Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

W3C Says Don't Use HTML5 Yet

azrider Re:W3C is the problem (205 comments)

>To replicate, cut and paste this into your URL bar:
>data:text/html,
>Then type one or two letters in the password field (not more) and try to submit.

Chrome 6.0.472.63 works
Opera 10.62-6438 fails
Firefox 3.6.10 fails

(All on Linux x86-64

about 4 years ago
top

Cryptome Hacked; All Files Deleted

azrider Re:vandalism, nothing more? (170 comments)

And for those who don't want to read the book, he used whatever dot matrix printers he had available. Remote syslog to a machine with WORM media works too.

If you can't afford such writers, mount /var/log (or /var/adm depending on your system) on a remote with a different authentication with the directories as 500(-r-x------) and files as 300(--wx------) with a specific user for whichever syslog variant you use. Then chattr -i on the remote system so that the directory is immutable. On the remote system (if using rolling logs) don't forget to change the logrotate (or other appropriate cron configuration files)

Works every time for system security stuff.

You can tailor the logs for as much or as little as you need. Until the cracker can compromise your remote logging system (which should have different root passwords, no sudo/ssh credentials and no other rot access than the physical console), everything is recorded. Once it is cracked, you will know when it happened, because without the proper credentials on the logging system nothing can be erased.

Tripwire/dnotify/inotify are your friends if you take the time to learn them and if you take the time to set them up properly.

about 4 years ago
top

Cryptome Hacked; All Files Deleted

azrider Re:vandalism, nothing more? (170 comments)

The slash and burn technique serves to cover up all sources of incriminating evidence, and better yet, hides the true motivation of the attacker unless they actually take the time to leave a message behind. You are not likely to find a trail of breadcrumbs laying around if their intent was business rather than pleasure.

Oh, really? See The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (by Clifford Stoll).

about 4 years ago
top

DC Suspends Tests of Online Voting System

azrider For this particular problem, RTFAFGS (170 comments)

Web-based clients are insecure simply because you don't have physical control over them. You don't control the network, the routers, or the client machine. Give me (or some malware author) the client machine, and who cares what you signed on the server or how?

These are military personnel voting (absentee) from overseas. I can guarantee you that I can control the originating network, the terminating network and the client machine.

And by the way, the system extends to 150 million clients running every kind of hardware, software, and configuration imaginable, maybe 25% of which are infected with malware, and to which we have no access and over which we have no control.

See above. If the machines which are eligible to be used to cast the vote are not under some sort of control, there is no way of doing this. However, the number of machines can easily be limited to the command and control structure, which makes this facet of the problem trivial.

If you are talking about people being to vote from home, I heartily agree with Bruce Schneier that the problem may well be intractable, not for reasons of malware, but for the impossibility of testing every potential configuration.

If you limit the problem to the overseas (or otherwise deployed) military, where the time between the absentee ballot becoming available and the last available date to return it, the problem becomes manageable, simply because the change management process for the available terminals can be controlled. Hell, simply send (under cover) a live cd with the software on it to each deployed service member. Now, no malware, no unknown configuration (at least what matters) and enhanced security.

BTW, see my post below.

about 4 years ago
top

DC Suspends Tests of Online Voting System

azrider According to the articles... (170 comments)

The "web site was hacked".

Who in their right mind uses a web served application for something such as this?

This calls for a secured, encrypted application, with a protocol that maintains it's own data security.

It can be done. I built one for the government in 2001:

  • No remote login
  • No ports open except for the three being used for the protocol:
    • Incoming request for software
    • Outgoing Datalink
    • Incoming Datalink
  • Special protocol used for the communication
  • End to end encryption (with AES-CBC signing on all packets except the software download link)
  • Active firewall and IPDS

On a server with one side connected to a classified network (here it would be the counting facility) and one connected to an unclassified network (here it would be the Internet). Gee, it took me and another guy less than 2 weeks from design to active testing.

