Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!



Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

mlts Re:Tower Systems (300 comments)

Next to using POS machines which are basically a 3151 terminal, a cash box, a PINpad and a credit card swipe item, I'd say this is the best approach one can get in this line of work.

Only thing I'd add would be some way of protecting if someone decided to hop onto the POS network (physically unplugging a cash register, plugging in their laptop.) This could be somewhat solved by a smart switch that locks ports to MAC addresses for starters. Not "serious" protection, but will stop some kid trying to get on the LAN in their tracks.

7 hours ago

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

mlts Re:It Depends (300 comments)

Out of habit, I like using iptables or firewallD with existing services. At first, there will be initial configuration breaks (especially outgoing stuff), but it provides me three assurances:

1: Machines not configured to talk with the machine will not be able to. This narrows down the attack surface greatly. For example, if a DB server only communicates to some machines in a DMZ, a limitation is put on to only allow that port, so another machine on the same subnet that gets compromised won't be able to access the DB. This also protects against unauthorized nmap scans.

2: If non-root malware gets on the box, it won't be able to phone home or get itself a connection outside. Defense in depth is often overlooked because it has been habit to focus on network security, with relatively little attention to paid to individual hosts and OS level security. Well, other than desktop malware that is.

3: It looks good in audits when you can prove that individual machines have packet filters in place.

7 hours ago

Ford, GM Sued Over Vehicles' Ability To Rip CD Music To Hard Drive

mlts Re:USB Import (260 comments)

I definitely do for a number of reasons:

1: Music formats used to change, and still do change. In the past it was ripping to whatever the device needed, (ATRAC3, WMA, MP3, AAC.) This is less of an issue now since the industry has standardized on AAC, but if I want FLAC or ALAC, I can always re-rip.

2: I like physical media. A pressed CD isn't going to be affected by malware, barring a clever flash of the firmware in a CD burner. Plus, I don't need much to play it.

3: Not all bands bare their souls to iTunes and other music stores. AC/DC, Tool, and a number of regional/folk bands just don't make much money by singles. Streaming services, the bands make even less. So much less, it isn't even worth bothering with.

4: It makes more money for the band to sell a CD than a single. Even if they only receive a couple dollars from it, it usually is more than what they would receive via an online store.

8 hours ago

Ask Slashdot: Open Hardware/Software-Based Security Token?

mlts Re:You can create a token but keep it off nets (110 comments)

I'm reminded of the IBM ZTIC. Great device, because it only used the computer as a means of getting power and a means of getting data from the device, via the USB port, over the network, to the bank, via a secured channel (encrypted from the device itself, so a malware-laden computer could only deny access, not tamper with packets.) When doing a bank transaction, the ZTIC would show on its screen the transaction and one would confirm/deny it on the device.

However, in the real world, I read complaints about the USB driver, and the fact that it only worked under Windows.

Since 3G chips are so cheap, I wonder about a device that is pretty much the same as a ZTIC, except uses its own low bandwidth cellular connection to contact the bank and be used as a second confirm/deny channel.

For general computer use, this device could function as a 2FA token, but when someone did an action like change a password or attempt to view/modify some critical records, the device would prompt for confirmation.

As for biometrics, I wouldn't trust them completely. A fingerprint scanner similar to the one on the iPhone 5S might be "good enough", but definitely have the ability to enter a PIN if needed.


Ask Slashdot: Open Hardware/Software-Based Security Token?

mlts Re:You can create a token but keep it off nets (110 comments)

There is "secure enough". A token on a smartphone is vulnerable to unknown backdoors... but for almost anything but some high profile target, it will do the job decently well.

I have an older HTC phone (HTC One X Plus) running CM whose job it is to act as a backup token. Since it has no SIM card, and the Wi-Fi antenna isn't on, it is good enough. Physically, it uses dm-crypt and encrypts the /data partition using a long passphrase that is separate from the screen lock password. I don't think access to my stuff will get someone wanting to make an ASIC mask, so for my stuff, this is good enough.

