* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Printers now the least-secure things on the internet

Charles 9

Re: I wouldn't connect it to the Internet

How are you going to not buy it when ALL refrigerators on the market have the feature standard and secondhand ones aren't available anymore because all trade-in/part exchange fridges get scrapped? It's a question of WHEN, not IF. It's already happening with TVs. Fridges, stoves, and other appliances are next.

Spoof an Ethernet adapter on USB, and you can sniff credentials from locked laptops

Charles 9

Re: Look What I Found!

That's not even considering the Ol' Switcheroo.

Charles 9

Re: Oh look, there's a dongle in one of the USB ports of my laptop

"Having virtualised desktops might be one way, but still vulnerable to keylogger dongles."

Not just dongles. Evil keyboards. They can be done by contractors sent to replace bad keyboards. And this attack would be OS-agnostic.

Charles 9

"Or even don't use windows on your machines.'

Ethernet is below the software layer, so this attack can be made OS-agnostic since you can duplicate almost any behavior you want on an imitation Ethernet device. Heck, if the device is fed keys ahead of time, it could probably even successfully imitate a secured connection.

Charles 9

And THAT just gives the Insidious Insider a known target to replace with a subverted device with the same signatures. Now all you need is a way to force the keyboard you want to break.

Charles 9

Re: No, signed devices would be the fix

Signed USB hardware won't save you from evil hardware inserted behind the USB chip (such as can be expected from an evil USB keyboard or network dongle). And we already know state actors are attacking storage devices at the firmware level: both OS- and interface-agnostic.

USB isn't really the problem here. It's attacks on hardware at levels no end user has the ability to verify. IOW, this is damn close to DTA Mode.

Charles 9

Re: Yes, that's one of the bad design decisions of USB

"Obviously the sane way to go would be to have dedicated ports again. Connect printers and scanners via Ethernet, connect input devices via some sort of overclocked PS/2, and have a special port for mass storage devices. That way you could essentially eliminate all harmful device spoofing..."

Not really. What's to stop an evil keyboard from presenting itself as TWO keyboards or simply transmitting stuff AS that keyboard. Same with mass storage; just present as TWO mass storage devices, one of which can perform auto-launching tricks (even with AutoRun turned off). Plus the reason these things have appeared is because uses have arisen for them, such as non-Ethernet laptops needing to hook up to a wired network or one with a single port needing to connect to two of them. Or someone needing extra desktop real estate but only has one video port.

Besides, do you REALLY want to go back to the jungle days of finicky PS/2 ports that require interrupts and can seize the system if you unplug them and so on? Remember SCSI terminator packs? The fat Centronics printer connections? Oh, and multi-function devices don't have a universal network communication standard, meaning you're usually locked into the vendor's software there or you probably can't use say the scanner over a network.

When you've paid the ransom but you don't get your data back

Charles 9

"There are steps to stop this from happening, however most companies won't put these in place for fear of upsetting their technically incompetent employees."

Particularly technically-incompetent executives who can overrule you.

Charles 9

Re: Risk of personal webmail accounts?

"it would be a sacking offence (assuming you could get past the blacklist) to use personal webmail."

Unless, of course, the offender was someone over your head. Then YOU'RE the one that gets sacked...

RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level

Charles 9

Re: this is all very well but...

"It's not a feature, it's a profoundly stupid default setting"

One problem. You're also talking about stupid users. Unless a license becomes compulsory for something that operates in the privacy of one's home ("Papers, please!"), you've got a pretty nasty problem.

Charles 9

Re: Looks sweet ...without the pseudo-security... of lock-in.

"Sad. Just sad. Ignoring the point to defend lockin is just really sad. And, you know what they say about doing the same thing again, and again, for the same result?"

Yes. Doing the same thing over and over and actually getting a different result is PRAISED. It's called persistence.

Charles 9

Re: There's a XKCD for this, but I can't be bothered to find it.

"Look, you have a working horse. How much harder can it be to add one little horn?"

You forget the "by yesterday" requirement. Pardon me, but Time Lords are few and far between, and the one we know doesn't have what one would call a stable or always-agreeable personality.

It's time for humanity to embrace SEX ROBOTS. For, uh, science, of course

Charles 9

Re: Is that so?

"It always has been arbitrary."

Which is why most laws pick an age with some legal backing: the point of legal adulthood when both parties (typically) have legal control over themselves. It gets murky if one party is legally declared a mental invalid.

Charles 9

Re: Agenda?

"I live in Nevada. We have legal brothels here, which run quite peacefully - they even occasionally place ads in the Situations Vacant section of the local paper for new ladies. The only place there is trouble with pimps and exploitation is Las Vegas, since prostitution is illegal in Clark County and it's 100 miles to the county line."

