the software does a compare between the stored password and the supplied password
That would indicate that both the stored and supplied password are in the same format; i.e. plaintext or hashed. Since we already know that the software hashes the password before storing it on the drive, it's reasonable (although not guaranteed) to assume that the software hashes the user's input and compares it to the contents of the key drive.
... and the password can be seen in plain text within memory when the software does a compare between the stored password and the supplied password
That doesn't mean anything. The software program, when it asks the user to input the password, may store the user's input (unhashed) in one buffer, and may stored the user's input (hashed) in another buffer. Although the software could then compare the hashed user's input with the password stored on the key drive, the user's unhashed input might still be visible within the first buffer.
Todd Walters, remember 12 years ago in college when I told you that an exploit could theoretically take control of an operating system due to a flaw in the library that renders static graphics? And you said that no, only code that has a chance of executing can lead to exploits?
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
CPUs add significantly to the cost of these devices. If you want a device that can be upgraded with new security releases, you'd need flashable firmware, which increases the complexity, support, and cost of the device.
I'd love to find a USB key drive that encrypted data via its own hardware, and didn't require ANY software. How it might work:
The device emulates two USB devices - one is a USB input device, one is a USB drive.
The USB drive is not powered until the USB input device receives the password.
A variation of this theme discards the USB input device, and instead has the password entry theme on the device itself (such as a dial combination lock.)
given that the key is seen decrypted in the debugger one can easily say that Lexar's did NOT use it correctly.
I never recall seeing any statement that suggested the key could be seen plaintext in memory. For all we know, the password is never decrypted, but instead is used to decrypt the data.
The problem is that the one-way hashed value of the password was not hashed with a sufficiently complex algorithm, and could be easily reverse engineered.
Doesn't this constitute fradulent advertising? To advertise the device stores data with AES encryption, and then store something (the password) using something else is clearly at odds with their advertising.
The data is encrypted with AES. The password is not. Since the password is not explicitly a part of the user's data, their claim probably stands.
They might be nailed for giving a false sense of security through their advertising claims. However, as it's unlikely that they were intentionally deceptive or criminally negligent in their programming, a judge would be unlikely to fine them (and would instead let the "invisible hand" of the market balance things out.)
I'm guessing that it's to speed up device response time. After all, if you had a 128 MB partition encrypted, and the device had to load the entire 128 MB of data in order to allow the decryption process to determine if the password was correct, the response time would be phenomenally slower than if a 32-byte password was retrieved from the device.
I agree, though - the only safe way to store the data is to discard the password.
Aside from storing the password in XOR'd form, the software checking the password is flawed. It unencrypts the password first, then compared the password entered. Rather then encrypting the password entered and comparing it to the device?
How do you know what the software does? Neither the linked article nor the submitted post claim that the software unencrypts the password.
For all we know, the software engineers have lifted their authentication strategy from unix password authentication, except perhaps they were lazy and used their own (insecure) hash function.
Okay, I doubt anyone will read this post, as it's late in the game, but here's some questions that came to mind when I analyzed the text from Transitive's web site. In all examples I will use Windows as the native operating system and Linux as the foreign application, unless otherwise noted.
Comment 1.
When a foreign application is started, the operating system recognizes that the application needs translation and automatically starts Dynamite.
How does the operating system recognize that the application needs translation? I see three possibilities.
The first possibility is that the native operating system lets Transitive execute all applications, and Transitive decides whether to translate an application, or let the native operating system run the application unaltered. Integrating this functionality (properly) into an operating system would be extremely diffult, let alone multiple operating systems.
The second possibility is that the native operating system attempts to execute all programs, and only invokes Transitive if an unexpected application type is encountered. Due to the way that Windows only executes files according to file associations (".exe" = DOS/Windows executable, ".com" = micro-executable, ".bat" = batch file), this seems very unlikely, as Windows wouldn't even know how to execute "gimp" because it lacks an extension such as "gimp.exe".
Even if one was to rename "gimp" to "gimp.exe", Windows would attempt to load the "Windows Program Header" for the file, which would be invalid because it's a Linux application. Windows would then generate an error. Of course, Transitive could overwrite certain error handlers within the operating system to catch this kind of error, and then analyze the file using a "magic number" command to determine which operating system and what file type was under scrutiny. But then Transitive would have to overwrite these certain error handlers within all operating systems, a very unlikely proposition.
