Well, this bodes ill...
...for the upcoming Internet of Things, which ought to provide some novel and exciting attack surfaces if IoT makers care as much about security as router makers do.
579 posts • joined 17 May 2007
...for the upcoming Internet of Things, which ought to provide some novel and exciting attack surfaces if IoT makers care as much about security as router makers do.
Maximum Overdrive! There's a stinker of a film and no mistake. I saw it in the theaters with some friends of mine, and we were absolutely rolling with laughter, until about midway through when we realized that (a) nobody else was laughing and (b) the actors all seemed deadly earnest. I recall looking at my friend Henry and saying "this movie isn't a parody, is it?" and he shook his head and said "no, I don't think it's supposed to be funny."
Hooray! That's one down...now, how many more to go?
I definitely get the appeal of the hacker spirit, but I don't think it's dead, I just think it's gone in another direction.
Adding RAM to your computer hardly qualifies you as a "hacker" any more. I mean, hell, my mother added more RAM to her computer last year and she's 74 years old and the farthest thing from a hacker it's possible to be, fer Chrissakes! The days when computers were so ultramodern and new that a person who could put in another battery or swap a hard drive was qualified to call himself a "hacker" are long gone.
I'm typing this on a Macbook Pro. Is my hacker spirit dead? Naah, it just has another outlet--I don't hack this laptop, I do my hacking on the Arduino Uno and the DF Robotics Beetle board it's connected to.
Cycbot and Zbot are both executables, not malware that hide inside doc files. It seems likely that if there's an .exe sitting in a specific subdirectory on an external drive, it's because someone put it there, not because it copied itself there from an infected computer or hitched along with a Word file.
Firm to users: You're tightening it wrong!
Well, no, we don't believe we know everything. That's kind of the point. If we believed we knew everything, we wouldn't be launching satellites to make observations and see how well those observations line up with what we think we know.
The universe is a vast and tricksy place, and our intuition evolved to make sense of only a small sliver of it. The universe is in no hurry to reveal its secrets and in any event is under no observation to conform to our expectations. Hence, science, which is always observing, making predictions, and asking questions.
"Instead of sending it through the sewer system into the lakes and rivers, it needs to get sprayed on the fields along with the animal manure. Rain runoff can be minimized by proper tilling of the land with an eye to the direction of the furrows.
Voila, ALL the NATURAL ORGANIC fertilizer one could ever want and Dupont and Monsanto (or other chemical companies) aren't involved. No anhydrous ammonia, no phosphate mining."
Mammals do not fix nitrogen. We just don't. Not pigs, not cows, not humans.
All the nitrogen in our poo comes from nitrogen in our diet. We do not fix nitrogen. We just pass it along through our digestive tracts. Animal manure, human or otherwise, is not a SOURCE of nitrogen, it's a CARRIER of nitrogen.
We, like cows and pigs and any other mammals, have nitrogen in our waste from the nitrogen we ingest in our food that has been fixed somewhere else. That "somewhere else" is either chemical fertilizer or from rhizomes, filamentous bacteria, or to a lesser extent some other bacteria.
I've read at least one report that states the total amount of crop-available biological nitrogen fixation on earth does not meet the total amount of nitrogen we need to grow food for the entire population. That leaves chemical fertilizers.
If we apply chemical fertilizers to plants that are grown for animal consumption, then feed those plants to the animals and use the animal's poo to grow other crops, we've done what one bloke I know calls "nitrogen laundering"--but I trust you can understand why getting your nitrogen to grow animal feed from animal poo doesn't actually work, given that animals do not actually fix nitrogen.
Yours is the first cogent description of the problem I've actually seen. I keep hearing about how "Apple wiped out non-iTunes music!!!111!1!" but I've had an iPod for quite some time and have never experienced this issue. I've never downloaded music from RealNetworks, either.
"Nothing stands out as a red flag and it’s difficult to detect because no footprints are left behind," said the company.
Shirley the draft emails themselves count as 'footprints,' no?
"The US transaction market has always seemed pretty "quaint" to much of the rest of the world."
Yeah. One of my girlfriends lives in Canada, and I feel like a barbarian when I visit her and pay for anything with my debit card. There's always this awkward moment when the cashier looks for the chip, then looks at me like "what is this primitive stone-knives-and-bearskins payment technology you've provided me with? How does this archaic thing even work, anyway?"
"Pick the least evil one?"
