Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Planes Can Be Hacked Via Inflight Wi-fi, Says Researcher

blueg3 Re:I don't buy it (151 comments)

Hardcoded credentials aren't necessary. What they *mean* is that the *reason* for hardcoded credentials is "support". "Necessary" here doesn't actually mean "necessary", but rather, "deemed to be the best choice". Of course, it might really be the best choice. There's certainly a cost associated with making the support more complicated. You have to weigh that against the difficulty of using the hardcoded credentials and what you can do with them. There are lots of potential tradeoff points, from "using hardcoded credentials was the stupidest choice you've ever made" to "it's technically offensive, but also the best option".

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:and this is news why? (205 comments)

Doesn't require physical access. Firmware reprogramming is easily over-the-wire with many USB devices. It just requires logical access to the device. A computer running malware is a malicious third party with logical access to the USB device.

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:Oh think of the fun when drivers update firmwar (205 comments)

Yes, devices have updateable firmware. How is this a "sneakernet issue"? The firmware update does not cause Windows to install anything. Those are orthogonal features.

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:Do cellphone chargers require USB negotiation? (205 comments)

Sure. Depending on your device (iPhone works differently from the standard USB fast-charging spec), you should be able to easily look up what resistors need to go where. (As mentioned, non-iPhone devices use an informal standardized spec. A circuit diagram of something like a Samsung charger should show you.)

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:Oh think of the fun when drivers update firmwar (205 comments)

What sneakernet issue? Be more clear. USB devices do not contain installable software, except for the obvious and well-known case of a mass-storage device happening to contain files that can be intentionally or inadvertently executed by the end user after the MSD is connected.

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:Do cellphone chargers require USB negotiation? (205 comments)

You just need a resistor or two. Almost any USB-charged device will charge at 500 mA if it is connected to a dumb charger (no data lines), but in order to charge at a higher current (as many devices do), it needs to sense that it's connected to a charger that supports the higher current draw. So that it can be implemented without real USB-supporting electronics, that's just done with some simple electrical components. So you can make a charger that blocks the data lines but permits full-speed charging.

If you're okay with the slow version, just go out and buy a "power only" USB cable. They already exist. Alternately, this.

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:White hat hackers, if you build it I will come. (205 comments)

It'd probably be easier to implement a little hardware device that places restrictions on device classes that can connect through it and limits hybrid devices (e.g., keyboard+mouse = ok, keyboard+webcam = reject).

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:Oh think of the fun when drivers update firmwar (205 comments)

A couple NSA letters later and MS is now sending NSA payloads.

Because they couldn't already do this with network-distributed software updates?

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:How is this viable as an attack medium? (205 comments)

1. A ton of USB devices are actually implemented as general-purpose components with programmable firmware (attached to whatever support hardware, like a network card or a webcam, is necessary). So they're more common than you think.

2. Smartphones are an excellent reprogrammable USB device that lots of individuals have.

3. This is difficult enough to really engineer well that it is probably a bigger threat as a targeted attack against a big organization for now. Until someone does the engineering to make it easy to deploy widely. Then, it'll be a threat for everyone. Kind of like automated hacking of consumer-grade routers to modify the firmware to participate in an Internet-wide portscan. It's the Metasploit effect: it's not a big problem until someone makes it automated, then it is.

about three weeks ago
top

"BadUSB" Exploit Makes Devices Turn "Evil"

blueg3 Re:and this is news why? (205 comments)

The whole point of this is that the malware reprograms the firmware of existing, trusted devices to make them malicious.

about three weeks ago
top

New SSL Server Rules Go Into Effect Nov. 1

blueg3 Re:Documentation (92 comments)

None. Now you've identified and understand the problem.

about a month ago
top

New SSL Server Rules Go Into Effect Nov. 1

blueg3 Re: Why? (92 comments)

They are bugged only once, and then they accept the cert locally.

Not necessarily. On Chrome, for example, accepting a self-signed cert long-term isn't the default behavior. Even that isn't a great idea: you have no knowledge of whether the self-signed cert is legitimate or not without a substantial out-of-band communication of technical information to nontechnical people, which isn't cheap. A college network is a good example: it should be treated as a hostile network, so MitM against a self-signed cert within your private network is very much a reality.

Or the college provides an easy way for the BYOD people to acquire the college's cert.

Doing that at a large scale for technically-inclined people costs more than a public CA cert. Once you have to support regular users, it's way more expensive.

