Comment Re:How to make any antivirus software safer? (Score 5, Insightful) 351

AV software is a fundamentally flawed product

Actually, it's our OS fundamentals that are flawed. In a properly designed system, the AV would not need full access to everything. Of course I'm talking 1970s "properly designed" here, not 2000s "ship half-ready to customer, then patch" philosophy. Sorry, I think they re-branded it "Agile Development".

AV is a workaround, a hack, for serious weaknesses in our fundamental systems design. That your e-mail system can access business secret documents when you open the wrong mail - that is the actual problem that needs solving. We have AV for the same reason we have condoms - there's a lot of STDs and for most of them we don't have good vaccinations.

In that sense, AV is not fundamentally flawed, because in a fundamentally non-flawed world, we wouldn't even have it. It's an at-least-this-works-most-of-the-time solution because we can't be arsed to tackle the real issues.

Comment Re:How to make any antivirus software safer? (Score 5, Insightful) 351

Perhaps anti-virus wouldn't be even necessary if there were less users infected with anti-intelligence.

So tired of this bullshit argument.

I've been working in infosec for 20 years.

For about half of that time, I also said that "lusers" are the main problem.

Then one day I grew up and realized that they are just being humans and that's a bullshit excuse for not doing my job properly by complaining that water is wet and gravity sucks.
Guess what? We're paid good money for solving exactly these problems. If you can't bring a rocket to the moon because of gravity, you don't belong in rocket science. If you can't build a ship that floats because water is so difficult to work with, you don't belong in shipbuilding. And if you can't deal with people being people, you don't fucking belong in information security.

Comment or maybe... (Score 1) 351

The problem isn't so much in the horse and pony show, but in the fact that you install software on your devices which you bought from an external party and allow it to read all your data. I mean, if that is not a leap of faith, I don't know what qualifies as one.

Proper compartmentalisation would solve this issue. Let the virus scanner manage only incoming data, have defined communication channels for pattern updates, don't let it phone home. Keep your data in trusted DMS. Use non-rich data formats (why people use MS Word to write a letter is beyond me). Stop putting convenience above security.

And think three steps. "Only US companies" - seriously? Because it would be so incredibly difficult for some Russians to start a US company, right? Because your US company doesn't get half its hardware from China, right? And because it absolutely didn't outsource its software development to India.

Comment look at Europe (Score 2) 158

You can see right now in Europe how to do it. We've tried it the hard way for 30 years; it did not work so very well. For about the same time we tried to convince politics that this is a danger, and not much happened. Oh yeah, one day SOX happened and that brought a tiny benefit, but mostly on the paperwork and consulting-hours side.

In Europe, right now massive investments into information security are being made, because of two laws that politicians have finally passed, both at the EU level. One is the General Data Protection Regulation and the other is the Council Directive "on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection". You have an equivalent (referenced in the EU) from the NIST.

The fundamental change, and that answers your question, is that violations of these laws, and especially data breaches or other infosec events that could have been prevented with proper security, now carry massive fines. Let me quantify "massive":

€20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater

The magic bullet is the 4% rule. It refers to global revenue, and it refers to corporate revenue - no more reducing risk by separating your corporation into tiny "independent" companies. If a five-person subsidiary of Facebook suffers a severe data breach, the fine can be $345 million.

Also, the law puts the legal liability on top-level management. That is the second magic bullet. Put CEOs and directors on the front line. Unless they can demonstrate that they took steps to comply with the technical and organisational requirements, they could go to jail. Now that gets top-level management moving.

So the simple answer is: Hit them where it hurts. Money and personal liability. Take away the corporate shield and diffusion.

Disclaimer: I do this stuff for a living. We are currently being drowned in projects to implement ISMSs and the GDPR is a main driver behind that.

Addendum: This gets you basic security levels. As soon as the risk management labels the residual risk as acceptable, that's it. My personal opinion is that our security is still shoddy at those levels, and the main reason we're not all dead is that most hackers are imbeciles and the only reason they can make a living with their laughable hacking skills is that security is such a joke. For illustration, look at the typical spam / phishing mails you get. Who would fall for that shit full of spelling errors, grammar mistakes and my-blind-grandma-could-spot-this forgery? The answer is: If you send it to enough people, you will find enough idiots who do.

Once we have a basic security level across the board, the game will change. Lots of "hackers" will have to go back serving burgers and fries, but those with any actual skills will step up their game. And then we'll be in a world of hurt. There'll be an Equifax every month. My daily rate will probably skyrocket because supply and demand, but I'm still not looking forward to that.

If you are serious about security, as the saying goes you don't have to run faster than the bear, only faster than your friends. But don't walk just because they do. Start running now, because once they are eaten, you have to run faster than the bear.

