Follow Slashdot stories on Twitter


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re: Micro$slop requires virtualization? Really? (Score 3, Interesting) 156

Virtualization != sandboxing. You can sandbox on Windows with SandboxIE, where all writes from the sandboxed app are redirected elsewhere. Doing this doesn't require a separate OS or filesystem, so it doesn't add that context shifting as overhead.

You can also run your Web browser in a VM. You get better separation, but at a price, although with hypervisors becoming the norm and not the exception, running VMs may not have as onerous a penalty as they used to.

I like a combination of the two. I like browser windows and tabs separated from each other, like what Chrome/Chromium does, but the browser should run in its own VM so if something does get out of the browser, it is in a completely separate user and machine context. Without the VM isolation, even if malware just has context of a user, that can allow files to be uploaded and ransomware to do its dirty work.

Jails are another solution, but it can be argued that it might be best to completely isolate filesystems, especially if some software decides to do stuff like mkdir foo; cd foo loops, or just create tons of files in order to use up all inodes. Done on a VM, worst case, it means one dumps the VM and rolls back. Done on a desktop, it can mean work stoppage.

Comment Re:How is this different from any university? (Score 1) 327

I've wondered about this myself, because I took some time out of my career to pursue my degree full time. Are companies using a B. S. or a B. A. as a filter these days, or has the filter mechanism moved to the keywords and/or certifications like a MCSE? Times have changed. About 10-15 years ago, in a recession, you could sidestep stuff by going back for a M. S., and when you got the degree, it would mean higher pay. Now, I don't see that being the case.

Comment Re:How is this different from any university? (Score 1) 327

It depends on countries. When I was in college, I had classmates from Germany, China, and Chile. The Chinese government paid for the education for their citizen. The German had his paid for. The Chilean had his paid for by his government. It was the people in the US who were paying for their own education in a STEM major. The US needs to stop eating its seed corn.

Comment Re:E.g. We can't use it if we can't cheat (Score 1) 87

If there is a need for transactions to be atomic, perhaps multiple signatures with expiration dates would be useful. One to "pre-sign" the transaction, and if that transaction isn't cancelled (perhaps with a nonce that is stored as a hash), after "x" amount of time, the transaction becomes permanent. Or, a signature to start a transaction, another to end it. One can use blockchain technology in a lot of ways, and allowing people to "un-sign" something is just asking for trouble.

Comment Re:... formerly most secure computer (Score 1) 126

At least it can ship with Ubuntu by default. If W10 is needed, it can be run under VMWare, VirtualBox, or one's virtualization utility of choice. That way, Windows 10 can be run, but it is isolated from the hardware.

As for options, I would go with the M7, 480GB SSD, and glass case. One can't argue with a beefier CPU (assuming cooling isn't an issue), and more disk space. The glass case is useful for tamper resistance.

My only wish is if the device had a port for a Kensington lock slot, with some mechanism to zero out keys if someone yanked out something out of the slot by force.

Of course, there is blue-sky stuff. For example, a S/PDIF port that would be used with a fiber optic cable as a tether. If the S/PDIF port got unplugged or the fiber optic cable got cut, the keys would be zapped. This would provide extreme security, with the only way to get around it is to destroy what the fiber optic cable was looped around.

Comment Re:Too late (Score 1) 87

I've ended up using VPNs to get around that. It isn't cheap, but a Linode box acting as a NAT/proxy box [1], with a VPN to your real machines can get around most of that. You can also use AWS, a router OS like VyOS or PFSense, and a VPC to also allow for your home servers to have a "legitimate" IP to handle incoming traffic.

[1]: Assume the Linode box can be compromised at any moment, so don't terminate your TLS connections there. Terminate them on your machines. It also is wise to have provisioning scripts (or Ansible playbooks) so if your Linode instance gets compromised, you can zero it out and rebuild it quickly.

Comment Re:Too late (Score 1) 87

That can be solved. It would take a PKI, but I can see something like USENET with some trusted CAs, ability for people to chose whom they trust, and signed messages doing a good job at stopping spam. If someone does spam, their cert gets revoked, or if a SLC based system is used, the CA just doesn't bother to sign the certs, and the nodes forwarding traffic just drop anything from that key.

