Slashdot Mirror


User: gstoddart

gstoddart's activity in the archive.

Stories
0
Comments
14,230
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 14,230

  1. Re:Missing the point on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 2

    That's because corporations are now effectively 'citizens', and they contribute more to campaigns.

    So their wishes matter more.

  2. Re:Nobody should be surprised ... on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 1

    Give me a break. All nations spy on each other.

    Sure they do, but if a government sets themselves up using a US owned/based service, they're inviting them in the front door.

    Knowing the other countries are doing it doesn't mean you bring in someone who you know is under the sway of the people spying on you.

    The problem becomes when you have a nation like China that is spying on everybody but working fervishly to block all others.

    What, you mean like the US is?

    It wasn't all that long ago the US was trying to chastise other countries for spying on their citizens. Now we know they do it to as much of an extent as anybody else.

    But, no matter how much you try, you can't make it out like hosting your data with a US controlled entity means you can even remotely have any data security. Because the reality is, you won't and you can't.

    If the US has decided to make these cloud service offerings something they will exert control over, simply not using them is the only choice unless you have decided it's easier to let the US spy on you.

    If the US businesses suffer as a result of US foreign policy causing them to lose customers -- too fucking bad.

    Let's just call this a 'market solution' to the problem of US spying -- if nobody buys products from companies they know are obligated to hand over data to the US government, then it's one less way the US government can access that data.

  3. Re:Missing the point on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 2

    f I opened a small hardware shop on the corner of the street, and wanted to have an email address, do I hire a whole IT department to set up an email address for me?

    You don't have to. But if you have someone else set it up for you and host it, you don't control it.

    If you're willing to say "I don't care", then have at it and do it however you like.

    If you decide that on principle, or because you have some specific need, that you aren't willing to have this ... then the only secure way is to host it your own damned self.

    If you're an American company, well, the NSA can come into your shop and demand it anyway. If you're not an American company ... you need to make your own decision.

    You can't trust the US based/owned company, and you need to decide how you feel about that. You can decide to do it anyway, or you can decide "fuck that", and kick the US company to the curb.

    Nobody is saying you have to do anything, but you should at least be aware of what it is you're deciding and the risks involved.

    To me, any foreign government using any form of cloud service from a US controlled company is stupid, because you've more or less given the NSA free run of your data.

    But, make no mistake about it, as a direct consequence of the Patriot Act and this spying, foreign entities have zero basis to put any trust in a US based company hosting their data for them. Because, by US law, they simply can't be trusted, and you can't make them sign enough of a contract to change that -- because the Patriot Act is interpreted as trumping anything else.

  4. Re:Not seeing a problem with that. on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 2

    Unless the NSA has a copy of the site's key or has broken SSL crypto, they can log all the trafic they want.

    Um, no. If it's an American owned company (anywhere in the world), or a US based server .. the NSA can walk in and demand the key and the decrypted content.

    The only way to (try to) keep data out of the hands of the NSA is to not have it in the hands of a US controlled company, and not on US soil.

    Google, Microsoft, Yahoo, Facebook ... every single one of them is covered under the Patriot Act. And any and all data you put in their hands (and many other companies) should be assumed as either in the hands of the NSA, or theirs for the asking.

    You don't need to break the crypto when you can threaten them at gun point.

  5. Re:Missing the point on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 3, Insightful

    OK, so which couintry exactly would YOU trust to host your data and no spy on it.

    If you are a government, YOU are the only ones you can trust to host your data.

    If you are a company, YOU are the only ones you can trust to host your data.

    Having another company or country host your data was NEVER a good idea, and some of us have been saying so for some time. But all of a sudden people are realizing just how bad of an idea that was, and they're pulling back from it.

  6. Re:Not seeing a problem with that. on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 4, Insightful

    American politicians use GMail because goverement accounts are archived and the contents are considered public property and not private communication.

    Ironic, since the NSA considers GMail to be public property and not private communication as well.

  7. Nobody should be surprised ... on Indian Government To Ban Use of US Email Services For Official Communications · · Score: 1

    The reality is, I expect to see more governments doing this.

    With the Patriot Act and all of the revelations about the NSA spying, American companies are not things you can trust. All of the cloud services ran by US companies are covered by the same thing.

    I've said it before, but when you turn your corporations into arms of your security apparatus, those corporations cease to be trustworthy.

    So in a few months when US companies start feeling the pinch as people do stuff like this, when they start whining about it (and the state department starts trying to pressure those countries into buying it again) ... the only reasonable response will be "sorry, but given your current laws we simply can't do that".

