Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories: 0 · Comments: 5,534

Comments · 5,534

  1. Re:If you believe any of this is a good idea... on Punish Bad Users With Drupal Misery · · Score: 1

    Hermes (old Mac BBS program) had that as well. There was one annoying user whom we ended up kicking off multiple times via this method.

    Said user whined at a local gathering about how bad $BBS was and how often he got kicked off for line noise. It made him look bad about his complaints, because nobody else had one single issue.

    Even funnier was the fact that if he had a MNP3 or MNP5 modem (coupled with the fact the BBS had HST modems at the time that worked with anything), it would be VERY suspicious that he would be kicked off by line noise, had he had any type of clue. Mainly because both of those protocols dropped corrupted frames in hardware, so line noise would just mean no traffic, rather than stuff garbled.

  2. Re:If you believe any of this is a good idea... on Punish Bad Users With Drupal Misery · · Score: 2

    What may be better is to use the cave module, or Beehive's "worm mode".

    If you ban a severe troll, they will run around creating new sock puppet accounts. However, if you turn on code that allows them to post, with nobody else ever seeing it, they will happily run around flaming people left and right... then get their hackles up because they see nobody responding. Finally, the troll puts up a "bah, you guys suck" notice and leaves for good.

    Really dedicated trolls can get around bans [1]. The trick is to make them waste so much time spinning their wheels with their existing user, where it is easily watched, and in an extreme case, law enforcement can be notified.

    [1]: Of course, one can have manual user registration approved by an admin, but it is hard to tell a troll hiding behind a VPN address from someone genuine who is new to the board.

  3. Re:Glad this is over on Apple Updating iOS To Address Privacy Concerns · · Score: 2

    Here in the US, availability of cellphone location for civil/criminal actions isn't a good thing either:

    1: A DA could easily file a warrant for location info from cell providers to find who was in a park after dark, then go on a mass raid, filing criminal trespass charges on 20-30 people at once in a roundup.

    2: People who were at the location of a certain protest can be blacklisted from jobs, or even supermarkets, where they would have to ask friends or go out of town to get basic groceries.

    3: Foreign intel sources can get info on what VIPs go to what meetings, and know what soft targets to attack.

    4: People who have sensitive jobs can have the location information used as blackmail.

    5: Blackmail/extortion in general. I remember a school district in California that had a security breach (with major PII compromise), and parents in that district got an anonymous E-mail with a map of how their kid walked to school and a note that their kid would have a greater chance of completing their journey from home to school if they paid a "fee".

    Location information needs to be treated as PII, as much as SSNs. However, I doubt we will ever see laws that actually punish anyone for PII loss anytime soon in the political climate in the US. Europe would be a different story just due to the past history.

  4. Re:Charter was doing this on Mediacom Using DPI To Hijack Searches, 404 Errors · · Score: 1

    It wouldn't really matter. If an ISP redirected a bank to another site (likely compounded with the SSL CA attack), people would think they were at mybank.com when they were connected to a site in Elbonia. When people would start to get their accounts emptied, the ISP wouldn't suffer anything. In fact, their PR guy will shrug and say, "OMG, those hackers are good", and life will go on. At worst, the ISP with the compromise might have to pay for an ID theft subscription service for people for a year.

    Same with someone compromising an ad server and serving up malware, or even more maliciously having it look that only certain sites were having malware coming from them. Lawsuits would be filed, and almost nobody would ever suspect the ISP, much less get anyone who has any sort of oversight or power to do anything about it.

  5. Re:HTTPS on Mediacom Using DPI To Hijack Searches, 404 Errors · · Score: 1

    If an ISP starts doing that, that is more of an active attack and can be viewed in the courts as "OMG, they have an active backdoor!!!1" as opposed to the MITM spoofing which juries would be hazy on understanding.

    Redirecting traffic is one thing. Installing software, adding "backdoor" SSL keys, and modifying a user's computer is something even a hung over Joe Sixpack or Jane Xanax might even understand. In fact, it can just be called "the ISP installs a virus" by the attorneys which gets the point across to almost anyone.

  6. Re:Exactly on Mediacom Using DPI To Hijack Searches, 404 Errors · · Score: 2

    https anywhere is an excellent suggestion, as it shuts down Phorm-like attacks.

    I'd recommend some additional items as well:

    1: If you can do this on your router, I'd find the IPs for the dodgy ISP's ad servers, and block [1] them.

    2: Adblock, Ghostery, and BetterPrivacy are a must. At least Adblock, because this protects against incoming malicious software far more than any AV utility. Until ad rotating sites take responsibility and stop allowing clients to serve up malicious code, blocking ads is a security measure.

    3: Consider a VPN service. I use one for my mobile devices when using open wireless networks not just to stop FireSheep like attacks, but to keep my personal traffic just between me and the VPN provider.

    4: PeerBlock plus iBlocklist. This isn't just for people wanting to infringe on IP, but there are also well maintained IP lists for malicious sites, ad sites, and nasty stuff in general.

    [1]: Drop packets going from your machine to the ad server, reject packets going from the adserver to you. The reason behind this -- the drop sends an error packet back, telling your machine that there is an issue, and not to keep waiting until a timeout.

  7. #1 thing learned from Stuxnet... on DHS Chief: What We Learned From Stuxnet · · Score: 1, Insightful

    #1 thing learned from Stuxnet:

    Air-gap your production SCADA/embedded stuff.

  8. Re:Well... on What Happens To Data When a Cloud Provider Dies? · · Score: 1

    Bingo. It is only a matter of time before the following scenario happens:

    1: Company stores PII on a cloud provider.
    2: Cloud provider goes TU.
    3: Stored data gets made public.
    4: Company is now being nailed for violating SOX/HIPAA/FERPA/whatever privacy or security regulations, with officers facing prison terms.

  9. Re:What difference .... on Malaysian Government Offers Free E-mail To All Citizens · · Score: 1

    A government department would also have no financial incentive to spy on a person, as opposed to private E-mail providers looking to dig through stored E-mail for any information (even "anonymized") they can sell to anyone who is willing to pony up for it.

    I would also trust a government E-mail system because security is in their interest. In the private sector, oftentimes PHBs feel that because security has no obvious ROI, they can skimp on it. A breach in a private company has no consequences. In the public sector, it can have disastrous consequences.

  10. Re:Dual screen game system? on Sony's New Android-based Dual Screen Tablets · · Score: 1

    That is fair. If it allows for a complete unlocking, even with purging the DRM keys, that is just fine with me. Android's Marketplace uses LVL for its DRM, which is not dependent on anything on the device.

    I just hope the production models allow for this method of unlocking.

  11. Re:Well... on What Happens To Data When a Cloud Provider Dies? · · Score: 5, Informative

    Don't forget that all SLAs, privacy agreements, and other items are not worth the paper they are printed on come a liquidation. We all heard the adage that possession is 9/10s of the law. It applies here too.

    After a bankruptcy, the new holders of the servers can do anything they please with the data on the boxes. PII data about bank accounts and HR records? It can be put as a torrent for all to download, sold to a firm offshore for ID theft, sold to advertisers. There is not one single thing anyone can do about it, provided there is no confidential or classified data present. Trade secret? By law, it isn't a trade secret anymore.

    One of the downsides of cloud computing is that all data, be it E-mails on a cloud system, offsite storage, or applications in house can easily be made public to sell to all comers should a cloud provider go bankrupt or change hands. No amount of paperwork can ever go to assure against that.

    Only real protection? Encryption, with keys stored with the client, and ONLY with the client. Even then, it still isn't good for ciphertext data to be made public for all and sundry to try to figure out the contents.

  12. This is pretty much the only way cars can improve. on The Future of In-Car Computing · · Score: 1

    Without a complete re-engineering, car MPG isn't going to be increasing. Nor, with traffic as congested as it is, does horsepower matter as it used to.

    So, what is left is making the ride more comfortable and safer. Because smaller modes of transportation are becoming more common (motorcycles, mopeds, bicycles, pedicabs), vehicles that have the ability to warn about stuff in blind spots are becoming more important, especially modern cars where visibility is impaired by the pillars airbags are stashed in.

    Of course, a safe driver is a safe driver, but it would help to have a warning system so that Jane Xanax, who is on the cellphone and putting on makeup, gets buzzed if she is about to turn a motorcyclist into an organ donor, or so that the beer tap on Joe Sixpack's dash cuts him off after four servings of Miller Light, before his BAC gets to the legal limit.

    I am all for automatic driving cars that use a mesh network. This means freeways that can run at the max speed of the slowest vehicle, not the minimum speed of the most drunk, stoned, high, baked, moron on a cellphone. Taking the human equation out on the freeways is a good thing, as it allows for much higher vehicle density as opposed to having to deal with people's reaction times (or lack thereof).

  13. Re:Honesty vs Convenience on Computer Opens Unmanned Store For Holiday · · Score: 2

    Doesn't take much to shuffle the basket aside, perhaps replace the refrigerated/frozen food items so they don't spoil and head out.

    It may be inconvenient to go to another store, but I'm not the type of person who would steal for convenience's sake.

    Don't forget what one would lose by making it out with a basket of unpaid goods, on different levels of ethics:

    1: If someone has such poor ethics that they steal the relatively small cost of food and other grocery store goods, how can one ever trust that individual with big ticket items? If someone is willing to blow their good name on a cartful of groceries, how can one ever trust that person in any position whatsoever?

    2: If one does get caught, here in the US, it means that getting a job becomes almost impossible. Employers check for *arrest* records, not convictions. A booking for *any* charge, no matter how small, can mean curtains for any type of career outside flipping burgers. Of course, a shoplifting conviction means moral turpitude, and that is a virtual guarantee that someone's life will be free of any type of work other than minimum wage positions.

    3: Civil bans. Wal-Mart enforces bans across all its stores. Someone on their no-entry list at one store tries to buy at another, the LP guys show up at the cashier and hold the person for the police for criminal trespass. Who in their right mind would want to risk being banned permanently from the grocery store they use all the time, if not the whole chain. It is only a matter of time before businesses cross-reference bans, similar to casinos (one ban in one LV Strip casino == banned from every one), and one wouldn't be allowed entry to *any* supermarket.

    4: Civil demand letters. Wal-Mart automatically will levy a $225 fine against any shoplifter (reference found via Google.) Paying for groceries + gas (for driving to another store) is a heck of a lot cheaper than that.

    I don't intend to bloviate about ethics. However, there are a lot of bad consequences that await someone who engages in petty larceny, not to mention what it shows about character.

  14. Re:bollocks on New Tool Hides Data In Plain Sight On HDDs · · Score: 1

    Encryption is done beforehand for three reasons:

    1: The hidden data is essentially static, with no discernible patterns.

    2: If the stegoed data is located, it cannot be used as plain text.

    3: Plausible deniability. If a stego detector finds random numbers, that is one thing, versus plaintext as another.

    Don't forget -- a lot of encrypted files have a pattern to them, such as PGP, ZIP, etc. One will need to find a utility that does to files what TrueCrypt does to partitions and has a completely unreadable structure. This is harder than it sounds, because almost all file encryption programs have some type of header in their encrypted output.
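    The header problem the comment describes, as an added example (not code from the original post or from any of the tools it names): a small scanner that matches the leading bytes of a blob against public format signatures (ZIP, gzip, 7-Zip, ASCII-armored OpenPGP) and measures byte entropy. A headered container is identified immediately; only a signature-free blob with a near-uniform byte histogram reads as "headerless ciphertext". The three sample blobs are constructed inline, and the 7.5 bits/byte threshold is an assumption chosen for illustration.

```python
import hashlib
import math
from collections import Counter

# Public magic numbers for formats that wrap their ciphertext in a recognizable
# header (documented format signatures, not values taken from the page).
KNOWN_HEADERS = {
    b"PK\x03\x04": "ZIP archive (may be password-protected)",
    b"\x1f\x8b": "gzip stream",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"-----BEGIN PGP MESSAGE-----": "ASCII-armored OpenPGP message",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, up to 8.0 for a uniform histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_container(data: bytes) -> str:
    """Match the leading bytes against the signature table."""
    for magic, label in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return label
    return "no recognizable header"


def looks_like_headerless_ciphertext(data: bytes, threshold: float = 7.5) -> bool:
    """No known signature plus a near-uniform byte distribution: the profile a
    TrueCrypt-style headerless container presents to a scanner (threshold is an assumption)."""
    return identify_container(data) == "no recognizable header" and shannon_entropy(data) >= threshold


# Constructed samples (not real files): a ZIP local-file header followed by a
# filename and zero padding, an armored PGP message skeleton, and 2 KiB of
# headerless pseudo-random bytes built from SHA-256 digests so the run is reproducible.
SAMPLE_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"notes.txt" + b"\x00" * 64
SAMPLE_PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA0000000000000000\n-----END PGP MESSAGE-----\n"
SAMPLE_HEADERLESS = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

SAMPLES = {
    "zip": SAMPLE_ZIP,
    "pgp-armor": SAMPLE_PGP_ARMOR,
    "headerless": SAMPLE_HEADERLESS,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:11s} entropy={shannon_entropy(blob):.2f} "
              f"id={identify_container(blob)!r} "
              f"headerless_ciphertext={looks_like_headerless_ciphertext(blob)}")
```

    Run as a script it prints one line per sample; the ZIP and PGP blobs are named by their signatures regardless of entropy, while only the SHA-256-derived blob passes as headerless ciphertext. The same two checks, signature match first and entropy second, are the usual order in forensic triage tooling.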

  15. Re:Can someone answer this? on Bizarre Porn Raid Underscores Wi-Fi Privacy Risks · · Score: 1

    Mac filtering == joke. Macs are easily faked.

    WPA2 PSK == all dependent on how secure your preshared key is. Here is what I do: Every six months, I fire up KeePass, have it make for me a 63 character random passphrase (using additional entropy collected from the keyboard/mouse). I save this as a text file to a USB flash drive, copy and paste it into the router and all clients. This is as secure as it gets for preshared keys. The only way you will do better is having your own RADIUS server and WPA2-Enterprise.
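    The key derivation behind this post's point, as an added example rather than anything from the original comment: WPA2-Personal turns the passphrase and the SSID into the 256-bit PSK with PBKDF2-HMAC-SHA1 at 4096 iterations, so the passphrase is the only secret in the scheme and its randomness is what sets the strength. The code draws a maximum-length (63-character) passphrase from the OS CSPRNG through Python's `secrets` module instead of KeePass; the SSID `ExampleSSID` is a constructed placeholder.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal passphrase rules: 8 to 63 printable ASCII characters (0x20..0x7E).
# The access point and every client derive the same 256-bit PSK from it.
WPA2_MIN_LEN = 8
WPA2_MAX_LEN = 63
PSK_LEN = 32
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols, no space


def random_passphrase(length: int = WPA2_MAX_LEN) -> str:
    """Each character comes from the OS CSPRNG via the secrets module."""
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError("WPA2 passphrase length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_valid_passphrase(passphrase: str) -> bool:
    """Length and character-set check an access point applies to a passphrase."""
    return (WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN
            and all(0x20 <= ord(ch) <= 0x7E for ch in passphrase))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("invalid WPA2 passphrase")
    ssid_bytes = ssid.encode("utf-8")
    if not 0 < len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=PSK_LEN)


def passphrase_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = random_passphrase()
    print(f"passphrase ({len(pw)} chars, ~{passphrase_entropy_bits(len(pw)):.0f} bits): {pw}")
    print("psk:", derive_psk(pw, "ExampleSSID").hex())  # SSID is a constructed placeholder
```

    Because the derived PSK is 256 bits, a uniformly random passphrase over this 94-symbol alphabet reaches that strength at about 40 characters; 63 is simply the format's maximum, and going to it costs nothing. The derivation also shows why the SSID matters as a salt: the same passphrase yields a different PSK for every network name.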

  16. Re:Is it that hard... on Bizarre Porn Raid Underscores Wi-Fi Privacy Risks · · Score: 1

    I helped a friend with a similar issue with a router that had wireless, and the ISP was jacking around with the router password. Solution? I took apart the router and pulled the antenna. Problem solved.

  17. Re:But I want to share on Bizarre Porn Raid Underscores Wi-Fi Privacy Risks · · Score: 1

    Liability is liability. The car example is that I don't let someone who broke down in front of my place borrow my vehicle, because if they get in a wreck, I'm out the cash for the vehicle, as well as how much damage they caused.

    Same with Wi-fi networks. I'm not going to let someone get on my network who might expose me to lawsuits in the civil arena for IP infringement, or long terms in a state/federal prison in the criminal arena. Especially with the court precedent that an IP address is considered identifying information.

    I wouldn't want to put my fate in the hands of a jury. Especially in most parts of the US where technological knowledge is just what they have learned on Fox News.

  18. Re:Fuck Geohot on Sony Rebuilding PlayStation Network Security After Attack · · Score: 1

    Devil's advocate stance here:

    Sony's position did send a message though -- it means that the origin of future PS3 cracks and other items will have to be kept secret so the Sony legal brigade doesn't make an example out of someone else.

    Why is this a major victory for Sony? Simple. There is no way to tell exactly where a supposed crack came from. This means that it will be extremely difficult to tell a "good" patch to allow homebrew modding from malicious code that permanently bricks a device.

    Long term, it means that patches for Sony devices will be gambles for people who are trying them out. How will one know it will be something that actually works, versus something that will trash the device? There is absolutely no way to tell.

    It is like the PC cracking scene now. How do you tell a bona-fide scene release versus a Trojanized release that will install a botnet client and rootkit? You can't. With the Apple jailbreaking scene, the iPhone Dev Team is identifiable and has a sterling reputation. This cannot exist in the Sony ecosystem.

  19. Re:That's nice and all. on A Glimpse Inside Google's South Carolina Data Center · · Score: 1

    People don't think of data center robberies, but with the economy in the skids, the guys who would rob banks are starting to wise up to data centers.

    Until recently, the most security a data center would have on staff would be a guard in front, and maybe another to run rounds. Data center locks are intended to keep geeks and skulkers out. Most places do not factor in people who will be more than happy to blow the brains out of the secretary at the desk to get her badge and keys, so they can get access to the server room.

    Having the data center be at an unmarked location was a great help too. However, this is something being wised up to, and more sophisticated thieves are starting to find ways to locate them.

    This is why IBM, EMC, and other storage makers are making encrypted hard disks for the basis of their SANs, where the array checks with a server on the LAN segment, gets a key from that to unlock the individual drives. Pull a drive or drawer out, and there will be no useful data (even barring the fact that the drives are RAID members which requires a full quorum for access.) This is also why DAR encryption on the server end is becoming an important selling point for US Federal contracts.

    As of now, a lot of data center robberies tend to be inside or well-skilled jobs (like the people who ripped off Peter Gabriel's webserver.) However, the bad guys are getting smarter. I wouldn't be surprised if data center robberies become a common plague, especially due to the fact that the other ways of criminal activity (bank robberies, drug sales) are either "owned" by a more well-armed organization, or the risk/reward is not worth it (car theft). Couple this with the knowledge that a criminal can make money not just selling the stolen server hardware, but money from selling data on the drives, and even holding the drives for ransom [1].

    Realistically, physical robberies are low on the list compared to network intrusions, compromised/disgruntled employees, and laptop theft. However, this is something a data center planner needs to factor in, having some sort of duress/holdup alarm, possibly coupled with remote monitoring of the area via CCTV.

    [1]: A lot of companies have little or no backup policies. A lot of businesses would pony up if handed a ransom notice for stolen drives because the data is so vital for their day to day operation.

  20. Re:This shouldn't be news on Police Using Apple iOS Tracking Data For Forensics · · Score: 1

    What may not be interesting for civil/criminal action now may be in several years time, as it becomes easier to go through stored information and obtain patterns.

    What keeps a county DA, who knows about a park that is closed after dark, from doing a motion of discovery against cellphone providers, finding anyone whose phone has been located in the park from 10:00am to 5:00 AM, then launching a mass criminal trespassing arrest for anyone who set foot in the park in the past 3 years? Right now, this may be daunting. It may be trivial in the future. In 2000, nobody thought people would be nailed for millions of dollars because they shared an album of MP3s online. Of course, the argument is valid that a cellphone presence != personal presence, but can a defense lawyer convince a jury, likely with little or no computer experience, of this? Probably not.

    What keeps a principal of a high school from asking cellphone companies for a history of locations of their students, then expelling students whose phone locations showed they were off campus for lunch, or not physically at a pep rally? There may be a time where this info is handed to the schools.

  21. Re:Laser beams you say? on Lasers To Replace Sparkplugs In Engines? · · Score: 2

    It also saves $300-$1000 from the production of the car, which is good all around, due to the platinum used for the catalytic work.

  22. Re:the love of cloud on Dropbox Can't See Your Dat– Er, Never Mind · · Score: 2

    This answers the question right here, combined with the fact that password recovery is doable by E-mail.

    I'm guessing that it might be encrypted server side... but hell, all my data on my personal domain is encrypted server side (my Linux boxes use LUKS, my Mac uses PGP Whole Disk Encryption, my Windows boxes use TrueCrypt or BitLocker, and external disks use Truecrypt.) So, having data stored encrypted may provide a defense against someone yanking disks out of a drive array, but against remote attacks, it provides no protection.

  23. Re:Blu-Ray kicks butt... on Why Has Blu-ray Failed To Catch Hold? · · Score: 1

    This is more of an offsite backup (D2D2Optical) than disks.

    The advantage of this method is that restoring may take a bit of flipping through 20 disks, but overall, it is faster than a WAN connection, especially these days where connections are getting metered, so 1TB would cost $200.

    CrashPlan is a good system, provided your ISP doesn't throttle or meter. Otherwise, having local backups (perhaps with an offsite rotation) is a good idea.

  24. Re:Not bothered on Why Has Blu-ray Failed To Catch Hold? · · Score: 1

    There are programs to fix that. I use them not that I care to save a 10GB copy of a music I don't care to watch, but to kill off the UOP crap... so I can put it in and press "menu", and not have to sit through a half hour of lame previews.

  25. Blu-Ray kicks butt... on Why Has Blu-ray Failed To Catch Hold? · · Score: 1

    I find that Blu-Ray kicks butt. Not for watching movies, but as a backup medium. Disks are relatively inexpensive, so I can do backups pretty easily, and they store a good amount (50GB or so.) So, the terabyte of stuff sitting on my NAS? Split it into 50 GB chunks, make disk based images (finalizing the session so no writes can be done), put the disks on a spindle, and call it completely backed up, where it can't be altered by malware in the future.

    Next to having a modern high capacity tape drive, Blu-Ray is the best thing going for backups.

    Of course, I use more than just one set of BD-R media, and make sure it is verified. In Windows, Nero's SecureDisk helps here as a tool for easy validation of a volume.

    Now if Retrospect could start supporting BD drives not on its "blessed" hardware list, and allow autoconfiguration like they do with CD and DVD hardware, I'd be golden. But Nero works as well, though nowhere near as elegantly.