Then you're probably too low a profile and not the target of the pimps, who would probably take over any Vegas brothel, legal or not. Remember, Vegas once was a hotbed of organized crime.

Charles 9

"If someone does something based on what they see, the problem is with the person not the source of the material.

Unless you're advocating banning things like first person shooting games, or anything pertaining to Slenderman. (Remember those two girls?)"

Except that that person's actions affect everyone else, and no one can predict his actions until it's too late and people are dead and survivors are complaining.

Charles 9

"They'll classify it as "sex with something that doesn't have a pulse," and try very fucking hard to sweep it under that law."

Then they'll simulate pulses. Then they'll have a harder time defining what a pulse really is since it has multiple scientifically-valid definitions.

"Probably because they're not real. Any sane person (our country, for that matter) can tell the difference between fiction and reality."

They're concerned about delusional people who really CAN'T tell the difference between fiction and reality. And BTW, Japan actually has laws in the books concerning kiddie porn. At this time, this is limited to living stuff, but they're still under pressure to extend it to their manga industry (particularly in regards to the lucrative underground or doujinshi market). It helps that they already have laws on the books barring the complete depiction of the genitalia (real or drawn) for the most part.

FCC goes over the top again to battle America's cable-box rip-off

Charles 9

Re: Unfortunately many of us are still screwed.

"So the FCC needs to grow a spine, DEMAND the competition that we deserve"

That's something NO ONE can do, because NO ONE can FORCE a company to do ANYTHING it doesn't WANT to do. If no one wants to build in your area, then as the saying goes you are just S.O.L. Your ONLY options are to move or to live with it.

It's like being stuck in a desert village where the guerillas control the only well. You can't move because you'd never survive the trip, yet you can't really stay because of the guerillas. Scylla or Charybdis: pick your poison.

Google plots cop detection for auto autos

Charles 9

Re: What about the bicyclists?

"when I was a youth, we used the crosswalks, but I digress"

That assumes the crosswalk you need exists. If it doesn't, you're supposed to obey the signals just like any other road user, which is why I tended to do hook or box turns instead.

Charles 9

Re: Fax noise!

Fax may be a bit tricky in noisy environments. You may wanna use the EAS protocol instead, though it is limited to 500bps IIRC. But at least it's DESIGNED to go out and be picked up over ratty communications systems. Most cars don't use fixed-purpose displays these days, so they can receive the EAS-type signal, cut the music and flash a "PULL OVER" message while perhaps playing the 853+960Hz dual-tone attention signal. I know my phone does that when an emergency alert is sent over the cell networks.

Charles 9

Re: red and blue lights

That's a bit odd. In most jurisdictions I know, BOTH red AND blue are restricted. If it's all blue, it's an ambulance or other medical vehicle. If it's all red, it's fire, rescue, or EMT (which is attached to the fire department). If they mix red and blue, it's police.

Usually a utility vehicle like a trash or tow truck that needs some kind of signal is restricted to using yellow.

QANTAS' air safety spiel warns not to try finding lost phones

Charles 9

BZZZZT! You forget that we're talking Lithium. Lithium is a Group I element, an alkali metal: the same class of metals as sodium and potassium. One thing these alkali metals have in common is that they react very badly to water. Pour water on a lithium fire and run the risk of making it worse. That's why they had to develop Class D fire extinguishers for metal fires since they tend to introduce complications that make even certain dry chemical (for Class C electrical fires) risky.

HDMI hooks up with USB-C in cables that reverse, one way

Charles 9

Re: Why not...

Because juggling power and data on the same wire is a tricky thing, which is why USB separates power leads from data leads (it's just better all around; ask anyone who's had to juggle with Power-over-Ethernet). Plus you have to consider the size of the target device. Slim is in, so expecting phones to get fat to accommodate a BNC receptable is a nonstarter. Furthermore, there's only so much you can shove through a thin copper wire.

BTW, there was a time I handled BNC cables in an ad-hoc 10Base-2 network. Ditched it the moment I could switch it out for 100Base-T. It was just a whole lot easier all around.

Charles 9

Re: When?

Red and yellow ports mean Sleep-and-Charge ports. They're powered up even with the laptop off or asleep, meaning they can be used for charging.

Charles 9

And most broadcast material isn't in 4K resolution. Anything 1080p and below, HDMI can handle easily up to 60Hz.

