Comment respectable websites constructed by? (Score 1) 362

I encourage you to consider the response regarding the local caving website. There are millions of small-time websites hosted by vendors who might be inclined to increase their revenue by injecting this malicious JavaScript into their customers' websites.

It might not always be the decision of the 'respectable website' to monetize traffic in this manner.

Comment Re:allowing attackers to manipulate websites?? (Score 1) 136

Please go back and read the examples I gave in my original post.

This vulnerability opens up the user's session to being hijacked in a way that alters the content being submitted to any non-HTTPS website. That content could be forum posts or article comments. It could mean any URL posted in a comment could be changed to point at a pharma scam website. The user's browser could receive a JavaScript injection that starts comment-spamming (as the user) a forum or WordPress site in the background.

Packet-level manipulation works both ways-- what the browser receives as well as what the server receives.

Comment Re:allowing attackers to manipulate websites?? (Score 1) 136

So long as HTTPS isn't implemented, websites could be subjected to modified content submitted by visitors. For instance, browsers visiting self-hosted WordPress blogs could see JavaScript injected into the HTML received. In the background of the session, the user's browser could be comment-spamming the site. If the user is an admin of the site, then the JavaScript could use the admin's credentials to create other superuser accounts in the background.

Even if the site's content submission forms are protected by a captcha, the attacker could simply modify comment submission text to include links to pharmaceutical websites, etc. every time someone posts a comment to a self-hosted, non-HTTPS WordPress blog. The same would hold true for forum posts.

Comment Re:How serious is this? How exploitable is it? (Score 5, Insightful) 262

"Not remotely exploitable."

The security industry would define this as a remote exploit as it does not require physical access to any of the devices nor does it require the attacker to be logged into the target devices. While the attack would result in decrypting any clear text being sent over wifi, the saving grace is that an increasing amount of traffic is sent via HTTPS or SSL, which would provide an additional barrier to an attacker seeing login credentials for remote websites, etc.

The most dramatic concern here is that non-HTTPS traffic is prone to injection of malware and exploitation of vulnerabilities on the client devices. Even if a user doesn't browse a sketchy website, suddenly a site like might seem to send code to a user's phone or laptop that could perform a remote code exploit.

As 140Mandak suggests, it would be trivial to assemble a cheap box (think Raspberry Pi 3) that sits at a public wifi location and automatically attempts to hack all older Android phones that connect to the network.

Comment black and white purity (Score 1) 219

I think you're missing the point of the OP preferring the certainty of vision enabled by the black-and-white format. As the name implies, "Green Acres" and its ilk introduce a slippery slope of variable color palettes that are unpredictable and inconsistent in their ability to accurately represent the stark reality of right and wrong in our world.

Not to mention the theft of imagination perpetrated by RGB pixels. Does the audience need to be spoon-fed that Opie's hair is red? Let the character develop that understanding through exposing persistent vulnerabilities so the audience gradually acknowledges subconsciously that the Opie character is driven by recessive ginger traits.

Comment Don't forget public library (Score 4, Informative) 186

Although a bit less convenient, I enjoy riding my bicycle to the local public library and checking out Blu-ray discs. The waiting list can sometimes be long for new releases, but anything released over a year ago is usually readily available. Our library system supports reserving a title via their web page, and then they'll transport it from a remote branch to my local branch for pickup over the course of a couple of days.

Comment Re:This guy has no idea how Face ID works (Score 1) 441

Archville7 is incredibly correct here and deserves +9999 modpoints for pointing out the hysterics and idiocy of the OP.

Just wanted to extend this with more details.

When the OP asks, "Who was wanting FaceID?" I can help with that.

Physical buttons on consumer hardware are expensive. I mean that in terms of production, warranty, maintenance, and customer satisfaction. I mean that last one not in terms of usability, but in terms of the anger of out-of-warranty broken buttons rendering a device useless. This is why low-end devices will sometimes employ the "function" key that modifies the behavior of other buttons when it is held down simultaneously with them. Suddenly, a user can enjoy myriad functionality while keeping the overall cost the same on the above-mentioned metrics.

The touch screen interface liberated the hardware manufacturers from this button-oppressed UI constraint. Designers were free to conceive all kinds of user interfaces for phones and other products without the burden of physical button expense.

The tricky thing about that home button, though, is that it has always been a linchpin for functionality. If that thing breaks, the whole device can't be used. And with TouchID, even more so, because the part can't be replaced easily. It's a key (no pun intended) component of the security infrastructure and can only be replaced by Apple with an expensive process and stockpile of parts. A failure in the TouchID home button is crushing on all of the button-expense metrics: "warranty, maintenance, and customer satisfaction."

FaceID solves all of that. The people who were asking for that were the manufacturer as well as their customers (unknowingly).

Comment Re:If John McAfee said it... (Score 2) 96

Clonehappy, come now. Has the public consciousness forgotten this old McAfee chestnut from last year?

McAfee Says He Lied About iPhone Hacking Method To Get Public Attention

Calling the man "batshit crazy" is not a criticism. He aspires to the title.

Whether he's crazy or pretending to be crazy is a non-issue. Delusional rantings are still unworthy of our attention whether they are intentionally delusional or authentic.

Comment If John McAfee said it... (Score 5, Insightful) 96

I'm sorry, but you lost me in the headline just after:

"John McAfee said..."

The best use of my time and attention is to keep walking down the sidewalk when I hear the delusional rantings of a person probably off his or her meds. No eye contact. Just keep walking.

Comment Doubt Apple will buy AMD (Score 1) 186

Apple switched to Intel because the PowerPC consortium wasn't delivering on their commitments for R & D sufficient to stay competitive with the power / performance ratio of Intel. Apple hardware was falling behind PC hardware. Part of why Steve Jobs was able to convince the Apple BOD to buy NeXT was because their OS was already able to deploy on either architecture.

Intel's R & D investments were justified by the guaranteed volume. PowerPC was a niche server (IBM) and desktop (Apple) player, in contrast.

If Apple buys AMD, then they're taking on the enormous R & D expense again to outperform Intel. To defray that expense, they'd have to maintain channels with other platforms they might eventually want to compete with, like PlayStation and Xbox. It works better for Apple to play both CPU vendors against each other for negotiating the best vendor contracts. Don't get me wrong, I'd like to think one of the reasons AMD investors were convinced to fund Threadripper R & D was because Apple was guaranteeing a bulk purchase for the forthcoming Mac Pro pending AMD's ability to deliver a compelling power / performance ratio. I'd love to build my next Hackintosh on an AMD platform.

Comment Re:continuous delivery == constant change (Score 2) 78

Any professional outfit will test a new release (in-house or commercial product) thoroughly before letting it get anywhere close to an environment where their business is at stake. This process can take anywhere from a day or two to several months, depending on the complexity of the operation, the scope of the changes, HOW MANY (developers note: not if any) bugs are found and whether any alterations to working practices have to be introduced.

I wanted to chime in with a tangible anecdote to support your observations here.

I work for an enterprise software company. One of our customers is a large credit card company. After our company was five years old, that credit card company still staffed more implementers / developers / testers dedicated to deploying our product throughout their organization than we staffed developers in our entire engineering team.

Talk about a ripple effect...
