Slashdot: News for Nerds

Comments

New Mayhem Malware Targets Linux and UNIX-Like Servers

Mathinker Re:Derp (163 comments)

There's this link that references USB-HID specifically at 750 characters per second. I can't find other references to USB HID rates, and the HID protocol is semi-flexible (i.e. it's really fucking hard to implement NKRO on HID, since HID keyboard protocol specifies 6KRO in boot mode; but you're free to implement an alternate HID protocol once your keyboard's out of boot mode).

Thanks for the hint to look at the USB-HID standard (1.1) in which even high-speed devices are limited to 64KB/s. That's interesting info. Does the USB hardware + operating system on most computers actually enforce that?

OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole

1-2 second delay is an expected human-facing turn-around: this actually happens on most modern systems. I pointed it out and then theorized eliminating that rate limit entirely, instead relying on the limits of the HID keyboard protocol at 750 characters per second, which is the faster measurement and thus can be taken as a worst case.

You don't actually seem to be addressing my argument here, perhaps you misunderstood? It's clear to me what you did, my argument was that doing what you did made no sense given the "1-2 second delay" you state, and given that datum, your characterizing Windows as "retarded" for not distinguishing between 750 char/s and the much faster network, was illogical.

Your naivety about the average entropy in a typical 8 character password is striking.

We're talking about theoretical password complexity here, not dictionary attacks.

Yes, I am capable of reverse engineering your math. You err, though. "We're talking about..."? No, you're talking about...

I'm not quite getting this. You dismiss the possibility that weak passwords are used, so that hardware password attacks are dismissable, but at the same time address the problem that these same non-weak passwords aren't strong enough to withstand network password attacks without lock-outs? Yes, I suppose there are some real-life situations in which that's true, but why would you rag on Microsoft for trying (in what I agree is not a reasonable way) to cover other possible situations (and, given their user base, much more probable ones)?

3 days ago

New York State Proposes Sweeping Bitcoin Regulations

Mathinker Re:Translation (121 comments)

> The IRS will know who you are when you bought your bitcoin from a regulated exchange.

OK... I suppose so (still doesn't address the "multiplicity of jurisdictions" problem), but that is a quite different scenario than that posed by the poster I replied to, who wanted bitcoin "criminalized and shut down" via legislation.

Your comment was already covered by, for example, this poster.

3 days ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

Mathinker Re:Derp (163 comments)

> That's called a movie plot security threat, and it's not a concern.

Do you always start out your arguments by "poisoning the well"? BTW, the person who coined "movie plot security threat" doesn't exactly agree with you.

> Aside from all the obvious shit like "how do you get in there unnoticed?"

Did you miss the "on a public computer" part of my post? Never heard of social engineering?

> Even without a 1-2 second turn-around for testing a password, keyboards can only enter 750 characters per second.

Where did this "750 characters per second" come from? Is this a limit built into Windows? USB 2.0 runs at 35 MB/s, according to Wikipedia.

OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole --- if the password check itself is the limiting factor, even for the "slow" keyboard, it makes no sense to make a distinction between password attempts from the keyboard and those from the network, so it would be silly to call Windows "retarded" for doing so.

> That's less than 100 password attempts per second for 8 character passwords,
> or 10^12 seconds to try them all. 800,000 years!

Your naivety about the average entropy in a typical 8 character password is striking.

3 days ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

Mathinker Re:Derp (163 comments)

Windows does stupid shit like lock the local console if you set up rate-limit log-in...when logging in through the Microsoft log-in manager. That's retarded. A person is sitting at that console, and can't enter passwords fast enough; it should NEVER BE LOCKED.

You have limited imagination, what about an attack on a public computer via replacing its keyboard with one which includes a CPU + password cracking program?

So Windows isn't quite as retarded as you think; it's just retarded in that it doesn't rate-limit the two kinds of logins separately (i.e., still very retarded).

3 days ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

Mathinker Re:Derp (163 comments)

I think nowadays that one can assume that 1400 random infections (for the botnet in question) on the net would include most countries. Even more so for the larger botnets which exist. So my suspicion is that this tactic has limited utility, possibly so limited that it is no longer worthwhile ("Damn, I forgot to turn off the geoblocking before my unexpected trip to Peru!").

3 days ago

New York State Proposes Sweeping Bitcoin Regulations

Mathinker Re:Translation (121 comments)

No, I won't bite on the Ponzi flamebait. But <sarc>I'm sure Satoshi is quaking in his boots</sarc>.

Er, reality check?

  • Your "little bit of legislation" is only going to affect people in your little bit of jurisdiction.
  • Except for someone who actually is stupid enough to directly declare he has bitcoin, it is trivial to conceal it, and trade/spend it outside problematic jurisdictions.