Given the difficulty in gauging the relative evil of, say, Apple vs. Walmart vs. Google vs. any of the other players, I'd rather say "pick the more secure one."
Given that both Apple and Google system involve exchanging a single-use token that's necessary for the retailer to hook the cash out of my bank account, whereas (as I understand it, anyway) the CurrentC scheme allows the retailer direct access to my bank account, I know which of the two I prefer...
"I'm proud of the fact that I made $250bn under my watch as CEO," says Ballmer, neglecting to add that under someone--anyone--else as CEO, Microsoft might have made rather a lot more.
Another benefit of Cloudflare is your IP address is obfuscated from spam trackers. That, plus Cloudflare's rather...relaxed attitudes toward spam and malware, make Cloudflare the content delivery platform of choice for really aggressive hardcore spammers and malware distributors.
I keep track of who's hosting/serving the spamvertised domains in all the spam I receive. Right now, Cloudflare's serving a bit over a third of the domains for all the spam landing on my spamtrap addresses.
That was my impression, too. It's like Hypercard, only juiced with cloudy Web 2.0 goodness. Whee!
Despite the naysayers, fusion power has made considerable progress. It hasn't progressed as fast as we would like, but sometimes new technology works that way.
For example, Lawrence Livermore and MIT have both produced fusion reactions that net more energy output than energy input. They don't do it for long, but they do do it, which shows it is possible.
I for one would like to see more research put into fusion power. If and when it can be made to work, it's a civilization-wide game-changer. A lot of political, social, economic, and resource problems turn out to be power problems, when you have copious amounts of cheap power. (For instance, much of the developing world, and more recently the developed world, struggles with water shortages; cheap and plentiful power make desalination easy.)
It pains me that we as a species spend more money on spectator sports every year than we do on something that can profoundly change human civilization for the better.
The NSA worked with "specific US commercial entities to modify US manufacturer encryption systems to make them exploitable for SIGINT". And yet, strangely, they didn't see how that might blow up in their faces.
The NSA is tasked both with protecting US network infrastructure and also penetrating and gathering intelligence from networks. Those two goals seem contradictory to me. I guess we've found out which of the two had the higher priority...
If someone ten years ago had written this into the plot of a sci-fi novel, I'd have thought it was too implausible. Live and learn.
When the police say encryption makes it impossible for them to catch the bad guys, I read that as a stark admission of failure on their part. Essentially, they're saying the can't actually figure out how to catch criminals without the crims' help. Normal investigatory processes are useless; they can't catch bad guys unless they use stuff the bad guys themselves have written about their crimes.
"This lab test is brought to you by the words 'Apple' and 'Dollar', and by a very large number indeed."
You might want to do some research.
Consumers Union, the outfit behind Consumer Reports, refuses to accept money from any maker of any of the products they test. They will not even accept test samples from manufacturers--they buy everything they test retail. The magazine itself contains no advertising. They have shown themselves willing to go up against car manufacturers, pharmaceutical companies, and other wealthy, entrenched interests.
Complain about the test methodology if you like. Criticize the test apparatus if you like. But saying Apple bought them off just makes you look profoundly ignorant.
"What I'm worried about is, this is an indication to us as a country and as a people that, boy, maybe that pendulum swung too far."
No. As long as metadata remains trivially easy to gobble in massive quantities without legal oversight, the pendulum has not swung too far. Just the opposite--it hasn't swung nearly far enough.
"They had a problem with that, saying and they want people to understand that expensive cables are more profitable."
There. Fixed it for them.
Ironic to see this article posted on El Reg's home page so close to an article about the Home Depot hack, considering the credit cards swiped from Home Depot are now being sold on a carder site served up by Cloudflare (who have so far ignored several abuse reports on the matter).
Given the rising cost and diminishing returns of a university education, a person more cynical than I might suggest buying a phone is more rational than buying a degree. Not that I would suggest anything so cynical, oh goodness no.
"But in both cases, non-free (as in beer) software has been bundled with the hardware, for which you can get no refund. I have explained the difference between the two situations above."
OS X is free. Indeed, OS X upgrades are free to users of earlier systems. So the cases don't match. You're not buying software you don't intend to use. (And you don't have to use OS X if you don't want to; I have a Mac Mini server running Linux. But I didn't pay extra for OS X when I bought it.)
