Slashdot Mirror


User: mysidia

mysidia's activity in the archive.

Stories: 0
Comments: 13,354

Comments · 13,354

  1. Re:Find a new job on Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do? · Score: 1

    Yes and no... nowadays, with mandatory reporting in some cases

    So? They can ignore mandatory reporting, as long as it's not in the news and no end users can prove the breach. As long as management never acknowledges that there ever was a breach (experts can be cherrypicked to investigate, and eventually come to the conclusion that there was no breach for "formal documentation purposes" --- regardless if there was or not).

    If the authorities find out; it's just some fine anyways.

  2. Unless your job description specifically says, "Mitigate security vulnerabilities in code before deploying to production.", this is not your job. Your job is to do what your boss tells you to do

    This depends on your company, the organizational structure, and what your job actually is.

    If your boss asks you to do something that you can clearly demonstrate is illegal or against explicit company policy, and you have it in writing from the boss confirming they know about it, and to ignore the company's own policies ---- without the proper approvals from higher levels of management, then it might be time to visit HR, in order to report the policy violation so the HR staff can investigate/mediate.

    Some companies may very well have policies that say "No employee may deploy new software with any known security problems to a public-facing server."

    Frankly, I don't see what business a Senior Architect has deploying any code supplied by another department. Deploying software is clearly a system admin job, not a software developer job.

    If dealing with the security issues, or approving the release is not your job --- then you should not be standing in your team's way, or your boss' way.

    You might want to request a 4-way meeting with your boss, someone in QA, and someone in security, about the issue, and make sure the issues are in the relevant departments' radars, so that they will be addressed.

  3. Re:Bring boss facts and a tech recommendation, don on Ask Slashdot: Application Security Non-existent, Boss Doesn't Care. What To Do? · Score: 1

    CxOs would sometimes ask "should we do this" or "what should we do". I try to remember to answer "that's a business decision that's up to you, but FROM A SECURITY PERSPECTIVE ...".

    Too wordy.... "We would recommend X, because Y and Z."

    A true security professional is not going to look at everything purely from a perspective of maximizing technical security -- they will be concerned about the whole Risk management / Usability tradeoff thing.

    ....as I know the entire division that uses X may be getting laid off tomorrow.

    That's what is called pertinent critical information; that you had to know to make a reasonable recommendation in the first place.

    Obviously, you have to be informed about such known/planned things to make reasonable recommendations about anything they may affect.

  4. Re:Common knowledge on For First Three Years, Consumer Hard Drives As Reliable As Enterprise Drives · Score: 1

    Did you consider; that the Dell drives may be self-failing due to special firmware?

    Whereas; the same drive mechanics in a software RAID, without the special array controller and drive firmware --- would still be "failing", but the failure could be undetected longer.

    In other words --- a portion of the consumer level drives are failing, but due to the absence of array scrubbing and special drive firmware, the failure, and potentially many bad sectors, exist but have gone undetected, and a fair portion of the consumer drives may be eking out silent data corruption, unreliable performance, or worse.

    In some cases; the drive appears to be working, but the undetected failure could be picked up by a full read/write test.

  5. Re:Common knowledge on For First Three Years, Consumer Hard Drives As Reliable As Enterprise Drives · Score: 1

    , so the comparison is indeed pointless (more accurately, it's baseless).

    It's not totally pointless, but the claims made don't seem to be warranted.

    It doesn't pass as a scientific study: and relying on the supposed result could be hazardous, both to your data, and to your job.

    If Enterprise drives aren't any better: then why is Backblaze using them? Do they plan to retire all Enterprise and nearline drives from all manufacturers, and switch to consumer drivers, based on the results of their limited dataset?

    Perhaps they would like to do a comparative study of the effects on robustness, reliability, and performance; of their storage systems, disk drives, and applications -- during and after completing that complete media rotation out of Enterprise disk drives; including how and if disk longevity, failure rates, etc, seem to change on an Array-by-Array basis.

    Now... THAT, if done carefully, could provide some meaningful data.

