Slashdot Mirror


User: hawguy

hawguy's activity in the archive.

Stories
0
Comments
5,882
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,882

  1. Re:Encrypt it then on Google Asks 'Who Cares Where Your Data Is?' · · Score: 1

    Even if the data is encrypted, if you're using a virtual server in The Cloud, then the server requires the key to decrypt it, and anyone with access to that virtual machine can then read the data.

    Then don't do that -- obviously if your cloud provider has both your encyption key and encrypted data, they can decrypt the data.

    if your data is so sensitive that you're worry about it residing on a disk drive in Nigeria, then you should probably be just as worried when it resides on a disk drive in your own datacenter in NYC - someone can steal it either way regardless of local laws.

    Encryption would only make the data safe if you're reading it back from The Cloud, processing it, and sending updates back to The Cloud. Which would seem an odd way to do things unless you want to have access to the same data from multiple sites around the world.

    Many applications have sensitive data that a few people should have access to, and non-sensitive data that the world can see. So use client-side Javascript to PGP encrypt sensitive data before it's stored in the cloud. Then client side PGP (or a thick client) on your employee's workstations will let them decrypt the data, without giving Google a chance to see it at all.

  2. Re:That's Google for you. on Google Asks 'Who Cares Where Your Data Is?' · · Score: 1

    If that's the case why doesn't Google store its data with Amazon or Microsoft? I'm sure both Amazon and Microsoft will give Google a deal on data storage.

    I think because it's more expensive and has higher latency. For a small business, Amazon S3 is much cheaper than an enterprise storage system and if you use availability zones and regions wisely, you can end up with an extremely robust storage system for not a whole lot of money.

    But when you already have datacenters across the country and require petabytes of storage, it's generally cheaper to buy your own storage directly rather than buy from a intermediary... or even create your own cheap storage systems from scratch. At the scale of Google, I don't see how Amazon or MS can sell storage for less than what it would cost Google to purchase.

    Plus, having the storage close to their servers means lower latency and higher performance.

  3. Re:Encrypt it then on Google Asks 'Who Cares Where Your Data Is?' · · Score: 4, Informative

    If the data is sensitive, you should be encrypting it anyway

    Sure, because if the data is encrypted, the only people who can get into it are those with gigantic server farms. (Like Google)

    Besides, who would be interested in random encrypted data? It would be cost prohibitive to decrypt data to peek at it, unless there are advances in supercomputing. (Which google is actively working on)

    The only company which would want to do that is one which has a business model built on collecting and monetizing private data (See: Google)

    Yep. I can't see any reason why people should care about where they store cloud data.

    AES256 is crackable with a complexity of 2^99.5: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

    So, if Google's advanced supercomputer can crack a billion keys/second and they have 1 billion computers at their disposal to do the cracking, it would only take them around 1 x 10^17 years to crack your data.

    Of course, now that you've figured out their plan, they're going to have to kill you, and they will surely do so within 1 x 10^2 years.

  4. Re:With Google on Google Asks 'Who Cares Where Your Data Is?' · · Score: 2

    I know where your data is. I know it's located in a few data centers. I can kill those data centers and your business is dead.

    If you have the power to kill a few Google datacenters, why don't you just use that power to kill the business directly?

  5. Re:Encrypt it then on Google Asks 'Who Cares Where Your Data Is?' · · Score: 4, Insightful

    But if it's sensitive, it should still be encrypted, even if it's in your datacenter.

  6. Re:CVV data? on Citi Bank Reveals Attack... One Month Late · · Score: 1

    I'm not saying anything about this incident, I'm disputing your statement that a network attached system can be rendered impervious from outside attack:

    But it should be stored on systems so inaccessible to the outside, as to be impervious.

    I know, that. sounds. naive. But it can be done.

    I'm sure that RSA wasn't storing secret keys on a workstation running Flash, yet a Flash vulnerability gave hackers the stepping stone they needed to get into secure servers.

  7. Re:CVV data? on Citi Bank Reveals Attack... One Month Late · · Score: 1

    Well, one way is to santitize input and discard anything not expected. Most processing platforms do this. Try FTPing into any major platform some time. Another way is to ensure that whatever the external platform gets, it is parsed and sent on. No, our platforms don't even recognize characters used in injection attacks etc, and those don;'t even get passed on.

