Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. Why make stuff up and post it? CVE-2015-7359 on TrueCrypt Safer Than Previously Thought (ec-spride.de) · · Score: 2

    Why do people completely make stuff up out of their ass, without having any idea what they're talking about, then post it?

    CVE-2015-7359, for example, is a user impersonation and privilege escalation. In other words, it blows past chmod 600, it allows one user logged into the machine to impersonate another user. There's no removing the hard drive necessary. The user's authentication token is globally accessible.

    Some of us actually know this stuff, because we've been doing it for a living for decades. YOU could also actually know something by -learning- from us who already do. Or you could completely make stuff up and then believe your own pure fantasy. In which case you're worse off than someone who knows nothing - you "know" everything, but everything you "know" is wrong.

  2. lay down with dogs, wake up with fleas on Sued Freelancer Allegedly Turns Over Contractee Source Code In Settlement · · Score: 3, Informative

    I'm 100% with you on that. For 15 years I was kind of a freelancer, runnung a three-person shop most of that time. Certain people we didn't do business with because they were devious or deceptive. Not necessarily -criminal-, but certainly not upstanding citizens who were careful to always do the right thing.

    I've seen a lot of people get burned by associating with the wrong people, from business issues related to associates who push the limits of spam to charges of drug dealing against someone who hung around drug dealers and hookers. Sometimes the slimeball burns you, sometimes the slimeball gets involved with another slimeball who burns you, sometimes you're collateral damage when the authorities go after the slimeballs. All too often, when you lay with dogs you wake up with fleas, one way or another.

  3. do you not understand your own user name? on TrueCrypt Safer Than Previously Thought (ec-spride.de) · · Score: 1

    > someone have access to the system already (in other words you are boned from the beginning).

    Is it possible that you really don't understand your own user name?
    Consider chmod 600. 600 means it doesn't matter if they have access to the system, they don't have access to your file. And that's the simplistic 1970s security model, called discretionary access control.

        These days, most systems have what's called mandatory access control, and it means that YOUR programs don't have access to YOUR files; only the specific programs that use those particular files have access to them. With a standard DAC configuration fully enforced, somebody could have 100% full control of your browser and that gives them zero access to your financial records, for example.

    So no, access to the system does NOT imply access to YOUR data, and if you move past 1970s security and update to circa 2003, access via your account doesn't mean access to all your files.

  4. Two things: update to 1970 and running unmounted on TrueCrypt Safer Than Previously Thought (ec-spride.de) · · Score: 3, Insightful

    Yes, senstive files -should- be safe from people with access to the system. I'll explain.

    Until the mid 1980s, computers were used via terminals. The company would have one computer used by dozens of people. Obviously, one person shouldn't be able to mess with a different person's files, processes, etc. Since these computers were used over a network, they ran a network operating system such as Unix.

    One day someone decided to make a PERSONAL computer which would cost a lot less. To be affordable, it had only a few kilobytes of memory. It didn't need (and couldn't afford) all the multi-user networking stuff; it ran from the local disk. It used the Disk Operating System (DOS) rather than a network operating system. By its nature the Disk Operating System didn't need to protect one user's files from another user, and resources like RAM were really expensive, so DOS didn't bother. But -only- DOS and its successors! Virtually all other operating systems treat your stuff as yours, whether or not there are other users on the system (authorized or unauthorized) . Even the DOS successor Windows added this type of security a few years ago, first just in the GUI, by hiding other people's folders in GUI (everything was still fully accessible from a command prompt) , then more recently by adding a security model to the OS itself. It's now very much like the 1970s Unix mainframes in that access to the system shouldn't mean full control of everything on the system. (Meanwhile the Unix family moved to a more advanced model, with SELinux and GRE being implementations) .

    Consider also my use case, the model that probably should be used by anyone who actually cares about the security of certain files. I don't decrypt and mount my most confidential information every time I want to read Slashdot or XKCD. I mount my encrypted volumes only when I need to access those confidential files. So 99% of the time, my computer is -running- and those files are completely -inaccessible- . A Flash exploit which provides access to my machine shouldn't mean they have access to my encrypted file system, which I haven't opened since July.

  5. well that would be the vast majority on Happy 30th Birthday, Windows! · · Score: 0

    As I mentioned, the vast majority of people do in fact choose Android. Sorry if you're having trouble selling your 50 pound, $1,200 relics these days. On the bright side, some offices still use them.

