Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

WhatsApp To Offer End-to-End Encryption

IamTheRealMike Re:FBI Director James Comey may not care. (92 comments)

it's all, once again, a lot of buzzwords, and zero security.

That's a bit unfair. Yes, any security system that tries to be entirely transparent cannot really be end to end secure, but nobody has ever built a mainstream, successful deployment of end to end encryption that lets you use a service even if you don't trust it. There are many difficult problems to solve here. Forward secure end to end encryption behind the scenes is clearly an important stepping stone, and OWS has said they will expose things like key verification in future updates. Just because they haven't done everything all at once, and solved every hard problem, does not mean it's just a lot of buzzwords.

2 days ago
top

Republicans Block Latest Attempt At Curbing NSA Power

IamTheRealMike Re:Beware the T E R R O R I S T S !! (424 comments)

You're willing to sit on the sidelines while ISIS engages in a campaign of genocide and ethnic/religious cleansing? ...... They're barbarians and they need to be terminated with extreme prejudice.

You're against ethnic/religious cleansing but want to "terminate with extreme prejudice" an entire very large group of people largely defined along ethnic and religious lines .........

words fail me

3 days ago
top

Republicans Block Latest Attempt At Curbing NSA Power

IamTheRealMike Re:So basically (424 comments)

If the entire government became Libertarian today, it would take less than 10 years for corporations to take total control of governance and we'd have just as much (or probably more) squashing of individual liberties, but no longer any accountability to voters.

Isn't that a contradiction? I'd think a libertarian government would not want anyone, owners of large corporations included, to take over governance. That's kind of the definition of libertarianism, I thought.

Additionally, I'm having a hard time recalling the last occasion on which a company squashed my civil liberties. Actually I don't think it ever happened. Companies, even big ones, are typically very simple creatures compared to governments - they have simple needs and simple desires. Even companies that can't be easily reduced down to the profit motive (most obviously Google in this day and age) still have quite simple motivations, in their case "build sci fi stuff".

On the other hand, our awesome western governments routinely kill people for merely being in the wrong place at the wrong time or receiving a text message from the "wrong" person (see: signature driven drone strikes).

Whilst these governments aren't quite at the stage of drone striking people who are physically in western countries yet, they certainly are willing to do lots of other nasty things, as residents of gitmo will attest. So given a choice between a government that did very little and mostly let corporations get on with it, or the current state of affairs, it's pretty hard to choose the current state of affairs given the very very low likelyhood of companies deciding to nuke people out of existence of their own accord.

There are many powerful players in society and I'm not one of them. Does it make me a crony capitalist or a welfare queen when I decide I'd rather the power go to those I can vote out of office than those I can't?

No, it doesn't make you either of those things. It does mean you have a lot more faith in voting than other people do. This can be described as either very reasonable or perhaps naive, depending on where you live. E.g. in places like America or the UK voting is driven almost entirely by the economy and matters of foreign policy or the justice system have no impact on elections, politicians know that so they do more or less whatever they like. In places like Switzerland where there are referendums four times a year, preferring voting power to market power would make a lot more sense.

3 days ago
top

Alleged Satellite Photo Says Ukraine Shootdown of MH17

IamTheRealMike Re:uh, no? (338 comments)

Yes, that is exactly how sanctions work.

Do they?

about a week ago
top

Will Lyft and Uber's Shared-Ride Service Hurt Public Transit?

IamTheRealMike Re:Don't make me laugh (237 comments)

Your whole post is reasonable and articulate, and written from an entirely US centric point of view. But taxis are regulated in most parts of the world (perhaps everywhere), and government isn't always as dysfunctional as in the states.

about a week ago
top

Department of Justice Harvests Cell Phone Data Using Planes

IamTheRealMike Re:About time for a Free baseband processor (201 comments)

Lavabit is a bad example - the FBI only requested the private SSL key directly after the Lavabit guy refused to co-operate with a more tightly scoped warrant and claimed he had no way to intercept the data of just the user they were interested in (Snowden) ..... a claim that was manifestly false and everyone knew it. If he had handed over just the data of the one user requested, the SSL key would probably still be private. But after proving that he was utterly unco-operative and quite possibly untrustworthy too, the approach the FBI took was not entirely surprising. Additionally it did go through all the motions and there was plenty of oversight of the whole thing - a lot better than some silent interception.

