
Comment: Re: Krebs (Score 1) 89

I like Krebs, so DO NOT put him in a position where he has to think about protecting your identity. For the love of all that is holy, boot Tails on a junker laptop at a cafe you never go to and use a throw-away mail account or pastebin it and leave a comment.

Or just walk away. You have no duty to put your life on the line here - everybody who supports the system that will throw you to the lions for being a good guy will suffer for it in kind. You're not obligated to be their saviour. Sucks, but play the shitty hand you're dealt - don't bet all your money wishing you didn't just have a pair of threes.

Comment: Re:Bad move (Score 4, Insightful) 156

by hey! (#49161319) Attached to: Google Wants To Rank Websites Based On Facts Not Links

It is seldom the veracity of facts that the debate is over; it is their significance. But that happens to be where this idea falls short, because misinterpretation of facts is where the most potent misinformation comes from.

Case in point, "vaccine injury" -- which is a real thing, albeit very rare. Anti-vaccine activists point to the growing volume of awards made by the US "Vaccine Court" (more accurately called "The Office of Special Masters of the U.S. Court of Federal Claims") as proof that vaccine injuries are on the rise.

It is a verifiable fact that the volume of awards has grown since the early years of the program. That is absolutely and unquestionably true. However, that this is proof of vaccine injuries is a gross misinterpretation, because the "Vaccine Court" program is no-fault. You don't actually have to show the defendant *caused* an "injury", you only have to (a) show the child got sick after being vaccinated and (b) find a doctor to sign off on a medical theory by which the child's illness *might* have been caused by the vaccination.

Since you don't have to actually prove injury in "Vaccine Court", the rise in cases and awards doesn't show vaccine injuries are on the rise. All that is necessary is that more people think that their child's illness was caused by vaccinations, and the low burden of proof will automatically ensure more awards.

And so there you have it. A perfectly factual claim can be cited in a way that leads people to preposterous conclusions.

Comment: Re:Thrilling (Score 1) 18

by hey! (#49160063) Attached to: Spacewalking Astronauts Finish Extensive, Tricky Cable Job

Yeah, cause Mars Exploration Rover, GRAIL, Dawn, New Frontiers, Solar Dynamics Observatory, the Spitzer and Kepler telescopes, all those things are boring science. Only nerds find things like discovering Earthlike exoplanets or determining the origin of the Moon thrilling. They should get their own news site so the rest of us don't have to listen to stuff that only matters to them.

Comment: Re:Hashes not useful (Score 1) 266

by hey! (#49159733) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Again not necessarily. For example the web page and the download server might not be the same, in which case it is not true that being able to modify the download necessarily means you can also modify the webpage checksum.

Another example is when people download and stage a large file on their local network, which is very common practice. If the server on their local network is compromised, in a sense the file is modified "in transit", but the malware needn't be anything special or exotic. I'd go so far as to say if you stage anything on your own servers you ought to check its hash religiously before using it.

Yet another example of "not necessarily" is monitoring. It wouldn't be hard to automatically monitor the download page for unauthorized modifications. Of course you should monitor the downloads themselves for modifications, but that takes more time. You can monitor the hashes on the download page continuously from another computer, automatically shutting the page down if anything changes. That wouldn't protect your download page from unauthorized modification but it would contain the consequences and it's very easy to do.

This is what I mean by it's the stuff that goes *around* a security measure that makes it work. A hash doesn't do anything unless people check the hash. That includes people who are hosting the file. I often think of this as a kind of diminishing returns exercise; since people often have spent *no* effort on preparing to respond to being hacked, often the best marginal expenditure is in that direction.

Comment: Re:The law makes no allowances for irony. (Score 2) 86

by hey! (#49159617) Attached to: Craig Brittain (Revenge Porn King) Sues For Use of Image

It's well established that a person may become an "involuntary public figure" -- someone who does not intentionally thrust himself into the public sphere, but whose actions (or inactions) a reasonable person would expect to draw public scrutiny.

So the question is whether becoming a "revenge-porn" impresario is something a reasonable person would expect to draw public scrutiny. You be the judge.

Comment: Re:The law makes no allowances for irony. (Score 2) 86

by hey! (#49159313) Attached to: Craig Brittain (Revenge Porn King) Sues For Use of Image

Copyright is not necessarily the only law which applies here. It is possible, for example, to have copyright on works you have no right to distribute. If I write a libelous story about you, I *own* that story, but I can't publish it because it is libelous -- unless I alter the story so you aren't obviously recognizable.

IANAL, but I suspect that what matters here is the subject's "expectation of privacy". Even if you got her permission to take her photo with the understanding it's for your *personal* use, she probably has a reasonable expectation that you won't post it on a public website. In that case after a breakup you would retain copyright and the right to use the image for your personal use (although really how pathetic is that?), but you don't suddenly gain the right to share it with the world if that's not the terms under which she agreed to let you take her picture.

Comment: Re:Pretty pointless (Score 2) 266

by bill_mcgonigle (#49158741) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

I'm still waiting for the first CEO to go to jail for refusing this.

Dude, you're fourteen years behind the news. The technique is not to get you on the "refusing NSA" charge, but any of the other countless criminal acts you commit every day. This is the primary purpose of a hyper-criminalized environment - so that everybody can be easily bent to the whim of the power structure. See also: charge stacking and the de-facto abolishment of the Sixth Amendment through the plea-bargain process (or, if you're a corporation, the no-plea deal for really efficient fascism).

Comment: Re:Hashes not useful (Score 3, Informative) 266

by bill_mcgonigle (#49158717) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Seagate is correct. Putting a hash on the website doesn't improve security at all because anyone who can change the download can also change the web page containing the hash. ... A company like Seagate doesn't rely on volunteers at universities to distribute their binaries so the technique is pointless.

There are many possible attacks. A hash on a website is not invulnerable to a rogue employee at Seagate (or one "just following orders").

A hash protects against a rogue insertion at the endpoint. Like if your PC is compromised by an attacker and then you pull the hard drive and (assuming there's a way to get a hash from SMART/ATAPI) you can compare the hash of the firmware that the drive is running to the list of published firmwares at the vendor's site. If the attackers are only modifying a small subset of drives, this works fine - they can't also intercept the check to the vendor's site - not unless they've broken TLS and/or have malware on every possible machine.

A tool to verify the firmware is poetically impossible to write. What code on the drive would provide the firmware in response to a tool query? Oh right ..... the firmware itself.

Well, today you can pull the image from JTAG, or so the experts have said (you can verify the firmware directly from memory with a hash if you have moderate funding). There's all sorts of talk about how ATAPI is write-only for firmware because the vendors don't want their competition to get their code and decompile it. This appears to be nonsense, as any other drive vendor already has the debug tools to pull such things from memory, and extracting it from an update isn't that hard - if a 16K DOS update utility can extract it, so can a multi-billion dollar R&D company.

To make it work you need an unflashable boot loader that acts as a root of trust and was designed to do this from the start. But such a thing is basically pointless unless you're trying to detect firmware reflashing malware and that's something that only cropped up as a threat very recently. So I doubt any hard disk has it.

They most certainly do not. So, here we are at today and need a way forward. There are a few ways forward, a fistful of crypto protocols to choose from to ensure future usefulness of hard drives for security applications, and INCITS/SATA-IO ought to be having emergency meetings _right now_ because this (NSA/GCHQ) is a major threat to the industry. The vendors may need to move operations outside of five-eyes to remain commercially viable.
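As an added example (not code written by hey!, bill_mcgonigle or any vendor mentioned here), the two defensive checks described in this thread in Python: hashing a file that was staged on a local server and comparing it against the vendor's published list, and a watchdog that keeps a baseline of the published hashes and flags any change so the page can be taken down. The page format (`SHA256 (name) = hex` lines), the file name and the firmware bytes are constructed assumptions for the example, not any vendor's real format or data.

```python
"""Added example: verify a staged file against published hashes, and watch
the published-hash page for changes. The page format, file name and
firmware bytes below are constructed for this example (hypothetical)."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed page format: one "SHA256 (filename) = <64 hex chars>" line per file.
_HASH_LINE = re.compile(r"SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})")


def parse_published_hashes(page_text: str) -> dict:
    """Return {filename: sha256-hex} parsed from the vendor's hash page."""
    return {m.group("name"): m.group("hex").lower()
            for m in _HASH_LINE.finditer(page_text)}


def sha256_of_file(path) -> str:
    """Stream the file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_staged_file(path, published: dict) -> bool:
    """True only if the file is listed on the page AND its hash matches.
    An unlisted file is treated as a failure, not as 'nothing to check'."""
    expected = published.get(Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


def page_changes(baseline: dict, current: dict) -> dict:
    """Diff a saved baseline of published hashes against a fresh fetch.
    Returns {filename: 'added'|'removed'|'changed'}; empty means unchanged."""
    changes = {}
    for name in baseline.keys() | current.keys():
        old, new = baseline.get(name), current.get(name)
        if old != new:
            changes[name] = ("removed" if new is None
                             else "added" if old is None else "changed")
    return changes


def watchdog_should_disable_page(baseline: dict, fetched_page_text: str) -> bool:
    """The 'shut the page down if anything changes' rule from the thread:
    any difference from the baseline, including a new entry, trips it."""
    return bool(page_changes(baseline, parse_published_hashes(fetched_page_text)))


def demo() -> dict:
    """Constructed scenario: a firmware image, the matching vendor page,
    a staged copy that gets modified, and a later tampered page."""
    image = b"constructed firmware v1.0 image\n"
    good_hex = hashlib.sha256(image).hexdigest()
    page = ("Firmware downloads (constructed sample page)\n"
            f"SHA256 (fw-1.0.bin) = {good_hex}\n")
    published = parse_published_hashes(page)  # the operator's saved baseline

    with tempfile.TemporaryDirectory() as d:
        staged = Path(d) / "fw-1.0.bin"
        staged.write_bytes(image)
        intact = verify_staged_file(staged, published)
        staged.write_bytes(image + b"\x00")  # simulate modification on the staging server
        tampered = verify_staged_file(staged, published)

    altered_page = page.replace(good_hex, "0" * 64)  # page now lists a different hash
    return {
        "intact_ok": intact,
        "tampered_ok": tampered,
        "page_changed": watchdog_should_disable_page(published, altered_page),
        "page_unchanged": watchdog_should_disable_page(published, page),
    }


if __name__ == "__main__":
    print(demo())
```

The watchdog deliberately runs from a second machine with its own saved baseline, as the comment suggests: the comparison then does not depend on anything stored on the web server that an intruder could edit alongside the page.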

Comment: The law makes no allowances for irony. (Score 2) 86

by hey! (#49158485) Attached to: Craig Brittain (Revenge Porn King) Sues For Use of Image

Nor should it.

So this guy has *exactly* the same privacy rights as any other public figure has, neither more nor less. These rights are fewer than those enjoyed by non-public figures, but they are not zero. He can't stop people from using his image and name, any more than Kim Kardashian can. While in a sense she owns her public persona, she doesn't own every image of her that is taken in public. In other words people can't use her image to sell things as if she endorsed them, but they can use and even sell the image itself.

If this guy owns the copyright to an image, he can reasonably file a DMCA takedown. If the image is taken in a situation in which a public figure would have a reasonable expectation of privacy (e.g. inside his house), then he can take other legal steps, even though allowing that to happen would be poetic justice. The law doesn't deal in poetic justice, and judges aren't allowed to stop enforcing the law just because it would be cool.

Comment: Re:We need hardware write-protect for firmware (Score 2) 266

by hey! (#49158449) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

That's a bit like saying that having a portcullis in the castle gate doesn't help you if the enemy is already inside the walls, which is unquestionably true, but misses the point that having the portcullis makes it harder (although not impossible) for the enemy to do that.

I agree that a more secure way to update firmware is needed, but we have to be realistic in that this would also tend to create new targets for malware writers (e.g. stealing signing keys).

I suspect what we really need is stuff that will occur *outside the box*, such as better vendor of firmware downloads and some kind of police agency tasked with discovering and investigating dodgy firmware. But of course the objection remains -- such an agency itself would be a potential source of problems.
