Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:This is a GODDAMN DISASTER! (Score 1) 156 156

With most other currencies, there is always the chance that once a payment is done, it can be taken away. For example, you sell something on $AUCTION_SITE, get paid via credit card, then find the CC company slurped the money back out, as the credit card owner has disputed the charge... now it is your job to sue the individual and get your cash back, although you were technically "paid".

Or, you get a check, cash it, and get a NSF charge because of it bouncing.

Even cash has this problem. You take a $20, only to find it is a $1 note, except someone cut and pasted a part from a higher denomination bill on that, or the bill could be an entire counterfeit.

The good and bad about BitCoin is that once the transaction is made and runs through the system, it is permanent. No backtracking. That currency has transferred hands irrevocably, and outside of breaking cryptographic protocols, there is no reversing it, so a wallet with coins can have them pulled out without the wallet's private key.

If one knows that, and always takes that into account, it makes one extremely leery of exchanges and "BitCoin bank accounts", because eventually, someone is going to make off with the goodies, and there is nothing anyone can do about it. Caveat emptor.

This doesn't mean BitCoin is perfect either. If you want to be sure you are not going to on the losing end of a double-spending, you have to run the entire blockchain before accepting a transaction, and this takes a lot of time and a good net connection. Any shortcuts only can cause grief in the long run. BitCoin was designed so you didn't have to trust anyone, so might as well take advantage of it.

Comment: Re:both will produce "literature"? (Score 2) 19 19

With the boilerplate novels and cookie-cutter movies being cranked out, I wonder if a computer would eventually be a better writer/artist than what we have now.

One could even add music into the list as well, where a marketing person could click on an interface, randomly select what an album would have for songs, and the computer would create a band (name, color scheme), write the lyrics, compose the pieces, even pick people from YouTube who would become the band members. Or toss the physical band members, have an avatar like Miku and call it done. Pop music can just be relegated to a cronjob that fires off, weights lyrics on statistics gleaned from ad sites and news articles, makes the songs, mixes/masters the album, and spits out music for the music stores, no human effort needed in the creativity process.

Similar with movies. The computer would grab weighting on what social topics are being thought about when the movie is created (so the movie has some impact), create some characters, follow a meta-script to generate the dialog, generate terrain and scenery render the scenes and CGI action, and out pops a blockbuster hit at the push of a button, no actors needed.

Comment: Re:kernel developers on Macs - that would be me (Score 1) 209 209

I will give credit that Apple hardware is pricy.

However, Apple has one thing at the consumer [1] level... and that is very good CS. For someone nontechnical who is using their computer as their way of earning their living, if something glitches on a PC, generally they may rack up a hefty support bill. If they get an odd glitch on a Mac, Apple supports the hardware, OS, maybe even the application, so the infernal "everyone points fingers at each other" syndrome tends to be less of an issue.

With a new Mac, someone can pay a C-note and get a year's worth of handholding so they get some knowledge of how to do a task. For people like this, it isn't about the computer, it is using the machine to get the job done, be it music production, video editing, photography, or other items. For Slashdot readers, this isn't something that would be considered, but there are a lot of people who just want to buy the tool to do their work, even if it costs more. For example, MAC and Snap-On tools are more expensive than what comes off the boat to a Harbor Freight store... but the expensive tools tend to be better in the long run since they last longer, and if they do break, there is a no questions asked warranty. Similar with Macs.

[1]: Business level, it is completely different, because enterprise service is quite good from PC vendors... but this isn't relevant for most users.

Comment: Re:Looking to move off of iTunes (Score 1) 209 209

I'm the same way. If the music management program can tell the difference between 2-3 versions of the song, but are different remixes, as well as not overwrite the lossless version of a song with a MP3, I'm happy.

I used to worry about tags... but these days, I have so many other things on my plate that if some software can do the grunt work, so much the better.

Comment: Re:No way in hell (Score 1) 121 121

I hope that is the case. The fewer plug-ins, the better. Right now, if I wanted to watch a video on a web page, it may be in HTML5, it might be HTML+DRM, it may be in Quicktime, it might be in Silverlight, Java, RealAudio, or of course, Flash.

Even if we dispensed with all the plugins and the world magically ran on standards built in all browsers, there are always still security issues. Especially if they give any website it touches full access to hardware, which means it has the option of reflashing firmware or other nefarious tasks. All malware needs is a user context, or just the web browser's context (so it can use the browser for keylogging info in all windows.)

Browsers have to have more thought about security than even firewalls, because they have to deal thoroughly with untrusted, if not hostile code that can try to do anything (jam the CPU, spam dialogs.) The browser in itself really can't do it. It really needs help from the OS for separation, either via policies like SELinux or IE's Low context, or be placed in a sandbox or VM where all writes are virtualized safely away from the rest of the machine.

