Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. NSA should design your network? That spies ISIS? on Spy Industry Leaders Befuddled Over 'Deep Cynicism' of American Public · · Score: 1

    I asked how NSA, CIA, etc should do their job. They are supposed to know what Russian spies are up, and what ISIS sympathizers are planning.

    Your response is that networks should be airgapped. Okay, so the CIA should come redesign your company's network for you, you say. Is that everyone or just important networks like defense contractors, banks, etc? I'm not sure I want the NSA to design my bank's network, but okay. How exactly does airgapping the banks network help track Russian spies?

  2. that implementation won't work. ISIS has $billions on Spy Industry Leaders Befuddled Over 'Deep Cynicism' of American Public · · Score: 1

    You are correct, the implementation suggested won't work.

    ISIS has billions of dollars and wants to kill us.
    Russia is getting more and more aggressive.
    China's recent actions are becoming a bit more worrisome, and they hack us daily.

    Those organizations are supposed to protect us from these threats, enemies who are willing to spend billions of dollars to harm us. Suggestions on ways to accomplish that mission, reliably?

  3. Pretty decent article, though. More than the headl on Spy Industry Leaders Befuddled Over 'Deep Cynicism' of American Public · · Score: 2

    On the other hand, the article is a bit more than the headline. A pretty decent article for Ars, actually, if you read it remembering that these guys have been given a specific job to do.

  4. surprisingly affordable, if your code is decent on Ashley Madison's Passwords Cracked, Soon To Be Released · · Score: 1

    People are generally pretty bad at estimating their own level of competence in their work, and the quality of their work, but let's assume that your work is in fact reasonably secure. There are only a few small improvements needed, it doesn't have to be completely rewritten.

    Under that assumption, increased security can be quite affordable. I suspect you'll be very surprised by the low cost of a level 1 analysis. By security I don't just mean protecting confidentiality from malicious actors. If a system is put together such that you can't break it even if you're trying, it also won't break accidentally - it will be more robust. An example you're already aware of is prepared queries with bound parameters. The same coding practice protects against the same problem both as an attack and as an innocent error; both intentional injection and O'Malley trying to register. What this means is that a reasonable level of security review pays for itself in the form of better uptime and less time tracking down bugs. One hour of my time can save two hours of your time later.

    Most exploitable vulnerabilities follow one of about a dozen patterns. You are already familar a few of those patterns. If you're familiar with Perl's taint mode, you can probably think up a couple more. Here's the cool thing - patterns in text, such as source code, can be described and found via regular expressions. That means that a set of regular expressions can find most of the common types of issues, and therefore most vulnerabilities. All you need in order to improve your security to some degree is to borrow my regular expressions for an hour. They'll show you lines of code that are probably risky. It's kinda cool. We do in fact find vulnerabilities in most custom software when we run this $150 analysis. So that's the bottom of the price range - $150 will normally find a couple of issues. Obviously more in-depth analysis costs more, but normally just a few hours of work makes a big difference.

    How do you trust me, and how much do you need to trust me? At the least, you need to make a copy of your source code, then run my tool on that copy. I don't NEED any access to your systems at all. Better is to let me actually look st a copy of your code for a couple of hours, so I can filter through the results of the automated tool and take a closer look myself. It's also helpful to spend an hour on the phone talking about your system. If I hear you mention "login token", I'll be sure that gets looked at.

    So how would you know who you can trust? I've been doing this for twenty years, and have built a reputation. If I were going to do something bad, I probably would have done it by now. I have a federal security clearance, I'm licensed and insured. So if I DID do anything bad, you have the assurance of my million dollar liability policy. Perhaps more importantly, you ALREADY trust me. If you use the Linux kernel, you're running my code. If you use Apache, you're running my code. If you use WordPress, I've ALREADY fixed security issues that affected your systems.

  5. or go fight actual discrimination. Evidence says on Ellen Pao Drops Appeal of Gender Discrimination Suit · · Score: 3, Insightful

    If she really wanted to fight discrimination, she might go find some discrimination and fight it. The people who heard all of the evidence say there was no gender discrimination at her workplace.

