Many have noted that is IS disabled by default on most of the routers. I know it was disabled on my DIR-615 (since replaced with a new dual-band ac router).
4314 posts • joined 10 Jun 2009
Given that most of these devices DO support WPA2, which supports AES as well as TKIP. These have not been compromised and most of the talk about WPA2-PSK cracking has been in the same old problems: weak passwords. As for the WPS button, which IS handy so I don't have to carry wound my standard-limit WPA key around, especially to devices where entering the key is difficult, I just make sure to use it carefully so that the device is most likely to be seen first, and I check my client tables afterwards in case of intruders.
Re: None so blind, etc.
"It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair."
With something like this, the usuall fallback is the factory reset, which is supposed to reset the firmware back to default settings (which are written in the manual with the caveat that you're supposed to CHANGE it once you're in). Failing that, there's also usually the emergency flashing mode, which should allow for the flashing of ANY firmware in a local setting. If even that fails, then there's likely something fundamentally wrong with it and it will need physical attention in any event.
Re: It would be nice to think
It does, usually. Thing is, is that enough or can this be triggered even with remote management turned off?
Re: "market it to buyers who liked the idea of being Zuckerberg's neighbor"
Still makes me wonder what would've happened if some other rich (if not richER) person made a counteroffer over the top of Zuckerberg's and got one of the properties instead. THEN turned out to be the kind of untrusting person who spied on his/her neighbors...
Re: whip that deceased equine into a metric ton of viscous froth
"1. Copyright and patent law are substantially fair, equitable, beneficial and very much net-positive, with one glaring exception: software patents. Applying patent law to software is a flawed premise, much because the lawyers and judges that argue and decide these disputes are rarely if ever even remotely qualified to do so. If software designers were involved in every step of the patent process it might be marginally workable (though speaking as a software architect, I can't imagine anything I'd rather do less.) Nearly every software patent I've seen was based on fallacy, and virtually every high-visibility case of enforcement, imho, has constituted abuse of civil courts."
The BIG big thing with software patents is that the length of the term is extremely long compared to the speed of the industry (heavy equipment might get turned over every decade or so--software, perhaps 2 years). The simplest and IMO best way to control software patents is to simply shorten their terms to something like 3 or 4 years. That encourages the patent holders to cash in as quickly as possible but in ways that are productive, as any attempt to troll runs them the risk of the clock running out before they win (given the intentinoally-glacial pace of the court system).
"2. At the end point, DRM-protected content must be rendered viewable and/or audible for the consumer by a digital device. When said device happens to be a PC, trying to protect that content at the application or protocol levels is futile, that pesky need to render thing makes it ultimately copyable. DRM would need to be inherent to display/audio device drivers, to offer comprehensive protection, but the pace at which both hardware and operating systems evolve makes that approach way less than practical."
You'll note that some content providers are SPECIFICALLY excluding PCs in general. 4K content will ONLY be rendered on purpose-built devices certified by them to obey only THEIR rules, which will likely include signal monitoring and tamper-proofing (yes there's the analogue gap, but in their eyes that defeats the purpose). Now, for anything where a PC is concerned, yes, that cat is likely to get out of the bag because they lack control; that's one reason many content providers are leery to embrace the Web. Thing is, the Web needs the content, but the content doesn't need the Web. There's a possibility the Web could be relegates as more and more providers demand strict controls on their content that the Web just cannot provide; they're basically going to start demanding DRM as a first prerequisite to providing the content AT ALL.
Also, while some people will engage in art for art's sake, they're a considerably minority. Many of our most recognizable works of art were not done for art's sake. Nearly all of them were commissions made by rich clients or institutions. Which goes to show even the greats like Leonardo da Vinci had to make a living.
Re: DRM is fundamentally broken
Perhaps, but I think all they really want is to prevent it being captured at the full resolution, and to do that, they can establish a hardware-based chain of trust from end to end. THAT at least is possible, as is seen by a number of chains of trust that have yet to be acceptably broken. The only way around the chain of trust is to employ the analogue gap, and to them that's an acceptable loss as the resulting loss of quality would defeat the purpose (much as they're not too concerned with camcorders in movie theaters--the quality is too low to be of mass appeal barring desperation).
