Slashdot Mirror


User: plover

plover's activity in the archive.

Stories
0
Comments
7,233

Comments · 7,233

  1. Re:Darn... no iPhone update on Apple Intros 17" Unibody MBP, DRM-Free iTunes · · Score: 1

    Actually, there was no update of any value. I walked past the Apple store at 7:00 tonight, and the place looked only as busy as any other ordinary Tuesday evening. This Macworld generated no buzz, drove nobody into the stores. When the iPhone came out, people were lined up outside the store to see them. When the Air was launched you had to jostle through a crowd to see the display in the store windows. Today? I didn't even see a line at the front counter. And I know it's not because their checkout magically got faster.

    At least their stock didn't tank on the (lack of) news. I have plenty of friends with money in them, they don't need more bad news.

  2. Re:flow? on Employees the Next (Continuing) Big Security Risk? · · Score: 2, Informative

    But using data flows to catch insiders? A doubtful proposition. Insiders would likely steal/sabotage the data they work with daily, so it would be expected to see flows to those people.

    Not necessarily.

    In a well-designed system, the data would flow only from the source to the destination, with as few stops in between as possible, right? In the case of credit cards, they would come into a cash register, travel to the authorizing system where they would be sent to an authorizer, then travel to the accounting system to be submitted for payment. While a guy who operates the authorizing system may have the authority to see the traffic trickling by as it happens, if he requests a block of 10,000 authorization records all at once, that's not the normal flow. An IDS can theoretically tell the difference.

    Or what if the guy in accounting suddenly emails a 10MB file? That's not his normal pattern either. Again, an IDS can see that difference between "normal" and "abnormal".

    They aren't necessarily crimes -- maybe the authorizer was researching a bug, or maybe the accountant was sending big JPEG pictures of his cat to his daughter. But they were both anomalies, and there's definitely a correlation between network anomalies and insider data theft.

    And I'm not saying IDS systems are perfect. Far from it. These systems can absolutely be worked around by a knowledgeable criminal, and there are plenty of false positive anomalies in a normal network to keep a team of investigators busy forever. But think about the damage they'd prevent if they did catch an evil insider before your data was sold to a Russian mobster. Just consider them one more layer in the security onion.
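The flow-baseline idea in the comment above, as an added example that is not the commenter's code nor any IDS product's logic: it learns a per-user, per-hop volume baseline from historical flow records, then flags a new flow when it leaves the expected path (a register talking straight to accounting) or when its size is far above that user's usual pattern (a 10,000-record pull, a 10 MB mail). The hop names, user names, sizes and the "mean plus three sigma, never tighter than 1.5x the mean" threshold are all assumptions constructed for this example.

```python
"""Flow-anomaly check modelled on the comment's payment path.

Constructed example: hop names, users, sizes and thresholds are made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Expected hop-by-hop path for card data, plus ordinary outbound mail.
# These hops are an assumption for the example, not a real system's topology.
ALLOWED_HOPS = {
    ("register", "authorizing"),
    ("authorizing", "authorizer"),
    ("authorizing", "accounting"),
    ("accounting", "bank"),
    ("accounting", "mailhost"),   # email itself is normal; its size may not be
}

# Constructed baseline of "normal" flows: (user, src, dst, size).
# size = records pulled for the authorizer operator, bytes for mail and bank.
BASELINE = [
    ("ops_bob", "authorizing", "authorizer", 40),
    ("ops_bob", "authorizing", "authorizer", 55),
    ("ops_bob", "authorizing", "authorizer", 48),
    ("ops_bob", "authorizing", "authorizer", 60),
    ("acct_dan", "accounting", "bank", 2800),
    ("acct_dan", "accounting", "bank", 3100),
    ("acct_dan", "accounting", "bank", 2950),
    ("acct_dan", "accounting", "mailhost", 120_000),
    ("acct_dan", "accounting", "mailhost", 80_000),
    ("acct_dan", "accounting", "mailhost", 150_000),
]

# Constructed flows to evaluate against that baseline.
NEW_FLOWS = [
    ("ops_bob", "authorizing", "authorizer", 52),        # ordinary trickle
    ("ops_bob", "authorizing", "authorizer", 10_000),    # bulk pull of records
    ("acct_dan", "accounting", "mailhost", 10_000_000),  # the 10 MB email
    ("acct_dan", "accounting", "bank", 3000),            # ordinary settlement
    ("clerk_eve", "register", "accounting", 500),        # skips the authorizer
]


def build_profiles(records):
    """Per (user, src, dst): mean and population stdev of observed sizes."""
    sizes = defaultdict(list)
    for user, src, dst, size in records:
        sizes[(user, src, dst)].append(size)
    return {key: (mean(v), pstdev(v)) for key, v in sizes.items()}


def volume_limit(avg, sd, sigmas=3.0, floor_ratio=0.5):
    """Alert above mean + 3 sigma, but never below 1.5x the mean, so a very
    steady baseline (sd near zero) does not page on every small fluctuation."""
    return max(avg + sigmas * sd, avg * (1 + floor_ratio))


def check_flow(profiles, flow):
    """Return the list of reasons this flow is anomalous (empty if normal)."""
    user, src, dst, size = flow
    reasons = []
    if (src, dst) not in ALLOWED_HOPS:
        reasons.append(f"off-path hop {src}->{dst}")
    key = (user, src, dst)
    if key in profiles:
        avg, sd = profiles[key]
        limit = volume_limit(avg, sd)
        if size > limit:
            reasons.append(f"volume {size} exceeds baseline limit {limit:.0f}")
    else:
        reasons.append("no baseline for this user on this hop")
    return reasons


def find_anomalies(profiles, flows):
    """Pair each anomalous flow with its reasons; normal flows are dropped."""
    findings = []
    for flow in flows:
        reasons = check_flow(profiles, flow)
        if reasons:
            findings.append((flow, reasons))
    return findings


if __name__ == "__main__":
    for flow, reasons in find_anomalies(build_profiles(BASELINE), NEW_FLOWS):
        print(flow, "->", "; ".join(reasons))
```

As the comment notes, a hit here is an anomaly, not a verdict: the bulk pull may be a debugging session and the big mail may be cat pictures, so the findings feed an analyst queue rather than a block rule. The floor on the volume threshold is the practical detail that keeps a quiet baseline from drowning that queue in noise.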

  3. Re:Potential "kick in the ass" that we need? on Four Threats For '09 You Haven't Heard of · · Score: 1

    Hrm. I hadn't thought about the drafted bills thing, but that's a good point. I'll disagree with you on bills outlawing cryptography though - intelligent people would be able to argue too strongly against such measures.

    Dude, reread what you just wrote. You seriously think intelligent discourse is going to sway votes in Congress? It's going to take a lot more than that: it's going to take some serious campaign donations or some other greased palms to avert a crisis of stupidity.

  4. Re:classic transferance on Four Threats For '09 You Haven't Heard of · · Score: 1

    You're mixing physical threats with electronic threats, and not properly sorting out the risk differences between them.

    Anything connected to a network can be "attacked" by another node on the network, if proper precautions aren't taken. On the bare Internet, malware attacks come knocking about once a minute as all the botnets come around probing for weaknesses. That's not a one-in-a-billion chance, it's a demonstrable fact. Sensible precautions there include firewalls, fully patched machines, intrusion detection systems, and laying down restrictions on people to not bring outside stuff inside the firewall. At least they're sensible to people who have to deal with these problems. But they probably seem like outlandish paranoia to Joe Sixpack, and they're expensive precautions in these days of reduced income. And inevitably, some hospital / clinic / fire station / public safety organization is going to fall down on the security job, and some sleazeball is going to take advantage of them, making headlines. It's an easy prediction to make: that one out of 11,000 hospitals will make a security mistake is not even a long shot.

    Is malware going to lead to an increased incidence of adblocking? It's an interesting concept, and one worth considering if you're in the business, (even if you personally think the idea is far-fetched.) Will extremists try targeting Western sites? They already are, they just suck at it today, and I seriously doubt they'll get any better (although I'd laugh if CNN.com came up demanding jihad against the West.) Will some global exploit really lead to a giant security hole? We already call it "spam" or "phishing", although it hasn't led to mass panic.

  5. Re:Sounds like a sales job to me. on Four Threats For '09 You Haven't Heard of · · Score: 2, Interesting

    Actually, it probably wasn't as expensive as you might think. Hang Wi-Fi access points around the place and let those get to the "untrustworthy" network. Use the physical Ethernet jacks installed 10 years ago to access the critical network. Pile the rules into the routers to permit only the business ports to and from the business machines. And set IDS systems to keep watch for suspicious traffic there, too.

    If data transfer to and from the critical network is a requirement, such as exchanging X-rays with a partner clinic or whatever, a bastion host would be the only way to pass data between them.

    Then you can go after the desktops with physical access to the critical network, and make sure they're running an absolutely stripped down installation -- no USB ports, no autorun, no unneeded services, one-minute timeouts on screen saver activation, etc. If I were configuring them, I'd even remove Explorer as the shell, and restrict them to a custom menu of blessed applications.

    It really just takes time, money, and planning, but it's doable. And it's something they can't afford to get wrong.

  6. Re:"The Unthinkable" on Four Threats For '09 You Haven't Heard of · · Score: 2, Funny

    "He didn't fall? Inconceivable!"

    "You keep using that word. I do not think it means what you think it means."

  7. Re:The Cure to Cancer on A Robotic Cyberknife To Fight Cancer · · Score: 1

    That's because cancer is a catch-all word that describes the overall effect of unchecked mutated cell growth, but not the mechanism that causes it, nor the mutations that continue. Some cancers may have a common genetic cause, but the environmental cancers are thought to be caused by damage to the DNA.

    Things like flaws on the BRCA1 gene are associated with breast cancer, for example, and may initiate the disease on their own over time. These might be eventually preventable with a gene therapy designed to target the mutation. Others, such as mesothelioma, are due almost exclusively to a specific external exposure (such as asbestos.) Mesothelioma is thought to act when a tiny sharp fiber works like a little blender, chopping up random bits of DNA inside a cell that are then propagated as hundreds of tiny chromosomes that mix and match with each other. It's completely unpredictable. Essentially, each individual case of mesothelioma is a unique disease.

    The other thing to understand is the "cure" is almost always surgical excision or other means of killing the cancerous cells (gamma radiation, chemotherapy, or whatever.) Prevention is likely to be the most effective solution we come up with. Gene therapy might someday help prevent BRCA1-caused breast cancers, but the cancerous cells that reproduce in weird, non-repeating ways will likely be virtually impossible to target with off-the-shelf drugs. Avoiding exposure to those carcinogens is the only sure way to avoid the cancer.

  8. Re:Wait a pain... on 400,000 PCs Infected With Fake "Antivirus 2009" · · Score: 2, Interesting

    I hope one of those fakers takes Microsoft to court over this and publicly identifies themselves. There are many pissed-off users that would be happy to take a baseball bat to them. One of them would likely be on the jury.

  9. Re:Don't get me too far wrong... on AMD Releases Open-Source R600/700 3D Code · · Score: 1

    But when his company uses sham "donations" of software licenses to reduce their tax liability, I have a problem with that.

    That's the same thing. YOU think Microsoft's donations are a sham tax dodge. So do I, but as I'm trying to point out, our individual opinions are irrelevant. That's up to the IRS and the courts to decide, and if it's wrong, there will be repayment with penalties and interest. If it's judged OK by society, then there is nothing wrong with it, and we simply have to accept it. It's just not our individual choices that count.

    Besides, if Microsoft saved half a billion dollars in a shady tax dodge and billg gave away a billion, his foundation will probably spend the difference more effectively than Congress ever would.

  10. Re:No weakness on CCC Create a Rogue CA Certificate · · Score: 1

    That makes a lot more sense now, thanks for having the patience to explain it to me. I kept trusting the linked page and the illustrations which implied the new cert was a pure derivation from the cert they purchased.

  11. Re:No weakness on CCC Create a Rogue CA Certificate · · Score: 1

    Again, RTFA. They start by acquiring a legitimate certificate with an MD5 hash signed by a trusted root authority. They then create a new certificate of their own that produces the same signature as the one the certificate was assigned. That is the latter of your choices that you claim can only be brute forced, and it is the approach they claim to have optimized. To optimize "brute force" means they must be taking advantage of some weakness in MD5.

  12. Re:This is neither on AMD Releases Open-Source R600/700 3D Code · · Score: 1

    I see many responses in this thread, all with the same kind of complaining about Microsoft having made too much money, or not deserving the money that they made ("skimming"). It's very much the same as the argument for piracy that the RIAA / MPAA charges "too much" for their product. You've all established some mental threshold of bits per dollar, and because Microsoft / RIAA / MPAA charges more than you think it's worth, they're somehow overcharging or that it costs them nothing.

    The real answer in a free market economy is "the value of X is whatever people are willing to pay." If some people are willing to fork over $399 for a copy of Office, then Office is worth $399 to them. It is not up to you to pay only what you think it's worth, nor is it up to you to judge what others think it is worth -- if I think it's worth $199 and buy it on sale for $199, at no point does your opinion of the price matter in that transaction. And if you think it's only worth $20, well, Microsoft begs to differ, and they are under no obligation to sell it to you for that price.

    You may complain that the price is too high -- then don't buy it. Download a free alternative. Go without. Buy a Mac. Write your own. But that does not change the value to me, nor to Bill Gates, (unless enough people find alternatives, at which point the whole demand curve thing kicks in.) Microsoft earned the money they have, despite your opinions about the manner in which they earned it.

    If you think they earned it illegally, that's a different issue, and one our society is well-suited to solve. You have every right to file a lawsuit against them, claiming that they overcharged for their products, or that they did something unethical that caused them to make more money than they should have. Even then, you do not get the right to judge that trial yourself. That goes before a judge and jury, who make the decision on behalf of all of our society. And even then, the punishment or remuneration will be handed out by the court -- you may say that Office is only worth $0.50 for the disk and box, but the court may say it's worth something else. But the trials have been held all around the world, and Microsoft still has swimming pools filled with money. It all seems very legitimate to me.

    Bottom line: it is not now, nor will it ever be your decision that counts whether or not he made or deserves the money. He has already made it. It's done. Now, if he wants to spend a truckful of it in Africa, that's also his choice. Whether he wants to clean a guilty conscience, buy himself a place in the history books, get a giant statue out of the deal, or whatever, that's also up to him and not you. The rest of the world calls that philanthropy. Just because you don't agree because it doesn't fit your situational definition doesn't invalidate that claim either.

  13. Re:Alright this Internet is ruined on CCC Create a Rogue CA Certificate · · Score: 3, Interesting

    I wonder how broken the intarwebs would be to me if I simply deleted all the MD5-based root certificates from my box? Would I even notice?

  14. Re:No weakness on CCC Create a Rogue CA Certificate · · Score: 2, Interesting

    Brute force? Not according to TFA:

    In the interest of protecting the Internet against malicious attacks using our technique, we have omitted the critical details of our sophisticated and highly optimized method for computing MD5 collisions.

    It says they compute collisions, which is indeed a weakness in MD5. Even if they use brute force, the fact that it's forceable is still a weakness.

    Now, MD5 still probably makes for a pretty good checksum for utilities like Tripwire and such, but for security it's broken, broken, broken.

  15. Re:Why trust the PKI? on CCC Create a Rogue CA Certificate · · Score: 1

    Better yet, why don't they give you a smart card containing their certificate, your secret key, and provide your key encryption functions? The U.S. Army does something similar to this today -- their ID cards contain private keys for the personnel. (Unfortunately, adding the CA certificate needed to trust the card is a tedious process.)

  16. Re:this is either on AMD Releases Open-Source R600/700 3D Code · · Score: 4, Insightful

    Why can't it be both? I'd say the Gates Foundation has been far more successful at promoting Microsoft than some of their more direct efforts.

    We all joke about his billions of dollars, but to see them put to use attempting to vaccinate an entire continent, I gotta tell ya that is a pretty damned impressive thing to do.

    Don't get me wrong, donations of time and money to Open Source projects are also good and noble things, and they provide infinitely-copyable and long-lasting amounts of good. But if someone asked me "who did more good, the guy who saved x-hundred-thousand kids or the guy who donated an improved scheduler algorithm to the Linux core?" there's only one way a human being could answer that question. There is a different question in there, and that is "who donated more overall effort?" Gates' money made him rich enough that he may not even feel the pinch of spending $37 billion, but the coder likely sweated over his efforts for months, sacrificing evenings and dinners with his S.O., etc. And I suspect it's part of the job of the foundation to ensure the first form of the question is asked on camera, and not the second.

  17. Re:What a bunch of Crap! on Worlds.com Sues NCSoft Over MMO-Patent · · Score: 1

    Q: How do you stop a Patent Examiner from choking to death?
    A: Take your foot off his throat.

  18. Re:Someone actually listens to NPR? on Penny Arcade On NPR · · Score: 1

    No, he listens to Faux News.

    Fixed that for you.

  19. Re:Can't seem to run the virus on my mac on Walmart Photo Keychain Comes Preloaded With Malware · · Score: 1

    Ever hear of the Virus Creation Laboratory? Better than open source, it was a code factory that emitted them without heavy duty coding at all.

    The scary thing is how advanced the concept was, especially back when viruses weren't even a source of income. Picture a fully funded criminal organization pouring money into virus research and development today!

  20. Re:Did you tell Walm*rt? on Walmart Photo Keychain Comes Preloaded With Malware · · Score: 1

    I agree with you that it's almost certainly a false positive (I also saw the only "specific" virus signatures reported weren't found by the major products, but visiting their web sites showed that they indeed knew about the specific viruses the others reported.) However, it would still be of value to contact the retailer and let them know what he found. If nothing else, they need to be able to reassure their other customers that they've researched the problem and found that it's a mistake in the anti-virus software. That's part of the whole "don't threaten them with a lawsuit" approach I recommended.

    The other thing to consider is if the average Walm*rt customer pays for 'decent av products' or if they just leave the 3-year-old shovelware that came with their $199 computer in place? Your average /. reader probably won't see a false positive, but the average American might. Walm*rt, above virtually all other retailers, has to deal with the least common denominator on a frequent basis.

  21. Re:more to come... on Walmart Photo Keychain Comes Preloaded With Malware · · Score: 1

    Maybe you need to get down with the Hooked on Phonics conspiracy; it's ulterior, not "alterior".

    Depends on the news server. I used to claim to read alt.erior until my wife discovered I was just downloading the pictures.

  22. Did you tell Walm*rt? on Walmart Photo Keychain Comes Preloaded With Malware · · Score: 4, Informative

    Write them a letter telling them what you found. Try this link http://walmartstores.com/contactus/feedback.aspx to get to their headquarters, where something might get done about it. Include enough technical detail for them to replicate the problem, especially the model number or any other identifying information from the package.

    If you want someone to care enough to write back, try to not sound accusatory or threaten to sue them. I'm sure they get enough of that on a daily basis.

  23. Do these get better just because of time? on First Look At Windows 7 Beta 1 · · Score: 4, Interesting

    Everyone seems to have the opinion that Vista was a failure. My wife (a non-techie) hates Vista because her ancient accounting app periodically crashes ever since switching to Vista. I assume many other people had the same sorts of issues with many other apps.

    But now three years have gone by, and many of those apps have been patched, become obsolete, or replaced with working alternatives. That means the remaining apps are now in an ideal position to work correctly in Windows 7. Is it possible that Windows 7 could be exactly the same crap as Vista, but because so much time has gone by it doesn't matter as much?

    I think we saw the same thing with the transitions from Windows 98 to Windows ME to Windows XP.

  24. Re:SUVs on Can the Auto Industry Retool Itself To Build Rails? · · Score: 1

    Why not use taxes to modify our behavior? The free markets won't do it by themselves. They can't. The free markets will pump oil from the ground and dump it into the air and water, damn the consequences. Only government interference through various punitive legislative actions changed that. Taxation on pollutants is simply a more productive way to accomplish the goal.

    Even supposing for a minute that most of us are smart enough to boycott an industry that's poisoning our planet (which we have repeatedly demonstrated we're not) it only takes a few rich people making money off the product to keep production up.

    No, the bigger reason I agree with you is that governments are historically notoriously bad at figuring these problems out and solving them. Even if they nailed it right the first time (which they never do,) and even if they were able to keep corruption out of the process (which they never do,) they'd never adapt quickly enough to keep up with market or social changes.

    Anyway, if the free market can't fix the problem by itself, how else will it get fixed? Or are you saying there's no problem with continuing to pump the remaining fossil fuels out of the dirt, because you'll be 90 years old when we hit the bottom of the well? Bad choice.

  25. Re:SUVs on Can the Auto Industry Retool Itself To Build Rails? · · Score: 1

    This seems to be the ideal problem to employ a Pigovian tax (assuming the politicians can keep their hands out of the money stream, a not very safe assumption.) Take the revenue from the tax and apply it strictly to alternative energy or transportation sources. It could be used to pay for rail improvements, mass transit systems, hybrid energy research, biofuels, electric cars, battery systems, or even urban planning activities to reduce suburban sprawl.

    Theoretically, it's a money feed that will shut itself off as the alternatives rise in popularity. Should the premier alternative falter, the tax can even be used to prop up other alternatives.

    Of course, the bigger problem is a money hose like that doesn't go ignored. Auto makers, railway companies, battery makers, gas companies looking to produce hydrogen, etc., etc., etc., will all be clamoring for money, and that environment invites corruption with both arms held wide open.