    I've heard only a tiny bit of the evidence, only enough to know that she does some really foolish things.

  6. broken but not stirred = sand castle on Xerox PARC Creates Self-Destructing Chip · · Score: 1

    > Entropy cannot be reversed

    Everybody who has ever assembled a jigsaw puzzle begs to differ. Unlight something? You can burn hydrogen and oxygen to make water, then electrically reverse that process as many times as you want. Reversing entropy requires energy.

    In this particular case, cracking the glass into many pieces, without stirring those pieces, creates something like a fully-assembled jigsaw puzzle. If the pieces of glass are really small, they're called sand. An object composed of many pieces of sand would be a sand castle- the structure is still intact until the pieces are stirred.

  7. that's what I do now. Better might be algorithmic on New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste · · Score: 4, Interesting

    That's what I do now, I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.

      I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

    For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall " my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.

  8. Do great app devs now understand security is hard? on Ashley Madison's Passwords Cracked, Soon To Be Released · · Score: 3, Interesting

    The Ashley Madison developers did a lot of things right. They even used strong encryption for the passwords. They improved their security over time. Yet, a couple of security bugs ended up taking the company down completely. With security, if you score 98 and the attackers score 2, finding two vulnerabilities, the bad guys win. Bugs happen. Security bugs are not okay, however.

    I have a lot respect for good application developers. The blend of skills required is fairly comprehensive - UI design, database, understanding scalability, etc. With your wide breadth of skills, are you fine folks starting to understand that security is HARD, and requires a depth of understanding? That it's one of those things where it is wise to get expert assistance?

    I've been programming professionally for 20 years, and I'm pretty competent; yet I'd never design and implement my own filesystem, because filesystems are HARD to do well. There are maybe a dozen people in the world who have the specialized knowledge and experience needed to design and implement a filesystem that rivals btrfs or even ext4. I KNOW that I don't have that specialized skill. One of my best friends has also been a professional developer for 20 years. Every month, he asks me about a security related issue, because he knows that he's not a security specialist, and that bugs happen, but security bugs are not okay. Will you let those of us who live and breath security 24/7 lend a hand before you release it next time?

  9. Duplicate of Bennet on Digg, Bennet on petitions, on An Algorithm To Stop Joke Plagiarists · · Score: 1, Informative

    Flagged as a duplicate of Bennett's thoughts on Digg, which is a duplicate of Bennett's thoughts on petitions.

    Rated -1, lame and unoriginal.

  10. Steam recommends Ubuntu on Microsoft Is Downloading Windows 10 Without Asking · · Score: 1

    I'll give you two answers. First, I'll point you to my reply to the same question a few hours ago:
    http://slashdot.org/comments.p...

    In that reply I said that Ubuntu is a good choice for newbies. Since Steam is important to you, the fact that Steam officially supports Ubuntu LTS is an additional good reason to choose Ubuntu.

    Suppose that in a couple of years you've really gotten into Linux, understanding what is going on under the covers. Ubuntu (which is good for newbies) is descended from Debian, and SteamOS (currently in beta) is also built from Debian. So I'd expect that over the next year or so Steam support on Debian will become very good. Debian is targeted more to advanced users.

    So if web browsing and Steam were my main interests, I'd use Ubuntu now. After a while, if you want to change, I'd consider changing to Debian (or even SteamOS).

  11. Re:usps.gov, Mono, same testing on Microsoft Is Downloading Windows 10 Without Asking · · Score: 1

    > Will an application tested on Mono for Linux necessarily work on .NET Framework on Windows?
    > I thought there were subtle implementation differences that could break an application if a developer inadvertently relies on unspecified or undefined behavior.

