×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

iPhone Attack Reveals Passwords In Six Minutes

jallen02 Re:Apple iOS File System Encryption (186 comments)

From the article:"This decryption is possible,since on current (3) iOS devices the required cryptographic key does not depend on the user’s secret passcode"

That is what I take issue with since that is not 100% accurate. The quote, for the device they tested (4.2.1, with file system encryption on) should be, "This decryption is possible IN MOST SITUATIONS,since on current (3) iOS devices the required cryptographic key does not depend on the user’s secret passcode".

However you can set flags on files and keychain entries that DOES make the user's passcode required.

more than 3 years ago
top

iPhone Attack Reveals Passwords In Six Minutes

jallen02 Re:Apple iOS File System Encryption (186 comments)

I feel I should clarify. The article summary is a bit misleading and the paper is not, exactly, misleading.

In the version of iOS they tested you have the option of encrypting your keychain entries using the mechanism I describe (which means they would come us as "protected"). And as the PDF article mentions they could not extract the device key (forcing a local brute force attack if you want the passcode set for the device). If the protection level is set to encrypt the keychain entry with the device passcode it can't be recovered through some flaw in the encryption (that we know about).

So the article is basically saying, "Gee we can access things that aren't flagged to be protected with the device passcode". Which is, well what any reasonable observer expected since that is exactly how it was described over a year ago. It is good to see a working implementation.

Apple's real flaw here is that they did not force this encryption for *everything*. Instead they rely on developers to pass in certain options when storing keychain entries (and or when writing files to disk). Without these options the data is, sadly, recoverable. Apple even only encrypts the Mail app out of the box, which does not set the best example. That said they are basically making a very technical commentary on design decisions by Apple and I think this point gets lost in all the scare mongering. It would have been much more coherent (but not have gotten as much PR) to simply make this clear straight away.

more than 3 years ago
top

iPhone Attack Reveals Passwords In Six Minutes

jallen02 Re:Apple iOS File System Encryption (186 comments)

http://wikee.iphwn.org/s5l8900:encryption_keys

That is why the user's passcode is so critical. When you unlock the device it is created once (derived using PBKDF2) and then the passcode is gone. The derived key is held in memory to decrypt the class keys. When the device locks the class keys are (for sure) encrypted and the derived key is forgotten as well.

more than 3 years ago
top

iPhone Attack Reveals Passwords In Six Minutes

jallen02 Apple iOS File System Encryption (186 comments)

In IOS >4 with a modern device (3GS or better, iPad included) this article is blatantly incorrect.

"The attack works because the cryptographic key on current iOS devices is based on material available within the device and is independent of the passcode, the researchers said.". Not true. In iOS4 they use a variant of PBKDF2 to generate an encryption key that is used along with the device key alluded to in this article to decrypt "class keys". The class keys are then used to access data at the various protection levels (Never, After First Unlock, Only When Unlocked). Each of those levels of data has a separate key. Those keys are required to decrypt the individual keys on each file. Each file has an encryption key set on it in the meta data (which means you do have to reformat your system and set a reasonable passcode).

Because of the PBKDF2 variant brute forcing is infeasible. Because of the device key you have to try this IN the device and are limited to Apple's hardware for forcing.

All of this is possible because Apple has an AES-256 hardware chip that blazes through crypto for that algorithm.

Remote wipe uses yet another key (the file system key). So each file encryption key requires a "Class key" and a "file system key" to be decrypted. Lose either one and the file system is history. So remote wipe is accomodated in newer versions of iOS by just forgetting the file system key.

In short, this article is not providing an accurate portrayal of "current/latest" devices. Though I am not sure how many people: Have the newer hardware, have iOS 4 AND have reformatted their filesystem to accomodate the required metadata.

more than 3 years ago
top

The Case For Lousy Passwords

jallen02 BCrypt, md5crypt and others! (343 comments)

Hello,

If most sites were using bcrypt with a decent work factor or another similar algorithm you would probably never crack more than a tiny, tiny fraction of a password database. We know how to prevent this. It is best summarized in PBKDF type algorithms, bcrypt and others. Use it. This stuff works.

more than 3 years ago
top

Iran Arrests Alleged Spies Over Stuxnet Worm

jallen02 Re:"only a national intelligence agency" (261 comments)

