I thought this humorous essay [PDF] on modern computer security would be an interesting read for SN; here's an excerpt.
Security research is the continual process of discovering that your spaceship is a deathtrap. However, as John F. Kennedy once said, "SCREW IT WE'RE GOING TO THE MOON." I cannot live my life in fear because someone named PhreakusMaximus at DefConHat 2014 showed that you can induce peanut allergies at a distance using an SMS message and a lock of your victim's hair. If that's how it is, I accept it and move on. Thinking about security is like thinking about where to ride your motorcycle: the safe places are no fun, and the fun places are not safe. I shall ride wherever my spirit takes me, and I shall find my Gigantic Martian Insect Party, and I will, uh, probably be rent asunder by huge cryptozoological mandibles, but I will die like Thomas Jefferson: free, defiant, and without a security label.
[Also Covered By]: Schneier on Security
(Score: -1, Troll) by Anonymous Coward on Sunday August 30 2015, @05:23PM
No, shut up and install adblock and boycott Windows 10 because SCARY HACKERS
(Score: 2) by AnonymousCowardNoMore on Sunday August 30 2015, @05:40PM
Doesn't matter if I'm paranoid because they're still out to get us. There's money in it, so what do you expect?
(Score: 2) by davester666 on Sunday August 30 2015, @07:06PM
Really? Hypothetically, how much would I get for killing you?
(Score: 2) by frojack on Sunday August 30 2015, @09:19PM
In this liberal sentencing world, probably not more than 6 years, with time off for good behavior. Unless you are black.
No, you are mistaken. I've always had this sig.
(Score: 1) by Post-Nihilist on Sunday August 30 2015, @10:50PM
Since he used a computer to find you, his 6 years become 18 and he cannot use the Internet until he has cataracts.
Be like us, be different, be a nihilist!!!
(Score: 2) by q.kontinuum on Monday August 31 2015, @05:58AM
Depends. If he finds a way to invoke "stand your ground" (e.g. by pulling his gun and afterwards having a reasonable feeling that AnonymousCowardNoMore might also pull a gun and shoot him), he might walk free? Or if he waits for nightfall and claims he perceived him as a black person? (If ACNM is actually black, that would of course simplify matters enormously, while things would get difficult if davester666 turns out to be black...)
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by davester666 on Tuesday September 01 2015, @08:22AM
He clearly provoked me by claiming that I would get some amount of money for killing him.
(Score: 1, Informative) by Anonymous Coward on Sunday August 30 2015, @05:54PM
The one you should fear is Microsoft and the governments they do business with, not "scary hackers".
Of course you should install adblock and boycott proprietary software.
(Score: 4, Touché) by Runaway1956 on Sunday August 30 2015, @06:16PM
" Thinking about security is like thinking about where
to ride your motorcycle: the safe places are no fun, and the fun
places are not safe. I shall ride wherever my spirit takes me, "
But, it doesn't hurt anyone or anything to take a motorcycle safety course or two, and it CERTAINLY doesn't hurt to read authors such as Keith Code, or David L. Hough. Understanding the physics that govern when, why, and how your motorcycle turns doesn't detract from the enjoyment of the ride. Knowing the reasons that your lane is divided into three portions isn't going to slow you down any - in fact, it can potentially keep you "up on two" longer than failing to understand.
Yeah, I'll ride wherever my spirit takes me, but I depend on experience, knowledge, and judgement to keep me alive while I'm getting there.
(Score: 4, Insightful) by frojack on Sunday August 30 2015, @08:50PM
experience, knowledge, and judgement
Of those, only knowledge can be taught. The rest you just have to pick up as you go.
The whole business of survival is hoping insufficient quantities of those three qualities do not kill you before you obtain a sufficient quantity of at least one of them.
By and large, the world is far more benign than most suspect, and people somehow survive long enough to procreate.
By and large, computers and the internet are far more vulnerable than we think. It's a good thing most of our computers contain so little of interest.
(Score: 2) by fritsd on Sunday August 30 2015, @08:39PM
Okay, but only because you command me to.
(Score: 1) by darkengine on Sunday August 30 2015, @06:26PM
James Mickens is my fucking hero. Here's another great piece he wrote about systems programming:
https://www.usenix.org/system/files/1311_05-08_mickens.pdf [usenix.org]
(Score: 0) by Anonymous Coward on Sunday August 30 2015, @08:46PM
Sounds like it's way too hot and humid where he lives, and the Dengue mosquitoes are after his head.
(Score: 1, Insightful) by Anonymous Coward on Sunday August 30 2015, @06:33PM
(Score: 0) by Anonymous Coward on Sunday August 30 2015, @06:48PM
about:config > pdfjs.disabled=[boolean]true?
(Score: 0) by Anonymous Coward on Sunday August 30 2015, @06:49PM
What is wrong with a pdf? Any security flaws associated with it are the fault of document readers i.e. the same developers that unleashed the locust locus that is flash.
(Score: 4, Insightful) by Runaway1956 on Sunday August 30 2015, @07:15PM
There are a number of PDF readers, and writers as well. PDF isn't especially secure, nor is it especially insecure. Adobe reader, however, has proven to be terribly insecure.
$ pacman -Ss PDF
extra/cups-pdf 2.6.1-2 [installed]
PDF printer for cups
extra/evince 3.16.1-1 (gnome)
Document viewer (PDF, Postscript, djvu, tiff, dvi, XPS, SyncTex support with
gedit, comics books (cbr,cbz,cb7 and cbt))
extra/gv 3.7.4-2
A program to view PostScript and PDF documents
extra/poppler 0.33.0-1 [installed]
PDF rendering library based on xpdf 3.0
extra/poppler-data 0.4.7-1
Encoding data for the poppler PDF rendering library
extra/potrace 1.12-1
Utility for tracing a bitmap (input: PBM,PGM,PPM,BMP; output:
EPS,PS,PDF,SVG,DXF,PGM,Gimppath,XFig)
extra/pstoedit 3.70-2
Translates PostScript and PDF graphics into other vector formats
extra/qpdf 5.1.3-1 [installed]
QPDF: A Content-Preserving PDF Transformation System
extra/texlive-bin 2014.34260-8 [installed]
TeX Live binaries
extra/zsh-doc 5.0.8-1
Info, HTML and PDF format of the ZSH documentation
community/apvlv 0.1.5-1
PDF/DJVU/TXT viewer which behaves like Vim
community/dblatex 0.3.4-2 [installed]
DocBook (XML and SGML) to DVI, PDF, PostScript converter using latex.
community/epdfview 0.1.8-6 [installed]
Lightweight PDF document viewer
community/erlang-docs 18.0-1
HTML and PDF documentation for Erlang
community/gambas3-gb-pdf 3.7.1-2 (gambas3)
PDF component
community/impressive 0.11.0b-1
A fancy PDF presentation program (previously known as KeyJNote).
community/libharu 2.3.0-1
C library for generating PDF documents
community/mupdf 1.7_a-2
Lightweight PDF and XPS viewer
community/pdf2djvu 0.8.1-1
Creates DjVu files from PDF files
community/pdf2svg 0.2.2-1
A pdf to svg converter
community/pdfgrep 1.3.2-1
A tool to search text in PDF files
community/pdflib-lite 7.0.5p3-3
PDF manipulation library.
community/pdfmod 0.9.1-6
Simple application for modifying PDF written in C Sharp
community/pdfsam 2.2.4-1
A free open source tool to split and merge pdf documents
community/podofo 0.9.3-1 [installed]
A C++ library to work with the PDF file format
community/python-pyx 0.14-1
Python library for the creation of PostScript and PDF files
community/python-reportlab 3.2.0-1
A proven industry-strength PDF generating solution
community/python2-pdfrw 0.1-3
Basic PDF file manipulation library
community/python2-pychart 1.39-8
Python library for creating Encapsulated Postscript, PDF, PNG, or SVG
charts.
community/python2-pyx 0.12.1-2
Python library for the creation of PostScript and PDF files
community/python2-reportlab 3.2.0-1
A proven industry-strength PDF generating solution
community/python2-rst2pdf 0.93-8
Create PDFs from simple text markup, no LaTeX required
community/wkhtmltopdf 0.12.2.1-1
Command line tools to render HTML into PDF and various image formats
community/x-docs-pdf 20140422-1
X documentation
community/zathura-pdf-mupdf 0.2.8-1
PDF support for Zathura (MuPDF backend)
community/zathura-pdf-poppler 0.2.5-2
Adds pdf support to zathura by using the poppler engine
(Score: 2) by Dunbal on Sunday August 30 2015, @10:58PM
Exactly what I thought. Oh the irony. I'm not downloading THAT!
(Score: 2) by cafebabe on Monday August 31 2015, @04:09PM
A Microsoftie publishes a PDF that says not to worry about security? That's a good troll because a Word document would have been too obvious.
(Score: 0) by Anonymous Coward on Sunday August 30 2015, @06:56PM
money also buys humour.
however my NOTE II is still perfectly fine just like 3 years ago.
it hasn't gotten any "over-the-air" updates (i assume it means it needs a SIM card which it hasn't) since then.
today it is full of holes just like the day it left the factory.
sure, just buy a new one .. even if it costs an arm and a leg and doesn't really bring anything new to the table except the "missing updates".
so sure, smile and laugh, security is over-hyped, if you can afford it ...
(Score: 4, Insightful) by Gravis on Sunday August 30 2015, @07:23PM
I feel it might just be bad timing but I think it's worth noting that James Mickens is an employee for Microsoft and Microsoft just dropped one hell of a security threat on the world. So he may be just putting out a paper as expected or maybe his employer asked him to turn up the hyperbole to make light of a serious problem. Either way, we are left with a serious security breach that is only getting wider.
(Score: 0) by Anonymous Coward on Sunday August 30 2015, @07:42PM
... or it goes to show that even the great Satan has some fun employees.
(Score: 5, Interesting) by fritsd on Sunday August 30 2015, @08:36PM
Yeah, the article was fun to read, but I can't tell if it makes a lot of sense. Is he trying to tell us: "ignore SELinux, give up on security, and just keep paying for Microsoft products"?
The thing with computer programs is, that *one programmer or small team* can write software that can then be verified by *even more programmers* and used by *a lot more people*, so his premise "security is difficult, YOU can't do it, so give up" is wrong: He may be correct about the "security is difficult. you can't do it" part, but then there's always the option of choosing to trust people that you believe to be reliable experts, or that you believe your distro-makers believe to be reliable experts.
I use OpenSSL (post-heartbleed patched) because I have some (possibly misjudged) faith in its code; I don't decide to just use telnet or HTTP because "some people say HTTPS is not secure either, so let's just give in".
I once studied a bit of bitcoin code, out of curiosity; and there was a *VERY SUSPICIOUS* function to discard keys based on certain patterns. So, I wrote a little test program, generated a million keys, and what do you know... about 10 (don't recall the exact number) of those 1000000 test keys were rejected by this function. So I trust it (I wouldn't have if it had rejected a substantial number of keys, because that sounds like it tried to make brute-forcing a lot easier for the authors of that bitcoin code). But reject 10 in a million keys for a reason I don't understand? Go ahead. Later I made a guess that those rejected keys might have had really small RSA mantissas or something (if that big number is called the mantissa). My point is, you'd have to be a really clever security-oriented programmer to think of this, if you were asked to implement RSA. You'd have to understand the underlying integer maths.
About the previous paragraph: try to do that if the code had been Microsoft proprietary closed-source code. So there!
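The kind of audit fritsd describes, as an added example (not code from the post or from bitcoin): sample many random 256-bit candidates through a key-validation predicate and turn the rejection count into an estimate of how much the filter shrinks the keyspace. The range check is secp256k1's real scalar constraint; `narrowed_filter` is a constructed stand-in for the suspicious function, whose actual logic the thread never shows.

```python
import math
import random

# Group order of secp256k1, the curve bitcoin uses; a private key is a scalar in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_valid_scalar(k: int) -> bool:
    """Benign, documented check: reject 0 and anything >= the group order.
    A uniform 256-bit value fails this with probability ~2^-128, so a
    random-sampling audit should essentially never see a rejection."""
    return 1 <= k < SECP256K1_N


def narrowed_filter(k: int) -> bool:
    """Hypothetical filter (constructed for this example) that also insists the
    top 4 bits of the key are zero. It silently discards 15/16 of the keyspace,
    which is exactly the unexplained narrowing an audit should flag."""
    return is_valid_scalar(k) and (k >> 252) == 0


def keyspace_loss_bits(accepted: int, samples: int) -> float:
    """log2 of how much a filter shrinks the search space, estimated from counts.
    Rejecting 10 keys in a million costs ~0.00001 bits; rejecting 15 in 16 costs 4 bits."""
    if accepted == 0:
        return math.inf
    return math.log2(samples / accepted)


def audit_key_filter(predicate, samples: int = 20000, seed: int = 1) -> dict:
    """Generate `samples` uniform 256-bit candidates from a seeded PRNG (seeded only
    so the audit is reproducible; real keys must come from secrets.randbits) and
    report how many the predicate rejects plus the implied keyspace loss."""
    rng = random.Random(seed)
    rejected = sum(1 for _ in range(samples) if not predicate(rng.getrandbits(256)))
    accepted = samples - rejected
    return {"samples": samples, "rejected": rejected,
            "loss_bits": keyspace_loss_bits(accepted, samples)}


if __name__ == "__main__":
    for name, pred in (("range check", is_valid_scalar), ("narrowed filter", narrowed_filter)):
        r = audit_key_filter(pred)
        print(f"{name}: rejected {r['rejected']}/{r['samples']}, ~{r['loss_bits']:.3f} bits lost")
```

A loss of a few hundred-thousandths of a bit, as in the 10-in-a-million case, is noise; a loss of several bits from a function nobody can explain is a finding.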
(Score: 3, Insightful) by frojack on Sunday August 30 2015, @09:04PM
My point is, you'd have to be a really clever security-oriented programmer to think of this, if you were asked to implement RSA. You'd have to understand the underlying integer maths.
But also a really bad programmer to not include even a single comment as to why that code existed.
Non trivial, obscure, and unexplained code is always suspect.
I've sent even senior programmers back to their desk with red marked listings for that kind of stuff.
(Score: 3, Informative) by inertnet on Sunday August 30 2015, @08:43PM
you can induce peanut allergies at a distance using an SMS message and a lock of your victim's hair.
Easy, just make sure there's DNA in the lock of hair:
1 Macguyver a peanut allergy into the DNA, then make a clone.
2 Artificially age the clone to match the victim's age.
3 The SMS message is to lure the victim into a dark alley where you can make the switch. Keep your distance.
4 ???
5 Profit.