NSA Able To Crack A5/1 Cellphone Crypto
26th Chaos Communication Congress, 2009:
It is already well known that you can break A5/1 offline anytime you want, and at the 26th CCC there was the "GSM: SRSLY?" conference which outlined the 2 main problems of GSM and UMTS.
GSM A5/1 can be broken (and the give plenty of details), but it is not used in UMTS. No worries, for UMTS you just need a fake station and you are set. No offline decoding though.
HTTP 2.0 May Be SSL-Only
So your solution is?
not using anything 'cause the NSA is over you?
Saying that the CA system and the DNS(SEC) infrastructure are the same is retarded.
The CA system is managed by hundred of companies, and you can not possibly know if some company as an unauthorized certificate.
Want to know if someone is giving false information on DNSSEC? "dig domainname + dnssec" should be enough....
The current (DNSSEC) system has problems, but it is not as rotten as not having anything, so it's better than nothing. Please stop denigrating it to such an extent
Microsoft Warns Customers Away From RC4 and SHA-1
I can understand RC4.
I can understand MD5.
But SHA1? right now, according to wikipedia, a full collision attack requires something like $2.77M of computing power on the cloud...
maybe a less if you have you own supercomputer, but even at $1M it sound a lot...
So why warn away from SHA1 NOW? what are we going to use? md5? md4? remember that while keccak was chosen as the SHA3, they still have to release the complete details on how it must be implemented -- number of rounds and such -- so SHA3 *NOW* is not an option.
I'll start taking microsoft seriously on this once they phase out MD4, RC4, MD5 from their existing standards and products.
Bill Gates: Internet Will Not Save the World
The Internet is a tool, subject to the human will and policies.
"eradicating disease" is instead long, constant process that requires multiple tools, innovation and people.
It also already has an objective (saving people's lifes).
So, we are comparing a mere object with no specific objective to a long, evolving process with a specific goals...
Color me unimpressed.
But even "eradicating disease" per se doesn't save the world, first because "the world" is not "the people", and because having the cure doesn't mean that you are willing to distribute it freely or at accessible costs.
So, to sum it up... the right policies will save the world?
A Protocol For Home Automation
I had a quick look at the website, and can't find any low-level detail, just a lot of pictures...
That said, he seems to use HTTPS/SSH and certificate-based access.
It is useless to sign the certificates, since we are in a lan, not on the internet, and I doubt your house devices will have a full dns name...
I'm more interested in the packet structure and to the data format, as it always gives more insight on the protocol that big, colored images...
Its said to use websockets, but I doubt that will be the case in SSH-based access.
There seems to be the option to use UDP multicast for the sensors..
The HTTP traffic is exchanged via websockets and json... This is nice, since the programmers can use all the http server/client and json libraries they want, and it usually is fairly simple.... BUT we are talking about home automation, arduino boards and in general "things" with very little computational power/memory etc...
I really don't understand why we want all on HTTP, the efficiency is very low and now you require an HTTP server and client to communicate with something just to flip a switch...
Maybe if SNMP was done the right way, without OIDs and security from the start we would not need this, but I digress...
I don't like the fact that there seem to be a lot of new definitions... apprentices, stewards, and ... "things"... couldn't dumb it down more even if he tried -.-''
But the nice thing is that it seems to be able to include 3rd-party modules and protocols fairly easily... Which IMHO is not a small thing and can in fact help this protocol a lot.
And whatever he does, he can't do as badly as DPWS. If he manages to make it general enough we might even put an end to the horror that is DPWS and WS-* standards....
Ten Steps You Can Take Against Internet Surveillance
That's 500 analysts for 350 million population, or 1 analyst for every 700,000 people. What makes you think you are special enough to deserve their attention?
But since you have so many people to check, doesn't that mean that they are going to make a massive use of automation to do the checks?
Remember how good the spamfilters are? And they are designed against something extremely frequent
Now remember how infrequent a terrorist attack is? And what about that False positive paradox?
