Slashdot Mirror

It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

...Improving the ambidextrous use of the device?

This discussion gets kicked around a lot, and it astonishes me how much assumptions are kicked around in a security-focused discussion.

Superuser has a good write up on this.

Heres the TL;DR:

  * It has been shown to be theoretically possible under the right conditions to recover data from "shadow bits"-- detectable differences in over all magnetic moment from a bit on the disk. This was demonstrated in 1995 by Peter Gutman.
  * It is widely believed that modern disk technologies and densities make such methods much more difficult. However, Heise Security demonstrated that it is still a theoretical possibility, at least for single bytes, though very difficult.
  * There are sector remapping technologies which throw all of this out the window. Blindly following the "multi-overwrite" mantra is also ineffective on non-magnetic media.
  * For reasons unknown, DoD, NSA, and NIST, as well as the UK's ICO all require varying degrees of overwrite and / or destruction. The NSA / DoD specifically indicate that overwrites are OK only when the disks will be repurposed in the same security area. I'll leave it to you to determine if you know more than they do.

Security is highly based upon theory. That is, we trust encryption schemes like AES because there is a strong degree of confidence that it will remain very difficult to crack for many years to come. When "theoretical" holes are discovered, they are treated very seriously because the entire point of such security is to defeat a determined, well funded attacker. Security schemes which do not defeat determined attackers are little better than "do not burgle" signs on your door.

With that in mind, it is incredible that people would suggest things like drilling a hole through a drive when it is clear that that would not prevent a determined attacker from recovering data Worst case, fill the hole with epoxy and sacrifice that quarter of the platter, you can still recover ~75% of the data. Appeals to the difficulty or expense of the recovery are not statements on security, and when a degausser can guarantee security in roughly the time it would take to drill press the drive, its astonishing that people would even suggest it.

Some of the suggestions here are akin to recommending turning off WiFi beacons or using MAC security on your AP. They sound cool, they have the appearance of working, but they are in reality snake oil; a determined attacker will simply ignore them.

They may work for these (I haven't checked) but it's not about throughput. A USB->RS232 wouldn't help with that anyway. The main issue is timing, but here's a discussion about several more issues that pop up with these adapters.

Some people need a real serial port (for various reasons), and these adapters are not (always) suitable replacements.

Yes, me too. I even found a discussion about this on the web.

What would happen with say, a firefox add-on which did the opposite: Generate a large number of fake clicks in short time with the intention of getting someone booted from Adsense( or whatever)?

Wikipedia is aware of the existence of joe jobs in click fraud: see Click fraud#Non-contracting parties. Google is supposed to be able to detect this. And apparently AdSense publishers who become the victim of such a joe job are supposed to report this to AdSense staff. But like you, I'm not certain as to how Google's response to such problem reports can scale.

Based on personal experience.

[citation needed]. That's a myth you're misleading people with there.

Even the clueless will be ripping this stuff out of their walls pronto once the (obviously irresistible) media sideshows get started.

No. No they won't. The clueless will think they are in control of the information flow when in fact, they are not. All of that information will leave their house and reside on someone else's (else's is not a word Firefox? Really? Let's check: http://english.stackexchange.c... stupid Firefox telling me I am wrong.) servers. Once it is on someone else's (fuck you Firefox) server, the clueless no longer control their data regardless of what laws are in place. That data will be used.

But being clueless, they won't understand. Just like they do not understand the NSA domestic surveillance.

lmgtfy.

http://physics.stackexchange.c...

If you have two frames of reference that are not at rest with respect to each other (which is most all of them) and you move from one to the other faster than light and back, you arrive before you left. Any type of faster than light anything (communications or travel) regardless of method (ansible, warp drive, stargate, wormhole, whatever) violates causality because general relativity.

It's lucky that we have so many different trees (and plants in general) that given a start can colonise almost any environment. The 6% figure comes from Zhu, Ort, and Long 2008, see this post for some discussion: http://biology.stackexchange.c...

Wrong on so many levels.

1) Yes, they are moving away from us at faster than the speed of light. This is well established.

