Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Comment: Re:how ? (Score 1) 178

by wvmarle (#49158701) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Copying some data is quite different from replacing data, and far easier to do unnoticed. The NSA copied existing SIM encryption keys; they did not attempt to replace them with their own keys or so.

It is pretty hard to detect an intrusion, access to data, and copying of that data. Especially if the attacker gets access through an authorised account by getting their hands on someone's login credentials.

It is much easier to detect the replacement of data: this can be done with e.g. automated cryptographic checksum tests against remotely stored known good checksums, or against a freshly compiled copy.

A lot of data will have to be replaced unnoticed (source code is being read by humans, who may detect changes if it happens to be the part they work with) to stand any chance of getting a compromised binary on someone else's site unnoticed.

Comment: Re:How much CPU power & storage in HDD control (Score 1) 178

by wvmarle (#49158545) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

I doubt you need much, really.

All the malware part has to do is to read the rest of the software from disk upon boot, then hide that part of the drive from the OS. This way you could hide a pretty big piece of software on the disk, and with today 500 GB kind of capacities being the norm, the user won't notice unless they look really really carefully at the numbers.

Comment: Re:how ? (Score 1) 178

by wvmarle (#49158491) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

How can you even know if the code you download off the manufacturers' web sites hasn't been tainted during production?

You can't, but you can be quite sure that the manufacturer will take serious measures to make sure this doesn't happen. This protection against tampering to compromise computers just piggybacks on more general protections to keep firmware sound, such as tests to make sure there are no bugs in the firmware that cause data loss, and that software published on the web site is the software the company intends to publish.

This for the simple reason that one mistake here may result in bankruptcy, as people may lose trust in the whole company. Without trust in its products by its customers, a company can't survive - especially when it's about storing valuable data.

Comment: Not considered a real risk - at least, until now. (Score 1) 178

by wvmarle (#49157777) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Most likely there are no such tools as no-one thought it could be a vector of infection. Just like the BIOS; which used to be a non-reprogrammable ROM chip. I for one didn't know current hard drives even had firmware that can be replaced by the user, let alone that it may be a potential attack vector for malware.

Depending on how hard it is to read the installed firmware from a hard drive (is this even possible in the first place?) it shouldn't be too hard to write a tool that can read the firmware, and calculate a checksum for verification. The hard part is going to be, how do you know that your software gets the actually installed firmware - or just a known good but inactive piece of code provided by a compromised firmware, pretending that this is the software that's installed? The moment a firmware is installed, you probably need to call onto that very firmware to get a copy of it from the drive. Unless this read-firmware routine is provided by a special, hard coded circuit.

Comment: Re:Try to meet in person (Score 1) 146

by wvmarle (#49156767) Attached to: Ask Slashdot: Whiteboard Substitutes For Distributed Teams?

Exactly. What people also forget is that it's not just about the whiteboard, it's at least as much about the beers afterwards. Getting to know your colleagues in person helps a lot in getting cooperation going (it helps you interpret the writing in their e-mails properly, for example).

There is no real substitute for in-person meetings. And considering the problem at hand has already the budget of flying people around to get it solved, you'd better make use of it.

Comment: Re:Whiteboards and whiteboarding are a bad idea. (Score 1) 146

by wvmarle (#49156755) Attached to: Ask Slashdot: Whiteboard Substitutes For Distributed Teams?

I'm coding alone at the moment, and because I have no-one to bounce ideas off, I frequently find myself heading into dead-ends because the problem domain I'm dealing with is very large, and as there's no-one to discuss things with, I need to prototype to find my mistakes. Then I have to go back and rewrite.

Start with a partner or friends. If it's about UI issues or related things, they don't need to be programmers or versed deep into the problem at hand. People that know nothing about it actually can at times give you the best ideas, exactly because they know nothing about it and haven't yet restricted their minds by thinking about it. The programmatic implementation itself of course you have to do yourself, but that's generally the straightforward part (after you properly defined the problem, and the solution you want to work towards).

Comment: Re:Backups and Redundancy (Score 1) 127

by wvmarle (#49152967) Attached to: Vandalism In Arizona Shuts Down Internet and Phone Service

Part of the problem this is not that big news may be that it's about the US, where power outages and the like are the order of the day. Just ask around on /.: how many of you Americans routinely install a UPS in your home? How many have a generator on hand? Now compare this to the non-Americans that live in what we commonly call the "developed world".

Even emergency services were affected. Something that many Americans find so important that it's always used as a major argument against banning/jamming mobile phones in movie theatres and so, or as key reason primary school kids must carry a phone on them at all times. Even this major service was disrupted. So no matter what, something was terribly wrong here, and some company did not get their redundancies and automatic rerouting right.

Comment: Re:Major Version == Major Changes (Score 1) 199

by wvmarle (#49046751) Attached to: Torvalds Polls Desire for Linux's Next Major Version Bump

Lots and lots of minor fixes and changes add up to serious architectural rework. Ground-breaking new features are added when ready - one by one - every few months it seems I read about another major change to the kernel - so after a while you have several such major features added, it's unreasonable to add a major number every time.

