3510 posts • joined 10 Jun 2009
There's already a specific Android permission for this "Draw Over Other Apps". Thing is, like the article says, some apps need this functionality to interrupt user action. What's to stop this function being used for evil while at the same time being disguised as something plausible like an alarm clock?
Sounds to me like the most robust way to handle this (separate the desktop compositor into a black box task and let the apps request their graphical resources from that) has drawbacks of its own such as memory and CPU/GPU costs.
BTW, did this test tell the difference between view-only access and controllable access? Sure, view-only access has its own foibles, but it's a lot harder to pwn a machine when you can't remote control it.
Re: It's hard for a reason
So what happens when you run smack into the fence separating security and usability? Because for security to be ubiquitous, it MUST be easy to use (and by that I mean easy enough for Stu Ped to get). Yet difficulty is a necessary evil for something to be practically secure (sort like having to fish for the keys to the front door).
So basically, the security problem is looking to be intractable because you're caught between needing a system a state-level adversary can't break in a heartbeat and needing a system easy enough to be used by people who have trouble remembering what they did yesterday.
Re: Business cards??
Because the keys are too big to put on even 2D barcodes (even I suspect the color barcodes once touted by Microsoft). Which means you have to store it somewhere, which means you have to trust both the place it's stored AND whatever means is used to transport it. And if your opponent's something of state level, I wouldn't even trust the fingerprint (since the state may secretly have the means to subvert things behind the scenes).
Re: Not saying PGP is perfect
I *tried* to put a certificate into a qr code. It doesn't work, at least not for 2048 bit certificates.
That's odd. 2048 bits should take up only 256 bytes, well within the QR Code limit of 2,953 bytes under ISO 8859-1 encoding. Even if you have to convert it to a text-compatible format, you should still be well within the limit, even counting necessary overhead.
"Especially when considering there was no way to tie an online user to this data in a way to improve ad targetting,"
There's always a way to tie an online user. Cleartext metadata will suffice. Heck, didn't researchers show they can correlate identifiable information from an encrypted connection using timing attacks? Face it. Data mining is the specialty of companies like Google. These firms basically strive to ensure no privacy in this world.
Re: This already exists
And MY point is that Google lacks the motivation to bake in security. In fact, they're actively DEmotivated. Unless lots of people actively defect to Apple or Blackberry specifically because of security, then the money keeps coming into Google, especially if saps KEEP their phones insecure sources of personal information.
Microsoft was in an Apple-like position: owning the dominant desktop OS in the market, which meant devs had to play by Microsoft's rules or not at all. Android has only just edged iOS for dominant mobile OS and not by much, meaning Android devs could still take their app and go back to Apple.
Re: This already exists
But Xposed requires rooting. What's needed is a root-free solution and that will probably mean baking it into Android itself, and Google lacks the motivation (remember, their customers are the devs--they're the ones paying to get in the app store and giving Google the cut--not the consumers). Apple can get away with it ONLY because they're still the irresistible lure. And Blackberry is enterprise-oriented which changes the focus points.
Huge, huge flaw in Android design.
Actually, that was BY design. Remember that once upon a time, Android was behind Apple in the app market so they needed a way to convince app devs to jump on board. A permission system geared more to them was one way to convince them. And once you have that, the genie's basically out of the bottle since trying to curtail them NOW will break too many things: many with no alternatives.
If it's a specialized HUD, showing just car-related information, then I don't think they could consider it any more of a distraction than the speedo itself, which is standard equipment. If the plods nail you for that, I'd probably argue they're basically saying required equipment is a distraction, meaning cars are inherently unsafe.
As for the police doing their work, they can pull the same thing pilots and lorry drivers can: they're trained in what they do.
Re: So many things to consider.
"Pilots have lots and lots of training. They don't have other aircraft jumping out in front of them or traffic lights turning red suddenly as they fly along."
They might. Wingmates might break away to track a bogie they spotted and so on. Plus there's always the danger of incoming fire. One of the things drilled into pilots through history is to maintain situational awareness. Target fixation is a killer.
