
Comment: True. But "how dare you do that to me!" (Score 1) 216

That's true. On the other hand, normal people are merely annoyed by this. We're also annoyed by the TSA; Senators are accustomed to walking right through. Security is there to protect them, the VIP. The ranking Senator from wherever is likely to be the type of personality that can't believe someone did it to THEM. "How dare you! Don't you know who I am!" I wouldn't be surprised if a senator or two did something stupid when so greatly offended.

Comment: Re:This might be the one thing that gets Congress (Score 1) 216

> This is also why the only way we get any changes in gun legislation is if someone shoots one of their kids.
That, and the fact that the numbers show EVERY instance of reactive gun legislation since 1940 has always been counter-productive. It works much better for the politicians to retain it as a campaign issue rather than ending up like the UK, with TWICE as much violent crime after they actually banned guns.

Comment: should be exponential, but it's not (Score 1) 183

by raymorris (#47577785) Attached to: "BadUSB" Exploit Makes Devices Turn "Evil"

After the fifth try it locks it for 30 seconds. That's why it takes a day to try 10,000 four-digit pins. What it SHOULD do is delay for 30 seconds after the 5th try, 60 seconds after five more, 120 seconds after five more, 240 seconds ...

However, it looks like both companies had general purpose programmers design their security locks, rather than having security professionals do that. Which is a lot like having a handyman design your physical locks, without involving a locksmith. A handyman sometimes* competently INSTALLS a lock, but it should be security professionals designing them.

* very often a handyman or carpenter installs a lock upside down, resulting in early failure of the lock and making it less user-friendly.
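
The fixed 30-second lockout and the doubling schedule from the comment above, compared side by side. This is an added example, not part of the original comment; the function names and the one-day cap on a single lockout are assumptions, and typing time is ignored.

```python
"""Compare a fixed PIN lockout with a doubling one (constructed example)."""

ATTEMPTS_PER_BLOCK = 5     # wrong guesses allowed before a lockout (from the comment)
BASE_DELAY_S = 30          # length of the first lockout in seconds (from the comment)
MAX_DELAY_S = 24 * 3600    # assumption: cap a single lockout at one day


def fixed_delay(lockouts_so_far: int) -> int:
    """Observed behaviour: every lockout lasts 30 seconds."""
    return BASE_DELAY_S


def doubling_delay(lockouts_so_far: int) -> int:
    """Proposed behaviour: 30, 60, 120, 240 ... seconds, capped at MAX_DELAY_S."""
    return min(BASE_DELAY_S * 2 ** min(lockouts_so_far, 40), MAX_DELAY_S)


def worst_case_seconds(pin_space: int, delay_fn) -> int:
    """Enforced waiting time if every PIN in the space has to be entered."""
    total = 0
    lockouts = 0
    for attempt in range(1, pin_space + 1):
        # A lockout follows every 5th wrong guess; none is needed after the last PIN.
        if attempt % ATTEMPTS_PER_BLOCK == 0 and attempt < pin_space:
            total += delay_fn(lockouts)
            lockouts += 1
    return total


def guesses_within(budget_s: int, delay_fn, pin_space: int = 10_000) -> int:
    """Number of guesses that fit into budget_s seconds of enforced waiting."""
    waited = lockouts = guesses = 0
    while guesses < pin_space:
        guesses += min(ATTEMPTS_PER_BLOCK, pin_space - guesses)
        delay = delay_fn(lockouts)
        if waited + delay > budget_s:
            break              # the next lockout outlasts the budget
        waited += delay
        lockouts += 1
    return guesses


if __name__ == "__main__":
    for name, fn in (("fixed", fixed_delay), ("doubling", doubling_delay)):
        hours = worst_case_seconds(10_000, fn) / 3600
        print(f"{name:9s} full 4-digit space: {hours:12.1f} h, "
              f"guesses in 24 h: {guesses_within(86_400, fn)}")
```

With the fixed delay the whole four-digit space fits into under 17 hours of lockouts; with doubling, only 60 guesses fit into the same day.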

Comment: Did it on Linux last night. Without warning ... (Score 1) 183

by raymorris (#47575895) Attached to: "BadUSB" Exploit Makes Devices Turn "Evil"

Last night I programmed a chip to act as a USB keyboard and automatically "press" keys. The system did as you described, identifying it as a keyboard, and creating a node in /dev. Something like /dev/keyboard1. It then proceeded to accept the keyboard events exactly as though I'd typed them, without any confirmation by the user. Confirmation by the user would be problematic in the case of a broken keyboard or mouse - the system can't let you use the new keyboard to confirm itself.

I'm using it to brute force a PIN. Some iPhones and Android devices will now accept an external keyboard. With a 4-digit PIN, it should be guessed by the end of the day.

Comment: ftdi, Atmel are VERY common in devices. I did it. (Score 2) 183

by raymorris (#47575603) Attached to: "BadUSB" Exploit Makes Devices Turn "Evil"

I bet at least 20% of the USB devices use the same FTDI chip for USB functionality, and another 20% use Atmel AVR microcontrollers. If your malware patched or replaced the Atmel firmware, you could own a lot of systems.

It wouldn't even NEED to continue to work like the original device, so you could just replace the firmware with the Atmel firmware I wrote last night. The user plugs in their webcam or tries to turn it on. The webcam doesn't work anymore. The bad guy doesn't care, at that point he has already owned the machine, just a few seconds after the device was plugged in.

Comment: different from my experience. Cult, speciality (Score 2) 45

by raymorris (#47572107) Attached to: Google, Linaro Develop Custom Android Edition For Project Ara

First, let me say I think this will have a cult following like the hackable versions of the WRT54, I don't think MOST people want it. That said, I've never experienced this:

> it's pretty beat up. Screen is scratched and dimming, the case is scuffed and creaky, buttons don't quite work, connectors are getting glitchy, the battery is dying and both CPU and memory are getting old.

I've experienced each one of those, but I don't think more than one ever.
My last phone, I bricked the internal storage when it was only a few months old and it wouldn't boot. Its replacement had very similar specs. Had I purchased a camera module, or IR module, etc. I would definitely have reused them. The device before that, the power button broke. The device was still up-to-date enough, it just couldn't be turned on and off. In both instances, the screen and other parts were fine. I don't think I've scratched up a screen since the days of WAP feature phones with plastic screens. Glass is hard to scratch up.

Of course your experience may be different. That's the point, actually, different strokes for different folks

The other category of use-case other than the hacker/maker types may be preconfigured specialized versions from value added resellers. You may have seen firefighters trying out Google Glass. A firefighter phone would have a water resistant case, an IR camera, which is just a regular camera with the IR filter removed, a very loud speaker, a close-proximity findme feature, etc. It could even have a software defined radio module to use as a radio.

Next door to the fire training field is the search and rescue training center, and nearby the paramedic training. Search and rescue professionals might like some of the features of the firefighter phone and buy one configured with search and rescue modules like an upgraded GPS, compass, and a larger antenna for extended range.

Ps - I with the fire instructors and I'm a step ahead on that particular market. There are many other markets, though - extreme sports fanatics, outdoorsmen, MUSIC phones with great speakers ....

Comment: That's funny! MLK was a leader. Jackson a whiner & (Score 3, Interesting) 491

by raymorris (#47569403) Attached to: Jesse Jackson: Tech Diversity Is Next Civil Rights Step

>. I pray, when they die, the ghost of MLK spends eternity bitch-slapping the both of them day in and day out.

That put a smile on my face. MLK was a leader, one of the best. Jackson is not a leader, he's a whiner. Also a liar. Was it Jesse or Sharpton who was about 8 years old when he started calling himself "Reverend"? Either way, they're the same - professional whiners. Where exactly is your church, reverend? I'll try to avoid having my daughter exposed to either of them, lying and telling her she can't do anything because of her complexion.

Comment: You seem to think I like Verizon (Score 1) 271

by raymorris (#47567985) Attached to: Verizon Now Throttling Top 'Unlimited' Subscribers On 4G LTE

Basically, your post boils down to "Verizon is bad" and "taxpayer subsidies to Verizon are bad".
I agree on both points. I didn't say Verizon is good. I said Verizon isn't scared of losing customers who use their cell phone as a hotspot to provide their home internet service and use 150 GB / month or more.

I wouldn't use Verizon or any other contract carrier. Years ago I switched to an off-brand carrier with no contract. The no-contract carrier charged half as much as Verizon or Sprint, while using Sprint towers. So, fuck Verizon and Sprint. I pay $35 / for "unlimited" with LTE, which is a lot less than Sprint charged.

Here's the weird thing - a few years ago, Sprint bought the no-contract carrier that was competing with them, Boost Mobile. Now, it's actually the same company, Sprint, providing the service for $35 under their Boost brand. When I left Sprint years ago, Sprint charged about $70 for a plan with a few hundred MB. Now, the same company sells me unlimited for half the price. That's what we call a price cut of over 50% that was caused by Boost competing with them. There's not enough competition in the industry, obviously. When there is competition, it cuts my bill in half.

Comment: you CAN choose your roommate at normal times (Score 1) 54

by raymorris (#47564453) Attached to: Airbnb Partners With Cities For Disaster Preparedness

> There's a reason we don't allow housing discrimination and I don't see why we'd want to suspend those rules in an emergency;

Actually you CAN choose who you want to live with. If GP feels comfortable living with an older man, that's his choice. Fair housing laws apply when you rent out an otherwise empty structure - when they are just getting a house from you, not living WITH you.

Comment: Java sandboxing helped in this case (Score 1) 127

by raymorris (#47562993) Attached to: Old Apache Code At Root of Android FakeID Mess

Essentially, what Java sandboxing is designed to do is to completely separate different apps, so for example your text messaging app doesn't have access to your browser's password storage. On a regular OS, traditional applications have access to all of your files and all of your hardware, meaning one piece of malware can get everything on your computer. Sun hasn't done a great job of implementing the sandbox in their Windows Java plugin. Google may have done a better job on Android.

In Android, you specially allow each app to have access to different things. If a flashlight app requests permission to read your text messages, you don't install that flashlight, because a flashlight has no legitimate reason to be reading text messages.

This bug isn't directly related to sandboxing, but sandboxing does reduce the impact. This bug allowed the author of an app to lie about who they are, about who made the app. So Joe Hacker could have marked his app as being made by Microsoft. If you trust Microsoft, you might install the app thinking it was made by Microsoft, but it wasn't really. So you go to install Microsoft Flashlight and the system says "Microsoft Flashlight wants to read your text messages". You'd click the "fuck off" button because a flashlight app doesn't have any business reading your text messages - even a flashlight app made by Microsoft. So while the bug allowed them to lie about who made the app, you can still see what the app is trying to access and deny it if it doesn't make sense.

Comment: contributions on top, etc scare me. Once you know (Score 1) 80

by raymorris (#47562807) Attached to: seL4 Verified Microkernel Now Open Source

True, theoretically once you know about it, you should be able to untangle any GPL3 code and any contributions on top of that GPL3, and any other code that borrowed from the GPL3 code. As an example of what I'm thinking of, suppose you have something modular like WordPress or Apache. Someone contributes an authentication module that includes GPL3 code. Because it includes GPL3 code, the whole module is GPL3. Someone else writes a different type of authentication module and rather than writing boring parts from scratch, they start by making a copy of the existing authentication module and replacing the "guts", the actual authentication function, with some other type. That second authentication module would be a derivative work of the first, and therefore GPL3. The project maintainers have no way of knowing how the author went about writing it, though, so they don't know if it's GPL3 or not.

My primary 8-5 job is maintaining and enhancing a GPL3 project called Moodle. I appreciate what the licence APPEARS to say, but I'm always nervous about what it DOES say. I'm careful to only contribute or distribute under my personal name, never hosting a copy of the source on my employer's servers. When I get an email at work asking for a copy of a module I wrote, or some help with something, I reply from my personal email address in order to protect my employer's IP by avoiding any indication that the organization is distributing. Even with that, I also have to watch the entire project for anything that might infringe on my personally held IP because if someone puts infringing code on the project github I'll arguably lose my rights.

Comment: You can't choose forever. Once v3 touches it, gone (Score 0) 80

by raymorris (#47561373) Attached to: seL4 Verified Microkernel Now Open Source

> since you can choose forever, everyone can pick
You can't choose forever. As soon as someone touches it with v3, it's v3 and you can't get it back.
The most common and easiest case where that happens is that someone integrates some other GPL code into the GPL project.
The contributor didn't realize that GPL(2) and GPL(3) are two very different things. The code integrated / copy-pasted from elsewhere was GPL3. If not caught and removed immediately, the presence of ANY GPL3 code, just one line, requires that the entire project be released _only_ as GPL3. It can no longer be used under GPL2.

The reason for that is that the new contribution that is GPL3 licensed wasn't licensed under GPL2. Since that bit isn't licensed under 2, the whole package can't be distributed under 2.

The wording in GPL3 is unclear in such a way that it could pose a very significant risk to people who aren't even remotely involved in open source at all. Whether that wording is merely stupid or devious, who knows. The problem was pointed out before the license was approved, and the wording wasn't changed, so perhaps Stallman actually did intend to leave the threat there, while claiming the threat didn't exist.

Comment: Good point. Doesn't outlaw anything they are doing (Score 1) 175

by raymorris (#47560787) Attached to: Senate Bill Would Ban Most Bulk Surveillance

That's an excellent point. The executive, including the NSA, reports to the president. If the president wants them to stop doing something, he doesn't need a law - he can just say "stop doing that". We've seen him do exactly that, he said "stop deporting illegal aliens under 18 years old", and they stopped. Therefore, we know that they aren't doing anything the president cares to stop. He would have already stopped it if he wanted to.

Probably, the extremely specific language of this bill bans something they weren't doing anyway. They aren't allowed to spy on a specific area code, which is fine since they are spying on all customers of the telecom, not a specific area code.
