Slashdot Mirror


User: sjames

sjames's activity in the archive.

Stories
0
Comments
34,276
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 34,276

  1. Re:but that's the problem with the turing test... on Was Turing Test Legitimately Beaten, Or Just Cleverly Tricked? · · Score: 1

    Actually, the proper test is to have a series of judges converse with both the program and a human (both over a terminal) and then judge which is which. If the judges get it wrong more than 50% of the time, the program passes.

    The judges should be right 50% of the time by random chance, but they were only wrong 30% of the time in this faulty version of the test.

  2. Re:That's why IPMI should only live on intranets. on IPMI Protocol Vulnerabilities Have Long Shelf Life · · Score: 1

    Well, one IPMI does SHA256 or SHA1. For another, I'm unaware of any attack even against MD5 that would compromise the security when used in an HMAC scheme, as is the case for the hash function use in IPMI.

    An actual dump from a BMC:

    ID IANA Auth Alg Integrity Alg Confidentiality Alg
    0 N/A none none none
    1 N/A hmac_sha1 none none
    2 N/A hmac_sha1 hmac_sha1_96 none
    3 N/A hmac_sha1 hmac_sha1_96 aes_cbc_128
    6 N/A hmac_md5 none none
    7 N/A hmac_md5 hmac_md5_128 none
    8 N/A hmac_md5 hmac_md5_128 aes_cbc_128
    11 N/A hmac_md5 md5_128 none
    12 N/A none md5_128 aes_cbc_128

    As for the rest, yes, http can be done without encryption, but there are substantial low-risk use cases for taht. Http doesn't generally allow rebooting a server into single user mode and resetting the root password..

    As for the rest, see A Penetration Tester's guide to IPMI. Note that using a DH exchange to negotiate a session key offers forward secrecy and allows for a much more secure authentication protocol that doesn't involve handing out the MD5 hash of any chosen user's password or storing passwords in plain text. MD5 is quite weak in that scenario.

  3. Re:Fsck x86 on Intel Confronts a Big Mobile Challenge: Native Compatibility · · Score: 1

    There are a number of DOS based industrial apps and the people using them care very much about 16 bit support.

  4. Re:Fsck x86 on Intel Confronts a Big Mobile Challenge: Native Compatibility · · Score: 1

    Actually, x96_64 does natively run 32 bit code, no emulator involved. You may be thinking of Itanium.

    In fact, x86_64 still starts up in real mode.

  5. Re:Good on Parents Mobilize Against States' Student Data Mining · · Score: 1

    Sorry to double reply, but it's also worth considering that when the politicians squabble, no amount or quality of evidence will change their minds. At most, it will cause them to take a minute to sling mud at the researchers.

  6. Re:Good on Parents Mobilize Against States' Student Data Mining · · Score: 1

    Parents today were in school when the problem of corporate intrusion was getting started. They saw first hand that when a corporation reaches for it's wallet the school board will be on their backs with legs spread before the john even gets the money out.

    They know that today's private school records can easily become tomorrow's corporate asset. The law provides no protection and even if it did, the courts would bend over backwards and twist it into a pretzel to make the sale happen anyway. The only way to make sure that their 1st grader never faces job discrimination due to talking in class is to make sure the records are never created. It's just that simple.

    It's a shame that parents have to fear collection of data for legitimate purposes today because of what may happen to that data tomorrow, but the simple fact is that their concerns are well founded.

    As for the census, just skip any questions you don't care to answer. As much as they like to imply otherwise, the maximum fine is $100. The last time anyone was actually fined was in 1960 when 2 people were fined. In practice, if you really don't want to answer, the forms aren't sent as registered mail, so it would be impossible to show willfull neglect or refusal. If a census taker shows up, just act like you're REALLY drunk and wander off into crazy stories involving an onion tied to your belt.

    But note, the last time the census went around, people did protest the questions about household income and such even though the IRS already has that information.

  7. Re:Poorly Designed Roadways Addressed By This on New Car Can Lean Into Curves, Literally · · Score: 1

    There are things an active suspension can do to improve stability, tilting the body just isn't one of them. Lowering the whole car can do a lot for stability, for example. Anticipating bumps in the road and damping them to maintain downforce on the tires is good. Airfoils can create a powerful downforce.

    I don't know the details of Mercedes tech, so I can't say exactly what is improving the handling.

  8. Re:That's why IPMI should only live on intranets. on IPMI Protocol Vulnerabilities Have Long Shelf Life · · Score: 1

    They have encryption, but it is not mandatory and when used, it is shared secret rather than DH or similar. For the purposes of this discussion, an actual rs-232 connection should be considered remote.

    I'm not so sure an SSL cert like system is really practical for target (server) authentication. Management firmware can be expected to be in the field for a long time and never updated. Honestly though, once encryption is established through DH, a simple scheme involving hashing the session key, an arbitrary user set string and a nonce chosen by the client together should suffice.

    I could be convinced that an actual rs232 connection warrants it's own channel (always channel 2), but I expect that to be fairly rare these days.

    Anything involving MD5 needs to go.

  9. Re:Redbox Instant on Netflix Trash-Talks Verizon's Network; Verizon Threatens To Sue · · Score: 3, Interesting

    But since the route still has to get through peering w/ Verizon, it lends some credence to the suggestion that Verizon is selectively oversubscribing the peering points. Normally, traversing a VPN would be expected to damage connectivity.

    Verizon isn't lying in the same sense as a used car salesman isn't lying.

  10. Re:Poorly Designed Roadways Addressed By This on New Car Can Lean Into Curves, Literally · · Score: 1

    No. What you are interested in is the actual force that the static friction can hold. That is determined by area of contact * force normal to the contact plane * the coefficient of friction (which varies based on what is in contact). Moving some of that from the outer to the inner tires isn't really a net gain.