    Btw, in case you're not familiar with basic computer terminology, "general purpose computing" doesn't necessarily mean Visual Studio and CAD. It means a computer which runs more than one or two programs. A DVR is a special-purpose device, a Nest networked thermostat is a special purpose device, as is a fire-control radar system. On the other other hand, a computing device which can run hundreds of thousands of different applications is called a general purpose computer. And for that, for most of the applications released in the last three years, people use Android.

  6. Basic computer terms 101 on Happy 30th Birthday, Windows! · · Score: 0

    You may have missed some basic computer terminology back in grade school. Yes, a computer that runs hundreds of thousands of different applications is called a general purpose computer. A DVD player, a Nest thermostat, and the ECU is in your car are not.

    Other basic terms you might wish to become familiar with:
    CPU
    RAM
    email
    keyboard
    mouse
    server
    USB

  7. Not most used, sorry on Happy 30th Birthday, Windows! · · Score: 2, Insightful

    There are more Linux devices in the world than Windows devices, and the gap is growing quickly. Perhaps you're thinking of which operating system is popular on general-purpose consumer devices only. Gartner reports than in 2014, 14% of general computing devices purchased ran Windows, while 49% run Android.

    For about another month, until Christmas, you CAN make the following claim;
    In English speaking countries, during work hours Monday through Friday, the majority of web surfing is on Windows. Android is the most popular on weekends, and after the another few million Android devices are unwrapped on Christmas morning it may beat Windows during work hours too.

  8. White House made made excuses, didn't deny it on Journalist: NASA Administrator Has Short Memory on Changing Space Policy (spacenews.com) · · Score: 1

    The White House made first tried excuses ("work with the best engineers from around the world") . Then they sent out a spokesman who said only that he, the spokesman, didn't know what Obama had told Bolden. The spokesman said he didn't know, he didn't say that Obama had not directed NASA to make caressing muslim egos their "foremost priority".

    Bolden apparently DID know what Obama directed him to do.
    "I don't know" is really not "yeah, no".

  9. USB hub, $10. Or keyboard with ports on Google's Chromebit Micro-Computer Launches (techcrunch.com) · · Score: 2

    It has USB. Plug a in hub (which can also be pocket sized) and you've got four or five USB ports. Of course, some keyboards have a USB hub built-in, so you don't need a separate hub.

  10. "just" an implementation of what Android/Google on Microsoft's Plan To Port Android Apps To Windows Proves Too Complex (networkworld.com) · · Score: 3, Insightful

    The Android API is some thousands of functions. Android and Google already implemented that API on top of Linux . I don't see any fundamental reason that a company with Microsoft's resources -couldn't- implement the same API as follows:

    Android.textbox.Draw(blah, x, y) {
            Winforms.textbox.Draw(x, y, blah);
    }

    Sure there are thousands of functions, but Microsoft can put hundreds or thousands of programmers to it. It's not an easy task, but mostly it seems -big-, lots of functions, not necessarily anything all -that- complicated.

    Looking at it another way, not only did Android and Google implement the Android API, Google also re-implemented the Java API from scratch, while the Mono project and Wine have re-implemented the Microsoft APIs. Given that they've done that, I don't see how it would be impossible for Microsoft re-implement the Android API, mostly with simple stub functions which call the corresponding Windows function.

  11. Very different priorities indeed on Journalist: NASA Administrator Has Short Memory on Changing Space Policy (spacenews.com) · · Score: 4, Interesting

    The different presidents have certainly had very different priorities for NASA. Mr. Bolden (the head of NASA), said these are the three things Obama asked him to do with NASA (quoting):

    When I became the Nasa administrator, he [Obama] charged me with three things.
    One, he wanted me to help reinspire children to want to get into science and math;
    he wanted me to expand our international relationships;
    and third, and perhaps foremost, he wanted me to find a way to reach out to the Muslim world and engage much more with dominantly Muslim nations to help them feel good

  12. they have root in major US company networks on China To Spend $47 Billion In Bid To Become 3rd-Largest Global Chip Manufacturer (reuters.com) · · Score: 4, Insightful

    China has infiltrated the networks of most major US companies, so in all likelihood all of the schematics and blueprints from Intel are available to them, and will continue to be for the foreseeable future. China is far and away the world leader in computer espionage, certainly in terms of the relentless volume of constant attacks and probably also in the sophistication of their best attacks. Some companies block all of China's IP space from accessing their networks because the daily attacks are relentless.