  6. Re:Theft is theft, but... on EV Owner Arrested Over 5 Cents Worth of Electricity From School's Outlet · Score: 1

    Sounds like a great excuse to charge $5+ for a bottle of pop

    It's $15 bucks; with a 33% discount/instant rebate available at checkout, if you actually pay for it, and the item appears on your ticket.

  7. Re:Theft is theft, but... on EV Owner Arrested Over 5 Cents Worth of Electricity From School's Outlet · Score: 1

    We just shoot them and then call the police. :-)

    In Texas; you are actually required to call in the police now, instead of just the garbage pick-up company, when that happens?

  8. Re:Theft is theft, but... on EV Owner Arrested Over 5 Cents Worth of Electricity From School's Outlet · Score: 3

    My idiot son stole a 20oz bottle of 7Up at Walmart and had to pay a $200 fine to the Norman, OK court and $100 fee to Walmart.

    Big difference. The 20oz bottle of 7Up is a product on display for sale that has a price printed on it.

    This incident is more like getting a $200 fine or jail time after exiting the rest room at the Walmart, due to having "stolen" $0.01 of water and sewage used by flushing the toilet, $0.07 of toilet paper flushed down the toilet, $0.03 of soap used to wash the hands: all because you also dumped an extra half gallon bucket of horse poop down the potty, that came from your horse parked in the outside lot.

    But the water service belongs to walmart, and theft is theft: right?

  9. Re:What I fear will happen on How To Hijack a Drone For $400 In Less Than an Hour · Score: 1

    Or you could just, you know, walk down the street and pick up packages left by the UPS guy today.

    You would look very suspicious if you did this, and there would be a great risk that a neighbor or homeowner would see you. Most packages left on a porch not requiring signature are not very valuable, so you would need many before it began to be worth it for the criminal ---- like winning the lottery, and the average criminal isn't going to think it's worth the high risk.

    Drones may change the equation; since no one will think a drone carrying a package around is suspicious --- Amazon does it. The worst that happens is you lose a drone to seizure/interference, after picking up probably hundreds or thousands of packages.

  10. What I fear will happen on How To Hijack a Drone For $400 In Less Than an Hour · Score: 2

    If Amazon can make a drone to deliver packages ---- then someone else can make a drone to "tail" Amazon drones, and grab the package after delivery; taking it off to some prescribed location for reappropriation.

  11. Re:THE SOLUTION ! on Copyright Takedown Requests to Google Doubled In 2013 · Score: 2

    But I could send a takedown notice claiming that the film at that URL was actually video I took at my friend's wedding (which I legitimately do hold the copyright to).

    All the better; if you own a couple hundred copyright works -- and claim something in the video as an infringement, because it contains elements "strikingly similar" to your video footage of trees and grass, and your audio recordings of various nature sounds.

    A single frame, or sound, is enough. The more works you list as alleged to be infringed, and the more examples you find, the better.

  12. Re:A limited number of Bitcoins on Bitcoin Thefts Surge, DDoS Hackers Take Millions · Score: 1

    Buy them off ebay using paypal - easy enough?

    That works, but the premium you pay will be enormous, and the amount you can buy will be limited.

    The bit about the amount you can easily buy being limited is probably a good thing at this point in time ---- the supposed price of a Bitcoin is at stratospheric levels.

    Like Dutch tulip mania levels.

  13. Re:What RMS has in mind ? on RMS Calls For "Truly Anonymous" Payment Alternative To Bitcoin · Score: 5, Informative

    In many countries, it's illegal to make paper money transactions over a certain amount of money.

    In other countries; the US included -- it is illegal to make paper money transactions over a certain amount: without filing a Cash Transaction Report (CTR), or under other conditions (e.g. A transaction $0.01 less than the reporting threshold; or multiple transactions suspected to be a structured transfer), a Suspicious Activity Report (SAR), with the feds.

  14. Re:Something I've been ruminating about all day on Bitcoin Thefts Surge, DDoS Hackers Take Millions · Score: 1

    but how can you tell if a bitcoin has been lost, i.e. the PW is lost or wallet file destroyed, or if it is being hoarded, i.e. tucked away for a rainy day?

    There is no mechanism that allows you to prove that the private key has been lost forever.

