How do you authenticate to Google Apps?
Saqib writes "Recently, I was discussing the NIST's draft Presentation on Effectively and Securely Using the Cloud Computing Paradigm with my colleagues. The discussion ultimately evolved into a discussion about authentication and access control methods employed by various organizations to access their Google Apps Standard/Premier/Education accounts. We started talking about and comparing multi-factor authentication, SAML-based SSO, OpenID, native Google authentication, etc. I would like to query Slashdot readers who use Google Apps about the authentication method their organization currently employs and why. Also, please take 2 minutes to answer a brief survey.
The result summary of the survey is available here."
Should spammers be executed?
Saqib Ali writes "A rather long discussion @ LinkedIn on whether spammers should be executed.
Spammers are becoming a nuisance. We have to constantly improve technologies like CAPTCHA to prevent abuse by spammers. As these CAPTCHAs become more and more complex, visually impaired internet users have a tough time deciphering them for legitimate use.
"Men are not hanged for stealing horses, but that horses may not be stolen." George Savile, a statesman, writer and politician. Based on this famous quote by George Savile, should we be prosecuting and hanging the spammers as well?
I truly believe that in order to NOT punish often, we must punish severely. As Michel de Montaigne said, "One of the uses of our system of justice is to warn others... We are reforming, not the hanged individual, but everyone else."
The proportionality of punishment vs. the crime is not in question here. But as a society we have determined that spam is a nuisance and causes hardship for many. To deter this act of spamming, we need strict measures. Simply enacting laws against spam doesn't help if there is no severe punishment associated with it.
And how come only criminals get human rights? What about law-abiding citizens? What about their rights? Isn't it my right to live a life free of filthy spam?"
Herman Munster never died
QuantumCrypto writes "Seems like Herman Munster never died. Or at least his identity. AP is reporting that someone tried to steal Herman Munster's identity. Herman Munster was the 1960s Frankenstein-like character from "The Munsters" TV sitcom."
Saqib Ali writes "If you haven't already heard, Data At Rest (DAR) Encryption Contract Awardees were announced today. The Office of Management and Budget, DoD and General Services Administration awarded multiple contracts today for blanket purchase agreements (BPA) to protect sensitive, unclassified data residing on government laptops, other mobile computing devices and removable storage media devices. Nine products were selected to provide Full Disk Encryption and File Encryption."
QuantumCrypto writes "Or at least try sending it. Dr. John Cramer of the University of Washington has been working on a project to demonstrate time travel using the principle of quantum entanglement. Unfortunately, his funding has run out, and he will lose his lab space if he doesn't find $20,000 fast. I suggest that Slashdotters should set up a PayPal account to collect donations for this experiment. Even if the experiment doesn't succeed we will learn from it."
QuantumCrypto writes "IRISA is reporting that Branch Prediction is NOT good for Security. Branch predictors allow processors to execute the next instructions without waiting for the previous ones to be resolved, which in turn allows the RSA key to be spied on.
Old news. Right? Well, André Seznec at IRISA has independently verified the claims. "I've tried to validate the principle. It works! Beautiful case study by the way!" said André Seznec. Onur Aciçmez and his colleagues managed to grab 508 bits out of a 512-bit key on RSA encryption, at first shot, in just a few thousandths of a second. Quite a feat when compared to the endless three months and the line-up of 80-some 2.2 GHz CPU computers that the German Federal Office for Information Security (BSI) once poured in to crack an SSL 640-bit key (3).
Background from the article:
Until not so long ago, processors were executing threads in a time-shared mode: T0 was executing during a time slice, then T1 was executing during the next time slice, then T0 again, ... "Each of these time slices lasts far longer than the processor execution cycle. Say a thread lasts around 10 milliseconds, representing about 20 to 30 million processor cycles. As long as a spy thread and a cryptographic thread are not executed simultaneously, there is no way the former can grab very precise information on the latter." The impervious architecture keeps threads peep-proof.
