Submission + - Ask Slashdot: How to report security incidents to software companies?

jppiiroinen writes: It was a few weeks ago that I found out that Microsoft had shipped their git credentials with one of their software products. I was trying to evaluate whether to trust their software or not; the credentials did allow activity, and I reported it ASAP, deleted everything on the encrypted disk and did a full reinstall of the operating system, as that was the last thing I wanted to have on my computer.

I just started to wonder how on earth it should have been handled, as I am not sure whether the whole report has gone to /dev/null (if any of the guys at Microsoft are reading, check MSRC Case 30746). I have sent a few emails, but no reply at all. Just in case, I also informed the local CERT, in case there is anything I could do, and I gave them the ID as well so that they can map it to me if needed. Anyhow, I just feel frustrated at being ignored, when I feel that I have done them a favor.

As I had the full git log, I could have sent emails straight to the developers themselves to fix the issue (as the fix would have taken 15 minutes or less of their time) and then also filed the security incident ticket so that they would close down the related account. I am not sure whether they have done that, but I do hope they did, as I provided all the necessary information for it (the username, and a guide on how to get the password).

But all in all, have you experienced any company with any transparency, or how have you been handling similar issues, as a reporter or as an employee on the recipient side?

As it stands now, I just feel that I should not have reported anything...
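An added example, not part of the original submission and not anything Microsoft or the poster wrote: a pre-release scan of a build output tree for the kind of material the story describes (a shipped .git directory, a plain-text .git-credentials file, and remote URLs that embed a username and password), producing a report with the secret redacted so it can be pasted into a ticket. The directory layout, the host git.example.com, the alice/hunter2 credential and the ghp_example token string are constructed sample data, not anything from the incident.

```python
"""Added example for this thread (not the poster's tool, nor any vendor's
release process): scan a build output directory for git material that should
never ship, and produce a redacted report that is safe to paste into a ticket.

Flagged kinds:
  git-dir          a .git directory (carries the full log and remote URLs)
  credential-file  .git-credentials / .netrc / _netrc (plain-text secrets)
  url-password     any URL of the form scheme://user:password@host/...
  url-userinfo     http(s) URL with a user part but no password; tokens are
                   often carried there (https://TOKEN@host), so review it

All sample data below is constructed for the demo.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit, urlunsplit

MAX_FILE_BYTES = 4 * 1024 * 1024  # skip large binaries
CREDENTIAL_FILES = (".git-credentials", ".netrc", "_netrc")
URL_RE = re.compile(rb"\b(?:https?|ssh|git)://[^\s'\"<>]+")


def redact(url: str) -> str:
    """Drop the secret but keep what is needed to revoke it (scheme, user, host)."""
    p = urlsplit(url)
    host = p.hostname or ""
    try:
        if p.port:
            host += f":{p.port}"
    except ValueError:  # malformed port; the host name is still useful
        pass
    if p.password is not None:
        netloc = f"{p.username}:***@{host}"
    elif p.username:
        netloc = f"***@{host}"  # the user part may itself be a token
    else:
        netloc = host
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def find_credential_urls(data: bytes, where: str) -> list:
    """Return findings for every URL in `data` that carries user info."""
    findings = []
    for m in URL_RE.finditer(data):
        url = m.group().decode("utf-8", "replace").rstrip(".,;)")
        p = urlsplit(url)
        if p.password is not None:
            findings.append({"where": where, "kind": "url-password", "url": redact(url)})
        elif p.username and p.scheme in ("http", "https"):
            findings.append({"where": where, "kind": "url-userinfo", "url": redact(url)})
    return findings


def scan_tree(root: str) -> list:
    """Walk `root`; .git directories are reported and still descended into."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            findings.append({"where": os.path.join(dirpath, ".git"), "kind": "git-dir", "url": ""})
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in CREDENTIAL_FILES:
                findings.append({"where": path, "kind": "credential-file", "url": ""})
            try:
                if os.path.getsize(path) > MAX_FILE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings.extend(find_credential_urls(data, path))
    return findings


def make_sample_tree(root: str) -> None:
    """Constructed release tree: a shipped .git dir, a credentials file, a token in a log."""
    app = os.path.join(root, "app")
    os.makedirs(os.path.join(app, ".git"))
    files = {
        os.path.join(app, ".git", "config"):
            '[remote "origin"]\n\turl = https://alice:hunter2@git.example.com/team/app.git\n',
        os.path.join(app, ".git-credentials"): "https://alice:hunter2@git.example.com\n",
        os.path.join(app, "build.log"): "fetching https://ghp_example@github.com/team/dep.git ok\n",
        os.path.join(app, "README"): "clone with ssh://git@git.example.com/team/app.git\n",  # benign
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)


def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return path-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        findings = scan_tree(tmp)
    for f in findings:
        f["where"] = os.path.relpath(f["where"], tmp).replace(os.sep, "/")
    return sorted(findings, key=lambda f: (f["kind"], f["where"]))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:16} {f['where']}  {f['url']}")
```

The report keeps the username next to a redacted password because that is what the recipient needs to find and revoke the account; a bare user part in an https URL is masked entirely, since personal access tokens are commonly passed that way. A plain ssh://git@host URL is deliberately not flagged.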

Comment Thanks guys! (Score 1) 178

I see that many of you prefer the idea of having stuff encrypted and stored in many different locations, some in the cloud and some on your own property.

The topic itself might be easy to answer, but I feel that it is not that simple, and there is no single right answer either.

For example, the data (pictures, videos, etc.) might have value for the younger generation, but if you encrypt it, it will be gone after you are away. I know that is a far-fetched topic, but still valid. I think one big question is how you document all the places where your data is stored, and in which format, for the younger generation, so that they can access it and know that it is there.

For the physical devices, like the old disks, the weak point has been the controller boards, and as for the floppies, I must have stored them near speakers or the like. CDs and DVDs must have gotten too much UV radiation from the sun. Once I did try to keep up with the storage media wars, but it was too time-consuming and error-prone as well. And I did set up an offsite backup, but the upload bandwidth was too narrow to handle the huge data uploads, some days 32-64 GB of raw images.

Over the years I have been thinking that maybe it would make more sense to develop some kind of software for data-to-paper conversion, such as High Capacity Color Barcodes. Then I could just write software which would convert the data into raw photo files and then ask some shop to print them on real photographic paper. This way the data would be accessible to the next generation and would be kept private, while the source code and technical papers would be made available as open source. But having something like that might not be doable right now, given that the resolution the images can have might not be good enough to store more than a few hundred kB per image. But it would be good enough for storing some source code. Does this sound like a good idea? If it does, I could start to work on it on GitHub in my spare time.

For this I did one experiment a few years ago, where I was checking how fast I could transfer data using barcodes. I made software which synchronized data between a mobile phone and a desktop without any cables or wireless connections. It was just using the display and the camera. The funny part is that the laptop failed and the data was lost, but the idea was simple and it worked.

But I do thank you for your time, and I feel a lot better knowing that I am not the only one puzzled by this long-term data storage issue.
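An added example illustrating the data-to-paper idea in the comment above; it is not the poster's experiment and does not implement Microsoft's High Capacity Color Barcode. It assumes a plain black/white grid with one bit per cell, written as a binary PGM image at 4x4 pixels per cell with a one-cell quiet zone, and adds the integrity check a practitioner would want before trusting a scanned sheet: a length header plus a CRC32, so that a faded or misread cell is detected rather than silently accepted. The sample payload is constructed for the demo.

```python
"""Added example for this thread: a minimal data-to-paper codec with an
integrity check. Not the poster's code and not Microsoft's HCCB format.
Assumptions: one bit per black/white cell, MODULE x MODULE pixels per cell
in a binary PGM (P5) image, a one-cell white quiet zone on every side.
"""
import math
import struct
import zlib

HEADER = struct.Struct(">II")  # big-endian: payload length, CRC32(payload)
MODULE = 4                     # pixels per cell; bigger survives print/scan better
QUIET = 1                      # quiet-zone width in cells


def frame(payload: bytes) -> bytes:
    """Prefix the payload with its length and CRC32."""
    return HEADER.pack(len(payload), zlib.crc32(payload)) + payload


def unframe(framed: bytes) -> bytes:
    """Inverse of frame(); raises ValueError on truncation or CRC mismatch."""
    if len(framed) < HEADER.size:
        raise ValueError("frame too short")
    length, crc = HEADER.unpack_from(framed)
    payload = framed[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("frame truncated")
    if zlib.crc32(payload) != crc:
        raise ValueError("CRC mismatch: image damaged or misread")
    return payload


def to_grid(data: bytes) -> list:
    """Bits MSB-first, row-major, in the smallest square grid; zero-padded."""
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    side = math.isqrt(len(bits))
    if side * side < len(bits):
        side += 1
    bits += [0] * (side * side - len(bits))
    return [bits[r * side:(r + 1) * side] for r in range(side)]


def from_grid(grid: list) -> bytes:
    """Inverse of to_grid(); padding is dropped later by unframe() via the length."""
    bits = [cell for row in grid for cell in row]
    out = bytearray()
    for i in range(len(bits) // 8):
        byte = 0
        for bit in bits[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def render_pgm(grid: list) -> bytes:
    """Render as 8-bit binary PGM: cell 1 -> black (0), cell 0 -> white (255)."""
    n = len(grid)
    w = (n + 2 * QUIET) * MODULE

    def shade(x, y):
        gr, gc = y // MODULE - QUIET, x // MODULE - QUIET
        return 0 if 0 <= gr < n and 0 <= gc < n and grid[gr][gc] else 255

    px = bytes(shade(x, y) for y in range(w) for x in range(w))
    return b"P5\n%d %d\n255\n" % (w, w) + px


def read_pgm_grid(pgm: bytes) -> list:
    """Parse a PGM from render_pgm() and sample the centre pixel of each cell."""
    magic, dims, maxval, data = pgm.split(b"\n", 3)
    if magic != b"P5" or maxval != b"255":
        raise ValueError("unsupported image format")
    w, h = (int(v) for v in dims.split())
    if w != h or w % MODULE or len(data) != w * h:
        raise ValueError("unexpected image geometry")
    n = w // MODULE - 2 * QUIET

    def cell(gr, gc):
        y = (gr + QUIET) * MODULE + MODULE // 2
        x = (gc + QUIET) * MODULE + MODULE // 2
        return 1 if data[y * w + x] < 128 else 0  # dark centre pixel == 1

    return [[cell(gr, gc) for gc in range(n)] for gr in range(n)]


def encode(payload: bytes) -> bytes:
    """Payload -> printable PGM image."""
    return render_pgm(to_grid(frame(payload)))


def decode(pgm: bytes) -> bytes:
    """PGM image -> payload, or ValueError if the integrity check fails."""
    return unframe(from_grid(read_pgm_grid(pgm)))


def damage(pgm: bytes, r: int, c: int) -> bytes:
    """Simulate a print/scan defect by inverting every pixel of data cell (r, c)."""
    magic, dims, maxval, data = pgm.split(b"\n", 3)
    w = int(dims.split()[0])
    px = bytearray(data)
    for y in range((r + QUIET) * MODULE, (r + QUIET + 1) * MODULE):
        for x in range((c + QUIET) * MODULE, (c + QUIET + 1) * MODULE):
            px[y * w + x] ^= 0xFF
    return b"\n".join([magic, dims, maxval, bytes(px)])


def verify(pgm: bytes) -> bool:
    """True if the image decodes and its CRC checks out."""
    try:
        decode(pgm)
        return True
    except ValueError:
        return False


SAMPLE = b"constructed sample: int main(void) { return 0; }\n"  # not real archive data
```

Written to disk, the bytes from encode() are a valid .pgm that any image tool or print shop can rasterize; the decoder samples only the centre of each cell so that a little edge blur survives, and a single inverted cell inside the payload is caught by the CRC. Real paper archival would add error correction (Reed-Solomon, as in QR codes) so a damaged sheet can be repaired rather than merely rejected; that is left out here.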

Submission + - Ask Slashdot: Who do you trust with your long-term data? 1

jppiiroinen writes: A Finland-based company, F-Secure Oyj, has sold its cloud storage business Younited to a US company (Synchronoss Technologies, Inc.) which has been speculated to have NSA connections ([1], [2]). Earlier, in their public announcements, they used arguments equivalent to "trust us, your data will be safe".

I know it is obvious that F-Secure realized that competing against the big players, such as Google and Dropbox, might not make any sense.

However, it makes me wonder:
Who do you trust with your data?
And who really owns it?
What about 3-6 years from now?
How should I make sure that I retain access to today's data 20 years from now?

I am sure that I have a lot of floppies and old IDE disks from the 90s around here, but no means to access them, and some of the CDs/DVDs have gone bad as well. And now, in the time of SSDs, there is no physical data writing, which might make data recovery impossible.

Link to Original Source

Comment Not really, a licensing deal for their Nokia brand (Score 1) 60

I think that the story has misleading content, as it is not Nokia itself; it is just some OEM from China with a license to use the Nokia brand.

From their press release [1]:

"The N1 will be brought to market in Q1 2015 through a brand-licensing agreement with an original equipment manufacturer (OEM) partner responsible for manufacturing, distribution and sales."

"The OEM partner is responsible for full business execution, from engineering and sales to customer care, including liabilities and warranty costs, inbound IP and software licensing and contractual agreements with 3rd parties"

[1] http://company.nokia.com/en/ne...

Submission + - Nokia paid millions of euros for stolen signing keys

jppiiroinen writes: I find it very odd that back in 2007-2008, when Nokia had a huge market share with Symbian devices, they did not disclose the information that somebody had stolen their encryption keys, being a listed company after all. They even ended up paying millions of euros, and the local Finnish police managed to fail to investigate who was behind it.

The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company.
