Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Comment Re:One time pad (Score 1) 108 108

What you've described has been known for centuries as a "book cipher". Benedict Arnold used one during the American Revolutionary War to protect his treasonous communication with England.

Anyway, there's a really fun way to beat this kind of encryption today. If Mallory can get Alice or Bob to send a copy of BLACK_SQUARE.BMP, it's literally game over. Imagine XORing your key against a bunch of binary zeros. The result is a big patch of the cleartext version of the data that is your key. Google will find that faster than you can.

I did this to a friend who had the same idea in a "you'll never guess my encryption" challenge. After getting him to download a copy of BLACK.GIF, I stared at the intercepted results for many seconds longer than I should have. It output a repeating string of something like SLASHDOTTODHSALS, so I said that's your key. He was arguing because his key was SLASHDOT, and his "algorithm" was to invert the letters of the key word and append a copy to the end of the key. My mind boggled because I was expecting encryption, not immediate success at recovering his key and data.

Now, let's say you're smart enough to avoid encrypting BLACK_SQUARE.BMP. I can still achieve most of the same results by predicting that your data stream will contain "Host:", "Content-Type:", "Accept: text/plain", "User-Agent:", "HTML", "BODY", and other such 'cribs' (I was all set up to apply this logic to the intercepted message from my friend mentioned above.) By matching fragments of my guesses with your message, I can look to see if I recover legible text. It only takes a surprisingly small amount of recovered text to be able to identify the source.

Comment Re:Different approach (Score 1) 76 76

There is this piece of Cat 5 that isn't remotely hackable. Unless it's tapped, or if someone puts an inductor on it, or if they use TDR to estimate the length of the wire to figure out the distance between routers and discover where the Intrusion and Detection Systems are located.

Comment Re: Silly but (Score 1) 471 471

Dress codes make a slight amount of sense when the company has a requirement that many employees must wear uniforms. It's not fair to say, "you people who stand in front of customers all day must wear a blue shirt, green tie, and khaki pants" but then say, "you people are in the main office, so you're exempt from dressing like a dork." Some of the line workers resent it. Management can then decide if they want to settle the matter by subjecting everyone to a dress code.

Of course HP doesn't require line workers to wear uniforms, so that's not the case here. This is just another stupid and capricious management decision by a company that's become famous over the last decade for having the most incompetent management of any (formerly) major corporation. HP's executives have been so bad it's easy to imagine an evil Michael Dell offered HP's board of directors one hundred million dollars -each- to sabotage HP into oblivion. (Hey, it makes a lot more sense than any other reason for imposing a dress code on engineers.)

Comment Re:Approach security the wrong way? No shit! (Score 1) 157 157

Good point. First, IANAAEE (I am not an automotive electrical engineer) so much of this is speculation, but not all of it. I do think small, hardware firewalls ("data diodes") could help prevent a lot of these problems. I also agree with you in that I don't think the direct access is necessary, but I think it might loop around in such a way that the holes end up being present anyway.

Consider: the crash message from the airbag sensors, which is on the high speed engine control bus (ECB) goes to the door locks. The door locks are on the low speed bus (security network), but bridge both networks. A data diode could stop messages from the door locks from flowing back to the high speed ECB. The door locks, ignition key, and immobilizer are all on the security network. The ignition key talks to the immobilizer. Finally, the immobilizer talks to the ECU, which is on the high speed ECB.

The security network is supposed to be isolated from the cabin comfort network (where the infotainment system, navigation system, and cell phone stuff are.) But the crash signal has to travel to the cell modem somehow, so another component has to allow messages from the ECB to the cabin bus. Plus, some of these cars have "remote start via cell phone", so something still has to enable messages from the cell modem to travel to the immobilizer. How do they get to the security network? (Bigger question: do the Chryslers even have a security network, or do all low speed messages share a common bus?)

If everything were perfect, the immobilizer would be the only potential spot for the bridge; and because the immobilizer's entire job is to prevent the engine from starting unless all the security is perfectly aligned, it seems like the natural place where the engineers would focus their security attention to isolate the low speed bus from the ECB. But obviously not everything's perfect.

It seems like they should have a set of dedicated data protection devices that would be similar in concept to a traffic signal's conflict monitor, somehow hard-wired with a rule that allows only whitelisted messages from the modem to go to the immobilizer.

Comment Re:Where's the hardwired switch? (Score 1) 157 157

Want a more adventuresome automotive experience? Go to India. During the three weeks I was there, our driver's car was struck more times by more vehicles and pedestrians than I've seen in my 35 years of driving in the US.

The drivers are worse than you can imagine. "Keep left" is more of a guideline than an actually obeyed rule; "keep center" seems to be the observed behavior. The few traffic police I saw were standing in small gazebo-like boxes in intersections - they were not driving interceptors or squad cars. Peddlers and beggars wander among cars slowed down on the roads, selling umbrellas and toys, and asking for handouts. Fuel tankers have signs lettered across the back: "KEEP BACK 25 FEET", but nobody pays attention. Lane markers are apparently nothing more than wasted white paint decorating the road. On the road in front of you you may encounter a farmer with a pony cart, bicycles, pedestrians, elephants carrying loads, and yes, the occasional unattended cow.

