Please create an account to participate in the Slashdot moderation system


Forgot your password?

Comment How Kaspersky accidentally hacked the NSA (Score 2) 232

Bringing the thread back on topic, my experience at work shows how Kaspersky would have accidentally "hacked" this material.

For my day job I write software tools which scan networks, checking to see if any computers on the customers' network are vulnerable to any known vulnerabilities. Occasionally the antivirus/anti-malware that is mandated by corporate flags our on tools as likely malware. That makes sense, because our code looks a lot like malware code - we seek out vulnerable hosts, checking each to see if it's actually vulnerable. After that, our system reports to the customer where their vulnerabilities are, but to anti-virus / anti-malware systems our code resembles a threat. Our code also closely resembles some of the NSA code, which was basically malware. Our company has to conform to certain security standards, and those standards require all desktops and laptops to have anti-virus / anti-malware, so we aren't supposed to just disable it, even though it's troublesome when it flags our own files. Right or wrong, bureacracy requires that our systems have this protection.

The anti-malware vendors program their software so that when it detects a new strain of likely malware, it sends a copy back to the vendor so they can learn about the new malware. That's typical so they can provide better service by continually adding new detection for new malware varieties.

If, due to bureacratic fiat or any other reason, anti-malware were installed on an NSA system which had a copy of the NSA kit, I'd expect the anti-malware would detect a few of those tools as being possible malware infecting the system. (It is basically malware, after all). Standard practice would be for the anti-malware system to send samples back to Kaspersky, so they can update and improve their detection. Some low-level analyst at Kaspersky would receive several new zero days all "infecting" one computer. Since there are several and they are new, they'd alert their boss and Kaspersky would/should take a look at this customer system that contains several new zero days. Maybe look at the folder the zero days were in to see if more new threats are there. In the same folder the zero days came from, they'd find the NSA manual on how.yo use them. Suddenly Kaspersky would have the NSA kit without ever doing anything more than doing their job as expected.

The policy that would cause this to happen - without any malice by anyone, would be a rule that "all NSA desktops must have anti-malware installed", combined with choosing Kaspersky, a foreign company, as their vendor.

Comment Reading comprehension on Slashdot (Score 1) 170

Using the reading comprehension of Slashdot commenters as a gauge, I'm not a bit surprised that AI (or a child's toy) has better comprehension. Just this morning a guy here said "high explosives ... nobody is talking about low explosives" - in a thread about black powder. His own previous post said "explosives like black powder". Far too often, Slashdot commenters don't even comprehend their own posts, much less the article.

Comment HE yes. Which is why I said LE "like black powder" (Score 1) 183

Yes, high explosives don't require confinement to explode, or much confinement. As I said, they are also much more difficult to make or acquire especially to make safely.

  Which is why I discussed the two separately, saying "simple explosives like black powder", flash comp, etc ...
If they have ready access to modern high explosives ...

I can make LE at Walmart or Home Depot, using items readily available in those stores. HE is a different animal. If I tried to make HE from readily available ingredients, there would be a significant likelihood I'd die.

Comment What in the world would make you think that? Wrong (Score 1) 183

> I don't think you grasp why so much weight is in the casing... which is to produce shrapnel.

First, what in the world would make you think I don't know why I build my casings the way I do? Second, you are mistaken about the reason. With a low explosive such as black powder, flash, etc casing thickness is all about the pressure developed. Unconfined, these explosives don't so much as explode as burn quickly. The explosion comes from what's essentially a pressure vessel explosion. The burning composition produces a lot of gas very quickly, which creates a lot of pressure. Eventually it blows like a balloon that's been inflated too far. A weak casing will rupture exactly like a balloon - weakly. A strong casing won't rupture until there is a very high pressure, creating a powerful explosion.

A casing that's TOO strong will waste weight, peel open instead of fracturing, and some point not rupture at all.

Next time you think about correcting you might first ask yourself "do I have a clue what I'm talking about?" When you're considering educating someone about what they do, maybe ask yourself "have I ever even once *tried* doing this? Do I really know better than the people who do this stuff?"

Comment I forgot to subtract fuel weight (Score 1) 183

In my payload estimate I forgot to account for how far they are going. If they take off from the front line, 20 miles away, they'll burn very roughly a kilogram of fuel (could be half that, or twice that). So figure 5kg of payload.

The fuel burn over such long distance for a craft that small will significantly affect CG unless it's carefully designed to have the tank right at the CG. That makes design and flight harder.

Comment Payload around 6kg (13 pounds) (Score 4, Informative) 183

I just designed and built a similar, though smaller plane from scratch. Based on the reported wingspan of three to four meters, we estimate the payload capacity at around 6kg.