2) As long as the photons reach a region of space receding at less than the speed of light, we can see these galaxies. Good info here

3) "And they fail to mention that they only way we're traveling through space is faster than light, some sort of weird quantum thing, by bending space, or via wormholes" None of which have been shown to exist. And there's some evidence that none of these options can exist.

No. That would be assuming you can go faster than the speed of light, without limits, which isn't the case.

Even if you were a massless particle, you would reach the speed of light in less than 1 year of accelerating at 1G, and then, you wouldn't be able to go faster.

http://space.stackexchange.com/a/841

While he hasn't been able to confirm it, the expert believes iPhones, iPads, OS X, other RADIUS servers besides freeradius, VoIP phones, printers, and various commercial managed wireless solutions could be affected.

From what I've gathered, Apple deprecated their use of OpenSSL in OS X back in December 2012 and iOS never had OpenSSL at all. So is he suggesting that they're vulnerable via RADIUS because Apple continued building or using an implementation that built against OpenSSL even after they had deprecated their use of it and before the bug was even introduced? It's certainly possible, but I'm a typical Slashdotter, so I haven't read the article.

It was the tenth of ten months; the early Romans likely reckoned winter as extracalary.

Yes, the very early Romans. Roman legend has the first king after Romulus added in January and February. While it may not have been that early, it likely predated the Republic. The 10-month calendar was probably obsolete long before 500 BCE.

January and February (and Mercedonius/Intercalaris) were added later, probably when what passed for Roman astronomy became relatively more sophisticated.

Yep -- though, contrary to popular belief, it probably wasn't Julius Caesar who moved the beginning of the year to January. The official year (which was named by the two consuls) was moved to January at least a century before Caesar's calendar reform. And January was basically treated as the first month of the civil year at least a few centuries before that (hence the name January, after Janus, who looked both ways toward the old and new years).

So, we're talking about a VERY old tradition here that was basically obsolete through almost all of historic Rome.

And it wasn't only "pagans" that insisted that March was the first month. The last major hold-out, the United Kingdom of Great Britain, didn't change until AD 1752 (AUC 2505).

It's a bit strange to equate the medieval dating technique putting New Year's on March 25th with the prehistoric Roman New Year's date of March 1st. Basically, after the old Roman tradition had been obsolete for a thousand years or more, some Christians decided that March 25th should be New Year's, since it was the day of the Annunciation, i.e., the conception of Jesus (9 months before Christmas). This kept in line with the idea of "The Year of Our Lord" (anno Domini), where we would date the years back to the time Christ was conceived -- a tradition which was first used at some point in medieval times.

So yeah, while some European countries through the medieval period and renaissance put New Year's at March 25, it wasn't really for anything related to the rationale for the original Roman practice. In fact, England didn't adopt this practice widely UNTIL the 12th century CE or so, which it then kept until the 1700s.

Oh, and by the way, even in countries (like England) where March 25th marked the beginning of some "year," there were often still other civil years that began on January 1st, depending on the legal or religious application involved. At the same time, and in the same country, there could be different "years" numbered beginning on January 1st, March 25th, December 25th, Easter, various points in September or November, and other times. (For some details on the situation in medieval England in this regard, see here.)

If you're so clever, show us your system which does this. Oh, wait, you don't have one, do you

Mr. Smartass thinks he is funny but it's amazing who see on these forums. See that simulator in the photo? It's a german Diamond Simulation which is just a rip-off the french Alsim model that was discontinued. I know this because I use to maintain one of these pieces of shit. The flight model is a fucking joke and is in no way similar to an airliner. The QTGs are a joke too. I wouldn't let this thing near a quadcopter or a car let alone an aircraft, especially when it's pointless anyway.
Autopilots aren't rocket science. and with CAT III autoland, the industry barely has to teach them hand and feet skills any more (which is not to say that's a good practice but it's where it's gone).

I wish they'd research something worth a damn, like making flight models that don't suck balls. Hopefully Slashdot won't sell me out when the cunts try to sue me for saying this.

