Slashdot Mirror


User: mysidia

mysidia's activity in the archive.

Stories
0
Comments
13,354
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 13,354

  1. Re:Not just 'a' crypto key on Attack Steals Crypto Key From Co-Located Virtual Machines · · Score: 1

    See, all the VM needs to do to avoid this attack, is to alter the set of cryptographic operations executed on the CPU, so that no matter what value is in each bit key position, the same cache lines will get dirtied.

    If a Key bit being '1' has a different computation than a key bit being '0', then perform both computations, and discard the result of the unneeded one.

  2. Re:Buy Amazon Prime. on Amazon Charges Sales Tax On "Shipping and Handling" · · Score: 3, Insightful

    Two day shipping is a convenience, but not worth it to a lot of people. It is for me, even if I opt for standard shipping,

    You're forgetting the important part: not only is it 2 day shipping, but it's also "free"; as in, no cost other than the cost of the prime membership for prime eligible items.

    As long as you would normally make 12 orders a year from Amazon, with approximately $7.00 regular shipping per order (approximately 1 order a month); then Prime is a good economic choice.

    More so, if you regularly paid extra per order for expedited shipping. More so if you have sales taxes in there.

  3. Re:It's just absentee voting on New Jersey Residents Displaced By Storm Can Vote By Email · · Score: 3, Insightful

    they'll check the names against the voter rolls just like they do when you vote in person.

    Unfortunately, the list of names on the voter roles is public.

    Will they be smart enough to check that for every ballot received by mail, there was actually an application for a ballot by that person?

  4. Re:Contempt on Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling · · Score: 1

    Say an annual Apple's revenue or so. Lesson will be learned and not just by them.

    The court wouldn't do that, because it would be unjust, and it's likely beyond the judge's power.

    Also, before they can be found contempt, Samsung will have to find some part of the order they are supposedly non compliant with.

    The order didn't specify how or in what manner or where exactly on their website Apple would publish an apology, only that they would have to publish a statement. And they did indeed publish one; and visitors to Apple's website do actually find it... heck we found it, the person who wrote this article found the statement.

    It's possible Samsung will go back and get a new order, or additional requirements to be imposed.

    It's not as if Apple made the statement invisible, eg only by clicking on a special link, or by opening the page source in an editor and finding a HTML comment.

  5. Re:How long until they just reach for a big hammer on Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling · · Score: 1, Interesting

    The next step might be an order to replace the Home page of both Apple.com and Apple.co.uk IN THEIR ENTIRETY with the order in ASCII text format and no HTML, and 1000 empty lines before any additional content, or HTTP link to their ordinary front page content, and keep it that way, with no changes allowed for 30 days.

  6. Re:Shameful behaviour on Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling · · Score: 2, Insightful

    How is this contempt? The message isn't hidden, it's right there on the page. The fact that they optimise the page so that their product shot makes the most of the above-the-fold real estate is not removing it from the page in any way, it's just good design.

    This is an error in the judgement, not an error in Apple's behavior.

    Although I will say: the message is not just below the fold; it's below the content on the page e.g. it's below even Apple's copyright statement; which suggests it's just a disclaimer.

    If the Judge was serious about the prominence of the disclaimer; they should have ordered Apple to display a prominent message. Submit a 'draft' copy of their home page for the judges approval, publish it.

    AND require static front page content, with the Judge's approval for all further changes to the format, display, or content of any element of the Apple.com and Apple.co.uk home pages, and submit and receive approval 7 days before the change may be made, until expiration of the order.

  7. Re:who cares on Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling · · Score: 2

    they've turned off the normal redirect from apple.com to the UK website and aren't displaying it on the main apple.com website for UK visitors

    I'm guessing, because Apple US, is a different company than Apple corporation (UK), and the court has no jurisdiction over Apple US.

  8. Re:OK, stick a fork in them, they're done. on Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling · · Score: 1

    I bought AAPL a couple months ago. Now they're worth $100 each, less than when I bought them. So yes, some cunt is laughing all the way to the bank

    Possibly, but not today. The day you bought the shares from them, they booked their profits.

    Now that the price has dropped a bit.... that person you bought the shares from may be getting more and more interested in buying the shares back (at a lower price, of course)... but for now AAPL is still trading at an extremely lofty multiple of earnings, that is quite difficult to justify rationally.

  9. Re:Cloudflare user on Ask Slashdot: How To Deal With a DDoS Attack? · · Score: 1

    I am pretty unhappy with slashdot today. ... I have seen not one easily implementable solution

    The question in the article is essentially a request for a cure to cancer, and then disappointment that noone in a health forum has an answer.

