Comment: The modem (Score 1) 319

by KevMar (#45110669) Attached to: Ask Slashdot: Mitigating DoS Attacks On Home Network?

If I had to guess, the modem is holding onto the same IP address regardless of what you do with your router. Take a weekend trip and unplug your modem in hopes that it will pull a new address when you return. You could go upstream to your ISP with the issue and suggest the tech release your IP and assign you a new one.

If the attack continues, then you have something inside your network leaking information to the attacker. And you will have to clean that up before you can resolve the problem.

Comment: Input validation (Score 5, Insightful) 598

by KevMar (#45066619) Attached to: What Are the Genuinely Useful Ideas In Programming?

I think he was missing input validation from his list. The idea that you can never trust user input and you must validate it. The idea that you should white list what you want instead of black list the things you don't want. Ideas that consider the security of the system and not just the working condition of it.

Comment: Less ads but feels like more? (Score 1) 1191

by KevMar (#45009889) Attached to: Come Try Out Slashdot's New Design (In Beta)

The ads stand out way too much on the beta site. I tried it out and my first impression was that it was a site that I would not trust for the news. I thought it was all the ads on the site.

BUT then I went back to the main site and discovered that it was showing me more ads than the beta site. The main top ad was smaller on the beta site. I am not sure what to think. I don't like it because it feels like it is an ad-driven site. Before it felt like it was about the content (it just so happened to have ads). Leaves a different impression.

Comment: Another Idea (Score 2) 740

by KevMar (#44953463) Attached to: Somebody Stole 7 Milliseconds From the Federal Reserve

If someone was expecting one of two outcomes, they could have done the math on both of them. If I make this trade what can I win. They placed the trade not knowing the outcome. But they had a cancel order (or reverse order) ready to go. If the news was not what they expected, they could have canceled it with minimal losses. Buying a lot of gold and the market doing nothing on the FED's news would mean that they could sell it back without much market shift.

I know this is what happened because I did stay at a Holiday Inn Express last night.

The Military

United States Begins Flying Stealth Bombers Over South Korea 567

Posted by samzenpus
from the nice-day-for-a-flight dept.
skade88 writes "The New York Times is reporting that the United States has started flying B-2 stealth bomber runs over South Korea as a show of force to North Korea. The bombers flew 6,500 miles to bomb a South Korean island with mock explosives. Earlier this month the U.S. Military ran mock B-52 bombing runs over the same South Korean island. The U.S. military says it shows that it can execute precision bombing runs at will with little notice needed. The U.S. also reaffirmed its commitment to protecting its allies in the region. The North Koreans have been making threats to turn South Korea into a sea of fire. North Korea has also made threats claiming they will nuke the United States' mainland."

Comment: Re:Good for Google (Score 4, Insightful) 165

by KevMar (#42975983) Attached to: RIAA: Google Failing To Demote Pirate Websites

If people are looking for pirating sites, I would expect them to show up at the top of the rankings. Because if I was searching for [artist] [track] download, I am not looking for

What Google has done is reduced when these sites would show up when you were looking for legitimate sites. Just like they reduced the adult content you see unless you are looking for adult content. It's not Google's job to police what people search for, just to make sure they find what they are looking for.

Comment: great opportunity (Score 1) 402

by KevMar (#39093359) Attached to: Should Microsoft Put Office On the iPad?

While I don't see MS porting full Office to Apple/Android, I do see them building a very slick VDI client. Office on a tablet will end up as a VDI session to a private cloud server. It may sound crazy, but it's the smart thing to do. It allows Microsoft to leverage all the existing tablets that everyone already has entering the corporate environment. They can support more devices quicker and extend the life of older tablets. The tablets 3 years from now will blow away today's tablets, but if it's a VDI client then that won't matter.

Tablets are too personalized and a nightmare for IT security. But what if you could connect to a work desktop and get all your work apps in a way that makes IT feel good about it, yet allow the individual to keep personalized apps? I think this is why Windows 8 has such a tablet feel to it. Windows 7 already does a good job under VDI, and I expect Win8 to do so much better.

This would definitely be a corporate IT strategy that is in sync with the MS push of VDI and Private cloud that we see MS timing with the Win8 release. Home users are another story.

Comment: Re:Security without security? (Score 1) 138

by KevMar (#39089693) Attached to: Stealing Laptops For Class Credit

I would find that to be a perfect opportunity for security to practice protocol. Do everything except report it to the authorities. Even do the data loss analysis.

In the case where the doors were locked, hunt everyone down that had a key and question them. Track each breach down.

I would love to attempt stuff like this at work.

Comment: Re:Security without security? (Score 4, Insightful) 138

by KevMar (#39081589) Attached to: Stealing Laptops For Class Credit

I think it's just the opposite. They didn't tell them to let the students steal the laptops, they let them know in advance that if they catch someone taking the laptop that it may be legit. Just by mentioning this would have made it harder because laptop theft would be on the security team's mind, making it easier to spot.

Comment: Re:Be paranoid (trustno1) (Score 3, Informative) 333

by KevMar (#38568384) Attached to: Ask Slashdot: Writing Hardened Web Applications?

Above all, trust nothing.

That's the most important rule of thumb. Don't even trust your own client code.

Make definite security boundaries. Draw a circle, label it data. Draw a circle around that circle, label it prepared statements. Keep drawing circles, adding layers for each security boundary, so you have something like this.

Data -> prepared statements -> firewall -> web server -> business logic -> user state management -> browser -> client side code -> user input

Each layer needs to validate everything. Let each layer assume that the protected layer in front of it is missing. It just does not exist. One common issue is having only the client side code validate the user input. I love to modify client side code to bypass validation just to see what breaks. If it's HTML, there are so many ways to do that.
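The "allow-list what you want" idea from the Input validation comment and the "each layer validates as if the layer in front of it were missing" idea from this comment, as one added example (not code from the original posts): a business-logic layer and a data layer that each re-run the same allow-list check, with the data layer also using a parameterised query. The users table and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example, not from the posts.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "alice@example.com"), ("bob", "bob@example.com")])

# Allow-list: the only shape a username may take. Anything else is rejected,
# rather than trying to enumerate the characters we don't want.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


class ValidationError(ValueError):
    pass


def validate_username(raw):
    """User-input boundary: accept only what matches the allow-list."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username rejected by allow-list")
    return raw


def lookup_email(username):
    """Data boundary: validate again (assume the business-logic layer is
    missing), then bind the value so it is never part of the SQL text."""
    validate_username(username)
    row = _DB.execute("SELECT email FROM users WHERE username = ?",
                      (username,)).fetchone()
    return row[0] if row else None


def handle_request(form):
    """Business-logic boundary: the browser's client-side checks may have
    been skipped or edited, so this layer validates before trusting the form."""
    try:
        name = validate_username(form.get("username", ""))
    except ValidationError as exc:
        return {"status": 400, "error": str(exc)}
    email = lookup_email(name)
    if email is None:
        return {"status": 404, "error": "no such user"}
    return {"status": 200, "email": email}
```

Calling lookup_email directly stands in for a request that reached the data layer with the business-logic layer bypassed; it is still rejected.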

Comment: Re:Web Applications aren't different (Score 1) 333

by KevMar (#38568260) Attached to: Ask Slashdot: Writing Hardened Web Applications?

There is a huge difference though. It is true that you should not trust any clients. But many people make incorrect assumptions.

They think that when you are working internally, there is a very small number of clients that can possibly connect to it. The odds of a hacker getting onto your network are small. So of course it's secure, it's on a server behind a firewall. Opening an application to the internet strips those security blankets away.

To be honest, I think we all do a little of that too. We do what we can to write secure code internally. But we hesitate a little every time we think it may end up open to the wild. I see it as a scary door to open. We can't be 100% confident that we thought of everything, just like we can't be 100% confident that it's bug-free. It never is. A good student in the art of code should always seek to find more ways to secure public facing applications.

Comment: Re:Divorced (Score 1) 339

by KevMar (#38545326) Attached to: Ask Slashdot: Changing Passwords For the New Year?

Pick long words that are easy for you to remember.

Pick your state or town, full work phone, and favorite Monopoly property (or first pet, author, or street).

That phone number will feel a little awkward to type at first, but try using the number pad. Before you know it, your fingers will type it faster than you can say it. That number adds 10 extra characters that you can remember without thinking about it.

Comment: My method (Score 2) 339

by KevMar (#38545284) Attached to: Ask Slashdot: Changing Passwords For the New Year?

My method has slowly evolved over the years. I grew up on a crappy dial-up connection out in the country. Our ISP gave us a generated strong password. Our connection would constantly drop and I would have to enter that password in several times a night. I kept that password and slowly morphed it over time. It kept getting stronger and stronger with every evolution. I did this with 2 passwords. One for secure stuff and one for everything else.

Then not too long ago, I discovered rainbow tables. Pre-generated LM password hashes. My passwords were not in the free tables, but they would be in one of the more detailed collections. Then I started doubling my short passwords by typing them twice. Instant 16 char passwords that were easy to remember and type. Sometimes I would mix it up and use 2 of my old 8 char passwords together. I would think password1 then password2 and type them just as fast.

More recently with smartphones and now tablets, my passwords were just a monster to enter in. One password was lnnLllnnlnnLllnn where l = lower, n = number, L = upper. A total pain when you also have to swap from numbers to letter on the key pad. My current passwords are much simpler, very fast and easy to enter, and even longer than before.

One of the passwords that I just cycled out contained 2 swype-able (dictionary) words and a full 10 digit phone number. My short one was 19 characters, easy to remember, and super fast to type on my computer and mobile device. Entering the password is much more natural. I can swype on my mobile and bounce over to the number pad on my desktop. I work in IT and constantly get comments of shock from users when they see me enter my long passwords on systems.

I do reuse passwords on sites more often than I would like to admit. I treat my email as the master password. With that, all other accounts can be reset. I have my financial password, my work password, my social password, and then everything else password. That everything else password is used on all accounts that I don't care about or don't impact me financially. The everything else password never gets changed. I will usually take 3 guesses at a password on a site. If it's not my current one, previous one, or the everything password, I then request a password reset and set it to the everything password.

I never know what to put for a password hint on the sites that ask.