Comments


Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

jeffmeden Re:Sure... (328 comments)

From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far-fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some very sophisticated malware that, oh gee look, matches the Target POS systems exactly down to the firmware rev number.

2 days ago

Schneier Explains How To Protect Yourself From Sony-Style Attacks (You Can't)

jeffmeden Re:Sure... (328 comments)

He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc. had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.

2 days ago

Grinch Vulnerability Could Put a Hole In Your Linux Stocking

jeffmeden Uh Oh (116 comments)

"Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September"

While a big deal, Shellshock was very limited in scope and the large scale exploit implications were stamped out very quickly through updates to vulnerable web front-ends (which was just about the only exploitable path, despite so many proclamations that the sky was falling and every internet-connected Linux device would get rooted in a matter of days). If this is as severe as Shellshock, I will take notice but at the same time sigh that it's not going to be very bad at all.

3 days ago

Ask Slashdot: What Can I Really Do With a Smart Watch?

jeffmeden Re:Solar and sidereal time. (228 comments)

A true smartwatch would provide both in addition to time based on UTC. I find it amazing that a purely mechanical watch, albeit those that cost upwards of a quarter of a million dollars can do both (provided you set the cams inside for proper longitude and latitude) but a watch with a computer inside that can do these calculations is unavailable.

Or just buy three $10 watches, and save almost 99.99% of your money.

Sidereal timekeeping is done to the absolute rotation of Earth as opposed to the rotation relative to the sun (which changes as we orbit), so a sidereal hour is shorter than a solar hour. You would need to find a $10 watch that drifts at exactly +0.275%, which is not impossible but rather hard to do on the first try.

3 days ago

Ask Slashdot: What Can I Really Do With a Smart Watch?

jeffmeden Re:How to write a good ticket (228 comments)

need access to my smart-phone for various reasons

[...]

various sorts of data access

Part of writing a good ticket is being specific about your use case and not presupposing the solution. From what you've written, the problem is not technical and has nothing to do with a smart watch. The problem is you are forgetful.

If you can be specific about what you are actually doing with your phone, we can give you solutions that may or may not involve a smart watch.

This is it exactly. The solutions to the problem of not having phone-like features attached to your wrist (where you can't forget them) are either a: purchase a several hundred dollar bit of tech that you clearly don't know suits your needs, or b: tie your phone to your fucking wrist.

3 days ago

Startup Magic Leap Hires Sci-Fi Writer Neal Stephenson As Chief Futurist

jeffmeden Re:I believe it! (48 comments)

According to the Magic Leap website, their Dynamic Digitized Lightfield Signal technology permits generating images indistinguishable from real objects.

...provided the real objects are themselves images. Look! That simulated JPEG looks exactly like a real JPEG!

I read it more like "this new gizmo permits generating anything! As long as you have some other way of generating it, then this thing won't get in the way at all!"

The word "enables" sounds more like technology that actually does something, and even that's a stretch. The word "permits" sounds like it's just a link in an otherwise useless chain.

3 days ago

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

jeffmeden Re:Depends... (166 comments)

I would say that advertising the 'service' as end to end when it isn't even legal for it to actually be end to end is a legitimate moral shortcoming.

The term "end-to-end crypto" says nothing about who else might have the crypto key. Just blindly assuming that no one in the middle has it is a real shortcoming. The only way for a system like you are imagining (where only the caller and receiver have the key) to even work is for you to somehow establish a trusted key with every person you call, on the fly. How do you know no one is in the middle, ready to intercept the key before the first call? The only reason SSL/TLS is reliable is that there is a huge infrastructure of trusted root certificates to validate against (and you have to trust that third party who holds those certs). Guess what they are going to do for encrypted phone calls? The exact same thing.

Knowing that you are talking to who you say you are, and that no one outside of the org you *already* trusted to generate the software and the keys, is the only real assurance. Choosing the right provider of that infrastructure is obviously important. Given that Verizon is a huge, federally regulated company, do you really think anything passing through their hands is going to be immune from law enforcement attempts at seizure? No company at that level, moral or immoral, is going to be immune to state pressure. You should know that by now.

4 days ago

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

jeffmeden Re:This should be free (166 comments)

if the keys aren't private then it is hard to claim the encryption is worth anything..