    We can assume that any technology US or European companies have is in the hands of the Chinese government, or soon will be. Keep in mind too this electronics company is part of the Chinese government - the same organization that employs armies of hackers. So if not a question of if the government will provide this IP to the company- the government -is- the company and company is the government.

  13. allow it to spin, duh on Louis Friedman Says Humans Will Never Venture Beyond Mars (scientificamerican.com) · · Score: 1

    If you want the convenience of gravity similar to earth, you simply allow the craft to spin at the desired speed. G force is indistinguishable from gravity. Current craft ALREADY have the needed systems in place. They are used to set zero spin for the convenience of the cameras.

  14. less than 1% error in our driving testing on GPS Always Overestimates Distances (i-programmer.info) · · Score: 1

    We tested a gps a couple of times over a few miles each time. This was using a handheld Windows device, for which my friend built software to function as a taxi meter.

    I think TFA tried to measure distances that are two small - 1 meter and 10 meters. It describes one source of error - random errors increase the measured distance. However, there is another source of error in the opposite direction which compensates for the first. Due to sampling occasionally, the GPS-based measurement measures a curve as a series of straight lines, which is shorter. In practice, these two balance out for driving around the city.

    The correction we do make in the taxi meter is that random error becomes significant when the receiver isn't actually moving, or is moving at under 5 MPH. It appears they tested at under 5 MPH. For the taximeter, at under 5 MPH we ignore the supposed motion and only add it to the wait time; in other words we treat any speed less than 5 MPH as if there were no motion at all. This gives very accurate results for driving.

    * The other adjustment (not correction) we make is that we intentionally under-report by about 0.5%. That's because the law allows us to under-report by 2% or over-report by 1%. Trying to be 0.5% low gives us more margin for error before a customer is unlawfully over charged.

  15. sexual assault reporting doesn't change murder rat on Islamic State Claims Responsibility for Paris Attacks; Death Toll At 127 · · Score: 1

    The reporting standards for SEXUAL ASSUALT other than "rape" changed around the same time. Tell me how changing the reporting codes for- sexual assault- caused by murder rate to double.

    It's hard to admit that your first guess regarding what the outcome might be was wrong. But the actual outcome is 20,000 more women getting raped. In the future, when this issue comes up, you'll have to decide, do you:
    a) recognize the available evidence and adjust your predictions
    b) stick to your first guess to protect your pride, and advocate policies that cause 20,000 women to be raped

    Your choice.

  16. double and triple is a HUGE coincidence on Islamic State Claims Responsibility for Paris Attacks; Death Toll At 127 · · Score: 1

    Maybe it's coincidence, here are the numbers.

    Handguns were banned in 1997. Official crime rate information from the Home Office indicates that in the five years prior to the ban, 1.2 million violent crimes were reported. After the ban took affect, there were over 5 million violent crimes in the following five years.

            Home Office data shows that rape went from 27,000 to nearly 47,000 when potential attackers were assured there was no risk that a law-abiding woman might defend herself with a firearm. Other serious crimes show the same pattern. For example, total sex offenses increased from 158,000 to over 245,00.

    Note I didn't look at just the month before and the month after - month to month numbers may vary by chance; the five years before vs the five years after is long enough you shouldn't see a huge swing by random chance. Note also it's not an increase of 10% or even 25% - crime doubled, no matter how you measure it, and it happened immediately. That's an awfully big coincidence.

    The same occurred in Australia, and to a leeser extent in US cities which have implemented near-bans. The effects of these laws are no longer a matter of predicting what might happen - we've tried it and know what happens. 20,000 more rapes is what happens.

  17. 1997. See also Australia on Islamic State Claims Responsibility for Paris Attacks; Death Toll At 127 · · Score: 1

    Handguns were banned in 1997. Official crime rate information from the Home Office (2002, 2013) indicates that in the five years prior to the ban, 1.2 million violent crimes were reported. After the ban took affect, there were over 5 million violent crimes in the following five years.

