
Google Unveils New Self-Driving Car Prototype 90

Posted by samzenpus
from the drive-off-into-the-sunset dept.
colinneagle writes "In May, Google released a teaser image showing a mock-up of the autonomous vehicle it planned to build. Today, the company followed up with an image showing the finished product. Google says the first edition of its self-made self-driving car will feature "temporary manual controls as needed while we continue to test and learn." When Google introduced its prototype back in May, the company claimed its self-driving cars "won't have a steering wheel, accelerator pad, or brake pedal because they don't need them." Apparently, it still has yet to reach that point. The development is an important step forward for Google's driverless car efforts, which have been deemed impractical by many of late. Last year, the Financial Times reported that Google had difficulty finding manufacturing partners that would build vehicles featuring the self-driving capabilities used in its Prius. In that light, maybe Google's willingness to build its own hardware just to get the technology on the road means that its self-driving car team knows something the rest of the industry doesn't."

Major Security Vulnerabilities Uncovered At Frankfurt Airport 91

Posted by samzenpus
from the how-many-fluid-ounces-is-that? dept.
jones_supa writes "According to a report published in this Sunday's edition of the mass-circulation Bild am Sonntag newspaper, investigators sent by the European Commission found it surprisingly easy to smuggle banned items past security at Frankfurt Airport. It said undercover investigators posing as passengers were able to smuggle weapons or other dangerous items through security every second time they tried to do so. One of the biggest problems was improperly trained staff, who were often not able to recognize dangerous items when viewing the screens they use to look at x-ray images of baggage. The staff is sourced via a privately owned service provider. Germany's Federal Police said they introduced new measures immediately after learning of the security deficits to ensure that passenger safety was guaranteed. Fraport AG, the company that operates Germany's biggest airport, also took the findings seriously and began an operation to retrain a total of 2,500 workers."

Comment: Re:What took them so long? (Score 1) 212

by Entrope (#48648739) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

The single-session CD is supposed to come from an unsecure network. What good will putting it back there do an attacker?

I am not thinking small, I am thinking rational. You are assuming an "insan[e]" attacker, which is rather silly. I'm not claiming that single-session CDs will make a system unbreachable, or that you should try to. My claim is simply that using single-session CDs (in a controlled, hygienic way) makes the cost to breach a system much higher than the alternatives that were suggested (network and USB) -- not even that single-session CDs are always the right solution.

Comment: Re: What took them so long? (Score 1) 212

by Entrope (#48647763) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

Do you have any idea what the error rate for manual data entry is? Typically about 0.5% of the entries will be wrong. Retyping information is a very error prone process.

Do you have any idea that there are known good practices for checking entered data before committing to it? And that most people would want to apply this kind of check before kicking off a production run, of just about anything, regardless of how the order was sent to the system?

What is it about this topic that makes people forget basic engineering practices?

Comment: Re:What took them so long? (Score 1) 212

by Entrope (#48647671) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

If you have an air-gapped system, you don't let people plug either random USB devices or random Ethernet devices into it. You help enforce this by disabling USB ports, MAC-locking switch or router ports, making it clear that only specific authorized people can import data, and making sure those authorized few use hygienic practices. It's IT security, not brain surgery.


Dish Pulls Fox News, Fox Business Network As Talks Break Down 268

Posted by samzenpus
from the no-fox-for-you dept.
An anonymous reader writes: Fox News and Fox Business were pulled by Dish Network over the weekend, as both continue to argue over a fee agreement. From the article: "Dish said in a statement early Sunday morning that 21st Century Fox had blocked access to the two networks after Dish balked when rates for other networks owned by the media conglomerate were made a part of the negotiations. Tim Carry, executive vice president of distribution at Fox News Channel, countered in a statement that 'Dish prematurely ceased distribution of Fox News in an attempt to intimidate and sway our negotiations. It is unfortunate that the millions of Fox News viewers on Dish were used as pawns by their provider. Hopefully they will vote with their hard earned money and seek another one of our other valued distributors immediately.'"

Comment: Re: What took them so long? (Score 2) 212

by Entrope (#48646491) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

Sure... if.

1) If you can define the protocol to be simple enough, and
2) if you can be sure that only the intended application will process the data stream on the secure side, and
3) if you actually test that application enough to be confident it is secure, and
4) if you can ensure that sensitive information will not (improperly) leak back down the other direction, and
5) if you use it often enough to pay for that development cost, and
6) if you can resist the pressure to add features or "generality" to the protocol that makes it more costly to ensure secure processing...

then maybe such a protocol makes sense. Maybe somebody somewhere has satisfied all those ifs, but I would suspect not. For your simplified example, it is probably cheaper -- and just as secure -- to have an operator enter the dozen or so keystrokes to order "produce x amount of class y steel" than to design, build, install and support a more automated method. Human involvement has the added bonus of (nominally) intelligent oversight of the intended behavior for the day.

Comment: Re:What took them so long? (Score 1) 212

by Entrope (#48646289) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

The point of an air gap is to make data transfers much more controlled. Some can be crossed regularly (with appropriate control), and some should not. One should only adopt any security measure after a cost-benefit analysis. The depth and rigor of that analysis should be determined by the expected costs (ongoing/operational) and potential costs (from a successful exploit).

Thus, I said "If I really wanted to reduce exposure", not "Everybody should do this to reduce exposure". If the productivity costs are very high, you had better impose enough oversight to deter or catch any policy violations... or choose a security policy besides "air gap". My basic points stand: much more software regularly talks to a network than regularly reads from CDs, and the protocols involved are much more complex for network communications; and USB sits in between those two.

FWIW, industrial control instructions can be made much more regular than arbitrary data, making it easier to detect a compromise before it reaches its ultimate target. For example, if the usual file size is 1 MB, you had better have a good reason for it to suddenly be 3 MB. If you are really paranoid, you might have a format checker or sanitizer to act like a very application-specific antivirus.
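The "format checker or sanitizer" idea in this comment, together with the strict, single-purpose protocol conditions listed in the earlier reply (simple grammar, only one application consumes the data), as an added example that is not part of the thread: a Python allowlist checker for an assumed one-line-per-order file format, with a size-against-baseline check and a canonicalizing sanitizer. The order grammar, the 4 KB baseline and the quantity limits are assumptions made up for illustration.

```python
import re

# Constructed example of an application-specific format checker for files that
# cross an air gap. The order grammar, the size baseline and the limits below
# are assumptions chosen for illustration, not anything from the thread.
ORDER_RE = re.compile(r"^PRODUCE (\d{1,5}) TONNES OF CLASS ([A-Z][0-9]{2})$")
MAX_ORDERS = 100              # more orders than this never occurs in normal use
MAX_TONNES = 5000             # per-order ceiling (assumed plant capacity)
BASELINE_BYTES = 4096         # typical order-file size (assumed)
SIZE_TOLERANCE = 2.0          # the "usually 1 MB, suddenly 3 MB" check from the comment


def check_order_file(data: bytes):
    """Return (ok, reason, orders); orders is a list of (tonnes, grade) tuples."""
    if len(data) > BASELINE_BYTES * SIZE_TOLERANCE:
        return False, "file size far above baseline", []
    # Only printable ASCII and newlines are allowed; anything else is not an order.
    if not all(b == 0x0A or 0x20 <= b <= 0x7E for b in data):
        return False, "non-text byte present", []
    lines = data.decode("ascii").split("\n")
    if lines and lines[-1] == "":      # tolerate a single trailing newline
        lines.pop()
    if not lines:
        return False, "empty order file", []
    if len(lines) > MAX_ORDERS:
        return False, "too many orders", []
    orders = []
    for n, line in enumerate(lines, 1):
        m = ORDER_RE.fullmatch(line)
        if m is None:
            return False, f"line {n}: does not match the order grammar", []
        tonnes = int(m.group(1))
        if not 1 <= tonnes <= MAX_TONNES:
            return False, f"line {n}: quantity out of range", []
        orders.append((tonnes, m.group(2)))
    return True, "ok", orders


def sanitize(data: bytes) -> bytes:
    """Re-emit only the parsed orders in canonical form; nothing else survives."""
    ok, reason, orders = check_order_file(data)
    if not ok:
        raise ValueError(reason)
    return "".join(f"PRODUCE {t} TONNES OF CLASS {g}\n" for t, g in orders).encode("ascii")


# Constructed sample inputs.
GOOD_FILE = b"PRODUCE 120 TONNES OF CLASS S35\nPRODUCE 40 TONNES OF CLASS A17\n"
ODD_LINE = b"PRODUCE 120 TONNES OF CLASS S35\nPRODUCE 40 TONNES OF CLASS A17 extra\n"
OVERSIZED = b"PRODUCE 1 TONNES OF CLASS S35\n" * 400   # ~12 KB against a 4 KB baseline
```

Because the sanitizer re-serializes from the parsed tuples rather than passing the input through, only content the grammar explicitly allows reaches the secure side.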

Comment: Re:Sometimes 'air gap' is impossible (Score 2) 212

by Entrope (#48646215) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

What compels the management to hook the control network up to the Internet? If a vendor told me that their safety-impinging product needed Internet access to run -- for a license check or for any other reason -- I would tell them to go pound sand, and I'd be happy to take my business to a competitor. If Internet access is not mandatory, you are describing "sometimes an air gap is inconvenient", not "sometimes an air gap is impossible".

Comment: Re:"sophisticated social engineering techniques" (Score 1) 212

by Entrope (#48646201) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

There are techniques like "Hello my name is Solicitor Darren White, my client has just deceased and left you a sum of $1,000,000,000 (ONE BEEELLION DOLLARS)...". There are also techniques like "Registration is now open for [industry-relevant convention], please visit [malware-infected site] to sign up so you can keep up with new developments." Beyond that are very individualized attempts to gain the target's confidence, perhaps involving apparently independent contacts -- persona A contacts the target over a job board, persona B uses some of that information to ask for a supplier reference, eventually culminating in executable code delivered directly to the target in hopes that it will bypass virus checks and be executed on a sufficiently privileged computer. More sophisticated social engineering techniques will usually be more narrowly tailored and more costly for the attacker to use.

Comment: Re:What took them so long? (Score 1) 212

by Entrope (#48646179) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

On the one hand, you have to worry about security holes in the USB driver and file system.

On the other hand, you have to worry about security holes in every piece of software that talks to the network.

If I really wanted to reduce exposure for a network, I would probably use single-session CDs to cross the air gap, and make sure to pack any extra space with random data.


Study: Red Light Cameras Don't Improve Safety 281

Posted by Soulskill
from the automated-law-enforcement dept.
An anonymous reader writes: Ars Technica summarizes a study by the Chicago Tribune (paywalled) that found red light cameras do not improve driver safety. "[W]hile right angle crash incidents have been reduced, rear-end crashes that resulted in injuries went up 22 percent." Chicago officials recently claimed that the cameras led to a 47% reduction in "T-bone" injury crashes, using that statistic as evidence that the program is worthwhile. But the study's authors, who "accounted for declining accident rates in recent years as well as other confounding factors, found cameras reduced right-angle crashes that caused injuries by just 15 percent."

They also noted that the city chose to install many cameras at intersections where crashes were rare to begin with. Chicago has raised roughly $500 million from red light camera tickets since 2002. "[O]fficials recently admitted to the city inspector general that they had quietly dropped the threshold for what constitutes a red light camera ticket, allowing the tickets even when cameras showed a yellow light time just under the three-second federal minimum standard. That shift earlier this year snared 77,000 more drivers and $7.7 million in ticket revenue before the city agreed to change the threshold back."

Comment: Re:Established science CANNOT BE QUESTIONED! (Score 2) 718

by Entrope (#48634423) Attached to: Skeptics Would Like Media To Stop Calling Science Deniers 'Skeptics'

Which people do you think I am describing? There certainly are a lot of weirdo extremists in the environmental-activist camp, but I wasn't really thinking about them. If you want me to ignore the weirdo extremists on that side, will you ignore the weirdo extremists on the other side? More significantly, will media and activists stop focusing on the (conveniently distracting) anti-AGW weirdo extremists so that we can pay more attention to what actually can and should be done?

What specific steps do the reasoned thinkers recommend as "what actually needs to be done"? Last I heard, European countries were revising or just rolling back climate agreements because (a) they realized they couldn't achieve their goals without reducing their quality of life, (b) they realized the system was being gamed, and/or (c) they wanted to keep up with the countries who didn't sign up to those agreements.

Comment: Re:Established science CANNOT BE QUESTIONED! (Score 3, Insightful) 718

by Entrope (#48633595) Attached to: Skeptics Would Like Media To Stop Calling Science Deniers 'Skeptics'

Lots of people believe in ghosts. Lots of people also believe in people who "think[] that human activities have no impact on climate change". There's about as much hard evidence in one of these beliefs as in the other.

When climate alarmists stop pretending that the dispute is over the degree of human influence on climate, and how much different countries should spend to mitigate anthropogenic climate change (or other kinds!), they might start to get traction with skeptics. Also when they start acting like the situation is as bad as they claim it is.

I know that when I used an electric sous vide cooker to make pork chops for dinner last night, it was worse for the climate than if I ate raw vegetables, and better than if I grilled a slab of steak over a bonfire. I know that living in the suburbs emits more greenhouse gases than living in a tiny apartment in a big city. I am thoroughly unconvinced that forcing most people to live like the alarmists claim we should (but usually don't live themselves) will yield the claimed benefits, or be worth the costs even if the benefits would be as claimed.


Grinch Vulnerability Could Put a Hole In Your Linux Stocking 118

Posted by timothy
from the pretty-generic-description-there dept.
itwbennett writes In a blog post Tuesday, security service provider Alert Logic warned of a Linux vulnerability, named grinch after the well-known Dr. Seuss character, that could provide attackers with unfettered root access. The fundamental flaw resides in the Linux authorization system, which can inadvertently allow privilege escalation, granting a user full administrative access. Alert Logic warned that Grinch could be as severe as the Shellshock flaw that roiled the Internet in September. Update: 12/19 04:47 GMT by S : Reader deathcamaro points out that Red Hat and others say this is not a flaw at all, but expected behavior.
