
Comments


If Java Wasn't Cool 10 Years Ago, What About Now?

Aaden42 Re:A stupid consideration (489 comments)

This is why I LOVE working for a place where coders interview coders. You can put whatever you want on your résumé to play buzzword bingo with HR, but a couple of übers with finely tuned bullshit detectors are going to lay down the gauntlet at your tech phone screen, and doubly so if you make it to a face to face.

If you put a tech [that we care about] on your skills list, and you can’t wax poetic about its finer points in a room with two or three folks who eat, sleep, live, and breathe whatever it is, your prospects are looking rather dim.

We’re especially tough on people who are “tech collectors,” choosing new toys with every project just to mess around with them and gain “experience.” If you picked something new and knocked it out of the park on the project, we’re listening. Why did you take the risk in picking a new thing instead of using something established? Show your work; your justification is more important than your results in this case.

If you’ve left a legacy of barely functional piles of duct tape and baling wire behind you, we can usually see right through you. You *might* be able to pull it out of the fire if you can really convince us you did your best within constraints that are out of your control, but it’s not looking good for you at all.

2 days ago

33 Months In Prison For Recording a Movie In a Theater

Aaden42 Re:Seems like they found something (455 comments)

I think the “irony quotes” on “accident” were enough to imply GP didn’t intend to suggest DUI is actually an accidental occurrence where nobody is at fault.

That said, agreed that community service or something that actually contributes to society makes a lot more sense than having society pay to house & feed him for (near enough to) three years, followed by pretty much ruining his ability to ever be a contributing (IE job holding & tax paying) member of society.

You like hanging out at the movies so much? Fine. Ten hours a week scraping chewing gum off the floors and seats of every theater in town for the next three years. Seems like it should do the trick.

4 days ago

33 Months In Prison For Recording a Movie In a Theater

Aaden42 Re:The real crime here (455 comments)

Ahh, but you have to consider whose perspective of improving society really matters here. If it scares more people into not eroding the *AA’s business model, then it’s a win for the groups that are *really* buying the laws.

4 days ago

33 Months In Prison For Recording a Movie In a Theater

Aaden42 Re:The real crime here (455 comments)

How do you enforce a nonviolent sentence?

Easy: By ordering a more compliant entity that has a financial relationship with you to comply on your behalf.

Government: "Pay me a $1000 fine."

Offender: "No."

Government: “Offender’s Bank: Give us $1000 from Offender’s account (by seizing every penny deposited for the next 10 years immediately in priority over EVERY other debit if necessary) plus an extra penalty for non-compliance.”

Offender’s Bank: “Okay, here’s your money, and BTW we’re taking our own fee for enforcing this, and of course we’ll charge them for every overdraft fee that results from draining their account.”

Offender: [sobs pathetically] "How am I going to pay my rent or car payment or buy food now?"

--- Or alternatively if no bank accounts: ---

Government: "Offender's employer: We're garnishing offender's wages. Give us the next $1000 you were going to pay offender, even if that means he doesn't see a penny for a paycheck for the next two months."

Offender's Employer: "Okay, here's your money, and BTW thanks for letting us know our employee's a thief. We’ll be looking to replace them ASAP.”

---

See: Civil compliance and no truncheons necessary. There will almost always be someone with more to lose than you and less desire to stick it to the man. They’ll comply so you don’t have to.

4 days ago

UK Police Warn Sharing James Foley Killing Video Is a Crime

Aaden42 Re: Jurisdiction 101 (391 comments)

That the police say something is illegal isn’t enough to get you thrown in jail.

*Possibly* not enough to get you sentenced, but I’m assuming the UK criminal justice system works much the way the US does in that the police can arrest you for pretty much any old thing they want. You get to cool your heels in a cell until they get around to a bail hearing (he’s a ter’ist! No bail!) and then you need to prove your innocence(*) before they release you.

Yes, when it works out the way it’s supposed to, you do actually have to break a law before you end up in PMITA prison, but the distinction seems somewhat academic when you’re in jail trying to figure out how to afford a lawyer to get you out.

(*) “Innocent until proven guilty” has such a nice ring to it, but let’s be honest here, shall we? In reality the moment the cops decide they like you for something, you’re fighting to prove your innocence a lot harder than they have to fight to prove you’re guilty.

4 days ago

Yahoo To Add PGP Encryption For Email

Aaden42 Re:Awesome!! (175 comments)

You get end to end encryption with just PGP.

Nope. SMTP envelope sender & recipient plus all the headers are still in the clear if you skip TLS. Metadata...

Network stacks don’t have anything to do with PGP

Sure network stacks don’t do PGP. Not sure what that has to do with SMTP which is an application level protocol common on TCP/IP networks and only a tiny part of the entire stack.

SMTP servers currently tell each other about encoding capabilities they may support. The receiving server may tell the sender for instance that it supports 8BITMIME. A sending server which sees that capability may react by not base 64 encoding the message if it contains UTF-8 characters. The sending server makes a decision immediately before transmitting content (after connecting to the remote and saying "EHLO") on what encoding it should apply.

Adding some indication of PGP to the SMTP capabilities might trigger similar behavior. The sending server could encrypt using the recipient’s public key transparently without requiring any user intervention or access to any private key material. That change could be implemented with an RFC similar to RFC 6152 which covered 8BITMIME. An admittedly more in depth change might enhance SMTP to allow the server to provide a recipient’s key ID if available in response to the "RCPT TO" command.

about three weeks ago

Yahoo To Add PGP Encryption For Email

Aaden42 Re:Unlikely, if they control the key (175 comments)

And a binary copy of PGP could be trojaned to send your decrypted private out somewhere or steganograph it into the ciphertext the second you provide your passphrase. You need to trust your implementation to handle your key in a responsible manner. All I’m saying is that by depending on Javascript to do the math, it’s possible for the system to be designed such that your decrypted private is never present on Yahoo’s servers but only on your own hardware.

You still have all the usual problems of infected machines, using the coffee shop’s computer with half a dozen key loggers conveniently preinstalled for you, etc. You also have to trust that Yahoo won’t ship your key off the second you furnish the passphrase, but if that’s what they have in mind, they won’t even bother with doing any of it client side anyways.

There’s always room for insecure implementation (whether accidental or intentional), but there’s no reason this system can’t be *designed* in a secure manner. And if the crypto is done in script on the client, it’s possible for that script to be audited to some degree by interested parties.

about three weeks ago

Yahoo To Add PGP Encryption For Email

Aaden42 Re:Awesome!! (175 comments)

I’m well aware of the difference between SMTP+TLS and PGP. I’m not missing the point at all. TLS & PGP have nothing to do with each other. They’re encryption at two different levels of the stack. You need to use both to get proper end-to-end encryption of message contents and to protect message contents not only from observers on the wire but also observers at the mail host.

TLS (done right) prevents MitM between Yahoo’s SMTP and (let’s say) Google’s. If Google’s server advertises that their stack deals with PGP correctly, Yahoo can use that as a cue to encrypt the message content and pass it over the already-encrypted TLS connection. The SMTP conversation would always be TLS encrypted, but a part of that conversation can signal to the sender that encryption at the message data level would also be handled properly by the rest of the software stack behind the receiving SMTP connection. That’s blurring the layers, but it’s not unreasonable for a primarily webmail host to signal their user agent’s capabilities as part of the lower SMTP conversation.

Granted, that’s piling on a lot more processing than would typically be done during the SMTP conversation, but it’s doable. You don’t even need anyone’s private key at that point. The sender’s private was used to clear-sign every message sent (presumably in Javascript on the client side). If the sending SMTP server determines the remote can deal with it, then it needs to obtain the recipient’s public key and encrypt the clear-signed message to it before sending the PGP encrypted message over the TLS encrypted connection. The benefit there is that Google’s stack never gets to read the plaintext of the message.

about three weeks ago

Yahoo To Add PGP Encryption For Email

Aaden42 Re:Awesome!! (175 comments)

Yahoo has led the charge before in enhancing email standards where bare SMTP wasn’t adequate. They were fairly early adopters of things like DKIM and helped push the industry to support it. If you want to do something that really does have a fallback route, it wouldn’t even take a standards change to have receiving SMTP servers advertise crypto as part of the SMTP capabilities response.

Granted, it’s a big hit to security if your message is encrypted or not based on the remote mail server, and there are ample opportunities for MitM attacks to cause crypto to be dropped where it might otherwise be supported (so we’re back to trusting TLS keys). That coupled with public PGP key registries offers some options for intelligent fallback behavior while still providing encryption for messages where both sides are capable of dealing with it.

about three weeks ago
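The EHLO capability negotiation discussed in this comment and in the earlier "Re:Awesome!!" comment on 8BITMIME, as an added Python example that is not part of the original comments: a sending server parses the peer's EHLO reply, applies the RFC 6152 rule for 8-bit bodies, and then decides whether to use a protection capability opportunistically or to require it, which is the only policy that survives a capability-stripping MitM. 8BITMIME, STARTTLS and the reply format are real; the keyword X-PGP-INLINE and both EHLO replies are constructed placeholders for the commenter's proposed capability, and the downgrade check is generalized to STARTTLS as well.

```python
# Added example (not code from the original comments). Real: EHLO reply
# format, 8BITMIME (RFC 6152), STARTTLS. Constructed: X-PGP-INLINE, a
# placeholder for "advertise PGP support in EHLO"; nothing like it is registered.
HYPOTHETICAL_PGP_CAP = "X-PGP-INLINE"

# Constructed sample replies; the second is what a sender sees if an
# on-path attacker deleted the optional lines, or the peer never had them.
FULL_REPLY = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-8BITMIME\r\n250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n250 X-PGP-INLINE\r\n"
)
STRIPPED_REPLY = "250-mail.example.net Hello client.example.org\r\n250 SIZE 35882577\r\n"


def parse_ehlo(reply: str) -> dict:
    """Map KEYWORD -> params. '250-' lines continue the reply, '250 ' ends
    it; the first line is the greeting, not a capability."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        fields = line[4:].split()
        if fields:
            caps[fields[0].upper()] = fields[1:]
    return caps


def choose_transfer_encoding(caps: dict, body: bytes) -> str:
    """RFC 6152: send 8-bit bodies unencoded only if the peer advertised
    8BITMIME; otherwise base64 them down to 7-bit."""
    if not any(b > 0x7F for b in body):
        return "7bit"
    return "8bit" if "8BITMIME" in caps else "base64"


def decide_protection(caps: dict, capability: str, policy: str) -> str:
    """Opportunistic vs. required use of STARTTLS or the placeholder PGP
    flag. A reply with the line stripped by an attacker looks exactly like
    a peer that never offered it, so 'opportunistic' downgrades silently
    while 'require' refuses to send the message at all."""
    if capability in caps:
        return "use"
    return "refuse" if policy == "require" else "fallback"


if __name__ == "__main__":
    for name, reply in (("full", FULL_REPLY), ("stripped", STRIPPED_REPLY)):
        caps = parse_ehlo(reply)
        enc = choose_transfer_encoding(caps, "café".encode("utf-8"))
        pgp = decide_protection(caps, HYPOTHETICAL_PGP_CAP, "opportunistic")
        tls = decide_protection(caps, "STARTTLS", "require")
        print(f"{name}: encoding={enc} pgp={pgp} tls(required)={tls}")
```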

Yahoo To Add PGP Encryption For Email

Aaden42 Re:Unlikely, if they control the key (175 comments)

It doesn’t necessarily need to do en-/decryption on the server side. Javascript is more than adequate to perform the necessary math.

about three weeks ago

Yahoo To Add PGP Encryption For Email

Aaden42 Even if done badly, might do some good? (175 comments)

Key management’s the thing here of course. If it’s on their server, NSA has it, etc. There are ways the key could be encrypted on server, decrypted only locally etc. Most of those have myriad ways the key could be mis-handled, leaked, etc.

That said, I’m kind of leaning towards this being a good thing, even if its implementation isn’t 100% paranoid geek approved secure. Ultimately if the NSA wants to read YOUR stuff, they’re going to (see: $5 wrench). If we assume Yahoo manages to implement this such that key retrieval is at least inconvenient (for $ufficiently large value$ of inconvenient) to anyone other than the account owner, then it should at least complicate NSA’s blanket “read all the things” approach. If it tips the balance back to the point that they actually have to expend more resources than your grandmother’s chocolate chip cookie recipe is really worth, then *maybe* they go back to only reading very interesting people’s emails without a warrant rather than reading everybody’s. I guess that’s worth half a point?

More importantly, if it manages to turn the seething mob of luddite Yahell users onto the fact that encryption is a thing, and explains to them why they want this thing, maybe the “winning hearts and minds” gambit is worth something to the world as a whole, even if the individuals’ email isn’t NSA-proof. Right now most mothers & grandmothers either have no clue what encryption is, or think it’s something only used by hackers, ter’ists, pr0n, criminals, etc. “Them” in other words. If Yahoo manages to convince a sizable portion of the voting public that privacy has worth, and encryption is a way to ensure that privacy, I think that’s a worthy outcome even if the encryption has flaws. Maybe that opens the door to conversations about the difference between effective and ineffective encryption. Maybe it even brings it closer to socially “normal” for someone who knows what effective encryption is to encourage others to use it without being assumed to be a nutcase or worse.

I hate to advocate selling snake oil, but there *are* an awful lot of squeaky snakes around. Maybe the right salesman can convince enough of the populace they need encryption, then we can worry about offering really good encryption for those adequately equipped to work with it.

about three weeks ago

Laser Eye Surgery, Revisited 10 Years Later

Aaden42 Missing glasses (550 comments)

I went through the same when I changed from glasses to contacts. I’d been wearing glasses for probably 5-6 years at that point. It did take getting used to, but the improvement in vision was more than worth it for me. It was probably the better part of a year before I dropped the nervous habit of pushing my (nonexistent) glasses back up my nose when I was thinking.

As for not going the laser route? Cost, possibility of severe complications resulting in blindness are higher than those of contacts, and the idea of sharks (assuming that’s where they got the lasers?) holding me down and cutting on my eyeball when I’m merely doped up a little as opposed to completely zonked? I’ll pass.

about a month ago

Court Rejects Fox's Attempt to Use Aereo Ruling Against Dish's Hopper

Aaden42 Re:Need a EULA for video (67 comments)

We already have a EULA for video. It’s called “Fair Use.”

If the broadcaster does not agree with that, they are instructed to stop using public airwaves to disseminate their content and go out of business.

about a month and a half ago

Mass. Supreme Court Says Defendant Can Be Compelled To Decrypt Data

Aaden42 Re:I lost the password (560 comments)

While it’s true that they will open a physical safe themselves if you refuse, you can indeed be held in contempt if you have the ability to open a safe and refuse to do so when presented with a valid warrant. The “physical safe” analogy is one of the things that’s (unfortunately) applied as an existing-law analogy to crypto.

The distinction is that in order to get a warrant on the safe, they need probable cause that what they’re looking for (with a degree of specificity) is actually in the safe. That’s less clear with an entire hard drive (though if they’re looking for emails, the supposition that they’re on a hard drive isn’t much of a stretch). In this case, the guy admitted what they were looking for was in the “safe” and he knew how to “open” it.

Seems pretty much like he screwed himself.

about 2 months ago

Mass. Supreme Court Says Defendant Can Be Compelled To Decrypt Data

Aaden42 Re:I lost the password (560 comments)

Just use TrueCrypt on Windows XP. You should be fine.

about 2 months ago

TrueCrypt Author Claims That Forking Is Impossible

Aaden42 Re:I'm confused (250 comments)

Government spooks knocking at your door (virtual or physical) does tend to result in symptoms similar to having a nervous breakdown.

It’s technologically possible to fork the code base, but if the license as provided with the last (usable) version is an impediment to that (and my reading of said license (IANAL) suggests it would indeed be a problem), then you can’t fork the code legally. A fork that nobody can legally use isn’t of much value outside certain small circles.

TrueCrypt was source-available, but it wasn’t Free Software in the RMS sense by any means.

about 2 months ago

Washington Redskins Stripped of Trademarks

Aaden42 Re:Chicago Blackhawks too? (646 comments)

Who gets to decide? Appointed bureaucrats at the US Patent & Trademark Office. That’s who.

about 2 months ago

TrueCrypt Website Says To Switch To BitLocker

Aaden42 Re: Fishy (566 comments)

Won’t comment on unsubstantiated “senior developer” claims, but as for the encrypting malware issue, recovery of older versions of Cryptodefense was possible because the malware itself had a bug which leaked the necessary decryption keys somewhere on the target system. After the bug was made public, future versions of the malware fixed it and are no longer recoverable using that technique. It wasn’t a BitLocker backdoor or similar. Not that I have evidence to contradict the existence of such backdoors, but the particular malware case didn’t rely on one.

http://www.symantec.com/connec...

about 3 months ago