Yes, if the NSA decided that the signing keys for cell tower certificates had to be handed over using some crappy secret national security court then there's not much the phone companies can do. However, it's still good enough to stop your average local police force who just can't be bothered justifying themselves to a judge and going through the overhead of a proper legal request ... which is what TFA says the driving rationale for these devices is.

about a week ago
top

Department of Justice Harvests Cell Phone Data Using Planes

IamTheRealMike Re:About time for a Free baseband processor (201 comments)

Having a database of the cell towers a phone *should* see in a given region (it should be possible to crowdsource that) should make it possible to throw an alarm if a cell tower with suspicious characteristics "appears" at some spot.

There's no need for a free/open source baseband or really any technical changes at all to fix this at a technical level. Just disable 2G/GSM on your phone (not sure what the equivalent would be for Verizon). 3G/UMTS onwards involves the phone/SIM authenticating the tower cryptographically. That means - only way to create fake towers is to go get the keys from the phone companies. But at least the phone companies can know about it and mount a legal fight, if they so choose. It's not simply up to a donut eating agent to buy some cool hardware and charter a plane. Although in the USA that might not help much, such fights can go different ways in different jurisdictions.

The problem of course is that 3G coverage is usually not as good as 3G+2G coverage.

about a week ago
top

Will Lyft and Uber's Shared-Ride Service Hurt Public Transit?

IamTheRealMike Re:should be banned or regulated (237 comments)

Do you ever wonder why with this completely paranoid culture we have today why no one ever really worries about getting into a random car driven by a complete stranger in a dark alley in a city in a major US city? Well, it's because the medallion that driver carries is worth several hundred thousand dollars in most cases.

It's because people who are in the habit of assaulting or raping random strangers who get into their cars are extremely rare, and hunted down by experienced law enforcement professionals with great efficiency. It has nothing to do with taxi medallions which 99.99% of people who take taxis cannot possibly authenticate as genuine, being as they are non-experts in taxi licensing. Indeed, most taxis I've been in have visible licenses that are so basic (just a piece of paper with a logo and a photo/name on it) that forging them would be beyond trivial. And if you're the sort of person who drives around trying to entice strangers into your death-cab then printing out a Photoshopped license isn't going to stop you.

Indeed it's only a few US cities that have this crazy medallion system. In most parts of the world taxi licenses are expensive but not THAT expensive. So it can't be medallions that keep people safe.

In general I'm not against carefully thought out laws that have strong and clear justifications for them. I am not some anti-government zealot. A good, solid piece of scientific analysis showing that the costs of such laws are outweighed by their benefits would convince me, ideally backed by studies between areas where taxis are unlicensed vs areas where they are licensed. But I've found that the lawmaking process is very rarely driven by any kind of scientific process like that.

about a week ago
top

After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly

IamTheRealMike Re:Hey, no worries! (86 comments)

At some point - probably soon - they'll shut down the last one of these and then there won't be any more. That's how the war on drugs was won!

I know you are being sarcastic, but the number of people on this thread who need a reality check is just amazing.

Why are there no online drug stores running on regular non-Tor websites, accepting money via PayPal? Because they would get shut down and the operators arrested immediately. In fact there used to be one such site, called the Farmers Market, which pre-dated the use of Tor and Bitcoin. And the owners were indeed found and jailed. Since FM was seized there weren't any more like it.

Now we come to this. It appears that the police believe they have a repeatable technique for busting black markets using hidden services. Whether they do or whether it's just a bluff, I suppose we shall see - I suspect they have a technique that is powerful but not all powerful. But I don't know and nor does anyone else outside the law enforcement community, so the people running and using sites like Evolution and Agora are taking big risks.

If the new technique they've developed is powerful enough, it's actually not unimaginable that all such sites would end up being seized.

about two weeks ago
top

After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly

IamTheRealMike Re:Whack a mole; it's govt. policy! (86 comments)

The fact remains though.... the U.S. post office surely helped facilitate the actual delivery of many of those illegal orders placed on Silk Road, yet we never talk about arresting the mailmen who delivered the packages. We never talk about raids on the post offices to search through boxes held there either.

Um, there might be arguments for what the Silk Road and similar sites have been doing, but this isn't it.

The Post Office in any country is not explicitly set up to facilitate illegal activity. You don't read about postmen getting arrested for delivering packages because they are doing so blindly, they didn't know they were delivering drugs. And you don't hear about raids on post offices because .... duh .... the postal system cooperates with law enforcement when they get a warrant to search mail, along with other ways too.

