Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Submission + - The World's Smallest Comic is etched on a hair (

An anonymous reader writes: Gizmodo reports :

Zoom in on this particular hair, though, and you'll find something even stranger: a teeny, tiny comic strip called "Juanita Knits the Planet." Ten micron-tall Juanita and her friends were etched onto the hair using a focused ion beam. The microscopic comic strip was created for the Exceptional Hardware Software Meeting, a gathering for open source and DIY enthusiasts in Germany.

The video is also available on youtube.

Comment Re:It's not just the implementation (Score 2) 447

OpenVPN does its own transport protocol (on top of UDP or whatever was configured) to wrap the SSL control connection in. And for that reason OpenVPN implements its own heartbeat protocol. Let me repeat that: there is no use for TLS heartbeats with OpenVPN.

Side-note: as OpenVPN does not use vanilla SSL sockets, simple-minded Heartbleed exploits that work against HTTPS etc. won't be usable against it, but it is possible to hand-craft a Heartbleed attack against OpenVPN servers (or clients) running with unpatched libopenssl (although AFAIK such an attack has not been seen in the wild yet).

Submission + - Slashdot Beta Woes 16

s.petry writes: What is a Slashdot and why the Beta might destroy it?

Slashdot has been around, well, a very long time. Longer than any of it's competators, but not as long as IIRC. Slashdot was a very much one of the first true social media web sites.

On Slashdot, you could create a handle or ID. Something personal, but not too personal, unless you wanted it to be. But it was not required either. We know each other by our handles, we have watched each other grow as people. We may have even taken pot shots at each other in threads. Unless of course you are anonymous, but often we can guess who that really is.

One of Slashdot's first motto's was "News for Nerds" that Matters. I have no idea when that was removed. I have not always scoured the boards here daily, life can get too busy for that. That excuses my ignorance in a way. I guess someone thought it politically incorrect, but most of us "Nerds" enjoyed it. We are proud of who we are, and what we know. Often we use that pride and knowledge to make someone else look bad. That is how we get our digs in, and we enjoy that part of us too. We don't punch people, we belittle them. It's who we are!

What made Slashdot unique were a few things. What you will note here is "who" has been responsible for the success of Slashdot. Hint, it has never been a just the company taking care of the servers and software.

— First, the user base submitted stories that "they" thought mattered. It was not a corporate feed. Sure, stories were submitted about companies. The latest break through from AMD and Intel, various stories regarding the graphic card wars, my compiler is better than your compiler, and yes your scripting language stinks! Microsoft IIS has brought us all a few laughs and lots of flame wars to boot. Still, we not only read about the products but get to my second point.

— User comments. This is the primary why we have been coming here for as long as we have, many of us for decades. We provide alternative opinions or back what was given in the article. This aspect not only makes the "News" interesting, but often leads to other news and information sharing. It's not always positive, but this is the nature of allowing commentary. It also brings out the third point.

— Moderation. Moderation has been done by the community for a very long time. It took lots of trial and error to get a working system. As with any public system it's imperfect, but it's been successful. People can choose to view poorly modded comments, but don't have to. As with posting anonymous versus with our own handle it's an option that allows us to personalize the way we see and read what's on the site. And as a reward for submitting something worth reading, you might get a mod point of your own to use as a reward for someone else.

Why we dislike Beta and what is being pushed, and why this will result in the end of an era if it becomes forced on the community.

1. Bulky graphics. We get that Dice and Slashdot need revenue. I have Karma good enough to disable advertisements, but have never kept this setting on. I realize that Slashdot/Dice make money with this. That said, the ads sit away from my news and out of the way. I can get there if I want it (but nobody has ever gotten a penny from me clicking an ad... nobody!), but it's not forced into my face or news feed.

2. Low text area. I like having enough on my screen to keep me busy without constant scrolling. Slashdot currently has the correct ratio of text to screen. This ratio has never been complained about, yet Beta reduces the usable text area by at least 1/2 and no option for changing the behavior. I hate reading Slashdot on mobile devices because I can't stand scrolling constantly.

3. JavaScript. We all know the risks of JS, and many of us disable it. We also have an option of reading in Lync or non-standard browsers that many of us toy with for both personal and professional reasons. This flexibility is gone in Beta, and we are forced to allow JS to run. If you don't know the risks of allowing JS to run, you probably don't read much on Slashdot. Those that allow JS do so accepting the risk (which is admittedly low on a well known site).