The third possibility is preconfigured "virtualization sandboxes". Virtualization software like VMWare assumes that for a virtualized system, all files and executables within that virtualized system will be executed according to the rules of that virtualized system. Ergo, if you're running a virtualized Linux system, any executable will be executed as a Linux application. Does Transitive require one to preconfigure foreign applications as existing within a predefined virtualized system? Either way, there's alot more to this than simply the "operating system recognizes that the application needs translation."
Comment 2.
Depending on the requirements for the integration, Dynamite can be configured with a wide range of options, including the ability to build "bridges" between translated code and code running native on the target platform.
This sounds like a fairly intensive process, given the number of operating systems and APIs out there.
Comment 3.
This feature has been used, for example, to allow translated applications to call a native accelerated graphics library for the graphics chipset in the target platform, delivering higher quality and speed than other solutions.
Does this mean that Transitive will take a Windows DirectX application and translate it to Linux OpenGL? Or does Transitive have it's own API, which is compatible with all video card drivers out there? For either claim, that's pretty impressive; a technology worth being bought out by nVidia or ATI. Considering the breadth and depth of all graphics libraries and versions available for numerous operating systems, that's phenomenally impressive.
Comment 4.
The front-end decoder reads blocks of instructions from the foreign application's binary and decodes them into an intermediate representation. The intermediate representation allows Dynamite to understand the highe
Your logic is flawed and your criticism of my arguments fail to address the real points I'm raising, but rather than point out the inconsistencies in your arguments, let me just boil my contention down to a few simple statement:
The FCC is the only authority that can provision radio bands.The FCC establishs necessary, but not sufficient, conditions under which radio bands may be used.
In other words, anyone who wishes to use radio bands must adhere to the minimal regulations established by the FCC. But adhering to the minimal regulations established by the FCC does not guarantee someone the right to use such radio bands. The usage of radio bands is not a consitutional right. Therefore, any entity with the power to impose constraints upon another entity may impose such constraints regarding radio bands.
The FDA is the sole authority for regulating food and drugs. Just because the FDA approves the general usage of a drug does not mean that someone has automatic power to use that drug under any circumstance they see fit.
a wireless access point (operated according to US law and FCC regs) is not a "jamming device". they have been certified by the FCC not to cause harmful interference, and any attempt by the university to suggest otherwise will be dismissed outright.
Assume that a theoretical life support system was somehow adversely affected by a wireless access point, and that a person intentionally caused a patient's death by leaving a wireless access point on top of the life support system. According to your argument, the rascal would merely proclaim with a smile, "Oh, no, see the FCC certified this device as not causing harmful interference, so I'm sorry you can't hold me accountable."
That seems like an utterly ridiculous argument. Furthermore, your argument is not so strong as to cause me to believe that a court will "dismiss the charges outright".
as for signing an agreement that your enrollment in a university is contingent upon certain things, if those certain things come into conflict with any local, state, or federal laws, the laws win out. the FCC has been granted _exclusive authority_ to regulate the RF spectrum. any attempt to regulate the spectrum by a private entity, whether directly or indirectly, is disallowed. that's the mistake you're making - the "exclusive" part.
And the mistake that you're making is that believing that the FCC's exclusive authority to regulate the provisioning of a spectrum somehow grants them the rights to regulate any device that uses that spectrum. It does not. Your argument is tantamount to saying that a government agency that regulates the sale of bullets is the sole authority in determining how those bullets may or may not be used to harm others.
the situation is even more separate here - the college does not own the apartments that the students live in, nor do they provide or own the internet connection the students are using to connect the APs to the internet.
The college also does not own any independent academic material a student creates or shares with others, but yet may expel a student for helping another student cheat. By your argument, any student should be able to help any other student cheat under the First Amendment.
Still don't buy your arguments.
This is a call to arm, sent out to all sensible/.ers. PLEASE, DO NOT embed senseless links within your story submission.
It goes against the ethics of every data purist out there to have to mouse over words like "interesting" and "debate", carefully examining the status bar URL, to find out WTF that link points to.
Enough already.
There seems to be a common misconception that since 2.4GHz bands are unregulated, the FCC is the only entity that can restrict the usage of 2.4GHz devices. This, of course, is false.
If you were to bring a wireless jamming device into a police station with the purpose of intentionally interfering with the department's administrative computers, you might get arrested for obstruction of justice.
If you were to bring a wireless jamming device into your office with the purpose of disabling a corporate network, you might get reprimanded, fired, or sued.
If you were to bring a wireless jamming device into a competitor's office with the intent of manipulating the company's stock price by disabling their computer network, you might be charged with securities fraud.
If you sign an agreement with a college stating that your enrollment is contingent upon agreeing with campus policies designed to protect the college's network, then you can't use a wireless jamming device without repercussions. This is regardless of whether the "wireless jamming device" is a "wireless access point" that merely has the potential to jam.
