
Comment: Re:Code reuse exacerbates the problem? (Score 2) 83

If you have physical access to the machine, it doesn't matter. You can rewrite the BIOS. And then, yes, it is an advantage to malware authors if there's only a couple of kinds of BIOS, because their malware only has to support those kinds. So yes, reuse of code becomes a "problem" for the rest of us if viewed from that perspective. It's not clear though that life would be any better for users overall if there were more kinds of BIOS. As bad as Phoenix, Award et al can be at making BIOS that works, I shudder when I imagine vendors rolling their own. I'll live with the disease, thanks.

Yeah, I agree with regard to the physical access vector. I have a background doing IT in a DOD TS/SCI environment for three years and a TS environment for eight with DOE. We (those of us who knew what we were doing) had the philosophy that if you had physical access to a system then you could pwn it. At DOE it wasn't our duty to design systems with any consideration of the "insider threat" unless it was for the use of FORNATs. Systems for US use relied mostly upon personnel and site physical security.

I do disagree that a greater number of targets being more burdensome for the black hats outweighs the security benefits of supporting a smaller code base. The former is merely supposed security through obscurity. A basic rule of thumb of security is to minimize the attack surface. One of the primary strategies to accomplish this with regard to information security in a software environment is to reduce the amount of code running.

Comment: Code reuse exacerbates the problem? (Score 5, Insightful) 83

Manufacturers/vendors don't write their own BIOSs; they license them from the likes of Phoenix Technologies and Insyde. These licensors don't write a completely new BIOS and bits for each licensee, let alone for each motherboard and its variants. As such, of course there is code reuse. Imagine the probable security issues there would be if each vendor, let alone each motherboard, received a BIOS that was written from scratch. QA would be a nightmare, as would the security of the code.

The problem isn't the reuse of code. The problem is that the code that was reused had security vulnerabilities.

Comment: Re: Unfair comparison (Score 1) 447

by LazLong (#49246209) Attached to: Homeopathy Turns Out To Be Useless For Treating Medical Conditions

Here's a link http://www.fda.gov/NewsEvents/... to an announcement for an obesity treatment that modifies the signals of the Vagus nerve via a surgically implanted device. The study implanted the device into two groups of patients, but was only actually activated for one group, though both groups thought it was for both. I'd say that was the use of the placebo effect via surgery.

Comment: Sensationalistic title and wording used in OA (Score 5, Informative) 37

by LazLong (#48147823) Attached to: Analysis of Linux Backdoor Used In Freenode Hack

The OA uses the term "Linux backdoor," but then goes on to describe it as an add-in kernel module. It's not a backdoor, but rather a rogue kernel module someone has written. The module in question, ipt_ip_udp, isn't part of the Linux kernel. It's merely a module some black hat wrote to provide remote access to an already compromised system. This is just FUD and self-promotion by NCC Group to make what they found sound much more important than it really was, no doubt to increase their client base. What crap.

To sum up, it isn't a Linux back door and it isn't a vulnerability in the Linux kernel source code. It's merely a rootkit.
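The distinction the post draws (a module dropped onto an already-compromised box versus a flaw in the kernel source) suggests a first check an investigator would run: compare what the kernel reports as loaded in /proc/modules against what is actually installed under the running kernel's module tree (modules.dep), and look at the per-module taint flags. The script below is an added example for this thread, not code from the original post or from NCC Group's analysis. The /proc/modules and modules.dep contents are constructed sample data; the sizes, addresses and the neighbouring module names are made up, and only the name ipt_ip_udp comes from the post.

```python
"""Flag loaded kernel modules that are not present in the installed module
tree, and report taint flags.  Added example with constructed sample data."""
import os
import re

# Constructed sample of /proc/modules: "name size refcnt deps state addr [(taint)]".
# The trailing "(OE)" is the kernel's per-module taint field: O = out-of-tree,
# E = unsigned.  Values below are made up for illustration.
PROC_MODULES = """\
xt_udp 16384 2 - Live 0xffffffffc0a1e000
x_tables 53248 1 xt_udp, Live 0xffffffffc0a05000
ipt_ip_udp 20480 0 - Live 0xffffffffc0b30000 (OE)
nf_conntrack 172032 1 - Live 0xffffffffc0a40000
"""

# Constructed sample of /lib/modules/<release>/modules.dep:
# "relative/path/name.ko[.gz|.xz|.zst]: dep1 dep2 ..."
MODULES_DEP = """\
kernel/net/netfilter/xt_udp.ko.zst: kernel/net/netfilter/x_tables.ko.zst
kernel/net/netfilter/x_tables.ko.zst:
kernel/net/netfilter/nf_conntrack.ko.zst: kernel/net/netfilter/nf_defrag_ipv4.ko.zst kernel/lib/libcrc32c.ko.zst
kernel/net/netfilter/nf_defrag_ipv4.ko.zst:
"""


def parse_proc_modules(text):
    """Return {name: {'size', 'refcnt', 'taint'}} from /proc/modules text."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        taint = ""
        # The taint field, when present, is the last token in parentheses.
        if parts[-1].startswith("(") and parts[-1].endswith(")"):
            taint = parts[-1][1:-1]
        mods[parts[0]] = {"size": int(parts[1]), "refcnt": int(parts[2]), "taint": taint}
    return mods


def parse_modules_dep(text):
    """Return the set of module names (normalised) installed in the module tree.

    Every module that depmod knows about appears as a key or a dependency on
    some line, so collecting every .ko path on every line is enough.
    """
    names = set()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, deps = line.partition(":")
        for path in [key.strip()] + deps.split():
            base = path.rsplit("/", 1)[-1]
            base = re.sub(r"\.ko(\.(gz|xz|zst))?$", "", base)
            # The kernel reports module names with '-' turned into '_'.
            names.add(base.replace("-", "_"))
    return names


def find_unknown_modules(proc_modules_text, modules_dep_text):
    """Names of loaded modules that have no file in the installed module tree."""
    loaded = parse_proc_modules(proc_modules_text)
    installed = parse_modules_dep(modules_dep_text)
    return sorted(n for n in loaded if n.replace("-", "_") not in installed)


def tainted_modules(proc_modules_text):
    """{name: taint_flags} for loaded modules that carry any taint flag."""
    loaded = parse_proc_modules(proc_modules_text)
    return {n: m["taint"] for n, m in loaded.items() if m["taint"]}


if __name__ == "__main__":
    print("sample: not in module tree:", find_unknown_modules(PROC_MODULES, MODULES_DEP))
    print("sample: tainted:", tainted_modules(PROC_MODULES))
    # On a live Linux host, run the same check against the real files.
    dep_path = os.path.join("/lib/modules", os.uname().release, "modules.dep")
    if os.path.exists("/proc/modules") and os.path.exists(dep_path):
        with open("/proc/modules") as f, open(dep_path) as g:
            print("live: not in module tree:", find_unknown_modules(f.read(), g.read()))
```

On the sample data the only name missing from the module tree is ipt_ip_udp, which is also the only module carrying the O (out-of-tree) and E (unsigned) taint flags. The check is a triage aid, not proof of cleanliness: an attacker who already has root can drop a .ko into /lib/modules and re-run depmod, or hide the module from /proc/modules altogether, so a negative result from this script rules nothing out.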

Comment: Re:Who uses mice? (Score 2) 361

by LazLong (#45666541) Attached to: How long do your computer mice last?

+1 for the clit. I first learned to work the clit when I bought a Toshiba Satellite Pro 2400CT back in '94 that had a green clit. I totally fell in love with the clit as it allowed me to mouse around without the need for a hand to leave the keyboard, which I'd think a great deal of touch-typists would appreciate. I loved it so much I went out and bought an IBM keyboard with a nice red clit that cost me over $100, which back then was 1/3 of a month's rent. Since then every Intel PC keyboard that has been attached to a system I used regularly has had one. It kinda annoyed some of my co-workers as I'd always get the KVM keyboards replaced with clit-endowed ones; praise be to the ergonomics fad which makes it easier to justify.

Unfortunately, the clit has fallen into disfavor and is mostly only available on business-class laptops. You can, however, still buy nice IBM Model M-type mechanical-keyed keyboards with a clit from the company that bought IBM's IP for their keyboard technology and the factory in which they were manufactured - Unicomp. www.unicomp.com

Comment: Re:Unless, of course, you study the author... (Score 5, Informative) 726

by LazLong (#45364137) Attached to: Critics Reassess Starship Troopers As a Misunderstood Masterpiece

Niven's Law: "There is a technical, literary term for those who mistake the opinions and beliefs of characters in a novel for those of the author. The term is 'idiot.'"

I have seen no evidence that Heinlein believed that the idea of Citizenship in ST should be realized. If you can cite some credible, non-fiction source where Heinlein advocates the realization of the governmental form found in ST, I would be most interested. I believe Heinlein was a strong believer in one realizing the existence of, and paying, one's debts to society, and nothing more.

Secondly, you err in your statement re: ST "That only those who serve in the military and commit violence...." Full-Citizenship afforded one the opportunity to vote, hold elected office, and teach the high school History and Moral Philosophy course. Obtaining this required NATIONAL SERVICE of some sort, the form of which was based upon the needs of society and the aptitude and skills of the individual in question. There was ABSOLUTELY NO requirement that one serve in the military nor participate in some form of violence (war?) in the name of their country. You are incorrectly trying to tie the requirement of jingoistic beliefs with citizenship requirements in Starship Troopers. Perhaps you should go back and read it again.

Thirdly, the article is about the MOVIE by Paul Verhoeven, not Heinlein's novel. The movie does indeed poke fun at jingoistic ideals, portrays a fascist government whose military intelligence service wears SS-like uniforms, has a national news service that uses heavy-handed propaganda techniques, etc. I had not read any of the critiques of the movie upon its release, and am surprised that these obvious themes and messages weren't remarked upon.

I guess by my 'nick you can guess I'm a bit of a Heinlein fan. :-)

Comment: Re: I dislike M$ as much as the next guy.... (Score 1) 404

by LazLong (#43920289) Attached to: Google Security Expert Finds, Publicly Discloses Windows Kernel Bug

Your attitude is typical of egocentric anarchistic coders with zero sense of social responsibility. Thankfully the majority of Western civilization believes and acts otherwise in relation to their fellow humans. Else we'd live entirely in a 'might makes right' society.

I hope your lack of a sense of professional responsibility extends to those professions upon which you rely, and that you do not expect them to act out of anything other than base mercenary motivations. And I hope you accept personal responsibility for all ill that comes your way in life. After all, it isn't anyone else's fault than your own that you don't have limitless resources and time to spend to prevent it.

Comment: I dislike M$ as much as the next guy.... (Score 3, Insightful) 404

by LazLong (#43909087) Attached to: Google Security Expert Finds, Publicly Discloses Windows Kernel Bug

...but not disclosing it to the vendor first and giving them a chance to release a fix is both unprofessional and irresponsible. The fact that this is coming from a Google employee makes it inexcusable, and reflects poorly on Google. If I were his manager he would certainly receive a reprimand.

Comment: Re:Where is the jurisdiction? (Score 2) 58

by LazLong (#40726567) Attached to: US Charges Russian With Launching 2008 Amazon DoS Attack

One might think that the jurisdiction is that in which the damage occurred. i.e. if the servers were in the US, that is where it lies. This is simply an international attack, the same as mailing a bomb from one country to the next.

There is a far too prevalent belief or ethic amongst the techno-educated from the former Soviet republics that it is their right to take advantage of whoever is 'stupid' enough to be vulnerable to their skills. This needs to come to an end. The Internet is not the cyber wild west. I am not saying that the US should be the marshal, let Interpol do it, or whoever. It just needs to be done.
