
Patched MS Bluetooth Flaw Exposes Even Disconnected PCs

Soulskill posted more than 2 years ago | from the you-are-the-one-neo dept.

Bug 147

An anonymous reader writes "Among the 22 security holes Microsoft issued updates to fix yesterday is a critical kernel-level Bluetooth flaw that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network. An attacker could use the bug to gain access to any unpatched, Bluetooth-enabled Windows Vista or Win7 computer within 100 meters (or much further with specialized tools), all before the target system even gets an alert that another computer is requesting a Bluetooth connection."


147 comments

Oh noes! (-1)

Anonymous Coward | more than 2 years ago | (#36746064)

Teh evil hax0rs r in ma b0x!

XP (0)

Anonymous Coward | more than 2 years ago | (#36746106)

XP is safe

Re:XP (1)

ledow (319597) | more than 2 years ago | (#36746130)

And thus we reach the point where XP is hardly targeted anymore, isn't vulnerable to the same bugs, is still under support for another three years, and Windows 8 comes out "later this year".

Tell me why I should be on 7 already, after having all my Vista testing thrown out of the window once already?

Re:XP (5, Informative)

kevinmenzel (1403457) | more than 2 years ago | (#36746164)

Because 7 has features XP doesn't. Like support for the TRIM command for SSDs. Like an audio mixer that lets you set different volumes for each application, instead of each hardware output, which is floating point from the ground up. Like desktop rendering that is accelerated by your GPU. Like UAC. Like Aero Snap. Etc. It's not like Windows 7 is just a facelift on Windows XP. There are differences that aren't even hard to find.

Re:XP (-1)

Anonymous Coward | more than 2 years ago | (#36746222)

Correct. Remind me though, why would I want to use either?

Re:XP (1)

kevinmenzel (1403457) | more than 2 years ago | (#36746266)

Is there another operating system that has per-application volume faders and a fully floating point audio path? Because I haven't seen any other OS that does... and I find that incredibly useful on a daily basis...

Re:XP (1)

Dr_Barnowl (709838) | more than 2 years ago | (#36746292)

I don't know about the "fully floating point audio path", but PulseAudio does support per-application volume faders.

It says it supports floating point [freedesktop.org] sample types, but I don't know if that meets your criteria of being from the hardware up - I guess that would be a driver issue.

Re:XP (1)

kevinmenzel (1403457) | more than 2 years ago | (#36746388)

Do all applications use PulseAudio though? The Windows 7 model is backwards compatible through to well... I haven't seen an application that doesn't get its own fader no matter what audio model it uses, at which point the audio stream (even if the application generates an integer stream) is converted to floating point, so that the volume sliders aren't nearly as lossy as they would be if they were dealing with integer-based audio... and then mixed in floating point... and then converted to whatever format the driver supports (which I suppose is usually integer... I haven't seen many floating point DACs...)

At the very least, it's nice to see some other operating systems playing catch up with that particular feature, because between when the Vista betas that implemented the new audio model came out to the time it seems that functionality made it to other operating systems seems to have been a matter of years. I guess not everyone thinks it's useful, or has ever even tried using such functionality.

Re:XP (2)

anss123 (985305) | more than 2 years ago | (#36746530)

I haven't seen an application that doesn't get its own fader no matter what audio model it uses

An app can request/get exclusive access to the audio card, and bypass everything including the volume control. But that's only used by audio authoring software.

My favorite Win7 audio feature in any case is the ability to redirect live audio. I can now watch a movie and while it's playing switch the audio to/from my headphones painlessly (earlier I would have to restart the movie, and sometimes the whole app). I don't have headphone jacks I can easily reach, so it saves me a bit of trouble.

Re:XP (1)

perryizgr8 (1370173) | more than 2 years ago | (#36746560)

I haven't seen an application that doesn't get its own fader no matter what audio model it uses

An app can request/get exclusive access to the audio card, and bypass everything including the volume control. But that's only used by audio authoring software.

My favorite Win7 audio feature in any case is the ability to redirect live audio. I can now watch a movie and while it's playing switch the audio to/from my headphones painlessly (earlier I would have to restart the movie, and sometimes the whole app). I don't have headphone jacks I can easily reach, so it saves me a bit of trouble.

how do you do that?

Re:XP (2)

anss123 (985305) | more than 2 years ago | (#36746714)

Depends on what kind of audio card you have. Some support two audio streams, some do not. If you have the same Realtek chip I got then just set it to use separate audio streams for front/back panel, alternately you can also simply have two audio cards.

Then just right click the little speaker icon, select playback devices and change default. Any app that plays to the default playback device will then change to play to the new target.

If you, like me, have more than one audio card there can be a lot of outputs. Outputs you never use can be disabled/hidden by right clicking on them, and audio outputs you use can be renamed. So I got one called headphones, and one called Speakers. Changing between them takes me five mouse clicks.

Re:XP (1)

Amouth (879122) | more than 2 years ago | (#36748138)

I love that it works across sound devices - example playing Pandora on the laptop speakers.. turn on my Bluetooth headphones (which are set to be primary audio when connected) and it is a seamless switch.. the on-board speaker goes dead and music in the headphones.. turn them off and easy auto switch back.

Moving the live audio to other devices is a very nice feature for me..

Re:XP (1)

ledow (319597) | more than 2 years ago | (#36746444)

And I would find that a complete waste of investment, personally. I don't have any problems with per-application faders (if you have more than one program playing sound simultaneously, of course it will sound a mess, and if you have that you can adjust those programs - a volume control is an almost universal widget on anything that plays audio) and certainly wouldn't ever use them.

If something is playing sound, it's because I need to hear it. I haven't touched the volume control panel in YEARS on this machine image that I use, only the hardware Up/Down buttons.

And floating-point audio path? Puh-lease. Is it running over oxygen-free, gold-plated processor registers? Otherwise I'm just not touching it... :-P

Re:XP (1)

Dog-Cow (21281) | more than 2 years ago | (#36746790)

Windows 7 remembers the audio level on a per-executable basis. This means that I can set, for example, a game's sound settings once, and adjust the game's master volume in Windows. This is nice for when I want to turn the sound down to avoid disturbing my wife, but I don't want to adjust the music, sound effects, voice-overs, etc. individually within the game. Not all games have a master volume setting, and generally the Windows setting is easier to get to.

Re:XP (1)

ledow (319597) | more than 2 years ago | (#36746922)

*Cough* hardware speaker volume.

Seriously, I don't adjust volumes in games (except to turn off music on some of them). Everything is at "max". And then I use either the master volume *in WINDOWS* (usually via some hotkey on laptops) or the speaker volume itself to bring it down to a decent level. I don't need the games to have volume settings, either internally or via some Windows hack, at all. It all "just works" and has since Windows 3.1! It's honestly not a problem that I, or anyone I support, has ever had - and can be a source of problems, and is nowhere NEAR a reason to upgrade an OS (not just because I'm sure you could dig up an audio mixer driver that could do just what you wanted if there was really a need for it).

And, working in schools where they use a lot of interactive "noisy" apps etc., I can't think of anything worse than a per-executable (and presumably per-user) volume setting. God, I get enough support calls now where someone has turned the volume too low to hear it, or locked it too high, and there's already the speaker-volume, master volume, mixer-volumes, and in-applications volumes to get them to check before you can tell a sound even works.

It'll play merry hell with diagnosis - the standard way to test sound is to put something like WMP playing the Windows startup sound on loop and then adjust everything until it's audible and the correct volume. I could spend 10 minutes doing that per workstation only to find that program X has been configured to do that differently to WMP via some Windows settings, or because a different user has logged on, or because the programs changed (hash or location, however Windows tracks it) and I need to redo all the settings for that for every user.

Seriously, people, it's a dumb idea that you're not using properly at all (or you wouldn't be trying to turn down all the in-game settings to cut one game's speech rather than just control a global volume knob) and, if you were (e.g. for level control because channel X is louder than channel Y), it's actually far more complex than it needs to be.

Re:XP (1)

VGPowerlord (621254) | more than 2 years ago | (#36747732)

Windows still has the global volume setting as well. If you don't need the per-app volume settings, that's fine.

Having said that, there is one *other* thing this fixes:
An app can no longer directly change the system's audio volume. Instead, it changes its own volume slider. This is a nice change for those of us who don't keep the Windows and app volumes cranked to 100%, but the app insists on cranking its up to 100%.

Re:XP (1)

ledow (319597) | more than 2 years ago | (#36747928)

That, I'll give you.

That's gotta be worth at least 50p of anyone's money, being all of a few thousand lines of code at best. Now - how much is a Windows 7 license again?

Re:XP (1)

bhtooefr (649901) | more than 2 years ago | (#36746832)

What if I'm playing music while browsing the web, and stumble on a Flash ad that blasts me with sound, and has no mute button? Or, worse, some ancient site that's blasting MIDI music?

On XP, my options are:

1. Block Flash (which, yes, I do already) - but that doesn't work if it's one of those ancient sites blasting MIDI music
2. Mute ALL sound, including my music
3. Navigate away from the page

On 7, I can pause my music, bring up the mixer, and mute my web browser only.

Re:XP (1)

TheRaven64 (641858) | more than 2 years ago | (#36746472)

FreeBSD has had per-application volume controls for a while. It uses fixed-point arithmetic for the audio path, because that gives lower latency. Unless your source is floating point and your audio device supports floating point samples, then having a floating point audio path just involves translating from integer to float and back again, which isn't such a great selling point. And, yes, it is backwards compatible. Any application using the OSS 3 or 4 APIs (also supported on most other *NIX variants) gets this support. There's even a compatibility mode so that applications that use the OSS 3 APIs to modify the global mixer settings can be instructed to modify their own mixer settings.

Oh, and I didn't have to pay anything to upgrade to the FreeBSD version that supported this...

Re:XP (1)

macs4all (973270) | more than 2 years ago | (#36746526)

Is there another operating system that has per-application volume faders and a fully floating point audio path? Because I haven't seen any other OS that does... and I find that incredibly useful on a daily basis...

Don't know about the floating point thing, but OS X has per-application volumes; just not all in one place (which I will admit has always annoyed me).

Re:XP (1)

SenseiLeNoir (699164) | more than 2 years ago | (#36747300)

I don't think you understand what is being spoken here. Yes, individual APPS may have their own volume controls (such as iTunes/mediaplayer/flash players/vlc) this is the app itself generating the sound at different volumes.

What Windows 7 (and I think Vista too) has is each application that plays sounds play to a "pipe" that is only associated with it. There is a system mixer that then mixes each pipe after applying a volume to it to a master pipe that is sent to the Audio Hardware. (Some audio hardware does the mixing for Windows, so it doesn't have to be done in software).

There is nothing new about this technology, the actual pipe & mixer framework is the same as what was available always since probably Windows 95, and exists on most other systems too (such as sound servers, etc). It's what allows two different applications to play sounds at the same time (not allowed if each application sent their sounds direct to the soundcard, unless the soundcard had multiple channels, and a hardware mixer)

What Windows 7 (and I think Vista) does differently is that it exposes the "volume" for each mixer channel to the application so that the application can adjust its volume via that, instead of trying to incorporate their own volume processing. For example, Windows Media Player has its own volume control, but on Win7 it actually adjusts the OS provided application mixer, instead of doing its own processing. It centralises all of this processing, potentially giving the user better control, as well as allowing for hardware mixers to be utilised saving some CPU usage.

The floating point mixing provides two possible advantages. When mixing integer streams there is the possibility of fidelity loss or noise when for example mixing two or more 16bit integer streams to a final 16 bit integer stream. Using fp helps curtail some of the losses, especially if the output hardware supports 24 bit resolution.

Re:XP (1, Insightful)

Haedrian (1676506) | more than 2 years ago | (#36746282)

Right so basically.

"If I want to use lots of complicated or modern features, I need to use Windows 7"

But if I just want to chat with my buddies, browse the internet and write a document once in a while, and don't want to try Linux, XP is fine. Until it gets an open exploit which never gets closed.

Most of the public doesn't use SSDs, doesn't need volume for each application nor does it need GPU accelerated rendering.

Re:XP (2)

kevinmenzel (1403457) | more than 2 years ago | (#36746334)

Most of the public could do all that on their phone. Most of the public don't particularly "need" computers. Seriously, when the hell did "computers should only do exactly what people need them to do the day they buy them and anything else is a waste" become such a fashionable sentiment?

Re:XP (1)

tehcyder (746570) | more than 2 years ago | (#36746724)

Most of the public could do all that on their phone. Most of the public don't particularly "need" computers.

No, they couldn't. Browsing the internet or writing a document is horrible on most phones. Tablet, yes maybe.

Re:XP (1)

xouumalperxe (815707) | more than 2 years ago | (#36746598)

Most of the public doesn't use SSDs, doesn't need volume for each application nor does it need GPU accelerated rendering.

I'll give you the SSDs. GPU acceleration is not critical but still a nice-to-have even for the average Joe. Sound per application? This is a lot less esoteric than you'd expect -- all it takes is trying to Skype someone while you have ANY other application open and you'll see why you want that. Not sure how much use it gets by most people, but I like Aero Snap enough that I installed BetterTouchTool on my Mac just to get that one feature.

Re:XP (1)

SenseiLeNoir (699164) | more than 2 years ago | (#36747452)

GPU acceleration goes beyond that, and has its uses for the average Joe. In the old days, each application would have to write onto an off screen buffer, which then the CPU would have to work out which ones are in front of each other, then finally copying onto the screen, although older Graphics Chipsets could help (via BITBLT, Bit Move, etc) when you have things such as transparency, etc, it gets pretty hairy for the CPU to process.

By offloading the entire window management onto the GPU, means the 3d capable GPU works out how to display each off screen window (after all its just a 3d plane now) and handles all the transparency stuff, etc.

I tested this back in 2006 with Vista, and saw that with full Aero, overall CPU usage did reduce in relation to screen redraw functions, even reducing its power requirements. Yes GPU usage did go up in comparison, but in the case of simple onboard GPUs the increase in power usage of the GPU was still less than the power saved on the CPU. And things were usably smoother.

Most modern user oriented Linux distros include Compiz, which also uses the GPU, and MacOS I believe does similar tricks too.

Re:XP (1)

macs4all (973270) | more than 2 years ago | (#36746504)

Because 7 has features XP doesn't. Like support for the TRIM command for SSDs. Like an audio mixer that lets you set different volumes for each application, instead of each hardware output, which is floating point from the ground up. Like desktop rendering that is accelerated by your GPU. Like UAC. Like Aero Snap. Etc. It's not like Windows 7 is just a facelift on Windows XP. There are differences that aren't even hard to find.

Not trolling, but why does an Operating System care about being "Floating Point"?

Re:XP (0)

Gordonjcp (186804) | more than 2 years ago | (#36746686)

So, with Windows 7 you get basic support for modern ATA devices, something that tries to be Pulseaudio, something that tries to be Compiz, something that tries to be tcpd, and a pretty theme?

It's pretty cute, but Windows 7 still looks like an Aldi own-brand version of Kubuntu LTS.

Re:XP (1)

JackDW (904211) | more than 2 years ago | (#36746698)

Not to mention the ability to quickly recover from a graphics driver crash. It's absolutely amazing when you see it happen. "Oh, my GPU crashed, the screen went black. And... it's back already, and it didn't even affect the game I was playing."

Re:XP (1)

ledow (319597) | more than 2 years ago | (#36747900)

Seeing as I've never had a graphics driver crash in the last four updates of the nVidia driver that I'm using (going back - what - five years on this particular chip) - and haven't witnessed (or had reported) one in work either on several hundred machines - that's not a big selling point.

"Hey, when random programs crash we can carry on!" is pretty much what I expect of an OS, anyway, and the damn things shouldn't be crashing in the first place.

If you're that accustomed to complete driver crashes that you just treat it like a screen mode change, you really are setting yourself up for trouble. Something prompted that crash, and you have *zero* idea what because Windows just carried on like nothing was wrong. Could be bad programming, could be some exploit in your graphics drivers being taken advantage of, could be overheating, or bad electrical contact, or failing motherboard, or failing graphics card, or....

Seriously, it's a "nice" feature that I would hope never, ever, ever get activated, ever. And if it did, I'd much rather know about it before it corrupts data on the bus or breaks my hardware long-term. It's not a selling point - an OS doing its only single bloody job in protecting the hardware from faultily-interfacing applications - it's a warning.

MS cares more about hiding hardware failure from you than it does about your data. Because at the end of the day, it has no idea what junk that failing, crashing driver spewed out to your graphics card to stop it responding and/or what the graphics card did about it before being reset. And graphics cards have DMA access to just about anything in main memory.

Re:XP (1)

JackDW (904211) | more than 2 years ago | (#36748230)

Well, I think it's pretty cool that the kernel can not only recover when random userspace programs crash, but also recover when those programs are third-party graphics drivers running in kernel space. And recover quickly, without taking anything else out.

It is not as if you are not told that the crash has occurred. You are told immediately after automatic recovery. Messages also appear in the event log. That's much more helpful than going to a blank screen with the keyboard unresponsive, killing all applications and leaving the user with no clue about what went wrong.

Re:XP (-1, Offtopic)

mcgrew (92797) | more than 2 years ago | (#36746538)

Tell me why I should be on 7 already

Because already there are programs that won't run on XP. My girlfriend wanted me to help her get some simple game (Majohbg or something) working on her PC, no dice -- Vista or Win 7 only.

I had the same problem when I bought DOOM 3 (XP was brand new iirc); no Win98 support. Bought XP, my disk burning software wouldn't work.

When the new version of Windows comes out, half your programs won't work on it and half the new programs won't work on the old version. To run a new program you have to also buy an expensive OS.

Tell me why you shouldn't be on Linux already?

Re:XP (1)

ajo_arctus (1215290) | more than 2 years ago | (#36746718)

Doom 3 was August 2004, XP was summer 2001. Windows 98 would have been 6 years old by then.

I agree that it's annoying when old software stops working and new software doesn't work, but it's impossible to maintain software and backwards compatibility for ever, and I think the balance we have is just about right.

Re:XP (1)

mcgrew (92797) | more than 2 years ago | (#36747536)

The point, though, is that you don't have that problem with Linux at all. Update the os? Download and install. Old programs seldom stop working unless there's a major revision to the kernel or libraries, when that happens just download and install a newer version of the software or a compatible replacement. There are usually a dozen or more programs with similar functionalities for most stuff you'd need.

If you're a Gamer, though, you're going to need the latest hardware and the latest Windows OS. Your best bet there would be to have Linux installed for non-gaming needs, multi-boot with various versions of Windows so you could run your old games as well as new ones.

Consequences? (-1, Troll)

Anonymous Coward | more than 2 years ago | (#36746126)

Sounds ridiculous for a system software used in military installations, cash machines, banks, and pretty much everywhere. And that's not even the 'government way' of reaching into private information, which is at least encrypted. It's pretty much 'no way of knowing who and if' data was seeped out.

I cannot imagine a more definitive example of Unsecure.

Still nothing will change. MS will issue a patch and the thing will go as nothing happened. Cash will continue to flow and that's the only thing that will be monitored.

Re:Consequences? (1, Redundant)

kevinmenzel (1403457) | more than 2 years ago | (#36746144)

Microsoft already issued the patch. Yesterday. And systems without bluetooth capability are not affected.

Re:Consequences? (2, Insightful)

bloodhawk (813939) | more than 2 years ago | (#36746306)

Sooooo you expect highly secure devices in military installations, cash machines, banks etc are Bluetooth enabled and you think MS is the one that doesn't have a clue?

Re:Consequences? (2)

m50d (797211) | more than 2 years ago | (#36746532)

Merely having bluetooth-capable hardware and software should not expose you to anything. Computers should be secure by default, out-the-box, and it is not unreasonable to expect this.

Re:Consequences? (1)

justsayin (2246634) | more than 2 years ago | (#36747580)

I am guessing that the MS/Dell/HP folks turn all the features on out of the box. Mainly because if they don't the people buying the hardware will think they got ripped off. Like the customer buys the new laptop and bluetooth don't work. So they return it in a fit of rage because they are not used to having to turn things like this on? What No BlueTooth? Why this Dell/HP/Compaq is a POS.

Re:Consequences? (1)

tehcyder (746570) | more than 2 years ago | (#36746780)

Sounds ridiculous for a system software used in military installations, cash machines, banks

Somehow I doubt that military or bank computers have bluetooth installed.

Confusing (4, Insightful)

Haedrian (1676506) | more than 2 years ago | (#36746136)

"even when the targeted computer is not connected to a network."
"target would merely need to have Bluetooth turned on."

Meh, not as scary as I thought. You shouldn't be running around with bluetooth on anyway. Also, if you're using a 'hidden' connection there's no real way for an attacker to find you is there?

So basically computers at risk are those who always leave bluetooth on and shown to everyone. Which unless you're trying to connect to a new device should be NEVER.

Re:Confusing (3, Informative)

ledow (319597) | more than 2 years ago | (#36746176)

But considering that leads to a complete OS compromise, that's pretty poor coding.

You literally only have to turn it on for a second and someone can root you without you knowing. You only have to witness someone pair with a device, or do a single Bluetooth transfer and you can root them. And what are the implications for embedded versions of Windows in, say, phones?

A lot of people use Bluetooth, it's expected to be quite secure in terms of not rooting your computer (people being able to monitor and sniff your Bluetooth data is a different class of problem entirely, and puny in comparison). And like the article says - you probably have the faulty software installed already and only a single tap of that Bluetooth switch will make you vulnerable to automatic rooting, like a virus.

A virus that exploits this will potentially go quickly global and be hard to cleanse because you literally may not even notice that you've been infected and switching on Bluetooth for a split second to send a file to your phone, answer your parent's Skype on a headset, etc. isn't generally considered an infection route.

I agree in that I have BT turned off on everything I own and set to hidden by default but it would be scary if I were using one of the vulnerable systems. That's the sort of thing that will still be catching people out five years from now and it's probably only the first of many such problems. Now before you can put a PC on the net, you need to make sure you've never enabled Bluetooth while Windows was executing until you've got it to the latest patch level.

Re:Confusing (3, Informative)

mogness (1697042) | more than 2 years ago | (#36746230)

No need to worry. Reports around the web are contradictory to this article, all say it's extremely unlikely that an attacker could gain access to your machine using this vulnerability. You're more likely to get blue-screened.

http://blogs.technet.com/b/srd/archive/2011/07/12/ms11-053-vulnerability-in-the-bluetooth-stack-could-allow-remote-code-execution.aspx [technet.com]
https://threatpost.com/en_us/blogs/microsoft-fixes-critical-windows-bluetooth-bug-july-patch-tuesday-071211 [threatpost.com]

What's more, you'd have to be sharing your bluetooth id AND the attacker would have to be within range of your signal.

Re:Confusing (2)

Gaygirlie (1657131) | more than 2 years ago | (#36746534)

What's more, you'd have to be sharing your bluetooth id AND the attacker would have to be within range of your signal.

Many laptops for example share their bluetooth ID by default, and Joe User won't be aware of it or even know why it matters.

Secondly, Internet cafes, libraries, trains, etc... all are places where people often whip out their laptops. And if you happen to be living in flats you most likely ARE within range of at least a few of your neighbours' devices. At least I often see 4-8 bluetooth devices that aren't mine, they're usually from the apartments above and below.

Re:Confusing (1)

justsayin (2246634) | more than 2 years ago | (#36747640)

What was that old comparison? You're more likely to get bitten by a squirrel in New York City's Central Park than to be bitten by a shark in the Atlantic Ocean. Of course, I would rather be bitten by a squirrel than a shark no matter the location.

Re:Confusing (2)

mcgrew (92797) | more than 2 years ago | (#36746446)

A virus that exploits this will potentially go quickly global

That's the opposite of what TFA said. In order to gain access the target computer needs some sort of (unspecified by TFA) memory corruption. My guess is you would need another flaw in conjunction with this (paired flaws?) to make it work.

I agree in that I have BT turned off on everything I own and set to hidden by default

I bought a tiny bluetooth dongle for the computer so I can bluetooth pictures and such from my phone to my computer. I keep bluetooth shut off on the phone unless I'm actually transferring files, because one of the few good bits of programming on my Motorola (most of the programming is crap) makes it easy to turn bluetooth on; if you tell it to bluetooth a file it simply asks you.

I have the computer set up with bluetooth always on and in discovery mode, but the dongle lays on top of the PC unplugged. It makes uploading files brain-dead simple. Plug the dongle in, tell the phone to upload and it uploads. Then I just unplug the dongle. My only fear is losing that tiny dongle and having to spend another twenty bucks (that's a night of drinking).

Seems this would work with Windows, too, as long as bluetooth wasn't built into the computer.

Linux is head and shoulders above Windows in bluetooth support. When I bought the dongle I feared it wouldn't work; there was a Windows/Mac install disk, but nothing for Linux. Turns out you don't have to install anything in Linux (in Kubuntu at least) to make bluetooth work, just plug the dongle in and it's functional.

I never could understand the "Windows is easier than Linux" argument; I've used Windows since 1995 (DOS before that) and Linux since 2003, and Windows frustrates the hell out of me. One or two clicks in Linux usually equals a dozen in Windows. Needing to install stuff to make a bluetooth dongle work is one example.

Re:Confusing (0)

Anonymous Coward | more than 2 years ago | (#36746800)

Oddly, your example of Kubuntu is a conflicting one. The more recent versions (10.10 and 11.04) have included a bluetooth program that to say the least, is lacking in capability and features. The fact that it can't even handle using a cellphone as a bluetooth connected modem is a critical failure, nor do I believe it supports audio transmit. That Canonical deemed this an 'upgrade' is borderline insanity.

Re:Confusing (0)

Dog-Cow (21281) | more than 2 years ago | (#36746906)

I have never seen a laptop that did not require considerable effort to get wireless networking going. And that's unsecured, no passwords or WEP to complicate things. Also, resume never worked for me, especially networking. On desktops it's OK, if you don't actually want to do much with it. The variety of software available is dwarfed by Windows. Not the amount, perhaps, but the variety. How many text editors does Linux need, anyhow? Also, Windows has a sane (if theoretically more limited) clipboard, and keyboard shortcuts that work in every program (except games).

Re:Confusing (1)

mcgrew (92797) | more than 2 years ago | (#36747876)

I had an Acer Aspire One (actually two of them, someone broke into my house and took the first one, then it happened again with the second one), and its built-in wifi worked flawlessly out of the box in both Windows and Linux, with WPA-2 security as its default in both OSes. I had an ancient Thinkpad I paid twenty bucks for (HD and battery were shot, used a thumb drive as a HD replacement), I never could get that sucker to network at all, even with a cable.

I considered the Acer a netbook, but some folks here disagree and say it's a small notebook. I got a bluetooth dongle, had to install the supplied software for it to work in Windows but all it needed to work in Linux was to plug it in.

Resume was a problem in both Windows and Linux on the Acer. If you had it set to power down when shutting the lid on battery, and hibernate when shutting the lid with AC power, and you shut the lid and plugged it in before the lights stopped flashing it would just go crazy. With Linux all I had to do was take out the battery and put it back in and boot it, with Windows it would run chkdsk and reboot itself. Sometimes. It finally collapsed completely where Windows wouldn't work at all, so I wiped the drive and made it all Linux. No problem there; the machine booted fast so Hibernate was completely unneeded; in Linux, when you boot the machine it comes up in the same state it was in when you power down, with all the open apps and documents still open.

Yes, there is more software available for Windows, and I'm sure there are some that aren't available on Linux that some may need, like photoshop for a professional photographer. But for non-pros, GIMP is as good as any program you're likely to get legally in Windows.

There are quite a few text editors available for Windows, too. I count that as a good thing, even though it doesn't matter to me what text editor I'm using.

Linux's clipboard (at least in KDE, I haven't used GNOME much) works exactly like Windows' clipboard.

At work, keyboard shortcuts are not the same with every program. Some apps Ctrl-X closes, some Ctrl-C. In IE6 you can't shut the browser down at all with keyboard shortcuts if you're in wikipedia (I blame wikipedia for that, not Microsoft).

Re:Confusing (1)

justsayin (2246634) | more than 2 years ago | (#36747662)

20 bucks equals a night of drinking? I beg to differ. 20 bucks does not cover the tip on the tab at the first bar. ;)

Re:Confusing (1)

mcgrew (92797) | more than 2 years ago | (#36747980)

Let's see, 20% tip would be a hundred bucks at the FIRST bar? Let's see, you're drinking Cabo or something equally expensive, say $5 a shot. Sixteen shots at the FIRST bar?

You, sir, can drink me under the table! I get $1.25 drafts and stagger home after ten of them.

Re:Confusing (1)

KiloByte (825081) | more than 2 years ago | (#36746190)

This brand new Lenovo laptop my mother bought on Friday (guess why I had it in my hands...) had Bluetooth on, out of the box.

The plural of "anecdote" is not "data", thus to be accurate let's keep it to this single sample :p (Honestly, I basically never deal with laptops.)

Re:Confusing (2, Informative)

Anonymous Coward | more than 2 years ago | (#36746204)

So basically computers at risk are those who always leave bluetooth on and shown to everyone. Which unless you're trying to connect to a new device should be NEVER.

Or you have a bluetooth mouse/keyboard.
None of the advisories say anything about being in "discoverable" mode.

Re:Confusing (1)

Haedrian (1676506) | more than 2 years ago | (#36746264)

Right, you pair the devices, then you set it to hidden.

That wasn't so hard was it?

I assumed that to start a bluetooth connection there needs to be something to connect TO.

Re:Confusing (1)

Gaygirlie (1657131) | more than 2 years ago | (#36746514)

Right, you pair the devices, then you set it to hidden.

Unfortunately, you can get infected already during that moment.

Re:Confusing (1)

ArsenneLupin (766289) | more than 2 years ago | (#36746898)

Right, you pair the devices, then you set it to hidden.

But as soon as you actually use the keyboard or mouse, packets fly around, which have this "hidden" number in their headers, from where it can be snarfed by the bluetooth equivalent of tcpdump...

Re:Confusing (1)

Plunky (929104) | more than 2 years ago | (#36747440)

No, you will need more than a standard Bluetooth dongle to sniff packets from the air.. the BlueZ hcidump program only dumps packets passing through the host OS stack (to or from the host), and the controller cannot be set to 'promiscuous' mode like a wifi radio can..

Re:Confusing (1)

Haedrian (1676506) | more than 2 years ago | (#36746300)

Just read one of the links someone posted:

"If your system were “discoverable,” it would respond to attacker SDP queries with its Bluetooth address. But in the default state, an attacker must obtain your Bluetooth address another way – either via bruteforcing it or extracting it from Bluetooth traffic captured over-the-air."

"you have paired a Bluetooth peripheral and are actively communicating, it is hard but not impossible to extract the Bluetooth address from the traffic sent over-the-air. A device is available on the market for $10,000 - $30,000 to do this in about 5 minutes"

I don't think I'm worth the price of a car to access my emails and images of cats with captions underneath.
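
An added example, not part of any comment in this thread: on a Linux host running BlueZ, the discoverable/hidden distinction quoted above shows up in the flags that `hciconfig` prints, where ISCAN (inquiry scan) means the adapter answers discovery and PSCAN (page scan) means it still accepts connections from anyone who already knows its address. The sample output and its addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed `hciconfig` output (BlueZ format); the addresses are made up.
SAMPLE = (
    "hci0:\tType: Primary  Bus: USB\n"
    "\tBD Address: 00:11:22:33:44:55  ACL MTU: 310:10  SCO MTU: 64:8\n"
    "\tUP RUNNING PSCAN ISCAN \n"
    "\tRX bytes:1530 acl:0 sco:0 events:72 errors:0\n"
    "\n"
    "hci1:\tType: Primary  Bus: USB\n"
    "\tBD Address: 00:11:22:AA:BB:CC  ACL MTU: 1021:8  SCO MTU: 64:1\n"
    "\tUP RUNNING PSCAN \n"
    "\n"
    "hci2:\tType: Primary  Bus: USB\n"
    "\tBD Address: 00:11:22:DD:EE:FF  ACL MTU: 310:10  SCO MTU: 64:8\n"
    "\tDOWN \n"
)

HEADER = re.compile(r"^(hci\d+):")
ADDRESS = re.compile(r"BD Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
# The status line is the only indented line made up purely of upper-case words.
FLAGS = re.compile(r"^\s+([A-Z]+(?:\s+[A-Z]+)*)\s*$")


def parse_hciconfig(text):
    """Return one dict per adapter: name, address, set of status flags."""
    adapters = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            adapters.append({"name": m.group(1), "address": None, "flags": set()})
            continue
        if not adapters:
            continue  # ignore anything before the first adapter header
        current = adapters[-1]
        m = ADDRESS.search(line)
        if m:
            current["address"] = m.group(1)
            continue
        m = FLAGS.match(line)
        if m:
            current["flags"].update(m.group(1).split())
    return adapters


def exposure(flags):
    """Classify over-the-air exposure from the adapter's status flags."""
    if "UP" not in flags:
        return "down"                    # radio interface is not up
    if "ISCAN" in flags:
        return "discoverable"            # answers inquiries with its address
    if "PSCAN" in flags:
        return "hidden-but-connectable"  # reachable if the address is known
    return "non-connectable"


def audit(text):
    """Return (adapter, address, exposure) for every adapter in the output."""
    return [(a["name"], a["address"], exposure(a["flags"]))
            for a in parse_hciconfig(text)]


if __name__ == "__main__":
    for name, address, state in audit(SAMPLE):
        print(f"{name} {address} {state}")
```
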

Re:Confusing (4, Funny)

c0lo (1497653) | more than 2 years ago | (#36746210)

You shouldn't be running around with bluetooth on anyway.

Meh - trying to get to the root of the problem.

You shouldn't be running around with bluetooth on.
You shouldn't be running around with bluetooth
You shouldn't be running around
You shouldn't be running
You shouldn't be
You shouldn't

YOU! Ah, it is always you at fault.

Re:Confusing (1, Insightful)

bmo (77928) | more than 2 years ago | (#36746256)

And this is how Microsoft gets away with this crap.

It's always "blame the user"

Got a virus? "you didn't use the right virus protection"
Got spyware? "You shouldn't have gone to that porn site"

etc.

While there is no patch for stupid, there are ways to protect the user that don't involve encasing a machine in concrete and dropping it at the bottom of the Marianas trench.

--
BMO

Re:Confusing (2, Insightful)

kevinmenzel (1403457) | more than 2 years ago | (#36746302)

Yeah, there are ways of protecting the user. WHICH IS WHY THEY PATCHED THE HOLE. This isn't an unpatched vulnerability. The title even notes that this vulnerability was patched. They found the hole. They patched the hole. No more hole. No more trench. No blaming the user.

The only way a user would be vulnerable to this, is if they never updated. At which point, hell yeah, blame the user.

Re:Confusing (2)

mcgrew (92797) | more than 2 years ago | (#36746496)

This isn't an unpatched vulnerability.

It was before they patched it, which in Vista was how long?

Re:Confusing (0)

mcgrew (92797) | more than 2 years ago | (#36746476)

While there is no patch for stupid

There is a remedy for ignorant. And face it, we're all stupid sometimes. "Oh, shit, Why in the hell did I do THAT????"

Windows makes "stupid" easy. Linux makes "stupid" hard, one reason why Windows is so insecure compared to other OSes; it's made so somebody dumber than a box of rocks can use it. Hell, my ex-wife uses Windows and they don't come much dumber than her.

Re:Confusing (1)

Dog-Cow (21281) | more than 2 years ago | (#36747038)

Windows is not insecure compared to other OSes. Unless you are talking zOS or something similar. Linux is a pile of security vulnerabilities waiting to be discovered. It's just that no one bothers, at least not on the scale that Windows "enjoys".

Re:Confusing (2)

imric (6240) | more than 2 years ago | (#36747832)

"Linux is a pile of security vulnerabilities waiting to be discovered."

As is every OS. Apparently, ESPECIALLY Windows.

"It's just that no one bothers, at least not on the scale that Windows "enjoys"."

This has been debunked so many times it's ridiculous. Go on living in fairyland, though.

Re:Confusing (2)

mcgrew (92797) | more than 2 years ago | (#36748174)

Let's see, one OS you have the source code to look for vulnerabilities, one you don't. I assure you that people DO look for vulns in Linux, especially those who use it for their file and web servers. The only folks looking for vulns in Windows are black hats looking for virus vectors, and white hats fighting the black hats.

What's that saying about Many Eyes? [google.com] (PDF from Wash U, "Many Eyes Hypothesis") Wait, now I remember -- Linus' Law [wikipedia.org].

Linus's Law is a claim about software development, named in honor of Linus Torvalds and formulated by Eric S. Raymond in his essay "The Cathedral and the Bazaar".[1] The law states that "given enough eyeballs, all bugs are shallow"; or more formally: "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone." Presenting the code to multiple developers with the purpose of reaching consensus about its acceptance is a simple form of software reviewing. Researchers and practitioners have repeatedly shown the effectiveness of the reviewing process in finding bugs and security issues,[2] and also that reviews may be more efficient than testing.

In Facts and Fallacies about Software Engineering, Robert Glass refers to Linus' Law as a "mantra" of the Open source movement, but calls it a fallacy, stating that research has found that the number of bugs found decreases with too many inspectors, and that no research supports the Law as stated.[3] Interestingly, closed-source practitioners tacitly support the law's notion, by promoting stringent, independent code analysis during a software project's development.[4][5]

Re:Confusing (3, Insightful)

peppepz (1311345) | more than 2 years ago | (#36746442)

You shouldn't be running around with bluetooth on anyway.

Actually, I should be able to, because it's useful.
It's my OS that should drop any packet I'm not interested in. Machines are supposed to do the work for me, not the opposite.

Re:Confusing (3, Informative)

TheRaven64 (641858) | more than 2 years ago | (#36746494)

Absolutely! Needing to activate bluetooth every time you want to use it removes a lot of its use. Some of the things that I've done with Bluetooth:
  • Tie the 'device enter range' notification to a script that checks whether the device has been sync'd in the last day, and if not runs the sync program.
  • Configure my laptop to lock its screen when I walk away from it carrying my phone ('phone exits range' notification triggering screen saver).
  • Send vcards from my phone address book to another person's phone, or from their phone to my phone or laptop.
  • Send pictures from my phone to my laptop.
  • Control presentations from my phone.
  • Use wireless keyboards and mice with my laptop.

Why would I want to have an extra enable step before doing each of these and a disable step after?

Re:Confusing (1)

pmontra (738736) | more than 2 years ago | (#36747024)

The point is that nobody should tell you or me what we must do. There are some security best practices but if you know what you're doing (and it seems you do), you evaluated the tradeoffs and you can do whatever you want. Actually your setup looks pretty useful even if I don't trust the security of anything wireless, not even at my home. Cables are great things :)

You can't get too much worse than that (1)

nzac (1822298) | more than 2 years ago | (#36746180)

From MS SB

The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Almost remote full admin access. Seriously how much worse can it get, guess you're still safe from internet attacks but still.

Anyone found a page on the exploit, you can do the entire list of immature things to other people's computers to all your friends with Bluetooth with this one.

Re:You can't get too much worse than that (1)

kevinmenzel (1403457) | more than 2 years ago | (#36746346)

I'm pretty sure, given that my friends and family all keep their computers updated, I can't do any of that stuff. At least not via this vulnerability. You know, because this was patched already...

Re:You can't get too much worse than that (1)

nzac (1822298) | more than 2 years ago | (#36746578)

Some will have chosen to delay restarting just for an update but I guess since it's a service pack things running better will be expected. I would expect a small window for a few. I guess it's not clear but the last sentence was sensationalist. The casual nature of the post should have given some indication of it.

Apart from is a little difficult for the Russian to access it at least for primary infection this is a pretty bad exploit I can't remember worse for a while. Must have been a window for the FBI to gather intel.

100 meters (1)

Anonymous Coward | more than 2 years ago | (#36746220)

A worm that infects computers within 100 meters of itself? That's a novel way of bypassing firewalls. The exploit would need to be paired with a traditional network vulnerability for the worm to spread far from the point of origin though.

Re:100 meters (1)

peppepz (1311345) | more than 2 years ago | (#36746436)

In reality, not all Bluetooth adapters are Class 1 (I'd say that most aren't, but I have no numbers backing my claim), so they can only work within 10 meters or less. And we're not even talking about walls.

Hang on (1)

Anonymous Coward | more than 2 years ago | (#36746252)

You mean all those super secure non-networked military computers that even have bluetooth adapters?

Bluetooth-enabled vs. Disconnected (0)

Anonymous Coward | more than 2 years ago | (#36746362)

If it's Bluetooth-enabled, it's not really disconnected, is it?

This is like saying "if your computer's attached to a LAN, other people on the LAN can attack it, even if there's no Internet connection". Duh - you're still connected to the LAN, which is where the attacker is. Same here: you've got Bluetooth enabled, so an attacker can use Bluetooth to attack you.

Re:Bluetooth-enabled vs. Disconnected (1)

aardwolf64 (160070) | more than 2 years ago | (#36746634)

No, this is similar to saying "If your computer isn't plugged into a network, but you haven't disabled your internal NIC in device manager, your computer is vulnerable."

The lines are blurred a bit because Bluetooth is a wireless technology, but their point is you don't have to be actively connected to anything to get hacked.

Meh!!! Windows has been broken for a long time (-1)

Anonymous Coward | more than 2 years ago | (#36746542)

When Microsoft salts LAN Manager passwords then I'll get excited. Who cares if you can raise privileges by some nefarious means when you can crack the admin password by brute force:

http://www.ethicalhacker.net/content/view/94/24/
http://en.wikipedia.org/wiki/LM_hash

Re:Meh!!! Windows has been broken for a long time (0)

Anonymous Coward | more than 2 years ago | (#36746600)

Or with your GPU, eg

http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/

Re:Meh!!! Windows WAS broken for a long time (0)

Anonymous Coward | more than 2 years ago | (#36746682)

Trolling fail. "[..] versions prior to Windows NT", and not used by default since before Vista.

Patches cause BlueScreen (1)

Anonymous Coward | more than 2 years ago | (#36746546)

Having installed the three patches (KB2507938, KB25342531, and KB2555917) on a fully patched Windows 7 Dell Laptop, I immediately started experiencing BSODs. System Restore to the pre-patch state failed, but I was able to uninstall the patches through the add / remove utility. After the uninstall the BSODs immediately stopped. I have not had time to individually install each one to determine the culprit. But please take this as a heads-up.

Re:Patches cause BlueScreen (1)

ledow (319597) | more than 2 years ago | (#36747690)

Sounds like a pretty usual hotfix scenario to me. Then they'll hotfix the hotfix, and hotfix the hotfix to the hotfix, then they'll service pack it and bundle it with a dozen other things that fix that problem and introduce ten more.

As always - don't have Windows Update turned on by default unless you really do have proper (byte-level) backups of the computer that are up-to-date.

I've yet to take a batch of computers through a Service Pack without at least one of them hitting blue-screens or reboot loops and having to restore it from a clean backup (or better, a backup of a computer that already had the hotfix applied successfully).

Re:Patches cause BlueScreen (1)

Rude Turnip (49495) | more than 2 years ago | (#36748050)

I came into work this morning to find my Windows 7 laptop rebooted, presumably because of this issue. My Logitech BT mouse (uses a BT USB dongle) stopped working because the Bluetooth transceiver stopped working. I'm pretty sure the patch is what resulted in my mouse and Bluetooth transceiver landing in the garbage can this morning.

They say PC's.. (0)

Anonymous Coward | more than 2 years ago | (#36746584)

What really they meant was, every single laptop ever made with bluetooth.

Meh... (0)

Anonymous Coward | more than 2 years ago | (#36746730)

This would only be interesting if it were an Apple flaw. Then we could jump on in droves and condemn those insecure Apple users and their poorly designed and built hardware and software.

Searching for a funny Nokia N900 app... (1)

ArsenneLupin (766289) | more than 2 years ago | (#36746732)

something that would permanently send out a bluetooth beacon to make all Windows 7 or Vista computers within earshot show goatse.ragingfist.net fullscreen...

Might be fun walking through a computer shop (or just some offices...) with this on... And coming near to one of those giant display walls at a trade fair would be still better...

Why is this insightful? RTFM (0)

Anonymous Coward | more than 2 years ago | (#36746752)

From advisory:

"A remote code execution vulnerability exists in the Windows Bluetooth 2.1 Stack due to the way an object in memory is accessed when it has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a series of specially crafted Bluetooth packets and sending them to the target machine. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

OK, this has been patched. (1)

justsayin (2246634) | more than 2 years ago | (#36747740)

No fun driving yet another Windows drops its panties vulnerability into the ground. Instead let's make fun of Bluetooth and relate your worst Bluetooth experience.

Me first, I got the cell phone and the Garmin navigator talking via bluetooth. Love answering calls on the Garmin while driving. Hands free, sounds good, love it.

Ok, I do not love parking the truck, going into the convenience store, getting a call and the navigator picks it up when I open the flip phone. I can't hear them, they can't hear me cause their audio is routed to the fricking truck which is locked up out in the parking lot while I am picking out a 6 pack of beer.

"Disconnected" used to mean "powered off" (1)

Moskit (32486) | more than 2 years ago | (#36748194)

This "even disconnected" /. title really got me wondering if there is a WakeOnBluetooth technology.
