×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Start-Up Founders On Dealing With Depression

Shoten Um.... (257 comments)

Maybe try getting professional help? Instead of asking Slashdot? Just saying.

about two weeks ago
top

Full-Disclosure Security List Suspended Indefinitely

Shoten Re:The real priority here... (162 comments)

Isn't finding out who made the threats. Where can we find the Furry porn?

Find a local LARP and ask around. They'll know.

about a month ago
top

Ask Slashdot: Easiest To Use Multi-User Map Editing?

Shoten Oh, the outrage! (52 comments)

Also, given Google's propensity for dropping features without much pretext...

They have the temerity to change the software that they provide to the world for free without asking permission from you first? God, the BALLS on those Google people!

But all that aside, given that I see some recommendations for alternate (but similar) options besides Google listed above, I have a caveat. Bear in mind that any and all software/services provided on a free basis contain two potential issues: one, the product is you...and two, they may change the nature of said software/services at their discretion without warning or so much as a requirements document from you.

about a month ago
top

Lies Programmers Tell Themselves

Shoten Mentality... (452 comments)

"I am a beautiful and unique snowflake because of the poetry of my code."

about a month ago
top

Weak Apple PRNG Threatens iOS Exploit Mitigations

Shoten Re:Seems it would be easy to gather entropy.. (143 comments)

..on a smart phone like the iPhone. Use the gyros/accelerometers, make the user draw randomly on the screen, maybe use random info like wifi network names currently available, generate random info based on images on the phone, etc. etc. Plenty of data/means available to create the entropy needed.

Easy, but not necessarily a good idea. Picture this threat case:

Attacker has iPhone they wish to compromise. Disassemble, remove gyro, replace with appropriate component (resistor, perhaps?) to generate a steady, predictable outcome. Random seed is no longer entropic, PRNG ends up following suit.

So, to counter that, you could do entropy analysis on the incoming entropy, right? Uh oh...then your iOS boot sequence consequentially develops a dependency: if the gyro doesn't function (or the phone is very still) the phone won't even boot. PLUS you've now had to build all this functionality just to query the gyro/accelerometer into your boot-level code, along with the entropy analysis. At some point, you need to back off from packing lots of stuff into what is effectively the BIOS.

The PRNG in iOS plays a major role in everything, starting with the boot chain. So it's a bit of a challenge.

about a month ago
top

Weak Apple PRNG Threatens iOS Exploit Mitigations

Shoten Re:all PRNGs are deterministic (143 comments)

So "this one is deterministic" seems like a weak complaint.

This is essentially what makes them PRNGs instead of RNGs.

True...but that's by unavoidable effect, not by intent. The intention is to be as far from deterministic as possible...you can't help but be deterministic, as evinced by the classic "living in a state of sin" quote, but you can make it difficult for another person to predict that deterministic outcome. And apparently the PRNG fails, in this case. So the real goal is for a PRNG to have a very small value for the "P", so that the RNG part is bigger. (At least that's how I would explain it to a 5-year-old or someone with a Ph.D. in something other than CS, engineering or mathematics.)

about a month ago
top

Weak Apple PRNG Threatens iOS Exploit Mitigations

Shoten Re:Why do we have all these custom PRNGs? (143 comments)

Because the PRNG is used at a very low level; as such, it is unique to the hardware platform and the OS as well. You can't code it with a high-level language, as it even affects components of the boot process itself (in the case of iOS, that is...see Dallas de Atley's talk at BlackHat 2012 for some insight into this). So, you need separate PRNGs for the A4/A5/A6 line, the ARM, x86, ia64, etc. You can't just have one code library and use it across platforms, because you're using instruction sets that are unique to the processor. And when the processor is proprietary, so will be the PRNG.

about a month ago
top

US Court Freezes Assets of Mt. Gox CEO

Shoten Re:Interesting parallel (132 comments)

It would be a delicious irony if people were able to recover some of their lost value due to government regulations.

You mean like what would have happened if they were regulated like a real bank?

