
Comment they all use memory. If app can check available me (Score 5, Informative) 87

If an app can see how much memory is available, it can use this technique. All operating systems use memory when they create a new window and when they create GUI widgets such as input fields and buttons.

On their own machine, the malware author monitors free memory vs used memory. They click "buy now" in the eBay app. That opens a "log in to PayPal" window. The malware author notes that opening the login window caused memory usage to increase by 23752 bytes.

The malware author creates an app that monitors how much memory is used. When memory usage jumps by exactly 23752 bytes, that means the PayPal login window is probably being opened. The malicious app pops up its own window that looks like the PayPal login window. Since the user was expecting a PayPal login window at that moment, they enter their credentials. 5. Profit!

Note there's nothing unique to any operating system here. On any system, an application can find out how much memory and disk space is available, and therefore infer whether or not the PayPal login window is being opened, based on the precise amount of memory that window uses as it opens.

Comment not reading memory, just see HOW MUCH shared memor (Score 5, Informative) 87

Android DOES run each app as a separate user, and one app cannot read another app's memory.
Processes have private memory and shared memory. Shared memory is used for communicating with other processes, such as the window manager.

An app can tell HOW MUCH shared memory another app is using. You see this in task manager, it'll tell you that your browser is using 12 MB of shared RAM or however much.

So the attack goes like this:
On their own device, the attacker monitors how much shared memory is being used by the PayPal app and the eBay app.
Then they "pay now". The eBay app opens a "login to PayPal" window.
To display the window, the eBay app must communicate with the OS or window manager.
The attacker notes that when the app displays the login window, the amount of shared memory used increases by 26KB.

The attacker builds an app that monitors the amount of shared memory in use.
If the amount of memory in use jumps by exactly 26KB, that's probably because the "login to PayPal" window is being displayed.
The malicious app pops up its own login window on screen, which looks just like the PayPal login window.
The user was expecting a PayPal login window, they see what looks like a PayPal login window.
The user enters their PayPal credentials.

This is all based on knowing HOW MUCH memory is used vs available. From that, you can infer when another app opens a new window (activity).

Comment It's a confidence score. Normal for binary decisio (Score 1) 33

The "inferred third value" is almost certainly the probability/score/confidence level, and it's normally included for machine-learning or any classifier algorithm, such as one that makes a yes/no decision based on a numeric value within a range. You'll see it a lot with spam filters. It's required because the USER chooses at which threshold they wish to take certain actions.

I'm going to use the spam filter example because that's one many people are familiar with, specifically SpamAssassin. It will score a message like this:
Body includes the word "free": 2 points
HTML and text parts are different: 1 point
Sent through an open relay: 2 points
Tiny font: 1 point
From address default whitelist: -3 points

Adding up the scores, the total score for that email is 3 points. The server admin can configure how many points are required before an email is placed in the spam box, and how many are required before the email is deleted outright. Note that the choice of how high the score needs to be to be considered spam is completely separate from the algorithm generating those scores. One admin might be very tough on spam and decide that anything over 2 points is treated as spam. Another admin might be more lenient and set it to 4, so anything 4 or higher is treated as spam. The ROC informs the admin as to the results of different settings. A threshold of 2 will obviously have more false positives than a threshold of 4.

Note again the choice of threshold to take some action is selected by the USER, not by the group who designed the algorithm. In the case of this predictive tool, a web hosting company might choose to have the following policies:

No site with a risk score over 80 can be hosted on our servers.
Any site with a score over 40 will be informed and our security team will offer assistance in making the site more secure.

Those policies of what to do at different score thresholds are completely separate from the algorithm, the team who wrote the paper doesn't choose the thresholds for specific actions. Instead, the graph informs the web hosting company "at a risk score of 80, you can expect 5% false positives. At a risk score of 40, you can expect 15% false positives".
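
An added example, not part of the original comment and not SpamAssassin's own code: it keeps the scoring function separate from the operator's threshold choice and computes the ROC points that inform that choice. The rule names and the labelled sample messages are constructed; the weights are the ones listed in the comment.

```python
# Added illustration. Rule names and the labelled messages are constructed;
# the weights are the ones listed in the comment above.
RULES = {
    "BODY_FREE": 2,           # body includes the word "free"
    "HTML_TEXT_DIFFER": 1,    # HTML and text parts are different
    "OPEN_RELAY": 2,          # sent through an open relay
    "TINY_FONT": 1,
    "DEFAULT_WHITELIST": -3,  # From address on the default whitelist
}

def score(hits):
    """The scoring algorithm: sum the weights of the rules a message hit."""
    return sum(RULES[name] for name in hits)

# Constructed corpus of (rules hit, is_spam). The second ham entry is the
# comment's own example message, which scores 3.
SAMPLES = [
    (["BODY_FREE", "OPEN_RELAY", "TINY_FONT", "HTML_TEXT_DIFFER"], True),  # 6
    (["BODY_FREE", "OPEN_RELAY", "TINY_FONT"], True),                      # 5
    (["BODY_FREE", "OPEN_RELAY"], True),                                   # 4
    (["OPEN_RELAY", "HTML_TEXT_DIFFER"], True),                            # 3
    (["BODY_FREE"], True),                                                 # 2
    (["BODY_FREE"], False),                                                # 2
    (["BODY_FREE", "HTML_TEXT_DIFFER", "OPEN_RELAY", "TINY_FONT",
      "DEFAULT_WHITELIST"], False),                                        # 3
    (["HTML_TEXT_DIFFER"], False),                                         # 1
    ([], False),                                                           # 0
    (["DEFAULT_WHITELIST"], False),                                        # -3
]

def rates(threshold, samples=SAMPLES):
    """(true-positive rate, false-positive rate) if score >= threshold is spam."""
    spam = [score(h) >= threshold for h, is_spam in samples if is_spam]
    ham = [score(h) >= threshold for h, is_spam in samples if not is_spam]
    return sum(spam) / len(spam), sum(ham) / len(ham)

def roc(samples=SAMPLES):
    """One ROC point per distinct score: what each threshold setting would cost."""
    return {t: rates(t, samples) for t in sorted({score(h) for h, _ in samples})}

def lowest_threshold_within(max_fpr, samples=SAMPLES):
    """The operator's policy: most aggressive threshold with FPR <= max_fpr."""
    ok = [t for t, (_, fpr) in roc(samples).items() if fpr <= max_fpr]
    return min(ok) if ok else None

if __name__ == "__main__":
    for t, (tpr, fpr) in roc().items():
        print(f"threshold {t:>2}: catches {tpr:.0%} of spam, flags {fpr:.0%} of ham")
```

Changing `max_fpr` moves the chosen threshold without touching `score`, which is the separation between policy and algorithm that the comment describes.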

Comment water stops alpha particles (Score 1) 521

I think what you said is true.

Also, as I understand it, the long-lived isotopes tend to emit alpha particles. Alpha particles are easily stopped- they don't penetrate most materials, including water. So most of the radiation is expended by the particles hitting the water.

On the other hand, if the fish eat plutonium particles and a human eats the fish, that's not good. On the other hand, taking a walk on a sunny day exposes you to more radiation than a power plant ever will, excepting a worst-case scenario.

Comment Yes. That's what republicans have said for years. (Score 2) 338

When it comes to granting new powers to the government, that's exactly right. Republicans have been saying that for decades and Bush Jr was criticized for taking on new powers, because any new power he assumed would be inherited by Obama or whoever came next.

Looking at poll numbers, Jeb Bush is likely to be elected president in two years. How much power do you want Jeb Bush to have? Any powers you grant Obama will be inherited by J Bush.

Comment no, he said don't take NEW powers if your successo (Score 3, Informative) 338

No, he didn't say everything needs to have bipartisan support. He said that if the FCC assumes a NEW power, the power to override state law and ban or require municipal broadband, the FCC will still have that power when Jeb Bush is president. If you decide that the FCC can choose whether or not muni is built, a different FCC chairman would inherit that power and could ban municipal broadband. Don't assume new powers for yourself if you don't want your successor to have the same power.

That's something I keep in mind. If Palin were president, would I want her administration running the health care industry? If not, I should oppose government run healthcare because we WILL have a president as bad as Palin at some point. Maybe in 2016, maybe in two years, maybe in six years, maybe in ten years. We will have a horrible president. How much control do I want that crappy president to have over my life?

Comment That's his point. Don't let the FCC ban/require (Score 4, Informative) 338

You seem to have completely missed his point, so let me break that long sentence into four short sentences for you:

The FCC is deciding if it has the (unconstitutional) power to decide whether or not municipal broadband is built, disregarding state law.
If the FCC assumes that power, a future FCC chairman would therefore have the power to ban municipal broadband.
That would be bad.
Therefore, don't assume new powers that you wouldn't want your successor to have.

I'm not sure if I agree in this case. I do agree with the general principle- if you acquiesce to Obama assuming new powers, president Jeb Bush will inherit those new powers in a couple years.

Comment Mostly Wordpress, then. 50% accurate: all sites (Score 5, Informative) 33

I see that, of the top "features" they identified, most are just various tags that mean Wordpress is in use. So they learned that Wordpress sites tend to get hacked. Duh. The Wordpress team isn't interested in security. I demonstrated an exploit for a serious vulnerability in Wordpress and submitted it to their bug tracker. For two years it sat, with one WP developer saying "it can't be exploited" - even though I attached an exploit directly to the tracker issue. Two years later, the vulnerability was added to a 'sploit kit and thousands of sites were compromised over the course of just a few days. That's when WP finally got around to patching the clear and significant vulnerability.

I see TFA claims "66% accuracy". "All sites will be hacked at some point" is about 50% accurate. I bet we could have 66% accuracy simply by saying "sites running PHP 5.2 or below will be hacked."

Comment C and Basic(.net) to learn both sides,tree forest (Score 1) 548

I think it's very valuable to be at least a little bit familiar with C, so you understand what the interpreter or .NET runtime is doing behind the scenes, and something like a .NET language for a bigger view. For example, I didn't really "get" objects until I worked on VB for a while. Graphical objects like text boxes and buttons are clearly objects which have their own properties, events, and methods. Until then, I thought of objects as little more than function libraries. Working in C or something else low level, sometimes you can't see the forest for the trees.

On the other hand, people who only know very high level, highly abstracted, languages routinely do stuff that's obviously incredibly stupid - obvious to the person who can roughly translate that C# into ANSI C. If you don't know what the runtime is doing behind the scenes, you don't realize that while you could access the disk 1,000 times, you're instead accessing it 1,000^2 times (1,000,000).

Not that everyone should be GOOD at C or assembly and good at Java or .NET, but being familiar enough with both high and low level will make you much better at whichever you prefer.

Comment All roads lead to Rome. (you're both silly) (Score 2) 299

You're both being silly. Roads, including PAVED roads, have existed for THOUSANDS OF YEARS.
Appius Claudius Caecus, a government official in Rome, commissioned the Via Appia (Appian Way) over two thousand years ago, but thousands of years before that there was a road to Bethhoron. Consider also:

Then they said, Behold, there is a feast of the LORD in Shiloh yearly in a place which is on the north side of Bethel, on the east side of the highway that goeth up from Bethel to Shechem, and on the south of Lebonah.
Judges 21:19

As marauders lie in ambush for a victim, so do bands of priests; they murder on the road to Shechem, carrying out their wicked schemes.
Hosea 6:9

Raise your hand if you know all about Canaanite infrastructure projects in the third millennium BC. I'm going to venture a guess that neither of you have any idea how the roads in Horeb were built.

Those would be early examples of _improved_ roads. Roads, as named routes, existed in the stone age. Which one of you is going to claim you were at the tribal council meeting in Grog's cave 14,000 years ago to witness the road improvement project being contracted out to Ork?

Comment not just theory, knowingly false = actual damages (Score 1) 155

> In theory false takedowns could be pursued in court.

The statute specifically says that if someone KNOWINGLY misrepresents the facts in a DMCA notice, they can be sued for actual damages. In contrast, someone who NEGLIGENTLY infringes can be sued for statutory damages. Knowingly is a much higher standard than recklessly or negligently. If Google can prove that Warner Brothers KNOWS a notice they are sending is bogus, Google can sue for their actual costs, about $5. That's in the DMCA law, and that's the problem with the DMCA law.

> The real problem here is automated takedowns.

The automated notices you're talking about are sent recklessly or at least negligently. If Google and the target could sue for reckless notices and receive statutory damages, that would solve the problem.

> How can you have a computer send

You had your computer send that message to Slashdot's computer. You did so carefully, not recklessly or negligently.

Comment I own Apache code. I allege your post infringes it (Score 1) 155

As an author, I own rights to Apache httpd.
I allege that your post infringes my copyrights on Apache and demand that Slashdot remove your post.

I am indeed "the owner of an exclusive right that is allegedly infringed." My ownership of my Apache contributions is a true fact. I allege that you've infringed those rights. The perjury part applies (only) to my statement that I do in fact own the rights to my contributions. Whether or not your post infringes my rights is for a judge or jury to decide, because it's a complicated question.

Whether or not the whole complaint is true is the subject of the "knowingly misrepresents" clause, which would be better if it was "recklessly misrepresents" or "negligently misrepresents".

Comment Yeah, we objected to the "knowingly" false. Neglig (Score 1) 155

Yeah, an earlier draft was better, but since you can only recover damages for KNOWINGLY false claims, and there are no statutory damages, it allows large-scale bogus claims. Truly, though, if it allowed damages for recklessly false or negligent claims, and had statutory damages, that would pretty much fix it. The procedure outlined in the law is actually pretty good. The content goes right back up if the person who posted it says it's not infringing. It's just the lack of any penalty for reckless claims that screws up an otherwise pretty reasonable law.

Comment DMCA has a section for search engines. Full text (Score 2) 155

The DMCA has a section titled "Information Location Tools" which covers linking. Here's the relevant text of the law:

        for infringement of copyright by reason of the provider referring or linking users to an online location containing infringing material or infringing activity, by using information location tools, including a directory, index, reference, pointer, or hypertext link, if the service provider—
                (A) does not have actual knowledge that the material or activity is infringing;
                (B) in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; or
                (C) upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material;

Further up, it says that once you've received a DMCA notice with all the blanks filled in, you have actual knowledge. So under d 1 c, after receiving notice a search engine or other locator service (torrent tracker) must "acts expeditiously to remove, or disable access to, the material".

The problem is that there's no statutory damages for even knowingly false claims, and no damages at all for reckless claims.
Adding statutory damages for reckless claims would mean these big companies would stop filing all the reckless claims.
