
Comment: Did it on Linux last night. Without warning ... (Score 1) 152

by raymorris (#47575895) Attached to: "BadUSB" Exploit Makes Devices Turn "Evil"

Last night I programmed a chip to act as a USB keyboard and automatically "press" keys. The system did as you described, identifying it as a keyboard, and creating a node in /dev. Something like /dev/keyboard1. It then proceeded to accept the keyboard events exactly as though I'd typed them, without any confirmation by the user. Confirmation by the user would be problematic in the case of a broken keyboard or mouse - the system can't let you use the new keyboard to confirm itself.

I'm using it to brute force a PIN. Some iPhones and Android devices will now accept an external keyboard. With a 4-digit PIN, it should be guessed by the end of the day.

Comment: ftdi, Atmel are VERY common in devices. I did it. (Score 2) 152

by raymorris (#47575603) Attached to: "BadUSB" Exploit Makes Devices Turn "Evil"

I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot of systems.

It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has already owned the machine, just a few seconds after the device was plugged in.
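The two comments above describe the kernel binding a self-declared HID keyboard the moment it enumerates, with no user confirmation. As an added example (not code from the commenter or from the BadUSB research), this parses a constructed /proc/bus/input/devices listing and flags USB-bus devices bound to the kernel's kbd handler, which is the inventory a host-side allow-list policy (a udev rule, USBGuard, or a monitoring agent) would act on; the device names and IDs in the sample are made up for this example, and BUS_USB is the constant from linux/input.h.

```python
# Added example: flag keyboard-class devices that arrived over USB by
# parsing the Linux /proc/bus/input/devices listing (sample constructed).
SAMPLE_INPUT_DEVICES = """\
I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
H: Handlers=sysrq kbd event0 leds
B: EV=120013

I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="Logitech USB Optical Mouse"
H: Handlers=mouse0 event3
B: EV=17

I: Bus=0003 Vendor=2341 Product=8036 Version=0101
N: Name="Arduino LLC Arduino Leonardo"
H: Handlers=sysrq kbd event4 leds
B: EV=120013
"""

BUS_USB = 0x0003  # BUS_USB from linux/input.h; 0x0011 is the built-in i8042 port


def parse_input_devices(text):
    """One dict per device block; blocks are separated by blank lines."""
    devices = []
    for block in text.strip().split("\n\n"):
        dev = {}
        for line in block.splitlines():
            tag, _, rest = line.partition(": ")
            if tag == "I":  # bus/vendor/product/version ids, all hex
                for field in rest.split():
                    key, _, value = field.partition("=")
                    dev[key.lower()] = int(value, 16)
            elif tag == "N":
                dev["name"] = rest.split("=", 1)[1].strip('"')
            elif tag == "H":  # kernel handlers bound to this device
                dev["handlers"] = rest.split("=", 1)[1].split()
        devices.append(dev)
    return devices


def usb_keyboards(text):
    """Names of USB-attached devices bound to the keyboard handler ("kbd"),
    i.e. anything on the USB bus that can inject keystrokes."""
    return [d["name"] for d in parse_input_devices(text)
            if d.get("bus") == BUS_USB and "kbd" in d.get("handlers", [])]
```

On a live host, read the same listing from /proc/bus/input/devices and compare the result against the set of keyboards you expect to be present; the built-in keyboard is on the i8042 bus and is not flagged, and a USB mouse is not flagged either.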

User Journal

Journal: Nobots: now in paperback 1

Journal by mcgrew

It annoys the hell out of me that my books are so damned expensive, which is why I wanted Mars, Ho! to be 100,000 words. I'd hoped that possibly Baen might publish it so it would be, oddly, far cheaper. I can buy a copy of Andy Weir's excellent novel The Martian from Barnes and Noble or Amazon for less than I can get a copy of my own Paxil Diaries from my printer, and Weir's book is a lot longer.

Comment: Re:ACM doesn't get it on (C) (Score 1) 181

by plover (#47573653) Attached to: Vint Cerf on Why Programmers Don't Join the ACM

Amen. When I was at University, I used our library's ACM and IEEE access to get to lots of useful articles, so I know the value of having that access. But once I graduated, up came the paywalls, and up came my revulsion. It's not about the money - I waste more than the ACM membership fees funding offbeat kickstarters. While I'm still tempted every year by those ACM offers, I'm not going to support an organization dedicated to preventing the dissemination of information, not at any price.

There are still some avenues of research I occasionally need, and fortunately many authors retain the rights to self-publish or pre-publish on arXiv, so DuckDuckGo can still deliver them. Most surprisingly, Microsoft Research has made thousands of papers freely available.

Ironically, it's a lot like the old Windows / Linux argument, and Linux has shown that open source doesn't implicitly mean low quality.

Comment: Re:Disengenous (Score 2) 256

by swillden (#47572125) Attached to: Amazon's eBook Math

> in the long term, the book stores go out of business; now it's harder to find interesting books.

Look at Baen's model... the first few chapters of all of their books are available for free, all on-line, all trivially easy for you to browse and sample, at no risk, wherever and whenever it's convenient to you. For that matter, they offer full novels from their top authors for free. So you can read the first book of a 15-novel series at no cost, hooking you for the other 14.

How can book stores, with their limited shelf space and immobility, compete with that?

Of course, that's Baen, not Amazon. Because Baen is a publisher, they have the freedom to do things like offer the first ~50 pages free, while Amazon has to obey the publishers' rules. But in a world where browsing bookshelves is gone, Baen's approach, or something like it, will be necessary to generate sales, so it will be done.

Just because you're accustomed to one way of finding good reading material doesn't mean it's the only one, or even the best one.

Comment: different from my experience. Cult, speciality (Score 2) 45

by raymorris (#47572107) Attached to: Google, Linaro Develop Custom Android Edition For Project Ara

First, let me say I think this will have a cult following like the hackable versions of the WRT54, I don't think MOST people want it. That said, I've never experienced this:

> it's pretty beat up. Screen is scratched and dimming, the case is scuffed and creaky, buttons don't quite work, connectors are getting glitchy, the battery is dying and both CPU and memory are getting old.

I've experienced each one of those, but I don't think more than one ever.
My last phone, I bricked the internal storage when it was only a few months old and it wouldn't boot. Its replacement had very similar specs. Had I purchased a camera module, or IR module, etc. I would definitely have reused them. The device before that, the power button broke. The device was still up-to-date enough, it just couldn't be turned on and off. In both instances, the screen and other parts were fine. I don't think I've scratched up a screen since the days of WAP feature phones with plastic screens. Glass is hard to scratch up.

Of course your experience may be different. That's the point, actually: different strokes for different folks.

The other category of use-case other than the hacker/maker types may be preconfigured specialized versions from value added resellers. You may have seen firefighters trying out Google Glass. A firefighter phone would have a water resistant case, an IR camera, which is just a regular camera with the IR filter removed, a very loud speaker, a close-proximity findme feature, etc. It could even have a software defined radio module to use as a radio.

Next door to the fire training field is the search and rescue training center, and nearby the paramedic training. Search and rescue professionals might like some of the features of the firefighter phone and buy one configured with search and rescue modules like an upgraded GPS, compass, and a larger antenna for extended range.

PS - I'm with the fire instructors and I'm a step ahead on that particular market. There are many other markets, though - extreme sports fanatics, outdoorsmen, MUSIC phones with great speakers ....

Comment: That's funny! MLK was a leader. Jackson a whiner & (Score 3, Interesting) 477

by raymorris (#47569403) Attached to: Jesse Jackson: Tech Diversity Is Next Civil Rights Step

> I pray, when they die, the ghost of MLK spends eternity bitch-slapping the both of them day in and day out.

That put a smile on my face. MLK was a leader, one of the best. Jackson is not a leader, he's a whiner. Also a liar. Was it Jesse or Sharpton who was about 8 years old when he started calling himself "Reverend"? Either way, they're the same - professional whiners. Where exactly is your church, reverend? I'll try to avoid having my daughter exposed to either of them, lying and telling her she can't do anything because of her complexion.

Comment: FTFY (Score -1, Troll) 477

by argStyopa (#47568501) Attached to: Jesse Jackson: Tech Diversity Is Next Civil Rights Step

Jesse Jackson: "I desperately need a new cause to trumpet, or I'm no longer going to be able to afford my lifestyle. Therefore, I shall identify a desperate need for my community, for which I shall naturally be named the spokesman. By this method I shall articulate a set of vague, impossible goals such that we can once again identify an entire culture as 'victims' of the nebulous (but nevertheless nefarious) forces that keep us 'down'. I shall continue to attach myself to this I-hope-ever-growing movement, in order to be able to pay for my cars, mistresses, and if I'm lucky, even the lawyers needed to keep my son out of prison. Perhaps I have finally found the cause celebre that will even allow me to ride into media sinecure, like that dirty sellout bastard Al Sharpton."

Well, that's what I heard, anyway.

I'd call his plan for IT diversity the Nationwide IT General Graduate Effectiveness Resource System. Come up with your own acronym as required.

The real question for the IT community is, of course, does his plan ensure enough vaginas in IT departments? If not, then his victim train will have to wait until that one leaves the station.

Comment: You seem to think I like Verizon (Score 1) 271

by raymorris (#47567985) Attached to: Verizon Now Throttling Top 'Unlimited' Subscribers On 4G LTE

Basically, your post boils down to "Verizon is bad" and "taxpayer subsidies to Verizon are bad".
I agree on both points. I didn't say Verizon is good. I said Verizon isn't scared of losing customers who use their cell phone as a hotspot to provide their home internet service and use 150 GB / month or more.

I wouldn't use Verizon or any other contract carrier. Years ago I switched to an off-brand carrier with no contract. The no-contract carrier charged half as much as Verizon or Sprint, while using Sprint towers. So, fuck Verizon and Sprint. I pay $35 for "unlimited" with LTE, which is a lot less than Sprint charged.

Here's the weird thing - a few years ago, Sprint bought the no-contract carrier that was competing with them, Boost Mobile. Now, it's actually the same company, Sprint, providing the service for $35 under their Boost brand. When I left Sprint years ago, Sprint charged about $70 for a plan with a few hundred MB. Now, the same company sells me unlimited for half the price. That's what we call a price cut of over 50% that was caused by Boost competing with them. There's not enough competition in the industry, obviously. When there is competition, it cuts my bill in half.

Comment: Re:Wikipedia is unreliable (Score 1) 169

by plover (#47567767) Attached to: An Accidental Wikipedia Hoax

My point is there are not enough searchers working on our behalf, primarily because there is not enough incentive. (The NSA and Chinese may have found the bug years ago, for all we know, but they have a strong incentive to find vulnerabilities. Not enough people are paying White Hats to find these bugs and get them fixed.) Linus' Observation uses the clause "given enough eyeballs", which implies to the reader that someone is actually providing the appropriate number of eyeballs required. That implied assumption is made every time someone says "Open Source software is more secure than proprietary software, because of Linus' Law." But it simply hasn't proven to be a realistic assessment, or a very effective guarantor of security.

There's an unwritten corollary at play here: "given enough code, you won't have enough eyeballs." And that's something else keeping Linus' Observation from becoming a valid hypothesis. It even applies to this story, as well. "Given enough Wikipedia articles, there aren't enough fact checkers."

Comment: Re:Fire(wall) and forget (Score 5, Informative) 335

It doesn't matter if it's a rational argument backed up by facts or not, or if he's done a risk assessment, or if it's a free, cheap, or expensive firewall. The Payment Card Industry's Data Security Standard (PCI DSS) has as its very first requirement (Requirement 1): "Install and maintain a firewall configuration to protect cardholder data." It's not an optional requirement, and you can't justify not having one.

If you're going to handle credit cards on the system, it has to be protected with a firewall.

If your POS vendor isn't requiring a firewall, either they are not selling a system that takes credit cards, or they are selling shoddy, insecure systems that are in violation of PCI DSS. Fixing these problems will cost you dearly; worst case, they are setting you up for a breach.

Comment: Re:Wikipedia is unreliable (Score 2) 169

by plover (#47566779) Attached to: An Accidental Wikipedia Hoax


It took 4 years before it was discovered, and even then, it was only found because it was a security-related bug. Shallow bugs don't cause the Internet to break.

"Linus's Law" is a failed hypothesis; it is not a theory, and certainly not a law. The distinction is important. At best, it could be rewritten as "Linus's Oft-Repeated Wish."

May the bluebird of happiness twiddle your bits.