
Comment: Re:Not exactly like Superfish (Score 1)

You have to follow the money.

User doesn't update. User gets hacked. How much did user cost Samsung? Nothing.

User updates. Drivers stop working. User calls Samsung tech support. Possibly, user gets told to restore the machine, costing the user all of their data. User posts bad reviews.

The economy of the matter is that sometimes the drivers mismatch (I'm not sure why this happens) or otherwise fail to work properly. Samsung has very little influence over what drivers get pushed through the update mechanism. When the drivers don't work, it costs Samsung money.

When I worked at Check Point, someone there used to joke that Check Point is in the connectivity business. People know you cannot connect to the Internet without a firewall...

The truth of the matter is that there is no trade-off between security and usability. An unusable security device will get turned off by the user, resulting in less security. Usability is as important a driver to security as avoiding buffer overruns. Obviously, at least as far as Samsung is concerned, MS isn't doing a good enough job on that front.

Shachar

Comment: Not exactly like Superfish (Score 2)

This is not malicious. It is stupid and ignorant, but not malicious.

This reminds me of when someone got Verisign to issue a signed certificate saying "microsoft.com". Clearly Verisign's, and not MS's, fault.

It turned out Microsoft could not issue a revocation, because Internet Explorer does not check CRLs. MS's fault, right? Wrong. They were not testing CRLs because Verisign would not bring up the web server that issues them, causing each and every SSL connection to time out. MS preferred, reasonably IMHO, to be insecure over not working.

Shachar
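The trade-off described in the comment above (an unreachable CRL distribution point, and a client that must choose between accepting the certificate anyway or refusing to connect) is easy to see in code. The following is an added example written for this page, not code from the thread or from any vendor: it models a CRL as a small dataclass rather than parsing real X.509, omits CRL signature verification, and uses a made-up issuer name, serial numbers and CRL URL. It runs the same revocation check under a "soft-fail" (fail-open) and a "hard-fail" (fail-closed) policy against three constructed fetchers: one that returns a current CRL, one that times out, and one that replays a stale CRL from before the revocation.

```python
"""Revocation check under fail-open vs fail-closed policy.

Added example; the Crl structure, fetchers, issuer name, serials and URL
are constructed stand-ins, and CRL signature checking is deliberately
left out to keep the policy decision visible.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Set, Tuple


class Policy(Enum):
    SOFT_FAIL = "soft-fail"   # CRL unreachable or stale -> accept the cert
    HARD_FAIL = "hard-fail"   # CRL unreachable or stale -> reject the cert


@dataclass
class Crl:
    """Simplified CRL: issuer, validity window and the revoked serials."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)


class CrlUnavailable(Exception):
    """Raised by a fetcher when the distribution point cannot be reached."""


Fetcher = Callable[[str], Crl]


def check_revocation(issuer: str, serial: int, fetch: Fetcher,
                     policy: Policy, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for one certificate serial."""
    try:
        crl = fetch(issuer)
    except CrlUnavailable as exc:
        if policy is Policy.SOFT_FAIL:
            return True, f"CRL unavailable ({exc}); accepted under soft-fail"
        return False, f"CRL unavailable ({exc}); rejected under hard-fail"
    if crl.issuer != issuer:
        return False, "CRL was issued by a different CA"
    if serial in crl.revoked:
        # A listed serial is revoked even if the CRL itself is old.
        return False, "serial is listed in the CRL"
    if now > crl.next_update:
        # Stale CRL: an attacker who blocks fresh downloads can replay one
        # published before the revocation, so its silence proves nothing.
        if policy is Policy.SOFT_FAIL:
            return True, "CRL past nextUpdate; accepted under soft-fail"
        return False, "CRL past nextUpdate; rejected under hard-fail"
    return True, "serial not listed in a current CRL"


# ---- constructed sample data (hypothetical issuer, serials and URL) ----
NOW = datetime(2015, 3, 1, tzinfo=timezone.utc)
ISSUER = "CN=Example Root CA"
GOOD_SERIAL = 0x1001
STOLEN_SERIAL = 0x1002   # the certificate the CA has since revoked

CURRENT_CRL = Crl(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6),
                  {STOLEN_SERIAL})
STALE_CRL = Crl(ISSUER, NOW - timedelta(days=30), NOW - timedelta(days=23),
                set())   # published before STOLEN_SERIAL was revoked


def reachable(_issuer: str) -> Crl:
    return CURRENT_CRL


def timed_out(_issuer: str) -> Crl:
    raise CrlUnavailable("connect timeout to http://crl.example.test/root.crl")


def replayed_stale(_issuer: str) -> Crl:
    return STALE_CRL


def run_scenarios() -> Dict[str, bool]:
    """Map 'fetcher/policy/serial' -> accepted, for every combination."""
    results: Dict[str, bool] = {}
    fetchers = (("reachable", reachable), ("timeout", timed_out),
                ("stale", replayed_stale))
    for name, fetch in fetchers:
        for policy in Policy:
            for label, serial in (("good", GOOD_SERIAL), ("revoked", STOLEN_SERIAL)):
                ok, _ = check_revocation(ISSUER, serial, fetch, policy, NOW)
                results[f"{name}/{policy.value}/{label}"] = ok
    return results


if __name__ == "__main__":
    for key, accepted in run_scenarios().items():
        print(f"{key:30} {'accept' if accepted else 'reject'}")
```

The rows worth looking at are "timeout/soft-fail/revoked" and "stale/soft-fail/revoked": under soft-fail both accept the revoked certificate, which is exactly the outcome the comment describes, and an attacker who can block or delay the CRL download gets it for free. Hard-fail rejects in those cases but also rejects the legitimate certificate whenever the distribution point is down, which is the usability cost the comment says Microsoft chose not to pay.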

Comment: Sue them for defamation (Score 1)

Or is it slander? I'm not a lawyer.

In essence, these sites claim that your site is malware/spam. This seems to me to be an actionable claim.

Furthermore, winning such a court case would also result in companies not automatically listening to those falsely reporting, or placing a proper appeal process into their blocking procedures.

Shachar

Comment: Re:so what about all the *other* stuff? (Score 1)

It does have a domestic function, but I suspect that's not what you meant. I thought it was implicit in my reply, but here it is explicitly: The NSA does not have any domestic spying function, charter or legitimacy.

Shachar

* By "spying", I mean data collection. Analysis of otherwise legally obtained domestic data is where I'm not sure where I stand. On the one hand, letting a military oriented organization perform police work (and vice versa, e.g. SWAT teams) leads to exactly the sort of bad behaviour we are all glad might soon be over. On the other hand, developing this huge organization specializing with data analysis, and then not using it when you need to seems like a waste.

Where things stand today, where the overstepping is so huge, I understand people's reaction in saying "no, do not let it do anything domestically". Then again, if we were to start from scratch, I could see a function for it as an operational arm carrying out search and computer related eavesdropping warrants for the FBI.

Like I said, I'm not sure where I stand on this.

Comment: Re:so what about all the *other* stuff? (Score 4, Interesting)

No. It does not all die.

First, please remember that the NSA is a spy agency. So long as their targets are legitimate (more on that in a second), they are expected to do everything within their powers to get to it.

Subverting the standards was a low blow, but as the ol' Tennessee saying goes "fool me once.... shame on... you?". Of course, by the time those standards were drafted, the standards body should have already known better (selling Enigma based encryption devices to foreign countries well into the 70's, anyone?). I'm hopeful, however, that we'll get spared "third time a fool".

As for the other activities, well, this is how spying gets done. That is how you spy on people in this day and age. With all of the justified criticism of the NSA, it would still be bad if they couldn't spy at all. They do, in fact, have a function to fulfill, and it is a function that needs fulfilling.

Circling back to who the targets should be. Spying against friendly foreign country leaders is not against the law, or even, as far as I understand it, against the NSA's charter. It is an extremely foolish thing to do, but I don't think changing the law is the way to handle it.

Shachar

Comment: Re:israel? (Score 1)

100s more stories on this

Why don't you pick ONE that is actually about an actual Israeli company actually backdooring its own products for the Israeli government (or whatever)?

Because that was and is your claim, and neither of the two stories you linked discuss that. The first discusses Skype setting a backdoor, but does not mention Israel in any way or form (and even if it did, Skype is not, and has never been, an Israeli company). The second talks about how the NSA is cooperating with Israeli intelligence, and uses Israeli produced technology. Again, no mention of products shipping to either individual or governmental users being backdoored.

If there are, as you said, 100's of stories, I'm sure you can do better than these two.

still no reason to trust Israeli companies when it comes to safe software packages

Still bullshit FUD.

Shachar

Comment: Re:israel? (Score 1)

Spreading FUD all over, aren't we?

First, Skype is not, and has never been, Israeli. ICQ hasn't been Israeli for ages and ages (sold to AOL, that's America Online) in 1998. That's 17 years ago. Either way, a search for "ICQ snowden backdoor" shows nothing relevant in any of the first 10 results, causing me to question the validity of trusting you as a source. If I'm wrong, by all means, please do provide sources.

Second, I used to be in charge of Check Point's product security (late 2000 to early 2003). If any Israeli product is backdoored, you'd expect Check Point's Firewall-1 to be it. In order for that to work, I'd need to know about it, or I might accidentally close the back door. I give you my word as a non-anonymous long time user of this site that no such intentional back doors exist in the product. I have never been asked to not fix a problem I've found, or to not look for certain types of security problems.

During my time there, a few security problems were found in FW-1. If memory serves me right, most were in the management and not in the actual enforcement unit. Either way, I have never seen such a problem and thought "this seems intentional". They always seemed like no more nor less than the usual sloppy programming creating security holes.

Israel has a notorious "cypher law". I actually did produce an encryption product. I only registered it after several years in which it was freely available through sourceforge. The registration process included me sending a request with links to the web site, and a reply saying it was approved as a "free encryption device" (i.e. - I do not need to re-validate it unless I change the crypto).

Now, I know the usual FUD about rsyncrypto, and I know people will say that that's because rsyncrypto's encryption sucks to begin with. All I can say about that is that the cypher law makes it legal to use freely available encryption from the internet without restriction (i.e. - gpg, ssh etc.). They also list the number of applications they processed and denied, and the last time they denied any application was around 2002 (I cannot find the page right now, sorry).

So, all in all, I think this:

i never saw anything come out of Israel that wasn't backdoored... ICQ, Skype, etc.
i think the Snowden files had things about this also

is concentrated bullshit.

Shachar

Comment: Re:Unicomp makes quality keyboards (Score 2)

Started a new job about eight months ago. Asked for a Unicomp keyboard, but said I'd bring my own first so people have a chance to object before money is spent.

In a room with two other people, one didn't mind and the other did object. Went with a MS ergonomic 4000 or something.

Moved to another room. Roommate said he also owned a Unicomp. Next room over had people sensitive to noise. We decided to both bring our buckling springs on April 1st and see what people say. March 31st, one of the next-door programmers tells me how another programmer in his room has a noisy keyboard (membrane with keys not going up all the way, nothing on the order of magnitude of a buckling spring). Asks if he can move to our room. I put on a straight face and say "sure, come by tomorrow and see how things work out for you".

Due to unrelated circumstances, I am away from work for the next week. When I come back, to my surprise, the next-door programmer has not moved in. It appears that, despite repeated assurances from my roommate that this is all just an April Fools joke, the mere fact that the keyboard is on my desk, unused, has deterred him from moving.

Shachar

Comment: Re:He screwed up. (Score 1)

Let's tone down the ad-hominem, please.

I brought forward the period of time the data was published as indication of intent. It does imply that the publication was unintended.

There is a Hebrew proverb, "the law will puncture the mountain". It means strict adherence to the letter of the law, regardless of circumstances (or common sense).

If you say "that's the agreement, and he violated it, however brief and however unintentional", then you still have to account for the 30 other vulnerabilities, for which Groupon is also refusing to pay, for no good reason at all.

Shachar
