Slashdot Mirror


User: Alex+Belits

Alex+Belits's activity in the archive.

Stories
0
Comments
6,525
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 6,525

  1. Re:Perfection Has a Price on More Than Coding Errors Behind Bad Software · · Score: 1

    Strange.

    For me it always was:

    DON'T VALIDATE INPUT. YOUR IDEAS OF WHAT IS OR ISN'T VALID ARE MOST LIKELY WRONG. Yes, some person name may actually happen to be "Bobby'); Drop Table", or something else that is not supposed to be stuffed into the input of some interpreter you use. Assume that anything can be at the input, and make your code properly work no matter how exotic the input looks like.

    On the other hand, detect all error conditions and produce output that always corresponds to specifications. Never propagate chunks of input to output unless specification says to do so. Usually there is some conversion or validation procedure involved, and this is where it belongs.

  2. Re:The solution is... on IRS Eyeballing Virtual World Tax Policies · · Score: 1

    It most likely has something to do with this "business" providing no value to society as a whole.

  3. Re:Why didn't the FBI do the disruption? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    With regards to credit card fraud, I don't care how much "harm" is caused to society. The harm is part of the learning process. When enough "harm" takes place, people will adapt. Until then, they will slog along and suck it up. My belief is the best way to increase innovation and to bring about change involves giving people the inclination to change. So long as the financial sector continues to push the burden of security off onto the consumers and the law enforcement agencies, they will never change.

    And this is exactly what I am doing -- end-users can't "adapt", but FBI can -- by switching from trying to randomly punish a small percentage of criminals to hindering all of them. With enough disruption their activity will become too unprofitable to justify even small risk, or will be reduced enough so society will be able to write it off as inevitable losses.

    That's nice. You're living in a fantasy world. That has become inherently obvious over the course of this thread. Your entire position seems to be based on some fantasy construct in your mind of how you would like the world to be. Meanwhile I have been putting it out there how things are.

    It's your assertion that criminals are punished when they "overreach". You completely ignore the harm caused by massive number of them before they "overreach" (or more likely through their whole career) even if each individual crime is insignificant. You think like a cop -- it's important to catch those who commit most noticeable crimes, and ignore everything else. That would work if society was mostly harmed by most blatant criminals, however there is absolutely no evidence that this is true.

    IF THE FBI WASN'T RUNNING A SITE TO CATCH CARDERS, THERE WOULD STILL BE OTHER SITES THROUGH WHICH PEOPLE PASSED THE EXACT SAME INFORMATION THAT THEY TRADED ON THE FBI SITE. Just like if I couldn't upload the latest Razor 1911 release to to BBS1, I would go ahead and put it on BBS2.

    Great! The "bandwidth" of those sites is limited, so in total there will be a delay, and increased activity will likely expose more criminals.

    I can point out that you're working on two different logical levels. The carders exchanging the data are often times not the people using the codes. The guy who has the numbers makes his money selling the numbers. Someone else makes their money putting the numbers onto a card. Another person makes their money actually buying goods with the numbers.

    Particular people are not important -- for any real harm to take place, the whole chain has to operate.

    The FBI deters people from using the numbers by attaching harsh penalities to using them. In reality, all that they deter are repeat offenders. Most people who spend time in prison don't want to go back.

    Harsh penalties don't deter people if they are applied to a very small percentage of people performing the same activity. Worse yet, they encourage more people to remain "under the radar" while causing just as much harm.

    It's pretty obvious that you have some deep seated issues and reservations with the way law enforcement works. That's fine, and you're entitled to your beliefs. In a similar manner, you're entitled to live in your fantasy world where crimes can be rendered ineffective and impossible to pull off.

    What?

    That world will never cross the plane of reality that the rest of us live on. Human beings are simply too creative and too intelligent to ever be completely thwarted or boxed in by other human beings.

    Particular "human beings" or "completely thwarting" are not important. Overall reduction of crime is.

    For the sake of discussion, I have an idea. What we need to do is to get chipped. We need to allow the financial world and the law enforcement agencies to track our every move. Once they are able to do that, they will b

  4. Ubuntu on OLPC Downsizes Half of Its Staff, Cuts Sugar · · Score: 1

    http://www.olpcnews.com/forum/index.php?topic=4053.0

    I maintain that port -- it's unofficial, so I don't have any connection to OLPC project or Canonical, however the port is intended to be an adaptation of the current Ubuntu release with minimal changes that allow it to work on XO hardware and support XO-specific features (screen, power management, etc.) It uses Ubuntu repositories for packages installation and updates.

  5. Re:Why didn't the FBI do the disruption? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    The bottom feeders will always be the ones getting caught. 80% of all criminals eventually get busted because they over reach.

