Comment Re:90% (Score 1) 141

And thus began the arms race where eventually the only way to use the internet requires buying an up to date bot plugin for your browser... ^_^

I once tried submitting a tip on a possible terrorism lead to the FBI's website. Then it put up a CAPTCHA, and that pretty much ended it. I hope he didn't blow up anything important.

Comment Re:Moar tin foil! (Score 1) 178

OK, this statement really points that you aren't involved in information security (at least in a serious capacity anyway).

And we're off to a brilliant start here with a classic ad hominem abuse fallacy. Or as it's known in IT circles... The Handwave. Not that it matters, but I worked for a Fortune 50 company in systems administration; my job role included maintenance of workstations and ATMs at over 3,700 retail locations throughout North America. But again, you're attacking the messenger, not the message. Not cool.

Do you really guarantee you can hide from Anonymous or even script kiddies 100% of the time if they really want you?

Number two burning up the charts is a Nirvana fallacy. Brilliant. No, nobody can guarantee 100%. But I can be pretty confident of 99.997%, yes. And you do recall that the "script kiddies" and "Anonymous" (an aggregate group of script kiddies) have about .01% of the funding of the NSA, right? Yes, they regularly make headlines breaking into computers, but the odds of them breaking into any specific computer are quite low. Unlike the NSA, which has cultivated the ability to point at something and say "I want it. Make it mine." You're comparing the Mongolian hordes to the Knights Templar here, buddy.

If you answer yes, then again we know you aren't involved in information security. So since the answer is no, what is your solution? Do you simply throw your hands in the air and say screw it? I cannot guarantee to stop them anyway, so let's just toss our firewall and anti-virus in the trash?

Up next, we've got ourselves a false dilemma, with a bonus -- another ad hominem. This harkens back to high school where you'd say "If you don't answer, you're gay!"

Heck even your sarcastic comment about a physically secured facility, in a faraday cage, with no internet access cannot promise the information will be secure.

That wasn't sarcasm. That's how the professionals protect highly classified, compartmentalized information. Perhaps you misunderstand what "physically secured facility" means. These are places like military bases; they have men with shotguns, lots of cameras, a perimeter, barbed wire, high explosives, and thick concrete walls.

A simple warrant, guys with guns, breaking down your door and taking the server easily gets around that.

This time, a less obvious one: the single cause fallacy, otherwise known as oversimplification.

Please show me the "easy" plan you have for bypassing all of the layers of security at a typical military base, in order to access the server in the middle of it that contains the secure data, and to either do it so quickly that nobody has time to push the self-destruct button, or so quietly nobody thinks to.

I'm sorry for you (really more for your clients) if you don't want to hear about this, but it isn't going anywhere.

I feel sorry for you too, because you spent a couple kilowords demolishing an argument that wasn't made to begin with. Your entire post is a giant straw man, and a poorly executed one at that. I didn't say to give up on information security; I said that a guy on a shoestring budget is no match for them. Somewhere in your brain, a process caught a signal 11, trapped it incorrectly, and you vomited out a four page error message onto Slashdot.

Comment Voted down (Score 1) 1

an invasive species native to South America has been threatening biological diversity in the ear which can have lasting consequences on the ecosystem

Threatening biological diversity in the ear? Huh? Plus, when I tried to go to your link it wanted a username and password. Fix the summary, find a better link, and resubmit.

Comment Re:Would have walked away? (Score 2) 73

do they ground military aircraft like they do commercial ones?

Yes, when I was in the USAF they often grounded whole fleets. The C5As were out of service for a few months after a piece of equipment used to service the tail fell over and killed a guy. Unlike civilian planes, when military planes get grounded it seldom makes the news.

Submission + - Even the Author of the Patriot Act Is Trying to Stop the NSA (vice.com)

Daniel_Stuckey writes: Republican Congressman Jim Sensenbrenner will introduce an anti-NSA bill tomorrow in the House, and if it makes its winding way to becoming law, it will be a big step towards curtailing the NSA's bulk metadata collection. Wisconsin Rep. Sensenbrenner, along with 60 co-sponsors, aims to amend one section of the Patriot Act, Section 215, in a bill known as the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet Collection, and Online Monitoring Act—also known by its less clunky acronym version, the USA Freedom Act.

Comment Re:Moar tin foil! (Score 4, Insightful) 178

You're trying to convince a lot of IT professionals, who know damn well that it's technically possible to secure communications end to end, that they are powerless to do what they know they can do.

No, I'm merely suggesting that locking those IT professionals in a room and beating them with a metal pipe is an effective method of "unsecuring" those communications. It's only in the imagination of Anonymous Cowards and Hollywood screenwriters that the police kick in the door, seize the computer, and then say "Oh shit! He's using an 8192-bit encryption key. We'll never recover the data! I guess we better just leave then, defeated."

It's just short notice, we thought we lived in a system of rules that protected our privacy, we thought TLS worked and so on, stupidly thinking there were warrants and judicial courts and so on. Silly us! No matter, it's a bug. We need to switch to end to end encryption to fix it.

The people who designed these systems, those venerated IT professionals you mentioned earlier? Yeah, they knew from day one that TLS, SSL, certificate authorities, etc., were not truly secure. They were a compromise that provided "reasonable" security -- and it still does do that. Millions of internet-based financial transactions are secured using SSL, TLS, etc., every day and are not compromised. Is it a perfect solution? Of course not. Is it a decent one? Sort of.

But fundamentally, you're asking for the impossible with your "end to end" encryption nonsense. The very first in a long list of problems is: How do you securely exchange keys with an entity you have no prior relationship with? How does Alice know she's talking to Bob, if she has never met Bob before? The solution that TLS/SSL used was certificate authorities; a trusted third party that both Bob and Alice trust. Unfortunately, like any trust model, it is only as strong as the weakest link, and as certificate authorities proliferated... rogue CAs and stolen keys became a very real threat.

But simply switching the protocols around won't solve the very first problem: How do you securely exchange keys over what is, inherently, an insecure medium? You can't.

Well I bow to your superior knowledge and will immediately stop writing this Thunderbird OTR add-on and step away from my keyboard.

First, yes, I do have superior knowledge (obviously). And I'm willing to put my reputation on the line by not posting anonymously. This frequently comes back to bite me in the ass, especially when dealing with Anonymous Cowards, but karma is not as important to me as getting as accurate information as possible in front of as many eyeballs as possible. If a few -1, Troll mods are the price I pay, I do so gladly. Second, Thunderbird has an OpenPGP add-on... developing another add-on is silly, and frankly, you and I both know you lack the chops to actually program.

But regardless, if I'm going to get serious about personal privacy, I'm not going to do it by sitting down to write my own crypto add-on. For one, it would almost certainly be more buggy than the ones that have been reviewed and certified as correctly implemented by cryptologists... and crypto is amazingly easy to get wrong, and devilishly difficult for someone without loads of experience to detect the failure. For two... why would I spend hundreds of hours doing that, when I can spend dozens of hours making phone calls and writing letters to the people who have far, far more power than I do, and convince others to do the same?

I'm sorry, but looking at my large list of tools available to me, the one labelled "Democracy" seems far more likely to get me what I want than one labelled "Amateur Crypto".
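The key-exchange problem the comment above raises (how Alice knows she is talking to Bob when the only channel between them is insecure) in runnable form, as an added example that is not code from any comment in this thread. It uses a constructed toy Diffie-Hellman group (far too small for real use) and a pre-shared HMAC key standing in for the "prior relationship" a trusted third party provides; with bare public values a substituted key goes unnoticed, while the tagged exchange detects the substitution and aborts:

```python
"""Key exchange over an insecure medium needs a prior trust relationship.

Added example, not code from the thread. A toy Diffie-Hellman exchange is
run twice: once with bare public values, once with each value tagged by an
HMAC under a secret Alice and Bob already share. The pre-shared secret is a
stand-in for the 'prior relationship' (a CA signature, a verified
fingerprint) that lets Alice know she is talking to Bob.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: a 127-bit Mersenne prime and an arbitrary base.
# Far too small for real use; real deployments use standardised >= 2048-bit
# groups or elliptic curves. The arithmetic is the same, which is the point.
P = 2**127 - 1
G = 5
PUB_BYTES = 16  # every residue mod P fits in 16 bytes


def dh_keypair():
    """Private exponent and the public value g^priv mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Derive a 32-byte session key from the shared secret g^(a*b) mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(PUB_BYTES, "big")).digest()


def honest_channel(msg):
    """A channel that delivers exactly what it is given."""
    return msg


def substituting_channel(msg):
    """Constructed channel that replaces the public value in transit while
    leaving any attached tag untouched. Used only to show what each kind of
    exchange can and cannot detect."""
    fake_pub = pow(G, 12345, P)
    if isinstance(msg, tuple):
        _pub, t = msg
        return (fake_pub, t)
    return fake_pub


def unauthenticated_exchange(channel):
    """Alice and Bob swap bare public values through `channel` and each derive
    a key. Returns (alice_key, bob_key); the parties themselves have no way
    to tell whether the two match."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_pub_at_bob = channel(a_pub)
    b_pub_at_alice = channel(b_pub)
    return dh_shared(a_priv, b_pub_at_alice), dh_shared(b_priv, a_pub_at_bob)


def tag(psk, pub):
    """HMAC over a public value under the pre-shared secret."""
    return hmac.new(psk, pub.to_bytes(PUB_BYTES, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk, channel):
    """Same exchange, but each public value travels with its tag and the
    receiver verifies the tag before using the value. Returns
    (alice_key, bob_key), or None when a substituted value is detected."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg_at_bob = channel((a_pub, tag(psk, a_pub)))
    b_msg_at_alice = channel((b_pub, tag(psk, b_pub)))
    for pub, t in (a_msg_at_bob, b_msg_at_alice):
        if not hmac.compare_digest(t, tag(psk, pub)):
            return None  # tag does not match the value received: abort
    return dh_shared(a_priv, b_msg_at_alice[0]), dh_shared(b_priv, a_msg_at_bob[0])


if __name__ == "__main__":
    psk = b"constructed pre-shared secret"
    runs = (("unauthenticated", unauthenticated_exchange),
            ("authenticated", lambda ch: authenticated_exchange(psk, ch)))
    for name, fn in runs:
        for ch_name, ch in (("honest", honest_channel), ("substituting", substituting_channel)):
            result = fn(ch)
            if result is None:
                status = "aborted: substitution detected"
            elif result[0] == result[1]:
                status = "keys match"
            else:
                status = "keys differ and neither side can tell"
            print(f"{name:15s} {ch_name:13s} {status}")
```

In TLS the role of the pre-shared secret is played by the CA's signature over the server's key in its certificate, which is exactly why the comment calls rogue CAs and stolen CA keys the weakest link: whoever holds the signing key can produce a valid tag for any value, and the receiver's check passes.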

Comment Re:Yeh, it's not like the NSA (Score 2) 178

So why *does* the NSA do that?

Because it's easier to store all the data now, and only access and analyze it when traditional investigative techniques identify a potential threat. It also eliminates the time wasted once a potential threat is identified going back and trying to reconstruct/recover/access data from many different sources. In other words, it saves time and resources; a counterintuitive conclusion, given that most people look only at the costs and implications of gathering and storing all that data, but not very much on what happens after.

Nah, just arrest every hacker you find and don't give hackers 0 day exploits and you'll fix a lot of problems.

I'd prefer a world where people were only arrested when they've actually committed a crime, or there's strong evidence that they intend to. Mere capability is not sufficient to justify an arrest. At best, a knock on the door and "Can we come in and ask a few questions?" At best.

Don't you think we shouldn't *have* to ask? It's written into the constitution and the EU privacy right.

Actually, it isn't. There is no right to privacy in the US Constitution. And as far as the EU, they are a sovereign foreign power. The NSA has not just the mandate, but an obligation, to monitor foreign threats; allies can become enemies, and when surveillance is pervasive and shared, it keeps everyone a bit more honest. And when it comes to international politics... dishonesty and rhetoric are pretty much the order of the day for everyone, allies or enemies.

What do we need to do to get the NSA to read the constitution, send it in an encrypted email to our kids?

There was an article not very long ago about a book published by someone who spent a considerable period of time investigating the culture of the NSA. His takeaway was that they do respect the Constitution. They also want to ensure as few Americans as possible become a part of some terrorist's political statement. Balancing these two goals is not so easy or cut and dry as internet pundits say.

"There are no high tech solutions to this that are within your budget, ok? Just... deal with it already guys."

Hah! you wish.

Actually, I do. I am not overly concerned with the NSA reading my e-mail or even keeping a file on me. It will not adversely impact my life in any meaningful way. As long as it continues to not affect me, surveil away. I am far, far more concerned with commercial interests accessing and misusing my data; there is little legal recourse to such activities, and it is readily apparent to me that no matter how unethical people claim the NSA to be, corporations are several orders of magnitude worse in almost every measure.

But unlike the NSA, I believe we can, with the budget and resources available to the average person, mount effective defenses against those corporations. And I would rather people start taking the threat corporations pose seriously, instead of pointing to the NSA like (a) they're the biggest problem and/or (b) we can honestly hope to accomplish anything against them.

Ultimately, it's a question of practicality. I simply don't believe that I can defend against an organization with half a trillion dollars in assets and an operating budget bigger than that of the majority of the countries on the planet. But by happy coincidence, I do not feel they are a threat to me in any meaningful way.

Comment Re:Moar tin foil! (Score 5, Interesting) 178

During the sneakernet era you had computing ability, but if they wanted your data they'd have to get a warrant or ransack your office illegally.

Neither of which you'd necessarily be informed of. There are two ways to approach security: tamper-evident and tamper-resistant. Everyone is focusing on tamper-resistant right now to deal with the NSA; "How do we stop them?" ... Have you noticed nobody is asking the question: how do we detect them? Sneakernet also had the benefit of being tamper-evident... if they broke down your door, you'd come home to a broken door. It'd be pretty obvious that something was up. Legal or illegal, when you physically search a property, you leave evidence behind that you did so. However, much of the technology the NSA is using doesn't leave any proverbial fingerprints behind.
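A tamper-evidence control in the sense the comment above uses the term, as an added example that is not code from the thread: a keyed integrity manifest that does not stop a change to the recorded files but makes one visible afterwards. The "files" are an in-memory dict constructed for the demo, and the manifest key is assumed to be kept off the monitored system (the broken door is only evidence if the intruder cannot also repaint it):

```python
"""Tamper evidence for data at rest: a keyed integrity manifest.

Added example, not code from the thread. The 'files' are an in-memory dict
of name -> bytes constructed for the demo. A manifest records a SHA-256 of
each file and is itself sealed with an HMAC under a key kept off the
monitored system; checking the manifest later reports whether anything was
modified, added or removed since it was recorded. It does not prevent the
change (tamper-resistance); it makes the change visible (tamper-evidence).
"""
import hashlib
import hmac
import json


def _digests(files):
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def _mac(key, digests):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(files, key):
    """Record a digest of every file and seal the set with the key."""
    digests = _digests(files)
    return {"digests": digests, "mac": _mac(key, digests)}


def check_manifest(files, manifest, key):
    """Return a sorted list of findings; an empty list means no change seen.
    The manifest's own seal is checked first, because anyone who can rewrite
    the manifest would otherwise simply record their own digests."""
    if not hmac.compare_digest(manifest["mac"], _mac(key, manifest["digests"])):
        return ["manifest: seal invalid (manifest altered or wrong key)"]
    findings = []
    current = _digests(files)
    for name, expected in manifest["digests"].items():
        if name not in current:
            findings.append(f"removed: {name}")
        elif not hmac.compare_digest(current[name], expected):
            findings.append(f"modified: {name}")
    for name in current:
        if name not in manifest["digests"]:
            findings.append(f"added: {name}")
    return sorted(findings)


# Constructed sample system state (paths and contents are illustrative only).
SAMPLE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/crontab": b"0 3 * * * root /usr/local/bin/backup\n",
}
KEY = b"constructed-manifest-key-kept-offline"


def demo():
    """Build a manifest, then report what the check sees after changes."""
    manifest = build_manifest(SAMPLE_FILES, KEY)
    changed = dict(SAMPLE_FILES)
    changed["etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"  # constructed modification
    changed["etc/extra.conf"] = b"# constructed new file\n"     # constructed addition
    del changed["etc/crontab"]                                   # constructed removal
    return {
        "clean": check_manifest(SAMPLE_FILES, manifest, KEY),
        "changed": check_manifest(changed, manifest, KEY),
        # A manifest rebuilt under a different key stands in for one the
        # tamperer rewrote to cover the change.
        "forged_manifest": check_manifest(changed, build_manifest(changed, b"wrong key"), KEY),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["no change detected"])
```

The check is only as good as the key's separation from the system it watches and the interval between checks; what it buys is the thing the comment says nobody is asking for, a signal that something happened, rather than a guarantee that nothing can.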
