
Cyberlock lawyers threaten security researcher over vulnerability disclosure

qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states:

The previous DMCA threats are from a company called Cyberlock. I had planned to do a fun little blog post (cause I... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what it's marketed as... But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear... the below axe grinderery is the results.

What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity?

Comment: "Monitors black hat sites??" (Score 1) 141

I was going to dissect the security service for not taking customer data seriously, but the linked articles have no mention of "Microsoft monitoring black-hat sites for employee credentials" at all. I don't know where the Slashdot article editor got that.

Advanced Threat Analytics is from Microsoft's acquisition of Aorato last November, whose main product protected against internal threats by warning of non-typical login activity:

A compromised employee's mobile device exposes the organization, through Active Directory, to identity theft and information disclosure.

Monitoring and auditing solutions (such as tracking changes) of Active Directory cannot correlate information between entity behavior and information residing in Active Directory.

Comment: Re:islamist radical? (Score 2) 297

I doubt there would have been any attack unless he was "radicalized" by the FBI. He could have not had his enlistment in the US military canceled because of a Facebook post, and could have been taken in and counseled and put through boot camp instead of being manipulated like a foreign asset for months until he committed the crime that was orchestrated for him.

Comment: Re: If I can't work on my car (Score 1) 292

I have a 1993 Taurus. It doesn't require a code reader, as it is from before the OBD port mandated in 1996, but it still has sequential electronic fuel injection and an engine management computer that can be chipped and tweaked. How to get the codes? Put a paperclip between two pins of the underhood diagnostic connector, and count the flashes on the dash to get the codes. It has engine-running tests to diagnose sensors and report weak cylinders. The number of times it has seen a mechanic other than me in the twelve years I've owned it? Zero. It also doesn't spy on me with black box data available to insurance companies and law enforcement.

Regarding the original premise that people should be able to modify their software, most flash MCUs made these days have a secure or protected mode: the firmware goes into the chip, but doesn't come back out. There is no external flash EEPROM or data bus to access or hack, and the only way you would be able to update it is to understand the entire MCU, how every one of its data ports and D/A and A/D I/O is used by the manufacturer, and the specs for those sensor lines, and then write a completely new firmware. We are talking minutiae like knowing whether individual data lines are set high or low by the internal configurable pull-up circuits.

Comment: Re:Nothing new (Score 1) 178

Wrong, it's more like AMD has abandoned video cards and chipsets less than five years old, no cares given. AMD is complete crap for drivers, and although I'm typing on an ATI card, it will be my first and last for a very long time. For example, I wanted to make a media center from a 2010 Dell desktop with DDR3, a quad-core CPU, Hybrid CrossFire using an AMD GPU + chipset, and HDMI output. And no AMD Linux support. The HD 2xxx-4xxx series were dropped from drivers very quickly; the current driver doesn't support xserver 1.13+, and therefore even Ubuntu 12.04.2 can't run the proprietary driver. We are talking: you buy a Radeon HD 4890 launched in Feb 2011, and find it will never be supported by AMD drivers on kernels or X that appeared in distros like Ubuntu 13.04, April 2013.

Comment: I don't see how this delivery model can scale... (Score 2) 110

They currently are offering this service to 25 ZIP codes - likely those directly surrounding a distribution center. However, there are several logistical factors that just seem to make this unworkable to scale:

1. If I place seven orders a day, I alone have monopolized a driver and his vehicle for an entire work shift if the distribution center is 30 minutes away from me. That's the labor cost and vehicle cost for an entire day that my orders must pay for in "shipping".

2. A 30-minute one-way trip is optimistic. I live in the 25th largest city, and it took me 80 minutes round trip just to go to a Radio Shack that had an item I needed in stock, 1/3 of the metro area away.

3. Even if there were distribution centers everywhere Walmart has a store in the US and they had a fleet the size of FedEx themselves (and FedEx only does a daily route), can they really keep the kind of items everywhere that I would order? Today, soldering iron tips, NiMH sub-C battery cells with solder tabs, replacement Cherry MX keycaps; other days Loctite blue adhesive, a 55" 4K TV, a USB floppy drive, a heat pump valve, that Spiderman comic from 1993... let alone that 80% of the items on Amazon are single-item-only things from marketplace sellers, very few of whom ship their entire inventory to Amazon for safe-keeping.

The challenges here are likely why they are thinking WAY out of the box, like delivery drones.

Ask Slashdot: Why is there no campaign against "Cloud Exclusive Hardware"?

martiniturbide writes: Today we can see a lot of hardware being sold that only works against a cloud. There are many examples, like the Belkin NetCam HD+ (wifi webcam) that only works if you run it against their service (by seedonk); if you don’t want to use their cloud, this hardware is useless. This is happening with a lot of new hardware, and it does not mean that you get the device cheap for being locked to their cloud: you are paying full price for these devices. On the internet there are just small groups trying to hack some of this hardware, but the consumer does not seem to care that if the manufacturer discontinues the service the hardware will be useless. Why are there no complaints against this kind of hardware on the internet? Is it useless to fight “cloud exclusive hardware”? Should we care about it? Or are we so used to disposable hardware that we don’t care anymore?

Comment: Re:Perception (Score 2) 420

I think that understanding photography and exposure is the key to recognizing the color in the picture. If you are familiar with photography, you can see that the background is light and almost blown out, and can use that as a reference for how the entire photo was lit when it was taken. However, if your brain doesn't process the context of the photo, and you evaluate it based on the blue background of a web site or a dark room around you, maybe you have the optical illusion that it is white. I cannot unsee it as blue because I recognize the photo's lighting.

Comment: Re:Crusty Hardware (Score 1) 189

I specified and owned an EISA system, a rare 486-50 (not double-clocked DX2), with 16MB memory, $4000 or so spent.

EISA is a very odd beast. If you recall the original ISA bus, which had jumpers you had to set on each card to non-conflicting IRQ, I/O address, and DMA values, then you will see the "brilliance" of EISA, which had a floppy disk config program for every card you bought to set the bus values. Anyone who still has the matching, required EISA setup disks for their hardware is going to be a rare find.

Comment: Re:Crusty Hardware (Score 4, Interesting) 189

This is also completely Microsoft's fault. In Vista they decided to kiss the ass of big media companies in order to play Blu-Ray content, which required encrypted end-to-end data transport, mandating the rewriting of the driver stack for everything from video and sound cards to imaging devices and audio mixing. They should have just given them the finger.

What Microsoft didn't have to do was completely discard gameport support. Microsoft blatantly removed the code to support 15-pin gameports from the OS. In Vista 32-bit, it could be partially put back by driver hacks of old DLLs, but that hack was made impossible in Win7. You could literally buy joysticks at the same CompUSA that would not work on the Vista shitboxes they were selling.
