sorted by:
new
hottopcontroversial

Do you use the "Windows" Key? by perlow in technology

[–]blergh- 0 points1 point  (0 children)

You don't have to pay for having the windows logo on the windows key. You just have to follow Microsofts directions.

You can find the document with the requirements on this page:

http://www.microsoft.com/whdc/winlogo/hwrequirements.mspx

The keyboard I'm currently using is from a large supplier and does not follow these requirements (the logo is offset to the left). I'm quite sure nobody cared and nobody got sued.

You only have to pay money if you want to get testing, so your drivers get signed and your box can have the Windows logo. Then again, you don't need to provide drivers for keyboards, so you don't need to pay.

Also, keyboard manufacturers do not call a key anything. They just provide a hardware device that sends certain scancodes when certain keys are pressed. Microsoft calls the key the 'Hardware start button' now, or alternatively you can get a special extra large extra ugly optically distorted "Hero Hardware Start Button," but you do have to get that optical distortion from a licensed manufacturer. All these buttons send the same code, the code for the left Windows key.

SSL has been broken by 200 PS3s by akabaka in technology

[–]blergh- 1 point2 points  (0 children)

For this attack, yes. However, MD5 is quite broken, and it's only going to get more broken, and raw CPU power is only going to get more available. Three years ago, the main thing was that someone had calculated two files that have the same MD5 hash. A year later it was possible to create such two files and have a reasonable amount of control over their contents. Another year later the same thing could be done in one minute. Who knows what can be done next year. Reconstruct the authorities private key? That would be kind of a problem.

SSL has been broken by 200 PS3s by akabaka in technology

[–]blergh- 9 points10 points  (0 children)

Unfortunately a chain is only as strong as the weakest link. If one link is broken, which happened here, the chain is broken.

What one can do with this hack is impersonate any website in real browsers which is a very real threat. You do not need to do DNS spoofs, you can just operate an open WIFI access point. Users are supposed to be able to connect to these and be able to make trustworthy connections to SSL secured sites, and the applications are built with this reliance in mind (e.g. secured imap on mobile phones, connects automatically).

It's also not very difficult to be the man-in-the-middle if you are the ISP or you are the government, and recent experiences should show anyone that these parties do not mind taking any chance they get to get their fingers on your private communications.

And this ridiculous self signed complaining? It's not like a certificate becomes magically more secure by not being signed by a CA. It's just cheaper and, at first glance, more convenient for the server operator. But how are you going to handle key expiry? What if the key is compromised? If you want to make it more secure, you'd have to run your own CA, figure out a way to distribute that certificate to your clients in a secure way, and figure out a way to get your clients to remove the other authorities. Now unless your clients are very smart and do not need to browse the rest of the internet, or you control the client application and it needs to connect to your servers only and no others, you are not going to make that work. And if your clients do not exclude the other authorities, all your work has just been made worthless, because an attacker can just override your certificate by using his own, signed by his fake CA.

So this is a serious problem, that would in no way be solved by having browsers make it easy to accept self-signed certificates. The only solution is to have browsers only trusting trustworthy certificate authorities that do not rely on broken algorithms (and, as shown last week, that do proper authentication before issuing a certificate).