2170 posts • joined Wednesday 10th June 2009 16:31 GMT
Re: Secure Boot
"You can't even rely on a format-and-reinstall approach because there are rootkits in existence today that can fake enough of the boot process to circumvent that."
Not even the "Nuke 'em from orbit" approach, where the drive's formatted from an OS on a different boot device, say a USB stick or the DVD installer?
Re: Another reason for scrapping the Big E
The EXTERIORs are still there, yes, but "gutting" means the INTERNALS are removed. Wanna bet the elevators and magazine chambers (all situated UNDER the big guns) have been stripped down? As for the power plants, odds are passing fair that any regulating mechanisms and anything that would actually cause the boilers to, well, boil, are gone also.
x86 UEFIs are REQUIRED to provide the off switch or they're not Windows 8 compliant. As for RT, those are tablets, complete ecosystems, and not meant to be viewed separately. Even Android is a pain in the butt to tinker with. Sure, there's CyanogenMod, but a look under the hood reveals that many of the ones for various phones and such have incomplete support or spates of bugs.
Speaking of the Roddenberry comment, it should be noted that the retiring ship happens to be (at least) the SECOND U.S. Navy ship named Enterprise (its earlier namesake was CV(N)-5, a WW2-era carrier that saw service for most of the war until it was crippled during the Okinawa campaign).
"Just ignoring the calls, or letting them go to voicemail, would keep the number higher in the queue in the hope of getting an answer."
But at some point they have to think that perhaps the call is being actively screened, especially in these days of Caller ID being much more common. I would think after say 10 attempts sent straight to voicemail/answering machine they have to assume the call is being screened and lower its priority, too.
The trouble is the cartels' DTA attitude. The last thing they want is a mole, so the only way out of the cartel is feet-first. The only reason this is possible is there are plenty of engineers for the cartel to grab. Once the supply goes down, then they may be forced to husband their engineers, probably by resorting to threats and blackmail.
I don't think that'll work. Look at the USPTO. Terribly underfunded (and you see the results), yet nothing is done to either let the filing fees pay for more workers OR get more out of the federal budget. Two ways to better fund it, and they choose option ZERO. What's to stop the FTC/FCC from suffering the same fate, if it isn't already?
Re: "...tired of Bronco Bomma and Mint Romney"
Unfortunately, political speech (including political robocalls) is considered privileged speech under the 1st Amendment since it's intended to promote the election process.
I frankly think the Founders didn't quite get it right. FREE speech isn't as important as FAIR speech. Until the Constitution is amended to make that distinction, we'll be stuck with this political circus...unless it kills us first.
Re: About fucking time.
Wonder if that's what those "800 Service" calls were for the last month. Thankfully, I have Caller ID and tend to screen all calls from firms and people I'm not expecting (through the answering machine). Tends to scrub out most of the robocallers who are smart enough not to plaster answering machines. That just leaves the collection agency calls (the last owner of my current number was apparently in credit trouble).
Re: 1.7m apps audited?
OUTSIDE Google Play, perhaps? It's the APK itself that contains the permission list.
Re: oh well...
Then simply require an explanation for each permission. If it requires fine (GPS) location, it can explain, "This program uses location-specific advertising to fund its development." Honest enough, wouldn't you think, and easy enough to explain for legitimate uses.
Of course, disguising a malware use INSIDE a legitimate use (say a spy camera in a photo editing app) is another matter, but it should help some.
Re: Permissions use explained in description
Agreed. How about this for an idea? For every permission an app requires, it must also submit to Google the reason for that permission, in specific detail. If it needs "Full Internet Access", for example, the submission must include specific reasons such as "This program receives advertising from the Internet to fund its development." Or if a financial app can send SMS messages, it must provide something like "This program can send SMS messages to financial institutions and read the replies to obtain account information." Google should require this of each specific permission and post them alongside the permissions themselves on the installation prompt. This would be a Google Play extension and could apply to all apps submitted in future, so it shouldn't break existing apps.
Re: How to Fix It
What about where performance is needed, such as games? How do you balance the power requirement with the security requirement?
Re: Is this a joke?
