
Comment Re:really... (Score 1) 484

Both Mormons and Muslims claim that their Scriptures are merely copies of documents which came from heaven.

Actually, I don't think either claims that. I know Mormons don't. Mormons claim that the Book of Mormon was written by a series of prophets. The prophets were inspired, but wrote in their own words. Same as the Bible. The difference is in the method of collection and translation, not the method of authorship.

I think it's the same for Islam. Muslims believe Mohammed was a prophet, so his writings were inspired by Allah, but the Koran contains his own words.

Comment Re: Long Live XP (Score 1) 171

Games that won't run on a 64-bit platform and the newest version totally sucks but the old version runs on new hardware like a bat out of hell, software that still does the original task but without the bloat of later releases, or the requirement to always be connected, etc. 10 is a Trojan horse. Beware of geeks bearing gifts.

Comment Re:A govt employee charged with a crime? Shock!!! (Score 3, Insightful) 72

That Shaun Bridges was even charged at all is amazing. He's a government employee, and in most of the world it's very rare for government employees to be charged with a crime because fellow government employees refuse to prosecute them. Thank your lucky stars, America, you are not like Australia where the press reports alleged corruption, the police ignore it, and it piles up and up and up: https://archive.is/KUTAy#cases

Nah, it's pretty much the same in America.

The difference in this case is the nature of the crime and the victim chosen. No, not Ulbricht. The victim was the federal government, because they were going to seize that money anyway. You steal from the government, or attack the government in any way, they're going to drop the hammer on you. If your victim is an individual, well, it depends in large part on the socioeconomic status of that individual. A government employee can get prosecuted for killing a poor black man, for example, but it's rare. If you're a government agency and your victim is the entire nation, you're almost certainly going to get away with it. At most you'll be told to stop, but no one will be going to jail... well, except the guy who ratted the agency out. There's a good chance he'll go to jail, if he can be caught.

Comment Re:not so obvious to everyone it seems (Score 1) 273

It is because the studios asked them for a monetary number well outside Netflix's ability to pay and still stay afloat.

Good content costs good money. Netflix doesn't even own its most successful shows (Media Rights Capital owns "House of Cards" and Lionsgate owns "Orange Is the New Black"). Their first cheap Starz streaming deal was a weird technicality. Everyone knew when it ran out that Netflix could not support its streaming of quality content by charging less than what a cable or satellite provider would for a collection of content of similar quality.

Comment Re:Headline leaves out one very important detail (Score 2) 196

The technical term for jailbroken, insecure versions of iOS is "Android."

That's a common belief. In practice, I don't think it's true. In particular, although the Android world sees lots of announcements of vulnerabilities that affect X hundred million devices, the actual exploitation doesn't seem to follow. One reason is that many of the vulnerabilities aren't actually as widespread or are harder to exploit in practice than the researchers describe. Another is that the diversity of the Android ecosystem often means that an exploit has to be customized for each different manufacturer and model, making broad exploitation harder. A third is that Google is often able to successfully mitigate vulnerabilities with the Play store, Verify Apps and updates to the Play services app. There are other reasons as well.

Whatever the reasons, it's interesting to note that we don't see reports of large numbers of Google accounts being compromised via Android vulnerabilities. I'm not claiming that's impossible, and it wouldn't shock me if it happened tomorrow, but the fact that we don't indicates to me that there is actually more right with the Android security situation than is commonly believed. The low real-world malware numbers disclosed in Google's Android security "State of the Union" report further buttress that view.

(Disclaimer: I'm a member of Google's Android security team. I'm speaking only for myself, not for Google.)

Comment Re:Headline leaves out one very important detail (Score 5, Interesting) 196

I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

It's worth pointing out that if you root your Android device you're doing the same thing, breaking through a wall. That's fine if it's what you want to do, but you are giving something up in terms of security.

As a member of the Android security team, I'm involved in lots of discussions about lots of different threat models and attack vectors, and while we do think about trying to maintain security on rooted devices, I'd say that 90% of the time we end up deciding that we just can't, so "device is running an official image[*] and is not rooted" becomes a foundational assumption of the analysis.

This isn't because rooting is inherently bad, or because we're trying to control users' devices, but because it's impossible to reason about security in a vacuum. You have to know what you can depend on. For example, we might argue that apps can't break out of their sandbox in a particular way because the information they need to do it is managed by a particular system daemon which validates access in a particular way... but in a rooted device that daemon may be modified, or simply bypassed. We just can't know that stuff is still working the way it's intended to. Some members of the modding community do an outstanding job of adding flexibility without breaking the security model, but many others don't.

Ideally, devices should provide enough native flexibility to allow users to achieve what they want while staying entirely within the normal mode of operation. In the case of Android that means staying within Google's "walled garden": install apps only from the Play store, keep Verify Apps enabled (and follow its recommendations), don't root, definitely don't disable SELinux, etc. Where that ideal fails, and users want to do stuff that can't be done in the garden, they should have the option of stepping out of it, and they should be able to do so in a progressive way, not all-or-none... but each step they take increases the probability that they'll change something that violates a security assumption and thereby increases their risk of compromise.

I suspect that Apple security engineers even more strongly assume that devices are not jailbroken. That's just a guess, but it's consistent with the general philosophy of iOS and, if correct, it means that jailbreakers have even less expectation of security. iOS users also live in a software monoculture, which exacerbates the risk. (Android users get security benefits from ecosystem diversity, though there are obvious costs to that diversity as well. Including the update problem.)

[*] Note that given the state of updates in the Android ecosystem, we often don't assume that the device is running an up-to-date system image. From our perspective that's often easier to work with than a rooted device because at least we know how it behaves and can look at trying to mitigate risks at other layers. We're also working on the update situation, but that's hard given the nature of the ecosystem.

Comment Re:wan port (Score 1) 121

If you plug your modem into the LAN port you're an even bigger idiot than the first guy. The blurb is wrong, RTFA it has two ethernet ports, one for LAN one for WAN. The article specifies it has one LAN port. Which is all a router needs.

So, which LAN port routes to the DMZ, if it only has one?

Comment Re:Great experience (Score 1) 182

Google knows my location due to my use of Google Maps

Google receives the map tile requests, etc., but if location history is turned off nothing about it is stored. I have no idea what your cell provider may store, though.

Again, I actually like the location history. I find it convenient to be able to look back and see where I was at a particular date and time. But it's under your control.
