Slashdot Mirror


User: vux984

vux984's activity in the archive.

Stories
0
Comments
10,772
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,772

  1. Re: #1b: an Open UEFI Foundation for ALL DISTROS on UEFI Secure Boot and Linux: Where Things Stand · · Score: 2

    Then install your own key or disable secure boot. What else could you possibly expect to do? Secureboot isn't an issue for anyone running their own bootloader and kernel.

  2. Re:That *niche* market. on RIM CEO Says Company 'Seriously' Considered Switch To Android · · Score: 4, Interesting

    The Blackberry system ranges from not very secure at all to almost as good as you could get making your own.

    We talking BES or are we talking BIS?

    BES

    The base security model is as good as anything you can do rolling your own server using proprietary software. But the handset management and controls are unmatched. iphone or android + some linux server at the backend with SSL enabled isn't even in the same league. Sure they both do end-to-end email encryption, but that's about where the comparison ends. You cannot lock down and manage ios (or android) to anywhere near the same degree, unless your 'make your own' includes providing your own secure managed handset operating system... Android could be the basis for one but to my knowledge the 'community' has so far only focussed more on defeating carrier restrictions to open the platform up, not to deliver enhanced security and IT policy controls. You can't compare BB/BES to a theoretical open source handset OS that doesn't actually exist. Thus: BES is unmatched.

    BIS
    BIS is better than what you can accomplish with other handsets using a hosted 3rd party solution. The security is just as good as any other hosted solution -- but any two unrelated BIS users can communicate securely with no coordination.

    If your a drug dealer, how do you communicate securely with your contacts? Do you setup a linux server with SSL and then setup accounts for all your customers and distributors?... And run a help desk to provide them support when they have trouble sending messages?

    BIS gave them all that. Admittedly as a hosted service it was always known that RIM in Canada had the keys... and you had to trust them. And kudos to RIM for holding out as long as it did. And by making this a very public argument, RIM may ultimately have given keys to india, but at least the consumers aren't being decieved. Unlike say the secret NSA closet at your local ISP.

  3. Re:That *niche* market. on RIM CEO Says Company 'Seriously' Considered Switch To Android · · Score: 1

    Apparently there's some debate regarding if that's true or not.

    To which I'd reply
    http://crackberry.com/rim-encryption-keys

    I don't dispute there is some debate. But at this point I have no reason to doubt RIM, and think it is probably sensationalist headline grabbing... or just outright bad journalism.

    But given that all other corporate email systems... whether its exchange or dovecot or scalix or lotus notes all offer handset to corporate server encryption the whole notion that RIM would even be expected to be able to do this difficult to accept.

    I am definitely interested in knowing the truth. But I think the burden of proof lies squarely with those asserting its even possible to intercept BES communications.

  4. Re:That *niche* market. on RIM CEO Says Company 'Seriously' Considered Switch To Android · · Score: 1

    LARGE enterprises run their own BES

    And small ones run BES Express. Lots of them do it.

    Are you sure? What's to stop RIM from putting in their own backdoor?

    What's to stop any software you use from putting in their own backdoor? So, sure, I'll stipulate that its possible... in any hosted/proprietary system. Including the alternatives.

    ? The security from a system like that is necessarily LESS THAN OR EQUAL TO, not MORE THAN (as the GP claimed) any other solution you install yourself. If you use a closed VPN or sIMAP server you get approximately equal security,

    If you use a closed VPN or sIMAP server you get approximately equal security, if you use an open one you get better security.

    Apples to Oranges, and security is only half the concern - reliability is the other half.

    The use case for BIS and the "problem" it posed the Indian government was that two *unrelated* users could each go buy a blackberry independantly and with no setup or coordination exchange messages securely.

    Criminals didn't have to build, manage, and self-host systems and then also manage secure interconnects between them. All of which would still have been vulnerable government seizure within the country, interpol seizure in many other places, and if nothing else they could disrupt the network by blacklisting the ip addresses of the international entities hosting the service at the national edge routers.

    This was pretty much where things were headed with BIS - India was threatening to block it outright.

    Now, I challenge you to build a secure open source network and connect to it from inside the borders of a country where the government is intent on intercepting communications, or if that is not possible disrupting the network so that it can't be used at all. For bonus points also make it zero configuration for end users.