Are you one of those who also believe that we just have to pass stricter laws and piracy will disappear?

4 days ago

Mt. Fuji Volcano In 'Critical State' After Quakes

Mathinker Re:.. not in italy (151 comments)

> They were convicted for making statements that earthquake will not happen

And they actually made such statements? Or, perhaps they merely said that "as far as science knows, the probability of an earthquake is no larger than, say, last year". The whole thing looked like a witch hunt to blame someone for damages which were caused by natural causes, because no politician is going to get up in front of the electorate and actually tell them "Sorry, there is a very small chance that large numbers of people in our country could die from X, Y, or Z and there is no practical way to prevent these dangers."

It frankly looked like scientists sacrificed on the stage of security theater.

5 days ago

Intuit Beats SSL Patent Troll That Defeated Newegg

Mathinker Re:"Clearly bogus"? (59 comments)

Prior art has to be published. Until recently, the courts were very particular about what constitutes publishing, to the extent that "properly publishing" patents was (is?) an industry.

about three weeks ago

Intuit Beats SSL Patent Troll That Defeated Newegg

Mathinker Re:WAT (59 comments)

> RC4 is math. It's either broken or not-broken. You can't go half way.

Security isn't binary. Cryptography, being targeted for practical application, is different than theoretical mathematical statements, which we all know can be discovered to be either correct or incorre... hang on, Godel is calling me from the afterlife...

(heard from distance) What? Really! Mind-blowing, man. Yes, I know your name has those two funky dots, but Dice thinks "pretty" is more important than "functional", so it might be a while before Slashdot can actually display them...

about three weeks ago

Big Bang Breakthrough Team Back-Pedals On Major Result

Mathinker Never trust the bangking system (127 comments)

Well, we can't be completely sure. Possibly, before the Big Bang, the Central Bang Bank messed up the Bang interest rate stabilization calculations, and our universe ended up getting a lot less Bang for our buck...

about a month ago

Fuel Cells From Nanomaterials Made From Human Urine

Mathinker Re: the stuff just comes out by itself (83 comments)

If humanity is ever going to colonize other solar systems with slower-than-light travel, it's a no-brainer that we're going to have to learn how to recycle our waste. In a closed ecosystem, it makes sense to find ways to use urine, or plants/bacteria/yeasts grown using urine, as raw material to produce essential materials for repairs.

about a month and a half ago

As Crypto Mining Grows, Data Centers Begin Accepting Bitcoin

Mathinker Re:What a dumb waste of energy... (94 comments)

You're still not arguing against the points raised by DanielRavenNest and ultranova. Neither of them claimed that the bitcoin protocol was the "best-designed" protocol from an energy efficiency point of view.

If you're really interested in solving the problem which seems to irk you so, just go out and make Peercoin (or whatever other alternative cryptocurrency you invent which doesn't require proof-of-work in the long term for maintaining the block chain) more popular than Bitcoin. You could start by talking about Peercoin's advantages every time Bitcoin comes up...

> OK, I think you see the point,

What? I merely see that you don't know how to argue logically well.

about a month and a half ago

As Crypto Mining Grows, Data Centers Begin Accepting Bitcoin

Mathinker Re:What a dumb waste of energy... (94 comments)

Honestly, if the machines were that profitable then the companies making them would just keep them and mine on their own, as it would be more profitable than just selling the hardware.

This actually isn't totally true, since cryptocurrencies rely on several kinds of trust, and one of them requires that no single entity controls the mining. So it can sometimes be in the interest of a mining equipment manufacturer to even sell mining equipment at a loss, if the manufacturer also mines.

about 1 month ago

As Crypto Mining Grows, Data Centers Begin Accepting Bitcoin

Mathinker Re:What a dumb waste of energy... (94 comments)

> Uh huh. Me and 97% of climate scientists

I'm so glad that you know what 97% of climate scientists think about bitcoin. Nice way to not actually argue on points, though, like showing that the CO2 generated by mining over the life of the bitcoin protocol will exceed the CO2 which might be saved?

about 1 month ago

TrueCrypt Website Says To Switch To BitLocker

Mathinker FreeOTFE no longer maintained, it seems (566 comments)

Wikipedia:

The FreeOTFE website is unreachable as of June 2013 and the domain name is now registered by a new owner. The program can be downloaded from a mirror at Sourceforge.

