Comments

Social Media Is a New Vector For Mass Psychogenic Illness

endus Re:In other news (373 comments)

My shrink told me she doesn't do social media because all her patients tell her how horrible it is. .......I had just finished telling her how horrible social media was.

about 10 months ago

Survey: Most IT Staff Don't Communicate Security Risks

endus Re:Security = Liability (227 comments)

"if we don't do X, we're going to get pwned" into "if we don't spend X$ and Y man-hours, we are exposing our business to $Z,000,000 -sized liability".

Um.

This sounds a lot like risk management.

Risk management is for COMMUNISTS.

Never do a risk assessment when you start a new project, it will just bring up uncomfortable information and make everyone feel sad. :(

about a year ago

Survey: Most IT Staff Don't Communicate Security Risks

endus Re:Of course not. (227 comments)

In the case of security, it falls into this classification of 'technical things nobody even wants to understand' and also into the classification of 'preventative measures that people will not recognize the importance of, until after it bites them in the ass.' You tell people that it's a bad idea to use "password" as your password, and they'll blow you off. The more you stress the point, the more annoyed they'll become-- all the way up until someone malicious gains access to their accounts. Once they've been hacked, they'll come back angry, demanding, "Why didn't anyone tell me it was a bad idea."

Until there's an actual security breach, people think you're chicken little. They'll tell you, "I've been using 'password' for my password for 10 years and I've never had a problem."

Face that kind of attitude for several years, and you get awfully tired of warning people.

Exactly right.

Security professionals have had to be budget-minded for a while now. We're not telling you this because we want to bankrupt the business, we're telling you this because it is a reasonable precaution to take, in line with standards and industry norms, and will save your ass and pay for itself 100x over if there is a breach. People view their own internal security department as the enemy, rather than someone who is on the same side trying to get people to do things properly. We get that there's a margin and a budget, but if you always decide in favor of, "get it done now, as cheaply as possible, we don't have time to do it right" eventually it will catch up with you.

about a year ago

Survey: Most IT Staff Don't Communicate Security Risks

endus Adversarial (227 comments)

Adversarial is the key word here. Business doesn't view security as an entity trying to protect them from liability, get them on par with industry norms, and maybe even create some efficiency and ease support burdens, they view security as an impediment to signing the contract. Your own security team is just trying to save you from yourself...arguing with them as a proxy for the customer doesn't get you anywhere but into even more trouble.

about a year ago

Using Laptop To Take Notes Lowers Grades

endus Handwriting Notes (313 comments)

I was in college just at the cusp of people starting to take notes on laptops. It never appealed to me. Even today in meetings, the information just doesn't sink in like it does with hand writing notes. I take notes in meetings that I know I will never read, just because it helps pound it into my memory.

I can never keep notes on the computer organized either. Not that my paper notes are super organized, but at least there is an indestructible (unless I rip pages out) linear timeline to everything. You know everything is there somewhere and if you can't remember where the other things you were taking notes on at the time can help you zero in.

about a year ago

Obama's Privacy Reform Panel Will Report To ... the NSA

endus Re:Happy President (569 comments)

Only in theory, not in practice. Without ranked voting, a vote for a 3rd party candidate is effectively a vote against whoever your second choice is, so voters are often faced with voting for the lesser of 2 evils. In the past 4 presidential elections, the only time a 3rd party candidate managed to get more than 1% of the popular vote (yet still 0% of the electoral votes) was in 2000 when Nader had 2.78% of the popular vote and if a fraction of his votes had gone to Gore, George W Bush wouldn't have made it to the White House.

I agree that ranked voting would be a much better option and would make third parties more viable.

However, this transfers the responsibility for the sad state of affairs in which we find ourselves to the government. There is nothing stopping people from voting third party. If people are serious about their dissatisfaction with the government, they need to vote third party and not for the, "lesser of two evils". We bear the responsibility for the situation we're in.

To further complicate things, when we transfer that responsibility to the government, i.e. electoral process reform, we are transferring the responsibility to the one entity with a vested interest in maintaining the status quo. Washington has no interest in enabling third parties or democracy, and they have attacked them at every possible opportunity.

Bottom line, the responsibility lies with the citizens whether we like it or not and whether we choose to accept that responsibility or not.

about a year ago

HP Keeps Installing Secret Backdoors In Enterprise Storage

endus Typical (193 comments)

No one listens to the security group no matter how badly they get hammered. This is just dumb shit. If I ran the world everyone who was involved with implementing this would be fired immediately.

Remote access for customer support is a great thing...just build it right. It's really not that hard at all to build it right...probably even easier than building it this stupid ass way.

1 year,13 days

HP Keeps Installing Secret Backdoors In Enterprise Storage

endus Re:Eh? (193 comments)

Right, so when someone writes a worm that exploits this, NBD!

1 year,13 days

PC Sales See 'Longest Decline' In History

endus Re:This is the slope before the cliff (385 comments)

The PC is here to stay. What we are seeing is a longer life cycle. There is no need to update the hardware these days, there's plenty of power and storage for people writing the odd letter/email, social media and most games. Unless you're a developer or working with huge amounts of media data, PC users aren't going to notice a shit load of RAM, loads of cores CPU and a GPU capable of real-time Avatar level of rendering.

This is exactly what I was going to reply. There haven't been significant advancements in processing power, or in applications which require that increased power. Everyone has what they need. They'll replace them when they break or maybe upgrade them once in a while, but there's no need for the turnover we used to see...we've reached a point of diminishing returns where upgrading every 2 years or less just isn't worth it.

1 year,14 days

Calif. Attorney General: We Need To Crack Down On Companies That Don't Encrypt

endus Re:Encryption (127 comments)

The big problem is that the database uses a shared hosting plan and a shared database server run by my ISP. I have no control over whether the database is encrypted on disk or in transit between the shared hosting server and the database server.

You're freaking out over nothing. Hosting providers are not going to leave people high and dry. Actually, it would be nice if they started encrypting their databases. Shared hosting will live on and solutions will be generated.

In order to add that protection, I would have to crank my hosting plan up to a dedicated server at a monthly cost that is equivalent to several years on my current hosting plan and buy a multi-subdomain SSL cert that also costs (annually) as much as several years worth of service.

You're being extremely, extremely silly. SSL certs can be had for next to nothing. Do they provide as much assurance as better certs? No, but they encrypt the traffic and the root cert is trusted by common platforms. Depending on the law you could use self signed certs as well.

Everything you're saying here is hyperbole.

And then, because I cannot possibly dedicate the time to manage my own server on an ongoing basis (hence the shared hosting plan as opposed to a VPS for the web server side), I would have to hire someone to manage that on an ongoing basis.

So if this law is not very narrowly tailored to sites that contain SSNs, financial information, and medical information, I'll have no choice but to shut my site down. I can't afford to personally spend potentially many thousands of dollars each year to run a website out of the goodness of my heart.

Even if everything you're saying here about the requirements of certs and VPSes is true (which it's not), you're still wildly inflating the costs. I run a site with a cert and a fully managed VPS that I can take as much interest in or leave up to support as I want. The cost is under $400/year for the hosting and like...I think like 6 bucks a year for the cert? That's super high, because I am a bit picky and because I run a site that needs a bit of performance overhead, but the service is actually amazing.

In my experience, any security practice that is not onerous also has little effect on security.

Then your experience is extremely limited.

Physical theft of spinning storage is an exceptionally rare cause of data breaches.

Which is why I didn't cite that among my reasons for supporting this.

However, data theft caused by attackers remotely cracking into servers overshadows both of those loss mechanisms by orders of magnitude.

Right, and to restate, depending on how the encryption is implemented (database/table/row level) this may help with that...especially with breaches resulting from the installation of malware.

Because remote data compromises are completely unaffected by encrypting the database on disk,

You're looking at one particular type of very common breach. There are others.

There are already laws that require encryption for anything that could be considered high-risk. HIPAA has strict requirements for how health-related data can be stored.

Actually, no it doesn't. There is no requirement to encrypt data at rest within HIPAA. Have you even read the reg, or are you just making assumptions based on what seems like it must be true? (Hint: you're making the assumptions)

PCI DSS compliance requires encryption of credit card data.

Sigh. I feel like I'm writing an email at my job.

PCI is an industry regulation, not a government one. Compliance with it can be very subjective, and auditing of compliance can also be very subjective. Actually, no external audit is even required if you're under a certain number of transactions per year, and auditors vary greatly in quality. There can be some overlap with local regs, which is absolutely a good thing...so let's have more local regs. The fear of legal consequences is usually more motivating than the fear of failing an audit conducted internally.

And so on. Any company that sanely should be required to use database encryption is already compelled by law to do these things.

You're just not correct at all, sorry.

1 year,16 days

Calif. Attorney General: We Need To Crack Down On Companies That Don't Encrypt

endus Re:Encryption (127 comments)

Yea, I work in the security industry and I don't really agree. I hear what you're saying about considering each application and you're not wrong, but I think the potential benefits of this easily outweigh the negatives. It will apply pressure to companies who really do need to encrypt their data and just cannot get the will from the business to do it.

It's not a magic bullet, but especially in the absence of any legitimate way to wipe data from databases in a secure manner it's a reasonable compensating control to put in place. It really depends on the actual implementation whether or not the encryption will help if the server is compromised while it's running. If companies encrypt at the database or table level and implement things decently then at least it's not just a matter of compromising the server and copying the entire database off to get the information. Web based attacks are probably going to compromise the database's security, but at least information secured in this way would be safe(er) from network based worms and other malware. That is not a trivial or uncommon attack vector, and I think it's worth serious consideration.

The other aspect of this is that it would force a lot of companies to implement real key management procedures in order to not lose access to their data. Once they need to do that to maintain the business, they'll be much more receptive to rotating and expiring keys, etc. because it's a low hanging fruit. Right now key management is kind of a nightmare and not something I see a lot of companies handling effectively. If you have to deal with key management in order not to take down your entire business being more selective about who has access to those keys, split knowledge, etc. become a much more realistic proposition. That will demonstrably increase security as well as compliance with other regs/standards.

I'm both a Libertarian and a security professional...I am suspicious of government regs but I think they are needed in this case. The industry is not keeping up with the security landscape well enough, and this stuff is far enough out of the public's line of view that it has the potential to negatively impact their lives out of nowhere, and there is no ability for them to audit or verify a company's security measures before engaging with them. I think that is a threat to the public welfare, and something that does fall within the role of government. Implementing encryption in this way is not going to be that onerous, and it will have a tremendous impact on people who really REALLY do need to encrypt their data at the price of a bit of a hassle for those who don't. As this becomes more widespread key management and implementation of encryption will also become easier, making it less onerous for people who don't necessarily need extremely tight security.

1 year,22 days
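The two "Re:Encryption" comments above argue that database/table-level encryption at rest only helps against a copied-off database if the keys are managed separately, and that forcing companies to do that makes key rotation and split knowledge realistic. The following is an added worked example of that envelope-encryption pattern, written for this page; it is not code from the comments, from Slashdot, or from any product mentioned. It assumes a hypothetical patients.ssn column, uses AES-256-GCM (my choice, not something the comment specifies), a constructed sample SSN, and a simple 2-of-2 XOR split of the key-encryption key as the split-knowledge mechanism.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewKey returns 32 random bytes for use as an AES-256 key (DEK or KEK).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh nonce (prepended), binding aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or tampered data fails outright.
func open(key, data, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// WrapDEK stores the data-encryption key under the KEK; UnwrapDEK recovers it.
func WrapDEK(kek, dek []byte) ([]byte, error)       { return seal(kek, dek, []byte("patients.dek")) }
func UnwrapDEK(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped, []byte("patients.dek")) }
func rowAAD(id int) []byte                          { return []byte(fmt.Sprintf("patients.ssn:%d", id)) } // binds a value to its row

// EncryptField encrypts one row's SSN (hypothetical column) for storage.
func EncryptField(kek, wrappedDEK []byte, id int, value string) ([]byte, error) {
	dek, err := UnwrapDEK(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(dek, []byte(value), rowAAD(id))
}

// DecryptField reads it back; without the right KEK, or moved to another row, it fails.
func DecryptField(kek, wrappedDEK []byte, id int, ct []byte) (string, error) {
	dek, err := UnwrapDEK(kek, wrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ct, rowAAD(id))
	return string(pt), err
}

// RotateKEK re-wraps the DEK under a new KEK; no row ciphertext changes, so rotation is cheap.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := UnwrapDEK(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return WrapDEK(newKEK, dek)
}

func CombineKEK(shareA, shareB []byte) []byte {
	kek := make([]byte, len(shareA))
	for i := range shareA {
		kek[i] = shareA[i] ^ shareB[i]
	}
	return kek
}

// SplitKEK gives 2-of-2 split knowledge: two custodians each hold one share,
// and a single share is indistinguishable from random. CombineKEK reverses it.
func SplitKEK(kek []byte) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(kek))
	if _, err = rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	return shareA, CombineKEK(kek, shareA), nil // XOR is its own inverse
}
```

The point the comments make falls out of the structure: whoever copies the database files gets the per-row ciphertexts and the wrapped DEK, but decrypting anything still requires the KEK, which lives with the key custodians rather than on the database server. Rotating the KEK only re-wraps the DEK, so it can be done on a schedule without touching rows, and the per-row associated data stops an attacker with write access from moving one patient's ciphertext onto another row. None of this helps if the application tier is compromised while it holds the unwrapped DEK, which is exactly the caveat the comment raises about web-based attacks.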

China Criticizes US For Making Weapon Plans Steal-able, Alleges Attacks From US

endus US Infosec Incompetence summed up in one sentence! (209 comments)

'Even following the general principle of secret-keeping, it should not have been linked to the Internet.'

You think so??? Really? This is a novel concept to our American Information Security Industry, please, tell us more! Surely you don't mean that power plants and water treatment facilities and power grids and other sensitive facilities should not be linked to the internet...HOW THE FUCK ARE THE OPERATORS GOING TO GET TO FACEBOOK IF WE DISCONNECT THEM!?!?!?!?

about a year ago

GMO Wheat Found Growing Wild In Oregon, Japan Suspends Import From U.S.

endus Monsanto's master plan (679 comments)

...and so it begins.

about a year ago

US DOJ Say They Don't Need Warrants For E-Mail, Chats

endus Re: Obama lied, Chris Stevens Died (457 comments)

These are essentially the same people who had solid intel that could have prevented the 9/11/2001 attacks, but did nothing with it.

At best, their excuse for this is that they just had too much information to process and could not sift out the relevant information.

And yet they continue to delve further and further into sources of information which wouldn't have identified any attack on us that's ever taken place. They just keep increasing their surveillance powers with no concrete justification and, in fact, most likely to the detriment of their ability to predict attacks.

At first, this was due to the culture of "doing something about something" which pervades politics now. An invisible solution that solves the problem doesn't get politicians reelected. A solution which is visible, controversial, and inconvenient allows pols to send the message that they're, "getting tough on _______". Most people in America are pretty stupid, shortsighted, and fearful so they go right along with this.

Now surveillance has become an end in and of itself. The legal framework for collecting basically any communications at all times has been laid and there's no more political capital to be gained from it. Now the paranoid, the statists, the contractors who need contracts have taken over the fight. They have the legislative framework already, so it's best to keep their operations as quiet as possible to avoid scrutiny of both the obvious unconstitutionality of their actions, and the immense budgets they are getting with no real justification or goals at all. The politicians benefit from the campaign contributions paid for by the tax dollars they funnel in to these companies, and so they keep toeing the line.

I work in infosec, and you can even see this mentality at a corporate level when you have poor security management. More tools! More information! More money! Never mind that the quality of information keeps declining, the need for additional analysts to handle that information keeps increasing and that the incidents these systems are identifying are almost entirely the most trivial and inconsequential events which the organization experiences. Meanwhile, the tools fail to identify really serious issues because they're too immature to do so, and all the analysts are too busy chasing nonsense to have the time to look at the big picture. Policy and product-impacting security measures which would make a real difference are never implemented, because they're too much of a pain in the ass for the people holding the purse strings who, by the way, know absolutely nothing about security and even the regulatory framework in which they operate.

It's a failing of humans in general. You can see it pretty clearly in US foreign policy since WWII. We escalate conflicts we're ostensibly trying to avoid. We arm and fund people who will eventually become our enemies and cost us even more lives and money to eradicate.

about a year ago

US DOJ Say They Don't Need Warrants For E-Mail, Chats

endus Why does this surprise anyone? (457 comments)

The government has been wrangling this legislation since (at least) the first iteration of the Patriot Act. There are no 4th amendment protections on electronic communications. None. People need to realize that. Since phone calls all traverse digital networks now, even those are subject to eavesdropping without a warrant.

The 4th amendment doesn't apply to communications, and barely applies to your personal spaces. This is the world we live in, the world which we have allowed to come about through our own laziness, ignorance, and fear. This should surprise no one.

about a year ago

ZDNet Proclaims "Windows: It's Over"

endus Re:Whats the alternative? (none for business) (863 comments)

Absolutely right.

Windows also incorporates centralized management features that either don't exist or are not as easy to use in other operating systems. It's all standardized, easy to implement, and relatively seamless. These traits allow relatively low-skilled people to support Windows.

I was having some authentication issues and didn't have the permissions to remove and re-add my computer to the domain (pretty sure the machine password was out of sync). The tech that came to my computer didn't know how to run a command in DOS, but she did know how to remove my computer from the domain, rename it, and re-add it. Is this a good thing for the computing environment? Definitely not. But it's definitely good for companies' bottom line because they don't have to pay people who really know what they're doing and are highly educated.

Unfortunately the ability for low-skilled people to keep the lights on extends to servers too. No doubt Windows can develop some REALLY complex problems, but by and large getting services up and running isn't that big of a deal.

Software support is definitely critical too. Legacy applications are the bane of my security-focused existence. They cause all sorts of problems, but they keep the work going.

There are just no realistic alternatives at this point. You can point to one OS or another as having some of the desirable traits needed in an enterprise OS, but the point is that none of them have ALL of those desirable traits. Application support goes way way beyond a word processor, spreadsheet, and PowerPoint...there are thousands of specialized applications that are critical for businesses to run. Companies like hospitals have made HUGE investments in software to manage EMRs and issues with the user interface of one version of Windows are not going to cause them to abandon that investment overnight.

about a year ago

Google Glass and Surveillance Culture

endus Re:minority report (318 comments)

So don't use the product.

I am very big on privacy, but we're developing this culture of "inevitable consumerism" where we view these devices as something we MUST have, MUST use, and MUST take advantage of all the features of, rather than something we can choose to use.

It's true that for many professions having a smartphone or other similar technology is more or less mandatory, but there are other ways to earn a living and you can always "vote" by choosing employers which are not so stringent about connectedness. I just don't like this paradigm we're developing where all technological advancement is mandatory to continue to exist. We have the power to resist these devices, but we choose not to. Sacrificing privacy for convenience/features is a trade off that most people are obviously willing to make, so they are getting the technology they deserve.

There's nothing stopping anyone from going out and making devices which do support real privacy. I'm sure it would be well received by the market. The only problem is that it has to be a product which recognizes the market's desire for ease of use, simplicity and features. These are not typically goals which privacy advocates are willing to submit to, but these goals and privacy are hardly mutually exclusive. The trick is finding a simple way to give people choices about how their information is used.

Either way, we should focus our efforts on preventing the *government* from gaining access to and misusing our personal information.

about a year ago

Can You Really Hear the Difference Between Lossless, Lossy Audio?

endus Are we still talking about this? (749 comments)

How many articles have I seen on this on Slashdot?

The answer is that, yes, you can tell the difference and your ability to tell the difference increases with how discerning a listener you are and how good your audio equipment is. We don't need to debate this any more.

about a year ago

Decade-Old Espionage Malware Found Targeting Government Computers

endus Re:decade long op!? (69 comments)

And you don't understand the concept of monopoly abuse. There were few "better products" because Microsoft used its monopoly power to suppress them. Microsoft did not make products that were better than the competition, instead, they used illegal means to prevent the competition from developing and releasing competing products.

So, go make a better product then.

I saw a fair number of products in process that may have provided a better experience in particular areas, but none that seemed to have the same goals as Windows had in mind. OS X is a pretty good example on the desktop. In some contexts it is a better product, but it's not enterprise focused.

We can cry foul all day, but that's the way life goes. Move forward.

about a year ago

Decade-Old Espionage Malware Found Targeting Government Computers

endus Re:decade long op!? (69 comments)

You're obviously very young or have worked for smaller companies, which is why you think that their status as "convicted monopolist" makes any difference to anyone. If their products didn't fill a need which there was not a better product available to fill, trust me, they wouldn't retain the business they do.

No one cares about ideology or even ethics. What they care about is making money. Windows fits into some big but very specific niches, and it performs that role extremely well. That's why it's still around.

That's also why it's been pushed out of certain segments of the market: because it *doesn't* do certain things very well. The key is the evaluation of the requirements of the project to determine what is the best fit.

Working in security, I deal with it all, all the time. I would say that operating system is probably the least important factor in judging the success of an implementation. One company I worked for had a network that was divided in half. Half the network was the officially supported infrastructure and included both windows and linux. Windows was 100% of the desktop infrastructure, and a mixture of OSes powered the server infrastructure. It worked amazingly. It accommodated extreme-novice users, who had way more important things to worry about than what OS was on their desktop, extremely well. Once they got their patching routine down, it was surprisingly resistant to worms and viruses. It was actually extremely impressive.

Then there was the other side of the network which ran from datacenters in closets and servers under peoples desks. It was a mixture of windows and linux and I would say a solid 60% of it was dismally run. Constant compromises and virus infections. Extreme resistance to common sense security precautions. Blatant outrage when servers were taken offline because they were affecting other life-and-death critical machines, etc. No patching at all. A complete lack of understanding of what they were even running, much less what version. I could go on and on.

The point is, shitty administrators make for shitty implementations regardless of OS. Good administrators make for good implementations, regardless of OS. Good administrators choose the best tool for the job and use it. Shitty administrators are ideologues who will force a tool to do a job that it's not that good at.

about a year ago

Submissions

endus hasn't submitted any stories.

Journals

endus has no journal entries.
