Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories
0
Comments
5,534
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,534

  1. Re:Duh on Microsoft Sees Linux As Bigger Competitor Than Apple · · Score: 1

    Apple sells support too (AppleCare). One of the reasons a lot of consumers buy Macs is because they can call Apple about a problem, regardless if the issue is with iWork, OS X, or the Macintosh hardware. They won't get told, "oops, that's vendor 'x' that caused that. Go bug them." This a lot less aggravating for a nontechnical user (e. g. your usual Aunt Tillie) than having to figure out if it is Dell, Microsoft, the maker of a sound or video card, or the app vendor who is at fault for some problem.

    On the business end, IBM, Sun, and HP do the same thing (though you pay a lot for this). CATIA abends on your pSeries machine? Call IBM, and be it a problem with the app, AIX, or the underlying hardware, they will fix it.

  2. Re:That's really cool on Microsoft Unveils Windows 7 File-Sharing Beta · · Score: 1

    Perhaps combine the FUSE driver for this with an EncFS layer, or even a TrueCrypt volume that uses a keyfile (obviously not stored on any remote media)? This should help.

  3. Re:But the battery is still $189 on MacBook's "Unremovable" Battery Easy To Remove · · Score: 1

    This is one reason that Apple is doing so well. They sell a lot of machines to people who are not caring how much MHz the cores are, but what work they can do. If something breaks, there is both a place to call, and a place to physically talk to a live person in an Apple store. I've had to deal with PC companies who the second they even think they have a software issue, will immediately say, "aha, don't bother us, call Microsoft... ." This is also why companies pay the big bucks for enterprise class machines from IBM and Sun -- one entity to call and yell at if something goes toes up, and it doesn't matter if the problem is software, hardware, or drivers, someone will end up fixing it at that company.

  4. Re:What happened to the Torx screws? on MacBook's "Unremovable" Battery Easy To Remove · · Score: 1

    When you twist a screwdriver, Torx has one of the better mechanisms for ensuring force stays in the rotational axis. Philips tends to cam out (actually Henry Ford adopted Phillips screws because of the fact that they do cam out rather than break.)

    I also agree with you, although I think mechanics who use the existing Allen head fixtures like bicycles may balk at the change, however I think it would be good in the long run.

  5. Re:DRM is wrong. on Gamers, EFF Speak Out Against DRM · · Score: 2, Insightful

    The best "DRM" I've seen was a shareware program that shipped with source code for UNIX based systems. The directions were to register it for $25, then set the REGISTERED macro to 1. Of course, you could do that without registering it, but it was obvious that doing so was an EULA violation.

    Another example of this is iDupe, a program to find and optionally remove duplicate tracks in iTunes on OS X. When you register it, it has a very simple method to tell the program that it is registered (and not the shareware version). People setting this without registering know that they are violating the EULA. However, if you did register it, you don't need to keep an activation code, you just tell it that it isn't shareware and you have the functionality that you paid for.

    IMHO, that's all that is needed. Make it where a user has to explicitly know that an action they are about to take is infringing IP, but if he or she chooses to, don't get in the way. More Draconian DRM than this won't stop the dedicated people who will just download a patch, or just grab the download from the usual warez methods.

    Businesses and organizations don't need DRM to ensure license compliance. In fact, most volume licenses are not locked to a license server. However, the business will have hell to pay come a BSA audit, and the invoices for licenses are not greater or equal to the amount of licenses for stuff really in use at that site.

    If you have to have a DRM system, look at Neverwinter Nights 1 and how Bioware (before getting absorbed into EA) patched out the CD-ROM copy protection. This did not affect sales in the slightest. The fact that the game requires a unique serial number when online is more than enough to get people to buy copies, especially if playing multiplayer worlds.

  6. Microsoft might have a chance, but... on Competition For the App Store Is Mounting · · Score: 2, Interesting

    I can see MS making an app store, but the rub is to get people to be using Windows Mobile based smartphones. So, the key is to get Nokia, LG, and other cellphone makers who are using JVMs on their low end phones to move to WM as the OS of choice. These are the cellphones that people obtain for free with a one or two year service contract, such as Motorola RAZRs. The trick is to get the phones out there in volume. I don't know if this can be done, though.

    Once WM is very common, as opposed to now where it pretty much is in a limited selection of phones, both Microsoft, and the WM app makers would benefit. Windows Mobile is a decent platform to write code on. It does require signed code for smartphones for the most part (less with PocketPC devices), but app makers can buy their own certificates and do the distribution themselves.