It's not about feeling special or not, it's just the the system is broken by design... and the algorithms are surely perfect...
Did NIST Cripple SHA-3?
No worries, X.509 are big and bulky, and the management of the certificates authorities kinda sucks anyway.
Nah, I don't use X.509, but the trust model is granted and secure. And bonus points: its free of charge and already existing :)
Did NIST Cripple SHA-3?
Good luck with that, it's not like I'm in the U.S.A., and once the project goes public, I doubt you can really influence it without people noticing. :)
Also, as with everything working with encryption, you need a way to distribute keys, a "trust model". And the trust model will not be too different from todays X.509 certificates, so the NSA might still be able to compromise the trust of this protocol (assuming that the NSA has compromised the trust model in X.509 certificate handling).
Still, with my new protocol you should be able to know if someone is compromising the basic trust model, so some protection might be applied...
Did NIST Cripple SHA-3?
Can someone please make an open source "Scheneier Suite" of cryptography written in C for the world to make use of already please!?
Working on it for my master thesis ;)
Just a "Schneier Suite" would be limiting, though. We need more than just the basic algorithms, and not only from Schneier.
Anyway, I'm developing a new transport/encryption/authentication/federated protocol, which combines ideas from SSL, Kerberos and a lot more, plus some new...
I already have written all the specification, I'm starting to code it now.
Keep your ears open for the "Fenrir" project, I'll probably release something in 3-4 months... Although the stable release will probably wait until I finish my master, around July-October '14... 'sorry for the wait, but I have other things to study, too :(
And yeah, all opensource, a mix of apache2 for the main library and GPL for the auth daemon...
AMD Launches New Mobile APU Lineup, Kabini Gets Tested
What's more, the Core-i3 matches the A4-5000 in power efficiency while its HD 4000 graphics completely outpace the APU.
has anyone bothered looking at the benchmarks? The overall system power consumption when games were run was 20watts for AMD and 35watts for the Core i3.
To my calculation, that's a 75% more power consumption then AMD. Intel hardly "matches" anything...
AMD was still at least 3 watts less power hungry in any other benchmark, too...
OpenStreetMap Launches a New Easy To Use HTML5 Editor
Just tried it, *very* easy to use....maybe a little slow...
now, if only I could save my changes... they seem to have a couple of problems with OAuth (if you already have an account and use it for the first time)
fscking OAuth... worst protocol ever...
Former FBI Agent: All Digital Communications Stored By US Gov't
Just do like the LHC does. filter things at multiple levels, and this is doable for telephones.
You don't really need *all* the data.
Data coming from public terminals might be important, data coming from common houses might be less important as people are afraid of being found out..
Or watch for call-loops. A circle of calls where A calls B, then B calls C and C calls A might be suspicious. bonus points for watched numbers.
Or a series of quick calls from someone, or a chain of quick calls...
filter out calls between families, or between companies... depends on what you're searching..
Or just keep all the data for a week, and if no one collects it, and the algorithms do not signal anything, then discard the old one to make space..
There are a lot of possible ways to analyze all our voice/text data..
If we talk about Internet traffic, then you could optimize thing a little, for example discard content from youtube, BBC, as they already log everything, keep 4chan... there's a lot more data, but profiling helps a lot.
It's not the same as "everything", but if you ask me, it's damn close... and doable....
just my 0.02$
Btrfs Is Getting There, But Not Quite Ready For Production
I tried btrfs as my main laptop filesystem:
nice features, speed ok, but i happened to unplug by mistake the power supply, without a battery. bad crash...