    That was pretty much BIS in India. The governement couldn't tap it. Blocking it outright was a nuclear scale measure because it was used massively by legimate users. And all you needed to do to use it was "buy a blackberry" setting the bar for criminals to use it effectively extremely low.

    Nothing you could construct could even come close. Sure you may be able to setup a secure VPN and mail server...and be safe from borderline conspiracy theory back doors. But so what? A couple phone calls and either your server is in custody or it can't be reached from inside the country. Sure you could play some fancy games with international vpns and proxies but the bar to use this system would have been raised massively. You think every drug dealer and small time fence in the country would be on that system?

    Not foolish at all. I don't use gmail for anything sensitive either (and I work in health research, so I do actually send sensitive data occasionally). In fact, it's contrary to US, European, Canadian and international law to use gmail for certain things, BECAUSE Google has the encryption keys.

    You missed the point. I didn't say it was foolish to note that a given host had the encryption keys. I said it was foolish to complain about a given host when ALL HOSTS work exactly the same way.

  5. Re:That *niche* market. on RIM CEO Says Company 'Seriously' Considered Switch To Android · · Score: 2

    I think the point he's making is that the channels aren't "double blind"; e.g. like a hashed-salted password.

    I don't think your password example really fits, but I get your point.

    But he criticised BIS with the phrase "their security isn't very good" while suggesting SSL enabled SMTP/IMAP is "far superior". That is plainly ignorant or dishonest.

    Encrypted IMAP/SMTP certainly isn't "double blind". And unless you are self hosting the mail server, and only send to recipients on that mail server it has FAR FAR more trust issues and vulnerable points than pin-pin messages over BIS.

    So, with that as context, I remain convinced the poster I was responding to had no idea what he was talking about.

    Realistically the only way to do better than BIS is to self-host. BIS is as good as a hosted service can be.

    If we -wanted- a double-blind 3rd party hosted communications channel -- the only way it would ever be truly blind to the host would require an out of band key exchange with your intended recipient -- and that's hard to do.

    And even then the host would know who and when you were communicating. To beat even that then you need out of band key exchange with the recipient, a decentralized p2p service like tor for message transit, and to generate noise traffic on all endpoints to ensure the carriers/ISPs can't pinpoint communications based purely on traffic timing analysis.

    You aren't going to get all that from a simple "hosted service".

  6. Re:That *niche* market. on RIM CEO Says Company 'Seriously' Considered Switch To Android · · Score: 1

    Oh that's fine then, given that covers the majority of users ( non-corporate ) and the most innovative small companies.

    Again, this is no different or worse than any other hosted service.

    If you are using hosted exchange, your host has the keys. If you are using hosted encrypted IMAP your host has the keys. If you run everything through a VPN host, your VPN host has the keys.

    Do you honestly not see that as a problem?

    No, if you truly care about security you self host, because everyone knows that if you use a hosted service the host has the keys.

  7. Re:That *niche* market. on RIM CEO Says Company 'Seriously' Considered Switch To Android · · Score: 4, Informative

    Bull. The very fact that RIM CAN give away the keys to governments (or whoever they like) means their security wasn't very good.

    You don't know what you are talking about.

    They gave away the keys to BIS. That's the service they HOST THEMSELVES used mostly by individuals and small companies who don't want to host their own server. Of course they have the keys for it.

    BES (blackberry enterprise server) is the enterprise service. Enterprises run their own BES on their own hardware under their own control. RIM doesn't touch it. RIM hasn't (and can't) give away the BES keys because the enterprise has them not RIM.

    But complaining about RIM having the keys to BIS is as foolish as complaining google has access to the encryption keys to https://www.gmail.com/

  8. Re:It would have counted me too on 400,000 American Homes Have Dumped Pay TV This Year · · Score: 5, Insightful

    At-least watch Olympics

    Why do I need to watch a corporate orgy of sponsorship and advertising where the public foots the bill and they take profit?

    So I can see which individual blessed with the right genes and the most funding can run faster or jump higher?

    I'd rather watch a Coke commercial. At least its not pretending to be something its not, and it usually has good production values.

  9. Re:Year of... on Valve Shares Performance Numbers On Port of Left4Dead · · Score: 1

    Desktops are dying anyway, almost everyone has moved to laptops.

    As much as i dislike Steve Jobs, he got this right: "Desktops are like trucks".

    Desktops are like trucks in a world without cars., and then introduce cars and see what happens to trucks.

    Introduce cars (laptops) and what happens to trucks (desktops)?