    You seem to be very concerned about enough criminals being punished, and at the same time you don't care the actual amount of harm that they cause to society. I would rather prefer if no criminal was ever caught, but their schemes were rendered ineffective rather than keeping people getting hurt and then catching some poster boys who "overreached".

    Either we can have the FBI running one fraud site that they monitor, or we can just give them wholesale license to wiretap everything.

    How so? For all I care they can run an education campaign to make people less vulnerable to obvious fraud, or handing out hardware security tokens to banks by a truckload if those things happen to be more effective than what they are doing now.

    Fraud can't be actively prevented much more than it already is. There aren't enough agents out there to prevent crime.

    How many agents does it take to turn off the server that they already have?

    The best that they can do is deter it.

    If committing crime does not make person's life any more risky than not committing it as long as he does not "over reach" some limit, this does not deter much anyway. I can argue that if they can't keep carders from exchanging massive amounts of data, how can they deter them from using it?

  6. Re:Why didn't the FBI do the disruption? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    You've been watching too many movies. I know people who have been prosecuted by the Federal government. I know people who work in law enforcement at both the local/state and Federal level. There are bad cops out there.

    "Bad cops" have absolutely nothing to do with this. I am talking about system working exactly as designed, and still ending up doing more harm than good because of misplaced priorities. Corruption and intentional abuse are the whole additional level that for the purpose of this discussion we can ignore.

    I shouldn't, but I'll take the bait. Back in the day when "good" internet access was a $1000+ US Robotics 14.4 courier modem connected to a SLIP connection, most of the fraud was still taking place closer to the real world. A voicemail system with a national 800 number was the best way to anonymously swap codes. Even after ANI became wide spread, people just moved to payphones and kept going.

    It doesn't matter -- voice mail records voice. Voice is not efficient for passing around numbers, unless they are short, and people have limited time. Voice mail is even less so because of distortion.

    Fraud hasn't ruined me. It is so common and prevalent that financial institutions have procedures in place to deal with it. The only person who gets screwed by the fraud is the merchant who loses the goods. More often than not, even they have insurance to cover those losses.

    Assault and robbery didn't leave me broke and crippled, either, yet it doesn't mean that it always works like that.

    You have to realize that the crime they are dealing with, on the scale they are dealing with it, is new. I don't know how long you've been involved in the computer underground. I've been involved on one level or another since 1991, right after Operation Sundevil. When I got involved, we couldn't even have dreamed of fraud on the scale that it is currently taking place. Everyone was separated into their own little niches. The fraud was taking place on a much smaller scale. The idea of getting legit looking bank cards from Russia would have been a wet dream. The idea of doing it from east bumblefuck no where with the convenience of a DSL line was fairy tale stuff. It was hard enough to get good numbers and plastic in the middle of a major urban metropolis like Los Angeles. Forget about going online to any sort of one stop shop.

    Then maybe when it was on a small scale it made sense. On the scale it happens now, it's completely inappropriate -- a criminal has better chance to be hit by a bus than to be convicted as a result of such a "sting", so why would he care? People don't commit crimes because they think, it's safer than a legitimate job, they accept or ignore the risk.

    I'm going to suggest that you're working with a false premise. Creating temporary disruptions in the world of computer aided financial fraud is the digital equivalent of busting crack dealers on the corner. You aren't any closer to stemming the supply, you aren't addressing the underlying problems, and you're wasting resources that could be spent on investigations. On top of it all, there will always be someone else who will step into to the place of whoever you disrupt. There is simply too much money involved to imagine anything else happening.

    Crack has to be "supplied" by someone more or less identifiable, however even then it's a losing battle. Financial data will be passed around as long as it is used, and computers will be broken into as long as there are security holes. There are thousand, maybe millions of "suppliers". Hell, when was last time someone I don't trust seen my credit card? Today a cashier in a store where I have bought groceries? Have I checked who issued certificate for my bank's web site? And that's me, a person who actually applies some effort to keep his computers secure.

    Exchanging this information is what makes it harder to notice, spread over t

  7. Re:Why didn't the FBI do the disruption? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    Are you serious, or are you just arguing for the sake of doing so? Do you have any idea how the criminal justice system works in this country? Do you have any idea how investigations take place?

    No, I don't, and neither do you -- there is no oversight. For all I (or anyone) know, there may be more crime perpetrated by cops/FBI/informants/... in an attempt to convict a small number of criminals than by criminals who end up getting caught.

    If the FBI just took the site down the carders would move else where.

    That will likely take time, and criminals will lose data in the process, expose themselves to some real undercover cops, etc. Certainly it will decrease the total amount of fraud even if slightly smaller number of people will end up being convicted.

