
Comment Re:Google is being dumb (Score 1) 90

No. USB-PD is not a "firehose". That is not how electricity works. USB-PD specifies certain discrete voltage levels, but you can draw as much or as little current as you want. Devices are supposed to have a buck converter to adapt the voltage of the input to the voltage of the battery, and they can do so at a wide range of input voltages.

The only reason to raise the voltage at the USB connector is to reduce resistive losses in the cable by reducing the required current. Once the electricity arrives at the device it can be converted to whatever voltage is appropriate for the battery, and it can deliver exactly as much current as it should. There is absolutely no reason whatsoever why USB-PD would cause more damage to a battery than Qualcomm QC, in a correctly designed device.

Comment Re:I don't hate on systemd but this is really bad (Score 1) 508

#define _XOPEN_SOURCE 700
#include <signal.h>
#include <sys/wait.h>   /* wait() */
#include <unistd.h>
int main(void) {
        sigset_t set; int status;
        if (getpid() != 1) return 1;                          /* only meaningful as PID 1 */
        sigfillset(&set); sigprocmask(SIG_BLOCK, &set, 0);    /* block every signal in the reaper */
        if (fork()) for (;;) wait(&status);                   /* parent: reap orphaned children forever */
        sigprocmask(SIG_UNBLOCK, &set, 0); setsid(); setpgid(0, 0);  /* child: unblock, new session/group */
        return execve("/etc/rc", (char *[]){ "rc", 0 }, (char *[]){ 0 }); /* hand off to the rc script */
}

Comment Re:It's not that bad. (Score 1) 111

It's not a year-long suspension. It's a permanent suspension of trust in their current roots. They can, however, re-apply after one year - with extra auditing over what is normally required - and if and when they pass that they may be let in again. If they do nothing, they don't get back in for free after a year.

Comment Re:Fabrice Bellard is awesome. (Score 4, Informative) 92

Too bad this isn't his.

Fabian Hemmer (http://copy.sh/, copy@copy.sh)

I have no idea where the submitter got Fabrice Bellard from. This is hosted on a completely different site and authored by a completely different person. Yes, more than one person is capable of implementing an x86 emulator in Javascript. Bellard wrote his and never released the (editable) source; this guy, OTOH, wrote a more compatible emulator of his own (runs more than Linux) and open sourced it.

This is also old news, I remember seeing it quite some time ago. The site has been up since 2014. Slow news day much?

Comment Re:The solution is horribly obvious (Score 1) 84

The problem is not "trusting" the proprietary crap, the problem is trusting it to improve security in any measurable way.

Android full disk encryption is just as secure as LUKS (in fact, under the hood it's dm-crypt just like LUKS, the key derivation is just different). This doesn't break the FDE. You still need the passphrase. What this does is break the "you need the hardware to access the FDE and we're going to impose additional non-provable restrictions such that you can keep using your 4-digit PIN and it'll be secure, promise" bunch of hot air that vendors like to sell you. Just like the FBI cracked that iPhone's FDE - by bruteforcing the passcode. This lets you bruteforce Android's FDE offline after a one-time attack on the hardware.

I use CyanogenMod on my phone. I have my FDE passphrase set to a long string, independent of my (shorter) unlock code. This attack doesn't affect me because my FDE passphrase is not bruteforceable in a reasonable amount of time. This only affects people who still think using a 4-digit PIN to secure FDE on their phone is a good idea because Apple and Qualcomm pinkie-promise that their secure tamperproof hardware can limit bruteforce attempts enough to make that a reality.

Comment Re:Blantant? (Score 5, Interesting) 181

A security researcher who goes around looking for ATM skimmers should know that the magstripe reader always goes along with a camera for the PIN pad, and that the electronics inside the card reader part aren't the whole story.

It's completely obvious once you look for it, once you know a skimmer was installed on the card slot, especially having another pristine ATM right next to it to compare. Nobody's going to blame someone for not noticing a skimmer in the first place, but once you know one was installed, yes, the PIN pad part is blatant.

Software

High IQ Countries Have Less Software Piracy, Research Finds (torrentfreak.com) 249

Ernesto Van der Sar, writing for TorrentFreak (edited and condensed): There are hundreds of reasons why people may turn to piracy. A financial motive is often mentioned, as well as lacking legal alternatives. A new study from a group of researchers now suggests that national intelligence can also be added to the list. In a rather straightforward analysis, the research examined the link between national IQ scores and local software piracy rates -- from data provided by the Business Software Alliance. They concluded that there's a trend indicating that countries with a higher IQ have lower software piracy rates.

Comment Re:Just as well (Score 1) 368

The ARM has nothing to do with game consoles. The PS4 and the Xbox One don't even use the ARM for their secure boot/DRM, they use something else (the PS4 uses the SAMU which is an LM32 derivative core inside the GPU portion, and I think the Xbox One uses more custom stuff). Read this libreboot page; the ARM is required to boot any modern AMD chip. Or this if you want a reference from AMD from last year. The PSP is very much alive and well and required to boot modern AMD chips.

Comment Re:Just as well (Score 5, Informative) 368

... and guess what, AMD CPUs have an extra ARM core in them, as well as multiple little cores of various architectures attached to the GPU. All running proprietary firmware.

Throwing random little CPUs at problems is nothing new. What makes you think the firmware in your PCIe WiFi card also can't access all main memory and be turned into a rootkit? What about the Embedded Controller on laptops, that runs even when it's off?

Yes, the state of firmware auditability of modern PCs is dismal. It's been like this for at least a decade. Yes, Intel does it one way, AMD does it another way, and just about every other peripheral on your board is also an attack surface. GPU? Dozens of little auxiliary cores (unrelated to the GPU unified shaders); Nvidia or AMD, doesn't matter. That USB 3.0 host controller? Probably runs firmware too. Ethernet? Yup, often has firmware these days. That LSI SAS controller? Full PowerPC core with enough oomph to run Linux itself. Your hard drive? 3 ARM cores, you can make them run Linux too. And all of those things can scribble all over your main memory unless you enable the IOMMU (except the HDD, that one can scribble all over your storage instead).

Sleep tight.

Comment Re:Generators (Score 4, Insightful) 637

Length doesn't matter. What matters is that you use a unique password for everything.

Using a unique password for everything is impractical without making your passwords random (for a secure definition of unique, i.e. you can't guess one password given another one). But once you make them random, it doesn't matter how long they are as long as they're at least 6 (if fully random), preferably 8 (if constrained) characters or so.

Why? Because your password doesn't have to withstand an offline brute-force attack. It has to withstand an online, over-the-network brute-force attack. If the attacker gets your password hash such that they can use an offline attack, they have already broken into that service and have all your data anyway. And, since you use a different password everywhere, cracking your password on that service gets them nothing.

Passphrases used to directly generate or wrap encryption keys are the exception to this, of course. Those had better be long.

Me? I use a pwgen-generated password on all sites/services, with the defaults (8 characters, pronounceable), and write them down in an encrypted password file. It's great, because I end up easily remembering the ones I use often, and the rest I look up as I need them. Can you crack those offline? Absolutely. But I couldn't care less; if you already have the hash, there's nothing more you get by cracking it.
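An added example (not code from either poster) that puts numbers on two of the arguments above: the FDE comment's 4-digit PIN versus a long passphrase once the hardware rate limit is out of the picture, and the password comment's claim that 6 to 8 fully random characters hold up against online guessing while still falling to an offline attack. The guess rates and the 10-year horizon are constructed assumptions, not figures from the posts.

```python
import math
import secrets
import string

# Constructed, assumed guess rates (not from the posts): an online attack
# throttled by the remote service, and an offline attack against a captured
# hash or an FDE header whose hardware binding has been removed.
ONLINE_GUESSES_PER_SEC = 100.0
OFFLINE_GUESSES_PER_SEC = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a secret of `length` symbols drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


def survives(bits: float, guesses_per_sec: float, horizon_years: float = 10.0) -> bool:
    """True if exhausting the keyspace takes longer than the assumed horizon."""
    return years_to_exhaust(bits, guesses_per_sec) > horizon_years


def assess(label: str, length: int, alphabet_size: int) -> dict:
    """Summarise one secret type against both attack models."""
    bits = entropy_bits(length, alphabet_size)
    return {
        "label": label,
        "bits": round(bits, 1),
        "online": survives(bits, ONLINE_GUESSES_PER_SEC),
        "offline": survives(bits, OFFLINE_GUESSES_PER_SEC),
    }


def random_password(length: int = 8,
                    alphabet: str = string.ascii_letters + string.digits) -> str:
    """Uniformly random password from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for row in (assess("4-digit PIN", 4, 10),
                assess("6 random alphanumerics", 6, 62),
                assess("8 random alphanumerics", 8, 62),
                assess("20-char FDE passphrase", 20, 62)):
        print(row)
    print("fresh site password:", random_password())
```

With these rates the 4-digit PIN fails even the online model, the 8-character random password survives online but is exhausted offline in hours, and only the long passphrase survives both, which is exactly the split the two comments draw.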
