Posts by Neil Graham


  • OnPoint: MSD's Leaky Servers,

    I don't understand the reasoning behind physical segregation for security. Could you enlighten me Matthew? It seems to me you take the position that networks must be separate because privilege escalation is easy.

    I'm not a sysadmin so I don't get to see the pragmatic view from the field. I am a programmer of the fairly low level variety so I think of things in terms of architecture and theory. My view, from that theoretical position is that you should assume that everything is connected to your network and untrusted connections have low privileges. Any system where you can easily escalate your privileges has effectively no security.

    That doesn't appear to be the way systems are set up. Surely it would be easy to make a bridge across any barrier if you can escalate privileges anyway (even with just a couple of USB wifi sticks).

    Christchurch • Since Nov 2006 • 118 posts

  • OnPoint: MSD's Leaky Servers,

    This is a gif showing an ancient hack on win95 where you could access the system without a password.

    http://i.imgur.com/fqjnK.gif

    The steps you go through to get a File Open dialog are rather convoluted, but once there the principle is the same. From the File Open window you can right click on items to get plenty of options. This mechanism has been known about for years.

    You can pretty much run anything the system lets you do from this view. What systems are supposed to do is not let you do those things. A properly configured system will let you ask for anything and, if you are not allowed, say no! Instead, MSD have a system where they tried to hide all of the possible ways to ask. If you could find another way (which Keith did, using a technique known for years), the system will happily comply.

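The design point in the post above (authorization belongs at the action, not in which menu items the user can see) as an added example; this is editor-written illustration, not code from the thread or from any MSD system, and every class, principal and action name in it is hypothetical. The first model only filters the menu, so a request arriving through another entry point (the file dialog's context menu in the post) goes straight to the backend; the second model checks a deny-by-default policy at the action and does not care which path the request took.

```python
"""Hiding the menu versus deny-by-default authorization (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Request:
    principal: str  # who is asking: "kiosk" (public terminal) or "admin"
    action: str     # what they ask for: "open", "run" or "delete"
    path: str       # the object they ask about
    via: str        # entry point used: "menu" or "file_dialog"


class Backend:
    """Does the work. It has no idea who is asking, so it must never be
    reachable without a policy check in front of it."""

    def __init__(self) -> None:
        self.log: List[Tuple[str, str]] = []

    def perform(self, action: str, path: str) -> str:
        self.log.append((action, path))
        return f"{action} {path}: done"


class HideTheMenuSystem:
    """UI-level 'security': the kiosk menu simply omits run/delete.
    Only the menu path is filtered; any other path reaches the backend."""

    MENU_ITEMS = {"kiosk": {"open"}, "admin": {"open", "run", "delete"}}

    def __init__(self) -> None:
        self.backend = Backend()

    def handle(self, req: Request) -> str:
        if req.via == "menu" and req.action not in self.MENU_ITEMS[req.principal]:
            return "no such menu item"
        # A request that came in via the file dialog is never checked.
        return self.backend.perform(req.action, req.path)


class DenyByDefaultSystem:
    """Authorization at the action: anything not explicitly granted to the
    principal is refused, whichever entry point asked for it."""

    POLICY = {
        ("kiosk", "open"),
        ("admin", "open"),
        ("admin", "run"),
        ("admin", "delete"),
    }

    def __init__(self) -> None:
        self.backend = Backend()
        self.denied: List[Tuple[str, str, str, str]] = []

    def allowed(self, principal: str, action: str) -> bool:
        return (principal, action) in self.POLICY

    def handle(self, req: Request) -> str:
        if not self.allowed(req.principal, req.action):
            # Record the refusal: denied requests are the signal a defender
            # wants to see, since they show someone found "another way to ask".
            self.denied.append((req.principal, req.action, req.path, req.via))
            return "denied"
        return self.backend.perform(req.action, req.path)


def compare(req: Request) -> Tuple[str, str]:
    """Run one request through both models and return their answers."""
    return HideTheMenuSystem().handle(req), DenyByDefaultSystem().handle(req)


if __name__ == "__main__":
    # Constructed sample: the kiosk user asks to run a program, once through
    # the menu and once through the file dialog's context menu.
    for via in ("menu", "file_dialog"):
        req = Request("kiosk", "run", "calc.exe", via)
        print(via, "->", compare(req))
```

The check sits in `DenyByDefaultSystem.handle`, in front of the backend, so adding a new entry point cannot bypass it; with `HideTheMenuSystem` every new entry point is a new hole. The `denied` list is the audit trail: a refused kiosk request arriving via `file_dialog` is exactly the event worth alerting on.
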
  • Hard News: A week being a long time in politics, in reply to Bart Janssen,

    For all the sound and fury, for all the photo opportunities, the polls seem to show that people made up their minds 6 months ago or more.

    People may not change to a different party but if they have a sour taste in their mouth about their pick on election day then they might think it's not worth heading down to the voting booth.

  • Hard News: Any excuse for a party,

    To the kitsch I add this work of genius.

    http://guandongenterprisesltd.com/

  • Hard News: Book review: 'Wikileaks:…,

    Psychopath is one of the most misused words in the English language, given it has a reasonably precise medical definition.

    I'm not sure I would call it misused. It has a technical meaning which is more precise than the common usage. Just like force, speed, theory, significant, etc. The difference is that the term originated on the other side. They can all be misused by people deliberately conflating the different usages, but I think the better solution would be to educate about context.

    But while we're on the topic of scary nutbars, I read the New Yorker piece on Scientology yesterday. I'd heard a bit about Miscavige before, but yeek!

  • Hard News: Book review: 'Wikileaks:…,

    Really, really, really weak response. Computer security enjoys the benefit of an ultimately binary world. Meat-space, not so much.

    Indeed. A wise man once said "the real world cannot be reduced to a cryptographic style problem".

  • Hard News: Book review: 'Wikileaks:…,

    You’ve hopefully made the best choices, but you’ve made choices – and if the bad guys know your choices, they have a significant advantage. Because you sure as hell don’t know theirs.

    You get to make your choices once. If you are significantly disadvantaged by the bad guys knowing your choice then you haven't stopped them. You've just awarded the prize to the bunch who guessed right. It may be worth the gamble if you were trying to stop one attack once, but there's more out there than that.

    Of course the real world is going to provide a stickier situation than one comprised of math problems, but I'm not sure if the principle can be rejected that simply.

    I don't think it is a matter of prioritizing resources. The war on Terror seems to prioritise everything it can identify and half as many that it can't.

  • Hard News: Book review: 'Wikileaks:…,

    A former colleague was a transparency absolutist, who believed that even tactical response plans to terrorist incidents should be public information. The problem with that is that terrorists will read the plans, adapt their plans accordingly, and their attacks will become vastly more successful through the expedient of hindering, if not killing, the responders.

    In IT terms that's known as security by obscurity, and is considered poor practice. While the real world cannot be reduced to a cryptographic style problem, I think there is merit in the notion that you plan your actions as if your adversaries can see everything you are doing and planning.

    To plan a response that relies on a secret not only requires you to keep the secret but that your adversaries cannot consider what you would do and independently come up with information that is just as useful.

    I thought about the idea of a totally open government a few years ago, it may have been around the time that Afghanistan was being set up with a new government. I tried to imagine a system that could maintain individual privacy but no government secrecy. That posed the questions "Could it be done?" and "Would it be better?". It is definitely a difficult problem considering the government needs to work with details about people. There may be a cryptographic solution with some form of ID hash where you can compare two hashes for equivalence but not in a manner where it is feasible to scan one list for a match with an entry from another list. A far easier-to-imagine method is to allow a minimum level of secrecy to allow private details for necessary activities.

    The question of whether or not it would be better of course depends on better than what? I think it's a no brainer that it'd be better than governments with entrenched corruption, but at the other extreme is the ideal nation that Russell describes "if a great state was behaving entirely virtuously, and in accordance with its public positions...". I don't think they would need, in an absolute sense, to be able to speak in confidence. It could easily be beneficial however. I think that's the heart of the idea, the openness would cost you something, it would also gain you something. I think the benefits would outweigh the costs. A nation acting in accordance with its public positions is probably far more likely if people can see everything they do.

    I can't see any way an existing government would transition to such a state of affairs though. That might have been why the ideas were flowing in my head when Afghanistan was becoming a new government. At least an open government would probably stop people taking $50M as carry on luggage to Dubai.

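The "ID hash" idea in the post above, worked through as an added example (editor-written, not part of the thread, and not a claim that any government uses this). The obvious construction, a bare SHA-256 of an identifier, fails the post's second requirement: identifier spaces are small, so anyone can rebuild the whole table and look a token up. A keyed hash (HMAC) under a key held by the party doing the comparison keeps equality checks working for the key holder while leaving an outsider without the key unable to enumerate. The 6-digit "citizen number" format, the keys and the record values are all constructed for the demo.

```python
"""Bare hash versus keyed hash of a small identifier space (added example)."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Hypothetical identifier format: a 6-digit citizen number. The point of the
# example is that this space (one million values) is trivially enumerable.
ID_SPACE = range(0, 1_000_000)


def canonical(citizen_id: int) -> bytes:
    """Fixed-width encoding so both lists hash the same identifier identically."""
    return f"{citizen_id:06d}".encode()


def bare_token(citizen_id: int) -> str:
    """Naive 'ID hash': unkeyed SHA-256. Equality works, privacy does not."""
    return hashlib.sha256(canonical(citizen_id)).hexdigest()


def keyed_token(citizen_id: int, key: bytes) -> str:
    """HMAC-SHA256 under a key held by the comparing party. Same identifier and
    same key give the same token, so two lists keyed alike can be matched."""
    return hmac.new(key, canonical(citizen_id), hashlib.sha256).hexdigest()


def same_person(token_a: str, token_b: str) -> bool:
    """Equivalence check; constant-time compare so the check itself leaks nothing."""
    return hmac.compare_digest(token_a, token_b)


def recover_by_enumeration(token: str, space: Iterable[int] = ID_SPACE) -> Optional[int]:
    """What an outsider without the key can do: hash every identifier in the
    space with the public (unkeyed) function and look the token up. Succeeds
    against bare tokens; never matches a keyed token."""
    for cid in space:
        if same_person(bare_token(cid), token):
            return cid
    return None


def new_list_key() -> bytes:
    """Key for one matching exercise; whoever holds it can match, nobody else."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    cid = 4242  # constructed sample identifier
    print("bare token recovered as:", recover_by_enumeration(bare_token(cid), range(0, 10_000)))
    key = new_list_key()
    print("keyed token recovered as:", recover_by_enumeration(keyed_token(cid, key), range(0, 10_000)))
    print("same person under one key:", same_person(keyed_token(cid, key), keyed_token(cid, key)))
```

The caveat a practitioner would add: the keyed version does not abolish the scanning problem, it relocates it to whoever holds `key`, who can still run `keyed_token` over the whole space. It is the cheap approximation of the post's idea, not the full one; a scheme where neither list holder can enumerate the other's list needs a private set intersection protocol rather than a single shared key.
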
  • Hard News: The next creative industry?,

    I'd be very surprised if NZ could hold onto really top notch developers. Unlike with film, there's no particular attraction to this location. So the ambitious ones will follow the cash.

    The best developers are attracted to the best projects more than the cash I think. I was once in the position of asking a friend if he wanted to do some work on Fitznik 2, Valve asked him to work on HalfLife 2. He's quite happy now in the states.

  • Hard News: The next creative industry?,

    I can't say I'm keen on the idea of the NZ Game industry developing a Fonterra analogue.

    Perhaps a few things can be learned from the local music industry. It's been a while since I did a (commercial) game myself, but I ended up doing it as a result of a conversation with another game maker and we just felt we had an idea that might work so we knocked it together. It worked very similarly to how I imagine musicians join up for projects. The music industry isn't all musicians though, there's a significant infrastructure that gets the creative product to the people who want it. That doesn't exist so much for games. There are plenty of services that provide a similar service to iTunes but they only reach a fraction of the market (and often take a larger chunk).

    For the larger projects, games work like the film industry, huge teams and huge budgets. The huge budgets make people extremely risk averse. Unless there is a lot of faith in the developer, the end product will be just like Transformers, crap but sufficiently hyped to make money.

    To make a gaming Lord of the Rings, you need a Peter Jackson to make someone fund a really creative effort. To get a Peter Jackson, you should be looking for the crazy genius gaming equivalent to Bad Taste. Even then it'll take a decade and a bit of luck to get there.
