
Submission + - Netflix has no project managers. Yet, everybody uses this project management tool 1

mattydread23 writes: Netflix is well-known for its unusual management structure, and one of its characteristics is a lack of official project managers. Instead, workers cluster into ad hoc groups for particular projects. With no official mandate from IT, a project management tool called Smartsheet has become incredibly popular at the company. Netflix enterprise technology manager Justin Slater explains why.

Comment Re:Millions of conventional TVs vulnerable too (Score 1) 155

"Researchers from Dickweed University's Network Security Lab discovered a flaw affecting nearly every TV on the planet. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to turn on or off, or switch channels. The attack works by equipping a drone with a powerful universal remote, sending commands to all TVs in a broad range." It's even scarier like this!

That is not how this attack actually works. The attack has nothing to do with the remote and references to it and the "red button" have derailed things. This is an attack on the broadcast television signal. As you recall, broadcast TV was switched from an analog signal to digital. In Europe the protocol for this signal is DVB and in the US it is ATSC. Within these digital broadcasts is a protocol called the HbbTV standard which allows additional interactive data, features, etc. to be embedded to provide a hybrid viewing experience. For example during a baseball game they might embed an HTML page with the stats for the current batter. The exploit is that this embedded data is not protected in any way so anyone can inject a malicious payload into the signal. This could allow such attacks as session hijacking, etc. In the demonstration the researchers are attacking smart TVs in the neighborhood by rebroadcasting a local channel with the extra packets added to the stream. That approach is limited of course to the extent to which you can override the regular broadcast signal. A much broader impact would be if you could inject the packets at the broadcast source, for example on the network between the broadcast station and the actual transmitter station. In that case your attack would reach entire greater metropolitan areas.

What I am interested in is how much, if any, of this HbbTV information gets through when local channels are carried on other transmission media such as satellite or cable.

Comment Re:It doesn't take a genius to come up with an att (Score 4, Informative) 155

So the idea is that the attacker overrides the RF signal with his own one, which contains the malicious data.

No. They are actually overriding the DVB broadcast signal from the broadcaster and inserting malicious packets into the stream.

Abstract: In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.

All of the references to the "red button" on the remote are a distraction that can be confusing. The red button on your remote is simply a way that you can invoke or interact with the hybrid content in the broadcast stream. It has nothing to do with the actual attack and the embedded content doesn't need to be actual interactive content.

Comment Re:This is awesome (Score 1) 217

but in practice the subset of "all people" who actually do code reviews appears to be very, very small -- possibly smaller than the set of people who review closed source code.

I'm going to disagree here. For a given company that has a closed source implementation, there may be a small group of people qualified to look at the code and understand it, but that in no way means that they are or have done so. Corporate politics, capitalizable time, access restrictions, etc. all play a part in whether anyone at all actually looks at the closed source code for vulnerabilities.

Comment Re:Somewhat (Score 1) 114

This is not at all relevant to most implementations of DH, which use prime fields of large characteristic.

Exactly. Probably more interesting is that their solution is applicable to a wider range of finite fields than recent improvements.
From the paper:

Although we insist on the case of finite fields of small characteristic, where quasi-polynomial complexity is obtained, our new algorithm improves the complexity of discrete logarithm computations in a much larger range of finite fields.

I see no good basis for the ScienceDaily author's leap from the paper's results to his conclusion that

Since solving this variant of the discrete logarithm is now within the capacity of current computers, relying on its difficulty for cryptographic applications is therefore no longer an option. This work is still at a theoretical stage and the algorithm still needs to be refined before it is possible to provide a practical demonstration of the weakness of this variant of the discrete logarithm. Nonetheless, these results reveal a flaw in cryptographic security and open the way to additional research. For instance, the algorithm could be adapted in order to test the robustness of other cryptographic applications.

Comment Re:Is Diffie Hellman at risk? (Score 1) 114

Actually there is no need for DH, you can create a new throwaway RSA private/public key pair on both sides, sign it with your main key, use the throwaway keys to transfer the session key then wipe the throwaway keys. The problem with this approach is that generating a new RSA key pair for every session + transferring new key + extra round trips is a really slow process compared to DH.

So how do you go about securely communicating one part of the throwaway keys to the other side so that the session key can be transferred?

Comment Re:What Level 3 can do (Score 1) 210

I need internet for streaming media, general internet access, email, cloud storage, and gaming. Only one company allows me to do that effectively and even if I did switch to a worse service I'd lose the ability to do some of those.

Oh noes! Whatever will you do? How would you survive?
No, you don't need those things. You would like to have them. You need air to breathe, water to drink, food to eat and shelter from the elements. You apparently already have the things that you need which allows you to worry about the things that you want.

Comment Re:They're nuts but right (Score 1) 1374

Same problem as, "What if your gun runs out of ammo?". How do gun owners mitigate that problem? They check their weapon regularly.

Except that rounds do not magically disappear from a loaded magazine when it sits for a month. It still goes bang when you need it to. Batteries self discharge and could leave you defenseless just when you are counting on it.
