Forgot your password?
typodupeerror

Comment: Re:ATMs (Score 1) 386

by Halo- (#35418874) Attached to: $30 GPS Jammer Can Wreak Havok

Why would ATMs need GPS for accurate timing?

They don't. Article is wrong.

There is a strong trend recently to install GPS-based trackers inside the unit, and if they start moving, call the cops on the included cellphone.

Assuming you're not using the jammer to steal the unit, the only other use for jamming the GPS, is as a denial of service.

Actually, if you read the article, they do need accurate timing:

"And ATMs sometimes communicate wirelessly, using a time-based encrypted code that requires synchronisation."

Using a cryptographically secure PRNG seeded from a known time as an authentication token is a well-known, and frequently used technique. For example, many of the "keyfob" type tokens such as the RSA SecureID things. (Which didn't use GPS, and instead used an internal clock and server-based skew tracking if I recall correctly, but the the principle is the same.) I don't know enough about ATMs to weigh in on what schemes they actually use for authentication and encryption, but it certainly is plausible some could use a time-based, GPS-driven scheme. And, as a bonus, you then have a GPS in the machine for tracking. :)

Comment: Re:Persistent myth? (Score 1) 705

by Halo- (#35271974) Attached to: Why You Shouldn't Reboot Unix Servers

... what are you talking about? You know forward slashes don't need to be escaped, right?

grr.... of course there don't. However, as a long-term Unix-only developer, my fingers pretty much type forward slashes for paths, even when trying to write an example of backslashed paths.

But, if you replace my forward slashes with backslashes, my above example holds. :)

Comment: Re:Persistent myth? (Score 1) 705

by Halo- (#35270684) Attached to: Why You Shouldn't Reboot Unix Servers

Going the other direction, I can't count the number of times I've seen clueless software devs writing software for Windoze -- usually former Unix devs -- who use double backslashes in their pathnames, e.g.: ...
#if !defined(WIN32)
FILE* fp = fopen("/path/to/a/directory/filename"...);
#else
FILE* fp = fopen("\\path\\to\\a\\directory\\filename", ...);
#endif ..

(Not to mention the Java System.file.separator being "\\" on Windows.)

And before some twit tries to claim that those are actually not incorrect, let me remind you that command.com and cmd.exe are not the C/POSIX APIs and programming at the C library level has allowed the '/' path separator since DOS 2.0 (and probably even DOS 1.0 too. And yes, either one works, but '\\' is not necessary and it's a POS pattern that too many people follow because they don't or can't read the docs.)

I'd argue that have a variable which might end up being used in a string context not being properly escaped is a pretty sizable mistake.
For example:

const char* filename = "/wow/windows/lets/me/fopen/without/escaping/this";
#if !defined(WIN32) FILE* fp = fopen(filename,...);
if(fp == NULL) {
fprintf(stderr,"Failed to open %s\n",filename); // ut-oh...
}
...
#endif

Comment: Why allow such shoddy programming? (Score 2) 89

by Halo- (#34501610) Attached to: Chevron Got North Sea Contract Despite IT Safety Crashes

In Chevron’s North Sea drill, the oil firm said the spill modelling software usually crashed when left to run for long periods of time, adding that this was typical of standard industry systems.

If your software crashes when run for long periods, the root cause is almost always one of the following:

  • Memory Leaks
  • Boundary Overflow/Underflow (of either buffers or types)
  • Race Conditions

None of these should be present in the "standard industry systems" of multi-billion (trillion?) dollar industries, especially if they pertain the safety systems. Memory leaks and boundary overflow/underflow are trivial to avoid by any programmer who takes the time to code defensively. Race conditions can be a bit harder to detect and avoid, but they are a less common issue, and handling them is well within the expectations of even a newly-graduated programmer.

There are also more esoteric error conditions. For example, in locations which are higher above sea-level, the "average neutron flux density" (i.e. number of cosmic rays hitting your chips) is higher, and thus the incidence of random transient faults in electronics is higher. It is not unheard of in large computer clusters to have the occasional bit-flip error in RAM due to a random cosmic ray. At the same time, these systems have built-in checkpointing, and when for whatever reason the running software develops a fault, the entire system can roll back to the last known good checkpoint, and restart.

