
Comment Re:Shorter summary (Score 1) 144

we don't know that, for all we know they were one of those mongodb databases that got cryptolocker-ed.

Except that you're describing it wrong. Cryptolocker has nothing to do with the over 20,000 MongoDB databases that have been subjected to ransom.

Here's what's happened...and may well be the case in this particular instance as well. MongoDB, by default, has no controls on being able to write, read, or even delete information. If you make the database accessible via the Internet, odds are you haven't fixed that default state...and that's exactly what's happened to tens of thousands of publicly accessible MongoDB installations.

Krebs on Security has an excellent writeup here: https://krebsonsecurity.com/20...
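The exposure pattern the comment describes (a listener reachable from the network plus access control left at its default) can be caught before deployment by auditing the mongod.conf. This is an added example, not code from the post or from MongoDB; it uses a tiny parser for the key: value subset of YAML that mongod.conf uses so it runs without PyYAML, and the two configurations are constructed samples. It assumes that a missing net.bindIp means localhost (the mongod default since 3.6; older builds listened on all interfaces).

```python
def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' / nested-mapping subset of YAML
    that mongod.conf uses. Comments and blank lines are skipped."""
    root = {}
    stack = [(-1, root)]                       # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:          # climb back to the parent level
            stack.pop()
        parent = stack[-1][1]
        if value == "":                        # 'section:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip('"').strip("'")
    return root


def audit_mongod(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    net = config.get("net", {})
    bind_ip = net.get("bindIp", "127.0.0.1")   # assumed default: localhost (3.6+)
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    wildcard = any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))
    exposed = bind_all or wildcard
    auth = config.get("security", {}).get("authorization", "disabled")
    if exposed:
        findings.append("listener bound to all interfaces (net.bindIp / net.bindIpAll)")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can "
                        "connect may read, write or drop every database")
    if exposed and auth != "enabled":
        findings.append("CRITICAL: network-reachable and unauthenticated, the state "
                        "behind the mass ransom incidents")
    return findings


# Constructed sample: the default-ish state the post warns about.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: bound to loopback plus one private address, auth on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod(parse_simple_yaml(text)) or ["ok"])
```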

Comment Re:Time to be pedantic (Score 1) 163

My argument is simple. A meter measures, nothing else (ignoring quantum physics). A device that controls the power in a house is not a meter. If such a device is called a meter it is incorrectly named, probably the handiwork of a marketing department. Yes, I am being pedantic, but where I come from (New Zealand), smart meters are immune to the risk of property damage because they are meters and only meters.

Gee, that's swell...but you know these are real things we're talking about, being done by real people, yes? You don't get to just redefine the whole power grid to suit your ignorance of the industry because you could technically argue that something is no longer a "meter" because it has an on/off switch. Remote disconnect is an option on every major meter for sale today, and pretty much all of the minor ones as well...and it's an option that almost every meter in the field has because it's incredibly useful to the power company.

Comment Re:ftdi? sigh ;( (Score 1) 83

The problem is that they hit the wrong target. I don't blame them for wanting to block counterfeits, but they attacked people who had no way to know they were using a counterfeit. Basically, they mis-managed their channels to the point that a legit customer could make a good faith effort to buy the real thing at market price and still end up with fakes and no way to tell. FTDI had a way to tell but they wouldn't disclose it. Rather than fix their channels and help their direct customers to get the real thing, they punished people who had no idea what an FTDI was.

I see a bigger problem here. You've got a microcontroller that is ostensibly open-source hardware, but it's using a component from a company that most definitely swings hard in the other direction. Okay, so a USB-to-UART conversion option that is open-source hardware may not be available...but do you have to use one from a company that deliberately goes after clones in a way that punishes the innocent as collateral damage, too?

Comment Re:There is nothing Alex Jones would doubt (Score 1) 333

...shit Alex Jones would doubt

There is not likely to be any conspiracy that Jones would doubt. In fact, he was one of the main promoters of the fabricated conspiracy.

There are shitloads of conspiracies that Alex Jones would doubt. Let me cite a few:

1, anything that makes Donald Trump look bad.

2, anything that makes Donald Trump's opposition look good.

3, anything that hurts his own image.

Comment Re:Time to be pedantic (Score 1) 163

Time to put my pedantic hat on. A smart meter cannot cause any damage as a meter is a device to measure, not modify or control. A quick Internet search suggests the word comes from the Greek word métron, to measure.

The devices being argued about are not smart meters, they are controllers. If you have a smart energy controller then I guess you may be at risk, but if like me, you have a smart meter then you can write code until the cows come home and still have zero effect on my power.

The devices being argued about actually are smart meters. One vendor cited...Sensus...doesn't even make "smart energy controllers." I don't know what you mean by that phrase, exactly...I assume you mean devices used for WAMPAC (Wide Area Monitoring, Protection And Control)...but Sensus does not manufacture anything that would fit the meaning of that phrase. Also, everything described here aligns with meters, not reclosers or synchrophasors or other WAMPAC-related devices.

Comment Sales pitches can be dangerously overblown (Score 1) 163

What the "expert" has done here is taken the worst features of multiple meters, and put them together as though every meter is this way. And even then, he's overstating things...this "they can tell if you're home by how much electricity you're using!" bullshit has been around forever, and it's ridiculous.

Let's see, where to start. One, almost no meters use GSM. GSM is expensive on a per-device basis (the target upper limit for hardware costs is about $100/meter), poorly-supported by cellular providers...with future-state being no support at all...and renders the utility dependent upon an outside provider for all of their network backhaul from the meters. This is why, if you look at any of the major meter manufacturers (Itron, Elster, Landis + Gyr, etc.) you will find that they all use a very different architecture that does not at all rely on GSM, or any other cellular protocol. They use mesh networking and collectors.

Second...okay, let's talk about what you can do with the meters. Yes, theoretically (it's never been done), you can figure out if someone is home. You would need to be in their neighborhood to begin with since you have to speak directly with the meter. You would need to reverse engineer their specific approach to frequency agility, and break the crypto so that you could then impersonate the head-end and do meter data requests. With that, you could do data sampling to determine what normal peak and low usage numbers were, and from that you could derive whether or not they were probably home at any point in time. Or...you could simply walk near the house and see if the lights were on or there were less cars in the driveway/garage than usual. Which thieves already do, as a best practice that works pretty well.

Then, let's talk this "house fire" over "overload" bullshit. Meters do not regulate power. Let me say that again. METERS DO NOT REGULATE POWER. They can turn power on and off, and that is it. They cannot modulate voltage, wattage, frequency, or amperage. And while in the early days of AMI adoption it was feared that a compromised head-end (or impersonation thereof) could permit an attacker to issue enough remote disconnects to cause what's known as a "bulk load shedding event," it turns out that the meters and their communications networks are too slow. That network architecture I described above with collectors and mesh networks? Every approach in broad use acts as an inherent throttle on communications in bulk. So you couldn't even destabilize the grid; the effect would happen too slowly. And just as the attacker could turn the meters off, the utility could just turn them back on...so this would not be what you would consider a "blackout." They cleverly cite a house fire, though that was the result of a meter vendor changing the polymer used in the meter backing; the replacement polymer had the dual properties of 1, not being ablative (so it could catch fire) and 2, being more brittle...so if the meter wasn't seated the right way, it would crack. An arc would form eventually, setting the meter's base on fire...and there's your house fire. Nothing to do with hacking in the least.

This guy Rubin is a wanna-be with a new company, and he's decided to look at devices which are widely used without really learning about the industry they belong to, or getting the experience needed to know how all of this stuff really works in detail. He's not a widely-recognized "expert" in cyber security, neither in general nor within the power industry.

Comment Re:Mass Impersonation (Score 1) 122

So my drone override transmitter that is already jamming GPS just needs to impersonate more than at least half the drones in range?

Along with all the local wifi hotspots, ssids, repeaters, device MAC addresses, etc. (including their spatial relationships to each other) that Google Maps just went ahead and logged. If I had to set this whole "out of sight flight" thing up that is one database that would get a lot of updates. People have put radio beacons everywhere, it would be a shame not to at least check in and say hello 60 times a day...

Also, he's confusing "jamming" with "impersonating." His "drone override transmitter" (whatever the fuck that is) can do one, or the other...but not both. And he should note that he'd need to be doing this across a LOT of spectrum...and eventually the FCC is going to find his ass as a result because as soon as GPS stops working, the drone shifts to other methods of navigating until it gets out of range of the jammer.

Comment Re: Patentee needs to be shot in the head. (Score 2) 122

Did you read the patent? It only seems to describe what actions the drone would take, not how those actions would be carried out. Any idiot could say "the drone will detect a threat and move out of the way." The hand waving behind this patent is similar to a software patent - no meat behind *how* it is done. Here is a great line from the patent: "The imager 210(2) may detect objects, which may allow the UAV 102 to identify the objects." Maybe if they designed some very sensitive "imager" with a wide FOV that weighs nothing and uses very little power along with a processor to handle all of the data, then they would have an invention.

I think I'm going to file a patent on a device that creates power through nuclear fusion. I'll just copy/paste the Wikipedia article on the topic since that level of detail is apparently enough for the idiots at the Patent office. Then, when someone finally figures out how to do it I'll be rich!

Actually, it did describe how they would be carried out, in detail. I mean, it doesn't explain how a camera works, but at some point you have to assume that a person reading a patent application has some understanding of, well, you know...consumer-grade electronics.

It describes what it would use as points of reference, and in what way. It even goes into details as to the frequency bandwidth needed for some of those uses. It explains the circumstances under which certain sets of activities would take place and has flow charts...FLOW CHARTS...to illustrate the components needed, the actions taken, and the order in which it all would happen. I mean, what do you want...PCB plans and parts lists so that you can build your own? And I've never seen anything quite like this approach...it's brilliant.

Comment Re:Rocket Propelled Entaglement Nets! (Score 1) 122

I built a proof of concept and took down my drone that was flying at 150' in my yard. It was fun.

I'm pretty sure that a delivery drone cannot outmaneuver a rocket-propelled net dispersion system.

I don't know...it doesn't have to move much to accomplish it. How wide was your net, and did you hit a moving drone or one that was stationary above you? What was your angle to the drone...because if it's passing by a hundred feet or so to either side of you, it only needs to shift course away from your position a tiny bit to cause a miss. The drone doesn't need to suddenly be 30 feet from where it was at the moment you fire your net...I'm guessing it's got a solid 1-2 seconds...at least...to alter course enough to avoid. Of course, if not...then the fact that your device has almost no other uses is interesting. I find it hard to believe that it'd be difficult to outlaw "rocket-propelled net dispersion systems" as soon as they became the primary means of committing grand larceny of delivery drones.

Trust me...you're not smarter than Amazon's combined force of engineers, lawyers, and lobbyists.

Comment Re:Drones seem to be the big thing in weponry now (Score 1) 122

Maybe thinking about this is a bad thing.

Might be ok if someone open sourced it so it wouldn't lead to a power imbalance but killing people with drones is pretty problematic so even then it's not a good thing.

Think a bit Slashdot, nerds aren't for evil.

Unless they work for Microsoft.

Or the pay is really good.

Or it's just too cool.

So...did you even READ any of this? This is a patent application by Amazon, for their delivery drones. They aren't killing people, they're delivering consumer products. The threats that Amazon is counteracting are actually already accounted for in military drones; it's called SAASM, with regard to jamming/spoofing, and also called "flying really high" with regard to the whole bow and arrow threat. Nobody is looking at this as a way of killing people, and if you're worried about the possibility that drones will be used to kill people...well guess what, dude? Too late.

Comment Hm. Bad writing? (Score 2) 122

When I first read the OP, it didn't make sense. A drone being "confused" by a muzzle flash? What kind of idiot thinks that's how a drone navigates...or that a muzzle flash would be more confusing than light reflecting off a window or a pond? So I dug in...and the actual patent application is what you should really read because it's very cool. The article about the patent application itself is very poorly-written; either the author didn't really read the patent app or didn't understand it.

The underlying problem is this: people will screw with drones that are delivering valuable items. They will shoot at them with objects ranging from thrown stones to bullets from firearms. They will use signal jammers, spoofing of navigational or control systems and maybe even malware that compromises a device that's used to provide guidance. They've put together a pretty clever approach to each of these problems.

For kinetic threats, a system that would detect the attack would trigger one of a few possible reactions. One reaction is the emission of foam to cushion the drone from the direction of the threat. This would temporarily degrade its flight performance, but only on an as-needed basis. Another would be avoidance, if possible.

For (using the USAF definition) cyber threats, they get really clever. GPS is a nightmare against a moderately-capable attacker; spoofing and jamming are pretty much impossible to defend against. The current gold standard is a device called a SAASM...but there's a catch. It's only available to military users of GPS, and no commercial equivalent exists. It depends upon cryptographic keys to use the privileged GPS functions, so even if you could build your own you could not make use of it. And this is the other interesting/tricky threat.

So, you're humming along and minding your own business using GPS to navigate when...aha! Someone jams you. Or they spoof GPS and try to get you to crash into the ground so that they can take your goodies. You will notice one of these happening when you suddenly lose GPS signal...and the other when your speed and course suddenly vary wildly without you having done anything to cause such.

Amazon has put together a really smart multi-layered approach to this kind of threat. I won't dig into the details, but some of the goodies include mesh networking, using a variety of alternate methods as points of reference (including even the signal jammer itself, if jamming is going on) and a broad range of different frequencies so that all-encompassing jamming or spoofing becomes a serious, serious pain in the ass for the attacker to accomplish.

Comment Re:We are the US of A (Score 1) 160

Any country with laws not in line with ours are just backwater dictatorships.

Why do our companies need to freaking read up on their stuff? That's like asking us to read a few hundred countries' laws and these shitty dictatorships would probably have consumer protection laws in their traffic laws just to make us pay.

If they play punch with us we should just stop trading with them and see what happens to their economy.

These assholes are biting the hand who feeds them.

While the AC is obviously a troll, there are some aspects of this ruling which seem a bit odd. For one, Steam was called out for not having "minimum quality guarantees." How exactly do you DEFINE "quality" for a video game? Do Australian laws really require this of all vendors...so that if you buy a book from a bookstore, and don't like it, you can say it had "poor quality," and get your money back? (Or, more to the point, you can claim that it had "poor quality" and get your money back even though you liked it?) Why is Steam the one that would have to be accountable for enforcement? Steam is a distributor.

The way business operates these days, it's unrealistic for a distributor to be held directly and solely accountable for maintaining quality standards on all products. Imagine Amazon having to test everything for quality...and keep testing, lest that quality change over time? Just setting standards for "quality" across things like books, movies, games, TV shows, sex toys, crafting supplies, etc....an impossible challenge. Testing against those standards? Incredibly difficult. And for what, an economy of 23 million people?

Add to that the fact that while a bit more than 21,000 tickets were opened that contained the word "refund" (not the best standard for determining how many refunds were warranted, mind you), Steam offered over 15,000 refunds. To me, this is a company that IS giving out refunds. And going further...how many of those tickets had a phrase like "if you can't fix this, I want a refund," only to have the problem fixed? How many of those were duplicates? How many of them didn't take the next step provided to start the refund process? How many of them were situations where a refund simply wasn't even warranted?

General Counsel for Steam was stupid not to get legal help when doing business there. He was even dumber to act like that was no big deal. But yeah...this ruling seems a bit excessive, if only because the laws there are nuts.

Comment Re:painfullpy lacking on details (Score 4, Informative) 37

The article outlines the general process of how a phone is intercepted and the software is applied, but it obviously does not go into details of how the data is found or transferred. My guess is these portable tablets Cellebrite has developed contain ADB and developer tools to pull off what to a seasoned slashdotter is just a parlor trick, but to a police department is nothing short of magical CSI hacking.

As hackers ourselves we need to ask more questions. What is the inner machination of this tablet? How do we defeat it? Can it defeat password encryption? How about Signal's password-based authentication? Is there a means by which contact lists can be hardened and encrypted? All of these questions are crucial in the next 10 years as most law enforcement does not bother with a warrant when they're halfway through your roadside fishing expedition.

As I understand it, from what I've read, the software essentially does an unencrypted backup of the phone and then analyzes the data to produce the report. It also appears to only work on older iPhones that do not require a passcode to back up, thus rendering it useless on newer models.

You hit the nail on the head.

(Love your account name, by the way...epic!)

For one thing, there was no passcode on the device. That's the reason for no encryption...all iPhones of this generation were encrypted so that you couldn't pull the data directly from memory storage. But since the phone was never locked, it was trivial to simply ask the phone to divulge all of its contents as a backup, which it did. No hacking, no exploitation...just like opening a shoebox to see what's inside.

For another, you're right in that later models (if locked) would be harder to get into. Starting with one model later...the iPhone 5s...iPhones have had a separate trusted module known as "Secure Enclave." Basically, Secure Enclave is the vault that stores all the cryptographic material. The iPhone puts the keys to all of its eggs in that one basket, and then secures the bejesus out of that basket. The 5s has the A7 processor...and the A7 was the first processor to use Secure Enclave. The iPhone 5 has the A6.
