
Comment Collateralized Identity (Score 1) 558

I think Joe Cascio's idea of "collateralized identity" looks really interesting here:

The core problem we're really trying to solve with a CAPTCHA is: anonymous identities are very cheap to create. We can require the user to provide and verify an email address, but it turns out those are cheap to create too. What we really need is a way for the user to prove that they have something invested in their identity - be it monetary value, time, cpu cycles, or whatever. A bit like slashdot karma (so you can filter out trolls/spammers using identities with nothing invested in them, which are cheaply created/replaced.)

Bitcoin, if it should ever gain widespread adoption, provides a very convenient mechanism to accomplish this:
1. each bitcoin user already owns a pseudonymous unique public identifier (ie. their bitcoin address), which they can provide to any website as a portable identity
2. to prove ownership of this identity the user can sign a challenge from the website using their private key (hey, we just solved the password problem too!)
3. an amount of monetary value (ie. bitcoin) stored at this address, plus the length of time it has been stored there, is publicly visible on the block chain.

This allows the website to assign weight to the identity based on a combination of: the amount of value stored with the identity + the time it has been stored there. An identity that has had $20 stored with it for 3 days is probably not a spammer. An identity that has had $0.20 stored with it for 3 months is also probably not a spammer.

Of course it is easy to generate an unlimited number of such identities - but hard to have a decent amount of value stored with each of them for a decent amount of time. Websites can easily adjust the weighting threshold required to sign up / post comments based on experience with incoming spam. And there's always the ban hammer - which suddenly has some real weight behind it again :)

Important to note:
1. the money (ie. bitcoin) associated with the ID stays under the user's control at all times. The user alone has the private keys required to transfer/spend it any time they like - of course doing so would lower the weight assigned to their identity by any websites that inspect it.
2. the website need not store any authentication information for the user (eg. a password). The user retains control of their private key, and can use it to authenticate without disclosing it to the website.

Too hard for Joe Public to understand? Maybe.

Just imagine this all wrapped up in a friendly browser plugin. When you visit a website there's no login page - your browser has your private keys (perhaps encrypted with a master password, like Firefox's password manager does today) and just automatically authenticates you. Your browser could provide a drop-down "switch identity" widget in the toolbar to let you flip between multiple IDs / generate new ones, which is the only bit visible to the user (they need never hear terms like "private key".)

An "add weight to this identity" option would allow you to add/withdraw funds for any ID. Initially this might look like a bitcoin transfer (confusing for non-technical people), but a private company could easily provide a regular payment gateway on top of this (ie. accepting dollars), making the process no harder than recharging your skype credit.

Adding weight to any identity would be strictly optional, but might eg:
* allow you to skip CAPTCHAs
* allow you to post at +2 on slashdot by default
* generally increase the trust in your identity being genuine all over the web - use your imagination....
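The three steps above (portable address, signed challenge, weight read off a public ledger) as an added Python sketch. This is not the commenter's code and not Bitcoin's: the curve arithmetic and ECDSA are a minimal pure-Python implementation of the curve Bitcoin uses (secp256k1), the "address" is a plain SHA-256 of the public key rather than a real Bitcoin address encoding, the ledger is a constructed dictionary standing in for the block chain, and "value-days" (cents held multiplied by days held) is one arbitrary choice of weighting formula; a site would pick its own. The `Website` class keeps no password, binds the challenge to its own domain so a signature cannot be replayed elsewhere, and consumes each nonce so the same signature cannot be replayed against it.

```python
"""Collateralized identity demo: challenge-response login with a secp256k1
key pair, then an identity weight computed from value-days on a
constructed ledger. Added example; not the comment's or Bitcoin's own code."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    priv = 1 + secrets.randbelow(N - 1)
    return priv, _mul(priv, G)


def address(pub):
    """Identity string: SHA-256 of the public key (simplified stand-in for a
    real Bitcoin address, which uses RIPEMD-160 and base58check)."""
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return hashlib.sha256(raw).hexdigest()


def sign(priv, msg):
    """ECDSA signature; nonce derived from key and message so the demo is
    deterministic (RFC 6979 in spirit only, not a conforming implementation)."""
    z = _h(msg) % N
    k = _h(priv.to_bytes(32, "big") + msg) % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = _h(msg) % N
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def weight(ledger, addr):
    """Value-days: sum of (cents held * days held) for every deposit at addr.
    The ledger is a constructed dict standing in for the public block chain."""
    return sum(cents * days for cents, days in ledger.get(addr, []))


class Website:
    def __init__(self, domain, ledger, threshold):
        self.domain = domain.encode()     # signed along with the nonce
        self.ledger = ledger
        self.threshold = threshold        # site policy, tunable against spam
        self.pending = {}                 # address -> outstanding nonce

    def challenge(self, addr):
        nonce = secrets.token_bytes(16)
        self.pending[addr] = nonce
        return nonce

    def login(self, addr, pub, nonce, sig):
        """Returns (accepted, weight). No password or secret is stored."""
        if address(pub) != addr:                       # key must match the ID
            return False, 0
        if self.pending.pop(addr, None) != nonce:      # unknown or already used
            return False, 0
        if not verify(pub, self.domain + nonce, sig):  # proof of key ownership
            return False, 0
        w = weight(self.ledger, addr)
        return w >= self.threshold, w


def demo():
    priv, pub = keygen()
    addr = address(pub)
    fresh_priv, fresh_pub = keygen()               # identity with nothing invested
    ledger = {addr: [(2000, 3)]}                   # $20.00 held for 3 days
    site = Website("example.test", ledger, threshold=1500)
    nonce = site.challenge(addr)
    sig = sign(priv, site.domain + nonce)
    first = site.login(addr, pub, nonce, sig)
    replay = site.login(addr, pub, nonce, sig)     # reused nonce: rejected
    n2 = site.challenge(address(fresh_pub))
    fresh = site.login(address(fresh_pub), fresh_pub, n2,
                       sign(fresh_priv, site.domain + n2))
    return {"first": first, "replay": replay, "fresh": fresh}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the funded identity accepted with weight 6000, the replayed signature refused, and the freshly generated, unfunded identity authenticating correctly but falling below the threshold, which is exactly the "cheap to create, expensive to weight" property the comment is after. The $0.20-for-three-months case from the comment scores 1800 value-days under this formula and passes the same threshold.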

Comment Re:That's because security warnings are stupid. (Score 1) 432

You could indeed get a cert for, but if you don't mind my saying, that's a pretty crappy attack mate :)

A lot of people might notice the blatant "1" in your domain name; many more might never visit that domain at all. Which is really the point here.

Let's pretend for the sake of this example that slashdot actually supports SSL :) When I visit the real, with their valid CA-signed cert, I still have confidence I'm communicating with their server not yours.

If you were in a position to intercept my packets to slashdot - ie. the situation in which SSL is of some value - then you still couldn't do much. You can send fake replies to me, pretending to be - classic MITM attack - but your self-signed certificate is a dead giveaway. Good luck getting a CA to issue you a cert for, I doubt they're interested in issuing a duplicate while there's already a valid one out there.

This is the problem trusted certs are designed to solve. Your problem is a different one; it's called phishing (terrible name huh?).

Actually, they've kludged something together to help with that problem also: big institutions that really need it (eg. banks) can pay a ton of money to a CA for an "extra special cert", which gives them eg. that nice green address bar in firefox, indicating a higher level of identity trust to the user.

Yes, it's probably a cash cow. But hopefully they do a few background checks before issuing those at least, and the high fee presents a barrier that Joe Random Phisher may be unwilling to pay.

Comment Re:I would probably do the same thing (Score 1) 432

This is a misconception. DNS poisoning is certainly not required.

If somebody is in a position to read your packets, they are also very likely to be in a position to intercept / modify those packets.

Any point on the route between you and the destination host could be sending those reply packets you receive and failing to pass yours along to the next hop; you really have no way of knowing.

This could be fully automated and, for example, enabled by default for data going to a particular destination host. The initial implementation is non-trivial, I'll grant you, but it only needs to be written once and then every script kiddie from here to Timbuktu can pass it around amongst themselves. The attacker requires no more resources than regular plaintext sniffing, excluding a little cpu time to handle the crypto. You think these things don't exist? :)

Encryption is nothing without trust.

Comment Re:Well... yeh. (Score 1) 661

Wow, brave post; looks like you were really inviting trouble with these kinds of statements :) I used to hold similar views, and I know it can be a hard position to defend. It's not my fault / I have a slow metabolism / I exercise all the time and don't lose weight / some people are just built differently / etc.

Back then I weighed 132kg and had been fat all my life. Today I weigh 91.5kg, fit into ordinary size clothes (read: M, L), and feel springy & full of energy after climbing a couple flights of stairs, instead of puffed & out of breath. The change came only after I saw through all of these excuses and changed my own attitude.

You are obviously proud of the self control you have developed thus far, and you should be, but I would suggest you need to develop it a little further. You can't prevent your brain telling you that you feel hungry, but you can recognise that it is malfunctioning and choose to ignore the signal; nobody is holding a gun to your head compelling you to eat large portions. Eat nutritious food in "moderate" (look it up, it's smaller than you think!) size portions, and enjoy the feeling of being "hungry" - that's your body running low on fuel and burning the reserves!

It's not a terrible thing to feel "hungry". Not the way people in rich western countries use the word (I'm from New Zealand). There are many people in the world who live with real hunger on a daily basis. Do not mistake "I feel like eating" for *hunger* - in your case & in mine it's really not that serious that it can't be overlooked :) After you get used to eating less, your brain will catch on and stop sending the "hunger" signals.

Also, don't knock weight training. Firstly, any kind of exercise is better than none. Secondly, if your body converts fat into muscle you may not initially lose weight (muscle weighs more), but you're already more healthy. Thirdly, having more muscle is like having a bigger engine in a car; you need more juice to run it, even just during daily tasks. In other words more muscle means your metabolism rises and you burn fat more easily, plus you feel like you have more energy and exercise becomes easier. Cardio training is important too, but you've gotta start somewhere - it's a momentum thing. The more you do, the easier it gets.

In short: you have to eat less (esp. less fat; going crazy with fruit & veg can't hurt) and exercise more. That's the only way, and it's damn tough, but it does work and when you get to the other side you realise it's really really worth it :-)

Your body simply can't construct fat cells out of thin air - you have to put the right things into it to enable it to become fat. Whatever your makeup predisposes you to, what food you put inside your body is always your own choice.

My 2 cents.

Feed The Growth Of The Pirate Bay As A Political Movement

Tim Lee points us to an LA Times article on the growing success of The Pirate Bay's political movement, noting that its membership is growing in Sweden and is nearly equal to that of the country's Green Party. This is ironic for a few reasons -- most of all being that the entertainment industry was so proud over the raids on the Pirate Bay's servers last year, insisting that it had killed off the site. Instead, the site was back up in days, and the attention propelled what had been a fairly minor search engine for BitTorrent trackers into the limelight -- helping to get it many more users and to get the political movement some traction. In fact, we've now seen other political parties take on some of the Pirate Bay's platform. To be honest, I have mixed feelings about this. I don't support the Pirate Bay's position that unauthorized downloads are defensible. Instead, I think that copyright holders need to come to the realization that they're actually better off by letting people download content -- not that it needs to be forced upon them by users taking matters into their own hands. That said, by taking such an extreme position (and having it get some attention), perhaps it's more likely that content holders will come to this realization. They'll simply be forced to adapt and will start coming up with more successful business models that actually benefit from free downloads rather than trying to block them and sue their best customers.

Submission + - Dell will pre-install Ubuntu Linux

atamyrat writes: " 04/30/its-d-day/ It's now official. That's it, the embargo is over. We can talk. Many people have been involved in this and I can only say I am excited to be a tiny small part of it: Ubuntu will be officially supported on Dell computers. Any other details will come on, check it for the official press release, but we can now all put the matter to rest and go about our normal lives — or can we ? :) This from your humble servant at Canonical Global Support Services. install.html"

Submission + - Dell to choose Ubuntu

An anonymous reader writes: DesktopLinux reports that sources from Dell unofficially confirm that Ubuntu 7.04 will be the distribution of choice for Linux preloaded computers. "While unable to confirm this through official Dell channels, we have heard the same story now from several internal Dell sources. They tell us that the Austin, Texas, computer giant will be preinstalling the newly released Ubuntu 7.04. These systems will be released in late May 2007. According to our sources, Ubuntu will be released on a Dell e-series "Essential" Dimension desktop, an XPS desktop, and an e-series Inspiron laptop."

Submission + - Social Engineer Proves Major Insecurity At Banks

ApocalypseXP writes: "Story from:

the life of a social engineer
April 15th, 2007 by applekid

I enter the first branch at approximately 9:00AM. Dressed in Dickies coveralls, a baseball cap, work boots and sunglasses I approach the young lady at the front desk.

"Hello," I say. "Jarred White with XYZ Pest Control, here to perform your pest inspection." I flash her the smile followed by the credentials. She looks at me for a moment, goes "Uhm... okay... let me check with the branch manager..." and picks up the phone. I stand around twiddling my thumbs and wait while the manager is contacted and confirmation is made. If all goes according to plan, the fake emails I sent out last week notifying branch managers of our inspection will allow me access.

It does.

The manager greets me and brings me into the secured area behind the teller line. She never asks for identification. She says she received an email from the bank's facilities supervisor saying that we would be by on Monday. I force myself not to laugh, and nod understandingly. I explain the procedure. "Awww no ma'am," I say in a deeply Southern voice, "We don't do sprayin' on this visit. We're just here to see if there's a problem to begin with. Y'know, check for signs of rodents and crap like that." She nods, relieved that I won't be spraying pesticides. The bag that I carry is, for the most part, empty. It contains a flash light, a paper mask, a pair of work gloves, a tiny wireless access point disguised as a pager, two key loggers and lots of space to store stuff. My clipboard is also full of goodies. I sling the bag off my shoulder and get to work, as the lady wanders off. As she begins to leave, she says "Well, I guess you know what you need to do. I'll be in my office. Let me know if you need anything." I don't look up from my "work" as I thank her.

As soon as she disappears I move into the next room. The room is a work room where documents are stored, the printers are kept and various other supplies are stored. I look around the area for anything of interest. A stack of checks for deposit catches my eye, so I grab them and shove them into my clipboard. Each check has a name and account number on it. Nothing else here, but I hear a familiar humming; warm and pleasing to the ears. I walk back to the manager's office, and ask her if she could please grant me entry into "this back room, whatever's in there." She explains that this room houses their computer equipment. I nod and say that rodents are known to bed up in warm areas, and in my experience, computer rooms generate heat. I see the gears turning inside her head, and once she decides that this answer makes perfect sense, she unlocks the door. She asks only that I notify her when I am finished so that she may lock it again. I nod and tell her I would be happy to.

I enter the computer room and immediately begin to see networking equipment. A few tower servers rest on the floor beneath the rack. I could plug any number of items into the switch at this point. If they use DHCP, my rogue access point, which has been preconfigured, will provide me access to the internal network from the parking lot. My key loggers come in two flavors: USB and PS2. I decide to save the goodies for another locale. I take stickers with my company logo and place them on the networking equipment to prove that I have been there. I rummage around the area looking for confidential items. I find a company phone directory and take it. This might come in useful later, I think to myself. Near one of the terminals, I see a pink sticky note. "Bingo," I say aloud. Written on the sticky note are login credentials to the core processor. This information should allow me to query the bank's core processing software for account numbers, names and social security numbers; once I have determined its IP address. I note the credentials in my clipboard.

I fetch the manager and she locks the door. I thank her, and ask if I may inspect some of the offices out in the lobby. I let her know that I don't want to interfere, so I point to an empty office and ask if I may inspect that one. "Oh yes, that's Tom's office. He's one of our loan officers, but he's at another branch today. Sure, go right ahead." I'm already walking toward the open office before she finishes. Satisfied that I'm completing my work, she turns around and goes back to her office. Once inside Tom's office, I get down on my hands and knees and retrieve my flashlight. I pretend to inspect the area around his desk. The walls are made of glass, and everyone can see in. I try to keep an eye out for what's going on, who is watching me, and who might be coming my way, but it's difficult to tell. I decide that I had better make quick work of this place and get out.

I pull a CD from my clipboard and place it in Tom's computer. This CD contains a virus which contacts our company's Network Operations Center and provides us with information about the workstation. It's intended as a proof of concept, and nothing more. The software doesn't hurt the victim's computer. I also rummage through his filing cabinets, which are not locked, and recover a folder full of loan applications. Loan applications are great. They contain social security numbers, names, and sometimes a photo copy of the drivers license. These are no exception.

I get to my feet and return to the manager's office. I smile as I let her know I'm finished, and they have a clean bill of health. "Welp, we didn't find anything ma'am," I tell her, "Now if you'd just sign this here invoice for me just to prove to my dispatcher that I was here, I'd be much obliged." Yes, sometimes I do lay it on quite thick. She signs the fake invoices we had printed up at a local printing company. I date it and sign my initials as well. I thank her for her time and cooperation and leave the building.

I enter my vehicle and realize that I'm sweating. It's Minnesota, so it's not exactly hot outside. I nervously drive to a parking lot across the street, thinking the entire time that somebody must be on to me. Somebody must have figured out my ruse. Somebody has called the police, noted my license plate, and they must be on their way. But they aren't. As I start to calm, I inspect the items I have collected.

* 27 account names and numbers
* 13 loan applications complete with socials, names, birthdays and drivers license
* 1 phone directory with (what appears to be) extensions for everyone in the bank
* 1 login to the AIX Core Processor

This should be enough to start some new eBay accounts. I seal the information in an evidence bag, date it, sign it and place it in a secure bag. I call home base and report that the first job is done, and that I'm moving to the main branch. I light a cigarette and turn up the music as I drive to the next target."

Submission + - Stab proof hoodies available in the UK

Gareth Williams writes: "There is a story here on stab proof hoodies.

"Teens beset by a violent knife culture that has gripped the front pages of newspapers across the country can now buy stab-proof hooded tops five-times stronger than steel. "
Apparently these things are already on sale for 65 pounds a piece. I want one."

Submission + - There's not much C in Ribena

Bugbear1973 writes: "Global drugs giant GlaxoSmithKline faces a court case today for misleading advertising after two 14-year-olds from New Zealand found its popular blackcurrant drink Ribena contained almost no vitamin C. nd-theres-no-c-in-ribena/2007/03/27/1174761419393. html
OK, so it's a bit off topic but don't you just love seeing the 'man' get stung..."

Submission + - Movie Pirates Try to Throw Dogs Off Scent

YesL writes: Movie pirates are spraying chemicals on their bootleg DVDs to confuse two U.S.-loaned dogs that helped Malaysian authorities sniff out nearly 1 million illegal discs, an official said Monday. The two female Labradors have been trained to detect polycarbonate chemicals used in manufacturing discs. But officials received a tip that bootleggers are using chemical sprays to throw Lucky and Flo off the scent, said Fahmi Kassim, the Domestic Trade Ministry's enforcement chief in southern Johor state.

Submission + - Should a startup protect "IP"?

SonOfLilit writes: "I'm an 18 year old student thinking about forming a startup around software ideas.

Now, I'm online enough to know all the talk pro- and con- patents and especially those involving software.

I've also read claims that patents are important to software startups and claims that patents are insignificant to software startups and claims that although they are significant, anything that doesn't work without them isn't good enough.

My current view is that patents are essential in the current patent-based market, but my web conscience is bugging me.

What do you think, /.? Should a software startup apply for patents on its ideas?

PS. I'm not referring to patents like 'triply linked list', more to patents like 'software application to increase your investment profits by saving the Africans from aids'."
