-
dinh
edited
1 year ago
|
link
| on:
Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix
Why are the slot machines purely relying on pseudorandomness? There seem to be some sources of “true” randomness that they can use to seed the PRG without requiring additional hardware, e.g. the trailing digits of exact timing of various events (so, for instance, pressing a button or inserting a dollar bill exactly on the hour and 0.001 seconds after the hour lead to completely different results - I highly doubt any human, even an app-assisted one, is capable of being precise enough on timing to exploit that).
-
-
-
-
I’m taking a wild guess here based on how this happened elsewhere. The possible reasons I see are:
Programmer could make games but didn’t know cryptography or care about security. Just used what they learned in a programming book on random numbers.
Cost minimization. Simple RNG can run on dirt-cheap CPU (even MCU). Might add a dollar or ten to profit of each machine if this philosophy is applied throughout its development.
-
-
I’m really feeling justified in my refusal to use these things. Develop a personal algorithm for unique, memorable and strong passwords, and keep it to yourself. Write them down if you must (develop coded shorthand for it). It’s the only real way to do this.
-
-
It’s really not. If you use phrases (which have a large amount of entropy), and a way of deriving them that requires your own knowledge plus something you have, you’re not exposing yourself to any mathematical attack. In my algorithm there are at least 4 “things I know” and one “thing I have,” but it’s easy to remember.
-
I’ve started making heavy use of password reset flows. When I want to log in, I click on “forgot my password” and enter my email. When prompted for a new password, I generate a random password and paste it in, but don’t store it anywhere. I’m now either logged in, or can immediately log in by pasting the password again.
I’m looking in to automating this process somewhat, but have been discouraged by OAuth2 authentication for accessing the Gmail API.
-
-
-
-
Email is not a secure verification mechanism, in my opinion.
It’s trusting that your email provider has not been attacked; that there is nobody listening in in the middle of my connection to the website, my connection to my email provider, and their connection to my email provider; et cetera.
It seems to me that using a password offers fewer places to attack/intercept access to the website than using email does.
-
Definitely adding email to the mix increases the attack surface, and strongly disincentivizes using email providers who are small or otherwise probably-insecure. It is also intensely frustrating trying to convince people who are not technically inclined but want security advice, that their email password is very important and deserves special treatment. At the very least, I wish that more sites offered an option to turn off email as a reset mechanism on a per-account basis.
-
-
-
-
In this talk, Manuel Blum describes a pretty simple password generation algorithm with information-theoretic security guarantees. The basic idea is that given a private key (PK: char -> [char]) mapping from letters to strings (e.g. human names), a simple key generation algorithm that takes a site (“challenge”) and outputs a password defined by password[i] = PK(challenge[i])[i+1] is secure as long as the number of passwords that an adversary has access to is under a constant (~20 in one example).
-
-
-
-
Seems much-improved so far, but does anyone know if it’s possible to make it so zooming gestures work the way they do on mobile devices (i.e. by zooming in on one part of the rendered page, rather than reflowing the page)? It’s been an open bug for five years (https://bugzilla.mozilla.org/show_bug.cgi?id=789906) and it seems that there are no WebExtensions compatible add-ons to enable it.