Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

Unrestricted MS group policy push means all of TLS/SSL is a complete sham.

Correct me if I am wrong.... but group policy is downloaded over CIFS via SYSVOL, and there is no encryption or digital signing of the file being downloaded, so a MITM could insert an altered group policy of the attacker's choice, including bogus certificates to be installed... of the attacker's choice.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

and if the OS can do it, so can any other software that has admin rights.

What would cause you to think that?

Administrator is a user privilege level inside the operating system. Nothing says that an admin level user can necessarily do everything. You can even make an operating system that has no such thing as admin rights, if you want.

You can certainly lockdown certain capabilities so they are available to the OS but not to 3rd party software.

One thing they could require you to do would be to visit a Microsoft website and go through a process that requires the end user to answer a captcha, login to an account, and supply a copy of the certificate, to receive a validation mark, before a local trust mark can be added, then the marked certificate can be downloaded and imported, before proceeding with a GUI-driven process.

Without the computer-specific Microsoft validation mark on the certificate, the 'Import' API calls will simply refuse to import the certificate to the trust database.

And when the cert is verified, the trust authorization validation chain's signature can be verified as well.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

You want to be able to do this automatically at least in corporate environment, and manually for development tools.

We buy certs for corporate resources. It's not necessary to have an internal CA, and from a security standpoint it's probably not very safe, since the CA is more likely to be compromised than a public CA which has more carefully implemented and audited controls.

Woo, and now a company can't have its own internal CA deployed automatically.

Why not? Just make it so that upon joining to a domain a Volume licensed copy of Windows, a domain certificate trust mark will optionally be enabled, And certificates can be installed by group policy, but only to computers that are a member of the AD domain whose administrator digitally signed the policy, and only with Enterprise or Server edition of Windows installed on the workstation.

Comment: Block off programmatic access to cert trust. (Score 3, Interesting) 113

The browsers/OSes should harden by eliminating the ability for 3rd party software to automatically install a certificate or CA as trusted into the system database. They should also remove any functionality that allows a 'globally' wildcarded certifacte to be deployed to the browser

Basically, when the computer's hostname is assigned, or during user profile creation, the trusted certificate store should be reinitialized with only stock certificates approved by the OS maker or browser vendor.

A machine-specific keypair should be generated and used to stamp all the certificates with a local trust signature.

Any access to the machine keypair / stamp should be available only through an interactive approval process.

Sysprep'ing an image or changing the product key should invalidate the local trust mark and require manual re-approval of all certs not in the browser vendor's official trust list.

Comment: Re:Overstamp twice. (Score 1) 133

by mysidia (#49107463) Attached to: Crystal Pattern Matching Recovers Obliterated Serial Numbers From Metal

I'm not sure how easy it is to scan the internals of the metal.

Acoustic microscopy.

Also, since the identification info could be encoded in various formats... such as microscopic dimples in the metal, magnetic elements, digital circuit elements such as passive RFID, or other methods

It's possible that the criminal could be unable to know whether or not there is a serial number that is still readable which the criminal themselves cannot see, since mostly just law enforcement and gun shops would have both the scanning equipment and the know-how to operate it.

Comment: Re:Overstamp twice. (Score 1) 133

by mysidia (#49103123) Attached to: Crystal Pattern Matching Recovers Obliterated Serial Numbers From Metal

Each gun already imprints a unique microscopic signature on a bullet and casing. Just submit a scan of a fired bullet and cartridge to a central database for each new firearm sold

They already tried that in Maryland, and I understand it turned out very poorly, the government itself instead of the manufacturer wound up bearing huge costs; there were error-prone and labor-intensive steps involved in taking in test-fired casings submitted by manufacturer, photographing , logging to database.

But it was also noted California DOJ survey less than 70% of the casings of the same make as the fingerprinted device yielded the correct result anywhere in the top 15 matches of the database search, for the same type of ammunition. When a different type of ammunition was used, less than a 40% success rate.

Conclusion? Capturing the natural ballistics to a database is not the way to go, if you can do better.

Comment: Re:Overstamp twice. (Score 1) 133

by mysidia (#49102477) Attached to: Crystal Pattern Matching Recovers Obliterated Serial Numbers From Metal

See... why we should require the manufacturer of every firearm to include microstamping technology, where the serial number will be imprinted on the cartridge of every round fired.

Also, should include scannable RFID tags, one scannable by the public, another RFID tag only detectable and scannable by law enforcement.

And some concealed serial number imprints, also scannable.

I figure the manufacturer could punch out a pinhole in certain places with a punch containing adjustable ridges and serial number indicated by the bitting of the punch with digital signature and error recovery codes to verify the authenticity of the number, to get the message through even in a high-noise environment, then seal the holes with a liquified metal or epoxy to prevent criminals altering the code.

Comment: Re:Taken to the cleaners... (Score 1) 132

by mysidia (#49081595) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

Trespassing? In a trade show? Really?

Why not? You ever been to a concert, where the public is invited into the building, but you may be prosecuted if you sneak in back behind the stage without permission to be there, Or may be prosecuted if you use a pass to get into one area, then sneak into the show next door?

It would be like an actor going into the theatre before a talent show and messing with the props or lighting behind the stage, when they're supposed to be in the dressing room getting ready.

They have a right to be in the building, but not a right to be in their competitor's roped out prep area, or the lighting room, or other places.

The area is not open to the public until the curtain is lifted, and the show starts. The people allowed in generally have a conditional permission to go to certain areas and do certain things to prepare for unveiling.

