Follow Slashdot stories on Twitter


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:Support cellular rights! (Score 1) 619

Someone ought to make a deck of cards, like playing cards, but instead of the usual pictures, put names of logical fallacies on them. Then you could reply to an invocation of a fallacy simply by dealing the corresponding card.

Not so good for Slashdot of course, but for the real world... it would be succinct and satisfying.

Comment Re:We already have better tech (Score 1) 205

The problem is that it takes only *one* hacked reader to steal your fingerprint, and then that entropy is lost forever. If your password is stolen, you just change your password, but you can't easily change your fingerprints. In this respect, most biometric data is more like names than passwords: if you tell me your name, I know that you're saying that you could be the person with the name in question, but I don't know that you can't be someone else.

What you would ideally want is something that takes a name and something that changes every time you try it, then combines them in a certain manner that cannot be reversed but can be checked. To use the name analogy, if you have to give both your login and password (or your name and password), then if someone steals your password, you're safe unless he also knows your name - you have a window in which to change your password before the adversary determines what your name is. Yet like with names, if the adversary has properly prepared his plan and is attacking you alone, the biometrics won't help you. He might record your voice, lift fingerprints, etc.

It may seem tempting to get around that problem by making a tamper-resistant fingerprint reader so that your fingerprint is never really exposed to the world. The reader would then do some sort of authentication with a remote site and the data would stay on the reader (or be dynamically sampled). The problem with that is that there's no such thing as being fully tamper-proof, and you leave fingerprints everywhere. The bad guys can get another reader and wire it up to take fingerprint info from an external source, then lift your prints from somewhere. That is -- unless the reader itself holds a key that it combines with the fingerprint data, but then you're back to two factors as mentioned above: a name (your print) and a password (the device itself, which can be replaced if compromised).

Comment Re:Quantum Computing Baffles Me (Score 2) 55

Okay, let's try to simplify it even more. Quantum computers have gates just like ordinary computers. There's a difference, though: instead of acting only on a single value, they act on a whole bundle of them at once (that's the probability distribution). You can in effect calculate a function on many inputs at once, but you can't reach behind the curtain and pick all the answers (or any answer you want) from the result. When you do ask the computer to reveal an answer, you get a random answer from the entire bundle according to its probability. The clever part about quantum algorithm design is then to first alter the input bundle in the way you want, then selectively amplify the answer that you're interested in so you'll get it very often and get other answers rarely if at all.

More or less. I Am Not A Quantum Physicist, grain of salt, etcetera.

Comment Re:No, Thank You, Dear Government (Score 1) 291

The process of assembling this quote is done by software at the full discretion of the owner of the computer.

So if you want to play that movie or clip on mplayer instead of Windows Media Player, you're of course free not to divulge any information that you're using mplayer - but if the site doesn't get a signed "I'm using Windows Media Player" token, it won't play the video clip in question. That freedom, like the freedom to work or not to work, is worthless if there's an imbalance of power - if all the video sites only want WMP for instance, or if you want to leak evidence of illicit goings-on at your company and the company server will only serve the data to an MSOffice version that can be trusted to stick the document in sealed storage.

How about this solution: put a switch somewhere on the computer. Switch up? Then you can't forge TPM keys. Switch down? Then you can do so at your discretion. If you want protection that is truly for your own good, you'll just leave the switch up (and no virus can forge anything). If the programs you're running start professing allegiance to their owners in preference to you, flip that switch down and bypass them. Sure, lusers may be socially engineered, but if they're that gullible, the malware could do a DoS by instructing them to stick pieces of metal into the closest outlet, too.
If Trusted Computing is truly about empowering the user, then this switch solution should only empower the user more and so there should be no opposition to it beyond the social engineering complaint.

Comment Re:No, Thank You, Dear Government (Score 1) 291

I've consulted for a bank, and here's the dream : full offline money. If you have a TPM they will manage your account in your laptop (or phone, or ...) and have full offline payments. Because the TPM will only give their program access to the data, they can still prevent you from simply adding money in your own account, while allowing fully disconnected payments to occur which the bank will only find out about weeks after the fact (and so can you on other's computers of course).

