Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories
0
Comments
5,534
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,534

  1. Re:The way of the world on Bad Security Driving Out the Good · · Score: 1

    Bruce summed it up with his term for it, security theater.

  2. Re:He is talking out of his ass. on Researcher Has New Attack For Embedded Devices · · Score: 1

    Agreed.

    If he discovered an attack from the WAN side, that isn't new. People disassemble and scrutinize devices all the time. Most likely, a simple reflash of an updated ROM will take care of this.

    Access to the JTAG contacts on a chip isn't hard to disable either. One can set stuff read-only, or just do like Microsoft did with the Xbox 360, and encase the critical chips in hard epoxy blobs.

  3. Re:May not make much difference on Apple's Move May Make AAC Music Industry Standard · · Score: 1

    Cite sources. OK: http://en.wikipedia.org/wiki/Advanced_Audio_Coding

    AAC is patented, and requires a license to use. AAC content is free to distribute in, but codec makers (including hardware OEMs) must cough up royalties to use AAC legally. Obviously, this adds cost. Also, new chips that support AAC cost money to be designed, masked, and put into silicon, and the low-end MP3 player makers may not bother. Companies like Creative, Archos, and others may do so, but unless people absolutely demand the feature, they just may not bother, because most people with AAC files are using iPods anyway.

    Yes, you are right, MP3 files are bigger, but as I stated previously, they work everywhere, in virtually every device. This is why eMusic and other stores offer downloads in this format.

    AAC is not something Creative "can't afford not to make". It would be nice to have that functionality, but it won't be a make or break for any product. For example, the Zune has the ability to play any unprotected AAC files, and that has not noticably affected its sales either positively or negatively.

  4. May not make much difference on Apple's Move May Make AAC Music Industry Standard · · Score: 1

    The OEMs who make generic MP3/WMA players are not likely to pick up a new chip to decode AAC files unless there is high demand for it, because it will noticably affect cost. Also, most people I know, unless they are buying from iTunes or a WMA music store, rip their music into MP3 format because its the lowest common denominator. Any MP3 player, be it an iPod or some no-name USB stick for $15 from a drugstore, understands the MP3 format. With disk space being relatively cheap, the size difference of a MP3 file ripped in alt-preset-standard or alt-preset-extreme versus the size of a similar bitrate file in another format is less of an issue.

    AAC is a good format, but its another "standard" in a crowded field of compressed music file formats. I wish, if chipmakers started supporting more than MP3 or WMA, to support OGG as well as AAC.

  5. The Zune has potential. on How Microsoft Can Make Zune a Success · · Score: 1

    First, what MS did right: The Zune interface is decent, and I had zero issues with playing with a demo one at the store. The software is well done, although I use MS URGE service, so its pretty much the same.

    Improvements:

    Most importantly: Merge the Zune codebase back in the Windows Mobile/Windows CE codebase, and have the next Zune a Windows Mobile device. This will allow third parties to write games for it, and attract more customers to the platform. I don't understand why MS reinvented the wheel in this case.

    Second, For non-DRM files, have it work like a lot of generic WMA players -- have it show up as a drive or player, allow for copying files to and from it. Archos does this right, Napster's players also do this. Creative also has a number of players which allow for driverless copying of files. For DRM files, Windows Media Player already works well.

    Third, have some software to rip DVDs to play on the player, even if it means DRM. This will allow people to copy movies to it when they are on a trip, or bored, waiting in the DMV line or whatnot.

    Fourth, offer some way of user logging in. Be it a PIN, fingerprint scanner, or something that can't be easily bypassed by a casual thief. After securing the front door, then like many people above stated, offer wireless downloading of songs and movies.

    Fifth, offer some type of wireless streaming either to and from. This will allow someone to listen to music on their home PC streamed to the Zune, or have the Zune stream to the XBox songs or movies.

    Sixth, maybe offer a specific model of Zune aimed at music professionals who need a device that can play uncompressed high-quality .WAV files, like 96-bit, 192 kHz files fresh off a Protools mixer. Maybe add high-end inputs/outputs (AES/EBU, FireWire, etc.), so this specific model of Zune can be used as a hard disk recorder for single stereo tracks in a pinch.

    Finally, have a different control design. The round push-ring looks too much iPod-like for my tastes. It works and works well, but at first glance, people immediately think "iPod wannabe."

  6. Buzzwords aside, this would be cool on World's First Polymorphic Computer · · Score: 1

    Buzzwords aside, a chip that could, rather than require a hypervisor to translate machine code, change to execute the code for the VM whose task is being executed that quantum, would bring a large speed increase.

