Feeds

* Posts by Charles 9

3814 posts • joined 10 Jun 2009

Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers

Charles 9
Silver badge

Re: Extra dimensions!

Write your signature twice at your normal speed. Note how different the two of them are, not just in appearance but also in time taken. Circumstances can alter our strokes and our timing, meaning unless a timing-based check is forgiving, we have a passing fair chance of missing. That's probably why timing hasn't been used much in current gesture checks like those seen in Android.

4
0

ATTACK of the ROBOT BANKERS brings stock market to its knees

Charles 9
Silver badge

Re: Attack of the High Frequency Trading systems.

As for the idea that a transaction fee will stop HFTs, given that the companies with the capital to build and operate an HFT routinely operate with billions of dollars at a time, any kind of non-exorbitant transaction fee would likely be absorbed by them as The Cost of Doing Business. And beyond that, suppose these companies decided to end-run around transaction fees?

0
0
Charles 9
Silver badge

Re: Attack of the High Frequency Trading systems.

But there are too many bags for that to happen, and more keep on coming every day. Part of the HFT's job is to FIND the bags...FIRST. And when a trade tales MILLIseconds, every NANOsecond counts. This is "first in wins" taken to inhuman extremes.

1
0
Charles 9
Silver badge

Re: What is a stock market for?

I suspect any attempt to curb HFT outside of the law (and the financial sector is one of the most influential in government) would just be sidestepped if necessary by means of their own feeds or markets.

2
0

BBC releases MYSTERY RIDDLE poster for Doctor Who anniversary episode

Charles 9
Silver badge

Correct. Rose was left alive in Pete's World along with the cloned Ten (which I'm sure most are figuring is what David Tennant will be reprising for the special). Given the clone's circumstances, this would also allow for Tennant not to have to look younger for the special, either (since the cloned Ten was more human than Time Lord and therefore aged).

0
0
Charles 9
Silver badge

Re: The geek in me is compelled to mention...

Never thought of it in those terms. My thought was that the Other, like Eight during the Great Time War, was probably forced into some bad but necesary things. He couldn't have done them "in the name of the Doctor" because this was before he became the Doctor (and that's why I don't think it's Eight; at least Ten acknowledged what Eight did--regrettably, yes, but it didn't seem like Eight abandoned the title during the Time War and resumed it when becoming Nine). I think of it like ultimate motive: why did the Doctor become (and assume the title of) the Doctor in the first place? It's not as if this has been discussed in significant detail, has it?

0
0
Charles 9
Silver badge

Re: The geek in me is compelled to mention...

But he also got flak from the old school at the same time, so there's pressure in both directions.

It'll be curious to see how things are steered once Peter Capaidi becomes Twelve. After a rash of young Doctors, I have to wonder how an older one will be handled these days.

0
0
Charles 9
Silver badge

Re: The geek in me is compelled to mention...

I think Moffat's been doing that since Matt Smith became Eleven. There's already a lot of edgy stuff and looks into the Doctor's sordid past.

1
0
Charles 9
Silver badge

Re: The geek in me is compelled to mention...

My money's on 0, as in Hurt's the Other: the Doctor before he was the Doctor.

1
0

NIST denies it weakened its encryption standard to please the NSA

Charles 9
Silver badge

Re: American Institutions

But then who do you trust for anything with global relevance? Who's to say YOUR non-US government isn't doing the same thing and just weren't caught doing it? The REAL real problem is we're at a lot point in the world of trust, and trust is an essential part of security. But in terms of security, our trust has become so ephemeral we're almost to the unusable "trust no one" state.

We're floating towards Descartian "Evil Genius" territory, and unfortunately (Sorry, Doc Smith), there is no genuine, imitation-proof symbol of trustworthiness in the universe (at least that we know of).

0
0
Charles 9
Silver badge

Re: Paranoia

Two phrases come to mind. One: "Paranoids are just people with all the facts." Two: "It isn't paranoia if everyone really IS out to get you."

6
0
Charles 9
Silver badge

Re: Lying is still not always legal

"Just because you can't tell the truth doesn't mean you're allowed to lie. If, for example, you are an executive at a corporation, making statements about company activities which are later shown to be objectively false is actually illegal under SEC regulations, and you can end up in prison for that (though more slowly than you might for telling the truth). The only thing that you can do with impunity is refuse to comment."

