* Posts by Charles 9

6654 posts • joined 10 Jun 2009

Trustworthy x86 laptops? There is a way, says system-level security ace

Charles 9
Silver badge

Re: Going back to dumb terminals ...

But at the same time, you reduce the attack surface, meaning hackers concentrate on the few places left, and as the saying goes, they only have to be lucky once. As for separation of code and data, that's impractical if one of the programs you have to run is a compiler or something else that must use the von Neumann blurring of code and data (data is code and code is data). Plus there's things like Return-Oriented Programming that can use existing code (and thus defeats both Data Execution Prevention and the Harvard separation of code and data) to do its work. Finally, the tighter you lock things, the slower you make the business until the economic factor kicks in. If you make things TOO tight that things can't get done, people start finding ways around your security. In the end, you have a business to run, and that business is run ultimately by people.

1
0
Charles 9
Silver badge

Re: ALL YOUR x86 ARE BELONG TO US

Last I checked, biro (ball-point) pens still used ink. I believe you're referring to a fountain pen or some other type that writes without a lot of pressure. I believe you can get similar results with a felt-tip marker-like pen (using one very light not only doesn't leave an impression but controls the possibility of bleed-through).

1
0
Charles 9
Silver badge

Re: It's Turtles all the way down!!!

"how do you know the 3d printer isn't infected? You build the first printer from scratch, and it has very limited functionality, just enough to build the next printer, and you iterate, so that at the end you have a trustable device. This isn't reasonable for a person to do, but for a state actor, maybe..."

But then, a state actor may have the resources to subtly subvert the very first printer you make (on in the other example, the system on which you build the initial assembler/compiler). And they may even defeat the technique to detect the latter (cross-compile against a known-good compiler) by making it so you can't be sure you have a good compiler.

1
0
Charles 9
Silver badge

Re: Going back to dumb terminals ...

"There was IT before we had PC's, smartphones & tablets. There were millions of end user devices like 3270's and VT100's, but there was no malware problem. Building dumb terminals with browser capabilities shouldn't be rocket science ..."

One problem. You just put the eggs in one basket, so to speak. Sure, there wasn't a big malware problem in decades past because the terminals weren't worth breaking, but hacking has existed as long as IT, too, and what was the big sci-fi element of the 80's? Hacking into those big honking systems that all the dumb terminals connected to. Sure, single point of defense, but also possibly single point of failure.

1
0
Charles 9
Silver badge

That problem will exist as long as humans exist. As a comedian once said, "You can't fix stupid."

1
0

3D printer blueprints for TSA luggage-unlocking master keys leak online

Charles 9
Silver badge

Re: Tie Wrap

Not if they use the ol' "pen in the zip strip" trick, which is reversible.

0
0

China wants encryption cracked on demand because ... er, terrorism

Charles 9
Silver badge

Re: Whistling in the Wind?

China can do whatever it wants. It's a sovereign nation.

0
0
Charles 9
Silver badge

Tibet, I'll give you since it's adjacent to China and still in dispute as far as China is concerned, but to engage in action in another sovereign state against actors against their interest raises an international stink, and they're already getting dirty looks from various other powers both near and far.

0
0
Charles 9
Silver badge

Re: Clipper Chip - history repeats?

Thing is, the Chinese state, unlike the US, doesn't care. The government is itself immune from the legislation so they can use whatever robust encryption they want. It's the plebs they're trying to control, and they could care less if the citizenry's encryption gets broken. Hell, odds are they'll be the ones breaking it, thus the way the law's constructed. If someone else does it, too, it's not like it's going to end up biting them.

1
0
Charles 9
Silver badge

Re: ban mathematics...

From a security standpoint, even with compartmentalization you can still employ gestalt-type exploits like race conditions. These don't depend on any individual component but on how they interact as a whole (thus why I call them gestalt--something beyond the sum of the individual parts). This is something beyond the scope of the individual pieces and subtle enough that it would probably get past even a standard examination.

