
Comment Re:Marketplace Justice (Score 1) 69

So, you're home in the evening and your wife calls "Hey, honey, can you give me the credit card number for something I'm buying online?" and you tell her the number. The baby monitor hears.

That's just one example, and not a particularly scary one. Use your imagination. It's not just about whether or not you're home, it's about what information is available inside your house that you don't want shared with random listeners.

Comment Re:Marketplace Justice (Score 1) 69

Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?

They can see and hear a lot of details of activity inside the house, not just the baby. Whatever is in range of the camera and microphone.

Comment This is a real threat (Score 5, Informative) 226

The PDF explicitly mentions DD-WRT as an example of what should not be permitted:

Third-Party Access Control
1. Explain if any third parties have the capability to operate a US sold device on any other regulatory domain, frequencies, or in any manner that is in violation of the certification.
2. What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from “flashing” and the installation of third-party firmware such as DD-WRT.

Wrote a comment.

Comment Re:Programmed behaviour is programmed behaviour. (Score 3, Insightful) 411

It's not a no-win situation. It just means that self-driving cars have to know when to break the rules. They can and should behave like the best of human drivers.

If you program the car to just account for assholes but still drive safely, then it will basically choke in situations like a four way stop in southern California where every other asshole will just muscle or roll their way through the stop.

The current programming of the car handles that situation. Less aggressively than a human would, but aggressively enough to assert its intention to go, and go.

Comment Re:Programmed behaviour is programmed behaviour. (Score 3, Insightful) 411

Program to take account of these things, or don't plan on driving on the road.

Duh.

Technology in development is imperfect. Big surprise. These issues are why Google hasn't yet started selling them to the public. None of them are insurmountable, but it takes a lot of time and effort to build sophisticated systems.

What if that was a cardboard box and it swerved heavily in case that box "pulled out"?

The cars can easily distinguish between a cardboard box and a vehicle. Determining whether or not the vehicle has a driver in the seat and might move... that's often impossible. Likely the reason that the car swerved sharply rather than braking earlier is because the badly-parked car was obscured by other obstacles.

If it can't make its way through a junction where the drivers are following the rules, that's bad programming.

Six year-old programming, note. The article mentions that the current version of the software inches forward to establish intent to move.

and potentially weighs up collision with non-hazard vs collision with small child and gets it wrong

Google cars recognize pedestrians (of all sizes) and regularly notice them even when no human could. I'm sure the car would choose to hit another vehicle over a pedestrian or cyclist.

Really, your whole comment is a mixture of outdated information buttressed by invalid assumptions and layered over with a veneer of blindingly obvious conclusions.

Comment Bring it on (Score 1) 411

The truth is most people suck at driving. Genuinely good driving takes effort and concentration and most people however skilled or well-intentioned have got other stuff on their minds when they get behind the wheel. There's no hope of ever getting people actually to drive according to the rules so the only way is take the human driver out of the loop completely and the sooner the better.

Comment Re:really... (Score 1) 609

Both Mormons and Muslims claim that their Scriptures are merely copies of documents which came from heaven.

Actually, I don't think either claims that. I know Mormons don't. Mormons claim that the Book of Mormon was written by a series of prophets. The prophets were inspired, but wrote in their own words. Same as the Bible. The difference is in the method of collection and translation, not the method of authorship.

I think it's the same for Islam. Muslims believe Mohammed was a prophet, so his writings were inspired by Allah, but the Koran contains his own words.

Comment Re:A govt employee charged with a crime? Shock!!! (Score 3, Insightful) 81

That Shaun Bridges was even charged at all is amazing. He's a government employee, and in most of the world it's very rare for government employees to be charged with a crime because fellow government employees refuse to prosecute them. Thank your lucky stars, America, you are not like Australia where the press reports alleged corruption, the police ignore it, and it piles up and up and up: https://archive.is/KUTAy#cases

Nah, it's pretty much the same in America.

The difference in this case is the nature of the crime and the victim chosen. No, not Ulbricht. The victim was the federal government, because they were going to seize that money anyway. You steal from the government, or attack the government in any way, they're going to drop the hammer on you. If your victim is an individual, well, it depends in large part on the socioeconomic status of that individual. A government employee can get prosecuted for killing a poor black man, for example, but it's rare. If you're a government agency and your victim is the entire nation, you're almost certainly going to get away with it. At most you'll be told to stop, but no one will be going to jail... well, except the guy who ratted the agency out. There's a good chance he'll go to jail, if he can be caught.

Comment Re:Headline leaves out one very important detail (Score 2) 209

The technical term for jailbroken, insecure versions of iOS is "Android."

