
Comment Re:Effective curation of outside software (Score 1) 198

is not possible because there will always be too many applications.

So.... what are you saying here? That you just download any old executable code you can get your hands on from the Internet?

A serious walled garden would not allow outsider software, but convenience and greed always trump security.

A serious walled garden like... what? Are we talking NSA that goes through serious vetting processes for all of their purchases? Or are we talking about just rolling our own code for everything here? Because Solarwinds has shown that you can get software even into very restricted government agencies through a well executed supply chain attack.

Faux money like Bitcoin will always be more vulnerable than physical objects like precious metals but there is a passionate desire to own symbols without owning objects which crypto fits well.

If you put your life's savings in one place and fail to diversify you're, to put this as kindly as possible, fucking stupid. There is no excuse to live a life of lazy ignorance because it has such painful consequences.

So are we blaming Apple here, the user, or both? I really can't tell. But Apple's walled garden is valuable for a variety of reasons. No one has ever claimed that an application whitelist is 100% effective. That is why Apple also sandboxes applications and implements all kinds of privacy controls and restrictions, so that when a bad apple gets in there the damage is limited. There is literally nothing Apple can do to prevent the user from giving up their banking credentials, though.

Comment Re: krypto kurrency, its pretend, like keystone k (Score 1) 198

Yes, the user absolutely made mistakes that he should not -- but this is why any smart security person encourages defense in depth: We should not rely on a single security control, especially not "the user pays close attention and is thoughtful", to protect against a security threat. In this case, Apple specifically advertises the App Store as a source that users should trust.

Ahhh but that isn't really what Apple says at all. Because Apple uses defense in depth. They screen the App Store for malicious behavior. They sandbox applications so that Application A cannot steal data from Application B. Apple has never and will never say "all apps on the App Store are trustworthy." They say that they have put protections in place to make using the App Store safe. And it is true. The app in question is not exploiting any vulnerability to steal data. This person voluntarily gave the app data, and every security person in the world knows that you can't use technology to stop someone from granting access to data that they should not without using mandatory access control. And since this is an individual who is supposed to be protecting his own data, there is no practical way to enable mandatory access control on his bitcoin wallet data.

Comment Re:How many died (Score 5, Interesting) 202

Why do people think death is the only nontrivial outcome of a viral infection?

Obviously it's the only one that matters. My aunt got polio when she was a child and it didn't kill her, so it's not a big deal, right? Never mind the fact that she's had to deal with chronic pain her whole life and has been using a cane to get around since childhood. She has been almost completely bedridden for the last 5-10 years. Insignificant, I tell you.

Comment Re:At least Thunderbolt 4 has DMA protection (Score 1) 193

What does Microsoft do to promote UEFI driver support?

First of all, this has NOTHING to do with UEFI driver support and everything to do with enabling preboot IOMMU and other virtualization features that provide better security against malicious PCIe and Thunderbolt devices at boot.

Microsoft has heavily promoted UEFI Secure Boot, but that is a giant mess. https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Farstechnica.com%2Finform...

You're blaming Microsoft because there is a security flaw in GRUB? In what world does that make sense? Many platforms don't even ship with Linux shims in the DB anyway so this only affects specific manufacturers and people who enroll the Linux keys manually.

Some of the most useful UEFI drivers on Windows systems require Secure Boot to be disabled. https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fgithub.com%2Fpbatard%2Fuef...

This is obvious propaganda from the driver owner - there is literally nothing stopping you from signing the driver yourself and enrolling your own key in the DB for secure boot. Either the person who maintains this project is ignorant (unlikely) or is intentionally misleading people to promote an agenda.

I understand Microsoft's motivations for wanting to own the signing keys used to verify operating system boot software (i.e. Secure Boot),

Microsoft doesn't even want to own the signing for this. They are a member of the UEFI forum. They volunteered to host the Secure Boot PKI because no one else was willing to do so, and the UEFI forum would have had to increase dues to pay someone to do the same. Microsoft did push Secure Boot, but it solves a legitimate problem for 99.9999% of the world's population: they have no way of knowing whether or not they can trust their bootloader. They lack the knowledge to even understand that they need to know whether or not they can trust their boot loader.

but there isn't the same incentive for them to support moving drivers into the firmware that can be used by any OS.