4. Ordering/Sorting/Referencing. Each entry currently gets tagged with a unique thread ID. This allows linking to the exact post in a thread, not just the top of the thread. In Beta this is gone. It could be that the site decided to simply hide the post ID or it was removed. Either way, going to specific posts is something that is used very commonly by the community.

5. Eye candy. Most of us are not here for "eye candy" and many have allergic reactions to eye candy. Slashdot has a good mix currently. It's not as simple as the site starting with a r-e-d-i-t, which is good. That site has a reputation that keeps many of us away, and their format matches my attitude of them (s-i-m-p-l-e-t-o-n). At the same time, it's not like watching some other "news" sites with so much scrolling crap I can't read an article without getting a headache. The wasted space in beta for big bulky borders, sure smells like eye candy. Nothing buzzes or scrolls yet, but we can sense what's coming in a patch later.

The thing is, the community cares about Slashdot. We come here because we care. We submit stories because of that, we vote because of that, we moderate because of that, and we comment because of that. At the same time we realize that without the community Slashdot loses most of its value. We respect that we don't host the servers, backup the databases, or patch the servers. Slashdot/Dice provide the services needed for Slashdot.

It's a give give relationship, and we each get something in return. Slashdot gets tons of Search hits and lots of web traffic. We get a place to learn, teach, and occasionally vent.

Look, if you want to change default color scheme or make pre-made palettes for us to choose from, we would probably be okay with that. If you want to take away our ability to block ads by Karma, or move the ads to the left side of my browser window, I would be okay with those things too.

If you want to make drastic changes to how the site works, this is a different story all together. The reason so many are against Beta is that it breaks some of the fundamental parts of what makes Slashdot work.

User input until recently has not been acknowledged. The acknowledgment we have received is not from the people that are making the decision to push Beta live. We told people Beta was broken, what it lacked, and we were rather surprised to get a warning that Beta would be live despite what we told people. People are already making plans to leave, which means that Slashdot could fade away very soon.

Whether this was the goal for Dice or not remains to be seen. If it is, it's been nice knowing you but I won't be back. A partnership only works when there is mutual respect between the parties. A word of caution, us Nerds have good memories and lots of knowledge. The loss of Slashdot impacts all of Dice holdings, not just Slashdot. I boycott everything a company holds, not just the product group that did me wrong.

If that was not the goal of Dice, you should quickly begin communicating with the user base. What are the plans are to fix what Beta has broken? Why is Beta being pushed live with things broken? A "Sorry we have not been communicating!", and perhaps even a "Thank you" to the user base for helping make Slashdot a success for so many years.

Submission + - Ask Slashdot: What's there to like about the BETA? ( 7

Narnie writes: I come to /. not for the nearly interesting pseudo-tech articles, but for the lively, self-moderated discussion. Today I'm bit surprised to see every discussion summarized to fuckbeta. Popping up all over the place there's discussions about beta and even alternatives being revived and created. As I tend not to RTFA, I haven't sampled the beta myself. So, I ask you guys, what's there to like about the BETA and what's there to loath?

Submission + - slashdot drives away people with beta 2

An anonymous reader writes: For many months now, people have been quietly redirected to slashdot's beta site ( Any negative feedback of the beta is ignored and/or disavowed. The majority of viewers do not like the beta — resulting in major loss of viewership.

Will slashdot alienate existing users of the site and keep pushing the beta OR will it keep the users and boot the beta?

Comment Re:NSA has the ssl keys (Score 1) 279

According to wikipedia, "Ettercap is a [..] tool for man-in-the-middle attacks on LAN". It requires you to gain access to a victim's LAN! If the wikipedia page is right, it performs ARP ARP poisoning to redirect vicitm's connections. This can be detected. On a properly administrated network, this attack can automatically be detected, alerting admins etc.

Requiring access to the LAN and being easily detected for me qualifies as "difficult to deploy". Also note that the computing resources needed to MiTM SSL are pretty enormous (SSL handshake takes a lot of computation). I don't think this will scale to substantial portions of the SSL traffic of a country. Compare that with the almost complete capturing of non-encrypted traffic allegedly implemented by NSA.

