Slashdot Mirror


User: Tom

Tom's activity in the archive.

Stories: 0
Comments: 10,601

Comments · 10,601

  1. Re:Why are people not being alerted? on Misconfigured Open DNS Resolvers Key To Massive DDoS Attacks · Score: 1

    The problem is that people can spoof source addresses (because ISPs aren't stopping it).

    Bingo.

    I wrote a paper about a similar attack (called a reflection DDoS attack back in the day) in 2002. Mine didn't use DNS but a different service, same principle: massive amplification.

    I'm honestly surprised that IP spoofing is still possible today. Have ISPs been asleep for the past decade? The number of legitimate use cases for source spoofing across a WAN (there are a number in LAN) can probably be enumerated in a very short list. I personally can think of... one: Testing if your ISP is stupid.

  2. wrong people on Geeks On a Plane Proposed To Solve Global Tech Skills Crisis · Score: 1, Insightful

    Good idea, bad choice of people.

    The real innovators and creative people are rarely the ones you see in the news or on the boards. More often than not, they are unknown.

    It does take a visionary CEO or such to lead these people and to make their ideas into products; I do not want to diminish the skills of those people. Steve Jobs was one of them. But Steve Jobs did not invent the iPhone - he led a company that did. He inspired the creative people within Apple that did. He created the environment in which they could.

    Finding the really brilliant minds is no small task.

  3. scam on ICANN's Trademark Clearinghouse Launching Today · Score: 5, Insightful

    Seriously? This is so close to various scams that you need a microscope to spot the difference.

    Not to mention that it borders on a protection racket. "Nice trademark you have there. Would be a shame if anything happened to it..."

    ICANN needs to be replaced.

  4. political on Bosch Finds Solar Business Unprofitable, Exits · Score: 1

    The summary ignores the current political situation in Germany (Bosch is a German company).

    For many years now, the government has supported alternative energy with various subsidies, etc. - before you cry foul and wave the flag of market capitalism, let me remind you that coal and especially nuclear power are also heavily subsidised. Without government "interference", there would be no nuclear power plants, because the technology would not have been developed.

    But that's not the point. The point is that originally the plan was set with a long-term strategy, reducing subsidies yearly in the anticipated speed of the technology maturing so that in the beginning, when R&D costs are high and profits low, the subsidies are high to compensate, and over time, as the technology becomes more profitable, subsidies drop.

    This system also provided players in the market with a reliable environment they could count on, making venturing into this market less risky.

    The current government has gone to great lengths to destroy that environment. They've been keeping discussions about extra and faster reductions of the subsidies in the news continuously for years, and have taken several steps to actually cut them. From people I know in the industry, the cuts are not the bad part, the uncertainty is. It makes any investment a high-risk project.

    Some commentators say this is all due to alternative energy growing quickly and the old energy companies becoming unhappy because, contrary to what they thought, they can't control the market. Both wind and solar (the two primary sources of alternative energy in Germany) are mostly used in a de-centralized, small-plants way. There are very few huge wind or solar farms.

  5. Re:Not news on Schneier: Security Awareness Training 'a Waste of Time' · Score: 1

    Couldn't have said it better. You and I should exchange notes on some of our talks one day. :-)

  6. Re:I thought features were passe? on Google Keep Labelled "Delete" · Score: 1

    Well, it depends.

    Real applications I really want to run on my desktop Mac.

    There are two classes of apps that I want to run online, though. Either as a cloud/online app or on the web, I mostly don't care which it is.

    One, teamwork stuff. Redmine or a Wiki or other collaboration tools really rock if you've got a team distributed around the world.

    Two, "always with me" stuff. I use Evernote and tools like that because there's some stuff I know I will need when I least expect it, and then it is really good to take out your smartphone and be able to access it.

  7. Re:Not news on Schneier: Security Awareness Training 'a Waste of Time' · Score: 1

    You are correct that nothing is ever 100% safe against accidental or intentional mis-use.

    That is not a reason to not make it 99% safe, however. Or as close to 100% as you can be.

    Would you fly in an airplane if nobody had thought about making sure it doesn't explode in mid-air or the wings fall off? Of course not. But you probably know that airplanes aren't 100% safe, and a number of them crash every year.

    Same with security. We never get 100%, but we try to be as close as we can manage. And making systems fool-proof is of the same category. There will be something you missed. Doesn't mean you shouldn't try.

  8. Re:Not news on Schneier: Security Awareness Training 'a Waste of Time' · Score: 1

    Parent is correct in everything.

    Here's another piece of the puzzle: Mobile devices, or rather: The data on them. At the last contract I worked, I went some distance with the CTO to get language into the security policy that assures users that nothing bad will happen to them if they lose hardware or suspect it's stolen, and that they really, really need to report such immediately. Even if they just suspect it's lost. Better to report it as stolen and find it the next day than give the bad guys a day to use it.

    That is why I'm an enemy of the whole security awareness and user training and other stuff that basically makes the users responsible and still has this 1990s attitude of "the user is the biggest security problem" attached to it.

