Become a fan of Slashdot on Facebook


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Hmm, Canada got this one right. (Score 4, Informative) 349

For years, CRA, the Canadian equivalent to the IRS, has been including Web Authentication Codes (WACs) with the annual notice of assessment, that is, their summary of your personal income tax submission, snail mailed to your address of record some weeks after you submit your personal tax return.

Your WAC changes every year. Without it, you cannot access your account in CRA's online systems.

And it isn't enough: You also need your SIN and the amount recorded on a particular line of your return (or notice, I cannot remember which).

Now here is where my memory gets hazy: Once you register for online access, I think they might send a one-time code to your address, which is required to activate your account.

The only way to subvert this system is to tamper with postal delivery, which means fraudsters must take specific, intentional action and break multiple federal laws (postal acts, the income tax act, etc.). There ain't no easy to guess stuff in the Canadian system. The bar is sufficiently high, the risks to fraudsters very high, i.e., hard time.

Comment What's the term for a prophylactic prediction? (Score 5, Insightful) 677

There is an implication that Dijkstra was wrong about the goto - the implication being based on how conservatively it is used.

Perhaps it is wiser to conclude that the goto is used so conservatively because Dijkstra was right and that programmers have, in general, taken his wisdom to heart and avoided the goto except for those instances where, properly documented, it is the best tool for the job.

(By prophylactic prediction I mean the sort of warning or planning that completely forestalls the danger predicted, through awareness, preparation, etc. Kind of like the Y2K non-event.)

Comment Re:Briefing for management - reuse with attributio (Score 1) 318

Hey, I'm not saying the practices that make people vulnerable are wise - just that they exist and that unless positive steps are taken to test and, where necessary, fix, systems will be vulnerable. After all, we are seeing reports of the vulnerability being exploited in the wild, so we know there are affected systems out there. If we've done our jobs right, they won't be ours - but we cannot just hope that we've done our jobs right - and we do need to advise management that a) we're aware of the issue, b) we did our jobs right, and c) we're double checking, just to be safe.

Comment Briefing for management - reuse with attribution (Score 5, Interesting) 318

Folks, for what it's worth, here is a management briefing I wrote this morning. Please feel free to re-use, but please do give proper attribution. Please do comment and correct as appropriate.

Summary: Briefing for management on activities to minimize impacts of the "shellshock" computer vulnerability.

Status: Testing underway. Our initial scans and appraisals are that our public-facing systems are likely not subject to shellshock. NOTE: The situation is fluid, due to the nature of the vulnerability. Personnel are also reaching out to hosting providers to assess the status of intervening systems.

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability "shellshock" since it affects computer command interpreters known as shells.

How does it work? Command interpreters, or "shells", are the computer components that allow users to type and execute computer commands. Anytime a user works in a terminal window, they are using a command interpreter - think of the DOS command prompt. Some GUI applications, especially administrative applications, are in fact just graphical interfaces to command interpreters. The most common command interpreter on Linux and UNIX is known as the "bash shell". Within the last several days, security researchers discovered that a serious vulnerability has been present in the vast majority of instances of bash for the last twenty years. This vulnerability allows an attacker with access to a bash shell to execute arbitrary commands. Because many web servers use system command interpreters to fulfill user requests, attackers need not have physical access to a system: The ability to issue web requests, using their browser or commonly-available command line tools, may be enough.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linus and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a "web server" in the sense of a server providing content of interest to the casual or "normal" user, many do provide web-based interfaces for diagnotics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

What is the primary risk? There are two, data loss and system modification. By allowing an attacker to execute arbitrary commands, the shellshock vulnerability may allow the attacker to both obtain data from a system and to make changes to system configuration. There is also a third risk, that of using affected systems to launch attacks against other systems, so-called "reflector" attacks: The arbitrary command specified by the attacker could be to direct a network utility against a third machine.

How easy is it to detect the vulnerability? Surprising easily: A single command executed using ubiquitous system tools will reveal whether any particular web device or web server is vulnerable.

What are we doing? Technical personnel are using these commands to test all web servers and other devices we manage and are working with hosting providers to ensure that all devices upon which we depend have been tested. When devices are determined to be vulnerable, a determination is made whether they should be left alone (e.g., if they are not public facing and patches are either not yet available or would be disruptive at this time, or if there are other mitigations or safeguards in place), patched (e.g., if patches are available and are low impact), or turned off (e.g., if patches are not available, risk is high, and the service is not mandate critical).

Updates to this briefing will provided as the situation develops.