Trouble is that some asteroids aren't solid but rather clusters held together by gravity. Blow one of the chunks off, and it'll likely take all the energy, leaving the rest intact. There's also the fact that many asteroids rotate on axes, meaning you have to fight their rotation as well. The effects of a nuke on a corner of an irregular, spinning cluster of rocky objects moving at a surprisingly speedy clip (closer to the sun, the faster it goes) are rather uncertain, but most scientists basically sum it up as "not much".
Know of a glue that works at near-zero Kelvin?
Re: Burn in power plants
Thing is, pyrolysis is an ENDOthermic reaction, which means you need to feed it energy to keep it going, so it's hard to picture how a process that absorbs energy can then produce energy. Pyrolysis is good for turning waste products into other products you can use like biochar, but what's the ratio of waste in to useable product out? Somehow I suspect it's something greater than 1:1, which will make the tree huggers scream that it's inefficient and that we should still recycle like we did because we get more out of the process.
Re: To Paraphrase The Ogre
"ensure that the system is fully insulated from any external source."
And if you MUST have an external source because the device involved is not very easy to reach (involving time- and money-consuming procedures or lengthy travel)?
"Seriously. Return of the Jedi - $32m budget, $400m income (just on the film, not merchandising, etc.), yet "never made a profit"."
Question. Was LucasFilm ever publicly traded? I don't think it is. Otherwise, you would think some shareholder would've seen that statement you just posted, noted the box office returns, and taken LucasFilm to court, the SEC, or whatever on charges of "cooking the books".
Simple. The financial crisis tightened purse strings: once bitten, twice shy, not to mention the legal repercussions. Many banks won't provide loans without serious backing, and for most grassroots projects such backing is lacking. So if you can't get help from a bank or a rich friend, who else can you turn to?
Re: Crypteks ?
My one Kickstarter investment was to Stainless Games, makers of the original Carmageddon, and the goal is a reboot of the franchise. I among many others loved the original game, and this project has a lot of support. For my contribution, I will get two copies of the game: one on Steam, the other Steam-free and for (my choice) Linux. Stainless is actually delivering regular progress reports and things do seem to be moving along. I look forward to the final release.
Watch out for incompatibility.
From what I've been able to make out, to use SmartGlass on Android, you need to match three conditions:
- Phones ONLY (My only ICS device is a tablet).
- The phone must have at least Android 4.0.
- Needs enough resolution. They mention WVGA, so I don't know if SVGA (1024x600) will suffice.
Figured I'd give heads up.
So the question becomes: How do you allow remote access to SCADA resources, even on the field, without leaving a big fat bullseye on your network? Especially since any computer that connects to or is connected by it can potentially break down any firewall? And yes there's money involved since travel costs money.
Re: asteroid rotation
The paint plan actually takes the rotation into account with TWO volleys, to be fired at intervals where each half of the asteroid is in the sights.
Re: But but, can you switch it on??
They could alter the Dashboard and the 360's standby mode to allow other forms of waking up.
They could have a form of Wake-on-LAN system.
IIRC the 360 wireless controllers operate on the Bluetooth wavelengths (as do the PS3 and Wii), just not on the same protocols. I wonder if it would be difficult to adopt some kind of Bluetooth link between the 360 and the phone/tablet enabling a wakeup.
The IR port can wake up the 360. Some tablets (like some Samsungs) have IR ports and can act as remote controls.
Re: US does cost more but most of the world doesn't
Most of the rates you see are for contract rates with subsidized phones. If you go outside the loop to MVNOs, you tend to find better deals. Some of the best ones use T-Mobile USA (Simple Mobile and Walmart's Family Wireless) or Sprint (Boost Mobile and Virgin Mobile) as the base provider, and the rates provided seem much more competitive and in line with what you see abroad. It's a lot harder to catch a break with AT&T and Verizon, however (and none of the AT&T MVNOs I've seen charge any better than AT&T themselves).
There is such a thing as one-way hardware design. Think of a booby-trapped box rigged to act the moment you open it in any manner, regardless of its orientation. How would one go about preventing the trap from acting without being able to open the box (and in this case, poking a hole in the box would count as opening it)? I would think such an approach could be applied to ICs as well, booby-trapping them to prevent them spilling their secrets. You would think top-secret hardware would have such safeguards.
Re: Will this allow making the Roku useful?
"Why not start with a Raspberry Pi and make life simpler?"
