
Comment read the man page (Score 3) 550

> In short: I think chroot is plenty good for security

Check man chroot. The authors of chroot say it's useless for security.
Perhaps you think you know more than they do, and more than security professionals like myself do. Let's find out.

> you get a shell in one of my chroot's used for security, then.....
> ur uid and gid are not going to be 0. Good luck telling the kernel to try and get you out.
> There aren't going to be any /dev, /proc, or other special filesystems

Gonna be kind of tough to have a shell without a tty, aka /dev/*tty*
So yeah, you need /dev. Can't launch a process, including /bin/ls, without /proc, so you're going to need proc. Have a look in /proc/1. You'll see a very interesting symlink there.

> mounted noexec

Noexec is basically a suggestion, not an enforcement mechanism. Just run ld /path/to/executable. ld is the loader/linker for elf binaries. Without ld, you can't run bash, or ls. With ld, noexec is ignored.

My company does IT security for banks. Meaning we show the banks how they can be hacked. When I say chroot is not a security control, I'm not guessing.
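Added here as a defender's check, not code from the comment's author: a small Python audit helper that flags processes invoking the runtime loader (ld-linux*.so / ld.so, which the comment calls ld) directly on a file that lives on a noexec mount. The /proc/mounts text, the per-process argv lists and the pids are constructed samples, and the set of loader options that take a value is assumed.

```python
import os
import re

# Constructed sample of /proc/mounts (fields: device mountpoint fstype options ...).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /srv/jail ext4 rw,noexec,nosuid 0 0
"""
# Constructed (pid, argv) samples, as read from /proc/<pid>/cmdline (NUL-split).
SAMPLE_PROCS = [
    (1001, ["/lib64/ld-linux-x86-64.so.2", "/tmp/dropped_bin"]),
    (1002, ["/lib/ld-linux-x86-64.so.2", "--preload", "/tmp/x.so", "/srv/jail/bin/ls"]),
    (1003, ["/usr/bin/ls", "-l", "/tmp"]),
    (1004, ["/usr/bin/ld", "-o", "/tmp/out", "/tmp/in.o"]),  # link editor, not the loader
    (1005, ["/lib64/ld-linux-x86-64.so.2", "/usr/bin/id"]),   # loader, but target is on /
]
# Basenames of the glibc/musl runtime loader (what the comment calls "ld").
LOADER_RE = re.compile(r"^(ld-linux[^/]*\.so[.\d]*|ld\.so[.\d]*|ld-musl-[^/]*\.so[.\d]*)$")
# Assumed subset of ld.so options that consume the following argv element.
LOADER_OPTS_WITH_ARG = {"--library-path", "--preload", "--argv0", "--inhibit-rpath"}

def parse_mounts(text):
    """Map mountpoint -> True when the mount options include noexec."""
    rows = [l.split() for l in text.splitlines() if len(l.split()) >= 4]
    return {f[1]: "noexec" in f[3].split(",") for f in rows}

def mount_of(path, mounts):
    """Longest mountpoint that is a prefix of path ('/' when nothing longer matches)."""
    hits = [mp for mp in mounts if mp != "/" and (path == mp or path.startswith(mp + "/"))]
    return max(hits, key=len, default="/")

def loader_target(argv):
    """First positional argument of an ld.so invocation; None if argv[0] is not the loader."""
    if not argv or not LOADER_RE.match(os.path.basename(argv[0])):
        return None
    skip = False
    for arg in argv[1:]:
        if skip:
            skip = False          # this element is the value of an option such as --preload
        elif arg in LOADER_OPTS_WITH_ARG:
            skip = True
        elif not arg.startswith("-"):
            return os.path.normpath(arg)
    return None

def find_noexec_loader_runs(mounts_text, procs):
    """Return (pid, target, mountpoint) for each loader run of a file on a noexec mount."""
    mounts = parse_mounts(mounts_text)
    hits = []
    for pid, argv in procs:
        target = loader_target(argv)
        if target is not None and mounts.get(mp := mount_of(target, mounts), False):
            hits.append((pid, target, mp))
    return hits
```

On a live host, feed it the contents of /proc/mounts and each process's NUL-split /proc/<pid>/cmdline; an audit rule on execve of the loader binaries gives the same signal with less polling.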

Comment chroot is not for security. like change directory (Score 0) 550

change root (chroot) is almost as easy to undo as change directory (cd). You can ALWAYS "break out" of chroot. The only thing making it inconvenient is if you don't know the syntax to refer to the new root you'd like to change to.

Chroot is not for security, it was never designed for security, and if your suckurity depends on chroot you are Doing It Wrong.

Comment there are problems, but no (Score 1) 275

> And yet, the multiple giant private bureaucracies we have in the US health insurance system seem to perform so much worse (by cost, outcomes, pretty much anything you want to measure) than the big government bureaucracies managing the healthcare systems of just about every other modern industrialized democracy.

Not really. There ARE many things that could be improved, certainly. Outcomes are among the best in the world, however. Costs are high. People point to Canada as a "better" system. There are _some_ advantages, but people very frequently travel from Canada to get healthcare in the US. Those who live in the Canadian system would rather pay US prices and get the US level of care than wait a couple of years and then get the Canadian level of care "for free".

Part of the higher cost is that "you get what you pay for". The other part of high costs is various inefficiencies. Unfortunately, there truly are many different problems, which will require many different solutions. You can't identify THE problem with healthcare in the US, and propose THE solution. To make real progress rather than just scoring political points, you have to identify a problem, fix it, identify another problem, fix it, identify another problem ...

Comment unless it's a contract for hard drives, but funny (Score 2) 275

> Your argument is thus ridiculous and unfounded.

It's not really an argument, it just struck me as funny. Like a Dilbert comic. I used to work for the government, so I'm familiar with ridiculousness in procurement.

> The concept of no-bid contracts versus endless bidding wars is separate from this bureaucratic procurement process. You've conflated the spot purchase of a hard drive, which doesn't need any sort of contract bid, with a comment made about contract bidding.

Well if it's a contract to provide PC parts, or specifically hard drives, it's precisely the same thing. Where I worked, for Macs we had a contract with a local vendor to provide all Mac computers, parts, and accessories. For "other PCs" (Windows), we had a contract with a large national company. For a Mac, I'd say "I need a docking station" and a few minutes later the boss would say "Ray, stop by Mac ***** and pick up a docking station." For Windows machines, it took a couple months.

Comment Lil Kim very efficiently removes rivals (Score 1) 275

I called the _government_ of NK more efficient (but worse) than the US process and bureaucracy. When Kim Jong-un decides that tanning salons shall be illegal, the tanning salons are shut down within a few days. If Obama wanted tanning salons to be illegal, it would take six years to get the law passed, then another several years before the Supreme Court overruled the law. Billions of dollars would be spent on all of this process.

All of that process, mostly designed to encourage fairness, isn't a bad thing. Public participation is good, making decisions carefully and with due deliberation is a good thing. It's not a fast thing, nor is it cheap. Good government is slow and costly.

We don't necessarily want to get rid of the processes, procedures, and precautions. We SHOULD keep in mind that if you want plastic forks, Walmart will get them to you from 99 cents per pack of 100; if you want _government_ to provide you with plastic forks, it's going to cost a lot more and take a lot longer. So if you want plastic forks, go to Walmart, not Congress.

Comment 1 hard drive. Hire a consultant or go to Walmart? (Score 2) 275

I see where you're going and in some sense I agree. I had to laugh at this, though:

> approval processes make sense; bidding wars and approved vendor sources don't. I'd just as soon have them start troubleshooting, identify the problem, carry out a Kepner-Tregoe decision analysis to figure on how to address it,

The problem is that the 80 GB drive in a PC is full. Super Walmart (an approved supplier) sells Western Digital 1 TB replacement drives for $100. They could either:

A) Stop at Walmart while they're out picking up donuts.
B) Carry out a Bulshet-Hokey determination analysis process, with the help of a consultant.

There is something to be said for "if the local Walmart sells it, you can just pick it up there rather than going through a month-long procurement process", aka having Walmart as an approved vendor.

Comment N Korea economy inefficient. NK govt ... (Score 1) 275

I was unclear about exactly what I was saying. As an entire country, North Korea isn't efficient, their economy isn't efficient, agreed. The NK government does the wrong thing quickly, compared to the US.

The efficiency (but not goodness) of a GOVERNMENT organization can be measured by how quickly and inexpensively they do whatever it is they are told to do. In other words, we can compare:

Kim Jong-un decides that sun tanning salons be illegal. How much time and money does it take before the tanning salons are shut down? Lil Kim tells his goons to go handle it and they probably have the tanning salons gone within a day or a week.

Barack Obama decides that tanning salons should be illegal. How much time and money does it take before the tanning salons are shut down? First Obama mentions the idea to Pelosi ... a year later a bill is actually drafted ... congressional committees have hearings .... etc. Hillarycare was a priority of the Democrats in 1993. It was passed in 2010, with most provisions going into effect between 2014 and 2020. So 17 years to pass it, then another 10 years to put it into effect.

Comment There are good reasons for gvt bureaucracy, rememb (Score 5, Insightful) 275

There are, however, good reasons for bureaucracy in government. If government officials can just do whatever they think makes sense, without any accountability to the people, you end up with North Korea. Efficient, but at a cost.

One reason we have processes in place is so that Sgt Blow doesn't buy a $5000, 200 GB hard drive from his brother. Another reason is that doing bad things on a wide scale costs money. With specific budget items, the citizens of Oakland could decide to cut the budget for license plate readers to $0, and end the program.

So all the red tape in government in the US is inefficient and annoying, but it's there for a good reason - a few good reasons in fact. Where we get into trouble is in when we pretend it doesn't exist. Like a few years ago, people saying "we can all have healthcare like VA provides, they do a great job". Well, the VA is a giant government bureaucracy, with all of the problems that come with a giant government bureaucracy. It's when we pretend that more government bureaucracy will make things more efficient, less costly, or faster that we get in trouble.

Comment "should", "supposed to" vs "unsurprising" (Score 1) 61

I think our apparent "disagreement", might stem from talking about different things. You seem to be talking about how things _should_ work, how it would be if people were perfect, their designs were perfect, and their implementation was perfect. I hear you saying "this shouldn't be, it's an error".

I agree it's an error. I _expect_ errors. I've looked at a lot of code over the last 20 years, thousands of examples written by thousands of different programmers. I can count the bug-free instances on one hand. So bugs are not surprising, they are expected. Team Viewer is doing something it's not supposed to do - well yeah, practically all software does something it's not supposed to do.

So we have some software which is designed to allow someone remote access. Because it's software, it has bugs. One of those bugs affects the remote access. That's not surprising. That's expected. If you install a remote-access app, you will probably have remote-access bugs, because apps have bugs.

Comment trademark as well as by applying your brand to it (Score 1) 178

There's also a trademark issue. Suppose I load Bruce Schneier's web site and his site has an ad for some bogus "security" software. That reflects poorly on Bruce because it appears that Bruce is endorsing, or at least tolerant of, the scam software. Similarly, suppose I load DaveRamsey.com and his page contains ads for questionable financial products. Dave's brand is damaged by falsely associating those products with his trademarked brand.

Comment your HTC One M7 was rooted within two months (Score 2) 61

The M7 was released in March 2013. By May 2013, there were YouTube videos showing how to root it.

http://www.xda-developers.com/...

"Unless you use HTC tools", what kind of criterion is that? If HTC provides a tool to root the phone, why wouldn't you use it? You _could_ write your own tool that does the same thing as the HTC tool, but why bother? With your M7, like all other devices, local access is in fact full access. (Btw I do this stuff for a living.)

My claim is that if you install Team Viewer, you can expect security vulnerabilities. As it turns out, Team Viewer does indeed cause vulnerabilities, so that's correct.

Sometimes I work with explosives. From time to time, you'll find that an explosive device might go off under certain conditions other than when it's designed to. The "bug report" would look like:

XYZ can explode if heated to 280F rather than the design temperature of 350F.

So the device isn't quite within design spec, but you shouldn't be surprised that an explosive can explode. Team Viewer is made to give other people control of your device. Don't be surprised when Team Viewer gives other people control of your device.

Comment bug yes, and local access is full access (Score 2) 61

> If someone is using TeamViewer to control it, they should not need more permissions than the local user has. After all, it's a screen sharing app. The remote user can only do what the local user can do.

The local user can root the device and can replace operating system files. As expected (but not exactly as designed), TeamViewer can be used to get quite a bit of access.

The design is that the local user has some limits, or at least that it's _inconvenient_ for the local user to do certain things, including installing a new OS. The local user has to be technically savvy in order to install a new OS. The pseudo-local user using Team Viewer has to be technically savvy to use TM to exceed the designed permissions. Same thing, really.

The permissions are more than designed, and exactly as expected.

Comment "infinitesimal percentage of devices". For remote (Score 3, Insightful) 61

The article states it "discovered installed on an infinitesimal percentage of devices". These are devices with TeamViewer installed, an application DESIGNED to allow someone to remotely control your device over the network.

If you install TeamViewer on Windows, people can take over your machine over the internet. If you install TeamViewer on Mac, people can take over your machine over the internet. That's what it's designed for. Therefore, from a security perspective TeamViewer is a very bad idea.

It's no surprise that an application designed to give someone else full control of your machine is imperfect, and therefore can sometimes allow full access by someone who shouldn't have access.

Comment We don't WANT guns to our heads quickly, our money (Score 1) 253

> Maybe you should do something about it i

No way. Government in the US is slow because it's SUPPOSED TO BE. It's supposed to be transparent, fair, accountable to the public, careful with what government imposes on people - all of this means slow.

If you refuse to pay your $100 Comcast bill or otherwise violate their terms of service, the worst they'll ever do is cut off your service and you'll switch to a competing company, maybe even DSL.

If you refuse to pay your government bill, roughly 40% of your income, or violate their edicts, they'll force you to comply. If necessary, they'll send their armed enforcers to your house and point guns at you while they take your stuff and haul you off to prison. Any organization exercising that kind of power needs major decisions to be made carefully, cautiously, publicly, and in a way that's very accountable to the citizenry.

A private company can act quickly when the CEO says "do it, get it done right away" and those who report to him get to work right away. They don't hold public hearings and debates; they do what the CEO said to do, if the CEO wants it done immediately. You CAN have government like that, where the leader is the absolute authority and there is no debate, no public discussion, no accountability to the public, so things get done quickly. North Korea has such a system. I don't want that.

I WANT our government to have public hearings before they spend $10 billion of OUR money. If Comcast wants to spend $10 billion of THEIR money, they can just do it, immediately. If they waste THEIR money, so be it. If the chief executive of Comcast wants to change their IT policies, he can do that today. No skin off my nose. If the chief executive of the government wants to change public policy, making something else illegal, meaning people will be sent to prison for doing _____, I WANT that to be implemented slowly, cautiously, carefully. US government is SUPPOSED to be slow, cautious, fair, and accountable, not fast.

Comment True. If that's the criterion, I'm disadvantaged (Score 1) 211

> Your daughter has the great advantage over a sad number of other Black kids - a father

True. A damn good one, at that. Of course, if having a father is the criterion, _I_ am the disadvantaged one. Yet I had to work two jobs to pay cash for a third-rate college after acing most everything in high school. Hmm.
