Comment: Biggest problem in IT security: ID-10-T errors (Score 4, Insightful) 129

by Stolpskott (#47499009) Attached to: Snowden Seeks To Develop Anti-Surveillance Technologies

Securing the technology is one thing - that in itself will be a huge job, because depending on how far you want to take it, you can end up needing to sandbox each application and harden each layer of the communication stack.
You might need a complete new protocol ecosystem based on only systems which are open source (not just because I like open source, but so that everything can be audited and peer-reviewed at the code level), built with compilers which themselves are not only trusted but also auditable as matching their published source code, and using communication protocols which are themselves open source and audited.

Put all of that together, and you still have the biggest security/privacy threat to deal with - the ID-10-T (aka the user sitting at the computer). Until users of a computer system are educated - not necessarily to the extent that they can themselves audit source code, but at least to the point where they can recognize compromised behaviour of a computer system - then they will always be the weak link in a security/privacy model for IT systems. Getting away from the Windows/local admin culture would be a huge step, but until the most idiotic and incompetent user of a given computer system is either isolated from the ability to do anything or educated to prevent them doing dumb stuff, the computer they use must be considered compromised and all users of that computer must be considered at risk.

Comment: Re:No excuses left (Score 4, Insightful) 388

by Stolpskott (#47482139) Attached to: Verizon's Accidental Mea Culpa

Too big to fail, too arrogant to concede, too greedy to care. This news is all the more reason to regulate.

But, but, but... regulation is the antithesis of the Capitalist way that our republican Democracy has weaned its children on since it was formed!!
I do tend to agree though - regulation of ISPs is probably the only way to deal with this.
Capitalist theory says that if an incumbent merchant/provider is too inefficient to provide a good service or if another potential merchant/provider thinks they can do a better job for a lower price, then that new provider will step in and provide said service. The threat of that is what keeps the incumbent lean and competitive, and the result is a competitive environment that is generally good for the consumer and rival providers seek to offer better deals to entice custom away from their competitors.
However, that theory assumes that there is a very low or non-existent barrier to entry into that competitive marketplace. Given the initial infrastructure setup costs and, in many cases, exclusivity contracts between providers and the municipal areas which would present the profits to drive services out into more marginal areas, the barriers to entry into the Tier 1 ISP market are prohibitive, to the point where you need to be a corporate entity the size of Google to be able to reasonably make the capital investment required.
As such, the local markets for each ISP more closely resemble non-competitive monopolies with the illusion of choice being provided by third party suppliers who typically have to buy access to the resources from the incumbent monopoly - they get wholesale prices, and the consumer sees some small price reductions if the third parties can make enough money to operate by charging the consumer slightly less than the discount they got from the incumbent. But fundamentally, everything is still controlled by that original monopolistic provider, so services suck, progress is stifled because there is no incentive for change, innovation is discouraged, and the level of capacity/reliability is never going to be any more than "just barely enough so that we can maximise our profit margins".

Comment: Re:Final Objective? (Score 2) 76

by Stolpskott (#47480995) Attached to: The Hacking of NASDAQ

'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

Ummm to make money or destabilize our economy?

Makes one feel good that you are the head of the Intelligence Committee.

The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at what areas the bad guys had access to and where they went. In a private home, there is the external alarm - once that is down, you have no way of knowing where the guys went unless they leave a physical trail. In this case, while it might be expected that Nasdaq would be the IT security equivalent of a bank, they apparently were the equivalent of a home owner who left the alarm deactivation code on a piece of paper taped next to the alarm console.

