• Someone (unregistered)
    You have a week to install a closed source replacement with the same protection
    How could she know? It's closed source, so you can only guess the protection level.
  • tldr (unregistered)

    Wow, great solution. Weird how the boss did not find it weird.

    Although I do not understand the reasoning why being open source would make a program less secure.

  • (cs) in reply to Someone
    Someone:
    How could she know? It's closed source, so you can only guess the protection level.
    That's the WTF!
  • (cs)

    But if the source is open that means that {THE BAD GUYS} (where "The Bad Guys" can be anything from our competitors, to evil hackers, to terrorists) can use the same program we use! It won't be a proprietary trade secret anymore!!

    THE HORROR.

    Fucking morons. I also love the "You have a week to fix this or you're fired" threat. Because that always goes over well.

  • Roby McAndrew (unregistered)

    I remember using a video camera and a VHS recorder to record screen sessions, but that was in the late '80s...

  • Tim Phillips (unregistered) in reply to tldr
    tldr:
    Although I do not understand the reasoning why being open source would make a program less secure.
    About all I can come up with is there is nobody to sue if you get hacked.
  • (cs) in reply to tldr
    tldr:
    Although I do not understand the reasoning why being open source would make a program less secure.

    That's because you understand that proper security software relies upon mathematically and computationally difficult problems, and not on "you just haven't figured out my convoluted secret yet, and I'm not telling you what it is".

    Unfortunately, to non technical people, these two forms of security appear to be equivalent; they don't understand that the security of algorithms lies within the algorithm itself, and not the obscurity of the code which implements it.

    Crucially, it doesn't even matter if you use any of the above sentences to explain the difference to them; they'll either disagree with you because they know better, or they'll nod in agreement with you then demonstrate that they understood the exact opposite five minutes later.

  • (cs)

    Good thing Jerry's evil twin, Jeff, wasn't as savvy and didn't catch it was the same software...

    ** Fixed! --ed.

  • Mr. A N Mouse (unregistered)

    Video output - tick. But how is she controlling the system?

    Captcha "opto" - how apt!

  • Don (unregistered)
    “We’re still running Windows XP here,” Walter replied. “It needs at least Windows 7.”

    “And we can’t upgrade because of our legacy plant software,” she replied for the umpteenth time.

    VMWare vPlayer? XP Mode?

    At least a dozen solutions for that if XP vs 7 is the only limitation. Or hell, put in a requirement for everything including the plant software to be upgraded so as to ensure security...

  • IN-HOUSE-CHAMP (unregistered)

    This smells all kinds of awesome from here.

    captcha: ingenium

  • (cs) in reply to eViLegion
    eViLegion:
    That's because you understand that proper security software relies upon mathematically and computationally difficult problems, and not on "you just haven't figured out my convoluted secret yet, and I'm not telling you what it is".
    Strictly, the key is a complicated secret. (I hesitate to use “convolved” as I'm not sure whether Fourier transforms are useful in cryptographic key systems.) The trick to a good system is ensuring that it is the only part that has to be secret, and that the other parts remain secure even if they're not secret.
  • RFoxmich (unregistered)

    TRWTF is that if it's only video coming back from the plant who the F cares if it gets hacked into? Nobody can modify plant operation much less take it down via that feed.

  • (cs)

    Hell, Lindbergh f*cked her.

  • Foo (unregistered) in reply to Don
    Don:
    “We’re still running Windows XP here,” Walter replied. “It needs at least Windows 7.”

    “And we can’t upgrade because of our legacy plant software,” she replied for the umpteenth time.

    VMWare vPlayer? XP Mode?

    At least a dozen solutions for that if XP vs 7 is the only limitation. Or hell, put in a requirement for everything including the plant software to be upgraded so as to ensure security...

    vmware player probably (!) isn't going to allow a hardware interface to the plant equipment, via a custom and overpriced PCI board or whatever.

  • d (unregistered)

    Rube Goldberg would be proud!

  • Tom (unregistered)

    Step #1: buy a new Windows 7 machine and attach it to the network.
    Step #2: remote into the Windows 7 machine with SafeViewer.
    Step #3: from the Windows 7 machine, remote into the production machine with anything.

    It sounds as if they didn't implement this bs with the camera. They just mocked it up to pass it off to the idiot CEO.

  • Bryan (unregistered)

    The real WTF here is that they had a Professional BetaCam just lying around. Why on earth did the manufacturer have that?

  • MrBester (unregistered)

    “You have a week to install a closed source replacement with the same protection, or your next meeting will be an exit interview.”

    “Yeah, Jerry, yours. Go fuck yourself.”

  • (cs) in reply to Bryan

    They had the Professional BetaCam for a reason. The commercial advertisements had to be proprietary. If anyone figured out their trade secret filming process, InstaPet would no longer have a marketing advantage.