    They are asking a question that should be asked of a consultant who has a deep understanding of the OP author's current infrastructure, and an understanding of the specific kinds of DDoS and size of attacks they are being hit with.

    There are specific kinds of DDoS that do have an easily implemented cure. There are kinds of attacks that don't.

    The generic answer is: massively overbuild the capacity of your infrastructure, so you can withstand unexpected massive traffic bursts.

    Distribute your infrastructure geographically, and across multiple networks across the country, so visitors from different networks hit different geographic sites (fault isolation).

    Purchase various appliance solutions designed to provide DDoS mitigation for web server applications. Appropriate firewalls with simultaneous connection per IP limits, SYN flood protection.

    Insist that providers you peer with implement BCP38

  10. Re:This May Work on Ask Slashdot: How To Deal With a DDoS Attack? · · Score: 1

    Except the above statement could be construed as a death threat, and lead to a lawsuit and/or criminal charges, even in the face of an apparent 'ransom' attempt

  11. Don't fuel the fire on Ask Slashdot: How To Deal With a DDoS Attack? · · Score: 1

    Honestly, you're better off if you don't respond to the communique. If the attacker isn't able to reach you, they'll move on.

    The owner of the company negotiated with the guy, and he stopped his attack after receiving $400. A small price to pay to get the site online in our case. But obviously we want to come up with a solution that'll allow us to deal with these kinds of attacks in the future.

    You are FINANCING the attacker, by agreeing to pay, without receiving anything in exchange other than "They won't do X".

    This will encourage the attacker and their hacker buddies to do the same thing to others, and YOU in the future.

    In a few months, the same attacker and/or their buddies may be back requiring $1,600, $3000, etc.

    Purchasing a 3rd party anti-DDoS service or filtering service may be expensive, but at least you won't be contributing the problem you purport to be trying to solve.

  12. Payback for the Florida voting machines? on Why Does a Voting Machine Need Calibration? · · Score: 1

    Obligatory: Why Bush took Florida

  13. Re:It makes no sense to me on Why Does a Voting Machine Need Calibration? · · Score: 1

    $10,000+ per voting machine to replace it with a newer model; the localities that have already upgraded to electronic, will be keeping their current machines for the forseeable future..

  14. It's MORE than a calibration issue on Why Does a Voting Machine Need Calibration? · · Score: 1

    According to the article, the area that you could "touch" to vote for one candidate was a MUCH larger area of the tablet.

    That means... almost all the miscalibrations (of which some are certain to occur) will favor one particular candidate.

    This is a fairness issue. Instead of dedicating areas of a screen to a particular candidate on a ballot; the order that candidates are presented in the list, and which of the screen zones are assigned to each candidate, should be randomized on each ballot, to ensure that no particular candidate or choice gets unequal treatment.

  15. Re:You misunderstand on Most US Drones Still Beam Video Unencrypted · · Score: 4, Insightful

    Use a reliable strongly encrypted side-channel for controlling crypto of the primary channel.

    Use a "one-time pad" for the video channel used as a "multi-time pad instead", XOR each block by a random value preloaded on both sender and receiver, each block also XOR'ed by a value negotiated over an encrypted control channel protected with a shared key, pick a new XOR value every 10 - 20 seconds to transmit over the encrypted channel, for the next N seconds of video, and a number of One time PAD bits to skip in the transmission, also transmit a value indicating a pattern for a certain number of 'extra' bits of noise or false signal to be included --- possibly a FALSE unencrypted video stream transmitted alongside the real one.

    Include enough "one time pad" / random data stored on a memory card, for 18 - 24 hours of video, then recycle the pad.

    One time pads are resilient against 'noise' because they result in the same number of bits noise in the output.

    The non-sophisticated adversaries are not likely to defeat even an imperfect implementation. Strictly speaking, any reuse or multiple use of a one time pad makes the stream immediately decipherable by a potential adversary, who has successfully recorded enough ciphertext encoded with the same pad bits, in that they can determine parts of the one time pad.

    The possible range of original plaintext for video are much larger than readable human language -- any arbitrary value. Even with simple 'scramble every bit by XORing it with a fixed value' will be extremely tough for unsophisticated adversaries, trying lots of XOR values to decrypt is easy -- ANALYZING the output of every value that you try, requires an adversary to have some serious computer vision technology, to decide if the output of each attempted value is the video stream being searched for or not.

    However, 'skipping' a certain number of pad bits, for every transmission, introduces unpredictability, and means only a proportion of bits in a frame might be reused, that requires an adversary not only have more than 48hours recorded data but also conduct complex difficult matching, in the process of trying to figure out which bits might be reused --- only a percentage of bits in the transmission may be reused, and by the time they have conducted the search, the drone's mission is done.

