
Comment I suffer from Bullshit-Intolerance Syndrome (Score 5, Funny) 581

My condition causes me significant discomfort around people who say aggressively stupid things, internalize and repeat strange diagnoses they read on the internet, and causes me to have thoughts of self-harm when listening to security software vendor presentations. I have repeatedly asked my employer to accommodate my needs stemming from Bullshit-intolerance Syndrome (BS), but they all just say, "that's bullshit, we won't tolerate that" to which I say "yes, that's my problem too." Perhaps I also suffer from Jackass Impulsive Recursive Comment (JIRC) disorder, but they don't want to hear about that either. I'm gonna sue.

Comment Influence from Skype (Score 5, Interesting) 316

It is interesting to see not only the technical influence, but the design philosophy inherited from the Skype acquisition: That is, from the perspective of a running service, it's perfectly ok or even desirable to worm your way out and communicate with the hivemind, no matter what the user says. For example, if the user configures the app not to communicate with a voip service, the app will respect the exact letter of the user's intent -- not to make voip calls or display presence -- but it will still update itself, download patches, and update directory data so that you *could* make voip calls if you changed your mind... which it will assume you did at the next update when the settings are reset to default-open...

Opting out entirely is within reach for most people/orgs, it's the momentum that keeps people choosing this crapware. I keep Windows around because I like Visio, but my company does everything else in Google services, so my main machine for actual work has been Linux Mint for several years. The kids have Windows tablets but never use them; they just use pocketable android for comm and big iron for gaming/steam/AV/dev. It's not even worth much effort to criticize msft, they're not going to stop doing stupid things, they don't offer an advantage at the consumer level anymore, and I just don't have the time for it.

(Now, ask me as a security geek, do I like having windows event data along with netflow? Sure thing, but the infrastructure to get that is insanely costly to license and run. I just wouldn't build a company that way anymore.)

Comment Re:Shut up.. (Score 2) 174


Some of the "gardenburger" patties are quite good, but sometimes I still want bacon and cheese. Responses vary from "I'm sorry, we don't have veggie bacon" to **blink**

Same with a good bacon-cheese-fishburger. I get THE LOOK sometimes, as the impossibly young and anorexic waif behind the counter contemplates what a culinary pervert I am, for ordering bacon on fish. (And I, in turn, contemplate how best to administer the emergency cheeseburger she so desperately needs, without ending up in jail.)

And yet.... somehow I cannot abide the KFC Double-Down sandwich. Maybe it'd be ok without the gag-inducing mayo-cheez-spooge sauce they use as technical food glue?

Comment Hey Elon! (Score 1, Flamebait) 25

Hey Mr. Tesla! Surely the Solar Impulse team would be happy to slap a very thin sponsor sticker on a prominent spot, in exchange for Tesla waking up some of its lithium-ion gods out in the desert. Can't think of a better entity to say "let me look into that" and return 48 hours later with a station wagon full of the latest Li-polymer batteries formed in precisely the right shape with precisely the right chemistry.

Maybe? I know Elon's other team needs a bit of a morale boost at this moment; why not get that boost from the team that's NOT fully occupied doing fault analysis at the moment, and totally qualified to solve this specific energy problem?

Comment Next year's budget for Hapeville: no bomb squad (Score 5, Insightful) 431

The article cites two excellent examples of why the Hapeville bomb squad needs to be dropped from next year's budget. I'm not sure if the county authorities would be any better, but if the local squad's hapless misjudgment of risk leads to wasted funds on response, wasted funds on defending their mistake, wasted funds on legal restitution (I sincerely hope the kid and his parents sue the city), and general loss of reputation for the city... then the bomb squad is a liability in terms of finance, risk, and reputation. The most obvious response is to take the toys away from the idiots.

Don't fight them, defund 'em.

Comment Re:IE? (Score 1) 49

I keep hearing this claim, and I see no evidence for it. Shit, I worked for redmond for years, and IE was *never* faster outside of a lab than Firefox, much less Chrome. I didn't particularly care for the immense amount of telemetry that Chrome shipped back to the goog, but it started fast and stayed that way. A fresh copy of IE/Win8 on the other hand, was zippy for the first few days of use -- almost as fast as firefox on 32 or 64 -- but quickly bogged down with local cache writes and content inspection, tons of default telemetry, and helper libraries that could not be unloaded without heading into the registry with an army of villagers wielding pitchforks and torches. Besides, it's UGLY. Why bother with it?

Comment Re:All products of this type of shit (Score 1) 64

Not sure why I keep taking the bait on this, but... two things:

1. Just to pick an example: I proposed that one of your users receives *content* (not an exe) that first subverts the function of existing whitelisted exes, then inserts a logical payload; a mildly good version of this will never hit disk or appear as anything more than a new thread of an existing process. Impossible? You are /sure/ that configuring "about four different changes to the way the computers work" contains all risk of misuse or abuse of a particular function type, and all potential vulnerabilities that would unintentionally allow such, in an open system comprising 40 million lines of code in its default configuration? You are the very definition of an optimist.

2. Where the rubber meets the road: The systemic error you've made is assuming you are the smartest guy in the room. You might well be smarter than me, but you are assuredly not smarter than all of your adversaries... where "smarter" may be measured by totality of information about a complex and dynamic system (in which case, there is no condition in which it is possible to have total knowledge or control), or the ability to logically use and creatively combine the resources local to you (not humanly possible to disposition all possible permutations of a mesh graph with a nontrivial number of nodes). If you think you have accounted for all possibilities and logically made errors impossible, then you lack sufficiently deep understanding of the game.

It should be very easy to find you, either from the Hindenburg-size ego, or by following the immense target you painted on your own network. Wrong? Would you post your gateway's public IP ? (I say this to make a point. Please don't be so stupid as to actually connect your personal arrogant bluster with any professional responsibility to protect assets.) In a way I am grateful for opinions like yours, because I'll be fully employed at top dollar well into my old age, doing rescue jobs when your unsinkable ship does the impossible.

'Nother day, 'nother dolla, Dolla dolla dolla bill y'all...

Comment Re:All products of this type of shit (Score 1) 64


"users needing to exchange information.. [no]" and "protocols for file transfers...upload or download a specific file at time X."
No ad-hoc messaging in business? The environment you describe does not exist.

"Communication between the work stations or to unauthorized servers on the network is not allowed... again, at the appliance level"
Soooo.... you replaced the hub with a switch?

"refreshed from a template on login. You can't infect the workstations."
Check out Angler malware. Oh, and for two scoops of irony, use the browser in your liveCD Kali distro to read up on in-mem exploits for debian.

"unauthorized code" or "BestTrojanEVER.exe"?
Not required, nor is code persistence. The default OS contains more than enough helpful code you had to whitelist. But it *is* terribly helpful of you to eradicate the host OS after user creds are compromised, so there's no pesky log data.

"about four different changes to the way the computers work"
You don't know much about Windows or *nix, do ya? Or computers?

"The system I've set up is the firmest security I've heard of short of building a secret air gapped network run by mole people under the earth with no door in or out."
Mole people? Who... who told you about the mole people?

"the sort of system I'm talking about... Doesn't get hacked. Its never happened. Ever."
Oh sure it does. Go read up on Buckshot Yankee and SIPRNet. Took three years for the US feds to clean up that shit, all because some lonely intel guy stationed in the sandbox wanted to look at boobies on a goddamn thumbdrive.

"attack with no physical component...just don't see how you could do it"
If you use anyone else's code.... Oh shit... are you forking TempleOS?


Comment Re:All products of this type of shit (Score 1) 64

Bullshit. Arrogance is always the undoing. Even in the most hardcore, wired-only, mac-whitelist, tightass-vlan, zone-enforced user minimum-privilege network, people have to get work done. That means if you have internet access, people will exchange data or even documents with uncontrolled sources. If you don’t, they will find some way to move or bring data in. If you have commodity operating systems or compatible office software, you have compromisable endpoints that need continuous maintenance. If you have shared resources like file servers, printers, and email, then you have nodes to emulate which facilitate lateral movement. If you have user accounts in the same directory as administrators, you have a venue for elevation of privilege. If humans administer the network, there exists a method for changing its configuration.

While you are positive that your environment is “basically impossible” to hack, someone will send your staff a slow trickle of emails every week or leave a few 32GB thumbdrives in the lobby that have a file “Confidential-Proposed2015Q4Layoffs.PPTX” and one of your std-priv staff will invariably open it. You might miss powerpoint.exe spawning flash.exe and a call to NativeProcess(); or something more subtle. You might not catch a call to or from their machine that’s missing an http referrer, and a plaintext C2 reply. Soon a regular user makes a few novel but authorized connections, then some hash files get read, then a few more users do the same. Someone with more than usual user privs makes an authorized filesystem write to a host in IT. Soon one of the service admins’ laptops ends up with a virtual USB HID device, and Windows helpfully mirrors all keyboard input to it. One or two more hops, and some patience, and the credentials for your core switch are lifted. Your own infrastructure is then mildly tweaked without disturbing anything you care about – an fspan modified here, some data staged on a low-priv endpoint there, with a path that appears for less than a minute each week to do something else before disappearing from affected tables. An adversary takes residence on one of the cards in your core cisco gear, resistant to even a chassis IOS wipe and reload. And when that’s stable, all the previous steps will be eradicated if not already done, though a diligent adversary might adopt a ‘rule-of-three’ method to ensure each re-entry stage has two fallbacks in case you get wise. But you’ll probably never see it, and you’ll likely insist that it’s not happening even when your adversary makes a mistake and drops a hint. And that’s just what bad guys can do without the advantage of walking in with a warrant and a 1U box.

Now, do the junior-birdman purveyors of “E-Detective” make the claim their sniffer owns up your network simply by being plugged in? They do? That doesn’t even pass the giggle test. But don’t be too smug about what could happen with an adversary that isn’t a fool, or about the efficacy of bone-simple tooling accurately matched to vulnerabilities. And don’t use words like “impossible.”
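Two of the observables named in the comment above (an Office application spawning an unexpected child process, and repeated outbound requests that never carry a Referer header) can be surfaced with simple rules over endpoint and proxy telemetry. The Python below is an added example, not code from the comment or from any vendor mentioned in the thread; the process-creation events, proxy log lines, hostnames and IP addresses are all constructed, and the allowlists are assumptions a real deployment would tune.

```python
"""Added example: two detection checks over constructed telemetry.

Check 1 flags Office applications that spawn child processes outside a small
expected set (the comment's "powerpoint.exe spawning flash.exe").
Check 2 flags (client, destination) pairs that are contacted repeatedly and
never with a Referer header, which is how automated beaconing tends to look
next to ordinary browsing.  Every value below is made up for the example.
"""
from collections import Counter

# Constructed process-creation events: host, parent image, child image.
PROCESS_EVENTS = [
    {"host": "ws-17", "parent": r"C:\Program Files\Office\powerpoint.exe",
     "child": r"C:\Users\jdoe\AppData\Local\Temp\flash.exe"},
    {"host": "ws-17", "parent": r"C:\Program Files\Office\winword.exe",
     "child": r"C:\Windows\splwow64.exe"},            # printing, expected
    {"host": "ws-22", "parent": r"C:\Program Files\Chrome\chrome.exe",
     "child": r"C:\Program Files\Chrome\chrome.exe"},  # not an Office parent
]

# Assumed allowlists; a real deployment would build these from baseline data.
OFFICE_APPS = {"powerpoint.exe", "winword.exe", "excel.exe", "outlook.exe"}
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe"}


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_office_children(events):
    """Return (host, parent, child) for Office parents with unexpected children."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["child"])
        if parent in OFFICE_APPS and child not in BENIGN_OFFICE_CHILDREN:
            hits.append((ev["host"], parent, child))
    return hits


# Constructed proxy log: timestamp, client IP, destination host, method, referer
# ("-" means the request carried no Referer header).
PROXY_LOG = [
    ("2015-03-01T09:00:05", "10.1.4.17", "www.example.com", "GET", "-"),
    ("2015-03-01T09:00:06", "10.1.4.17", "www.example.com", "GET", "http://www.example.com/"),
    ("2015-03-01T09:00:07", "10.1.4.17", "www.example.com", "GET", "http://www.example.com/a"),
    ("2015-03-01T09:05:00", "10.1.4.17", "203.0.113.9", "GET", "-"),
    ("2015-03-01T09:10:00", "10.1.4.17", "203.0.113.9", "GET", "-"),
    ("2015-03-01T09:15:00", "10.1.4.17", "203.0.113.9", "GET", "-"),
    ("2015-03-01T09:16:00", "10.1.4.22", "203.0.113.9", "GET", "-"),  # only once
]


def referer_less_repeat_hosts(log, min_hits=3):
    """Return sorted (client, host) pairs seen at least min_hits times where
    no request ever carried a Referer.  A single referer-less request is
    normal (typed URL, bookmark); a steady stream with none is worth a look."""
    total, no_ref = Counter(), Counter()
    for _ts, client, host, _method, referer in log:
        total[(client, host)] += 1
        if referer == "-":
            no_ref[(client, host)] += 1
    return sorted(k for k in total if total[k] >= min_hits and no_ref[k] == total[k])


if __name__ == "__main__":
    for hit in suspicious_office_children(PROCESS_EVENTS):
        print("office child:", hit)
    for pair in referer_less_repeat_hosts(PROXY_LOG):
        print("referer-less repeat:", pair)
```

Neither rule is proof of compromise on its own; both produce leads that the comment's hypothetical admin would have to actually look at, which is the point being made.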

Comment Re:Market Niche Exists (Score 2) 113

Blackberry Passport. I got one last week. Holy shit, this is a great phone. Specs very close to the 1+One. Have a look.

Runs android 4.x alongside QNX, runs BB apps, runs Android apps, **sandboxes** the Android apps for better security than typical Samsung implementation. It took me two tries to get standard Google Play services installed, and now it handles both personal and work google accounts cleanly and separately. All the amusements are there, and all the business stuff is there too.

And it has a sweet physical keyboard with a capacitive surface, so I can gesture on the kbd without obscuring what's on that gorgeous 1440x1440 screen.
The weird hipster factor is pretty high on the Passport, but it's so damn functional.

Comment annoying downgrade, ignores major usage patterns (Score 4, Insightful) 101

I find it really ironic that Google, a company so used to being the new hotness upstart company, is so willfully ignoring usage patterns of a significant minority comprising "the youth" and people on the wrong side of the internet divide, and much of the third world, and anyone without a data plan outside of wifi range.

What these people have in common is they use sms or some form of text-like DM instead of email, so email notifications sit in an unread inbox and are effectively useless. Syncing calendars is fine as long as each individual maintains their own calendar, but sms is one of the nice ways to notify individual attendees without some major calendar confab.

For example, my kid's french tutor uses Google calendar for scheduling, and if you load the calendar it shows *every* person scheduled on that calendar, which is great for finding available spots, but it's not something you would leave visible. Turn it off/non-visible, and you lose web notifications. However, at present each person gets an sms notification for their appointment, even if they turn the calendar off. Sooo.... Google expects every person on a shared calendar to leave that calendar active at all times in order to receive web or email notifications, which are likely ignored if not disabled?

It's a tone-deaf move. Personally, I use sms to ensure my kids get the notification no matter what, and this downgrade will result in all sorts of ignored events and missed appointments. One workaround, at least for t-mobile, is to email the notification to ....tho there was some talk of the service being taken down to avoid abuse.

Comment Re:What happens when you have insular advisors (Score 1) 389

For an individual or small group, I won't assume malice where incompetence or failure is an entirely viable explanation.
For a large group, inhuman malice towards individuals is generally indistinguishable from studied and successful neutrality.

Why? Because open naivete and narrow cynicism are both excellent spices, but neither fills the stomach.

Comment What happens when you have insular advisors (Score 4, Insightful) 389

Note to Obama: You are being lied to.

Seriously, and trying to sidestep most of the political angles: This is what happens when a person with authority collects a small set of advisers -- in an effort to cut noise/increase focus/get to data-driven decisions -- and then those advisers are not challenged or regularly rotated or infused with new thinking.

This instance pains me, partly because by my citizenship I'm on the wrong end of the Patriot Act aka "Putin's Law" ...but even more because I make my living by gathering and giving security and privacy advice on both the technical and compliance sides. When Obama's not even getting the quality of mid-market commercially-available advising, we're all in deep doo-doo.

To wit:
- Let's get real: metadata IS the data. Who/when/how/where you called is just as important as the what/why content of the call. The ears don't get much more totalitarian than this, we just don't have totalitarian fists yet. (Oh wait... *watches news about street cops outfitted with combat armaments and light tanks, then acquitted for movie-style executions*)
- NSA's collection of citizens' communication data and metadata has not led to even one single foiled terrorist plot. Not one. It's not even the right model to catch the stuff we know about in hindsight. The only reliable detection tool for decades has been manual notification by family and friends to authorities, and there's still no good unified repository and workflow system to handle it.
- There are multiple documented instances of abuse where the collected information was too tempting for federal employees not to do something stupid or illegal or both. (LOVEINT is almost funny, but multiple instances of commercial espionage have been alleged and documented.) If we amass this kind of information, people will use it for whatever purpose they imagine -- justified or illicit -- because admitting there's no legitimate function is the worst option of all.
- In the big picture, total security really does obliterate freedom. How I wish we could discuss that without hyperbole. Maybe we could stay grounded by involving the French, who are further into a discussion about how overreaction to Muslim immigration will destroy their governing principles as effectively as any perceived human threat.
- It deeply troubles me that Obama appears to have no better tech-sourced intel than 3rd tier CEOs buying security guidance from consultancies with 800 number to a sales guy and $150/hr bill rate.

What a sad state of affairs.

Comment King Midas in reverse (Score 4, Insightful) 129

I'm horrified, partly because I'm on the verge of buying a BB Passport. It's the best thing they've done in years, and since playing with SWMBO's (she bought one instead of a galaxy edge, after much comparison). The BB has a nice android implementation, simple hack to add the Google apps, better security and sandboxing of droid apps, and real keys with a touch surface that flows right onto the 1440x1440 touchscreen. Oh, and all that stuffy Blackberry stuff. It's a truly awesome piece of hardware. And now Redmond wants to gut 'em for their IP portfolio and security reputation?

In the mobile market, Microsoft is like King Midas in reverse: everything they touch turns to shit.* But this isn't a rant about Microsoft, it's a worry that Blackberry -- having done the amazing job of pulling out of the total nosedive they were in -- might get stomped just as they level out, and ship something even better. What a disappointment that would be.

*apologies to Tony Soprano

Comment single-purpose tools better be awesome + durable (Score 2) 270

Yes, kitchen counter space is limited. And toolbox space, and desks, and dressers, etc etc. Keurig has a functional niche (places where mess is intolerable or there's no one to clean it up, like medical lobby or a low-use office), but their marketing has convinced a broader market that it's too cool not to have one. It won't last. Already there's blowback about the amount of waste produced by this particular device, and popularity is waning... just like most other uber-popular single-use doohickeys.

In order to survive past initial novelty-driven sales, a single-purpose/non-flexible device had better be utterly awesome at what it does, and seriously durable in both function and regularity of need. That's why the regular pan stays while the egg-magic pan goes to Goodwill (not durable, don't want eggs every day), and virtually every Rolodex has been replaced by a free app on a general-purpose portable computing device (not flexible, need changed). The Keurig makes consistent mid-grade coffee (not awesome), and is moderately durable at best (and DRM is a form of intentional breakage), which means market survival will eventually come down to flexibility. Can JoeBob consumer make ramen with a Keurig? No? Then eventually he'll keep the kettle and throw out the Keurig.

'Jus sayin... as I sip decent coffee out of a mug, made with a 15yo Cuisinart kettle, an $0.80 sbux Via packet, and less waste/cleanup than Keurig. The packet will change, the kettle will stay.
