Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror

Comment Re: actually had this on my list today (Score 4, Informative) 157 157

YES. Port knocking solved this years ago. For those unfamiliar with the concept, the idea is simple enough: my computer doesn't even let you try to log in unless you first hit a specific combination of ports first. For example, your IP address gets no response to an attempt to connect to SSH unless you first try to open ports 2234, 5039, 16, 38 and 27 in that order. (You don't get a response on those either, but my computer records those attempts and when you do hit them in that order, it opens up the real SSH port to your IP address for a connection attempt.) Add on an extra layer of security by having some ports that cause an automatic ban, so hitting port 2232 or port 2235 would mean your computer wouldn't get any access even if you otherwise hit all the required ports in the right order.

The best part is that you don't need any special software to set this up. Iptables is already built in and a bash script is sufficient to process the logs created by Iptables and unblock or ban when appropriate. The client just needs to get to a web page with links to the server and ports in the right order, so nothing more sophisticated than a browser is necessary. The worst part is that your firewall will block non-standard outbound traffic if it's sophisticated enough and if you're in a corporate environment, making changes to it may not even be an option.

I don't like alternate possible suggestions either. If you put up a web page to first authenticate people before opening SSH for connections, then the web server becomes the week point and I think SSH has a better track record of being secure than any web server I can think of. If you put up a VPN to authenticate people before allowing SSH attempts, then the VPN becomes the week point, and again, I don't know if VPNs are any more likely to be secure than SSH itself.

Any time you put two layers of authentication in front of allowing access, it should be more secure than having one alone, but with zero day exploits happening on pretty much everything, I'm inclined to think the first layer should be the one most likely to be immune. If that's SSH, and I think there is a reasonable argument SSH has a better track record than most any other authentication method, then using any other piece of software that people can connect to in front of it makes the potential for a breach higher.

I'm actually in favor of layered security and I use fail2ban (as others have suggested) and I put together a script to automatically ban "evil ips" when they repeatedly try unsuccessfully to connect to my machines, but really I feel that's more for my benefit of having less logs of automated attempts than being a serious deterrent to any half brained targeted hack attempt.

Comment Re:Other opponents (Score 1) 446 446

Is there something I don't know?

Yes. Always. (What kind of fertilizer? What type of bees? What tilling method? What moon cycle was planting and harvesting done in? Did the farmer wear goatskin or cotton gloves?)

It is impossible, not to mention impractical, to require that a label should include all the information I might not know. What is possible and reasonable is to require labeling to give me information that I do need to know and make rules and laws against things that are known to be harmful.

With that background, the goal I expect from legislation is to both ensure that necessary information is included and exclude requirements to add unnecessary information.

So if I believe that GMOs are potentially dangerous, I'll take the time to find and buy foods labeled Non-GMO (still legal) or that I have researched enough to be confident I'm sure meet my personal preference.

The real issue here, as in so many recent issues, is the philosophy behind deciding: what is the purpose of law?

  • Law is to make society better? Legal requirements to require GMO labeling is fine. Laws to prevent labeling GMO is fine. Laws to make dogs wear sweaters is fine. Anything that makes society better, according to widely varying definitions of "better" is fine. All taxes are based on this philosophy, and generally accepted because the a lot of people have similar ideas of "better."
  • Law is to prevent harm? Legal requirements to require GMO labeling is fine. Laws to prevent GMO labeling is fine. People have varying ideas of what harm might might be.
  • Law is to maximize freedom? That's sort of all about making the best society possible for people to be maximally free, while still being about preventing harm which inhibits freedom. Freedom is individual but every freedom you give one person (freedom to kill) inhibits the freedom of another (lack of life is complete loss of freedom.) Everything is a compromise. Freedom to ensure knowledge about GMOs inhibits freedom to present products the way you prefer.

Freedom?

Yeah. Life isn't black and white. Making choices to determine what other people must or must not do, can or cannot do; that's complex but life is complex.

I've brought up a lot of potential nuance to add to the simple question of whether it should be legal to require GMO labeling or not. Given that nuance, I don't expect you, dear reader, to change your opinion since everything I've contributed can also be used to support your preconceived notions of what's appropriate. Are you asking what I think? Are you asking what someone who has both sides consideration thinks? You won't be satisfied with the answer.

