Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Re:Some Real Advice (Score 1) 81

by Burz (#49153843) Attached to: OPSEC For Activists, Because Encryption Is No Guarantee

You've got the wrong impression of BadUSB as impersonating a HID certainly isn't required. USB is fundamentally insecure in a number of ways...

https://www.blackhat.com/prese...

http://media.blackhat.com/bh-d...

https://srlabs.de/blog/wp-cont...

When the USB drivers themselves can be attacked with malformed protocol data there is a fairly direct channel to gaining access to the whole system. Also a USB drive controller can make itself look like an internal drive, meaning that DMA (yes, USB supports DMA) restrictions get lifted and then you have a hole in security similar to Firewire.

As for filesystem attacks being 'rare', that's only because other attacks (esp. remote) have offered so much opportunity to attackers. If an attacker wants an offline mode of exploitation then filesystems -- being complex data formats themselves -- then filesystems are a wide-open field of opportunity.

Comment: Re:Some Real Advice (Score 1) 81

by Burz (#49148981) Attached to: OPSEC For Activists, Because Encryption Is No Guarantee

Due to risks like BadUSB, or even attacks using the filesystem itself, those methods carry risk of exploiting the air-gapped system.

IMO, its actually better to use an isolating OS like Qubes because it uses a simplified and hardened protocol for data transfer between domains. Even copy-and-paste between domains has been hardened. It can isolate USB controllers and external disks at the hardware level using the IOMMU/VT-d feature in newer chipsets.

Comment: Re:Some Real Advice (Score 1) 81

by Burz (#49148705) Attached to: OPSEC For Activists, Because Encryption Is No Guarantee

- Firejail. Google it. Won't protect you against local kernel privilege escalation attacks, though.

Yes, contingency planning is good. Yes, single points of failure are bad. But you can get very, very good communication security if you really try.

Qubes OS should protect you against privilege escalation *and* VM breakout attacks where sandboxes like 'Firejail' do not. Its a hardened hypervisor-based desktop OS that isolates elements like graphics and network IO from each other using a system's IOMMU if necessary. Its single-user, and all security is implemented using the hypervisor.

Qubes is put out by white-hat hacker group Invisible Things Lab who switched their focus when they saw the need to do something about endpoint security. Their philosophy is to use the strongest means possible for isolation short of airgapping as a way to manage the complexity (large attack surface) of the personal computing environment; The security models of monolithic OS kernels

A bonus of isolating all the risky activities away from the graphics system is exposition: The windowing system becomes a reliable means to represent security context using window-frame colors and domain labels assigned by the user to the various VM domains.

Comment: Re:Moxie's security advice to me: (Score 2) 299

by Burz (#49129311) Attached to: Moxie Marlinspike: GPG Has Run Its Course

I'll grant that Enigmail rectifies the display problem ...but Enigmail is neither the OS nor the application. By default, the uninitiated will see gross text and that is because (as I said) crypto isn't given first-class treatment in UIs.

TB sans Enigmail could at a bare minimum parse the guard lines and fold the contents into something like the UI for attachments. Or it could just incorporate Enigmail functions in the main program.

Comment: Re:Moxie's security advice to me: (Score 2) 299

by Burz (#49125989) Attached to: Moxie Marlinspike: GPG Has Run Its Course

I'd like to add that I hate PGP signatures in email messages, too.

There is a lot that's wrong with the UI elements surrounding the crypto. For one, the operating systems and apps do not treat keys and sigs as first-class objects; they always end up looking like inlined ASCII barf, or little text files that have no informative icon + tooltips or associated apps. The presentation of crypto to the user practically begs the user to ignore it.

This is even true when you look as certs in web browsers. They are a monumental opportunity to educate people about crypto and give people the sense that crypto objects are tangible things, but the best we have seen are padlock icons in the address bar (while the handling of non-CA certs became fubar'ed with alarmist FUD warnings, further discouraging people from storing/managing public keys on their own).

With that said, I have to wonder if Moxie's outburst was somehow prompted by GPG's sudden funding windfall.

Comment: Moxie's security advice to me: (Score 4, Interesting) 299

by Burz (#49125897) Attached to: Moxie Marlinspike: GPG Has Run Its Course

I simply asked him -- in a private email -- if there was a signature for Convergence someplace because I didn't see any online.

He accused me of being "inflammatory" and stated it was necessary to "take a leap of faith" (i.e. download and run it without verification). This was back in 2012, mind you. He appeared to be oddly anti-PGP back then, too.

Frankly, after that I had no appetite for any more of his, erm, style and forgot about Convergence. Years later, I had to abandon DoNotTrackMe (by a Moxie-run company, Abine) nee 'Blur' for Ghostery instead when the former got an update that kept hogging the CPU. An email to Abine just yielded a response to keep updating Blur, but the problem never went away.

Comment: Actually (Score 1) 126

by Burz (#49125539) Attached to: Patent Troll Wins $15.7M From Samsung By Claiming To Own Bluetooth

Nurse Quarantined By Christie Comes Back To Haunt Him On Vaccines

Parents Fighting Against Gov't. Vaccination Agenda - The John Birch Society

Scott Brown Rents Out Email List To Anti-Vaccine Conspiracy Theorist

And lets not forget the John Birch-er conspiracy theory that fluoridated drinking water is a government attempt at mind control (whether or not certain fluoride compounds cause problems, the conspiracy angle is irrational).