So all the SSL keys that have been generated by the root CAs aren't "worth anything", because the issuer has a copy of the private key? Seems like a funny system we spend billions of dollars on every year...

5 days ago

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

jeffmeden Re:Depends... (166 comments)

From TFA:

"...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."

TFA is a plain ol' troll. CALEA indeed requires any switching systems used for voice traffic (land lines and cell phones) to allow for electronic eavesdropping of all calls going through them. The only caveat is that replacing/upgrading every switching system is completely impractical, even in decades-long time frames, so the FCC has been granting extensions for non-compliance. If Verizon went to the FCC saying that they were going to put software in that started to roll back CALEA compliance from any call that happened to be made using a pair of their cellphones running their provided encryption software, they would have thrown the book at them. New systems *do* have to be CALEA compliant.

5 days ago

Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

jeffmeden Re:Depends... (166 comments)

My kingdom for a modpoint! This whole submission is a troll right down to the last line, "Apparently, in Verizon-land, 'end-to-end encryption' means something entirely different than it does in the real world." Thinking that a large, federally regulated business is going to push a system without a central keystore (what they meant to jab at instead of the "end-to-end" nature) is laughable. Trying to make Verizon out as the bad guy over this is just taking away time that could be spent making them out as the bad guy over legitimate moral shortcomings. But, trolls will be trolls.

5 days ago

Tracking the Mole Inside Silk Road 2.0

jeffmeden Re:Protective custody (81 comments)

For all we know, "Cirrus" was a committee.

What this shows me is that there's just no way to keep a secret if other people are involved.

It's best to simply define secret as "that which you and you alone know".

about two weeks ago

Army Building an Airport Just For Drones

jeffmeden Re:And knowing is half the battle (48 comments)

plus FAA typically only cares when it's a powered craft being used for commercial purposes.

I agree with the rest of your comment, but this part isn't accurate, otherwise GA wouldn't even need a license.

The FAA has only pursued "drone" (R/C) pilots who stay below 700' AGL when they fly for commercial purposes (aka as a business). Plus, you can fly manned ultralights without a license; the FAA steps in with licensing when the craft is above a certain size or carries more than 1 passenger. So, yes and no. I should have said "The FAA typically only cares about unmanned flight when..."

about two weeks ago

Army Building an Airport Just For Drones

jeffmeden Re:And knowing is half the battle (48 comments)

I guess now we know who pushes those "news stories" about all the near-catastrophic near-misses

The FAA is an example of regulatory capture. It is run by aviators for the interest of pilots and aviation companies, who see drones as a threat to their businesses and jobs. So they push the stories that fit the narrative that drones are an evil threat. The FAA's regulations have become so draconian that it is technically illegal to toss a frisbee.

You must have a hell of an arm, because the FAA is only responsible for airspace above 700 feet AGL unless you happen to be on or very close to an airport, plus FAA typically only cares when it's a powered craft being used for commercial purposes. And, until there is a standard frozen-drone-through-the-inlet test on jet engines to prove that a strike would be survivable for the aircraft, they do have a duty to take action to prevent a mid-air collision that could kill many tens or hundreds of people.

about two weeks ago

Royal Mail Pilots 3D Printing Service

jeffmeden Re:Unsustainable business model (59 comments)

The makers won't use this service. 3 years ago every hackerspace had a 3D printer, and it was a cool reason to join up. Now, the makers just buy their own printer. The cost has gone down, and designing a 3D object is an iterative interactive process.

There was, and is, and will continue to be, a huge difference in what you can do with a 3D printer that costs a few hundred (currency units) and one that costs a few thousand or tens of thousands of (currency units). A Maker who is not interested in mass producing things but instead wants to create a few interesting objects at a time will probably see a huge benefit to being able to just order up the object (instead of outlaying a huge amount for a printer) from a service that has both a very high quality printer, and a delivery chain to get it to them very fast. How many Makers like that are there? Who knows.

about two weeks ago

Ask Slashdot: Are Any Certifications Worth Going For?

jeffmeden Re:practical-based certs hold their value (317 comments)

I would argue that certs with practicals (CCIE, JNCIE, RHCE, etc) tend to hold their value much better than those that can simply be gotten by taking tests.

