Slashdot Mirror


User: dgatwood

dgatwood's activity in the archive.

Stories
0
Comments
14,277
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 14,277

  1. Re:FYI, "secret" questions can not be changed. on Blizzard Says Battle.Net Has Been Hacked · · Score: 3, Informative

    That hasn't been true for over a year.

    Also, they're going to en masse make everyone change their security question/answer real soon now.

  2. Re:Face Palm on For Much of the World, Demand For Water Outstrips Supply · · Score: 2

    It's NOT easy or cheap to desalinate water.

    Actually, a giant solar still floating out on the ocean should be pretty close to energy neutral, and if designed correctly, ignoring the initial construction costs, shouldn't cost any more to maintain than the pumps that oceanside communities already have to employ to bring water up from underground. Actually, if you design it right, it should be cheaper, because the water should flow downhill to a pump-assist station on the beach.

  3. Re:All that will happen is migration on For Much of the World, Demand For Water Outstrips Supply · · Score: 1

    Californians? Why pick only on them? Try Californians, Nevadans, Utahans, New Mexicans, Arizonans, etc. There's more than enough "crazy arid place to build cities" in the southwestern USA to realize this is a problem that extends far beyond California. Las Vegas? Hello? And in the future it can be expected to spread to most of the midsection of the country.

    FTFY.

    At least California has an ocean, which makes the amount of water available solely a question of how much money we're willing to spend to filter it, as opposed to the rest of the country that's likely to be utterly screwed in a few decades, assuming the global climate change folks are correct.

  4. Re:Oh that kooky Obama on Data-Fed Monitoring System Will Put New Yorkers Under Police Surveillance · · Score: 1

    It was also interesting to see that political interaction in Europe is not that different from the United States Senate. There's a lot of -- I don't know what the term is in Austrian, wheeling and dealing." --confusing German for "Austrian," a language which does not exist, Strasbourg, France, April 6, 2009

    Hate to tell you this, but those sorts of expressions are not part of the language. They tend to be local. Tell someone in America to call the bobby and he'll be completely baffled. Tell someone in Britain to dial 911, and they'll look at you with equal puzzlement. His mistake was in saying "...what the term is in Austrian" rather than "what the Austrian term is", a much more forgivable misordering of words.

  5. Re:BYO on Secret Security Questions Are a Joke · · Score: 1

    And people only "lose" passwords because no two sites use the same scheme. You'll have one sit that disallows whatever special characer you use, while another requires it, one site that won't take it because it doesn't contain a capital letter (because it's a 36-digit number), and so on. If every site would just STOP doing that and instead provide a "password strength meter" that the user is allowed to ignore if desired, we would have no need or the security questions.

    No one will ever randomy guess any of my high-security passwords, and if they crack into your site and steal them, you're required by law to notify me. I have different passwords at diferent tiers of security so that someone stealing the password to a throwaway account like here on Slashdot can't get into my bank acount. And more to the point, if everyone were simply required by law to store all passwords hashed and salted, that wouldn't be a real issue worth worrying about anyway. That's what makes this so absurd is that the entire problem is artifficial, all caused by bad programmers who aren't willing to sanity check their databse inputs and incompetent security "professionals" who come up with arbitrary rules that all passwords must follow instead of just providing guidance to help users choose a good password.

    The reality of the matter is, if somebody gets cracked these days, it is either because their password is a single dictionary word or it is because of a social engineering attack through the security questions or something similar, because that's the weakest link in security—weaker than all but the weakest passwords by far. If all you do is a simple case-insensitive dictionary search for the user's password, you've prevented almost 100% of brute force attacks. Any rules beyond that just make it more likely that you'll need to implement back doors that weaken security.

    And don't get me started on the most harmful practice: password expiraion. I've watched highly technically savvy people use systems that have password expiration rules. Their passwords are invariably junk. They have hard-to-guess passwords for things that don't expire. For passwords that expire, they tend to be a letter followed by 1234567890, where anybody who watches them enter their passwords from thirty feet away can guess them in a couple of minutes. You know who you are.

    Of course, ultimately, the biggest problem is that passwords are fundamentally broken. Any password hard enough to guess is also hard to remember, and vice versa. This is compounded by having to remember different ones, but it is a serious problem even in the absence of that problem. And hacks like password managers don't help, either. When your computer gets 0wn3d, which statistically speaking, it eventually will, that password manager is also 0wn3d, and will dutifully provide those passwords to an interloper.

