* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Steve Jobs' thermonuclear showdown with Samsung reaches US Supreme Court

Charles 9

Re: Shorter process?

"So as it was inevitably going to end up here, it does beg the question, why not just bloody start here and have done with it! I have nothing against due process, but this is just silly."

Rules of the game. Any legal matter has to be taken up with the lowest court with jurisdiction over the matter first. Higher courts can only hear these cases on appeal via the writ of certiorari, and the Supreme Court alone holds the power of discretion. Only they can refuse to accept an appeal. The only time the Supreme Court can directly get involved (an "original jurisdiction") is on true interstate matters (in which case the Supreme Court by law is the ONLY court able to rule) like State of New York vs. State of New Jersey, 1998 (a dispute over ownership of Ellis Island).

Charles 9

Re: I'm actually curious...

It's happened at least once already IIRC. The policy is that the court must reach a majority in order to set a precedent, meaning at least five justices must side on the issue (if two vacancies occur, however, the mark becomes four). If no majority is reached, the previous decision stands as written, and that decision (from the full Court of Appeals) sided with Apple.

IPv4 apocalypse means we just can't measure the internet any more

Charles 9

Re: And who told you I want to be measured?

"And that's the crux of the problem: moving to IPv6 means that end-users are going to *have* to be able to configure firewalls, or else they default to wide-open. And the vast bulk of the world's Internet users are not capable of that."

Tell me. Why MUST an IPv6 firewall ACCEPT by default? Instead of the standard ACCEPT outgoing (optionally ACCEPT manually configured ports) and DENY everything else?

Charles 9

Re: And who told you I want to be measured?

"if you have NAT you almost have a stateful FW which is much better than a basic FW."

But not necessarily. He's basically stated and proved that NAT alone doesn't block incoming connections, and in the world of Don't Trust Anyone, you can't trust the ISP, either. One DOES NOT necessarily imply the other.

Anyway, why do you think the ISP wouldn't supply a stateful IPv6 router when they're already doing the same with IPv4? You assume the ISP is a Janus: providing good firewalls on IPv4 but crappy ones with IPv6.

Charles 9

Re: IPv6 tracking

How can you deep analyze ENCRYPTED packets?

'My REPLACEMENT Samsung Galaxy Note 7 blew up on plane'

Charles 9

Re: No real evidence it was a new one

Oh? And if it's REAL?

Because it certainly doesn't seem to be an isolated instance.

Charles 9

Re: re: you've still got some time before it combusts

No, because I've also had to do it with LGs and with HTCs. It's just that Samsungs are my current hookup because they offer the most of what I ask for (decent amount of good-quality features, case- and shield-friendly, removable battery, and MicroSD slot). In any event, the S4 in question is over three years old and the S5 was acquired used, meaning the battery there had been around the block. I don't expect these batteries to last forever; no battery I've ever owned, alkaline, nickel-based, or lithium-based, ever does; that's what we have to live with. And that's why I insist on them being removable to maintain the device's long-term longevity, as it's usually the quickest thing to wear out.

Charles 9

Re: Replacement batteries

"So in conclusion, companies that make unsafe batteries need to be sued out of existence, and the faster the better."

How will you sue them out of existence when they're protected by foreign sovereignty?

Charles 9

Re: RE no, no, no, stop

"Each one made announcements that once on the aircraft, phones must be switched to 'flight' mode....except for Samsung Galaxy Note 7 devices which must be switched OFF (and if you have one in the hold, tell the crew now, as the only place they can be carried is in the cabin)"

The FAA forbids lithium-based batteries from being transported as cargo without special packaging. This applies to all aircraft, not just passenger liners because of fire risk (and an in-flight fire is considered a mayday event). At least in the carry-on luggage there are people around to attend to combusting batteries in the event of an emergency.

Charles 9

Re: Replacement batteries

"Let's say my iphone dies and the battery is shot, so I have it dismantled and the battery replaced. And this is possible to do! So what battery goes in there, one from Apple? or one from some other guy? I'm going for the cheaper one. But what consumer protection do I have now?"

I think pretty much zip given you opened a non-user-serviceable part and essentially voided whatever warranty you had.

NIST: People have given up on cybersecurity – it's too much hassle

Charles 9

"Any account with a maximum password length is necessarily insecure."

Any database that DOESN'T enforce a maximum length will become the victim of a DoS attack as someone exploits the lack of a length check to fill up that system.

