Submission + - Quicken Bill Pay is No Longer Safe to Use (perens.com)

Bruce Perens writes: I don't usually make security calls, but when a company makes egregious and really clueless security mistakes, it's often the case that the only way to attract their attention and get the issue fixed is to publicize it. This one is with Quicken Bill Pay, a product of Metavante (not Intuit). It's from personal observation rather than an expert witness case, and the company has been unresponsive through their customer support channel.

Comment Abandoning Time-Worn Processes Leads to Atrophy (Score 5, Insightful) 154

Scientists determined that those people who made use of machine washing rather than hand washing had diminished hand strength and neurological motor communication necessary for fine motor control. Seamstresses who bought thread rather than using the spinning jenny were similarly impaired. But worst off were teamsters who used the internal combustion trucks rather than teams of horses and used forklifts and other mechanical devices rather than loading their vehicles by hand. Their overall body strength was much reduced.

Comment Re:Contempt of the court... (Score 1) 507

As I said — it is not testimony. The jury will not hear it. The 5th Amendment protects him from being compelled to be a witness against himself

The courts have generally held the 5th Amendment protections to be wider than that. For example, are you denying that people have the right to remain silent when being questioned by police? Why is there a distinction between being questioned by the police and by the court here?

As for encryption passwords, the Supreme Court hasn't ruled on such a case yet, but they have given hints on how they would rule. Maybe this will actually be the case that goes all the way?

I don't know about case law, but there is no "right to remain silent" in the Constitution. You don't have to be a witness against yourself.

Rights do not *only* come from the Constitution. Case law is indeed important, and there's a lot of case law around one's right to remain silent.

Comment Re:Modern HW crypto (Score 1) 507

I'm aware of ATA drive locking and their on-drive encryption, but that's not really what I was referring to.

I was thinking more of organized crime and enemy governments and other well funded and well-planned enterprises -- it would not surprise me if they had custom drive firmware made that was designed to foil the drive being imaged for forensics. I don't know if this is actually being done yet (though I suspect it is), but if it was, law enforcement (well, the better-equipped offices, and especially things like the NSA) would adapt.

And yes, you're right, such countermeasures would be a good deal harder to deal with on SSDs than spinning hard drives. Perhaps even approaching impossible without a lot of assistance from the drive manufacturer themselves.

And no, I wouldn't expect any of this to be done by a guy who's simply got illegal porn on his computer. Really, just keeping it on an encrypted drive probably puts him ahead of most.

Comment Re:In an ideal world (for the cops) yes (Score 1) 507

Even a lab "up to the quality of a guy running a hard disk recovery business out of his garage" is going to work on images of the disks rather than the disks themselves -- anything less will get all their cases thrown out of court by the defense ("how can you guarantee that you didn't alter the data yourselves?") *and* will get caught by "oh, you entered the wrong password? erase everything!" code. Maybe in 1992, but in 2017 ... that's law enforcement computer forensics 101, day 1. They absolutely will not be hooking up his computer and drives and working on that (unless they need to do so to figure something out, and even then -- it'll have copies of his drives rather than the originals.)

If a police department can't even reach that level ... then they're probably either avoiding such cases entirely, or deferring them to some other, larger and better-equipped organization.

Beyond that ... it becomes an issue of how badly they want the data. The local police department probably can't do too much, but the NSA/CIA/etc. can do a *lot* if they are properly motivated.

(That said, this sounds like a case where they won't be going to any extraordinary technological lengths to get at the data. They certainly do seem to have some friends in the courts, however.)

Now, back to "self-destructing crypto" ... if half the encryption key is on some remote server in Russia that self-destructs if not accessed at least every 30 days, then maybe. (That said ... people would lose their data often under such an arrangement.) If such services popped up and were being actively used, I imagine that the NSA and friends would be working on countermeasures (like compromising that box and looking for other vulnerabilities in the arrangement or simply installing keyloggers where needed), but that would probably foil the local police department's attempts to get the keys.

Of course, simply refusing to tell them the password should also foil them, legally and technically. This ruling is bad, bad, bad ... but I guess fighting child porn is more important than the right to not self-incriminate to this court?

Comment Re:Rubber-hose cryptanalysis (Score 2) 507

Perhaps some type of expiry after 30-60 days of non-use for sensitive encrypted drives might protect against this, since there's no way the person could decrypt the drive after that threshold.

You aren't imagining the defendant's computer in a nice neat room with his drives plugged in and a cop sitting at it trying to guess the password, are you?

No, the drives will have been imaged through a hardware device that blocks all attempts to write, and their work will be on their own computers running their forensic software against the images of his drives, with his original drives safely in the evidence lockup.

And if criminals start using drives with custom firmware to foil this (they've already read the first GB sequentially? return gibberish and erase everything!), the cops will then be removing the control boards and substituting their own before they do the imaging.

"Self destructing crypto" will just be something else for them to work around. It might foil the local police department, but if the FBI/NSA/CIA/etc. really wants your data, that's not going to foil them any more than straight strong crypto will.
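The acquisition workflow the comment above describes (image the drive through a write blocker, hash both the source and the image, then run analysis only against the verified image with the original untouched), as an added example that is not code from the Slashdot comments. The "drive" here is a constructed in-memory byte buffer, and the `WriteBlockedSource` class is a stand-in for a hardware write blocker, not a real device driver.

```python
"""Added example: write-blocked imaging with hash verification.

Not code from the comments above. The source device is a constructed
in-memory buffer; WriteBlockedSource mimics a hardware write blocker by
refusing every write. Real acquisition tools read block devices directly
and use much larger block sizes, but the integrity logic is the same.
"""
import hashlib
import io

CHUNK = 4096  # read size per iteration (constructed value)


class WriteBlockedSource:
    """Read-only view of a device: reads succeed, any write raises."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)

    def read(self, n: int = -1) -> bytes:
        return self._buf.read(n)

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)

    def write(self, data: bytes) -> None:
        # A hardware write blocker never lets a write reach the evidence drive.
        raise PermissionError("write blocker: source device is read-only")


def sha256_of(data: bytes) -> str:
    """Digest of an in-memory image."""
    return hashlib.sha256(data).hexdigest()


def hash_device(src) -> str:
    """Stream the whole device through SHA-256 without loading it at once."""
    src.seek(0)
    h = hashlib.sha256()
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def image_device(src) -> tuple[bytes, str]:
    """Copy every byte of the device to an image, hashing as it is read.

    Returns (image_bytes, acquisition_hash). The acquisition hash is what
    gets recorded on the chain-of-custody form at imaging time.
    """
    src.seek(0)
    h = hashlib.sha256()
    out = io.BytesIO()
    while True:
        block = src.read(CHUNK)
        if not block:
            break
        h.update(block)
        out.write(block)
    return out.getvalue(), h.hexdigest()


def verify_image(src, image: bytes, acquisition_hash: str) -> bool:
    """Source re-hash, image hash and recorded hash must all agree.

    A mismatch means either the image is not a faithful copy or the source
    changed after acquisition; either way the image is not fit for analysis.
    """
    return hash_device(src) == acquisition_hash == sha256_of(image)


def acquire_and_verify(raw_device: bytes) -> dict:
    """End-to-end: image through the blocker, then verify before analysis."""
    src = WriteBlockedSource(raw_device)
    image, acq_hash = image_device(src)
    return {
        "sha256": acq_hash,
        "image_size": len(image),
        "verified": verify_image(src, image, acq_hash),
    }


if __name__ == "__main__":
    # Constructed sample "drive": a few sectors of filler plus a marker.
    sample_drive = b"\x00" * 9000 + b"EVIDENCE" + b"\xff" * 3000
    print(acquire_and_verify(sample_drive))
```

The three-way comparison is the point: the examiner works on `image`, the original drive goes back to the evidence lockup, and anyone questioning the result can re-hash the original and the image independently and get the same digest.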

Comment Re:Contempt of the court... (Score 4, Insightful) 507

This is not a Constitutional question — the guy is not asked to testify against himself. What he is to say is not under oath and will not be used against him.

It is indeed a Constitutional question. He's accused of a crime, and he's being asked, er forced to aid the prosecution. What happened to his right to remain silent, his right against self-incrimination?

And yes, I do believe it is the goal of the prosecution to use any passwords he provides to find stuff that *will* be used against him. They are *demanding* that he aid their prosecution of him by divulging secrets ... how is that not testifying against himself? Next, are they going to waterboard him for the passwords?

What is demanded of him is a key to the premises, for which a perfectly valid search-warrant has already been issued.

If they were demanding a physical key, he could refuse to tell them where that is too. That said, without that ... they'll just knock down the door.

Also ... has a search warrant been issued to search his brain?

This stinks to high heaven. I thought that it was already established by case law that you did not have to say anything to aid the prosecution in any way, that your right to remain silent was absolute in a criminal case?

Comment Re:"Human Colleague"... Nope, You Just Don't Get I (Score 1) 407

Clarke did very little writing on robot brains.

Um, I'll have to assume that you weren't around for April, 1968, when the leading AI in popular culture for a long, long, time was introduced in a Kubrick and Clarke screenplay and what probably should have been attributed as a Clarke and Kubrick novel. And a key element of that screenplay was a priority conflict in the AI.

Comment Re:"Human Colleague"... Nope, You Just Don't Get I (Score 1) 407

Well, you've just given up the argument, and have basically agreed that strong AI is impossible

Not at all. Strong AI is not necessary to the argument. It is perfectly possible for an unconscious machine not considered "strong AI" to act upon Asimov's Laws. They're just rules for a program to act upon.

In addition, it is not necessary for Artificial General Intelligence to be conscious.

Mind is a phenomenon of healthy living brain and is seen nowhere else.

We have a lot to learn of consciousness yet. But what we have learned so far seems to indicate that consciousness is a story that the brain tells itself, and is not particularly related to how the brain actually works. Descartes' self-referential attempt aside, it would be difficult for any of us to actually prove that we are conscious.

Comment Re:"Human Colleague"... Nope, You Just Don't Get I (Score 1) 407

You're approaching it from an anthropomorphic perspective. It's not necessary for a robot to "understand" abstractions any more than they are required to understand mathematics in order to add two numbers. They just apply rules as programmed.

Today, computers can classify people in moving video and apply rules to their actions such as not to approach them. Tomorrow, those rules will be more complex. That is all.

Comment Re:"Human Colleague"... Nope, You Just Don't Get I (Score 4, Insightful) 407

Agreed that a Robot is no more a colleague than a screwdriver.

I think you're wrong about Asimov, though. It's obvious that to write about theoretical concerns of future technology, the author must proceed without knowing how to actually implement the technology, but may be able to say that it's theoretically possible. There is no shortage of good, predictive science fiction written when we had no idea how to achieve the technology portrayed. For example, Clarke's orbital satellites were steam-powered. Steam is indeed an efficient way to harness solar power if you have a good way to radiate the waste heat, but we ended up using photovoltaic. But Clarke was on solid ground regarding the theoretical possibility of such things.

Comment Re:A waste of money (Score 1) 67

Why can't you just use a different USB driver for your OS that filters, alerts on, requires additional permission for, or blocks whatever you want, rather than buying a new piece of hardware?

I mean, I get the voltage thing to fry a port, but that's a DoS attack no worse than someone who is physically there just smashing the port/computer. Why not just secure the USB device driver in the first place?

Comment Re:You make your own bed (Score 1) 244

Yeah. We have a Netflix subscription, Amazon Prime and an expensive Dishnetwork bundle. You'd think with all that there'd never be a need to stream from anywhere else.... nope. DVR missed some episodes of a TV show a month or more ago and you just now noticed? You can keep recording the new ones, but no way to watch the old ones but to find an "illegal" stream online.

At some point the video content creators need to figure out that people who've paid for their content at least once just want to be able to consume it how and when it's convenient for them, not have to get the magical time and space incantation correct in order to make sure they don't miss something.
