Slashdot Mirror


User: raymorris

raymorris's activity in the archive.

Stories
0
Comments
10,114
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,114

  1. BIOS loads modules from cards, to boot raid or pxe on Ask Slashdot: Linux Security, In Light of NSA Crypto-Subverting Attacks? · · Score: 3, Interesting

    The reason you can boot from a raid card or network is because the BIOS loads and runs BIOS modules from those cards. You may be familiar with the Linux kernel, where most of the functionallity is in modules that become part of the kernel. BIOS is the same. One differentiator between a server motherboard and a consumer one is how much BIOS memory it has, to load modules from many different pieces of hardware. I have one machine with at least four different pieces of hardware that include BIOS. MOST of the BIOS on that machine didn't come with the motherboard.

  2. the whole thing is stupid on Could Technology Create Modern-Day 'Leper Colonies'? · · Score: 1

    Yep, the whole thing is stupid. My "black" wife is lighter in color than our "white" friend Kristi, also known as Krispy because she tans often. So there goes the whole black/white thing.

    There is such a thing as thug culture. In Boston, you'll find plenty of pale redheads engaged in that culture. It has little to do with race or color, and for Al Sharpton to tell "black" people that they should be part of thug culture is offensive.

  3. get crime data and screw the race baiters on Could Technology Create Modern-Day 'Leper Colonies'? · · Score: 4, Insightful

    High crime is high crime. The areas are what they are. Fuck Jesse Jackson. He's one of the reasons that areas with high black population tend to also have high crime rates.

    (This statement has been approved by both my wife and me, who are caramel colored and slightly tan.)

  4. so 58,000 years, you say? on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 1

    > No, your key is #125125215 in the queue.

    In that case, at four hours per key, they'll get to mine in 58,000 years.
    It's too bad we can't know for sure that it takes at least a few hours per key, and that it always will. It would be ideal if it took about a day or so per key, with US government level resources.

  5. Re:specifically, HASHING multiple times weakens it on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 1

    Which is better marketing than cryptography. To make it REALLY secure, they could add another step, hash it using this function:

    function slashHash() {
      return('a');
    }

    You could never predict the result if they added slashHash to the sequence! :; Note that it doesn't matter if you put slashhash as the last step, the first step, or anywhere in the middle - the whole thing is broken if you have a breakable step anywhere in the procedure.

    In the case of KeePass, it's not THAT bad because the thing they are hashing (your password) is probably shorter than either of the hashes, thus easy to guess. An eight character password doesn't provide much security, so not much is being lost. (8-12 characters is insufficient against offline attacks. 10-12 isn't bad for online systems that have server-side brute force /dictionary protection.)

    The idea is that because most people's password is their pet's name or something equally easy to guess, KeePass might as well force the attacker to spend a second hashing each guess 500 times. That's not terrible IF you assume the users will choose short, weak passwords. However, it means the attacker does NOT have to guess the right password. They only need to guess any password which collides on any of the 500 rounds! Once the hash matches, hashing a match many more times still results in a match. In that way, it makes it 500 times easier for the attacker.

    What that means is that if you did ten million rounds of SHA-256, ANY password would open your KeePass, 'dumb' would always work as an extra password because any password short enough to type will probably collide with "dumb" at one of those 10 million rounds. Of course the user and the attacker both have to sit around waiting for 10 million rounds to finish.

    So in summary, more rounds means a) it's easier to guess and b) both the attacker and the user have to wait longer while the rounds run.

  6. specifically, HASHING multiple times weakens it on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 1

    To be specific, a hash or signature should only be done once. A DES hash of an MD5 hash is weaker than either DES or MD5, for example.

    There is a small exception to the above. Running multiple rounds of the SAME algorithm in a very specific way can sometimes make it slightly more secure against one particular type of attack - brute force. That's a narrow exception, though.

  7. that's my point on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 2

    That's my point. They won't spend any money tracking me. Well, not more than about $10-$50, since I'm pretty sure I'm on a list or two. They WILL spend money tracking whoever appears to be the next bin Ladin. Cool. I'd like them to be able to track bin Laden, while it's not anywhere near worth it to track me.

    If I were using "1 bit encryption" they WOULD break it. They proof of that is that they DO track people who use 0 bit (plain email, phone). That's bad. I prefer that everyone use encryption enough so NSA finds it worthwhile to track 0-100 people.

