Comments


Chrome 39 Launches With 64-bit Version For Mac OS X and New Developer Features

Cley Faye Re:Any reason? (65 comments)

Why should you rely on others' opinions when it's free on every major system for you to test it out, and installs almost instantly given you don't have an internet connection from the third world?

2 days ago

Microsoft To Open Source .NET and Take It Cross-Platform

Cley Faye Re:Too little, too late (524 comments)

As per tradition, I didn't RTFA, but Microsoft has a nasty history with open source and licensing. It's so bad that some developers take care not to *see* any MS source to avoid future litigation... I would be very careful with the conditions attached to using .Net.

about a week ago

LibraryBox is an Open Source Server That Runs on Low-Cost Hardware (Video)

Cley Faye Re:Justify my love (47 comments)

You.... don't?

This one is too hard to defend. Sometimes I've been really enthusiastic about small and/or useless stuff on crowdfunding sites and early access stuff, but this is simply overpriced off-the-shelf hardware with a sticker...

Well, as long as there are people willing to send money to them, I suppose it's a "good" idea from a commercial point of view...

about two weeks ago

Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

Cley Faye Re:Well... no. (126 comments)

Ah, I get it, you don't take the subway (or other crowded public transportation) too often...

Regarding the time needed for this, when I put my own card behind my phone, it really worked in roughly a single second. And it does work as fast through multiple layers of clothing as long as there's nothing metallic in the way. Now, in a very crowded area, people get pushed onto each other. If it was enough in the past for a skilled pickpocket to steal your wallet without you noticing, clearly it's enough proximity to do a contactless swipe over your pocket.

Now, the question of multiple NFC cards is real, but you assume that people who have multiple contactless cards hold them all in the same place. Unfortunately, for it to mitigate this "attack", all the cards need to be on the same technology (for example, my transportation card doesn't talk NFC and doesn't seem to interfere with my phone's NFC reading capabilities). And some people find it more convenient to "spread" their contactless cards, so they can just push their wallet/handbag/whatever on the NFC reader instead of taking out the card itself. Again, convenience may very well be in the path of security.

So, all in all, yes, I have evidence that reading an NFC card through clothes can be done efficiently and go unnoticed. Also, since you mention tinfoil wallet time, for NFC it might be enough. I said it in another post, but a "simple" metallic card holder renders my cards invisible as far as my phone's NFC reader is concerned, so it might be a short term solution. But I also don't doubt that it's infallible, as boosting the signal from the receiver side might be enough to get through that. YMMV.

about two weeks ago

Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

Cley Faye Re:Just ask your bank to send you (126 comments)

As for people suggesting Faraday cage wallets and such, I'm unconvinced. A proper Faraday cage has to have no gaps, and most of these are not that tightly constructed. I would not be at all surprised if many of them provide only a feeling of security rather than actual security.

Don't know about "Faraday cage" wallets, but I carry most of my cards in a simple metallic case that closes loosely (it's not airtight or anything). It is enough for my phone to not pick up the card inside when I put them together, so I suppose it would be a severe hindrance to people trying to read an NFC card with a quick bump.

Still, some tweaked hardware to boost the signal on the receiver side might get through. Hmm I need to run some more tests...

about two weeks ago

Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

Cley Faye Re:Needs to be real money (126 comments)

Don't have to. Bump into a person every few minutes in a crowded subway area, and get $20 out of any of them that have a card that happens to be close enough to the "bump". If you do this every two minutes, and only 1 out of 5 people gets you a result, a 7-hour day of work will yield 42 card details, or $840 of "chump change".

Now, think about this: this contactless payment system is not going away soon (I'm not even talking about the "vulnerabilities" exposed there). If you manage to get a channel for all these card numbers, it seems like you're running a very profitable business. The only fixes are changing the contactless cards to something with actual security (not gonna happen soon), or putting them in some metal wallet to avoid unwanted readings (and people won't care for such small quantities of money).

I didn't RTFA (because this is slashdot after all) but if the topic is really about a way to bypass the small limit on contactless operations, even by a small amount, it can get huge very fast.

about two weeks ago

Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

Cley Faye Re:Good (126 comments)

To be 100% fair, the RFID is easy to disable, you just have to cut the induction loop.

To be even more fair, the data on a passport are somewhat encrypted, so it's not as easy as reading a card number ;)

However the biggest issue with RFID cards is the fact they send your card number, name and expiry date out in an easily decrypted format... So you can now use RFID to harvest CC numbers and rip them off the old fashioned way (in Russia so even if you're identified you can never be caught).

That is the thing I find the most infuriating with these contactless payment systems. We *have* the technology to produce contactless smartcards, and yet their new big thing is just sending all data in plaintext to whatever reader is available. When my mother got her new credit card, I put it on the back of my phone, and on screen popped all the information needed to use the card on any website not using stuff like 3DSecure (and there are still a fair number of them).

Feels like banks actually want to help pickpockets: now when they bump into you, they won't need to get your wallet.

about two weeks ago

Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card

Cley Faye Re:Well... no. (126 comments)

Yeah... or, just putting the damn card in the card reader.

Not sure about the state of payment cards in the US, but in France (and likely most of Europe) we've had smart cards that actually talk with the payment terminal. While not that secure at times, you needed an actual/intended physical interaction between the card reader and the card.

Fast forward to nowadays, we've introduced contactless cards, so anyone with an NFC phone can read your card info through your pocket. Like reading the magnetic track. Except there's no physical interaction needed. All of this for what? So it could be easier. Why didn't they *simply* use *existing technology* and implement a protocol that allowed fast payment (without entering a PIN code) through traditional readers instead?

I'm not saying that these new "vulnerabilities" related to contactless/NFC cards are not a problem: the protocols should've been secure from the start. But they actually had something that prevented all these loopholes, and said "nah, let's go with NFC even though it doesn't speed up the payment process in the least." What a joke.

about two weeks ago

Update: At Least 31 People Feared Dead After Japan Volcano Erupts

Cley Faye Re:No warning? (54 comments)

There probably were warnings. But the question is, how important were they, and how long before did they happen. If a magma stream crawled through an earth crack, it could have triggered minimal seismic activity for 10-15 minutes before the event, which is both too short and too small to be noticed.
Remember that Japan is located in a very active place regarding underground activity.

about 2 months ago

Apple Outrages Users By Automatically Installing U2's Album On Their Devices

Cley Faye Re:It's not your phone (610 comments)

Yes, I think I see what you mean. Apps like "Hangouts", "Google Video", "Google Books", that kind of apps?

The difference here is that these are always present, but don't interfere with the content of your account. When my Android phone installed Google Video, it didn't replace another Video app, didn't become the "default" video viewer, and wasn't added anywhere except the applications menu. Unless I actively looked for it, I would not find it.

Now, when Google decided to add some free music to my music library, it did show up while I was browsing *my* music, and I had to do something to remove it. But I think there's a difference between new apps/services being pushed, and content being added to a user account. The former is part of the system's evolution, while the latter is more akin to pop-up ads.

About today's topic: from the summary, it looks like there are two issues: first is automatic download on users' devices (even those not using this feature at all), and no obvious way to remove this. I believe the issue is more about this than pushing new services.

about 2 months ago

Apple Outrages Users By Automatically Installing U2's Album On Their Devices

Cley Faye Re:It's not your phone (610 comments)

Google Music offers a single-click option to disable "free" content from showing up in your library, and most Google services ask you before changing their behavior. What are you referring to exactly?

about 2 months ago

BBC: ISPs Should Assume VPN Users Are Pirates

Cley Faye Seems reasonable (not) (363 comments)

On one side, VPN users are pirates. Ok. So no VPN.
On the other side, not using a VPN to work/transfer personal stuff is a security risk that can lead to data leaks, identity theft, etc. So, VPN. And screw the BBC. I suppose they do all their data transfers in the clear, too?

about 2 months ago

Japanese Firm Showcases "Touchable" 3-D Technology

Cley Faye Re:What We're All Thinking... (41 comments)

For once, no, I'm not thinking porn when discussing virtual reality. One thing I'd like to see is a fully virtual keyboard, that could pop out in front of you, and be actually usable. That would be more interesting than force-feedback porn, which can already be simulated by other means (including maybe actual sex).

about 3 months ago

Researchers Hack Gmail With 92 Percent Success Rate

Cley Faye Re:Blast from the past (87 comments)

Can't tell if you're way off, because what you described is roughly what is already happening. Each app has its own virtual memory space. Part of the "issue" described here is accessing memory *usage statistics*, not access to the memory itself, which would be pretty bad if it could happen without any kind of escalation/debugging tools.

about 3 months ago

New SSL Server Rules Go Into Effect Nov. 1

Cley Faye Re:Why? (92 comments)

it doesn't have to be turned on after you finish signing certs until it's time to sign another batch...

To be fair, with OCSP you need something that's online all the time your certificates are used. But unless you have hundreds of people checking your certificates simultaneously, any low-end contraption can handle it.

about 4 months ago

New SSL Server Rules Go Into Effect Nov. 1

Cley Faye Re: Why? (92 comments)

Are you connecting to that self-signed cert that is university owned or that self-signed cert that is set up by my evil laptop on the wifi network?

[...]

With BYOD you simply cannot use self-signed certificates. Your potential attack surface then increases.

That's why the previous poster said "Or the college provides an easy way for the BYOD people to acquire the college's cert."

You don't have to trust any self-signed certificate that the web server throws at you. You go to the official, public website of your uni/work/whatever (or to the IT dept. if they want to do this by hand), and grab the CA cert there. You trust this website, it can have a regular certificate issued by any public authority, and using this newly downloaded cert. as a CA, you can safely connect to anything your workplace has in its private network.

The only hindrance is that the users have to install this certificate once. Through an easy GUI.

about 4 months ago
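The trust model in the comment above (one private CA fetched from a trusted place, every internal server cert signed by it, and any other self-signed cert for the same name rejected) can be exercised end to end with the openssl CLI. The script below is an added example, not from the comment or from Slashdot; it assumes an `openssl` binary is on the PATH, and the names "Example University Private CA" and intranet.example.edu are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): a private CA for a BYOD network, built with
# the openssl CLI. "Example University" and intranet.example.edu are made-up names.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: v3_ca marks the root as a CA, v3_leaf is for the intranet server.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.edu
EOF

make_pki() {
  # 1. The IT department's private CA (self-signed root). ca.pem is the one file
  #    users download from the official, publicly-trusted web site and install once.
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=Example University Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # 2. Intranet server key + CSR, signed by the CA (the server cert is never self-signed).
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=intranet.example.edu" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/server.pem" 2>/dev/null
  # 3. What a rogue laptop on the wifi would present: a self-signed cert carrying the
  #    same name. Nothing signed by the private CA vouches for it, so it must fail.
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_leaf -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=intranet.example.edu" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# Exit 0 only if the certificate chains to the given CA file (the client's trust anchor).
verify_with_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Exit 0 only if the certificate chains to the OS trust store (private CA not installed).
verify_with_system_store() { openssl verify "$1" >/dev/null 2>&1; }

make_pki
for cert in server rogue; do
  if verify_with_ca "$WORK/ca.pem" "$WORK/$cert.pem"; then
    echo "$cert.pem: trusted via the private CA"
  else
    echo "$cert.pem: REJECTED (not issued by the private CA)"
  fi
done
verify_with_system_store "$WORK/server.pem" \
  || echo "server.pem: rejected by the system store until the CA cert is installed"
```

The last line is the point of the "install it once" step: until ca.pem is in the device's trust store, even the legitimate server cert fails verification, and after that step the rogue self-signed cert still fails because the check is "chains to my CA", not "is self-signed and looks plausible".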

Mac OS X Yosemite Beta Opens

Cley Faye Re:Flat UI Design (165 comments)

You could have formulated it better, but it's true that KDE doesn't try to change "for change's sake". And even if it did, it's one of those desktops that still has relatively easy visual customization.

about 4 months ago

Intel Launches Self-Encrypting SSD

Cley Faye Re: How is this news. (91 comments)

Yes, TRIM is there to improve performance when writing in a block, but it doesn't need to erase it, not when receiving the trim command or afterward. The performance problem comes from a write operation that is smaller than the block. Imagine a block size of 1kB. If you want to write 200 bytes in it, you have to read the whole block, update the relevant part in memory, and write the updated 1kB. Now, if you have the knowledge that the block is completely unused by the FS, then you can skip the reading part, and just write a 1kB chunk of whatever with the correct 200 bytes. No read/update penalty, AND the SSD firmware can decide to reuse that block for transparent wear-leveling, improving both performance and lifetime. But, all this doesn't require actual deletion of the block content at all.

about 4 months ago

Intel Launches Self-Encrypting SSD

Cley Faye Re:How is this news. (91 comments)

TRIM doesn't actually zap the data, it just marks a block as unused. This is to increase performance, because on the next write in this block, there is no need to read it, update it in memory, then write it. But until something is written there, there's no guarantee that the content itself is erased. Custom firmware could read it, or advanced forensics could get the chips out and get data from them or something.

about 4 months ago

Intel Launches Self-Encrypting SSD

Cley Faye Summary of advantages: (91 comments)

This idea is amazing.
Instead of having:
- full control over the encryption software
- full control over the encryption key
- data that goes in clear in the RAM, then is never seen in clear by the hard drive
- performance nearly identical through either hardware-enabled encryption (AES...), or even software based implementations (even a smartphone can do it transparently)
We're trading all this for:
- who knows what really happens down there
- hey, is your secure key even used for anything more than ciphering a header?
- data goes in clear in the RAM, then in clear to the drive, which does whatever with it. It's so easy to make sure an SSD doesn't make invisible copies too.
- performance nearly identical through (supposedly) hardware encryption.

Yeah, no, please stop fixing problems that don't exist.

about 4 months ago

Submissions

Cley Faye hasn't submitted any stories.

Journals

Cley Faye has no journal entries.
