Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. My comment to the FCC regarding several security on New FCC Rules Could Ban WiFi Router Firmware Modification · · Score: 5, Informative

    I submitted a comment to the FCC outlining several significant security concerns regarding the proposed rule.

    Based on 18 years of professional experience in network security, in both the private sector and government, the proposed rule causes significant concern for information security posture. There are three primary reasons. The legitimate goals of the FCC could be achieved in an alternate manner which does not cause the same widespread security vulnerabilities, by instead requiring that output power levels and any other critical parameters be limited to legal levels by a separate chip. This approach would be far superior to effectively banning proper security practice for the ENTIRE operating system and all utilities on the device, as the current proposal does.

    1

    The proposed rule which requires that manufacturers disallow firmware updates (other than signed manufacturer updates, typically provided for only a very short time), makes it much more difficult to prevent incidents such as the $45 million loss at TJX and the Target breach. In both cases, the victim companies were initially targeted because insecure wifi devices were in use. To reduce future occurrences of such breaches, it is imperative to be able to update devices which use wireless networking. Especially when a vulnerability such as Shellshock is discovered, it is imperative that risks be mitigated immediately.

    Updates provided by the manufacturer may at first seem to be a possible solution, but are not actually a viable solution for two reasons. Manufacturers generally do not provide long-term updates, updates for devices more than about one-two years old. In many cases, no updates are offered at all to handle issues after the date of sale. It is not reasonable to anticipate that organizations and families will replace their network gear every year or two - firmware updates are needed, including for devices which are a few years old. Perhaps ESPECIALLY for devices which are a few years old.

    Secondly, updates from the manufacturer are not a viable solution for more sensitive government and private organizations due to the response time required. In the first 24 hours after the release of Shellshock, thousands of systems were compromised. For many networks, it is critically important to mitigate the threat during this initial time frame. Manufacturer full updates were not available for several days to several months, as we first discussed the best long term solution and that solution propagated downstream from the authors, to the subsystem maintainers, distribution maintainers, OEM repackagers, and finally out to customers after testing at each level. In the meantime, temporary MITIGATIONS were performed on-site by network engineers and security contractors. These vital mitigations which protected sensitive networks in the interim would be illegal and prevented by manufacturer locks under the proposed rule. In simple terms, the proposal makes it illegal to manufacturer equipment which can be _quickly_ protected against new threats to our cyber security.

    2

    Another reason that the proposed rule is problematic is that the manufacturer default firmware, with all available features designed to be as easily accessible as possible, is not appropriate for any environment in which security is a concern. A central tenet of information security, and security in general, is that the attack surface should be as small as possible - services not needed for a particular installation should not be installed and enabled. The only software which definitely cannot be exploited is software which is not installed or not enabled. Therefore, the most secure firmware tends to be that with as many features _removed_ as possible, with only those items required for the current role installed.

    Manufacturer firmware does the exact opposite, for ease-of-use by ordinary consumers. All services which might be of use to any customer are installed, enabled, and wide open for

  2. Nope.FCC application form: "protected from dd-wrt" on New FCC Rules Could Ban WiFi Router Firmware Modification · · Score: 5, Informative

    That would be reasonable, perhaps, but it's not the approach the FCC is taking. The FCC instructions (linked below) require all applicants (manufacturers) to:

          Describe in detail how the device is protected
    from âoeflashingâ
          and the installation of third-party firmware such as DD-WRT.

    So indeed the rule they have proposed is to explicitly require that manufacturers prevent the installation of DD-WRT.

    https://apps.fcc.gov/kdb/GetAt...

  3. well it depends, in Saudi Arabia church vs state on Turkey Arrests Journalists For Using Encryption · · Score: 1

    I suppose "governmental entities " is somewhat all-inclusive. It's kind of hard to know what to include in all-inclusive since different nations and other political divisions are so different. Does the (all-inclusive) government of Germany include EU entities?

    Saudi Arabia has two completely separate entities. You may have noticed many hospitals in the US are run by religious organizations, and often have Saint in their name. Similarly with many schools. In Saudi Arabia, the religious groups run most hospitals, schools, and other domestic services. Does that make them a government? It's not entirely clear. The house of Saud basically handles foreign affairs, so they are clearly governmental. (The house of Saud has a friendly view of the US. The religious groups in the area often do not.)