    Some day in the distant future, you can probably guarantee the private key will be recovered; if it is still valuable. Because, eventually, technological advances will allow the RSA algorithm to be defeated, and then the old private keys can be cracked ----- if cracking the older key can generate sufficient value to offset the cost of cracking it, then someone other than the owner will probably crack the asymmetric key, and recover the bitcoins; 100 years from now or so.

    it would seem wrong to artificially expand new bit coins in the future because some are being saved now.

    Difficult, yes, since so many stakeholders would have to agree to the change -- or else the network would face a divergence of the blockchain.

    But what do you mean here by "wrong" ?

    If someone is "saving" Bitcoins, say, without transacting ---- there is no promise to these people that everything about BTC will continue perpetually into the future, functioning exactly the way it does today, with no protocol updates or other changes. That would be a totally unrealistic expectation: and all participants are (or should be) aware, that potential changes to the protocol have the potential to create new risks --- your BTCs in BTC terms may be safer than most fiat currencies, but don't delude yourself into thinking Bitcoin itself isn't fiat, or delude yourself into thinking there are no economic risks.

    If circumstances arise, that cause the miners to collectively agree that increasing the total amount that will ever be awarded is the expedient solution, then Bitcoin will evolve that way.

  15. Re:A limited number of Bitcoins on Bitcoin Thefts Surge, DDoS Hackers Take Millions · Score: 1

    You don't have any problem with that?

    Does it matter if I have a problem with it?

    Bitcoin IS mature.

    The uninhibited, unregulated trade; is Bitcoin's greatest strength.

    It's just all the "exchanges" or ways of trading USD for Bitcoin or vice-versa, are shady, and believed to be engaged in practices that are either outright illegal, or have questionable legality.

  16. Re:Why steal bitcoins? on Bitcoin Thefts Surge, DDoS Hackers Take Millions · Score: 2

    It seems to me that we could follow the trail from source to destination accounts in the block chain, so we can identify who has the stolen bitcoins.

    That depends on what the person who got illicit control of the BTC does.

    What do you suppose occurs, if the "thief" doesn't spend their illicit booty? Perhaps they have their lawyer figure out the statute of limitations for any potential crime they might get charged with, and plan their BTC transactions to occur, after that all runs out.

    Perhaps they will pass the private key to access the BTC down to their great-great grandchildren; and the spends may occur, 100 years after the crimes have been forgotten.

    If they go deposit it in an exchange account, and take out $1m in US Dollars; then, yes, they will be identifiable.

    On the other hand.... what if they only use BTC in anonymous transactions with other criminals?

    Whether such evil black market transactions can ever be traced someday or not, depends if their partners in crime get caught.

    Other possibilities are: the thief just takes the BTC out of the market --- and benefits from the other BTC they are holding increasing in value (due to less BTC in the market).

  17. Re:Something I've been ruminating about all day on Bitcoin Thefts Surge, DDoS Hackers Take Millions · Score: 1

    Somebody more familiar with bitcoin can answer this for me, undoubtedly, but based on my limited understanding, if the wallet file is lost or destroyed, the coins within it are effectively gone, correct?

    If the private key is lost or destroyed, then yes, those bitcoins are essentially dead for all intents and purposes; you need the asymmetric private key (encryption key) to sign a transaction using those bitcoins, and there is no recovery in that case.

    However, the total number of bitcoins in the system then goes down --- new BTCs will be mined in the future. And bitcoins are subdivisible down to as small as 1 Satoshi = 0.00000001 BTC.

    If there is an issue; it is possible, in theory, that in the future, updates to the Bitcoin protocol, if accepted throughout the network could allow even smaller divisions -- or increase the total number of BTCs that will ever be awarded.

  18. Re:A limited number of Bitcoins on Bitcoin Thefts Surge, DDoS Hackers Take Millions · Score: 2

    It depends. Will someone have the $1mil to buy them all? If they start selling in smaller lots, the value will go down with each transaction.

    No they won't; the exchanges that take a percentage commission, have an interest in keeping the price high.

    Buys while the price is going up proceed at full speed. As the price starts going down, latency will gear up, via the artificial braking that prevents a sudden price drop --- the volume of successfully completed trades is forced down by artificially added processing delays.