The problem is that decentralized PKI research stopped at PGP, and the world moved to SSL/TLS's model of all or nothing trust. If we had various amounts of trust, a decentralized model would stop spam, but would also keep the same anti-spam mechanisms from being used for censorship.

Comment Re:A good thing. (Score 2) 87

I remember a few years back, having a FB account was pretty much a job requirement, where I got told to bugger off because I didn't tell the world how many coils I dropped in the commode that morning. It has gotten better, but for a while, I eventually just wound up making a dummy account on there, Twitter, and other places just to make the HR people happy.

It isn't just Facebook. I'm seeing companies put all their eggs in the AWS basket. My fear is that cloud providers overtake having servers in-house, and we are back to the mainframe era. Cloud places have their use, but there is always the security question, and there is always the grave concern about data sitting on a remote site where you have zero physical control over it. If there is a security breach and the data is local, you can physically yank the network cable. If there is a breach at a cloud provider, trying to staunch the bleeding is a lot tougher, especially if one of the cloud accounts got hacked, and the rogue admin has just as much power as you do.

Comment Re:what a load of shit (Score 2) 233

Right now, we are at the point where a technology is starting to be widely adapted, and people are nervous about it (perhaps rightly so.)

However, I can list a number of things that can save time:

1: Being able to use commute time for something else than watching the taillights of the car ahead. You can have a vehicle which can function as a mobile office, or a bedroom, where with longer commutes, use that time for useful things, be it reading, doing some work, or just going back to sleep.

2: Vehicles can take themselves to get oil changed and inspected. This can save a day's worth of work.

3: Fewer trips would be needed. With a self-driving van, one can call Home Labyrinth, run the credit card, have the van drive to the pickup depot, and come back. This way, if someone runs out of plywood, but still has stuff to do, all it takes is a quick order via a web page, and work can continue.

4: If you are drunk, stoned, tripping balls, high, or all the above, you can still go home in your own vehicle. This in itself will save a lot of time because the police will have to clean up fewer wrecks.

5: Vehicle safety can improve. Cars can be packed closer together, intersections for highways can be made into simple four way intersections, with the cars slowing up or speeding up so vehicles can fly through without having to stop.

6: It saves time parking. Parking of automated vehicles can be handled far more densely than normal parking. Vehicle parking can be moved to the outskirts and not downtown, with a small lot used for quick unloading/loading.

7: It would allow for long trips easily, assuming vehicle auto-fueling. Speed limits can be tossed out the window, with the speed of the vehicle being what it can do, as well as environmental conditions.

8: If you need to carry a lot of stuff to a jobsite, and you just have one person, you can load multiple vehicles.

Of course, there are a few issues that need to be solved:

1: Security. If a blackhat could lock a vehicle's doors and demand ransom, or else it will ram the vehicle (and its occupants) off a bridge, that would be a show-stopper.

2: Third party control. It could be done that cars could be told that they cannot stop at or near areas, or that when someone hops in their car, it takes them downtown for jail processing because of a warrant. Or, some bill collector gets with the car maker and shuts down cars.

3: Corner cases. Thankfully few, but there will be many people out there looking for many ways to get a driving AI to fuck up, so they can play the lawsuit lottery.

All and all, there are issues, but the benefits are quite useful, and far outweigh the risks (which can be mitigated.) Security can be done. For example, the XBox is going on years, with not a single working jailbreak. Similar with the PS4. Even humble old Blu-Ray is still a cat and mouse game, with fewer and fewer decoding utilities available. Third party control can be legislated. Corner cases are relatively few, and that is what insurance is for, as well as dash cams to show if it was a true deliberate action.

Comment Re:Wait, the story is in error (Score 1) 57

Linux is nice because one can secure at as they see fit. Someone on the operator level can enable patching at certain times in RedHat and downstreams, Debian, and Ubuntu, with ease. This isn't something you would do in production for obvious reasons, but with modern mainstream Linux distros with their default installs, it actually is more work to not enable patching than to enable it.

