Comment: Yeah, unfortunate reality of infosec (Score 1) 74

by astralagos (#47294383) Attached to: Over 300,000 Servers Remain Vulnerable To Heartbleed
This is to be expected; the only organizations that were going to aggressively patch HB were going to be the googles, the microsofts, the ones with millions of assets and awareness of how much damage that it can cause. The ones that aren't going to patch are going to be your Bob and Joe's Bait Shop with the inexplicable online shop that's being managed by their nephew whenever he's in town from college, if he knows to.

Comment: Re:this should apply to all domains worldwide (Score 2) 71

Because domain generation is one of the most basic techniques used by malware authors and phishers to organize their attacks, as exemplified in the stone age by fast flux networks, Rock Phish, and Conficker, and in modern cases by Kelihos and most of the crap on Zeus networks. Because when a floor has to figure out what's going on with an address, the first thing they do is look up information on whois, which is already a poorly organized hot mess, and the problem is further exacerbated by inaccurate info, outdated info, or flat out lies. We know that half the NICs are sleazeballs, but we don't often know which half, and so every incident takes a few hours of gumshoe work to validate that yes, it's some idiot high school again and not a real network threat. Because we're paying a palpable bandwidth tax for blind scanning and spam coming down the network from bulletproof hosting providers and god knows what else, and it's not even interesting attacks anymore because it's not technically literate kids doing exciting things -- it's organized crime rings. And then, after you've spent 2 hours ripping through a dozen poorly designed databases to decide whether or not you can block that network, somebody from ICANN comes floating down on their cloud and suggests "let them eat cake". I'm all for privacy; you want to be private, be private. You want to go ahead and have a blog, post on tumblr or something. But once you register a name, you're opting to enter an already public resource. You want to drive, you put on license plates. You want to have your own domain, put in public information.

Comment: I think you need a different software solution (Score 4, Informative) 134

by astralagos (#46254303) Attached to: Ask Slashdot: E-ink Reader For Academic Papers?
I think what you're really looking for is a research paper management application, such as Mendeley, Zotero or Papers. I personally use Papers, but that's a very mac-specific solution. There is apparently a Mendeley-specific application called KinSync that should help with using it on the Kindle. In general, if you're reading a bunch of academic papers and you don't have a manager like this, I recommend getting one.

Comment: Something I've been ruminating about all day (Score 4, Interesting) 305

by astralagos (#45570325) Attached to: Bitcoin Thefts Surge, DDoS Hackers Take Millions
Somebody more familiar with bitcoin can answer this for me, undoubtedly, but based on my limited understanding, if the wallet file is lost or destroyed, the coins within it are effectively gone, correct? If so, then at some point there's an expected loss over time (fraction of the population who don't back up their wallet, expected size of wallet, drive failure rate), and at some point that's going to intersect with the size at which the pool expands, so that the total supply of bitcoins over time actually decreases. Theoretically, we'd hit some point where bitcoins are just being destroyed through loss. The situation will be exacerbated with thefts and personal storage.

Comment: It's debatable that you can (Score 5, Insightful) 174

About 20 years ago, I worked for a private detective firm. At the time, I could call up a consultant who given a couple of pieces of information (name and address), would produce for me a complete dossier on a person - their social security number, credit history, vehicular records, neighbors, etc. This was, at the time, a few hundred bucks and a few days of work. Companies such as spokeo now offer to tell you all that information for about 15 bucks.

I don't believe that technological privacy is achievable, and I'm skeptical that it's valuable. Whether or not cryptography actually works (an interesting mathematical question in itself), cryptosystems fail fairly often. Even when they do work, to truly be untraceable or private with them you have to effectively opt out of commerce. Don't log on to anything when you're using Tor, kids; also, don't use Google, since they can always watch your referer tags and see 3/4 of your pages that way. The problem with privacy as we normally talk about it is that it is extremely fragile -- what we've historically taken as 'privacy' was really laziness. Going back to my example from the detective firm above, all this information was already there, it was just split into a couple of dozen different archives and databases. Beforehand, it took time and effort, so you had privacy because unless something was really important, it wasn't worth the effort of searching. Now, it's very easy to record and archive, and we've been focused for many years on making recording and archiving easier, and we elect to be recorded and archived in order to participate with other people -- the bank won't serve you if you're wearing a ski mask, visit Vegas and you'll see that any table game has very specific gestures and rules to make what you're doing camera-friendly, want a loan and you need to have a credit rating.

So, privacy has to be implemented, which means it's going to be a combination of legal, technical and social elements. Technical in the same sense as breaking and entering -- the definition of B&E is that the breaker has to make -an- effort, regardless of how trivial. Lifting a latch is considered B&E, and similarly you need some indication that you're trying to achieve privacy. Legal in the sense of limiting the consequence when your privacy is breached.

Comment: I note that antispam is "under development" (Score 2) 116

by astralagos (#44470179) Attached to: New, Privacy-Oriented, FOSS Web-mail: Mailpile
I'll be deeply curious to see if they actually manage to produce a viable antispam solution. I find the thing that almost everyone walks past when talking about antispam is that it requires reading other people's mail. gmail takes advantage of economies of scale to notice that the same phrase is appearing repeatedly in multiple messages from different names, for example. Spammers are clever and will figure out ways past everything eventually, so I like to ask people if they're willing to trade infinite spam for total email privacy.

Comment: Skill (Score 1) 277

by astralagos (#44442709) Attached to: Ask Slashdot: Is Tech Talent More Important Than Skill?
Talent is the most grossly overrated commodity in the world. I find for most people, there's a point in life that they can reach by coasting; they coast to X, maybe it's high school, maybe it's freshman year in college. Then they have to sweat their asses off to reach X+1. I'm interested in the people who have to sweat their asses off from the beginning, because then they learn to do it as a habit. Spend too much time of your life coasting and you'll find that you constantly seek out situations where you can coast -- it's safer and it feels better.

Comment: No (Score 5, Interesting) 522

by astralagos (#43064131) Attached to: Can Valve's 'Bossless' Company Model Work Elsewhere?
If you read Varoufakis' essay pointed to there, he'll note that Valve's own management doesn't believe the company will be able to scale. More importantly, he notes that the employment process is self-selecting, and that's the rub. I found a Forbes article which estimates that Google makes a profit of 350k per head, while Valve's is in the 87.5 million per head -- that's an estimate, but even if it's one twentieth, it's still ridiculous. Valve is in a unique position due to Steam -- it's a publishing house which effectively monopolizes PC digital distribution. They roll in so much money that they can run the company as an anarcho-syndicalist commune, a democracy, or by pulling suggestions out of a hat. They're very lucky that way and rolled the dice well -- most game studios pushing for artistic integrity have ended up as EA subdivisions for a good reason.

Running a real company or a real government requires dealing with people who don't want to be there. Not everybody wants a career; some people just want jobs. They want to punch the clock and go home. Some people steal habitually from the till. Had I my druthers, I'd spend all day at home reading, and I'm considered a sociopathic workaholic. Some people are going to cheat. Some people are going to lie on their interviews. The test of any organization isn't how it does when it's doing well, it's how it does when it's under extreme stress. Valve hasn't been under extreme stress, so the question of the effectiveness of their organization is effectively mooted. We can look to other game companies with strong egos (Origin for example, or Ion Storm) and get a good idea, though.

Comment: Re:Dumbass parroting. (Score 5, Interesting) 349

by astralagos (#42924567) Attached to: SSH Password Gropers Are Now Trying High Ports
Security through obscurity is one of the most spectacularly misunderstood concepts in information security, partly because it's gotten confused with open source politics. The core concept behind it (Kerckhoffs' principle) is best stated as "assume that the enemy knows your system as well as you do". In cryptosystems this means that the secret is a controlled and limited entity - the key. The key must -still- be hidden and controlled, but Kerckhoffs' principle ensures that you have only one thing to have to control. Various federal agencies used to, for example, assume that the first version of any cryptosystem they sold would be bought by Moscow and rapidly analyzed.

Well and good, but all any security implementation buys you is *time*. The real problem with StO is that the time it buys you is unpredictable, and in Kerckhoffs' era of large and slow system upgrades, it might take years to update a cryptosystem once it was broken. Malware authors have happily used StO for years -- for example, evading detection mechanisms by using a number of off the shelf packers in sequence. The approach works because they replace their malware faster than anyone figures out the packing sequence. The windtalkers during WWII were a security through obscurity approach, and it worked fine for the duration of the war, but would have gone horribly in the next one.

Now, what we're dealing with here is network defense, which isn't crypto. In network defense, creative lying is enormously helpful because you can use it to differentiate between your ignorant attackers and knowledgeable members of the community. The majority of attackers scan horizontally (all hosts on a fixed number of ports) rather than vertically (all ports on a number of hosts) because vertical scanning is a waste of time. Most attackers normally hit 9-10 ports and then move on to the next potential target -- they don't see the network in terms of what the hosts *are*, just what they can *exploit*. Moving SSH to a random port means that the attacker now has to spend 6000x the effort to figure out if there's anything on the host he cares about, and he's probably not going to bother when there are nice sysadmins out there happy to put everything on port 22 (as always, I don't have to outrun the bear. I just have to outrun you.) Couple it with some aggressive port blocking (like port 22) or a threshold random walk scan detector and you've got a perfectly fine way to ignore idiots. It's also worth noting that the mentioned port is 2222, which tends to be "stupid port manipulation rule #2" among folks (the other one being to add 1 in front of the port numbers; I can't tell you how fascinating it was to watch port 16888 the first time we blocked bittorrent).
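The threshold random walk scan detector the comment mentions, as an added example that is not part of the original post: a per-source sequential hypothesis test over first-contact connection outcomes (after Jung et al.), run on a constructed connection log where SSH has been moved off port 22 so a horizontal sweep of 22 produces nothing but failures. The source addresses, the log tuples and the host/port counting used to label the sweep shape are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample connection log (not from the original post):
# (source, destination host, destination port, outcome). "S" means the
# TCP handshake completed, "F" means it was refused or timed out. SSH on
# these hosts listens somewhere other than 22, so sweeping 22 only fails.
SAMPLE_LOG = [
    ("203.0.113.9", "10.0.0.1", 22, "F"),
    ("203.0.113.9", "10.0.0.2", 22, "F"),
    ("203.0.113.9", "10.0.0.3", 22, "F"),
    ("203.0.113.9", "10.0.0.4", 22, "F"),
    ("203.0.113.9", "10.0.0.5", 22, "F"),
    ("198.51.100.7", "10.0.0.1", 443, "S"),
    ("198.51.100.7", "10.0.0.2", 443, "S"),
    ("198.51.100.7", "10.0.0.3", 443, "S"),
    ("198.51.100.7", "10.0.0.4", 8443, "S"),
    ("198.51.100.7", "10.0.0.1", 443, "S"),   # repeat contact, not counted
]

# TRW parameters as published by Jung et al. (2004): theta0/theta1 are the
# probabilities that a first contact succeeds for a benign host / a scanner;
# alpha/beta are the target false-positive and detection probabilities.
THETA0, THETA1, ALPHA, BETA = 0.8, 0.2, 0.01, 0.99
ETA1 = BETA / ALPHA              # upper threshold: declare scanner (99)
ETA0 = (1 - BETA) / (1 - ALPHA)  # lower threshold: declare benign (~0.0101)


def trw_classify(log):
    """Run a threshold random walk per source over its first contacts.

    Returns {source: (verdict, distinct_hosts, distinct_ports)} with verdict
    "scanner", "benign" or "pending" (walk has not crossed a threshold yet).
    """
    ratio = defaultdict(lambda: 1.0)   # likelihood ratio per source
    seen = defaultdict(set)            # hosts a source has already contacted
    hosts, ports, verdict = defaultdict(set), defaultdict(set), {}
    for src, dst, dport, outcome in log:
        hosts[src].add(dst)
        ports[src].add(dport)
        if src in verdict or dst in seen[src]:
            continue                   # decided, or not a first contact
        seen[src].add(dst)
        if outcome == "S":
            ratio[src] *= THETA1 / THETA0                  # success: x0.25
        else:
            ratio[src] *= (1 - THETA1) / (1 - THETA0)      # failure: x4
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"   # four straight failed first contacts
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"    # four straight successful ones
    return {s: (verdict.get(s, "pending"), len(hosts[s]), len(ports[s]))
            for s in hosts}


def scan_shape(distinct_hosts, distinct_ports):
    """Label a flagged source by the sweep shape the post describes."""
    return "horizontal" if distinct_hosts > distinct_ports else "vertical"
```

Because the walk only consumes first contacts to distinct hosts, it is tuned to the horizontal sweeps the comment says dominate; a purely vertical probe of one host never advances it.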

Comment: Re:Attack details? (Score 4, Interesting) 135

by astralagos (#42771369) Attached to: Washington Post: We Were Also Hacked By the Chinese
APT attacks are well understood, it's just that they're not very technologically complex. They are, fundamentally, con jobs. You research somebody with a public identity, send a forged email with a trojan, and wait for somebody to open it. The success of the attack is dependent on finding a large enough group that somebody will open the mail. If you want an early example of a discussion of this, read Shishir Nagaraja's and Ross Anderson's "Snooping Dragon" paper.

As for malware signatures, they've been increasingly ineffective for years. Attackers can buy AV as well, and it's easier for them to tweak their software to evade AV than it is for defenders to generate new signatures. AV's very good at protecting you from yesterday's attack. If you don't have a signature though, it usually takes months to identify a subverted host.

Comment: Re:the point is to keep the leachers in line (Score 1) 320

by astralagos (#42739939) Attached to: Pushing Back Against Licensing and the Permission Culture
There's a specific (patent) example I recall from the history of Sweet'N'Low. Ben Eisenstadt, the developer of S'nL had originally developed a method for packing sugar in sugar packets, which he tried to sell to Domino Sugar. He didn't have the patent, so the Domino people said something to the effect of "we'll talk to you in a few weeks", at which point they replicated the invention and manufactured it without him.

Comment: Interesting problem (Score 3, Insightful) 200

by astralagos (#42737289) Attached to: Excessive Modularity Hindered Development of the 787
Systems design in engineering basically involves drawing a box around a bunch of parts and saying "this is a system". The interfaces after that are hopefully clean -- good systems design does that, but implicit in the choice of a system breakdown is efficiency loss. I might not, for example, think about the fact that the giant engine at the heart of my car could also run heating. There's this long term conflict in engineering between the need to abstract, which enables all forms of delegation, including outsourcing, subcontracting and even building teams, and the loss of efficiency. Good engineers learn things at an almost inexpressible level, developing jargons for the systems under their purview -- in the case of Boeing, there was literally one guy who was their expert on cabling. If you wanted to submit a drawing change, he could envision the change in the cabling of the plane and whether the change was physically possible. That's always been the bane of system abstraction - you find these things that have to cross systems and, if you don't recognize them early enough, they come back to bite you in all sorts of creative ways. Kelly Johnson was a big believer in this. His rules for skunkworks explicitly required that engineers had to be within a specific number of feet of the shop floor -- that way they weren't too divorced from the reality of the products they were making. You see this in the design of a lot of the early computer systems as well, parts bolted together in weird ways before we started developing this high-level view of what systems actually made up a computer.

Comment: Re:VisiCalc (Score 5, Insightful) 704

by astralagos (#42709997) Attached to: What Early Software Was Influential Enough To Deserve Acclaim?
Indeed. If there's a piece of software that launched the personal computing revolution, it was VisiCalc - the first software business actually _needed_. I'd also throw in:

* WordStar - which was the PC world's answer to emacs. If you did text processing on DOS systems, it was done with WordStar or another program which emulated it.
* WordPerfect - the word processor. I imagine that without the Windows Hegemony, Microsoft would -never- have been able to kill WordPerfect.
* Bank Street Writer - the first -educational- word processor. I imagine X'ers like myself lived off of this in school.

Comment: Re:Ah, naysayers... (Score 2) 354

by astralagos (#42652253) Attached to: Why Ray Kurzweil's Google Project May Be Doomed To Fail
Oh, among the list of projects Google's done, it won't rank even among the 10 dumbest. However, if somebody came to me tomorrow afternoon and said that they had plans for a cold fusion reactor, and that I should just trust them and dump the cash on them, I -would- reserve the right to say the project stinks to high heaven. Kurzweil might be right; however the track record of AI suggests he's wrong. A good experiment is always the best proof to the contrary, but what he's talking about here sounds very material to ideas tried, tested and tossed out a while ago.
