Comment Re:PKI? (Score 1) 27

Worse than that; in all likelihood.

While adoption has been patchy; the 'trusted computing'/TPM guys definitely have what it takes to deliver a cryptographically locked bootloader and a variety of other powerful-and-somewhat-creepy capabilities; so anyone who gets onboard with this will presumably move from shipping hardware with shitty firmware that doesn't get patches to shipping hardware with shitty firmware that doesn't get patches and cannot be fixed or replaced even if you have the requisite expertise with that platform. The sort of 'support' that bootloader locked android devices get now. Far too insecure to be remotely safe; far too secure for mere mortals to reflash the firmware with something else without a particularly elegant 'trustzone' compromise or hardware attacks.

I hardly mean to suggest that OpenWRT will save IoT or anything(IoT needs a lot more saving than is probably possible for anyone; and vendors are spitting out unsupported hardware far faster than 3rd parties and mainline kernel support can catch up); but if you think shoddy firmware is bad; it's hard to get excited about shoddy firmware that is effectively impossible to replace even for devices based on well supported hardware.

Comment Re:vGPU seems cool (Score 5, Informative) 90

My understanding is that it is more extensive: PCI(mostly 'e' these days) passthrough allows you to assign a physical device to a VM; but the device can't be shared: if a given piece of hardware is being passed through to one of the guests, none of the other guests or the host OS can use it.

This 'virtual GPU' stuff is supposed to make allocating GPU resources between VMs closer to how it is with CPU time or memory, where all the guests and the host can't exceed the capabilities of the machine they are running on; but they can all have access, with relatively modest overhead, to the same device.

I don't know if things work as pleasantly as desired yet; but in principle it should be a lot more convenient than full device passthrough. Especially in cases where you might be interested in the GPU for its computational capabilities, video transcoder, etc.

Comment Re:Why not blame the manufacturer? (Score 2) 263

If you think that finding a vendor that doesn't keep cutting battery life/SD card slots/headphone jacks/basic safeguards against electrical fire in order to make it thinner, cheaper, or both is hard; just try to find one that ensures sufficient borated polyethylene(with something else to sop up the resulting gamma rays) or other neutron shielding into their products.

There probably are some, making bits for nuclear reactors and industrial, scientific, and medical users of neutron sources; but it's a niche.

Comment Re:LibreOffice? (Score 5, Informative) 121

You can definitely embed Windows Metafile images in LibreOffice on Windows; but I'm not entirely sure if that is enough to make it vulnerable. WMF is dangerous because it is basically a package of GDI function calls, which might be good for efficiency or compactness; but has led to a number of creative and executable things being shoehorned in(as in this case; and repeatedly over the years).

However, there are several image handling libraries that can render or convert WMF images without access to GDI; so in those cases GDI bugs wouldn't be a problem(though you probably have other things to worry about).

This LibreOffice VCL documentation suggests that LibreOffice uses its own VCL WMF filters; but I sure wouldn't bet anything remotely important on that without testing it first; or knowing rather more about how LibreOffice is put together.

Comment Re: Makes sense. (Score 1) 109

Keeping the rats and fungi at bay can be tricky; so long-term survival is only assured in optimal cases. That said; the fact that ancient-recipe booze tends to be aggressively unfiltered by the standards of even the most yeast riddled modern variants quite possibly has something to do with the fact that you definitely lose calories if you do the filtering and clarifying necessary to get the 'suitably tinted; but otherwise optically clear' results that are currently favored.

You can recover at least some of the losses if you feed fermentation byproducts to livestock, use them as fertilizer, etc; but if hunger is a real constraint the fact that there's effectively bread sludge suspended in your beer starts to look more like a virtue than a defect.

Comment This seems pretty dubiously useful. (Score 4, Insightful) 142

This seems like a rather touchy solution looking for a problem.

Unless you really enjoy buying replacement hardware; the need to have battery power in order to trigger the kill switch is a problem. If you don't configure the device to self-destruct when its battery is on the verge of no longer having enough energy to perform a self destruct; all the attacker has to do is run the battery down. If you do configure it that way, forgetting to put it on the charger could get expensive and tedious rather fast(in addition to the various other issues that can interrupt battery power: overtemp protection kicking in in a hot car; current delivery capability falling under freezing conditions, etc.)

