
Comment Re:Maybe a good thing (Score 3, Interesting) 372

The sensor does not do the decryption or authentication. The attack vector would be a sensor that has been replaced with a mechanism that replays a snapshot of the phone owner's fingerprint and sends that down the wire to the mainboard. Apple is attempting to curtail that type of attack by authenticating the physical sensor to the mainboard.

So disable the sensor if it's found to be invalid. You don't destroy a $500 phone. What if the sensor goes bad? New phone? Seriously people.

Comment Re:Maybe a good thing (Score 2) 372

OTOH, this appears to still happen if the phone itself is reset to a factory image. It doesn't seem to be that much of a security risk if instead of refusing to work, the phone, after being reset, would renegotiate encryption with the sensor. There's no data to be stolen in that scenario. And there's other mechanisms to prevent a stolen phone from having resale value.

It's still a security risk. You could imagine intercepting new iPhones, replacing the fingerprint sensor with a compromised one containing a backdoor, then reimaging the phones, putting them back in the box, and selling them to your target. After your target loads their sensitive data onto them, you could then retrieve it using the compromised sensor.

I agree this is somewhat contrived and Apple is likely just looking to block third party repairs, but it still is a valid security risk.

So the solution is to permanently brick the phone? Gimme a break. You generate a warning on the phone to let the user know. Better yet, brick the phone and charge to repair it correctly. You don't screw your customers out of a perfectly good phone.
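As an added example (not code from the thread, and a toy model rather than Apple's actual Touch ID design), here is the difference between a mainboard that trusts whatever sensor is on the wire and one that authenticates its paired sensor with a fresh per-scan nonce, run against the snapshot-replaying replacement sensor the parent comment describes. The pairing key, fingerprint templates and nonce values are constructed for the demo.

```python
# Added example, not from the thread and not Apple's actual design: a toy model
# of why pairing the sensor to the mainboard stops a swapped-in sensor that
# replays a recorded snapshot of the owner's fingerprint.
import hashlib, hmac, os

def tag(key: bytes, nonce: bytes, template: bytes) -> bytes:
    return hmac.new(key, nonce + template, hashlib.sha256).digest()

class Sensor:
    """Genuine sensor holding the pairing key shared with the mainboard."""
    def __init__(self, key: bytes, template: bytes):
        self.key, self.template = key, template   # template: constructed scan

    def scan(self, nonce: bytes):
        return self.template, tag(self.key, nonce, self.template)

class ReplaySensor:
    """Replacement hardware that only has one recorded (template, tag) pair."""
    def __init__(self, captured):
        self.captured = captured

    def scan(self, nonce: bytes):
        return self.captured              # ignores the fresh nonce

class Mainboard:
    def __init__(self, key: bytes, enrolled: bytes):
        self.key, self.enrolled = key, enrolled

    def unlock_unauthenticated(self, sensor) -> str:
        # Trusts whatever is on the wire: a replayed snapshot matches.
        template, _ = sensor.scan(os.urandom(16))
        return "unlocked" if template == self.enrolled else "no-match"

    def unlock_authenticated(self, sensor) -> str:
        # Fresh nonce per scan; a sensor without the key cannot tag it.
        nonce = os.urandom(16)
        template, t = sensor.scan(nonce)
        if not hmac.compare_digest(t, tag(self.key, nonce, template)):
            return "sensor-not-trusted"   # flag/disable the sensor, never match
        return "unlocked" if template == self.enrolled else "no-match"

def demo():
    key, owner = os.urandom(32), b"constructed-owner-template"
    board, genuine = Mainboard(key, owner), Sensor(key, owner)
    replay = ReplaySensor(genuine.scan(b"nonce-seen-once"))  # recorded scan
    return (board.unlock_unauthenticated(replay),
            board.unlock_authenticated(replay),
            board.unlock_authenticated(genuine))
```

Note that the authenticated path returns a distinct "sensor-not-trusted" result rather than a match failure, which is the hook for the "disable the sensor and warn the user" behaviour the replies argue for instead of bricking the phone.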

Comment Re:This makes sense if gov is the customer (Score 1) 281

Computer salesperson: "Hey, it's time to replace your old machines." Gov buyer: "Fuck off, they work just fine." Computer salesperson: "But these shiny new Intel models SAVE ENERGY." Gov buyer: "On second thought, we've got plenty of taxpayer money to blow on 'energy efficiency' projects. Why don't ya' put us down for half a million new laptops and two million of those tablet thingies so people can plug them in next to their desktops - I mean 'replace their energy-sucking desktops' - and see if you can't find a new boat for 'my nephew' and a trip to the Caribbean for 'my travel agent' while you're at it."

Nearly every company is thinking about energy efficiency. Every company that moves to a cloud setup is saving energy/power in exchange for a slice of a datacenter that is energy efficient.

Comment Re:GOOD (Score 1) 165

There is nothing about 'java' the language that did that; but it is very hard to deny that vulnerabilities in the implementation of support for embedded java applets have been a huge source of desktop infections. Adobe might be slightly worse; but that's damning by very faint praise. I'll leave arguing about the merits of the language and the JVM to the experts; but applet support has, quite simply, been painfully unsuitable for use on anything except fully trusted, ideally internal, material more or less forever, and neither Sun nor Oracle ever got it up to snuff for use in a mostly-untrusted web browsing environment.

Oracle inherited it and has been scrambling ever since to patch vulnerabilities. Every release contains dozens of fixes.

Comment Re:The sad thing is (Score 1) 539

Yet these websites choose not to for two reasons. The first is laziness.

No. Until now the percentage of ad blocker users was low. Web sites accepted that, saying that a non-paying user also has some benefit, namely he brings paying users. Today ad-blockers have become so popular that the loss affects the bottom line. Moreover, an ad-blocking user likely brings only other non-paying users, therefore he is a pure loss. I predict that within a year there will be serious changes, and polite requests for ad-blocker users to either subscribe or turn off their ad-blockers will become usual.

No. What will happen is people will stop visiting these websites if they can't block the ads. There's always other places to get the news, stories, etc.

Comment Re:If AdBlocking is freedom-hating... (Score 2) 539

Random untrusted executables are THE attack vector for malware.

Advertising that forces you to accept executables from a wide array of random untrusted sources are forcing you to completely forgo any sort of security precautions.

I've had colleagues taken out of action for days for browsing the wrong site with the wrong browser. This did not include any destinations that would be obviously suspicious.

The industry really only has itself to blame for escalating the abusiveness of advertising. They work hard to earn everyone's distrust and hate. They should spend some of that effort on being less obnoxious. They employ enough effort at psychological manipulation.

False. You can become infected by visiting a website where they have a compromised flash ad. You don't need to execute anything today. But at the same time your employees did visit websites that weren't mainstream. It's those websites that rely on ad revenue from agencies not on the most trusted list that get you infected.

Comment Re:Dose of common sense. (Score 1) 184

We're also living in a global market. Let's say the US banned strong encryption tomorrow. What's to stop someone in another country from posting the source code to a strong encryption scheme? How would you prevent people from downloading and using this? You'd need to implement a "Great US Firewall" and filter all encryption-related sites. Even if you were able to do this, all you'd wind up doing is making US businesses less secure than foreign businesses. More US business hackings would leave the (valid) impression that you should trust foreign companies over US-based ones, and the economy would suffer.

Encryption opponents like to pretend like they can just have Congress pass a law and all that pesky encryption will vanish with no consequences. In reality, banning encryption would create a horrible mess for businesses and consumers.

What's stopping a smart person from growing up and writing their own cryptography method as well? All it takes is 1 person. They don't need to leverage current encryption at all. That's why the whole thing is pointless. They need to embrace the different encryption protocols and devise a way to crack them. Or understand there will be things they can't crack.

Comment Re:Translation (Score 1) 184

See, as a tax-paying American citizen I say they can, to paraphrase Star Wars, pass a law to a standing ovation that blatantly violates key elements of previously written law (while being silent as if it does not), but that doesn't mean it's 'legal'.

In fact, regardless of what the un-elected justices have to say about the matter, as a citizen as far as I'm concerned the FISA/Patriot act/whatevers are themselves illegal.

And they DO need to abide by the 4th amendment.

And if they DON'T want to abide by the 4th amendment then they'd better hurry up and collect all the guns, because the fact that the 2nd amendment comes before the 4th amendment and after the 1st amendment seems to be no coincidence to me.

Amendments 1 through 5 are very clear:

1) I can say what I want
2) I can exercise self defense
3) keep your soldiers out of my life
4) keep your spies out of my life
5) keep your lawyers out of my life

Given the historical context they can be summed up as: "Get off my lawn, government"

So if tyrants wish to violate previously written law, even if they do it unanimously in fashion of standing ovation, it is still illegal. It goes against the nature of the foundations of this nation and its basic laws. It goes against the very context and reasoning of why the constitution was written and why it was written the way it is.

Also, since I'm at it, our president may be an expert on the constitution, but I do not think he is using that expert knowledge to enforce it. I think he is using that expert knowledge to subvert it. That is the fallacy behind 'I'm a constitutional professor' or whatever he has claimed and his cronies have peddled.

The 1st amendment only says the government can't write laws to stop you saying what you want. It doesn't mean you can say whatever you want. Speaking or inciting violence/terrorist actions through your words violates the amendment.

Comment Re:Naughty cannabis (Score 1) 232

Mod parent up please.

Also don't forget about the HU series as well. HU-210 and JWH-018 were the primary chemicals in the "old" Spice before the DEA cracked down on HU-210. Spice was reformulated.

Several JWH chemicals were still available then for a while longer, then the DEA cracked down. Spice was reformulated again.

The Spice you, dear reader, probably read about in the news contained the chemicals from the AM series, and it sent people to the hospital. That time laws were made.

Hooray big government! Sending people to the hospital and killing them and enriching drug lords (both the kinds with guns and the kinds with MDs) instead of just letting us have the perfectly safe plant for our own quiet enjoyment! The cannabis must flow!

Many of the chemicals in the designer drugs (spice) are landing people in the hospital as well. The latest one, dubbed fruity pebbles, is very dangerous. So there's definitely a precedent to prohibit the uncontrolled creation of cannabis-like drugs.

Comment Re:ARGH (Score 1) 720

Actually, Apple users DON'T tolerate it. You can trivially and easily turn off automatic updates on Apple, and they don't push patches with godawful numbers to dick around in the godawful registry to unset the godawful hex values you painstakingly set.

On Apple you tell it not to update and it doesn't.

Also even if Apple DID suck in this way, it's not a reason for Microsoft to suck in this way.

Instead Apple's iOS updates brick your machine, disable your 4G wireless calls until reverted, replace your Google Maps with one that drives you into a canyon, and turn on shit like "receive calls only from favorites" when you have no favorites selected.

Comment Re:ARGH (Score 1) 720

Unless your IT department didn't bother doing their job you're not being cajoled into anything right now. Computers registered on a domain are not subject to the same update policies as standalone, personal PCs. As for the ${x}00K cost to upgrade your legacy software, you're going to have to eat it some time within the next four years...

That's incorrect also.