Sure thing...if you can tell me where I can go to get my hands on a Pi kit out the door today? All the mail-order sites are on indefinite backorder. Roku boxes are in Walmart and Best Buy, among other places. That said, I've avoided them because I know they don't do DLNA. About the only thing close to being viable is the WD TV, and even that interface stinks. Meanwhile, the port of XBMC to Pi is progressing nicely.
"Even if climate change is happening and it is overwhelmingly man made, there is zero chance that cold starving people won't dig up coal and burn it or cut down trees to keep warm. Faced with the prospect of a marvellously preserved planet with no one on it, or a rather battered and hot planet with a few people left to enjoy it, which would you prefer?"
The concern is that the latter creeps itself all the way down and becomes the worst of both worlds: a torn-up world with NO people in it (and perhaps a lot less life altogether than before). Given the choice, mother nature and Luddites would take the former. At least that way, nature can try again.
The reasons for the lack of talk on climate are far more prosaic. It's hard to think about climate when you're having trouble keeping a job and paying the bills. The economy is the top subject for both debates, with related subjects getting airtime as well. It's simpler, more subject to the influence of government and, frankly, more direct for people.
Re: Vertical integration makes sense
If power is not your thing, then yes ARM solutions are cheap as...well, chips. However, Google and Amazon have multimedia and more in mind and therefore need something with a little more oomph (one thing not always mentioned is that when it comes to raw computing power on demand, ARM needs help, usually GPUs or other DSPs). So there is still a need for an optimal chip: one capable of delivering the most power for the least power at the lowest price. That area is still considered bleeding edge so there are costs involved. Vertical integration helps to minimize those costs, so to Google and Amazon, it's a boon.
"And as far as opera singers smashing glasses go, yes it's possible, but only with a LOT of power. Just hitting the right frequency isn't enough."
The MythBusters proved it to be possible using just a voice (using a MAN, no less), but he was a trained singer able to belt out the right note loud enough for long enough to pull it off. They also showed that power helps, as an untrained voice could break the glass if his note was amplified through a speaker and some acoustic channels.
Re: JS speed
CRIME is a side-effect. It's a side-channel attack that tries to determine the cookie by sniffing for encryption optimizations in the SSL/TLS channel. Compressing the channel to optimize transmission was part of the optimization rush, but it resulted in the side channel.
"(The drivers do this mind boggling stupid thing of resizing the output for overscan when there is none for DTV and then resizing back, completely messing up the 1:1 pixel mapping.)"
They fixed that already. Use the "standard" rather than the "optimized" resolutions and it goes back to 1:1. The optimized resolutions probably come because not all DTVs are digital displays and thus may actually have overscan issues.
Re: Tamper proof
And suppose anyone with that level of information is a misanthropic bachelor geek, meaning the only people they relate to would be in the same kind of position and would not be worth threatening? As for the dog, what if he answers, "He ruined my rug anyway."
Re: Code signing is not a security feature!
That's the entire point. This is beyond what most would term "hardware" security. We're talking utterly paranoid PHYSICAL security. Epoxy and resins will likely be part of the solution, yes, but what about chemical and mechanical failsafes (meaning they can be tripped even with zero electricity) embedded into the device housing or deep in the internals that would trip on any attempt to get inside? Remember, bricking is preferable to unauthorized access. You can always issue another phone; you can't get the cat back in the bag.
Actually, moves have been made into tamper-detecting ICs. The private key could be held in such a way that attempting to etch down to read it would trip a chemical failsafe that destroys the key and bricks the device (in a classified environment, bricking would be considered an acceptable outcome because it means the enemy can't get at the data). If that key is only used within the IC itself (outside communications uses another set of keys), then the pins won't tell you anything, plus you can perform trace detection on those pins. So if you can't etch it and you can't trace the pins, where would you go next?
Re: How about Greenhills?
"With enough biometrics collection, this so-called "classified phone" or many other devices will be broken unless brain scans and body scans against a live user are matched."
What about iris prints? About the only way you can get those is by shooting the eye point-blank. Doing it on foot would be too obvious, I would think. So that leaves a third-party iris scanner, and there aren't too many places that actually use that level of security.
Re: UEFI is a lockdown technique, NOT designed to prevent malware.
