
Comment: Re:This (Score 1) 142 142

Encryption or not, if I had access to the internal network, how long until I had the DB system account credentials? Then I can bypass all the data access rules, or even create database clones and start stripping the logs. The possibilities are numerous. Then feed the data out a bit at a time.

More than likely it's not that nefarious or complicated. Someone did a bit of social engineering and got lucky or planned to get a very close set of credentials. Then physically walked in and grabbed the data. You don't even need the whole database. It's possibly a couple of HR or project tables.

tl;dr Encryption wouldn't have stopped this when the crackers had internal access.

But what they are saying is "Encryption wouldn't have helped," which is a lie. It would have helped; it would have made this a lot more difficult. It would still have been possible, just a lot harder. Stop furthering the myth that hackers have magic powers. This stuff is preventable.

Comment: Re:This (Score 1) 142 142

Encryption or not, if I had access to the internal network, how long until I had the DB system account credentials? Then I can bypass all the data access rules, or even create database clones and start stripping the logs. The possibilities are numerous. Then feed the data out a bit at a time.

More than likely it's not that nefarious or complicated. Someone did a bit of social engineering and got lucky or planned to get a very close set of credentials. Then physically walked in and grabbed the data. You don't even need the whole database. It's possibly a couple of HR or project tables.

tl;dr Encryption wouldn't have stopped this when the crackers had internal access.

But what they are saying is "Encryption wouldn't have helped," which is a lie. It would have helped; it would have made this a lot more difficult. It would still have been possible, just a lot harder.

Comment: Re:This (Score 1) 142 142

Right, encryption would have prevented:
Select * from employee records;

Forcing the attacker to go through a service that decrypted the data first would have forced them to send every row through that service before getting the data. THAT activity would be truly trivial to detect. "Hey, Fred just ran a lookup on every spy we have in Russia... Fred? Hey, Fred's on vacation!"

Even more trivial would have been designing the service to only allow 1 request per user per second. This would have almost no effect on a real user, but would severely handicap a scripted attack. They'd only get 86k records a day. And if you had any sort of monitoring in place, at all, you'd hope to catch them within 12 hrs.
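The decryption gateway the comment above describes, as an added example (not code from the poster or from any real system): every row must pass through one service, which enforces a per-user minimum interval between decryptions and raises an alert when one user touches an unusual number of distinct records inside a window. The employee table, the user name "fred", the thresholds and the base64 "ciphertext" are all constructed for the demo; base64 is only a stand-in for real encryption at rest, since a production gateway would call an HSM or KMS and the point here is the gate in front of the data, not the cipher.

```python
import base64
from collections import defaultdict, deque

# Constructed sample table. The values play the role of the encrypted column;
# base64 is a stand-in for real encryption at rest, not a cipher.
EMPLOYEE_RECORDS = {
    i: base64.b64encode(f"employee-{i}: sensitive record".encode()).decode()
    for i in range(1, 101)
}


def decrypt_stub(ciphertext: str) -> str:
    """Stand-in for the real decryption call (HSM/KMS in production)."""
    return base64.b64decode(ciphertext).decode()


class DecryptGateway:
    """The only path from the encrypted table to plaintext: every row goes through fetch()."""

    def __init__(self, min_interval=1.0, bulk_threshold=50, bulk_window=3600.0):
        self.min_interval = min_interval      # seconds between allowed requests per user
        self.bulk_threshold = bulk_threshold  # distinct records per window that trips an alert
        self.bulk_window = bulk_window        # seconds
        self.last_request = {}                # user -> timestamp of last allowed request
        self.recent = defaultdict(deque)      # user -> (timestamp, record_id) inside window
        self.audit_log = []                   # every decision, allowed or not
        self.alerts = []                      # (user, distinct_records, timestamp)

    def fetch(self, user, record_id, now):
        """Decrypt one record for one user at time `now` (injected for determinism)."""
        # 1. Per-user rate limit: at most one decryption per min_interval seconds.
        last = self.last_request.get(user)
        if last is not None and now - last < self.min_interval:
            self.audit_log.append((now, user, record_id, "RATE_LIMITED"))
            return "RATE_LIMITED", None
        self.last_request[user] = now

        # 2. Remember the access and drop events that have aged out of the window.
        q = self.recent[user]
        q.append((now, record_id))
        while q and now - q[0][0] > self.bulk_window:
            q.popleft()

        # 3. Bulk-access detection: one user reading many distinct records.
        distinct = len({rid for _, rid in q})
        if distinct >= self.bulk_threshold:
            self.alerts.append((user, distinct, now))

        if record_id not in EMPLOYEE_RECORDS:
            self.audit_log.append((now, user, record_id, "NOT_FOUND"))
            return "NOT_FOUND", None
        self.audit_log.append((now, user, record_id, "OK"))
        return "OK", decrypt_stub(EMPLOYEE_RECORDS[record_id])


def daily_ceiling(min_interval=1.0):
    """Most rows a single account can pull in a day under the interval limit."""
    return int(86400 / min_interval)


def simulate_script(gw, user="fred", start=0.0, records=range(1, 61), interval=1.0):
    """Scripted client dumping rows as fast as the gateway permits; returns rows decrypted."""
    got = 0
    for i, rid in enumerate(records):
        status, _ = gw.fetch(user, rid, start + i * interval)
        if status == "OK":
            got += 1
    return got


if __name__ == "__main__":
    gw = DecryptGateway(bulk_threshold=50)
    print("rows the script got:", simulate_script(gw))
    print("first alert:", gw.alerts[0] if gw.alerts else None)
    print("daily ceiling at 1 req/s:", daily_ceiling())
```

The interval limit is what caps a scripted dump at roughly 86k rows a day; the alert is what turns the dump into something a human notices long before that, because a real user rarely touches dozens of distinct records in an hour while a script touches one per second until stopped.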

Comment: Re:Fired? (Score 1) 142 142

When I worked at AT&T about 15 yrs ago, our department was required to have our passwords printed (for easier reading) and hung up in our cubes. People were regularly written up when they changed their passwords and forgot to hang up a new one. The ticketing system they were using didn't allow one employee to see another employee's workload, so if you were out sick, the only way they could check your stuff was to log in as you.

The password I hung up was intentionally wrong. I never called in sick, ever... if I had to I'd come in for an hour, take care of my stuff, then leave... When I went on vacation, I'd change the password before I left and hang it up, then change it back before I did anything else so I could encapsulate any activity that took place that wasn't my own. Some of us do care, most don't.

Comment: Re:Bullshit (Score 1) 401 401

Defamation = speech. Limiting it is limiting free speech. I'm not sure I like it, but trying to control defamation leads to all sorts of far less palatable scenarios. I had a stalker a long time ago... it was very irritating... but I still don't support the sorts of legislation that would have stopped her. Because that sort of legislation would be used for all sorts of evil things that had nothing to do with preventing me from being annoyed by a crazy lady.

Comment: Re:This is evil! (Score 5, Interesting) 90 90

Your sarcasm aside, from TFA it looks like the town in question borrowed ~$1900 per person (NOT per household) to put in the system. They'll get that back with taxes eventually, but it's not clear whether the taxes will be on the locals or Statewide. Assuming a five year note, average household size of four, and the costs paid entirely by the locals, that should about double the $65/month that is the nominal cost of the system.

It says it's a town of 1900 people at the top, 800 premises so an average of 2.4 per household. They're borrowing $3.6 million which works out to $4500/household, but five years is generally too short. Most estimate that a buried fiber will last 30-40 years, if we say 20 years then it's an extra $20/month in taxes. Seems like a fair price, near my cabin they're building out to ~1200 premises for $5.2 million with a mix of government funding and extra sign-up fee, though the most part is covered by the fiber company who'll profit for decades to come. Still, if all goes according to plan I can get gigabit there at the end of the year and "only" 100 Mbit at home...

I work for an ISP. You're wrong on almost every point.

Most infrastructure repair costs are for what we jokingly call the "Backhoe disconnect".
We're talking upwards of 90% of our repair costs are construction related. And before you say it, no, they don't pay us back for it. It's almost always the city that cuts the cable, they can't afford to pay us, and if we tried to make them they'd issue a press release the next day stating "We're laying off 1 police officer and 2 kindergarten teachers to pay off your Nazi ISP, sorry" and we'd be driven out of town with pitchforks.

Further, fiber does have a lot of longevity, you are correct there. But what doesn't have a lot of longevity is wired internet service as a whole. By 2025 we'll start seeing the first 5G cellular plans; they'll offer 1 gig+ service for a lower price and using less spectrum than 4G. When that comes along, the residential side of my industry will die. The financial people have to plan for that, and would be idiots if they approved infrastructure projects to invest in that part of the business. We'll still have a lot of business services, and we are, of course, the trunks between those cellular towers. But the industry as a whole has been exiting the residential market lately. It's becoming less and less profitable. Even television services are a losing proposition. The tiered television services ensure that TV is VERY expensive and the only people getting those profits are the channel executives. This is why all the cable companies are trying to merge now... they want to be big enough to fight those big content providers like Viacom.

Long story short, focus your ire on the cellular industry. They will be your ISP in 10 to 20 years and you'll have forgotten all about us.

Comment: Re:Who the fuck would use something like that? (Score 1) 206 206

I know. That's just a disaster waiting to happen. "We got hacked." "You don't say ..."

For the first and last time:

ANYTHING on the internet is NOT secure

Use a local password manager.

Well, now that we have the word of someone that has absolutely no clue how infosec works I guess it's case closed right?

As far as how secure this service is... well... meh? Who the hell knows. Would I keep the launch codes there? No. My password for that Cartoon Network? Sure. The point is, you seem to be claiming that your local hard drive is safer than a web service literally dedicated to security. That's laughable to say the least. IF this site really is what it claims to be, then it's definitely more secure than your local hard drive, but certainly not as secure as simply memorizing the password.

The concern I would have immediately would be that you have to trust that vendor. Are they located in the US (or whichever country you live in so you can sue them) and subject to the jurisdiction of US courts should they turn out to be bad actors? And almost more importantly, do they keep all of their data on US servers? Being headquartered in the US but outsourcing your database to China would kind of defeat the purpose right?

When you get down to it, when you get into big-time security in major corporations, it's not really that you're jumping through lots of hoops to make sure the data is secure. You will ALWAYS fail at that. You just can't stay that on top of things. What you're really doing is trying to ensure that if there is a breach, you can recover from it and that you have someone to sue/blame to pay for the recovery. So you make sure you pick a service that's in the US, and is well insured. Then you leave it up to them and their insurance company to duke out the difference between higher premiums or more security people.

But if you're just Joe Schmo at home, and you want to store credentials to your Netflix accounts and such? And it's a huge well-known company like LastPass? Yes, they are more secure than your Windows hard drive. A lot more secure. Maybe keep your bank login on a post-it note in the back of your sock drawer just to be safe though.

Comment: Re:More important 3rd question ... (Score 2) 546 546

IMO yes, it was worth it. Having secret programs authorised by secret laws and secret alliances to reduce or remove the privacy of the population as a whole for some geopolitical goal is not something that should happen in democratic countries.

Actually there is a much more important 3rd question. Was it necessary to do a mass dump of NSA files that went far beyond mass domestic surveillance in order to bring that mass surveillance to the attention of the people?

The answer is a definitive NO. Snowden overshared. He may have inadvertently harmed legitimate intelligence programs and agents. He should have pruned his dump and kept it on topic.

That's the problem, there were no files (as far as we know) that contain the kind of information you describe.

Comment: Re:Two questions need to be asked (Score 1) 546 546

First (as stated in the summary): "Have the actions of Snowden, and, apparently, the use of weak encryption, made the world less safe?"

Second (not asked, but as important as the first): Was it worth it? Did the revelations make the world a better place?

IMO yes, it was worth it. Having secret programs authorised by secret laws and secret alliances to reduce or remove the privacy of the population as a whole for some geopolitical goal is not something that should happen in democratic countries.

You're asking the wrong questions. The first question is: "Did this even happen" and the answer is no. This is FUD spread by the UK government just before an important vote on new security laws.

Comment: Re:Trying to figure out how this works... (Score 1) 86 86

I received a $30 credit from Uber when I installed the app. That's free money. However, Uber only lets me spend it on my first Uber ride. So I can't just put that $30 into my bank account. In my case, it was raining one day, and I didn't have an umbrella, so I called an uber and got a short ride home. It came to $8, which used up my $30 credit. I didn't cleverly hatch a scheme with the driver.

If I were in China, I could say, hey, dude, bill me $30, it's coming off my new user credit anyways. Then give me $10. The driver makes $20 instead of $8, and I make $10 instead of $0. The loser would be Uber. Now, if I were to make a criminal enterprise out of it, I could say, hey, why even get a $8 ride? Let's have NO rides, and just keep billing $30 to get that juicy new user credit! We'll get keyboard farms to keep creating new uber accounts and riding and get that sweet $30 snatch!

Now, in the U.S., Uber stops me from creating new accounts on my own to take that $30 repeatedly because it requires a credit card. Now, if I were savvy, I'd use a new credit card with a cousin's billing address on a wiped phone and create a new Uber account. If I have 12 credit cards and 12 cousins, I could register 12 new accounts. The only overlap would be my name, but Uber has zero way of telling if two John Smiths with different credit card numbers and different billing addresses could possibly be the same person. They rely on the fact that no one cares so much about $30 to bother with wiping their phone, swapping in a new SIM card, using a new card and a cousin's address. And, they're right, in the U.S. In China, people will go through a lot more hardship for less. Clickfarms in China pay something like 10 cents per hour.

Yea, and then the most hilarious part is:

Uber's spokeswoman told the Quartz writer that the company has an on-the-ground team who investigate into these various type of fraud, then uses "deep analytics, and new tools developed by our Chinese engineers in our dedicated fraud team to combat against such fraud." The Uber spokeswoman declined to elaborate on the nature of these tools.

So they are bragging about how smart they are for thwarting the scammers with "Deep analytics" whatever the hell that means. If you were smart enough to do "Deep analytics" should you also have been smart enough to design a system that wasn't so easily scammed? I dunno... like you don't get your payout for 3 months or something? or your payout's in the form of an Amazon Gift card that you can only use from your Uber account? There's about 100 different trivial ways to completely subvert the scam from the start, it's mind boggling that they allow it to continue.

Comment: they suck (Score 1) 235 235

About 10 yrs ago I decided to do some volunteer work. By the time I was done, I decided not to volunteer anymore. It's just too depressing that most, if not all, of the charities are run so poorly. But the Red Cross was one of the worst. I told them I was a programmer and a DBA, so they made me the "host," meaning I handed out cookies and made people frozen pizzas while they donated blood. For this I had to go through a background check and speak with a counselor. They told me that if I couldn't pass the background check, that was OK, I could drive the trucks if I had a record. You know, the trucks with the blood in them. Really.

Then they needed help with this Access database; I was a DBA, right? No, get back to the cookies! they say. They hired this consulting firm to help them with Access, who charged them $20k and sent a kid straight out of community college.

They'd run ads on TV: "We're running low on blood! We desperately need you to donate this weekend!" But that came out of marketing, who didn't tell the doctors or nurses, so they'd get slammed when they weren't staffed to handle it.

The red cross is completely mismanaged, disorganized, and clueless. But then again, so was every other charity I found so...

Comment: Re:Entry level job? (Score 1) 293 293

There are no entry level jobs. Not for Americans at least.

Elitist and racist comments that trigger the "like" reflexes of pretty much everyone on Slashdot, right?
Buy American! Be American! lol

I see "entry level" programmers float in from the local community college every other day. They usually can't figure out how to use our vending machine, much less write a line of code. The people from India/Pakistan show up and just get shit done. They also bring awesome stuff to our pot lucks.

The problem isn't H1B visas. The problem is the rubber-stamp educational standards colleges have in this country, which have completely destroyed employers' faith in what a US degree means.

Comment: Trivial (Score 5, Insightful) 73 73

So, I think that the word we need to get out to the uninformed public is that hackers do not have magic powers that are impossible to defend against. Governments and Corporations responsible for these breaches keep trying to portray the hackers as if they were mad-men flying planes into buildings. How can you stop a fully loaded 747 flying at 800mph right?!?!

But that's not the case. Every single one of these breaches has been the result of mistakes made by the organization that was attacked, as trivial as leaving keys in the lock of your safe with a big sign that says "Money inside!" These agencies and companies could easily, and with little monetary investment, make breaches like this nearly impossible.

In most cases the mistakes aren't even technological, they're institutional. Usually those attacked had well-qualified security folks on staff who were doing their best to prevent the attack. But when the "VP of operations" (or whatever) comes in and says "The project is late, everyone's telling me it's because your department is insisting on two-factor authentication. I'm going to sign off on that and we're going to move forward," there's not much they can do.

Look at the Sony attack. You had executives of the company sitting there with the entire company's financial records down to the penny sitting on their Windows desktop... WHILE their security department was telling them the entire network had an active virus infection running rampant. Basically nothing happened to any of the people responsible.

Comment: Re:Why is this on Slashdot? (Score 4, Funny) 221 221

Here's a concept...

Why don't you google "some person" and find out if they are credible.

I know, having to do this kind of work oneself can be distasteful, so let me help you out here.

  Lauren Weinstein

First: What the fuck is a "Technologist?" Personally, I refer to myself as a Pornomancer, but what that means outside of my secret closet in the basement, I'm not sure.
Secondly: Since when did having a four-line Wikipedia entry mean you were a notable person? This guy has a bigger article: http://en.wikipedia.org/wiki/J...
