Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories
0
Comments
5,534

Comments · 5,534

  1. Re:I prefer complete independence, thanks on Who Should Own Your Smartphone? · · Score: 1

    Call me a stodgy person, but I don't want corporate data on a personal phone. I'd much rather see employees get Windows Mobile devices, iPhones, or Blackberries where IT has full control of the device, including denying access to the camera (some contracts require cameras be disabled on phones), pushing out policies to wipe phones if they are off the network for x days, or remote wipe.

  2. Re:So basically on No More Firefox For Windows Mobile · · Score: 1

    Provided your phone maker doesn't push out an update that bricks your rooted phone. Find me an Android phone maker where I don't have to keep at a backlevel ROM so I can keep root (for example, the latest level on the Cliq locks out root and the holes to get root.)

  3. Re:This just in on Germany Warns Against Using Firefox · · Score: 1

    Sometimes I wonder if application virtualization like Sandboxie should be part of the OS. Not just Windows, but on UNIX as well. With ZFS, this is easier because a directory can be rolled back fairly easily due to the snapshot functionality.

    Another cool idea is how Thinstall (well, now called VMware ThinApp) packages apps. The app thinks it has admin rights and can happily doodle around the Registry and the filesystem, but in reality, all it does is just modify stuff stored in \users\blarf\appdata\roaming\Thinstall\appname. Even the Registry changes are stored as a file. If an OS could do this for legacy apps, it would help security tremendously, so if an app is compromised via a code injection, only that directory ends up suspect, and not the whole user environment, or even worse, the whole system.

  4. Re:They call that a service pack? on Microsoft Announces Windows 7 SP1 · · Score: 4, Interesting

    What I'd love to see is BitLocker given the ability to encrypt system/boot drives the way BitLocker To Go drives can be encrypted with a passphrase.

    This way, I could have decent WDE protection on machines without having to make sure that a TPM is specced on each of them, or use a third party utility. (This is nothing against PGP, TrueCrypt, or others, but corporate clients get real nervous when you spec a utility they never heard of [1] that handles a core security measure.)

    [1]: IMHO, it takes living under a rock to not have heard of PGP or TrueCrypt and be in IT, but there are those PHBs out there, and they make the purse string decisions.

  5. Re:Microsoft on What Free Antivirus Do You Install On Windows? · · Score: 1

    MSE can easily let you ignore false positives. To test this, I downloaded the eicar.com test file. MSE caught it, put up a dialog, and allowed me to ignore it. It won't get rid of it unless you tell it to.

  6. Re:Microsoft on What Free Antivirus Do You Install On Windows? · · Score: 1

    I swear by MSE myself on the client side. The engine is the same as their enterprise level AV solution and so far has proven itself on a day by day basis. It also is very lightweight. I have used some AV products that have a lot of CPU/disk overhead, and in the end don't provide as much protection as MSE.

    To boot, MSE is licensed at no charge (it's not free because it is paid for by purchased copies of Windows, and will check if the Windows copy is genuine.) Another advantage is that MSE doesn't nag to be upgraded to a premium version like other "free" AV products.

    For clients who need audit trails, I either recommend Symantec Endpoint Protection or MSE's big brother, Forefront Client. Both work well on servers, and both can give a status of what the level of protection is on machines on the network with ease.

  7. Re:STUPID disgruntled employee on Disgruntled Ex-Employee Remotely Disables 100 Cars · · Score: 1

    Or, just don't hack from home without a proxy. Even with a proxy, don't do something that will honk off someone enough that they will drop a motion of discovery on the proxy owner, as even proxies who say they don't log likely do.

  8. Re:and on Disgruntled Ex-Employee Remotely Disables 100 Cars · · Score: 1

    Sometimes I wonder if some system like this that can affect so many people with a bogus login, why isn't the access controlled with more than just a username/password combo?

    If I were running a car dealership and knew that all it took was one password and someone could crack in, kill all my customers' cars and cause me a lot of potential lawsuits, I'd make damn sure that everyone with any access to this system would have a SecurID keyfob at the minimum, preferably an online/offline authenticator such as the Aladdin eToken NG-USB. Of course, only a few employees would have access to the kill switch, and there would be a documentation trail showing that it has been past the contracted time for nonpayment and the time has come to send in the repo man. Of course, the software would have a sanity checker that would limit the amount of cars shut down at any one time unless it was someone like the owner of the dealership doing the work. This way, a booted employee would do little to no damage unless they physically stole another employee's smartcard (which would be fairly easy to get detected, especially if the card is used for opening a door lock, or clock in and out.)

    This is a sore point of mine, but why is username/password access the only thing protecting a lot of very sensitive services? It's 2010, shouldn't we have some sort of smart card standard by now, so client SSL certificates are easy to use, and widely accepted by websites? Perhaps a SIM card that holds the private key, and the cellphone acting as a trusted PINpad and screen, and this works regardless if the phone is a "dumb" phone like a RAZR, or a smartphone running Android, Windows Mobile, or OS X?

