Slashdot Mirror

The Russians are total amateurs. This is how you do world-class incompetence.

Sorry, but all evidence shown so far seems to indicate Kaspersky software works just fine, Not caused system compromises, AND
any case where Kaspersky "exposed" or "leaked" secret files were Kaspersky working like it's supposed to --- not Kaspersky violating any privacy expectations; you
just don't get to run "secret" potentially-malicious programs on desktop computers without the possibility of malware samples of your suspicious code going to the AV vendor for analysis.... I can accept that, and I think most people SHOULD accept that with zero objections.

Yep all a vast liberal conspiracy with 0 evidence from other parties that Russian intelligence has been using Kaspersky at all because Trump has an R next so any negative news must be by the democrats.

It is not like a foreign independent intelligence agency found any proof of this at all.

Sorry, but all evidence shown so far seems to indicate Kaspersky software works just fine, Not caused system compromises, AND
any case where Kaspersky "exposed" or "leaked" secret files were Kaspersky working like it's supposed to --- not Kaspersky violating any privacy expectations; you
just don't get to run "secret" potentially-malicious programs on desktop computers without the possibility of malware samples of your suspicious code going to the AV vendor for analysis.... I can accept that, and I think most people SHOULD accept that with zero objections.

Yep all a vast liberal conspiracy with 0 evidence from other parties that Russian intelligence has been using Kaspersky at all because Trump has an R next so any negative news must be by the democrats.

Sorry, but all evidence shown so far seems to indicate Kaspersky software works just fine, Not caused system compromises, AND
any case where Kaspersky "exposed" or "leaked" secret files were Kaspersky working like it's supposed to --- not Kaspersky violating any privacy expectations; you
just don't get to run "secret" potentially-malicious programs on desktop computers without the possibility of malware samples of your suspicious code going to the AV vendor for analysis.... I can accept that, and I think most people SHOULD accept that with zero objections.

Oh?

But your fingerprint is still somewhat private. You can't replicate my fingerprints from a picture of me that you found on facebook. I can always change which fingers I have mapped to TouchID periodically. etc.

You only have one face, and your face is public, which means it's less secure than TouchID was.

You realize of course that your fingerprint is on everything you touch. (including your phone's screen)

Not quite as far back as 1999, but close. This is from 2002.

https://arstechnica.com/civis/...

Given how much havoc they raise on pilots, why not just mount one on a swivel to shoot in the eyes of the enemy? Or just keep one in the cockpit for hand-held pointing. Way cheaper, too.

And even at that breathtaking price, testers say it is on a path of failing to deliver its promised combat abilities.

It has also been soundly outclassed in dogfights against 1970's era aircraft, even with the F-16 carrying external fuel loadouts which should give it a large disadvantage. And to top it off, "o make matters worse, the test pilot found it almost impossible to turn his head to see behind the plane, something you'd want to do in a dogfight."

Lockheed has been PAYING people to say good things online about the F-35 recently. That is not something you have to do if your plane is any good.

2) It's OFF BY DEFAULT.

We don't believe Intel's claims. After the Edward Snowden revelations, after the way that an exploitable backdoor was hidden in the Dual_EC_DRBG standard, after news that Microsoft works to provide backdoors in its Windows operating system, and after government officials have insisted that backdoors must be provided, we just don't trust Intel. The ME has the potential to be the most perfect backdoor in almost every computer. And if the Intel ME is a backdoor, then most of our computers are vulnerable if anyone (anywhere in the world) learns how to exploit it.

1. This was not a "launch"

This was not even an engine firing. It was during a LOX Drop test, where the engine is tested for leaks. And since pure Oxygen outside of where it is supposed to be is nasty, it could be just about anything in the area.

The post you were replying to was pure did not RTFA classic Slashdot.

You never ever ever take shortcuts with rocket engines. They are channeled explosions or deflagrations if you wish. They might be made cheaper, but shortcuts are instantly punished.

https://arstechnica.com/scienc... here's a nice example of changing an engine. The F1's were a testament to balls to the wall, but hand assembled with so much hand welding. We'd never want to reproduce that today. The F-1B is a nice modern update to a sound concept. No shortcuts allowed in the world of LOX and RP-1. That doesn't have all that much to do with this particular story, but its good reading. Maybe OP will give it a read and learn something.