Let's try a few plausible options, based on the article. Determining the probable source of the hack/attack will help there.
The core of the malware used was a 0-day exploit kit that had previously been attributed to a team within the Russian FSB's electronic warfare group, suggesting that the Russians may be behind this. At the approximate time the hack took place, the Russians were combining their two domestic stock exchanges into what they planned as a single super-exchange to rival Nasdaq, NYSE, LSE in London and the Hang Seng in Hong Kong. Probably a dual-purpose reason being (a) increasing international prestige and economic diversification, and (b) preparation for pressurising large Russian companies whose stocks were listed on international exchanges to draw back and list exclusively on the new Russian exchange, thus reducing the potential leverage and influence that US and international governments would have over those Russian companies (thinking sanctions, as with the current situation in Ukraine). For the Russians therefore, a plausible action would be to hack the Nasdaq exchange servers and copy the software code that powers the exchange, so that they can use it or modify it for their own exchange - believe it or not, the code for the Nasdaq exchange is generally considered to be world-beating, so that would be a viable target.

Second, the CIA apparently found some information in the real world suggesting Chinese connections - the Chinese Peoples' Liberation Army certainly had electronic warfare capabilities, and conceivably might plant an electronic bomb in the Nasdaq systems for use at a later date if it proved convenient. Equally, with the Chinese approach to IP and industrial espionage, hacking to steal the code in a similar way to the Russian scenario is possible.

Both of those governments' bureaucrats are often known to be corruptible and have links to organised crime, so there is another possible source for the attack, with the goal of either blackmailing Nasdaq or gaining access to the not-yet-public information stored on the compromised systems to give them advance knowledge of information that would move stock markets and prices (financial gain).

In determining the source of the attack, the origin of the malware used is not the greatest indicator - malware kits can be copied as easily as any other software, so either an actor within the FSB may have sold a copy to someone, or another hacker may have hacked a completely different system infected with that malware kit and downloaded the elements of the kit they could find, reverse-engineering the rest. So just because the FSB are credited with creating a previous version of this specific kit does not mean they are involved.

Lastly, looking at the capabilities of the payload may give some insight into the objective - a malware kit with a keylogger and dial-out facility to a C&C server is generally not going to be paired with a logic bomb to fry the infected system. So a system with a keylogger will be used for industrial espionage, while a logic bomb is an offensive, destructive weapon. The NSA's original analysis of the malware apparently indicated all sorts of interesting/terrifying capabilities. Given their extreme interest in surveillance of computer systems, if they chose to deliberately scare-monger and make this breach out to be more serious than it may otherwise have seemed, they could use that as leverage to expand their intelligence remit to be the gatekeepers of data security and cyberwarfare within the US - expanded influence, and also a much more free hand to conduct their own domestic surveillance. Plus, it is definitely conceivable that they would already have laboratory copies of the FSB malware kit that they could use when hacking Nasdaq.

So, there you have 4 other possible actors and objectives:
Russia: Domestic economic control over large businesses to reinforce geopolitical strength, and industrial espionage.
China: Industrial espionage, or the future possibility of electronic sabotage.
Organised crime: Extortion or industrial espionage for financial gain.
NSA: Empire-building.

This is not to suggest that any of those groups actually did do this, or that if they did that they did it for the reasons I have suggested. But it does indicate that there are a lot of possibilities out there, and Mike Rogers is a politician, so he is not going to start slinging mud at someone unless they give him a good quote as justification.

Comment: Re:Chicago Blackhawks too? (Score 1) 646

by Stolpskott (#47271195) Attached to: Washington Redskins Stripped of Trademarks

What do you call people from India, Pakistan, Bangladesh, Afghanistan and that region?

Being from the UK myself, I asked some of my American colleagues who also work here ("here" being Sweden... more about that in a moment).
The response from two of the Americans was that they had no idea what to call people from that region, as they had no real idea of where those countries were. The other 3 promptly came up with "Terrorist", and were apparently not joking, judging by the lack of humour in voice or demeanour.