Plus, the battery, and its connection to the logic boards, tend to be among the larger and more obvious parts of a modern electronic widget. That makes them good candidates for controlled disconnection/destruction, even if you can't open the case without tripping some sort of anti-tamper mechanism.

Finding a good self-destruct temperature is also a bit tricky. The lower you go, the closer you get to the high end of normal operating conditions or the 'device won't operate; but should not be permanently damaged' range. 80 degrees is high for flash memory; but most CPUs will be happy enough to run that hot. The higher you go; the more power you need to be able to deliver to kick off the destruction; and the more vulnerable you are to an attacker who is able to apply coolant to slow you down; limit current or voltage delivered to the resistive heater, or both.

Comment Re:Mozilla...getting it wrong so you don't have to (Score 2) 163

I certainly don't disagree that Flash should be taken out and shot on security grounds; but it is pretty much the last NPAPI plugin that you are likely to piss users off by dropping support for. iOS got away with it; but Safari continues to support it(though grudgingly); Chrome killed NPAPI; but the 'Pepper' plugin interface appears to exist primarily to support Flash; Edge also whitelists Flash; and Flash on Android died mostly because Adobe couldn't make it work very well; not because Google shoved them off the platform.

Given Mozilla's less-than-commanding presence in the browser market; I suspect that they can't afford to take a hard line on Flash right now.

Comment Re:Context please (Score 1) 163

If Flash is being whitelisted; the main news will be Java applets(much rarer than they used to be; but a distant second to Flash in the embedded-blobs-of-stuff-that-can't be done in HTML, at least not when this site was built market); maybe Shockwave; if anyone still uses that; and then mostly shitware(at least at one point, Acrobat or Acrobat Reader would install something to grab PDF handling, some AV packages would inject their little contribution; Cisco has a hilariously vulnerable Webex support plugin that makes joining webex sessions incrementally easier and remote code execution a lot easier).

There really just isn't all that much anymore(which is presumably why FF is doing it; and why Chrome already did). Much as Oracle is a bit petulant about it(just visit the java download page in Chrome to see a nice little whine about how Google 'disabled the standard plugin mechanism'); relatively few people care; Flash is still hanging on; but Shockwave is pretty much dead; and most of the seriously hardcore legacy cases, the ones that will probably outlive some of us now talking about it; tend to involve ActiveX somewhere; so NPAPI plugin support is irrelevant; because NPAPI-only browsers never worked; and if they also need Java or something it continues to be available as an ActiveX plugin.

Comment Re:EMC/UL testing?! (Score 1) 67

It is true that there is no requirement about interference resistance(unless perhaps you are selling fancy gear to the DoD or the like); but, unless rather carefully engineered, badly shielded systems tend to leak both ways; and a contemporary high resolution display isn't exactly short on very high frequency signal lines and similar sources of RF noise.

The FCC doesn't care if your device falls over as soon as someone gives it a funny look; but unless this display was beautifully engineered for low emissions from the circuitry, without reliance on additional shielding; it's a trifle surprising that wholly inadequate shielding wouldn't involve RF leaking out, as well as in.

Comment Re:Go fuck yourself... (Score 2) 67

This issue is an obvious defect from a customer perspective($1,000 for a computer peripheral that malfunctions if the wifi is too close? Are you kidding?); but from a regulatory perspective I'm not sure why LG would be in any trouble. If failure modes don't include catching fire/electrocuting the user; it's not like UL or the consumer products safety commission cares; and the FCC's usual stance is

"This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation."

Which would justify a beatdown if the LG monitors were disrupting other devices; but allows(indeed, requires) products to suck it up and deal with the presence of licensed RF and FCC-compliant ISM/misc background noise. The customer obviously has reason to be displeased; but regulatory bodies are mostly concerned either with devices that are overtly dangerous; or devices that do RF things that step on other people's toes. Pitiful resistance to interference isn't their concern.
