Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.


Forgot your password?

Comment: It's worse-Verizon also injects for non-customers! (Score 2) 70

by BUL2294 (#48825365) Attached to: Ad Company Using Verizon Tracking Header To Recreate Deleted Cookies
Verizon also injects the UIDH header even for those who aren't Verizon customers--like those of Straight Talk, a reseller that uses Verizon's network.


Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers. Notably, Verizon appears to inject the X-UIDH header even for customers of Straight Talk, a mobile network reseller (known as a MVNO) that uses Verizon's network. Customers of Straight Talk don't necessarily have a relationship with Verizon.

Comment: Glenn Seaborg - a great man (Score 4, Informative) 85

by Cliff Stoll (#48783809) Attached to: The Mystery of Glenn Seaborg's Missing Plutonium: Solved

I was honored to know Glenn Seaborg while working at Lawrence Berkeley Labs in the 1980's. By then, Manhattan Project was long behind him, as was his Nobel prize, the Atomic Energy Commission work, and his chancellorship of the University of California. Yet he was still a kind and supportive scientist who was deeply interested in any research - whether in physics, astronomy, chemistry, or biology. He recognized the need to teach music and art alongside science and math, and would visit local high schools to encourage students.

I once met him at the Lawrence Hall of Science, walking around the old cyclotron. When I asked him about it, he said that he'd been wondering how the field magnets had been mounted (it was perhaps 40 years after the Manhattan Project). After a short chat he invited a few 12 year old kids over, and told stories about using the beast to create new elements. Amazing guy.

Comment: Great, more items to ransomware! (Score 4, Informative) 252

by BUL2294 (#48733781) Attached to: The Missing Piece of the Smart Home Revolution: The Operating System
After reading a few Slashdot articles ago about ransomware, and given what can happen via hacking such devices, the last thing I want is more of my home-based devices going online. The last thing I want is for my IoT thermostat (of which many exist already) to get hacked. I can see the thermostat's screen now...

"We turned your thermostat up to 85 degrees and you can't change it. We want $5000 worth of Bitcoins in 72 hours--or we find out if your furnace perpetually on full-blast will burn your house down. Think we're kidding? We also know that you have an [some brand name] WebOS-based TV (it was easy--the IP address was the same as your thermostat) and an [some brand name] Android-based refrigerator that we also pwned. In 24 hours fridge will be set to 50 degrees spoiling your food, and in 48 hours your TV will be permanently stuck showing random videos from Xtube. So, your only options are to pay us or cut off power to your house--but when it comes back on, we still own your pwned devices! Good luck replacing the devices we pwned but didn't mention here... TIMER: 71:59:59...71:59:58...71:59:57......."

Seriously, I'm not for government regulation in a competitive landscape, but such devices, especially given their manufacturers will abandon writing security updates for them--6 months after the new model comes out, are ticking time bombs... I'm not about to replace my oven, furnace, dryer, refrigerator, thermostat, dishwasher, home security system, TV, toaster, and toilets every 3-5 years because someone thinks such devices should be IoT and wants to gather even more "big data" about me...

Comment: Do you mean getting 1099'd? (Score 2) 117

If you do mean getting a 1099 for the "loss", then you're wrong. Getting 1099'd (1099A or 1099C) is dischargeable in bankruptcy, even if you get the 1099 after you're discharged. All you do is file Form 982 with your taxes and it's gone. (Of course, IANAA - I am not an Accountant...) I filed BK7 in 2011, got discharged in 2012, and had a property foreclosed on that was discharged, and got a 1099-C in 2013. The full amount of the 1099-C was not considered income on my 2013 taxes (filed & payable in 2014...)

Comment: Re:Blameless Random Employees? (Score 1) 343

And who isn't to say that, as part of the hack, once they found someone high enough with the right credentials, they didn't create a couple of AD accounts? In mid-size organizations, identity management is dealing with thousands of accounts, having to create numerous exceptions for specific people and applications (oh, this Task Scheduler task can't allow for the account to change--and it needs super-duper-Admin rights to these particular servers; this Windows Service that runs on the production CRM server can't change password). So, a hacker could just hide some new accounts with fake descriptions for applications in-house (e.g. "SQL-Salesforce sync"), give them super rights even allowing for password changes, and presto... Or worse, pick such a valid account and start adding servers it has rights to. Security by Obscurity (ironically on the security platform).

