Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Mark Zuckerberg Speaks Mandarin At Tsinghua University In Beijing

WaffleMonster Translation needed (207 comments)

How do you say "Dumb fucks" in mandarin?

yesterday
top

Assange: Google Is Not What It Seems

WaffleMonster Favorite line (257 comments)

"Whatever makes Google a âoekey member of the Defense Industrial Base,â it is not recruitment campaigns pushed out through Google AdWords or soldiers checking their Gmail."

yesterday
top

China Staging a Nationwide Attack On iCloud and Microsoft Accounts

WaffleMonster Re:Popular US browsers will warm, Chinese ones won (109 comments)

Please describe a 2 factor authentication method that is not susceptible to a man in the middle attack.

Client certificate + password

certificate based smart cards /w keypads

Specifically, describe a 2FA mechanism that is safe where one channel is completely compromised (Lets say; the Web Page you are "logging in to" is being man in the middled by the Chinese government).

This is not "Prove something doesn't exist", but show me even one example of a mechanism that does exist that is "man in the middle-proof". Seriously.

Too many people seem to be poisoned by the way things are vs how they could be if the proper readily available technology was brought to bear on the problem. Collection of credentials from web forms per your example is breathtakingly stupid way to have your users fall victim to attacks yet it is **everywhere**

For "what you know" use of zero-knowledge key agreement protocols such as TLS-SRP (RFC5054) enable two parties to establish mutual proof of possession without leaking shit and without associated MITM bullshit.

Imagine entering your credentials into a web form and not having to give a shit who is on the other end and without having any SSL certificates.

If the right person is on the other end login succeeds and *both parties* have evidence of the identity of who they are talking to.

If the wrong person was on the other end they don't get *SHIT* not even material for offline attack and the login fails. No certificates or external security mechanisms are required yet they can still be used to further enhance security and practical user experience.

Zero knowledge agreement satisfies "What you know" factor mutually in a secure way without MITM.

Mutual certificate authentication satisfies "What you have" factor in a secure way without MITM.

Each factor above is able to stand on its own feet separately. Each offers mutual evidence of identity.

2 days ago
top

The Physics of Why Cold Fusion Isn't Real

WaffleMonster Re:Why Cold Fusion (or something like it) Is Real (347 comments)

what do you suppose the word "larger" means, in any context?

Parent said "You cannot over come the columb barrier without sufficient energy."

Yet Muons do it for free as many times as they want before they die or "stick" by virtue of being Muons. This is real cold fusion no crackpottery required.

The production of Muons and assorted details surrounding barriers to useful functioning fusion reactors has zip to do with parents inaccurate comment.

3 days ago
top

China Staging a Nationwide Attack On iCloud and Microsoft Accounts

WaffleMonster Re:Popular US browsers will warm, Chinese ones won (109 comments)

you appear to be clueless around security.

I openly admit to being clueless around everything. You still have to support your arguments.

2FA is not a mitigation against man in the middle. It about raising the confidence level of the identity of the person who initiated the authentication.

Authentication is establishing proof of identity. Over networks this requires strong crypto and guarding of pre-established basis of trust specific to each factor.

There is no way around this basic truth. Number of factors involved is irrelevant.

Just because Google does x or old RSA fobs did y or some bank did z does not make those schemes secure. They may represent practically useful tradeoffs to some subset of the real world yet when your adversary is the Chinese government you quickly appreciate why they are insecure and don't really work.

You can still MITM it depending on other factors implemented, however if you MITM a good 2FA system you only get the one time hijacking of the current session, not the ability to reauthenticate

Is one session not enough to wreak havoc?

and as with many banks they then require a reauth for confirmation of certain off account transactions to help prevent the MITM problem.

I don't think online banking is something that deserves to be held up as an example. At least here in the US the faux second factor schemes allowed to be deployed by many institutions are patently ridiculous and dangerous.

What is secure is entering credentials into a FOB which then performs a cryptographic handshake with the institution. Here each and every factor is strongly protected and at no point is MITM possible unless the physical guard is compromised. Most everything short of the above is noise.

3 days ago
top

Safercar.gov Overwhelmed By Recall For Deadly Airbags

WaffleMonster Re:Be competent? (120 comments)

How about building your tech stack so that it can be scaled up/down on-demand? I'm using Rackspace and we have dedicated servers along with cloud servers. I can add or remove cloud servers as needed and also have the load balancers updated.

All this appears to be doing is asking basic questions and executing trivial database lookups. Is there a reason why even a single server should not easily be able to handle world wide demand by itself?

More importantly what is with this failure mode of delay followed by blank screens? Seems like crappy design leading to snowballing collapses.

If you're just doing reads against a database, it's straightforward to add additional replicas (we use MongoDB with replica sets, don't have enough data for sharding yet). If you need to do any processing, then you should build a grid compute system where you can just add additional compute nodes. We're using RabbitMQ along with Celery. Granted, this strategy ignores issues like a saturated network, but our provider is responsible for dealing with that.

Can always count on technology to help us dig even deeper holes for ourselves.

3 days ago
top

Safercar.gov Overwhelmed By Recall For Deadly Airbags

WaffleMonster Why overwhelmed? (120 comments)

Hard to understood why people continue to use inherently slow and glitchy application stacks to run their sites.

Starting with java and piling on interpreters and frameworks to the point it takes a minimum of 1GB just to start tomcat stack for even trivial applications not even counting data tier something has gone terribly wrong. Once started performance running through mazes of redundant abstraction on top of redundant abstraction leaves precious little room to make up for inevitable developer laziness without maxing out available resources. Isn't just Java yet it seems to be the worst offender.

