


Comment Re:God DAMN it! Not fucking again! (Score 1) 121

Maybe in retrospect, you should have just went with it and allowed Bush to have bad security.

That ramification of what facts my teammate and I (for 48 hours, only two of us knew what we'd found) knew crossed my mind for about a millisecond. But then, I thought of two things:

1, That he was (as much as I disliked it) elected lawfully, through due process. It went up to the ragged edge of that due process, but still. I was being trusted to help defend more than just one person, but rather the idea that an assassin shouldn't be allowed to negate or counter the rights of hundreds of millions of people.

2, Also, Cheney was next in line.

Comment God DAMN it! Not fucking again! (Score 3, Interesting) 121

I remember the days of the Clipper Chip, and of the prohibition on exporting strong crypto. I remember getting a package from Checkpoint in Ramat Gan, Israel (over international DHL, I believe it was) that was slathered with warning stickers that said it could not leave the USA...when it originated from Israel.

I remember in 2000, doing an IV&V of a VPN solution that did something really funky with their key generation, such that they were allowed to export strong (based on bit size) encryption without having to do key escrow. They put some of the key generation material in the handshake exchange...which means it went in the clear. I shit you not. Oh, and also, their algorithm had no forward secrecy...which was the whole point. Anyone who had sniffed the session could go to the operator of the VPN with a warrant, and have them re-generate the key that was negotiated between the two endpoints...making it possible to decrypt the session. Of course, this came along with a whole metric shitload of security problems, like the fact that compromising the VPN concentrator and pulling a little data off of it would give you the ability to decrypt any session that included that concentrator (we never got to the point of seeing if we could get the same effect by attacking the client). Basically, the whole thing was just a big pile of bitch cock, just waiting for disaster. (We also found a one-packet DoS, a buffer overflow, and other things...all unauthenticated attacks.)

And the best part? The client for whom it turned out I was doing this IV&V. It was the United States Secret Service...specifically the protective detail for the incoming Bush administration. This pig-fucker of a VPN solution was going to be used to protect the President of the United States. That was fun to find out...at the outset of the engagement, we thought our client was the Treasury Department in general (which was kind of true, in a way). When we had "The Meeting" to tell them what a disaster the solution was, they told us who we were really working for in specific. I really needed a drink after that meeting.

Needless to say, the Secret Service ended up going with a different solution.

And now here we are again...with different people but the same organizations bringing up the same dogshit reasons to try and justify demanding the same dumb-shit idea be implemented...backdoored encryption. I find it so incredibly interesting that, when it came down to it, the US Government wouldn't rely on a solution like that to protect themselves, but they would insist that the rest of us accept it for our own use. It makes me want to spew a litany of every obscene word and phrase I can remember, in alphabetical order.
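The two key-agreement designs contrasted in the comment above, as an added illustration that is not the poster's code and not the product under review: a handshake whose session key is derived from a long-term master secret plus a nonce sent in the clear (so a captured transcript plus the master secret re-derives the key), beside an ephemeral Diffie-Hellman handshake where the long-term key only authenticates and nothing retained can recover past sessions. The group parameters, key names and transcript layout are constructed for the demonstration; the 127-bit prime is far too small for real use and stands in for a standardized group.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, for demonstration only (a real deployment
# uses a standardized 2048-bit-or-larger group, never a 127-bit prime).
P = 2**127 - 1  # Mersenne prime M127, constructed choice for the demo
G = 3


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte session key from length-prefixed inputs (SHA-256)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


# --- Design 1: escrow-friendly handshake, as described in the comment -------
# The concentrator holds one long-term master secret. The client sends a nonce
# IN THE CLEAR and both ends derive session_key = KDF(master, nonce).

def escrow_handshake(master_secret: bytes):
    """Return (cleartext transcript, session key) for one session."""
    nonce = secrets.token_bytes(16)          # visible to anyone sniffing
    session_key = kdf(master_secret, nonce)  # both endpoints compute this
    transcript = {"client_nonce": nonce}
    return transcript, session_key


def recover_escrow_session(transcript, master_secret: bytes) -> bytes:
    """What the operator (or anyone who pulled the master off the box) can do
    with a captured transcript: re-derive the exact session key."""
    return kdf(master_secret, transcript["client_nonce"])


# --- Design 2: ephemeral Diffie-Hellman with forward secrecy ---------------
# The long-term key only authenticates the exchange (an HMAC over the public
# values); the session key comes from ephemeral exponents that are discarded.

def _pub_bytes(transcript) -> bytes:
    return (transcript["client_pub"].to_bytes(16, "big")
            + transcript["server_pub"].to_bytes(16, "big"))


def fs_handshake(auth_key: bytes):
    """Return (transcript, session key). The exponents a and b never leave
    this function, so nothing stored on either endpoint can re-derive the key."""
    a = secrets.randbelow(P - 2) + 1         # client ephemeral exponent
    b = secrets.randbelow(P - 2) + 1         # server ephemeral exponent
    transcript = {"client_pub": pow(G, a, P), "server_pub": pow(G, b, P)}
    pub = _pub_bytes(transcript)
    transcript["server_mac"] = hmac.new(auth_key, pub, hashlib.sha256).digest()
    client_shared = pow(transcript["server_pub"], a, P)
    server_shared = pow(transcript["client_pub"], b, P)
    assert client_shared == server_shared    # both sides agree on g^ab
    session_key = kdf(client_shared.to_bytes(16, "big"), pub)
    del a, b                                 # ephemeral material is gone
    return transcript, session_key


def recover_fs_session(transcript, auth_key: bytes):
    """The same recovery attempt against the forward-secret design: the
    transcript plus long-term key lets you *verify* the handshake MAC, but
    gives no way to compute g^ab, so no session key comes out."""
    expected = hmac.new(auth_key, _pub_bytes(transcript), hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(transcript["server_mac"], expected)
    return {"authenticated": mac_ok, "session_key": None}


if __name__ == "__main__":
    master = b"constructed-master-secret"
    t1, k1 = escrow_handshake(master)
    print("escrow key recovered:", recover_escrow_session(t1, master) == k1)
    t2, k2 = fs_handshake(b"constructed-auth-key")
    print("forward-secret recovery:", recover_fs_session(t2, b"constructed-auth-key"))
```

The point of the comparison is the second design's recovery function: with every byte that crossed the wire and the server's long-term key in hand, the best it can do is confirm the handshake was genuine. In the first design, the same inputs hand over the session key, which is why compromising the concentrator (or its operator) exposes every recorded session.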

Comment Re:Too late (Score 1) 402

Yeah and we are focused on fixing all the issues that have caused projects to move.

I want to commend you for participating in the forums, and keeping a remarkably calm demeanor as a significant number of Slashdot readers demonstrate that they go online primarily to yell at other people. It took me a minute to grasp that someone who is actually accountable for Slashdot and SourceForge was actually participating; we've become used to seeing strange behavior (Bennett Haselton *cough*) with no accountability, and not even someone willing to step up and speak to the complaints/arguments/whatever.

And now, here you are standing in the aftermath of that behavior...for which you are not responsible...and taking the brunt of it even after you announce that you've done a good thing that all the screaming howler monkeys actually wanted. Bravo, sir, bravo! Keep to the course, and I believe that it will get better.

As for those who are serving as the voice of reason, and pointing out that this new management is in no way responsible for past sins...keep that up too. We've got to help these people turn things back around by backing them up.

Comment Re:Meh (Score 5, Informative) 276

You could already get a good used one for $15,000-$30,000... http://www.hemmings.com/classi...

You don't have to worry about mileage because as soon as you drive one you'll understand why DMC went out of business. Also the added derp from all the people saying "OMG BACK TO THE FUTURE CAR" will wear off and you'll want to keep it locked away in your garage.

Trust me as someone who drove the "Urkel Mobile" (BMW Isetta) for a few weeks.

Except that for a DeLorean, "good" is incredibly relative. The car's engine was an engineering disaster, and if one still runs it's on *very* borrowed time. There are a million kluges in the way they're built...for example, there was a problem where the throttle would stick in cold weather. It turned out that there was an issue with condensation forming, which would then run down into the throttle cable assembly...and freeze. Their solution? Put an l-shaped bracket above the assembly to make the water miss and land somewhere else.

In another example of how at-risk the engines are, an episode of "Comedians Getting Coffee" with Jerry Seinfeld and Patton Oswalt began...began...in a DeLorean. I say "began" because they didn't make it half a mile before the engine suffered a catastrophic failure, resulting in all kinds of fluids running freely and horrible sounds coming from inside. Chest-burster kind of engine failure.

And when you consider that a Mazda Miata genuinely has more horsepower than these cars ever had, the concept of having the look of a DeLorean, the body of a DeLorean, but NOT the original engine they came with...well, that sounds like a pretty good idea to me. I can see why they're giving it a shot, and it doesn't surprise me that the demand has been pretty high so far.

Comment Re:Pipe Dream (Score 2) 293

The idea that "self driving cars" will

A. occur anytime soon or
B. drive down car ownership,

is a pipe dream.

Billions have been poured into flight control systems and they all still require someone to sit behind the yoke and monitor them. While they do have an extra dimension, they also don't have to deal with as many variables, crappy roads, detours, crappy drivers to avoid, nonsensical roads, etc.

Before driverless cars are ubiquitous, nothing less than a complete overhaul of the roads to simplify routes, clearly mark boundaries, simplify interchanges, and reduce to a minimum possible conflicts, will be necessary. Billions and billions of infrastructure overhaul.

Comparing commercial passenger airline operations to driving cars is ridiculous. Airplanes are treated very, very differently from cars in a great number of ways...let's look at a few.

Okay, so let's start off with the regulations on maintenance of airliners. Logbooks are kept, specific forms of maintenance are required, people working on the planes MUST have specific training and credentials...and those are just the basics. Any material change to the aircraft, including updates to software or even flight mapping data, require re-testing. And failing to comply with any of these standards is actually considered a violation of law. Imagine if you'd get fined for being late for an oil change in your car, or for not getting the car re-certified when you got new tires?

Now, on for the more relevant point...training of the pilots. These are people who work their way up to being able to fly large jets, including a substantial amount of time in simulators...very expensive, elaborate simulators...before they even get to put their hands on the yoke of a real passenger jet. Compare and contrast this to student drivers with less than 30 hours of classroom time before they are driving regular cars on regular roads as the next step in their training, after which they are able to get a full-privilege license and drive just like anyone else.

Consider the accident rate of driving...32,675 deaths in 2015 in the United States (according to the Administrator of the NHTSA when he spoke last week at the Vehicle Cybersecurity Roundtable), of which "94%" (his number as well) were the result of "human error or human choice." Even if a car held as many passengers as a 737, that number of accidents (which actually represents fantastic progress, given that it's the lowest number of car-related deaths per 100,000 people since 1920) would cause people to go batshit insane if it happened in our airline industry. But in cars, it's just considered normal.

People...both the public and those in government...are WAY more tolerant of risk in cars than with regard to airlines. The head of the National Highway Transportation Safety Administration himself stood up last week in front of an audience of hundreds and espoused the expected life-saving benefits of self-driving technology. It won't be perfect, it'll need to improve, it will evolve over time...but those who would be in charge of promoting or limiting the technology have spoken and stated clearly that they are fully on the "promoting" side.

Comment Re:Not too shocking (Score 1) 76

Define "properly". Having domain users in the local administrators group can save a small fortune in IT related support costs in many scenarios. It just needs to be weighed against the potential risks.

I would imagine that the potential risks for ransomware hitting an organisation with proper IT support should be minimal... unless someone isn't doing their backups properly.

When everyone goes home at night, re-image all PCs, and restore backups. That shouldn't cost $1m.

So...you're a fan of building a whole new PC image every time there's a patch? Not to mention the bandwidth needed to push images to all PCs at the same time, every single night, and be sure that there have been no issues? Let's also keep in mind the fact that desktop configurations in nearly all organizations differ, so you'll have driver concerns for some devices, and one-off applications (especially for the most critical users) on others.

At first blush, your "re-image all PCs" idea sounds great...but I've seen it tried and it never works. I'm guessing you've never even tried it.

Comment Not too shocking (Score 5, Informative) 76

Most of these ransomware packages can traverse laterally within an org; they run in the rights context of the user on the first infected computer and use that to infect other systems, spreading within the local network. So if you don't have your permissions properly set up (having "Domain Users" in the local Administrators group on your desktops as a matter of standard, for example), it's a cakewalk for the malware to hit everyone.

Comment Re:What's wrong with a rake (Score 1) 228

I already have an environmentally friendly, much much quieter leaf mover called a rake. And best of all it is cheap to own and maintain.


And if you have a lot of leaves, buy a cheap heavy tarp. Rake leaves onto tarp. Drag tarp to desired location to deposit leaves. Done.

Not only that, but it's exercise. I'm always amazed at the people who show up at the gym or go running around the neighborhood, but they don't take advantage of natural opportunities for exercise. Instead of buying the leaf blower, buy the rake. Instead of the riding mower or the "self-propelled" push mower, buy a decent reel mower (they are a lot better than they used to be) and run around the yard with it. Instead of buying the power edger, get the manual one and dig. Rather than the rototiller for your garden, dig it up and turn the soil with a shovel. A lot of times you get a decent workout while actually accomplishing something, and you frequently end up using different sets of muscles for different yard tasks, rather than having to come up with an artificial "routine" to try to keep your whole body fit.

And if you say, "But, but... my yard is too big for this sort of thing -- it would take me way too long to maintain it manually." Well, then have a smaller yard. Even if you have a large piece of property, install perennial flower beds, install ground covers that don't require cutting every week (and often excessive fertilizer and irrigation), plant some trees. If you're rich enough to own a large piece of property and pay people to keep it like a golf course, pay a landscape designer to make it lower maintenance and with greater variety than a giant lawn or whatever.

That's actually the real problem behind all the leaf blower noise -- Americans in the suburbs often have giant pieces of property with unnecessary huge lawns and unreasonable expectations that they be kept up continuously as if they were part of a golf course. Maybe we should attack the underlying problem -- like avoiding giant unneeded lawns or getting rid of this notion that any leaves on the ground are bad or "untidy" (they can actually be good fertilizer if they aren't excessive).

Okay, you had me with the first two paragraphs...absolutely, for the overwhelming majority of homes, the "rake and tarp" method is the way to go. One way to assess how much your possessions own you (as opposed to the opposite) is to "count the cylinders". Count how many internal combustion cylinders you have...the higher the number, the more likely it is that you are those cylinders' prison bitch. And, as you say in the second paragraph, it's exercise, which everyone needs...boy do we ever.

But when you say, "Well, then have a smaller yard," uh...yeah, no. It doesn't work like that. You are confusing leaves...which do not come from the ground...with a lawn. Leaves (which fall from trees...FYI on that one) still land on flower beds; the flowers do not have magical force fields to disintegrate the leaves. And you can't rake flowers...which leaves you with only one option. Using a leaf blower!

It sounds like maybe you should get out in the yard yourself and try some of this stuff out, so that you see how it actually works...or perhaps you live in a >1-floor home with no yard to care for, in which case you shouldn't be putting forth your uninformed opinion on these things in the first place?

Comment Re:Volkswagen`cf. Juniper/Fortinet (Score 1) 71

What CEO got fired for the VW emissions scandal? I thought, after a thorough investigation by VW, it turned out to be a couple of rogue programmers acting on their own.

Au contraire...it turned out that the actions went way up the management chain, and indeed CEO Martin Winterkorn stepped down in late September 2015. Google is your friend.

Comment ANALogy (Score 1) 71

A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

Hm. To me, that reads like this:

A spokesperson for the Zeta Beta Tau chapter told El Reg, "This was not a surprise unwanted group buttsex situation but rather a dating faux pas."

This kind of "management authentication issue" IS a backdoor...it's exactly what the term "backdoor" was created to refer to.

Comment Re:On the one hand ... (Score 1, Insightful) 132

On one hand, kudos for being ballsy and doing this.

On the other hand, if you go messing around with the Director of National Intelligence ... well, you should expect some pretty heavy consequences.

And I'm sure they'll find all sorts of trumped up charges to make your life miserable.

Yeah, no kidding...


Yeah, he's a real fucking genius.

Comment Re:Not Zigbee's Fault, either (Score 1) 119

I have done some development (albeit limited) using a Zigbee stack, and this failure has nothing to do with the Zigbee protocol, per se. That "explanation" sounds like some of the project-engineers trying to pull the wool over the eyes of Comcast's management (and Customers).

It has a little to do with ZigBee, since ZigBee as a standard uses 2.4 GHz. Beyond the part of spectrum that ZigBee uses, there's nothing else about the protocol that is a problem here...but there's no such thing as a ZigBee implementation that exists outside the 2.4 GHz public spectrum band.

On the other hand, the issue here is an interesting one. ZigBee's actually a pretty secure protocol for communications, with regard to integrity and confidentiality. But for applications that depend upon availability, it's something that you could jam with a baby monitor, a wifi AP or a cordless phone. I wouldn't expect Comcast to come up with a home-grown solution that was nearly half as secure as ZigBee, and I also can't imagine that it could be worth it to license a piece of spectrum just for their solution; it would cost too damn much. So where does that leave all of us when it comes to this kind of use case?

Comment Bulletproof vest analogy (Score 1) 95

Both Whitehat and Greyhat find that a particular make of bulletproof vest degrades after a year and no longer offers protection. They both notify the manufacturer, who blows them off. Then the paths diverge:

Whitehat: contacts a member of the press and demonstrates the problem for them by putting one of the vests on a mannequin and shooting the mannequin through the vest. (Extra points if he puts a DVD copy of the movie, "Mannequin," inside the vest and shoots a hole in that too.)

Greyhat: contacts a member of the press and demonstrates the problem by shooting people who happen to be wearing the vest in public.

The latter may be a bit better at getting the attention of the press, the public, and the manufacturer, but it's not an acceptable way to accomplish that goal. The ends do not automatically justify the means.
