Comments

Email Is Not Going Anywhere

Anonymous Brave Guy Re:Duh. (235 comments)

Ah, I see. I had intended the IPS/DLP example to demonstrate both the fact that it was technically possible to MITM SSL traffic if you have control of the client and the fact that this is actually done in practice. I didn't mean to imply that routine logging was necessarily going on in any particular organisation; I don't expect that it is in most places, at least not intentionally, for all the reasons we've talked about. Apologies if that wasn't clear.

Thanks for the courteous dialogue!!

Likewise.

2 days ago
Email Is Not Going Anywhere

Anonymous Brave Guy Re:Duh. (235 comments)

You can post credentials as much as you like. I've worked in the industry, and I know who some of the big customers are. (Given your background and the nature of the discussion, I hope you'll take my word for that and understand why I'm not going to post a list similar to yours here.)

I said before but will repeat: your liability concerns are fair and valid. In fact, there is a significant side market in devices that can pick out parts of the network traffic that might be sensitive one way or another and mask out or truncate the unwanted details, and that market is driven in part by exactly the kinds of liability concerns you mentioned.

The fact remains that from a technical point of view, if corporate IT want to log your traffic and if you're working on a company machine and talking over the company network, there are tools available that will do that for them and you would never know it was happening without inside information. Everything else is down to legal issues and how much you trust your employer to behave responsibly.

I get the feeling that we would agree about the fundamental ethics of the situation anyway. This little discussion started when BitZtream argued that a good sysadmin can control "what his company does and doesn't see on company time, company equipment, and company networks". Zero__Kelvin seemed to think SSL would be a barrier to that. It is not.

2 days ago
Email Is Not Going Anywhere

Anonymous Brave Guy Re:Duh. (235 comments)

Just to be clear, I'm not talking about small companies. IME, the smaller companies I've worked with have been far less likely to do this kind of thing, because the level of trust is greater when "everyone knows everyone".

The liability issue you raise with regulated external sites is a fair point, and so are your comments about internal segregation in some contexts. However, please remember that not everywhere has the same legal rules and precedents as the US.

This whole field is rather young to make too many general claims about what is and isn't considered acceptable, particularly if an employee has been explicitly told that company equipment and networks are monitored and use may be recorded. How much employees should be explicitly warned about -- for example, whether this kind of SSL-defeating technique should be highlighted even if you're already saying you might read communications -- is something of an open question at least ethically and possibly legally as well. Heck, workplace surveillance generally is a very two-sided issue, and even where the law is relatively settled already, it can be a source of serious problems and disagreements.

But the general principle we were discussing was that sysadmins can have a lot of control about what happens on company networks, and that stands. Even if, for legal, moral or ethical reasons, an organisation chooses not to log the content of things like IM and e-mail communications, the technical tools to do so exist right now. And while you (and I, for the record) might choose to avoid working for an employer who we knew to use such monitoring, the reality is that unless you actually work in their IT department, you're never going to be able to determine reliably what is actually being done and it's all a matter of trust.

2 days ago
Email Is Not Going Anywhere

Anonymous Brave Guy Re:Duh. (235 comments)

As I said, IPS and DLP devices are routinely used to MITM SSL connections. There's not much point having some stupidly expensive firewall setup at the edge of your corporate network if all it takes for malware to get in is Joe from Accounts opening his GMail and running cute_kitty_photoz.exe.

Typically, the volume of data transmitted through these kinds of links makes comprehensive long-term recording and storage prohibitively expensive. However, logging everything normally sent over plain-text, human-speed communications channels such as e-mail or IM is quite achievable, as is logging a complete traffic stream identified by some trigger.

Incidentally, these devices are often used precisely because they allow you to control and limit your liability. For example, it's easier to argue you're in compliance with regulations like HIPAA or PCI-DSS if you can demonstrate reliably that traffic leaving your network was scanned and nothing fitting certain suspicious patterns was sent. A simpler but no less significant consideration is the damage any large organisation could suffer if malware did somehow get into their network.

