Comments

Ask Slashdot: Best Biometric Authentication System?

mlts Re:RFID/card scanner (121 comments)

If I were deploying an infrastructure, I'd go with a basic layered approach. The sensitive stuff either gets put behind RDP or Citrix (with 2FA to log onto those servers), the edge VPNs definitely get 2FA, and average machines get "plain old" AD logins with passwords changed on a normal schedule like every 30-60 days [1].

Of course, network topology and devices play a large part in this. This way, a guy in receiving who gets malware on his machine will not affect the computers in finance or development. Endpoint management also helps, but one doesn't know if an attack is going to go through a compromised Web browser, physical access, a disgruntled employee, or a backdoor in the main firewalling routers that allows an attacker full access from the Internet.

Wise use of 2FA does help, but as with all security products, it isn't a magic bullet.

[1]: The only real difference I'd have is that all user accounts would have expiration dates in AD going 6-12 months out, and that an audit every month or so would pop up the ones about to expire so the accounts can be either re-validated or left to expire until explicitly needed again. This way, an admin who left quietly and whom people forgot about won't always have access, as it will end up getting pulled automatically.

11 hours ago

Consortium Roadmap Shows 100TB Hard Drives Possible By 2025

mlts How about transfer rate and reliability? (147 comments)

MTBF and transfer rate numbers are boring... but those can be just as important, if not more, than the drive's capacity.

With high capacity tier 3 drives, one reason that RAID 6 (or a RAID 50 setup with tiers/groups of disks) is used is because it can take days to rebuild a blown drive. If drives continue to have larger capacities, but I/O stays the same, then we will need to add more parity drives to RAID arrays to support multiple drive failures and still keep the data accessible, better algorithms that run in the background to detect (and fix) bit rot, and bigger/smarter caches.

Maybe this is just me, but I'd rather see drives with double the MTBF than double the capacity. I can always add more drives and arrays. A failed disk will cost time no matter what, even if it is just walking to the server room, pulling it out and replacing it with a spare. For non-enterprise customers, a failed drive can be catastrophic since not many users have RAID arrays for protection.

yesterday

Voting Machines Malfunction: 5,000 Votes Not Counted In Kansas County

mlts Re:open-source voting machines. (107 comments)

Bingo. Having computer assisted voting that produces a ballot that is both machine and human readable is a must. Without this paper trail, you have absolutely nothing. Even with crypto, crypto doesn't protect against erasure, and an "accidental" erasure of votes on a voting machine can sway an election.

I was working on an e-voting prototype using Java in the late 1990s. No matter how it worked, there was no way to secure it, so I gave up on the project, because if the device couldn't be hacked, the data on it was destroyable. Distributed storage could easily be hacked/tampered with, and would be hard to admin by volunteers. The hardware could be made more secure, but it would completely destroy voter anonymity.

Instead, David Chaum's Verifiable Voting system is the absolute best thing out there. It provides not just anonymity for votes, but validates ballots were done correctly.

yesterday

Ask Slashdot: Best Biometric Authentication System?

mlts Re:RFID/card scanner (121 comments)

Biometrics might be useful for a lock inside an already secure company, but there are so many existing solutions which work well with AD that cobbling up something can be pointless:

1: Why not just use regular AD authentication at the core and move the 2FA to the edges? I've seen this done using either Cisco software for VPNs, Citrix, or other means. This way, to authenticate from machine to machine (especially if UNIX machines use AD and there isn't a way to add anything), it doesn't take that much. Plus, this saves cash by limiting the need for devices to users who need access from the edge.

2: If 2FA is needed, then why not use CAC/PIV-like cards? Since the US government uses them everywhere, the software for them is available.

3: If 2FA is needed on the cheap, there might be a way to use the Google Authenticator (part of OAuth as above). I have that in place on ESXi machines and other items. However, this means that one has to have a device showing the numbers with them at all times. I also use OAuth and Google's app for Linux VMs that are Internet facing as a backup if I don't have the local machine's SSH key in the remote VM's authorized keys file.

Personally, I'd just use 2FA on the edges or on the machines which need that security. Fewer hassles, and cheaper.

yesterday
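
The Google Authenticator codes mentioned in point 3 are time-based one-time passwords (TOTP, RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from the comment or from Google's app: it generates the number the device shows and performs the server-side check with a clock-drift window and a replay guard. Function names are my own; the base32 secret in the comment is the RFC test key re-encoded.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded: "007081" is a valid code)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). This is the number the
    authenticator app displays; it needs only the shared key and a roughly correct clock."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the current step and +/- `window` steps of clock drift,
    compares in constant time, and refuses any counter at or below `last_used`, so a code
    that was observed once cannot be replayed during the rest of its 30-second life.
    Returns the matched counter (persist it as the new last_used) or None on failure."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter > last_used and hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps show the secret as unpadded base32 (often with spaces);
    restore the padding before decoding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))
```

The RFC 6238 reference vectors use the 20-byte key "12345678901234567890" with 8-digit codes, which is why the check below calls `digits=8`.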

Multiple Manufacturers Push Hydrogen Fuel Cell Cars, But Can They Catch Tesla?

mlts Re:Where do you fill up? (280 comments)

Hydrogen also takes a lot of energy to split from water. Technically it is renewable... and it also is energy source independent (got a hydro plant nearby, like Paraguay, then there may be energy to spare.) This can be a good thing, because the vehicle isn't tied to petroleum like it would be with CNG/LNG or other fossil fuels.

I personally like the idea of getting away from anything dino related as fuel, be it batteries, a la Tesla, or hydrogen fuel. This is going to have to happen sooner or later, and better now as opposed to when a crisis happens, such as Iran deciding to stop letting tankers cross through the Strait of Hormuz.

Long term, hydrogen does use more energy... but getting energy is more a matter of will than technology. Thorium reactors have been around for decades. China has gen IV reactors up and running, and is doing its best to get off the imported oil teat. If vehicles can be moved from oil, it would be a major coup for energy independence. Investing in other forms of energy and separating the fuel needed for vehicles from the energy used to power it is a lot better long-term than another oil pipeline which will only run dry in 5-10 years.

3 days ago

Google Launches Service To Replace Web Ads With Subscriptions

mlts Re:Welp, sold (309 comments)

I'm signing up for this as well. If I frequent a site, and they have a subscription, I'll pay for it. Some sites have a lifetime of no ads if you toss them half to a whole C-note, so I do that. Other sites offer donations, so they get €25 or so every so often. I'm sure subscription revenue is higher than ad revenue, so it is a win/win.

about a week ago

What is your computer most often plugged into?

mlts Solar powered install count? (233 comments)

I have one computer connected to a PSW inverter feeding from two six volt golf cart batteries. The power to the batteries comes from a decent charge controller and few PV panels. This setup doesn't give much juice, but it is enough to keep a laptop and other accessories charged no matter what happens to the mains power.

about a week ago

Microsoft Rolls Out Robot Security Guards

mlts Re:Help .. I've fallen over (140 comments)

Yes, these things are vulnerable to "cow tipping", but I can see these used to patrol some disused strip mall or other complex to keep the squatters at bay, where having a solution that one can just set up and forget would be quite handy. It also would discourage thieves because squatters or trespassers would have to deal with the robot and either book it or attack it (which now makes them felons for malicious mischief charges.) Shooting the robots then brings armed trespass charges.

If I owned some empty real estate space in a suburban or rural area, with sidewalks smooth enough that the K5s would not topple over, it would make sense to have two units on patrol as an enhancement to a CCTV installation.

about a week ago

Apple Swaps "Get" Button For "Free" To Avoid Confusion Over In-App Purchases

mlts Re:why can't we go back to the old shareware syste (103 comments)

I wish that happened. Realistically, if Doom were done the way most IAP games are laid out these days, we would have to buy IAP for the chainsaw and everything past the fist and pistol, IAP so we can use the powerups, IAP so that the secret panel unlocks, and when we died, either wait 2 hours, or pay $1.99 for three more lives... then the next few levels would be an entirely different app, and we would have to re-buy the rocket launcher and BFG all over again.

about a week ago

Android Botnet Evolves, Could Pose Threat To Corporate Networks

mlts Re:key words (54 comments)

I wish Android had the ability to have a "default store", so that Google's Play Store, Amazon's store, F-Droid, or other stores/repositories could be used without having to turn on the "unknown sources" option. That way, a device could be shipped, and the user could pick a store they use, or have the ability to download and install from multiple items without needing to go through the sideload mechanism.

about a week ago

Android Botnet Evolves, Could Pose Threat To Corporate Networks

mlts Re:Root Your Device? (54 comments)

It depends on how savvy the person is. If one has basic UNIX abilities, then yes. Set a firewall, set it to not allow anything out unless it is explicitly granted by you.

Even better, using Xposed's XPrivacy is also a major security boost. If some flashlight app is demanding root, trying to get to contacts, trying to get to sites offshore, it will be obvious to the user and thus stopped.

Of course, if the user isn't UNIX savvy, they may end up blocking some outgoing task that needs to phone home and then get mad that their phone isn't working.

As for the malware, if it is an app, the worst it can do is try to install itself as a device administrator (which will require a prompt from the user), which gives it the ability to lock and erase the device at will, as well as the ability to hide itself. Of course, if the user has a rooted device and allows the app access via su, the game is over. However, newer su versions will disallow apps from even prompting for su access unless they declare a permission for it (ACCESS_SUPERUSER), which will be obvious when downloaded or installed.

about a week ago

Lessons Learned From Google's Green Energy Bust

mlts Re:This is a good reminder for all technocrats (219 comments)

Sometimes the new technology was just sitting there disused all along. There are a lot of things that are sitting around that are waiting to be rediscovered. Hybrid cars for example were made in the late 1800s/early 1900s.

There are a lot of factors involved... the invention, making the invention marketable, getting the factories able to mass produce it and the parts required. Just small innovations like a machine that can twist metal links for a chain can mean immense improvements in product availability.

After that, there is legal stuff, and slapping a book's worth of warning labels on it. For example, why does 9mm ammo need a warning of "do not eat" on it?

It is a long and treacherous road to get ideas to market. In theory, it should be easy, such as the time period between 1900 and 1950 when life in the US went from dwelling in mud houses to modern life. Now, the rate of inventions making it to market has all but stopped due to all the hurdles in the way, be it regulatory, vague patents, people who need to be paid off, or the fact that a lot of VCs are not interested in inventions, but pyramid schemes with built-in exit strategies.

Of course, this gives me a worry about the future of the US. The reason why English is the lingua franca of the planet is because of innovation. This can change quickly. Twenty years from now, it may actually be a toss-up if the default language will remain English, or shift to Chinese, Arabic, or even Russian for the global tongue of trade.

about a week ago

Lessons Learned From Google's Green Energy Bust

mlts Re:Simple (219 comments)

Solar and wind are just pieces of a puzzle. If I take an average house, I have to either tear it down and rebuild it so it could use passive solar heating/cooling or I would have to either use a fuel or the electric grid to keep the temperature bearable, especially in Texas.

What Google should have done is look at the missing pieces -- storage and transportation. This could be batteries, super caps, or even relatively energy-consuming conversions like converting water to hydrogen or CO2 in the air to propane. After storage, it becomes transportation. Over really long distances (hundreds of miles), it might be worth it to power a reaction that pulls CO2 from the air to generate propane, ship that via pipeline to be burned and turned back into electricity at the receiving end.

about a week ago

Rooftop Solar Could Reach Price Parity In the US By 2016

mlts Re:My two cents... (516 comments)

This is an offshoot from off-grid and RV solar charging systems. Oftentimes one will end up with one unit that takes 120 VAC, converts it into the right voltage for the batteries to use at the proper state of charge. However, as inverters become more of a standard fixture in RVs, one unit does the converter/rectifier work, as well as takes 12 volts DC, and turns it into 120VAC.

Most RV systems have a converter/inverter, and the solar panels are fed into a charge controller which is a separate unit. MPPT charge controller prices are dropping, so it is only wise to go for something along those lines (so your 24 volt panels get a lower voltage, but higher amperage going to the batteries, as opposed to a PWM controller which will "lop" off half the voltage, making a 24 volt, 100 watt panel into a 50 watt panel for all intents [1].)

Even though it is a misnomer, since more units are springing up with the inverter/converter/rectifier functionality, they end up getting called inverters, although it is wise to check what type of inverter (MSW versus PSW), and what added functionality is present.

[1]: Note, these are rough numbers.

about a week ago

Launching 2015: a New Certificate Authority To Encrypt the Entire Web

mlts Re:quick question (210 comments)

HTTPS requires active MITM attacks to eavesdrop. If one looks at the trail afterwards, there isn't any real way to glean the session key the two machines created... to get that key, Charlie has to actively step between Alice and Bob and capture their pieces, while pretending to be the other person. If both use some signature mechanism, Charlie is SOL.

What might have been better is early on, have Web browsers accept self-signed SSL certs, and show some grey icon for that. Certs validated and signed by a CA, a blue icon. EV certs, green. Couple that with a mechanism that detects an unexpected certificate change, and this could provide a decent level of protection, while making it obvious to the user that if they are concerned about security, do transactions with the green or blue color present.

about a week ago

Microsoft Releases Out-of-Band Security Patch For Windows

mlts Re:Better go kick WSUS into a sync... (178 comments)

That applies to all operating systems. When it comes to production, three things apply: Has the patch been tested in an environment as close to what the field is like, can it be applied without much downtime, and is there a way to back it out without causing major headaches.

This is one reason I like virtualization with clusters [1]. If a patch does make it past testing and fouls up a production VM, I'm a snapshot away from going back to a working machine. This isn't a magic bullet solution, but it does help, and there is software which can sit atop the virtualization platform to catch intrusions and automatically roll boxes back to a working snapshot (perhaps taking a snapshot of the hacked VM for forensic purposes.)

[1]: VMware's fault tolerance mechanism is limited to a VM with one vCPU, but the ability to restart a VM if the physical machine is dead is a good one. Same with Hyper-V.

about two weeks ago

Military Laser/Radio Tech Proposed As Alternative To Laying Costly Fiber Cable

mlts Re:Yes, it could be much cheaper (150 comments)

That's the rub. Turning on encryption is easy. However, how does one do key management?

Arguably, the most secure way would be to have a true secure RNG (using radioactive decay, high speed flip-flops, or political flip-flopping on issues) as a source of randomness, perhaps multiple sources so if one ends up having something periodic, a "bit blender" (be it a hashing algorithm, or just XOR-ing the random number streams) evens it out. Then have two copies of the OTP, one at each endpoint.

Realistically, I don't see an OTP being used, but maybe quantum key generation could be used as a way to create a highly secure key that session keys are generated from.

However, for relatively cheap devices, if they implement crypto even up to WPA2-PSK spec, I'll be impressed. My ideal is to use a set of preshared keys (preferably both a set of symmetric and asymmetric) to generate random session keys via a D-H exchange, and periodically generate a new key.

about two weeks ago
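
This comment and the HTTPS one above make the same point from two sides: a passive recording of the exchange does not yield the session key, and an active substitution of a public value is defeated once both parties authenticate what they receive. The block below is an added example, not code from either comment: an ephemeral Diffie-Hellman exchange in which each public value carries an HMAC tag under a preshared key (standing in for the signature mechanism the HTTPS comment mentions). The group parameters are toy-sized for readability, the preshared key in the test is constructed, and all function names are my own.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: p = 2**127 - 1 (a Mersenne prime), g = 5.
# Real deployments use a standard group (RFC 3526 MODP) or an elliptic curve.
P = 2**127 - 1
G = 5
NBYTES = 16  # big enough to hold any value below P


def keypair():
    """Ephemeral DH key: random exponent x and the public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def auth_tag(psk: bytes, identity: bytes, pub: int) -> bytes:
    """Bind (identity, public value) to the preshared key; an HMAC stands in for a signature."""
    msg = identity + pub.to_bytes(NBYTES, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def verify_peer(psk: bytes, identity: bytes, pub: int, tag: bytes) -> int:
    """Use the peer's public value only if it is in range and its tag checks under the PSK."""
    if not 1 < pub < P - 1:
        raise ValueError("public value out of range")
    if not hmac.compare_digest(auth_tag(psk, identity, pub), tag):
        raise ValueError("tag mismatch: value altered in transit or not from " + identity.decode())
    return pub


def session_key(priv: int, peer_pub: int) -> bytes:
    """Derive the session key from the shared secret g^(ab) mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"session-key" + shared.to_bytes(NBYTES, "big")).digest()


def run_exchange(psk: bytes, substitute=None):
    """Alice and Bob exchange authenticated public values over an observable channel.

    `substitute` is a constructed hook modelling an active party replacing Alice's
    public value before Bob sees it. Returns (alice_key, bob_key, wire), where `wire`
    is everything a passive listener records; raises ValueError if Bob rejects the value."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_tag = auth_tag(psk, b"alice", a_pub)
    b_tag = auth_tag(psk, b"bob", b_pub)
    wire = [(b"alice", a_pub, a_tag), (b"bob", b_pub, b_tag)]
    seen_by_bob = a_pub if substitute is None else substitute
    bob_uses = verify_peer(psk, b"alice", seen_by_bob, a_tag)   # Bob checks Alice's value
    alice_uses = verify_peer(psk, b"bob", b_pub, b_tag)         # Alice checks Bob's value
    return session_key(a_priv, alice_uses), session_key(b_priv, bob_uses), wire


def substitution_rejected(psk: bytes) -> bool:
    """Someone in the middle swaps in their own public value; without the PSK they
    cannot produce a matching tag, so Bob refuses it and no key is agreed."""
    _, forged_pub = keypair()
    try:
        run_exchange(psk, substitute=forged_pub)
    except ValueError:
        return True
    return False
```

The `wire` list is exactly what an after-the-fact trail contains: two identities, two public values and two tags, none of which is the session key; deriving it from that trail would require solving the discrete logarithm in the group.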

Toyota Names Upcoming Hydrogen Fuel Cell Car

mlts Re:No, really -they don't say how. (194 comments)

Maybe that might be the best answer -- if one can spend the energy it takes to pull apart hydrogen from water, one can pull CO2 from the air and make propane. Propane has 73% of the energy of gasoline... but for most tasks, that is good enough. Plus, Truma has their VeGA [1] fuel cells which can use propane, so it can be actively burned in a vehicle's engine, or used in a fuel cell to keep the batteries topped off.

[1]: Would be nice if Truma sold more than their propane gauge in the US. I'm not sure if they are afraid of lawsuits, or just find Americans not good enough for their products, but they are at least two generations ahead of the RV appliance makers on this side of the pond with what they offer.

about two weeks ago

The New-ish Technologies That Will Alter Your Career

mlts Re:Some technologies I worry about... (66 comments)

SDN as a concept is sort of an evolution. Things like OpenFlow just make sense, and it was only a matter of time before we would see L2 and L3 packet manipulation merged into one device, just like we saw hubs and switches merge. Cisco's Nexus series is an example of this.

The big hurdle is combining network fabric with storage fabric. FCoE does this, but the big leap will be FC, so a switch can function either as a FC switch, or use FC just for media and be an Ethernet device. This way, one can deploy network devices, and it doesn't really matter if part of the device is zoned for logical devices and part of it is for IP addresses.

Of course, there is the issue of redundancy... you don't want a DDoS on core fabric taking out your SAN. However, as time goes on, we will see two devices that would combine with LAGGs or MPIO (depending on the storage technology) to provide redundancy both for storage and network. You will see smarter devices that can separate getting hammered due to network traffic without that interfering with I/O for disks. It might be that even drive controller functionality winds up part of the core fabric, with features like caching, deduplication, encryption, snapshots, WORM functionality (where once files are written, they stay in place until they expire), and other features normally handled by the SAN.

about two weeks ago

The New-ish Technologies That Will Alter Your Career

mlts Re:Some technologies I worry about... (66 comments)

It likely will come back. As of now, a company has to use the Internet for all transactions, which means every ingress and egress avenue is vulnerable. It only is a matter of time before carriers will move to dedicated lines and creating their own WANs which are not connected to the Internet for specific tasks (B2B communication, payment processing, etc.)

As stated above, non-interconnected networks are coming, be it China, Russia, Brazil, or others. North Korea has their own "public" WAN, not connected to anyone else. It is about doing this job right that is going to change things fundamentally. Select the wrong trunk on the ESXi cluster, and it can cause a catastrophe.

Ironically, this might be the thing which might help IPv4 address space.

about two weeks ago

Submissions

Truecrypt is now dead

mlts writes | about 6 months ago

mlts (1038732) writes "Visiting the TrueCrypt website, they have posted that all development has ceased, and instructions on how to move to BitLocker from their product.

If this isn't a joke, this is a very sad day for crypto usage everywhere."

Journals

mlts has no journal entries.
