
Comment Re:OK, so how did it happen? (Score 1) 146

Did you watch Citizenfour? There were a couple of scenes in there, IIRC, where comments were made about a "second leaker". I believe there were also mentions in some of the Guardian articles as well. Not a lot in either, but definite indications that Snowden was not the only one.

I was wondering what happened to #2...

Comment Re:Why isn't symmetric crypto threatened by quantu (Score 1) 55

It has been a while since I've dug thru the DoC EAR, but from what I remember -- and what I seem to glean from digging thru your link to the Fed Reg -- is that most of this applies only if you're using proprietary encryption. The use of open source algorithms where you provide the relevant source code, such as using AES, Blowfish, or TwoFish, is an exemption.

To be clear, I'm talking about mass market stuff which gets the MMKT designation, not crypto gear primarily sold to foreign governments.

If using only the published, open source stuff for crypto, then the exporter has only to file the paperwork. The 30-day delay was removed, and there is no real "review request", the paperwork is just on file.

RSA fits the bill just fine, and there is no restriction that I can find for using ginormous keys -- 4,096 bits and beyond.

Feel free to use Elliptic Curve instead of RSA, avoiding Dual EC DRBG (obviously) and the NIST recommended curves if you're paranoid.

I understand that exporting certain hardware requires paperwork, but I'm firmly in the camp of thinking that states "proprietary encryption should be avoided at all costs".

Comment Re:Typical Google (Score 2) 129

You're forgetting the difference between a flaw and the path to exploiting a flaw. The flaw can exist in silicon, but it needs software to exploit it. You can safely run flawed code all day if you are in tight control of the software executing on the system. It isn't until you run untrusted code that you have a problem.

This is why Java is such a vector. Once you connect it to a browser, you're blindly running someone else's untrusted code on your JVM.

When Java is used in an EE environment, not hooked to a browser, then it is much safer simply because exploit code doesn't have a path to any flaw.

Comment Re:Reality vs Theory (Score 1) 211

Yes.

My general instruction to people has been:

Step 1: Go here
Step 2: Copy a suitable string, depending on the limits of the system you're creating a password for
Step 3: Add a 4 - 6 digit PIN
Step 4: Paste it in, write it down, or use something like Keepass.

Hell, letting your browser remember your password is better than picking something stupid.

Comment Re:The mandate to change passwords every three mon (Score 2) 211

A password written down on a sticky note can't be cracked remotely. You have to be physically present in the room to have a shot. http://www.imdb.com/title/tt0086567/?ref_=nv_sr_1

If the password is sufficiently complex, and the system uses properly salted hashes, then it is infeasible to crack remotely via brute-forcing the password database. Simple passwords are susceptible to brute force cracking.

A better solution is to use both. Write down the complicated password, but append or prepend a memorized PIN. That way, if the written component is compromised, the PIN still has to be guessed.
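As an added example (not part of the comment above): the written-string-plus-memorized-PIN scheme, with the server side storing a salted, iterated hash. PBKDF2-HMAC-SHA256 and the 16-byte salt are my assumptions; the comment only says "properly salted hashes".

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Character set for the part the user writes down (assumption: letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ITERATIONS = 200_000  # PBKDF2 work factor (assumed value)


def written_component(length: int = 16) -> str:
    """Random string the user copies onto the sticky note or into a password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compose(written: str, pin: str) -> str:
    """Full password = written component + memorized PIN (the comment's 'append' variant)."""
    return written + pin


def store(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) as a server would keep them; a fresh random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash under the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of the written component, in bits, for a remote brute-force attacker."""
    return length * math.log2(alphabet_size)


def guesses_if_note_leaked(pin_digits: int) -> int:
    """Search space left to someone who has the sticky note: every possible PIN."""
    return 10 ** pin_digits
```
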

Comment Re:Also (Score 1) 126

My phone is encrypted and protected with a fairly strong password (12-digit PIN in my case). In addition, the mobile banking app is also protected with a different, fairly strong password. It has multi-factor authentication, but since that is a text to my phone that doesn't count here.

Since my life is on the phone and I use it to constantly stay in touch with family and friends, plus things like navigation, and quick look-ups of information, it is always on me. So much so that I'd sooner forget my wallet or car keys than my phone.

Finally, my phone is not only constantly backed up, it has, essentially, a GPS locator that I can use from my PC to find it. Just enter "where's my android phone" into Google, assuming you're logged in to your Google account.
