Comment Re:My Ideal Setup (Score 3, Informative) 20

hate the idea that every service I use could be accessed if someone has my device

Then use a passkey authenticator that requires a PIN or biometric entry to use the key. For example, a passkey stored on a YubiKey with a strong PIN set, or a passkey stored on a TPM configured to require entry of the PIN each time the credential is used. Many users would disable the separate PIN requirement, or choose a solution that does not require one, for their own convenience, but you don't have to. You can use the strongest possible implementation of passkeys for your purposes.

By having separate passwords for each site and requiring passkeys for MFA,

Auth with a password sent to the server plus online MFA is weak authentication. You are better off authenticating with a passkey stored on a cryptographic authenticator that confirms multiple auth factors locally on your device.

Any fixed value you send to an online server, such as a "password", is not bound to your auth session and can be stolen and used independently with other authentications. That is why it is better to have a cryptographic device in your physical possession that authenticates a knowledge or biometric factor from you before authorizing the response to a cryptographic challenge for authentication using the secret keys stored on that module.

Statistically speaking: if your auth process involves sending a password to a remote server ("online authentication"), then that password will eventually be stolen. That, together with the unbound session, is why you can say online remote multi-factor authentication is still weak authentication.

Comment Re:Does Iran have any home-grown IP infrastructure (Score 1) 68

I was assuming that they were mandating that these so-ordered officials stop using digital communications

The article states a limited ban on connected devices. Officials and their security teams are forbidden from using devices such as laptops and phones which connect to public networks.

Thus suggesting that there are also private networks, and they may still use some devices which do not connect to public networks.

Comment Re:Back to basics? (Score 1) 68

My guess is at some point there will be a secure public communications network, the internet isn't it.

You just go to a telecom provider and order either point-to-point circuits or dark fiber to be installed between your buildings and a centralized building of yours, with the extra stipulation that your point-to-point links have to traverse dedicated fiber exclusively.

Then, when you go to connect up the fiber ports, you configure and provision either 802.1AE MACsec or QSFP-DD transceivers with Layer 1 encryption support (where you can set a static AES-256 key for each transceiver pair), or use both MACsec and Layer 1 encryption, resulting in double-layer encryption.

You can also use a parallel fiber link for low-bandwidth Quantum Key Distribution, quantum encryption providing a mechanism that could be securely used to distribute rolling keys for the primary link.

In any case, all the tech has been created to allow a high-bandwidth private communications physical-layer network.
The only problem is... what the heck are you going to even bother using that network for without internet access?

Comment Re:Does Iran have any home-grown IP infrastructure (Score 1) 68

Traffic analysis might be enough to expose the structure of covert organizations.

What if 20% of the members of the organization have a daily task to make sure they create and send a total of at least 10 to 20 encrypted messages each at random times of day? The actual 20% of org members who have this task would rotate daily, and most members of the org have no knowledge or assignment other than to create and send the messages.

A random number between 0 and 50% of the total messages are sent to actual other members of the organization, who can be anyone, so the structure of the org is hidden.

The rest of the messages are sent to strangers' valid phone numbers learned from other sources. In other words, the organization has a daily task of members sending encrypted messages to outsiders who cannot even decrypt the message. Since the phone numbers are random, an adversary looking in cannot tell whether the message is readable by the recipient, or if the message is spam as far as the recipient is concerned.

The message has to be decrypted by an initial layer first before the recipient can tell whether it even claims to be a legitimate message.

When a member of the organization receives such a message they are to flip a coin and pick between ignoring the message or giving a canned reply based on their own study of how people react to receiving a message from a stranger they don't understand.

Comment Re:Does Iran have any home-grown IP infrastructure (Score 1) 68

there's a reasonably good chance that there will be attempts by one's adversary to use that technology against one in some capacity.

Yes, there is. But this also makes fixating on the internet connection perhaps unreasonable.
So, as you're probably aware, there notoriously exist these devices called Stingrays.

Cell phones that don't use the Internet are still just as good at exposing your location over the corresponding protocols.

At this point you're going to stand out, if all the cellphones in an area with purposefully no internet connectivity can be identified and located precisely, but your officials' cellphones are the only phones oddly configured that way, or they use a specific make and model of device which is not used by the rest of the population but still connects to the cell network.

Comment Re: What? (Score 1) 284

It's sad that we need to have laws to force the president..

We don't "need to have laws" - the people are supposed to vote for a president they believe will prioritize their interests, and Congress does not have the power to make laws to "force" anything about the president's dealings. The president's conduct is outside Congress' enumerated powers; therefore, any laws they tried to pass targeting the president specifically for regulation would end up being invalid. Three-quarters of the states would have to pass a constitutional amendment.

Comment Re: What? (Score 1) 284

oath to the people and didn't need to be 'legislated' into serving the people.

That's up to the election process. By design, the only checks on the president are the election process and the congressional power of impeachment. They can't be "legislated" into lifting a finger. The Constitution lays down a fundamental concept called separation of powers, and vests the full executive power in the president.

Comment Re:What? (Score 1) 284

How can a person have a full time job serving the people and do another full time job running a company

Being elected president is not employment. If made president, you are the big boss. Look at private industry, for example: it is very common to have people who are CEOs and on the boards of multiple companies.

The job description of these executive roles does not include full-time work, and neither does the presidency. The president only has to do as many hours of work as they deem necessary to conduct their executive role. 99% of the actual work will be done by the employees and assistants, not the elected executive.

Comment Re:Not only that... (Score 1) 73

This is what I do, it's a major reason I run my own email server but thankfully the '+' hack built into many modern MTAs gives you an approximation of the same thing... sort of.

Well, my current recommendation is Bitwarden's or 1Password's integrations with various services that create dedicated email aliases. In theory you can also set rules that drop mails if the sender domain does not match the website domain the email alias is assigned to.

The "+" hack is another option, and even Microsoft Office 365 and Google Workspace mail support plus addresses, but when I tried plus addresses I had issues with a lot of vendors stupidly rejecting email addresses with the + character as "invalid". Another problem is some smartass websites detect the plus sign in the email address and automatically strip out the + sign and everything after it. There are also websites that initially accept the plus address, but it breaks functionality when they need to send you an email, or it trips up some "fraud detection".

So the plus addresses only work for people getting started; in the long run it's best to move to a unique domain and use generated addresses which are not predictable.

Comment Re:A fool and his money... (Score 1) 34

They probably had their brokerage accounts breached by Chinese hackers who then entered fraudulent buy orders.

This stupid shit is the penny stocks scam all over again. Nasdaq should add market cap value and executive vetting requirements before you're allowed to be listed on an exchange. They should be at least twice as tough for overseas companies - require proof of compliance with SEC reporting regulations, etc.

Comment Re:Not only that... (Score 2) 73

There is an even better solution thanks to modern password managers.

Create a unique email address for each person or company you provide with your email address.

The moment you want to unsubscribe... turn off the destination email address entirely, and all messages will bounce with a 550 error.

This also helps with annoying data brokers selling lists with your address AND database access to certain tools where you type in a phone number or name and address, and the database spits out what email address belongs to that phone number or name.

Or the reverse: you type in an email address, and the data brokers' search provides a name, phone number, physical address, etc., as a lookup by email address.
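An added example (my own, not code from either "Not only that..." reply, nor from Bitwarden or 1Password) that puts the two ideas together: the sender-domain rule from the earlier reply and the switch-off-and-bounce behaviour from this one, as an inbound SMTP policy check in Node.js. The alias domain, alias names, assigned sites and envelopes are all constructed for illustration.

```javascript
// Alias table: random local-part -> the one site it was handed to and whether
// it is still switched on. Values are constructed for this example.
const aliasDomain = 'aliases.example';
const aliases = new Map([
  ['k7f2q9x1', { site: 'shop.example', enabled: true }],
  ['p3m8w4z6', { site: 'newsletter.example', enabled: false }], // unsubscribed: turned off
]);

// The sender domain must be the assigned site or one of its subdomains, so
// mail.shop.example still passes for the shop.example alias while a
// lookalike such as notshop.example does not.
function sameSite(senderDomain, site) {
  return senderDomain === site || senderDomain.endsWith('.' + site);
}

// Decide the SMTP answer for one envelope (MAIL FROM / RCPT TO). Every
// rejection is an explicit 550 so the sender sees a bounce, as the post describes.
function policy(envelope) {
  const [local, domain] = envelope.rcptTo.toLowerCase().split('@');
  if (domain !== aliasDomain) return { code: 550, reason: 'relay denied' };
  const alias = aliases.get(local);
  if (!alias || !alias.enabled) return { code: 550, reason: 'no such user' };
  if (envelope.mailFrom === '') return { code: 250, reason: 'bounce accepted' }; // null sender
  const senderDomain = envelope.mailFrom.toLowerCase().split('@')[1] || '';
  if (!sameSite(senderDomain, alias.site)) {
    return { code: 550, reason: `${local} is not assigned to ${senderDomain}` };
  }
  return { code: 250, reason: 'ok' };
}

// Constructed sample envelopes: the assigned site, one of its subdomains,
// a data broker the address was sold on to, and mail to a disabled alias.
const samples = [
  { mailFrom: 'orders@shop.example', rcptTo: 'k7f2q9x1@aliases.example' },
  { mailFrom: 'deals@mail.shop.example', rcptTo: 'k7f2q9x1@aliases.example' },
  { mailFrom: 'offers@broker.example', rcptTo: 'k7f2q9x1@aliases.example' },
  { mailFrom: 'news@newsletter.example', rcptTo: 'p3m8w4z6@aliases.example' },
];

function run() { return samples.map((e) => policy(e).code); }
console.log(run()); // [250, 250, 550, 550]
```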

Comment Re:What? (Score 2, Informative) 284

So all the selling off, or putting into trust, businesses done by prior Presidents is for show?

It is just a tradition. A gesture to show good faith and help maintain their decorum as an independent leader.
One of Trump's weaknesses, or strengths, depending on how you look at it, is he obviously tends to ignore traditions, and perhaps does not care what his opponents think of him anymore. I assume he's not planning to try campaigning for an election again, and has a need to make money now because of all his court losses in New York.

Comment Re:About. Fucking. Time. (Score 1) 146

Very useful, but what's missing is:
  1. Take and upload pictures or start/stop recording a live stream from front and back camera uploaded to the service.
  2. Permanent text banner button (custom text banner that cannot be dismissed from the phone)
  3. Permanent alarm-sound on/off button (custom alarm sound for X seconds with volume and mute buttons on the phone disabled; can only be muted/ended from findMy service)