Given what we know about Big Brother nowadays, I'd say that it would be nice if we could maintain several diverse solutions to this problem. Unfortunately, it seems that there's not enough developers around to do that...

about 2 months ago

Interviews: Ask Jennifer Granick What You Will

Mathinker MaydayPAC / MayOne.US (58 comments)

What do you think about MayOne, aka MaydayPAC, Lawrence Lessig's attempt to reform US democracy (on the Federal level)? Were you surprised how quickly it reached the initial funding goal? Do you think it has a chance of actually making a significant change?

about 2 months ago

5-Year-Old Linux Kernel Bug Fixed

Mathinker Re:This is the problem with Linux Security (127 comments)

>> So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton.
>> Open sourcing their code reduces the black-box vulnerabilities well beyond that level to
>> begin with.

is the same as

> FOSS proponents extremely frequently in the past claimed that OSS was security issue free

eh?

I could analogously argue that your logical ability (which seems small), is zero. But I won't.

Small != zero, and conflating them can be a strawman argument, since it also means conflating their reciprocals.

about 2 months ago

5-Year-Old Linux Kernel Bug Fixed

Mathinker Re:This is the problem with Linux Security (127 comments)

> FOSS proponents extremely frequently in the past claimed that OSS was security issue free

Nice strawman, there.

Personally, I'd say that the only frequently claimed advantage claimed for FOSS in the past was that it was, then, so niche that no one would find it worthwhile to try to exploit. Times have changed, now. For example: Firefox, Chromium, and, I'd say, even desktop Linux isn't safe anymore according to that criterion (server Linux never was safe, since servers are such juicy targets).

about 2 months ago

5-Year-Old Linux Kernel Bug Fixed

Mathinker Re:This is the problem with Linux Security (127 comments)

> Actually, I am a security professional, working for one of the largest security companies in the industry.

Hm, let me guess. You work for Microsoft, in the team developing Microsoft Security Essentials?

about 2 months ago

London Black Cabs Threaten Chaos To Stop Uber

Mathinker Re:Buggy whips (417 comments)

Although some AC has decided to derail my attempt to get you to argue logically, I'll try again, although you don't seem to be that amenable.

1. Why isn't it a false dichotomy?

2. If electricity is 100% reliable, I assume you mean that it is 100% reliable because the laws of physics are 100% reliable. How exactly does this argument extend to make taxi drivers who have passed "The Knowledge" test 100% reliable?

about 2 months ago

Submissions

Intrusion at Fedora infrastructure, no damage done

Mathinker Mathinker writes  |  more than 3 years ago

Mathinker (909784) writes "From www.h-online.com:

The Fedora Project has confirmed that there was an intrusion into its infrastructure on the 22nd, but investigations have shown "no impact on product integrity".

The mailing list announcement (Coral Cache URL) makes one think it wasn't a very professional job; the first action which was taken by the intruder set off an email notification."

Journals

I am NOT anonymous

Mathinker Mathinker writes  |  about 3 years ago

http://yro.slashdot.org/comments.pl?sid=2319574&cid=36745572

% echo -n "I am Mathinker, my salt is UAeqTvlu" | md5sum
efb98ed34ba58ecd29b07b1909d21da3 -


No, I'm not mathinker@twitter, either

Mathinker Mathinker writes  |  more than 5 years ago

I actually use the moniker "mathinker" in very few places.


2008: Linux privilege escalation bugs

Mathinker Mathinker writes  |  more than 5 years ago

Just want to store this research somewhere where I can link to it easily. (Original post).

If one analyzes the 10 Linux privilege escalation bugs reported for 2008 at Secunia one finds:

Of those, 5 were in proprietary software packages for Linux: Acrobat Reader, MaxDB, Avaya, SSH Tectia Client, and Red Hat Enterprise Linux. Not interesting for ordinary desktop users.

Of the other 5, 1 was in KDE, so that wouldn't affect 100% of Linux users; let's be generous (the most popular free distros use Gnome) and say that's 50% of users.

Of the other 4, 1 seems to work on general Linux systems (sys_remap_file_pages() bug).

Of the other 3, 1 requires the USBLCD driver to be used or only gives group privilege escalation, 1 requires Intel G33 series or newer chipset, and 1 requires that the kernel is running as a VMI guest on an x86 system. How many boxes does that cover? Not many, except perhaps for the Intel chipsets --- let's say another 50% (because I have no idea what market share Intel has).

So that's something like 2, maybe 2.5 bugs in all of 2008. Is that "many"? Matter of opinion.

So, in summary, between 10% and 25% of the reported bugs were really mainstream.


Mathinker Mathinker writes  |  more than 8 years ago

Just in case you wondered.

I'm not studying to be a CFA either... nor am I mathinker@rareaviation.com

In fact, if a "mathinker" is trying to sell or buy from you, it's not me...
