Comment: Re:Loose procedures (Score 1) 52

by mellon (#49518263) Attached to: Baltimore Police Used Stingrays For Phone Tracking Over 25,000 Times

It depends what they are doing. TFA describes a situation where a murderer was found because he kept the victim's phone (on!) in his house. I have no problem with using cell phone intercept to track down a murder suspect in a situation like this, although the degree of stupidity required for this to work is astonishing. So based on the article we don't actually know that there were lax procedures. I'm not saying there weren't, but getting a court order for this sort of thing is precisely what they should be doing, so I'm having trouble seeing this particular revelation as something about which we should be deeply concerned. 25,000 searches over eight years is really not that many in a city the size of Baltimore if, e.g., they are using the device to track down stolen phones.

Comment: failed industry (Score 4, Interesting) 47

by Tom (#49517301) Attached to: How Security Companies Peddle Snake Oil

I've exited the security industry after 15 years, no longer believing that it does any good. And TFA is pretty spot on.

The issue is that security is both wide and deep. You need to cover all your weak spots, and you need to cover them completely. As an industry, we have succeeded in finding technical solutions to almost every challenge, but we've failed in creating a systematic approach to the field. Look at the "best practice" documents - they are outdated and mostly a circle-jerk. I did a quick study some months ago checking the top 100 or so for what the academic or scientific or just substantiated-through-sources basis is, and the result is pretty much: none at all.
Even the different standards, including the ISO documents, are collections of topics, not systematic wholes. It's like high school physics: this month you get taught optics, next month Newtonian mechanics, the third month electromagnetism. The only thing they have in common is the classroom.

Nowhere is it more visible than in our treatment of the user. It's clear that most security professionals treat users as disturbances, as elements outside their field of security. I imagine what roads would look like if their planners looked at accidents and said "cars are a threat to our road system. They clog it up and very often they crash into each other and cause serious issues to traffic. We need to protect the road system against cars. Can we automate roads so they work without cars as much as possible?"

We need a much more systematic, holistic view of the whole field than we have right now. In a pre-scientific field, snake oil is the norm. It was the same in medicine (where the term originates), in chemistry (alchemy), in psychology (astrology, numerology, one hundred other primitive attempts at understanding and predicting human behaviour) and virtually every other field, even many non-scientific areas, such as religion/magic.

Comment: Re: How about basic security? (Score 4, Informative) 269

by jd (#49516499) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

IPSec is perfectly usable.

Telebit demonstrated transparent routing (i.e., total invisibility of internal networks without loss of connectivity) in 1996.

IPv6 has a vastly simpler header, which means a vastly simpler stack. This means fewer defects, greater robustness and easier testing. It also means a much smaller stack, lower latency and fewer corner cases.

IPv6 is secure by design. IPv4 isn't secure and there is nothing you can design to make it so.
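
The header-size point above is easy to see in code. The following is an added illustration, not part of jd's comment or of any project: it parses a constructed IPv4 packet (whose header length is variable and must be read from the IHL field, with a header checksum to verify) and a constructed IPv6 packet (whose base header is a fixed 40 bytes with no header checksum; extension headers are chained via Next Header). Addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and all field values are constructed sample data.

```python
import ipaddress
import struct

# Constructed sample payload shared by both packets.
PAYLOAD = b"\xde\xad\xbe\xef"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in, the result is 0."""
    total = 0
    for i in range(0, len(header), 2):          # header length is a multiple of 4
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                           # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse an IPv4 header. The header is 20..60 bytes; the payload offset is
    only known after reading IHL, and any options must be walked separately."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(pkt) < header_len:
        raise ValueError("bad IPv4 version or IHL")
    return {
        "version": version, "header_len": header_len, "total_len": total_len,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": pkt[20:header_len],
        "checksum_ok": ipv4_checksum(pkt[:header_len]) == 0,
        "payload": pkt[header_len:total_len],
    }


def parse_ipv6_header(pkt: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 base header (RFC 8200). No IHL, no header
    checksum and no fragmentation fields; anything extra lives in extension headers."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    version = vtf >> 28
    if version != 6:
        raise ValueError("bad IPv6 version")
    return {
        "version": version, "header_len": 40,
        "traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
        "payload_len": payload_len, "next_header": next_header, "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
        "payload": pkt[40:40 + payload_len],
    }


def build_sample_ipv4() -> bytes:
    """Constructed sample: IHL=6 (24-byte header) carrying four option bytes
    (NOP, NOP, NOP, End of Options List), UDP (17), correct checksum."""
    options = b"\x01\x01\x01\x00"

    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24 + len(PAYLOAD), 0x1234, 0x4000,
                           64, 17, csum,
                           ipaddress.IPv4Address("192.0.2.1").packed,
                           ipaddress.IPv4Address("198.51.100.7").packed) + options

    return header(ipv4_checksum(header(0))) + PAYLOAD


def build_sample_ipv6() -> bytes:
    """Constructed sample: flow label 0xABCDE, UDP (17), hop limit 64."""
    return struct.pack("!IHBB16s16s", (6 << 28) | 0xABCDE, len(PAYLOAD), 17, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed) + PAYLOAD


if __name__ == "__main__":
    print(parse_ipv4_header(build_sample_ipv4()))
    print(parse_ipv6_header(build_sample_ipv6()))
```

The IPv4 parser has three places where a malformed packet can trip it (version, IHL bounds, checksum) before the options are even examined; the IPv6 base header has one fixed layout and delegates everything optional to the Next Header chain, which is the simplification the comment refers to.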

Comment: Re: Waiting for the killer app ... (Score 3, Informative) 269

by jd (#49516451) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

IPv6 would help both enormously. Lower latency on routing means faster responses.

IP Mobility means users can move between ISPs without posts breaking, losing responses to queries, losing hangout or other chat service connections, or having to continually re-authenticate.

Autoconfiguration means both can add servers just by switching the new machines on.

Because IPv4 has no native security, it's vulnerable to a much wider range of attacks and there's nothing the vendors can do about them.

Comment: Re: DNS without DHCP (Score 4, Informative) 269

by jd (#49516387) Attached to: Why the Journey To IPv6 Is Still the Road Less Traveled

Anycast tells you what services are on what IP. There are other service discovery protocols, but anycast was designed specifically for IPv6 bootstrapping. It's very simple: multicast out a request for who runs a service, and the machine with the service unicasts back that it does.

Dynamic DNS lets you tell the DNS server who lives at what IP.

IPv6 used to have other features - being able to move from one network to another without dropping a connection (and sometimes without dropping a packet), for example. Extended headers were actually used to add features to the protocol on-the-fly. Packet fragmentation was eliminated by having per-connection MTUs. All routing was hierarchical, requiring routers to examine at most three bytes. Encryption was mandated, ad-hoc unless otherwise specified. Between the ISPs, the NAT-is-all-you-need lobbyists and the NSA, most of the neat stuff got ripped out.

IPv6 still does far, far more than just add addresses and simplify routing (reducing latency and reducing the memory requirements of routers), but it has been watered down repeatedly by people with an active interest in everyone else being able to do less than them.

I say roll back the protocol definition to where the neat stuff existed and let the security agencies stew.