    Mind you, I've been part of that crowd before I wised up. So I think I can tell them in no uncertain terms that that's fucked up, because I used to make the same mistake.

    But you can not expect user cooperation and call them lusers, noobs, security problems or PEBCAK at the same time.

  9. nothing on Ask Slashdot: What Is a Reasonable Way To Deter Piracy? · Score: 1

    [x] none of the above

    I've been in your shoes, releasing and selling an add-on tool for a 3D engine. My approach was no copy protection whatsoever. Instead, I offered my customers a fair deal and appealed to their good nature by offering them the same package for 4 different prices (10, 20, 30, and 50 US$). While that sounds weird, it worked. I added descriptive labels ($10 student/amateur, $20 indie, $30 big indie, $50 pro) and told them that if they don't have much money, they are free to pick the lowest price, that's totally ok.

    It turned out that half of the customers voluntarily pay more than they have to. And I'm not aware of any piracy. There's probably the odd guy who gave his copy to his friend, sure. So what?

    In the area you and I are in, piracy isn't that much of a problem, I believe. Contact is more personal, we aren't faceless corporations, and frankly, spending two hours on improving the tool will very likely do more for your bottom line than adding even a serial number check (which is also code that needs to be written, tested, etc. etc.)

  10. Re:Not news on Schneier: Security Awareness Training 'a Waste of Time' · Score: 1

    And I believe that even these "simple" seeming user mistakes have underlying root causes.

    For example (because I gave a talk about that, I've done the research) - why do people write down passwords? Could it be, at least in part, because we ask them to remember crap like [|+DU%:,9}v2 -- actual output from an online password generator!

    Nobody who has other hobbies can remember that, much less 20 of those (because we also tell people to not re-use passwords).

    Solution: Write it down.

    Here's how I solved this problem when I wrote the security policy for a medium-sized company last year (yes, you can hire me): People are allowed to write down passwords into secure tools dedicated to this purpose; IT will supply you with a list of tools they approve of for your mobile phone.

    Perfect security? No. But much, much better than post-it notes and something you can actually teach employees. You don't need an awareness training for that. Everything the user needs to know fits on a nice list that fits on one page of paper.

    ob-xkcd:
    http://xkcd.com/936/

  11. Re:Not news on Schneier: Security Awareness Training 'a Waste of Time' · Score: 3, Insightful

    I really do not see how you can avoid security awareness training.

    To use a metaphor from my most recent talk: If you need to write "push" and "pull" on your doors, then they are designed badly. Same for security awareness. Improving the security tools is better than telling people how to safely handle broken tools.

    but users do happily respond to really poor phishing attacks

    Yes, they do.

    And all the security awareness training we've been doing for two decades has made which sustained change, exactly? That is the point. Not that we don't have a security problem, but that security awareness trainings are not a good way to solve them.

    Security is as much as a social problem as a technical one, and you simply cannot ignore the social aspect.

    I don't. On the contrary, I believe the security awareness training advocates do. They think that just telling someone solves the problem, when overwhelming evidence to the contrary proves them wrong.

    I believe the solution lies in asking a) why and b) how the users break security protocols and then tackling those issues, instead of telling them "don't do it" and thinking you've solved the problem.

    As someone else quoted earlier: never underestimate the ingenuity of complete fools.

    I believe calling the users dumb and fools and "lusers" and such is a cop-out. It's an easy pseudo-solution to avoid the real problem, which is not so trivial. Redesigning your concepts, protocols, hardware and software to be fail-safe (or idiot-proof, if you want) is hard. Much harder than shoving everyone into a room to listen to a boring lecture, 90% of which they'll have forgotten as soon as they're out the door.

  12. Not news on Schneier: Security Awareness Training 'a Waste of Time' · Score: 3, Informative

    Nice to hear it from someone with a big name. I'm an IT security specialist, giving talks every now and then, and I've basically been saying the same for years now. It is one of the topics where I face the most fierce opposition, usually from (big surprise) consultants and other people who offer security awareness trainings.

    I've been doing this for so long that I can sum it up in one sentence by now: If security awareness trainings worked, don't you think we would be seeing SOME effect after doing them for 20 years?

    Of course, I am exaggerating a bit to make the point. I do think that training to make users familiar with specific security protocols is useful. I don't think general security awareness is. There is a plethora of reasons why it's a failure, from the context-specific nature of the human mind to the abstract level, but the main reason is that we have enough experience to show that it really is a waste of time and resources. Putting the same amount of money and effort into almost any other security program is going to give you a better ROI.

  13. Memories on Villains & Vigilantes Creators Win Lawsuit, Rights To Game · Score: 1

    One of those games that I loved and then it was unavailable. I had a copy of the rulebook borrowed from someone who still had one. The game was so-so, but it had a couple really cool ideas and concepts, starting, of course, with character creation.

    I hope there'll be a new edition out now. Please?

