Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×

Comment 10 Character Key? (Score 1) 70

Where did the submitter get the quote that says this uses a 10 character key for the HMAC?
From the article:

The dongle (Scrambler) uses 4 keys / passwords.
1 - 10 characters long is used to identify clusters (when more than one dongle is used to boost throughput).
2 - this is the actual key for SHA1-HMAC
3 - this is used for initialisation vectors.
4 - encryption key for remote commands ENSCRAMBLE and ENGETID. This key is shared with the client (Wordpress in our case) to provide end-to-end encryption of passwords sent for scrambling.

Here are the details from the article about key lengths, etc.

S-CRIB Scrambler Design Basics We use the same hardware as for our Password S-CRIB and only re-implemented the firmware to add required functionality. The keys / passwords now have 32 characters so they can be directly used with AES-256. Each password can give provide up to 199 bits of entropy as we use 76 different characters. The source of passwords is a combination of a "dongle key" (unique for each Scrambler) and a random SHA1 key generated using microsecond timer applied on communication between Scrambler and the host PC.

Comment Resides in a Raspberry Pi? (Score 1) 70

University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi...

No it doesn't. The S_CRIB Scrambler is a trusted hardware component implemented as a USB dongle that just happens to be plugged into a Raspberry Pi as a host server.

The current implementation uses Raspberry Pi as an "untrusted" host for web service. It is an inexpensive but sufficiently powerful platform for our password scrambling system.

This could just as easily be plugged into a server or any other PC. My point is that the device has nothing to do with and has no dependency on the Raspberry Pi and to imply otherwise is disingenuous.

Comment Re:hack the planet (Score 1) 66

by Fnord666 (#46454547) Attached to: CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

Security by obscurity does not work. I believe that we can all agree on that. On the other hand, responsible disclosure means talking to the people who can do something about a discovered issue should be the first step. Once the issue has been addressed, then a wider disclosure is reasonable.

Comment Re:Non-story (Score 1) 268

He really did a convincing work on the montage and the voice-over, but NPOV must agree the majority of the video came from the deniers. Now I don't know how far fair use goes, but maybe they really have a case there. How did MST3K handle that?

None of which is any concern of Youtube. They have absolutely nothing to say about fair use or not. They follow the letter of the law as written and preserve their Safe Harbor protections under the DMCA. Youtube's actions are out of their hands on both sides unless they are willing to jump into the fray and assume liability.

Submission + - Google acquires Israeli security startup SlickLogin (geektime.com)

Submitted by Fnord666
Fnord666 writes: SlickLogin, an Israeli startup and developer of smart identification technology through user smartphones has been acquired by Google for several million (the official transaction amount remains undisclosed). SlickLogin was founded under a year ago by Or Zelig, Eran Galili and Ori Kabeli. The company first unveiled its technology at TechCrunch Disrupt held last September. the company has yet to launch their product nor have they any customers to date.

Submission + - Incredible 3D GIFs Created with a Simple Visual Effect (mymodernmet.com)

Submitted by Fnord666
Fnord666 writes: Animated gifs seem to be everywhere these days, but some gif creators are taking the visual experience of viewing quick clips of silent motion to another level. By carefully adding a couple of solid-colored (typically white), vertical lines to the moving images, an incredible three-dimensional effect is created. As characters and objects move into the foreground, they seemingly extend beyond the barrier of the image.

Comment Re:GDP (Score 1) 717

by Fnord666 (#46260347) Attached to: Your 60-Hour Work Week Is Not a Badge of Honor

Nothing in your post explains WHY it is a government concern that people get some minimum amount of vacation time. You say that the government should mandate some minimum amount of vacation time because otherwise an employer might not offer any. But that begs the question by assuming that it is a government interest that people get some minimum amount of vacation time.

