Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×

Comment Re:git was written when SHA-1 attacks were publish (Score 1) 141

Both happened in 2005. And SHA-2 was published 4 years earlier. So yes, the sky is not falling, and git can be made secure, but it also wasn't really wise to use SHA-1 when git was implemented, first.

As a hash function, SHA-1 was perfectly adequate for how Git works.

All Git uses SHA-1 for internally is to hash the contents of a file to turn it into a unique number. SHA-1 is a nice fast algorithm to do that, and 160 bits offers plenty of space to uniquely identify stuff. It's so good that all the other things are hashed like commits and such and then a Git repository is merely a collection of hashes. A hash at the top we call "head" which contains the SHA-1 hash representing a commit object (it's the SHA-1 hash of said object, actually). That commit object points to a few other objects, the commit before it (the old head) and the SHA1 hash of the tree object. The tree object contains a list of SHA1 hashes that represent files in the source tree, specifically the list of changed files.

What happens when there's a collision? Interestingly enough, not much. If you're trying to check in a file that collides, chances are git won't let you because a file already in the repo has the same hash. If you force the matter (you can chop your history down so a conflict isn't immeidately apparent), then remote repos that pull from you or you push to will simply ignore the conflicting file as they will just assume it references the file already in the repo (you can check out an old version and check it back in - guess what? The hashes will be identical!. You often do this if you revert).

Now, perhaps Git could be made to handle the issue a bit more gracefully if you do happen to check in a file that differs but hashes the same, but in reality it's a rare occurance. Even Linux itself which has a huge history hasn't experienced the issue.

If you want fun, see WebKit, because SVN uses SHA-1 internally and someone corrupted the master repo checking in a test case consisting of two files with the same hash (the test case was to test for SHA-1 collisions in WebKit caching code). Ironically, that repo is offline at the moment.

Comment Re:Trainspotting (Score 1) 37

has anyone seen a torrent link for Trainspotting II
I can't afford a cinema ticket

Then just wait. If you can't afford a cinema ticket, you can wait until it hits the video rental places and then rent it. If that's too expensive, and you have Netflix, you can wait for that too. If you still can't afford that, wait for it to be shown on TV for free.

Comment Re:High value items, use registered mail (Score 1) 132

Not only that, but if it's really that irreplaceable, packaging properly helps.

First off, there should be more than one address label. You'd be surprised how often the one outside the box falls off. The postal service in most first world countries is generally quite good, and will open packages on the hopes that there's something with an address inside.

If it's something that's individually wrapped (like those games should be in case the box gets soaked with water), and they're rare, it doesn't hurt to stick an address label inside the bag as well. Boxes may appear tough, but pass them through the machines and they can very well explode or tear and have their contents spill out. This ensures that as pieces are found they can be forwarded on.

Or at the very least, have a slip of paper inside having an address.

Lack of postage is never a reason to never deliver - if necessary, they'll just collect it, but for postal mail, unless it's customs or other fee, postage itself is prepaid and cancelled by the sender.

I've actually had a parcel delayed 6 weeks, because for some reason, it was shipped from the US to Brazil (!!!). Brazil post then found the misdelivered package and sent it back up to USPS who then sent it to Canada. I found a nice letter inside it saying it was from Brazil and what I could make out was "return to origin country" for re-sorting.

Comment Re:Incriminating evidence (Score 1) 126

Ah that pesky 5th amendment (along with the 4th) and the limits it puts on law enforcement. Finally a judge that seems to understand the constitution.

Not really.

The issue is similar to using a Stingray or IMSI catcher - besides getting "the crook", you're getting a bunch of innocent people who are simply bycatch.

The judge simply knows you cannot force a bunch of innocent people to become suspects simply because they were present near the location. So whether it's unlocking their phones with fingerprints, or using a Stingray/IMSI catcher indiscriminately, most of the people will be innocent and steps must be taken to protect their information and activities.

Comment Re:Only Apple cares about our privacy? (Score 1) 103

Although intriguing and saddening that they've unlocked the iPhone 6 (but not 6s?).

What's more intriguing is that, why are Android phones so easy to break?!
And why is it we never hear from Google/Microsoft wanting to protect its users against government surveillance, unlike Apple. ... I guess everyone is aware that Google is a corporate spying empire, and yet there are people here who still argue against Apple and advocate for Android spyware?

Would you advocate GMail/Hangouts over Signal/Telegram/WhatsApp ?

The interesting thing is how few details there are about how they did it. I mean, why the 6/6s and not the 6+? Given for the unlock requires physical access to the phone, it's probably something they've physically accessed.

And unfortunately, Androids are much easier to hack - back when Apple was fighting the FBI, there was over 600 iPhones needing unlocking. The number of Android phones? Only 20 or so.

First, most Android phones do not encrypt storage by default. iPhones have encrypted it by default since the 3GS (it's why a "clear everything" on an iPhone 2G/3G takes hours, while it's only seconds on models after that - the new way is to just toss the encryption key and regenerate a new key, so it takes seconds and not hours (and doesn't wear down the flash)). So one trick is to remove the eMMC chip and read it out directly. Even today most phones are still not encrypted.

Second, Android App security is good. Android itself, though, is full of security holes making it easy to break in. It doesn't help that OEMs generally screw up and make the machines even more vulnerable. And many security vulnerabilities aren't fixed because of various reasons.

Android's security is slowly improving, but ti's still pretty bad.

Comment Re:don't get confused (Score 1) 126

But as a more practical matter anyway, 10 tries of different people's fingerprints, and the phone will be wiped regardless... so there's a limit to how useful the technique would've been to begin with.


On iOS, you get 3 tries to use the fingerprint reader. If you fail, it reverts to the backup security method (PIN, etc). You cannot use the fingerprint reader until the phone is successfully unlocked via this backup method.

