
Submission: Lenovo pre-installs malware injecting ads and spoofing SSL certs

Submitted by janoc
janoc (699997) writes "Lenovo is pre-installing adware/malware called Superfish on their laptops which serves ads for products you may be browsing/shopping for, "but cheaper". Unfortunately it also breaks into SSL sessions by installing a false root certificate, allowing for potential snooping on secure sessions."

Comment: Classic DRM flaw ... (Score 2) 215

by janoc (#49048065) Attached to: New Encryption Method Fights Reverse Engineering

As this, by definition, requires that the encryption key is present in the clear on the machine where the decryption is happening in order to make it possible to decrypt the instructions (a CPU cannot execute encrypted code), it can be trivially circumvented. Finding where the key is stashed is only going to be a matter of time, and then the encrypted code can be conveniently decrypted off-line, repackaged without the stupid performance-impeding encryption (caching will suffer badly with it) and released on a torrent somewhere, as always ...

Fundamentally, this is no different from doing ROT13 on your code - code obfuscation.
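The argument of the comment above carried through in code, as an added example (not from the article's method, whose details the page does not give, and not the commenter's code): the "protected" image stores AES-CTR-encrypted code together with the key and IV the decryption stub needs. The attacker knows nothing about the layout, only that the code starts with a fixed header (the ELF64 identification bytes are assumed here; a PE "MZ" header or a known prologue serves just as well), and recovers the key by trying every window of the image as key||IV against every candidate ciphertext offset. The sample code, the 77-byte stub filler and the fixed key and IV are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// KnownHeader is the known plaintext the attacker relies on: the first eight
// identification bytes of a 64-bit little-endian ELF file (assumption for the
// demo; any fixed prefix of the protected code works the same way).
var KnownHeader = []byte{0x7f, 'E', 'L', 'F', 2, 1, 1, 0}

// SampleCode is constructed for this demo: the header plus filler standing in
// for the instructions the scheme is supposed to protect.
var SampleCode = append(append([]byte{}, KnownHeader...),
	bytes.Repeat([]byte("secret instruction stream "), 3)...)

// Pack emulates the protection scheme: the code is AES-CTR encrypted, but the
// key and IV the in-memory decryption stub needs are stored in the same image,
// at an undocumented offset behind the stub bytes.
func Pack(code, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(code))
	cipher.NewCTR(block, iv).XORKeyStream(ct, code)
	stub := bytes.Repeat([]byte{0x90}, 77) // stand-in for the decryption stub
	img := append([]byte{}, stub...)
	img = append(img, key...)
	img = append(img, iv...)
	return append(img, ct...), nil
}

// RecoverKey is the attacker's side and knows nothing about the layout: every
// 32-byte window is tried as key||IV and every offset as the ciphertext start.
// Only the right pair turns the first ciphertext bytes into the known header.
func RecoverKey(img, header []byte) (keyOff, ctOff int, ok bool) {
	ks := make([]byte, aes.BlockSize)
	for k := 0; k+32 <= len(img); k++ {
		block, err := aes.NewCipher(img[k : k+16])
		if err != nil {
			continue
		}
		block.Encrypt(ks, img[k+16:k+32]) // CTR keystream block 0 = E_key(IV)
	next:
		for c := 0; c+len(header) <= len(img); c++ {
			for i := range header {
				if img[c+i]^ks[i] != header[i] {
					continue next
				}
			}
			return k, c, true
		}
	}
	return 0, 0, false
}

// Unpack decrypts offline with the recovered material; the result is the code
// without the encryption layer, ready to be repackaged.
func Unpack(img []byte, keyOff, ctOff int) ([]byte, error) {
	block, err := aes.NewCipher(img[keyOff : keyOff+16])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(img)-ctOff)
	cipher.NewCTR(block, img[keyOff+16:keyOff+32]).XORKeyStream(out, img[ctOff:])
	return out, nil
}

// Demo builds a protected image with a fixed key (the key's quality is beside
// the point, it sits on the machine either way) and recovers the code from it.
func Demo() ([]byte, error) {
	key := bytes.Repeat([]byte{0x42}, 16)
	iv := bytes.Repeat([]byte{0x07}, 16)
	img, err := Pack(SampleCode, key, iv)
	if err != nil {
		return nil, err
	}
	k, c, ok := RecoverKey(img, KnownHeader)
	if !ok {
		return nil, fmt.Errorf("no key/ciphertext pair matched the known header")
	}
	return Unpack(img, k, c)
}

func main() {
	code, err := Demo()
	if err != nil {
		fmt.Println("failed:", err)
		return
	}
	fmt.Printf("recovered %d bytes, header ok: %v\n", len(code), bytes.HasPrefix(code, KnownHeader))
}
```

The search is quadratic in the image size, which is irrelevant in practice: a real attacker would narrow it further by breaking on the stub's first memory read after decryption, but the point stands either way, the cipher is never attacked, only the key's hiding place.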

Comment: Re:How can someone think that this is a good idea (Score 2) 157

by janoc (#49006709) Attached to: Automakers Move Toward OTA Software Upgrades

Having cars reflashed at a dealership is something different - the mechanic will usually do at least some basic sanity tests that everything works before handing it over to the client.

Anyway, my point wasn't that reflashing firmware is bad - it may be even required and I am fine with that. It needs to be done safely and securely, though!

And yes, Toyota had a big software problem too, even though it wasn't why they lost that accelerator pedal lawsuit:

http://www.edn.com/design/auto...

Comment: How exactly is this news ... (Score 2) 83

In particular, BMW has a history of similar cockups - just search youtube for various "iDrive problems", "Check engine reset" issues, "Engine stalling" issues, etc. Those software problems go back years. The first iDrive implementation from 2002 using Windows CE was a legendary lemon.

It isn't just BMW, though - http://www.edn.com/design/auto...

I had a Renault Clio and Renault's unreliable electronics are legendary too, even though there it was more poor design than necessarily bad code. But you will never know - nobody has seen the source code of the firmware in many of the control units. Often not even the manufacturer has it - it is outsourced and subcontracted, even for critical systems like the ABS or ECU.

And I am pretty sure that this is an industry-wide problem - the same control units are in many cars, especially today with all those shared platforms and alliances between manufacturers.

If someone is thinking about drive-by-wire cars (Nissan uses a safety clutch to be legal at the moment, but they have publicly announced a push to go fully by-wire http://www.caranddriver.com/fe...) or the recent idea of OTA updates in this sort of cesspit of horrid and unaccountable code, they must be insane.

Comment: How can someone think that this is a good idea ... (Score 4, Insightful) 157

by janoc (#49000101) Attached to: Automakers Move Toward OTA Software Upgrades

I am not against the ability to perform an OTA update in principle, but considering what an abysmal record with firmware (and software in general) these companies have, this is a major disaster waiting to happen.

When Microsoft, Apple or Google botch an update, there will be a few dead computers or phones at worst. If someone like e.g. Toyota or BMW (both with a "proven" record of poor quality firmware - think "stuck" accelerators or the famous BMW video of a stalling car spitting its key out at the driver) pushes an automatic OTA update and something unexpected fails, there will be *dead people* in addition to dead computers. And something *will* fail sooner or later - we are far, far from the ability to write provably correct code as a matter of course. And embedded code is often one of the worst examples of both software engineering (non-)methods and quality, mainly because it costs money and time to do things properly instead of outsourcing the firmware to the lowest bidder in a sweatshop somewhere. Nobody will ever see that code anyway, right?

The only way this can work safely is with the user's prior authorization - i.e. *never* automatically and unattended. That way I can make sure that I am safely stopped and not going 130 kph on a motorway when my engine or brakes decide to go bust on me. That is, AFAIK, what Tesla is doing (a message pops up and the driver needs to accept the update). However, unless this mode of operation is made mandatory, some dickhead will for sure push an automatic update at some point. It is just too tempting not to, and I would be surprised if Tesla didn't already have an option to push a "silent" update too ...

The other point that nobody has reacted to so far - do you really want an always-on, always-phoning-home wireless connection in your car? That's a wet dream come true for anyone who wants to track your car for whatever reason. Tesla is doing it for (ostensibly) performance tracking (and, conveniently, busting lying journalists), your insurance may start to require access to that data if you want to keep your premiums low, and finally police and spooks will rejoice, because they don't even have to bug your car or bother with license plate cameras anymore ...
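An update gate along the lines the two OTA comments above argue for ("done safely and securely", only with the driver's prior authorization, never while moving), as an added example that is not any manufacturer's code and not the commenter's: the package carries a vendor signature over version and image, so the car holds only a public key; the version is included so a signed but older image cannot be pushed back; and nothing is installed unless the vehicle is stopped and the driver has answered the prompt. Ed25519, "safely stopped" meaning zero speed with the parking brake set, and the field names are all assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is the hypothetical OTA payload: a version number, the firmware
// image and the manufacturer's signature over both.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// VehicleState is what the update agent observes before it touches any ECU.
// "Safely stopped" is assumed here to mean zero speed with the parking brake set.
type VehicleState struct {
	SpeedKph       float64
	ParkingBrake   bool
	DriverAccepted bool // the driver answered the on-screen prompt
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrRollback     = errors.New("package is not newer than the installed version")
	ErrMoving       = errors.New("vehicle is not safely stopped")
	ErrNotAccepted  = errors.New("driver has not accepted this update")
)

// digest binds version and image together under a single signature, so the
// version cannot be swapped without invalidating the signature.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// Sign is the manufacturer's side; the private key never leaves the vendor.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{Version: version, Image: image,
		Signature: ed25519.Sign(priv, digest(version, image))}
}

// MayInstall is the gate in the car. Authenticity and anti-rollback come first so
// that nothing unsigned ever reaches the driver prompt; the vehicle-state and
// consent checks make a silent or unattended install impossible by construction.
func MayInstall(pkg UpdatePackage, pub ed25519.PublicKey, installed uint32, st VehicleState) error {
	if !ed25519.Verify(pub, digest(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	if st.SpeedKph != 0 || !st.ParkingBrake {
		return ErrMoving
	}
	if !st.DriverAccepted {
		return ErrNotAccepted
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	pkg := Sign(priv, 2, []byte("constructed firmware image"))
	moving := VehicleState{SpeedKph: 130, ParkingBrake: false, DriverAccepted: true}
	fmt.Println("at 130 km/h:", MayInstall(pkg, pub, 1, moving))
	stopped := VehicleState{ParkingBrake: true, DriverAccepted: true}
	fmt.Println("parked and accepted:", MayInstall(pkg, pub, 1, stopped))
}
```

The order of the checks is the design point: a forged package is rejected before the car ever asks the driver anything, and the consent flag is a per-package input rather than a stored preference, so there is no "always accept" setting for a silent push to exploit.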

Comment: WindowsRT anyone? (Score 4, Insightful) 307

by janoc (#48958843) Attached to: Microsoft Announces Windows For Raspberry Pi 2

People are getting all excited about this, but they are forgetting that this is *not* going to be a full-featured Windows able to run their Office and whatnot. First of all, it is an ARM architecture, so regular Windows apps won't work unless they have an ARM version (extremely rare). The OS is most likely going to be the cut-down WindowsRT, running on underpowered hardware - the new Raspberry Pi 2 is still much slower and has less RAM than even the first Microsoft Surface RT, which wasn't exactly known to be a speed demon ...

Microsoft is pushing this as an "Internet-of-Things" platform, but I honestly don't see how WindowsRT presents any advantages there over a dedicated OS without the unneeded GUI bloat. And for education? Yes, there will perhaps be Office RT and a few of Microsoft's apps available, but that's all. What are the kids going to run on this? Visual Studio?

Comment: Let's hope ... (Score 4, Interesting) 38

by janoc (#48907741) Attached to: Virgin Galactic Dumps Scaled Composites For Spaceship Two

That this isn't going to come back to them in the form of another smouldering crater, except with paying passengers this time.

Delays and problems notwithstanding, dumping the company that has essentially designed and developed the entire thing and handing the project to someone else who doesn't have the know-how about this particular system sounds really unwise, especially after the enormous amount of resources that have been spent already. Probably the wealthy investors started to push Branson and Rutan didn't want to compromise on something, so they decided to bypass them. Or Scaled isn't trusted not to mess something up again, as it wasn't the first serious safety-related incident there.

One way or another, this isn't really a confidence-inspiring move from an engineering point of view - I cannot imagine the motivation and morale of the people building the craft after being told that no, they won't be allowed to be involved in the testing, except as consultants.

Comment: This guy shouldn't be teaching (Score 0) 648

by janoc (#48857459) Attached to: Justified: Visual Basic Over Python For an Intro To Programming

This fellow obviously has no clue about Python and likely not much about programming in general when he can spout such nonsense about Python being "C-based" and "unable to do more complex things".

I read this more as - "I know Visual Basic so I will do everything in VB to save time". If he had said that, he could have avoided presenting himself as an ignoramus spouting techy mumbo-jumbo to get that parent off his back, when he doesn't really know much about the subject he is supposed to be teaching. I had colleagues who were teaching object oriented programming at a university using Max/MSP and dragging/connecting boxes - "These are objects in Max, so it is object oriented programming!". But that is what you get when you have a music composer assigned to teach computer science (not kidding ...).

I am really sorry for those kids, because Visual Basic is a pretty terrible language to start from - it is very limited in what it can do and then anything more complex is directly tied to the Microsoft Windows idiosyncrasies, with little abstraction. They would have been much better off with something like the Python & Pygame combination (I did teach a first semester programming class like that). Or even better, some language actually specifically made for this purpose - like Logo. Or even start with Scratch, Alice or Lego Mindstorms kits for complete novices that have really no clue yet and then move on to Logo or Python once the basic concepts are settled.

People that are advocating C here have obviously never tried to actually teach it to complete novices (we are talking high school kids here!) - there you need to get the kids to first understand abstractions like code, execution flow, the correspondence between real world objects and their modelling in a computer (variables, types, use of arithmetic, etc.). Having to battle compiler errors, strict typing and stuff like pointers, required even for printing a simple "Hello world!" message, is really distracting and not helpful in that context. They will have plenty of time to learn about that later.

Disclaimer: I did teach undergraduate programming courses, both in Python and C/C++, including using those Lego Mindstorms kits.

Comment: Windows installer has a similar "feature" (Score 3, Insightful) 329

by janoc (#48831793) Attached to: Steam For Linux Bug Wipes Out All of a User's Files

The Windows installer has a similar issue and apparently it is not even considered a problem (red box):

https://support.steampowered.c...

This reeks of serious incompetence or negligence, in my opinion - writing installers that blindly mass-erase files instead of tracking which files the software actually installed and erasing only those on uninstall/move is not acceptable in my book. Whether or not it is documented in some disclaimer that nobody reads is irrelevant. This really is asking for a lawsuit if someone gets seriously bitten by it.

I really wonder what the devs at Valve were smoking when they considered this acceptable.

Comment: Lets fight for the freedom of speech ... (Score 4, Interesting) 319

by janoc (#48791587) Attached to: Several European Countries Lay Groundwork For Heavier Internet Censorship

... by censorship!

The governments will be busy chasing Facebook and Twitter "jihadists" while the ones with kalashnikovs will be killing people in the streets. *facepalm*

The hypocrisy of the politicians that "were Charlies" this weekend in Paris and at the same time are calling for more Internet censorship really is staggering.

Comment: In other words ... (Score 1) 219

by janoc (#48782679) Attached to: LAPD Orders Body Cams That Will Start Recording When Police Use Tasers

The cops will just shoot you or beat you senseless with a baton instead. Or even strangle you with bare hands ... How convenient is that taser-activated camera, indeed!

This is nothing but a nice juicy piece of pork for Taser and some politicians getting contributions/kickbacks from them, "sold" to the public as a means of addressing excessive use of force.

Comment: Asking for the impossible (Score 2) 325

by janoc (#48767073) Attached to: Ask Slashdot: High-Performance Laptop That Doesn't Overheat?

Ok, so the OP wants a desktop i7 chip in a laptop case that doesn't overheat. Hmm. Ain't gonna work, pal!

You can have fast, cool and portable - but pick two. All laptops are at best a compromise from a thermal design/cooling point of view, and if you add desktop chips that aren't designed to run cool, because powerful cooling is assumed, you are asking for the impossible. BTW, this is the same (or even worse) on mobile devices - today's smartphones cannot run on full power for more than about 15 minutes before they overheat and shut down.

There simply isn't enough cooling, because customers are asking for devices that are smaller, slimmer, less noisy, ideally fanless, all the while demanding high performance. There used to be a time when a laptop could run with power management disabled and at worst it was a bit noisy and the battery drained quicker. A modern laptop will fry itself if you disable it.

Do you really, really, REALLY have to have laptops? For running those test databases on? I know, a laptop is cool, but can't you, you know, have a server farm to connect to instead? Do your engineers lug those machines somewhere constantly? I doubt it - those gaming machines are neither robust nor lightweight enough to lug around on a daily basis.

Comment: DNT is useless by design (Score 4, Informative) 145

by janoc (#48681559) Attached to: Google and Apple Weaseling Out of "Do Not Track"

Did anyone actually believe that the do-not-track flag was effective? There is pretty much no way it can be enforced, and the companies can do whatever they want in most cases. E.g. Facebook does not honor it outright, and most advertising networks ignore it as well. It was only a silly boondoggle to quickly placate the regulators/lawmakers by showing that self-regulation in the advertising industry actually "works" and thus no heavy-handed regulation is necessary. That flag is completely useless otherwise.

If you want some semblance of privacy from the pervasive tracking, you must use a solution that is completely under your control - i.e. ad blockers, NoScript, Ghostery, blocking Flash, etc. - and not something that relies on the good will of the advertiser to obey some silly flag.

Comment: Stupid and sad ... (Score 4, Insightful) 83

by janoc (#48679099) Attached to: Lizard Squad Targets Tor

A bunch of bored kids over Christmas break who got fed up with CounterStrike and Call of Duty, so they are wreaking havoc for fun and getting way too much news time for it. I almost gagged when I saw a reporter saying on TV with a straight face that "it is not confirmed whether the attackers are linked to North Korea" and that "The attack is not thought to be a terrorist attack". *double facepalm*

I am not sure what is sadder: these jerks getting off on griefing others, or the mom of one kid who couldn't play Xbox over Christmas because of the DDoS lamenting on camera - "What is he going to do now? He has nothing else to do!" I don't know - like going outside for a while?

Our society is really going downhill :(
