Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
The Internet

New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish ( 36

Researchers "have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft," reports Digital Trends. Slashdot reader msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction. The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected to remove 3DES from its default bulid in 1.1.0, and lower its designation from High to Medium 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks. The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.

Comment Re:YouTube video showing BGA damage under microsco (Score 2) 222

The average iPhone user is not going to evaluate the repair on anything but the replacement cost. Disposal of the old phone is a negative cost - after all, there is a large market for broken iPhones. So sell the year-old broken phone for $100, get the "newest" phone with all the new features for $100 down payment, and the cell company just charges an extra $50 a month for a few more years.

To people who don't understand the costs of buying on credit (which are most of them) it's a new phone for free.

To the people who buy the broken or used phones, it's a bargain.

To the cell carriers who sell the new phones, and to Apple, it's a platinum-plated gold mine.

Comment Re:I don't get it (Score 1) 130

Bleeding off the excess H2 and O2 seems as wasteful as throwing away the tank itself. I would suspect that having an extra ton or two of oxygen and hydrogen wouldn't be all that hard to turn into an extra ton of H2O, which the crew might appreciate. Or if they send up multiple partially empty tanks, they could designate one tank as the recovery tank.

The tank purging process would probably be time consuming, but there should no reason to be in a hurry to convert the tank into a different usable space. Conversion is something the crew can do while under way to their final destination (with the reward of having an extra building to live in after they're all done; that should provide incentive to prioritize the task.) I would question the value of sending dedicated construction robots into orbit since the crew is already going to be there (unless the task has dangerous elements due to the residual fuel, risks of fire or explosive decompression while cutting openings into the tanks, etc.)

It definitely limits the main engines to burning hydrogen and LOX, though. There would be no way to purge a tank holding any of the other fuels they might want to use. Imagine if living in an empty diesel fuel drum was the best of the other available options.

Comment Re:Manned versus unmanned. (Score 1) 190

Right now, people are willing to wait weeks for a cargo ship to cross the ocean; those ships hold thousands of containers. But the expensive assets are unavailable during the journey. If you need them faster, your only choice is to load them on a plane, and you can have them in a day. But what about the middle ground? Is there no market for cargo that needs to arrive in three days instead of three weeks, at one tenth the price of air freight? I'm thinking that half of Amazon purchases could be shipped directly from China and arrive in four or five days, which would probably still be acceptable for most purchases. When you consider the volume Amazon ships, that's a lot of freight.

So I wouldn't discount this as a useless exercise, at least not yet. People are surprisingly clever at coming up with creative uses for all kinds of technical novelties.

Comment Re:That's a pretty light particle... (Score 1) 240

i've been studying this for 25 years (as a reverse-engineer from a software background). i've started to have to go to the field of optics to fully understand why it is that this "extra force or maybe a particle" has not been discovered. look up the work by "Ido Kaminer" and his team and you find that (for the purposes of creating "optical tweezers" - google it) it's possible to create phase-coherent X-Ray beams that *LITERALLY* bend in parabolic arcs or even semi-circles, and as they do so the phase rotates by 1/2 the angle of the amount of curvature.

how the hell could that even happen, ehn?

ok, so it goes like this: the phase-coherent beam does "cancellation" such that it curves a tiny but, but this is the crucial bit - as it moves forward the phases REMAIN COHERENT which is pretty frickin awesome.

now, it's not so hard to imagine that photons (x-rays) could conceivably be created which are so totally phase-coherent that they *LITERALLY* come back to their starting point, and thus (because light has no friction) continue circulating forever. what would we call this? well.... i'd call it... a particle!

what types of particles would you call it? well, we know from radio that you have something called I / Q (which is to do with phase), and i *believe* that if the majority of the photon's phase is in the "real" numberspace you'd end up with an electron, but if it's imaginary it would be a NEUTRINO. utterly hard to detect.

the implications of this quite rational and logical progression are enormous - because it's not the only particles that could have such "imaginary" or complex-number properties, totally invisible to us because they *DON'T* interact in the normal E/M field but they'd only really start to interact at the atomic particle distances.

my feeling is that neutrons are *NOT* a "neutron" but may in fact be a "neutron-atom-with-an-orbiting-neutrino". further, that just like with Hydrogen (H2) there's no reason why two neutrons would not bond together in a Neutron-2 "atom"... utterly impossible to detect, being both chemically stable as well as electrically and magnetically invisible... *this* i believe is our missing "dark matter".

it's a huge logical chain of progression but i haven't seen any evidence which contradicts anything in the chain. the only problem is that there are too many scientists worshipping the "Church Of The Standard Model" or should i say, "stuck for funding if they stray outside of the Standard Model Holy Grail". it thus becomes extremely hard to interact with them (i've tried) as they have literally zero common ground for discussion (not enough experience with the field of Optics), the people in the field of Optics don't have enough interest in particle physics... gahh :)


Canadian Fined For Not Providing Border Agents Smartphone Password ( 276

Reader da_foz writes: A Canadian was reentering Canada when he was arrested and charged with hindering or obstructing border officials. At the time traces of cocaine were found on his bags and he was carrying $5,000 in cash. He provided his smartphone to border agents as requested, however refused to provide the password. Canada Border Services Agency officials asked for Philippon's smartphone and its password. From a report: "He handed over his BlackBerry but refused to disclose the code to access the phone. Philippon was arrested and charged under the federal Customs Act, accused of hindering or obstructing border officials." It is unclear if he provided the password while agreeing to the fine.

