Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Comment Re:Can malware use this to prevent patching? (Score 1) 119

One potential flaw in this mechanism: I think a malware image can prevent rolling back to a known-good image by setting the rollback indexes to ridiculously high value, say 2147483647 (2**31-1).

This diagram shows how the workflow is supposed to proceed. If Mallory gets her verification key onto your device (either by social engineering or another flaw), then her custom malware image can be booted by the device in locked mode. The user will get a warning about this being a custom OS (good!), but then the rollback index values in Mallory's image are written to the stored rollback index values (bad!). If I then attempt to go back to Oreo 8.0, it won't let me.

A better mechanism would be to have a set of stored rollback index values per verification key, not a global set per device. Then I could roll back to the stock factory image from a Mallory's malware image.

Good info, thanks!

I'm being humorous, but truthful. This feels like "Ad non-view punishment". If a ad-blocker is installed, you can get those nice "ads pay for our site; you can't view unless you see the ads" on a desktop OS. This seems like a "if you have a custom installed OS, you get to wait 10 seconds as a time-out".

I know it's not the same, but it just seems to match. A user who installs a custom ROM on an unlocked phone should have to see the warning, at most, 1 time. To see it every time is a form of coercing the user into going back to the main or losing ADHD valuable time if user doesn't wanna.

Comment Re:Reset-persistent malware; Google Play Movies (Score 1) 119

If you're buying an Android device used, you want to know whether the previous owner hasn't installed malware that persists across an apparent factory reset. Popping up a "This device runs a custom operating system" notice while the bootloader is loading the kernel is an unobtrusive way of doing this.

If you're buying an Android device, and you watch movies, you want a wide selection of movies. Google can do one of two things. It can keep its license from major movie and television studios to offer their works through Google Play by continuing to improve the digital restrictions management that deters copying a rented stream. Or it can lose its license and pull the works from Google Play, and end users will end up having to buy an iPod touch, iPhone, or iPad in order to continue to watch notable movies and television series once the licensed apps become iOS-exclusive.

I'm sorry to throw this in, but I don't "get" the "new" generation. If I want to watch a movie, I have a device at home that puts it on a large screen for me to sit on this thing called a "couch" and watch. The "need" to have a way to watch mobile-accessible versions of shows/movies/etc is scary. I also say this because I work at a place where productivity falls in departments under the top-level one (top-level department, that is) because people watch movies and shows at work. Their work contains errors from distraction and they seem overwhelmed with too much work with very little work actually being performed.

Ban the devices. Well, we did. People left and others hid the fact they were doing it but their "symptoms" persisted and they were eventually confronted. Only 10%, LITERALLY 10% stopped and wanted to keep their job. Their performance increased. The other 90% left or (at least two people) were fired because what they were being paid was more than what they were producing. We were basically paying them to entertain themselves at work.

The ban was lifted because attrition and in-company mass planning to reduce productivity "won". Now people are individually canned if their production is lower than the lowest (reminds me of school grading curves). To be more to the point of "I don't get people" is that most all of them have headphones/headsets and listen to music all day. They need background noise or something. I don't get it. They have been found to type words from their songs into what they're working on; again, no joke. I (37yo), don't find it difficult to have the noise of other people, machines, HVAC, etc from serving as my "background noise". It actually helps me concentrate on topics more. I've tried listening to music with headphones, and it helps lock me into one task, but it reduces my performance by an estimated 70%.

I don't get it. Having said that and being a psychological "master-reader", I never will get it. It's a generational thing.

Comment Re:I like this. (Score 1) 119

It also prevents legitimate users that might need to rollback due to a bug or feature that affects them badly in a new build from rolling back. Really this should be a completely optional check that is user settable as a rollback can be critical. I have had to rollback twice in recent years due to breaking changes and why is it unreasonable to want to be able to use the last known good build from the manufacturer as I don't want to root m phone or put on custom roms.

I hear ya, but hear me out... I doubt this is the reasoning. The "Why" is: Google isn't stupid... Are they? Assuming they aren't stupid and wanting to be a center point of attention for a massive security breach of "all users of Android Oreo" (or something of that ilk), this hits a brick wall. The logic, their logic, that is. If a new release comes out and several weeks later after most (meaning a lot) of the users have upgraded their devices, an exploit gets found where any device running the OS can be compromised; this leaves all of the users in a state of danger until Google finds a way to release a fix for all vendors running that version. The users can't take the device somewhere and have it downgraded to prevent the exploit from being available until Google releases "their fix".

This is essentially sounding like a Windows 10 mock behavior. "We take control" is good if you're an idiot, but it's also really bad if you're an idiot OR smart and the controller creates a dangerous situation for your finances (to be blunt). Yes, I'm aware you can unlock the bootloader/etc, but that's for the current power users set. The end idiot/smart (but non-power) users succumb to Google's authority. This isn't news. What's new is the inability to have an instructional new-release or friend method of getting around the problem.