"It could be true, but I think its a bit odd that military personnel capable of operating advanced defence electronics would be speaking in the open on insecure telephone lines, don't you?"
My father was career military. No, I don't find that one bit odd. Technically skilled specialists talking in the open on insecure telephone lines is *far* from surprising.
So I just got my first camera-equipped quadcopter, and on watching the video from my first test flight I was like "hey waitaminnit, there's no sound!" Then I thought about it for a second and realized why.
"Distributed web host CloudFlare says its costs rise dramatically..."
Don't let them hear you say the dreaded words "web host." Cloudflare serves up huge quantities of spam sites, malware, and phish sites...but its abuse team will quickly point out "we are not a Web host and therefore we will not/do not have to/cannot take any action against abuse on our network, now be off to bother someone else" if you file an abuse report.
From the sound of it, the hacking device is simply a payload delivery system; it would be up to whoever is deploying it to equip it with the appropriate payload.
Attacks exist against both Mac OS and Windows targets by exploiting holes in Flash (the Mac DSchanger malware is an example of an attack that targets Mac OS). Presumably, there are attack vectors against Linux as well, and I'm aware of at least one attack against old versions of Android that could presumably be loaded into this device.
In a world where most people aren't developers, most people will always run someone else's code. "Run your own code" is fine for you and me, less so for my parents, my sister, my inlaws, and most of the other people who will be using these devices.
And I don't know about you, but I spend enough time doing friends'n'family tech support as it is. I don't want to be security-auditing or writing new firmware for every single new gadget they buy! I hardly have enough time to get things done as it is.
One of the advantages I see to this scheme is it makes black hat SEO bullsh*t just that little bit harder. The economics of linkfarming and SEO spamming mean even small incremental changes in cost have large knock-on effects that can undermine the profitability of the enterprise.
If we start accepting self-signed certs, then all that will happen is linkfarms will start using SSL with self-signed certs. And the consequence of accepting self-signed certs are potentially quite troublesome. I'm not down with making MITM attacks easier, for example.
Ideas like changing the color of the padlock for self-signed vs. CA-signed certs don't stand well in a world where it's hard enough to convince folks to look for the padlock in the first place. And unlike some IT-savvy people I've met, I don't believe that users who are less savvy deserve to get hijacked.
"What always confuses me is *why* any Apple fanboi thinks Apple's mountain of cash is *in any way* a good thing."
Back in the 90s, before His Jobsness returned to Apple, everyone who didn't like the company was saying "they're losing money, clearly that's a bad thing. Apple is doomed."
Now it's "they're making money, clearly that's a bad thing."
I use a lot of different machines--there are three Apple devices, two generic PC boxes running Linux, and a NAS on my desk as I type this. I make money from my machines, and I find that I use an Apple laptop a lot more than I use any of the other computers. That suggests to me the money I invested in this tool was worth it. :)
"18 per cent revealed they have even checked their phone during sexual intercourse. Ah, that’ll be the women."
Nah, not necessarily. I once live-tweeted an orgy I was involved in. It seemed like a good idea at the time, though a well-known astronomer unfollowed me as a result. (Well, I assume it was as a result, given the timing, though correlation doesn't always imply causation, I've heard.)
"I can do dangerous things with a knife or chainsaw - that doesn't make them bad or dangerous when used in a responsible manner."
Sure. But plain old-fashioned C is a bit like a chainsaw with no chain guard. It's a capable tool, but you gotta watch where you put your hands...
Frankly, though, I think the responsibility lies with the AV vendors, not the tools they use. It's a poor workman who blames his tools. These folks are supposed to know about security, that's what they do.
"Electric toothbrushes. Discuss."
Rule 34, my friend. You can use an electric toothbrush applied to the...oh, never mind, just Google it.
Used to have a girlfriend who loooooved "abusing" her electric toothbrush this way...
So the company was founded in 2006, and for the last 8 years it's been operating without a peep from Bose. Then, in 2014, it gets bought by a company with very deep pockets, and Bose asserts its patent claims.
I'm sure the timing is entirely coincidental.
I run and/or administer a large number of Web sites, on subjects ranging from computer troubleshooting to emerging biotechnology to sex.
Ironically, my personal site, which has no content that might be deemed even remotely scandalous (and is not a WordPress site), is blocked on Sky...but my sex site, which talks about kink in very explicit terms, is not blocked by any of the major UK ISPs.
Let's hear it for Net censors, getting things wrong since...well, since the dawn of time, I think.