    No, there is exactly one viable security solution: a smart-card-like device that is incapable of being accessed remotely, uses a simple serial protocol for communication through physical contacts (so the comms code is small and easily audited), requires the user to push a button to authorize each request, uses crypto to verify that the request came from a known server, and uses crypto to sign each request sent to that server. Then, different servers can have different levels of paranoia, from bulletin board servers that require a single token per session that expires in an hour all the way up to banking sites that require you to press the button every time you go to a new page.

    Over time, people would become conditioned to the behavior of a site, so if someone started trying to send requests to the user's bank behind the scenes when he or she hadn't gone to a new page in the browser, the user would hit the "No" button. More to the point, even if users hit their "Yes" buttons, the damage would be limited to whatever the bad guys could do while the users were connected to a given site. A user reading Slashdot who suddenly saw a request for

  6. Re:BYO on Secret Security Questions Are a Joke · · Score: 1

    But then there are those obnoxious companies that randomly ask you your security question in addition to your password. For those sites, when you do that, you're permanently locked out of your account. That's why there should be a law requiring companies to disclose how they use those security questions at the time that they are asking them.

  7. Re:Simple solution on Secret Security Questions Are a Joke · · Score: 1

    Exactly. This. Or over a video chat of your choice. Either one, of course, requires that the company in question have a photograph of you.

    Anoher acceptable scheme would be a visual recognition game in which they throw... say fifty photographs at you and you have to respond correctly whether you took them. If you answer correctly at least 80-90% of the time and do not ever falsely claim to have taken pictures showing people posing, it is probably safe to say that you are the real deal—unless all your photographs are online and somebody might have memorized all of them, in which case you should have the option of opting out of that scheme for your account, much as you should be able to opt out of answering security questions as an authentication option.

    I have consistently chastised every company that has ever forced me to answer security questions, questioning their competence. They make it easier for customer support, at a tremendous cost in actual security, and as such, I make it a rule to not trust such companies with anything important. Unless they spring them on me years after I've already trusted them with important stuff. Then, I give answers that are utterlly implausible and file bug reports demandiing that they STOP DOING THAT. Ahem. You know who you are.

  8. Re:Why would you want to raise the limit? on FCC Asked To Reassess Cell Phone Radiation Guidelines · · Score: 1

    For maximal handoff, each phone should always see 3 microcells to pick from.

    *shrugs* Most of the time, my phone can see anywhere from 5-8 full-size towers. I still have regular handoff failures (on average, 2-3 failures per hour) at highway speeds. I suspect if you crank the cell size down that much, you're going to need something closer to a 1 mile overlap zone, where you can always see the current tower, the last tower, and the next tower no matter what direction you're traveling....

    Then again, it's possible that the reason for the handoff failures is because the towers are just too congested to allocate me an open slot before I lose the signal from the previous tower, in which case the increased number of towers could make the need for large overlaps less necessary. Hard to say.

  9. Re:20 million gallons I know... on US Is Finally Cleaning Up Agent Orange In Vietnam · · Score: 2

    About 82 cubic feet, if you include storage on the roof. Though how they managed to send it back in time is still an open question. Or perhaps they meant a Galaxie.

  10. Re:Why would you want to raise the limit? on FCC Asked To Reassess Cell Phone Radiation Guidelines · · Score: 2

    For an urban areas, which is what the GGP was explicitly referring to, many small towers at lower broadcast power make all the sense in the word.

    Until you try to talk while riding in a car, on a bus, or on a train using a bunch of towers with coverage area comparable to that of Wi-Fi hotspots. Then, when those tiny cells have an overlap of only ten or fifteen feet and the tower handoff takes more than the hundred or so milliseconds available for such a quick handoff, suddenly your call drops every hundred feet instead of every ten miles. :-)

    In practice, even if you do 90% of your service on lower-power frequencies with tiny cells, you'll almost certainly want at least a few frequencies at higher power that you can kick phones onto if you see too much doppler shift. Otherwise, reliability will suck. Hard.

  11. Re:I have seen SSDs used just to load the OS on Are SSD Accelerators Any Good? · · Score: 1

    What the hell do you run, that you can fill over 100GB just with apps (not talking data - So for example, I need MSSQL on my box for dev purposes, but I sure as hell don't install 500GB of actual DBs on the system drive).