You know that'll mean they'll leave the PC and digital area altogether. Like I said before, the staked involved mean the movie makers would sooner take their ball and go home. If they can't control their product, they won't provide it at all. That means they'll go back to theaters, airports, and television. No more home movies for you forever (and it's not like they get the bulk of their revenues from the home video market anyway--most of it comes from the box office).
Re: DRM does not belong in the standard
The problem is that while DRM will be proprietary, it will more than likely not be LIMITED, meaning DRM content will either EMBRACE the web...or MARGINALIZE it. The Web needs the content, but the content doesn't need the web.
Re: He does NOT have a point
"Extrapolate the development of DRM into the future and we might well end up with a compartmentalized system managed via routine ('standard') DRM. There are obvious interest groups that would love this development: big publishers, control-freak security agencies, anybody that hopes to control and monetize your data consumption. It's a slippery slope."
You forget one important detail. Providers don't HAVE to use the Web. Nor do they have to publish their stuff in the ways WE want it. THEIR stuff, THEIR rules, and if you don't like it, the door's right there.
That's the most fundamental thing we have to realize. It's THEIRS, NOT OURS (if it were ours, we'd be communists). Unlike music, movies have large budgets, so they take big risks (a record bomb might be six or seven figures--a movie bomb is at least eight; Heaven's Gate was a $40M bomb 30 years ago). They're MUCH more risk-averse and more likely to take the ball than just let it go.
What Berners-Lee is saying is that if you don't standardize DRM on the Web, the content providers (who won't go without DRM no matter how much we kick and scream--live with it) will go OUTSIDE the Web to other protocols like RTSP, which may not be as open or as well-understood. Or they'll continue to encapsulate their HTTP traffic in proprietary ways. Either way, the Web becomes secondary to them.
So basically, DRM is here to stay, like it or not, and it can exist with or without the WWW. So the choice is yours: embrace DRM or relegate the Web. No middle ground is possible.
As for the whole patent/copyright debate, they both have their uses. They're an alternative to commissions by the rich, which were how the most recognized works of art were typically made before the modern system. Most artists need to make a living, and these give them a possibility without rich clients. We don't need to abolish them, just limit them back to the way they were before: short terms enough to make a living off but not enough to excessively milk. We should also account for the accelerated pace of some industries and make some terms even shorter (ex. make software patents 3-4 years long to account for rapid progress in the tech industry--and no, copyright won't work on a technique since you can weasel around copyright with a clean-room copy--that's how the PC Clone BIOS was made; only patents can cover ALL the bases).
No, because booting from a CD-ROM would break a chain of trust., as there's no way to verify the CD-ROM is official from the BIOS. The hard drive can initially be set in the factory and sealed in the box (note the crooks have access to the FACE of the CD-ROM, NOT the internals of the machine; drive housings can be bolted down with one-way screws so they can't be removed) so that any further updates have to be signed before they're accepted.
Re: BIOS Password
But then how do you update the machines when security patches are mandated? That's probably why the CD drives are there: to facilitate updating. That being said, the drives should not be bootable. The ATM software should be the one in charge of the updates and should insist on signed code from the CD-ROM before updating.
Based on what I'm hearing, I don't know if these are official offsite bank ATMs being hacked. I suspect these are more second-tier ATMs like those I see in a mom-and-pop store.
Re: Don't worry
Nothing. That wasn't the point. Plus the downloaders don't work with protected streams. They have to pass through third-party DRM systems before YouTube can negotiate them. Getting THOSE downloaded is a lot more difficult.