At least this happened with the new Merlin Series 5 redesign, scheduled for flight next year.

Exactly. That's important-- this is the next generation engine, not the one currently flying.

Some alternate sources, some with more information:
https://www.space.com/38712-spacex-rocket-engine-test-explosion.html
https://www.geekwire.com/2017/next-generation-spacex-rocket-engine-goes-flames-texas-test/
https://arstechnica.com/science/2017/11/an-experimental-spacex-rocket-engine-has-exploded-in-texas/
https://www.theverge.com/2017/...

Hint: Bitcoin and other Blockchain-related coins are not regulated by anyone.

Well enjoy it while it lasts cuz the SEC is going to come down on this like a ton of bricks. Not that that's necessarily a bad thing.
https://www.coindesk.com/obvio...
https://arstechnica.com/tech-p...

For someone to get anywhere with AMT / vPro, they would already have exploited far easier routes to getting anything they could get through AMT / vPro. This is the reason we have seen exactly zero articles about people being exploited in the wild through AMT / vPro

NSA shill detected.

The hijacking flaw that lurked in Intel chips is worse than anyone thought

A query of the Shodan security search engine found over 8,500 systems with the AMT interface exposed to the Internet, with over 2,000 in the United States alone.

Oh, thanks your ars link helped me find the one I wanted to post
https://arstechnica.com/civis/...

Ars Technica stories of any note invariably end up here, but instead of running iPhone X is the "most breakable iPhone", they ran with this slashvertisement instead.

BeauHD could have at least added the display is the most "innovative in fragility" as a secondary story.

Tentatively posting, critical AC posts have been removed lately, their post number 404'd.

People recall "Smart TV ... phones home with user’s viewing habits, USB file names" (11/20/2013)
https://arstechnica.com/inform...

Remember, kids, that The Twilight Zone is part of the CBS Family, which sounds a little like the Manson Family. As reported a few days ago, CBS sues man for copyright over screenshots of 59-year-old TV show:

A CBS spokesperson wouldn't identify the exact nature of Tannen's alleged infringement. The company offered only this statement via e-mail: "Matt, Doc, Chester and Miss Kitty are part of the CBS family. Anybody who tries to do them dirt will end up on boot hill."

Because APK has been spouting crazy shit for years now (Alexander Peter Kowalski/AlecStaar)
https://arstechnica.com/civis/...
http://www.thorschrock.com/200...

Took awhile to understand your post, due mostly to the Novella you linked to.
APK aka Alecstaar https://arstechnica.com/civis/... (banned again).
Alexander Peter Kowalski post http://www.thorschrock.com/200...

You've done given Google many of your handles.

Because APK has been spouting crazy shit for years now (Alexander Peter Kowalski/AlecStaar)
https://arstechnica.com/civis/...
http://www.thorschrock.com/200...

Took awhile to understand your post, due mostly to the Novella you linked to.
APK aka Alecstaar https://arstechnica.com/civis/... (banned again).
Alexander Peter Kowalski post http://www.thorschrock.com/200...

You've done given Google many of your handles.

Because APK has been spouting crazy shit for years now (Alexander Peter Kowalski/AlecStaar)
https://arstechnica.com/civis/...
http://www.thorschrock.com/200...

Translation: I can't cite any data because I don't have any data.

Translation: you have conceded all the other points and are now grasping at straws and straw men.

Since you seem to be unable to use Google, here is the first hit on Google:

https://arstechnica.com/scienc...

Developed vs third world:

http://www.energytrendsinsider...

I am betting Trump is in need of a distraction, like maybe this latest fallout from the Mueller investigation: Sam Clovis, intended to take a science post at the Department of Agriculture (although he has no background in agriculture or science) is dropping out because of his ties to George Papadopoulos, the first person to plead guilty in the Russia probe.