  • noname (unregistered) in reply to Bryan
    Bryan:
    The real WTF here is that they had a Professional BetaCam just lying around. Why on earth did the manufacturer have that?
    According to the article it is *private* property.

    eros: Nice try, TDWTF. ;-)

  • (cs)

    So basically, TRWTF is Jerry not understanding Kerckhoffs' principle, a fundamental principle of cryptography which tells us that any system that you can't trust to be secure if everything but the key is known to an attacker can't be trusted to be secure at all.

    In other words, all other things being equal, it's not possible for an open-source system to be less secure than a closed-source system. (Note: all other things being equal. Certainly there are open-source systems that are insecure and closed-source systems that are secure, but, for example, if you take a closed-source system and publish the source to it, it does not become any less secure than it was before you published the source.)

  • Paul Neumann (unregistered)

    TRWTF is anonymizing the open source software name. What open source screen sharing software supports "symmetric key encryption" above and beyond what is available in commercial alternatives?

    If we don't know the answer to what the software was, we will never know. Maybe that is the security?

  • (cs)

    All she really needed was something to show the boss. If he's convinced it's secure, then it IS secure. How would he ever find out otherwise? All she needed to say was that she installed a hardware encryption board in her home computer that munges up the data being sent. A quick Google search probably can find such a board, in case she needs "proof" that such a thing exists.

  • (cs) in reply to MrBester
    MrBester:
    “You have a week to install a closed source replacement with the same protection, or your next meeting will be an exit interview.”

    “Yeah, Jerry, yours. Go fuck yourself.”

    hah. this.

  • (cs)

    It's nice to see an actual picture of the setup. So many of these stories are so edited that it's possible they're just made up; but a picture sort of proves it.

  • (cs)

    Everybody who comments about cryptography is missing a point: Many systems can be hacked by exploiting security flaws that have nothing to do with encryption.

    Of course, in an open source system, anyone can find a security flaw. What Jerry is missing is that this "anyone" can just as well be a good guy, so if this software is around for long enough, someone will already have fixed all flaws.

  • Calli Arcale (unregistered) in reply to DrPepper
    DrPepper:
    All she really needed was something to show the boss. If he's convinced it's secure, then it IS secure. How would he ever find out otherwise? All she needed to say was that she installed a hardware encryption board in her home computer that munges up the data being sent. A quick Google search probably can find such a board, in case she needs "proof" that such a thing exists.

    In many respects, I rather think that's what she actually did. ;-) Only with an ancient video camera instead of a PCI card. Remember, the first rule in constructing an effective placebo is that it has to appear elaborate.

  • (cs) in reply to tldr
    tldr:
    Wow, great solution. Weird how the boss did not find it a weird.

    Although I do not understand the reasoning why being open source would make a program less secure.

    Because all corporate (and military) security experts know that (1) Microsoft products are the only secure ones, and (2) open source means it was written by Commie Ruskie Chinese hackers.

  • (cs) in reply to levbor
    levbor:
    Everybody who comments about cryptography is missing a point: Many systems can be hacked by exploiting security flaws that have nothing to do with encryption.

    Of course, in an open source system, anyone can find a security flaw. What Jerry is missing is that this "anyone" can just as well be a good guy, so if this software is around for long enough, someone will already have fixed all flaws.

    Er, as interesting as that is, it's completely irrelevant to the point of the actual story, as what you said applies to all software (in a closed source system, anyone can find a security flaw also).

  • (cs) in reply to eViLegion
    eViLegion:
    in a closed source system, anyone can find a security flaw also.

    It's a bit harder without the sources.

  • (cs) in reply to levbor

    Yes, but if the algorithm is correct then it's exactly as hard with OR without the sources. E.g. your only choice is to brute force it.

    In this case, the person in charge seems to think that open source means unsecured, because he clearly has no understanding of what security actually is. Assuming that it is already known that their open source implementation is secure, then a closed source alternative may only be less-than-or-equal-to the security of what it is replacing.

  • Slapout (unregistered)

    Windows is closed source while Linux is open source. People find security flaws in both.

  • Inigo (unregistered)

    You have a week to fix this or you're fired = You have a week head start on finding a better job

    I'm kind of sad that she apparently didn't understand this translation.

  • (cs)

    TRWTF is using the name of a non-existent open-source program. Obfuscating the corporation's name I understand, but if this were a true story they would name an actual open-source program. There's been far too much of that here lately.

  • (cs) in reply to Inigo
    Inigo:
    You have a week to fix this or you're fired = You have a week head start on finding a better job

    I'm kind of sad that she apparently didn't understand this translation.

    If this were a true story, yours would be a true statement.

  • ¯\(°_o)/¯ I DUNNO LOL (unregistered) in reply to eViLegion
    eViLegion:
    In this case, the person in charge seems to think that open source means unsecured, because he clearly has no understanding of what security actually is. Assuming that it is already known that their open source implementation is secure, then a closed source alternative may only be less-than-or-equal-to the security of what it is replacing.
    Closed-source just means you have no way to find out which corporate secrets the software is forwarding to the NSA.
  • fa2k (unregistered)
    “QuantoView? It was hardened at the company’s request, with symmetric-key encryption, an algorithm that’s only a few years old--”
    This is a borderline WTF. New algorithms are more prone to problems than older ones just because fewer people have been hacking at them for a shorter time.

