
Comment Re:Copyright? (Score 1) 176

I'm not sure either of those applies. I'm no lawyer, but I doubt a judge or jury would agree with your interpretation of "intentionally causes damage". First of all, wear and tear is not damage. When you finish an apartment lease, the landlord cannot keep your deposit to pay for wear and tear. When you rent a car, you are not charged damages for wear and tear. When you borrow something, it would be unheard of to hold you accountable for wear and tear. Furthermore, how do you prove it? Due to the way hard drives and OSs work, I doubt the amount of damage is statistically significant. If it's not statistically significant, it doesn't exist. Finally, if AT&T is sending headers that tell the browser not to cache the data, it should not be written to the hard drive anyway.

Finally, you ignored "intentionally". Do you know how high a bar it is to prove intention rather than incompetence? It's hard, even when it's true. And in this case it just isn't. AT&T doesn't want to fuck your computer, they want to fuck your wallet.

In the wire fraud definition you cited, I don't think AT&T is fulfilling the core of the definition: "defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises". Advertising, by and large, is not considered fraud (as much as we might feel that way about most ads we see).

Comment Re:That is so cool (Score 1) 61

> It is, I don't know if you're familiar with what "rooting the device" actually means, but it's putting the su binary into /system/, that's it.

> Once su is in the proper directory, other applications can use su somecommand, this is what "root access" is on Android, nothing more.

That's one definition. Opening a root shell (regardless of the state of /system and su) is another. I've seen this called "temproot".

I'm familiar with rooting, but not with exactly what system-level permissions entails. And whether system permissions imply root-ability or not, I agree with you that it's dangerous.

But here's another question, if you know more about this than me: Once /bin/su is installed, and the user launches a "SU" app, how does the SU app prevent other apps from accessing /bin/su? Does it simply inject itself into the OS functions that let a process execute a file?

Comment Re:your HTC One M7 was rooted within two months (Score 1) 61

I was referring to the firmware it had when I bought it. *My* M7 was unrootable from within the OS. Those HTC tools don't operate within the Android OS, so that's why they get a pass in my book. This tool isn't launched from the phone, but from a computer, and it can only connect when the phone is in a hardware debugging mode (no apps, no configurability, not even a touchscreen interface).

I think I see our disagreement. If you consider playing with chips to be part of local access, then indeed local access is full access. I meant "local user" (i.e., local account). TeamViewer in theory shouldn't be able to do things the local user cannot do. The local user cannot escalate privileges (without an exploit). Hence, TeamViewer was designed in a naughty way (with Google's permission) and has access that in theory it should not have. Otherwise it could not be a gateway for a local or remote user to escalate permissions.

I would also expect vulnerabilities from TeamViewer: unwanted remote access. And unwanted remote access can do a lot of bad things, but it should not be able to circumvent Android's security model: it should not be able to sniff keys, nor capture the screen. It should not do anything a local app can't do. The fact that it can do these things is what makes this exploit notable, and that tells us that TeamViewer is not running as a normal app (subject to Android's security model).

Comment Re:bug yes, and local access is full access (Score 1) 61

I don't believe you've understood Android's security model (though I'm not an expert myself). The local user cannot do those things, and the user does not have ultimate permission. Unless there is an exploit on the device. There have been plenty of devices that were un-rootable. My HTC One M7 was un-rootable (probably still is), unless you use HTC tools to perform operations on the device when it is not booted into Android. There was literally no way for the OS's local user to gain escalated permissions. If this new exploit changes that, it's not because "remote user == local user" or because "access to the device == complete pwned". You're simplifying it. This is only possible because TeamViewer is somehow running arbitrary commands with system permissions. Prior to this exploit, a local user could not do that.

Comment Re:"infinitesimal percentage of devices". For remo (Score 2) 61

> If you install TeamViewer on Mac, people can take over your machine over the internet. That's what it's designed for. Therefore, from a security perspective TeamViewer is a very bad idea.

> It's no surprise that an application designed to give someone else full control of your machine is imperfect, and therefore can sometimes allow full access by someone who shouldn't have access.

Wee difference there. On Android, nobody is supposed to get full control of the system. If someone is using TeamViewer to control it, they should not need more permissions than the local user has. After all, it's a screen sharing app. The remote user can only do what the local user can do.

It seems like the app has additional permissions to do things that normally wouldn't be possible (screen capture is what the article mentions), but somehow these extra permissions are made available to one of the users. That must be the vulnerability.

Comment That is so cool (Score 4, Insightful) 61

> Check Point researchers found an app that is actively exploiting the vulnerability. A tool called “Recordable Activator” from UK-based Invisibility Ltd is advertised as an “EASY screen recorder” that doesn’t require root access to the device. But in fact once installed from the Google Play store, the app downloads a vulnerable version of the TeamViewer plug-in from another source... “it’s [the plug-in] considered trusted by Android, and is granted system-level permissions. From this point ‘Recordable Activator’ exploits the authentication vulnerability and connects with the plug-in to record the device screen.”

Am I the only one that thinks this is incredibly cool? It's not clear to me whether this is exactly the same thing as a root exploit, but some screen recording app developers figured out they could hijack an old version of a well-known app that can do screen recording. This is just a beautiful hack.

But I didn't think having system-level permissions was enough to root a device. And furthermore, does this hack let you do arbitrary actions, or only the actions that the plugin would do?

Comment Article is a bit old, but current data is similar (Score 3, Informative) 182

This article is from April, and their data collection was presumably from some time before that. However, if you check the following map (updated hourly), it looks like the air is still terrible, despite China making some attempts to solve this problem:

http://aqicn.org/map/china/

Comment Re:Nerdlinger (Score 1) 37

But I gather the scene is still one file, mostly? I mean, it's easy to edit assets separately, but the summary makes it sound like almost *everything* can be edited concurrently. Have they just been really clever about how to separate every tiny little piece of data, so every detail is considered an asset? (And of course, they would need a clever way to store how information is mapped to assets, so the mappings themselves are not the cause of conflicts.)

Comment Do ads pay per view, or just per click? (Score 1) 1051

Do all ads pay per click, nowadays? Because I think I've only clicked one ad in the past year, so I shouldn't feel guilty about bypassing ads.

On the other hand, if some ads still pay per page-view, then I might want to think about tweaking my ad-blocking so that I don't block ads on a domain until they do something that bothers me (ad with sound, ads that severely slow down a page, inappropriate ad, etc.).
