Comment my credit union calls me in seconds. Cashiers shou (Score 1) 87

I've been happy with my credit union's fraud prevention and detection (which is outsourced to some company). Sometimes I'm 100 miles from home when I spend about $800 on electronics at Fry's or Microcenter. (The datacenter is 100 miles from my house, for now.) The transaction sometimes returns a "call to verify" code. The merchant COULD call, they are supposed to, but most cashiers just say "it didn't go through". This is a training issue on the merchants' side, in my opinion.

At the same time that the cashier is saying "it didn't go through", my phone rings. It's the fraud department calling to verify the purchase. The cashier re-runs the card and it works fine. It seems to mainly happen when buying from an electronics retailer, as I also remember the same thing at Best Buy. I'm fine with that. I know that if a crook gets my card, the bank is watching out.

Occasionally, they'll call about an internet purchase or some other purchase after it happens (fraud detection). It's quick and easy to verify the transaction.

I used to do another type of fraud prevention and detection, not directly related to credit cards, and I know our false positive rate was under 0.1%, probably under 0.01% - we stopped at least a thousand fraudulent instances for every one we declined in error.

Comment an example for those unfamiliar (Score 1) 347

I figured I should add a citation here in case the next reader isn't familiar with McCain's stance on various military interventions and doesn't know what I'm talking about. Here's an example of what I mean (he had two sons serving in the line of fire at the time):

War is an awful business. The lives of a nation's finest patriots are sacrificed. Innocent people suffer. However just the cause, we should shed a tear for all that is lost when war claims its wages from us. But there is no avoiding this war. We tried that & our reluctance cost us dearly. While this war has many components, we can't make victory on the battlefield harder to achieve so that our diplomacy is easier to conduct. That is not just an expression of our strength. It's a measure of our wisdom.
2004 Republican Convention Speech, Aug 30, 2004

McCain generally opposed interventions where there was no clear "win", no exit strategy. He has repeatedly argued that once we are engaged, we need to be "in it win it", get it done and over with.

Comment Actually you are flat out WRONG (Score 5, Informative) 318

The recent rulings have been that laptop searches are unconstitutional. The courts have said this is so because a) laptops and phones contain highly personal information, much more so than suitcases normally do, and b) customs is to be searching for things like products being smuggled in, or drugs. Hard drives can't contain drugs and wouldn't contain smuggled products. Two recent examples include:

The Obama administration has argued that they don't need a warrant, but the courts have ruled against them.

Comment I sure hope one of the other ten candidates (Score 2) 299

I sure hope neither Fiorina nor Trump gets the nomination. And Biden rather than Sanders or Clinton. Dr. Carson seems like a far more capable and thoughtful person. Cruz knows what he's talking about and has actually produced full workable legislation like a federal budget, whereas the other candidates only produced sound bites. There are several options better than Fiorina and Trump.

Comment just a few companies. Pay defendants' legal costs (Score 4, Interesting) 150

This particular judge invited defendants to file to have the troll pay their fees. That puts this troll, who is 10% of the problem, out of business.

It wouldn't take too many cases in which Intellectual Ventures has to pay the people they sue before IV would run out of money and be gone. They are responsible for around 30% of the trolling.

Four companies file 90% of the patent cases. Of the remaining 10%, many are legitimate disputes, so well over 90% of the trolling is those four entities. Put those four out of business and you've pretty much solved the problem of patent trolls. (And by making it costly for those four, others will be discouraged from attempting it).

Comment Kyle Wiens. Must Apple investigate every developer (Score 1) 361

It seems likely that the developer account would be registered in the developer's name (perhaps Kyle Wiens), or perhaps in the company name, which is probably something like IFI LLC. It probably wasn't registered using the domain name of the web site.

So even assuming someone at Apple looks at all new developer accounts, how are they to know that Kyle Wiens is associated with Should Apple launch an investigation of everyone who wants a developer account?

Comment yes one bug, fixed years ago. Compare Windows (Score 1) 66

Yes, virtualization isn't guaranteed to always be 100% perfect. There was one bug that was fixed years before it became public. Compare the number of bugs in Windows over the last 10 or 20 years. I'd say running within the hypervisor is several orders of magnitude safer.

As I mentioned, that's one reason we use the simplest practical virtualization- to avoid bugs in hypervisor features or related utilities. It's pretty darn effective, though not 100% perfect.

Air gaps and disposable images can of course be pretty safe too. If you're paranoid, you can keep the test hardware only for malware testing - never move a box from testing to production. That adds a layer of protection against damage from firmware exploits.

Comment not downloaded , but included outside of signature (Score 2) 66

I simplified a bit. The malicious code can be inside of the .app package- it does not need to be downloaded separately. It LOOKS like the signature is on the package, but it's not. It's on some parts of the package. Here's a quote from the Apple developer documentation for you:

Changes That Don't Invalidate a Code Signature
There are a few changes you can make to a signed bundle that won't invalidate its signature.

If you have optional or replaceable content you wish to change without invalidating the code signature, nested code can be replaced ... without disturbing the outer signature.

Throughout the Apple documentation, you will find references to the "main executable". This is the file that's primarily protected. In my example above, that's setup.exe.

Comment Bug is I can modify code signed by Apple (Score 5, Informative) 66

The exploit is for users with #2, registered developers. A bad guy who is not a registered developer can publish code which appears to be signed by a trusted developer.

The root of the problem is that it checks a signature on the -executable-, not the -package-. A typical package has a setup executable, which we'll call setup.exe. That's signed by Apple, Adobe, or whoever the developer is.

Setup.exe loads whattodo.dll and runs some functions in it, then runs register_filetypes.exe, does some other stuff, then runs photoshop.exe. Neither whattodo.dll, register_filetypes.exe, photoshop.exe, nor the package they came in need to be signed. MOST of the executable code isn't signed.

A bad guy can download the Photoshop package and replace whattodo.dll and register_filetypes.exe with code of their choosing. Just rename backdoor.dll and botnet.exe. Mac treats it as signed because setup.exe is signed.

So the victim would download a malicious package and because setup.exe is signed, OSX would run it by default- thereby running backdoor.dll (renamed as whattodo.dll) and botnet.exe (renamed as register_filetypes.exe).

This is normally avoided on Linux by signing / hashing the entire package, not just one file in the package.
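Added example, not code from the post or from Apple: a small Python sketch of the whole-package approach the post contrasts with per-executable signing. It hashes every file into a manifest, signs the manifest, and then shows that swapping a nested file (whattodo.dll) while leaving setup.exe untouched passes a main-executable-only check but is caught by the manifest check. The package layout, file contents and the HMAC stand-in for a real asymmetric signature are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. A real scheme would use an asymmetric signature
# (publisher's private key to sign, public key to verify), not a shared secret.
SIGNING_KEY = b"constructed-demo-key"


def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(pkg_dir):
    """Hash every file in the package, keyed by path relative to the package root."""
    manifest = {}
    for root, _, files in os.walk(pkg_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, pkg_dir)] = file_digest(path)
    return manifest


def sign_manifest(manifest):
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def verify_package(pkg_dir, manifest, sig):
    """Return the files that differ from the signed manifest (empty list == clean)."""
    if not hmac.compare_digest(sign_manifest(manifest), sig):
        return ["<manifest signature invalid>"]
    current = build_manifest(pkg_dir)
    return sorted(p for p in set(manifest) | set(current) if manifest.get(p) != current.get(p))


def demo():
    """Constructed package: main executable plus nested helpers, then a nested swap."""
    with tempfile.TemporaryDirectory() as pkg:
        for name, body in {"setup.exe": b"installer", "whattodo.dll": b"helper",
                           "register_filetypes.exe": b"register"}.items():
            with open(os.path.join(pkg, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(pkg)
        sig = sign_manifest(manifest)
        with open(os.path.join(pkg, "whattodo.dll"), "wb") as f:  # nested code replaced
            f.write(b"something else")
        main_only_ok = manifest["setup.exe"] == file_digest(os.path.join(pkg, "setup.exe"))
        return main_only_ok, verify_package(pkg, manifest, sig)
```

`demo()` returns `True` for the main-executable-only check (setup.exe is unchanged) alongside `["whattodo.dll"]` from the whole-package check.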

Comment wonder what else you could etch. Circuit boards? (Score 2) 146

The idea of having a cheap consumer device that can so easily etch any bitmap with such fine detail intrigues me. I wonder what else you could etch. If there was a coating for circuit boards that these lasers could etch that would be really cool. Pop a board in your CD burner and minutes later have a perfectly etched board.

Comment That is probably true. Also, indications NSA, FBI (Score 1) 86

That's certainly true, few people were expecting that type of attack, or had any reason to suspect such an attack might occur, AS FAR AS WE KNOW. (We don't know what all information the spooks had.) They were thinking of terrorist acts as being old-fashioned hijacking.

ALSO, we know that the CIA had names of people suspected to have links with Al Quaeda (the hijackers), the NSA had indications that Al Quaeda was planning something big in the near future.* The FBI had some other relevant info.

So it's POSSIBLE that someone (or some software) looking at all the information could come up with the following thought:
"Al Quaeda is planning something big, and these two guys seem to be Al Quaeda operatives, so maybe we should check in on them and see what they're doing this week."

They wouldn't need to suspect exactly what happened- suspected terrorists both buying plane tickets screams "hijacking" (the old fashioned kind). It would have been possible to do a "random search" on these two suspects and discover the box cutters.

Having said that, I'll repeat I don't think it's worth it. The NSA and CIA should be clearly and fully separated from domestic law enforcement. Of course that requires the balls to call terrorism "terrorism" and have it handled by the appropriate agency.