Anyway, regarding Sweden, this country currently has a degree of nationalist racism against "Invandrare" - effectively immigrants, but used as a catch-all for those immigrants who are obviously not Swedish, have poor language skills or education, and typically who come from near/middle eastern countries or central/eastern Europe, but Asians can also be included. Broadly speaking, immigrants from other Nordic/Scandinavian countries are ok, and immigrants from the UK or USA are loved unless they are complete assholes.
Historically however, there has never been a huge problem with racism, particularly against "coloured" people - and in this sense I use the term "coloured" to refer to anyone who does not have the typical Nordic/Scandinavian/Aryan light skin/light hair/blue eyes combination, not specifically people of African descent. So up until very recently (10-20 years), it was possible to buy "negerbollar" - literally "Nigger Balls" - which are a small chocolate-based pastry typically dusted in coconut, and many people still call them negerbollar without feeling any discomfort or embarrassment. Now, though, their official name is "chokladboll" to avoid any problems.

Comment: Re:Internet (Score 1) 248

That's part of the problem of expanding into other countries, you have to either accept their rules or stay out. Consider Google or Yahoo in the case of China...

Compare to an example of a court order that forbids a third party railroad line from transporting a particular product into the country.

This is the part that I have a problem with - if a Canadian judge wants to mandate that all discussions of the health benefits of eating less Maple Syrup are blocked in Canada, I have no problem with that. If I live in Canada or if I live in China, then I expect what I see on the Internet to have to comply with local laws, and while I expect censorship in both Canada and China, I expect a hell of a lot more of it in China.
The precedent it sets, though, could allow a fundamentalist Islamic cleric to order Google to not index (and therefore censor) discussions about the interpretation of Islamic Sharia law so that his interpretation is dominant, not just in his country, but around the world as well.

This instance of the problem - a couple of embittered former employees of a company selling knock-off products - is not a bad idea. While I would like to know that they used to sell these goods, if I am looking to buy said equipment, I do not need to be able to see the actual site they were using as a sales portal. But the precedent it sets is a dangerous one.
Consider (not trying to derail the topic, honestly) the recent EU ruling that establishes the "right to be forgotten". If you look at it as the right for a woman who, as a dumb teenager, posted naked pictures of herself to show off a new tattoo, who now wants to see those pictures fade into obscurity, then it is a good thing. But many of the requests Google are receiving are from people who want to hide criminal convictions or other information which can legitimately fall under the heading of "in the Public Interest to know", so while Google can use that as a way to refuse the request, it shows that "good idea" precedents are often used to justify "bad idea" changes.

Comment: Re:Could the Tesla circle jerk be any more open? (Score 0) 455

by Stolpskott (#47270753) Attached to: NADA Is Terrified of Tesla

From my perspective, the most interesting thing about this is not the pro-Tesla/Elon Musk choir, or the Automotive lobbying juggernaut against it, but the fact that this is happening in America (statement of the bloody obvious, I know).
America, being the home and religious temple for Capitalism - Capitalism being an economic system where, if a new supplier in the market can provide more desirable products or with a more efficient/cheaper supply chain, that new supplier can gain a foothold in the market and offer their products/services in competition with the established actors, without political interference in the process.
The capitalist approach would be for the authorities in America to say to Tesla "You think you have a product which customers will want, which they will buy, and which will not blow up in their faces? Power to your elbow, go ahead and sell to Joe Public*!"
Instead, allowing the established automotive manufacturers to try and dictate "we sell through our Dealerships, they are a 'Good Thing' so you need to do the same, so that we are all doing things the same way" smacks of something. I do not want to call it Socialism, but I cannot think what else to call it, because even collectivist Keynesian Capitalism does not really cover it.

* With the caveats that applicable advertising laws and standards are met.

Comment: Re:Internet (Score 5, Insightful) 248

Or as a car analogy: You don't tear out the road when one person is driving recklessly.

The car analogy would be accurate if the order was for the internet to be removed. In the Google case, it is more like "Someone is using a road to drive recklessly in Arse-end-of-nowhere, Ontario, CA. People who go to this God-forsaken place usually have a paper map made by Company X, so we are ordering Company X to remove Arse-end-of-nowhere from their maps."