Even after the show starts, not all participants are necessarily given a pass with access to all areas. In some cases, vendors rent exhibition space and get discounted passes, but they are restricted to remain in their area.

Comment: Re:Double Jeopardy! (Score 2) 227

I thought AT&T was already broken up three decades ago for monopoly abuse.

No... A different entity by the same name was broken up three decades ago, this is The New AT&T.

One of the entities that was split off went and gradually bought up companies that had been broken off and re-assembled a new ginormous monopoly.

And committing new monopoly abuses --- not vertical integration, but anticompetitive behavior, such as this latest stunt against Google.

Comment: Re:Thought process (Score 4, Insightful) 227

Our competitor launched an offering that blows everything out of the water that we offer. Let's provide a product to compete! But here's the catch: Let's make it suck! That'll show 'em.

ATT is acting like a monopoly that needs to be broken up by the courts.

Comment: Re:"Obstruction of Business" (Score 1) 132

by mysidia (#49070441) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

The original argument was that Large corporations are not ever called into account for violating the law. I'm asking for citations that prove that.

That's not true. You are essentially changing the original argument in order to weaken it. Noone stated large corporations are never called into account, until yourself.

What you have provided is a grand example of conjecture with zero proof that companies of a certain size just "get away with it"

The argument has more basis than mere conjecture. The existence of some companies being called into account is proof that it is true that some companies do break the law, and it also shows, that sometimes companies do get called to account.

There is no evidence to support the contention that all (or most) companies who do break the law get called on it successfully. There is no evidence you provided to support the contention that all companies who get discovered get punished.

I'm just saying that being a huge corporation does not exempt you from being found criminally liable and the perception otherwise is nothing more than mythology born of class envy and politics.

The argument is that the larger companies have more resources available at their disposal in order to conceal their wrongdoing, therefore, the larger company is very likely to get away with much larger amounts of wrongdoing.

It's not a myth, unless you can prove it is a myth.

There are very good inherent reasons to believe this would be true.

Conjecture is not necessary. You have only to look at human nature and basic logical deduction and statistics to figure out that this is more likely to be true than what you contend.

Comment: Re:"Obstruction of Business" (Score 1) 132

by mysidia (#49068871) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

What you are claiming is mealy a common mythology, foisted on us by the likes of "Occupy Wall street" and the politicians who use class envy as a wedge issue to get votes. It is not reality true.

It might be a mythology. That does not necessarily mean there is no truth behind it.

I point to the many recent examples where large corporations where indeed cited for breaking laws, fined for it and where individuals involved where convicted.

The analogy I would use, is the lawyers and courts found and crushed a roach that got a bit too careless and gorged themself, so was laying on the kitchen counter and got accidentally discovered.

The fact that a few roaches have been killed, does not necessarily mean that the walls and attic aren't infested with more.

There are also bound to be more careless roaches or injured roaches than others.

They don't "get away" with illegal stuff just because they have an army of lawyers at their disposal.

They don't often break the law and don't get away with it when they do. It's bad business...

How would it be bad for business? These roaches cannot easily be detected. They are hiding in the wall. You just think they are savvy businessmen, or perhaps not so savvy. Probably most of them cheat a little bit, and only a few of them cheat a whole lot. Some people can make very slight transgressions from the law over a very long period of time quite covertly and not get caught, especially if they have the resources and persuasiveness to hide their transgressions.

They might earn $1 billion legitimately and steal $50 million by neglecting to pay some taxes, for example, by exploiting the tax laws of different countries and creative accounting.

Citation, please?

Most corporations are quite concerned about not breaking the law and go out of their way to avoid even the appearance of it.

Correct. Corporations are quite concerned about the appearance of having broken the law, and they wish to avoid liability that could lower profits, but have you already forgotten about how vehicle manufacturers have been concealing hazards from NHTSA and hiding product defects, deeming the risk of lawsuit as cost of doing business? (More expensive to recall than the perceived loss from lawsuits). Companies will even construct policy manuals and other paper trail in order to show 'by the book' policies respecting the law. But do you have a cite showing most larger corporations concerned about adhering to the law, even laws that lose them big $$$, for their own sake, And not solely as a form of risk management?

Comment: Re:"Obstruction of Business" (Score 2) 132

by mysidia (#49067507) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

Seems to me that if what you *think* is true that there are a pile of DA's out there who would be vying for a chance to seal their re-election by reeling in the "big fish" you seem to think are there

The big companies have lawyers, and they work the system thoroughly. The "big fish" are not merely "big", but they have intelligence and many smart people working for them as well. They also have folks surrounding them to help take the "fall" or steer the investigation towards designated scapegoats.

Attempting to go after so-called "big fish" would not seal their re-election, and it would likely be career suicide.

They don't get where they are without having a large social network and plenty of contacts within government to call in some kinds of favors with.

Young bright "hot shot" DA won't be such a hot shot, when there are higher execs in his chain of command breathing down his/her neck, and DA needs to leverage the social network to advance.

Comment: Re:"Obstruction of Business" (Score 1) 132

by mysidia (#49067455) Attached to: LG Exec Indicted Over Broken Samsung Washing Machine

Yeah, but in the US, you don't go to jail for that. Tortious interference is a civil violation.

If I understand correctly, the Obstruction of business charge is criminal, and can contribute to the exec's potential prison sentence.

The concept might come to the US by way of international treaty, but for now, I think for now the officials are concentrated at getting copyright extended from civil to criminal with felony jail terms added to the most menial of copyright violations for file downloaders / P2P traders, as part of the upcoming "War on downloaders"

"Don't tell me I'm burning the candle at both ends -- tell me where to get more wax!!"

Working...