If you're coming in for a visit, just get one of the prepaid SIMs. To an extent, prepaid has been less subject to price gouging, and rates tend to be competitive amongst providers (though the best plans tend to be based on the T-Mobile network; AT&T-based MVNOs can't seem to undercut the parent company, whose rates tend to be higher than T-Mobile's. And since Verizon still uses CDMA for voice comms, support for international phones is hit-or-miss: mostly miss).
As much as I appreciate the ability to tinker around with the Pi, perhaps it's time to look for something with a little more oomph. My eyes have been drifting towards one of the Cubieboards. The main thing I'm interested in with this is the additional memory it packs (at least 1GB), so you can dedicate such a device for more utilitarian things (I'm wondering if I could turn a Cubieboard into a Freenet server; CPU isn't a big thing, but you need plenty of RAM to keep things running at a smooth pace).
Re: Digital signature conundrum
"Which leads me to conclude one of two things must be true. Either we're all radically missing our guesses as to how this "watermarking" will work, or Hollywood's emperor is still standing there in his best birthday suit."
Perhaps the information is stored in the I-frames. Those frames don't rely on adjacent frames and the most likely to remain I-frames or keyframes when transcoded, as the I-frames are typically chosen for being too distinct to use difference coding.
Thing is, challenge or not, some things just prove too hard a nut to crack.
Take the Nintendo Wii's boot1 system. It's a tiny program encoded with an encryption key buried in the OTP memory only visible to one of the processors. The key never leaves the processor. in any way, shape, or form. After Nintendo fixed an exploit, the end result was that boot1 secured boot2, which prevented certain types of hacking. To date, no one's broken boot1 or found another way to access boot2 to restore the low-level hack.
Many SoC systems that run things like tablets have similar hardware-based chains of trust. They rely on the same principle: the initial boot code is signed by a key unique to that processor (and it's a key pair--one of which is kept in the processor and can never be changed, the other is kept by the manufacturer under lock-and-key). To date, I don't recall too many of them having been utterly broken except by slips in implementation. Properly done, most hackers go AROUND the problem, which may not be an acceptable solution depending on what is needed.
Shows that SOME implementations can be done right to the point that even the most determined hacker can't get through.
Re: No need to break the scheme to avoid jail
Don't most of them lock the card until you register it (as in submit your identity)? At least that's how I see it work in the US.
Re: Digital signature conundrum
"Or perhaps get a dozen, twenty or even a hundred legit watermarks from hacking, social engineering and or volunteers, then liberally paste ALL the watermarks into the pirate copy. Call it the " I am Spartacus" defence. How would the industry prosecute if they can't pin it down to one person?"
Probably with the Ring Sting technique: BUST EVERYBODY!
Seriously, these watermark people aren't stupid, and you have to figure out which part is part of the watermark, which part is part of the real image, and which part is red herring, and odds are, due to the encoding technique, no two copies will carry identical segments, meaning fingerprints are smeared across the ENTIRETY of each individual copy. Plus, I suspect the watermarks could be encoded with some form of parity correction. Think instead of bits of the ID scattered across the movie, you have bits of the ID along with with perhaps triple or quadruple parity mixed in with it. WIth parity, all you need is some piece of the original and enough parity data to fill in the gaps. With that kind of setup, cutting and pasting probably won't be very successful in removing the ID (the pieces would probably contain at least one original chunk and enough parity) and may in fact result in revealing multiple IDs which can then be Ring Stinged.
Re: Digital signature conundrum
"But there's a big flaw in the plan. Watermarking is all very well for streaming, but the bulk of sales are still plastic discs, and the process of mass-production doesn't allow for them to contain unique versions. So as soon as one playback device is compromised, it all falls apart."
BluRay shows a way around this: the ROM-Mark, which is stored in the Burst Cutting Area, the part of the media between the pits and the spindle hole. They can design the plastic media to have two areas: a pressed area and a burned area. The burned area would be processed with a quick technique to slap on a number of keys in some standard way. As for preventing them being read, perhaps they can only be read by a certified device built by a licensed and bonded manufacturer (like with the ROM-Mark devices) which invoked a trusted path technique to be sure the device hasn't been tampered. It's like the article notes: hardware-based tamper-evident roots of trust.