3 days ago
top

The Physics of Why Cold Fusion Isn't Real

WaffleMonster Re:Why Cold Fusion (or something like it) Is Real (347 comments)

you should read what you link: Current techniques for creating large numbers of muons require large amounts of energy, larger than the amounts produced by the catalyzed nuclear fusion reactions.

What do you suppose the word "catalyzed" means in the context of muon catalyzed fusion?

3 days ago
top

China Staging a Nationwide Attack On iCloud and Microsoft Accounts

WaffleMonster Re:Popular US browsers will warm, Chinese ones won (109 comments)

The ones that use SMS dont prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.

I don't know why I'm stating the obvious... SMS is not a trustworthy communications channel especially when your adversary is your government.

2 factor auth is not supposed to prevent a MITM BTW.

Haha ha ha ha funniest thing I've heard all day.

A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.

This is why real systems cryptographically bind both factors.

3 days ago
top

In UK, Internet Trolls Could Face Two Years In Jail

WaffleMonster Trolls poised to take over the world (487 comments)

When you think about it most of the "mainstream" media is based on trolling. More subtle than "Your mom .... last night ... with ... and ... and ... " yet just the same they deliberately and persistently push the audiences buttons and willfully mislead to attract attention and ever larger audiences.

The online media is much more aggressive in this regard routinely offering structures granting massive audiences to random people visiting their site.. This is a bit like keeping a stack of 100's in an unlocked car in a Wallmart parking lot overnight and being surprised when it turns up missing the next day.

If trolling is an epidemic it only got that way because Trolls have been well fed in environments where the objective function is maximizing advertising profits to the detriment of decency and integrity.

While I can't bring myself to defend threats of injury or death as free speech... this is a worlds away from Malicious Communications Act's "indecent or grossly offensive or information which is false and known or believed to be false by the sender" insanity.

I find it breathtaking TFA would focus almost entirely on rape threats while largely remaining silent on the really insane aspects of this law.

Where is that sensational article titled "Telling a fib will get you two years in jail?" ...

4 days ago
top

Python-LMDB In a High-Performance Environment

WaffleMonster Re:Wikipedia article deleted (98 comments)

If Wikipedia was a person I would smack it upside the head for shit like this. There is absolutely no reason not to have an article on LMDB, and deleting a perfectly good article for no reason is evidence of a mental disorder. It's not like they have to spend an extra penny for a piece of paper to hold the article, possibly making the book too thick. Wake up.

Speaking only from personal experience
there seems to be a disconnect between what people actually derive value from and rules + perhaps original intent of Wikipedia.

We seem to be stuck in a situation where lack of enforcement itself is supporting quite a bit of value and interest in the site... A situation ripe for leverage by personal whims and selfish persuasion.

I don't think there are any easy answers yet the rampant deletions are particularly annoying and unhelpful to me as a user of Wikipedia.

about a week ago
top

Drupal Fixes Highly Critical SQL Injection Flaw

WaffleMonster Re:It's not that hard to do it right (54 comments)

Sealing against SQL injection isn't that hard. Don't ever write:

select * from table where id = $id

Does anyone have a better way to build up queries?

The forbidden example above looks to be the easiest and most readable of all the variants you have provided...

SQL context aware eval() routines with safe default marshaling assumptions are relatively trivial to write.

Much better to give people what they want rather than forcing them to use parameterized semantics where not ideal. If web platforms did this from the beginning CVE databases would be much lighter than they have become.

about a week ago
top

Eggcyte is Making a Pocket-Sized Personal Web Server (Video)

WaffleMonster Re:Web Server? (94 comments)

You did read the TOS of your ISP provider, right? Some don't allow any server at all (email, Web, etc) on your home connection.

Who cares what it says?

about a week ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

Disabling SSLv3 does nothing for future attacks; but the other measures we are putting in place will.

The problem is non standards complaint behavior of web browsers willfully subverting downgrade attack prevention features baked into SSL/TLS standards.

The downgrade SCSV will let a server detect a downgrade attack, or incorrect version fallback.

This requires both servers and clients to support it and associated propagation throughout the worlds server and client stacks to be at all effective. SCSV is not even an RFC.

Why leave people exposed in this manner? What good is TLS 1.2 deployment and fancy new AHEAD ciphers when any yahoo can come along and force affected browsers to TLS v1... What is the compatibility based reason for continuing this behavior when SSL v3 is being disabled in new browsers anyway? Please name names.

As with many things, there is a balance to be struck. Disabling SSLv3 a year ago would have affected a lot of sites, including major commerce and banking sites, and it's not always an easy fix with aging infrastructure and long supply chains for equipment.

What balance? What are the tradeoffs? Nobody seems to know. What is on the other side of the ledger to serve as a counterweight to allowing downgrade attacks to persist in 2014 and why does everyone need to bear that risk by DEFAULT?

about two weeks ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:POP/IMAP/SMTP? (68 comments)

Yes, if your client falls back to SSLv3.

Please don't confuse browser "dancing" behavior with SSL version negotiation. Clients and servers can support both SSL v3 and TLS 1.2 without danger of being suckered into SSL v3.

about two weeks ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

The paper explains it.

Desperately looking for names and versions.

is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

Is this IOS? What versions?

Unfortunately those failed negotations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

about two weeks ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who knows I beg you to name names.

BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying

Please name names what browsers?

about two weeks ago
top

Google Finds Vulnerability In SSL 3.0 Web Encryption

WaffleMonster Re:Stuck between a rock and noplace (68 comments)

Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed sometime ago.

This does not make any sense. A mitigation that does not work is not worth anything.

Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0

What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?

about two weeks ago

Submissions

WaffleMonster hasn't submitted any stories.

Journals

WaffleMonster has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?