Slashdot Mirror


User: Fnord666

Fnord666's activity in the archive.

Stories: 0
Comments: 1,872

Comments · 1,872

  1. Re:I have a IMO a propounding question. on New Sensors Will Scoop Up "Big Data" On Chicago · · Score: 1

    I have a IMO a propounding question. Why is this stuff just done with no voter input? Whether it's a government project or a private one, I think we should demand public input and maybe even voter approval or disapproval... And have any privacy agencies tried this method? Just seems to me they shouldn't be using government equipment "poles" "Right of ways" or government property.

    No, the proper way to do it is wait until they have spent all the money to buy the equipment and deploy it, then pass a referendum that makes them illegal.

  2. Re:Worrysome on Google Forks OpenSSL, Announces BoringSSL · · Score: 2

    Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol.

    Just be sure that as a developer you write an abstraction layer between the application and the library so that when the interfaces diverge too much you have a single class to rewrite. Diversity in implementations is a good thing. Diversity in the interfaces can be a pain in the butt.

  3. Re:Doppler effect on Harley-Davidson Unveils Their First Electric Motorcycle · · Score: 1

    Apparently you are unfamiliar with the Doppler effect [wikipedia.org]. Even on a Harley making a huge obnoxious racket it is easy to get dangerously close to someone before they hear you.

    Perhaps you should have read the article you cited. Doppler shift affects the observed frequency of the sounds but does not affect the speed at which that sound travels in a given medium. In addition it is the difference between the speeds of the observer and the source. If both are traveling at the same relative speed, there will not be a shift in the frequency for that observer.

  4. Re:What "ass"tounding value on Priceline To Buy OpenTable For $2.6 Billion · · Score: 1

    Holy shit, maybe I should create some fairly nondescript website that some hipsters use and then sell it for a whole frigging lot more than it will probably ever bring in in revenue.

    You definitely should. Stop back by when you're done and let us know how it works out.

  5. Massive Breach? on Credit Card Breach At P.F. Chang's · · Score: 1

    And by massive they mean "On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so...". Hardly on the scale of the Target breach so far.

  6. Re:Millions of conventional TVs vulnerable too on Millions of Smart TVs Vulnerable To 'Red Button' Attack · · Score: 1

    "Researchers from Dickweed University's Network Security Lab discovered a flaw affecting nearly every TV on the planet. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to turn on or off, or switch channels. The attack works by equipping a drone with a powerful universal remote, sending commands to all TVs in a broad range." It's even scarier like this!

    That is not how this attack actually works. The attack has nothing to do with the remote and references to it and the "red button" have derailed things. This is an attack on the broadcast television signal. As you recall, broadcast TV was switched from an analog signal to digital. In Europe the protocol for this signal is DVB and in the US it is ATSC. Within these digital broadcasts is a protocol called the HbbTV standard which allows additional interactive data, features, etc. to be embedded to provide a hybrid viewing experience. For example during a baseball game they might embed an HTML page with the stats for the current batter. The exploit is that this embedded data is not protected in any way so anyone can inject a malicious payload into the signal. This could allow such attacks as session hijacking, etc. In the demonstration the researchers are attacking smart TVs in the neighborhood by rebroadcasting a local channel with the extra packets added to the stream. That approach is limited of course to the extent to which you can override the regular broadcast signal. A much broader impact would be if you could inject the packets at the broadcast source, for example on the network between the broadcast station and the actual transmitter station. In that case your attack would reach entire greater metropolitan areas.

    What I am interested in is how much, if any, of this HbbTV information gets through when local channels are carried on other transmission media such as satellite or cable.

  7. Re:It doesn't take a genius to come up with an att on Millions of Smart TVs Vulnerable To 'Red Button' Attack · · Score: 4, Informative

    So the idea is that the attacker overrides the RF signal with his own one, which contains the malicious data.

    No. They are actually overriding the DVB broadcast signal from the broadcaster and inserting malicious packets into the stream.

    Abstract: In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.

    All of the references to the "red button" on the remote are a distraction that can be confusing. The red button on your remote is simply a way that you can invoke or interact with the hybrid content in the broadcast stream. It has nothing to do with the actual attack and the embedded content doesn't need to be actual interactive content.

  8. Re:This is awesome on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    Software development is done by humans and humans commit mistakes

    I see what you did there. Nothing like a little bit of source code repository humor. Well played sir, well played.

  9. Re:This is awesome on New OpenSSL Man-in-the-Middle Flaw Affects All Clients · · Score: 1

    but in practice the subset of "all people" who actually do code reviews appears to be very, very small -- possibly smaller than the set of people who review closed source code.

    I'm going to disagree here. For a given company that has a closed source implementation, there may be a small group of people qualified to look at the code and understand it, but that in no way means that they are or have done so. Corporate politics, capitalizable time, access restrictions, etc. all play a part in whether anyone at all actually looks at the closed source code for vulnerabilities.

  10. I would ask on Virtual DVDs, Revisited · · Score: 5, Informative

    I would ask for a Bennett section so that we could ignore the posts but neither Timothy nor Soulskill can get things posted into the right sections anyway, so never mind.

  11. All IT workers swear. If they don't, they're probably a sociopath and serial killer.

    But just because they do swear does not mean they aren't a sociopath and serial killer. In fact, I'm pretty sure that where I work all three are required to move into management.

