Comment: Re:Astoundingly bad idea (Score 4, Interesting) 312

by mlts (#43762631) Attached to: FBI Considers CALEA II: Mandatory Wiretapping On Every Device

I remember this with the Clipper Chip, and FBI Director Freeh. It is understandable that they want this -- makes their job a lot easier, and makes a lot more material to sift through.

However, there were the same issues with this wiretap stuff as with the Clipper Chip:

1: Bad guys getting access to the backdoor, just like back then, bad guys getting access to the LEAF (law enforcement access field, part of the key escrow mechanism.) When (not if) this happens, every single endpoint is wide open, and this becomes a national security issue when companies start getting hacked wholesale and there is nothing they can do except power off and unplug.

2: Abuse. Of course, this would allow anyone with access to this a lot of material they can scoop up, and sell.

3: There would be -billions- spent by rogue nations, criminal organizations, and others to get at those master keys. When the money is at stake, it will turn into a game of finding out what people are even close to the master keys, and kidnapping their family. The billions spent on compromising an update repository in order to get backdoored programs into the target would reward the rogues with trillions.

Securing the master keys is one thing. Keeping them secure while in use for massive eavesdropping and protecting them from leaks is a very difficult task. Someone in the chain can be compromised eventually, which leads us to point #1.

Plus, we already have a shitload of ways that an endpoint can be compromised. A lot of software updaters send a unique computer ID. It doesn't take much to have a certain ID get a slightly modified signed update while everyone else gets something else.

Comment: Re:What's really needed... (Score 1) 128

by mlts (#43759817) Attached to: Password Strength Testers Work For Important Accounts

There are always client certificates, but that means every web browser you use has to have a copy of your private key handy.

Another authentication system mentioned would be one that would have some random text, and would ask the user to select it, sign it with their private key, and paste the clearsigned text. Very simple and fairly platform independent, although PGP/gpg support can vary greatly depending on platform.
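The challenge-signing scheme sketched above, worked through as an added example (not code from the original comment or from any PGP/gpg project). It stands in ed25519 from Go's standard library for the user's PGP key, and assumes a `login-challenge:` prefix on the signed text and a per-nonce expiry; both are choices of this example, not anything the comment specifies. The server side hands out random text, remembers which challenges are outstanding, and consumes each one on first use so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Errors the server hands back; a real deployment would log which one fired.
var (
	ErrUnknownChallenge = errors.New("challenge was never issued or already used")
	ErrExpired          = errors.New("challenge expired")
	ErrUnknownUser      = errors.New("no public key registered for user")
	ErrBadSignature     = errors.New("signature does not verify against registered key")
)

// domainPrefix is an assumption of this example: binding the signed text to a
// purpose means a login signature cannot be reused as, say, a signed message.
const domainPrefix = "login-challenge:"

// ChallengeServer is the server side of the exchange: it issues random text,
// tracks outstanding nonces, and holds each user's registered public key.
type ChallengeServer struct {
	mu      sync.Mutex
	pending map[string]time.Time // nonce -> expiry
	pubkeys map[string]ed25519.PublicKey
	ttl     time.Duration
	Now     func() time.Time // overridable clock so expiry can be exercised
}

func NewChallengeServer(ttl time.Duration) *ChallengeServer {
	return &ChallengeServer{
		pending: make(map[string]time.Time),
		pubkeys: make(map[string]ed25519.PublicKey),
		ttl:     ttl,
		Now:     time.Now,
	}
}

// Register stores a user's public key (how enrolment is trusted is out of scope).
func (s *ChallengeServer) Register(user string, pk ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubkeys[user] = pk
}

// NewChallenge returns 32 random bytes as hex: this is the "random text".
func (s *ChallengeServer) NewChallenge() (string, error) {
	var b [32]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b[:])
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[nonce] = s.Now().Add(s.ttl)
	return nonce, nil
}

// Verify consumes the nonce before checking anything else, so even a valid
// signature works at most once if it is captured and replayed.
func (s *ChallengeServer) Verify(user, challenge string, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.pending[challenge]
	if !ok {
		return ErrUnknownChallenge
	}
	delete(s.pending, challenge)
	if s.Now().After(exp) {
		return ErrExpired
	}
	pk, ok := s.pubkeys[user]
	if !ok {
		return ErrUnknownUser
	}
	if !ed25519.Verify(pk, []byte(domainPrefix+challenge), sig) {
		return ErrBadSignature
	}
	return nil
}

// GenerateClientKey is the user's one-time key generation.
func GenerateClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ClientSign is the user's half: sign the challenge with the private key and
// send the signature back (the clearsigned text, in PGP terms).
func ClientSign(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(domainPrefix+challenge))
}

func main() {
	pub, priv, err := GenerateClientKey()
	if err != nil {
		panic(err)
	}
	srv := NewChallengeServer(2 * time.Minute)
	srv.Register("alice", pub)
	ch, _ := srv.NewChallenge()
	fmt.Println("first use:", srv.Verify("alice", ch, ClientSign(priv, ch)))
	fmt.Println("replay:   ", srv.Verify("alice", ch, ClientSign(priv, ch)))
}
```

The order inside `Verify` matters: deleting the nonce first means a second submission fails as an unknown challenge regardless of whether the signature was good, and the expiry check bounds how long a copied challenge is worth anything to whoever captured it.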

Comment: Re:Such a negative commentary. (Score 1) 115

by mlts (#43735291) Attached to: Google I/O 2013 Underway: Watch For Updates

It was more of a "bug fix" type of I/O announcement, which are some of my favorites. It means stuff gets fixed or works better. Android Key Lime Pie is going to almost certainly be 4.3.

The next Nexus phone is a rebranded Samsung Galaxy 4S, which means the next Android version doesn't require much in the way of new hardware.

The music service is going to be something to fill in the gaps. Although it is more like Pandora mixed with Rdio as opposed to something like Amazon or Apple's "scan 'em then download 'em elsewhere" services.

Comment: Re:store only? (Score 1) 490

by mlts (#43723071) Attached to: Windows Blue Is Officially Windows 8.1, Free For Existing Users

I'm going to guess that this is MS's way of making service packs more palatable -- call them free minor version upgrades.

Assuming this is the case, they likely will have an MSI or some .exe which can have its component files extracted for speed reasons to a share, with machines pointed there for updates.

I hope for a WIM or a way to slipstream this into an install image, so if a box needs to be reinstalled, W8.1, perhaps with the latest Windows Update patches, can be done in one pass.

Comment: Re:Outlook.com (Score 2) 154

It is obvious that once the data leaves your gateway, it is open season, perhaps even sooner if a router or switch gets compromised and a custom firmware uploaded. The endpoint is where the main security should lie.

Ideally, you want people using PGP or GnuPG with some sort of WOT in the company, and some mechanism for securing private keys (self-generated eTokens, or even just a USB flash drive.) For SOX reasons, an ADK might be needed, but it will be obvious that that key is added to E-mail exchanges, and hopefully it is stored somewhere secure.

The second decent client utility is using S/MIME. Thunderbird and Outlook happily support it. Other mail programs have various degrees of support from complete to none. Done right, this is decently secure, but it falls into the same trap SSL does -- it is easier to admin than a WoT by having the usual CAs in a root cert, but that means a third party can easily get in and start a MITM attack.

Comment: Re:that is a massive rip-off of my data allotment (Score 1) 180

by mlts (#43659357) Attached to: Facebook To Introduce Video Ads

Their mistake was going public. That means they have to answer to the lash of threatened shareholder lawsuits should they do anything but focus on what profits are coming on the next quarter.

FB should not have IPO-ed. Instead, they should have kept to themselves and worked on honing their backend technologies, perhaps offering things for sale to the enterprise. For example, all their magic and redundancy lies in the top level app layer. A server failure isn't handled by a HA mechanism or a hypervisor sitting on a blade chassis, but the application running on the hardware deals with this. Enterprise stuff that doesn't care about clustering, SAN status, or what it is sitting on can be a hot seller, as it would compete ferociously against the high priced IBM/EMC/Oracle offerings.

FB also handles a lot of data. I'm sure they could offer technology to have an archiving service (to fulfill the eDiscovery requirements of SOX and other regulations.) Real businesses would pay real cash for this.

FB also handles authentication, as they are oftentimes used as an Internet gatekeeper. Why not add to those services? Offer dedicated SecurID keyfobs or OATH apps, OPIE style one time use password sheets, or perhaps some dedicated biometric device which connects via cellular for a multi-channel authentication method. Why not join the OpenID bandwagon, or perhaps work on some add-on so one can use their personal ID/password [1] to authenticate to a work account, and have a true SSO mechanism?

FB should have gone into enterprise-ready technologies. Amazon did with their cloud, and are vastly reaping the benefits.

[1]: Or ID/passwords, so one can have multiple items attached to various IDs. That way, if one leaves a job, they can kill that ID attached to their work items.

Comment: Re:that is a massive rip-off of my data allotment (Score 2) 180

by mlts (#43658785) Attached to: Facebook To Introduce Video Ads

It isn't that tough to leave. Google+ is getting just as entrenched via apps, web pages, "+1" buttons, and many other items. In fact, I know a number of people who keep both G+ and FB running because both are useful.

If FB disappeared entirely, it can be completely replaced. Even if G+ didn't take over completely, messaging could go back to SMS or one of the IM providers, posts/walls could wind up on livejournal, cat pictures would move to Flickr or some other site, phone numbers and contacts could be shared via Yahoo or iCloud, gifts could be given via Amazon, and third party apps like Farmville would end up either becoming standalone websites, or becoming Metro/Android/iOS apps.

FB has only one thing going for it: It is the US's central watering hole. If the beer gets too watered down, people will go find another dive bar to frequent.

Comment: Re:Egg that kills the golden goose (Score 1) 180

by mlts (#43658555) Attached to: Facebook To Introduce Video Ads

While Google Plus is a nice aside for them, Facebook (and the companies that make the apps) are completely dependent on the whims of their product... i.e. their subscribers. Squeeze too much, and FB's stock price will be hurting very hard, very fast.

FB is in a corner. If they don't find a way to dangle a carrot in front of developers and advertisers, they will stop paying money or writing for that platform, and with them being public, there is always the constant lash of the stockholders and the quarterly numbers. However, if FB starts going with animated ads with audio (which are great for the advertisers but will annoy everyone else to no end), people will give them the middle finger. People are already so annoyed with them as it is, about privacy and a lot of other things, that it wouldn't take much for people to take their chat and cat pictures (and thus any ad/app revenue) elsewhere.

Comment: Re:that is a massive rip-off of my data allotment (Score 1) 180

by mlts (#43658417) Attached to: Facebook To Introduce Video Ads

You are not the only one. Bandwidth isn't growing on trees in the US. Add streaming video ads that can't be stopped on iOS [1][2], and people will start looking elsewhere once the phone bills start rolling in.

I remember in the time frame when people started leaving MySpace to FB, where at first, it was the more educated people who went, then as they left, virtually everyone else followed suit. I'm starting to see the start of the exact same migration to G+.

[1]: Well, if you had a jailbroken phone and Firewall IP or another Cydia app, possibly. However, due to the 6.x SHSH blobs being unusable, it will likely be a year or two before another usable JB is released (iOS and hardware bugs are very rare.)

[2]: Android is a bit easier, as there are utilities for both rooted devices and Web browser extensions for non-rooted ones.

Comment: Re:Egg that kills the golden goose (Score 1) 180

by mlts (#43658219) Attached to: Facebook To Introduce Video Ads

People are already griping about FB. This might be the impetus that gets people looking at alternatives.

Google Plus is quietly waiting in the wings, and there are sites like vk.com which have virtually everything FB does.

Switching to G+ wouldn't be difficult -- most Android devices have a hook for it, and the iOS app is easily downloadable.

Similar with VKontakte and other FB-like sites. It may not be a US social networking site, but Americans are tolerated.

Comment: Re:Where are the stand alone machines? (Score 1) 157

by mlts (#43655801) Attached to: Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites

Even better, why not keep the internal machines completely locked down with zero ability to connect to the Internet (and perhaps have the IDS/IPS that monitors that segment set to look for packets that are not in that IP range, just to make sure.)

Then have a Citrix server (preferably on a VMWare or other hypervisor for quick snapshot rollbacks) for the Web browsers and anything that connects to the outside world directly?

This isn't rocket science, and I've seen places that used Citrix not just to keep the outside stuff out so a Web browser compromise is on an external machine, but to keep internal-use applications on secure servers, and they stood extreme amounts of intrusion attempts without issue.

Microsoft has something similar with App-V, but Citrix is nice because one can get receiver software on almost any platform.
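The "look for packets that are not in that IP range" check from the comment above, as an added example that is not part of the original post or of any IDS product. It assumes a flow-record format of `<timestamp> <src> <dst> <dst-port> <proto>` and an isolated segment of `10.50.0.0/16`; the records below are constructed for illustration (the foreign addresses are from the RFC 5737 documentation ranges), not captured traffic. On a segment with no route out, a source or destination outside the range is either a misconfiguration or a host trying to talk to something it should not be able to reach, and a record the monitor cannot parse is reported rather than dropped, because a monitor that silently skips what it cannot read is blind exactly when it matters.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SampleFlows are constructed records for this example, in the form
//   <timestamp> <src-ip> <dst-ip> <dst-port> <proto>
// They are not real traffic from any network.
var SampleFlows = []string{
	"2013-05-03T09:12:01Z 10.50.1.7 10.50.2.3 445 tcp",
	"2013-05-03T09:12:02Z 10.50.1.7 203.0.113.10 443 tcp",
	"2013-05-03T09:12:03Z 198.51.100.9 10.50.2.3 22 tcp",
	"2013-05-03T09:12:04Z 10.50.3.1 10.50.2.3 3389 tcp",
	"this line is corrupt",
}

// Flow is the parsed form of one record.
type Flow struct {
	Time  string
	Src   net.IP
	Dst   net.IP
	Port  string
	Proto string
}

// ParseFlow parses one space-separated record; anything malformed is an error.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Flow{}, fmt.Errorf("expected 5 fields, got %d", len(f))
	}
	src, dst := net.ParseIP(f[1]), net.ParseIP(f[2])
	if src == nil || dst == nil {
		return Flow{}, fmt.Errorf("unparseable address in %q", line)
	}
	return Flow{Time: f[0], Src: src, Dst: dst, Port: f[3], Proto: f[4]}, nil
}

// OutOfSegment returns one alert per record that should never be seen on an
// isolated segment: a flow whose source or destination lies outside the
// segment's own range, or a record the monitor could not parse.
func OutOfSegment(lines []string, segment string) ([]string, error) {
	_, cidr, err := net.ParseCIDR(segment)
	if err != nil {
		return nil, fmt.Errorf("bad segment %q: %w", segment, err)
	}
	var alerts []string
	for i, line := range lines {
		fl, err := ParseFlow(line)
		if err != nil {
			alerts = append(alerts, fmt.Sprintf("line %d: unparseable record (%v)", i+1, err))
			continue
		}
		switch {
		case !cidr.Contains(fl.Src):
			// A source address that does not belong to the segment at all.
			alerts = append(alerts, fmt.Sprintf("%s: foreign source %s -> %s:%s/%s",
				fl.Time, fl.Src, fl.Dst, fl.Port, fl.Proto))
		case !cidr.Contains(fl.Dst):
			// An internal host addressing something beyond the segment.
			alerts = append(alerts, fmt.Sprintf("%s: egress attempt %s -> %s:%s/%s",
				fl.Time, fl.Src, fl.Dst, fl.Port, fl.Proto))
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := OutOfSegment(SampleFlows, "10.50.0.0/16")
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println("ALERT", a)
	}
}
```

Run against the sample records this reports the egress attempt to 203.0.113.10, the foreign source 198.51.100.9, and the corrupt line; the two internal-only flows pass. The same function works for any other segment by changing the CIDR argument.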

Comment: Re:Because "IT People" are not "Professionals" (Score 1) 178

by mlts (#43624819) Attached to: Ex-Employee Busted For Tampering With ERP System

That is the irony of it all. Certs tend to have very little correlation with how clueful a person is. A technically savvy IT person knows enough to blow away the smoke, toss a broken machine in front of a candidate, and say "fix it". Either the guy fixes it, makes a good attempt, or obviously fails. No amount of BS is going to magically create a yum repository or ifconfig an adapter up.

However, when you get to the levels above the IT people, they don't see how good/bad people are at the jobs unless the blamestorming downstairs is so loud that someone gets tagged with something nasty. They don't see Alice in the context of her competency, they see Alice and a list of certs behind her name... and that is their basis for judging promotions as well as hires/fires.

It only seems to be getting worse. It has become not out of the ordinary to see the "ticket taker" appear at IT's doorstep one day. Said person will go to each and every person and demand they show what certs the employees have, or hand in their badge on the spot. This started with Sarbanes Oxley, but seems to be becoming a matter of routine, perhaps to hire H-1Bs in their stead. I've seen people who are true giants in the field tossed out on their ear, just to hire someone who has no IT skills [1], but who managed to get the MCSE tests done.

[1]: IT skills are the meta stuff that you learn, that isn't taught anywhere. Passing by a server, and hearing the "tick, tick, tick" of a trashed drive that isn't on an array so it doesn't have a light showing it failed, or making a signed internal repository mirror so you don't have to justify connecting each machine to the outside world, or knowing the right decision to make when the sales guy wants domain admin rights "just to show a customer an ad-hoc demo".

Comment: Re:Because "IT People" are not "Professionals" (Score 1) 178

by mlts (#43624121) Attached to: Ex-Employee Busted For Tampering With ERP System

One lesson I learned the hard way: Certifications seem meaningless to the IT person and the people immediately surrounding them. However, out of the direct hierarchy, the only thing that matters are those colorful pieces of paper with alphabet soup abbreviations on them.

In fact, I've had jobs where some muckety-muck comes in and demands every single IT person produce certificates to "prove they are capable of operating the equipment." Ironically, the most experienced guy in the bunch, who has been in the industry since I was in third grade, got axed on the spot because he didn't bother with keeping his MC-ITP or RHCE current.

People think certificates don't matter, but saying, "RHCE, cert id " means *far* more on a resume than almost any interview questions/answers. In fact, I've sat on interviews where the HR person asked the candidate the very first thing:

"Do you have a MC-ITP? No? Exit is to the right. Please fetch the next candidate in line."

Comment: Re:Why bother with either (Score 1) 82

by mlts (#43622801) Attached to: Barnes & Noble Adds Google Play Store To the Nook

You hit the nail on the head. The e-book providers have a vested interest in having their device locked down in some way, either to help reinforce their e-book DRM, or so they can have their device not lumped in with general-purpose tablets when it comes to hardware performance (allowing cheaper hardware to be used.)

A Nook or a Kindle Fire is tempting, but with the price of a Nexus 7 with built-in 4G around three C-notes, it is hard to go wrong with that, as it is as open as any Android device can get. Another $100 and I can get an N10.

Why worry about "nooting" or dealing with various rooting/bootloader exploits when one can get a very solid tablet for an inexpensive price which does everything the non e-ink Kindle/Nook models do?
