
Comment Re:All the data hasn't been released (Score 4, Interesting) 440

An article I saw said what wasn't released was mostly a database of pictures and messages exchanged through the site. It said there were two problems with releasing the pictures, the database is very large (compared to the text files that compress fairly well), and 40% of the pictures were dick shots and they didn't want to release those. They could still release the database of messages though. I think they are doing the same things as the Snowden leaks, release parts at a time to keep the interest alive, and slowly drive the spike through AM's heart.

Comment Re:Headline is stupid (Score 2) 220

It's not a false claim, it's a joke. Laugh. Relax.

So someone takes a swing at me and I say WTF? and they say it was just a joke, then swing again and say it is still a joke. I can still hit him and call it self defense, joke or not, and he would deserve it. People will often call their bad acts a joke after the fact to avoid responsibility. It's like in this video where a guy tries to steal a purse, then laughs as if a prank, then tries to steal it again (only to get beat by the bus driver).

Did the student mean for his tweet to be a joke when he did it? I don't know, but based on what little I have read, which I admit isn't enough to ACTUALLY know the truth, it at least seems it wasn't and he is now in self-defense mode.

Comment Re:I know it's not the entire point but... (Score 2) 161

You don't seriously think the handbrake is an "emergency brake", right? Good grief, please be kidding.

It isn't a handbrake in my vehicle since it is on the floor, and such systems were originally put in place to provide a backup braking system in case the hydraulic system failed, especially since hydraulic braking systems used to be single-cylinder systems and were only mandated to use dual master cylinders starting in 1976. They were later adapted to provide a backup parking brake to supplement the vehicle being left in gear, and are now often also referred to as a parking brake.

So yes, I think of it as an "emergency brake". But then ideas like yours are why most people never think to use it when their regular brakes fail, just like they don't think to turn off the ignition if the throttle sticks.

Comment Re:I know it's not the entire point but... (Score 1) 161

That is the CAN bus, not the ODB-II

First, how is it that you feel qualified to speak on this subject when you don't even know the difference between the second coming of Ol' Dirty Bastard and On-Board Diagnostics?

The linked article explicitly spelled out the ODB-II, so I addressed that. The article said "The device that the UCSD researchers exploited for those attacks was a so-called OBD2 dongle"

Second, CAN is a protocol which is used with OBD-II. It is also used for communications between modules. Getting onto any bus on which the PCM speaks is sufficient for making an attack against the powertrain.

Which is why I said "accessing the CAN bus will probably yield the same capabilities."

Third, if the PCM is located under the hood, which it often is, then the diagnostic line (whether it's a CAN line like it usually is on modern cars, or one of the other protocols used with OBD-II) may well run through an exposed harness under the hood.

If you are going to break into the engine compartment, then it isn't that different than breaking into the car.

For example, in the Audi A8, the E-Box which contains the PCM, TCM and so on is right up against the firewall and there's a very short bit of harness with the diagnostic line in which doesn't get exposed. And in my particular vehicle, a very early 1997 A8 Quattro, the ABS controller is located inside up under the dashboard, so that diagnostic line (in my case a K-line, not CAN) is also inaccessible. But since there's only one diagnostic line which literally goes to all the modules, in the cars which immediately follow mine (starting in late 1997) which have the ABS controller located directly on the ABS module under the hood, it's relatively easy to access the bus — upon which live the PCM, TCM, ABS, and SRS. I think those vehicles actually have a gateway between the powertrain (which includes the ABS in modern vehicles) and SRS, and the infotainment bus, which includes the steering wheel controls. Some of the details of cars which are not mine are a bit hazy.

TL;DR: You don't know what you're on about, and sometimes a sensitive wire is accessible from beneath the hood, even if you can't raise it.

What sensitive wire is under the hood isn't that big of a problem, unless it is at the bottom of the compartment and easily accessible from underneath, because breaking into under the hood is almost the same as breaking into the car's interior. Climbing under a car and accessing directly exposed wires via a harness is a different matter, and what I was talking about. I never mentioned breaking into the hood-protected area to get to the bus.

Comment Re:I know it's not the entire point but... (Score 1) 161

The difference is to access the ODB-II requires getting into the vehicle without the owner knowing,

That depends on the vehicle. Some can be raised up, crawled beneath, and the harness accessed. Some, you can't get to it from there. Once you get there you only need three lines for OBD-II.

That is the CAN bus, not the ODB-II, but you are right, and I didn't want to spend the time explaining it, that accessing the CAN bus will probably yield the same capabilities. The CAN bus runs to a lot of components like the transmission and is often also exposed on the car's underside.

Comment Re:I know it's not the entire point but... (Score 1) 161

yes but you can't snip the brakes when the vehicle is going 75 MPH on the freeway...

With a small remotely operated tube cutter, yes. (two actually due to dual-cylinder brake systems) Same as this device, other than one device versus two. The difference is to access the ODB-II requires getting into the vehicle without the owner knowing, while attaching a tube cutter only requires access to the underside of the vehicle. The latter is actually easier. In both cases pressing the emergency brake (ever wonder why it is called that?) would activate the rear brakes unless that physical cable were also cut.

Comment Re:Facepalm. (Score 2, Insightful) 95

Sounds like the ideal sort of thing to be able to disable (or provide a random response to) in the browser.

Everything your browser does that is different than other browsers can be used to fingerprint you, so sending a random response would be an identifiable trait to narrow the group they think you are in. Better to send nothing, assuming most people's browsers don't send anything, or whatever the response a desktop sends when asked for its battery level.

Comment Re:Used it for 5 years, happily, but... (Score 1) 113

Unlike the first commenter, I regularly see savings of 10-15 cents per gallon. With an 18 gallon tank, that could mean $2.70 in savings...much more than 30 cents.

The first poster said "it's not worth saving 30 cents a gallon on gas", so for an 18 gallon tank that would be $5.40.

It also does not take very long... And when you are in an unfamiliar area, it has benefits for savings and simply locating gas! Going to read the new terms now...

I agree. My tank is much larger than 18 gallons, and prices around me vary by about 60 cents, so I can easily save $5 to $10 if needing to fill up in an unfamiliar area versus stopping at the first place I see.

Comment Re:Seems like a piece is missing (Score 1) 140

Also missing is the motivation - possible oil and gas reserves under the South China Sea. China wants to strengthen their territorial claim and then say the entire area is theirs.

They already say the entire area is theirs (see the dotted red line in the article). Their plan is for these islands to give them a stronger presence so they can militarily force the issue in the future.

Comment I foresee a sudden demand for raises (Score 4, Interesting) 430

Baker claims the spreadsheet compelled more Google employees to ask and receive "equitable pay based on data in the sheet."

90% of drivers think they are better than the average driver, and I would bet 90%+ of workers think they are better than average, and would therefore expect to be paid above the median (note for the statistically challenged - 90% of a group cannot be above the median). This study will give them data to know where they are on the graph. How will management deal with 90% of their workers demanding to be paid more since they are being paid below what they think they should be based on their (biased) self-assessment?

Comment Re: But can it be a Tweet? (Score 5, Informative) 130

It's a hip way of saying small. He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root. echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

Small correction. DYLD_PRINT_TO_FILE doesn't run as root, it just tells the dynamic library where to write error logs. The problem is it is accepted and used by child processes, even setuid ones, so by setting the environment variable, then calling sudo (which runs as root) with an invalid argument that will cause an error to be logged, he can create or append to any file on the machine he wants. He used the sudoers file for his example, but I am sure there are many other possibilities.

BTW, this is a similar exploit to the LD_LIBRARY_PATH exploit from many years ago where you could get a setuid program to use your dynamic library instead of the system one, thereby getting your code to run as root. It was fixed by having the loader check if the program uid doesn't equal euid and if so ignore the LD_LIBRARY_PATH variable. Apparently programmers at Apple are guilty of not learning from history and are therefore repeating it.
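
As an added illustration that is not part of the comment above and not Apple's or glibc's loader code: the rule described there, that a loader must ignore a user-supplied environment path (LD_LIBRARY_PATH in the old bug, DYLD_PRINT_TO_FILE here) whenever the real and effective ids differ, written as a small C function. The names env_path_allowed and current_process_allows are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical "secure mode" check for an output path taken from the
 * environment. Returns 1 if the path may be honored, 0 if it must be
 * dropped. The key rule is the one the comment describes for
 * LD_LIBRARY_PATH: a setuid/setgid process (uid != euid or gid != egid)
 * never trusts the environment it inherited from the invoking user. */
int env_path_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                     const char *path)
{
    if (path == NULL || path[0] == '\0')
        return 0;            /* nothing to honor */
    if (uid != euid || gid != egid)
        return 0;            /* privilege boundary crossed: ignore the variable */
    if (path[0] != '/')
        return 0;            /* insist on an absolute path */
    if (strstr(path, "..") != NULL)
        return 0;            /* no parent-directory components (deliberately broad) */
    return 1;
}

/* Apply the rule to the running process and the named variable. */
int current_process_allows(const char *var)
{
    return env_path_allowed(getuid(), geteuid(), getgid(), getegid(),
                            getenv(var));
}

int main(void)
{
    const char *var = "DYLD_PRINT_TO_FILE";   /* variable from the post */
    if (current_process_allows(var))
        printf("%s=%s would be honored (unprivileged process)\n",
               var, getenv(var));
    else
        printf("%s ignored or unset\n", var);
    return 0;
}
```

Run it once normally and once under sudo with the variable set; the setuid case is exactly where the second branch must win.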

Comment Re:This NOT about a Private Call (Score 2) 179

That was a major point toward the end of the linked article. The court said:

“The district court’s holding would logically result in the loss of a reasonable expectation of privacy in face-to-face conversations where one party is aware that a participant in the conversation may have a modern cellphone.”

Basically, if you are having a "private" conversation, and know that someone present may have a cell phone, then this precedent may mean you no longer have an expectation of privacy for the conversation.