    The subtle implementation differences between versions that break unexpectedly are exactly what developing first on Linux will prevent. You won't use some fragile thing specific to a certain version of Windows, with a certain version of MS Office installed along with a specific version of IE. You're forced to either use standard interfaces in the standard way, or EXPLICITLY add a platform-dependent section for those cases where you need to interact deeply with the OS. To put it another way:
    If it works on Windows 7 and Vista, it _might_ work on Windows 8. If it works on Linux and Windows 8, it'll almost surely work on Windows 7 too.

    > automatically paste package weights from your scale and shipping addresses and declared values from your order manager into ups.com and usps.gov,
    > how do you specify that labels shall be printed on a label printer instead of the computer's primary plain-paper inkjet or laser printer, and how do you automatically copy the tracking number and postage amount back out into your order manager?
    > That's what it would take to get several packages per minute out the door.

    If you're doing several packages per minute, that sounds like more of a shipping appliance than a desktop. If you're happy with your current shipping appliance, by all means keep using it. If not, I haven't researched existing high-speed shipping systems that run on Linux. I could implement those things you've described in a couple hours using Perl. I see that both USPS and UPS use Linux/Unix internally, so their systems are of course quite compatible.

  12. Tap Scroll down Save new offline map on Microsoft Is Downloading Windows 10 Without Asking · · Score: 1

    For a little while now you've been able to save maps of your intended area in order to use Google maps offline. Turn-by-turn directions offline are coming soon.
    http://trendblog.net/google-ma...

  13. usps.gov, Mono, same testing on Microsoft Is Downloading Windows 10 Without Asking · · Score: 1

    I'm not a hardware guy, so I'll lave the first question to other people.

    I print my mailing labels directly from ups.com and usps.gov. UPS has pretty decent account management on their web site.

    I write Windows programs using Mono, which is .Net on Linux. If you write Windows software for a living, and have spent thousands of dollars on Microsoft development tools, you probably want to keep Windows. One of my best friends is a professional Windows programmer. He uses Windows at work, and only at work.

    You can of course test your Mono/.Net software on any Linux. That's advantageous because it helps ensure that you aren't relying on an API that is specific to a certain version of Windows, or at least let you know when you are. If you choose to do testing on specific different versions of Windows , you will of course want to use those versions of Windows , regardless of which OS you use for development. Whether you develop on Windows or Linux, virtual machines make sense for testing on six different versions of Windows. CentOS, and probably other distros, makes virtualization easy with virt-manager, a point-and-click GUI for installing and running virtual machines.

  14. yeah, several good options. For you, one best on Microsoft Is Downloading Windows 10 Without Asking · · Score: 1

    I know what you mean about hearing different opinions. Asking which is the BEST distribution is a bit like asking which is the best car. You probably want to know which is the easiest/ best FOR A NEWBIE. That's like asking which vehicle is best FOR A HANDYMAN, it narrows down the choices considerably.

    If you focus on the opinions which actually seem to answer the FOR A NEWBIE question, two or three choices will get the modt votes. Ubuntu and Mint will be suggested, and maybe CentOS. None of those is wrong! Any of three would be good.

        I would suggest that for initial setup you get some help from a friend who uses Linux, although there are eady installation guides for all of those distributions. If you DO get some help, the "best" choice for you is whichever of the three above that your helper is most accustomed to. I install CentOS for people because I can most easily answer CentOS questions over the phone. If your friend uses Ubuntu, he or she will be bedt able to help you if you also use Ubuntu.

    You may also see Fedora suggested. Fedora is designed for people who want to always be on the cutting edge, updating regularly, and don't mind dealing with rough edges on new software. It's good for some people, but not the best choice for newbies .

  15. mp3, TaxAct, garminplugin, SweetHome 3D on Microsoft Is Downloading Windows 10 Without Asking · · Score: 1

    > Yeah? And my existing iTunes library? My tax software? The software to keep my GPS up to date? The home design software I used when I needed to file a building permit?

    I'd be glad to answer those questions.

    > My existing iTunes library
    Seven years ago, iTunes started selling music without DRM, so you can just copy your music files to any device, running any operating system. If you bought DRM music, Apple will charge you $25 to liberate your library, or you can cheat.
    http://www.usatoday.com/story/...

