Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Industrial Control System Firms In Dragonfly Attack Identified

snemarch diz gun be gud! (24 comments)

Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

Well, HELLO there, internets!

It'll be interesting to see why that company could not be named. Banking, perhaps?

about a month ago
top

Famo.us: Do We Really Need Another JavaScript Framework?

snemarch Re:Do we need HTML+Javascript at all? (104 comments)

How would one go about running a video game on a dumb terminal? Cellular networks don't have enough throughput to support a lot of OnLive/Gaikai style streaming, and plenty of games are too twitch-sensitive for cellular Internet latency to keep the game enjoyable.

"Nobody wants to play those games". Like, nobody would want to play anything with an inferior non-DRM experience. Catch my drift?

about a month ago
top

Famo.us: Do We Really Need Another JavaScript Framework?

snemarch Re:Not Ready Yet... (104 comments)

Some systems (eg Direct2d) are built on top of 3d graphics stacks, you just have a flat projection and no depth co-ordinates to give the impression of a 2d graphics surface.

Do keep in mind that you're talking about one specific technology stack here.

So you see WebGL is significantly faster than HTML drawing, which is why it might be a good thing overall...

Really? I might be misunderstanding things, but the general browser engine is going to be C/C++ code, whereas all the famo.us stuff will be javascript. Sure thing, JS engines have become a lot more performant lately, but they still don't beat native code.

But sure, if you offer more limited layouting, you might be able to outperform the native browser engines with JS+WebGL. HTML+CSS is a pretty horribly bloated beast.

about a month ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Translation (250 comments)

Dear sir,

I am interested in learning more about 'Forensic Analysis of Tamagotchi Devices'. Please subscribe me to your newsletter.

I would seriously love to know which value they extracted from grabbing his tamagotchis (and other devices). All in all, my impression is that the Norwegian police gained NOTHING from raiding him (except US-bitch creds), because everything relevant was in the open, anyway. It's been several years since I spoke with Jon, anyway, but he was doing well back then - he moved to the .us and attacked FairPlay. Before that, he had went under hiding to avoid the .no army... dunno how it is now, but back then, to avoid conscription, you had to claim you were homosexual (or at least that's what he told me).

I hope he's doing well nowadays, he was definitely a happy influx in our IRC channels back then :)

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Coded Message (250 comments)

Well played, sir, well played!

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:What's hardest, the crypto or the OS integratio (250 comments)

Mod parent up - I'm replying here, so can't use mod points :-)

Passing the decryption keys around in BIOS-style boot is somewhat dirty - haven't perused the TC source, so I don't know how they specifically do it, but it'd probably be along the lines of leaving the key at some fixed memory location, and let the Windows boot-time driver read it from there. UEFI drivers have a whole new way of booting the system, so you'd need to adapt to that. It's probably doable, and probably doesn't even need big voodoo - but if you've been working on a codebase for ~10 years, don't need UEFI support yourself, and probably have a family to look after now... it'd be a darn big task implementing. While UEFI stuff can be programmed in C rather than assembly and has SDK and documentation, it's quite a different world.

If we ignore (or postpone) encrypted boot volumes, however, I'm pretty sure that very large parts of the TrueCrypt codebase could be re-used - and at the same time, the really archaic build environment requirements could be dropped.

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Let me attempt to translate for you guys (250 comments)

This sounds like over-the-top paranoia to me.

I'm a developer, and I used the phrase "impossible" quite often (though often softening it with "without spending way too much effort"). In the case of TC, I'd be far more inclined to believe that "impossible" either means due to license/copyright issues or because the build process requires really arcane versions of arcane tools rather than it's backdoored all the way to hell.

If anybody worth their salt forked (and audited) the code, they'd find the flaws that aren't deep-math problems in the core crypto code. And it'd probably still be easier to do fork-and-major-cleanup rather than rewrite-with-original-as-base - just look at what the OpenBSD guys are doing wrt. OpenSSL->LibReSSL - rewrite from scratch would likely introduce new security problems, and irregardless of whether you rewrite from scratch or "just" clean up the code, you need to go through every friggin' source file anyway.

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Pissing war (250 comments)

The NSA can't force a backdoor without it being instantly obvious. There haven't been any code changes in a very long time and the source code is currently being audited. Any change would be heavily scrutinized.

You're missing the "it was already backdoored" vector, though. I don't personally believe this is the case, but it's a possible scenario - "OK, code audit is ongoing, they'll find it sooner or later, let's bail".