    Back before the internet was big, I used to know people who swapped codes over voicemail systems. What do you think happened when a compromised system got shut down? Everyone just jumped to another one.

    Voicemail? Really? It would be easier to swap codes by carrier pigeons than by voicemail.

    Collecting enough evidence to prosecute involves long term investigation. I doubt that the admins of the carding sites are keeping detailed transaction logs for the Feds to pour through. Therefore the Feds have to setup their own site to get enough evidence to tie the codes to the person providing them.

    So just to have a satisfaction of "nabbing" a couple of guys it's OK to dedicate public resources to defrauding thousands of innocent people with no recourse to those victims? I am sure, you will be happy to know that if was FBI and not criminals who spread your ID/cards/bank account information through such a system when you'll end up broke, unemployed and with a couple of outstanding warrants for your arrest in states where you never been.

    It's one thing when undercover cops join robbers to arrest them after a bank robbery. It still kinda make sense when cops get involved in multiple crimes and end up destroying massive criminal organizations, though considering how widespread is organized crime I am not convinced that it actually works that well. But when they run some continuing "operation" for months and years, with not even slightest hope to stop any noticeable percentage of criminals involved (most are unidentifiable or foreign), end up throwing a book at few skr1pt kiddies and fraudsters, leaving the rest alone, how does it balance with plenty of crime that would be hindered if their "sting" site did not exist?

    Since you've suggested that the Feds should just take down the sites themselves, please tell me how that would achieve anything more than a temporary disruption in the system?

    By constantly creating "temporary disruptions", so there will be less crime. Not all problems have easy and permanent solutions, certainly not crime in general and fraud in particular.

    How would that lead to prosecutions?

    See above -- when site goes down, criminals have more chances to expose themselves in the process of organizing another one. However the fundamental problem is, why should we (the society as a whole) care about prosecutions? We should care about having less crime, and with the numbers of people involved in computer-assisted fraud, their lack of hierarchy and low rate of successful prosecution, how does it solve that problem -- or any problem?

  8. Re:Why didn't the FBI do the disruption? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    What legal protections? They are still passing around stolen (possibly mine, and tens of thousands of other people) data on their "sting" site, continuously causing real harm to the victims -- if there was any real protection, they would have to be charged with fraud along with those few "real criminals" they have fished out.

  9. Re:phone next? on Apple Introduces "MacBook Wheel" · · Score: 1
  10. Re:crime also goes up on Employees the Next (Continuing) Big Security Risk? · · Score: 1

    No, it's "password".

  11. Re:crime also goes up on Employees the Next (Continuing) Big Security Risk? · · Score: 1

    1.

    - One teacher launched a tirade over a one-hour idle lockout, since she's too busy to hit Ctrl+Alt+Del and type her password once a day. I claimed I couldn't edit this GPO, since the principal would have forced me to.

    2.

    The worst: a teacher who gave her 10-year-old son her password so he could play games on her workstation, since the local private school's day off made her declare her personal "bring your son to work day".

    I see the problem.

  12. Re:Why didn't the FBI do the disruption? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    And participating in fraud (and providing public resources, no less) is any better? A honeypot site may gather evidence on some people and get them caught, but at the same time it will also assist many others criminals and be involved in crimes that will never be solved. FBI doesn't have resources to go after any meaningful percentage of site users, so how is it supposed to be a benefit for society? How come, they are immune to those charges (fraud with massive numbers of victims) yet not to "computer trespass" that targeted a site operator who probably will be charged with fraud anyway?

  13. Re:Capture or hire the black hats? on A Hacker's Audacious Plan To Rule the Underground · · Score: 1

    No. When someone discovers security holes, every user will have to rely on the free market to get his security patches from white hats before getting his computers broken into, or to pay ransom to black hats after that.

    (Welcome to Libertopia)

  14. Re:They are both DLLs. on IE Market Share Drops Below 70% · · Score: 1

    And will it actually correspond to events that should be processed by a plugin?

  15. Re:It probably won't last another 4 years on Microsoft Issues Workaround For Zune Freeze · · Score: 2, Insightful

    Because software does not wear out?

  16. Re:They are both DLLs. on IE Market Share Drops Below 70% · · Score: 1

    And how do you determine what calls to pass and what not to pass to something running in embedded window? You have to take into account that to be secure, filtering has to go in both directions -- input and output.