An admin that is more versed would be using some sort of patch management system, if only to ensure that SSH, OpenSSL, the kernel, and other critical components are not just patched, but there is validation that things are at that patch level.

Next tier up, the admin would have a CM tool which either gets pushed or runs locally with a stanza like this:

- name: Update openssl
    package: name=openssl state=latest

The above stanza would get pushed to all boxes every so often.

Of course, Linux can be horrific if unpatched, because there is so much a blackhat can do on a Linux box, even if root access is unavailable. However, in general, because Linux is open, there are fewer moving parts which are hidden away from the user. For example, when Shellshock came out, and a quick patch had to be done, it wasn't hard to build a static busybox binary as a workaround until a few hours later, bash was patched.

Comment Re:Just buy a Synology raid (Score 1) 98

I agree with you. I have had very good luck with the apps Synology has. The Git app, though bare-bones, is useful. The Hyper Backup function works with many sources (especially with something like Amazon Cloud Drive that provides unlimited storage), the device easily supports 2FA (I just copy my google-authenticator file to /usr/syno/etc/preferences/, and the web server will ask for the Google Authenticator ID. SSH can be locked down as well.)

For a NAS, it is surprising how much stuff the Synology (and the QNAP offerings as well) support.

Comment Re:Just buy a Synology raid (Score 1) 98

SynoLocker is an old issue, with DSM 5.x and 6.x patching it, and future items get autopatched if one turns that on during initial setup (the default is to auto install security patches). It also is wise to not have your internal NAS devices on the Internet (mine have a firewall script that allow incoming from the local segment, outgoing to Synology's patching sites, and blocking all other traffic.) It also is wise to use the Hyper Backup utility to back data up to somewhere (external HDD, cloud provider, etc.), preferably using encryption.

There isn't anything wrong with using unRAID, FreeNAS, or another utility. However, the main reason I use Synology products (QNAP is another good maker that tends to have an edge on hardware for the same price), is wattage use. The two I have use at most 40 watts, and significantly less than that when idle. A modern PC is thrifty on power, but having an ARM appliance is also quite nice. Of course, the PC gives a lot of flexibility, but having a NAS designed from the ground up, hardware and software for the dedicated purpose doesn't hurt either.

The price is right as well. I picked up a two drive unit with an ARM CPU for about $150, added drives, and it has been running 24/7 quite reliability.

Comment Re:Funny how Slashdot users are okay with criminal (Score 5, Interesting) 98

The criminals are virtually untouchable:

1: They are likely in countries of the world that have zero interest in turning them over for justice. In fact, they may be regarded as folk heroes or equivalents of Robin Hood, taking money from corporations or countries and bringing it to the region.

2: They are likely using employees to do the dirty work, with plenty of anonymity between them and the higher ups.

3: Malware can be traced, and a lot of people suggest origin, but code can be edited and spread anywhere in the world, so code that originally came from Latveria can be used and abused by people from Lower Elbonia, and if distribution is done, the whitehats may never know the real origin.

4: Compromising an endpoint isn't too difficult these days. If someone hacks a wi-fi router and compromises a home computer, all it takes is deleting the offending stuff securely, and that becomes a dead end.

5: For every one criminal, there are others behind them.

6: LEOs have many cases on their hands. It might be doubtful they may have the resources to handle anything but the big names, so chasing after every bad guy would be about as fruitful as chasing every pot smoker in the US.

Going after criminals is nice, but that is a game of whack-a-mole. Unfortunately, computer security is a defensive war, but there are useful tools on the whitehat end which can help mitigate attacks.

Long term, it may not be something is wanted in any shape or form, but I think what may end up happening is that countries themselves will demand control of the routers that go from one nation to another and enforce rules there. China has that, Iran is building it, and other countries are looking into blocking at their virtual borders, just like physical borders. It might be a token thing now, but as time goes on and money is put into it, it may become something all countries have in place, just so another country that has IP ranges that are hotspots for attack are blocked there, so every single Internet entity in the nation wouldn't have to deal with them.

Slashdot Top Deals

try again