Posts by Charles 9

Re: Zounds! I envisage a threat to public order!!

(Dear Feds--how about you get a warrant, sworn out by a judge, requiring that a subject of an investigation/prosecution is required to provide his password for any devices, and throw him in jail for contempt of court if he refuses to give it? Oh wait, that takes some effort and means you have to let people know that you are accessing data on a device, and prevents you from accessing whole classes of devices in secret. Forgive my insistence that you actually act to preserve public freedoms rather than undermine them.)

You forget that, unlike in England, one is protected from self-incrimination by simply pleading the Fifth Amendment (which explicitly protects against that). If a defendant refuses to answer that's one thing, but not even Congress has been able to get around someone answering, "I plea the Fifth."

But there is big business interest on both sides of the argument, so it's not so cut and dry.

Re: Sod on

It's worse than that. The politicians in Gilded Age 2.0 were hand-picked by the big businesses themselves. They're less pansies and more peons. It's like crooked sportsmen having made sure their own officials are running the show. What's worse, the common public is not in a position to know or even care.

Re: Sod on

And the worst part is that, in a capitalist economy, monopolies and oligopolies are inevitable. Play the game long enough (like a poker tournament) and eventually someone comes out the winner and gobbles up everyone else. Eventually, it reaches a point that, barring some out-of-nowhere disruption, no one else can stand up to the giant in the playground.

Re: How do you seize a database?

Unless it had nothing of value.

Re: Ok

But what do you do with a captive market, where the ONLY way to get the much-desired-and-exclusive content is to jump through their hoops? Will you jump the hoops or go without?

Don't think in terms of operating costs. Think in terms of manufacturing costs, and by that I mean the entire manufacturing process: from mining the rare earths and other difficult-to-extract minerals needed for the devices to function to all the complicated and energy-intensive processes needed to actually extract them from the ores to the costs needed to operate the delicate machinery to apply these materials into your panels and such.

Remember, with infrastructure like this, there are always two costs: upfront costs and upkeep costs. A low upkeep cost doesn't always justify a monstrous upfront cost.

Re: Bah!

Maybe that's because the elephant's really a frozen mammoth?

Let me put it like this. How would the world be able to produce over 1 yottawatt of sustainable power per year without any more significant energy outlay to build and transport it in the process? Even if you put the server farms in blankin' Antarctica it probably wouldn't be enough. And the alternative too all this information flow is to go back to using dead trees...

As for using Iceland, I think it's already tapped out by aluminium plants and other things that have no other way to run except electricity (electricity is the only practical way to extract aluminium, so they're always built near power plants).

Re: So, can Kryder's Law in fact carry on?

Kryder's Law is still on the way out due to the molecular limit, but if this tech pans out, a transition tech will soon be in place that will allow storage to continue growing; at worst, we'll experience a brief hiccup as there is a brief gap between spinning rust running out of steam and 3D NAND hitting the mainstream.

That's funny. From my end, pay by bonk has become considerably EASIER since KitKat becaue Host Card Emulation means a phone doesn't need a Secure Element to be usable: just the NFC part. Good thing since my own phone's Secure Element's hosed.

Re: "Remember: UBIKRAND's entropy is smooth and easy. Avoid prolonged use."

Perhaps not that paranoid, but perhaps the signature checks can be set up so the memory can be read by another chip and a signature checked from that while the chip that does the checking can be a simple mask ROM whose internal can be verified in, say, an x-ray. The diodes can perhaps be replaceable by the user, among other things that would make subverting the device and keeping it subverted too difficult under all practical circumstances.

Re: N00b question...

The philosophy behind it is that /dev/random is meant to output high-quality random data that would be used for high-security applications like key generation (places where you really really need the output to be unpredictable). It was thought that only high-security applications would need high-quality random data. For most other purposes, Linux also provides /dev/urandom, which isn't as high-qualty because it uses an alternative algorithm to ensure it doesn't block (/dev/random blocks when it runs out of entropy). The reasoning is that an agent with vast resources, such as a state, might be able to predict a pseudorandom patten just long enough to pick up key bits of information that can be used to further subvert the encryption.

I think the problem right now is that we're seeing an increasing need for high-security random data (take a secure server, for example, that needs to generate tons of crypto keys on the spot) to the point that /dev/urandom is not considered good enough. And that's where these hardware RNGs come in. The thought behind an open design is that any copy of the device you have can be checked against the plans for possible subversion by a resourceful adversary such as a state.

Even if someone counters the death was faked?

Re: You are just a number, to be bled for corporate profit.