  11. Re:Poorly Designed Roadways Addressed By This on New Car Can Lean Into Curves, Literally · · Score: 1

    It would help keep the car from rolling, if rolling was the problem. That certainly applies to motorcycles as well. But most cars that don't make the turn fail by going into a skid rather than a roll. Whatever weight you add to the inner tires comes from the outer tires, so you're really just moving the traction rather than increasing it by tilting.

  12. Re:Yeah. Right. on New Car Can Lean Into Curves, Literally · · Score: 1

    Actually, there is a point right at the threshold where you can feel the tires rapidly alternating from static to dynamic friction. That is the back off point. Slightly past that, you hear the characteristic stuttering squeal. At that point you must back off more.

    My best guess is that it happens because of the elastic properties of the tread.

  13. In a fab. Fortunately not the part where you have to wear the bunny suit, but in a paper jumpsuit wearing gloves and a facemask.

  14. Re:Yeah. Right. on New Car Can Lean Into Curves, Literally · · Score: 1

    But a person need not operate the brakes digitally. They can back off just a bit or brake just a bit harder. They don't have to decide between all or nothing 25 times a second. A really skilled driver in a familiar car can brake right up to the threshold without going over to get the maximum possible braking (no skid).

    There's also the question of how modern. I have seen tests where the skilled driver wins over the ABS but that wasn't with the latest and greatest ABS.

  15. Re:It doesn't take a genius to come up with an att on Millions of Smart TVs Vulnerable To 'Red Button' Attack · · Score: 3, Insightful

    The Red button can be useful IFF there is no network connection at all (preventing most of the crap). For example, on DirecTV you can pull up sports scores, weather for your location, and such.

    But over the air with a network connection? I agree with you, DO NOT WANT!

    I notice they seem to have put plenty of effort into DRM in the spec to protect content providers, and none into security that would protect the owner of the TV.

  16. Re:Yeah. Right. on New Car Can Lean Into Curves, Literally · · Score: 1

    This latest one might actually be a hazard. ABS and such provide some actual safety for less skillful drivers. This one cause the turn to feel less dangerous but does nothing to keep traction from breaking.

  17. Re:Poorly Designed Roadways Addressed By This on New Car Can Lean Into Curves, Literally · · Score: 4, Informative

    But note that the suspension makes the occupants more comfortable but does nothing for stability, so the mis-designed roads are still dangerous.

  18. Re: Common sense on IPMI Protocol Vulnerabilities Have Long Shelf Life · · Score: 1

    It's not necessarily a choice. Only some systems offer a separate management connection.

  19. Re:Not protocol vulnerabilities on IPMI Protocol Vulnerabilities Have Long Shelf Life · · Score: 1

    No, actually the protocol has some ugly parts that make it very difficult to secure, that's why isolation from the internet is the only choice.

    I truly despise the funky almost VNC and java app. It makes it quite hard to use it over a secure forwarded port.

  20. Re:That's why IPMI should only live on intranets. on IPMI Protocol Vulnerabilities Have Long Shelf Life · · Score: 1

    Completely agreed. In this case, the vulnerability is deep in the specification for IPMI. They'll need a new spec.

    Step one, lose all the channel crap. There should be two. Channel 0 which is accessed via the host OS requiring root/Administrator access. The second is for any sort of remote access (normally LAN). Channel 0 SHOULD skip authentication entirely, channel 1 MAY NOT skip authentication (no NULL user or password). They can take it from there, but I would suggest simple encryption (no, not SSL, I said simple. How about DH exchange and a secure cipher) as an option at least.

  21. Re: Common sense on IPMI Protocol Vulnerabilities Have Long Shelf Life · · Score: 1

    Sometimes they are, and in that case it's easy to put it all on a separate LAN segment. In other cases it's an odd little setup where BMC and main system share the physical port but have seperate MACs. The BMC gets it's own IP address that the host and it's OS is unaware of. In the bad old days of the mid aughties the the BMC side of the shared port crashed more often than the server. In the worst cases, the host side would crash as well and the only recovery was a hard power cycle ((defeating the point of having a BMC).

    These days, it's fairly reliable, but I am not sure how well the soft vlan actually isolates the BMC from the host's vlan.

  22. Re:Annoying. on Hundreds of Cities Wired With Fiber, But Telecom Lobbying Keeps It Unusable · · Score: 1

    In other terme, it's not that national security is a better sell here, it's more a matter of what the political class cares to sell. Apparently they are quite bloodthirsty these days.

  23. Re:Annoying. on Hundreds of Cities Wired With Fiber, But Telecom Lobbying Keeps It Unusable · · Score: 1

    I'm not sure. *Knock Knock*. Hello, I'm taking a survey. Would you prefer fast affordable internet or 100,000 dead brown people?

  24. Re:Culpability at the Top on GM Names and Fires Engineers Involved In Faulty Ignition Switch · · Score: 4, Insightful

    Should the CEO be signing off on every single part that goes into every one of their vehicles?

    More than one person should be signing off. Certainly it shouldn't have even been possible to later change the design and sneak it into production without even changing the part number.

  25. Re: No one will ever buy a GM product again on GM Names and Fires Engineers Involved In Faulty Ignition Switch · · Score: 4, Interesting

    What is really sick is that on the day he was granted a new trial the prosecutor tried to trick him into pleading guilty and accepting time served. When he refused, the prosecution dropped the whole thing.

    I sincerely hope he gets a great deal of money and a very public apology from Toyota, Minnesota, and the Feds (they knew about the problem too), but I'm not going to hold my breath for any of that.