    Symmetric key crypto is sort of a given, the real question is how they handle key management and how the algorithm is integrated with the software. It's very easy to make mistakes in crypto, even when using industry standard algorithms (see WEP). I guess that she could have meant "pre-shared key" when she said symmetric key crypto.

  • dilligaf (unregistered) in reply to DrPepper
    DrPepper:
    It's nice to see an actual picture of the setup. So many of these stories are so edited that it's possible they're just made up; but a picture sort of proves it.

    Or it's the usual made up story with an interesting albeit completely unrelated picture.

  • (cs) in reply to eViLegion
    eViLegion:
    Yes, but if the algorithm is correct then it's exactly as hard with OR without the sources. E.g. your only choice is to brute force it.
    Yeah..

    But in the actual real world, there is no such thing as a 'correct algorithm', at least not when we're talking about an entire application, when the only option is to brute force it. Every application of sufficient complexity will have security vulnerabilities, no matter how well you design it. And if the vulnerability is not with the application, then it is bound to lie with the other software, hardware, or even the user that it interacts with.

    So yes, in theory, it should not matter one iota whether or not you publish the source of your application. In practice, there will be things you have overlooked. And it is a hell of a lot easier to find these things when you can look at the source directly.

  • jay (unregistered)

    Years ago I read a book by someone who was involved in developing security for early Unix. They had two men who played good-guy/bad-guy: One would develop security software, and then the other would try to break it. He said that one of their early decisions was that they would give the source code to the bad guy. After all, they reasoned, if the software was out there long enough, sooner or later someone would leak a copy of the source code, or someone would de-compile it, etc. Relying for security on the idea that you could keep the source code secret forever would be naïve.ppppppppppppppppppppppppppppppppppppppprrr

  • jay (unregistered)

    Please disregard the ppppppppppppppppppprrrrrrrrr on my last post. I was scraping some piece of random gunk off my keyboard. :-)

  • jay (unregistered) in reply to dilligaf
    dilligaf:
    DrPepper:
    It's nice to see an actual picture of the setup. So many of these stories are so edited that it's possible they're just made up; but a picture sort of proves it.

    Or it's the usual made up story with an interesting albeit completely unrelated picture.

    Or they just found a strange picture on the Internet, and wrote a story to go with it.

    We had exercises like that in elementary school.

  • skepticjew (unregistered) in reply to DrPepper

    Look carefully at it - they BS'd the bosses: the description of the Wichita computer says it's running XP and has a CRT monitor. However, the picture they supplied the bosses shows a 7 system with a flat screen... well done, I see what you did there!

  • trtrwtf (unregistered) in reply to fa2k
    fa2k:
    “QuantoView? It was hardened at the company’s request, with symmetric-key encryption, an algorithm that’s only a few years old--”
    This is a borderline WTF. New algorithms are more prone to problems than older ones just because fewer people have been hacking at them for a shorter time.

    Yes and no. A couple of years is a good sweet spot. People have been working at it long enough that you can be sure anything relatively obvious has been found, but you can be pretty sure that they've learned from more recent mistakes. Also, if you use a relatively recent algorithm you're more likely to get something that can extend into future requirements (such as longer keys).

    I wouldn't call it an obvious WTF to use a three year old algorithm.

  • (cs)

    Hopefully this works:

    http://www.tineye.com/search/d387179df431df864b00de9ef42cc422c4496f2c/

  • Conrad (unregistered)

    Nice! Security through obscurity is so much better than Kerckhoffs' principle... oh wait it's the other way around isn't it.

  • 3Doubloons (unregistered) in reply to tldr
    tldr:
    Although I do not understand the reasoning why being open source would make a program less secure.

    Somewhat related, my old boss had a ban on freeware that included open source. The reasoning was that if you didn't buy it, you had no guarantee that the program would be maintained and that you could get the changes you needed (in his mind, if you paid for something, you had the right to pester the developer to add the features you wanted).

  • (cs)

    I've done something very much like this before. Needed to put a streaming demo of the software I wrote up on the projector. Seemed simple enough.

    Well.. Can't VNC over the network, it sucks. Can't move the workstation, it's got too much stuff plugged in and there are neither enough outlets nor enough time to move everything. Hey, here's an old-ish camcorder, miles of unused RCA cable, and I have a tripod in my trunk.

    It looked very much like the picture, only the camera was smaller and the tripod far flimsier.

    Thankfully, it was only needed for a few minutes, and we never spoke of said setup again.

  • (cs) in reply to SamC
    SamC:
    and we never spoke of said setup again.

    whoops...

Leave a comment on “Screen Recording HARDWARE”