As for why anyone would allow this, only by mandate. Otherwise, you're talking trade secrets and Sharing Information With The Enemy. Sorry, but the OS world is too competitive to standardize at such a low level.

0
0
Charles 9
Silver badge

Re: Steganography is the key

Or you can mangle the stego by noting the inconsistencies (like capitalization in the middle of a word with no capital to begin—and BTW, Chinese uses a different grammar system) and automatically correcting them (same for extraneous whitespace), just as images can be distorted and its palette flattened to mangle any stego in there. Who cares if you can't detect it, as long as no one else can, either? A determined adversary like the Chinese state can probably slow any usable stego to a crawl.

0
0
Charles 9
Silver badge

Re: ban mathematics...

"That leaves Android and other FOSS apps that cannot be backdoored (without serious intellectual effort, not necessarily purchasable or available under torture)."

But quite possible with a very smart mole who hides the exploits in bits and pieces scattered throughout the code, each piece inextricably tied to a legitimate function so it's not only tough to spot but hard to remove without breaking something else. Even with a million pairs of eyes, it's still tough to spot a chameleon hidden in the leaves of a tree.

6
0
Charles 9
Silver badge

Re: Don't stand downwind

"Some people will want to build a nice thing, some other people can't, so they will tear down nice things, as that is their thing. It's a stupid thing, but there are lots of stupid people, so don't look surprised. Build a nice thing that is stupid people proof, and then we'll all be better off."

A pipe dream. Make something foolproof and the world responds with a better fool. And you can't fix stupid. IOW, we're all already in the handbasket; we're just halfway down at this point.

PS. The amount of resources needed to make a true working quantum computer pretty much precludes everyone but entities where money of at least 9 figures is no object. That pretty much leaves only states. And I'm pretty sure they're already aware of post-quantum systems and are already working on ways to beat them.

3
0

Kaspersky says air-gap industrial systems: why not baby monitors, too?

Charles 9
Silver badge

Re: @Charles 9 (was:@anonymous boring coward

If you can demonstrate someone who can memorize a complex PLC program in their head just by reading it from a screen, then going over to an isolated machine and keying in the same program, without mistake or means to verify there is no mistake, then I'll withdraw my claim.

0
0
Charles 9
Silver badge

Re: @anonymous boring coward

""Stuxnet", for example, was delivered by SneakerNet into systems without a clue about actual air gap security ... SneakerNet in this case being the wire, albeit a one-way connection[0]. A true air-gapped system would have never have allowed Stuxnet to propagate."

The thing was, for something like was targeted by Stuxnet, true air-gapping was impossible as parameters have to be entered into the system to change its operation. In this case, it can be a complex set of instructions: too much for a human head to enter correctly, AND it's intolerant of input errors (unavoidable: the products in play are intolerant by nature). It's a necessary evil of a dynamic system; Stuxnet exploited the necessary evil. With something of state-level importance, few precautions can be considered too extreme since an enemy state will find and exploit the one you leave out.

0
0

NSA spying on US and Israeli politicians stirs Congress from Christmas slumbers

Charles 9
Silver badge

Re: h4rm0ny Seriously, though

"No. Mostly because it's a state built on stolen land and the genocide of the indigenous Palestinian population."

No. Because it's a state built on land stolen FROM them and the genocide of the 12 Tribes of Israel. They claim the land is theirs by God-given right, so their claim is absolute.

So unless the Palestinians can claim to be the descendants of the people of Jericho, from whom God took the land that was to become Israel, it's a land dispute where each side claims rightful ownership with proof. And since part of the land is considered sacred to both sides and can only be sacred if they and they alone possess it, well the only way it can turn is ugly, which is why Israel tends to take a defensive stance over their ancestral home.

1
3
Charles 9
Silver badge

Re: Why is this news?

The trouble with a DTA attitude is that eventually you stop trusting anyone, not even yourself. That inevitably isolates everyone and civilization would collapse because society requires a certain level of trust to function.

4
0

John McAfee rattles tin for password replacement tech

Charles 9
Silver badge

Re: Who will be pleased?

