
Comment: Re:Not worth it (Score 1) 232

by vux984 (#47759959) Attached to: New Windows Coming In Late September -- But Which One?

Until MS forces OEMs to sell a clean copy of Windows with zero third-party crapware, I won't even consider it.

So let me get this straight. You'll install Linux on bare metal without any complaint, but if you had to do that for another OS it would be reason enough that you won't even consider it.

How is that not hypocrisy?

I've been a Linux user since 1998, and since then, have seen no compelling reason

Good for you. From programming my Harmony remote, to running QuickBooks, to watching Netflix, to Microsoft Office, to playing many of the games I like, there are lots of compelling reasons that keep me running Windows on at least some of my computers.

Fact is, when you buy a new Windows PC, it's largely unusable what with all the Kaptalistic crapware and bloat already bringing the system down below peak performance.

Fact is, that's not even true. There's plenty of decent OEMs and vendors out there. Plus whitebox system builders. Plus the fact that if you're reinstalling the OS anyway, you can do the exact custom Windows install you want just about as easily as any Linux distro.

This is a black eye for the Windows brand.

Android phones ship with all kinds of shit pre-installed by OEMs too. Even the Google Nexus -- given that I even consider stuff like "Hangouts" and the "gmail app" to be unwanted bloat.

Comment: Re:Backward-thinking by the DMV (Score 1) 439

by vux984 (#47759537) Attached to: California DMV Told Google Cars Still Need Steering Wheels

Any car that allows the driver to take "immediate physical control" makes the roads unsafer for all.

Yeah, it does sound pretty risky to take control of a car mid maneuver, at speed.

However, a control transition while stopped is reasonable, and there are lots of reasons that a car should support a driver.

Navigating around a major traffic incident. (Let's say hypothetically you are on a divided highway approaching a double bridge and one of the bridges becomes unpassable. What happens?)

Police for example may divide the remaining bridge into two directions, and divert traffic onto it. Cars will need to turn around, go back up the highway the way they came (against its usual direction), probably use a restricted emergency vehicle access to cross over to the other side of the highway, and then be directed to drive in what would normally be an oncoming lane of the other route across the bridge, before being diverted back to the usual side of the highway via another restricted access road... it's going to be a long while before a driverless car is ready for THAT.

Other uses for manual controls -- off road event parking in ad hoc overflow lots, moving the vehicle after an accident that has damaged the sensors etc but it's still otherwise drivable.

I'd love to see a Google driverless car handle downtown Calcutta... where even if every car was driverless and "wirelessly communicating with each other" there'd still be throngs of people, bicycles, livestock, and the only thing the other cars around it would report is "yup, it's a huge mess here too".

Or even a major American city when half of downtown is shut down for an event and there are hordes of people on the streets... and police are directing traffic.

Comment: Re:Sigh (Score 1) 272

by vux984 (#47743003) Attached to: Among Gamers, Adult Women Vastly Outnumber Teenage Boys

A "gamer" is someone who plays games.

That's why pro-football players, the elderly Chinese men in a remote village playing Go, the seniors at the community center playing bingo, and the participants in the office hockey pool are all "gamers" too, right? They play games.

No, of course not. The vernacular use of the word "Gamers" doesn't include them.

And neither does it include grandmothers playing Candy Crush, no matter how many of them there are. That's a new thing. It's a big thing, but they aren't gamers.

But "gamer" means nothing.

Of course it means something. We use the word all the time and generally understand each other. A 'gamer' is someone who plays at least a subset of video games that meet certain complexity or difficulty thresholds, and considers them an important part of their identity.

You'd be included as a gamer even if you only play platformers. You can also be a gamer who only plays FPS. Or RTS, or MMOs or racers or roguelikes.

But it doesn't normally include people who only play casual mobile games, even if they play them a LOT. Nor if you only play chess, not even if it's chess on a computer. And soccer? Maybe if it's FIFA 2014, but not if you're on a field somewhere with an actual ball.

