Comments

ARIN Is Down To the Last /8 of IPv4 Addresses

IamTheRealMike Re:And yet Akamai deserves a /10 (224 comments)

SNI is universal, unless you're running Windows XP

That's a pretty huge unless!

9 hours ago

VK CEO Fired, Says Company Under Kremlin Control

IamTheRealMike Re:How does that sit with you, Snowden? (142 comments)

OTOH, power in the West is rotated between two different bands of crooks (or at least two factions of the same band of crooks).

I think if the Snowden affair has taught us anything, it's that real power in the west is not held by politicians but rather the executive branch (US) and civil service (UK). The bureaucrats appear to be able to do whatever they like, then repeatedly lie about it (USA) or simply refuse to turn up at all (UK) and politicians let them get away with it. What's more, the bureaucracy is now routinely blacklisting and even assassinating people based on no kind of formal process whatsoever, with no democratic oversight, and the people doing it are career government employees who are certainly not elected and in many cases their identities are themselves secret.

For background, in my former job I worked on one of the systems at Google that was compromised by GCHQ (they wrote wire sniffers to decode the login traffic). The root cause of this failure was the incorrect idea that western governments are "good" and the nasty Chinese/Russians/Iranians are "bad", thus internal encryption was only worth the cost when traffic transited wires controlled by "bad guys". But it turned out that they're all bad and the degree of badness appears limited only by their budget, so now Google encrypts all wire traffic all the time.

So please get out of this idea that the west is better than Russia. Democracy in the anglosphere has become so weak that lots of people simply refuse to vote at all, or are (at best) single issue voters for things like immigration. Anything national security related is uncontrollable by voting at this point.

yesterday

VK CEO Fired, Says Company Under Kremlin Control

IamTheRealMike Re:How does that sit with you, Snowden? (142 comments)

Why? In the USA Facebook and Google+ are both run by people who could be described as "oligarchs" with strong ties to the White House.

By the way, if you believe this story is true then you should also believe that Putin's answer to Snowden was correct, given that it says:

Earlier this month, Durov claimed that Russia's intelligence agency, the Federal Security Service (FSB), had pressured him to hand over personal data on VK users involved in anti-government protests in Ukraine. Durov said he refused to do so, though he's gradually ceded control of the company in recent months and has long butted heads with government authorities. Experts have speculated that the Kremlin is looking to tighten its grip over VK and other social networks in the same way it controls print and TV media. Many Russians used VK to organize widespread anti-Putin demonstrations in 2011 and 2012, when thousands took to the streets to protest allegedly rigged elections.

i.e. they are/were not able to simply access that data in the same way the USA and UK were slurping internal Google/Facebook db replication traffic right off the wire. In which case Putin's assertion that the FSB doesn't monitor "millions of users" might be correct, though of course the rationale given is highly suspect.

yesterday

Snowden Queries Putin On Live TV Regarding Russian Internet Surveillance

IamTheRealMike Re:Voluntary? (395 comments)

Getting from Hong Kong to Ecuador (or wherever he was going) without flying over any US or allied territory requires strange routes - just go to a flight booking site and notice that the returned results mostly involve changes in the USA.

Taking such a route was wise - look at how US allies forced down the presidential jet of a LatAm leader just to search for Snowden.

But I'm really not sure why you're arguing with me about this. What happened to Snowden is a matter of public record, it's not something that's up for debate. He got stuck in Russia because the USA revoked his passport and he then wasn't allowed to board his onward flight. But once it became clear that no plane was safe, not even those with diplomatic immunity, if it flew over any US allied territory, he would have been an idiot to leave anyway because that would have been a direct flight into a lifetime of solitary confinement.

about a week ago

Snowden Queries Putin On Live TV Regarding Russian Internet Surveillance

IamTheRealMike Re:wouldn't matter if it weren't canned (395 comments)

Fox News is the last place anyone would turn to learn about abuses of power by the government, especially with anything related to national security. It is however VERY effective at making it look like there's real accountability and competition in governance, by turning everything into a personal popularity contest between two men who are little more than figureheads.

about a week ago

Snowden Queries Putin On Live TV Regarding Russian Internet Surveillance

IamTheRealMike Re:Wow... Snowden just lost me. (395 comments)

Congratulations. Your post wins the "who can represent the worst stereotypes about Americans" prize for this thread.

Let's recap. Snowden revealed gross abuses and illegality in your government. Doing this results in the same sort of punishments as it does in many other countries with overly authoritarian leadership: lifetime in jail, as you request. So to do the big reveal you admit is something you "really needed", he had to run. His first choice was Hong Kong, but when it appeared the Chinese might hand him over or keep him jailed for years in diplomatic limbo he decided to go to Latin America, probably Ecuador. He was en-route there when the US Govt revoked his passport, leaving him stranded in Russia which happened to be on the way.

Your post and general mentality have multiple failures, but don't worry, they are correctable.

  1. An absurdly strong "us vs them" complex.
  2. A garbled and factually incorrect belief about events in very recent history.
  3. A desire to see someone who did something "really needed" severely punished because he did it for "the wrong reasons", you of course don't elaborate on what those wrong reasons were. He has stated his reasons many times: he saw illegal behaviour and knew it had led to dangerous territory and serious abuses. He did not do it for personal fame or fortune, as evidenced by the fact that he is now broke and vanished from the scene almost entirely for months after he got let out of the Russian airport. Pretty hard to argue he had the wrong reasons.
  4. Finally, a strong quasi-religious belief that the USA is better than Russia, despite the fact that they are both remarkably aggressive and corrupt societies, run by oligarchies, in which democracy is barely functional and anyone who challenges the status quo has to run away lest they end up with a life sentence from a kangaroo court. In addition, the populations of both countries are easily manipulated by telling them how glorious and special they are. There are far more similarities than you dare imagine.

There's a simple fix for your predicament - never use the word "traitor" ever again. It describes a state of fevered flag-waving tribalism which allows your own government to blind you and switch off your critical thinking. The people in power are not better than you or anyone else, they are just ..... the people in power. Your country is not better than other countries, it's just .... the place where you were born. Your rulers deserve no loyalty, no special breaks. They are corrupt and untrustworthy to the core, they need to be watched constantly lest they abuse the powers they were temporarily granted for some purpose or another. You cannot be a traitor to such people, the concept simply has no meaning.

Once you get into this mentality, your recollection of historical events will probably improve.

about a week ago

Snowden Queries Putin On Live TV Regarding Russian Internet Surveillance

IamTheRealMike Re:Voluntary? (395 comments)

He didn't choose Moscow. He chose Latin America and got stuck in Russia when the USA revoked his passport. It's the US government's fault he's now in Russia and yet they try and paint him as a traitor who ran to the Russians - yet more US hypocrisy and propaganda.

about a week ago

Snowden Queries Putin On Live TV Regarding Russian Internet Surveillance

IamTheRealMike Re:wouldn't matter if it weren't canned (395 comments)

You won't be arrested for insulting or protesting Obama. You won't be arrested for reporting on his failings; there are huge websites dedicated to it.

Of course you will. The Obama administration has prosecuted journalists and leakers at a far higher rate than before. How is one supposed to report on his failings, if the act of revealing them triggers immediate accusations of being a traitor and guaranteed prosecution? The US based papers who reported the Snowden leaks took big risks to do so, and of course their source is now in exile ...

about a week ago

Snowden Queries Putin On Live TV Regarding Russian Internet Surveillance

IamTheRealMike Re:Useful Idiot (395 comments)

These propaganda sessions for Putin are pre-staged so Snowden has allowed himself to be used as a "propaganda tool". Considering how freedoms are curtailed in Russia, it seriously diminishes Snowden's reputation.

No it doesn't.

Snowden asked a simple and direct question, as is the norm at Putin's Q&A sessions (he does them with press corps too). Putin gave a simple and direct answer. Whether you believe the answer is a lie or not, it's a question that anyone could have asked and got the same response.

Also, do you actually know these sessions are entirely pre-staged? Can you give a cite for that? Putin had to ask for help with a translation of Snowden's question, why would he make himself look linguistically weak like that if it was all pre-staged and he already knew the question was coming? Far better for him to look fluent.

about a week ago

Retired SCOTUS Justice Wants To 'Fix' the Second Amendment

IamTheRealMike Re:It's crap (1613 comments)

Are you kidding?

What's going on in places like Yemen and Afghanistan where lots of people are heavily armed is exactly the reason widespread gun ownership in the USA makes no sense. You can't beat modern governments by having lots of people own light weapons, it's a stupid idea. If one lone gunman decides the Feds have overstepped and takes them on, he ends up shot or committing suicide and being described as mentally ill (was he? hard to tell now he's dead). If a group of people try to build a conspiracy to attack government installations the NSA will find them and they'll be prosecuted for terrorism or simply vanished before they even make the first move.

The second amendment is obsolete and should just be deleted entirely. The USA is quite clearly not Switzerland, which has a notable absence of mass shootings. A heavily armed population has not stopped the US Govt sliding more and more towards full-blown authoritarianism, nor is it going to. So there are no benefits to this rule. Other countries that got serious about gun control have seen positive results over the long term (e.g. the UK and Australia).

about a week ago

Double Take: Condoleezza Rice As Dropbox's Newest Board Member

IamTheRealMike Re:Low even for Slashdot (313 comments)

I think if James Clapper or Keith Alexander joined the board of Dropbox you'd see the same issues. But they haven't.

Being a donor to one of two political choices (or often both) is one thing. That's very, very far removed from power. Actually having started wars whilst being Secretary of State is entirely different.

about two weeks ago

Double Take: Condoleezza Rice As Dropbox's Newest Board Member

IamTheRealMike Re:Oh why not? (313 comments)

She gave speeches strongly advocating war in Iraq, and was an integral part of the whole process that led to a war which killed over 100,000 people. It was later solidly established that the people at the very top of the Bush administration knew their excuses for war were BS and kept repeating them anyway, and ignoring all the evidence that they were wrong.

I keep reading about how intelligent this woman is. But given the things she's done, she sounds pretty goddamn dumb to me. It's not everyone who can say their mistakes led directly to mass death.

about two weeks ago

Theo De Raadt's Small Rant On OpenSSL

IamTheRealMike Re:Unfortunately, this analysis seems to be spot-o (301 comments)

Much though I love NSA related conspiracy theories, especially lately, I think "the NSA writes a pile of crap and gives it away for free in the hope it becomes inexplicably popular" is perhaps not the best one available. OpenSSL has been around for a loooong time with virtually no resources put into it, which is one reason it sucks. The other reason being that the original author wrote OpenSSL in order to teach himself C (and it shows).

Recall that SSL was not very widely used up until a few years ago, and it's only in the last 18 months that suddenly every man and his dog wants a secure website. It's not surprising that core libraries that do it are subpar. Even very large companies like Google or Microsoft have typically only had one or two people who really understood and cared about SSL.

about two weeks ago

Theo De Raadt's Small Rant On OpenSSL

IamTheRealMike Re:So what is an alternative to OpenSSL? (301 comments)

Unpopular though it is, if you can take a small(ish) performance hit, you could use a Java HTTPS server that proxies to your app. The Sun/Oracle JSSE SSL stack (in the Oracle VM, not Android) is pure Java and thus immune to these sorts of errors. In JDK8 it supports TLS 1.2, ECDSA, perfect forward secrecy and the use of AES-NI for hardware accelerated constant time stream ciphering.

about two weeks ago

Yahoo DMARC Implementation Breaks Most Mailing Lists

IamTheRealMike Re:SPF.. (83 comments)

I would say it is a problem with mailing lists. They are taking mail, rewriting it to say something different, then delivering it in such a way that they claim they didn't change it (with broken digital signatures). This isn't Yahoo breaking mailing lists. This is just mailing lists doing something stupid. The fix is for them to stop doing MITM attacks on people's mail or to do it, but to resign the mail themselves so they take responsibility for it.

It's not like DKIM is new by the way, mailing list developers and admins have had this coming for years. But you won't find a more backward or stubborn bunch than crusty postmasters who have run mailing lists the same way since the 80s.

about two weeks ago
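Added example, not the comment author's code or anything from Yahoo: the mechanical reason a list footer or subject tag breaks DKIM is the bh= body hash that the signature covers. The Python below implements the RFC 6376 "simple" body canonicalization and the base64(SHA-256) body hash, then walks through the relay scenario the comment describes: the sender's hash matches the original body, a list that appends a footer invalidates it, and only a fresh hash computed under the list's own domain (d=) matches the rewritten message. Only the body-hash half is shown; the RSA signature over the headers (b=) is left out, and the domains and message text are constructed.

```python
import base64
import hashlib


def canonicalize_body_simple(body):
    """RFC 6376 section 3.4.3 'simple' body canonicalization: CRLF line endings,
    all trailing empty lines removed, and the body ends with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """The bh= value for a=rsa-sha256 with simple body canonicalization."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_body_tag(body, signing_domain):
    """The two DKIM-Signature fields this example models: d= (who takes responsibility)
    and bh= (what the body looked like when they did)."""
    return {"d": signing_domain, "bh": body_hash(body)}


def body_hash_matches(body, tag):
    """What a receiving verifier does first: recompute bh= over the body it actually got."""
    return body_hash(body) == tag["bh"]


def mailing_list_rewrite(body, footer):
    """The MITM step in the comment: the list appends its own text to the body."""
    return body + footer


def mailing_list_resign(rewritten_body, list_domain):
    """The fix the comment asks for: the list signs what it sends, under its own domain."""
    return dkim_body_tag(rewritten_body, list_domain)
```

A verifier that sees the sender's d= on a body whose bh= no longer matches has only one honest option, which is to treat the signature as broken; a re-signing list instead presents the footer-bearing body under a d= that is actually responsible for it.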

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

IamTheRealMike Re:Yet again C bites us in the ass (303 comments)

Blah blah blah.

Java 8 has a full SSL stack written in Java itself, so no buffer overflows there, and which uses AES-NI for hardware accelerated encryption if available. It also supports perfect forward secrecy and other modern features (no session tickets though).

If you look at the CVE history of JSSE what you will find is that occasional bugs like the Heartbleed attack (not checking length fields correctly) get reported as denial of service issues because they cause managed exceptions that might, if you wrote your code non-defensively, cause your server app to quit. Or they might just cause the connection to drop, which is the right behaviour.

It's about a million times safer than an ancient piece of 1980's style C like OpenSSL.

about two weeks ago
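Added example, written for this page rather than taken from OpenSSL or JSSE: the bug the comment describes is a length field trusted without being compared to the record actually received. The Python below models the TLS heartbeat handler over a constructed byte buffer standing in for process memory, with a vulnerable version that copies whatever payload length the peer claims and a fixed version that applies the bound the OpenSSL patch added (1 + 2 + payload + 16 must not exceed the record length). Python cannot actually over-read a heap, so the "neighbour" bytes after the record are a made-up stand-in for whatever happened to sit there.

```python
import struct

HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
PADDING = 16                                       # minimum heartbeat padding length


def build_memory(payload, claimed_len, neighbour=b"SESSION_KEY=deadbeefcafebabe"):
    """Constructed stand-in for the heap: the received heartbeat record followed by
    unrelated data the peer must never see. Returns (memory, bytes actually received)."""
    record = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING
    return bytearray(record + neighbour), len(record)


def heartbeat_vulnerable(memory, record_len):
    """Trusts the 16-bit payload_length field and ignores record_len, as the
    affected OpenSSL 1.0.1 releases did (CVE-2014-0160, "Heartbleed")."""
    claimed = struct.unpack("!H", bytes(memory[1:3]))[0]
    payload = bytes(memory[3:3 + claimed])         # memcpy(bp, pl, payload) with no bound
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", claimed) + payload


def heartbeat_fixed(memory, record_len):
    """Discards any request whose claimed payload does not fit inside the received record."""
    if record_len < 1 + 2 + PADDING:               # too short to hold type, length and padding
        return None
    claimed = struct.unpack("!H", bytes(memory[1:3]))[0]
    if 1 + 2 + claimed + PADDING > record_len:     # the check the fix added
        return None                                # silently discard, as the fix does
    payload = bytes(memory[3:3 + claimed])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", claimed) + payload
```

The managed-language point in the comment is visible in the model too: an honest slice in Python simply stops at the end of the buffer, and a bounds violation in a real managed runtime raises rather than returning the neighbour's bytes. The C fix has to put that bound in by hand.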

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

IamTheRealMike Re:I take it this is a server concern (303 comments)

I don't think Chrome uses OpenSSL, although they are thinking about switching to it. They use NSS, same as Firefox. I'm not sure any browsers use OpenSSL - it's mostly used on the server.

about two weeks ago

Blender Foundation Video Taken Down On YouTube For Copyright Violation

IamTheRealMike Re:Stop using Youtube (306 comments)

I feel your pain, but I'm not sure the people complaining in this thread understand the sheer size of YouTube. It's literally the entire world's video repository. There are over 100 hours of video uploaded every minute. Over 100 hours! Even if YouTube employed an entire army of specialised copyright lawyers trained in the international nuances of fair use, there's no possible way the enormous number of disputes could ever be mediated in a fair way.

When you upload to YouTube, you get a lot of stuff for free, but you don't have to use them. You could host the video yourself and then the disputes would come to you directly instead of being auto-resolved by a machine. If you aren't willing to pay the costs of doing that, then you need to accept the consequences of YouTube's razor-thin profit margins and vast economies of scale.

about two weeks ago

.NET Native Compilation Preview Released

IamTheRealMike Is JITC finally going to die? (217 comments)

Many years ago there was an R&D project inside a large tech company. It was exploring many of the hot research topics of the day, topics like mobile code, type based security, distributed computing and just in time compilation using "virtual machines". This project became Java.

Were all these ideas actually good? Arguably, no. Mobile code turned out to be harder to do securely than anyone had imagined, to the extent that all attempts to sandbox malicious programs of any complexity have repeatedly failed. Integrating distributed computing into the core of an OO language invariably caused problems due to the super leaky abstraction, for instance, normal languages typically have no way to impose a deadline on a method call written in the standard manner.

Just in time compilation was perhaps one of the worst ideas of all. Take a complex memory and CPU intensive program, like an optimising compiler, and run it over and over again on cheap consumer hardware? Throw away the results each time the user quits and do it all again when they next start it up? Brilliant, sounds like just the thing we all need!

But unfortunately the obvious conceptual problems with just in time compilers did not kill Java's love for it, because writing them was kind of fun and hey, Sun wasn't going to make any major changes in Java's direction after launch - that might imply it was imperfect, or that they made a mistake. And it was successful despite JITC. So when Microsoft decided to clone Java, they wanted to copy a formula that worked, and the JITC concept came along for the ride.

Now, many years later, people are starting to realise that perhaps this wasn't such a great idea after all. .NET Native sounds like a great thing, except it's also an obvious thing that should have been the way .NET worked right from the start. Android is also moving to a hybrid "compile to native at install time" model with the new ART runtime, but at least Android has the excuse that they wanted to optimise for memory and a slow interpreter seemed like the best way to do that. The .NET and Java guys have no such excuses.

about three weeks ago

Submissions

Fake PGP keys for crypto developers found

IamTheRealMike writes | about a month ago

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer, and Gavin Andresen, the maintainer of Bitcoin. In both cases these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures on her key, he couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."
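Added example, not from the submission or from the Tor or Bitcoin projects: whatever the web of trust does or does not say, the check that defeats a substituted key is comparing the full fingerprint of what you fetched against one obtained out of band (a project web page served over HTTPS, a printed card, a previous release you already trust). The Python below computes the OpenPGP v4 fingerprint (RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet length, and the public-key packet body), derives the long and short key IDs from it, and filters constructed keyserver results that all carry the same user ID down to the one matching the pin. The key material, user IDs and creation times are made up and far too small to be real keys.

```python
import hashlib
import struct


def encode_mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack("!H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def v4_public_key_body(created, algo, mpis):
    """Body of a version 4 public-key packet: version, creation time, algorithm, key MPIs."""
    return b"\x04" + struct.pack("!I", created) + bytes([algo]) + b"".join(encode_mpi(m) for m in mpis)


def v4_fingerprint(body):
    """RFC 4880 12.2: fingerprint = SHA-1(0x99 || two-octet body length || body), as 40 hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack("!H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint):
    """Long key ID: the low 64 bits of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint):
    """Short key ID: the low 32 bits. Cheap to collide, so never a basis for trust."""
    return fingerprint[-8:]


def verify_against_pin(body, pinned_fingerprint):
    """Accept a fetched key only if its full fingerprint equals the one obtained out of band.
    Spaces in the human-readable form ("ABCD 1234 ...") are ignored."""
    return v4_fingerprint(body) == pinned_fingerprint.replace(" ", "").upper()


def select_by_pin(candidates, pinned_fingerprint):
    """Given keyserver search results as (user_id, packet_body) pairs that all claim the same
    name, keep only those whose fingerprint matches the pin; the user ID itself proves nothing."""
    return [(uid, body) for uid, body in candidates if verify_against_pin(body, pinned_fingerprint)]
```

The user ID string on a key is free text chosen by whoever uploaded it, which is why two keys with identical "Name <address>" packets can coexist on a keyserver; the fingerprint is the only field derived from the key material.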

No back door in TrueCrypt

IamTheRealMike writes | about 5 months ago

IamTheRealMike (537420) writes "Previously on Slashdot, we learned that the popular TrueCrypt disk encryption tool had mysterious origins and security researchers were raising money to audit it, in particular, to verify that the Windows binaries matched the source. But a part of the job just became a lot easier, because Xavier de Carné de Carnavalet, a master's student at Concordia University in Canada, has successfully reproduced the binaries produced by the TrueCrypt team from their public sources. He had to install exactly the same compiler toolchain used by the original developers, to the extent of matching the right set of security updates issued by Microsoft. Once he did that, compiling the binary and examining the handful of differences in a binary diffing tool revealed that the executables matched precisely beyond a handful of build timestamps. If there's a backdoor in TrueCrypt, it must therefore be in the source code itself — where hiding it would be a significantly harder proposition. It thus seems likely that TrueCrypt is sound."
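Added example, not the student's tooling: the comparison described above reduces to the question "are the only differing bytes the build timestamps?". For PE files the most common such field is the COFF header's TimeDateStamp. The Python below locates that field from the MZ and PE headers, lists the differing byte ranges between two images, and reports whether two builds are identical once the timestamp is masked. The images it compares are constructed minimal PE-shaped byte strings, not real executables; a comparison of real binaries would also need to mask the optional header's CheckSum, the debug directory's own timestamp and any other build-time fields present, and each masked range should be listed so a reader can see nothing else was hidden.

```python
import struct


def pe_timestamp_offset(image):
    """File offset of the COFF header TimeDateStamp: e_lfanew (at 0x3C) -> "PE\\0\\0",
    then Machine (2 bytes) and NumberOfSections (2 bytes) precede the 4-byte timestamp."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 2 + 2


def differing_ranges(a, b):
    """Contiguous [start, end) byte ranges where two equal-length images differ."""
    if len(a) != len(b):
        raise ValueError("images differ in length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def reproducible_except_timestamp(a, b):
    """True if the two builds are byte-identical once the COFF TimeDateStamp is zeroed in both."""
    ts = pe_timestamp_offset(a)
    if ts != pe_timestamp_offset(b) or len(a) != len(b):
        return False
    masked_a, masked_b = bytearray(a), bytearray(b)
    masked_a[ts:ts + 4] = b"\x00" * 4
    masked_b[ts:ts + 4] = b"\x00" * 4
    return masked_a == masked_b


def build_fake_pe(timestamp, code=b"\x90" * 32):
    """Constructed PE-shaped image for the demonstration (not a loadable executable):
    MZ stub, e_lfanew pointing at 0x40, PE signature, a 20-byte COFF header, then 'code'."""
    img = bytearray(b"MZ" + b"\x00" * 0x3A)         # 0x3C bytes of DOS header
    img += struct.pack("<I", 0x40)                  # e_lfanew
    img += b"PE\x00\x00"                            # signature at 0x40
    # Machine=x86-64, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    img += struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    img += code
    return bytes(img)
```

Listing the ranges before masking matters as much as the final verdict: a diff tool that only says "differs" forces the reader to trust the claim that the delta was timestamps, whereas a range such as [0x48, 0x4C) sitting exactly on the TimeDateStamp is something anyone can check against the header layout.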

Are the NIST standard elliptic curves back-doored?

IamTheRealMike writes | about 7 months ago

IamTheRealMike (537420) writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is "Standards for Efficient Cryptography"), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of pi. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by the head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values is currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world has received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."
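Added example, not from the submission or from any standard's reference code: it models the "verifiably random" idea with a toy 61-bit prime and SHA-256 in place of the SHA-1 bit-splicing rule in X9.62/SEC, so it does not reproduce secp256r1 and its numbers mean nothing outside this page. It shows the two halves of the argument above. A verifier can recompute r from the published seed and check r·b² ≡ a³ (mod p), which is all the seed lets you do; and a generator that is free to choose the seed can keep hashing counters until b has whatever property it wants, with nothing in the verification revealing how many seeds were discarded. The seed strings and the "wanted" property are constructed.

```python
import hashlib

P = 2**61 - 1          # toy Mersenne prime; P % 4 == 3, so sqrt(x) = x^((P+1)/4) when it exists
A = (-3) % P           # the NIST prime curves fix a = -3 and derive only b from the seed


def seed_to_r(seed):
    """Stand-in for the X9.62 hash expansion (real standard: SHA-1 output spliced to p's bit length)."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % P


def modsqrt(x):
    """Square root of x mod P for P ≡ 3 (mod 4); None if x is not a quadratic residue."""
    root = pow(x, (P + 1) // 4, P)
    return root if root * root % P == x % P else None


def derive_b(seed):
    """Generator side: find b with r·b² ≡ a³ (mod p), i.e. b = sqrt(a³ / r). Half of all
    seeds fail because a³/r is a non-residue; the standard then moves to the next seed."""
    r = seed_to_r(seed)
    if r == 0:
        return None
    return modsqrt(pow(A, 3, P) * pow(r, P - 2, P) % P)


def verify_curve(seed, a, b):
    """Verifier side: everything a published seed allows you to check."""
    r = seed_to_r(seed)
    return r != 0 and r * b * b % P == pow(a, 3, P)


def generate(base_seed, want=lambda b: True, max_tries=10000):
    """Hash base_seed || counter until derive_b succeeds AND b satisfies the generator's private
    preference `want`. Returns (seed, b, counter); the verifier never learns `want`."""
    for i in range(max_tries):
        seed = base_seed + i.to_bytes(4, "big")
        b = derive_b(seed)
        if b is not None and want(b):
            return seed, b, i
    raise RuntimeError("no suitable seed found")
```

The point of the second generate call in the usage test is the one the submission makes: a curve whose b was chosen from a search over thousands of seeds passes verify_curve exactly as cleanly as one produced from the first seed tried. Verifiable randomness rules out tampering with b after the seed is fixed; it says nothing about how the seed itself was picked, which is why a seed that is an unexplained 256-bit number, rather than a small counter or the digits of pi, leaves the question open.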

BitCoin reaches dollar parity

IamTheRealMike writes | more than 3 years ago

IamTheRealMike (537420) writes "The BitCoin peer to peer currency briefly reached exchange parity with the US dollar today after a spike in demand for the coins pushed prices slightly above 1 USD:1 BTC. BitCoin was launched in early 2009, so in only two years this open source currency has gone from having no value at all to one with not only an open market of competing exchanges, but the ability to buy real goods and services like web hosting, gadgets, organic beauty products and even alpaca socks."

Graduate students being warned away from leak

IamTheRealMike writes | more than 3 years ago

IamTheRealMike (537420) writes "The US State Dept has started to warn potential recruits from universities not to read leaked cables, lest it jeopardise their chances of getting a job. They're also showing warnings to troops who access news websites and the Library of Congress and Department of Education have blocked WikiLeaks on their own networks. Quite what happens when these employees go home is an open question."

Julian Assange rape arrest dropped

IamTheRealMike writes | more than 3 years ago

IamTheRealMike (537420) writes "The BBC reports that "Swedish authorities have cancelled an arrest warrant for Wikileaks founder Julian Assange on accusations of rape and molestation. The Swedish Prosecution Authority website said the chief prosecutor had come to the decision that Mr Assange was not suspected of rape." — that was fast!"

BD+ resealed once again

IamTheRealMike writes | more than 4 years ago

IamTheRealMike (537420) writes "It's been a few months since we last checked in on how the BluRay group were doing in their fight against piracy, so it's time to see how it's going. At the time, a new generation of BD+ programs had stopped both SlySoft AnyDVD HD and the open source effort at Doom9. That was December 13th 2008. At the start of January, SlySoft released an update that could handle the new BD+ programs, meaning that BluRay discs were undecryptable for a period of about three months in total — the same length as SlySoft's worst case scenario. The BD+ retaliation was swift but largely ineffective, consisting of a unique program for every BluRay master. Users had to upload log files for every new movie/region to SlySoft, who would then support that unique variant in their next update, usually released a few days later. Despite that, the open source effort never did manage to progress beyond the Winter 2008 programs and is currently stalled completely, thus SlySoft are the only group remaining. This situation remained for several months, but starting around the same time as Paramount joined Fox in licensing BD+, a new set of programs came out which have once again made BluRay discs unrippable. There are currently 19 movies that cannot be decrypted. It appears neither side is able to decisively gain the upper hand, but one thing seems clear — only full time, for profit professionals are able to consistently beat BD+. Unless SlySoft or a licensed vendor releases a BluRay player for Linux it appears the only way to watch BluRay movies on this platform will be to wait for them to become pirateable."

BD+ successfully resealed

IamTheRealMike writes | more than 5 years ago

IamTheRealMike (537420) writes "A month on from the story that BD+ had been completely broken, it appears a new generation of BD+ programs has re-secured the system. A SlySoft developer now estimates February 2009 until support is available. There's a list of unrippable movies on the SlySoft forums, currently there are 16. Meanwhile, one of the open source VM developers seems to have given up on direct emulation attacks, and is now attempting to break the RSA algorithm itself. Back in March SlySoft confidently proclaimed BD+ was finished and said the worst case scenario was 3 months work: apparently they underestimated the BD+ developers."

IamTheRealMike writes | more than 7 years ago

IamTheRealMike (537420) writes "Rose George has written a fascinating tour of the sewers of London — rarely seen yet essential to life. But the sewers are in decline, with the last of the flushermen who know their inner workings about to retire. Although some of the work is now done by robots and contractors, can anything replace the experience of the men who roam the tunnels by night destroying fat blockages, searching for leaks and repairing the underground labyrinths below our cities?"

IamTheRealMike writes | more than 7 years ago

IamTheRealMike (537420) writes "As one of the world's most prolific producers of oil, Saudi Arabian production is of vital importance to maintaining our standard of living in the west. A new analysis from Stuart Staniford appears to show large, fast declines in production throughout 2006 that are uncorrelated with price, world events or OPEC's own announced production cuts (in fact, no evidence for those cuts occurring is found at all). Given that the apparent steep decline (8%/year) matches the rates seen in other areas where horizontal drilling and water injection were used, and high prices give the Kingdom every incentive to produce, is this the beginning of the end for Saudi oil?"

Journals

IamTheRealMike has no journal entries.