  4. read the RFC on Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns · · Score: 1

    If you're interested, you can read the actual DNT RFC rather than guessing about what it says.

    There's nothing in the spec about "reason other than the provision of the services". There is one mention of advertising- tracking is ALLOWED under an exemption for advertising fraud detection. So almost the opposite of what you guessed it says.

  5. results, not theories on Machine Learning Could Solve Economists' Math Problem · · Score: 5, Interesting

    My understanding of the difference is that this produces somewhat testable results WITHOUT requiring a theory of how and why those effects occur.

    To give an extremely simplified example, assume that a certain coin is flipped every day. For the past 20,000 days, it has always come up heads. (Obviously not a fair coin). The machine will predict that it will probably come up heads tomorrow. Traditional economic theory will try to understand WHY it keeps coming up heads before making predictions. That's the first difference.

    The requirement for a theory that explains how and why economic effects occur also means that the theory is subject to subject to be supported or decried based on political considerations or other irrelevant factors. A system which accurately predicts what will happen without comment on politically sensitive policy questions may be useful.

  6. That's British English, not US. Parliamentary syst on Turkey Arrests Journalists For Using Encryption · · Score: 3, Informative

    That's the British sense of the word "government", not the US sense of the word. Turkey, like many nations, has a parliamentary system.

    It goes something like this. The people elect parliament, who make laws much like the US Congress. The parliament then elects or nominates two heads. One handles foreign affairs. That's the head of state. In the US, the president is head of state. The other top person forms "a government" which handles internal affairs. The US is weird in that then president is both head of state and head of government. In parliamentary systems like Turkey and the UK, they are two seperate positions. (Though sometimes the head of state now has only nominal power, if the head of government and the parliament have slowly taken more and more power).

    Seperate from "the government" and parliament is the judiciary. The head of government can't fire judges.

    In this type of system, as in the early US system, the head of government doesn't have nearly as much power as the US president does. Other branches can and do act independently.

  7. I don't entirely disagree on Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns · · Score: 1

    I don't entirely disagree with you. However, consider this. You not only got on the web, you also LOGGED IN and posted your private opinions publicly. For whatever reason, you just chose to make your private thoughts public, and chose to have Slashdot track your /. user id. That shows that SOMETIMES, you want Slashdot to identify you. Sometimes, privacy is not the most important thing to you.

    If you're like me, you clicked the "don't redirect me to beta" button. You're probably glad that Slashdot remebers that preference, so you don't have to click "no beta" every time you visit the site. In over words, you WANT Slashdot to recognize you and track your preferences.

    Privacy isn't a yes or no thing, and it's not without it's costs. The question is, "how much convenience do you want to give up, right now, to get how much privacy?"

    For most of us, e answer changes throughout the day. If I was on Ashley Madison, I"d want that to be very private. On the other hand, I want my Google maps to be very convenient. I'd rather it remember frequently used addresses rather than make me type em in every time.

  8. What it IS, not SHOULD be. I prefer both on Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns · · Score: 1

    I didn't say anything about my opinion of what SHOULD be. I described what the DNT spec does actually say. It says the header means that user actively chose to give up convenience and features , choosing more privacy instead. That's the meaning of the DNT header, per the DNT spec. I didn't write the spec, I just read it.

    As written, DNT is well matched with Private Browsing mode. Sometimes I use Private Browsing. Most of the time I don't use it, because I LIKE auto complete. But I don't like my address bar to autocomplete xvideos.com during a presentation at work. So I use private mode for xvideos.com, I don't use it for Slashdot.

    If I were writing the standard, I might have three choices:

    More private, less convenient ( don't remember any preferences)
    Default (features based on anonymous cookies, opaque IDs)
    More convenient ("keep me logged in")

  9. I use alternate browser with Flash twice yearly on Chrome 45 Launches, Automatically Pauses Less Important Flash Content, Like Ads · · Score: 2

    Yep. I don't have Flash installed at all for my main browser. I haven't for a long time. Once or twice per year I find some Flash I want to see, so I open Opera, which does have Flash.

    Some sites will use Flash IF it's installed, but if not they'll generally "fall back" to HTML or some other method. People used to ask me "don't you watch YouTube"? Sure, and for a long time it has worked fine if Flash isn't detected at all. Apparently if Flash was detected but disabled, YouTube wouldn't work.

