
Comment: Re:Pretty pointless (Score 2) 229

by bill_mcgonigle (#49158741) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

I'm still waiting for the first CEO to go to jail for refusing this.

Dude, you're fourteen years behind the news. The technique is not to get you on the "refusing NSA" charge, but any of the other countless criminal acts you commit every day. This is the primary purpose of a hyper-criminalized environment - so that everybody can be easily bent to the whim of the power structure. See also: charge stacking and the de-facto abolishment of the Sixth Amendment through the plea-bargain process (or, if you're a corporation, the no-plea deal for really efficient fascism).

Comment: Re:Hashes not useful (Score 3, Informative) 229

by bill_mcgonigle (#49158717) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Seagate is correct. Putting a hash on the website doesn't improve security at all because anyone who can change the download can also change the web page containing the hash. ... A company like Seagate doesn't rely on volunteers at universities to distribute their binaries so the technique is pointless.

There are many possible attacks. A hash on a website is not invulnerable to a rogue employee at Seagate (or one "just following orders").

A hash protects against a rogue insertion at the endpoint. Like if your PC is compromised by an attacker and then you pull the hard drive and (assuming there's a way to get a hash from SMART/ATAPI) you can compare the hash of the firmware that the drive is running to the list of published firmwares at the vendor's site. If the attackers are only modifying a small subset of drives, this works fine - they can't also intercept the check to the vendor's site - not unless they've broken TLS and/or have malware on every possible machine.

A tool to verify the firmware is poetically impossible to write. What code on the drive would provide the firmware in response to a tool query? Oh right ..... the firmware itself.

Well, today you can pull the image from JTAG, or so the experts have said (you can verify the firmware directly from memory with a hash if you have moderate funding). There's all sorts of talk about how ATAPI is write-only for firmware because the vendors don't want their competition to get their code and decompile it. This appears to be nonsense, as any other drive vendor already has the debug tools to pull such things from memory, and extracting it from an update isn't that hard - if a 16K DOS update utility can extract it, so can a multi-billion dollar R&D company.

To make it work you need an unflashable boot loader that acts as a root of trust and was designed to do this from the start. But such a thing is basically pointless unless you're trying to detect firmware reflashing malware and that's something that only cropped up as a threat very recently. So I doubt any hard disk has it.

They most certainly do not. So, here we are at today and need a way forward. There are a few ways forward, a fistful of crypto protocols to choose from to ensure future usefulness of hard drives for security applications, and INCITS/SATA-IO ought to be having emergency meetings _right now_ because this (NSA/GCHQ) is a major threat to the industry. The vendors may need to move operations outside of five-eyes to remain commercially viable.
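One way to implement the endpoint-side check described in the comment above, as an added example that is not the poster's code or any drive vendor's tool. The model name, firmware revisions and image bytes are constructed, and it assumes the running image can be read back from the drive (the comment suggests JTAG, or a hypothetical SMART/ATAPI read-back); the vendor list would in practice be fetched over TLS rather than computed locally.

```python
import hashlib
import hmac

# Constructed firmware images standing in for real vendor releases (made-up bytes).
KNOWN_IMAGES = {
    ("EXAMPLE-2TB", "SN03"): b"EXAMPLE-2TB firmware SN03 " + bytes(range(256)),
    ("EXAMPLE-2TB", "SN04"): b"EXAMPLE-2TB firmware SN04 " + bytes(range(255, -1, -1)),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The published list: (model, revision) -> SHA-256 hex. Built here from the
# constructed images; a real check would download this from the vendor over TLS.
VENDOR_MANIFEST = {key: sha256_hex(img) for key, img in KNOWN_IMAGES.items()}


def verify_firmware(model: str, reported_rev: str, image: bytes, manifest: dict):
    """Compare the hash of a dumped firmware image against the vendor's published list.

    Returns (status, detail):
      'match'         image hash equals the published hash for the reported revision
      'unknown_model' vendor publishes nothing for this model; no conclusion possible
      'unknown_rev'   model known, but the drive reports a revision the vendor never shipped
      'spoofed_rev'   image matches a different published revision than the drive claims
      'mismatch'      revision is published but the running image differs (tampering or bad dump)
    """
    digest = sha256_hex(image)
    published = {rev: h for (m, rev), h in manifest.items() if m == model}
    if not published:
        return "unknown_model", digest
    expected = published.get(reported_rev)
    if expected is None:
        return "unknown_rev", digest
    # Constant-time comparison of hex digests; avoids early-exit timing differences.
    if hmac.compare_digest(expected, digest):
        return "match", digest
    for rev, h in published.items():
        if hmac.compare_digest(h, digest):
            return "spoofed_rev", rev
    return "mismatch", digest
```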

Comment: Re: I should think so! (Score 4, Interesting) 93

by bill_mcgonigle (#49155435) Attached to: Blu-Ray Players Hackable Via Malicious Discs

but it doesn't seem to be a likely threat vector.

Do some traffic analysis on your target's porn habits at the ISP, leave a compromised disc about his favorite kink in a bag on the ground near where he parks his car, and use his "connected" player to zero-day the other equipment on his LAN, installing the APT without even needing to pretend about premises warrants or anything.

Comment: Re:Does it matter? (Score 1) 101

I will preface this by saying "this is really true" because you probably would otherwise read it as a nonsense, sarcastic, or glib comment.

I heard a conversation the other day about some of the terrible new buildings at the nearby university. A very senior administrator said (paraphrased), "you need to hire a hot architect and pay him 20% of the project price to come up with some really shocking architecture, to prove to prospective students that the school is still relevant."

I think he was talking mostly about the atrocity that they added to the Medical School, which looks suspiciously like the post-accident Chernobyl reactor. The "architecture" part of the project probably added $20M over making it look like a classical higher-ed building. I believe this administrator had final sign-off on such an expense.

Comment: Re:Should come with its own football team (Score 2) 101

It is not like an educated population is some kind of public good.

It's not, if you're speaking about the economic term. A 'public good', to an economist, is something that cannot be provided by the private market (a "market failure") and therefore must fall to a government to provide. Education is one where the private market excels in comparison to the public provision, which would be a counter-example.

Comment: Re:Should come with its own football team (Score 2) 101

And how should the government do that? With the tax income that these companies managed to avoid paying? Cool story bro.

The government should take money from the poor and funnel it into the coffers of these corporations. Did you miss the part where government is for the privatization of gains and the socialization of losses?

Comment: Re:Single point of failure (Score 2) 127

by bill_mcgonigle (#49151807) Attached to: Vandalism In Arizona Shuts Down Internet and Phone Service

The alternative is asking for bankruptcy.

I can just about guarantee you that several buyers of bandwidth in Phoenix had contracts with the people who owned this fiber and those contracts specified multiple redundant paths out of the city.

Odds are we're looking at backup system failure or contract fraud. Probably the former.

Comment: Re:How about healing spinal cord injuries first? (Score 1) 208

by nospam007 (#49146189) Attached to: Surgeon: First Human Head Transplant May Be Just Two Years Away

"Right now, we can't even repair spinal cord injuries where head and body belong to the same person. Once that becomes a routine medical procedure, we might think about head transplants and how to solve the problems associated with them."

That may very well be, but there are no people with spine injuries on the boards that decide about the grants to scientists, but many old people with a need for a young body.

Comment: Re:Slashdot (Score 1) 299

"Anybody else's Slashdot break today?"

I had to click on every icon on the page, to try to log in.

Only when I clicked the icon with an arrow pointing to an exit door, I succeeded. (sic)

Also, why show me the crappy 'deals' stuff if I have a non-US IP, since you won't ship anything, even if I wanted it.

This has been the _worldwide_ web for a quarter of a century, assholes.
