Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×

Comment A few obvious corrections (Score 1) 42

First, DES is 56 bit (near enough 60). Triple DES as per first mode (the authorised standard) is 168 bits. The article fails to distinguish, implying the authors are just a little bit naff. 3DES seems to be quite safe, as long as not used in DES emulation mode. And who the hell emulates a mode that was broken in the 80s?

Second, Blowfish was replaced by TwoFish, ThreeFish and Speck. Skein, an entrant to the DES3 challenge, makes use of ThreeFish.

Third, the Wikipedia page states it has been known for a long time that weak keys are bad. This particular attack, though, is a birthday attack. You can find all the ciphers vulnerable or free that you should be using. Anything not on the list is something you are solely responsible for.

http://csrc.nist.gov/archive/a...

In other words, this information is about as useful as telling up that Model T Fords weren't good at cornering at highway speeds. Below are some links, I can't be buggered to HTML-ify them.

https://en.m.wikipedia.org/wik...
http://www.skein-hash.info/
https://en.m.wikipedia.org/wik...
https://en.m.wikipedia.org/wik...

I do not trust most encryption software these days, but that's because programmers these days are sloppy and arrogant.

The Internet

New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish (threatpost.com) 42

Researchers "have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft," reports Digital Trends. Slashdot reader msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction. The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected to remove 3DES from its default bulid in 1.1.0, and lower its designation from High to Medium 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks. The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.

Comment Re:We need this (Score 3, Insightful) 220

we need people actively looking into making those new type of batteries instead of just researching them and never do anything with the research

You haven't been paying attention.

Like photovoltaic solar panels (which can now be had for under a dollar a watt WITHOUT subsidies, more than an order of magnitude improvement over the last decade or so), DEPLOYED battery technology has been improving, drastically.

Of course most of the breakthroughs don't get deployed. That's usually because better breakthroughs come along before they get that far.

Comment Re:More political redirection (Score 2) 508

Let's be pragmatic here. She didn't decide the logistics of her email server and how to secure it or delete emails. Her IT intern did this.

Let's be realistic here. She didn't tell her IT guy what tools to use. She didn't have to. Someone -- and it doesn't take too much intelligence to guess who -- gave a directive to make that server and all its contents disappear Jimmy Hoffa style. That directive was given only after the existence of the server became public knowledge and its contents were requested. Can guilt be proven by such an action? No. But can anyone make any remotely plausible, intelligent, cohesive argument as to why someone running for POTUS would knowingly put themselves in such an awkward, damaging position?

Clinton is no fool. She knew wiping the server after it was discovered would leave her open to charges of hiding things. The most plausible explanation of why she'd do this was because there were things on the server that were even more awkward and damaging.

Comment Re:More political redirection (Score 2) 508

Whether the secure wipe was used as a simple matter of Best Practice, or was done for Nefarious reasons, is not known. So when the article makes judgements such as "When you're using BleachBit, it is something you really do not want the world to see." it becomes a political mudslinging story.

What exactly is the purpose of BleachBit? As described on its own web page, BleachBit "tirelessly guards your privacy." It doesn't matter if it was wiped because of "best practices" (something rather laughable given that Sec. Clinton was violating the "best practices" of the very department she was head of according to the head of IT at SecState) or to hide nefarious activities. The main purpose of BleachBit is to preserve privacy by "obfuscating forensic evidence." The OP's statement was completely correct and made no judgments whatsoever about the guilt or innocence of Sec. Clinton. You're calling it mudslinging because you don't like the idea of people questioning her motives and wish to deflect attention.

Comment Re:Clean OS install (Score 1) 363

I use optical media for installs, too.

Mostly because they're a more convenient (and better supported than USB sticks) way to build a system onto a fresh(ly wiped) machine.

Also because they're an easy way to insure I didn't accidentally carry over any data from the pre-wipe configuration or the machine I used to download, or got hit with a "catch the machine before it updates" attack while net-loading or updating from the distribution version to the latest bugfixes. (I go to the net for the initial update through an external firewall machine with tight reach-out-only rules.)

