Comment: Cut the cable (Score -1, Offtopic) 179

by PopeRatzo (#47734521) Attached to: "MythBusters" Drops Kari Byron, Grant Imahara, Tory Belleci

What is this, a TV show or something?

I love not having cable. It's one of the most liberating things I've ever done. With the time I saved by not watching TV for the past seven or eight years, I've learned to play jazz pretty well, and my eyes don't burn in the morning from staring at stupid television for hours. I'm not a great player by any means, but I'm good enough to play out at clubs with professionals. It's not that I'm at a high level, but I can hold my own, and people like it. Learning to improvise jazz as an adult has really lit up parts of my brain that were sitting dormant for decades, and that's a good feeling. All because I decided to ditch TV.

From what I can tell, the past seven/eight years have been nothing but reality TV, dramas with titles that are acronyms, and shows where you pay a subscription AND get commercials. Really high quality stuff, like Deadwood or The Wire, I'll get when it comes to Netflix or via other means, but I'd have to be so interested in it that I'm willing to go look for it. The thing that was the killer for me was when I found myself flipping through channels looking for something to watch. There just seemed something really wrong about that.

Anyway, if this is some big show for nerds where they confirm your bias about the world, I hope the changes turn out to your satisfaction. Back in the day, I was an avid TV watcher. I seem to recall something about a cartoon about a family where the father was stupid, the son a smart-ass who rode a skateboard and the mom had big blue hair. It's probably not on any more, because the guy who did the voice for the really old rich guy who owned the nuclear plant where the stupid father worked would now be almost as old as, what was his name..."Mr Burns", I think. I don't look down on people who watch television, it's just not for me any more. I suppose it's something of a social hindrance though, because all I can do is have a quizzical expression when someone mentions some show like "Iron Chef", which I assume is about a super hero.

Comment: Re:Simulations are limited by imagination (Score 1) 127

by PopeRatzo (#47734119) Attached to: Google Wants To Test Driverless Cars In a Simulation

Real life is far more creative than any scenario designer.

Ain't that the truth.

This is why I don't see everyone in driverless cars in any of our lifetimes. I'm thinking it's at least 70 years out. And not least because a) who's going to pay for all the necessary infrastructure? and b) shared liability will make it a nightmare.

Maybe first let's see if we can have a driverless NASCAR race without crashes. And then I want to see the CEO of a driverless car company put his kids in the car and send them on a coast-to-coast road trip, including LA at rush hour, Chicago's Dan Ryan Expressway Southbound at 3:30am and on small roads crossing the Appalachians.

Comment: Re:tl;dr (Score 1) 69

by vux984 (#47733761) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Although I agree with you in general, the thing is that you need to think of what the effects of a false positive are. Imagine starting up your game of solitaire and then seeing a Gmail-like login window.

I'm not an android dev.. but on platforms I do write for, any app can determine the name of the foreground process/task.

So the worst that happens, is an oddly timed credentials box for the app you WERE using. That's going to set off far fewer alarm bells than you would think.

Comment: Re:tl;dr (Score 1) 69

by vux984 (#47733527) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Everybody knows that 'carefully designed timing' and generalisable match very poorly.

Agreed -- however, a visible glitch or hiccup -- would that really set the majority of Android users on guard? I'm skeptical.

Honestly, the entire timing element is almost superfluous; for a large number of users simply throwing up a phishing screen while they are IN another app would garner high success rates.

Launch Gmail app... Popup "connection to server failed", "please enter username password". It would be horrifying to see how high a success percentage that gets you.

This attack is impressive in that it generates 98% success rate at detecting and invisibly injecting its phishing screen 'just so'. But honestly -- they'd probably snatch a shockingly high portion of credentials simply timing the popup to coincide with 1-2 seconds after a given app starts for a large number of apps.

Granted the sophistication of a finely tuned and well crafted attack would mean even I'd fall for it without being any wiser, and it enables them to go after some more complicated apps, in more complicated scenarios. And yes, a finely tuned profile using knowledge about the particular model of phone, and particular application set etc are required to pull it off.

But the reality remains that the low hanging fruit (dumb users + easily predictable apps) is going to be very easily harvested.

Comment: Re:Blast from the past (Score 3, Insightful) 69

by dgatwood (#47733347) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Then it's using pre-calculated patterns of the shared memory usage (presumably allocation order, sizes allocated, NOT the actual memory contents etc) to guess what the user is doing in the other app. Then, when it detects a pattern that corresponds with "I'm about to log in" it pre-empts the app with its own phishing login screen skinned to look like the original. The user is -expecting- a login screen to pop up, and one that looks right does... so they enter their credentials.

