Please create an account to participate in the Slashdot moderation system


Forgot your password?

Comment: Re:Home of the brave? (Score 1) 397

by mlts (#48622145) Attached to: Top Five Theaters Won't Show "The Interview" Sony Cancels Release

What were the smaller threats? A brick through a window? Used to happen all the time when Austin was in a recession in the early 1990s.

Would I go? Yes, because it is very hard to find a barber here in Austin at a reasonable time.

Would I say yes, no matter what? Not without more info, but in general, it wouldn't affect me. If it was a threat significant enough to be worried about, the local PD would have their MRAP there.

Comment: Re:The cloud is... (Score 3, Interesting) 273

by mlts (#48601025) Attached to: Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services

The cloud is more than just storage, but usually people use the storage functionality for this.

Realistically, the cloud needs to be treated as another storage medium, just like optical, tape, floppy disks, HDDs, SSDs, and everything else. You plan for media failure, and you build in anti-compromise measures.

The cloud is the same way. If you are an enterprise, you turn on encryption in NetBackup or other program, create a storage pool, and have a mirror on other media (be it an Avamar, a tier 3 disk, or a LTO-6 silo.)

If you are a home user, you encrypt your cloud backups, either by storing things in an encrypted container (TrueCrypt, BitLocker protected windows image, Mac Disk Image, LUKS, PGP Disk volume, etc.), or using a backup program that encrypts. At the worst, there are utilities like BoxCryptor which act similar to CryptFS and map an encrypted layer on top of the cloud drives. Any of this is better than nothing.

Of course, with encryption comes the major bugaboo -- key management. You may have the data securely stashed on the cloud... but without keys, it will be inaccessible. I like having several printed out physical notebook with keys in it, as well as archive grade optical media, and a USB flash drive. Each copy of the notebook goes with a key person (corporate officer), and there is one kept in the local tape safe. This way, if the data center gets completely flattened, it may take days to weeks, but data is still recoverable. This also helps if there is an audit or motion of discovery.

The cloud has its big issues... but treat it as its own piece of media, and it can come in handy. To be more specific, treat each cloud offering as its own media. Amazon Glacier is great for long term archiving, but one needs to well index it, to minimize the stuff retrieved, and Glacier should be the absolute last resort if data is needed, due to the charges for fetching data.

Comment: Re:Ignored Niches (Score 1) 265

by mlts (#48587603) Attached to: Apple's iPod Classic Refuses To Die

This is a niche that nothing fills. In the past, there were a number of players (Archos, Creative, etc.) which filled this place. However, some players required special software, others would not allow copying music from the device (as it encrypted the files, not just renamed them), and some had poor build quality (one brand of player failed to deburr the metal case, and after two returns due to obvious machining fails, I gave up.)

Eventually, the third parties moved to "media" players, so if one wanted something for audio, one had to buy a much larger physical box because the maker assumed people would watch movies on it.

For a time, only Apple and MS's Zune had MP3 players that had reasonable (greater than 64 GB) capacities.

Right now, there is a hole in the MP3 player market. Someone who can make a MP3 player with 250 gigs of capacity, a MTP/PTP interface (or just allowing the device to mount as a physical drive), support for popular audio formats, and a reasonable battery life even when playing FLAC, would have a definite niche. Not a huge place... but it would have a spot in almost every studio.

Comment: Re:bring back the green IBM 3270 (Score 1) 238

by mlts (#48584969) Attached to: Is Enterprise IT More Difficult To Manage Now Than Ever?

For work use, a 3270 terminal does the job well, especially for point of sale systems. Just a terminal is pretty secure, as most likely the serial term servers are not connected to the Internet, and physically tapping the RS232 cable would require physical access.

I would agree that now, having a 3270 emulator is a clean way of doing things. However, I wouldn't be surprised for an intruder to be able to use a RAT on someone's Windows box to slurp the user's password and use the 3270 via remote. If this wasn't the case, then I'd definitely recommend this route (although I'd present an alternative using a 3151/3153 and an AIX/Solaris backend with a curses interface as opposed to VM/ESA since old school UNIX experience seems easier to come by than Big Iron guys.)

I definitely want to sub to your newsletter. In a way, all these breaches are making serial terminals sexy again, just because of the simplicity. Going back to serial terminals may not look as cool at some POS display with a flashy logo, but they do work, and with a good application designer, would work just as well as a graphical application, perhaps better, if the UI was made to be responsive. An attacker would have to have physical access, or have to go after the UNIX server, which is likely extremely hardened [1].

[1]: Solaris 11 turns root into a role, and AIX can be configured to disallow root altogether, so UID 0 is just another user, no special attributes attached. Modern commercial UNIX variants can be locked down quite well.

Comment: Re:Is it more difficult? (Score 4, Insightful) 238

by mlts (#48584807) Attached to: Is Enterprise IT More Difficult To Manage Now Than Ever?

