
Comment Re:WTF??? (Score 1) 109

No, I'll make this explicit: this is a web-cam, pretending it's a security/alarm system.

Buy a nanny cam. Buy a better door lock. Buy a dog.

This is about the same level of protection that a typical alarm company offers you.

I very much doubt a typical alarm company is providing you with something which is broken on the level of this thing.

The entire authentication process is decoupled from the actual device, and attackers can easily spoof device IDs and gain access and control over someone else's alarm system.

To make matters worse, nothing is encrypted, all communications are blurted out in cleartext, there is no message integrity protection mechanism and no sequence numbers for network packets.

Sorry, but that level of defective is beyond anything you can try to excuse.

But then again, people seem to have accepted that IoT will have security written by blind and drunk monkeys, but that it's good enough. So you buy one, and I'll continue to believe the IoT is just another opportunity for assholes in marketing to pretend they have a useful product.

Comment Re:The IoT of now and the future. (Score 1) 109

This just goes to show you that even with a security-centric product like an alarm system, even basic security features cannot seem to be prioritized over cost or first to market.

You know, looking at their company history, I'd say they're a video-centric product, which some ass in marketing decided to start selling as a security-centric product.

"The RSI Videofied system has a level of security that is worthless," concluded the Cybergibbons team. "It looks like they tried something and used a common algorithm - AES - but messed it up so badly that they may as well have stuck with plaintext."

Sorry, that's not security. That's pretending you have a product that has any business being used in security.

Epic incompetence. Be that at the management or technical levels, it really doesn't matter.

Comment Re:Is this really as typical as it seems? (Score 1) 109

My guess would be that they were told to implement it in a certain way. They may have had objections but were overruled by management.

To the consumer, incompetence by managerial decree is impossible to differentiate from incompetence in technical design.

The product's security is shit. Why it's shit is irrelevant.

So, sure, blame whoever you want. The key thing here is that as many people as possible should be told the product is so terribly insecure as to defeat its entire purpose.

Unless, of course, actual security isn't the purpose. In which case it's doubly important to tell people not to use it.

Comment WTF??? (Score 2) 109

today we hear about an IoT smart home alarm system that works over IP. Made by RSI Videofied, the W Panel features no encryption, no integrity protection, no sequence numbers for packets, and a predictable authentication system. Security researchers who investigated the devices say, "The RSI Videofied system has a level of security that is worthless."

So, the makers of the "W Panel" are lazy, incompetent people who have no business making a security system? Or they're greedy, cheap people who have no business making a security system?

Blah blah blah Insecurity of Things written by people who are either incompetent or indifferent to security, yet another product which is more marketing than substance, and yet another product which sounds like it's utterly useless.

Tell you what, can we assume all IoT shit is broken, defective, and insecure ... and then only have the stories when someone builds one which isn't?

Yet another product created purely by the marketing and sales people, and stunningly incompetently done at the tech level.

They may know something about video. But apparently they don't know a damned thing about security. This is worse than vaporware ... this is a product which is so utterly unfit for the purposes it's being sold for as to be dangerous.

Comment Huh? (Score 5, Insightful) 168

learning the basics of programming, despite having no access to the vast educational resources on the internet

Bah, when I learned programming there weren't "vast educational resources on the internet".

It's been done.

Since when the hell have we reached the point of "zomg, someone learned something without teh intertubes"??

Because if other people haven't learned the basics of coding over the last few decades without the use of the internet, I'd be completely shocked. The internet is not a pre-requisite to learning, as much as people seem to think it is.

Comment Re:OK, so I can use it anyway I choose? (Score 1) 241

If they make it part of Unicode, they should lose all ability to tell me what I can do with that character.

If they wish to have "an emoji clause", then they should be getting told to piss off and go away now.

As I said ... either it's just a character, and they have no right to ever say anything about how that character is used ... or it's a trademark they wish to restrict, and it has no business being in unicode.

But letting corporations stake out parts of the unicode standard AND continue to tell us how we use those unicode characters simply cannot be made to work, because they're incompatible things.

Comment OK, so I can use it anyway I choose? (Score 1) 241

So if KitKat and Durex get their own emojis, then I can use those emojis any way I choose and without licensing or trademark considerations?

Because that's what happens when you put it into the standard code pages.

So I can put (KitKat)(Condoms)(Donkey)(TacoBell)(IceCream)(PartyHat)(Cigarette) ... and KitKat and Taco Bell have NO legal right to say anything about how I use that image, right?

That will be awesome, and I'm sure the marketing clowns will love what happens when they make their trademark part of a standard code set. Because if you make it part of my standard character set, you turn your trademark into something which anybody can use.

What you can't do is turn your trademark into a standard part of what is in Unicode and then demand I have restrictions on how I use that trademark.

So either they are idiots who plan on diluting their trademark. Or they are idiots who think they can put their trademark into a standard character set and have no control over how it is used.

We should NOT be putting corporate defined images into Unicode unless there is an understanding that what people then DO with those things is no longer under any control by the people who asked for it to be there.

Comment Re:thats strange (Score 2) 170

But those worse figures wouldn't be what VW advertised, they would be advertising the better 'regular' numbers.

And then you would demonstrate you don't know the law around those numbers.

