
Comment Re:Is this really as typical as it seems? (Score 2) 110

New technology market deployments go in stages, including the following:
  1) The underlying technology becomes available and financially viable. The window opens.
  2) An explosion of companies introduce competing products and try to capture market share. They are in a race to jump through the window.
  3) There is a shakeout: A handful become the dominant producers and the rest die off or move on to other things. The window has closed.

We've seen this over and over. (Two examples from a few decades back were the explosions of Unix boxes and PC graphics accelerator chips)

IoT applications recently passed stage 1), with the introduction of $1-ish priced, ultra-low-power (batteries last for years), systems-on-a-chip (computer, radio peripheral, miscellaneous sensor and other device interfaces) from TI, Nordic, Dialog, and others. It's in stage 2) now.

In stage 2) there's a race to get to market. Wait too long and your competitors eat your lunch and you die before deploying at all. So PHBs do things like deploy proof-of-concept lab prototypes as products, as soon as they work at all (or even BEFORE they do. B-b ) They figure that implementing a good security architecture up front will make them miss the window, and (if they think that far ahead at all) that they can fix it with upgrades later, after they're established, have financing, adequate staffing, and time to do it right - or at least well enough.

So right now you're seeing the IoT products that came out first - which means mostly the ones that either ignored security entirely or haven't gotten it set up right yet. Give it some time and you'll see better security - either from improvements among the early movers or new entrants who took the time to do it right and managed to survive long enough to get to market. Then you'll see a shakeout, as those who got SOMETHING wrong fail in competition with those who got it right.

If we're lucky, one of the "somethings" will be security. But Microsoft's example shows that's not necessarily a given.

In this case, though, the POINT of the product is security, so getting it wrong - visibly - may be a company killer. (I see that, in the wake of the exposure, the company is promising a field upgrade with this issue fixed in about a month. If it does happen, and comes out before the crooks develop and use an exploit, perhaps this company will become another example for the PHBs to point at when they push the engineers for fast schlock rather than slow solid-as-rocks.)

Comment Re:The HELL they can't! (Score 1) 74

Being in the industry, the reason I was given was (1) the electrolyte is very expensive right now

Vanadium pentoxide (98% pure was about $6/lb and falling as of early Oct and hasn't been above $14 in years) and sulphuric acid?

and (2) investors need a demonstration of return.

Always the bottom line. B-)

Comment Three cheers for selfishness! (Score 1, Interesting) 62

It works at three levels: 1. Selfish ... It's fine for people to play the game at level one, because they are also helping others learn and work their way up the skill ladder

Wow - that is a really cool observation. Atwood just went way up in my estimation for expressing this.

Comment Re:Yeah, but that just means... (Score 2) 201

The anti-vaccination craze? Fad ketosis dieting? Near-worship of media figures like the Kardashians? Climate change skepticism? I'd go on but that's already more than enough to refute your statement.

"Less" means "not as many as before"; it doesn't mean "none". Also, as long as reality continues to defy the Warmist Cult doomerism, skepticism is the most rational choice. There are three factors lining up right now that could make the climate cool down markedly in the next 5-10 years. If that happens, it will be very entertaining to watch the Warmists explain how the $trillions they bilked from the not-skeptical-enough public was well spent.

Comment Re:Sorry guys, Israel doesn't care what you think. (Score 1) 485

I read the freaking summary and it mentioned Israeli soldiers executing people, so I'm not sure how that's not the topic of the OP. Maybe you are asserting that the summary is inaccurate and doesn't match the article? If that's your argument it would make more sense if you would assert that explicitly so we can follow.

Comment Re:Source Code (Score 1) 48

The ransomware gets its name from the fact that the "DecryptorMax" string is found in multiple places inside its source code.

They distributed the source code with the ransomware?

Or the strings in the source code ended up generating strings in the object code and something like the "strings" tool found them.

Comment Re: Because backups are important (Score 1) 48

We can only assume they are too cheap, lazy or distracted with other things to keep frequent backups.

Or they think they ARE keeping backups, because they ARE - on a different part of the same disk, using automated processes provided and touted by the vendor - but the ransomware disables the tools and deletes the backups. Oops!

There's a difference between "backups" and "adequate, off-machine, backups".

Comment Looks to me like an oversight. (Score 1) 48

Why would you need a random .png from the Internet? Can't they just keep whatever part they need (header?) as part of the binary?

I'd guess:
  - The authors wrote the tool to use enough of the start of an encrypted/clear file pair to generate / sieve the key and deployed that.
  - Some user discovered, after the tool was deployed, that the invariant header of a .png file was long enough that any .png file could function as the "clear" for any encrypted .png (or at least that many unrelated pairs could do that.)

I'd bet that, if the authors had thought there was a nearly-universally-present file type the ransomware would choose to encrypt, with a large enough header to pull off this trick, they'd have included a canned header and the option to use it in the tool.
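An added illustration of the "invariant header" point above (example code, not from the thread or from any decryptor tool): it builds a few constructed minimal PNG files and measures how many leading bytes they all share. That shared prefix is exactly the known plaintext a file-recovery tool can count on no matter which .png it is handed; the byte counts and sample dimensions are assumptions chosen for the demonstration.

```python
import struct
import zlib

# Every PNG starts with this 8-byte signature (PNG spec, section 5.2).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Wrap chunk data as length + type + data + CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width: int, height: int, bit_depth: int = 8, color_type: int = 6) -> bytes:
    """Constructed minimal PNG: signature, IHDR, one zero-filled IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    channels = {0: 1, 2: 3, 4: 2, 6: 4}[color_type]
    row = b"\x00" + b"\x00" * (width * channels * bit_depth // 8)  # filter byte + pixels
    idat = zlib.compress(row * height)
    return PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def common_prefix_len(blobs: list[bytes]) -> int:
    """Number of leading bytes identical across all blobs."""
    shortest = min(len(b) for b in blobs)
    for i in range(shortest):
        if len({b[i] for b in blobs}) > 1:
            return i
    return shortest

# Field layout of the first 29 bytes, used to explain what the prefix covers.
HEADER_FIELDS = [(0, "signature"), (8, "IHDR length"), (12, "IHDR type"),
                 (16, "width"), (20, "height"), (24, "bit depth"),
                 (25, "color type"), (26, "compression"), (27, "filter"), (28, "interlace")]

def fields_covered(prefix_len: int) -> list[str]:
    """Names of header fields that lie entirely or partly inside the shared prefix."""
    return [name for offset, name in HEADER_FIELDS if offset < prefix_len]

if __name__ == "__main__":
    # Three unrelated images (constructed sample dimensions).
    samples = [make_png(100, 50), make_png(640, 480), make_png(1, 1)]
    n = common_prefix_len(samples)
    print(f"shared leading bytes: {n}; covers {fields_covered(n)}")
```

The 16 bytes of signature plus IHDR length/type are guaranteed identical; the high-order width bytes extend the match a little further for images narrower than 65536 pixels, which is why unrelated .png files make usable "clear" files for one another.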