    > Tax software

    Since tax preparation software is only used once before it's replaced with the new version, I stopped downloading and installing it. Instead, I use TaxAct.com. It works well. For book keeping and accounting, I use Gnucash.

    > The software to keep my GPS up to date?

    Which GPS? For some, you simply copy the update to an SD card and put it in the GPS - the PC software doesn't really do anything. Some Garmin devices are easiest to update by using PC software. If you have one of those, you might want garminplugin:
    sudo add-apt-repository ppa:andreas-diesner/garminplugin
    sudo apt-get update
    sudo apt-get install garminplugin

    > The home design software I used when I needed to file a building permit?

    Looking for this?:
    http://www.sweethome3d.com/

    You didn't really say what exactly you mean by "home design software", so I guessed at what you might need.

  16. We'll be here to help on Microsoft Is Downloading Windows 10 Without Asking · · Score: 5, Interesting

    > Looks like I'll probably make the jump to Linux in a few years

    Those of us who have been Microsoft-free for decades will be here to help whenever you're ready. Only if you're a Windows expert, they'll be a little bit of a learning a learning curve. For example, if you edit the registry manually on a regular basis, there's no registry on Linux. If you DON'T delve into the internals of the OS, you may hardly notice the difference, other than that you don't have to worry about software license keys anymore.

    My main tip to make transitioning simple:
    Don't ask "how do I run [brand name of software] on Linux?"
    Instead I ask, "How do I [accomplish task] on Linux?"
    As an example, it's much easier to do basic and moderate photo editing in Gimp than it is to buy Photoshop and get it running on Linux.

  17. transistor to IC: 6 years, CPU in 9yr. Moore's law on Cryptographers Brace For Quantum Revolution · · Score: 1

    From the first commercial transistor to commercial integrated circuits six years. Nine years later, we had Intel CPUs.

    Right now we have machines with a few cubits, analogous to a 1960 IC. It wouldn't surprise me too much if, in six years, we had machines with 2300 qubits. Maybe it'll be called the Intel Q4004. :)

    As you probably know, for decades after, transistor counts doubled every TWO years. If the cubit count doubles every two years, that's going to be a problem for cryptography.

    We don't know if that's possible, but we didn't know that 386 was possible in 1970.

  18. might be stupid, not a catch-22 on Microsoft Continues To Resist US Warrant For Irish Data · · Score: 1

    > Microsoft is put into a catch-22, where they must either violate U.S. law or violate EU law
    > to avoid the catch-22 is to do business in the U.S. or the EU, but not both. That's why the U.S. government's position on this is stupid.

    The position of the US government in this particular case may be stupid. Or not. That depends on more specific facts than are generally considered on Slashdot.

    It's NOT an impossible situation, not a catch-22. As you admitted, one way to follow the laws is to completely separate the EU customer service business from the USA business, so that Microsoft US doesn't have access to the details about EU customers. That's not convenient, but it is POSSIBLE. It might put Microsoft in a position they'd not prefer, but it's not an IMPOSSIBLE position. It's much harder because apparently Microsoft's lawyers didn't plan on following the laws of the countries they are in, which requires separating the entities. They didn't have the foresight to see that EU law may require something different from US law. We can learn from this that if you want to have international operations where regulations are highly likely, you should compartmentalize your business, so that you CAN separate them without too much pain.

  19. wholly owned, fully controlled, yes. Spinoff no on Microsoft Continues To Resist US Warrant For Irish Data · · Score: 2

    Yes, for a wholly owned subsidiary, a part,of Microsoft which is fully controlled by Microsoft headquarters in the US, the US government has a potential claim. A separate spin-off company which has an exclusive contract with Microsoft, but isn't directly owned and controlled by Microsoft, would be in a much stronger position.

    Microsoft CAN order the employees of a Microsoft subsidiary to turn over the data. They have no authority to order a separate, contracted company to do so.

    A separately owned company with an exclusive contract would be significantly less convenient for Microsoft. Sometimes following different laws by operating in many countries is inconvenient.

