
Comment: Re:How can foreigners be charged under US law? (Score 1) 107

by IamTheRealMike (#49390185) Attached to: Obama Authorizes Penalties For Foreign Cyber Attackers

it's established that Commanders-in-Chief can freeze the bank accounts of enemies of the US. This did require a statute, the PATRIOT Act, because it would not have been in the toolbox of an 18th-century monarch or George Washington. But now that it's established, and it's widely considered to have been a useful military tool against Al Qaeda, the administration can use it against anyone it thinks is a military opponent.

The case for financial sanctions against Al Qaeda is not as clear-cut as you might think. The cost of 9/11 was in the low tens of thousands of dollars.

Regardless, the US sanctions list includes many non-military targets, and the definition of "terrorist" is so flexible that it can be used to justify punitive non-judicial action against literally anyone. The US constitution specifically forbids laws of attainder, which are laws that specifically enumerate lists of victims. The PATRIOT Act doesn't include an actual list (though the Magnitsky act does), but a law that refers to a list maintained by a bureaucracy under direct command of the President is hardly different given the ban's intent.

Unless you intend any form of punishment at all to be OK against any "military target" i.e. anyone, then no, this sort of thing is not OK.

Comment: Re:How can foreigners be charged under US law? (Score 1) 107

by IamTheRealMike (#49390155) Attached to: Obama Authorizes Penalties For Foreign Cyber Attackers

For those that are wondering how foreigners can be charged with US law, look up "extradition treaty". For those with whom we haven't signed such a treaty, look up "financial sanctions" or "asset forfeiture".

Neither of those things involves charges. That's why they're effective - if they had to be backed by actual charges that went through an actual judicial system, the targets could win cases and get the sanctions dismissed. An arbitrary blacklist is a lot better from the viewpoint of the POTUS and his minions because what are you going to do about it? File an appeal?

This isn't about citizens in other countries simply minding their own business

Pretty staggeringly stupid position. Lots of countries have extradition treaties with the USA, including Germany. If you are OK with the head of the NSA being extradited, charged, found guilty of espionage and imprisoned in Europe or China then go right ahead and say such things ...

Comment: Re:Woop Di Do Da! (Score 1) 229

The government is not writing checks out of the general fund to pay people to drill for oil.

So, the trillions of taxpayer dollars we've spent on wars to protect energy interests just don't count? The hundreds of thousands of lives that were spent in these wars, counting the civilian casualties?

You might have an answer to that question if you weren't one of the "people who don't really understand this stuff".

And you're worried about 30% of the cost of solar panels. You're a special kind of person, you are.

Comment: Re:Woop Di Do Da! (Score 1) 229

Is there any other mainstream technology that repeatedly makes outlandish claims, and just shrugs it off as if it never happened when those claims don't deliver, and yet gets massive taxpayer-sponsored support?

Coal, hydraulic fracturing, the pharmaceutical industry. The defense industry.

Shall I go on?

Comment: Re:Boo hoo (Score 4, Insightful) 234

by IamTheRealMike (#49386095) Attached to: NSA Worried About Recruitment, Post-Snowden

If it is so easy to do this, why haven't the Russian internet criminals rolled anything out on this scale? It seems to me that a platform like this would be all kinds of ideal for criminal purposes.

They have. That is exactly what I just said - Zeus is also a modular, plugin-based malware platform that is developed by Russian/East European fraud gangs. It bears a lot of similarities to the NSA/GCHQ malware platforms in terms of how it gets onto people's systems, general design, etc.

because of the work they do and the requirements that work puts on their infrastructure they were probably into the whole "big data" mindset several years before mainstream commercial, civilian IT companies got there

It's not the case. For instance the NSA scalable data store (Accumulo) is basically a reimplementation of Google's BigTable, and they don't try to hide it. They adopted tech from the civilian space for their own requirements but it wasn't invented there.

With respect to your other points, I never said they don't know what they're doing, only that what they're doing is not particularly interesting and I don't think it will keep the best people interested for more than a few years before they find it becomes humdrum routine. And by "product" you knew perfectly well what I meant - not some crappy in house web app used by a few hundred people who have no other choice, I mean a product that's available in the marketplace which competes for end users, probably consumers or professionals. Something where quality matters.

Comment: Re:Woop Di Do Da! (Score 1) 229

Is there any other technology, besides renewable energy, that makes certain Slashdot readers so darn mad? It's like they would prefer that it just didn't exist.

If you say Apple has 13% of the personal computer market, they're popping corks and doing the peepee dance. If you say a newer technology, solar energy, has reached 5%, while facing enormous geo-political resistance and the enmity of the most powerful corporations in the world, it actually pisses you off for some reason.

I'm curious. What is it about solar energy that spurs such surprising anger among this segment of Slashdot readers? What did solar energy do to you?

Comment: Bullshit non-story (Score 3, Insightful) 40

OK, so we have an article claiming Facebook is tracking everyone for evil advertising purposes, even when logged out. Facebook denies it and says it's garbage.

Let's go do 30 seconds of digging and see who is right, shall we?

  1. Open an incognito window. Open Chrome developer tools.
  2. Load a Facebook "page" (i.e. a product page for some third party product or service)
  3. Be amused by the giant "STOP!" warning printed to the console; apparently people are being tricked into copy/pasting stuff into the developer console to get their accounts hacked.
  4. Observe the cookies that are set.

There are three cookies set. Two of them appear to simply encode the loaded URL and have no ids or other interesting info. The last is the "DATR" cookie. What does DATR do? Well, we know what it does because last time this garbage blew up in the press Facebook explained what it does:

We set the ‘datr’ cookie when a web browser accesses facebook.com (except social plugin iframes), and the cookie helps us identify suspicious login activity and keep users safe. For instance, we use it to flag questionable activity like failed login attempts and attempts to create multiple spam accounts.

(link from here)

So it's an anti-abuse and security feature. Nothing to do with advertising. Also, guess what - such cookies are common across many websites. They are quite useful for detecting spammers. Presumably Facebook tried to explain this to the Belgian regulator in question, but it's just so much better politically for said regulator to pretend they caught some evil company in their terrible advertising habits red-handed, than learn how large websites work.

The problem is the more time the media and government regulators cry wolf over this stuff, the more inclined I am to believe they're all harmful idiots who want to break the web.
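An added example, not part of the comment above, that automates the cookie check the commenter does by hand in the dev tools: parse each Set-Cookie header, flag values that merely echo the loaded URL, and flag long-lived, high-entropy values that could serve as identifiers. The cookie names and values are constructed placeholders, not anything Facebook actually sets.

```javascript
// Constructed sample: the page URL and the Set-Cookie headers a response might carry.
const PAGE_URL = "https://example.com/pages/some-brand";
const SAMPLE_SET_COOKIES = [
  // constructed: value is just the loaded URL, percent-encoded (no identifier)
  "last_page=" + encodeURIComponent(PAGE_URL) + "; Path=/; Secure",
  "referer_hint=" + encodeURIComponent(PAGE_URL) + "; Path=/",
  // constructed: opaque high-entropy value with a two-year lifetime
  "sessid=Qz8kLp2vR7tN4wXb9sJ1mH6yG3cF0dE5; Max-Age=63072000; Path=/; Secure; HttpOnly",
];

// Split one Set-Cookie header into name, raw value and lower-cased attribute map.
function parseSetCookie(line) {
  const [pair, ...attrParts] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1); // flag attrs (HttpOnly) become true
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Shannon entropy in bits per character; random tokens score high, words/URLs low.
function shannonBitsPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Classify a cookie as "url-echo" (just the page URL), "identifier" (long,
// high-entropy) or "other", and report lifetime in days and HttpOnly status.
function classifyCookie(line, pageUrl) {
  const c = parseSetCookie(line);
  let decoded = c.value;
  try { decoded = decodeURIComponent(c.value); } catch (_) { /* keep raw value */ }
  const lifetimeDays = c.attrs["max-age"] ? Number(c.attrs["max-age"]) / 86400 : 0;
  let kind = "other";
  if (decoded === pageUrl) kind = "url-echo";
  else if (c.value.length >= 16 && shannonBitsPerChar(c.value) > 3.5) kind = "identifier";
  return { name: c.name, kind, lifetimeDays, httpOnly: c.attrs.httponly === true };
}

function auditCookies(lines, pageUrl) {
  return lines.map((l) => classifyCookie(l, pageUrl));
}
```

Whether a flagged identifier is an anti-abuse token or an advertising tracker cannot be read off the header alone; the audit only tells you which cookies are worth asking the site operator about.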

Comment: Re:Boo hoo (Score 4, Interesting) 234

by IamTheRealMike (#49385039) Attached to: NSA Worried About Recruitment, Post-Snowden

Yes The Equation Group [arstechnica.com] really seemed "2nd rate" and they sure didn't "make" anything.

TAO is what you would expect to see given a sufficiently large budget spent exclusively on hacking everything possible. The hacks are impressive in the sense that they take a lot of resources and time to develop and it wasn't previously obvious to what extent governments were committing resources to infrastructure subversion. They are not especially impressive from a technical perspective: it's basically a more professional and larger scale version of the types of malware produced by Russian banking fraudsters. Working from that down into BIOS hacks and the like is the inevitable result of spending billions on hackers year after year - they need to keep finding new things to exploit. Interesting, but only because it reinforces the idea that everything seems to be hackable.

But, what kind of people find this work interesting? I can imagine it would be interesting for a few years, especially if you're young and trapped inside a heavily propaganda controlled environment where you're told daily you're the Forces of Good in an epochal struggle against the Axis of Evil. But the amount of technical design work involved is minimal. The level of new technology is minimal. The "research" is simply finding ordinary bugs and flaws in other people's code. People oooh and aaah about the fact that these state malware platforms use a plugin architecture, whilst simultaneously finding the same thing in Photoshop entirely mundane.

Even the data analytics stuff is essentially just an A-B-C application of big data tech originally developed elsewhere, like at Google.

And the advanced maths the NSA is supposed to be famous for hardly shows up in the Snowden documents. It's pretty clear that their success against even crappy crypto is fragile at best (RC4), probably non-existent at worst (AES/strong RSA or anything past it). Their botched attempt to back door Dual-EC DRBG smells of desperation. They wouldn't build huge infrastructures for storing and obtaining stolen private keys if they had the mathematical tools to undo modern ciphers. So I suspect there are a lot of mathematicians at the NSA feeling kind of obsolete these days and wondering what they can contribute.

I'd say the only genuinely technically interesting work the FVEY guys are doing is the way they've been combining passive intercept with active, automated exploitation. QUANTUM is a pretty interesting thing and I'm not aware of anyone discussing anything like it before Snowden's leaks. However, it's also now a done deal. Beyond incremental improvements, there don't seem to be any obvious further directions for that project.

So as a programmer, developing hacks and malware can be entertaining for some years, but eventually I think most skilled people will want to flex their muscles in other ways. They will want to build something instead of break something. The best people will have a broad span of interests. In an organisation like Google or Facebook that's OK - you can work security for a few years, do some exploit research, then go on and transfer to some other project. Or leave but keep your work on your resume. At the NSA? There it's more limited. You can't easily leave the classified world because your work experience is a gaping void. They don't do product development. You will never make something that your family uses. You will never even develop the skills needed to do that.

Stories like this give me some hope that despite its apparently bottomless budget, the NSA can still be beaten technically. They discard most of the qualified people because they aren't US citizens and the ones that are left would be well advised to take a career at a Silicon Valley firm where they can do very similar sorts of work, but for things that are unquestionably useful. If you go do big data analytics or security work in order to fight spam on Gmail (like I did), you don't have to worry about the moral impact of your work - spammers and hackers are unquestionably bad, so booting them off the platform is unquestionably good. If you go do the same work at the NSA you have to worry that the "terrorists" might just be random unlucky guys in Pakistan who were in the wrong place at the wrong time, or that the targets are simply foreign politicians or CEOs .... much murkier stuff.

Comment: And it was really bad in the new SW movies (Score 1) 306

by Sycraft-fu (#49384399) Attached to: Why More 'Star Wars' Actors Don't Become Stars

The actors had nothing to react to and nowhere to go. Basically the whole damn thing was shot on green screen, with a two camera setup. Lucas could just park his ass in his chair, look at the monitors, and do nothing. Makes it hard when you are not only having to imagine the entire set and everything you are supposed to be seeing and reacting to, but also are on a small stage and can't even move around much.

Comment: Also in the original movies (Score 1) 306

by Sycraft-fu (#49384377) Attached to: Why More 'Star Wars' Actors Don't Become Stars

He had a lot of people he was answerable to. Sure he wrote the script for the first one (other screenwriters did the second and third) but it wasn't the Lucas show. The producers worked for the studio, not him, he had others who would question his decisions, make changes, etc. He was in charge only in so far as being the director, who does have a good deal of control, but still plenty of limits.

Not the case for the new three. It was an all-Lucas team. He was in charge, surrounded by yes men and did whatever the fuck he wanted. The result was really bad.