IT can be completely different, depending on organization structure and people involved.

I have worked in companies where the IT department always had stuff in testing and stayed ahead of the game, not just putting out reports, but workarounds when it became time to roll major upgrades out. I've worked in other departments which were purely reactionary, and the only thing they really did was fight fires with every purchase being under an emergency budget. I've seen the spectrum in between the two extremes.

The problem with IT's reputation is that it is a cost center, and a highly visible one. IT also has a lot of factors, some at opposed ends. For example, if a sales guy demands that he is able to store confidential un-announced products on his personal laptop, how does one answer that demand and still preserve security? The exact answer depends on the organization [1].

IT has always had that pitfall of the new and shiny, be it internal wikis that were deployed, then just sit there, untouched for years, to the cloud, to business social networks, to internal chat mechanisms, and so on. It takes both technical and social expertise to take all the noise and clamor from vendors busting down the door and create a usable, secure setup, while keeping in budget.

The one most important factor is reacting to change. Flexibility is crucial. For example, even though individual machines with drive arrays work well, moving to a SAN in the data center [2] is a necessary move for most applications. Similar with moving from racks of physical hardware to a VM infrastructure [3]. Network-wise, the future will be about dealing with edge devices (IoT stuff), and perhaps even having a separate WAN that is shared among companies that uses leased lines so that business transactions run on a separate network than the Internet.

[1]: One organization would give the sales guy the middle finger. Another would just allow him to email the plans to customers and call it done. In between would be a company laptop with decent FDE on it (BitLocker + TPM), and so on.

[2]: Pick your protocol. iSCSI is the cheapest to implement, but FC is decent, as it is most likely a separate fabric so if the network goes down, your drives stay up. Ideally, if you have compute nodes (like ESXi machines), you have everything boot from the SAN.

[3]: Again, this varies on application.

Comment: Re:bring back the green IBM 3270 (Score 1) 238

by mlts (#48584503) Attached to: Is Enterprise IT More Difficult To Manage Now Than Ever?

I think text consoles, though secure, are dead. Instead, for a network that has to be secure, keep the machines on an isolated subnet (no traffic in/out except to the domain controller, the app server, and a RDP/terminal server.) That way, private data is secured, but people can hit the Web and do what they want, and data can't leak into the RDP link. Best of all worlds.

Another idea is putting the data behind Citrix. Internal machines will still need to be secured, but the machines are more of glorified thin clients, as opposed to actually handling/manipulating internal stuff.

Comment: Re:Cloud (Score 2) 238

by mlts (#48584465) Attached to: Is Enterprise IT More Difficult To Manage Now Than Ever?

The cloud is cheap, but so is stashing one's valuables in a box underneath a bush by a park bench as opposed to a safety deposit box. As intrusions become more brutal (where sensitive data like employee bank accounts and HR records just doesn't go to the bad guys, but gets posted for the world to see just out of spite), the cloud solution that worked in 2010 has a good chance to destroy a company due to lawsuits in 2015.

Comment: Re:Riiiiight. (Score 1) 232

by mlts (#48582403) Attached to: Ford Ditches Microsoft Partnership On Sync, Goes With QNX

Only reason I can guess is politics. QNX makes sense from a legal standpoint because if something does happen that is caused by the audio head, Ford could attest that they used a "known realtime hardened OS", with FIPS, Common Criteria, and other certifications.

With function creep, even though it is abhorrent, the audio head is becoming more and more a part of the CAN, where if it glitches and shits the bus, there goes the ECM and TCM. While something like Linux can work well, I'm guessing Ford wants some CYA documentation and having anything that touches the CAN be a realtime OS might be important for the legal eagles signing off on vehicle models.

In an ideal world, the audio head (especially with remote app functionality) should not be let near the core CAN, and if it has to have some functions (like climate control), that goes through a controller that has sanity checks and the ability to ignore requests if they don't make sense or would cause damage. That way, if the audio head's BlueTooth stack glitches or someone's cat picture uploaded as a background is malformed and crashes the graphics rendering part, the vehicle will still function normally.

Comment: Re:First part seems good (Score 2, Insightful) 157

by mlts (#48582267) Attached to: Google Closing Engineering Office In Russia

There is also unintended consequences. Say every country demands this where their citizens' stuff is stored on domestic data centers. Now, the government of Elbonia passes a law stating that for anti-"terrorism" purposes, their version of a secret police has to have real time access to all servers, which in addition to a vague law or two about seditious speech, starts getting people tossed into prison.

It is the lesser of two evils. The US isn't perfect, but I can have a banner in a window cursing the President and Congress out and not worry about a knock on the door, or a kick in the door. Other countries, citizens there may not be so lucky, and a law forcing Google and others to store data domestically might just be the exact thing a repressive government is dreaming of.