As for the HUD itself, it needs to be as concise as possible: able to convey the most information with the littlest amount of clutter. Pilot HUDs cram quite a bit along the edges of the display, keeping the center cleared for all-important targeting. In the case of the car, a driver's HUD should be as unobtrusive as possible UNTIL it needs to draw your attention to something immediate, and these signals should be discernible from peripheral vision. This means the indicators have to be distinct enough to be detected from the corner of the eye. Color can be used in this case. For example, a speedometer's number can be ignored through familiarization, but perhaps if it changed to yellow to indicate you're now crossing over the speed limit, it can be caught in the peripheral vision and be a useful caution message. Similarly, if the turnoff is coming up, perhaps part of the map can blink briefly as a hint to start looking around.
What gets me is why is the spectrum being SOLD? Such a precious and limited resource, you'd think the FCC would instead LEASE the spectrum and keep all the lessees bound to usage rules and the like: always holding the final call. Because once sold, it's extremely hard to buy it back should it be necessary.
In other words, they can fingerprint you by using the fundamental underpinnings of the Internet. It's like figuring out your activities by skimming your incoming and outgoing post (just the addresses, not the contents). The additional volume of e-traffic makes the profile more robust. And since the endpoints are already known, TOR is useless.
This is one heck of a side-channel attack because the only way to beat it is to mask the headers, and the only way to do that effectively is to introduce intentional inefficiencies into the Internet.
Re: This is why you *don't* want HTTPS
"/goes back to mumbling about the days when ftp was the primary interface used on the internet. My current ftp client is 150kB. That's a whole lot easier to audit than Chromium, Firefox and by a massive long-shot, IE. "Pretty" is causing massive security issues."
The issue the article describes, and one that FTP can fall into, as well as SMTP, POP3, NNTP, and just about ANY plaintext protocol, is that a malcontent can MITM the connection and alter the contents in transit. In FTP's case, the file transfers and directory listings can be poisoned. And it would be indistinguishable on your end, meaning you have no way to know you're not REALLY getting the stuff you asked for.
"Will the FA employ Drones to spot all those malcontented Glassholes?"
Forget them. They already make "live shades" that woud've made Spider Jerusalem jealous. 4 GB+, can do video (many at 720p30), MicroSD, Bluetooth-capable, AND they look completely like ordinary glasses. Add a pair of prescription lenses and you have a perfect disguise that no one can force you to take off (since the prescription renders the glasses medically necessary).
Re: Don't allow retries
One, they can send numerous zombies to simultaneously try the same account, creating a race condition. Two, many brute-force efforts come AFTER they purloin the shadow files (analogue: they take the still-closed safe with them) at which point they can crack at it at their leisure.
Re: Just built two W7 computers
"Just built two Ubuntu 12.04 (actually newer than win 7) computers and are already on about EOL it. How are you supposed to keep up?"
Just built as in a few months ago? Why didn't you go for 14.04 which is also an LTS release meaning you're good for three years at least?
Despite them being two small holes, there's actually quite a bit of acoustics that goes into your ear. Consider the vibration of your skull as well as the reflections of sound waves down the ear canal. Ever considered how we're able to aurally perceive that something is behind us rather than in front of us, given the two sources can be an equal distance to the ears? Plus, as the article notes, we can also figure out if the sound is above us.
I personally think we need to move beyond passwords. Except that for any possible solution I can think of (my personal favorite concept is two-way unique key exchange per-site per-user which can be performed offline if necessary), there's always a snag: the better fool, so to speak.
Re: We're gonna need a bigger hard drive...
But that takes time you don't have. Last I checked, we don't have image processing ICs capable of running in the Terahertz range yet, and this may well requires something operating in petahertz to be able to process images in realtime in trillionths of a second. Anything less than realtime and you have to deal with storage and transfer bandwidth between the camera and storage AND the storage and the processor.
Re: to counter mr mugger, you need a panic PIN
They ALREADY counter panic codes with frog marches. They won't let you go until you get the actual cash out of the machine. If you use a panic code, things are liable to get ugly. This also has the advantage that the mugger stays out of the ATM's ever-present eye. I frankly don't know how this can be countered without some unwanted side effect (I was thinking a booth that can only fit one, but what if it jams and locks you in, or you're too fat to fit?).
Just curious. I notice some of the GPUs experience a 1:4 performance penalty when going from single- to double-precision, but many (bot notably not all) of the AMD GPUs manage to reduce the penalty to 1:2. Can anyone explain how they do this and why it isn't consistent across the board (unlike nVidia, whose GPUs seem to be consistently 1:4)?
