Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories: 0
Comments: 5,534

Comments · 5,534

  1. Re:Kind of silly. on The 'Three Ton' Hard Drive Destroyer · Score: 1

    If done right, encrypted with a lost key can pretty much mean the data is not accessible:

    1: A diffuser needs to be used. This prevents an attacker from seeing that the contents of sector 8 are the same as sector 5. TrueCrypt uses XTS mode. BitLocker uses AES-CBC and Elephant. Without this, it is easy to find patterns in the encrypted data.

    2: A keyfile must be used. Passphrases can be brute-forced. A keyfile ensures that an attacker has to guess out of the whole keyspace.

    3: The drive must be completely encrypted, to prevent spillage. For example, if I have a VM in a TC file based partition, there might be chunks of the VM in the main Windows's swap file (although Windows 7 can automatically encrypt swap.)

    Of course, a zeroization is a good thing to do, but forgetting the keys will pretty much render the contents inaccessible to virtually everyone but intel agencies with big budgets and supercomputers measured by the acre.

  2. Re:Kind of silly. on The 'Three Ton' Hard Drive Destroyer · Score: 1

    I am lazier -- because I use TC with smart card encryption, with keyfiles on an IronKey drive.

    Zeroing out the data on the drive just means unmounting the volumes, and formatting the smart card, or forcing the IronKey (only the Basic one can do this) to erase all the data and regenerate new keys. For safety, I do a zero pass, but it isn't really needed.

    For Windows, I use BitLocker To Go, and post Vista, the Format command in Windows zeroes out the encrypted key sectors so unless someone saved off the unencrypted volume key out of memory, the drive is effectively erased.

    Full disk encryption makes worrying about data stored on flash cells or HDD platters a non-issue if done right.

  3. Re:Probably true. *sigh* on Iran Says Siemens Helped US, Israel Build Stuxnet · Score: 1

    Bingo. Yes, the knowledge to do Stuxnet isn't exactly stuff you find on the street, but it wouldn't be hard for a blackhat organization to obtain this information. This could be a group of people who didn't like Iran, the US, or Israel to do something like this, just for kicks, or like the Joker, "to watch the world burn."

    What one has to do is figure out likelihoods. Unlike most things, it is possible to fake an attack and have it look like it came from a completely different source.

  4. Re:Sysadmins VS Lusers, lets get ready to rumble! on Ask Slashdot: Do I Give IT a Login On Our Dept. Server? · Score: 1

    ^^ This.

    It might help things to bring in a machine and work around IT, but as a lot of others said, it might bring a lot of bad things.

    An example scenario: The Linux box works well. However, a co-worker who manages to get root access (perhaps booting it into single user mode when nobody was looking) starts to use it as an MP3 server for those times when wanting to play "Ride the Lightning" when performing an ECT procedure. Said co-worker then finds a way (via tunneling via SSH or something) to allow people on the outside to listen to radio streams. Some astute blackhat figures out that the streaming program has a bug in it, punches a buffer overrun script and voila, gets a shell. The blackhat promptly finds the backdoor (or sudo entry) allowing root access. Said hacker decides to noodle around the hospital network, and mess with patient records, where all males checked in get scheduled for hysterectomies, or more malicious stuff (removing the record that someone is allergic to certain medicines on their record, prescribing brutal antipsychotics, etc.) All hell breaks loose in the hospital. The malpractice cases fly. The high dollar forensics guys come in and find the unauthorized Linux box that was the source of it all. The Feds move in with HHS asking why the hell this machine is there, and why nobody followed due diligence with security.

    Someone would be going to prison for a long time, and it would be the well intentioned guy with the Linux box, who really did nothing wrong other than not know how brutal things can get between the law, organizational structure, and outside attackers.

    Yes, this is an extreme scenario, but with a machine brought from home, if *anything* happens, it will be whoever brought the machine who will be tossed under the bus first thing. The consequences may range from being blacklisted (PHBs talk at their golf foursomes, and some admin who did bad stuff at one company will be talked about pretty quickly), to facing actual prison time.

  5. Re:Sounds promising on Solar Breakthrough Could Provide Power Without Solar Cells · Score: 2

    Bingo. Virtually everything we have and use on a daily basis has started in this manner where someone finds some phenomenon which can be honed, researched, and turned into a viable product used daily.

    Solar is important. Since nuclear power is essentially set back at least a decade, anything that gets us free from coal and oil is a must have, not just for global warming, but to prevent countries having to go to war for their dino juice stakes.

    What will be the key breakthrough that will change everything will be the ability to have room temperature superconductors on a large scale, like Niven's Ringworld. This would mean that a solar array in Mexico could power a brewery in Alaska on one set of wires without worrying about significant current loss.

  6. Re:stop moderating. on Crowdsourcing the Censors: A Contest · Score: 1

    There is a difference between responsibility to not troll/spam/spew on a board, and being sued/arrested/tortured/killed/family tortured/family killed for a statement.

    It would be nice that there would be a way to have a system that dealt with trolls and spammers, but wouldn't affect people who have unpopular opinions, either unpopular in their country or unpopular in general.

    A system also would have to deal with grey areas: Let's say there is a person who says that iOS and OS X are 100% secure. Would this person be trolling, need some education about what the term "100% secure" really means, or would the post be considered sardonic humor? One person with moderation ability might flag it as a troll, another might consider it humorous, still another might absolutely agree with it.

  7. Re:stop moderating. on Crowdsourcing the Censors: A Contest · Score: 1

    Here in the US, it isn't that bad where people fear for their lives (yet), but SLAPP cases are on the rise here. I wouldn't be surprised when companies start having bots which periodically check Google or traverse sites themselves and automatically file lawsuits against anyone for libel who complains. This is cheap for an organization which has a large law arm, but defending against these would be cost prohibitive for individuals.

    So, in the US, having the ability to separate a userID from the real person in case of a mass civil action will be important.

    Anonymity is one thing. However, it would be nice to have the ability to have a userID that posts can be attributed to, but that is completely separate from the real person. This way, spammers end up ignored, while people who contribute content, but don't feel like sticking their real life identity out there can achieve a reputation.

    What would be interesting is an authentication scheme based off of PGP/gpg keys. You log onto a site, the site asks for you to sign a chunk of text [1] with the key and paste it in, and you are now authenticated at that site. Want that identity never to be used again? Destroy the private key. Another advantage of this is that there are no passwords to worry about -- the website just stores a public key.

    Using a PGP/gpg public key means that posts can also be signed for further security. A site can offer to show the full signed post, but normally just show the contents of the message to hide the relatively ugly PGP signature by default.

    Downside: If forensics discover the private key on a machine, it will clinch beyond a doubt that the person using that machine has access to that anonymous ID. However, that can be remedied with solutions often discussed here.

    [1]: Random text from a cryptographically secure RNG plus a timestamp. The goal is to ensure replay attacks do not happen.
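Added example (not part of mlts's comment and not code from any real site): the login flow sketched in comment 7, with an Ed25519 key pair from Go's standard library standing in for a PGP/gpg key. The site name, the two-minute freshness window and every type and function name are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknown = errors.New("challenge not issued to this user, or already used")
	ErrExpired = errors.New("challenge too old")
	ErrBadSig  = errors.New("signature does not verify")
)

type pendingKey struct{ user, challenge string }

// Site stores only public keys, as the comment describes: no passwords.
// Single-goroutine sketch; a real server would guard the maps with a mutex.
type Site struct {
	name    string                       // assumption: bound into every challenge
	maxAge  time.Duration                // assumption: freshness window
	keys    map[string]ed25519.PublicKey // userID -> public key
	pending map[pendingKey]time.Time     // outstanding challenge -> issue time
}

func NewSite(name string, maxAge time.Duration) *Site {
	return &Site{name: name, maxAge: maxAge,
		keys: map[string]ed25519.PublicKey{}, pending: map[pendingKey]time.Time{}}
}
func (s *Site) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// NewIdentity stands in for generating a key pair on the user's own machine.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// SignChallenge is the user's side: sign the pasted text with the private key.
func SignChallenge(priv ed25519.PrivateKey, c string) []byte { return ed25519.Sign(priv, []byte(c)) }

// Challenge returns "<site> <128-bit CSPRNG nonce in hex> <unix time>" and records it.
func (s *Site) Challenge(user string, now time.Time) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no secure randomness available: refuse to issue challenges
	}
	c := fmt.Sprintf("%s %x %d", s.name, nonce, now.Unix())
	s.pending[pendingKey{user, c}] = now
	return c
}

// Login verifies a signed challenge. The challenge is consumed on the first
// attempt, so a captured (challenge, signature) pair cannot be replayed.
func (s *Site) Login(user, c string, sig []byte, now time.Time) error {
	k := pendingKey{user, c}
	issued, ok := s.pending[k]
	delete(s.pending, k)
	if !ok {
		return ErrUnknown
	}
	if now.Sub(issued) > s.maxAge {
		return ErrExpired
	}
	pub := s.keys[user]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(c), sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	site := NewSite("forum.example", 2*time.Minute)
	pub, priv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	site.Register("anon42", pub)
	c := site.Challenge("anon42", time.Now())
	sig := SignChallenge(priv, c)
	fmt.Println("first login:", site.Login("anon42", c, sig, time.Now()))
	fmt.Println("replay:     ", site.Login("anon42", c, sig, time.Now()))
}
```

Binding the site name into the signed text keeps a signature made for one site from being accepted as a login at another.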

  8. Re:is it just me? on America's Tech Decline: a Reading Guide · Score: 2

    I'd say it isn't we as in readers here. We here know that seeding long term things will end up with cool, salable products down the road. We all have seen the lesson of Corning and Gorilla Glass, a technology that has sat on the shelf for decades previously.

    The "next quarter uber Alles" came from the MBA grads (ironically they have to pass ITIL/ITSM classes, but never seem to grasp the concept after graduation.) Other countries don't have this. Take China. They run in five year plans, and have extremely successful results. I'm hoping this eventually filters to the US.

  9. Re:is it just me? on America's Tech Decline: a Reading Guide · Score: 1

    I have seen that sentiment too. What is ironic is that after the manufacturing jobs go, the other jobs will go as well.

    Academia used to have some insulation from the economy. However, with student tuition almost doubling yearly, there is a bubble forming which may end up seriously hurting universities as a whole once it pops, and they can't get the students in. As of now, a tenured professor can rail and say how evil it is to have manufacturing jobs, but when students can't pay his salary and the university shuts down, he will be competing to keep a roof over his head just like everyone else.

  10. Re:Now only criminals will be able to post anonymo on White House To Drop Details of Cyber ID On Tax Day · Score: 2

    What is ironic is that properly implemented, this system can assure a truly kick-ass privacy ecosystem.

    One could base it around a smart card. The private key is stored, and a certificate from a trusted CA (county courthouse) states that this key belongs to this individual.

    Then start sticking certificates on the key. The user can determine who gets to see the certificates, and who doesn't.

    Carded at the bar? The bar doesn't need to know the DOB. The bar finds a certificate stating that this person is over 21 years of age, signed by the state. That is good enough evidence for legal purposes to start slinging the drinks. The bar is legally covered, and the patron does not have to show when they were born.

    Criminal record? The potential employer sees a certificate from NCIC stating the bearer has zero crimes on his/her rap sheet. The employer checks to see if this cert was revoked, and it hasn't been. So, even without looking up the user in a database, there is legal proof of no felonies present.

    Degree from accredited institution? The employer finds a cert from Miskatonic University stating the person has graduated and has a B. S. Going up the cert chain, the university has a certificate from an accreditor stating that they are in good standing.

    Credit report? Vinny's Used Cars gets a certificate from Experian that the person is in the top tier of credit, and no other details are handed out.

    Of course, with keys and an active CRL mechanism, if someone was convicted, the criminal record cert stating there is no record would be revoked, or it can be a SLC that is pulled from a certificate server, with an expiration duration of minutes to hours.

    I have hopes... if done right, a good smart card would help privacy and security. However, if done wrong, it would rain down hell on anyone in the US.

  11. Re:is it just me? on America's Tech Decline: a Reading Guide · Score: 5, Insightful

    I'd probably pin the decline of the US on a number of factors:

    1: The view that engineers, mathematicians, and computer scientists are "nerds" and deserve contempt, while someone who might kick around a ball for 5-10 minutes is considered a superhero. China and Russia value their scientists, like how we in the US did in the 1950s-1960s. Now since science is considered "beneath" most Americans, compared to business or law, not sowing out seeds in the field means a crappy harvest. You are right, we had a long while where attorney was the meal ticket. Now, there isn't much they can parasite off of, so those fields are drying up. Until people in the US as a whole start valuing the people that innovate, as opposed to a sports hero, or Justin Bieber, the economy will remain stagnant, and the jobs that don't move overseas will be taken by H-1Bs.

    2: Lack of interest in R&D. Companies here either license new stuff, buy the company that has it, or litigate the company that has something they want out of existence. Actual old school R&D like PARC or Bell Labs isn't done anymore, and it is blamed on "product liability". Even the government isn't that interested in keeping innovation. So, obviously (OB car example), when the gas is turned off to the engine, it stops moving. No seed funding == no cool new things coming from labs.

    3: Espionage. To a PHB, security has no ROI. They really don't give a shit if their corporate trade secrets mysteriously appear in Beijing or Tehran as long as they have good sales numbers for this quarter. So, even with innovation, it is stolen by other nations that actually value security. Until companies actually give a shit about keeping their stuff secure, any research done in the US is a freebie given to BRIC.

    4: Lack of education in the US. Other countries value education, and help fund it for their citizens. For an American to get to a similar education level as an average French or German adult at the age of 25-30, it will take $20,000 to $50,000 worth of tuition. For an average American to get to the level of education of a German cop (not a lawyer, a street policeman) it would take over six digits of tuition spent.

    Until these are addressed, the slide will continue.

  12. Re:So what? on The End of the "Age of Speed" · Score: 1

    The sad thing is that all these are quite solvable, but it would take an interested government:

    Airport parking can be mitigated by having long term park and rides with CCTV and perhaps a live person for security. Park 20-30 minutes away, get a shuttle to the gate, call it done.

    One idea along these lines would be a remote parking garage at another end of town. People can park in the garage, then have airport security do the checking there. After that, board a shuttle that would take the passengers directly to the secure area of the airport. This way, the TSA screening areas are in more places and less of a bottleneck.

    Security can be done right. Regardless what one thinks of Israel, they lead in this department with little to no superfluous security theater.

    Getting planes in the air on time -- Airlines need to be fined if more than a certain percentage of their flights are late or cancelled, and it isn't due to inclement weather. In fact, airlines really need more regulation to stop the race to the bottom, as they really have zero interest in customer service these days.

    Getting through customs -- it can be done.

  13. Re:Actually very true on The End of the "Age of Speed" · Score: 1

    Passenger rail is vital to national security for another reason: It is the most effective way to get people out of a metropolitan area should a disaster happen:

    An average train car can handle 30+ people. Compare that to how many vehicles a highway must be able to handle for a similar total. All it takes is one person to panic and crash, or just have a faulty vehicle and the whole highway is shut down as a means of egress. Using trains for evacuation, it would take someone physically cutting into the train tracks in hopes of derailing it for evacuations to not be possible by that method.

  14. Re:Actually very true on The End of the "Age of Speed" · Score: 1

    I wouldn't say too stupid:

    If you asked any /. reader who resides in the US, almost all would state that there should be some type of decent rail system put in.

    The problem is that the government is too beholden to special interests. Follow the money. Who makes cash by having people in the US drive cars and burn gasoline when an electric grid, hybrid cars, and passenger rail would make common sense to anyone otherwise?

  15. Re:Actually very true on The End of the "Age of Speed" · Score: 1

    There are ways to help mitigate that. I'd like to see grid computing with cars, so we can have highways that the vehicles can drive themselves. This way, Jane L'oreal who is putting on makeup can do so without affecting other drivers, and Buffy Texter can write a novel to her BFF, while letting car computers and central traffic control do the work for them, including spacing out vehicles to accommodate ones entering and exiting the freeway, and leaving a gap of 5-10 feet to allow for more vehicles per chunk of lane than would be possible with a human.

    Rail would be nice, but here in the US, what is needed is medium range high speed rail -- get people up and down from LA to the Bay Area, and possibly up to Seattle in record time. Long range rail (LA to Houston) would be nice as well, although anything not air based will take about a day to get coast to coast even at 200 miles/hour with no stops.

  16. Re:Chrome has a privacy mode on Apple Adding "Do-Not-Track" To Safari · Score: 1

    If Web browsers were engineered to value privacy, they would have some way of masking fonts and other identifying info. Even with privacy browsing, one can use EFF's Panopticlick to find out that in most cases, one's browser is unique, either due to the fonts used, the OS and browser, or a distinct combination of the above. I have yet to find a browser that obfuscates this info in a good manner.

    Until this is done, advertisers still can track on this information.

  17. Re:Chrome has a privacy mode on Apple Adding "Do-Not-Track" To Safari · Score: 1

    One can use tools like Sandboxie to help with making sure browsing traces are isolated from each other, and when done with the site, end up being gone, which helps local security, as well as remote security.

    For local security, putting the sandbox from Sandboxie on a TrueCrypt partition and having Sandboxie do a wipe when deleting the sandbox is good. Not just security from someone nosy with an undelete utility, but having file isolation so that possibly damaging stuff never ends up on the same drive as the OS or documents. The TC volume can be used for security (making sure that even if stuff is missed by a wipe, it is inaccessible to an intruder), but it mainly is used as a separate filesystem for isolation reasons. Should some compromised Web browser add-on fill up the filesystem or try to corrupt it (like a script that just makes directories until all inodes are used), the worst that would need done is a format of that volume.

    For remote security, using different web browsers in different sandboxes, or even instances of the same web browser in different spaces helps with separation of content -- something that takes over the browser that is doing banking transactions won't be able to take over the browser that is used for viewing pr0n and slurp up the pr0n subscription IDs and passwords.

  18. Re:More info on Self-Wiping Hard Drives From Toshiba · Score: 1

    The advantage of Ironkeys is that they are potted with hardened epoxy, and that Dremeling access to the chips is quite tough. Who knows if they would have any tamper resistant issues if someone drills small holes to connect wires.

    Ideally, all the crypto, including key storage should be on the same die, in a well thought out tamper-resistant package. Putting all the crypto on one chip means that an attacker would not just have to have a desoldering station, but access to a chip fab for technology. This is one reason Apple is playing in the semiconductor business -- locking things down on the die level means that it will be extremely hard for their trade secrets to come out, and also difficult for the JB scene to free up future devices.

  19. Re:Law enforcement... on Self-Wiping Hard Drives From Toshiba · Score: 1

    I more likely will see a hacker, or perhaps an employee selling the ability on the black market.

    This would be a nice bonus for thieves and industrial/national espionage professionals. While someone is staying and enjoying the Elbonian hospitality, their intel agents can pull the HDD out of the laptop, attach a specialized controller that has this protection disabled, dump the data, and then slide it back in, and nobody would notice.

    I'm less worried about LEOs getting access to data than thieves. The market for stolen data has grown, and it is about to enter its infancy. It is only a matter of time before fences start using a bogus controller like this to dump data out of a laptop. This then would be sold to clearinghouses, or to local thugs to find victims to case out for burglary, kidnapping, blackmail, or home invasions.

  20. Re:Law enforcement... on Self-Wiping Hard Drives From Toshiba · Score: 2

    That is true, as a forensics professional. Strict rules of police work apply in the business, and they make sense. For example, if someone does not use a hardware write blocker to copy the drive to an image, then performs study only on that image, the case is pretty much screwed up.

    However, where the rubber meets the road is in front of a jury of people who likely have little clue, nor really care about official P&P. They have zero interest that a forensics officer failed to use a hardware write blocker to pull data from a drive. Instead of jurors hearing "this disk was seized and was booted read/write with files changed after it was taken", the jury will hear "blahblahblahblah", rubber stamp a guilty verdict, then head to the nearest watering hole for some Duff Light from the tap to talk to their friends about putting some "evil hacker" behind bars.

  21. Re:For storage in certain devices... on Self-Wiping Hard Drives From Toshiba · Score: 1

    It would be nice if printer companies would do something fairly simple:

    When saving a file to be printed, AES256 encrypt the file with a random key (from a secure RNG), then store the key in RAM. If the file is to be stored for more than just a print job, have a small area of easily zeroed out, battery backed up storage for this.

    When the file is finished, zero out the key from RAM, and unlink() the disk file. Since the file is not recoverable once the key in RAM is destroyed, there wouldn't be a real need to wipe the drive, other than just peace of mind. It wouldn't hurt if the printer had a low priority thread in the background to zero out free space when the machine was idle.

    At the minimum, printer makers should have an option on the printer for a decommission. This option would purge all settings (network, local, security), then use an ATA secure erase on the internal drive (or drives). At least with this, one knows that the drive is at least zeroed and it would take a data recovery person (assuming this is even possible -- I have yet to hear of someone recovering stuff from a DBAN-ed drive) to find anything worthwhile.
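Added example (not part of mlts's comment and not any printer vendor's firmware): the spool scheme from comment 21, where each job is encrypted under a random AES-256 key held only in RAM and the key is zeroed before the file is unlinked. AES-GCM as the mode, the file layout and all names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const nonceSize = 12 // standard GCM nonce length

// SpoolJob is one queued print job: ciphertext on disk, key only in RAM.
type SpoolJob struct {
	Path string
	key  []byte // 32 bytes = AES-256; never written to disk
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // assumption: GCM; the comment only says AES256
}

// Spool encrypts data under a fresh random key and writes nonce||ciphertext to path.
func Spool(path string, data []byte) (*SpoolJob, error) {
	buf := make([]byte, 32+nonceSize) // AES-256 key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32:32], buf[32:]
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if err := os.WriteFile(path, aead.Seal(nonce, nonce, data, nil), 0o600); err != nil {
		return nil, err
	}
	return &SpoolJob{Path: path, key: key}, nil
}

// Decrypt recovers a job from raw spool bytes, such as a copy taken from a disk image.
func (j *SpoolJob) Decrypt(raw []byte) ([]byte, error) {
	if j.key == nil || len(raw) < nonceSize {
		return nil, errors.New("key destroyed or spool data truncated")
	}
	aead, err := newAEAD(j.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, raw[:nonceSize], raw[nonceSize:], nil)
}

// Finish zeroes the key, then unlinks the file. In a garbage-collected runtime
// this is best effort: expanded key material may linger until it is reclaimed.
func (j *SpoolJob) Finish() error {
	for i := range j.key {
		j.key[i] = 0
	}
	j.key = nil
	return os.Remove(j.Path)
}

func main() {
	job, err := Spool(filepath.Join(os.TempDir(), "job-demo.spool"), []byte("constructed sample page"))
	if err != nil {
		panic(err)
	}
	image, _ := os.ReadFile(job.Path) // what someone imaging the drive would hold
	plain, _ := job.Decrypt(image)
	fmt.Printf("while queued: %q\n", plain)
	job.Finish()
	_, err = job.Decrypt(image)
	fmt.Println("after Finish:", err)
}
```

The bytes read into `image` survive the unlink, which is the point: once the key is gone, a copy of the spool file recovered from the platters is of no use.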

  22. Re:So ... on Windows 8 App Store Screenshots · Score: 1

    I'm sure most /.'ers have encountered people like this. You don't have to be a burned out IT vet. There will always be the clueless (but with good intentions) Aunt Tillie type, the "OMGLALA" teen/tween type installing every animated emoticon program available, but the archetype that most people encounter that is one of the hardest to deal with is the Joe Sixpack one -- the person who has no interest in keeping his stuff secure ("because that is what my geek friends and Geek Squad are for"), and has an ego about it, so cannot be trained to perform even minimum computer sanitation duties.

  23. Re:So ... on Windows 8 App Store Screenshots · Score: 1

    It is a good thing in one sense -- getting Joe Sixpack to only download stuff from one central store or repository. This way, he might put down his Bud Light and not follow directions to manually install some "pr0n codec" from some sleazy site he is browsing because it doesn't show up as a link to MS's Application Market, or whatever it will be named.

    Of course, the dancing bunnies security hole remains, but having it become the exception and not the rule that software is downloaded manually and installed (versus going to a repo/store) will help to mitigate that infection vector.

  24. Re:Dropbox is already a "private cloud" on The End of Content Ownership · Score: 1

    This is why I like the idea of having one's personal PC or a NAS do the streaming via an encrypted protocol. Someone monitoring traffic will be pretty sure that what is going from the user's server to their phone may be music, but the contents would be almost [1] impossible to discern.

    [1]: I state almost -- there are always side channel and timing attacks that might be able to tell if one song ended and stuff like that.

  25. Re:This is like the end of history, right? on The End of Content Ownership · Score: 1

    Don't forget copyright/patent/trademark/other IP law that potential litigants may step in with. The lesson of mp3.com is a good example of this.

    Best solution? A private "cloud". Perhaps a way to stream from a computer or a NAS one's MP3 stash over an encrypted connection to one's smartphone or MP3 player. I'd love to see an app that does this, where I can have a backend part on my file server, while a frontend player app exists on my phone that groks dynamic DNS, uses a VPN or encrypted connection, and can use a streaming protocol with a fairly large buffer size for playlists. This way, it is truly *my* collection, and the storage space on the device doesn't matter.