Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

The Physics of Why Cold Fusion Isn't Real

WaffleMonster Re:Why Cold Fusion (or something like it) Is Real (342 comments)

you should read what you link: Current techniques for creating large numbers of muons require large amounts of energy, larger than the amounts produced by the catalyzed nuclear fusion reactions.

What do you suppose the word "catalyzed" means in the context of muon catalyzed fusion?

4 hours ago
top

China Staging a Nationwide Attack On iCloud and Microsoft Accounts

WaffleMonster Re:Popular US browsers will warm, Chinese ones won (81 comments)

The ones that use SMS dont prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.

I don't know why I'm stating the obvious... SMS is not a trustworthy communications channel especially when your adversary is your government.

2 factor auth is not supposed to prevent a MITM BTW.

Haha ha ha ha funniest thing I've heard all day.

A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.

This is why real systems cryptographically bind both factors.

4 hours ago
top

In UK, Internet Trolls Could Face Two Years In Jail

WaffleMonster Trolls poised to take over the world (472 comments)

When you think about it most of the "mainstream" media is based on trolling. More subtle than "Your mom .... last night ... with ... and ... and ... " yet just the same they deliberately and persistently push the audiences buttons and willfully mislead to attract attention and ever larger audiences.

The online media is much more aggressive in this regard routinely offering structures granting massive audiences to random people visiting their site.. This is a bit like keeping a stack of 100's in an unlocked car in a Wallmart parking lot overnight and being surprised when it turns up missing the next day.

If trolling is an epidemic it only got that way because Trolls have been well fed in environments where the objective function is maximizing advertising profits to the detriment of decency and integrity.

While I can't bring myself to defend threats of injury or death as free speech... this is a worlds away from Malicious Communications Act's "indecent or grossly offensive or information which is false and known or believed to be false by the sender" insanity.

I find it breathtaking TFA would focus almost entirely on rape threats while largely remaining silent on the really insane aspects of this law.

Where is that sensational article titled "Telling a fib will get you two years in jail?" ...

yesterday
top

Python-LMDB In a High-Performance Environment

WaffleMonster Re:Wikipedia article deleted (98 comments)

If Wikipedia was a person I would smack it upside the head for shit like this. There is absolutely no reason not to have an article on LMDB, and deleting a perfectly good article for no reason is evidence of a mental disorder. It's not like they have to spend an extra penny for a piece of paper to hold the article, possibly making the book too thick. Wake up.

Speaking only from personal experience
there seems to be a disconnect between what people actually derive value from and rules + perhaps original intent of Wikipedia.

We seem to be stuck in a situation where lack of enforcement itself is supporting quite a bit of value and interest in the site... A situation ripe for leverage by personal whims and selfish persuasion.

I don't think there are any easy answers yet the rampant deletions are particularly annoying and unhelpful to me as a user of Wikipedia.

3 days ago
top

Drupal Fixes Highly Critical SQL Injection Flaw

WaffleMonster Re:It's not that hard to do it right (53 comments)

Sealing against SQL injection isn't that hard. Don't ever write:

select * from table where id = $id

Does anyone have a better way to build up queries?

The forbidden example above looks to be the easiest and most readable of all the variants you have provided...

SQL context aware eval() routines with safe default marshaling assumptions are relatively trivial to write.

Much better to give people what they want rather than forcing them to use parameterized semantics where not ideal. If web platforms did this from the beginning CVE databases would be much lighter than they have become.

5 days ago
top

Eggcyte is Making a Pocket-Sized Personal Web Server (Video)

WaffleMonster Re:Web Server? (94 comments)

You did read the TOS of your ISP provider, right? Some don't allow any server at all (email, Web, etc) on your home connection.

Who cares what it says?

5 days ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

Disabling SSLv3 does nothing for future attacks; but the other measures we are putting in place will.

The problem is non standards complaint behavior of web browsers willfully subverting downgrade attack prevention features baked into SSL/TLS standards.

The downgrade SCSV will let a server detect a downgrade attack, or incorrect version fallback.

This requires both servers and clients to support it and associated propagation throughout the worlds server and client stacks to be at all effective. SCSV is not even an RFC.

