Please create an account to participate in the Slashdot moderation system


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:Tipping point? (Score 1) 82

Platter technology will end up being pushed to the NAS/SAN, which is why WD is making their red line of drives.

Perhaps HDDs, now that speed and capacity are secondary, they will start evolving down the path of reliability, perhaps replacing tape as an archival medium.

NAS drives are going to be a big market, especially with devices like Apple's new MacBook with limited expansion capability, so people will use WiFi Direct hard drives as their main backup source, as opposed to USB drives. In this use, capacity is limited on the MacBook, and speed is limited, so drive makers (hopefully) will end up working on leapfrogging each other for reliability and security.

Comment: Re:Prepare to restore from backup often (Score 3, Interesting) 234

by mlts (#49350169) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

I have a third option: An admin passphrase that is a lot longer than my user passphrase, but had more retry attempts. That way, if the short passphrase gets typoed, I can still unlock the device with the admin one.

You are right about backups... that is why I have three of the USB tokens, just in case.

Comment: Re:Why SSD in a "do-nothing" PC ? (Score 1) 82

Had a similar choice when giving a laptop to a relative. I went SSD instead of SSHD because SSDs are physically more resistant to shock.

However, if given the choice with a desktop... I'd probably still use SSD, just because when I delete a file and fstrim the drive, the file is -gone- for good, since the drive controller will come around, write "1"s to all the pages that file used and call it done. Of course, keeping good backups when using SSDs is wise, just due to this exact thing.

Comment: Re:Still not allowed by many places. (Score 1) 234

by mlts (#49349543) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

I wonder if the ideal password manager would be one that would use a typed in password as a seed/IV (hash a seed and the sitename), with exceptions stored for sites which don't allow passwords generated with that tool to work. Some sites require a number, a capital letter, lower case letter, a symbol (well, not all symbols work), or some other random, annoying combination of the above.

Of course, the ideal password manager would store the password database with a master volume key, then each device accessing it would have the MVK encrypted to its public key. This way, if someone wants to add a device, they just allow access on another device. If someone wants to remove access, it is doable, but it would be wise to re-encrypt the DB to a new key for security. This is how PGPDisk did its encryption, and it completely deters brute-forcing, should someone get access to the data stored on the cloud, since there is no password, so the attacker has to deal with the entire key's keyspace.

Since the private key is on the device, the user just needs a PIN to unlock (with a timeout after too many wrong attempts), rather than a longer passphrase. Both iOS and Android have secure storage (KeyChain for example) which makes this easy to implement securely.

Comment: Re:Memorizing site-unique passwords isn't possible (Score 5, Informative) 234

by mlts (#49349459) Attached to: Generate Memorizable Passphrases That Even the NSA Can't Guess

I prefer 2FA when possible. Even a very tough password means nothing if by some means, it gets sniffed by some keylogger, or the password database on a cloud provider gets brute-forced.

For storage where one is using a passphrase for encryption, as opposed to authentication, I like using cryptographic tokens. TrueCrypt used to work with a PKCS#11 library so I could store a keyfile on a set of Aladdin/SafeNet eTokens. This not just made the key immune to brute force guessing... someone who physically possesses the token has three guesses of my unlocking passphrase before the token locks itself forever and zeroes out the stored keyfile. This also works with Symantec's PGP version, except that generates a public/private keypair, the private keypair always remaining on the token, while the public part is used for the file/drive encryption.

If 2FA isn't possible, then as above, some mechanism to help with password reuse is very wise. This is useful just in case some website decides to store passwords in plain text, so a person's secure "correct horse battery staple" is now compromised and added to every blackhat's brute forcing library.

Comment: Re:Run as user AND back-ups (Score 1) 166

by mlts (#49349239) Attached to: NJ School District Hit With Ransomware-For-Bitcoins Scheme

All consumer level ones are that shitty. Time Machine does have some OS level protection, but most just dump data to an external drive. Overwriting the files or just a format of the filesystem can easily destroy that backup.

Windows Server Essentials 2012 R2 has "pull" functionality to grab data from desktops. Another utility is Retrospect which can have a client installed on desktops.

