Slashdot Mirror


User: VortexCortex

VortexCortex's activity in the archive.

Stories: 0
Comments: 5,203

Comments · 5,203

  1. Re:Revision control gets far too much attention. on An Illustrated Version Control Timeline · · Score: 2, Interesting

    I agree. This is why I use CMake, CTest and Git.

    Test results are stored in a file inside my Git repo, and are therefore part of the "story".

    However, what really matters is the total build, regression, bug reporting, electricity consumption, end user satisfaction, employee payroll, and stock price story -- which encompasses more than just revision control and illustrates that "what matters" is a matter of opinion.

  2. Re:Online applications on An Illustrated Version Control Timeline · · Score: 1

    I'm not sure what you mean by "version-ing for web based applications and sites"

    I have SSH access to my web host.
    The web app code resides in a remote Git repo on the server.

    This is how I update my web based application.

    git checkout remote-master
    git merge local-changes
    git push

  3. Re:Russian Ark on Long Takes In the Movies, Antidote To CGI? · · Score: 2, Informative

    No love for Russian Ark?

    Or for Tiempo Real (Real Time) which "Holds the official Guinness World Record for being the 'First One-Take Movie in Film History'"

    The entire movie has no cuts.

  4. Re:What the hell is the fuss about on Organs of UK Nuclear Workers Secretly Harvested; Energy Secretary Apologizes · · Score: 2, Funny

    If you believe in the concept of an immortal soul, then at that point you aren't using your body any more - so it doesn't really matter that much anyway. Body - Soul = Meat.

    Tell that to the Ancient Egyptians.

  5. Re:I know people are laughing, but... on Microsoft Finally Certifies an Open Source Web App · · Score: 1

    How many applications have Apple personally certified that they work well on Mac? Or Canonical for Ubuntu? Oh right, they don't.

    It would be nice if you only spoke things that you knew were true.

    New applications added to the Ubuntu Software Center go through the Ubuntu Application Review Process, which is "a community-driven Application Review Board that is committed to providing high quality reviews of applications submitted by application authors to ensure they are safe and work well."

  6. Re:I can't believe people take this kind of abuse. on Official Google Voice App Approved For iOS · · Score: 1

    I can. What I can't believe is that apple phones aren't required equipment in S&M parlors yet.

  7. Re:Yes, SHA1 security is questionable.. on Cracking Passwords With Amazon EC2 GPU Instances · · Score: 1

    The salt is typically added at the end ...

    Citation needed. I've never salted anywhere but at the beginning.

    ... and for the MD5 hashing algorithm, two colliding passwords will still collide no matter how much salt is added.

    A true, but very contrived example. A simple fix is to include the salt first (or just use HMAC, for crying out loud!).

    For an example of the former:

    #!/usr/bin/perl -w
    use strict;
    use Digest;

    # Two 128-byte inputs that collide under plain MD5 (the well-known
    # published pair); they differ in only a handful of bytes.
    my $one = pack "H*",
    ("d131dd02c5e6eec4693d9a0698aff95c"
    ."2fcab58712467eab4004583eb8fb7f89"
    ."55ad340609f4b30283e488832571415a"
    ."085125e8f7cdc99fd91dbdf280373c5b"
    ."d8823e3156348f5bae6dacd436c919c6"
    ."dd53e2b487da03fd02396306d248cda0"
    ."e99f33420f577ee8ce54b67080a80d1e"
    ."c69821bcb6a8839396f9652b6ff72a70");

    my $two = pack "H*",
    ("d131dd02c5e6eec4693d9a0698aff95c"
    ."2fcab50712467eab4004583eb8fb7f89"
    ."55ad340609f4b30283e4888325f1415a"
    ."085125e8f7cdc99fd91dbd7280373c5b"
    ."d8823e3156348f5bae6dacd436c919c6"
    ."dd53e23487da03fd02396306d248cda0"
    ."e99f33420f577ee8ce54b67080280d1e"
    ."c69821bcb6a8839396f965ab6ff72a70");

    # hexdigest() resets the digest object, so one object can be reused.
    my $MD5 = Digest->new( "MD5" );

    $MD5->add( $one );
    print "MD5 one: " . $MD5->hexdigest() . "\n";
    $MD5->add( $two );
    print "MD5 two: " . $MD5->hexdigest() . "\n";

    # Putting the salt first shifts the crafted blocks off the block
    # boundary they were built for, so the two inputs no longer collide.
    $MD5->add( "salt" . $one );
    print "MD5 salt + one: " . $MD5->hexdigest() . "\n";
    $MD5->add( "salt" . $two );
    print "MD5 salt + two: " . $MD5->hexdigest() . "\n";
    # -- end --

    Output:

    MD5 one: 79054025255fb1a26e4bc422aef54eb4
    MD5 two: 79054025255fb1a26e4bc422aef54eb4
    MD5 salt + one: 9fb0c0eb1aa52fbb6466987c079815c4
    MD5 salt + two: 34ca1a8952c4217bc8d8613710116712

    A "typical" (among my peers) way to salt is using HMAC:

    HMAC(K,m) = H((K XOR opad) + H((K XOR ipad) + m)).

    Select either K or m as your salt and passphrase... I prefer K as the salt because my salt has a fixed length, and typically has more entropy than my users' passphrases.
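The point made in this comment, as an added example in Python rather than the commenter's Perl: the same colliding pair is hashed with the salt appended, prepended, and used as an HMAC key. The salt value "salt" follows the comment; a real deployment would draw a random salt per user.

```python
import hashlib
import hmac

# The two 128-byte MD5-colliding blocks quoted in the comment above (the
# well-known published pair); they differ in only six bytes.
ONE = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
TWO = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
SALT = b"salt"  # the commenter's example salt (constructed; use a random one per user)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def suffix_salted(pw: bytes, salt: bytes) -> str:
    # H(pw || salt): MD5 is a Merkle-Damgard construction, so once two inputs
    # reach the same internal state, any common suffix gives the same digest.
    return md5_hex(pw + salt)

def prefix_salted(pw: bytes, salt: bytes) -> str:
    # H(salt || pw): the salt shifts the crafted blocks off the block boundary
    # and changes the chaining state they were built for.
    return md5_hex(salt + pw)

def hmac_salted(pw: bytes, salt: bytes) -> str:
    # HMAC(K=salt, m=pw): the message is absorbed from a keyed inner state,
    # not from MD5's fixed IV that the collision was crafted against.
    return hmac.new(salt, pw, hashlib.md5).hexdigest()

def collision_survives(scheme, salt: bytes = SALT) -> bool:
    """True if the colliding pair still collides under the given scheme."""
    return scheme(ONE, salt) == scheme(TWO, salt)

if __name__ == "__main__":
    print("unsalted collision:", md5_hex(ONE) == md5_hex(TWO))
    for name, scheme in (("suffix", suffix_salted), ("prefix", prefix_salted),
                         ("hmac", hmac_salted)):
        print(f"{name:6} salt keeps collision:", collision_survives(scheme))
```

Only the appended salt preserves the collision; the prefix and HMAC forms do not, which is the commenter's argument in runnable form.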

  8. Re:seriously though? on State-Sponsored CyberAttacks Expected To Rise · · Score: 1

    This is a security company telling you information that drives their sales. It's like an ice cream manufacturer saying "I see a need for more ice cream in the future."

    I'm surprised Slashdot hasn't become more abrasive toward this type of annoying product placement and corporate fear mongering.

    That's because We Like Ice Cream; We love it. We cannot resist ice cream. To resist is hopeless...

  9. Re:Whereas traffic going through the US is not sca on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    Security must be end-to-end.

    And how can that be achieved? At some point you have to trust your Browser, OS or hardware vendor / manufacturer.

    There is no such thing as a trusted ISP or country.

    Tell that to all the "Trusted Root CAs" installed in your browser. Who did you trust to put them there? The governments that those CAs reside in can coerce them into creating fake certs; this requires an implied trust in the country those CAs reside in.

    IMO, "end to end" security is not used at all during an HTTPS connection; it's inherently a 3 party process: You, Them, The CA. Encrypted data might flow end to end, but the security is not end to end unless you are only trusting yourself and the endpoint for that security.

    Even with a PGP web of trust you have to trust more than just yourself and the endpoint unless you have pre-shared the key... at which point I wonder why you wouldn't just use pre-shared key and avoid the whole "public-key encryption" theater of security in the first place.

  10. Re:Protocols used on the 'net are horribly outdate on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 1

    I thought "Freedom of expression" implies your own breast milk costs you $0.

  11. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 2, Insightful

    Please excuse the reply to myself, but I'd like to point out that I'm not trying to single out China here; the above statements apply to the USA, UK, Canada, or any government that a trusted Root CA company resides within.

    E.g.: The US Government could compel (and also gag-order) Thawte into creating fake certs for Google.com (or any other domain), and in Google's case, you wouldn't even find out you've been pwned by checking the cert...

    Honestly, HTTPS / SSL is The Ultimate Theater of Security.

  12. Re:I don't think the authors understand cryptograp on For 18 Minutes, 15% of the Internet Routed Through China · · Score: 4, Insightful

    2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it cannot read that data, although it can record the ciphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.

    I don't think you understand MITM attacks.

    Take a moment to look at the list of trusted root certificate authorities in your web browser right now.
    FF Preferences > Advanced > Encryption > View Certificates

    Notice the Chinese ones? The Chinese government can compel any of those root CAs to produce a certificate for any domain they choose. For example, let's say CNNIC creates rogue certs for Google.com.

    1) You request a secure page "https://mail.google.com"
    2) MITM intercepts the request and makes their own connection to mail.google.com using the real cert.
    3) MITM uses the fake cert to encrypt its connection to you, and passes you the mail.google.com data.
    4) Firefox validates the cert chain and gives you a big "look it's secure" bar, and you just got pwned.

    The real problem is with the retarded cert system. Any CA can create certs for any domain without the domain's permission; if the CA is trusted your browser won't complain at all.

    This is why it's important to view the certs that you are using (in Firefox, click or hover over the "secure" bar).
    Note: If you had a cookie that kept you signed in to gmail, it's too late to check the cert after the MITM is logged into your account.

  13. Re:Time for all websites to go https on Canada To Mandate ISP Deep Packet Inspection · · Score: 1

    HTTPS is too computationally expensive for the average Pentium 133MHz shared server from 1995 to perform on every connection.

    If the websites are to all use SSL, we'll have to upgrade all of... oh, wait.

  14. Re:The Truth is Out There! on The Story of My As-Yet-Unverified Impact Crater · · Score: 1

    ...but lol anyways. Hey my girl friend has a giant stink hole, here, maybe i should sell a picture of anal.

    FTFY

  15. In other news... on Professor Has Camera Surgically Implanted In the Back of His Head · · Score: 1

    ... New camera model to come with idiot attached.

  16. Re:Dictionnary attack doesn't show any weakness on Cracking Passwords With Amazon EC2 GPU Instances · · Score: 1

    I think "able to brute-force thousands of passwords in an hour" qualifies as a weakness in SHA-1.

    Then you must also think that this weakness applies to all hashing algorithms, and thus is not a weakness in SHA-1 but in hashing algorithms in general.

      "able to brute force thousands of passwords in an hour" means nothing. The ability to brute force something given less computational steps than intended means something. Throw enough CPU at any algorithm and you'll see the same brute force time-frame results from any hashing algorithm.

    I would fully explain, but I'm certain you wouldn't understand.

  17. Re:Yes, SHA1 security is questionable.. on Cracking Passwords With Amazon EC2 GPU Instances · · Score: 1

    And replacing the stupid thing is pretty simple. So just get over it already and drop the bad algorithm. How hard can it be?

    It's not simple to replace anything that is "written" in hardware.

    It's not simple to replace an algorithm with one that is more complex (more computation cycles) when performance (or battery life) is the key issue.

    It's not simple to replace one hashing algorithm with another when you have thousands of users that must then update their passwords (and password hashes).

    It's not a convincing argument to say "replace a hashing algorithm with another algorithm" if there is no complete break in the wild for the in-use algorithm. The common wisdom when it comes down to the dollars and cents of production is: If it's not broke, don't fix it.

    I still use MD5 where I can because it is not broken (salted, of course). Mapping all hash collisions for 1-6 length inputs is no break in my book... I could do that in less than a day with any popular hashing algorithm.

    The answer is simple: When hashing passwords, always use a salt. Crypt3 did it, why the hell people are still NOT salting password hashes is beyond me.

  18. Re:Yes, SHA1 security is questionable.. on Cracking Passwords With Amazon EC2 GPU Instances · · Score: 3, Informative

    My understanding is that hash functions should not have collisions.

    Then, you simply do not understand.

    Let me explain gently. If a hash function produces an n-bit digest (output) for any given input, then any input that is greater than n bits in length MUST produce a digest that collides with an input of n bits or less, even though the inputs are dissimilar.

    Example: For each letter of this sentence choose either a 0 or 1. You are a 1 bit hashing function. How many collisions did you create after only 3 inputs?

  19. Re:Public domain on The Beatles On iTunes · · Score: 1

    It already is "public domain" if you refuse to abide by the unjust copyright laws.

  20. Re:Lame non-news on The Beatles On iTunes · · Score: 1

    2012 is not correct. Public domain starts 70 years after the artist's death...

  21. Re:Who cares? on The Beatles On iTunes · · Score: 1

    Well, I second the "who cares" motion; I certainly don't care.

    Your argument about iTunes is moot since I have never used iTunes.

    Your argument about "companies [I] have likely purchased" from is moot since I have never purchased music from anywhere but the musicians themselves.

    The "Be-dulls" don't do it for me. Each to their own musical preference, which (I think) is the point of "Who cares?"

    The only news I can muster from this article is: The iTunes marketplace is too profitable for any sellout to exclude themselves from, no matter how elitist they are.

    I prefer to support my local artists and watch live performances.
    I don't care about the pop music market; this is not "stuff that matters".

  22. Re:Who are the Beatles on The Beatles On iTunes · · Score: 1

    What is a Cold Play?

    It's when you use sex to medicate a cold.

    You "feed a flu", but you "screw a cold".

  23. A computer powered computer? on Tablet Prototype Needs No External Power Supply · · Score: 1

    What about a computer that is powered by inducing current in wires by sliding a set of magnets back and forth?

    Configure the magnets and wires such that they resemble an abacus and presto: Computer powered computer.

    Up next:
    A vehicle powered vehicle (electric bicycle that charges when you pedal),
    Toast powered Toaster (burns bread to heat bread),
    etc...

  24. Re:Too Cool on Exciting Kinect Stuff Already Coming Out · · Score: 1

    Quake was so fucking awesome on a 33MHz 486SX with no floating point unit.

    No it wasn't. I had such a system. Doom was fairly awesome on it, but Quake (and even Hexen) ran like crap -- Not an awesome experience by any measure (unless you think stuttering sound clips and a nifty 3D slide show make for an "awesome" game).

    However, Quake was awesome on my Pentium 133MHz with 16MB of RAM...

  25. Re:Let's all just acknowledge this for a moment on WSJ Warnings About Cookies Carry Cookies · · Score: 1

    It's a threat to your privacy to use the unencrypted un-anonymous web.
    Even use of TOR doesn't guarantee your "privacy".

    Let's all sit around in a group and read newspaper articles.
    If you want to read a section, just ask someone sitting next to you to pass it along.

    Now, let's try to provide the newspaper, room and chairs for free... Guess what happens: Advertising.
    Guess what makes more money? Targeted Advertising. Guess who knows that you want the sports section? That fella sitting next to you who passes you the article... he may even work for the newspaper, eh?

    If you want to sit in our group wearing a ski-mask and gloves, and only use sign language to communicate we may not know who you are, but we will still recognize you as the ski-masked mute.

    Vote for Browser-Cookies... because the alternative is a pay-wall beyond which the advertisers will have your real name and billing information.