Comment Might want to move providers... (Score 3, Insightful) 63

It might be a good idea to change art hosting providers then... I'm sure every artist has given deviantArt a (non-exclusive0 icense to commercially display and use the artwork shown on the site, which means Wix can use that. And chances are, they'll let customers use some of that artwork on their website, both as a hook and a retainer (because the art can only be used on Wix hosted websites without obtaining a license).

And only Wix has access to unique artwork that only Wix customers can use, so it's more attractive to join Wix.

Meanwhile, everyone who posted art on the site sees their work ripped off and used on customer's web sites.

Comment Re:Social media? (Score 4, Interesting) 177

Because really, however bad the news was, 20 years ago you'd be waiting for the nightly news to find out about it. Several decades before that, you'd be waiting for the following day's newspaper. Now, we're getting constant updates, and those updates may be causing a device in your pocket to vibrate and make noise every time something new comes out. We know that checking all of those notifications is addictive, and not checking causes stress. However, constantly feeling the need to check also causes stress. (human nature)

It's the reason we have the term "FOMO", or Fear of Missing Out. By not being attached to our phones 24/7 we fear we're going to miss big news about something (... almost always trivial in the big scheme of things).

If you hate that term, get used to it - it's a root of the term for the phobia, and as a medical diagnosis.

Comment Re:Are two hashes better than one? (Score 1) 138

Taking the MD5 and the SHA1 of something isn't significantly more secure than just taking the SHA1 of said something. This was demonstrated in 2004 here: This was then further elaborated and improved upon here: So, don't concatenate hashes kids. It doesn't do what you think it does. Using a proper hash from the start is the only safe way to do things. Even if nobody has figured out how to do it yet the math conclusively shows that breaking SHA1+MD5 is not significantly harder than just breaking SHA1. This is why TLS 1.1 and earlier need to go away.

That's for concatenated hashes. As in, you hash the two hashes to form one number, usually by XOR'ing the numbers together. Which can be shown to increase the solution space considerably.

What I've been curious about, is if you maintain two hashes separately.

You have blob X here, with SHA-1 of S(X) and MD5 M(X). Can you find a blob Y with both a SHA-1 of S(X) and MD5 of M(X)?

It's easy to see if you XOR S(X) and M(X) you make it much easier - but what if we kept them separate, so the SHA-1 AND MD5 has to match. (With concatenation, you don't have to match, the final result has to match, but individually inside you have to find a S(Y)+M(Y) that equals S(X)+M(X), and not S(Y)==S(X) AND M(Y)==M(X).

The only concatenation that wouldn't be easier is if you literally concatenated the bytes together - so 128 bits of MD5 followed by 160 bits of SHA-1 to form a 288 bit MD5/SHA-1 hash that enforces the property that the two hashes individually MUST match simultaneously.

Comment Re:mode complexity (Score 4, Insightful) 143

Besides, we already have all the technology we need to keep our data private. It's just that current law won't *allow* us to keep it private. As such, the *laws* need fixing, not the technology.

No amount of technology can keep public information private. And no amount of "privacy controls" will make public information private. (See a pattern?).

In fact, "social networks" and "privacy" are an oxymoron. There is no such thing as "privacy controls". "Privacy Controls" are marketspeak for "encouraging marks to over-share". Yes, Facebook and everyone has done their research - people will share more if they get the illusion their data is protected.

In the end, everything you post on a third party website, is public. Thanks to people screen shotting, re-posting, etc, anything you post is public. Even if it's a party for selected individuals, the people you didn't invite will find out anyways.

The only "technology" to keep our data private is to ... keep it private.

Not that I agree with the border proection asking for passwords. But that's a legal issue that can really only be dealt with legally.

Comment Re:The story of Geohot's autopilot (Score 1) 132

Are there regulations and procedures to prove that it's safe? There were a number of one and two person entries into the DARPA grand challenge.

It's not a terribly difficult problem to get to work 99.5% of the time, but with lives at risk most people aren't too happy with that number. The airline industry has a failure rate of 1 in 10^-13 deaths per passenger mile or something like that.

They weren't even regulations. The government was halds-off the entire thing. They were merely inquiry questions meant to help facilitate the discussion on safe automated driving. The authorities asked because well, they were curious how this system would respond. It was the same set of questions that got Uber's cars out of San Francisco.

It was questions like how would the backup driver system operate in case someone needs to take over, or how to prevent the system from being misused (given the system only worked in a few car models, they were wondering how the hardware would limit itself to those models).

Basically it posed a few questions on how the system would handle safety issues. The NHTSA doesn't care how the system works, what the core technology behind it is, etc. Just a few open-ended questions.

Comment Re:Candy Crush Spotify Tinder Clash Clans (Score 1) 151

You missed a bunch.

Basically check out any app that's advertised on prime time. A prime-time TV 30-second ad slot costs around half of the quarter million (on average - TV prime time slots are usually around $100-150k).

Hell, weren't there a few that advertised during the superbowl ($5M/slot)?

Comment Re:Hi buddy I'm jail over seas and I need you to (Score 1) 33

Hi buddy I'm jail over seas and I need you to Facebook the guard some cash as a bribe so I can get out.

I think that's what we'll start seeing on posts.

You can tag a post and then put on a simple "Pay me now" button so people can read your plea for money and simply get it by clicking a link.

It's one of those things you really wonder why it hasn't happened before. It's one of those its so obvious now it's done things.

Soon you'll have dozens of posts in your news feed "My car broke down and it'll cost $2000 to fix it! [Send Money]" and other woe-is-me stories...

Slashdot Top Deals

There are never any bugs you haven't found yet.