  12. Ask Slashdot? on Has the Ethanol Threat Manifested In the US? · · Score: 4, Informative

    Timothy,

    Once again you have posted an "Ask Slashdot" article in a different section than where it belongs. Some of us regulate what articles we see by section and would appreciate it if you would at least try to get it right.

    Thanks.

    Fnord666

  13. This is not at all relevant to most implementations of DH, which use prime fields of large characteristic.

    Exactly. Probably more interesting is that their solution is applicable to a wider range of finite fields than recent improvements.
    From the paper:

    Although we insist on the case of finite fields of small characteristic, where quasi-polynomial complexity is obtained, our new algorithm improves the complexity of discrete logarithm computations in a much larger range of finite fields.

    I see no good basis for the ScienceDaily author's leap from the paper's results to his conclusion that

    Since solving this variant of the discrete logarithm is now within the capacity of current computers, relying on its difficulty for cryptographic applications is therefore no longer an option. This work is still at a theoretical stage and the algorithm still needs to be refined before it is possible to provide a practical demonstration of the weakness of this variant of the discrete logarithm. Nonetheless, these results reveal a flaw in cryptographic security and open the way to additional research. For instance, the algorithm could be adapted in order to test the robustness of other cryptographic applications.

  14. Re:Is Diffie Hellman at risk? on Discrete Logarithm Problem Partly Solved -- Time To Drop Some Crypto Methods? · · Score: 1

    Actually there is no need for DH, you can create a new throwaway RSA private/public key pair on both sides, sign it with your main key, use the throwaway keys to transfer the session key then wipe the throwaway keys. The problem with this approach is that generating a new RSA key pair for every session + transferring new key + extra round trips is a really slow process compared to DH.

    So how do you go about securely communicating one part of the throwaway keys to the other side so that the session key can be transferred?

  15. Re:Hmmm... on Can Google Influence Elections? · · Score: 1

    There's also a name for the phenomenon -- a filter bubble.

    This ties in to a more general phenomenon known as confirmation bias.

  16. Re:What Level 3 can do on Internet Transit Provider Claims ISPs Deliberately Allow Port Congestion · · Score: 1

    I need internet for streaming media, general internet access, email, cloud storage, and gaming. Only one company allows me to do that effectively and even if I did switch to a worse service I'd lose the ability to do some of those.

    Oh noes! Whatever will you do? How would you survive?
    No, you don't need those things. You would like to have them. You need air to breathe, water to drink, food to eat and shelter from the elements. You apparently already have the things that you need which allows you to worry about the things that you want.

  17. Re:They're nuts but right on "Smart" Gun Seller Gets the Wrong Kind of Online Attention · · Score: 1

    Same problem as, "What if your gun runs out of ammo?". How do gun owners mitigate that problem? They check their weapon regularly.

    Except that rounds do not magically disappear from a loaded magazine when it sits for a month. It still goes bang when you need it to. Batteries self-discharge and could leave you defenseless just when you are counting on it.

  18. Re:They're nuts but right on "Smart" Gun Seller Gets the Wrong Kind of Online Attention · · Score: 1

    Cars aren't typically used in life and death situations. Guns are. Changes the game, so to speak.

    Have you ever looked at the fatality statistics associated with intoxicated drivers?

  19. Re:reconstruction via telemetry on SpaceX Looking For Help With "Landing" Video · · Score: 1

    More than that, you've got good quality imagery from that same camera from the launch,

    Do they? I thought I read in the reddit thread that the launch video was actually from a second stage camera.

  20. Re:Cops do whatever they want on Texas Sheriffs Crash $250k Drone They're Not Supposed To Be Flying · · Score: 1

    And just what is it you think the populace can do about it? They have the guns.

    LEO or the populace? This is Texas, remember? Carrying a firearm is not only a right but also a requirement there.

  21. Re:Watch this on Mathematicians Push Back Against the NSA · · Score: 2

    Thanks for the tip! I might actually watch that some time. Also, let me throw this back at you.

    Don't forget this title.

  22. Re:Blame Game. on Heartbleed Sparks 'Responsible' Disclosure Debate · · Score: 1

    That is the biggest problem. Other than rewarding the people who fix the problem, we try to figure out who is to blame for every freaking thing.

    "Fix the problem, not the blame."
    Rising Sun (1993) - Capt. John Connor (Sean Connery)

  23. Re:No Good Solution. on Heartbleed Sparks 'Responsible' Disclosure Debate · · Score: 1

    Indeed. But there is a _standard_ solution.

    Citation needed.

  24. Re:What a shame on Snowden Used the Linux Distro Designed For Internet Anonymity · · Score: 1

    Heartbleed is a server exploit

    Actually it can cut both ways.

  25. Re:And they've already stopped on IRS Can Now Seize Your Tax Refund To Pay a Relative's Debt · · Score: 2

    I understand that it can be difficult for self employed people with highly variable incomes, but most Americans don't fall into that group and should know their yearly tax liability to within fifty dollars or so at the beginning of the tax year.

    Since the tax codes and the taxation tables aren't finalized until the end of the year I've always found it difficult to predict what my end tax liability is going to be.