Digging in, I found the discussion of Otto cycle engines which puts the theoretical limit at 45% and the practical limit below 37%. Gasoline, burning cooler, in a smaller expansion space with hotter exhaust temperature, is lower, usually much lower. http://physics.stackexchange.c...

Well Chris Okasaki's book is the first place. His thesis is still online: http://www.cs.cmu.edu/~rwh/the... . The book which expands the thesis: http://www.amazon.com/Purely-F... . It has been 15 years since his book his blog has some new stuff: http://okasaki.blogspot.com/

Here is a terrific blog post of what came next:
http://cstheory.stackexchange....

Some like me ... gulp ... like clutter if it means more shit on the screen.

Here is a terrific discussion of exactly this sentiment:
http://aviation.stackexchange....

Really, you can blame the whole "UX" fad for destroying sensible HMI/HCI based design.

The stop sign is a classic case of form following function. Bold red colour, so you notice it. Unique shape, so you can tell what it is before you get close enough to read it. Simple and to the point, designed by engineers.

UX brings in a shit load of bollocks around it rather than making it as simple as it needs to be.

Exactly this. UX as a whole is a cancer on modern computing -- nothing more than a combination of follow-the-leader and a circle-jerk. All it takes is for someone presents a (completely wrong) idea and, as long as they are authoritative about it, the other UX sheep will view that opinion as gospel, not to be questioned but only blindly followed. This might be a teacher at a school or a company like Google.

A perfect recent example is this Stack Exchange question regarding traffic signals. An ignorant (but inquisitive) person asks why traffic signals are always three vertical lights instead of some cool new UX-y system of LEDs and poor contrast. An answer posted which sounded very authoritative (but included no references) and had a few pretty pictures was immediately up-voted by the other UX sheep, even though the answer is completely wrong. The author eventually went and made some edits to claim his view was "just historical" to cover up the fact that he was glaringly wrong about the issue of color blindness.

You can see this behavior everywhere. Microsoft following Apple, Mozilla following Google. It has nothing to do with something being empiraclly or evidently better -- it's simply everyone following the hipster cool kid in class around because, well, he wouldn't be popular if he wasn't right!

We've had computer usability studies for decades now which have provided some keen insights into how people intuit the function of computer (some very interesting ones from the original Mac and Windows 95 timeframes). UX, however, has nothing to do with research or study -- it's little more than populist bullshit.

I still have a ways to go, though

Indeed. Writing English would appear to be a major section of your route.

The question was not the brightest in the world, but the grammar was not so troublesome....

There needs to be some sort of appeal or review process whereby the public can object to patents like this and many others that have been granted.

There is. Also see this for some more background information.

I remember reading an article about the information density in different number bases. Having a larger base, say base 10, allows you to write a big number with fewer digits, like 1022. While having a smaller base, base 2, would take more digits, 1111111110. By multiplying the number of symbols by the number of digits needed (something like that, it was a while ago I read about this) you were able to figure out how efficiently you can represent numbers in any base. It turns out that the most efficient base is between 2 and 3, actually it is base e that comes out as the most efficient base to use. Here is a link with possible references to this question.

http://codegolf.stackexchange....

You're probably better off asking this in question where people are actually expeting these sorts of questions:

http://webapps.stackexchange.c...

To whomever modded the AC troll: you're fucking ignorant.

Colored coins are a method to track the origin of bitcoins, so that a certain set of coins can be set aside and conserved, allowing a party to acknowledge them in various ways. Such coins can be used to represent arbitrary digital tokens, such as stocks, bonds, smart property and so on

Source.

Really, if you don't know about the subject, what about you refrain from moderating?

http://meta.unix.stackexchange...

poorly. here is a single S3700 outperforming 16 15k rpm drives: http://dba.stackexchange.com/q...

1998: "'God of the Internet' is dead "
http://news.bbc.co.uk/2/hi/sci...
"Jon Postel, a key figure in the development of the Internet from its inception, died at the weekend of heart problems aged 55."

Now, thanks to a successful internet, I have learned all about how to prevent and reverse heart disease by eating more vegetables and getting enough vitamin D (a problem for many indoors-oriented technies). Sadly, too late for Jon. Hopefully not too late for Roblimo though?
http://slashdot.org/comments.p...

