
Comment: Re:Can't avoid medical records (Score 1) 528

by Aaden42 (#48548165) Attached to: The Sony Pictures Hack Was Even Worse Than Everyone Thought

And one of the more out of shape folks lands wrong and blows out a knee, or runs too much and drops of a heart attack, or... The opportunities to get sued are practically limitless with such a thing. My own employer gave up on the idea a few years before I came on when somebody ended up with a compound fracture in their leg as part of a friendly basketball game. Ran, fell, landed wrong, bones sticking out of torn muscle, not a good day for anyone...

If there was any chance of benefit from a once-a-week thing, maybe it’d be worth it, but someone who habitually overeats and is significantly overweight isn’t going to see that “exercising can actually be fun” from a half-assed sportsball game once a week. They’ll see that exercising makes them hurt and sweaty and out of breath and oh-by-the-way they worked out, so they “earned” a “treat” after work which puts them an extra 1000kcal over their BMR for the day, and they get bigger as a result.

You can’t outrun a bad diet. Encouraging someone to exercise without convincing them to also bring their intake in line and preferably below their maintenance calorie level is more likely to injure them, turn them even more off on the idea of exercise, and make them fatter.

Unfortunately an employer can’t realistically convince anyone to change their eating habits. Even if anyone would listen, the idea of my employer being able to say, “Put down the extra slice of pizza, or you’re fired,” isn’t something I’d like nor respond well to. For most people, even their closest friends and family can’t convince them.

It takes a personal moment of clarity, and for some people that never comes. Mine came after seeing a friend who was always about my size drop half his body weight over a couple of years between seeing him. It was the kick in the ass I needed. If he could do it, maybe I could too. 180lbs down, maybe another 70-80 to go...

Comment: Re:Free from captivity... for how long? (Score 2) 341

by Aaden42 (#48526285) Attached to: New Effort To Grant Legal Rights To Chimpanzees Fails

Even strict liability offenses aren’t generally chargeable against otherwise normal children who lack the reasoning to understand they committed a crime. I think the most generous figure I’ve read compared chimp intelligence to that of a human five-year old (and that was challenged as an over simplification and they’re really not equivalent to a kindergartener at all).

You wouldn’t charge a five-year old with disturbing the peace for throwing a tantrum in public. (The fact that I’d occasionally like to see the parents charged for it has nothing to do with this discussion...)

Comment: Re:Free from captivity... for how long? (Score 4, Interesting) 341

by Aaden42 (#48525741) Attached to: New Effort To Grant Legal Rights To Chimpanzees Fails

If it came to that, you’d have to appoint an attorney to stand for the critter’s interests who would argue diminished capacity and no ability to form mens rea.

So at best, they’re arguing for defining chimps as mentally challenged persons. I think we have enough mentally challenged persons as it is, several of whom can no doubt be found on one end of the ‘versus’ in this court case...

Comment: Re:I don't get it... (Score 1) 98

by Aaden42 (#48385651) Attached to: US Gov't Issues Alert About iOS "Masque Attack" Threat

But we don’t have Steve Jobs to tell us that we’re doing it wrong!

He did tell you. He was against the Enterprise provisioning system from day one. I can only assume it was because it would make attacks like this possible. The other ways of running non-Apple signed code are all per-device limited (you need an Apple-signed profile with each device’s UDID in it, max of 100 devices). Enterprise provisioning allows running on unlimited devices without needing to know the UDIDs in advance.

Comment: Re:I don't get it... (Score 2) 98

by Aaden42 (#48385621) Attached to: US Gov't Issues Alert About iOS "Masque Attack" Threat

You also have to enter your phone’s unlock code (assuming you set one) to install the provisioning profile.

I’d have a *tiny* amount of concern if it was tap-tap-tap-pwn3d, but it’s not something anyone could realistically do accidentally. Do without realizing the impact of it yes, but not “tap the wrong thing and you’re dead”.

At the point that you’re keying in your phone’s password (something you’d never do when installing a normal Apple app store app, unless your iTunes account & phone use the same password, in which case WTF???), you have to be pretty willfully ignorant OR dead set on installing some l33t p1r4t3 w4r3z to go through all those hoops. If the former, seriously, get a clue. If your das compüterbox is asking you to do something it’s never asked you to do before and you have no idea why, STOP and ask a grown up FFS! (If the latter, enjoy your malware. You earned it!)

As much as I hate to admit it, this thing actually validates Apple’s original stance that users can’t handle side-loading intelligently. Before the enterprise provisioning program was created, this attack would have been impossible. The only way to run non-Apple signed code would have been with a developer profile which requires each individual phone UDID to be encoded in it with an Apple-imposed maximum of 100 devices. Enterprise provisioning profiles are pretty much exactly equivalent to Android side-loading.

This is why we can’t have nice things...

Comment: Re:Now (Score 5, Informative) 59

by Aaden42 (#48327913) Attached to: WireLurker Mac OS X Malware Found, Shut Down

RTFA, please. This didn’t require jailbreaking to infect the phone.

Infection process:

1) Download pirate-friendly AppStore app for your Mac.
2) Download & run one of the trojaned, probably pirated apps on your Mac.
3) Plug in your phone.
4) Accept the prompt to install an enterprise provisioning profile, enter your device’s unlock code to authorize that, confirm one more time that you’re certain you want to install the profile (at least that was the process last time I added a custom profile: Two “Are you sure?”s and an authentication prompt, not just TouchID).
5) Trojaned apps on Mac scan for interesting apps on the phone & replace them with trojaned versions of the iOS apps.

No iOS or Mac bugs were exploited.

The Mac side was just downloading & running dodgy software from (software) houses of ill repute.

The iOS side relied on a legitimate Apple-signed key that was issued to some company (haven’t found the name of the company yet — redacted to protect the careless?) It does seem that the key had greater than usual entitlements to allow additional background execution beyond what’s usually allowed. The trojaned iOS apps ran on a non-jailbroken, non-compromised (by bugs anyways) phone because the user allowed installation of the enterprise provisioning profile which allows the phone to run apps signed by someone other than Apple.

As far as mitigation, Apple added signatures for the Mac-side stuff to Gatekeeper so OS X won’t run them any more unless you stand on your head and accept a bunch of, “This will explode your computer!” prompts.

They also revoked the provisioning profile signing key on the phone side, so it can’t create newly trojaned apps on the phone, and the profile won’t be installable on new phones. I’m not sure at the moment what effect that revocation has on phones that have already installed the profile or on apps that were already modified by it. I’m also not sure if it’s vulnerable to the “change the date on your phone” thing that was used to install NES emulators a while back. At one point, apps’ signatures were only checked on initial install, but I *think* expired or revoked enterprise profiles are actually checked at each launch and the apps should die now.
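The comments above turn on one property of an enterprise provisioning profile: it carries `ProvisionsAllDevices` instead of a `ProvisionedDevices` list of UDIDs, so it installs anywhere, and it stops being valid once its `ExpirationDate` passes or Apple revokes the signing key. The script below is an added example (my own code, not the commenter's and not an Apple tool) that reads such a profile from the bytes of a `.mobileprovision` file and reports those properties, the kind of check a defender runs over profiles found on a fleet or extracted from an app bundle. Assumptions: the key names `ProvisionsAllDevices`, `ProvisionedDevices`, `ExpirationDate`, `TeamName` and `Entitlements` are the ones real profiles use, but the two sample profiles, their values and the filler bytes standing in for the CMS envelope are constructed; the regex only locates the plist and does not verify the CMS signature (on macOS, `security cms -D -i profile.mobileprovision` gives a verified decode).

```python
import plistlib
import re
from datetime import datetime, timezone

# Constructed samples (not real Apple data): the XML plist that a .mobileprovision
# file carries inside its CMS (PKCS#7) envelope, surrounded by junk bytes that
# stand in for the DER envelope. Key names are the ones Apple profiles use;
# every value is made up.
_PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
               b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
               b'<plist version="1.0">\n<dict>\n')
_PLIST_TAIL = b"</dict>\n</plist>\n"
_FAKE_CMS_PREFIX = b"\x30\x82\x07\x1a\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # constructed filler
_FAKE_CMS_SUFFIX = b"\x00\x00" * 8  # constructed filler

SAMPLE_ENTERPRISE_PROFILE = _FAKE_CMS_PREFIX + _PLIST_HEAD + b"""\
    <key>Name</key><string>Constructed Enterprise Profile</string>
    <key>TeamName</key><string>Example Corp (constructed)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2015-11-05T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
        <key>get-task-allow</key><false/>
    </dict>
""" + _PLIST_TAIL + _FAKE_CMS_SUFFIX

SAMPLE_DEVELOPER_PROFILE = _FAKE_CMS_PREFIX + _PLIST_HEAD + b"""\
    <key>Name</key><string>Constructed Developer Profile</string>
    <key>TeamName</key><string>Example Dev (constructed)</string>
    <key>ExpirationDate</key><date>2015-03-01T00:00:00Z</date>
    <key>ProvisionedDevices</key>
    <array>
        <string>0000000000000000000000000000000000000001</string>
        <string>0000000000000000000000000000000000000002</string>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
        <key>get-task-allow</key><true/>
    </dict>
""" + _PLIST_TAIL + _FAKE_CMS_SUFFIX


def extract_plist(data: bytes) -> bytes:
    """Locate the XML plist inside raw .mobileprovision bytes.

    This only finds the plist; it does not verify the CMS signature around it.
    """
    match = re.search(rb"<\?xml.*?</plist>", data, re.DOTALL)
    if match is None:
        raise ValueError("no XML plist found in profile data")
    return match.group(0)


def parse_profile(data: bytes) -> dict:
    """Return the profile's key/value payload as a Python dict."""
    return plistlib.loads(extract_plist(data))


def audit_profile(profile: dict, now: datetime) -> dict:
    """Summarise what a profile lets a device run.

    `now` must be a naive UTC datetime, matching how plistlib returns <date>.
    """
    devices = profile.get("ProvisionedDevices", [])
    expires = profile.get("ExpirationDate")
    entitlements = profile.get("Entitlements", {})
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    flags = []
    if enterprise:
        flags.append("enterprise: runs on any device, no UDID list or 100-device cap")
    if expires is not None and expires <= now:
        flags.append("expired")
    if entitlements.get("get-task-allow"):
        flags.append("get-task-allow: debugger may attach to the app")
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "enterprise": enterprise,
        "device_count": len(devices),
        "expires": expires,
        "flags": flags,
    }


def audit_bytes(data: bytes, now_iso: str) -> dict:
    """Audit raw profile bytes against a reference time given as ISO 8601 (UTC, no offset)."""
    return audit_profile(parse_profile(data), datetime.fromisoformat(now_iso))


def audit_file(path: str) -> dict:
    """Audit a .mobileprovision file on disk against the current time."""
    with open(path, "rb") as fh:
        data = fh.read()
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return audit_profile(parse_profile(data), now)


if __name__ == "__main__":
    for sample in (SAMPLE_ENTERPRISE_PROFILE, SAMPLE_DEVELOPER_PROFILE):
        report = audit_bytes(sample, "2014-11-06T00:00:00")
        print(report["name"], "->", report["flags"] or ["no flags"])
```

Run against the two constructed samples, the enterprise profile is flagged for installing on any device while the developer profile shows its two-UDID allow list instead; move the reference date past 2015-11-05 and the enterprise profile is also reported as expired, which is the state a revoked or lapsed profile ends up in regardless of whether the device re-checks it at each launch.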

Comment: Re:Don't buy American. (Score 1) 63

by Aaden42 (#48326041) Attached to: The Fight Over the EFF's Secure Messaging Scoreboard

Right, I forgot about WinCE, I mean WinMo, I mean WinRT, I mean “just-Windows, but it’s different and doesn’t run the same apps”. That’s a much more trust-worthy option than Android or iOS. Or were you talking about WebOS (US-made, essentially defunct) or Blackberry (long standing tradition of rolling over for oppressive governments to prop up their bottom line).

Anything else?

Comment: Re:don't use biometrics (Score 1) 328

That’s a very nice delusional world you live in that you believe that you need actual evidence that would stick in court and lead to a jury actually convicting you in order to have your life ruined.

“Leak” to the press or your employer from the cops or DA? Nice knowing you

Comment: Re:don't use biometrics (Score 1) 328

If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.
  -- Cardinal Richelieu

Do you have any idea how many “lines written by [your] hand” are on your phone? I would bet you your phone that a dedicated investigator could find either evidence of a crime OR evidence sufficient to bolster suspicion of a crime which would be adequate to secure further warrants to search your home, vehicle, person, etc. The only question is whether you’re interesting enough to an investigator or if one of those crimes is in vogue for “zero tolerance” prosecutions at that time.