Of course, intention will play a role in any of the above scenarios. But the important thing here, people, is that you're not allowed to walk around wherever you want saying, "Who are you, you're not the FCC!"
The FCC only handles circumstances in which two independent entities are in conflict over the usage of such airwaves when no federal or state law exists to regulate the legal behavior between two independent entities with respect to those airways.
A college and an enrolled student are not considered "independent entities", as there exists an expectation to abide by the rules defined in the relationship between the college and the student. NOTE: this goes both ways - the student can sue the college if the college acts in ways that are contradictory to the expectations of the relationship. The college can't fail a student without reason and then say "Who are you, you're not the Council for Higher Education Accreditation, you can't regulate how I pass or fail you!"
I was trying to figure out how to change directories in Linux, and I thought I typed the command to pull up the help feature or "manual". Instead, I accidentally formatted and repartitioned my hard drive, mounted my neighbor's microwave oven via 802.11b, ftp'd my tax returns to the local news journal, subscribed to 6,000 different cable channels via 5 competing cable providers, downloaded all of Google's cache of slashdot articles and indexed a keyword search database, ordered 725 pizzas from Dominos via the repeated and accidental execution of some "command line pizza utility", and somehow sent NASA the plans to create a cost-efficient space vehicle that would allow them to compete in the X Prizes.
To this day I still can't figure out what sequence of commands I must have mistyped to do all that. I still can even figure out how to pull up the help for "cd".
I actually split a Mac mouse in two, because I thought that the "left" mouse button and "right" mouse button were fused together, and I tried to separate them. Little did I know that there wasn't a right mouse button on Macs.
Seriously, I agree. It's a true shame, because slashdot is the one source where I read articles that I remember for years, and frequently find the need to revisit.
And of course, having better searches would allow posting users to determine if a subject has already been posted. Right now it's quite terrible.
No offense, but...
Akamai gets attacked, and the story gets rejected from slashdot, yet a minor patch about a game I've never heard about makes the front page? They must be feeding bat guano to the editors down there in the locked basement.
Slashdot usually manages to post good stories, but there's always a quirk now and then.
If you were a master of economics like me, you'd know why.
Typical./ readers are geeks who don't have significant others. Therefore, any distraction that allows them to become blissfully aware of their status as single will have great demand.
./ obviously realizes this, and is doing its best to disseminate information about a vital patch to a problem that, if left unresolved, would detract from the typical./ reader's ability to remain ignorant of their status.
Or, the committee that reviews submitted posts must have been paid off by Ubisoft.
I understand your frustration. I have often made posts concerning newsworthy evens, only to have them eternally rejected because for some reason, certain types of breaking news just don't need to be relayed to the audience who could use it the most.
But, armed with my frustration as motivation, I turned that anger into the effort to learn economics so that I could gain the spiritual insight into the mechanisms of supply and demand of those ever crucial karma points.
Keep this under wraps, okay, but I think I've discovered the formula for whoring myself under multiple personas in order to gain karma-loaded./ accounts, which I will then sell on ebay to schmucks like you whose submitted posts get continually rejected.
That's a great idea. When Dell sees their product sales sagging, I'm sure they'll say "Crap Bob, 0.001% of 5% of web surfers aren't buying Dells because our web page don't render properly in their browser - we need to fix that right away!"
Teach her something useful, like macros in Excel or Word. Or, if you're really enterprising, teach her how to make a simple application in Visual Basic for Applications, which comes integrated with any recent Microsoft Office release.
The obvious answer is to let the students contest the results of computerized testing, if so desired. An English teacher would then grade the results. This would have the following consequences:
Students who don't really "try" to get a good grade wouldn't bother to contest the scores, especially as the reputation of the computerized grading system rises.
Students who unjustly receive a grade lower than expected, due to computerized testing, have the opportunity to rectify the situation.
The schools, and developers of the system, gain the opportunity to continually assess the consistency between computer-based grading and human-based grading. The special "contested grades" would be generated by the students who most likely would "break" the computer grading algorithm.
Besides, we all know how poor American education is comparitively. This solution at leasts lets us take advantage of the 80/20 rule to streamline those who care to aspire to higher levels of education.
I wonder if this is a problem caused by parasitic computing, as describe in this slashdot article:
http://slashdot.org/articles/01/08/29/199205.shtml
Man, it's scary that I can remember slashdot articles from 3 years ago.
