
Comment Re:we can fix this (Score 1) 39

I think it depends on where you are and what is being done. Some places have restrictions on what companies can deny responsibility for, so there is usually (not bothering to look it up this time) a clause in the EULA saying that if part of it is invalidated, the rest still applies.

"There should be a law" is, perhaps, a better starting point. I've thought on this topic for a while and have some ideas about what should happen and how and when, but I am sure I'm missing some important issues and my wording needs improvement. Feel free to take my ideas and improve on them and pass them on to the appropriate agencies. Since "Comments owned by the poster" is clearly indicated, I hereby release this post and any of my comments related specifically to this post into the public domain.

Fast changes are bad for business so I believe this first part of my suggestion for new laws should be discussed now with an intent to have the laws become binding in 2025 at a state level.

BMC software law provision one.
The state of [insert state here] shall create and fund an agency with a free and public interface so that any software which is used to provide service or sold may be reported by the buyer as having a security vulnerability with replaceable results. If the buyer submits such a vulnerability to the state agency, there will be posted a public notice that the vulnerability has been reported which the software or software service vendor must review and patch in ninety days from the date of public notice. Software and software service vendors may request automatic notice by email or letter with proof of identity, of such public notices. Should a software or software service vendor fail to patch, and offer the patch without additional cost to all users of the software or software service vendor, the state of [insert state here] shall grant a permanent license to use the software or software service to the first reporter, individual or company or organization, of the vulnerability. The software vendor who fails to offer a free upgrade to all users of the software or software service without charge, shall be required to provide the software or software service without charge to the individual who first reported the vulnerability so long as the company continues to offer that software, software service or derivations on that software or software service commercially. This requirement shall apply to all sellers and buyers who reside or are conducting business within [insert state here] with the provision that if one of the entities involved in the transaction is outside of the jurisdiction of [insert state here] then all other commercial interactions by the entity outside of the jurisdiction of [insert state here] shall be prohibited within [insert state here] until the terms of this law are fulfilled.

Ten years is plenty of time for a state government agency to be formed and for companies and software developers to adjust their business models to the first provision of my proposed legislation. I think with that in mind, fifteen years is enough for the second provision of my proposed laws, and I think this should be at a federal level. I'd suggest that the NSA is the appropriate agency, but I'm open to a new federal agency being created or assignment to a better suited agency.

BMC software law provision two.
The federal government shall mandate [insert agency here] to provide a publicly accessible interface for the submission of software source code in the state used for development and production of the software and replicable instructions for any binary program produced using that source code which is offered for sale or as part of a paid service, hereafter referred to as replicable programming. Any person, company or organization offering software or service utilizing software for a fee must submit the replicable programming to the [insert agency here] interface within ninety days of the first sale or purchase of replicable programming or any buyer of the replicable programming shall be entitled to a full refund of fees. If the interface for public submission becomes unavailable to the public due to a technical problem or limitation, an alternate option for submission through the postal service shall be offered, but only if such submission is posted within sixty days of purchase. The submission of replicable programming shall become public and offered without cost to the public through the offices of the Library of Congress after a period of ten years from the date of original submission unless the submitter or legal owner of the applicable intellectual property of the submitter requests an extension of exclusive copyright and non-publication for a period not to extend beyond ten years from the request for such an extension. Extensions may be requested repeatedly but shall be denied for any period which would extend beyond fifty years from the time of the original submission, after which the submission shall become public. Exceptions may only be granted by a federal court, and only for a period of ten additional years at a time, if the submission contains information vital to national security. 
The replicable programming may be reviewed by authorized government agencies for security vulnerabilities and any which are not patched within a period specified by [insert agency here], not to exceed 120 days, may be made public by [insert agency here].

Comment Re:HOSTS file (Score 3, Funny) 415

Right, because keeping your browsing and application-utilization habits a secret is SO important.

OMG somebody might know you look at porn! Or that you play video games! Or that you are shopping online for a new printer!!!

The horror!

Okay, mostly I agree with you, and even if 99.9% of people were aware of what's shared, almost none of them would care. Of course, in reality, I'd be surprised if even 1% of people care enough to find out.

Let's just target that tiny fragment of the population that cares and wants to protect their privacy. Maybe you know the person behind the Ashley Madison hack, or want to blow the whistle on the NSA, or maybe you found out something terrible about Microsoft and want to email somebody about it, whatever. In this scenario, you're somehow also nuts enough that you are going to pass on your bombshell using your home Windows 10 PC.

Wireshark and a few tweaks to your router and there is now nothing going out that you don't want going out. Problem solved. (It's not going to last ten seconds in keeping your identity secret from any of those entities, but hey, it's not Windows 10's fault at least.)

But wait, you must be saying, "my PC is connected without a router!" (How?) Don't worry your pretty little head about it. A couple host file edits and you're good. But "wait" you say, (complainer!) "these apps are still connecting!" So you add a handful of specific routes with the handy command line and boom (!) problem solved again. (For another ten seconds.)

"But ancientt," you say. "I'm posting and emailing stuff all the time that could get me in trouble and I don't want Microsoft to know!" To which I reply, "Tails and VPN my child." But you ignore my advice, because of course you do. "I must secure Windows 10 permanently!" I find you irritating, but alas, I cannot resist your wiles so I offer this further guidance. Edit your registry, run your own DNS server, set the default route to localhost and only allow an IP connection to sites you've intentionally pre-configured with the route command, and now my stupid but persevering student, you have a Windows 10 configuration which will communicate with nothing undesired.

I will not post bail.

Comment Re:Needs to move to Green Bank, WV (Score 1) 586

Of course it isn't Wifi that is causing the problem, but there are problems here. Taking up the court's time and spending money on the lawsuit is obviously not going to solve the real problem, but it's also obvious that the parents (at least) believe the problem is real. Imagine that your child is suffering and someone you respect tells you the problem is something that is not too hard to solve, and following that advice seems to work. It's easy to see how you could become convinced that the problem is real and that you understand the cause. Then when you try to get other people to take reasonable actions in order to accommodate your needs, pretty much everyone laughs off your problem.

I'm sure it sucks to be in their shoes too. There are so many things I interact with every day that I don't really understand that it's not hard for me to accept that I am likely completely wrong about how I think some of them work. It's even likely that there are things I'm sure I understand that I'm actually wrong about.

How do you convince someone that something they adamantly believe is wrong? If this and other forums I've seen on the internet were the sole standard, I could only believe it is impossible. I guess what I'm saying is, even while you can be certain the real problem isn't Wifi sensitivity, there is a saddening lack of empathy displayed in this discussion.

Comment Re:Where is Commander Adama when we need him? (Score 1) 189

I want that too, except with an additional requirement. I don't want anything involved in controlling the car physically wired to anything networked. If I want the car controlling system to connect to a network, I want to be required to physically turn a switch to allow it.

"Oh, they're firewalled" they say, and we know that fails.

Comment Re:He lost my vote (Score 2) 494

That phrase, "mostly harmless" rings a bell.

It was for the sake of this day that he had first decided to run for the Presidency, a decision which had sent waves of astonishment throughout the Imperial Galaxy -- Zaphod Beeblebrox? President? Not the Zaphod Beeblebrox? Not the President? Many had seen it as a clinching proof that the whole of known creation had finally gone bananas. ... The President is always a controversial choice, always an infuriating but fascinating character. His job is not to wield power but to draw attention away from it.

Comment Re:silly (Score 1) 392

Yup.

Nobody's hitting me with a brick to get my password. If you can credibly threaten to, you can have it. Nothing on my phone is worth a bloody nose, let alone a broken bone or my life.

With that in mind, I would NEVER put anything on my phone that would incriminate me of a felony or give a potential blackmailer the ability to ruin my life. In fact, I stay away from scenarios where such things even could exist for the same reasons.

Comment Re:The System Is Hardened Against That (Score 1) 392

You're absolutely correct on all counts. I certainly hope I didn't come across as implying that there is no point in having encryption, good encryption, on devices that may have sensitive data.

The latter is hard to extract by physical examination

I'm assuming that hard to extract is a description that applies to normal tools and access. I have every expectation that it would be at least moderately easy for the NSA. Ditto for a Colombian drug lord who is willing to invest a couple hundred million into getting the ability.

If law enforcement has a good case that the phone they have taken possession of is likely to contain evidence in a murder trial, I am surprised they don't have a department that passes the warrant and request to an agency that can handle the extraction of the baked in digital key.

I encrypt my phone because I believe that my password is highly unlikely to be guessed by the thief who manages to snag it from me in a bar or on the subway. If a cop takes it, I expect it to hold out until that point they decide it is worth getting an acronym agency of your choice involved. (I expect that the HSA, CIA, FBI, NSA wouldn't have trouble getting the baked in key, but I doubt that San Diego PD has the capability.)

If a thug with a gun wants my password, I'll hand it over because nothing on my phone is worth endangering my life. If a thug with a badge wants my password, I'll resist as long as feasible on principle, but I wouldn't expect my data to last against a serious concentrated effort. If a drug kingpin decides to break into my phone, I expect my password and the keys are good enough, but not if that kingpin is willing to throw multi-million dollar investments against it.

The concern I have is that my senator will cast a deciding vote making a backdoor mandatory and then the kid hanging around the bus stop will have a black market resale value incentive to steal it, because I have no expectation that law mandated security will be secure enough to keep black hats from finding out how to take advantage of it. Is it possible that law mandated back door access could be secure against black hat access? Yes. Is it likely a senator would have a clue how to mandate that? Not in the least.

It's just the locked door debate. Good locks, strong doors and a security system stop petty criminals or hopefully at least slow them down. It doesn't stop SWAT or Ismael Zambada Garcia if they decide they want in. So it's a good idea to invest in security, but it's a bad idea to trust it absolutely.

Comment Re:silly (Score 1) 392

Just for the sake of anyone who hasn't thought this through: The device's hard drive may be encrypted, but that doesn't mean you have to use the screen to enter all the possibilities or have to wait or have to worry about getting locked out.

When decrypting the hard drive (card/whatever) of a device, you pull the media out, copy it and then access it in an environment you control. So you can try a billion guesses a second if your computing resources can handle it. A phone's storage capacity is small enough that you could actually distribute a couple hundred thousand copies to a couple high end clusters and have them all trying their unique possible combinations in parallel.

Having lock-out features and delays only stops the casual criminal. The well financed criminal or government can hit your encrypted data with an unimaginable number of guesses per second. If you think your password is good enough to keep out the government or drug lord, I recommend you bear in mind that they are going to guess every possible eight digit password in under three seconds.

Comment Re:Hovered over property for only 22 seconds .. (Score 1) 664

I vote that the legal definition of your right to airspace above your property should be "shotgun range." (I don't know who is in the moral right here, but I do think it's important to note that the man was not arrested for shooting the drone, but rather for firing a gun outside of legal limits.)

Comment Re: My big hope (Score 1) 321

You're right, for setting environment variables permanently you use setx instead. http://ss64.com/nt/setx.html

I learned the DOS command line well in the early nineties, and a surprising amount has stuck with me. I use Windows 10 at work, admin Hyper-V and Linux servers there and run Linux at home 99% of the time. This kind of review looks exactly like what I'm looking for but really, since I do much of my work from the command line in both environments, I'm surprised the GUI gets so much focus. It just seems like the hard way most of the time to me.

The first thing I usually do on a Windows machine is pin cmd to the task bar, and from there, right click and run as administrator. I have a c:\bin folder where I stick all the PsTools, Sysinternals, putty/kitty and unix utils tools I need, so I usually

setx PATH "%PATH%;C:\bin\;C:\bin\usr\local\wbin\"

and then custom create a bat file or two to point to my cloud stored resources. All that works on Windows XP - Windows 10 without any special effort.

I started using Windows 10 shortly after it first came out for Windows Insiders. I noticed that some of our proprietary business software doesn't work, but it still doesn't work on Windows 8 either, so that's hardly a surprise. All my command line stuff seems to work without any effort and nearly all my normal software works, the exception being Outlook's search which seems to have been broken in 8 too. (My setup is abnormal enough that I'm not really surprised, just frustrated.) The RSAT took a couple tries to get running, but was working.... until I did a clean install of Win 10 with the official release and now can't get it to work for love or money. (Apparently that's coming out in the next couple weeks and the stuff I was using in Beta won't install in the released version.) Also the Hyper-V manager seems to have a problem with one of our servers now, but I suspect that's a problem on that server rather than with the tool. We don't reboot those things very often, so I'm optimistic the next reboot of that server will resolve the issue.

What I do like in Windows 10 is the improved command line defaults. I didn't really need it, but I like the color options making it easier to spot which command line I'm after and default equivalent to Quick Edit settings so I don't have to remember to do it myself. I'm still getting used to being able to use Ctrl+C on it. I also like the improved snap window (Windows + arrow key) settings, being able to use quarter screens easily and the prompts to choose second windows is quite nice.

I enabled Cortana and the search function improved. I expected to hate it since I only use the search for finding things already on my local computer, but that improved too. I'm not sure I like sharing everything with Microsoft but I share so much already, I'm willing to live with it in exchange for better search responses for now.

Comment Re:So 30% of 4% is 1.2%. What is attractive here? (Score 2) 299

Let's say, just hypothetically, that this is implemented at a federal government level. Further, let's take as a given that this supplement makes cows healthier, happier and cheaper to feed. Additionally, let's assume that we want this enough to subsidize this for farmers to the point that they're actually paid slightly to implement it. I'd call this set of givens the ideal situation.

Even if we had such an ideal situation, there will be a lot of ranchers and farmers who don't trust the government's plan (my father will probably be one of them) and people in that group won't implement the change. Then there will undoubtedly be the "organic" beef people who demand 3NOP free labeling and some farmers and ranchers will target that market and not implement. Other countries won't necessarily follow suit. Some will, but some certainly won't.

However, knowing that some people will resist change isn't a valid reason to avoid considering whether change needs to happen. Civil rights, the abolition of slavery, freeing Jews in internment camps... all are changes that every normal person now would agree needed to happen. There was resistance at the time and there are still people who don't like the changes even now, but that doesn't mean we shouldn't have put the effort in.

Change is bad. Not changing is bad. No matter how elegant and beneficial a solution is, no matter how bad the problem is, there will always be some struggle implementing the solution. Even knowing leaded gasoline is bad, and having some idea how bad, there are still quite a few engines (small planes jump to mind) which still use it. Changing to unleaded gasoline was beneficial and a struggle, and it was worth it. (Do some reading if you are unfamiliar with how significant that change was.)

My point is that we can acknowledge there will always be issues with implementing big changes without weakening the argument that change is good and needed.

Comment Re: actually had this on my list today (Score 4, Informative) 157

YES. Port knocking solved this years ago. For those unfamiliar with the concept, the idea is simple enough: my computer doesn't even let you try to log in unless you first hit a specific combination of ports first. For example, your IP address gets no response to an attempt to connect to SSH unless you first try to open ports 2234, 5039, 16, 38 and 27 in that order. (You don't get a response on those either, but my computer records those attempts and when you do hit them in that order, it opens up the real SSH port to your IP address for a connection attempt.) Add on an extra layer of security by having some ports that cause an automatic ban, so hitting port 2232 or port 2235 would mean your computer wouldn't get any access even if you otherwise hit all the required ports in the right order.

The best part is that you don't need any special software to set this up. Iptables is already built in and a bash script is sufficient to process the logs created by Iptables and unblock or ban when appropriate. The client just needs to get to a web page with links to the server and ports in the right order, so nothing more sophisticated than a browser is necessary. The worst part is that your firewall will block non-standard outbound traffic if it's sophisticated enough and if you're in a corporate environment, making changes to it may not even be an option.

I don't like alternate possible suggestions either. If you put up a web page to first authenticate people before opening SSH for connections, then the web server becomes the weak point and I think SSH has a better track record of being secure than any web server I can think of. If you put up a VPN to authenticate people before allowing SSH attempts, then the VPN becomes the weak point, and again, I don't know if VPNs are any more likely to be secure than SSH itself.

Any time you put two layers of authentication in front of allowing access, it should be more secure than having one alone, but with zero day exploits happening on pretty much everything, I'm inclined to think the first layer should be the one most likely to be immune. If that's SSH, and I think there is a reasonable argument SSH has a better track record than most any other authentication method, then using any other piece of software that people can connect to in front of it makes the potential for a breach higher.

I'm actually in favor of layered security and I use fail2ban (as others have suggested) and I put together a script to automatically ban "evil ips" when they repeatedly try unsuccessfully to connect to my machines, but really I feel that's more for my benefit of having fewer logs of automated attempts than being a serious deterrent to any half-brained targeted hack attempt.
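Added here as an illustration, not the commenter's own script: a small bash/awk evaluator of the knock rule the comment describes (2234, 5039, 16, 38, 27 in order; 2232 or 2235 bans), run over constructed iptables LOG lines. It assumes a LOG rule with --log-prefix "KNOCK: " on the knock and ban ports; turning the printed decisions into the iptables rules that actually open SSH or drop the source is left to the wrapper this would feed.

```shell
#!/usr/bin/env bash
# Added example, not the commenter's script: evaluates the knock rule from the
# comment (2234, 5039, 16, 38, 27 in order; 2232 or 2235 bans) over iptables
# LOG output. Assumed: a LOG rule with --log-prefix "KNOCK: " fires on SYNs to
# those ports, so lines look like the constructed samples in demo() below.

KNOCK_SEQ="2234 5039 16 38 27"   # must be hit in exactly this order
BAN_PORTS="2232 2235"             # touching either bans the source for good

# knock_decide: read log lines on stdin; print "<ip> open" when a source
# completes the sequence and "<ip> ban" when it touches a ban port.
# Sources that neither finish nor trip a ban produce no output.
knock_decide() {
    awk -v seq="$KNOCK_SEQ" -v ban="$BAN_PORTS" '
    BEGIN {
        n = split(seq, want, " ")
        m = split(ban, bp, " ")
        for (i = 1; i <= m; i++) banport[bp[i]] = 1
    }
    /KNOCK: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        if (src in banned) next              # banned sources never progress
        if (dpt in banport) { banned[src] = 1; print src, "ban"; next }
        if (!(src in step)) step[src] = 1    # index of the next expected port
        if (dpt == want[step[src]]) {
            step[src]++
            if (step[src] > n) {             # sequence complete: open SSH to src
                print src, "open"
                step[src] = 1
            }
        } else {
            # wrong port: start over (a hit on the first port counts as a restart)
            step[src] = (dpt == want[1]) ? 2 : 1
        }
    }'
}

# demo: constructed log lines for three interleaved sources. 198.51.100.7 knocks
# correctly, 203.0.113.9 trips a ban port mid-sequence, 192.0.2.55 knocks out of
# order; the sshd line shows that non-KNOCK lines are ignored.
demo() {
    knock_decide <<'EOF'
Aug 14 10:01:02 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=2234 SYN
Aug 14 10:01:02 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=2234 SYN
Aug 14 10:01:03 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.55 PROTO=TCP DPT=2234 SYN
Aug 14 10:01:03 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=5039 SYN
Aug 14 10:01:03 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=5039 SYN
Aug 14 10:01:04 gw kernel: KNOCK: IN=eth0 SRC=192.0.2.55 PROTO=TCP DPT=16 SYN
Aug 14 10:01:04 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=2235 SYN
Aug 14 10:01:04 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=16 SYN
Aug 14 10:01:05 gw sshd[812]: Accepted publickey for admin from 10.0.0.4 port 51022
Aug 14 10:01:05 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=16 SYN
Aug 14 10:01:05 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=38 SYN
Aug 14 10:01:06 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=38 SYN
Aug 14 10:01:06 gw kernel: KNOCK: IN=eth0 SRC=198.51.100.7 PROTO=TCP DPT=27 SYN
Aug 14 10:01:06 gw kernel: KNOCK: IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=27 SYN
EOF
}

demo
```

Running it prints "203.0.113.9 ban" followed by "198.51.100.7 open" and nothing for the out-of-order source; note that a banned source is ignored even when it later completes the sequence, which is the behaviour the comment asks for.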