You would need physical access to the server in order to compromise the end to end system.

Total cost of the demonstration system (excluding our ~60 hours total development) was less than $2000 in 2001. Imagine what we could do with modern equipment.

about 4 years ago
top

Take This GUI and Shove It

azrider Re:Bad GUI and no CLI: way too common (617 comments)

Cisco's GUI stuff doesn't really generate any scripts, but the commands it creates are the same things you'd type into a CLI. And the resulting configuration is just as human-readable (barring any weird naming conventions) as one built using the CLI. I've actually learned an awful lot about the Cisco CLI by using their GUI.

Actually, Cisco's GUI stuff does generate the scripts and then stores the necessary commands in the config file.

Where it falls down completely is that none of them (IOS, ASA, CatOS or PIX) are capable of making all configuration choices. Take a moderately complicated config (split-tunnel VPN) and none of them can create it from the GUI. However, at least it does not overwrite and manual changes.

about 4 years ago
top

Why Warriors, Not Geeks, Run US Cyber Command Posts

azrider Re:I still think it's really dumb (483 comments)

I can understand about military situations being distinctly different from civilian ones. But this seems really dumb. What you want is people who can see patterns in stuff happening that nobody else would notice. You want human intrusion detection.

What you want is people whose training and experience says this smells wrong to me. Those are somewhat common among the higher echelon. What you really want is someone who will stand up to their decision.

The most dangerous cyber attacks are very subtle. I think talent and familiarity with the technical details are much more important than the ability to make quick decisions under intense pressure.

The two are not mutually exclusive. I can (and have and will) make the quick decision (regardless of the pressure) because those that sit above me do not want to second guess my decisions (ask any current or former military about what REMF means). My decision is for me to justify, and I had better be prepared to do so at any time.

The ability to make decisions under a lot of pressure can be an important skill,

Agreed

but spotting things that are subtly off, in my experience, requires intimate familiarity with the environment.

Agreed

A person's technical experience has a much greater correlation with that familiarity than combat experience.

FALSE. My technical expertise determines whether I can identify the threat. My technical (and OPERATIONS RESEARCH) expertise determines whether I can respond to the threat. My experience with the environment determines how I respond to the threat.

Ignore any of the three and see what you get.

about 4 years ago
top

In Canada, Criminal Libel Charges Laid For Criticizing Police

azrider Re:Less protection for free speech? (383 comments)

As the first reply said, is there a citation for that supposed ruling?

You would be more credible if you responded with something that actually backed up your assertion.

Instead, you provided a strawman argument:

The relevant Supreme Court cases (CITATIONS NOT PROVIDED) dealt with the race riots of the 60s and early 70s. During these riots certain black men and white men said things to one another, and were sued for issuing death threats (CITATIONS NOT PROVIDED). The SCOTUS (sic) reviewed the cases upon appeal and determined that "during the course of political protests, speech can become heated" but is nevertheless protected by the First Amendment. The men were let go without punishment.

Without CITATIONS as to the exact situation that was at issue, you are saying that all assault convictions should be voided on the basis of free speech.

I don't know about you, but if someone comes to me and says something to the effect of "I intend to do you bodily harm", I will call the paramedics or the morgue, whichever is appropriate.

more than 4 years ago
top

Developers Fork Mandriva Linux, Creating Mageia

azrider Re:Why not just merge with Fedora or Ubuntu (206 comments)

Fedora's way too experimental compared to Mandriva. There's no reason for MDV to merge with Fedora as Mandriva has always been a lot more stable and conservative as compared to Fedora.

That is because Fedora is to RHEL as other distributions "testing" is to "stable". On Red Hat style distributions, if you want stability (without the support costs), you use CentOS or Scientific Linux. If you want to be bleeding edge (like I do on my personal system), you use the latest version of Fedora (I am not so "bleeding edge" as to use the beta - Fedora 13 with custom kernels works just fine :-]).