  20. if you can't do it legally, legally you can't do i on Microsoft Continues To Resist US Warrant For Irish Data · · Score: 2

    There are good arguments on both sides of this issue. One thing that should be understood is that the idea that US citizens have to obey the laws of the US does NOT require them to break the laws in other countries. The argument that this puts companies in an impossible position is deeply flawed, because it's actually the same as this argument :

    I want to murder someone.
    It's illegal the murder someone with poison.
    It's illegal to murder someone with a knife.
    It's illegal to murder someone with an ax. ...
    Oh poor me, they've made it so there is no legal way to do what I want to do!

    The obvious answer is of course "don't murder at all".

    Similarly, if there is no legal way to do cloud storage of financial records in both the US and Germany at the same time, then legally you can't provide such a service. It's not an impossible position, it simply means that can't conveniently do exactly what they want to do.

    What WOULD be legal would be to have an exclusive contract with a spinoff company called MsCloudEU , which operates in the EU and follows EU laws.

  21. Good point regarding precedent on Why Patent Law Shouldn't Block the Sale of Used Tech Products · · Score: 1

    You have a good point regarding precedent. Of course the landmark case specifically ruled "sold at full price", so it makes Lexmark sense that Lexmark is pointing out the discount.

    Myself, I'm a bit conflicted. Obviously, some attempts to put limitations on things are unfair. On the other hand, I could see instances where agreements to sell with a condition make sense. Suppose I developed a tool for finding and buying things on eBay, which I successfully use for buying used RAID cards at the best prices. You want to buy baseball cards at the best prices. So I offer to sell you the tool, on the condition that you not use it to buy RAID cards, in competition with me. You can use it to buy anything else. That's fine with you, because you don't WANT to buy RAID cards, you want to buy baseball cards. Should it be illegal for us to make a mutually beneficial deal? (BTW I actually DID build such a tool, and it also benefits the sellers).

  22. Bold print, 20% discount on Why Patent Law Shouldn't Block the Sale of Used Tech Products · · Score: 3, Insightful

    One court upheld it, another may not. The argument AGAINST Lexmark is pretty obvious. Two things argue FOR Lexmark. First, this has to do with discounted cartridges sold at a 20% discount IN EXCHANGE for agreeing to return them to Lexmark (and only Lexmark) for refurbishing. Cartridges without the discount and return agreement were widely available. Secondly, it's stipulated that the return provision was obvious on the signs and packaging, along with a statement "unrestricted catridges are available at Lexmark.com and elsewhere."

    If I were the judge, I'd not allow Lexmark to REQUIRE consumers agree to those terms. But that's not what happened. I might ALLOW consumers to choose between an unrestricted catridge for $15 OR agreeing to return it in order to save $3. That's the case here. Consumers could have their cartridges refilled any where they please, or they could instead choose to get a discount by agreeing to return them only to Lexmark. In general, I have hard time making it illegal to offer consumers more choices.

  23. Borland CDs are read only on Debian Working on Reproducible Builds To Make Binaries Trustable · · Score: 1

    > Why do you think a new trojan can not infect old binaries?

    CD, and floppies with the tab set, are read-only. Unless this virus changes the physical properties of aluminum, your old Borland CD isn't going to get infected.

  24. candy bar $1.25, Amazon store door fee $100, dev b on Raspberry Pi Touch Screen Released · · Score: 1

    And a candy bar is a $1.25
    Does the door fee Amazon charges to get a portal to their store have any logical relation to the cost of chocolate or development boards?

  25. makes sense, but don't tell them on Facebook Thinks Occlusion Is the Next Great Frontier For Image Recognition · · Score: 1

    That sure makes sense. Don't tell them, though. The inability of image recognition software to handle cropped pictures is one thing which my better replacement for CAPTHCA depends on. CAPTHCA sucks because humans aren't much better at computers at recognizing squiggly letters. We are, however, MUCH better at recognizing certain specifc types of images when they are cropped and rotated.