
Comments


Linux Distributions Storing Wi-Fi Passwords In Plain Text

SteveAyre netctl doesn't encrypt it either (341 comments)

That 'encrypted' key is no such thing. The passphrase you enter is used as input to a key-derivation algorithm. The value stored by netctl is the output of that algorithm. The interesting thing is that you can use that passphrase *as* the password too. So netctl is no more secure than NetworkManager storing it in a file on disk. The only thing it protects is someone knowing that the passphrase is BatteryHorseStaple - it doesn't protect your network at all.

The configuration file's permissions are sufficient to hide it from other users but not from physical access, as TFA notes you can encrypt your disk to protect that.

Or use a keyring, which NetworkManager does support. That will store it truly encrypted. The configuration files are just a simple fallback mechanism for when that isn't available.

about a year ago

Beer Fridge Caught Interfering With Cellular Network

SteveAyre Re:How (231 comments)

In new-from-the-factory and FCC/equivalent-approved condition, sure. But if it's faulty it might continue to function while internally having developed an internal electrical fault that's causing the noise.

It wouldn't be the first time something like this has happened either:
http://news.bbc.co.uk/2/hi/uk_news/england/beds/bucks/herts/8327549.stm

about a year and a half ago

Video Purports To Show Successful Hover Bike Test Flights

SteveAyre Re:Oh! Look! (112 comments)

"but the power:weight ratio and range just wasn't there with 50s engine technology"

Yep, modern batteries should give the required energy storage capacity while electric motors give much better power/torque at very very low weight. Plus the lightweight materials to build the chassis which just didn't exist before the space race and have only improved since then.

In the 50s I imagine the batteries meant an electric motor was just impossible without tethering you to the mains, so it required an internal combustion engine which naturally means very heavy motor and very heavy fuel.

more than 2 years ago

Insurer Measures Driver Safety With Smartphone App To Calculate Premiums

SteveAyre Re:Begging to be gamed (345 comments)

Aviva developed a Pay As You Go insurance system several years ago now.
http://www.aviva.co.uk/media-centre/story/2840/norwich-union-launches-innovative-pay-as%20you-drive/

We studied it as part of a project during my CompSci course about the time it was launched.

Essentially you agree that they put a GPS tracker in your car. It monitors your speed/acceleration/braking/etc (just like the app). You then only pay insurance for when you are driving, and the price is affected by how well you drive. It's been around for some time now. It's fixed to your car, and if you remove it from your car so they don't see your bad driving you're illegally driving without insurance.

All the phone app is is a free trial of that type of insurance - far cheaper to give them an app than send them a tracker. If you were to actually buy their insurance there's no way they'd let you keep using the phone app for it. Too much chance of forgetting the phone or battery dying, let alone any 'gaming'.

more than 2 years ago

MemSQL Makers Say They've Created the Fastest Database On the Planet

SteveAyre Re:Ya Don't Say! (377 comments)

All recent versions of NDB can store data on disk too. RAM-only is a very old (5.0) requirement.

NDB's real advantage doesn't come from being in memory (if you have enough RAM you can get a massive speedup on standard MySQL by setting large enough buffers to keep a cache of most of or the entire database in memory).

It comes instead from auto-sharding, spreading data out over multiple nodes and having multiple servers transparently searching data for you at the same time so that your query runs much faster than just one server could manage. And you can easily add more nodes as your load increases so the system nicely scales up, even on writes.

more than 2 years ago

MariaDB and MySQL Authentication Bypass Exploit

SteveAyre Re:Could have told us what it is (73 comments)

Yes, it's exactly that. They assumed memcmp returned a value in the range -128..127 - so they've assumed a char was sufficient. And many implementations do indeed return that, but unfortunately not all.

http://seclists.org/oss-sec/2012/q2/493:

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

more than 2 years ago

MariaDB and MySQL Authentication Bypass Exploit

SteveAyre Re:Could have told us what it is (73 comments)

this sounds like something a ten-year-old would have found after fifteen minutes of penetration testing.

What stopped them finding it is it depends on what memcmp version is being used. GCC builtin ones aren't affected, neither are BSD libc. glibc's is though. Which you use all depends on how it was compiled and it appears the official vendor ones from mysql.com aren't affected. My own systems also aren't, which appears to be because they're using the GCC builtin version.

Penetration testing'll only find it on the affected versions, if the official mysql.com versions aren't affected then their testing wouldn't have found it because the bug didn't exist on their systems. And since that'll apparently be most of the installed versions out there, it's not going to be something that's been found on many versions in the wild either.

more than 2 years ago

MariaDB and MySQL Authentication Bypass Exploit

SteveAyre Re:holy motherfucking cheetah (73 comments)

They say you can get in by making 300 connection attempts, which can be done within a fraction of a second. Which is true.

They don't say that you have to do it within a fraction of a second.

The memcmp function has a 1/256 chance of returning the required value that makes it treat any password as the correct password - there's no link between the connection attempts, each time you try to connect you have the same 1/256 chance. You could space the attempts out over several minutes, hours or days if you wanted to - it'd just slow down the time it'd take you to get in (and make it more likely they've patched their systems before you get in).

Practically, this is slightly less newsworthy than it sounds. Yes the bug exists and yes it's serious, but it also depends on which memcmp version you're using on whether you're actually affected. The gcc builtin ones aren't affected or the libc ones, the glibc one is. That means whether it's exploitable depends on how your server was compiled. And it appears that the official versions from mysql.com aren't affected, and testing my debian systems today neither are they (but they're nicely firewalled anyway, just in case). Source: http://seclists.org/oss-sec/2012/q2/493

more than 2 years ago
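The three comments above on this bug (the quoted oss-sec note about memcmp() returning values outside -128..127, the remark that the gcc builtin and BSD versions are safe, and the roughly 1-in-256 figure) describe a narrowing conversion: an int from memcmp() returned through MySQL's my_bool, which was a plain C char. As an added example, not MySQL's or MariaDB's source, the following models that in Python. The narrowing is done with ctypes.c_byte, which wraps exactly like a two's-complement char; the two memcmp stand-ins are constructed for the demo (a byte-at-a-time one and a word-at-a-time one whose result magnitude can exceed 255), and all function names are assumptions.

```python
import ctypes

SHA1_HASH_SIZE = 20  # size of the scramble hash being compared


def byte_memcmp(a: bytes, b: bytes) -> int:
    """Byte-at-a-time memcmp(): returns the difference of the first mismatching
    bytes, so the result is always within -255..255. A non-zero value in that
    range is never a multiple of 256, which is why this shape is 'safe'."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return len(a) - len(b)


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Stand-in for an optimised memcmp() that compares 16 bits at a time and
    returns the difference of the first mismatching big-endian 16-bit word.
    The sign is correct, so it is a perfectly valid memcmp(), but the magnitude
    can be anything up to 65535. Constructed for this demo, not glibc's code."""
    n = min(len(a), len(b))
    for i in range(0, n - 1, 2):
        x = (a[i] << 8) | a[i + 1]
        y = (b[i] << 8) | b[i + 1]
        if x != y:
            return x - y
    if n % 2 and a[n - 1] != b[n - 1]:
        return a[n - 1] - b[n - 1]
    return len(a) - len(b)


def to_my_bool(value: int) -> int:
    """MySQL's my_bool was a C char; returning an int through it keeps only the
    low 8 bits (two's-complement wrap, as gcc does). c_byte does the same."""
    return ctypes.c_byte(value).value


def check_scramble_vulnerable(expected: bytes, got: bytes, memcmp) -> int:
    """Shape of the pre-fix check: memcmp()'s int goes straight out via my_bool,
    so any non-zero result that is a multiple of 256 becomes 0, i.e. 'match'."""
    return to_my_bool(memcmp(expected, got))


def check_scramble_fixed(expected: bytes, got: bytes, memcmp) -> int:
    """Fixed shape: collapse the result to 0/1 *before* the narrowing
    conversion, so no memcmp() implementation can turn a mismatch into 0."""
    return to_my_bool(int(memcmp(expected, got) != 0))


def count_false_accepts(check, memcmp) -> int:
    """Try every one of the 65535 ways the first 16-bit word of a wrong hash can
    differ from the right one (all other bytes equal) and count how many the
    check accepts as a match. 0 is the only acceptable answer."""
    expected = bytes(SHA1_HASH_SIZE)
    accepted = 0
    for w in range(1, 65536):
        got = bytes([w >> 8, w & 0xFF]) + bytes(SHA1_HASH_SIZE - 2)
        if check(expected, got, memcmp) == 0:
            accepted += 1
    return accepted


if __name__ == "__main__":
    for name, mc in (("byte_memcmp", byte_memcmp), ("wide_memcmp", wide_memcmp)):
        print(name, "vulnerable check accepts:",
              count_false_accepts(check_scramble_vulnerable, mc),
              "fixed check accepts:",
              count_false_accepts(check_scramble_fixed, mc))
```

With the byte-at-a-time memcmp() the old check never misfires; with the word-at-a-time one it accepts 255 of the 65535 wrong first words (every difference that is a multiple of 256), about 1 in 257, which matches the 1-in-256 order of magnitude in the comments, while the fixed check accepts none with either implementation.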

iPhone 4S Pre-Orders Sell Out

SteveAyre Re:Perhaps to one's surprise? (327 comments)

To be honest, the spec is a large jump in CPU, memory and graphics power. The camera's much better, it's double the download/upload speed and Siri is quite a significant new feature.

The only problem is it's labelled as 4S not 5, when everyone was expecting it to be a 5. That makes them feel it's an updated phone when actually it is a significant update. If they'd just launched it as the iPhone5 no-one would have been describing it as a let-down. Well, except anyone complaining that it still looked the same.

more than 3 years ago

iPhone 4S Pre-Orders Sell Out

SteveAyre Re:Perhaps to one's surprise? (327 comments)

Possibly. It has 2 antennas and switches between whichever has the best signal... that might be enough so that if the death grip is blocking signal to one, the other will still be working fine.

Of course they've not advertised it as such a fix, because they've never admitted there's been that problem (at least no more so than any other phone). Just said that it "improves signal strength".

more than 3 years ago

Storing Hydrogen At Room Temperature

SteveAyre Re:Importance of Hydrogen (152 comments)

And of course now they're still around, using helium which is far safer. It's only the speed that's made planes the preferred option.

more than 3 years ago

Verizon Sues FCC Over Net Neutrality Rules

SteveAyre Re:Verizon is correct (275 comments)

And from U.S.C. 47 S151...
For the purpose of regulating interstate and foreign commerce in communication by wire and radio so as to make available

more than 2 years ago

Verizon Sues FCC Over Net Neutrality Rules

SteveAyre Re:Verizon is correct (275 comments)

The FCC has authority over the public EM spectrum (as given to them by Congress) such as radio. They have no authority over private cables owned by private companies purchased by private homeowners. Nor do they have authority to censor content on the private cables.

Actually, their current charter is to "make available so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex, rapid, efficient, Nation-wide, and world-wide wire and radio communication services with adequate facilities at reasonable charges."

So yes, it is within their jurisdiction.

more than 2 years ago

Cracking Passwords With Amazon EC2 GPU Instances

SteveAyre Re:Yes, SHA1 security is questionable.. (217 comments)

Not true... with salted encrypted passwords you're trying to find a password that the application will think is the correct one. It concatenates the salt with the password and checks whether the hashes match (simplified explanation, but that is what many implementations such as crypt do). That means you're trying to find a collision where the salt is at the start of the input that causes the collision. That's a small subset of the inputs that generate the same hash so it does make finding collisions harder.

more than 4 years ago
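The comment above describes the salt-prefix construction the application checks against. As an added example (not crypt(3)'s or any library's code; the storage format and function names are assumptions for illustration), the following implements a toy SHA1(salt || password) scheme and shows the practical consequence the comment is getting at: a table precomputed over plain SHA1(password) never matches a salted digest, and the guessing work has to be repeated with each user's salt prefixed.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Toy crypt-style scheme: digest = SHA1(salt || password), stored as
    'salthex$digesthex'. Mechanism illustration only; a real system should use
    a slow, memory-hard KDF rather than one SHA1 round."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "%s$%s" % (salt.hex(), digest)


def verify(stored: str, candidate: str) -> bool:
    """What the application does at login: prepend the *stored* salt to the
    candidate and compare digests in constant time."""
    salt_hex, digest = stored.split("$", 1)
    calc = hashlib.sha1(bytes.fromhex(salt_hex) + candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(calc, digest)


def unsalted_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputed SHA1(password) -> password table: the thing a GPU farm or a
    rainbow table hands an attacker ahead of time."""
    return {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def crack_with_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Look the stored digest up in the precomputed table. Fails for salted
    digests: the table was built over inputs that do not start with this salt."""
    return table.get(stored.split("$", 1)[1])


def crack_per_salt(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The attacker's real cost: every guess must be re-hashed with this user's
    salt prefixed, so precomputation cannot be shared across users or salts."""
    for w in wordlist:
        if verify(stored, w):
            return w
    return None


if __name__ == "__main__":
    words = ["123456", "letmein", "hunter2"]          # constructed wordlist
    stored = hash_password("letmein")
    print("stored:", stored)
    print("table lookup:", crack_with_table(stored, unsalted_table(words)))
    print("per-salt guessing:", crack_per_salt(stored, words))
```

The table lookup returns None while the per-salt search recovers the password only after redoing the hashing with that salt; with a fast hash like SHA1 that per-user rerun is still cheap on a GPU, which is why salting alone is not a substitute for a slow KDF.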

Facebook Knows When You'll Get Dumped

SteveAyre Context (474 comments)

The guy's completely ignored context though.

What about school/college university terms breaking up? They all break up for spring break and christmas.

I expect more people round those times were blogging things like 'I can't wait until we break up for christmas' than were saying they were dumped. Which makes the entire chart meaningless.

more than 4 years ago

Computer Scientists Scour Your Holiday Photos

SteveAyre Re:Where pictures are taken (156 comments)

So it's actually less accurate than if it just guessed? :)

more than 6 years ago

Submissions


UK's first public hydrogen refilling station opens

SteveAyre writes | more than 3 years ago

SteveAyre (209812) writes "The UK's first public refuelling station for hydrogen fuel cell cars has been opened in Swindon, England. Hydrogen cars are much cleaner than conventional cars, producing only water vapour from combining the hydrogen fuel with oxygen from the air to produce electricity to drive the electric motor. The project is sponsored by Honda and hopes to set up a chain of stations to create a "hydrogen highway" along the M4 motorway that connects London and south Wales."

Journals

SteveAyre has no journal entries.