If I were worried, I'd probably go with a vendor and a hardware, tamper-resistant key fob, such as what Amazon, PayPal, or Amazon ship. Still not 100%, but good enough.


Ask Slashdot: Open Hardware/Software-Based Security Token?

mlts Re:OATH (110 comments)

I'm using OATH/TKIP as well for my remote access as a backup if I can't SSH in via my private RSA key:

1: It is brain-deadly easy to implement. I use CentOS, so I can fetch the Google Authenticator code from EPEL.

2: Many different OTP apps out there. There is Google's. Amazon has one for AWS. There are a number of third party ones. All are interchangeable. At a desktop computer, I just plug the Yubikey in a USB slot, mash the button when the password is asked. Done.

3: The protocol is decently secure. Good enough for 2FA for Amazon AWS and Google's offerings.

Since the protocol is open, the hardware is inexpensive, and it is easy to implement, I'd go with this. Only exception is if someone needs it to work with AD... I'd probably say that SecurID is easier to get running... but a lot more expensive to buy seeds or physical authentication devices.


Ask Slashdot: What Would You Do With Half a Rack of Server Space?

mlts Re:Keep It Ready (206 comments)

I might add on to that. Keep it ready, and if it does get pushed to the cloud, keep the half-rack as a "disastrous recovery" [sic] site.

At the minimum, one can buy a small tape library (a single drive HP one that is 2-3U can store 300 TB, all encrypted, using LTO-6 tapes.) Add to this a 1U machine via a SAS card, and you now have archiving capability. A HP or Dell drive array is also 2-3Us, so add that onto the machine via your protocol of choice (SAS RAID 6), and now you have a place to stash critical data for long term backups. That way, if the cloud storage provider dies, you still have access to database dumps, old purchase orders [1], payroll records, and other critical info.

Even with the assurances of "we have 'passwords' and 'firewalls'" that cloud providers give, it is wise to have core company data in two physical (or realistically one physical, one logical) locations. Mainly because of the "all eggs in one basket" item. It is only a matter of time before some criminal organization hits a large cloud provider and dumps all the client data [2]. No large business trusts one data center completely, so why should one trust a cloud provider (which is likely just one data center, but might be without any oversight how it gets run.)

Other uses of that half-rack of space can be to have a VM farm. The drive array is changed out for a SAN with two drive controllers, a switch is added, and 1U servers using 10gigE iSCSI are put in. If density is an issue, an HP Moonshot can be tossed in for 45 blades in a 4.3U chassis [3]. That way, one may only have a half rack, but still be able to spin up plenty of VMs as scaled down critical hosts (be it AD DCs, Exchange replicas, database cluster nodes, and so on.)

Of course, this won't fit every situation, but if something happens to the cloud services, the half-rack can be used to keep the company limping along on the short term until things get restored.

Even after moving to the cloud, I'd keep that half-rack, if only as a place to archive data for the long term.

[1]: The receipts and POs will come in handy if the BSA comes a knocking and decides to demand an audit.

[2]: Could be for any reason. Any group who does cause a major, unrecoverable outage at a first name cloud provider will forever get their name on the map and in front page of the press, day after day.

[3]: The remaining 0.7 of a U can be plugged by one's method of choice in a hot/cold aisle. Plenum grade pipe insulation (which basically is a brown pool noodle that has a fire rating) is one way. The Moonshot is mainly for VDI, but when one is needing to replicate an entire enterprise's configuration on a scaled down basis, this is also a good use for this type of architecture.

3 days ago

Earth In the Midst of Sixth Mass Extinction: the 'Anthropocene Defaunation'

mlts Re:One small way I try to help. (326 comments)

I learned that lesson as well. However, I'm experimenting with aquaponics/aeroponics because it makes things less of a chore -- just add water and fertilizer to the tank, let the system take care of the rest, especially with a solar panel and timer.

Of course, gray water is useful (not on stuff you eat, of course) It is useful for keeping trees and such alive.

