Comments

Apple Locks iPhone 6/6+ NFC To Apple Pay Only

upuv Too Late for Aus (336 comments)

NFC has taken off in Aus in a big way. Most retail outlets have terminals that take Paypass/Tap&Go (NFC payment brand names here), accepted across competing financial institutions. There is zero chance Apple will make any headway here asking retailers to forgo the already established infrastructure. Apple is also basically asking retailers to stump up money to install another payment network, given the existing network was no additional cost to them. Apple is making a mistake here. I don't think it will hurt them too much, but Apple Pay will certainly not be a reason for market share growth of the platform. The larger screens most certainly will give them some growth, but not this ridiculous shackle.

about 2 months ago

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

upuv Re:No Excuse really these days. (348 comments)

Do you mean the position that we need firewalls?

Yes, I was curious to understand the reasoning behind the position.

I would have thought that the need for firewalls was self evident.

The industry is full of bad, ultimately harmful ideas which see widespread adoption for locally optimal reasons. It is far from self-evident to me that firewalls do not fall squarely into this category.

You are stating that firewalls are harmful. What backs this statement up?

The smart devices we use today all tend to have a variation on mainstream OSes, all of which come with some form of host-based firewall. Thus the management of these devices from a firewall perspective is even easier. So much so that it is now possible for most marginally technical people to ensure they are properly configured, at least at the time of device activation / installation.

I think today anything claiming to be a "smart device" needs no firewall because it accepts no incoming connections. It operates by calling home to the vendor. If you want to access your "smart device" you connect to the vendor's server and ask nicely to please access your own gear. A mega ultra cloud firewall...!!1!!!!1!

More generally, I would be interested in understanding why a device with a specific purpose is more secure when it listens for commands through an internal firewall vs the same listener without? Is a Bluetooth headset more secure behind a Bluetooth firewall? Perhaps a concrete example...

Smart devices do not only initiate connections. If you use a stock OS as a base for your smart device you are also accepting the fact that these devices will also implement service listeners. You may have a crack team of coders that does a very good job of inspecting each service and only allowing the bare minimum and none that have rogue listeners. But your developers are not always able to review each line of code that is used in patches moving forward. Things change. And they should change. As things improve a good vendor will patch these devices. So where am I going to invest my effort? I'm going to invest effort into making sure my product works perfectly. If I spend a tiny amount of time ensuring that things are blocked with a firewall I don't have to worry if some changes in apps and services that I'm not in total control of all of a sudden have listeners. I could care less if the firewall is blocking them. This means I'm investing far less effort into ongoing maintenance and getting the same secure result. Easy win for me.

The interesting thing is you do have a firewall on Bluetooth. You do if you use Bluetooth to carry IP traffic. This is of course if you use a firewall. So yah, you are more secure from bad Bluetooth devices if you have a firewall.

Why do you feel firewalls are effective? There seems to be an implicit assumption that firewalls are effective... what makes that true?

What if all the world's firewalls were thrown in the trash heap and in their place systems were configured to accept only authenticated, authorized, integrity-protected, encrypted inquiries from acceptable locations?

Would that world have better or worse security outcomes than today's world? I think, no question, it would be better.

No more making security decisions by ports and trivially spoofed address headers, or checking worthless boxes on a compliance chart, only to have the whole house of cards collapse when Debbie in accounting clicks on the wrong untrusted email message with a spoofed from header.

Instead of administrators configuring ports and addresses in firewalls what if they instead spent that same time managing the only thing that means squat in a secure system ... TRUST

It is not like the technology does not exist. People ignore it because it is easier to hide behind their precious firewalls. So they allow it and by extension allow their suppliers to continue to supply them with crap.

So how do you think acceptable locations are defined in this age? It's usually the firewall. It's almost always the firewall. Authentication and authorization are a different part of the comms stack.

Firewalls are not the be-all and end-all of protection. They are a part of the protections you should have in place. No one should ever feel completely safe with only a firewall. But you can feel safer with one. So Debbie does download a bad file. And the file goes nuts. One of the common things these trojans do is they start to test other devices on the local network looking for more holes. Well, if you do have firewalls in place this attack vector is stopped. Debbie's machine is still probably cooked. Your file shares are probably toast. But direct access to local machines is protected. Again, this is only part of the solution. Corp AV software should also be present on all nodes, intercepting viruses when they do start to infect things. And so on.

All of my builds have firewalls. It really is a no-brainer. It costs me nothing in cash, time, or effort. I'm also religious about SSL, which is far harder to enforce. I also enforce design patterns that use APIs rather than RPC metaphors. All payloads that exit my applications are scanned for viruses, aka anything that hits disk. In addition to all this I try to use NoSQL over SQL stores, which mitigates most of the SQL injection issues.

There are a lot of bad trends in tech. Being security conscious is not one of them. Use the tools that are given to you to secure a system, simply because the people you hire are never going to be as smart as a globe full of resources that may want to harm you. Why not draw from this same pool of people to help secure your systems? Use firewalls. Use AV. Use IDS if you can.

Note: IDS is now starting to become mainstream. Thank goodness. Without it our home networks would be overrun in ms.

about 4 months ago

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

upuv Re:No Excuse really these days. (348 comments)

Do you mean the position that we need firewalls?

I would have thought that the need for firewalls was self evident. Especially in a business context. Even more so in this context where financial transactions are being processed.

The smart devices we use today all tend to have a variation on mainstream OSes, all of which come with some form of host-based firewall. Thus the management of these devices from a firewall perspective is even easier. So much so that it is now possible for most marginally technical people to ensure they are properly configured, at least at the time of device activation / installation.

How many times have we heard stories about POS terminals at places like McDonald's being compromised and the bad guys scooping tons of customer data? Far too many is the answer. These devices had little to no protection at all from would-be bad guys. Simple protections put in place like firewalls go a long way to addressing these vulnerabilities. Are they perfect? Of course not. But they are a lot better than having nothing. Today these protections can be implemented in a manner that has almost no impact on how people do business. Which means that when implemented correctly they will not cause any additional labor on the part of the end user in order to ensure that they remain secure.

Since it causes no or very little impact on the way you do business, why wouldn't you implement these simple safeguards?

Data breaches and losses are a significant threat to companies. Small ones more so than the large ones. Small companies fold when bad things happen. It's a trivial insurance policy that shockingly very few actually implement.

about 4 months ago

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

upuv No Excuse really these days. (348 comments)

I do a ton of infrastructure builds. From a few boxes to 1000s of VMs. There is no excuse for no firewalls.

If a vendor is disabling the firewall then they should absolutely be approached. If the clown you are talking to says that's the way it's done then go over his head. Tell your boss.

Be gentle of course. Doing the run-around-my-hair-is-on-fire dance is not going to win anyone over.

You can even help the vendor. There are a ton of tools for all OSes that will help you determine the ports that need to be open. Simply run up the software and scan the open ports. Tada, you have a simple set of firewall rules at least. Are they perfect? Of course not; they can be improved on. But it's something at the very least. I'm not overly a fan of point-to-point rules in firewalls as they are self-defeating in the long run. (This is a longer story.)

So yes host firewalls should always be enabled. And the rules you use better be documented.

about 4 months ago
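
The port-inventory step described in the post above, as an added example that is not the poster's code: it turns the listening-socket list from `ss -ltn` into a default-deny nftables input chain, one accept rule per externally reachable port, skipping loopback-only listeners. The `ss` output embedded below is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (TCP listeners on a freshly started
# vendor box). Not a real capture; it stands in for `ss -ltn` run on the host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      100    *:8080              *:*'

# Read `ss -ltn` output on stdin and print a minimal nftables ruleset:
#   - default policy drop on the input hook
#   - loopback and established/related traffic allowed wholesale
#   - one accept rule per externally reachable listening port (de-duplicated
#     across IPv4/IPv6 sockets on the same port)
# Sockets bound only to 127.0.0.1 or [::1] get no rule; `iif lo accept` covers them.
gen_rules() {
  awk '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "127.0.0.1" || host == "[::1]") next
      if (!(port in seen)) { seen[port] = 1; ports[++k] = port }
    }
    END {
      print "table inet filter {"
      print "  chain input {"
      print "    type filter hook input priority 0; policy drop;"
      print "    iif lo accept"
      print "    ct state established,related accept"
      for (i = 1; i <= k; i++)
        printf "    tcp dport %s accept\n", ports[i]
      print "  }"
      print "}"
    }'
}

# Ruleset for the constructed sample: accept rules for 22, 443 and 8080 only;
# 5432 is bound to loopback and gets no rule.
rules_for_sample() {
  printf '%s\n' "$SAMPLE_SS" | gen_rules
}

# On a real host: ss -ltn | gen_rules > /tmp/baseline.nft, then review every
# accept line against what the application actually needs before `nft -f`.
```

The generated file is a starting baseline, exactly as the post says: each accept line still has to be justified and documented, and the port list must be re-checked after every vendor patch.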

Ask Slashdot: Unattended Maintenance Windows?

upuv Re:Puppet. (265 comments)

This pattern only works for single nodes.

If you have a complex infrastructure you can't rely on this pattern alone.

about 4 months ago

Ask Slashdot: Unattended Maintenance Windows?

upuv Re:Puppet. (265 comments)

Puppet is not orchestration. This problem is an orchestration problem. A very simple one but still orchestration.

Puppet is declarative, which can mean it has no order to events. Most people make use of some screwball dependency chain in Puppet, giving the illusion of orchestration.

Use something like Ansible if you want to orchestrate a change.

about 4 months ago

GoDaddy Files For $100 Million IPO

upuv Go-Daddy Bottom Feeder (110 comments)

This company has been a lowbrow bottom feeder since the beginning.

At first glance the pricing looks OK. But soon you realize you are fenced in. You find out your domain is held hostage by lack of features. Features that are ransomed off.

Buying Go-Daddy is purely a speculative exercise that is not backed by history or sane projections.

about 6 months ago

Perl 5.20 Released, and Mojolicious 5.0: the Very Modern Perl Web Framework

upuv Post Fix dereferencing about time. (126 comments)

I was very active back in the early days of 5.0 development. I fought for this and lost.

I always struggled with the nonsensical @{} ${} ..... style. It was difficult to mentally process. Long chains of dereferencing would be especially complicated.

I'm very pleased to see this finally make it in.

about 6 months ago

Cisco Complains To Obama About NSA Adding Spyware To Routers

upuv Re:Hypocritical (297 comments)

Can't help myself here. Using ridiculous reverse logic of a TV intelligence interrogator.

So you are admitting that you are aware of Chinese back doors that are not currently known about by legitimate parties?
Tell me what you know of these back doors.
And tell me how we can use them.

about 6 months ago

Cisco Complains To Obama About NSA Adding Spyware To Routers

upuv Re:Hypocritical (297 comments)

How do you think the NSA found the Chinese back doors?

Kind of a duh moment, don't you think?

about 6 months ago

Canadian Teen Arrested For Calling In 30+ Swattings, Bomb Threats

upuv Re:bleh. (350 comments)

And that just teaches the kid that there are no consequences. Dumb kids need to be punished. They need to be seen paying for the crime themselves. Their peers need to see that Jimmy in their class went to jail for a year because he was acting like a twit and caused some serious harm.

I also feel that the US would over penalize the kid.

about 6 months ago

Canadian Teen Arrested For Calling In 30+ Swattings, Bomb Threats

upuv Re:Good, but... (350 comments)

If it's something like a bomb threat or a hostage taking with weapons you don't really have much choice. It's clear the area ASAP.

People don't call in a SWAT saying, "I'm having a bad day and I'm slowly filling my house with water till I drown," giving the police ample time to make decisions.

about 6 months ago

Canadian Teen Arrested For Calling In 30+ Swattings, Bomb Threats

upuv Re:Autoimmune disorder... (350 comments)

911 is not only accessible via standard phone lines and cell/mobile phones. Location tech only has 3 basic methods of locating you. Generally only the first is ever used. Most often, however, the 911 operator asks, "Where are you right now?"
1. Land line billing / install address.
2. Mobile phone GPS location. First, the police must have authority to activate GPS remotely. Second, the phone needs to have GPS. Not all phones do.
    2.1 Kind of a third method: cell tower location that the caller used. This takes a hideous amount of time to determine despite laws that say telcos must provide the capability, so it is generally not used. And this is horribly inaccurate.
3. Geolocation of the user's IP address. Horribly inaccurate, and police forces around the world are very slow to use this tech. Also, for example, if you have a 3/4G phone your IP address is usually geolocated at the telco company headquarters. This is not generally used for 911-type locations.

Remember the operator only has a few seconds to establish your location during an incident call. They tend to only fall back on location tools when the caller is unable to provide the address themselves. So if the caller says they are at a location then generally that is the accepted location for the incident.

In many jurisdictions around North America, and the world for that matter, you can place an emergency call via any number of means. You can text, email, tweet, skype, use a web form, etc. Note that most of the new forms of emergency notification come over the internet. Since it is painfully simple these days to make it appear as if you are coming from basically any spot on the globe with internet communications, a person can spoof their location with ease.

Note all of this does not mean they can't find the location of the caller. After the incident a wealth of information can be investigated and fairly precise locations can be determined. So don't take what I have said as an open ticket to SWAT. This case proves it's only a matter of time before you get nabbed.

about 6 months ago

China Using Troop of Trained Monkeys To Guard Air Base

upuv Re:180 nests gone, at 6 nests/monkey/day? really? (119 comments)

You forgot that from the total number of monkeys you must subtract those monkeys involved in:
- HR
- Project Management
- Engineering
- Catering
- Procurement

Once we do this it's clear that the actual number of monkeys involved far exceeds those quoted. The Chinese are clearly fudging the numbers to make the project appear to be viable.

about 7 months ago

Not Just a Cleanup Any More: LibreSSL Project Announced

upuv Re:Please don't (360 comments)

SSL is the standard.
OpenSSL is an implementation.
LibreSSL is an implementation.

The standard isn't forked.

In this instance the standard mostly applies to the protocol. The on-system interfaces will most likely mutate rather quickly, most specifically at the user interaction level. The library interfaces will most likely remain steady.

This isn't a bad thing.

SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people, so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Goodbye 300 passwords. But since no two people can build two independent systems that truly trust each other there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

about 7 months ago

Most Alarming: IETF Draft Proposes "Trusted Proxy" In HTTP/2.0

upuv Unfortunately it only takes one to abuse this. (177 comments)

This is a laughably bad idea.

This will be abused the instant it hits code. The temptation is too great. This will sink the adoption of HTTP 2.0, and 1.1 will live for a far greater time.

With all of the news around man-in-the-middle attacks I just can't believe this will be a feature.

This needs to be amended. I can see trusted chains, where you would trust a chain from end to end, with each node in the chain being able to cache, but just the proxy?

about 9 months ago

Ask Slashdot: Should Developers Fix Bugs They Cause On Their Own Time?

upuv It's outlined in the contract. (716 comments)

There are a few types of basic contract.

If you are a full-time employee:
- The employer pays for time and materials. No matter what the cause of the bug was, the employer absorbs the costs of its own mistakes.

If you are a contract employee on a Time and Materials contract:
- This is virtually the same as full time. The customer in this case pays for everything including bug repair.

If you are on a contract to deliver a service or product:
- Well, now the contract owner is responsible for paying for all errors that fit within the bounds of error as outlined in the contract.

There are a few variations on the above. Usually there are caps on all contracts to prevent excess expenditures. Things like T&M that can only reach X amount ever.

about 10 months ago

Linux 3.13 Released

upuv Re:configuration languages (141 comments)

A firewall in a sandbox?

Do you see the issue here?

Sandboxes are good for consuming applications. The firewall is not a consumer. It's a part of the command and control chain. It's at the heart of the system. Sandboxing the kernel is self-defeating, as it's the kernel and everything spawns from it. So you can't really protect your child processes if your kernel is compromised.

about 10 months ago

Submissions

Comcast bandwidth throttling, US vs Aus.

upuv upuv writes  |  more than 5 years ago

upuv (1201447) writes "Yet another chapter in the story of Comcast Throttling users.

http://www.neowin.net/news/main/09/01/06/comcast-bandwidth-throttling-effective-in-all-markets

Snippets:

Comcast is fighting back against what it calls excessive bandwidth users. The company confirmed that it has successfully deployed throttling technology to all its markets. Comcast claims that the technology is to help make everyone get the same experience and have equal opportunity to the bandwidth. ....

On top of this throttling technology Comcast has also placed a 250 GB monthly cap for all users. If you exceed the 250 GB monthly cap your account can be terminated and you can be banned for using the Comcast service for up to one year. ....

--------------
As an Australian I personally would love to be able to have a cap of 250Gig. Here we can typically only get at max 60Gig. (Of course you can pay a fortune and get more.) I can't feel too bad for these customers, as the US bandwidth plans blow our plans down under away for value for your money.

Here is an example of the plans we can get.
http://bc.whirlpool.net.au/bc/?action=search&exc=1&state=nsw&class=0&type=res&cost=100&pre=3000&conntype=1&conntype=4&conntype=5&speed=2048&upspeed=0&contract=99&needhw=no&upfront=999999

As you can see, the Aussie plans suck in comparison to what we can get from even Comcast."

Journals

Virtual What the Who's it's?

upuv upuv writes  |  more than 5 years ago

I've been an IT professional for as long as the term IT professional has existed. I work in Enterprise. I work with Telcos, Banks, Entertainment, the lot.

Can some one please fill me in on where the money is in virtual / cloud computing?

18 months ago if your project didn't have something VM it didn't see the light of day. I have yet to see a project that had a cloud component.

Now I'm making stupendous amounts of money de-constructing VM anything. Take the silly little app housed in a VM of flavor XYZ and replant it on a native OS. Oh gee golly, they run faster and more predictably. (Sorry, I don't take any work involving .NET, C# or anything MS. Yes, I'm a bigot.)

Seriously. Is the VM hype finally over? I bloody well hope so. It's as ill-founded as Bush's economic policy.

Alien Life and its mutual toxic effect

upuv upuv writes  |  about 6 years ago

Just a random thought.

While looking at the stars tonight this came to mind.

If we were ever to encounter complex alien life does it not seem obvious that we would poison each other?

Given that we have evolved, gradually or in spurts, in order to improve our chance of generating future generations, is it not natural to believe that we also evolve such that we are more resistant to threat by acquiring resistance and defense to threat? Such defenses would include those of a toxic nature, since some of those defenses would also include a toxic component. For example, we as humans have an immune system that aggressively attacks threats, thus toxic to the threat. Now our personal defenses would have evolved as a direct reaction to the threats presented to us over the eons. Thus the complexity of our defenses would both be quite elaborate and in itself aggressive. But at the same time it would be a counterpoint to the other biology around us.

Now say an equally complex life form (or forms) had evolved in a completely alien environment. It is equally likely that these life forms would have evolved in a similar fashion, however most likely taking several evolutionary branches that our world did not, or deemed evolutionary dead ends.

If those two complex biologies were to mix, does it not seem likely that we would kill each other by simply coming into contact? Of course there would have to be sufficient amounts of each biology to result in mutual death. An alien microbe has less of a chance of killing us in this manner as compared to a complex life form of such mass to be anywhere from mite size to elephant size (to pick two easy to relate to volumes), as the single microbe would have very little success against a comparative mountain of domestic biology attacking and consuming it.

To me this seems obvious at the moment.

If this proposition is true, then does it not seem likely the reason that we have not been contacted by alien life is that simply because our world is a big ball of plague? Thus why bother with taking to the sentient bags of salt water fresh from the primordial stew!

What will happen if Windows 7 Tanks as bad as Vista?

upuv upuv writes  |  more than 6 years ago

As it is clear to even the most remote Brazilian forest tribe, Windows Vista is a public relations nightmare.

Will Windows 7 suffer the same fate?

Will Microsoft survive if Windows 7 results in a puppy skid mark on the carpet?

Why hasn't Firefox 3.0 been trashed in media?

upuv upuv writes  |  more than 6 years ago

Usually a highly public software release like Firefox 3.0 is trashed by someone somewhere.

With Firefox 3.0 I have seen very little bad press if any. Is Firefox 3.0 that good that it doesn't justify bad press?

I personally love it. Best software release of any product ever. It works great on every platform I care about.

So are there any bad things about Firefox 3? Stuff that simply is wrong?