As for your Mom... maybe. She plays a 'recognized' class of games to be a gamer, and she's finished them... so if she considers it an important part of her identity etc then sure, she's a gamer.

My mom, though? With her Candy Crush on her iPad. No. She's not.

That's not what people actually mean when they say gamer, just as they don't mean people who are obsessed with golf.

 

Comment: Re:tl;dr (Score 1) 87

by vux984 (#47733761) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Although I agree with you in general, the thing is that you need to think of what the effects of a false positive are. Imagine starting up your game of solitaire and then seeing a Gmail-like login window.

I'm not an Android dev... but on platforms I do write for, any app can determine the name of the foreground process/task.

So the worst that happens, is an oddly timed credentials box for the app you WERE using. That's going to set off far fewer alarm bells than you would think.

Comment: Re:tl;dr (Score 1) 87

by vux984 (#47733527) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Everybody knows that 'carefully designed timing' and generalisable match very poorly.

Agreed -- however, would a visible glitch or hiccup really set the majority of Android users on guard? I'm skeptical.

Honestly, the entire timing element is almost superfluous; for a large number of users simply throwing up a phishing screen while they are IN another app would garner high success rates.

Launch Gmail app... Popup "connection to server failed", "please enter username password". It would be horrifying to see how high a success percentage that gets you.

This attack is impressive in that it generates a 98% success rate at detecting and invisibly injecting its phishing screen 'just so'. But honestly -- they'd probably snatch a shockingly high portion of credentials simply timing the popup to coincide with 1-2 seconds after a given app starts for a large number of apps.

Granted the sophistication of a finely tuned and well crafted attack would mean even I'd fall for it without being any wiser, and it enables them to go after some more complicated apps, in more complicated scenarios. And yes, a finely tuned profile using knowledge about the particular model of phone, and particular application set etc are required to pull it off.

But the reality remains that the low hanging fruit (dumb users + easily predictable apps) is going to be very easily harvested.

Comment: Re:Blast from the past (Score 3) 87

by vux984 (#47733231) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Memory allocation is still controlled by the OS. (At least insofar as apps request memory from the OS, and release it back to the OS).

Normally, an app would have no need to know what another app was doing with memory. However, the instrumentation for another app to track the memory usage of another app exists and is not restricted to elevated / trusted apps.

Clearly it should be.

I can't honestly imagine what a regular app would need this for anyway. It's very much a 'task manager' or 'debugging tool' class of information - and only developers and system level apps need this information.

That along with the fact that apps should not be able to pre-empt each other and go into the foreground on their own. (iOS apps for example, apparently can't pre-empt; unless they have exceptional permissions (e.g. sideloaded by developers or enterprises or if the device is rooted/jailbroken) so on iOS even if the app can determine the app activity, it won't be able to pre-empt it with its phishing screen.)

Comment: Re:tl;dr (Score 4, Interesting) 87

by vux984 (#47733097) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

An immediate work-around would be to randomly place the log-in screen within a pre-determined area such that the hostile app would be unable to immediately overlap it. The double image will tell the user something is wrong.

The double image will tell the user something is wrong.

How is that a work around?

It's a phone. The login 'window' is going into a 3" to 5" space and is full screen in nearly every implementation. The 'popup' that the hostile app preempts simply covers the whole screen.

All in all not a particularly powerful attack vector.

Quite the opposite. It's a very powerful attack vector; and given the surprisingly good ability to time the pre-emption a very dangerous one.

Comment: Re:Blast from the past (Score 5, Informative) 87

by vux984 (#47732993) Attached to: Researchers Hack Gmail With 92 Percent Success Rate

Blocking access to the memory space of other processes has been a solved problem since timesharing in the '60s and '70s, right?

Sure it was. That isn't what is happening though.

It's not accessing the app's memory itself. It's accessing the shared memory *statistics* of a process.

