Slashdot Mirror


User: Sarten-X

Sarten-X's activity in the archive.

Stories: 0
Comments: 4,385

Comments · 4,385

  1. Re:ITs the end of the small business mail server on Ask Slashdot: Is There a War Against Small Mail Servers? · · Score: 3, Informative

    Outsourcing is often not feasible. As an example off the top of my head, any American company working with medical data needs to be certain that personal medical data does not leave their control, or they get hit with huge penalties from HIPAA and HITECH. That eliminates a lot of outsourcing options, and especially anything cloud-related, because one mistaken message, even from someone outside the company, can have devastating effects.

  2. My experience on Milky Way Stuffed With an Estimated 50 Billion Alien Worlds · · Score: 4, Funny

    Based on my time in high school, I expect those 500 million habitable planets are all inviting each other to parties, picking each other for teams, and definitely getting laid. Earth is getting left out, and nobody has the heart to tell us.

  3. Re:How about a technical fix instead? on Industry IT Security Certification Proposed · · Score: 1

    This idea raises a few questions:

    • What manages the microkernel keys? Another kernel?
    • What prevents a disk driver from simply asking for the key to use the network?
    • If a filesystem driver gets infected, can any other driver stored on that filesystem be trusted?
    • Will the target micro-kernel validate the keys, or another system?
    • Could an appropriately misrepresenting system overwrite a target system in memory with code of its own choosing?
    • If every kernel call verifies a strong key, what effect will this have on system speed?
    • What will happen to applications with custom save/load dialogs that offer extra functionality, like previewing files or selecting format options?
    • Would an interpreter such as a JVM simply ask for every permission, and hope nothing goes wrong?
    • Will this stop the user from choosing "12345" as their password?
    • What happens when a USB device says it's a network device, gets the network key, then turns around and hands off that key to an untrusted program?

    I'm not saying the idea is inherently bad, but it brings many more levels of complexity than even what we have now, without addressing a few key problems like user competence. The "write it all from scratch" approach has been tried before, to little success. Verifying that implementations are correct is fine and dandy, but that doesn't cover the myriad ways for systems to interact, and potentially break.

  4. Re:Has half a chance of being useful-- on Industry IT Security Certification Proposed · · Score: 1

    The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.

    I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.

  5. Re:WHOAH Nelly on US Gov't Mistakenly Shuts Down 84,000 Sites · · Score: 1
  6. Re:that is what I was thinking on US Gov't Mistakenly Shuts Down 84,000 Sites · · Score: 1

    If your business website is a subdomain of mooo.com, I doubt you have enough customers to worry about it.

  7. Re:Welcome to the USA on US Gov't Mistakenly Shuts Down 84,000 Sites · · Score: 3, Interesting

    I'm assuming that the warrant said that mooo.com was hosting child porn, which one of its subdomains likely was. What wasn't mentioned was that mooo.com is fairly special among domains, since it also carries 84,000 completely unrelated sites. To notice that, someone would have to be familiar with FreeDNS and what it does, which is a bit much to ask of an ICE investigator. This isn't a case of due process being ignored. It's a case of due process not covering every crazy special situation that changes the case.

  8. Re:WHOAH Nelly on US Gov't Mistakenly Shuts Down 84,000 Sites · · Score: 0

    Where does the money come from to buy the bombs? And where does that child porn money go? And for that matter, who supplies the children?

    Sadly, it's all related. There aren't many American parents willing to give up their children, but there's a lot of third-world residents who'll pay a few years' savings to a smuggler for the chance to get their kid to America. If the kid ends up abused in a basement, there's nobody to complain about it. The various third-world crime lords smuggle people into America and Europe for a hefty fee, then turn around and sell their captives to other groups for prostitution and illegal pornography. When they're too old for that line of work, the victims are forced into manual labor, under the threat of being reported to the various authorities. They work for next to nothing, living in slums or outright condemned houses. The majority of what they do earn goes back to the crime lords, often to fund wars in their home country, which in turn drive more people to try to escape.

    DHS just happens to be investigating the child porn side at the moment.

  9. Re:Vandalized? on Attacked By Anonymous, HBGary Pulls Out of RSA · · Score: 1

    Of course it's as sophisticated as an elementary-school threat. This is Anonymous, after all.

    I'm not saying the various threats should be assumed to be real, but likewise they cannot be assumed false, either. The sign was potentially a last-warning threat, so it's reasonable that a company with vested interest in its security should treat it as such. If meant as a joke, I simply don't find knife-twisting to be "silly".