In the US banking sector the FDIC strongly recommends mandatory vacation time of two consecutive weeks or more for active officers and employees as an effective internal control to combat fraud. This recommendation is even included in their Manual of Examination Policies for FDIC audits. If you allow exceptions you need to have compensating controls in place.

Comment Re:Matter of time (Score 1) 149

by Fnord666 (#46201649) Attached to: Florida Arrests High-Dollar Bitcoin Exchangers For Money Laundering

How hard do you think it is to have ATM's[sic] scan serial numbers on the bills they dispense so the machine/bank/gov't knows who they were given to, and have the bank scan in the deposits so they know who is receiving the bills?

Off the top of my head it would require

  • - Replacing evey dispenser mechanism in every ATM
  • - Replacing evey depository mechanism in every ATM that accepts cash
  • - Updating the communications protocols between the components within the ATM
  • - Updating the SNMP code for the ATM to central to support the new device
  • - Updating the transaction protocol between the ATM and central to support reporting which bills were dispensed or deposited
  • - Updating all of the protocols used by all of the debit networks to pass that information along
  • - A whole new back end system at the card issuing bank to store and report this information

So really just a week or two then.

Submission + - New slashdot beta setting records for suckage 1

Submitted by Ellis D. Tripp
Ellis D. Tripp writes: FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA FUCK BETA

Oh, BTW, FUCK BETA

Submission + - Slashdot Beta Woes 16

Submitted by s.petry
s.petry writes: What is a Slashdot and why the Beta might destroy it?

Slashdot has been around, well, a very long time. Longer than any of it's competators, but not as long as IIRC. Slashdot was a very much one of the first true social media web sites.

On Slashdot, you could create a handle or ID. Something personal, but not too personal, unless you wanted it to be. But it was not required either. We know each other by our handles, we have watched each other grow as people. We may have even taken pot shots at each other in threads. Unless of course you are anonymous, but often we can guess who that really is.

One of Slashdot's first motto's was "News for Nerds" that Matters. I have no idea when that was removed. I have not always scoured the boards here daily, life can get too busy for that. That excuses my ignorance in a way. I guess someone thought it politically incorrect, but most of us "Nerds" enjoyed it. We are proud of who we are, and what we know. Often we use that pride and knowledge to make someone else look bad. That is how we get our digs in, and we enjoy that part of us too. We don't punch people, we belittle them. It's who we are!

What made Slashdot unique were a few things. What you will note here is "who" has been responsible for the success of Slashdot. Hint, it has never been a just the company taking care of the servers and software.

— First, the user base submitted stories that "they" thought mattered. It was not a corporate feed. Sure, stories were submitted about companies. The latest break through from AMD and Intel, various stories regarding the graphic card wars, my compiler is better than your compiler, and yes your scripting language stinks! Microsoft IIS has brought us all a few laughs and lots of flame wars to boot. Still, we not only read about the products but get to my second point.

— User comments. This is the primary why we have been coming here for as long as we have, many of us for decades. We provide alternative opinions or back what was given in the article. This aspect not only makes the "News" interesting, but often leads to other news and information sharing. It's not always positive, but this is the nature of allowing commentary. It also brings out the third point.

— Moderation. Moderation has been done by the community for a very long time. It took lots of trial and error to get a working system. As with any public system it's imperfect, but it's been successful. People can choose to view poorly modded comments, but don't have to. As with posting anonymous versus with our own handle it's an option that allows us to personalize the way we see and read what's on the site. And as a reward for submitting something worth reading, you might get a mod point of your own to use as a reward for someone else.

Why we dislike Beta and what is being pushed, and why this will result in the end of an era if it becomes forced on the community.

1. Bulky graphics. We get that Dice and Slashdot need revenue. I have Karma good enough to disable advertisements, but have never kept this setting on. I realize that Slashdot/Dice make money with this. That said, the ads sit away from my news and out of the way. I can get there if I want it (but nobody has ever gotten a penny from me clicking an ad... nobody!), but it's not forced into my face or news feed.