Then it's using pre-calculated patterns of the shared memory usage (presumably allocation order, sizes allocated, NOT the actual memory contents etc) to guess what the user is doing in the other app. Then, when it detects a pattern that corresponds with "I'm about to log in" it pre-empts the app with its own phishing login screen skinned to look like the original. The user is -expecting- a login screen to pop up, and one that looks right does... so they enter their credentials.

I assume they...

All your assumptions and proposed solutions were completely wrong.

The solutions are:

a) to remove untrusted apps' ability to monitor memory USAGE statistics

b) to remove untrusted apps' ability to pre-empt the screen.

c) better permissions controls and better CURATION limiting

d) it may also help to let apps enter 'critical sections' that cannot be preempted by other apps (?)

Comment: Re:Gravity isn't SF (Score 1) 178

by vux984 (#47724369) Attached to: The 2014 Hugo Awards

Gravity isn't science fiction

Of course it is.

We actually do send people into space, and that kind of disaster could sort of happen.

But we didn't send anyone named Dr. Ryan Stone on space shuttle mission STS-157, and none of the other events in the film ever happened... so it's CLEARLY fiction.

And it is science fiction because many of the antagonists/obstacles are consequences of the known rules of physics.

It handily meets any definition of science fiction I would ever care to use.

And that's really cool--what seems so much like SF is actually a real-life job that some people do everyday.

We all live moments away from science fiction. A fictional story about the challenge of escaping a car after it goes over a bridge into a river can be science fiction if the accident is modelled according to our understanding of science instead of just done for dramatic effect. The juxtaposition of the vehicle's crumple zones with how they'd react hitting a river from 30 feet up, how much time would the occupants REALLY have, how could they REALLY get out... etc.

Most good Science fiction are simply stories about people reacting to their environment within the bounds of their humanity, and the constraints of known science.

That environment can be trumped up with constructs which are not explained... whether it's faster than light travel, or an alien race governed by a hive mind... or it can be entirely mundane (as in Gravity or my imagined car accident story).

What makes it science fiction is that once the rules of the environment are established, the characters react to it constrained by the rules of science.

What separates good science fiction from fantasy is that fantasy is not bound to establish and then follow a set of physics. It's free to continually introduce whatever capabilities the characters need as the story needs it. Fantasy follows whatever path the author wishes without constraint. Science fiction's defining characteristic is that the narrative is constrained and driven by known physics or known or speculative physics.

Now you might say, but that's true of James Joyce's Dubliners; it too is constrained by the rules of physics. None of the characters are magical or fantastical and nothing impossible according to known physics happens. And that's true. The difference between science fiction and ordinary (non-fantasy) fiction is that in science fiction the narrative is driven in part by the science. Dubliners' narratives are not driven by science.

So even CSI could have been really good science fiction. Except it's not, because despite the trappings of science they toss it out the window left and right. Star Trek with its particle-du-jour ... often is science fiction, because you are allowed to "pre-suppose" an alternate physics -- the trick is to play out the rest of the story constrained by it. Star Trek of course, as often as not, also fails to follow the rules it sets out for itself, and so deviates to space-fantasy or something... but many of its good episodes are good SF.

Comment: Re:Findings... (Score 1) 80

by vux984 (#47716001) Attached to: Tor Browser Security Under Scrutiny

They say ASLR is disabled

I *think* what they are saying is that:
ASLR is disabled in their build of the software. (It must be enabled via compiler option).

However, ASLR is enabled in Windows itself.

From Microsoft:

http://www.microsoft.com/secur...

Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process. The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.

ASLR was introduced in Windows Vista and has been included in all subsequent releases of Windows. As with DEP, ASLR is only enabled by default for core operating system binaries and applications that are explicitly configured to use it via a new linker switch.

As for EMET and ASLR:

Basically EMET can force recent versions of Windows to use ASLR even on applications that don't explicitly build with support for it:

http://krebsonsecurity.com/tag...

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you'll need to have Microsoft's .NET Framework 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.