    There is indeed an aspect that HBGary could exploit for profit, but it's a bit of a gamble: If HBGary is able to obtain enough information on Anonymous, they become a bigger player in the upcoming online security industry. Many big companies became so through a single/few significant move(s). Google built a better search engine. Microsoft pre-installed Windows on OEM computers.

    Anonymous is the perfect target for a computer investigation firm. Anonymous is decentralized, capable of significant harm, and organized loosely through mostly legal channels. Anonymous is effectively immune to traditional law enforcement tactics. There are, however, enough low-hanging fruits for HBGary to reach for. The posters who initially called for the attacks can legitimately be classified as 'leaders' and identified. The IP addresses (and therefore, locations) of the most active DDoS participants can be identified, and compiled into a heuristic for rapid response to future attacks. Any autonomous botnets involved in the attacks suddenly become a much higher priority to shut down. The whole group, with their history of attacks, "not your personal army" refusals, and recurring opinions, can be condensed into an easy-to-read report for an unfamiliar politician.

    There's realistically nothing HBGary can do against Anonymous, but I doubt that's their goal. Sure, it's fun to laugh at how utterly ineffective the investigation will be in the grand scheme of things, but for an upcoming government contractor, they're doing everything right. They're gathering information, becoming a well-known name, and making a big report to hand over to the FBI/NSA/CIA/IRS once the contract's signed. They're going for a reputation of being thorough and getting information, rather than one of taking bullets for hire. Perhaps they will sink, yet perhaps not.

  10. Re:Vandalized? on Attacked By Anonymous, HBGary Pulls Out of RSA · · Score: 1

    1. There's no membership for Anonymous. If someone thinks you're in it, you're in it. There's no way to be sure the sign wasn't meant as a threat, and no way to be sure a psychopath isn't going to try to attack the HBGary presenters. Better safe than sorry, eh?

    2. Yes. Of course a death threat's sender will publicize the threat, and sign it with their public key, so we can be sure it's genuine.

    Unnumbered 3. I believe my words were close to "Hey, Obscure Security Company says they have information on that Sarten'x Project DDoS. There's a blog post on their main page." and his response was close to "Yeah... I'll get the guys to nuke 'em like we did to Sarten's Project." That's not entrapment. That's merely using misleading statements to extract information. As for having no business enforcing laws, people can actually do so here. There is no restriction on gathering information, either, so long as laws are followed. If that information is turned over to law enforcement personnel, it gets corroborated and may result in a criminal prosecution. In the case of my project's DDoS, the FBI had a lovely time for a few weeks verifying our information, and Israeli police had a visit with the guy in question, who has now lost his network of DDoS-loving friends, and their collective botnets.

    Sorry to offend your privacy-is-paramount sensibilities, AC, but victims can fight, too.

  11. The plan on Freedom Box Foundation Wants Plug Servers For All · · Score: 5, Funny

    1. Make a bunch of tiny servers.
    2. ???
    3. Freedom!

  12. Re:Vandalized? on Attacked By Anonymous, HBGary Pulls Out of RSA · · Score: 2

    Wow. Three posts in a row claiming I'm somehow in the employ of HBGary. Since yours is surprisingly the most complete, I'll respond to you.

    I'm not connected to HBGary in any way (that I know of). I'm a software developer who's had projects sit on the receiving end of DDoS attacks, and has a bit of experience in the tactics used to investigate them.

    After any initial threat comes investigation. In my case, I had a list of timestamps and IP addresses. A quick Perl script compiled a list of the most offensive ISPs, and we contacted them first. Some cooperated, some didn't. One of the nicest ISPs handed over a list of other places the DDoS participant had frequented. I set to work joining that community. It took several months, with little in the way of new leads, but with a few particular identifiers popping up repeatedly. Now and then, I'd drop in a reference to the DDoS against me, acting as though I had helped with it. I was soon introduced to the guy who called for the attack, and convinced him to go look at a website I had just set up, with the intent to attack it shortly. I had an admission of guilt and an IP address. He's not starting attacks anymore.

    Mine was a trivially easy case, but it involved some misrepresentation, infiltration, and orchestrating another attack. Great security stuff, but I still wouldn't go speak in front of an audience of random people after getting a death threat.

    HBGary is following sane procedures after a threat: they're playing it safe. Anonymous is indeed "in i 4 teh lulz", and nothing else. If a psychopath finds it funny to kill a speaker at a conference, he'll do it, and Anonymous will find it hilarious. Would you risk your life on Anonymous's real-life cowardice?