Unless the "refusal to comment" amounts to an implicit affirmative answer, since if they weren't involved, they would be able to answer in the negative. IOW, a "we can neither confirm nor deny" answer basically equates to an answer meaning "we're keeping a secret".

So what if you're caught between two laws, one saying you can go to prison for telling the truth, another saying you can go to prison for lying, the question is a direct yes/no, and vacillating amounts to admission?

0
0

Torvalds shoots down call to yank 'backdoored' Intel RdRand in Linux crypto

Charles 9
Silver badge

Re: Who can tell?

But we just read that mixing RNGs in particular ways can't hurt and only help. How can mixing RNGs reduce their reliability? Are you saying an adversary could create a stream designed to negate (and thus sabotage) an RN stream? Or is something else involved?

1
0
Charles 9
Silver badge

Re: Android

Android is based a lot on Linux, and /dev/random IIRC isn't too different from its predecessor. However, since most Android devices use ARM, it doesn't have access to a hardware RNG. It can draw in a number of sources of "noise" like network transmissions and user input to help with the entropy issue, but perhaps it lacks the entropy for a more serious implementation.

1
0
Charles 9
Silver badge

Re: drivers/char/andom.c

There is research into alternate sources of entropy from other parts of the CPU. Given a sufficient workload, the registers and other internal workings of the CPU are volatile enough to create a source of entropy (this is the theory behind HAVEGE). Perhaps more research into other independent sources of entropy could be found (I can't think of any, though, off the top of my head that couldn't be subverted in some way).

1
0

Google scrambles to block backdoors

Charles 9
Silver badge

Re: I really don't understand this move@Doug S

And what if your data goes into the cloud ALREADY encrypted by an open-source and well-vetted algorithm? Remember, while the US itself may not publish codes they can't crack, last I checked they didin't restrict the IMPORT of outside algorithms, and there are plenty of sharp minds outside the US.

0
0

That earth-shattering NSA crypto-cracking: Have spooks smashed RC4?

Charles 9
Silver badge

Re: The sky is falling?

Wiki covers the subject pretty well.

http://en.wikipedia.org/wiki/RC4

And relax, it's full of citations where you can get further information.

In a nutshell, RC4 has flaws that reveal key information about the plaintext in the cyphertext. Using that, one could reconstruct the plaintext with some patience (or access to a cloud because RC4 usually doesn't have a lot of bits). Klein's attack, for example, could analyze the cyphertext from a bunch of WEP-encrypted frames and use them to recover the WEP key. Since it could be done over the air and in a short amount of time, WEP was essentially no good anymore.

0
0
Charles 9
Silver badge

Re: Really ..

So why haven't they done anything about quantum encryption, which if performed properly is provably secure by science (the flaws in it have come from implementation flaws, not in the fundamental theory)? Unless you're saying the NSA has defied international science (including science outside US control) and created a way to break Quantum Key Distribution undetectably.

0
0
Charles 9
Silver badge

Re: OMG, the laziness!

But then again, how can Alice be certain she's meeting Bob and not Eve posing as Bob (and before you bring it up, Eve's a tomboy and an expert male crossdresser)?

The most difficult part of a secure conversation is STARTING it, because that requires a level of trust. Thing is, how do you do that in a DTA environment: one where anyone you meet could be the enemy?

1
0
Charles 9
Silver badge

Re: Has RC4 been broken? Probably

But now you run into some "hard" problems.

b) Without Trent, how can Alice and Bob be sure they're talking to each other? For all they know (even in a face-to-face encounter), Eve is posing as one of them. It's such a problem that even Quantum Encryption says you need Trent. So how do you do trust without Trent?

c) And you notice how clunky TOR is? That's because mail can't run properly without an address. Similarly, IP packets require a destination, and that's in the header. So how do you mail an envelope when the addressee is INSIDE the envelope?

0
0

UK investor throws £14.8m at firm that makes UNFORGEABLE 2-cent labels

Charles 9
Silver badge

Re: Hmm...

How does that make sense? If you can repeat the process, you can make it such that two tags return the same signal. As long as you can do that, you can forge the tag, full stop. It has to be a process that doesn't allow for control: like fingerprints, which are made by a chaotic biological process not under the person's control. Otherwise, one could control the process to make a duplicate. Thus the term "snowflake" (snowflakes form by a chaotic process, thus like this tag can't readily produce two identical ones).

