Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:uh, no (Score 4, Interesting) 148

I suppose you know how timing side channel attacks are done? All those layers of abstraction make it possible to accurately predict and alter code path length? Oh, and they do automatically handle things like proper memory scrubbing of keys when no-longer valid? Right?

These things need low level hardware access to manage, and are hard even then where there is less in the way screwing with it. It is nearly impossible to handle properly on highly abstracted languages running in managed virtual environments like Java and C#.

Yes those abstractions help avoid specific classes of vulnerabilities, but can open a whole host of just as bad context specific ones when talking about security stuff like encryption. This is why we should only let specialists in that specific field do such implementations and have them vet each others code.

Comment Re:what we need here is a mentality reset (Score 4, Insightful) 86

Google's safe browsing list have been in both Firefox and chrome since chrome's first release, and both Firefox and chrome have a toggle to turn it off in the options should you wish. For some reason Google has added pirate bay download pages to the list, according to database lookup it matches the sort of block they usually impose when the site has been compromised either directly or via maleware embedded in advertising.

Comment Re:Why are they net accessible? (Score 1) 54

So they can track everything, seriously. Most of these devices have no real need of an internet connection.

Anyway, that said, even my routers are using HTTPS, with a key and certificate pair generated by me for my own CA, it is possible, and not all that hard. I just added a HP printer to my network, again I uploaded my own certificate to it, it even had a nice wizard that generated the CSR which I then signed, run the wizard again and choose to upload the certificate.

Comment Re: DMA (Score 1) 85

No USB does not have DMA exposed to external devices, the USB host controller may use DMA as it is just another device on the PCI/PCI-Express bus, however it is not expose and queriable by devices. Yes, later in FireWire, some operating system drivers (Linux and Windows) would request the FireWire controller disable DMA support, but the hardware needs to be built to have this functionality. Finally such functionality would break thunderbolt as DMA is a fundamental part of how PCI-Express works and as a such key to the functionality. There is a feature for virtual machines to allow PCI-Express pass though called IOMMU that could also be used as DMA mitigation as it works by pretending to the device only a section of memory is the whole system memory, however, I believe only kernels built for use as hypervisor have it enabled and none are actually using it for DMA mitigation.

Comment Re:HORNET, next gen Tor @ 93Gb/s (Score 5, Informative) 89

The problem with Tor is not throughput but latency, and the latency issue in Tor exists as a protection against timing attacks. Basically, Tor nodes capture several requests to pass on, then wait, only sending in batches on a given interval, they also shuffle the order of the batches, 3 hops later and all these waits add up. Without this method, one could easily watch packets going into and coming out of the network and just match them up, as they come out in the same order a few milliseconds later, with the batching you have no idea which packet matches with which one going in.

Slashdot Top Deals

The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it. -- E. Hubbard