Just a few months ago, when there was talk of regulating exchanges like these, there was an uproar. I didn't think that the reasons for regulatory oversight would have made themselves apparent so quickly, to be honest. Just the fact that nobody can be sure whether Mt. Gox got ripped off or ripped people off is one reason alone.

I totally get that there are benefits to a truly untraceable, anonymous currency. But to those who oppose regulation for the simple fact that it's the government getting involved, I would advise taking a look at what happened to the banking industry back in the 1920s and early 1930s before making claims that it's all bad.

about a month ago
top

Ask Slashdot: How Do I Change Tech Careers At 30?

Shoten Uh oh... (451 comments)

I like Microsoft products and would head in that direction, probably.

There goes your odds of getting much in the way of help from this crowd...

about a month ago
top

Whole Foods: America's Temple of Pseudoscience

Shoten Re:Why single out Whole Foods? (794 comments)

That may be so, and perhaps they find some other place better to shop, but my sister shops there regularly, and is gluten intolerant (celiac).

P.S.: If they DON'T have gluten free bacon, why not? I could understand it not being sugar free, as I believe most bacon is cured with sugar, but I don't see any reason that it should contain gluten, unless all their bacon is cured with soy sauce or some such. (It definitely doesn't need to be.)

P.P.S: Yes, berating the clerk over this is unjust. But perhaps the manager needs to be asked. (Politely will probably get a better response.)

That was my point...gluten-free bacon is like gluten-free aluminum foil. It's inherently gluten-free to begin with. There's no reason to ask the manager, there's just good reason to learn about what you're eating in the first place. The person was way, way past the point of seeking reasonable solutions to real problems and was out in the stratosphere of making shit up in her mind to be upset about. Unfortunately, there seem to be more and more people like this...getting aggressive in restaurants about gluten in the dishes, making a scene at grocery stores, etc...and I believe two things about them. One, relatively few of them actually have a major problem with gluten. And two, they are making a mess of things for the more sane people who *do* have a real problem with gluten. For every drama-queen gluten-attention-whore I see, I may see 2, 10, 100 well-behaved people with gluten sensitivity/intolerance/allergies but who I don't know are those people because they aren't assholes about it..so my perception becomes all about the screaming lunatic. And as often as not, when I have prolonged contact with the lunatics, I happen to notice that they love pizza and seem to suffer no ill effects from it, which adds a whole other layer to the mess.

about a month and a half ago
top

Whole Foods: America's Temple of Pseudoscience

Shoten Re:Why single out Whole Foods? (794 comments)

Go to Safeway or any other supermarket and take a look around. Or do you really think that post cereals promote heart health? Hell, it took a law suite to stop "vitamin" water from claiming health benefits from their sugar water.

Bingo.

I go to Whole Foods regularly...but I don't give a shit about whether something is "organic". The produce is better, for the most part...both in diversity and in quality. The meat...holy balls, the MEAT...it's incredibly tasty. I don't get the grass fed beef (I find it tough) but the regular stuff. Yes, it's expensive, but if you want a NY strip that's literally almost 2 inches thick and will taste better than what you can find at most restaurants, Whole Foods is the place. Oh, and yes...we are yuppie DINK scum with both foodie inclinations and the money to indulge them...and for that Whole Foods is like a playground.

On the other hand, things like sugar, aluminum foil, paper products...we get those at Giant. I don't feel like paying extra just to have my paper towels be gluten free. (Yes, that's an exaggeration, but just barely.) But that brings to mind another thing...if you're gluten-sensitive, gluten-intolerant, allergic to gluten, or just one of those assholes who thinks that gluten is like eating AIDS, Whole Foods is a much better place to look. Though it does get out of hand sometimes; I watched a woman go totally nuts at a guy in the beer and wine section (diagonally opposite from the meat section within the store) over the fact that they didn't carry (I shit you not) "gluten-free bacon." Which of course leads into the fact that Whole Foods caters to that niche for the self-entitled, of which that screaming cunt is just one excellent example.