  7. Re:Though inevitable, this saddens me. on Palm Pulls the Plug On Palm OS · · Score: 1

    I am sorry to see Palm OS go, although a company has to do what they need to do to survive. I have an old Palm V. It is one of the few devices I have that can be said to have a timeless style. It has a metal case, a simple, clean style, and the old PalmOS 4. The dock it goes in is simple, but elegant. It may not have the bells and whistles that modern cellphones or PDAs have, but it is extremely usable and does the tasks it was made for exceedingly well.

  8. Re:Fantasy: Apple computers aren't overpriced on Telling Fact From Fantasy In the World of Apple Rumors · · Score: 1

    One reason Apple is making money is that they are selling computers for people to get work/play done, as opposed to focusing on how fast their machines are. Apple sells the fact that machines running OS X have fewer security problems [1], and that they get the job done with little fuss. One of the Mac's strong selling points is that a customer can take a Mac home, plug it in, power it on, and be doing work/play almost immediately, with no nagware/crapware apps, pop-ups, or demands to install other utilities (antivirus protection, etc.) Macs also are more forgiving for people who don't keep with computer security basics, while it can be pretty easy for someone to get their Windows machine jammed up with malware.

    Apple also offers good service. In these days where most PC makers force customers to withstand 3-4 hour hold times only to get an offshore phone bank with people reciting from a rote script when they try for customer support, Apple's availability of a Genius Bar for face to face talk, as well as good phone and web support is a breath of fresh air. A lot of people don't mind the premium for a Mac because they want their computer working, and Apple's support is excellent.

    There is also the fact that Apple is also the vendor of their OS. There is no need to be transferred between the PC vendor and Microsoft, which often happens when the PC hardware techs think the problem is Windows, and the Windows guys think the issue is with software.

    Yes, Apple hardware is more expensive at some platform levels than competing PC hardware, but a number of people buy Macs because they want to do work and have a single place to yell at if something goes wrong.

    [1]: OS X's security can be argued endlessly why, from malware writers getting more bang for the buck from hitting Windows to the UNIX security model where application designers have been writing with the user/root distinction for decades.

  9. Re:TrueCrypt on How To, When You Have To Encrypt Absolutely Everything? · · Score: 1

    On Windows, one can get this functionality, but it requires Active Directory and smart cards (Aladdin eTokens, a CAC + reader, etc.) Almost all smart cards will lock and prevent access after a number of bad attempts (usually 3-5). Other cards will add an exponentially lengthening delay.

  10. Re:Heh on Vanguard Dev Talks About the Game's Future · · Score: 1

    The funny thing is what WoW is becoming so standard, it gets used as a communications medium. A lot of people have friends that the best (perhaps only way) to get in touch with them is through the game.

    This is the reason that I keep my WoW sub current. There are so many people I know that their E-mail address, IM handles, and Facebook messages are changed or never watched, but people do log into WoW to check on their auctions and WoW mail tends to work well almost all the time.

    Add a Blizzard Authenticator (a rebranded Vasco Digipass Go 6) to minimize the chance of an account being stolen if a box gets compromised, and for most things, its a decent means of communication.

  11. Re:Possible solution... a SecurID like card on Major Spike in Security Threats To Online Games · · Score: 1

    I agree. Thankfully I've never had to deal with a dead token yet, but the battery life of those are only a couple years. I wish these type of tokens would have some mechanism to replace their battery and resync them with the atomic clock so one doesn't have to worry what to do when the words "disabled" or runs out of battery.

  12. Possible solution... a SecurID like card on Major Spike in Security Threats To Online Games · · Score: 3, Informative

    Similar to the concept of OpenID, perhaps the solution to password theft would be a SecurID card that all the main game companies would have as an option to attach to an account. Right now, Blizzard has one, which is an OEM-ed Vasco Digipass Go 6. I just wish SOE, Valve, and other networked games would offer this.

    Of course, this brings with it its own can of worms, like what to do if a token is lost, disables itself, or stolen. Blizzard requires a fax of a lot of RL info before it releases control of an account if a token is lost. PayPal/eBay have a mechanism of calling one of the phone numbers on file.

    The advantage of two factor authentication is a big thing, as game accounts are worth a lot of money. Not just for characters to sell, but to use as farming/exploiting/spam bots until the MMO company bans the account.

  13. Want to know how to make a card private? on "Privacy Baseline" For European EID Cards · · Score: 1

    OK, this is rough thought, but this is one way off the top of my head to make privacy as integral as part of the structure as security.

    First of all, start with your average smart card, have your user private key on it and a PIN. The key stored can be revoked by whatever the EU's CA is and reissued.