(= what we know and nobody else knows).

Trouble is, are there REALLY things we know that nobody else knows or rather there are things we know and only THINK nobody else knows. It's like searching for that absolute truth everyone can universally agree upon. I suspect it'll be like chasing unicorns; there's no such thing as something ONE AND ONLY ONE person can ever know. So what else can we use?

0
0
Charles 9
Silver badge

Re: Close, but no cigar

So what about if you only carry one factor on you: the fob, because you don't believe in cell phones, for example?

And what if your memory is so bad that even ONE long password is problematic ("Now was it 'correcthorsebatterystaple' or 'cotterpindonkeypetrolwrong'?)

0
0

Good news! US broadband speeds are up. Bad news – they're still rubbish

Charles 9
Silver badge

Re: One of my pet peeves

No, it's mostly down to raw capitalism. It's especially true out in the sticks where small communities would like to get on the Internet, don't want to go to the cities (which is why they're out in the sticks), and face the little problem of the nearest trunk line being 100 miles away or so. Laying a cable from there to the town is going to cost a pretty penny, but the community doesn't have that kind of money. So they're basically over the barrel which is why cable providers offering to roll out to the sticks can coerce exclusivity agreements out them. For many it's a simple matter of bend over or go without, and the community won't accept the latter.

0
0
Charles 9
Silver badge

Re: Typical Feral Blovating

Age.

London is an OLD city, meaning full of built-up infrastructure that you have to get around to put in new infrastructure. Sparse places don't have as much infrastructure. Nor do young cities like in the Far East where lots of stuff got REbuilt. As I recall, New York City suffers from the same problem in places, particularly Manhattan where infrastructure is a case of trying to cram a baker's dozen in an egg carton.

1
0
Charles 9
Silver badge

Re: 8 years

They may change their tune if Verizon or AT&T start bringing fiber to your area. Cox has to keep their prices down after Verizon FiOS was rolled out in my area (since the two now directly compete service-for-service).

0
0
Charles 9
Silver badge

Re: Advertised speeds?

They're BOTH involved since the ads go through and involves a communications medium. The FTC gets involved because of trade practices, the FCC because of the use of a regulated medium.

0
0
Charles 9
Silver badge

Re: Typical Feral Blovating

Grant County got the deal because the fiber company responsible for it wanted to make an example. And they didn't want to do a ton of infrastructure costs, so they use a sparse, rural county that happens to be up north and not TOO far from the IT haven of Redmond, meaning they've got a major data trunk nearby. And note, they went NORTH, where natural cooling attracts data centers (which is what happened to Grant County--big companies built data centers there). I doubt you could make the same case in, say, Tuscon, Arizona. As they say, read between the lines and you'll see there's more to the story than meets the eye.

Color me impressed when a rural community in the middle of Nebraska (or like I said, a place like Arizona or New Mexico) can do their own high-speed installation without some carrot deal from a provider (which is how most communities get locked in: many times the providers demand exclusivity before they'll agree to send a data line their way, take it or leave it).

2
0
Charles 9
Silver badge

Re: Advertised speeds?

Thing is, the FCC regulates advertising. Sure, there is the catch-all "up to", but the FCC can still check to see if the advertised maximum rate is in any way feasible or within reason, and if it isn't, the ISP can still be nailed for deceptive advertising. IOW, the FCC's survey can have legal consequences.

0
0

North Korean operating system is a surveillance state's tour de force

Charles 9
Silver badge

Re: One thing is mind-boggling

You fail to understand the Nork government is in a whole different world from the plebs. The systems running on the Nork government computers are bound to be totally different from Red Star.

1
0
Charles 9
Silver badge

"I wasn't aware of that. It certainly was not the case ten years ago when a colleague was ordered to put his laptop in checked luggage. Rules and regulations change though, so I will take your word for it."