The issue applies to BOTH wired and wireless, though wireless gets hit with this problem harder than wired due to the physical limits of spectrum. The problem is that customers are expecting completely unlimited Internet access, no strings attached, but accounting and physics make fulfilling that exact demand infeasible. So what do you do when the customer expects nothing less while it's impossible for you or anyone else to deliver anything close?
Re: guaranteed minimum connection
I think part of the problem is that "guaranteed minimum" speeds would probably looked at with a sneer. IOW, they'd be trusted less than the "unlimited" claims. Let's face it; customers at this point are jaded. It's making the marketing department rather nervous, as they're running out of ways to entice the customers since the same-old stops working after a while. Meanwhile, accounting pushed back by reminding them that the uplinks costs are metered. I see it like this: how do you make a satisfactory sweet dish for a person who has no sweet spot in their tastebuds?
And why hasn't this been challenged on the basis of false advertising (and I'm of the opinion that ANY advertisement should contain nothing but the truth, the WHOLE truth, and NOTHING BUT the truth)?
Put this way, since trunk Internet access is always metered, it would be considered fiscally unsound, and therefore unreasonable, to offer consumer Internet service that is actually unlimited (since in the long run that would be a money sink). Therefore, advertising unlimited Internet of any kind should be considered illegal false advertising.
Re: As much as I agree it's not flash
Perhaps, though if you're gonna crash such a party, you'd hope to bring something a little more surprising (you know, a "this changes everything" surprise). The read numbers are good but the write rates...plus there's the question of longevity, which is another issue with Flash RAM, especially with longer times and higher activities.
Re: Laser eavesdropping
That and the windows can also vibrate from the walls which can't be muffled easily.
Re: @The last doughnut Er....
Doesn't sound much more difficult than trying to use a shotgun mic, and it has the same issues since both rely on the vibrating window glass. The laser offers greater range, though.
True or not, it's not unheard of, and I'm pretty sure I've heard of a laser being used to detect vibration at some point in the not-too-distant past. If they did, they didn't use a mirror but the glass itself, much like how a shotgun microphone focuses on the acoustic vibrations of the flat window panes.
But here I thought they were trying to recreate the real sounds off old silent cinema (no chance at only 24fps). Silly me...
Tactile feedback on a remote-controlled device like that is going to feel pretty awkward, given that, at the least, feedback is going to go through a minimum 6-minute lag (the closest Earth can come to Mars is some bit over 54 million kilometers). As the saying goes, sometimes, the only way to do things right is to get up close and personal.
I think they're already doing that with ad-blocker-blockers and hosting the desired content on the same server and system as the ads, thus making it an all-or-nothing proposition.
Re: The Rest of the Story
"2. Transparent caching of Netflix content would be easy to achieve without compromising the content creators' intellectual property. All that is necessary is for the content to be encrypted, with the key sent to the player via a separate secure channel. Then, the cache itself could not be used for piracy. The player, of course, still could -- but this would be true with or without caching."
Hollywood does not believe this to be secure. Even if the content is encrypted with a common key, in order for the content to be transcypted to the subscriber's key, the key must be delivered to the machine at some point. The fear of Hollywood is that someone (an insider, a hacker) can intercept the key inside the machine at some point, because it has to be decrypted at that specific point, allowing for man-in-the-middle piracy. For them, nothing less than end-to-end encryption will suffice, because if the stuff is pirated at the source, the law can concentrate on Netflix, while if it happens at the receiving end, they know where to look as well. This becomes a lot harder with a man in the middle.
Re: We should outlaw DRM
The point of the cache network-wise is so that more than one person can access the same content without having to download it twice. This falls apart in the Netflix model because EACH user has a different encryption key, so the same copy delivered to two different users looks different during transit: resulting in a cache miss. And the content owners insist on it being this way end-to-end. They don't want the content transiting in ANY kind of "common" format: even a common encrypted format because, at some point, the content has to be transcrypted to the user's key, and it's there that a man in the middle can pirate the content. So in the end, because of the content owners, caches are useless for the purpose of significantly reducing common traffic because, essentially, NONE of the traffic is common at all, as they ALL pass with different encryption keys.
Re: Nearly had me agreeing
"All geek analogies should be based on cars! It's the law!"
