Comment Re:Update to Godwin's law? (Score 4, Insightful) 575
Almost makes you wonder if it isn't the news reports themselves that are the real terrorist attacks.
Almost makes you wonder if it isn't the news reports themselves that are the real terrorist attacks.
> I'm far more afraid of a terrorist/criminal organization getting access to these back doors, and reading all of the
> encrypted documents that companies (including government contractors) want to secure, than hidden
> communication allowing them to get away.
Well overall, terrorists are the least concern since there are really so few of them and they hardly need this sort of break. If anything, they are helped more by the encryption than hindered by it....but....who cares? They are a minor concern at best, regardless of what they want you to think.
Criminal orgs however, now we are talking. This sort of backdoor can be used for everything from extortion to corperate espionage. I am far more afraid that this will be used by someone with an agenda to find people in positions of power he can blackmail. I am FAR more worried about the influences of modern day J Edgars than a few organized criminals so despised that they need to hide from everyone at every turn already.
Thing is, we would never really even know the extent of the damage done because so much of it would be so quietly kept.
However, this time it was based on a credible threat of reports of pidgeons overheard shortly before the event exclaiming "Coup! Coup!"
The thing is, search and rescue efforts, wildfire inspection, all make sense for this sort of exception; but you are right a blanket "emergency situation" may as well be no requirement at all because anything can be viewed as an emergency and anyone claiming emergency is almost always given the benefit of the doubt for anything short of an outright hoax.
> Another technique would be leaking a fake script, claiming to have read a draft manuscript, etc.
Of course, the interesting thing about this techinique is you can only tell it if it fails to work, because the case where it works, and the case where it fails but the desired result was going to happen anyway are indistinguishable unless the author actually pipes up and comments on it.
This reminds me of a friend of mine who used to flash his high beams erratically as he came up to red lights because he knew thats how the fire trucks signal to give them a green. I tried to tell him that there was no way this was going to work, but he was convinced it did because....of course.... fairly often he would flash his lights and the light would turn green for him....
I do the same thing with my hand pretending I have the force....it "works" pretty well too. Which is to say....the light always changes.
I really have to say, deus ex machina endings are one of my personal pet peeves across literature, its the hallmark of lazy uninteresting story telling. In fact, about the only place I was amused to see one was at the end of the one Deus Ex game I played to the end.... and not because I thought it was even particularly good, it wasn't, its just.... its the name of the game, so its at least amusing in that one context.
Then please explain why the single most common reason for a person to be fired from the entire network of hospitals I worked for was inappropriate records access? Perhaps you would like to tell me why one of the major projects then was to move from offline records access auditing to real time auditing and flagging?
Perhaps you might have some insight into how it failed by causing us to start encrypting all of our laptops? \
The problem with healthcare is momentum. Its huge, there is a lot of it, and its highly federated and highly disorganized.In fact its often less a case of "we don't care" and more a case that they tend to be in over their heads keeping up with the infrastructure they have and the way its growing, and balk at allocating more resources to IT, since it already has eaten up more than they naively expected.
I have had to watch entire presentations that boil down to "we want to generate terabytes of data at an alarming rate and we don't see why it should cost very much based on just ignoring any other costs and looking at hard drive prices"
Seriously, the disconnect in healthcare is serious, and I agree the law is only somewhat helping but.... fact is the institutions really are scared of the penalties and those penalties really do trump their other considerations many times.
Its not perfect, but, on the security front, I have to say, I really think nearly all forward progress on security in healthcare can be directly attributed to it. I mean, I can think of a few minor exceptions like.... general concern about certain rare but frightening events like baby swaps or thefts that caused a good bit of increased security around birthing areas, but aside from that, I can't think of much that wasn't directly HIPAA requirement driven.
Why, yes it would, that is a good point. That was hardly the only real issue.
To add insult to injury, it would change the password by generating ldiff files, and storing them in
Which, is pretty much why I just verified it could be exploited to touch a file in tmp and immediately began re-writing it.
I don't disagree that it has problems but, lets not pretend that things were better without it. I worked for several years in healthcare IT. I was there when we started encrypting our laptops by policy.... it was because of HIPAA. Prior to that, there were no exceptions.
A good part of the problem is that hospitals grew up doing their own systems support for medical devices and tried to grow IT out of that, and they tend to be non-profits that budget their departments like universities do. Its a huge mess.
They just never cared about security because they built up their entire system for a single purpose of providing medical care, they were so focused on that the idea that they were exposing themselves was an afterthought, security has always been an afterthought in the the industry that brought us the word "triage"
Yes but the intent wasn't to exploit so much as to have a way to raise a flag when connecting to a vulnerable system, so as to know it still needs updating.
If you think that is bad, you should see the parts I didn't mention, the contents of that if statement was something like "$ERRORNO = 101"
The structure of the program was very simple....it had 4 functions which were called in sequence, each one would set global variables, which would be read by the other. So, if ERRORNO was set, a whole nother function with a whole different big if statement block would then print out the error message..... which is why I opened the code up...one of the errors was wrong.
So basically, it was written in the era of perl 5, to a perl 4 standard, by someone who really liked BASIC.
I was actually just thinking another way to use this might be to have ssh pass x='() {
> I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.
lol well, as annoying as they can be, I have beaten a fork bomb before without rebooting so, I was confident enough after a quick perusal to not be afraid, especially since....come on, the function isn't even being called how can it possibly exec.....fuck
I have to admit, my suspicous old self had to spend a minute making sure this wasn't a fork bomb. Which, I have to say, this would be the perfect thread for if you were into that sort of mischief. In any case, yah that shouldn't worl. That really shouldn't work at all.
Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.
That said, you know someone does this. Hell, I have had to deal with web applications written mostly in shell and did much of their processing in shell.... the only thing that really topped it for idiocy was when I dove into some perl4 code for a password change form and found this gem:
$password = $q->param('password');
if "`grep $password
}
No taint checking, nothing, just shell out with whatever someone put in the form. I loaded it up and added a "; touch
Kleeneness is next to Godelness.
