
Comments


Adobe's New Ebook DRM Will Leave Existing Users Out In the Cold Come July

flonker Re:I think they have to. (304 comments)

First 6 are non-secret, last 4 are non-secret. And one additional digit is a checksum, therefore non-secret. So, a credit card has 5 digits of secrecy.

about 6 months ago

Adobe's New Ebook DRM Will Leave Existing Users Out In the Cold Come July

flonker Re:Netflix has light DRM? (304 comments)

I don't know about anybody else, but the reason I don't find Netflix DRM unpalatable is because I didn't purchase the content. The "rental" is very explicit in the agreement between Netflix and the consumer. If Netflix were to start to sell movies, I would find that objectionable. I do find Steam objectionable, as well as most DRM.

about 6 months ago

Spoiled Onions: Exposing Malicious Tor Exit Relays

flonker Re:If all it takes is one... (65 comments)

Also, you are then susceptible to the very same MITM attacks by the VPN provider. (Although they do have an incentive to remain honest.)

about 6 months ago

Spoiled Onions: Exposing Malicious Tor Exit Relays

flonker Re:If all it takes is one... (65 comments)

The primary development goal of Tor is to prevent the request from being traced back to the requester. (As a secondary effect, it also bypasses various national/regional content blocking schemes.) Malicious exit relays are detrimental, but in theory the user should be aware of the trust issues involved. I would label this as a user education issue.

The major points being:

  • If your traffic is on the Internet, unless it is encrypted (such as by SSL), it can be passively monitored with only moderate effort.
  • If you are using Tor to reach the Internet, your traffic can't be traced back to you, but it still goes out over the Internet; see the previous point for more details. Tor can do nothing once the traffic is back on the Internet.
  • Attacks such as sslstrip exist. Be on guard against them.

about 6 months ago

Windows 8 and Windows 8.1 Pass 10% Market Share, Windows XP Falls Below 30%

flonker Re:Glass have water (470 comments)

But hey, at least Win8 beat Congress!

about 7 months ago

NASA's LLCD Tests Confirm Laser Communication Capabilities In Space

flonker Re:SETI (107 comments)

A great example of this that I've seen is: Shine a spotlight at the moon (from Earth) and sweep it across the surface. You can move the spot faster than the speed of light, thus the wave moves faster than c, but no individual photon moves faster than c, and no information is conveyed faster than c.

about 7 months ago

DHS Turns To Unpaid Interns For Nation's Cyber Security

flonker Re:FP (174 comments)

The U.S. Department of Labor's Wage and Hour Division allows an employer not to pay a trainee if all of the following are true:

  • The training, even though it includes actual operation of the facilities of the employer, is similar to what would be given in a vocational school or academic educational instruction;
  • The training is for the benefit of the trainees;
  • The trainees do not displace regular employees, but work under their close observation;
  • The employer that provides the training derives no immediate advantage from the activities of the trainees, and on occasion the employer’s operations may actually be impeded;
  • The trainees are not necessarily entitled to a job at the conclusion of the training period; and
  • The employer and the trainees understand that the trainees are not entitled to wages for the time spent in training.

http://en.wikipedia.org/wiki/Internship#United_States

about 7 months ago

Ask Slashdot: How Would You Secure Your Parents' PC?

flonker Re:"frozen" configurations (408 comments)

I'll second this. Another similar option is Sandboxie. It sandboxes the browser, preventing any exploits from escaping into the rest of the system. Also, make sure they are using Chrome or Firefox. And finally, ad-blocking software makes a huge difference.

about 7 months ago

Ubisoft Hacked, Account Data Compromised

flonker Re:The point? (138 comments)

The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.

1 year, 28 days
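The "store just enough to check that they know the password" idea above, as an added example that is not part of flonker's comment: a salted, slow PBKDF2-HMAC-SHA256 record that never contains the password, verified with a constant-time compare. The iteration count and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an illustrative
# assumption; real deployments tune it to their own hardware budget.
ITERATIONS = 200_000
SALT_BYTES = 16

def make_record(password: str) -> str:
    """Store only what a later login check needs: a random per-user salt and
    the slow hash of (salt, password). The password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(record: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and parameters, then compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)

def demo() -> dict:
    """Constructed example: two users who pick the same password get different
    records (the salt differs), and only the exact password verifies."""
    pw = "correct horse battery staple"   # constructed sample password
    r1 = make_record(pw)
    r2 = make_record(pw)
    return {
        "same_password_different_records": r1 != r2,
        "password_not_in_record": "correct horse" not in r1,
        "right_password_verifies": verify(r1, pw),
        "wrong_password_rejected": not verify(r1, "Correct horse battery staple"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```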

SXSW: Nate Silver Discusses Data Bias, the Strangeness of Fame

flonker Re:silver is honest (136 comments)

Very interesting and insightful troll. I was tempted to mod you up, but I figured a reply would be preferred.

Originally I disagreed with your post, but upon attempting to reply, I found that I agree that "both sides are equally bad/dishonest/wrong" is a cop-out, but I disagree that it's embarrassing. It's only embarrassing if you aren't doing anything to back up your belief, and voting is a good start, but it isn't enough.

about a year ago

On the end of USPS 1st Class Saturday delivery:

flonker Re:Why not cut even more? (564 comments)

Ever since this first started being discussed, I've been thinking M/W/F and T/Th/Sa makes a lot of sense. (A different route for each.) You could toss in 5 or 6 day delivery for commercial addresses.

about a year and a half ago

Semi-Automatic Hacking of Masked ROM Code From Microscopic Images

flonker Re:As said this is not really new... (42 comments)

As I've learned, the correct answer is, "Sure, but it'll cost them $n megabucks, and it will take x amount of time." (I'm sure rimcrazy also figured this out since then.)

about a year and a half ago

Aaron Swartz Case: Deja Vu All Over Again For MIT

flonker Re:Outward Appearances (175 comments)

Thank you, that answers my question perfectly. An immoral act is immoral in and of itself. Someone's suicide does not affect the morality of the original act.

about a year and a half ago

Aaron Swartz Case: Deja Vu All Over Again For MIT

flonker Re:Outward Appearances (175 comments)

To the dispassionate and disinterested outside observer, a mentally disturbed man committed suicide. The only one at fault is the mentally disturbed man.

I've long believed that suicide is nobody's fault except for the one who committed the act. However, I very much want to blame the DA for pushing him to commit suicide. I realize it's an emotional response, but there must be some basis in fact. At what point does provoking someone who then commits suicide become the moral and ethical responsibility of the provocateur?

I know I'm responding to a troll, but it hits upon an issue I've been thinking about for some time. It's well known how DAs threaten disproportionate punishments in order to get a plea bargain. And it's easy to see how this might get someone who was previously not seriously considering suicide to start doing so. Where should the line be drawn? Online/offline bullying? Threats of imprisonment? Threats of physical violence and/or torture? Or is it never someone else's fault?

about a year and a half ago

Hacker Bypasses Windows 7/8 Address Space Layout Randomization

flonker Re:Address randomization - security through obscur (208 comments)

security through obscurity

I do not think that means what you think it means.

"Security through obscurity" is being deliberately insecure and relying on other people not knowing about the insecurity as your defense.

Something like this relies on the fact that choosing a random address is much easier than guessing a random address that was previously chosen. This flaw results in forcing the victim to choose a non-random address when they intend to choose a random one. And "address spraying" works by increasing the size of the target the attacker must hit from a single exact address to a large number of ranges that cover most of the available addresses.

about a year and a half ago

Mega Defends Its Security Practices

flonker Re:This rebuttal is clear, concise and correct (165 comments)

Mega holding a copy of your encrypted key does not reduce security, and slightly improves security. A password generally has a laughably low number of bits. Anyone who knows or can guess your password can get your key and thus your files. Not very surprising. There is no way around the crypto entropy being limited by the password entropy. However, if your password has 2048 bits of entropy, then the attacker must crack 2048 bits of entropy to recover your key and your files.

Password entropy is an incredibly difficult problem to solve. xkcd has what has become the canonical example of this. 28 bits of entropy for a "typical" password. 44 bits of entropy for 4 random words strung together. The mega key is 2048 bits, which is roughly equivalent to 186 random words strung together or about 311 completely random typed characters. Anyone attempting to crack your crypto is going to attack the password, not the mega key.

The security increase comes from two factors: the net effect of padding your password so that its length is unknown, and the real-world security of using a known, trusted and tested security algorithm.

In summary, your encryption isn't any more or less secure than the password you use. If it helps, you can think of the key stored on the servers as a salt, and the password you type in as the actual key.

(Also, if they were so inclined, why would they capture the decrypted key rather than just capturing the password itself?)

about a year and a half ago

Mega Defends Its Security Practices

flonker Re:Keep using the old method? (165 comments)

Maybe use their whatever-it's-an-option encryption as added layer and call it a day.

I thought I remember reading that encrypting an encrypted file can actually make it less secure than either encryption step alone.

Sort of. If you make a mistake in your crypto, you can make things substantially less secure. A mistake such as using the same key for both encryption steps. Also, encryption is not necessarily additive. Encrypting something multiple times with different keys may not improve the security, or may improve the security less than the cumulative total number of key bits indicates.

As an example, let's take the Caesar cipher. If you encrypt twice with a key of 13, you end up with no encryption at all. If you encrypt once with a key of 15 and a second time with a key of 12, you end up with exactly the same security as encrypting once with a key of 1.

about a year and a half ago
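The Caesar-cipher point above, worked through as an added example that is not part of flonker's comment: two shifts compose into one shift modulo 26, so 13 then 13 is the identity, 15 then 12 equals a single shift of 1, and a defender checking the scheme still only has 26 candidate keys to try no matter how many layers were stacked. The plaintext and known word are constructed sample values.

```python
import string

ALPHABET = string.ascii_lowercase
MOD = len(ALPHABET)  # 26 letters, so 26 possible shifts

def caesar(text: str, key: int) -> str:
    """Shift every lowercase letter by `key` positions (mod 26); other
    characters pass through unchanged. A negative key decrypts."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % MOD])
        else:
            out.append(ch)
    return "".join(out)

def double_caesar(text: str, key1: int, key2: int) -> str:
    """Encrypt twice with two independent keys, as in the comment."""
    return caesar(caesar(text, key1), key2)

def effective_key(key1: int, key2: int) -> int:
    """Composition of two shifts is one shift: the key space does not grow."""
    return (key1 + key2) % MOD

def brute_force(ciphertext: str, known_word: str) -> list:
    """Try all 26 single shifts and return those that expose `known_word`.
    The number of Caesar layers the sender applied is irrelevant."""
    return [k for k in range(MOD) if known_word in caesar(ciphertext, -k)]

def demo() -> dict:
    pt = "attack at dawn"  # constructed sample plaintext
    ct = double_caesar(pt, 15, 12)
    return {
        "13_then_13_is_identity": double_caesar(pt, 13, 13) == pt,
        "15_then_12_equals_1": ct == caesar(pt, 1),
        "effective_key_15_12": effective_key(15, 12),
        "shifts_that_reveal_dawn": brute_force(ct, "dawn"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```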

JSTOR an Entitlement For US DoJ's Ortiz & Holder

flonker Re:heard this one before... (287 comments)

"Just following orders" is wrong not because someone higher up gave the order. It's wrong because despite the government condoning the action, the person doing it should know better. Therefore "everyone does it" is pretty much the same thing as "just following orders".

about a year and a half ago

Submissions


What tech companies still make good products?

flonker writes | more than 2 years ago

flonker (526111) writes "Members of my family individually bought 3 HP laptops last year. Both the battery and the power supply failed in all three of them very shortly after the warranties expired. HP used to be a great tech company, but I guess things change. My question for Ask Slashdot is: What tech companies still produce good products in 2011?"

Journals

flonker has no journal entries.