        Home Office data shows that rape went from 27,000 to nearly 47,000 when potential attackers were assured there was no risk that a law-abiding woman might defend herself with a firearm. Other serious crimes show the same pattern. Total sex offenses increased from 158,000 to over 245,00.

    The same occurred in Australia, and to a leeser extent in US cities which have implemented near-bans. The effects of these laws are no longer a matter of predicting what might happen - we've tried it and know what happens. 20,000 more rapes is what happens. Now that you know that, in the future you have the choice- do you want to cause twice as many rapes, or admit that your first guess was wrong?

  18. doubled murder, rape, and total violent crime on Islamic State Claims Responsibility for Paris Attacks; Death Toll At 127 · · Score: 1, Informative

    Immediately after UK citizens were disarmed, murder, rape, and total violent crime DOUBLED. Yes, they were murdered with knives, hammers, etc - twice as many people murdered. Not exactly what I'd call a resounding success.

    Did you know that if you ban food, removing all public access to food, far fewer violent crimes will be committed with food as the weapon? Did you also know crime will skyrocket? That's precisely what has happened in the UK. Twice as many murders and rapes, and those (like you) who disarm the victims are now directly responsible because this pattern has been repeated enough times that the deadly results of the actions you advocate are entirely predictable.

  19. the (real) effect not dependent on ingredient on UK May Blacklist Homeopathy (bbc.co.uk) · · Score: 2

    > "Placebo effect" != placebos having an effect. If the placebo itself had an effect then it is not a placebo. Any curative effect has nothing to do with the contents of the placebo.

    Your second sentence is precisely correct. The effect is not dependent on the ingredients in the placebo. THE effect. In most cases, giving a patient a placebo (which has no useful ingredient) does in fact result in both better outcomes reported than giving them nothing. So there IS an effect, which has nothing to do with the contents of the placebo.

    Acetaminophen has an effect through a chemical process caused directly by the chemistry of the drug. A sugar pill has an effect caused by a psychological process which may in turn trigger a chemical process (does hope increase serotonin? ). Both are real, measurable effects. One depends on the active ingredient, one doesn't.

  20. It's called a check, or ++. Forums are the problem on Same Birthday, Same Social Security Number, Same Mess For Two Florida Women (cio.com) · · Score: 2

    > if the forum makes a distinction between the screen name (the visible name) and the actual login name, then the login name (often an email address) can be seen as at least somewhat secret.

    That's precisely what causes the problem. In some well-known forum scripts, the user name (for logging in) isn't different from the visible "screen name". So it appears to be kinda secret. HOWEVER, a less-used feature of the forum uses the username as the identifier in links, something like profile.php?user=dgatwood. So it's not actually secret. Since it's not what is -normally- displayed, developers of the forum itself and of plugins sometimes treat it as secret, as if an attacker wouldn't know your user name. But there it is, right in your profile and elsewhere. So it's not secret, but it's being trusted as though it were secret.

    It's not okay (security-wise) to have something publicly available, but then trust that it's not. It's either secret or not. "Somewhat secret" is really dangerous.

    > the username could theoretically be an account
    number... In that case, the username actually would be secret

    I thought you were old enough to have written a check before. Your account number is on your check, which you handed to all of the clerk at the various stores you shop at. You might also notice account numbers are SEQUENTIAL. If I want to know someone's account number, I take mine and add one. If I add two, I get another valid account number. My bank account number is on my web site, so people can wire payments to me. Not secret, not even a little bit.

    The PIN number to my debit card and my password for the bank's web site are the secrets. Anybody who knows how to add one to a number (any third grader) can enter my account number into the bank's web site. Entering my password to go with it is the tough part.

  21. More specifically, IDENTIFY, not AUTHENTICATE on Same Birthday, Same Social Security Number, Same Mess For Two Florida Women (cio.com) · · Score: 3, Insightful

    > The US social security number as an id is seriously broken. After consideration, I'd epect my ssn to be in at least 100 poorly-secured databases: bank accounts, insurance accounts, doctor/dentist/hospital facilities, employers, etc. The number is hardly secret

    More specifically, it's fine as an IDENTIFIER, and ID must necessarily be different from AUTHENTICATION. My name identifies me (approximately), my password authenticates me.