I wonder if you're referring to an assembly program I wrote to generate Sierpinksi triangles in 76 bytes. But please note, those 76 bytes included calls to DOS interrupts, which is an API in the same fashion that DirectX is an API.
Slashdot Mirror
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
I'd love to find a USB key drive that encrypted data via its own hardware, and didn't require ANY software. How it might work:
- The device emulates two USB devices - one is a USB input device, one is a USB drive.
- The USB drive is not powered until the USB input device receives the password.
A variation of this theme discards the USB input device, and instead has the password entry theme on the device itself (such as a dial combination lock.)The problem is that the one-way hashed value of the password was not hashed with a sufficiently complex algorithm, and could be easily reverse engineered.
They might be nailed for giving a false sense of security through their advertising claims. However, as it's unlikely that they were intentionally deceptive or criminally negligent in their programming, a judge would be unlikely to fine them (and would instead let the "invisible hand" of the market balance things out.)
I agree, though - the only safe way to store the data is to discard the password.
Actually, CHR$(13)+CHR$(10) is used to terminate lines of text (carriage return/linefeed), not character strings.
Comment 1.
How does the operating system recognize that the application needs translation? I see three possibilities.
The first possibility is that the native operating system lets Transitive execute all applications, and Transitive decides whether to translate an application, or let the native operating system run the application unaltered. Integrating this functionality (properly) into an operating system would be extremely diffult, let alone multiple operating systems.
The second possibility is that the native operating system attempts to execute all programs, and only invokes Transitive if an unexpected application type is encountered. Due to the way that Windows only executes files according to file associations (".exe" = DOS/Windows executable, ".com" = micro-executable, ".bat" = batch file), this seems very unlikely, as Windows wouldn't even know how to execute "gimp" because it lacks an extension such as "gimp.exe".
Even if one was to rename "gimp" to "gimp.exe", Windows would attempt to load the "Windows Program Header" for the file, which would be invalid because it's a Linux application. Windows would then generate an error. Of course, Transitive could overwrite certain error handlers within the operating system to catch this kind of error, and then analyze the file using a "magic number" command to determine which operating system and what file type was under scrutiny. But then Transitive would have to overwrite these certain error handlers within all operating systems, a very unlikely proposition.
The third possibility is preconfigured "virtualization sandboxes". Virtualization software like VMWare assumes that for a virtualized system, all files and executables within that virtualized system will be executed according to the rules of that virtualized system. Ergo, if you're running a virtualized Linux system, any executable will be executed as a Linux application. Does Transitive require one to preconfigure foreign applications as existing within a predefined virtualized system? Either way, there's alot more to this than simply the "operating system recognizes that the application needs translation."
Comment 2.
This sounds like a fairly intensive process, given the number of operating systems and APIs out there.
Comment 3.
Does this mean that Transitive will take a Windows DirectX application and translate it to Linux OpenGL? Or does Transitive have it's own API, which is compatible with all video card drivers out there? For either claim, that's pretty impressive; a technology worth being bought out by nVidia or ATI. Considering the breadth and depth of all graphics libraries and versions available for numerous operating systems, that's phenomenally impressive.
Comment 4.
Your logic is flawed and your criticism of my arguments fail to address the real points I'm raising, but rather than point out the inconsistencies in your arguments, let me just boil my contention down to a few simple statement: The FCC is the only authority that can provision radio bands. The FCC establishs necessary, but not sufficient, conditions under which radio bands may be used. In other words, anyone who wishes to use radio bands must adhere to the minimal regulations established by the FCC. But adhering to the minimal regulations established by the FCC does not guarantee someone the right to use such radio bands. The usage of radio bands is not a consitutional right. Therefore, any entity with the power to impose constraints upon another entity may impose such constraints regarding radio bands. The FDA is the sole authority for regulating food and drugs. Just because the FDA approves the general usage of a drug does not mean that someone has automatic power to use that drug under any circumstance they see fit.
This is a call to arm, sent out to all sensible /.ers. PLEASE, DO NOT embed senseless links within your story submission.
It goes against the ethics of every data purist out there to have to mouse over words like "interesting" and "debate", carefully examining the status bar URL, to find out WTF that link points to.
Enough already.
There seems to be a common misconception that since 2.4GHz bands are unregulated, the FCC is the only entity that can restrict the usage of 2.4GHz devices. This, of course, is false.
If you were to bring a wireless jamming device into a police station with the purpose of intentionally interfering with the department's administrative computers, you might get arrested for obstruction of justice.
If you were to bring a wireless jamming device into your office with the purpose of disabling a corporate network, you might get reprimanded, fired, or sued.
