Comment What about all of the other toys? (Score 3, Interesting) 45

I've got to say, this seems creepy to me. It's not just spying on kids, it's spying on whoever is in range. It's basically an open mic in your home, transmitting to god knows who.

So is a "smart" TV, a laptop computer, a tracker (a more appropriate name for a cell phone or mobile phone, given that it recognizes the activity it does the most), and so many other voice-activated gadgets with network connectivity, all running proprietary (read: untrustworthy by default) software. And a lot of these devices have cameras in them too, also under proprietary software control. And virtually all of them have been used by kids for years. Some of these devices have geolocation hardware in them too, which must make it easier to geotag the data the proprietors can acquire, keep, and share. I think it's great that people are finally getting around to thinking about the security and privacy implications when this is presented to them in the form of a toy, but really this is far too late in coming.

Departing from the parent comment, situations like this are also a constant reminder of the profound inadequacies of modern-day IT experts who choose to surround themselves with these things, not in an experimental way to investigate them but as consumers who apparently value minor convenience more than their own privacy.

Only software freedom helps you enjoy all of these devices in a way where you, the user and owner of the device, can have a real say in what gets recorded, where that data is copied, and thus who gets access to that data. It's not about shutting these things out of your life entirely, it's about respecting who should control this data.

Comment Re:Well... (Score 1) 91

No, what he is referring to is that if you get into a command shell, you can invoke an unsigned PowerShell script with PowerShell.exe -file. But that's not much different than source in bash.

But it's hard to imagine a social engineering attack that would get a user to download a file and then get them into a CLI session to override execute flags or signing to invoke the script file.

Comment Re:Not that big a leap (but I doubt OOP @ times) (Score 1) 91

This is one of the reasons microkernels have a much more manageable security model. The problem is that microkernels have some performance penalties that, at least in previous generations of CPUs, led most OS developers to work in monolithic or mixed models. Yes, there are user-space device drivers, so there has been a lot of work done to move device drivers a lot further away from Ring 0 and Ring 1, but even this simply makes monolithic kernels even more complex, and complexity is always the enemy of security.

Comment Re:(bash|sh|ksh|zsh) && !PowerShell (Score 1) 91

The kinds of vulnerabilities that PowerShell suffers would be suffered by any operating system that has a fairly comprehensive scripting language. The issue simply is that if you can automate OS functions like creating, altering or deleting files and other system resources, someone can write a malicious script that, if run even in a non-super-user context, can wreak havoc, but if run in a super-user or similar higher-access context can lead to enormous damage or to compromised systems. There are ways to mitigate this for both Windows and *nix, but more often than not you have to be proactive about it.

Comment Why I watch in the cinema (Score 3) 284

Watching in the cinema is a completely different experience. Going out of the house and making a journey somewhere builds up the sense of occasion, especially when it's combined with a nice meal somewhere beforehand. Watching a film as part of a large audience is also a better experience than watching at home. Sure there are certain audiences that are annoyingly chatty, but for the most part I have a good experience with fellow film-goers. Watching as part of an audience helps you to pick up on things that you wouldn't notice otherwise. Also, the inability to pause means that you have to put your phone away and give the film your undivided attention. Watching at home leaves you prone to more distractions.

Comment Re:More likely medical practice, not evolution (Score 1) 255

There are reasons why that's a poor idea. E.g., wider hips pose mobility issues. The system really needs a thorough redesign so that birth doesn't need to fit through the pelvic girdle, but that's far beyond us. The current system was designed for creatures with horizontal body position and small head size. For that it works fine. As it is... it puts strong constraints on development.

Don't think that this is the only place where history impacts evolution, though. Spiders have to drink their dinner because their brain is in a circle around their esophagus (or whatever you call that part of a spider). This worked out fine originally, but spiders became successful, and started growing and getting smarter, so their brains got larger, and now they need a liquid diet. If they get any smarter they won't be able to eat at all.

And speaking of the esophagus, consider the human trachea. Ever have something "go down the wrong pipe"? That's because of a very old design decision that's now apparently impossible to evolve a solution for. The lungs share the plumbing with the gut in the neck and head. There are lots of other similar features calling for a re-factoring of the design, but evolution doesn't work that way. All the intermediates must be not only working, but competitive WRT the prior model. No intermediate regressions allowed. (Except, of course, at times like after a major extinction event, when the selection pressure temporarily becomes quite low.)

Comment Re:Microsoft Bash to the rescue (Score 1) 91

They're not, and they suffer the same inherent vulnerability that PowerShell or any other executable scripting language does: even if you have core network and system resources ringfenced, malicious scripts can still play havoc with anything even regular users have access to (like shared file resources and the like).

The reality is, and this has been known for a couple of decades now, that email and web clients simply should not be able to execute code. But since executable code, whether macros or scripts, shows up in so many file formats, it's all but impossible to fully enforce such a regime.

Comment Re:Replacing CMD (Score 3, Interesting) 91

Some of the nastier scripts out there nowadays aren't really about gaining elevated privileges. Some of them, like encrypting ransomware, require no special privileges at all, but simply access to user files, and to network files that the user has read/write access to. So while the critical aspects of a computer or a network are protected by execution and system resource access limitations, you need to prevent execution of unauthorized scripts completely.

I have to admit I've found signing PowerShell scripts to be a mighty pain in the arse, but it does provide some protection against external scripts running when you maintain the blocking of execution of unsigned scripts. It isn't a complete protection, unfortunately, and PowerShell is only one route by which this kind of ransomware could end up on a system. Vulnerabilities in Java, MS-Office files, and even the execution of Windows Scripting Host files (vbscript and jscript) seem more common from my experience.

The one bit of ransomware I saw got loose through a vbscript file attached to an email. For whatever reason, Outlook allowed it to be executed, and the user clicked the dialog that might have prevented it, and then the script went to town encrypting files on the user's own folders and the share. Fortunately there's a good backup regime in place, so there was very little actual loss, but it demonstrated that along with some vulnerabilities in Windows' execution protection schemes, the real weak link as always is users themselves.
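The signing-plus-execution-policy setup discussed in this comment (and the `PowerShell.exe -file` remark in the "Re:Well..." comment above) can be walked through end to end on a lab machine. The following is an added example, not code posted by any of the commenters: it creates a lab code-signing certificate, enforces AllSigned, signs a sample script, shows that the signature breaks when the file is modified after signing, and audits a folder for scripts whose signatures do not verify. The directory `C:\Lab\Scripts`, the certificate subject, the script name and its contents are all constructed for the example; an elevated Windows PowerShell 5.1 (or later) session is assumed for the LocalMachine scope.

```powershell
# Added lab example: enforce AllSigned and observe what a signature protects.
# Assumptions: elevated Windows PowerShell 5.1+, throwaway folder C:\Lab\Scripts.
# In production the certificate would come from an enterprise CA, not be self-signed.

$LabDir = 'C:\Lab\Scripts'
New-Item -ItemType Directory -Path $LabDir -Force | Out-Null

# 1. Lab code-signing certificate (subject is a constructed example value).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Lab Script Signing (example)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. AllSigned only accepts signers in Trusted Publishers; a self-signed cert
#    must also be a trusted root, so import the public certificate into both.
$cerPath = Join-Path $LabDir 'labsign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Force | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 3. Block unsigned scripts machine-wide. A Group Policy setting, if present,
#    takes precedence over this; Get-ExecutionPolicy -List shows every scope.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -List

# 4. Sign a sample script (constructed content) and check its signature status.
$script = Join-Path $LabDir 'Backup-UserFiles.ps1'
Set-Content -Path $script -Value 'Write-Output "approved maintenance task"'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256 | Out-Null
Get-AuthenticodeSignature -FilePath $script | Select-Object Path, Status

# 5. Change the signed file's content. The stored signature no longer matches,
#    so AllSigned refuses to run it, which is the protection the comment describes.
(Get-Content -Path $script) -replace 'approved maintenance task', 'modified after signing' |
    Set-Content -Path $script
Get-AuthenticodeSignature -FilePath $script | Select-Object Path, Status

# 6. Audit helper: every .ps1 under a path whose signature does not verify,
#    with the signer subject so unexpected publishers stand out.
function Get-UnverifiedScript {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter *.ps1 -Recurse -File |
        Get-AuthenticodeSignature |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status,
            @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
}
Get-UnverifiedScript -Path $LabDir
```

Get-AuthenticodeSignature reports Valid for the freshly signed file and HashMismatch once the content is altered; a script that was never signed shows NotSigned, and one signed by a publisher outside Trusted Publishers shows NotTrusted. Running the audit function against the folders where users keep scripts is a cheap way to see how much unsigned material would stop working before flipping the policy, which is where most of the "pain in the arse" the comment mentions comes from.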