"Do you think a pixel precise time based watermark will successfully survive the rip, resize and transcode to be able to successfully determine with reasonable certainty which source the transcode comes from?"
The thing about watermarking systems is that they recognize the potential for mangling the watermarks through transcoding, so they go about it in different ways, using the codec system to create various artifacts that can survive transcoding, and many of them are block-based as well as time-based. That's why Cinavia's audio watermarking system is better than most: it's designed to keep its data above the noise floor so that it's more likely to be preserved in transcoding. Most watermarking systems like the Cinavia one also introduce plenty of redundancy, creating multiple gotcha points. The tradeoff for a system this robust is that you can't encode a tremendous amount of data in the stream, but if all you want to encode is identifying information, that's not that big a deal. A robust system spraying the ID information all over the stream, again and again and again in random intervals. It's gonna make for a very hard cleanup job. And you can forget about trying to mix and average two streams. Random intervals means you're more likely to MIX them together rather than destroy them (IOW, they'll be able to tell you used TWO sources in an attempt to mangle the data).
Re: They'll get around it, next time...
They DO have one big thing going for them: they know the terrain, and knowledge of terrain can be a great equalizer in an asymmetric war. Vietnam, Iraq, and so on have used knowledge of terrain to their advantage.
Tell that to that one Congress during the Kennedy Administration (I think) that got a whole lotta Fifths. The thing is, if what you are compelled to disclose could result in the revelation of culpatory evidence, you are at risk of self-incrimination. I'm sure a lawyer could make a case on those grounds and drag the proceedings for months if not years.
Re: "Just short of a criminal act"
"That was a complete bullshit thing to even say. Our legal system doesn't work that way. Something is a crime or it isn't. It isn't part of the judges or prosecutors job to prove something was almost a crime."
But the thing is, you can't ban something RETROACTIVELY. It's forbidden in Article I, Section 9 (along with Bills of Attainder and a few other things). They can only punish for present or future activities. But since Lavabit's turned off, there's no more present or future activity, and they can't force him to turn it back on because that would mean retroactively banning turning it off.
Re: "Just short of a criminal act"
They can't. The reason it was "just short" was because he closed it before they could actually perform a realtime subpoena. As it stood, he altered the situation so that any request they demanded would be considered retroactive, which is explicitly forbidden in Article I, Section 9.
Oh? What if his OWN account was in the bunch and turning over the keys would mean potential self-incrimination, which is explicitly forbidden by the Fifth Amendment? Then he can argue he has to obey a higher authority (as the Constitution is the highest law in the US).
Except the US has that base covered, too. Most other western-friendly countries have cooperation agreements if not outright mutual defence treaties with the US, meaning if the US makes a decent case, they'll do the work for them. The only other nations left then are those hostile to the west like Russia and China. Problem is, they have their OWN agendas and are just as bad. IOW, you're gonna bend over no matter where you go.
Furthermore, at least the US didn't threaten to jail him for not disclosing the key: just fined him. The UK has a law in the books that demands a minimum two years for the same offence. In fact, I'm surprised he didn't put HIS OWN account into the same mix and then plea the fifth, saying disclosing the private key would compromise his own account, potentially resulting in self-incrimination.
"Actually, it raises an earlier question. "Are they lying in order to keep their well-paid jobs?"
And that's not a hard question to answer at all...."
That just raises the hard question right back: Are selfish toadies the inevitable result of our system because they're willing to do immoral things? If so, like I said, the cutthroat competition will progress and we'll inevitably slide towards autocracy (one winner) or anarchy (no winner).
A new stock phrase will enter the lexicon.
Just as "We can neither confirm nor deny" entered the common vernacular, I think we can safely say the next such phrase to join it will be, "By this statement, we the owners and operators of this site hereby swear that we not under the active investigation, cooperation, or influence of any government agency."