    For example, one can have a RS/6000 partition running AIX, a simulated ARM processor running a version of Windows Mobile, Solaris on SPARC, and Windows Server 2003 on x86, and when the task switcher changes to the next VM, the chip can natively execute that platform's instructions. No JIT caching needed.

  7. Large patches are needed for some companies on Microsoft Quietly Releases Windows 2003 SP2 · · Score: 3, Insightful

    A number of companies have applications which are only supported by the vendor at selected patchlevels, with no other software allowed. Microsoft releasing large collection of patches as service packs makes the job of vetting various hardware and software configurations easier. Its easier for a vendor to state that their application runs on Windows 2003 SP2, rather than Windows 2003, with a large amount of patch numbers needed.

    Plus, (IMHO of course), it was time for a service pack for Windows 2003 anyway.

  8. Hardware firewall on the a1630n on Intel Viiv vs. AMD LIVE! · · Score: 2, Interesting

    The HP a1630n has one interesting feature that wasn't documented -- it has a hardware firewall due to the nVidia chipset on the built in Ethernet port, and it works pretty well, as I've not had any issues with it so far with gaming (MMOs, some RTS games) and other general use. I have read some people have had trouble with it, but so far, its been a great addition.

    One side note. The AMD Live! device works with Windows XP MCE and Vista, but Windows XP Pro doesn't support it.

  9. DVDisaster? on TrueDisc Error Correction for Disc Burning? · · Score: 1

    Isn't there already an open source program which does this called DVDisaster?

  10. Some MMOs change totally after launch on Why Vanguard Sets a Bad Precedent for MMOGs · · Score: 1

    One MMO that came out around the same time WoW did was Everquest 2. At the time, it had its own issues, but it had time to mature, it had a few big expansions, and a couple mini adventure packs (which are worth the $5 or so for the time having fun playing them.)

    I took up EQ2 a couple months ago (after just burning out of WoW), and have been extremely pleased with the UI, the playing style, the graphics, pretty much everything in the game. I almost say that EQ2 is EQ2.5, because of all the major positive work that has been done to it since it launched. For those that are not into WoW, its worth a look.

    MMOs are games that are designed to be patched, content added, stuff modified, and old stuff overhauled every so often, so don't judge Vanguard for goot yet. Give it a thumbs up/thumbs down after six months or a year, after it had a major content patch or an expansion. Its common (but foolish) for players to hop on a MMO either in its public beta phase or at launch, scream about its faults and move back to their old MMOs. Just consider it a "gamma" release until the game is about a year old.

  11. Re:A good idea, though not a 100% new one. on A New Approach to Mutating Malware · · Score: 1

    I stand corrected, and you are 100% right. A program that is connecting to another host can have pretty much what it wants as an outgoing port on its local box (for example, Firefox is outgoing on port 4480), what matters is what port the outgoing program is connecting to on the remote box. I should have clarified that.

  12. Re:let the stupid slashdot fud commence on Some States Say National ID Cards 'Make Life Easier' · · Score: 1

    Call me pro-government or whatnot, but a properly done National ID card system would be a boon to Joe Sixpack compared to our existing system of using the same numbers over and over. One couldn't just grab a set of numbers that pertain to a person and commit identity theft (unless the thieves had a TWIRL machine and could factor 2048-bit public keys in a matter of weeks/months... then they likely wouldn't be bothering with average users), one could have cryptographic proof that a person graduated a university (the university's CA signing the user's public key with a statement saying they were awarded a degree in xx, on xxxx date.)

    Its not 100% secure -- the places that would be the targets would be certificate authorities rather than individuals, but one can harden a CA a lot more than hardening a billion or so users. Even if the CA gets compromised, the certificate expires... and can always be revoked.

    I don't consider an ID card to be a restriction on rights... Knowing who someone is has been part of commerce since the beginning of time (so caveman A makes his delivery of sheep to the real Caveman B, rather than Caveman M who is pretending to be Caveman B), and documents stating one's identity have been around for ages as well.

  13. US national ID cards most likely will be coming... on Some States Say National ID Cards 'Make Life Easier' · · Score: 1

    National cards, with this air of paranoia and terrorism, are forthcoming, pretty much whether we want it or not. The best thing is for someone to come up with an open system that not just proves that the cardholder is whom he/she asserts, but to also guard the cardholder's privacy.

    Tim May (IIRC) came up with a system almost a decade ago which helped with this. It came in two parts. The first was the ID card itself, with a high security smartcard chip. The second part was a "trusted" PINpad that someone also carried with them. The PINpad allowed for the card to be unlocked without worry that the store's keypad was bugged or would log the PIN for use by a criminal.