Comment Re:who are we fooling? (Score 3, Insightful) 279

You suggest that MITM attacks on SSL are as bad as someone sniffing on unencrypted traffic. It is not! MITM attacks are active attacks and are much more invasive to carry out.

Is "false security" better or worse than "no security"?

I really don't understand why everybody tries to reduce these encryption problems on the "false security" vs. "no security" dichotomy. No this is not about false security. This is about security against undetectable passive attackers vs. detectable active attackers. The amount of data a detectable active attacker is able to collect about my person are many orders of magnitude smaller than the amount of data a passive attacker is able to obtain. The active attacker will also only be able to obtain data from the point of time I was chosen as a target. The passive attacker will be able to go back in time and look at my communication (probably many years) before I became interesting enough to be deemed a target.

This is why implementing SSL, even if no protection at all against MITM existed, is much much better than no SSL at all.

Comment Re:who are we fooling? (Score 2) 279

It is pretty dangerous for an adversary to carry out MITM attacks on a large scale, as sooner or later, this is going to be detected.

Apparently they weren't detected until the Snowden files showed it is widespread...(hacking into Belgacom for example), and wasn't the FBI requesting the SSL keys of Lavabit to decrypt traffic?

The attack the FBI attempted on Lavabit had no relation at all to certificate authorities. They merely requested the private host key of the server to be able to decrypt any recorded SSL traffic for that site. Note how this kind of attack only works when you have access to the server in question (in which case you would be able to directly monitor the plaintext communication anyway by tracing the web server executable). I repeat, this is not related at all to certificate authorities. Also note how this attack does not really scale, as it requires you to actively request and collect SSL host keys (not certs!) of all webservers whose traffic you are interested in. For that reason I would expect that information about your operations *will* inevitably leak to the public. Also web servers in other countries will be relatively well protected against this kind of attack.

The SSL Everywhere extension for example can (optionally) collect information for and check with the SSL Observatory to detect differing certificates that indicate MITM attacks.

a MITM attack would also patch (or redirect) SSL Observatory

only decentralized with checks on locally stored previously seen certificates can work, otherwise it's just security theater

But here again at MITM attack would be detectable. If the SSL Everywhere guys were not completely stupid they will check the host key of the SSL Observatory against a private certificate authority that they completely own (with the certifcate authorities' key hard-coded into their browser extension). Or more simple, they could just hard-code the public key of the observatory. Or implement certificate pinning etc. etc.

The only working attack would be for the NSA to MITM every download of the SSL Everywhere executable, patching the certificates contained in its code. But again, this is easy to detect after the fact by inspecting the sources, comparing checksums etc.

For that reason I'm not afraid at all about MITM, as it does not allow for the broad, secret, non-discriminatory data collection that Snowden's leaks show to be implemented by NSA.

Comment Re:NSA has the ssl keys (Score 5, Informative) 279

The NSA likely has keys from all the major SSL cert vendors, rendering this "spamvertisement" moot. HTTPS does not mean that you're secure from everybody. It means you've added a layer of security that will thwart MOST prying eyes, but those that really want to know what you're doing WILL know what you're doing.

Having the keys from multiple SSL cert vendors does not help a bit (and having the keys from many vendors isn't much better than having the keys of a single vendor). It does NOT magically allow you to decrypt SSL traffic from servers whose host key was signed against that cert vendor's certificate!

To decrypt traffic of multiple SSL websites requires you to obtain the private part of the SSL host keys from all the web-servers themselves. Note that web server host keys are signed via signing requests that do not contain a copy of the private key, so even when the cert vendors (CAs) are hacked, you cannot directly listen in on SSL communication. When the servers implement Perfect Forward Secrecy, then even obtaining a copy of the server's host key won't help as each connection uses a temporary key that's exchanged via Diffie Hellman Key Exchange, a method that generates a key shared between two hosts, that (somewhat counter-intuitively) cannot be deduced by sniffing the traffic between those two participants.

What you can still do is to set up a MITM attack: you set up your own intermediate server with its own host key and sign your host key(s) using one of the SSL vendor's certs that you obtained. Then you redirect all traffic to the servers that interest you via your server (i.e. proxying all SSL connections) and then obviously in the process you obtain the cleartext of all SSL sessions running via your server.