The charges against Ulbricht and Benthall are "engaging in a conspiracy to sell narcotics". The post office is clearly not doing that, so, no crime.

it seems to me that's little more than a detail that such site operators could get around by simply making broad, more general categories that are clearly usable for LEGAL transactions as well as anything illegal in some countries.

Your understanding of the law is incredibly bad. In law, intent matters a lot. Silk Road 1.0 did in fact have categories for things like books. However its primary purpose was clearly the selling of drugs, as evidenced by the fact that they didn't remove drug listings, had dedicated categories for them, helped mediate disputes for them, charged money on them, and tried to hide themselves because they knew what they were doing was illegal.

If Silk Road had been primarily a book store, and occasional ads for drugs were quickly erased, then there would have been no problem .... but equally no point, because existing sites like Amazon already do a good job of that.

about two weeks ago
top

Google's Lease of NASA Airfield Criticized By Consumer Group

IamTheRealMike Re:Follow the money (138 comments)

Consumer Watchdog got a $100k grant specifically to attack Google. No issues with money getting mixed up for different causes there. It's basically a lobbying/PR group that poses as some sort of consumer rights organisation - at one point there website was being cohosted by an actual Washington lobbying firm that claimed to specialise in "grassroots movements". As phony as they get.

about two weeks ago
top

Espionage Campaign Targets Corporate Executives Traveling Abroad

IamTheRealMike Re:Corporate espionage is standard practice (101 comments)

... at least, outside of the US, it seems. Many countries have a policy that basically boils down to "if you can grab it, then it's yours, and it's impolite for another company to point fingers and claim you stole it."

I guess you didn't read the parts of the Snowden releases where NSA/GCHQ were caught engaging in industrial espionage, right?

If you think the USA is somehow on a moral high ground here, I really wonder why. The USA has less that it can steal from other countries, but it certainly hasn't shown any signs of hesitation.

about two weeks ago
top

Joey Hess Resigns From Debian

IamTheRealMike Re:DebianNoob (447 comments)

(posting to undo a moderation misclick on the above post, sorry)

about two weeks ago
top

After Silk Road 2.0 Bust, Eyes Turn To 'Untouchable' Decentralized Market

IamTheRealMike Re:Look on the bright side ... (108 comments)

Since it's decentralized, they'll have to go after the actual users.....

... or the developers. I'm not sure OpenBazaar is going to win this one. The way to gain immunity is to build tools that genuinely have large amounts of legitimate usage, large enough that attempts to blanket ban the whole thing are seen as unacceptable.

The amount of trading on these black markets is huge. Meanwhile, demand for a pure p2p trading marketplace is probably rather low. It would be very easy for OpenBazaar to be overwhelmed by bad usage and not have enough good usage to defend itself.

Additionally, I think a lot of people have forgotten that even Silk Road 1 and 2 were actually somewhat policed. When SR1 was brand new, in the very earliest days, it had no rules at all and a few ads appeared for things like nuclear material and slaves. The ads were extremely convincing and quite, quite chilling. DPR shut them down immediately and instituted the "no things that do harm to others" policy, though of course that policy was hardly internally consistent - he was quite happy to sell guns.

But if OpenBazaar has no way to control listings at all, things like that might well start appearing again. And that would put them in a whole world of hurt. Governments care about the drug war yes - but they care about nuclear proliferation a hell of a lot more.

about two weeks ago
top

British Spies Are Free To Target Lawyers and Journalists

IamTheRealMike Re:There can be no defense of this. (184 comments)

Please show me the abundance of dangerous terrorists/serial killers that are simultaneously practicing lawyers or journalists.

about two weeks ago
top

Users Can't Distinguish Scams From Facebook's Features

IamTheRealMike Re:Facebook is the scam (116 comments)

Facebook does mark advertisements as such and always has, as far as I know.

about two weeks ago
top

Pirate Bay Co-founder Arrested In Northeastern Thailand

IamTheRealMike Re:What a shame (189 comments)

Is there a loss in profit for original work? No doubt, but I would argue .....

The failure occurs at this point. You can argue all you want, and if you can convince content creators you are right they might go along with your suggestions to (presumably) give away all their work for free. After all, open source software developers often do.

However, what the Pirate Bay does is simply ignore the wishes of the people who created things, and profit off it. That's not winning arguments, hearts or minds. That's not even ethical. It's selfish exploitation of what could otherwise be a pretty reasonable and flexible framework.

about three weeks ago
top

Ask Slashdot: How Useful Are DMARC and DKIM?

