
Comment: Re:HP Moonshot Superior? (Score 2) 125

by mlts (#49493179) Attached to: AMD Withdraws From High-Density Server Business

I've personally played around with the Moonshot and being able to squeeze 45 blades in a 5U rack (the specs say 4.3U...) is a nice thing. Each blade has two DIMM spaces and a SSD, which is good enough to load a hypervisor, then use the onboard bus for going to a storage array.

I wouldn't say that each blade is as powerful as a blade in HP's conventional 16 blade enclosure (which takes 10 rack units), nor as powerful as a 1U standalone server... but you can choose what goes in, from a low end Xeon on the m710 to an AMD offering, to an Intel Atom, to ARM based procs.

High density enclosures like the HP Moonshot are quite useful. VM farms come to mind as well as privilege separation for security sensitive tasks. VDI also comes to mind (so the extremely sensitive stuff can be used and manipulated by RDP or Citrix Receiver as seamless applications, but a compromise of a user's desktop doesn't allow the entire database to be taken.) It also makes a decent testbed when doing production-to-test copies and staging OS/program updates for soak testing before the updates are pushed into the field. I wouldn't say high density server platforms will replace everything else (due to physical limitations, the blades are not going to outperform standard 2 Xeon machines), but they are a useful thing to have and help save space in the server room.

Comment: Re:"shoup" is not easy (Score 1) 104

by mlts (#49485455) Attached to: The Voting Machine Anyone Can Hack

To me, there needs to be a paper trail. Like the lottery issue a few days ago, if someone tampers with the RNG and does it in a manner that their modifications can be backed out, there is no way to tell it was done.

This doesn't have to be in a way that causes hanging chads. It just has to be a way of logging people's votes to a physical medium that is both machine readable and human readable.

This way, when someone votes, they get a paper ballot printed out that they can double-check. Then it shouldn't be an issue to tally up the votes via the printed cards. Hell, universities do this all the time with Scantrons for tests and finals, in far greater volume per location than voting precincts do.

Add Chaum's verifiable voting, and one has an open, secure system.

Comment: Re:Consumers are not going to notice much differen (Score 1) 72

by mlts (#49480049) Attached to: Samsung SSD On a Tiny M.2 Stick Is Capable of Read Speeds Over 2GB/sec

The concept of a workstation has been pretty much marginalized due to things being "good enough". I might see one that is mainly to interact with a dedicated appliance (CNC mill), or perhaps a few workstations when working with definite tasks, but they tend to be bit players compared to desktops or laptops.

The desktop is becoming a role, as opposed to a device. For example, the Surface Pro when plugged into a dock functions as a desktop role. Same with most laptops.

As for laptops, they are nowhere near as expandable as a desktop... but they will do. A laptop with a decent SSD, 8-16 GB of RAM, and four cores can do OK at virtualization for small tasks.

Comment: Re:M.2 Specification (Score 1) 72

by mlts (#49479941) Attached to: Samsung SSD On a Tiny M.2 Stick Is Capable of Read Speeds Over 2GB/sec

I have worked with people who could stick any object in any connector... they just had to get a big enough hammer. The most common I've encountered are VGA plugs into serial ports (which bend the pins in all directions.)

I am guessing that the people who designed this connector's configuration assumed it is not going to be user accessible for the most part, so they didn't really worry about it being 100% foolproof.

Comment: Re:Has anyone waited 60 days? (Score 1) 72

by mlts (#49479915) Attached to: Samsung SSD On a Tiny M.2 Stick Is Capable of Read Speeds Over 2GB/sec

Does the tool need to be run on MS just once (like a firmware flash), or is it a driver in the OS? If the former, I can probably slap Windows on briefly just to run the fix. If it has to be loaded and run... heck with that. Intel may not be perfect, but they are a good baseline of what SSDs should be measured by.

Comment: Re: For work I use really bad passwords (Score 1) 136

by mlts (#49479139) Attached to: Cracking Passwords With Statistics

One thing about work passwords (and in general, I'm assuming this is an AD or LDAP user account), any sane setup should lock the account after a certain number of guesses [1], so 15-20+ character passwords are not as needed, assuming the account isn't an admin account or a service account which never will have its password changed. (For service accounts, I like using randomly generated 128-character Unicode passphrases because those accounts are set to not get locked due to brute force attempts, so they have to have actual brute-force resistance.)

With this in mind, a "work" password with the Microsoft defaults (as shipped with Windows server releases) is reasonably secure.

For finances, I use not just a completely different password, but an E-mail address on a private domain that doesn't get used anywhere else. I also try to enable 2FA if possible.

For other passwords, I just use a mechanism that asks for a master passphrase, then uses an MD5 hash of the site + the passphrase to derive the password for that website. This way, there isn't much to store, and they are easily regenerated.

[1]: Of course, unlock it after a period of time has passed. I've seen some companies have a "keep accounts locked until manually unlocked" policy... only to discover that it takes more time in manning a phone bank 24/7 to have someone unlock accounts as opposed to just locking an account for a few minutes (which is good enough to help mitigate a brute force password guess attack, especially if logs that alert someone are used.)
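The lockout policy sketched in the comment and footnote (lock after N bad guesses, unlock automatically after a few minutes, and emit something a log watcher can alert on), as an added example that is not the commenter's code; the threshold and timing values, the injectable clock and the alert format are assumptions for illustration:

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not from the comment.
MAX_FAILURES = 5        # bad guesses tolerated inside the window
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCK_SECONDS = 300      # "lock for a few minutes", then auto-unlock


class LockoutPolicy:
    """Tracks failed logons per account, auto-unlocks, and records alerts."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lock_for=LOCK_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.clock = clock                  # injectable so tests can fake time
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock timestamp
        self.alerts = []                    # lines a SIEM/pager would receive

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # automatic unlock, no help desk call
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account, source_ip):
        """Returns True when the account is (now) locked."""
        now = self.clock()
        if self.is_locked(account):
            return True
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > self.window:   # drop stale failures
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lock_for
            self.alerts.append(f"LOCKOUT account={account} src={source_ip} "
                               f"failures={len(q)} unlock_in={self.lock_for}s")
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()
```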
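The per-site derivation the comment describes (MD5 of site + master passphrase), written out as an added example that is not the commenter's code, next to a variant through a slow salted KDF; the point for a defender is that with the fast scheme, one site password that leaks in the clear lets the master passphrase be tested offline at MD5 speed, whereas the slow variant (iteration count and truncation length are assumptions here) makes each guess expensive:

```python
import hashlib


def derive_md5(site: str, passphrase: str) -> str:
    """The scheme as described: hex MD5 of site concatenated with passphrase.
    Fast and unsalted, so a leaked output plus the (public) site name is an
    offline test oracle for master-passphrase guesses."""
    return hashlib.md5((site + passphrase).encode("utf-8")).hexdigest()


def derive_slow(site: str, passphrase: str, iterations: int = 200_000) -> str:
    """Same deterministic idea with PBKDF2-HMAC-SHA256 and the site as salt;
    iterations and the 32-hex-char truncation are assumptions for this example."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              site.encode("utf-8"), iterations)
    return key.hex()[:32]


def derive_for_sites(sites, passphrase: str, slow: bool = False) -> dict:
    """Regenerates every site password from the single master passphrase."""
    fn = derive_slow if slow else derive_md5
    return {site: fn(site, passphrase) for site in sites}
```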

Comment: Re:Honestly ... (Score 1) 342

by mlts (#49471829) Attached to: Allegation: Lottery Official Hacked RNG To Score Winning Ticket

Tamperproofing isn't that expensive. The SIM card on a phone will zap itself if decapped, same with my $45 eTokens.

Another example of this was the Java iButtons from Dallas Semiconductor (RIP.)

If a company wanted a tamperproof card, it could be done fairly easily with the entire module epoxy potted to further deter unauthorized modification.

Comment: Re:Off Site (Score 1) 443

BD-Rs are good, as well as the newer archival grade DVDs (Verbatim UltraLife, for example.)

My vote is to not just use a single medium. Every storage type has good and bad:

1: Cloud storage is easily accessible and easy to use... but is potentially insecure, and the provider can go down taking your data with it.

2: SSD is fast and usable, but when it dies, there is zero chance of data recovery, long term, once the electronics bail the gates.

3: Tape is archival grade with extremely long lifetimes, limited lifetime warranties on media (not data stored), is fast, and has a high capacity... but tape drives are extremely expensive. There is also the issue of a standard to put data on and off, although LTFS helps mitigate this.

4: Optical is widespread with plenty of drives... but doesn't have much capacity, and some disks wind up with bit rot.

5: Hard disks are quite popular, easy to use, fast... but most have just a year warranty, and tend to fail.

6: Printing to paper is possible... QR codes are one way. There is a utility called Paperback (formerly named Paperbak) which prints files out. However, I have had issues with the 1.0 version and scanning back documents, although 1.1 seems to be a lot better at getting back data. Of course, this doesn't store much data, but paper burns at a lot hotter temperature than most other physical media, so it would be useful for storing recovery keys and such.

I recommend using redundant backup media types, combined with different backup programs, perhaps different encryption mechanisms (TrueCrypt, PGP, GnuPG, etc.) This way, if one can't find a backup or encryption program (I doubt you might be able to find a copy of TC in 10-15 years, but something that decoded PGP is likely to be around), there are other ways.

Backup utilities are also something to watch out for. Every program has a different way of stashing data. You don't just need the utility, but you will also need the license key for it... and even then, I've encountered consumer level programs which will still fail and demand an upgraded version before they might consider restoring data.

tl;dr, diversify. At the minimum, use an external drive with encryption for bare metal backups, and then have documents synced with a cloud provider (encrypted of course)... and occasionally burn critical stuff to optical media.

Comment: Re:If you don't control it it's compromised. (Score 1) 86

by mlts (#49431485) Attached to: Ask Slashdot: How Serious Is Hacking In Mobile Games?

For real security, the client should just be "eyes/ears" for the server, similar to how MMOs are. This was true back in the UO days, and is true now.

At least phones and mobile devices are easier to track and ban cheaters because you can ban an account and if any new accounts touch that device's IMEI, they get auto-banned after a random period of time as well. A simple check for a su binary on Android or a check if one can write outside the app's directory in iOS will deal with rooted/jailbroken devices.

Another trick is to update often, preferably with completely different offsets for code and/or obfuscation algorithms so if a group is making patches for the game, they would have to be constantly after a moving target, even if the update just changes a constant or two.

Comment: Re: Take a page from the China mobile game scene (Score 1) 86

by mlts (#49431177) Attached to: Ask Slashdot: How Serious Is Hacking In Mobile Games?

Only problem with that logic is that EA and Ubisoft are quite successful right now, which only sets an example that extreme DRM, DLC, and releasing only a few hours worth of content and calling it a game is the way to earn money in the industry. Especially with consoles where there is a 0% piracy rate and the game developers control everything on that platform.

Of course, it would be nice to see another id or Bioware. I'm sure there is money to be made on games with a long tail like Neverwinter Nights and NWN2 [1]. However, there just doesn't seem to be an interest to push in that direction. It seems that almost all newer games either fall into the bottomless pit of F2P-P2W or are part of a mediocre sequel in a franchise. Even the SimCity app on the phone was all about IAP in order to make your city not suck.

[1]: Ignore the NWN OC... IMHO, that was more of a demo of what one can do with the toolkit than something playable.

Comment: Re:Why different policy on this to Junior IT posit (Score 1) 69

by mlts (#49429263) Attached to: Feds Boost Goal To 75k New Solar Power Workers By 2020

Same reason why plumbers, electricians, HVAC workers, and vend a goat repairmen don't get offshored... it just costs too much to grab people off the boat, train them in US standards [1], then get them licensed in the specific state.

Here is what I don't get: What exactly is a "solar job"?

First, there is the actual placing of PV panels. This is just physical moving of the object, dropping it into place and bolting it down, perhaps making sure the single or double-axis controller is calibrated.

Second, and this is the most important: Electrician work. PV panels, wiring to proper code, not getting high voltage across the nipples, getting power from the PV panels to the inverter or the battery charge controller (depending on if the person wants an on grid or off grid setup.)

Third is architecture and placing panels. Will the panels be too heavy for a roof, are they facing south, etc.

All these skills are not really just "solar skills", but items used from other occupations.

[1]: Since the US was the first country to go electric, the standards in place are primitive. Tesla's three-phase system helped things, and 120VAC was good for the time, but as metals and materials improved, 240VAC is a better standard overall because it allows for thinner gauge wires.

Comment: Re:So what are people using anyway? (Score 3, Insightful) 83

by mlts (#49425701) Attached to: TrueCrypt Alternatives Step Up Post-Cryptanalysis

I like having all of the above:

All disks encrypted, which is mainly so the meth-head who breaks in and grabs the hardware doesn't have access to the data. Hardware can be claimed on insurance. Data opens up blackmail, extortion, and many other avenues.

Encrypted VMs as a way to isolate programs from each other, where I can keep my Quicken/QuickBooks in a VM, move it between computers when needed. Backup? Burn the .vmdk or the .vhdx to a BD-R disk.

File based encrypted volumes as a way of stashing client projects, as well as stashing document backups by date before burning to CD.

Of course, it would be nice to have encrypted archives as well, when one doesn't need to hide the length of the files. PGP Zip covers this, but it would be nice to have a higher level of compression like xz, bzip2, or LZMA, as well as the ability to add an ECC record (similar to WinRAR), so if an archive is damaged, it has a chance of being able to be completely repaired.
