Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Comment: 5 min? Actually those keys are STILL on GitHub (Score 1) 119

by gurnec (#48727527) Attached to: Bots Scanning GitHub To Steal Amazon EC2 Keys

In addition to the various other oversights already mentioned, OP doesn't seem to understand Git (or perhaps SCMs in general) given that those (now revoked) keys are still on GitHub -- there was no need for a bot to be all that quick.

Although I wouldn't blame OP for any single one of these oversights -- nobody's perfect -- it's fair to say that it took a number of different oversights / misunderstandings on OP's part for this to become a real problem.

The Courts

Hacker Threatened With 44 Felony Charges Escapes With Misdemeanor 219

Posted by Soulskill
from the my-days-of-not-taking-you-seriously-are-certainly-coming-to-a-middle dept.
An anonymous reader writes: It's no secret that prosecutors usually throw every charge they can at an alleged criminal, but the case of Aaron Swartz brought to light how poorly-written computer abuse laws lend themselves to this practice. Now, another perfect example has resolved itself: a hacker with ties to Anonymous was recently threatened with 44 felony counts of computer fraud and cyberstalking, each with its own 10-year maximum sentence. If the charges stuck, the man was facing multiple lifetimes worth of imprisonment.

But, of course, they didn't. Prosecutors struck a deal to get him to plead guilty to a single misdemeanor charge, which carried only a $10,000 fine. The man's attorney, Tor Eklund, said, "The more I looked at this, the more it seemed like an archetypal example of the Department of Justice's prosecutorial abuse when it comes to computer crime. It shows how aggressive they are, and how they seek to destroy your reputation in the press even when the charges are complete, fricking garbage."

Comment: Re:How did the Constitution Fail? (Score 1) 450

by gurnec (#48341501) Attached to: Joey Hess Resigns From Debian

What are the options, then?

  1. 1. A small handful of individuals who manage to work things out in an amicable way amongst themselves.
  2. 2. A project headed by a benevolent dictator for life (e.g. Slackware).
  3. 3. A governance model that is not dependent on a BDFL, and can scale better than "a small handful of individuals".

Even though option 2 works well for some projects, it's not always ideal. This doesn't seem to be a problem with a simple solution (and it probably doesn't help that not many techies are great at politics).

Comment: Unfortunately, she's not quite that stupid (Score 2) 105

by gurnec (#48290567) Attached to: Video Raises Doubts About Attkisson's Claims of Malicious Hacking

According to WaPo, she claims that this iPhone video was taken in September 2013, and not related to the alleged December 2012 incident. It looks like crooksandliars jumped the gun here.

The rather blatent Dancing with the Stars episode playing in the background may have even been intentional to provide additional credence to the video (the timing is dead on with her claim).

That's not to say she's not otherwise mistaken (or outright dishonest), but this isn't the smoking gun you're looking for.

Comment: Re:Victim Blaming (Score 1) 275

by gurnec (#48229223) Attached to: CHP Officers Steal, Forward Nude Pictures From Arrestee Smartphones

if you're going to store it on someone else's system (iCloud, etc) then this is what happens.

Maybe, but this has been argued to death, no need for a repeat.

First, if you're going to have that crap on your phone

First, if you're going to have that crap on your tablet
First, if you're going to have that crap on your laptop
First, if you're going to have that crap on your home PC
First, if you're going to have that crap in your car
First, if you're going to have that crap in your home

Is that really what you're implying?!? Without more context, it's hard to tell if you're uninformed or just trollin.

Comment: Re:Easy to fake... (Score 2) 109

by gurnec (#48192125) Attached to: China Staging a Nationwide Attack On iCloud and Microsoft Accounts

I don't see a mistakenly created certificate. It looks like it is legitimately for hotmai.com
...
Or another way - if Microsoft is catching typos, why would a nation state be amateurish for doing the same thing?

Microsoft isn't doing the same thing, though. You're right that the (real) hotmai.com site does redirect to outlook.com, however it doesn't have a certificate, nor does it even have https enabled.

Furthermore, the packet capture shows that whoever created it was trying to visit "login.live.com" (it's in the SNI field of the SSL Client Hello message), and so the server should have responded with a cert for that domain, not for hotmail.com nor hotmai.com.

I'll stick by my interpretation that this was amateurish, I just don't know if it was intentionally so.

Comment: Easy to fake... (Score 2) 109

by gurnec (#48191917) Attached to: China Staging a Nationwide Attack On iCloud and Microsoft Accounts

Just an FYI... I've no reason to disbelieve the story, but it would be simple to fake the evidence presented...

I also wonder why the hotmail.com certificate was mistakenly created for the hotmai.com domain... that seems rather amateurish for a nation state. (Of course, perhaps plausible deniability is the reason.)

Regardless of whether or not it's fake, it does serve to point out the intentional flaws of Qihoo’s Chinese 360 "Secure Browser" pointed out by Rosyna above -- certainly a good thing to publicize.