Yes, it's not a defence against some of the NSA or "remote-administration feature" style of attacks, through the BIOS, drive firmware, CPU-vendor silicon "management engines", persistent threat malware on the download machine, etc. But it's a start. (Also: If those are any good they keep hiding, so at least they stay out of my way while I'm trying to get some work done. B-b )

Comment Re:Self-inflicted (Score 2) 74

Yes, and those idiot's votes count the same as yours and mind. It is amazing how many people "me too" jump on some bullshit I've already proven to be false a few times before. Hoax is the poisoning of the mind for people too stupid to do their own thinking and prefer their news in a 600x600 image square. Whoever controls these drones, controls the vote, because they are half the population.

Or to paraphrase George Carlin, think about how stupid the average person is, then remember that half the population is dumber than they are.

Comment Re:Never that specific program (Score 1) 508

Don't forget to take the platter out and smash it up whichever way you want. If the NSA can get the data off a drive that's being zeroed several times and platter smashed up, they deserve a trophy.

Grind it into dust.

Smashing the platter helps some. But taking it out of the drive just saves them a step.

When a surface has been overwritten a couple times you're not going to have much luck trying to read it with the ordinary heads, even with tweaked signal and head-positioning electronics.

But a scanning magnetic-force microscope makes the last several layers of writing visible to the naked eye (observing the false-color image on a monitor or printed page).

Comment Re:Too secure for insecure? (Score 1, Interesting) 508

Hillary did do something wrong but the punishment for it would never be jail time. People keep focusing on this shouting lock her up. The worst she would have endured if she was a normal member of the state department would be a removal from her job and revocation of any security clearance.

And revocation of retirement benefits. And a felony conviction, with the resulting future denial of a number of civil rights (such as the right to posses a gun) and - yes - federal prison time.

Are you saying that the government would never enforce some of the more severe portions of the law? They seem to enforce it just fine when dealing with low-level functionaries (or even high-level officials who happen to be conservative.)

There is entirely too much corruption throughout our government.

Yep.

We need to fix campaign finance in a big way.

Yes - by completely repealing any campaign finance legislation at any level.

Buying advertisement is political speech. That, even more than any other forms of speech, is precisely one of the rights that is recognized and protected by the First Amendment. (It just happens purchasing advertisements enables the "speaker" to talk to more people than he can by standing on a soapbox in the park.)

Campaign financing laws are bait-and-switch. They claim to level the playing field, blocking the deep-pocket guys and the incumbents from having an advantage over the ordinary citizens and upstart challengers. But they actually penalize the grass-roots organizers and challengers by imposing complex red tape and arcane limits and requirements with draconian penalties for non-compliance (which incumbents' and professional lobbying organizations already know how to handle - or have the financial backing to challenge in court).

They're incumbent protection laws. Which is exactly what you should expect them to be. They were written by incumbents.

Comment So you have to disclose it to the government (Score 1) 29

30.8 5G Provider Cybersecurity Statement Requirements.

(a) Statement. Each Upper Microwave Flexible Use Service licensee is required to submit to the Commission a Statement describing its network security plans and related information, ...

So the applicant has to publish his whole security architecture in order to get a license.

On one hand this conforms to the best practices recommendations of the security community: Expose the algorithm to analysis and keep the security in the keying secrets.

On the other hand this gives the government the opportunity to pick-and-chose only those systems it can break.

Oh, gee. Which way will it work?

Comment Same model NAME! (Score 1) 31

Latest phone supported is the international version of the Galaxy S III (I9300) ... Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.

The same model NAME on a different device. Model number is different, which is how you tell for sure you got the right one.

Comment One word: Replicant (Score 1) 31

Replicant

Android. Fork of Cyannogen Mod that is fully Open source. Even the drivers and firmware. Latest phone supported is the international version of the Galaxy S III (I9300) (2G and 3G but no 4G LTE). (Note: The U.S. version of Galaxy S III is a different motherboard and chip - the same model number on a different device.)

Stable release is a couple years old (4.2) due to thinning of the development crew. But the project got new blood (post-Snowden) and a 6.0 port (for the 19300 so far) is in alpha.

Some devices (WiFI, Bluetooth, user-facing camera) require closed firmware, which you can load separately. (It's supported but not distributed with the base distribution.

Some (3-D graphics acceleration, GPS) are just not supported. (Use 2-D graphics and, if you really want your phone to know where you are, a plugin GPS device based on a different chip.) GPS is not supported because the phone's GPS chip also requires a proprietary CPU-land driver, which is an open-source no-no.

Slashdot Top Deals

Wishing without work is like fishing without bait. -- Frank Tyger

Working...