
Comment Re:From GRC who brought you ShieldsUp! and SpinRit (Score 1) 31

There are different attacks, however, that make the QR option in SQRL worse in a practical sense than a username/password. One example is a variant of the hidden-browser attack against a smartcard-based hardware token. The SQRL client in this case serves two purposes: first, it reinforces the user's mental perception of what they think is going on and, second, it provides the authentication. An attack against the QR option in SQRL is more significant than a site-specific QR authentication scheme because a SQRL client has the ability to authenticate against multiple web sites.

At the very least, any site using SQRL that cares about security should disallow logins where the SQRL client and browser IP addresses are different. Web sites should also implement the "respond to the SQRL client with the authenticated session URL" option. With this option, users would be required to use a browser on the same machine as the SQRL client. Finally, users should use a client that integrates with the browser as this would enable detection of a web page URL mismatch.

Comment Re: From GRC who brought you ShieldsUp! and SpinRi (Score 1) 31

While I truly believe that one should not bet against stupid users (Mother Nature can always make a "more stupid user"), the attack vector would still have a challenge with SQRL.

The SQRL client is supposed to (modulo bad client implementations) request verification of a valid login from the user before proceeding. For this attack to work the user is looking at some website, sees a QR code on the page (advertisement, bogus login, etc.), decides to scan the code in the SQRL client, sees the SQRL client pop up a code for a different website, and then decides to proceed with the login. It does not appear that SQRL is any worse than a username/password system in protecting the user from doing stupid things.

Comment Re:From GRC who brought you ShieldsUp! and SpinRit (Score 3, Insightful) 31

They may be crap, but it does not appear that this attack would work with SQRL. The SQRL client hashes the URL of the website, signs the result, and then sends the result to the URL encoded in the QR code. In this attack, the client would see that there is a mismatch between the phishing website and the URL encoded in the QR code. If the attacker modifies the QR code to fix that discrepancy, the SQRL blob would have the wrong URL hashed and the server would reject the login attempt.

The researcher does not mention SQRL in his post or the github repo. That was added by the editor or the submitter.
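The site-bound signing described in the comment above, together with the page-origin and IP-address checks proposed in the earlier "From GRC" comment, as an added example that is not code from this thread or from the SQRL project. It is a simplified Python model: an HMAC keyed by the host of the login URL stands in for SQRL's per-site signing key, and a toy server applies the URL-host, signature and IP checks. The master secret, hosts, URLs and IP addresses are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

# Constructed model of SQRL-style site-bound login (assumption: HMAC-SHA256
# replaces the real per-site Ed25519 signature; hosts and keys are made up).
MASTER_KEY = b"constructed-master-secret"


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def site_key(master_key: bytes, url: str) -> bytes:
    """Per-site key derived from the host in the login URL, so the identity
    presented to bank.example is unusable at any other host."""
    return hmac.new(master_key, host_of(url).encode(), hashlib.sha256).digest()


def client_sign(master_key: bytes, page_host: str, qr_url: str,
                browser_integrated: bool = True) -> Optional[dict]:
    """Client step.

    A browser-integrated client knows which page displayed the QR code and
    refuses to sign when that page's host differs from the host in the QR
    URL. A standalone scanner cannot see the page and signs what it scanned.
    """
    if browser_integrated and page_host.lower() != host_of(qr_url):
        return None  # page/QR host mismatch: user is warned, nothing is signed
    key = site_key(master_key, qr_url)
    sig = hmac.new(key, qr_url.encode(), hashlib.sha256).hexdigest()
    return {"url": qr_url, "sig": sig}


def server_verify(own_host: str, blob: dict, registered_key: bytes,
                  browser_ip: str, client_ip: str) -> str:
    """Server step: returns 'ok' or the reason the login was refused."""
    if host_of(blob["url"]) != own_host.lower():
        return "url-host-mismatch"  # QR code was rewritten to point elsewhere
    expected = hmac.new(registered_key, blob["url"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["sig"]):
        return "bad-signature"  # signed with a key derived for another host
    if browser_ip != client_ip:
        return "ip-mismatch"  # browser session and SQRL client are not co-located
    return "ok"


# Constructed deployment: the user enrolled at bank.example earlier, so the
# server holds the per-site key for that host.
BANK = "bank.example"
REGISTERED = site_key(MASTER_KEY, "https://bank.example/")
QR_REAL = "https://bank.example/sqrl?nut=constructed-nonce"
QR_FAKE = "https://phish.example/sqrl?nut=constructed-nonce"
USER_IP = "198.51.100.7"


def scenario(page_host: str, qr_url: str, browser_integrated: bool,
             browser_ip: str, client_ip: str = USER_IP) -> str:
    """Run one login attempt end to end and report the outcome."""
    blob = client_sign(MASTER_KEY, page_host, qr_url, browser_integrated)
    if blob is None:
        return "client-refused"
    return server_verify(BANK, blob, REGISTERED, browser_ip, client_ip)


if __name__ == "__main__":
    # Legitimate login from the user's own browser.
    print(scenario(BANK, QR_REAL, True, USER_IP))
    # Real QR relayed onto another page; integrated client sees the mismatch.
    print(scenario("phish.example", QR_REAL, True, "203.0.113.9"))
    # Same relay, standalone scanner: the IP check on the server catches it.
    print(scenario("phish.example", QR_REAL, False, "203.0.113.9"))
    # QR rewritten to the relaying host: signature binds to the wrong host.
    print(scenario("phish.example", QR_FAKE, True, "203.0.113.9"))
```

The four scenarios map onto the thread: an integrated client refuses a relayed QR outright, a standalone scanner is caught by the server-side IP comparison, and a QR rewritten to another host produces a blob the real site rejects because the host it was signed for is not its own.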

Comment Re: "Yay for privacy"? (Score 1) 40

Yep, I was trying to mimic the spam/ad writing style.

The last 20% is not trivial to eliminate and often (always in many cases) overwhelms legitimate mail. I have spent the last few weeks retraining spamassassin to gain a few more percentage points. I think I will enable autolearn and dovecot-antispam to help keep the Bayesian database current.

Comment Is anybody surprised by this (Score 1) 71

Alphabet/Google/whatever they are called is a for-profit business. This endeavor has to (roughly) do one or more of the following:

  • Generate a profit,
  • Enable other activities to generate profit (e.g. data collection on you), or
  • Be booked as an advertising expense.

Anything else would violate their fiduciary responsibilities.

Repeat after me: Do not plug into random USB ports or connect to random WiFi hot spots unless you are comfortable with their security practices and business model.

Comment Re: Ownership and Appreciation (Score 3, Informative) 142

Construction equipment is rented out all the time. For many construction firms it does not make economic sense to own a full complement of heavy construction equipment.
  • https://www.sunbeltrentals.com/equipment/subcat/766/dozers-and-crawler-loaders/
  • http://www.hertzequip.com/herc/rental-equipment-industrial-equipment/earthmoving-equipment+dozers
  • http://www.unitedrentals.com/en/catalog/dozer-70-hp

Comment Re:So - the fact that others are doing it makes it (Score 2, Insightful) 312

In the United States, your assertion that "working stiffs" are burdened with most of the taxes is not supported by the facts. If you look at total taxes paid (local, state, and Federal) as a percentage of income, the bottom 40% are taxed at about 20% and the top 20% are taxed at about 30% (Washington Post). So the rich are paying taxes at a higher rate than the "working stiffs."

If you look at it from the "income to the Federal government" perspective, as of tax year 2011, the top 5% paid 57% of the collected income tax and the bottom 50% paid 12% of the collected income tax.

Based on those two facts, I assert that the "working stiffs" are not taxed at a higher rate than the rich. Also, at the Federal level, the rich pay far more in taxes. Where the "working stiffs" lose out (and the Washington Post article shows this) is at the local and state level.

Comment Re: The failure of rules. (Score 4, Informative) 538

I think you have misinterpreted the rules a bit. Campaigning and party activity are prohibited with government resources.

The President and Cabinet sending emails on implementing political goals are permitted activities. Sending emails about ?NC platform discussions are not permitted.

When I went through ethics training with the GC, it was very clear what was and was not permissible. From the GC point of view, the default was use government email and save every email.

I can see the desire, particularly at the executive level, not to leave a record because policy formulation can be a messy activity. However, I'm not sure that is the motivation in this case. First, there is no control over the retention of the other end and, second, a lot of discussion happens on the classified side.

Comment Tried and gave up (Score 1) 248

I tried doing the smarthome bit about 15 years ago and it was flaky. While the technology has improved, the cost/benefit just is not there. Also, the concept never had a high WAF. How long does it take the energy savings from a nest (or similar) thermometer to recoup the investment? Will the technology/service last that long? I don't have a smart thermometer, so I'm curious.