    A lot of people who used to buy trucks will now buy cars. But a lot of people will still buy trucks, because they need trucks. The market for trucks will shrink, but its not going to die.

    I guess to carry the analogy further...tablets are like scooters or maybe those little smart cars. They aren't going to kill cars (laptops) or have any further effect at all on the market for desktops (trucks).

  10. Re:Oracle vs Google on How Apple v. Samsung Was Explained To the Jury · · Score: 1

    only Ford can make something with 4 wheels and a body (a form so established) - but we know that's not true, because we have thousands of car models... but you can differentiate a Honda from a BMW from a Hyunday at a distance...

    Now try differentiating LCD monitors or big screen TVs. Sure the ones with some flair stand apart, but the minimalist ones? Good luck...

    all black - check
    rectangular - check
    aspect ratio -- same
    rounded corners - check
    small black bezel - same
    power LED - on bottom bezel check
    small row black button controlls on bottom bezel check
    matte screen

    lets see... I have an HP, a Dell, and a Viewsonic and I'd have to look for the logo to tell them apart. Do you think a lawyer could tell them apart from accross a room? I don't.

  11. Re:A bit over the top on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    What about ARM?

    What about it? WinRT (arm) is to Windows 8 (x86) what ioS is to OSX.

    Is the boot loader locked on your iThing?
    How many boot loaders are locked on arm Androids?

    I agree they shouldn't be, but Microsoft isn't breaking new ground here by locking its ARM devices down. And they aren't leveraging their desktop monopoly to do it.

  12. Re:Boo hoo! on Swiss Bank Threatens to Sue NASDAQ Over Facebook IPO · · Score: 1

    Exactly. Absence of a confirmation is not confirmation that there is no order.

    Why not? If I send a TCP packet over the wire and don't get an ACK, within the window, then the protocol is to retransmit. If you don't get an ACK, you assume the packet was lost.

    In that case, the transactionally correct action would be to cancel the original order, and receive confirmation of the cancel, before attempting to place another order.

    So... what happens if Nasdaq has received the order, sent the confirmation back and then filled the order?

    Meahwhile, although nasdaq sent the confirmation, an error of some sort prevents it from being received. That looks the same to the sender as not having received it. So now you argue the swiss bank's proper course of action is to cancel the order it actually wanted to make and which has already been filled.

    I'm not sure that's even possible, never mind correct.

  13. Re:Brace yourselves on Windows 8 Is Ready · · Score: 5, Informative

    No sub directories? The whole thing turns microscopic if you install too many things?

    Uh... no... it pages.

    Apps mixed in with what you're actually looking for? Ugh.

    Uh... no... search results are categorized.

    I don't dispute that you are a UI designer, but I seriously question whether you've actually used Windows 8 yet.

  14. Re:Betteridge's Law (OH SNAP!) on Should Developers Support Windows Phone 8? · · Score: 1

    It would be more interesting seeing statistics of sold games

    Why would that be 'more interesting' ? Because 'as a developer' 3rd party attach rate is a really important metric? Right? But then you claim that most 3rd party offerings for the platform are: and I quote "shallow crap". So even if we knew the 3rd party attach rates and could confirm your hypothesis that its lower on the Wii that wouldn't realy be interesting at all... we already have a hypothesis explaining why the wii attach rate is low: most of the games are shallow crap.

    The wii buyers seem to be the least likely to buy games since most are shallow crap.

    You agree the Wii has a 50% larger installed base.

    You then assert it simultaneously suffers from a weak library without enough good games.

    Wouldn't the smart thing be to write a good game for the Wii?

  15. Re:Oracle vs Google on How Apple v. Samsung Was Explained To the Jury · · Score: 2

    Apple ain't making that mistake.

    Yes, in this case, the form factor being fought over is called a "tablet" a form so established, we can find examples of 'rounded rectangle tablets for displaying content' that date back to when humans discovered you could bake clay.

    Its not a new design.