    I have several problems with your reasoning:

    • Try explaining to an average user that there's more than one hard drive in his or her machine.
    • Try splitting data across multiple drives in most laptops (single drive bay).
    • Try to convince users that they need to carry around most of their files on an external hard drive because their internal storage is too small, but that this doesn't mean their new computer is crap. GFL.

    Sure, if you're willing to work at managing your files, you can deal with the limitations of a small SSD. That doesn't make it pleasant, and that doesn't mean that most people are going to be willing to put up with it. Most people either A. don't have much data and can cleanly fit their digital lives on a small SSD or B. have a crapton of data and aren't willing to put up with the headache of multiple drives. The number of folks outside those two camps is vanishingly small. This is why we need bigger, cheaper SSDs.

  12. Re:No. on Are SSD Accelerators Any Good? · · Score: 1

    I think what you're missing is that the things SSDs excel at are things that people do infrequently. I boot at most weekly, at least monthly. I launch a couple of apps in any given day that haven't been launched recently enough to still be in the cache. So for all practical purposes, the improvement from removing the seek overhead isn't that important.

    BTW, if multitasking causes a huge speed hit because of your disk performance, that usually means you don't have enough RAM. Just saying. :-)

  13. Re:bcache on Are SSD Accelerators Any Good? · · Score: 1

    See here for info about a soon-to-be-released ZFS implementation based on that source code.

  14. Re:So much for Bilderberg conspiracies... on Wikipedia Edits Forecast Romney's Vice Presidential Pick · · Score: 2

    I suspect their exact words were, "If you think you can do a better job at running this university on such a small budget...".

    Besides, I think it's perfectly apt. It gives him a chance to put his money where his mouth is. If he succeeds, then American universities are horribly inefficient. If he fails, the Republican education policy will be unimpeachably shown as an abject failure.

  15. Re:Apple on Wired Writer Hack Shows Need For Tighter Cloud Security · · Score: 1

    I just choose random words and phrases that have nothing to do with the original question. For example:

    • Best friend's first name: Ontario, Canada.
    • Place where your mother was born: Sam Donaldson.

    And so on.

  16. Re:Too cool on NASA Releases HiRISE Images of Curiosity's Descent · · Score: 4, Insightful

    Unfortunately, things are going the other way. NASA's unmanned space budget is being cut.

    Here lie the last remaining artifacts from a once-great race—the humans—their great potential cut down in its prime by their tremendous lack of foresight. For centuries, the great thinkers had shouted the need to venture among the stars, but their leaders were too busy worrying about building bigger and better weapons to defend themselves from their neighbors. When the great war came and the environment was poisoned beyond the ability to sustain life, the politicians pointed fingers and blustered their "I told you sos", but in the end, it made little difference. Their fate was sealed long before.

  17. Re:The Steve at Apple everyone SHOULD listen to on Wozniak Predicts Horrible Problems With the Cloud · · Score: 1

    The number may be mostly bogus. I have no idea. It's the only number I could find on the subject, so it's the best I could do. :-)

  18. Re:Victims of their own greed on Carriers Blame the iPhone For Data Caps and Increased Upgrade Fees · · Score: 1

    I'm all for hating on the telcos, but sometimes "just build more towers" is much, much easier said than done. For instance, it takes three years [techcrunch.com] to get one built in San Francisco. Granted, not every place is as downright insane as San Francisco is, but it's worth mentioning.

    Yeah, but unless the problem you're trying to solve involves the actual inability to cover a particular area because of geographical limitations (e.g. houses in the shadow of one of San Francisco's hills), most of the time, you don't need to build new towers. You just need to switch the existing antennas to use more tightly focused patterns, then double or triple the number of antennas on the existing tower. Boom. Instant increase in tower capacity. That should almost always work, with the possible exception of high-density "problem" areas (e.g. convention centers, stadia, etc.). And, of course, those problem areas (high density areas) are almost never the areas where people scream about unsightly towers anyway.

  19. Re:No. on Wozniak Predicts Horrible Problems With the Cloud · · Score: 1

    Those folks buy a Time Capsule. It's a NAS box, but designed to be easy enough for your average person to use (at least on a Mac; I've never tried doing backups on Windows, so YMMV).

    Or if you're really paranoid, you do what I do, and buy a fireproof hard drive and attach it to the USB port on an Airport Extreme. Better yet, attach it to the USB port of a Time Capsule, and tell Mountain Lion to alternate between both disks.

  20. Re:The Steve at Apple everyone SHOULD listen to on Wozniak Predicts Horrible Problems With the Cloud · · Score: 3, Informative

    It's maintenance. No one does it.

