Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Next Android To Enable Local Encryption By Default Too, Says Google

WaffleMonster Re:Really? (126 comments)

Since you're in the security team, could you comment on why Android requires you to set up some sort of lock security just in order to have a VPN configured (even if it's not in use)?

You know what makes even less sense than forcing people to use lock screens even if not saving VPN access credentials?

Having infrastructure with keychain and all of that in place and then not using it in browser and Android email client to secure stored credentials.

Even worse email client cannot be configured to prompt for passwords when checking/sending mail... you *have* to store your password.

3 days ago
top

Next Android To Enable Local Encryption By Default Too, Says Google

WaffleMonster Re:Encryption (126 comments)

But, please, what makes you think that Apple, or even Samsung, aren't doing exactly the same?

I assume they are.

Apple can install stuff on your device when it feels like it. In fact, you have even less control over an Apple devices and its whims.

What does apple have to do with TFA? For the record Apple's actions ignoring factual inaccuracies in your comments are also inexcusable as are Microsofts...etc. It doesn't matter who's doing it.

So, your concern is really about modern devices, not anything to do with the meat of the story - encryption

Pointing out encryption is meaningless when you don't have control over your own devices is relevant.

P.S. With Android, you can see the source, and build from clean source, without any Google services whatsoever if you want. People have done it for you. Almost every big-selling Android phone is supported. You can get root access and check everything you like. And then encryption really means something.

Great for the technically inclined, not so great for everyone else.

3 days ago
top

Next Android To Enable Local Encryption By Default Too, Says Google

WaffleMonster Encryption (126 comments)

Just so that I understand google play can install shit on your device when it feels like, google reads all of your email, google further nerfs intentionally nerfed permissions system and just about everything by volume in the app store is spyware designed to sell YOU to the highest bidder.

Relax folks your device is "encrypted" ...LOL..

4 days ago
top

Slashdot Asks: What's In Your Home Datacenter?

WaffleMonster But what does it do? (283 comments)

What does this "datacenter" in TFA actually do? From youtube videos they pointed to some servers with labels like "push email" ... the whole rack of SGI's? Spammers?!??

Another section of Apache/MySQL "cluster" and DNS servers with only a 60mbit link...

They have a list of websites hosted on the "datacenter" but this appears to be mostly run of the mill basic business fronts/web presence.

Notice the light patterns on the switch ports all of the activity at time of filming appears to be dominated by broadcast.

What does it all do?

4 days ago
top

Why Is It Taking So Long To Secure Internet Routing?

WaffleMonster Re:trust (85 comments)

An untrusted central authority is better than no security.

Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams and maintenance of physical links with rational actors whom you trust to act professionally is worth more than central authorities.

about a week ago
top

SanDisk Releases 512GB SD Card

WaffleMonster Micro SD (210 comments)

SanDisk if you are reading this please make a 512GB Micro SD... thanks!!

about two weeks ago
top

Book Review: Architecting the Cloud

WaffleMonster Re:Yea no... (75 comments)

That's a *very* strong assertion. In fact, it seems like the sort of thing that the courts would stop, hard. It's essentially extortion. It's absolutely the sort of thing that would send customers screaming... and discouraging everyone around them. I find it hard to believe that any reputable cloud service provider would dare risk their business by doing something like that.

Lost track of number of people who have called in with issues trying to extract data from various providers.

Either they claim they can't do it, provider cut them off and they are screwed or provider feels it necessary to charge a massive fee to extract customers data. Another fine twist is allowing access to data but not in a way it could practically be extracted.

Guessing some of these are cases of you owe us money and we're leveraging whatever we can to force you to pay yet some have specifically mentioned rate hikes and cumulative costs as reason for decision to bail.

You can parse this out till your blue in the face draw whatever lines and labels you think demarcate acceptable behavior from extortion.

Bottom line if you don't insist on full and meaningful access to full datasets your essentially begging the provider to take advantage of you. Expecting they would not seek to maximally leverage their position is not a serious option.

about two weeks ago
top

UCLA, CIsco & More Launch Consortium To Replace TCP/IP

WaffleMonster Re: Not a chance (254 comments)

Ehmm. No. TCP is quite special in being byte-oriented. SCTP is message oriented.