Only, this is exactly how you WOULD do it if you were to use a botnet component in an information warfare strategy. I direct you to the excellent work of Charlie Miller.. who worked for the NSA and has DONE this type of work before (information warfare against foreign governments). Much of his paper is just plain logic/reason as well. Think about it. Especially with the stolen certificates. If I have stolen certs those are BIG playing cards. Like sitting on golden 0-days. You don't whip those out until you are ready to play hard. Once you reveal your hand (that you have the stolen certs) the certs get revoked and the cleanup begins. So you don't play those cards till the time is right. It is impossible to say if a government entity is behind it, but if it IS behind it this is when and how you would do it. Plausible deniability, etc. And, if our govt is NOT behind this they are still not going to complain about it. Also, it would take fairly significant resources.. probably a few million dollars to operate, build and run a botnet like this and keep is quiet. Using compartmentalization, each team / group of people isolated from the others, etc.

Thank about it :)

more than 4 years ago
top

Schools, Filtering Companies Blocking Google SSL

jallen02 Re:Old news (308 comments)

Good thing for you most large governments have the root CAs in their pocket and can easily Man in The Middle most SSL transparently, unless the user is superbly vigilant.

more than 4 years ago
top

Schools, Filtering Companies Blocking Google SSL

jallen02 Re:Old news (308 comments)

Except, that is not true. There are commercial proxies that make it very easy to own users that are using SSL. It just costs money. All the IT administrators have to do is install the proxies certificate authority cert in the list of trusted certificates and transparent man in the middle can be done with ease and the user will never be the wiser. The tools to do this can be developed by anyone with a little knowledge of SSL and some time, as well. This is a major fallacy. It is only difficult for organizations that are lazy and or can't afford the proper tools to do it. So it is easier to fight it administratively than pony up for the commercial tools to do it.

more than 4 years ago
top

Germany Finds Kismet, Custom Code In Google Car

jallen02 Re:Is this how they can do wifi location detection (237 comments)

Your gps device is capable of measurements nearly that precise. You just have to let it sit there a while. You let it collect data for a long time and then voila, find the center spot of all the GPS coordinates that got recorded (it will jump around) and you have an incredibly accurate measure.

more than 4 years ago
top

GCC Moving To Use C++ Instead of C

jallen02 Re:thus a disaster (546 comments)

Surely at least one poor individual out there knows every nuance of the language.

more than 4 years ago
top

Is Programming a Lucrative Profession?

jallen02 Re:Depends on specialization and responsibilities (844 comments)

You can get cheap FPGA boards these days too. The only barriers most people will face is motivation and the knowledge of what to learn and when to learn it. The trick is to optimize happiness and earningsat the intersection of the two that best fit the lifestyle choices you probably don't know you will have to make earlier in your career :)

more than 4 years ago
top

New Wheel of Time Book — Chapter One Online, Released Oct 27

jallen02 Re:BRANDON SANDERSON! (269 comments)

I concur with the parent. I recently purchased and read through all four of his most popular novels: Elantris and the Mistborn Trilogy. Sanderson's default writing style is actually shorter and less descriptive... but then for first books you don't always get the luxury of killing an entire forest to describe a bedroom.

That said I have read the annotations for most of his books, Brandon's blog posts regarding his writing (cruise to his website and read up if your remotely interested) and the entire WoT series again. I have decided that with the amount of information Jordan left behind (plot) a writer of Sanderson's talent can pull it off. Sanderson has a much shorter paragraph length on average and his stories had great potential plot wise, he just chose to keep the stories shorter, though he has the vision of the grand epic. The real challenge will be nailing the details and tying up all of the plot threads on a coherent manner. The writing style, I think, Sanderson probably fell into after a few months of writing. Since Sanderson has already managed reasonably complex plots and seems to be keeping it all together (based on his blog posts) I hold high hopes for the completion of this series.

This is a series I started reading in early high school and have treasured to this day. Some books are better than others, but this series is THE epic fantasy story of the last 20 years. It is more of a brute force presence in the fantasy fiction world than something someone did decades ago like Tolkien. Jordan has defined an entire decade of writers and readers that have had to come to terms with his stories when they contemplate the fantasy epic. When an author sits down and thinks of a plot and story for a fantasy epic it is, in my opinion, Tolkien and Jordan that you struggle with: how do you do something different? How do you spin threads of a story of epic length while making the same old good triumphs of evil (epicly!) enjoyable? There are a lot of other great writers in the epic fantasy space and I don't mean to reduce it to the two most well known.... but they are where they are for a reason.

