Comment Re:Wait, they shipped the private key? (Score 1) 65

for example Lenovo did it so they could inject ads into web pages that were supposedly cryptographically protected from tampering

This makes no sense. Why do you need your private key to be located on the users' computer for that?

Why? Because you can't defeat the certificate checking logic of the local SSL stack. You need 'a' private key there for a trusted root CA so you can generate certificates on the fly that other parts of the system will see as valid.

Browser tries google.com -> you intercept it -> you go fetch the cert from the original destination IP -> you validate it or don't -> you generate a new cert based on the content of the one you got and sign it with the private key -> send the response to the browser (which then validates the cert, checking it against the local trusted root you installed).

That is it in a nutshell. There are some other details, but basically that is how it's done, and that is why you need the local private key: without it you could not generate signed certs.
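The signing step described in the comment above, as an added example that is not part of the original comment: a throwaway root stands in for the one installed in the local trust store, and a second root with the same name but a different key stands in for anyone who lacks its private key. The root name, `www.example.test` and the function names are constructed; it assumes the `openssl` command-line tool with its default configuration.

```shell
#!/bin/sh
# Added example: only the holder of a trusted root's private key can issue
# certificates that the local validator accepts. All names are constructed.

# make_root DIR FILE CN: self-signed root CA written to DIR/FILE.{key,pem}
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_leaf DIR CA HOST: issue a certificate for HOST signed with CA's key,
# written to DIR/HOST-by-CA.pem (the per-connection step in the comment).
sign_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3-by-$2.pem" 2>/dev/null
}

# chain_ok DIR ROOT LEAF: what the browser does, i.e. check LEAF against the
# one root it trusts. Prints "accepted" or "rejected".
chain_ok() {
    if openssl verify -CAfile "$1/$2.pem" "$1/$3" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# Runs both cases and prints "<signed with trusted key> <signed without it>".
interception_demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" installed "Example Local Root"   # root in the trust store
    make_root "$d" lookalike "Example Local Root"   # same name, different key
    sign_leaf "$d" installed www.example.test
    sign_leaf "$d" lookalike www.example.test
    with_key=$(chain_ok "$d" installed www.example.test-by-installed.pem)
    without_key=$(chain_ok "$d" installed www.example.test-by-lookalike.pem)
    rm -rf "$d"
    echo "$with_key $without_key"
}

interception_demo   # prints: accepted rejected
```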

Comment Re:Using Firefox Meantime (Score 1) 65

The latter, certutil works fine, but you have to build some custom fix packages to use it. Which can get complex if you have cases where those installations are not in the default locations.

i.e. non-local-admin users can't install FF to its usual places, so they install it to a directory inside their profile. Now you are playing find the Firefox / SeaMonkey install.

Comment Re:Using Firefox Meantime (Score 5, Informative) 65

You need to wait for the holiday to delete a certificate out of your trusted roots on your personal machine? Wow.

Secondly, Firefox did not protect you from anything; the fact they don't share the system cert store did. Yeah, it worked out this time to your favor, but I honestly don't think Mozilla's failure to integrate with system certificate stores is a win in general. It's actually one of the biggest reasons I think about leaving my beloved SeaMonkey for something else.

For one thing, you now have not one but 2 certificate stores you need to audit. That sucks! If a CA says they have been compromised, I have to remember to fix it in 2 places instead of one. That isn't a security win. Many users probably don't even realize they don't use the system trusts, so if they get instructions to fix an issue by removing a CA they will likely fail to fix the Mozilla based browser.

Second, in managed environments revoking a trust in Mozilla isn't easy to script out; that means Firefox and SeaMonkey installs likely just don't get fixed, again not a security win.

Frankly, I think it's rather a shame Mozilla does not provide at least the option to use the system trusted roots.
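The scripting problem raised in the two comments above, as an added example that is not part of the original comments: Mozilla browsers keep their trusted roots in a per-profile NSS database (`cert9.db`, or the older `cert8.db`), so this script searches for those files wherever they are instead of assuming default locations. The search roots and the `EXAMPLE-ROOT-NICKNAME` nickname are placeholders, and it assumes NSS `certutil` is on the PATH when dry-run mode is turned off.

```shell
#!/bin/sh
# Added example: locate every Mozilla (NSS) certificate database under a set
# of search roots and remove one root CA from each. Paths and the nickname
# are placeholders; only the certutil -L / -D / -n / -d usage is real.

# find_nss_dbs ROOT...: print each directory holding cert9.db or cert8.db,
# prefixed with the NSS database type (sql: for cert9.db, dbm: for cert8.db).
find_nss_dbs() {
    find "$@" -type f \( -name cert9.db -o -name cert8.db \) 2>/dev/null |
    while IFS= read -r db; do
        case "$db" in
            */cert9.db) echo "sql:${db%/cert9.db}" ;;
            */cert8.db) echo "dbm:${db%/cert8.db}" ;;
        esac
    done | sort -u
}

# distrust_root NICKNAME ROOT...: delete NICKNAME from every database found.
# With DRY_RUN=1 (the default) it only prints the commands it would run.
distrust_root() {
    nick=$1; shift
    find_nss_dbs "$@" | while IFS= read -r dbdir; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "certutil -D -n \"$nick\" -d \"$dbdir\""
        elif certutil -L -n "$nick" -d "$dbdir" >/dev/null 2>&1; then
            # The root is present in this profile: remove it and report.
            certutil -D -n "$nick" -d "$dbdir" && echo "removed from $dbdir"
        fi
    done
}

# Example call (placeholders): review the dry-run output first, then rerun
# with DRY_RUN=0.
#   distrust_root "EXAMPLE-ROOT-NICKNAME" /home /opt
```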

Comment Re:Exactly (Score 2) 591

This is a very good point. Much of the mess that is the Middle East is because these despots managed to enrich themselves playing NATO against the USSR for decades. They knew perfectly well any attempt to sort them out would have been seen as an act of aggression by the other world power. That provided them with cover to run their little shit stands, and get all sorts of cool toys (fancy high tech weapons systems).

If we could get past our conflict narrative with Russia we could re-draw the borders, agree on some buffer / DMZ regions and go in and occupy these places. If we did it long enough we could wipe out the stain on human culture that exists there.

Comment Re:I have an idea (Score 0) 591

I would argue it's time we roll back our policy of NATO expansion, and even consider ending NATO. When we faced an existential threat from another single nation state actor it made sense. NATO is now just a 'dangerous entanglement.' We would be wise to encourage the core members to eject some of the newly added peripheral members under threat of our own withdrawal if they don't. These fights are not worth it and the expanded NATO just threatens to draw us in.

The Middle East is of rapidly decreasing value to us. EU only alliances would be better positioned to defend Western Europe geographically than we are. We don't need anyone else's help to defend our own territory if we simply concentrated our efforts on that.

Comment Re:Nothing to hide (Score 1) 75

They're threatening to release SSN and related information that is being used as verification for credit applications

Irritating yes, but troubling not really. The fact is your SSN is out there for anyone who wants it.

It's in all the major subscription databases PIs and LEOs can subscribe to, almost for certain. Some of my licensed co-workers have access to that information and they have shown me they can pull the SSN for just about anyone I could name. It would be naive to think the identity thieves don't have straw accounts and leaked creds for many of these sources.

I am not suggesting anyone go posting their SSN all over the internet, but I don't think it's nearly as big a deal as many people think. Certainly anyone who targets you specifically can obtain it. Having it come out in one of these mass document dumps only means someone trying to open a large number of fraudulent accounts might hit you opportunistically.

As far as I am concerned, to the hackers I say bring it. I don't care if the world knows I pay Ali Spagnola a dollar every time she makes one of her cover-band videos. Actually I think you can already read my name on her thank you page, so whatever.

Comment Re:Comedy of errors (Score 1) 806

What they don't look like is the innards of an electronic clock.

Right, because someone who does not possess electronics knowledge can tell the difference between a PCB for a cheap electronic clock and one that is some kind of detonator. I think that expectation is unreasonable. Ask yourself: had 'you' carried that thing thru the airport security line, would your average TSA agent have likely pulled you off for some questioning?

You and I both know the answer is yes. The reality here is some people did know what it was at the school and they told him he should put it away. He did not do that. He continued to be disruptive, which could have been mistaken for agitation, and when he encountered other people who were not sure what it was they responded out of an abundance of caution and followed procedure.

The kid is NOT in the right here.

Comment Re:Reads like a script (Score 3, Insightful) 806

They not only duped the SJW crowd, but even duped Obama

Obama is a member of the SJW crowd. The more I listen to him the clearer it is he has never had a thought of his own. He has been spooned leftist nonsense from birth and learned to repeat it, sometimes eloquently. We should just put a picture of him next to 'Social Justice Warrior' in the urban dictionary.

Comment Re:That won't last long... (Score 1, Informative) 806

He did not build shit, he put the guts of a commercial clock in another box. So first off clock-boy does not deserve credit for being some kind of STEM hero. Here that is the kind of stuff I would expect a fifth or sixth grader to be doing.

Second, schools are what they are. They are full of little people that we all worry about and place a higher value on the safety of than we probably should. Look, 'zero tolerance' is stupid but it's the governing principle. This isn't a case of discrimination really, it's not. Schools have ejected white children for biting pop-tarts into the shape of a handgun. It's a panicky place, just like an airport.

You can be safe or you can be sorry. You can be safe and still end up sorry. I suggest we learn to be more tolerant of being sorry on occasion so we don't create problems like this in the way of safety. What I can say is knowing what I know about schools, and the whole of the situation, if I were on that jury the kid's family would not be awarded one thin dime.

Comment Re:What is the option (Score 3, Interesting) 806

You could sue for a realistic damages figure. If it's about principle and not money then winning a case like this should be enough in itself. I can understand why he might want to get the school to admit wrongdoing or have a finding against them that they did wrong.

How exactly was he harmed to the tune of $15 Million? I mean seriously, if nothing else, thanks to Obummer deciding to make a political football out of him he gained from it.

Now if the family said he now needs therapy for anxiety or something, and does not want to go back to that school, and sued for oh I don't know $300 - 400k and an apology for the cost of private school, therapy and pain suffered; I'd say well, let's see what comes out in court or if the district settles.

$15 Million on the other hand is a naked cash grab. 15 Million isn't about fair compensation.

Comment Re:That won't last long... (Score 1) 806

The question is "was it a lawful arrest?" We know now that more of the story has come out, he had this suspect looking thing. Some people recognized it for what it was and told him to put it away.

He didn't follow their advice and continued to wander around the school with it, not obeying other instructions, which could be seen as suspicious. Assuming there was not communication among the staff that knew it was just a stupid clock to those other people, I can see how it would meet a standard of 'reasonable suspicion' to justify an arrest. Would it have happened to someone who isn't brown skinned? I don't know, but I am not sure that matters. If it does matter maybe the problem is authorities are not cautious enough about what white people are doing near high impact (I won't say value) targets like schools.

Comment Re:WTF is with the US utility tie-in? (Score 2) 151

I doubt very much anyone in this thread thinks 'they' need to suicide bomb anything. If you are on the planning end of things though, suicide bombers have some advantages:

1) Dead men tell no tales - they won't be caught later and give up any intel on where your group can be found or how you communicate.

2) Less effort there is no escape or extract part of the engagement to plan. Which may mean few assets, which is probably harder to detect. Consider attacking power infrastructure as that is the topic. Which is more suspect 1 truck traveling down the access road or two? The second being to transport the driver of the bomb truck back out.

3) Less compensation required. People, even people fighting for a cause want to be paid, and have to eat. What's cheaper cash or a nice story about 72 virgins?

4) Suicide attack concept defeats a lot of security that was always built around the assumption someone would want to 'get away with it'. How much security should we put around this substation? Well, figure that we put a barb wire fence and some high voltage signs up for safety's sake. If someone is stupid enough to throw a blanket over the fence, climb in anyway and try to nab this copper, they'll wind up a crispy critter. It'll get on the news and it won't happen again for quite a while, that's for sure. That thinking falls down when the attacker isn't thinking about getting out alive.

So if I am a terrorist commander fighting a symmetric war and have lots of low skill fighters I have invested pretty little in training and developing, well, using them in kamikaze attacks has some major advantages, and they probably often outweigh the small price in head count.

Comment Re:WTF is with the US utility tie-in? (Score 2) 151

I think the point is there are some major not very well protected long haul power lines outside some of our major population centers. Events of 2004 proved there isn't enough redundancy in the system overall and there exist some points of failure that would likely lead to large scale blackouts that could last days. The lead time on replacement of some large transformers is weeks to months as well.

A well researched attack that took out difficult to replace infrastructure like those transformers or perhaps took down multiple high capacity links in the north east or south west, at the same time could easily cripple a region.

I don't think it would be easy to do but it probably is within reach of some guys with truck bombs and suicide drivers. Most of the information I think you would need to decide where and how to cripple the grid most effectively is out there. There are a lot of miles of electrical infrastructure that, while monitored, have security geared around catching a vandal after the fact or grabbing your 'I am gonna set these fireworks off next to this propane cylinder and hope something impressive happens' type would-be terrorist struggling to find his ass with both hands after his plot fails due to his own incompetence.