    To be useful, a personal ID must be more or less public - the name "Barak Obama" is useful only because everyone knows who that is, it's public. Also, in order to be useful, authentication information must be private. So as you said, two pieces of information - one that is the ID, the other is the authentication.

    This seems obvious, but people who should know better routinely treat user names as "a little bit secret". This is wrong. It's either secret, in which case it's hashed so nobody can read it, and it can be trusted to be secret, or it's it's not. Since a user name is not protected as a secret, don't start thinking that maybe it's a little bit secret, kinda maybe, and start putting any trust in people not knowing it. User names aren't hashed, they are sometimes displayed, so they aren't secret. Not even a little bit (especially not a little bit).

     

  22. ob_flush() and flush(), Content-Length, x-sendfile on Ask Slashdot: Automated Verification For Uploaded Files? · · Score: 1

    You need to flush() and ob_flush() after each echo, or PHP will buffer ~ the entire thing in RAM. When a bad guy hits it, he'll have it buffer 100,000 copies in RAM.

    You'll also need to send Content-Length header manually in the PHP, otherwise the header can't be set without buffering the whole file. Compression and encoding can bite you here, so disable compression. Of course you've kinda broken resume, if someone loses their connection halfway through the download. OR ...

    Check out X-Sendfile. That's an all around better. Content-length, compression, partials, HEAD - all of that is already taken care of. If you use an older version of Apache, it will need to be installed as a module.

    As to #2, fopen_url - there are a shit ton of ways that gets exploited, so really the "right" answer, IMHO, is to make it's disabled, then double check the input anyway,

  23. have a friend who works at a bank or airline on Ask Slashdot: How To Determine If One Is On a Watchlist? · · Score: 3, Interesting

    My name came up as similar to a listed person when I opened a bank account. A banker friend may be able to run your name.

    I also got more attention from the TSA, but that may be because I used the same bag for a carry-on that I had previously used to go to the gun range, leaving a bit of powder residue all over the bag.

    I assume I'm on a few lists because I work in internet security, meaning I frequent web sites related to hacking and such, plus I (legally) work with fireworks, so I order chemicals and such that could be used to make explosives. Lastly, I'm a conservative who once checked out a Tea Party event, so the current administration is definitely notices that. The IRS started calling after I followed a tea party page on Facebook. Might be coincidence.

  24. yes, but directory traversal and buffer dos, so. . on Ask Slashdot: Automated Verification For Uploaded Files? · · Score: 3, Informative

    This is on the right track, because as others have said, just because it's valid png doesn't mean it's not also valid PHP and Javascript. I just pulled a file like that off a server yesterday.

    HOWEVER, -all- of the "download.php" scripts I've ever looked at have at least two of the same three vulnerabilities. Protection from directory transversal is harder than it looks, fopen_url, and memory depletion from failing to disable the output buffer before reading and writing chunks of the file.

    A better, safer, higher performance option is to RemoveHandler PHP and RemoveHandler cgi-script in the designated upload directory, which should be the only directory that's writeeable.

    A further problem this solves is since the directory is writeable, the designated upload script which checks the files probably is NOT the only mechanism to put files there. Imperfections in other scripts will allow bad guys to upload any file they want, to the world-writeable directory* . Therefore, use httpd.conf to ensure that any scripts in that directory can not run.

    * Instead making it -explicitly- world writeable, you can instead use SuExec, which effectively makes the ENTIRE SITE world-writeable. This is extremely stupid.

  25. Yes. "Can't be done" like cracking encryption on Getting Started With GNU Radio (hackaday.com) · · Score: 1

    >There's no way to shield that form of RF leakage through the antenna without shielding the antenna... which would make it unable to detect anything to begin with.

    Yeah I mean to add it would not be easy, if it's possible at all.

    "There's no way" to do it, much like we used to say "there's no way" to alter a file without changing it's MD5 hash, and we said "there's no way" to install 3rd-party software on an iPhone, etc. Impossible, until some clever person figures out how to do it.

    I was a professional magician before I was a locksmith, which was before I was a "vulnerability assessment engineer" (hacker). My my entire career has been doing what can't be done - you -can't- open a good safe without the combination, you -can't- tell which card someone looked at before shuffling it back into the deck, and you -can't- install software on a computer without being logged in to the machine. Of course I do these things all day, every day.