Note, I am NOT suggesting that Ontario is the Arse-end-of-nowhere, but I do find it very troubling that a judge half way around the world from me thinks that my access to information on this matter should be curtailed. If the content is so objectionable, then the web host should be ordered to take the site down. As the plaintiffs in this case have named two Google entities as the non-party entities targeted for action, and the defendants as the individuals responsible for the actions that led to the case being brought, I see no action being taken to order the hosting provider to do anything.
If the rationale behind that lack of action on the hosting provider is that the hosting provider is outside Canadian jurisdiction, then the same rule must also apply to Google Inc., who are being ordered to comply with this ruling.

As a European, regarding the "right to be forgotten", I think it is a potentially good idea in some circumstances which is let down by dumb-assed execution opening the door for abuse by people and other entities looking to remove information of valid public interest.

Comment: Depends what you consider the "start" of the day (Score 1) 141

by Stolpskott (#47252809) Attached to: I typically start my workday ...

Out of bed by 5:00, because Monday to Friday I am on-call for "the shit hits the fan" stuff at the office from 5:30. I then start doing actual work at 7:00. For weekends and vacations, I am on call from 07:00. And yes, I am paid a lot extra for being on call :) One of the benefits of unionization!

Comment: Re:Too expensive for the goofiness (Score 1) 85

by Stolpskott (#47252789) Attached to: Shawn Raymond's Tandem Bike is Shorter Than Yours (Video)

Larger wheels do not make obstacles "easier", at least when it comes to anything you'll encounter while riding on paved or hardpack surfaces like this tandem is intended for.

The most obvious thing I can think of that you will encounter is a road-side kerb.
The physics of the situation means that, if the impact point of your wheel on the obstacle you are trying to get over is greater than or equal to the radius of the front tyre, then you will need to take action (lifting the front end of the bike) to get over the obstacle. In practice, you will have to take action for objects that are smaller than the radius, because the force required to mount the obstacle increases dramatically, increasing beyond the tyre and rim's ability to maintain structural integrity as the height of the obstacle-tyre impact point approaches the tyre radius.
As someone who has ridden city bikes with small radius wheels and also mountain bikes with 29" rims, I definitely appreciate the ride quality differences that come with tyre properties beyond the wheel radius, but the ride is much smoother anyway with the larger rims, simply because the impact height of the obstacle is so much less than the diameter of the wheel.

Comment: Am I just evil, sadistic, or creative? (Score 1) 199

by Stolpskott (#47154693) Attached to: To distress my enemies, I'd force on them ...

Personally, if I was going to inflict ads on my enemies (as opposed to, for example, repeatedly stabbing their genitalia with a fork until they fall off), I would probably go for pop-over (always on-top, of course) ads that claim to be either security alerts or flashing advice that they have won something, and all they have to do to claim their $1 million is click on the ad, which then move when you try to click on them.

Comment: A Toastmasters manual (Score 1) 352

by Stolpskott (#47007121) Attached to: Ask Slashdot: What Should Every Programmer Read?

ok, this is more about what programmers should "do" than what they should "read". But for anyone involved in working as part of a team or dealing with either managers or subordinates (holy crap, I have just described everyone not working completely alone), I strongly recommend going to a few Toastmasters meetings.
No matter what programming language you use, development style, methodology, or approach, programmers today spend more time communicating with other people than they ever have done before.

Toastmasters - both in terms of giving speeches and also performing leadership tasks based on running the meetings - helps to improve communication and leadership skills (dramatically, in most cases).

If you are ok with being the anti-social loner who sits in the corner churning out code, and who thinks of communication with others as "one grunt for no, two for yes", then you need not bother. But for everyone else, it is a great place to go.

Comment: MS shop finds that MS has a lower TCO? News@11!! (Score 1) 589

by Stolpskott (#46926699) Attached to: Microsoft Cheaper To Use Than Open Source Software, UK CIO Says

Hampshire CC is at least a partially Microsoft environment, as their SAP ERP system is hosted on SQL Server (M$ have a case study from 2012 on the migration from Oracle/Unix), so their IT admins probably already have significant experience with the administration of MS packages.
http://www.microsoft.com/cases...