4 days ago
Email Is Not Going Anywhere

Anonymous Brave Guy Re:Duh. (235 comments)

They don't have to block SSL, they just have to MITM the connection if they need to analyse or log the traffic. IPS and DLP devices that can do this for all the major protocols have been available to professional sysadmins for some time. If you access the Internet from a company device at an organisation that is either very large or working in a particularly sensitive field, there is a good chance your traffic is already being processed in this way.

If you want some communications to be private from your employer, use your own device, not a company-administered one. It's really as simple as that these days.

4 days ago
Posting Soccer Goals On Vine Is Illegal, Say England's Premier League

Anonymous Brave Guy Re: Pinch of salt needed (226 comments)

Conditions of entry don't have any effect on copyright law, as far as I know.

Not by default, but I know of no legal reason an admission contract couldn't include a clause transferring copyright in any recordings made to the organisers.

4 days ago
Posting Soccer Goals On Vine Is Illegal, Say England's Premier League

Anonymous Brave Guy Re: Pinch of salt needed (226 comments)

... under UK Copyright law there is no "fair use" exception

That is correct. There are some specific exceptions, commonly referred to as "fair dealing" over here, and there have been some recent developments that will expand the scope of the exceptions, but there is no generic limitation on copyright determined by a set of qualitative tests like the Fair Use rules in the US. However, if we're talking about someone's own footage of the goals, the more important issue might be what the contract was when they bought their admission ticket.

If the conditions of entry clearly say no recording is allowed and that if any recordings are made anyway then all rights are assigned to the organisers, then my expectation is that the uploaders won't have a leg to stand on here. It would be very surprising in this day and age if such terms weren't routinely included, and I fully expect that this is how any debate about legality will wind up being resolved.

On the other hand, if there's nothing prohibiting the use of recording devices and nothing claiming any rights over recordings made by spectators, it might be tough to argue successfully in court along the lines that someone's personal recording was a copy or derivative work of some official recording that the organisers sell to TV networks. It's not an unprecedented idea: publishing photos of major public landmarks like the Hollywood sign or Eiffel Tower can be legally hazardous, particularly if commercial use is involved. However, those restrictions tend to result from some carefully contrived/created edge cases in the legal position for specific places, and it's hard to see how anything similar applies to a football match.

(IANAL so obviously you shouldn't trust anything you just read if it actually matters to you.)

5 days ago
Berlin Bans Car Service Uber

Anonymous Brave Guy Re: Uber is quite retarded (338 comments)

You seem to be conflating several issues, as well as setting up some straw men, neither of which encourages constructive debate.

One issue is statutory licensing, which may artificially limit the number of people who can drive for-hire vehicles in a given area. It is true that such regimes are vulnerable to local politics and regulatory capture, pushing expenses up for drivers and reducing competition. There are also some arguments in favour of reasonable licensing regimes, not least because there is only so much road space and so much demand for hire vehicles. There is certainly room for debate about how this side of the industry works and whether newer alternative models might be better.

Another issue is safety regulations, which typically restrict things like permitted time behind the wheel without a break or how often vehicles must be maintained and tested. This is quite a different thing from licensing to limit supply in the market, though clearly some method of identifying who is subject to the safety regulations is needed. Here it is common, at least in my country, for professional drivers who spend many hours behind the wheel to be regulated. For example, lorry drivers and coach drivers also have to comply with regulations that don't apply to individuals driving private vehicles for their own purposes. Here, there is much less room for debate. Normal people don't spend the equivalent of an entire working day behind the wheel, day in and day out, with relatively little to keep their attention focused on driving. Even when private individuals make long journeys by car, they rarely spend as long behind the wheel as lorry drivers do daily. And of course the service and mandatory testing intervals for private cars are set with private driving in mind, while vehicles used commercially tend to do much higher mileage.