  9. Ugh, this isn't good. on MS Virtual PC Flaw Defeats Windows Defenses · · Score: 4, Informative

    The good news is that this doesn't affect the big iron (Hyper-V). However, for people who have Windows 7 and XP mode, using it for Web browsing, this will cause them a world of hurt.

    Since this essentially doesn't affect servers, I'm going to recommend to people that they move to VMware Workstation if they want commercial support, or VirtualBox if they desire an open source solution. Either one of these has as many features as VirtualPC (although VirtualPC has one nice advantage -- it drops changes to the undo disk fast compared to the 2-3 minutes VMware does.)

    A hole in a hypervisor is a really bad thing. A lot of people use VMs for honeypots, and this would cause unintended infections, or other damage, perhaps catastrophic.

  10. Re:Uphill Battle on Microsoft Previews IE9 — HTML5, SVG, Fast JS · · Score: 1

    I see IE6 used in three places:

    1: Users who are just dead-set on keeping IE6, no matter what.

    2: Businesses who, like the parent stated, have internal web apps made by someone who wanted "job security" by making their stuff locked to IE6 where even subsequent versions of IE that are run in compatibility modes do not work.

    3: Businesses who have extremely long configuration change cycles. This means that only a certain OS/browser/app snapshot is used and deployed across machines, and it is either only updated via WSUS with a chain of approvals (attorneys, license monitors, "security" monitors, regression testers, etc.) Environments like this, it can take 4-5 years before another OS/browser/office suite snapshot gets vetted. In these environments, what I have done was get the bean counters to license ThinApp from EMC so the machines can remain locked down, but users are still able to use the latest Office products. Because ThinApp saves all Registry changes into a directory, not even the HKCU is modified. This way, a company can use newer Web browsers as well as the latest Office products without having to modify the core installed image.

  11. Re:I've said it before, and I'll say it again.. on 11th Circuit Eliminates 4th Amend. In E-mail · · Score: 1

    The two operating systems I know which support S/MIME in a mobile environment are Blackberries, and Windows Mobile 6.0 and newer. Both mobile operating systems also support encryption of memory cards, remote wipe, and erase if someone tries to guess the password/PIN too many times.

    Android NEEDS this functionality if it is to compete in the business sector. Even Apple, which is a consumer company, has put encryption and remote wipe capabilities into the iPhone so it can be used.

  12. Re:You can't really tell. on Best Resource For Identifying Legit Applications? · · Score: 1

    Even better would be a system similar to Android. Before a package gets installed, it has a manifest list of permissions that are presented to the user before it is allowed to continue. Android also doesn't use executable files as the installation format. IMHO, executables should never be used to install. Instead, .MSI files should be the primary way that programs get installed.

    I'd like to see Windows do the same. Present a user with "this program wants these permissions" and give the option to install, abort, or custom select permissions. For example, a Tetris clone shouldn't need to take incoming connections in general.

  13. Re:It could be related to ACTA, or. . . on Major ISPs Help Fund BitTorrent User Tracking Research · · Score: 4, Informative

    It could also be a last-ditch effort for ISPs to show they can police themselves before they get shackled by Draconian regulations. ISPs also hate high bandwidth usage (expanding networks costs money, so to the bean counters who failed ITIL class in MBA school, it is better to charge fees, throttle, and kick off users than it is to expand networks to handle new growth and new applications.)

    ISPs are not going to like ACTA so they want to avoid it as much as they can. Having to record not just packet headers, but every single packet a user has sent/received and store it for 7 years is going to make them have to spend large amounts of cash for disk farms. They also don't want to be the focal point for customer outrage when Big Brother-esque stories happen: For example, a divorce happens, the ISP gets a motion of discovery, and has to go data mine in the archives to come up with the exact web pages a husband was viewing in the past on a certain day.

  14. Re:bzip2 on Long-Term Storage of Moderately Large Datasets? · · Score: 1

    In ages past, there was an IBM mainframe that did just this. It automatically "wrote" blocks to negatives, dropped them in developer/stop/fixer bath, then put them in another space ready for indexing.

    Maybe this is something that we might be able to use again. If we used good error correction codes, high quality microfiche which is stable over a long time (centuries), doesn't yellow or get brittle, this might be one of the better archival processes.

  15. Re:I don't really see what the big fear is. on Tethering Is Exhilarating (With the Nexus One) · · Score: 1

    I don't mean to be a party pooper, but be careful when rooting Android phones. For example, one can briq their CLIQ (won't even boot to the USB flash loader screen) if they aren't VERY careful about what version of radio ROM they are on (that may get flashed OTA) versus the main OS ROM. Before grabbing something and flashing willy-nilly, read the stickies on the forum, and look for any warnings. Then check the first few pages out to make sure the latest root method doesn't turn your device into e-waste.