I don't really know for sure. I want freedom, and I want to ensure freedom for others. I don't know which side does the best job of either. In these situations, I generally go for the approach of not legislating, but this is about a law to prevent legislating. If I don't like unnecessary laws, is it better to prevent laws using law or skip the law at all? I think the best choice is to allow legislation to happen at the most local levels, which is to say no, I don't think this is a good law, even though I don't think the idea that legislating a requirement for GMO labeling is a good idea either.

So even though I sorta have a stance, t's not strong. If you'd like me and people like me to see your side, or even support it, please give me a good reason to support your perspective. Despite everything I've read (most of the discussion so far,) I still haven't seen that.

Comment Re:Experts? (Score 1) 102 102

But your clearly not familiar with how large companies do things, or even what a BACKDOOR is.

I'm familiar with both.

Also Nobody has proposed some 2 key system.

You're absolutely right. Even I'm not proposing it. I'm simply outlining how secure second party access can be managed. You and I both know that politicians don't want to go through a secure process, or have only limited access controlled by subpoenas.

If its the same key, then no that is not PKI, because i just lost the ability to revoke and renew a key without 3rd party intervention.

You're mostly right. What I described is PKI protected symmetric encryption, which isn't as secure as pure PKI, but that's what systems use now, just (hopefully) without second party access. (That's why you can change the password on your android phone or bitlocker container or truecrypt drive without it taking the time to do a full re-encryption. It can be as almost as secure, but not like I described it.) The example I gave wasn't representative of what politicians want... again, it's just one way dual access could be set up securely.

It's not wrong to say that any sort of backdoors are a bad idea, no matter how they're implemented. And you can absolutely bet that serious criminals and even geeks like me will re-encrypt with non-shared keys, so it's only effective for the kind of terrorists who don't train to fly planes into buildings.

I'm having a hard time defending even a process that could be relatively secure, because (like you) I have zero trust in the politicians calling for an end to privacy.

Comment Re:Experts? (Score 1) 102 102

A spokesperson for [Big Telco] said that even though they broke the law law pertaining to maintaining government security by putting the keys into network connected system, that no phones could actually be compromised because every piece of data [Big Telco] stores is useless without the corresponding PKI private keys secured by the [Three Letter Government Agency]. The spokesperson went on to say that replacement keys had already been automatically pushed to every online phone anyway as an extra security precaution. We spoke with the lawyers of the defendants accused of breaching national security and two of them confirmed their clients were considering plea deals to avoid longer jail sentences.

I wouldn't disagree that dual key systems make security weaker, but how much weaker the security is depends an awful lot on how you do it.

I don't know if you missed the PKI component in my previous post or just aren't familiar with it, but for the sake of other readers here's the essentials of Public Key Infrastructure:
A) Anyone can encrypt a message using a public key
B) Nobody can decrypt that message except the holder of the corresponding private key
C) No, not even you, the person who encrypted the message, not even you can decrypt it
D) Because math

The thing about the process I described is that it would be impossible for the [Big Telco] to cause the actual passwords to be breached, because they would never have them. It would be impossible for the government agency to cause the actual passwords to be breached because they wouldn't have them either. Both would have to fail dramatically, and at the same time, in order to prevent corrective measures from being effective.

Comment Re:I define terror ... (Score 1) 139 139

You and what army? Why, this army ... er, where do I get an army exactly? Maybe I just need to get a bunch of smaller government types to go along with me, maybe get a bunch of states together and make our own country? Has anybody tried that? Oh. How'd that work out? Oh.

So, yay America I guess?

So... hypothetical question, exactly what do you have to post in an internet forum to get put on watch lists and no-fly etc?

Comment Re:The fickle finger of fate..... (Score 2) 95 95

I'd never read that story, and I consider myself an Asimov fan. Thank you!

I was thinking of this one http://www.galactanet.com/oneo...

“How many times have I been reincarnated, then?” “Oh lots. Lots and lots. An in to lots of different lives.” I said. “This time around, you’ll be a Chinese peasant girl in 540 AD.”

Comment Re:The fickle finger of fate..... (Score 1) 95 95

Karma applies to your next life, not this one.

So do you remember or are you just guessing?

I read an interesting short story once where the protagonist died and before being reincarnated was surprised to learn that you could be born before you died. That in fact, you could be born at any point in time and might be interacting with yourself if you happened to be born twice in the same time period, and you wouldn't know because you forget everything when you're born. Then it was slowly revealed that not only could you be born multiple times in one time period, you absolutely were. Moreover, it was revealed that you were in fact the only soul, being born over and over throughout time, interacting with nobody but yourself and literally making your own karma by being the person you were kind to and also the person you were cruel to.

