i agree that the most usable solution is a fixed delay, coupled with a delay status splash.
my comment was that an added delay CAN be added in a way that can not be reversed engineered through averaging... and that doing that might tempt a would-be attacker to spend their time attacking a pathway that is exploit proof. attackers may have infinite time, but if they spend most of it on fruitless efforts, then less successful attacks would happen. how is that not more secure? billions of requests are certainly NOT possible. after many failed requests, the attacker should not be allowed to have their passwords checked, or have an exponentially increasing delay between failed attempts. all of this is extremely basic and standard security concepts that have been around for decades. OAuth and OpenID are bad for many other reasons than a claimed vulnerability to timing based attacks that has not been demonstrated, and would not work on any system that limited access after failed login attempts (pretty much everyone).
the constant the averages "goes to" (i'm not familiar with that mathematical phrase from when i earned a mathematics and computer science degree from the university of wisconsin... i assume you mean "approaches") is the fixed delay. the only point of adding the extra random delay was to not telegraph the fact that a time-based attacked might be possible.
you are the worst kind of idiot. an ignorant hypocrite. just like all the other retards at the kansas bible camp, stephen alongi.
stephen alongi makes pedophiliac homoerotic comments about muslims and their beliefs. he is an instigator. an agitator. completely worthless. he doesn't like people to know that clone53421 is him. clone53421 is stephen alongi. a retard who is too stupid to know when he is wrong, and when it is pointed out to him, he is too stupid to acknowledge it. an ignorant hypocrite. a product of the kansas bible camp. a counselor there. do you want to leave your child with someone at the kansas bible camp who spends their time spouting pedophiliac homoeroticism on the internet?
that's it.... the delay is a single measurement of time that the "timing-based attack" is based on.
if every single individual measurement of time was obfuscated in some way that created a fixed delay plus a random delay as a function of the original delay, then the whole or the average of multiple samples of the whole is irrelevant.
billions of attempts would still not get close enough to an exploitable level of confidence.
if the hidden value is irrelevant, and the averages of samples reveal the hidden value... then the averages of samples is also irrelevant, but you've wasted the stupid attackers time in believing that a timing-based attack might be possible.
you are as dumb as every other youth to attend the kansas bible camp.
so let's say you do it like SSH with an ensured fixed time, and then on top of that add a random delay. could an attacker now determine anything they couldn't have before? obviously, no. but now you've hinted to the would be attacker that a time based attack might be possible. so using a random delay you get the exact same security, and potentially waste more of your would be attackers resources. how is that not better?
yes, but then you telegraph to the attacker that a time based attack is not possible. it seems to make more sense to require the comparison to always make exactly 64 comparisons, and then also add a random number of additional comparisons to waste more of the attackers resources.
we are not talking about arrays of pixel values in channels of RGB, we are talking about a single value of a measurement of time. "resembling" a single value is not possible.
how about this... create a value. now add a random amount of value significant in range relative to the original value... now add a random amount of value as a function of the original value...
you can't differentiate the original value with ANY certainty.
i agree with you completely. i'd go one step further and make the random delay added on top of a fixed time so that any averaging attack would also lead to an answer that was ultimately incorrect.
sad that your comment is scored 1, and people suggesting these ideas are completely pointless are being scored 4+. this site no longer functions properly.
if i make the added delay anywhere from 0 to 100,000 times the average comparison time, and make the delay a function of the comparison time, and create multiple delays for each login attempt, then define "bunch". you'll never be sure of the value, you'll just be getting closer to a value of the function of the comparison time used to create the delay. the original comparison time can NOT be differentiated.
No, once the random amount of time is added, it will never become clear what the actual time to compare the password is.
you're going to run each password 100 times, and then what, average them? i don't think you understand what "random" means. if the person who implemented the added delay always made it 1-2 times the average comparison time, creating maybe only a few 1000 potential measurable delay values, then yes, your simple circumvention might work, but i'm assuming the person who implements the delay to counteract the attack would be smart enough to do it right, in a method that could never be reverse engineered. the delay would have to have significant range relative to the min and max comparison times.
uh, the "signal" IS the amount of delay. adding "random delay" is not "merely adding noise"... it IS removing the signal altogether. the amount of delay caused by the password check and the amount of delay randomly added can NOT be differentiated.