Comment An odd mild R-G - but only now do I know.... (Score 1) 267

I've known for 30 years that I was colour confused, it was diagnosed during my pre-hire medical at IBM. I've always described it symptomatically, as in "certain pinks and purples appear grey, my favourite brown shirt is green, but occasionally, I'll see a hint of green". And I've long thought that my CC was partly influenced by diet (the shirt would be greener after meals in certain restaurants, but I could never pin down the magic ingredient combo).

I have it on good authority that Mars is red, but I see it as a faint light of undetermined colour.

I had my eyes checked last week. I said all of the above to the examiner. He said something along the lines of "Huh, I've never heard of that before".

Then I described how I have a hard time scooping the yard: I have to work really hard to see the shit for the grass, but when I do, it becomes more obvious. There isn't enough contrast for me to pick it out without cognitive effort, but with said effort it becomes clear.

"Huh", he said, "It sounds like you have a very mild form of red-green colour blindness".

Interesting. I've never had a problem with traffic lights, red is one of my favourite colours, and I love the infinite variety of greens of spring. But picking a cardinal out in a dark green tree is tough - do-able, but tough. It's much easier in a light green tree.

So two weeks ago I would have answered "different form" but today I chose "mild R-G".

As my daughter would say, "That was a great old man story, thanks for sharing".

Comment Slightly misleading, fearmongery headline (Score 4, Informative) 114

This was on HN a few days ago; my comment there was the same: In the case of LastPass, the headline is misleading and a little fearmongery.

There were two issues with LastPass and NEITHER affected its storage of persistent passwords, that is, neither affected the feature the vast majority of us use passwords managers for!

One concerned a targeted attack against one-time passwords (OTP), the other concerned bookmarklets, which are used by less than 1% of the user base, according to LastPass. Personally I didn't know either feature existed until I read the LastPass blog entry about these two vulnerabilities.

A truer headline would have been Vulnerabilities found in less-frequently used features of LastPass; persistent site password storage unaffected".

Comment I love my Viera and was hoping to upsize.... (Score 3, Interesting) 202

We have a c.2003 52" Viera and love it.

The brightness is not an issue: it's on the North wall of the living room, facing a large window, and if it is "too sunny", I close the drapes. Done.

The viewing angle is amazing. Sunday night suppers are often prepared standing at the counter "just this side" of the family room, watching football.

I've stayed away from L[CE]D TVs because plasma just seemed like a better solution.

And now they will go the way of Betamax.

Silly consumers, believing hype and myth, buying poorer tech, and not saving a whole lot doing it....

Comment It's free. Why does App Store need a credit card? (Score 0) 222

I don't use iTunes or iBooks or any other Apple media apps. I've only had my Air for a few months, and I do love it so, but.... If Mavericks is free, why does the App Store need a credit card in order for me to download it?

I do not plan on purchasing anything through iTunes. Never say never, sure, but I don't. Ever.

Guess I can't have Mavericks.

Even though it's free.

Kudos, Apple, you've given me my first reason to feel less than happy about a hardware purchase I reveled in.

(Originally posted in wrong discussion, mea culpa; since then, I've discovered one can bootstrap iTunes/AppStore integration without a CC, but it requires attempting to download a free app and entering tombstone info - still too much for a free OS update, IMHO, but better in a kludgey, hackish way.)

Comment It's free. Why does the App Store need a CC? (Score -1, Offtopic) 166

I don't use iTunes or iBooks or any other Apple media apps. I've only had my Air for a few months, and I do love it so, but....

If Mavericks is free, why does the App Store need a credit card in order for me to download it?

I do not plan on purchasing anything through iTunes. Never say never, sure, but I don't. Ever.

Guess I can't have Mavericks.

Even though it's free.

Kudos, Apple, you've given me my first reason to feel less than happy about a hardware purchase I reveled in.

Comment ...teleports the douchii to random places.... (Score 1) 443

Well, not quite random - to the polar opposite of current weather conditions.

It's winter (I live in Ottawa - think Minnesota with Chicago's wind and Houston's humidity).

Dude cuts me off.

I press the button

Dude finds himself in Kandahar.

It's summer (think Kandahar temperatures with Houston's humidity - detect a theme yet?).

Dude cuts me off.

I press the button

Dude finds himself in McMurdo.

I used to think I wanted photon torpedoes, but those would create debris, which might damage my vehicle. Or me.

Then I thought phasers. But that would still take life and teach nothing.

So semi-random, climactic-coupled teleportation. That's the ticket.

And the car should fly. Of course. VTOL.

Slashdot Top Deals

Nothing is faster than the speed of light ... To prove this to yourself, try opening the refrigerator door before the light comes on.