That sounds like a pretty big incentive to find someone with an electron microscope, or if you're part of organized crime, getting your own. It's not like TPM hacks haven't been pulled off before.

Comment Re:Change cannot be stopped (Score 1) 318

O(n^3), not O(log(n)). If it'd been log(n), the demo quantum computers would already be good enough. As for symmetric crypto, any black box search can be sped up to take the square root of the time it would otherwise take, so a QC would have about as hard a time cracking 256-bit AES as an otherwise comparable classical computer would have cracking 128-bit AES.

Comment Re:Wow. (Score 2) 438

As a culture, we find that the most appropriate treatment of people who have a criminal psychosis is to isolate them and help them, forcibly. We also find that they are not "wrong" and don't need to be punished, but require help. I don't readily see how an act of violence in this case is a critical point where we force help on the unwilling. So, why not force it earlier and prevent the violent acts?

To be a devil's advocate right back (angel's advocate?):

The danger is that preemptive treatment of, say, schizophrenia, can turn into preemptive treatment of sluggishly progressing schizophrenia, were the government to become sufficiently corrupt.

There's also the usual Bayesian argument: if the pre-crime test has 0.1% false positive and negative rate, and there are 10 terrorists in the US, the test is useless, even though 0.1% sounds really impressive and could convince lawmakers. For ordinary crimes, it would still claim a lot of innocents to be suspect.

Comment Re:Bad summary as usual, I don't see it (Score 1) 619

From there, I want to expand the do not call registry. Right now, it only covers telemarketers. I want to also ban solicitations from charities, surveys, and political groups. I want a "leave me the fuck alone" registry. If you aren't one of my friends, customers, or suppliers, or someone I've given permission to call, then I don't want to talk to you.

How about a "do call" registry? Ban solicitations from said marketers, charities, surveys, political groups, et cetera to any number not on the list, and have all new phone numbers start off-list.

Comment Re:How else could boot hacks be prevented (Score 1) 389

You're not hacking at the BIOS level, you're hacking at the bootloader level. But even if the malware were to try to tinker with the BIOS, that vaunted TPM could just deny it access to that part of the CMOS (or flash or what it is that holds the key/hash). So the UEFI would work like this: in either its own flash or in CMOS, there's a region that stores a hash or set of hashes. The computer comes with the hash for well-known bootloaders and, on boot, checks if the loader hashes to one of them. If not, it checks if it hashes to the user override. If neither, then up goes the warning -- and if the user presses "accept", the new hash gets loaded into the user override field. In any event, after this has been done, the TPM (or UEFI, or whatever is responsible for it) locks access to that part of flash or CMOS so that it can't be attacked from the outside.

Comment Re:How else could boot hacks be prevented (Score 1) 389

Yup, the SSH way. If the bootloader changes, pop up a "WARNING: key has changed!" text, with a revert-loader option. If the UEFI is passworded, require the user to input the password if he wants to proceed without reversion. This means that corporate desktops won't be compromised this way (since the end user doesn't have the password and Mitnick doesn't either), and should give other users some reason for concern. If the other users press "go on ahead" anyway, well, there's only so much you can do against a dancing bunnies attack. As another poster pointed out, if users are that gullible, the malware could just as easily do a denial of service attack by asking the user to stick a fork into the nearest outlet.

Comment Re:An easy solution (Score 1) 152

Let's try that again. The original poster's point is that if you want a Magical Zero-Emissions Hydrogen Storage System, you just take the hydrogen you were to use, combine it with carbon (from CO2 from the air), then ship your hydrocarbon around. The guy at the other end then burns the stuff and the CO2 you used is released back into the air. Voila, zero emissions.

(I still think sodium or lithium borohydride would be a better reversible energy carrier, as it has a greater energy density than gasoline and can be easily used in direct borohydride fuel cells, but first they have to get the "recharging" working at better than 10% efficiency.)

Slashdot Top Deals

Work continues in this area. -- DEC's SPR-Answering-Automaton