i agree that for login, a consistent delay coupled with a delay status screen is the most usable solution.
when is the last time you tried to build your own fab? the amount of money required to get in the game to manufacture a one off product of an open hardware design has lowered to about $50,000... something any business should be able to swing on development of a new product. building your own fab and building or licensing enough technology to get you to where an open hardware project could get you would cost many millions of dollars.
no one is saying it's free or cheap, but it's certainly now accessible.
you're completely wrong. computer chip fabs are extremely automated, and many silicon valley chip makers don't even own their own fabs, and instead drop ship them from shared fabs in china. if a standard was created for manufacturing instructions, as the open hardware people are trying to do, then utilizing the fabs to make a one off product of an open design would be accessible to anyone.
you're right that current manufacturing company's testing and development equipment wouldn't match... the entire point of open hardware is to make that fact not matter.
yes... laws can be used to punish offenders... isn't that what they are supposed to do? isn't that what they WILL do if someone in the future steals your identity and signs up for a loan? you really think you'll be stuck with the bill? you just have to make a few calls and sign a few papers.
so you want things to work where if anyone ever tells anyone else anything about you, and then anyone else ever uses information matching the information the original person told anyone, that the original person should be held liable, even if it can't be proven that the original person told the information to the person that ultimately stole your identity?
i can't understand how you could be so stupid to not see how stupid you are.
the only thing removing any semblance of civilization are idiots like you writing broken laws that charge people using non-evidence. YOU ARE AN IDIOT.
if you don't think the banks are fair, DON'T USE THE BANKS. that is how REAL civilization works. FREE MARKET. are you too scared that smarter people will out-compete you? they probably will. YOU ARE AN IDIOT.
Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?
you're demanding fair credit? what gives you the right? you don't have any credit. if you want credit, there are terms. if you don't like the terms, you don't get credit. this has nothing to do with "fair".
so, if he is an advocate for the belief that autistic people are ineffective advocates, and he is ineffective at that role, then i should be left with the belief that autistic people are effective advocates, making him an effective advocate. if he is an ineffective advocate, that would make his advocacy about the belief that autistic people are ineffective advocates effective. this presents hypocrisy in the form of a person who acts in contradiction to their stated beliefs.
way better than GP2x/Wiz... probably worse than PSP because of it's smaller screen, and less powered processing units, but the dingoo only costs $99.99. the dingo has an impressively long lasting USB rechargeable battery, has 4GB internal storage with fast response, and supports SDHC and other standard storage cards. it has a great screen that is bright enough to play in complete dark or direct sunlight. the smaller screen and less power hungry processing units lead to less battery consumption.
again, i fully acknowledge this as a response to a slashvertisement response to a slashvertisement story... but these things are so good i bought one for my brother and sister for christmas last year. there is a native linux distro for it (dingux)... lots of homebrew games that take full advantage of the hardware. then on top of all that it has audio video out cables to plug it in to a tv. plus a built in speaker that sounds great, a stereo headphone jack, and a microphone for taking notes... i think the PSP can do all that, and i think there is a way you can get linux running on a PSP too, but with the dingoo, the installation of linux is endorsed by the hardware manufacturer and is made simple (just run the installer, hit OK)
the controller on this is one of the reasons it's better than the wiz... everything is in the right place and directional pad rolls just right and the buttons are just firm enough... L/R triggers are good too. just a great package, and standards compliant hardware ready to play all of the most popular video and audio codec formats, and has a built in FM tuner.
i've seen videos on youtube that show PSX4ALL (a playstation 1 emulator) running at 100%... so the dingoo is at least powerful enough to emulate intensive playstation 1 games (such as quake 2) at full resolution and framerate.
basically, it does everything great. atari controllers are not comfortable or feasible for portable gaming... that might not be what you're going for, but the dingoo control interface works very well for any kind of gaming platform, AND it all fits combined with a powerful gaming system in a portable form factor that fits in your pocket.
well... maybe not in your desktop image editing program that is always working with the same file, but every web application i've ever made or used creates a completely new file with empty headers and copies over just the resized image information.
if the exif information is still intact, facebook is choosing to copy it over and keep it intact on purpose.
i thought that facebook resized all uploaded photos... i don't have a facebook account to test... is facebook purposefully copying over the geolocation information from camera-phones into the resized images, or was location determined by surrounding land features?
only a moron would conclude that i think the problem should be ignored. i think that publishing the details of how to steal money from banks is irresponsible... and it seems so do the people that were going to present it, as they have concluded it is in their best interest to not present it.
you mean the issue where more exposure can only lead to more exploitation, and degradation of the value of a dollar?
