trimble-alum's comments

trimble-alum | 10 years ago | on: Stealing keys from PCs using a radio: cheap electromagnetic attacks

There are optical-domain attacks for CRT monitors (including diffuse reflections off walls from the "blue glow"), likely similar for LCDs. And there are Van Eck attacks on CRTs and LCDs. Cables don't usually leak by definition of twisted pair and coaxial being solenoids (the ideal model of a solenoid emanates zero net EM flux at a distance and is immune to external EM fields), but connectors, unshielded traces, straight wires, untwisted ends of twisted pair and component joints tend to be the usual suspects.

http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf

http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf

http://www.hack247.co.uk/blogpost/van-eck-phreaking/ (unscientific/not peer-reviewed)

trimble-alum | 10 years ago | on: A week with a Rails Security Strategy: More security, new habits

It's important to pick out vulnerabilities and deficiencies compared to other projects to get them addressed, rather than only say nice things. However, the core issue is that people raising them are usually ignored until there's an embarrassing hack or demonstration (Homakov).

For example, all new gem releases should be signed and `HighSecurity` should be the policy but it's taken years to get very little progress. Changing to that policy would prevent entire classes of attacks, attacks that could subtly inject code into all sorts of apps in difficult-to-find ways. Large projects are still shipping unsigned gems, unsigned commits and unsigned tags. If RubyGems were hacked, progress might move slightly faster.

trimble-alum | 10 years ago | on: What It's Like to Have Severe Lyme Disease

For example, the hills around Almaden Valley and Santa Cruz mountain foothills are full of deer which are known positive carriers of Lyme Disease. In the 1990s, there were or are signs on the trails indicating this. I believe the same caution applies to hills extending towards San Francisco, which includes walking The Dish at Stanford.

Needless to say: wear long socks and have someone else completely check all of your limbs and back under bright light and magnification for those very tiny deer ticks.

trimble-alum | 10 years ago | on: No, you're not 'running late', you're rude and selfish

The way to be more productive when the reality of actual unforeseen circumstances hits is for the 10 people to bring their work with them and/or not get sucked into unnecessary meetings or any meeting lacking an attendee-relevant agenda. (No agenda, no meeting.) Wasting time is a choice on any side of the table. Blame games are bikeshedding, signalling a likely lack of valuable industriousness. ("If you want something done, ask the busiest person you know.")

trimble-alum | 10 years ago | on: Infection inflicts a persistent decrease in IQ: study with 180,000 participants

It's possible to push oneself "harder" and regain function ("neuroplasticity"), as evidenced by stroke rehab.

This is why it's vital to do challenging mental exercises like crossword puzzles, etc. ("use it or lose it").

Generally though, the article makes sense because the common cell machinery of nerves (which don't divide as much as, say, intestine or dermis cells) can be hampered by underlying issues affecting organelles within nerve cells, which then manifests as a functional, quantitative deficit at the macro level.

trimble-alum | 10 years ago | on: Ask HN: Where can I buy real software companies?

Again, if a side hobby/business is getting to be too much of a time sink, boring, or you're unsure how to scale it, selling off the value, happiness of customers, employees, vendors, etc. created is a rational act. Shutting down is only advisable if the business model cannot ever have hope of being monetized AND the folks running it lack ideas (and have asked around to advisors and such) how to adjust the consumer/producer relationship.

trimble-alum | 10 years ago | on: Ask HN: Where can I buy real software companies?

Poker face and cordial until all the bodies are dug up and the figure and most importantly, terms and conditions of sale and transition plan are agreed and the check is deposited, because it's tire-kicking until the ink is dry. It's important to telegraph genuine admiration to suggest a shop might have a better home than competing bids.

It's a hard thing to do, trading in something more precious than cash, labor, time and effort, life... so have a good time and aim to make people consistently, insanely happy and always satisficed.

trimble-alum | 10 years ago | on: Ask HN: Where can I buy real software companies?

Any decent marketplace for one-app or brand companies needs to prominently display independently-verifiable, evidence-based due-diligence metrics that can be dug into by your legal and forensic/tax accountant folks before a transaction. Saves lots of time. BTW: on apps, it is usually more profitable to license source code to games and similarly common apps (say for gyms, restaurants, etc.). If it's a FNAC app that you're bored of, try to sell it first; don't just throw out your work (or at least salvage the best parts of the business's assets/staff/knowledge)! Reduce, reuse, recycle.

(Some, but not all, due-diligence is worry alleviation through hazing-ritual business theatre.)

trimble-alum | 10 years ago | on: Ask HN: Should I charge my electronic devices with 5W, 10W or 12W power adapter?

Likely the smallest wattage will limit the maximum amount of waste heat the batteries experience, which means less wear (physical, chemical, etc. thermal/electrical damage). Also, opt to charge the device at the lowest device operating temperature and with the most available cooling (battery side up or standing near vertical, not in a sleeve under a blanket). And from previous articles, charge from 50% up to about 70%, discharge, rinse-lather-repeat. Store the device for extended times at about 60% charge at the lowest possible non-operating temperature (probably 40-50 °F, 4-10 °C).

Beware: cold->heat too quickly often leads to internal condensation in humid weather and extreme temperature changes, shorting out a device if ionic impurities are on internals, when bringing a cold device into a much hotter or more humid room too quickly. Instead, give it enough time to warm gradually, so condensation doesn't form (say limit temperature change to 10 °F / 4 °C per 30 minutes). Most devices still power some components while "off," so a condensation short is still a remote but plausible possibility, which is why avoiding condensation is a good idea. BTW a "perfect" gadget would be waterproof, float AND either include a hygrotherm to evaporate thermal transition condensation or not have internal air pockets, to prevent condensation.

trimble-alum | 10 years ago | on: Logjam TLS attack

For OpenSSH, take a close, hard look at /etc/ssh/moduli (or wherever it's at) too, in addition to EC curves. I would consider deleting the default moduli and regenerating it.

https://stribika.github.io/2015/01/04/secure-secure-shell.ht...

In my mind, more generally: EC attempts to make crypto algos stretch using fewer bits but implementations are harder to prove both theoretically (by being more esoteric, therefore fewer eyeballs are able to catch errors) and functionally correct (by having more moving parts). Why haven't more conservative stretching / extension of proven algos happened?

Also, even more broadly, this and a lot of other crypto decisions in TLS come off as seat-of-the-pants, guesswork, cooking by committee rather than simple, feature-minimal and bullet-resistant standards (how many way over-engineered and over-featured encodings do certs need?). The result smells like a pile of poo that will get recall after recall, patch after patch until something about the inputs and decision-making process changes. We can't keep having OpenSSL and the TLS committee saying "yes" instead of "no" to (feature creep) throwing every little edge use-case live into the production 1.x branch; the codebase is huge enough, and it's nearly impossible to compile out all the little-used crap, even in forks. Doing the same thing and expecting a different result is either stupid or insane, or both. OpenSSL and TLS leadership, process changes perhaps?
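As an added illustration of the moduli audit mentioned in the comment (an example script written for this page, not the commenter's own code and not part of OpenSSH), the snippet below filters an OpenSSH `moduli` file down to Diffie-Hellman groups of at least 2048 bits and shows how fresh groups are generated. The sample moduli lines are constructed, with placeholder hex instead of real primes; on a real host point the functions at `/etc/ssh/moduli`. The `ssh-keygen -M generate` / `-M screen` flags are the documented form in OpenSSH 8.1 and later (older releases used `-G` and `-T`).

```shell
#!/bin/sh
# Added example: audit an OpenSSH moduli file and keep only DH groups of at
# least 2048 bits. Field layout per moduli(5):
#   time type tests trials size generator modulus
# "size" is the modulus bit length minus one, so a 2048-bit group reads 2047.

MIN_SIZE=2047   # smallest acceptable "size" field (2048-bit groups)

# keep_strong_moduli FILE: print comment lines untouched and only those data
# lines whose group size is >= MIN_SIZE. Redirect the output to a new file,
# check it, then swap it in for /etc/ssh/moduli.
keep_strong_moduli() {
    awk -v min="$MIN_SIZE" '/^#/ { print; next } NF >= 7 && $5 >= min { print }' "$1"
}

# count_weak_moduli FILE: how many data lines are below MIN_SIZE.
count_weak_moduli() {
    awk -v min="$MIN_SIZE" '!/^#/ && NF >= 7 && $5 < min { n++ } END { print n+0 }' "$1"
}

# regenerate_moduli BITS OUTFILE: generate candidate primes and screen them
# for safe-prime/generator properties. Screening 4096-bit candidates takes
# hours, so this function is defined but not run by the demo below.
regenerate_moduli() {
    bits="$1"; out="$2"
    ssh-keygen -M generate -O bits="$bits" "$out.candidates" &&
    ssh-keygen -M screen -f "$out.candidates" "$out" &&
    rm -f "$out.candidates"
}

# Constructed sample file: one 1024-bit, one 2048-bit and one 4096-bit group.
# The modulus column holds placeholders, not real primes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 PLACEHOLDER_HEX_1024
20150101000001 2 6 100 2047 2 PLACEHOLDER_HEX_2048
20150101000002 2 6 100 4095 5 PLACEHOLDER_HEX_4096
EOF

# Usage: sh audit_moduli.sh --demo   (prints the weak-group count and the kept lines)
if [ "${1:-}" = "--demo" ]; then
    echo "weak groups: $(count_weak_moduli "$SAMPLE")"
    keep_strong_moduli "$SAMPLE"
fi
```

The 1024-bit group is the one Logjam-style precomputation makes risky, so it is the only line the filter drops here; groups below 2048 bits in a real `/etc/ssh/moduli` are the ones to remove before regenerating.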