Serious customers would never accept a system or simulator which exhibited the sorts of problems these "industry standard systems" seem to be plagued with. More to the point, I have worked indirectly with some petroleum companies on simulation software, and know for a fact the acceptable "unrecoverable error rate" was written into the contract in a very forceful way. Then again, the simulation software was being used to locate oil, so I guess that says something about the industries priorities. (And it was designed to run on a "real" cluster)

Comment: But is there a "right" to impartiality? (Score 0) 193

by Halo- (#34388056) Attached to: Google Faces EU Probe Over Doped Search Results
I'm not in favor of Google "weighting" their search results in favor of their own interests; however, where does it say they have to be impartial? A search engine is fundamentally a "weighting" engine, and what makes (made?) Google more successful is that the public (in general) agreed more with their method of weighting results and with other engines. If the quality of the results (as perceived by the users) falls off, then other search engines will become more popular.

Comment: Re:Only link that matters (Score 2, Informative) 191

by Halo- (#32828834) Attached to: 'Robin Sage' Social Hoax Duped Military, Security Pros

I actually find it rather odd that they choose that picture. I know pretty much instantly that if I get a friend request of a girl in a bikini - unless I know her instantly I know it's just spam and ignore it.

If you read the article, you'll see the picture was intentionally chosen to throw up some red flags. FTFA:

He purposely left several clues that Robin was a fake, including choosing a woman who appeared to be Eastern European and a potential spy, he says.

Comment: Re:Dr. Joshua Wurman.... (Score 3, Interesting) 402

by Halo- (#32618500) Attached to: Tornado Scientists Butt Heads With Storm Chasers

This just sounds like sour grapes. You could see the annoyance on the part of the "funded" scientist when that little no-name crew successfully flew a model airplane around a tornado and dropped sensors into it. The fact that was done on a budget put together by selling Tornado videos to news channels sounds like a win/win for me. Took none of my tax dollars, and reaped novel data.

I think you are seriously blurring the line better "serious amateur" and "asshat with his kids in the back of his pickup truck".

While I agree that banning storm chasing is stupid, there is a huge difference between someone with a thought-out (if unfunded) passion, and some yokel who sees a tornado on TV, and loads all his kids in the car on a whim.

Just because you have a "right" to be somewhere or do something, doesn't mean you should. Especially if your actions take away from others. And yes, I am saying that in the case of storm chasers, the guy with IMAX camera, or bad-ass RADAR is more special than you. Why? If those guys get a peek, everyone can benefit from it. If Cletus Q. Localhick drives the ol' F150 right into the tip of the funnel and takes some crappy iphone pictures, I don't see the payoff for the rest of humanity being as large. (Unless Darwin comes out to play)

Comment: Re:I suspect this was totally legal (Score 1) 317

by Halo- (#31753130) Attached to: Facebook Crawler Speaks Back
Making physical analogies to Internet issues always runs into problems, since eventually the differences between "real" and "virtual" start becoming obvious. However:

You can go into that store and take as many pictures as you like. You can go into the store, take pictures, and then write a story about what you think of the store.

Actually, I don't think you can. Well, you can go in and start taking pictures, but can be asked to leave or be declared trespassing.

And the fliers my be on FB's property, but they're posting the fliers to the outside of their wooden fence. I can take pictures of that and post them on the internet as much as I like. You have no right to privacy in public. FB posts data in a public forum. They have not right not to have pictures taken and redistributed.

I think this is mostly right in spirit. The issue here is not so much "right to privacy" but of "usage agreements". Facebook is trying to have it's cake and eat it too here. Essentially, they want to say: "you can stand on the sidewalk and look at the stuff on the fence, but you can't look TOO much, and you can't tell people what you saw" which doesn't work. Facebook has no authority over what you do while standing on the "sidewalk". If the guy was using a crawler which required him to "log in" then Facebook may have a point, but if he was making generic "public" requests, they do not. (In my completely-not-a-lawyer opinion)