Smartphones aren't tiny PCs, but that's how we use them in the West

Charles 9

Re: It's because of the apps

"Oh, and no, we don't *exclusively* use smartphones as tiny PCs in the West. I'm pretty damn certain the Pokemon Go phenomenon has proven that exact point. Aren't these articles fact-checked at all before publication?"

IINM this article was published BEFORE the release of Pokemon Go. And frankly, this whole brouhaha reminds me a lot of Angry Birds. It'll flare for a while and then slowly tamp down to a controlled burn.

'Hey, Elon? You broke it, you bought it' says owner of SpaceX's satellite cinder

Charles 9

Re: Launch insurance

Lawyer could argue launch is contingent on a successful test, making the test part and parcel with the launch procedure.

'I'm sorry, your lift has had a problem and had to shut down'

Charles 9

Re: It's not quite a BSOD...

Bet you the computer has an outdated time-shift schedule and doesn't connect to a time server.

But here's something that puzzles me. Given the possibility of these things just plain glitching to cosmic events, why don't these things carry some kind of watchdog in them, or at the least, if they're not operating anything critical, an automatic daily reset, say, at 3AM local time, to minimize glitch behavior?

EU 'net neutrality' may stop ISPs from blocking child abuse material

Charles 9

Re: @Alexander Hanff 1

"What is being suggested however is that getting the network operator involved in the process is a bad idea, and one that will be unnecessarily invasive and inefficient given the alternatives available."

What alternatives are there for clueless users who can nonetheless be zombied without their knowledge? This has implications for everyone else, too.

Charles 9

Re: Scope

"If the "free" WiFi is conditional on your buying something (coffee, sandwich, whatever), it's part of the business transaction, so the rules will apply."

But since when has that kind of rule applied? In fact, how can they police it? I don't recall any shop of that kind hiding their access points behind a password that only shows on the receipt, seeing as two of its noted uses are keeping customers distracted while waiting in line and providing an avenue for Apple Pay/Android Pay should they accept it. Both require access PRE-purchase.

Charles 9

Re: Let me set DNS on my Router then

"Let me choose my own DNS for my own devices from the router which I have paid for too."

You're in the distinct minority, then. Most Internet users couldn't tell DNS from WWW but have heard the terms before, putting them into that oh-so-dangerous category: people "with a little knowledge". What makes them dangerous is that a little knowledge makes them prone to trying to do things they really don't know enough about: as a result breaking things. And since they're clueless about it, they just thing the Internet broke and start calling for help.

Since these kinds of people outnumber you AND can produce incidents like getting zombied that can get the ISP in trouble for things like failure of due diligence, guess what the ISP has to do to cover its butt?

Charles 9

"And if the device is used on another connection that isn't filtered?"

And if the device has no internal means to filter? Then you're pretty much SOL if you're stuck with the device.

Charles 9

Re: Does net neutrality exist?

If they do, the only way to get around it is to use an ISP that doesn't proxy (and by your admission, there aren't any). Since the ISP can filter you right at the entry point, there's no other way to evade it. It's easy to guard traffic when there's only one way in or out.

Charles 9

"This runs afoul of the Hazlitt rule for "Economics in One Lesson": you must consider the short-term and long-term impact. Bureaucrat-issued regulations virtually never consider both."

People beholden to other people usually don't have a choice in the matter. Most investors don't like to wait, and voters have a pretty short cycle combined with long memories of grievances. Long-term gain is lost on people who balk at the short-term pain.

Charles 9

Re: "...ISPs would be forbidden from implementing any traffic control at all"

But caveat emptor: they don't guarantee the access or the rates, frankly because they have no control outside their own network. Plus there's always that adage: "No one's above THE LAW," so if there are laws about what ISPs can and can't do, they MUST obey them or face fines and/or consequences to their license. And a provider to the public usually can't provide without a license.

It's like with roads. Sure, it's YOUR car, but it's usually NOT your road.

Charles 9

Re: Scope

"I doubt this argument works for an ISP, so why would it work for someone offering Wifi to customers?"

I think the drawing line is when a business is SELLING Internet access. Once money's involved, buyer/seller ground rules go into effect. The cafe doing free WiFi on the side isn't providing the access for a living, so they can set limits.

As for selling WiFi, that tends to happen when the access is at a premium. Airlines and airports come to mind. These rules may have an effect on the way they provide service (selling it may mean they can't stop their customers from accessing, say, porno sites, especially through a VPN or other encrypted tunnel that leaves them blind).

Charles 9

Re: @Richard

"I hope that this move might help get providers to work together amongst themselves and law enforcement agencies to actually put a stop to all this. That would be so much better than just blocking this mess and pretend as if nothing happened."

