
Comment Re:BCP38 (Score 5, Insightful) 312

BCP38 is a fantastic idea. Being in a position in which I serve as a consultant to many indie ISPs' network administrators on a frequent basis, I strongly encourage sane enforcement of source IP data at ingress toward the ISP from customer-facing links. Many of my clients implement this. The trouble is, it doesn't help with many modern DDoSes. It certainly helps with the common traffic-amplification attack types, but many distributed botnet-based attacks now directly target the service by impersonating legitimate client implementations. This will do nothing for those. The server side will see the many thousands or more of IPs that are attacking them, and see them correctly, but the trouble is, there are way too many to manage and they look like legit clients. Complicating things, it's likely that many of the infected machines ARE also LEGIT customers/clients. Implementing BCP38 is and will remain a good thing. But as DDoS strategies evolve, and upload speeds on consumer links increase in terms of throughput, this strategy will not be a long-term solution to many categories of DDoS.
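
The filtering the comment describes, as an added example that is not part of the comment: a toy model of BCP38 (RFC 2827) ingress filtering at an ISP's customer-facing edge. Each customer port is bound to the prefixes the ISP delegated to it, and a packet arriving on that port with a source outside those prefixes is dropped as spoofed. The port names, prefixes and packets are constructed; the last constructed packet set also shows the comment's point that a bot using its real address sails through.

```python
"""Added example, not part of the comment above: a toy model of BCP38
(RFC 2827) ingress filtering at an ISP's customer-facing edge.
Port names, prefixes and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_port: str   # customer-facing interface the packet arrived on
    src: str            # claimed source address
    dst: str
    note: str           # what the packet is, for the demo only


class IngressFilter:
    """Each customer port is bound to the prefixes the ISP delegated to it.
    A packet whose source lies outside its port's prefixes is spoofed."""

    def __init__(self, bindings):
        self.bindings = {
            port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in bindings.items()
        }

    def permits(self, pkt):
        prefixes = self.bindings.get(pkt.ingress_port)
        if prefixes is None:
            return False  # unknown port: default deny
        src = ipaddress.ip_address(pkt.src)
        # ipaddress returns False for a v4 address tested against a v6 prefix and vice versa
        return any(src in p for p in prefixes)

    def process(self, packets):
        passed, dropped = [], []
        for pkt in packets:
            (passed if self.permits(pkt) else dropped).append(pkt)
        return passed, dropped


# Constructed customer links: one IPv4 /24, one dual-stack link.
EDGE = IngressFilter({
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.128/25", "2001:db8:42::/48"],
})

# Constructed traffic. 192.0.2.10 is the victim the attacker wants traffic reflected at.
TRAFFIC = [
    # Reflection/amplification: a host on link 1 forges the victim as source.
    Packet("ge-0/0/1", "192.0.2.10", "192.0.2.53", "spoofed DNS query (amplification)"),
    Packet("ge-0/0/2", "2001:db8:ffff::1", "2001:db8:9::1", "spoofed IPv6 source"),
    # Botnet member on link 1 attacking the victim with its real address: passes.
    Packet("ge-0/0/1", "203.0.113.25", "192.0.2.10", "bot HTTP request, genuine source"),
    # Ordinary customer traffic.
    Packet("ge-0/0/2", "198.51.100.200", "192.0.2.10", "legitimate client"),
    Packet("ge-0/0/2", "2001:db8:42::7", "2001:db8:9::1", "legitimate IPv6 client"),
    # Address that belongs to another customer, arriving on the wrong port.
    Packet("ge-0/0/1", "198.51.100.200", "192.0.2.10", "neighbour's address on another link"),
]


def demo():
    """Return (number passed, number dropped, notes of the dropped packets)."""
    passed, dropped = EDGE.process(TRAFFIC)
    return len(passed), len(dropped), [p.note for p in dropped]


if __name__ == "__main__":
    n_ok, n_drop, notes = demo()
    print(f"passed={n_ok} dropped={n_drop}")
    for note in notes:
        print("  dropped:", note)
```

The filter drops the three forged sources and passes the three genuine ones, including the bot: source validation stops reflection and spoofed floods, not a direct flood from hosts that are who they say they are.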

Comment Re:Much like MTU handling (Score 1) 312

Send some sort of ICMP message upstream that indicates your maximum capacity for handling traffic. It's a DOS vector in itself, but you could minimize it.

Umm... No. Any such form of congestion notification, if respected by upstream parties, would certainly reduce traffic to you. The obvious problem, however, is that it will reduce NASTY/BOT traffic as well as LEGITIMATE traffic. So, you send this ICMP message, and the upstreams that hear it kindly shape what's exiting their network toward you? How do they choose from the available packets they have heading toward you what to let through and what to delay/drop? If some giant number N of senders wants to swamp you, it matters little that their ISPs or your ISPs or any transports between them know that they must reduce the traffic toward you. You still have a DDoS, but now it's a self-throttled DDoS, and the upstreams are still dropping or delaying legitimate traffic that you want, only now it happens before the natural limits and instead occurs upon artificial limits. The end result is less traffic hits you, and you still go out of service to most of the world (from the end-user experience perspective), because the senders who are politely throttling can't tell which packets are evil and which packets are sent by the people you want to receive from.

The Courts

Plaintiff In Tech Hiring Suit Asks Judge To Reject Settlement 215

An anonymous reader writes with news that Michael Devine, one of the plaintiffs in a lawsuit accusing tech firms including Apple and Google of conspiring to keep salaries low, has asked the court to reject a $324 million settlement. "Apple has more than $150 billion in the bank, eclipsing the combined cash reserves of Israel and Britain. Google, Intel and Adobe have a total of about $80 billion stored up for a rainy day. Against such tremendous cash hoards, $324 million is chump change. But that is what the four technology companies have agreed to pay to settle a class action brought by their own employees. The suit, which was on track to go to trial in San Jose, Calif., at the end of May, promised weeks if not months of damaging revelations about how Silicon Valley executives conspired to suppress wages and limit competition. Details of the settlement are still under wraps. 'The class wants a chance at real justice,' he wrote. 'We want our day in court.' He noted that the settlement amount was about one-tenth of the estimated $3 billion lost in compensation by the 64,000 class members. In a successful trial, antitrust laws would triple that sum. 'As an analogy,' Mr. Devine wrote, 'if a shoplifter is caught on video stealing a $400 iPad from the Apple Store, would a fair and just resolution be for the shoplifter to pay Apple $40, keep the iPad, and walk away with no record or admission of wrongdoing? Of course not.' 'If the other class members join me in opposition, I believe we will be successful in convincing the court to give us our due process,' Mr. Devine said in an interview on Sunday. He has set up a website, Tech Worker Justice, and is looking for legal representation. Any challenge will take many months. The other three class representatives could not be reached for comment over the weekend."

Comment This is not a novel idea. (Score 1) 143

It's worth taking note that this is not a completely novel idea. The Blackberry web browser, when running with the Blackberry Internet Service, has also used server-side resources of RIM's infrastructure to slice and dice and optimize web services. The same is true of email attachments -- the RIM infrastructure intercepts and re-optimizes. This is especially apparent when viewing PDF attachments to email. In the Blackberry Enterprise Server infrastructure, this functionality actually moves to one's own BES server instance, with end-to-end encryption between the BES server and the handheld. This fact, at least, provides a corporation with the ability to not have the security exposure of having RIM decipher the pages and content. Perhaps the objection is that for the Kindle Fire we don't have an independently implementable server-side browsing optimization node?

Security

Moxie Marlinspike's Solution To the SSL CA Problem 189

Trevelyan writes "In his Blackhat talk on the past and future of SSL (YouTube video) Moxie Marlinspike explains the problems of SSL today, and the history of how it came to be so. He then goes on to not only propose a solution, but he's implemented it as well: Convergence. It will let you turn off all those untrustable CAs in your browser and still safely use HTTPS. It even works with self-signed certificates. You still need to trust someone, but not forever like CAs. The system has 'Notaries,' which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time."
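
The notary check the summary describes, as an added example that is not Convergence's own code: each notary reports the certificate fingerprints it has itself observed for a host, the client compares them against the certificate it was just offered, and applies a trust policy it can change at any time. The notary names, certificate bytes and observations are constructed; the anonymising relay between notaries is not modelled.

```python
"""Added example, not Convergence's own code: a reduced notary-consensus
check. Notary names, certificate bytes and observations are constructed."""
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (constructed byte strings stand in for DER)."""
    return hashlib.sha256(cert_der).hexdigest()


class Notary:
    """A notary that has fetched certificates for hosts from its own vantage point."""

    def __init__(self, name, observations):
        self.name = name
        # host -> set of fingerprints this notary has seen (a CDN may legitimately have several)
        self.observed = {h: {fingerprint(c) for c in certs} for h, certs in observations.items()}

    def query(self, host):
        return self.observed.get(host, set())


def check(host, offered_cert, notaries, policy="majority", threshold=1):
    """Return (accepted, votes_for, votes_against, unknown) for the offered certificate."""
    fp = fingerprint(offered_cert)
    votes_for = votes_against = unknown = 0
    for notary in notaries:
        seen = notary.query(host)
        if not seen:
            unknown += 1            # this notary has never looked at the host
        elif fp in seen:
            votes_for += 1
        else:
            votes_against += 1      # it saw a different certificate: possible MITM on our path
    if policy == "consensus":
        accepted = votes_for == len(notaries)
    elif policy == "majority":
        accepted = votes_for * 2 > len(notaries)
    elif policy == "threshold":
        accepted = votes_for >= threshold
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return accepted, votes_for, votes_against, unknown


# Constructed certificates: the real one, a self-signed one, and an interceptor's.
REAL_CERT = b"cert: CN=example.test, issuer=SomeCA (constructed)"
SELF_SIGNED = b"cert: CN=blog.test, issuer=blog.test (constructed)"
MITM_CERT = b"cert: CN=example.test, issuer=Interceptor (constructed)"

# Three notaries; the third is stale or compromised and vouches for the interceptor.
NOTARIES = [
    Notary("notary-a", {"example.test": [REAL_CERT], "blog.test": [SELF_SIGNED]}),
    Notary("notary-b", {"example.test": [REAL_CERT], "blog.test": [SELF_SIGNED]}),
    Notary("notary-c", {"example.test": [MITM_CERT], "blog.test": [SELF_SIGNED]}),
]


def demo():
    """Run the policies against the constructed scenario; returns a dict of outcomes."""
    trusted = [n for n in NOTARIES if n.name != "notary-c"]   # trust agility: drop a notary
    return {
        "real_majority": check("example.test", REAL_CERT, NOTARIES, "majority")[0],
        "real_consensus": check("example.test", REAL_CERT, NOTARIES, "consensus")[0],
        "real_consensus_after_removal": check("example.test", REAL_CERT, trusted, "consensus")[0],
        "mitm_majority": check("example.test", MITM_CERT, NOTARIES, "majority")[0],
        "self_signed_consensus": check("blog.test", SELF_SIGNED, NOTARIES, "consensus")[0],
        "unknown_host": check("new.test", REAL_CERT, NOTARIES, "majority"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a majority policy one bad notary cannot make the client accept the interceptor's certificate, and cannot block the real one either; under a consensus policy it can block the real one, which is the availability cost of the stricter setting, and the remedy is simply to drop that notary from the list. The self-signed site is accepted because every notary sees the same certificate, which is what lets the scheme work without a CA.
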

Censorship

South Korea Censors Its Own Censor 56

decora writes "The EFF reports on an internet censorship case in South Korea. The blog of Professor K.S. Park was recently brought up for consideration by the Korean Communication Standards Commission, which presides over South Korea's online censorship scheme, blocking about 10,000 URLs per month. The unusual thing about this case is that Park himself is a member of the commission; he was appointed to it by the opposition party as a well known free-speech advocate. The other members of the committee allowed him to make changes to his blog for now, but have vowed to 'take action' against it in the future."

The Courts

Usenet Group Sues Dutch RIAA 90

eldavojohn writes "With the Pirate Bay trial, it's been easy to overlook similar struggles in other nations. A Dutch Usenet community named FTD is going on the offensive and suing BREIN (Bescherming Rechten Entertainment Industrie Nederland). You may remember BREIN (along with the IFPI & BPI) as the people who raided and cut out the heart of eDonkey. This is turning into a pretty familiar scenario; the FTD group makes software that allows its 450k members to easily find copyrighted content for free on Usenet. The shocking part is that FTD isn't waiting for BREIN to sue them. FTD is refusing to take down their file location reports, and is actually suing BREIN. Why the preemptive attack? FTD wants the courts to show that the act of downloading is not illegal in the Netherlands. (Both articles have the five points in English that FTD wants the courts to settle.) OSNews has a few more details on the story."

Data Storage

Encrypted But Searchable Online Storage? 266

An anonymous reader asks "Is there a solution for online storage of encrypted data providing encrypted search and similar functions over the encrypted data? Is there an API/software/solution or even some online storage company providing this? I don't like Google understanding all my unencrypted data, but I like that Google can search them when they are unencrypted. So I would like to have both: the online storage provider does not understand my data, but he can still help me with searching in them, and doing other useful stuff. I mean: I send to the remote server encrypted data and later an encrypted query (the server cannot decipher them), and the server sends me back a chunk of my encrypted data stored there — the result of my encrypted query. Or I ask for the directory structure of my encrypted data (somehow stored in my data too — like in a tar archive), and the server sends it back, without knowing that this encrypted chunk is the directory structure. I googled for this and found some papers, however no software and no online service providing this yet." Can anyone point to an available implementation?
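
The property the question asks for, as an added example that is not from the question or from any product: a minimal searchable symmetric encryption layout. The server stores only ciphertext blobs and an index keyed by HMAC-derived keyword tokens, so it can answer "which documents contain this keyword" without learning the keyword or the text; the directory listing would be stored the same way, as just another blob. The master key, document ids and texts are constructed, and the HMAC-SHA256 counter-mode stream with an HMAC tag is a stand-in for a proper AEAD so the example needs only the standard library.

```python
"""Added example, not from the question or any product: a minimal
searchable symmetric encryption (SSE) layout. Keys, ids and texts are
constructed; HMAC-SHA256 in counter mode plus an HMAC tag stands in for
a real AEAD so that only the standard library is needed."""
import hashlib
import hmac
import os
import re

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    """Holds the keys; the server never sees them."""

    def __init__(self, master_key: bytes):
        # Independent subkeys for confidentiality, integrity and search tokens.
        self.k_enc = _prf(master_key, b"enc")
        self.k_mac = _prf(master_key, b"mac")
        self.k_tok = _prf(master_key, b"tok")

    def _keystream(self, nonce, n):
        out = bytearray()
        block = 0
        while len(out) < n:
            out += _prf(self.k_enc, nonce + block.to_bytes(8, "big"))
            block += 1
        return bytes(out[:n])

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = _prf(self.k_mac, nonce + ct)          # encrypt-then-MAC
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, _prf(self.k_mac, nonce + ct)):
            raise ValueError("blob tampered with or wrong key")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def token(self, keyword: str) -> bytes:
        # Deterministic per keyword so the server can match it; opaque without k_tok.
        return _prf(self.k_tok, keyword.lower().encode())

    def upload(self, server, doc_id, text):
        words = set(re.findall(r"[a-z0-9]+", text.lower()))
        server.put(doc_id, self.encrypt(text.encode()), {self.token(w) for w in words})

    def search(self, server, keyword):
        """Send one token; decrypt whatever the server returns for it."""
        return {doc_id: self.decrypt(blob).decode()
                for doc_id, blob in server.find(self.token(keyword))}


class Server:
    """Untrusted storage: sees only opaque blobs and opaque tokens."""

    def __init__(self):
        self.blobs = {}     # doc_id -> ciphertext blob
        self.index = {}     # token  -> set of doc_ids

    def put(self, doc_id, blob, tokens):
        self.blobs[doc_id] = blob
        for t in tokens:
            self.index.setdefault(t, set()).add(doc_id)

    def find(self, token):
        return [(d, self.blobs[d]) for d in sorted(self.index.get(token, ()))]


def demo():
    """Upload constructed documents and run a search; returns (server, client, hit ids)."""
    server = Server()
    client = Client(b"constructed master key")
    client.upload(server, "doc1", "Invoice 2013-07 for the Berlin office")
    client.upload(server, "doc2", "Minutes of the quarterly planning meeting")
    client.upload(server, "doc3", "Second invoice, Berlin, overdue")
    return server, client, sorted(client.search(server, "invoice"))


if __name__ == "__main__":
    _, _, hits = demo()
    print("documents containing 'invoice':", hits)
```

The trade-off to be aware of before building on this: the tokens are deterministic, so the server learns which stored documents share a keyword and when the same query is repeated (the search and access patterns), even though it never learns the keyword itself. That leakage is the usual price of single-round keyword search; schemes that hide it cost more bandwidth or computation. For real data, replace the HMAC counter-mode stream with a vetted AEAD and keep the token construction.
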

The Courts

Copyright Scholar Challenges RIAA/DOJ Position 168

NewYorkCountryLawyer writes "Leading copyright law scholar Prof. Pamela Samuelson, of the University of California law school, and research fellow Tara Wheatland, have published a 'working paper' which directly refutes the position taken by the US Department of Justice in RIAA cases on the constitutionality of the RIAA's statutory damages theories. The Department of Justice had argued in its briefs that the Court should follow a 1919 United States Supreme Court case which upheld the constitutionality of a statutory damages award that was 116 times the actual damages sustained, under a statute which gave consumers a right of action against railway companies. The Free Software Foundation filed an amicus curiae brief supporting the view that the more modern, State Farm/Gore test applied by the United States Supreme Court to punitive damages awards is applicable. The new paper is consistent with the FSF brief and contradicts the DOJ briefs, arguing that the Gore test should be applied. A full copy of the paper is available for viewing online (PDF)."

Privacy

Privacy In BitTorrent By Hiding In the Crowd 240

pinguin-geek writes "Researchers at the McCormick School of Engineering and Applied Science at Northwestern University have identified a new 'guilt-by-association' threat to privacy in peer-to-peer (P2P) systems that would enable an eavesdropper to accurately classify groups of users with similar download behavior. While many have pointed out that the data exchanged over these connections can reveal personal information about users, the researchers show that the patterns of connections alone — not the data itself — are sufficient to create a powerful threat to user privacy. To thwart this threat, they have released SwarmScreen, publicly available, open source software that restores privacy by masking a user's real download activity in such a manner as to disrupt classification."

Media (Apple)

Update — No DRM In New iPod Shuffle 264

An anonymous reader writes "BoingBoing Gadgets has updated their story from yesterday on DRM contained in the new iPod Shuffle. (We also discussed this rumor last week.) It's a false alarm. There is a chip in the headphone controls but it is just an encoder chip. There is no DRM and no reason to believe that third party headphones wouldn't work with the new Shuffle. (Apple would still prefer you to license the encoder under the Made for iPod program, but with no DRM, there is no DMCA risk to a manufacturer reverse engineering it.) The money quote: 'For the record, we do not believe that the new iPod headphones with in-line remote use DRM that affects audio playback in any way.'"

Data Storage

Long-Term PC Preservation Project? 465

failcomm writes "I've been talking with my son's (middle-school) computer lab teacher about a 'time capsule' project. The school has a number of 'retirement age' PCs (5-6 years old — Dells, HPs, a couple of Compaqs), and we've been kicking around the idea of trying to preserve a working system and some media (CDs and/or DVDs), and locking them away to be preserved for some period of time (say 50 years); to be opened by students of the future. The goal would be to have instructions on how to unpack the system, plug it into the wall (we'll assume everyone is still using 110v US outlets), and get the system to boot. Also provide instructions on how to load the media and see it in action; whether it is photos or video or games or even student programs — whatever. So first, is this idea crazy? Second, how would we go about packing/preserving various components? Lastly, any suggestions on how to store it long term? (Remember, this is a school project, so we can't exactly just 'freeze it in carbonite'; practical advice would be appreciated.)"
