
Comment: Re:Network-based IPS and IDS are obsolete (Score 2) 60

by thermowax (#47581059) Attached to: Multipath TCP Introduces Security Blind Spot

"Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container)."

You might want to go read up on SSLStrip before you make that assertion. There are a bunch of other utilities that do basically the same thing, but their names escape me at the moment.

Admittedly, SSLStrip relies (generally) on the target ignoring the bad cert warning, but if you've compromised the target and inserted your root CA into the "trusted" list, well... no more warning. And, as someone else mentioned, if you're a netadmin and control the end nodes, there are lots of companies that will sell you inline appliances that will do exactly the same thing- completely transparently.

WebSense and PaloAlto 6.0- and probably others- will even let you take the cleartext off-box for DLP, or "archiving".

How much you want to bet that one of the trusted root CAs distributed with all browsers (eg, VeriSign) is an NSA plant? Trust no one.

Massachusetts SWAT teams claim they're private corporations, immune to oversight

Submitted by thermowax
thermowax (179226) writes "Massachusetts SWAT teams claim they’re private corporations, immune from open records laws. Kind of amusing this is in arch-Liberal Mass, but enough editorializing: I don't even know where to start here. No FOIA demands, no investigations, or reviews... the police state gets more real on a daily basis."

Comment: Re: Nothing "near" about it (Score 1) 236

Amusingly, if you go to the Smithsonian Museum of Technology (iirc) there is/was a display of some Bell Labs stuff where they were (until fiber immediately- at the time- made it obsolete) doing *exactly that*. Little 1cm or so tubes, carefully soldered together, to form microwave waveguides.

I bet you could pick that patent up for cheap... er, maybe not any more.

Comment: Re:Political stunt (Score 2) 256

by thermowax (#43078165) Attached to: White House Urges Reversal of Ban On Cell-Phone Unlocking

Not debating your points, but I'd like to see people stop regurgitating the bullshit fucking meme about "half the people are below average". Half the people are below the *median*. Half the people are below the *mean* only if the data happen to fall that way, a perfect bell curve being one distribution for which this is true.

Data: 1, 1, 1, 1, 10. (n=5).
Mean: 2.8.
Q: How many points are below the mean? (Hint: it ain't 2.5.)

Comment: Hmm, books causing life pivots. (Score 1) 700

by thermowax (#41638563) Attached to: Ask Slashdot: What Books Have Had a Significant Impact On Your Life?

1. Out of The Inner Circle, Landreth. Read this in 1986 or so when it originally came out. Holy shit, did that change my life. It put me on the vector that, among other things, has me reading Slashdot today.
2. M*A*S*H- Hooker. Besides being ripping funny, introduced me to the concept that if you're really good at what you do, you can get away with a lot. A whole lot.
3. 1980 Signetics Linear IC Databook. Never underestimate the learning capability of a curious kid on a remote farm with no internet access ('cause it didn't exist. Well, not as we know it.)
4. War Games. Yeah, so it's a movie, but life-changing nonetheless. See items 1-3.

Comment: Re:They don't enforce snooping on everything (Score 1) 782

by thermowax (#40349079) Attached to: Ask Slashdot: What's Your Take On HTTPS Snooping?

No, not really, at least not in my experience. The primary motivation is to be able to peer into SSL/TLS traffic to see if there's malware using it as a transport. Internet caching is... well, I won't say a dead technology, but at least in the enterprises where I've worked bandwidth is sufficiently cheap (and caching proxies tend to break stuff unpredictably) that they typically don't bother.

Consider: if you don't block 443, and you don't decrypt/examine it, that's a wiiiide open hole out of your network for any botnet members to phone home or exfiltrate data... or a host of other things. It's a real problem.

Comment: Re:They don't enforce snooping on everything (Score 5, Informative) 782

by thermowax (#40349033) Attached to: Ask Slashdot: What's Your Take On HTTPS Snooping?

Wrong.

The https proxy server is trusted as a signing CA. It generates server certs real-time for any requested https content, then retrieves the content for you on the other side- via its own https session- before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.

Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, no one else can. There's still a reasonable amount of security there.

Although it depends a great deal on the proxy admin to keep it secure...

Comment: Re:Let's just be clear about that. (Score 1) 273

by thermowax (#39610559) Attached to: Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

You're almost right. There are a number of commercial appliances (Websense makes one, which I've deployed for corporate use) that do exactly this so the corporate powers-that-be can peer into SSL encrypted traffic. This is generally (hopefully) for IDS/IPS purposes.

The key is that:

1. Corporate workstations have to be loaded with a CA cert generated by the appliance so they trust all certs issued by the appliance, and
2. The fake server certs are generated *real time*. Pre-generation isn't necessary.

So the reality is that this happens every day if you're running one of these systems. You raise an interesting point, though, that if a CA with their CA cert already in browser distros did this, it would be pretty much undetectable. However, then anyone with one of those appliances could do this man-in-the-middle attack, rendering the CA's infrastructure/reputation worthless. Additionally, they'd have the CA's private key, which is the crown jewel of a CA- so I doubt that would happen.

Now, if someone maliciously inserted their CA key into a browser distro, well, that opens the door for all kinds of fun...

J-.
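The two HTTPS-snooping comments above describe a proxy that signs a fresh server cert for every site with one appliance CA that the workstations trust. As an added example (not part of any comment and not any vendor's code), this Python sketch shows how that pattern looks from the client side: hosts that normally chain to different public CAs suddenly all share one issuer. The host names, CA names and the baseline recorded from an uninspected network are constructed assumptions; the cert dicts use the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
from collections import defaultdict

def issuer_name(cert):
    """Flatten the nested RDN tuples used by ssl.SSLSocket.getpeercert()."""
    fields = {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}
    return fields.get("organizationName", "?") + " / " + fields.get("commonName", "?")

def find_interception(observed, baseline):
    """observed: host -> cert dict as seen from this workstation.
    baseline: host -> issuer string recorded from an uninspected vantage point.
    Returns (hosts whose issuer changed, issuers that replaced more than
    one distinct baseline issuer)."""
    changed = {}
    replaced = defaultdict(set)
    for host, cert in observed.items():
        seen = issuer_name(cert)
        expected = baseline.get(host)
        if expected is not None and seen != expected:
            changed[host] = (expected, seen)
            replaced[seen].add(expected)
    # One issuer standing in for several unrelated public CAs is the mark of
    # an on-the-fly signing proxy, not of a routine certificate renewal.
    proxies = sorted(i for i, olds in replaced.items() if len(olds) > 1)
    return changed, proxies

def _cert(org, cn):
    """Build a constructed cert dict with only the issuer field populated."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),),
                       (("commonName", cn),))}

# Constructed sample data: all names below are hypothetical.
BASELINE = {
    "mail.example.com": "Public CA One / Public CA One TLS",
    "bank.example.net": "Public CA Two / Public CA Two RSA",
    "intranet.example.org": "Example Corp / Example Internal CA",
}
OBSERVED = {
    "mail.example.com": _cert("Example Corp", "Inspection Proxy CA"),
    "bank.example.net": _cert("Example Corp", "Inspection Proxy CA"),
    "intranet.example.org": _cert("Example Corp", "Example Internal CA"),
}

if __name__ == "__main__":
    changed, proxies = find_interception(OBSERVED, BASELINE)
    for host, (old, new) in sorted(changed.items()):
        print(f"{host}: {old} -> {new}")
    print("likely interception CA:", proxies)
```

The intranet host is not flagged because its issuer matches the baseline; only the two hosts whose different public issuers were replaced by the same CA are reported.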

Comment: Re:Do you even bother to edit submissions anymore? (Score 1) 185

by thermowax (#38348028) Attached to: Researchers Create a Statistical Guide To Gambling

Sigh. Not always. You have to look for positive expectation games in casinos, but they can be found. Google "positive expectation video poker" if you don't believe me.

Also, there's card counting at blackjack, of course, but you'll be detected quickly and summarily removed.

That said, if becoming a VP playing drone is your idea of fun, that's your business. I'm there for the free beer and to have fun, and I'm willing to pay a nominal fee to do so. Playing craps, getting loaded, and minimizing that fee are what I enjoy. Did you know that depending on how you play craps, you can make the house advantage asymptotically approach zero?

J-.

Comment: Well, not really. (Score 1) 212

by thermowax (#38014482) Attached to: With Troop Drawdown, IT Looks To Hire More Vets

I've worked in a number of military-oriented institutions (TLAs, if you get me) and while I have nothing but respect for the warfighter, I rarely found any of them to be technical superstars. Like any population, there were a few, but overwhelmingly they were put-the-square-peg-in-the-square-hole guys. They could memorize a manual and know everything about a piece of equipment (well, on a sysadmin level), but innovation was not their strong suit. At all.

And this is why the government/military has had and will continue to have immense problems attracting really, *really* good people to work in their CyberCorps or whatever they're calling it now. There's too much procedure in those circles; good techies quickly go insane.

One thing I did find, though, was that *usually* the officers had damn good project management skills and knew how to solve problems, support their people, and get the job done. That skillset is really universally applicable to all fields, though, and not just IT.

Comment: Re:Blackjack team? (Score 1) 108

by thermowax (#36003964) Attached to: MIT Blackjack King Takes SMTP Public

You've never seen those rules? Where do you play? They're all over the place in Vegas and Atlantic City. I've also seen games where you could only double on 7, 8, and 9, no resplits, all kinds of stuff. Wizardofodds.com has a table with all those stupid rules and their impact on the house edge. Interesting reading. And don't just mistrust the CSMs, they help the house too- since there's always the same (many) number of cards in play naturals are less likely. Bastards.

But people still play them... Oddly, I've found- especially in Vegas- that the higher end casinos have the worst rules. You'll almost always find the best rules in the dumpy little off-strip places. Hmm, Fremont St. is calling to me...

Comment: Re:Blackjack team? (Score 1) 108

by thermowax (#36003512) Attached to: MIT Blackjack King Takes SMTP Public

With the wealth of information available at your fingertips, you really should have done some research before posting that. I even told you what to look for.

I'm quite serious- and I'm right. You have to read the pay tables and find a video poker terminal that has been configured for positive expectation. Why the casinos do this I have no idea, since yep, they're potentially losing money on that one- but in any decent sized casino you can usually find a couple. I suppose the likelihood of a skilled player wandering by is low enough that they don't care. After all, you still have to play the game in mathematically optimal fashion. There's certainly no shortage of idiots in casinos.

War story- I've seen- more than once- a roulette pit where half the wheels were single zero and half were double zero. Every wheel had players. (Hint: the double zero table has roughly twice the house edge of the single zero game.) I've also seen a 6:5 blackjack table next to a 3:2 table, with identical rules otherwise- both occupied. Sadly, people are, on average, not very bright.

Comment: Re:Blackjack team? (Score 1) 108

by thermowax (#36003234) Attached to: MIT Blackjack King Takes SMTP Public

Actually, I posted AC accidentally. Oops.

Yes, the dealer can pound out cards fast, but if you're at 5th base there's plenty of time to count while the other bozos consult their tea leaves or strategy cards to figure out what to do.

Um... I *have* done it and *do* do it. Actually, the hardest part now is finding a game with good enough rules that you can get a positive expectation while counting. Most of the corporate casinos are running CSMs, naturals pay 6:5, no double after split, and other annoying crap that increases the house edge to the point of absurdity. Personally, I practice maybe 10 minutes a day. I find that's enough to keep it more or less automatic. If I have to think about it, it becomes too much like work. ProTip: Hoyle Casino (I use a custom driller I wrote, but for anyone wanting to mess with counting) will track the hi-lo count so you can check yourself.

Which brings us to your final point: "if you get it slightly wrong you will lose". Bullshit. I count hi-lo- other schemes may be different- but it depends on how large the house edge is to start with. If you're counting against a low-edge game there is a margin of error before you move into negative expectation territory.

Comment: Another example of mgt/tech staff disconnect (Score 1) 484

by thermowax (#34560828) Attached to: America's Cubicles Are Shrinking

Thankfully, I have an office (and an officemate, but he's cool) now but I have done the cubicle sea thing in the past. I realize the apparent economy of cubicles, but the loss of productivity must be staggering. If I'm deep in the middle of a firewall hack, or trying to configure a router without bringing the entire company down, I *really* need to be able to concentrate. I know my productivity suffers greatly. I found myself working off-hours just to avoid having to listen to the idiot two rows over yap with his bookie or frat brother or whatever he was doing. This also probably impacted productivity, because my hours then overlapped less with the rest of the company.

And, to those of you who can screen out the world with headphones: I envy you. Maybe it's a by-product of being a musician, but even if I put classical music on, it's distracting because I actually find myself listening to it. The noise canceling headsets make me feel like my head is full of cotton.