0
0
Charles 9
Silver badge

Re: Hmm...

More like a bad imitation of the Lens. It wasn't meant as much a masquerade as it was a means to replicate some of the other functions of the Lens like telepathy and increased mental ability: a way to combat the L2's. Thing was, they were too late as L3's had already emerged and would become the most advanced thinkers in the universe.

PS. You're right about Children of the Lens being the coda of the series.

0
0
Charles 9
Silver badge

Re: Hmm...

By that reasoning, you're talking about a "snowflake" manufacture process: one that produces (by design) random patterns in the electrical medium. The process as such doesn't allow for duplicates because that part is outside the control of the manufacturer, but that's not to say someone couldn't contrive a different process that allows for control of that step.

Trying to build a forgeproof ID has been the subject of sci-fi for decades. Even the Lensman series ran its early books on the idea.

8
0

Indian spooks snooping without ISP knowledge

Charles 9
Silver badge

But isn't the first step to going after a bad guy IDENTIFYING them? And in a world full of splinter cells and lone wolves, how else are you going to identify the bad guys, particularly the ones within your midst? And since the threat they pose can be potentially existential, it's kinda "no holds barred": you either go Big Brother or let the bad guy at your neck.

1
2

Silicon daddy: Moore's Law about to be repealed, but don't blame physics

Charles 9
Silver badge

I think it's more than cost that blocks their use. IIRC those high-frequency devices are very simple in nature compared to, say, a CPU. Plus note you used the word "extreme". That implies a bit of risk-taking that may not be desirable in a mass-market setting.

0
0
Charles 9
Silver badge

Re: New architechture and improved coding

You're asking for something with the performance of DRAM but nonvolatile.

They've been working on that stuff for...about three decades at least. Tech up to now like Bubble Memory and Flash have always had strings attached. Bubble memory was slow and had to be heated up to work, while Flash is known to be slow to write and prone to lifecycle issues.

There are several candidates for the position: MRAM, RRAM, Racetrack memory (inspired by bubble memory), PCM, and so on. Thing is, none of them have reached wide-scale commercial release at this point. And while some are getting close, achieving the same size and scale as current DRAM tech is still going to take time, plus the tech has to survive the transition process AND be economical. Then the memory has to undergo a paradigm shift as it becomes more affordable, first replacing the RAM and THEN replacing the mass storage (which has its own level of economy of scale and will be more difficult to reach).

0
0

Want the latest Android version? Good luck with that

Charles 9
Silver badge

Re: MTP vs UMS

Well, as I understand it, one BIG reason for the switch to MTP is the fact that MSD require DISMOUNTING the device on Android so the other OS can mount it (it's a limitation of the spec's definition because USB assumes a master-slave relationship--multiple masters breaks the spec). Since many more apps are calling up the MSD, even in the background, this can be potentially destabilizing. MTP at least has the benefit of being usable on a live-mounted system.

That said, Google realized this isn't perfect. They've been trying to extend the spec to account for this, but I think they would appreciate a different specification to be adopted by the general computing world. It's just that no such alternative is forthcoming.

0
0
Charles 9
Silver badge

That's assuming your phone has the oomph needed for Android 4.0+. I tried it once on a Desire Z (T-Mobile branded G2) and found it was too limited in RAM to work properly (it kept FCing apps), so I settled on a Gingerbread ROM before selling it off to help pay for my new phone.

0
0

Reports: NSA has compromised most internet encryption

Charles 9
Silver badge

Re: Ah well!!!

The thing is, how can you communicate very precise information in plain english without having first met the other party (which can itself be a tipoff)? And what if the plan changes and you have to send new coordinates or whatever and are unable to meet your second party again?

Plain english codewords like "birthday party" are only good for very limited scenarios. Once you get to a broader vocabulary, you're going to need something rather more sophisticated.

0
0
Charles 9
Silver badge

Re: Such a surprise?

But that's the big problem. That you basically NEED a third party to vouch Alice to Bob and vice versa. Not even Quantum Encryption can seem to escape from that dilemma. Thing is, in this environment, if Alice can't trust Bob, what reason could they have to trust Trent, whom to Alice is just another stranger? Especially if Alice is in a hostile environment where DTA is the rule of thumb.

