
Comment Don't help them until they support homebrew (Score 2) 44

Security holes in these types of devices are what enable the homebrew developer community. Until Nintendo provides support for homebrew development on the 3DS, no ethical hacker should be providing vulnerabilities to Nintendo. Now, if Nintendo put that $20,000 toward providing homebrew options, then ethical hackers will want to help Nintendo since it would help secure their platform.

Although, with the rise of smart phones, there is a much smaller homebrew community on the 3DS than there was on previous generations of their hardware.

Comment You moved the goal posts (Score 5, Insightful) 251

It isn't a false equivalence: instead, you moved the goal posts.

First, we made fun of those nations because the government spied on everyone.
Now we spy on everyone.
So in response, we changed the argument. We claim that it was never really the spying that was the problem, it was that they were blocking free speech.
Next, we block free speech.
Then we can change the argument again: It wasn't the blocking of speech that was the problem, it was that they jailed people and held them without charges.

In the US, we've been playing this game for decades:

We now have a special jail where we can hold people without charges (Guantanamo Bay).
But we can move the goal posts again. We still aren't as bad as those other guys, because they do it on their own soil!
We used to make fun of Russia for requiring paperwork to travel, now we require it.
But it wasn't the paperwork that was the problem! It was that they had special "watch lists." Now we have them.
But it wasn't the watch lists that were the problem! It was that they had to all be personally inspected in order to travel. Well now we do too.

As you can see, we have already gone down the slippery slope; we merely hide it by moving the goal posts. Eventually, the next generation will grow up expecting this kind of stuff, having never known what it was like to be free. If you find yourself saying "well, we are nothing like place XXXX" then you should pause, reflect, and see if this is the same standard you applied a decade ago.

Comment Re:Cadmium based LEDs (Score 3, Interesting) 46

Your experience with OLED seems to match the theory. Blue degrades fastest. Some causes of degradation are proportional to usage, while some are not. As a counterexample however, I have a 2.5-year-old Samsung Galaxy S5, which uses "Super AMOLED", with no noticeable degradation so far. Unsurprisingly, the OLED association claims that OLED lifespan is as good or better than LCD. Wikipedia implies that too, but it sounds like it depends on exactly how it is constructed.

Comment Yes, and I'm Rick James, b*itch! (Score 5, Interesting) 471

Trump is a brilliant improviser. One way to redirect criticism is to accept the criticism, and spin it as though it agreed with you. I actually took a course on collaboration in a corporate environment that talks about this. Their idea was not to use it to spin things though, but to keep people open to ideas. Instead of saying "no, you are wrong because" you say "yes, and..." elaborate on how you will address the problem. Trump takes this to the next level.

Trump: "I'm going to build a wall"
The world: "That's ridiculous, that will cost 5 billions of dollars!"
Trump: "My wall idea is soo ridiculous, it will cost 10 billion dollars!"
The world: "We can't afford that."
Trump: "So I'll have somebody else pay for it!"

Trump: "I'm going to build iPhones in America."
The world: "That will cost too much."
Trump: "Yeah! They will cost so much that we will have to construct robots to build the phones!"
The world: "But if robots build them, that won't employ workers."
Trump: "My robots will be so awesome that they will cook breakfast for the workers!"

Sometimes I want him to say "Because I'm Donald Trump, bitch" in the same voice that Dave Chappelle used when he said "'Cuz I'm Rick James, bitch!"

Irony: One reason you can build iPhones cheaply in China is because Chinese workers don't get the kinds of protections and rights that US workers do. That was part of the Trans Pacific Partnership (TPP): to raise the worker protections in China to level the playing field. Trump is doing the opposite. He says regulations will be removed in the US. So instead of raising worker protections for Chinese workers, it sounds like he is going to remove protections from US workers. And ironically, the blue-collar workers voted for this.

Comment Re:Commute Chelsea Manning's sentence (Score 2) 534

Why does Chelsea Manning deserve a pardon?

Snowden leaked information about an illegal NSA program. He released the information to several high-class American newspapers in the hopes that they would filter it appropriately. What he released caused material changes to public policy. He may darn well deserve whistle-blower protection for that. Unfortunately, Snowden also leaked a bunch of stuff that was totally legal that the NSA did, just to shame them into paying attention to him. This leaves his status as a potential whistle-blower in a more dubious position.

Chelsea Manning just grabbed every random document he/she had access to and sent them, unfiltered, to a foreign national. Foreign diplomats now hold back from talking to US diplomats out of fear of their confidential communications being leaked. No public policy changes were made as a result of those leaks. What did Manning do that makes him/her a whistle-blower?

I see a big difference between the actions of these two people.

Comment Re:Ideally a manifest/profile from IoT makers... (Score 2) 230

I do not understand the questions. I will try to answer.

But how would that work for devices that aren't tied to a specific service?

Any labeling system has standard lingo. When labeling food for example, vitamin content is listed as a % of the estimated daily value required for an average adult. Protein however is listed in grams. Terms such as "Yellow #5" are standardized. The same would happen when labeling your speakers. When a device is listening, we would need to have a term for "I listen on all IPV4 addresses" and "I listen on the local IP multicast address." If you've ever written socket code, there are already standards for these. We would need other standard terminology for payloads.

When you open the box, you would see a little piece of paper that says "This wifi speaker system communicates on the following protocols:"
IP4ANY | RTCP+TCP/UDP | 554 - 556 | LAN realtime streaming service for receiving audio; PCM audio data, device name, model number
* | HTTPS+TCP | 443 | Internet streaming service for receiving audio; PCM audio data, device name, model number
* | HTTPS+TCP | 443 | Firmware update service; sends model number, firmware version, device name, last update date

Hopefully it would not say:
* | HTTP+TCP | 80 | Remote video monitoring and tunneling service; sends video, wifi password, user name, email address, device name

And the OP was saying this information is also coded into the device, in some standard machine-readable way.

If I cut them off from the internet then they simply don't work. I'd have to manually identify every IP that Spotify uses and there seem to be a lot of them

This is where I am confused. Why would you need to do that?

My interpretation of what mlts proposed is kinda like what UPnP does. Today, UPnP already has a way for a device to request that the firewall open a port. I don't think it is super broadly used because security wasn't really considered when UPnP was designed. It is part of why some people just universally turn off UPnP on their routers. But my knowledge may be totally out of date. I didn't interpret mlts to be saying that all outgoing communication was turned off by default, and that the owner of the firewall would need to manually whitelist sites. That would be secure, and you could certainly do that today, but that won't be convenient for the end-user. One could certainly make a "friendlier" firewall that made this a bit easier, kinda like how personal firewall software works. "Hey, device WIFI_CAMERA_1234 wants to talk to Allow Y/N?" :-)

Comment Re:Ideally a manifest/profile from IoT makers... (Score 5, Insightful) 230

I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.

This device communicates on the following protocols:
IP address | Protocol | Destination
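As an added example (not code from either comment above or from any real labeling scheme), here is a Python sketch of the "coded into the device in a machine-readable way" part from the two "Ideally a manifest/profile" comments: it parses label lines in the `scope | protocol | ports | purpose; payload` format shown above, refuses to allowlist a flow that would send credentials over a cleartext protocol, and turns the remaining flows into firewall allowlist rules. The sample label, the CLEARTEXT and SENSITIVE keyword lists, and the rule tuple shape are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the three "good" label lines from the comment above plus
# the "hopefully it would not say" line, in the exact format the comment proposes.
SAMPLE_LABEL = """\
IP4ANY | RTCP+TCP/UDP | 554 - 556 | LAN realtime streaming service for receiving audio; PCM audio data, device name, model number
* | HTTPS+TCP | 443 | Internet streaming service for receiving audio; PCM audio data, device name, model number
* | HTTPS+TCP | 443 | Firmware update service; sends model number, firmware version, device name, last update date
* | HTTP+TCP | 80 | Remote video monitoring and tunneling service; sends video, wifi password, user name, email address, device name
"""

CLEARTEXT = {"HTTP", "RTSP", "FTP", "TELNET"}            # assumed: unencrypted application protocols
SENSITIVE = ("password", "user name", "email", "ssid")  # assumed: payload words that must never go in the clear

@dataclass
class Entry:
    scope: str         # IP4ANY / * / a specific host or multicast address
    app_proto: str     # application protocol named before the '+', e.g. HTTPS
    transports: list   # transports named after the '+', e.g. ["TCP", "UDP"]
    ports: range       # inclusive port range from the label
    purpose: str       # human-readable description before the ';'
    payload: list      # what the device declares it sends, after the ';'

def parse_label(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        scope, proto, ports, desc = [p.strip() for p in line.split("|", 3)]
        app, _, transport = proto.partition("+")
        lo, _, hi = [s.strip() for s in ports.partition("-")]  # "443" or "554 - 556"
        purpose, _, payload = desc.partition(";")
        entries.append(Entry(scope, app.upper(), transport.upper().split("/") if transport else [],
                             range(int(lo), int(hi or lo) + 1), purpose.strip(),
                             [p.strip() for p in payload.split(",") if p.strip()]))
    return entries

def review(entries):
    # Returns (allowlist rules, findings). A rule is (transport, scope, first_port, last_port).
    rules, findings = [], []
    for e in entries:
        leaks = [p for p in e.payload if any(k in p.lower() for k in SENSITIVE)]
        if e.app_proto in CLEARTEXT and leaks:
            findings.append(f"{e.purpose}: sends {', '.join(leaks)} over cleartext {e.app_proto}")
            continue  # do not allowlist this flow; leave it for the owner to decide
        for t in e.transports:
            rules.append((t.lower(), e.scope, e.ports.start, e.ports[-1]))
    return rules, findings
```

Running `review(parse_label(SAMPLE_LABEL))` yields four allowlist rules for the streaming and update flows and one finding for the HTTP line, which is exactly the kind of label a "friendlier" firewall could use for its allow/deny prompt.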

Comment Re:Seed money, not day-to-day operations. Openstac (Score 1) 165

Corporate networks already do this.

No they don't. They wish they could, and they try. Here's how they try:

First of all, corporate IT has physical access to everything in the building. Comcast has no access to the devices in my house. That's an important difference. Second, corporate IT achieves most of their security by demanding that all devices on the network be Windows boxes that are on their domain. Comcast can't require this either.

Ultimately though, even corporate IT can't achieve this because they have to allow non-Windows devices onto the network. The fact that I could buy an insecure IOT camera and plug it into the network jack in my cube is what scares the heck out of IT admins. The best they could do is apply MAC address filtering, which would require that I either modify the MAC address, or take the device to IT so they can add it to their whitelist.

So some national testing organization is going to test every device that connects to the Internet?

Organizations, plural. They already do test most of them. They just don't bother to test security. The point about new software is interesting: currently, when companies make hardware changes it is up to them to notify the testing lab and submit it for certification. I suppose it would be the same for software.

Really I have a hard time believing people are so stupid here.

This is the 3rd time you've said something like that to me. I reply in the hopes that another person reading the thread will learn something, but I am going to stop replying at this point. I hope you get modded down to -1 on all these. It's annoying to write a paragraph explaining something, and get a single line reply like "That doesn't work and you are an idiot."

Comment Re:Another way (Score 1) 165

So Dell is liable because your Dell computer got infected and is part of a botnet?

If Dell installed an insecure piece of software on it, then yes, they can be.

It only makes sense to you because you are an idiot.

LOL, nice burn dawg.

There is no difference between an "IOT device" and a Linux or Windows computer you install software on.

One key difference is: who installed the vulnerable software and firmware onto the device? With a Dell Laptop, the owner can install whatever they want on it, so *maybe* it was the owner's fault not the manufacturer's. With a Frigidaire refrigerator, or a Honeywell thermostat, or an XBOX 360, or a Shenzhen-Guowei security camera, the owner probably can't install software on it. That's a crucial difference. With the laptop, one could argue that it is my fault because I installed the virus. But if my refrigerator gets infected because the manufacturer's firmware allowed anyone to remote into it, that is definitely the manufacturer's fault.

Comment Re:Another way (Score 1) 165

the problem is what is a "successful test"?

That is what the 3rd-party testing lab determines. It's not up to the manufacturer to test it.

what about devices that legitimately need to phone home

The testing agency should not have a problem with a device that needed to phone home. That's a legitimate feature. The testing agency would make sure that the data was encrypted, that failed password attempts are limited, that there isn't a single shared password on each device, etc.

For example that stupid IoT thermostat

Yes!!! That's what we are trying to prevent! It had no encryption and sent the user's personal information (email account, password, wifi SSID, wifi password). It had no limit to the number of password attempts. This is really low-hanging fruit that any testing would have uncovered.

Comment Re:Another way (Score 1) 165

So getting some kind of incentive to have devices certified seems like it will be difficult.

Agreed! So to make this work, we need liability.

So how about this: if your device is part of a botnet, or infects another computer - you are liable unless the device was certified by the testing agency.

That won't work. The problem there is finding out the source. If there is a DDOS from 5 million devices, nobody is going to sue 5 million people.

So how about this: Hold the manufacturer liable. We've been asking for companies (banks, etc.) to be liable for security breaches, and for software companies to be liable for making totally insecure software. So applying such thinking to IOT devices makes perfect sense.

Comment Re:Seed money, not day-to-day operations. Openstac (Score 1) 165

So the next step is that every device that connects to Comcast's network must be approved by this "organization similar to the UL", or they won't allow it on

Almost. We are proposing something similar to how it works with electrical devices and telecommunications devices. In those cases, it isn't the power company or the phone company that gets a say, it is the insurance companies and retailers. So no: Comcast would not be able to approve things. They simply have no way to enforce this even if they wanted to.

And you can't make any unapproved changes to that device, because any change might make it insecure. It is only logical after all.

No, that is not logical, and it is not how the industry we are comparing it to works.

At some point you will be only allowed to use a locked down computer running pre-approved software running in the cloud. Don't think it will happen? That is the logical conclusion to this madness.

If that is the logical conclusion, then why has it not happened already? This is how communications devices and electrical devices work in at least the US and Europe. Yet people are still allowed to tinker with those devices. Perhaps this is the point of confusion: Your computer is *already* approved by a national testing agency today. Pretty much anything that plugs into a power plug is. All we are saying is that those organizations should do security testing as well.

Comment Another way (Score 5, Insightful) 165

Most electronics in the United States are UL (Underwriters Laboratories) approved. That is because there are various non-governmental rules that strongly influence people into buying UL approved products. One is that vendors often refuse to stock products that are not approved by some standards body, because otherwise they may face liability for the product. Another is that homeowners insurance will not cover you if a non-UL approved device started the fire. Hospitals and laboratories will not buy medical devices that are not UL approved.

We need something like UL for security.

It would be great to have a system like that in place, rather than to have the government directly involved. The toughest part is that so much electronics is purchased online, from overseas manufacturers, that this free-market solution may not work. Really, the free market is optimizing around it. It would be awesome to see Amazon and Newegg refuse to sell products unless they had some kind of security approval.
