Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×

Comment Re:Vive le Galt! (Score 2) 695

BitcoinAverage is probably the best place for "the" price of bitcoin. It mains a weighted average of all the exchanges, based on volume. They also document which exchanges have been excluded from their list, and why. In the case of Mt Gox, it hasn't been included in the weighted average for a while, as withdrawals have been dead / dying for a very long time.

Comment Re:Liberal strategy (Score 1) 1144

Yeah, "votes of no confidence" and various fail-safe dissolution rules are two things which I really feel the US government would benefit from. It'd a great way to hold their feet to the fire. That and some other voting system like Instant Runoff. It's weird, because the US Constitution has got pretty much everything else and the kitchen sink thrown in there.

Comment Re:Money for his defense (Score 2) 294

Bitcoin is a rather complex protocol (which I'm not 100% on), so the following is a bit of simplification...

Bitcoin operates as a gigantic transaction ledger (maintained by majority concensus), which tracks the movement of bitcoins between arbitrary psuedonoymous "addresses". To create an address, you generate a ECDSA public/private key pair. The public key is the address, anyone can transfer bitcoins to it. The private key is the control, only someone who has that can move money *out* of that address. The wallet file is essentially just a list of those pairs. If you started using a backup wallet file, you'd have control over all the addresses it has private keys for. If you've emptied any of the them since that backup was made, you'll still have control over the address, there just won't be any money there :)

There's a second (wonderfully useful) wrinkle, though. Due to the nature of ECDSA, you can derive additional public/private pairs from the initial pair, in a deterministic fashion. This allows you to have one master "seed" (e.g. a nice long passphrase) which can be used to generate unlimited public/private keys, without it being obvious that they are even connected to each other. And all you need to take control of any of them is the initial seed value. This means many bitcoin "wallets" are in fact just the seed passphrase... so if you keep it in your head and nowhere else, you have complete control over an unlimited number of addresses, without having to make *any* backups.

Comment False Dichotomy (Score 5, Insightful) 630

I'm sorry, but the entire premise that there is one "best" open source license is completely wrong. Where did this obsession arise to see one license crowned victor over all others, in all situations?

BSD (and MIT and variants) -- I've found they work best for providing backend and reference libraries, which by their nature are trying to provide a standard implementation of something, or at least a standard API. Open and closed sourced projects alike can use and modify it to suit their needs. This means such a library gets the widest adoption over the alternatives (all other factors being equal). This is especially great for server-side programs which want to promote multiple third-party clients - just release a BSD reference client.

LGPL -- A step down, for when you want the adoption level of a BSD license, but your project is complex and high maintenance enough that it needs to keep all the developers focused on a single api and codebase in order to thrive. Graphics libraries like GTK, audio processing libraries like LAME, are a great example of this.

GPL -- Finally, for the same reasons as LGPL, your want everyone contributing back to a single codebase, whether it's because you don't want to give the codebase away to closed source products that then profit from it, prevent brand confusion, or just maximize developer contributions. Mind you, closed source projects *will* choose an LGPL/BSD alternative over this or closed source, so it doesn't make much sense for libraries, etc. Primarily, this is useful for applications, which are vying for user (not developer) eyeballs.

So given they all have different uses that fit better for different project types and target markets, who in their right minds thinks only one of these licenses is correct?

Comment Need a serial hybrid, not parallel (Score 1) 700

What they need to start doing is sell electric cars with a small, removable, high-efficiency, gas turbine generator for charging.

Build an easy-attach mounting point inside the trunk, with hooks for intake, exhaust, and connection to the battery.

You could leave the thing sitting in your garage 3/4 of the year... and plop in it there when you need to go on a trip. Then you've got the best of both worlds (outside of losing some trunk space).

I suspect (IANA engineer) that you'd have a bunch of weight savings from an engine dedicated to charging the car rather than having the power to push the car directly. Also, the engine could be optimized to always run at it's most efficient RPM, rather than going all over the place during stop-n-go traffic.

