Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories: 0
Comments: 12,200

Comments · 12,200

  1. Re:Look at the credits for Adobe Reader. on Adobe Warns of Critical Zero Day Vulnerability · Score: 1

    PDF files are backwards compatible too; if you don't use any of the new cruft, the resulting files will open in positively ancient PDF viewers without problems...

    Attacks against Acrobat are not always against the new cruft; there is plenty of scope for bugs to exist in the basic parsing features that even the most basic of PDF viewers would require...

    The problem is the monoculture, the fact that such a large proportion of potential targets are running the exact same software, meaning that the return on investment for finding a hole in Acrobat is much higher than finding a hole in a web browser, which will cover at maximum around 40% of potential targets.
    If Acrobat only had 40% of the market, and there were several other popular PDF viewers, it would be a far less attractive target and users would be aware that Acrobat isn't the only option, so they could more easily move to something else.

    Also they need to keep bolting new crap on to keep selling, otherwise someone else will come along with an equivalent product that's cheaper or free and eventually force them out of the market. Pretty much all commercial software follows either this model or locking people in (or both)... Otherwise it would simply be impossible to sustain a market where it's possible for someone else to give the product away for free.

    What they really need to do is give up trying to sell software and concentrate on providing support services for business users, as most businesses would rather pay an ongoing fee to have someone they can call for help... Not so much software as a service, so much as services for software.

  2. Re:Depends how locked-down on Ask Slashdot: Ubuntu Lockdown Options? · Score: 1

    The login they have doesn't need to allow shell logins, it only needs to allow logins to run the kiosk app so switching to another TTY won't help them.

  3. Re:Depends how locked-down on Ask Slashdot: Ubuntu Lockdown Options? · Score: 1

    I googled for "Software Restriction Policies" and found a nice thread on seclists.org detailing at least one design flaw which makes it possible to bypass them:

    http://seclists.org/fulldisclosure/2006/Jun/249

    The vendor response is especially amusing...

    There are other ways round; this is just the first Google result.

  4. Re:Depends how locked-down on Ask Slashdot: Ubuntu Lockdown Options? · Score: 4, Informative

    Kiosk mode is actually much easier on Linux...
    Instead of a full blown desktop environment, simply supply a minimal window manager (or none at all) and the desired application. Remove all unnecessary packages from the system, and ensure any area the user can write to is mounted noexec and gets automatically cleared each time the machine is used.

  5. Re:Depends how locked-down on Ask Slashdot: Ubuntu Lockdown Options? · Score: 1

    Windows is so convoluted, and group policies are pretty much userland (e.g. the policies are enforced within programs themselves, not at the OS level), that they are trivial to bypass...
    E.g. browser policies apply only to IE; install another browser and those policies are gone.
    Policies on being allowed to run regedit and cmd.exe are similarly implemented in those binaries themselves; you can always run alternative programs which don't do the completely arbitrary "are you allowed to run this" check, or just modify the existing binaries to remove it (they only check a registry key for its presence; if you change the string which stores the key name, the check will fail and the program runs).
    Some of the restrictions on which directories you can browse in Explorer are even more ridiculous: if you try to go directly to c:\ you get an error, but if you run another program (e.g. IE) that invokes an Explorer window, that will work; then you just hit the up button until you get to the root of the drive.
    And of course these restrictions are implemented in certain userland libraries used by some programs; you can still access files on these forbidden drives, you just can't browse them using the Explorer functions... So again, running a different program bypasses the restrictions.

    A Unix box configured to load a specific app when a user logs in, instead of even loading a full-blown window manager, is far harder to break... Simplicity is the key here.
    Also configure the system so that any areas which are writable by users are not executable; since any enforcement is kernel level, the ability to introduce their own binaries isn't a huge risk, but it's also easier to impede than on Windows.
    You can also use iptables to prevent/restrict network access on a per-user basis, so you can force browsing via a proxy regardless of what browser the users run.

    Unfortunately neither of these suggestions is valid given the submitter's criteria stating that he is unable to make changes to the OS or add users.

    And "disable all applications that you don't want users to access" is stupid; if applications are not needed they shouldn't be installed. The Windows approach of leaving them installed but disabling them via group policy is stupid as it's so easily bypassed...
    Instead, you want to remove applications that no user will need (again Windows makes this hard for some things, Linux makes it easy) and set appropriate FILE PERMISSIONS on those that only some users will require (even Windows lets you do this, and it's far more useful than group policy because it's enforced at the kernel).
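The Linux kiosk lockdown described in comments 4 and 5 above (a login that runs only the kiosk application with no window manager, user-writable areas on noexec tmpfs that is discarded each session, per-user iptables rules that force the proxy, and file permissions rather than policy to restrict other binaries), as an added example that is not from the thread. It assumes a kiosk user named kiosk with uid/gid 1001, an application at /usr/local/bin/kiosk-app, an HTTP proxy at 10.0.0.2:3128 and a Debian/Ubuntu box (dpkg-statoverride); all of those names and addresses are assumptions. The audit function reads /proc/mounts-format text, so it can also be run against the constructed sample embedded below.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: user 'kiosk' (uid 1001),
# app /usr/local/bin/kiosk-app, proxy 10.0.0.2:3128, Debian/Ubuntu host.
KIOSK_USER=kiosk
KIOSK_UID=1001
KIOSK_APP=/usr/local/bin/kiosk-app
PROXY=10.0.0.2
PROXY_PORT=3128

# Every location the kiosk user can write to is a tmpfs mounted noexec (and
# nosuid/nodev). tmpfs lives in RAM, so the contents vanish on reboot and each
# session starts from a clean slate.
kiosk_fstab() {
  cat <<EOF
tmpfs /home/$KIOSK_USER tmpfs rw,nosuid,nodev,noexec,uid=$KIOSK_UID,gid=$KIOSK_UID,mode=0700,size=64m 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,mode=1777,size=64m 0 0
EOF
}

# The user's "login shell" is the application itself: no shell prompt exists to
# drop into, and when the app exits the session ends and getty logs in again.
kiosk_shell_script() {
  cat <<EOF
#!/bin/sh
exec xinit $KIOSK_APP -- :0 -nolisten tcp
EOF
}

# Per-user egress policy, enforced in the kernel regardless of which browser the
# user manages to start: loopback and the proxy are allowed, everything else is
# rejected for processes owned by the kiosk uid.
kiosk_iptables_rules() {
  cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $KIOSK_USER -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $KIOSK_USER -p tcp -d $PROXY --dport $PROXY_PORT -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $KIOSK_USER -j REJECT
EOF
}

# Audit: read /proc/mounts-format text on stdin and print each of the given
# user-writable paths that is mounted rw without noexec, or that is not a
# separate mount at all (so it inherits whatever its parent filesystem has).
noexec_violations() {
  awk -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    {
      seen[$2] = 1
      for (i = 1; i <= n; i++) if ($2 == w[i]) {
        m = split($4, o, ","); rw = 0; noexec = 0
        for (j = 1; j <= m; j++) { if (o[j] == "rw") rw = 1; if (o[j] == "noexec") noexec = 1 }
        if (rw && !noexec) print $2
      }
    }
    END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] " (not a separate mount)" }'
}

# Constructed sample of /proc/mounts for offline testing: /tmp is missing noexec.
SAMPLE_MOUNTS='tmpfs /home/kiosk tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,uid=1001,gid=1001 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0'

# Apply everything (run as root on the target). xterm is restricted by file
# permission to group staff, persisted across package upgrades with
# dpkg-statoverride, instead of being left installed and "disabled" by policy.
kiosk_apply() {
  kiosk_fstab >> /etc/fstab
  kiosk_shell_script > /usr/local/sbin/kiosk-shell
  chmod 755 /usr/local/sbin/kiosk-shell
  usermod -s /usr/local/sbin/kiosk-shell "$KIOSK_USER"
  kiosk_iptables_rules | sh
  dpkg-statoverride --update --add root staff 0750 /usr/bin/xterm
}

case "${1:-}" in
  apply) kiosk_apply ;;
  audit) noexec_violations "/home/$KIOSK_USER" /tmp /var/tmp < /proc/mounts ;;
esac
```

Run with `audit` first on a configured box: an empty result means every listed path is its own mount with noexec; anything printed is a place the user could drop and run a binary. The owner match keys on the uid, so a different browser, or a shell reached through the application, gets the same REJECT.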

  6. Re:Depends how locked-down on Ask Slashdot: Ubuntu Lockdown Options? · Score: 1

    The user could boot using the original media instead, therefore bypassing your restrictions...

  7. Re:Look at the credits for Adobe Reader. on Adobe Warns of Critical Zero Day Vulnerability · Score: 1

    PDF is not the problem. PDF is a great format and massively preferable to sending MS Office files around...

    Acrobat is the problem; it is a lousy, bloated PDF reader, and the fact it is installed almost everywhere makes it an extremely tempting target for hackers...
    Acrobat today is like IE6 was a few years ago, and the same thing needs to happen. Namely that enough people ditch Acrobat to use alternative PDF readers that Acrobat becomes a small enough minority that it is no longer such an attractive target.

    Using MS Office files is a ridiculous idea; these formats are even more complex than PDF while also lacking proper documentation... There have been many exploits against MS Office, although most target corporate users as, unlike Acrobat, MS Office stands a good chance of not being installed on a typical home user machine, primarily because it's very expensive.
    Also because of the lacking format documentation, it is much harder to filter files on a gateway device than it is with PDF.

    Until the corps get tired of the bullshit and switch to something else there simply is no reason for Adobe to care. How many years have Adobe Reader exploits been a running joke? Yet they still have corporate by the balls and they know it.

    Same applies to MS, Oracle, Cisco, etc... pretty much any major vendor takes this attitude and it's why lock-in and monocultures need to be done away with.

  8. Re:Look at the credits for Adobe Reader. on Adobe Warns of Critical Zero Day Vulnerability · Score: 0

    While I agree with your statements, it's not "Indian" developers who are necessarily at fault...

    The real fault lies with the upper management that not only doesn't understand software development, but then attempts to outsource it to the lowest bidder and then, due to their lack of understanding of the subject, are unable to keep the outsourced developers in check or even identify the poor quality of their work.

    There are plenty of highly skilled Indian developers, but the good ones are rarely very cheap. There are also lousy developers in Western countries, but these generally aren't very cheap either due to the basic cost of living... The main reason Indian developers are chosen instead of similarly cheap developers from places like China is because they generally have a much better grasp of English (albeit with an accent).

  9. Re:Listed mitigation: Adobe Reader X Protected Mod on Adobe Warns of Critical Zero Day Vulnerability · Score: 3, Insightful

    It's the old Microsoft syndrome again...
    Take software which was designed for a non networked, single user standalone environment...
    Throw it onto a hostile network like the Internet...
    Then make sure that 95% of systems run exactly the same software...

    If there was a more even marketshare of PDF viewers out there, then they would be far less attractive to target.

  10. Re:Listed mitigation: Adobe Reader X Protected Mod on Adobe Warns of Critical Zero Day Vulnerability · Score: 1

    Unfortunately, lots of end users equate bigger with better...

    Similarly many people consider PDF to be a proprietary format which is only supported by Adobe, and refuse to even consider the idea that any alternative viewers exist. This is also perpetuated by the vast number of websites which offer PDF files for download and then include a statement that specifically says Adobe Acrobat is required rather than a generic PDF viewer.

    I have even encountered Mac users who, when faced with a PDF file, make no effort to open it and instead immediately head off to download Acrobat, despite the fact that OS X includes a decent PDF reader by default.

    And out of interest, what other readers are there which conform to the full ISO 32000 spec, and how do they compare for size?

  11. Outsourcing... on Does Outsourcing Programming Really Save Money? · Score: 5, Insightful

    If you pay someone by the hour, they will work as slowly as they can...
    If you pay someone by project, they will cut corners to finish quicker.
    If you pay someone by lines of code, they will write bloated code.

    All of this is even worse when the developers are halfway round the world and you can't keep track of them so easily, and when you don't have sufficiently clued-up people on hand to inspect the code they have written.

  12. Re:Go to the software producer's site on Download.com Bundling Adware With Free Software · Score: 1

    Because people would rather trust a single central location (e.g. download.com) than a multitude of different websites, any of which could be pushing malware or owned.

    This is of course primarily a Windows problem; Linux users can get the majority of the software they want through the built-in repositories, while Mac users now have the App Store...

  13. Re:Number portability on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    That's down to the network...
    For any GSM based network with SIM cards, moving to a new handset is as simple as swapping the SIM.

    Moving the number is completely separate, they ported the number to a completely different provider.

  14. Re:The first factor on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    This is exactly what they do...

    When I ported my number a few years ago, I had to:

    Show proof of address in the form of a utility bill (anyone can print a fake one of these)
    Make a random mark on a piece of paper with a pen, a "signature", which anyone can fake even more easily

    and that was that, porting process started.

  15. Re:People are so careless about security on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    The bank could supply a LiveCD... If you want to do online banking (or to make transactions over a certain amount), you boot the LiveCD.

    Instead, they try to foist snake oil software on you like Trusteer Rapport (http://www.digit-security.com/blog/?p=47) which just adds additional unnecessary cruft onto your machine.

    If someone got a keylogger installed on your machine they have privileged access to it, so then it's purely a case of pot luck as to which software is able to bypass the other first.

  16. Re:Doesn't two factor mean 2 pieces of info? on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    I wouldn't call RSA at all secure... The fact that they provide all the keys is a terrible idea and always was; them fucking up was always an accident waiting to happen.

    I wouldn't trust any such system unless I could seed the device myself. There is no reason for the vendor to supply the seeds.

    With a properly configured Yubikey, only two parties would have the necessary seed values: myself and the organisation I'm dealing with. If someone successfully hacked Yubico it wouldn't help them attack me.
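The self-seeded token the comment argues for, as an added example that is not from the thread and is not Yubico's or RSA's code: an HOTP (RFC 4226) token written in POSIX sh with openssl, where the 20-byte seed is generated on the user's own machine with the local CSPRNG and shared with exactly one verifier, so no vendor ever holds a copy. The verifier keeps the next expected counter and a small look-ahead window, which is what makes a replayed or stale code fail. Yubico OTP itself uses AES and a different token layout; HOTP is the simpler stand-in used here. The window size and the RFC 4226 test key in the usage note are the only fixed values; the seed in the demo is freshly generated each run.

```shell
#!/bin/sh
# Added example, not from the thread: HOTP (RFC 4226) with a locally generated
# seed. Requires openssl; everything else is POSIX sh. Hex inputs must be
# even-length (keys and counters produced here always are).

# Emit the raw bytes of a hex string. POSIX printf only has octal escapes, so
# each byte is converted to \ooo first.
hex2bin() {
  h=$1
  while [ -n "$h" ]; do
    b=${h%"${h#??}"}; h=${h#??}
    printf "\\$(printf '%03o' "$((0x$b))")"
  done
}

# Seed the token yourself: 20 random bytes from the local CSPRNG. Load this
# into the device and give it to the one verifier; nobody else ever sees it.
new_seed() { openssl rand -hex 20; }

# hotp KEYHEX COUNTER [DIGITS]: HMAC-SHA1(key, 8-byte big-endian counter),
# dynamic truncation on the low nibble of the last byte, mod 10^DIGITS.
hotp() {
  key=$1; ctr=$2; digits=${3:-6}
  mac=$(hex2bin "$(printf '%016x' "$ctr")" |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | awk '{print $NF}')
  off=$(( 0x${mac#"${mac%?}"} ))                       # offset = last nibble
  word=$(printf '%s' "$mac" | cut -c "$((2*off+1))-$((2*off+8))")   # 4 bytes
  mod=1; i=0
  while [ "$i" -lt "$digits" ]; do mod=$((mod*10)); i=$((i+1)); done
  printf "%0${digits}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# hotp_verify KEYHEX NEXT_COUNTER CODE [WINDOW]: the verifier side. CODE is
# accepted only if it matches one of the next WINDOW counters; on success the
# new next-counter is printed so the caller persists it, which is what makes a
# replayed or older code fail. Returns 1 on rejection.
hotp_verify() {
  vkey=$1; next=$2; vcode=$3; window=${4:-5}
  c=$next
  while [ "$c" -lt "$((next + window))" ]; do
    if [ "$(hotp "$vkey" "$c")" = "$vcode" ]; then
      echo $((c + 1)); return 0
    fi
    c=$((c + 1))
  done
  return 1
}

if [ "${1:-}" = demo ]; then
  seed=$(new_seed)
  echo "seed (share with one verifier only): $seed"
  echo "code for counter 0: $(hotp "$seed" 0)"
  next=$(hotp_verify "$seed" 0 "$(hotp "$seed" 0)") && echo "accepted; next counter $next"
  hotp_verify "$seed" "$next" "$(hotp "$seed" 0)" >/dev/null || echo "replay rejected"
fi
```

With the RFC 4226 test key (ASCII "12345678901234567890", hex 3132...3930) `hotp` gives 755224, 287082, 359152 for counters 0, 1, 2, which is the published vector. Note that the verifier must store the returned counter atomically before replying: a verifier that only checks the window without advancing it accepts the same code twice.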

  17. Re:The Blame Game on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    In the UK, a card issuer is required to immediately credit the money back to you and then carry out their investigation... I imagine this is specifically so interest charges don't rack up in the interim. That way the customer doesn't have to care how long it takes.

  18. Re:The Blame Game on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    You bring up an interesting point: a lot of companies, including banks, will call you up to discuss various things...
    They often block their caller ID, so the call comes up as anonymous...

    When you answer, the company expects *you* to authenticate yourself to them and will often refuse to authenticate themselves to you... I even had someone use the line "well we're a big company" on me this week... How do I know that? Anyone could call up and say the same thing...

  19. Re:Account security on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    Security is inconvenient; if a business implements tougher security than its competitors, then users will flock to the more convenient competitors...

    Losing customers in this way has been judged to cost more than the resulting fraud from weaker security, and so this is how it's done.

  20. Re:Account security on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 1

    Well, not RSA, some other form of token where the customer (in this case the bank) keys it themselves.
    The idea of buying a token that's already loaded with key material is an epic fail, as proven by RSA when they got owned a few months ago.

  21. Re:What's the point of this story? on Scammers Work Around Two-Factor Authentication With Social Engineering · Score: 3, Interesting

    1) No, it's a hole in the auth, since they used a known weak method that relies on the security of the telco, over which they have no control.

    2) The problem is how do they authenticate that it is the customer requesting the number porting?
    Most likely they will ask some "security questions" over the phone which a good social engineer will know the answers to...
    If doing it in person in a shop they just ask for a signature, which of course is totally arbitrary and trivially easy to fake...

    Even if the telco has strict policies, how is the actual number porting carried out? Usually it is based on carriers trusting each other not to submit rogue requests, so all it needs is one rogue or compromised carrier...

  22. Lucky they are small... on The Rise and Fall of Kodak · Score: 1

    If Kodak were larger and more influential I'm sure they would be lobbying hard to get digital media banned so they could continue with their obsolete business model of producing film...

  23. Re:UNIX family tree on The Strange Birth and Long Life of Unix · Score: 1

    The IRIX source code is available if you know where to look...

    Speaking of Chinese MIPS CPUs, the only machines I've seen available are using the Loongson 2F chips, which are pretty mediocre, whereas the Loongson 3 chips look really interesting (quad core, low power)... I've been trying for a while to get one of the dual CPU Loongson 3 motherboards they talked about a while ago, but they're impossible to get hold of... Contacting Loongson directly, they told us to go to their "OEM partners" but wouldn't tell me who they were, and I couldn't locate any of them myself.

  24. Re:UNIX family tree on The Strange Birth and Long Life of Unix · Score: 1

    Linux supports X on the Octane series, might as well get one of those since they're pretty cheap these days...

  25. Re:UNIX family tree on The Strange Birth and Long Life of Unix · Score: 1

    Funny thing about the IRIX C compiler (on 6.5): if you tried to use it you got a big warning about it not being licensed, but then it worked anyway... You also had a second compiler tucked away in a subdir somewhere which was for rebuilding the kernel modules.

    I think the compiler on 5.3 just worked normally and shipped with the OS, but that was quite some time ago.

    Would you part with a copy of IRIX? I have a bunch of old SGI boxes, and no original media for them...
    Also if you want a box to run your IRIX on, i have a spare octane and a spare onyx.