IamTheRealMike Re:Mailing lists (139 comments)

That's not the case at all.

DKIM allows mail providers to detect that a message was tampered with in transmit, and DMARC tells mail providers to trash tampered messages.

Therefore, a mailing list has several options.

Option one is: don't tamper with the signed data in transit. This is very easy. It means not doing things like editing the subject line or adding signatures to the end of mails, but any good email client can auto label or filter mailing list messages anyway, so this is not a big deal.

Option two is: tamper with it, but resign under your own sending identity. This means the From header will be "wrong", but not really, because the message isn't really "from" the sender at this point. It would be more accurate to say the message resembles one sent by the original sender, but really, from a security POV, the mailing list could have done anything.

I prefer option one, myself, but either works.

about three weeks ago
top

Ask Slashdot: How Useful Are DMARC and DKIM?

IamTheRealMike Re:Mailing lists (139 comments)

All mailing lists that I am subscribed to have taken the more expedient option of banning Yahoo users from subscribing to their lists. This has the nice side-effect that it makes users switch to a more modern e-mail provider in the process. After everything was said and done, most users were actually quite thankful for this...

Guess what! It's people like yourself that make upgrading email virtually impossible. Congratulations on holding back the security of the email system for everyone, I hope you're pleased with yourself.

Mailing lists that rewrite people's email whilst refusing to resign it as themselves are doing a man in the middle attack on people's email. MITM attacks are bad, right? That's why browsers reject them. They make phishing easier, spam classification harder and generally make the email ecosystem worse. By doing the same thing as modern web browsers Yahoo is not being old and fusty as you imply, in fact, they are on the cutting edge. Believe me, if it weren't for the preponderance of awful decades-old mailing list managers other mail providers would already be doing the same thing.

The amazing features we get for these MITM attacks are ..... tags in the subject line, and, er, email list signatures. Both of which contain information redundant with the email headers, and both of which can be easily replicated by email client software.

Not worth it, not even close. Please fix your mailing list instead.

about three weeks ago
top

Ask Slashdot: How Useful Are DMARC and DKIM?

IamTheRealMike Re:Not really (139 comments)

That does not equate to "DKIM is useless". Most email on the internet is DKIM signed at this point. If your clients don't use it, they're in the minority.

about three weeks ago

Submissions

top

China performing SSL MITM attacks on iCloud

IamTheRealMike IamTheRealMike writes  |  about 1 month ago

IamTheRealMike (537420) writes "Anti-censorship blog GreatFire has published a story claiming that SSL connections from inside China to Apple iCloud are being subject to a man in the middle attack, using a self signed certificate. Apple has published a knowledge base article stating that the attacks are indeed occurring, with example screenshots of the SSL cert error screens used by popular Mac browsers. Unfortunately, in China at least one natively produced browser called Qihoo markets itself as "secure", but does not show any certificate errors when presented with the self signed cert. Is this the next step towards China doing systematic SSL MITM attacks, thus forcing their population onto Chinese browsers that allow the surveillance and censorship to occur?"
top

Fake PGP keys for crypto developers found

IamTheRealMike IamTheRealMike writes  |  about 8 months ago

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures her key, he couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."
top

No back door in TrueCrypt

IamTheRealMike IamTheRealMike writes  |  1 year,28 days

IamTheRealMike (537420) writes "Previously on Slashdot, we learned that the popular TrueCrypt disk encryption tool had mysterious origins and security researchers were raising money to audit it, in particular, to verify that the Windows binaries matched the source. But a part of the job just became a lot easier, because Xavier de Carné de Carnavalet, a masters student at Concordia University in Canada has successfully reproduced the binaries produced by the TrueCrypt team from their public sources. He had to install exactly the same compiler toolchain used by the original developers, to the extent of matching the right set of security updates issued by Microsoft. Once he did that, compiling the binary and examining the handful of differences in a binary diffing tool revealed that the executables matched precisely beyond a handful of build timestamps. If there's a backdoor in TrueCrypt, it must therefore be in the source code itself — where hiding it would be a significantly harder proposition. It thus seems likely that TrueCrypt is sound."
top

Are the NIST standard elliptic curves back-doored?