However, the MITM attack is much more difficult to deploy and scale than simple monitoring and recording IP data. Also skilled users will easily detect the MITM attack, as the host key's public part of the servers in question will suddenly change. There are firefox extensions to check for these signs of a MITM. Even SSL Everywhere has a checker built in (via the SSL Observatory). Or try Certificate Patrol.

Comment Re:who are we fooling? (Score 5, Insightful) 279

> this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser > against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies.

While I certainly think it is a good idea to encrypt traffic, this statement is highly misleading or naive: Since the CA system is *flawd by design* and every one of those "authorities" in the long list of built-in CA inside your browser can, by negligence or choice, supply any of these and other agencies with a valid certificate for *any hostname in the world*, initiatives like these protect your privacy only from your local sysadmin/ISP, and also do nothing against traffic analysis.

Should a US person/company trust that "China Internet Network Information Center" isn't going to create a cert for a US bank or company to perform a MITM attach with? Should a Chinese company trust "Wells Fargo" not to? Should the Greeks trust "TÜRKTRUST Bilgi letiim ve Biliim Güvenlii Hizmetleri A.. (c) Aralk 2007", or the Turks "Hellenic Academic and Research Institutions Cert. Authority"? What on earth makes you think ALL of these companies can resists pressures to misbehave? Yet all of them are built-in to your browser and "you" trust them.


The Cert validation in the browsers leads to a *dangerous false sense of security* at most. This is crypto, a weakest-link business [..]

You suggest that MITM attacks on SSL are as bad as someone sniffing on unencrypted traffic. It is not! MITM attacks are active attacks and are much more invasive to carry out. That's not all: in principle all these MITM attacks can be detected: the host key of the Man In The Middle will differ from the host key of the original server (though your browser will accept the differing host key when it is signed by a rogue CA).

It is pretty dangerous for an adversary to carry out MITM attacks on a large scale, as sooner or later, this is going to be detected. The SSL Everywhere extension for example can (optionally) collect information for and check with the SSL Observatory to detect differing certificates that indicate MITM attacks.

There's also the Certificate Patrol Firefox Extension that persistently remembers certificates and warns when certificates changed for no apparent reason.

Submission + - Sniff and decrypt BLE with Ubertooth (

mpeg4codec writes: Hot on the heels of Omri Iluz's BLE-sniffer-on-the-cheap, I decided to write up the BLE (Bluetooth Smart) sniffer I built on Ubertooth. My sniffer is highly robust, can capture data from connections, and is 100% open source.

I also discovered a major flaw in BLE's crypto that allows an attacker to crack its encryption key and decrypt data, 100% passively. I wrote a tool called crackle that will automatically decrypt encrypted BLE data captured by Ubertooth.

Submission + - Neo900 hacker phone reaches minimum number of pre-orders for production 2

wick3t writes: The Neo900 fundraising campaign has already achieved the milestone of 200 pre-orders which means that mass production is now feasible. This follows a successful first prototype that was showcased at the OpenPhoenux-Hard-Software-Workshop 2013. Their next target is 1000 pre-orders as they aspire to reduce the production costs of each device.

Submission + - 17-yo builds fusion reactor, keynotes Berlin's EHSM

lekernel writes: Will Jack is a 17 year old high school student from the US who enjoys nothing more than building nuclear fusion reactors in his basement. He will be the keynote speaker later this month at Berlin's Exceptionally Hard and Soft Meeting, a conference on the frontiers of open source and DIY. Other topics covered by the conference are the CERN open hardware initiative, microchip reverse-engineering, DIY vacuum tubes, and more.

Submission + - EHSM: Exceptionally Hard & Soft Meeting in Berlin (

An anonymous reader writes: Are you sad that the 29C3 will take place in Hamburg but you want to visit Berlin ? As seen on, "(...) the premiere of the uniquely named Exceptionally Hard and Soft Meeting (EHSM) (...) will be held in Berlin, Germany on December 28-30, 2012. “EHSM is turning out to be something like the OSH Summit this side of the pond. (...)” " The schedule looks like a pile of refined geek pr0n: Garage electronic parts manufacture, CPU design, nuclear physics...

Slashdot Top Deals

Stinginess with privileges is kindness in disguise. -- Guide to VAX/VMS Security, Sep. 1984