But yeah...try their steak sometime. WOW, is it good :)

about a month and a half ago
top

California Bill Proposes Mandatory Kill-Switch On Phones and Tablets

Shoten Re:What could go wrong? (341 comments)

You are correct that cryptography is not a cure-all to all problems, however, your post goes irrevocably wrong immediately after that. HSM and TPM chips are quite secure and well established. The example problems you suggest are in no way relevant to the conversation at hand since they deal with an entirely different use case of security. As dmbasso was kind enough to point out, I am referring to the use of asymmetric cryptography to allow secure validation of a private key being held remotely. Such cryptography is used all the time (any time you use an HTTPS page) to prove the exact same thing.

The device merely has to hold the a public key for which the legitimate owner (or the vendor) has the private key. If the device is stolen and locked, it is trivial for an HSM to prevent unlock without the private key. It may be possible to circumvent the kill switch by yanking the HSM, but such an operation would likely exceed the black market cost of the majority of phones as it involves painstaking processes such as removing the silicon one layer at a time with a very carefully applied acid bath, and even then, the write once public key address space would be just as secure as any write once kill switch flag that could be implemented.

To prevent re-activation of the kill switch itself (rather than the recovery mechanism) the switch could be tied in hardware to a similar challenge response against a private key held in the device's HSM. To "kill" the device, this private key would be wiped, preventing the device from starting. To re-initialize it, the private device key would be restored by looking for a key signed by the owner's private key.

This is a simple to implement and highly secure system that would be cost prohibitive to work around and also could use available, near off the shelf components to implement.

Do you have any idea how profoundly ungainly this is? First of all, you're talking about a set of keys that is over a thousand times that of all the SSL key pairs in existence.

Then...who issues the keys, and how do you secure them? (Exhibit 1: problems with forged certs from insecure CAs)

How do you revoke that authority if necessary? (Exhibit 2: problems discovered by the military as they contemplated DNS servers running DNSSEC in combat zones where they could be overrun and captured).

How do you know which kill switch cert goes with which device? (Exhibit 3: AMI meter deployment problems where the meters were mis-deployed, causing incorrect billing attribution)

Finally: How much will this cost...to stand up an unprecedentedly large PKI infrastructure, the governance around who would own/manage it, to license the tech (patents abound with TPM) and to incorporate it.

Look into the NISTIR 7628 guidance from NIST and you will get a brief glimpse into the horrors of incorporating PKI into a group of devices that numbers tens of millions. It's not simple. For further info, look up the comments by Annabelle Lee on the topic.

about 2 months ago
top

California Bill Proposes Mandatory Kill-Switch On Phones and Tablets

Shoten Re:What could go wrong? (341 comments)

I have less of a problem if they make it a kill switch that can be cryptographically turned off by the manufacturer after verifying the purchaser or even with some kind of a special key that you get with the purchase and keep at home. It should also be something that can be turned off by the end user.

If you can ensure that it can be reverted securely when triggered and can be prevented from triggering by the legit user (possibly using the same mechanism as unlocking a locked device) then I don't see a problem with it, but without those two caveats, there are so, so many thing that could go wrong.

I love this..."crypto," the magic "c" word that makes everything secure just by talking about it. In reality, it's not quite that simple. Authentication in Windows, for example, works like what you just described...and yet look at the flaws in NTLM and NTLMv2 authentication that turned up. That covers over a decade of time, before MS adopted Kerberos. Then, to that, add all the vulnerabilities in the software that governs authentication...I've lost track of how many times LSASS has been patched.

And yes, I hear it now...the retort: "But that's Microsoft! They suck at security!" Maybe, maybe not, but the fact that they also dominate the desktop space should be a warning that you have to consider: functionality to be placed in ubiquitous consumer devices may not have the world's best security controlling them. And that is just a simple empirical fact as demonstrated by the recent past and current reality.

about 2 months ago
top

Is Verizon Already Slowing Netflix Down?

Shoten Re:Your task: explain how Net Neutrality stops thi (298 comments)

The only thing competition does is to create monopolies, since the whole point of competition is to eliminate competitors.