Why leave people exposed in this manner? What good is TLS 1.2 deployment and fancy new AHEAD ciphers when any yahoo can come along and force affected browsers to TLS v1... What is the compatibility based reason for continuing this behavior when SSL v3 is being disabled in new browsers anyway? Please name names.

As with many things, there is a balance to be struck. Disabling SSLv3 a year ago would have affected a lot of sites, including major commerce and banking sites, and it's not always an easy fix with aging infrastructure and long supply chains for equipment.

What balance? What are the tradeoffs? Nobody seems to know. What is on the other side of the ledger to serve as a counterweight to allowing downgrade attacks to persist in 2014 and why does everyone need to bear that risk by DEFAULT?

5 days ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:POP/IMAP/SMTP? (68 comments)

Yes, if your client falls back to SSLv3.

Please don't confuse browser "dancing" behavior with SSL version negotiation. Clients and servers can support both SSL v3 and TLS 1.2 without danger of being suckered into SSL v3.

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

The paper explains it.

Desperately looking for names and versions.

is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

Is this IOS? What versions?

Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who knows I beg you to name names.

BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying

Please name names what browsers?

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed sometime ago.

This does not make any sense. A mitigation that does not work is not worth anything.

Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0

What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:How legacy is legacy? (68 comments)

The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

When compatibility issues are raised always insist people name names too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.

Everyone saying "there are servers" or "there are clients" please name names and versions.

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.

Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?

I love backwards compatibility but the cost to overwhelming majority of people who don't have old vulnerability ridden gear to manage via SSL is way too high in 2014.

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:How legacy is legacy? (68 comments)

According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Stuck between a rock and noplace (68 comments)

Does anyone know what exactly "many clients implement a protocol downgrade dance" means? ... never heard of this ever... who exactly is doing this and what the hell are they thinking?

Screw this TLS_FALLBACK_SCSV bullshit it's 2014 cut the music and send the dancers home.

about a week ago
top

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others

WaffleMonster Re:Anyone using Windows deserves it (97 comments)

it's about keeping people informed so they can act appropriately. Imagine yourself a FreeBSD user; if you heard of Heartbleed as a Linux bug, would you think to look for an OpenSSL patch?

If your idea of being notified is hearing about it on CNN, ./, other "media" or social propagation your doomed.

Users should not be expected to know what supporting libraries are used by applications. Application vendors need to provide patches and make announcements for service effecting vulnerabilities in supporting libraries distributed with their applications no different than if source of error were their own code.

Operating system/package vendors need to provide patches and make announcements for vulnerabilities in the software and standard libraries they distribute.

There are established update/security notification channels for these things users need to be following... there is no need for anyone to be guessing or make incorrect assumptions and no excuse for depending on shit sources (mass media, blogs, friends) for security notifications.

If anything keeping people "informed" is doing them a disservice.

about a week ago
top

Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others

WaffleMonster Re:Anyone using Windows deserves it (97 comments)

I'll take those two OpenSSL and Bash vulnerabilities any day! That's an important distinction, and not making it lulls anyone using OpenSSL or Bash on a non-Linux system into a false sense of security and may prevent them from patching. That's either a good or bad thing, depending entirely on the color of your hat.

  Yes, Heartbleed and Shellshock both had the potential to be much, much worst than this bug. However, those were only exploited after being found and disclosed, and patches being made available, while this and other Windows flaws are only patched after being found, disclosed, and exploited for a while. Where there were patches issued for Heartbleed and Shellshock within hours of disclosure, this won't be patched until Patch Tuesday. Mind you, that's today, but it's still coming not only days after the disclosure, but months after active exploits.

What is the point? For starters none of us have any idea who all has a stock of what 0-days for any platform.

Secondly CVE databases are loaded to the hilt with windows and Linux vulns.

Distinctions made are about as useful as an intelligence contest for the mentally retarded. Unsurprisingly everyone is failing ... badly.

about a week ago
top

Four Dutch Uberpop Taxi Drivers Arrested, Fined

WaffleMonster Re:Biased summary (280 comments)

FTFY. Slashdot-dwelling Randbots are against it, not Dutch public.

What is the basis? How do you know this?

about a week ago

Submissions

WaffleMonster hasn't submitted any stories.

Journals

WaffleMonster has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?