Comments


Why the IETF Isn't Working

skids Re:Corporatization (103 comments)

Yeah, to say that "standards don't keep up with technological progress" is a one-sided perspective, since technology doesn't keep up with standards. If it did, I'd be more of a coder and less of an implementer, because 80% of my time is papering over standards noncompliance in vendor equipment.

Better to say implementors and standards bodies don't coordinate like they should.

5 days ago

Nat Geo Writer: Science Is Running Out of "Great" Things To Discover

skids Re:Until warp drive is invented... (291 comments)

First of all, science is trying to better understand the world, by making models predicting something. It isn't engineering.

Engineers don't just apply known science, they deal with the parts of the system that aren't obeying the textbook rules and find places to look for new phenomena in the process. To do so they analyse behavior and build models that predict the tolerances needed to get things working with a high degree of confidence. The difference is they don't go off on tangents because they have an objective, but engineers are often the initial discoverers of phenomena. It usually takes a pure scientist to then go in and spend the time to explain more precisely why they had to make the tweaks they did, but there is plenty of overlap and there are plenty of people you cannot put into one category or another.

most of the basic ideas in (mechanical) engineering are pretty much settled since Newton got hit by the apple

Um, no, mechanical engineering has more to deal with now than it did then, because materials science and nanotech are increasingly important components.

I don't know where you get your ideas about the engineering disciplines. They pretty much all have frontiers.

about a week ago

Nat Geo Writer: Science Is Running Out of "Great" Things To Discover

skids Re:Level of public funding ? (291 comments)

Again, I am not supporting or disclaiming Horgan's thesis, but I am suggesting that it is an interesting topic worthy of discussion.

It's a worn out thesis echoed many times over by the occasional erudite elder for some psychological reasons that will perhaps never be fully understood, even by said erudite elders.

If you want an interesting discussion along these lines, it's much more interesting to discuss how educational technique could be improved to bring people up to speed faster, given the amount of knowledge needed to make an impact is arguably higher but we obviously haven't managed to figure out how to teach faster. Or how we are starting to get culturally desensitized to discoveries that actually would be ground shaking back in the day. Or how emergent behaviors have suddenly made new areas of math not formerly considered worthy of the title of "science" much more pertinent, and after all, physicists were really doing just math to explain observations back when they made their Nobel winning discoveries.

about a week ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:Not necessarily known since 2012 (303 comments)

I don't think so in this case. I normally would have waited on the firehose for a submission with a better writeup, but this was relatively urgent news so I upvoted it anyway.

(Yes someone did understand you weren't talking about the potential intentionality of the bug, don't despair there are people capable of comprehension out there and you may even meet one face to face someday :-)

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:It's really annoying (303 comments)

There may seem to be more now because there is more auditing going on since the NSA revelations reminded people what had to be done, and also the slower trend of case law starting to punish mishandling of customer data. The halcyon days are over and the backlog is being cleared up.

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:Yet again C bites us in the ass (303 comments)

Only the smallest core of the OS should use unmanaged code with direct memory access. Everything else, including the vast majority of the kernel, all drivers, all libraries, all user programs should use managed memory.

My computer is too busy calculating an MD5 in a managed memory VM that doesn't even have unsigned or sized integer types and thus must perform basic left barrel roll operations in about 50 opcodes worth of abstraction container dereferencing, to allow me to respond to this post appropriately.

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:Is SSH affected? (303 comments)

For sshd there was possibly some protection afforded by the privilege separation model. I'd store your old keys and wait to see something from someone who knows it cold.

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:Things are starting to turn around (303 comments)

Somewhere higher up the bug is described as a "simple bounds check" — which would be easy to implement. The truth is, probably, in between somewhere.

It's not the fix of the code that's messy. It's the fix of the trusts using that code to function. They are all broken. After the upgrade keys need to be replaced, certificates re-issued, endpoints and clients reconfigured to trust new keys, and in some cases customers and end-users may need to be involved. For anything of CDE level security or higher, it's as big a cleanup job as the one that gave us openssl-blacklist, but the blacklist for this would be neither complete nor easy to assemble.

I predict a lot more interest in turning on CRL pathways in the future.

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:I take it this is a server concern (303 comments)

You really think the guy behind hotgritsnatalyportmanphotos.org is trustworthy?

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:Things are starting to turn around (303 comments)

While you're right this was very negligent for a project of the stature and importance of openssl, merely discovering this bug in closed source software would have required a fuzzer and much luck, leaving it unfixed for whoever had managed to get a copy of the source to exploit for much longer.

All I can say personally is I sure picked the right two years to get lazy about patching up.

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Re:definitely news for nerds (303 comments)

Basically it means if you know any UNIX sysadmins, they'll be pretty cranky for the next week or so as they've been busy trying to put the poop back in the baby.

Oh yeah, and lots of your gadgets and favorite cloud services may be vulnerable, so anything stored on them may be in the hands of others.

about two weeks ago

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks

skids Not necessarily known since 2012 (303 comments)

Who knows who knew what and when, but the 2012 statement is a misinterpretation of TFA where they seem to be saying it essentially started "hitting the shelves" in distros about then, whereas before then it was mostly only distributed in beta builds and head code.

about two weeks ago

Ask Slashdot: User-Friendly Firewall For a Brand-New Linux User?

skids Re:www.fwbuilder.org (186 comments)

Though the leading edge of development of end-user level UI for firewalls is on embedded projects like OpenWRT, firewall builder definitely deserves a look. It's close to many of the tools targeted at small-network administrators, like Cisco's ASDM for their ASA product. It may take a short time to learn about service objects and network objects, but that time will be paid back many times over.

The biggest issue an end-user will face with it is setting up the backends as it is less than totally flexible in that department (it has a particular deployment model in mind and is missing a couple hooks in certain places that prevent it from being used for certain purposes.) That said, it is very capable of allowing one to change backends easily (e.g. switch from one brand of firewall to another) with minimal adjustments.

about two weeks ago

FCC Boosts Spectrum Available To Wi-Fi

skids Re:Aren't most wireless networks still on 2.4Ghz? (73 comments)

You don't have to have an especially powerful signal to be able to see other devices. The occasional lucky packet will bounce around "just right" and leak through enough to see the device. So if GP said he didn't see many devices, it's because there just plain weren't many devices.

That said, even with the cheap vendors not putting dual-band in their crap devices, we're seeing a good number of devices in our dorms that are 5GHz capable. Enough to improve life significantly for everyone still stuck on 2.4GHz. Unfortunately many of them are Apples and they manage to turn this advantage into a liability because their drivers stick their heads up their own asses the minute they find an AP using the same SSID on both 2.4 and 5, so they spend most of their time roaming between APs every two or three minutes and torturing their users with bad performance during roams. Supposedly OSX 10.9.2 helps undo some of this damage.

about two weeks ago

WPA2 Wireless Security Crackable With "Relative Ease"

skids Re:EAP? (150 comments)

But AFAIK, there is no preloaded CA for EAP. You install only the CA of your organization, which narrows the opportunities to have a valid certificate.

Depends on your security requirements. Most OSes trust anything in the OS default trusted CAs which includes most major CAs. If you're satisfied with the integrity of all the CAs in that list, you can buy a RADIUS server-side cert from them and the clients will trust it.

The problem comes in making sure the self-service user checks the box to perform the validation and also types in the expected owner name. By default most OSes do not validate this information so anyone with a stolen private key from a CA-certified website can pose as your RADIUS server.

Now, for most OSes other than Android, this vulnerability only exists the first time a user connects to the network (or again whenever they delete the network manually) because the OS then takes the certificate it found and assumes it valid, but then will not accept any other certificate.

Android is a total slut about this and never validates, and the phone would have to be rooted just to be able to turn on validation. Word has it the newest version at least contains hooks that would allow a supplicant configurator to turn on validation, but I have yet to see an android that lets me type in an owner name. When even Apple is doing a better job at security than you, hang your head in shame.

about a month ago

WPA2 Wireless Security Crackable With "Relative Ease"

skids Re:EAP? (150 comments)

In my view EAP-TLS with mutual certificate authentication is still the most secure authentication option available.

You're half right, but EAP-TLS doesn't have a password/account component, just the cert, so you are missing an authentication factor. If you're going through the trouble of actually making sure clients are running a secure supplicant to the point of making users add a client cert and a local CA trustpoint, just secure the settings on the TTLS/PEAP client and ban OSes like android that don't validate. Turn on verification of the client-side cert if you like, too.

about a month ago
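The two EAP comments above both come down to the same client-side settings: the supplicant must be pinned to the organization's CA and must check the server's name, or a stolen CA-issued key is enough to pose as the RADIUS server. The following wpa_supplicant network blocks are an added example, not code from the thread or from any of the posters; the SSID "campus-wifi", the identity, the password, the CA file path and the server name "radius.example.edu" are all assumed placeholders. The weak block is shown first, the hardened block second.

```conf
# Added example (not from the thread): PEAP/MSCHAPv2 client settings for
# wpa_supplicant. All names, paths and credentials below are assumptions.

# WEAK: no ca_cert and no name match. Without ca_cert, wpa_supplicant does
# not verify the server certificate at all, so any certificate is accepted
# and a rogue AP can harvest the inner MSCHAPv2 exchange.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="assumed-password"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuer of the RADIUS server's certificate and require
# the server name to match (the "expected owner name" the comment refers to).
# Pointing ca_cert at the organization's own CA file rather than the OS
# bundle means only that issuer can vouch for the server.
network={
    ssid="campus-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="assumed-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/example-edu-ca.pem"
    domain_suffix_match="radius.example.edu"
    # Older supplicants that lack domain_suffix_match can use one of:
    # subject_match="/CN=radius.example.edu"
    # altsubject_match="DNS:radius.example.edu"
}
```

The same two options (a pinned CA and a name match) are what the "check the box and type in the owner name" dialog on a desktop OS sets under the hood; on a supplicant that offers neither, the comment's advice to keep that OS off the EAP network is the only remaining control. For an EAP-TLS deployment the client block would additionally carry client_cert and private_key, which covers the client-side certificate the second comment mentions.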

WPA2 Wireless Security Crackable With "Relative Ease"

skids Re:MAC filtering and PSK (150 comments)

MAC filtering should only be used as a herd immunity measure: people who don't update their AV are less likely to find it easier to spoof an existing MAC address than they find it to register in a captive portal and download their updates before they are allowed in.

about a month ago

WPA2 Wireless Security Crackable With "Relative Ease"

skids Re:why crack my Wi-Fi (150 comments)

Try to have an effective browsing experience with port 80 blocked.

about a month ago

WPA2 Wireless Security Crackable With "Relative Ease"

skids Re:why crack my Wi-Fi (150 comments)

WPA2 keeps the neighbors from eating mah bandwich?

Try "it keeps people from injecting exploits into your computer by impersonating web servers." Be glad you enabled it.

about a month ago

Submissions


MA "Right To Repair" initiative still on Tuesday ballot, may override compromise

skids writes  |  about a year and a half ago

skids (119237) writes "MA voters face a complex technical and economic question Tuesday about just how open automobile makers should be with their repair and diagnostic interfaces. A legislative compromise struck in July may not be strong enough for consumers' tastes. Proponents of the measure had joined opponents in asking voters to skip the question once the legislature, seeking to avoid legislation by ballot, struck the deal. Weeks before the election they have reversed course and are again urging voters to pass the measure. Now voters have to decide whether the differences between the ballot language and the new law are too hard on manufacturers, or essential consumer protections. At stake is a mandated standard for diagnostic channels in a significant market."

House Panel Approves Bill Forcing ISPs Log Users

skids writes  |  more than 2 years ago

skids (119237) writes "Under the guise of fighting child pornography, the House Judiciary Committee approved legislation on Thursday that would require Internet service providers (ISPs) to collect and retain records about Internet users’ activity. The 19 to 10 vote represents a victory for conservative Republicans, who made data retention their first major technology initiative after last fall's elections. A last-minute rewrite of the bill expands the information that commercial Internet providers are required to store to include customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses. Per dissenting Rep. John Conyers (D-MI): 'The bill is mislabeled ... This is not protecting children from Internet pornography. It's creating a database for everybody in this country for a lot of other purposes.'"

CIA drones may have used illegal, inaccurate code

skids writes  |  more than 3 years ago

skids (119237) writes "Coders hate having to rush code out the door before it's ready. They also hate it when the customer starts making unreasonable demands. What they hate even more is when the customer reverse engineers the product and starts selling their own inferior product. But what really ticks them off is when that buggy knockoff product might be used to target military unmanned drone attacks, and the bugs introduce errors up to 13 meters. That's what purportedly happened to software developer IISi based on an ongoing boardroom/courtroom drama that will leave any hard-pressed coder appreciating just how much worse their job could get. The saddest part? The CIA assumed the bug was a feature. The tinfoil-hat-inducing part? The alleged perpetrators just got bought by IBM."

Hacking Big Brother with help from Revlon

skids writes  |  more than 3 years ago

skids (119237) writes "All those futuristic full-face eyeliner jobs in dystopian cyberpunk fiction might not be that far off the mark. A New York University student spent his thesis time exploring computer vision technology (OpenCV) for ways in which one could confound first-stage algorithms that initially lock onto faces. Then he mixed in a bit of fashion sense to predict future geek chic. Now, whether you want to go for the coal-miner look just to stay out of the data mine, that's up to you..."

Digital Photocopiers Loaded With Secrets

skids writes  |  more than 3 years ago

skids (119237) writes "File this under "no, really?" CBS news catches up with the fact that photocopiers, whether networked or not, tend to have a much longer memory these days. When they eventually get tossed, very few companies bother to scrub them. Coupled with the tendency of older employees to consider hard-copy to be "secure", and your most protected secrets may be shipped directly to information resellers — no hacking required. "The day we visited the New Jersey warehouse, two shipping containers packed with used copiers were headed overseas — loaded with secrets on their way to unknown buyers in Argentina and Singapore.""

Journals

skids has no journal entries.