A great sales organization always listens to the customer, first and foremost. Comcast, on the other hand, has other policies.
"Harrison Ford breaking his ankle (sounds more like a bad sprain, break one of your own and see), has no tech connection.
Some gossip site has no tech connection, except they have an Internet site."
Looking for a tech connection on every Reg article? You must be new.
As for the rogue stormtrooper: The idea of a hero with a conflicted past trying to make good can be brilliant, if it's done properly, but I have little faith this movie will be done properly.
I mean, Star Wars Episode 3 was basically the story of Faust--the classic story of the fall from grace that's been a running theme in human literature since...well, since before there WAS literature. It's an archetypal story that's so embedded in our consciousness that it should not be possible to screw it up. Yet screw it up they did. So I might, I think, be forgiven for approaching any new movies in the franchise with a certain battle-hardened skepticism, I think.
Had a Web server (a shared hosting server operated by a big-name hosting provider) get hit by this recently. It dropped a PHP file onto the server that contained the line
from which, as you can imagine, all manner of mayhem became possible.
"Companies that do see malicious activity originating from AWS should contact us immediately at firstname.lastname@example.org."
I've done this on many occasions, only to receive a "thank you for your report, we have confirmed an Amazon EC2 instance was running at the address you specified" form email in response...and days or weeks later, it's still there.
Perhaps the problem is I'm a person and not a company? If companies can be people, shirley people can be companies too?
I had almost this same conversation a year back with Clear Wireless. I tried invoking the "may I speak to your supervisor" conjuration, but they were too clever for me--I got the exact same treatment from the supervisor. Wish I'd have recorded it.
 At least she claimed to be a supervisor. I have no empirical evidence this was the case.
Nickel allergies can be nasty. I once had a friend who discovered the hard way that the bright finish on a particular sex toy she liked had nickel in it...not a good scene. Aluminum-clad devices are, presumably, not likely to cause this particular problem.
"The next flight, "Elysium", is planned for October."
At which time it will no doubt be shot down by Jodie Foster.
Microsoft? Microsoft? That name sounds familiar. Wait, don't tell me, it will come to me...
I'm definitely more "security researcher" than "security professional," and on several occasions have notified firms of vulnerabilities and abuse by Twitter...when emails, phone calls, and other more orthodox channels of communication have been ignored.
Sometimes, public shaming works where reasonable discourse doesn't.
In this particular case it doesn't seem like security was an afterthought--the mesh connections were encrypted, after all--but that the security wasn't implemented in a way that made it resistant to sophisticated physical attack on the microcontroller.
Security is HARD. Even when you think about it from the get-go.
It's an urban legend that the blueprints of the Saturn V and F1 engines disappeared after the end of the Apollo program. In fact, every scrap of engineering records was kept.
The issue with simply rebuilding F1s from the original design wasn't the lack of blueprints, but rather of skilled labor. The F1s required a fearsome number of extremely sophisticated hand welds made by master welders. Each one was slightly different from all the others, as engineers made small hand tweaks to each. (For example, early prototype F1 engines had a nasty habit of tearing themselves apart because the hot combustion gasses would start swirling in the combustion chamber, setting up shock waves that would build until the engine failed catastrophically. The engineers solved the problem by adding baffles to the injector head to prevent the gases from swirling, but, lacking tools to model the combustion and design the appropriate baffling, they simply experimented until they found designs that worked.)
It's the institutional knowledge, not the blueprints, that were lost.
I've talked to folks who seem to think crowdfunding is a fad that will never produce anything more exciting than a pot of potato salad. Projects like this show what's possible when a group of smart, dedicated, and determined folks, supported by a lot of people who believe what they're doing is worthwhile, attempt something amazing.
Did the same thing myself, many years ago, then got the idea to add a phono plug to it and write chat software that produced DTMF tones. Worked over the phone or the Internet.
First prototype used a simple, small switching transistor instead of a MOSFET, which promptly exploded the first time the toy turned on. (Who knew a simple battery-powered vibrator consumed six watts of power?)
More recently, I've connected an Arduino to a MOSFET and a Neurosky EEG chip, to make a vibe that works on brainwaves. Works really well, and it's even more hands-free than this iPad nonsense.
"being able to read and reply to massages from anywhere in the house or garden without carrying my phone all the time is a genuine benefit."
I've always been able to reply to massages without a phone, myself.