
Comment: Better than expected... (Score 1) 54

With 22 different models of crap home routers I would have expected the pen-testing equivalent of clotted rivers of gore pouring through heaps of smouldering rubble and pooling around the skull pyramids that seem to rise higher than the walls that once offered the false promise of shelter. Not merely 60 serious vulnerabilities.

Comment: Re:One connector to rule them all. (Score 4, Interesting) 165

Don't worry, things will still be nice and confusing: It is valid to use a "Type C" connector in conjunction with a USB2 chipset(at least on the peripheral end, and probably in practice on the computer end). Further, if the "Type C" connector is actually USB3, there is the matter of "Alternate mode".

"Alternate mode" allows the Type C jack and cable to act as a conduit for an entirely different protocol(Displayport and MHL have previously been announced, Intel's announcement presumably means that thunderbolt is along for the ride); but only if the system has the hardware necessary to implement whatever the other protocol is, and that hardware is suitably connected to the Type C jack in question. It doesn't actually give a USB 3.1(gen1 or gen2, yes there's that difference as well) device the ability to natively handle the other protocol in the USB silicon, merely to politely carry it from one end to the other, if the upstream device can generate it and the downstream device can accept it.

So, when you combine this with the inevitable variations in how much power is available(spec allows for up to 100watts; but given that very few laptops, much less littler widgets, even have a hundred watt brick for their own needs, it is clearly the case that most Type C ports will be good for substantially less); a Type C port can do almost anything; but is required to do effectively nothing beyond acting as a USB 2 slave device and not starting any fires when plugged in. It might have full USB 3 silicon, it might not. It might support 10GB/s traffic, it might only handle half that; it might deliver 100 watts of power on request, it might be incapable of doing much besides browning out without a powered hub to protect it. It might have implemented one or more 'Alternate mode' protocols, it might support none.

It will certainly be exciting, at least...

Comment: Re:DHS was never about Homeland Security (Score 4, Insightful) 322

It's never 'welfare' if it involves defense spending: the spending doesn't have to actually increase security, or deliver a product that actually works(it's even acceptable to putz along for a decade or two until the project becomes so hopeless that it is quietly killed without ever delivering a product); but so long as it's for 'defense' and involves some sort of visible business, it's not welfare.

Since this is bullshit, we simply treat it as axiomatically true, which sidesteps what would otherwise be a tedious and difficult matter of 'proof'.

Comment: Re:Still needs another vulnerability (Score 1) 82

by fuzzyfuzzyfungus (#49821107) Attached to: Macs Vulnerable To Userland Injected EFI Rootkits
Exactly. When it's your own gear, you only have to worry about vulnerabilities that can be exploited despite whatever measures you have in place.

If there's potentially malware that embeds itself hard enough to resist a disk wipe, or even replacement, you have to worry about the prior owner's security, incompetence, potential malice, etc. And that's even if you aren't cool enough to have the NSA 'implant' teams intercepting your mail.

Given the size of the secondary market for things with firmware in them(ie. basically all computer parts more sophisticated than cables; and even some of the cables these days), I'm a bit surprised that this hasn't already become an epic clusterfuck. Especially with scary little things like LOM modules, which are full computers, most commonly with independent NICs, that you graft right into the brainstem of your servers. Flooding the market with poisoned LOM cards/modules seems like the sort of thing that might even be worth it for a commercially minded criminal, much less a nation state looking for juicy secrets.

Comment: So, what's the plan? (Score 2) 63

by fuzzyfuzzyfungus (#49814547) Attached to: Intel To Buy Altera For $16.7 Billion
Given that FPGAs are big, slow, and hot compared to equivalent logic built as a fixed function chip(but with the obvious benefit of not being fixed function), Altera FPGAs manufactured on the fanciest processes available seem like a fairly obvious product of the acquisition.

Any bets on what other purposes they have in mind? FPGAs with one or more QPI links built in, for fast interconnect with Xeons? Xeons with FPGAs on die? Intel NICs with substantially greater packet-mangling capabilities, at full wire speed, thanks to reconfigurable logic?

Merely producing FPGAs on a nice process is logical; but could also be done just by selling them fab services. They presumably have a plan that goes beyond that.

Comment: Re:Douch move for sure on SF (Score 4, Insightful) 376

by fuzzyfuzzyfungus (#49813897) Attached to: SourceForge and GIMP [Updated]

Aren't we all smart enough to turn off the adware during install? I even know some old people who turn off "add-ons" that they don't need.

Well, given that adware 'offers' still get injected into installers, I'm going to use my incredible mental thinking skills to hypothesize "no, we aren't".

Aside from that, even if you don't get hit by the adware, having to defang an installer just to use a program leaves the indistinguishable taste of pure sleaze in your mouth for the rest of the process(looking at you, Oracle and the Ask.com toolbar...)

Sourceforge is dragging the GIMP project's name through the mud by bundling this shit, even if they don't hit anyone. That alone is more than enough to be displeased by.