    XOR'ing every block over a period of time by the same reference block, is also immediately decipherable by an adversary, who can conduct an analysis to figure out what the XOR block is.

    However, combining XOR with a "one time" or "multi use" pad, significantly complicates the process of attempting to figure out the XOR key. No analysis of that is possible without first figuring out the random pad data of a block.

    And the simple / militant adversaries, are not likely to break any level of encryption. Or at least, if they do, by the time they were able to decode the video stream: again, the mission will already be over by the time they get it.

    And they are in no better position to decode the next video stream (assuming new keys and random pads are loaded on every drone, before its next mission).

  16. Have two editions on Ask Slashdot: Funding Models For a Free E-book? · · Score: 1

    One premium and one free; the free edition is electronic. With the premium edition, it is a paper printing, with a beautiful shiny cover not available with free version. Include extra material, a pretty cover, maybe more illustrations, or additional appendices in the premium edition.

    Have the sites offering the premium edition for sale contain a link pointing to the free edition.

    You might have a policy of when releasing a new edition, the previous one is made available for free.

    There are lots of potential strategies there.

  17. Re:Wow on Steve Jobs' Yacht Revealed · · Score: 1

    What an ugly monstrosity. Well, we know Steve was a minimalist. Look at the pictures of the bridge. No buttons!

    Sorry... I was too distracted by the f****'in animated gif at the top left on the Slashdot homepage to notice.

    Steve wasn't around to approve the final product. I'm sure he'd scrap this and tell his builders to start over, if he saw it

  18. Austerity measures, what's the point? on Journalist Arrested In Greece For Publishing List of Possible Tax-Evaders · · Score: 1

    While more and more austerity measures are being taken against the people of Greece, there is still no investigation of tax evasion for the people on this list by the government.

    Investigation into tax-evasion is not a cost-effective way of reducing deficits. Just because people are on "the list" does not necessarily mean they are guilty. And even if they are, it is unlikely that the taxes and penalties recovered provide a significant benefit.

    Investigations are more of a way of deterring non-compliance; to the extent that the deterrent is effective, it is useful.. Once a certain rate of compliance is reached, there is only a certain amount of investigation that is cost-effective

  19. Re:Responsible Disclosure on Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting? · · Score: 1

    I keep seeing these shills on this thread telling people to

    You are posting complete nonsense, in the total bogus claim that there might be "shills" in the discussion. It would seem you are so incompetent in supporting your own arguments, that you think the only way to do so, is to try to project your own character deficiencies on other people.

    Is there some huge list of all the security experts rotting in prison for disclosing Windows/Flash/Android exploits that I'm not aware of?

    Professional Security researchers have lawyers and legal counsel; they do not just start disclosing vulnerabilities without understanding the risk. Professional security researchers take advise, and are aware of the rules they need to follow and the risks, AND accepted rules for responsible disclosure. Off the street Joe, who just discovered a vulnerability in ISP's server, is not darn likely to have much knowledge of the standards, precedents for responsible disclosure, and the risks (legal and otherwise).

    And may very easily inadvertently create additional crimes or tortes, in the process of disclosure -- such as extortion, or tortuous interference with bus. relationships.

    Can you list out some security experts who have disclosed vulnerabilities on the Google.com website, Adobe communtiy website, and Android websites, that allows any user to view the private data of any other user on the system?

    That is an invalid comparison. Disclosing vulnerabilities in software is "safe". Because it is possible to discover vulnerabilities in software, without breaking the law.

    Software researchers attack is in their hands; they own the computer that it runs on. They are legally allowed to hack to their hearts' content, as long as they own the computer system, and all the data that they are gaining access to, via vulnerability.

    Discovering a possible vulnerability, and writing exploit code to prove its existence by gaining access To a server owned and operated by another organization, without the permission of the organization owning the computer system carries much greater legal risks.

    Disclosing a vulnerability in Apache or IIS; is OK, or Safe. Disclosing a vulnerability in Microsoft's implementation of IIS, and posting a script that will login and download other customers' details, may very well result in serious retribution from Microsoft.

    Disclosing a vulnerability is possibly OK in some circumstances, as long as you didn't have to do anything illegal to discover it, OR to disclose it. IF the vulnerability is on someone else's server, and you proved it, by writing a tool that gains access you are not supposed to have, then you have technically broken the law and may experience criminal liabilities.

    If you violate an agreed upon Terms of Service or EULA, you may be subject to civil liabilities and damages for your breach. There are also other possible civil claims, and there are some unique ones that exist in finding a vulnerability in A SERVICE rather than a software product.