    Now, start adding certificated by whatever certifying agencies. For example, a county adds a certificate that this user is born in their county. A university adds a certificate that the user got a B. S. in chainsaw fencing at this time. The immigration authority signs a certificate saying the owner of the key is a bona fide citizen of the country. Finally the police department signs a certificate (perhaps a normal life, perhaps a short-lived certificate that is renewed when asked) stating the person has no felonies on their record.

    Something that happens to change this (someone drops their citizenship), it gets revoked.

    Now, by starting on the principle of assume nothing, a pub can ask for someone's smart card, check that the picture of the person holding it is the keyholder, then check a certificate on the key that the user is over 21 for drinking (if in the US.) The certificate does not give a birthdate. All it states is that the person is of legal age to get plastered. If someone is applying for a job that requires no felonies, the card will have a certificate stating this. All that is answered is just the question, no personal details are offered.

    If a place finds no certificate stating a user isn't a felon, then they can do a background search with the user's consent, but if a user isn't a felon, no searching is needed.

    Of course, a user can hide/show certificates, so when signing a pay receipt, the merchant doesn't get free access to all the details of citizenship, etc.

    The one problem I see is a lost or compromised key. This can be fixed by one of two ways. One is to revoke the core key and have all the CAs re-sign certificates to a new key. Another way is a certificate granted by the core card authority basically stating that all the goodies on revoked key "x" now apply to current key "y".

    Voila, people get privacy, and security is also assured (as best a PKI and other structures can. Nothing is perfect, and I'm SURE there are flaws in this idea.)

  14. Re:Surprise to Anyone? on More Indications Windows 7 Is Coming In 2009 · · Score: 1

    Without comparing amount of shares, its sort of like comparing (pardon the pun) apples to oranges. You can point to stock history and comment that Apple's has gone up in the past several years, but a stock value in a vacuum means little.

    Long term, I'd buy and hold both. IMHO, Apple's stock is shining since 2003 and the iPod so it is a long term growth candidate. I'd also buy and hold Microsoft's because they have nowhere to go but up. Now is a great time to buy established tech stocks and put them away for 10-20 years if you have the funds.

  15. Re:Here we go again..... on Exchange Comes To Linux As OpenChange · · Score: 4, Insightful

    There is also Sarbanes-Oxley and other issues. Part of the costs of keeping "Due diligence" valid by doing Exchange is that Exchange comes with a lot of the features needed for compliance built in. For example, with E2007, it is almost a no brainer to set up archiving and retention so incoming and outgoing E-mail is retained as per laws... laws that are a bad thing to break.

    An OSS product is going to have to not just grok the Exchange 2007 protocol, but be able to support features that Exchange offers, from OWA, to replication and clustering (larger installations have one Exchange server on their DMZ and a cluster for their mailboxes.) Most importantly, companies will need to rely on the solution to be able to archive and audit. If a solution can't produce logs when auditors come by, people go to prison, as per HIPAA, Sarbanes-Oxley, or CALEA.

    Maybe RedHat could do something like this and get it FIPS/Common Criteria/whatever certified so people have an alternative to Exchange, but until then, a lot of companies will remain tied to it and Active Directory.

  16. Re:what happens if google folds on Google Unofficially Announces GDrive By Leaked Code · · Score: 2, Informative

    TrueCrypt is an excellent solution, its only drawback is that you have to specify fixed-size containers. Because the GDrive won't be NTFS, you can't use TC's sparse file option. There are some ways of making containers that can expand to fill up whatever quota Google gives a person:

    If on Linux, you could use EncFS.

    OS X can use EncFS + FUSE, or one can use the Disk Image tool and create a sparse bundle image which is in actuality a directory with 8MB files (called bands) under it. When something is changed, only the relevant changes to that 8MB band are propagated, which both allows for the image to dynamically expand and be easily backed up. You can also use PGP and PGPDisk. So, you have three good options.

    With Windows you will need a commercial solution: PGPDisk creates expanding drive images that expand as files are saved to them.

    There are other options too. You can use 7Zip, WinRAR, or PKZip for decent (AES-128) encryption for archives and store those.

  17. Re:You'll still have to keep ahead of the tide on US-CERT Says Microsoft's Advice On Downadup Worm Bogus · · Score: 1

    That is a good idea, and I think some Linux distros implement just that. However, I wonder if a browser exploit could be used so the HTML code (or Javascript run) might be used to execute something anyway.

