Please create an account to participate in the Slashdot moderation system


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:"old sata drives"? (Score 1) 73

by mlts (#49514929) Attached to: New PCIe SSDs Load Games, Apps As Fast As Old SATA Drives

I'm not sure why this is news. Sticking any device on the PCIe bus is going to allow for a lot more speed than using the SATA bus, and because SSDs are not limited by any mechanical mechanism, many layers of RAID 0 striping can be used to keep increasing performance.

Where I see this a big help personally is virtualization [1]. Even a SSD that is stuffed into an enclosure and is run over USB 3, because VMs do a lot of random I/O, performance is distinctively better than HDDs.

[1]: With all the Web based compromises lying in wait, it is wise to run VMs and separate tasks. Plus, with App-V, Unity, and other methods, it doesn't take much from usability.

Comment: Re:HP Moonshot Superior? (Score 2) 129

by mlts (#49493179) Attached to: AMD Withdraws From High-Density Server Business

I've personally played around with the Moonshot and being able to squeeze 45 blades in a 5U rack (the specs say 4.3U...) is a nice thing. Each blade has two DIMM spaces and a SSD, which is good enough to load a hypervisor, then use the onboard bus for going to a storage array.

I wouldn't say that each blade is as powerful as a blade in HP's conventional 16 blade enclosure (which takes 10 rack units), nor as powerful as a 1U standalone server... but you can choose what goes in, from a low end Xeon on the m710 to an AMD offering, to an Intel Atom, to ARM based procs.

High density enclosures like the HP Moonshot are quite useful. VM farms come to mind as well as privilege separation for security sensitive tasks. VDI also comes to mind (so the extremely sensitive stuff can be used and manipulated by RDP or Citrix Receiver as seamless applications, but a compromise of a user's desktop doesn't allow the entire database to be taken.) It also makes a decent testbed when doing production to test copies and staging OS/program updates for soak testing before they updates are pushed into the field. I wouldn't say high density server platforms will replace everything else (due to physical limitations, the blades are not going to outperform standard 2 Xeon machines), but they are a useful thing to have and help save space in the server room.

Comment: Re:"shoup" is not easy (Score 1) 105

by mlts (#49485455) Attached to: The Voting Machine Anyone Can Hack

To me, there needs to be a paper trail. Like the lottery issue a few days ago, if someone tampers with the RNG and does it in a manner that their modifications can be backed out, there is no way to tell it was done.

This doesn't have to be in a way that causes hanging chads. It just has to be a way of logging people's votes to a physical medium that is both machine readable and human readable.

This way, when someone votes, they get a paper ballot printed out that they can doublecheck. Then it shouldn't be an issue to tally up the votes via the printed cards. Hell, universities do this all the time with Scantrons for tests and finals, in far greater volume per location than voting precincts do.

Add Chaum's verifiable voting, and one has an open, secure system.

Comment: Re:Consumers are not going to notice much differen (Score 1) 72

by mlts (#49480049) Attached to: Samsung SSD On a Tiny M.2 Stick Is Capable of Read Speeds Over 2GB/sec

The concept of a workstation has been pretty much marginalized due to things being "good enough". I might see one that is mainly to interact with a dedicated appliance (CNC mill), or perhaps a few workstations when working with definite tasks, but they tend to be bit players compared to desktops or laptops.

The desktop is becoming a role, as opposed to a device. For example, the Surface Pro when plugged into a dock functions as a desktop role. Same with most laptops.

As for laptops, they are nowhere near as expandable as a desktop... but they will do. A laptop with a decent SSD, 8-16 GB of RAM, and four cores can do OK at virtualization for small tasks.

Comment: Re:M.2 Specification (Score 1) 72

by mlts (#49479941) Attached to: Samsung SSD On a Tiny M.2 Stick Is Capable of Read Speeds Over 2GB/sec

I have worked with people who could stick any object in any connector... they just had to get a big enough of a hammer. The most common I've encountered are VGA plugs into serial ports (which bend the pins in all directions.)

I am guessing that the people who designed this connector's configuration assumes it is not going to be user accessible for the post part, so they didn't really worry about it being 100% foolproof.

Comment: Re:Has anyone waited 60 days? (Score 1) 72

by mlts (#49479915) Attached to: Samsung SSD On a Tiny M.2 Stick Is Capable of Read Speeds Over 2GB/sec

Does the tool need to be run on MS just once (like a firmware flash), or is it a driver in the OS? If the former, I can probably slap Windows on briefly just to run the fix. If it has to be loaded and run... heck with that. Intel may not be perfect, but they are a good baseline of what SSD should be measured by.

Comment: Re: For work I use really bad passwords (Score 1) 136

by mlts (#49479139) Attached to: Cracking Passwords With Statistics

One thing about work passwords (and in general, I'm assuming this is an AD or LDAP user account), any sane setup should lock the account after a certain number of guesses [1], so 15-20+ character passwords are not as needed, assuming the account isn't an admin account or a service account which never will have its password changed. (For service accounts, I like using a randomly generated 128 character Unicode passphrases because those accounts are set to not get locked due to brute force attempts, so they have to have actual brute-force resistance.)

With this in mind, a "work" password with the Microsoft defaults (as shipped with Windows server releases) is reasonably secure.

For finances, I use not just a completely different password, but an E-mail address on a private domain that doesn't get used anywhere else. I also try to enable 2FA if possible.