So while I agree with your general ideas, it's certainly not that easy in the "release early, release fast" world of open source software, as with the fairly rapid addition of many bigger and smaller features to the kernel, and the fairly frequent release of new versions. Alternatively you may just have stick to major versions, like recently Firefox (currently my Firefox is at version 35) and Chrome (no idea what number they're at now) are doing, and as a result indeed the numbers are big enough that you can't really distinguish them. Which is bound to happen sooner or later to any piece of software that's under active development for a prolonged time.

Comment: Re:Don't give your bitcoins to someone else!! (Score 1) 148

by wvmarle (#49025565) Attached to: Alleged Bitcoin Scam Leaves Millions Missing

Not sure about this, but the SCMP (local HK news paper) reported about people sending cheques to this company. That's real money, not BTC, that they gave that company. Details are thin, but it seems that this company asked for payment for to-be-mined BTC. At least they were running a BTC mining operation as well.

Comment: Re:Proof that there's too much money in the world (Score 1) 148

by wvmarle (#49025547) Attached to: Alleged Bitcoin Scam Leaves Millions Missing

Maybe they bought a flat in 2003 (end of the SARS period), and sold it recently. They'd have easily tripled their money in that period of time (the housing market has gone up by that much, and it still going up fast - Hong Kong property prices are currently between ridiculous and simply out of this world). If they bought a $2M flat in 2008, they could sell it for like $6M now. That'd be $4M cash profit in hand, plus whatever they have left after paying off the original mortgage. Or take out a new mortgage based on the current value, mortgage interests are around 3% with banks all too happy to sell you mortgages.

Comment: Re:Cry wolf (Score 1) 127

by wvmarle (#48984807) Attached to: FBI Put Hactivist Jeremy Hammond On a Terrorist Watchlist

Why would they have the right to "preferential treatment" compared to, say, the parents of the children killed at Sandy Hook?

That perpetrator was not considered "terrorist". Yet his victims were children (who did nothing to him), while this Jordanian pilot was a fighter himself, who knowingly and willingly put himself in harms way.

Comment: Re:I don't mind some ads... (Score 1) 619

by wvmarle (#48977057) Attached to: Google, Amazon, Microsoft Reportedly Paid AdBlock Plus To Unblock

With click-through rates in the ppm range nowadays, that's probably not worth the effort.

Lots of advertising on the Internet is probably going back to basics: designed as non-interactive, like in newspapers or magazines, just making sure people see a brand name again and again and that way when they are in a shop making a decision to buy a phone, they go for the brand that they know so well from the advertising.

Comment: Re:Bound to happen (Score 1) 619

by wvmarle (#48977031) Attached to: Google, Amazon, Microsoft Reportedly Paid AdBlock Plus To Unblock

I'm not particularly interested in the 'sustainability' of the Internet. Google and a couple of other companies that have more money than the Catholic Church can worry about that. I'm interested in my privacy and peace of mind.

I am not going to cry if the commercial ventures on the Internet die. IMHO, the Internet was better back in 1994-5 anyway when it largely was NOT commercial!

Define "commercial".

I have a web site that I pay for and maintain myself. It's a purely commercial web site, yet it's free and there are no ads: this as it's the front of my company. It's advertising my tour business, and is visited by people that are interested in my tours, and allows them to book tickets to tours. I also add general information on hiking in Hong Kong, which people may use to set out by themselves. It's set up for purely commercial reasons, and I think such commercial sites are by and large a great addition to the Internet. I'm using such sites myself: to find information on products, to order stuff from. The Internet would lose a lot of its value if such commercial sites would all disappear and we would have to resort to calling companies, visiting their shops (which may be the other side of the world) to get a catalogue, etc.

For my business it is a great help to have this site, I sell a lot through it. It makes the whole ticket sales easier as well (very little manual interaction from my side needed). I wouldn't want to do without - people can't find me nor can they easily get the information about my tours that they need to make a decision on whether to join, ticket sales would become cumbersome; basically I'd have to close this part of my business.

What would be great if lots of this "targeted advertising" and collection of personal information goes. So I'm still running AdBlock Plus and Flashblock, and recently installed Self Destruct Cookies - an add-on that destroys cookies moments after you leave the site. Sure you have to re-login all the time, which LastPass makes dead easy, it does take care of most of the tracking across sites by outfits like Google and Facebook. This is just one aspect of the commercialisation of the Internet, something that my commercial use of the network can perfectly do without. I'm even collecting only the most basic information of my clients: name (I don't care if it's their real name - they just have to give me that name when they show up at the start), telephone and e-mail. All I need to be able to contact them, and for them to claim their place on the tour.

Counting in octal is just like counting in decimal--if you don't use your thumbs. -- Tom Lehrer

Working...