    Only in the Windows world. On the Mac platform, where reasonably convenient backup functionality is built into the OS itself, and where it is cleanly integrated with the manufacturer's wireless access point/NAS solution (Time Capsule), about 55% of users back up regularly (source: PC Magazine), as compared with only around 11% of Windows users (source: TechTarget).

  21. I'm surprised the TSA didn't arrest them. on MIT Students Reveal PopFab, a 3D Printer That Fits Inside a Briefcase · · Score: 4, Insightful

    After all, they could use it to make a box cutter and then hijack the plane.

    Yes, this is sarcasm, in case your detector is broken.

  22. Re:Why? on US Missile Defense Staff Told To Stop Watching Porn · · Score: 4, Insightful

    I don't think the GP was claiming that it doesn't happen. Image formats are relatively complex, and compressed audio and video formats doubly so. If you're going to have a security hole in an OS or a browser, odds are good that it will be in a codec somewhere.

    That said, what we have here is a pretty egregious misuse of the term steganography. Steganography refers to hiding data inside other data. A trojan image file that exploits a bug in your browser to load malware isn't steganography because there is no actual image. There's no hiding. It is merely the misrepresentation of one type of data as another type of data, which is a trojan horse, not steganography.

    Steganography would be Chinese dissidents using image files that contained a subtle watermark in the least significant bits to send coded messages to one another, or someone embedding a piece of software in the low order bits of an MPEG stream. Those examples meet the core requirement that the enclosing data be at least ostensibly plausible data. Note that opening such a photo or MPEG stream reveals a photo or a movie. It does not execute anything, because if it did, the secret payload wouldn't be very hidden, now would it? :-)

  23. Re:Oh, Google. on Google+ Account Suspended? You Won't Find Out Why · · Score: 1

    My bad. There was an error; I missed the one word you were referring to. That word should have been thee, as you implied. But the point still remains that it does not quite follow the same rules.

  24. Re:Oh, Google. on Google+ Account Suspended? You Won't Find Out Why · · Score: 1

    But seriously, it follows the same rules as "me", "my", and "mine".

    No, it doesn't. The GP's usage was correct. The word "thine" is also used instead of "thy" when the word after it begins with a vowel.

  25. Re:we already got a thread on Cybersecurity Bill Fails Today In US Senate · · Score: 2

    Actually not only are their bugs in software which let hackers in, but have you heard of social engineering??? That is the social problem that lets hackers in, people trust them too much.

    Social engineering is, indeed, a social problem, but it isn't specific to cybersecurity. You can do social engineering just as easily by postal mail as email, just as easily by telephone as by IM, etc. The only way to solve it is by convincing people that they need to think before they disclose information.

    More importantly, the most damaging social engineering risks, at least as far as cybersecurity is concerned, can usually be thoroughly mitigated by proper design. For example, the old "I'm from your ISP. Could you verify your password?" trick fails completely if you require a physical token in addition to a PIN. To the extent that social engineering attacks are still successful, it almost always points to fundamental failures in the design, like requiring the user to keep something secret that the user doesn't perceive as having any importance.

    Oh, is that why everyone is getting hacked, because they are putting resources into security?

    First, not everybody is getting hacked. Second, my proposed solution, making government-paid security pros available to audit and scrutinize businesses would solve those problems. It might be beneficial to add laws to make those audits mandatory whenever companies over a certain size or with certain pieces of information roll out major redesigns or something, but just having the resources available without huge costs associated with using them would be a great first step.

    Either way, no amount of network surveillance could possibly prevent any cyber attacks other than the most trivial denial of service attacks. In order to detect that bad requests are bad, you have to know that the flaw exists. Otherwise, you'll end up blocking legitimate requests. There's no reason I shouldn't be allowed to have "dgatwood'; drop table users" as my username, and unless you know that you have a quoting problem in your handling of usernames, there's no legitimate reason to disallow it. For that matter, if you treat such patterns as suspicious, I wouldn't be able to post this comment, so legitimate security discourse would be impossible.

    You don't prevent attacks by trying to chase after the bad guys. Period. That can't ever be effective because there are simply too many people outside the reach of U.S. law that have reasons to want to compromise our security, whether to steal money, pirate software, steal credit card numbers, or whatever. The only thing you can do is to try to make those systems as robust against attack as possible, and you can't do that through surveillance; you can only do it through actual code hardening, design hardening, etc.