Car makers have ZERO option except to publish the EPA approved numbers. They MUST publish the EPA numbers. The problem is the official EPA numbers are meaningless, derived from a fairly old process, and not indicative at all of actual mileage figures.

So, using those EPA numbers, hybrid owners have been really annoyed to find they're not getting anywhere NEAR the mpg they've been told -- because the hybrids were measured using the old and not-very-useful formula. Similarly, 15+ years ago, I knew people with diesel VWs. Those cars regularly got more mpg than they could advertise, because for those cars the formula was fairly useless in the real world as well.

The important thing here is that, right or wrong, high or low ... car makers can only legally give their mpg numbers based on an EPA formula which is, effectively, an estimate based on a calculation. If they tried to use other numbers they would get into trouble.

VW would advertise based on the only number they're allowed to. They can't cherry pick the ones they like; which means you could get significantly worse or better than the EPA figure. Even if the EPA figure is pretty much known to be meaningless and out of date.

Comment Depends if you want to support it (Score 4, Informative) 320

That really is the big issue with a self build: If something goes wrong, you have to track it down and handle all the support. If you get a pre-built from a good vendor, they'll handle it all. Say what you want about Dell, but all you have to do is run their diags (baked in to the UEFI) and call them with the code, they'll send a dude with the parts needed.

So that should be the major thing you think about. If you don't want to do support, then buy it from a vendor that will provide you with support to the level you require. I tend to recommend Dell because their hardware is reasonable and they have support available everywhere. They subcontract it, but it all works well. We use it at work all the time.

If you are willing to do support yourself, then building it gets you precisely what you want. I build my system at home because I have very exacting requirements for what I'm after and nobody has that kind of thing for sale. Like I don't want a "good large power supply", I want a Seasonic Platinum 1000, nothing else.

Also you'll find that generally at the higher end of things you save money building a system. For more consumer/office range stuff it usually is a wash: They build the mass market systems around as cheap as you could afford to. However when you start talking higher end gaming stuff, you can pay a large premium for things.

As an example I just built a system for a good friend of mine. He wanted some very, very high end hardware and pretty specific requirements. Origin PC would get him what he wanted... for about $9,000. I put it together for around $6,000. The gamer stuff often commands a hefty premium.

Comment Re:IANAL, but I know one & (Score 1) 65

You seem to imply there is legal "duty of care" (or whatever you'd call it).

They don't care. They never promised to care. The license probably says they don't care. The people who run the company don't care.

Taking steps to care presupposes they care. If they don't care what happens to your "sensitive data", they're sure as hell not going to take steps to protect it. Because that would involve caring.

What part of greedy corporation shielded by license agreements and only interested in their own profits do people not understand here?

Oh, and did I mention that the license probably includes terms which says you can't sue them and need to agree to binding arbitration in a forum of their own choosing?

And that forum of their choosing will simply say we don't fucking care and never promised to.

Comment Re:Uber and pirate bay (Score 4, Insightful) 52

I guess the people with money are allowed to bend the law now and apply it how they see fit

More accurately ... the copyright lobby has bought and paid for laws which they interpret how are applied, enforced outside of the judicial system, with abysmally low thresholds for evidence ... and with shockingly little penalties for them if they misuse it.

In case you have missed it, copyright related laws have reached a special level of stupidity, because they've been paid for and written by the people who benefit from them. This shit is now routinely entrenched in high-level treaty negotiations, where governments act on behalf of the interests of multi-national corporations -- and literally just use whatever text provided by the lobbyists.

They're not bending any laws, they're outright financing the adoption of laws which are entirely written to give them massive amounts of latitude to do as they please without penalty.

Governments these days are pretty much openly working for the corporations in this matter.

Copyright is like kiddie porn and terrorism; it lives in a special place outside of most other forms of laws, and builds in shortcuts and bypasses to legal protections you would normally have.

This is way beyond bending the law, it's about buying their own laws.

Comment Honestly ... (Score 4, Insightful) 65

VTech doesn't use SSL web encryption anywhere, and transmits data such as passwords completely unprotected. ... Hunt also found that the company's websites "leak extensive data" from their databases and APIs—so much that an attacker could get a lot of data about the parents or kids just by taking advantage of these flaws

Just stop using this crap ... over and over and over and over we see these same damned stories.

Stop handing all this information over to companies who are too indifferent and incompetent to give a shit about how badly they misuse your data.

Comment Re:Now only if... (Score 5, Interesting) 52

Yeah, well, don't hold your breath ... if the US doesn't launch some form of trade sanctions I'll be surprised.

The US is leading the charge on entrenching in law that the copyright cartel has absolute veto over technology and the internet.

There's a reason why US foreign policy has been pushing to have treaties include this shit, and why the representatives of the copyright lobby are effectively writing the text of the laws and treaties -- and it's because the US politicians have been bought on behalf of these industries.

I wish more rulings like this would happen, and these clowns would find themselves on much shorter leashes (if not short ropes and long drops).

But things like the TPP and every other treaty has proven that the US government is essentially now working on behalf of the copyright cartel, and are prepared to keep giving them bullshit laws which give them all the power, and with little or no penalties and oversight.

Copyright owners have far more legal rights than you or I, and increasingly an accusation of copyright supersedes your right to have someone show you their evidence.