Comment: I suspect this was totally legal (Score 3, Interesting) 317

by Halo- (#31747628) Attached to: Facebook Crawler Speaks Back
I am not anything even approaching a lawyer, but I suspect his actions were probably legal. The Internet is a public medium, unless you specifically put walls around content, it has the same protection as if you posted fliers on a physical bulletin board in a public place. Yes, you retain copyright over your content, but you have ZERO ability to say "by reading this, you agree to additional terms". If I want to produce a review of all the fliers posted around town, I can. If I want to make excerpts (within "Fair Use") I can. Pretty much the only thing I can't legally do is deface them or copy them outright. Unless he was doing this from a logged in account, I can see how they can limit what sorts of derivative works he makes. (So long as the derivative doesn't violate copyright)

Comment: Mechanisms exist to prevent these "attacks" (Score 1) 168

by Halo- (#31627840) Attached to: Government Could Forge SSL Certificates

A lot of these "attacks" can be prevented by properly implementing your PKI. For example, some of the articles (and several commenters) make mention of "using a Root CA to generate sub-CA's which then generate rogue certs". Sure, the system allows this to happen, but it also provides constraints to prevent it. One of usual "basic constraints" (which is an X.509 attribute) of a certificate is: "Max path length" which means: "how deep can a signature chain extend from me, if I am trusted" For most people, there should never be a trusted CA in their keystore which has a max path length greater than 1. (Meaning it can vouch for others, but those others cannot vouch for a second level of trust).

Additionally, all X.509 certificates contain a "Key Usage" field, which specifies what the key can be used to validly sign. For most people, they should never have a certificate in their root store which has the "CA signing" bit set. This is another way to prevent a "trusted" CA from creating a rogue CA which can then issue bad certs.

Finally, there are multiple methods for checking if a certificate is still trusted as part of a regular, ongoing, and sometimes even per-use basis. (OCSP, CRL, etc...) In the past, when I worked on PKI's, these often weren't implemented, but increasingly they are today most browsers support them. (Which is not to say browsers are the only users of X.509 certs.)

What this should mean is that as soon as evidence emerges that a formally "trusted" CA has done something shady, it can quickly be disabled in the field.

In a perfect world, a CA should be sufficiently incented by the threat of being "revoked" via OCSP or whatever that it would never entertain the idea of creating a rogue cert. Imagine the pressure on a large CA like Verisign if they got a root cert yanked. Suddenly ALL of their customers get labeled as compromised.

Comment: Small vs. Large problems (Score 4, Insightful) 622

by Halo- (#31168536) Attached to: US To Build Nuclear Power Plants
No one will say nuclear is without serious drawbacks, but modern reactor design has pretty much reduced those to a single large "what do we do with the waste?" issue. I would rather have a comparatively small amount of containable waste and eons of time to figure out how to make it "go away"(TM) then have much larger environmental impacts which aren't so simple. It's reasonable to expect the human race to come up with a way to render a few hundred tons of radioactive waste inert in the semi-near future. It's much less reasonable to expect us to figure out how to scrub (billions/trillions/quadrillions?) tons of CO2 and other nasties out of the atmosphere, and deal with the other larger scale issues coal/oil/gas produce.

Comment: Re:No, Seriously... (Score 3, Informative) 651

by Halo- (#30768816) Attached to: Google Attackers Identified as Chinese Government
I doubt this had anything with them doing business in China. Google is a big, juicy target. This attack would have happened even if Google had been giving China the finger for a long time. In fact, it would have been more likely, since China was apparently after information of people who disagree with Chinese policies. What's interesting, is that rather than saying: "Yeah, well, we got hacked, what can you do?" Google is actually looking to smack them.

Comment: Re:So to everybody complaining ... (Score 1) 621

by Halo- (#27688669) Attached to: Time Warner Cable Won't Compete, Seeks Legislation

For all those complaining about TW and Embarq's business practices, how many of you are currently using TW or Embarq - regardless of where in the country you are located? How many of you are planning to cancel your service along with a clear and concise letter stating that you are leaving them in disgust due to their conduct in North Carolina?

Okay, so they write a fantastic letter, discontinue, and then go where? This is the crux of the issue. Businesses like TW and Embarq are virtual monopolies. In the case of this town (and many, many others) there is no other option. Either pay them, or use dial-up (which still would require a phone line provided by one of these people usually...) "Voting with your feet" is great, but in this case the only other option is standing outside in the cold.

OS/2 must die!

Working...