Earlier this year, Trump nominated him to a formal position within the department: the Undersecretary of Research, Education, and Economics. That position... is often referred to as Agriculture's chief scientist. The law that created the position indicates that the person nominated for it should be chosen “from among distinguished scientists with specialized training or significant experience in agricultural research, education, and economics."

That description is a poor fit for Clovis... Clovis admits he hasn't taken any courses or published any research in science or agriculture. Instead, he suggested he was qualified because some of the courses he taught included some material on agriculture, and he had run for statewide office in Iowa. "One cannot be a credible candidate in that state," Clovis contended, "without significant agricultural experience and knowledge.”

This is too funny. Don T. said he'd “hire the best people.” Well, as scientists go, Clovis is an excellent talk-show host.. He's out now, but there's plenty more appointees to help you question whether studying hard was worth it.

> The other fix you need is: don't visit malicious web sites.

You mean sites like The New York Times, the BBC, MSN, and AOL? https://arstechnica.com/inform...

Or Forbes? https://www.fireeye.com/blog/t...

It's gotten so bad that "Mainstream Web Sites Are More Risky than Porn Sites" according to Cisco. https://www.esecurityplanet.co...

Assume that *EVERY* site you visit is compromised. If your OS/browser combo can't handle that, look at different software.

Piracy! Robbery, rape, kidnapping, and murder on the high seas! Damn that Dread pirate Kodi!

Oh. I see. You are referring to copyright infringement. So if you rip a DVD, your actions are equivalent to a piracy? That certainly helps during the sentencing phase.

If you bothered to read his response, you would have read that the # of customers has increased steadily since systemd was introduced. So what you said are pure lies.

Another nice bit of misdirection there. The # customers was increasing steadily before systemd was introduced, also. You can read the success story here, and then consider that systemd didn't get included in a saleable Redhat product until mid-2014.

Looking at the figures, the best you can say is that systemd was a monumental waste of time for the whole industry.

I don't know, so I'm asking. Is there a javascript function that could appear on a web page served via Tor from NYT or FB that would cause the browser to reach out to another website directly (not via Tor) and disclose the user's actual source IP address? Something like the one pixel images used to track users reading an email. Does the system of the Tor user force all IP traffic through Tor no matter what destination, or can stuff slip out the side, so to speak?

No, in theory Javascript can't do anything really nasty as all traffic is routed through TOR, whether it's onion sites or via exit nodes to the normal web. They can fingerprint your browser much better to recognize return visits and possibly track you across sites, which may be a risk if you're doing identifying activities some of the time. But you have exploits such as these, they all involve breaking the security model but most of them involve Javascript. While in theory there can be bugs in any part of the code the HTML rendering, image decoding etc. are much more static, heavily tested, fuzzed and sometimes formally proven so they extremely rarely lead to remote exploits on their own. Usually they need some form of scripting engine to orchestrate the triggering so it'll point to a malicious payload, otherwise it's usually just a crash/hang bug.

If you want to get more paranoid than that, you run the browser from its own VM that doesn't have any other firewall access than through TOR. That way even if you have an exploit for the browser all you have is the data the VM holds, obviously then you should not do anything personally identifying inside that VM. If you're even more worried than that and think they might try to break out of the VM too you do the same thing physically using a two NIC computer as your TOR gateway with all other ports closed. There are specialized Linux distros like Tails, Whonix etc. that do most of the heavy lifting for you. From what I understand most people fail at much more basic things though, they use the same nicks and passwords, reveal personal info etc. linking them to real world identities, they download media files, PDFs and open them in non-TOR applications that call out to the normal web and so on.

Encouraging people to do "normal" browsing like NYT and Facebook through TOR might be a good thing if they're not going all-out on security, as it's free and probably even better than a VPN for browsing. At least as long as you don't type anything important into non-https sites, since TOR gives exit nodes a free man-in-the-middle attack by design. But if you're Snowden or have some other truly deep secrets then this "casual" TOR use will likely get in the way of proper OPSEC and compartmentalization. Then again, you could always compartmentalize the compartments and have a casual TorBrowser and a paranoid TorBrowser inside a VM. The most important part though is that it's not a magic bullet, TOR will protect one angle of attack. There are many others and a double-bolted reinforce steel door is no good next to an open window...

https://arstechnica.com/tech-p...