    Some phones have no trouble being rooted, such as HTC. Others, be careful. I know another brand that one could get root, but since there were no images to flash back to if there was an issue, a hosing of the filesystem would mean a dead phone.

    Oh, and if one doesn't know what the difference between "#" and "$" means on UNIX, please read and understand why running as root for anything other than admin tasks is very, very bad.

    I'd highly recommend not rooting a phone at all, unless there is a specific reason that requires it, or that one knows what the risks entail (usually by checking the phone's forum fairly often). Since I like a custom ROM with as little stuff loaded as possible, I decided to take the risk of a custom flash. However, Android doesn't need jailbroken to run most apps, so unless one wants something like nandroid or a ROM level backup, rooting isn't necessary for most things.

  16. Re:Stupidity of leadership..or quite the contrary? on US Unable To Win a Cyber War · · Score: 1

    Actually, ACTA is something that repressive governments want. It gives them everything they dreamed of in a way that short circuits any and all legal checks and balances, just like WIPO did:

    24/7/365.25 surveillance on all people? Check.
    Ability to permanently disconnect people without due process of law? Check.
    A police force whose burden of being paid for is not on the government? Check.
    Ability to make someone's writing and opinions disappear forever from the Internet? Check.

    This is a tyrant's wet dream. Repressive governments have already signed off on it.

  17. Re:Stupidity of leadership... on US Unable To Win a Cyber War · · Score: 1

    Don't forget the cost of education:

    An American who gets a B. S. degree usually has $25,000.00 to $50,000.00 in student loan debt. Get a Master's, and it can hit six digits.

    Someone from Chile, China, Argentina, Venezuela, Russia, or most nations, the cost of their bachelor's degree to them? $0.00.

    What does this mean? The American has to find higher paying work to pay off the student loan debt while virtually anyone else in the world can undercut them and have a better standard of living.

    So, just due to this fact alone, the US is hamstrung in global competition.

  18. Re:Just like desktop linux. on Google Android — a Universe of Incompatible Devices · · Score: 1

    Even better, you can distribute your programs three ways on Windows Mobile: A .cab file that installs on WM, an executable that runs on the PC and installs it via ActiveSync (downside is that Windows is required on the PC), and an executable that runs on the WM device.

    Windows Mobile is great, but what seriously injured it in the marketplace (not killed -- it was only fairly recently that the iPhone got more marketshare than it) was the lack of two things (which Microsoft is taking pains to address): A centralized app store where people can buy apps in one place, and a "finger friendly" UI. WM's UI worked perfectly in the days of stylus based use. However, since the iPhone, people are used to gestures, typing on the touchscreen, and multitouch.

  19. Re:Good on Microsoft Confirms Update-Linked BSODs Required Compromised Machines · · Score: 2, Insightful

    Even better, it gets the machine off the net, so other people are not victims of DDoS attacks, spam, automated scans, and other crap that might come from a botnet client.

    I admit I sound like a jerk here, but I'd rather have a machine with a BSOD than a rootkitted box. Reinstalling or reimaging a machine may be a bit time consuming, but it is nowhere near the time it would take to recover access to compromised bank accounts, Web accounts, gaming, and dealing with identity theft issues.

  20. Re:Hmmm...listen closely... on I Use Twitter, Please Rob Me · · Score: 1

    This is not just auto, and this is why I *highly* recommend people get high security locks on the doors of their house. If someone can't pick an Abloy PROTEC and kicks down the door, this leaves an obvious signature that there was a break-in. However, if someone successfully picks a lock, it is a lot harder to prove that an intrusion took place.

    At the minimum, I recommend people consider something like Kwikset Smartkey locks. These use a sidebar and can be picked if given enough time and effort, but someone with a bump key isn't going to be able to pop it open in seconds.

    Best of all worlds would be to get some solid high security locks (Medeco, Schlage Primus, Abloy PROTEC, Mul-T-Lock MT5, etc.) High security cylinders don't just provide pick resistance, but they also help ensure that keys don't get copied without some effort, and tend to work better on a day to day basis due to tighter tolerances and better materials used.

  21. Re:Question on How To Replace FileVault With EncFS · · Score: 1

    On the Mac, I see five popular utilities for encryption: FileVault/sparsebundle, PGP WDE, TrueCrypt, and EncFS.

    PGP WDE of course is good against leakage. Since everything is encrypted even the OS, there is nothing an attacker can figure out about the contents of the drive.

    TrueCrypt is also good against leakage. One can't tell what filesystem is used inside a TC volume, much less actual contents unless they are able to find details outside the volume (most recently used history, etc.)

