
Comment: Re:Cell phones must stop broadcasting MAC addresse (Score 1) 189

by darthflo (#44540485) Attached to: Londoners Tracked By Advertising Firm's Trash Cans

And, btw, you SHOULD use encryption to browse wikipedia.

Great advice, and not only for the reason you stated. Several recent attacks (BEAST, CRIME, BREACH) will use unencrypted connections originating from your browser to discover information transmitted in its encrypted connections.
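
The compression side channel the comment refers to, as an added example that is not part of the comment or of any cited attack tool. It models the CRIME/BREACH situation in a few lines of Ruby: a response carries both a secret and a string the attacker controls, and the only thing the attacker observes is the compressed length. The page template, the secret and the alphabet are all constructed for the demo.

```ruby
require 'zlib'

# Constructed, hypothetical data: a page template that reflects an
# attacker-chosen query string and also carries a per-session secret.
SECRET    = "csrftoken=7f3a9c2e".b.freeze
PAGE_HEAD = "<html><body><form><input name=q value=\"".b.freeze
PAGE_MID  = "\"></form><p>No results for that query.</p><!-- ".b.freeze
PAGE_TAIL = " --></body></html>".b.freeze
ALPHABET  = "0123456789abcdef".chars.freeze
# Seven distinct bytes >= 0x90. In deflate's fixed Huffman table each costs
# 9 bits rather than 8, which the alignment sweep in `oracle` relies on.
PAD = "\x90\x91\x92\x93\x94\x95\x96".b.freeze

# The victim server: reflects the attacker's string into the page next to the
# secret and compresses the whole response. On the wire the attacker sees
# only the TLS record length, which tracks this value.
def compressed_length(reflected)
  body = PAGE_HEAD + reflected + PAGE_MID + SECRET + PAGE_TAIL
  Zlib::Deflate.deflate(body).bytesize
end

# Sub-byte oracle. Deflate output is bit-packed and rounded up to whole
# bytes, so a one-literal difference can hide inside the rounding. Sending
# the same guess with 0..7 nine-bit padding literals appended and summing
# the eight byte lengths cancels the rounding (the sum equals bits + 7 for
# a fixed-Huffman block), so the guess that extends the LZ77 match by one
# byte is strictly cheaper than every guess that does not.
def oracle(guess)
  (0..7).sum { |k| compressed_length(guess + PAD[0, k]) }
end

# Recover the secret one byte at a time. The known prefix plus the right
# byte is encoded as a longer back-reference into the reflected string;
# the wrong byte costs an extra literal.
def recover_secret(known_prefix, unknown_length)
  recovered = known_prefix.b
  unknown_length.times do
    recovered += ALPHABET.min_by { |c| oracle(recovered + c) }
  end
  recovered
end

if __FILE__ == $PROGRAM_NAME
  puts recover_secret("csrftoken=", 8)
end
```

The attacker needs two things this demo takes for granted: a way to make the victim's browser send many requests carrying chosen strings (a plaintext page with injected script is the usual vector), and a response that compresses the secret and the reflected string in the same block. Disabling TLS/HTTP compression where secrets are reflected, or masking per-response tokens, removes the second condition.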

Comment: Re:Cell phones must stop broadcasting MAC addresse (Score 1) 189

by darthflo (#44540451) Attached to: Londoners Tracked By Advertising Firm's Trash Cans

Find me a bank or online retailer that allows financial accounting data to be submitted over insecure connections instead of SSL.

There are a bunch of ways of working around and/or breaking SSL. Please read up on SSL stripping and the recent series BEAST/CRIME and BREACH. The former will terminate an SSL connection early, rewriting all links and references from http to https. The latter will place an agent script in any http pages requested and use cross-domain requests to disclose secure information.

I think I'll stick with what the IEEE working group came up with[...]

Parent posts' only requirement was to enable network discovery without clients broadcasting probe requests. As long as no hidden SSIDs are involved, this functionality is widely available. Windows (XP and up, as far as I'm aware) will only send probe requests if it is configured to connect to a network with a hidden SSID. iOS is severely broken, Android (again, as far as I'm aware) a bit less so.
Long story short: You don't need to send out your MAC address to discover broadcasting networks. You need it to join them, which is an entirely different matter.
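
The stripping step mentioned in the comment above, as an added example that is not the commenter's code or any published tool: a proxy sitting on the plaintext side rewrites the https:// references in an intercepted page to http://, and the browser-side HSTS check is what stops the downgraded links from ever being requested in the clear. The HTML, the host names and the header values are constructed for the demo.

```ruby
require 'uri'

# Constructed page as the bank's server sent it (hypothetical host).
ORIGINAL_PAGE = <<~HTML.freeze
  <a href="https://bank.example/login">Log in</a>
  <form action="https://bank.example/transfer" method="post"></form>
  <img src="https://static.bank.example/logo.png">
HTML

# What the stripping proxy does to an intercepted plaintext page: every
# https:// reference becomes http://, so the victim's next request is one
# the proxy can read before forwarding it to the real site over TLS itself.
def strip_tls_references(html)
  html.gsub(%r{https://}i, 'http://')
end

# Parse a Strict-Transport-Security header value into a policy hash, or
# nil when the header is missing or carries no valid max-age.
def parse_hsts(header_value)
  return nil if header_value.nil?
  directives = header_value.split(';').map { |d| d.strip.downcase }
  max_age = directives.find { |d| d.start_with?('max-age=') }
  return nil unless max_age && max_age[8..-1] =~ /\A\d+\z/
  { max_age: max_age[8..-1].to_i,
    include_subdomains: directives.include?('includesubdomains') }
end

# Browser-side check: given the HSTS policies this browser has already
# cached (host => policy), must a plain-http URL be upgraded to https before
# any request leaves the machine? If so, the stripped link never reaches the proxy.
def hsts_upgrade_required?(url, cached_policies)
  uri = URI.parse(url)
  return false unless uri.scheme == 'http' && uri.host
  cached_policies.any? do |host, policy|
    next false if policy.nil? || policy[:max_age] <= 0 # max-age=0 clears the policy
    uri.host == host ||
      (policy[:include_subdomains] && uri.host.end_with?(".#{host}"))
  end
end

# Which URLs in a stripped page would this browser still fetch over plain http?
def exposed_urls(stripped_html, cached_policies)
  stripped_html.scan(%r{http://[^"'\s>]+})
               .reject { |u| hsts_upgrade_required?(u, cached_policies) }
end

if __FILE__ == $PROGRAM_NAME
  stripped = strip_tls_references(ORIGINAL_PAGE)
  puts exposed_urls(stripped, {})                                  # all three links
  puts exposed_urls(stripped, 'bank.example' => parse_hsts('max-age=600'))
end
```

Two caveats the check makes visible: a policy without includeSubDomains leaves the static host exposed, and the browser only has a cached policy after one successful HTTPS visit, so the very first connection is still strippable unless the host is on the browser's preload list.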

Comment: Re:Just remove Java and get it over with (Score 1) 193

by darthflo (#42556491) Attached to: Java Zero-Day Vulnerability Rolled Into Exploit Packs

I never heard of anyone getting rooted over a voice-only phone call.

Hi. (Online) Security Officer for a large bank here. I deal with Phishing, Malware and the likes on a daily basis. You are partially right: Most of the attacks we observe tend to rely on an online vector. However, mixed-media has seen a great rise throughout 2012, the most popular attack being phishing coupled with voice-only phone calls.
From our point of view, we can bring a lot of defense mechanisms into our online services, while phone-based authentication isn't quite up to scratch. Leaving phone-based attacks aside, simply forging your signature on a payment order tends to be easier than obtaining access to your online banking account.

That being said: I don't work for your bank and am not aware about its security deployment. If you are interested in banking online but worried about security, shop around and compare security mechanisms. Whenever possible, favor two-factor solutions whose secondary factor is some device that is not connected to your computer (e.g. PhotoTAN, Flickering or a card reader); avoid mTAN and any variations of printed code matrices.

Comment: Re:Can't America get its acts together ? (Score 1) 1059

by darthflo (#42516699) Attached to: Congressman Introduces Bill To Ban Minting of Trillion-Dollar Coin

This sums up the real problem nicely:
"A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the Public Treasury. From that moment on, the majority always votes for the candidate promising the most benefits from the Public Treasury with the result that a democracy always collapses over loose fiscal policy always followed by dictatorship."
-- Alexander Fraser Tyler

But it can. If the population of that democracy is well-educated and far-sighted enough to realize how voting itself money from the Public Treasury would undermine the very basis of their community, it may just last. Case in point: Switzerland, whose employment law already dictates a minimum of four weeks' paid vacation per year recently held a public vote whether said minimum should be extended to six weeks'. The result? 67% of the voting public disliked the idea, a resounding no.

Comment: Re:WUXGA (Score 1) 266

by darthflo (#42476175) Attached to: My favorite resolution for the new year:

If you make it large enough, most people will be happy with a single monitor. I'm a sucker for high resolutions and tend to be very wasteful with screen estate, yet just last week put one screen of my triple head setup (30" 2560x1600, flanked with 20" 1200x1600 in portrait mode on each side) into storage and rarely turn on the remaining 20" screen. 30" and WQXGA will do fine for most purposes.

Comment: Re:Dumb users (Score 1) 57

by darthflo (#42214417) Attached to: How the Eurograbber Attack Stole 36M Euros

Not that dumb, actually:

Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.

Only after entering their cell details will users get an SMS directing them to a ZeuS mobile package. That text was solicited (seconds before, by the user themselves), though, and the banking app actually prompts for a confirmation code that'll only be displayed if the user installs said app.

All in all some naiveté is required, but to me, the whole setup is insidious and intricate enough not to ring any alarm bells in your average user.

Comment: Re:Data plan limits are a scam (Score 1) 202

by darthflo (#34788540) Attached to: Does Windows Phone 7 Have a Data Transmission Bug?

What I want is a committed rate and the option to pay in advance for a higher committed rate.

My cell's data plan includes 500 MB of data per month. That's not a lot, but it's enough for my push E-Mail, some browsing, Android Market downloads and whatnot. Each month spans a duration of some 2.5 million seconds. If I had a committed rate, my data plan would be equivalent to (less than) 200 bps. A 2 MB Download would take three hours. Downloading Skype (at some 15 MB) would take approximately a day. And actually using Skype, I might transmit a second of audio every ten and receive another every other ten seconds.
I prefer to download Skype in a minute and tone back the data use for the rest of the day. Or use the bandwidth I won't be using while asleep for an hour-long call while I'm awake. Long story short, there's a reason server(-style) bandwidth is sold and metered in mbps and consumer bandwidth is sold in GB/month: completely different usage patterns.

Comment: Re:A Snippet from the Criticism (Score 1) 338

by darthflo (#33676908) Attached to: Security Lessons Learned From the Diaspora Launch

That snippet looks bad. But, if the model was implemented right*, it may be close to best practice.
Rails allows you to overload functions. Ideally, Album#destroy would check if the current user is allowed to delete the object and either delete itself or ignore the request if the user isn't authorized to delete it. Implementing security checks at the model level has the great advantage of limiting all security-related functions to a single, easily auditable, consistent code path. The snippet still lacks reporting for permission (or missing album) errors, so it's not really nice, but possibly still secure.
Additionally, photos_controller could be using a before_filter checking if the user is authorized to do whatever he's trying to do. Given the snippet, a matching filter function would have to be rather strange, but it could be done.

* Two problems: The code lacks any exception handling and, as far as I know, relying on the user credentials gathered from the session object in a model is not considered best (or even good) practice. This could be somewhat mitigated if Album#destroy were to allow an optional parameter providing a user [id].
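
The model-level check the comment describes, with the two fixes its footnote asks for (an explicit actor parameter instead of session state in the model, and errors that are raised and reported rather than swallowed), as an added example. This is not Diaspora's code or the commenter's; it is plain Ruby with small stand-ins for the Rails model and controller so it runs without Rails, and the class names, user ids and status codes are constructed for the demo.

```ruby
# Constructed stand-ins; no Rails required to run this.
class NotAuthorized < StandardError; end
class RecordNotFound < StandardError; end

User = Struct.new(:id)

class Album
  @store = {}
  class << self
    attr_reader :store

    def create(id:, owner_id:)
      @store[id] = new(id, owner_id)
    end

    def find(id)
      @store.fetch(id) { raise RecordNotFound, "Album #{id} not found" }
    end
  end

  attr_reader :id, :owner_id

  def initialize(id, owner_id)
    @id = id
    @owner_id = owner_id
  end

  # The single authorization code path the comment argues for. The actor is
  # passed in explicitly rather than read from a session object, so the model
  # stays testable and usable outside a request. Refusal is an exception,
  # not a silent no-op, so the caller can report it instead of answering 200.
  def destroy(actor)
    unless actor && actor.id == owner_id
      raise NotAuthorized, "user #{actor&.id.inspect} may not delete album #{id}"
    end
    Album.store.delete(id)
    self
  end
end

# Minimal controller stand-in (no ActionController). The login check plays the
# role of a before_filter; the rescue clauses turn the model's refusals into
# the status codes the comment says the original snippet never reports.
class PhotosController
  def initialize(current_user)
    @current_user = current_user
  end

  # Returns the HTTP status the action would render.
  def destroy(params)
    return 401 unless @current_user # before_filter equivalent: must be logged in
    Album.find(params[:album_id]).destroy(@current_user)
    204
  rescue RecordNotFound
    404
  rescue NotAuthorized
    403
  end
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1)
  bob = User.new(2)
  Album.create(id: 10, owner_id: alice.id)
  puts PhotosController.new(bob).destroy(album_id: 10)   # 403, album still exists
  puts PhotosController.new(alice).destroy(album_id: 10) # 204
  puts PhotosController.new(alice).destroy(album_id: 10) # 404, already gone
end
```

Because the check lives in Album#destroy, any other caller (a second controller, a background job, a console session) gets the same refusal; the controller only decides how to present it. An unauthorized attempt is distinguishable from a missing record, which is what an audit log or an alerting rule would need.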

Comment: Re:Those names are a mistake (Score 1) 396

by darthflo (#33075166) Attached to: HDMI Labeling Requirements Promise a Stew of Confusion

Consumers would be far better off if the labelling was required to carry the standard name (HDMI 1.3 or HDMI 1.4 with whatever add-on) and a URI pointing to the standards documentation.

Even simpler: Require the (required/tested) bandwidth to be printed on all devices and cables. Cables would be advertised as capable of 5, 10.2 or however many Gbps, devices would sport a table along the lines of 720p = 4 Gbps, 1080i = 6 Gbps, 1080p = 8 Gbps, 1080p60+3D (highest quality) = Over 9000 Gbps. To pick a cable, consumers could look at the packaging, manual or sticker on their devices, pick the greatest mode both devices support and buy a cable capable of at least that throughput. Problem solved, maximum compatibility achieved.

Comment: Re:I'm puzzled (Score 1) 384

by darthflo (#33066874) Attached to: Chevy Volt Not Green Enough For California

That was either a couple of decades ago or they eased up on you because of the pre-existing license. As of now, you'll take a written exam consisting of some 40 questions, most about road signs, some about the right of way on strange intersections. Passing that grants you a learner's permit with which you're expected to take about 15 lessons of driver's ed and a mandatory training programme spanning some three evenings before taking the actual exam of some 45 minutes of driving around with an examiner in the passenger seat who will be watching you quite critically.
Passing that, you get a license for three years during which you'll have to visit two whole days of training. Finally, at the end of those three years, if you haven't had your license withdrawn, you'll finally get the definitive one. Total cost starts at at least $1k (just exam fees and trainings), usually around $2-3k (including driver's ed).

Comment: Re:Customer service (Score 1) 202

by darthflo (#33066618) Attached to: Valve Apologizes For 12,000 Erroneous Anti-Cheating Bans

[...] for 12,000 people, eliminating any chance that they will pay Valve for it [...]

They actually seem to have handed out two copies to every affected account, i.e. 24'000 copies total. If even half of the gift ones end up with people who'll play them, Valve gets an 18'000 player boost to their L4D2 community and 18'000 people who might potentially mention L4D2 to their friends and invite them for a round of play.
Valve gets goodwill by the truckload, a large expansion of their player base and tons of inexpensive (but highly valuable word-of-mouth) marketing, those affected by the ban get a free game to play and one to give away -- everybody wins.

Comment: Re:dual-screen setups... (Score 1) 375

by darthflo (#33063776) Attached to: How Big Is Your Primary Display?

Does not. Windows will gladly do everything related to screen rotation, including adjusting ClearType.
Just be sure to configure them through the Screen Resolution application in your Control Panel, not the driver configuration window. Tested in 7, for other versions: Upgrade and run whatever legacy apps you've around in a VM.

Comment: Re:dual-screen setups... (Score 1) 375

by darthflo (#33063690) Attached to: How Big Is Your Primary Display?

now he has a three-monitor setup with that in the middle and the dual 2007FPs on the sides.

Same here, except with two NEC 2080UXis flanking an HP LP3065. The 20" panel width quite perfectly matches the 30" panel's height, and the awesome mounts of the NECs allow for rotating and matching to the center display with, well, no work at all.
You'll need four DVI channels, though. Two (through a dual-link cable and plug) for the 30" and one each for both 20" displays. I'm not sure if you could handle them both through a dual-link interface, so I threw in a second video card and attached a 1920x1080 projector, which brings the whole system to just above 10 MPixels of display space on 4 sq meters or so.