  16. Re:Interesting note about the robot on Giant Mech Robots From Japan · · Score: 2

    I guess the OSX version would be:

    Operator: Kill pedestrian *points at a little grandmom with a walking-aid*
    OSX: ---- no response
    Operator: clicks the little lock next to the triggers to unlock it
    OSX: please enter an admistrator password
    Operator: type type type type type
    OSX: loading bullets, barbershop pole
    OSX: loading bullets, barbershop pole
    OSX: loading bullets, barbershop pole
    OSX: loading bullets, barbershop pole
    OSX: loading bullets, barbershop pole
    Operator: any day now
    OSX: loading bullets, pinwheel
    Operator: uhoh
    OSX: loading bullets, pinwheel
    OSX: The operation could not be completed.
    Operator: No shit. Why not?
    OSX: An unexpected error occurred.
    Operator: thanks for nothing.
    Little grandmom: *already safe at home making tea*

  17. Re:A bit over the top on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    As long as Windows 9 can be booted from the same bootloader as Windows 8, SecureBoot in UEFI wouldn't get involved.

    Otherwise it would get involved.

    The most common time to install Linux on a computer is when it is brand new, out of the box. Most often before it ever boots into Windows.

    No. People buying windows PC dedicated to installing Linux on first boot know will how to go into UEFI to turn of secure boot, and will be comfortable with that. They won't have any trouble.

    The people Red Hat and Canonical are looking to help don't buy a dedicated computer for Linux, they either try linux using a liveCD on their windows PC, or they decide to try linux on an older used PC they have... that previously ran windows. Those are the people secureboot impacts on.

    But the most key point in this is that the option exists to sign whatever you choose with a 1 time key, quickly and easily so that other OSes are not unfairly disadvantaged by an overly complicated procedure.

    One major problem with this, as I have already said, is that it does nothing to authenticate that the bootloader you are self-signing has not been tampered with.

    Ideally, there would be a simple "install OS" option in the UEFI that would take care of clearing out the old key and signing the new OS.

    But it would still require users go into UEFI. If we assume users can go into uefi without trouble, disablign secure boot is a non issue.

    An hour's thought could have come up with any number of better approaches if the real goal was actually securing the system for the user,

    I'm not sure how much time you've put into it, but your suggestions so far fall short if the 'it-just-works' scenario that's actually in place with preloaded windows 8.

  18. Re:All of them on Mac OS X Mountain Lion Gets Three Million Downloads In 4 Days · · Score: 2

    Yes, and everyone who bought mac in the last few months had it ship with lion, but was entitled to upgrade and download mountain lion for FREE.

  19. Re:Not really surprising. on Ubisoft Uplay DRM Found To Include a Rootkit · · Score: 1

    Steam passes the evilness checks with only a few caveats

    As long as you remember its a glorified rental service, and despite everything being presented as a purchase the fine print claims its a subscription.

    You will have to go online at least once to authenticate

    Agreed. No real problem here. When you are buying them online anyway being online at least once isn't a problem. Its a little more disagreeable when they sell you the game in a box and you still need to instal and register with steam though.

    you need to prepare a bit ahead of time before going offline

    And that's getting harder and harder what with steam cloud for save games, game settings, acheivements, etc. Even single player games are often tied to being online, so that you can't just "go offline".

    and it does encrypt pre-loaded games.

    Pre-ordered games you mean? If so I can't imagine how anyone could be upset by this, the game is unreleased until date X? In a perfect world with unlimited bandwidth they simply wouldn't let you have it until date X, but letting you pre-download an encrypted copy does spread the load on their servers a bit, and I can't get upset by that. The alternative would really just be that you can't download it until release date, and then instead of playing on release day you can sit through a big download instead.

    And then there's the whole "no reselling/used games" thing, but honestly, I'm fine with that. I've never found selling my old games to be financially worth it, and the very phrase "used digital games" is an absurdity.

    I've never re-sold games myself either, but easily 2/3rds of my Wii library was picked up used, so I'm definitely going to miss the used market as it goes away.

    However, while I don't have much interest in reselling games, I -am- regularly bumping into steam restrictions. I'd like to lend my brother games I've finished for example.

    I'd like my wife & kids to be able to play games on my account without it being a royal HASSLE. And without it being a violation of the ToS. Just the other day my daughter wanted to play one of my games which was fine and I logged her in and got her going, and then an hour later I wanted to play one of my other games... and oops nope... can't ... both games are on the same steam account. That's just wrong.

    And since I absolutely AM going to violate the ToS and let my wife and kids play "my" games. It would be nice if they could have their own steam friends etc. The guys I play games with are not the same people my kids play with.

    What I'd really like are "family accounts" -- one library, a limited number of logins accounts that can access it. With parental controls on some of the logins restricting what games they have access to, and preventing them from spending money, etc.

