Forgot your password?

Comment: Re:Problem traced (Score 4, Informative) 88

by plover (#47437271) Attached to: Chinese Hackers Infiltrate Firms Using Malware-Laden Handheld Scanners

The "scanner" portion of these devices is typically an embedded system that drives a hardware sensor, and speaks USB out the back side. You could probably open one up, solder a cable to the right points on the scanner board, and you'd have exactly the simple and transparent scanner you requested.

But because the business wants a truckload (no pun intended) of functionality out of these scanners, they need it to have more capabilities. First, it needs to be on the network, or it won't give them any benefit. Next, it needs to be multi-tasking so it can display alerts, etc. Its primary task may be to inventory the stuff coming off a truck, its other tasks may include assigning work items to line employees, displaying alerts on the supervisors' screens, punching the timeclock for breaks, and possibly even employee email. To a lot of businesses, a browser based interface lets them run whatever kind of functions they want, without the expense of continually pushing a bunch of apps out to a bunch of random machines. So taking all that together, embedded XP is one (bloated) way of meeting all that.

So while the scanner itself is simple, it's the rest of the hardware in the device that was infested with XP and other malware.

Comment: Re:Cry Me A River (Score 1) 586

by plover (#47422059) Attached to: Normal Humans Effectively Excluded From Developing Software

What I think a lot of the utopian visions miss, as well as a lot of the posters here, is that the problems with programming are not problems with the tools, but with the code that these amateurs produce. Writing clean, clear, correct, modular, maintainable, tested, and reusable code is still a skill that takes time to learn.

Generally, most people understand following a sequence of steps to achieve a goal. They can follow a recipe's steps to bake a cake. Some can even write down the steps they took to accomplish a task, which is the beginning of automating it; but recording and playing back steps is certainly not all there is to programming. Almost anyone who can write steps down can then learn enough of a language to string together a dozen or even a hundred individual steps to then achieve a goal: StepA(foo); bar = StepB(foo); StepC(foo,bar); ... another 97 steps here...; return(). The problem is that because writing down all those steps is possible, people who manage to do it once think they're programming. But all they're really doing is scripting.

Once someone tries to add logic to their scripts, the resultant code is generally buggy, slow, difficult to maintain, impossible to test, and probably should not be put into production, let alone reused. What a professional software developer does is recognizes the difference. He or she uses his or her experience, skills, and knowledge to organize those instructions into small groups of functionality, and wraps them into readable, testable, reusable, methods. He or she recognizes dependencies in the code, follows design principles to ensure they are properly organized, groups related methods into classes or modules, knows when to follow design patterns and when to break from them, groups related areas of modules into architectural layers, and wraps the layers with clean, testable, usable interfaces. He or she knows how to secure the code against various types of attack or misuse, and to properly protect the data it's been entrusted with. He or she understands validation, authorization, authentication, roles, sanitization, whitelisting, and blacklisting. And he or she understands the many forms of testing needed, including unit testing, system testing, integration testing, fuzz testing, pen testing, performance testing, as well as tools to evaluate the code, such as static code analysis and metrics.

On the other end of the developer's life are the inputs to the processes: requirements, stories, use cases, usability, scalability, performance. They know that following certain development methodologies can make a great deal of difference to the software's quality. And then there are the realities of all the non software development issues: equipment, firewall rules, IDPs, networking, vendor contracts, software licensing, hosting, distribution, installation, support, bug tracking, and even sales.

Tools can help with all of these steps, but as you pointed out, having a word processor does not make one a poet.

Comment: Re:seems like snowden did the exact same thing. (Score 1) 95

by plover (#47416707) Attached to: Thousands of Leaked KGB Files Are Now Open To the Public

Really? Because I don't seem to remember the purges that took place when Reagan took office, or Bush, or Clinton, or Obama. I don't remember when they arrested the political dissenters from the opposition parties, hauled them out of Washington and trucked them up to camps in North Dakota where the majority froze to death, or shot them in the basement of the Lubyanka after pronouncing them guilty in a secret "trial". Perhaps that all took place when the Ministry for Information took razor blades and cut out the encyclopedia pages for Jimmy Carter, and extended the entry for the Bering Sea to compensate, because we can't really trust our history books.

Go read Mitrokhin's books. Read the KGB's own history, stolen from their own archives. Compare it to what the USA claimed actually happened, and to what the USA claimed was Soviet propaganda. Mitrokhin's papers serve as independent corroboration that essentially everything the USA said about the Soviet Union's "active measures" was true.

Comment: Re:seems like snowden did the exact same thing. (Score 1) 95

by plover (#47416581) Attached to: Thousands of Leaked KGB Files Are Now Open To the Public

Wow, such hate and bile. The country Mitrokhin "betrayed" no longer existed. He turned over documents from the Soviet Union, not from "Russia". Yes, there is a distinction.

You completely failed to read what was written, which was a comparison of Mitrokhin to Snowden.

Apparently, that's what the fuck I don't get.

