
Comment So much whining (Score 0) 181

So Lenovo didn't want to go out of their way to support a minor market segment. So what? They aren't selling to Linux users; if you don't like it, take your business elsewhere. Pretty sure the missing AHCI option was likely an oversight. If enough people want to run Linux, Lenovo will add back AHCI support or Linux/Lenovo will roll out a driver.

I personally love Lenovo hardware. It's always been rock solid for me. Since I'm not a moron, I never keep the installed OS, so I don't have to deal with their crapware. Same goes with any other pre-installed laptop from anyone. Just a couple months ago I bought a Lenovo Y700-17ISK gaming laptop. I absolutely love it, and it is easy to work on (first thing I did was upgrade the hard drive size). Works fine with Linux. Right now I'm dual booting Qubes OS and Windows 10.

Comment Shying away from OOP(s) (Score 4, Insightful) 674

Few programs are more hellacious to write and maintain than code that has been overly factored into classes, that inherit from other classes, that implement some abstract that was inherited from another abstract, that isn't even called directly because it is actually an event handler or intent for yet another inheritance mess. OOP makes sense if used sparingly; if not, it makes GOTO spaghetti look sane.

Comment Re:Encryption != Integrity (Score 1) 89

You can prove that it is mathematically infeasible that your decryption, which is a valid file and displays a reasonable result, is NOT the one that the original user was expecting. That number, no matter how you arrive at it, is way, way less likely than a fingerprint or DNA match being an accidental duplicate of an innocent person, so good luck making that argument to a jury...

Comment Proactive Monitoring (Score 1) 148

I think what the EndGame CEO was trying to state was that security needs to focus more on indicators of compromise and less on "defense" against compromise. As a red team hacker, I agree. The fact of the matter is that securing the perimeter and the endpoint against all attacks is an impossible exercise. Too many security teams have that type of mentality: "Oh, you got in? No worries, just tell us exactly what you did and we will block that specific attack vector." What they should be focusing on is developing the capabilities to detect the intruder that has breached their defenses. We all like to talk about the magical "APT" that has unlimited time and resources and can teleport around your network without making a sound, but it just doesn't exist. Even a very advanced, skilled attacker, with months of time, is going to need to perform significant recon on the network. Much of that recon is atypical behavior for a non-malicious user.

Detecting malicious behavior isn't even that hard; it just takes some knowledge of what we hackers do: alerting on specific domain events, looking for specific traffic patterns, and profiling normal system behavior. Even a small security shop can greatly benefit from well-placed honeypots around their network. These types of things are not visible to an attacker, and if your network is reasonably secure, the attacker is likely to trip over one or more of them before they get what they are after.
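To make the detection idea in the comment above concrete, here is an added example (my own code, not the commenter's) of the kind of triage a small shop can run over connection logs: it flags a source that fans out across many internal hosts or ports (recon-like behavior that a normal user rarely shows) and any contact with a honeypot address. The log format, the IP addresses, the honeypot list and the thresholds are all constructed assumptions for the example; in practice the thresholds would come from profiling your own baseline traffic.

```python
"""Flag recon-like fan-out and honeypot contact in simple flow logs (example, not from the post)."""
import re
from collections import defaultdict

# Assumed line format (constructed for this example):
#   "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<proto>\w+)$"
)

# Constructed honeypot addresses: nothing legitimate should ever talk to these.
HONEYPOTS = {"10.0.0.250", "10.0.0.251"}

# Constructed sample log: 10.0.0.5 behaves normally, 10.0.0.9 sweeps hosts and
# ports and finally touches a honeypot. One line is deliberately malformed.
SAMPLE_FLOWS = """\
2016-04-01T10:00:01 10.0.0.5 -> 10.0.0.20:445 tcp
2016-04-01T10:00:02 10.0.0.5 -> 10.0.0.20:445 tcp
2016-04-01T10:00:03 10.0.0.5 -> 10.0.0.30:443 tcp
2016-04-01T10:00:10 10.0.0.9 -> 10.0.0.21:22 tcp
2016-04-01T10:00:11 10.0.0.9 -> 10.0.0.22:22 tcp
2016-04-01T10:00:12 10.0.0.9 -> 10.0.0.23:22 tcp
2016-04-01T10:00:13 10.0.0.9 -> 10.0.0.24:22 tcp
2016-04-01T10:00:14 10.0.0.9 -> 10.0.0.25:22 tcp
2016-04-01T10:00:20 10.0.0.9 -> 10.0.0.20:80 tcp
2016-04-01T10:00:21 10.0.0.9 -> 10.0.0.20:443 tcp
2016-04-01T10:00:22 10.0.0.9 -> 10.0.0.20:445 tcp
2016-04-01T10:00:30 10.0.0.9 -> 10.0.0.250:445 tcp   # honeypot
this line is garbage and must be skipped, not crash the run
"""


def parse_flow(line):
    """Parse one flow line; return a dict, or None for blank, comment or malformed lines."""
    line = line.split("#", 1)[0].strip()   # strip trailing comments
    if not line:
        return None
    m = FLOW_RE.match(line)
    if not m:
        return None                        # malformed input is skipped, never fatal
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def analyze(lines, honeypots=HONEYPOTS, fanout_hosts=5, fanout_ports=4):
    """Return a list of alert dicts: honeypot contact, host sweep, port sweep.

    fanout_hosts / fanout_ports are assumed thresholds standing in for a
    measured baseline of how many distinct hosts/ports a normal source uses.
    """
    dst_hosts = defaultdict(set)   # src -> set of destination hosts
    dst_ports = defaultdict(set)   # src -> set of destination ports
    seen_honeypot = set()          # (src, dst) pairs already alerted on
    alerts = []

    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, port = rec["src"], rec["dst"], rec["port"]
        # Honeypot contact is high-confidence: alert on the first touch per src/dst pair.
        if dst in honeypots and (src, dst) not in seen_honeypot:
            seen_honeypot.add((src, dst))
            alerts.append({"rule": "honeypot_touch", "src": src,
                           "detail": f"contacted honeypot {dst}:{port}"})
        dst_hosts[src].add(dst)
        dst_ports[src].add(port)

    # Fan-out rules: many distinct hosts or ports from one source looks like recon.
    for src, hosts in dst_hosts.items():
        if len(hosts) >= fanout_hosts:
            alerts.append({"rule": "host_sweep", "src": src,
                           "detail": f"{len(hosts)} distinct destination hosts"})
    for src, ports in dst_ports.items():
        if len(ports) >= fanout_ports:
            alerts.append({"rule": "port_sweep", "src": src,
                           "detail": f"{len(ports)} distinct destination ports"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS.splitlines()):
        print(f"[{alert['rule']}] {alert['src']}: {alert['detail']}")
```

On the constructed sample the normal host 10.0.0.5 produces no alerts, while 10.0.0.9 trips all three rules. The honeypot rule needs no baseline at all, which is the point the comment makes: a decoy address has no legitimate users, so any connection to it is signal.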

Comment Bunch of FUD (Score 5, Informative) 96

This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so-called man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short, you'd have to be dumb enough to not notice you were downloading the file from an untrusted source or, in the event that this was man-in-the-middled, not notice that the file isn't signed or is signed by the wrong person.

Comment Anonymous FTP is the key (Score 1) 130

If I access a router with a known backdoor password, and someone failed to patch it, that is breaking and entering. It is clear that such access was not intended by the owner of the device, and I am effectively breaching their perimeter without their permission. In this case the guy used anonymous FTP. The entire purpose of anonymous FTP is to allow anyone to download files. FTP technology and anonymous access are routinely employed by companies and websites specifically to exchange files with everyone. Therefore, given the plain and regular use of the technology, one can easily argue that they effectively were inviting file downloads. Until this guy was able to validate the content of the files, he would arguably not have known that the files were supposed to be protected. The fact that he reported the finding shows that he was not behaving maliciously and was acting in good faith.

Comment Lots of FUD (Score 5, Informative) 135

Until less than three years ago, I worked on the Hanford site. My father-in-law still works on the site and regularly oversees and checks on tank levels. At least a couple times a year, there is a minor leak, and the media breathlessly goes screaming that the end of the world is nigh. It is rarely serious, but between the media's antinuclear stance and the Hanford project's desperate need to drag out the project as long as possible, for jobs, these things get over-reported. At this point, all the waste has been relocated from single-shelled tanks to double-shelled tanks where it is awaiting disposal at their vitrification plant that was recently finished. None of this waste actually leaked anywhere. What it means is that one of the innermost shells on one of the tanks has finally failed significantly. The waste is still contained. This isn't a surprise, as even the double-shelled tanks are getting old, hence the plan to vitrify (glassify) the waste.

Comment Nobody read the spec (Score 1) 131

I see that literally no one read the spec (yes, I realize this is Slashdot). To the creators' credit, they have thought about security from the point of malicious Javascript accessing USB. The spec makes that highly unlikely, as the USB device has complete control over who can talk to it. The problem is that as far as I can tell, they have given a malicious USB device yet another way to talk to a command-and-control server and get code execution (albeit in a sandboxed browser, using Javascript). Of course I can already do that by emulating a keyboard, but why add to the list of ways a USB device can screw you?

Comment Easy answer, and it isn't sexism (Score 1) 571

I know these articles are SJW click-bait, but there is a perfectly normal explanation:

I work in cyber security, and it is a well-understood phenomenon that both men and women implicitly trust a female voice significantly more than a male voice. This is so well established that many pentesting companies hire women with pleasant voices just for social engineering gigs. When an AI is already trying to overcome people's inherent distrust of technology, it makes sense to employ psychological tricks that can make people feel more relaxed and trusting.

Submission + - BadLock: Potential Serious SMB Protocol Vulnerability (badlock.org)

shellster_dude writes: If you believe the hype, a massive protocol level vulnerability was found in SMB which affects most versions of Windows and Samba. A member of the SAMBA team found the vulnerability and both groups are patching their software on April 12th. The team that found it is planning to also release the details on the 12th.

Comment Re:Uh, just pay extra (Score 1) 644

Competition is right, but not in the way you think. These guys all have their money squirreled away in offshore accounts, tied up in business ventures, and live largely on their stock market earnings. They don't care about income tax, because they largely don't pay it. Those people who are trying desperately to make it into the club (their competition) are the ones that don't have enough liquid funds to keep it out of Uncle Sam's hands.