Anyhow... my rambling is done. I highly recommend Elantris and or the Mistborn trilogy. Though I suspect that most of us that have been eagerly waiting have already begun studying up on the man to finish up Jordan's legacy.

more than 5 years ago
top

Google Mows With Goats

jallen02 Re:Excuse Me But... (466 comments)

Wait.... you just replied to yourself. Buddy you need to take it easy. These self held discussions on the merits of goat breeds are a little frightening.

more than 5 years ago
top

Forensics Tool Finds Headerless Encrypted Files

jallen02 Re:Don't worry (374 comments)

Yeah, you can fool it but you would definitely end up inflating the data. Properly done crypto should leave the data completely indistinguishable from random noise. If I can determine your data is encrypted and somehow different from random noise then you have implemented your cryptography improperly. However, if you scan a disk and, using statistical frequency analysis, find bits of random noise floating around that is not a common event. Compressed files are pretty easy to test for, even though they do start approaching noise in their randomness compared to a regular file format like HTML. Basically in order to attain proper cryptographic properties you can't cheat and use some method of crypto that is not random. What you could do is properly spread out the random data enough and intersperse it with regular patterns to make it resemble something else. You would basically end up with a data hiding routine. Small messages are the easiest to hide. Ala steganography. A lot of work has been done in that arena.

I realize you may have known some or all of this (crypto and the breaking of it is just fancy statistics for the most part!) Just elaborating on the idea a bit for others. I work in infosec so I love crypto :)

more than 5 years ago
top

With a Computer Science Degree, an Old Man At 35?

jallen02 Good advice... :) (918 comments)

Yes there is ageism at some companies... maybe even in general. You don't want to work at those places because you will likely be treated like a drone anyway. If you are truly passionate about computer science go for it. Become a lethal ninja of the computing sciences. You will probably have to work harder than the whiz kid peers you will meet in college, but you are older and wiser. Go in there, expand your brain, kick ass and just ignore everyone that says this is crazy (it kind of is).

You may have to work harder than a lot of people in the industry to make up for your lack of experience, but if you really love doing this you won't really notice. Just go for it. If you have little holding you down in terms of financial obligations (family, mortgage) you are even better off. If you work hard and show your value you can find good work in this industry. And if your previous experience can be applied to a specific industry you have a huge leg up :)

So to paraphrase Duke Nuke'em -- Fuck emm all, let god sort it out. This is a great time to be in school with the recession as well...

I have been around the block a couple of times by now and you will definitely encounter ageism from time to time. I just ignore it and show my worth and that is that.

more than 5 years ago
top

Traveling With Tom Bihn's Checkpoint Flyer

jallen02 Re:Eh? (133 comments)

As a frequent traveler it is easy to begin to obsess over bags a bit. You basically live with these things and they are like a portable house to you. How convenient, comfortable and easy they make your life is important. And from an absolute perspective things like airport security are a non event. So what if it takes me an extra 3 minutes? Even if it took an extra 3 minutes and you took 100 flights / year that is only a mere 300 minutes! Well convenience in travel matters. There is something nice about slipping through everything as quickly as possible and being on about your business. The central focus of all of these activities is your bag. I am a minimalist. I just have a big bag with a few pockets and I just dump stuff into it. Sturdy and strong so I know it won't fall apart and the rest is trim, but I still compartmentalize things meticulously to deal with airport security.

Side rant: It is all a bunch of bullshit security theater, but I have learned first hand that it is not wise to make a big deal of it. Being followed and harassed by a TSA supervisor threatening to have you arrested is OH so entertaining. I one day, rightly, pointed out a particular rule of theirs to a screening agent who was doing something he should not have been doing and the situation ended with me barely avoiding being arrested and followed by an overzealous supervisor who was quietly stalking behind me and listened to me muttering rather unkind things about the TSA. He then proceeded to flip out telling me not to say another word! Check your ideals of privacy and freedom at the door of the airport. A good bag just makes this process easier.

more than 5 years ago

Submissions

Journals

top

Karma Capped

jallen02 jallen02 writes  |  more than 13 years ago

After being on /. for a couple of years or more I have finally reached the Karma cap.

Even though I really don't care about having Karma since I always post at 1 in almost every case I still feel a strange sense of listlessness and loss of purpose, sad ehh?. I now look at the comments and don't get quite as excited when people find what I have to say informative, or interesting, or insightful. I also don't really mind being moderated into oblivian for sharing an opinon

Perhaps the sadness will fade? :p

Jeremy

top

Stuff............................................. ..........

jallen02 jallen02 writes  |  more than 13 years ago

................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................vv

Slashdot Login

Need an Account?

Forgot your password?