Comments

"Infrared Curtain" Brings Touchscreen Technology To Cheap Cars

WaffleMonster Touch screens in vehicles = bad idea (63 comments)

Shifters, signals, lights, wipers, gas, brake, hazards, fogs, steering, etc. are designed to be manipulated by tactile feedback alone. Likewise my audio system was selected for its ability to be fully controllable via tactile feedback.

Driving is not a "game" .. touch interfaces have no place in a vehicle.

6 hours ago
Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

WaffleMonster Getting old (88 comments)

Too often when I hear of "researchers" discovering "flaws", it turns out all they are doing is demonstrating an obvious result from commonly known properties of a system.

You mean you can just mount that unencrypted drive, change root password, boot up and have full access to everything? Well jolly geeewiz...

The SS7 "flaw" is standard operating procedure for telcos, where the only meaningful form of security has always been adult supervision.

Not much different from what happens when one or more of the "adults" setting up BGP sessions turn out to be immature little brats.

The only difference is that at least people know the Internet isn't secure and can plan accordingly by plugging in the E2E security solution of their choice.

Have a smartphone and want to replace the standard voice codec with an encrypted one? Sorry, that's locked away in the baseband... access denied, son.

Attempts to set up globally trustworthy systems have consistently devolved into jokes. Humanity appears to lack the necessary intelligence and integrity to pull it off. The best we can do right now is piecemeal E2E solutions.

2 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:Bad for small business owners (391 comments)

You forgot that:

- the connection is permanent, multiple requests pipelined through the same connection
- The pages are by today's standard variable sized, headers are variable sized
- Compression is often used
- AES and most symmetric ciphers are block ciphers and rounded

People pointing out all of the ways my response COULD be wrong, or that if x, y, z countermeasures are taken then my scheme is foiled... and if you used TOR or something then even your IP would be safe... My central goal here is to communicate Joe Biden's point when asked about telephone metadata collection, not to nit pick and dot my j's and cross my 0's.

Let's examine some of the responses..

Well just add padding so they won't know... well ok...who is doing that?

Multiple requests encapsulated in an HTTP 1.1 pipeline or futuristic 2.0 scheme... so what? You visit a page and the chatter stops while you're reading it and starts up again when you click something else and follow a different link.

There could be dynamic content and that could render it difficult to discern x, y and z... This could be true or not depending on the site.

Compression - I don't get how this is relevant... When the NSA/KGB goes to your site to collect baselines, wouldn't the data be compressed (or not) the same as for any other visitor?

- AES and most symmetric ciphers are block ciphers and rounded

With AES you're looking at a block size of between 16 and 32 bytes.

Insecure shopping cart comments.. If you have a shopping cart on your website it stands to reason you already have an SSL certificate so the question posed regarding value of HTTPS over HTTP is not applicable - otherwise I agree what you enter on a form is probably very safe from prying eyes when using HTTPS vs HTTP.

Random padding for BREACH mitigation... I'll believe there is someone on earth who cared enough to implement this vs simply disabling compression for *dynamic* assets when I see it for myself. Compression overhead for dynamic content was always of questionable ROI as it is.

2 days ago
Extracting Data From the Microsoft Band

WaffleMonster Re:This also means (51 comments)

We're all holding our collective breath waiting to hear your practical, commercially and technically feasible alternative.

The proper technical solution is to bind encryption with a secure user authentication protocol.

Dump the certs in the trash where they belong and use TLS-SRP.

Technology is readily available and easy to implement.

3 days ago
Extracting Data From the Microsoft Band

WaffleMonster I'm so disgusted (51 comments)

Seems the only thing this industry is capable of producing these days is creepy stalker gadgets.

3 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:503 (391 comments)

I strongly disagree with the people who say encrypted but unauthenticated is as bad as unencrypted. Yes, a targeted attack can use man-in-the-middle techniques, but if anyone starts doing that on a large scale they are likely to get noticed.

I don't think people realize how easy it is to hijack a TCP session. There is essentially no filtering being done by any operator... packet spoofing can be trivially carried out from virtually anywhere on the network.

I think you're right in the abstract that opportunistic encryption is helpful against certain types of threats (e.g. Room 641A) ... and I would be supportive of implementation provided nobody knew it was going on.

The trouble is this nuance is too big an ask for normal users whose day job is not security to understand. When we say "it's encrypted" they hear "it's secure" ... which isn't true.

This is my problem with opportunistic encryption: people will rely on it and then get burned by it, and this is worse than not doing it.

3 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:503 (391 comments)

I don't think I've entered either of those things in the last 10 years. Heck they aren't even shown on my URL at the moment.

That's the problem they removed all of the indicators that would tell people what the hell is going on and confuse them with fake pointless assertions. Only now they are realizing they fucked up. When and if they fix it I hope they don't overreact and put even more people at risk.

Do you also consider having a front door with a door lock any better than just having a hole in the wall open to the road?

HTTP should look like the entrance to a 7-11 busy churning out Slurpees for all the good little boys and girls.

HTTPS should look like the entrance to a bank vault with armed guards standing watch.

The industry has failed for a number of reasons to present this picture to the user... at every turn they let their designers loose with their abstract Spartan design bullshit taking away critical information from the user. All the while legitimate sites routinely trick users with fake assertions of security having no basis in reality.

I don't think doubling down and forcing SSL on everyone is the answer.. the answer is realizing you have fucked up and fixing the underlying problem. The underlying problem is that the browser is not saying shit about the security status of a site, and when it does it is not obvious enough.

3 days ago
Hackers Compromise ICANN, Access Zone File Data System

WaffleMonster Re:fire them (110 comments)

Any employee dumb enough to fall for a phish should be fired.

The messages were *targeted* they appeared to come from real people within the company. If your PM sent you a word doc detailing a new project proposal and you opened it should YOU be fired?

SMTP email is a failed experiment causing untold damage to millions of users around the world.

3 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:Bad for small business owners (391 comments)

Doesn't it make sense? What makes you so sure? Do you run a gardening shop? How do you know your customers aren't being watched for fertilizer references? Maybe you sell some memorabilia or trinkets with a war or political relevance? God forbid you actually sell stuff that can be used to make firearms.

Your fertilizer page is 14674 bytes in length. What difference does it make if you encrypt it? I still know you went there and I know who you are by your address. Fail.

4 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:This again? (391 comments)

The secure vs trustworthy issue is a fundamental flaw with HTTPS where both encryption and authenticity are meshed into the same protocol.

This is doublespeak. Encryption without authentication is an illusion.

4 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:OK (391 comments)

Trivial to defeat HSTS:
https://github.com/sensepost/m...

Oh give me a break this does not defeat HSTS it just links to the wrong hostname offered up by an insecure site. Garbage-In-Garbage-Out.

Saying this defeats HSTS is like saying getting domain micr0s0ft.com registered and an SSL cert assigned defeats SSL because I tricked someone into going there and thinking it was the real deal.

4 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:503 (391 comments)

It has bugged me for years that unencrypted plain text data is given a pass, but a self-signed certificate with encryption brings up a warning that requires multiple clicks and in some cases even importing a certificate to get through.

When you enter http:/// you are declaring your intent to view unsecured content.

When entering https:/// you are declaring your intent to view secured content. An untrusted certificate is not trustworthy and cannot be used as a means of securing content.

4 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:Stupid (391 comments)

Personally I think the colour scheme is simply wrong. Rather than White for plain, Red for SSL with some minor error (self signed cert), and green for proper encryption, why not go red for unencrypted, orange for encryption with problems, and green for encrypted and verified?

That's easy: most websites will appear red and users will tune it out. You have now increased confusion and lost your ability to communicate important information to the user.

4 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:Has This Thread Been Hijacked By The NSA And IS (391 comments)

Encouraging the web to go 100% SSL only is unquestionably a good thing.

Not if it means paying rent to CAs every year so they can sit on their fat ass and do nothing.

The issues with performance were gone a decade ago...

Even if maintaining session state and TLS were completely free round trip delay and assuming the best case that session resumption occurs for all accesses you still have to eat additional round trips...delay that is quite noticeable to those accessing content internationally and over wireless or low bandwidth links.

It makes no sense that all the "anti-SSL" posts have been modded up.

Why should people have to screw with SSL when they have no secure content to offer? This is what makes no sense to me. Google is twisting arms to have their way.

Regardless of what you think of making everything "secure" I don't subscribe to the notion that ends should justify means.

4 days ago
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Re:This again? (391 comments)

Every web connection needs to be HTTPs, to keep random people from snooping on which URLs you visit. Problems only multiply with every cookie that discloses information or correlation between different requests.

Fire up wireshark, sort by DNS and pick any well known website at random. Why are there all these queries for dozens of other sites? They're all leaking tracking cookies and all kinds of bullshit to many DOZENS of providers who have nothing to do with providing the content your browser requested; their only job is to stalk your ass wherever you go on the Internet. Turning on HTTPS won't make them go away.

Just sitting on the wire and collecting destination addresses, amount of data transferred and timing stats is more than enough to piece together exactly what you're doing even while everything is encrypted.

4 days ago
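The size-fingerprinting point made in this comment, in the "your fertilizer page is 14674 bytes" comment, and in the padding/AES-rounding discussion in the "Bad for small business owners" thread above, worked through as an added example. This is not code from the thread or from any project: the page names and byte counts are constructed, the 16-byte AES block and PKCS#7 rounding are modelled as the comments describe, and the 4 KiB padding bucket is an illustrative choice. It shows that with no padding every page maps to a unique wire length, and how padding to a bucket boundary before encryption merges pages into sets an observer cannot tell apart by length.

```python
import math

AES_BLOCK = 16  # AES block size in bytes

# Constructed baseline: plaintext byte lengths of pages on a hypothetical shop.
# An observer can build such a table simply by fetching each page once.
BASELINE = {
    "/index.html": 9120,
    "/fertilizer.html": 14674,
    "/seeds.html": 14690,
    "/tools.html": 31002,
}


def ciphertext_len(plaintext_len, block=AES_BLOCK):
    """Wire length of one CBC-mode record: PKCS#7 padding always adds 1..block
    bytes, so the result is the next multiple of the block size strictly above
    the input length."""
    return (plaintext_len // block + 1) * block


def pad_to_bucket(plaintext_len, bucket):
    """Mitigation modelled here: pad the plaintext up to a multiple of `bucket`
    bytes before encryption, so many pages share the same wire length."""
    return max(bucket, math.ceil(plaintext_len / bucket) * bucket)


def candidates(observed_len, baseline=BASELINE, bucket=None, block=AES_BLOCK):
    """Pages in the baseline whose encrypted length equals what was seen on the
    wire. With bucket=None (no padding) this is usually a single page; with a
    bucket size it is every page that lands in the same bucket."""
    hits = []
    for path, size in baseline.items():
        padded = size if bucket is None else pad_to_bucket(size, bucket)
        if ciphertext_len(padded, block) == observed_len:
            hits.append(path)
    return sorted(hits)


def anonymity_sets(baseline=BASELINE, bucket=None, block=AES_BLOCK):
    """Map each possible wire length to the pages that produce it; the length of
    each list is how many pages are indistinguishable by size alone."""
    sets = {}
    for path, size in baseline.items():
        padded = size if bucket is None else pad_to_bucket(size, bucket)
        sets.setdefault(ciphertext_len(padded, block), []).append(path)
    return {n: sorted(v) for n, v in sets.items()}


if __name__ == "__main__":
    # Without padding every page in the baseline has a unique wire length.
    seen = ciphertext_len(BASELINE["/fertilizer.html"])
    print(seen, candidates(seen))               # 14688 ['/fertilizer.html']
    # With 4 KiB buckets the fertilizer and seeds pages become indistinguishable.
    seen = ciphertext_len(pad_to_bucket(BASELINE["/fertilizer.html"], 4096))
    print(seen, candidates(seen, bucket=4096))  # 16400 ['/fertilizer.html', '/seeds.html']
    for n, pages in sorted(anonymity_sets(bucket=4096).items()):
        print(n, pages)
```

The bucket size is the whole trade-off: larger buckets cost more bandwidth but put more pages into each set, and a site whose pages all differ by more than the bucket width gains nothing. Destination address and timing are left out here on purpose; they leak independently of size, which is the comment's point.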
Google Proposes To Warn People About Non-SSL Web Sites

WaffleMonster Google gone batshit insane (391 comments)

How much did the CA cartel pay Google to come up with this load of BS? Talk to me about SSL everywhere when everyone is using DANE and CAs have long since gone out of business.

You don't scare people with warnings like this. Crying wolf only places your users at increased and unnecessary risk.

4 days ago
Small Bank In Kansas Creates the Bank Account of the Future

WaffleMonster Re:Manifest silliness (156 comments)

Since we're not quite done writing them, what, instead, do you propose we put on paper checks other than the routing number and account number so that the receiving bank can figure out what bank, and what account, to request funds from?

I won't pretend to know the best approach, yet half-baked ones appear to be easily reachable.

Something as simple as printing random numbers instead of the bank account number... The numbers get registered with your account when new checks are ordered.

Or instead of signing the check, one presses a bank-provided magical stamp-like thing against the check to "bless" the transaction.

It could be as trivial as a challenge-response scheme where checks come printed with challenge codes and the bank-provided stamp writes a cryptographic response.

5 days ago
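One concrete shape the challenge-response stamp sketched in the comment above could take, as an added example that is not the poster's design or any bank's scheme. The assumptions are mine: the bank prints a random challenge code on each check, the customer's stamp holds a per-account HMAC-SHA256 key, the stamp's response covers the challenge plus the filled-in amount and payee, the printed tag is truncated to 48 bits, and the bank retires each challenge once redeemed. Account ids, keys and check data are constructed.

```python
import hashlib
import hmac
import secrets

# Hex characters of the tag the stamp writes on the check (48 bits); an
# illustrative choice, not anything from the thread.
RESPONSE_HEX_LEN = 12


def make_response(stamp_key, challenge, amount_cents, payee):
    """What the stamp computes: HMAC-SHA256 over the check's printed challenge and
    the fields the customer filled in, so altering the amount or payee after
    stamping invalidates the response."""
    msg = f"{challenge}|{amount_cents}|{payee}".encode()
    return hmac.new(stamp_key, msg, hashlib.sha256).hexdigest()[:RESPONSE_HEX_LEN]


class Bank:
    """Issuing-bank side: holds each account's stamp key and the challenges printed
    on that account's checks that have not yet been deposited."""

    def __init__(self):
        self._stamp_keys = {}   # account id -> secret provisioned into the stamp
        self._open_checks = {}  # account id -> set of challenges not yet redeemed

    def open_account(self, account_id, stamp_key=None):
        key = stamp_key if stamp_key is not None else secrets.token_bytes(32)
        self._stamp_keys[account_id] = key
        self._open_checks[account_id] = set()
        return key  # lives inside the stamp; it is never printed on a check

    def print_checkbook(self, account_id, count=10, challenges=None):
        """Print `count` checks, each carrying a fresh random challenge code."""
        if challenges is None:
            challenges = [secrets.token_hex(8) for _ in range(count)]
        chals = list(challenges)
        self._open_checks[account_id].update(chals)
        return chals

    def verify(self, account_id, challenge, amount_cents, payee, response):
        """Request from the receiving bank: honour the check only if the challenge
        is live for this account and the response matches the stamped fields, then
        retire the challenge so the same check cannot be deposited twice."""
        live = self._open_checks.get(account_id)
        if live is None or challenge not in live:
            return False  # unknown account, invented challenge, or check already cashed
        expected = make_response(self._stamp_keys[account_id], challenge, amount_cents, payee)
        if not hmac.compare_digest(expected, response):
            return False  # wrong stamp, or amount/payee altered after stamping
        live.discard(challenge)
        return True


if __name__ == "__main__":
    bank = Bank()
    key = bank.open_account("acct-demo")
    c1, c2 = bank.print_checkbook("acct-demo", count=2)
    tag = make_response(key, c1, 12500, "Acme Hardware")   # the stamp does this
    print(bank.verify("acct-demo", c1, 12500, "Acme Hardware", tag))   # True
    print(bank.verify("acct-demo", c1, 12500, "Acme Hardware", tag))   # False: replay
    tag2 = make_response(key, c2, 12500, "Acme Hardware")
    print(bank.verify("acct-demo", c2, 99900, "Acme Hardware", tag2))  # False: amount changed
```

Under this model the routing and account numbers printed on the check are no longer enough to draw funds; what an attacker would need instead is the stamp, so the stamp key becomes the thing to protect (and revoke) when a customer reports it lost.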
Virtual Reality Experiment Wants To Put White People In Black Bodies

WaffleMonster Re:Racist experiment (447 comments)

Black because that is the current big issue in America.

Aggregate damage to society caused by media professionally trolling for ratings and attention is grossly underestimated.

Couldn't begin to count the masses of terrified old ladies who think the world is full of pedophiles and murderers because that's all the glowing box ever tells them. Ditto on the number of tools who think there is a terrorist waiting to behead them under every staircase.

Schools have turned into fortresses with armed guards and draconian "zero tolerance" policies with scary lockdown drills because the media tells us our kids are constantly under attack when in fact actual objective statistics bear out reductions of shooting incidents and deaths decade over decade.

Everyone is so wound up and scared when they get on an airplane even the most absurd overreactions to any event or inhuman security policies (e.g. genital groping) are deemed acceptable and applauded.

All these fears directly feed into and influence policy creating their own reality... not a virtual reality but a real reality with real consequences.

The reason "black" is the current big issue in America is because poking away at tribalism is a train wreck that nobody can resist and it pays off big time as CNN is always rewarded when they do it. From CNN original documentaries on the "N" word to getting black and white talking heads to spew nonsense at each other to praying for riots.

CNN and other news outlets were right there waiting and hoping for people to show up at the event they all but sold tickets for. They couldn't have picked a more divisive example of police (Ferguson) brutality if they tried to fan an enduring controversy.

Everyone in the media is caught up in cherry picking events to support their presuppositions when they SHOULD know better. NOBODY is spending time examining statistics and even trying to understand root causes of problems... division sells, chaos sells. If the media really cared they would have been doing investigative reports but that takes effort and explaining is boring. Taking pictures of shouting and destruction and fires is both easier and more exciting.

A good step is getting people like you to stop injecting their knee-jerk nonsense into the discussion... ANY discussion, really.

Next up a TFA about how blackbody radiation has something to do with black people. Even TFA was complete media spin to fit a narrative that never existed in the first place for hits.

We're all being trolled on a grand scale for profit. Not for fun and jollies but professionally by experts to make money.

What you don't hear is talk about the treatment of poor people or political calculations affecting their treatment. You won't hear anyone talking about plea deals and assorted selective enforcement regimes allowed to metastasize over decades granting prosecutors powers they have no business having. You won't hear jack about globalization or aggregation of wealth or effects of lawyers and jails capturing the legal system. It is all about black people vs. white people. Keep the fucking "morans" fighting each other, we don't give a shit... we have money to make.

5 days ago
Virtual Reality Experiment Wants To Put White People In Black Bodies

WaffleMonster Re:Stop it with this crap. (447 comments)

I know millennials think they are the first generation that is morally superior and have the answers to everything. But I was playing Mike Tyson's Punch out when your parents were still wearing Zooba's. Not everyone is the racist.

Punch out was a hoot. Only game that was ever fun to play with the power glove.

5 days ago
Virtual Reality Experiment Wants To Put White People In Black Bodies

WaffleMonster CNN breaking news (447 comments)

Body paint is cheaper and works better.

5 days ago

Submissions

WaffleMonster hasn't submitted any stories.

Journals

WaffleMonster has no journal entries.
