Slashdot Mirror


User: Fnord666

Fnord666's activity in the archive.

Stories
0
Comments
1,872

Comments · 1,872

  1. 10 Character Key? on University of Cambridge Develops Potentially More Secure Password Storage System · · Score: 1
    Where did the submitter get the quote that says this uses a 10 character key for the HMAC?
    From the article:

    The dongle (Scrambler) uses 4 keys / passwords.
    1 - 10 characters long is used to identify clusters (when more than one dongle is used to boost throughput).
    2 - this is the actual key for SHA1-HMAC
    3 - this is used for initialisation vectors.
    4 - encryption key for remote commands ENSCRAMBLE and ENGETID. This key is shared with the client (Wordpress in our case) to provide end-to-end encryption of passwords sent for scrambling.

    Here are the details from the article about key lengths, etc.

    S-CRIB Scrambler Design Basics We use the same hardware as for our Password S-CRIB and only re-implemented the firmware to add required functionality. The keys / passwords now have 32 characters so they can be directly used with AES-256. Each password can provide up to 199 bits of entropy as we use 76 different characters. The source of passwords is a combination of a "dongle key" (unique for each Scrambler) and a random SHA1 key generated using microsecond timer applied on communication between Scrambler and the host PC.

  2. Resides in a Raspberry Pi? on University of Cambridge Develops Potentially More Secure Password Storage System · · Score: 1

    University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi...

    No it doesn't. The S-CRIB Scrambler is a trusted hardware component implemented as a USB dongle that just happens to be plugged into a Raspberry Pi as a host server.

    The current implementation uses Raspberry Pi as an "untrusted" host for web service. It is an inexpensive but sufficiently powerful platform for our password scrambling system.

    This could just as easily be plugged into a server or any other PC. My point is that the device has nothing to do with and has no dependency on the Raspberry Pi and to imply otherwise is disingenuous.

  3. Re: Usefulness is reduces if a single account is k on University of Cambridge Develops Potentially More Secure Password Storage System · · Score: 1

    Not if one stores a long, fixed salt in the device.

    (Here fixed means fixed over all users.)

    That sort of defeats the purpose of the salt.

  4. Re:Usefulness is reduces if a single account is kn on University of Cambridge Develops Potentially More Secure Password Storage System · · Score: 1

    10 random chars are good for 65bits. Log(92^10)/Log(2) = 65.24

    Quick question. Where did the 92 come from? Uppercase + Lowercase + digits + special chars? I'm struggling to get to 92 here.

  5. Re:hack the planet on CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk · · Score: 1

    By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

    Security by obscurity does not work. I believe that we can all agree on that. On the other hand, responsible disclosure means that talking to the people who can do something about a discovered issue should be the first step. Once the issue has been addressed, then a wider disclosure is reasonable.

  6. He really did a convincing work on the montage and the voice-over, but NPOV must agree the majority of the video came from the deniers. Now I don't know how far fair use goes, but maybe they really have a case there. How did MST3K handle that?

    None of which is any concern of Youtube. They have absolutely nothing to say about fair use or not. They follow the letter of the law as written and preserve their Safe Harbor protections under the DMCA. Youtube's actions are out of their hands on both sides unless they are willing to jump into the fray and assume liability.

  7. Re:GDP on Your 60-Hour Work Week Is Not a Badge of Honor · · Score: 1

    Nothing in your post explains WHY it is a government concern that people get some minimum amount of vacation time. You say that the government should mandate some minimum amount of vacation time because otherwise an employer might not offer any. But that begs the question by assuming that it is a government interest that people get some minimum amount of vacation time.

    In the US banking sector the FDIC strongly recommends mandatory vacation time of two consecutive weeks or more for active officers and employees as an effective internal control to combat fraud. This recommendation is even included in their Manual of Examination Policies for FDIC audits. If you allow exceptions, you need to have compensating controls in place.

  8. Re:Thanks, Edward Snowden on NSA Ally Spied on US Law Firm · · Score: 1

    Well spoken sir.

  9. Re:Matter of time on Florida Arrests High-Dollar Bitcoin Exchangers For Money Laundering · · Score: 1

    How hard do you think it is to have ATM's[sic] scan serial numbers on the bills they dispense so the machine/bank/gov't knows who they were given to, and have the bank scan in the deposits so they know who is receiving the bills?

    Off the top of my head it would require

    • Replacing every dispenser mechanism in every ATM
    • Replacing every depository mechanism in every ATM that accepts cash
    • Updating the communications protocols between the components within the ATM
    • Updating the SNMP code for the ATM to central to support the new device
    • Updating the transaction protocol between the ATM and central to support reporting which bills were dispensed or deposited
    • Updating all of the protocols used by all of the debit networks to pass that information along
    • A whole new back end system at the card issuing bank to store and report this information

    So really just a week or two then.

  10. Then post but also run Adblock and disable Google's tracking scripts.

    Done. Oh, and fuck the beta!

  11. Re:Fruit of the poison tree on DEA Presentation Shows How Agency Hides Investigative Methods From Trial Review · · Score: 1

    Not all evidence is admissible in court. Evidence that is illegally obtained can't be used in a prosecution. And any resulting evidence (like from a traffic stop as described in the article) is excluded as fruit of the poisoned tree.

    The underlying assumption that everyone seems to be making is that the original evidence was gathered illegally. That is often not the case. The concern the presentation is addressing is that entering the evidence into a court proceeding could compromise classified sources or methods. An alternate but valid evidence trail is then found that will hold up in court without compromising the classified details. That doesn't in any way imply that the original chain of evidence was gathered illegally.

  12. Re:It's just 1200baud 7O1 Bell 202 on Finnish Hacker Isolates Helicopter GPS Coordinates From YouTube Video Sounds · · Score: 2
    Please see her update 2 on the post:

    Update 2: Yes, it's 7-bit Bell 202 ASCII. I tried decoding it as such earlier, but must have gotten the bit order wrong! So I just chose a roundabout way.
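
The framing the update refers to ("1200baud 7O1 Bell 202": 1200 Hz mark, 2200 Hz space, 1200 baud, one start bit, 7 data bits, odd parity, one stop bit) and the bit-order mistake it mentions, worked through as an added example. This is not code from the post, the linked write-up, or anyone involved; it synthesises its own clean audio (a constructed signal, not the helicopter recording), assumes a 48 kHz sample rate, and skips the timing recovery and filtering a noisy real capture would need. The `lsb_first` flag exists only to show what happens when the data bits are assembled in the wrong order.

```python
from __future__ import annotations
import math

# Bell 202 AFSK parameters: mark = 1200 Hz (logical 1), space = 2200 Hz (logical 0), 1200 baud.
SAMPLE_RATE = 48000            # assumption: any rate that is a multiple of the baud rate works
BAUD = 1200
MARK_HZ = 1200                 # idle line, stop bit, data bit 1
SPACE_HZ = 2200                # start bit, data bit 0
SPB = SAMPLE_RATE // BAUD      # samples per bit (40 at 48 kHz)
DATA_BITS = 7                  # the "7" in 7O1
FRAME_BITS = 1 + DATA_BITS + 1 + 1   # start + data + odd parity + stop

# Reference tones over one bit window, precomputed once.
_REF = {f: [(math.cos(2 * math.pi * f * n / SAMPLE_RATE),
            math.sin(2 * math.pi * f * n / SAMPLE_RATE)) for n in range(SPB)]
        for f in (MARK_HZ, SPACE_HZ)}


def frame_bits(value: int) -> list[int]:
    """UART-style 7O1 framing: start bit, 7 data bits LSB first, odd parity, stop bit."""
    if not 0 <= value < 128:
        raise ValueError("7-bit ASCII only")
    data = [(value >> i) & 1 for i in range(DATA_BITS)]
    parity = 0 if sum(data) % 2 else 1        # odd parity: ones in data+parity must be odd
    return [0] + data + [parity] + [1]


def modulate(text: str, idle_bits: int = 8) -> list[float]:
    """Continuous-phase AFSK: one tone per bit, phase carried across bit boundaries."""
    bits = [1] * idle_bits                    # idle line is held at mark
    for ch in text:
        bits += frame_bits(ord(ch))
    bits += [1] * 2                           # trailing idle so the last window fits
    samples, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (MARK_HZ if b else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SPB):
            samples.append(math.sin(phase))
            phase += step
    return samples


def tone_energy(window: list[float], f: int) -> float:
    """Non-coherent correlation of a one-bit window against a reference tone."""
    re = im = 0.0
    for x, (c, s) in zip(window, _REF[f]):
        re += x * c
        im += x * s
    return re * re + im * im


def decisions(samples: list[float]) -> list[int]:
    """Mark/space decision at every sample, using a one-bit window centred on it.
    decisions[j] describes samples[j + SPB // 2]."""
    half = SPB // 2
    out = []
    for n in range(half, len(samples) - half):
        w = samples[n - half:n + half]
        out.append(1 if tone_energy(w, MARK_HZ) > tone_energy(w, SPACE_HZ) else 0)
    return out


def demodulate(samples: list[float], lsb_first: bool = True) -> str:
    """Wait for a falling edge (start bit), sample the frame at bit centres,
    check the parity and stop bit, then assemble the 7 data bits."""
    d = decisions(samples)
    half = SPB // 2
    chars, n = [], 0
    while n < len(d):
        if d[n] == 1:                         # still idle mark: keep looking
            n += 1
            continue
        centres = [n + half + k * SPB for k in range(FRAME_BITS)]
        if centres[-1] >= len(d):
            break                             # truncated frame at end of capture
        bits = [d[c] for c in centres]
        data, parity, stop = bits[1:1 + DATA_BITS], bits[1 + DATA_BITS], bits[-1]
        if stop != 1:
            raise ValueError(f"framing error near sample {n + half}")
        if (sum(data) + parity) % 2 != 1:
            raise ValueError(f"parity error near sample {n + half}")
        if not lsb_first:                     # wrong bit order: same frames, garbage characters
            data = data[::-1]
        chars.append(chr(sum(b << i for i, b in enumerate(data))))
        n += FRAME_BITS * SPB                 # skip to where the next start bit can begin
    return "".join(chars)


if __name__ == "__main__":
    audio = modulate("Hello")
    print(demodulate(audio))                      # Hello
    print(repr(demodulate(audio, lsb_first=False)))
```

The decoder relies on two properties of a UART-style frame: the line idles at mark, so the first space tone is always a start bit, and a stop bit of mark guarantees a falling edge before the next frame. Parity and stop-bit checks are order-independent, which is why reading the data bits MSB first fails silently, producing valid-looking frames full of the wrong characters, exactly the symptom the update describes.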

  13. Re:What was spent already? on Senator Makes NASA Complete $350 Million Testing Tower That It Will Never Use · · Score: 1
    From the article:

    [In 2010] NASA already had spent $292 million on the A-3 structure. Since then, it's spent an additional $57 million to keep building it, according to a February 2013 report by the agency's inspector general, Paul Martin

  14. Re:gmail bug on Gmail Bug Sends Thousands of Emails To One Man · · Score: 2

    Yeah, I ran into that earlier this week. The only thing that solved it was to delete all of my cache and cookies. Hasn't happened again.

    Clear the browser's cache and cookies. It's the web 2.0 version of "Have you tried rebooting it?". If you haven't tried it yet, don't even call me.

  15. Re:Spell it out the first time on Linus Torvalds: Any CLA Is Fundamentally Broken · · Score: 1

    And if you need personal or professional advice, there's no better place than Yahoo! Answers.

    +1 ROFLMAO

  16. Re:Get rid of Samzenpus on RSA Boycot Group Sets Up Rival Conference · · Score: 1

    So what? Editors are supposed to "edit".

    GP claimed the typo was added by the editor. I was just pointing out that it was already there in the submission and the editor just failed to take it out, that's all.

  17. Re:It's a trap! on RSA Boycot Group Sets Up Rival Conference · · Score: 5, Interesting

    If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.

    The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.

    You mean like when people who develop encrypted messaging systems or encrypted phone applications get added to watch lists and get harassed every time they enter the country even though they are citizens?

  18. Re:Get rid of Samzenpus on RSA Boycot Group Sets Up Rival Conference · · Score: 1

    No, it was like that in the original submission.

  19. Re:Warranty Shouldn't Matter on GPUs Dropping Dead In 2011 MacBook Pro Models · · Score: 1

    The Pinto Memo was famously quoted in 'Fight Club' which is what I believe the AC is referencing here.

    But I would be willing to bet that the AC did not know that. He only knew the Fight Club reference.

  20. What this summary needs on Building an Open Source Nest · · Score: 1

    What this summary needs is a good old fashioned link to at least one article about the project.

  21. Re:is that the play? on Building an Open Source Nest · · Score: 1

    they get energy companies and local installers to push these things and that's how they make a return on their investment?

    No. Google did not spend $3.2 billion on a company that makes thermostats. They paid $3.2 billion for a company that makes data acquisition devices that pose as thermostats. The amount of data that they can acquire is staggering. Wait until they offer enhancements like plugging in your current electric rate and provider so it can display the dollar savings.

  22. EDR on Driver Privacy Act Introduced In US Senate · · Score: 1
    It's an Event Data Recorder, not an Electronic Data Recorder.

    WASHINGTON – Senators John Hoeven (R-N.D.) and Amy Klobuchar (D-Minn.) today introduced their Driver Privacy Act, legislation that protects a driver's personal privacy by making it clear that the owner of a vehicle is also the owner of any information collected by an Event Data Recorder (EDR).

  23. Re:Choice of providers? on Federal Court Kills Net Neutrality, Says FCC Lacks Authority. · · Score: 1

    As it is, we have an agreement where I get X MBps for Y $/mo, so unless I exceed that (shouldn't be possible), leave me alone.

    No, you have an agreement that they will provide you with up to X Mbps. If you want guaranteed throughput and a contractual up time, you are talking a business class connection and likely 10x or more in price.

  24. Re:Stupid People on Target Hackers Have More Data Than They Can Sell · · Score: 1
    What do you expect from a guy who says the following:

    Cybercriminals often advertise the kind of data they've captured from the card's magnetic stripe, which has three so-called "tracks," each containing data.

    News flash. They are called tracks because they are tracks on a magnetic recording tape. Nothing "so called" about it.

  25. Re:Job limit. on If I Had a Hammer · · Score: 1

    That's not the answer: a cheaper labor force will replace existing jobs, but it won't create new ones.

    A cheaper labor force can create new jobs if it allows a venture to become profitable where it wasn't before.