And lets not forget that, in general, denial of medical care on religious grounds is far and away dominated by right wing religious affiliation.

So, by eliding the nuclear and GMO issues with vaccines (or other medical care) you're trying to erect a rather disingenuous straw man. If anything seems to go hand-in-hand with anti-vaccination sentiment, its freemarket ideology among the "sovereign individuals" crowd. I think Rand Paul would agree.

Have a nice day.

Comment: Mod Parent UP Please! (Score 1) 82

by Burz (#49117141) Attached to: Apple To Invest $2B Building Green Data Centers In Ireland and Denmark

You should read up on the irish-dutch sandwitch tax dodge. That is exactly what they are doing.

http://www.investopedia.com/te...

"DEFINITION of 'Double Irish With A Dutch Sandwich'

A tax avoidance technique employed by certain large corporations, involving the use of a combination of Irish and Dutch subsidiary companies to shift profits to low or no tax jurisdictions. The double Irish with a Dutch sandwich technique involves sending profits first through one Irish company, then to a Dutch company and finally to a second Irish company headquartered in a tax haven. This technique has allowed certain corporations to dramatically reduce their overall corporate tax rates."

Comment: Re:Drama queen (Score 1) 196

by Burz (#49054377) Attached to: Firefox To Mandate Extension Signing

Signing doesn't change in any way whether AdBlock Plus can be blocked or not. We get complaints about it on occasion and it's still hosted on the official add-ons site.

Its not the same thing, and I'd hope you would have the sense to realize that.

Blacklisting an addon requires an action on the part of Mozilla. But now with the way the signing requirement appears to be implemented, the use of new or unusual addons can be stopped by simple neglect on Mozilla's part... LACK OF AN ACTION will now block addons!

And even that would be OK with me if you gave the user some way to click some extra buttons or context menus to make an exception as is done in Windows and OS X.

But no..... lets be inspired by iPhones and iPads.

Comment: Re:Drama queen (Score 1) 196

by Burz (#49054337) Attached to: Firefox To Mandate Extension Signing

I'm in favor of signing as a way to protect against MITM attacks when installing or updating addons. And I think Mozilla curating its own AMO site is a good thing. These two practices, implemented together flexibly, would be a boon a Firefox users if Mozilla had the sense to arrive that decision.

However, the way you're implementing this is cutting across PC culture by giving the user no recourse. That is a big mistake. Whether you intend it or not, a de-facto walled garden is still a walled garden.

Neither Windows nor OS X completely tie the users' hands when encountering un-signed programs, and there are good reasons for this.

Comment: Developers like a solid platform (Score 1) 140

by Burz (#49002833) Attached to: Why It's Important That the New Ubuntu Phone Won't Rely On Apps

...that makes neat features accessible to both developers and users.

And by "solid platform", I mean something that demonstrates a consistent philosophy and design from the UI and APIs down through the kernel and the hardware.

There should also be a specification (like Multi-Media PC was for Microsoft in the 90s) of what a minimum hardware configuration should look like for a given platform (mobile, desktop, etc) to support most of the apps users will find enticing.

If you build a consistent, feature-stable platform with neat features the app developers will come. Maybe not in droves, but you will start seeing some very interesting new ideas and apps written by the sort of people who do NOT like to tinker with kernel options in grub.cfg or have to dig through /etc with a text editor to get things working.

Tim Berners Lee wrote the first web browser on the NeXT platform which had a tiny user base. Now Ubuntu is trying to compete with iOS, which is the progeny of NeXT.

+ - New Microsoft iOS and Android Outlook Apps cache your email and credentials->

Submitted by Anonymous Coward
An anonymous reader writes "New Microsoft Outlook Apps cache your credentials and *temporarily* store all incoming and outgoing mail. Outside of the obvious corporate security concerns, even for those outside the US, this mean sends and stores all your mail and passwords on US servers even if you are connecting to a private exchange server."
Link to Original Source

Comment: Re:Umm..and telnet is insecure. (Score 1) 375

by Burz (#48938111) Attached to: Why Screen Lockers On X11 Cannot Be Secure

Qubes handles video playback just fine even at FHD (although within a frame, to show security context).

The MS Office website says Excel requires DirectX "for acceleration". IOW, it runs without acceleration if DirectX hardware is not available. Its not something I really notice, given that Excel mainly deals with text on a grid.

If you really need 3D, Qubes can handle it as long as you supply an additional GPU that behaves well with an IOMMU, such as an Nvidia Quadro. Otherwise, you have to wait for ITL to incorporate GPU virtualization into the Qubes codebase... but virtual GPU tech has only been demonstrated by GPU vendors very recently.

Granted, 3D is an important feature in PCs today, but the inability to /safely/ incorporate it thus far highlights the kind of negligence that has held sway in the computer industry.

You'll have more luck 3D-wise with a Hyper-V server combined with Windows new RemoteFX technology. I know that this is unpopular option, and if anyone can set me straight on hypervisors and 3D for Windows guests not running on Windows hypervisors, please do. I've researched KVM, LXD, Jailhouse, or ESX, and of those, only ESX has experimental Windows 3D guest support.

Most hypervisors are designed for the convenience of users and sysadmins to either run another OS, or better manage server resources... Securing desktop PC features is secondary at best with them.

The less time planning, the more time programming.

Working...