1
0
Charles 9
Silver badge

Re: This kind of governmental cheating

"What should be passed are new acts that say any governmental agency that gets caught breaking or abusing the rules are subject to decimation (as in 1/10th of the employees get fired, even split between top and bottom post), plus at least a 20% reduction in budget for the next 5 years. With real penalties should come improvements."

Ever heard of "Screw the rules, I MAKE them"? That's the problem here. Like it or not, when it's the lawMAKERS (in concert) working against you, you lose.

2
0
Charles 9
Silver badge

Re: Disinformation is their secret weapon

"My biggest concern is when they do this without a warrant, I am a firm believer that NO wire taps, traces, decryption or even a request for encryption keys, should be done without a warrant issued by a judge with good reason as its due to a serious suspected crime (i.e. murder, drugs, people trafficking, firearms, terrorism)..."

Even if the mere issuance of the warrant gives the game away (due to moles and the like) and makes the terrorist(s) go to ground?

0
3
Charles 9
Silver badge

Re: I wonder

1) "The Code is vetted!"... ~By who? Who watches the Watchmen?~

By people OUTSIDE the US, who can't be influenced by the US.

2) "Do these People know what every "bit" does?" I mean are those People able to find such cleverly hidden Code?

You'd be surprised at the thoroughness of some bug hunters, especially if money or prestige are involved.

1
0
Charles 9
Silver badge

Re: Ah well...

"Threats of death to loved ones can also unmask the most fiendish codes too..."

And suppose you're a masochist (torture gets you off) with no friends or family (no other ways to get to you)?

0
1
Charles 9
Silver badge

Re: @AC

You do realize that by making it a LInux instead of say a BSD the code must be open-sourced (GPL license requires it) and able to be analyzed. And the links of the chain needed to produce the kernel from source (like the compiler) could be obtained from places outside US control. SELinux was something they put in for their OWN benefit, to cover their OWN butts, because as the article notes, anything used here could be turned against them. Thing is, SELinux is a rather complicated way of doing things (no root user), so it's not for everyone.

2
0
Charles 9
Silver badge

Re: Disinformation is their secret weapon

Even open-sourced ones where the code can be analyzed?

Also, there's also reason to believe not all algorithms are vulnerable. There's a high-profile case of the FBI trying to obtain evidence off a drug dealer's hard drive, but it was TrueCrypted, and despite a year of brute-forcing, they couldn't get at the data.

As for web of trust systems, it seems all of them are necessarily complicated and difficult to implement. Freenet has a WoT system using CAPTCHAs, and it's clunky as anything.

0
0
Charles 9
Silver badge

Re: Such a surprise?

There is reason to believe that there may be NO solution to the problem of Alice and Bob establishing trust with each other without help from a third paty (whose trust cannot be guaranteeed). Wasn't there a recent article that noted they had a similar trust problem with quantum encryption (which in turn prevented it from being provably secure)? And it may not be possible (or wise) for Alice and Bob to meet face to face.

1
1

Wrist SLAP: Samsung Galaxy Gear smartwatch hands-on

Charles 9
Silver badge

Re: It is not a music player

Can't. You need some length, and the watch isn't long enough for an antenna with good-enough range. Not to mention phones can house multiple antennae. Only way you could improve that is the put the antennae on the strap, which has its own hazards.

0
0
Charles 9
Silver badge

Re: "...should work with any Android handset."

"And constant bluetooth? That's going to suck battery."

Thus the emphasis on Bluetooth 4.0, which if you'll recall was specced with low power in mind.

1
0
Charles 9
Silver badge

Re: It is not a music player

I believe that was the intention. The phone does the heavy lifting and the network negoriation. The watch piggybacks off the phone and gathers its data from that.

0
0
Charles 9
Silver badge
Devil

Re: Meh

"And if you go on to the surveillance sites, you will find currently available devices that pose as pens, buttons, ties and even watches."

What? No shoes? Voyeurs would be snapping those up.

0
0
Charles 9
Silver badge

Re: Qualcomm Toq

The Toq sounds interesting. The biggest interest for me in this case is the Mirasol display, as it would be the first color quick-refresh nonvolatile display to market. Been waiting on one for years, and if successful could mean some good business for Qualcomm in future phones and tablets.

