Forgot your password?

Comment: Re:This is just a repeat (Score 1) 133

The very LAST thing I can use is a yes-man. Then again, my job is security. I need people who have the balls to stand up against self-important board members who can't identify and threaten them with termination (amongst more unpleasant things) if my security people don't overlook said board members' blunders.

Comment: Re:This is news? (Score 1) 191

> So you prefer the risk of massive law infringement, including invasive species smuggling, drug running, and terrorism, to a 5% risk that somebody who shouldn't know about Natalie Portman's meal choices finds out whether she's keeping Kosher? No operation on the scale of COINTELPRO could come from the TSA, because the TSA doesn't have the resources to pull it off.

I'm afraid that's a straw man argument. It's not been shown that the massive metadata gathering on USA citizens has been effective against any of those. Where are the convictions? NSA data gathering, in fact, is not supposed to be applied to domestic communications. It's far more useful, and demonstrably so, for internal political abuse. Look at the history of the Stasi for examples of how decades of broad information gathering can be used against moral, law abiding citizens.

Decentralizing the databases, spreading them out, is actually a good goal. Broad, flexible databases with large amounts of data are much easier to steal, and much easier to abuse, than smaller, isolated systems. That's a harsh lesson from decades of security work. And "random searches" are much safer than having it all stored in a central database where it can, and it _will_ be used for political and personal abuse.

Comment: or not ... Re:Secure pairing is hard (Score 1) 116

by davidwr (#47505359) Attached to: The "Rickmote Controller" Can Hijack Any Google Chromecast

unless at least one party knows who it's supposed to be talking to & can independently verify the other party's identity and the integrity of key-exchange traffic supposedly taking place with it,

For short-range communications between devices operated by human beings, this isn't as hard as one might think.

Let's say I want my cell phone to communicate with a kiosk at McDonald's, without having to rely on the phone network to do the authentication.

Behind the counter, McDonalds has a poster-sized, easy-to-photograph representation of the kiosk's public key.

Now to exchange keys, I walk up to the kiosk and press a button. It puts a random picture on the screen. My phone takes a picture of it, combines it with a random picture I create, my public key, and a suggested random private key, then it encrypts it with the kiosk's public key. My phone tells me to turn it towards the kiosks's camera. It displays the random picture the kiosk created for a few seconds, then the random picture I created for a few seconds, then a pictorial representation of my public key for a few seconds, then a pictorial representation of the entire encrypted message for a few seconds. After all of this is done my phone tells me to flip it around again. The kiosk sends me new shared key that is based on the suggested shared key that I sent to it, but this time it is encrypted with my public key.

Now we can talk and I can place my order and provide my credit card information securely.

This all works because I got the Kiosk's public key from a trusted, independent source - the sign behind the counter that some human being put up and which the McDonald's employees would've noticed if it had changed recently (e.g. if a hacker had replaced the real sign with his own fake one and concurrently replaced the kiosk's public key with one he controlled).

By the way, this is a hypothetical example - there are easier ways to buy burgers than to spend half a minute or more playing "can we trust each other" with a kiosk.

Can this method be defeated? Yes - but you defeat it by removing the assumption that the McDonald's employees are paying attention to their surroundings for any suspicious changes and the assumption that the McDonald's employees are loyal enough to their employer to not "look the other way" if they notice a change or worse, collude with each other to BE the "man in the middle." But at this point, it's no different than walking into a bank and dealing with a crooked bank teller.

Comment: Re:Where's the factory-reset button? (Score 1) 116

by davidwr (#47505233) Attached to: The "Rickmote Controller" Can Hijack Any Google Chromecast

Please forgive me for taking the article summary at face value when it said

If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.

The only way that could be true is if there was no properly functioning hardware reset button.

I've been around /. awhile, I really should know better than to assume article summaries are accurate.

Comment: Re:People need to read comment threads (Score 1) 203

by CRCulver (#47504485) Attached to: Verizon Boosts FiOS Uploads To Match Downloads

This statement just reeks of "noob".

I've followed ./ since 2001.

While trolling was greater, there was a larger diversity of troll posts, from "BSD is Dying" to the GNAA, from Last Measure to "Batman Touched My Junk". Now it's basically down to the two trolls I mentioned in my post above (there are also some mentally ill people who repeatedly post, but I prefer to consider them separately). I suppose that changes in Slashcode made it harder to crapflood, but I'd really like to see a return to the ingenuity of trolls of yore.

Comment: Re:Why are Zorro cards worth anything at all? (Score 1) 170

by drinkypoo (#47504233) Attached to: The Almost Forgotten Story of the Amiga 2000

Nice try, and I'm sure you can impress a few kids who never experienced the Amiga era, but to me you only look like a fool. You know what was really cool at the time?

Yeah. Having an Emplant board. I've owned several Amigas, and hung out with several other Amiga owners. Blow it out your arse sideways.

Comment: Where's the factory-reset button? (Score 3, Interesting) 116

by davidwr (#47503691) Attached to: The "Rickmote Controller" Can Hijack Any Google Chromecast

If the hacker leaves the range of the device, there's no way to regain control of the Chromecast.

Where's the factory-reset button when you need it?

Consumer-electronics that aren't so cheap they are "disposable" should have a "reset to last known good state" hardware button and for some types of devices, a "save current state as known good state" hardware button. If the second button is missing, the "factory fresh state" will forever be the only "last known good state."

The second button is needed for installing "bios-level" anti-theft software and the like that can't be undone by the first button, if the customer wants to make that software non-uninstallable by a security-savvy thief should it be stolen.

For some products, one or both of these buttons may require opening the case and breaking tamper-evident seals, but they should exist, and they should be true hardware buttons, not defeat-able by software.

They need to be hardware buttons so a virus or malware doesn't "press" them, defeating the purpose of being able to "roll back" the machine to a previous state.

Comment: Secure pairing is hard (Score 3, Informative) 116

by Animats (#47503637) Attached to: The "Rickmote Controller" Can Hijack Any Google Chromecast

This is a general problem with devices that are "paired". How do you securely establish the initial connection, when neither side knows anything about the other?

The secure solutions involve some shared secret between the two devices. This requires a secure transmission path between the devices, such as typing in a generated key (like a WPA2 key) or physically carrying a crypto key carrier to each device (this is how serious cryptosystems work).

Semi-secure systems involve things like creating a short period of temporary vulnerability (as with Bluetooth pairing). There's a scheme for sharing between cellphones where you bump the phones together, and they both sense the deceleration at close to the same time.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (9) Dammit, little-endian systems *are* more consistent!