Since he mentioned that he is more into management than programming/engineering, the other very relevant "cert" is the PMI Project Management Professional endorsement. This would be the direction to go if he doesn't want to get deeper into the technical soup of vendor-specific credentials.

about two weeks ago

Book Review: Spam Nation

jeffmeden Re:bogus pharmaceuticals/unauthorized pharmaceutic (82 comments)

The FDA has rather strict quality control standards so my guess is these pharmacies have not gone through the process to be fully licensed. And another thing:

But worse than that, he believes that the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing, is that they are worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.

Yes...after the quality control of toys, toothpaste, dog food, and drywall from China, we're sure we can trust their quality with our pharmaceuticals.

Yeah, you know, they are "by and large" indistinguishable from the real ones. I mean, what's a few PPM of arsenic, or cyanide, or lead? The rest of the drug is still there, and that's what you ordered. You wouldn't send a gourmet steak back just because the cook brushed a little olive oil and salt on it, when it was listed on the menu as just a steak? So why are we rejecting these drugs?

/sarcasm

about two weeks ago

The Sony Pictures Hack Was Even Worse Than Everyone Thought

jeffmeden Re:Over what time interval? (528 comments)

Obviously a while, but it's not out of the question. Sony pissed off North Korea several months ago when they announced The Interview. If it takes a week to download ~100TB at ~1Gbps then a couple weeks/months is all they need for all that data.

Agreed, but, isn't someone monitoring internet usage? 100 TB being downloaded even in a week to 10 days is an increase of multiple terabytes a day over whatever they normally use. One would think that would cause a spike on a graph somewhere, that someone ought to have investigated.

I've been hosting websites for years, and the only time I was ever compromised (one server turned into a spam mail server -- how embarrassing) I caught it almost immediately by a sudden spike in the network traffic.

As someone else said, since Sony has been compromised before, it just seems amazing that there wasn't some higher level of scrutiny.

North Korea would no doubt draw suspicion by having that much data going toward their country anyway, given that they don't have an open internet. No, if this was in any way related to NK it was by money trail only. They perhaps incentivized a hacking group or an insider with a few hundred thousand USD (maybe a few million if it's delivered as counterfeit 20's and 50's) and the rest was done on the ground in the US, from one or many different routes over long periods.

about two weeks ago

The Sony Pictures Hack Was Even Worse Than Everyone Thought

jeffmeden Re:Over what time interval? (528 comments)

"Plug in a device, let it download, then come get it the next night."

100 TB / 24 hrs... = 9259259259 bps. So, plug in a device which can store 100 TB into a 10 Gb network port which connects to every data source at full speed, and that's it? A device which can hold 25x 4 TB drives would be pretty big, and it's unlikely all their systems and interconnects are 10G.

By "next night" it was impossible for you to roll that into "in a week" or even "in a month"? Lights out facilities leave things untouched and even un-looked-at for months on end. And who says the 100TB is the compressed size? No doubt whoever did this was very skilled, packing things in compressed, encrypted chunks for easy exfiltration and minimal chance of detection. If it took them 1 night or 10 nights or 100 nights the plan would have worked the same way.

about two weeks ago

Programmer Father Asks: What Gets Little Girls Interested In Science?

jeffmeden Re:Yeesh (584 comments)

Claiming that biology cannot influence differences in the way boys/men and girls/women act is not just ignorant. It's flat out absurd.

Except no one claimed that it cannot, only that it is not likely in this circumstance. The question on the table is to what extent dimorphism influences intellectual pursuits. Numerous studies have shown that boys/girls/men/women do not have any measurable difference in cognitive function across domains like math, science, etc. so the question remains, does the fact that dimorphism leaves cognitive capability (the ability to learn and practice a given domain) completely untouched mean that the gender biases toward certain career fields exist primarily outside of genetics?

about two weeks ago

Consumer-Grade SSDs Survive Two Petabytes of Writes

jeffmeden Re:Most people write far less. (125 comments)

However, my company found that in testing, the more writes to a flash device, the shorter the time before the data is leaked out. So after 10,000 writes to the same location, I can read the data a month later with no errors, but at 50,000 writes I start getting errors after about 2 hours. It seems like flash storage is like a bucket of water, each erase pokes a tiny hole in the bucket. After a while those tiny holes add up and the bucket leaks pretty fast. So long term storage is not as safe as a conventional hard drive.