  8. Re:More government! on Why the Japanese Government Should Take Over the Fukushima Nuclear Plant · · Score: 3, Informative

    that oil spill was competently handled after the fact

    Oh, you mean like this?? Or this?

    How about this:

    In July 2013, the discovery of a 40,000 pound tar mat near East Grand Terre, Louisiana prompted the closure of waters to commercial fishing

    Sorry, but if you believe what BP has been telling you, you are gravely mistaken.

    If by 'completely handled' you mean done badly, incompletely, and we get lied about it sure .. if you mean actually remediating the damage from it, well, you're either delusional or on the payroll.

  9. Re:More than project management... on SimCity Mac Launch Facing More Problems · · Score: 3, Insightful

    but if a large company like EA repeatedly releases crap, the problem is not just one or two bad developers that were hired by accident.

    You're right. The problem is a systematically badly managed company.

    Your developers don't set your priorities, your deadlines, your feature set, or your budget. They don't cancel your project in the middle, they don't suddenly decide there's a pressing need to implement a new set of features.

    So, either management laid out a perfectly awesome plan and it was hindered by developers. Or management were idiots and incapable of shepherding good product out the door.

    This is kind of like saying your bridge is 6 months late because of the welders, when they've been working double shifts for months while the CEO vacations and collects his huge performance bonus.

    Sorry, but to me, it's the management of EA who gets to own this issue, not the developers. Because they're the only ones who can make any change in how they do things.

    Anybody who has ever worked for a publicly traded company has listened to those quarterly "rah rah" calls and thought to themselves ... "do we actually work at the same company?" Because it's staggering how often the people at the top don't have the slightest clue about what is really happening, and the front-line workers just say "whatever", and get on with their day.

  10. Re:about high-tech highways that light up at night on Raspberry Pi, Smart Highways Win World's Biggest Design Prize · · Score: 1

    "If the road could talk to you, what would it say?"

    i'm guessing it would be something like, "OWW! OWW! GET OFF ME! IT HURTS!"

    Bah, it's a road, so if you anthropomorphize it, it's saying "oooh, yeah, a little to the left".

  11. Re:Futile Fads on Raspberry Pi, Smart Highways Win World's Biggest Design Prize · · Score: 1, Offtopic

    Wrong - Communism is a death cult that has kept millions of people in misery.

    Strangely enough, so is Capitalism.

  12. Re:Fresh stuff on Raspberry Pi, Smart Highways Win World's Biggest Design Prize · · Score: 1

    LOL, I must have been the only kid who looked forward to when the Brussels sprouts came out of the garden. :-P

    Still my all time favorite vegetable, and I'm a vegetarian, so that's saying something.

  13. Re:More government! on Why the Japanese Government Should Take Over the Fukushima Nuclear Plant · · Score: 1

    LOL. You are right, of course ... apparently my fingers decided to do something else.

  14. Re:The continuing saga. . . on SimCity Mac Launch Facing More Problems · · Score: 5, Insightful

    Despite the vociferous pronouncements from many on here as to how high their salary's are as programmers and that you get what you pay for, it's amazing the amount of bad software, games or otherwise, the end user has to suffer with.

    And you might be amazed at how much of that is the fault of management.

    Between ridiculous timelines, cutting budgets for QA, management who change their minds fairly often, and salespeople who promise the world -- there's often quite a disconnect between what people are saying and what's happening.

    Having spent a lot of years in and around software, I lay more blame on bad PMs, clueless management, and overly optimistic forecasts.

    And the game industry is famous for the continual 'deathmarch' -- the constant scramble to finish it like the deadline is tomorrow, and when you finally get there you start all over again.

    I'm more likely to believe the management at EA is lousy, and the developers can only do so much. Because that matches my direct experience in the industry.

  15. Re:More government! on Why the Japanese Government Should Take Over the Fukushima Nuclear Plant · · Score: 3, Interesting

    With something such as crucial as this, we must make sure that the means chosen have a good (ideally, the best) likelihood of reaching the ends desired.

    And, of a company worried about their own profits and which has been doing a lousy job of the cleanup, or a government which is strongly motivated to get it done -- which would you trust?

    Corporations do a lousy job of cleaning up messes like this because they're more worried about spin than actually doing the work.

    So the whole time BT was saying "oh, it's only a little oil" they knew it was a load of crap -- but they were more interested in laying blame to contractors and spinning the PR.

    Me, I'd put far more faith in the Japanese government than the company who operated the plant and has been doing such a bad job of cleaning it up.