0
0
Charles 9
Silver badge

Re: Batteries

The watch lasting a week should only be an issue if people sleep with their watches on. But I hear nothing about Qi charging, which (or a similar wireless charging standard) should be standard on a smartwatch so you can just throw the watch on it at night and pick it up in the morning (or after the shower) topped off.

0
0

Smartwatch craze is all just ONE OFF THE WRIST

Charles 9
Silver badge

Oh? And suppose the smartwatch takes off as a companion to the smartphone, Samsung and the like cash in, and Apple find themselves late to the train? Remember, they're not the "absolutely must have it NOW" that they once were. If they were to release an iWatch AFTER the craze takes off...

1
1
Charles 9
Silver badge

Re: I remember watches

That said, there are places where external sources of time are unavailable. Casinos, for example, never show clocks on the floor because they WANT you to lose track of time. That and the big room might mean you lose your signal, so the phone won't help, and laptops would smack of cheating, so when all else fails, it falls back to a cheap quartz wristwatch.

Also handy for when you're out in the sticks, away from civilization and a cell phone signal. The wristwatch can keep chugging on its own for a couple years on a button battery or two. Don't know about anything else.

5
4

New online banking Trojan empties users' wallets, videos privates

Charles 9
Silver badge

Re: Combating global cyber crooks

The trick will be to make things BOTH secure AND easy to use. You need both because without the latter, people get fed up and go around. Trouble is, the two tend to work against each other, as secrity tends to require some complexity (to combat brute forcing) to be useable. And no matter which angle you take, there are complications (anything internal to the user like biometrics can't be replaced if cloned, and anything external to the user like dongles can be lost or stolen).

Plus the anonymous nature of the Internet means there's a ponit when Mallory can mimic Alice to the point of gaining trust, stymiing forensic analysis. Some malcontents are patient enough to fall below the noise floor, such that trying to detect them (realtime or not) results in too many false positives, making the system impractical. Then there's the matter of establishing trust in the first place, and there's hints two parties who can't meet face-to-face can't properly establish it without help from a third party (who really can't be trusted), taking the whole e-commerce system back to DTA mode.

0
0

Pulsars: the GPS beacons of the cosmos

Charles 9
Silver badge

Re: Why is my prime meridian wobbling?

"It's most likely Colon didn't know about the Americas, but he was far from the first European to discover them."

Plus IIRC Vikings had taken some sojourns to the west but didn't make much of it.

What Columbus did was tip off a country (Spain) that just happened to be itching for exploration. Asia was pretty much closed to them as the Turks controlled the Red Sea route and the Portuguese had the Horn of Africa covered. When Columbus came back and told them this new land to the west was full of novel (and valuable) goodies, Spain suddenly realized, "Who needs Asia?"

So, not so much the first to find the place but the one to make the place famous.

0
0

WTF is … Routing Protocol for Low-Power and Lossy Networks?

Charles 9
Silver badge

Re: Sci-Fi

Those depends on radio transmissions, correct, which as electromagnetic waves do not travel at a uniform speed. That's why there's some inherent inaccuracy in GPS systems (atmospheric interference). That and the low power means it has trouble penetrating solid objects. I don't localizers could overcome those physical limitations, especially if it's using time-of-flight to measure distances in a medium where the speed of electromagnetic waves can vary (GPS doesn't strictly rely on time-of-flight so is less vulnerable).

0
0
Charles 9
Silver badge

Re: What about security?

The problem is the the sensor is an originator of information. If it doesn't want the information tampered, it needs to encrypt the data from the point it enters the system. That puts the onus on the sensor to encrypt before transmitting. There's just one issue. Good encryption is resource- and power-intensive. It's a physical limitation; otherwise the encryption is too easy to break. So you end up with the issue of having to encrypt in a resource-constrained environment.

The best bet right now looks like TEA-based algorithms. They're designed for their simplicity, but they've been shown to have chinks.

0
0
Charles 9
Silver badge

What about security?

Security is one thing that really needs to be baked in to get it right, since it's more of a way of thinking than a way of doing.

Sensor swapping and sensor spoofing came to mind when I looked at this new sensor network. There would need to be a way for the sensor to positively identify itself, such as with an asymmetric key. But encryption takes time, resources, and (most critically) power. And now we run into some of the tradeoffs systems like POS terminals faced. Although in their case, it wasn't electical power limitations but CPU power limitations mostly.

In other words, the next problem I see for them is making the network secure while STILL low-powered.

4
0