2. Low text area. I like having enough on my screen to keep me busy without constant scrolling. Slashdot currently has the correct ratio of text to screen. This ratio has never been complained about, yet Beta reduces the usable text area by at least 1/2 and no option for changing the behavior. I hate reading Slashdot on mobile devices because I can't stand scrolling constantly.

3. JavaScript. We all know the risks of JS, and many of us disable it. We also have an option of reading in Lync or non-standard browsers that many of us toy with for both personal and professional reasons. This flexibility is gone in Beta, and we are forced to allow JS to run. If you don't know the risks of allowing JS to run, you probably don't read much on Slashdot. Those that allow JS do so accepting the risk (which is admittedly low on a well known site).

4. Ordering/Sorting/Referencing. Each entry currently gets tagged with a unique thread ID. This allows linking to the exact post in a thread, not just the top of the thread. In Beta this is gone. It could be that the site decided to simply hide the post ID or it was removed. Either way, going to specific posts is something that is used very commonly by the community.

5. Eye candy. Most of us are not here for "eye candy" and many have allergic reactions to eye candy. Slashdot has a good mix currently. It's not as simple as the site starting with a r-e-d-i-t, which is good. That site has a reputation that keeps many of us away, and their format matches my attitude of them (s-i-m-p-l-e-t-o-n). At the same time, it's not like watching some other "news" sites with so much scrolling crap I can't read an article without getting a headache. The wasted space in beta for big bulky borders, sure smells like eye candy. Nothing buzzes or scrolls yet, but we can sense what's coming in a patch later.

The thing is, the community cares about Slashdot. We come here because we care. We submit stories because of that, we vote because of that, we moderate because of that, and we comment because of that. At the same time we realize that without the community Slashdot loses most of its value. We respect that we don't host the servers, backup the databases, or patch the servers. Slashdot/Dice provide the services needed for Slashdot.

It's a give give relationship, and we each get something in return. Slashdot gets tons of Search hits and lots of web traffic. We get a place to learn, teach, and occasionally vent.

Look, if you want to change default color scheme or make pre-made palettes for us to choose from, we would probably be okay with that. If you want to take away our ability to block ads by Karma, or move the ads to the left side of my browser window, I would be okay with those things too.

If you want to make drastic changes to how the site works, this is a different story all together. The reason so many are against Beta is that it breaks some of the fundamental parts of what makes Slashdot work.

User input until recently has not been acknowledged. The acknowledgment we have received is not from the people that are making the decision to push Beta live. We told people Beta was broken, what it lacked, and we were rather surprised to get a warning that Beta would be live despite what we told people. People are already making plans to leave, which means that Slashdot could fade away very soon.

Whether this was the goal for Dice or not remains to be seen. If it is, it's been nice knowing you but I won't be back. A partnership only works when there is mutual respect between the parties. A word of caution, us Nerds have good memories and lots of knowledge. The loss of Slashdot impacts all of Dice holdings, not just Slashdot. I boycott everything a company holds, not just the product group that did me wrong.

If that was not the goal of Dice, you should quickly begin communicating with the user base. What are the plans are to fix what Beta has broken? Why is Beta being pushed live with things broken? A "Sorry we have not been communicating!", and perhaps even a "Thank you" to the user base for helping make Slashdot a success for so many years.

Submission + - Ask Slashdot: What's there to like about the BETA? (slashdot.org) 7

Submitted by Narnie
Narnie writes: I come to /. not for the nearly interesting pseudo-tech articles, but for the lively, self-moderated discussion. Today I'm bit surprised to see every discussion summarized to fuckbeta. Popping up all over the place there's discussions about beta and even alternatives being revived and created. As I tend not to RTFA, I haven't sampled the beta myself. So, I ask you guys, what's there to like about the BETA and what's there to loath?

Slashdot Top Deals

Intel CPUs are not defective, they just act that way. -- Henry Spencer

Close