Of course, the ideal would be a backup appliance like an EMC Avamar that deduplicated. Think Time Capsule, except that the appliance initiated the backups, stored them securely, and did the deduplication. Add decent disk encryption (perhaps a startup password or PIN entered on the appliance's webpage to mount the backup drives), and this would help versus malware.

Comment: Re:Run as user AND back-ups (Score 1) 166

by mlts (#49348067) Attached to: NJ School District Hit With Ransomware-For-Bitcoins Scheme

Most backups would be erased or encrypted by the ransomware. The problem is that people think in terms of disk failures or hardware failures, so have their backup solution based around this. Just this in mind, going with two SANs that replicate with each other asynchronously is the best thing to do, since the data is always available.

However, this doesn't factor in software designed to corrupt/encrypt backups over a long haul. This is going to take a dedicated backup server that pulls backups and stores them in a place where a machine cannot access (and thus tamper) with stored data. It also takes a long data retention policy, just in case.

However, in a lot of places, backups are like security -- they are viewed as having no ROI, so at best, you might get some mechanism to stash stuff on disk, but if a machine can back up to the disk directly, it likely can erase/modify stored data.

Comment: Same can happen at a cloud provider... (Score 1) 257

by mlts (#49338889) Attached to: RadioShack Puts Customer Data Up For Sale In Bankruptcy Auction

One scenario that I worry about with cloud providers is exactly this. The provider goes bankrupt, sells all data to someone else, and they now have all the servers and can use the container information, free, clear, with nothing the clients of the former cloud provider able to do about it legally, barring copyright violations.

Both Borders and RS both show a lesson -- yes, there is a privacy policy with company "A", but when the servers get under the ownership of a new company, that policy is out the window, and the data can be used for anything that the new owners desire. Multi-TB torrent? Perfectly legal.

If a cloud provider changes hands, I can see a new company digging through data just to extort people. Say they find a sex toy maker's customer list on a server. They can then send out a note that all customers of this maker will have their named published unless they "buy into" a privacy policy (removing the name from the list) for the low price of $99.99. Since the new company 100% owns the data, free and clear, this is perfectly legal.

Comment: Re:Sooo .. (Score 1) 127

From a root command line, you can do:

vdc cryptfs changepw newpass

(where newpass is your new password for the dm-crypt volume... which is your /data partition.)

There is also apps that do this as well, but you need root.

Of course, when you change your screen lock PIN, it will change the boot password, but that is a given.

Comment: Re:Sooo .. (Score 1) 127

Those are some good suggestions. I might add a few myself:

1: If your device is rooted, you can separate the password that unlocks the /data partition from the PIN that unlocks the screen. This way, you have 4-5 digits that are quickly typed in... but if a thief decides to reboot the phone or power it off, they are facing the 20-30+ character passphrase... and most newer Android ROMs only allow 30 guesses before they do an erase.

2: Enable encryption of the /data partition. This is worth mentioning.

3: There is an app that will detect if the power button is pressed six times quickly, and send out a duress code. Forgot the name, but might be worth having.

4: Some ROMs will do some form of encryption on the SD card. If not, you can get an EncFS app, or BoxCryptor (which is a commercial/subscription version that uses EncFS as its base.)

5: Consider a backup program like Titanium Backup which uses a very reliable encryption mechanism (it uses a passphrase for a private key, and uses a public key for backups), and can save the encrypted backups to a cloud provider.

6: Consider a utility that requires a PIN to access some apps. For example, the app for a terminal and other rooted apps on my Android phone is PIN protected, FB and other apps are under another PIN, etc... so if a bad guy gets the phone while its unlocked, they might have access to the Web browser, but not the other parts. If they reboot the phone, they are faced with a very long /data encryption password as stated in #1.

Comment: Vote for Mickey Mouse? (Score 1) 1087

by mlts (#49295411) Attached to: Obama: Maybe It's Time For Mandatory Voting In US

I have read about mandatory voting in other countries... what can happen is that in elections that people really don't care about, they wind up voting for Mickey Mouse, the FSM, or some other character just for kicks.