Comment: Re:Riiiiight. (Score 5, Interesting) 232

by mlts (#48581605) Attached to: Ford Ditches Microsoft Partnership On Sync, Goes With QNX

QNX may not be everywhere, but it was a mature product when Linux was just a kernel and people were grafting Minix functionality into the user space.

It does sound like an advertising pitch, but this is accurate about QNX. The OS isn't cheap, but it does offer realtime functionality. It also is designed to be quite stable to where a bug or a hang can cause tremendous disasters, be it software with X-ray machine or figuring out what position to move a set of control rods in a reactor. QNX has excellent internal security, and a decent development kit.

In embedded development, I'd probably use Linux for most items (because it has a wide variety of tools available), however if it is any way connected to something that can kill or seriously injure, like a component on a car's CANbus, I'd go QNX because it is going on 30 years and a very mature product. Realtime OS functionality isn't needed everywhere, but when it is needed, nothing else will do.

As for Ford's use, is it better than SYNC? This is more of an opinion question than anything else. I have had good luck with SYNC across a number of devices (Android and iOS), but others have had horror stories. Time will tell if end users prefer the QNX based audio head over previous ones.

Comment: Re:PRIVATE encryption of everything just became... (Score 2) 378

by mlts (#48577467) Attached to: Congress Passes Bill Allowing Warrantless Forfeiture of Private Communications

Incorrect. The NSA/NIST produce official, standardized versions of crypto libraries (which is a good thing because there are a lot of people who are clueless about the math principles behind crypto, and would use something braindead like ECB, or if hashing passwords, not bother with a salt.)

In the early 1990s, there was the Clipper chip that would have Skipjack loaded onto it on a secure site. This was something cryptographers were worried about because once that chip became common, the other shoe would drop, which was to make crypto illegal.

There were attempts to make crypto illegal. Around 1991, the honorable senator from Connecticut, Joe Lieberman, was trying to pass bills to make encryption illegal, which is why PRZ wrote PGP 1.0 (and subsequent versions) in the first place, so there was a tool out there, legal or not, to protect people.

As it stand now, whatever encryption algorithm I use is legal here in the US. Realistically, a mainstream algorithm is a good choice since there are a lot of homegrown ones which would get easily broken by a decent cryptographer.

Comment: Re:might work at big companies (Score 1) 415

by mlts (#48556937) Attached to: Microsoft's New Windows Monetization Methods Could Mean 'Subscriptions'

RedHat is in an interesting niche, where it can work on an OS that is a direct downstream of what it makes as a product, and not worry about revenue.

Two reasons: Certifications like FIPS and Common Criteria, and paid support. No company past a SOHO business is going to run production critical servers on an OS without support, especially when contracts, regulations (Sarbanes-Oxley, HIPAA, FERPA, PCI-DSS3), or other items are involved... especially come audit time, both for licensing as well as security and financial.

Comment: Re:Boy that will win more users.... (Score 3, Insightful) 415

by mlts (#48556891) Attached to: Microsoft's New Windows Monetization Methods Could Mean 'Subscriptions'

Apple's system is better, and it is worse in a number of ways. A Mac only will get a certain number of OS X releases, and after that, if you want major security fixes, updates for applications, or other items, you have to replace your hardware. So, OS X is "free" in one sense... but if one factors in the fact that the hardware only will work with new releases for a certain amount of time (for example, six years and counting for my late 2008 aluminum MacBook), Apple does get its due.

With MS, even the latest edition of Windows can run on some pretty ancient hardware, so MS earns their cash by the OS and revisions. If MS got a chunk of change for every PC made, the model might be different.

Comment: Re:Counterpoint (Score 1) 415

by mlts (#48556849) Attached to: Microsoft's New Windows Monetization Methods Could Mean 'Subscriptions'

I think Microsoft sees that the RedHat model of machine subscriptions is lucrative, and wants to go with that. The infrastructure is in place for this. All it would take is moving all machines to a KMS-like model for activation, except pointed at either a server on the LAN to authorize the activations or go to MS to pick up the activation credential.

However, MS pretty much already has that model with SA contracts. No SA contract, then the new versions will cost a good chunk of change.

Problem is, who is going to buy it? Businesses don't want to have further infrastructure aggravations, and already the KMS model ties all Windows machines in a company to the Internet, as the KMS server has to be Internet connected, and machines have to connect to that. People don't want to dig up an old, disused computer, then have to pay a fee to MS per month to turn it on.

Of course, there is the cost issue. Not everyone has the money to pay a monthly subscription, especially in this economy. What will happen is that machines will get activated... but it may not be a genuine MS server or genuine MS OS doing the activation process. Even a price of $10 a month can be too much for a lot of people, either in the US or abroad.

Excessive login or logout messages are a sure sign of senility.