Comment: Re:No way in hell (Score 3, Interesting) 121 121

Here is the big question: How do the plugins (Flash, Shockwave, Java, Acrobat, DRM video players) run? Are they running in the same context as the browser (like current IE), run in a separate process (like Firefox), or run in a more isolated VM where each tab and window is in its memory space (Chrome)?

The Web browser is the first source of attack, and one of the primary means for malware to get on a system. Even with the low security context that IE had starting in Vista, that wasn't sufficient for isolation. It almost takes running the browser in a sandbox (sandboxie) or a complete VM (with its own filesystem) to protect a machine against browser weaknesses, just because a browser is always in constant contact with untrusted code.

I hope MS designs Edge with a lot more isolation (so a compromised add-on in one window can't attack another window or tab), because when designing a new browser is the only real time that they can do it right with security, as opposed to reactively fight fires, as with IE.

Comment: Re: Our saving grace, perhaps? (Score 1) 36 36

There has been a few cases where I've ended up doing a V2P migration (which is extremely rare, but usually for something that, by policy, has to be on its own hardware, or that I create the VM and get the app in place and tested, then image it to a machine's bare metal for production use via WIM or another mechanism.) I'm sure these will leave the VMWare client files running, but not doing anything, similar to how a Hyper-V to VMWare migration leaves the Hyper-V files present.

In fact, if one turns on Hyper-V in Windows 8 and newer, it might register as a VM to malware, even though it essentially is just a single instance.

Ideally, depending on environment, I've found that separating the system from programs under Windows is tough. Reinstall the system, and most programs will need to be reinstalled due to Registry entries missing. Some programs can allow this (mainly MMOs, oddly enough -- WoW, Rift, EQ, and EQ2 can be split off and run on a Windows instance without reinstallation), but most won't. So, for Windows, keeping one's data separate is more of a focus than splitting the application from the OS.

OS X has a similar issue (mainly because /Applications can't really be moved to a separate partition [2], but I could be wrong.) However, it is easy to move /Users to another partition.

Other operating systems, a system, application, and data separation makes sense. In AIX, this is something you are supposed to do, so you can have multiple rootvgs available [1]. Linux, it is good as well, since you can split /opt off and reinstall without affecting applications.

[1]: In high security installs of AIX, no process has root. UID 0 can be configured to be just a schmuck user. To update these where no process has the ability to install software, the rootvg needs to be rebooted, another instance of AIX loaded that will do the OS updates to the secure one, then the machine (or LPAR) gets booted back to the secure OS root.

[2]: Wish Apple would bite the bullet and add ZFS into OS X as a root filesystem (and not via FUSE.) This way, it really doesn't matter where what data is physically located where, other than the code for booting.

Comment: Re:BECAUSE IDIOTS PAY IT! (Score 1) 36 36

I read people saying the exact same thing about Macs, with statements that OS X is "100% secure". After recent events, I don't read much about that (although with the fact that most Mac programs are downloaded from a secure repo does help put the kibosh on Trojans.)

Linux isn't bulletproof. There are new programs that wind up even in enterprise distros that can wind up being avenues for remote attack. Plus, Firefox under Linux will behave the same if compromised just as Firefox under Windows does. I do agree the AdBlock/ghostery/noscript addons are the most important frontal defense, arguably more important than an AV program, but nothing is completely secure, not even on Linux.

This isn't to bash Linux... but it isn't invulnerable, especially if it started picking up traction on the desktop.

Comment: Re: BECAUSE IDIOTS PAY IT! (Score 1) 36 36

This does exist, and is the UDF filesystem. This allows writing in packets and sessions, without affecting existing data on media. However, having a hard drive controller enforce this (to prevent a blkdiscard /dev/sda or a dd if=/dev/zero of=/dev/sda) would take some engineering.

Next to an appliance, the real answer to this might be good old fashioned tape. The newer LTO drives can use WORM media, can be hardware set read-only, and encryption can be set on the drive itself. However, tape has wound up being aimed at the enterprise. Maybe if some maker of the LTO consortium made a drive that could tolerate lower speeds and run at USB 2.0 as a low common denominator, this would improve the ability to have reliable backups.

Comment: Re:You know it's not going to work (Score 1) 256 256

I just wonder where the point of pushback is. For example, one reason I see kigurumi becoming popular is because it allows people to interact with each other, except FB and other pictures only have the person's doll masks as photos. Yes, wearing masks and zentai suits can be made illegal, but it only ensures people will push back harder, especially here in the US where prohibition, and the War on Drugs have showed that making something illegal only makes it more popular... basically a long term Streisand effect.

