
Comment: Irresponsible (Score 1) 181

by EnempE (#48849355) Attached to: NSA Hack of N. Korea Convinced Obama NK Was Behind Sony Hack
This is terribly irresponsible regardless of the validity of it. South Korea has been attempting to reduce tensions in the area to return to negotiations with the North. This could be considered as evidence of hostilities by the South and increase tensions in the area. This would have a negative effect on the talks, increase the resolve in the North and add legitimacy to Japan's quest to reestablish a military. Destabilizing an entire region of the world and putting millions of lives at risk, reducing the effectiveness of your and your allies' cyber divisions, just to add weight to your PR campaign is nothing but irresponsible.

Comment: Re:Legalities (Score 1) 301

by EnempE (#48378729) Attached to: Police Body Cam Privacy Exploitation
You are 100% correct. In fact, Washington State law reflects this, in the law on public disclosure.

Besides the fact that an anonymous request should be ignored, as the applicant's name and address etc. should be included on the application:
RCW 42.56.240
Investigative, law enforcement, and crime victims.
The following investigative, law enforcement, and crime victim information is exempt from public inspection and copying under this chapter:
(1) Specific intelligence information and specific investigative records compiled by investigative, law enforcement, and penology agencies, and state agencies vested with the responsibility to discipline members of any profession, the nondisclosure of which is essential to effective law enforcement or for the protection of any person's right to privacy;
(2) Information revealing the identity of persons who are witnesses to or victims of crime or who file complaints with investigative, law enforcement, or penology agencies, other than the commission, if disclosure would endanger any person's life, physical safety, or property. If at the time a complaint is filed the complainant, victim, or witness indicates a desire for disclosure or nondisclosure, such desire shall govern. However, all complaints filed with the commission about any elected official or candidate for public office must be made in writing and signed by the complainant under oath;
(3) Any records of investigative reports prepared by any state, county, municipal, or other law enforcement agency pertaining to sex offenses contained in chapter 9A.44 RCW or sexually violent offenses as defined in RCW 71.09.020, which have been transferred to the Washington association of sheriffs and police chiefs for permanent electronic retention and retrieval pursuant to RCW 40.14.070(2)(b);
(4) License applications under RCW 9.41.070; copies of license applications or information on the applications may be released to law enforcement or corrections agencies;
(5) Information revealing the identity of child victims of sexual assault who are under age eighteen. Identifying information means the child victim's name, address, location, photograph, and in cases in which the child victim is a relative or stepchild of the alleged perpetrator, identification of the relationship between the child and the alleged perpetrator;
(6) The statewide gang database referenced in RCW 43.43.762;
(7) Data from the electronic sales tracking system established in RCW 69.43.165;
(8) Information submitted to the statewide unified sex offender notification and registration program under RCW 36.28A.040(6) by a person for the purpose of receiving notification regarding a registered sex offender, including the person's name, residential address, and e-mail address;
(9) Personally identifying information collected by law enforcement agencies pursuant to local security alarm system programs and vacation crime watch programs. Nothing in this subsection shall be interpreted so as to prohibit the legal owner of a residence or business from accessing information regarding his or her residence or business; and
(10) The felony firearm offense conviction database of felony firearm offenders established in RCW 43.43.822; and
(11) The identity of a state employee or officer who has in good faith filed a complaint with an ethics board, as provided in RCW 42.52.410, or who has in good faith reported improper governmental action, as defined in RCW 42.40.020, to the auditor or other public official, as defined in RCW 42.40.020; and
(12) The following security threat group information collected and maintained by the department of corrections pursuant to RCW 72.09.745: (a) Information that could lead to the identification of a person's security threat group status, affiliation, or activities; (b) information that reveals specific security threats associated with the operation and activities of security threat groups; and (c) information that identifies the number of security threat group members, affiliates, or associates.

[2013 c 315 2; 2013 c 190 7; 2013 c 183 1; 2012 c 88 1. Prior: 2010 c 266 2; 2010 c 182 5; 2008 c 276 202; 2005 c 274 404.]

Articles (1) and (2) pretty much put a stop to this whole thing. Further, Article (9) there basically provides a precedent for this operation, and most of the data would be covered under the other aspects previously noted. It would not be particularly problematic to amend this law to include body cam footage, as it appears to have been done in the past to cover other things.

I hope this whole thing is a play to get this kind of change made and not to can the program.

Comment: This is not a zero sum issue (Score 1) 549

by EnempE (#48141289) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct
I agree and yet I disagree with the article.

I think that the solution to this issue will both overcome true brute force and selected sample attacks (aren't these called rainbow table brute force?).

I reject the password manager as the default, as many people switch between multiple machines, some of which are not in their control. As such, assuming that people own the machines that they use is designing a scheme that does not work for a large number of people. It would be difficult for the multitudes in developing countries that use shared (internet cafe, school etc.) computers to get online to implement this scheme.

I agree on changing passwords rarely, but again this depends on the type of use, and different users should be able to adjust their behaviour to suit their personal risk profile. For example, if I had no choice but to use hotel and airport wifi and access services often, I would change my password more frequently than if I only used a machine in the office or at home, due to the increased risk from less secure networks and surveillance of my activities.

We are struggling currently to change habits that were introduced 20 years ago. If we make the learning curve too steep we risk the majority finding some way to avoid the process. People tend to ration the mental effort they dedicate to security based on the perceived risk. If we make the effort too high then they may develop a coping strategy that is not productive.

I think that Diogo Monica makes a very good point. But the implementation should be slow and should follow the widespread adoption of pass phrases. In the meantime, all password assessment tools (some already do) could give a poor mark to the top ten passwords, and to passwords containing the service name, user name or birthdate.
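The kind of check the commenter asks for, written out as an added example (it is not the commenter's code or any particular tool's): a password assessment routine that fails a password if it is on a common-password list, or if it contains the user name, the service name or the user's birthdate in a common layout. The ten-entry `TOP_PASSWORDS` list and the `LEET_MAP` substitution table are constructed for illustration; a real deployment would load a much larger common-password list.

```python
"""Password assessment: penalise common passwords and passwords that embed
the service name, the user name or the user's birthdate."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample of a "most common passwords" list (illustration only;
# a real checker would load a large published list).
TOP_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "monkey", "iloveyou", "welcome",
}

# Symbol/digit substitutions undone before comparing with the word lists,
# so that "P@ssw0rd" is treated as "password". Constructed table.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(text: str) -> str:
    """Lower-case and undo common character substitutions."""
    return text.lower().translate(LEET_MAP)


def birthdate_tokens(iso_date: str) -> set:
    """Digit strings in which a birthdate commonly appears inside a password
    (year, DDMM, MMDD, DDMMYYYY, MMDDYYYY, DDMMYY, MMDDYY, YYYYMMDD)."""
    dob = date.fromisoformat(iso_date)
    y, yy, m, d = f"{dob.year}", f"{dob.year % 100:02d}", f"{dob.month:02d}", f"{dob.day:02d}"
    return {y, d + m, m + d, d + m + y, m + d + y, d + m + yy, m + d + yy, y + m + d}


@dataclass
class Assessment:
    acceptable: bool
    reasons: list = field(default_factory=list)


def assess_password(password: str, username: str = "", service: str = "",
                    birthdate: str = "") -> Assessment:
    """Return an Assessment listing every reason the password gets a poor mark.

    birthdate, when given, is an ISO date string such as "1985-07-12".
    """
    reasons = []
    norm = normalize(password)

    # 1. Exact (normalised) match against the common-password list.
    if norm in TOP_PASSWORDS:
        reasons.append("in common-password list")

    # 2. Service name or user name embedded in the password. For e-mail style
    #    user names the local part is checked too; very short values are skipped
    #    to avoid flagging accidental two-letter overlaps.
    for label, value in (("username", username), ("service name", service)):
        if value:
            v = normalize(value)
            candidates = {v, v.split("@")[0]}
            if any(len(c) >= 3 and c in norm for c in candidates):
                reasons.append(f"contains {label}")

    # 3. Birthdate embedded in the password. Compared against the raw digit
    #    sequence of the password, not the normalised form, because the
    #    substitution table above turns digits into letters.
    if birthdate:
        digits = "".join(ch for ch in password if ch.isdigit())
        if any(tok in digits for tok in birthdate_tokens(birthdate)):
            reasons.append("contains birthdate")

    return Assessment(acceptable=not reasons, reasons=reasons)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Slashdot2014!", "alice.w_19850712",
               "correct horse battery staple"):
        result = assess_password(pw, "alice.w", "Slashdot", "1985-07-12")
        print(f"{pw!r}: {'ok' if result.acceptable else ', '.join(result.reasons)}")
```

The three checks are independent and every failing one is reported, so a user who is told "contains username" can fix that and learn why, rather than being handed a single opaque score.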

Comment: Re:Not a medical professional, but: (Score 2) 30

by EnempE (#48113759) Attached to: Prosthetic Hand Capable of Delivering Texture Sensations
Very interesting. Not quite the same as the article, because the subject in this case is blindfolded and it's a referred sensation.
Nonetheless I didn't know about this and was happy for the reference.
I think the /.-appropriate content is at the links below:

Synaesthesia in phantom limbs induced with mirrors (1996)
V.S. Ramachandran & D. Rogers-Ramachandran

Phantom Limbs and Neural Plasticity (2000)
V.S. Ramachandran & D. Rogers-Ramachandran

Comment: Generalizations not helpful (Score 1) 299

by EnempE (#48075353) Attached to: Why Military Personnel Make the Best IT Pros
This just in, some individuals are better suited to some situations than others.
I don't think that anyone had decided that they wouldn't hire ex-military with relevant experience because of where they acquired it. Most organizations require some adjustment from their staff in order to understand and fit into the culture of that place. That is why they still interview potential staff: to see if, as a person, they would likely fit into the social environment.

Comment: Re:Security is too hard (Score 3, Informative) 70

by EnempE (#48051257) Attached to: User Error Is the Primary Weak Point In Tor
It is not just you that thinks this. But I think it is a convenient thought, not a considered one.
I don't think there is anything in terms of research to support the 'criminal subclass' idea (i.e. a group too stupid to succeed without breaking the rules); it is just a rationalization that outlived phrenology.
Even if the measure of criminal intelligence was not being caught, it assumes that the entire criminal justice system is composed of exactly average people with the same resources as the criminals. That is clearly not the case, as their 'situational awareness' tools are what motivates those without criminal intentions to consider these technologies.
Regarding the use of TOR, when imagining the criminal 'eptitude', you have to balance the fact that the risk would motivate them to expend additional effort in using the system. These things are more about discipline than intelligence. You might be more disciplined in your approach to paid work than to a hobby; it would be reasonable to expect that criminals would similarly be more disciplined with the use of TOR than a hobbyist.
I think mveloso's heuristic for measuring a security tool is still valid.

Comment: The outcome is that there is probably a problem. (Score 1) 460

by EnempE (#47948719) Attached to: Science Has a Sexual Assault Problem
Have a look at the original article; the authors even note the major problems of this study. The sample (only 666 respondents) is not representative. The subject matter is more likely to be responded to by those with strong negative views. The link was referred, making it a snowball sample; those who know others with strong views are likely to pass it to those people. The group was uncharacteristically composed of women. They assumed a different email name signifies a different person. The researchers pointed this out, along with the fact that there is no way of singling out any group as being worse than any other group. This is in combination with the differing understandings of the questions. That said, however, there are issues here. It is important to highlight the different understandings and norms between genders and age groups that can cause problems, as well as to bring attention to the options open to victims to seek help and remedy issues. Note that the survey found that none of the men knew what to do if they felt they had been sexually harassed.

Comment: Re: Not the full story (a.k.a RTF) (Score 1) 248

For an act to be criminal it is often required that the person is aware that the act is illegal. It is not fair for the courts to punish a person for breaking a law that doesn't reflect current social norms and is collectively forgotten. Those weird sex laws that you read about would be an example. In that case you could honestly state that you believed you were acting lawfully. That belief needs to be backed up by fact; your behavior should reflect your understanding. In this case, he would need to be able to refute the evidence presented by the prosecution. They had the log files from the server and his machine that showed he visited the front page, which showed that the documents were restricted to those that had logged in. He could have maintained that he didn't understand that the particular files in question were restricted, but it may have been unconvincing as he works in IT security.

Comment: Not the full story (a.k.a RTF) (Score 2, Insightful) 248

He admitted in court that he had been to the front page of the site where they were hosted and was aware that the documents were not intended to be available to the public. Finding them by accident on Google is one thing and not the point of contention here. Then downloading all of them and republishing them, knowing full well that what you are doing is definitely unethical and probably illegal, is another matter. The blogger runs a security company and should have informed the company of the fault before blogging about it. This is not the kind of practice that is considered acceptable in the security community. Given that it could be considered a criminal offence in Europe to access the documents without the requisite authorization, you can take the fine (no prison time, no criminal conviction) as not a bad outcome. The issue here is that the court had no idea about the online environment or what crime online is before the trial, which speaks to a definite problem in regards to the training of judicial staff.

Comment: Re:There goes another Swiss Army knife (Score 1) 298

by EnempE (#43970247) Attached to: TSA Decides Against Allowing Small Knives On Aircraft
About 10 years ago I lost a small voltage test screwdriver on my way to a meeting with security management, which was moved en route to a room inside the secure area of the terminal. No way to prepare for that.

That wasn't TSA though, that was their cousins in Australia.

That's a pretty rare case though, those guys are pretty good normally.

Comment: Re:An eminently sensible policy (Score 1) 76

by EnempE (#43705261) Attached to: How an Aussie University Creates the World's Best Hackers
Unfortunately that practical advice goes beyond immoral. In many states it is illegal to produce a device or code that allows unauthorized access; in the others, facilitating a crime is bad juju. Selling that code will not be viewed in the best light and will destroy any chance of a defense based on lack of intent. Lord only knows what will happen if you sell your exploit to a guy, who sells it to a guy with terrorist ambitions. Talking to a CERT about it seemed like a good idea. Also, it is high time universities stepped up and provided support to their students/researchers. Government talks a lot about public-private partnerships in the war on cybercrime; this would be a good place to start.

Comment: Lets Define these things then (Score 1) 126

by EnempE (#43397025) Attached to: The Rise of Everyday Hackers
I think that everyone on /. more or less has a good understanding of the terms; it is the media that simplifies the environment to write shorter headlines.
To clarify:
Hackers are those that delight in taking something apart and putting it back together again, either in its original form or with some modification to improve the thing in their point of view. Hackers were at one stage those who enjoyed pranks between universities, so there is an implied cheekiness in the execution of this experimental interaction with things. In the information realm, taking something apart to see how it works often involves finding out how to do that. Exploiting a flaw is analogous to taking the screws out of something to get the cover plate off. If a hacker broke into your house they would design a tool for doing so, disassemble your lock and put it back together again, or find a weakness in the design of the lock that allows it to be opened without the key.

Script kiddies are those who are interested in getting into things, but either aren't interested in or able to take things apart themselves. They find tools that will work and need only enough understanding to roughly match a tool to a thing. There is a level of juvenile immaturity in this, like a child disassembling a radio with a hammer to find what is inside, with no thought as to how it might be reassembled or whether this tool might cause permanent damage. If a script kiddie broke into your house they would break your lock with a jimmy bar and probably spray-paint a tag on your wall.

More recently we have criminals who will find / buy the tools to get into something for selfish gain. They may buy the understanding from a hacker, a duplicated key, or use a script kiddie type tool and find some way to monetize it.

Neither of the first two implies malicious intent; however, they may break the law in their pursuit of either learning something or showing their ability to affect their environment.

Would anyone modify these definitions in any way?