Really? Android allows one app to take control of the screen and become foreground without explicit user interaction? There's the security flaw right there. The shared memory stuff is noise by comparison.

Comment: Re:Blast from the past (Score 3) 69

by vux984 (#47733231) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Memory allocation is still controlled by the OS. (At least insofar as apps request memory from the OS, and release it back to the OS).

Normally, an app would have no need to know what another app was doing with memory. However, the instrumentation for another app to track the memory usage of another app exists and is not restricted to elevated / trusted apps.

Clearly it should be.

I can't honestly imagine what a regular app would need this for anyway. It's very much a 'task manager' or 'debugging tool' class of information - and only developers and system level apps need this information.

That along with the fact that apps should not be able to pre-empt each other and go into the foreground on their own. (iOS apps for example, apparently can't pre-empt; unless they have exceptional permissions (e.g. sideloaded by developers or enterprises or if the device is rooted/jailbroken) so on iOS even if the app can determine the app activity, it won't be able to pre-empt it with its phishing screen.)

Comment: Re:tl;dr (Score 3, Interesting) 69

by vux984 (#47733097) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

An immediate work-around would be to randomly place the log-in screen within a pre-determined area such that the hostile app would be unable to immediately overlap it. The double image will tell the user something is wrong.

The double image will tell the user something is wrong.

How is that a work around?

It's a phone. The login 'window' is going into a 3" to 5" space and is full screen in nearly every implementation. The 'popup' that the hostile app preempts simply covers the whole screen.

All in all not a particularly powerful attack vector.

Quite the opposite. It's a very powerful attack vector; and given the surprisingly good ability to time the pre-emption a very dangerous one.

Comment: Re:Blast from the past (Score 5, Informative) 69

by vux984 (#47732993) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Blocking access to the memory space of other processes has been a solved problem since timesharing in the '60s and '70s, right?

Sure it was. That isn't what is happening though.

It's not accessing the app's memory itself. It's accessing the shared memory *statistics* of a process.

Then it's using pre-calculated patterns of the shared memory usage (presumably allocation order, sizes allocated, NOT the actual memory contents etc) to guess what the user is doing in the other app. Then, when it detects a pattern that corresponds with "I'm about to log in" it pre-empts the app with its own phishing login screen skinned to look like the original. The user is -expecting- a login screen to pop up, and one that looks right does... so they enter their credentials.

I assume they...

All your assumptions and proposed solutions were completely wrong.

The solutions are:

a) to remove untrusted apps' ability to monitor memory USAGE statistics
b) to remove untrusted apps' ability to pre-empt the screen.
c) better permissions controls and better CURATION limiting
d) it may also help to let apps enter 'critical sections' that cannot be preempted by other apps (?)

Comment: Re:Apple (Score 2) 210

by Opportunist (#47732519) Attached to: When Customer Dissatisfaction Is a Tech Business Model

That's because Apple can afford this. Apple customers are not the "gimme discount" crowd that is flooding the countries (don't think I'm lashing out at the US, it's entirely the same crap in Europe here).

People don't give a shit about quality anymore. Maybe because they're too used to getting quality that's on par with what they need. Customer protection laws pretty much ensure that getting swindled is getting harder. So whatever you buy, there's a good chance that it will work, at least initially, because you could take it back and get your money back if it didn't. Sure, it will break in a year or two (or whatever the laws of your country dictate it must work so you can't take it back and make the vendor eat it), but at least it works NOW, and who cares what's going to be in 2 years.

So people want cheaper. Because, hey, if that $no_brand laptop costs just 300 bucks and that $quality_brand costs 800, and they have the same CPU, same memory and same screen size, who in their sane mind would get that $quality_brand one?

Of course they'll complain as soon as (not if, not even when, AS SOON AS) that shoddy piece of plastic junk falls apart and they spend 3 hours in automated phone system hell to talk to Bob who has a weird accent that you can't quite pinpoint, but sounds like it would be Bangalore or Calcutta, who gets your data all wrong and messes up your mail-in repair request so you can have your laptop back within 6-8 weeks. Probably even repaired. More likely you get another one that someone else sent back in.

But that's what those other 500 bucks paid for in that more expensive laptop. Those 500 bucks paid for the guy that shows up at your door a day after your call to Bob (whose accent you can't quite put but you'd guess Kansas or Iowa, but at least he picked up at the second ring), hands you the replacement laptop where you just have to plug the hard drive (which you can easily take out of the laptop, unlike that $no_brand one where you'd probably need a CS degree, not to mention that taking the drive out would void the warranty) in and you're back in business.

But we want cheap.

So we get cheap.

And cheap is rarely if ever high in quality.