Wish I could remember the name of that story. Or a previous life so I'd know if karma applies to the next life or not. Maybe it's more immediate... sort of insta-karma, which would be a good name for a powdered coffee.

Comment Re:Experts? (Score 3, Interesting) 102 102

I can't believe I'm going to contribute to this side of the discussion. "Loathe" is the mildest word I can think of for how I feel about a government accessible decryption system, but I'm going to explain why it's not infeasible to maintain security and have government access, unlike so many posters seem to assume.

Lets take cell phones as a starting example. The encryption of my phone isn't done with the password I put into the phone when I reboot it, the encryption is done with a randomly generated key which my password decrypts. There is no reason the same key that is actually decrypting the phone couldn't be encrypted with a phone manufacturer password. That government mandated password would encrypt the real decryption key just like my password does, but the government password wouldn't change when I change the password I'm using.

Note the government password isn't the same for multiple phones, it's unique to each phone. The government password is a randomly generated complex string of numbers, letters and symbols and it's not stored on the phone.

The government password for my phone is created at OS installation time and then the phone manufacturer encrypts it with the public key provided by the government. Those encrypted password media are sent to the companies selling the phones and those companies keep that media physically secured.

The government must subpoena the key for a specific phone in order to decrypt its contents.

The government password is now protected by:
A) A PKI private key stored by a government agency
B) Physical security at a non-governmental agency
C) The somewhat abused but best available legal processes of our government

Encrypted computer drives work the same. The assumption in both scenarios is that people fall into one of these groups:
A) don't know it is there
B) use the system their device came with
C) don't understand how to change the system

That covers 99.999% of people, probably even 99.99% of criminals. I may repartition my drive and install varying operating systems, and I may install a different OS on my phone, but normal people don't. Even drug dealers and terrorists are unlikely to do that when there are far easier ways to avoid incrimination. The fact is we could have such a "backdoor" already in play and we wouldn't necessarily know about it. I'm geekier than most by far, and I don't recompile the kernel on my boot partition to make sure it matches the one that is actually there. Granted, I do tend to wipe drives and start fresh, but if Redhat and Canonical are compromised, the NSA is good enough at their jobs, that I'll probably never notice. Do you know for sure the signature of your running kernel matches the one that you could compile for yourself?

Comment Re:What were they thinking? (Score 1) 177 177

You nailed it.

We're subjected constantly to rules and laws that make no sense and most of them aren't enforced; Even the cops often don't know what the laws are and they're supposed to enforce them. It makes me think of the cop who was writing tickets to everyone with a GPS. It was a stupid law but he decided to enforce it and caught hell for it, but isn't that what we want? Don't we want cops to enforce the actual laws regardless of their own opinions? But instead, we've all come to accept an environment where it's practically impossible to follow all the laws all the time, not to mention all the rules. We're literally being trained to ignore the rules.

And of course, people act like the solution is to make more rules.

Observe all warning signs.

Comment Re:For people who don't speak buzzwords (Score 2) 54 54

I remember and it was terrible! The OS was never designed to keep applications from talking to other applications on the system. (As an AS/400 novitiate and SE adherent, I should say "practically never.")

OS application management is something that is not as secure as a virtual machine or a jail or a container, so if you miss the days when the OS was doing it, you didn't have the problems these things are designed to solve.

Containers aren't just virtual machines running a single application either. VMs are a full OS with all the overhead that comes with it, including hardware abstraction layers, boot times and a bunch of stuff you don't need for your application but you get anyway because you need it to run a full OS.

Ideally you should be able to have a virtual machine that only needs a sliver of resources because you only need it running one thing but that's not what VMs provide. (Though Xen came closer than most and I miss it.) An ideal VM should be fast to spin up, but with VMs you were typically booting a whole OS.

Jails on the other hand... Well jails are what you wish a VM running a single application would be. A jail gives you an application and only what it actually needs in order to run in an isolated package. You don't get the benefits of having an image you can snapshot or move around like you do with virtual machines, but it dramatically cuts down on resource requirements.

Containers are basically what people want from jails and what they want from virtual machines with desirable features of each and without the drawbacks of either. They're not the solution to every problem and they're not a replacement for chroot jails or virtual machine servers, but they do have their place.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...