Comment: I worked on the ConnectedDrive system (Score 4, Interesting) 83

While I do not work for BMW directly, the company I work for does do projects for BMW. One of the projects I worked on was the iOS app which is part of this ConnectedDrive system.

To be precise, for the 'old' version of the app (My BMW Remote App) for non-i models we started off with this black box library (CD lib) which handled all the communication with the BMW servers.

While I didn't do any protocol analysis or look at the communication between car and servers, even for this iOS app it was pretty clear to me and my colleagues what the security implications would be if someone were to be able to obtain log-in data just for that part of the communication.

Depending on the market (America, Europe, Japan, etc.) there are some limitations to what one can do with the app (based on the type of account, IIRC), such as from what range one can see where the car is on a map and whether one can unlock doors with the app or not (not allowed in the US market, from what I recall). Where these limitations are enforced I'm not sure. It might be based on the server, in which case this hack would bypass such limitations as well.

At any rate, this security leak does demonstrate quite succinctly how important it is to properly security audit such systems before releasing them into the wild. Even for the current project I do for BMW (related to the headunits), having an active internet connection means that security is essential, including plugging buffer overruns and similar.

Nobody wants to have one's headunit go blank during navigation, in a constant reset cycle or be turned into a spying device, after all :)

Note that I'm still under NDA for all of these projects, so I can't go into much detail.

13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites 149

Posted by timothy
from the watch-your-bill dept.
The Daily Dot reports that yesterday a "group claiming affiliation with the loose hacker collective Anonymous released a document containing approximately 13,000 username-and-password combinations along with credit card numbers and expiration dates." Most of the sites listed are distinctly NSFW, among other places, but the list includes some of the largest retailers, too, notably Amazon and Wal-Mart.

Comment: Not really an 0day exploit (Score 5, Informative) 83

by El_Muerte_TDS (#48677631) Attached to: Lizard Squad Targets Tor

Either way, @LizardMafia's Tor relay attack isn't new. There's a paper on how Tor loses anonymity if over 50% of relays are compromised.


I was going to go with botnet, but many LizardNSA relay IPs appear to route back to Google Cloud. Thousands of tiny VMs at low bandwidth?


You can see this whole list of Tor nodes here: https://torstatus.blutmagie.de...
All Lizard nodes resolve to *.bc.googleusercontent.com

Comment: Re:Are there any good alternatives? (Score 4, Interesting) 184

by El_Muerte_TDS (#48559901) Attached to: Swedish Police Raid the Pirate Bay Again

iTunes does not work on my 10 month old Panasonic "Smart" TV, or Linux based HTPC, or Sony PS3. Amazon only recently started selling ebooks here, nothing else. Netflix is great though, now if they can finally convince content providers to license them more content.
So what are these alternatives?

Comment: Human Intelligence (Score 2) 68

by Elledan (#48441045) Attached to: Upgrading the Turing Test: Lovelace 2.0

All I can think of while reading up on the Turing and related tests is how many humans would fail such a test.

With the many assumptions made about what constitutes 'true' intelligence, how sure are we of the assumption that a human being of at least average intelligence would pass it? What's the research telling us there so far?

Or are human and artificial intelligence somehow considered to be mutually exclusive?
