Comments


Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

You're cute. I've done this shit for a living for a while. Yes, many companies' incident response procedures are crap, but they shouldn't be, and it is perfectly possible to get an emergency countermeasure deployed within 24 hours with all the t's crossed and i's dotted and perfect SOX compliance and whatever else you need. It's just something you need to think about before the emergency hits you.

6 hours ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:Not that good (171 comments)

Of course everything else is never equal.

But what are you trying to accomplish here? Argue that a project with 100 developers has more eyes on the code than one with 4? Moot point, no argument.

We don't get the luxury of having 50 identical software projects with different team sizes and a size control, so we have to go with the real world and "everything else being equal" is just a way of saying that if you want to compare closed vs. open source, you need to compare comparable projects, not an open source project with a handful of people with a closed source project two orders of magnitude larger - or the other way around.

6 hours ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:wtf ? (171 comments)

There's a difference?

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

sysadmin, firewall admin - let's not pick nits here. The point is that there are mitigating measures, and if signing off on something that prevents your company secrets leaking out to the Internet without you even noticing takes more than 24 hours then your incident response procedures are retarded and you can hire me for a workshop to improve them dramatically.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

Yeah, there was absolutely nothing anyone could do. Oh wait, except for this brutally complex and technically challenging thing right from the official vulnerability announcement:

This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.

That was definitely not a feasible option for anyone on the planet...

yesterday
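The mitigation quoted in that advisory (rebuild with heartbeats compiled out, then restart everything linked against OpenSSL) leaves two things a sysadmin would want to verify afterwards. This is an added example, not code from the thread or from the OpenSSL project; it assumes that `openssl version -a` lists the build's compiler flags on its "compiler:" line and that Linux marks a replaced shared library "(deleted)" in /proc/PID/maps.

```shell
#!/bin/sh
# Post-mitigation checks for the OpenSSL no-heartbeats workaround.
# Added example; not code from the thread or from the OpenSSL project.
#
# Check 1: does the installed OpenSSL report a build with heartbeats compiled out?
#   Assumption: `openssl version -a` prints the build's CFLAGS on a line that
#   starts with "compiler:", so a build configured with no-heartbeats shows
#   -DOPENSSL_NO_HEARTBEATS there.
# Check 2: which running processes still have an old, since-replaced libssl
#   mapped? Linux marks such mappings "(deleted)" in /proc/PID/maps; those are
#   exactly the processes the advisory says must be restarted.

# heartbeats_disabled TEXT: succeed when TEXT (output of `openssl version -a`)
# carries the no-heartbeats flag on the compiler line.
heartbeats_disabled() {
    printf '%s\n' "$1" | grep -q '^compiler:.*-DOPENSSL_NO_HEARTBEATS'
}

# stale_libssl_pids PROCROOT: print one PID per line for every process under
# PROCROOT (normally /proc) whose maps still reference a deleted libssl.
stale_libssl_pids() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl\.so.*(deleted)' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            echo "${pid##*/}"
        fi
    done
}

# Run both checks against the live system and report.
check_system() {
    if heartbeats_disabled "$(openssl version -a 2>/dev/null)"; then
        echo "openssl: heartbeats compiled out"
    else
        echo "openssl: heartbeats NOT compiled out (or flag not visible); upgrade or rebuild"
    fi
    stale="$(stale_libssl_pids /proc)"
    if [ -n "$stale" ]; then
        echo "processes still mapping a replaced libssl (restart needed):"
        echo "$stale"
    else
        echo "no process maps a deleted libssl"
    fi
}

# Constructed sample `openssl version -a` output so the check runs offline.
SAMPLE_VERSION_PATCHED='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 10:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3'
SAMPLE_VERSION_VULN='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3'

# Constructed fake /proc tree: PID 1234 still maps the deleted library,
# PID 5678 already maps the fresh one. Prints the temp directory path.
make_fake_proc() {
    d="$(mktemp -d)"
    mkdir -p "$d/1234" "$d/5678"
    printf '7f00-7f10 r-xp 00000000 08:01 1 /usr/lib/libssl.so.1.0.0 (deleted)\n' > "$d/1234/maps"
    printf '7f00-7f10 r-xp 00000000 08:01 2 /usr/lib/libssl.so.1.0.0\n' > "$d/5678/maps"
    echo "$d"
}

# Invoke with --live to run the checks on the real host.
if [ "${1:-}" = "--live" ]; then
    check_system
fi
```

A process that shows up in the second check keeps serving with the old code no matter what the library on disk says, which is why the advisory's restart step is not optional.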

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

You are right on those.

Except for the "nothing can be done" part. That's not your judgement call to make. There is always at least one option - pulling the power plug - and it might well be a feasible temporary solution for some people affected.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

Absolutely.

But we were talking about mitigating measures. That is almost never patch and recompile, it's things like turning off a service, changing the firewall rules, moving servers into a different network - things that are very much within the duties of the sysadmin (with proper clearance and risk acceptance by management, etc. etc.)

Basically, if you have a bug that makes your internal network open to the world, but you can avoid it by disabling feature X in the config file, and your company doesn't require feature X, then that's something the sysadmin can do, and he can do it right now, while the vendor is working on a patch.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

The thing is that the manufacturer must not be the one to set the time they get to fix this

I agree on that 100%

most people are not able to do anything without patch.

That depends a lot on the particular problem. In many cases, there are mitigating measures that can be taken until a patch is available, and I'd argue strongly that the people affected should make the call on that, not you or I or anyone else.

By withholding information, you are making decisions for other people. But you are not in a position to make that call, because you are not the one who suffers the consequences.

I advocate for giving everyone all the information so they all can act according to their needs and abilities. I argue for letting people make their own decisions.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:What (171 comments)

See other reply.

Yes, of course, a closed source development that does external code reviews can have more eyes on the project than an open source development that does no external code reviews. But then you're comparing apples and oranges.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:Not that good (171 comments)

I didn't say it's the thousands of eyes that fanatics claim.

I'm simply saying that if your source code is open, your number of eyes on the project is (dev team) + (people looking at it) while for a closed source project the number is (dev team).

Since "people" cannot be negative, by necessity (dev team) + (other people) >= (dev team)

How does that guarantee that more experts will review a given piece of security code than in a proprietary, closed-source, locked-up development organisation that also has mandatory code reviews?

It doesn't.

It does guarantee that the number of reviewers is equal to or higher, provided everything else is equal.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

Yes, this argument is being made a million times and it doesn't prove anything because it rests on so many assumptions that may or may not be true that its total truth value is about as good as tossing a coin.

The two most important:

First, you assume that the official patch is the only thing that can be done. In many, many cases there are other (temporary) measures that can be taken to mitigate a problem or limit its impact. Who are you to decide for everyone on the planet with their different needs and scenarios which is better?

Second, you assume that there are thousands of hackers who didn't know about it. Yes, it is likely that the number of bad guys knowing about the problem was less than 100% before the announcement. But any real professional doesn't care about number of hackers, he cares about risk, which is number multiplied by impact. If the people who are the worst danger to my business and are most likely to target me already have the exploit, I don't give a fuck about a thousand random script kiddies also getting it.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

So are you going to take your server offline until there is a patch?

Depends, but yes for many non-essential services, that is indeed an option. Imagine your actual web service doesn't use SSL, but your admin backend does. It's used only by employees on the road, because internal employees access it through the internal network.

Sure you can turn that off for a week. It's a bit of trouble, but much better than leaking all your data.

Or if it's not about your web service, but about that SSL-secured VPN access to your external network? If you can live without home office for a week, you can turn that off and wait for the patch, yes.

Most importantly, who are you to decide that everyone should wait for a patch instead of giving people the opportunity to deploy such mitigating measures?

I think giving the software vendor 2 weeks to fix the bug (...) is reasonable

People don't learn.

We used to do that.

Full disclosure evolved primarily as a countermeasure because vendors took those grace periods not as a "we need to get this fixed in that time", but as a "cool, we can sit on our arses doing nothing for another two weeks".

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

As usual, the answer lies somewhere between extremes.

My preferred choice of being left alone or being beaten to a pulp is being left alone, not some compromise in the middle, thank you. Just because there are two opposing positions doesn't mean that the answer lies in the middle.

I've given more extensive reasoning elsewhere, but it boils down to proponents of "responsible disclosure" conveniently forgetting to consider that every delay also helps those bad guys who are in possession of the exploit. Not only can they use it for longer, they can also use it for longer against targets who don't know they are vulnerable.

Many, many companies run non-essential services that they would not hesitate to shut down for a few days if they knew that there's an exploit that endangers their internal systems. Other companies could deploy mitigating measures while waiting for the patch.

Don't pretend sysadmins are powerlessly waiting with big eyes for the almighty vendor to issue a patch.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:wtf ? (171 comments)

There's a black market where you can buy and sell 0-days.

Sure you give it to more people (and for free) than before. But the really dangerous people are more likely than not to already have it.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:"the underground" (171 comments)

That is true. However, you also need to take a few other things into account. I'll not go into detail, I think everyone has enough knowledge and imagination to fill in the blanks:

  • There is an actual black market for exploits where they are bought and sold.
  • Not announcing a weakness withholds the information not just from the bad guys, but also from sysadmins, preventing mitigating measures and proper risk awareness.
  • We have over 20 years of history proving that vendors regularly move slower or not at all until a weakness is making headlines.
  • There have been many cases where several researchers had partial information about an exploit, and only once combined was the true impact known. For example, one researcher might know about the problem and how to exploit it, but thinks it can't be leveraged to a compromise. Another might know about the potential compromise, but think it can't be triggered in a real-world scenario.

Despite all the theoretical arguments seemingly in favour, security through obscurity does not work and we've known that for like forever.

yesterday

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:Not that good (171 comments)

Several fundamental mistakes in there.

First, OpenSSL is not typical of Free Software. Cryptography is always hard, and unlike, say, an Office Suite, it will often break spectacularly if a small part is wrong. While the bug is serious and all, it's not typical. The vast majority of bugs in Free Software are orders of magnitude less serious.

Second, yes it is true that the notion that anyone can review the source code doesn't mean anyone will actually do it. However, no matter how you look at it, the number of people who actually do will always be equal or higher than for closed source software.

Third, the major flagships of Free Software are sometimes, but not always, picked for price. When you're a Fortune 500 company, you don't need to choose Apache to save some bucks. A site license of almost any software will be a negligible part of your operating budget.

And, 3b or so, contrary to what you claim, quite a few companies contribute considerable amounts of money to Free Software projects, especially in the form of paid-for support or membership in things like the Apache Foundation. That's because they realize that this is much cheaper than having to maintain comparable software on their own.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom Re:WTF? (171 comments)

The only possible way is to disclose to the responsible manufacturer (OpenSSL) and nobody else first, then, after a delay given to the manufacturer to fix the issue, disclose to everybody. Nothing else works. All disclosures to others have a high risk of leaking. (The one to the manufacturer also has a risk of leaking, but that cannot be avoided.)

It's not about leaking. The reason I'm not alone in the security community to rage against this "responsible disclosure" bullshit is not that we fear leaks, but that we know most of the exploits are already in the wild by the time someone on the whitehat side discovers it.

Every day you delay the public announcements is another day that servers are being broken into.

2 days ago

Heartbleed Sparks 'Responsible' Disclosure Debate

Tom wtf ? (171 comments)

IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed 'responsibly.'

Are you fucking kidding me? What kind of so-called "experts" are these morons?

Newsflash: The vast majority of 0-days are known in the underground long before they are disclosed publicly. In fact, quite a few exploits are found because - drumroll - they are actively being exploited in the wild and someone's honeypot is hit or a forensic analysis turns it up.

Unless you have really, really good reasons to assume that this bug is unknown even to people whose day-to-day business is to find these kinds of bugs, there is nothing "responsible" in delaying disclosure. So what if a few script-kiddies can now rush a script and do some shit? Every day you wait is one day less for the script kiddies, but one day more for the real criminals.

Stop living in la-la-land or in 1985. The evil people on the Internet aren't curious teenagers anymore, but large-scale organized crime. If you think they need to read advisories to find exploits, you're living under a rock.

2 days ago

Mercedes Pooh-Poohs Tesla, Says It Has "Limited Potential"

Tom IBM (349 comments)

"I think there is a world market for maybe five computers"

Even if Thomas J. Watson never actually said it, the quote fits well here. Or you could say "company says competitor has limited potential, news at 11".

2 days ago

First Glow-In-the-Dark Road Debuts In Netherlands

Tom Re:Maybe that's intresting trivia to you... (184 comments)

Fernlicht goes further. At night in the countryside, you can often use it because you're literally the only car on the road.

Or maybe that's just me because when I drive long distances at night, I make it deep in the night so there's no traffic.

I've rarely driven through NRW, but at the northern edge to Niedersachsen, around Osnabrück for example, there are definitely lights on the Autobahn. There most definitely are in Berlin, Hamburg, etc. But yes, it's mostly near and in the large cities.

5 days ago

Submissions


Supreme Court strengthens First Sale Doctrine

Tom Tom writes  |  about a year ago

Tom writes "The Supreme Court has sided with Supap Kirtsaeng regarding the resale of textbooks. Publisher Wiley had tried to keep a $600,000 judgement from the lower courts because the student had sold textbooks in the US that he had imported from his home country Thailand, where they are sold much cheaper. The Supreme Court ruled that while it realizes that US companies often try to get different prices in different markets, the copyright law does not provide a right to such business models."
Link to Original Source

Hotfile countersues Warner

Tom Tom writes  |  more than 2 years ago

Tom (822) writes "Hotfile went out of its way to bow to the movie industry and gave the likes of Warner a special account that they could use to delete content — any content. Apparently, that's just what they did, as Hotfile's countersuit claims after Warner sued them anyways. They claim Warner deleted Public Domain content, Free Software and many other items that could not possibly be confused with copyrighted movies if one took even a single look.
The funny part? They are suing Warner under the DMCA, the very law the music industry bought/bribed for themselves."

Link to Original Source

MS loses European anti-trust case

Tom Tom writes  |  more than 6 years ago

Tom writes "The court has spoken in Microsoft's case against the EU anti-trust commission, and the result is even more damaging to the monopoly company than analysts expected.
The court upholds all major decisions of the commission, including the record half a billion Euro fines. Most importantly, it smacks down MS's entire defense line of 'we can't make interoperability possible because we need to protect our copyrights and patents'."

Link to Original Source

Journals


The Trolls

Tom Tom writes  |  about two weeks ago

Wow, it's been 15 years but I've finally got my own personal troll! :-)

I must apologize to everyone I've ever called a troll now that I've seen a real one. Yeah, there are trollish comments, but this... it's a different league. If you ever wondered who these brain-damaged morons were who set up geocities homepages with blinking purple text on blue background with red dots in Comic Sans - that kind of different league.

Now it does make me wonder about trolls in general. Has there been a study on this? I really wonder if psychologists have tackled this because quite honestly, you cannot be mentally stable and post in this and this content at the same time. So I do wonder if trolls on the Internet (the real trolls, not the people occasionally posting something stupid) do have a mental problem. It definitely looks like it. Probably insecurity issues, definitely an exaggerated need for attention, might be related to borderline syndrome or schizophrenia.

And, of course, the Internet provides:

As someone who has had to deal with family members suffering from mental illness, let me tell you that it's not funny. So despite the fact that they are, in fact, obnoxious, aggravating assholes, these sad little fucks also need help and their miserable little existence is not something you'd want to trade for yours, no matter how much you think your life sucks. Trust me, with a mental illness on top, it'll suck more.

Obviously, we can't offer therapy to people who usually comment anonymously and will often go to great lengths to avoid being tracked down. What we can do, however, is get a better understanding for how they act this way (they can't help it, mental illness is stronger than your conscious mind) and that the best thing we can do for them is to not continue the feedback loop. "Don't feed the trolls" - old wisdom there.

The last link in that list contains a few more ideas.

Now that I'm at the end, I kind of regret the smiley face at the top. But I'm leaving it in because this journal entry is a bit of a journey, even if it is short. Thanks to some Internet resources, a bit of research and connecting the dots, I've come a short way, changing my mind a little on this particular sub-sub-sub-part of life.

-----

A short additional statement on how to treat trolling. From what I've gathered from the resources above, a few comments (both here and in the various spammed threads) and my own life experience:

First, don't feed the trolls. Most of them seek attention, so if you stop giving it to them, they become frustrated and go away. Notice that they seek attention, not validation. A rebuke or an angry rant or even a shootout of personal insults satisfies them as much as anything else. Much like the old PR saying "there is no negative publicity", it is all about the attention itself, not about its content.

Second, stand your ground. Do not leave the site or stop commenting just because you're being trolled. It takes a bit to do that, yes. Trolls consider it a "victory" if they shut you up, either by simple flooding or by frustrating you enough to disappear. In their twisted minds, it gives them validation and somehow proves that they were right.

Third, if you see someone else being trolled, give them support. Doesn't take much - a single sentence is more than enough. Someone under attack by a real troll is being flooded. The troll will commonly post under multiple aliases or otherwise attempt to appear as more than one person. Psychological experiments such as Solomon Asch's show how we humans as social animals experience conformance pressure. So give that other person support by showing him that the flood he's getting is not the only opinion around. It doesn't matter if he consciously knows it's just one troll, the pressure is subconscious.

-----

I'd like to have comments disabled on this journal entry, for obvious reasons, but you can't publish a journal entry with comments disabled, so... 1000:1 bet that he's stalking the journal as well and will add his drivel below?

Also, if the formatting looks atrocious, turn off beta and revert to classic. Seriously.


The "new" and "de-improved" Slashdot

Tom Tom writes  |  more than 4 years ago

If you've known /. for a while, you've certainly noticed all the recent changes. The front page articles auto-load-extend (presumably through AJAX code), the link to get to your own page has moved twice, and now there are two (that both look alike - your username - but work differently), and checking if anyone has replied to your comments has been a two-click journey instead of the old one-click for a while now.

Then there's the annoying inline popup (so it's not caught by popup blockers) that tells you that "Firehose is paused due to inactivity". Whatever that means, it doesn't seem nearly important enough to interrupt my reading.

Quite frankly, from a user interface design standpoint, the "new" slashdot sucks. Badly. Maybe I'll try disabling all javascript for slashdot.org and check if that improves the experience.


Giving up on Wikipedia

Tom Tom writes  |  more than 6 years ago

I'm giving up on Wikipedia today. Which means no more editing, and a lot less using it.

The reason is one word: Deletionism.

The details are three points:

a) It goes so against the spirit of Wiki, because a deletion is a non-reversible, non-reviewable change. The history gets lost, all work of everyone gets lost, and nobody can see and check it later. Every other change in a Wiki is documented, and you can see exactly what was changed, by whom, and when. Not so with a deletion. If you are lucky, you can find out that there used to be a page named this, but nothing about its contents.

b) It is destructive. You put hours of work into something, and it just gets deleted. Not updated, changed or even vandalised, but deleted. Poof, gone, as if it never existed. Have you ever lost your documents folder with no backup? Then you know the empty feeling. Don't do that to people, especially not those who might be new (and could have become worthy contributors, if they hadn't been hit in the face for their first attempt).

c) Notability-Nazis. Some time ago, the main reasons for deletion were actually valid. Nowadays, the main reason for deletion is notability, or in simpler words "I've never heard about this". My position on notability is very simple: Add a "non-notable" category, namespace or at least archive and move stuff there, but it should not even be on the list of reasons for deletion. To me, an encyclopedia is where I look up the stuff that I've never heard about, so it'd better be there.

So for all these reasons, and a few minor ones, I've really switched sides over the past few weeks. I think I even begin to understand why large parts of the science community view Wikipedia with scepticism, and that much of the media's portrayal of their reasons is grossly simplified.
