Slashdot Mirror


User: betterunixthanunix

betterunixthanunix's activity in the archive.

Stories: 0
Comments: 6,598

Comments · 6,598

  1. Re:Which editor should he use? on Ask Slashdot: Best Linux Distro For Computational Cluster? · · Score: 1

    The POSIX standard editor of course.

  2. Side channel attack on Chapel Hill Computational Linguists Crack Skype Calls · · Score: 5, Informative

    The wording in TFS is a little misleading; they did not "crack Skype encryption," they found an exploitable side channel in Skype. The crypto itself has not been cracked, but it was being used in a way that leaked lots of information.

  3. Re:Does the principle apply to Linux? on Mac Malware Evolves - No Install Password Required · · Score: 1

    Personally, I was looking at it as a pain in the ass from a user perspective more so than an admin perspective.

    Only for those users who are adept enough to write their own scripts and programs; I would like to think that such users are not going to be downloading MacDefender.

    noexec is a pain in the ass for your home dir as a user, and is only really useful if they have no way they can write to any location that isn't noexec, which is easy enough to do, but easy enough to miss someplace as well.

    One nice thing about SELinux is that you can ensure that a user is unable to execute any file that they themselves created, or any file that another user at the same access level created. Combined with a policy that prevents users from executing programs that interpret scripts that could potentially modify the user's environment or write/modify files in their home directory (i.e. bash), or perhaps only allows such programs to be executed in a sandbox, you can mitigate quite a few PEBKAC-exploiting attacks.

  4. Re:Does the principle apply to Linux? on Mac Malware Evolves - No Install Password Required · · Score: 1

    If you're not using a Fedora-based OS then SELinux probably doesn't work,

    Well, there is also AppArmor, TrustedBSD, TrustedSolaris, etc. The real point here is that mandatory access control does not have to be a hard thing to use, especially if you are trying to do something common like prevent a particular user from executing programs in their home directory. I cannot comment much on how easy AppArmor/etc. are to use, since I have not actually used them.

    You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike.

    That screams "problem" to me, but theoretically an SELinux policy could be written to allow this for whatever specific program needs that privilege. I have tried a few lightweight things with SELinux, and there are quite a few surprises -- like the fact that Firefox tries to mark its stack as executable (seriously, in 2011, a web browser wants to execute code on its stack). Another option, which I have made use of, is the SELinux sandbox, which lets you confine an application so that it can get special permissions (like marking its stack as executable) without allowing it to affect other parts of the system (this also means that you cannot save files, unless you mount a special home directory just for the sandbox, which is allowed; the sandbox also allows you to set up the security context in a way that makes sense, e.g. Firefox should be able to access the web).

  5. Re:The difference on Mac Malware Evolves - No Install Password Required · · Score: 1

    That much is true, which is why I said "thwart" and not "completely eliminate." Now, with a bit of work, you could stop users from doing that as well -- set up the right SELinux policies/contexts and whatnot -- and thus mitigate the threat further. In the end, it really depends on what exactly you are trying to do, and what your users need to be able to do. If your users only need to be able to launch a web browser and email client, then go ahead and stop them from running bash.

  6. Re:Does the principle apply to Linux? on Mac Malware Evolves - No Install Password Required · · Score: 1

    you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.

    How is that a pain? Have you ever tried it? In Fedora, it is a matter of setting an SELinux boolean (allow_user_exec_content) and setting the user as user_u. This is literally two things to click on in the SELinux GUI tool, or two commands to run in a terminal. This might annoy users who want to do things like write scripts, but if your goal is to defend against this kind of malware, then that is what you have to do.

    Of course, most home users are unaware of noexec/SELinux and would need the family IT guy to do this for them.
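Added example, not part of the comments above and not the commenter's code: comments 4 and 6 rely on /home, /tmp and /var/tmp being mounted noexec, so this script reports which of those directories sit on a mount that still allows execution. The function name `exec_allowed` and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Report directories whose covering filesystem is mounted WITHOUT noexec.
# Input is text in /proc/mounts format (device, mount point, type, options).

# Constructed sample, not taken from a real host:
# /tmp is noexec; /home has its own mount without noexec;
# /var/tmp has no mount of its own and inherits the options of /var.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext4 rw,relatime 0 0'

# exec_allowed MOUNTS_TEXT DIR...
# Prints each DIR whose covering mount (longest matching mount point,
# later entries winning ties because they shadow earlier ones) lacks noexec.
exec_allowed() {
    mounts=$1; shift
    for dir in "$@"; do
        printf '%s\n' "$mounts" | awk -v d="$dir" '
            {
                mp = $2
                # A mount covers d if it is d itself, the root, or a parent.
                covers = (mp == d || mp == "/" || index(d, mp "/") == 1)
                if (covers && length(mp) >= best_len) {
                    best_len = length(mp)
                    best_opts = $4
                }
            }
            END {
                if (best_len == 0) exit          # no covering mount found
                n = split(best_opts, o, ",")
                for (i = 1; i <= n; i++)
                    if (o[i] == "noexec") exit   # execution blocked here
                print d                          # execution still allowed
            }'
    done
}

# Run against the constructed sample; on a live system pass
# "$(cat /proc/mounts)" as the first argument instead.
exec_allowed "$SAMPLE_MOUNTS" /home /tmp /var/tmp
```

A directory that is not its own mount point inherits the options of its parent mount, which is how /var/tmp gets missed when only /tmp is remounted noexec.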

  7. Re:Market Share on Mac Malware Evolves - No Install Password Required · · Score: 1

    It depends on who is using the computer. GNU/Linux has many millions of desktop users, but it would be pretty hard to convince most of those people to run some random program they downloaded from some website. Mac OS X's userbase, on the other hand, is composed mainly of people who are not knowledgeable about computers and who wanted something that was "easier" or "more user friendly" than Windows (cue the comments from technically adept people who happen to like Mac OS X), and may more easily fall victim to social engineering.

    Of course, desktop GNU/Linux use is expanding to more people who are not so technically inclined, so this may change over the next few years.

  8. Re:The difference on Mac Malware Evolves - No Install Password Required · · Score: 4, Insightful

    This means the problem would be isolated to that particular user's account.

    For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.

  9. No surprises here on Mac Malware Evolves - No Install Password Required · · Score: 2

    ...is anyone actually surprised by this?

  10. Re:Why are nuclear plants so hard to shut down? on Fukushima To Become Nuclear Dump? · · Score: 1

    Hello nuclear engineers, can someone explain why it takes so long to shut down a nuclear power plant?

    I am not a nuclear engineer, but my understanding of the problem is that the fission byproducts decay very fast and release a lot of heat in the process, so until those byproducts are gone the rods need to be cooled.

  11. Re:Why does encryption never work? on Apple's iOS 4 Hardware Encryption Cracked · · Score: 1

    Read the part of my post that you quoted, and you'll see that I did not say anything that contradicts what you or Schneier said. When using a 128 bit block cipher, the recommended size for your asymmetric keys is 3072 bits for non-ECC algorithms (e.g. RSA). That is not a ridiculously long key size, given the state of the art attacks on the RSA problem, nor does it exclude the smaller symmetric key size. I was responding to a statement about "256 bit RSA," which is ridiculously short.

  12. Re:Why does encryption never work? on Apple's iOS 4 Hardware Encryption Cracked · · Score: 1

    Computer experts have cracked the encryption

    Can you please point out the experts who have cracked RSA, DSA, DH, ElGamal, or ECC? Oh, right, the math has not been cracked, the only things we hear about are:

    1. Specific implementations being attacked, due to bugs or poorly thought out optimizations (i.e. that lead to side channel attacks).
    2. Proprietary crypto being cracked; why anyone would be using proprietary crypto in this day and age is a mystery to me, but people continue to do it.

    Also, nobody speaks of 256 bit RSA in this century; the recommended key size for use with a 128 bit block cipher is 3072 bits when I last checked.

  13. Re:History repeats? on Apple's iOS 4 Hardware Encryption Cracked · · Score: 0, Troll

    Apple doesn't actively prohibit "rooting" of their devices.

    http://gizmodo.com/303171/apple-says-unlocked-iphones-will-brick-after-software-update-+-what-does-it-mean

    Apple doesn't pursue the iOS "hacker" community with legal threats, DMCA takedown notices, etc.

    http://news.cnet.com/apple-iphone-jailbreaking-violates-our-copyright/

    Apple doesn't infest its products with an OS (Windows 7) that has DRM from the driver-level up.

    http://tech.slashdot.org/story/05/08/01/0421248/Mac-OS-X-Intel-Kernel-Uses-DRM

  14. Re:Oh, great on Apple Acknowledges MacDefender · · Score: 1

    Yes, if my mother was cleaning up the computer and not just calling me and having me do it (or worse yet, paying someone else to do what I would have done), then yes, I would agree. Like I said, if she wants to start, the SELinux could be put into permissive mode or even disabled at any time -- the security is only mandatory to the point of booting into single user mode. I would even give her step-by-step instructions on how to do it, if she wanted or expressed even the slightest bit of interest.

    I became the family IT guy over a decade ago, and in that time, I have been the one who gets called in to clean up when things go bad. With malware getting nastier and me getting busier, that really cannot continue; things cannot go bad as often as they used to, and that is where SELinux comes in.

    Just so the message is clear, since you seem to think that I have set up some kind of iOS clone: all anyone would have to do is boot into single user mode and run three commands, and the system has the same SELinux policy it had when it was freshly installed. There is really no effort to stop anyone from learning if they want to, this is just a way to get more time between phone calls asking for help.

  15. Re:like Netscape FastTrack & LiveScript in '96 on JavaScript Servers Compared · · Score: 1

    I said the underlying structure has not changed much, but that there have been superficial changes. Can you please point out where the underlying structure of the Internet or the Web has undergone a significant change? When last I checked, we are still using IPv4 and we are still using HTTP, and we are still using a client-server model. The most significant change that I can think of is AJAX, and that is not a terribly significant change (it really just means that things people would have done in an applet can now be done by the browser itself).

    Yes, things look a lot different now, and we are making more sophisticated use of the underlying technology (sometimes), but for the most part we are still talking about the same system.

  16. Re:Oh, great on Apple Acknowledges MacDefender · · Score: 1

    Like I said, whenever she has a question, she asks. She also does, in fact, have full control over her computers -- at any time, she can have anything changed by myself or by others (I left single-user-mode available) if the security settings become a problem. It has never been a problem, and I have never "scolded" anyone -- a gentle explanation of why some action is being prevented is more than enough. If she wants to learn about her computer, she is entirely free to do so -- I have not actually done anything that prevents her from removing the security, and like I have repeatedly stated, I am entirely willing to explain anything that she asks about.

  17. Re:like Netscape FastTrack & LiveScript in '96 on JavaScript Servers Compared · · Score: 2

    We used to call it "SSJS" -- server-side Javascript. Times really have not changed, but why would you expect them to? Despite the superficial changes, the underlying structure of the Internet and the Web has not really changed. We have not really seen much in the way of "revolution" in the past 15 years, just incremental changes (or if you would prefer, "improvements") to the way everything works.

  18. Re:Oh, great on Apple Acknowledges MacDefender · · Score: 1

    She is glad to not have to deal with malware, and since she generally called me up to ask for help with things before, there really is not much of a change. It is not like I failed to inform her of what I was doing to her system, and I am entirely willing to explain to her whatever it is that she asks. Really it is not as big of an issue as you seem to think -- in no way is there any disrespect and nobody is being treated as if they are unintelligent. We are not talking about a censorship/parental control program, we are talking about the equivalent of mounting home directories with the noexec flag.

  19. Re:Mac App Store-only APIs in Lion? on Apple Acknowledges MacDefender · · Score: 1

    It is when there are entire genres of games that are underrepresented on PCs and Macs compared to consoles.

    You are assuming that these games are something that I (or even most people) have the time or desire to play. I have seen console games, and I used to play them when I was a kid, but to be honest I really do not play video games much anymore. I play games, sure -- strategy games like Go -- but intense 3D video games are really not something I spend much time on these days.

  20. Re:Towlie says. on Happy Towel Day! · · Score: 1

    No we just want to play our video game!

  21. Re:Oh, great on Apple Acknowledges MacDefender · · Score: 1

    Yeah, is that so hard to believe?

  22. Re:Oh, great on Apple Acknowledges MacDefender · · Score: 1

    My point was that there's no reason to inflict Linux on them either ;-) The user might be more comfortable with an OS other than Linux.

    In my experience, the only time users become uncomfortable with GNU/Linux is when they start doing exactly the sort of things that a locked-down account should prevent them from doing. When all a user knows or cares about is launching a few programs -- a web browser, an email client, and a word processor -- then it hardly makes a difference what OS they are running. Once users start doing things like installing "cool little applications" that actually leave them worse off, or trying to fiddle with settings they need guidance for, things can become a problem -- but the great thing about locking down their accounts is that they are forced to contact you when they try to do that, before it can become a problem, and you have a chance to either teach them or at least explain why they cannot do what they were trying to do (e.g. because of malware or because it would make their system unusable).

    The argument that users are "uncomfortable with GNU/Linux" is predicated on the belief that users are not uncomfortable with some other system. When you are talking about moving someone from a Windows system to a GNU/Linux system, why do you think they will be more comfortable if instead you move them to a Mac OS X system? If they need to be given a locked down account for their own good, then it sounds like they are not very adept with computers to begin with, and GNOME would be no worse for them.

  23. Re:Karma on Sony Suffers Yet More Security Breaches · · Score: 1

    Unfortunately, their customers are getting hurt in the process, which is what makes this sad. If it were just a matter of Sony getting beat down everywhere they turned, I would have no problem.

  24. Re:That's not completely true. on Apple Acknowledges MacDefender · · Score: 1

    I doubt that security is their objective with the walled garden.

  25. Re:Oh, great on Apple Acknowledges MacDefender · · Score: 2

    Then I will stop buying from those computer makers. The lock down has to be under my control, and nobody else's -- I am the one who owns and administers the computer.