
Comment: Re:this is a mountain out of a mole hill. (Score 1) 328

by evilviper (#48929211) Attached to: Why Screen Lockers On X11 Cannot Be Secure

I use i3lock, which would mean attackers would have to find a way to get into /usr/bin to usurp my locker

Umm... No. Changing your PATH, setting LD_PRELOAD= or one of many other env vars, changing Xsession scripts or your WM's menu entries... Any of those would do just fine.

You also missed the entire point of the article, that an X11 screen-locker is just a normal user application like any other: a black image over the top that only just TRIES to steal focus and input.
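The substitution routes named above, as an added Python example that is not from the post or from i3lock: it plants a stand-in `i3lock` in a user-writable directory placed ahead of /usr/bin on PATH, shows that name resolution picks the stand-in, and runs a pre-lock check that flags a locker not resolving to the expected binary (assumed here to be /usr/bin/i3lock) or a loader variable such as LD_PRELOAD in the environment. The directory, the stand-in script and the LD_PRELOAD value are constructed for the example; the stand-in just exits.

```python
import os
import shutil
import stat
import tempfile

# Assumed install path of the real locker (hypothetical for this example).
EXPECTED_LOCKER = "/usr/bin/i3lock"

# Loader variables a user-level attacker can set to inject code into any
# dynamically linked program the user starts, without touching /usr/bin.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")


def resolve_locker(name, path_env):
    """Resolve `name` the way a shell or exec*p() would, for a given PATH string."""
    return shutil.which(name, path=path_env)


def locker_problems(name, path_env, environ, expected=EXPECTED_LOCKER):
    """List reasons why running `name` from this PATH/environment would not
    execute the trusted locker binary unmodified. An empty list means clean."""
    problems = []
    resolved = resolve_locker(name, path_env)
    if resolved is None:
        problems.append(f"{name} not found on PATH")
    elif os.path.realpath(resolved) != os.path.realpath(expected):
        problems.append(f"PATH resolves {name} to {resolved}, not {expected}")
    for var in LOADER_VARS:
        if environ.get(var):
            problems.append(f"{var}={environ[var]} is set; the loader will honour it")
    return problems


def demo_path_shadowing():
    """Plant a stand-in 'i3lock' in a user-writable directory placed ahead of
    /usr/bin on PATH and show that name resolution picks it up. The stand-in is
    a constructed, inert script: it only exits, standing in for a trojaned locker."""
    shadow_dir = tempfile.mkdtemp(prefix="shadow-")
    fake = os.path.join(shadow_dir, "i3lock")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\n# attacker's stand-in for the locker (inert)\nexit 0\n")
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    hostile_path = shadow_dir + os.pathsep + "/usr/bin"
    return {
        "fake": fake,
        "hostile_path": hostile_path,
        "resolved": resolve_locker("i3lock", hostile_path),
    }


if __name__ == "__main__":
    demo = demo_path_shadowing()
    print("PATH resolves i3lock to:", demo["resolved"])
    # Constructed LD_PRELOAD value, standing in for an injected library.
    for p in locker_problems("i3lock", demo["hostile_path"],
                             {"LD_PRELOAD": "/home/user/.cache/libkeylog.so"}):
        print("problem:", p)
```

The check runs with the same privileges the attacker already has in that session, so it is a sanity check that catches the lazy substitutions, not a security boundary; anything that can edit the user's PATH can also edit the script that runs this check.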

Comment: Re:Security is a process ... (Score 2) 46

There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

I agree that how a company handles incident response is important and the BlackPhone guys have apparently handled this well.

However, there are several things that are troubling about this story which lead me to not trust BlackPhone and question the security experience of the people designing it.

The first thing we notice about this exploit is that the library in question appears to be written in C, even though it's newly written code that is parsing complex data structures straight off the wire from people who might be attackers. What is this, 1976? These guys aren't programming smartcard chips without an OS, they're writing a text messaging app that runs on phones in which the OS is written in Java. Why the hell is the core of their secure messaging protocol written in C?

The second thing we notice is that the bug occurs due to a type confusion attack whilst parsing JSON. JSON?! Yup, SCIMP messages apparently contain binary signatures which are base64-encoded, wrapped in JSON, and then base64-encoded again. A more bizarre or error-prone format is difficult to imagine. They manage to combine the efficiency of double-base64-encoding binary data with the tightness and simplicity of a text-based format inspired by a scripting language which has, for example, only one kind of number (floating point). They get the joy of handling many different kinds of whitespace, escaping bugs, etc. And to repeat, they are parsing this mess of unneeded complexity... in C.

Compare this to TextSecure, an app that does the same thing as the BlackPhone SMS app. TextSecure is written by Moxie Marlinspike, a man who Knows What He Is Doing(tm). TextSecure uses protocol buffers, a very simple and efficient binary format with a schema language and compiler. There is minimal scope for type confusion. Moreover, the entire app is written in Java, so there is no possibility of memory management errors whilst trying to read messages crafted by an attacker. By doing things this way they eliminate entire categories of bugs in one fell swoop.

So yes, whilst the BlackPhone team should be commended for getting a patch out to their users, this whole incident just raises deep questions about their design decisions and development processes. The fact that such a bug could occur should have been mind-blowingly obvious from the moment they wrote their first line of code.
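A schema-checked decoder for the kind of envelope the post describes (base64 around JSON around base64), added here as an example and not code from BlackPhone, SCIMP or TextSecure; the field names, the `sig` message type and the size limit are assumptions for illustration. It shows the checks that format forces onto the receiver before a single value can be trusted: exact JSON type per field (a number, bool, null, list or object where a string is expected is rejected), exactly the expected set of fields, base64 that is alphabet-clean, padded and canonical, and a bound on the input length. It is written in Python, so a wrong-type field ends in an exception rather than in the misread memory a C parser has to guard against on its own.

```python
import base64
import binascii
import json


class MessageFormatError(ValueError):
    """Raised for anything that is not a well-formed envelope."""


# Constructed envelope layout for this example (an assumption, not SCIMP's real
# schema or field names): the outer text is base64 of a JSON object whose
# binary members are themselves base64 strings.
SCHEMA = {"type": str, "alg": str, "payload": str, "sig": str}
MAX_OUTER_LEN = 64 * 1024   # bound attacker-controlled input before decoding it


def b64_strict(text, what):
    """Decode base64 that must be a str, alphabet-clean, padded and canonical."""
    if type(text) is not str:
        raise MessageFormatError(f"{what}: expected base64 string, got {type(text).__name__}")
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise MessageFormatError(f"{what}: malformed base64") from exc
    # Re-encoding must round-trip; this rejects non-zero padding bits, which
    # would otherwise give two distinct encodings of the same bytes.
    if base64.b64encode(raw).decode("ascii") != text:
        raise MessageFormatError(f"{what}: non-canonical base64")
    return raw


def encode_envelope(alg, payload, sig):
    """Build a well-formed envelope; payload and sig are bytes."""
    inner = {
        "type": "sig",
        "alg": alg,
        "payload": base64.b64encode(payload).decode("ascii"),
        "sig": base64.b64encode(sig).decode("ascii"),
    }
    inner_json = json.dumps(inner, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(inner_json).decode("ascii")


def decode_envelope(outer):
    """Parse an envelope, checking the JSON type of every field before any
    field is interpreted. Returns {"alg": str, "payload": bytes, "sig": bytes}."""
    if type(outer) is not str or len(outer) > MAX_OUTER_LEN:
        raise MessageFormatError("outer: not a string or too long")
    inner = b64_strict(outer, "outer")
    try:
        obj = json.loads(inner.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise MessageFormatError("inner: not UTF-8 JSON") from exc
    if type(obj) is not dict:
        raise MessageFormatError(f"inner: expected object, got {type(obj).__name__}")
    if set(obj) != set(SCHEMA):
        raise MessageFormatError(f"inner: fields {sorted(obj)} do not match schema")
    for field, expected in SCHEMA.items():
        # Exact type match: rejects int/float/bool/null/list/object in a string slot.
        if type(obj[field]) is not expected:
            raise MessageFormatError(
                f"{field}: expected {expected.__name__}, got {type(obj[field]).__name__}")
    if obj["type"] != "sig":
        raise MessageFormatError(f"type: unsupported message type {obj['type']!r}")
    return {
        "alg": obj["alg"],
        "payload": b64_strict(obj["payload"], "payload"),
        "sig": b64_strict(obj["sig"], "sig"),
    }


def is_well_formed(outer):
    """True if decode_envelope accepts the message, False if it rejects it."""
    try:
        decode_envelope(outer)
        return True
    except MessageFormatError:
        return False


def tamper(outer, field, value):
    """Rewrite one inner field of a valid envelope: the attacker's side of the wire."""
    obj = json.loads(base64.b64decode(outer))
    obj[field] = value
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample message: a fake 64-byte signature over "hello".
    good = encode_envelope("ed25519", b"hello", bytes(range(64)))
    print(decode_envelope(good))
    for bad in (1.0, True, None, [], {}, "not base64!", "QR=="):
        verdict = "rejected" if not is_well_formed(tamper(good, "sig", bad)) else "ACCEPTED"
        print(f"sig={bad!r}: {verdict}")
```

The ordering matters: every type and shape check runs before `b64decode` touches a field value, so the decoder never hands a non-string to code that assumes a string. Compare the amount of checking here with a schema-compiled binary format, where the field types are fixed by the generated parser and most of these branches do not exist.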

Comment: Re: not the point (Score 2) 328

by Lumpy (#48926483) Attached to: Why Screen Lockers On X11 Cannot Be Secure

Not mine. When I get up, the prox card reader sees that I am not near the workstation and instantly locks; it will not even offer an unlock until I am within proximity again.

Really cheap to put in place, less than $10K for the whole company, and it increases security 80-fold. Problem is most IT departments are not savvy enough to do it nor convince management that it's more important than a new Jaguar for the Director of Marketing. Heck, my old Dell laptop supported it.

Comment: Re:If it's accessing your X server, it's elevated (Score 1) 328

by Lumpy (#48926399) Attached to: Why Screen Lockers On X11 Cannot Be Secure

Yeah, that doesn't work.

If it's sitting there on what looks like a normal login they will not hit CTRL-ALT-DEL; they will just type away. Hell, it's hard to get users to not open up every single attachment no matter where it comes from, or to not click on every pop-up window they get.

Comment: Re:Frickin' Lasers! (Score 1) 232

by prisoner-of-enigma (#48925075) Attached to: White House Drone Incident Exposes Key Security Gap

You can get around this by using an array of lasers, each of which is individually rather harmless, but focused together would be enough to destroy such a target. The "danger area" would be restricted to the focal point. Anything outside/beyond/inside that point would receive much less laser power and likely escape damage.

Now if your drone is using active terrain masking, that makes it more difficult to hit at range. However, such a system would probably require a human remotely controlling it, making that susceptible to jamming. I don't think automated terrain avoidance (in real time) is practical just yet for anything a non-military entity could get its hands on. And in any event, such a terrain-avoidance system would likely need its own sensors (radar/lidar) which could be detected, jammed, or both.

Comment: Re:Stronger regs ? Try a better radar (Score 1) 232

by prisoner-of-enigma (#48924983) Attached to: White House Drone Incident Exposes Key Security Gap

If you shield a drone it becomes heavier and then needs to be bigger. Also at that point the drone needs to either be self-guiding or have a communication/control system that won't be knocked out. You get the old "little more weight, little more propulsion to carry the weight" cycle going, and all of a sudden your drone isn't small anymore.

So what's your point? That a more capable drone is also bigger? So? So what? That's obvious. Do you think the added size/complexity of such a thing would be any impediment whatsoever to a determined aggressor? If you want to penetrate controlled airspace to do something nefarious, you're perforce going to want something that's difficult to detect, difficult to jam, difficult to shoot down, and has enough payload to carry whatever you need to cause the damage you're looking for.

That seems an incredibly strong statement. So strong that it looks like it doesn't have enough thought behind it.

Really? Then let's hear your alternative options. I already covered sensors and weapons, but let's recap. Radar is vulnerable to stealth, so it won't do the job alone. Lidar is too short ranged to do the job alone. Acoustic is even worse. But put together, a web of such sensors would be very difficult to overcome. If there are other sensors out there that are even remotely applicable, please enumerate them.

As for weapons, you have only three options: ballistic, missiles, or directed-energy weapons. Ballistic weapons have all kinds of downsides, from trajectory computation to wind to limited ammo, not to mention the inevitable collateral damage from misses (of which there will be MANY). Missiles have similar downsides. DEWs have (almost) none of these, the sole one being the potential for (minor) collateral damage in the case of a miss. You could even potentially mitigate this by using an array of low-power lasers, individually almost benign, but focused together to take down a drone.

Comment: Re:radar would have no problem distinguishing quad (Score 1) 232

by prisoner-of-enigma (#48924865) Attached to: White House Drone Incident Exposes Key Security Gap

This assumes you can get a good doppler signature on the rotors at all. I'm not an expert on radar/stealth construction, but I know a fair bit about it. A rotor made of radar-transparent (or absorbent) material would make it rather hard to detect, at least until it was well within range to do damage.

Comment: Re:Not need, but useful (Score 0) 258

by Lumpy (#48924161) Attached to: The iPad Is 5 Years Old This Week, But You Still Don't Need One

No, it's to avoid people looking like idiots with a tablet against their head.
Problem is, it seems that that is the trend lately, with idiots having a tablet pressed to their head. Watched a low-IQ woman driving down the road with a big-ass Fad-let stuck to her head sideswipe a pickup truck because she could not see past the stupidly large phone pasted against her head.