That was before we started getting reports of exploding iPods and so on. Then came the reports of Li-Ion and lithium metal batteries (those AA batteries meant to go in digital cameras) combusting spontaneously, even when not in use, due to the batteries being chemically active even when at rest. Look at the controversy around the 787. Plus lithium is a pretty touchy element chemically: it can react to moisture (just like sodium, one row down on the periodic table). And an in-flight fire is one of the biggest risks for an airliner, so anything that creates a fire risk is taken seriously.

0
0
Charles 9
Silver badge

"Airlines won't allow the laptop to be checked because of lithium batteries. Same goes for any other reasonably recent/modern gadget."

Most laptop batteries are removeable and thus can be taken out so the rest of the laptop can be checked. Otherwise, you have a dilemma when you're told you can't put the laptop in to EITHER the carry-on (over the limit) OR the checked baggage (restricted contents). And since the laptop probably also contains the VPN keys, leaving it behind isn't an option, either.

0
0
Charles 9
Silver badge

Re: A serious question...

If UEFI secure boot with a custom key were required, then how are the researchers fiddling with it right now? Are they running it on Nork hardware, too (which BTW is x86-based, so no built-in security features via the CPU)? With home-grown hardware, even without EFI, it can be secured with a custom BIOS that has signature-checking capabilities (as this is a one-off, compatibility need not be an issue).

0
0
Charles 9
Silver badge

Re: "watermarks" vs. "appended"

You're confusing watermarking with steganography, as the latter is one way to robustly and covertly apply the former. Because this process occurs behind the scenes in the OS itself, transparent to the user, possibly by way of an alternate data stream, I would consider this a form of covert fingerprinting: that's watermarking in my book.

In any event, a series of fingerprints can be used in a technique known as source tracking, which is what this system apparently does to provide an audit trail of where files get transferred.

2
0
Charles 9
Silver badge

Re: Interesting possibilities for someone wanting to take down the regime

"Assuming you can get the ability to inject files into a computer in NK, and are able to fake the signature of a high ranking person's machine, you could create an incriminating file, sign it as if it was viewed by them, which once it became known to the right person would probably cause them to 'disappear'."

I think the way the system is designed, that's very risky, as you could just as easily commingle your signature with the target's, making it easy to tell it's a fake. Remember, the signature process runs within PID0, so you can't get around that without changing or compromising the kernel, and as the article notes, it takes precautions to prevent that. I wouldn't put them above integrity and signature checking.

0
0
Charles 9
Silver badge

Re: I'm gonna download this shit...

"what if I just don't give a fuck if the chinese take over my computer? like seriously that's some first world problem shit"

The problem is that if the Chinese don't target you, they'll use you anyway. Much like how the Chinese Cannon works.

0
0
Charles 9
Silver badge

Re: I'm gonna download this shit...

You're talking a Red Pill exploit aka a hypervisor attack. Something like that would make the technology news since AFAIK no malware has actually been able to break out of the VM and into the hypervisor. There's been a lot of conjecture about it, but nothing in the wild as of yet.

4
0

US Marines kill noisy BigDog robo-mule for blowing their cover

Charles 9
Silver badge

Re: All Terribly Silly

Donkeys have load limits, endurance limits especially under load, and have maintenance costs that continue even when they're not in service. And you wonder why trucks and other mechanized cavalry quickly replaced pack mules...

0
0
Charles 9
Silver badge

Aren't there fuel cell designs that use hydrocarbon fuel, which can be and frequently is transported?

4
0

You ain't nothing but a porn dog, prying all the time: Cyber-hound sniffs out hard drives for cops

Charles 9
Silver badge

Re: Disk-sniffing

But when Hum-Int fails (as in you keep saying, "No Comment"), then they call in the Forensics team.

0
0
Charles 9
Silver badge

Re: SSD?

"Ah, but they would have to prove that such existed. This is where the real danger lies: you could be accused of refusing to give up a secondary key where none exists,"

And that's why you're screwed. Plausible deniability doesn't exist against an adversary that assumes guilt, regardless of whether or not the law says otherwise. As far as they're concerned, you're an Enemy of the State, a direct threat to the future of the country's existence, so no holds are barred.

