Slashdot Mirror


User: gnoshi

gnoshi's activity in the archive.

Stories: 0 · Comments: 292

Comments · 292

  1. Re:Usefulness is reduced if a single account is kn on University of Cambridge Develops Potentially More Secure Password Storage System · Score: 1

    That certainly changes things. The summary for this article and the Ars article both suggested that the key was 10 chars long, and I couldn't find a specific number in TFA to replace it with.

  2. Re:Usefulness is reduced if a single account is kn on University of Cambridge Develops Potentially More Secure Password Storage System · Score: 2

    Absolutely, but if the summary and the Ars article are to be believed then the on-device key is 10 characters long. From TFA, the output character set appears to include 76 characters, so it seems plausible that they are using this same set for the on-device key as well. They are using HMAC-SHA1, and it seems (from Ars) that they are not using iterated SHA1 (i.e. they are using a single pass).

    Not saying anyone would deploy it like that.

  3. Re:Usefulness is reduced if a single account is kn on University of Cambridge Develops Potentially More Secure Password Storage System · Score: 1

    I think basically using client certificates is too hard for average joes to use, especially across devices.
    Different browsers on one machine don't share certs. You need to be able to share certs across devices, which means copying them somehow while keeping them secure - and not just keeping them all in Dropbox. If you're using certificates, you can't just log on from your friend's phone when you left yours at home.

    Also, if you're trying to replace insecure passwords with certificates, then you have the problem that the people who would normally use the crappy passwords will either not password protect their certificates or use crappy passwords on them too. Even if they do this, it does mean that the server password DB being stolen wouldn't reveal their keys but it does mean you need some way to revoke certificates and get new ones if yours are compromised.

    In reality, using the same password across multiple sites is a much bigger problem (for those users) than using rubbish passwords if the site is managing passwords correctly. If the server is salting the passwords and using good hashes, as well as limiting the rate of password attempts and implementing some form of lockout then everything beyond the most abysmally bad password is reasonably safe.
    However, if a user has the same password for their e-mail account, and the dodgy torrent forum they just signed up for using that e-mail address then they are screwed any which way.

  4. Sort of, but the server (rather than the client) has the device, and 'having' the device is needed (ideally) in order to check user passwords at the server end. So rather than being used to identify a user to the server, it is used by the server to generate the password hash which is stored and compared.

  5. Usefulness is reduced if a single account is known on University of Cambridge Develops Potentially More Secure Password Storage System · Score: 5, Interesting

    As was pointed out by someone on Ars, even if the secret key used by this device isn't stolen it can be brute-forced by having a single known account on the system. This is not a trivial problem, because it seems that they are using SHA1 (on the basis that the key can never be stolen, so the hashes don't need to be so strong). As such, there is a mountain of good gear out there for running lots and lots of hashes fast.

    Basically:
    1. Create account/password with online retailer
    2. Steal user database for online retailer
    3. Find your own account, for which you know the username and password (and salt, because it is in the database) and associated hash
    4. Brute-force the HMAC key required to get the stored hash using your username, password and salt
    5. Use that same universal HMAC key for attacking all the other accounts
    6. profit?

    This assumes that there is a single key used for the HMAC and stored on the dongle, but it seems that is actually the case.
    It does make getting all the passwords a bit harder, but it isn't a miracle cure.

  6. Re:Ars Technica comments about open-source on Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk · Score: 1

    Well, if your starting point is that "open source doesn't lead to bugs being identified and disclosed" then those very posters you are complaining against are partially right, in part. Consider:
    Open source: anyone can read the code, but (based on our premise) this doesn't lead to identification and disclosure of problems. It can allow a prospective attacker to identify problems and not disclose.
    Closed source: only internal staff can read the code, but (based on our premise) having many eyes looking doesn't lead to identification and disclosure of problems. Prospective attackers can only do binary analysis, not source analysis, to find problems.

    If binary analysis is more difficult than source analysis for finding potential bugs (i.e. potential targets for attack) then closed source is more secure in this context (assuming one or more attackers looking for potential vulnerabilities in the library/source/whatever).

