Slashdot Mirror


User: Antique+Geekmeister

Antique+Geekmeister's activity in the archive.

Stories
0
Comments
7,305
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 7,305

  1. Re:Other subversion flaws on Linus on Subversion, GPL3, Microsoft and More · · Score: 1

    But this is why you need to report it! Give your security and networking people the ammunition they need to do thing right, and explain it in small words to that gentleman who thought "the default permissions are 700, so you can't normally access it".

    There are powerful file sharing systems that do take security more seriously. CIFS is one of them, although its's lack of symlinks and odd permission handling is quite awkward. AFS is another one that has a huge startup cost but scales well and relies on much more serious levels of security (such aa Kerberos authentication.)

  2. Re:Important Differences on Linus on Subversion, GPL3, Microsoft and More · · Score: 1

    Oh. Oh, my. Have you ever looked at the *rest* of the Linux operating system? So much of it is GNU based, it's really unfair to call Linus the spritual leadre. Maybe the rock on which the church of open source was built, rather than its founder. Please review other core components like bash, gcc, and glibc, and look at how those came from Richard Stallman and the Free Software Foundation before you call Linus the spiritual leader.

    Linus is fabulous: I massively approve of his work and his attitude, but spirituals leaders need to be slightly more leading edge than Linus.

  3. Re:SVN vs. CVS on Linus on Subversion, GPL3, Microsoft and More · · Score: 1

    Yes. If I'm on a problem-solving trip, or a training trip, and the repository is an internal corporate one, I'm reliant on a secure connection all the way back to that repository for every single commit. This creates considerable difficulties in quite a few environments, and that makes frequent, small commits very difficult indeed.

  4. Re:Can't RTFA... on Linus on Subversion, GPL3, Microsoft and More · · Score: 1

    I have. It's awkward to handle large binary objects, because of one of the fundamental flaws of Subversion that the authors don't admit that it's a good idea to throw things out now and then. But if you throw out the idea of using the "move" function for anything bulky, and instead use the "import" function to create new tags, it becomes possible to actually prune branches that neverb wind up migrated back into the trunk.

  5. Re:Other subversion flaws on Linus on Subversion, GPL3, Microsoft and More · · Score: 1

    Please note that I do not discredit your personal efforts to handle this more securely: your approach seemms fairly sound. But the storing of passwords in plain text is an amazingly stupid part of Subversion, one that is by now a favorite attack vector against people like yourself who don't realize the nature of some of the security risks of it.

  6. Re:Other subversion flaws on Linus on Subversion, GPL3, Microsoft and More · · Score: 3, Insightful

    You've apparently not worked with NFS. Simply setting a username on your NFS client with the same UID as the user on the server allows access to all those contents of the the "chmod 700" home directory and .ssh directory. NFS is commonly known as "No Fucking Security" for a number of powerful historifcal reasons, most especially this one.

    You're also apparently trapped by the same error as the Subversion authors have made. You think the local disabling of permissions to read the data means that someone locally cannot actually read the plain text passwords. Other means for access include:

    * Booting with a live CD to access every file on the local drive.

    * Getting fools to run a USB device on Windows systems (which doesn't accss the TortoiseSVN stored passwords, but can easily access SSH keys and passwords stored under CygWin)

    * Removing hard drives for duplication (apparently a common practice in European hotels before international conferences, where thieves enjoy quite a lot of easy nabbing of passwords or even industrial espionage)

    * Accessing backup tapes (an extremely popular hobby for both amateur and professional system crackers)

    Setting the permissions to 700 keeps out only the most casual and polite of attackers. It's generally no more effective than putting a deadbolt on a screen door.

  7. Other subversion flaws on Linus on Subversion, GPL3, Microsoft and More · · Score: 2, Informative

    There are other issues: the Subversion authors have made a very real mistake here in keeping unencrypted passwords online, by default, in every public Linux or UNIX client compiled from Subversion's basic source code.

    I just had to have a polite conversation with a professional peer who kept his home directory on his laptop, then turned on NFS shares "to get work done". I waited, very politely, until he put his laptop on the DMZ with his NFS shares turned on. Then I pulled his SSH keys for a set of sourceforge projects from his directory, and his password from his oher Subversion repositories. Voila! I now have write access to his Sourceforge subversion epositories.

    I'm patient. But crackers aren't, and scan for this sort of vulnerability constantly. The Subversion authors should never have bothered to include the ability to store the password, at all.

  8. Re:tag: imminentdeathofthenetpredicted on Will Internet TV Crash the Internet? · · Score: 3, Funny

    45. Don't forget the 3 redundant slashdot stories today.

  9. Re:My alternative... on Will Internet TV Crash the Internet? · · Score: 1

    I'm finding your analysis perceptive. And I'm keeping my eye on the excited new small companies buying their first cool chairs with all the fancy knobs and levers.