    It is possible. RSA and Lockheed got used because they failed. Not every other system is run by incompetents.

    That's why computer security is so hard - hackers rarely come in the way you expect them to. In RSA's case, they exploited a previously unknown Flash vulnerability - you can sanitize inputs all day long, but when the hacker takes over your workstation because they managed to get you to view an infected Flash ad, he suddenly gets the same access to your secret data that you have. (you may say "I'm safe because I don't run flash", it doesn't matter - exploits can live in any software or operating system, maybe the next hack will come from infected hard drive firmware)

    At Lockheed, hackers (supposedly) compromised RSA tokens based on information from the RSA hack and used those tokens to hack into the network. The very same RSA tokens that many companies use to implement 2 factor authentication to make sure that hackers can't get in.

    There is no absolute security for any computer connected to a network (or any exposure to computers that are connected to a network) - no security expert I know will guarantee security. It's all about mitigating risks to make a compromise less likely. I think it's unlikely that the people protecting top secret data at Lockheed are complete incompetents

  8. Re:CVV data? on Citi Bank Reveals Attack... One Month Late · · Score: 1

    Precisely. But it should be stored on systems so inaccessible to the outside, as to be impervious.

    I know, that. sounds. naive. But it can be done.

    Really? You should tell RSA and Lockheed how to make computer systems storing high value data impervious to the outside. I'm sure they could use the help.

  9. Re:How to get the attention of Banks on Citi Bank Reveals Attack... One Month Late · · Score: 1

    If we want to get the attention of the banks, the fine for compromised credit card accounts should be equal 10% of the credit limit for the cardholder. So if my card has a $10,000 limit and my personal information is compromised, I get a *CHECK* from Citi in the amount of $1,000, not a credit to my account I get real money.

    How would you justify this fine? What is the cost to you for a lost name and account number and a reissued credit card? The bank is already on the hook to eat unauthorized charges and reissue cards, but what are your real losses? And why is it based on your credit limit? Shouldn't it be more of a factor of your average activity? I have a $15,000 limit on a card that gets maybe $100 or less of use in a typical month.

    Now if the SSN was released, that's a whole different scenario and the banks should pay dearly - not just some credit monitoring service.

  10. Re:CVV data? on Citi Bank Reveals Attack... One Month Late · · Score: 1

    how does amazon get away with this, then? I'm curious. amazon has 'one click' and even if you don't use that, I've NEVER had to re-enter cvv strings to use my 'on file' CC with them.

    I imagine that they just don't use the CVV for future transactions. They use it the first time to make sure that you have possession of the card, but after that first transaction, they just process transactions without the CVV. The CVV isn't required, though it reduces the merchant's chance of chargeback and often results in a lower transaction fee (though Amazon's negotiating power probably means that they don't pay a higher transaction fee for future non-CVV transactions).

    On Amazon, if you ship a product to a new shipping address, they ask for the card number + CVV again (or maybe it's just the CVV?) to make sure that you're the one that authorized the new address.

  11. Re:I MAY believe them... on Citi Bank Reveals Attack... One Month Late · · Score: 1

    I agree that the data breach is inexcusable, but wait a minute -- you claim it's somehow their problem that you are apparently emotionally attached to a 16 digit number?! WTF? I wouldn't mind not having a fixed CC number period. For all online transactions I'm using their single-use number generator (virtual account number), and for brick-and-mortar stores I try to use cash whenever possible.

    I've memorized my account number and use it nearly everywhere. Over the years I've had it compromised twice, but fortunately they've only changed the last 4 digits (plus the CID) so it's easy to remember the new one.

    Since I have it memorized and it's quick and easy to type for a new purchase, I never check the box "Remember this credit card for your next purchase" to help limit the chance of someone getting the card number, though I don't know if merchants really prevent it from being stored if I check that box.

    I do use a virtual account number when dealing with a shady merchant.

  12. Re:CVV data? on Citi Bank Reveals Attack... One Month Late · · Score: 1

    Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).

    I don't play with enough credit card data to call the card number a PAN, but Card issuers/processors are allowed to store the CVV (duh, otherwise they wouldn't be able to validate it) so it wouldn't be surprising if Citi lost the CVV too.

    But since payment systems are often complex systems with software pieced together from multiple vendors, it's easy for a merchant to inadvertently store the CVV without even knowing it, I have an open bug request for a supposedly PCI compliant application (it's on the list of Validated Payment Applications) that drops the entire card number + CVV into a transaction log file under certain circumstances.