There is no need for an official CA to issue a cert for Server1 at IP address 10.2.1.2

Certs don't include IP address. When you get a cert for server1.internal.unm.edu, they don't know what IP address(es) it will be bound to, and they don't and shouldn't care.

No need whatsoever.

There certainly is a need. It's to enable devices that want SSL but aren't configured to trust your internal CA to securely identify your server. There are lots of reasons for "aren't configured to trust your internal CA" to happen.

And, as proof of that, starting in November, the official CAs will stop issuing those types of certs.

They're going to require that certs they issue are for domains that are tied to an external domain. For example, mail.internal.unm,edu. This doesn't negatively impact people's ability to have public CA certs for internal resources. Nor should it.

about a month ago
top

New York Judge OKs Warrant To Search Entire Gmail Account

blueg3 Re:No limits on storage or security (150 comments)

Judging by how the police actually operate, a hard drive with that data will be put in a box and put into storage with a large collection of other such boxes, probably never to be seen again.

about a month ago
top

Thousands of Leaked KGB Files Are Now Open To the Public

blueg3 Re:Strictly speaking... (95 comments)

Oddly, it's not. That's where OP is coming from. "Treasure trove" comes ultimately from Latin via French (or at least, some language fragments the Normans brought over). The "trove" means "found", so it's "found treasure". That's why in the original (pre-English) phrase, the word order is backwards: "trove" is the adjective, "treasure" is the noun, and it follows the appropriate French/Latin word order. It was pulled directly into English without reordering (common for borrowed phrases). Eventually, "trove" (which had no English meaning at all) became a synonym (a shortening) for "treasure trove".

So by etymology, "trove" was originally an adjective. However, it means nothing in English. The phrase "treasure trove" is a noun phrase all by itself that can't really be broken into parts.

about a month and a half ago
top

Thousands of Leaked KGB Files Are Now Open To the Public

blueg3 Re:seems like snowden did the exact same thing. (95 comments)

Well:
* The documents are being revealed to the public now and document events from 30-40 years ago.
* These are documents that he personally worked with, rather than a cache of documents acquired for the purpose of copying and releasing them.
* There's no question, I think, that this guy was a spy and defector. He was moved from Russia to the UK with the help of UK intelligence agencies in exchange for Russian secrets. Nobody's trying to claim that he's a "whistleblower". No comment on his actions or motivations vs. Snowden's, but they are potentially substantially different.
* This guy is dead.

Up to you to decide if any of these are substantive differences and why, but there are distinct differences.

about a month and a half ago
top

Thousands of Leaked KGB Files Are Now Open To the Public

blueg3 Re:Strictly speaking... (95 comments)

In English, "trove" has been a standalone noun for more than two hundred years. It's short for "treasure trove".

Etymologically, the "trove" in "treasure trove" comes from an adjective, but "trove" by itself isn't an English adjective. That's language for you.

Strictly speaking, you're inventing a meaning that would make sense etymologically and asserting that it's the "real" meaning of the word. It's only dictionaries and speakers of English that disagree with you.

about a month and a half ago
top

Police Using Dogs To Sniff Out Computer Memory

blueg3 Re:Better idea (415 comments)

I think the cops probably need to do more old-school investigating and undercover work.

This is part of "old-school investigating". The dog is to help them execute search warrants. The child porn can be stored on any kind of electronic storage medium, and that can be hidden pretty much anywhere in the house. It's a ton of failure-prone work to dig all that stuff up so you can search it.

In this particular case, it actually involves undercover work, too. Investigators get on P2P file sharing networks or infiltrate underground trading rings (which is sometimes pretty tough) and find people trading illicit material. Often, judges want a fair bit of supporting evidence that they're intentionally sharing explicit material (since everyone knows the "a virus did it" defense), so they'll get the target to reveal information sufficient for a warrant. (On top of that, they have to make sure the person is within their jurisdiction.)

Often times, a child porn case starts because someone calls the cops, and that requires a fair bit of proper investigation, too. Usually the accused is in contact with a child, and you have to figure out if something is going on there. Sometimes it's people planting evidence to get back at an ex-boyfriend or something, and you want to eliminate that possibility, too. (One guy tried to steal his neighbor's wife by planting CP on his neighbor's computer. Really not a great plan.)

about a month and a half ago
top

Police Using Dogs To Sniff Out Computer Memory

blueg3 Re:Memory? (415 comments)

"Storage" is what, these days, we call I/O-based secondary memory. It's still a form of computer memory, though.

about a month and a half ago

Submissions

blueg3 hasn't submitted any stories.

Journals

blueg3 has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>