  10. No, that guy killed DoNotTrack dead. DNT for Beta on Microsoft's Telemetry Additions To Windows 7 and 8 Raise Privacy Concerns · · Score: 4, Informative

    No, the guys who wanted more tracking took that guy out for a beer. That's the guy who killed off DoNotTrack. Like Private Browsing in Firefox or Incognito Mode in Chrome, DNT was about the balance between privacy on one hand and convenience/features on the other hand. DNT was supposed to mean that the user valued privacy more than convenience and features at the moment. Here's what was supposed to happen, what DNT was intended for:

    Case 1, no DNT header:
    I go to Slashdot, and have not set a specific DNT header. I therefore get the DEFAULT tracking/personalization behaviors of Slashdot, including:
            I'm not redirected to Beta, because Slashdot tracks that I set "do not showme beta".
            On my mobile device, I'm not redirected to m.slashdot.org, because again Slashdot tracks my preferences based on some identifier/cookie.

    Case2, with DNT header:
    I launch a Private Browsing window in Firefox, or an Incognito tab in Chrome.
    The browser prompts "DNT: Do you want to tell web sites to avoid identifying you or tracking your preferences? Some features and preferences may not work in DNT mode."
    I click "yes, send the DNT header".
    Slashdot sees that I have expressed that I want a higher level of privacy than the default, that I am willing to give up personalization in exchange for privacy.
    Slashdot does not set a cookie, and I get redirected to m.slashdot.org or beta.slashdot.org each time. It does not track me to know my preferences between sessions.

    It's all about the balance between privacy and convenience. Much like Incognito / Private Browsing mode disables the browser history, autocomplete, and other useful features in exchange for better privacy.

    In short, the purpose of DNT was to communicate the user's desire to value privacy over convenience.

    By violating the spec and sending DNT as the DEFAULT, the DNT header in IE suddenly meant "the user probably wants the DEFAULT balance between privacy and convenience". Since IE sent DNT by default, it no longer provided any information about the user's priorities regarding convenience vs privacy. It therefore became completely useless for it's purpose. That guy killed DNT.

    -----

    Here's a concrete example. Quoting from the DNT policy:

    | all user identifiers, such as unique or nearly unique
    | cookies, "supercookies" and fingerprints are discarded

    Do you really think that all sites are going to get rid of cookies, including "don't show me Beta" cookies, for anyone and everyone using IE? Just because Microsoft thought it was a good idea? No friggin way. If the USER chose to actively ticked the box, perhaps so. Because Microsoft's marketing team thought that "Do Not Track" sounded good and that breaking most web sites was an acceptable side effect? I don't think so.

  11. easy to argue, to show a path of action is stupid on Citi Report: Slowing Global Warming Could Save Tens of Trillions of Dollars · · Score: 1

    Also, this is prima facie false (althpugh liberals often rely on it being true):

    > it is hard to argue against a path of action

    Not at all. Here ya go:

    Sticking a pencil in your eye is a path of action.
    Sticking a pencil in your eye is obviously stupid.
    Therefore, the path of action is stupid.

    The question isn't "should we get out of bed and do something today?" The question is "WHAT should we do today? Should we go to work, rob our neighbor's house, plant a tree?" Another important question that is often debated, though in different terms, is "who is this 'we'?"

    It's pretty obvious that things need to get done.
    WHAT should be done? HOW should it be done? WHO should do it? What are the COSTS? How will it be PAID for? What are the alternatives? These are the questions of the day, and of every day.

    Many, if not most, discussions with liberals follow this pattern:
    Something should be done.
    Plan X is something.
    Therefore, plan X should be done.

    Note they don't bother to read plan X. Plan X is something, and something should be done, so we should do plan X.

    You have to pass the bill to know what's in it.

    The other question about "we should do something" is "who is we"? My wife and I have a daughter. She's a year old, so she can't read yet. We should teach her to read. Who is the "we" who should teach her? My wife and I? The local school district? The federal government? These are questions worth discussing.

  12. s/mobile broadband/mobile wireless/ on Ask Slashdot: Can Any Wireless Tech Challenge Fiber To the Home? · · Score: 1

    I typed that wrong. I meant to say it can be combined with mobile wireless. A phone will get a weak signal from an AP on a telephone pole some distance away. A stationary, directional antenna mounted on a roof and pointed at the pole will get much better signal and speed.

    Also I realized there is some justified dislike of certain cable operators here, so I should be clear:
    I'm not actually saying that coax cable is "better" than fiber.

