Become a fan of Slashdot on Facebook


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:How's this any different... (Score 2, Informative) 114

by nyet (#49114115) Attached to: Lenovo Hit With Lawsuit Over Superfish Adware

This fine bloatware didn't merely act as an MiTM, it do so so incompetently that it exposed the user to basically any MiTM attack on an SSL connection(the root cert it used to sign bogus certificates was identical across every installation and effectively unprotected and the MiTM component would re-sign any cert handed to it, even an invalid one, opening the user to downright trivial MiTM attacks.

Many "enterprise" (lol) class proxies (deployed by corporations to "protect" their internal networks") do the exact same thing.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

There shouldn't be any ability to tamper with the OS so fundamentally and so easily.

Guess what? If you use a windows machine at work, your boss can already install whatever bogus root CA's he wants into your machine without you knowing it, via GP. And he'll claim he has to, because w/o it, the corporate proxy can't MITM you.

Comment: Re:Block off programmatic access to cert trust. (Score 1) 113

That is a feature, not a bug. The whole point to Windows GP is to allow your boss to push bogus root CAs into your work machines' store (without you knowing it, let alone preventing it) so the corp proxy can MITM sniff all of your https traffic at will. Remove that ability, and expect your local PHB to whine incessantly.

Never mind that the idiots running the IT dept have no clue how bad it is to deploy a CA that can automatically sign forged certs arbitrarily. And most employees are clueless enough to never bother checking their trust root CA list.

Unrestricted MS group policy push means all of TLS/SSL is a complete sham.

Hopefully this Superfish fiasco will bring this to light, However, I am not optimistic, given the quality of reporting on it so far, and the fact that employers do not want their employees to know exactly how much the corporate proxy has compromised the entirety of internet security.

I know the response is "well just trust your IT dept, they won't let their bogus root CA priv key fall into the wrong hands; corporate proxies are for your own good".


Comment: Re:Other computer manufactures (Score 1) 134

by nyet (#49104061) Attached to: Homeland Security Urges Lenovo Customers To Remove Superfish

Superfish is just the tip of the iceberg.

Corrupting a Windows machine's CA store is very common in "enterprise" environments where your employer wishes to proxy all outgoing SSL/TLS connections.

The fact that most people are completely unaware of this is disturbing, but unsurprising.

Comment: Re:What are the actual risks to your network? (Score 1) 114

by nyet (#49089337) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk

No, in this case, knowing the host key would let you pose as the host.

Then again, you don't even generally need the host key to post as the host because 9 times out of 10 nobody actually verifies that the presented host key matches the expected host key.

If the host is unknown, generally they simply assume the key is correct.
If the last stored key and doesn't match the one presented, they generally ignore the error that ssh spews telling you of a potential MITM attack.

Comment: Re:WTF? (Score 1) 114

by nyet (#49088739) Attached to: Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk

The host key pairs are NOT used to authenticate the incoming user.

They're used to prevent MITM attacks (by uniquely identifying the endpoint), so this statement

"It’s hard to say if the key errors means that a remote attacker could log into all of the devices, as it would depend on how the routers are configured for remote authentication."

It's complete bull; the article is written by a clueless moron.

Attackers would have to use the keypairs to setup MITM attacks for EVERY machine they wish to compromise.

Comment: Re:Business problem != technology problem (Score 1) 343

by nyet (#49078633) Attached to: Ask Slashdot: Version Control For Non-Developers?

Revision controlling machine generated xml (or any other machine generated code) with the assumption that it is human readable (because of the format) is a bad idea, just like keeping compiled binaries under revision control is a bad idea. It is just as non-human readable.

You want to keep the actual human generated source under revision control... which you obviously can't do for any document generated by a GUI.

Sure, you can use revision control to simply keep a history of versions, but that doesn't do anything for any of the multitudes of other reasons to use a RCS.... hell, you can keep a history by just timestamping every revision of file in their filenames.

Using TSO is like kicking a dead whale down the beach. -- S.C. Johnson