Comment: Re:Fairly easy way to protect data. (Score 1) 75

I find that one of the more useful bits about PCI is that at some point, somebody tells the company to get their house in order. Maybe not the whole thing, but there's some value to moving all of the CC data to the closet and locking THAT.
My general security side says they should apply that principle elsewhere, but it's a harder sell when the rest isn't directly tied to cash flow.

Comment: Re:Lots of tools, not a lot of experience (Score 1) 75

These companies seem convinced there is financial reason to keep everyone else's data, and maybe there is. If so, it behooves them to do so correctly, according to the value of what they hold. If they think the data is worth less, a painful lawsuit judgement may change their minds. (See Ford, and Pinto gas tanks.)

Comment: Re:Fairly easy way to protect data. (Score 1) 75

I'm in the security industry, and this approach pretty much sums up what I try to instruct my clients to do. It differs of course from the piles of unprotected, unaudited, unmanaged fluff that some management wanker thought might be handy to keep around. Even restricted to such a constrained, specific scope as credit card data makes them blanch; I can't imagine them making the leap to more loosely guarded information without a business case.

Comment: This grief can bite you a few ways (Score 1) 204

I deal a lot with clients who have compliance requirements such as PCI. This sort of thing is an endless source of grief, where the, "it doesn't matter, it's just an appliance" phrase comes up all the time. You have devices put into PCI-scoped network zones to do a job, but which are either using a dusty version of a commodity OS under the hood, or don't support a bunch of requirements like account controls such as password complexity and account lockouts.
Being big-name security appliance and networking companies, it's tough to justify taking them all out back to the shooting range. But I'd love to...

Comment: Securing cloud data (Score 2) 24

by Tool Man (#47952231) Attached to: Dropbox and Google Want To Make Open Source Security Tools Easy To Use

What they need to do is implement client-side encryption before it gets uploaded. Sure, we can use something like EncFS to let Dropbox host only files I've already encrypted, but other cloud-storage companies like SpiderOak have written themselves out of access to my file contents.

Comment: Yikes. This handles people's money (Score 1) 348

In my humble experience, POS systems are those most forgotten, and least protected once you get on to the network. Few patches if any, and the vendors often squawk about only supporting ancient versions of Windows XP. Yes, the POS systems are probably Windows. Probably no AV either, and quite likely all administered with shared accounts that everybody knows. A firewall is by far the least they should be doing.

Comment: Re:Run it all through Tor? (Score 1) 184

by Tool Man (#47295083) Attached to: EFF To Unveil Open Wireless Router For Open Wireless Movement

Something comprehensive would indeed be much better than solving for one layer. The challenge I find is trying to get people to pay attention to any of it at all, never mind changing everything they do in one fell swoop. For sure, making secure options the default is a huge step, but in this case, we're still relying on whatever compromised client gets allowed on to the wifi.

Comment: Run it all through Tor? (Score 1) 184

by Tool Man (#47294513) Attached to: EFF To Unveil Open Wireless Router For Open Wireless Movement

I've had a FON device, and I think its main protection against malicious (illegal, stupid) use is that other users on the open FON channel are either authenticated FON users roaming to your access point or paid users who again aren't really anonymous.

What I was wondering though is whether each of these openwireless devices could also be set up as a Tor entry node for all of the free traffic going out that way? Think something like the Tails distro, where you don't record anything, and don't really want to either. Keep it somewhat bandwidth-friendly for the rest of your network, and worry less about what some anonymous user does with it.

Comment: Re:What about security? (Score 1) 170

by Tool Man (#46805905) Attached to: Ask Slashdot: Professional Journaling/Notes Software?

What you call "notes", the local prosecutor calls "evidence". Something you write that might seem totally harmless to you - "today I spent three hours daydreaming about putting bleach in my idiot boss's Diet Coke" suddenly becomes damning when presented out of context to a jury, after someone put bleach in your boss's Diet Coke and he wound up in the hospital.

I have been keeping a plain text log for the better part of two decades. They are just individual text files, one for each day, with titles like 2014-04-20_sue_party, a date and a quick description of anything unusual. The encryption mechanism has changed, but right now they are all stored on a TrueCrypt volume. A vanilla search only takes a minute at most.

I'll chip in with a combination that works for me. This may or may not overlap with the OP, but YMMV.
Anyway, I want to be able to have access to my data in multiple places, including mobile. On the other hand, I also expect a certain control over my data, including the ability to encrypt (and still have access).

Org-mode has some support for iOS and Android apps, including syncing to a central location via Dropbox or WebDAV. Encryption is available too, using the OpenSSL command-line tool IIRC. WebDAV is also supported by ownCloud, so the central sync point isn't Dropbox and their snoopy new board member, but my own VPS elsewhere. Of course, one of the beauties of org-mode too is that in the end, the data is still plain text once decrypted, so the local copy is never stuck in an opaque format. If I'm concerned about my local copies' security, then that is in an encrypted volume.

Comment: Re:Burn after reading? (Score 1) 222

by Tool Man (#45973067) Attached to: TrueCrypt Master Key Extraction and Volume Identification

The thing with hibernate is that it's capturing an image of memory, and storing it on your disk. Handy when you want to wake up from really-powered-off, but also handy for anyone who wants to do a forensic analysis of everything in memory when it went to sleep. Ditto iPhone backups too IIRC, which is why (a) I don't use hibernate, and use sleep unless I'm expecting something invasive like going through US Customs where they apparently have free rein over your constitutional rights, and (b), iPhone backups are set to use encryption.

Powered off with no image written to disk is a good combination.

Comment: Re:Here we go again... (Score 3, Interesting) 170

by Tool Man (#45934855) Attached to: Google Confirms Shut Down of Schemer

Well, unless it's based on a free, open protocol that you can host yourself if required.

And you can easily get your data out of the system. Because if you cannot get your data, you cannot host it elsewhere.

That part at least is something that Google does put some work into. You can use Google Takeout to get quite a bit back, in a form you may conceivably use elsewhere. Not sure about Schemer specifically though.
