Comment: Re: Best pick up one of these (Score 1) 81

The protocol needs to start over clear voice, but then you do the equivalent of "STARTTLS" and see if the remote end answers. If it does you disable squelch and start applying the cipher to the payload in the audio packets as you build them, leaving the container format in place, headers, sync bytes etc.

As far as the network is concerned it will still look like parametrized g.729 audio to the network. It will just decode as noise unless you possess the cipher. Which will be much more economical for most wireless customers until the carriers wise up and realize they ought to be metering the jitter controlled, packet loss intolerant voice traffic on their networks and selling best effort data as all you can eat, rather than the other way around.

Comment: Re:SMB, eh? (Score 1) 105

by DarkOx (#48640923) Attached to: Hackers Used Nasty "SMB Worm" Attack Toolkit Against Sony

I don't even bother "compromising" an initial host on many engagements when the engagement has me go on site. It's trivially easy to tailgate your way onto most corporate campuses and set yourself up in an empty conference room.

Then you wait for LLMNR or NetBIOS/tcp messages on your subnet, which nobody disables, ever. Then you just collect the hashes for a while. No need even to mess around with PTH half the time; more often than not hashcat can crack at least one before you finish your first soda and you have your foothold.

Comment: Re:Conservatives mostly don't like the involvement (Score 1) 192

by Tom (#48640631) Attached to: Single Group Dominates Second Round of Anti Net-Neutrality Comment Submissions

identified as belonging to the house.

This is not how property works in any western country. Someone dug up the street years ago, bought the copper, and paid to have it put into the ground. They own that cable. You cannot just go around and declare someone else is owner of it, without compensating the current owner, and probably even that would be challenged in court as the "give to the house owner" doesn't even fall into eminent domain.

And then switching from one provider to another would mean going to the gray box and unplugging a wire from provider "A" and plugging it into the box for provider "B".

Which would be a step back from the current system, where most provider changes are done by switching, not by mechanically unplugging wires. If someone needs to actually drive to a gray box and change wires every time someone changes ISPs, the costs for doing so would go up considerably.

You're trying to prove me wrong instead of trying to understand the issue. It isn't helpful.

You're painting a picture of a fantasy world, ignoring the status quo. Yes, in a perfect world, if we would start from scratch on empty fields, maybe it would be better to do it that way this time around. But we don't start, we inherit a world where certain things are the way they are, like it or not. If you want to change something, you can't just paint a fantasy utopia, you need to show how to get there from where we are now.

So you want to change ownership of the last mile? Might be a good idea, show how to do it. Explain how to buy all the cables and grant or sell them to house owners. Come up with solutions for all the situations in the real world, with multi-story houses, houses with multiple outgoing connections, office buildings and private homes. A solution that works both for dense cities and isolated farms. That will not die trying due to resistance by the ISPs, the old cable owners, the house owners or the two dozen laws involved.

It's easy to say "this ought to be so". Everyone can do 10 of those in one minute. Cars ought to be pollution free. Ebola ought to be defeated. World peace should be achieved. Any of these statements just make you one of seven billion people with a vision. Being able to show step-by-step how to actually get there is the hard part.

Comment: board and cardgames (Score 1) 99

by Tom (#48639335) Attached to: Ask Slashdot: Resources For Kids Who Want To Make Games?

Forget programming. Sit down with him and make a few board and card games.

Too many game designers these days look at the technology and the graphics and the monetization and all the other crap and forget that first and foremost, there needs to be a game.

When you limit yourself to the bare essentials, you see the game for what it is, and learn to make games by focussing on what makes a game.

Comment: Re:Conservatives mostly don't like the involvement (Score 1) 192

Cable between the street and the house might have be redone.

Yes. But the cable doesn't connect to the street, that's just how we say it. It connects to that grey box on the corner, which means after the garden it runs underneath the street and/or sidewalk for typically a few hundred meters.

What is more, the cabling between the house and the street might be owned by the home owner.

Can't say for other countries, in my country almost never.

We could set up a junction box at the street that links into the home's network.

We not only could, this is what we do right now. But those boxes serve an entire block, not one house. Theoretically we could change the whole network layout and install such a box at the edge of every property and terminate there, but there are reasons why the system is the way it is, and changing it would require changes in the system, maybe even a partial redesign of the local loop.

Comment: Re:Conservatives mostly don't like the involvement (Score 1) 192

Your experience has clearly made you myopic and unable to think creatively about the issue.

Of course. If you disagree with someone, it must be that the someone is an idiot. It's not possible that maybe you are wrong.

There's no point having a discussion on this level. People who have arguments don't need to use personal insults.

Comment: Re:How long things take.. (Score 1) 216

by roman_mir (#48637749) Attached to: Marissa Mayer's Reinvention of Yahoo! Stumbles

How about I prove you wrong in such an embarrassing way that you will have to eat your words? I have that account because at some point I bought Rogers Internet service, and email was part of what I was buying in the package. Eventually Rogers outsourced their email to Yahoo!, so I have an email account that is paid for and that I never imagined would be handled by Yahoo! I am actually a paying customer, you dumb shit.

Comment: Re:Sony security: strong or weak? (Score 2) 307

You do have to cut them a little slack, here. If we were talking about a coal mining company or something, terabytes of data going out the door would be pretty unusual, and SIEM systems would be trained to flag that sort of thing.

This is Sony Pictures, though, terabytes probably go out the door all the time. I mean that might be less than a few hours of uncompressed video going to a contractor for post processing or something.

No, my bigger question, having done this kind of thing for a living now for some time, is why would a basically purely IP organization not have effective controls in place, to know what kind of data is going out the door and to put a hard stop to it the moment something that should not be there is spotted.

Ok, you can't maybe do that with the aforementioned video data, but you certainly can watch for byte patterns that look like addresses, SS numbers, e-mails in usually great quantity etc. on the wire.

You certainly do not allow anything encrypted to go out unless you MITM it. Could an attacker do something like slap some mpeg headers on top of a big encrypted data stream? Probably, but they'd have to know to do it.

If my entire world was IP like Sony Pictures I'd probably take it a few steps further: make sure my firewall devices knew the common container formats for various media types and continued to make sure sync bytes and frame markers occur where they ought to. Anytime more than a handful of megabytes of something I can't recognize flowed, it would alert and someone from the CERT team would pick up the phone and call whoever it was associated with that source IP. No attribution, shut it down; no explanation, shut it down.

The hardware and software to do this is commercially available, more or less off the shelf and has been for at least five or seven years now.
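
An added example, not part of the comment above and not any vendor's product: a minimal Python sketch of the two egress checks the comment describes, counting PII-like byte patterns and verifying that MPEG transport stream sync bytes keep recurring for the whole payload rather than only at the start. It assumes an already reassembled payload, TS packets aligned at offset 0, simplified regexes and arbitrary thresholds; all names and sample data are constructed for illustration.

```python
import random
import re

TS_PACKET = 188   # MPEG transport stream packet length in bytes
TS_SYNC = 0x47    # sync byte that opens every TS packet

# Simplified patterns for US SSNs and e-mail addresses (illustrative only).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def ts_sync_ratio(data: bytes) -> float:
    """Fraction of 188-byte packet boundaries that carry the sync byte."""
    offsets = range(0, len(data) - TS_PACKET + 1, TS_PACKET)
    if not offsets:
        return 0.0
    return sum(data[off] == TS_SYNC for off in offsets) / len(offsets)


def classify_flow(data: bytes, min_sync: float = 0.99, pii_limit: int = 20) -> str:
    """Verdict for one reassembled outbound payload (thresholds are assumptions)."""
    pii_hits = len(SSN_RE.findall(data)) + len(EMAIL_RE.findall(data))
    if pii_hits >= pii_limit:
        return "alert: bulk PII patterns"
    if ts_sync_ratio(data) >= min_sync:
        return "ok: mpeg-ts framing holds"
    return "alert: unrecognized content"


# Constructed samples, not captured traffic.
NULL_PACKET = bytes([0x47, 0x1F, 0xFF, 0x10]) + b"\xff" * 184  # TS null packet
rng = random.Random(0)  # fixed seed keeps the stand-in "ciphertext" repeatable
noise = bytes(rng.getrandbits(8) for _ in range(TS_PACKET * 199))

SAMPLES = {
    "genuine stream": NULL_PACKET * 200,
    "one header, then noise": NULL_PACKET + noise,
    "record dump": b"123-45-6789,user@example.com\n" * 15,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {classify_flow(payload)}")
```

A payload that only opens with a valid header fails because random bytes land on 0x47 at a packet boundary about once in 256 packets, far below the required ratio.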


Comment: Re:BS (Score 1) 307

No hack would ever result in that kind of control


Let's face it, the reality is lots and lots of BIG companies use things like Active Directory. Lots of these BIG companies might even have only a tiny handful of Enterprise Admins, who may even be very good at what they do. Chances are they have centralized and integrated the authentication against AD. It's not uncommon for network infrastructure administrative interfaces to use an authentication gateway like say NPS (RADIUS for AD).

So if you could get that Enterprise Admin access, well it might be a house of cards from there. Given the recently published MS14-068 it might not even be that hard:

So if you can get your foot in the door, however you do it, just grabbing some tools off GitHub and a few blogs can get you near total ownage without having to do much of anything in the way of exploit development on your own. Consider this vuln was an off cycle patch put out in November, think there ~4 weeks on there are some big orgs that have lead times to get Windows patches applied to DCs longer than that? I would bet so, think an org like Sony stands a chance against a vuln like that when it's an unpublished zero day? So get any access to the network at all, brute force one password for basically any user account, crack a hash sniffed off the wire etc, and boom you're a member of any windows groups you want!

Frankly I would not be surprised given the timing if MS14-068 was involved in the breach and I would not be surprised to hear of other major compromises thru leveraging it.

Comment: Re: Best pick up one of these (Score 1) 81

I did not give them a back door either. You can check the thumbprints of the certs are not changing or not trust any third party CAs if that's what YOU want to do under my scheme. For most folks that won't be practical, we will want to be able to call people and organizations we have never been in a position with to safely exchange keys; so just like on the web we will have to trust some third parties.

By making it easy to exchange certs directly with people you do meet in person you remove the CA chain from that point on and encourage the system in a way third parties can't compromise unless the cryptography is eventually broken. Nobody, not a LEA or anyone else, then has the capability to MITM calls between your devices from that point, provided they don't hack your phone somehow and change your settings, modify your cert store etc.

My acceptable compromise isn't really with the LEAs but more with reality. You can't very well use a third party's network without them being able to identify the end points, TOR even if it was untraceable and it's not would not be practical for a wireless voice network. My proposal has the benefit of being possible to implement without replacing the existing cellular and telephone network infrastructure. You just need handsets that know how to negotiate with each other. In that sense it's plausible that it could actually get off the ground because as we all know expecting AT&T or VZW to do anything ever without first bending over for the spooks is a non-starter.

So AC and Mods who marked my post flamebait for some reason, let me ask you:

[1] Do you have a better technical solution?
[2] Does your solution work without requiring the carriers to spend billions radically altering/upgrading their infrastructure?
[3] Can your proposal somehow conceal which endpoints calls are between?
[4] Can your proposal somehow conceal the duration of the call, beyond padding it out for some additional period?
[5] Can your solution easily interoperate with existing endpoints?

Comment: Re:Is SONY breaking the law with this (Score 1) 190

(When he ordered the first five rows of the Colosseum thrown into the arena, those were the ring side seats, filled with the rich and famous, which went down very well with the common man).

But he's a *populist* sociopath. :) Awesome, thanks for the correction!
