
Comment: Re:Passed Time (Score 1) 130

by mysidia (#49177127) Attached to: Supreme Court Gives Tacit Approval To Warrantless DNA Collection

What are you, in law enforcement? This is a story about warrantless collection of DNA in a rape case. Not everyone is a rapist.

That's true.... but if enough people are in the DNA database, then it is likely for many innocent people to wind up being accused.

If police have sampled armchair DNA from 10 million people over the years and built a database of 1 million entries.

If the confidence of a match in the DNA test is 99.99%.

Then that means the test is still wrong 0.01% of the time, so in such a large database, there could easily be 1000 bogus matches.

If police had decided to interrogate the guy and decided there was probable cause, then I think it was in their rights to get a DNA sample, just like it was in their rights to fingerprint any suspect.

What I see as abusive is covertly securing information from people.

For DNA to be analyzed by law enforcement and attributed to a person: it should definitely be required to be secured in a more reliable manner than gathering from the environment.

Unless the environment is the actual scene of the violent crime being investigated, gathering DNA surreptitiously and in a manner where it would likely be subject to contamination should not be allowed.

Comment: Re:Morale of the Story (Score 1) 212

Don't Kickstart something that seems like a good idea but has never been done before. If it's really a good idea then people have either tried and failed multiple times before

Why not? Sure it's a risk. But nothing good ever came out of not taking risks.

However.... It would probably be a good idea to not offer or promise 'donation rewards' that can only be delivered if the project is successful.

I do not see how some additional open source software and PCB designs being released is not a win for the community and the people who did the project. Sure, they did not have the success they hoped, and they effectively found their design wasn't viable to meet the objectives.

But just because the project didn't work out did not mean that the outcome was useless or not worth what went into it.

Comment: There's probably a simple resolution for this (Score 1) 523

The law must be satisfied to the extent possible.

For starters: No deleting any e-mail in the personal account until the gov't can review. Hand over the credentials for the "personal" accounts and allow all messages contained or archived to be copied to the federal servers and go into the public record; contact the email service provider with a court order to hand over all backups, have a police seizure of all digital media Mrs. Hillary had access to, and charge Mrs. Hillary the cost of compliance with the order for recovery of official messages resulting from non-compliance with the law.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

Unrestricted MS group policy push means all of TLS/SSL is a complete sham.

Correct me if I am wrong.... but group policy is downloaded over CIFS via SYSVOL, and there is no encryption or digital signing of the file being downloaded, so a MITM could insert an altered group policy of the attacker's choice, including bogus certificates to be installed... of the attacker's choice.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

and if the OS can do it, so can any other software that has admin rights.

What would cause you to think that?

Administrator is a user privilege level inside the operating system. Nothing says that an admin level user can necessarily do everything. You can even make an operating system that has no such thing as admin rights, if you want.

You can certainly lock down certain capabilities so they are available to the OS but not to 3rd party software.

One thing they could require you to do would be to visit a Microsoft website and go through a process that requires the end user to answer a captcha, log in to an account, and supply a copy of the certificate, to receive a validation mark, before a local trust mark can be added; then the marked certificate can be downloaded and imported, before proceeding with a GUI-driven process.

Without the computer-specific Microsoft validation mark on the certificate, the 'Import' API calls will simply refuse to import the certificate to the trust database.

And when the cert is verified, the trust authorization validation chain's signature can be verified as well.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

You want to be able to do this automatically at least in corporate environment, and manually for development tools.

We buy certs for corporate resources. It's not necessary to have an internal CA, and from a security standpoint it's probably not very safe, since the CA is more likely to be compromised than a public CA which has more carefully implemented and audited controls.

Woo, and now a company can't have its own internal CA deployed automatically.

Why not? Just make it so that upon joining a volume-licensed copy of Windows to a domain, a domain certificate trust mark will optionally be enabled, and certificates can be installed by group policy, but only to computers that are members of the AD domain whose administrator digitally signed the policy, and only with an Enterprise or Server edition of Windows installed on the workstation.

Comment: Block off programmatic access to cert trust. (Score 3, Interesting) 113

The browsers/OSes should harden by eliminating the ability for 3rd party software to automatically install a certificate or CA as trusted into the system database. They should also remove any functionality that allows a 'globally' wildcarded certificate to be deployed to the browser.

Basically, when the computer's hostname is assigned, or during user profile creation, the trusted certificate store should be reinitialized with only stock certificates approved by the OS maker or browser vendor.

A machine-specific keypair should be generated and used to stamp all the certificates with a local trust signature.

Any access to the machine keypair / stamp should be available only through an interactive approval process.

Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.
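A small model of the local trust mark scheme proposed in this comment, written as an added example; it is not part of the original post and does not use any real Windows or browser API. It assumes a per-machine secret with an HMAC standing in for the machine keypair's signature, and byte strings standing in for certificates.

```python
import hashlib
import hmac
import secrets


def fingerprint(cert: bytes) -> str:
    # Assumption: a "certificate" here is just its raw bytes.
    return hashlib.sha256(cert).hexdigest()


class LocalTrustStore:
    """Trust store where every trusted cert carries a machine-specific
    'local trust mark'. The mark is an HMAC under a per-machine secret,
    a stand-in for the signature by a machine keypair the comment proposes."""

    def __init__(self, stock_certs):
        self._machine_key = secrets.token_bytes(32)          # constructed machine secret
        self._stock = {fingerprint(c) for c in stock_certs}  # vendor's official list
        # fingerprint -> (cert bytes, mark); stock certs are marked at init
        self._trusted = {fingerprint(c): (c, self._mark(c)) for c in stock_certs}

    def _mark(self, cert: bytes) -> bytes:
        return hmac.new(self._machine_key, cert, hashlib.sha256).digest()

    def approve_interactively(self, cert: bytes, user_confirmed: bool) -> bytes:
        # The only path that can mint a mark; models the interactive approval step.
        if not user_confirmed:
            raise PermissionError("local trust mark requires interactive approval")
        return self._mark(cert)

    def import_cert(self, cert: bytes, mark: bytes) -> bool:
        # Programmatic import path: refuses anything that lacks a valid mark.
        if not hmac.compare_digest(mark, self._mark(cert)):
            return False
        self._trusted[fingerprint(cert)] = (cert, mark)
        return True

    def is_trusted(self, cert: bytes) -> bool:
        entry = self._trusted.get(fingerprint(cert))
        return entry is not None and hmac.compare_digest(entry[1], self._mark(cert))

    def rekey(self) -> None:
        # Sysprep / product-key change: fresh machine key. Stock certs are
        # re-marked automatically; every other mark becomes invalid and the
        # cert must go through approve_interactively() again.
        self._machine_key = secrets.token_bytes(32)
        self._trusted = {f: (c, self._mark(c))
                         for f, (c, _) in self._trusted.items() if f in self._stock}
```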

Comment: Re:Overstamp twice. (Score 1) 133

by mysidia (#49107463) Attached to: Crystal Pattern Matching Recovers Obliterated Serial Numbers From Metal

I'm not sure how easy it is to scan the internals of the metal.

Acoustic microscopy.

Also, since the identification info could be encoded in various formats... such as microscopic dimples in the metal, magnetic elements, digital circuit elements such as passive RFID, or other methods

It's possible that the criminal could be unable to know whether or not there is a serial number that is still readable which the criminal themselves cannot see, since mostly just law enforcement and gun shops would have both the scanning equipment and the know-how to operate it.

Comment: Re:Overstamp twice. (Score 1) 133

by mysidia (#49103123) Attached to: Crystal Pattern Matching Recovers Obliterated Serial Numbers From Metal

Each gun already imprints a unique microscopic signature on a bullet and casing. Just submit a scan of a fired bullet and cartridge to a central database for each new firearm sold.

They already tried that in Maryland, and I understand it turned out very poorly: the government itself, instead of the manufacturer, wound up bearing huge costs; there were error-prone and labor-intensive steps involved in taking in test-fired casings submitted by the manufacturer, photographing them, and logging them to the database.

But it was also noted in a California DOJ survey that less than 70% of the casings of the same make as the fingerprinted device yielded the correct result anywhere in the top 15 matches of the database search, for the same type of ammunition. When a different type of ammunition was used, there was less than a 40% success rate.

Conclusion? Capturing the natural ballistics to a database is not the way to go, if you can do better.

Comment: Re:Overstamp twice. (Score 1) 133

by mysidia (#49102477) Attached to: Crystal Pattern Matching Recovers Obliterated Serial Numbers From Metal

See... why we should require the manufacturer of every firearm to include microstamping technology, where the serial number will be imprinted on the cartridge of every round fired.

Also, it should include scannable RFID tags, one scannable by the public, another RFID tag only detectable and scannable by law enforcement.

And some concealed serial number imprints, also scannable.

I figure the manufacturer could punch out a pinhole in certain places with a punch containing adjustable ridges and serial number indicated by the bitting of the punch with digital signature and error recovery codes to verify the authenticity of the number, to get the message through even in a high-noise environment, then seal the holes with a liquified metal or epoxy to prevent criminals from altering the code.

Comment: Re:Taken to the cleaners... (Score 1) 132

by mysidia (#49081595) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

Trespassing? In a trade show? Really?

Why not? You ever been to a concert, where the public is invited into the building, but you may be prosecuted if you sneak in back behind the stage without permission to be there, or may be prosecuted if you use a pass to get into one area, then sneak into the show next door?

It would be like an actor going into the theatre before a talent show and messing with the props or lighting behind the stage, when they're supposed to be in the dressing room getting ready.

They have a right to be in the building, but not a right to be in their competitor's roped out prep area, or the lighting room, or other places.

The area is not open to the public until the curtain is lifted, and the show starts. The people allowed in generally have a conditional permission to go to certain areas and do certain things to prepare for unveiling.

Even after the show starts, not all participants are necessarily given a pass with access to all areas. In some cases, vendors rent exhibition space and get discounted passes, but they are restricted to remain in their area.

Comment: Re:Double Jeopardy! (Score 2) 227

I thought AT&T was already broken up three decades ago for monopoly abuse.

No... A different entity by the same name was broken up three decades ago, this is The New AT&T.

One of the entities that was split off went and gradually bought up companies that had been broken off and re-assembled a new ginormous monopoly.

And committing new monopoly abuses --- not vertical integration, but anticompetitive behavior, such as this latest stunt against Google.

Comment: Re:Thought process (Score 4, Insightful) 227

Our competitor launched an offering that blows everything out of the water that we offer. Let's provide a product to compete! But here's the catch: Let's make it suck! That'll show 'em.

ATT is acting like a monopoly that needs to be broken up by the courts.

Comment: Re:"Obstruction of Business" (Score 1) 132

by mysidia (#49070441) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

The original argument was that Large corporations are not ever called into account for violating the law. I'm asking for citations that prove that.

That's not true. You are essentially changing the original argument in order to weaken it. No one stated large corporations are never called into account, until yourself.

What you have provided is a grand example of conjecture with zero proof that companies of a certain size just "get away with it"

The argument has more basis than mere conjecture. The existence of some companies being called into account is proof that it is true that some companies do break the law, and it also shows that sometimes companies do get called to account.

There is no evidence to support the contention that all (or most) companies who do break the law get called on it successfully. There is no evidence you provided to support the contention that all companies who get discovered get punished.

I'm just saying that being a huge corporation does not exempt you from being found criminally liable and the perception otherwise is nothing more than mythology born of class envy and politics.

The argument is that the larger companies have more resources available at their disposal in order to conceal their wrongdoing, therefore, the larger company is very likely to get away with much larger amounts of wrongdoing.

It's not a myth, unless you can prove it is a myth.

There are very good inherent reasons to believe this would be true.

Conjecture is not necessary. You have only to look at human nature and basic logical deduction and statistics to figure out that this is more likely to be true than what you contend.
