False positives? Number of detections isn't sufficient for evaluating the detection rate. It has to have a high detection rate without misidentifying benign apps as malware. That is the tricky part.
1017 posts • joined 7 May 2012
Re: The problem, if any...
At least with https, unsavoury folk need to pwn your server to emulate you. Https everywhere. Google, stop being dicks. You understand the risks. Most app developers don't. I will happily criticise Apple on many things, but what they are doing here is completely right. (Although no doubt they enjoy the collateral damage to their competitor)
African or European?
*cough* rounded corners *cough*
doesn't cut it
> Not Teltra's (sic) fault, but not a good look for the Big T either
I wasn't aware that Telstra were under duress to include unvetted third party resources?
You can complain that you are not responsible for the content of third party resources you load in your website.
You can complain that people run adblockers.
What you can't do is both.
Icy what you did there.
So where does one get the H2 to squeeze down the headphone nozzle thing? Do we all get to install an electrolysis kit on our kitchen bench? Or if it is a coffee shop/service station distribution model that is planned, this would have to compete with a more simplistic swap-and-go style battery power pack.
Re: And what happens to the vapours?
You're, er, holding it in wrong?
But this is different. It is battery tech from a (relatively) unknown company. They always pan out!
Re: Surely the solution is ...
Mmmm. An ATM machine that spits out bacon. What a brilliant idea!
Spotify wants me to agree to what!?
Re: no longer synonymous with security then?
As late as this morning, I would consider BB as sitting in heaven's waiting room, reminiscing with Nokia about times of old....
Now I am not claiming they can dodge that bullet, it may be a case of too little too late, but looking at Google's inability to patch against Stagefright et al on phones that are newer than and cost double my laptop, you have got to ask whether BB even realise the goldmine they own. I mean, a company, known for security and business use cases, with Android app compatibility already, can't market their capability of keeping their devices patched. Consider the factually, um, stretched "I'm a Mac" ads if you want a good example of that working.
Sounds like the next few BOFH episodes have just written themselves.
Kudos to Vodafone AU
/hey, how often does one get to write that.
//still using a VPN though.
Re: The Participant Observer Problem
The hash of the hash file has to be stored somewhere. That somewhere can also be compromised.
Lame. Walking to office*
Re: The Participant Observer Problem
> A hash for every Windows file
That wasn't the suggestion. It was system files. These would number in the thousands. Even if there were a million system files, that would only take 32MB of storage to hold every hash.
The bigger question is how you prove that your hash database hadn't been compromised.
Re: I should be an account
Or a YouTube comment moderator.
Heck, some ancient version of winamp would be better.
Re: Monthly security updates will soon become a major PITA
Whether it is ART or Dalvik or whatever, it is an important point. The update process for me just took 20 minutes and at least 1/4 of the battery to spin through 141 apps. Further, if your device is encrypted then you need to enter your passcode in the middle of it, so you can't just run it unattended overnight. If it truly is optimising apps then they need to move it to a lazy-load model and only optimise on first launch, and have a background process completing the job. Sometimes I wonder if they forget it is also a phone.
HDDs usually give the click of death on the way out. No such warning with SSDs. Of course you have working backups so none of that really matters, right?...
If I look at the area most consumers need capacity, it is video and photo storage. Both use cases get little practical benefit from faster seek time. One more I suppose is as a backup medium. Again seek time is not a benefit. SSD has a theoretically lower minimum cost (it lacks the motors and spindles and magnets etc. that mean a 100MB hard drive today would not be much cheaper than the smallest capacity manufacturers still bother with). A 128MB SSD would by contrast be much cheaper. HDD is a technology with an end of life (or at least a far more niche existence) but we aren't there yet.
Jeep runs* QNX. Never underestimate the ability of the universe to create idiots that can break anything.
*Autocarrot wanted to write ruins. Well played Google.
> Sometimes manufacturer updates aren't what they're cracked up to be
True, but I don't think that updates need to be whatever new flavour of confectionery is out. We just want security patches to be delivered promptly for a period of around the expected lifespan of the computer that happens to sometimes make phone calls. In fact, automatically changing the messaging app and moving the menus around when moving from ginger bean to ice kit pop is going to cause my folks all manner of confusion, so I would prefer nothing visible.
Re: Google is taking the lead on revitalising the patching pipeline for the Android ecosystem
The problem with the carriers is that they have a vested interest in obsolescence. If you have to get a new phone then they get another 2 years contract out of you.
Re: Am I being a bit thick here
> changing at very least a byte or two of data in the source image
Wouldn't even take a byte. I mean, even changing as subtle as #FFFFFF to #FEFFFF would be very* unlikely to not have a radically different MD5 and SHA1 signature.
* it is possible that the signature won't change, in the same way you might win lotto, then on the way to pick up your winnings, an asteroid shoots down toward the spot you are standing only to be blown to smithereens by a coincidental lightning strike.
> The term 'collision attack' comes to mind where two values can produce the same hash.
A hash algorithm by definition MUST permit collisions where the size of the hash is smaller than the size of the input data.
Let's use small numbers to illustrate. If your hash was just 1 byte in length, and your input was 4 bytes, you have 256 possible hashes to share amongst 4 billion odd input possibilities. Sha1 is from memory 160 bytes, which gives 1.4615016e+48 hashes. That is a big number* but much much much smaller than the possible arrangements of bytes in a valid JPEG file.
* citation needed
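An added illustration of the two points made in the posts above (not code from either commenter): a one-value change such as #FFFFFF to #FEFFFF flips roughly half the bits of an MD5 or SHA-1 digest, and any hash whose output is shorter than its input is forced to collide. `toy_hash8` is a constructed 8-bit hash standing in for the 1-byte hash in the example, and the "image" is a constructed buffer of white pixels, not a real JPEG.

```python
import hashlib

def toy_hash8(data: bytes) -> int:
    """Constructed 8-bit hash: XOR of all input bytes. Only 256 outputs exist,
    so any set of more than 256 distinct inputs must contain a collision."""
    h = 0
    for b in data:
        h ^= b
    return h

def find_collision(hash_fn, inputs):
    """Return the first pair of distinct inputs that share a digest, or None.
    This is the pigeonhole argument made concrete: we never attack the hash,
    we just feed it more inputs than it has outputs."""
    seen = {}
    for x in inputs:
        d = hash_fn(x)
        if d in seen and seen[d] != x:
            return seen[d], x
        seen[d] = x
    return None

def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def pixel_change_effect(algo: str = "sha1"):
    """Change one pixel from #FFFFFF to #FEFFFF (a single bit) in a constructed
    64-pixel RGB buffer and report (digest bits changed, digest bits total).
    For a well-designed hash the first number sits near half of the second."""
    white = bytes.fromhex("ffffff") * 64            # constructed all-white image
    tweaked = bytes.fromhex("feffff") + white[3:]    # first pixel #FEFFFF
    d1 = hashlib.new(algo, white).digest()
    d2 = hashlib.new(algo, tweaked).digest()
    return bit_difference(d1, d2), len(d1) * 8

if __name__ == "__main__":
    two_byte_inputs = [bytes([i, j]) for i in range(256) for j in range(256)]
    print("toy 8-bit collision:", find_collision(toy_hash8, two_byte_inputs))
    for name in ("md5", "sha1"):
        changed, total = pixel_change_effect(name)
        print(f"{name}: {changed} of {total} digest bits changed")
```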
On a serious note, as a developer (a real one not an app developer :p) being able to stipulate the permissions you don't need is quite a nice security layer. If I decided that the world didn't have enough photo editors and that I should release my own, I can stipulate that it should not access the contacts. If my advertising network started spewing out malware, perhaps a more conservative token collection may mitigate the malware.
You think you are the phone owner. Cute.
Re: innocuous-looking app which, when installed
I give far more credence to the number of and nature of permissions requested than the number of g+ users who give it 5 stars and usually some indecipherable comment.
The raison d'etre of the permissions model is to limit what an app can do. If it fails to do this then it is a critical flaw. But imagine there was some bug in your phone's PIN entry screen where pressing the volume rocker logged you in. I suppose you would argue that such a bug isn't too bad because one should expect that anyone who can physically access it could pwn it.
Re: Driving the car
Yes, DoS is possible, but it is already possible. I remember visiting a scenic lookout tower about 10 years ago. It doubled as a communications tower. Upon returning to my car, the fob did not work. If you are going to DoS then the easiest and most effective technique is to flood the airwaves in those frequencies with white noise, not some elaborate fob emulator. The backup plan is to use your key. :)
Re: Driving the car
Sure. We move well past my knowledge of how they are implemented presently, but it really wouldn't be too hard to do. If each keyfob has an identifier that gets broadcast with the code, and the car ignores unpaired fob identifiers, then the brute force would have to emulate a particular fob. Then you can count brute force attempts by a fob id having too many wrong guesses and lock them out.
Re: Driving the car
Wouldn't a far simpler solution be if the door, on detecting, say, 1000 open attempts, switched off the receiver for 5 minutes? Make brute forcing impractical.
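A toy model, added here and not from either commenter, of the two countermeasures the last two posts describe: a per-fob failed-guess counter that locks out a paired fob identifier, and a receiver-wide cut-off after too many failed open attempts. The rolling-code scheme is a constructed stand-in (a counter that advances on each accepted open); real keyless-entry systems differ.

```python
from dataclasses import dataclass, field

@dataclass
class DoorReceiver:
    # fob_id -> next expected code; constructed stand-in for a rolling code
    paired: dict
    per_fob_limit: int = 10        # wrong guesses before that fob id is locked out
    fob_lockout_s: int = 300
    global_limit: int = 1000       # failed attempts (any id) before receiver goes quiet
    global_lockout_s: int = 300
    fob_failures: dict = field(default_factory=dict)
    fob_locked_until: dict = field(default_factory=dict)
    global_failures: int = 0
    receiver_off_until: float = 0.0

    def receive(self, fob_id: str, code: int, now: float) -> str:
        """Handle one over-the-air open attempt at time `now` (seconds)."""
        if now < self.receiver_off_until:
            return "receiver_off"                 # not even counted
        if fob_id in self.paired and now < self.fob_locked_until.get(fob_id, 0):
            return "fob_locked"
        if fob_id in self.paired and code == self.paired[fob_id]:
            self.paired[fob_id] += 1              # consumed: a replay now fails
            self.fob_failures[fob_id] = 0
            return "open"
        self._note_failure(fob_id, now)
        return "rejected"

    def _note_failure(self, fob_id: str, now: float) -> None:
        # Unpaired identifiers are ignored rather than tracked, so a flood of
        # random ids cannot exhaust per-fob state; they do count globally.
        if fob_id in self.paired:
            n = self.fob_failures.get(fob_id, 0) + 1
            self.fob_failures[fob_id] = n
            if n >= self.per_fob_limit:
                self.fob_locked_until[fob_id] = now + self.fob_lockout_s
                self.fob_failures[fob_id] = 0
        self.global_failures += 1
        if self.global_failures >= self.global_limit:
            # Trades availability for brute-force resistance: the earlier post's
            # DoS is the price, and the physical key is the fallback.
            self.receiver_off_until = now + self.global_lockout_s
            self.global_failures = 0
```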
Re: Pretty obvious - a keylogger was installed
> except if you use something like Keepass then even a key logger is not useful without the db you unlocked,
Why do you assume the keyloggers are software based? That would seem overly complicated to me because you have to get them installed through some flaw, social engineering or physical access. The latter would seem to be the easiest for an organisation that in their normal day to day operation need to plant listening devices for suspects.
It would be much easier to swap out the keyboard with a bugged one for a few days and to brute force against the entered strings.
Re: Security vulnerability waiting to happen
It's no more risky than https. The slithers would be validated with something like sha256 or 512. The hashes for all of the slithers would probably get downloaded over https or would maybe just rely on a digital signature to prove those hashes were decided by Microsoft.
Re: And sharing malware in 5 4 3
Someone doesn't understand how hashes work. Put it this way: if that was possible, don't you think Hollywood would be corrupting the torrents left, right and centre? For sure you could send my computer malware instead of the patch. Problem for you is that it won't be signed with Microsoft's private signature so my computer will file it to the Windows equivalent of /dev/null.
Re: And there's more!
P2P is a completely sensible way to distribute large files. Do you not find it a bit weird that your laptop, PC and media centre* all independently download the same patches over your internet connection rather than sharing amongst themselves and only downloading it once.
I suggest you flag your network as metered.
* yes, sadly dead now
Re: The pen is mightier than the sword.
Tin foil? Like those military/citizen blankets for treating people for hypothermia?
So $127 million to set up collection for about 7.5 million connections. So $17-ish per household. For something that can be bypassed for the price of a cup of coffee a month.
/posted from Romania, because why not, it demonstrates just what a stupid waste of money this is.
Re: I have 600
Also, 2^9? Really? You could kinda understand some numpty using the wrong type and ending up with a 256 limit. 512 is quite creative though.
Re: filter at the telco level?
OK, assuming some sort of signature based pattern can identify the infected video, why involve the telco at all? That would mean that the hangouts app itself could perform the scan before sending it off for preview. This is important, because hangouts can be pushed through Google play as an update.
Although it wouldn't eliminate the attack vector (too many insufficient-storage-esque errors on old devices), the attack surface would easily and quickly halve.
OK Google, you've got 90 days.
Re: Won't affect my spending habits.
The eBays and Amazons of this world aren't used as some sort of GST avoidance scheme. They are substantially more than 10% cheaper in most cases, are available at 10:30 at night, have detailed information about their products, user reviews and the like. No checkout queues (have you actually been to one of your shops, Gerry? Do your sales team know what is available in the market or are they too busy pushing the lines offering the best bonus that month?)
Take something simple like a phone case for some modern smartphone. How much change do you get from $35? Now go to eBay and do the same. If you are paying more than $10 you probably weren't looking very hard. Jumping from $10 to $11 doesn't change the equation.
By all means, include online purchases for GST (and add healthcare and education while you are there). Then fix up the super tax concessions, CGT and negative gearing avoidance schemes. That'll fix your revenue problem.
Next micro business, some kid with Photoshop charging 20 bucks to change the times on the sign for your fine protest letter.
IoT must die
The sooner that we stop stumbling around the opportunities and take the threats with the same level of consideration, the safer we will be.
It just struck me about a discussion I have been having with someone who was complaining about their browser of choice's decision to block a certificate signed with an old broken algorithm. The inconvenience is real, but so is the threat. I was struck because I know they get the same emails as me and that they were again flooded with IoT development technology marketing. A lot of energy went into pushing people into such devices, but there is really nothing on security.
You wouldn't feel safe with a Windows Vista machine with no patches applied, yet we are building impossible-to-update firmware into all sorts of gadgets with life expectancies above and beyond. It is a weird world sometimes.
Maybe not, but assuming the very long bow that such connectivity of the core systems of your car is needed, why were they not NAT'd inside some walled garden?
Re: Congratulations on repeating exploits before they can be fixed
You're reporting it wrong....
Stackexchange; is there anything you don't know?
Re: Agree - don't run scripts without permission. uMatrix and uBlock are good for Chrome.
>Why can't they bring these libraries under their own domain and take responsibility?
1. They would then have to pay for that bandwidth.
2. Chances are that their site is not the first you have visited that includes that particular framework. They can therefore leverage the cached (possibly even precompiled) version for better load times.
3. A website is never going to take responsibility for the resources your computer asks for.
Isn't evidence gathered outside the law inadmissible? Surely that is the whole point of a warrant: to fairly evaluate whether the particular action which would in other situations be illegal should be deemed lawful as an exceptional circumstance, with the judgement made by someone independent and competent.
Re: How does this change ANYTHING?
> PS Why are we allowed to play with < UL > but not < OL >?
One does not simply play with < OL >.