A maximum length is a necessary evil. What's key is how much space is allocated to the job (say, no smaller than 64, higher depending on the valuables to be protected).

Charles 9

Someone can hack into your account and use it to glean information to perform social engineering attacks to get at your other accounts. It's happened, and El Reg has reported on it. And since we can't present ID cards or the like to say who we are, we have to use best analogue in a "not present" situation: a username/password combo. It's basically the only option open, and an open forum is a no-no because of forum spam problems. And the environment's such that bots are gaining the ability to pass simple Turing Tests and the rest can use sweatshops. It's like with dead bolts. You pretty much have to live with it or leave the Internet.

Charles 9

Re: Ditch Windows

"You really fell for that horseshit? Do you know how hard it is to deliberately root an android device? Yet somehow malware can magically do it without your knowledge and hide itself? You need to listen to yourself."

Not that hard if the device is pretty old. Check out the xda forums where this is a basic request of every device out there. Also look up the rooting toolkits like KingoRoot. Anything these kits can do, the malwares can do.

"How exactly did this magical malware get there in the first place?"

Smuggled into apps that somehow pass Google's security testing. El Reg covers this all the time (The linked article specifically covers malware getting into Google Play; there's also the Gugi trojan one month ago).

"To even think android is even vaguely close to windows in malware terms is bonkers"

It's closer to Windows than any other mobile OS on the market. It's possible to install third party apps, it's possible to bypass security measures even if they're running, and let's not forget Stagefright, an exploit in the Android baseline that can't be fixed in the vast majority of phones on the market. Is it any wonder Google's taking more of an Apple approach with its Pixel phones and the upcoming Andromeda? If they don't, they could end up on the hook.

Charles 9

"One easy solution is to stop using a computer for anything important."

Ever considered that train has already left the station? The way things are being reorganized, going back to the old days (as I put it, back to the Sears catalog) may be more trouble than it's worth, especially since you can't UNlearn what we learned in the meantime.

Charles 9

Re: Attention must be paid

"That is precisely my point. It is time to ask questions regarding why it is required that these devices use Flash in the first place instead of demanding they use something else. It is time to actually deal with the fact the such devices are 'required' rather than summarily rejected BEFORE they are purchased."

Because they were purchased a long time ago when it was pretty much the ONLY way to go. You forget that in many industries long-term investments are pegged to run for DECADES. Thanks to the breakneck pace of technology, it's practically impossible to predict the direction of technology that far forward.

"Trying to fix the barn doors after the horses come home is futile."

So is trying to secure the barn doors against very aggressive animals who will probably just bust them down. We're probably already at the point where we've bitten off more than we can chew but are forced by momentum to see this through to the end.

"There is strength in numbers. This has been proven time and time again throughout history."

What history REALLY tells us is that strength in numbers can only work when directed properly. IOW, effective leadership can mean the difference between an army and a mob. That's why riot police can do their job, why the Romans won the Battle of Watling Street, why Americans could hold off so many Chinese in Korea, and so on.

Charles 9

Re: The Problem is TCP/IP

"And to stop "state-sponsored impersonation?" - our financial systems have trusted protocols at higher levels and by-and-large, they work."

Oh? Wells Fargo? SWIFT? I suspect we're only seeing the tip of the iceberg and that a lot of bank sleight of hand is being conducted under everyone's nose, likely through currency inflation so that no one knows the real value of anything anymore.

"Anonymous communication provides cover for criminals."

AND whistleblowers, who in oppressive places can literally fear for their lives. Throw out the baby with the bathwater?

Charles 9

Re: Some good points --

"And of course this system makes inter-process communication more difficult. That's part of the point, again IMHO: if you have always-on, widespread comms between many processes then obviously a security flaw in any one of them becomes a vulnerability in all of them. If you want to keep attackers in one room, you have to shut the door. Or at least vet the traffic in and out."

Which poses a problem if said door is the kitchen door of a restaurant. People come and go all the time as part of the business AND they frequently do so with their hands full. Thus the passageways are either open (with bends for privacy) or are doors built with double-action spring hinges that allow opening with some body part other than an arm. Similarly, what if you do FREQUENT inter-process communication? You interfere with this, things don't get done. And again, who cares about security if the job isn't getting done?

"But, as noted by others, successfully attacking a hypervisor as well as attacking the processes running inside it adds a layer of difficulty an attacker must overcome. It's not trivial. Probably an order of magnitude harder."