    Ps - I said I'm probably on a list. I've worked in security for many years, so my footprints can be found looking at information about exploits, etc. I run a system where we teach cybersecurity to state and local government employees, so I frequent sites that a bad guy might find interesting. On top of that, I use words like "freedom" and "Constitution" and we now know the Obama administration considers those words to be red flags.

  8. billion dollar terrorists, yeah on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 3, Insightful

    Yeah, actually if someone is bad enough to make the NSA's top 10 list, it'd probably be good for someone to be reading their email. I have a BIG problem with the fact that the NSA is tracking everyone's emails and phone calls. I've contacted my congressman about that more than once, calling them out very publicly.

    The top NSA agents know who the really bad guys are, the guys who will probably be involved in the next 9/11. Maybe they can't publicize the intelligence that proves it, maybe they are missing a few details, but we knew who bin Laden was. I'm fine with invading their privacy.

    But but but if they invade anyone's privacy, they'll invade everyone's privacy. If we let them, yes. Ideally what we want is systems, including budgets and oversight, which only allow them to spy on a few people, so they have to pick which ten people they really do need to spy on.

  9. true, I skipped step 1, that is step 1 on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 1

    True, I skipped step 1 "get a few levels above helldesk".
    However, if you can speak business, or translate a little bit of techspeak into something that makes business sense and do it in front of a mid-manager or above, that may help you GET into a position where you can do so regularly.

  10. a few hours for one key would be good on Most Tor Keys May Be Vulnerable To NSA Cracking · · Score: 4, Interesting

    If that speculation is right, that a billion dollars will buy hardware that takes a few hours to break one key, great. That would mean nobody is going to break MY key, and that al Qaeda's keys were broken soon after they started using them. Works for me.

  11. management isn't reading this thread on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 1

    Perhaps they should do this and that. They aren't reading this thread, so talking about what they should do is not helpful.
    What can we nerds do to help the situation? If speaking in terms of business risks solves the problem ...

    You see relevant news stories on CNN / MSNBC / Fox. How hard is it, really, to send your boss the link with a note saying "I noticed we're vulnerable to this. I'd like to discuss securing our systems from this type of problem"?

  12. We logged over 10,000 attacks last month. Data. on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 1

    I don't know about you, but I HAVE hard data to base my estimates on. If you don't, a professional opinion giving a rough estimate isn't "made of whole cloth". If you're making recommendations, you should be able to say with some confidence that an SQL injection attack on a public web server is at least 100X more LIKELY than having your WAP cracked. Management may not know that, but somebody in IT should know it and be able to communicate it to management.

  13. based on professional knowledge or desired outco on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 2

    If you are asking for resources to be spent to avoid a particular risk, you either have the professional knowledge to discuss the level of risk, or you're talking out your ass.

    How can you get that knowledge? We logged just over 10,000 brute-force attacks last year on the x,000 sites we monitor. I can query those logs to provide various numbers. So logging is one way. The major security lists get several reports per day. MMonitoring those lists will help you understand the threats - how common they are, how costly they are, and how to mitigate the risk. Sometimes engineers focus on mitigation, but knowing how to mitigate risk is pointless until you know which risks you should be focused on.

    Suppose you don't have time to learn about all that. You probably don't have time to learn about a lot of things, so you listen to some experts. Bruce Scheiner or myself might post something you'll want to read and feel you can trust. If we security professionals do our jobs right, we'll include some risk assessment data. You can always ask us questions. Every three years, you might call one of us in to look at your systems and provide some specific recommendations, along with information about WHY we recommend those things.
     

  14. what does blame buy you? on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 1

    > If the boss doesn't understand still doesn't ask why you think something is important then
    > he is just as much to blame for the communication failure

    That's true for ANY communication failure. What does blame get you?

    If I'd like to get something done, I can either communicate it in a way that gets it done, or not.
    It does me no good to go about it such that it fails and I can blame the other guy.
    Blame and $2 will buy a cup of coffee ($8 in California).

  15. "6% of $1M loss = $60K, can be avoid for $4K" on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 5, Insightful

    To take that a step further, it would be interesting to see what happened if those complaining of poor communication emailed their boss saying:

    You may have seen the Forbes and WSJ articles related to the security breach at XYX Corp.
    We are currently at risk for the same type of issue. I estimate a 6% chance of a breach in the next three years which would cost the company around $1 million,
    so we have an actuarial liability of $60,000. If we secure the system, I estimate the risk would be reduced to 3%, eliminating $30,000 of the liability. I estimate the cost as $4,000 to eliminate that $30,000 liability and much of the $1M risk.