PS. Wonder how long before they amend perjury laws to make it both legal and mandatory to lie under oath to conceal matters of national security.
The thing is, if most humans are cowards, then the Coward condition IS essentially the Human condition. Remember, they can outvote us. Intelligent but principled humans are destined to lose because, being principled, we're unwilling to exploit the cowards. Since nice guys finish last, only the most ruthless systems prevail, meaning we gravitate to extremes where extremists prevail.
"They are there to enforce justice, not to prevent things before they become crimes."
Except for most people, the commission is too late. What comfort is arriving at a murder scene after the fact. They'd rather the murderer be caught before he kills. See the problem? More and more, the commission is too late, as the perp has probably gotten away or the victim is beyond repair.
They're basically saying, "If we don't, someone will use this and launch an attack that will DESTROY the United States." In other words, they're claiming an existential threat: the worst there is. Against such a threat, no holds are barred.
Thing is, that raises a "hard" question. Is it worth protecting freedom when that same freedom can also destroy you utterly? In other words, instead of "Live Free OR Die" it's actually, "Live Free AND Die"?
What if the human condition won't allow for a happy middle ground between totalitarianism and anarchy, at least on the grand scale, and society will inevitably gravitate towards one or the other whether we like it or not?
Re: IPV6 IPV4
That's probably because 2 billion of them are sharing only a handful of addresses. Ah, the marvels of NAT... (Pardon, using Troll as best substitute for Sarcasm Mode).
Re: Pinning the activity record to a persona
You're not paranoid enough.
"As regards 2, why can I still walk into PC World and buy a t-mobile mobile internet dongle for £10 cash then put credit on it using cash with the payment card enclosed in any newsagent? If I use that with new hardware (no previous network use) you don't know who I am. And can't."
Oh heck YEAH I can. The phone can track its general location from the network masts it accesses (you can't avoid that; it's part of the system), and if your phone has a GPS receiver, that'll nail you down to within a meter. Now just pass by SOME camera that's either posting to the Internet at large or is accessible to the plods and BANG: face linked to a space-time stamp. More than a few crooks have been nailed by that kind of link (if not cell phones, then ATM records or the like). And good luck avoiding the cameras. Like I said, they don't have to be owned by the government for them to be able to access them. That includes things like cell phone cameras and store surveillance systems. Big Brother's got plenty of buddies.
Re: Miss Information
"I am in scandinavia and lo, something called "SwedishNSA" appears to be a participant in my part of the network."
Credits to milos that's a joke name. Given my very limited understanding of Swedish, the appropriate initialism for what would be Sweden's national security agency (if any) would be a different arrangement altogether.
Re: If it pisses off the Spooks
"Are there particular jurisdictions where you could host an exit node with less concern about the potential legal blowback?"
I don't really see any. The exit node problem is basically the same as the "trusted storage" problem: the authorities there can get access to the data in either case, and if it is against their law, BOBHIC.
In such a case, DTA seems to be the operative procedure. Anything that's friendly to the west is likely friendly to the US, which means friendly to the NSA. Out of what's left, you have (1) regimes even more oppressive or domineering like China and North Korea, (2) countries that, while not oppressive, still have their own rules you probably wouldn't like, or (3) countries whose internet is basically too weak to use.
Re: Commercial fusion may not be as far away as you think
"Tritium has to be manufactured in fission reactors by exposing deuterium to neutrons."
Actually, another way to get tritium is to bombard lithium-6 with neutrons. You usually end up breaking it into tritium and stable helium-4, plus a decent amount of energy to boot. That's why many countries are keeping tabs on lithium supplies.
Re: Not so big a snag.
Then you forgot how much a 3DO system COST in those days. THAT was what killed the 3DO and the Apple Bandai Pippin. Both were going some $500 when the original PlayStation was capped at $300, and neither one could justify the added expense (Sony could undercut because they had some vertical integration, much as Commodore did in its heyday).
But these days, barring the extreme high end, a PC costs pretty much the same for a given spec: perhaps a tad more if it's prebuilt.