Similar with chickens. Done right a few hens that drop off eggs in the coop can be a good thing. Too many, and it can become a daily time-sink, especially if there isn't enough square-footage for them to forage.

5 days ago

Earth In the Midst of Sixth Mass Extinction: the 'Anthropocene Defaunation'

mlts Re:One small way I try to help. (326 comments)

I like having a major chunk of the lawn be a garden. A co-worker has turned his front yard into one that is extremely productive, with a couple solar panels, a timer, and some PVC pipe for aeroponics (which actually is pretty water thrifty.)

The ironic thing is that a lot of HOAs detest gardens... but when the food gets ripe, people there usually are the first who want the 100% organically grown items.

Since people pay for that front yard space, might as well make it productive. If not a garden, then maybe have a chicken coop and a few hens (no roosters, obviously) and have a source of usable protein from the eggs.

The ironic thing is this was done pre-WWII, with victory gardens. I don't get why more people don't do this.

5 days ago

Amazon's Ambitious Bets Pile Up, and Its Losses Swell

mlts Re:Avoiding Amazon Web Services? (168 comments)

I think AWS is the primary brand for cloud services, with Azure right on its heels, then other providers (Rackspace, etc.)

Amazon has some unique services that nobody else has. Glacier comes to mind for long term storage [1]. There are other services they provide which can be useful.

Amazon is not going anywhere... the shareholders may be unhappy right now... but it isn't like Amazon's market is drying up anytime soon. They are the only big company which can fight Wal-Mart and win on price alone. [2] If Amazon so chose, they could actually wage a battle on every front Apple is making money on, and actually make headway. Very few companies can do this.

Even if Amazon "failed", the cloud part would be spun off to a different entity. If not, because of all the critical data on AWS... Amazon almost certainly would receive a bailout, just like the car makers did.

[1]: Glacier is not going to replace a normal offsite volume anytime soon. The cost for uploading and storing is very reasonable. However, you do pay for accessing the data. If you use this for backups (I use it as the media of absolute last resort), it can be a useful tool.

[2]: This isn't a good thing with the race to the bottom, but a notable point.

5 days ago

Intel Launches Self-Encrypting SSD

mlts Re:How is this news. (91 comments)

IIRC, just a simple TRIM command can zap all data from a drive, no chance of recovery, no way, no how... and all modern operating systems constantly use TRIM to return freed up space to the SSD's controller.

about a week ago

China Has More People Going Online With a Mobile Device Than a PC

mlts Re:Long live the 'desktop' and mobile 'laptop'. (58 comments)

I wonder how long it will be for a phone to take over the desktop role in a meaningful way (assuming a docking station). We have had some attempts at this, especially with the Motorola Atrix line (RIP) which were pretty good, although the best use (IMHO) was a Citrix receiver [1].

Already, we are seeing the tablet/desktop line blur, as Microsoft's Surface Pro [2] models get better. I wouldn't be surprised to see in a few years, a phone with 256-512 GB of SSD be usable in a docking station for basic desktop functionality, with USB 3.1 ports, maybe even Thunderbolt ports.

[1]: Would be nice to have a multiplatform F/OSS project comparable to Citrix Xen Desktop. No, VNC with its eight digit max password, does not count. X-windows over SSH is good, but doesn't play well with MS-Windows based items.

[2]: The Pro is the keyword... The plain old Surface is ARM based. The Pro is an X86-64 machine.

about two weeks ago

Critroni Crypto Ransomware Seen Using Tor for Command and Control

mlts Re:Backups (122 comments)

I wonder how many generations of ransomware we will see before backups come back into "style". It used to be in the '90s that people actively did some type of backups, and even PCs shipped with some form of tape drive. Then disks got cheap, and offsite storage become viable, so backups were not done, or if done, were just kicked to the cloud.

Any backup is better than none, but I wouldn't be surprised if the next generation of ransomware would either encrypt files slowly (but use a shim driver to decrypt stuff until it is done, and then completely zap all decryption keys and tell the user to pay up), or if it does notice a backup program being run, actively or passively corrupt it... or just erase the hard disk or the file share it is being backed up to. A simple TRIM command would make the data on a SSD unrecoverable. An overwrite of a directory synced with a cloud service will make that unrecoverable.

