Comments

Metamaterial Superconductor Hints At New Era of High Temperature Superconductors

AC-x Re:I'm not terribly impressed. (39 comments)

Still, that represents a 4% increase in temperature, and also a completely new theory on why superconductors actually work.

about two weeks ago
Metamaterial Superconductor Hints At New Era of High Temperature Superconductors

AC-x Also known as -123.15 C (39 comments)

...

about two weeks ago
How Patent Trolls Destroy Innovation

AC-x Re:How the Patent System Destroys Innovation (97 comments)

Well, to me it's a combination of how patents are used and the fact that too many vague, overly broad and (in the case of software) patents on general ideas rather than specific implementations are granted.

If fewer nonsense patents were approved, or if there were a second class of patents (for software etc.) that had an extremely short term, most of the problems of patent trolling would go away.

There's nothing wrong with an inventor being able to protect an actual physical invention (without protection you'll be immediately priced out by cheap knock-offs), but no-one should be able to protect just a vague idea.

about two weeks ago
How Patent Trolls Destroy Innovation

AC-x Re:Cry More (97 comments)

Patents are supposed to protect specific implementations, not vague ideas. If I patent a widget making machine, someone else can build a different machine that makes widgets in a different way and that's fine. Software patents are the equivalent of patenting the idea of a machine that makes widgets.

about two weeks ago
Google's Driverless Cars Capable of Exceeding Speed Limit

AC-x Re:Left or Right? (475 comments)

Driverless cars will also need to deal with completely different road signage in different countries too. I'd guess it'd just use GPS to work out what country it's in and follow the appropriate driving side/speed limits/road sign rules etc. (it needs to use GPS to know where it's going anyway).

about two weeks ago
Research Unveils Improved Method To Let Computers Know You Are Human

AC-x Re: I get it (91 comments)

HTML5? You don't need HTML5 to animate a few divs moving around, hell it'd be easy enough to make something that works as far back as IE6.

about two weeks ago
Reversible Type-C USB Connector Ready For Production

AC-x Problem?? (191 comments)

The problem is that there are billions of existing USB devices and cables that will need adapters and new cables to work with new Type-C devices. It’s a lot like when Apple released the Lightning connector, but on an even grander scale.

What problem? My existing micro-usb devices won't need adapters, new devices with Type-C connectors will come with Type-C to Type-A cables, and when desktops/laptops start to come with Type-C connectors I'll just buy some new cables.

It's the same situation as when micro-usb replaced mini-usb; I don't remember there being a problem on a "grand scale" then either.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

If the attacker is performing the attack "offline" then you've already lost the security battle. That's the point. If you lose your password database, assume the passwords are all broken, no matter whether you have "must have 3.2 uppercase and 4.35 lowercase letters, 0.6 special characters and as many numbers as you like, so long as it doesn't start or end with a number" rules or let them use plain English sentences.

The point is a decent password scheme will make brute force attacks a lot more difficult. Relying only on "never getting hacked" isn't a good policy, so taking a complete approach to security as a whole (such as also coming up with a better password scheme) will always be better than only concentrating on one aspect. Coming up with a password scheme that is both more secure and easy to remember is one of the big unsolved IT security problems of course.

A hashed " " is as meaningful as a hashed "a" so "cat dog run fast" is better than a very random 8-char password.

Not quite: according to Randall, 4 common words have an entropy of 44 bits (as long as they are chosen randomly). 8 random characters (uppercase, lowercase, numbers) have around 47.6 bits of entropy. If you have a GPU that can chew through hundreds of millions of hashes a second (the record is 350 billion/sec for a 25 GPU cluster) you'd still ideally want more entropy than that though.

about three weeks ago
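
The entropy figures in the reply above can be computed rather than quoted. The following is an example added to this page, not AC-x's code and not Randall Munroe's; it assumes the word list behind the "4 words = 44 bits" figure has 2048 entries (11 bits per word) and takes the 350 billion hashes/sec cluster rate from the comment as the guess rate against a fast, unsalted hash. It generalises the comparison to any alphabet or word list size and adds a longer passphrase so the effect of extra words is visible next to the two schemes from the thread.

```python
import math

# Alphabet and rate values used in the comparison (constructed for this example).
ALPHANUMERIC = 26 + 26 + 10          # uppercase, lowercase, digits
XKCD_WORDLIST = 2048                  # assumed word-list size behind "4 words = 44 bits"
GPU_CLUSTER_RATE = 350e9              # hashes/sec quoted for a 25-GPU cluster (fast hash)


def entropy_bits(symbol_count, length):
    """Bits of entropy when each of `length` symbols is drawn uniformly and
    independently from `symbol_count` possibilities. Applies equally to
    characters drawn from an alphabet and to words drawn from a word list."""
    if symbol_count < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(symbol_count)


def seconds_to_exhaust(bits, hashes_per_second):
    """Worst-case time to try every candidate at the given guess rate.
    The expected time to hit one specific password is half of this."""
    return 2.0 ** bits / hashes_per_second


def compare_schemes(hashes_per_second=GPU_CLUSTER_RATE):
    """Return {scheme: (bits, seconds_to_exhaust)} for the two schemes in the
    thread plus a six-word passphrase, so the numbers sit side by side."""
    schemes = {
        "8 random alphanumeric chars": entropy_bits(ALPHANUMERIC, 8),
        "4 random words (2048-word list)": entropy_bits(XKCD_WORDLIST, 4),
        "6 random words (2048-word list)": entropy_bits(XKCD_WORDLIST, 6),
    }
    return {name: (bits, seconds_to_exhaust(bits, hashes_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:32s} {bits:5.1f} bits  exhausted in {secs / 3600:10.2f} h at 350 GH/s")
```

At the quoted rate both 44-bit and 47.6-bit spaces are exhausted in minutes, which is the point of the comment's closing sentence; six random words (66 bits) pushes the same search into years. The guess rate is only valid for a fast hash, so a deliberately slow password hash lowers it by orders of magnitude, but the entropy of the scheme itself is what the user controls.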
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

You are making a lot of assumptions there; but, ok, I guess...

There are no assumptions here, it's well known that a high percentage of users reuse the same password for multiple sites, including their email. Therefore if you crack an average user's account on a site you've got a good chance of also having their email address password. Obviously having control of someone's email is ground zero as far as getting account credentials is concerned, but even if they use a different password for email there could be connected sites (such as the Sony example in the link) that many users use the same login for, so a breach in a "low importance" service could expose users on a more important service from the same company.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

Your "solution" is poorly thought out and is why nobody does it that way

Banks will lock you out on the 2nd or 3rd failed attempt. A quick Google finds plenty of sites like Paddy Power and Yahoo lock accounts after a few bad password entries.

Most sites at least switch to a captcha after several failed logins too.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

You should still only allow a certain number of failed login attempts for a given username. Sure it's rare to brute force via an online login, but it's worth doing to protect a user's account. Sure it sucks for that individual user to have the small possibility of being locked out of their account temporarily, but it's not as bad as losing their account and also discourages any hacker from hammering your server and taking your entire site down in an actual DOS.

about three weeks ago
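
The per-username limit described in the comment above, as an example added here (not code from AC-x or from any of the sites named in the thread). The policy values, the account data and the injectable clock are all constructed for the example; `attempt_login` refuses a locked username before the password is checked, and the lock expires on its own so the legitimate user is only locked out temporarily.

```python
import time
from collections import defaultdict

# Policy values are assumptions for this example, not figures from the thread.
MAX_FAILURES = 5            # failed attempts before a username is locked
LOCKOUT_SECONDS = 15 * 60   # temporary lock, so a legitimate user gets back in


class LoginThrottle:
    """Per-username failed-attempt counter with a temporary lockout.

    `clock` is injectable so the expiry logic can be exercised without waiting."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: start with a clean slate
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username):
        """Count a failed attempt; returns True if the username is now locked."""
        if self.is_locked(username):
            return True
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Returns 'locked', 'ok' or 'failed'. A locked username is refused before the
    password is checked, so the lock cannot be used to probe for the right password."""
    if throttle.is_locked(username):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


def demo():
    """Scripted sequence against a fake clock; returns the list of outcomes."""
    now = [0.0]
    creds = {"alice": "correct horse battery staple"}   # constructed sample account
    check = lambda user, pw: creds.get(user) == pw
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    outcomes = []
    for _ in range(3):                                    # three wrong guesses -> locked
        outcomes.append(attempt_login(throttle, "alice", "wrong", check))
    outcomes.append(attempt_login(throttle, "alice", creds["alice"], check))  # refused while locked
    outcomes.append(attempt_login(throttle, "bob", "wrong", check))           # other users unaffected
    now[0] = 61.0                                         # lock has expired
    outcomes.append(attempt_login(throttle, "alice", creds["alice"], check))
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['failed', 'failed', 'failed', 'locked', 'failed', 'ok']
```

Because the counter is keyed on the username, anyone who knows a username can trigger the lock for that user, which is the "small possibility of being locked out" trade-off the comment accepts; keeping the lock short and pairing it with the per-IP limits and captcha step mentioned earlier in the thread keeps that cost bounded. The counter should also be reset on a successful login, as `record_success` does, so a user who mistypes twice over a month is never penalised.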
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

So, how does cracking a password on one site gain you any knowledge whatsoever as to where, in the vastness of the internet, that it was used again?

The email address they used to register is the obvious one. They may also have connected social media accounts to whatever site got hacked.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

I fully understood what he put forth and repeatedly stated that it had no relation to the context of my original statement.

Sorry Desler you can't just say I was only talking about dictionary attacks on rate limited login portals, so no-one is allowed to talk about anything else, if you're going to mention dictionary attacks then attacking hashes will always be part of that discussion whether you want it to be or not.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

Indeed, although whatever hashing scheme you have, having a password that's findable in a dictionary attack will always be much quicker than one that needs to be completely brute forced.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

I really don't see how that's true, look at how the thread progressed -

AC1: "[We just need better passwords - eg. a complete sentence]"

AC2: "[That password could be broken by a dictionary attack]"

Desler: "Dictionary attacks can be trivially defeated by [rate] limiting"

Me: "Unless you have the password hash"

Desler: "(Insults) ... But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all."

Me: "[Password hashes are one way only so still need to be attacked, weak passwords are susceptible to brute forcing the hash]"

Desler: "Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker."

Me: "[Rate limiting doesn't apply to brute force cracking of hashes]"

Desler: "(more insults) Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone."

Seriously, between him throwing insults and going on about rate limiting preventing brute forcing a hash, where have I misread what Desler said?

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

So, what if everyone used passwords like that? No doubt cracking scripts would change. But how is a dictionary attack going to work? They can't possibly put every parsable sentence of a language into a dictionary! The example sentence was 11 words. Even if we treated that as a limit, how many sentences can be made out of 11 or fewer words? Certainly there are far more possible 11-word sentences than there are 11 character passwords.

If that were the only password like it in a database that's true, but if we're suggesting a new password scheme that's adopted (like the XKCD several random words password) then a password made from a valid sentence like that would be easier to crack than a nonsense sentence.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

As I originally responded to AC-x, if the attacker already has the hash and can then brute force it, of course what I mentioned doesn't stop them, but that scenario is no different than knowing their phone's PIN and being able to side step any of the very same protections I mentioned that phone OSes use which is to use a lock-out after a certain number of failed attempts.

As I've had to point out many times, knowing the hash is very different to knowing a pin code. Seriously, here's an SHA1 hash, can you reverse it? b6faa93a9e6ca445875c6b5511e2153bb51ef43a

The point you've been missing from the original AC's post is that some password schemes are much easier to brute force (eg. with a dictionary attack) than others. That's completely separate to rate limiting online logins and password resets etc.

about three weeks ago
DARPA Wants To Kill the Password

AC-x Re: There we go again (383 comments)

But the real point is that's got nothing to do with having a password scheme strong enough to defeat a dictionary attack, which is what the AC above posted about.

In theory password hashes can be uncrackable; in practice most people pick passwords that can be cracked using a dictionary attack.

Coming up with a password scheme that is easier for people to remember but more difficult to brute force would be a huge step forward in IT security, and more useful than relying on all websites to never leak password hashes.

about three weeks ago

Submissions

Famous Judge calls U.S. patent system "dysfunctional"

AC-x writes  |  more than 2 years ago

AC-x (735297) writes "Famous U.S. Circuit Judge Richard Posner calls patent system "dysfunctional", wants to have the trial between Apple and Google-owned Motorola Mobility over smartphone patents dismissed with prejudice because "it was apparent that neither side could show they had been harmed by the other’s patent infringement".

His involvement and his anti-patent blog posts could prove to be a watershed moment for a U.S. patent system that is regarded as spiralling out of control."

Journals

AC-x has no journal entries.