The failure to adopt SQLite as a de-facto "Standard" for web browsers shows a deep problem, since a shared FOSS codebase is probably the best standard we can have.
http://programmers.stackexchan...

Contrast that with suggestions of making de-facto standards by on the ground successes with working code. Which is what SQLite has done in a whole area of embedded storage.

Like Alan Kay has said, any standard with more than three lines is ambiguous. I can agree having had to work implementing a couple standards at IBM.

'wildly' held would be about right.

My compliments for the catch. With internet access, it seems a spell checker could alert the writer to unusual adverb-verb combinations.
Interestingly, although the two words have different meanings, in some combinations, they are almost interchangeable.“Fluctuates widely” or “fluctuates wildly” In some situations, doing something in a "wide" manner is similar to doing it in a "wild" manner.

Some versions are. The OpenVPN appliance I was running was affected, and there were no updates for it this morning so I had to kill it.

https://security.stackexchange...

I read somewhere that there is a TLS flag you can use in the config to disable the affected code, but for the life of me I can't find it for this post. :(

Rather than get all aggro, I will state that I have tried to find a concrete answer to this question ("is OpenSSH vulnerable/impacted by this?"), and I still cannot. So before someone say "shut the fuck up when you don't know what you're talking about" to me, I'll provide the data (and references) I do have:

* OpenSSH links to the libcrypto.so shared library which is absolutely OpenSSL on most systems: ldd /usr/sbin/sshd followed by strings /whatever/path/libcrypto.so.X (you'll find OpenSSL references in there). Truth: because OpenSSH links to a cryptographic library that's part of OpenSSL doesn't mean it's necessarily using the code that's bugged (see below poster's sig and note function names are DTLS-related (keep reading)), but it also doesn't mean it isn't. When was the last time you ran truss/strace with all flags (for children, all syscalls, fd I/O, etc.) and looked at it closely?

* SSH, as a protocol, is not SSL (but keep reading): http://www.comforte.com/solutions/tls-vs-ssh/ and http://stackoverflow.com/questions/723152/difference-between-ssh-and-ssl (see replies to primary thumbs-up'd answer)

* However, SSH does rely on at least some part of TLS, the one that's known is X.509 (a form of PKI) (but keep reading): http://www.snailbook.com/faq/ssl.auto.html

* ...but then things like this seem to imply the OpenSSH folks don't use X.509 at all and that you have to run a special OpenSSH build for this to work: http://security.stackexchange.com/questions/30396/how-to-set-up-openssh-to-use-x509-pki-for-authentication

* ...but then you find things like this which are open-ended and seem to imply otherwise (and the link mentioned on that blog, by the way, is also worth skimming/reading to see what's being done): http://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/

* The "heartbleed" bug, which refers to RFC 6520, pertains to TLS: http://www.snailbook.com/faq/ssl.auto.html (yes same link)

* There are repeated/continual news references to "use of X.509" (which could apply to either SSH or SSL from the above references) in every single news announcement. I shouldn't need to link them all.

There is nothing even remotely definitive on either the OpenSSL or OpenSSH mailing list, and that's a bit shocking if you ask me. Therefore, to me, the OP's question is quite valid.

Does the answer to his/her question change the severity of the situation? Yes it does. Yes you should still upgrade OpenSSL, but what some of us senior system administrators are trying to figure out is whether or not we need to inform every employee that they need to generate new SSH keys. I think everyone at this point is aware webservers (ex. nginx, Apache, etc.) doing SSL need to have OpenSSL upgraded + the daemons restarted + keys re-generated + re-signed, but the concern here is whether or not any part of OpenSSH's function calls into the OpenSSL crypto library rely on anything related to RFC 6520.

My opinion: the reason nobody has definitive answer with references (and I hope this Slashdot post induces such) is because there's a serious disconnect between using security-focused software (end-users, SAs, companies using security software, etc.), the writing of cryptographic algorithms (cryptologists), and ac

We know where he hid it. He hid it in yesterday. Anti-matter is matter going backwards in time*, so when when the big bang happened, all antimatter disappeared into yesterday while we headed off towards tomorrow.