I tried using btrfsck, and other debug tools, even in the "dangerdon'teveruse" git branch, they just segfaulted. at the end my filesystem was unrecoverable, I used btrfs-restore, only to find out that 90% of my files had been truncated to 0... even files i didn't use for months....
now, maybe it was the compress=lzo option, or maybe I played a little too much with the repair tools (possible), but untill btrfs can sustain power drops without problems, and the repair tools at least do not segfault, I won't use it for my main filesystem...
btrfs is supposed to save a consistent state every 30 seconds, so I don't understand how I messed up that bad.... maybe the superblock was gone and the btrfsck --repair borked everything, I don't know.... luckily for me: backups :)
Security Holes Found In "Smart" Meters
we had a similar problem in Italy.
basically the new electricity meters were infrared-accessibile.
password protected, of course.
no need to hack anything trough, just use '0000', '1234' or '3635' ("enel as written with a cellphone, it's the company name).
ta-da! full access.
so what did we do? nothing. but we're in italy after all...
Microsoft Interns Still Feel the Love
In this tough economic time, with unemployment approaching 10% (in the U.S.), let me be the first to say FUCK YOU!
In a world where many people have never made a phone call [...] let me be the first to say FUCK YOU!
...for some definitions of "first"...
Trust an Insurance Company's "Drive-Cam?"
it will also monitor other adult drivers.
Not if you put a PostIt note over it while you're driving.
then they say the contract is broken and make you pay a fine or refuse to pay if something happens.
and what if the next thing they ask is odb recording?
oh, and obviously recording someone without having access to registration unless something happens automagically makes him drive safer. yeah, sure.
Google Getting Into the Solar Mirror Business
...Italy just dropped all economical support to solar-termal energy.
photovoltaic still has subsides, but no more for solar-thermal.
and we were the 3rd country with most solar thermal in europe untill now.
Why Users Drop Open Source Apps For Proprietary Alternatives
1. Lack of attention to interface and usability design. This is not "eye candy". Consider: People think Photoshop is easier to use than Gimp. What does that tell you? (Responses that trash Photoshop users illustrate the problem.)
when there's a problem with a gui, people always talk about gimp. firefox has a good gui design, the whole ubuntu distro is actually easy for a normal user, yet all you see is gimp.
gimp's gui is a mess, ok, but there are plently of good opensource gui too. ubuntu/gnome made a good set for instance.
2. I get the impression that, apart from the corporate funded biggies, many open source projects are staffed by one or two people. That's not confidence-insipiring when I'm looking for software to use for years in the future.
in opensource project there usually is a single mantainer and a lot of coders. when you think about it, changing mantainer is like changin ceo. no big difference. but if the company dies, it's dead. if the main mantainer leaves, the worst that could happen is a fork. can you predict how a company will be in 10 years? so what's worst?
3. Rushed updates often made to conform to an established schedule. If an update needs more time, don't release it.
so you get one update per month? ;) apart from some distros, i've never heard of an open source software that was rushed for shedule. usually they don't have any.
4. Lack of innovation. Software innovation is really, really hard and no one does it well. However, open source software, more or less by intent, produces many slightly varied iterations of the same code. I.e., forks.
gotta love this one. fork is a possibility, not something granted for all opensource projects. care to list some big forked opensource projects where both the main and the fork are being developed?
5. Hostile attitude to customers: One of the touted benefits of open source software is access online to developers and other cognoscenti for tech support. Although I suspect it happens with less frequency these days, too many open source users are met with hostile "code it yourself" or "I'm not interested in that..." responses when they ask for help with a problem. Online support forums should not run bugtracking software.That's a developer-only tool.
soo... is adobe accepting bug reports from users now? microsoft? when was the last time you submitted a bug report to a closed source project and it was actually fixed?
maybe it's just me, but apart from #1 these points should make you choose opensource.
funny thing is, your list does not include "gets the job done", which should really be number 1 on the list.
Con Kolivas Returns, With a Desktop-Oriented Linux Scheduler
funny thing is:
Linus is quoted all over the internet saying:
"I have never, ever cared about really anything but the Linux desktop."
and we can't get this patch becouse it won't scale with more than 16 cpus.
someone needs to make up his mind...
RIAA Hearing Next Week Will Be Televised
it will be televised on the 22, 14.00 ( Massachusetts time )
this is the list for the other timezones for those of you who want to see it :P