But things have changed with the arrival of the Pentium 4 HT processor generation (7), an SMT processor in PCs and servers. These CPUs run two threads at the same time: on the very same cycle, instructions from the two threads are executed on the CPU. Why? "Mainly to squeeze performance from the processor," Seznec answers. "The processor can execute several instructions per cycle, but generally a significant part of the resource is lost if a single thread executes. When two threads execute at the same time, the hardware is significantly better utilized." Unfortunately, running two threads in parallel on the same hardware CPU can lead to some information leakage. "One can manage to grab an indirect view on a thread execution from a spying thread that is executed simultaneously. This indirect information about its execution can allow one to recover critical information such as an encryption key.""
Saqib Ali writes "Seems like the VA has managed to lose another hard drive containing data on 48,000 veterans. The hard drive was stolen from an employee's home. The good news is that the hard drive was partially encrypted, so it is expected that no more than 20,000 records were impacted. Which is still a high number. My question: why the partial encryption? If you are going to encrypt, just encrypt the whole drive."
Paid Blogger writes "Seems like Microsoft wanted to pay a blogger in Australia to "fix" some inaccuracies in the Wikipedia article on OpenDocument and OOXML. MS spokeswoman Catherine Brooker said she believed the articles were heavily written by people at IBM Corp., which is a big supporter of the open-source standard. IBM did not immediately respond to a request for comment."
SHA who? writes "In the light of recent attacks on SHA-1, NIST is preparing for a competition to select the next set of hash functions. The public competition will be much like the development process for the Advanced Encryption Standard (AES). As a first step in this process, NIST is publishing draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms, and requests public comment by April 27, 2007.
P.S. NIST has ordered the Federal Agencies to stop using SHA-1 and instead use the SHA-2 family of hash functions."
Saqib Ali writes "It is free. How come you are not using it? An article on how to use freely available Full Disk Encryption (FDE) products to protect the secrecy of the data on your laptops. FDE solutions help to prevent data leaks in case the laptop is stolen or goes missing. The article includes a brief intro, benefits, drawbacks, some tips, and a complete list of FDE solutions on the market."
Saqib Ali writes "To address the issue of data leaks from stolen or missing laptops, the US Government is planning to use Full Disk Encryption (FDE) on all Government-owned computers. On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The US Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on millions of computers in the US federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and the list of requirements."
Full Disk Encryption writes "A recent BBC Online article titled "UN warns on password 'explosion'" mentions that username + password reuse will make the net less secure, which in turn makes people wary of spending money online.
My question is why so many online discussion forums require a logon to post messages? Currently I have 20+ discussion forum accounts for the various vendors that I deal with (e.g. Citrix, Wise, Altiris, Active Batch, etc.). Why can't they be like mailing lists, where the username+password is optional/not required?
Discussion forums use username+password as a means to
1) control access,
2) tie the post to an email address; and
3) prevent anonymous spam.
Alternatively, this can also be achieved by simply requiring an email address along with the post, and then sending an authorization email to the poster before making the post visible on the forum. This will achieve the same effect, and the user will not be burdened with remembering a username+password for each forum where they contribute.
Why don't the discussion forums use this strategy instead of requiring the users to create accounts???"
Saqib Ali writes "According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused by stolen/missing laptops. Mobile devices will be stolen or lost. But one way to easily mitigate the harm is to use Full Disk Encryption (FDE) on all mobile devices. So why don't we encrypt all our HDDs? Cost and performance impact are the usual arguments.
Analysis shows that the access time increases by 56%-85% after FDE. As HDDs fill up, fragmentation increases and so will the file access time. With FDE, the swap file (the system's virtual memory) gets encrypted as well. This will impact the system's performance noticeably when the virtual memory is being used more often.
Encryption key & password management blues follow. What happens when the user forgets his/her new FDE password? How to manage the encryption key backup files? Who has possession of the backups of the encryption keys? What about when the user quits and does not hand over the password / encryption keys? Who can access the system and its encrypted files? How frequently does the password need to be changed? How to prevent the user from writing the passwords down? Using a hardware token (RSA token, smartcard, etc.) can alleviate many of the password management issues. But these hardware tokens are costly!
Cost for Full Disk Encryption solutions ranges from $0-$300.
My Question: Is it not worth using Full Disk Encryption on mobile devices after all the data leaks we have seen in the last few years?"