Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Comment: Re:Sure... (Score 1) 234

From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.

They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some very sophisticated malware that, oh gee look, matches the Target POS systems exactly down to the firmware rev number.

Comment: Re:Sure... (Score 4, Informative) 234

He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.

Comment: Uh Oh (Score 1) 116

by jeffmeden (#48628955) Attached to: Grinch Vulnerability Could Put a Hole In Your Linux Stocking

"Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September"

While a big deal, Shellshock was very limited in scope and the large scale exploit implications were stamped out very quickly through updates to vulnerable web front-ends (which was just about the only exploitable path, despite so many proclamations that the sky was falling and every internet-connected linux device will get rooted in a matter of days). If this is as severe as Shellshock, I will take notice but at the same time sigh that it's not going to be very bad at all.

Comment: Re:Solar and sidereal time. (Score 1) 216

by jeffmeden (#48628723) Attached to: Ask Slashdot: What Can I Really Do With a Smart Watch?

A true smartwatch would provide both in addition to time based on UTC. I find it amazing that a purely mechanical watch, albeit those that cost upwards of a quarter of a million dollars can do both (provided you set the cams inside for proper longitude and latitude) but a watch with a computer inside that can do these calculations is unavailable.

Or just buy 3 $10-dollar watches, and save almost 99.99% of your money.

Sidereal timekeeping is done to the absolution rotation of Earth as opposed to the rotation relative to the sun (which changes as we orbit) so a Sidereal hour is shorter than a solar hour. You would need to find a $10 watch that drifts at exactly +0.275% which is not impossible but rather hard to do on the first try.

Comment: Re:How to write a good ticket (Score 1) 216

by jeffmeden (#48628649) Attached to: Ask Slashdot: What Can I Really Do With a Smart Watch?

need access to my smart-phone for various reasons


various sorts of data access

Part of writing a good ticket is being specific about your use case and not presupposing the solution. From what you've written, the problem is not technical and has nothing to do with a smart watch. The problem is you are forgetful.

If you can be specific about what you are actually doing with your phone, we can give you solutions that may or may not involve a smart watch.

This is it exactly. The solutions to the problem of not having phone-like features attached to your wrist (where you can't forget them) are either a: purchase a several hundred dollar bit of tech that you clearly dont know suits your needs, or b: tie your phone to your fucking wrist.

Comment: Re:I believe it! (Score 1) 48

by jeffmeden (#48624645) Attached to: Startup Magic Leap Hires Sci-Fi Writer Neal Stephenson As Chief Futurist

According to the Magic Leap website, their Dynamic Digitized Lightfield Signal technology permits generating images indistinguishable from real objects.

...provided the real objects are themselves images. Look! That simulated JPEG looks exactly like a real JPEG!

I read it more like "this new gizmo permits generating anything! As long as you have some other way of generating it, then this thing won't get in the way at all!"

The word "enables" sounds more like technology that actually does something, and even that's a stretch. The word "permits" sounds like it's just a link in an otherwise useless chain.

Comment: Re:Depends... (Score 1) 164

by jeffmeden (#48617045) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

I would say that advertising the 'service' as end to end when it isn't even legal for it to actually be end to end is a legitimate moral shortcoming.

The term "end-to-end crypto" says nothing about who else might have the crypto key. Just blindly assuming that no one in the middle has it, it is a real shortcoming. The only way for a system like you are imaging (where only the caller and receiver have the key) to even work is for you to somehow establish a trusted key with every person you call, on the fly. How do you know no one is in the middle, ready to intercept the key before the first call? The only reason SSL/TLS is reliable is that there is a huge infrastructure of trusted root certificates to validate against (and you have to trust that third party who holds those certs). Guess what they are going to do for encrypted phone calls? The exact same thing.

Knowing that you are talking to who you say you are, and that no one outside of the org you *already* trusted to generate the software and the keys, is the only real assurance. Choosing the right provider of that infrastructure is obviously important. Given that Verizon is a huge, federally regulated company, do you really think anything passing through their hands is going to be immune from law enforcement attempts at seizure? No company at that level, moral or immoral, is going to be immune to state pressure. You should know that by now.

Comment: Re:This should be free (Score 0) 164

by jeffmeden (#48614223) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

if the keys aren't private then it is hard to claim the encryption is worth anything..

