* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Apple and Google are KILLING KIDS with encryption, whine lawyers

Charles 9
Childcatcher

Re: Whose Crime?

(Could only choose one icon; using this one in sarcasm; bear with me)

But the moment you invoke children and the future, then all bets are off, no holds are barred, no search is unreasonable. Which means the search is within the law. After all, without children, where will our country be in a few decades?

Patching a fragmented, Stagefrightened Android isn't easy

Charles 9

Re: A general problem

"You could make the phone suppliers responsible for any reasonable losses due to known but unpatched bugs for, say, 5 years after the product was last sold."

And how do you do that when the manufacturers are located in countries that simply don't care?

Charles 9

Hard to say. BB10 is supposed to have QNX under the hood which is normally hardened against exploits, but it's still manmade. About the only reason it and Sailfish don't make headlines are their abysmally-low takeup rates. Much like how MacOS and Linux usually didn't get as much attention by the hackers until recently.

Charles 9

Re: "it needs to push carriers to push over-the-air updates promptly after fixes become available."

There can be A LOT of under-the-bonnet changes to the baseline Android core to make a manufacturer's unique features run. Take Samsung's TouchWiz. They added quite a bit to the standard Android. In particular, the WiFi Calling that keeps me on T-Mobile is inseparable from TouchWiz on a Samsung phone. AIUI it's the same across the board; the only phones that do T-Mobile WiFi Calling all have custom UIs where the feature is baked in. It must be baked in pretty deep as in over two years since the likes of the S4 have been released, no one's been able to disentangle the feature and add it to an AOSP-based UI.

Charles 9

Re: A general problem

That'll never happen. With the car example, people were KILLED as a DIRECT result of the flaws. You'll never be able to pin the same thing on a phone and therefore can never make the risk great enough to require overriding oversight (which in turn gets pushed back by privacy concerns).

Random numbers aren't, says infosec boffin

Charles 9

Re: "Take my vehicle's radio"

"Actually, in practice FY needs space equivalent to the total size of the collection in quite a few cases unless you're happy with the increased cost of memoising the swaps and losing the O(1) property (that would be a total no-no in crypto apps where side channel attacks need considering)."

I was talking in terms of a simple music playlist, in which case the playlist is a separate array from the actual table of music files (stored separately), which makes sense if you want to customize the playback in other ways. With the Modern Fisher-Yates Shuffle, you alter the playlist in situ by going down the list in order (direction doesn't matter) and swapping each entry you come across with any of the ones after it. All you need is one placeholder to hold values during swapping, nothing else. And it's O(1) space, O(n) time, and uses no floating points, so it's something any processor capable of MP3 playback should be able to do.

Charles 9

Re: RNGs

"The basic rule is that PRNGs are all but useless for anything other than toy applications. Even the best ones are subject to predictability, if one had enough data and knows the algorithm being used (and, one has to believe that there are organizations out there that can reverse engineer the hardware/software being used)."

So you're basically saying Cryptographically-Secure PRNGs (CSPRNGs) is basically a misnomer? Even if it were to be re-seeded in relatively short periods with numbers from a hardware RNG?

Charles 9

Re: "Take my vehicle's radio"

"However, what you want most of the time is a shuffle, not a random!"

But a shuffle (list randomization) isn't that difficult either. A Modern Fisher–Yates shuffle is iterative and needs no more space than the playlist itself. The only limiting factor is the RNG.
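The in-place shuffle described in the two "Take my vehicle's radio" posts above, as an added example that is not part of the original posts. It uses integers only, draws indices without modulo bias, and shows why the swap range must include the current position; all function names are this example's own, and the 32-bit source stands in for whatever RNG the device has.

```python
import secrets

def csprng_u32():
    """32 random bits from the OS CSPRNG (assumed source for this example)."""
    return secrets.randbits(32)

def uniform_below(n, next_u32=csprng_u32):
    """Unbiased integer in [0, n) using integer arithmetic only.

    A plain `next_u32() % n` favours small values whenever n does not
    divide 2**32; rejecting draws from the ragged tail removes that bias.
    """
    if not 0 < n <= 2**32:
        raise ValueError("n must be in 1..2**32")
    limit = (2**32 // n) * n          # largest multiple of n that fits
    while True:
        r = next_u32()
        if r < limit:
            return r % n

def fisher_yates(items, next_u32=csprng_u32):
    """Modern Fisher-Yates: O(n) time, O(1) extra space, in place.

    Position i is swapped with a position j chosen from i..n-1,
    i itself included, so every ordering is equally likely.
    """
    n = len(items)
    for i in range(n - 1):
        j = i + uniform_below(n - i, next_u32)
        items[i], items[j] = items[j], items[i]
    return items

def strictly_after_variant(items, next_u32=csprng_u32):
    """Same loop with j chosen from i+1..n-1 only (Sattolo's algorithm).

    This yields only single-cycle permutations: (n-1)! of the n! orderings,
    and no item ever keeps its original position.
    """
    n = len(items)
    for i in range(n - 1):
        j = i + 1 + uniform_below(n - i - 1, next_u32)
        items[i], items[j] = items[j], items[i]
    return items

def reachable_orders(shuffle, n, trials=2000):
    """Set of distinct orderings a shuffle produces for range(n)."""
    return {tuple(shuffle(list(range(n)))) for _ in range(trials)}

if __name__ == "__main__":
    playlist = ["track-a", "track-b", "track-c", "track-d"]  # constructed sample
    print(fisher_yates(playlist))
    print(len(reachable_orders(fisher_yates, 4)), "orderings reached (of 24)")
    print(len(reachable_orders(strictly_after_variant, 4)), "orderings reached (of 24)")
```
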

Charles 9

Re: Anyone know whether Simtec is alive or dead?

Overwhelmed, last I heard. There's a comparable product called the TrueRNG on the market now that seems to have plenty on hand and is competitively priced.

Charles 9

I've always been curious as to why the Linux kernel entropy pool is (AFAIK) normally capped at 4096 bits even in a world where there is an increasing need for good random numbers (which /dev/urandom can't always provide).

Intel left a fascinating security flaw in its chips for 16 years – here's how to exploit it

Charles 9

Re: Just goes to show..

Wanna bet they can STILL access it by specially tuned microwaves and then get the password out of you with rubber hoses?

Meet OneRNG: a fully-open entropy generator for a paranoid age

Charles 9

Re: Infinite Loop?

The radio chip probably takes a cue or two from the avalanche diode, which is known to be random but IINM isn't as quick.

Telstra's Netflix downloads get EVEN SLOWER

Charles 9

But net streams are more compressed than disc streams. I think for SD streaming 2Mbit/sec is a safe bet while IINM Netflix says you need 15Mbit/sec for HD.

Death to DRM, we'll kill it in a decade, chants EFF

Charles 9

Re: When does Privacy become DRM

It's very much like guns, in that the very thing you need to defend yourself in a world of minutes away when seconds count is also the very thing that can start a massacre. It's part and parcel, inseparable. The only thing that determines its ultimate role is the holder, and it's AFAWK impossible to determine how the holder will use it before the deed is already done.

IOW, it's a "dual use" technology, with both sides being able to go to uncomfortable extremes. Knowledge of the atom is another extreme one (atomic power = GOOD, atomic bombs = BAD). And it's hard to perform a risk assessment because of those extremes; we can't see far enough into those extremes to be able to balance it out against human uncertainty.

Charles 9

Re: People slowly realise how much of a problem it is

Wouldn't that just cause transnationals to bail out of the EU and avoid the sovereign reach? Barring a treaty, one country isn't able to tell another country what to do, and in situations such as these, there will usually be one country willing to cheat.

Sane people, I BEG you: Stop the software defined moronocalypse

Charles 9

Re: Is there a standard to aspire to?

"It always amazes me how certain types of management always think that timing is everything - so they'll happily release utter crap, so long as it releases on time. I've yet to meet a customer who's been pleased to accept a steaming pile of turds on the appointed day..."

Then again, that may be considered preferred to not having anything at all on the deadline. As they say, 10% of something is better than 100% of nothing. Plus, one has to figure competition into the equation. If the competition plans to release a competing product around the same time, then the deadline becomes hard because, in many cases, first in wins as people grab the first product to meet their needs. Once that happens, the market disappears and a miss is as good as a mile.

Charles 9

But if the unit tests are thorough enough, it shouldn't matter what each unit gets so long as they all handle bad stuff cleanly (that's why unit testing should include stuff like munging and testing for sabotage), then the whole integrated unit should be sound unless you're saying the integration introduces some kind of gestalt element that no amount of individual testing can anticipate.

Charles 9

Re: Is there a standard to aspire to?

About the only standard we have for code is the formal proof of security, and that has an extremely narrow scope (the one example that pops to mind, seL4, has the issue that the formal proof is only valid in the absence of any DMA devices, including video) and is so hard to perform that it's only practical for very small projects (seL4 is a microkernel, which as said before isn't useful for everyone).

Charles 9

Re: Might take a while

But then who gets the axe? Such complicated projects tend to have so many developers, usually working across each other, that assigning blame is going to be an exercise in futility. And you can't do a blanket execution because that would catch innocents in the crossfire, making the work too risky to undertake. IOW, go too draconian and you'll soon find yourself without developers.

Charles 9

Re: As my father-in-law always said

While this may be true, the consequences of going astray are usually far less severe for a drunk pedestrian than for a drunk driver. Drunks on foot are rarely in a condition to adversely affect other people in contrast to one commanding a one-tonne rolling mass of metal.

Charles 9

Re: Once upon a time...

"Failure, the consequences of failure, and being part of the vector for such failures, part of the attack surface creation, has become such a widely accepted 'cost of doing business' that by and large, it carries no real cost. Some bad publicity? Sure, but we can always say 'the X did it, and they're nasty'. Or 'well, it happens to everybody'."

Unfortunately, what you describe is a natural human progression. Especially in business, one of the driving goals is to reduce risk. Because when you reduce risk, you raise the odds of a payoff, and when you do that, you encourage investment, so risk becomes a two-way amplifier, especially in a competitive market. So it becomes second nature for businesses to dodge risk. Why do you think the Limited Company (in America, the Limited Liability Company) was established in the first place? Because people weren't willing to risk the farm on an investment.

Charles 9

Re: The 80% of us who think they are "better than average" drivers

"Not just self-optimistic, but optimistic in general.

Otherwise there would be no lotteries, casinos or bookies."

No, self-optimistic. Lotteries, Casinos, and Bookies are all fed on the idea of, "I can beat the odds." I admit, I play them once in a while, but only as a tiny "one-in-something-other-than-a-million" longshot with my loose change.

Charles 9

Re: You'll never get the public to understand enough to care

"I don't claim to have the magic bullet to kill this problem, but I do believe it starts by making it financially painful, via fines, to an organization for getting owned, provided that it can be demonstrated that their security is a joke."

But this kind of regulation can only go as far as sovereign borders. And increasingly businesses are going trans-national, meaning they can play the shell game to get around regulators. We're reaching a point close to Gibson's Sprawl where transnational businesses can transcend national borders and basically become sovereign entities in their own right, at which point the rules get changed yet again.

Charles 9

Re: The 80% of us who think they are "better than average" drivers

The point is psychologists can easily point to the phenomenon of self-inflation: overconfidence in our own capabilities. If you ask drivers on a scale of 1 to 10 how good a driver they are and then put them down on a road test and grade them more objectively on the same scale, odds are the self-assessment will be higher than the road assessment. Perhaps as a psychological survival instinct, humans are usually innately self-optimistic, and since everything we do is colored by this perception, it can lead to problems.

Charles 9

Re: Completely daft article

He's saying they're two branches of the same problem: increased vulnerability. SDN is the proverbial one basket with all the eggs while the IoT is basically a war on a hundred fronts.

Charles 9

Besides which, how will the average Joe be able to tell the difference? If it weren't so complicated, perhaps it would be better to insist on a formal standard of code screening for as many vulnerabilities as is practical. I mean, it's too much to ask for a formal proof of everything (there's only one formally-proved OS available today, and it's only true if there's no external DMA access which hurts performance). And KISS is running into the brick wall of necessary complexity (either because it's part of the core function or because it's a necessary evil in order to close the sales and make the money to stay running).

All hail Ikabai-Sital! Destroyer of worlds and mender of toilets

Charles 9

Re: Remove the seal! To return to IT.

""Nice try, but that's the only thing we check ..."

FTFY."

Nope, that neglects to check the front for cracks, the removable drives to make sure they work, and any other misses. The sticker may be there to detect internal tampering, but they're still obligated to field returns for external defects, so anything obvious gets sent back to the line to be repaired.

Charles 9

Re: To return to IT.

"Sod the warranty seal. If you've bought it, it's your property, and you can do what you damn well want with the thing."

Sod you back. What you describe carries the caveat that if you monkey with stuff you're not supposed to, you're on your own. IOW, if it's YOUR property, it's no longer THEIR business to help you. Warranties normally DO NOT cover mishandling.

Charles 9

Re: Remove the seal! To return to IT.

"They must have forgotten to put the seal on"

I'm surprised they didn't counter with, "Nice try, but that's the first thing we check before we box the things. Those stickers save us some serious money."

Perhaps middle-aged blokes SHOULDN'T try 34-hour-long road trips

Charles 9

Re: NZ and territories

"I once got pinged for using a motorway onramp to overtake, there being three vehicles driving persistently side by side in the three lanes for some km. My offence, apparently, was changing lane from a proper motorway lane onto the onramp -- not the overtaking itself."

That sounds a lot like a version of overtaking on the left since you're not supposed to pull into an onramp; only entering traffic should be on it. And I think they'd get you for the same if you tried the same stunt on an offramp, on the belief that pulling into one indicates an irreversible intent to leave the motorway.

Charles 9

Re: NZ and territories

Many American jurisdictions also make it a moderate offense to "pass on the right" (the American version of Britain's "overtaking on the left"). Now, just what the "right" means can differ. Some just don't want you to use the shoulder as a passing lane; others are stricter and want you ONLY to pass on the left, enforcing a fast-to-slow progression from median to shoulder. Usually, stricter passing areas use signs to indicate this.

Biggest security update in history coming up: Google patches Android hijack bug Stagefright

Charles 9

Re: just standard OTA (Over The Air) updates

You're lucky, then. You've got a pretty bare-bones Android device, so there's little to interfere. It's also primed for a Lollipop update. Both would likely come from Motorola.

Charles 9

Re: just standard OTA (Over The Air) updates

"So do I need to have my mobile data turned on to have any chance of getting this, or will it arrive via wifi?

I hardly ever need to use mobile data as almost everywhere I go has wifi available."

Depends on how your device was built. Many WiFi-only tablets do a periodic phone home over the Internet to perform OTA updates. Your device may do this if on a WiFi connection even if it has mobile data.

Update Firefox NOW to foil FILE-STEALING vulnerability exploit, warns Mozilla

Charles 9

Re: Update Done

Or simply finds a way to attack the package manager itself. Sounds a lot like single point of failure to me.

Nvidia's GTX 900 cards lock out open-source Linux devs yet again

Charles 9

Also make sure the nVidia chipset it uses is a recent one. I've had my issues with older chipsets on Linux because they were too old for the new drivers but too new for the old drivers, meaning it went back to Windows for lack of a better option.

STOP! You – away from the keyboard. There's no free speech in our China

Charles 9

Re: @asdf hmm

You always have to take these kinds of numbers with a grain of salt. A better figure would be the ratio of the average salary to the average cost of living, which I expect will boost China's rating since the US isn't exactly a cheap place to live.

Stuffing the wafers: SanDisk presses on with 48-layer 3D NAND chip

Charles 9

Re: SD or SSD

In SD's case, probably the container. This is the main reason Micro SDXC seems maxed out at 200GB. Recall the SD cards are very thin (Micro SD even more so), so I don't think there's room for a 3D flash chip in them.

Hate to say it, but it may be time for a new SD spec to allow for fatter cards.

Stop forcing benefits down my throat and give me hard cash, dammit

Charles 9

Re: I disagree

But humans aren't a "neat" quantity. More often what happens is a "glut," leaving a buyer's market where employers can pick and choose and prospects have to get desperate to get hired, creating a race to the bottom.

Wait, what? TrueCrypt 'decrypted' by FBI to nail doc-stealing sysadmin

Charles 9

Re: Memorex DVD marked 'secret'

Possibly a grandpa who's actually into granny porn. Remember, if it's out there, it's usually because someone's actually turned on by it. Yes, even stuff that would turn most stomachs.

Charles 9

Re: @Credas

"Let's be generous and consider a dictionary of 10,000 words. With an average of 10 misspellings of each word. And an average of 10 character substitution combinations for each word. And in 100 languages. And you can pick up to 6 of these bastardised words: 10E8^6 or 10E14 possible combinations."

Pardon me, but it seems the math's off.

IINM, when a power is raised to a power, you multiply the exponents, meaning (10E8)^6 (or more properly, (1e9)^6) should end up with 1e54, which is darn close to the strict 36-random-character entropy you listed.

Charles 9

Re: Truecrypt will become obsoleted on Windows

VeraCrypt is a fork of TrueCrypt and under active development. They can keep up with Windows, and since there's still a need for filesystem utilities like defraggers, there will always be a way in.

Charles 9

"Encrypted copy of the encryption key? What key do you encrypt it with?"

The same one(s) you use to unlock the volume to mount it. IOW, having the rescue disk simply means you have another door if the one's been caved in. Thing is, it has identical locks to the first one.

Charles 9

Re: GnuPG

"Errm, you cannot prove a negative."

Reductio ad absurdum can prove a negative by asserting the affirmative and demonstrating it cannot logically exist (for example by showing its existence would present a paradox). That's how Turing's Halting Problem proof works.

Charles 9

Re: "except if you use something like Keepass"

You can also use keyfiles which can be picked up simply by using mouse clicks which, while they can be captured, can easily be sent out of context, rendering them useless for figuring out just which file(s) you picked.

$100m fine? How about, er, $16k? AT&T teabags FCC with its giant balls

Charles 9

Re: It's a shame

But all the *G and LTE talk is thrown with the expectation of good speed. And people can look up the limits of HSPA, HSPA+, and LTE technologies online and figure out reasonable expectations. If the network can't keep up these reasonable expectations, then they're guilty of "Half the truth, twice the lie," which IMO is even worse than false-advertising a blatant lie.

Charles 9

Re: Fine seems reasonable

No, I just want them to be truthful in a Sixth Amendment sense in their ads: the truth, the whole truth, and nothing but the truth, so help you $DEITY. If that's too much to ask, what's the whole bloody point of civilization?

OS X remote malware strikes Thunderbolt, hops hard drive swaps

Charles 9

Re: Doh!

But that will either require users to open the machine (a general no-no for anyone not electronically-inclined) or take it to a Genius Bar that may or may not cost and may or may not be available. And if you try to wire it to the outside, social engineering will exploit it.

Charles 9

Re: Doh!

"This is why boot ROMs should be tiny and actually ROM, not flash."

And what happens when an actual ROM has an exploit in it? Good luck trying to fix it...

New twist in telco giants' fight to destroy the FCC's net neutrality

Charles 9

Re: Wouldn't it be cheaper

Thing is, anything that passes Congress has to go to the President's desk, and since the President and Congressional control are opposing parties, any rider runs the risk of being labeled poison and grounds for a veto, which the Republicans lack the muscle to override. And the Republicans know they LOST the last game of chicken they tried to play; that's why they're so reluctant to try now. Furthermore, Democrats in the Senate also possess the power to stall disagreeable legislation by employing the filibuster power. Since the Republicans only have a bare majority, it'll be hard for them to muster the 60 votes needed to invoke cloture and stop a filibuster if party lines galvanize.

IBM punts cryptotastic cloudy ID verification services

Charles 9

Re: IBM and "The Man" do not need to be involved

"Under the IM protocol the authority is not "gleaning" any additional knowledge about you. It receives a request to confirm an assertion that some detail about you satisfies some constraint (eg that your age falls within a given range). It already has the records that guarantee that assertion."

It will know whose credential is being asked (Due to the need to look it up) AND who is doing the asking (Does the asker really need to know this?). That alone can be interesting evidence, especially piled up with other bits of information accumulated over time, and there's no way to be certain this information isn't kept in some way, shape, or form. It may be a breadcrumb, but gather enough of them and you end up with enough to fill a can.