
Comment The problem isn't just use (Score 1) 367

Quite some time ago, I took global warming to heart and had a vasectomy. I make the affirmative decision not to have children. So, how many of the eco-alarmists have done the same thing? The problem isn't "man-made CO2", the problem is that we have too many men/women on the planet, with no sign of slowing. But global warming isn't the only problem. Wait until the population outgrows the food supply.

The difference between involvement and commitment is like ham and eggs. The chicken is involved; the pig is committed.

Submission + - Internet of Things nightmare: is this a reasonable solution?

satch89450 writes: Fixing the security of the Internet of Things: Now we have had several distributed denial of service attacks — generating eye-popping amounts of network traffic to bury a web site or gamer — arguably traced to botnets-for-sale of "hacked" common devices with Internet connectivity. It's time to look at the problem bad product design can cause. Not being "computers", many of those devices — cameras, televisions, light bulbs, to name a few — don't have tough-enough security moxie baked in. And it's not enough to solve today's attacks, they have to survive new attacks down the road.

Some of these household items didn't conform to today's Best Practices, taught in Security 101, with the rules learned (painfully) over the last 30 years. And then there is the question of installing security fixes: "Hey, Joe, you have to install an update to your thermostat and washing machine." Right.

This is nothing new. What is new is the tsunami of Internet-capable devices hitting the market and the Internet...and doing it badly. By sheer numbers, the situation rises to a whole new level of risk to the nation's communications infrastructure. The magnitude of the problem? Think how many light bulbs are in the typical house or apartment, and you get the idea.

This note comes a little late to the game, but I thought that one way to stem the flood of crap from compromised household stuff is to treat vulnerabilities as design defects, defects as serious as the exploding batteries in the Samsung Galaxy Note 7. So, looking at the procedures already in place for dealing with merchandise that can cause harm, this suggestion.

Proposed: GIVEN

  • any Internet-connected device,
  • "powned" by cybercriminals,
  • that causes significant harm,
  • the manufacturer receiving notice of the defect, and
  • did not, or cannot, provide a timely, zero-cost update

THEREFORE the Consumer Product Safety Commission shall require that the manufacturer provide a security update to the device within 30 days of first notice; or failing that, to issue a complete recall of the defective devices.

I don't care if it's a television, camera, refrigerator, light bulb, thermostat, washing machine, wireless access router, smart phone, desktop computer, server, you-name-it...if it's broke, and can't (or won't) be fixed, it gets recalled.

That's the only way manufacturers will take Internet security seriously. If they have to upgrade the stuff they sell, without exception, the manufacturers will find a method that will keep their expense for upgrades down. Upgrades should not be charged to the customer — the manufacturer screwed up, they should fix the problem, at their expense. I further suggest that security testing should be specifically permitted under law, not be considered part of "reverse engineering", or other shrink-wrap or copyright restriction.

The CPSC should develop guidelines for products with embedded computers that connect to the Internet at large, either directly or indirectly.

There are a number of things to consider, when building such a regulation, that come into play and complicate things:

  • orphaned devices,
  • devices made by companies that have gone out of business,
  • imported stuff,
  • methods of notification, and
  • enforcement

This is an off-the-top-of-my-head idea. I think it's worth considering over other "solutions" I've seen proposed.

Comment Update? What update? (Score 1) 224

I have a Lenovo laptop with Windows 7 Professional on it. Sometime in the last nine months, Windows has forgotten how to talk with much of the hardware in the laptop. This includes the finger reader and all networking devices. I called both Microsoft and Lenovo, and both refused to help.

So I never see the nags!

The hardware works fine, as proven by the copy of Fedora 20 I have running on the thing -- when I need to network, I just boot into Linux and have at it. RJ-45 port. Wifi. All happy. (I haven't tried installing the finger reading software yet, because I don't have much use for it.)

When I need to copy software across, USB sticks and Blu-Ray drive work just swell. That's how I keep the DVD/BR reader up to date on the laptop that runs in the Windows side.

So, no problem. That doesn't help the folks in hospitals or out in the field...

Comment My wireless is not vulnerable (Score 1) 157

I've been worrying about the ability for wireless routers to withstand any significant attack, particularly given the responsiveness of the manufacturers of the things (like, none at all) to exploits. So I made a decision to put my wireless router behind a firewall that keeps bad people in the cloud from playing.

Yes, the firewall would cost money ($70 for the computer, $0 for the firewall software -- I'm using CentOS and IPTABLES) and it's another box, but that box protects my inside network, so that I abide by the rule "Never expose Microsoft gear to the bare Internet." As a bonus, I run the router in bridge mode, so that my firewall gets to answer DHCP requests instead of the router. Makes packages like Dropbox work properly even for wireless devices.

