Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Trust the World's Fastest VPN with Your Internet Security & Freedom - A Lifetime Subscription of PureVPN at 88% off. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×

Comment Re:Okay - that was quick. (Score 2) 890

that explains picking a Judge with only ten years of experience to the Supreme Court instead of the most experienced one that could be found.

Chief Justice John Roberts had five years of experience as a judge before being nominated for Associate Justice to replace retiring Justice O'Connor and then being nominated to replace Chief Justice Rehnquist when he died. While I don't agree with everything he says, he's done a good job of steering the court overall.

Going after the most experienced usually means going after the oldest, which has some potentially significant downsides not just in terms of time on the Supreme Court but also often least understanding of current issues. Going after the most qualified does not mean the most experienced.

Comment Re:I did a complete 180 on AV software (Score 1) 231

SEH has been present in some form since at least XP. It's old tech, with numerous bypasses. Windows 10's big improvement is Control Flow Guard.

Getting around ASLR is relatively easy if any library loads that does not use ASLR, and this is unfortunately very common.

Comment Re:I did a complete 180 on AV software (Score 1) 231

Win32 even had account personation services

Account impersonation is still there, even in 64-bit Windows. It's required for how Windows works. If you want to see it, set up a VM, run Metasploit against it (use smb_login) and get a meterpreter shell, load incognito, and list and impersonate tokens to your heart's content.

Vista god bless it made UAC, privilege speration, scrambled ram addresses with aslr, buffer overflow protected buffers in c/c++, and psuedo local admin accountants which instead used a token to run something.

UAC has numerous bypasses, privilege separation has existed since at least NT4 (maybe 3.51), ASLR only applies to the heap and only when the library or executable is compiled to do so (or is forced by EMET, which can crash some applications), buffer overflow protections can be bypassed using SEH or ROP gadgets, and as I mentioned above, tokens are still around. Another note on ASLR: it only takes one library in the entire chain of libraries called to not use ASLR to make it ineffective. Also, ASLR on 32-bit Windows is weak, having only 128 possible addresses without factoring in predictability that is inherent in the system, and if the process crashes and restarts relatively gracefully, it's not hard to hit a valid address. ASLR on 64-bit Windows is much more difficult to bypass.

Comment Re:In the U.S., why isn't this obsolete by now? (Score 1) 129

Failure to register a foreign birth with the State Department risks the citizenship not being recognized if it's not done before the child's 18th birthday. Depending on the citizenship laws of the nation of birth and the parents, this places a risk of the child becoming stateless upon his or her 18th birthday.

Comment Re:Encryption (Score 1) 319

It doesn't really matter. I'd do that with any job.

But for the current job, it means when I'm on vacation, out at dinner, or just don't want to be bothered by work, I can silence or turn off the work phone and not be bothered by customers, who have fallback contacts if I'm not available. At previous jobs, MDM was required for any phone connecting to the corporate network, and there is no way that I'm giving control of my phone over to someone at corporate, especially since I had no trust that I would have a job from day to day. (Not concerning my performance, but random cuts happened for little apparent reason because the company couldn't hit its stated profit goals, targeting some very good people.) I really didn't want my personal phone wiped either intentionally or accidentally by corporate, not to mention the possibility of reading it.

Comment Re:Encryption (Score 4, Interesting) 319

I do not, nor have I ever, used my personal cell phone for work purposes. Key work people may have the number for emergency purposes, but it's made clear that me providing that number is a serious point of trust, and that it should never be used except for the most dire circumstances. My work cell not answering doesn't count. Clients are to *never* get that number.

About a year ago, I took a job where they don't provide a phone. I chose instead to purchase a separate line that is used entirely for business. Only a few personal contacts have the number (parents and wife, basically). If I ever leave the company, the line gets disabled (phone was purchased off contract) so I don't have to field calls from clients. Even if I choose to use the phone with a new employer, it will get a different number. The cost of the phone and extra line comes off taxes each year.

When traveling internationally, the phone gets backed up, wiped, and reinitialized with a separate ID that has no links to the old except for necessary work contacts. Something similar happens to the notebook. After returning home, what little new data is present is backed up, then the pre-trip backups are restored.

All devices are fully encrypted, so reinitialization gets a fully clean start.

Comment Re: VISA program is GOOD. H1B is NOT. It is a joke (Score 1) 248

Desktop browsers don't capitalize by default. Some of us still use them. (Some of us also know where the Shift keys are and learned to type somewhere along the way, even if it was only using Mavis Beacon.)

That said, I've roundfiled plenty of resumes where the person clearly didn't bother to do any spell- or grammar-checking.

Slashdot Top Deals

Money isn't everything -- but it's a long way ahead of what comes next. -- Sir Edmond Stockdale

Working...