Comment Re: It's not a networking issue. (Score 1) 384

While an interesting solution, it only addresses the network part of the problem.

I think he might be limited by the software doing the updating. If he can't run multiple copies then how will the software understand responses from the pumps? Send one command get 8 responses? That probably won't work.

The whole multiple VMs may be his only hope depending on the client software.

Comment NetUSB=proprietary. Is there an open replacement? (Score 2) 70

It happens I could use remote USB port functionality.

(Right now I want to run, on my laptop, a device that requires a Windows driver and Windows-only software. I have remote access to a Windows platform with the software and driver installed. If I could export a laptop USB port to the Windows machine, it would solve my problem.)

So NetUSB is vulnerable. Is there an open source replacement for it? (Doesn't need to be interworking if there are both a Linux port server and a Windows client-pseudodriver available.)

Comment Opportunity to detect MITM attacks? (Score 4, Interesting) 71

I skimmed the start of the paper. If I have this right:

  - Essentially all the currently-deployed web servers and modern browsers have the new, much better, encryption.
  - Many current web servers and modern browsers support talking to legacy counterparts that only have the older, "export-grade", crypto, which this attack breaks handily.
  - Such a server/browser pair can be convinced, by a man-in-the-middle who can modify traffic (or perhaps an eavesdropper-in-the-middle who can also inject forged packets) to agree to use the broken crypto - each being fooled into thinking the broken legacy method is the best that's available.
  - When this happens, the browser doesn't mention it - and indicates the connection is secure.

Then they go on to comment that the characteristics of the NSA programs leaked by Snowden look like the NSA already had the paper's crack, or an equivalent, and have been using it regularly for years.

But, with a browser and a web server capable of better encryption technologies, forcing them down to export-grade LEAKS INFORMATION TO THEM that they're being monitored.

So IMHO, rather than JUST disabling the weak crypto, a nice browser feature would be the option for it to pretend it is unpatched and fooled, but put up a BIG, OBVIOUS, indication (like a watermark overlay) that the attack is happening (or it connected to an ancient, vulnerable, server):
  - If only a handful of web sites trip the alarm, either they're using obsolete servers that need upgrading, or their traffic is being monitored by NSA or other spooks.
  - If essentially ALL web sites trip the alarm, the browser user is being monitored by the NSA or other spooks.

The "tap detector" of fictional spy adventures becomes real, at least against this attack.

With this feature, a user under surveillance - by his country's spooks or internal security apparatus, other countries' spooks, identity thieves, corporate espionage operations, or what-have-you, could know he's being monitored, keep quiet about it, lie low for a while and/or find other channels for communication, appear to be squeaky-clean, and waste the tapper's time and resources for months.

Meanwhile, the NSA, or any other spy operation with this capability, would risk exposure to the surveilled each time it uses it. A "silent alarm" when this capability is used could do more to rein in improper general surveillance than any amount of legislation and court decisions.

With open source browsers it should be possible to write a plugin to do this. So we need not wait for the browser maintainers to "fix the problem", and government interference with browser providers will fail. This can be done by ANYBODY with the tech savvy to build such a plugin. (Then, if they distribute it, we get into another spy-vs-spy game of "is this plugin really that function, or a sucker trap that does tapping while it purports to detect tapping?" Oops! The source is open...)
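The decision logic such a detector would need, as an added example that is not part of the original comment and not taken from any existing plugin. The function names, the record fields (`host`, `cipherSuite`, `dhBits`), the 0.9 cut-off for "essentially ALL" and the sample connections are all assumptions made for illustration; how a browser exposes the negotiated parameters is left out.

```javascript
// Added example: names, threshold and sample records are constructed.
const WEAK_DH_BITS = 512;  // export-grade DHE group size
const NEARLY_ALL = 0.9;    // assumed cut-off for "essentially ALL web sites"

// A connection is export-grade if an EXPORT suite was negotiated, or if a DHE
// suite was negotiated with a group of 512 bits or fewer. The second case is
// what a client downgraded on a DHE exchange sees: an ordinary DHE suite
// name, only with a tiny group.
function isExportGrade(conn) {
  if (/_EXPORT_/.test(conn.cipherSuite)) return true;
  return /^TLS_DHE_/.test(conn.cipherSuite) &&
         typeof conn.dhBits === "number" && conn.dhBits <= WEAK_DH_BITS;
}

// Apply the comment's two-way reading to a batch of observed connections.
function assess(conns) {
  const hosts = new Map();  // host -> was any connection to it weak?
  for (const c of conns) {
    hosts.set(c.host, (hosts.get(c.host) || false) || isExportGrade(c));
  }
  const flagged = [...hosts].filter(([, weak]) => weak).map(([h]) => h).sort();
  const total = hosts.size;
  let verdict = "clear";
  if (flagged.length > 0) {
    verdict = total > 1 && flagged.length / total >= NEARLY_ALL
      ? "nearly-all-sites"  // points at the user's own network path
      : "few-sites";        // obsolete servers, or the path to those sites
  }
  return { total, flagged, verdict };
}

// Constructed sample: one host negotiates DHE with a 512-bit group.
const sample = [
  { host: "a.example", cipherSuite: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
  { host: "b.example", cipherSuite: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", dhBits: 512 },
  { host: "c.example", cipherSuite: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", dhBits: 2048 },
  { host: "d.example", cipherSuite: "TLS_RSA_WITH_AES_128_CBC_SHA" },
];
console.log(assess(sample));
```

A single flagged host out of one observed is reported as "few-sites", since one connection cannot distinguish an obsolete server from a tampered path.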

Comment Re:A Computer (Score 1) 443

My first programming class: Punch cards. Punch your deck, take it to the input window, wait around an hour or two for it to run, pick up the printout at the output window, debug. Rinse, repeat until successful. The IDE was long nights at the computing center with a thermos of coffee. Finally getting a terminal and 300 baud modem at home was a really big deal.

Comment Re:Another Assumption (Score 1) 609

Obama has signed into law - including during the time when Pelosi was leading the house - bills that Reagan and both Presidents Bush could have only dreamed of

I don't recall Pelosi or Obama advocating anything more than not raising taxes as much as some wanted. What laws are you referring to?

What they advocated for, and what they actually did, were two very different things. I'm talking about the budget proposals that they actually signed into law (in the case of Obama) or voted for (in the case of Pelosi). These were really not even close to reflections of what they said they were campaigning for. Even more so, they resulted in higher government handouts to wall street and the military-industrial complex than the GOP presidents had ever dared dream for, and larger tax cuts to the wealthy as well. The cherry on the sundae comes in the continued dismantling of workers' rights.

Another way to put it in perspective is to look for any bill that Obama signed that Reagan, Bush, or Bush Jr. would not have signed. I can't find a single one.

Comment Re:Another Assumption (Score 5, Informative) 609

After the 2008 elections everyone realized the Democrats under Pelosi and Obama were too far left

Really? Obama has signed into law - including during the time when Pelosi was leading the house - bills that Reagan and both Presidents Bush could have only dreamed of. Under Obama - regardless of who controlled either chamber of congress - we saw huge tax cuts to the wealthy, and continued marginalization of the middle and lower classes.

Essentially, while the GOP was marching further to the right, the democrats decided it would be a good idea to follow.

Comment You get old, you get scared... (Score 3, Insightful) 609

... you buy a gun, and you become a republican. That's been the cycle for a long time. Yeah, lots of republicans have croaked lately but they're being replaced by democrats shifting over.

Besides, as we've seen the last 6 years there isn't much difference between the two. One party is right-wing, and the other is 1 order of magnitude further to the right. Either way the republicans and their supporters win.

Comment How many hours? (Score 1) 12

You will likely claim I am being pedantic about an unimportant detail, but this does matter in this case. The first attack started a bit before 4am Washington time. Hillary gave her response the following day. The question then is how much time elapsed between when she would have received this information and when she gave her speech to the press.

Had she waited longer to give that speech, you would be bitching that she was waffling and ineffective. Instead she took what she thought to be the most credible intelligence at the time and spoke about it.

And hell, it's not like we wasted 6 trillion dollars and over three thousand American lives on the mistake.

Comment Re:DHI (Score 1) 11

I noticed it a few weeks ago, and figured that finally they realized that "Dice" as a name for anything outside of gambling was kind of down-market.

Unless, of course, you're talking about Andrew "Dice" Clay, right? Really, can you be more up-market than him?

That said, I've been around here a lot less in the past few weeks. I get more useful and current tech news through Google News and if I want to know what conservatives are yelling in an echo chamber I can witness that through other places as well. The utility of this site is dwindling rapidly.