They said the same thing about sandboxes, and look where we are now. Figure out how to crack one egg and dealing with any other egg becomes a lot easier. We're just at the probing stage at this time for VMs, but once they figure out how to reliably hit the hypervisor, I expect a house of cards effect to follow.

"Whatever. You make good points. I do think OS modifications will have to move toward raising the security bar, though. The bad guys are not getting stupider, nor fewer."

But you still have to deal with the customer, and The Customer is Still King. What do you do when the customer's demands are a direct conflict with your security model?

Charles 9

Re: Attention must be paid

"The average person (the end user) usually leaves it all to someone else to be responsible for. This is proven in the popularity of iphones and ipads (smartphones and tablets). End users must take the initiative and the time to actually 'learn' something about the equipment and the devices they spend all the money and time on. Without that, nothing anyone else ever does will ever matter much..."

Then we're lost, as people lack the time and willingness to learn. As the comedian says, you can't fix stupid. You CAN'T work around the stuff as that's what the people want (or even NEED, ask anyone who has to control expensive devices with nothing but Flash) every day, and they won't part with it. The Customer Is King. What do you do when you're told you CAN'T remove Flash as the business DEPENDS on it and they can't afford to replace the machine?

Charles 9

Re: How do you design secure devices...

Until you need a lot of inter-process communication, that is. Many people are used to browsers turning matters over to other programs when they download certain things; your idea breaks it. Plus games tend to suck in virtualized environments, especially the newer games. Not to mention increased memory usage when most consumer machines lack the memory. And what about things like Steam that run on top of games?

Plus you overlook the likelihood of a hypervisor attack. If you can break out of a sandbox, I can bet you they'll find a way to the hypervisor next, if they haven't already done it.

"But I don't know that Microsoft or Apple are interested in pursuing a fundamentally more secure OS. Reactive security is still the rule."

Because they get the complaints when things BREAK. And when things BREAK, things don't get done. It's bad in a consumer setting since they'll probably stop buying stuff. It gets worse in an enterprise environment since it could mean the business stops making money, putting them in existential risk. That's why backward compatibility takes precedence over security nine times out of ten; the customer demands it.

Charles 9

Re: Ditch Windows

playonlinux is based on WINE, and like I said the compatibility list for games is pretty bad, especially when you get to newer ones like Fallout 4. And with DX12 now being pressed, I suspect this is only going to get worse as it appears Valve has failed to convince developers to go multiplat.

Charles 9

Re: The Problem is TCP/IP

In other words, you want a stateful Internet: no more anonymity. Plus what's to stop state-sponsored impersonation?

Charles 9

That's not proper design. First, the self-destruct can be aborted in the first five minutes. No good if you're being hijacked as you can be frog-marched to turn it off. Plus, after the five-minute point, Murphy strikes and you get knocked out past the point of no return and wake up only to learn the last escape pod's gone and you have no way to get off.

Fact is, there is no such thing as proper design if you have to go up against "Dave".

Charles 9

Re: "People believe that security has become too complex "

"Apart from games and some specialist and often hardware-related applications (like SatNav updaters, I'm looking at YOU TomTom, but I gather Garmin are just as bad) there isn't much software that actually needs Windows apart from corporate/enterprise applications written using Microsoft Office. There are Linux-based alternatives for most other things. Dual-boot if you must."

What about all the CUSTOM jobs you tend to see in businesses? No one wants to plunk the big money down to replace it, and most of them can't afford it, either. If it means living dangerously, then they don't have a choice. It's live dangerously or they're already dead.

Charles 9

So how do you design secure devices for stupid people who still want to be able to do high-performance stuff like games AND be able to check their bank accounts? Since you can't fix stupid, educating them isn't an option.

Charles 9

Re: Ditch Windows

That's because Android malwares don't let you know they're infected. They work in the underlayer and usually try to root themselves, even to the extent of surviving a nuking.

Charles 9

Re: "People believe that security has become too complex "

Java was built on a sandbox model, yet it's now considered not fit for purpose. Seems sandboxes are too easy to ESCAPE. And VMs will probably be next with hypervisor attacks.

Charles 9

Re: Punishment.

"Or they can make general mass-market machines for everyone, and accept the duty of care that comes with doing so."

But the trouble is that even there you end up with limits. Like with the engine, how does the adjuster know the difference between a car that blew up on its own or one that blew up because some idiot put the wrong liquid in the crankcase?

As the comedian said, you can't fix stupid yet you're expecting computer makers to account for stupid, and by that the stupid that doesn't realize what is meant by a mouse or who thinks a keyboard is where you hang the car keys when you come in the house.

