Comments


MIT Removes Online Physics Lectures and Courses By Walter Lewin

AaronLS Re:Sexual Harassment shouldn't cost us knowledge (416 comments)

No I read it correctly, and if you come to me and say I "should" do this or that as a content host, and when I CHOOSE to do otherwise, you start yelling about how "This is total bullshit" then you sound like an ignorant child who is trying to tell people that they should do something where you have no right.

5 days ago

BGP Hijacking Continues, Despite the Ability To Prevent It

AaronLS Re:BGP? (57 comments)

I think both sides of the argument are pretty moot anyhow. I don't think much is gained or lost either way you go.

I know what BGP is but I never memorized what the letters stand for. Even if we spelled it out, that barely scratches the surface of what it is and doesn't make the article any more informative for someone not versed in what BGP is.

Yes, it is usually standard practice in any formal writing. Slashdot is hardly formal though, when Bennet gets to spout his half formed ramblings every week.

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

"If only specific files, then simply decrypt those and host them separately"

You are the one who proposed hosting them unencrypted. I read and quoted exactly what you said. I don't have a reading problem at all.

" Decrypt, host separately... done."

Then again you say the same thing.

"A little file the thin clients grab as part of the login script."

You're the one who proposed access controls as part of your architecture. Go back and read your initial statement.

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

PGP is an example of asymmetric encryption. You have to encrypt a copy of the payload for each receiver. This is why it's great for messaging, and exactly what I was talking about why its applicable only when sharing something between two people. Whenever you send a message to multiple parties, you have to encrypt a copy of the message separately for each receiver. When you try to apply this same technique to file sharing, it means potentially large files have to be duplicated to allow them to be encrypted with each receiver's key.

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

"First rule of computer security is physical security."

Indeed. That's exactly why smart cards are superior. The private key is on the card, and the card is always physically with the owner.

Otherwise you have to lock your office and the cleaners can't do their job. Are they just gonna clean the hallways?

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

" that is all you need."

No, hardware is not all you need; you have to build an architecture and software platform. You said yourself:

"You have per client access rules and passively encrypt everything. What is more, the encryption keys can be held on office thin clients that transparently download the decryption engine and keys from an onsite server"

Someone has to do onsite key management. Either you are manually copying keys to each thin client, or your onsite server has ACLs that decide who gets what keys. It also needs to be able to integrate with the cloud storage to pull the upstream encrypted files, which means implementing whatever API is used to access the upstream server. Most small businesses I know, even if they have a couple programmers, aren't skilled enough to grasp these web APIs.

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

"Decrypt, host separately... done."

Then anyone at the hosting company can access the decrypted files. You're just describing the same process in use today that is vulnerable to all the problems we were addressing above. You missed the whole point of the discussion.

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

"Your private key is useless for securing information originating from you, since your public key is, well, public."
"Your private key is useless" ... " since your public key is, well, public."
You are arguing the private key is useless because the public key is public. That is utter nonsense. Your private key is not useless. The whole point of public/private key pairs is that one is public and the other is private.

With asymmetric encryption, the sender uses their private key, and the receiving party's public key. The process creates an encrypted payload that only the receiver can decrypt. This is a good place to educate yourself on how public-key cryptography works, aka asymmetric encryption: http://en.wikipedia.org/wiki/P...
"Public-key encryption, in which a message is encrypted with a recipient's public key."

"'combining your private key and their public key' statement is nonsense"
No you idiot, that's exactly what asymmetric encryption is. You need to educate yourself before you start telling people what is nonsense.

I have implemented several forms of asymmetric encryption leveraging Bouncy-Castle Crypto libraries, and have done extensive reading of the RFCs related to these processes.

You also don't understand symmetric encryption but enough time wasted on you.

about a week ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

It doesn't. As far as I can tell from his vague description of XOR'ing "random bits" with "nonrandom bits", he's talking about a very specific mode of using AES, which is OFB or CTR. In both cases it is clearly documented that reusing the key stream would destroy security. As long as you follow the specification for these modes it is secure.

about two weeks ago
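The keystream-reuse point in the comment above, as an added example that is not from the comment thread or from any poster's code: AES in CTR mode through Go's standard `crypto/cipher`, a check that tells whether two ciphertexts were produced under the same keystream (for a stream mode, c1 XOR c2 equals p1 XOR p2 exactly when the key and IV were reused, which is the property the mode's no-reuse rule protects against), and the per-message random IV the specification calls for. The demo key, the two constructed plaintexts and all function names are mine, not the thread's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 256-bit key for this demonstration only.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// ctrXOR runs AES-CTR over data with the given key and IV. The mode is its own
// inverse, so the same call both encrypts and decrypts.
func ctrXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReused reports whether c1 XOR c2 equals p1 XOR p2. That identity holds
// exactly when both messages were XORed with the same keystream (same key and IV),
// so a test suite can assert it is false for any two ciphertexts it produces.
func KeystreamReused(p1, c1, p2, c2 []byte) bool {
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// CTREncrypt follows the mode's specification: a fresh random IV per message,
// prefixed to the ciphertext so the receiver can regenerate the same keystream.
func CTREncrypt(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := ctrXOR(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// CTRDecrypt splits off the IV and reverses CTREncrypt. CTR alone gives no
// integrity; a deployment would add a MAC or use an AEAD mode such as GCM.
func CTRDecrypt(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than the IV")
	}
	return ctrXOR(key, data[:aes.BlockSize], data[aes.BlockSize:])
}

func main() {
	iv := make([]byte, aes.BlockSize) // a fixed IV: the mistake the specification forbids
	p1, p2 := []byte("invoice total: 1000"), []byte("invoice total: 9999")
	c1, _ := ctrXOR(demoKey, iv, p1)
	c2, _ := ctrXOR(demoKey, iv, p2)
	fmt.Println("fixed IV, reuse detected:", KeystreamReused(p1, c1, p2, c2)) // true
	e1, _ := CTREncrypt(demoKey, p1)
	e2, _ := CTREncrypt(demoKey, p2)
	fmt.Println("fresh IVs, reuse detected:", KeystreamReused(p1, e1[16:], p2, e2[16:])) // false
}
```

The `KeystreamReused` check is the kind of assertion worth keeping in a test suite around any code that builds CTR or OFB IVs by hand: with the IV prefix stripped from two `CTREncrypt` outputs it should never hold, and when it does the IV source, not the cipher, is what to inspect. CTR also provides no integrity on its own, so the comment's "follow the specification" point extends to pairing it with a MAC or using an AEAD mode.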

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

Someone could probably make a business of exactly the architecture you describe, providing a small onsite appliance that does this orchestration. So you use their cloud storage solution, and they provide an architecture that guarantees only your onsite appliance has the keys capable of decrypting the data.

about two weeks ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

"What is more, the encryption keys can be held on office thin clients that transparently download the decryption engine and keys from an onsite server which likewise can serve both to remote users as part of their login script."

This would be a great architecture for a business when talking only about accessing data that is shared among employees.

However, if they want to share certain files with another business to remotely access the encrypted data, then you have to also share the encryption key to support client side decryption, and you encounter the same problem as before. There are certainly businesses that have moved the majority of their data storage to the cloud, but there are a greater number who haven't made that kind of commitment, and only use cloud storage for sharing certain files/data with business partners. You could host a local server that retrieves the data from the cloud, decrypts it using the onsite stored keys, and serves it to authenticated business partners. This would mean deploying onsite your own implementation of a web API or website that provides the interface for third parties to login and access authorized data. Half the reason to move to the cloud is to avoid implementing, deploying, and managing this kind of infrastructure.

And of course for individuals sharing with other individuals, this approach doesn't work either.

Essentially, as even your example demonstrates, somewhere a central system must orchestrate access and decrypt the data or provide keys to clients. Moving that system onsite mitigates risk by putting it in your control and affording the business the opportunity to legally challenge information/search requests, but it also decreases the benefits of using the cloud since you've now moved a major piece of infrastructure back onsite.

about two weeks ago

Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

AaronLS Re:PRIVATE encryption of everything just became... (379 comments)

Not disagreeing with you, but want to clear up what it means to make cloud storage, or any type of server storage, secure and inaccessible from court orders:

In the case of dropbox, data is stored encrypted, but the server software holds the encryption keys so it can serve the data to clients unencrypted. This means subpoenas and other legal/law enforcement actions can access the data by going to the server operators, who likely will not challenge the order.

If you instead encrypt the data client side before you send it to the server, then everyone who accesses the data must also have the key.
What if you want to revoke access for one person? You have to download the data client side, decrypt/re-encrypt with a new key, reupload, and provide the key to the remaining sharers. So this technique only really works for data that you do not share, i.e. just your personal stuff, and is essentially what people do now when they encrypt data before uploading it to dropbox.

Asymmetric techniques don't really apply here unless you're only sharing with one party. You combined your private key and their public key to encrypt the data, then only they can decrypt it. This does not work when dealing with 3 or more parties, unless some are going to share the same key for one side of the asymmetric encryption, in which case you're back to the same problem we had with sharing a symmetric key.

about two weeks ago
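The two sharing problems raised in the comment above, re-keying when one party's access is revoked and the per-recipient cost of asymmetric encryption that the PGP comment earlier on this page describes, as one added example that is not from the comment thread or from any poster's code. It uses the hybrid pattern that OpenPGP and most cloud key-management systems follow: the payload is encrypted once under a random data-encryption key (DEK), and only that 32-byte key is encrypted separately under each recipient's public key, so the bulk data is never duplicated per recipient. Revocation still has the cost the comment describes, because the revoked party already holds the old DEK: the payload must be re-encrypted under a fresh DEK and re-wrapped for those who remain. Assumptions: Go's standard-library RSA-OAEP and AES-GCM, 2048-bit keys generated on the fly, and an in-memory `Envelope` type; the type, the function names and the recipient names are mine, and the format is not OpenPGP-compatible.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope stores the payload ciphertext once, plus one wrapped DEK per recipient name.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedDEK map[string][]byte
}

func aesGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt: one AES-GCM pass under a fresh DEK; only the 32-byte DEK is RSA-OAEP wrapped per recipient.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit DEK followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedDEK: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
		if err != nil {
			return nil, fmt.Errorf("wrap DEK for %s: %w", name, err)
		}
		env.WrappedDEK[name] = wrapped
	}
	return env, nil
}

// Decrypt unwraps the named recipient's DEK with their private key and opens the payload.
func Decrypt(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedDEK[name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this envelope", name)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aesGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails under a stale or wrong DEK
}

// Revoke re-keys: the revoked party still holds the old DEK, so the payload is re-encrypted under a fresh one.
func Revoke(env *Envelope, actor string, actorPriv *rsa.PrivateKey, revoked string, pubs map[string]*rsa.PublicKey) (*Envelope, error) {
	plaintext, err := Decrypt(env, actor, actorPriv)
	if err != nil {
		return nil, err
	}
	remaining := make(map[string]*rsa.PublicKey, len(pubs))
	for name, pub := range pubs { // pubs: public keys of the current recipient set
		remaining[name] = pub
	}
	delete(remaining, revoked)
	return Encrypt(plaintext, remaining)
}

func genKeys(names ...string) (map[string]*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	privs, pubs := map[string]*rsa.PrivateKey{}, map[string]*rsa.PublicKey{} // constructed demo identities
	for _, n := range names {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			panic(err)
		}
		privs[n], pubs[n] = k, &k.PublicKey
	}
	return privs, pubs
}

func main() {
	keys, pubs := genKeys("alice", "bob")
	env, _ := Encrypt([]byte("constructed sample payload"), pubs)
	env2, _ := Revoke(env, "alice", keys["alice"], "bob", pubs)
	_, err := Decrypt(env2, "bob", keys["bob"])
	fmt.Println("bob can still read after revocation:", err == nil) // prints false
}
```

The bulk cost is one symmetric pass regardless of the number of recipients; what scales per recipient is one RSA operation and one wrapped 32-byte key, which is why a shared file does not need to be stored once per reader. The part that does not get cheaper is what the comment points at: `Revoke` has to decrypt and re-encrypt the whole payload, and anyone whose public key is missing from `pubs` is dropped along with the revoked party, so the caller must pass the complete current recipient set.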

MIT Removes Online Physics Lectures and Courses By Walter Lewin

AaronLS Re:Sexual Harassment shouldn't cost us knowledge (416 comments)

"shouldn't cost us knowledge"

Oh I comprehend, that he thinks the content belonged to "us". If it does, then he is welcome to set up his own host and host that content. Nothing is lost if you exercised your right to make a copy under the CC license, assuming it was licensed that way. If not, then it didn't belong to us.

Who the fuck are you to say this or that entity is obligated to be your personal content host? It's not your fucking server. If I run a website, and I decide that an article is out of date and I take it down, that's my right as the owner of that server. Fuck you.

Content and knowledge are related, but are not the same. If someone stops delivering content, that doesn't mean the knowledge is lost.

What you don't comprehend is the distinction between having knowledge, and actually where it is hosted.

This is not like we've taken every written record of physics and banned it. 1) You are still free to host the content at your own free will. 2) That "knowledge" exists in many other forms, so even if it was not licensed the knowledge is not lost.

about two weeks ago

MIT Removes Online Physics Lectures and Courses By Walter Lewin

AaronLS Re:Sexual Harassment shouldn't cost us knowledge (416 comments)

So your point is, if twisted juuust right, any slashdot article can somehow be an opportunity for someone to bitch about Obama.

about two weeks ago

MIT Removes Online Physics Lectures and Courses By Walter Lewin

AaronLS Re:Sexual Harassment shouldn't cost us knowledge (416 comments)

You don't own the content. You might have access to it under a CC license, but you don't own it. If MIT wants to take it down, that's their right. The fact that you think you should have some say in the matter is bullshit.

about two weeks ago

Army Building an Airport Just For Drones

AaronLS Re:too expensive (48 comments)

That and "associated maintenance shops, administrative space, storage space, 5-ton bridge crane, oil/water separator, aircraft container and forklift storage, UAV runway, taxiway, access apron, oil and hazardous waste storage buildings, vehicle storage facilities, organizational vehicle parking, and overhead protection/canopy"

about two weeks ago

Bellard Creates New Image Format To Replace JPEG

AaronLS Re:This solves what problem? (377 comments)

Servers always work to reduce bandwidth usage. Bandwidth is expensive when you're talking thousands of users.

Smaller images means faster transfer and faster load times, especially for mobile.

Just look at all the efforts put into bundling/compression/etc. Some companies go as far as reducing all their CSS class names to 3 or less characters. These have different purposes though not always directly related to bandwidth reduction. Bundling is more about reducing the number of HTTP requests than reducing bandwidth though, since it bundles multiple requests for CSS/JS into single request for each, because each HTTP request consumes server resources.

Usage is larger than it used to be as well. Now vast majority of people have a computer in their pocket at all times and access internet much more frequently than the age of desktops, when there was one computer per family accessed intermittently.

Many mobile data connections have lower bandwidth than traditional ground connections, although a few are faster.

As for hard drives, the pervasiveness of digital cameras being on every phone in many pockets means a tremendous increase in the number of pictures being taken. Storage on phones is higher $/GB than hard drives. Usually these make their way onto a server such as instagram or facebook, who each would be interested in reducing storage size, as the $/GB is high when you consider that data likely has at least two forms of redundancy.

about two weeks ago

Excuse Me While I Kiss This Guy: The Science of Misheard Song Lyrics

AaronLS Re:excuse me while I kiss this guy... (244 comments)

The popular version you hear on radio all the time doesn't sound like this to me, but there is another version that is on the box set that really sounds like this to me.

about two weeks ago

Microsoft's New Windows Monetization Methods Could Mean 'Subscriptions'

AaronLS Re:I'm sorry (415 comments)

"A subscription adds one more point of weakness.
Change banks or get a new credit card for any reason, and you have one more account to update. Forget to update, and your computers may not work."

Certainly articulated better than parent, who only vaguely implied what kind of mistake he was referring to. I however addressed this as well: "Maybe you were trying to speak to some sort of DRM failure month-to-month". Microsoft has so far not disabled Windows as a result of being unlicensed. I just recently cloned a VM for local testing and the MAC address changed, and they flagged me as being unlicensed. The only thing they did was disable updates until I reactivated. I was still able to fully and completely use the OS. My point, since I obviously have to lay it out for you illiterates: Microsoft does not prevent you from using your software due to a licensing issue that occurs after initial activation. So until details are revealed about the new pricing/licensing model, anything else is pure speculation, and the evidence we have so far is that their policy is to only block updates, which is only a temporary issue since, if they follow existing processes, it is very easy to reactivate.

"Your argument of "other things can break too" is pointless."

That was not my argument. My point was that pricing model has little correlation with uptime, and gave examples of what does correlate with uptime.

As far as AutoCAD breaking, the parent tried to imply somehow a fixed upfront cost is less risky than a monthly cost. The point I was making with AutoCAD, was that the same licensing deactivation error/failures are a risk with upfront pricing models as well. The pricing model again is irrelevant. The risk of software failing as a result of a licensing issue has a lot more to do with how their DRM works, than how you pay for the software.

"As many of our parents probably stated in the past, "If AutoCAD jumped off a bridge, would you do it too?""
I at no point advocated that others should follow the model that AutoCAD does. So no, I'm not saying others should do as AutoCAD does. Where did you get that? Just how illiterate are you? Everything about your reply shows you are incapable of the most basic reading comprehension. The only thing I said about AutoCAD was " Just search around for all the issues people have with AutoCAD related to activation." How is that in any way me suggesting people do the same as AutoCAD?

Whether you choose a fixed up front cost, or a reoccurring cost, you still are at risk for licensing issues. Whether that issue brings your computers down is also not related to pricing model, because from one company to another, their policies differ. Some will block you from support/updates, others will block you from using the software. If you are only looking at the pricing model, then you are ignoring other potential risk factors that are of greater concern. So no my argument is not "other things can break too", but is instead that you should look at the company's other policies for dealing with licensing issues.

If there is a licensing issue, do they prevent you from using the software? We've seen repeatedly terribly implemented DRM that despite the fact you already paid for the software, still breaks. So no my argument is not "other things can break too", but is that the pricing model is the wrong factor to look at.

So let's follow your logic. Company X offers you an OS for $1200 upfront, but they have draconian DRM/licensing and when a failure occurs the software is unusable. Company Y offers you an OS for $100 a month for a 12 month contract, and their DRM/licensing allows you to use the software even if a failure is detected, so long as you resolve it within 30 days. You being the illiterate person you are fail to read and comprehend the hundreds of articles warning people of the risks of using Company X's OS, and go ahead and buy it, because you don't like the idea of a month to month fee for Y's OS. Because of X's buggy DRM, you suffer repeated downtime and lose lots of $ because you are illiterate.

about two weeks ago

How Relevant is C in 2014?

AaronLS Re:Embedded Systems (641 comments)

"support and development just stops as all the ADD kids jump at the new toy"

We'll assume you mean support and development of the language specification/compilers/IDEs/etc.

Agreed that if there's not a solid backing either through a large community or major corporations, then yeh you'd be an idiot to invest production code in a language that might not have longevity. This is not a risk unique to high level languages. This is a risk with any language that doesn't have a mature and committed community or corporation supporting it.

"five years down the road someone will fork the fork and you can throw all your code away"

I would be interested in examples of major languages that went this way, and why code had to be wholesale thrown away?

Let's assume by fork, you mean forking the language specification and/or compiler. Someone forking shouldn't cause you to need to throw away code. You would only have to throw your code away if the new fork became so popular that maintainers of the upstream decided to abandon their language and maintain the fork, AND you were of the opinion that the old upstream compiler/specification was not matured enough for you to stick with it.

Even if you switched to the forked compiler, I can only imagine a childish tantrum resulting in someone throwing away their code over some compiler errors that required minor syntax changes. You sound just like that type of person. If anything usually some clever regex will solve this problem. Although I agree, it's a good sign you were an idiot for choosing a language supported by those who do not value backward compatibility, and/or you invested production code into a language that was still in early development when backwards compatibility is usually not a primary goal.

These are attributes of niche languages. There are some low level languages that have been created as experiments, proof-of-concept, etc. that suffer from the same issues. C-- was a low-level language created to try and implement common compiler algorithms for reuse, which is now dead. Ambitious little projects without enough of an audience to gain traction, and eventually the maintainer's time is directed elsewhere and it dies (the language, not the maintainer).

Those are attributes of niche languages, not of high level languages.

"That'll never happen with your C code."

You've not been around very long OR you've never tried to leverage some really old C code and had to fix hundreds of compiler errors to get it up to speed. Now usually that's more of an issue with the code not being written to be very portable, but there's nothing inherent about C that makes it any more immune to the portability issues that high level languages suffer from when bad programmers get their fingers in there. Code that compiled fine 10 years ago often won't compile anymore if it's not been maintained, because the more common compiler options are vastly different. You've not been around the block if you've had to maintain someone's really old code and had your compile seg fault the first attempt to compile it.

In fact, I'd say writing portable code requires a lot more skill in C because you're at such a low level and have to be much more knowledgeable of things that higher level languages hide from you. It probably makes you a better programmer for it, but that's about like saying beating yourself with a stick makes you tougher.

Anyway, there's lots of reasons people invent new languages. Some of them are doing it just for fun, and never intended them for production use. Proof of concepts, etc. Writing a compiler is a great learning experience.

There's nothing to be sickened by. It's not like there is some street peddler trying to get you to use some esoteric language. There might be a few misguided fools who are all excited about some language and pushing it for production use where it is inappropriate, but someone's misplaced zeal is usually no fault of the language or language designers.

about two weeks ago

Submissions


Unlimited Food Stamps During System Outage

AaronLS AaronLS writes  |  about a year ago

AaronLS (1804210) writes "Electronic Benefits Transfer (EBT) card holders were allowed unlimited spending at some Walmart locations during an outage of the system that is used to determine spending limits. Some people were hauling out multiple carts of groceries. According to system operator Xerox, there's an “agreed and documented process for retailers like Walmart to follow in response to EBT outage.” It is not clear whether or not Walmart followed this procedure, but a Walmart spokesperson stated the decision was made to "contine[SIC] to accept EBT cards during the outage so that they could get food for their families.” Other retailers simply did not allow purchases during the outage. Xerox stated they would work to determine the cause and prevent future outages, but did not specifically state whether they would take steps to prevent unlimited spending during future outages.

Was this unlimited spending a flaw of the system and procedure, an intended procedure, or did Walmart simply not follow appropriate procedure? If Walmart took it upon themselves to allow unauthorized spending during the outage, why did they not at least impose a reasonable limit that would allow a family to get through the next day?

This news has already incited a lot of inflammatory and childish debate across the web from both those who are pro and anti-foodstamps, drowning out any intelligent analysis of the system/procedures that caused this event."

Disabling Java Recommended In Response to Vulnerability

AaronLS AaronLS writes  |  about 2 years ago

AaronLS writes "US-CERT is recommending that users disable Java in their browsers due to a 0-day vulnerability which US-CERT is "currently unaware of a practical solution". They indicate that the vulnerability is being actively exploited in the wild, and is available in exploit kits."

The HP Memristor Debate

AaronLS AaronLS writes  |  more than 2 years ago

AaronLS writes "(Note: I would have included links and appropriate formatting for quotes within the story, but I have searched and searched and found no guidelines in the FAQ or googling your site that indicate what formatting tags or HTML are valid for stories.)

There has been a debate about whether HP has or has not developed a memristor. It being something fairly different from existing technologies, and similar in many ways to a memristor, I think they felt comfortable using the term. However, there are those not happy about HP using that labeling. On the other hand, had HP created a new unique label, they would have probably gotten flak for pretending it's something new when it's not. What positive will come from the debate? Martin Reynolds sums it up nicely:

“Is Stan Williams being sloppy by calling it a ‘memristor’? Yeah, he is,” Martin Reynolds tells Wired. “Is Blaise Moutett being pedantic in saying it is not a ‘memristor’? Yeah, he is. [...] At the end of day, it doesn’t matter how it works as long as it gives us the ability to build devices with really high density storage.”"


Compromised Steam Data Included Credit Card Info

AaronLS AaronLS writes  |  more than 2 years ago

AaronLS writes "Steam has released additional information about a previous security breach, indicating that with the help of third party security experts they have determined no passwords were compromised, but billing information and credit cards were compromised. This information was encrypted, but no details were given on the level or type of this encryption, which would be significant since the attackers would have free rein to throw as much computing power at trying to decrypt the data, either through brute force guessing of the key or other means if the encryption has weaknesses. Also of significance would be whether all the data shared the same key, or if each user's billing information was encrypted with a different key."

Flash Density Increasing w/25nm Triple Level Cells

AaronLS AaronLS writes  |  more than 4 years ago

AaronLS (1804210) writes "StorageReview.com has a story indicating Intel and Micron are planning production this year for Triple Level Cell flash on 25nm lithography. This means that 3 bits instead of 2 can be stored in each cell, and the smaller 25nm lithography generally allows more cells to be fit in the same area.
This combination should provide a considerable improvement to the density, and hopefully cost, of flash based storage. Read more at StorageReview.com: http://www.storagereview.com/intel_and_micron_announce_25nm_triple_level_cell_nand"


Journals

AaronLS has no journal entries.