  13. Were they PCI compliant? on Citi Bank Reveals Attack... One Month Late · · Score: 4, Interesting

    Did the systems that had the data stolen meet PCI compliance guidelines? If not, can I levy non-compliance fines on the bank for not following their own standards for protection of cardholder data?

  14. Re:You're approaching it all wrong. on Ask Slashdot: What To Do With Other People's Email? · · Score: 3, Insightful

    I have the same problem, I particularly like the misdirected emails send by law firms - they invariably have a disclaimer saying that if I receive an email in error, I must destroy all copies of it.

    I like to reply and tell them that in order to comply and delete the email off of all devices that the email ended up on (which is at least 5 different devices), I'll need to bill them for the work. So far none of them has offered to pay the bill.

    I've often wondered if I could just spend an hour or two to go around deleting the email from everywhere it was delivered, and send them a bill. After all, they told me that I *must* do it and since it was their error that sent me the email, I shouldn't have to pay for it.

  15. Re:how do they know? on 25% of US Hackers Are FBI/CIA Informers · · Score: 1

    But I think the problem is that you can't identify the set of "all hackers" as "set A".

    They are purposely trying to be invisible and hard to identify.

  16. Re:how do they know? on 25% of US Hackers Are FBI/CIA Informers · · Score: 1

    While your complaint is legitimate, there's nothing inherently uncountable in a vast, anonymous group. Consider a group where (a) there are lots of members (b) you don't know the real identities of any of those members (c) you do have a complete listing of the fake identities of all of the members. It's vast, anonymous, and countable.

    I have over a dozen online usernames and I'm not even trying to hide my identity, but these anonymous "superhackers" somehow decided to identify themselves with a single unique identifier?

    There's very tenuous anonymity behind a unique identifier.

  17. how do they know? on 25% of US Hackers Are FBI/CIA Informers · · Score: 4, Insightful

    They say there are vast, anonymous networks of hackers, yet somehow they know they they've gotten 25% of them to work for the FBI? How do you calculate 25% of an unknown number? Or is there some Hacker registry at 2600 magazine that I'm not aware of (not being a hacker myself, I didn't get an invitation to join).

  18. It's not just Bitcoin on Bitcoin Used For the Narcotics Trade · · Score: 1

    Is this really a surprise? Everything with some intrinsic value is used for the drug trade. Dollars, Euro, Yen, Gold, Weapons, iPods, Other drugs, etc. People even barter services for drugs (i.e. I'll fix your car if you give me pot).

    Since drugs are a physical product that has to change hands eventually, the drug trade would continue to thrive even without some virtual electronic currency.

  19. Re:Should have gone like Southwest on Court Demands American Airlines List Its Flights On Orbitz · · Score: 1

    Trust me, you don't want to book a multi-carrier flight through a third party website anyway.

    While I do avoid multiple carriers on one leg of the flight, I just booked a multi-carrier open-jaw itinerary on Orbitz where I used one carrier on the way there, and another one on the way home. Saved me $150 (times 2 tickets = $300) over the single-carrier options.

    This is where having all of the carriers on one website is really valuable, otherwise I'd have to price one-way flights on every carrier's website, then put them in a matrix to figure out the cheapest combination myself. I don't even know if two one-way flights are a cheap as a round-trip multi-carrier itinerary? American doesn't fly to both airports I'm going to, and their one-way flight cost more than my entire round-trip ticket.

  20. Re:Patents can be avoided and new servers created on Skype Protocol Has Been Reverse Engineered · · Score: 1

    It doesn't have to work with Skype, it just has to be as good as Skype and to be open.

    I don't think that's true - there are a number of other video conferencing products out there, some are open, others are not, but as long as Skype continues to work on Windows/Mac and is free, there's not much reason for most people to switch.

    Imagine people being able to set up their own private Skype-like servers for personal and business use

    I'd be surprised if significant numbers of people set up their own servers - small businesses aren't likely to have the time (or desire) to set up their own servers, large businesses don't care if they have to pay (and many probably already use OCS/Lync)

  21. Re:What the story really means on UK Government Ditches Cloud Concept, Consolidates Data Centers · · Score: 1

    I thought that Amazon would be more reliable than even a system that I was maintaining myself, until that outage. They must have multiple engineers, redundant servers and connections, insane amounts of bandwidth, etc.. it's weird that it would go down at all when you have that much money and resources to throw at it, barring someone hacking the system.

