
Comment: Re:Hasn't this been known? (Score 4, Insightful) 160

by maccodemonkey (#48662523) Attached to: Thunderbolt Rootkit Vector

Well, now I'm reading specs on USB 3.0 controllers. Ugh. There's a lot on mapping a bus address to a memory address for DMA, but nothing addressing the security implications of doing so, or what devices are allowed to do, just broad hints like the buffer has to exist in a DMA-able part of memory without saying if that's a security implication or a hardware implication.

It would be nice to see a follow up article on if/how USB 3.0 protects against these things, because I'm not a kernel USB developer sort of guy, so while I know DMA is there, I'm not feeling like I'd be able to dissect these implementation specs.

Comment: Re:Hasn't this been known? (Score 1) 160

by maccodemonkey (#48662417) Attached to: Thunderbolt Rootkit Vector

Same thing as a PCI-e / PCI / CardBus / ExpressCard with a boot ROM or flash. They load pre-boot; at least on non-Mac systems you can go to the BIOS and turn off option ROMs / set it to EFI-only mode.

Apple exposes a bunch of pre boot options for the firmware on the command line, but I'm not sure if you can disable pre-boot EFI drivers from there.

Comment: Re:Hasn't this been known? (Score 4, Interesting) 160

by maccodemonkey (#48662393) Attached to: Thunderbolt Rootkit Vector

I'm pretty sure in the case of USB 3 that DMA is a function of the host controller. A device by itself cannot inject into arbitrary memory. This thunderbolt "vulnerability" is the equivalent of the windows autorun on insertion function that was disabled years ago. Only this functions above the level of the current user (aka much worse).

I'm looking up DMA for USB3. Although there are some ways to secure DMA (like a white list of addresses/sizes that are safe to write to), all of the advertised functionality of USB3, such as the sustained data rates, would be very hard to achieve if you didn't have direct access to memory. That's why Firewire ruled for live streaming of data for so long: DMA made its rates reliable, whereas USB's dependence on the controller and CPU for memory transfers made the throughput more flaky.

Comment: Re:uh - by design? (Score 3, Informative) 160

by maccodemonkey (#48662191) Attached to: Thunderbolt Rootkit Vector

Thunderbolt is more like USB to the user - it's a thing you use to connect untrusted devices to your system. You wouldn't expect that plugging in a USB thumbdrive would magically own your system (well, maybe you should, because it's happened in the past, but I think it's fair to say that it shouldn't). You'd think that plugging in a random Thunderbolt device would be designed to be safe. Apparently not: apparently Thunderbolt is unsafe by design.

USB 3.0 has this exact same feature (DMA), so yes, yes you should expect a USB thumb drive to be able to do this.

Comment: Re: Ethics? (Score 3, Informative) 553

by maccodemonkey (#48631961) Attached to: FBI Confirms Open Investigation Into Gamergate

Dude, the entire industry is dirty. Here's a tip: if you're worried about ethics start boycotting every video game.

It's funny how when it comes out that a gaming company acted unethically Gamergaters suddenly lower their standards by a few notches rather than give up their favorite toys.

Comment: Re:Huh? (Score 1) 191

by maccodemonkey (#48612017) Attached to: Apple Wins iTunes DRM Case

Wait, what? People no longer use MP3s? They don't buy iPods?

iTunes, the iPod, and the iPhone (which are either the default software player or the default hardware for most people, especially inside of the US) have been using MP4/AAC for years.

Google still seems to be using MP3 strangely (AAC compresses much better with higher audio quality, and you'd think they would like to save on bandwidth costs), but they could be doing that because they have to support a wider range of devices. Amazon falls into the same category.

So yeah, MP3 is still around, but with 63% of all digital music sold in the MP4/AAC format, it's hard to argue it's the universal standard it once was.

Comment: Re: STEM is for suckers.. at least now. (Score 1) 454

by maccodemonkey (#48467211) Attached to: Researchers Say the Tech Worker Shortage Doesn't Really Exist

You forgot 1812? Or the Civil War? You apparently don't like either side of the Civil War, but there was an entire group of people whose freedom was won at the end of the rifle.

The same holds true of World War II, one of the last cleanly justifiable wars. They weren't US citizens, but there was a large group of people being shoved into ovens whose freedom was won at the end of a rifle.

Normally I'm a liberal against unnecessary war, but the military also has its place.

Comment: Re: Embrace has started (Score 1) 192

by maccodemonkey (#48395787) Attached to: Visual Studio 2015 Supports CLANG and Android (Emulator Included)

The iOS support I've seen so far requires you rewrite any API facing code in the Cocoa APIs. You'll get to do it in C# instead of Swift or Obj-C, but you do have to rewrite.

Not that I'm complaining. I'd hate to see all the Java style train wrecks that would come to the platform from developers blindly hitting recompile buttons.

Comment: Re:They ARE a utility. (Score 1) 706

by hazydave (#48351641) Attached to: President Obama Backs Regulation of Broadband As a Utility

Regulation can lead to higher prices. But that's generally only when that regulation is restricting competition in some way. Like the airlines, or the telco industry back in the days of AT&T as The Official Regulated Phone Company Monopoly.

However, it's the telcos themselves today, in an environment of unprecedented freedom compared to telcos throughout most of the rest of the world, who are keeping the prices high, and that largely by limiting competition on their own. Everyone's basically trying to be Apple -- particularly in wired telecom, they're optimizing for maximum profit per customer, not trying to net the most customers. Verizon's not laying miles of new fiber anymore, trying to reach everyone. And most of these guys are making 40-50% profit margins. Meanwhile, US internet service is #10 in the world... didn't we frickin' invent the Internet?

Regulating certain aspects of the Internet can definitely improve it for every user and most connected companies. There's no need to make things better for Verizon or Comcast... they're doing just dandy. And realistically, an Internet connection is a utility -- this is obvious to everyone. If it weren't for all the money being spent to buy Congresscritters on behalf of the telecom industry, this wouldn't even be a newsworthy thing. Of course it's a utility. Maybe leaving off the Title 2 classification was a useful thing in the early days to make life easier on the ISPs. But twenty years ago, my ISP was a 5 person company run by an old buddy of mine. Now you're probably getting your service from one of the largest communications companies in the country, if not the world. Comcast owns Universal and NBC for f's sake. Verizon made over $30 billion last year.

Comment: Re:Just like "free" housing solved poverty! (Score 1) 262

by NewYorkCountryLawyer (#48265833) Attached to: Power and Free Broadband To the People

You know that you don't have to just add useless and uninteresting words to something that already had substance, right? At least borrow some quotes from Socrates' Dialogues to spice things up: There is admirable truth in that. That is not to be denied. That appears to be true. All this seems to flow necessarily out of our previous admissions. I think that what you say is entirely true. That, replied Cebes, is quite my notion. To that we are quite agreed. By all means. I entirely agree and go along with you in that. I quite understand you. I shall still say that you are the Daedalus who sets arguments in motion; not I, certainly, but you make them move or go round, for they would never have stirred, as far as I am concerned. If you're going to say _nothing_, at least be interesting about it, post anonymously, or risk looking more clueless / foolish. This is why the moderation system is in place, and mods typically don't listen to inanities like "Well said" when deciding on what to spend their points.

1. I'm too busy to sit around thinking up additional words to throw in so I can score "mod" points

2. The people I like on Slashdot are too busy to read a bunch of additional words I only threw in so I can score "mod" points

3. It's not in my nature to waste words, or to waste time
