Slashdot Mirror


User: Tom

Tom's activity in the archive.

Stories
0
Comments
10,601
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,601

  1. Re:Are you serious? on It's Time To Start Taking Stolen Phones Seriously · · Score: 2

No, it doesn't, because you can already do that. Remember, you are on the carrier's network? He can deny service to you at any time, and he will if, for example, you didn't pay the bill.

    If I'm the NSA and want to get you shut down, all I need is your name, address, birth date or whatever the carrier uses to identify you, and a nice letter to the carrier who'll roll over anyways.

  2. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    That is constricted thinking. If brute-force becomes cheap your scheme is broken

    Errr... you need to upgrade your crypto knowledge. If brute-force means 1 mio. times the lifetime of the universe, and it becomes a million times cheaper, it is still a tiny bit impractical.

    Citing a real-world example, what is the difference between RSA-512 vs. RSA-2048 that you would consider one secure and the other insecure?

    Well, using a real-world metaphor, if RSA-512 is a grain of sand (let's say 10 micrograms) then RSA-2048 is the entire mass of the entire universe. Put into a grain of sand in yet another entire universe, where every grain of sand represents an entire universe and then taking that entire universe and multiplying it by a couple trillion.

    That's not a matter of "brute-force becoming cheap". If every grain of sand in the entire universe were a supercomputer that could break one RSA-512 per second, RSA-2048 would still be secure against brute-force attacks.

    Obscuring the version info increases the cost (time, bandwidth) of the attack.

    Yes, but it is not a security measure. It's a one-time tiny benefit. We recommend it because it doesn't really cost you much and thus it's a net-gain. Real-world example: If you have a server running at a version that has a known exploit in the wild, then you wouldn't consider obscuring the version number as a mitigating action, would you?

    It does not provide security.

    In ASLR you *obscure* addresses from an attacker. It's an important security mechanism, any modern OS is incomplete without it, and there's just no escaping the fact that it is nothing but a form of obscurity.

    No, you don't.
    ASLR has nothing to do with "security through obscurity". Please stop playing tricks with semantics. You won't be able to quote even a single serious source that puts ASLR even in the vicinity of "security through obscurity".

    You're missing my point again, which is that you *should* really be talking about *cost*.

Negative. Cost is one factor, but not the only one. Plus you don't generally know the cost equations of your attacker. Sometimes, work time is expensive, sometimes it is cheap. Sometimes acquiring an exploit is expensive, sometimes it is cheap. Sometimes, all you need is being a less easy target than the guy next door and sometimes, costs don't even matter to your attacker as long as they can afford it at all.

You should be talking about security. Cost is one factor, since most security measures are imperfect. But sometimes, you have one that isn't. One-time pads can not be cryptographically cracked, for example. Cost of cryptanalysis stops being a factor if you use one-time pads, and the efforts shift to stuff like key distribution.

    Established on slashdot, and in journalism circles perhaps.

    Nice strawman, I'm not biting. You are trying to re-define the meaning of the term in order to win an argument.

    Real world example: would you ever let your clients share even the slightest information about a DB schema publicly? Even if you authenticate all entry points? C'mon man!

    There's a difference between "don't tell them if it doesn't serve a purpose" and "the security of this system lies with this being kept a secret".
    If a client would ask me if they should publish their DB schema on their website, I'd not tell them the sky is falling, I'd ask them why. Because the security of their DB should not rest with the schema being a secret.

    I used to work with the SELinux crowd, contributed a couple patches, held a couple talks. For demo purposes, I once put the IP address and root password of my notebook on a piece of paper. With a proper policy, you can do that on an SELinux system. I wouldn't recommend it, but once again, the security of the system rests with the policy and

  3. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

In the sense that SHA has been broken. To cryptographers, that was old news 10 years ago. "Broken" in cryptography means "there is a way to break it that is considerably easier than brute-force". It could still take 10 billion years.

    my point is simple -- there's a ton of other techniques that go into creating a secure system.

    I agree with that.

    and some of those things will fall under what people love to call security through obscurity.

I disagree with that. Security through obscurity is no security. If your system's security relies on obscurity, then it is broken by design.

    Now we do tell our clients to not display the version number of the webserver and stuff, but that's not because it would make it any more secure. It's because a large number of attacks these days are automated, untargeted and to save time and bandwidth they often scan for targets first. It's the old "I don't have to run faster than the bear" approach.

    High cost = high obscurity, if you will. Good crypto just represents the best obscurity there is (and therefore has the highest cost to break).

    I'm sorry, I won't follow there. You're just playing semantic tricks there and re-defining a word. "Obscurity" is not a synonym for "cost". Never was, never will be. If you want to talk about cost, then talk about cost, and not about obscurity.

    This is a pretty standard rule of evaluating threat models -- I don't know why people are resisting it so much.

    Because you are using words in meanings that are private to yourself and contrary to established meaning.

    My initial point was merely this: When security issues are discussed on Slashdot some idiot (several of them actually) will come along and put in a one-liner about security through obscurity being no good -- and that spells the end of rational discussion on the topic. The fact of the matter is that there has always been a balancing act between obscurity, and transparency, and cost when it comes to security, and that clichéd effing line contributes absolutely nothing of value to the conversation.

    Maybe you need to step back and ask yourself why we security professionals - otherwise not exactly known for making anything simple and straightforward - apply such a strict one-liner? It's because too many scammers and idiots have done so much damage to IT security by labelling something as "security" that really was just obscurity.

    And obscurity is not security. Anyone claiming otherwise is trying to sell you snake-oil.

  4. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    First, all your examples are looking at crypto which has long been broken.

    Next, of course circumvention is the technique to use. That's the whole point of a good crypto algorithm: Making sure that the actual encryption is too tough to crack.
    ob-xkcd: http://xkcd.com/538/

    My point still is that asymmetric keys are not some kind of "better obscurity". Obscurity is a non-security theatre crap, encryption keys of some actual encryption algorithm are real security. Won't save you from the xkcd-approach, but other than some obscurity method, it'll force your attackers to actually use a method like that instead of laughing for a minute and then breaking it like a toy because most of the crap out there isn't even as obscure as its victims think.

  5. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    No, it wouldn't.

    You still assume that it takes a lot of effort to figure out your method. Most likely, you are vastly overestimating this factor. The crypto community is littered with the bodies of those who came before you. Well, the bodies of their "clever" schemes, at least.

    Yes, you gain some additional factor. But a) that factor is insignificant compared to the actual workload of decryption, at least if your algorithm is worth anything at all and b) it's a one-time benefit. Basically, you're giving all your machines the same default password. As soon as one person on the planet figures it out and posts it on Usenet, you're fucked.

    That is why we dislike security through obscurity - obscurity is easily and terminally defeated. If someone figures out your encryption key, you can re-encrypt all your stuff with a new key (but the same tools) and you're safe again.

  6. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    Agreed.

I personally think that things have shifted too much towards "responsible disclosure" (which, at least in its originally proposed form, is just a euphemism for "help us cover everything up"). I'm all for telling the vendor first. I don't think holding the rest back for more than a few days gives anyone any advantage at all.

    Because, frankly, most exploits these days are discovered when they're already being used. They are discovered by being used.

  7. Re:huge conflict of interest on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    Studies show 87.3% of statistics are made up.

That's a bullshit argument. In a serious argument, you go with the most reliable evidence you have.

    All I can offer in return is anecdotal evidence.

    Which is worthless. Read stuff like the Verizon report, available for free from their website. That's not the whole truth as a lot of stuff is never reported anywhere outside the company it happens to, but at least it is some data, and actually a pretty large sample size.

    I have yet to see zero-day exploits in the wild, personally.

    That doesn't mean they don't exist. I've personally done forensic analysis on machines that did contain zero-days on them, but that only proves that at least one instance of such a thing exists.

  8. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    Responsible disclosure, so MS has at least a chance to respond -- that's all people are calling for.

    We've been there, done that. Every argument pro or contra full disclosure has been made a hundred times.

    Do you have any statistics I don't know about that show a clear advantage for "responsible disclosure"?

  9. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 4, Informative

    Asymmetric keys are merely *better* obscurity than most other means.

    You are using a false information model.

    "Obscurity" in the context of IT security does not refer to private information of any kind.
    "Security through Obscurity" refers to the false assumption that my ROT13 encryption algorithm is any better if I don't tell you that I'm using ROT13. The assumption being that it'll take you additional time to figure out what algorithm I'm using, making it more difficult to crack my code.
    That assumption is false, because with any actual security measure, the amount of work required to figuring out the algorithm is insignificant compared to the amount of work required to break it.

    Asymmetric keys are not "better" obscurity. You can't break a good encryption algorithm with even a huge cluster. That's the whole point - that I don't need obscurity. I can tell you what algorithm I used, what size my key is, absolutely everything except the key itself - and it'd still take you a century with all the current computing power on the planet to break it.

    Obscurity is usually a weak algorithm that can be broken in minutes once you've figured out the one "trick" they keep secret.

    If you still don't see the difference, re-read Applied Cryptography.
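
The ROT13 point in this comment, and the brute-force scaling point in comment 2 above, as an added example that is not part of the Slashdot comments: a hidden choice of shift is worth fewer than five bits of work, because an attacker who knows the cipher family simply tries all 26 shifts and keeps the most English-looking result, whereas a key space measured in bits grows as 2**bits. The frequency table, the sample plaintext and the guessing rate are constructed for the demonstration; the brute-force figure models exhaustive search of a symmetric key, not the factoring work behind the RSA sizes the comment quotes.

```python
# Added example, not from the comments above: a secret algorithm choice
# (which ROT-n shift) versus a real key space.
import math
import string

ALPHABET = string.ascii_lowercase

# Approximate English letter frequencies (percent), used as a likelihood model.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}

# Constructed sample plaintext for the demonstration.
SAMPLE_PLAINTEXT = "the security of the system must rest in the key and not in the secrecy of the method"


def rot(text: str, shift: int) -> str:
    """Shift every lowercase letter by `shift` positions (ROT13 is shift=13);
    any other character passes through unchanged."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Log-likelihood of the letters under the English frequency model;
    higher means the text looks more like English."""
    return sum(math.log(ENGLISH_FREQ[ch] / 100.0) for ch in text if ch in ALPHABET)


def break_rot(ciphertext: str) -> tuple[int, str]:
    """Try all 26 shifts and return (encryption_shift, plaintext) for the
    candidate that scores most English-like. Knowing the family is the
    whole 'attack'; the hidden shift adds only log2(26) bits of work."""
    best_shift, best_plain, best_score = 0, ciphertext, float("-inf")
    for shift in range(26):
        candidate = rot(ciphertext, -shift)  # undo an encryption shift of `shift`
        score = english_score(candidate)
        if score > best_score:
            best_shift, best_plain, best_score = shift, candidate, score
    return best_shift, best_plain


def keyspace_bits(n_secrets: int) -> float:
    """How many bits of key an 'obscure' choice among n_secrets is worth."""
    return math.log2(n_secrets)


def brute_force_years(key_bits: int, guesses_per_second: float) -> float:
    """Time to exhaust a key space at a given guessing rate (full search,
    assuming no analytic shortcut exists); rate is a constructed figure."""
    seconds_per_year = 365.25 * 24 * 3600
    return (2.0 ** key_bits) / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    ct = rot(SAMPLE_PLAINTEXT, 13)
    shift, pt = break_rot(ct)
    print(f"recovered shift {shift}: {pt}")
    print(f"secret choice among 26 shifts = {keyspace_bits(26):.2f} bits")
    print(f"56-bit key at 1e12 guesses/s:  {brute_force_years(56, 1e12):.2e} years")
    print(f"128-bit key at 1e12 guesses/s: {brute_force_years(128, 1e12):.2e} years")
```

The scoring function is a plain maximum-likelihood test against letter frequencies, which is enough for a shift cipher on a sentence of realistic length; the contrast the comment draws is between the 26-way search here and the 2**128 search that no guessing rate makes practical, which is why telling the attacker the algorithm costs nothing when the key is the secret.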

  10. Re:huge conflict of interest on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    Clue: if he waited and waited until there WAS an exploit in the wild created by a Black Hat, MS might have patched in time. Because he didn't, MS definitely hasn't. Now he is the Black Hat.

Chances are quite good that blackhats already are using an exploit. The days where the black hats were students testing their skills are long, long gone. Most bad guys these days are in the employ of organized crime, and they are experts with a decade of experience. In Russia or China, these are some of the best-paid jobs for a security professional.

    We don't know about this particular exploit, but we do know in general, from things like the yearly Verizon report, about the gap times between compromise and discovery and about disclosure rates of corporations. Both are abysmal.

    tl;dr:

    You assume that he was the first to discover the bug and create an exploit, not just the first who went public with it. Based on past known facts, your assumption is likely to be wrong.

  11. Re:aiding and abetting 8 computer fraud and abuse on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    No.

    We've been there. The discussion about full disclosure is a decade old and absolutely every argument for or against it has been made, back and forth, hundreds of times.

  12. Re:Every society... on Turkish PM: "To Me, Social Media Is the Worst Menace To Society." · · Score: 1

    Be careful what you wish for. There's no reason to believe that social media, like any other tool, can not be used both ways.

    He does have a point there - social media gives a voice to those who don't have one right now. But unlike an election, we have no assurance that these are representing a majority opinion. We all know how loud and apparently widespread a dedicated minority can appear online. Sure, thousands of people on the street sounds impressive, but Turkey has 75 mio. people.

Let's see if you're of the same opinion when the radical Islamists use Twitter to organize themselves.

  13. dumb on Questioning Google's Disclosure Timeline Motivations · · Score: 1

    What a dumb opinion piece.

    The main difference between a client-installed application and a web-app these days is that a patch on a web application is available as soon as you deploy it, while the patch for the client application needs to be downloaded and installed, which is mostly done automatically.

    So, in terms of time, the difference is on the order of minutes, hours at most.

Is it more difficult to create and/or test updates for clients or for browsers? Hard to say, but the difference isn't fundamental. On the one hand you have to test a variety of OS versions, maybe hardware versions, and environments. But you have to do that for any update and for development, so you already have your test lab up and running by the time you need to roll out a security fix. On the other hand, you have to test a variety of browsers and OS versions... and again you already have... basically, same thing with a different test lab.

    Will customers, especially corporate customers, delay the deployment by running their own internal tests and/or waiting for their next internal patch day? Sure, but that's not your problem.

    Can you afford to delay a security fix? No. Ever since Code Red, Slammer and my own and other people's work on various worst-case scenarios for flash worms, we know that a remotely exploitable issue that allows code execution can be used to infect 90% of the vulnerable systems in less time than it takes humans to react with any temporary workaround such as additional firewall rules or service shutdowns.

    And before someone starts the argument: That is true for undisclosed 0-days as well. If some whitehat found it, chances are good some blackhat has also found it already and is at least working on an exploit.

  14. Re:why? on New York City Wants To Revive Old Voting Machines · · Score: 1

    I call bullshit.

    Other countries are also diverse, and they manage to get it done. "Community involvement" is often low, but the political parties have an interest in watching each other, so there's pretty much a guarantee that enough volunteers will show up, if only to keep eyes on the other guys.

    I don't see a political reason to look for alternatives. I see some others that have to do with lobbying and money and other legalized forms of bribery.

  15. why? on New York City Wants To Revive Old Voting Machines · · Score: 2

    Ever since the US election system hit the international news in the first Bush election, the rest of the world has collectively been shaking its head and wondering why the US doesn't adopt the system that almost everyone else uses successfully: Paper and pens.

    Every argument against it has been solidly debunked.

    So what is it that feeds your fascination with deploying the most convoluted, crazy voting machines instead of using the more reliable machines you have in abundance - humans?

  16. Re:journalism on Apple Leaves Journalists Jonesing · · Score: 1

    Nonsense, all of it.

    Apple has multiple revenue streams. Even though I bought the original iPhone and then an iPhone 4, i.e. skipped 2 generations twice, they still made money off me in the meantime, via the App Store.

    And mentioning the Zune is just ironic, because MS is the company that's driven entirely by marketing. :-)

  17. journalism on Apple Leaves Journalists Jonesing · · Score: 4, Insightful

    A good example to watch.

    A successful company, ahead of its markets, does not need a new product every 6 months.
    Journalists, on the other hand, do need news.

  18. Re:New strategy in criminal law? on Jeremy Hammond of LulzSec Pleads Guilty To Stratfor Attack · · Score: 5, Informative

    It's not new in the least.

    It's a standard feature of the legal system. You can claim many things, they can even be mutually exclusive, and the court case is there to check which ones hold up.

    It applies to both sides, as well. Defendants routinely claim that a) they didn't do it, b) they were intoxicated when doing it and c) it was an accident. The geek in you winces that these can not all be true, so how can you claim them all - but to a lawyer, that's not even worth mentioning.

  19. Re:Their country, their rules on First Video Broadcast From Mt. Everest Peak Outrages Tourist Ministry of Nepal · · Score: 1

    You are making a technical argument on a legal issue - see the disconnect yourself?

    The technical and the legal definitions of the word "broadcast" aren't identical. Just like the TCP/IP and the postal service definitions of the word "packet" aren't.

  20. order of action on First Video Broadcast From Mt. Everest Peak Outrages Tourist Ministry of Nepal · · Score: 1

    If you don't like the rules, change them.

    The four boxes should be used in order.
    http://en.wikipedia.org/wiki/Four_boxes_of_liberty

    There are cases when intentionally ignoring the rules is the right thing to do (see Rosa Parks). But that is always after first trying to get the rules changed.

  21. Re:Surprise is that this doesn't happen already on US Entertainment Industry To Congress: Make It Legal For Us To Deploy Rootkits · · Score: 1

    Try to install and run Steam in a restricted user account without ever granting any elevated access.

    Uh, been there, done that.

    Steam starts SteamService.exe

    Ah, there's your problem. You're running an antiquated OS that pretty much already is a rootkit. :-)

  22. Re:..but it's the same for everyone on Eric Schmidt: Teens' Mistakes Will Never Go Away · · Score: 1

    We do in my country as well. And we've had them a lot longer than your country has had them. But as a Euro-nationalist, of course, you wouldn't know that.

I'll leave the argument at this point. There was no reason for an ad hominem attack, and I've got better things to do than getting insulting on a forum. cy.

  23. Re:I could never defend a cyber squatter on Microsoft Files Dispute Against Current Owner of XboxOne.com · · Score: 2

    That's OK, your domain is safe. In the case of xboxone.com, the domain was created based on an existing trademarked name and it was not in active use.

    As a private individual, you can never be sure that pretty much any name you pick is not trademarked as, say, a brand of cat food in Botswana.

    The trademark system and the DNS system should never have been allowed to meet. A trademark always applies to a trade, i.e. a specific area. DNS records don't. You can register a trademark for "Xbox" just fine if it's not for a games console or anything related but, say, a type of gift wrap. But there can only be one xbox.com domain.

  24. Re:..but it's the same for everyone on Eric Schmidt: Teens' Mistakes Will Never Go Away · · Score: 1

    That's a stupid argument.

    Of course there are things one can do, there always are. What it takes is a consensus.

    You can't do anything about people killing each other short of jailing everyone. That doesn't mean you can't make it a whole lot less likely to happen by making it illegal and dedicating resources to preventing it and hunting and punishing those who do it anyways.

We do have laws regulating certain kinds of information (personal data) in my country. And while it doesn't work perfectly, they do provide some assurance and work reasonably well. No democracy destruction has occurred.

  25. Re:..but it's the same for everyone on Eric Schmidt: Teens' Mistakes Will Never Go Away · · Score: 2

    But they were subject to human memory and limited record-keeping. And thus, to a kind of "gossip evolution". Minor stuff would be forgotten, important stuff remembered. And memory is not a very good recording device. Memory is constantly adjusted, memories years old keep changing in your mind, just so slowly that you never notice. There's some really fascinating research into this area.

What does that mean for your village? It means that if you made a big mistake 10 years ago, but then after that came around and became a really positive member of the community, the memory of your mistake will change within people's minds. It can and will change to the point where it has little connection with what really happened.

    This, btw., is why people like Gates or Rockefeller turn towards philanthropy in their later lives, and why it works if you do it that way, but doesn't if you simply leave all your money to charity at your death.