Comment: Re:its a tough subject (Score 5, Insightful) 634

by Minupla (#48883613) Attached to: Should Disney Require Its Employees To Be Vaccinated?

Sure, over an evolutionary timespan. Assuming that the diseases in question kill before you can give birth, and that they kill enough of the population to be impactful in an evolutionary sense.

Call me soft though, I'd prefer we solve this problem in something less than an evolutionary timescale. I kinda care about the kids who'd die otherwise.

Min

Comment: Re:Absolutely fair.. (Score 4, Interesting) 114

by Minupla (#48883271) Attached to: Apple Agrees To Chinese Security Audits of Its Products

Hrmm, this might work out well for us non-govt people.

Consider:

NSA: "Apple, you must let us 'review' your code. We'll keep our findings to ourselves, you can't tell anyone."
Apple: "OK"
NSA digs through code, finds exploits, locks them up for future weaponization ...
China: "Apple, we'd like to 'review' your code. We're going to tell the world about it."
Apple: "OK"
NSA: "Crap, now those evyl Chinese will find our exploits. Darn, I guess we'd better tell Apple to fix them after all or the Chinese will be spying on us!"

At the end of the day, the best we can hope for is that the various spooks keep each other honest.

Min

Comment: Re:Time for the Ransomware (Score 1) 199

by Minupla (#48865621) Attached to: Insurance Company Dongles Don't Offer Much Assurance Against Hacking

Sadly the relevant research shows that while you would like this to be the case, it isn't.

If you'd like to know more, look at the defcon conference videos for the last few years.

Just as a for example, I'll direct you to this article:

http://www.nytimes.com/2011/03...

There was also a talk this last year that went into the architectural design of the car's network, and showed that in most cases there was no device between the head-end unit and the sensitive items in a car, and where there was it wasn't a security device, merely a signal management unit, and the presenter expected to be able to jump it. But again, typically if you get access to the bus, you can talk to anything you want. There was also a lovely bonus bit where they showed you could update the unit to an arbitrary unsigned firmware due to some sloppiness in the process. (If you cut the power at the right time, the recovery process didn't do the appropriate checks. Once they got in and could analyze the Python scripts being used, they discovered that if you wrote a specific character (I think D, but my memory could be playing tricks on me) to the right sector of the CD, it would bypass the signature checks and just update the firmware.)

Engineers are generally smart, but they also tend to design to the specifications. If you don't TELL them to consider an attacker in their designs, they don't.

Min

Comment: Re:Time for the Ransomware (Score 1) 199

by Minupla (#48847509) Attached to: Insurance Company Dongles Don't Offer Much Assurance Against Hacking

No need to do such extreme damage, when the same effect can be achieved with a simple fuse on the positive voltage line of the port. Suspicious activity? Burn the fuse-- BAM-- port is dead, but easily fixed.

Doesn't protect against other attack avenues that have either been hypothesized or demo'd though. The entertainment unit always seems popular. Trojaned CD in the player, for example, or an exploit against the Bluetooth system. Hey, I wonder what happens to that cute bit of software that displays what song the FM station is playing if the station sends YourPawnedxxxxxxxxxx....?

I'm not sure most of the security sector put it together that someone might voluntarily install their own remotely exploitable device into the bus in sufficient numbers to be interesting. Guess we should know better than to underestimate the power of a discount!

(I do agree with the rest of your post btw.)

Min

Comment: Re:Time for the Ransomware (Score 4, Insightful) 199

by Minupla (#48847285) Attached to: Insurance Company Dongles Don't Offer Much Assurance Against Hacking

Just as a point of interest, there was a talk at Defcon last year where someone built an IPS (intrusion prevention system) for the bus of the car. It turns out that the communication matrix for a car is a very static system. The parts of a car that communicate with each other do so often (e.g. engine controller and injection system), and predictably. Other parts that don't (e.g. the entertainment system, or that OBD-II plug from the insurance company, and the traction control system) never do. So it's possible to build a device that models the system by listening on the bus and, if it suddenly sees new traffic patterns, shorts out the bus, leaving you with a less smart, but still on 4 wheels and not careening into oncoming traffic, car.

Seems like something the OEMs should be looking into.

Min
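Added example (not code from the talk, the commenter, or any OEM): a toy version of the bus-modelling IPS described in the comment above, written to show the two signals it relies on. During a learning window it records which arbitration IDs appear on the bus, the payload length each one uses, and the median inter-arrival time per ID. Afterwards a frame is flagged if its ID was never seen (e.g. a diagnostic request from a dongle), if its payload length changes, or if it arrives much sooner than the learned period (an injected copy squeezed in between the real periodic frames). The bus trace, the IDs (0x0C0, 0x1A0, 0x7DF), the periods and the 50 % tolerance are all constructed for the example; a real device would sit on the physical bus and act (short the bus, as the talk describes) instead of returning a verdict string.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Frame:
    ts: float      # receive timestamp in seconds (constructed for the example)
    can_id: int    # 11-bit arbitration ID
    data: bytes    # 0..8 payload bytes (classic CAN)


@dataclass
class Profile:
    period: Optional[float]   # learned median inter-arrival time; None if too few samples
    dlcs: frozenset           # payload lengths seen for this ID during learning


class CanAnomalyDetector:
    """Learns which IDs talk and how often, then flags frames that break the pattern."""

    def __init__(self, tolerance: float = 0.5, min_gaps: int = 2):
        self.tolerance = tolerance   # fraction of the period a frame may arrive early
        self.min_gaps = min_gaps     # inter-arrival gaps needed before a period is trusted
        self.profiles: dict[int, Profile] = {}
        self.last_seen: dict[int, float] = {}

    def learn(self, baseline: list[Frame]) -> None:
        stamps = defaultdict(list)
        dlcs = defaultdict(set)
        for f in baseline:
            stamps[f.can_id].append(f.ts)
            dlcs[f.can_id].add(len(f.data))
        for cid, ts in stamps.items():
            ts.sort()
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            period = median(gaps) if len(gaps) >= self.min_gaps else None
            self.profiles[cid] = Profile(period, frozenset(dlcs[cid]))

    def check(self, f: Frame) -> Optional[str]:
        """Return a verdict for an anomalous frame, or None if it fits the learned model."""
        p = self.profiles.get(f.can_id)
        if p is None:
            return "unknown-id"          # nobody on this bus ever sent this ID
        if len(f.data) not in p.dlcs:
            return "dlc-change"          # same ID, different payload shape
        last = self.last_seen.get(f.can_id)
        if last is not None and p.period is not None:
            if f.ts - last < p.period * (1.0 - self.tolerance):
                return "too-fast"        # an extra copy between two periodic frames
        self.last_seen[f.can_id] = f.ts  # only accepted frames advance the per-ID clock
        return None


def build_baseline() -> list[Frame]:
    """Constructed one-second capture: two periodic senders, nothing else on the bus."""
    frames = [Frame(i / 100, 0x0C0, bytes(8)) for i in range(100)]   # every 10 ms
    frames += [Frame(i / 20, 0x1A0, bytes(8)) for i in range(20)]    # every 50 ms
    return sorted(frames, key=lambda f: f.ts)


def build_monitored() -> list[Frame]:
    """Constructed traffic after learning: normal frames plus three intrusions."""
    return [
        Frame(1.000, 0x0C0, bytes(8)),
        Frame(1.003, 0x0C0, bytes([0x7F] * 8)),                           # injected copy, 3 ms early
        Frame(1.010, 0x0C0, bytes(8)),
        Frame(1.012, 0x7DF, bytes([0x02, 0x10, 0x03, 0, 0, 0, 0, 0])),   # ID never seen in baseline
        Frame(1.050, 0x1A0, bytes(8)),
        Frame(1.055, 0x1A0, bytes(2)),                                    # known ID, wrong length
        Frame(1.100, 0x1A0, bytes(8)),
    ]


def run_detector() -> list[tuple[float, int, str]]:
    """Learn from the baseline, then return (ts, id, verdict) for every flagged frame."""
    det = CanAnomalyDetector()
    det.learn(build_baseline())
    alerts = []
    for f in build_monitored():
        verdict = det.check(f)
        if verdict:
            alerts.append((f.ts, f.can_id, verdict))
    return alerts


if __name__ == "__main__":
    for ts, cid, why in run_detector():
        print(f"t={ts:.3f}s id=0x{cid:03X} {why}")
```

The timing check only compares against the last accepted frame of the same ID, so a legitimate frame following an injected one is not itself flagged; the comment's real IPS would already have shorted the bus by then anyway. A richer model would also learn which IDs follow which (the request/response pairs between ECUs), since a spoofed frame with the right ID, length and timing still passes this version.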

Comment: Re:some things for any judge to consider (Score 3, Interesting) 67

by Minupla (#48827981) Attached to: Simple Rogue WiFi Hotspot Captures High Profile Data

An open network connection at a security conference. That's either a honeypot or a freebie.

This. At the security conference I attend (Defcon), assuming you got drunk enough to be dumb enough to connect to an open hotspot, you'd be thanking your lucky stars if the worst that happened to you was getting on the Wall of Sheep (which is essentially the same stunt this guy pulled, with the information projected on a wall for everyone to see). I personally VPN *everything* during that week, and if I absolutely have to connect to a work system, I drive to a random McDs outside of the conference and do my VPNing from there (it's usually faster and more reliable than any network at the conference too, since it's not the prize in a big game of Spy vs Spy).

Min

Comment: Re:Practical certs like GIAC help and hold value (Score 1) 317

by Minupla (#48552261) Attached to: Ask Slashdot: Are Any Certifications Worth Going For?

+1 to CISSP. I had essentially the same experience as the OP, and decided that being an IS manager was tedious. I went and wrote my CISSP, got 'lucky' a couple of times with breach issues and poof, 5 yrs later I'm a Sr Infosec Manager.

While it doesn't have a practical component, I've met very few people who honestly say they left the exam knowing if they passed or failed. Most nerve-wracking test I've ever sat for anyways. And most of infosec (absent specialties such as pentest, and even then arguably) is 90% thinking anyways. Very seldom is it important to know what command to type. Much more important to know the theory like the back of your hand.

All that having been said, if you don't like handling people, infosec is likely a poor fit. You'll top out soon if you can't have a coherent argument with someone that doesn't degenerate into "Because I said so".

Min

Comment: I've hired people with misdemeanors before (Score 4, Informative) 720

by Minupla (#48542609) Attached to: Ask Slashdot: Can a Felon Work In IT?

I've hired people with misdemeanors before.

Be honest about the crime, don't have it be a surprise that I find out during the background check part of the hiring process.

I also know other managers who've done the same. It's tough to find good people. A drug offense 5 yrs ago, with proof of a completed drug treatment program for instance, isn't going to stop me from hiring a good IT worker.

Min

Comment: Re: Check your local community first (Score 1) 112

by Minupla (#48395405) Attached to: Ask Slashdot: Who's the Doctors Without Borders of Technology?

I did YKnet around the same era then, out of Whitehorse. Set up an 8-line dial-up POP in Old Crow, using bonded analog sat channels.

I also did a stint down in the Eastern Caribbean. I remember the bribes, favors, etc. required to get a UPS from the dock to our building, and members of our team blocking off the main drag in town while we used the (borrowed) cargo forklift from the docks to lift the UPS up the side of the building. While we were discussing how to get it in the window the forklift driver disappeared, leaving the UPS balancing on top of a power pole. Driver was asleep under the lift, waiting for the ex-pats to make up their minds.

Cricket games were something else too!

Min

+ - Silk Road 2.0 Seized By FBI, Alleged Founder Arrested In San Francisco

Submitted by blottsie
blottsie (3618811) writes "The FBI has arrested the online persona 'Defcon,' identified as Blake Benthall, a 26-year-old in San Francisco, who the agency claims ran the massive online black market Silk Road 2.0. Benthall's FBI arrest comes a year after that of Ross Ulbricht, also from San Francisco, who is the alleged mastermind of the original Silk Road and is still awaiting trial.

The largest of those reported down is Silk Road 2.0. But a host of smaller markets also seized by law enforcement include Appaca, BlueSky, Cloud9, Hydra, Onionshop, Pandora, and TheHub."