And don't say they'll just sign the malware code. That would involve getting Microsoft's PRIVATE platform signing key. In the history of PKI, only one major company has had its private signing key compromised (Realtek, for the Stuxnet attack, and that likely took state-level resources to pull). The companies know those keys are the weak links in the trust chain, so they're guarded as fiercely as the accountants hide their trade contracts (which contain trade secrets the competition would kill to get). So any malware that appears with a completely valid Microsoft code signature would be a sign of a bigger problem than just signed malware.
Re: @H2O networks, yes?
"When you go from 1kbps to 100gbps (and anything in between), the speed does not change - only capacity to move data in a given time period."
Maybe, but when you want to shovel dirt, it usually helps to have a bigger shovel. Or if you want to move lots of people, it helps to have wide thoroughfares. Sure, it still takes time to get from A to B in any event, but the more things you can have flying at once, the faster it takes to get everything put together.
With the human mind, "impossible" doesn't apply. Consider the term "doublespeak", where one lies and wholeheartedly believes it to be the truth, while still recognizing it as a lie, all at once. And while we're not at 1984 levels, doublespeak seems to have found some niches.
Re: If they wanted to see sod all
Thing is, arc sparks are brief and sporadic. Well-aimed, a laser dazzler can be continuous, meaning you're either blinded by the dazzler or blinded by the automatic shade, neither of which are very comfortable positions to be in when you're trying to line up for a runway landing.
Re: False Economy
Likely reason is the overburden. Getting the copper out will sometimes involve tearing something up to get at it. Need to pay for the tearing up, not to mention the putting back once you're done. Cable thieves are opportunists and will usually only go for easy-to-reach cables. I would think BT will be focusing on them first for logical reasons.
Re: The opposite of confidence building
"The fact that the rocket got to orbit despite a failure does not mean the failure was insignificant. It means things are not working as expected, which means they do not understand what they thought they understood. For all anyone knows at this point, there may have been a 90% probability that the explosion would damage an adjacent engine, and they just lucked out this time."
Reports indicate that SpaceX had taken such a scenario into consideration. Each engine has a blast shield to help safeguard adjacent engines from blasts. From what I've read, these weren't called into play because the engine in this case, despite a failure, failed safely (meaning as per a design which caused the engine pieces to blow away from the craft, minimizing risk to the other engines).
So on a scale of "This did not just happen" to "Break out the bottles", this probably rates as an "Eh...get the design team in here; we've got things to look at."
Re: Food for thought.
"One question the police would, however, never answer is why it was still acceptable in the circumstances for them to be firing their laser speed devices directly at the front of motor vehicles."
One, LIDARs don't need a lot of power to work: just enough to reach a vehicle a few (at worst, tens) of meters away and reflect back (usually via your plate or lamp housings). Some reports I've read indicate the laser used is only rated in the tens of mW--not exactly in the danger zone. Two, LIDARs normally use beams outside the visible spectrum (typically infrared or ultraviolet). Three, police don't tend to fire them until you're close (A, because it helps minimize exposure time and the chance of hitting the wrong thing and causing a false reading, and B, because it makes it too late to detect when you're being clocked).
I correct myself about the American design in the 60's. Even the Saturn V had multiple nozzles but even then they accounted for a single-engine failure. Still, with fewer engines, there were fewer things to go wrong. The trick then even as now has been to get the right balance between redundancy and delicacy (more engines makes the system both more robust--able to withstand a non-catastrophic failure--and more delicate--more prone to an outright catastrophic failure--at the same time).
The Soviets during the Space Race trended toward multiple smaller engines while the Americans preferred one big engine. The main issue in the 1960's I think was that for the Soviet engines, you had to make sure all of them worked because there was no margin for even a single-engine failure. It wasn't just a matter of power but also of balance. If one of them blew, the odds are the thrust would become so uneven as to send the rest of the craft into a death spiral. Under that kind of math, the American design made more sense since you had fewer potential points of failure.
I would imagine in this case that SpaceX has taken a single failure into consideration and had means to compensate for it (albeit not ideally), but this moment probably will have the designers sitting down in the morning and having serious discussions.
Re: So what's the difference between this and the
An update to that. The SCOTUS refused to hear the case, meaning the decision stands for the 9th Circuit. The law can still be challenged on grounds of "copyright misuse" (which was left unresolved) or by an alternate interpretation in another circuit (which could then force the SCOTUS to decide due to the conflicting rulings).