
Comment Re:chief enablers (Score 1) 85

To the Indians, people are giving them money for a service they sold on the phone. Even US courts in front of a tech-illiterate judge may not find much fault with their methodology other than that it's not entirely ethical, but to the law it simply doesn't matter whether you bought a car or a computer program that wasn't necessary, you made the decision to buy it because they demonstrated to you that you needed it.

The legal issue here is "fraud". They are calling and lying to the mark and telling them they are official agents of Microsoft/Apple/Dell/etc and are lying about the "service" they are selling. "There's really nothing wrong with your computer, the website is just displaying a scary looking warning and we'd like you to pay us $150 to make it go away, do you mind giving me your credit card information?" Go for that and okay, I'll call you a fool that is honestly being parted from his money by a "service". But we know that's not how it works. It's 100% fraud, deception, and misrepresentation, which is against the law pretty much everywhere, including India.

But you're right, they don't really care that much, it brings money into the country and they can drop a thin veil of plausible deniability over it all. But it's allowed most of the time, until someone makes a big stink and then they jump in and assist with one or two takedowns out of the thousands that are running, to prove they're "not ignoring it".

Comment chief enablers (Score 5, Insightful) 85

two popular tools were used in 81% of the scams

My bet: TeamViewer and LogMeIn.

most were working in large, organized call centers.

This is part of why I don't understand why this continues to be a big problem. They're not some fly-by-night flighty twitchy boiler room working in a different hotel room every week to try to keep one step ahead of a door kick. These are established, stable, organized, stationary, predictable groups that ought to be easy targets for law enforcement. Seeing as this also coincides with only a few geographical locations (India and Costa Rica) I can only presume local law enforcement is either very lax, is complacent ("hey it brings money into our local economy, that's good right?"), or is on the take.

Comment Re:How... (Score 1) 143

But, you do know the "password" is not the key to the account?

As a "sysadmin" I can basically always use your account without you noticing and without knowing your password. How to do that ofc varies from OS.

I've seen that feature in directory services, when you go to the directory admin account configuration. "Use directory admin password to masquerade as other user". Basically means the diradmin master password will authenticate ANY account if you check that box. I've never used that before, and we don't have that option where I work now. It's a bad idea. Allowing an admin to access someone's data, okay, they may need to do that. But allowing an admin to login AS a user, so that they can take actions that appear to be done by the user, and everything they do is logged as though it WAS the user, that's dangerous and almost always unnecessary. If I'm having problems reproducing a problem, I'll go to the user who's already logged in and, while they are there watching, do what I need to do. It's important they stay there over my shoulder while I work because no one can question what I did while the User wasn't there because the user was always there. We also have a policy here of obviously turning our view away from a user's keyboard whenever we need them to enter their password for something. We make it VERY obvious that we are not observing their typing.

A lot of this is "CYA". There's no question whether or not you've done something if it's impossible for you to have done it. "Dave must have logged in as me and emailed that document to the reporter". No, Dave never had your password, and it's impossible for him to login as you. He could only do that if he reset your password to a known value, and then (A) the reset would be logged under his account, and (B) you would know about it because you'd have to reset it back again because Dave would have no way to reset it back to its previous password. If that happened, IT would know and you would know. This works more as a protection for Dave than it does for the User. When you're in a position of power, it's important to maintain your users' trust. And guaranteed accountability is a big part of that.

I've never seen this feature in a local OS environment. On windows or mac, you as an admin can reset someone's password and then login as them, but as above you have no (easy) way to change their password back to its previous value. So the user would be aware that something had happened, even if they don't know exactly what happened. The problem with a local OS is that a sufficiently skilled nerd could copy down the password hash, reset it, do the nasty, and then restore the previous hash. (I could probably pull that off) But this is far from a turnkey action, requiring a fairly high degree of skill and level of access, and not something the average user should need to worry about. If you have guys regularly mucking with the password hash file, you have much more serious problems to deal with than IT masquerading as users.

Comment Re:How... (Score 1) 143

I don't care if you ARE a senior system administrator, you have NO business having a list of user passwords. You have no business having anyone's password, EVER. There are times we need to connect as a user or login to their network account to fix a problem or test something. When that happens, we reset their password, do our work, hand them over the reset password, and their account has the "must change password immediately at next login" flag set. (A) we never know their password old OR new, (B) we get our work done, (C) they KNOW we were logging into their account for a time (this is important, don't skip it), (D) they immediately regain exclusive authentication to their account, and (E) the entire process is automatically logged from start to finish. It's nothing extraordinary, that's just how you do it. Any company stupid enough to have a plaintext password list for their employees is completely undeserving of anyone's pity when Bad Things(tm) happen as a result. Yeah he shouldn't have stolen your truck, but you really shouldn't have left the keys in the ignition.

(the entire password reset process is online for the user - we don't just take a new password over the phone, and we state in numerous places in addition to our AUP at the login window that we will never ask you for your password, and if anyone ever does, to report it immediately)

Of course there were numerous other serious fails in this embarrassing story, but IMHO this was the most disgraceful fail of them all.

Comment not surprised (Score 1) 240

Apple ostensibly was trying to target the pro market, but was trying to spearhead it with aesthetics and novelty like you'd use to target the consumer market with.

Consumers didn't want a super expensive box. Pro users are like "THAT is definitely not going in the rack". So they missed out on both markets. I don't see how this took anyone by surprise.

Now I see they're going to push the iMac into the pro market. Clearly they're still trying to keep themselves on the desktop and out of the data center, but there's plenty of room to work with inside an iMac. Put a few hatches on the back. Give me lots of soldered ram WITH a slot or two to upgrade it. Give me access to BOTH M.2 SSD slots (or 3... or 4?) from the outside. Give me 4 (or 6) thunderbolt ports and a mix of USB.C and USB3. Now that's more like it.

The black dustbin was no more practical than the cube. This is where Apple needs to go if they want to be in this middleground between consumer and pro... call it "pro-desktop".

Comment Re:"a devastating blow to manatees" (Score 4, Interesting) 89

While I'm a strong supporter for saving endangered species, there hopefully comes a point when any endangered species isn't endangered anymore. It takes time and resources to protect endangered species, and when you can call your job a success and strike one off the list as done, you do so in order to direct your resources at the next needy species. There's only so much to go around, and you need to put it where it will do the most good.

If lowering their protection now results in a significant decline, they'll get their name back on the list. But until then, there are many more in need of that assistance.

And to the gentleman that's upset about the lift and says there aren't enough of them, I ask you, how many is enough? Can you put a number on it? Do you even have a number in mind? The EPA etc have entire divisions of bean counters whose job is to run the numbers and calculate the risks when deciding where to spend their money and dedicate their resources - they're not just pulling this one out of a hat. You can count on this decision being the result of examining the numbers closely, and that beats any activist's armchair-quarterbacking on the issue.

Comment Re:This is bullcrap (Score 1) 522

This is different. They are trying to break into a human being, as a way of breaking into a secured hard drive. They are also saying that they know the mind of the defendant.

Not quite. They ARE trying to break into a physical thing, an encrypted device. However, the key is no longer a physical thing. If it's a locked door, they don't force you to turn over the key, they simply break down the door. The key need not be involved.

In the case of encryption, they need the key. So they turn to you.

This becomes a question of "they are authorized to search it, and to use force if necessary, but in this case force isn't effective" They are then taking a step back to the purpose of the law, which is to allow them access to search for evidence. No one seems to be contesting this point, they are allowed, but they are also physically powerless. The route they need to take from there is not the route of force, but the route of key. And that leads them to YOU.

So... it's now a question of "are we looking at the intent of the law, or the (outdated) description?" The kneejerk response is to say "we should follow the letter of the law, not make exceptions based on the intent", because that option appears to offer greater protection to the citizen, which is a good legal default. But this is also the opposite argument used in other cases like where police are charging citizens with federal wiretapping laws when they are filmed beating a suspect that's handcuffed. Now you want to look at the intent and not the words, again to offer better protection to the citizen.

The problem is we can't have it both ways, so we have to pick (either as a whole, or on a case-by-case basis) whether to follow the letter or the intent. Case-by-case is sloppy and inconsistent, and as-a-whole is itself just as much a problem as going by the letter. I personally prefer "intent". In a democracy it's very rare for a badly-intended law to get on the books, but we're always having problems with badly-worded laws with good intentions getting on the books. It seems to happen continuously and certainly is a problem as laws age. So I conclude that "intent of the law" is the more appealing option. Our legal system with police and courts makes up both facets, the police enforce the letter, and those that pass that filter go to the courts where intent can be applied. Citizens can get out through either door, and so they should only successfully get prosecuted when both letter AND intent pass muster.

I think if you want to make a defense here you're going to have to give up defending the key and look to defending the data. If you can get a court to believe that the data on the hard drive should be considered part of your fourth amendment protected status, you may have a case. If I think to myself "I wish my ex was dead", that's protected. Once I type it into a word document, suddenly my thoughts become searchable and admissible evidence. One can't be used to incriminate me, the other can. If you want to call the document protected, now what happens if I print it out? Is the printout protected too? What if I copy the file? Upload it somewhere? It's a difficult hair to split.

A legal system that requires the assistance of the defendant to prosecute them is clearly going to experience failures. And that's what encryption is currently doing. "Contempt of court" seems to be getting a lot of use nowadays in cases where the law indeed does require the assistance of an uncooperative defendant - it itself is not a problem, but it IS a symptom OF the problem. I'm not against it for the sake of privacy, but I think when it becomes evidence, (and they have jurisdiction) they need access one way or another. This issue has been getting kicked around for quite awhile now and nobody's come up with an easy solution to it yet so I'm not holding my breath.

Comment Re:This is bullcrap (Score 2) 522

This is a case of secured evidence, not self-incrimination. If you have a locked safe that you won't give the combo to, they have the legal authority to break into your safe (and not compensate you for it), this is just an issue of where they are authorized to use force, but don't have sufficient force. (and this does indeed piss off the law / govt when it happens, they fancy themselves omnipotent and take enormous offense when proven otherwise)

It really comes down to more of a case of getting the book thrown at you for not respecting their authority. Can they do it? Definitely. Should they do it? probably. but not definitely.

Though this defense seemed to work for Ronald Reagan iirc? precedent by president!

Comment Re:Columbia needs auditing (Score 5, Informative) 63

One of the two accounts he was using was a "service account". You probably have a few of those on your system also, that were not created by any system linked into your HR. The manning account probably should have been automatically disabled however.

Seeing as he had IT level access, no automated steps are going to be very effective. If he created the manning account manually and there never WAS a manning user, any automated HR system that removes employees on departure will never trigger on it since it was never in HR to begin with. If your HR system does whitelist filtering instead of blacklist, it has to know which internal and service accounts to skip. (or chaos ensues!) An intelligent IT person will simply flip the necessary switches to make the account not show up in the pool that's being whitelist-checked. There's probably an "Employee" checkbox in the account list, and he just unchecks that, and now the HR script ignores him.

dscl . -list /Users | wc -l
shows there are 103 accounts on my laptop, only four of which are actual interactive users, the rest are system users like sandbox, daemon, windowserver, etc. A marauding system admin can pretty easily sneak in another plausible looking system account into the list of users that don't show up in most userlists.

tl;dr: it's not so easy to detect when someone in a privileged position like IT (or your IT admin) has installed a back door. Hiring someone to come in and do an audit (or hiring a competent replacement that does the same) is your best response to an IT departure, and is really a NECESSARY response to any departure of upper IT, even if the departure was on good terms.
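
One form the audit described in the comment above can take, as an added example that is not part of the original comment: compare the live account list against a baseline reviewed at the last audit plus the HR roster, so that nothing depends on a per-account flag an admin can flip. The file layout, the finding labels and all sample names are assumptions; the `name uid` listing is what `dscl . -list /Users UniqueID` prints on macOS.

```shell
#!/bin/sh
# Added example. Keep the baseline somewhere the admins being audited
# cannot edit (assumption: one "name uid" pair per line).

# audit_accounts CURRENT BASELINE HR_ROSTER
#   CURRENT, BASELINE: one "name uid" pair per line
#   HR_ROSTER:         one active employee username per line
# Prints one finding per line; prints nothing when every account is explained.
audit_accounts() {
    awk -v base_file="$2" -v hr_file="$3" '
        FILENAME == base_file { base_uid[$1] = $2; next }
        FILENAME == hr_file   { in_hr[$1] = 1; next }
        # Everything below runs only on the live account list.
        ($1 in in_hr)         { next }   # active employee, explained by HR
        !($1 in base_uid)     { print "UNEXPLAINED " $1 " uid=" $2; next }
        base_uid[$1] != $2    { print "UID_CHANGED " $1 " " base_uid[$1] "->" $2 }
    ' "$2" "$3" "$1"
}

# demo: run the audit over constructed sample data (not from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    # Baseline of system/service accounts approved at the previous audit.
    printf '%s\n' 'root 0' 'daemon 1' '_windowserver 88' > "$dir/baseline"
    # Active employees according to HR.
    printf '%s\n' 'alice' 'bob' > "$dir/hr"
    # Live listing: one service-looking account and one user-looking account
    # that neither source explains, plus a system account whose UID moved.
    printf '%s\n' 'root 0' 'daemon 0' '_windowserver 88' '_updatesvc 301' \
        'alice 501' 'bob 502' 'jdoe 503' > "$dir/current"
    audit_accounts "$dir/current" "$dir/baseline" "$dir/hr"
    rm -rf "$dir"
}

demo
```

An account that looks like a plausible system user is reported the same way as any other unexplained entry, which is the case the HR-driven cleanup misses.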

Comment Re:perfect opportunity (Score 1) 62

The closed-captioning does speech-to-text, not lip reading.

Closed Captioning is the transmission of text of what is being said along with the video and audio stream. It's up to the receiver to do text to speech.

The benefit of CC here is that you have the "problem" (the video of the speaker) AND the "answer" (the text that they spoke) to work with, and this is precisely what you require to train a neural network. A large volume of problems and correct solutions. "When you get THIS input, you are supposed to produce THAT output". Over and over again, with as much volume and variety as possible. That sort of training is how you end up with a high-accuracy neural network.

To compare that, go do a google image search for "cat". A network properly trained to recognize a picture of a cat needs to see a lot of pictures of cats. But you'll notice the search is polluted with a large number of drawings of cats, more than one cat, and things that aren't cats at all. If a significant number of those get fed into the training process, they can severely affect the network's performance. This almost always means you have to comb over the training material by hand, removing anything that's either not correct or not a good example. CC on the other hand is available in a HUGE quantity, with a very high purity, making training so much easier to do and producing so much higher quality performance from the trained network.

Comment perfect opportunity (Score 2) 62

Seeing as there's so much closed-captioning going on, they've got an enormous volume of material to train their neural network on.

I've done this sort of thing before, and often finding a large set of quality training material is a significant challenge.

Getting half the words correct, then feeding that into a grammar / context engine should yield very close to 100% accuracy. That's what deaf (and hearing impaired) lip readers have to do since the stated 12% initial recognition is about right. They have to stay very focused on the speaker and make heavy use of context to work out what's being said. And that's a perfect job for a computer.

Comment Re:why does this "East District of TX" keep happen (Score 2) 47

None of that seems to explain though why the trolls win in this lower court so often? Especially in stupid cases like this where on appeals all the judges are looking at each other like "HOW did this possibly make it to us? no. just NO. Now go away."

If it all came down to "they have the time to deal with it and have the most experience", you'd expect better and more consistent judgements. Or are some of the defendants just doing stupid things? (I can't imagine Apple/IBM/MS sending incompetent lawyers to a patent trial)
