Posts by Dennis 25 publicly visible posts • joined 29 Oct 2007
In response to: "And Dennis with his omen of doom, well as they say round here; put up or shut up, let's see this mythical GPG 'malware' then."
Next time, please do some cursory research before flaming.
First, actually click on the link in the comment before writing your own comment.
Second, I would recommend using Google to search for relevant keywords.
If your searches are thorough, you should come up with some interesting stories surrounding the recent Chinese cyber activity against the Falon Gong and Tibetans.
Otherwise, nice use of a semicolon.
GPG == no trusted third party for keys == security theater.
Fail.
Leave GPG for hobbyists, and students of information assurance.
@Frank Gerlach:
http://www.internetnews.com/dev-news/article.php/64191
Good article. Want to use GPG? Good! There has been malware waiting for your keys for at least 9 years!
My coat is the one with the Alfred E. Newman GPG key pair in the pocket.
Herbert Meyer,
I think you got my subtle humor about the basement....thanks. I agree with your second comment 100%.
At those who feel like lecturing on not using Fedora for production systems:
I would suggest being a consultant for a period of time for exposure on just how bad some IT environments really are, especially in the SMB market. You are preaching to the choir and completely missing the point. Next time I will preemptively add caveats to my comments to try to prevent knee-jerk reactions from some readers.
I agree with Tom Chiverton. I would have really appreciated a heads up, to make sure the appropriate people were reacting properly to a potential issue. Actually, I could see this being a huge issue for any organization that uses Fedora for even one critical system.
I also agree with the last sentence Herbert Meyer left, especially since this story is already at least partially stale. I make it a habit of reading El Reg because of the (sometimes) pithy, (usually) in-depth background reporting I cannot easily find elsewhere.
Having said that, someone please push Herbert Meyer back into the basement corner with the rest of the Linux admins, and tell him to get back to his scripts.
Obviously there are issues, and this will most likely not prove to be the cure for malware.
Kudos to AVG for being proactive though....
I do not mean proactive as in trolling before clicking (as the first commenter already pointed out), but proactive as in not just twiddling their thumbs like we have seen from some other antivirus (etc) vendors.
For non-security people reading this: the reactive (juxtapose with proactive) approach to antivirus has not been working (nor been sustainable) for quite some time. There are plenty of white papers, etc. already written I recommend reading.
While reading all of the comments, I noticed people are questioning his intelligence because of some of his actions that got him caught. I would argue there is a big difference between acting based on naiveté and acting based on stupidity. He was a kid, and did things that kids do because they do not have the "common sense", "life experience", "street sense", or "life experience" to know not to do certain things. Unless, of course, you are stupid enough to think you really did have life mastered by the age of 18.
From reading the article, it is obvious his naiveté got him caught, not a lack of intelligence. Too bad he could not have met a better mentor to direct his skill and motivation to something more legal and ultimately profitable.
I grew up in Pennsylvania and lived there many years, until my career eventually took me to other regions. During my time there, I saw a level of incompetency and corruption in government there (both local and state levels) I have never experienced anywhere else. Not that other places are Utopia or anything. This development should just be seen as normal business. Good for the user who exposed this. That state needs more people like mtg169 to peek under the rug.
Not checking the validity of server certificates is transparent to whether you are shopping/banking online, logging into the SSL/TLS VPN, or using WPA-TLS. The media (wireless, wired, etc.) is also transparent at that level (see OSI model for a framework).
I believe your "simple answer" should be to no longer use SSL or TLS, or for that matter any technology that requires certificates (see PKI).
There is a valid argument about client-side security, but your post only displays a misunderstanding of the real issues involved in both the "client-side security" and "WPA-TLS" issues.
If you read the original paper, this is actually able to be fixed with proper administration. You just need to make sure the supplicant (that means the program on the client that will do the connecting) checks the server certificate's validity. The fix (for MS at least) is even shown in the article.
I understand the point is to get the most people possible read the article...but I think the article reads too much like FUD.
I went to an American inner-city public high school with gang problems (after something called "forced busing" was enforced). I left the inner-city soon after graduation (1998). Yes, the gang members could have thrown their guns, knives, etc. over the wall and through the fence, etc. After the metal detectors were installed, though, the police officers at the school did not have to deal with nearly as much hallway violence. It was noticeably safer for me to be in school, and the detectors never went off on me despite my school gear. Yes, things still happened, but most of the goons obviously kept their violence away from the school at that point.
Anyone who wants to attest to why this happened is, of course, speaking off of opinion and not fact. Of course, that does not seem to stop people from doing so. Perhaps the trouble makers decided there were better places to fight and oppress? Maybe the real effect of the detectors was deterrence, which is based more on psychology than "stopping power".
I suspect the British authorities looked at the "success" of American school metal detectors for the idea, or for an example. As an American, I am embarrassed that measures such as metal detectors must be used. Perhaps people should stop being angry about how effective the metal detectors could or could not be, and start being embarrassed at how bad things have gotten. The real problem in both countries, after all, is not the detector.
I understand your comment, but I have yet to meet a PhD in computer science who is good at anything but: academic research, writing academic papers, and sticking their hand out for grant money! Maybe leave that part out next time.
Otherwise, as a former consultant, this will be just one more hoop to jump through to do business. I'm sure the "qualified" companies doing this are thrilled at the prospect of not having to worry about pesky (and competent) competition from the "little guys".
Did anyone else notice that the same argument for biological metrics is used for polygraph machines? There is a reason polygraph tests are not used in U.S. courts for proof of guilt or innocence. Can we expect the same benefit from a company's management when HAL provides a false positive or negative reading?
I suppose this is to the other's who think the same way Ian does as well...
Your personal experience with the system (software + hardware) says very little about the presence or absence of bugs, and where those bugs lie. I suggest you become knowledgeable on the theory and methodology of software/system testing before making grossly inaccurate comments again. I suppose Wikipedia would be a good place to start, though I cannot personally vouch for its accuracy nor its completeness.
If you find this topic interesting, post a comment saying such, and I can refer you to some more thorough reading material on the subject.
I have attended a couple of presentations given by Microsoft executives in the last 12 months. Most have centered around some aspect of security, and all have been given (initially) on a laptop running Vista.
I do not run Vista personally, so I cannot personally attest to how Vista's qualities. I can, however, speak to the fact that at EVERY SINGLE presentation, the M$ executive speaking had to eventually switch to a machine running XP, because his/her Vista presentation laptop repeatedly crashed. I feel bad for the apologetic presenters, because I am sure there is a company policy concerning presenting on Vista.
If a new car model continually broke on the showroom floor, would YOU rave about it, let alone buy a fleet of them for your business?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