    Those of us who actually have a hint on how much providing reliable video download services cost to provide are laughing sadly, and selling our services dear to clean up the messes and salvage *something* out of it. I wish I had a nickel for every recruiter who's tried to hire me the last few weeks for these thngs. I'd have.... enough to pay for nice latte on my way to work. And I'm referring them to my younger, less experienced friends, who can use the resume filler contract work.

  10. Re:It's not rocket science on Will Internet TV Crash the Internet? · · Score: 2, Interesting

    Notice also that they didn't sell *us* the service. They sold their excited investors the business plan to sell exponential growth, based on badly researched growth of their businesses and excited sales plans.

    We saw this all about 7 years before the first dotbomb, with web businesses. We're seeing it now with new online video businesses. The people who learned their lessons last time are selling their acumen this time around, selling the datacenter space and storage acumen to people willing to pay on credit for massive expansion that is never going to happen. These people are snickering as they carefully insist on cash up front.

  11. Re:I'm not buying any more WoTC products... on Dungeons & Dragons 4th Edition Announced · · Score: 1

    You had paper? We had to chew up our own papyrus and spit it out, then pick up Ogg and use his flat head to pound it into sheets.

    For graph paper we'd use his sister who liked to cornrow her beard, and use her gigantic jutting chin to mark the resulting sheets. She'd do anything for a date after the somewhat successful gender-change surgery. (It didn't really work, but we were too polite to mention, and hey, graph paper was graph paper, and it's not like any of were likely to get a date with Ogg eating anyone foolish enough to ask her or him or whatever out.)

  12. Re:It's telling, but of what? on Alienware Won't Sell Consumers CableCard PCs · · Score: 1

    It doesn't take an MBA. Customer support calls are very, very expensive to handle, especially when you get several hundred of them at once and you have to have a tech support who actually has a clue to help handle it. They can eat up your profit margin very, very quickly, especially if soome of the customers are really unhappy and start shipping the PC's back.

    I've seen companies embrace exciting new technologies with exciting new business plans without actually testing them together, and it's often disastrous. It's also why building your own PC is so much fun and so educational, but you have to enjoy losing operation of your PC for days while working out how to get that hard drive controller driver into your OS's boot system and getting that video card to actually be used by your OS, even though the driver overwrites and breaks other software.

  13. Re:not really on TSA's "Behavior Detection Officers" · · Score: 1

    Yeah, we just send money to the repressive governments who happen to cooperate with US policy. Kind of like Panama did, until Noriega let the dope dealing get out of hand and wound up seized and locked up without public trial or a chance to expose the elder Geoorge Bush's role in funding his regime, back when the elder George Bush headed up the CIA.

    Then there's Cuba, which is its own historical adventures. Hijacking planes to Cuba used to be a fairly regular occurrence.

  14. Re:I might be in the minority here on TSA's "Behavior Detection Officers" · · Score: 1

    It's much, much, much cheaper to get one member hired as a member of TSA and have them mail home the details of the guidelines. There's no need to spend all that money blind-testing such a security porous, locally trained, and overworked group.

  15. Re:not really on TSA's "Behavior Detection Officers" · · Score: 1

    Worse yet, try practicing that xenophobia and see how many Jews you get. The "middle eastern profile" involves beards, face structures, and colorations that are common among the admittedly diverse Jewish community. And better yet, try it on the privileged sons of one of the wealthier Saudi families. You know, the families where the Palestinians do their fund-raising, like Osama bin Laden's family? Then watch the billions of dollar deals that fund their wealth and keep US oil prices low start falling through.

    You know, this might actually be a good idea in a number of ways. OK, let's just have the racial profiling at airports nearest the univresities and hospitals and resorts where the wealthiest Arab families visit.

  16. Re:For a different take on this program... on TSA's "Behavior Detection Officers" · · Score: 1

    It's not much good for her. But it's *great* for the 1500 people in the skyscraper the nutjob wants to smash into, and for the people on that airplane whom the hijacker cannot drive into that building. It's just a flipping nightmare for the cabin crews. They'd need their own toilets, that space is *already* cramped, it would mean adding a lot of weight and a serious wall to thousands of business aircraft, weakening the nose cone by putting a door in it instead of a smooth panel, etc.

    By the way, the "madmen with knives" scenario is gone from airport hijacking threats. It only worked because it was a complete surprise: until then, hijackers wanted to redirect the planes somewhere else, not smash them into buildings. Within only a few hours, the risk wsa over: even on the same day, a group of informed passengers dealt with the risk on the plane itself. The risk now is suicide bombers: a few successful ones would ruin tourist industries and major transport companies and help discredit this "war on terror" as being successful in any way.