I wouldn't mind seeing tape come back, as it isn't slow, and it is relatively cheap (I've seen ads for LTO-6 tapes for $10 each.) The drives are pricy [1], but tapes are reliable [2], LTO4 and newer have AES-256 encryption in hardware (and very easy to turn on, be it by third party software, the tape silo's web page, or the backup utility.) A tape sitting on a shelf takes zero energy to store (other than HVAC), and if dropped, unless there is major physical damage, it is almost certain the media will be usable.

Will tape be 100% against malware? Nope. However, it keeps the data offline, so that a single "erase everything" command won't touch the data [3]. One can buy WORM tapes to protect against erasure/tampering as well, as well as flip a write protect tab.

In a ransomware scenario, WORM tapes would be very useful, especially if the malware decides to try to force an erase on all backups. The fact that tapes tend to be offline brings even more security since if the tape isn't physically in the drive, it can't be touched. Again, nothing is 100%, but the barrier for ransomware to destroy all backups goes a lot higher with offline media than with cloud storage or an external HDD.

I wouldn't mind seeing backups be done again, and done in a smart, time-tested way... done to local, archival grade media that is very inexpensive, but yet super reliable.

[1]: I think there is a market niche for USB3 tape drives at the consumer level. Newer drives have variable speeds to minimize/prevent "shoe-shining", and with all the space on a tape, if areal densities similar to HDD are present, it would store quite a lot of data, even with multiple layers of forward-ECC. LTO tape drives are even bootable so a bare metal restore can be done with just the tape in hand and the drive on the machine, no other media.

[2]: In the past decade at multiple IT shops, I've gone through thousands, possibly tens of thousands of LTO tapes. The total number of tapes that I introduced to the degausser were fewer than five, and all the errors thrown when read/written were all soft errors, so all data was recoverable. This is pure anecdotal evidence, but it has impressed me personally on the reliability of these drives. It is wise to have a backup process of rotating tapes and having some task just verify data when nothing else is going on, and goes without saying to use multiple media just in case hard read errors do happen.

[3]: One can tell a tape silo to zero out all tapes sitting in it, but that is going to take some time, and not be instant. It can be done... but if one has a basic offsite procedure in place (where all tapes leaving get the write protect tab sent), even this can be mitigated without much time and effort.

about two weeks ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

mlts Re:How does one detect these things (168 comments)

Tripwire/AIDE is passive. It can tell me if a binary is changed, but won't actively block a dropped script.

SELinux is great for assigning roles and denying execution in directories. However, it doesn't sign executables, nor keep a manifest in place.

AppArmor is similar to SELinux.

All of these are quite useful, but what would be an addition which would stop this type of Trojan cold would be something that checks an executable to see if it is on a manifest, checks its signature, then allows/denies/logs access. One can use -noexec flags and ACEs in SELinux for similar effect, but having a feature overlap wouldn't hurt.

about two weeks ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

mlts Re:How does one detect these things (168 comments)

Sometimes I wonder if Linux should have functionality similar to AIX's trustchk.

This command on AIX can make a list (signed with an OpenSSL key), then either warn when something runs that isn't on that list, or block it entirely. Functionality can be turned on to watch libraries as well, so if a library was changed, execution stops or a syslog entry is generated. In fact, it can be locked down so a reboot into another OS instance would be required to modify the trustchk settings.

If someone has static scripts that don't change often, this functionality would come in handy and would nip something creating scripts or executables on the fly almost immediately.

Even better would be to combine trustchk with BSD's securelevel so that a signed list of executables can be created, then locked down until the machine reboots.

about two weeks ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

mlts Re:Derp (168 comments)

It might be that if one uses a VPN, and a limited number of IP addresses, maybe just block everything except for those ranges, and the VPN (preferably a less known, but reliable provider, maybe even a static IP on a linode box) would allow one access if one wasn't on that range.