  14. Re:Hopefully, EA's Frank Gibeau gets the message on Electronics Arts CEO Ousted In Wake of SimCity Launch Disaster · Score: 2

    would be to destroy a man's livelihood

    Please. We are talking CEOs here. They can live comfortably on their savings for a decade, provided they didn't blow it all on whores and drugs.

    I'm all for sympathy, but against handing it out indiscriminately. Doing so reduces the value of the times it really is meaningful.

  15. Re:Perception is reality on Microsoft To Abandon Windows Phone? · Score: 4, Insightful

    You're misreading the quote you quoted. It doesn't say this is fact, it says this is image. Or, in other words, after the past experiences we've had with MS products, nobody sane would even consider buying a phone from them.

  16. Re:RTFA on Microsoft To Abandon Windows Phone? · Score: 1

    18 months sounds like an incredibly stupid length, though, given that most mobile phone carrier contracts are 24 months.

  17. Re:Because the Vatican Has Its Own TLD? on Cyber Squatters Grab Up More Than 600 'Pope Francis' Domain Names · Score: 1

    None of this really matters considering Vatican City has its own TLD of .va

    My first thought upon reading the summary. What are the spammers going to do with... oh, damn. Great, so we're going to see "forward this post to 100 of your friends or your soul is damned, also, you can buy absolution online" spam?

  18. Re:since you asked... on Ask Slashdot: Mac To Linux Return Flow? · Score: 1

    If you use Spotlight to launch programs, you'll love Alfred, or Quicksilver, or any of the other launchers:

    http://www.alfredapp.com/

  19. Re:Oracle sucks. on Solaris Machine Shut Down After 3737 Days of Uptime · Score: 2

    Actually, last I checked Linux can not show you an uptime of 3737 days.

    No, that's not a dig on Linux being unstable. The real reason is both more boring and more interesting at the same time. A Linux system with that kind of uptime would have to be running a kernel from a time where the uptime counter overflows after around 400 days.

    And yes, I've seen that happen. :-)

  20. 10 years up, 1 day until copyright removal on Solaris Machine Shut Down After 3737 Days of Uptime · Score: 1, Informative

    If you live in Germany, the video is unavailable. Apparently it contains some music from UMG (or someone claimed it does).

    10 years of uptime and one day until the video was killed by the copyright mafia. Way to go, guys!

  21. Re:since you asked... on Ask Slashdot: Mac To Linux Return Flow? · Score: 1

    Yes, and I've written about them at length when I still cared. These days, all that's left is instinctive. It just feels wrong, all over. I could start on individual points, but that would create the wrong illusion that these are the real problems, and people would begin providing solutions. That's like talking to a cancer patient with 3 months of life expectancy and telling him that he looks horrible, but a little make-up can fix that, so see there, problem solved, now cheer up.

    And if I were to attempt a full list of everything that's wrong and why - get me a book contract and I'll consider it, because that's going to be the mother of all lists.

  22. Re:since you asked... on Ask Slashdot: Mac To Linux Return Flow? · Score: 1

    and by the time Lion came along, iOSsification had already made it unbearable.

    Can you elaborate on what exactly you're talking about? I also own two iOS devices, and I haven't noticed much of this "iOSification" that people keep talking about. Ok, Launchpad. I think I used that once to see what it looks like, but since I have Alfred installed, I can ignore it completely.

  23. Re:since you asked... on Ask Slashdot: Mac To Linux Return Flow? · Score: 1

    Never change a running system. I've been running Debian servers for more than 15 years, I know their quirks, and my main priority is that they work, not learning new quirks.

  24. Re:There and back again on Ask Slashdot: Mac To Linux Return Flow? · Score: 4, Interesting

    2009 must've been a different year.

    I installed a PostGIS, Apache, PHP, QGIS, mapserver stack on both a Debian server and my OS X desktop. Getting it to run on Debian required moving the entire server to unstable, but after that it was easy and painless. Getting it running on OS X required a few manual downloads, but no other troubles.

    I mean, if you're happy then all is good. I'm just saying. Because I just did mostly the same thing.

  25. since you asked... on Ask Slashdot: Mac To Linux Return Flow? · Score: 3, Insightful

    You can have my Mac when you pry it from my cold, dead fingers. :-)

    I'm not going back. I'm exactly as you describe - my desktop runs OS X and my mobile devices run iOS, but my servers run Debian.

    Neither of which is going to change. Specifically, you would have to shoot me before I use Windows as my work environment. I'm happy that I can run a very similar environment on my OS X and Debian machines, which makes development just so much easier. I boot Win7 once a decade or so when I want to play a Windows-only game, though mostly I pick games available for OS X (Guild Wars 2, League of Legends, yeah!). Every time I have to use Windows for anything other than launching the game I want to play, I cringe. It's just so... words fail me. I don't understand why it's not considered a violation of human rights.

    You wanted emotions, there you've got 'em. OS X is the best desktop I know. Debian Linux is the best server operating system I know. Windows is the best reason to shoot someone.