Please create an account to participate in the Slashdot moderation system


Forgot your password?

Comment: Re:Easily defeated.... (Score 1) 312

by mlts (#49751787) Attached to: Ads Based On Browsing History Are Coming To All Firefox Users

Or use a VM with snapshots or change logs, and when done, roll back all changes, so no matter how much the browser tries to stash, all gets eradicated.

It also works well to deal with compromised browsers, especially if the VM is run in its own NAT segment, so the compromised instance can't gain knowledge of network topology.

Comment: Re:Firefox becomes Netscape (Score 1) 312

by mlts (#49751709) Attached to: Ads Based On Browsing History Are Coming To All Firefox Users

I actually paid for Netscape because it was a good browser at the time.

If the Mozilla Foundation needs cash, maybe a commercial browser may not be a bad idea, especially if it had enterprise level items like being able to be shipped as a .MSI, updated from an internal server like WSUS (not all internal machines have access to the Net in a lot of companies), offered GPO-like functionality to allow for insertion of internal keys, allowed for a recovery mechanism to the security key store, and so on.

This may not mean much to the average consumer, but a supported browser version that can be managed by IT quite well might be a good revenue source, especially with it being platform independent.

Similar with Thunderbird and SeaMonkey. Other than Outlook and, there are not many good MUAs out there these days. Eudora is dead, and the Bat and Lotus Notes are niche products. Having an alternative to Outlook might be a good thing for businesses, especially if enterprise level management/update functionality could be added in.

Comment: Re:bye (Score 1) 312

by mlts (#49751537) Attached to: Ads Based On Browsing History Are Coming To All Firefox Users

If it is sitting empty on Windows 8.1, it is being used for read/write cache by the OS. Same with Linux.

With RAM as relatively inexpensive as it is today, one shouldn't have less than 16-32 GB of RAM on a desktop, especially if one is using virtualization, sandboxing, or other type of container usage to keep their Web browser separate from their sensitive stuff [1].

[1]: In fact, it doesn't hurt to keep different things in separate VMs, and with SSD and a decent amount of RAM, the performance loss is negligable, while one gains a lot in security. Plus, it is easy to move to new hardware... just copy the VM's images to the new machine.

Comment: Re:Android. The "PC" of mobile devices (Score 1) 81

by mlts (#49751209) Attached to: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

I like Android's customizability and the ability to replace things. For example, I toss the launcher and go with Nova's. The keyboard app gets replaced, and I use a custom texting app that supports encryption.

Plus, I have more privacy on Android with XPrivacy. For example, a lot of apps pull your ad info, IMEI, hardware serial number, and anything they can find for behavioral tracking. With XPrivacy, the app will happily get a number... but it will be a random one. I can also ad block on the IP level.

Comment: Re:All using ancient devices (Score 1) 81

by mlts (#49751147) Attached to: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

Newer phones respond to fstrim/blkdiscard, so one can use those tools to fire off TRIM commands, zeroing all data. For example, if one wants to ensure /data isn't available, one could do a blkdiscard of /data's device, or run fstrim on the mounted /data partition to have the SSD zero out all free pages. Similar with /system. Delete all extraneous data, mount it read-write, fstrim it.

Comment: Re:All using ancient devices (Score 1) 81

by mlts (#49751111) Attached to: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

The good news is that there are apps (which require root) which will modify SELinux so that the SD card is usable. Since most SD cards are using FAT32, there isn't any real way to enforce permissions, so for security reasons, the card wound up being locked from most apps completely.

Of course, it would be nice if the SD card could be formatted with ext4, so permissions could be enforced.

Another option, which was part of Linux, but pulled out a long time ago, was the UMSDOS filesystem. What this did was put Linux permissions and ACLs atop of FAT/FAT32. Yes, this was a kludge... but it worked without having any changes to the filesystem (other than the marker files) in place. This might be a way to go, since it would allow the phone to enforce app permissions on a filesystem that normally doesn't support it.

Comment: Re:If that's possible, then it isn't encryption. (Score 2) 81

by mlts (#49751049) Attached to: Factory Reset On Millions of Android Devices Doesn't Wipe Storage

The Windows format command does this. If one uses it on a BitLocker encrypted volume, it will go and zero the parts on the volume that hold the BitLocker master key, so even if someone later has a recovery password, the data is still completely gone. Same with secure erase on a number of SSDs.

Since Android is sitting on a SSD, it might be wise to move to a smarter wiping system. One that would wipe the dm-crypt data, core places of the filesystem, and after that, TRIM the entire data partition before formatting and rebuilding it. The TRIM command helps ensure that the data present isn't recoverable at the drive level, and likely will get utterly destroyed when the drive erases the TRIMmed pages.

I read about some newer phones using a chip to store the encryption key for /data, similar to how iOS does it, but when hardware starts getting involved, it becomes harder to deal with a potential backdoor.

Maybe the ideal is a small bit of storage that is used, and if it is erased, the erasure is guarenteed (where there is no way to recover previously stored data.) Then, the master key is stored there. On initial bootup, the phone prompts the user for the PIN, decrypts the key stored on that small bit of storage for the master key to /data, and proceeds from there. On an erase, /data gets force unmounted, the small storage is erased, and a blkdiscard is issued for the /data's device. Not 100%, but it will pretty much ensure anything stashed in /data is gone.

Then there is the external SD card. Unlike /data, there isn't a real standard to encrypt that storage partition. Usually it winds up being encrypted on a file by file basis with some EncFS offshot. The key for this is stored in /data, so if the phone is wiped, there isn't any way to retrieve the SD card's data. What might be an idea would be to offer the file based mechanism, but also offer the ability to format the SD card and encrypt the entire card on a device level, not just on a file by file basis.