Fedora and stable?, use Fedora 12 or one of the LTS versions of any of the distributions. I started my distribution experience with Red Hat and will stay with it.

more than 4 years ago
top

Developers Fork Mandriva Linux, Creating Mageia

azrider Re:Name (206 comments)

"Why not just grab a copy of The GNU Image Processor from the web to get the intern working on some of these images you want?"

Better yet, why not refer to it's correct name: The GNU Image Manipulation Program.

About GIMP Introduction to GIMP
GIMP is an acronym for GNU Image Manipulation Program. It is a freely distributed program for such tasks as photo retouching, image composition and image authoring.
It has many capabilities. It can be used as a simple paint program, an expert quality photo retouching program, an online batch processing system, a mass production image renderer, an image format converter, etc.
GIMP is expandable and extensible. It is designed to be augmented with plug-ins and extensions to do just about anything. The advanced scripting interface allows everything from the simplest task to the most complex image manipulation procedures to be easily scripted.
GIMP is written and developed under X11 on UNIX platforms. But basically the same code also runs on MS Windows and Mac OS X.

From the GIMP website: http://www.gimp.org/about/introduction.html

more than 4 years ago
top

In Canada, Criminal Libel Charges Laid For Criticizing Police

azrider Re:Less protection for free speech? (383 comments)

Very few. The Supreme Court of the US has even ruled that death threats are protected speech, unless the issuer of the threat is carrying a gun or knife. But simply walking up to someone (say a KKK guy) and saying, "I hate racist mother fuckers and I'm going to kill you" is protected speech if said person is unarmed.

As the first reply said, is there a citation for that supposed ruling?

The definition of assault is the threat coupled with the present ability to do bodily harm. That is in no way protected speech in any state in the USA.

more than 4 years ago
top

Microsoft Patents OS Shutdown

azrider Re:unsaved documents (404 comments)

This is one of the most annoying things about computers. If I want to shut it down, shut it down!

When the IBM 303X/308X/309X processors were the state of the art, the power switch was labeled Power Off Request . This initiated a microcode and control processor sequence to start saving critical system information to disk (unfortunately not the OS information itself).

The only way to really shut the system down right now (with no guarantees that it would come back up in anything approaching a reasonable time frame) was the Emergency Power Off switches on each cabinet.

Unfortunately for the customer, this method required a visit from the CE in order to recover (you can't use this method and then say "I don't know what happened" - it's obvious and billable).

more than 4 years ago
top

Microsoft's Security Development Process Under CC License

azrider Why not say what you mean? (164 comments)

Other then implementation bugs, it's a secure virtual machine that can run applications in sandboxes, just like Java applets.

Other than that, Mrs. Lincoln, how did you like the play???

more than 4 years ago
top

.Net On Android Is Safe, Says Microsoft

azrider History Revised (377 comments)

OS/2: Originally Microsoft developed Windows NT as OS/2 - a microkernel which was OS/2 on the front backward compatible with DOS and Windows, and switched to Windows, only after IBM started to show less and less interest in coding, and more interest in their process.
(http://en.wikipedia.org/wiki/Windows_NT)

Perhaps you should rely less on Wikipedia and more on actual history. IBM did not believe that the desktop would take off, and so partnered with a company that wound up (deliberately) stabbing them in the back.

OS/2 was a superior product, but did not have the marketing strength (within IBM) to push it. Microsoft is a marketing giant, not a coding giant. How else can you explain a bug that showed up in IE4 (fixed within 24 hours), again in IE5 (same bug, same fix - after IE4 fix was released - same timeframe also), again in IE6 (you get the point).

Think someone did not say hey, I've seen this one before?

more than 4 years ago
top

The Case For Oracle

azrider Re:If they can do it to Google, they can do it to (341 comments)

Maybe Google never formally said that, but here is how Wikipedia describes Android:

The Android operating system software stack consists of Java applications running on a Java based object oriented application framework on top of Java core libraries running on a Dalvik virtual machine featuring JIT compilation.