I read the arstechna article and it didn't say they broke the law. One of the plaintiffs suing them are saying that the records should have been preserved even without a court order, of course they are saying GA broke the law because that is basis of their lawsuit.

The article also says: "In accordance with standard operating procedures, an after-action report was prepared. This report outlined hardware improvements for the Center, including repurposing the impacted server and surplusing servers that had exceeded end of life. As part of the report, the original server that had been investigated by the FBI was designated to be repurposed, and the drives on the server were erased and the server made available for alternative uses."

That isn't as nefarious as "These guys knowingly broke the law.".

https://arstechnica.com/tech-p...

You can breathe now.
https://arstechnica.com/tech-p...

could be hidden by this

As another poster below linked. If it was hidden, the FBI missed it.

"While the server was in the possession of the Bureau, a forensic image or copy of all the data on the server was made and held by the agency. Following the notification from the FBI that no data was compromised and the investigation was closed"

Oh, i dunno: https://arstechnica.com/gadget...

The non-clickbaity side of the story (a statement from Center for Elections Systems at Kennesaw State University, who had possession of the server) is here:

"In March 2017, a Center for Election Systems’ server involved in an alleged data breach was turned over to the FBI. While the server was in the possession of the Bureau, a forensic image or copy of all the data on the server was made and held by the agency. Following the notification from the FBI that no data was compromised and the investigation was closed, the server was returned to the University’s Information Technology Services group and securely stored. In accordance with standard operating procedures, an after-action report was prepared. This report outlined hardware improvements for the Center, including repurposing the impacted server and surplusing servers that had exceeded end of life. As part of the report, the original server that had been investigated by the FBI was designated to be repurposed, and the drives on the server were erased and the server made available for alternative uses."

"As noted by the subpoena filed today by the Attorney General’s Office, the data and information that was on the server in question has been and is still in the possession of the FBI and will remain available to the parties in the event it is determined to be relevant in the pending litigation."

So (a) the feds already investigated and found no evidence the server was compromised, and (b) they still have their forensic image of the server. This seems a lot more like litigants and journalists huffing and puffing than it does a real issue.

So if this is true, there is no story. At all.

Any comments, angry folks?

The non-clickbaity side of the story (a statement from Center for Elections Systems at Kennesaw State University, who had possession of the server) is here:

"In March 2017, a Center for Election Systems’ server involved in an alleged data breach was turned over to the FBI. While the server was in the possession of the Bureau, a forensic image or copy of all the data on the server was made and held by the agency. Following the notification from the FBI that no data was compromised and the investigation was closed, the server was returned to the University’s Information Technology Services group and securely stored. In accordance with standard operating procedures, an after-action report was prepared. This report outlined hardware improvements for the Center, including repurposing the impacted server and surplusing servers that had exceeded end of life. As part of the report, the original server that had been investigated by the FBI was designated to be repurposed, and the drives on the server were erased and the server made available for alternative uses."

"As noted by the subpoena filed today by the Attorney General’s Office, the data and information that was on the server in question has been and is still in the possession of the FBI and will remain available to the parties in the event it is determined to be relevant in the pending litigation."

So (a) the feds already investigated and found no evidence the server was compromised, and (b) they still have their forensic image of the server. This seems a lot more like litigants and journalists huffing and puffing than it does a real issue.

I'm guessing you mean US city? Amsterdam famously wired the city - https://arstechnica.com/tech-p...

Interesting point with Amsterdam is they wired the city but do not operate an ISP

Please remind me not to let you administer my filesystems.

http://jrs-s.net/2015/02/03/will-zfs-and-non-ecc-ram-kill-your-data/

https://forums.freenas.org/index.php?threads/ecc-vs-non-ecc-ram-and-zfs.15449/

https://arstechnica.com/civis/viewtopic.php?f=2&t=1235679&p=26303271#p26303271

https://www.csparks.com/ZFS%20Without%20Tears.html

We need to distract people from the fact that the Android flagships - the Pixel 2 line - are plagued by tons of hardware problems (plus the lack of headphone jack, something that Google mocked Apple for in the past, the hypocrites).