1
0
Charles 9
Silver badge

Re: Disk-sniffing

But still possible to reconstruct given a determined forensics team. And since nuking from orbit isn't an option, the next best choice would be something easily combustible since nigh nothing apart from a phoenix has been able to be reconstructed from burnt remains.

0
0
Charles 9
Silver badge

Re: So...

You may wish to use the "Joke Alert" icon in future if you intended this as a joke...if this was intended as a joke. (OK, if you used mobile, I'll forgive that)

I think he's referring to "skunk" as in a particularly odorous kind of marijuana. It would be the kind dogs would be able to sniff out easily if they were in range.

0
0
Charles 9
Silver badge

Re: So...

You'd be wrong. A dog's nose is that damn sensitive. IOW, they'd be able to sniff the dope AND the candle. You can't mask odors with a dog as they can pick out the individual scents. About the only way to beat the drug dog (and it's TOUGH) is to completely seal the stuff in gas-tight material and make absolutely sure no trace of it is left to permeate out and catch the dog's nose.

0
0
Charles 9
Silver badge

Re: This is...

No good. A fire hot enough to burn down such a big haystack is also likely to burn or melt the needle, defeating the purpose.

0
0
Charles 9
Silver badge

Re: SSD?

Unless the smell is not chemically repugnant to a dog. Remember, senses of smell differ from person to person; from species to species the difference can be even greater. One man's reek may be another dog's rose.

1
0
Charles 9
Silver badge

Don't think it's possible. Dog noses are naturally wet, so anything that would react to a dog's nose would also react to ambient humidity.

0
0
Charles 9
Silver badge

Re: SSD?

You underestimate the sensitivity of a dog's nose. Unless one of those chemicals is exactly the same as the drive glue, a dog can usually sniff it out in spite of covers because it can distinguish between the different substances. As one site put it, dogs smell the way we see: we smell a forest, they smell each tree.

1
0
Charles 9
Silver badge

Re: So...

As busted drug mules have found out, it only takes a tiny amount of residue for a drug dog to catch onto your swag bag, even if you vacuum sealed it and everything, simply because the necessity to handle the goods before sealing it tends to cause traces to end up on the exterior where it can be sniffed. The kind of attention needed to prevent this is close to the attention to detail found in chip foundries (also a place where tiny contamination has a big impact).

4
0

No, drone owners – all our base are belong to US, thunders military

Charles 9
Silver badge

Re: Accidents happen...

You forget the possible blowout swerve, which can occur spontaneous and immediately in front of another so there's no time to react, in the middle of rush hour which causes a chain reaction. massive pileups have been triggered with less.

0
0
Charles 9
Silver badge

For the record, what was the company that make that meme-worthy botch of a translation? I recall it being an early Neo-Geo game (as time passed, the companies hired better translators) so the two prime candidates are SNK and Alpha Denshi (who made the bulk of early Neo-Geo games).

0
0
Charles 9
Silver badge

Re: The part I don't get...

That's like stealing someone else's tags that don't match your car. Sure, it can cover your tracks for a time, but if they do catch you, they take your attempt at concealment into consideration as an aggravating circumstances. Meaning, it makes it harder for you to get caught, but if they catch you anyway, expect a harder punishment.

2
0

Feds widen probe into lottery IT boss who rooted game for profit

Charles 9
Silver badge

Re: More proof

"The odds of winning without having bought a ticket (perhaps finding the winning ticket on the ground or being left one in a will or something) are pretty similar to winning after having bought a ticket."

No, it's a world of difference. 0 in X, for any nonzero X, is always zero. 1 in X may be infinitesimally small, but it's still not zero. An infinitesimally small chance is always preferable to no chance at all.

0
0
Charles 9
Silver badge

Would be tough to prove. I have firsthand evidence that the pattern's tough to predict. Once saw a guy buy out the last 14 tickets of a book of 40. Not one winner. Over a third of the book. And the overall odds of these things typically hang around 1 in 4.

0
0

Forums