Forgot your password?

Comment: Re:Does it matter? (Score 1, Interesting) 63

by Shoten (#47697085) Attached to: Plan Would Give Government Virtual Veto Over Internet Governance

An American would think that. Citizens from other countries may well disagree there. Especially because of that unthinking American preference for Americans in charge everywhere.

Really? Do tell us about all the governments that would rather have Iran or North Korea in charge of ICANN. Please :)

Comment: Re:MUCH easier. (Score 3, Insightful) 239

You are speculating on a system that would be able to correctly identify ALL THE OBJECTS IN THE AREA and that is never going to happen.

It doesn't have to identify all the objects in the area, it simply has to not hit them.

Actually, since the whole question of TFA is about ethical choices, it does have to identify them. It can't view a trash can as being equal to a child pedestrian, for example. It will have to see the difference between a dumpster (hit it, nobody inside dies) and another car (hit it, someone inside it may die). It may even need to weigh the potential occupancy of other vehicles...a bus is likely to hold more people than a scooter.

The question at its heart is not about object avoidance in the's about choices between objects. And that requires identification.

Comment: Re:Alternatives (Score 1) 331

by Shoten (#47691403) Attached to: Ask Slashdot: How Dead Is Antivirus, Exactly?

Your analysis seems to assume that there are apps, and that is it. But in reality there are apps that are virus hosts in themselves. VB within Excel. Javascript within browsers.

Actually, no. There are apps and there is the OS itself. But by the time you're talking about the security model, the OS already exists, and anything you add to that is, essentially, an application. Delivery operates the same way, dependencies can as well. The VB that is within Excel is no less an app than the app that requires .NET framework be installed, a javascript that executes in the browser, or a java applet that requires a JRE. The fact that it depends on something else doesn't change the model. And any app can be malicious or friendly; even a friendly app can be modified or tied with a pre-executed piece of malware.

Comment: Re:us other engineers matter, too (Score 5, Insightful) 371

by Shoten (#47688425) Attached to: Companies That Don't Understand Engineers Don't Respect Engineers

/. may be a software-centric site, but those of us in mechanical, electrical, optical, materials, and other branches of engineering are in the same basic position. But sadly, even in businesses which promote engineers into senior roles end up respecting people primarily on the basis of how many direct reports (that's the term for peons whose salaries they determine) they control. Until you're able to rate people by the quality/quantity of output regardless of altitude in the org chart, this problem will continue.

Indeed; the underlying basis of the article could really match almost any profession. Accountants, HR personnel, programmers, even admin assistants. Not understanding the role of a job invariably means not understanding its challenges or the value it brings. So what? This is not news. Hell, I've seen companies where they didn't understand the value of managers...and thus, promoted/hired people into such roles who had no skill at doing their jobs.

Comment: Alternatives (Score 2) 331

by Shoten (#47688401) Attached to: Ask Slashdot: How Dead Is Antivirus, Exactly?

There are currently two solid alternatives to traditional AV. Unfortunately, one is not suitable outside of a well-managed (i.e., corporate) environment and the other probably would not work in a full-featured computer environment.

1. Whitelisting: Application whitelisting is really, really effective. There are ways to circumvent it, but that's true of just about any technical security control. The problem with it is twofold: one, someone needs to develop exactly *what* that whitelist is, and the average home user isn't really up to the task. Bit9 (the leader in the space) has gotten around this to some degree with a cloud-based archive of "known good" files and processes, but your standard home user will still run into a lot of things they don't recognize when they install. And what if one of those things is actually an existing infection? Then they will probably add it to their whitelist...or, on the other hand, err on the side of caution and end up breaking valid software on their systems. The odds of them hitting it exactly right are very small. And even then, they have to maintain the if they're taken in by that "YOU NEED TO UPDATE YOUR VIDEO CODEC LOL" popup window, they'll invariably end up authorizing whatever file gets downloaded ("'Trojan_video.exe'...sounds legit to me!") and infecting their system anyways.

2. The "Walled Garden" Model: In a lot of ways, this is like whitelisting built into the underlying OS, with the OS manufacturer being the custodian of the whitelist. This is how iOS works, so it's actually a proven model. There's only been one discovered instance of malware that's slipped into the App Store, and that was easily eradicated with the press of a button back at the Apple mothership. But on the other hand, there are ancillary effects to forcing all devs to go through a single clearinghouse for software. Apple's cut of the profits, and their cut of any revenue passing through any app sold through the App Store, are obvious issues, but the antitrust risk of a PC OS with only one place to go for software is a latent...and larger risk, going forward. One court decision can break the model entirely; if Apple doesn't collect at least some money from developers, then there's no money to support the App Store and the activities around it. But if there's no central authority, then there goes the chain of trust that's necessary to maintain the safety of the OS. And there's complexity in a PC-based OS environment that you don't find in a tablet or smartphone; in the tablet/phone model, each application is an island, separate onto itself for the most part. You don't have browser plugins, underlying execution environments or interpreters (Air, Java, .NET, Python, Perl, etc.).