    In X it's simple, messages/events for a plugin window should be only handled by plugin, and never are, or should be seen by the application that embeds it, and vice versa. They don't have to know about each other's input and redraw events -- X server has to decide who gets the input and who obscured or resized whom before saying anything to either application, so everything a proxy has to do is to make sure that all events that aren't supposed to go to a client, are blocked even if sent to this client, and all requests from the client only affect its own windows, embedded or not. This allows to completely separate applications' access to GUI, and if necessary block dangerous or obnoxious behavior (popups, everything modal, large fonts, etc.) without breaking applications' behavior.

  17. Re:They are both DLLs. on IE Market Share Drops Below 70% · · Score: 1

    But what if plugin has to be embedded in a page, like flash usually is?

  18. Re:I doubt this was AirTran's fault on Overzealous AirTran Boots 9 Passengers Off · · Score: 1

    So what? If Homeland Security insists on making companies violate rights of their customers, companies are still responsible for the consequences. Maybe being entities that exist to turn profit for their shareholders, they should've actually opposed the rules that make them LOOOZ MUUUHHHNAAAY over this idiotic behavior. What did they lobby the Congress for last time, again?

  19. Re:They are both DLLs. on IE Market Share Drops Below 70% · · Score: 1

    More important issue is having access to input and output in other applications' windows. A lot can be done by adding passive listener, input injector or full-blown man-in-the-middle to, say, a web browser or remote shell/desktop client.

  20. Re:They are both DLLs. on IE Market Share Drops Below 70% · · Score: 1

    On Windows most likely you are going to see whole pages being rendered by processes running as separate users (what you can already do now by running the whole browser as that user, just with easier to use GUI), and likely there will be no security restrictions on what plugin can do with GUI that won't be easily bypassed.

    With X11 you can have some processes treated as untrusted or even proxy and filter their GUI-related calls/events, and run them in top-level or embedded windows, still keeping all local access separate regardless of any GUI integration. Then untrusted application will never be able to listen on other applications' input, access other applications' windows, crash browser or other applications, access network directly, etc with OS-level security implementing those restrictions that can't be bypassed by merely dragging another library with themselves. On Windows it can be done by messing with Terminal Services, however it would be tough to implement something that will be both compatible (as not to break existing events and objects model) and secure.

    On neither system it actually was implemented at that extent, so at this point plugins are still supposed to be treated as trusted applications, however I am sure, this is the direction that will be eventually taken because of growing amount of code running by a browser -- as part of the browser itself, plugins, applications, scripting engines or extensions.

  21. Re:They are both DLLs. on IE Market Share Drops Below 70% · · Score: 2, Informative

    Under systems that use X11 the solution is trivial -- plugin is a wrapper that runs a separate process under another user ID, embedded in a window. Then plugin's permissions can be pretty much anything configured for that user (plus anything configured with capabilities if anyone would bother using them). X11 controls access to display, filesystem controls access to files, capabilities control everything else, with all kinds of combinations.

    I don't think, anyone bothered to go that far, however nspluginwrapper provided that functionality for at least a decade, and Red Hat actually used it with SELinux to achieve similar security isolation of applications running in it.

  22. Re:Mozilla plugins == Active X... on IE Market Share Drops Below 70% · · Score: 4, Informative

    1. ActiveX is an all-encompassing Microsoft object-handling infrastructure (descendant of OLE, DDE, COM and DCOM) that is also implemented as a part of remotely-installable code in a browser. A page with ActiveX controls can only work if ActiveX controls are allowed to run in a browser, and Windows permission models prevents any kind of isolation, so this technology is inherently insecure regardless of the purpose of the controls.

    2. Mozilla plugins are applications that use browser's interface model. They can be installed or uninstalled to view various kinds of data identified by MIME Content-Type. Same type of data can be handled by different plugins or external applications, and pages can easily make plugins-supported data optional. Also it's important that page is not tied direcly to any executable code -- user has to install plugin like any other application.

    The only plugin that was ever used for control of navigation was Flash -- and the idea became very unpopular very soon because it lacks browser-provided infrastructure (history, bookmarks, cookie management). On the other hand, ActiveX is primarily used for either highy intrusive things that are meant to break security models (Windows updates, antiviruses, not to mention viruses and worms themselves) or serve as a replacement for IE abysmal support for scripting and interactive graphics.

  23. Re:Two multiple hundreds of thousands of years eve on Is the Yellowstone Supervolcano About To Blow? · · Score: 1

    History books will refer to late 2008 as The Year God Decided He Really Hated America.

    But without Americans who would place God in history books?

  24. Re:Constitutionality on Sex Offenders Must Hand Over Online Passwords · · Score: 1

    and Humanism is entirely a derivative of Christianity

    lol American Christians and their wacky beliefs.

  25. All thosr MP3 will be lost... on Microsoft Zunes Committing Mass Suicide · · Score: 2, Funny

    ...like tears in rain.