Comment PBKDF2 (Score 5, Insightful) 61

I find it kind of odd that all of the analyses linked to in this article go on about SHA512-Crypt, BCrypt, SCrypt, etc, and the slideshow even talks about "Key Derivation Functions"... yet there doesn't seem to be any mention or comparision of PBKDF2-HMAC-SHA512 as a valid password-hashing key derivation function, despite it's widespread use, and that it's one of the core architectural components used in the design of SCrypt.

Comment Re:ALREADY DONE (Score 1) 120

A developer enters a market and wonders aloud "There are 12 conflict libraries, which one should I target?"

His friend replies: "You know, we should write a single library to abstract away all those differences, so everyone can just target 1 library!"

"That's a great idea!" the developer exclaims.

Now there are 13 conflicting libraries.

Comment Re:Price Point (Score 2) 127

it's kinda funny, but webOS comes/came pretty close to what you're describing. Root was accessible by enabling "dev" mode through a special but officially documented code (the konami code for some versions), no cracking needed; the underlying linux os had a number of gnu tools already, and you can use the ipkg framework to install more; then there's Preware, a still thriving open source community / app catalog tool full of free unsigned apps and OS patches which palm and hp both officially sanctioned. The main limitation was that some of the hardware wasn't that well documented.

sigh. My only hope now is that android one day becomes as easy to mod, so getting python and an ssh/http server on my next phone is just as simple.

Comment Re:Not Amazon! (Score 1) 72

Relating to webOS phones... I regularly have 8+ browser pages open on my Palm Pre, and I can switch between them quickly with barely a glance and a couple of idly placed swipes with my thumb. I can't think of another ui that would make that work... even on a tablet, the "tabbed browser" interface is clunky. If they'd make a version of Android with 1) that interface, 2) webos's lack of jailbreaking, 3) something akin to Preware and it's offerings... I'd be a lot happier about switching to an Android phone when my Pre breaks.

Comment Re:Not really cracking the passwords. (Score 3, Insightful) 165

Actually, the fact that OSX uses SHA512 makes it easy to crack the password (compared to the alternatives).

OSX uses SHA512(salt+password) to generate it's hashes. SHA2 was specifically designed to be highly parallelizable and fast on modern processors, which means brute force attacks are going to proceed very quickly. And as time goes on, and average processor speed increases, that amount of time per cpu (and per $) keeps dropping.

There are four modern password hashing schemes worthy of note: SHA512-Crypt (this is NOT simply SHA512), BCrypt, PBKDF2, and SCrypt.
All of these schemes use a variable number of rounds of their underlying cryptographic operation. This allows the algorithm to stay the same, but the cpu-cost to be increased per hash as computers get faster, or if a user is particularly paranoid and wants to make it take longer to crack.

Many of them (such as PBKDF2) even have properties that make them resistant to preimage attacks on the underlying hash function.

Finally, SCrypt has the unique property of being "memory hard"... it's rounds don't just require a certain amount of time, but a certain amount of memory*time. This makes parallelizing the attack much more costly, as each CPU has to get it's own dedicated amount of memory for the attack.

All of the above are so much tougher to brute force, that the cost of OSX's hash scheme is barely worth notice by comparison. I'm not sure why OSX is using what it is... Linux uses SHA512-Crypt, BSD uses BCrypt, WPA2 and many other things use PBKDF2... all would have been better choices.

Comment Notary Servers (Score 1, Interesting) 163

Just to provide some links to the "alternative approach" mentioned in the summary:

* The Perspectives Project spearheaded the concept of independant notary servers instead of a chain-of-trust.

* Convergence is another spin on the same concept, by Moxie Marlinspike in fact. (Not sure if it's compatible w/ Perspectives, but I think it is)

Slashdot Top Deals

If they can make penicillin out of moldy bread, they can sure make something out of you. -- Muhammad Ali