However, the perfect is the enemy of the good, and maybe it might be a wise idea to at least get people to the polls somehow, even if they just play Tetris with the checkboxes on the voting machines, just to get rid of voter apathy.

Comment: Re:Battery tech on 2500 and 3500 pickups? (Score 1) 229

by mlts (#49286587) Attached to: Ask GM's Exec. Chief Engineer For Electric Vehicles Pam Fletcher a Question

The hybrid didn't have that much towing capacity, I think it was 3500 to 5000 pounds.

The 1/2, 3/4, and 1 ton truck designations tend to be there for name only, and to deal with some municipal codes (where a 3/4 ton and heavier is a "commercial vehicle", and a 1/2 ton can be a POV.)

However, with most of the truck lines, the 1/2 ton is a different model, and the 3/4 and 1 ton are very similar. For example, the difference between a F-250 and a F-350 from Ford is a leaf spring in the rear and a different GVWR/GCVWR.

The reason for the separation is that 1/2 ton trucks are popular sellers in the US, so for automakers to keep up with CAFE standards, they are made to save weight and MPG, as well as make an attempt at general hauling/pulling.

3/4 and one ton pickups get less MPG... but because they are generally built for commercial/farm use, they tend to be better at constant towing, carrying loads, or both. For example, if one wants to have a truck camper, there are almost zero models (other than tent-tops) available for half-ton models, while a 3/4 to one ton has a fairly wide range of choices, from a basic model to one with three sides, movie chair seating, and a dry bath.

Comment: Re:Why is bitcoin popular again? (Score 1) 254

by mlts (#49285475) Attached to: Evolution Market's Admins Are Gone, Along With $12M In Bitcoin

I think part of it is a Robin Hood type of mystique. Someone anonymous having something that bypasses the establishment, similar to being able to sneak on the King's grounds and hunt deer without being drawn and quartered as a poacher... but Robin Hood is most often a myth, and most often, it could be someone like O'Brian from "1984" looking to see who dissents... or a mercenary who would then turn right around and hand the people with the deer to the Sheriff for a reward.

BitCoin does have its place. Right now, it is still in its "cool" stage so it gets used for everything... similar to how radioactive substances were put in bath water and soaps until people realized they got cancer and other unpleasant things by doing so.

Comment: Battery tech on 2500 and 3500 pickups? (Score 3, Interesting) 229

by mlts (#49285089) Attached to: Ask GM's Exec. Chief Engineer For Electric Vehicles Pam Fletcher a Question

GM has tried a decent hybrid system on their 1500 Silverados.

Where a hybrid system would be very usable, would be on the heavier duty pickups like the 3/4 and one ton models:

First, electric motors provide their best torque at near 0 RPM, which is quite useful.

Second, on a rural jobsite, if a PSW inverter is available, this would allow the truck to completely replace a generator in the field. Just plug the welder, saw, or other tools into that and use the onboard battery for that, perhaps running the IC engine to keep everything topped off.

Third, for farms, it might be economical to have the trucks charge and run on batteries, as it saves on fuel.

My question: Would we see this technology being used on the heavier duty series of pickups?

Comment: Re:Free is still too expensive (Score 1) 322

by mlts (#49283423) Attached to: Microsoft Offers Pirates Amnesty and Free Windows 10 Upgrades

I've found 8.1 not that bad. BitLocker can be used to protect the startup drive without a TPM needed, chkdsk can be run on a drive without needing to be dismounted, Storage Spaces, ReFS, and deduplication are quite nice features. Even running BitLocker on drives without needing a key protector is useful, since a format command zeroes out the master volume keys, making data virtually impossible to retrieve. Plus, Hyper-V is a decent hypervisor (tier 1 hypervisors are relatively rare... especially ones which let you use the computer's main console for daily work.)

Only complaint I have is that 8.1 needs the same backup utility that Windows Server 2012R2 has. Technically both are wbadmin utilities, but the server version is extremely useful.

It is the quality rather than the quantity that matters. - Lucius Annaeus Seneca (4 B.C. - A.D. 65)