
Comments


I prefer my peppers ...

Rene S. Hollan Re:Sriracha (285 comments)

Subway's Sriracha is adulterated with mayo. Not exactly great for the diet. Idiots: they have mayo. If people wanted both, they could ASK for both. But, no.....

about a month ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

Actually, we'd push the CA on the enterprise desktops to make the "experience" identical to it not being there, because the product was advertised as "transparent" to traffic, for some marketing-speak definition of "transparent".

The bottom line is "do that which makes customers complain the least".

If enough employees complained that this interception and certificate resigning was unacceptable, or not disclosed clearly enough, things might change. They don't.

For my part, I was satisfied that the decrypted traffic would not leave the appliance. Of course, someone could later change things so this was possible, but one can't object to useful, legitimate functions, because another might expend non-trivial effort to twist them to nefarious ends.

about a month and a half ago

Crowdsourcing Confirms: Websites Inaccessible on Comcast

Rene S. Hollan Biz AND Residential connections (349 comments)

Hmm. I have BOTH Comcast residential and business class service. I wonder if the responses are different.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

Really? Adding untrusted sites always struck me as trivial.

We supported PKI integration simply to avoid the manpower lost in constantly trusting such sites, or having to manually import certs.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

Furthermore, the mechanism is in the product to NOT decrypt and reencrypt selected sensitive whitelisted sites. The purchaser of the appliance has complete control.

It also does not work for some web applications which HAVE to be whitelisted because they do not permit import of new trust credentials.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

Pfft.

Your whole privacy argument fails in the legal context because the unencrypted data does not leave the appliance.

Trust me, my employer and their lawyers went over these issues with great care, and I raised many of the concerns you pointed out. The issue hinges on two points:
1) unencrypted data does not leave the box (except when the box actually does SSL termination), and 2) non-modified browsers (such as BYOD equipment) would pop up a Certificate validation error.

At that point it becomes an HR education issue.

about a month and a half ago

Apple Refuses To Unlock Bequeathed iPad

Rene S. Hollan Re:Why? (465 comments)

Perhaps, but anything not belonging to third parties DOES belong to the deceased and should be bequeathed as directed.

Now, getting a court order in a case like this should be trivial: the order is quite specific, the motion to the court to make the order simple, and the evidence clear.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

No, people do not lose their individuality at work, but they should have a reasonable understanding of their use of corporate resources, and most HR departments issue employee handbooks that spell this out, including any monitoring of computing or network resources that may take place.

As for being "tricked", only a fool would consider equipment not their own to respect their privacy wishes without engaging in some due diligence: either establishing a VPN to trusted equipment, or carefully examining the trust anchors the equipment they use has installed.

A better complaint might be to question the use of such equipment in public access networks, with forged CA certs. Proper practice would have a captive portal explaining policy, and using a clearly non-standard resigning CA that had to be explicitly accepted. But still, it is ultimately the user's responsibility to establish due diligence with regard to network security.

There is nothing inherently nefarious about resigning SSL traffic. In fact, in the public access scenario it helps thwart drive-by virus attacks and other malware through secure web sessions, at the expense of end user privacy. Do what us "in the know" do: set up a VPN to trusted servers.

In any case, the problem only arises when using equipment administered by others with prior installation of the trusted resigning CA cert: your own equipment, lacking the cert, would CLEARLY indicate signing by an untrusted source. That strikes me as an appropriate balance: you have no expectation of privacy using someone else's computer!

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

Wrong: behind our corporate router, it's our network. The users are in our employ. That's the reasoning.

And the notice is in the trusted certs installed on the client PCs.

End to end security was in place AS FAR AS THE CORPORATE ORGANIZATION IS CONCERNED. Security from the standpoint of the employee is a different issue that the employee has to take up with the employer.

Do you really think your corporate network traffic is secure from your employer? It's easy enough for you to check, you know.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

HTTP Proxy, SMTP Proxy "encrypted traffic" features. (There was also an HTTPS proxy, but all it did was drop connections to destinations on a blacklist by domain name as specified by the certificate the remote server provided: it did not decrypt, reencrypt, and resign).

It properly IS a proxy since it proxies the traffic for you. Whether you consider that a MITM attack on encrypted traffic depends on whether you trust the proxy or not.

SSL does not prevent MITM attacks: it just makes MITM mangling of encrypted traffic discoverable. IF the "man" is "your man" (or your employer's man) then it presumably is not an attack.

Realize the target audience of vendors of products like these: IT managers who want to "protect" against malicious traffic, whether encrypted or not. Of course we can only do that as a MITM. But the way they see it, all network connections "inside" are "theirs", so our box is "their" man in the middle. Often they are clueless and just ask salesmen "Does it work with HTTPS and SMTP/STARTTLS and SMTP/SSL?" without knowing what that means, only that encrypted traffic is "difficult" to scan.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Will be the norm shortly.... (572 comments)

There are non-nefarious uses for this: SPAM and virus filtering of encrypted email and blocking of undesirable encrypted web content.

As for being a mini-NSA, the appliances that I helped develop to do this did not allow unencrypted traffic to leave the box (unless we were deliberately doing ingress SSL-termination), though theoretically someone could hack the box to do this.

The best way to assure users of such a proxy that their content is not being monitored is to disclose the make, model, and configuration of the appliance and, short of a hacked appliance, decide for themselves if the plain text content is constrained to be in the appliance.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

Oh, we also did SPAM filtering on encrypted email with this capability.

There are non-nefarious reasons for an organization wanting to do this, though it clearly compromises end-to-end security if either end does not trust the organization deploying it.

about a month and a half ago

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Rene S. Hollan Re:Not MITM (572 comments)

At a former employer, we produced firewall hardware where this was SPECIFICALLY available as a feature. In fact, I developed the software for it. The certificates provided by the external servers are resigned by a CA cert installed on the appliance which is accepted by client machines behind it. Our equipment allowed the option of generating an internal CA cert, which would then be exported to all clients; generate a Certificate Signing Request, which could be signed by a CA already trusted by clients and imported back to the appliance (if the organization had its own PKI infrastructure); or allow a resigning certificate and key to be imported.

The justification is simply this: "Our network, our traffic."

The practical reasons for this are to permit the firewall to do virus scanning on encrypted web pages and email (I handled SMTP STARTTLS and SMTP/SSL as well).

At least as far as the work I did went, there was no official way to take the plain text traffic off the appliance - it was not "designed" to snoop on employee traffic, though if someone managed to hack the appliance this would be theoretically possible.

Of course, if you are a contractor or employee concerned about the confidentiality of your traffic, you should exercise due diligence with regard to the CAs your machine trusts.

In our case, we DID have the capability to specify domain names for which this resigning would not be done: those that were "trusted" by the organization installing the firewall. This made it possible to go the extra mile and make some banking site traffic secure end-to-end, but it was on a site by site basis.

As I recall, I left the employ of this company prior to SNI support ever being implemented (we barely supported TLS 1.1, and certainly not TLS 1.2 when I was there, much to my protestations, and SNI is a TLS 1.2 Client Hello extension).

The appliance could also be used in a reverse-fashion: protecting web servers (but not virtual ones, for lack of SNI support, unless they shared a domain name), where it could just do SSL termination, with the site-specific certificate (presumably signed by a CA trusted by most browsers), though we allowed resigning here as well, in the event the internal traffic had to remain encrypted.


about a month and a half ago
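The comment above describes two things an interception appliance needs: a per-domain bypass list for sites that should stay end-to-end encrypted, and (missing in the author's product) SNI support, which is what lets the proxy learn the destination host name from the ClientHello before it has contacted the upstream server. The following added example, which is not code from the appliance or from the commenter, shows that decision point: it builds a minimal ClientHello carrying an SNI extension, parses the host name back out, and matches it against a constructed bypass list (`BYPASS_DOMAINS`, `build_client_hello`, `extract_sni`, `decide` are all names invented here). When no SNI is present the function reports that, since the proxy then has to fall back to the server's certificate, as the comment's HTTPS proxy did.

```python
"""Decide whether a TLS interception proxy should resign a connection or let
it pass through untouched, based on the SNI host name in the ClientHello.
Added illustration; the sample hello and bypass list are constructed."""
import struct

# Constructed bypass list: domains the organization leaves end-to-end encrypted.
# A leading dot means "this domain and all of its subdomains".
BYPASS_DOMAINS = ["bank.example", ".payroll.example"]


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with one SNI entry.
    Constructed for the example; real clients send more suites and
    extensions, but the layout parsed below is the same."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + 32-byte random
            + b"\x00"                        # session_id length 0
            + b"\x00\x02" + b"\x00\x2f"      # one cipher suite
            + b"\x01\x00"                    # one compression method (null)
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension (lower-cased), or None if
    the record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                       # handshake header, version, random
    if pos >= len(hs):
        return None
    sid_len = hs[pos]; pos += 1 + sid_len
    if pos + 2 > len(hs):
        return None
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    if pos + 1 > len(hs):
        return None
    comp_len = hs[pos]; pos += 1 + comp_len
    if pos + 2 > len(hs):
        return None                        # no extensions block at all (older clients)
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        if etype != 0:
            continue
        # ServerNameList: 2-byte list length, then entries of type(1) length(2) name
        p = 2
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]; p += 3
            name = data[p:p + nlen]; p += nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii").lower()
                except UnicodeDecodeError:
                    return None
    return None


def should_bypass(host, bypass=BYPASS_DOMAINS) -> bool:
    """True if the host is on the bypass list (exact match, or suffix match
    for entries written with a leading dot)."""
    if host is None:
        return False
    for entry in bypass:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(record: bytes, bypass=BYPASS_DOMAINS) -> str:
    """'passthrough' for bypassed hosts, 'resign' otherwise, and 'no-sni' when
    the hello gives no host name and the server certificate must decide."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    return "passthrough" if should_bypass(host, bypass) else "resign"


if __name__ == "__main__":
    for name in ["bank.example", "mail.payroll.example", "www.bank.example"]:
        print(name, "->", decide(build_client_hello(name)))
```

Note that `bank.example` without the leading dot covers only that exact name, so `www.bank.example` is still resigned; the bypass list has to be written with the same care as any other allow-list, and a malformed or SNI-less hello must not be treated as a match.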

Inmates Program Logistics App For Prison

Rene S. Hollan Re:Food in prison is a commodity. It’s curre (98 comments)

It's not supposed to be a currency: prisoners are all supposed to be fed the same thing and are not allowed to swap or trade items.

I don't know where this choice of "popular" comes from: if you don't want to eat something, it gets discarded after being served to you.

about 6 months ago

Shots Fired At US Capitol

Rene S. Hollan Re:Isn't it empty? (608 comments)

No.

A terrorist is someone who acts to frighten the public at large, often with the aim to incite political pressure on the government to stop doing whatever it is they do to which the terrorist objects.

A citizen shooting at their government is not a terrorist, but rather a rebel.

about 7 months ago

Shots Fired At US Capitol

Rene S. Hollan Re:Zombies. (608 comments)

Wrong.

Employees can not use employer insurance subsidies to purchase Obamacare, only insurance through their employer. The exemption in question specifically permits members of congress to do just that: use their employer's (that is us, via our tax dollars), insurance subsidy to purchase Obamacare.

They could have at least tried to obscure this with a commensurate (taxable) pay increase, but were so bold as to not even bother with the faintest attempt to hide their corruption.

about 7 months ago

Yahoo CEO Says It Would Be Treason To Decline To Cooperate With the NSA

Rene S. Hollan CEO needs to read the U.S. Constitution (524 comments)

"Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court. The Congress shall have Power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted."

-- U.S. Constitution, Article III, section 3.

So... bullshit.

about 7 months ago

Social Media Is a New Vector For Mass Psychogenic Illness

Rene S. Hollan The Shadow People (373 comments)

There was a (bad) horror movie along this principle: people dying in their sleep from no known cause. Apparently, if people believed that "shadow people" were out to get them, a negative placebo effect would take place, and they'd actually die from the belief alone.

The protagonist trying to expose the phenomenon was convinced, at the last moment, not to, lest an epidemic result.

about 7 months ago

Ask Slashdot: How Do You Fight Usage Caps?

Rene S. Hollan Re: Caps (353 comments)

And in my area that gets you a static IP and you can run whatever server you want. They do prefer that you don't run open relays on port 25, but that's reasonable.

about 8 months ago

US Charges Edward Snowden With Espionage

Rene S. Hollan Re:Should Have be Charged With Treason (442 comments)

If Obama's arming of al-Qaeda friendly rebels in Syria isn't "adhering to their enemies, giving them aid...", I don't know what is.

about 10 months ago

Submissions


FBI: U.S. Constitution supporters "Terrorists"

Rene S. Hollan writes | more than 3 years ago

Rene S. Hollan (1943) writes "Also, the pamphlet alluded to is here: http://www.radioliberty.com/fbipam.htm

This was brought to my attention on a Facebook page.

To be fair, the offending phrase is "'defenders' of the U.S. Constitution against federal government and the UN" suggesting some form of perversion or extremism in said "defense". But it was Barry Goldwater who said, "Extremism in the defense of liberty is no vice; moderation in the pursuit of justice is no virtue" at the 1964 Republican Convention in a sentence attributed to his speech writer Karl Hess.

Coming from a federal organization sworn to uphold said Constitution, this is troubling."


Journals

Rene S. Hollan has no journal entries.
