring table who promises to put "likes" on the Facebook photo album you plan to make about the incident. It's good, because the few other friends you had around (including the big guy called Britain) are telling you they are fed up with your Facebook photo album boasting.

Meanwhile the man is still hitting his wife and kids. (Oh, did I mention that the wife is a member of some weird religious sect which encourages her to ritually bite off the genitals of all individuals, including her own kids?)

While all this is happening, there have been fights around quite a few other tables (like the one where the family is named Rwanda) but nobody actually cares. And by fight I mean that not only has the man started hitting his own wife and kids, but he has also moved on to stabbing them with all the available cutlery on the table and is trying to see if he can use something as a makeshift whip. But at least, thank God, *he* didn't try peeing in the soup.
(You notice that you happen to be the owner of the shop selling the cutlery and make a mental note to sell him a few more pieces, because there's definitely some market for this.)

Meanwhile, while you were busy noticing all this around you, a friend at your table has discreetly stolen your organiser and is methodically copying all the phone numbers of your mistresses. A waiter passing by notices it and tries to make you realise it. But all you do is start running after him, trying to find a way to catch him and waterboard him (but hidden in the kitchen, not at your own table in front of your wife and kids).

A nice blonde girl called Sweden is trying to distribute band-aids to all the hurt people.

Comment Meet an old friend (Score 4, Interesting) 239

They're just not as good at it.

I might want to introduce you to an old friend called FSB (née KGB).

Yes, I know you're currently outraged at the massive surveillance and interception network that the NSA has built itself recently. But you should probably realise that at a time when those who took the decision to start this program weren't even born, there were other organisations which were already doing it routinely.

Big surprise #1: OMG, the NSA is massively spying on everyone, including its own population, at a scary level.
Big surprise #2: Others have been doing the exact same for ages and are probably similarly good at it by now. (Russia and China are probable candidates for having NSA-like infrastructures, capabilities, and gathered data.)

Comment Requires hacking vs. (Score 1) 78

There's nothing to stop a government agency or criminal with a zero-day from taking over those endpoints and monitoring/creating/deleting/hiding any active bitcoin transaction they like.

The fundamental difference between decentralized crypto-currencies like bitcoin and absolutely every other form of currency is the absence of central control.
Yes, they could hack into your computer. But that would *require* hacking into the computer (which nonetheless would also be pretty much illegal in lots of jurisdictions in the absence of the whole mandate paperwork. And even if the likes of the NSA and co. might still be doing it, they are still heading for trouble once exposed).
Whereas dollars, euros, yen, Swiss francs, etc., and credit cards, debit accounts, etc., can be directly manipulated at the bank level without your involvement, in a completely legal and normal way.

Take the "wallet" metaphor:
- with bitcoins, the only way to do anything would be to steal your wallet. It works as if you had gold coins / precious stones in your wallet.
- with anything else: your card could get blocked *by the credit card company*, the accounts linked to your debit card could be *frozen by the banks*, and the whole value of the bills and coins could get hit by (and in fact is regularly a victim of) inflation, devaluation, and other forms of currency manipulation by the central bank (which starts printing more bills to get itself out of debt, and similar). All this happens without the wallet ever leaving your possession. All this happens completely outside your scope: at the banks, credit card companies and government. Not because someone illegally broke into something or stole something. Just because that's the way these currencies are organised (with central authorities responsible for them).

That's the fundamental difference.
- classical currencies and transactions are controlled by single central authorities, which have complete control over them *by design*. There's always someone responsible for any step.
- distributed crypto-currencies aren't controlled by anyone in particular. The responsibilities are distributed over the whole network. No one officially has any say about it.