Comment License (Score 4, Insightful) 146


the consequences that we've seen from google's failure to use a self-protecting license includes:

* companies incorporating GPL'd code into Android (particularly video players) and not releasing the source
* performing DRM or other lock-downs ("Tivoisation") and in the case of qualcomm ending up with 900 million devices that are basically landfill
* causing confusion in the minds of corporations over the fact that the linux KERNEL (and u-boot) is still GPL'd

do i need to continue the list? i don't but i believe a reference to mjg59's list is appropriate:

google seems unable to comprehend the severe detrimental consequences of its actions, and the effects that their decisions have on the rest of the software libre community. i appreciate that they're an advertising company so are required to maximise the effective distribution of devices so that they can thus maximise the number of devices through which they can advertise, but pissing all over the free software community that MADE IT POSSIBLE FOR THEM TO HAVE A BUSINESS AT ALL is completely unethical, not to mention the detrimental consequences and money that users have to throw away when devices turn out to have major security flaws that the designers CAN'T FIX IN THE FIELD.

Comment What about fixing it at your end? (Score 1) 7

You're not going to get the world of Java, C, and C++ coders to change to a monocase font. First, and most importantly, they won't because they simply won't. It doesn't matter how many logical arguments you throw at it, how many facts or figures you present to back up your case, how much sympathy you garner from any social group, or even if you got some candidate to introduce new laws mandating the use of all uppercase alphabets in programming languages. You'd actually have much better luck introducing a new case-insensitive language to the world and getting a thousand people to adopt it. It's so ludicrous it's not even an interesting thought experiment. Trying to convince anyone that this is a viable idea is nothing but wasted time. So please stop, right now.

Instead, let's look at alternative ways to make the problem more tolerable at your end.

How about a screen reader that switches voice for upper case; reading lower case text in a higher register and upper case text in a lower register? How about adding case-words to the vocabulary, such as prefixing any upper case letter with CAP- . What about other sounds? How about or one beep to introduce uppercase, and two beeps to introduce lowercase? Or how about a subtle background sound that plays only while it's speaking upper case characters; something like a static hiss that would serve as an audible indicator?

Or better yet, how about a meet in the middle approach: an IDE that fully understands your needs with regard to case, and refactors the code as it imports it. It would make the kinds of substitutions that would remove the reliance on case. It could automatically refactor WindowManager to CAP_W_INDOW_CAP_M_ANAGER, or following the rules you were trying to impose above, or whatever. Perhaps it could simply monocase everything for you, and be smart enough to know the differences from context. You could type your code without regard to case, and build and test it at your leisure. When your normal screen reader speaks the code, it already ignores case, so no changes there. When the IDE builds the code, or when you check it in or merge it, the IDE would refactor your changes back into the original case so the rest of the world is none the wiser.

Comment Why doesn't anybody get their facts straight? (Score 3, Informative) 228

After googling around a bit. stories about running a bash shell on windows pop up.

It isn't "running Linux" on windows. That would imply that there is a Linux kernel running that actually manages hardware. This impression of "running on hardware" is enhanced by the slashdot summary.

None of this. Windows is simply providing those Linux system calls that allows commandline apps to run. A story then mentioned that servers would not run. That's odd: When "bash" runs and say applications like ping, ssh and telnet, you'd have to go to great lengths to prevent another app like "apache" from running.

But if what I hear is true, this is only useful for the most basic of things, no graphical capabilities. I might be an old fart that uses the commandline a lot, but that becomes useful in combination with a bunch of graphical tools that display what I need to know on a graphical screen.

As to security: the implied trick of running a linux kernel that also has access to the windows block devices is very prone to bugs and security issues. But all that is not the case: It's just another program running in an operating system, using a slightly different set of API calls. If the emulated Linux system calls end up calling windows-internal stuff AFTER the "permissions checking" that normal windows calls would do then you have a problem. It tells a lot about how badly windows is layered.

Comment solving the wrong problem (Score 2) 62

y'know... it occurs to me that seeing CENTRALISED trust mechanisms break down really is no surpise, at all. it's a simple mathematical equation which can be explored by doing e^(1/N) * N where you increase N, then make a tiny *tiny* change in the 1/N value. so E^(1/100,010) * 100,000 for example is drastically divergent from E^(1/100,000) / 100,000. point being: the more you CENTRALISE trust, the greater the chance of it being violated (exponentialy greater)

    solving this will take moving away from CENTRALISED trust to DECENTRALISED trust. does anyone remember keynote (an IETF RFC), or advogato, or even the moderation system behind slashdot, and how effective those are? we really really need to start moving to things like blockchain. as in, don't arse about expecting the incumbents to move to blockchain (because they have financial incentives not to do so) - just move to blockchain-based SSL Certificates.

Submission + - SPAM: New Jeep hack proves cars still exposed

lkcl writes: When automotive security researchers Charlie Miller and Chris Valasek take the stage Thursday morning (August 4) at the Black Hat conference in Las Vegas, they will outline new methods of CAN message injection. The two researchers who now work for Uber’s Advanced Technology Center will demonstrate how to physically seize control of the braking, steering, and acceleration systems in a vehicle.
Link to Original Source

Slashdot Top Deals

It is impossible to enjoy idling thoroughly unless one has plenty of work to do. -- Jerome Klapka Jerome