
Comment: Bash needs to remove env-based procedure passing (Score 4, Interesting) 236

by m.dillon (#47999281) Attached to: First Shellshock Botnet Attacking Akamai, US DoD Networks

It's that simple. Even with the patches, bash is still running the contents of environment variables through its general command parser in order to parse the procedure. That's ridiculously dangerous... the command parser was never designed to be secure in that fashion. The parsing of env variables through the command parser to pass sh procedures OR FOR ANY OTHER REASON should be removed from bash outright. Period. End of story. Light a fire under the authors someone. It was stupid to use env variables for exec-crossing parameters in the first place. No other shell does it that I know of.

This is a major attack vector against Linux. BSD systems tend to use bash only as an add-on, but even BSD systems could wind up being vulnerable due to third party internet-facing utilities / packages which hard-code the use of bash.
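The mechanism the comment complains about, as an added example that is not part of the comment: it shows how bash hands an exported function to a child process through the environment, and checks whether the installed bash still executes a command appended after such a function body (the Shellshock behaviour). The `BASH_FUNC_<name>%%` naming and the marker string are described from the patched bash releases; the helper names are my own.

```shell
# Added example, not from the comment above. Assumes a bash binary is on PATH.

# Name of the environment entry bash creates when a function is exported.
# A patched bash writes BASH_FUNC_<name>%% (early patches used
# BASH_FUNC_<name>()); before the patches the bare function name was used
# and bash imported ANY variable whose value began with "() {".
exported_function_env_name() {
    bash -c 'greet() { echo hi; }; export -f greet; env' 2>/dev/null \
        | grep -E '^BASH_FUNC_greet(%%|\(\))=' | cut -d= -f1
}

# Check: supply a function body with a trailing command through the
# environment and see whether the child bash runs that trailing command.
# A patched bash prints only "test"; the marker appears only if the
# parser still executes what follows the function definition.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *) echo patched; return 0 ;;
    esac
}

# Show the results when the script is run directly.
echo "function export entry: $(exported_function_env_name)"
echo "shellshock check: $(shellshock_check)"
```

On a patched system the first line names a `BASH_FUNC_greet%%` entry and the second prints `patched`; the check is the same one distributions published for verifying the fix.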


Comment: Re:"unlike competitors" ??? (Score 1) 504

by m.dillon (#47938615) Attached to: Apple Will No Longer Unlock Most iPhones, iPads For Police

It's built into Android as well, typically accessible from the Setup/Security & Screen Lock menu. However, it is not the default in Android, the boot-up sequence is a bit hokey when you turn it on, it really slows down access to the underlying storage, and the keys aren't stored securely. Also, most telcos load crapware onto your Android phone that cannot be removed and that often includes backing up to the telco or phone vendor... and those backups are not even remotely secure.

On Apple devices the encryption keys are stored on a secure chip, the encryption is non-optional, and telcos can't insert crapware onto the device to de-secure it.

The only issue with Apple devices is that if you use iCloud backups, the iCloud backup is accessible to Apple with a warrant. They could fix that too, and probably will at some point. Apple also usually closes security holes relatively quickly, which is why the credit card companies and banks prefer that you use an iOS device for commerce.


Comment: VPN is the only way to go, for those who care (Score 1) 418

by m.dillon (#47909791) Attached to: Comcast Allegedly Asking Customers to Stop Using Tor

I read somewhere that not only was Comcast doing their hotspot crap, but that they will also be doing JavaScript injection to insert ads on anyone browsing the web through it.

Obviously Comcast is sifting whatever data goes to/from their customers, not just for 'bots' but also for commercial and data broker value. Even this relatively passive activity is intolerable to me.

Does anyone even trust their DNS?

Frankly, these reported 'Tor' issues are just the tip of the iceberg, and not even all that interesting in terms of what customers should be up in arms about. It is far more likely to be related to abusing bandwidth (a legitimate concern for Comcast) than to actually running Tor.

People should be screaming about the level of monitoring that is clearly happening. But I guess consumers are mostly too stupid to understand just how badly their privacy is being trampled.

There is a solution. Run a VPN. If Comcast complains, cut the T.V. service and change to the business internet service (which actually costs less).


Comment: High perf SMP coding is in a category of its own (Score 5, Informative) 195

by m.dillon (#47615991) Attached to: Facebook Seeks Devs To Make Linux Network Stack As Good As FreeBSD's

Designing algorithms that play well in an SMP environment under heavy loads is not easy. It isn't just a matter of locking within the protocol stack... contention between CPUs can get completely out of control even from small 6-instruction locking windows. And it isn't just the TCP stack which needs to be contention-free. The *entire* packet path from the hardware all the way through to the system calls made by userland has to be contention-free. Plus the scheduler has to be able to optimize the data flow to reduce unnecessary cache mastership changes.

It's fun, but so many kernel subsystems are involved that it takes a very long time to get it right. And there are only a handful of kernel programmers in the entire world capable of doing it.


The Military

The High-Tech Warfare Behind the Israel - Hamas Conflict 402

Posted by samzenpus
from the who's-got-the-best-guns dept.
Taco Cowboy writes The Israel — Hamas conflict in Gaza is not only about bombs, missiles, bullets, but also about cyberwarfare, battles of the mind over social media, smart underground tunnels and cloud-based missile launching systems. The tunnels that Hamas has dug deep beneath Gaza are embedded with high tech gadgets, courtesy of Qatar, which has funded Hamas with billions to equip their tunnels with intelligent sensors which are networked to control centers enabling the command and control staff to quickly notify operatives nearby that IDF units are advancing inside a certain tunnel, allowing for rapid deployment of attack units and the setting up of booby traps inside the tunnel.

In addition, Hamas has automated its rocket firing system using networked, cloud-based launching software provided by Qatar which can set off a rocket from any distance, and set them to go off at a specific time, using timers. "Anyone who thinks they have dozens of people sitting next to launchers firing rockets each time there is a barrage is mistaken," said Aviad Dadon, a senior cyber-security adviser at several Israeli government ministries. While Doha is allowing Hamas to use its technology to fight Israel, it's their own cyber-security the leaders of Qatar are worried about. For the Qataris, the war between Israel and Hamas is a proving ground to see how their investments in cyber systems have paid off — Qatar is very worried that one of its Gulf rivals — specifically Saudi Arabia — will use technology to attack it, and Qatar spends a great deal of money each year on shoring up its cyber-technology.

Comment: Re:How has slashdot come to this? (Score 1) 150

Utter crap. Codenomicon are very friendly to FLOSS and FLOSS developers. They're also great guys. They have been providing free test services to the Samba project for many years now, and have helped us fix many many bugs.

In case you hadn't noticed, the code they're reporting on here is closed source proprietary code...

Comment: Re:S'not Wooden (Score 1) 82

by jesse (#47539713) Attached to: A Warm-Feeling Wooden Keyboard (Video)

Hi @dotdancohen, We're using Matias Quiet Click switches. We're definitely aware that different folks have different preferences and assuming we can make the numbers and logistics go, we hope to offer several other Matias Alps options including their louder variant.

The µTron isn't for sale. (Nor is the Fingerworks or any of the other weirder stuff.)

I'd love to hear/read more about the leather keycaps.

And yep, I've actually been documenting my prototypes on GH :)

Comment: Re:good wood? (Score 1) 82

by jesse (#47528447) Attached to: A Warm-Feeling Wooden Keyboard (Video)

We're planning to launch a crowdfunding campaign this fall. But we'd rather delay the campaign than launch something that we're not confident we can deliver and be proud of.

Initially, we intend to ship fully assembled & working keyboards. We believe pretty strongly that open hardware shouldn't require users to pick up a soldering iron. But we know that some folks _want_ a kit and we hope to get there eventually. If you're looking for something sort of like a Keyboardio keyboard in kit form, check out the ErgoDox on Massdrop: (They require login before you can see things. It's unfortunate.)

Comment: Re:S'not Wooden (Score 1) 82

by jesse (#47528425) Attached to: A Warm-Feeling Wooden Keyboard (Video)

There are definitely many awful MicroUSB ports out there, but there are also high-quality MicroUSB ports out there. The price difference between a cheap MicroUSB port and a high-end one is several orders of magnitude. As _specced_ they're supposed to be rated for more insertion cycles than MiniUSB.

We haven't made final component choices yet and this is something we're keenly aware of (and have debated internally). I'd be pissed if my keyboard's USB port failed. I'd be even more pissed if my customers' USB ports failed.