*citation needed*
so you are suggesting that publishing instructions on how to perform an act will lead to less people executing that act....... *logic needed*
the great 'there will always be problems, so why bother fixing them' argument. Remind me never to work with you, you're the worst kind of person for working on technology.
ahhh yes, the classic "don't point out the potential of man in the middle network attacks, or the ability of humans to get inside a closed box" argument.
i wasn't talking about devaluation that may, or definitely is, happening... i was talking about the devaluation that would exist if every person in america held a tool that could extract an arbitrary amount of unearned dollars from any ATM.
so it seems you believe the banks should upgrade their entire ATM hardware infrastructure, and yet you complain about a fee and claim the transaction is "pretty much free".... yeah, except for their costs. a french fry is pretty much free to mcdonald's. why do they charge for them?
Slashdot Mirror
my comment was that an added delay CAN be added in a way that can not be reversed engineered through averaging... and that doing that might tempt a would-be attacker to spend their time attacking a pathway that is exploit proof. attackers may have infinite time, but if they spend most of it on fruitless efforts, then less successful attacks would happen. how is that not more secure? billions of requests are certainly NOT possible. after many failed requests, the attacker should not be allowed to have their passwords checked, or have an exponentially increasing delay between failed attempts. all of this is extremely basic and standard security concepts that have been around for decades. OAuth and OpenID are bad for many other reasons than a claimed vulnerability to timing based attacks that has not been demonstrated, and would not work on any system that limited access after failed login attempts (pretty much everyone).
you are the worst kind of idiot. an ignorant hypocrite. just like all the other retards at the kansas bible camp, stephen alongi.
stephen alongi makes pedophiliac homoerotic comments about muslims and their beliefs. he is an instigator. an agitator. completely worthless. he doesn't like people to know that clone53421 is him. clone53421 is stephen alongi. a retard who is too stupid to know when he is wrong, and when it is pointed out to him, he is too stupid to acknowledge it. an ignorant hypocrite. a product of the kansas bible camp. a counselor there. do you want to leave your child with someone at the kansas bible camp who spends their time spouting pedophiliac homoeroticism on the internet?
you are NOTHING
2) measure delay of response.
that's it.... the delay is a single measurement of time that the "timing-based attack" is based on.
if every single individual measurement of time was obfuscated in some way that created a fixed delay plus a random delay as a function of the original delay, then the whole or the average of multiple samples of the whole is irrelevant.
billions of attempts would still not get close enough to an exploitable level of confidence.
if the hidden value is irrelevant, and the averages of samples reveal the hidden value... then the averages of samples is also irrelevant, but you've wasted the stupid attackers time in believing that a timing-based attack might be possible.
you are as dumb as every other youth to attend the kansas bible camp.
completely ignorant.
the only way a solar sail would ever work is to fly "close" to the sun.
so let's say you do it like SSH with an ensured fixed time, and then on top of that add a random delay. could an attacker now determine anything they couldn't have before? obviously, no. but now you've hinted to the would be attacker that a time based attack might be possible. so using a random delay you get the exact same security, and potentially waste more of your would be attackers resources. how is that not better?
yes, but then you telegraph to the attacker that a time based attack is not possible. it seems to make more sense to require the comparison to always make exactly 64 comparisons, and then also add a random number of additional comparisons to waste more of the attackers resources.
how about this... create a value. now add a random amount of value significant in range relative to the original value... now add a random amount of value as a function of the original value...
you can't differentiate the original value with ANY certainty.
sad that your comment is scored 1, and people suggesting these ideas are completely pointless are being scored 4+. this site no longer functions properly.