    I'm saying that more information about the requirements is needed. _IF_ one of the requirements was "must be operable next week", THEN cable might well be the best option because it's probably already available. I all depends on the requirements- costs, time frame, geographic area, population density, types of construction common in the area, new development or historic neighborhood, quality of service required, etc.

  13. yes, cable beats fiber. More info. Fixed wireless on Ask Slashdot: Can Any Wireless Tech Challenge Fiber To the Home? · · Score: 1

    Challenge ftth for what, under what requirements? If the measure is market share, cable beats fiber-to-the-home. Quick deployment? Cable internet service can be activated today.

    In the city I recently moved from, fixed wireless was an option that made sense for some people. Fixed wireless means there is a stationary antenna on hour house, similar to satellite, but it points at a local tower rather than a satellite, so latency isn't bad. I used a similar setup in another city, where I pointed a cantenna at the provider's tower two miles away.

    One thing that can make sense is combining this with mobile broadband. You run fiber only along major electrical and telephone right-of-ways, with APs every so often. That costs a lot less than fiber to each individual home. Mobile users will get usable speeds because signal levels won't be great,
    directional WiFi antennas attached to houses can get high speed. APs can be upgraded as better and faster standards are introduced.

  14. Yeah, can spoof the header, not the connecting IP on Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses? · · Score: 1

    Exactly, if the submitter is talking the IPs of machines that connected to their mail server, that can't be spoofed. The "received from" headers for servers on previous hops CAN be spoofed, and often are.

    As you said, while a _single_ packet can be spoofed, that wouldn't allow an SMTP connection to be established, so the IP which connected to their machine is reliably known. Their mail server adds a "received from" header with that known IP.

  15. half a billion on World's Most Powerful Digital Camera Sees Construction Green Light · · Score: 1

    The budget is $483 million.

      I do wonder if the iPhone 9 won't have similar resolution, and be completed at around the same time.

  16. part of the image at a time. One pic b/c free $bil on World's Most Powerful Digital Camera Sees Construction Green Light · · Score: 0

    I imagine they'll look at, or process, a small part of the image at a time. If you eyes can only see a few megapixels at a time, and your GPU can only analyze a few megapixels at a time, "why not just take a thousand images of 10 megapixels each?" you might ask. Because the tax payers won't give you a half billion dollars if you do that. When the government is ready to hand you half a billion dollars, why not go ahead and have bragging rights to the highest resolution in a single image? At least until the iphone 9 comes out, anyway.

  17. actually that's net of inflation on Ask Slashdot: What Would You Do If You Were Suddenly Wealthy? · · Score: 1

    Actually the 6% number is net of inflation. Over the long term, stocks tend to return about 9% including dividends. Some calculate 10%. On average, bonds yield about 6%-7%. So the gross yield on a balanced, diversified portfolio will be about 8 or so. Subtract inflation and you get 6%.

    Also, as one might expect, an overall price increase (inflation) tends to correlate with bond and stock prices rising too. So inflation serves to dampen volatility a bit. That is to say, when inflation is high, returns tend to also be high, so net returns are more consistent than gross.

  18. you're both right on Ask Slashdot: What Would You Do If You Were Suddenly Wealthy? · · Score: 4, Informative

    You are correct that a million will net about $60k. That's in a diversified portfolio of long-term investments, a fairly reliable income. Actually $600K per ten years is reliable - year to years gains will fluctuate and that's okay - your spending doesn't have to fluctuate to match each year.

    What will ALSO net $60K spending money is earning 100K, saving 12% for retirement, spending 15% on your mortgage, etc. Once you retire, you're no longer saving up for retirement. If you pay off your house before you retire, you're no longer paying mortgage. You're probably not saving for your kids' college anymore. Therefore a $1 million retirement fund will provide approximately the same lifestyle as a $100K / year job.

    This assumes you're under 55 currently, so you don't count on any social security at all. *

    * You know based on how people are 55 today that 20 years there will be more 75 year-olds than there is money to pay benefits.

  19. Slashdot links to itself! See top of page. on Google Facing Fine of Up To $1.4 Billion In India Over Rigged Search Results · · Score: 1

    Omg now Slashdot is doing it too! Right at the top of the page there are links to Slashdot and Dice's other pages and services. We should sue them for a hundred quadrillion dollars!

    Yeah, that's how web pages work. They have links. A page on a company's site will primarily link to the company's other pages.