--
* For some definitions of time.

We need to start having "radiation leaks" in terms of units that people can understand, like "bananas."

There is a metric for that, and a handy diagram, but the news never uses it because it could lead to people actually having a clue what is going on.

Conveniently, that graph even has a banana-equivalence: one tenth of a microsievert. If you consumed 50,000 bananas in a year, you would reach the standard dosage limit for workers in irradiated (as in, the time they're told to go home and stay out of the glow). 100,000 bananas in a year and you may see an increased risk of cancer. However, the concept of eating 23 1/3 tons of bananas in a year is rather absurd when the average human food consumption in a year is less than half a ton.

Always turn off SSL validation, because it's totally worthless.

Yeah, because if a sufficiently motivated person can always pick a lock, we should just remove all locks?

With certificate validation, someone will have to compromise a CA (admittedly, any trusted CA will do) and do a MITM to get your data. Without certificate validation, anyone who can do a MITM can get your data.

And you seem to think that the difficulty of pulling a MITM attack is about the same as compromising a CA. It is not: Just set up a rogue Wi-Fi hotspot in a cafe or other public place and wait for people to connect. Then, there are off-the-shelf software for sniffing SSL data using rogue certificates generated on the fly (which would now be accepted since your turned off validation) See: Are MITM attacks extremely rare?

I agree that the chances of you getting actually MITM-ed on your typical connection are pretty slim, but then the chances of getting eavesdropped are pretty slim too, so why are you still advocating to use SSL then? (I assume you are because otherwise it doesn't make sense to say "turn off validation") And I would argue that if you can do passive eavesdropping and you are not actually one of the endpoints, you probably already control a node in the middle, and already well-positioned to do an MITM.

But yes, the CA system definitely has its flaws and can't keep up with some new attacks. There are several projects trying to fix this part of SSL. But I find it interesting that instead of proposing a solution, you are effectively proposing that we turn off all security.

On the Lurker's Guide to Babylon 5, on the episode page for "A Voice in the Wilderness, Part I", there is a quote of something you said:

> I tried to develop a basic language structure for each of the races on B5. There are certain commonalities to the structure of names. I came up with some prefixes and suffixes, and assigned meanings to them, the same as real names. For instance, Rathenn (referred to by Delenn in "Voices") and Delenn have the same suffix, which has a specific meaning. You can break it down; Ner-oon (Legacies), Del-enn, Rath-enn, Der-onn, and so forth. The various parts do have specific meanings, but I generally keep that to myself, just for amusement.

Please, what meaning have you given to those name prefixes and suffixes?

(Additionally, I have previously asked this on SciFi.stackexchange.com, and it would be amazing if you could also enlighten us there!)

What's missing is a filter in the receiver circuits.
You've got a transmitter and a receiver connected to the same antenna. When you're using the (powerful) transmitter, you need to make sure its signals don't end up in the (very sensitive) receiver and fry it.
This filter has to provide something like 150 dB of isolation.

You can now deal directly with TSMC for this, or go through third parties like MOSIS and CMP. AFAIK none of the groups that do this publish their rates, and I haven't done this myself, so my numbers come from forums like this one, rounding up the lower numbers that I have commonly seen.

Nor did his scientific speculations revolve around applying the scientific method,

You don't actually know anything about Clarke's work, do you?

http://scifi.stackexchange.com...

You mean like https://programmers.stackexcha... ?

They close out "good" questions there too (examples)... came across one the other day (while programming), in fact. It's like the wikipedia notability police all over again. :O

You mean something like patents.stackexchange.com?

That sounds useful ... I hope you don't mind, but I reposted this as an answer to a relevant question on the new EBooks StackExchange site. Might come in handy there. http://ebooks.stackexchange.co...

Hi Bruce, I remember both times when you tried to start Technocrat.net. How about joining altslashdot ? Don't worry about bad name, we are now looking for some other name.