    Of course, Amazon's cloud is more reliable than what most small companies are able to put together.

    A car accident that takes out the utility pole or transformer outside of their building can result in a longer outage that what Amazon experienced. (trust me, I know - a small office complex I once worked at had the power down for 72 hours to replace a large transformer that was clipped by a piece of construction equipment, causing some spectacular sparks and blown fuses somewhere in the 10,000 volt feeder. A large part of the delay was bringing in a large crane to lift the transformer over the building since there was no usable path for a truck to drive around the building. Fortunately, I wasn't working in IT, so the only impact on me was a 3 day paid vacation while the building was dark).

    Most small companies can't afford a backup generator, redundant cooling, diverse internet connections delivered over multiple physical paths, 24x7 NOC, etc.

  22. Re:Less Successful than Other Reboots on DC Reboots Universe · · Score: 1

    er... really? your comment imagines that a ship in space should take the stress of a deep gravity well. I'd believe cobbwebs over scrith anyday, for what the future will bring.

    My comment doesn't imagine anything, I'm talking about a known (fictional) starship - we *are* talking about the Starship Enterprise, right? The starship that (at least in some versions) was designed with landing struts:

    http://www.foundation3d.com/forums/showthread.php?t=11037

    You can argue that there's no reason to design a starship such that it can land on a planet, yet the fictional builders of the Enterprise apparently feel differently. After all, these are the guys that decided to build it on the planet's surface.

    I could be persuaded that there's no reason to design it to withstand gravity - why don't you give me some rough calculations of the stresses on the hull of a ship at Warp 9 compared to the stresses encountered at rest in earth gravity. I haven't done the calculations myself, but I bet you'll find that gravitational stresses are minuscule compared to warp drive induced stresses. So there's no reason not to build the ship on earth.

  23. Re:Less Successful than Other Reboots on DC Reboots Universe · · Score: 1

    Building the Enterprise on the Earth's surface? Really?

    Why wouldn't you? The ship (at least one (or some) versions) is designed to land on planets, so it has to be able to withstand gravity. By building on the ground, you're eliminating the need to either build a huge pressurized hangar in outer space, or force thousands of workers to don mobility impairing space suits when they go to work.

    Submarines aren't built underwater, why should a spaceship be built in space?

  24. Re:Sounds like on Activists Destroy Scientific GMO Experiment · · Score: 1

    Most, if not all, GM plants are engineered so that they don't produce pollen. That's why farmers need to buy new seeds every year. This is done in order to prevent flux of engineered material to nature.

    Apparently not all:

    http://www.percyschmeiser.com/conflict.htm

    .. he has never, says Schmeiser, purchased seed from the St. Louis, Mo.-based agricultural and biotechnology giant Monsanto Co. Even so, he says that more than 320 hectares of his land is now "contaminated" by Monsanto's herbicide-resistant Roundup Ready canola, a man made variety produced by a controversial process known as genetic engineering. And, like hundreds of other North American farmer, Schmeiser has felt the sting of Monsanto's long legal arm: last August the company took the 68-year-old farmer to court, claiming he illegally planted the firm's canola without paying a $37-per-hectare fee for the privilege. ...

    I wish I shared your optimism that GMO crops are sterile out of a desire to protect the environment rather than a way to finacially lock-in farmers to annual seed purchases.

  25. Re:sad on Flight 447 'Black Box' Decoded · · Score: 1

    I believe GPS fixes your position in 3D space, difference in successive fixes can be crunched to yield speed and direction of travel.
    So it would not matter if you were on a road, or there is a strong jetstream on an aircraft.

    There is no question that GPS can calculate your ground speed and heading with great accuracy (usually).

    However, the more important speed for flying an aircraft is its speed relative to the air, i.e. the airspeed. Speed relative to the ground is nice to know for calculating ETA to the destination and fuel reserves, but it's the airspeed that matters to the control surfaces.

    If the GPS says that the airplane is traveling west at 200 knots and there's a 150 knot tailwind from the east, the effective airspeed is 50 knots - that's the speed the pilot wants to know and he won't find out from the GPS. Add in variable gusts from a storm system, and it makes it very difficult to fly the plane without airspeed indication.