NOT when it's a bulk transport analogy. Cars don't fit that analogy as they're not considered a bulk transport vehicle, so it HAS to be lorries. That's law, too. Even the Net Neut debate uses lorries in its diagrams."
The reason it's so bad is that the US is so BIG. Wiring up tiny little Great Britain isn't exactly a picnic, but at least the distances aren't so bad. But in the US, you have people from coast to coast, and unless it's a big city, the ROI just isn't there unless the communities in need can sweeten the deals with exclusivity contracts. For many small communities, it's the price of admission: either bind themselves to contracts or go without. It's like that for other utilities, too, like natural gas, since there's a significant infrastructure investment required just to reach those communities.
Given that Netflix tends to aggravate their upstream costs, which are ALWAYS metered, perhaps there's some measure of fairness in it. Even when it comes to shipping physical things, there's some give and take involved. Sometimes, the buyer pays the shipping; other times the supplier eats the costs. Perhaps the next question to ask is whether or not the amount the customer pays between the ISP and Netflix is sufficient to fund all the upstream costs. If it's not sufficient, then the ISP probably has a case to ask for compensation from either end. It's something that has to be hashed out between all parties involved, just as bulk shippers need to cut deals with transport companies.
Re: Even the story doesn't seem to make sense.
But what about all the TRAFFIC this thing will generate? Who foots the bill for all the upstream usage?
Re: A glimmer of hope
That's not what's stopping a skateboard maker from doing that. Apple does it now to some degree; it just suffers from "if man can make it, man can make it again" and "patents aren't enforceable across borders". Sometimes, standard screws are just a ton cheaper to use. Other times, it's demanded of the customer. Take the skateboard again. Above a certain level of skill, skateboarders start customizing their boards, which means they will be demanding parts that can be swapped out easily or they won't be buying.
Re: It's nice to see people are chipping away on the DMCA
I think the threat's starting to lose its bite. Some countries seem to be threatening to take the "or else" and close relations with the US, meaning they don't care anymore.
Re: A glimmer of hope
How about one that guarantees the right of exhaustion in regards to virtual (download-only) software? And prevents software from being leased without a formal written contract (to keep business software leases OK)?
Static stereoscopes are nothing new. I once viewed a topographical photograph using an old-fashioned stereoscope. Both implements were in the neighborhood of 50 years old. Stereo photography still exists, but it's more of a a specialty field since you need both the stereo camera and some form of stereoscope. TVs are not well-suited for this because of the flicker (which would still exist for still photography).
You mean volumetric. I suspect true 3D TV will first appear by borrowing a trick from the CRT days: rapid refresh. The main obstacle to getting a volumetric display done with a spinning LED plane is the refresh rate. To achieve a 30Hz volumetric display with 360 voxels circumferential resolution, the planar elements need to be able to refresh themselves at least 5400 times per second (to cover a 180-degree sweep in 1/30 of a second).
For me, it would be an Ethernet port (I wired my house), and not just a good range of ports, but one-button access to all of them. I've seen 4K TVs on display and I felt them to overkill (and this was at point-blank range, too). 3D gives me a headache, so forget that.
Re: Is there a Microsoft parallel to Godwin's Law?
Pehaps that's what we should call it from now on:
Eadon's Law: As an online discussion grows longer, the probability of a comparison involving Microsoft or its executives approaches 1.
Re: >Engineers know how to fix things. What do beancounters know?
That's also an urban myth. Army quartermasters themselves have revealed these to just be accounting generalities meant to get paperwork through. Sure, people complain about the $500 hammer, but then there's the $600 jet engine...
Re: Still vulnerable to hacking
We don't know for certain they hacked it. Besides, the drone was military tech, so you'd think they'd be using the encrypted military GPS. Cracking military security tech would be a first-order coup and something MANY antagonistic countries would be itching to get, bit Iran's keeping mum, which tells me their method was likely much more prosaic and specific.
Re: Technically speaking...
That's due to one of the trade-offs of microkernels: performance.
Ever thought they took that into consideration?
Re: The problem is......
Even when that service provider ceases to exist?
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft refuses to confirm 'Windows 9' unzip lip slip
- The Register to boldly go where no Vulture has gone before: The WEEKEND
- Netflix swallows yet another bitter pill, inks peering deal with TWC