"This word you keep using...I do not think it means what you think it means" -Inigo Montoya

Competition does not lead to monopolies. Competition and monopoly are literally antonyms; they are the opposite of one another. So let me ask you this...if not competition, what would you propose to prevent a monopoly?

about 2 months ago
top

HP To Charge For Service Packs and Firmware For Out-of-Warranty Customers

Shoten Re:Well if HP didn't already have a terrible rep.. (385 comments)

... they sure as hell will now.

I'm not an IT person, but weren't there a few companies that tried this crap wwaayy back when? I seem to remember them all failing miserably.

Actually and unfortunately, most hardware manufacturing companies do this. Cisco does this, for example. Software companies are less likely to do it, but a lot of them do it as well. When I look at my clients and tick off the list of vendors that are in their environments, only Microsoft and Oracle seem to provide access to updates for free.

about 2 months ago
top

Federal Agency Data-Mining Hundreds of Millions of Credit Card Accounts

Shoten Oy. (264 comments)

Everyone seems to be ignoring the most important thing: WHY. The CFPB is a fairly new and rather aggressive consumer protection agency. They are seeking patterns of abuse by the credit industry, particularly around the practice of deliberately depressing FICO scores for a band of consumers with less-than-stellar credit risk but also not-the-end-of-the-world credit risk. This group is also known as the middle class. To do this, statistical information is needed about the FICO scores and credit history of the lower, middle, and upper class. How else will they be able to discern, describe and prove such a thing?

Stop falling for the PR plant, everyone.

about 3 months ago
top

Red Team, Blue Team: the Only Woman On the Team

Shoten Re:The company may be part of the problem... (247 comments)

This was like someone going to a Hindu place of worship and trying to serve prime rib. Would you be impressed?

I would be impressed, and even more so f they pulled if off. Hindus aren't so ignorant to demand everyone else believe their beliefs, or live their life styles. You are more likely Steakhouses in India than Bacon in Saudi Arabia.

Uh...wow, are you ignorant. Go to India sometime and then tell me how likely you are to see a steakhouse in a Hindu temple. What a dumbass.

about 3 months ago
top

Red Team, Blue Team: the Only Woman On the Team

Shoten Re:The company may be part of the problem... (247 comments)

Where were you really going with this ramble?

Tech/computer specialists isn't something that is field specific. Any well rounded programmer/engineer can move from industry to industry with relative ease, in fact its pretty much a job requirement to be able to get in, get up to speed, and get productive. Its what we do.

Are Database Administrators some how different in hospitals than in power plants?

For any given sub-discipline, the job is largely the same everywhere.

When it comes to a predefined solution for compliance, portability is a major problem. You're confusing people with offerings. A chef can move between a steak house and a vegetarian restaurant with only minor training; the menu, however, cannot. This was like someone going to a Hindu place of worship and trying to serve prime rib. Would you be impressed?

about 3 months ago
top

Red Team, Blue Team: the Only Woman On the Team

Shoten The company may be part of the problem... (247 comments)

SecureState...ah, those guys. They don't seem to quite "get it." For example, they were hyping their services, in terms of benefits towards HIPAA compliance...on a LinkedIn group that was explicitly and specifically focused (and named) on NERC compliance. HIPAA is health care, NERC is power grid. Not only totally different compliance regimes, but totally different industries as well. And the regulations don't even share much commonality: HIPAA puts the main focus on privacy while NERC doesn't even mention the word (or any synonym of the word). But everyone's career has a few "stepping stone" jobs, and it can be a golden opportunity to be the smart one among a field of twits.

about 3 months ago

Submissions

top

Cost and Build Problems with Death Star Project

Shoten Shoten writes  |  about a year ago

Shoten (260439) writes "Foreign Policy magazine has a fascinating analogy for real-world timeline and cost overruns on military projects. Apparently, the IGAO (Imperial Government Accountability Office) has run a review of the project to build the Death Star, finding multiple issues. At the top of the list? "Frequent Turnover in Senior Personnel Hampers Continuity," with a recommendation to stop using strangulation as a management tactic. Design flaws relating to reactor shielding and anti-fighter defenses are also cited."

Journals

Shoten has no journal entries.

Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...