As a third related issue there is insurance. It is a legal requirement in my country for every driver to have proper insurance to certain minimum standards. Note that this is primarily for the protection of others: as far as I know, you can still drive a personal car without insurance to cover wrapping it around a tree and writing it off, but you may not legally drive it without "third party" insurance that would cover any damage you do if you wrap it around someone else's car and write off both vehicles. Insurance policies typically specify things like the type of vehicle and how it will be used and are priced accordingly, and the insurance industry probably has a better understanding of the true risks of different types of driving than anyone else. So letting people drive commercially when their insurance doesn't cover it would just be a loophole and a clear risk to other road users who won't be protected as the law requires in the event of an accident.

I don't think the people who question services like Uber on regulatory grounds are necessarily against competition or innovation in the marketplace. I'm certainly not; I write software every day for businesses that do stuff no-one has done before that is only possible because of that software, so why would I want to hold back progress? But some of those regulations really are there for good, sensible, practical reasons, and I don't think a new entrant into the market should get a free pass on breaking the rules that apply to everyone else just because they're new.

5 days ago
Berlin Bans Car Service Uber

Anonymous Brave Guy Re: Uber is quite retarded (338 comments)

This is not one of those things where you need to "compromise" so that some people are disadvantaged SO THAT another group may be disadvantaged.

Unless you're the person in the lane next to the Uber car when its high-mileage, improperly-maintained components break, or the person crossing the road in front when the Uber driver falls asleep, and then you get to be in the accident too.

Regulations on commercial drivers exist for a reason, and it's not just for the benefit of the passengers inside a commercial vehicle.

Providing an alternative that is competitive merely by virtue of not following the same rules as everyone else isn't an improvement. Compete on the same basis as everyone else, and then if your service is otherwise better you can enjoy all the well-deserved support you like. Otherwise, you should expect regulators to close you down.

5 days ago
Study: Firmware Plagued By Poor Encryption and Backdoors

Anonymous Brave Guy Doesn't really solve the problem (141 comments)

Better idea: Give up on this stupid everything-has-to-be-on-the-Internet bullshit.

That's a good idea, but it doesn't solve the problem for devices that actually do have good reasons to be connected: streaming media players, IP-based phones/faxes, consoles with multiplayer games, and so on. Many of these devices are connected to household networks these days, both to access the Internet and to communicate for legitimate reasons with other devices also on that home network. The devices themselves or other devices on the home network may store sensitive data. They may also have sensors, and while cameras and microphones are the most obvious risks, less obvious things like accelerometers in mobile devices and GPS can also create huge security/privacy holes.

Sooner or later, we're going to have to confront the implications of connecting all of this stuff together, and we're going to need a more sophisticated strategy than "just don't do it", because a lot of the time doing it is very useful but also dangerous without proper limitations.

about a week ago
Study: Firmware Plagued By Poor Encryption and Backdoors

Anonymous Brave Guy Yes, much of this is unrealistic (141 comments)

Getting a signed certificate for an embedded device may cost more than manufacturing the device... per year.

It's actually worse than that, because you don't even have a fixed target to price up. You have to consider how long a certificate needs to be valid for, the longer the more expensive but if it's not enough for the working lifetime of the device people are going to get upset. There's also the risk that a link in the certification chain could disappear, which is presumably more likely the longer the certificate lasts. For serious equipment running on corporate networks you might also have to consider letting them install their own certs backed by their own in-house CA, which introduces overheads of its own for your technical implementation. And none of this matters for devices that aren't going to be available from a machine with Internet access, because then there's no way to verify certs signed by the major public CAs anyway.