By definition a stream is a stream is a stream. Being a stream means you are bound by limits of what you are...a stream. It matters not matter what protocol the stream is implemented over.

A TCP session is HOL'd no different than any individual stream within a given SCTP session.

The only difference is 1:1 correspondence between TCP session and data stream.
This is compared with 1:Many between SCTP session and multiple streams within.

While separate SCTP streams can not HOL each other each individual stream is HOL'd.

about two weeks ago
top

Why Google Is Pushing For a Web Free of SHA-1

WaffleMonster Re:https://www.google.com using SHA-1 (108 comments)

True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

I only read Google's announcement and did not follow every link from others before posting.

Hearing this only makes things worse... If Google themselves is not getting their act together until 2016 and concurrently the following is true:

"Chrome 39 (Branch point 26 September 2014)
Sites with end-entity (âoeleafâ) certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as âoesecure, but with minor errorsâ.

It is hard to imagine a situation whereby you can avoid everything appearing broken in much the same way everything is known to the state of California to cause cancer.

In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time â" and they don't need to.

What is the point of this?I don't understand the logic here.. how/who does this help?

Google's cert would be useless as the attacker does not have google's private key and path restrictions of preceding prior trust path makes it useless to repurpose as an intermediary.

Nobody is going to waste their time going after one companies SSL cert they are going to go after any vulnerable trust chain and fuck EVERYONE including Google regardless of how often they change their certs.

about two weeks ago
top

Why Google Is Pushing For a Web Free of SHA-1

WaffleMonster Re:Deprecation shouldn't start at the browser (108 comments)

Root cert sigs are meaningless, they're self-signatures. They could be zeroed out and most trustdbs probably wouldn't care.

Yes this is true but it doesn't matter.

Cross signing / alternate certification paths can lead to one mans root becoming another's intermediary.

Intermediaries have the same problem with 10+ year validity periods.

about two weeks ago
top

Why Google Is Pushing For a Web Free of SHA-1

WaffleMonster More information = less security (108 comments)

When you add decision points about issues the average user has no practical basis for making an informed determination you just make matters worse by adding confusion and uncertainty able to be leveraged by adversaries.

Now instead of secure and not secure.. ideally working and not working... we are hurling FUD and technobabble at users whose day job is NOT technology.

Who am I trying to kid.. .f@#uck...it...ya'll just need more reassuring padlock .gifs to adorn your secure sites.

about two weeks ago
top

Why Google Is Pushing For a Web Free of SHA-1

WaffleMonster Re:Deprecation shouldn't start at the browser (108 comments)

It should start at the certificate authorities. They should've been planning for sha-1 to be unsupported by x date, and not issuing certificates valid past that date.

Certificate authorities roots also use SHA1 and typically carry validity periods of decades.

about two weeks ago
top

Why Google Is Pushing For a Web Free of SHA-1

WaffleMonster https://www.google.com using SHA-1 (108 comments)

Amazing www.google.com and every single link in its trust chain is using SHA-1 signature algorithm.

about two weeks ago
top

AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

WaffleMonster Re:Seriously? (533 comments)

Tell that to my 10 megaBYTE per second downstream that still has trouble with YouTube sometimes. 4Mbps would be unusably slow on the modern internet, unless you turned off all media, and adblocked everything. Hell, 10Mbps would still feel like drowning in quicksand to me, even for basic web browsing...and I doubt I'm alone.

I can see consumers thinking to themselves hey my 10mbit connection is slow.. websites take a long time to load and shit is always buffering. If only I upgrade to 100mbit it will be faster.. 10x faster...even!!

Perhaps some of the same consumers with Satellite TV service are lining up at bestbuy for their new 4k TVs .. 4x more pixels 4x less macro blocking!!!!!1!!!

about two weeks ago
top

AT&T Says 10Mbps Is Too Fast For "Broadband," 4Mbps Is Enough

WaffleMonster The FCC is not self-consistant (533 comments)

If your an ISP filing FCC form 477 broadband **CURRENTLY** means the following:

Broadband Connection: A wired line or wireless channel that terminates at an end-user location
and enables the end user to receive information from and/or send information to the Internet at
information transfer rates exceeding 200 kbps in at least one direction.