If you were to bring a wireless jamming device into a competitor's office with the intent of manipulating the company's stock price by disabling their computer network, you might be charged with securities fraud.
If you sign an agreement with a college stating that your enrollment is contingent upon agreeing with campus policies designed to protect the college's network, then you can't use a wireless jamming device without repercussions. This is regardless of whether the "wireless jamming device" is a "wireless access point" that merely has the potential to jam.
Of course, intention will play a role in any of the above scenarios. But the important thing here, people, is that you're not allowed to walk around wherever you want saying, "Who are you, you're not the FCC!"
The FCC only handles circumstances in which two independent entities are in conflict over the usage of such airwaves when no federal or state law exists to regulate the legal behavior between two independent entities with respect to those airways.
A college and an enrolled student are not considered "independent entities", as there exists an expectation to abide by the rules defined in the relationship between the college and the student. NOTE: this goes both ways - the student can sue the college if the college acts in ways that are contradictory to the expectations of the relationship. The college can't fail a student without reason and then say "Who are you, you're not the Council for Higher Education Accreditation, you can't regulate how I pass or fail you!"
I was trying to figure out how to change directories in Linux, and I thought I typed the command to pull up the help feature or "manual". Instead, I accidentally formatted and repartitioned my hard drive, mounted my neighbor's microwave oven via 802.11b, ftp'd my tax returns to the local news journal, subscribed to 6,000 different cable channels via 5 competing cable providers, downloaded all of Google's cache of slashdot articles and indexed a keyword search database, ordered 725 pizzas from Dominos via the repeated and accidental execution of some "command line pizza utility", and somehow sent NASA the plans to create a cost-efficient space vehicle that would allow them to compete in the X Prizes. To this day I still can't figure out what sequence of commands I must have mistyped to do all that. I still can even figure out how to pull up the help for "cd".
I actually split a Mac mouse in two, because I thought that the "left" mouse button and "right" mouse button were fused together, and I tried to separate them. Little did I know that there wasn't a right mouse button on Macs.
Seriously, I agree. It's a true shame, because slashdot is the one source where I read articles that I remember for years, and frequently find the need to revisit.
And of course, having better searches would allow posting users to determine if a subject has already been posted. Right now it's quite terrible.
If you were a master of economics like me, you'd know why.
Typical ./ readers are geeks who don't have significant others. Therefore, any distraction that allows them to become blissfully aware of their status as single will have great demand.
Or, the committee that reviews submitted posts must have been paid off by Ubisoft.
I understand your frustration. I have often made posts concerning newsworthy evens, only to have them eternally rejected because for some reason, certain types of breaking news just don't need to be relayed to the audience who could use it the most.
But, armed with my frustration as motivation, I turned that anger into the effort to learn economics so that I could gain the spiritual insight into the mechanisms of supply and demand of those ever crucial karma points.
Keep this under wraps, okay, but I think I've discovered the formula for whoring myself under multiple personas in order to gain karma-loaded ./ accounts, which I will then sell on ebay to schmucks like you whose submitted posts get continually rejected.
That's a great idea. When Dell sees their product sales sagging, I'm sure they'll say "Crap Bob, 0.001% of 5% of web surfers aren't buying Dells because our web page don't render properly in their browser - we need to fix that right away!"
Teach her something useful, like macros in Excel or Word. Or, if you're really enterprising, teach her how to make a simple application in Visual Basic for Applications, which comes integrated with any recent Microsoft Office release.
- Students who don't really "try" to get a good grade wouldn't bother to contest the scores, especially as the reputation of the computerized grading system rises.
- Students who unjustly receive a grade lower than expected, due to computerized testing, have the opportunity to rectify the situation.
- The schools, and developers of the system, gain the opportunity to continually assess the consistency between computer-based grading and human-based grading. The special "contested grades" would be generated by the students who most likely would "break" the computer grading algorithm.
Besides, we all know how poor American education is comparitively. This solution at leasts lets us take advantage of the 80/20 rule to streamline those who care to aspire to higher levels of education.Everyone on this thread seems to be getting modded as 4 or 5, so: me too, please!
Don't you also love slashdot's auto- href captions?
I wonder if this is a problem caused by parasitic computing, as describe in this slashdot article: http://slashdot.org/articles/01/08/29/199205.shtml
Man, it's scary that I can remember slashdot articles from 3 years ago.
I wonder if you're referring to an assembly program I wrote to generate Sierpinksi triangles in 76 bytes. But please note, those 76 bytes included calls to DOS interrupts, which is an API in the same fashion that DirectX is an API.