
Comment Re:Cheesy 80's movie excuse (Score 4, Interesting) 740

It's not an excuse. It's an explanation. Those are different things.

The problem with the emails is their source. WikiLeaks has shown great interest in anti-US material, and comparatively very little interest in anything that disparages Russia. Their bias has been analysed pretty thoroughly, and it calls their motives into question. That, in turn, means we must question the integrity of anything they release.

For example, consider the differences in the edited and un-edited versions of the Collateral Murder video. The raw footage shows a pretty typical battle, where a group of men, some of them armed, are loitering in an area where American troops have been under attack all morning. The edited version shows a group of men, and highlights that two of them are not armed, and in a slow-motion frame comparison, shows that one of the apparent weapons was actually a telephoto camera lens, then shows them being attacked by American fire. There are numerous other differences.

There's a huge difference in context between the two versions, which Assange himself has said was intentional for "political effect". In the raw video, the soldiers' actions are justified, though mistaken. In the edited version, they're portrayed as ruthless killers intentionally targeting civilians.

Now WikiLeaks has released a bunch of emails. That's great, but we must ask: what editing has been done here? Did they (or their possibly-Russian source) strip out any emails that conflict with the "DNC is corrupt" narrative? Are the emails signed? Is it possible or probable that some of the damning emails were edited or completely faked?

These sorts of questions should be raised every time a leak is made public. The leakers always have an agenda, and it may not necessarily be to "inform the public".

With all that in mind, consider again what's being said. There is no denial of the emails' existence, and little discussion of the emails' content. Instead, at this point there's just a request to consider the trail the emails have followed, and the impact that has on their credibility.

Comment Re:BREAKING NEWS (Score 1) 109

A) actual skills, not just a script-kiddy with corporate backing.

Elitism. Got it.

B) when they were done, they would leave a place relatively more secure. For example, I can go to a place and say, "look, your windows are insecure, and if you put bars on the windows, it will be more secure." That will be 100% accurate, but not particularly useful, and in practice doesn't address most threats companies face.

That depends entirely on the client. Bars on the windows are important for a convenience store in a bad neighborhood. Similarly, a reinforced perimeter is important for any facility whose risk is more physical than electronic. One example that comes to mind is a store's cash supply. I've seen a restaurant whose cash was stored in the manager's office, which had a single-pane window into the dining area.

C) the primary focus generally should be on securing against remote attacks, because that's where your highest exposure is. Anyone can plop down a wifi pineapple, but most people who do so are security consultants. In practice, black-hats favor remote exploits.

Black-hats favor whatever gets to their target. Remote exploits are easy and safe, but also easily foiled by a suitable firewall. Rogue wi-fi is also already very common in business-oriented hotels, sometimes even going so far as to spoof the hotel's captive portal. Their goal is to capture corporate logins, providing easy access for corporate espionage. The only effective defense is user education.

Here again, it depends on the client's needs. If the attack is worth more than the price of a plane ticket, any suitably-motivated attacker could come to the office for a visit. If the company regularly sends travelers to hotels, those travelers should be aware of the risks they face. In a very obvious example, I once heard of a political convention with some rogue APs set up monitoring users' traffic. They could have easily injected drive-by downloads to try to get malware behind corporate firewalls, or even directly onto target devices.

The reality of information security is that the least-impressive attacks are often the most effective. The single most effective step to make a company safer is to ensure that they are thinking about all aspects of security, not just focusing on one particular class of attack.

Comment Re:BREAKING NEWS (Score 1) 109

You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it.

And yet that's what many snake-oil consultants offer.

...but a comprehensive practical test is what you complained about in the first place!

they set up a fake wireless access point in an office, and when a lot of people accidentally connect to it, th[e]y sniff some passwords. After that, they show it to the boss and say, "look how insecure you are!" The boss is shocked and they send a bill, even though they've done nearly nothing.

If they're a level up, they might have an automated Metasploit script to throw at servers.

So let me get this straight... a consultant who walks in and says "look how insecure you are!" and raises general awareness of security is a bad thing, per your earlier post. A consultant who offers a list of exploits is only "a level up" from that. Per your last post, you agree that a consultant delivering just a list of patches is bad.

What do you think a good security consultant would deliver, exactly?

Comment Re:BREAKING NEWS (Score 1) 109

They weren't "practically" secure before the test, and given the extreme lack of protection, probably weren't even aware of it. Now they are aware of it, and can start pursuing better options for protection. The servers and networks haven't changed, but the improvement in awareness puts them in a much better position. Now they can improve.

Again, a consultant's job really boils down to the terms of the contract. If the contract says to evaluate the company security, that's what you do. If the result of that evaluation is to simply say "your company is horrifyingly insecure", then sometimes that's the job. To that end, it's rather silly to spend a week deeply probing Apache vulnerabilities or zero-day injection attacks when executives are broadcasting their passwords in plaintext. Attackers don't care if their exploits are inelegant or obvious. Low-hanging fruit is still fruit.

Security is not a checklist, despite what managers might think. You can't just hire a security consultant to run a test, then stick on his list of band-aid fixes and be done with it. Rather, every employee, vendor, contractor, and visitor must have the appropriate training and controls to ensure that the company is secure, and that diligence must continue even when the contractor's gone. From the manager's perspective, a consultant who's done a thorough investigation and turns in a textbook for a report has done impressive work... but a consultant who brings clear attention to an endemic problem of security negligence has done better work.

If I'm a manager, that kind of concise finding is something I can elevate and focus on fixing, rather than having it buried inside a report of a thousand low-exposure vulnerabilities.

Comment Re:BREAKING NEWS (Score 3, Insightful) 109

So in other words, they did their job and got paid.

They were contracted to find vulnerabilities, and they accurately determined that user credentials were easily compromised with a basic attack. If they were not pentesters, but rather actual attackers, they would have everything they need to access the company servers and start wreaking havoc. Even if they only sniffed users' personal credentials, they still have enough access to start social engineering or coercion attacks against the employees.

Depending on the terms of the contract, the consultants may not be allowed to test passwords they find. They may only be allowed to report that they found something that looks like it should be a password.

Of course, it may also highlight some other key details, like company devices automatically connecting to known SSIDs, or a lack of encryption on the legitimate wireless network. If their attack went undetected by the company's security team, a suitably-paranoid company may want to install systems to detect rogue access points.

A colleague of mine once was hired to do a week of pentesting. The first morning, he tailgated through a locked door by carrying some boxes, found an unlocked network closet, and connected to the client's network and started sniffing unencrypted traffic, including plaintext passwords for the admins. Those let him access every server he tried, and he ended up cutting the test short by lunch. He delivered a brief report in the afternoon, essentially saying that the general approach to security was so bad that further testing wouldn't be productive. His recommendation was to cancel the security testing contract and move the budget to basic security training.
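The comment above suggests installing systems to detect rogue access points. The following is an added example (not code from any poster in this thread) of how a defender might triage a wireless survey: it assumes an inventory of sanctioned BSSIDs for the corporate SSID and scan records as a wireless sensor would report them; all SSIDs, BSSIDs and inventory values are constructed.

```python
"""Rogue access point triage over a constructed wireless survey.

Added example, not from the original thread. It assumes the defender keeps an
inventory of sanctioned BSSIDs for the corporate SSID and receives scan records
(SSID, BSSID, channel, security) from a wireless sensor. Every record and
inventory value below is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

CORPORATE_SSID = "CorpNet"                                   # constructed
SANCTIONED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}      # constructed inventory


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    channel: int
    security: str          # "WPA2-Enterprise", "WPA2-PSK" or "OPEN"


def normalize(ssid: str) -> str:
    """Fold case and drop punctuation/whitespace so 'Corp-Net ' == 'corpnet'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify(rec: ScanRecord,
             corporate_ssid: str = CORPORATE_SSID,
             sanctioned: Set[str] = SANCTIONED) -> Optional[str]:
    """Return a finding for one beacon, or None when it looks benign."""
    bssid = rec.bssid.lower()
    if rec.ssid == corporate_ssid:
        if bssid not in sanctioned:
            return "evil twin: corporate SSID from unknown BSSID"
        if rec.security == "OPEN":
            return "misconfiguration: sanctioned AP has no encryption"
        return None
    if bssid in sanctioned:
        return "unexpected SSID on sanctioned radio"
    if normalize(rec.ssid) == normalize(corporate_ssid):
        return "lookalike SSID"
    return None            # ordinary neighbouring network


def triage(records: Iterable[ScanRecord]) -> List[Tuple[str, str, str]]:
    """Collect (bssid, ssid, finding) for each suspicious beacon, deduplicated."""
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for rec in records:
        finding = classify(rec)
        key = (rec.bssid.lower(), rec.ssid)
        if finding and key not in seen:
            seen.add(key)
            findings.append((rec.bssid.lower(), rec.ssid, finding))
    return findings


# Constructed survey: two sanctioned APs, one evil twin, one lookalike, one neighbour.
SAMPLE_SURVEY = [
    ScanRecord("CorpNet", "00:11:22:33:44:01", 6, "WPA2-Enterprise"),
    ScanRecord("CorpNet", "00:11:22:33:44:02", 11, "WPA2-Enterprise"),
    ScanRecord("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN"),
    ScanRecord("Corp-Net", "de:ad:be:ef:00:02", 1, "OPEN"),
    ScanRecord("Cafe_Guest", "aa:bb:cc:dd:ee:ff", 1, "OPEN"),
    ScanRecord("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN"),   # repeated beacon
]

if __name__ == "__main__":
    for bssid, ssid, finding in triage(SAMPLE_SURVEY):
        print(f"{bssid}  {ssid!r:12}  {finding}")
```

In practice the sanctioned inventory would come from the controller or asset database, and the findings would feed a SIEM alert rather than stdout.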

Comment Re:intent or consequence? (Score 1) 85

Please try reading.

It indicates that their systems are so old as to require special purpose hardware.

A VGA monitor is now considered "special-purpose hardware"?

Having a CRT monitor indicates only that the system is compatible with a CRT monitor. If you're making further assumptions about the system's capabilities based on the age of a peripheral device, that's your fault, not the system's.

As one example, in the mid-2000s, I worked at a company whose main computer was built in 1988...

Sure, one single system in the back of one company did not get upgraded.

No, that was the main system running the whole industry-leading company.

I'd be willing to bet that the reason it didn't get upgraded was simple - it had got so old that it was at this point a major pain, and a major cost to upgrade.

That's only half of it. The other half was that it wouldn't bring any benefit. The company's production was limited by physical processes and market demand, not the computer's record-keeping.

Furthermore, how many of the systems that sat on the desks of average employees were that old?

Outside of the customer service area (who had shiny new Windows XP boxes, with DSL Internet access!), there were three other new computers in the company, all for special-purpose workstations that needed to do processing-intensive tasks. Most desks had VT terminals (ranging from VT300s to VT520s) to connect to the mainframe.

Care to take a guess at the reason?

I'll go with "the cost/benefit analysis did not support an upgrade", since that was the CEO's answer when I asked. Each department did one thing, and one thing only. The system already existed, and was known to work well for the necessary tasks. The company had the source to the software, and made software changes when necessary to support improved workflows, but for the most part the process was mature.

It takes a bunch of literal paper pushing, and probably a bunch more employee time in the back office.

So it's not actually related to the CRT monitors?

In the UK, this is 5 minutes of the customer's time to fill in a form on the internet, and no time spent by employees at all (bar the amortised cost of the guys running the IT system and database).

...that you know of. Realistically, there could be a herd of paper-pushers in the back end that you'd never know about, because you're getting distracted by the shiny interface.

The act of ...

Let me just interrupt this rant with "your mileage may vary". The last time I went to the DMV, it was for a full re-issue of a driver's license after a relocation, and required a test. The whole process, from entering the building to walking out, took about an hour.

After the queue, the agent scanned my old license to read the data, checked it for accuracy, and sent it to the back for processing while I waited for an available test machine. The tests were administered on kiosks built around CRT touchscreens, that looked like they had been operating since I was using that aforementioned mainframe. One test machine was being serviced, and I noticed that the kiosk was just a commodity desktop PC running Windows 7. The PC had a small form factor case, sitting in a cabinet just the right size for a full tower. Clearly, the machine had been upgraded, but the cabinet and interface was original.

By the time I had finished the test, my forms had been processed, and the agent handled the registration of my vehicle while my license was being printed. The agent submitted the vehicle paperwork to be processed while retrieving the license and handling payment. Once the vehicle processing was finished, I was handed new vehicle plates and wished a pleasant day.

Every single interaction with the DMV involves 3 hours of the customer's time, 20-30 minutes of the time of various employees filling out and stamping forms, and all of this has to happen in a pretty large building which has to be maintained. Those buildings have to be regularly spread out all over the place, because the amount of time taken is huge. Meanwhile, the DVLA manages to process all this, with far far fewer employees, because they actually had some investment in setting up database systems and web pages so that most of the job can be automated.

Do you really think that a large computer system doesn't need employees? In addition to the sysadmins keeping the thing running, there is also a team of programmers handling the incompatibilities with clients' new browsers and operating systems, a support team to handle the users who can't figure out the new-fangled system, and a security team trying to make sure your personal information isn't being handed off to any script kiddy with a new exploit.

Of course, they're also in a huge building which has to be maintained, and the servers are in a data center that needs maintenance, and there are offsite facilities to ensure availability. The expenses are different, but they're hidden.

The US's government systems are *hugely* inefficient and bureaucratic, not because they're doing things that they don't need to be doing, but instead because no one has spent any money on doing those things in an efficient way.

That may very well be the case, but you have absolutely no evidence that it's any more the Republican party's fault than the Democrats, or the Independents, or the Green, or the Whig, or anybody else's. All you've managed to say is that the UK does things differently, for a different demographic with different service requirements under different regulatory needs, and they have a different efficiency. It's absolutely shocking.

Now, if you'd like to provide some actual statistics to back up your flames, I'd love to see them. How about comparing Republican-favoring states' DMV budgets and satisfaction ratings to those of Democrat-favoring states?

Comment Re:intent or consequence? (Score 3, Informative) 85

The problem is that that assertion doesn't line up with reality. Go down to your DMV some time, and observe the kinds of systems that they're using. They're using databases built in the 80s and 90s on top of DOS, running on ancient computers with CRT monitors (at least around here).

...And is that a problem? Does the thickness of the monitor really impact how legibly they can print your drivers' license?

What reasonable business do you know of that hasn't upgraded their systems since that time to allow for more efficiency savings, faster processing, reduced staff costs etc?

As one example, in the mid-2000s, I worked at a company whose main computer was built in 1988, with only minor upgrades (disk capacity, and a modem that was occasionally plugged in so it could be maintained remotely) since its construction. It had survived the obsolescence of its product line, the rise of DOS and Windows, and had only a minor stumble for Y2K. For a system whose primary purpose was tracking orders moving through departments, and tracking employees' time cards, it did the job perfectly well. That particular company was in the top 10% of the industry by order volume and profits, so it seems to have done just fine by most standards of "reasonable".

There's a lack of investment in this kind of system, plain and simple, being disguised as "government efficiency" by the republicans.

Again, to show the other perspective, there is grossly excessive spending in other kinds of systems, being disguised as "upgrades" by the Democrats.

I'm not promoting any particular political party here. Rather, my point is to illustrate that every partisan criticism in this thread has an equally-valid counterpoint that is too-often glossed over. When the Republicans shout about "spending", the Democrats shout "obsolescence". Nobody ever seems to want to "get what's useful and nothing more", or "review the cost/benefit analysis for every component in the system".

I've worked for the federal government before, notably on one particular system whose lifespan was about 20 years. The system was designed and built to be state-of-the-art, using top-of-the-line COTS hardware available at the time (as a cost-saving measure, naturally). Ten years into the system life, those original components were obsolete, and being replaced with new top-of-the-line hardware, with the promises you mentioned: efficiency savings, faster processing, reduced costs, et cetera.

However, the basic workflow hadn't changed at all, and the software hadn't been rewritten (as that'd be prohibitively expensive), but only ported up to newer technologies. Even though each part of the process was indeed faster, the system as a whole hadn't changed significantly. It could run perfectly fine on modern (for the day) mid-grade or even low-end hardware, but because "upgrades" were seen as desirable, the system continued to be built with top-of-the-line parts, for about triple the cost.

Towards the end of the project lifespan, there was an effort to re-engineer it using minimal hardware, but by that point the idea had grown into something of a legend. The managers (and bureaucrats) who had seen the system's early versions and knew its original cost couldn't believe the system could actually run on such a low hardware budget. Every actual test was successful, but the mantra that "you get what you pay for" had become such an integral part of common sense that actually getting approval for a cost-efficient system was impossible. Eventually, my team ended up inflating our quoted costs to get approval, then delivering a working system under budget and getting extra praise.

That tale doesn't meet my idea of "reasonable", but it was definitely the reality that I saw.

Comment Re:intent or consequence? (Score 2, Insightful) 85

Political flamebait works both ways. The other side of the coin is that Democrats set up overly complicated systems that can't work without an ever-increasing price tag, then complain (loudly) that they just aren't getting the support they need.

Let's move on.

When the Federal government is [involved], don't blame on intentional malice that which can be explained by...

...anything else.

Bureaucracy in general is a breeding ground for unintentional malice. There are literally thousands of people in the federal government with the ability to influence programs like this, and they often have conflicting priorities. Some are mostly concerned about the economic cost, thinking that a strong economy is the clearest path to "general welfare". Others want social support services, being of the opinion that minimizing hardship makes everyone's lives better. Some think that government should do as little as possible, allowing individuals to decide for themselves how to pursue happiness, while still others believe that a life led according to religious principles leads to a better eternity.

Those are only a few examples, and not terribly nuanced, either. People can have multiple opinions, conflicting opinions, and even different opinions for different subjects derived from the same principles. The representative government reflects the opinions of the people, and in a country of over 300 million people, it is perfectly reasonable to have a very complicated set of opinions in government.

The most that we as individuals can hope for is that occasionally, enough people agree on an issue that they'll do something matching one of our strong opinions.

Comment Re:technicality (Score 1) 101

I understand the difference; they already had him on numerous charges without playing the entire episode out to the point of placing a fake bomb.

Maybe, and maybe not... either way, if they let him just continue, the prosecution's case is that much more complete.

Yes sure, they offered multiple alternatives, prayer, made him aware there will be children and women present, no one is saying this terrorist ain't a stinking pile of shit, but the FBI had him when they did the "practice run".

And at all those points, he could have said "no", and walked away... That'd be the law-abiding thing to do, and would be the easy way out of the sting.

While technically waiting to make the arrest with the fake car bomb is not exactly entrapment, the sting operation could have concluded with the detonation or even construction of the "test" bomb.

It depends on the particulars, but probably not, actually. In several states, building bombs is perfectly legal. Setting them off is also perfectly legal. In fact, I have done so personally in the past. Usually (and in my case) what would be illegal would be for that bomb to damage anyone else's (or public) property, injure any person or animal, or be transported on public roads without the proper approvals. Again, there may have been minor crimes along the way, but not enough evidence to make a case that the perpetrator was trying to commit a serious offense.

Actually, it probably could have concluded long before that with a conviction. Yes, I understand getting prosecution is harder than it sounds, but they have ample evidence prior to the fake bomb run, shit prior to the test run of his intention and activities.

What kind of irrefutable evidence did they have, exactly? Prior to actually executing the fake attack, the defendant could just argue that he took the opportunity to gather names and details into a nice little package that he planned to turn over to the authorities, and had to play along to do so. The defense could claim he was a hero all along, and the FBI just sprang their trap before he sprang his. To a jury of scared citizens who keep being told that if they "see something, say something", and with the common fantasies of being a big hero, if only they had the opportunity... Who wouldn't sympathize with this guy who just tried to do the right thing?

Also, what went wrong in this young man's head to push him this direction? Could it have been the perceived assistance of these agents, who to this idiot were willing accomplices (knowledgeable ones) that apparently supported his position?

How is that any different from the willing aid of an actual terrorist organization? He started by seeking willing accomplices. His head already had the criminal element. The agents just let it run its course in a (somewhat) controlled environment. In his mind, he was willingly committing a crime, and that's the ambition that the justice system is trying to remove from the rest of our law-abiding society.

Comment Re:technicality (Score 4, Interesting) 101

If that's not entrapment, I'm not sure what is.

You're not sure what entrapment is, then.

Entrapment is when the government agents make you commit a crime that you weren't otherwise willing to do. For example, if they threaten you or your family, that's entrapment. If they make you believe that what you're doing isn't actually a crime, that's entrapment. If they manipulate circumstances to where you believe you have absolutely no choice but to commit the crime, that's entrapment.

What is not entrapment is asking "Hey, are you willing to commit a crime?". It is also not entrapment to hand you the tools to commit the crime, and it's also not entrapment to drive you to a location for the crime, hand you the tools, and pay you a lot of money to commit the crime. Those things are not entrapment (though their legality may depend on having proper authorizations and approvals in place). You still have the option to avoid all criminal culpability by not doing the crime (though even if it turns out the tools they gave you were fake, what matters is that you thought they were real). If someone offers to help you and/or pay you to commit a crime, you can walk right down to the local police department and tell them all about it.
