
Comment: Re:Prediction: (Score 4, Insightful) 203

by daveschroeder (#48680051) Attached to: N. Korea Blames US For Internet Outage, Compares Obama to "a Monkey"

First of all, you say, "North Korea didn't hack Sony," as if it is an indisputable, known fact. It is not -- by any stretch of the imagination.

The fact is, it cannot be proven either way in a public forum, or without having independent access to evidence which proves -- from a social, not technical, standpoint -- how the attack originated. Since neither of those are possible, the MOST that can be accurately stated is that no one, in a public context, can definitively demonstrate for certain who hacked Sony.

Blameless in your scenario is the only entity actually responsible, which is that entity that attacked Sony in the first place.

Whether that is the DPRK, someone directed by the DPRK, someone else entirely, or a combination of the above, your larger point appears to be that somehow the US is to blame for a US subsidiary of a Japanese corporation getting hacked -- or perhaps simply for existing.

As a bonus, you could blame Sony for saying its security controls weren't strong enough, while still reserving enough blame for the US as the only "jackass".


Comment: Re:Ooh, I Have An Idea! (Score 1) 192

by IamTheRealMike (#48679929) Attached to: MIT Unifies Web Development In Single, Speedy New Language

Speak for yourself. Hating on HTML and web tech because you're bad at it is the lamest of the lame excuses. My users much prefer our HTML GUI over our shitty old desktop apps

Sounds like you're hating on desktop apps because you're bad at them .... though certainly that's a common problem.

Comment: Prediction: (Score 5, Insightful) 203

by daveschroeder (#48679895) Attached to: N. Korea Blames US For Internet Outage, Compares Obama to "a Monkey"

Many of the same slashdotters who accept "experts" who claim NK didn't hack Sony will readily accept as truth that it was "obviously" the US that attacked NK, even though there is even less objective proof of that, and could just as easily be some Anonymous offshoot, or any number of other organizations, or even North Korea itself.

See the logical disconnect, here?

For those now jumping on the "North Korea didn't hack Sony" bandwagon that some security "experts" are leading for their own political or ideological reasons, including using rationales as puzzling and pedestrian as source IP addresses of the attacks being elsewhere, some comments:

Attribution in cyber is hard, and the general public is never going to know the classified intelligence that went into making an attribution determination, and experts -- actual and self-appointed -- will make claims about what they think occurred.

With cyber, you could have nation-states, terrorist organizations, or even activist hacking groups attacking other nation-states, companies, or organizations, for any number of motives, and making it appear, from a social and technical standpoint, that the attack originated from and/or was ordered by another entity entirely.

That's a HUGE problem, but there are ways to mitigate it. A Sony "insider" may indeed -- wittingly or unwittingly -- have been key in pulling off this hack. That doesn't mean that DPRK wasn't involved. I am not making a formal statement one way or the other; just saying that the public won't be privy to the specific attribution rationale.

Also, any offensive cyber action that isn't totally worthless is going to attempt to mask or completely divert attention from its true origins (unless part of the strategic intent is to make it clear who did it), or at a minimum maintain some semblance of deniability.

At some point you have to apply Occam's razor and ask who benefits.

And for those riding the kooky "This is all a big marketing scam by Sony" train:

So, you're saying that Sony leaked thousands of extremely embarrassing and in some cases damaging internal documents and emails that will probably result in the CEO of Sony Pictures Entertainment being ousted, including private and statutorily-protected personal health information of employees, and issued terroristic messages threatening 9/11-style attacks at US movie theaters, committing dozens to hundreds of federal felonies, while derailing any hopes for a mass release and instead having it end up on YouTube for rental, all to promote one of hundreds of second-rate movies?

Comment: Re: Sorry, not corporate enough. (Score 3, Informative) 69

You're probably unaware that the GP specifically used 'HSBC' because they were caught laundering trillions of dollars of drug money and nobody was indicted.

He probably isn't unaware of that. He may well have actually read the indictment itself or a detailed summary of it, which made clear that the US case was very weak to the point of hardly working at all. In particular, not only did they fail to clearly establish that drug money was really moving (their case was "there is so much cash, some of it must be from cartels") but in particular they failed to show intent by HSBC execs to help drug cartels. Actually their case boiled down to HSBC didn't try hard enough, they weren't suspicious enough, etc. (I'm ignoring the Iranian transactions here which gets into issues of international jurisdiction, as you only brought up drugs).

The reason you think they are guilty is twofold. Firstly US anti money laundering laws are unbelievably extreme. The PATRIOT Act removed the need to have intent to be found guilty of money laundering. Bankers can now be found guilty of AML violations even if they genuinely tried hard and had no intent to break the law. Hence the accusations from the DoJ that were of the form "HSBC should have designated Mexico as high risk", etc. Secondly as part of the plea agreement HSBC had to act guilty and accept whatever the DoJ said about them. So you only heard one side of the story, the prosecution's side (except there was no court case). No surprises that you think the whole thing is cut and dried.

It's no crime to be ignorant of such things, but just try not to hold any policy positions on the subject.

Given that there was never any court case and HSBC was never able to defend themselves, pretty much everyone is ignorant in this case because we never heard the full story. But I'm pretty sure if DoJ had emails from HSBC execs that looked like the ones from BitInstant there would indeed have been prosecutions.

Comment: Re:Under US Jurisdiction? (Score 1) 281

No but if you got a government request for your keys you'd know about it.

The government "request" would come in the form of customised malware and you'd never even know you got hacked.

If google gets such a request you wouldn't know you were compromised.

You aren't gonna know, no matter what.

It isn't like they are sending l33t hackers to break in and get the data.

Schmidt isn't an idiot, despite how the press like to portray him via selective quoting (note that TFA does not provide much context for this quote). When he says Google is the safest place to put your data, he's probably comparing Google to other companies that provide similar services, not some hypothetical fully self hosted system - bearing in mind self hosting of email is rapidly going the way of the dodo even in business situations (it died for home email a long time ago).

Given that Yahoo still have not fully deployed SSL everywhere let alone encrypted their internal datacenter links, and if Microsoft have a similar effort they aren't talking about it, there's some evidence that he might be right. After all, if you get a government warrant for your data you're just as stuck as Google is: not much you can do about it. On the other hand, you are unlikely to secure your infrastructure as well as Google does.

Comment: Re:Under US Jurisdiction? (Score 1) 281

But Google makes money from targeted advertising

Google makes significant sums of dough from paying corporate customers who use Google Apps. These clients can switch off advertising if they like. These are also the places where some of the most sensitive data is stored.

So Google have both the financial means and incentive to solve the end to end crypto problem for such clients. The difficulty is not financial. It's technological. Matching even just the feature set of Gmail with end to end crypto is insanely hard, and that's before you hit the "everything is a web app" problem.

Comment: Re:Under US Jurisdiction? (Score 2) 281

The point of forward secrecy is there are no such keys to seize. The "master keys" are only used for identification, not encryption. So whilst a gov could theoretically seize Google's keys, this does not help them decrypt wire traffic. They'd have to do a large MITM attack, and to get everything? They'd have to decrypt and forward ALL Google's traffic. Not feasible.

Good use of applied cryptography means that realistically the only way for a government to get data out of it means requesting it specifically from the providers. In places where the warrant system has been vapourised (which certainly includes the USA and UK), this might not seem like much, but it does help prevent fishing expeditions.
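Added example (not part of the comment above, and not Google's or any TLS library's code): a toy model of the forward-secrecy point, comparing what a recorded session yields once the long-term private key is known. The primes, the group and every function name are constructed for illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Toy long-term RSA identity key from two known Mersenne primes (constructed, insecure).
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # long-term private exponent (Python 3.8+)

# Toy Diffie-Hellman group (illustration only).
DH_P, DH_G = 2**521 - 1, 3


def digest(*parts):
    """Hash integers to a number smaller than N, for toy signing."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def static_rsa_session():
    """No forward secrecy: the session secret is encrypted to the long-term key."""
    secret = secrets.randbelow(N - 2) + 2
    wire = {"enc_secret": pow(secret, E, N)}   # what a passive recording holds
    return secret, wire


def ephemeral_dh_session():
    """Forward secrecy: the long-term key only signs the ephemeral shares."""
    a = secrets.randbelow(DH_P - 3) + 2        # client ephemeral, discarded afterwards
    b = secrets.randbelow(DH_P - 3) + 2        # server ephemeral, discarded afterwards
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"A": A, "B": B, "sig": pow(digest(A, B), D, N)}   # identification only
    secret = pow(B, a, DH_P)
    assert secret == pow(A, b, DH_P)           # both sides derive the same secret
    return secret, wire


def signature_valid(wire):
    """Anyone holding the public half (N, E) can check who signed the shares."""
    return pow(wire["sig"], E, N) == digest(wire["A"], wire["B"])


def seized_key_outputs(wire, d=D):
    """Apply the long-term private key to every recorded value on the wire."""
    return {name: pow(value, d, N) for name, value in wire.items()}
```

In the static case the private exponent turns the recording back into the session secret; in the ephemeral case none of the recorded values decrypts to it, because the secret depended on `a` and `b`, which no longer exist.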

Comment: Re:Here come the certificate flaw deniers....... (Score 3, Informative) 80

by IamTheRealMike (#48564187) Attached to: New Destover Malware Signed By Stolen Sony Certificate

In practice, a certificate is nothing more than a long password

Fail. A certificate contains a public key. This is nothing like a password. You're thinking of a private key. The whole point of a certificate is that you can prove your identity to someone without sending them your password.

Unlike the password in somebody's head or even on a sticky note behind the monitor, these certificate files can often be stolen remotely!

Double fail. Firstly, nobody actually steals certificates. Certificates are public. When someone says something was signed with a "stolen cert", what they actually mean is "stolen private key the public part of which is contained in a certificate signed by a trusted third party", but that's a mouthful, so we simplify and say "stolen cert".

Secondly, private keys can and absolutely should be protected with a password! Or they can be kept in special hardware. However, as you may have noticed, Sony got pwned pretty hard so presumably whatever private key was stolen either had no password, or they were able to just keylog the password when it was used.

These people are a joke.

The joke is on you ..... certificates are not a replacement for passwords and if you think they are, you didn't understand what they're used for.

Comment: Re:Culpability? (Score 1) 180

by IamTheRealMike (#48547237) Attached to: Uber Banned In Delhi After Taxi Driver Accused of Rape

More news (seems this story is unfolding right now) - apparently the driver did NOT have a prior conviction for rape at all, but in fact had only been arrested due to an accusation. So it seems that the first possibility was the correct one, and there's really nothing that could have been done here (unless you believe anyone should be able to ban anyone else from being a taxi driver for life with nothing more than an accusation).

Comment: Re:Culpability? (Score 3, Informative) 180

by IamTheRealMike (#48546953) Attached to: Uber Banned In Delhi After Taxi Driver Accused of Rape

W.R.T background checks, someone on Twitter has found a photo of a notarised police certificate stating the guy has no criminal record. So either whoever reported he has one is lying, or the police verification process in India is as unreliable as people say it is.

Regardless, I expect it will make little difference in the court of public opinion.

Comment: Re:Culpability? (Score 1) 180

by IamTheRealMike (#48546871) Attached to: Uber Banned In Delhi After Taxi Driver Accused of Rape

If that is the case, and the guy came up clean but yet still went on to do X, how is Uber any more culpable than a taxi company hiring a cabbie with no record, who subsequently goes out and does X, or a tour company hiring a bus driver with a spotless background, who nonetheless does X?

They aren't. But it seems like there's a new trend in town - when a foreign tech company could potentially have guessed that someone using their service might potentially have done something bad, they're automatically at fault. See: Facebook and Lee Rigby in the UK.

In this case, the logic seems fairly simple - the guy apparently had a prior conviction for rape, thus, should not be allowed to be a taxi driver. If Uber had checked then the rape wouldn't have happened (assuming it did). The problem is the guy's prior conviction was also for raping someone in a taxi cab, so obviously this isn't a solution to all such problems because there's always a first time. Another problem is that I've read India doesn't actually have a national conviction database system, indeed they barely have a coherent national identity scheme at all (I remember reading about programmes to try and introduce biometric identity nationwide to fix this but it's a huge job). Apparently the way you do a background check is walking in to the local police district office and asking. If the crime happened elsewhere, tough luck. For anyone who knows the real situation in India, I'd be interested to know if this is true.

Anyway, even with reliable background checks, you can quickly end up in a situation like the USA where former felons cannot get jobs anywhere (see recent /. story about this problem), and then you get rules like in Europe where former convictions get wiped from the record after a few years to stop that happening, so there are no solutions that make everyone happy.

Comment: Re:Who cares (Score 0) 216

by IamTheRealMike (#48500059) Attached to: How the Rollout of 5G Will Change Everything

you think they put in the caps because they don't have enough bandwidth coming from their towers? you, sir, are sadly mistaken. they do it for one reason. PROFIT.

Do you think radio spectrum is an infinite resource?

Mobile networks absolutely have capacity constraints, often very complicated ones that exist in multiple dimensions or vary by region. But that'd be too complicated for people to deal with, so we end up with an approximation of 1 or 2 GB/month. Which by the way is very standard across the developed world. In Switzerland most carriers are also providing this sort of quota and there are several competing, with a new one (UPC) just entering the market now. They are all doing roughly the same thing, although I'm sure they could hoover up customers by offering a lot more bandwidth for the same price. For what most users are doing on the move 1G is currently enough and giving everyone lots more quota would simply result in a small number of people doing craploads of torrenting or downloading multi-gigabyte operating system updates over the air instead of over wires.

You can sum up this situation as "PROFIT!!!1!" if you like, but in reality the market is just optimising for resource usage - building more towers and more backhaul and more core routing capacity so a tiny number of users can chew up 10 GB/month instead of 1 GB/month is just not a good use of limited resources.

Still, bandwidth quotas have gone up over time as technology improved. Remember the days when 3G was new? I wrote a J2ME app back then and we counted every last byte.