I'm also noticing that physical gaming at stores is resurging, so people are trending away from stuff like WoW, and going back to Warhammer or just playing pencil and paper AD&D or Pathfinder. Having people not interested in doing every bit of communication electronically is a positive step.

Comment: Re: Our saving grace, perhaps? (Score 1) 36 36

For now that is. Right now, malware writers are going for low hanging fruit, who don't even know what a VM was, or if they ran one on their desktop, would complain about performance (not knowing the VM disk images belong on a SSD, or at least their own spindles to not contend with the host desktop OS [1].

Once VMs gain traction (say someone combines dedupe with COW and applications wind up with their instance of an OS with just the footprint of the application so VMs become as common as applications with their own separate stack/heap are now), it will be a different story. We will start seeing attacks on hypervisors start being attempted [2], but since hypervisors have historically been built from the ground up for security, this will help mitigate things. Of course, as stated elsewhere, the bad guys can always have their code pull chaff such as a fake malware instance to lead researchers on rabbit trails.

[1]: Desktop OS. This isn't as big an issue with ESXi, especially with compute nods and big fat disk caches on the HBAs or CNAs.

[2]: Mixed bag. I'd like to see hypervisors get hardened, but if there is some sort of attack at the CPU level, that means malware in one VM has it made on the entire machine... and there would be no way to ever address that short of tossing the CPU or entire machine.

Comment: Our saving grace, perhaps? (Score 2) 36 36

This may be our saving grace, something as simple as doing one's work in VMs, using the bare metal OS pretty much as a hypervisor and method to back up the VM images. With SSDs, this makes the job easier (because booting an OS isn't that I/O intensive, but you have multiple instances fighting for the drive head on conventional HDDs, which causes I/O slowdowns across the board.)

VMs are one of the few tools that can fight ransomware effectively. If the software doesn't play and deletes itself, no major loss. When hypervisors start getting "smarter" and are able to use heuristics to detect zero day infections that are hidden to the OS in a VM, this will raise the barrier significantly. Of course, the ability to roll back to a known, good snapshot in seconds completely negates ransomware's ability to destroy stuff, forcing the software to have to be inactive for a long period of time to hide its functioning.

Comment: Re:BECAUSE IDIOTS PAY IT! (Score 1) 36 36

I'm reading this as basically creating a tar file of the machine and documents, throwing it to a remote machine's incoming directory, and that incoming machine moving the file to somewhere inaccessible to the client?

This is a way to do it, but might be better to just have the NAS or other appliance initiate the pull so the data can be better stored in snapshots.

Comment: Re:Not a Federal priority (Score 2) 36 36

Now that's the rub. All it takes is for the trail to hit a country that is overtly hostile to the US, or just not willing to cooperate, and the trail goes cold. For example, if the perp who made malware tools was situated in Yemen, Brazil, or Venezuela, the local government would be giving the person accolades for doing such a thing.

As for Bitcoins, they are definitely traceable. However, efforts like tumblers and CoinJoin may be new and holes found, but they are getting better, and if combined with an exchanges that would trade BTC for another currency, that would leave the trail cold. If worse comes to worst, there will be someone who makes a BitCoin 2.0 that has anonymity built in.

US law enforcement can't really fix this problem, just because it is almost invariable that any investigation will lead outside of the country's borders, forcing any police work to become an international effort, and other countries tend to really not care if a foreign citizen gets taken for a ride, as opposed to investigating domestic issues.

This is a problem that has to be fixed by technical means. Legal means will not really work here.

Comment: Re:You know it's not going to work (Score 5, Interesting) 256 256

It also is going to backfire.

Take SSL/TLS. Are they going to demand both parties stash the session key, or do their handshaking through a proxy logging each packet? The first time some intruders nail that data store and find out a bunch of banking passwords, the cost of that breach will be incredible. If they alter the SSL/TLS algorithm, will it bring unexpected changes that destroy the algorithm's security, or the code used not implement the changes in a secure fashion?

As for outlawing it, it -could- be done, but it would require far-reaching internal and external controls, with very sophisticated algorithms to detect unauthorized encryption, and pull that machine from the net. However, this is a cat and mouse game... and ultimately, the bad guys are just going to do like Daesh, and AQ before them... and go back to couriers, dead drops, and burner phones. Yes, it doesn't give as fast results as the Net, but it is a lot tougher to intercept. So, it an be done... but it is doubtful that even the British people would tolerate this much interference in their lives.

After an instrument has been assembled, extra components will be found on the bench.