As much as I don't like javascript too, I like very much how http://math.stackexchange.com/ supports the math rendering engine MathJax. And along with UTF-8 support I think that we need the ability to discuss difficult topics using math to describe them.

we want UTF-8 + MATHJAX support - the math rendering engine that is used by http://math.stackexchange.com/

MATHJAX !! + UTF-8 !!

and we want UTF-8 + MATHJAX support - the math rendering engine that is used by http://math.stackexchange.com/

MATHJAX !! + UTF-8 !!

Why there are companies selling mining hardware?

See http://security.stackexchange.... and https://www.owasp.org/index.ph...

In short: a site can declare that it only uses one (or more) public keys on its secure sites and that this declaration is valid for a certain time period. Browsers that support pinning will check to see if those public keys (and no others) are being used during that validity period. If the key were to suddenly change, even if it's otherwise valid (e.g. issued by a trusted CA), the browser would complain that something is wrong.

This prevents rogue or compromised CAs from issuing certificates to sites that used pinned certificates (at least for the duration of the validity period).

For example, Google Chrome comes hard-coded with the public keys for Google sites. If an otherwise-valid certificate were created for Google sites (such as when the DigiNotar CA was compromised), Chrome would refuse to connect to any server using it because it does not match the built-in pinned value.

Yes, although it's a pretty stupid unit to use for the numbers involved.

It is pretty dangerous for an adversary to carry out MITM attacks on a large scale, as sooner or later, this is going to be detected.

Apparently they weren't detected until the Snowden files showed it is widespread...(hacking into Belgacom for example), and wasn't the FBI requesting the SSL keys of Lavabit to decrypt traffic?

The attack the FBI attempted on Lavabit had no relation at all to certificate authorities. They merely requested the private host key of the server to be able to decrypt any recorded SSL traffic for that site. Note how this kind of attack only works when you have access to the server in question (in which case you would be able to directly monitor the plaintext communication anyway by tracing the web server executable). I repeat, this is not related at all to certificate authorities. Also note how this attack does not really scale, as it requires you to actively request and collect SSL host keys (not certs!) of all webservers whose traffic you are interested in. For that reason I would expect that information about your operations *will* inevitably leak to the public. Also web servers in other countries will be relatively well protected against this kind of attack.

The SSL Everywhere extension for example can (optionally) collect information for and check with the SSL Observatory to detect differing certificates that indicate MITM attacks.

a MITM attack would also patch (or redirect) SSL Observatory

only decentralized with checks on locally stored previously seen certificates can work, otherwise it's just security theater

But here again at MITM attack would be detectable. If the SSL Everywhere guys were not completely stupid they will check the host key of the SSL Observatory against a private certificate authority that they completely own (with the certifcate authorities' key hard-coded into their browser extension). Or more simple, they could just hard-code the public key of the observatory. Or implement certificate pinning etc. etc.

The only working attack would be for the NSA to MITM every download of the SSL Everywhere executable, patching the certificates contained in its code. But again, this is easy to detect after the fact by inspecting the sources, comparing checksums etc.

For that reason I'm not afraid at all about MITM, as it does not allow for the broad, secret, non-discriminatory data collection that Snowden's leaks show to be implemented by NSA.

No, that's new! I actually just found that for myself, about 5 mins after posting this comment, and now I'm super excited. Anyone know by any chance whether there are issues putting Cyanogenmod on a locked phone? I found this stackexchange issue, but I feel like if it were actually a thing, it would be more commonly documented.

Well, it would if the "metaphor" I had heard about how Hawking radiation works were correct, but apparently it isn't. While I won't say the explanation in the linked page makes sense to me (I probably couldn't follow the math anymore even if it was included), I must admit I had some similar concerns as Mr. Kujareevanich regarding that metaphor. If a gravitational well did result in the polarization of the gravitational dipole, then it would seem that perhaps it might affect the results. However if Hawking radiation is just an apparent effect, like blue/red-shifting or Lorentz contraction at relativistic speeds, then it presumably wouldn't be affected.

http://android.stackexchange.com/questions/1648/how-does-android-get-the-coarse-location