Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:Ah yes (Score 1) 39

Security bulletins aren't a great way to track how secure or insecure software is. The best way to do that is with the CVE system. Microsoft (and most other vendors) log publicly and privately reported vulnerabilities as CVEs and link to the CVE when describing vulnerabilities.

My hope is that this change will eliminate some of the pain of running down security bulletin data. Right now if someone asks you if you are patched against MS16-040 you have to go look that up, look up each individual KB inside that, see which ones have been superseded by other updates and check that against your CMDB. Making that simpler would be a win-win.

Full disclosure, I work for Microsoft as a dedicated PFE. The above is my opinion and hope, not paid shilling.

Comment Re:One time pad (Score 1) 138

You update the code as you exhaust it.

For the highest level security you can physically deliver new codes. Thus meaning the code will only be compromised if intercepted. And if it is intercepted... physically... you just invalidate the new code and deploy another one.

Again this is used for the highest level security already. Nuclear launch codes work this way. You can't crack them. If I told you what all the past launch codes were, you'd have no idea what the new launch codes are. The codes don't repeat. Once and never again.

Comment Re:One time pad (Score 1) 138

... It is assumed that the opposition doesn't have physical access to your system or the target system. Rather the assumption is that the encryption is required any other system besides the origin and destination of the message. If you need to secure things so that your own system isn't compromised then you're basically fucked via the first rule of computer security...

Physical security. You either have that or kill yourself.

Comment Re:One time pad (Score 1) 138

Doesn't address the quantum aspect of the query. Define the danger of quantum cracking?

Do you know how that is supposed to work? If you think your 256 bit key is going to hold against what that promises to be then maybe you should look that up.

That said, I haven't seen any practical evidence of it actually working. So maybe it doesn't matter.

Your sad dive into rudeness however is unfortunate. Why is your ego so small that when your obvious autism is revealed you have to lash out.

Calm down, dude. You're autistic. It's okay.

Comment One time pad (Score 1) 138

If you want unbreakable crypto... One time pad.

and here someone says "but MOOOOOM its hard!"... no it isn't.

How many gigs of communication do you need to secure per device? Lets presume that there are LEVELS of security that can be secured with varying levels of security.

Naturally it is impractical to secure everything with the one time pad type encryption. Which to be clear would be a very large file stored on the sender and receiver and the data being encrypted would use only a portion of that seed data to randomize the information you wanted secured. And any portion of the "pad" that was used would be blacklisted from future use. So what would I use with something like this? Well, how about using the one time pad to encrypt new encryption keys. Thus encrypt/decrypt keys, seeds, etc would be secured by one time pad. Transferring the new pad could be done physically if this is really high security thus bypassing networks that are demonstrably compromised enough that you want to encrypt your data over them.

One time pads are already used by the government for the highest level security. Nuclear launch codes for example are one time pad. A lot of the shoe leather and handshake intelligence networks run on one time pads.

There is no reason we can't translate this even more easily to the digital sphere than it is in the wink and pistol sphere. Let us say you have a file that contains something like 32 gigs of randomized "one time pad" data. Using 1:1 encryption that could encrypt 32 gigs of data you want to secure. And breaking it would be basically impossible. No repeating patterns. You need the one time pad data to decrypt. Period. Look at text messages from cell phones. If we WANT to be efficient with our data transmissions, we can be.

Let us say what we want to do is sync two databases over the internet and the data in these databases is very very sensitive. Now we could use the one time pad data sparingly... passing only some data through that system. Maybe just encrypt/decrypt data for some other encryption scheme. Possibly certain aspects of the data would be encrypted using one time pad. Maybe not all the data being synced has the same security clearance. The point is that if you need to be efficient about it, you can be.

And if you want encryption that can't be broken. One time pad.

Now I assume that isn't what they want. They want some fire and forget, cheap as dirt, flawless, idiot proof system they can slot into the system and stop thinking about this ever again.

That is a fantasy. I don't see that happening.

Comment Re:I am not going to complain (Score 1) 181

>> Honestly, if they did employ a dozen or so people to do really good translations between articles in major languages, I'd be all for that. But they're not.

They are working with to do this. The translations, individually, aren't great but duolingo spins an army of drones across them until you have good content.

>> It's already been established that hosting only costs them about $2M/year. A few administrators are not adding much to that.

One does not run the 6th busiest site on the internet with "a few administrators." There are developers, QA, deployment engineers, support engineers, huge network infrastructure, server engineers, corporate it to support all of that, and accounting, HR, and legal to support that. An enterprise of this size is non-trivial.

Looking at it another way, Wikipedia is #7 on the list of busiest sites on the internet. Twitter is #8. Do you think twitter runs on 95m/year?

Slashdot Top Deals

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (1) Gee, I wish we hadn't backed down on 'noalias'.