
Comment: Re:Security and Performance? (Score 1) 285

by jeffmeden (#48661777) Attached to: Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi

Looks like the hotels are claiming this is security and performance related.

Mobile hotspots can be used to “launch an attack against [a hotel] operator’s network or threaten its guests’ privacy” by gaining access to credit card numbers or other personal data, the hotel group said in its petition.

Maybe. If the mobile hotspot is called "Marriot Free Wi-Fi" but is operated by someone collecting information on anyone who connects. Then again, this could happen anywhere. This is why you don't connect to strange wi-fi networks. If you must connect to your hotel's wi-fi network, make sure you're connecting to the right one, not just one with the same name. The solution here is guest education (post signs about which Wi-Fi network to connect to, etc), not running a jammer to block everyone else's Wi-Fi signals.

Multiple outside Wi-Fi hotspots operating in a meeting room or convention center can hurt the performance of a hotel’s Wi-Fi network, the group said.

My off-the-shelf router handles multiple wi-fi networks just fine. I connect to my Wi-Fi and my performance isn't degraded because my neighbors run Wi-Fi networks of their own. A hotel should be able to invest in the infrastructure to provide their own Wi-Fi that will work regardless of whether or not I turn my phone's Wi-Fi hotspot on.

The "security" and "performance" claims are garbage. The real reason is that they want to be able to sell you their Wi-Fi service for a ton of cash and it's hard to do this when you can bring your own Wi-Fi network in with you. As gurps_npc pointed out, if we let them do this, how long until they block all cell phone signals because it interferes with the "security and performance" of their phone system?

Educate? The users? Asking users to only connect to "The REAL Marriott wifi" is all kinds of nuts. You might as well issue them an 802.1x username/password since they are as likely to get all that shit right as they are to tell the difference between "Marriott" and "Marriot" and "Marriott Wifi" (and know which one is legitimate). Your best hope is that you are able to give them a unique WPA2 key that would fail when connecting to anything but the right AP. Even then you have to impress on them the importance of actually putting the key in and not just connecting to whatever pops up and doesn't require a key, and since users follow the path of least resistance this option is bound to fail as well. A signed certificate for Wi-Fi SSIDs is hugely overdue, and the fact that we have gone through so many iterations (b, g, a, n, ac) and haven't even taken a crack at it is very disappointing.

While I don't think Marriott, etc should be allowed to do this (since it is clearly in violation of the ISM rules) it's sensible since it was clearly effective (otherwise they wouldn't have lost that judgement).

Comment: Re:Also affects Linux - patch now! (Score 2) 111

by jeffmeden (#48661095) Attached to: Apple Pushes First Automated OS X Security Update

Okay, not an open port, but if you request a time update wouldn't an attacker be able to respond with a spoofed malicious packet? By sending out a request, the (stateful) firewall will usually allow a response back. I'm not an expert, so I'd be interested to see if someone more knowledgeable could explain that in more detail.

From the description of the bugs, they are related to a server being queried and not related to the expected response. So, only when running ntpd as an internet-facing daemon do you have a problem. It's also a much more convoluted attack to spoof a response from a time server, assuming the attacker hasn't used the vulnerability to take control of the one you happen to be using. Since these vulnerabilities are not in a configuration a reputable time server is likely to use (i.e. the NIST servers) the general public is pretty safe.
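The comment above draws the line at whether ntpd is internet-facing, and for classic ntpd that is decided by its `restrict` directives. The Python below is an added example (not code from the thread or from the NTP project) that parses those directives and reports what an unlisted remote host may do; the two configurations it is run against are constructed for the demo.

```python
"""Does this ntp.conf let arbitrary remote hosts talk to ntpd?

Added example for the ntpd discussion above; it is not code from the thread or
from the NTP project. It parses only the 'restrict' directives of a classic
ntpd configuration. The two sample configs are constructed for the demo.
"""


def parse_restrict_lines(conf_text):
    """Return a list of (target, flags) tuples, one per 'restrict' directive.

    target is 'default', an address, or a hostname; flags is the set of
    keywords after it ('mask x.x.x.x' is consumed and not treated as a flag).
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):     # optional address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        target, rest = tokens[0], tokens[1:]
        flags = set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                i += 2                               # skip 'mask <netmask>'
                continue
            flags.add(rest[i])
            i += 1
        entries.append((target, flags))
    return entries


def assess_default_policy(conf_text):
    """Summarise what an unlisted remote host may do, from 'restrict default'.

    With no 'restrict default' line at all, ntpd applies no restrictions.
    'ignore' drops every packet; 'noquery' refuses ntpq/ntpdc control
    traffic; 'nomodify' refuses only runtime changes. Separate -4 and -6
    default lines are merged here for simplicity.
    """
    defaults = [flags for target, flags in parse_restrict_lines(conf_text)
                if target == "default"]
    flags = set().union(*defaults) if defaults else set()
    ignored = "ignore" in flags
    return {
        "has_default_restrict": bool(defaults),
        "remote_can_sync_time": not ignored,
        "remote_can_query": not (ignored or "noquery" in flags),
        "remote_can_modify": not (ignored or "noquery" in flags or "nomodify" in flags),
    }


# Constructed sample: a client-only box that never set a default policy.
OPEN_CONF = """
driftfile /var/lib/ntp/ntp.drift
server ntp1.example.net iburst
server ntp2.example.net iburst
"""

# Constructed sample: a restrictive default policy plus a localhost exemption.
RESTRICTED_CONF = """
driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod notrap nomodify nopeer noquery   # unlisted IPv4 hosts: time only
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap    # LAN may still run ntpq
server ntp1.example.net iburst
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, assess_default_policy(conf))
```

The first sample is the common case the comment is worried about: a box that only meant to be a client but, lacking any `restrict default` line, answers everyone. The second still serves time to anyone (`kod` and `noquery` do not stop that) but refuses control queries and modifications from hosts it was not told about.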

Comment: Re: Does he stand a chance? (Score 2) 160

by jeffmeden (#48660379) Attached to: 'Citizenfour' Producers Sued Over Edward Snowden Leaks

They were hardly cavalier with the information. Our own government allowed a contracted network admin total access to everything... now that's being cavalier.

He had a top secret clearance and worked as a system administrator on some of the lowest level pieces of the NSA's infrastructure (backup systems, etc) meaning that for him to do his job they had no choice but to give him at least some possible paths to get at the data. Whether or not he used stolen credentials to facilitate the access that let him download all the documents is a question still open.

Comment: Re: Does he stand a chance? (Score 3, Insightful) 160

by jeffmeden (#48659983) Attached to: 'Citizenfour' Producers Sued Over Edward Snowden Leaks

That provision only covers money made from the information itself, and not the money made from how the information got divulged, nor information about the information.

It's a subtle but significant difference.

That's presuming that Citizen Four is about simply how the leaks took place, and does not mention any of the material in them. Given the completely cavalier attitude adopted by the central figures (Snowden, Poitras, Greenwald, etc) toward sharing the information, I doubt that this is the case.

Comment: Bioshock feels oddly prescient (Score 1) 430

by jeffmeden (#48654517) Attached to: How Venture Capitalist Peter Thiel Plans To Live 120 Years

His secret — taking human growth hormone (HGH) every day, a special Paleo diet, and a cure for cancer within ten years. "[HGH] helps maintain muscle mass, so you're much less likely to get bone injuries, arthritis," says Thiel. "There's always a worry that it increases your cancer risk but — I'm hopeful that we'll get cancer cured in the next decade [...] a modern nutritional diet designed to emulate, insofar as possible using modern foods, the diet of wild plants and animals eaten by humans during the Paleolithic era. [...] investing in a number of biotechnology companies to extend human lifespans, including Stem CentRx Inc., which uses stem cell technology for cancer therapy. [...] plans to launch a floating sovereign nation in international waters, freeing him and like-minded thinkers to live by libertarian ideals with no welfare, looser building codes, no minimum wage, and few restrictions on weapons.

If anyone played those games and thought "well how could all this batshit stuff all happen in the same place?" now you have your answer.

Comment: Re:Sure... (Score 2) 339

From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.

Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some very sophisticated malware that, oh gee look, matches the Target POS systems exactly down to the firmware rev number.

Comment: Re:Sure... (Score 5, Informative) 339

He is phrasing it incorrectly. The attacks are scripted and BLIND. They don't attack X and skip Y if X is vulnerable. Or attack Y if X is not vulnerable. They attack A - Z regardless of the success or failure of any single attack.

That's not entirely true. It's not clear how many other targets the miscreants who hit Home Depot, Target, etc had, but they did a lot more than scripted attacks (they used social reconnaissance, then spear phishing, then multiple point-of-entry probes, for starters) in order to get inside, and once inside they put a hell of a lot of work into pulling off their attack, and mixed that with a ton of luck in order to actually succeed. The Target hack actually would have been dead from the start if Target trusted their FireEye consultants who tried to warn them of the impending data theft.

Comment: Uh Oh (Score 1) 118

by jeffmeden (#48628955) Attached to: Grinch Vulnerability Could Put a Hole In Your Linux Stocking

"Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September"

While a big deal, Shellshock was very limited in scope and the large scale exploit implications were stamped out very quickly through updates to vulnerable web front-ends (which was just about the only exploitable path, despite so many proclamations that the sky was falling and every internet-connected Linux device will get rooted in a matter of days). If this is as severe as Shellshock, I will take notice but at the same time sigh that it's not going to be very bad at all.

Comment: Re:Solar and sidereal time. (Score 1) 229

by jeffmeden (#48628723) Attached to: Ask Slashdot: What Can I Really Do With a Smart Watch?

A true smartwatch would provide both in addition to time based on UTC. I find it amazing that a purely mechanical watch, albeit those that cost upwards of a quarter of a million dollars can do both (provided you set the cams inside for proper longitude and latitude) but a watch with a computer inside that can do these calculations is unavailable.

Or just buy 3 $10-dollar watches, and save almost 99.99% of your money.

Sidereal timekeeping is done to the absolute rotation of Earth as opposed to the rotation relative to the sun (which changes as we orbit), so a sidereal hour is shorter than a solar hour. You would need to find a $10 watch that drifts at exactly +0.275%, which is not impossible but rather hard to do on the first try.
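The rate offset mentioned above, and the longitude-dependent calculation the earlier comment says a computerised watch ought to do, worked through in Python as an added example (not code from the thread). It uses the USNO approximate formula for Greenwich mean sidereal time; the J2000.0 epoch and the east-positive longitude convention are assumptions stated in the code.

```python
"""Sidereal versus solar time, for the smartwatch comments above.

Added example, not code from the thread. The GMST formula is the USNO
approximation (sidereal hours advanced since the J2000.0 epoch, which is
2000-01-01 12:00 UTC); longitude is taken east-positive in degrees.
"""
from datetime import datetime, timezone

J2000 = datetime(2000, 1, 1, 12, tzinfo=timezone.utc)
# Sidereal hours elapsed per mean solar day (the USNO constant).
SIDEREAL_HOURS_PER_SOLAR_DAY = 24.06570982441908


def sidereal_rate_offset():
    """Fraction by which a clock must run fast to tick in sidereal hours."""
    return SIDEREAL_HOURS_PER_SOLAR_DAY / 24.0 - 1.0


def sidereal_day_seconds():
    """Length of one sidereal day in SI seconds."""
    return 86400.0 * 24.0 / SIDEREAL_HOURS_PER_SOLAR_DAY


def gmst_hours(when):
    """Greenwich mean sidereal time in hours for a timezone-aware datetime."""
    days = (when.astimezone(timezone.utc) - J2000).total_seconds() / 86400.0
    return (18.697374558 + SIDEREAL_HOURS_PER_SOLAR_DAY * days) % 24.0


def local_sidereal_hours(when, lon_deg):
    """Local mean sidereal time: GMST shifted by longitude (15 degrees per hour)."""
    return (gmst_hours(when) + lon_deg / 15.0) % 24.0


def fmt_hms(hours):
    """Format decimal hours as HH:MM:SS, wrapping at 24 h."""
    total = round(hours * 3600) % 86400
    h, rem = divmod(total, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"


if __name__ == "__main__":
    print(f"sidereal day = {sidereal_day_seconds():.2f} s, "
          f"a sidereal clock must gain {sidereal_rate_offset() * 100:.4f}% on solar time")
    now = datetime.now(timezone.utc)
    print("GMST now:      ", fmt_hms(gmst_hours(now)))
    print("LST at 77.07 W:", fmt_hms(local_sidereal_hours(now, -77.07)))
```

The rate offset comes straight from the ratio of sidereal to solar hours in a day, which is why a plain watch would have to run fast by that fixed fraction; the local sidereal time is the part that needs the longitude setting the mechanical-watch comment refers to.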

Comment: Re:How to write a good ticket (Score 1) 229

by jeffmeden (#48628649) Attached to: Ask Slashdot: What Can I Really Do With a Smart Watch?

need access to my smart-phone for various reasons

[...]

various sorts of data access

Part of writing a good ticket is being specific about your use case and not presupposing the solution. From what you've written, the problem is not technical and has nothing to do with a smart watch. The problem is you are forgetful.

If you can be specific about what you are actually doing with your phone, we can give you solutions that may or may not involve a smart watch.

This is it exactly. The solutions to the problem of not having phone-like features attached to your wrist (where you can't forget them) are either a: purchase a several hundred dollar bit of tech that you clearly don't know suits your needs, or b: tie your phone to your fucking wrist.

Comment: Re:I believe it! (Score 1) 48

by jeffmeden (#48624645) Attached to: Startup Magic Leap Hires Sci-Fi Writer Neal Stephenson As Chief Futurist

According to the Magic Leap website, their Dynamic Digitized Lightfield Signal technology permits generating images indistinguishable from real objects.

...provided the real objects are themselves images. Look! That simulated JPEG looks exactly like a real JPEG!

I read it more like "this new gizmo permits generating anything! As long as you have some other way of generating it, then this thing won't get in the way at all!"

The word "enables" sounds more like technology that actually does something, and even that's a stretch. The word "permits" sounds like it's just a link in an otherwise useless chain.

Comment: Re:Depends... (Score 1) 170

by jeffmeden (#48617045) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

I would say that advertising the 'service' as end to end when it isn't even legal for it to actually be end to end is a legitimate moral shortcoming.

The term "end-to-end crypto" says nothing about who else might have the crypto key. Just blindly assuming that no one in the middle has it is a real shortcoming. The only way for a system like you are imagining (where only the caller and receiver have the key) to even work is for you to somehow establish a trusted key with every person you call, on the fly. How do you know no one is in the middle, ready to intercept the key before the first call? The only reason SSL/TLS is reliable is that there is a huge infrastructure of trusted root certificates to validate against (and you have to trust that third party who holds those certs). Guess what they are going to do for encrypted phone calls? The exact same thing.

Knowing that you are talking to who you say you are, and that no one outside of the org you *already* trusted to generate the software and the keys, is the only real assurance. Choosing the right provider of that infrastructure is obviously important. Given that Verizon is a huge, federally regulated company, do you really think anything passing through their hands is going to be immune from law enforcement attempts at seizure? No company at that level, moral or immoral, is going to be immune to state pressure. You should know that by now.
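The two comments above argue that "end-to-end" says nothing about who else holds the key, that an exchange with someone in the middle before the first call is the risk, and that a trusted infrastructure is what makes TLS work at all. The Python below is an added illustration of that argument, not code from the thread nor anything Verizon or Cellcrypt ship: a toy Diffie-Hellman call setup, run once with nothing vouching for the public values and once with a provider-run key directory vouching for them. The group, the handset names, the outsider, and the HMAC standing in for a real signature are all constructed assumptions for the demo.

```python
"""Why an 'end-to-end' key exchange needs someone to vouch for the keys.

Added illustration for the thread above; not code from the post, nor anything
Verizon or Cellcrypt ship. Everything here is constructed: a toy 127-bit
Diffie-Hellman group, two handsets ('alice', 'bob'), an outsider sitting
between them, and a provider-run key directory whose HMAC attestation stands
in for a real digital signature (the standard library has no public-key
signing).
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime: fine for a demo, far too small for real use
G = 2


def dh_keypair():
    """Ephemeral Diffie-Hellman private exponent and public value."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Hash the DH shared secret down to a 256-bit session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class KeyDirectory:
    """The provider's trust anchor.

    It holds a provisioning secret per handset and vouches for
    (handset, public value) pairs. Handsets trust it unconditionally,
    which is exactly the thread's point: the provider, not an outsider,
    is the party that ends up able to see keys.
    """

    def __init__(self, handsets):
        self._secrets = {name: secrets.token_bytes(32) for name in handsets}

    def attest(self, name, pub):
        msg = name.encode() + pub.to_bytes(16, "big")
        return hmac.new(self._secrets[name], msg, hashlib.sha256).digest()

    def verify(self, name, pub, tag):
        return hmac.compare_digest(self.attest(name, pub), tag)


def run_call(directory, authenticated, interposed):
    """Simulate one call setup between alice and bob.

    authenticated: public values travel with a directory attestation.
    interposed:    an outsider swaps in its own public value each way.
    Returns whether setup completed, whether both sides hold the same
    key, and whether the outsider can read the call.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()          # the outsider's own pair
    aborted = {"completed": False, "keys_match": False, "outsider_has_key": False}

    # alice -> bob
    a_tag = directory.attest("alice", a_pub) if authenticated else None
    a_pub_at_bob = m_pub if interposed else a_pub
    if authenticated and not directory.verify("alice", a_pub_at_bob, a_tag):
        return aborted
    # bob -> alice
    b_tag = directory.attest("bob", b_pub) if authenticated else None
    b_pub_at_alice = m_pub if interposed else b_pub
    if authenticated and not directory.verify("bob", b_pub_at_alice, b_tag):
        return aborted

    alice_key = session_key(a_priv, b_pub_at_alice)
    bob_key = session_key(b_priv, a_pub_at_bob)
    # The outsider only ever combines its own exponent with the genuine values it saw.
    outsider_keys = {session_key(m_priv, a_pub), session_key(m_priv, b_pub)} if interposed else set()
    return {
        "completed": True,
        "keys_match": alice_key == bob_key,
        "outsider_has_key": alice_key in outsider_keys and bob_key in outsider_keys,
    }


if __name__ == "__main__":
    directory = KeyDirectory(["alice", "bob"])
    for auth in (False, True):
        for mitm in (False, True):
            print(f"attested={auth} interposed={mitm}:", run_call(directory, auth, mitm))
```

Without attestation, an outsider between the two handsets ends up sharing a key with each side while both sides believe they have a private call; with attestation, a swapped public value fails verification and setup aborts. What the model does not change is that the directory can produce a valid attestation for any value it likes, which is the comment's point that the provider of that infrastructure is the party you are actually trusting.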

Comment: Re:This should be free (Score 0) 170

by jeffmeden (#48614223) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

if the keys aren't private then it is hard to claim the encryption is worth anything..

So all the SSL keys that have been generated by the root CAs aren't "worth anything", because the issuer has a copy of the private key? Seems like a funny system we spend billions of dollars on every year...

Comment: Re:Depends... (Score 3, Informative) 170

by jeffmeden (#48614131) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

From TFA:

"...the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law."

TFA is a plain ol' troll. CALEA indeed requires any switching systems used for voice traffic (land lines and cell phones) to allow for electronic eavesdropping of all calls going through them. The only caveat is that replacing/upgrading every switching system is completely impractical, even in decades-long time frames, so the FCC has been granting extensions for non-compliance. If Verizon went to the FCC saying that they were going to put software in that started to roll back CALEA compliance from any call that happened to be made using a pair of their cellphones running their provided encryption software, they would have thrown the book at them. New systems *do* have to be CALEA compliant.

Comment: Re:Depends... (Score 2) 170

by jeffmeden (#48614087) Attached to: Verizon "End-to-End" Encrypted Calling Includes Law Enforcement Backdoor

My kingdom for a modpoint! This whole submission is a troll right down to the last line, "Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world." Thinking that a large, federally regulated business is going to push a system without a central keystore (what they meant to jab at instead of the "end-to-end" nature) is laughable. Trying to make Verizon out as the bad guy over this is just taking away time that could be spent making them out as the bad guy over legitimate moral shortcomings. But, trolls will be trolls.
