Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Hashes not useful (Score 5, Informative) 290

by IamTheRealMike (#49157781) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Seagate is correct. Putting a hash on the website doesn't improve security at all because anyone who can change the download can also change the web page containing the hash.

  The fact that this practice is widespread in the Linux world originates from the usage of insecure FTP mirrors run by volunteer admins. There it's possible for a mirror to get hacked independently of the origin web page. A company like Seagate doesn't rely on volunteers at universities to distribute their binaries so the technique is pointless.

A tool to verify the firmware is poetically impossible to write. What code on the drive would provide the firmware in response to a tool query? Oh right ..... the firmware itself. To make it work you need an unflashable boot loader that acts as a root of trust and was designed to do this from the start. But such a thing is basically pointless unless you're trying to detect firmware reflashing malware and that's something that only cropped up as a threat very recently. So I doubt any hard disk has it.

BTW call a spade a spade. Equation Group == NSA TAO

Comment: "Hack?" (Score 1) 98

by Sloppy (#49155605) Attached to: Blu-Ray Players Hackable Via Malicious Discs

Isn't the very point of this player's system, that the player serves the interests of the disc's publisher over the interests of the users, where the users' needs should always yield whenever there is a conflict? That's not a mere technicality; it's the very essence. From the spec's pov, this is desirable operation. Nothing has been subverted.

Comment: Re: Great, fully owned by Silent Circle (Score 4, Interesting) 59

The issue with Silent Circle isn't their jurisdiction. It's that their code is of deeply questionable quality. They recently had a remote code execution exploit that could be triggered just by sending a text message to their phone. It's been literally years since one of these affected mainstream software stacks, so how was that possible?

Well, they wrote their own SMS parsing code, in C, and used JSON to wrap binary encrypted messages and there was a bug that could cause memory corruption when the JSON wasn't exactly in the form they expected.

The amount of fail in that sentence is just amazing. They're a company which justifies its entire existence with security, writing software to run on a smartphone where the OS itself is written in a memory safe language (Java) and yet they are parsing overly complex data structures off the wire ..... in C. That isn't just taking risks, that's playing Russian roulette over and over again. And eventually it killed them. Remote code execution via SMS - ye gods.

After learning about that exploit and more to the point, why it occurred, I will strongly recommend against using Silent Circle for anything. Nobody serious about security should be handling potentially malicious data structures in C, especially not when the rest of the text messaging app is written in Java. That's just crazy.

Comment: Re:When groups like this attack you... (Score 0) 98

I think the Gemalto response seems reasonable, actually. The documents suggest they weren't doing anything more sophisticated than snarfing FTP or email transfers of key files, which Gemalto say they started phasing out in 2010. And the documents themselves say they weren't always successful.

NSA/GCHQ are not magic. They do the same kind of hacking ordinary criminals have been doing for years, just more of it and they spend more time on it. If Gemalto are now taking much better precautions over transfer of key material and the keys are being generated on air gapped networks, then it seems quite plausible that NSA/GCHQ didn't get in. Not saying they could NEVER have got in that way, but these guys are like anyone else, they take the path of least resistance.

Besides, it's sort of hard for them to do something about a hypothetical hack of their core systems that they can't detect and which isn't mentioned in the docs.

Comment: Would there be a detectable EM pulse? (Score 1) 203

by Beryllium Sphere(tm) (#49125421) Attached to: What Happens When Betelgeuse Explodes?

Poul Anderson pointed out in a 1967 story that a supernova could have devastating electromagnetic pulse effects.

Since then, we've found that supernova explosions are asymmetrical. There is plasma moving at very high speeds near a new neutron star's magnetic field and not in a neat way where the effects cancel out.

How far away would you have to be in order not to have all your electronics fried?

Comment: Re:Ugh. Just ugh. (Score 5, Insightful) 406

by IamTheRealMike (#49121137) Attached to: NSA Director Wants Legal Right To Snoop On Encrypted Data

It's hilarious. For a moment I wondered if the transcript is even real. This makes Eliza look sophisticated.

Q: Which of those countries should we give backdoors to?

MR: So, I’m not gonna I mean, the way you framed the question isn’t designed to elicit a response.

AS: So you do believe then, that we should build those for other countries if they pass laws?

MR: I think we can work our way through this.

AS: I’m sure the Chinese and Russians are going to have the same opinion.

MR: I said I think we can work through this.

He seems to believe, "I think we can work through this" is an acceptable answer to a simple yes/no question. The guy doesn't even have a coherent answer to one of the most basic and obvious questions he could possibly be asked. I thought Comey did a poor job of explaining his position but this takes it to a whole other level.