    That you you are presenting management with this decision "do we want to save $30,000 by spending $4,000?" That's not too technical, that's exactly
    the decisions they are trained to make.

    Looking at it that way can also teach we engineers something. We might estimate the cost of a breach at $30,000 with a 1% chance of it happening. That's a $300 liability. If it would require 10 man-hours to fix, including meetings and stuff, the company would lose a lot of money trying to fix it. (Remember people cost approximately double their salary, once you pay for health insurance, taxes, their office space, etc.) Management would be "right" to simply accept the risk, knowing that bad might happen, at a cost of $30K. Better to risk a $30,000 problem that probably won't happen than to spend $2,000 avoid it. (Best would be to make a note to fix it in the next version / rewrite, when the _extra_ cost is only 1 man-hour.)

  16. almost all said "too technical". Wrong words, then on Survey: Most IT Staff Don't Communicate Security Risks · · Score: 3, Insightful

    6x% said there was a communication problem. 61%, or almost all with a problem, said it was too technical for management to understand.

    One commenter talked about trying to explain escalation attacks and ssl issues to the boss. Yeah, my boss wouldn't understand that either. He does understand BUSINESS RISKS. If I point to a WSJ or Forbes article about a company that got owned and say "we are vulnerable to the same thing" he'll understand that. He doesn't understand SSL ciphers, he's not supposed to. He does understand "PR nightmare" and "noncompliance".

    If I want business managers to do something, should I maybe explain the business case for what I'm proposing? Maybe point to a line in the WSJ article that says "the attack is estimated to have cost the company $2.4 million so far. No word yet on when their services will be back online". Perhaps that's what management understands better than the technical details?

  17. something done != military action on Leaked Documents Detail Al-Qaeda's Efforts To Fight Back Against Drones · · Score: 2

    It's possible that many people "want something done" while realizing that the military strikes proposed by Obama aren't the right something, or that there is no effective "something" to do. I would have been in the majority in that poll, counted as "opposed". I DO want somebody smart to come up with some effective action. I do want something done, and understand there's nothing we CAN do that will help.

    Of course "most Americans" are probably busy watching Honey Boo Boo and have no idea who "Assad" is.

  18. no, they have a duty to not screw shareholders on Ministry of Sound Suing Spotify Over User Playlists · · Score: 1

    Fiduciary duty means the officers have a duty to not place their personal interests above those of the shareholders. For example, they can't take corporate money (shareholder money) and put it in their own pocket.

    To understand fiduciary duty, think about housesitting. A house sitter has a fiduciary duty to take care of the home as the homeowner would, not throw a wild party that wrecks the house.

    So the question for the executives is "what would the shareholders do?" Many corporations have charters explicitly laying out things like environmental protection etc.

  19. Not what I meant at all. Anonymous changes me on Lenovo CEO Shares $3 Million Bonus With Workers · · Score: 1

    "And also the way you mean it, in that you expect some kind of return for the investment of your generosity."

    That's not what _I_ meant at all. While it does make sense to be friendly with our friends, when I said spending foolishly I meant things like cars.
    I can buy a lot of meals for people who need it with the money I could otherwise spend on a flashier car. The flashy car losses it's shine quickly.
    On another level, I take my lunch to work, rather than eating out. 270 lunches X $5 = $1,350 every year, multiply by me and my wife, that's $2,700.
    Over ten years, $27,000 from lunch. Instead, I could buy someone their first starter car every year and still come out $700 ahead, just by taking
    lunch with me.

    Really, ANONYMOUS giving does something to me that I don't get any other way. I'd like to do that more anonymous giving.
    I can't quite explain it, but I think the effect is has on me likely makes more a more successful person, certainly a happier person.

    I mentioned foolish giving. By that I do not meaning giving where I'll get nothing in return. I always get something in return because
    it does something to my psyche / spirit / brain that's good. I mean that just as it's foolish to rent furniture from RAC, it's foolish to
    "give" by bailing that same person out of jail AGAIN, or bailing them out of whatever situation they habitually put themselves in.
    Just as the rented furniture ends up going back to the store, my brother ends up going back to the jail. Much better use that money
    on someone whose actions show they intend to never go back to jail again.

