The Internet

New SWEET32 Crypto Attacks Speed Up Deprecation of 3DES, Blowfish

Researchers "have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft," reports Digital Trends. Slashdot reader msm1267 writes: New attacks revealed today against 64-bit block ciphers push cryptographic ciphers such as Triple-DES (3DES) and Blowfish closer to extinction. The attacks, known as SWEET32, allow for the recovery of authentication cookies from HTTPS traffic protected by 3DES, and BasicAUTH credentials from OpenVPN traffic protected by default by Blowfish.

In response, OpenSSL is expected to remove 3DES from its default build in 1.1.0, and lower its designation from High to Medium in 1.0.2 and 1.0.1. OpenVPN, meanwhile, is expected to release a new version as well with a warning about Blowfish and new configuration advice protecting against the SWEET32 attacks. The researchers behind SWEET32 said this is a practical attack because collisions begin after a relatively short amount of data is introduced. By luring a victim to a malicious site, the attacker can inject JavaScript into the browser that forces the victim to connect over and over to a site they're authenticated to. The attacker can then collect enough of that traffic -- from a connection that is kept alive for a long period of time -- to recover the session cookie.
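To put numbers on "collisions begin after a relatively short amount of data", here is an added example (not code from the summary or from the SWEET32 researchers) that applies the standard birthday approximation to 64-bit and 128-bit blocks, derives a per-key data limit, and flags 64-bit ciphers in a configured cipher list. The marker substrings and the sample cipher names are assumptions chosen for illustration.

```python
import math

# Block sizes in bits; the 64-bit entries are the ciphers the summary names.
BLOCK_BITS = {"3DES": 64, "Blowfish": 64, "AES": 128}

def collision_probability(block_bits, data_bytes):
    """Birthday approximation of P(at least two equal cipher blocks)
    after data_bytes have been encrypted under one key."""
    n = data_bytes * 8 / block_bits                  # number of blocks
    # -expm1(-x) == 1 - exp(-x), but stays accurate when x is tiny
    return -math.expm1(-n * (n - 1) / 2 ** (block_bits + 1))

def rekey_limit_bytes(block_bits, max_probability):
    """Data volume per key at which the collision probability reaches
    max_probability (inverse of the approximation above)."""
    n = math.sqrt(2 ** (block_bits + 1) * -math.log1p(-max_probability))
    return n * block_bits / 8

# Assumed heuristic: substrings that mark 64-bit block ciphers in
# OpenSSL/OpenVPN style cipher names.
MARKERS_64BIT = ("3DES", "DES-CBC3", "DES-EDE3", "BF-")

def flag_64bit(cipher_names):
    """Return the names from a configured cipher list that use a 64-bit block."""
    return [c for c in cipher_names
            if any(m in c.upper() for m in MARKERS_64BIT)]

if __name__ == "__main__":
    volume = 2 ** 35                                 # 32 GiB on one key
    for name, bits in BLOCK_BITS.items():
        p = collision_probability(bits, volume)
        limit = rekey_limit_bytes(bits, 1e-6)
        print(f"{name:9s} P(collision after 32 GiB) = {p:.3g}, "
              f"rekey before {limit:.3g} bytes for P <= 1e-6")
    # Constructed sample cipher list, not taken from any real server.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "BF-CBC"]
    print("64-bit block ciphers still enabled:", flag_64bit(sample))
```

With a 64-bit block the collision probability is already around 39% after 32 GiB on a single key, while a 128-bit block is nowhere near a collision at the same volume, which is why a long-lived connection matters.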

That's a pretty light particle...

i've been studying this for 25 years (as a reverse-engineer from a software background). i've started to have to go to the field of optics to fully understand why it is that this "extra force or maybe a particle" has not been discovered. look up the work by "Ido Kaminer" and his team and you find that (for the purposes of creating "optical tweezers" - google it) it's possible to create phase-coherent X-Ray beams that *LITERALLY* bend in parabolic arcs or even semi-circles, and as they do so the phase rotates by 1/2 the angle of the amount of curvature.

how the hell could that even happen, ehn?

ok, so it goes like this: the phase-coherent beam does "cancellation" such that it curves a tiny bit, but this is the crucial bit - as it moves forward the phases REMAIN COHERENT which is pretty frickin awesome.

now, it's not so hard to imagine that photons (x-rays) could conceivably be created which are so totally phase-coherent that they *LITERALLY* come back to their starting point, and thus (because light has no friction) continue circulating forever. what would we call this? well.... i'd call it... a particle!

what types of particles would you call it? well, we know from radio that you have something called I / Q (which is to do with phase), and i *believe* that if the majority of the photon's phase is in the "real" numberspace you'd end up with an electron, but if it's imaginary it would be a NEUTRINO. utterly hard to detect.

the implications of this quite rational and logical progression are enormous - because it's not the only particles that could have such "imaginary" or complex-number properties, totally invisible to us because they *DON'T* interact in the normal E/M field but they'd only really start to interact at the atomic particle distances.

my feeling is that neutrons are *NOT* a "neutron" but may in fact be a "neutron-atom-with-an-orbiting-neutrino". further, that just like with Hydrogen (H2) there's no reason why two neutrons would not bond together in a Neutron-2 "atom"... utterly impossible to detect, being both chemically stable as well as electrically and magnetically invisible... *this* i believe is our missing "dark matter".

it's a huge logical chain of progression but i haven't seen any evidence which contradicts anything in the chain. the only problem is that there are too many scientists worshipping the "Church Of The Standard Model" or should i say, "stuck for funding if they stray outside of the Standard Model Holy Grail". it thus becomes extremely hard to interact with them (i've tried) as they have literally zero common ground for discussion (not enough experience with the field of Optics), the people in the field of Optics don't have enough interest in particle physics... gahh :)


Canadian Fined For Not Providing Border Agents Smartphone Password

Reader da_foz writes: A Canadian was reentering Canada when he was arrested and charged with hindering or obstructing border officials. At the time traces of cocaine were found on his bags and he was carrying $5,000 in cash. He provided his smartphone to border agents as requested, but refused to provide the password. Canada Border Services Agency officials asked for Philippon's smartphone and its password. From a report: "He handed over his BlackBerry but refused to disclose the code to access the phone. Philippon was arrested and charged under the federal Customs Act, accused of hindering or obstructing border officials." It is unclear if he provided the password while agreeing to the fine.

License


the consequences that we've seen from google's failure to use a self-protecting license include:

* companies incorporating GPL'd code into Android (particularly video players) and not releasing the source
* performing DRM or other lock-downs ("Tivoisation") and in the case of qualcomm ending up with 900 million devices that are basically landfill
* causing confusion in the minds of corporations over the fact that the linux KERNEL (and u-boot) is still GPL'd

do i need to continue the list? i don't but i believe a reference to mjg59's list is appropriate:

google seems unable to comprehend the severe detrimental consequences of its actions, and the effects that their decisions have on the rest of the software libre community. i appreciate that they're an advertising company so are required to maximise the effective distribution of devices so that they can thus maximise the number of devices through which they can advertise, but pissing all over the free software community that MADE IT POSSIBLE FOR THEM TO HAVE A BUSINESS AT ALL is completely unethical, not to mention the detrimental consequences and money that users have to throw away when devices turn out to have major security flaws that the designers CAN'T FIX IN THE FIELD.

solving the wrong problem

y'know... it occurs to me that seeing CENTRALISED trust mechanisms break down really is no surprise, at all. it's a simple mathematical equation which can be explored by doing e^(1/N) * N where you increase N, then make a tiny *tiny* change in the 1/N value. so E^(1/100,010) * 100,000 for example is drastically divergent from E^(1/100,000) / 100,000. point being: the more you CENTRALISE trust, the greater the chance of it being violated (exponentially greater)

solving this will take moving away from CENTRALISED trust to DECENTRALISED trust. does anyone remember keynote (an IETF RFC), or advogato, or even the moderation system behind slashdot, and how effective those are? we really really need to start moving to things like blockchain. as in, don't arse about expecting the incumbents to move to blockchain (because they have financial incentives not to do so) - just move to blockchain-based SSL Certificates.

one size does not fit all

Perhaps you aren't aware how low the low end of the Intel processor linecard goes? In particular, see the X3-C3230 and X5-Z8300.

i wasn't! oh _good_ - the collaboration between rockchip and intel actually produced results. why the hell didn't my contact at intel get in touch?? ok *sigh* i'll speak to him and find out if they have a reference design.... that *doesn't* have the backdoor co-processor in it....

right. interesting. the "brief" - and by brief i mean "so sparse and devoid of information it's pretty useless" - says that it was released Q1 2015. i believe it wasn't long after this that intel announced the COMPLETE TERMINATION of their involvement in the smartphone and tablet industry.

now, whether that applies to the rockchip collaboration remains to be seen. anyway, thank you for making me aware of this one, i'll keep an eye on it.


one size does not fit all

Funny, I can buy an entire tablet (it has "memory, storage, processor, hdmi output, usb output *and* casework" and also screen, battery, cameras) with a latest-generation quadcore Intel processor and more storage for the proposed price for the SBC alone (no case).

i trust you understand that that was vs a desktop PC intel processor. i've seen this next type of comparison before as well (a lot) - another mass-produced mass-volume well-established manufacturer product vs an early concept libre and privacy respecting crowd-funded one. ... doesn't really mesh, does it? :)


one size does not fit all

by total contrast we're creating the beginning of a comprehensive eco-system of hardware re-use which *happens* (through direct correlation) to both save money for end-users and also reduce e-waste.

In defence of the Raspberry Pi foundation's work, the ecosystem (peripherals, software, community) is what sets it apart from the sea of samey Allwinner-based SBCs. I really hope that the ecosystem you're building is as successful!

yeah it was the price-point for the feature-set at the right time that really got people's attention, in the same way that the $9 CHIP has grabbed people's attention now... but less so *because* the pi already exists.

so that area is "sewn up" and over-saturated. that's not *the* reason why i have taken the approach that i've taken - it's a different story, tackling a much larger set of systemic and underlying problems in the way that we (world-wide) think of and "consume" our computing appliances. never liked that word "consume". like, "how's that PCB tasting, sir? need some ketchup? how about some steel-reinforced dentures?"... :)

the sunxi community then helped take that initiative over, they've been working non-stop now for years to pressurise allwinner

I hope they have more luck with that than with their software. With all due respect, the linux-sunxi tools are poo, and are (in my experience) a big part of the reason most Allwinner SBCs are found running Android.

yeah if you don't receive any funding and have to do stuff part-time... nobody's very happy with allwinner, but the price-point on their SoCs and the overwhelming marketing success in China is extremely compelling - GPL-violating or not. but, y'know what? they're getting there. oliver and the team have managed to get most of CEDARX reverse-engineered, which is deeply impressive. must add that to the TODO list...

Same stupidity from the 90's

As a consumer, yeah! I am not a bank. And seeing your prices. pfff...

Thus basically you're asking people to fund with a zero interest loan, not only your pet project but also your education.

absolutely correct on both counts (despite the clear hatred, jealousy and patronising in your voice which can be detected from the use of the word "pet"). that's exactly how ethical crowd funding projects work. the unethical ones such as the pi-top and many of the china-based 3d printers that steal marlin GPL'd firmware, they teach people a hard lesson... but it's still education. as a software libre developer i will be documenting everything so that other people can learn, just as i learned from the openmoko, openpandora, ben nanonote, neo900, and many many more.

And you use words like "project that's entirely transparent", but the majority of the funds goes towards NRE (which could be anything)

What critical phase? You telling me that only 250 units will maybe be produced as prototype and then there is this magical critical phase?
How transparent are you...



i don't understand your point, i'm having difficulty interpreting the meaning, it's obscured by sarcasm. could you please clarify, perhaps by dropping the sarcasm, it's getting in the way of what you want to say.

What are the success criteria?

Excellent and substantive response, though you ["ikcl", but not sure of your relationship to the project] sound a bit defensive about it. Considering the mixed success history of such projects (which both of us referenced), I certainly understand why.

yeah no i get it. here's the thing: i am happy to admit that i don't know what i'm doing: that's why i'm inviting people to participate and point things out. if it succeeds, it succeeds as a *group* project, and that's really valuable. the approach that i'm taking seems to be working: we got this far, y'know?

I followed and read some more, but it seems to me that your approach is too orthogonal to what I'm trying to describe. You have lots of detail about how you think you can deliver a certain product with certain capabilities within a certain budget. Those numbers seem too fuzzy for me to trust the totals, and I couldn't find the schedule. Other places it felt like you were diverted by details that should not be relevant at this relatively early stage.

i'm talking to the factory owner online, and planning to go to taiwan (and then to HK and Shenzhen) in september. leading up to christmas the factories are *stupidly* busy, which is why i will go and collect components personally. the critical window of opportunity is between the two new years: that's when i'd like to get the majority of PCB manufacturing done.

but, part of the issue is: if we go beyond the capacity of the current factory, we'll actually have to find another one, and thus redo the entire schedule. i'll also be able to do injection-molding instead of 3d-printing the casework.... so i put down a best-estimate (it's on the crowd supply page at the end) and we see how it goes. i figured that people would be happy to be kept informed of what's going on.

