

Comment: Re:Good luck... (Score 1) 48

by mlts (#49371017) Attached to: India Mandates Use of Open Source Software In Government

This gets me curious about what tools people use for their larger deployments. I've used Chef and Puppet, as well as Splunk to consolidate logs, but if I get asked to find a tool that is to Linux as SCOM/SCCM is to Windows, what would be the best bet? I see the above statement, "Linux can't be managed", repeated a lot, and that should be addressed.

Comment: Re:Just disable it... (Score 1) 192

One thing that does help is virtualization and downsizing equipment. For example, moving from a desktop to a laptop, buying (or building) a decent server for virtualization, and even using low power devices for LAN services (I use an older Android phone to run a caching DNS service) can make a significant difference.

Especially with older hardware. Almost everyone has that old computer with sturdy hardware that works well. However, those older machines can eat a lot of power.

Comment: Re: What Would be a Trivial Amount? (Score 4, Insightful) 192

One idea I've found that works, provided this is possible (i.e. you own the property), and one has the electrical ability, is to have a dedicated circuit for the little devices that comes from an inverter [1] and a set of batteries that charge from a PV panel array.

This doesn't have to be expensive. A common setup winds up being two 6VDC golf cart batteries in series (12 volts total), 2-3 PV panels, a decent charge controller [2], and an inverter. This won't run your air conditioner unit, but it will be big enough to handle a number of low amperage devices, and one can build a decent setup for well under $1000.

In fact, I did a jerry-rigged setup to light a shed on the far side of a friend's farm using a cast-off extension cord (it had the proper gauge wires when stripped), a cast-off 200 watt panel, an $8 PWM charge controller from eBay, an old deep cycle battery, and a DC-DC converter so I could use some 340 lumen SunJack LED bulbs (with built-in switches) that run from a USB port. All of this cost well under $100. The SunJack LED bulbs would run 8-10 hours on a 1.2 amp (or 12,000 mAh as the packaging says), so a 200 amp-hour battery that only has 50-75 amp-hours left can run the bulbs for a very long time without solar.

Another added benefit of having all the devices on their own circuit is that they are essentially on a UPS, so if power fails, they will still keep running.

[1]: Don't skimp here... buy a reliable PSW (pure sine wave) inverter, and go for a 1500-2000 watt model even though running at full tilt will discharge the batteries quickly. This is so that if one plugs something in that has an inrush current (refrigerator compressor, microwave), the inverter can handle it.

[2]: You can go with a MPPT controller, which allows for higher voltage panels (as it converts the voltage higher than what the batteries use into a lower voltage with more amps), or have more panels to handle how a PWM controller "lops" off any voltage it doesn't need.

Comment: Re:Tipping point? (Score 1) 92

Platter technology will end up being pushed to the NAS/SAN, which is why WD is making their Red line of drives.

Perhaps HDDs, now that speed and capacity are secondary, will start evolving down the path of reliability, perhaps replacing tape as an archival medium.

NAS drives are going to be a big market, especially with devices like Apple's new MacBook with limited expansion capability, so people will use WiFi Direct hard drives as their main backup source, as opposed to USB drives. In this use, capacity is limited on the MacBook, and speed is limited, so drive makers (hopefully) will end up working on leapfrogging each other for reliability and security.

Comment: Re:Prepare to restore from backup often (Score 3, Interesting) 259

by mlts (#49350169) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

I have a third option: an admin passphrase that is a lot longer than my user passphrase, but has more retry attempts. That way, if the short passphrase gets typoed, I can still unlock the device with the admin one.

You are right about backups... that is why I have three of the USB tokens, just in case.

Comment: Re:Why SSD in a "do-nothing" PC ? (Score 1) 92

Had a similar choice when giving a laptop to a relative. I went SSD instead of SSHD because SSDs are physically more resistant to shock.

However, if given the choice with a desktop... I'd probably still use SSD, just because when I delete a file and fstrim the drive, the file is -gone- for good, since the drive controller will come around, write "1"s to all the pages that file used and call it done. Of course, keeping good backups when using SSDs is wise, just due to this exact thing.

Comment: Re:Still not allowed by many places. (Score 1) 259

by mlts (#49349543) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

I wonder if the ideal password manager would be one that would use a typed-in password as a seed/IV (hash a seed and the site name), with exceptions stored for sites which don't allow passwords generated with that tool to work. Some sites require a number, a capital letter, a lower case letter, a symbol (well, not all symbols work), or some other random, annoying combination of the above.

Of course, the ideal password manager would store the password database with a master volume key, then each device accessing it would have the MVK encrypted to its public key. This way, if someone wants to add a device, they just allow access on another device. If someone wants to remove access, it is doable, but it would be wise to re-encrypt the DB to a new key for security. This is how PGPDisk did its encryption, and it completely deters brute-forcing, should someone get access to the data stored on the cloud, since there is no password, so the attacker has to deal with the entire key's keyspace.

Since the private key is on the device, the user just needs a PIN to unlock (with a timeout after too many wrong attempts), rather than a longer passphrase. Both iOS and Android have secure storage (KeyChain for example) which makes this easy to implement securely.
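As an added example (not the commenter's code, and not any named product's), the two mechanisms the comment above sketches in working Python: per-site passwords derived deterministically from one typed secret plus the site name, with a stored exception table for sites whose character rules would reject the default output, and a random master volume key (MVK) wrapped separately for each device so that a device can be added or dropped without any password ever being stored with the database. The site names and policies are constructed, and the per-device keys are symmetric stand-ins (an assumption of this example) for the per-device public keys the comment describes, since the standard library has no public-key primitives.

```python
"""Per-site password derivation with policy exceptions, plus an MVK wrapped
per device. Added example; device keys are symmetric stand-ins for the
per-device public keys the comment describes (assumption)."""
import hashlib
import hmac
import secrets
import string

KDF_ITERATIONS = 200_000  # assumed work factor for the one typed secret

DEFAULT_POLICY = {"length": 20, "symbols": "!@#$%^&*",
                  "require": ("upper", "lower", "digit", "symbol")}

# Constructed exception table: sites whose rules differ from the default.
SITE_EXCEPTIONS = {
    "bank.example": {"length": 12, "symbols": "",
                     "require": ("upper", "lower", "digit")},
    "legacy.example": {"length": 8, "symbols": "!#",
                       "require": ("lower", "digit", "symbol")},
}


def _expand(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode expansion of a key into n pseudo-random bytes."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _classes(pw: str, symbols: str) -> dict:
    return {"upper": any(c in string.ascii_uppercase for c in pw),
            "lower": any(c in string.ascii_lowercase for c in pw),
            "digit": any(c in string.digits for c in pw),
            "symbol": any(c in symbols for c in pw)}


def derive_site_password(master: str, site: str, policy=DEFAULT_POLICY) -> str:
    """Deterministic: same master + site + policy always yields the same password."""
    alphabet = string.ascii_letters + string.digits + policy["symbols"]
    limit = 256 - (256 % len(alphabet))  # rejection bound avoids modulo bias
    # One slow derivation per site; the site name is the salt, so each site
    # gets an independent key from the same typed secret.
    site_key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(),
                                   KDF_ITERATIONS)
    counter = 0
    while True:
        raw = _expand(site_key, b"site-password" + counter.to_bytes(4, "big"),
                      policy["length"] * 4)
        chars = [alphabet[b % len(alphabet)] for b in raw if b < limit]
        pw = "".join(chars[:policy["length"]])
        have = _classes(pw, policy["symbols"])
        if len(pw) == policy["length"] and all(have[r] for r in policy["require"]):
            return pw
        counter += 1  # deterministic retry until the site's rules are met


def password_for(master: str, site: str) -> str:
    """Look up the site's stored exception, if any, then derive."""
    return derive_site_password(master, site, SITE_EXCEPTIONS.get(site, DEFAULT_POLICY))


# --- master volume key, wrapped once per device ---------------------------

def generate_mvk() -> bytes:
    return secrets.token_bytes(32)  # random: no passphrase to brute-force


def wrap_mvk(mvk: bytes, device_key: bytes) -> dict:
    """Encrypt-then-MAC of the MVK under one device's key (symmetric stand-in)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(mvk, _expand(device_key, nonce, len(mvk))))
    tag = hmac.new(device_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_mvk(blob: dict, device_key: bytes):
    """Return the MVK, or None if the key is wrong or the blob was tampered with."""
    expect = hmac.new(device_key, b"wrap" + blob["nonce"] + blob["ct"],
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    ks = _expand(device_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def rotate_mvk(remaining_device_keys: dict):
    """Removing a device: mint a fresh MVK and wrap it only for the devices that
    stay. The caller must then re-encrypt the database under the new MVK."""
    new_mvk = generate_mvk()
    return new_mvk, {name: wrap_mvk(new_mvk, k) for name, k in remaining_device_keys.items()}
```

Adding a device is just one more `wrap_mvk` call with that device's key; the typed secret only ever gates the per-site derivation on the device itself, which is why a copy of the wrapped blobs alone gives an attacker nothing cheaper than the device key's full keyspace.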

Comment: Re:Memorizing site-unique passwords isn't possible (Score 5, Informative) 259

by mlts (#49349459) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

I prefer 2FA when possible. Even a very tough password means nothing if by some means, it gets sniffed by some keylogger, or the password database on a cloud provider gets brute-forced.

For storage where one is using a passphrase for encryption, as opposed to authentication, I like using cryptographic tokens. TrueCrypt used to work with a PKCS#11 library so I could store a keyfile on a set of Aladdin/SafeNet eTokens. This not only made the key immune to brute force guessing... someone who physically possesses the token has three guesses of my unlocking passphrase before the token locks itself forever and zeroes out the stored keyfile. This also works with Symantec's PGP version, except that it generates a public/private keypair, the private key always remaining on the token, while the public part is used for the file/drive encryption.

If 2FA isn't possible, then as above, some mechanism to help with password reuse is very wise. This is useful just in case some website decides to store passwords in plain text, so a person's secure "correct horse battery staple" is now compromised and added to every blackhat's brute forcing library.

Comment: Re:Run as user AND back-ups (Score 1) 167

by mlts (#49349239) Attached to: NJ School District Hit With Ransomware-For-Bitcoins Scheme

All consumer-level ones are that shitty. Time Machine does have some OS level protection, but most just dump data to an external drive. Overwriting the files or just a format of the filesystem can easily destroy that backup.

Windows Server Essentials 2012 R2 has "pull" functionality to grab data from desktops. Another utility is Retrospect which can have a client installed on desktops.

Of course, the ideal would be a backup appliance like an EMC Avamar that deduplicated. Think Time Capsule, except that the appliance initiated the backups, stored them securely, and did the deduplication. Add decent disk encryption (perhaps a startup password or PIN entered on the appliance's webpage to mount the backup drives), and this would help versus malware.

Comment: Re:Run as user AND back-ups (Score 2) 167

by mlts (#49348067) Attached to: NJ School District Hit With Ransomware-For-Bitcoins Scheme

Most backups would be erased or encrypted by the ransomware. The problem is that people think in terms of disk failures or hardware failures, so have their backup solution based around this. With just this in mind, going with two SANs that replicate with each other asynchronously is the best thing to do, since the data is always available.

However, this doesn't factor in software designed to corrupt/encrypt backups over a long haul. This is going to take a dedicated backup server that pulls backups and stores them in a place where a machine cannot access (and thus tamper) with stored data. It also takes a long data retention policy, just in case.

However, in a lot of places, backups are like security -- they are viewed as having no ROI, so at best, you might get some mechanism to stash stuff on disk, but if a machine can back up to the disk directly, it likely can erase/modify stored data.

Comment: Same can happen at a cloud provider... (Score 1) 262

by mlts (#49338889) Attached to: RadioShack Puts Customer Data Up For Sale In Bankruptcy Auction

One scenario that I worry about with cloud providers is exactly this. The provider goes bankrupt, sells all data to someone else, and they now have all the servers and can use the container information, free, clear, with nothing the clients of the former cloud provider are able to do about it legally, barring copyright violations.

Both Borders and RS show a lesson -- yes, there is a privacy policy with company "A", but when the servers get under the ownership of a new company, that policy is out the window, and the data can be used for anything that the new owners desire. Multi-TB torrent? Perfectly legal.

If a cloud provider changes hands, I can see a new company digging through data just to extort people. Say they find a sex toy maker's customer list on a server. They can then send out a note that all customers of this maker will have their names published unless they "buy into" a privacy policy (removing the name from the list) for the low price of $99.99. Since the new company 100% owns the data, free and clear, this is perfectly legal.

Comment: Re:Sooo .. (Score 1) 127

From a root command line, you can do:

vdc cryptfs changepw newpass

(where newpass is your new password for the dm-crypt volume... which is your /data partition.)

There are also apps that do this, but you need root.

Of course, when you change your screen lock PIN, it will change the boot password, but that is a given.

Comment: Re:Sooo .. (Score 1) 127

Those are some good suggestions. I might add a few myself:

1: If your device is rooted, you can separate the password that unlocks the /data partition from the PIN that unlocks the screen. This way, you have 4-5 digits that are quickly typed in... but if a thief decides to reboot the phone or power it off, they are facing the 20-30+ character passphrase... and most newer Android ROMs only allow 30 guesses before they do an erase.

2: Enable encryption of the /data partition. This is worth mentioning.

3: There is an app that will detect if the power button is pressed six times quickly, and send out a duress code. Forgot the name, but might be worth having.

4: Some ROMs will do some form of encryption on the SD card. If not, you can get an EncFS app, or BoxCryptor (which is a commercial/subscription version that uses EncFS as its base.)

5: Consider a backup program like Titanium Backup which uses a very reliable encryption mechanism (it uses a passphrase for a private key, and uses a public key for backups), and can save the encrypted backups to a cloud provider.

6: Consider a utility that requires a PIN to access some apps. For example, the app for a terminal and other rooted apps on my Android phone is PIN protected, FB and other apps are under another PIN, etc... so if a bad guy gets the phone while it's unlocked, they might have access to the Web browser, but not the other parts. If they reboot the phone, they are faced with a very long /data encryption password as stated in #1.

Comment: Re:Golden Rice (Score 2) 573

by ChromeAeonium (#49310939) Attached to: Greenpeace Co-Founder Declares Himself a Climate Change Skeptic

I can't tell if you're trolling or not, but enough people do believe that keeping people impoverished and hungry is somehow good for them, and that it is somehow ethical to sit idly by and watch and do nothing while people starve just for being born in the wrong part of the planet. It's completely idiotic of course. Everywhere we see a reduction in poverty and increases in the standard of living, we see lower birthrates. Do you really think we are going to bring about a greater human development index without first addressing the issues of starvation and malnutrition? Unlikely. Norman Borlaug once correctly remarked that the first essential component of social justice is adequate food for all mankind. You want to fight poverty, start by ensuring that no one goes to bed hungry. It's pretty hard to work your way to economic prosperity when you're dying of vitamin A deficiency.

Comment: Golden Rice (Score 5, Insightful) 573

by ChromeAeonium (#49310267) Attached to: Greenpeace Co-Founder Declares Himself a Climate Change Skeptic

Moore breaks with what might be expected of a Greenpeace founder as well in that he is currently chair of Allow Golden Rice.

Well, while he is wrong about climate change, his stance on Golden Rice is pretty well on. We know it works, we know it is safe, Greenpeace still opposes it because they know damned well that their cries of genetic engineering being a dangerous horrible thing that you should totally give them loads of cash to fight are going to look a bit silly when it is saving the lives of thousands of children. It's despicable that they are willing to allow unnecessary death and human suffering in developing countries just to further their careers as professional activists. They're no different than anti-vaxxers who bring back vaccine preventable disease, not in my book. I don't agree with Moore's stance on climate change, but at least he's doing good on this front to bring attention to the harm Greenpeace and other anti-science groups are doing.