Based on the wording of their "Hantsweb" site detailing their software standards, the standard desktop OS is Windows 7, with Vista/XP being phased out or supported on a "best effort" basis and other operating systems not allowed to connect to the domain, so with the exception of any Unix admins left who used to look after their old database servers for the SAP environment, they are an exclusively MS shop possibly with some iOS expertise so that they can look after iPhones and iPads. They do not even support non-IE web browsers, having standardised on IE8...
http://www3.hants.gov.uk/itsch...

On that basis, the cost of user training and admin training for non-MS systems plus the added complexity of a platform change within the organisation is going to make the TCO of future MS solutions lower than an open-source alternative, especially if they get a good discount in return for another positive case-study.

The open source options may well be a better technical fit, once the pain of a platform migration is out of the way, though.

Comment: Re:Uhm... since when are non-competes a bad thing? (Score 1) 97

by Stolpskott (#46722729) Attached to: MA Gov. Wants To Ban Non-Competes; Will It Matter?

Don't they stop employees from taking any kind of IP and running away with it, which would basically kill the industry?

No, it stops the "competing" company hiring employees of the other company. The standard employee contract in most companies typically includes a clause that everything the employee does on company time and hardware belongs to the company, and that if/when the employee leaves they acknowledge that the IP to all work performed or used by the employee stays with the company and cannot be taken, copied or used by the employee once they leave.

Non-competes limit the free flow of employees (resources, if you like) around the marketplace. If a company feels they need to justify a non-compete by citing IP concerns, then they are being disingenuous. Sorry, I mis-typed there... I meant to type "they are lying through their ass".

Comment: Re:That's pretty stupid (Score 1) 135

by Stolpskott (#46703291) Attached to: A 2560x1440 VR Headset That's Mobile

I was on the fence about buying a DK2, but the Facebook purchase convinced me for sure I should do so - because I want to own and program against a prototype of something that is probably going to deliver.

It's kind of dumb to back up a company that is not only still catching up to DK1, but also lacks the financial resources to even keep up with further Oculus advancement going forward.

There's a reason why Facebook bought Oculus and not one of the other VR wannabes. They are years behind.

As for "interference", what the hell are you talking about? There's been none so far, only speculation - the only known thing about interference is they have said there will be none.

I think the thing that has most people worried about the Facebook purchase of Oculus is the difference in emphasis between the two companies - Oculus are/were looking to bring a reasonably-priced viable VR display to the market. Facebook are a social media powerhouse which makes revenue by monetizing its users' details for advertising purposes. There is very little obvious synergy there, meaning it is not clear which direction the Facebook-piloted Oculus ship is going to go, but very few businesses lay down this kind of money and just let things carry on as they are, so there will almost certainly be some form of redirection.

If Oculus had been bought by a VR competitor, the direction would be largely unchanged; if the purchaser was an OS company (Microsoft, for example), the approach would probably be one of monitor-replacement for the Xbox and also for the Windows OS; other buyers would have their own agendas, and so on. If the purchaser was Google, the synergies are again less apparent and the deal would probably be greeted with some skepticism laced with hope/expectation for what improvements might come when paired with Google's resources, but the question is - what is Facebook doing at the moment that makes a VR display the last piece of the puzzle for a killer app? VR Social Media? (Would not really work if the interaction is real-time, as all you will see are loads of people with Oculus headsets on. Not very social...)

Comment: Betteridge's Law in effect... (Answer = No) (Score 4, Insightful) 156

Journalists (as the world's professional content creators) versus Bloggers (the world's amateur - sometimes very much so - content creators) are similar in the same way that the guy hacking together application code in his bedroom in his spare time is the same as the salaried analyst programmer employed full time to do that.

They both produce content, and the amateur may produce content which would be considered of an acceptable standard by the professional. But the average amateur produces content which is of a much lower standard than the average professional (no, I have no specific citation to prove that, other than my own experience of working with both types on projects).