And the honking! Seriously, India, WTF is up with the continual honking? You can drive a full week in many cities in the USA without hearing a single car horn.

We saw all this on every single trip, including a 2AM drive from the airport.

An inattentive driver would cause an accident within a split second; this may be why minor accidents and collisions are so common.

Comment Re:Approach security the wrong way? No shit! (Score 1) 157 157

Consider the safety network, which has data from the crash sensors, rollover sensors, seatbelt sensors, and seat occupancy sensors, and mixes all of that data together in a set of rules that instantly trigger the correct airbags and seatbelt pre-tensioners. It also needs to connect to the infotainment system to take over the car's data or phone connection to send a message to emergency services. In turn it may also get data from the navigation system to report location information. It may trigger an unlock of the car doors to assist bystanders in rescuing the occupants, and it may shut off the engine to prevent further injury. It may talk to the signalling systems to turn on the 4-way flashers to help first responders find the car. The car door lock system is part of the security bus, which talks to the engine immobilizer, responsible for talking to the ECU to start and run the car. All of those data feeds that seem like they could be isolated have real operational needs to come together in multiple devices.

The rules in a car are exponentially more complex than ever before, and they're increasingly vital for safety; not just comfort or entertainment. Consider how many lives have been saved because their airbags deployed, and the emergency responders were able to dispatch an ambulance in time to save a crash victim from dying. Now consider how many people have died from crashes directly induced by CANBUS hacking.

The safety systems of today are doing their jobs better than ever, which is the topmost goal of the engineers. Also consider the safety systems need to guarantee reliable operation to work for the first time ever in an actual crash. If they can layer on system security without compromising occupant safety, they will, but not at the expense of crash survivability.

Comment Re:It is the oppressive governments that are uneth (Score 2) 70 70

So how is Hacking Team different than a company that sells grenades to Syria? Are all companies that make grenades unethical, because there is no non-violent application for hand grenades? What if they're used for defense purposes?

What about a dual-use item, such as selling cattle prods? Are all companies that make cattle prods unethical? If cattle prods are used for an off-label application (torture of humans), is it ethical to sell them to someone you suspect might be using them for torture, even if they don't explicitly say "we want to buy 10 cattle prods for our Glorious Leader's Torture Squad"?

Conversely, Hacking Team might be selling the 0days to legitimate law enforcement agencies, who may be using them to prevent kidnappings and murders. Is that ethical or unethical? Can you absolutely tell based on the customer's return address being London vs. Pyongyang?

Comment Re:I'm an idiot (Score 1) 70 70

Hacking Team is the company that sells 0-day exploits to repressive governments so they can spy upon their citizens. Regimes like Syria, North Korea, etc. Presumably, they've used the Hacking Team exploits to spy on political or religious dissidents and arrest/silence them.

They are NOT the hackers that broke into the cheating site.

Comment Re:I hate it already! (Score 1) 118 118

As I pointed out in that same paragraph, Android has actual user interface controls, including a labeled home button, a menu button, and a back button. I can at least clumsily navigate with them, even if I don't know their magic gestures. Does that solve your dilemma of it being impossible to implement a useful UI on a phone sized device?

Anyway, thank you for frothing up into a true iFanboi rage at my comment. No criticism of Apple is complete without receiving the expected how-dare-you-diss-my-iPhone response. Especially welcome were the swearing and the ad hominem attacks. Classy.

Comment Re:I hate it already! (Score 1) 118 118

It's rumored that a big part of the reason Apple has stuck with one-button mice is that, if you're not relying on context menus, multiple buttons are largely unnecessary for normal productivity uses, and not having multiple buttons deters developers from putting important functions in context menus.

I don't get it. Context is everything - when you're watching TV, you expect the controls in your hand to be able to control TV functions. When you're using a map, you expect the controls in your hand to set destinations, points of interest, identify features etc. Once you're there, you sometimes need to indicate one of several things, select multiple things, etc. A discrete button that says "press me and something will happen" is useful as a hint how to do the thing. A hidden magical swipe of the fingertips does not provide any usable way to accomplish the task. iOS gestures are among the worst design choices Apple has ever made: tap, tap and hold, swipe up, swipe down, swipe right, swipe left, slide two fingers, pinch with two fingers, expand with two fingers, grab with four fingers, tilt the whole phone to the left or right - WHAT THE HELL, APPLE? How do I even know all these options exist without external training or external clues? There is absolutely no way to guess at a gesture. But put a physical button there, and now I know there are things it will do, so I know I can press it to do something. Add two buttons and now I know there are at least two things I can do.

I've been using iOS for many years, and it just keeps getting worse. When I pick up an Android phone, I feel that at least I can find ways to accomplish the basics, even though most apps are inconsistent and have screwball interfaces. And this proves there is a disciplined middle approach that allows for a better UI, but Apple refuses to go there even though they own the entire platform. They'd rather have cutesy flicks and swishes, so that only those "on the inside" know the magic gestures, and can feel superior to the unwashed masses who don't have iPhones. [Sorry, it's an I-hate-Apple-for-this-shit topic with me.]

The gent who wakes up and finds himself a success hasn't been asleep.