Comment Re:The H1B program could easily be fixed (Score 1) 332

There is no way to fix H1B because on the day it is open, you have off-shore companies from a certain country applying in bulk for a visa for ALL of their employees.

Even if they only get 5% of the spots they applied for, it's a win-win for them.

Of course, if you aren't from that country or from a company like that, good luck on the "lottery".

Comment co-responsibility (Score 1) 162

Someone that posts a link to a torrent site can become co-responsible for the copyright infringements downstream.

By the same logic, if a mobile phone is hacked and money disappears from the bank account due to that, then the phone manufacturer and operator are co-responsible for that hacking due to leaving the phone open to known vulnerabilities?

Comment Re:Depends on the country (Score 4, Informative) 67

Also, the EU regulations state that the data should be handled just to fulfil the requirements of the service rendered.

Additionally, if the data is exported to the US it still needs to comply with all EU regulations. The fact that the data moved to a different country has no bearing on what the companies can do with it (they still need to apply the EU regulations).

And if they use 3rd party services for some internal processes that have access to the data, those 3rd parties also need to comply.

It is not an "out-of-EU regulation" free card.

Submission + - Beta testers wanted for banking-grade authentication

ymenager writes: As most of us Slashdot readers know, cybersecurity has become a major problem worldwide and organizations of all sizes are being pillaged by cyberthieves who are able to very easily bypass commonly used authentication solutions through the use of social engineering and sophisticated malware.

This is what led me to create the cloud/mobile authentication solution IDVKey.

IDVKey allows you not just to easily and securely authenticate with a website, but also to approve any sensitive operation.

The IDVKey android app can now be downloaded from the app store, and you can view a short video of its capabilities here

And because we wanted it to be a universal solution that caters to all authentication needs, we’ve added a password manager with one-time-password generation (OAuth H/TOTP).

IDVKey brings several very interesting capabilities that no other application currently has, one of which is security levels.

Most (all?) authentication solutions are currently built on a one-size-fits-all model. So for example a bank will give you the same app or token to authenticate to their online banking, irrespective of the fact that you might have a bank account with $1 or $1 million in it.

What we wanted to do was to give the user control of his security, so we’ve implemented multiple security levels in our solution (low/standard/high/very high).

Each security level has its own full set of cryptographic keys, and must be unlocked by whatever mechanism you’ve set up.

So for example low could require no password, standard require a PIN, and high require a password in addition to the PIN.

When a website or a service sends a notification (authentication/approval/generic) they are able to set the security level for that notification, and in order to respond (generally approve/deny) to it you will need to unlock the app to the appropriate level.

Similarly you can set a security level for entries in your password vault.

In the near future, you’ll also be able to create rules where you will be able to define different security levels based on notification data.

So for example if your website has a “Payment” approval step, you would be able to create rules like “if amount greater than 75 then security level is high”

Thus allowing you to be in complete control of how much convenience you’re willing to tradeoff for your security.

In order to integrate your website or service with IDVKey, you will need to integrate using our REST APIs, or use one of our SDKs (currently only Java but we’ll be bringing more soon). You’ll find extensive documentation (including RAML specs) on our website

And since this is Slashdot, I’m sure many of you would like to know details on how it functions under the covers, so here are some technical details:

Communication security

All communications are secured by multiple layers of cryptography.
1. TLS is used at the transport level
2. All requests and responses are additionally signed using HMAC-SHA
3. All notifications (and responses) are signed using RSA and (optionally) encrypted using AES

We never send any sensitive data through third party channels (like for example the Google cloud notification service, or iOS notifications). All that is sent through those channels is a minimal message that just indicates that the app should contact our servers to retrieve pending notifications.

Local data storage security

All sensitive data (vault items, keys, etc) is encrypted using AES with full keys (each security level has its own key). Those keys are themselves encrypted with a derived key based on the device and unlock mechanism.

We will support hardware encryption where available (with the caveat that on android it seems that changing the phone unlock pattern/pin will reset any stored keys, so we will have to leave that option turned off by default). Hardware encryption will be used in parallel with "soft" encryption, which means that if a bug compromises one of those methods you'll still be safe.

Vault sync

Vault sync allows the user to keep a central copy of his vault data, and have all his devices synchronize with that central copy.
We've designed IDVKey so that we would never have access to vault data unless the user explicitly wants us to (for example to allow web-only access to passwords), but only for low or standard security level data. Under no circumstances will we ever have access to data that is high or very high security level.

All vault data stored externally (currently dropbox) is encrypted using AES with full keys (each level has its own encryption key).
We keep a backup copy of those keys in order to allow device recovery. If a password or recovery code is set up, the keys will be encrypted using the password/code (using PBKDF2 key derivation). That naturally means that if the user loses all his devices and forgets his recovery password, he will not be able to recover his synced vaults.

All communication with external storage is done directly by the clients, not by our servers. We do not and will never have the ability to directly access the user's dropbox or other external data storage.

What legal non-repudiation is provided by IDVKey

We've designed IDVKey aiming at a very high level of legal non-repudiation: All user replies digitally sign both the reply and content displayed using asymmetric cryptography.

Depending on your jurisdiction this might be sufficient to reach the level of "Advanced Digital Signatures" as defined in various digital signature laws. However many do require digital certificates signed by a country-specific approved Certificate Authority (which we can do but haven't at this time; contact us if you need that level of non-repudiation).

How are the APIs implemented

We use RESTful APIs, which are secured as mentioned above (TLS + HMAC-SHA signing).
We do allow (but strongly discourage) customers to optionally use username/password for API access, but that will limit the security level of their websites to LOW.

We've also carefully designed them in a very defensive way, in order to avoid integration mistakes which might compromise the security.

Versioning is implemented using HTTP headers.

How is our infrastructure managed

We're a 100% DevOps outfit. Infrastructure setup is completely automated using puppet.

How reliable is your infrastructure

We've designed our infrastructure for very high throughput and availability. Everything is clustered and distributed through various data centers. (note: during our beta period we will be running with a reduced infrastructure).

Do you provide an on premise solution

Yes, IDVKey has been designed to be deployable on premise or even as a hybrid solution where the customer runs the backend (which performs all encryption) and reuses our gateway (which handles all connectivity with devices)
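The two mechanisms the post describes, rule-driven security levels on a notification and HMAC-SHA signing of API requests on top of TLS, as an added illustration in Python (this is not IDVKey's code or API; the rule fields, the canonical request string and the secret are all constructed assumptions):

```python
import hashlib
import hmac

# Constructed shared secret for one website integration (placeholder, not a real key).
API_SECRET = b"constructed-demo-secret"

# Security levels in increasing order, as described in the post.
LEVELS = ["low", "standard", "high", "very high"]

# Constructed rule in the form the post describes ("if amount greater than 75
# then security level is high"). Field names are assumptions.
RULES = [{"field": "amount", "gt": 75, "level": "high"}]


def level_for_notification(notification, rules=RULES):
    """Return the level needed to respond: the level set by the sending
    service, raised by any matching rule but never lowered."""
    level = notification.get("level", "standard")
    for rule in rules:
        value = notification.get(rule["field"])
        if value is not None and value > rule["gt"]:
            if LEVELS.index(rule["level"]) > LEVELS.index(level):
                level = rule["level"]
    return level


def can_respond(notification, unlocked_levels, rules=RULES):
    """Each level is unlocked separately, so the required level itself must be
    among the levels the user has unlocked in the app."""
    return level_for_notification(notification, rules) in unlocked_levels


def _canonical(method, path, body):
    # Bind method, path and a digest of the body so none can be altered in transit.
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest]).encode()


def sign_request(method, path, body, secret=API_SECRET):
    """HMAC-SHA256 over the canonical request, carried alongside TLS."""
    return hmac.new(secret, _canonical(method, path, body), hashlib.sha256).hexdigest()


def verify_request(method, path, body, signature, secret=API_SECRET):
    """Constant-time comparison; a tampered body, path or method fails."""
    expected = sign_request(method, path, body, secret)
    return hmac.compare_digest(expected, signature)
```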

Submission + - Banking-grade authentication for all 1

ymenager writes: For a long while I’ve been quite frustrated with the IT authentication available.

1) Most authentication solutions available have proven themselves to be very weak and especially vulnerable to social engineering and advanced malware deployed by cybercriminals (banks lose millions daily due to cyber-theft, even those using “best practice” solutions)

2) Most solutions deployed are based on a “one-size-fits-all” model. This model however is not very good, because each person will have a different willingness to trade off convenience for security depending on the stakes of what they’re trying to protect. For example if you have two bank accounts, one with a small amount of money and another with all your life savings, most people would be willing to suffer extra inconvenience in order to guarantee that all their life savings are protected from cyber-criminals.

3) Most “advanced” authentication technologies are “corporate priced” and completely unaffordable for typical small businesses or websites that have non-paying users (which is the majority of websites out there).

4) Most technologies neglect account recovery, leaving major holes in their security. For example we’re told that “Secured by Visa” would improve your credit card security by protecting with a password, however a hacker can use the account recovery to bypass the password step, only by knowing the user’s date of birth (which is much less “secret” than a password, and often easy to find from social networks or using social engineering).

This led me to create IDVKey, a banking-grade mobile and cloud authentication solution that:

- Provides a very high level of security, in fact better than most banks currently have available for their customers (talking from experience as I’ve spent the last 5 years designing crypto/security solutions in the banking industry).
- Is an “authentication Swiss army knife” that covers all authentication needs.
- Allows the user to take control of their security/convenience balance.
- Is affordable by everyone.

Its primary feature is a secure real-time notification mechanism that allows the user to easily authenticate and approve any sensitive operation using their mobile device (aka out-of-band authentication).

This short video demonstrates how that works

On top of that we’ve added “legacy support” in the form of Google authenticator (TOTP/HOTP) compatible one-time-passwords, as well as a Password manager.

We’re providing various ways for the user to customize security to fit their needs. For example using the ability to set different security levels that are secured by different unlock mechanisms.

For example, you could set up your app to be able to:

- Authenticate with your social network website without needing to unlock the app
- Require a PIN to access most of your other normal website/services
- Require a long password and fingerprint to authenticate with your online bank.

Account recovery is designed to be highly customizable. You will be able to specify different recovery mechanisms, each with a specific delay.

After the user approves account recovery using one of those methods, the recovery will only be processed after that delay giving the user the chance to identify and abort any fraudulent recovery attempts.

IDVKey is now in open beta, and you can request access on its website (please note not all the features described above are currently available in the beta but will be released in the near future).

Integration with your website/service can be easily done using our REST API, and we provide extensive documentation in our dev support pages

We also provide various SDKs and examples in order to make integration easier (we currently provide a Java SDK and website example, and will be adding PHP soon).