
Comment: Re:If you are ABLE to be a hooker, detain you? (Score 1) 261

by khasim (#49494575) Attached to: FBI Accuses Researcher of Hacking Plane, Seizes Equipment

I hereby claim that I have hands, therefore I am able to stab someone. Should I be detained and my property seized because I am ABLE to commit a crime?


The government does NOT do jokes about fucking with airplanes.

I guarantee you that if you were walking around an airport with a knife talking about how you COULD stab then you'd be detained. And they'd probably keep your knife.

Comment: Re: For work I use really bad passwords (Score 1, Insightful) 136

by khasim (#49476647) Attached to: Cracking Passwords With Statistics

Read to the end for a secret revelation.

One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling.

The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).

A different password but does it still have the same "reset answers" that the other category does?

And you are depending upon the admins of those sites to correctly secure them and keep those sites secure for THEIR ENTIRE EXISTENCE.

And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

Just about all of the damage can be reversed. It's just a matter of how much time and how much money is lost doing so.

This is about preventing the damage before it costs you time and money.

Your Amazon account should NOT have the same password that your eBay account has. No matter how much you trust either of them.

My PayPal and banking accounts have their own passwords, ...

And they should have their own email accounts tied to them. If someone cracks your GameYouUsedToPlay.com account that should NOT give them the email address you use at your bank.

Now, for the secret revelation!

Passwords WERE once used for security.

NOW they are mostly (99.9%+) used for MARKETING. That is why almost all the sites out there require a unique login. And those sites are very lax with their MARKETING data (your username/password/answers).

Once you understand that (and what information you are leaking when you give it to them) you can make better decisions on how much RE-USABLE information you want to give them.

Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

Comment: Re: For work I use really bad passwords (Score 4, Insightful) 136

by khasim (#49475721) Attached to: Cracking Passwords With Statistics

It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.

1. keylogger
2. some reduction attack
3. pass the hash
4. fake authentication request & server
5. etc

By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.

For non-work websites just remember 2 things:
b. If it is financial, don't use the same username/email-address as other sites.

Comment: Re:How many times .... (Score 2, Insightful) 33

by khasim (#49465439) Attached to: Book Review: Networking For System Administrators

Sure, the problem is probably not Machine X can't connect to Machine Y, and more likely to be VLAN 17 can't initiate a connection to VLAN 56 over port 8080, but maybe you're the only one at your company who needs to make that particular connection at that time.

And you call it in and the network engineer will ask some questions:

a1. Has this ever worked in the past? (they will always answer "yes")
a2. When was the last time you know it was working? (50% "yesterday" 50% "last week")
a3. Has anything changed on the boxes or were they moved? (100% no nothing same as always)

b1. Is this a new install? (95% of the time this will be the problem but they will only admit it 1% of the time)

But if your network has dozens of VLANs, multiple gateways and complex firewall rules, it very well could be a network issue that so far only you have experienced.

And the change control logs should IMMEDIATELY show you where the problem is, in that case.

In my example, if VLAN 17 and VLAN 56 are QA networks, there's a reasonable chance your network team won't give a shit and it'll take them a week to even take a look, so it's probably worthwhile as a sysadmin to make sure that A) Machine X is actually sending the data out the network interface and B) Machine Y isn't receiving the data and just discarding it.

That's the problem. Change control shows no changes on 17 or 56 in the last 6 months.

The alarm systems show no changes.

I can pull up the data on the ports X & Y are using in 30 seconds. No errors showing.

In another 30 seconds I can check all the stats for 17 & 56.

The network is SIMPLE! It really is. Troubleshooting a connection issue takes a few minutes at most.

In your example, the sysadmin will just say "the network is the problem" when the REAL PROBLEM is that the LATEST UPDATE of his app means it now listens on 443 instead of 8080.

And a quick Google search will bring up page after page of references to that just using the app name and the app version number.
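The comment above argues that the sysadmin should rule out "Machine Y isn't listening" (for instance because an update moved the app from 8080 to 443) before blaming the network. The following is an added example, not code from the Slashdot comment or any project it mentions: a small TCP connect check that separates "connection refused" (host reachable, nothing listening on that port) from "timeout" (filtered or unroutable, the case worth raising with the network team). The host, expected port and alternate-port list are whatever the sysadmin supplies; the 8080 to 443 case is only the illustrative default here.

```python
"""Added example: classify a TCP connect attempt so the app can be ruled out
before a "network problem" is reported.

Assumptions: plain TCP connect semantics; hosts and ports are supplied by the
caller. The loopback listener below exists only so the demo runs offline.
"""
import socket


def classify_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connect and classify the outcome.

    'open'    - a listener answered: network path and service both work
    'refused' - host answered with RST: reachable, but nothing listens there
                (look at the app config or its latest update, not the network)
    'timeout' - no answer at all: filtered or unroutable; this is the one to
                take to the network team
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            return f"error:{exc.errno}"


def diagnose(host: str, expected_port: int, alternate_ports=(443,),
             timeout: float = 2.0) -> str:
    """Check the expected port; if refused, see whether the service moved ports."""
    result = classify_tcp(host, expected_port, timeout)
    if result == "open":
        return f"{host}:{expected_port} reachable; not a network problem"
    if result == "timeout":
        return (f"{host}:{expected_port} filtered or unreachable; confirm the "
                f"sender is transmitting, then ask the network team")
    if result == "refused":
        for alt in alternate_ports:
            if classify_tcp(host, alt, timeout) == "open":
                return (f"{host}:{expected_port} refused but {alt} is open; "
                        f"the service moved ports (check its config/update)")
        return f"{host}:{expected_port} refused and no alternate port open; service not listening"
    return f"{host}:{expected_port} {result}"


def local_listener():
    """Start a loopback listener on an ephemeral port (demo/test helper)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Pick a loopback port that nothing is listening on (demo/test helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed scenario: the app "moved" from the expected port to another one.
    srv, actual_port = local_listener()
    expected_port = free_port()
    print(diagnose("127.0.0.1", expected_port, alternate_ports=(actual_port,)))
    srv.close()
```

The interpretation of each outcome is what matters: a refused connection means the packets arrived and the host answered, so the question goes to the application owner; only a silent timeout leaves the network as a candidate.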

Comment: How many times .... (Score 2, Interesting) 33

by khasim (#49464939) Attached to: Book Review: Networking For System Administrators

If there really is a "network problem" then it won't be just your machine that cannot connect to some other machine.

It would be lots of people and/or machines that would not be able to talk to lots of other machines and/or people.

And the network rarely experiences "problems" that only show up after you've applied a patch.

Bad things come from network and systems folks not understanding each other.

As a network engineer, I can quote almost EXACTLY what the sysadmin will say. Understanding them is easy.

Communicating something they do not want to hear is the issue.

Comment: Re:If you demand all your supporters be flawless.. (Score 4, Insightful) 653

by khasim (#49413465) Attached to: Carly Fiorina Calls Apple's Tim Cook a 'Hypocrite' On Gay Rights

"Hypocrisy" has a clear definition. Tim Cook is NOT a hypocrite on that issue. Fiorina is WRONG.

The worst that can be said is that Tim Cook has a "double standard" when it comes to advocating for gay rights in the USofA vs other countries.

Yet he also appears to be effective in advocating for gay rights in the USofA. Where is Fiorina's advocacy?

Fiorina is being a "concern troll" on these issues.

Even worse, she is being a concern troll for topics that she does not personally support. How much Saudi business did she turn down at HP? How much of her money has she spent on advocating for gay rights?

Comment: Review often. Review quickly. (Score 2) 261

Make sure that everyone knows what they're supposed to do, what's expected, and when it's due. It's really not that hard, except that apparently it's really hard.

The problem is that the day-to-day emergencies get in the way of the 11-month-projects.

But the day-to-day emergencies are soon forgotten and the 11-month-projects are what you are judged on.

Most people here are probably familiar with the "annual performance review" and how much they hate it. So drop it.

Instead, replace it with a LOT of shorter, more frequent reviews. Weekly if possible. Every 4 weeks at the very latest. Lasting between 10 and 15 minutes. Then the annual review for HR is simply a roll-up of 52 weekly reviews.

This helps because EVERYONE knows what the situations are AT ALL TIMES.

There will be problems and the sooner you've identified them and resolved them (or mitigated them) the better.

Comment: Re:How 'bout.. (Score 1) 212

While the semantics over what was 'authorized' can be debated, that large numbers of agency personnel had access to the data to troll at their leisure without fear of reprisal still hasn't been refuted.

And, apparently, there were no safeguards set in place to detect such activities.

It SHOULD have been easy to have a few internal people randomly checking the legality/applicability of searches.

From TFA:

Those who don't pay too close attention think the NSA is out there gathering up whatever it can without rhyme or reason. But, in fact, [collection] is in response to things called intelligence requirements, which are made through a big, formal process across the executive branch, by which different parts of the policy apparatus articulate needs for information.

If those statements were accurate then Snowden's "betrayal" would be meaningless.

You cannot have it both ways.

Comment: Re:Money (Score 1) 353

by khasim (#49366117) Attached to: Former HP CEO Carly Fiorina Near Launching Presidential Bid

And that's not all. From her Wikipedia page:

Following an August 4, 2010, federal court ruling that Proposition 8 was unconstitutional, Fiorina expressed disagreement with the ruling, saying that California voters spoke clearly against same-sex unions when a majority approved the proposition in 2008.

And she wants to lead the Executive Branch?

Majority != Constitutional.

And she's got a bit of money. So .... what's she been doing with it AS A PRIVATE INDIVIDUAL to help with any of the "problems" that she's talking about?

So far it looks like a lot of paid speaking engagements. She is paid to be "concerned" but she doesn't fund anything herself.

Comment: How is it a "rite of passage"? (Score 4, Insightful) 49

by khasim (#49361155) Attached to: Startups Increasingly Targeted With Hacks

They're getting cracked because they're not paying attention to their security.

After resetting users' passwords, Twitch initially introduced longer password character requirements, but had to dial back its new 20-character password length requirement to 8 characters after users complained.

Fuck you! If you cannot detect and mitigate a brute force attack then hire someone who can.

Twitch also said it encrypted passwords, but warned that hackers might have been able to capture passwords in the clear as users were logging on.

And make sure you know the difference between encrypted and hashed.

Comment: Re:Yes, but.... (Score 3, Interesting) 267

by khasim (#49349791) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

Let's be a bit more specific about that.

If they're restricting the length to something like 8 or 12 or 16 instead of 128 or 256 then they are PROBABLY not hashing the passwords.

Which means that your password is PROBABLY being stored in plain text (or possibly encrypted). NEITHER of which are acceptable methods today.
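The comment above (and the earlier one on the Twitch breach, on knowing the difference between encrypted and hashed) makes a simple point: a salted, slow hash produces a fixed-size record no matter how long the password is, so a site that caps passwords at 8 or 16 characters has some other reason for the cap, typically a fixed-width column holding the plaintext or a reversibly encrypted copy. The following is an added example, not code from the Slashdot comments or from any site they discuss; it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count is illustrative rather than a production recommendation.

```python
"""Added example: a hashed password store beside the plaintext design that a
short length cap hints at.

Assumptions: PBKDF2-HMAC-SHA256 as the password hash; the work factor below
is illustrative only; both stores are in-memory toys.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # illustrative work factor
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the digest is DIGEST_BYTES long for any input."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=DIGEST_BYTES)
    return salt, digest


class HashedStore:
    """Keeps only salt + digest; the plaintext is never written anywhere."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> int:
        salt, digest = hash_password(password)
        self._users[user] = (salt, digest)
        return len(salt) + len(digest)   # bytes stored, independent of len(password)

    def check(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)   # constant-time compare


class PlaintextStore:
    """The design a short cap suggests: a fixed-width column of plaintext."""

    def __init__(self, column_width: int = 8) -> None:
        self.column_width = column_width
        self._users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> int:
        # The column width becomes a hard maximum on password length.
        if len(password) > self.column_width:
            raise ValueError(f"password longer than {self.column_width} characters")
        self._users[user] = password
        return len(password)   # bytes stored grow with the password

    def check(self, user: str, password: str) -> bool:
        return self._users.get(user) == password


if __name__ == "__main__":
    hashed = HashedStore()
    print(hashed.register("alice", "correct horse battery staple"))   # 48
    print(hashed.check("alice", "correct horse battery staple"))      # True
    plain = PlaintextStore(column_width=8)
    try:
        plain.register("alice", "correct horse battery staple")
    except ValueError as err:
        print(err)
```

The hashed store accepts a 5-character and a 200-character password with the same 48-byte record, which is why a low maximum length is a reasonable signal that hashing is not happening; the plaintext store has to reject anything wider than its column.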

Comment: Re:change your username (Score 1) 267

by khasim (#49349671) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

Seconded on the different email addresses. And you don't have to own your own domain for that. Just make some random-ish gmail account and use that ONCE for more secure requirements (like your bank).

The trick is to prepare them in advance. And write them down in a PHYSICALLY secure location.

If you're using the same email account for your bank as you use on Facebook then your security could be improved.

Comment: Re:Black and White (Score 1) 177

by khasim (#49349595) Attached to: German Auto Firms Face Roadblock In Testing Driverless Car Software

Well because the mass amount of data that would be grabbed in the event of an accident would far overshadow a reasonable amount of capture memory during normal driving, which would utilize a lesser set of sensors and maybe lower grade video, which didn't have to factor into the explanation for the accident.

256GB of flash is just over $100 right now. Storage is not a problem. Even AIRCRAFT do not have a problem with storage and they have a LOT more data to store.

Step 2 would include choices such as hit the brakes if it would work. I just used summary steps to make it easy to understand.

Taking power from the engine is NOT the same as braking.

Taking your foot off the gas is NOT the same as stepping on the brake.

Seriously. Try it on a hill. You might end up going FASTER at the bottom of the hill than at the top.

Your plates store information about your car, hence you know from looking the number up, everything to know about the car via reference lookup.

Make/model/year/VIN/owner/owner's address. And maybe whether it passed inspection or not.

How will knowing the VIN tell you anything about hitting it?

Or the owner's address?

Or the owner's name?

Or any of the other information?

And what happens when the site you're trying to use to look up that useless information is slow?

Comment: Re:Black and White (Score 1) 177

by khasim (#49349139) Attached to: German Auto Firms Face Roadblock In Testing Driverless Car Software

If not, how will you avoid hitting him if he suddenly decides to sprint and jump in front of your car?

That would be "suicide".

And the sensor logs of the car should be able to show that it was suicide.

But more to the point, how would that situation be any different in a faster-reacting-autonomous-car than in a human-controlled-car?

Or are you postulating a world where there are no cars because someone might try to commit suicide by jumping in front of one?