    Note: I'm not agreeing with the 'ubiquity' argument because it ignores real distributions of OSs. Also I'm not agreeing with the 'financial interest' arguments, because with closed source there is the possibility that a company will gamble on an internally-detected vulnerability not being exploitable (or exploited) rather than fix it.

    There are valid arguments for using open-source software, but I don't think the "many eyes" argument is necessarily a good one.

  7. Re:Wheel reinvented. on Invention Makes Citibikes Electric · Score: 1

    Good find. The Zeta actually looks like it would probably damage the wheel and tyre less too, because of the longer contact area.

  8. Re:Everything old is new again on Drive-by Android Malware Exploits Unpatchable Vulnerability · Score: 2

    You mean like Windows, which in the case of XP has received updates for 12 years which can be installed on any XP computer irrespective of manufacturer-included crapware? I wish Google provided updates for Android like Microsoft did for Windows.

    Also, I think you're overstating:
    1. the version issues - Google's compatibility libraries are pretty damn good. Inter-device compatibility is a bigger problem, and is more similar to trying to support a range of video cards well on PCs
    2. the 'drum beat' of exploits? The 'master key' vulnerability, which only affected users who sideloaded apps (which is significant, no denying) and this one which affects apps which use WebView content in an insecure way. There are also the exploits used to gain root on devices, of course, but iOS has them too in order to jailbreak - although some exploits to gain root on Android don't require being plugged in (but usually require debugging to be enabled which is in a hidden menu).

  9. Re:Liberal governments on Internet Censorship Back On Australian Agenda · Score: 1

    And here I was thinking that the big problem with Labor (according to the Liberals) was that they were in bed with the unions which, if I remember correctly, are made up of people who are employed.

    (tl;dr; you're an idiot)

  10. Re:Beta geek? on Why the Internet of Things Is More 1876 Than 1995 · Score: 0

    Go fuck the horse you rode in on.

  11. Re:Slashcott! on Mac OS X Bitcoin Stealing Trojan Horse Called OSX/CoinThief Discovered · Score: 1

    If the net effect of beta is fucktards like you going elsewhere, it might be a net positive outcome.

  12. Entrepreneur, meaning 'a person with a business' on Ugly Trends Threaten Aviation Industry · Score: 1

    If the decline continues, it will spell trouble for entrepreneurs such as Austin Heffernan, who runs an aircraft maintenance and repair company in Hagerstown, Md.

    Sure, and if people eat less fatty food then the entrepreneur who started up my local fry-up breakfast café will be in trouble.
    (Note: I'm not saying the use of the word is incorrect, but rather noting that it generally seems to carry concepts of innovation and novelty with it, which really don't apply here)

  13. Re:Slashcott! on Mac OS X Bitcoin Stealing Trojan Horse Called OSX/CoinThief Discovered · Score: 1

    Call me when soylentnews.org points to a news site.

  14. Re:No you're not, but.. on Non-Coders As the Face of the Learn-to-Code Movements · Score: 2

    And yet there was still the Therac-25 case, where bad software design and a race condition led to lethal radiation doses.

    The people who designed the system and wrote the code may not have been idiots, but clearly problems made it through the testing process and killed three people (as well as affecting others).

  15. Re:Tell them... on Customer: Dell Denies Speaker Repair Under Warranty, Blames VLC · Score: 1

    And nothing of value was lost. Bye.

    Said the infant to the adult.
    I'm looking forward to the boycott so I can enjoy Slashdot without having to swim through whiny comments for a week.

  16. Re:Gee on Debian Technical Committee Votes For Systemd Over Upstart · Score: 4, Insightful

    Maybe he was downvoted by all the people who actually want to use the site instead of having to dig through 1000 'boycott Slashdot' and 'BETA SUX0RZZ!!' messages, and this is an example of the moderation system working.

    We get it. Everyone hates beta. I hate beta. However, I hate digging through the 'FUCK BETA!' messages nearly as much as I hate beta. By all means, boycott the hell out of the site, but I'll just send feedback and if they don't listen I'll find some other site to read. Then I'll come back and have a peep every couple of months to see if they got the message.