For other passwords, I just use a mechanism that asks for a master passphrase, then uses a MD5 hash of the site + the passphrase to derive the password for that website. This way, there isn't much to store, and they are easily regenerated.

[1]: Of course, unlock it after a period of time has passed. I've seen some companies have a "keep accounts locked until manually unlocked" policy... only to discover that it takes more time in manning a phone bank 24/7 to have someone unlock accounts as opposed to just locking an account for a few minutes (which is good enough to help mitigate a brute force password guess attack, especially if logs that alert someone are used.)

Comment: Re:Honestly ... (Score 1) 342

by mlts (#49471829) Attached to: Allegation: Lottery Official Hacked RNG To Score Winning Ticket

Tamperproofing isn't that expensive. The SIM card on a phone will zap itself if decapped, same with my $45 eTokens.

Another example of this was the Java iButtons from Dallas Semiconductors (RIP.)

If a company wanted a tamperproof card, it could be done fairly easily with the entire module epoxy potted to further deter unauthorized modification.

Comment: Re:Off Site (Score 1) 443

BD-Rs are good, as well as the newer archival grade DVDs (Verbatim UltraLife, for example.)

My vote is to not just use a single medium. Every storage type has good and bad:

1: Cloud storage is easily accessible and easy to use... but is potentially insecure, and the provider can go down taking your data with it.

2: SSD is fast and usable, but when it dies, there is zero chance of data recovery, long term, once the electronics bail the gates.

3: Tape is archival grade with extremely long lifetimes, limited lifetime warranties on media (not data stored), is fast, and has a high capacity... but tape drives are extremely expensive. There is also the issue of a standard to put data on and off, although LTFS helps mitigate this.

4: Optical is widespread with plenty of drives... but doesn't have much capacity, and some disks wind up with bit rot.

5: Hard disks are quite popular, easy to use, fast... but most have just a year warranty, and tend to fail.

6: Printing to paper is possible... QR codes are one way. There is a utility called Paperback (formerly named Paperbak) which prints files out. However, I have had issues with the 1.0 version and scanning back documents, although 1.1 seems to be a lot better at getting back data. Of course, this doesn't store much data, but paper burns at a lot hotter temperature than most other physical media, so it would be useful for storing recovery keys and such.

I recommend using redundant backup media types, combined with different backup programs, perhaps different encryption mechanisms (TrueCrypt, PGP, GnuPG, etc.) This way, if one can't find a backup or encryption program (I doubt you might be able to find a copy of TC in 10-15 years, but something that decoded PGP is likely to be around), there are other ways.

Backup utilities are also something to watch out for. Every program has a different way of stashing data. You don't just need the utility, but you will also need the license key for it... and even then, I've encountered consumer level programs which will still fail and demand an upgraded version before they might consider restoring data.

tl;dr, diversify. At the minimum, use an external drive with encryption for bare metal backups, and then have documents synced with a cloud provider (encrypted of course)... and occasionally burn critical stuff to optical media.


Florida Teen Charged With Felony Hacking For Changing Desktop Wallpaper 626

Posted by Soulskill
from the climate-of-fear dept.
colinneagle writes: A 14-year-old middle school student in Holiday, Florida, was arrested this week and charged with "an offense against a computer system and unauthorized access," which is a felony. The student reportedly used an administrator password to log into a teacher's computer and change the background image to a photo of two men kissing.

The student also revealed his secrets after he was caught – the password was the teacher's last name, and the teacher had typed it in in full view of the students. The student said many other students used these administrators' passwords (their teachers' last names) so they can screen-share and video chat with other students. The student was briefly held in a nearby detention center, and the county Sheriff warned that other teenagers caught doing the same thing will "face the same consequences."

Comment: Re:If you don't control it it's compromised. (Score 1) 86

by mlts (#49431485) Attached to: Ask Slashdot: How Serious Is Hacking In Mobile Games?

For real security, the client should just be "eyes/ears" for the server, similar to how MMOs are. This was true back in the UO days, and is true now.

At least phones and mobile devices are easier to track and ban cheaters because you can ban an account and if any new accounts touch that device's IMEI, they get auto-banned after a random period of time as well. A simple check for a su binary on Android or a check if one can write outside the app's directory in iOS will deal with rooted/jailbroken devices.

Another trick is to update often, preferably with completely different offsets for code and/or obfuscation algorithms so if a group is making patches for the game, they would have to be constantly after a moving target, even if the update just changes a constant or two.

Comment: Re: Take a page from the China mobile game scene (Score 1) 86

by mlts (#49431177) Attached to: Ask Slashdot: How Serious Is Hacking In Mobile Games?

Only problem with that logic is that EA and Ubisoft are quite successful right now, which only sets an example that extreme DRM, DLC, and releasing only a few hours worth of content and calling it a game is the way to earn money in the industry. Especially with consoles where there is a 0% piracy rate and the game developers control everything on that platform.

Of course, it would be nice to see another ID or Bioware. I'm sure there is money to be made on games with a long tail like Neverwinter Nights and NWN2 [1]. However, there just doesn't seem to be an interest to push in that direction. It seems that almost all newer games either fall into the bottomless pit of F2P-P2W or are part a mediocre sequel in a franchise. Even the SimCity app on the phone was all about IAP in order to make your city not suck.

[1]: Ignore the NWN OC... IMHO, that was more of a demo of what one can do with the toolkit than something playable.

Technology is dominated by those who manage what they do not understand.