    If the price goes down too much, the exchanges will halt trading and blame it on DDoS.

  19. Linux DRM on Intel Linux Driver Now Nearly As Fast As Windows OpenGL Driver · Score: 0

    complying with the Linux DRM and Mesa infrastructure.

    I guess it was only a matter of time, before the media companies got DRM implemented in Linux media players and system software.

    NOT. This is the problem with using DRM and other 3-letter acronyms in the article body; they become quite ambiguous.

    The Intel Linux driver is still trailing the Windows OpenGL driver in supporting OpenGL4.

    Sigh.... matters have improved, but it's still the same old story --- Windows is the only first-class citizen.

    Also; where is the DirectX support on Linux at? :)

  20. Re:Incorrect on Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA · Score: 1

    Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

    I would say you should be exempt, providing -- (1) You don't generate any significant revenue from the software, from your users, for you, or any third party --- OR substantially all revenue generated was obtained from selling upfront licenses, less than $10,000, AND (2) You don't partner with a distributor who generates significant revenue from distributing or providing any of your software.

    In that case; downloading your software should just come with a disclaimer, that it has not been audited and inspected for safety.

  21. Re:Incorrect on Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA · Score: 4, Insightful

    Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

    I agree with you about it not being "legitimate"; HOWEVER, certain major vendors have a conflicting opinion; including the operators of sites such as Download.com and Sourceforge.net.

    The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

    Unfortunately; we ultimately need some prescriptive guidelines for consumer software.

    And probably a regulatory regime... including certification marks; for example a "SafeSoftware" seal for publishers, similar to the idea behind TRUSTe ---- if the software isn't digitally signed by a vendor holding a SafeSoftware seal; then perhaps, your browser should warn you before releasing the file to the Downloads folder.

    Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

  22. Re:Waiver of rights on Woman Fined For Bad Review Striking Back In Court · Score: 4, Insightful

    based on the actions of the wife, who didn't agree to anything.

    Ah.... that is indeed another wrinkle. Marriage does not give a spouse the ability to legally sign and bind the other spouse to contracts. Utah is not even a community property state. Therefore, any value from the Kleargear contract would be separate property --- the wife would not be party to the agreement, and would have received no consideration from it. The husband is legally unable to bind the actions of the wife.

    Clearly, they would have known that the order was not placed by the reviewer, by examining the contents of the order form. The fact that Kleargear chose not to, can only be attributed to an attempt to maintain a false pretense (deception); for the purpose of damaging another individual, by impeding their rights, and/or eliciting financial gain ("defrauding the husband out of $3500").

    Read: 18 U.S.C. 1343 Wire fraud

    Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both.

  23. Re:Just wait for more EULA's and the TPP / ACTA on Woman Fined For Bad Review Striking Back In Court · Score: 1

    The EULA's can say what they like. If it's deemed unreasonable, especially if it's one-sided, courts will just ignore those portions of it.

    It's true, but the EULAs also typically require binding arbitration, and preclude class actions ---- the courts tend to respect those terms.

    Also; the arbitrators used to conduct the binding arbitration, tend to be more sympathetic to the business than to the consumer.

    While consumer law may always win in theory ----- it becomes more muddled, when the big company is able to select the venue, in which any challenge to the agreement will be conducted.

  24. Re:Waiver of rights on Woman Fined For Bad Review Striking Back In Court · Score: 3

    First amendment is about what the government can't restrict you from doing, not anyone else.

    The government includes the courts, and all the laws passed by the federal government and state legislatures ---- including contract law.

    No contract that purports to accomplish something, that is illegal or outside the government's power in the first place, has the force of law.

  25. Re:Waiver of rights on Woman Fined For Bad Review Striking Back In Court · Score: 5, Interesting

    IIRC, at the time the transaction was said to take place, KlearGear had not yet even PENNED that clause in their contract, and as such any such term was never a term even presented to the customer at the time of said transaction.

    That is even worse for KlearGear; as it changes the violation from harassment, FCRA violations (for reporting a false loan, from which no goods or services were exchanged) and FCBA violations --- into fraud.

    Changing your "terms" after the fact, and pretending as if your new terms apply to a previous sale, so you can extort your customer, is fraud.