Forgot your password?
typodupeerror

Comment: Re:Opinion from industry insider (Score 4, Interesting) 140

by nhtshot (#47604437) Attached to: Least Secure Cars Revealed At Black Hat

I don't work with Fords, so I can't answer your question specifically. In general, the trend in cars is to have fewer controllers and devices on the bus controlling more and more things. In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

At the same time, many of those modules and the wires between them are accessible easily under the hood. I can reach under a VW, remove a plastic underbody panel and get to the powertrain (most important) canbus without opening the hood. I'd come up greasy, but I could certainly do it from under the car. With a little practice, I could probably do it in under a minute.

In the VW case though, that wouldn't do any good. I couldn't start the car or unlock the doors (door locks aren't on the powertrain can and the gateway won't pass through a door unlock message originating on powertrain). I could monitor their engine/transmission/ABS though and could turn off the car, change the gears or set/adjust the cruise control once the engine was running. I might even be able to trick the ABS into thinking the car is skidding and get it to lock up the brakes (I haven't played with ABS controllers much, so I'm not 100% certain of this one),

Comment: Re:Opinion from industry insider (Score 5, Informative) 140

by nhtshot (#47604141) Attached to: Least Secure Cars Revealed At Black Hat

"Does nobody do signing or encryption of signals to control systems"

VW/Audi does. The newest generation use 2048bit RSA signatures for everything. The previous generation used 1024, which is still pretty much unfactorable for a reasonable price.

But, they can't use encryption of any consequence or signing on the bus. It's all real time and needs to be that way. Would you want your airbag to wait to deploy until it had verified even a 512bit signature on the "oh crap we've been in an accident" message?

Same thing with ABS.

The only real place they can use that (and they DO use it here) is for starting. When you're starting a car, there is no imminent danger. In VW/Audi, they have the "immobilizer" system. It uses RSA again. The instrument cluster, ECU and each key have a coded serial number. Each devices holds a hashed/signed copy of the serial numbers of the other 2 and the VIN. If the 3 don't all agree, the car won't start.

There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

Comment: Opinion from industry insider (Score 5, Interesting) 140

by nhtshot (#47604021) Attached to: Least Secure Cars Revealed At Black Hat

I work in the automotive after market (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.

That is primarily because the german cars use what we call a "Can Gateway" but is better of though as a firewall. Every different system in the car has it's own private canbus. Anything that needs to travel between the busses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those busses.

Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).

Doing those things requires access to the can wires, but the bus is used for so much now-a-days, there's always plenty of places to access it. Many of them without requiring keys or an open hood.

Comment: Pilot - Experience being hit by a laser (Score 4, Informative) 445

by nhtshot (#46225399) Attached to: FBI: $10,000 Reward For Info On Anyone Who Points a Laser At an Aircraft

Night landings are, by their nature, more difficult and more dangerous than daytime landings. Assuming visual conditions, nearly everything is dependent upon being able to continuously see runway lights. About 10 minutes prior to landing, the standard procedure is to dim everything in the cockpit to it's lowest setting. The goal of this is to make sure the pilot's eyes are dilated as much as possible to see the runway lights and land safely.

About 5 years ago, I was landing at Chicago Dupage airport. About 1 mile from the runway threshold and about 500 ft above the ground, I was repeatedly hit by a bright red laser. Immediately after the first bright flash from the laser, I felt like I'd just walked from daylight into a dark room. I couldn't see anything. I couldn't see any instruments (Remember, they're all dimmed as low as possible) and the runway lights were suddenly very dim. After the second and third time, I couldn't see the runway lights anymore. My only choice was to add power, pull up and hope that I was still flying straight. I overflew most of the airport and remember finally getting good vision back about the time I was over the subdivision north of the airport. That subdivision is about 3 miles from where it all started. I turned over the subdivision and landed on a perpendicular runway.

I then released a torrent of profanities and considered all of the most painful ways to kill someone if I could ever find the #@(#*$@(#*$@(*##$(@* that hit me with that laser.

I'm all for higher penalties for this crap. It's probably already killed people. We don't know for sure because plane crash victims don't tend to be very talkative.

Comment: App bubble already popped.. (Score 5, Insightful) 240

by nhtshot (#43343497) Attached to: Ask Slashdot: Preparing For the 'App Bubble' To Pop?

