
Comment Re:Wait, they shipped the private key? (Score 1) 65

This part is actually FUD I think. This particular Dell private key does not chain up to a trusted root CA.

Also - Windows will only install drivers silently that are Microsoft WHQL signed - they are the only ones who sign these drivers, and this key does not chain up to that either.

At most you could sign a driver with this key, and install said driver onto a machine that had the public key already installed - assuming you had local admin as well - and for a user mode driver (like a printer) it will give you a soft warning "are you sure you really want to do this"; for a kernel mode driver it will give you a red "this will potentially harm/wreck this computer" warning.

Yes this is a terrible security problem, but the attack surface is relatively small (none of the Dell PCs I had have this cert - I believe it only gets installed when using the support portal's check my serial/warranty feature).
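An added defender-side check, not part of the comment above: a root CA certificate should never be present on an endpoint together with its private key, so enumerating the Trusted Root stores for exactly that condition is a quick way to tell whether a machine is affected. Store paths and the X509Certificate2 property names are standard PowerShell; the function name is this example's own.

```powershell
# Added example: find Trusted Root certificates that carry a private key on this machine.
# Cert:\LocalMachine\Root and Cert:\CurrentUser\Root are the standard PowerShell store paths;
# HasPrivateKey / Subject / Issuer are standard X509Certificate2 members.
function Get-RootCertsWithPrivateKey {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            Select-Object @{ Name = 'Store';        Expression = { $store } },
                          Subject,
                          Thumbprint,
                          NotAfter,
                          @{ Name = 'IsSelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
    }
}

$suspect = @(Get-RootCertsWithPrivateKey)
if ($suspect.Count -gt 0) {
    # Any hit here is worth investigating: the key could sign certificates that chain to this root.
    Write-Warning "Found $($suspect.Count) root certificate(s) with a private key present:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Output 'No root certificates with a private key were found.'
}
```

Run it from an elevated prompt so the LocalMachine store is readable; any hit is a trust-store anomaly to investigate and remove, not something to leave in place.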

Comment Re:OS/2 is still alive? (Score 1) 262

There's a reason you'd want to emulate an Amiga or a C64 - there are some cool games you can play on it.

One problem with OS/2 is it ran all the same apps that Windows did - other than vertical markets (like ATMs, zOS management etc) OS/2 had the exact same apps Windows does.

Sure OS/2 was more reliable than Windows 3.1 or Windows 95 (when OS/2 Warp shipped), but with Windows NT that all changed.

Comment Re:Robots (Score 1) 284

Even though 12 bucks an hour is above Virginia's minimum wage - there's plenty of research that if minimum wage was tied to inflation it should be around 22 dollars an hour.

I'm genuinely surprised congress doesn't talk about this more often - or as you suggest a guaranteed basic income wage (actually I'm not surprised this isn't a topic) - or at the very least corporate housing like they do in China.

Comment Re:About that 911 thing.... (Score 1) 284

Why not call both? You're acting like the paramedics who rush out there have zero clue how to get a hold of local security.

I work at a university campus - local security work closely with the police and they know to get a hold of them and absolutely rely on them to direct the real paramedics/police to the situation.

Comment Re:Unionize (Score 2) 350

I work for a union shop in IT - and while the organization is under constant attack our contract has a section outlining the rules for hiring outside contractors. We actually have really qualified people working here. I think stability attracts those kinds of people even though we pay less than most places in town.

I've found enforcing the contract relies on catching management in the act, but at least there is a process lowly me can take that the upper upper upper executives take seriously - and if the violation is egregious enough lawyers can get involved, but I've never seen that happen.

Comment Re:There are good reasons for gvt bureaucracy, rem (Score 1) 275

So for anyone who has worked for the government I've seen this scenario play out dozens of times. So what happens when the IT department can't or simply won't keep up with customer demands? Customers outsource those demands - and these days you really can run all of your essential IT services from various cloud providers. There's even a Gartner term for this - "Shadow IT". So the money gets spent anyhow, without any oversight or governance that their central IT department has mandated as a policy. Worse - when the guy who set up said system moves on - the central IT dept often has to take over and manage this now essential system.

Windows XP working as a file server for license plate cameras? Please - that has shadow IT written all over it. Guy needed a file server, the IT guys told him to fuck off (because they have no money or staff), so he rummaged around for whatever piece of shit would power up and used that. And now that it's a national news article - guess what central IT's next project is? If he really cared about IT governance the file server wouldn't be a single XP box, with internal storage. This could have been a VM using some network storage system for FAR less.

These days any IT dept really needs to do what it takes (and that means having a CIO with the political willpower) to make IT keep pace or at least placate these requests in some way. One thing we would do is go ok - your budget, your servers, but we spec them to our standards, they live in our data center, use our storage systems, our backups and our physical/endpoint security.

Comment Re:Written (Score 3, Informative) 86

PCI Compliance? While I agree it's not 100% perfect - having documentation from some compliance officer at your company that you met or exceeded all their baseline recommendations should get you out of hot water if something bad were to happen.

If you work in the medical field - there's HIPAA - which again most hospitals, clinics and labs probably have a compliance person on staff that is supposed to set policy on this sort of thing and audit systems for compliance.

If you google around there's a standard for every single business/market you can think of.

Comment Re:Even more pathetic than that (Score 1) 193

That's a pretty big deal when you're on the hook for actually supporting what you release - at that volume - and maintaining compatibility.

I was working at Adobe ages ago on testing Vista and they let us know the app compatibility toolkit shims (which you can google - it's a rather fascinating framework) they were putting in for Acrobat Reader 3 and 4 - to work around a window sizing issue. Reader 3 originally ran on Windows 3.1 and Windows 95 and Reader 4 was really only intended for 95/98/NT/2000 - but both products work just fine on Windows Vista and Windows 7 - if for some insane reason you don't want to upgrade.

I dunno - currently with all the applications we run on Centos, RHEL or Suse - if the vendor says it has to run on xyz - I've found that upgrading and patching is a somewhat perilous process.

Comment Re: Oracle's monopoly? (Score 1) 457

APIs are copyrightable.

I think if this is true - you have to wonder what the statute of limitations is on this concept. One could easily argue that Java, C#, AS were all inspired by C/C++ - which was developed by AT&T Bell Labs. I'm sure there's some lawyer who could craft a case that they need to pay royalties now.

Comment Re:More proof... (Score 1) 60

To change the command line in a Microsoft signed patch you'd have to edit the patch manifest file (big xml file with installable rules, installed detection rules, etc etc) - which would break the code signing cert on that package.

Again - by default the Windows client only installs MS signed packages - you can set a policy to install packages signed by your own code signing cert, but that's not the default behavior (that action requires domain or local admin).

To bypass that you'd have to exploit MS's "authenticode" checking system, or have the signing password/key for MS's code signing cert or your Enterprise's code signing cert. If any one of those 3 things is a thing - you have more serious problems anyhow.

Comment Re:More proof... (Score 1) 60

This article is honestly a lot of fud - it relies on lazy Windows admins (and yes I admit there are far more of them around than lazy unix/linux admins).

Look at the attack vector - you can't just change where Windows checks for updates without local admin, or modifying the policy for the domain the machine is bound to - and you can't update the cert store for the same reasons. Yes privilege escalation attacks exist, but if someone has local admin on your Windows box - why bother hacking the Windows update service? A MITM attack would have to either exploit some bug in Windows certificate trust, or have local admin on the box - and if you have local admin why bother hacking Windows update.

And then MITM'ing the sync between WSUS and Microsoft - say you did leave it insecure - and you do download hackyourshit.exe, but it's not signed by a root CA your clients recognize - the actual endpoints still won't install it - even if it did come from your update server. WSUS won't deploy non-MS signed updates out of the box fwiw. SUP (System Center's Software Update Point) will, but only if they are signed by a trusted root CA and the vendor is configured on the trusted list on the site server itself.

These guys might as well have written an article about hacking the SCCM Management Point and injecting rogue policies into its clients - it's about as feasible tbh (ie not really).
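An added audit script, not part of the comment above, for the two client-side settings the comment turns on: where the Windows Update client is pointed (the WSUS URL) and whether it has been told to accept updates signed by non-Microsoft publishers. The registry paths and value names are the documented Windows Update policy keys; treating a plain http:// WSUS URL as the "insecure" case, and the function name, are this example's assumptions.

```powershell
# Added example: audit the local Windows Update client policy for the conditions discussed above.
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) are the documented
# Group Policy locations for WUServer, UseWUServer and AcceptTrustedPublisherCerts.
function Get-WsusPolicyAudit {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path $policyKey 'AU'

    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue

    $findings = @()

    if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
        # Assumption for this example: a plain-HTTP WSUS URL is the "insecure" sync the comment refers to,
        # because client<->WSUS traffic can then be read or altered on the network path.
        if ($wu.WUServer -match '^http://') {
            $findings += "WSUS URL '$($wu.WUServer)' uses plain HTTP; point clients at an https:// URL."
        } else {
            $findings += "WSUS URL '$($wu.WUServer)' uses HTTPS."
        }
        # Non-default setting that widens which signers the client will accept.
        if ($wu.AcceptTrustedPublisherCerts -eq 1) {
            $findings += 'AcceptTrustedPublisherCerts=1: client accepts updates signed by any certificate in the Trusted Publishers store, not only Microsoft-signed ones.'
        } else {
            $findings += 'AcceptTrustedPublisherCerts not set: client only installs Microsoft-signed updates (default).'
        }
    } else {
        $findings += 'No WSUS server configured by policy; client uses Microsoft Update directly.'
    }

    # Writing these keys needs local admin, so the ACL is the other thing worth a glance.
    $acl = Get-Acl -Path $policyKey -ErrorAction SilentlyContinue
    if ($acl) {
        $findings += "Policy key owner: $($acl.Owner)"
    }
    return $findings
}

Get-WsusPolicyAudit | ForEach-Object { Write-Output $_ }
```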

Comment Re:My big hope (Score 2) 321

Learn to PowerShell?

To read a variable:

Get-ChildItem Env:

and to set


Even doing this from cmd.exe isn't all that hard - in fact it's just like ms-dos was:

SET variable=string


echo %variable%

Seriously - this hasn't changed in 34-35 years.