Re: They seem to be doing everything right, apart from...
That's the thing. AMD's Linux support isn't as robust as nVidia's. The fglrx driver series isn't as well-developed, and support for GPGPU and GPU-assisted rendering is a little behind the times (ex. XvBA, AMD's answer to nVidia's VDAPU for GPU-assisted video rendering, falls flat on my rig, and GL rendering is buggy as all getup). Plus, at present, TF2 doesn't run as smoothly as it did on my Windows install, so not everything's there, it seems.
Not so big a snag.
Note that ALL the CPUs are Intel-brand Core i-series and ALL the GPUs are nVidia-brand. within a generation of each other, and all using the same driver set. The spread is among those two brands, and they're all essentially compatible with each other. Some are just beefier than their brethren, which means if it runs on one of the boxes just fine, it'll run on ALL of them (some not as well, but at least it's not going to break). So in this case, Valve is looking for a reference spec they can say, "build to this and we can vouch for your experience".
Valve is essentially doing that I'd been thinking about for some time: opening up a gaming console by essentially setting a reference design and letting other companies use that as a basis for their own Steam Machines. I'm pretty sure they won't get the designation without some compatibility testing, but Valve is getting into the console market without having to tie themselves too tightly to hardware, and since we're talking the mature PC market (a market SO mature that BOTH Microsoft AND Sony essentially chose it for their new consoles--consider THAT), problems will probably be few and far between these days.
Re: I wouldn't mind one
HDMI has been a standard feature of video cards for a while now. They even now come with basic sound chips to make the HDMI output basically feature-complete.
Re: Way to miss the dick in your digestive tract
"You must be thinking about the $17 TRILLION* bailout given to Wall St. by... wait, who was controlling all three branches of the government in 2007?"
It was SPLIT in 2007. No one party controlled the entire government. Dems retook the House in the 2006 elections, giving them control of the ENTIRE Legislature (they'd been holding the Senate for a while and still do).
Re: Will Google change sides?
Conceivably, yes. They wouldn't be very popular, yes, but it's similar to those exit ramps that are only useable by ETC users--cash users are barred.
Re: Why people don't move on
And what about those people that got XP-prebuilt computers and have no desire or money to step up the OS, meaning they're stuck with the OEM XP and the sticker on their machine? Plus the software they're using isn't Linux-, WINE-, or VM-friendly, meaning they're stuck with the machine, essentially.
And you wonder why they're so far behind? Because clean-rooming an entire OS with all its quirks is, simply, A SLOG. Especially when under the legal onus of VERIFYING their clean-room procedures (a slip of which caused a complete code review at least once). Plus they're chasing a moving target in that Microsoft has released three new versions of Windows (which include significant revisions) in the meantime.
Re: Yes, but...
"I can't think of too many practical technologies that weren't theoretical technologies first.
So, 'Good show,' say I, and have a pint."
The trouble is that you show theoretical tech that, nine times out of ten, never makes it out of the lab. This isn't the first time we've seen data-crystal tech in the lab, but in the 20+ years, how far has it gotten? Why can't we use data crystals NOW?
I don't mind all this theoretical tech. Just don't GRANDSTAND it. Save it for when your drive appears in a Best Buy or something.
Until then, I'll have that pint another time.
Re: Install a Kill Switch?
ISTR the second amendment prevents the government from seizing legally-owned firearms, yet that happened quite a bit in Louisiana post-Katrina. At least one incident made the news. The justification? Martial law.
I would think a similar 'threat to national' security that uses a different part of the Constitution might be used to override the Fifth Amendment on the grounds that, without it, the US is doomed, rendering the Fifth moot anyway.
Re: OK, but where was it hosted ??
1. Know enough about the trail and you can find an .onion site. El Reg covered this previously.
2. If the host country is friendly to the US, chances are they'll be willing to cooperate.
Re: Doesn't need TOR-cracking abilities
Also seems to indicate the host is not in a country hostile to the west.