Forgot your password?
typodupeerror

Comment: Re:Toaster security (Score 1) 240

by mikew03 (#47150827) Attached to: The Coming IT Nightmare of Unpatchable Systems

I don't think that's realistic. If you are a city and you want to manage your traffic lights the desire to use the existing internet infrastructure is going to be irresistable. As I said in my post I would certainly prefer these systems not be hooked up to the internet either but cities aren't going to build out a second communications infrastructure. And even if they went to that effort you know that the computer sitting in the city managers office that controls this secondary network is going to have an internet connection because the guy managing the traffic lights needs email, HR websites, etc. For example a list of lights that needs replaced has to be sent to the city maintenance department. No one is going to air-gap that.

Comment: Toaster security (Score 1) 240

by mikew03 (#47150261) Attached to: The Coming IT Nightmare of Unpatchable Systems

I think we have to face the fact that we're moving beyond an era where we can secure systems and instead need to move towards mitigating the damage.

Let's think about our unupgradeable internet enabled toaster that counts our calories and orders fresh bread when it detects we've used up what we have. If that toaster gets hacked there are a few possible results:

1) It might set your house on fire. This should be mitigated by all toasters having appropriate physical sensors that are not software controlled to prevent a fire. A simple thermal fuse would cost only a cent or two. A manufacturer who builds a toaster that can be set on fire over the internet under any circumstances should face significant liability.

2) Your toaster might be turned into a spam machine or bitcoin miner or something similar. If this renders your toaster non-functional then you will throw it out because its broken and its no longer a problem.

3) Your toaster might be more carefully owned and remain functional. This is obviously the worst case. But the way to handle this is with improved perimiter defenses Routers should be enhanced to monitor for suspicious activity. You could get a virus alert or similar that notifies you your toaster is behaving oddly.

The level of protection needed depends on the device. Something with a camera or microphone needs more thoughtful security than a toaster. (Until our toasters include facial recognition to tune the desired level of toastiness).

Another related thought. One big issue we have is embedded systems are often networked together. Traffic lights for instance. My first choice would be that such devices not be on the internet, but if they must I think we could create some isolation or sandboxing. Imaging if each embedded traffic light had a mini-router chip that had some sort of unalterable channel code. Make sure that a traffic light can only talk to other traffic lights or control hardware with the same channel code. Beyond that, I think you are going to again have to rely on perimiter defenses built into routers to detect and interdict command/control from hackers and detect abuse of the traffic lights. Networked but safety critical systems such as traffic lights should have a fallback unnetworked mode (old fashioned timing in the case of traffic lights).

The point is there isn't any one size fits all solution but if we focus on risk reduction, periphery detection and, where critical, ways to disable networked behavior we can protect our infrastructure significantly better than it is now.

Comment: Re:FIPS isn't an Algorithm (Score 2) 138

by mikew03 (#44837615) Attached to: Ask Slashdot: Can We Still Trust FIPS?

There are two issues with this.

1) Some of these algorithms depend on receiving quality random number systems from the underlying operating system. It's possible some of those random number generators have been manipulated and its going to be pretty hard to check on Windows or OSX random number generators.

2) The backdoor's do not look like (if strncmp(pass,"NSA",3) == 0) { return plaintext }. The backdoors are sophisticated mathematical weaknesses in the algorithms. A code inspection is not sufficient to detect these kids of backdoors it takes dedicated analysis by experts. Just look at some of the discussions going on right now, some algorithms are suspect and you will hear real experts going back and forth on even if a weakness exists. AES have been around since 2001, approved by NIST based on a proposal by Belgian cryptographers. Does it have a back door? Let's hope to hell not.

DES was a good algorithm in its day but it's known (sorry I can't find the citation, I think it had something to do with how the S-boxes were chosen) that very slight changes to the algorithm dramatically weakens its effectiveness. Now in DES's case that didn't happen, good values were chosen, but it would have been easy to put in a nearly invisible weakness into the algorithm.

Comment: I knew the Cray-2 (Score 5, Interesting) 231

by mikew03 (#41367485) Attached to: Apple iPad 2 As Fast As the Cray-2 Supercomputer

I was privileged to program on the Cray-2 back in the day. It was an awesome machine if you had the right kinds of problems for it to solve. My hat is off to the company who let me use the fastest computer in the world for my vi sessions :). That said it;s hardly surprising that the march of Moore's law has resulted in an iPad today beating a computer 13 or so years its senior.

Comment: The Workplace (Score 1) 515

by mikew03 (#40569763) Attached to: Ask Slashdot: Old Dogs vs. New Technology?

Some perspective, anyone much older than the poster who is working in IT since they were 22 has had to deal with a VAST array of technology changes. Most people in the business are as eager as you are to stay on top of the latest technologies but you will find as you have a family and other life commitments that you won't have quite as much time to learn *everything*.

Sure some workplaces can be bad, I agree with other posters that if you don't fit in move along and find someplace you like better. But overall, I would guess you are not assessing your situation very clearly at the moment. Give it and your coworkers a little more time, I bet they know more than you think.

PC Games (Games)

Valve Releases Updated Alien Swarm For Free With Code Base 164

Posted by Soulskill
from the game-over-man-game-over dept.
baronvoncarson tips news that today Valve released an updated version of Alien Swarm, a popular Unreal Tournament 2004 total conversion mod. The creators of the mod were hired by Valve, and they've helped turn it into a stand-alone game running on the Source engine. Valve is also releasing the code base for Alien Swarm and an SDK. The game is available for free on Steam.

In order to get a loan you must first prove you don't need it.

Working...