Comment Re:Tools are tools. (Score 1) 204

I was just thinking about architecture. Sure, computers have freed architects from the tedious task of drafting floor plans with pencil and ruler. But we're a long, long, perhaps infinitely long way from, "I see you're trying to remodel your kitchen. Would you like some help with that?"

My other question is, do we really need AI for this? For computers to "write code," don't we really just need a high degree of automation? And we already have that -- as someone else said, optimizing compilers are an example of that -- and we're dreaming up new ways to optimize the build/test/deploy pipeline all the time.

Could machine learning be used to create a better optimizing compiler? Interesting question, and I'd be surprised if nobody's tried it. If you told me they have, though, I'd say, "right, thought so." I wouldn't wiggle my fingers like a wizard and go, "Woooooo, it's AI!"

Comment Re:Reviewed by an attacker? (Score 1) 121

But we should be cognizant of who our enemies are

That we should be.

So what, exactly, has Russia as a country, or the Russian government, done to make your life worse?

Compared to, say, the corporations that poison our water and air, the politicians who demolish our social security systems, the banks who stole unbelievable amount of tax payer money to cover up their gambling that lead to the financial crisis?

And he's been invading neighboring countries like Georgia and Ukraine. He's not our friend and he's not someone we should be helping.

The correct method for this is a trade embargo, i.e. don't sell them security software at all. But our leaders don't want that, because they are not interested in values or good. They are interested in geopolitical power games and their own personal profits and influence. All the fear-mongering is just a means to an end. Today it's Russia, last year it was muslim terrorists, before that it was this or that. What a load of bullshit.

Oh yeah, on invasions: If you are from the US, shut your stupid mouth and look up the list of countries that the USA has invaded in the past 50 years. Yes, always under the pretense of democracy and liberation and peace and bla bla bla. Now look at the effect that the invasion had on those countries, then name three where the invasion actually did have the effect that was claimed on TV.

Your own leaders sent more young Americans to their deaths in the past decade than Russia has killed in a century. What is the actual threat?

Comment Re:The movie was superb; what's the beef? (Score 1) 264

What's even worse is that TFA is uncredited. It's clearly an editorial (i.e. - "opinion") piece, but there is no attribution to an individual writer to be found.

Really? The version I saw is attributed to Brenden Gallagher. Clicking on his name reveals he's written three movie/TV reviews for Motherboard.

Comment Re:So all of you asking where the evidence is (Score 1) 57

How is Google a monopoly? If I were to use Bing I would be able to do nearly everything that Google has.

I can vouch for that, as I actually do use Bing as my primary search engine. I started as an experiment and I just never turned it off. Google is still superior for some things (mainly, its index seems to be more up-to-the-minute) but for the most part I don't even notice that I'm using Bing and there's nothing that keeps pulling me back over to Google (hence, no monopoly).

Comment Re:So you're in favor of "security through obscuri (Score 1) 121

I'm saying the US government shouldn't be using code that's neither open source nor fully closed source.

While there are theoretical advantages to Free Software in this context, they do not manifest to the degree that many Free Software advocates think. And I say that as a stern believer in Free Software (to the degree that I refuse to call it "Open Source").

OpenBSD is about the only project that actually does this right - by not relying on the assumption that Free Software actually gets read, but making sure it happens and running regular code reviews.

From a security perspective, I'd rather take a piece of closed source software that I know has been through code reviews, than a piece of Free Software that may or may not have been looked at by anyone else besides the creator.

Comment wrong promotion (Score 5, Insightful) 372

20 years ago, that might have been a good choice. These days, not so much.

Yes, the conspiracy theories around that shooting are probably out of control. I checked about five videos of it, 2 phone videos from the grounds, 1 short news blurb and 2 conspiracy videos, and boy do these guys need to take less of whatever drugs they are taking.

But (and that's a big butt, in the words of Ben Goldacre) the mainstream media is not exactly an impartial, reliable and thorough reporter of news anymore. Too many real journalists have been cut in the name of profits, too much funding diverted from investigation and background checking, too much power given to click counts and advertiser demands.

I won't trust the mainstream media on anything deeper than the basic facts. Too many stories where I know the background have been reported incorrectly, or shortened and simplified so much that they are barely recognizable. Too much clear bias has been uncovered by media studies. Too many press releases and press conference statements are repeated parrot-like instead of being properly checked before reporting.

Putting less weight on conspiracy theories - good. But it's a step too little. The balance should be tilted against all sensationalist and click-bait reporting, including that of mainstream media, and toward reporting that includes background information, fact-checking and independent investigations. But hey, that would require some actual human judgement and is hard to put into a couple lines of code.