Based on my experience with people professional pyro, I'd say that a 6kg weapon using a simple explosive like black powder would be a dangerous item to have laying around the house, but not particularly effective as a military weapon. (Remember most of the weight is the casing, it would be less than a kg of explosive composition.). Modern military explosives are significantly more powerful, and much harder to make, if the people launching these have access to a good supply of military explosives.

Comment You know you can register by mail / internet, righ (Score 1) 498

All that about voter registration. You know you can register by mail, right?

The topic is showing SOME kind of ID when you vote, so we know how many times you voted. In Texas, any of seven different kinds of evidence of ID are accepted. If a person has some reason that they have nothing with their name on it, they can instead sign an affadavit at the polling place attesting to what their name is. Lying on that affadavit to vote under someone else's name is a crime.

So either bring something with your name on it, or sign a sworn statement of who you are.

Comment Everyone has a RIGHT to vote, or sing. I shouldn't (Score 1) 498

> If there's no universal natural right to have an equal voice, there's no point to any of this discussion.

Every citizen has a *right* to vote. They also have the right to sing. I shouldn't sing publicly, because I'm a terrible singer. You would be foolish to encourage me to sing for everyone.

Comment That would be good, not bad (Score 4, Insightful) 498

Over half of Americans don't know who the vice president is. That's how interested many of us are in policy and the political process. A supermajority can't distinguish the Republican platform from the Democrat platform when it is handed to them with the party name redacted.

I don't have my car fixed by someone who doesn't know what an "engine" is, I don't have dental cavities filled by someone who can't point to my bicuspids, and I don't want national policy decided by people who don't recognize the name "Mike Pence", nor know how many senators there are.

> I think it's clear that if you want representative democracy to work and be considered legitimate, you need fewer barriers to voting, even if people like you think a DMV visit is reasonable.

And that's the reason the founders created a republic, not a democracy. The federal budget isn't American Idol. If you're not interested enough in participating in society to either have a driver's license or swing by and pick up a (free) ID, maybe you're not the person who should be deciding federal law and other national policy, based on "I heard he was born in Africa"or "because she's a woman". Maybe the decisions of national policy SHOULD be made by people who have enough interest to do more than "text your vote to 1-800-bumper-sticker".

Comment That's the topic, not the patent (Score 5, Insightful) 57

Each patent has a couple pages describing *exactly* what is patented and how it's different from what was done before (prior art).

They didn't patent the concepts mentioned in the summary. Slashdot summaries often mention the general topic or concept that a patent is *related to*, phrased in a way that makes it sound like someone patented the whole concept. That's not how patents work. For example, with a video cassette (vcr) you can pause it in one device, then take it to another VCR and resume watching. Nobody can patent that idea, and their patent calls out how their invention is different from what has been done before.

If you read (part of?) any of the patents and see one that seems like it was obvious at the time (not in retrospect) I'd be curious to see it. There may be one, but don't think that just because the TOPIC mentioned in the Slashdot summary is obviously interesting, that means their invention was interesting. When Slashdot says "Space X" patents rocket guidance system" that means they patented something they invented that has to do with guiding rockets; it doesn't mean they patented the idea of rocket guidance in general.

Comment Didn't have to bribe anyone to break every DRM (Score 1) 348

Companies have spent hundreds of millions of dollars trying to encryption this and that, from various forms of DRM to game console and locked bootloaders. It ALWAYS gets broken, sometimes shortly *before* the product is released. No need to bribe anyone;security is just hard because breaking things is easier than making things. It's a fact that if people can make it, people can break it.

Comment Not when it's horribly exaggerated (Score 1) 233

If Microsoft released an update that required two key presses to fix and some moron claimed in the headline that it "bricked" computers, we'd have chorus of people saying "the author is an idiot. That's not bricked.". I imagine we'll get the same response today.

It's like most of MD Solar's submissions. There may be a kernel of truth somewhere in them, but they are so wildly exaggerated that the appropriate response is an outpouring of derision for the misleading articles and headlines, not hunting for so hint of something kinda true among the bullshit.

Comment Not theoretically possible (selector IS a mitm) (Score 1) 214

> Looks like it's time to somehow wrap that handshake before moving onto the "I'd like to talk to XYZ site" and adopting that one's certificate.

I guess I wasn't clear about that point in my post. The thing that selects which certificate (which site) IS a man-in-the-middle. So you can't do that while protecting from man-in-the-middle.

Perhaps the best you can do is through some other, out-of-band secure channel, publish a list which men in the middle are allowed. So you'd have a DNS record (DNSSEC signed) saying "traffic to may be intercepted by".

Note DNSSEC doesn't hide your DNS requests, it only authenticates the replies.

Slashdot Top Deals

The rich get rich, and the poor get poorer. The haves get more, the have-nots die.