  16. Re:Man with keys to Ft Knox says anyone can get in on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 1

    Well, I can go out and shoot someone tomorrow, or take an 18 wheeler for a drive down the interstate, or hop in a plane and fly across the country, or set up a music station on amateur radio bands. Those are all illegal, and there's *nothing* stopping me from doing any of them - except trust.

    Well, that and the men in suits who will likely pay you a visit soon.

    Because you've clearly said you plan on doing something illegal.

  17. Re:"Brilliant"? Hardly on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 1

    but could they not implement a system whereby sensitive files are encrypted and only accessable by authorised users(correct security clearance)?

    Sure, it sounds like they did .. and it also sounds like this super awesome system had a gaping hole that admin could become anybody else and then just read it, because that user has access.

    That would involve the users managing their own passwords on the encryption software in question

    And then that's going to be the failure point in your system -- all it takes is one guy who writes his password down, and the whole thing is screwed.

    I'm not crypto expert, but let's do a thought experiment.

    Let's say that I've got a bunch of people, and 3 levels of security.

    So, if we want all of the people (all of whom have the lowest level of security for sake of argument) to have access, we get one of two scenarios. You have a single decryption key they all share, and the first person to accidentally leak it screws it up for everyone. Or, you have to build a crypto system which will allow the same information to be decrypted using multiple decryption keys -- and my first thought is the more different ways you can decrypt the more likely it is that someone can break into it by crafting a key which also works because it's no longer unique.

    Same goes the other way ... does the decryption for the most secure level also open up all of the low-level stuff? In which case, you can narrow your targets down to just the ones with the most permissive key. Because those give you the keys for absolutely everything.

    You could try to have a broker which authenticates you, and from there grabs the key it will need to decrypt and then use that .. but then your broker becomes the target because it's got access to everything.

    And, you'll probably have corner cases in which generally someone is only allowed the lowest level of access, but for specific things you can get 'read in' on stuff that needs you to escalate your access -- but *only* for that and nothing else. You could also have cases where you have a second group of documents in the "highest access possible" category not accessible to everyone at that level -- say, the OPR at the FBI where you might be investigating the top people and need to keep that secret from them.

    I'm sure there's been literally volumes written on this, by people who have far more qualifications than I on the topic. But in general, I think the whole problem of guaranteeing only authorized users can ever access something at a given time is a hard problem. Because the more permutations on what you're trying to do, and the more people involved in it, the more places where there could be gaps.

  18. Re:"Brilliant"? Hardly on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 1

    Forgive me if I'm forgetting something, but couldn't you just encrypt your home directory?

    Yeah, but then we're talking about individual silos of information ... you can't hide that there is an encrypted file there, but I may not be able to find the key. Your admin could still grab the file and attempt to brute force it since you can't hide its existence. The encrypted content is still in any backups you make. And if *you* lose the encryption key, your admin can't help you.

    We're talking more about multi-user systems which are designed to actually hold and retrieve this information -- databases and other systems which have the information in it to be accessed by multiple people. At which point you either need to trust at some point, or implement a mechanism which has all of the smarts built into it to only show to the 'right' people at the 'right' time.

    Secrets get harder to keep with the number of people you share it with. So, you can keep a secret that only you know fairly easily -- even easier if nobody knows you're keeping it a secret. Keeping a secret with two people is possible, and you know who the potential leak is right away. Even with 3 users you may never truly know which of the other 2 leaked something, but you can narrow it down easily.

    By the time you have 50,000 people involved in keeping your secret there's a LOT more risk involved. If your security is then boiling down to the expectation people won't do more than they should, then your security is inherently flawed and much weaker than you want it to be.

    In this case, we have people decrying how it took a 'brilliant' admin to masquerade as another user and see stuff. Which was true the moment he or anybody else gained full access -- and is something which the people who built and maintain this system could have probably told them up front.

    This is why spies try to target people, because they're always the weak link in your chain.

  19. Re:Then it is not properly compartmented. on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 1

    They have been created. Several times in the last 20 years.

    They are NOT trivial to administer

    I have no doubt it's something which you can do, and that there are places where this is legitimately needed.

    And I can only imagine how much of a PITA they are to keep running or do any admin work on .

    But, without actual mechanisms in place that prevent the access (and I mean real barriers here), it's just lip service and security theater. Sure. there's all these policies, but if I can stick a paper clip in the lock and bypass it ... it's as good as useless.

    If you are working in an environment which has to be that secure, you almost have to assume that you'll trust your users within reason -- at the end of the day still act as if you don't trust them and put up real barriers.

