Comment Re:I have a IMO a propounding question. (Score 1) 64

I have, IMO, a profound question. Why is this stuff just done with no voter input? Whether it's a government project or a private one, I think we should demand public input and maybe even voter approval or disapproval. And have any privacy agencies tried this method? It just seems to me they shouldn't be using government equipment, "poles", "rights of way", or government property.

No, the proper way to do it is wait until they have spent all the money to buy the equipment and deploy it, then pass a referendum that makes them illegal.

Comment Re:Worrysome (Score 2) 128

Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol.

Just be sure that as a developer you write an abstraction layer between the application and the library so that when the interfaces diverge too much you have a single class to rewrite. Diversity in implementations is a good thing. Diversity in the interfaces can be a pain in the butt.
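One way to put the "single class to rewrite" advice into practice, as an added example that is not part of the comment above: application code depends only on a small interface of its own, and each crypto library is wrapped behind it. Here the primitive is HMAC-SHA-256, with Python's `hmac` module as one backend and an RFC 2104 construction on top of `hashlib` standing in for a second, independently written library; the names `MacProvider`, `StdlibHmac`, `HandRolledHmac` and `TokenSigner` are invented for this illustration, and the RFC 4231 test vector is used to confirm the two backends are interchangeable.

```python
"""Added example: an application-owned abstraction over a MAC primitive with
two swappable backends.  MacProvider, StdlibHmac, HandRolledHmac and
TokenSigner are names made up for this illustration."""
import hashlib
import hmac
from abc import ABC, abstractmethod


class MacProvider(ABC):
    """The only interface the application is allowed to depend on."""

    @abstractmethod
    def mac(self, key: bytes, msg: bytes) -> bytes: ...

    @abstractmethod
    def verify(self, key: bytes, msg: bytes, tag: bytes) -> bool: ...


class StdlibHmac(MacProvider):
    """Backend A: Python's own hmac module."""

    def mac(self, key, msg):
        return hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, key, msg, tag):
        return hmac.compare_digest(self.mac(key, msg), tag)


class HandRolledHmac(MacProvider):
    """Backend B: HMAC per RFC 2104 built directly on SHA-256, standing in
    for a second library with a different internal design."""
    BLOCK = 64  # SHA-256 block size in bytes

    def mac(self, key, msg):
        if len(key) > self.BLOCK:          # long keys are hashed first
            key = hashlib.sha256(key).digest()
        key = key.ljust(self.BLOCK, b"\x00")
        ipad = bytes(b ^ 0x36 for b in key)
        opad = bytes(b ^ 0x5C for b in key)
        inner = hashlib.sha256(ipad + msg).digest()
        return hashlib.sha256(opad + inner).digest()

    def verify(self, key, msg, tag):
        return hmac.compare_digest(self.mac(key, msg), tag)


class TokenSigner:
    """Application code: talks to MacProvider only, never to a library."""

    def __init__(self, provider: MacProvider, key: bytes):
        self._p = provider
        self._key = key

    def sign(self, payload: bytes) -> bytes:
        return payload + b"." + self._p.mac(self._key, payload).hex().encode()

    def check(self, token: bytes) -> bool:
        payload, _, tag_hex = token.rpartition(b".")
        try:
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False
        return self._p.verify(self._key, payload, tag)


# RFC 4231 test case 2 for HMAC-SHA-256; both backends must reproduce it.
RFC4231_KEY = b"Jefe"
RFC4231_MSG = b"what do ya want for nothing?"
RFC4231_TAG = bytes.fromhex(
    "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")


def backends_agree() -> bool:
    """True when every backend matches the published test vector."""
    return all(b.mac(RFC4231_KEY, RFC4231_MSG) == RFC4231_TAG
               for b in (StdlibHmac(), HandRolledHmac()))


def swap_demo() -> dict:
    """Same application object, two backends: a valid token is accepted and a
    tampered one rejected regardless of which library sits underneath."""
    key = b"constructed-demo-key"  # constructed sample key
    results = {}
    for backend in (StdlibHmac(), HandRolledHmac()):
        signer = TokenSigner(backend, key)
        token = signer.sign(b"user=alice")
        tampered = token.replace(b"alice", b"admin")
        results[type(backend).__name__] = (signer.check(token), signer.check(tampered))
    return results


if __name__ == "__main__":
    print(backends_agree(), swap_demo())
```

Swapping libraries now means writing one more `MacProvider` subclass and changing the line that constructs it; `TokenSigner` and everything above it stay untouched, and the shared test vector catches a backend whose output has drifted.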

Comment Re:Doppler effect (Score 1) 345

Apparently you are unfamiliar with the Doppler effect [wikipedia.org]. Even on a Harley making a huge obnoxious racket it is easy to get dangerously close to someone before they hear you.

Perhaps you should have read the article you cited. Doppler shift affects the observed frequency of the sounds but does not affect the speed at which that sound travels in a given medium. In addition, it is the difference between the speeds of the observer and the source. If both are traveling at the same relative speed, there will not be a shift in the frequency for that observer.

Submission + - Netflix has no project managers. Yet, everybody uses this project management tool

mattydread23 writes: Netflix is well-known for its unusual management structure, and one of its characteristics is a lack of official project managers. Instead, workers cluster into ad hoc groups for particular projects. With no official mandate from IT, a project management tool called Smartsheet has become incredibly popular at the company. Netflix enterprise technology manager Justin Slater explains why.

Comment Re:Millions of conventional TVs vulnerable too (Score 1) 155

"Researchers from Dickweed University's Network Security Lab discovered a flaw affecting nearly every TV on the planet. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to turn on or off, or switch channels. The attack works by equipping a drone with a powerful universal remote, sending commands to all TVs in a broad range." It's even scarier like this!

That is not how this attack actually works. The attack has nothing to do with the remote and references to it and the "red button" have derailed things. This is an attack on the broadcast television signal. As you recall, broadcast TV was switched from an analog signal to digital. In Europe the protocol for this signal is DVB and in the US it is ATSC. Within these digital broadcasts is a protocol called the HbbTV standard which allows additional interactive data, features, etc. to be embedded to provide a hybrid viewing experience. For example, during a baseball game they might embed an HTML page with the stats for the current batter. The exploit is that this embedded data is not protected in any way so anyone can inject a malicious payload into the signal. This could allow such attacks as session hijacking, etc. In the demonstration the researchers are attacking smart TVs in the neighborhood by rebroadcasting a local channel with the extra packets added to the stream. That approach is limited of course to the extent to which you can override the regular broadcast signal. A much broader impact would be if you could inject the packets at the broadcast source, for example on the network between the broadcast station and the actual transmitter station. In that case your attack would reach entire greater metropolitan areas.

What I am interested in is how much, if any, of this HbbTV information gets through when local channels are carried on other transmission media such as satellite or cable.

Comment Re:It doesn't take a genius to come up with an att (Score 4, Informative) 155

So the idea is that the attacker overrides the RF signal with his own one, which contains the malicious data.

No. They are actually overriding the DVB broadcast signal from the broadcaster and inserting malicious packets into the stream.

Abstract: In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.

All of the references to the "red button" on the remote are a distraction that can be confusing. The red button on your remote is simply a way that you can invoke or interact with the hybrid content in the broadcast stream. It has nothing to do with the actual attack and the embedded content doesn't need to be actual interactive content.

Comment Re:This is awesome (Score 1) 217

but in practice the subset of "all people" who actually do code reviews appears to be very, very small -- possibly smaller than the set of people who review closed source code.

I'm going to disagree here. For a given company that has a closed source implementation, there may be a small group of people qualified to look at the code and understand it, but that in no way means that they are or have done so. Corporate politics, capitalizable time, access restrictions, etc. all play a part in whether anyone at all actually looks at the closed source code for vulnerabilities.

Comment Re:Somewhat (Score 1) 114

This is not at all relevant to most implementations of DH, which use prime fields of large characteristic.

Exactly. Probably more interesting is that their solution is applicable to a wider range of finite fields than recent improvements.
From the paper:

Although we insist on the case of finite fields of small characteristic, where quasi-polynomial complexity is obtained, our new algorithm improves the complexity of discrete logarithm computations in a much larger range of finite fields.

I see no good basis for the ScienceDaily author's leap from the paper's results to his conclusion that

Since solving this variant of the discrete logarithm is now within the capacity of current computers, relying on its difficulty for cryptographic applications is therefore no longer an option. This work is still at a theoretical stage and the algorithm still needs to be refined before it is possible to provide a practical demonstration of the weakness of this variant of the discrete logarithm. Nonetheless, these results reveal a flaw in cryptographic security and open the way to additional research. For instance, the algorithm could be adapted in order to test the robustness of other cryptographic applications.

Comment Re:Is Diffie Hellman at risk? (Score 1) 114

Actually there is no need for DH, you can create a new throwaway RSA private/public key pair on both sides, sign it with your main key, use the throwaway keys to transfer the session key then wipe the throwaway keys. The problem with this approach is that generating a new RSA key pair for every session + transferring new key + extra round trips is a really slow process compared to DH.

So how do you go about securely communicating one part of the throwaway keys to the other side so that the session key can be transferred?
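The exchange the parent comment describes, written out as an added example that is not part of either comment: the throwaway key's public half travels in the clear and is authenticated by a signature under the sender's long-term key, the private half never leaves the machine that made it, and the peer wraps the session key to that public half and signs its reply with its own long-term key. The RSA here is the schoolbook (unpadded) form built from Python's standard library so the message flow can be run offline; `RsaKey`, `keygen`, `sign`, `verify`, `wrap`, `unwrap` and `run_handshake` are names invented for this illustration, and the 512-bit keys are generated at run time, which is also the cost the comment is pointing at.

```python
"""Added example: session-key transport over signed throwaway RSA keys.
All names here are made up for the illustration; RSA is textbook form."""
import hashlib
import math
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: Optional[int] = None  # None on the public-only copy that is sent out

    def public(self) -> "RsaKey":
        return RsaKey(self.n, self.e)

    def encode(self) -> bytes:
        # Canonical bytes of the public half; this is what gets signed.
        return self.n.to_bytes((self.n.bit_length() + 7) // 8, "big") + self.e.to_bytes(4, "big")


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 512) -> RsaKey:
    """Fresh key pair: the slow step that makes this approach lose to DH."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return RsaKey(p * q, e, pow(e, -1, phi))


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key: RsaKey, data: bytes) -> int:
    return pow(_digest_int(data), key.d, key.n)


def verify(pub: RsaKey, data: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == _digest_int(data)


def wrap(pub: RsaKey, session_key: bytes) -> int:
    return pow(int.from_bytes(session_key, "big"), pub.e, pub.n)


def unwrap(key: RsaKey, wrapped: int) -> bytes:
    return pow(wrapped, key.d, key.n).to_bytes(16, "big")


def run_handshake() -> dict:
    """Alice -> Bob: signed throwaway public key.  Bob -> Alice: session key
    wrapped to that key, signed with Bob's long-term key."""
    alice_id, bob_id = keygen(), keygen()  # long-term identities, trusted out of band
    alice_tmp = keygen()                    # throwaway pair; private half stays with Alice

    # Message 1, sent in the clear: the public half plus a long-term signature over it.
    offer_pub, offer_sig = alice_tmp.public(), sign(alice_id, alice_tmp.encode())

    # Bob verifies before trusting the throwaway key, then wraps a fresh session key to it.
    if not verify(alice_id.public(), offer_pub.encode(), offer_sig):
        raise ValueError("offer not signed by Alice's long-term key")
    session_key = secrets.token_bytes(16)
    wrapped = wrap(offer_pub, session_key)
    reply_sig = sign(bob_id, wrapped.to_bytes(64, "big"))  # Message 2

    # Alice authenticates the reply, unwraps, and discards the throwaway private key.
    if not verify(bob_id.public(), wrapped.to_bytes(64, "big"), reply_sig):
        raise ValueError("reply not signed by Bob's long-term key")
    recovered = unwrap(alice_tmp, wrapped)
    del alice_tmp

    # What the signature buys: a substituted throwaway key fails Bob's check.
    forged_pub = keygen().public()
    forged_accepted = verify(alice_id.public(), forged_pub.encode(), offer_sig)
    return {"keys_match": recovered == session_key, "forged_offer_accepted": forged_accepted}


if __name__ == "__main__":
    print(run_handshake())
```

Nothing secret is ever sent: the only secret material is the throwaway private key and the session key, and the session key crosses the wire already wrapped. The comment's version does this on both sides; the second direction is the mirror image of message 1 and adds a fourth key generation, which is where the round trips and CPU time go.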