I use LANsync quite a bit, because the repository at work has some DVD ISO images, and an update or addition causes quite a bit of network traffic without LANsync. With LANsync, the traffic is between my fileserver and the wireless device, and the uplink carries only the administrative traffic.

What I'm looking for is a wireless card I can put into a CentOS 7 box, so that I don't have to have the lashup I have now. It also means my resulting wireless router/server would be considerably more future-proof than my no-longer-supported Cisco branded router is. (Rebranded Linksys, I think.)

Comment Re:The Commit Message (Score 1) 572

It is very easy to whip up a systemd script to manage the software no matter what quirks the software has about running as a daemon.

I've been looking for a concise, complete HOWTO on how to take an existing daemon program running in the old init-script environment and make minimal changes to have it run in the systemd environment. Can you point me to a URL?

Comment Re:Phones, Computers, etc. (Score 1) 420

This is the greatest thing to happen to the libre firmware movement.

Mr. Cerf and Mr. Taht have used the VW issue in their response to the FCC in ET Docket No. 15-170, the wireless-router lockdown issue. From the contribution: "Requiring all manufacturers of Wi-Fi devices to make their source code publicly available and regularly maintained, levels the playing field as no one can behave badly. The recent Volkswagen scandal with uninspected computer code that cheated emissions testing demonstrates that this is a real concern."


Comment Re:Why no diesel hybrids? (Score 1) 420

I don't understand why we're seeing all these gasoline hybrids instead of diesel ones. Aren't diesels running in their optimum range much more efficient? And with all these emissions issues turning up, isn't it feasible to set up diesel hybrids to basically always run in a narrow range with the best emissions and efficiency possible?

I wonder about this, in the context of long-haul semis. I've wondered what it would be like if someone, say Peterbilt, would make a truck tractor with a fixed-speed diesel driving a generator, and the output driving motors on the wheels of the tractor and perhaps even the trailer? This would make it *exactly* like a long-haul train locomotive.

Or perhaps a turbine driving a generator.

You don't have the same limitations about size with a truck tractor.

Comment Re:Forfeit all revenues from sales (Score 1) 420

I've also read in the last day or two that VW is (predictably) trying to claim that management knew nothing about the emissions and that "a handful" of engineers were responsible. While there were obviously engineers responsible I have NO doubt whatsoever that management requested and signed off on this. They're just trying to throw a few peons under the bus to save their own skin.

Have you ever worked in a larger corporation? There are quite a few layers of managers and worker bees, so the upper layers don't necessarily know what the lower layers are doing. I saw this at Motorola and Rockwell in my career. So the managers may well have been in the dark about the "defeat device", because the managers are not engineers, and would not have seen that level of report. All they would see is a single bullet item on a PowerPoint slide: "meets EPA limits for emissions."

Or, as the old saying goes, "Never attribute to conspiracy that which is adequately explained by stupidity."

Comment Re:Realism (Score 1) 420

Is there some compelling reason why these tests aren't being conducted in realistic conditions in the first place?

Repeatability. If you can't repeat the measurement, then the result can result in a "he said"/"she said" fight in the courts or in administrative hearings. That said, the testing you do on the dynamometer should bear some relation to what actually happens in the field. Engineers will tune their products to the tests. Some engineers will also test "in real life", but only if they have time and budget. And, when all else fails, they will fall back on what works in the tests. Or worse, if you can't pass the tests without a "tweak".

Comment This should cause a sea change in testing (Score 3, Insightful) 494

There is a reason Consumer Reports does most of its car tests on the road and the track -- it's more realistic. So I expect that the rules will change to de-emphasize lab testing on dynamometers and emphasize road testing using several different modes (in-town, highway, and off-road where applicable).

Comment It's not over until the fat lady sings (Score 1) 102

While Warner/Chappell says they are not considering an appeal, they say "we are reading the long opinion to see what our options are." [paraphrase] So they may decide to appeal after all. Then there is the other issue: repayment of royalties already received, going back decades. That may indeed trigger an appeal of the ruling, to hold off that fiscal event. At two million a year for decades, the cost of the appeal starts to look cheap...

Comment Re:Noscript + Ghostery (Score 1) 307

First, in NoScript I whitelist those sites that appear to take responsibility for their content. That leaves lots of unrecognized domain names in the list of forbidden-to-script. Ghostery has perhaps three out of the thousands of trackers enabled, and Facebook isn't one of them.

I also use /etc/hosts liberally; for example, I added " avg.com" this morning.
