Slashdot Mirror


User: vux984

vux984's activity in the archive.

Stories
0
Comments
10,772

Comments · 10,772

  1. came here to see this. thanks.

  2. Re:Won't work for the Windows version on TrueCrypt To Go Through a Crowdfunded, Public Security Audit · · Score: 1

    No you can't just audit the output by starting with 1 line of C code and move up from there, because you don't know what is the actual trigger for the back door. It can be any number of specific lines of code, includes modules or at least some output size of the binary.

    Your assertion was that it was the truecrypt source code. So how about we use that. It's not terribly large.

    It doesn't have to be tiny, you can hide the code in data or other code.

    You can hide a small bit of code, you can't hide large amounts of code.

    But even so just take a look at how tiny some programs are in the demoscene, you can build incredibly small code that does a lot.

    Are you really saying that this type of thing can't be done?

    Are you saying it could not be detected? You can't in one breath put forth that someone clever could make a virus, while in the other put forth that no one clever could find it. Especially when the math behind it shows that it's an asymmetrical task -- that it's much easier to find than it is to hide.

    Also take a look at how some viruses are done, some use polymorphic code to hide their signature.

    Changing signatures is pretty trivial rearrangement, and instruction substitutions. It doesn't at all hide what the code does, it just makes it difficult to detect by trivially comparing a piece to known code.

    You have little faith in human intelligence.

    This has nothing to do with human intelligence; it's math and science. The KTH is possible, and essentially impossible to provably secure against (in a mathematical sense), but it's also implausible on a large scale, and extremely difficult to hide from someone who is actively looking for it in a particular piece of code.

    We don't have to find the KTH by inspecting the code. We can find it by comparing the output of multiple toolchains. The differences will be small. Then it's just a matter of analyzing the differences.

    Unless ALL the toolchains are infected, and are all 'covering for each other'. That gets to be implausible, and even that can be unravelled by building another toolchain.

    It's a lot of work, but not nearly as much work as you think.
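
    One way to run the toolchain-comparison check described in this comment, as an added example that is not part of the original thread: it assumes the builds under comparison are expected to be byte-identical (as in a reproducible build or the final stage of a diverse double-compile), takes a majority vote over their hashes, and lists the byte ranges where any outlier differs. The toolchain names and the sample "binaries" are constructed.

```python
"""Added example (not from the Slashdot thread): compare several builds of the
same source that are expected to be byte-identical, flag the odd one out, and
list where it differs. The sample 'binaries' below are constructed stand-ins."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample outputs: three builds agree, the fourth carries an extra
# run of bytes at one offset (standing in for an injected change).
BASE = bytes(range(256)) * 4
BUILDS: Dict[str, bytes] = {
    "toolchain-a": BASE,
    "toolchain-b": BASE,
    "toolchain-c": BASE,
    "toolchain-d": BASE[:300] + b"\xcc" * 16 + BASE[316:],
}

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def consensus(builds: Dict[str, bytes]) -> Tuple[str, List[str]]:
    """Return the digest shared by most builds and the names that deviate.
    A tie means there is no majority: the digest is '' and every build is suspect."""
    by_hash: Dict[str, List[str]] = {}
    for name, blob in builds.items():
        by_hash.setdefault(digest(blob), []).append(name)
    ranked = sorted(by_hash.items(), key=lambda kv: len(kv[1]), reverse=True)
    if len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1]):
        return "", sorted(builds)
    majority_hash, majority_names = ranked[0]
    outliers = sorted(n for n in builds if n not in majority_names)
    return majority_hash, outliers

def differing_regions(ref: bytes, other: bytes, gap: int = 4) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where `other` differs from `ref`; runs closer
    than `gap` bytes apart are merged. A length mismatch is reported as a tail region."""
    regions: List[Tuple[int, int]] = []
    n = min(len(ref), len(other))
    i = 0
    while i < n:
        if ref[i] == other[i]:
            i += 1
            continue
        start = i
        while i < n and ref[i] != other[i]:
            i += 1
        if regions and start - regions[-1][1] < gap:
            regions[-1] = (regions[-1][0], i)
        else:
            regions.append((start, i))
    if len(ref) != len(other):
        regions.append((n, max(len(ref), len(other))))
    return regions

def report(builds: Dict[str, bytes]) -> Dict[str, List[Tuple[int, int]]]:
    """Map each outlier build to the regions where it differs from the majority build."""
    majority_hash, outliers = consensus(builds)
    if not majority_hash:
        return {name: [(0, len(blob))] for name, blob in builds.items()}
    ref = next(b for b in builds.values() if digest(b) == majority_hash)
    return {name: differing_regions(ref, builds[name]) for name in outliers}

if __name__ == "__main__":
    for name, regions in report(BUILDS).items():
        print(name, "differs from the majority at byte ranges", regions)
```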

  3. Re:Control... on Where Does America's Fear Come From? · · Score: 1

    You did know that AD means "Anno Domini", right? In English, that's "the year of our Lord". If you want to claim adherence to the Christian God, that's fine. You have that right. But don't expect me to pay lip service to a God that, to me, comes off as a petty, cliquish and vindictive sort, according to your own holy books.

    And do you similarly object to the names of the days of the week and the months of the year too?

    You did know that Tuesday is Tiw's day, right? That Wednesday is Woden's day right? Thursday is Thor's day, Friday is Frigg's day... ?

    Saturday is named for Saturn, like the planet, both named for the god Saturnus. Sunday and Monday (Moon-day) speak for themselves and reference the worship of sun and moon gods.

    The first 6 months are all named for deities or religious significance as well, the 7th and 8th honor (or to use your phrase "pay lip service to") Roman emperors (Julius and Augustus Caesar).

    While the 9th through 12th are still literally named 7 to 10, offending people who can count.

    The whole AD vs CE nonsense is just silly political correctness, and given that the entire calendar system is stuffed full of religious symbols and references it is pretty pointless.

  4. Re:Won't work for the Windows version on TrueCrypt To Go Through a Crowdfunded, Public Security Audit · · Score: 1

    You say it like it is complicated

    Because it is.

    Yes it has to be hidden, but you can have self modifying code and you can have code that looks like it does something innocent but actually does something else.

    Has anybody actually audited the MSVC binary? Didn't think so.

    Really you just have to audit the output. And you can start with 1 line of C and build up from there iteratively. It's work, and it's tedious, but it's not nearly as hard as you think.

    It doesn't matter how much space it takes it can be done.

    Of course it matters how much space it takes.

    Your whole "self modifying code and innocent code that looks like one thing but is really something else" has to be tiny... otherwise it sticks out like a sore thumb.

  5. Re:Won't work for the Windows version on TrueCrypt To Go Through a Crowdfunded, Public Security Audit · · Score: 1

    Of course it isn't something simple like if "solution name" = truecrypt, that is just stupid.

    Yes.

    It's more like detecting specific encryption algorithms in TrueCrypt and injecting code that makes the encryption weaker by either modifying the encryption slightly or storing maybe part of the key somewhere in the data.

    That's a non-trivial hack, how do you propose it "detect specific encryption algorithms in truecrypt" to detect that it's compiling truecrypt, and then modify it. How many bytes of code do you think it would take to program that?

    And remember that hack has to be hidden in the compiler binary. And per the KTH hack, in order to not get discovered by the first disassembler or debugger that walks by it also has to infect those, which is even more complex and non-trivial code, that has to be hidden and spread.

    The amount of work the KTH has to be able to perform to defend itself from detection grows exponentially, while the amount of effort to detect the hack grows linearly. (look it up). In practice the KTH code would grow so big with code to defend itself that compiler would end up being mostly KTH code.

    The KTH demonstrates the difficulty (impossibility even) of provable security. But an actual KTH remaining hidden from someone specifically looking for one is VERY implausible.

  6. Re:Which company bought this 'new' rule? on EPA Makes Most Wood Stoves Illegal · · Score: 1

    s, I said that for wood stoves, the regulations should be state and local.

    Because there are few places in the United States where two communities are adjacent along a state or local border, such that wood burning in one would not affect the other?

    Surely you didn't just say that.

    Extremists like you are responsible for much of the dysfunction in Washington

    The dysfunction in Washington exists because the system has been warped such that the participants aren't motivated to act like adults and actually solve problems.

  7. Re:Soon, no more bookstores. on Amazon Gets Blow-Back Over Plan To Sell Kindles At Small Bookshops · · Score: 1

    You do know that even Bluray video is compressed, right?

    Yes, uncompressed, wasn't the right word to use. "not over compressed" is probably more appropriate.

    Why would a 4K stream compressed to 20mbit/second not be better quality than a 1080p stream compressed to 5mbit/second?

    I'm sure it would be better.

    But the relevant question is whether it would really be any better than a 1080p stream compressed to 20mbit.

  8. Re:Won't work for the Windows version on TrueCrypt To Go Through a Crowdfunded, Public Security Audit · · Score: 1

    So ... if "solution name" = truecrypt, and source-code file = xyz.cpp then replace x with y?

    How plausible is that really?

    What is the easiest way to inject a backdoor into TrueCrypt? By asking Microsoft to add a backdoor to the MSVC compiler.

    I think there's lots of easier, more reliable, less detectable ways than that.

  9. Re:Soon, no more bookstores. on Amazon Gets Blow-Back Over Plan To Sell Kindles At Small Bookshops · · Score: 1

    Because it has 4x more pixels, which I thought was the whole point of 4K?

    But if they aren't streaming uncompressed 1080p adding more pixels for them to extrapolate into isn't going to make a difference.

    Netflix HD is like playing a game designed for 1024x768 on a 1920x1080 screen. Buying a screen that's 4k isn't going to make it look any better.

  10. Re:Soon, no more bookstores. on Amazon Gets Blow-Back Over Plan To Sell Kindles At Small Bookshops · · Score: 1

    4K has only 4X more pixels than 1080p. Netflix says that currently, you need a 5mbit connection for Hidef streaming, or 7mbit for super hidef.

    Netflix is lying to you. Their hidef isn't blu-ray quality. It's 1080p with compression artifacts. The audio isn't as good either.

    It's better than the regular hd which is even more compressed, and even that is better than some of the so called hd channels on cable some of which are badly compressed.

    Compared to bluray though its a complete joke.

    It's good enough, and there are only a handful of titles I would even care enough to pay extra for bluray, never mind "4k", but at the same time what's the point of drooling over a netflix compressed 4k stream if their superHD is still well beneath even mere bluray 1080p.

  11. Re:Won't work for the Windows version on TrueCrypt To Go Through a Crowdfunded, Public Security Audit · · Score: 5, Insightful

    Sure, vote it up as a point that the toolchain is always suspect, but saying MSVC is injecting backdoors into everything it compiles is just plain idiotic.

  12. Re:Further down that slippery slope... on US FDA Moves To Ban Trans Fat · · Score: 1

    That fails to address why we shouldn't put it on the label.

  13. Re:Further down that slippery slope... on US FDA Moves To Ban Trans Fat · · Score: 1

    .5/g per serving of Trans-fats will not hurt you. Silly point.

    Let's say eating an oreo cookie is 0.2/g and they define a serving as 2 cookies. Then oreos are sold in "lunchable snack packs" containing 6 cookies.

    So a kid gets 3 servings of cookies, gets 0.2*6 = 1.2g of transfat, parents think they haven't had any yet. Then the same thing happens in half the things in the sandwich, the other dessert, and 3 other meals the kids eat. So tracking by label you've eaten 0, while tracking what was actually in the food you ate gives you 28grams per day...

    Of course Oreo says they don't use transfat anymore at all, so it's just a theoretical example.

    But the point stands, if it's not labelled, you don't know what is there. We can argue the merits and amounts of anything that is 'good or healthy', but it's shocking that there is any legitimate reason to argue about labeling. Things should be labelled. Period.

    And if a company doesn't want to label something, that's a red flag that they probably should be labeling it.

  14. Re:Why is the archive worth preserving? on Internet Archive's San Francisco Home Badly Damaged By Fire · · Score: 3, Insightful

    Is the preservation of old internet sites anything more than a curiosity that will end up in museums? Is it useful to the human race in some way?

    Most of it's not. Someone's blog or twitter feed today will be the future's Diary of Anne Frank. It's hard to know now what is or will be important 50, 100, or 1000 years from now.

    It's also useful in the shorter term for everything from investigating crime (a new lead in a cold case brings to light a new suspect, and suddenly some chatter on geocities or other long defunct page is relevant evidence), to fighting bogus patents (groklaw used to reference the archive to cite prior art), to looking at documentation for older things... where the manufacturer has removed the documentation pages / gone out of business, the support forums removed, end user hosted fansites/discussion etc have gone dormant, abandoned and eventually disappear. Much of it still searchable & recoverable in the archive.

  15. Re:Clear as mud on Apple Issues First Transparency Report · · Score: 1

    Even if they couldn't invoice the government, they could (and possibly according to GAAP should) still account for it, even if it just gets written off as an operational cost.

    If they didn't account for it, then how could they justify paying the two full time employees who spend their days filling out the reports, taking requests, etc. :p

    You can bet that if these companies are well run, accounting knows how much they are spending on legal compliance to this sort of request, even broken down to which agency is their biggest cost center.

    If you or I received a request out of the blue sure it would just end up as 2-3 hrs of random lost time to 'admin'. But if we received 2000 requests a year, or 7 a day, we might well have a full time employee just handling them... damn right we're going to know why we're paying him.

  16. Re:profile = evidence? on Researchers Use Computer-Generated 10-Year-Old Girl To Catch Online Predators · · Score: 1

    The curious thing is that if you solicit sex from someone who a reasonable person would believe was not a minor, but actually is, I'm pretty sure that's still illegal, which is sort of a double standard

    Not at all. It's illegal to attempt to solicit sex from a minor (hinges on intent to commit the crime). And it's illegal to actually solicit sex from a minor (hinges on the actual act of committing the crime).

    This is not unusual.

    In the same way that "attempted murder in the first degree" is illegal, whether you succeed or not, and involuntary manslaughter is one of several possible crimes that applies when you succeed without intending to. Along with a whole raft of other variations covering various levels of success and/or intent.

    For example, it would be interesting to see how a jury would rule if the defendant in such a case provided diary entries that indicated that he or she was reasonably certain that the person on the other end was not actually a minor.

    Yeah, the old "my kink is to cyber with police officers pretending to be minors" defense?

  17. Re:Wii Mini isn't worth $99 on Nintendo Announces $99 Wii Mini For US Release · · Score: 1

    for the original Zelda without needing to emulate

    The virtual console on the wii-u has it. Although it's probably emulated still. But at least it's official, sanctioned emulation, with a controller that works properly with no hassle. (And as someone who played the original SMB through to the end on VC, the timing is really good... I always had major issues playing SMB in emulation, but I can play SMB on the virtual console with muscle-memory learned at childhood, lol.)

    Ikaruga -- great game -- you may be interested in:
    http://steamcommunity.com/sharedfiles/filedetails/?id=183195387

    F-Zero GC -- there were rumours GC titles will show up on the Wii-U virtual console, but I don't think it's happened yet. I wouldn't hold my breath.

    Your best bet for Ikaruga and F-Zero right now are probably a used Wii... or even a used GC.

  18. Re:OK, so what's new in it? on Nintendo Announces $99 Wii Mini For US Release · · Score: 1

    not at anyone who's even mildly serious about gaming.

    Agreed.

    since they took out Gamecube backwards compatibility

    Anyone serious about gaming, wouldn't have waited SEVEN YEARS to buy one.

    At this stage, backwards compatibility concerns of anyone serious would be whether the Wii-U is back compatible with the Wii. (it is). I doubt anyone cares about backwards compatibility with gamecube titles now. Several of the key titles were rereleased for the Wii anyway, and gamecube is a pretty distant memory for most people.

    and Internet connectivity

    Yep; I honestly really can't see why they pulled that. It can't be more than a couple bucks worth of parts. But still, anyone buying a wii now instead of a wii-u is doing it for a cheap console, probably for young kids (and that's fine).

    For anyone 'serious' looking at a wii, the wii-u has all the bells and whistles, and full backwards compatibility with the wii.

  19. Re:OK, so what's new in it? on Nintendo Announces $99 Wii Mini For US Release · · Score: 1

    They strip out the Internet capability, which is an utterly stupid move when they don't have a counterpart with that connectivity

    The counterpart is the wii-u.

  20. Re:No Internet is a Plus for Parents on Nintendo Announces $99 Wii Mini For US Release · · Score: 2, Insightful

    I'm a parent and I want my child to have the skills to cope with profanity and the internet and the intersection of the two. I don't see a Wii of any form having much relevance to that.

    Is your child 5 or 15 ? There is a difference.

    That said even the Wii classic presented a very safe environment vs xbox and ps3.

    I don't see a Wii of any form having much relevance to that.

    The main reason to buy a wii, wii mini, or wii-u is, was, and will remain the games. Despite all the shovelware that got released for it, there is quite a solid games library for the Wii.

    Many of the must-have gamecube classics were re-released for the wii so the lack of back-compat in the latest mini isn't as big of a deal.

    Meanwhile the value proposition for the U is perhaps harder to make, the core library is still a bit weak, although there's some good exclusives. The back-compat with Wii however means that if you skipped the wii, there's actually quite a lot of great stuff to play alongside the wii-u titles. The real support for HD is nice, and it's Yet-another-way-to-do-netflix on your TV although it's one of the better ones due to the tablet support.

    The tablet controller is more comfortable than most people would expect, and it's not heavy or awkward even for extended sessions. Hitting its battery life limit is a bigger problem than any ergonomic complaints, although you can plug it in and keep playing if you want.

    I do most of my gaming on the PC, and there aren't enough unique compelling exclusives to overcome my distaste for Sony or Microsoft to buy their consoles, but for me the WiiU has been good value. But I have kids, and local multiplayer / party games are a very regular occurrence.

    But it's certainly not the best console for everyone.

    FWIW I'm very curious how the steambox turns out.

  21. Re:godzilla on New Framework For Programming Unreliable Chips · · Score: 2

    OTOH, in measurement theory, it's been long known that random errors can be eliminated by post-processing multiple measurements.

    Gaining speed and energy efficiency is not usually accomplished by doing something multiple times, and then post processing the results of THAT, when you used to just do it once and got it right.

    You'll have to do the measurements in parallel, and do it a lot faster to have time for the post processing and still come out ahead for performance. And I'm still not sure that buys you any improved efficiency.

    random errors can be eliminated by post-processing multiple measurements.

    And this is the real crux of the paradox :) Random errors can be introduced by post processing multiple measurements on an unreliable processor doing the post processing.

    Now we have to post-post-process the results of the post-processed results to eliminate any random errors there? Turtles all the way down.

    That said, as TFA suggested there are operations that can tolerate error, like video decoding -- and if we can realize substantial gains in performance or energy efficiency that translates into your laptop running a lot longer in exchange for a few transient (sub tenth of a second) pixel errors... that's a pretty good trade.

  22. Re:And nothing of value was lost... on Microsoft To Can Skype API; Third-Party Products Will Not Work · · Score: 1

    The reason I want to switch away from skype is objection to the business model, and the increasing amount of advertising.

    Google Hangouts is jumping out of the frying pan into the fire.

  23. Re:And nothing of value was lost... on Microsoft To Can Skype API; Third-Party Products Will Not Work · · Score: 1

    And so you'll keep changing what you "need" to ensure that what you "need" is skype because giving up the martyrdom and halting your whining is not good enough for you.

    Haven't changed a thing. What are you on about?

    An IM client will support Jitsi and that IM client will do on/offline/away status, im, group im, voice (IT'S SIP, YOU FUCKWIT).

    I don't use SIP much, but ALL the SIP clients I have used in the past all seemed to be good at being virtual phones -- voice, conference calls, most didn't even have IM at all, never mind the ability to have group-IM conversations like skype. Maybe I'm missing something from your post, but the SIP clients I've looked at don't seem to do this.

    Using an IM client + separate SIP client would be a clumsy step backwards in usability.

  24. Re:When will he be arrested? on Atlanta Man Shatters Coast-to-Coast Driving Record, Averaging 98MPH · · Score: 1

    Frankly you're a bit of a pussy with speed from what you write. 100Mph is nothing on a well-built highway in a modern good quality car.

    And I wrote:

    "To sum up 100-150mph on an empty highway ... sure ok. Been there done that, agree its not that bad."

    In Germany there are many highways without speed limits and if you're only driving 100Mph you're going to get passed all the time.

    And then I wrote:
    "100mph+ where the other cars are speed matched... sure ok"

    Speed matching is the key. If you're going 140mph, passing cars doing 120mph that's completely different from doing 140mph passing cars doing 60mph.

    It's when you mix high speed and low speed vehicles driven by inattentive drivers that it gets dangerous. In North America highway etiquette is not nearly as well observed, with respect to slower traffic keeping right, etc. If someone is doing 80mph in the fast lane, and someone comes up behind him doing 120mph the guy doing 80 will likely as not just sit there and force the faster car to slow down or pass on the right.

  25. Re:And nothing of value was lost... on Microsoft To Can Skype API; Third-Party Products Will Not Work · · Score: 1

    Microsoft has an advertising business too.

    And it pales in comparison to Google's or Facebook's. It's not even in the same league.