But the AC's basic point is sound. There are genuine concerns being raised here, but there's also a degree of FUD. If you see "10 year old Linux kernel" and assume "security flaw", you're the guy embedded software developers hate. That's not because they don't like criticism, it's because what really happens is they get a report back from some suit in the sales team saying a customer ran a "vulnerability scanner" and it flagged something based on a simple version check or other heuristic and that "vulnerability" must be fixed before you can get the sale. When they point out that patches have been applied for all known vulnerabilities that are relevant to their system and ask the sales guy what actual vulnerability the customer is concerned about, all they get back is crickets.

Then you get someone from management being told by the sales guy who just lost his commission that the engineering team is incompetent, and wanting to know how much it would cost to upgrade the entire system to the latest Linux kernel. Management gets told by engineering leadership about the cost, the time required to do the work, the time required for a complete regression test, and the risk of some regressions slipping through anyway because you're giving up tried and tested code and maybe being forced to change fundamental things like what kind of filesystem you're using on your internal flash storage. Somewhere around the point where the half dozen guys who normally work on the firmware for that product now need six more guys whose only job is to watch for every relevant update to any software component in the system, integrate it, regression test the results, issue the firmware update, and brief sales and marketing because reading a changelog is too difficult, the manager usually loses interest. It's a huge amount of wasted time and effort all around, for something that in many cases was never actually a real problem in the first place.

about a week ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:An easier solution (120 comments)

ABS can't be broken into externally because it's not connected to your stereo.

The major security concern in this debate is whether essential vehicle control systems like ABS can in fact be influenced remotely, because they are connected to non-essential systems that (some of us are arguing) they shouldn't be.

about a week ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:Shouldn't be necessary, but if it is... (120 comments)

Frankly, the existing systems are enough to scare me away from them, just for the privacy implications.

I share those concerns as well. I'm just trying to avoid conflating them with the security risks that pose a direct threat to life and limb.

But there are some very nice cars out there which don't have a navigation system built in

The trouble is, these remote functions are useful and they are seen as purely beneficial by people who don't yet understand the implications of the technology, which of course means most people who are going to buy a car. And so more and more cars, starting from the high end and pushing down over time, have this crazy stuff built into them.

I'm happy to see this campaign starting now, because hopefully by the time the technology is effectively mandatory at the price point where I want to buy a car, some degree of sanity will have been restored. I fear it may take a horrifically expensive lawsuit where the damages were multiplied up and maybe even some executives wind up facing jail time personally because the auto makers had been explicitly warned of the risks and failed to act on those warnings, though.

about two weeks ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:Shouldn't be necessary, but if it is... (120 comments)

Fair point, but perhaps not the one you intended to make: my house has high-spec security doors and windows. :-)

No doubt someone sufficiently determined and well-equipped could still break through, and this is deliberate, because that person might be a paramedic or fireman trying to reach a child in an emergency. However, no casual burglar stands much chance of getting inside, and even a professional thief has poor odds of getting inside, collecting valuables, and getting away again before someone arrives to arrest them.

I suppose this is equivalent to saying you could still cause a car with properly secured modern electronic technologies to crash, but beyond a certain point it would become easier to do so by simply running the car off the road with a big truck than by cracking its wireless link. What is out there in car security today is sometimes more like trusting that I won't even need a working lock on my front door because no-one bad would ever try to open it.

about two weeks ago
Silicon Valley Doesn't Have an Attitude Problem, OK?

Anonymous Brave Guy Re:It's not arrogance if... (260 comments)

As the old saying goes "It's not arrogance if you can back it up."

Which the overwhelming majority of them can't. That's kinda the point.

The culture in tech hubs today is in a very real sense based on gambling. VCs bet 7-8 figures on a company that might be the one to make 10 figure returns. It's a high variability strategy that rarely pays off, but pays out staggering amounts of money when it does. And because any VC always has a pool of investments on the go, they can stand to play the long game knowing their mean return is always going to be astronomical.

Many founder/entrepreneur types are playing the same game, just with fewer zeroes and one big shot at a time. Some will make it. Most will fail. Some of them will come back and try again. Many of them won't. It's just like the VCs, but a whole lot more personal, because VCs are the house that always wins, while first-time founders are more like the whales who bet it all on number 3.

