Comment Re:VeriSign (Score 1) 94

The basic idea is valid, but the implementation sucks

Umm... Perhaps, but probably not in quite the way you suggest. The current implementation doesn't allow the user to distinguish between certs issued by CAs with smart, rigorous CPSs (you do know what that is, right?), and certs issued by CAs that only check e-mail to admin@, postmaster@, ...

(and can probably only be made to not suck in a closed environment). Some CAs being diligent isn't enough, they all (well, all the ones trusted by any major browser) have to be diligent for the system to work at all.

Yeah. Which is why the major browsers require that the CAs be audited (and if they delegate to resellers the resellers too) to verify that they actually comply with what they say they'll do (their CPS), and that their CPS meets a minimal set of standards.

It seems your argument really boils down to: there has been a race to the bottom on the documented signing policies in order to minimize costs because higher cost, more rigorous validation mechanisms can't be used to differentiate a cert in the marketplace. (Except EV, but that's a whole other story)

My choosing the best CA out there doesn't matter a bit, because they can't do anything to stop the worst from handing a phisher a cert for my domain.

And they can't do anything to stop the best from handing a phisher a cert. However, the browser producers require an audit (which serves as a detective and preventive control) to verify that appropriate and sufficient processes are in place to ensure that a) the CPS is followed and b) the CPS meets a (minimal) set of rules.

Now, all this means that when (as a user) you're presented with a cert [that is not EV], you can be strongly assured that at some point, that cert was issued to someone who could read and respond to mail at an administrative email account for that domain. Is this sufficient for the user? Maybe. If it's a forum site, or a blog site, then probably. If it's an eCommerce or online banking site, probably not.

The browser makers need to allow:
a) Certs with differing validation methods to be differentiated (on a finer granularity than EV / not EV)
b) Client-side policy to be implemented on the basis of that differentiation

In order to arrest this race for the bottom and competition solely on price by the CAs.

Incidentally, both of these can be achieved within the current CA infrastructure...
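X.509 already has a carrier for the differentiation this comment asks for: the certificatePolicies extension, in which a CA asserts the OID of the policy (its CPS) under which it issued the cert. The following is an added example, written here and not taken from the comment or from any browser's code: it parses that extension from DER, maps the OIDs it finds to a validation class using the CA/Browser Forum policy OIDs (real values, though they post-date this 2009 thread), and applies a per-site-class minimum as the "client-side policy" of point b). The DER blobs, the private-enterprise OID 1.3.6.1.4.1.99999.1 standing in for a CA's own CPS OID, and the site-class table are all constructed.

```python
# Added example: parse certificatePolicies (DER) and apply a client-side
# minimum validation class per kind of site.  Not the comment's or any
# browser's code.  CA/B Forum OIDs are real; everything else is constructed.

# CA/Browser Forum policy OIDs (assumed here as the finer-than-EV marker).
POLICY_CLASS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
}
RANK = {"unknown": 0, "DV": 1, "IV": 2, "OV": 2, "EV": 3}
# Constructed client-side policy: minimum class per kind of site.
MINIMUM_CLASS = {"blog": "DV", "forum": "DV", "ecommerce": "OV", "banking": "EV"}

def encode_oid(dotted):
    """DER-encode a dotted OID (short-form length; enough for any policy OID)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])      # base-128, high bit = continuation
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    assert len(body) < 128
    return bytes([0x06, len(body)]) + bytes(body)

def der_seq(*children):
    """Wrap already-encoded children in a DER SEQUENCE (short-form length)."""
    content = b"".join(children)
    assert len(content) < 128
    return bytes([0x30, len(content)]) + content

def _read_tlv(buf, pos):
    """Return (tag, value, position after value) for the TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end

def decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]                        # first two arcs share one subid
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def parse_certificate_policies(ext_value):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; return the OIDs."""
    tag, outer, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)     # optional policyQualifiers ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid))
    return oids

def validation_class(oids):
    """Strongest CA/B Forum class asserted; 'unknown' if only private OIDs appear."""
    best = "unknown"
    for oid in oids:
        cls = POLICY_CLASS.get(oid)
        if cls and RANK[cls] > RANK[best]:
            best = cls
    return best

def accept_for(site_kind, ext_value):
    """Apply the client-side minimum for this kind of site; return (ok, class)."""
    cls = validation_class(parse_certificate_policies(ext_value))
    return RANK[cls] >= RANK[MINIMUM_CLASS[site_kind]], cls

# Constructed samples.  1.3.6.1.4.1.99999.1 is a placeholder under the
# private-enterprise arc standing in for a CA's own CPS OID, not a real CA's.
SAMPLE_DV_EXT = der_seq(der_seq(encode_oid("1.3.6.1.4.1.99999.1")),
                        der_seq(encode_oid("2.23.140.1.2.1")))
SAMPLE_EV_EXT = der_seq(der_seq(encode_oid("2.23.140.1.1")))

if __name__ == "__main__":
    for kind in ("blog", "banking"):
        for name, ext in (("DV cert", SAMPLE_DV_EXT), ("EV cert", SAMPLE_EV_EXT)):
            ok, cls = accept_for(kind, ext)
            print(f"{kind:8s} {name}: class={cls} accepted={ok}")
```

A CA-private OID alone yields "unknown", which the policy treats as weaker than DV: a client that does not recognise a CA's CPS OID has no basis for granting it more trust, which is exactly why a shared, recognisable set of policy identifiers is needed before browsers can differentiate at all.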

Comment Re:Oh, this sounds like a good idea... (Score 1) 209

"Unless your going to pay the auditors to run a compliance check after every change you make"

Not relevant to the case at hand, but:

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations ...

6.3.1 Testing of all security patches, and system and software configuration changes before deployment, including but not limited to the following:
6.3.1.1 Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.)
6.3.1.2 Validation of proper error handling
6.3.1.3 Validation of secure cryptographic storage
6.3.1.4 Validation of secure communications
6.3.1.5 Validation of proper role-based access control (RBAC) ...
6.4 Follow change control procedures for all changes to system components. The procedures must include the following:
6.4.1 Documentation of impact
6.4.2 Management sign-off by appropriate parties
6.4.3 Testing of operational functionality
6.4.4 Back-out procedures ...
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications ...
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by the Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company's internal staff.
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests

Comment Re:Oh, this sounds like a good idea... (Score 2, Interesting) 209

And they failed to do that.

They knew the processor had previously failed an audit because of storage of unencrypted PANs and non-compliant firewalls.

They provided an audit report that said "fully compliant" with CISP.

In the aftermath of the breach, it was discovered that the processor still had non-compliant firewalls and was still storing unencrypted PANs.

It appears that Savvis did not do their job. This will not be the big question at the trial, though.

Merrick was not in contractual privity with Savvis. Savvis was contracted by CardSystems, not Merrick. The issue at trial will likely be whether Savvis owed a duty of care to others that relied on their report (rather than just their client).

I would suggest that if an audit scheme is to have any benefit at all, it must accrue to those that rely on the audit findings. If 3rd parties cannot rely on the audit findings, then there is no reason to conduct the audit in the first place.

Nintendo

Nintendo Penalizing Homebrew Users? 95

An anonymous reader writes "Bricked your Wii? Not only will Nintendo charge you for the repair, they will now add an additional fee if they detect any homebrew software. 'Should Nintendo have to pay to repair hacked Wiis under warranty? Maybe not, but they have no (moral) right to gouge customers out of spite for having the HBC installed. This actually poses a technical dilemma for us with BootMii. As currently designed, BootMii looks for an SD card when you boot your Wii, and if it finds the card and the right file, it will execute that file. Otherwise, there's no way to tell it's installed.'"
Security

A Vision For a World Free of CAPTCHAs 168

An anonymous reader writes "Slate argues that we're going about verifying humans on the Web all wrong: 'As Alan Turing laid out in the 1950 paper that postulated his test, the goal is to determine whether a computer can behave like a human, not perform tasks that a human can. The reason CAPTCHAs have a term limit is that they measure ability, not behavior. ... the random, circuitous way that people interact with Web pages — the scrolling and highlighting and typing and retyping — would be very difficult for a bot to mimic. A system that could capture the way humans interact with forms algorithmically could eventually relieve humans of the need to prove anything altogether.' Seems smart, if an algorithm could actually do that."

Comment The Australian Experience (Score 1) 16

Your question of morality is interesting and I'll get to that in a moment, but I'd first like to share the experience in Australia where such a "First Home Buyers" scheme has been operating for some time. At one point it was AUD$21.000 if you were a first home buyer who built a home, I think at the moment it's "only" AUD$14.000. It started a few years ago at AUD$7.000.

From where I'm standing at the side-lines - I'm renting - it distorted the housing market in many unpredictable ways.

In essence it increased the price of all houses because the new builders would build a house with extras "for free", that incorporated the extra funding. Those first home buyers who didn't build got half the funding and that meant that existing home owners increased the value of their home by that amount so they could get the funding too.

Those same houses that were artificially increased in value caused a bubble in the price of housing, because the next owner saw the percentage increase in their area - as a result of the grant - and then they too wanted to see the same return on their investment, causing a self-feedback loop that made house prices increase like mad when really there was nothing to back that up. The result today is that the return on housing has in fact declined for the first time in decades - completely unheard of in most urban areas in the country.

The grant caused cases where the first home buyer was a child and many cases where people with extreme wealth found ways of getting the grant - for example, if the husband always bought their house as a company, then they could qualify for it as a private purchase etc.

By the examples I'm showing you might surmise that the grant brings out the worst in people. It goes directly to morality because it shows that when there is an opportunity to do wrong, a percentage of the population will in fact do so.

I don't think it's a good or sustainable means of stimulation, nor do I think it's appropriate to use aid that is not required. I think that shining the light on those who abuse the system will ultimately cause a return to common sense.

Those around me think it's appropriate to cheat on your taxes - for me, it's the same thing. Ultimately you're cheating yourself and the society you are part of. Unemployment benefits, healthcare, education and infrastructure need to be paid for - even if I don't agree with all that is spent, that's the system I choose to be part of. Paying taxes is part of the responsibility that comes with being part of society - otherwise we'd be still living in caves, hunting and dying at age 22.

For me it's summarised in the following quote:

The ultimate result of shielding men from the effects of folly, is to fill the world with fools. --Herbert Spencer

Government

Hundreds of Thousands of Chinese Black-Hats 247

An anonymous reader sends us to Popular Science for a long article on the loose, uncoordinated bands of patriotic Chinese hackers that seem to be responsible for much of the cyber-trouble emerging from that nation. Quoting: "For years, the U.S. intelligence community worried that China's government was attacking our cyber-infrastructure. Now one man has discovered it's more than that: it's hundreds of thousands of everyday Chinese civilians. ... Jack Linchuan Qiu, a communications professor at the Chinese University of Hong Kong [says:] 'Chinese hackerism is not the American "hacktivism" that wants social change. It's actually very close to the state. The Chinese distinction between the private and public domains is very small.' ... According to [James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies], 'The government at a minimum tolerates them. Sometimes it encourages them. And sometimes it tasks them and controls them.' In the end, he says, 'it's easy for the government to turn on and hard to turn off.'"
PC Games (Games)

Submission + - MMO community rallies for an artifact

An anonymous reader writes: "The gaming community involved in Funcom's recently-revealed online game, "The Secret World," (TSW) is rallying support to raise USD$15,000 in donations to bid on Roald Amundsen's Expedition Flag — an item of great importance to the Norwegian people. The flag is being sold at auction on May 7th in London with an estimated price tag of USD$10,000 — $13,500.

The journeys of Amundsen have played a central role in the mysterious story surrounding "The Secret World." Tørnquist has woven real events from Amundsen's travels with puzzles and mysteries that have required countless hours of research by the community to solve. These puzzles and mysteries have received widespread attention in the gaming community."

This project is very unique in that a community for a game that has not even been released has come together to raise money to bid for a national artifact of Norway at an auction in London, and return this artifact to the people of Norway. More info at campaign site www.questfortheflag.com.
Businesses

Submission + - SPAM: Get those six channels plus a SPDIF digital input

lucy writes: "Get those six channels plus a SPDIF digital input and support for HRTF 3D positional sound Equipped with standard input and output connectors to add great stereo input and output performance Best choice for the high quality sound effect pursuers! Fully compatible with your Surround Sound 5.1 channel computer speaker system This PCI card uses the C-Media CMI8738/PCI-6-CH-LC chipset Full duplex 64-bit PCI bus master Integrated SRS 3D sound technology Compatible with sound blaster, sound blaster pro and Windows sound system Advanced MPC-3 compliant input and output mixer Enhanced stereo full duplex operation Dual Type-F DMA support Delta-Sigma data converters Programmable power management Hardware master volume control Center/bass-out Microphone-in Line-in Line-out (Front Speakers) Rear-out (Rear Speakers) 15 pin standard game/midi port PCI interface System requirement: Windows 98/ME/2000/XP Market Price: $ 9.82 Your Price: $ 7.55 [spam URL stripped]"
Space

Using Light's Handedness To Find Alien Life 210

Rational Egoist writes "Scientists working at the National Institute of Standards and Technology have come up with a novel, easy way to detect life on other planets. Rather than try to measure the composition of atmospheres, they want to look at the chirality of light coming from the planet. From the article: '"If the [planet's] surface had just a collection of random chiral molecules, half would go left, half right," Germer says. "But life's self-assembly means they all would go one way. It's hard to imagine a planet's surface exhibiting handedness without the presence of self assembly, which is an essential component of life."' And they have already built a working model: 'Because chiral molecules reflect light in a way that indicates their handedness, the research team built a device to shine light on plant leaves and bacteria, and then detect the polarized reflections from the organisms' chlorophyll from a short distance away. The device detected chirality from both sources.' The article abstract is available online."
Linux Business

Submission + - Ubuntu 9.04 is as slick as Win7, Mac OS X (zdnet.com.au)

An anonymous reader writes: Opinion: Here's what the official press release won't tell you about Ubuntu 9.04, which formally hit the streets overnight: its designers have polished the hell out of its user interface since the last release in October. Just like Microsoft has taken the blowtorch to Vista to produce the lightning-quick Windows 7, which so far runs well even on older hardware, Ubuntu has picked up its own game.
Games

Contrasting User-Driven Play With Developer Vision 60

GameSetWatch is running an opinion piece (sparked by a lecture at NYU by Deus Ex developer Warren Spector) about the difference between game experiences that are specifically planned by the game's creators and experiences that are either constructed by players or arise unexpectedly. Quoting: "One thing Spector said during the NYU discussion was that he feels multiplayer games are 'lazy.' This is the designer in him talking, of course — his theory that in letting players build stories via Left 4 Dead-style happy accidents in open worlds, the designer doesn't have to tackle complex challenges like making choices meaningful, or making characters believable. Spector wants to take on those challenges, and he doesn't like the idea that user-driven play, from his standpoint, effectively allows game design to bypass them. It's actually an idea I relate to a lot as a writer — I was raised in an era of authoritative media, when individual voices drove culture, opinion and information. The internet's changed everything, of course; the authoritative voice has evolved into a conversation between writer and audience, and the writer now leads the community discussion rather than acting as a single determiner, a unilateral judge."
Portables (Apple)

Submission + - Apple's Approval Process Strikes Again (alkalimedia.com) 1

Alkali Media writes: "After reading the stories about the iPhone "Baby Shaker" application, we thought we would share a similar experience that baffled us with the Apple app approval process... Originally named CrudeBox, Apple rejected our application from the iTunes App store twice for being overtly 'obscene and offensive'. The third time around, we decided to make the app simply *look* less obscene and offensive (screen shots attached). From the ashes of CrudeBox rose the ironically flamboyant PrudeBox, paying much needed respect to Apple's fabulous application review team. I've included our blog post about our experience with the App store if you're interested in reading more. — Crudebox Renamed PrudeBox, Goes All the Way on the Third Try: It would be like preaching to the choir if anyone were to complain about the disappointment of having an app initially denied from the iTunes App Store. With hundreds of new applications released each week, there are sure to be a handful of apps Apple fundamentally disagrees with. It's quite disheartening when your app falls into the latter category. However, there's no greater success than beating Apple at its own game. Alkali Media, LLC is run by three recent college grads. For three guys fresh out of college with business and advertising degrees, the iPhone marketplace is one of the best places to apply four years of textbook knowledge. Alkali Media's foray into the iPhone market has been focused on branded soundboards. The first of many soundboards has been deemed the "Crudebox." Crudebox consists of 16 high-quality and mildly disgusting sounds. However, it does not contain any sounds more disgusting than the 30+ "I shit myself" applications currently found in the iTunes App Store. Naturally, it was assumed that Apple would approve our application soon after it was submitted.
Six days after the first submission of Crudebox, we received an email stating: We've reviewed CrudeBox and determined that we cannot post this version of your iPhone application to the App Store because it contains objectionable content and is in violation of Section 3.3.12 from the iPhone SDK Agreement which states: "Applications must not contain any obscene, pornographic, offensive or defamatory content or materials of any kind (text, graphics, images, photographs, etc.), or other content or materials that in Apple's reasonable judgement may be found objectionable by iPhone or iPod touch users." Apparently the seemingly tame soundboard, bodily sound effect application was far too offensive for Apple's strict moral guidelines. We unanimously agreed that maybe it was the female orgasm sound that set the app over the edge. The orgasm was replaced with a cartoon-like spring sound. The kind you hear when a male cartoon character finds himself awkwardly aroused. The application was submitted a second time. Seven days later we received word that once again Crudebox was too obscene and offensive for the iTunes App Store. After moving past the inevitable feeling of frustration towards Apple, we decided to poke some fun at Apple's app approval team. What if we were to submit the same sounds as before, except this time around we make the app look extra flamboyant and change the name to the ironically appropriate, Prudebox? Eight days later we received an e-mail from Apple stating that our recently submitted application, Prudebox, has passed the approval process and is now ready for sale. After a name change, and an overtly flamboyant reskin of the application (complete with a pink bunny and a fleeting sunset), we were able to get our app approved. To this day, we're still questioning what sort of quality assurance is in place for Apple's quality assurance team.
I'm sure you can only imagine what other quality apps you've been missing out on thanks to Apple's ever-so-stringent approval process. You can check out our flamboyantly fabulous Prudebox application in the iTunes App store by visiting here (URL: http://bit.ly/SSETT)."
Patents

Submission + - Microsoft 'Invents' Using a Timer to Turn Off TV

theodp writes: "If you've spent any time in a Greyhound Station over the past four decades, you're probably familiar with the concept of timer-controlled TV viewing. And if not, you're certainly aware of the existence of sleep timers on clock radios. Still, this didn't stop Microsoft from claiming three of its employees have invented Time-Based Access Control For An Entertainment Console and asking the USPTO for a patent covering shutting down TV (IPTV) and music (MP3s) after a timer expires. Microsoft better not catch you Penguin-types infringing on this innovation!"