Comment: No exemptions for zero-knowledge services? (Score 1) 82

by gurnec (#47702611) Attached to: Delaware Enacts Law Allowing Heirs To Access Digital Assets of Deceased

A "zero-knowledge" service provider (allegedly) has no access to most of the digital assets stored by their service (e.g. LastPass, SpiderOak, etc.). They store encrypted blobs of data on your behalf, and send you these encrypted blobs at your request. Your PC (and not their servers) then decrypts this data using your password (of which the service provider has no knowledge).

I scanned through the bill, and it doesn't seem to acknowledge that such services exist. It doesn't even acknowledge that passwords themselves may not be retrievable, and instead groups passwords into the same category as other "digital assets."

Now IANAL, and it's entirely possible that some other bit of language in the bill or in a service provider's ToS could help to alleviate this, but if I ran such a service, I'd be a bit concerned....

Comment: Re:They used to call me paranoid... (Score 1) 427

by gurnec (#47634389) Attached to: Ask Slashdot: Life Beyond the WRT54G Series?

When a provider needs to decide on it's next 100,000 "free" routers to provide to new customers, it shouldn't come to anyone's surprise when "cost-effectiveness" turns out to be its first priority. So I'm all for removing as much functionality as possible from any ISP-provider CPE; no wireless, just simple bridging.

But I really must respectfully disagree when it comes to separating out the wireless from the NAT box.

From a security point of view, having two manufacturers and two devices where one would suffice increases the attack surface -- it increases the likelihood that you have a security-related bug somewhere.

It increases the management burden -- now you have twice the number of devices whose firmware you have to keep up to date (if you're security conscience).

It doesn't scale well if you want more than one extra guest SSID or VLAN - sure you could attach a USB hub and half a dozen usb nics, or buy a VLAN-capable smart switch, but do you really want 3 Wi-Fi boxes, 3 unmanaged switches, and one router when just one Wi-Fi router would have worked fine?

There are definitely some advantages to separate wireless boxes. You can run guest SSIDs on different frequencies than your trusted SSID for example for better spectral efficiency. There are also cases where it's more convenient to have a NAT box near the CPE, and a separate Wi-Fi box centrally located. However in the average home setting, a single Wi-Fi/NAT box from a manufacturer with a decent track record is more practical.

Comment: Re:I've moved to Mikrotik (Score 1) 427

by gurnec (#47634123) Attached to: Ask Slashdot: Life Beyond the WRT54G Series?

I own an RB2011 at home too, and I've used both it and other RouterOS-based products professionally, and although they're not perfect, I can certainly recommend them for many cases. Here are a couple of random thoughts off the top of my head:

  • New major firmware versions (once every couple of years) are always buggy, avoid. That said, they're pretty good about releasing regular bug fixes, and they continue to support older routers for quite a while (the 500 series, released in 2006ish, is still supported on their latest firmware for example).
  • They can't seem to get a good OpenVPN implementation, which is a common complaint (but they have a lot of other styles of VPN which generally work well).
  • They use some open source software (e.g. it's Linux kernel based), but they only release the bare minimum required source code. This is definitely not an open tinker-and-recompile OS.
  • It does support virtualization, so you can run e.g. OpenWRT as a guest of RouterOS (yup, your router can have a router). You can also replace RouterOS with OpenWRT without worry of brickage. I haven't done either in a while, so I'm making no claims of either being easy or stable, but it can be done, and reverting back is easy.
  • It's really more business-oriented than consumer-oriented. That means its configuration is very flexible, but also rather complex unless you're used to configuring non-web-based routers.
  • Despite being complex, I find the configuration quite logical. It has no fewer than 4 different configuration interfaces (Web, CLI, Windows-based client app, and an API for automation). All present pretty much the same set of options in similar hierarchical arangements.
  • The documentation is much better than it once was, for most uses it's quite good.
  • The support community (via forum) is pretty good. Occasionally one of the Mikrotik staff will be a bit rude/condescending, but for the most part they're friendly (as are other posters).

+ - Stephen Hawking Was Wrong, So Ignore Whatever Scientists 1

Submitted by Anonymous Coward
An anonymous reader writes "Following Stephen Hawking's latest work on black holes (http://www.nature.com/news/stephen-hawking-there-are-no-black-holes-1.14583), Republican Michele Bachmann has brilliantly deduced that this proves "the danger inherent in listening to scientists" (http://www.newyorker.com/online/blogs/borowitzreport/2014/01/stephen-hawkings-blunder-on-black-holes-shows-danger-of-listening-to-scientists-says-bachmann.html?intcid=obnetwork). Expanding on her thesis, she said, "If black holes don’t exist, then other things you scientists have been trying to foist on us probably don’t either, like climate change and evolution." Her recommendation? All students who were "forced to learn" about black holes should now sue Dr. Hawking for a full refund. But not Bachmann — "Fortunately for me, I did not take any science classes in college,""

"There is no statute of limitations on stupidity." -- Randomly produced by a computer program called Markov3.

Working...