Slashdot: News for Nerds

Comments

The Daily Harassment of Women In the Game Industry

rabtech Hypothetical (860 comments)

For all of you trying to turn this into a men's rights issue, just stop.

You're embarrassing my gender.

  Yes there are some unfair things that happen to men. Yes there are some real issues.

But we aren't talking about those issues right here in this post. We're talking about women right now, so let's stick to the topic.

  Even as a man I find it highly annoying that the Internet jackass squad has to jump into the middle of every single conversation about women and cry "BUT WHAT ABOUT THE MENZ?!?!". Just fucking stop it already. Write your own blog post about men's issues and submit it to slashdot and we can discuss it over there.

yesterday

The Daily Harassment of Women In the Game Industry

rabtech Re:Occams Scalpel (860 comments)

Just how annoying is this person that she generates that kind of hate ?

I have worked with/under/and above women, and the only time I have ever seen anyone get this kind of reaction, male or female, is when it was provoked or the people perpetrating it were a few punch cards short of a program.

Says the person who's never been publicly visible. No matter who you are, what your personality is, etc there will always be some people out there that don't like you, won't hire you, or otherwise throw negativity your way even if you've done absolutely nothing to earn their hate.

Your reaction is what I've noticed most women get if they even gently bring something up. It's 100% complete denial and blame the messenger.

What I can't figure out is why? I'm a guy, I'm a software developer. I like to work off data. Every single even halfway notable woman I've seen or talked to from conferences in person to online forums and Twitter all tell the same story: massive ongoing campaigns of harassment. The quantity only varies with the topic under discussion. Even the women developers I've worked with who aren't famous have multiple stories of being threatened with rape, patted on the head and dismissed in a meeting with colleagues, having their boobs grabbed at conferences, etc.

True, this behavior may be a small group of bad apples, but by denying the problem exists at all you're enabling those bad apples to continue doing what they do. You don't need to do much to be part of the solution, just admit you're not a woman and don't actually know what women experience when other men aren't watching and that there's so much smoke from almost every single woman in tech it is highly probable there is fire.

Seriously, why can't we just admit women catch a lot of shit just for being women in tech? No one is claiming they shouldn't catch shit for having stupid ideas or writing bad code. No one is claiming you can't ask women out or you have to be some kind of PC choir boy for fear of offending someone. What is this irrational urge to deny, deny, deny?

yesterday

Researcher Finds Hidden Data-Dumping Services In iOS

rabtech Huge Caveat! (95 comments)

There is a huge caveat here:

You can only do this if you have the keys from a computer you have sync'd with previously. That only happens if you enter your passcode then see the "Trust this Computer" prompt on a computer that has iTunes installed and you click "Trust" at the prompt. That creates a set of sync keys that the iOS device will then accept to access the various services.

Some of the stuff he complains about is only enabled for devices used for development or if the device is enrolled in enterprise provisioning. As far as I'm aware, Apple requires that the company purchase the device on the company account to support over the air enrollment in this system so it wouldn't affect personal devices. Even for USB connected devices, you must enter the password/passcode to allow the device to be visible to MDM tools in the first place. Even enabling development mode requires entering the password/passcode.

The one main point he brings up (which I agree with) is Apple needs to provide a way to see the list of computers on your device and remove them.

There are some other more theoretical issues here that Apple should address, but no your iPhone is not running a packet sniffer and will not hand over files to anyone who connects. If your device isn't provisioned for enterprise and has never connected to a PC to sync (the vast majority of iOS devices these days) then as far as I can tell, none of the issues he found are of any use whatsoever.

2 days ago

KeyStore Vulnerability Affects 86% of Android Devices

rabtech Re:Serious? (71 comments)

That was a new $700+ iPad, from the Apple Store in the summer of 2010 about five months after launch.

That's certainly a nerd sort of pedantically correct, but the scope and scale matter a lot. Apple is far, far better about updating old devices. Anyone who tries to argue that they are equivalent to Google on this front is just being an asshole.

Yes, there are a few models that did not get more than two years of OS updates due to hardware limitations (or business reasons if you want to think that) and the iPad you mention is one of those.

If we compare to Android, the majority of all Android devices have *never* seen a software update. A supermajority (if not 90%+) don't get updates a year past their original introduction (meaning people buy them brand new and *never* get a single update).

By contrast, when Apple's famous "goto fail" bug was discovered, they issued a patch for my test device, a four year old iPod Touch 4th generation running the end-of-life iOS 6. The patch was released immediately, at the same time as the patch for the latest hardware.

Tell me... what 4 year old Android devices are getting any OS updates whatsoever?

Honestly... how is this even slightly controversial?

Apple controls their own hardware and software, and they release a limited number of models. Their support burden to release updates for older devices is minimal. They also have the benefit of requiring complete open access from the carriers and have stuck to their guns, forcing carriers to cave in. (I remember the days before Apple, when carriers struck features from devices at their whim, and the only "app" store was the horrible carrier's app store). That's also part of the reason you will never see this on Android - having let the cat out of the bag, they absolutely will not allow anyone else to usurp their control again.

By contrast, Android is developed by one company, has firmware developed by an SoC company, then gets modified for hardware by another, then certified by thousands of individual carriers. If anyone in that chain decides it's too much work, doesn't care, or just drags their feet then you don't get updates.

P.S. Expect carriers (at least in the US) to start injecting boot loader verification into the baseband ROM, then refuse to let your device on the network if it has been rooted. They are fighting tooth and nail to not be a commodity dumb pipe and will try anything. Many of their most profitable customers are iOS users, so they basically can't avoid doing as Apple says (ask NTT DoCoMo or Verizon how resisting Apple's demands worked out). Samsung has no such leverage - one Android phone is, to a rough order of magnitude, as good as another, so when the carriers demand locking and verification you can bet Samsung will comply.

about three weeks ago

Research Project Pays People To Download, Run Executables

rabtech Duh (76 comments)

People were happy to install ActiveX controls to "Punch the Monkey" in 1998. Nothing has changed since then.

It's also why the Android security model is a complete joke and always has been.

Any security model that requires users to make perfect security decisions is an automatic failure because there is no "undo", so one mistake after 10 years of perfect vigilance owns your entire machine.

about a month ago

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

rabtech My grand conspiracy theory (250 comments)

Many end users have IPv6 support. Many servers are capable of it. The issue is mostly the US ISPs and middle-tier transit providers dragging their feet. My systems all support IPv6, my m0n0wall box supports it, but neither of the two ISPs I can buy service from support it. In fact they won't sell it to me even if I offer to pay extra money for it!

My pet theory is that Verizon et al wants to convert IPv4 address space into a "resource" they can buy/sell/trade. A bunch of lawyers and MBAs are rubbing their greedy fingers together, hoping we stay in a "resource shortage" for as long as possible.

We could switch over, probably within a year or two, but it would take a government-imposed mandate to force people to stop screwing around and make the change.

about a month ago

One Developer's Experience With Real Life Bitrot Under HFS+

rabtech Re:Clueless article (396 comments)

People talking about "bit rot" usually have no clue, and this guy is no exception.

It's extremely unlikely that a file would become silently corrupted on disk. Block devices include per-block checksums, and you either have a read error (maybe he has) or the data read is the same as the data previously written. As far as I know, ZFS doesn't help to recover data from read errors. You would need RAID and / or backups.

I'm afraid it is you who is clueless. Up until ZFS started gaining traction, we all had the luxury of assuming the storage chain was reliable (RAM, SATA controller, cables, drive firmware, read/write heads, oxide layers, etc). Or at least we would know something went wrong.

But it was found that in the actual real world, these systems all silently corrupt data from time to time. The problem is much worse as the volume of data grows because the error rates are basically unchanged, meaning what was once expected to be a random bit flip that would strike one user out of a million once per year is now something that strikes every single user multiple times per year.

I'm not talking theory or what *should* happen. I'm talking about actual real world experience with check summing filesystems that demonstrate, beyond any doubt, that bit rot happens and happens far more frequently than most people believe. Actual experience with ZFS proves that disks can and **will** read back out different bits than what was written silently with no block read errors.

Further, you're incredibly ignorant of how ZFS or BTRFS deal with redundancy. You can set up mirroring of blocks, in some cases on a per-file or directory basis, providing protection against corruption. A background scrubber scans the disk when idle cycles are available and detects and repairs corruption from the available good blocks, or logs an error if there are no good mirrors or parity blocks available.

With our new knowledge and experience it is no longer sufficient to cross our fingers and hope for the best. We cannot trust filesystems or the underlying hardware, we must verify.

about a month ago
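Added example, not part of rabtech's post: a toy model of what the post describes, a two-way mirror with checksums stored apart from the data, a read path that heals a bad copy from the good one, and a scrub that walks every block and reports what has no good copy left. The names (MirroredBlockStore, flip_bit, fresh_store), the 64-byte block size and the SHA-256 checksum are choices made for the illustration, not anything from ZFS or HFS+; the "disks" are in-memory byte arrays and the bit rot is injected by hand.

```python
import hashlib

BLOCK_SIZE = 64  # toy block size; real filesystems use 4 KiB or larger


def block_data(lbn):
    """Deterministic, constructed contents for logical block `lbn`."""
    return hashlib.sha256(b"block %d" % lbn).digest() * 2  # 64 bytes


class MirroredBlockStore:
    """Toy two-way mirror with out-of-band checksums.

    Each logical block is written to both 'disks'. The checksum lives
    apart from the data (ZFS keeps it in the parent block pointer), so a
    disk that silently returns wrong bytes cannot also return a matching
    checksum for them.
    """

    def __init__(self, num_blocks):
        self.disks = [bytearray(BLOCK_SIZE * num_blocks) for _ in range(2)]
        self.checksums = {}  # lbn -> sha256 digest of the data last written

    def _slice(self, lbn):
        return slice(lbn * BLOCK_SIZE, (lbn + 1) * BLOCK_SIZE)

    def write(self, lbn, data):
        assert len(data) == BLOCK_SIZE
        self.checksums[lbn] = hashlib.sha256(data).digest()
        for disk in self.disks:
            disk[self._slice(lbn)] = data

    def raw_read(self, disk_idx, lbn):
        """What a non-checksumming filesystem sees: whatever the disk says."""
        return bytes(self.disks[disk_idx][self._slice(lbn)])

    def _verify(self, lbn):
        """Return (indices of copies matching the checksum, all copies)."""
        copies = [self.raw_read(i, lbn) for i in range(2)]
        good = [i for i, c in enumerate(copies)
                if hashlib.sha256(c).digest() == self.checksums[lbn]]
        return good, copies

    def _repair(self, lbn, good, copies):
        for i in range(2):
            if i not in good:
                self.disks[i][self._slice(lbn)] = copies[good[0]]

    def read(self, lbn):
        """Return verified data, healing a bad copy on the way if possible."""
        good, copies = self._verify(lbn)
        if not good:
            raise IOError("block %d: no copy matches its checksum" % lbn)
        if len(good) < 2:
            self._repair(lbn, good, copies)
        return copies[good[0]]

    def scrub(self):
        """Background pass over every block: repair what still has a good
        mirror, report what does not. Returns (repaired, unrecoverable)."""
        repaired, unrecoverable = [], []
        for lbn in sorted(self.checksums):
            good, copies = self._verify(lbn)
            if not good:
                unrecoverable.append(lbn)
            elif len(good) < 2:
                self._repair(lbn, good, copies)
                repaired.append(lbn)
        return repaired, unrecoverable


def flip_bit(store, disk_idx, lbn, byte_off, bit=0):
    """Simulate silent bit rot: the disk reports no error, just wrong bits."""
    store.disks[disk_idx][lbn * BLOCK_SIZE + byte_off] ^= 1 << bit


def fresh_store(num_blocks=8):
    s = MirroredBlockStore(num_blocks)
    for lbn in range(num_blocks):
        s.write(lbn, block_data(lbn))
    return s


if __name__ == "__main__":
    s = fresh_store()
    flip_bit(s, 0, 3, 10)   # one copy rots: healable
    flip_bit(s, 0, 5, 0)    # both copies rot: only detectable
    flip_bit(s, 1, 5, 1)
    print("naive read of block 3 is corrupt:", s.raw_read(0, 3) != block_data(3))
    print("checksummed read of block 3 is intact:", s.read(3) == block_data(3))
    print("scrub (repaired, unrecoverable):", s.scrub())
```

The point the model makes is the one in the post: raw_read returns wrong bytes with no error at all, and only the out-of-band checksum turns that into either a silent repair or a logged failure. Without the second copy (or parity, or a backup) the scrubber can still tell you the block is bad, but it cannot give the data back.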

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

rabtech Re:This is awesome (217 comments)

It's actually a false dichotomy...

The vast majority of software is poorly written, hacked-together junk written by dicks and idiots.

Open Source *can* be slightly less terrible, but it's all still terrible.

about a month and a half ago

Big Telecom: Terms Set For Sprint To Buy T-Mobile For $32B

rabtech Re:Anybody remember Nextel? (158 comments)

This is wildly inaccurate.

Full disclosure: I'm a Sprint shareholder (at $2.70, back when people were predicting bankruptcy). I've been following them for some time.

Seems like they've been planning this for some time, and are absolutely dependent on the merger going through, because Sprint has been a complete laggard with LTE deployments, despite their massive modernization effort, and doesn't seem to be trying AT ALL.

Actually Sprint has engaged in a nationwide replacement of all their radios and base stations, including installing fiber to almost all of their towers and using gigabit microwave to connect the towers that can't get fiber to ones that can.

Sprint's major problem with 3G was the outdated backhaul. They were still using T1 lines everywhere, as they first got distracted with Nextel, then sunk money into WiMax hoping it would take off as the next-gen standard **.

I have LTE now in the DFW area and it's fast and works well.

Sprint wasn't allowed to touch Nextel's spectrum, in the 3G days, so they only freed up their big block of 800MHz when LTE was first being deployed. With a little foresight, they could have put 800MHz LTE radios on their towers, and immediately boasted the best LTE coverage. With great LTE coverage, they could save money by neglecting their 3G network, and pretty quickly stop selling phones that are able to fall-back to anything other than 800MHz LTE. After all, LTE can do simultaneous voice and data, even if AT&T and Verizon have been slow to use it, perhaps for the above reasons.

The Nextel 800MHz spectrum is a very small slice; it only has enough space for one 5x5 LTE channel and 1 CDMA voice channel, no more. If they had started making the switch, they would have cut off their existing Nextel customers overnight. Not to mention the fact that LTE wasn't even a standard at the time and no vendors offered LTE tower equipment and no handsets supported it. If they had tried to squeeze a CDMA data channel into that space it would have been painfully slow (far less than the 3MB theoretical max).

FYI: They have been turning on 800MHz and I get noticeably improved performance inside elevators and building interiors. The goal is 2.5GHz for crowded urban areas (where you don't want towers to cover much distance), 1900MHz for general use, and 800MHz for indoor areas and rural coverage.

But Sprint was half-hearted about their great opportunity... first saying they'd use some of that 800MHz band to improve 3G coverage, then later retracting that incredibly stupid idea. And while they've promoted their "Network Vision" upgrades for a couple years, they've still only very slowly expanded their LTE coverage to more than the very biggest urban areas, even skipping some major ones.

Actually they completely rebuilt their network, including all backhaul/routing, all radios, all tower equipment. That project is almost complete now. Compare LTE coverage in 2012 to today and you can see a massive difference. You can't do that overnight.

With Nextel, the actual problem was they waited for Qualcomm to add PTT tech (push to talk) to CDMA so they'd have a replacement for the IDEN handsets. Right as that became available, everyone stopped caring and wanting smartphones with data plans. In hindsight, they should have forced Nextel users to switch immediately and stopped running dual networks for no good reason (doubling tower and backhaul costs). They'd have lost the same number of customers in the end but saved a bunch of money.

And they didn't ever leverage the WiMax network they spent so much money deploying. Sure, it's not LTE, but by just releasing a dual WiMax/LTE phone, Sprint could have boasted the biggest "4G" network from day #1, and they could have begun LTE deployments everywhere they didn't have WiMax, giving wider coverage, quicker. Instead, there's no WiMax/LTE phones to be found, and their LTE deployment simply overlapped their early WiMax deployment, resulting in no net-gain of extra coverage area.

** Actually WiMax was a use-it-or-lose-it deal. They had to deploy something to the 2.5GHz bands or they would lose access, but LTE wasn't ready so they deployed just enough WiMax to preserve their spectrum. They have already started deploying LTE to that band.

The whole purpose behind spinning off Clear was to get other companies to waste capital on Sprint's behalf, greatly lowering the cost of preserving that spectrum while they rebuilt their network, shut down IDEN, and got on track for the future. So in that sense it worked perfectly.

I'm cautiously hopeful that this merger will be what they need, to finally compete. But each time before that they've gotten a big opportunity, they've squandered it. From the outside, Sprint seems to be deeply dysfunctional and lacking in any foresight or innovative ideas, copying the big two in the slowest and least efficient way possible. The opportunity they have to merge the Sprint and T-Mobile LTE networks with dual-band phones, and quickly deprecate their 3G networks, seems just as likely to be squandered and bungled.

Masayoshi Son's access to unlimited money from the BoJ (for some value of "unlimited") makes acquisition a good move.

Sprint has a modern network and is executing well, it simply takes time to roll out the network, then it takes time for everyone to upgrade to an LTE phone capable of using the new network.

Buying T-Mobile would give them compatible spectrum in many, many markets - they share a lot of 1900MHz assignments. Sprint could immediately begin switching some of those to Sprint LTE on day one. Many phones would be compatible with both. After the typical two year replacement cycle, Sprint could begin forcing everyone off old phones and finish the conversion. That's the big key - you can't let it linger like Nextel, you have to rip the bandaid off. The only question mark is the AWS spectrum - not one Sprint currently uses. Do you try to keep it and upgrade your towers to support it? Or do you swap/sell it?

about a month and a half ago

Misogyny, Entitlement, and Nerds

rabtech Re:So, to sum this up. (1198 comments)

This is the most childish post I've seen on this story yet.

I am so fucking sick and tired of hearing how there is something intrinsically wrong with me and that I should be feared because I have a Y chromosome.

Objection your honor, asserts facts not in evidence! No one said there was anything wrong with you or that you should be feared. The whole point is women can't know a priori who the good guys are and the penalty is being raped or killed. If only 1-2% of the guys are the bad apples (probably a bit low), then in a conference of 5000 men there are 50-100 who would do her harm. Do you honestly even give a second thought to someone punching you in the face or stabbing you at a conference? Didn't think so.

Don't want to be abused or get raped? Don't be friends with or date immature, over-entitled, sociopathic bad boys

Seriously? You mashed the keyboard and clicked post to share this bit of drivel with the world?

Get the chip off your shoulder man.

Know what all the nice girls are doing? Quietly trying to navigate the hurdles of life and getting by. Same as the real nice guys (not the fakes who pretend not to be interested in a woman so they can ingratiate themselves).

DaveV1.0, you are part of the problem.

From one male nerd to another: not acceptable.

about 2 months ago

Misogyny, Entitlement, and Nerds

rabtech Re:#notallgeekyguys (1198 comments)

"It's a standard frustrated angry geeky guy manifesto ..."

You hang around a weird/scary bunch of angry geeky guys. The "manifesto" becomes far-out well before the murder-intent plans.

What planet do you live on? This is a very common thing among nerdy guys, though slightly less so with the younger generation thankfully.

Why does every single discussion about women in tech immediately result in a bunch of denials, followed by pats on the back (upvotes) as dudes congratulate other dudes on how much of a not-problem there is?

From one white male nerd to the rest of the community: Come on, you can't be serious? Women are treated equally to men in tech? Really? Really?

The evidence is all over. You can see it on twitter, in forum posts, or just by asking any of the female geeks you may know.

To claim otherwise is to endorse a lie. If you've helped clean up your little corner of the world, excellent and good on you! But please don't pretend geek/nerd culture has no issues with women.

* As to what happens in other communities, who gives a shit? That is irrelevant. I'm concerned about our community. We should have better standards, especially those of us who were bullied as kids before the dotcom boom when being geeky started to be seen as at least not completely aberrant behavior.

about 2 months ago

Misogyny, Entitlement, and Nerds

rabtech Re:Are you sure? (1198 comments)

There are a lot of cultures of violence; not just the one against women. There are a lot of cultures that dehumanize, not just the one that dehumanizes women. The talking heads on this subject take an unjustified position of universal and unique persecution. Men should look at women as people, while simultaneously the talking head saying it doesn't look at men as people.

Except you are taking this off-topic because right now, at this moment, we are discussing women in geek/nerd circles. Specifically a guy who seemed at least a bit nerdy and blamed women for not seeing what a nice guy he was (translated: faker who pretends not to be interested in them romantically). While the vast majority of nerdy guys certainly wouldn't do anything violent, there are many, many thousands of them who share the same attitude: women just won't see what a nice guy he is and it's all their fault for being bitches and whaaaaaaaaaa.

Every single time someone tries to start a discussion about how women are treated in nerd/geek circles, a bunch of my fellow guys jump in and change the conversation to be about something else. Why? Because geek/nerd culture is dominated by white men so we have the largest number of voices.

Just for once, can we have a discussion about women in tech without trying to change the subject? Please? White male geek asking nicely here.

about 2 months ago

Misogyny, Entitlement, and Nerds

rabtech Slashdot does not disappoint (1198 comments)

I came in expecting a bunch of hand-waving denials, cries of "WHAT ABOUT MEN'S RIGHTS?!?!", and other such nonsense and I was not disappointed!

Women in tech/nerd circles generally face a lot more BS than a man would in the identical situation. That continues to go on because some of us seem to think this is an attack or indictment and refuse to acknowledge it.

Here's a pro tip: the guys who grab women's breasts, stand immediately in front of a woman when they're the only two in the elevator (blocking her exit), start asking sexually-charged questions, follow her around after a meeting, or even just the ones who automatically dismiss anything a female developer says.... They don't generally act like jerks in plain view. When they do, those of us who do care sit by silently; when the manager pats a female developer on the head and tells her not to worry about it, a lot of guys just laugh or ignore it.

You may think it doesn't happen but ask the women in your group how many times people have treated them like children, dismissed them, or behaved in a really creepy way even after being asked to stop **. Ask any reasonably well-known geek girl to show you her "death & rape threat" tweet or email folder and you'll see hundreds or thousands of them.

** I've personally seen it many times; once I even witnessed a guy ask a female geek how many guys she had slept with, then get righteously offended and angry when she said that was an inappropriate question. (To my own younger self's shame I did not step in and call him out at the time - something I regret). Women often feel they can't speak up about anything that happens to them because they are loudly shouted down as liars, whores, or met with complete denial. Even asking someone politely to stop being a creep can elicit angry self-righteous replies.

I think the refusal to see the issue and complete denial stems from fear - the fear that this will spiral into some out-of-control political correctness where we can't tell a joke, give a compliment, or even chat up women anymore. As far as I can tell that's just a manufactured fear with no basis in reality. The creepy angle also comes from guys who feel they are unable to approach women, but prominent and famous women are "known" to them, a sort of false relationship we all can tend to feel we have with the public figures in our lives. In that situation they act far more familiar than they otherwise would.

So here's a simple thing you can do: make your tech meetups friendly toward women. If you see another guy acting creepy, call him out on it. If you find yourself objecting to a technical point raised by a female developer, just take a half a second to think "would I object if it were Bob asking instead of Alice?". Stop letting the bad apples spoil the whole bunch, and worse - teach the young men and women in tech that this behavior is acceptable. Most of all, stop denying there's a problem.

I bet if even 5% of the male developers spoke out against the negative behavior and actively supported women in tech, we could completely eliminate this issue almost overnight.

about 2 months ago

Become a Linux Kernel Hacker and Write Your Own Module

rabtech Re:just remember ... (143 comments)

Yeah but if you get mad and start throwing things you can end all of existence. Some say the universe would collapse and reboot but sounds like hocus-pocus to me!

about 2 months ago

Fiat Chrysler CEO: Please Don't Buy Our Electric Car

rabtech More of the same (462 comments)

Car makers cried and pitched an absolute shit-fit about seat belts, air bags, and fuel efficiency standards.

In theory, the free market should produce incentives for solving for safety and efficiency. In reality, it just optimizes the local maxima, since no one wants to be the first to "blink" by making these new technologies standard (thus greatly lowering the cost), ensuring they stay high-priced luxuries.

If we leave it to the free market, we'll be stuck on gasoline engines for another century at least, with all the negative impacts that will have on our economy as the increasing cost of oil and various shocks hit. That's not even dealing with the environmental or global climate change issues.

Government regulations can jump-start the industry and so far it appears to be working for electric vehicles. We are still in the early-adopter stages; they'll get better and cheaper as long as we keep at it.

Fun fact: government almost always leads the way into uncharted territory. It wasn't private industry that built transcontinental railroads (which makes Atlas Shrugged hilarious). It was the US government. The government gave the rights of way, passed a series of massive funding bills to give the railroads free money and tax breaks, sent in the army to protect the rails from Native Americans, robbers, etc. Without federal government involvement, the US rail network would not exist in the form it does today.

For that matter, neither would the interstate highway system.

Nor would computing: it was massive US federal government spending that paid Grace Hopper to invent the first compiler! And it was government spending that created the Internet, both TCP/IP via ARPA and the WWW via CERN.

about 2 months ago

Finding More Than One Worm In the Apple

rabtech Re:-Wall -Werror (116 comments)

Turning on all warnings and forcing them to errors certainly would have caught the bug in Apple's SSL code. Anyone who just lets warnings fly by in C code is an idiot. Even if the warning is mildly silly, getting it out of the way lets the important warnings stand out. Sensible warnings from C compilers are the very reason we don't use lint anymore. Even then you still have to watch out, because some warnings won't appear at low optimization levels, and I recall hearing that there are a few obscure warnings not turned on by -Wall.

Let me quote from one of the best-tested and most widely used projects out there, SQLite, from http://www.sqlite.org/testing....

Static analysis has not proven to be especially helpful in finding bugs in SQLite. Static analysis has found a few bugs in SQLite, but those are the exceptions. More bugs have been introduced into SQLite while trying to get it to compile without warnings than have been found by static analysis.

The bolded part has been my experience unfortunately. Static analysis is nearly useless.

An appropriate test for something like an SSL stack is a separate test harness that "fuzzes" the stack by exploring large random combinations of values, some with known good certificates and others with randomly generated (and thus broken) ones. These days one can spin up thousands of VMs, run a massive suite of billions of test cases in parallel over a few hours, then spin them down and spend a relatively small sum of money.

And yes, the test harness for something like this is probably going to exceed the # of lines of code of the actual implementation by an order of magnitude. For really important security-critical stuff like cryptography, SSL/TLS, keychain management, etc it is well worth the effort.

about 2 months ago
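Added example, not part of rabtech's post: the duplicated "goto fail;" from Apple's SSLVerifySignedServerKeyExchange ported to Python (a while/break stands in for the goto), beside the fixed version, with the kind of harness the post calls for, one that feeds both verifiers known-good records and single-bit corruptions of them and reports the first corrupt record that gets accepted. Everything here is constructed for the illustration: an HMAC under a shared key (SERVER_KEY) plays the role of the RSA signature over the transcript hash, the record layout is a dict rather than real TLS framing, and make_handshake, mutate and fuzz are names invented here. One caveat worth adding to the post's -Wall remark: in clang the stray jump is reported by -Wunreachable-code, which is not part of -Wall, so the compiler only helps if that flag is on; a harness like this one catches the bug regardless of compiler settings.

```python
import hashlib
import hmac
import random

# Constructed: a shared key stands in for the server's public key so that an
# HMAC over the transcript hash can play the role of the RSA signature.
SERVER_KEY = b"toy key standing in for the server RSA key"


def _rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def make_handshake(rng):
    """A valid (constructed) ServerKeyExchange-like record."""
    hs = {
        "client_random": _rand_bytes(rng, 32),
        "server_random": _rand_bytes(rng, 32),
        "params": _rand_bytes(rng, 64),
    }
    transcript = hs["client_random"] + hs["server_random"] + hs["params"]
    hash_out = hashlib.sha256(transcript).digest()
    hs["signature"] = hmac.new(SERVER_KEY, hash_out, hashlib.sha256).digest()
    return hs


def _hash_update(h, data):
    h.update(data)
    return 0  # the C hash calls return a status code; update cannot fail here


def _raw_verify(hash_out, signature):
    expected = hmac.new(SERVER_KEY, hash_out, hashlib.sha256).digest()
    return 0 if hmac.compare_digest(expected, signature) else 1


def verify_goto_fail(hs):
    """Structure of the buggy C function. 'break' plays the role of 'goto fail'.
    Returns 0 when the record is accepted."""
    err = 0
    h = hashlib.sha256()
    while True:
        err = _hash_update(h, hs["client_random"])
        if err:
            break
        err = _hash_update(h, hs["server_random"])
        if err:
            break
        err = _hash_update(h, hs["params"])
        if err:
            break
        break  # the duplicated 'goto fail;': err is still 0, signature never checked
        err = _raw_verify(h.digest(), hs["signature"])
        break
    return err


def verify_fixed(hs):
    """Same checks without the stray jump."""
    h = hashlib.sha256()
    for field in ("client_random", "server_random", "params"):
        err = _hash_update(h, hs[field])
        if err:
            return err
    return _raw_verify(h.digest(), hs["signature"])


def mutate(hs, rng):
    """Flip one random bit in one random field; never returns the input unchanged."""
    bad = dict(hs)
    field = rng.choice(sorted(bad))
    buf = bytearray(bad[field])
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    bad[field] = bytes(buf)
    return bad


def fuzz(verify, iterations=1000, seed=1):
    """Known-good records must be accepted; any single-bit corruption must be
    rejected. Returns the first corrupt record `verify` accepts, else None."""
    rng = random.Random(seed)
    for _ in range(iterations):
        hs = make_handshake(rng)
        if verify(hs) != 0:
            raise AssertionError("valid handshake rejected")
        bad = mutate(hs, rng)
        if verify(bad) == 0:
            return bad
    return None


if __name__ == "__main__":
    print("fixed verifier accepts a corrupt record:", fuzz(verify_fixed) is not None)
    print("goto-fail verifier accepts a corrupt record:", fuzz(verify_goto_fail) is not None)
```

The harness is deliberately two-sided: the "valid must pass" check stops a verifier that rejects everything from looking secure, and the "corrupt must fail" check is what exposes the goto fail structure, since that verifier returns 0 no matter what signature it is handed.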

Apple's Revenge: iMessage Might Eat Your Texts If You Switch To Android

rabtech IIRC (415 comments)

IIRC this is actually an issue with the sending devices not being aware that the target contact no longer has iMessage enabled.

It's trickier than it seems because iMessage will route to your Mac, iPad, and iPhone. It doesn't know if you just haven't signed in recently or if you're gone forever. If I read a message on my Mac, it is a successful delivery, even if I tossed my iPhone in a lake and swore off cell phones forever.

Apple should add a portal to manage this on icloud.com so you can see all your devices and enable/disable them from iMessage. Then the iMessage servers should reply when a device certificate is used that is disabled or deleted, causing the sending device to update its records.

Remember - Apple acts as a key exchange system but the actual private keys only exist on individual devices; the sending device re-encrypts the message for each recipient.

about 2 months ago

RFC 7258: Pervasive Monitoring Is an Attack

rabtech Re:Next step: (67 comments)

The NSA will try to infiltrate the IETF.

Some people may mod this as Funny, but I take it as completely serious.

Even if it isn't the NSA, do you really think other state actors won't try to exert their influence?

Expect a lot of FUD around security issues by direct paid shills, or just "grass-roots" opposition indirectly fomented by various state security agencies.

about 2 months ago

Apple Can Extract Texts, Photos, Contacts From Locked iPhones

rabtech The actual article (202 comments)

Hey, let's link to the actual document in question! What a novel concept!

http://www.apple.com/legal/mor...

Good news:

- Apple cannot track a phone via GPS, nor forcibly enable Find My Friends/Find my iPhone

- Apple cannot monitor FaceTime or iMessage conversations since they are end-to-end encrypted

- Apple cannot provide third-party app data that is encrypted since the files are encrypted with the user's passcode.

- It appears if the user does a remote wipe before law enforcement can get a warrant and ship the phone to Apple (or fly it there), then there is nothing that can be done. I wonder if they power up the device in an anechoic chamber so it can't receive the remote wipe signal? I would guess no because most people aren't smart enough to do an immediate wipe.

- We already knew the only trick they have as far as encrypted files goes is a custom firmware that bypasses the max attempt auto-erase and rate limit feature, so it can attempt to brute-force passcodes quickly. However it requires the attempt be made on-device, since the keys are stored in the secure storage with no facility to get them off-device. So even a moderately complex passcode is effectively unbreakable, let alone a good strong password.

Questionable:

- user generated active files (this is what SMS/call logs/photos/etc are listed under). Normally if a device is powered off and rebooted, I was under the impression that these things were not available because the files are encrypted. It seems that iMessage is at least encrypted here, but I would be curious to find out what the situation is. Everything except photos, videos, and recordings is a moot point because you can get stuff like SMS history and call logs from the carrier anyway so those are the only ones I'd be concerned about.

There are some definite good points here - Apple has chosen not to build themselves backdoors or workarounds, presumably because they can't be ordered to disclose information they don't have access to... same reason they built iMessage the way they did. A court would have to order them to refactor their software before it could order them to intercept messages, and at least in the US there is no precedent or law that can compel them to do so.

However I would expect the "user generated active files" to be encrypted after a device reboot until the passcode is entered. If that is not the case, Apple should fix it pronto.

I would also expect Apple to refactor the storage of those things to be segmented, given the NSA revelations and increasingly authoritarian behavior of law enforcement; for example, photos pending background upload could be kept unencrypted, but once uploaded they should be rewritten as encrypted so they require the passcode to access. They already have the ephemeral key tech and per-file key support so you can generate a key for the unencrypted file while the device is unlocked, then toss the passcode key when the device locks and only hold onto the file key until the upload is finished, then toss it. Thus no risk to the main key but you can still encrypt the file in the background.

I won't bother discussing Android phones - they are almost all trivial to break and access all the user's data, when people like Samsung aren't coding back doors directly into the firmware.

about 2 months ago
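The per-file-key arrangement sketched in that comment (a passcode-derived key wraps a random per-file key; on lock the passcode key is tossed while a pending upload holds only its file key until it finishes), as an added Python illustration that is neither Apple's code nor anything from the thread. The PBKDF2 class key, the HMAC-SHA256 counter-mode cipher standing in for AES, and the `Device` model are constructed assumptions for the demonstration.

```python
import hashlib, hmac, secrets

# Added illustration of the scheme in the comment above: a passcode-derived class key
# wraps a random per-file key; the class key is dropped on lock while a pending upload
# keeps only its file key. HMAC-SHA256 in counter mode is a constructed stand-in for AES.
def derive_class_key(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag or wrong key")
    return _xor_stream(key, nonce, ct)

class Device:
    def __init__(self, passcode: str):
        self.salt = secrets.token_bytes(16)
        self.class_key = derive_class_key(passcode, self.salt)  # starts unlocked
        self.store = {}    # name -> (file key wrapped under class key, ciphertext)
        self.pending = {}  # name -> bare file key, held only until upload completes
    def add_photo(self, name: str, data: bytes) -> None:
        if self.class_key is None:
            raise PermissionError("device locked")
        file_key = secrets.token_bytes(32)  # per-file key generated while unlocked
        self.store[name] = (seal(self.class_key, file_key), seal(file_key, data))
        self.pending[name] = file_key       # background upload still needs it
    def lock(self) -> None:
        self.class_key = None  # passcode key tossed; pending file keys survive
    def unlock(self, passcode: str) -> None:
        self.class_key = derive_class_key(passcode, self.salt)
    def upload_pending(self, name: str) -> bytes:
        file_key = self.pending.pop(name)  # last use of the bare key, then discarded
        return unseal(file_key, self.store[name][1])
    def read(self, name: str) -> bytes:
        if self.class_key is None:
            raise PermissionError("locked: file key is wrapped under the passcode key")
        wrapped, ct = self.store[name]
        return unseal(unseal(self.class_key, wrapped), ct)
```

After `lock()` the only way back to the photo without the passcode is the bare file key held for the pending upload, and `upload_pending` discards that on its single use.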
top

Erik Meijer: The Curse of the Excluded Middle

rabtech Re:Jump through the mirror? (237 comments)

Or, perhaps, to acknowledge that it's very hard to do anything useful without side effects.

You can write beautiful, elegant, purely functional code, as long as it doesn't have to touch a storage system, a network, or a user. But, hey, other than that, it's great!

This is a huge misconception about functional programming, one that I used to have myself.

With a functional programming language, you can have side effects, you are just forced to be explicit about those side effects with specific language features in specific places.

Basically functional programming requires you to "opt-in" to side effects only where necessary.

Traditional imperative programming requires you to "opt-out" by taking huge steps to enforce immutability, generating mountains of code to accomplish any task because the compiler doesn't help you.

about 3 months ago

Submissions

top

ASUS iKVM Epic Fail

rabtech rabtech writes  |  about 2 years ago

rabtech (223758) writes "In yet another vendor epic fail, it turns out ASUS' implementation of busybox for iKVM/IPMI ships with hard-coded anonymous access enabled, with a regular shell (not the Server Management shell). And passwords are stored in the clear. Including root with a default password of 'superuser'. So if you have anything with their iKVM or IP Management Interface, your devices can be remotely rebooted by anonymous users. Enjoy!"

Journals

rabtech has no journal entries.