Either way, the "blacklist" approach doesn't work. It's all fine to point out that other things (firewalls, IPS, etc.) need to be in place, and that's true...but malware is its own threat, and cannot be fully addressed by solutions that only focus on the attack. Applications will have vulnerabilities; railing against this hasn't accomplished anything in two decades. People will make mistakes, or be social-engineered into doing things they should not do. Supply chains will become infected (remember cameras, USB drives, etc. that have come with malware?) and sometimes those mistakes will affect people besides the mistake-maker. So there needs to be a way to address malware itself.

There are two approaches that, while theoretical, also hold promise. The issue is that they are pretty much theoretical; there's no existing implementation of either of them on any scale, or as a deployable off-the-shelf technology today.

3, The Managed Immunological Response: Assume that malware will exist, and somehow get onto systems. Most complex organisms hold pathogens within themselves that are harmful...and in many cases, even contain them in a symbiotic relationship. Eradicate E. Coli from a human's lower GI tract and they'll develop problems, for example...but E. Coli outside of that part of their body causes major issues and is a health problem. Catch a cold, and you'll be sick for a bit...but your body will get over it. This is what some researchers are aiming towards, and the approach shows a lot of promise in theory. But it requires that the OS operate in a functionally different way, a way that does not currently exist. So...yeah, that's a ways off, if it will ever happen.

4, The Sandboxed World: This is where applications are walled from one another...this is another feature of the iOS model. And as with the Walled Garden, the challenges of this grow severely when you move to the PC world. If it's hard to exchange data between your email client and your word processor, you're going to have a hard time getting things done. This is already something of a nuisance in the tablet/phone world. But if you open up access to the file system, then you create an avenue for bad things, and punch holes in the sandbox walls. So I don't know if it can be fixed in a way that would suit PC users, or if, in a lesser implementation, it could support something akin to the Managed Immunological Response model.

Comment: Re:Too much surplus (Score 0) 264

If we have this much surplus, clearly we're buying too much. I know that if I find myself giving away cans of green beans, I make sure I don't buy a whole pallet the next time I'm at Costco.

We just demobilized from one war, and are nearly done pulling out from another. Surplus is what inevitably happens as a result.

Look at it like this: when you get back from a camping trip, do you set the tent back up at home, and use the cook stove to cook your meals at home too? Of course not. And military equipment is usually better off sold rather than mothballed, especially since the threats keep changing and the cost of upgrades on gear that's in storage (don't forget the logistics) is greater than the cost of replacement, all other things taken into account.

That said, I wonder how much of this billion dollars is from MRAP donations. The military is giving nearly all of their MRAPs to law enforcement agencies, and they aren't exactly cheap. So that could be the bulk of this, easily.

Comment: Re:Gettin All Up In Yo Biznis (Score 1) 419

by Shoten (#47681523) Attached to: Swedish Dad Takes Gamer Kids To Warzone

Great dad, in my opinion. My kids grew up involved in hunting, fishing, and shooting sports - but a trip to a refugee camp would probably have cured them of the FPS BS faster than anything.

Fortunately, they were never really into videogames.

Aaaaand...what kinds of movies did they watch, perchance? Did their dad keep them on a strict diet of Barbara Striesand? No? A few action movies, then? Hm.

Games are one form of entertainment. If someone is going to condemn simulated (and unrealistic) violence in one medium, they really should do so across all media, don't you think?

Comment: Re:Apologies not accepted (Score 1) 64

The one nice thing about Android (assuming a rooted device) is the ability to turn on and use Linux's iptables to prevent apps from phoning home. After that, Xposed and XPrivacy are good (although the interface is nowhere as nice as Protect My Privacy from Cydia on iOS) to enforce restrictions on apps that ask for more than they should.

It would be nice if XPrivacy would fake data like PMP does, so if an app asks for GPS info, it will get GPS info, but not anything useful, or if an app asks for contacts on the phone, it gets random sets of garbage.

This is all fine and good, until one app that you want to phone home uses AWS or Cloudfront, and so does another app that you don't want phoning home. Firewalls have never been a good approach to application security...evidenced by the fact that "application security" became a concept long after firewalls were commonplace.

