Comment on to destroy the executive branch just like HP (Score 5, Insightful) 488

disclaimer: I have a household member who's worked as an engineer at HP under Carly.

The unending wellspring of universal hatred for Carly as a leader from those who worked under her (especially at HP) is impressive, and remains constant even from people whose politics are somewhat to the right of Genghis Khan. She did what she was told, she laid waste to that not-so-micro economy, and she shows no regrets whatsoever -- for either the human or financial disaster in her wake. There's no surprise, then, to find she was unquestioningly supportive of what she perceives to be rungs above her on the ladder of power. Godwin's Law is entirely appropriate for examples of where this leads; don't mistake "comfortable sociopath" for "hawkish."

Carly is precisely the sort of person who should never be allowed to have power over others, or even a sharp knife at dinner: Total obedience and no discernible ethics at all.

Comment "Digital and Cyber" (Score 2) 35

We can tell if you're working for an aging government agency if you still use the word "cyber" to describe anything since the 1980's.

The funny part is "Cyber" is Hill-speak for "newfangled stuff" and the linguistic contortions are hideous: "His section is going to focus on cyber (and get the modems working right)" or "We're going to call in specialists who understand cyber (so that the VCR won't blink 12:00)." Cyber fits right into totally, grody, bitchin', illin', schweet, and wigging out. Living through the 80's was horrible the first time, and these guys just won't let go.

The sad part is that it actually has a negative impact on recruiting for intel roles, on top of the fact that a .gov/.mil role pays half what you can make in the private sector with similar skills. Flash up the word "cyber" and the recruits that visualize Johnny Mnemonic and stand up quick... those are the ones you want to filter out. Eventually the professionals stand up, see that the pay is shit, and sit back down. So the system actually is biased toward low-skill chaff, or the equivalent of guys who will do anything to be a cop because they really really really want a gun and authority; precisely the kind that you want to keep out of intel positions. It kinda drowns out the good guys, the smart ethical ones who actually want to do the public good.

Not good.

Comment Re:Apple doesn't get it (Score 1) 279

...And KBB consumer reviews of the Aztek are 8.2/10 over those product years, which just goes to show that opinions are all over the map. It's a slow morning, so...

Just the numbers: 119,700 Azteks sold
estimated they needed to sell 30,000 per year to break even (150,000)
sold 23,940 per year on average = about 6060 cars short of hitting that mark (30,300 total)
avg mfr invoice minus holdback for those 5 years = about $17.5k
530m shortfall over 5 production years = 106m/year loss

GMA (just the cars, not the rest of GM) had a 2001-2004 net income/profit of about $1 billion/year over net revenue of $150 billion/year before badder things happened in the larger economy. The Pontiac Aztek accounted for a 0.07% dent in revenue, and 10% reduction in total profit. Ow.
BUT, consider that the same assembly line made the Buick Rendezvous (the blander version of the Aztek) which substantially exceeded targets of 30k/year at about 57.9k/year. The two products off the same assembly line, same tooling, same costs totalled up, were a net positive (about 82k/year over a combined break-even point of 60k/year) -- meaning GM had a net profit from that production and assembly line, exceeding break-even production by 35%+. They didn't actually lose money.

One might argue that's a way of shuffling losses, but if you dig into GM's reports and strategy, they say (GM AR 2003, p 6):
>> GM brought brand differentiation to the world back in the
>> 1920s, when Alfred Sloan created the price ladder of GM
>> marques that offered “a car for every purse and purpose.”
>> ....
>> Those lessons are now being applied in North America to
>> our volume leader, Chevrolet, to our performance-oriented
>> brand, Pontiac, and to Buick, which is restoring its reputation
>> for refined, dignified elegance.

GM's Pontiac brand was *supposed* to be the edgy just-break-even part of the business (e.g. the subsequent GTO), the product and assembly lines were specifically structured that way, and GM's balance sheet was combined in a way to handle that. The whole notion of the Aztek/Rendezvous::loss/profit rests on the dumb assumption they were going to sell the edgy-version vs mass-market version of the same car at a 50/50 ratio. Want to see what killed Pontiac? Look at page 19 of that 2003 Annual Report, which shows in page-filling bold type the demise of Pontiac and Saturn were just speed bumps in GM's idle mismanagement:

>> Here’s what’s new
>> about GM’s strategy this year:
>> Nothing.
>> Our 2003 plan is the same as 2002.
>> We’re getting better, year by year.

Wow. Bankruptcy was about a year away.

Net net is that Edmunds can print hyperbole about a car they hate, and weirdos like me can spend a Sunday morning rattling on about what we like, but the long and short of it is that the Aztek wasn't really significant in GM's 9-million-vehicles-per-year business, any more than the Newton MessagePad killed Apple. IMHO what is significant is the design influence, the things we talk about years later, and the encouragement to go do ballsy things despite the risk of failure.

Coffee, I need coffee.

Comment Re:Apple doesn't get it (Score 3, Informative) 279

Fair call on much of this, but citing the Pontiac Aztek as "incompetent" would be inaccurate; it was a niche product that had an insanely high customer satisfaction rate among those that bought it. ("The Aztek had among the highest CSI (Customer Satisfaction Index) scores in its class," and JD Power 2001 cites: "The Aztek scores highest or second highest in every APEAL component measure except exterior styling.")

Most people didn't like it, but the mark of incompetence would have been producing the Aztek as the main-line product. (Oh wait, they did: the Buick Rendezvous; just as ugly but without balls.) Producing weird shit that the corners of the market eat up -- Pontiac's Aztek, Nokia N900, Apple Newton, Saturn EV1, the first decades of online "remote" shopping and of television, and other things we love(d) to hate but keep talking about or ended up using -- they generally fall in two categories: they move the entire market/industry forward significantly despite losses, or their makers laugh all the way to the bank. (Cadillac's styling for their entire current lineup owes more to the Aztek than any other ancestor. It just took GM a while to figure out who wanted Klingon cars.)

To the point: It may take a decade for a ballsy move like the Aztek to translate into a shitpile of cash, but it's better than standing still. Microsoft's failing is that they keep making a large number of unremarkable things, while competitors like Apple and Google make fewer things that are much more memorable, much better milestones. Do you remember what search was like before Google Search? Tablets before the iPad? Can you recall many jumps forward in Windows, Office, or Azure that feel the same? Google ships Chromebooks to schools and makes "lost homework" a quaint archaic idea, and Microsoft shuffles buttons in the ribbon, has us scrolling sideways in Metro, and ships a tablet with a flaccid keyboard. Utterly forgettable if not a step backwards. Repackaged Windows that brings back Win7 UI features? A kickstand idea they got from Archos? Active tiles from iOS? Win10 and Surface: New, yes; revolutionary or memorable beyond the next product announcement, no.

Comment sucks to be Scott Charney, I guess... (Score 4, Interesting) 112

After all that bluster about security and privacy, ten years of "Trustworthy Computing" and Scott Charney poised to head to some White House role as the voice of Microsoft, it's all fallen apart. Scott's sidelined, TwC effectively disbanded and its security and privacy groups laid off or rolled into the Windows group, and all the new hot noise and hubbub is about sending Brad to grow the army of sheltered Satya-style bro-grammers to churn out even more shit code. So much for the idea of BETTER products; We'll just brace for MORE of the same minimally-tested, designed-by-assumption, cloud-based/bing-telemetry-sucking, insecure dreck. Woohoo.

The H1B debate is irrelevant; when the direction and mission of the enterprise is so fundamentally disorganized, orthogonal to real-world business use cases, and requires dismantling national labor legal structures, the "need" for more tech workers to get there is a non sequitur. Microsoft is looking at Google in 2015, with the same curious lack of understanding as IBM looked at Microsoft in the 1990's -- not understanding the landscape itself had changed, and vigorously agitating for more mainframe system programmers. More H1Bs would make the same difference to Microsoft now as IBM then.

Comment not the test case we would want (Score 1) 195

I *would* agree with Microsoft on this one, except that it's a lousy test case, and likely to set a bad precedent.

What would be good to test in the courts -- and have protected by case law -- would be something like: Can a US court demand access to data generated by Notamericastan clients using a US-based software service that stores their logic in datacenters in Notamericastan. In this case, *some* of the data makes a roundtrip through US circuits, but generally the US company is providing logic for non-US clients in a non-US location with non-US data storage; is that enough for a US court to reach out and retrieve data that appears to be thoroughly out of its jurisdiction based on the contractual agreement of the client to use a US-based service? Would be nice to know.

But that's not what's at stake here. What appears to have happened is that some clever people in Redmond (US-based workers), working with some data submitted by non-US people, ended up working with intermixed US- and non-US-sourced data, and then the US-based workers decided to park the data on non-US servers in order to claim that it was out of US jurisdiction. IANAL, but that seems a lot like a guy speeding across a state line, and being surprised when the state trooper doesn't stop pursuit. This is not exactly good material for Brad to make a blustery moral stand. How does Msft think this turns out?

Comment I suffer from Bullshit-Intolerance Syndrome (Score 5, Funny) 588

My condition causes me significant discomfort around people who say aggressively stupid things, internalize and repeat strange diagnoses they read on the internet, and causes me to have thoughts of self-harm when listening to security software vendor presentations. I have repeatedly asked my employer to accommodate my needs stemming from Bullshit-intolerance Syndrome (BS), but they all just say, "that's bullshit, we won't tolerate that" to which I say "yes, that's my problem too." Perhaps I also suffer from Jackass Impulsive Recursive Comment (JIRC) disorder, but they don't want to hear about that either. I'm gonna sue.

Comment Influence from Skype (Score 5, Interesting) 316

It is interesting to see not only the technical influence, but the design philosophy inherited from the Skype acquisition: That is, from the perspective of a running service, it's perfectly ok or even desirable to worm your way out and communicate with the hivemind, no matter what the user says. For example, if the user configures the app not to communicate with a voip service, the app will respect the exact letter of the user's intent -- not to make voip calls or display presence -- but it will still update itself, download patches, and update directory data so that you *could* make voip calls if you changed your mind... which it will assume you did at the next update when the settings are reset to default-open...

Opting out entirely is within reach for most people/orgs, it's the momentum that keeps people choosing this crapware. I keep Windows around because I like Visio, but my company does everything else in Google services, so my main machine for actual work has been Linux Mint for several years. The kids have Windows tablets but never use them; they just use pocketable android for comm and big iron for gaming/steam/AV/dev. It's not even worth much effort to criticize msft, they're not going to stop doing stupid things, they don't offer an advantage at the consumer level anymore, and I just don't have the time for it.

(Now, ask me as a security geek, do I like having windows event data along with netflow? Sure thing, but the infrastructure to get that is insanely costly to license and run. I just wouldn't build a company that way anymore.)

Comment Re:Shut up.. (Score 2) 174
Some of the "gardenburger" patties are quite good, but sometimes I still want bacon and cheese. Responses vary from "I'm sorry, we don't have veggie bacon" to **blink**

Same with a good bacon-cheese-fishburger. I get THE LOOK sometimes, as the impossibly young and anorexic waif behind the counter contemplates what a culinary pervert I am, for ordering bacon on fish. (And I, in turn, contemplate how best to administer the emergency cheeseburger she so desperately needs, without ending up in jail.)

And yet.... somehow I cannot abide the KFC Double-Down sandwich. Maybe it'd be ok without the gag-inducing mayo-cheez-spooge sauce they use as technical food glue?

Comment Hey Elon! (Score 1, Flamebait) 25

Hey Mr. Tesla! Surely the Solar Impulse team would be happy to slap a very thin sponsor sticker on a prominent spot, in exchange for Tesla waking up some of its lithium-Ion gods out in the desert. Can't think of a better entity to say "let me look into that" and return 48 hours later with a station wagon full of the latest Li-polymer batteries formed in precisely the right shape with precisely the right chemistry.

Maybe? I know Elon's other team needs a bit of a morale boost at this moment; why not get that boost from the team that's NOT fully occupied doing fault analysis at the moment, and totally qualified to solve this specific energy problem?

Comment Next year's budget for Hapeville: no bomb squad (Score 5, Insightful) 431

The article cites two excellent examples of why the Hapeville bomb squad needs to be dropped from next year's budget. I'm not sure if the county authorities would be any better, but if the local squad's hapless misjudgment of risk leads to wasted funds on response, wasted funds on defending their mistake, wasted funds on legal restitution (I sincerely hope the kid and his parents sue the city), and general loss of reputation for the city... then the bomb squad is a liability in terms of finance, risk, and reputation. The most obvious response is to take the toys away from the idiots.

Don't fight them, defund 'em.

Comment Re:IE? (Score 1) 49

I keep hearing this claim, and I see no evidence for it. Shit, I worked for redmond for years, and IE was *never* faster outside of a lab than Firefox, much less Chrome. I didn't particularly care for the immense amount of telemetry that Chrome shipped back to the goog, but it started fast and stayed that way. A fresh copy of IE/Win8 on the other hand, was zippy for the first few days of use -- almost as fast as firefox on 32 or 64 -- but quickly bogged down with local cache writes and content inspection, tons of default telemetry, and helper libraries that could not be unloaded without heading into the registry with an army of villagers wielding pitchforks and torches. Besides, it's UGLY. Why bother with it?

Comment Re:All products of this type of shit (Score 1) 64

Not sure why I keep taking the bait on this, but... two things:

1. Just to pick an example: I proposed that one of your users receives *content* (not an exe) that first subverts the function of existing whitelisted exes, then inserts a logical payload; a mildly good version of this will never hit disk or appear as anything more than a new thread of an existing process. Impossible? You are /sure/ that configuring "about four different changes to the way the computers work" contains all risk of misuse or abuse of a particular function type, and all potential vulnerabilities that would unintentionally allow such, in an open system comprising 40 million lines of code in its default configuration? You are the very definition of an optimist.

2. Where the rubber meets the road: The systemic error you've made is assuming you are the smartest guy in the room. You might well be smarter than me, but you are assuredly not smarter than all of your adversaries... where "smarter" may be measured by totality of information about a complex and dynamic system (in which case, there is no condition in which it is possible to have total knowledge or control), or the ability to logically use and creatively combine the resources local to you (not humanly possible to disposition all possible permutations of a mesh graph with a nontrivial number of nodes). If you think you have accounted for all possibilities and logically made errors impossible, then you lack sufficiently deep understanding of the game.

It should be very easy to find you, either from the Hindenburg-size ego, or by following the immense target you painted on your own network. Wrong? Would you post your gateway's public IP ? (I say this to make a point. Please don't be so stupid as to actually connect your personal arrogant bluster with any professional responsibility to protect assets.) In a way I am grateful for opinions like yours, because I'll be fully employed at top dollar well into my old age, doing rescue jobs when your unsinkable ship does the impossible.

'Nother day, 'nother dolla, Dolla dolla dolla bill y'all...

Comment Re:All products of this type of shit (Score 1) 64
"users needing to exchange information.. [no]" and "protocols for file transfers...upload or download a specific file at time X."
No ad-hoc messaging in business? The environment you describe does not exist.

"Communication between the work stations or to unauthorized servers on the network is not allowed... again, at the appliance level"
Soooo.... you replaced the hub with a switch?

"refreshed from a template on login. You can't infect the workstations."
Check out Angler malware. Oh, and for two scoops of irony, use the browser in your liveCD Kali distro to read up on in-mem exploits for debian.

"unauthorized code" or "BestTrojanEVER.exe"?
Not required, nor is code persistence. The default OS contains more than enough helpful code you had to whitelist. But it *is* terribly helpful of you to eradicate the host OS after user creds are compromised, so there's no pesky log data.

"about four different changes to the way the computers work"
You don't know much about Windows or *nix, do ya? Or computers?

"The system I've set up is the firmest security I've heard of short of building a secret air gapped network run by mole people under the earth with no door in or out."
Mole people? Who... who told you about the mole people?

"the sort of system I'm talking about... Doesn't get hacked. Its never happened. Ever."
Oh sure it does. Go read up on Buckshot Yankee and SIPRNet. Took three years for the US feds to clean up that shit, all because some lonely intel guy stationed in the sandbox wanted to look at boobies on a goddamn thumbdrive.

"attack with no physical component...just don't see how you could do it"
If you use anyone else's code.... Oh shit... are you forking TempleOS?
Comment Re:All products of this type of shit (Score 1) 64

Bullshit. Arrogance is always the undoing. Even in the most hardcore, wired-only, mac-whitelist, tightass-vlan, zone-enforced user minimum-privilege network, people have to get work done. That means if you have internet access, people will exchange data or even documents with uncontrolled sources. If you don’t, they will find some way to move or bring data in. If you have commodity operating systems or compatible office software, you have compromisable endpoints that need continuous maintenance. If you have shared resources like file servers, printers, and email, then you have nodes to emulate which facilitate lateral movement. If you have user accounts in the same directory as administrators, you have a venue for elevation of privilege. If humans administer the network, there exists a method for changing its configuration.

While you are positive that your environment is “basically impossible” to hack, someone will send your staff a slow trickle of emails every week or leave a few 32GB thumbdrives in the lobby that have a file “Confidential-Proposed2015Q4Layoffs.PPTX” and one of your std-priv staff will invariably open it. You might miss powerpoint.exe spawning flash.exe and a call to NativeProcess(); or something more subtle. You might not catch a call to or from their machine that’s missing an http referrer, and a plaintext C2 reply. Soon a regular user makes a few novel but authorized connections, then some hash files get read, then a few more users do the same. Someone with more than usual user privs makes an authorized filesystem write to a host in IT. Soon one of the service admins’ laptops ends up with a virtual USB HID device, and Windows helpfully mirrors all keyboard input to it. One or two more hops, and some patience, and the credentials for your core switch are lifted. Your own infrastructure is then mildly tweaked without disturbing anything you care about – an fspan modified here, some data staged on a low-priv endpoint there, with a path that appears for less than a minute each week to do something else before disappearing from affected tables. An adversary takes residence on one of the cards in your core cisco gear, resistant to even a chassis IOS wipe and reload. And when that’s stable, all the previous steps will be eradicated if not already done, though a diligent adversary might adopt a ‘rule-of-three’ method to ensure each re-entry stage has two fallbacks in case you get wise. But you’ll probably never see it, and you’ll likely insist that it’s not happening even when your adversary makes a mistake and drops a hint. And that’s just what bad guys can do without the advantage of walking in with a warrant and a 1U box.

Now, do the junior-birdman purveyors of “E-Detective” make the claim their sniffer owns up your network simply by being plugged in? They do? That doesn’t even pass the giggle test. But don’t be too smug about what could happen with an adversary that isn’t a fool, or about the efficacy of bone-simple tooling accurately matched to vulnerabilities. And don’t use words like “impossible.”

The program isn't debugged until the last user is dead.
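Added example, not part of any of the comments above and not code from the poster or from any product they mention: the two "All products of this type of shit" comments make the same point twice, once about content that subverts an already-whitelisted process so nothing new ever hits disk, and once in the narrative kill chain (powerpoint.exe spawning flash.exe, a request with no HTTP referrer and a plaintext C2 reply). Both argue that whitelisting the binary name is the wrong unit of control; the detectable signal is behaviour of the whitelisted process. The Python below runs that behavioural check over constructed sample data: a lineage walk over Sysmon-style process-creation records that flags any descendant of an office application, and a beacon test over simplified proxy lines that flags referer-less requests to one destination at a nearly constant period. The record layouts, host names, PIDs, domains and the small child-process allowlist are all hypothetical.

```python
import shlex
import statistics
from collections import defaultdict
from datetime import datetime

# Office applications that should essentially never spawn interpreters, plugins
# or shells. Names are lower-cased before comparison.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Direct children an office app legitimately spawns (hypothetical allowlist;
# the real one is tuned per environment, e.g. print spooler helpers).
OFFICE_CHILD_ALLOW = {"splwow64.exe"}

# Constructed sample data, not real telemetry. Process events carry the fields
# a Sysmon/auditd process-creation record would: host, pid, ppid, image.
PROCESS_EVENTS = [
    {"host": "wks-014", "pid": 2200, "ppid": 1000, "image": "POWERPNT.EXE"},
    {"host": "wks-014", "pid": 2310, "ppid": 2200, "image": "flash.exe"},
    {"host": "wks-014", "pid": 2350, "ppid": 2310, "image": "powershell.exe"},
    {"host": "wks-022", "pid": 3000, "ppid": 1000, "image": "WINWORD.EXE"},
    {"host": "wks-022", "pid": 3010, "ppid": 3000, "image": "splwow64.exe"},
]

# Constructed proxy lines: "ts src method dst path referer user_agent",
# with "-" meaning no Referer header was sent.
PROXY_LOG = [
    '2015-09-01T09:13:00 wks-014 GET update-cdn.example.net /check - "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '2015-09-01T09:18:00 wks-014 GET update-cdn.example.net /check - "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '2015-09-01T09:23:00 wks-014 GET update-cdn.example.net /check - "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '2015-09-01T09:28:00 wks-014 GET update-cdn.example.net /check - "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '2015-09-01T09:31:10 wks-022 GET www.example.com / - "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"',
    '2015-09-01T09:31:11 wks-022 GET www.example.com /news http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"',
    '2015-09-01T09:40:55 wks-022 GET www.example.com / - "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"',
    '2015-09-01T10:02:03 wks-022 GET www.example.com / - "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"',
]


def office_descendants(events):
    """Walk each process's ancestry by ppid and return (host, lineage) for every
    process that descends from an office application, except an allowlisted
    direct child. Every image in the chain may itself be whitelisted; the
    parent/child relationship is what makes it suspicious."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = [e["image"].lower()]
        cur = e
        while cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            chain.append(cur["image"].lower())
            if chain[-1] in OFFICE_IMAGES:
                direct_allowed = len(chain) == 2 and chain[0] in OFFICE_CHILD_ALLOW
                if not direct_allowed:
                    hits.append((e["host"], " <- ".join(chain)))
                break
    return hits


def beacon_candidates(lines, min_hits=3, max_cv=0.1):
    """Group referer-less requests by (source, destination) and flag pairs whose
    inter-request gaps are nearly constant (coefficient of variation <= max_cv).
    Regular, referer-less traffic to one host is the simplest beacon signature;
    a browser's own navigation is referer-less too but not periodic."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src, _method, dst, _path, referer, _ua = shlex.split(line)
        if referer == "-":
            buckets[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            flagged[key] = {"count": len(times), "period_s": mean, "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for host, chain in office_descendants(PROCESS_EVENTS):
        print(f"[proc] {host}: {chain}")
    for (src, dst), info in beacon_candidates(PROXY_LOG).items():
        print(f"[net]  {src} -> {dst}: {info}")
```

On the sample data the lineage walk reports both flash.exe and powershell.exe under POWERPNT.EXE on wks-014 and stays quiet about the spooler helper under WINWORD.EXE, and the beacon test flags the five-minute cadence to update-cdn.example.net while leaving the irregular browsing from wks-022 alone. The caveat the third comment makes still applies: an adversary whose path shows up for under a minute a week never yields enough samples for the periodicity test, and one who injects into a process that already talks to the network never trips the lineage rule. Treat checks like these as a floor that catches the careless, not as the "impossible" the other poster claimed.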