
Comment Re:Doubleclick serve malware (Score 1) 236

they vet, but the problem is they don't serve. I assume due to bandwidth issues (why pay for it when the advertiser will). In any case, malvertising is very sophisticated and the ads are often *not* malicious. But an approved ad is swapped out with the malicious (even if only 0.1% of the time) so the brokers are not aware.

The system is broken and advertisers are floundering. It used to be a small minority group who blocked ads (I still have a custom stylesheet in place that marks ads as being "unimportant" based on some simple pattern matching of where it is served from so they are not displayed). (The problem with that old system is that they are still *fetched* and likely *parsed* by the browser so they offer no security advantage.)

Comment Re:WTF??? (Score 1) 236

hmmm... how about:

adware (which has been around a long time) focuses on advertising although it displays malicious characteristics.

malvertising focuses on infecting a system in a persistent fashion that makes it part of a "network". Infected systems are used to steal passwords, send spam, display advertisements, participate in ddos, and in general anything that can be monetized.

Comment Re:How to fix ALL the app stores... (Score 1) 249

A pretty good list, IMO, although perhaps a bit drastic or unrealistic as rasmusbr points out. Instead of removing all crap applications (your #1), move them to the "Junk" category then have a default hide for the category. That allows the teenagers to have their stupid apps -- and they can feel even cooler by having to go in and enable the category -- while not bothering the rest of the user base.

I suppose one way of addressing #2 (duplicating stock apps) would be to have another (hidden by default) category. That way someone who wanted a replacement music player could get one without forcing everyone to slog through garbage apps.

And while #4 (eliminating in app purchases) is important as it cuts to the core of some problems, it simply isn't realistic. Originally, Apple did not have them. They were added to appease large developers. Not going to happen, but it would help if it did.

Even though rasmusbr is correct about what will happen with #6 (time limited 100% refund policy), without in-app purchases the model would not be particularly successful.

Comment Re:So really bitcoin is incidental (Score 1) 101

Pre-Snowden there was a huge BGP attack that re-routed lots of traffic, so much so that it was hard to tell who was targeted (instead of small things like this, think more like "all western Chinese traffic routed through US"). At the time there was lots of useless conjecture as to what it was about and whether or not it was really an attack or just a seriously stupid misconfiguration. Of course, nowadays we know that TLAs use this as one of their tools to grab target traffic that would otherwise be out of reach so that they can inspect it and record it.

BGP is a seriously large, gaping security vulnerability in how the Internet works due to the inherent trust of the system. The only plus side is the wider you cast the net the more obvious it becomes that it has been cast. The attack I refer to was glaringly obvious due to the huge distortion to routing. So for someone to use it for evil they need to keep it small and focused which means they need to get close to the target network. The point being that there *is* a measure of tamper evidence that gets stronger the farther the attacker has to reach. At least it's something.

Comment Re:Legitimate engineering uses (Score 4, Informative) 98

not to mention "...creates a disk image of everything that’s on the phone..." is misleading, even with the following caveat. It would be far more accurate to say something like "...creates a copy of file access times of everything that's on the phone, and other metadata such as file size and other timestamps." But that wouldn't be bait for journalists and misquotation. (And if the dumped iOS file system metadata includes other things, perhaps mention those -- but timestamps and file size are the main things.)

Comment Re: Only because they're stupid. (Score 1) 435

I think it is worthwhile to just discard the point about abuse of power because I don't think it is necessary to even bring up.

While at first blush the "running a red light" bit might sound silly the reality is that it *isn't* always safe to just pull over and stop. Sometimes it has to do with predictable things (like not having a shoulder to pull onto) and sometimes it isn't (dynamics of traffic, which may not have previously been obeying the traffic laws). The point is that once you get past the easy things (pre-identifying pull over spots so that the vehicle knows where to redirect to) you get into hard things. Like the tractor trailer that is on fire. Or that stopping would obstruct another vehicle that is *not* stopping (and resulting collision would block emergency vehicle).

In the end, there is a need for judgement calls, *especially* when emergencies are involved. A simple "pull over and stop" is too simple.

Comment Re:Obviously... (Score 1) 435

you made a real jump from tracking to remote control, but it is unlikely a car stolen by criminals who were planting a bomb could be recalled. Unless they were nut jobs who just happened to have access to explosives or made them, but killing a recall mode would be high on the list for a number of people (not all of them necessarily evil). Presumably, safeguards against tampering would be put in place, but I wouldn't hold my breath on them holding up.

Let's put it another way: lojack works fairly well and is on a number of computers. But can it be subverted? Are systems with lojack installed and enabled still stolen and sold for money? And all you really need for the case you mention is a temporary work around.

Comment Re:Drug mule? How? (Score 1) 435

"legally tied to someone": Dammit, I never rented that driverless car. Yes, I know that it was my credit card and I hadn't reported it stolen, but it wasn't me!

"has not been reported stolen": paid for rentals aren't generally reported as stolen. If you are a business with a driverless car and a wide region of operation, it could easily take longer than a simple "hijacked for crime" to discover and report.

"How many legal trips match that?": who knows. You're speculating, I'm speculating. Unless you have data to show it is significantly anomalous, it is irrelevant. But you *are* arguing for more government surveillance. "Hello citizen, I see that you have been on the road for more than two hours without filing a travel plan with Department of Homeland Security."

"legally, search": random stops? that would likely have to be settled. But there's *always* cause for pulling a vehicle over. And without a human to contest the search...

"It is not enough to obey the laws": true, but the "greater effort" is usually required to escape when one is already labeled. Local police have you fingered as a "troublemaker" you'll discover just how much they can get away with and no lawyer will take your case. But when discussing traffic -- if the vehicle is in proper working order (e.g., no headlights/brakelights out, etc.) and is being used properly (e.g., no traffic violation) unless there is something else to draw attention to the vehicle ("hey, Mark, isn't that the deviant druggie we busted up last night?") they are going to ignore it. Cops don't just go pulling over and searching vehicles on a random basis. (Well, infrequently, at any rate -- they just don't have the time to harass that many people.)

(Please, don't take this as an anti-LE post. But just like there are good cops, there are bad cops. And if you have the misfortune of getting labeled by local LE it can be tough. And good cops don't go randomly pulling over vehicles so in your scenario we are talking about the less well behaved ones. You bring up the whole in a category they aren't interested in.)

Comment Re:Simpler approach... (Score 1) 280

you wouldn't be so infuriated with their stupid requirements (and, I agree, most are stupid) if you just used a password manager. Then the only thing that is annoying is figuring out what parameters of the random generator you have to weaken to get an acceptable password. Instead, you have to remember how you had to adapt your generation rules to their site.

Humans are terrible at selecting passwords, and it isn't just the obvious 123456 or password. If you think you have a clever password method, it isn't. If you think you are randomly selecting characters, you aren't. The bad guys know all of this and exploit it. It may not have fancy equations, but there's some practical information at Ars Technica (e.g., and

Personally, I use a lot of rather weak passwords. You know, for the site that insists I create an account to read it. Whatever, they get the "stupid" password. (And I mean "stupid".) Those are throwaway "accounts" that I couldn't care less if they were hacked. I know the password, because it's "stupid", just like all the rest (or "stupid123" if they require numbers). OTOH, if it is a password for access to something I *do* care about it gets a computer generated password that is stored in a password safe. I don't care how hard it is to type, because I don't have to. I don't care how hard it is to remember, because I don't have to.

The only middle ground are login passwords (e.g., to a computer, or something I have to type into a mobile device, ugh!). There the ability to actually input the password can become a consideration, and for a desktop login it has to be memorable -- but when you don't have to remember a laundry list of passwords, the two or three you *do* have to remember aren't that bad (home system, work login, mobile phone -- you *do* lock your mobile devices, right?)
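The "weaken the generator to fit the site" idea from the comment above, as an added example (not the commenter's code): a policy-constrained generator drawing from the CSPRNG, plus the entropy arithmetic that shows what a restrictive site policy costs. The policies and character classes are constructed for illustration.

```python
import math
import secrets
import string

# Character classes a site policy may allow or require (SYMBOLS is a constructed subset).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def make_password(length, allowed, required=()):
    """Draw each character uniformly from the union of the allowed classes.

    Resample the whole string until every required class is present, so the
    result stays uniform over the set of policy-compliant strings.
    """
    alphabet = "".join(allowed)
    for cls in required:
        if not set(cls) & set(alphabet):
            raise ValueError("required class has no characters in the allowed alphabet")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in required):
            return pw


def meets_policy(pw, length, allowed, required=()):
    """Check a password against the same policy make_password was given."""
    alphabet = set("".join(allowed))
    return (len(pw) == length and set(pw) <= alphabet
            and all(any(ch in cls for ch in pw) for cls in required))


def entropy_bits(length, allowed):
    """Upper bound on guessing entropy for uniform draws: length * log2(alphabet size)."""
    return length * math.log2(len("".join(allowed)))


if __name__ == "__main__":
    # Constructed policies: a restrictive site versus what the manager would do unconstrained.
    restrictive = dict(length=12, allowed=(LOWER, UPPER, DIGITS), required=(UPPER, DIGITS))
    unconstrained = dict(length=32, allowed=(LOWER, UPPER, DIGITS, SYMBOLS))
    print(make_password(**restrictive), round(entropy_bits(12, restrictive["allowed"]), 1), "bits")
    print(make_password(**unconstrained), round(entropy_bits(32, unconstrained["allowed"]), 1), "bits")
```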

Comment Re:About that.... (Score 1) 223

I'm going to go out on a limb here and guess you're someone who loves the recent hobby lobby decision that grants freedom of/from religion and specific religious rights to corporations. By the rationale of the decision a corporation owned by a muslim family should be able to enforce sharia on its employees. But you are comfortable believing that this cannot happen because you have faith that the courts will only give religious rights to corporations that are identifiable as christian.

Two faced hypocrites are the worst.

Comment Re:Seems appropriate (Score 2) 353

Actually, every file in the system does not have different time stamps and they tend to be in clusters (e.g., different groups of system files).

Timestamps can be manipulated in various ways and they are often taken at face value, but it does get quite a bit harder if the investigator digs deeper. For example, in your proposed situation the inodes for the newly created files would not be as expected for files having those time stamps.
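The "dig deeper" checks the comment above alludes to, as an added example (not the commenter's code): two heuristics an investigator can run over file metadata to spot backdated timestamps. The records are constructed; the inode-ordering rule assumes inodes are handed out in rough creation order, which holds on common Linux filesystems but is a heuristic, and preserved-mtime copies (cp -p, tar -p) will trip the ctime check legitimately.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileRecord:
    path: str
    inode: int
    mtime: datetime   # content modification time; settable by the user via utimes()
    ctime: datetime   # inode change time; updated by the kernel, not settable via utimes()


def find_suspect_timestamps(records, ctime_gap=timedelta(days=1), inode_slack=100):
    """Return {path: [reasons]} for files whose metadata is internally inconsistent."""
    suspects = {}
    # Check 1: rewriting mtime after the fact bumps ctime, so a ctime far newer
    # than mtime means the mtime was set, not earned.
    for r in records:
        if r.ctime - r.mtime > ctime_gap:
            suspects.setdefault(r.path, []).append("ctime_newer_than_mtime")
    # Check 2 (heuristic): inodes are allocated roughly in creation order. A file
    # claiming an older mtime than its siblings, yet holding an inode far above
    # every sibling modified later, was created long after it pretends to be.
    by_dir = {}
    for r in records:
        by_dir.setdefault(r.path.rsplit("/", 1)[0], []).append(r)
    for siblings in by_dir.values():
        for r in siblings:
            later = [s.inode for s in siblings if s is not r and s.mtime > r.mtime]
            if later and r.inode > max(later) + inode_slack:
                suspects.setdefault(r.path, []).append("inode_out_of_order")
    return suspects


# Constructed sample: a base install from 2013, one later update, one planted file
# whose mtime was backdated to blend in with the install cluster.
D = datetime
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/ls", 1001, D(2013, 1, 10), D(2013, 1, 10)),
    FileRecord("/usr/bin/cp", 1002, D(2013, 1, 10), D(2013, 1, 10)),
    FileRecord("/usr/bin/tar", 1003, D(2013, 3, 5), D(2013, 3, 5)),
    FileRecord("/usr/bin/sshd_helper", 90000, D(2013, 1, 10), D(2014, 7, 1)),
    FileRecord("/etc/passwd", 2001, D(2014, 6, 1), D(2014, 6, 1)),
]

if __name__ == "__main__":
    for path, reasons in find_suspect_timestamps(SAMPLE_RECORDS).items():
        print(path, ", ".join(reasons))
```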

Comment Re:the naivety is painful (Score 1) 247

I think this is really what is bothering me about the MAYDAY PAC. The idea that the game can be beat by playing it on the terms of those who have rigged it... I understand the principle is to back politicians who will vote for reform, but a couple of seats -- even if it happens -- don't mean squat. Having a few bought-and-paid-for stooges who will vote for something doesn't actually work: it has to make it into a bill first, in a form that hasn't been mangled into the opposite of the intent, and brought to a vote. To actually get a bill into law requires seniority and support from senior politicians. And those will be the ones least susceptible to the MAYDAY PAC. This seems like much ado about nothing.

I think the people behind it have good intentions, but I fail to see how the effort will produce any meaningful change or reform.