Almost everyone else working at these businesses is just along for the ride, because the amount of money they're making is relatively good and they have a chance for a nice windfall if their employer's exit strategy does work out. Neither the founders nor the VCs much care because the salary and perks for decent technical staff are just table stakes in a much bigger game.

But you only have to look at the kind of recruitment processes and qualifications some of these big name SV firms advertise/leak, and then look at the quality of the software they actually produce and/or what some people who used to work there can (or can't) do when they move on, and you can see that having Google or Facebook on your resume doesn't actually prove that you're some sort of super-elite 10x genius geek demigod. Unfortunately, a significant proportion of the people working inside the bubble didn't get the memo.

about two weeks ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:Separate Physical Concerns.... Physically (120 comments)

I couldn't agree more. I was just challenging the idea that not using modern technologies at all was a viable solution to the problem. Some technologies do make cars safer, more reliable, and more efficient, and the important practical question is how we secure those technologies, not whether we should use them in the first place.

about two weeks ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:Shouldn't be necessary, but if it is... (120 comments)

And in the winter, I'd love to be able to warm the engine and the interior from inside my house while I gather my things for work.

This is clearly a case of prioritising convenience over security, which you're welcome to do as your own personal preference but I would never choose myself.

This data is used to help triage the severity of the crash before the EMTs roll out.

Well that's probably the single most disturbing thing I've seen in this whole discussion. Are you really telling me that in the event of a known road traffic accident, which is severe enough that no-one on the scene can immediately respond to verbal contact, they don't routinely send the full works where you are?

In any case, I would point out that this is purely status reporting, i.e., read-only data. There is no need for anyone to control anything remotely in this situation.

Also, in extreme cases, the OnStar / Bluelink / et al. system can actively end a felon's joyride by cutting throttle, braking, or cutting the engine entirely. Then it can honk and flash the lights to attract the authorities' attention.

This is my main problem with the whole debate: any system that can do this kind of thing can also be used for less welcome purposes.

Car theft is essentially a solved problem without any remote control needed. Technologies like immobilisers have become so good that stealing the car keys has been the preferred technique for some time. Trackers, which need no integration with any control system, provide an effective deterrent and means for police to locate a vehicle that has literally been put on the back of a lorry.

Again, YMMV, but personally I would rather be careful about where I keep my keys than risk a hostile party, or simply a human error or software bug, doing something like cutting the engine and applying the brakes when I'm driving at high speed or through a hazardous area.

about two weeks ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:An easier solution (120 comments)

You find me a human driver who never makes a mistake, and I'll find you someone who has little need for ABS, ESC and their friends.

No human can outperform a modern ABS system using manual cadence braking. ABS is essentially cadence braking judged at the speed of a computer and applied to each wheel independently.

You don't need to control a skid you never got into.

And speaking of skids, for driving on public roads under normal conditions, I don't know what handbrake turns have to do with the price of fish.

about two weeks ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:Shouldn't be necessary, but if it is... (120 comments)

It's the combination of Wifi/remote accessible parts of a system, that once gotten into leads to total control.

Exactly. Think how many people run WiFi in their homes that is insecure. Now imagine a world where every script kiddie with a grudge can kill everyone in each of those homes just by running some software they found on the Internet.

about two weeks ago
Hackers Demand Automakers Get Serious About Security

Anonymous Brave Guy Re:Shouldn't be necessary, but if it is... (120 comments)

I'm afraid I don't buy your examples.

Why does anyone need the ability to mess around with starting my car remotely, ever? I see no need to start my car if I'm not in the driver's seat, and if I'm in the driver's seat and we've got cell reception, why can't I just turn the key or push the button?