  17. Re:Um, no. on TSA's "Behavior Detection Officers" · · Score: 1

    And I've walked through security with Exacto utility knives, big syringes of epoxy, and once even with a small power drill. I forgot I had them in by over-occupied knapsack while visiting a worksite to handle on-site network issues. This is all since 9/11, in busy urban airports. Often the staff at the returning flight, in less overwhelmed and less urban airports, caught them easily.

    American airport security theater is a serious joke, because it's too easy to find airports that have awful, awful, privately contracted, understaffed, overworked security. Boston was apparently a classic example of this, and still is reported as one of the worst secured airports in the US: it's a major reason so many of the 9/11 attackers took off from Boston.

  18. Re:"Gold standard" on TSA's "Behavior Detection Officers" · · Score: 1

    Unfortunately, the Israelie security is permitted techniques of discrimination that are blatantly illegal in the US. Standards based on religious or national dress, for example, are very handy when you have vehemently devoted followers of religions and warring nationalities who actually bother to shave faces differently, wear different hats, and treat women so very differently indeed.

    For body and facial language differences, simply watch an Israeli man, woman, and child's reaction to an Israeli woman in uniform waving a metal detector over a man's groin, and an Israelii man waving the same detector over a woman's groin and breasts. Then watch a Palestinian's reaction.

  19. Re:I'm not buying any more WoTC products... on Dungeons & Dragons 4th Edition Announced · · Score: 1

    Gosh, you had hands? And already had bosons? You youngster!

    We had to use our bare wet brains to grab the particles and manipulate them. How do you think so many quarks wound up "sticky"?

  20. Re:But on Anti-Bacterial Soap No Better Than Plain Soap · · Score: 1

    It would be best if you didn't get zero her files before forcing the system to reboot. (Go look Hans Reiser's murder of his wife and the flaws of ReiserFS.)

  21. Re:Everybody dies on Dungeons & Dragons 4th Edition Announced · · Score: 1

    I *loved* that game. It was only surpassed by "Bunnies and Burrows" (http://en.wikipedia.org/wiki/Bunnies_and_Burrows) , which was great fun to play with gamers who'd started taking themselves too seriously.

  22. Re:I'm not buying any more WoTC products... on Dungeons & Dragons 4th Edition Announced · · Score: 4, Funny

    Greyhawk. Now, *that* brings back memories. Graph paper, polyhedral dice rounded off from rolling, the original cardboard dungeon master's shields with the critical hit tables listed on them. Scrounging for money to pay for new lead figures and paint. Way too much soda and chips all evening, the leaden sound of grades dropping below passing as we spent nights playing instead of "studying at a friend's house, mom, honest!" The smell of far too many unwashed young men in a room, great fat older men sitting on and breaking every chair they sat on as they tried to reach over the table to move their elven-princess-wearing-only-a-tiara leaden figures.

    Now send me your address so I can mail *you* these memories and kill your desire for sex for the next ten years.

  23. Re:storing secrets; security through obscurity on TJX Security Breach Described · · Score: 1

    Don't blame the industries solely. There have been repeated attempts to organize robust encryption in network protocols, for use in data storage, and for various basic computer operations. On the corporate side, it tends to run headlong into the US encryption export regulations, which deal with encryption technologies as materials of war and keep us all safe by trying to make sure we don't provide any to anyone else unless they promise, honest and for real, that they are allowed to have it.

    If you've never dealt with this, go try to download the Kerberos source code, at http://web.mit.edu/kerberos/dist/index.html. While the regulations against exporting encryption have already been ruled unconstitutional at least once, they were simply transferred to another regulatory department and are once again winding their way through the courts,and have been for years.

    The desire by various software vendors to have robust built-in encryption and its kissing cousins, authentication and DRM, are the force behind the "Trusted Computing" tools by Microsoft. The desire to have central control over a registered database of keys that can be accessed at any time by law enforcement or governments, at any time they wish and by any authority they can bring to bear, explains why they use the approaches they've published. Centralized keys for everyone's machines in a Microsoft signed master repository, with the master keys able to unlock or revoke other keys, is at the heart of the technology.

    It may be extremely helpful to prevent this kind of casual hackery: the technology is being built into the latest Intel and AMD CPU's. But you should be very, very frightened of the centralized database and who has official and unofficial access to it.

  24. Re:Firewalls are fail on TJX Security Breach Described · · Score: 1

    Oh, if you want to see that sort of physical security violation, think back to high school and the candy machines and ice cream freezers for the cafeteria. Or go visit Defcon and see how many hacker wanna-be's try, and occasionally succeed, in breaking into the telephone closets or go riding on elevator rooftops.

  25. Re:shaving is for female interest on Boston Judge Denies RIAA Motion for Judgment · · Score: 1

    Lady, just because *you* have to shave at 10 AM to avoid 5 o'clock shadow, doesn't mean the rest of us have to.