    Each login has its own friends list, etc.

    I'm of course, perfectly fine with limiting a given title to being in use by one person at a time. And it would be nice to be able to add a 2nd or 3rd copy of a title to a single catalog then. (at a discount?!) for multiplayer fun.

    Would there be some potential for abuse? Sure, I guess, some potential... but really, the people who would abuse it are already sharing their steam passwords between friends, or creating separate accounts for each steam game and trading them around. So it just gets easier for legit users.

    And finally, there should be a way of severing a catalog in 2 and splitting games between two or more users. Ie... "transfers of ownership of games". It doesn't need to be "free for all reselling" but kids grow up, couples form and split, kids move out, households sharing accounts need to be able to divide things up. If one could redistribute the catalog between accounts... hell it could be limited to 1 time per year, and cost 10 bucks to do it, and I'd still be fine with it.

  20. Re:A bit over the top on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    My proposal wouldn't affect drivers at all, each link in the chain is free to handle trust any way it sees fit

    Right, pardon me. It would still impact the upgrade path to Windows 9 potentially though.

    And I'm not sure what it really accomplishes in terms of making other OSes easier to support? Your new dell comes shipped with windows 8 preloaded and secureuefi disabled, and on the first boot the system offers to secure itself and enable uefi?

    a) So their is an opportunity to infect the system prior to UEFI being enabled, especially if you use it at all prior to enabling it.

    Self signing your already infected and rooted system is counter productive.

    b) It doesn't make installing other OSes any easier for end users -- unless the user takes delivery of the system, and immediately installs linux before enabling secure boot. Once they've clicked yes to the prompt, they are back to going into uefi to manually install keys or disable it.

  21. Re:A bit over the top on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    I'd suggest that most people using smaller distros will be tech savvy enough to go into uefi to disable secure boot.

  22. Re:A bit over the top on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    There's no need for the Microsoft key at all if the REAL reason for this is to protect the user from viruses and trojans. The system could create a key pair on the spot, sign the OS, set the public key as the root and discard the private key.

    Secure boot affects all kernel mode drivers. Your "solution" prevents driver updates, not to mention most hardware upgrades. It also prevents easily installing Windows 9 down the road...

    I'm fairly sure the user would just click OK because I have yet to hear of a warning message sufficiently dire to prevent click through.

    Do you have any idea how often I boot up a 6month+ old computer and half the OOBE popups are still there nagging for an answer. The owner just clicks close or later on them rather than making a decision. This is not uncommon at all.

    A LOT of users will click "later" or just close window and defer the decision to the future indefinitely if the software gives them that option.

  23. Re:gun safe? on How a 3-Year-Old Can Open a Gun Safe · · Score: 1

    Interesting comment. I'm not trying to be a an ass, I'm genuinely interested ... do you have a source for that?

  24. Re:A bit over the top on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    And they all suck so much that they have to choose "e" which is not even in the standard.

    e) cost the distro $100 bucks, and made even the slight effort of disabling secure boot disappear.

    That says everything you need to know about UEFI provisions.

    Yes it does. It tells me that Red Hat couldn't figure out a way of getting its key installed on every motherboard built for less than $100 bucks. You know what? I can't either. And if I spend more than an hour trying to think of a better solution, it's going to cost more than $100 of my time...

  25. Re:two problems on OpenBSD's De Raadt Slams Red Hat, Canonical Over 'Secure' Boot · · Score: 1

    1) They can only install other OSes on x86 machines. On ARM they cannot. There will be no rooting your Win 8 phone/tablet.

    Same as you can't root your iphone or ipad (without jailbreaking it)
    Same as a bunch of androids.

    Indeed, same as you can't root your xbox 360...

    Win 8 ARM or "Win RT" is a different product in a different market, and that market has different norms. I am not suggesting they are good norms, but lets not paint microsoft as doing anything to change the norms. They certainly aren't leveraging its desktop monopoly to bring about changes in the ARM device market.

    2) As they point out, making non-technical people boot into the bios and disable secure boot is a significant barrier to allowing them to install other OSes.

    Yes. Putting a lock on the front door to keep thieves out also serves as a significant barrier to your neighbor getting in while you are away on vacation to turn the stove off... and yes if you want your neighbors to get in you have to go get an extra key cut and trust your neighbors with it, and so forth.

    Yes. Security is a "barrier". But its not an unreasonable one.