Given their lack of interest in the project it seems unlikely the developers spotted a vulnerability recently and discussed, privately, fixing it, with the NSA intercepting their discussion and demanding they not fix it.

Dunno about "lack of interest" - TrueCrypt is pretty feature-complete. Genuine question: are there any major bugs or lacking features in 7.1a?/

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Secret government pressure? (250 comments)

The only thing I would add is that the cease and desist letter would be very illuminating. It would have to give a face to the anonymous developer group, and give New Guys a chance to sink their teeth into that face in court.

Assuming, of course, that the C&D letter comes from the original authors, and not shills set up (and funded by) whatever TLAs.

/me polishes the tin-foil hat :-)

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Translation (250 comments)

Seriously, people, save yourself the time. You'll just also get a letter from the NSA and either have to include their backdoor or drop the project.

And I sure as hell don't want to be the one who did the right thing only to see it going to waste because someone else didn't.

Please provide evidence that the NSA had anything to do with TrueCrypt ending development.

Please provide evidence that they didn't :-)

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Translation (250 comments)

First of all, there's a source code audit taking place. The source code audit has shown the binaries match the source, eliminating the possibility that the binaries were built with different source.

No, the audit didn't show that - the matching build was done by somebody else. A later goal of the audit project is to produce "repeatable, deterministic build", though.

Second, it's open-source. If a backdoor is put in the code, it would be in the commits.

The backdoors you have to worry about in Real Life isn't of the "if (nsa_are_connecting) { ... }" type - it's very subtle things that look like late-night coding errors, buffer overflows that allow remote code execution, or really obscure mathy stuff in crypto algorithms (like the wonky Dual_EC_DRBG stuff - that required hard math analysis, and wouldn't have been exposed during a code audit). In other words: you wouldn't discover backdoors from commit logs unless you were a world-class programmer and cryptographer, and you did hardcore analysis of all core-crypto related commits.

IMHO, any buffer-overflow or other "ability to run code on target machine" flaws aren't indicative of backdoors, merely human errors, and it's not critical to the security of TrueCrypt (or any other encryption software) - what we need 100% security against is cold attacks on encrypted volumes. Of course other flaws should be fixed, crypt-key material should be burned as soon as not needed, et cetera - but as long as you have an encrypted volume mounted, you are going to have the encryption key loaded in memory, and if anybody is able to execute code with root/admin/ring0/CallItWhatYouWill, they will be able to snatch your encrypion keys, and you're game over.

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:Translation (250 comments)

Unless the deveopment is done outside of US. Because in that case you can use the letter to wipe your, let's say tears of joy and carry on writing the project. Unless, ofcourse you are planning to visit US any time in the future.

For something as potentially annoying as an opensource, audited, cryptographically (and code-exploitability wise) secure system, do you really believe NSA wouldn't be able to affect people in other countries? Just look at what happened to Jon Lech Johansen when he published the DeCSS code - he was in Norway, did nothing that was illegal according to Norwegian law... yet the .us media industry flexxed their muscles, and his home was raided and all electronic gadgets (including cellphones and a tamagotchi) were raided.

Now, I'm (honestly!) not really sure who are most powerful, the NSA or the .us media industry. But I'd wager that the NSA are willing & capable to do some really nasty things against civilian not-very-well-publicly-known targets.

about a month and a half ago
top

TrueCrypt Author Claims That Forking Is Impossible

snemarch Re:wrong (250 comments)

BitLocker? Nope, might as well be called BootLicker, given Microsoft's complicity with the federal surveillance apparatus.

I somehow kinda doubt that there's any blatant backdoors or crypto vulnerabilities in BitLocker - it would be very, very stupid of Microsoft to do something like that; there's a lot of eyes on MS, and a lot of people (including very skilled Reverse Engineers) who'd like to see MS burn.

On the other hand, given a Court/NSA order and a target, I'm also pretty sure that there's very easy ways for MS to retrieve crypto keys from a running system and handing them over - complying, but keeping the overall BitLocker integrity intact.

Cold attacks against a powered-down system? I'd actually be surprised. MS have done a lot of evil, but it's evil of a different kind.

about a month and a half ago
top

OpenXcom 1.0 Released

snemarch Interesting! (50 comments)

It's nice to see that there's still people interested in the *original* XCOM games - and not the utter junk that's been released since TFTD.