    A good compromise most likely would be disallowing everything but a limited HTML subset (no Javascript, no remote links, no redirects to other pages) Another idea would just offer a text file shown to the side of the media's root directory.

  18. Re:You'll still have to keep ahead of the tide on US-CERT Says Microsoft's Advice On Downadup Worm Bogus · · Score: 1

    At the time, it wasn't worms and viruses for UNIX. Viruses were mainly MS-DOS based back then, with a couple being for Macs. In that time period the last big worm was RTM's. However, there was the threat of script kiddies, either university students with a lot of time on their hands and access onto their university Suns. Other platforms had their weaknesses too, from catting text to other people's TTY devices (which was fun to do to mudders) to finding systems with non-shadowed /etc/password.

    This threat gave system admins headaches, especially for SVR4 programs that they didn't have source for. Yes, they could compile a BSD binary or replace something with GNU, but then they end up in the unsupported territory if something subsequent happens.

    However, the point does remain -- during that time period, UNIX variants were the biggest target for security breaches because they was the predominant OS on the Internet. These days, Windows is the largest, so it is the most probed.

    Should some other OS take the crown as #1 for popularity, expect black hats to spend billions of dollars looking over every bit of it to find a vulnerability, because there is a lot of cash that can be made for a remote root zero day.

  19. Re:You'll still have to keep ahead of the tide on US-CERT Says Microsoft's Advice On Downadup Worm Bogus · · Score: 4, Informative

    I remember the days pre-Windows when UNIX vendors were cursed and sworn at because they didn't patch the latest bugs quickly.

    People will attack whatever operating system gives them the most bots for the buck. If the predominant OS is a UNIX, then it will be invisible .ko/.kext modules that will be the sysadmin's bane.

    Right now, there are two main attack vectors other than the PEBKAC "hole" and social engineering. The first, a direct attack on a machine, can be mitigated by a solid firewalling router, so an attacker has to deal with a hardened attack surface before touching the more chewy machines behind it.

    The second attack vector is the Web browser. It is in constant contact with untrusted code. To secure this beast takes more than just good defensive programming because even with a solid browser, a third party plugin might cause issues. It takes cooperation on multiple levels, where the OS has hooks to run the browser in a sandbox, but yet allow it to have upload/download functionality that users want. Vista's protected mode of IE7 is a great start, but all Web browsers need this protection, whether it be done by SELinux type profiles that exist in various Linux distros, or actual virtual machines that completely roll back all changes except to the bookmarks when the user is done and closes the browser session. Solving this problem will close a lot of potential security threats.

    Finally, autorun just needs to go, and be replaced by a different, more secure system. Autoplay can stay, but it should never run anything other than showing the root of a CD or DVD, or pulling up a media player if a CD or DVD is inserted. In no way should an executable ever be automatically executed by default. Its just too easy these days to make a U3 flash drive with a bogus CD partition with malware present.

  20. Re:Pre-scrambling drive on Single Drive Wipe Protects Data · · Score: 1

    Another idea is to have the drive controller keep a free space bitmap... tell the drive its zeroed out, then on subsequent reads, if it reads from a sector that hasn't been written to after the zero out, it just returns a stream of zeroes regardless of the real data on that sector.

    Bonus points if the drive controller does encryption, storing a key in protected memory, and on a zero out, change the encryption key, so if someone replaces the controller, the data is still inaccessible.

  21. 48VDC pros/cons (IMHO) on DC Power Poised To Bring Savings To Datacenters · · Score: 5, Interesting

    Pros:

    No power supply needed for each machine. This removes a major point of failure. Instead, one would need to just step down voltages to the 5 and 12 volt rails. This also helps with cooling because the room AC/DC converter can be cooled with a dedicated system, either liquid, or part of the HVAC system.

    Cons:

    48 VDC needs a dedicated connector with a high plug/unplug cycle rating that people know is 48 volts and 48 volts only. It sucks when you have to manually wire it up, because this takes time and there is always the risk of getting zapped if you don't throw the right circuit breaker (or pull the right fuse) on a telco rack where 48V is in use.

    Because there is only one 48VDC power supply for a room, it has to be held up to a lot more rigorous standards than average mains current. It has to not just provide 48VDC, but provide it under extremely heavy load without the voltage dropping by much.

    Maybe 48 volts would be a new computer standard. The key is not having to wire it up manually like some stereo speakers, but giving it a dedicated, foolproof, power connector that Joe Twelvepack who is slurping down his seventh can of Bud Light can easily and reliably plug and unplug while staggering around in the back of the server room until his shift ends.

