Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Comment Re:with a top speed on the 5GHz band of 1.73 megab (Score 2) 119

5GHz isn't shitty.

It is on this router if it only does 1.73Mbps. I'm also curious about the 1MB of RAM. (Other pages indicate that it's 1.73Gbps and 1GB of RAM, which is in line with modern routers.) Another correction, it's got 4 gigabit ports total, 3 LAN and 1 WAN. This comes as a huge shock, but it seems the editors can't be bothered to proofread anything.

Comment Re:Addons don't exist I guess. (Score 1) 119

Fixed issue? What issue? If a page isn't there, it isn't there.

There's no issue. If a page can't be found, the browser should tell the user. If the user wants to install an add-on to avoid this for some reason, that's their choice, but it shouldn't be default behaviour.

Except sometimes, a page isn't there, but it is, because someone has made a copy of the page while it was still available. Having one-click access to this backup copy can be very handy. In case you didn't RTFA, Mozilla's No More 404s add-on will give Firefox users the choice to see old Internet snapshots saved in the Internet Archive's Wayback Machine. No, just showing an old copy of a page instead of the current one is not a good idea. Giving the user a choice of pulling up an archived copy instead of just an unhelpful error page is a nice thing to do.

Comment Re:Horrible Idea (Score 1) 119

If you don't want services automatically crawling your pages, configure your robots.txt appropriately.,, etc. This feature (which has been around in the form of the Resurrect Pages addon for at least 10 years) simply gives users an easy way to access a backup copy of a page when it isn't found live.

Comment Comodo is dropping it now (Score 4, Informative) 120

In the linked forum thread, from robinalden (Comodo Staff):

With LE now being an operational business, we were never going to take the these trademark applications any further. Josh posted a link to the application and as of February 8th it was already in a state where it will lapse.
Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse.
We have now communicated this to LE.

Comment You just have to deal with it (Score 2) 373

If you want a modern car, you're just going to have to accept that right now, they're all full of closed-source, black-box computer stuff. Short of going to work for the manufacturer and signing an NDA, you're never going to be able to get access to the inner workings of these things. The unfortunate truth is that these manufacturers are adding features without incorporating security from the very beginning, in an effort to have more bells and whistles than the other guys. They're getting better about security, but they still have a lot to learn.

The good news is that most of these hacks are at least somewhat mitigated. The Jeep one seems the worst, as it worked over a cellular connection from seemingly anywhere, to get into the infotainment system, and then jump to the car's actual controls from there. Chrysler was able to make some change to their network that (partially?) stopped the attack even if the individual cars were still technically vulnerable. The OnStar hack was a MITM between the mobile app and the OnStar website (due to not verifying the cert); it resulted in being able to do things to the car, but wasn't actually a vulnerability in the car itself. Most of the previous hacks require physically connecting to the OBD2 port in the car. As was stated in related posting, just as with computers, if the bad guy can break into your car and install a dongle, you're pretty much screwed anyway. Just like installing only necessary packages on a server to minimize its attack surface, you can also skip unnecessary vehicle options to reduce the chance of a vuln (though you may have varying levels of success getting a car with exactly what you want and nothing you don't).

We need these hackers to keep pointing out these flaws until the manufacturers fix them (and hopefully completely avoid the same mistake in the future). For now, it's still fairly early in the cycle with lots of learning being done. We need more isolation between the vital control systems and the trivial entertainment junk to completely remove the possibility of something like a USB stick being able to take over your engine, but for the most part these vulns are still rather limited in their application, due to the inherent limitations of actually getting linked up to your car's systems. I'm afraid it might get worse before it gets better, but at least these things seem to be getting addressed by the manufacturers, rather than just covered up.

Comment Re:When the Man In the Middle is You (Score 1) 54

Thanks, that's a much better article. Knowing that this is a Wi-Fi MITM attack greatly reduces the impact, at least for people like me. I'm sure it's very easy for less knowledgeable folks to stumble onto a rogue AP, but I'm not too worried about that with my own personal setup.

I'm still a bit surprised that just opening the app triggers a login (where OwnStar can steal the credentials). As I said, none of the displayed status information updates automatically; if you're going to log me in, why not at least show me current details in the app?

Kamkar’s shown that if a hacker can plant a cheap, homemade Wi-Fi hotspot device somewhere on the car’s body—such as under a bumper or its chassis—to capture commands sent from the user’s smartphone, the results for vulnerable vehicle owners could range from nasty pranks to privacy breaches to actual theft.

That seems like one of the worst places to do this. Due to the phone-internet link, server processing time, and VZW CDMA OnStar connection, the app is rather pokey. Other than possibly showing a curious person how it works or after locking my keys in the car, I would never bother to use RemoteLink if I was already at the car. You need to be where the phone/app is, which is probably not where the car is - that's the whole point of remote access features.

Comment Re:When the Man In the Middle is You (Score 1) 54

Yeah I'm not convinced... I don't see anything in the video that appears to be anything other than the normal functionality of the RemoteLink app by an authorized user. All of the functions listed (remote start, vehicle location, etc) are all normal functions of the app. Under normal use, the app will ask for a PIN for any command with security repercussions, and further commands in the same session will not require a PIN. I'd be very interested to know whether this "hack" is somehow capturing that PIN, or whether this is nothing more than a replay attack. Could be nothing more than copying the current login session from one phone to another...