So all the SSL keys that have been generated by the root CAs aren't "worth anything", because the issuer has a copy of the private key? Seems like a funny system we spend billions of dollars on every year...

Comment: Re:Depends... (Score 3, Informative) 164

by jeffmeden (#48614131) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

From TFA:

"...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."

TFA is a plain ol' troll. CALEA indeed requires any switching systems used for voice traffic (land lines and cell phones) to allow for electronic eavesdropping of all calls going through them. The only caveat is that replacing/upgrading every switching system is completely impractical, even in decades-long time frames, so the FCC has been granting extensions for non-compliance. If Verizon went to the FCC saying that they were going to put software in that started to roll back CALEA compliance from any call that happened to be made using a pair of their cellphones running their provided encryption software, they would have thrown the book at them. New systems *do* have to be CALEA compliant.

Comment: Re:Depends... (Score 2) 164

by jeffmeden (#48614087) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

My kingdom for a modpoint! This whole submission is a troll right down to the last line, "Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world." Thinking that a large, federally regulated business is going to push a system without a central keystore (what they meant to jab at instead of the "end-to-end" nature) is laughable. Trying to make Verizon out as the bad guy over this is just taking away time that could be spent making them out as the bad guy over legitimate moral shortcomings. But, trolls will be trolls.

Comment: Re:And knowing is half the battle (Score 1) 48

by jeffmeden (#48574379) Attached to: Army Building an Airport Just For Drones

plus FAA typically only cares when it's a powered craft being used for commercial purposes.

I agree with the rest of your comment, but this part isn't accurate, otherwise GA wouldn't even need a license.

The FAA has only pursued "drone" (R/C) pilots who stay below 700' AGL when they fly for commercial purposes (aka as a business). Plus, you can fly manned ultralights without a license; the FAA steps in with licensing when the craft is above a certain size or carries more than 1 passenger. So, yes and no. I should have said "The FAA typically only cares about unmanned flight when..."

Comment: Re:And knowing is half the battle (Score 0) 48

by jeffmeden (#48573355) Attached to: Army Building an Airport Just For Drones

I guess now we know who pushes those "news stories" about all the near-catastrophic near-misses

The FAA is an example of regulatory capture. It is run by aviators for the interest of pilots and aviation companies, who see drones as a threat to their businesses and jobs. So they push the stories that fit the narrative that drones are an evil threat. The FAAs regulations have become so draconian, that it is technically illegal to toss a frisbee.

You must have a hell of an arm, because the FAA is only responsible for airspace above 700 feet AGL unless you happen to be on or very close to an airport, plus FAA typically only cares when it's a powered craft being used for commercial purposes. And, until there is a standard frozen-drone-through-the-inlet test on jet engines to prove that a strike would be survivable for the aircraft, they do have a duty to take action to prevent a mid-air collision that could kill many tens or hundreds of people.

Comment: Re:Unsustainable business model (Score 3, Insightful) 59

by jeffmeden (#48558339) Attached to: Royal Mail Pilots 3D Printing Service

The makers won't use this service. 3 years ago every hackerspace had a 3D printer, and it was a cool reason to join up. Now, the makers just buy their own printer. The cost has gone down, and designing a 3D object is an iterative interactive process.

There was, and is, and will continue to be, a huge difference in what you can do with a 3d printer that costs a few hundred (currency units) and one that costs a few thousand or tens of thousands of (currency units). A Maker who is not interested in mass producing things but instead wants to create a few interesting objects at a time will probably see a huge benefit to being able to just order up the object (instead of outlaying a huge amount for a printer) from a service that has both a very high quality printer, and a delivery chain to get it to them very fast. How many Makers like that are there? Who knows.

Comment: Re:practical-based certs hold their value (Score 1) 317

by jeffmeden (#48554997) Attached to: Ask Slashdot: Are Any Certifications Worth Going For?

I would argue that certs with practicals (CCIE, JNCIE, RHCE, etc) tend to hold their value much better than those that can simply be gotten by taking tests.

Since he mentioned that he is more into management than programming/engineering, the other very relevant "cert" is the PMI Project Management Professional endorsement. This would be the direction to go if he doesn't want to get deeper into the technical soup of vendor-specific credentials.

Brain damage is all in your head. -- Karl Lehenbauer