Accident detection and related safety systems absolutely should be independent of engine control and the like. Why can't they be? (If your answer involves having both the normal control systems and the safety systems relying on common sensors, please consider that there is a significant likelihood that if an accident happened it was precisely because something electronic or sensor-related failed, and therefore you really want redundancy here.)

As for recovering my car in case of theft... Unless you are suggesting that someone is going to take over control of my car and auto-pilot it home against the will of someone physically in the driver's seat, again I don't buy it. And if you are suggesting that, I really don't want that system in my car. If I'm in the driver's seat and responsible for what happens with my vehicle, then any system that someone could use to take over lawfully and drive my car is also by definition vulnerable to being taken over unlawfully and used to crash my car, and I know which one I am more concerned about.

about two weeks ago

Submissions

YouTube blocking premium music videos in UK

Anonymous Brave Guy writes | more than 5 years ago

Anonymous Brave Guy (457657) writes "What happens when the might of Google clashes with the might of Big Media? We're about to find out: after failing to negotiate a licensing deal with the PRS (one of the UK's collective licensing bodies for music), YouTube has simply pulled the plug, and as of 6pm Monday, premium music videos will start disappearing for visitors from the UK. From the BBC article, it seems the PRS asked for an unspecified but large increase in the royalties, and when Google worked out that they would actually be losing money on the service at that price, they firmly declined. The PRS has asked YouTube to reconsider as a "matter of urgency"."
Virgin's demise: illustrating the problem with DRM

Anonymous Brave Guy writes | more than 6 years ago

Anonymous Brave Guy (457657) writes "The BBC have an interesting article up today about the demise of Virgin Digital, which has offered music on a monthly subscription system, and how this is leaving their customers in a jam because they signed up to a DRM-based subscription service. This is no doubt not a new concern to many here, but it's the second real-life example of such a service folding within a matter of weeks, and interesting that a well-regarded mainstream news source is now openly condemning DRM and vendor lock-in, and advising people to avoid such services."
Anonymous Brave Guy writes | more than 7 years ago

Anonymous Brave Guy (457657) writes "The BBC reports that CD-Wow, the third largest on-line music retailer in the UK after Amazon and Play, has been found in contempt of court for selling illegally imported CDs into the UK. Describing the verdict as "CD woe", the company claimed that all they were doing was bringing CDs into the UK that had been legitimately purchased from the big media companies elsewhere, with any breach of copyright down to human error, and that "At a time when the record industry is losing vast revenue to piracy, it seems ludicrous that they can set out to destroy a section of the market that is actually making them money.""
Anonymous Brave Guy writes | more than 7 years ago

Anonymous Brave Guy (457657) writes "The Gowers Review of Intellectual Property, a large-scale, government-commissioned review of the current IP framework in the UK, has today published its final report. The report itself doesn't seem to be available yet, but the government's response (which includes a summary of the Gowers recommendations) is contained in the pre-budget report, linked from the same site.

Highlights include: proposing much stronger enforcement/penalties for infringement of IP rights, possibly including a fast-track litigation process and up to 10 years in prison for on-line copyright infringement; introducing a "private copying" exception to legalise format-shifting; and a recommendation that the European Commission should not extend copyright protection in sound recordings and performers' rights any further than the existing 50 years.

The government seems to be endorsing the Gowers recommendations pretty much in their entirety, and in particular has acknowledged the recommendation on not extending copyright terms via the European back door."
Anonymous Brave Guy writes | more than 7 years ago

Anonymous Brave Guy (457657) writes "It looks like Tesco, the UK's biggest supermarket, is planning to take on software giants like Microsoft with a new range of cheap, own-brand software covering office apps, photo editing and more. Tesco's Daniel Cook said, "When it comes to software there is little choice and prices are high. Our new range of software changes this." There's no sign yet on Tesco's web site, but an October date is mentioned in the BBC article. Sounds like a good time to be buying sell options... But in which company?"

Journals

Anonymous Brave Guy has no journal entries.