How are they ever going to do that when most of the material comes from sovereign countries that won't give them the time of day (or are even actively trying to undermine them as a hostile power)?

Charles 9

Re: It's all just (encrypted) data

All this'll do is push the blocking point to the router. It'll force ISPS to provide more useful firewalls with rules the ISP (and ad block agencies) can provide free for the user to download which they can then push to their firewalls.

Australia Post says use blockchain for voting. Expert: you're kidding

Charles 9

Re: Reminds of a famous quote

Oh? What happened to ballot-stuffing by well-resourced actors who can fool, distract, or corrupt the watchers?

Deep inside Nantero's non-volatile carbon nanotube RAM tech

Charles 9

If that happens we're pretty much screwed since the level of energy contained in cosmic radiation (remember, they're at the very top of the electromagnetic spectrum, both heavier and more energetic than alpha particles) means they can go through nearly everything. It would take shielding of the kind you see in nuclear power plants, only much more so, to keep them from your goods.

Charles 9

Re: All change

"Unfortunately, the fact that I can reliably crash and corrupt Firefox down to an actual snow crash within sixty seconds of loading Google StreetView each and every time I use it does not bode well for the implications of no longer having a more or less "clean" state to reboot from."

If you can consistently crash Firefox using StreetView when most people get along just fine, then perhaps you should see if your installation is still clean. That goes to the point I was making. We expect the code stored in our drives to remain pristine, yet that's always been a gamble: down to rogue processes, runaways, and cosmic radiation. If the data on the storage is screwed, we're in the same boat as when a program in storage-class-memory goes. We've lost the known-good state and are into GIGO and will have to reinstall, which would happen either way. Of course, if there's a backup or error-correcting code, perhaps we can retreat back to a good state, but that's not something changing the storage will alter.

Charles 9

Except this is pilot production; this isn't vaporware anymore. This is actual initial production going on RIGHT NOW. Besides, mass production is only about TWO years away given the normal pace of fab retooling (and it helps this tech doesn't seem to require anything too exotic which slows that timetable down). Nantero's probably well aware they have a shot at the checkered flag here, but because their tech has a chance to cause a paradigm shift, they can't jump the gun and risk being ahead of their time.

Charles 9

Re: All change

"Yep. It means all of the technology will crash even faster, and now has the added benefit that turning it off and on again won't fecking help."

Turning it off and on again doesn't help if it's the drive that has the corrupt data. That doesn't change. Backups and error-correcting code won't be going away and may in fact become more important in this kind of system.

Charles 9

"In the mid term, a technology that is as fast as RAM and as non-volatile and capacious as a HDD will change how a desktop computer is designed fundamentally. That is, why have separate RAM and mass storage?"

It will definite alter the concept of how computers will have to work, especially in regards to how one defines what belongs to what regarding code spaces, libraries, data, and so on. Plus how will this affect existing paradigms like USB Mass Storage?

Charles 9

Re: Space

Radiation is a pretty strange beast at the molecular level, particularly since there are actually THREE kinds of tadiation, each with its own peculiarities. And that doesn't start to cover more exotic stuff like cosmic radiation.

Charles 9

Almost...

This isn't quite mass production "Can I get this in my hands right now?" But I will admit pilot production "How about some of you give this a try?" is tantalizingly close.

EU ministers look to tighten up privacy – JUST KIDDING – surveillance laws

Charles 9

Re: Cahrles 9 AC lack of knowledge

Cooking is both art and science, too, especially if you have to deal with things like inconsistent ingredients and boiling with salt (it's not just for taste, it raises the boiling point and the cooking temperature of anything you put in it).

You worked over the summer; that's a key consideration, too, since concrete doesn't set so well when it's cold (which highway crews could be forced to negotiate when performing emergency repairs in the winter). And you noted the bane of salt; that's actually a scientific consideration though you don't acknowledge it. You had less concern because you were working terrestrially, but it's one reason concrete exposed to the sea (like a bridge or pier at the coast) needs extra considerations.

USBee stings air-gapped PCs: Wirelessly leak secrets with a file write

Charles 9

I don't recall Scanners posting the legally-required tagline: "This is a true story."

Charles 9

Call us when someone can jump an air gap or escape a TEMPEST room without installing anything first.

Net neutrality activists claim victory in Europe

Charles 9

If they really were scalping, someone would've come along and undercut them by now.

Chinese CA hands guy base certificates for GitHub, Florida uni

Charles 9

Re: Secure remote password is the answer

No, because it relies on prior knowledge to work, useless in a First Contact scenario. And any remote attempt to pass a shared key during First Contact, Eve or Mallory could intercept.