Comment Re:Not useful (Score 3, Interesting) 914

Bottom line: drugs like this have no place in our penal system, regardless of the ethical ramifications of using them on prisoners.

Our current penal system has no place in our penal system.

What we have now amounts to a mockery of justice-as-rehabilitation, where we give otherwise-good people multi-year "we need to do something" sentences for obvious accidents (involuntary manslaughter, for example, or virtually all victimless "crimes"). They then come out as actual hardened criminals, far more likely to go on to commit real crimes (one well-studied population, nonviolent drug offenders, come out four times more likely to go on to commit a violent crime than the general population).

That said, I have to admit that this woman strikes me as likely a dangerous psychopath herself. Sentencing someone to a thousand years of boredom? "A lot of people seem to get out of that punishment by dying"??? Holy shit, woman, what kind of sick fuck would come up with something like that??? And I say that as someone who supports the death penalty, and personally would rather we use straightforward and effective punishments like caning over merely wasting a decade of someone's life on the taxpayer dime.

But hey, at least you would effectively reduce the cost of prison, since virtually everyone would resort to suicide after their first few "sessions".

Comment He did the wrong crime (Score 1) 246

If he raped, stole, did drugs, mugged someone, I bet he would get far less time. There are even whole groups of people that get arrested over 60+ times!!!

Don't hack. To do so might mean maximum prison in solitary confinement. You think I'm joking, but that's how afraid these clueless people are. They view hackers as some magic wizards that can open cell doors with thought alone.

Comment Re:Fuck that guy. (Score 1) 397

racist, narcissistic, caste-based hiring practices to gain jobs they're in no way qualified for in a country thousands of miles from home

Hmm... Iranian? Chinese? Slavic? Israeli? Strange, none of them seem to quite meet your description.

Sounds like you are referring to people of one particular country.

Hmm, yes. Yes, it does sound like you have one particular country in mind. Clearly, one of you has a race card in play, but you might want to check the instant replay before you stick your neck out too far on this one...

Comment Re:After seven years you know what I've realized? (Score 1) 112

It's a quote from The Matrix. The name 'Morpheus' should have clued in the idiots that modded this down.

Cypher: You know, I know this steak doesn't exist. I know that when I put it in my mouth, the Matrix is telling my brain that it is juicy and delicious. After nine years, you know what I realize?
[Takes a bite of steak]
Cypher: Ignorance is bliss.

Comment Re:I have admin'ed such a server... (Score 1) 220

You should set it up so their only ingress is through a reverse ssh tunnel outward. Preferably secured with a key you send to them so their reused passwords aren't the only thing keeping people out. You should also restrict it by IP range to whatever machine they're coming from.

I like to think I would do better today than I did back then - My primary role involves coding, not network hardening. I just tend to get ownership of Linux boxes because, surprisingly, not many folks in the business world (even in IT) know it all that well.

That said, you have to understand the pure obstinacy of some of these vendors - As in, still using Telnet and actively refusing to use SSH (because they had a harder time pre-breaking it, and protested that most of their customers couldn't handle the idea of using preshared keys to authenticate). As in, threw a fit that required me to defend just blocking them at the firewall to not just my boss, but the owner of the company, and painted me as completely paranoid (at least that stopped and I got to gloat for a few days when we finally got hacked - Though I got to spend the 70-hour weekend rebuilding the machine so the company could function come Monday morning... yay).

Comment Re:Name and shame (Score 1) 220

Partially, no need - You can literally Google "linux $program root password" and get all the names you want.

But more, because I sadly no longer consider this behavior unusual (it floored me the first time I saw it, as I said - I consider it almost standard procedure, now). Vendors look at Linux as an exploitable free resource, a base platform they don't need to license, complete with an impressive collection of development tools. Except Linux has all these pesky permissions, heck, it doesn't even like letting you in without a password, so the first "project" these jokers embark upon consists of gutting the security from Linux.

So not much point in shaming individual companies, for a problem endemic to an entire industry.

Comment I have admin'ed such a server... (Score 4, Insightful) 220

I have (grudgingly) admin'ed such a server, and will readily admit it as a form of public shaming (though not of myself, as you'll soon learn).

As TFS points out, the attackers didn't use a zero-day exploit. They didn't use an unpatched old exploit. They didn't even use the fact that huge "trusted" swaths of the filesystem, including standard executable paths (such as /usr/local/bin) had both the directory and everything contained within world-writable (no, I didn't have the option of fixing that - it would have broken "features" of the reason this box existed, as I'll soon explain).

This system ran a fairly popular POS software suite, and absolutely depended on all its serious security flaws. The vendor had even installed what amounted to pre-compromised binaries for "convenience" in diagnosing end-user problems (connect to the right port, bam, you can monitor any user's session). But even that egregious level of incompetence didn't cause the breach.

No, the breach came from the fact that the vendor had their own company name as the root password (and had it hard-coded in literally dozens of (world-readable) scripts, so I couldn't just change it). And did I mention, the vendor required this box have a publicly facing IP or they'd refuse to honor their SLA?

Needless to say, my first action on learning all this was to block it at the firewall and tell the vendor that we'd let them in when, and only when, we needed assistance. That, amazingly enough, kept the box safe for about a year (and floored me that we hadn't gone down long before I got stuck with that albatross)...

Until an upgrade. Took a total of half an hour. Didn't matter, because we had someone in as root in a tenth that time.

But, distant past. Couldn't happen again, and no other vendor would ever have such an extreme level of cluelessness, right?

So, currently, I work with (but thank Zeus, don't have to administer) a CRM system by an entirely different vendor, running on an outdated Linux distro. Pretty much everything I just said applies to this box. But hey, the firewall keeps it safe, except the once-a-year the vendor demands access to audit our license compliance...

So yeah, Linux systems get hacked - For reasons that wouldn't protect the otherwise-most-secure system on the planet. You want to make it stop? Tell your vendors to go fuck themselves when they rationalize having a weak root password, and piss-poor system-wide security, and ban patching known vulnerabilities because it "might" break something the vendor used. Really that simple.
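A defender-side check for two of the conditions this comment describes: world-writable directories on the executable search path, and world-readable scripts that carry a hard-coded password. This is an added example, not the commenter's or the vendor's code; the credential regex, /opt as the default scan root, and the argument layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the comment above): audit a box for two of the
# conditions described there. Assumptions: the credential regex below,
# /opt as the default place vendor scripts live, and the argument order.

# Print every directory in a colon-separated list (e.g. $PATH) that is
# world-writable and lacks the sticky bit, i.e. anyone on the box can
# replace or add executables in it. The body is a subshell so the IFS
# change does not leak into the caller.
world_writable_dirs() (
    IFS=':'
    for dir in $1; do
        [ -d "$dir" ] || continue
        # -perm -0002: others have write; ! -perm -1000: no sticky bit.
        find "$dir" -maxdepth 0 -type d -perm -0002 ! -perm -1000
    done
)

# Print every world-readable regular file under a directory whose contents
# contain something shaped like a password assignment (PASSWORD=..., passwd: ...).
# The "if" keeps the pipeline's exit status 0 even when the last file is clean.
readable_files_with_passwords() {
    find "$1" -type f -perm -0004 -print |
    while IFS= read -r file; do
        if grep -q -i -E '(root_?)?pass(wd|word)[[:space:]]*[=:]' "$file"; then
            printf '%s\n' "$file"
        fi
    done
}

# Run both checks. Prints a report and returns 1 when anything was found,
# so it can fail a cron job or a CI step. $1: PATH-like list, $2: scan root.
audit() {
    report=$(
        world_writable_dirs "$1" | sed 's/^/WORLD-WRITABLE DIR: /'
        readable_files_with_passwords "$2" | sed 's/^/CREDENTIAL IN WORLD-READABLE FILE: /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "no findings"
}

# Usage: audit_vendor_box.sh [DIR_LIST] [SCAN_ROOT]
# Without arguments only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    audit "$1" "${2:-/opt}"
fi
```

The password grep is a heuristic: it will flag prose that happens to contain "password:" and miss credentials stored under other names, so treat its output as a list of files to read, not as a verdict. The sticky-bit exclusion is deliberate: /tmp is world-writable by design, but with the sticky bit set one user cannot replace another user's files there, which is the property a directory on $PATH needs.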