  22. Re:The new battle ground on Interview With an Adware Author · · Score: 1

    I'd love to see virtualization as a solution, perhaps on an app level like Thinstall where the apps have their own filesystem and Registry and can only crap their own part up, other than the My Documents folder so a user can save documents, and some way of sanitizing clipboard output. Win16 apps can have their API, Win32 apps can have theirs, etc.

    There are issues though with this:

    Performance. How does one do Direct3D calls from Win32 apps to the screen in a fast amount of time? This can be addressed, but is something to consider.

    What level of virtualization? The most secure is having every CPU instruction virtualized like how Bochs works. This prevents F00F bugs and other items. However, there is a big performance hit if translating at this level. As one goes up the chain, performance becomes greater, but of course, encapsulation and security come into play. For example, a Web browser. Do you isolate it at the machine level so it is completely separate and damage is limited if it gets compromised, or does an OS limit it at the application level similar to IE7 and Vista's low priv mode for it.

    Also, how would one share data. If an app is completely virtualized, it needs to write in a space so another app can pick up the files. For example, Word would need to put documents in a place so Acrobat could pick them up, or a printer can print them. If this is not implemented right, it either would cause security issues or prevent proper info exchange between apps.

    MS is on the right track though, especially with Hyper-V. I'd like to see them work more on application level isolation, so someone can install an adware app, and it can happily muck around with what it thinks is the Registry and the host computer's filesystem, but in reality, all the registry deltas are saved to a different spot, and are only visible to that adware program.

  23. Two other options... on "Smash Your Hard Drive" To Fight Identity Theft · · Score: 1

    One option is something I try to recommend, but often times its not doable in practice:

    Don't have unencrypted data on the drive in the first place. TrueCrypt has the capability to overwrite sectors while encrypting to ensure that unencrypted data isn't on the drive. On the Mac, you can use PGP whole disk encryption for similar functionality. For data drives, the latest version of TC allows one to encrypt a volume in place (also offering an option for multiple overwrites.)

    Combine this plus a good password (or use of keyfiles for even better security), and for all but classified data, one can just run a zero pass and call it done. For better security, one can restore a dummy keyfile (overwriting the areas with the volume master key 36 or so times) and unless someone can crack AES-256, they won't be accessing that drive's data anytime soon.

    Disclaimer: Know your threat model, and who might be after your data. For someone who just doesn't want their data to fall in the wrong hands if their laptop is stolen, TrueCrypt or FileVault is more than enough. If someone has stuff that some organization is willing to pay big bucks to try to disassemble it with a SEM, then use one of the techniques mentioned in previous posts to reduce said hard disk to component atoms.

    Another option that isn't mentioned much because its difficult to gain access to it is the low level ATA spec secure wipe of drives. All recently made hard disks have a built in secure erase function that erases on the disk level. A utility, HDDErase (http://cmrr.ucsd.edu/people/Hughes/HDDEraseReadMe.txt) might be usable depending on the computer and how fast the BIOS tells the hard disks to lock down access to the password protection commands. I use this secure erase function with a pass of DBAN to ensure that non critical workstations which are changing owners have blanked drives.

  24. More intrusive ads for the same revenue? on How Web Advertising May Go · · Score: 4, Insightful

    What I fear is that due to this, websites will end up having to host more intrusive ads (interstitials, the whole website being a Flash object that demands not just Flash enabled but the saving of shared objects) for the same money, as well as more code to try to block ad blocking programs (which makes it worse long term as people go elsewhere for similar content.)

    Even now, a good number of Web forums will insta-ban someone just on the mention of Adblock and NoScript because the sites are so desparate for revenue.

    Long term, I wonder if the solution is a page click clearinghouse, where people pay a central subscription center (in return for no ads and other membership benefits to all subscriber websites) which pays websites by how many pages that user browses from their account. Essentially, similar to how Slashdot does its subscriptions, except with member sites getting paid per view.

  25. Re:Why trust the PKI? on CCC Create a Rogue CA Certificate · · Score: 1

    I'd like to see banks print out their cert's SHA-512 hash onto printed material, and as stated above, have a mode in the browser to scream bloody murder if www.bank.com's cert is anything but the cert with the hash pre-entered.

    Web browsers could also distribute a list of certs for major sites that are doublechecked to be actual certificates for that site, similar to how root certificates are maintained. One could even go to the next step of precaching the actual public keys on the Web browser so there is no chance of a site trying to inject a bogus key for a known site. Of course, there are weaknesses in this... SSL certs expire and too many precached certs would add a lot of bloat, similar to including a huge /etc/hosts file rather than using DNS.