
Comment So... (Score 1) 169

However, GP's point was that NAT could make it a little more difficult to get the device hacked in the first place.

So does any sensible router that I've seen that blocks inbound traffic by default
(i.e.: a router where you explicitly need to open Internet->PC access).

It doesn't matter if they are private IP (v4) addresses, that need NAT and port forwarding (i.e.: port 8080 from the router should be forwarded to port 80 on internal webserver 10.0.0.x),
or plain normal public IP (generally v6) addresses, that simply need access enabled to some ports on the public internet (a request for port 80 on machine IPv6 2xxx:yyyy:zzzz:wwww:vvvv:uuuu should be allowed through by the router).

If the router blocks inbound access by default, and the user needs to explicitly enable some access in the settings, both NATed IPv4 and IPv6 with public addresses are protected equally.
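An added illustration of that "deny inbound by default, explicitly open one service" policy for both address families, written here as an nftables ruleset (not part of the comment above). It assumes interface names wan0/lan0, an internal web server at 10.0.0.5 on the v4 side, and the documentation address 2001:db8::5 on the v6 side:

```nft
# Filtering is shared by IPv4 and IPv6 in one "inet" table.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default: nothing comes in

        # Replies to connections that the LAN opened are always allowed.
        ct state established,related accept

        # LAN may go out to the Internet freely.
        iifname "lan0" oifname "wan0" accept

        # IPv4: only traffic that the NAT rule below already rewrote
        # (router:8080 -> 10.0.0.5:80) is let through.
        iifname "wan0" ip daddr 10.0.0.5 tcp dport 80 ct status dnat accept

        # IPv6: no NAT, just an explicit allow for one host and one port.
        iifname "wan0" ip6 daddr 2001:db8::5 tcp dport 80 accept
    }
}

# The NAT part only exists for IPv4; it does not change who is protected.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "wan0" tcp dport 8080 dnat to 10.0.0.5:80
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Everything not matched by one of the explicit accept rules hits the forward chain's drop policy, so the v4 host behind NAT and the v6 host with a public address end up with the same exposure: exactly one port each.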

Comment What the end-user bought. (Score 1) 304

The thing is, from a technical point of view:

The user has paid for and bought:
- a car (with an electric drive, and its battery)
- an expensive webcam (also accompanied by some computation-accelerating hardware that could run neural nets/deep learning, if needed).

And the user has provably received the agreed goods.
(Easy to check, the front facing camera is clearly visible from the outside).

At some point in a putative future, Tesla might manage to write a piece of software that could eventually make the cars 100% fully autonomous self-driving
(i.e.: Google-car style) and not only some advanced form of collision avoidance (which is what the current Tesla Autopilot is. Basically what Volvo, BMW, and the like have been providing for a decade, only a tiny bit more advanced. Basically, the same stuff as a boat's or an airplane's autopilot - it takes over some of the more menial tasks of driving, but still requires a human captain's supervision).

They are now announcing that this future putative software, which does not exist yet, cannot be used to earn money.

From the current point of view: nothing can be done, because this thing doesn't exist yet.
So no legal argument at all.
It's basically as if I put a sign in my backyard saying that if one day some extra-terrestrials start to make contact, I will only allow *blue-colored* flying saucers to land here.

In the future: well *when* this putative piece of software starts to exist, then we will be able to start talking about it.
- maybe it will be considered a software upgrade to which paying users should be entitled, because Tesla can't put legally enforceable arbitrary limitations in their EULA (they probably just can't be held liable for any damage done in a commercial situation).
- maybe by then the law will have evolved and adapted enough, and people using 100% autonomous self-driving in a commercial manner will be legally required to take out a special insurance that will cover any subsequent liability (that's probably going to be the case in some European jurisdictions).
- maybe by then, Uber will have *their own* neural net, and will require you to install *their* package and run *their* net when ubering an autonomous car, in order to keep the liability under control - e.g.: because they have correctly insured their neural net against commercial damage. (Given their tendency to try to wash their hands of things, don't count on it, unless they are explicitly required by law).

Comment ASLR is *NOT* Obscurity, quite opposite (Score 1) 72

(Obscurity. You keep using that word, I do not think it means what you think it means)

ASLR is NOT obscurity.
ASLR is quite the opposite: it's a way to mitigate obscurity.

(Just like a password is NOT security through obscurity).

A kernel without ASLR is obscurity: you count on the attacker not knowing where the kernel (or any other critical software) stores its code.
Once the address map is known, every single instance of this kernel (or software) everywhere on planet Earth is at risk.

With ASLR (which is, in the Linux kernel's case, publicly documented and known - exactly like any cryptographic algorithm - the exact opposite of obscurity), every single instance, based on a small random token (which plays the same role as a password or a private key in a cryptographic system), can manage to hide *its own peculiar instance of stuff* from a potential attacker.

Knowing how ASLR works isn't critical (and in Linux's case, it's actually documented).
Knowing the token (= the password) is the critical step.
It's not "Security through Obscurity", it's a side-channel attack (= managing to guess the security key by using a feature of the Haswell CPU that locally leaks the information - the "clear text").

Security through Obscurity is hoping that nobody actually understands how your magical security solution works under the hood.
If anyone gets to know the internals, the *whole technology* is toast for ever.

Cryptography and other forms of sensible and modern security are the opposite: they count on a technology that is as widely known and published as possible (so it undergoes as many tests and reviews as possible, to make sure it is sound).
If something is kept secret, it's a small token, a number, a code, a key. Just a piece of data. Not the actual open standard code which will process the data.

Comment Apple and ZFS (Score 1) 159

I'm betting that once Apple is done ridiculing themselves with their "too little, too late + NIH" catastrophe with APFS,
they're probably going to silently acquire OpenZFS, and rebrand it as "Apple's CoW System".

I'm taking bets.

See Copland and NextStep for Apple's historical precedent.

(And see CUPS, LLVM, the KHTML-WebKit-Blink family, and countless better external technologies that Apple ended up buying/acquiring/taking over.
OpenZFS - if/when my prediction happens - will be just one extra point on this list.)

Comment Apple's *New Future SSD filesystem* vs *Copland* (Score 1) 159

As pointed out by krakelohm above,
and dgatwood below,
that "potential future successor to 'HFS Plus'" is NOT in production yet, and is missing important features.

Let's be frank.

This thing is so overdue, and has been postponed so much, that it might as well be considered Apple's new "Copland".

(And in this metaphor, ZFS is probably the thing that will play NextStep's role as the "external technology that got bought and hastily re-branded in order to save the situation in a last-ditch effort".
I'm starting to take bets.)

Comment Re:If the point was ... (Score 4, Insightful) 324

There's no proof that it has anything to do with Wikileaks, but in a world of IoT devices with no thought toward security, anyone who cares to do so can mount DDOS with the power of a national entity.

What's the point of doing what Assange and Wikileaks have been doing without any moral position? He isn't helping his own case.

Comment Re:Legal? (Score 2) 276

No, of course it is not legal to set a trap to intentionally hurt someone, even if you expect that the trap could only be activated by the person committing property theft or vandalism. Otherwise, you'd see shotguns built into burglar alarms.

Fire alarm stations sometimes shoot a blue dye which is difficult to remove or one which only shows under UV. Never stand in front of one when pulling the lever! But they are not supposed to hurt you.

And of course these booby traps generally are not as reliable as the so-called "inventor" thinks and tend to hurt the innocent.


Prosecutors Say NSA Contractor Could Flee To Foreign Power ( 44

An anonymous reader quotes a report from ABC News: The NSA contractor accused of stealing a gargantuan amount of sensitive and classified data from the U.S. government was studying Russian before he was arrested and would be a "prime target" for foreign spies should he be released on bail, prosecutors argued ahead of a court hearing for Harold Martin, III, today. The government said it is "readily apparent to every foreign counterintelligence professional and nongovernmental actor that the Defendant has access to highly classified information, whether in his head, in still-hidden physical locations, or stored in cyberspace -- and he has demonstrated absolutely no interest in protecting it. This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself." Prosecutors noted that Martin purportedly communicated online "with others in languages other than English, including in Russian" and that he had downloaded information on the Russian language just a couple months before he was arrested in August. Martin's attorneys, however, said in their own court filing Thursday that there is still no evidence he "intended to betray his country" and argued that he was not a flight risk. All the talk of foreign spies and potential getaway plans, the defense said, were "fantastical scenarios." Martin's defense team said in part: "The government concocts fantastical scenarios in which Mr. Martin -- who, by the government's own admission, does not possess a valid passport -- would attempt to flee the country. Mr. Martin's wife is here in Maryland. His home is here in Maryland. He has served this country honorably as a lieutenant in the United States Navy, and he has devoted his entire career to serving his country. There is no evidence he intended to betray his country. The government simply does not meet its burden of showing that no conditions of release would reasonably assure Mr. Martin's future appearance in court. For these reasons, and additional reasons to be discussed at the detention hearing, Mr. Martin should be released on conditions pending trial."

UPDATE 10/21/16: Slashdot reader chromaexursion writes: "Harold Martin was denied bail. The judge agreed with the prosecution in his decision."

Several Sites Including Twitter, GitHub, Spotify, PayPal, NYTimes Suffering Outage -- Dyn DNS Under DDoS Attack [Update] ( 264

Several popular websites and services are down right now for many users. The affected sites include Twitter, SoundCloud, Spotify, and PayPal among others. The cause appears to be a sweeping outage of DNS provider Dyn -- which in turn is under DDoS attack, according to an official blog post. From a TechCrunch report: Other sites experiencing issues include Box, Boston Globe, New York Times, Github, Airbnb, Reddit, Freshbooks, Heroku and Vox Media properties. Users accessing these sites might have more or less success depending on where they're located, as some European and Asian users seem not to be encountering these issues. Last month, Bruce Schneier warned that someone was learning how to take down the internet.

Update: 10/21 14:41 GMT by M : Dyn says that it has resolved the issue and sites should function normally.

Update: 10/21 17:04 GMT by M : Department of Homeland Security says it is aware of the first DDoS attack on Dyn today and "investigating all potential causes." Dyn says it is still under DDoS attack. News outlet The Next Web says it is also facing issues. Any website that uses Dyn's service -- directly or indirectly -- is facing the issue. Motherboard has more details.

Update: 10/21 17:57 GMT by M : It seems even PlayStation Network is also hit. EA Sports Games said it is aware of the issues in live-play. Dyn says it is facing a second round of DDoS attacks.

Update: 10/21 18:45 GMT by M : U.S. government probing whether east coast internet attack was a 'criminal act' - official.

Editor's note: the story is being updated as we learn more. The front page was updated to move this story up. Are you also facing issues? Share your experience in the comments section below.

'Adding a Phone Number To Your Google Account Can Make it Less Secure' ( 105

You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly Eng Site Lead at Twitter) argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of his friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number. On October 1, when Bob attempted to check his email, he discovered that he was logged out of his Gmail account. When he tried to log in, he was told that his password had been changed less than an hour ago. He tried calling Verizon, and discovered that his phone service was no longer active, and that the attacker had switched his service to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password and changed the recovery email, password, name on the account, and enabled two-factor authentication. He got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telcos are the weakest link. From the article: Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information.
There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor-auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.

Comment Remote exploit (Score 5, Informative) 72

TL;DR: because of this bypass, ASLR cannot prevent local privilege escalation. But ASLR can still prevent remote access.

The point of ASLR is that it's not easy to determine where the functions are located in memory.

So, if there's an exploit where you can force code to jump to some specific point in memory, you cannot use this exploit to call the functions you want because you don't know where they are.

(e.g.: stack smash. Overrun some temporary buffer that is stored on the stack, up to the point where you can overwrite the return address. So once a function has finished, it doesn't jump back to the caller [it doesn't return]; it jumps instead to the address you've overwritten [it jumps to the next function you want to abuse as part of your exploit].)

2 possible situations:

- You've already managed to get (user-level) shell access (or at least run any payload of your choosing). You want to escalate privileges up to root. You know of a bug in some piece of kernel code that you can try to exploit. ASLR would prevent you from doing it because you don't know where the piece of code is exactly in kernel memory space. So you run the bypass proposed by the researcher and you obtain a list of what is where.
Now you can run your exploit, and gain root.

- You're outside the machine. You want to get remote access. You know a bug in some code (be it kernel or userspace) that could be exploited. But you need to jump into a specific function whose precise location in memory you don't know because of ASLR.

So ASLR won't block local privilege escalation anymore (because when you have local access you can defeat ASLR's randomisations).
But ASLR will still block remote access (without local access, you can't get a map of all the ASLR-ised functions you need to inject in your remote exploit).
