Comment IP Geolocation is not a science! (Score 2) 153

Just thought I would point that out to any passing FBI operative who thinks that they can go interfering with remote devices without considering international borders.

You may just find yourself falling foul of international treaties initiated by your own government that class this sort of action as cyber-warfare. I just hope the government above the target of your hack is understanding and decides not to retaliate with physical force to your electronic attack.

I for one would find it an interesting exercise in jurisprudence for the FBI to be indicted in a foreign court for cyberwarfare.

Comment Sort of amazed (Score 4, Informative) 527

I accept a few posters going off the deep end, not reading the copy or just plain not understanding the issues, but practically every post with a score missed the point entirely.

This whole issue is just a boring technical matter. The only reason it is news is that politicians with an axe to grind want to make it so.

ICANN has been running successfully as an international corporation with multinational stakeholders for much more than a decade now. Its one remaining tie to the US is the contract that it has with the Department of Commerce to manage internet names and numbers. That contract will lapse unless renewed at the end of September, and ICANN will then carry on exactly as it has been, except without the theoretical DOC control; the US then becomes a stakeholder like everyone else.

Comment Minor Issue!! (Score 1) 194

OK, so let's say this is done, and ISPs are required to have the DNS server's IP as their DHCP autoconfig response.

Questions:

1/ Who will own and operate this DNS service?
2/ What will their DNS request logging retention look like?
3/ Who will have access to those records and with what authentication?
4/ Why are you now thinking this is something from George Orwell's 1984?

Comment DMCA Paramount? (Score 2) 241

Since Ubuntu is covered by the GPL, then removal of links to source and by extension compiled images for comparison is a violation of Ubuntu's GPL, thus copyright infringement, thus the Ubuntu Foundation needs to be sending a DMCA copyright infringement notice to Paramount to take down anything they have or use that could mistake their own rights for those of others protected under the GPL.

Comment Fake Article? (Score 1) 116

So the article did exist, but the claim it made was not substantiated by evidence. This leaves us with two alternatives:-

a) The article is false OR
b) Reality is at fault.

Now don't completely exclude b), because your experience of reality is only available to you via what information you can collect. If the information is incomplete then your view of reality will be at fault.

That said, pretty well everything said by all sides on this 'political' debate is a pile of fetid dingo's kidneys.

Comment This is well known & outside the remit! (Score 1) 31

To be perfectly clear, this attack IS just an update on normal authentication session phishing, where the attacker gets the target to authenticate a copy of the login form while the attacker is the custodian of the associated session cookie. If the user is inattentive it will work with all normal authentication methods and sadly also SQRL et al. when used in remote authentication (QR-Code) mode**. Thus most of these authentication methods exclude it from their designs as being out of scope.

That said, SQRL was not designed to address this currently intractable issue (people are lazy observers), it was designed to address the other big problem (people are bad at picking passwords). It does this by only sharing public information (site specific public key) with the server which it proves with zero knowledge that it has secret information (site specific private key) by signing a random challenge from the server. Which just happens to also have a 1:1 hidden relationship to the login page session cookie.

**Remote mode
This is when you use the QR-Code and client on a device separate from the device the browser is running on. In SQRL it is more common and more secure to have your client running on the same device such that instead of scanning the code you click/tap it and launch the associated sqrl:// scheme link. In that case hard same IP protections are enforced which would then refuse to complete an authentication unless the attacker is also present on the same WAN IP as the victim (a very much less likely scenario).

In closing, all these early zero knowledge and token authentication schemes will be updated soon after release to include methods and means to thwart this normally intractable attack mode but that will have to wait for parts of the client to be migrated into the browser agent codebase, where they can either respond more precisely to errors forced upon the attacker or be able to bypass the attacker altogether (see SQRL-V2 CPS mode).
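The challenge-response the post describes, written out as an added example (not SQRL's own code and not from the post): per-site Ed25519 keys are derived from a master key by HMAC over the domain, the server holds only public keys and single-use nonces, and the signature covers the domain so a key derived for another site never logs in. The domain names and the master key below are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// siteKey: HMAC-SHA256(master, domain) seeds a per-site Ed25519 keypair, so each
// site sees an unrelated public key (mirrors SQRL's derivation; assumed, not its code).
func siteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}
// Server stores only public keys plus the nonce issued to each login page;
// there is no secret here worth stealing.
type Server struct {
	domain        string
	users, nonces map[string]bool
}
func NewServer(domain string) *Server { return &Server{domain, map[string]bool{}, map[string]bool{}} }
func (s *Server) Register(pub ed25519.PublicKey) { s.users[string(pub)] = true }
// Challenge is the random nonce tied to one login page / session cookie.
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.nonces[string(n)] = true
	return n
}
// Login checks the signature over domain||nonce and burns the nonce: a captured
// response cannot be replayed, and a key derived for another domain never verifies.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) error {
	if !s.nonces[string(nonce)] {
		return errors.New("unknown or reused challenge")
	}
	delete(s.nonces, string(nonce))
	if !s.users[string(pub)] || !ed25519.Verify(pub, append([]byte(s.domain), nonce...), sig) {
		return errors.New("unknown identity or bad signature")
	}
	return nil
}
// Sign is the client side: sign the challenge with the key for the domain shown.
func Sign(master []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := siteKey(master, domain)
	return pub, ed25519.Sign(priv, append([]byte(domain), nonce...))
}
```

Note what this does not stop: a relayed login page that forwards the real site's nonce gets a valid signature back and the relay keeps the session cookie, which is exactly the gap the post says remote (QR-code) mode leaves open.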

Comment Warrant Canary - Honey Trap anyone? (Score 1) 193

Seems like we all need something evidentially tempting randomly added by us to our data that is way too good not to follow up, which is in actuality a honey trap.

For example, buried in your email is a URL associated with something like "Don't tell the cops but this is where/how you get the good stuff". If LEO follow this up by browsing to this URL, it captures all the info it can about the visitor and sends it to you or a trusted third party. Which suggests to them that interception is occurring.

Comment Why is this even being pursued? (Score 1) 233

I may be late to this post but I seem to remember, backed up by this page clipping from Apple (https://support.apple.com/en-us/HT204587):
"To configure Touch ID, you must first set up a passcode. Touch ID is designed to minimize the input of your passcode; but your passcode will be needed for additional security validation:
After restarting your device
When more than 48 hours have elapsed from the last time you unlocked your device
To enter the Touch ID & Passcode setting"
Therefore, is this whole case not moot, since 48 hours has most certainly expired since the phone was taken as evidence, thus the fingerprint is not a valid unlock and the legally protected passcode is back in play?

Comment 96% ! (Score 4, Interesting) 110

In consideration of:-

1/ the fact that due to massively expensive texting costs that Brazilian carriers place on customers ~96% of them use Whatsapp.

2/ Whatsapp just happens to offer full e2e strong encryption.

3/ Criminals want to save money also.

So criminals use WhatsApp to communicate, thus thwarting legal interception.

I would suggest to the Judge that the root problem is not Whatsapp but the government supported telecoms carriers who forced this situation to exist.

Also, seriously Judges. Someone needs to go down there and teach them the meaning of impossible.

Comment A password? only for today. (Score 1) 637

Passwords are a passing fad; they've only been around for about 45 years and it is my hope they will be a dead method within the next 5.

For now, I use a long random password with at least 44 bits of entropy (not telling you the character set or length, that leaks too much information). But as I said, the password must die because it is fatally flawed: it relies on having the service store a secret for comparison. Something that can be captured in transit or stolen on the server and brute-force reversed from its hash (if used), then used repeatedly until revoked by an out-of-band repudiation method.

In the very near future only a per-site unique zero knowledge proof of sufficient strength to preclude brute forcing will suffice, thus only public information is present on a server and by the nature of a zero knowledge proof against a unique challenge there is nothing useful to steal.

Comment I cannot believe they still think this is a UFO (Score 3, Interesting) 412

This is a well known optical issue, where a point source of illumination outside the field of view (sun) scatters light off the diaphragm edges inside the lens (almost square when fully stopped down). The light then passes back out the lens to reflect a second time off the front element's inside surface. This results in multiple images of the point source appearing at a point in the frame that are out of focus and appear to drift and merge.

Bet you anything you like, if the camera had been even slightly tilted during that clip the "UFO" would have shot across the frame at an integer multiple of the angular tilt.

This effect, in a slightly different manner for UFO believers, is repeated often when they insist on seeing diamond UFOs in video footage taken with a camcorder at full zoom with the iris and focus on auto. What they see with their eyes is an unfamiliar point source of light (planet, plane etc.); what the camera sees is an out of focus point source vignetted by the iris to a diamond shape, with often the light meter filter giving the bottom half a red or green hue.

Comment Perfect Forward Secrecy? (Score 1) 314

Because this bill would require any vendor, writer or provider of encrypted communications to have a way to decrypt it, it would also require any form of TLS connection to not have perfect forward secrecy. This would mean, like in the earlier DOD era, having separate crypto suites for US use that exclude the option.

I mention this because it is not going to happen; the cat is out of the bag and it would require rewriting the core of every TLS implementation everywhere.