  20. Re:Man with keys to Ft Knox says anyone can get in on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 1

    So the whole "anybody could get access to this data at any time, even without a court order" is really more like "anyone with the appropriate privileges, which is limited to a select number of analysis, can access these records, which are protected by a court order. Except, of course, the sysadmin who breaks all of the rules, steals the credentials of authorized analysis, and then downloads whatever he wants.

    What you're describing though is pretty much true of any system.

    So, just how many people had this administrative privilege?

    If it was 2 people, well, you had a pretty small pool of trust and it didn't work out. If you had 2000 people who could have done this, then what you have is a system where you hope that everyone follows the rules or doesn't realize they can play with the system. At which point, something like this happening would be more or less inevitable over time, because the real access is far more widespread than you think it is.

    This is security by policy, but it sounds like what they really needed was a system in which it's not actually possible to be peeking at things you're not supposed to.

    As an admin, I routinely get asked by people to go into things that my non-admin account has no access for, and that I (except as admin) have no business looking at.

    I go to great lengths to insulate myself from the content, and just treat it as generic data. I don't want to know about the financials for the quarter, or anything HR is doing -- because it's none of my damned business, and because knowing things you shouldn't can cause you grief.

    But, if as part of my job I discovered they were stewing down babies to make skin cream ... I'd probably be forced to help that information get where it needs to be.

    The problem with keeping secrets, is you have to trust some number of people. And there's always a chance that if they decide those secrets are stuff which is illegal or unethical.

    The only way I can think of to prevent something like this (and even then not 100%) is to implement a two-man policy. Yes, you have admin privilege, but it takes two of them to actually get in, and everything you do needs to be confirmed by the second.

  21. Re:"Brilliant"? Hardly on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 3, Informative

    Is it really, though. Wouldn't it be technically possible to create a system where not even root is able to login as a user

    Not in any system I've ever seen.

    The admin needs to be able to pretty much do everything on the system .. create stuff, delete stuff, raw access to whatever the data is stored in. That's kind of how you do the admin stuff in the first place.

    I've been the admin on various systems over the years, and I've never seen a system where you don't have access to everything. That I only look at stuff when I'm supposed to, and even then strictly just enough to do what I need to means I take it seriously. And because I don't want the hassle of knowing more than I need to in order to do my job (and keep it).

    I've also been in places where the admin did step outside of their role and poke into things out of curiosity or spite. Those can be fun to identify or fix.

    You essentially have to trust your admins and choose carefully. But if you need someone to be able to fix or repair stuff, that requires full access in most cases.

    I can almost guarantee you, your DBA, your Exchange Admin, and your sys admin can access pretty much everything on those systems. I'm not even sure what you'd need to have in order to have a system which allowed you to not trust the admin -- but it would have to be a significant departure from most everything we have now. And it would probably leave you a lot of situations in which the admin looks at you and says "bummer dude, but you guys locked me out, so I can't help you".

  22. So everything was true ... on Snowden Spoofed Top Officials' Identity To Mine NSA Secrets · · Score: 4, Insightful

    It sounds like despite the initial protestations of how he'd exaggerated his abilities, and those of the surveillance program ... it's all proving to be true.

    That his sysadmin privileges let him access stuff which was much more classified doesn't change that the system is capable of doing this, and likely is on a large scale.

    So we've got a wide-reaching, in cases probably illegal system which can and does tap into everything -- and apparently the amount of oversight and controls they have on this is very limited.

  23. Wow ... on Down the Road, But In the Works: 3-D Video Calls From Skype · · Score: 1

    Is there a big pent up market demand for 3D skype calls?

    Sounds like a problem in search of a solution to me ... because except for the obvious porn applications, would the average skype call be improved by being in 3D?

    Maybe I'm just missing something here, or not the target audience. I just don't see the value in this.

  24. Re:It is really a mac mini at that point? on The Camera That's Also a Mac Mini, Or Vice Versa · · Score: 0

    Are you really that ignorant?

    Are you always this much of an asshole?

  25. Re:It is really a mac mini at that point? on The Camera That's Also a Mac Mini, Or Vice Versa · · Score: 1

    In hindsight they could have just as well started from a different platform.

    Are there many other PCs as small as a Mac Mini?

    In this case, it sounds like they started with the smallest thing they could find, put whatever software onto it they needed, and built this case around it.

    Sounds like it's far easier to work with something that has already been designed and built to be that small instead of trying to do it yourself -- because if it was harder, they probably wouldn't have done it.

    If you've already got a small form-factor x86 PC, why reinvent the wheel?