Charles 9

Re: This should be good

"Until we can lock applications down easily, we'll keep worrying that a Flash zero-day can use a screen-saver reconfiguration module to elevate privileges. That shouldn't be an issue and it stops vendors focusing on the really serious problems, like ensuring critical system calls are securely coded."

Locking down is easier said than done since the nastiest exploits simply find ways around the locks. What man can code, man can code around, which is why we have things like Return-Oriented Programming that uses existing code in cleverdick ways.

IBM Watson Xprize is a chance to make AI more open, says prize team

Charles 9

How about a prize for the first system to pass a complete Turing Test with the added condition of not being able to touch the machine during the test and being able to speak and comprehend multiple languages including various forms and accents of English, Asian, African, etc. Indistinguishable from a human? With a stretch goal of demonstrating some kind of intuition or spontaneous learning such as being able to learn about the speaker with no prior history?

Good God, we've found a Google thing we like – the Pixel iPhone killer

Charles 9

And to get there you'd pretty much have to have it pass a Turing Test: a bridge too far.

Killer Hurricane Matthew threatens to wreck Kennedy Space Center

Charles 9

Re: The building was designed to deal with bad things.

Perhaps, but an exploding rocket is a momentary event: the shock wave hits and it's over. What makes a hurricane/typhoon/cyclone so deadly is that it's a sustained event: once it builds up the blast keeps going for minutes, even hours. You know what they say about persistence: do it over and over again and something can happen eventually. That's why the concern. They don't know how long the buildings can withstand a sustained 140mph blast since historical information only allowed them to plan up to a 130mph blast. Sorta like how the Japanese reactors couldn't be built with 9.0-magnitude earthquakes in mind since no one really knew what one was like; none had hit in modern history.

Charles 9

Re: HurriCon One?

Even if the reading public know enough about the lingo to get it?

Charles 9

Re: HurriCon One?

"HurriCon One?

That's a bit cute for my taste."

But actually pretty standard US Government shorthand where you also have terms like DefCon (Defense Condition, specifying the risk of an attack on an installation). A similar term is TropCon (Tropical Storm Condition) which tends to be used more often in the Pacific where the storms are known as either Typhoons or Cyclones. Anyway, the scale starts at 4 or 5 (All Clear) and lowers as it gets worse. As noted in the article, HurriCon/TropCon 1 is the most severe (Storm Landfall Imminent).

Y'know that ridiculously expensive Oculus Rift? Yeah, it just got worse

Charles 9

Re: The future is now, Occulus

And that's why I've limited my "VR" investment to Cardboard-compatible "insert phone here" headsets. They can actually do stereophonic stuff pretty decently, and it's not like I paid a lot for them (the one I have I actually bought with prize credits from Dave & Buster's). Point being, if I get bored or it doesn't work out, I'm only out a few bucks.

Charles 9

Re: What?

Not necessarily. Our ears are surprisingly able to detect forward and backward sound. I know this for a fact because I came upon some quadraphonic earphones a long time ago (in a secondhand electronics shop): as in each earpiece had TWO elements set at an angle to each other.

Charles 9

"If you want a pair of half-decent headphones with the VR goggles, you will have to cough up an additional $49. And don't imagine you can use your own existing headphones: Oculus has built a custom audio connector."

And that leads me to wonder what's to stop someone just making some kind of adapter to allow people to use regular headphones? Will the Oculus headphones contain special circuitry or something? Will it be more than two channels?

ISP GMX attempts the nigh impossible: PGP for the masses

Charles 9

If you can't just turn the key and get an encrypted system set up...

...you're never going to go mainstream. Encryption is too difficult for the average user to understand, so "going it alone" is not an option. By your standards, if the only way to do it right is too hard for the average person, no wonder encrypted e-mail never takes off. You're basically saying it's a bridge too far. And that's bad for ALL of us.

Besides, what's to say the program you use to create your own keys isn't backdoored in some clever way or is already broken by the TLAs without your knowledge. And you can't code encryption from scratch because doing it right is HARD. Meaning you can't trust YOURSELF to do it, nor can you trust ANYONE ELSE to do it, either. Logically, that means you can't trust ANYONE to do it right. IOW, we're screwed.

OK Google, Alexa, why can't I choose my own safe, er, wake word?

Charles 9

Re: Don't they all have a "Only respond to my voice" option?