Comment: No real need for updates, either... (Score 2) 343

The other advantage of the air-gapped network is that you no longer "need" to update the computers within the network with most of the security updates that come across Windows Update. Build them from DVDs & SPs with known hash values, never having connected them. Who cares if those PCs are still stuck on Win7-SP1 or Win8.1 RTM. Their primary attack vector (e.g. the big bad Internet) is unavailable. Even if these machines are built with malware, the worst that could happen is that they get erased, but the data still doesn't go out.

But what about e-mail? IM? Interwebs? Facebooking? Really??? Buy a 2nd, low end PC, wirelessly connect it to the corporate network, and volia! Hell, you could even use a KVM for this purpose, if you'd rather not spring for the expensive $400 laptops. Don't take the easy approach of connecting the networks in a way that only allows for RDP sessions--a determined hacker with unlimited funds (e.g. state sponsors) would figure that one out.

But what about Adobe Cloud or whatever program needs to connect to the Internet? Most such programs have alternative options for air-gapped networks (e.g. a license server), and a company like Adobe could be brow-beat by a company like Sony into disabling phone home. For high-risk applications where you can't talk your vendor out of phone-home, it's time to look for a new vendor...

Comment: Brian Krebs received one & posted it... (Score 4, Informative) 250

by BUL2294 (#48604101) Attached to: Sony Demands Press Destroy Leaked Documents
Brian Krebs got one, reported on it, and was kind enough to post it for the world to see Sony for their true colors...

Demand Letter:

I can hear Barbara Streisand's voice now... (Well, what I hear is "her" voice from the Mecha-Streisand "South Park" episode...)

Comment: Re:Something is dodgy here. (Score 2) 184

I wouldn't be surprised if someone at Sony were responsible for sending this email as a false-flag operation.

False-flag operation or not, that's a crime. If someone within Sony (or hired by Sony--e.g. their cybersecurity contractor) sent such an e-mail, that person is doing the equivalent of "screaming 'fire' in a crowded theater, when there is no fire". Not protected by free-speech and that person should be criminally charged with a felony.

Comment: Re:$1tr question--Why is all this Internet-facing? (Score 1) 528

by BUL2294 (#48531383) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
Explain how airgapping doesn't make you immune to Windows Updates? If your PC can't talk to Microsoft, and unless you're going old-school sneakernet with flash drives, how is it going to get updates? Most Windows updates solve some sort of security hole, usually caused by the execution of malicious software or some sort of security hole that's exploitable from the Internet. Take away "the Internet" and lock down what people can execute on their PCs within "the island" and problem solved. Yes, you now have a known unpatched security hole--but one that can't be exploited without access to the Internet. No malicious links, attachments, unauthorized software, browser toolbars, etc. Just people using limited specific software & specific versions on (for example) Windows 7-SP1.

As has been proven by Stuxnet and this breach, unlimited state-sponsored funds ALWAYS beats "networks with layered protection". Big-name companies that spend shitloads of money on security still get breached. 15+ years of "breeding a culture of corporate security" also hasn't worked. But if you require the network to have a physical presence, then you've eliminated your primary attack vector.

Comment: Re:$1tr question--Why is all this Internet-facing? (Score 1) 528

by BUL2294 (#48530431) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought
So how did companies handle such networks 20+ years ago, where employees in "other offices" (cities, other locations in the same city, etc.) could access files, databases, etc., without any vector out to the Internet? Wouldn't be that hard to create a disconnected network island "war room" in each office--disconnect some ports & buy new routers. The real issue ultimately becomes that you now might want to consider multiple such air-gappped networks (e.g. R&D, HR, Finance, etc.)

I have to assume that data breaches are much worse cost... This one has lost sales, lost goodwill, lawsuits, potential government fines (e.g. HR data), network design changes, etc. Even a $10 million air-gapped network would have been a bargain compared to this mess...

I'm still waiting for a massive Salesforce data breach... That'll be interesting when it happens.

"More software projects have gone awry for lack of calendar time than for all other causes combined." -- Fred Brooks, Jr., _The Mythical Man Month_