The App bubble has already popped. The only people that make money writing apps are contractors building them for companies that insist they need an app (even though they probably don't...), employees at companies like that drawing a salary, and the 1 in a million that comes up with the ugly meter. Eventually the marketing departments will realize that "Billy Bob's horse feed insurance" doesn't need a mobile app and all of that will dry up pretty quickly.

If you want to have a long career in development, learn databases. You don't necessarily want to be a DBA since they tend to get tied to a platform and their fortunes rise and fall with it (Foxpro anyone?). But, learn how to manipulate information. There will always be someone willing to pay you to manage their data. Maybe through an application, maybe through an app, maybe through a web interface.

At the end of the day, most of the decent paying technology gigs come from managing information for someone.

I got into this business in the early 90's and was told that by a friend of my father's who had been programming since the 60's. It's the best business advice anyone has ever given me.

Comment: Re:Mandarin Chinese (Score 1) 514

by nhtshot (#42336541) Attached to: Ask Slashdot: 2nd Spoken/Written Language For Software Developer?

Until you have a decent level of proficiency, reading books in Chinese is VERY difficult. Chinese dictionaries are almost unapproachable until you have a middle school level ability. Tablets improve the situation quite a bit, if you learn how to write, but it's still not much fun.

Background:
I lived in China for two years doing engineering work. I was in a small town in the middle of no-where and almost entirely cut-off from English speakers. I studied like crazy and by the time I left could do anything I needed to in Chinese.

It was a very hard road though. Not for the feint of heart.

Comment: Lived in China for years (Score 4, Informative) 218

by nhtshot (#41454789) Attached to: Ask Slashdot: Ideas and Tools To Get Around the Great Firewall?

I used overplay.net's commercial OpenVPN. There's several competing services specifically tailored to bypassing the great firewall. Overplay in particular has a huge list of servers in different countries. Occasionally one would get blocked, but one of the others would always work.

Best $10/month I spent while I was there.

Regarding the locals laws, etc.. it's a definite gray area. The laws don't say you're not allowed to post or view certain things. The laws just say that the government is allowed to "normalize" (filter/censor).

I used a VPN for years and registered for my internet account using my passport. They knew who I was and could obviously see the VPN traffic. I never heard a word from anybody about it.

Facebook

+ - Wall Street Investors Considering Removal of Zuckerberg as Facebook CEO->

Submitted by TrueSatan
TrueSatan (1709878) writes ""There is a growing sense that Mark Zuckerberg, talented though he may be, is in over his hoodie as CEO of a multibillion-dollar public company," said Sam Hamadeh, head of research firm PrivCo. "While in many cases a company founder can, and does, grow into the job, things are happening so quickly that there is precious little time here for Zuckerberg to do that."

  Zuckerberg would remain as the creative force propelling Facebook's technological innovation. But the 28-year-old would cede the CEO title to someone better suited to overseeing operations and building rapport with finicky investors — mundane but essential duties for which Zuckerberg has shown little appetite or aptitude."

Link to Original Source

Comment: Re:Teaching = best salary (Score 1) 402

by nhtshot (#40147673) Attached to: Ask Slashdot: Find a Job In China For Non-native Speaker?

This guy nailed it. I was in the tech business over there, but only because I came over with an existing business.

Going over there and trying to start from scratch? Forget it. If you do manage to find something, you'll do well to make 8k rmb/month. But, you'll probably never find anything.

Best bet is to teach english. You'll be hard pressed to get work doing much else unless you've already got connections.

Comment: Re:Start Studying - I did it (Score 4, Informative) 402

by nhtshot (#40147641) Attached to: Ask Slashdot: Find a Job In China For Non-native Speaker?

I moved to China two years ago with no background in the language at all.

Total, 100% immersion + whatever training material I could get my hands on.

Now, I'm pretty fluent. But, 3 months in? Forget it. I couldn't even talk to a taxi driver with any consistency. Forget ordering food from a normal menu. Picture menu or nothing.

Comment: Re:Thoughts from someone who lives in China (Score 1) 334

by nhtshot (#39029651) Attached to: Apple-Approved Fair Labor Inspections Begin At Foxconn

Of course they did.. they were embarrassed by western news reporting it first and had to. Plus, Foxconn isn't a mainland company and they ALWAYS like a chance to bash on the Taiwanese.

They would NEVER tell you about the real suicide rate in mainland china. Or any other thing negative about Chinese society.

OS/2 must die!

Working...