Ever thought perhaps the shop owner's been stung once before with someone weaseling their way out of a contract without penalty by faking his/her own death, thus making him "once bitten, twice shy"? It may sound ridiculous, but modern society tells us not everything is taboo to everyone.

Re: Stop with the mobile requirement already

"AIUI, SMS are free to receive, even overseas, on most/all UK/EU networks, so cost is not a real objection."

Even in the US, it's pretty easy to pick a plan that has generous texting allowances if not unlimited texting, meaning even if they charge for receiving, it becomes just a drop in the ocean.

Re: Just...use...CASH

Hacker-proof, but extremely vulnerable to muggers with absolutely no theft protection. Plus the difficult to track bit is being addressed. Query "Where's George?"

Re: Stop with the mobile requirement already

Chicken and egg question. Why do you need an authenticator that doesn't require a Web connection for a service that basically requires you to connect to the Web?

Re: Key fob?

It defeated the purpose of the fob: it's meant to be kept separate from the card so the thief/mugger steals the card but doesn't realize it has a fob until it's too late to go back for a second mugging. Sure, if the perp knows about it, they'll go for the fob, too, but at that point you're already up Crap Creek.

Re: Old school ?

"Why does it seem to me the goal is 0% fraud ? When did that suddenly become the aim ?"

Because it's being demanded by the customers due to all the hype about card detail theft, and they won't settle for anything less.

"Back in the pre-internet days (yes, there really was such a time), it was more credit than debit card fraud (since we used to use cheques*) banks tolerated a certain amount of fraud, for a certain amount of money spent on security. I suspect it's still the same.

So rather than thrashing around for the "perfect" security (i.e.0% fraud), people should be thinking what can give me 1% fraud, for a reasonable (i.e. no damaging my profits too much) amount ?"

I suspect their margins are shrinking, lowering their tolerance levels. That and the investors are likely complaining about bleeding money.

"Does it really matter if the odd £10 dodgy transaction gets passed, as long as you catch the unusual £5000 a stolen/cloned card would be used for ?"

That was before fraudsters learned how to get around this by simply using quantity over quality. One £10 scam is tolerable but try a million of them. Savvy scammers have learned how to "smurf," or suck a card just enough to prevent it being flagged and then letting it sit. They're also tying geographic information to cards so thieves can perform transactions in the boob's hometown, making it harder to detect. In such an environment, the inch becomes the mile, drawing the fight into an all or nothing conflict.

Re: Stop with the mobile requirement already

Well, for many, their mobile is the only second factor available to them, so if you want 2FA, it's mobile or bust. If you declare 2FA bust, then you now have to figure out how to build a security system that's tamper-proof, turnkey simple, and doesn't require a second factor? Last time I checked, that means the general public is not accepting anything less than the impossible.

Re: W00h00

"Can't remember your password?

Re-set immediately just by using the details on the card and the date of birth.

Its not like my DOB is very secret."

So how do you tell the difference between a real customer with a bad memory and an intruder who did the research?

Re: So how secure are 'biometrics'?

"The "password problem" is also very solvable: by a password manager. I remember exactly 2 passwords, both are quite secure; all the others are randomly generated passwords. While this isn't perfect, and a second ("2 factor") authorization is indeed desirable for financial systems, but that's nothing new; every bank already does that, as do some services like Dropbox."

Then someone breaks your master password. Or your memory's so bad you can't even remember that password. And the moment someone says, "Tough!", that someone loses at least one customer. So what are you going to do? Customers are demanding turnkey solutions that don't rely on memory and won't take no for an answer.

Re: Service Life of HD

But what happens when all those 1000+ drives fill up because the Big Data just got TOO Big Data? That's what I'm pointing at. Big Data is growing faster than the drives would normally be able to keep pace. Even if you left room to slot in more drives (and the power costs this would entail), it would just keep growing until it reaches Brobdingnagian proportions and you reach the point where swapping out for bigger drives becomes more economical and continuing to grow your data center.

Re: re: some headerless server somewhere

I'm talking the office environment. If you need it for a private or personal business, well that's your prerogative. But you'd also be the exception. Enterprises, as content creators, will always need the horsepower. Thing is, thanks to improved portable computing and networking capability, man and machine really don't necessarily have to be in the same room anymore. Indeed, barring outlying circumstances like social interaction, why bother with an actual office? Meanwhile, computing has morphed into something that doesn't necessarily need a single muscleman processor to accomplish. By necessity, we've become much more adept at finding ways to slice the jobs into smaller bits that can be parallelized. Even some of the toughest ones like video encoding can be split effectively if you do a little analysis first (for example, detecting scenes and splitting by them would not incur losses because each segment would be split at key frames).