Take a bunch of samples, average them.
if i make the added delay anywhere from 0 to 100,000 times the average comparison time, and make the delay a function of the comparison time, and create multiple delays for each login attempt, then define "bunch". you'll never be sure of the value, you'll just be getting closer to a value of the function of the comparison time used to create the delay. the original comparison time can NOT be differentiated.
you're going to run each password 100 times, and then what, average them? i don't think you understand what "random" means. if the person who implemented the added delay always made it 1-2 times the average comparison time, creating maybe only a few 1000 potential measurable delay values, then yes, your simple circumvention might work, but i'm assuming the person who implements the delay to counteract the attack would be smart enough to do it right, in a method that could never be reverse engineered. the delay would have to have significant range relative to the min and max comparison times.
i agree that for login, a consistent delay coupled with a delay status screen is the most usable solution.
no one is saying it's free or cheap, but it's certainly now accessible.
you're right that current manufacturing company's testing and development equipment wouldn't match... the entire point of open hardware is to make that fact not matter.
you are an idiot
so you want things to work where if anyone ever tells anyone else anything about you, and then anyone else ever uses information matching the information the original person told anyone, that the original person should be held liable, even if it can't be proven that the original person told the information to the person that ultimately stole your identity?
i can't understand how you could be so stupid to not see how stupid you are.
the only thing removing any semblance of civilization are idiots like you writing broken laws that charge people using non-evidence. YOU ARE AN IDIOT.
if you don't think the banks are fair, DON'T USE THE BANKS. that is how REAL civilization works. FREE MARKET. are you too scared that smarter people will out-compete you? they probably will. YOU ARE AN IDIOT.
Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?
you're demanding fair credit? what gives you the right? you don't have any credit. if you want credit, there are terms. if you don't like the terms, you don't get credit. this has nothing to do with "fair".
i don't think you know what most words mean.
again, i fully acknowledge this as a response to a slashvertisement response to a slashvertisement story... but these things are so good i bought one for my brother and sister for christmas last year. there is a native linux distro for it (dingux)... lots of homebrew games that take full advantage of the hardware. then on top of all that it has audio video out cables to plug it in to a tv. plus a built in speaker that sounds great, a stereo headphone jack, and a microphone for taking notes... i think the PSP can do all that, and i think there is a way you can get linux running on a PSP too, but with the dingoo, the installation of linux is endorsed by the hardware manufacturer and is made simple (just run the installer, hit OK)
the controller on this is one of the reasons it's better than the wiz... everything is in the right place and directional pad rolls just right and the buttons are just firm enough... L/R triggers are good too. just a great package, and standards compliant hardware ready to play all of the most popular video and audio codec formats, and has a built in FM tuner.
i've seen videos on youtube that show PSX4ALL (a playstation 1 emulator) running at 100%... so the dingoo is at least powerful enough to emulate intensive playstation 1 games (such as quake 2) at full resolution and framerate.
basically, it does everything great. atari controllers are not comfortable or feasible for portable gaming... that might not be what you're going for, but the dingoo control interface works very well for any kind of gaming platform, AND it all fits combined with a powerful gaming system in a portable form factor that fits in your pocket.
if you want retro gaming, you want a dingoo.
might as well complete the slashvertisement... i play all my retro game backups on the dingoo. best $99.99 i've ever spent on gaming.
if the exif information is still intact, facebook is choosing to copy it over and keep it intact on purpose.
i thought that facebook resized all uploaded photos... i don't have a facebook account to test... is facebook purposefully copying over the geolocation information from camera-phones into the resized images, or was location determined by surrounding land features?
only a moron would conclude that i think the problem should be ignored. i think that publishing the details of how to steal money from banks is irresponsible... and it seems so do the people that were going to present it, as they have concluded it is in their best interest to not present it.
you mean the issue where more exposure can only lead to more exploitation, and degradation of the value of a dollar?
*citation needed*
so you are suggesting that publishing instructions on how to perform an act will lead to less people executing that act....... *logic needed*
the great 'there will always be problems, so why bother fixing them' argument. Remind me never to work with you, you're the worst kind of person for working on technology.
ahhh yes, the classic "don't point out the potential of man in the middle network attacks, or the ability of humans to get inside a closed box" argument.
you aren't qualified to work with me.
so it seems you believe the banks should upgrade their entire ATM hardware infrastructure, and yet you complain about a fee and claim the transaction is "pretty much free".... yeah, except for their costs. a french fry is pretty much free to mcdonald's. why do they charge for them?
They don't have the right [to muzzle], but they do have the guns and goons.
yeah, i realized the "muzzle" might have been a gun reference and not a reference to a tool to stop animals from biting humans.