See:

https://arstechnica.com/gadget...

https://arstechnica.com/gadget...

(Ars Tecnica, by the way, still calls it "The best Android phone ever", despite the FACT that it is an overpriced paperweight... no prizes for guessing who sponsored that "unbiased" review)

This is a made up problem that boils down to "applications that have permission to use camera can use camera". What a shocker.

Even more shocking, you are informed of this when the app tries to use said permission (for the first time) and can actually manage these permissions in a, frankly, simple way.

This is a completely fabricated issue.

We need to distract people from the fact that the Android flagships - the Pixel 2 line - are plagued by tons of hardware problems (plus the lack of headphone jack, something that Google mocked Apple for in the past, the hypocrites).

See:

https://arstechnica.com/gadget...

https://arstechnica.com/gadget...

(Ars Tecnica, by the way, still calls it "The best Android phone ever", despite the FACT that it is an overpriced paperweight... no prizes for guessing who sponsored that "unbiased" review)

This is a made up problem that boils down to "applications that have permission to use camera can use camera". What a shocker.

Even more shocking, you are informed of this when the app tries to use said permission (for the first time) and can actually manage these permissions in a, frankly, simple way.

This is a completely fabricated issue.

I didn't know that. Thanks for the info.

Interesting sequence of events.

newegg sold: https://www.techpowerup.com/22...

anti-patent troll lawyer leaves: http://www.law.com/nationallaw...

current lawsuit: https://arstechnica.com/tech-p...

They've survived patent trolls, they should survive this (assuming innocence).

And "colorful grid of icons"? Really? Hasn't ANYONE at the patent office used a computer or phone for the last zillion years? Every PalmOS phone, which proceeded the iPhone had such a screen. Even generic flip phones of the time had such colorful grids of icons for programs and launchers.

The design patent doesn't cover any colorful grid of icons, but a specific one. In their showings to the jury, Apple provided examples of several "colorful grid[s] of icons" that would not infringe the patent.

Even Spectacles wont let you see those buried cartridges, they were exhumed in 2013.

It's one big giant bubble and when it bursts, who knows what financial ruin will face us.

That's what people were saying when XBT first reached $1,000 back in December 2013. Nothing to worry about at all.

Bubbles only really happen when people buy things with little to no intrinsic value for purely speculative reasons. If this were really a bubble you would have a sensational rise in price of XBT. What's more the price would have been largely unresponsive to news of increasing moves to regulate or outright ban it by various governments around the world.

So yeah, just go ahead and plow all your life-savings into XBT ... it's as safe as silver!

It's worth noting that Samsung won the same case regarding tablets - they convinced the jury that the elements in the Apple design patent for the iPad already existed in other products and popular culture (2001, Star Trek, etc) long before the iPad. In fact if you look at Samsung's digital picture frame from 2006, it's pretty clear their Galaxy Tab simply re-used that face design, rather than copying the iPad. And if anything, it was Apple who copied Samsung. (Except of course Samsung never got a design patent on a black rectangle with rounded corners - because that'd be silly and the USPTO would never grant it, right?)

The only reason Samsung lost to the design patent on phones was because they missed a filing deadline. They'd put together a document showing pre-production models and design concepts of Samsung phones prior to the iPhone's release. Demonstrating that their phone designs already incorporated all the elements in Apple's design patent before the patent was granted. Unfortunately, Judge Koh prohibited Samsung from showing that evidence to the jury because they missed the filing deadline.

BTW, a lot of other Apple patents should never have been granted. Here's pinch-to-zoom in 1988. And the "bounce" animation is just the transient response of an underdamped second order system that every freshman engineering student learns.