Of course, something like phonebookfs could be used so that someone looking at the encrypted file stash on the SD card can't tell between real data and randomly generated chaff, but that may not be something for mainstream phones.

Comment: Re:Durability concerns valid, but... Tampering? (Score 1) 88

by mlts (#49728433) Attached to: Yubikey Neo Teardown and Durability Review

I use a Yubikey Neo mainly for 2FA with Google's services. The main security boost from it for me is that it is a physical object, and the main avenue of attack for my stuff is via remote. Same reason I use Google's Authenticator app as backup on my smartphone.

Since my Yubikey devices tend to be sessile resiliency isn't that important... but I am definitely not impressed with the durability. My eTokens [1] from SafeNet are far more durable, tamper resistant (once they started one piece epoxy manufacture), and can handle far more insertion cycles than the YubiKey can.

I wish Yubico could charge more, and put some money into a stronger USB keyfob. For me, the delicate construction is OK (because I use multiple keys that stay with my devices)... but for people like the parent who actually tote it around, the construction is pretty much unacceptable.

As for a key format for security, I wish the industry would have a special slot for that, as in some cases, NFC isn't acceptable. The best I've seen was the old Dallas Semiconductor "one wire" reader which worked even with high traffic. Since that is long gone, perhaps it is time to have something, even if it is just two small, durable conductive contacts on the side of a device for using a key, or using it for a key interchange.

[1]: I have multiple for PGP, and use the keys as ADKs (which were generated on the device and never leave.) Other than finding drivers for them, they have served me well. Plus, if one uses PGP Desktop (er, now SED), one can use the eTokens as keys, so an attacker would have to have the token, and the PIN (which can be set to lock for good after a certain amount of guesses) in order to boot the machine.

Comment: Re:The reason you don't buy into Bitcoin (Score 1) 61

by mlts (#49719193) Attached to: Decoding the Enigma of Satoshi Nakamoto

I've mentioned this before... but times have changed. For better or for worse, BitCoin is the currency that people have latched onto, similar to how Facebook is the social network of choice these days.

Even though there are details that the currency is fraught with, it is becoming stable and accepted by the mainstream, where it is becoming trusted enough for people to actually not just use it for a means of exchange (quickly changing from their preferred unit of stored value to BTC, then the seller quickly changing from BTC to their favorite unit), but as a means of holding wealth, since it is a deflationary currency.

Comment: Re:DB Cooper and Jimmy Hoffa (Score 2) 61

by mlts (#49719011) Attached to: Decoding the Enigma of Satoshi Nakamoto

Satoshi has dropped out of sight long enough that statute of limitations laws are going to come into play soon, especially once the seven year mark hits. The only two things that are able to be used in the US are murder or failing to file a tax return, and an anonymous entity has no requirement to file a tax return.

Even if taxes are involved, it would be similar to capital gains. Satoshi would not have to pay taxes until those coins are sold or exchanged. If kept "under the mattress", they can legally stay out of play indefinitely.

Comment: Re:How long (Score 1) 72

by mlts (#49698239) Attached to: GE Is 3D Printing a Working Jet Engine

A local place (Solid Concepts) made a 1911 out of DMLS sintered Iconel. All parts including the barrel, sear, trigger mechanism... everything but the grips. It didn't blow up or have any issues after 1000 rounds ran through it.

Mitsubishi has a DMLS machine that does both the sintering and machining (both additive and subtractive), which not just would allow a 1911 to be made, but the parts coming out just needing final assembly.

Of course, there are other uses than firearms.

Comment: Re:Stupid toys (Score 1) 72

by mlts (#49698193) Attached to: GE Is 3D Printing a Working Jet Engine

I remember it called stereolithography, but that was mainly a type of 3D printing that used a laser and either a photosensitive liquid or powder which fused together, combined with a tray that slowly moved.

These days, I'd just go with a DMLS setup, since if I use a decent Iconel alloy, the finishing/grinding/polishing needed iis minimal.

Comment: Re:Don't convert needlessly (Score 1) 200

by mlts (#49692297) Attached to: Ask Slashdot: What Is the Best Open Document Format?

Even with programs that can import Word/Excel/etc. documents, they do a good job, about 99% well. However, that one percent that is missed can do quite a number on a document.

The answer for a document format... depends.

For a document format that keeps formatting exactly, and isn't intended to be edited, PDF/A is the best thing going, since barring a major world-ending disaster, we will still have utilities that can read PDFs, and PDF/A ensures that the fonts and such are present and readable.

For a document that is edited... there are a number of different standards. As stated elsewhere, it might be best to have a tarball or ZIP file that has multiple document formats in it, where there is a .txt and .PDF file available for quick viewing, then SGML/HTML/XML/nroff/TeX/LaTeX version included for editing.

Comment: Re:personally (Score 1) 461

by mlts (#49684135) Attached to: Does Using an AOL Email Address Suggest You're a Tech Dinosaur?

With all the UI churn of not just Gmail, but every other provider, I've thrown in the towel, and just use a decent MUA (Thunderbird for E-mail, Outlook for calenders/meetings/tasks/contacts.)

A MUA is a lot more resistant against attack than a Web browser, and gives more options when it comes to rulesets (I can move vital E-mails that hit Yahoo to my hosted Exchange server which I actually look at.) Plus, I can use features like PGP or S/MIME quite easily with it.

Don't hit the keys so hard, it hurts.