Also, the remote-start thing is way overhyped. Remote starting a Chevy Volt does nothing more than turn on the A/C. You can't actually start the car and drive away without pressing the Power button, at which point the vehicle will look for and interrogate a valid key fob.

The biggest question I have so far is how he's managing to intercept the data stream between the RemoteLink app and GM. Presumably it communicates via HTTP (though one would hope HTTPS) I doubt that little box is intercepting 3G/4G cellular data, so I suspect that this is only possible via an insecure WiFi connection.

I agree, the video doesn't really prove anything. It simply looks like he's using the app normally. I could make an identical video with my own Volt. I assume he's actually doing what he claims, but the lack of detail in the video means it isn't actually proof of anything.

The SIM800L seen in his device is a quad-band GSM module. He also has a Raspberry Pi and a RTL8187L wireless NIC in there. It seems like it's a MITM attack between the app and OnStar's servers, but the GSM module makes me think he might be generating cellular packets to send directly to the target vehicle. The app doesn't even automatically refresh the displayed vehicle status info just by opening the app, so it doesn't seem like simply opening the app would trigger an OnStar-to-vehicle cellular connection that he could take advantage of.

I suppose it could be for intercepting the app's traffic over a cellular connection, but it seems like breaking into that data stream would be more complex than hijacking a Wi-Fi connection (though I admittedly don't know too much about data over cellular connections). It looks like all of the iPhones that are in use are on VZW cellular connections (the screenshot of the map is on Wi-Fi).

Maybe it's just to give the OwnStar cellular connection ability to report the target vehicle info to him from anywhere? That seems a bit excessive for a PoC for local testing, but I guess if he's taking it to DefCon, he would want it to work there.

If he is doing something with a direct cellular connection, it's somewhat mitigated by the fact that '14 and older models use VZW CDMA for OnStar service, while '15 and newer models have switched to AT&T. I'm sure it wouldn't be too hard to use a different cellular radio in the OwnStar, but it does make the target vehicles somewhat heterogeneous.

Comment Re:When the Man In the Middle is You (Score 1) 54

Crazy that the phone is not just some kind of passthrough ,but instead somewhere in he binary contains enough rights to do anything it likes with your car... the device must be just convincing the app that OnStar said it was OK to use it's unlimited powers to unlock the car and start the engine or whatever.

On the other hand, perhaps that ALSO means the attack cannot work with any arbitrary car, but only with an instance of an app you have already paired to your car so it was given the right credentials? If so it's a much less serious attack than it would seem at first.

The real issue would be, if a rooted Android or iPhone device could have the car-specific credentials scraped, to use at a later time with thier own OnStar app.

The app/phone doesn't communicate directly with the car. The app communicates with the OnStar service via the Internet (you have the same functionality from their website), which then sends commands to the car via cellular data (previously VZW, switched to ATT for '15 with all the new LTE Wi-Fi hotspot stuff).

Comment Re:Please explain (Score 1) 158

As others have said, I have a pile of old cell phones. I currently have 6 iPhones of various vintage in my possession. I also have a few other modern-ish cell phones and tablets as cheap gadgets to play with. I'm sure I have older phones around here too (got some Nextels somewhere...), but I'm not sure on quantity or capability. My car has GPS. I also have a neat little GPS-powered digital speedometer HUD that I bought for my motorcycle.

I'm pretty sure I'm still under 15, but somewhere around a dozen. How many of those get regular use? Just one - my current iPhone. Waze on my phone is better than my car's GPS, the motorcycle's windshield is at a bad angle for the HUD, and the other phones/tablets were just cheap toys to try things out on.

Comment Re:Pull the disk (Score 1) 466

So use the old machine to power the drive up if you don't have the power connector for it. Like a jumper cable. Open the old machine and set it next to the new one. USB adapter to the new computer, power from the old. The old computer will just sit there failing to find a boot drive, and you don't have to open the new one up. An adapter as suggested is the best way to go.

How do you suggest getting the old machine's power flowing through the 44-pin connector on the USB adapter?

On desktop drives with separate connectors, it's a great plan. It doesn't really work on a laptop drive with a single combined connector though.

Comment Worked for me (Score 1) 466

This looks nearly identical to the one I bundled with a HDD for a few bucks back in '09. It has worked great for me on many occasions. As stated, it might have problems if the HDD is especially power-hungry (check its label for power stats), but I expect it will most likely solve your problem pretty quickly, easily, and cheaply. On top of that, it's a good tool to have around for a variety of tasks related to working on random hard drives.

Comment I bought one (Score 1) 330

I picked up a Samsung UN65FH6001F in a 2013 Black Friday deal at Best Buy for under $1,000. It's very simple as far as current TV features go, but it's a great screen if you don't need 50 inputs and 200 apps on your TV.

I think the trend is to make every TV "smart" because it costs them little to nothing to put the existing "smart" chip in the TV, and it gives them more features to list on the box. Worst case scenario, they figure people simply won't use it if they don't want it. I expect the dumb TVs to become harder and harder to find, but you might still find the occasional gem out there. Mine was a BB-specific model, and wasn't even on Samsung's site at first (had to submit a ticket to get them to add it to even register the warranty).

Slashdot Top Deals

If you can't get your work done in the first 24 hours, work nights.