    To most of the public, Anonymous is either an ill-defined group that connects with that Interweb thing, or they're a well-armed and well-organized militia that attacks online services. In truth, they're a bunch of people who merely act with no regard for consequences. As such, they are a threat. There is no central authority to broker peace with, and no predictable actions to defend against. In the case of the HBGary presenters, Anonymous simply may or may not kill them.

    Anonymous does whatever the hive-mind feels like. If someone has a particular grudge against an organization, and can convince others that it'd be fun to attack, they do so. There is no regard for morality or consequences. Scientology and HBGary may both be horrible companies, but that does not excuse Anonymous's ridiculous ignorance of the consequences of their own actions.

    If I promise to find it funny, do you mind if I burn down your house? Maybe your neighbors', too, because they called the fire department...

  13. Re:Vandalized? on Attacked By Anonymous, HBGary Pulls Out of RSA · · Score: 1

    Anonymous is all random people. What makes a guy with a sign any more random than a guy running LOIC, or a guy carrying a gun into a presentation?

  14. Re:The best way to protect the internet... on Clinton Calls For "Ground Rules" Protecting Internet · · Score: 2

    They also tend to produce inferior work, which may or may not (depending on the importance of quality) be profitable for the company. Using slaves is also a PR nightmare.

    Consider the case of companies currently operating sweatshops. The sweatshops may be far below American labor standards, but they're far above anything else in the area. Merely carrying the label "sweatshop" is a curse for any operation, so companies are forced to upgrade factories even further beyond the local standard. Of course, this is not always the case, but it happens often enough that companies will try anything to avoid the "sweatshop" label, including having factory tours include some of the surrounding villages.

  15. Re:The best way to protect the internet... on Clinton Calls For "Ground Rules" Protecting Internet · · Score: 1

    So a "large private entity" can pay off every ISP, because every ISP will opt to take the money, just because it's available.

    What happens when a single ISP declines the deal, or worse, makes the deal public knowledge? Public outrage damages the large entity's profits and every ISP they worked with. That's a pretty big risk to taking the deal.

    Perhaps worse, if every ISP does take the deal, that opens the large private entity to blackmail. Any ISP can threaten to open access again at any time. That would likely mean a lengthy lawsuit making the deal public knowledge and bringing huge legal bills. For a fraction of that cost, the large private entity can just pay more money to the ISP, until next week when they ask again.

    Other than abusing the large private entity, the deal itself can be abused. I can set up my own ISP, make a direct connection to Wikileaks (or some other "restricted" site), and bring in the profit from this deal. I can do it twenty times. I can get a lot of money for very little work, and again, the large private entity can't do much about it without the deal being public knowledge.

    It's almost a classic prisoner's dilemma problem, with thousands of ISPs playing the prisoners. If everyone works together perfectly, everyone wins. If anyone turns against the others, the traitor will win and everyone else loses. In this case, however, if nobody conspires, everyone goes on with business as usual. The risk of betrayal increases with the deal's payoff, so it's never beneficial to take the deal.

    Of course, real life is much worse, with disgruntled employees threatening the deal even if everyone does play along with it. One unhappy middle manager sends an email to an ISP saying "you aren't in the loop anymore", and it all falls apart.

  16. Re:Vandalized? on Attacked By Anonymous, HBGary Pulls Out of RSA · · Score: 3, Insightful

    HBGary is not in the business of preventing or withstanding attacks. They're the guys who will investigate events after the fact, compiling nice piles of evidence to hand over to the FBI/police/whomever.

    The sign on the booth is a threat. Note that "vandalized" was ITworld's chosen word. The message is clear: "Anonymous is here, and has the same utter lack of respect in real life as online." Given that there were many threats ranging from harassing the booth staff to heckling the speakers, and even up to death, the sign potentially serves as a last warning: Let Anonymous ravage whatever they want, or die.

    It makes sense for HBGary to step out of the line of fire, just in case somebody's crazy enough to act on those death threats. Death is not their business. I expect that the sign is being checked for fingerprints, the conference attendee list is being subpoenaed, and security cameras are being reviewed.

    I'd also expect that HBGary will use this incident to paint Anonymous as a group of people who constitute a real threat. They stalk and harass a target organization for as long as they're interested, with expenses and lost income costs rising daily. This dedication is as much a problem to Anonymous as to their targets, and HBGary is now playing a great game: they're trolling the trolls. With every public move HBGary makes, Anonymous is drawn into acting. That's another 4chan post, another analysis, another page in HBGary's final report on Anonymous, and another customer impressed by the company's thorough attention to detail.