    I am personally working on this for academic reasons, but this is an extremely tough thing to do, because one can't just have the national ID structure rely on a single point of failure. Smart cards would have to be able to be changed, so one can't freeze a specification, as one never knows if some encryption algorithm would be broken in the future. For example, if the nation received smart cards with crypto algorithm "A", and someone found a way to break all rounds of it, the PKI and the cards used would have to be able to be changed immediately.

    A national ID card system wouldn't just be a meta-PKI. A lot of thought has to be put in in how people work with it. It needs to be simple, but yet decently secure.

  14. A good idea, though not a 100% new one. on A New Approach to Mutating Malware · · Score: 1

    I'm not sure if this is a totally idea or not, but any help with this is a positive thing. Watching a machine and trying to find signs of malware behavior isn't new. NAV and other programs already have heuristics built in.

    What is needed is more of a "block all, allow only what is needed" policy rather than "permit all, find bad things, block them" which is a never-ending cycle. For example, unless an ISP's customer specifically requests it (and signs that he/she is fully responsible for any damage), a number of outgoing ports should be blocked by default (with obvious notice to the user on signup and in the ISP's help pages. For example, outgoing SMTP should be blocked, and the ISP will unblock it on user request as well as offer a mail server for authorized relaying.)

    Maybe one idea is for programs (doesn't matter what OS) to have a manifest (which after installation is stored somewhere protected by the OS) of what ports the program will be using for incoming/outgoing connections. Program uses a port different from what is listed in its manifest, the connection either is blocked, or the user is prompted to manually add an ACL entry allowing it. If a program is updated to use more ports, the manifest can be changed (although an administrative user will need to allow the request.)

  15. Re:One way of doing things on How to Measure Security ROI? · · Score: 1

    I'm not sure if deliberatly sabotaging a production server crucial to a company is a good idea. In most companies, that would mean the loss of a job. If management was really ticked, they could file a criminal mischief complaint, the value of which would be all those people's times, loss of income (for a lot of online stores, this could be sizable), the cost of getting the police to come for a false alarm, and other things. If this gets high enough, this could be into felony-hard territory.

    A determined DA could say that you stole the server (even though it was "returned"), and almost certainly that would be in the grand theft felony range.

    Of course, the employer can file civil charges as well, demanding the cost for the cost of the downtime, which can get pretty large.

    I'm sorry, but I'm too cowardly to risk my career, my right to own firearms, my right to vote, and my future on showing what "could" happen if a server goes down in a workplace.

  16. Proving a negative on How to Measure Security ROI? · · Score: 4, Insightful

    Measuring security ROI is proving a negative. Because stuff is not being broken into and information is not being stolen, the company is "saving" money by not losing money and gaining bad press.

    Your benchmarks are what type of security issues you do encounter and how they are handled. For example, if a security package catches would-be intruders, that can be shown as a sort of ROI (as the package prevented X dollars of loss.) Another example is the cost of whole disk encryption. Having a laptop that is protected by WDE get lost, one could state that the encryption software (assuming its properly deployed, proper password and/or security token policies set, etc.) saved the company the loss of the data on the laptop.

    Probably the best bet in proving ROI is how many, what type of, and the cost of, the breaches and incidents one had before a policy/software/infrastructure went into place versus afterwards.

  17. Re:Kind of radical, but I hope it works on California Proposes to Ban Incandescent Lightbulbs · · Score: 1

    I have a couple CFL bulbs that are dimmable, and advertise that on the packaging.

    CFLs are nice, but something about the 60 hz pulsing makes my eyes want to pop out of my head. Maybe the best of all worlds is having bright LEDs that use DC current.

  18. Re:Ban SUVs? on California Proposes to Ban Incandescent Lightbulbs · · Score: 1

    25MPG for a SUV is pretty darn good. For a full size pickup, much less a heavier SUV, most get in the real world (factoring in stuff like lights, traffic, taking routes due to drunks wrecking) around 10 miles per gallon.

  19. Re:Easy on Testing Commercial 2-Factor Authentication Systems? · · Score: 1

    What you could do is use PGP and multiple users for its whole disk encryption, the users being keys on separate eTokens. Then, you can put one eToken away in a safe place and use another eToken for daily use for logging in. As a third safety net, you could use diceware, generate a long passphrase, and store that passphrase in a really safe location.

  20. Re:But... you can copy the key file?! on Testing Commercial 2-Factor Authentication Systems? · · Score: 1

    With storing a private key on a plain USB flash drive, someone can just borrow the drive for a couple seconds, copy the files or image the drive, put it back, and the drive's owner would not know. Then, all is needed is a successful password guess or success with installing a keylogger on the mark's machine to get full access.