Comment: Re:Time for the BIOS to be EEPROM again? (Score 1) 82

by fuzzyfuzzyfungus (#49813669) Attached to: Macs Vulnerable To Userland Injected EFI Rootkits
Given that laptops(especially Apple's) are an increasingly heroic enterprise to open; 'internal jumper' probably isn't happening; but you might be able to get away with some other 'physical presence verification' mechanism that exploits buttons that the system already possesses(similar to the way that Chromebooks killed physical dev-mode switches, because OEMs didn't like the added cost, so now it's some multi-key combo during boot).

Not as good as a true hardware write protect(in theory, a suitably capable attack might be able to emulate USB HID or ACPI button events); but much more likely to actually happen than anything that requires cracking the case or increasing the BoM.

Comment: Re:Will anyone exploit it? (Score 4, Insightful) 82

by fuzzyfuzzyfungus (#49813651) Attached to: Macs Vulnerable To Userland Injected EFI Rootkits
If I'm just harvesting nodes for my botnet, macs are pretty lousy targets, no more capable than PCs and substantially more obscure.

If I'm attacking systems for the data on them, or to MiTM/trojan/keylog the users of the systems; grab banking credentials and the like; mac users are a conveniently self-selected group of people atypically worth harvesting. Sure, there are a bunch of underemployed baristas with degrees in Individuality using the macbook pro that mommy and daddy bought them to watch movies in their dorm room; but as a whole, thanks to the higher prices, users of OSX devices skew upmarket pretty substantially(iOS devices have some of the same effect; but much less, since at least an iPhone 5c or the like is probably available as the 'free'-with-usurious-contract model on most telcos).

If you are attempting a corporate/institutional intrusion, macs vary in value: they are way, way, less common, frequently absent entirely; but where they are present, their minority status often means very limited integration into the enterprise's legion of 'security' products, IDSes, and everything else that the Windows users complain is causing logins to take 30 minutes. This makes them handy 'beachhead' systems, especially if they are loaded up with Office, Adobe Malware Runtime, and similar stuff that may well have cross-platform or partially shared libraries of vulnerabilities; but much reduced vigilance on OSX clients.

Comment: Re:Still needs another vulnerability (Score 3, Interesting) 82

by fuzzyfuzzyfungus (#49813579) Attached to: Macs Vulnerable To Userland Injected EFI Rootkits
Less of an issue among people/organizations who exclusively buy new, from manufacturer or authorized retailer; but (at least on the PC side, I don't deal much with mac procurement), refurbished off-lease units are an enormous market. Very, very, popular with organizations that can't afford to ride the latest-and-greatest. It's not glamorous (something like the Optiplex 780 is nothing to write home about); but if you need a few computer labs or a cube farm on a tight budget, the fact that you can get units with an adequate 3rd party warranty, no DOA, 4GB of RAM, and an adequately punchy CPU for ~$150, sometimes a little less, each, is pretty compelling.

"Previous owner" isn't a scary vulnerability for exploits that live at the OS level; all the refurb stuff typically gets wiped once by the refurb house during their testing process, and re-imaged when it reaches the customer; but it is damn scary for firmware-level exploits. Especially motherboard firmware(HDD firmware exploits are scary; but taking out the HDD and shredding it, then replacing it with another low-capacity-everything-is-on-the-network-anyway boot disk is at least cheap); which compromises the system at a scary-deep level, and also compromises the component that makes up most of the value of the computer.

Without a good OS-level vector, preferably with a nice internet infection capability, it isn't a good candidate for a pandemic; but if this sort of firmware fuckery makes the used market about as reliable as buying street drugs, it will have a major impact.

Comment: Re: Simplistic (Score 1) 355

When it comes to 'software replacing teachers', we really haven't made many fundamental advances since Gutenberg(who at least substantially increased the percentage of the world's books that weren't produced by students taking lecture notes in class, which presumably meant that you at least had the option of reading the textbook and skipping the class). If you just need information, technology has done quite well, and continues to make improvements; but if you aren't ready to turn information into knowledge all by yourself, there isn't much on offer.

Comment: Re:Simplistic (Score 1) 355

There is a certain amount of irony; but it's those years of expensive and supply-limiting training that are precisely what make them such an attractive target.

It's not an easy target; the computer system that ends up replacing your radiologist or your lawyer or whatever will likely have cost far, far, more to develop than the human it replaced did to raise and train(even if you count the human's recreational spending); but the computer's ability to do work will just keep increasing if you buy more silicon, while the human doesn't scale. If you could hire a single radiologist and make him more productive just by buying additional office chairs, you probably wouldn't bother with the robot.

Comment: Re:Mental health and substance abuse social worker (Score 1) 355

Mental health and substance abuse social work looks to be doubly golden. Because the takeover by machines will surely increase the number of unemployed people with mental health and substance abuse problems.

Depends on the political climate: if some bleeding heart is calling the shots, sure; but if it's tough-on-crime time, then the rapidly maturing world of combat robotics will be tapped to provide low-cost 'treatment' solutions to these populations.

Comment: Re:nope (Score 1) 355

'Real' empathy would require a strong AI, more or less by definition(and a relatively human-like strong AI at that). Conveniently, though, there's no externally visible difference between real and fake empathy, and faking it is on the level of passing a Turing test, which is hardly trivial; but likely to actually happen in the comparatively near future.
