Slashdot Mirror


User: mysidia

mysidia's activity in the archive.

Stories
0
Comments
13,354
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 13,354

  1. Re:Why bother? on Does Microsoft Need Bug Bounties? · · Score: 1

    Why pay bug bounties when you have a large backlog of unfixed bugs that were reported to you for free?

    So you can make the 'bounty submitters' sign an agreement not to reveal the vulnerabilities they discover, or the fact they discovered a vulnerability; for fixing at your leisure.

  2. Re:A Fundamental Problem with This Suggestion! on Does Microsoft Need Bug Bounties? · · Score: 1

    Oh, right. Well, I'm sure if they truly wanted my help making their browser better and more secure, they'd be okay with letting me take a peek at the source code

    It's called Microsoft Shared Source Initiative

    You just have to meet certain pre-requisites: you need to be an enterprise with 1500 licensed windows seats, sign a big fat NDA, and intend to use the source code for an eligible reason.

  3. Re:WMI on Ask Slashdot: Moving From *nix To Windows Automation? · · Score: 4, Funny

    WMI is great. If you liked the complexity of CORBA, COBOL, VB Script, and the syntax of SQL, you will love WMI.

  4. Re:Maybe it's just me... on LastPass: Users Don't Have To Reset Master PWDs · · Score: 2, Insightful

    Ok, that's neat and all... but where's the iPhone/iPad/Blackberry app to access the 'gvim gpg' password store on the go? Where's the browser plugin to auto-login and automatically fill forms based on the gvim gpg datastore?

  5. Re:Curious on LastPass: Users Don't Have To Reset Master PWDs · · Score: 3, Informative

    I'm sure they have backups. If you have Pocket, you can actually backup your passwords by exporting to an encrypted .XML file, and access them locally. It's not a bad idea to keep your own backups, in addition to your offline browser storage, even though Lastpass has them stored 'in the cloud', better safe than sorry.

    2 factor auth with Yubikey/USB token is also a good idea, as they encrypt the passwords not only with your master pw, but also with the hash of your authentication tokens

  6. Re:They didn't pull a sony on LastPass Password Service Hacked · · Score: 1

    The grid has a certain level of being 'interesting', but I recommend the Yubikey + Lastpass bundle instead.

    I like the fact that your passwords stored on the client are also encrypted with the hash of your Yubikeys, when using this. So even if your master password is compromised, they cannot be decrypted.

    I just wish Lastpass would give me the option to turn off the ability to recover from a lost Yubikey, as long as I register enough Yubikeys on my account, and keep a couple in secure secondary locations (as in bank safety deposit box), where they are not easily lost.

  7. Re:One key to rule them all... on LastPass Password Service Hacked · · Score: 1

    And what happens when somebody cracks their webserver and modifies their site to remove all the fancy Javascript and just have the client send the password to them? The browser won't complain

    The browser will detect this if you have the right addon, and the code isn't properly digitally signed However, if the hacker modify the Javascript code that is immediately detectable by the operator of the site -- it's one of the most obvious ways a hacker can tip off the company is by modifying a monitored page on their website.

    Suddenly, the monitoring device will detect a page has been changed, and their security alarms should go bananas.

    The concern about malicious site or software modification is one of the greatest concerns for any host-proof password cloud storage solution, including LastPass, Passpack, etc.

    Especially when they offer a web-based password vault.

    It's a concern; but it's also a concern the Lastpass folks know about and can easily monitor. It's a much smaller risk than silent information leak.

  8. Re:Straight from the horse's mouth: on LastPass Password Service Hacked · · Score: 1

    Yes, as a Slashdot user who bothers to read the whole article, you can come away with a high view of LastPass.

    But as for joe public who reads the headline, maybe a couple words, then takes a TLDR approach to the rest of the article, they come away thinking LastPass security was lax and they got hacked by 31337 hax0rs

  9. Re:Yubikey users do not need to worry. on LastPass Password Service Hacked · · Score: 1

    Users who bothered to set a strong password needn't worry either. Folks with 1234passw0rd might be more at risk

  10. Re:Ridiculous on LastPass Password Service Hacked · · Score: 1

    Seems like BusinessWeek might deserve a fat libel suit for such an outrageous headline....

  11. Re:Headline Edit on LastPass Password Service Hacked · · Score: 1

    Some of Mr. Gibson's opinions are a bit excessive (like the whole 'stealth ports' thing), but he usually gets the facts right.

    Excessive in some regards. There is a theoretical grain of truth to the whole 'stealth ports' thing. It just doesn't buy you any security in the real world; nor do closed ports hurt.

  12. Re:One key to rule them all... on LastPass Password Service Hacked · · Score: 2

    The problem I have with their site is that they use the same password to encrypt your password database that you use to log into the site. So, if somebody puts the equivalent of a keylogger on their server they get everything.

    Your browser doesn't actually send the password to their site when you are "logging in" to their website. They use client-side crypto via Javascript; or offloaded to their browser plugin if you have that installed.

    You need to ssl sniff your connection, and capture the data exchanges, to understand what's going on.

    You might find it interesting that they actually encourage you to do that; they even recommend tools in the FAQ for sniffing the SSL traffic, and in the forums have offered detailed explanations of what's going on.

  13. Re:Straight from the horse's mouth: on LastPass Password Service Hacked · · Score: 1

    It's an exemplary action, but it's a PR disaster, due to the headlines. Their actions are going to hurt (not help) them, unless there actually was a breach.