Even clearer, Google says

The Android SDK provides the tools and APIs necessary to begin developing applications on the Android platform using the Java programming language.

in developer.android.com.

Talking points:

  • "here is how Wikipedia describes Android": Now there's a cogent, accurate description... I don't think so.
  • "using the Java programming language (not copyrightable, not patentable), not "using a Java Virtual Machine" (patent - maybe, copyright - yes).

See any difference?

more than 4 years ago
top

Denials Aside, Feds Storing Body Scan Images

azrider Re:Of course they can (560 comments)

I am neither defending the existence of Gitmo, or the shutting down of Gitmo. Only that the President said he would shut it down and did not do it.
It is only an example, one of many, of the promises that were broken.

And just how, exactly, will he shut it down safely when Congress will not appropriate the funds? Remember, even though the Democratic party has a numerical majority, they do not have the votes to override the obstructive Republican party. The Republican party will vote against their own interests rather than give the President a "win".

more than 4 years ago
top

Microsoft's Ad Team Trumps IE Developers' Privacy Aims

azrider Re:Business as usual (149 comments)

You ask:

Microsoft built its browser so that users must deliberately turn on privacy settings every time they start up the software.

And how exactly is this different than what Chrome or Firefox does? Last time I checked, you had to actively enable the privacy feature for each session in all browsers..

First:

Many also have big stakes in online advertising. Microsoft bought aQuantive, a Web-ad firm, in 2007 for more than $6 billion, to build a business selling ads online.

Second:

When Microsoft released the browser in its final form in March 2009, the privacy features were a lot different from what its planners had envisioned. Internet Explorer required the consumer to turn on the feature that blocks tracking by websites, called InPrivate Filtering. It wasn't activated automatically.

What's more, even if consumers turn the feature on, Microsoft designed the browser so InPrivate Filtering doesn't stay on permanently. Users must activate the privacy setting every time they start up the browser

Firefox (and possibly Safari and Chrome do not reset to allow tracking once it is set.

Since Microsoft (like Google) owns a web advertising firm, they have a strong vested interest in being able to track "consumers" usage (note I did not say "customers").

more than 4 years ago
top

Justice Department Joins Fraud Lawsuit Against Oracle

azrider The nature of GSA Contracts (100 comments)

I think that government entities should be working hard to do that but what I don't believe is that corporations are required to make their bidding lower to the government because they aren't as capable as private entities to ensure their contracts are reasonable.

You obviously don't understand the reason for GSA contracts. It is not only to save money (though that is good for the government), it is also to streamline the purchasing process.

Once a company agrees to be bound by the terms of the GSA contract, it is no longer necessary to go through the bidding process for each unit purchase (which would require separate contracts for each purchase). It also gives that company a competitive advantage over any company that does not enter such an agreement.

If the Department of State needs additional licenses, they simply submit a purchase order. Same with the Department of Justice. It is not necessary to complete a request for quotation, submit it for review, get a sales manager out to negotiate etc.

Result: quick turnaround on orders at best possible price.

more than 4 years ago
top

Wi-Fi WPA2 Vulnerability Found

azrider Re:Doubtful... (213 comments)

The point of mad wifi is he can use that to exploit the WPA2, it seems that you think it's an exploit within the drivers.

No, the article (as I quoted) states that it is the driver. Pay attention to what you are responding to.

Also, this exploit is useful if you have access to the network, since you have physical access to some machine near the AP

Not on MY NETWORK, since with Radius or TACACS+ there is more to the authentication than you think.

Besides, this is broadcast traffic (which should not have critical information) as opposed to point-to-point authenticated traffic.

If you are sending sensitive traffic over broadcast protocols, you deserve what you get.

If your network security administrator (who might be your system administrator too) allows it, FIRE THEM NOW.

more than 4 years ago

Submissions

Journals

azrider has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?