    This is why I like smartcards. Even if someone gets the smartcard, copying the private key data off (especially copying it without it being noticed) will require a lot of specialized hardware that pretty much nobody but major governments, universities, or Fortune 100 corporations even have access to. Plus, with modern smartcards, if someone guesses the PIN or password too many times the card zeroes the keys, locks, or fries itself [1]. Older smartcards/USB tokens could be opened, but the newer ones are sealed in with epoxy which makes it far more difficult to disassemble and have anything working when done.

    [1]: I have an old GemSafe (1998 vintage) card that after 3 wrong guesses of the user password, 7 guesses of the administrator password, the card zeroes everything and bricks itself. The Aladdin eTokens I'm using are more configurable, and one can initialize them with similar functionality (x wrong guesses it locks), or if a person is prone to typos, not have it lock at all no matter how many bad guesses are done. There are always attacks on smartcards, but for what people I do work for do, they are more than secure enough.

  21. Re:RTFQ on Testing Commercial 2-Factor Authentication Systems? · · Score: 1

    You could have one USB token have the Truecrypt keyfile on it, the other the drive with the data on it.

    The one with the keyfile can just have the file on the disk, or if its one of the "secure" USB drives (JumpDrive Secure for example,) have it on the protected partition. The drive with the keyfile, you can keep locked up in a safe, only pulling it out to insert and unlock the other drive.

    Of course, you have a couple decoy keyfiles on both the open and secure partitions so you can tell an adversary that you "forgot" the passphrase.

  22. I ended up going PGP and eToken on Testing Commercial 2-Factor Authentication Systems? · · Score: 2, Informative

    The Kensington token looks OK, but if I'm recommending a whole disk encryption system, I would use something that has been battle tested in corporate environments, and where the physical token meets FIPS 140-1 level 1 or 2 standards. Standards don't mean something is free of security holes, but it means that peoples' eyes have looked the software and hardware over and the company stands behind their product enough to pay for it to be validated. Its similar to the Sold Secure Gold rating on physical locks -- it doesn't mean they are 100% secure, but locks certified with it will be tough for most thieves to break.

    There are a number of WDE utilities which are solid, certified, and proven over time. I have personally have excellent results with SafeBoot, WinMagic, DriveCrypt Plus Pack, CompuSec, and PGP Whole Disk Encryption. For hardware tokens, Aladdin's eToken PRO 64k.

    Snake oil encryption is common, one who is deciding on a solution for themselves or a company needs to do their homework and know the basics of cryptography as well as what certification levels mean what.

    PGP Whole Disk costs $49.99 for a year license, and $119.99 for an unlimited length license. This, plus the cost of an Aladdin eToken (about $70-80) gives a person a known good security setup where each major link is certified by an independant security agency. Yes, $200 is more expensive than the $50-$70 for the Kensington token, but the price premium pays for a product that has been around for a long time and security issues are found and fixed.

  23. Re:car mechanics do it too on Is A Bad Attitude Damaging The IT Profession? · · Score: 1

    IT infrastructure isn't like a wall, erected and forgotten. Operating systems and programs need updating, users need password changes, other users need deleted, logs need to be looked at and potential threats need to be dealt with promptly. This is basic stuff and part of any company, just like sales, account receivable, accounts payable, and payroll.

    There is a difference between "rebuilding failing infrastructure" and keeping a network current, users happy and productive, and the bad guys away from the payroll and accounting records.

  24. Re:RSA SecurID on Secure Ways to Determine 'Something You Have'? · · Score: 1

    Surprisingly, AOL... yes, AOL offers SecurID keyfobs to paying customers. E-Trade is another place that offers SecurID.

    I wish more banks and financial institutions (I'm looking at you, eBay/PayPal) would offer this.

  25. "Pre-hosed" -- always wipe it on Acer May Be Bugging Computers · · Score: 4, Interesting

    On all new computers, be PCs, Suns, RS/6000s, or anything, after getting the machine out of the box and plugged in, I tar (or ghost in the case of PC recovery partitions) off anything preinstalled to two backups, then format the hard disk (or disks/arrays) on the machine. After the disks are formatted, I then install the OS and drivers and get the machine to the latest patches that I can via CDs. Only after this and a lockdown check does the machine see the network.

    I've just seen too many machines come pre-hosed from the factory. For anything that sees production use, I want to pack my own parachute and know exactly what is on the machine.

    On PCs, I try to find drivers from the underlying OEM rather than depend on the PC vendor, as usually the PC vendor's drivers tend to be outdated, except for motherboard/system board/IO planar flash.