
Comment: Re:About time... (Score 1) 150

by StikyPad (#49148471) Attached to: Invented-Here Syndrome

Well there must be a balance between code reuse and custom solutions. To use the trusty car analogy: a car manufacturer doesn't create a new battery for every vehicle (or, indeed, make batteries at all). Unless it's top end, they don't create a different engine for every car, or a different transmission.

If you're making top-end software, then sure, spare no expense. But most projects will suffice just fine using existing libraries. Knowing when to go third party and when to stay in-house is a skillset that a good lead will have.

CIA Wants to Increase Digital Spying Capabilities

Submitted by StikyPad
StikyPad (445176) writes "CIA Director Brennan wants to increase cyber capabilities. His plan calls for the creation of a new branch within the CIA, alongside existing operations and analysis branches, to support cyber. It's unclear to what extent the program would duplicate or expand capabilities already held by the NSA, but Brennan clearly wants to bring some of those capabilities in-house. If you find this concerning, you're not alone. The plan is so controversial within the agency that the head of the National Clandestine Service recently resigned in protest, taking several high-ranking officials along with him. This, in the same week that the Director of the NSA publicly renewed the call for backdoor encryption."

Comment: Re:Dear Michael Rogers, (Score 1) 406

by StikyPad (#49128219) Attached to: NSA Director Wants Legal Right To Snoop On Encrypted Data

Why don't you use some of those billions of dollars used to build those mega data centers and spend them on more undercover agents and actual investigation, instead of simply sifting through everyone's e-mail looking for interesting keywords?

To be fair, the NSA's mission is SIGINT, not HUMINT. I do agree that intelligence gathering needs to be more targeted though. The only people who can change that are us, and it requires a combination of technological and political changes: End to End Encryption for Everything using a global PKI system, and explicit prohibitions on collecting bulk data, or accepting bulk data from other countries, or purchasing bulk data from the private sector.

Comment: Re:Dear Michael Rogers, (Score 1) 406

by StikyPad (#49128043) Attached to: NSA Director Wants Legal Right To Snoop On Encrypted Data

It isn't up to the NSA to set the balance, the NSA job is to push the balance one way.

That's true to some extent, but every member of the military -- which runs the NSA -- and sworn officers of other agencies take an oath to support and defend the Constitution of the United States first and foremost, and to disobey unlawful orders, in the military at least. (Apparently they don't instill this value in other agencies, but it's well taught within the DoD.)

Now, is asking for more access unconstitutional? Probably not. But it's impossible to compromise security for just the good guys. Compromised security is compromised security, and that makes all of us less safe, which goes against the mission.

Comment: Re: Any ideas how long these exploits have existed (Score 1) 144

The KTH cannot exist, because the KTH can't possibly recognize all instances of "a compiler," and/or "a login." If it could, it could be used to solve the halting problem.

Therefore one need only evade detection in order to produce a clean binary from an infected compiler, which should, in practice, be trivially done by obfuscating the code. With obfuscation, detection would have to rely on algorithm detection, but that's easily avoided as well, much to the bane of antivirus software.

But, for the sake of argument, even if KTH could reliably infect all compilers, disassemblers, and debuggers produced with an infected compiler, it would still be detectable through dumping memory and/or debugging, because lying about the contents of memory or the step of execution takes time, and you can't lie about how long it takes to complete an operation. You could try to hide it by throwing in NOOPs, but you can't lie about it, and any deviation between the number of actual and expected operations to complete a task would raise a huge red flag. In fact, if KTH existed in the wild, the effects of its existence would have been detected by now through performance testing and/or timing exploits. The fact that unexplained universal slowdowns haven't been observed in the wild, and that timing exploits do in fact work seems to be conclusive evidence that KTH does not exist.

Security is an arms race to be sure, and I would bet my life that there are, and will always be, undetected hacks in the wild, but there is no such thing as an *undetectable* hack. If someone is looking, they can find it. Even the "Equation" turned up once someone bothered to look.

Comment: Re:Stasi Tech? (Score 1) 129

by StikyPad (#49091003) Attached to: Gadgets That Spy On Us: Way More Than TVs

voice processing and searching on the scale of some of the applications such as SIRI require centralized processing

Only in the short term. Longer term, it will be doable on-device. Of course, a server farm/supercomputer will always provide superior processing capability, but at some point it becomes "good enough" on less capable devices.

Comment: Re:No surprise... (Score 2) 114

by StikyPad (#49089779) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk

FIPS may not be a joke, but most government networks are, especially, but not limited to, those outside of the DOD and IC. They are (in large part) administered by people who follow prescribed procedures, not people who understand what they're doing or why. While some "rogue" administrators will implement best practices beyond those they're required to do, they are the exception, not the rule -- especially admins who actually understand what they're doing rather than overestimating their own competence, which is its own problem. One need only look at the recent public government network compromises to see the consequences of these security procedures, and then apply the iceberg principle -- for every compromise that's seen, there are almost certainly many more that go unseen.

And of course, all the best technical precautions in the world can't protect you from social engineering, insider threats, and/or 0-day exploits. If we've learned nothing else in the past year or two, it's that the deck is stacked very highly in favor of attackers, especially targeted attacks by determined state actors.

Given the above, and the high-profile targets that government networks represent, I would be surprised if most, if not all of them, have been compromised. We like to make a lot of noise about China attacking us, but we almost never mention the country known for the "best" malicious software, which is Russia. Google "Turla," or "Uroboros," for example, and they're hardly mentioned in popular media, let alone in official statements. I suspect that the Russians are either as good as us at avoiding detection, that we just don't want to rattle any sabres by mentioning them publicly, or a little of both.

I think Kaspersky was spot on when he said: "this war can't be won; it only has perpetrators and victims. Out there, all we can do is prevent everything from spinning out of control. Only two things could solve this [permanently], and both of them are undesirable: to ban computers -- or people."

http://www.spiegel.de/internat...