  20. Re:It depends on whatcha mean when you say style on Does Coding Style Matter? · · Score: 2

    Seriously? You are reading the code, fixing bugs, and you find formatting problems. So you back out your half-complete changes, fix the formatting, commit that change, then re-apply your fix-in-progress?

    NO. What part of dedicated commit for formatting changes do you not understand?

    You never leave changes from a previous session uncommitted; always commit all changes before leaving the desk.

    Before you start working on any code, you update your working directory from the repository. You correct any formatting problems and commit, after update from the repository, and you do this when you have not yet made any changes to the code, and 'svn diff' is empty.

    If you discover any formatting issues, you ignore any formatting issues you see, DO NOT CHANGE THE FORMATTING, while you are coding, finish your code changes, commit that.

    Then, only after your code changes are fully committed, you run the formatting script, and commit any formatting changes.

    Your diffs will then not be polluted.

  21. Re:Responsible Disclosure on Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting? · · Score: 1

    The webhost can go fuck itself if they refuse to respond in a responsible fashion.

    They already refused to respond in a responsible fashion, by patching the issue on one system, and leaving other servers vulnerable to the same thing, according to the OP. This creates risk for both the users, and the webhost. The webhost itself might be subject to lawsuits for their negligence, if the situation were discovered

    It's a statement of intent, designed to intimidate, and should be treated with all the respect that type of behavior deserves.

    Actually. A C&D letter from their lawyer is statement of intent, designed to warn the recipient, about damage that may be cause, and the possibility of remedies sought, if the recipient does not cease or abort.

    The main purpose of a C&D letter is that it serves as a written instrument to help establish and document that the harmed party took measure to attempt to mitigate the damage, include informing the counterparty who procedeed despite their objections, which will help their case, and may also increase the size of the damages awarded, because continuation by the party receiving the &D letter (request), will now be considered to be intended willful damage, after notice has been sent to them of it.

    It isn't likely that a C&D would be granted by a court.

    It sounds like you are confusing what a C&D actually is. I'm not talking about gag orders from a judge. You violate a gag order, you go to jail. It's possible the webhost could seek a gag order / injunction as well, in order to compel to not reveal the info until the matter is fully settled, but C&Ds are less expensive, as there are not filing fees involved, or requirements to persuade a judge,an effective deterrant, and transfer additional liability, because the effects of continuing the behavior after the letter, is now considered willful.

    If C&Ds were handed out like candy, the security research industry would have died off years ago, which is why I suggested (s)he passes off the exploit to someone with standing in the security research community.

    The security research industry is not in the business of conducting intrusions on organizations' servers, and using unauthorized exploit scripts to obtain or exercise access sensitive data, without authorization to perform the activity.

    When was the last time you saw a security researcher publish an advisory about a vulnerability that could be used to access details on an online service without authorization?

    Security researchers when talking about "disclosure" are in general always concerned about vulnerabilities in software products, not specific services, hosting services or other public servers that may use vulnerable software, or have security weaknesses resulting from business processes, failing to incorporate security as a basic element.

  22. Download Link? on The Internet Archive Has Saved Over 10,000,000,000,000,000 Bytes of the Web · · Score: 4, Interesting

    How nice of them to do the archiving and release such a large dataset.

    Where can I download the file?

  23. Re:Python Indentation: Style is the language on Does Coding Style Matter? · · Score: 1

    This is why I used to think Python was cute, but have since switched to Ruby.

    Python is such a PITA with regards to its sometimes inconsistent indentation and code block delineation rules.

  24. Re:It depends on whatcha mean when you say style on Does Coding Style Matter? · · Score: 1

    Until source control systems work on semantics and not textual diffs, it is not as simple as that. If I get your code, reformat it to my style, change 2 lines and check it back in, I have completely polluted it as far as a diff goes.

    Don't do that. Have a policy, that auto formatter may not be run, after a cvs/svn update, except against code that contains no other changes, and it has to be committed as a revision for just the formatting changes.

    So:

    cvs update && sh formatter.sh && cvs commit -m 'ran code autoformatter' # ALWAYS run formatter and commit any changes by the formatter immediately after a cvs update

    (Execute your code edit)

    sh formatter.sh

    cvs commit -m 'revision comment'

  25. Re:Responsible Disclosure on Ask Slashdot: What To Do When Finding a Security Breach On Shared Hosting? · · Score: 4, Informative

    Tell the webhost they have XYZ days to fix the problem before you publish the exploit.

    If you do that, be prepared for them to shut off your account immediately, and for them to file a complaint/police report, listing you as the offender, with possible criminal charges, for you hacking their service.

    Their lawyers may also send you a cease-and-decist letter, warning that you will be sued if you publish the information.