Comment: Re:Terrorists steal registered SIMs (Score 1) 134

by IamTheRealMike (#49119617) Attached to: Pakistanis Must Provide Fingerprints Or Give Up Cellphone

Why would people not report a SIM as stolen currently? They have every incentive to. They'd need to do so, to get their old number back anyway.

But seriously, if you're a terrorist, you're not going to be fazed by just doing some street muggings to obtain cell phones first. It doesn't matter much if the cards get de-activated a day later. Heck, just point a gun at a SIM vendor and force them to activate the cards with fake data. If the vendor doesn't have the IMSI codes for every SIM in their inventory, they can't even report them as stolen.

Comment: Re: Oomph. (Score 1) 70

by StillAnonymous (#49105887) Attached to: Intel Core M Enables Lower Cost Ultrabooks; Asus UX305 Tested

That's assuming you can even buy quality any more. Try buying a jacket or sweater where the zipper isn't a total piece of failing crap. Sure the jacket's still in great shape, but you can't do it up because the zipper broke. You can replace a zipper, but unless you go to a value store to harvest a really old jacket for the good zipper, you're just going to get another lousy one.

Comment: Re:Unfortunately, these days... (Score 1) 257

by StillAnonymous (#49105763) Attached to: Ask Slashdot: Parental Content Control For Free OSs?

Correct. In the usual dose of nanny-state irony, the knee-jerk demands for legislated zero-tolerance reactions to minor issues is far more damaging to the development of society than just leaving things alone.

The idiotic "think of the children" people are actually the ones harming the children. It's just that it happens over time, instead of immediately, so they're incapable of processing that. Just like government and companies who can't think long term anymore. It's like some kind of disease where the victim can't think anything but short-term.

Comment: Yes, a variety of ways (Score 1) 183

by IamTheRealMike (#49101113) Attached to: Ask Slashdot: How Can Technology Improve the Judicial System?

The judicial system is, at heart, a method of resolving disputes. Sometimes those are disputes between civilians (civil suits) and sometimes they are criminal cases, disputes between people and the state.

The most obvious and easy place to start is with small claims courts. Commercial arbitration handles many disputes that would otherwise end up in small claims courts, but we don't exploit this anywhere near enough. Most people just rely on their bank to act as a dispute mediator via the credit card chargeback mechanism, but this is a one-size-fits-all solution and banks are often not good at mediating disputes. There's lots of fraud and problematic outcomes.

The place where most of the better-law-through-tech research is happening right now is the Bitcoin community, because of the general focus on decentralisation, global trade and frequent desire to avoid relying on government. So we have for example BitRated which is a platform for doing dispute mediated Bitcoin transactions, where anyone can be the dispute mediator. So you can get a fluid, international market of specialised judges who are experts in very particular types of transactions, like software contracts etc where "I didn't get software of sufficient quality" is not a dispute that makes sense to handle via a chargeback. And it can all happen over the internet.

That's a very simple example. More complex examples involve specifying a contract in the form of a computer program and then effectively having the program be the "judge". I wrote about how to implement this, again with Bitcoin, several years ago. The technology is not that complicated actually. The hard part is figuring out the right user interfaces to make it easy. Presumably only very simple and precise contracts could be managed that way, so there's still open research in how to craft these digital contracts such that you can escape back to human judgement if there's an exceptional case.

When it comes to criminal rather than commercial cases, probably the best way to apply technology to reduce costs is to allow remote lawyering. That is, you should be able to outsource your legal representation to someone who isn't physically present. They may be rather good and experienced, but just lives out in rural areas or in a country where the cost of living is cheaper. The issue here is not really technical but rather just institutional inertia.

The UK is putting its judicial system under tremendous financial pressure at the moment, to the extent that some criminal cases are just being abandoned because there's insufficient money to run them. They're (finally!) starting to experiment with allowing small claims court cases to be resolved over the phone, and also looking at decriminalising TV license violations to reduce pressure on the system. But you get the idea - the judicial system innovates extremely slowly even when being sliced to the bone. So don't hold your breath.

Comment: Encryption Castle (Score 1) 192

by Sloppy (#49096631) Attached to: How NSA Spies Stole the Keys To the Encryption Castle

Cell phone SIMs are the "Encryption Castle", really? From a practical perspective, they are essentially plaintext, since everything gets fully decrypted at each hop.

Maybe I will start calling my previous car a "Dining Palace" in honor of the epic glorious time that I once ate a chili dog while driving, shifting and making a left turn (alas, this was before I had a cell phone) without getting any chili on my shirt.

If it's not in the computer, it doesn't exist.

Working...