That's a common belief. In practice, I don't think it's true. In particular, although the Android world sees lots of announcements of vulnerabilities that affect X hundred million devices, the actual exploitation doesn't seem to follow. One reason is that many of the vulnerabilities aren't actually as widespread or are harder to exploit in practice than the researchers describe. Another is that the diversity of the Android ecosystem often means that an exploit has to be customized for each different manufacturer and model, making broad exploitation harder. A third is that Google is often able to successfully mitigate vulnerabilities with the Play store, Verify Apps and updates to the Play services app. There are other reasons as well.

Whatever the reasons, it's interesting to note that we don't see reports of large numbers of Google accounts being compromised via Android vulnerabilities. I'm not claiming that's impossible, and it wouldn't shock me if it happened tomorrow, but the fact that we don't indicates to me that there is actually more right with the Android security situation than is commonly believed. The low real-world malware numbers disclosed in Google's Android security "State of the Union" report further buttress that view.

(Disclaimer: I'm a member of Google's Android security team. I'm speaking only for myself, not for Google.)

Comment Re:Headline leaves out one very important detail (Score 5, Interesting) 209

I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

It's worth pointing out that if you root your Android device you're doing the same thing, breaking through a wall. That's fine if it's what you want to do, but you are giving something up in terms of security.

As a member of the Android security team, I'm involved in lots of discussions about lots of different threat models and attack vectors, and while we do think about trying to maintain security on rooted devices, I'd say that 90% of the time we end up deciding that we just can't, so "device is running an official image[*] and is not rooted" becomes a foundational assumption of the analysis.

This isn't because rooting is inherently bad, or because we're trying to control users' devices, but because it's impossible to reason about security in a vacuum. You have to know what you can depend on. For example, we might argue that apps can't break out of their sandbox in a particular way because the information they need to do it is managed by a particular system daemon which validates access in a particular way... but in a rooted device that daemon may be modified, or simply bypassed. We just can't know that stuff is still working the way it's intended to. Some members of the modding community do an outstanding job of adding flexibility without breaking the security model, but many others don't.

Ideally, devices should provide enough native flexibility to allow users to achieve what they want while staying entirely within the normal mode of operation. In the case of Android that means staying within Google's "walled garden": install apps only from the Play store, keep Verify Apps enabled (and follow its recommendations), don't root, definitely don't disable SELinux, etc. Where that ideal fails, and users want to do stuff that can't be done in the garden, they should have the option of stepping out of it, and they should be able to do so in a progressive way, not all-or-none... but each step they take increases the probability that they'll change something that violates a security assumption and thereby increases their risk of compromise.

I suspect that Apple security engineers even more strongly assume that devices are not jailbroken. That's just a guess, but it's consistent with the general philosophy of iOS and, if correct, it means that jailbreakers have even less expectation of security. iOS users also live in a software monoculture, which exacerbates the risk. (Android users get security benefits from ecosystem diversity, though there are obvious costs to that diversity as well. Including the update problem.)

[*] Note that given the state of updates in the Android ecosystem, we often don't assume that the device is running an up to date system image. From our perspective that's often easier to work with than a rooted device because at least we know how it behaves and can look at trying to mitigate risks at other layers. We're also working on the update situation, but that's hard given the nature of the ecosystem.

Comment Re:Great experience (Score 1) 182

Google knows my location due to my use of Google Maps

Google receives the map tile requests, etc., but if location history is turned off nothing about it is stored. I have no idea what your cell provider may store, though.

Again, I actually like the location history. I find it convenient to be able to look back and see where I was at a particular date and time. But it's under your control.

Comment Re:Great experience (Score 1) 182

I really have no concern about sharing it with Google, because no one is ever going to see it.

Well, an individual person doesn't need to see it. If they're willing to use searches to send people job offers and ads, what else can they automate?

They can also remind you when it's time to leave for an appointment, and that you have a coupon you can use at the store you just entered, and that your wife's birthday is coming up, and much, much more... but only with your permission. If you don't want it, turn it off and delete the data. Google provides the tools.

And what happens when Google has a breach or a bad setting? Remember when Google signed people up for G+, and a lot of private data got exposed.

I think you're thinking about Buzz, not Google+. That was bad; Buzz auto-friended contacts, exposing relationships. The fact that that's the worst thing that's happened, and that happened before all of the internal privacy review policies were put in place is pretty indicative, IMO.

As for a breach... nothing is impossible, but I spent 15 years as a security consultant to US corporations, mostly banks, and Google has dramatically better security systems than anyone I ever saw. I'm not worried about my data at Google.

However, if you are I highly recommend going to your Google account dashboard and deleting whatever information there you're concerned about.