Wear leveling will prevent any cell from getting even close to that. The article is in reference to the wonder of SSDs getting over 2,000,000GB of writes across 240GB of flash. That's 8,300 erase cycles in what is certainly considered an "Extreme" scenario. In consumer desktop usage almost no one will pass the 1,000 mark, and most will stay below the 500 mark before they scrap their PC for a new one.

about two weeks ago

Submissions


Motorola sticks to guns on locking down Android

jeffmeden writes | more than 3 years ago

jeffmeden (135043) writes ""These aren't the droids you're looking for" proclaims Motorola, maker of the popular Android smartphones such as the Droid 2 and Droid X. At least, not if you have any intention of loading a customized operating system, according to Motorola's own YouTube channel used to show off upcoming products. Motorola: "@tdcrooks if you want to do custom roms, then buy elsewhere, we'll continue with our strategy that is working thanks." The strategy they are referring to is a feature Motorola pioneered called "e-fuse", the ability for the phone's CPU to stop working if it detects unauthorized software running. More information available via a story at Android blog site AndroidCentral"

Hosting Provider The Planet offers 500 free hosts

jeffmeden writes | more than 4 years ago

jeffmeden (135043) writes "The folks over at The Planet are into recycling, but are giving it quite a twist by putting 500 retired servers back into use for the first 500 developers to come to them with a worthy idea. A nice server and 10 Mbit of bandwidth are up for grabs, apparently perpetually (or at least, we would hope, until the idea starts turning a profit). Data Center Knowledge describes it this way: "The program, known as Sand Castle, was conceived by Chairman and CEO Doug Erwin of The Planet. The company has a stockpile of recycled servers that are no longer being used by its dedicated and managed hosting customers, but still have useful life." Additional info available directly from The Planet."

Smartphones receive holy blessing

jeffmeden writes | more than 4 years ago

jeffmeden (135043) writes "Plow Monday is normally for blessing laborers and their tools; as the name suggests it is aimed at those that work the land. A church service in London, England Monday decided to go after a more modern audience: office workers and their modern communication gadgets. From the Times article: "The congregation at St Lawrence Jewry in the City of London raised their mobiles and iPods above their heads and Canon Parrott raised his voice to the heavens to address the Lord God of all Creation. 'May our tongues be gentle, our e-mails be simple and our websites be accessible,' he said.""

Microsoft ordered to pay $388 million in patent case

jeffmeden writes | more than 5 years ago

jeffmeden (135043) writes "BusinessWeek reports today that Microsoft suffered a loss in federal court Monday. The judge rendering the verdict ordered Microsoft to pay $388 Million in damages for violating a patent held by Uniloc, a California maker of software that prevents people from illegally installing software on multiple computers. Uniloc claims Microsoft's Windows XP and some Office programs infringe on a related patent they hold. It's hard to take sides on this one but one thing is certain, should the verdict hold up it will be heavily ironic if the extra copies of XP and Office sold due to crafty copy protection end up not being worth $388 million."

AMD semiconductor sales fell 22% for 2007

jeffmeden writes | about 7 years ago

jeffmeden (135043) writes "TGDaily is reporting that the new numbers from the semiconductor industry are in, and AMD has dropped 22% in sales for 2007, ranking them #11 worldwide. This is likely the result of a major push by competitor and #1 ranked semiconductor supplier Intel, which has been aggressively producing dual and quad core chips. This is a major turnaround for AMD, who up until now had been making steady progress in winning market share away from Intel."

Journals


-1 overrated

jeffmeden writes | more than 10 years ago

Last week a few of my extremely accurate and well on-topic posts relating to the Xbox got moderated, from the 1 which I post at, to 0, due to a -1 overrated. What tool motherfucker mods a comment at 1 'overrated'??? For extremely valid posts??? If you have something against me you better say it, hiding behind mod points will get you nowhere (I can post way more than you can mod, I guarantee). That's all.