Comment: Re:And Chicago is relevant to Australia? (Score 1) 60

TFA tries to compare the legal aspects of one country's police using a legitimate cell tower's data (a "tower dump") with a court request for a copy of the purchase order of a surreptitious TriggerFish by a police force located in a different country. Different countries, different laws, different technologic approach to collecting the data, different accusations. The primary thing they share in common seems to be the outrage they spark.

Comment: Re:And in 20 years (Score 1) 95

by plover (#47408609) Attached to: Thousands of Leaked KGB Files Are Now Open To the Public

The declassification rules in the US are such that all documents are to be publicly released 50 years after the end of their active life. That's why they were compelled to release ULTRA and VENONA information in the 1990s, 50 years after the end of WWII. The declassification process is not automatic, in that someone still redacts the names of involved people who are still alive, and they make sure that the release won't endanger any current activities, but for the most part they are compelled to release it all.

If you are at all interested in the history of our intelligence services, and you find yourself in the D.C. area, I strongly recommend visiting the NSA's Cryptologic Museum.

Comment: Re:seems like snowden did the exact same thing. (Score 5, Informative) 95

by plover (#47408547) Attached to: Thousands of Leaked KGB Files Are Now Open To the Public

Here are a few more differences and corrections:
* Mitrokhin turned the data over to British officials only after the collapse of the Soviet Union. He did not endanger his country's ongoing intelligence operations. He may have embarrassed several former Soviet officials, but the revelations were not a crime against his country, as that country no longer existed at the time of their release. While the act of copying the classified data would certainly have been a crime against the Soviet Union, again, that country was gone. (Snowden released the data of his own still-active country, including information about active operations.)
* The data he turned over was archival material spanning decades and ending in the 1980s; he gave it up in the early 1990s. Some of it was less than ten years old at the time it was delivered. (Snowden's data was indeed more current and relevant.)
* After the publication of his notes in two books, the SVR actually provided academic access to the old KGB archives for a time. I think that was ended after the wrong person was embarrassed by his historical record, perhaps a former lieutenant colonel in the KGB. (The NSA has not yet opened their doors to the public in response to Snowden's release.)
* He was not a "whistleblower" in that he did not release this data in an attempt to change any ongoing practices. He was a historian who respected the truth, and did not want the facts distorted or destroyed by a regime with a long history of rewriting history. (Snowden is an activist, who is trying to effect change.)
* Mitrokhin's position was a Senior Archivist. He had access to essentially all KGB historical records, not simply operations of which he was a part. (Snowden was an administrator of systems, and had access to the records they contained; he also used other people's credentials to gain additional access to other records.)

Comment: Re:Nobody check this (Score 1) 95

by plover (#47408353) Attached to: Thousands of Leaked KGB Files Are Now Open To the Public

Well, considering Mitrokhin had Christopher Andrew publish selected information in two English language volumes already, "The Sword and the Shield", and "The World was Going Our Way", I think your pleas for ignorance are not going to have much effect. This is simply a release of the rest of the materiel he exfiltrated.

Comment: Re:Why can't the Swiss company be named? (Score 1) 24

by plover (#47392907) Attached to: Industrial Control System Firms In Dragonfly Attack Identified

I was watching a TV show about Alaska, where some small town had their generator go out and they needed to fly in an engineer. In those tiny villages, the kind where an engineering degree means you can get a job somewhere else that can afford to pay you, remote monitoring and diagnosis is the only option they have. They had one guy in the town who had the keys to the building, knew to keep the fuel tanks filled, and could do some minor mechanical repairs to the system, but that was pretty much the limit of his capabilities.

Nobody in that town would be qualified enough to even understand those notices. Nobody there would likely know what software was being used, let alone visit the home pages of the company providing it. A town like that won't have the money to pay for monitoring services - they're going to be on a repair-only basis. And they're going to be the ideal consumers of a remote solution like the kind these firms are selling.

While this town may be a worst case scenario, it exemplifies the kinds of bad luck circumstances that would lead someone right into this risk, and CERT notices probably won't ever help them much.

Comment: Re:what is internet of things (Score 1) 136

by plover (#47378703) Attached to: Microsoft Backs Open Source For the Internet of Things

I realize you're trying to make a joke in that all things are "things", but there's value in having a phrase that narrows the topic a bit. It's basically a catch-all term, like referring to the Internet's plumbing as "the cloud." The "things" in the Internet of Things are devices that aren't primarily information devices by design. A refrigerator may have a microcontroller to maintain temperature, but it wouldn't be called a computer. Adding internet connectivity to it still doesn't make it an information device, so it falls into the category of "Internet of Things".

Mobile phones, iPads, laptops, computers, these are primarily information devices that are generally not considered part of the IoT, although they may serve the user to interact with the things. And the line is very squishy. An IP-enabled TV set seems to straddle the border, and depending on context may or may not be part of the IoT discussion.

Ernest asks Frank how long he has been working for the company. "Ever since they threatened to fire me."