Microsoft has literally 0 control over this. The OEM/ODM decides what drivers to include in their firmware image. Microsoft is not going to try and dictate support for other operating systems and why should they? System manufacturers don't include them because they cost more to develop and support. It also increases the boot time because one more driver has to be enumerated and potentially loaded. OEM/ODMs get upset if you impact boot time by milliseconds so I can assure you they are not going to add such support for 0.0001% of the population. If you want these things and an OEM that may be willing to support such things then you ought to talk to System76. They may actually be willing to include these things for you.

Comment Re:At least Thunderbolt 4 has DMA protection (Score 1) 193

Intel is a little wishy-washy on what DMA protection you actually get with their TB4 sticker... The way the requirement is written allows a little wiggle room for other VT-d technologies, and I'm not sure if they require it to protect everything. Intel's VT-d itself doesn't protect Thunderbolt... it's just a means to protect DMA. Modern OSes have kernels that will use it to protect Thunderbolt connections, but doing it in the kernel still leaves known vulnerabilities. Apple initially only loaded the protection at the kernel level, which led to vulnerabilities that they fixed by moving the protection into their UEFI firmware. https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.slashgear.com%2Fthun...

Microsoft appears to be at the forefront of pushing these security measures earlier and earlier into the boot process. But keep in mind that your OS has to support preboot IOMMU or you won't be able to use any of these features. In fact, a lot of security features that could be used during the preboot window are often not included in the firmware because it makes life hard on the OS.

Comment Re:This is the *wrong* library to disable checks! (Score 1) 39

Who thought it was a good idea to disable basic bounds checks and the like for software like this?? Or use a language not made for this, like C.

This isn't an AAA game! The code's goal is not to be fast with the fenders flying off, but to be secure like a tank! And it certainly doesn't need low-level access or manual resource management outside of making sure used memory is overwritten after use.

You most likely are incorrect about many of your assumptions. Most hardware comes with cryptographic acceleration that may actually require using assembly to take full advantage of. Most likely that is not the case, but some of these accelerations may not be possible in anything but C. That doesn't mean they can't minimize the amount of C used, of course, but it may actually be required. Also, the last time I used this library was to do many tens of thousands of signing operations per second and speed was most definitely important. I haven't touched this library in over a decade so I don't know the current state. I also don't typically work in an OS environment so I don't know what libraries Linux may provide to allow access to these hardware crypto functions but that library will most likely be written in C and may suffer from these same types of mistakes.

Comment Re:IFR with single source nav? (Score 1) 119

Is using GPS as your sole source of navigation data under IFR in line with FAA regs these days? It didn't used to be, but I haven't checked in quite a few years. Back in the old days I was trained to cross check at least two sources of data, and a third if I could get it. I don't know if that is still standard procedure. I know that some of the more sophisticated navigation equipment used today has integrity monitors that check for inconsistent data between different external sources, and some even against an internal solution (poor man's INS). Of course, if the external solution drifts slowly the system is likely to just re-sync the internal model to the bad external data, but it does catch relatively quick changes.

I used to work on software used for aviation (not FAA certified - it was just training systems but it was supposed to emulate the exact software in the aircraft). You can certainly use inertial navigation in fixed wing aircraft (the military required it last time I was working for the DoD) but inertial navigation is very difficult for a helicopter. In fact I don't remember having to support it for the simulated systems. I could misremember, but it is much easier to cope with these problems in fixed wing versus rotary wing. One of the examples listed was definitely a rotary wing aircraft.

Comment Re:Trump wins either way. (Score 1) 557

Huh. That is odd. He was definitely there to cause trouble. I don't know anything about the guy but based on this SLC Tribune article it seems like he and his brother are both kind of crazy / attention seeking. Who knows. I am not sure anyone will ever really know the truth about this guy's motives.

Comment Re:Trump wins either way. (Score 1) 557

If you want voter fraud allegations raised at trial, given several Senate members could have their own election called into question by such evidence, the conflicts of interest are significant.

Which, I think, is all the more reason that they need to put the election fraud rumors to bed. Otherwise there are hundreds of elected officials across the nation whose own rise to power could be questioned.

Referring to them as 'victims' is however an interesting description, and one I very definitely would not use.