If we recall, the FBI desperately wanted to backdoor the cell phone of the San Bernadino terrorists

Incidentally, that was a PR snowjob by Apple. The cell phone in that case didn't belong to the terrorists. It actually belonged to the San Bernardino County government. It was assigned to one of the terrorists as a work phone. Apple was basically arguing that they should not be compelled to give the owner of a phone access to information on the phone in the case of a (potential) dire emergency. If you follow through on their argument, employers would not have access to company phones they provided to employees, parents would not have access to phones they bought for their kids, you could not authorize police to pull GPS data from a phone you lent to a friend when they went hiking and got lost. It's an argument which weakens the concept of ownership (right of the owner to know what their property is being used for, vs the user's right to privacy).

The RSA tokens had exactly the same exposure as the apps. If you gain access to the database of token IDs you know what key it is currently generating.

This actually happened back in 2011 https://arstechnica.com/inform...

Desktop OS market - on life support.

Laptop OS market - moribund at best

Both of these are at, or near, saturation levels, but Microsoft still dominates on these platforms. Which means that while there will be revenue decline, it will likely be slow and steady.

Server OS market - MS's one bright spot is a bubble fighting a better free alternative

What "better free alternative"? Microsoft has only seen revenue increases as VMs took off. If LINUX is a valid cheap alternative that could save tons of money, why aren't companies replacing their Windows VMs with LINUX VMs? Because it isn't a valid alternative in most cases. In other words, it's hard to run your corporate software on LINUX/UNIX if it isn't written for it... Where it makes sense to do this (i.e. Databases, ERP, etc), it's already been done.

Tablet OS market - does MS even have an offering?

Not really,. Windows 10 and the Surface Pro are the closest but revenue is down across the entire Surface line (they don't break out the Surface Pro figures).

Phone OS market - Yep, that went well for MS

Already written off on the books, no longer relevant to their future financial success.

Office Suite - on life support as on line and free alternatives eat their lunch - anybody write documents?

Outlook - Please somebody put this out of its (and my) misery

The Office Suite is not "on life support". As much as you want to believe that Office and Outlook are crappy products with "free alternatives" that are "eating it's lunch" and that are just as good, that's just not the case. The Integration of the Office Suite, Free/Busy, Skype presence, etc. are what enterprises run on and how they exchange documents with other organizations. Not one product out there offers the same feature set with this level of integration. In fact sales are up this year in this segment.

One of the key segments that you missed is Cloud offerings. Microsoft's Cloud services are driving revenue today.

Summary of the Q3 2017 results for Microsoft:
https://arstechnica.com/inform...

$600B?? Time to short and profit!

By all accounts, feel free to do so. But the current overall financial situation is much more complex than presented. For every product where they are seeing declines or write-offs, they have segments that are expanding and growing revenue at a faster pace. Can Microsoft continue this into the future? The market thinks that they can.

Today's Microsoft killed the Astoria Android compatibility project: https://arstechnica.com/inform...

Executive summary of the six "truths":
1. The other departments are already using cloud services without asking IT.
2. ~90% of companies will be using cloud services by 2020 according to Gartner.
3. Your IT is so incompetent that it's already been hacked; using cloud solutions may help to mitigate risks.
4. Your IT is incompetent(bis): your software is outdated and/or crap (no mention of the cloud, but I guess they're supposed to keep their stuff better updated).
5. Have lots of bandwidth (no mention of the cloud again, but then how are the users going to use cloud services if the network connection isn't fast enough?).
6. If IT bends over and let cloud services take their rightful place, they may get to keep their jobs.

In short, the whole things reads like an a clever advertisement, where instead of saying quotes like (...)cloud infrastructure comes with security designed in, they instead claim that the IT department is incompetent and useless.

I'm having trouble finding the specific details. It looks like they aren't releasing all the details publicly until a conference on November 2nd https://crocs.fi.muni.cz/public/papers/rsa_ccs17 but it appears to be a problem only with RSA keys they generate and has to do with how they are generating large primes, not a fundamental flaw in RSA.

Ars Technica explains more. Says it's a fault specifically with the implementation used by Infineon to generate keys, not with other more correct ways to generate keys.

https://arstechnica.com/inform...

And now we know how they closed the loop: The Israelis hacked Kaspersky. https://arstechnica.com/information-technology/2017/10/russian-hackers-reportedly-used-kaspersky-av-to-search-for-nsa-secrets/