The best method for attacks now is to have the malicious code execute and do its bidding. When the device is rebooted for anything, I mean anything, any reason at all, that boot will cause the device to be corrupted/wiped. That's what I'd do if I were a malware producer. That way the choice of the end user is to "leave the device alone and let the malware do its malwaring, or power it off and lose everything if [I] power it back on."

Screw ransomware's encryption stuff. Put a dent in the economy by disabling peoples' mass connectivity methods they're used to. Sure, workarounds will be found (find a phone on a desk and call using it, check your stock shit on some computer at your desk at work or home, post your pictures/videos of every element of your life using a stand-alone camera and desktop computer to your FB/Twitter/etc account, etc etc). It's not that we won't survive, it's that people will lose their way, and when many people lose their way, mass hysteria sets in.

Anyhow, I'm not typing all of this to come up with doomsday scenarios. It's just real - doing something like this locks a person in to using something that can be found to be bad, and have them locked into a bad place until a way out of that bad place is found and pushed on them. That or most everyone needs to learn how to unlock bootloaders, back up data, install an Android custom OS, restore data elements, and be fluid with back and forward software down/upgrades, you know, a power user. Just the ridiculousness of that past sentence makes it clear that it ain't'a'gonna happen.

Comment Re:Pandora? (Score 1) 144

How is Pandora #10 on the list, when I keep reading about how Pandora is struggling against competition from Apple and Spotify?

I don't trust any "list". People (companies) pay people (companies) to create "lists" that skew peoples' thoughts and curiosities toward a desired target. Of course, there are a lot of misses or not-interested people, but most will try our things out of curiosity that are the same or different to prove or disprove (to themself) the veracity of "list" truthfulness. Basically, when I see "The ten most", "The Top 100", etc, I just tune [it] out. I haven't gotten anything but slanted junk from such "lists".

Comment Not spoken of often (Score 1) 322

Diesel-electric locomotives get 200-350MPG. The mass population doesn't want to use it for transportation of goods because it's too slow and not nearly-immediate satisfaction. Now, for a truck, having to stop 3/4 of the way through a haul to wait hours for a charge to complete the haul is different....... right?

*faceplant*

Comment Re:Not real useful (Score 1) 322

Given the fact that tractors typically put in 450-600 miles in a day... Yeah yeah, stop and charge, but given it takes a few hours to charge a car, and this will supposedly have a MUCH bigger battery pack, I guess truckers can now get 300 miles before they have to stop for 5-6 hours to recharge, meaning drive for 7 hours, charge for 6, drive for 7, charge for 6, etc. Not too conducive to rest!

Now if the battery pack were the size and volume of the trailer...... Oh, wait.

Comment Re: Shut the fuck up poor people! (Score 1) 213

Poor people can't just "get" a job. There aren't any jobs. None. Rich people have all the money and they don't feel like paying poor people to do jobs. Rich people still advertise plenty of jobs to keep the HR departments busy. All the jobs are fake though. Every job application gets filed away and ignored immediately. Fake jobs are never filled but the same jobs get posted every month so they look like they're still open. But really there aren't any jobs. Poor people just waste their time applying to fake jobs until they starve to death.

FTFY. Gotta stay in the category of following gov't regulation, you know, just in case you're investigated.

Comment Re: Low what ? (Score 1) 213

its because low incomes dont understand corporate investing and returns and tax deductions.

"Um, like, ummm, because you people that do understand it won't set it up for us for free and make it just work!"

I'm trying to return to solid logic and non-white-trash thought and expression. It's just so difficult once you get in to get back out. [that's what..]

Comment Re:Fake? (Score 1) 44

The messages are real. The sources are fake.

You're dead-on. Unfortunately, in 21st-century English lingo, you have to insert the word "like" in it somewhere, and pretty much follow the path of logic from top to bottom, refining the sentence with each iterate cycle until the end sentence is, "Everything is, like, SO FAKE!"

I believe that is the correct vernacular. At least under the age of 29, and under the IQ of 100. Numbers are variable. Mileage may vary. [insert legal lingo here]

Yep. That's 21st century. Or wait, am I supposed to be silent? Geez, like, I have so much trouble, like, keeping track of this shit, ya?!

Comment Re:Why do people still fall for this shit?! (Score 1) 44

"Because... The picture or video looks different every time... and that's confusing and misleading! It's not fair that I can't see that picture or video because I wanted to see it so badly. Now I really want to see it but the ads won't get out of the way!"

Note quotes. Face-Desk.

Slashdot Top Deals

"Mr. Watson, come here, I want you." -- Alexander Graham Bell

Working...