Some 13 years ago (wow, time flies), I was delighted to see a Windows re-release of the XCOM games (the "Collectors Edition"), since the DOS version was indeed pretty troublesome to get running under Windows - this was before the luxury of DOSBox. However, the fine developers who did the port didn't know the difference between "pitch" and "width", and thus it was unplayable (on a wide range of graphics cards, apparently). I was put down by this, but my friend who was visiting that evening said "well, you usually fix... bugs... in programs, so can't you fix this?".

One frantic night of reverse engineering and beer-drinking and reminiscing about chryssalids and tentaculats laters, I had a bugfix loader running. XCOM once again! The CE port in general wasn't perfect, the XCOM1 intro only had MIDI music but not the muton screams and other sound effects, there were stall-for-a-second issues when changing soundtrack on many soundcards, et cetera.

When XCOM1+2 were re-released on STEAM, they initially used my bugfix loaders (I'm told they use DOSBox nowadays - that's a more authentic experience). Didn't even contact me about it. When I reached out to the people in charge (took a while, the rights to the brand had been shifted around quite a bit), I was told that the source code no longer existed - apparently, at the end of days, it had existed on a single laptop that had been stolen or destroyed or whatever.

So, with the above in mind, it's nice to see that people are trying to re-create the legacy of one of the best games I've ever spent countless hours with.

about a month and a half ago
top

Wolfenstein: The New Order Launches

snemarch Re:creepy (167 comments)

It's a shame nobody ever made a modern version of Syndicate.

about 2 months ago
top

Game of Thrones Author George R R Martin Writes with WordStar on DOS

snemarch Re:640k isn't enough for everybody (522 comments)

Windows 3.0 ended up being the most popular dos extender of them all, as everyone had it, and it had a much more feature rich runtime environment.

Are you sure that Win9x wasn't a more popular DOS extender? ;-p

(Definitely was for me - before I could afford a decent computer, I used a manually stripped-down version of Win95 SR2 that weighed in at around 15 megabytes in order to get decent multitasking, and disk caching that performed better (and was more stable) than either SmartDrive or HyperDisk.)

about 3 months ago
top

Game of Thrones Author George R R Martin Writes with WordStar on DOS

snemarch Re:640k isn't enough for everybody (522 comments)

This wasn't really because of the framebuffer address itself, as much as it was the general PC memory layout, combined with a lot of programs abusing internal system structures expected to be at hardcoded addresses. (A000:0000 sure is placed at the 640kb boundary, but it's only 64kb in length; the text-mode buffers framebuffers were at B000 and B800 for monochrome and color, respecitvely).

Most programs used DOS or BIOS calls to allocate memory, so if it hadn't been for the somewhat FUBAR memory layout, and a whole bunch of programs depending on accessing OS internals (which we had to do because CPUs were so goddarn slow back then, that the cost of doing an INT 16h or INT 21h (or ...) for some operations was prohibitively high), there would have a bit been less config.sys tweaking to try to squeeze just a bit more real-mode memory out of the system.

But framebuffer address in and by itself impacting memory allocation? Not really, not until the "32bit physical address" limitation introduced with WinXP-SP1, because of sucky 3rd-party driver developers ignoring PHYSICAL_ADDRESS.HighPart, with a mindset along the lines of "we're on a 32-bit OS, how could a memory-mapped address ever be larger than 32bit?" (even if MMIO to hardware isn't the same as access to physical memory, and PAE was available since the PPro in 1995, but I digress).

about 3 months ago
top

Game of Thrones Author George R R Martin Writes with WordStar on DOS

snemarch Re:640k isn't enough for everybody (522 comments)

No, at least not exactly that - "memory-mapped files" implies that you application treats file access as a pointer to memory, and that the CPU+OS handles all the dirty details (implemented on x86 through the #pagefault mechanism) - before "protected mode" was introduced on the x86, this wasn't possible, and applications had to manually implement paging strategies.

Does anybody else here remember the joys of 16-bit x86 development and .ovl files? :-)

about 3 months ago
top

Kickstarter Security Breach Exposes Customer Data

snemarch Re:at least .. (63 comments)

Considering how many users KS have, there might still be a few mails in the outgoing queue?

I received the "uh oh, we've been hacked" mail yesterday 22.30, GMT+1.

about 6 months ago
top

QuakeNet: Government-Sponsored Attacks On IRC Networks

snemarch Re:Soulskilll and Timothy (197 comments)

Can't please everyone.

And hey, it's easier to get all riled up in your parent's basement than it is to get involved and give proper feedback.

about 6 months ago

Submissions

snemarch hasn't submitted any stories.

Journals

snemarch has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>