Slashdot Mirror


User: mlts

mlts's activity in the archive: 0 stories, 5,534 comments.

Comments · 5,534

  1. Re:What a concept! on Chinese Legislature Conducts Large Online Vote · Score: 1

    There are some fair ways to do the voting, and decently secure too. However, it depends on how much anonymity you want in the voting process. If anonymity doesn't matter, you can have the government send each citizen a form with two scratch-off blanks. One is for yes, one no. Then the person goes to a Web page that asks for a number, and the person types in the number matching yes or no. Said pair of numbers are random and unique, so only the vote counters would know what the numbers actually meant (yes or no). Anyone between the voter and the vote counter without the reference list would have zero clue, and because the principle behind this is essentially the same as a one-time pad, there is zero way to figure out which number meant what vote, unless the random number generator was not truly random.

    If being anonymous is a concern, maybe the simplest ways are the best... have polling booths and after identifying that the user can vote, have the user be given a key. He turns it in one lock, it releases a black ball into a big pile. The other lock releases a white ball. The key is turned back in, the "voting booth" is reset so the voter's key can be used again, and the next person is handed the key. The only information that a voter leaves is if a white or black ball was dropped signifying yes or no, and barring cameras, there is really no way to show who voted for what.

  2. Re:Just for rioting? Seriously? on Using Crowdsourcing To Identify Vancouver Rioters · Score: 2

    Very wise statement. Government is a two-way street. If intelligent people don't play a role, dumb, psychopathic/sociopathic people will take up the banner and run with it.

  3. Re:TrueCrypt on Ask Slashdot: Tools For Linux Disk Encryption and Integrity? · Score: 1

    What I find ironic is that Google has not included this with Android, as it is the perfect tool for securing data on SD cards.

  4. Re:TPM - no thank you on Ask Slashdot: Tools For Linux Disk Encryption and Integrity? · Score: 1

    In the past, this might have been an issue, but virtually every x86 server and server motherboard out there comes with a TPM present, although disabled and unowned.

    Yes, it can be used for DRM, but since the functionality is there, might as well use it for good, and to ensure that a machine hasn't been tampered with, and that the MBR is intact.

    Another use for it is a secure keystore for public/private keypairs. For example, for code signing, you copy a public/private keypair into it (keeping a backup in a secure, offline place), and if someone compromises the box, they can sign stuff but do not have access to the keypairs.

  5. Re:TPM - no thank you on Ask Slashdot: Tools For Linux Disk Encryption and Integrity? · Score: 1

    That is, you have a recovery password or keyfile saved off on a USB flash drive. Same procedure as with BitLocker.

    The TPM is an advantage, an option in addition to the usual typed-in passphrase. I wish other operating systems would take advantage of it, and not just Windows, because it brings with it some good security functionality.

  6. TPM, please? on Ask Slashdot: Tools For Linux Disk Encryption and Integrity? · Score: 1, Interesting

    It would be nice to have a TPM based authentication system as an option. This way, a Linux server can grab a memory image, have the hash of that passed to the TPM, and if unchanged, the boot process continues.

    Add a PIN to the process, and the TPM will start denying access after a certain amount of missed tries, so brute forcing a filesystem key isn't going to happen.

    This way, someone pulling disks, or booting the server from other media will be unable to decrypt the machine.

    Essentially, BitLocker functionality (which admittedly is very good).

  7. Re:Ubuntu One on Open Source Alternative To Dropbox? · Score: 1

    It depends on how much security you want. If a person has two servers with full disk encryption present, both servers located in separate areas, and one server is the one that replicates data via rsync over ssh to the other, this can be a secure and fairly reliable solution, although it doesn't factor in long term backups. Long term backups can be addressed by having a tape drive that supports encryption in hardware and doing basic hygiene when it comes to backups (tape rotations, off-siting media, etc.). On the cheap, backups can be done by using external 2.5" drives (ones that don't need a power supply) and rotating them in and out.

    This isn't as easy to use as a cloud provider, but at least by packing your own parachute, you know that an attacker would have to seize physical access to your boxes, then do some advanced forensic work in order to access your data, as opposed to a cloud provider, where you will never know if an attacker's access to your files could be just a chdir away.

  8. Re:TrueCrypt on Open Source Alternative To Dropbox? · Score: 1

    I wish KeePass supported keyfiles on both the iPhone app and the Android one. This way, one can have the key file manually copied to each device (and stored securely) while the password database is accessible by any device while an attacker who snarfs it will have to run brute force guesses against the entire 256-bit keyspace.

  9. Re:TrueCrypt on Open Source Alternative To Dropbox? · Score: 1

    I use that on local machines with file wiping to ensure confidential data stays that way. However, when you open a file, it decrypts it. So, if you store it on DB, for a while, DB will have a version of your file in plaintext.

    If I were to recommend a solution, I would recommend TrueCrypt volumes (preferably using a keyfile). If TC can't be used, then on a Mac, use an encrypted sparse bundle filesystem (since it uses 8MB bands), or EncFS on Linux. An attacker may be able to figure out a file's approximate size with EncFS, but almost nothing else. In fact, it befuddles me that EncFS isn't part of Android because it would address the file encryption issue that keeps Android phones from being taken seriously in the enterprise.

  10. Re:TrueCrypt on Open Source Alternative To Dropbox? · Score: 1

    I would be leery about that. Most people don't use a passphrase large enough to seriously resist brute force attacks (20 characters minimum is what TC recommends). Plus, even encrypted data is still useful, because an adversary can brute force it at their leisure when stored remotely. Keeping the passwords stored on a device that would require physical access gives a lot better security and keeps the baddies from getting access in the first place.

  11. Re:this is great for law enforcement on Apple Patents Tech to Stop iPhones Filming in Venues · Score: 1

    This isn't to say that a criminal wouldn't use this in places where the main photographs taken would be pictures from phones.

    All I'm stating is that it will become a standard part of a criminal's attire, with the ski mask and gloves. It won't stop everything, but if it keeps Joe Witness from snapping shots with his smartphone, the criminal is successful.

  12. Re:this is great for law enforcement on Apple Patents Tech to Stop iPhones Filming in Venues · Score: 1, Insightful

    Actually, when will crooks start wearing the camera-stopper device? I'm sure people robbing a 7-11 wouldn't want to be spied on by random passersby.

    When technologies like this get out there, it won't just be the PD that uses them, the crooks will be using them too, so there is no footage at a murder scene.

  13. Re:Not "remedies". on McAfee CSO Issues Warning On the 'New Cold War' · Score: 1

    It shouldn't be too difficult to keep hashes of an OS's executables and libraries, even with the updates coming out. Probably easier than trying to keep abreast of new signatures of malware.

    Of course, software not aware of what programs should hook into a machine might cause startup items like the HP printer driver stuff and reminders of having to buy ink to go away, but I'm sure most users would rather have disabled startup items than missed items which contain malware.

    Essentially this would be a "gritty reboot" of the old shareware program called Integrity Master that would boot from a floppy, scan a volume, then store the signatures on another floppy, making it impossible for the potentially infected OS to attack it. Add some Registry checking and this would be a useful utility for delousing most machines. The only caveats are if it pulls a driver that it doesn't know about that might be used for RAID, or WDE.

  14. Re:The last person I'd take advice from... on McAfee CSO Issues Warning On the 'New Cold War' · Score: 1

    I have ended up deploying McAfee on IBM and Oracle hardware. Not that AIX gets viruses (other than the directory that is shared via CIFS with the Windows boxes), but that it allows me to tick off a check-box saying "all computers, regardless of OS, have ICSA labs certified antivirus software running on them."

    In this case, McAfee does the job well.

  15. Re:It's the Golden Age because it Will End Soon on Is This the Golden Age of Hacking? · Score: 1

    We already had the great punishment for cattle rustling. The end result is that it left the US government with the inability to find whitehats, much less blackhats that are loyal.

    Operation Sun Devil forever changed things. Before that, a good blackhat might have taken a job with the USG for patriotic duty. After that, and the fact that there was the fear that anyone who showed skillz would be caught up in a possible witch hunt, pretty much nobody would offer help in manning defenses for fear they would be tossed to the wolves the next time someone wanted to see some arrests done.

    This has been done, and this is part of why American companies are paying the price. In other parts of the world, armies have their blackhat squads and actually have as much prestige as the guys on the ground with the rifles.

    If another pogrom against "hackers" happens, where some guy who finds a link not indexed by Google gets 20-life in a PMITA prison, it means the real blackhats will never be of assistance to the US.

    Unlike horse thieves, if you have a clue, it isn't too hard to cover tracks. Take the people that were caught recently for "hacking". The guy who got into Palin's account used a VPN service (which was more than willing to spill the beans). Had the guy used an offshore VPN, or just used a wireless network while sitting in a van, he would never have been caught. Politicians will feel good going after the low hanging fruit, but it will cost them dearly in the long run.

    Also, one can look at criminal groups that form when laws banning stuff get passed. Prohibition brought us the mafia. The "war" on drugs has brought us gangs who possess actual tanks that put M1A1s to shame. Laws against "hacking" will just mean that hacking groups will form that will besiege US and European companies on a daily basis without mercy.

    It can be foreseen that the hacking groups could end up making deals with the drug cartels and criminal gangs, for both their mutual benefit. For example, a drug cartel would end up with the GPS coords of every single policeman in a district in real time, as well as the names and addresses of every LEO's family member. In return, the blackhat group would get a portion of the take of any home invasion done.

    We already have enough criminal elements from prohibition, and the war on drugs. Imagine what a "war on hackers" would bring down on us.

  16. Re:Not "remedies". on McAfee CSO Issues Warning On the 'New Cold War' · Score: 1

    Bingo. I want to see an AV program that includes a bootable DVD, and can not just do an offline check for viruses and malware like the stinger.exe, but do serious heuristic checking. Some executable not Authenticode signed that is a Windows system file? Flag it, and optionally ask for install media to fix it after the executable is saved to a quarantine area. Another executable with a different SHA-512 hash than what is in the original copy of Windows, or subsequent patches? Move it aside and replace it with a known uninfected copy. Files and folders with an unknown alternate data stream that is not from a known application? Quarantine a copy of the object, strip the ADS info, and call it done.

    Then go for the disk. First check the disk for reserved/read-only space; MBR malware isn't tough to spot. Checking for a part of the HDD marked read-only on a low level is a good idea. Then check partitions and such.

    Then comes the Registry. Not just an option to bump off known malware out of any crevice it can hide in to start as a driver or utility, but an option to rip everything out except the known Windows programs that need to start. This way, even if a rootkit buries itself as a filesystem driver, it will not run on subsequent bootup. If the offline AV scanner detects a rootkit that encrypts the HDD, either have a means to decrypt it, or a way for the user to recover data.

    After that, comes the user profiles. If malware just runs as a user, it can win the game, so cleaning out Web caches, unhooking unfamiliar browser add-ons, and disabling startup of code in the user's hidey-holes will ensure that the user logs into a clean box.

    For Joe Sixpack, the offline AV program could be bundled with an external HDD. Then, it could boot into "automatic clean" mode, make an offline image of the machine in case of problems, and start removing stuff that would be hidden by rootkits normally. Of course, the chance of false positives exists, so that is why stuff would be quarantined and snapshots taken, so the whole system can be rolled back.

    What is ironic is that the only full featured (stinger.exe isn't really that full featured) A/V protection I know of which works on a disk level is the plugin that works on EMC SANs, where the SAN itself can scan for viruses and rootkits, even if the machine can't see the malware on its presented LUNs.
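The baseline-hash idea from comments 13 and 16 (record SHA-512 digests of the system's executables on separate media, then check the tree offline) as an added example, not code from the original comments or from any product named above. File names, contents and the "tampering" steps in demo() are constructed; the manifest is written to a second directory standing in for the separate media.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large binaries never sit in memory whole

def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-512."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links; a link is not the file it points at
            baseline[os.path.relpath(full, root)] = sha512_file(full)
    return baseline

def save_baseline(baseline, path):
    # Write the manifest to separate media (read-only or offline), never onto the
    # volume being checked; sorted keys give a stable file that can itself be signed.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def verify(root, baseline):
    """Compare the tree under root with the stored baseline.
    modified: recorded file whose digest changed; missing: recorded file now gone;
    unknown: file present now that was never recorded. An offline scanner would
    quarantine 'modified' and 'unknown' and restore from known-good media."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unknown": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline three 'system files', then alter one,
    delete one and drop in a new one before re-checking."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(disk, "system32"))
        for rel, data in {"system32/kernel.bin": b"K" * 4096,
                          "system32/shell.exe": b"S" * 1024,
                          "boot.ini": b"[boot]\n"}.items():
            with open(os.path.join(disk, rel), "wb") as f:
                f.write(data)
        manifest = os.path.join(media, "baseline.json")
        save_baseline(build_baseline(disk), manifest)
        # Simulated changes after the baseline was taken
        with open(os.path.join(disk, "system32", "shell.exe"), "ab") as f:
            f.write(b"\x90" * 16)                      # modified
        os.remove(os.path.join(disk, "boot.ini"))      # missing
        with open(os.path.join(disk, "system32", "dropper.dll"), "wb") as f:
            f.write(b"D" * 64)                         # unknown
        return verify(disk, load_baseline(manifest))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run on a real volume from boot media, the same verify() output is what drives the "move aside and replace" and "quarantine" steps described above.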

  17. Re:No clue on EU Ministers Seek To Ban Creation of Hacking Tools · Score: 1

    Here in the US, we already had that happen. ITAR classified cryptosystems as munitions, and the same criminal penalties applied back then as exporting nukes.

    Same crap all over again... we had discussions of exactly this on the cypherpunks list in the mid 1990s. The only difference was that the Four Horsemen of the Infocalypse were theories for the most part, not something happening in reality.

    Sad thing is that pulling "hacking tools" will not stop the intrusions. They will still happen -- only the whitehats will be punished.

  18. Re:Why lock it? on The Most Common iPhone Passcodes · Score: 1

    Same here. If a phone is lost, remote wipe it ASAP, then call the telco to zap the SIM and put the IMEI of the device on the stolen list.

    Where I live, the phone likely would be on eBay within minutes of being found, or within hours as parts (it is likely that the thief will just disassemble it, and sell the parts for as much, if not more than the entire unit, and not have to worry about serial numbers.)

  19. Re:Useful for audiophile pirates, though on Music Pirates Won't Rush To iCloud For Forgiveness · Score: 1

    The first part sort of makes sense, especially on media which may get corruption over time. However, this is exactly why we need filesystems like ZFS which can detect bit rot rather than allow a file to have bits flipped at random. This, plus some ECC and plenty of good old fashioned backups will completely take care of this "digital dust".

    I'll just ignore the second part of turning HDDs upside down.

  20. Re:Useful for audiophile pirates, though on Music Pirates Won't Rush To iCloud For Forgiveness · Score: 1

    This is something I have never understood. Why do audiophiles use expensive stuff of dubious use? Instead, why not just use the pro studio offerings?

    A pair of high end monitors have excellent clarity and response. Yes, they are flat across the board, but if someone wants the "tube sound", that is easily added in via a unit, stomp box, or other device. Same with amps. Why bother with an "audiophile" one when you can get a pro model made to be used with obnoxiously high digital bitrates?

  21. Perfect storm actually... on Is This the Golden Age of Hacking? · Score: 5, Informative

    There are a lot of reasons for this to be an age of intrusions galore:

    1: Corporate philosophy. I mention this often, but it is very true -- security is a cost center, so in a lot of firms, it gets hind teat in the budget.

    2: Ease of getting away with intrusions. Got a botnet? Just create some PPTP/L2TP connections and you can manually try breaking into machines and one can either not be traced, or have the blame shifted to another party. Especially if the intrusions come from a country that is disliked.

    3: Lack of international cooperation. All it takes is one proxy to be in a country that doesn't like another, and there is no way an intrusion can be traced, much less prosecuted.

    4: Lack of meaningful security tools. A lot of the tools used in businesses are all sizzle, and not much steak. Take AV programs. They are great at catching last week's stuff. However, most attacks are polymorphic 0-days that just zing past AV program detections.

    5: Ease of infecting via ad rotation services. Ad rotation services can sling malware without ever getting caught because people will blame the website, not the servers slapping the ads on it. The same ad servers that can target by demographic can target a company and just that company for malware.

    6: Using the Internet for all traffic. In the past, there were backbones that were not accessible to anyone that transactions ran across. Now the same wire that gets pr0n to Joe Sixpack also carries bank data and transactions.

    7: Failure to use basic security protocols in password storage. Hell, crypt(3) is better than most ways passwords are stored. The best thing is to look at known secure utilities like TrueCrypt and follow their example.

    8: SQL injections and parametrized queries. Simple stuff, but because a lot of dev projects just want a code base regardless of bugs, this stuff gets ignored until the breaches start.

    9: No real network security. A firewall doesn't cut it anymore. Instead, companies have to use VLANs and keep departments separated. This way, a compromise in receiving doesn't mean finance or HR is pwned too.

    10: Legacy protocols. FTP (other than anonymous FTP), telnet (except for use for debugging), and other insecure protocols need to either be limited via packet filtering mechanisms and router ports, or eliminated altogether. Instead, if two machines need to share data, have them use a LUN presented to them and a filesystem that allows for this.

    11: Lack of internal policies and procedures. Security isn't just clicking "secure mode" on an appliance and walking off. There needs to be a process if someone calls in from an internal line demanding info, or someone physically is picking a lock.

    12: Separation of duties and data. This is relatively expensive, so it tends not to be done, and the same server with the source code build may have the HR payroll data. This makes for a field day for an attacker.

    13: Chain of custody of data. Either the machine it sits on is properly secured, or the data is stored encrypted with proper key management. For example, some enterprise level backup programs have data encrypted at the client end, and only that end has the key. This way, if the enterprise backup server gets compromised, the data can be destroyed, not accessed or modified.

    14: Morale. Morale is so easily forgotten, especially with companies that do the low bidding among the last 3-5 candidates. High morale means people are proactive on security. Low morale means people will ignore breaches assuming they won't be thrown under the bus.

    15: Cloud computing. There is no benefit for a cloud provider to give anything but token gestures for security financially, so one is begging to be compromised unless there is solid encryption with good key management done before the data leaves the client. Even then, blackhats can have free and unfettered access to the encrypted data and can detect patterns over time. SLAs are meaningless; a cloud provider can change hands or go bankrupt and all the privately stored data can be made into a torrent or sold to anyone with cash.

    Because most businesses pay lip service at best to security, it is no wonder why blackhats are having a field day.
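Item 8 above, as an added example that is not part of the original comment: the same lookup written with string splicing and with a bound parameter, run against a constructed in-memory SQLite table. The table, user names and inputs are made up for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample table; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    # Defect: the input is spliced into the statement text, so a quote inside it
    # ends the string literal and whatever follows becomes part of the query.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def find_user_parametrized(conn, username):
    # Fix: the statement text is fixed and the driver binds the value, so the
    # input is only ever compared as a string, quotes included.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    """Two inputs: a tautology that widens the WHERE clause, and a legitimate
    name containing an apostrophe, which the spliced version cannot even parse."""
    conn = make_db()
    tautology = "nobody' OR '1'='1"
    results = {
        "vulnerable_tautology": find_user_vulnerable(conn, tautology),
        "parametrized_tautology": find_user_parametrized(conn, tautology),
        "parametrized_quote": find_user_parametrized(conn, "o'brien"),
    }
    try:
        results["vulnerable_quote"] = find_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        results["vulnerable_quote"] = "error"  # broken statement: 'o'brien'
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The spliced version returns every row for the first input and throws a syntax error on the second; the bound version returns nothing for the first and exactly one row for the second.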

  22. Re:the iphone makes good passwords hard... on The Most Common iPhone Passcodes · Score: 2

    Actually, iPhone passwords are easy. If you use an all numeric passcode, instead of pulling up a full keyboard, it pops up a PIN pad with the enter button, just like the pad used for entering a SIM PIN.

    So, entering an 8-12 digit PIN can be done quite quickly.

  23. Re:Who does this? on Unlocked iPhones in US For $649 · Score: 1

    I'm not that worried about the cost for an unlocked phone. Why? The secondary market. If I keep the iPhone in a case and have it in good condition, an unlocked phone will be easily worth $500-600 on eBay. Some auctions get so crazy that people actually may pay for more than what the phone is worth, although one has to be careful because of potential cheats [1]. So, if I sell my iPhone 4 after picking up the next gen, I'm really not out $600... but out $100-$200.

    [1]: It is an old trick for scammers to have a broken iPhone lying around then claim that the seller shipped them that. Then they demand their money back from PayPal, or do a chargeback.

  24. Re:Am I the only one? on Inside Amazon's Data Centers · Score: 1

    It hasn't just taken off, it has already made a sonic boom that has rattled eardrums of anyone in virtually every IT shop worldwide.

    Every company out there hears that the mystical Cloud can solve all computing problems, has no security issues, etc. Reality hits when the realization comes into play that choosing a cloud provider means a permanent relationship -- it is virtually impossible to change providers due to each having different APIs. The fact that one will have to pay for a data center somewhere also rings true. Almost invariably, a cloud solution will be more costly than having the capacity in house in the long run.

  25. Re:Real world at scale. on Inside Amazon's Data Centers · Score: 2

    I would disagree at the same rate figure.

    What you pay for with the bigger servers is redundancy. The higher end servers that Oracle and IBM offer cost more, but they engineer for reliability, not absolute cheapness of price as in the commodity x86 market. Yes, you can improve uptime by adding redundancy on upper layers up to and including the backend app.

    On one end, you have FB's solution where reliability isn't as much an issue as deploying fast. The top layer backend app handles the redundancy. On the other end, you have mainframes and IBM Parallel Sysplex. Most businesses end up somewhere in between.

    Almost always, you get what you pay for when it comes to servers.