Of course, the attacks I see coming are often compromised Windows boxes on DSL or cable modem IP ranges, so blocking Elbonia directly may not help much. The best bang for buck is maybe blocking the obvious hotspots, then rate limiting dynamic IP pools.

I've wondered, at an extreme, having a custom sshd that had a list of IPs in place, and if someone connected from a blacklisted IP, it would randomly just deny them, or perhaps give them a fake shell before closing the connection. Of course, tarpitting can't hurt either, but a botnet only connecting 2-3 times from an IP at a time, that won't help much.

Another idea would be to combine it with port knocking so that the sshd would give bogus reponses to anything that connects unless it previously knocked on another port. Of course, this would be in combination with blacklists.

about two weeks ago

New Mayhem Malware Targets Linux and UNIX-Like Servers

mlts Re:Derp (168 comments)

I use fail2ban and RSA keys as my primary login mechanism... but I also use the RFC 6238 TOTP tokens (Google Authenticator code available from git, or just fetch it from EPEL if on RedHat or a downstream distro like CentOS. For an app, one can use RedHat's FreeOTP, Google's app, Amazon's, or a slew of others.)

This isn't 100%, but two factor authentication should be the minimum standard for Internet communication these days.

After that, what may or may not help is the push to run everything in containers (think domains in Solaris, or WPARs in AIX.) Docker seems to have a lot of enterprise support, and it is relatively new, and that would put another layer of security in place.

This isn't to say malware can misbehave in a container. In fact, malware running in the user context on Windows can do a lot of mayhem. However, containers provide better defense in depth, same with SELinux.

about two weeks ago

HP Claims Their Moonshot System is a 'New Style of IT' (Video)

mlts Re:4.3 U (68 comments)

A swimming pool noodle cut to fit works perfectly with gaps in the hot/cold aisles. Don't ask how I know...

about two weeks ago

Led By Nest, 'Thread' Might Be Most Promising IoT Initiative Yet

mlts Re:That good, eh? (79 comments)

The advantage of a even an easy-bump tumbler lock is that it requires physical presence to do that, with immediate risk (big dog waiting for his/her next meal behind the front door.)

The problem with these devices is that someone can be -anywhere- and break them. Done right, one button push from a script kiddie in Elbonia can unlock hundreds of thousands of deadbolts without warning, and no way for the perp to ever face consequences. This can be done either out of sheer malice, or perhaps extortion/blackmail against each and every user of the device, as well as the device maker.

Of course, if they have an easy mechanism to get flashed, that means an easy mechanism to get hacked, or perhaps bricked as well.

I can put packages down for a second while I stick my key in the lock. Fumbling for an app on my smartphone to unlock the deadbolt actually would take longer.

about two weeks ago

Critical Vulnerabilities In Web-Based Password Managers Found

mlts Re:Storing cloud passwords in the cloud? (114 comments)

The problem is that there is an conflict between a password suitable enough for protection (i.e. 20+ characters), and something quick enough to access in a short time.

mSecure addresses this in an interesting way -- they cache the extra long sync password used for the cloud. The password that is used to encrypt the synchronized database that sits in iCloud or DropBox is different from the app's passphrase. Since most phones have decent innate protection, it is not impossible, but very difficult to dump the data on a locked device [1], so one can have a fairly easy to type in PIN on the device, but the synchronized backend file is protected with a much longer (and more secure) passphrase.

[1]: iOS on the iPhone 4 and up always encrypts. Android since 3.x has the option of using md-crypt and encrypting the /data partition, then using another tool to separate the password asked on boot to decrypt that partition from the screen locker password.

about two weeks ago



Truecrypt is now dead

mlts mlts writes  |  about 2 months ago

mlts (1038732) writes "Visting the TrueCrypt website, they have posted that all development has ceased, and instructions on how to move to BitLocker from their product.

If this isn't a joke, this is a very sad day for crypto usage everywhere."

Link to Original Source


mlts has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>