    Giving very publicly is fun, the recognition strokes the ego. Giving anonymously WITHOUT the ego boost, remaining humble, has longer
    lasting benefits. I'm reminded that I'm actually the steward of what I have. It's been trusted to me because I've made wise decisions,
    worked hard, etc., so it would be irresponsible of me to hand it out to drunks who will waste it, but ultimately it's not really mine. It was
    created by the creator, and when I put it use with that in mind I become closer to what I'm made to be.

    * I am no saint. I give far less than I "should", far less than many people do. I'm merely speaking of what happens _when_ I give in different ways.

  20. so Windows won't run on HP, Acer, Lenovo Chrome bo on Official: Microsoft To Acquire Nokia Devices and Services Business · · Score: 1

    So your issue with Google is that Windows can't run on small devices built by HP, Acer, Lenovo, etc. but Linux can?

    If you want an old fashioned Intel laptop, with it's 2 hours of battery life and 10 pound heft, there are plenty available.

  21. this. employees prefer bonuses to unexpected cuts on Lenovo CEO Shares $3 Million Bonus With Workers · · Score: 1

    I do bonuses when the company can afford it for just that reason. Employees want a stable, guaranteed pay check. If they didn't, they'd be entrepreneurs. It would be cruel to give them a raise and have to take it be back six months later. Most would much rather have stable pay that won't be cut plus a bonus once a year than have their pay go up and down every month depending on company financials.

  22. I beg to differ. Most of my money is from being on Lenovo CEO Shares $3 Million Bonus With Workers · · Score: 2, Insightful

    There are a few really good reasons not to do business with me, but I've always had as many clients as I can handle. Most of my money (over a million dollars) has come from people who choose to do business with me BECAUSE of what kind of person I am.

    When they see me being generous with my time and money, they know I'm the type of person they want to do a deal with.

    Secondly, without a generous and grateful spirit, you can have $200 million and not be nearly as rich as someone with a spirit of gratitude and generosity who earns 1/10th as much.

    Sure, it's POSSIBLE to get a lot of money by being obsessed with money. Some people do that. It's EASIER to get rich by being of service, solving people's problems. Who would you rather buy from, someone who is obsessed with getting your money, or the other guy who is trying to help you solve your problem? If you were really good at what you do, which of those people would you choose to work for?

    You don't get rich spending money FOOLISHLY. Every rich person I know is generous, applying the same wisdom to their giving that they apply to their business. (Disclaimer - generous people are over represented in the list of people I know because I don't hang out with, or do business with, scumbags.)

  23. They are warrantless- DEA agents subpoena AT&T on AT&T Maintains Call Database For the DEA Going Back To 1987 · · Score: 1

    From the article:

    "It is queried for phone numbers of interest mainly using what are called “administrative subpoenas,” those issued not by a grand jury or a judge but by a federal agency, in this case the D.E.A."

    So the DEA agents themselves decide to have AT&T pull your phone records.

  24. sounds pretty tough on The Cognitive Cost of Poverty · · Score: 1

    That sounds like it's pretty darn challenging. I feel for you.

    You have a list of things you can't do. It would be nice to see a list of what you're good at, but whatever. It seems pretty obvious that someone who is deaf isn't going to be a composer or a talk show host. Other things are better suited to their abilities. Beethoven went right ahead and became one of the best composers who ever lived. He couldn't hear the music he was composing, but he went right ahead and did it anyway. The most successful talk radio host in America is 90% deaf. He just keeps on using his talent for being obnoxious on the air anyway.

    Ask Temple Granden about disabilities and bigotry.
    If you haven't seen the biopic about her, please do.
    She, like you, had some really good, perfectly valid excuses. The thing about valid excuses is that they're still excuses, not solutions.

  25. sounds like you're on a good track on The Cognitive Cost of Poverty · · Score: 2

    It sounds like you're doing the things that will get you where you want to be, the same things my parents did.

    I never said anyone would be on a Lear jet at 26. I said that working hard, no matter what, and education will get you far and that's what you're doing. I bet you'll really enjoy the payoff in a few years if you stick to it. You've even recognized that the consumer debt is something you want to avoid as much as possible.

    I actually did talk about myself a couple of times in this thread. The short version is that when I started college at 16, did dumb things and ended up living under a tarp behind KMart, then worked hard, stopped doing some of the dumb, and got a place and built a business. Sold the business, didn't use the money to finish school and that was dumb. Struggled with no degree, started wising up, bought a house, took a great class on money, now finishing school twenty years after I started.