
Comment: Re:So! The game is rigged! (Score 1) 269

by shutdown -p now (#47563479) Attached to: 35% of American Adults Have Debt 'In Collections'

You might need to apply for a crappy card at first if you really have NO history

Getting a credit card with no history whatsoever might be tricky unless you're really young. But even in that case, pretty much any bank will happily give you a credit card if you place a security deposit with them (the credit limit will then be tied to the amount of said deposit). That still counts as credit and lets you build up a credit score - and eventually they will release the deposit. I had to resort to that when I moved into the US from another country - given my age and employment, combined with the complete and utter lack of any credit score records whatsoever, that's the only arrangement that I could find. I got my security deposit back on the second year of using the card, and started getting more card offers from other banks at about the same time, which I assume coincides with crossing some threshold on the credit score.

Comment: Re:Appalling (Score 5, Informative) 88

by swillden (#47562755) Attached to: Old Apache Code At Root of Android FakeID Mess

I don't know the fine details of this bug, but am I the only one appalled at how obvious this bug sounds? It doesn't even properly check the certificate? I mean buffer overflows and such are one thing, but not properly testing your certificate code seems unforgivable.

No, it's not that it doesn't check certificates generally, it's that if there's an additional, extra certificate of a particular form in the list that forms an app's certificate chain (but isn't actually in the chain) then that extra certificate gets included in the list of signatures associated with an app... making other apps that query the signature list believe that the app is signed by a certificate it's not. This doesn't, for example, fool the Play store into believing an app is from developer A when it's really from developer B. But it can fool other apps. There are some apps that load others as plugins, and make decisions about which plugins to load based on whether they're signed by a particular key. This flaw allows malicious apps to subvert that, convincing the plugin-loading apps to execute them, thereby giving the malicious app the same permissions as the plugin-loading app.

It's a serious security flaw, no doubt. But it's a little more subtle and less obvious than the summary makes it appear. Also, it appears that no app in the Play store, nor any of the other apps that Google has scanned, attempt to exploit the flaw. It's very easy to identify them by scanning the certificates in the package.

I've implemented tests for certificate chain validation code several times (not in Android), and it never once occurred to me to test for this particular odd construction, nor, I think, would anyone else think to test for it without some specific reason. This sort of bug requires inspection of the code.

(Disclaimer: I'm a member of the Android security team, but I'm not speaking in an official capacity, just summarizing what I've read of the vulnerability -- which isn't a great deal. Others on my team are well-informed, but I haven't followed this issue closely.)
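
A simplified model of the check described in the comment above, added here as an example; it is not part of the original comment and is not Android's code. It assumes the "extra certificate" case is a certificate list in which one entry names an issuer that never signed it; the `Cert` type, the sample names and the HMAC-based toy signature (a stand-in for real public-key verification) are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # issuer name the certificate claims
    key: bytes    # toy key; stands in for a real public/private key pair
    sig: bytes    # toy signature over subject, issuer and key

def _tbs(subject, issuer, key):
    """Bytes covered by the toy signature."""
    return "|".join((subject, issuer, hashlib.sha256(key).hexdigest())).encode()

def make_cert(subject, issuer, key, signing_key):
    """Build a constructed sample cert signed with signing_key (HMAC stand-in)."""
    sig = hmac.new(signing_key, _tbs(subject, issuer, key), hashlib.sha256).digest()
    return Cert(subject, issuer, key, sig)

def signed_by(cert, issuer_cert):
    """True only if issuer_cert's key actually produced cert's signature."""
    tbs = _tbs(cert.subject, cert.issuer, cert.key)
    expected = hmac.new(issuer_cert.key, tbs, hashlib.sha256).digest()
    return hmac.compare_digest(cert.sig, expected)

def build_chain(certs, verify):
    """Walk from certs[0] towards a root; verify=False compares names only."""
    chain = [certs[0]]
    while chain[-1].subject != chain[-1].issuer:
        cur = chain[-1]
        parent = next((c for c in certs if c not in chain
                       and c.subject == cur.issuer
                       and (not verify or signed_by(cur, c))), None)
        if parent is None:
            break
        chain.append(parent)
    return chain

def unlinked(certs):
    """Subjects present in the list but not cryptographically in the chain."""
    chain = build_chain(certs, verify=True)
    return [c.subject for c in certs if c not in chain]

# Constructed sample data. VENDOR is genuine and self-signed. APP only names the
# vendor as issuer but is signed with its own key. GOOD is really vendor-signed.
VENDOR = make_cert("CN=Trusted Vendor", "CN=Trusted Vendor", b"vendor-key", b"vendor-key")
APP = make_cert("CN=App Dev", "CN=Trusted Vendor", b"app-key", b"app-key")
GOOD = make_cert("CN=Vendor Plugin", "CN=Trusted Vendor", b"plugin-key", b"vendor-key")
```

Anything `unlinked()` returns is a certificate that should not count towards the package's signer identity, which is the kind of entry a package scan would flag.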

Comment: Re:Don't let the facts get in your way (Score 1) 688

by Jeremiah Cornelius (#47562731) Attached to: Gaza's Only Power Plant Knocked Offline

So. You are able to regurgitate the Israeli propaganda that was fed to the world's press organizations, 40 years ago - building the myth of the ruthless Palestinian and the incomparable IDF.

But the BBC - that revolutionary hotbed of anti-Israeli sentiment - had this to report, confirming what Victor Ostrovsky and others had intimated for many years:

But newly released documents contain a claim that the 1976 rescue of hostages, kidnapped on an Air France flight and held in Entebbe in Uganda, was not all it seemed.

A UK government file on the crisis, released from the National Archives, contains a claim that Israel itself was behind the hijacking.

An unnamed contact from the Euro-Arab Parliamentary Association told a British diplomat in Paris that the Israeli Secret Service, the Shin Bet, and the Popular Front for the Liberation of Palestine (PFLP) collaborated to seize the plane.

The flight was seized shortly after it took off from Athens and was flown to Entebbe, where 98 people were held hostage, many of them Israeli citizens.

http://news.bbc.co.uk/2/hi/uk_news/6710289.stm

Comment: Re:You must be kidding. (Score 1) 44

by PopeRatzo (#47562525) Attached to: EA Tests Subscription Access To Game Catalog

I think EA and Microsoft should do their best to charge customers whatever their customers voluntarily agreed to

"Do their best"? That assumes any overcharges are accidental. You're giving those companies way too much credit.

What was the last time you heard of EA or Microsoft undercharging someone by accident?