  17. Re:Nutty parents on Peanut Allergy Treatment Trial In UK "A Success" · Score: 1

    I should also point out that it wasn't feeding them pulverized nuts on their own, but rather incorporating nuts in food that you give to the baby as you would any other component of food rather than holding out on giving the child nuts. I didn't make that very clear, unfortunately.

  18. Re:Nutty parents on Peanut Allergy Treatment Trial In UK "A Success" · Score: 1

    The advice from those same nurses is to not start 'solid food' (i.e. not formula or breast milk) until 4-6 months, so that roughly matches what you're saying.

  19. Re:2 things on Through a Face Scanner Darkly · Score: 4, Insightful

    Well, when there are 17.4 million users of a drug in the US alone eventually one of them will be a crazed cannibal.
    In 2012 there was that New York cop charged with plotting to murder and eat women. There are only about 795,000 police in the US so perhaps being a cop is a stronger indicator of a potential cannibal than cannabis use.

  20. Re:Nutty parents on Peanut Allergy Treatment Trial In UK "A Success" · Score: 4, Interesting

    The advice being provided by the state-provided Maternal and Child Health Nurses in Australia (or at least, the ones I know of) is now to start giving children pulverized nuts (so they don't choke on them) as part of their diet from the very beginning of consuming food, apparently for this exact reason.

  21. Re:Trust me? on Study: Some Antioxidants Could Increase Cancer Rates · Score: 1

    Did you read the entire abstract? "This increased risk was not statistically significant in either case."

    Oops... there goes the ball game. Sensationalist hype for insignificant findings. Cancelled the study because there was no positive effect and a very slight negative effect.

    Actually, there doesn't go the ball game, but you're right in your interpretation of the link I provided. I should have linked to the paper which included the follow-up period (discussed here http://lpi.oregonstate.edu/new... and here http://www.nih.gov/researchmat...)

    From the first link:

    A paper published recently from the Selenium and Vitamin E Cancer Prevention Trial (SELECT) in the Journal of the American Medical Association (JAMA. 306:1549-1556, 2011) concluded that "dietary supplementation with vitamin E significantly increased the risk of prostate cancer among healthy men."

  22. Re:Trust me? on Study: Some Antioxidants Could Increase Cancer Rates · Score: 5, Informative

    Well, since this is consistent with findings of previous studies which were not specifically looking for this - for example, a Vitamin E supplement trial which was called off early due to the high cancer rates in the active drug group (http://www.cancer.org/cancer/news/news/major-study-of-supplements-and-prostate-cancer-halted) - I'd say that this result is correct.
    Of course, maybe that researcher was on the take too, right?

  23. Re:Wrong left-wing extreme on VC Likens Google Bus Backlash To Nazi Rampage · Score: 1

    Can you explain how you understand that Robert Heinlein was unintentionally right?
    My interpretation of what you mean is that 'bread and circuses' in this case = making the rich pay their fair share, and that rather than actually providing bread and circuses, and thus democracy collapsing in a heap, the Democrats simply keep promising bread and circuses (so to speak) but never follow through.

    That said, the quote by Heinlein basically seems to collapse to "Democracy will only work if 'the plebs' are excluded from voting".

  24. Re:Wrong left-wing extreme on VC Likens Google Bus Backlash To Nazi Rampage · Score: 2

    One possible reason (and I'm not in SF so this really is just speculation) is that it is seen as Google using its money to buy its way out of the limitations imposed on the rest of the community - in this case, in transport - rather than contributing to resolving the underlying problem of inadequate general public transport.
    Whether that is a fair perspective or not is another matter, but that is a possible reason.

  25. Re:Data Scientist for mass mail company says... on A Data Scientist Visits The Magic Kingdom, Sans Privacy · Score: 1

    Note: TFA doesn't seem to say what the summary says it says.
    (i.e. it isn't "you don't want your privacy", it is "the way people behave with data suggests they don't want or care about their privacy; they'll sell themselves out at the drop of a hat").