  17. Re:The Dark Knight on R-Rating Sunk BioShock Movie Plans · · Score: 1

    The movie Bioshock is a story about a female scientist named Jackie working in an underwater utopian society on Europa producing a set of wonder-drugs that help control the population, along with a central mind-control device. She is romantically involved with a military man named Thomas, who routinely opposes Big Daddy, his commanding officer, but somehow avoids any significant consequences. After a conspiracy involving the woman's coworker floods the society with too much of one drug, the inhabitants go crazy. Thomas kills a few little (18-year-old) girls (wearing bikinis), has an allergic reaction to the drugs they contain, and promptly dies. Jackie then goes to the central mind-control system, and after a climactic fight with Big Daddy, who's wearing an improvised suit of body armor, discovers that the mind control device is actually a portal to Hell, and it starts turning her insane. Somehow not dead, Thomas shows up to inject Jackie with another drug that will suppress the madness. In her fleeting moments of sanity, Jackie shuts down the portal, saving what's left of the society from further decay. As the movie comes to a close, the audience sees peaceful scenery, until a still-crazy inhabitant attacks the camera.

    I know how this goes. I saw the Doom movie (which was coincidentally R-rated). I wouldn't have much higher hopes for BioShock, after the executive meddling and rampant censorship.

  18. Re:The best way to protect the internet... on Clinton Calls For "Ground Rules" Protecting Internet · · Score: 1

    Are freedom and profit inherently mutually exclusive?

    There are many companies who have chosen to make "bad" business decisions, in favor of "good" moral ones. As a result, those companies build a better reputation than their competitors, and reap greater profits. If there's any sign that ISPs have started blocking access to particular services, it's a perfect opportunity for another company to offer a secure forwarding service. Such places already exist (for privacy reasons, rather than content access). If it comes at the small cost of seeing some advertising for that company's other services, so be it.

  19. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 1

    It's an opinion. I don't expect you to share it, but only to respect it.

  20. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 1

    Mubarak, who ignored years of peaceful petitions, got kicked out for good reason.

    Do you have any actual statistics on how many congressmen are actually corrupt, with actual evidence pointing to them beyond just vague accusations? Out of 535 current members of Congress, plus those who served previous sessions, you've pointed out two from several years ago. I'm sure there's more, but that's a ratio I can live with. Despite Hans Reiser, not all computer scientists are murderers, either.

    I'm certainly not suggesting that every politician is perfect, or will follow their constituents 100% of the time. I'm merely suggesting that those who pursue public office remain human, and retain the ability to make decisions based on reason.

  21. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 2

    So you're not going to try to change anything until someone else changes it first? That's some impressive laziness, right there.

    power to the people

    One of my favorite phrases, with the implication that politicians are somehow not people, despite outward appearances. That somehow, the very act of entering office turns them into slaves, controlled by corporations which are also somehow comprised of non-people employees, and supplied by other non-people companies, right down to the non-people producers of raw materials. That somehow, ex-politicians like my hometown barber turn back into people after leaving office. Such a simple phrase, such classic rhetoric, and such immense implications.

  22. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 1

    All the more reason for those who can write to do so.

  23. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 1

    If I ever find a politician that reads Slashdot, I'll point him your way.

  24. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 2

    Politicians can discern reason from insanity by examining the arguments presented. If you write a clear letter stating your exact opinion, with facts and figures as available, full citations, and a well-phrased persuasive argument, you're much better off than simply writing "I want this". I exaggerate, of course, but erudite writing is vital.

    No matter what decisions are made, someone always benefits. To use an old phrase, it takes two to tango. There are multiple sides to any debate, and yes, sometimes an opinion in a slight minority will still get their way. It's not an issue of forcing people to think a certain way. It's an issue of making tough decisions with very little information representing less than 1/20th of the US population, amidst constant propaganda campaigns from all sides, and political opponents ready to criticize every decision, regardless of its justification.

    Running a nation is hard, and it's made more difficult by an overwhelmingly apathetic population. Changing which party sits in what chair won't change anything significant. The United States was founded as a government of the people, and that's the only way it works.

  25. Re:LOL, you got GWB again! on White House Wants Phone Records Without Oversight · · Score: 5, Interesting

    Those of us who aren't so anti-government realized this even earlier.

    Each side tries to do what they think is best for America, whether that's promoting human rights, economic security, or international stability. Each administration tries to make decisions based on what they believe to be right. For advice in that regard, they turn to expert advisors (usually chosen for their general views, rather than opinions on specific issues) and the public. Of course, when only a tiny fraction of the public actually cares enough to state their opinion, the administration's ability to make an informed decision is severely crippled.

    When was the last time you complained to your representatives about defense spending? Or the education budget? Or the overreaching power of the FBI? This is your government. Participate in it.