  14. They didn't clam up on DHS Wants Mozilla To Disable Mafiaafire Plugin, Mozilla Resists · · Score: 1

    Unsurprisingly, when faced with legitimate concerns about the legality of their domain seizure program, the DHS has decided to clam up."

    This just means that they are in process of preparing the papers to get Mozilla.org, and related domains seized.

  15. Re:No jurisdiction on FAA Wants Your Opinion On Commercial Space Rules · · Score: 1

    The US FAA has no jurisdiction over space.

    But they have jurisdiction over US aviators going into space. As long as your craft is of US origin, they have some jurisdiction surrounding your plane no matter where it travels outside US airspace

  16. Re:Good. on Attachmate Fires Mono Developers · · Score: 0

    Don't tell me you already forgot the TomTom lawsuit. Microsoft is basically saying you can't release a product based on the Linux kernel without getting sued. You either have to pay royalties and violate the GPL, or get sued by MS over patent issues.

    Also, look at all those lawsuits by BedRock Technologies LLC over their Linux kernel patents. They just won their patent suit against Google earlier this month; Google's use of the Linux kernel containing infringing methods was found to make Google liable for infringement.

  17. Re:Good. on Attachmate Fires Mono Developers · · Score: 0

    I would question your use of the word "Enterprise."

    In this case 'Enterprise' refers to enterprise developer mindshare and ecosystems.

    To efficiently meet the needs of an enterprise, you need mature, complete, reliable, well-accepted, APIs and Frameworks to facilitate development.

    There are not many languages that can come close to Java/C# in that department.

    C++ perhaps, but that's just not "cool" anymore. And it has not nearly as vibrant an ecosystem; re-inventing the wheel is not cool in any decade. Enterprises require reliable code with minimal development effort, to achieve cost efficiency.

    Perl, perhaps, but it has too much a reputation as a toy scripting language, lacks a well define language specification, lacks a true compiler or VM, and while CPAN provides many frameworks, it doesn't give enterprise folks the assurances they need about the quality, to build their business on the reliability of those frameworks.

  18. Re:Good. on Attachmate Fires Mono Developers · · Score: 1, Insightful

    Except he said nothing about Java whatsoever. Why do you (and the first person to reply) insist on stuffing words in other people's mouths?

    Because C# and Java have duopoly for modern enterprise programming languages with critical mass; there aren't credible alternatives besides those two. Discouraging C# use, means encouraging Java use, and vice versa.

  19. Re:Good. on Attachmate Fires Mono Developers · · Score: 0

    Microsoft and Novell struck a deal related to patent cooperation, and Mono was Novell's product, so there should be naught to fear in any case.

  20. Re:Good. on Attachmate Fires Mono Developers · · Score: 3, Insightful

    The danger is that Microsoft is probably planning to force all free C# implementations underground some day using software patents.

    No, C# itself is covered by an open standard. Your suggestion of Microsoft Patent Ire is entirely academic, and Microsoft's patents covering Linux kernel technology are much greater concern

    And with Java, the danger is not academic. Oracle is actually suing Google over patents for their implementation resembling Java.

  21. Re:How does it run the installer? on OS X Crimeware Kit Emerges · · Score: 0

    You just include the mpkg file in the DMG, and it should find and run the installer automatically.

  22. Re:How do you execute the script? on OS X Crimeware Kit Emerges · · Score: 1, Insightful

    You can? I don't think DMGs have anything like windows Autoplay, there's no ability to automatically run a script.

    The DMG flag is called internet-enable.

    When the file is mounted MacOS will automatically copy the files to the desktop, and execute the installer inside the DMG.

  23. Re:Well? on OS X Crimeware Kit Emerges · · Score: 0

    Sorry to disappoint, but following the Apple HID guidelines would ruin the whole beautiful malware experience.

    This is one of the few things that Windows has correct.

    If they are truthful to the Apple HID guidelines, they'll not be able to do things malware needs to do like display deceptive balloon boxes, masses of popups, and fake security center dialogs.

  24. Re:Masses reaction on OS X Crimeware Kit Emerges · · Score: 1, Insightful

    What *has* been claimed is that the automatic propagation of evil over OSX (and BSD and Linux and *every other sane OS out there*) is terribly inefficient, because unless you pack the evil in a container, permissions (including the permission to execute) are stripped as soon as you send your file. And then you have to either unpack it or you have to manually assign the execute bit through right clicking and using the dialog or using chmod. And only then can you run the file.

    Or you can just distribute through a .dmg with script that executes as soon as the user mounts the .dmg file by downloading it in safari, or double clicking it in Firefox. The scripted portion runs as soon as the .dmg is mounted, so the malware can be deployed without further user intervention.

    By the way, downloading a .dmg file, mounting, and copying its contents to /Applications is the de-facto standard practice for software deployment on MacOS.

  25. Re:Masses reaction on OS X Crimeware Kit Emerges · · Score: 2, Insightful

    Not to worry, my faithful, mandatory binary signing will be here soon enough.

    Yes, worry. The "malware" binary will be validly signed; and in some way, not technically malware -- the malware will be part of the unsigned data payload loaded by the benign binary. The benign binary will be something like /usr/bin/python, and may be shipped with the OS itself... (how much higher a level of trust can you get for a binary?)