    IF Bing, Yahoo, etc. didn't exist, and Google was virtually the only way to find web sites, THEN they would have a special position that would justify special laws. Since Bing is the DEFAULT search engine on Windows, Google isn't in a special position where they should be forced to promote Microsoft.

  20. we know she ruins what she runs on Where the Tech Industry's Political Donations Are Going · · Score: 4, Insightful

    Most people in tech, or business, know Fiorina as the person who ruined HP. So the lack of support for her may indicate that most people don't want the country ruined.

    Well, they don't THINK they want it ruined, anyway. They may well be uninformed such that they advocate for policies which have been ruinous to countries and states which have tried them. Those who don't know history are doomed to repeat it and all.

  21. OFFER, acceptance, "consideration" on T-Mobile Starts Going After Heavy Users of Tethered Data · · Score: 2

    > I'm not a lawyer, but there's a big difference between an ad and a contract.
    > A contract requires consideration: both parties must exchange something real for the contract to be valid.
    > But an ad has no consideration (beyond wasting your time, etc.)... it's a 1-way offer.

    The classic test for a contract is that a contract requires:
    An offer
    An acceptance
    Consideration (deliver, pay or exchange, etc)*

    You said "an ad has no consideration (beyond wasting your time, etc.)... it's a 1-way offer". Right, the ad is the offer.

    When you walk into the store, point to the sign, and say "I'll take that plan", that's the acceptance.

    When you pay the bill, that's exchange of consideration.

    Offer, acceptance, exchange of consideration. The ad is the "offer" part of the contract. If you accept the offer that's in the ad and you pay, without anything else happening, that's a contract.

    Of course something else normally does happen before you pay (consideration). The provider normally whips out the FULL offer, the 12-page "contract" document. THAT is in effect a second offer, which you accept by signing and exchange consideration by paying. If the provider failed to present you with the 12-page contract offer, the ad would be only written part of the contract.

    * Consideration has partly gone out the window as courts have ruled that SAYING you'll pay or deliver counts. Well the ad SAYS they'll deliver unlimited data. Part of accepting is saying "okay, I'll pay $35 for unlimited data", so there ya go. You're left with offer and acceptance, with no real exchange of actual consideration required.

  22. Have your cake and eat it too on F-35 To Face Off Against A-10 In CAS Test · · Score: 1

    > your right, the f-35 won't sit on the ground, it will engage in A2A. Then the troops won't have any air support, as it will get chewed up by the existing enemy jets.

    There are enemy fighters in the area? Then you can't fly the A-10. At all. It does nothing but sit on the tarmac until the air is clear of enemy planes.

  23. MUZZLE velocity. Then drag happens, squared on F-35 To Face Off Against A-10 In CAS Test · · Score: 2

    The MUZZLE the velocity of the A-10 rounds are just below and just above 1000 m/s. Then the hit air and immediately start slowing down. At high velocities, drag is approximately proportional to the SQUARE of velocity, which means that an object loses most of it's velocity in the earliest portion of it's flight.

    At the design range of 4,000 feet, the rounds will be traveling at somewhere around 200 m/s or so. My ballistics tables don't cover that exact round at that exact distance, so I'm extrapolating.

  24. and 50,000 is more than 6,000 on F-35 To Face Off Against A-10 In CAS Test · · Score: 1

    > The a-10 gun aims DOWN 2 degrees, so to shoot another aircraft it must be intentionally mis-aligned with the target.

    That brings up an interesting point. In air-to-air combat, there is a huge advantage for a plane firing down at the other plane. The diving plane maintains speed and energy, while the lower plane, pointed upwards, is losing speed and energy. So you REALLY want to be able to get above your opponent.

    The A-10 can climb 6,000 feet per minute. That's almost twice the climb rate of the Boeing 777, at 3,500 fpm. The F-16 can climb 50,000 fpm. Which aircraft do you think is going to end up on top, literally?

  25. at mach 2+ however, faster than the bullet at rang on F-35 To Face Off Against A-10 In CAS Test · · Score: 2

    I love how you said "at 1400 mph". I guess if the fighter slows down, and places it's engines 2 feet from the A-10's muzzle ...

    Calculate the velocity of the gun round 2,000 feet down range, after it's encountered air resistance, and compare that to even a 1980s fighter like the F-16. The F-16 is literally faster than a speeding bullet.