What you're thinking about is voice model training, and yes, Android has that feature via the Google App:

Google App > Settings > Voice > "Ok Google" detection > Train/Retrain voice model

It's also the default setting to NOT unlock the phone on a voice command if you use an honest lockscreen (pin, password, or pattern lock).

Charles 9

Yes, it DID just appear in my house by magic...the magic of SOMEONE ELSE buying them without my knowledge or permission. Many of us don't live alone.

Charles 9

Re: Not for me

If you're in traffic there's no way to pull over because you're surrounded by other cars. And as for putting it on the windshield, traffic codes where I live forbid anything obstructing the windshield (including dangling air fresheners) apart from those built into the car (like the mirror), so that means the device must go under the dash. It can't block the speedometer because that's against the traffic code, too, so that basically puts it either in a console mount or on the passenger seat: both too tricky to reach when your eyes are on the road. BTW, it's right-hand traffic where I live, so my dominant hand is at the center, not at the window.

Look, I'm speaking from experience on this. I can at least say "OK Google, find nearest detour" while my eyes are on the road, and it's something quick enough that I don't get hypnotized.

Charles 9

Re: Being able to unlock your house from outside... already done

If they cased the place and noticed high-value targets, they'll take the risk if they know they can get in and out quickly. Unless they know a cop is within two doors of the place, they'll know because of physics it takes a few minutes for any police to respond, which is why they practice grab-and-runs: 60 seconds at most.

As for the doorframe, a very strong man side-kicking a front door with at least a size 12 boot can probably break a wooden door frame at the hasp (a good strong kick can hit with nearly half a ton of force; the MythBusters practically accomplished it just with shoulder-ramming). Few places use very strong metal in the door frames and most that do are business doors. Plus there's still the windows. Your only hope is if you're in a high-crime area that justifies burglar bars, in which case the whole neighborhood is probably like this; the quickie burglars will leave this to the organized rings that can not only employ winches to go for high-value targets but probably also have the resources to distract or bribe cops (given it's a high-crime area).

Charles 9

Re: Voice, gesture recognition, no thanks

"Someone tell me why the buggering fuck I would want to twirl my hand in the air in a futile manner instead of reaching a further 2 inches and actually just turning the volume control?"

Because those two inches could well put it out of reach when you can't move yourself (you're seated) or the device (it's fixed to its location)?

Charles 9

Re: Not for me

How about driving while negotiating traffic, meaning you need both hands to steer properly?

Mac malware lies in wait for YOU to start a vid sesh...

Charles 9

"Or by a user installing a free security / oversight tool"

That's the trojan angle I previously covered.

Biggest security update in history coming up: Google patches Android hijack bug Stagefright

Charles 9

Re: SO when then?

"So, Google, please fix the downstream process with partners..."

How can they when the partners don't want to cooperate? They're the ones that LIKE the status quo, even if it's at Google's expense.

That's why Google's only solution to avoid potential litigation is to go the Apple route and take full control of the OS, thus why Andromeda is set up the way it is.

Charles 9

Re: Call me cynical

"I went for a SIM-free Nexus for exactly this reason last time; maybe it's time the other handset brands got better update support too?"

Why should they? Why do you think the term "Planned Obsolescence" exists? Unless it's blocked by law, phone manufacturers have no interest in updating all but the newest devices (and only to avoid defect/fitness of purpose suits).

Charles 9

Re: Getting to the Root of the problem.

The manufacturer can no longer trust the device. It's in the EULA: they will only update unmodified (in the /system sense) devices. It's like the "warranty void if removed" stickers.

Early indications show UK favouring 'hard Brexit', says expert

Charles 9

Re: Parliamentary sovereignty

It's the government as a whole that's sovereign IIRC, and that ultimately includes the Crown (although the Crown has willingly ceded most of its sovereign authority at this juncture). Parliament is simply part of that government.

Charles 9

Re: "Great Repeal Bill"

"Ancestors go back more than one generation. After all, I'm a living ancestor of all my great-great-great-great-great-grandparents."

Don't you mean a descendant? Ancestors imply previous generations; your grandparents are your ancestors, not you theirs.

‘Andromeda’ will be Google’s Windows NT

Charles 9

Re: What's the incentive for vendors to use this?

How when Google has access to all those computers and other devices? Google has more reach than Apple and here doesn't have a huge network of users monitoring traffic the way Waze and the like do. Plus Google through Android can directly analyze mobile data traffic to get information. Who else can do that?