The last time I watched a star wars film was roughly the year 1987.
I'm going to keep my vague inaccurate partial memories of the first three films and my memories of my mother being a sharp tongued sour faced bitch when I requested star wars toys for Christmas, wanted to buy star wars toys with my money or played with them in range of her.
Anyone got any recommendations for software for end to end encrypted VOIP using PCs?
A competently operated website will store hashes of the passwords instead of the passwords themselves.
If the hashes get leaked then typically two thirds of the passwords will be revealed in the first few minutes of cracking because people mostly use weak passwords, sites use hashing algorithms that aren't slow enough and GPUs can try billions of passwords per second for common algorithms.
However a good password, such as 14+ random letters and numbers or 5+ random words that don't appear together anywhere in published literature, still won't be revealed from the hash, so it is lower risk to reuse across sites, not zero risk because it could be captured when you log in to a hacked site or due to a site storing plaintext passwords.
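As an added example (not part of this comment), the guessing economics above worked through in Python: the entropy of the two recommended recipes against an assumed fast-hash rate of 1e10 guesses/s and an assumed slow-KDF rate of 1e4/s, beside what salted, iterated storage looks like with PBKDF2. The rates, the 7776-word list size and the iteration count are assumptions.

```python
import hashlib
import math
import os
import secrets
import string

# Guessing rates (assumed): the comment's "billions per second" for a fast
# unsalted hash on GPUs, versus a deliberately slow, tuned KDF.
FAST_HASH_GUESSES_PER_SEC = 10_000_000_000
SLOW_KDF_GUESSES_PER_SEC = 10_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate; on average an attacker needs half."""
    return 2 ** bits / guesses_per_sec / SECONDS_PER_YEAR


# (alphabet size, number of symbols) for a weak password and the comment's two recipes.
RECIPES = {
    "8 lowercase letters": (26, 8),
    "14 random letters+digits": (62, 14),
    "5 random diceware words": (7776, 5),   # assumed: a 7776-word list
}


def compare_recipes() -> dict:
    """Bits of entropy and exhaustive-search time for each recipe under both rates."""
    out = {}
    for name, (alphabet, length) in RECIPES.items():
        bits = guess_space_bits(alphabet, length)
        out[name] = {
            "bits": round(bits, 1),
            "years_fast_hash": years_to_exhaust(bits, FAST_HASH_GUESSES_PER_SEC),
            "years_slow_kdf": years_to_exhaust(bits, SLOW_KDF_GUESSES_PER_SEC),
        }
    return out


# What "competently stored" looks like: per-user random salt, an iterated KDF so
# each guess costs the attacker real work, and a constant-time comparison.
PBKDF2_ITERATIONS = 600_000   # assumed; tune to what the server can afford


def hash_for_storage(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived-key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def random_alnum_password(length: int = 14) -> str:
    """Generate the comment's first recipe: random letters and digits from the CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, row in compare_recipes().items():
        print(f"{name:28s} {row['bits']:5.1f} bits  "
              f"fast hash: {row['years_fast_hash']:.2e} y  slow KDF: {row['years_slow_kdf']:.2e} y")
```

The 8-letter password falls in seconds even against a slow KDF's average case, while the 14-character recipe is out of reach with a fast hash, which is why the comment treats it as reusable at low rather than zero risk.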
The draft bill is expected to be published tomorrow.
If you are in the UK please write to your local MP. Even a one sentence letter.
It will be too sad if this happens and we did not even try.
Slightly related:
Lcamtuf writes that running strings over a maliciously crafted file can probably result in code execution on your system.
http://lcamtuf.blogspot.co.uk/2014/10/psa-dont-run-strings-on-untrusted-files.html
The big picture is nothing new: when you use software, particularly software which is written in C/C++, to process data from untrustworthy sources there is a reasonable chance of hard to spot security vulnerabilities.
4.5 times faster than QEMU is still very slow
I tried one against myself for a minute last year and saw about 4Gbit/second of port 53 UDP traffic. Enough to cause problems for an amateur-hour webhosting service. Any half decent webhost can handle that these days.
"forward deflector array" ? Modded informative ?!?
The international space station is a real thing in orbit around the earth with real people on board.
Deflector shields are not real. Star Trek is fiction; Captain Kirk was an actor in front of some cameras.
For a few more months in the UK analog TV will use 470-862 MHz.
The last few analog transmitters will soon be switched off,
the replacement digital transmitters will just use 470-790 MHz.
806-854 MHz was auctioned off in 2009. 790-806 MHz may be used for other things in areas where it is not used for digital TV.
The worst case scenario for TV interference is roughly this.
Someone's house is on the edge of the coverage area of a digital TV transmitter which is on the highest multiplex frequency. They are 35 miles from the transmitter and have a big TV antenna on a twenty foot pole on the chimney with a wideband preamp on the pole.
The TV signal is just barely strong enough to give a picture and only freeze occasionally when a pigeon flies in front of the antenna.
The TV signal is 8 MHz wide ending at 790 MHz.
A mobile internet base station pushing out 100 watts is installed 100 meters away from the house using frequencies starting just 16 MHz higher at 806 MHz.
In terms of power the mobile internet signal might be 70 dB stronger, that's ten million times the received power.
The base station signal is strong enough that it overloads the masthead preamp. It doesn't even matter if the TV decoder can handle a massive signal close to a very weak signal (and it probably can't) because the preamp is clipping and the weak TV signal is lost before it even gets to the TV.
In theory, good planning will mitigate this considerably.
In practice vast amounts of existing TV equipment is specifically designed to receive and amplify the frequencies that have been sold off for other uses.
Mobile applications need lots of base stations close to the users.
Inevitably lots of people will have a base station on a tall building that they can see out of the window in an area where the TV transmitter is twenty miles away.
Bitcoin is not in trouble.
Some idiot speculators lost their money. Some people who were stupid enough to trust online wallet services lost their money. Some people who got their Windows machines infected lost money. A few idiots who didn't keep backups lost their money. The people who are holding BTC are likely to find it loses value for years but it was their choice to get into it in the first place.
The system still works fine. You can still transfer bitcoins from one user to another across the internet with a few clicks. If you keep your private keys safe nobody can steal your coins.
Bitcoin will be in trouble if a significant attack on the cryptography is found.
Bitcoin will be in really big trouble if someone finds a remotely exploitable hole in the client software.
So far, it is not in trouble.
It can drop in value to 1 US cent per BTC and still not be in trouble.
Anyone can mine bitcoins, you don't have to be a politically connected bankster to participate.
The creation of new BTC is predictable and publicly documented.
Participation is voluntary. Anyone can read about how it works, see that the amount of BTC in circulation is going to more than double in the next five years, see that the level of commerce with BTC is low and decide if they want to hold any. (Personally I think holding BTC is a bad idea and will be for years unless commerce increases considerably.)
Having your fiat currency devalued to cover the deficit spending of long retired spendthrift politicians is not voluntary.
Applying more computer power to bitcoin mining won't devalue bitcoin any more than it will anyway. The software adjusts the difficulty of generating blocks so that it generates approximately 7200 BTC every day for the next year, fewer after that. More computing power applied to mining just means that individual people mining get a smaller share of the coins being generated.
I just wish I could find the setting to show the site as it was six or seven years ago. Bandwidth is cheap and my browser can cope with large pages, I don't want to see or click a "get more comments" button ever. I just want it to show every comment at my chosen score threshold by default.
From the report:
TcpCrypt was motivated by the observation that server computing power is the performance bottleneck. To make ubiquitous encryption possible, highly asymmetric public key operations are arranged so that the expensive work is performed by the client which does not need to handle high connection setup rates. This is in contrast to SSL/TLS where the server does more work.
I think that's a really insightful observation. I'd really like a new version of HTTPS that takes away the most common objection to using it by making the client do most of the work. Most computers being used for web browsing have processor time to spare, not sure about smartphones though.
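Added example, not code from the report or from the tcpcrypt project: why the client can absorb the expensive side. With RSA and the usual small public exponent, the public-key operation is a handful of modular multiplications while the private-key operation is thousands; the code counts both, compares the server's affordable setup rate under each arrangement, and runs a toy RSA with textbook-sized constructed primes. The 2048-bit private exponent and treating a squaring and a multiplication as equal cost are assumptions.

```python
# Cost asymmetry of RSA operations, which is what lets the arrangement quoted
# above hand the expensive work to the client. Added illustration, not tcpcrypt code.

PUBLIC_EXPONENT = 65537        # the common choice, 2^16 + 1: only two set bits
PRIVATE_EXPONENT_BITS = 2048   # assumed: a full-size d for a 2048-bit modulus


def square_and_multiply_cost(exponent: int) -> tuple:
    """Operations for left-to-right square-and-multiply: one modular squaring
    per bit after the leading bit, one modular multiplication per set bit
    after the leading bit. Returns (squarings, multiplications)."""
    squarings = exponent.bit_length() - 1
    multiplications = bin(exponent).count("1") - 1
    return squarings, multiplications


def public_cost(e: int = PUBLIC_EXPONENT) -> int:
    """Total modular operations for the public-key operation."""
    sq, mul = square_and_multiply_cost(e)
    return sq + mul


def expected_private_cost(bits: int = PRIVATE_EXPONENT_BITS) -> int:
    """Expected operations for a random full-size private exponent: about half
    of its bits are set, so roughly `bits` squarings plus `bits / 2` multiplications."""
    return (bits - 1) + bits // 2


def cost_ratio() -> float:
    """How many times more work the private-key side does (assumption: a squaring
    and a multiplication cost the same)."""
    return expected_private_cost() / public_cost()


def server_setups_per_second(ops_budget: int, server_does_private_key: bool) -> float:
    """Connection setups a server can afford per second from a budget of modular
    operations. TLS with RSA key exchange puts the private-key operation on the
    server; the arrangement quoted above gives the server the cheap public-key
    operation and the client the expensive one."""
    per_setup = expected_private_cost() if server_does_private_key else public_cost()
    return ops_budget / per_setup


# Toy RSA with textbook-sized constructed primes (p=61, q=53) so the roles can be
# exercised end to end: whoever holds d pays for the expensive pow().
TOY_N = 61 * 53        # 3233
TOY_PHI = 60 * 52      # 3120
TOY_D = pow(PUBLIC_EXPONENT, -1, TOY_PHI)   # modular inverse of e mod phi(n)


def toy_exchange(secret: int) -> tuple:
    """The cheap side encrypts with (e, n); the expensive side recovers with (d, n).
    Returns (ciphertext, recovered_secret)."""
    ciphertext = pow(secret, PUBLIC_EXPONENT, TOY_N)
    recovered = pow(ciphertext, TOY_D, TOY_N)
    return ciphertext, recovered


if __name__ == "__main__":
    print("public-key op:", public_cost(), "ops; private-key op:", expected_private_cost(), "ops")
    print("ratio: %.0fx" % cost_ratio())
    budget = 1_000_000
    print("server setups/s holding the private op:", server_setups_per_second(budget, True))
    print("server setups/s holding the public op: ", server_setups_per_second(budget, False))
    print("toy exchange of 65:", toy_exchange(65))
```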
The ClamAV engine is designed for scanning incoming email. These days any sensibly configured email system deletes all email with any form of executable attachment before it gets anywhere near the end users so email scanning is a bit of a niche market.
The ClamAV engine may be good at email scanning but that does not mean it is good for general malware scanning. Clamwin, which uses the ClamAV engine in a general Windows malware/virus scanner, has very poor detection compared to the top few antivirus packages (Eset Nod32, AVG, Kaspersky, Avira paid version, Panda).
Malware delivered via the web is the main source of the epidemic of crap on the Windows platform these days. In geek circles I feel like a suspected plague carrier because I carry a Windows laptop instead of running Ubuntu or carrying an Apple.
I do nearly all my browsing in Windows virtual machines. The basic Firefox-only VM is little trouble. A VM with Flash player, Sun Java, Acrobat Reader, dotnet addon etc results in the "what's all this network traffic, shit the VM is sending spam" or "popups WTF?" every few months, followed by going back to a known good copy of the VM and redownloading lots of updates.
Over the last year I've uploaded a couple of dozen malware .exe's from the web to VirusTotal (mostly attempts to exploit user ignorance that didn't get running on my machine, e.g. desirable-file.pdf.exe). I keep the exe's and check how long it takes for AV companies to add detection. Kaspersky and AVG usually add detections within 36 hours, Avira is usually "next day" provided next day is Monday-Friday.
Half the time Clamwin does not detect the malware and typically takes a couple of weeks to start detecting my sample if they get it at all.
I have little confidence in another package using the ClamAV engine doing any better.
Also the only real cleanup response for malware arriving by email is 'delete'; removing malware that has installed itself into Windows takes much more work. A lot of people rely on antivirus software to clean up messy infections instead of being organised enough to have current backups and known-good images of every machine.
I recommend NOT buying a Hantek USB oscilloscope.
I got a DSO-2250 which sounded good for the money. I should have spent more time reading reviews; this review sums it up.
The software for Windows is buggy and limited. They seem to have largely rewritten the software between version 6 and version 7 but have just replaced old bugs with different bugs.
The most frustrating bug is that it gets stuck and stops triggering until you close and reopen the software. It's really annoying to have your hands full poking the probes into some equipment and not knowing if you have missed the packet of data you are trying to catch because it wasn't sent or because the scope software didn't work.
The manufacturer claims 8-bit sampling and 250 megasamples/second.
Sadly the hardware is noisy and the lowest two bits randomly change. The software has a smoothing option to hide the noise but then you don't get anything like the time resolution you paid for.
If the software was better I could live with that as I mostly look at digital signals.
I still personally favour a PC oscilloscope since I haul a laptop around and might as well make use of its high-resolution screen.
For digital work a 'scope that can capture a one time event to look at at your leisure is far better than an analog scope that needs a repetitive signal to keep refreshing the CRT.
There is a very large number of posts in eBay's forums from sellers complaining about this.
If I was a larger seller I'd be trying to get together with other big sellers to create a private system to share information about scamming/deadbeat/irrational/insane buyers and hijacked accounts.
On another note, eBay UK has announced that all prices must include VAT (value added tax) if it is going to be charged. In typical eBay fashion, until now their help pages said that VAT would be included but they refused to enforce it, so lots of people have had the irritating experience of being unexpectedly asked to pay 17.5% more. People should have read the small print in the auction saying VAT would be added but it's easily done when you are trying to grab a bargain.
If they have access to your computer to install an extra root certificate they could also patch your web browser to not check root certificates.
A friend of some of my friends, a man I run into about once a year was caught up in this.
The story I heard was that he claimed innocence but pleaded guilty as the legal advice he got was that he would be let off with a fine but he would definitely be found guilty and sent to prison if he tried to fight it.
I'm currently trying to make sense of the WEEE regulations. UK businesses that supply electronic products are required to register with a waste collection and recycling scheme by the 15th of March if they fall into vaguely defined categories covering most consumer products and some other stuff. A few months after that suppliers have to start taking back unwanted electronics.
The intention is to push the costs of disposal back to the manufacturer.
A director of a UK manufacturing company told me recently that the extra costs for him amount to 18% of turnover for no practical benefit.
It seems to be a full employment scheme for lawyers and bureaucrats. After reading lots of conflicting information on the web I tried reading the act of parliament that implements the European directive and was even more confused and outraged afterwards.
I'm sure there are lots of cases where people can argue over whether their product falls into the vaguely defined categories.
This is on top of CE marking, EMC, and RoHS. I've seen companies discontinue products because it is just not worth the cost of redesigning to not use lead solder and other non-RoHS stuff. With WEEE on top niche market electronics manufacturers just took a big hit.
Considering how easy it is to buy very very cheap, non-CE marked electronics direct from Hong Kong via eBay I worry about what's left of UK electronics manufacturing. It's been decimated by Pacific Rim competition over the last ten years already.
Does this emulator freeze or go wonky every couple of days like real WinCE devices?
Has anyone ever seen a WinCE device that doesn't fall over frequently?
Almost forgot, an analysis of the Skype protocol from 2004
"To be able to reverse-engineer the Skype protocol, these guys had at one point or another to decrypt the data, and encrypt it as well. What this means is that they could configure their application as a SuperNode and intercept conversations, files, text in between."
This is not a valid conclusion. To send out and receive audio when participating in a call it is necessary for a client to have the crypto keys. When the client is running on a general purpose computer the keys are inevitably accessible by the end user. The only solution to that is tamper resistant hardware and we, the Slashdot masses, hate that.
To function as a relay for other people's Skype conversations you don't need to be able to encrypt and decrypt the streams, you just pass them on.
There is a big problem with Skype, which is that the way it is implemented means that the people who run Skype could eavesdrop on calls and could be served with warrants to do so. Using end to end public key encryption to prevent that would not prevent anyone reverse engineering it and creating a compatible client.
Lots of info on how Skype works, including that the people who run Skype could eavesdrop on conversations, the possibility of using Skype to relay non-Skype traffic and an overflow security hole (hopefully now fixed) were revealed four months ago.
Silver needle in the Skype at Blackhat Europe
SVN. Problem solved.
Uh, no. You have to be pretty high up on the geek scale to use a version control system. Unless you were forced into learning it while doing a computer science degree it's a pretty formidable thing.
"What makes version control systems (VCS) so great is this: lots of people can take your code, make little branches, and fiddle around with it in a distributed fashion. Then at some point, you get to merge it all back together in such a way that the VCS will seamlessly delete all the wrong bits, and leave you with a pile of conflicts that takes weeks to manually pick through." -Danny O'Brien
"There is a theory which says that only crazy people work on version control system. There is another theory which says that the first theory gets the causality backwards."
- Anonymous