5623 posts • joined 21 Dec 2007
Re: Is there a Firefox setting for this ?
The exact same security issue that the researchers in this article 'discovered' was actually discovered by Tor 5 years ago.
It is odd that the paper claims "To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking". I was just reading Ristic's Bulletproof SSL the other day, and he mentions the privacy implications of TLS session tickets two or three times. It should be pretty obvious to anyone who studies IT privacy issues.
The paper seems to have some solid, if unsurprising, work, but the claims in the abstract are a little broad.
I still have never understood why browsers were designed to identify themselves [ or their individual users ] in the first place.
When you visit a website which has sensitive information, would you like to authenticate yourself for every request? Note that HTTP conversations may terminate at any time (prior to HTTP/1.1, there wasn't even a standard mechanism for them to last longer than one request-response exchange), and a series of requests from a single browser may be handled by multiple servers with no shared ephemeral state.
Similarly, TLS session resumption exists to avoid the overhead of TLS negotiation on each connection request. You can get by without it - many TLS clients and servers (though usually not general-purpose web browsers and servers) do so - but it significantly affects performance, which users don't like, and resource consumption on the server, which server owners don't like.
Now, you may argue that a great many sites use client-identification mechanisms for no good reason. I'm sympathetic to that argument myself. But that ship has sailed.
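The tracking mechanism the reply describes, as an added toy model (not the paper's code, the poster's, or any browser's): a server keys its visitor log on the session ticket it issued, so every resumed handshake lands in the same profile, and issuing a fresh ticket on each resumption does not break the chain. The client side shows the mitigation knob a defender cares about: capping resumption relative to the last full handshake rather than the most recent ticket. Tickets, visitor ids and visit times are all constructed; there is no network I/O.

```python
"""Toy model of visitor tracking through TLS session resumption.

Added example: not the paper's code, the forum poster's, or any browser's.
Tickets, visitor ids and timestamps are constructed; time is simulated seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DAY = 24 * 3600


@dataclass
class TrackingServer:
    """A server whose visitor log is keyed by the session ticket it issued.

    A real ticket is an encrypted blob only the server can read; here it is
    an opaque token mapping to a server-side visitor record (constructed).
    """
    ticket_lifetime: int  # seconds a ticket stays resumable
    tickets: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # ticket -> (visitor_id, issued_at)
    visits: Dict[int, List[int]] = field(default_factory=dict)         # visitor_id -> visit times
    _next_ticket: int = 0
    _next_visitor: int = 0

    def handshake(self, offered: Optional[str], now: int) -> Tuple[int, str, bool]:
        """Return (visitor_id, fresh_ticket, resumed).

        Resumption links this visit to the visitor behind the offered ticket;
        a full handshake opens a new, unlinked visitor record.
        """
        record = self.tickets.get(offered) if offered else None
        if record is not None and now - record[1] < self.ticket_lifetime:
            visitor_id, resumed = record[0], True
        else:
            self._next_visitor += 1
            visitor_id, resumed = self._next_visitor, False
        self.visits.setdefault(visitor_id, []).append(now)
        # A fresh ticket is issued on every handshake, resumed or not. It still
        # points at the same visitor record, so rotating the ticket restarts
        # the ticket's age but not the profile's.
        self._next_ticket += 1
        ticket = f"ticket-{self._next_ticket}"
        self.tickets[ticket] = (visitor_id, now)
        return visitor_id, ticket, resumed


@dataclass
class Client:
    """Client session cache with one mitigation knob.

    max_session_age caps how long the client keeps resuming since its last
    *full* handshake. Measuring from that point, not from the newest ticket,
    is what stops ticket renewal from extending the chain. 0 = never resume.
    """
    max_session_age: int
    ticket: Optional[str] = None
    session_started_at: Optional[int] = None

    def connect(self, server: TrackingServer, now: int) -> int:
        offered = None
        if (self.ticket is not None
                and self.session_started_at is not None
                and now - self.session_started_at <= self.max_session_age):
            offered = self.ticket
        visitor_id, self.ticket, resumed = server.handshake(offered, now)
        if not resumed:
            self.session_started_at = now
        return visitor_id


def distinct_profiles(ticket_lifetime: int, max_session_age: int,
                      visit_times: List[int]) -> int:
    """Simulate one client visiting one server at the given times.

    Returns how many separate visitor profiles the server ended up with;
    1 means every visit was linked into a single profile.
    """
    server = TrackingServer(ticket_lifetime)
    client = Client(max_session_age)
    return len({client.connect(server, t) for t in visit_times})


if __name__ == "__main__":
    hourly_for_a_week = [h * 3600 for h in range(7 * 24)]  # constructed visit pattern
    print("no client limit, 7-day tickets :", distinct_profiles(7 * DAY, 10 * DAY, hourly_for_a_week))
    print("client caps session at 1 day   :", distinct_profiles(7 * DAY, DAY, hourly_for_a_week))
    print("client never resumes           :", distinct_profiles(7 * DAY, 0, hourly_for_a_week))
    print("server tickets expire in 30 min:", distinct_profiles(1800, 10 * DAY, hourly_for_a_week))
```

With hourly visits over a week, a client with no cap is one profile for the whole week, a one-day cap splits it into seven, and either "never resume" or a 30-minute server-side ticket lifetime yields one profile per visit, which is the performance-versus-linkability trade-off the reply is describing.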
Re: out of curiosity
Everything wants to be iron.
It doesn't so much want to be iron, as it just eventually gives up and settles for being iron.
Iron is what matter becomes when it runs out of ambition.
Re: How long before the courts move into the modern world?
If you think the scam of emailing to a target to change the bank account number they're paying their builder on is new, then you haven't been around long
Yes. What electronic communication has done is lower the unit cost of sending malicious messages, and the cost of discovering potential recipients.
Of course this fits a broader trend of decreasing cost of communication, benign or otherwise, that goes back centuries. Eisenstein's The Printing Revolution in Early Modern Europe is a good, if dry, survey of the process in Europe for the early modern era (as you may have guessed), and Yates's Control Through Communication is an engaging look at it in the US from 1850 to 1920, when many key innovations happened.
Re: How long before the courts move into the modern world?
fax was considered a legally-admissible format for a document but other electronic means such as email were not due to the possibility (however small) of being compromised in-flight
IANAL, certainly, but in the US the 1997 UETA (adopted by 47 states and DC) applies to "business, commercial ... and governmental matters", and the 2000 ESIGN Act establishes the validity of electronic signatures for interstate commerce, including things like contracts.
I have in recent years electronically signed numerous legally-binding documents, such as real-estate contracts. No faxing was involved.
Re: He should have simply faked his own reviews
After all that's what everyone else does
Bite your tongue. Real IT professionals use machine-generated fake reviews. Writing your own is for the noobs.
Re: Sooo, they fined him less than he spent to do it legally
gave him 6 months
Nine months, according to the article. And as has been pointed out, he'll have to serve them all. Though, frankly, even two months in a prison seems pretty unpleasant to me - probably unpleasant enough to discourage most people from doing something as stupid as continuing to forge court orders just to silence some critics.
Re: Would he have bothered?
If he had reservations about shark-jumping in the genre he created, I am sure it would have happened way back when with "E.T.: The Video Game"
While ET:TVG was universally excoriated, no doubt because it was indeed complete crap, I have to admit that my brother and I put some hours into it, generally laughing hysterically as we tried to make it all the way across the screen without needing to levitate out of more than half a dozen pits.
I'm pretty sure we never won the game, unlike the bad-but-playable Raiders of the Lost Ark game. We also had the 2600 Superman game, which was pointless but did feature an idiosyncratic 2-player mode: One person controlled Superman's flight, and the other his various powers. This, too, lent itself to some hilarity.
Re: That other guy is an idiot
the fault isn't with jQuery itself, but with someone else's plugin for it that happens to rely on server-side code as well
Correct. jQuery is crap (though it's much-improved crap, compared to early versions), but in this case the fault is divided between Sebastian Tschan / Blueimp (jQuery File Upload author and maintainer) and Apache.
I'm inclined to give the lion's share to Apache - disabling .htaccess in the default configuration was really stupid - but Blueimp is not free of blame either. They should be following changes in their dependencies.
Also, frankly, I am not impressed with a file-upload widget that relies solely on .htaccess for security. (And their "fix" is to restrict the widget to image-file types by default; also not impressive.)
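The point that an upload directory should not depend on .htaccess at all, as an added configuration example (not Blueimp's or Apache's own): the restrictions live in the server or virtual-host config, where they apply regardless of AllowOverride. The directory path is an assumption; the mod_php module name depends on the PHP version installed.

```apache
# Added example: server-level hardening for an upload tree, so nothing relies
# on an .htaccess file that Apache may be configured to ignore
# (AllowOverride None has been the default since Apache 2.3.9).
# /var/www/example.com/uploads is an assumed path.
<Directory "/var/www/example.com/uploads">
    # Ignore any .htaccess the upload widget ships; policy is set here instead.
    AllowOverride None
    # No CGI, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes
    # Serve every file as static content, never through a script handler.
    SetHandler default-handler
    # mod_php, if it is loaded under this module name: never execute PHP here.
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    # Refuse to serve script-looking files at all, belt and braces.
    <FilesMatch "\.(?i:php|phtml|phar|pl|py|cgi|sh)$">
        Require all denied
    </FilesMatch>
    # Hand uploads back as downloads and stop content-type sniffing (mod_headers).
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"
</Directory>
```

A quick check after reloading is to request a file named like a script from that directory and confirm a 403, and to fetch an uploaded image and confirm it arrives with the attachment disposition rather than being rendered inline.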
Re: Or the fourth option...
I'm sure the owners of Samsung devices will miss the regular and timely security updates
Miss what, now? Neither of my Samsung Android phones have ever received "regular and timely security updates". Rare and apparently random updates, perhaps.
Re: Or the fourth option...
I have been running my phone without google apps and services installed since January. It started as an experiment, but I've not ever felt the need to go back.
When I deGoogled a previous phone,¹ the only thing I had trouble with was finding a calendar app that would work without access to the Google calendar service. I didn't want one that sync'd with anything, just something that would show a valid calendar and let me note things in it. None of the ones I downloaded off F-Droid, including supposedly "offline" ones, worked with the Google calendar service disabled.
So I just created notes for appointments, and transcribed them into my work calendar whenever I got around to it. Worked OK. Back in the Dark Ages we used to do the same thing with pen & paper.
¹ Which I'd still be using, if the screen hadn't spontaneously failed completely. Replacement phone didn't last long enough for me to get around to deGoogling it; the touchscreen stopped responding to touches less than a year after I bought it. Haven't even gotten around to rooting the current phone, and I'm not sure I want to take the time, because these things are crap that breaks far too quickly. (My Nokia Symbian 6 phone worked fine for 3 years, and still works when I need it as an emergency backup, though the battery life is rubbish and there are a few dead pixels on the screen. None of the Android phones I've had have made it past the 2-year mark.)
Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound
I wonder if they realise that those sorts of sound libraries are often built with fake sounds?
Irrelevant. They build the model, then they test it against the gold standard, which in a case like this is typically human judges.¹
If the system does well relative to the standard, then it doesn't matter whether it was trained on authentic or synthetic data. The proof of the pudding is in the eating.
¹ Hopefully a representative pool of them, tested using a methodologically-sound approach, so the baseline is useful. I'm just assuming that here.
We keep hearing about more and more ways that these "boffins" are trying to come up with better ways to spy on people.
That research will happen regardless. It's much better when it's made public, as in this case, than when some giant corporation keeps it to itself. This way we at least know what's been done in the field, and can consider how to use or counter it.
Re: GPL & C. were thought before the "cloud"....
starting more or less with Google, someone understood they could offer services without distributing software
"Starting more or less with Google"? True, I suppose, for vanishingly small values of "less".
Timesharing systems, BBSes, Service bureaus... People have been offering software-as-a-service since at least the 1970s.
Re: A different name for every site?
You would end up with sons called "Opening Batsman" and daughters called "Big Tits"
And this would be a problem, why, exactly?
Well, Mavis Altounyan wasn't very fond of it.
(This is my entry for the Obscure Literary Reference Of The Day contest. SAAFE!)
Re: Why it looks to me like..
Why are you storing certificates in an HSM?
Keys you store in an HSM. Certificates are supposed to be public. That's the whole point of certificates.
And the proposal suggests using keys stored in an HSM. They're not reinventing that wheel; they're suggesting you use it.
Microsoft has signed up to the Open Invention Network. We repeat. Microsoft has signed up to the OIN
Re: maybe Plan L from outerspace?
Until MS started doing server versions of Windows the two were largely complementary.
Yes. Meanwhile, Xenix wasn't making MS a lot of money, and before Windows NT Microsoft was invested for a number of years in OS/2. Xenix simply wasn't a priority for them. I don't think there was anything more subtle than that going on.
People interested in ML should take a look at the first link in the article. It goes to a Microsoft blog post that has quite a bit more information about Infer.NET (which has been available for academic use for ten years, by the way, and has been studied pretty extensively), and that links to a free ebook.
I've just started skimming through the book, and it seems quite good, at least in terms of explaining the concepts. I know most of the Reg readership is content to sneer at ML and toss out some clichéd comment to prove that they've paid no attention to the field in decades, but anyone interested in actually learning a bit (even to formulate stronger arguments about the failings of ML) who hasn't been following the research ought to take a look at the book.
I think I'd find using a PC without workspaces (virtual desktops) or something similar to be extremely confining.
Windows has virtual desktops - has had since NT4, actually, though Microsoft didn't actually expose the capability to users for a long time. Even now they don't go to any effort to publicize it.
You'd probably still find it pretty confining, though. Windows has a way of making everything seem meager.
But as another person has noted, virtual desktops are nothing like Piles / Stacks / Fences.
It's configured so it doesn't even have the usual max/min/close decorations on the windows...
In the Good Old Days, I ran uwm on RT PCs with AOS (BSD) 4.3 and RS/6000s with a similar configuration. No window decorations except a 1-pixel border. No desktop GUI controls; everything was mouse buttons + keyboard modifiers. "Minimizing" reduced the window to a shortened title in a small italic font - just a little colored rectangle with a small bit of text, in place of the normal-size window for that application. (You could drag the minimized windows around if you wanted.)
Excellent use of screen real estate while minimizing WIMP condescension.
Alas, uwm eventually disappeared from the X11 distribution and I never got around to recreating it. Now I spend most of my time with Windows and hardly ever run X, so I probably never will. (A lot of the code I work on runs on Linux and various UNIX platforms as well, but they require much less attention than Windows. When they do, I just ssh or telnet into the appropriate box; there's no need for a GUI. If I'm using X it's probably for my Kali VM.)
Re: For the love of God...
Stop these shit “in my day” Monty Python pastiches. Now! The originals were barely funny. These... even less so.
So you're saying nostalgia was better when you were a lad?
Re: Once upon a time
I have to say that when I first joined LI (as a favor to a friend who was looking for a new position), it would fairly often recommend posts I actually was interested in. I probably read on average about one post a day.
Over the past couple of years, I've read maybe one LI post a month. Either their recommendation system has gone to hell, or the quality of the content posted to LI has.
There have also been various ill-considered UI changes - someone at LI has a pathological z-order fetish - and other problems. And I dislike many LI "features", such as the endorsements, which I feel are worthless (some random person claims I have skill in some area - so what?) and tacky.
I've kept my account, again because I have friends who occasionally use LI for job-hunting, and because I now have a friend who's a developer there. But I have to admit that I make very little use of it myself, and it does not tempt me.
Re: Holes by design (costs $1M per hole, DOD rates)
I think your malice / incompetence ratio is way off there.
I'm sure the DoD runs some honeypots. It's not impossible that some are done in cahoots with State to try to ensnare and persecute token victims, and there may even be some quid pro quo (though really DoD has no trouble getting funds; it receives quite a lot of money it doesn't even request in its budget, thanks to legislators who want to keep jobs in their districts).
But the vast majority of the problems highlighted by the GAO are going to be due to poor management, incompetence, and systemic problems like legacy systems.
Re: How long have processors *connected* to a network been part of military systems?
Decades at least.
Sure. Stoll's The Cuckoo's Egg came out in 1989, so for nearly 30 years it's been popular knowledge that there are DoD systems connected to the public Internet. Even many non-techies were aware of that.
Of course, since the Internet was itself a DoD project to begin with, there have always been DoD systems on it. But not everyone's aware of how many production DoD systems are exposed.
Re: "instructing them to insert two quarters to continue operating.”
"For three quarters, I'll trigger an immediate Windows update, and you can have the rest of the day off."
Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials
After the lawsuits shut down their company and drove it into bankruptcy,
Yeah, just like Equifax! Oh, wait.
the principal board members might actually face criminal charges
Considering the vast difficulty of proving any of them knew anything about it, I doubt any AG would even try to take it to trial. If I were on the board of a company, and decided to engage in shady dealings, you can damn well bet that my lawyer would be copied on any communications, to attach privilege.
breech of contract being #1 on that list
OK, I admit that if your breeches contract, you may have something to worry about. But let's not get our knickers in a twist over it.
Re: This Ryan Satterfield person is full of it...
Eh, I skimmed his feed, and not everything he says is bullshit.
The tweet that Richard quoted in the article is kind of stupid - IT security researchers should think long and hard, and then phrase their arguments carefully, any time they come down against disclosure. That's as sacred a cow as you'll find in this business. (And as the subhead notes, Google themselves are happy to wave the disclosure flag as it pleases them.)
And yes, I didn't bother looking at those card-image posts, but I had a feeling they were probably rubbish too.
Some of his other comments are reasonable, though. I'm willing to give him a pass on this one, and hope he grows out of the habit of tweeting without thinking.
Re: Never trust the +
Hey! My blood is AB+ and I ... eh, you know what? I don't trust that stuff either. Stupid blood.
All priorities are top priorities, for sufficiently large values of "top".
Securing your products is a way to make money - if your competitors take the view that they don't need to. The choice as to who gets my money is mine. Your choice to not secure your product would automatically exclude you from my shortlist.
You aren't representative of the broader market. The evidence for that is overwhelming.
Not securing your products is also a sure fire way to turn an insecure product into one or more business-ending expensive legal cases.
No, it is not. Such litigation (much less prosecution) is rare, and even more rarely successful. You're living in a fantasy.
If a car manufacturer produced a car that was race-car fast, but dangerous to drive, the car manufacturer can absolutely be faulted for it even if the market overwhelmingly wants race-car speeds.
Many car manufacturers do sell models that are very fast and difficult to control when they are operated at high speed. Notorious examples include many of the Porsche 911 models, the Aston Martins of the 1990s, pretty much all American muscle cars, ...
And most of the security (safety) measures that cars incorporate are present due to government regulation, because given the choice, the market would prefer faster and cheaper over safer. There's no evidence to suggest that a significant portion of the automobile market is willing to pay more (either in direct price, or in reduced features elsewhere) for safety.
There is no similar regulatory regime for CPUs or other IT components, except in extremely limited areas such as FIPS 140 compliance for cryptographic systems sold to the US Federal government (and FIPS 140-2 is arguably counterproductive). A "more secure" CPU would almost certainly have failed, or at least been a niche product.
Consider that Intel ended up canceling the '432 because no one wanted to buy it. The AS/400, a not-quite-a-capability-architecture system, succeeded only among IBM's largely captive market. How many Burroughs mainframes (B5500 and its successors) or MCP-based ClearPath systems do you run into?
By and large, people have been unwilling to spend money on security beyond the point where they believe they have achieved parity with their peers.
Didn't you get the memo ?
Hell, my Win10 machine gets the memo several times each month. The text is a little strange - something about "You need to reboot your computer to make Windows even better!". But the meaning is clear: "Fuck you, we own this box, and we're going to push our crap software onto it whenever we like".
Re: Insiders - should be better than this
We were told to expect that StrangeEffects will be a regular occurrence.
We are clearly warned that BadThings might happen.
We are absolutely encouraged to keep backups.
When did they tell you that you might have to travel from Ottawa to Toronto to get your system fixed? Just curious.
Re: @AC But that wouldn't bring three thousand million...
Oh "shock horror" doing a quick sync/backup before updating?
This is Win10. It decides to do the update for you, without warning, if you leave the OS running overnight.
Re: Why even touch user folders?
They tend to be huge, 1.5-3GB. A far cry from the old windows updates most are familiar with.
On the plus side, they're also appallingly slow. When my Win10 machine (a recent-model Dell laptop, supplied by my employer, of course, since I wouldn't pay money for Dell equipment or Windows 10) updated a few weeks ago, it took over three hours to finish the "update", not counting download time. Three hours, during which the machine rebooted four or five times, and sternly warned me not to turn it off or touch anything or look at it sideways.
This was problematic not only because of the obvious failure modes (hey, Microsoft, some people have desktop machines that aren't on a UPS...), but because I had to leave for a trip that morning. Of course, I wouldn't have chosen to install an update right before I had to leave, but Microsoft decided to force one on me overnight "to improve my experience" and "make Windows better".
You know what would make Windows better, Microsoft? Stopping the compulsory "updates", and firing whoever approved that idea in the first place.
Re: If this was an Apple product
there are some nice little features of Windows 10 that make it enjoyable to use
Like what? Honestly, there is not a single change in Windows 10 that I feel is an improvement on Windows 7. Not that I'm fond of Win7 - but Win10 is a fucking unmitigated nightmare. Windows 95 was better. OS/400 V3 was better. Using MVS via JCL jobs and TSO is better. Frickin' MS-DOS 2.0 may not have been better, strictly speaking, but it was less annoying.
I've used a lot of operating systems, and none has come close to the continual stream of aggravations and outright horrible behavior of Win10.
On the seventh anniversary of Steve Jobs' death, we give you 7 times he served humanity and acted as an example to others
Re: An exhaustive list of really nice people who built a multi-billion business:
"Other people are bad, so let's ignore the bad things this one did."
if he wants to eat, one of twenty servants immediately brings him what he would like, and if he thinks about his favorite song, it starts playing
Perhaps it's just me, but this sounds agonizingly awful. Every inclination immediately satisfied without effort? What a dreary and unrewarding existence that would be.
Of course, it's also completely incommensurate with the notion of nirvana, so the idiot that said it (in the article OP linked to) is obviously a cheap charlatan who's just peddling bullshit for attention. Still, if that's what the afterlife is like, I don't want any.
Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?
Re: Fun and games
Bloomberg is being overly picky about what constitutes a "sermon" and a "congregation".
Certainly many sects observe the practice of laying on hands. And you can't fault their faithful devotion.
They seem to think that software developers will tolerate it from Visual Studio as well. That's also on a rapid release cycle and is become rank.
Oh, yes. Venomous Studio 2017 is remarkably terrible. Painfully slow when it runs at all, and less stable than an elephant on a pogo stick.
I try to use VS only for debugging .NET code. I have bash+gvim+msbuild (or whatever build engine a particular project uses) for an "IDE".¹ I have windbg for debugging native code on Windows; it's a lot clunkier than, say, gdb, but it has decent features and generally works correctly. I don't need Intellisense because I am capable of reading documentation. I don't need a bunch of "designers" at all, thank goodness.
But even in my very limited use of VS 2017, it hangs or crashes at least half the time. I frequently resort to instrumenting my code because it's faster than getting the VS debugger working. Earlier VS versions were annoying, but they were far more reliable.
¹ My Integrated Development Environment is the entire OS. Why would I want something less than that?
Re: You remaining folk that still run Windows...
It's a work machine, and must be joined to the corporate domain. I can do what I want in VMs running on it (and I do, to some extent, but both VMware and VirtualBox occasionally give me problems with network bridging), but the host OS has to be Windows.
Re: mapped network drives
The problem with mapped network drives not reconnecting automatically is there in Windows 10, like forever.
And, oddly, whenever my Win10 machine reboots (at least weekly, thanks to Microsoft's limitless store of incompetence and malice), it tells me it couldn't reconnect to mapped drives even though there aren't any. I always set my mappings to non-persistent, typically by doing a "net use /persistent:no" before I ever map any.
But Win10 is such a pile of garbage that I can't be bothered to investigate. There are far more obnoxious issues to worry about, such as the machine's failure to get its updates from our corporate SCCM servers (instead it continues to insist on pulling them directly from Microsoft), and its failure to keep my default application choices across reboots. That latter problem has been documented by hundreds of people in various MS forums and such, and so far Microsoft's response has been "ha ha, fuck you guys".
Re: What could go wrong?
You can have less supply than you want and guarantee it’s secure
Such a guarantee is only valid when supply reaches zero.
A guarantee of security in a general sense is nonsense; it is either ignorance or fraud. It's possible to make certain specific guarantees regarding certain classes of attack under certain threat models with certain assumptions and qualifications. That's the best anyone can do.
And having an adequate supply is itself a security benefit. The trade-off here is not between "supply" and "security"; it's between two aspects of security.
Re: That is a moon
watch out for furry midgets
Definitely, because the Ewoks are the most dangerous species in the Star Wars universe.
I am looking forward to the message back from the telescope:
"That's no moon"
[Paul Hogan voice] That's a moon!
So in theory, the Presidential level is even worse than an Extreme Threat.
Yes, that fits with my analysis of the President, too.
Not sure why it needed to be called the "Presidential" warning test.
Because there are different classes of WEAs. You can, in fact, opt out of all of them except the Presidential ones, which are only supposed to be used in world-is-burning sorts of emergencies. Though I personally struggle to think of a use case where this will actually be helpful.
I've opted out of everything except Presidentials myself. I have never been in any position to do anything useful with an Amber Alert (which are nearly always "look for a car matching this description, last seen hundreds of miles from where you are a couple of days ago, so good luck with that, particularly if you're not actually on the road"), and the other sort have proven equally useless. I think the only time I've ever heard one of the "severe weather" ones, it was for thunderstorms that were, again, far away from my current location. Useless.
And the alert klaxon is fucking horrible. The first time it went off while I was driving I nearly jumped out of my skin (particularly since my phone was Bluetooth-linked to the car, so it played through the speakers). I thought I had hit an air-raid siren or something.
I grew up in a world without mobile phones and push notifications from the Feds,¹ and many of us survived to adulthood, despite the odds. I think I'll continue to take my chances.
¹ Aside from the old EBS, which we hardly ever noticed, because we didn't have the television or radio on all the time.
isn't all security based on some dependence on obscurity? whether it's an 8 char easy-to-guess password or a 1024 char key - they're both dependent on how hard it is to guess the information, no?
No. For one thing, many security mechanisms have vulnerabilities with a work factor smaller than brute-forcing the secret.
More importantly, "security through obscurity" refers to violations of Kerckhoffs's principle. The information about a security system which is not known to the attacker is in effect part of the key. You'd like that information to be uniform: equally difficult to derive from side channels, equally easy to change, etc. That makes it amenable to analysis, among other things.
If part of your security comes from keeping a mechanism secret, then part of your key is undesirable. Mechanisms can't be changed as easily as pure-data keys. They're vulnerable to discovery, because they're repeated in every instance of the system. For cryptosystems, it's hard to analyze their strength, because they contain redundancy; useful machines are not evenly distributed in the universe of all possible machines.
So what you want - and this is Kerckhoffs's point - is to consider only the actual key as secret. Assume the attacker has everything else. That makes analysis tractable, and avoids overestimating security based on a fragile secret.
Re: And the consequences are?
There aren't any to speak of, for "IT security" considered broadly.
Malware scanning contributes only slightly to an organization's security. Most malware is not caught by scanners - developers make use of services that check it against extant signature lists and detection systems, then tweak it if it's detected, often using an automated process.
Scanning email is an even smaller portion of that.
Of the various companies selling email-scanning products and services, either they'll pay royalties to Glasswall, or they'll fight Glasswall, or Glasswall will never ask them for royalties in the first place. (If Glasswall come after any of the big players, they'll probably be acquired and squelched.) This is one small patent in one small corner of IT security.
Time to get that promotion file ready
Donna Strickland, an associate professor at the University of Waterloo
Man, even at Waterloo, I bet a Nobel counts for something when you go up for full professor.
In all seriousness, congrats to the lot of them. The Nobel certainly isn't an ideal mechanism for recognizing the best work (too few recipients, takes too long, etc), but that needn't stop us from applauding those who get one.