While I don't have much of an opinion about definitions... 4Mbps vs 10Mbps there needs to be consistency throughout. The FCC should not get to pick and chose what broadband means based on where in law/rules the term is used.

about two weeks ago
top

3 Recent Flights Make Unscheduled Landings, After Disputes Over Knee Room

WaffleMonster Something special in the air (819 comments)

Which of these is worse?

Freakouts over minor incidents necessitating changing course. Apparently common sense has been brutally slaughtered by terrorists and bureaucratic CYA.

Seeing a profit in pissing off or otherwise making your customers as uncomfortable as possible. How much does it cost per plane to rearrange all those seats again when one of the airlines starts running ads comparing legroom?

about two weeks ago
top

UCLA, CIsco & More Launch Consortium To Replace TCP/IP

WaffleMonster Re: Not a chance (254 comments)

*waves magic wand*

Well that didn't work...

TLS/SCTP is the application that no one knows that they need.

Fast open is already shipping in current Linux kernels and you can do the same thing with TLS see RFC5077.

about two weeks ago
top

UCLA, CIsco & More Launch Consortium To Replace TCP/IP

WaffleMonster Re:SMTP (254 comments)

Personally, I think XMPP has the problem solved well enough. Their general architecture is superior to email in terms of verifying that you really know where a message came from, so if you receive spam from user@example.com,

XMPP is embarrassingly similar to email it only seems less spammy because nobody uses it.

...and because each server knows the contact list of its users, it has a good clue about whether that message is spam even before doing any content analysis

Reputation analysis by more voodoo algorithms which assume server is big enough to develop any meaningful clue and not misinterpret results. I'm sick of algorithms... email at the very least used to be reliable...now it is anyone's guess whether a message will be silently dropped for no human understandable reason.

because there's no culture of "spam is an unavoidable problem" in XMPP, nor is there even a culture of "bulk messaging must be allowed" and so no one can even claim ignorance about what their users are doing.

More like a culture of denial. XMPP does NOT meaningfully address spam in any way that matters.

but for now it seems the spammers don't even care about XMPP, probably because email isn't just low-hanging fruit, it's fruit that has fallen from the tree and has been rotting on the ground for years.

Keep on dreamin... they don't care cuz no ones home.

about three weeks ago
top

UCLA, CIsco & More Launch Consortium To Replace TCP/IP

WaffleMonster Re: Not a chance (254 comments)

The advantage of SCTP is that it is not a retarded implementation of go back N.

SCTP has all the same limitations as TCP at the SCTP stream level.

Which means it can operate efficiently at high speeds on unreliable networks. Also the channels could be easily and automatically used with HTTP to replace the inefficient pipelining. With TCP something like SPDY had to reimplement channels on a higher level.

This is semantically identical to opening multiple TCP sessions - one for each stream. If you were to lower round trip cost of subsequent session setup in TCP to zero (e.g. fast open extensions) then you essentially have the useful advantage of SCTP without SCTP.

The only benefit SCTP has is multipath failover baked in and you can't even use the extra paths concurrently it only exists as a contingency.

about three weeks ago
top

UCLA, CIsco & More Launch Consortium To Replace TCP/IP

WaffleMonster Re:Not a chance (254 comments)

Your statement as shown can be applied to the internal combustion engine, or any other technology. Rejecting any change out of hand without consideration is incredibly sad

There are only so many hours in a day... ignoring/rejecting silliness out of ignorance is often a practical necessity.

Yes it's important to take everything with a grain of salt, but everything should be at least considered.

"Everything" ...sort of...includes magic unicorns and assorted demon things observed while trip-pin' on mushr00ms...

See also trusted Internets, motor/generator free energy machines and application of ternary logic to prevent IPv4 exhaustion.

It only takes one successful change to have a dramatic impact and improve the lives of many.

Well paying out that $25k to play is sure to improve the life of someone.

about three weeks ago

Submissions

WaffleMonster hasn't submitted any stories.

Journals

WaffleMonster has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>