    FileVault/sparse bundles are a great solution because they not just go a good way in hiding contents, but 8MB bands which get changed are a lot easier for a backup utility to back up than a full image. The downside is that this is an Apple-only utility, so there is no cross platform compatibility.

    EncFS is good because it takes no additional partitioning or volume storage, offers a good amount of choices for security, and has been around in some incarnation since Matt Blaze made CFS. It also hasn't had any major weaknesses in security.

    What I use:

    PGP WDE for starters. Not just data files are important. I like protecting programs and license keys which cost a pretty penny, as well as data which is important but does not reside in the home directory, such as stuff that lands in /tmp.

    FileVault. It is transparent, and the version in SL seems to be robust enough that I don't have to worry about the glitches which bit people in previous OS versions. I use this for separating various projects by users, so work stuff doesn't mingle with general home directory stuff. The bad thing is that with FileVault, you can't ssh in via remote and have it automatically mount your files. But on a laptop, this isn't really an issue.

    TrueCrypt is good for archiving files, because other platforms can read it, assuming one uses FAT32 or FAT. NTFS is also an option, with a commercial utility.

    EncFS is a good choice, and it is cross-platform, so another machine can read the files. However, I just don't get around to using it because the sparse bundle functionality in Apple's Disk Image is so useful. An attacker can't discern what is in the sparse image, but a backup program is easily able to back up changes.

    All in all, I wish Apple would implement something like BitLocker. It would take a TPM [1] to be present on Macs, but what it would give a user is completely transparent encryption in day to day use, but still keeping data out of the hands of an attacker, unless the blackhat both knows the user's password and is able to gain physical possession of the Mac. It is not completely secure, but it is as good as one is going to get for most things. If a blackhat is able to read the RAM of a machine, they would be able to do this with FileVault if a user is logged on. A blackhat who has the cash to decap a TPM chip nondestructively usually has the cash for a rubber hose, and rubber hose decryption has a far higher success rate of working. Another advantage of a BitLocker type encryption system is that the OS is protected too, keeping keyloggers and Trojans from being inserted.

    [1]: Shipped turned off and disabled as per spec, of course. The user can enable it if/when he or she wants to.

  22. Re:Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 1

    That is why I wished the banks took the high road and went with on-chip signing and validating. This way, a terminal could tell if the request for a transaction was actually signed, versus not, and deal with that.

    Any other method than the tried and true public key standards is just asking for trouble. Had these banks taken the time and trouble to do a PKI-based transaction process, the blackhats would be attacking the physical cards for the keys one by one, as opposed to cracking the whole system wide open.

  23. Re:Docking station? Who cares? on Why Apple Doesn't Market Squarely To Businesses · · Score: 1

    A good docking station (one that isn't just one that hangs off a USB port) is a very excellent thing to have. It allows you to not just have a good monitor and keyboard ready as soon as you push the machine in, but also provides security (a lot of docking stations are lockable to the desk, and can lock the laptop in docked mode.)

    More advanced docking stations even offer items like PCI (and IIRC, PCI-E) slots, ability to offload onboard video, additional disk storage (which can be used in combination with a backup utility to have a secure place of documents and make bare metal restores easier), and more network ports. The nice thing is the ability to completely disconnect with a press of a button and a tug of a laptop, and not have to worry about unplugging a tangle of cables. However, laptops progress so fast, that very advanced docking stations are rare. Usually in most cases, the best one will find when it comes to a docking station is a port replicator or a monitor stand.

  24. Re:Chip and Chip security... wait a second! on European Credit and Debit Card Security Broken · · Score: 2, Interesting

    How about storing the PIN similar to how TrueCrypt validates a hash? One value is a random salt, which is decrypted by the PIN the user types in, and that is compared to the second value. Add in a number of rounds to help deter brute forcing.

    However, what really is needed is for the smart card to either delay access with an exponentially increasing time, or after 3-5 bad guesses, the card blocks access to the PIN, until released by the provider, similar to how GSM SIM cards work.

    Best of all worlds is if the European banks just went with a true smart card system in the first place, where offline transactions were signed/decrypted on chip by the card, and the card readers presented the transaction to be signed or declined.

  25. Re:Huh? on A "Never Reboot" Service For Linux · · Score: 1

    Nobody in their right mind would trust a single machine if 99%, much less 99.9%, or even 99.99% uptime is required. A HA infrastructure is critical. Yes, a single machine [1] does have a good chance of running at 99% over a year, but that is pure luck.

    I have seen companies run multiple HA layers. From the applications being clustered, to the VM the app runs on being clustered onto multiple machines, to multiple SANs in geographic separate areas of the US. This stuff is insanely expensive, but compared to downtime (especially for anything financial), it is a good investment.

    [1]: I mean PCs to the rackmount Suns. An IBM mainframe with high RAS is a completely different story, as some have multiple CPUs execute the same instructions and the results compared.