Comment: Re:Shouldn't be necessary, but if it is... (Score 1) 120

by Shoten (#47648251) Attached to: Hackers Demand Automakers Get Serious About Security

It's kinda terrifying that the people making fast, heavy lumps of metal with computerised control systems don't already routinely isolate those control systems from any other computerised technologies in the vehicle, particularly any that can interact remotely. They shouldn't need to be publicly admonished about the dangers of these situations. Don't these organisations employ actual engineers any more?

But given that it does seem to be necessary to make a public display of this -- which presumably removes any plausible deniability if the auto makers do get sued after an accident later, so I can believe it will at least get their attention -- I'm glad it seems to be a responsible group with the right motivations who are starting the ball rolling. If it were just a bunch of lawyers or insurers, the general public could write the campaign off as the signatories just looking out for their own interests.

Problem #1; you can't isolate those systems, in the context of the reason for why they exist.

So, let's look at OnStar, or Hyundai's Bluelink. These are systems that connect to larger infrastructure over public or semi-public communications channels (i.e., cellular) for a variety of purposes. Such purposes include being able to start your car remotely, notify authorities of an accident even if you are incapacitated and unable to call for help (especially in that case, actually) and recover your car in case of theft. All three of those functions inherently require access to engine functions (in a read-write sort of way), GPS, and/or OBD-II data. And you can make a strong argument that many of these things are beneficial from a safety perspective as well. But you can't have them if you isolate the control systems from any other computerized absolutely cannot.

On the flip side, you *could* isolate the systems that manage our financial accounts...banking, stocks, pensions...from any other computerized systems. But then you'd lose online banking, bill pay, ability to trade in stocks and other financial instruments without going into an office, etc. But that industry has figured out how to connect things together without the world coming to an end, despite the tremendous opportunity and motivation it provides for criminals. The car industry can figure this out too. I dare say it's easier to figure out how to develop a reference architecture based on the CAN II that is secure than it is to secure all the various interconnections of the financial industry. And it also bears mentioning that once upon a time, the financial industry got egg on their face too for security problems. This is the normal evolutionary process.

Comment: Re:Normal now (Score 2) 164

by Shoten (#47641887) Attached to: F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data

The only way around it is to avoid storing sensitive data on the phone.

This must also be an important issue for those that uses phones as security tokens, i.e. banks and other important institutions that sends an SMS with credentials to provide verification - it's a very insecure solution since the phone may have an app that forwards the credentials to a third party that can use this to access the system.

Avoid storing sensitive the phone numbers of other people? Like the text messages you send? Just using this make phone calls, mind you...results in data being uploaded. I don't see how "not having that data" on your phone is really an option. It's a goddamned phone; you're going to have to use it, some day.

Comment: Re:Normal now (Score 1) 164

by Shoten (#47641881) Attached to: F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data

I also seem to remember that Apple got into problems because they were uploading user data without permission.

Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.

Right...and even then, this was location-based information that Apple said the phone wasn't collecting. It could just as easily have been a misunderstanding about underlying software behavior at a low level (or even that the programmer who built it that way didn't even work at Apple any longer) as anything else.

Comment: Re:Why is (Score 3, Insightful) 201

by Shoten (#47638863) Attached to: Netflix Now Works On Linux With HTML5 DRM Video Support In Chrome

"due to Netflix arbitrarily blocking the Linux build"

i.e., generating a valid page based on detection of a Linux-based USER-AGENT from the browser, to save the user from trying to troubleshoot what has been, until recently, a problem that the user could not fix. Hardly sinister.

Comment: Re:Which company is next in line? (Score 1) 353

by Shoten (#47629315) Attached to: Microsoft Tip Leads To Child Porn Arrest In Pennsylvania

It's also trivial to change the pics slightly (change one pixel from black to white, for instance), and completely change the hash so it doesn't match. Thus matching hashes is... less than useful... against an even moderately smart CP'er.

Very true...but the point of any technology is never to be a 100%, totally foolproof approach; that is never possible, with anything. And if only one image in a collection is a match, then you have caught the person who owns it; you don't need to match more than that. Human investigation, at that point, will catch the rest. Going one step further, you don't even need to catch every single person...catch one in a group that have some form of relationship to one another, even just online, and you can round the rest up through a combination of digital forensics and plain-old gumshoe investigation. This tactic also doesn't come at the expense of other means of catching people who trade in child's a net increase in the availability of means to catch such people.

God help those who do not help themselves. -- Wilson Mizner