
Comment So black and white... (Score 1) 158

I love how the anti-smoking crowd is so black and white.
If you smoke you're an addict.
If you smoke you'll get cancer and die.
If you smoke you'll give cancer to everyone around you.
If you vape, you'll also get cancer and die, and give it to everyone around you.
If you smoke you'll become more addicted than a crack addict.

Second hand smoke has never been thoroughly proven, when given the levels of tobacco smoke a person can reasonably expect to encounter. I enjoy a pipe or a cigar no more than once a month, but my doctor and insurance company treat it like I'm a two packs a day guy. I've been smoking an occasional cigar for years, never once have I ever run into some sort of addictive quality.

I have vaped in the past. All indications from serious studies on the matter are that nicotine by itself is a relatively harmless stimulant, with some actual positive benefits. It's bad for pregnancy, and some of the glycol solutions and heating elements may be bad for you, but again, we're talking extremely small doses, even if you regularly vape.

I love getting lectured about how I am a terrible human being for occasionally enjoying tobacco and nicotine by a bunch of hippies telling me about the miracles of pot, which will cure everything that ails you and has no bad long-term effects...

Comment As Someone Who Worked in PCI... (Score 2) 76

This would never work in the US. As others have stated, the CVV number that you see is different from the one in the stripe. Although chip-and-pin has finally started to trickle into the US market and this has become less common, a lot of vendors still don't process transactions until the evening. For instance, when a restaurant uses your card, they may not go back and process your tip until the end of the day. In countries that have fully embraced chip-and-pin, transactions must be done at time of sale, so this type of dynamic pin can be utilized.

To be workable in the current US market, the bank would have to track the last several CVV patterns for a 24-hour period; however, if that is indeed what they are doing, they are effectively creating (60 / 3) * 24 = 480 valid pins in a sliding 24-hour window. That is far worse than a single pin. In fact, early implementations of chip-and-pin were vulnerable to these kinds of problems due to the need to support long periods of time for transaction processing.

Bottom line: We can do a lot to fix fraud if the US would ever fully embrace chip-and-pin.

Comment So much whining (Score 0) 181

So Lenovo didn't want to go out of their way to support a minor market segment. So what? They aren't selling to Linux users; if you don't like it, take your business elsewhere. Pretty sure the missing AHCI option was likely an oversight. If enough people want to run Linux, Lenovo will add back AHCI support or Linux/Lenovo will roll out a driver.

I personally love Lenovo hardware. It's always been rock solid for me. Since I'm not a moron, I never keep the installed OS, so I don't have to deal with their crapware. Same goes with any other pre-installed laptop from anyone. Just a couple months ago I bought a Lenovo Y700-17ISK gaming laptop. I absolutely love it, and it is easy to work on (first thing I did was upgrade the hard drive size). Works fine with Linux. Right now I'm dual booting Qubes OS and Windows 10.

Comment Shying away from OOP(s) (Score 4, Insightful) 674

Few programs are more hellacious to write and maintain than code that has been overly factored into classes, that inherit from other classes, that implement some abstract that was inherited from another abstract, that isn't even called directly because it is actually an event handler or intent for yet another inheritance mess. OOP makes sense if used sparingly; if not, it makes GOTO spaghetti look sane.

Comment Re:Encryption != Integrity (Score 1) 89

You can prove that it is mathematically infeasible that your decryption, which is a valid file and displays a reasonable result, is NOT the one that the original user was expecting. That number, no matter how you arrive at it, is way, way less likely than a fingerprint or DNA match being an accidental duplicate of an innocent person, so good luck making that argument to a jury...

Comment Proactive Monitoring (Score 1) 148

I think what the EndGame CEO was trying to state was that security needs to focus more on indicators of compromise and less on "defense" against compromise. As a red team hacker, I agree. The fact of the matter is that securing the perimeter and the endpoint against all attacks is an impossible exercise. Too many security teams have that type of mentality: "Oh, you got in? No worries, just tell us exactly what you did and we will block that specific attack vector." What they should be focusing on is developing the capabilities to detect the intruder that has breached their defenses. We all like to talk about the magical "APT" that has unlimited time and resources and can teleport around your network without making a sound, but it just doesn't exist. Even a very advanced, skilled attacker, with months of time, is going to need to perform significant recon on the network. Much of that recon is atypical behavior for a non-malicious user.

Detecting malicious behavior isn't even that hard; it just takes some knowledge of what we hackers do: alerting on specific domain events, looking for specific traffic patterns, and profiling normal system behavior. Even a small security shop can greatly benefit from well-placed honeypots around their network. These types of things are not visible to an attacker, and if your network is reasonably secure, the attacker is likely to trip over one or more of them before they get what they are after.
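The kind of detection the comment above describes, alerting when a host touches a honeypot or sweeps many internal host:port pairs in a short window, as an added Python example that is not part of the original comment. The log lines, addresses, honeypot host and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (timestamp source destination port);
# the addresses are made up for illustration, not taken from a real network.
SAMPLE_LOG = """\
2016-04-01T09:00:01 10.0.0.5 10.0.1.10 445
2016-04-01T09:00:03 10.0.0.5 10.0.1.11 445
2016-04-01T09:00:05 10.0.0.5 10.0.1.12 445
2016-04-01T09:00:07 10.0.0.5 10.0.1.13 445
2016-04-01T09:00:09 10.0.0.5 10.0.1.14 445
2016-04-01T09:00:11 10.0.0.5 10.0.1.250 445
2016-04-01T09:00:13 10.0.0.5 10.0.1.15 3389
2016-04-01T09:05:00 10.0.0.7 10.0.1.10 445
2016-04-01T09:30:00 10.0.0.7 10.0.1.20 443
"""

# Hypothetical honeypot address: no legitimate workflow ever touches it.
HONEYPOTS = {"10.0.1.250"}

def parse_log(text):
    """Turn the space-separated log into (time, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records

def detect(records, fanout=5, window=timedelta(minutes=2)):
    """Return alerts: any contact with a honeypot, plus any source that
    reaches more than `fanout` distinct host:port pairs inside `window`
    (a sweep that a normal user's workstation rarely produces)."""
    alerts, flagged = [], set()
    recent = defaultdict(list)        # src -> [(time, "dst:port"), ...]
    for ts, src, dst, port in sorted(records):
        if dst in HONEYPOTS:
            alerts.append(("honeypot", src, dst, port))
        recent[src].append((ts, f"{dst}:{port}"))
        # drop events older than the sliding window for this source
        recent[src] = [(t, k) for t, k in recent[src] if ts - t <= window]
        targets = {k for _, k in recent[src]}
        if len(targets) > fanout and src not in flagged:
            flagged.add(src)
            alerts.append(("fanout", src, len(targets)))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second source only touches two hosts 25 minutes apart, so it never exceeds the fan-out threshold; the first trips both the honeypot and the sweep rule.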

Comment Bunch of FUD (Score 5, Informative) 96

This whole kerfuffle is a bunch of FUD. I'm a KeePass2 user. As the author points out, the tool does not have an auto-update feature. The so-called man-in-the-middle only allows you to alert the client that there is a "new" version of KeePass. You still have to manually go to the website and download it. The files are Authenticode signed. In short, you'd have to be dumb enough to not notice you were downloading the file from an untrusted source or, in the event that this was man-in-the-middled, not notice that the file isn't signed or is signed by the wrong person.

Comment Anonymous FTP is the key (Score 1) 130

If I access a router with a known backdoor password, and someone failed to patch it, that is breaking and entering. It is clear that such access was not intended by the owner of the device, and I am effectively breaching their perimeter without their permission. In this case the guy used anonymous FTP. The entire purpose of anonymous FTP is to allow anyone to download files. FTP technology and anonymous access are routinely employed by companies and websites specifically to exchange files with everyone. Therefore, given the plain and regular use of the technology, one can easily argue that they effectively were inviting file downloads. Until this guy was able to validate the content of the files, he would arguably not have known that the files were supposed to be protected. The fact that he reported the finding shows that he was not behaving maliciously and was acting in good faith.

Comment Lots of FUD (Score 5, Informative) 135

Until less than three years ago, I worked on the Hanford site. My father-in-law still works on the site and regularly oversees and checks on tank levels. At least a couple times a year, there is a minor leak, and the media breathlessly goes screaming that the end of the world is nigh. It is rarely serious, but between the media's antinuclear stance, and the Hanford project's desperate need to drag out the project as long as possible, for jobs, these things get over-reported. At this point, all the waste has been relocated from single-shelled tanks to double-shelled tanks where it is awaiting disposal at their vitrification plant that was recently finished. None of this waste actually leaked anywhere. What it means is that one of the innermost shells on one of the tanks has finally failed significantly. The waste is still contained. This isn't a surprise as even the double-shelled tanks are getting old, hence the plan to vitrify (glassify) the waste.

Comment Nobody read the spec (Score 1) 131

I see that literally no one read the spec (yes, I realize this is Slashdot). To the creators' credit, they have thought about security from the point of malicious Javascript accessing USB. The spec makes that highly unlikely as the USB device has complete control over who can talk to it. The problem is that as far as I can tell, they have given a malicious USB device yet another way to talk to a command-and-control server and get code execution (albeit in a sandboxed browser, using Javascript). Of course I can already do that by emulating a keyboard, but why add to the list of ways a USB device can screw you?

Comment Easy answer, and it isn't sexism (Score 1) 571

I know these articles are SJW click-bait, but there is a perfectly normal explanation:

I work in cyber security, and it is a well-understood phenomenon that both men and women implicitly trust a female voice significantly more than a male voice. This is so well established that many pentesting companies hire women with pleasant voices just for social engineering gigs. When an AI is already trying to overcome people's inherent distrust of technology, it makes sense to employ psychological tricks that can make people feel more relaxed and trusting.