IamTheRealMike IamTheRealMike writes  |  about a year ago

IamTheRealMike (537420) writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is "Standards for Efficient Cryptography"), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of PI. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values are currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."
top

BitCoin reaches dollar parity

IamTheRealMike IamTheRealMike writes  |  more than 3 years ago

IamTheRealMike (537420) writes "The BitCoin peer to peer currency briefly reached exchange parity with the US dollar today after a spike in demand for the coins pushed prices slightly above 1 USD:1 BTC. BitCoin was launched in early 2009, so in only two years this open source currency has gone from having no value at all to one with not only an open market of competing exchanges, but the ability to buy real goods and services like web hosting, gadgets, organic beauty products and even alpaca socks."
Link to Original Source
top

Graduate students being warned away from leak

IamTheRealMike IamTheRealMike writes  |  more than 3 years ago

IamTheRealMike (537420) writes "The US State Dept has started to warn potential recruits from universities not to read leaked cables, lest it jeopardise their chances of getting a job. They're also showing warnings to troops who access news websites and the Library of Congress and Department of Education have blocked WikiLeaks on their own networks. Quite what happens when these employees go home is an open question."
Link to Original Source
top

Julian Assange rape arrest dropped

IamTheRealMike IamTheRealMike writes  |  more than 4 years ago

IamTheRealMike (537420) writes "The BBC reports that "Swedish authorities have cancelled an arrest warrant for Wikileaks founder Julian Assange on accusations of rape and molestation. The Swedish Prosecution Authority website said the chief prosecutor had come to the decision that Mr Assange was not suspected of rape." — that was fast!"
Link to Original Source
top

BD+ resealed once again

IamTheRealMike IamTheRealMike writes  |  more than 5 years ago

IamTheRealMike (537420) writes "It's been a few months since we last checked in on how the BluRay group were doing in their fight against piracy, so it's time to see how it's going. At the time, a new generation of BD+ programs had stopped both SlySoft AnyDVD HD and the open source effort at Doom9. That was December 13th 2008. At the start of January, SlySoft released an update that could handle the new BD+ programs, meaning that BluRay discs were undecryptable for a period of about three months in total — the same length as SlySofts worst case scenario. The BD+ retaliation was swift but largely ineffective, consisting of a unique program for every BluRay master. Users had to upload log files for every new movie/region to SlySoft, who would then support that unique variant in their next update, usually released a few days later. Despite that, the open source effort never did manage to progress beyond the Winter 2008 programs and is currently stalled completely, thus SlySoft are the only group remaining. This situation remained for several months, but starting around the same time as Paramount joined Fox in licensing BD+ a new set of programs came out which have once again made BluRay discs unrippable. There are currently 19 movies that cannot be decrypted. It appears neither side is unable to decisively gain the upper hand, but one thing seems clear — only full time, for profit professionals are able to consistently beat BD+. Unless SlySoft or a licensed vendor release a BluRay player for Linux it appears the only way to watch BluRay movies on this platform will be to wait for them to become pirateable."
top

BD+ successfully resealed

IamTheRealMike IamTheRealMike writes  |  more than 5 years ago

IamTheRealMike (537420) writes "A month on from the story that BD+ had been completely broken, it appears a new generation of BD+ programs has re-secured the system. A SlySoft developer now estimates February 2009 until support is available. There's a list of unrippable movies on the SlySoft forums, currently there are 16. Meanwhile, one of the open source VM developers seems to have given up on direct emulation attacks, and is now attempting to break the RSA algorithm itself. Back in March SlySoft confidently proclaimed BD+ was finished and said the worst case scenario was 3 months work: apparently they underestimated the BD+ developers."
top

IamTheRealMike IamTheRealMike writes  |  more than 7 years ago

IamTheRealMike (537420) writes "Rose George has written a fascinating tour of the sewers of London — rarely seen yet essential to life. But the sewers are in decline, with the last of the flushermen who know their inner workings about to retire. Although some of the work is now done by robots and contractors, can anything replace the experience of the men who roam the tunnels by night destroying fat blockages, searching for leaks and repairing the underground labryrinths below our cities?"
top

IamTheRealMike IamTheRealMike writes  |  more than 7 years ago

IamTheRealMike (537420) writes "As one of the worlds most prolific producers of oil, Saudi Arabian production is of vital importance to maintaining our standard of living in the west. A new analysis from Stuart Staniford appears to show large, fast declines in production throughout 2006 that are uncorrelated with price, world events or OPECs own announced production cuts (in fact, no evidence for those cuts occurring is found at all). Given that the apparent steep decline (8%/year) matches the rates seen in other areas where horizontal drilling and water injection were used, and high prices give the Kingdom every incentive to produce, is this the beginning of the end for Saudi oil?"

Journals

IamTheRealMike has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?