I would personally say that the entire nation was victimized but the number of people whose lives were on the line that day is much smaller - the capitol police, the legislators / family members / etc., and the protestors / rioters. I'm honestly surprised at how many of the ones who were outside stayed, I would have been worried about my life if I were an honest protestor. I heard that many outside were cheering the rioters on, though I don't honestly recall hearing that on the TV and obviously was not there.

Probably more relevant will be statements by investigators that the violence was pre-planned, which pretty much precludes any possibility of incitement.

In that case you may be able to argue that there was no incitement the day of. But it would mean that there was a much larger conspiracy at hand that is far more dangerous to our democracy. I don't know the exact legal definition of incitement, but when considering first degree murder, the premeditation period can start at less than one minute and extends on indefinitely. If there is any potential break in the passionate outburst that occurs at 2nd degree, even just for a few seconds, they consider it 1st degree. So the question for incitement is - does it have to be a passionate outburst or can it be months of indoctrination and pot stirring? I guess Google can answer that, though.

That one of the people videoed actually inciting violence is an anti-Trump activist means the Senate could well find themselves calling into question the legality of the impeachment itself.

I am not familiar with this. I know initially there was a lot of talk that the Q Shaman might be Antifa, but it has been quite thoroughly demonstrated that he is a Trump supporter and thought that he was doing what Trump was asking him to do in order for Trump to save the world / children from Hollywood and political pedophiles. Can you link me to a picture or article related to this person you're referring to?

Comment Re:Trump wins either way. (Score 1) 557

That is the evidence that you feel would justify impeachment. I'm asking for the evidence that was actually presented.

It's not a trial. Why do you think any evidence needs to be presented to the group that literally saw and experienced this all firsthand? Though to be clear, I think that all of the available evidence for the false voter fraud allegations as well as the seditious activity needs to be brought to light during the actual trial so that the people of the country can see firsthand what happened.

Now whether or not it is a conflict of interest for the Senate to try Trump for a crime of which they are the victims is an interesting topic of debate. What are your thoughts on that?

Comment Re:Why always the Chinese? (Score 2) 83

It's because China is politically unpopular.

It's not entirely clear what exactly this guy did wrong. He took up a consulting job on the side. Well yeah, that's what academics do. Just because the US doesn't like that country doesn't make this just. I mean shit, the guy's surname is "Chen". Kinda seems like that just maybe he might not see a problem taking up some consulting work in the motherland?

If he is receiving research grants from the US there may very well be restrictions on which countries he accepts other grants or payments from as well. I know that when I dealt with confidential material (ITAR related, not even classified) I had to notify the security officer whenever I traveled to certain countries. China, Russia, Venezuela, Cuba, and a few others were all on that list. Depending on what I was working on at that time the security officer may have needed to escalate those travel notifications to the FBI. It is something you agree to when you accept money from the feds. In my case failing to notify anyone of such travel was not a crime but would automatically disqualify me from such work for some period of time and would have basically cost me my job.

Comment Re:Practical effect? (Score 1) 557

It would hardly cost him anything. Sounds symbolic to me.

I disagree. If you look at his valuation forms, as filled out when he applies for Forbes' fortune list, you'll see that most of his perceived value comes from his brand and image. Being convicted by the senate will finish off his reputation and his image and there is always the chance that he will end up in state or federal prison for his activities before and during his presidency.

Comment Re:Politicians (Score 1) 557

>>This literally happens all the time. Watch some True Crime TV or something like that and you'll see that prosecutors...

That's cute, you rely on television for legal information.

I literally tell you that I have personal experience in witnessing this from the prosecutorial side professionally and you respond with that?

Comment Re: Platforming hate speech (Score 1) 307

That is not what I see from Amazon's response. I see that Amazon complained about a TYPE of post and that Parler had more posts of that type. Of course, unless we actually have the posts it is impossible to know if Amazon's version of the content is correct. One can read almost anything as violence or hate speech. For example, if I say "all the Democrats in Congress are crooks, we need to get rid of them", I am most likely saying we need to vote them out, prosecute them or unseat them by legal means. But Amazon could decide I mean violence. This is why we need impartial third party review on things.

I don't have the Amazon filing in front of me anymore, but I thought they had included some posts in the exhibits of their filing? I could be mistaken.
