Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re: Our saving grace, perhaps? (Score 1) 33 33

Yes and no. Malware such as CryptoWall goes after the user data specifically. It can run for days or months without detection. By the time you figure out something ain't right, the first task is to figure out how deep that rabbit hole to hell goes. You can't simply roll back to a previous snapshot without losing all subsequent productivity. You will have to perform some reconciliation with data due to undetected daily data destruction. It's not a fun day to deal with that!

Comment: Re:Antivirus is useless. (Score 2) 33 33

It's polymorphic, so yeah, AVs won't find it. It's executes random, in random memory, does it damage to files and drops a few HELP_DECRYPT.HTML files in whatever directory got hit. Then it terminates itself.

It does this to prevent reverse engineering and detection by AVs. Also, it won't run in VM environments so as a snapshot can be created to reverse engineer it too, so I've read. I haven't confirmed that part however.

I believe the payload is hosted in random Google Doc sites.

Comment: Re:BECAUSE IDIOTS PAY IT! (Score 1) 33 33

It will only go after AD if the Domain User account is a member of Domain Admins, Schema, etc. Even IT Administrators should have their own User account, and leave the one for Domain Admin as a utilitarian account. Because, if you're a member of those high level privileges and run the virus, it will run with whatever your account has access to!

Here's a previous article on the subject. Be sure to block My_Resume.zip and My_Resume.svg from e-mail in the meantime.

https://threatpost.com/cryptow...

Comment: I've been writing code like this since 1985. (Score 1) 63 63

In all seriousness though, have you ever tried to analyse unstructured text? It's hard. How would you realistically improve it? Do you start with a preconceived list of technology key words and count them in the resumes? People misspell words. Words have multiple meanings depending on context.

I've been writing code like this since 1985. Then, it was in LISP.

It's actually trivial to me at this point. You end up with a meaning trie with differential probability vectors, and some of the roots wither away as you go down. Making a machine decision is harder, but not entirely impossible.

I get incredibly annoyed at people like Lazlo Bock who want to put everyone's resumes into a form that basically allows Google (Lazlo Bock works for Google) or other companies to magically allow you to come into a new job under the horse collar of a performance review of your previous job which they were in no way involved with.

The whole "HR metrics" industry... uh... kinda pisses me off? I pick companies based on criterion other than standard metrics. If they pick me that way... they do not deserve me. Mostly they stumble into me, I fix them, and then I exit.

I understand the "OMG we need people who know what they are doing and not recent graduates!" panic. Does not mean I sympathize.

Comment: Re:Who watches this crap? (Score 1) 128 128

the really valuable work is done while I'm in the shower or in bed

This together with the question "Why would anyone want to watch someone code?" makes me think in the lines of pornstars pretending to be programmers in the shower.

And then he opened the SPARCStation pizza box to reveal... a Zilog UART!

Comment: Re:Ummmm... (Score 1) 222 222

There's better options than PBKDF2, like scrypt. Also, both require you to chose some parameters; PBKDF2 with a salt of String.Empty, hash algorithm of MD5, and iteration count of 1 is... just an MD5-hashed password. Obviously, those are terrible and stupid parameters, but if people were *good* at choosing secure options then this whole thread wouldn't exist. At least scrypt *only* has the work factor, and it's pretty straightforward.

Comment: Re:Security theater questions (Score 1) 222 222

There's generally no way to send the user a secure (i.e. encrypted) message. All you can do is make the token short-lived and hope that nobody is intercepting server-to-server email traffic (and that the user's email account is secure, both from malicious clients and from server-to-client interception). It sucks, but until email encryption of one sort or another becomes more ubiquitous, it's the only workable option.

Comment: Don't encrypt! (Score 1) 222 222

Don't ever store passwords (reversibly) encrypted. Don't even (just) hash them; hash functions are way too fast (and yes, fast is bad here). There should be no way for anybody to get the password out of the info stored in the database, even if they know all your keys.

Use a slow key derivation function instead. PBKDF2 is popular, because it's easy to understand and widely supported; it's basically just taking a value (the password), salting it (you are using a strong, cryptographically random, per-user salt... right?) hashing it, salting the resulting digest again, hashing the salted digest, and repeating the last two steps over and over (tens of thousands of iterations are common). At the end of that, you compare the resulting digest to the value stored in the database; if they match, the user is authenticated. Obviously, don't try implementing this yourself; even simple crypto should always be written by an expert, and you should use the resulting library. There are lots of places to find it, though.

Alternatively, you can use the purpose-built algorithms like scrypt or bcrypt. These are more complex (and less widely implemented) than PBKDF2, but they also offer more advantages against brute forcing, such as requiring a lot of RAM during the computation so you can't build a massively parallel hash-cracking machine (a commodity GPU can do billions of hashes per second in parallel; these algorithms make those parallel attacks harder).

Comment: Re:Back Door (Score 2) 56 56

"I am a Marxist-Leninist, and I will be a Marxist-Leninist until the last days of my life" - Fidel Castro (Dec 2, 1961)

I propose the immediate launching of a nuclear strike on the United States. The Cuban people are prepared to sacrifice themselves for the cause of the destruction of imperialism and the victory of world revolution. - Fidel Castro (Oct, 23, 1992, as quoted in NY Times)

Forbes estimates Castro has a net worth between 550 million and 900 million dollars.

So yeah, keep wearing that Che Guevara T-Shirt there buddy.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...