Slashdot Mirror


User: fuzzyfuzzyfungus

fuzzyfuzzyfungus's activity in the archive.

Stories: 0
Comments: 15,204

Comments · 15,204

  1. Re:Why is anyone surprised? on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 1

    I do like the one where you can helpfully suggest a new backup URI for the phone to safely store its filevault encryption keys.

  2. Re:Umm... on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 1

    It's good that LinkedIn is a Respectable Business, or this would probably be about Eleventy-billion CFAA violations...

  3. Re:Umm... on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 1

    An iOS app has no access to any other app's files. The scheme you describe would fortunately be impossible.

    A given app doesn't have access to another app's files; but since their scheme also employs a configuration profile, I suspect you could have some fun with quietly twiddling per-app VPNs, the global HTTP proxy, silent installation of trusted certificates, and other useful little toys.

  4. Re:"Colony"? on F-Secure's Hypponen: The Internet Is a 'US Colony' · Score: 1

    "US has colonized the German Internet about as much as it colonized the German forests." One little detail (though it's actually somewhat unhelpful to TFA's thesis, and makes the situation of the hypothetical European even grimmer...): Post WWII and through NATO more or less to the present, the US does actually have a nontrivial physical presence in Europe (one of the NSA's nicer SIGINT study-abroad bases is actually in Germany), and they are likely aided in their spying by that fact. However, they are there with the more or less complete cooperation of the European states in question. If arms are being twisted, it's all very quiet and tactful, and it's not like 10 divisions of Warsaw Pact armour bearing down on them is a serious consideration to club them around with...

    So, to the degree that they are screwed by using US services and servers, they have a problem because apparently their domestic services aren't competing (even against a bunch of mostly-monolingual Americans with an ocean worth of ping between them and the foreign market), and to the extent that they are being physically compromised by US spooks, it's with the active collaboration of the spooks at home, who will be happy to watch them even if they seize the moment to try to shove Washington out of the picture...

  5. Re:Why is anyone surprised? on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 1

    As much as your point about DICE is well taken, I'd honestly love to know how you would go about 'monetizing' a user who (voluntarily, and for no material reward, no less) impersonates a fungus with internet access in order to whine about surveillance and make bad geek jokes. I have the chilling suspicion that it can be done; but damned if I can imagine how...

  6. Re:Why is anyone surprised? on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 5, Informative

    "All communication from the Mail app to the LinkedIn Intro servers is fully encrypted. Likewise, all communication from the LinkedIn Intro servers to your email provider (e.g. Gmail or Yahoo! Mail) is fully encrypted."

    And all (transient) storage of the data being communicated while they are on the LinkedIn servers?

    Hmm... Didn't think so.

    Also worth noting: In their 'Pledge of Privacy' (which may change from time to time, to 'clarify' things) they have an adorable little elision...

    "Do you read my email?

    In order to provide the Intro service, the servers use software to extract information from each message: for example, the sender's email address is extracted, so that the servers can search for their LinkedIn profile to include in the message."

    Well, ok, the system obviously wouldn't work if it didn't parse the email, right?

    "Do you store my email or my password?

    During usage, the servers may temporarily cache your emails in order to make emails download faster. When your device starts to download a mail folder, such as your inbox, the servers will pre-emptively download and cache recent messages in that folder. A few seconds later, when your device downloads the individual messages, the servers will provide the cached messages. Your messages are only cached until your device downloads them, and never for more than 1 hour. Typically, your messages are cached for no more than a few minutes."

    Well, ok, fast downloads are good, and temporary cache is temporary, so you totally aren't building a giant dossier of all my email, whew.

    Now... "the servers use software to extract information from each message". Hmm... it doesn't say a thing about the storage, use, retention, or anything else of that 'extracted information'. Nor (aside from giving the one example that is architecturally necessary, and thus trivial) does it provide any detail about what information is extracted. So, in fact, the only thing I know is that they say that a literal copy of my email is not being stored (Maybe they only store my metadata, like the NSA?) Maybe they store any substrings that match a set of keywords? Who knows? Not you or me.

  7. Re:Why is anyone surprised? on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 5, Insightful

    It is admittedly a cute hack (presented in a smarmy tone); but the sheer tone-deafness and unwillingness or inability to recognize that you are proposing to subject potentially-hundreds-of-thousands of people's private information to your cute hack is sickening.

    That's what really gets me: If this were random geek giving a little chat about 'stupid IMAP regex tricks; the closest thing to greasemonkey for iOS mail!' and showing off an architecturally similar system for on-the-fly-rewrites of mail to add useful hooks to present features absent in the client, it'd be clever and endearing. But that isn't the game we are playing here. This is a slick, weaponized, weasel-worded-for-wide-deployment dangerous toy we are talking about here.

    Either he knows that, and just doesn't give a fuck (in which case he is somewhere beneath contempt and heading further down), or he's dangerously myopic to an almost unbelievable degree.

  8. Re:Certainly an increasing danger. on Ask Slashdot: Developer Responsibility When Apps Might Risk Lives? · Score: 2

    I think that there is one additional factor to consider (that does strongly affect this case; but might be weak or nonexistent in others): In the case of an "Avalanche Transceiver", that's not a generic description of any radio beacon designed for avalanches, it's a fairly specific set of standardized minimum capabilities and interoperability characteristics, recognized by both hardware vendors and significant mountaineering organizations.

    Even the insinuation that you are talking about a similar thing edges pretty close to misrepresentation, because of the degree to which the existing device has been codified.

    In a situation where the app's function is novel, and there is either no consensus at all, or a consensus so obscure as to be confined to some very specific subgroup, it would be much easier to make 'almost as good and a lot cheaper' style claims without edging on seriously misrepresenting the situation.

    If the market for avalanche transceiver devices was either a total incompatible clusterfuck, or simply didn't exist, my position on these would be 'the more the better', since the implicit promise would be less, and the existing 'standard of care', so to speak, much closer to being equivalent. As it is, though, they would have to market... very... carefully to not be treading on thin ice in terms of implicit misrepresentation.

  9. Re:Developer or publisher? on Ask Slashdot: Developer Responsibility When Apps Might Risk Lives? · Score: 2

    The ones who lied? Honesty isn't a 100% ironclad defense; there are things you can do with full disclosure that are still unethical; but if I program 'tweet_while_U_die', a program that uses your accelerometer to detect a probably-fatal vehicular collision and then tweets about it for you while you bleed out, I'm in poor taste; but hey, it is what I say it is.

    If somebody brands it as 'Personal Safety Notifier Pro' and insinuates that EMS dispatch is somehow going to find you based on this behavior, I'd like to see them charged with negligent homicide each time that fails to happen.

  10. Re:Why is anyone surprised? on LinkedIn's New Mobile App Called 'a Dream For Attackers' · Score: 5, Informative

    I'm not surprised ('social networks' in general make you the product, linkedin has always been a touch sleazy, especially for an ostensibly 'professional' site that could theoretically be making its money on the semi up-and-up by offering useful recruiting services); but I am fucking shocked at just what a clusterfuck this particular app is.

    So, you install the 'app'. It applies an iOS configuration profile to your phone. Those can do rather a lot... In this case (so far) what it does is set up an MiTM that routes all your email through their servers, and dynamically rewrites it to add content of their choice to messages.

    It's totally normal for 'social networks' to own you like livestock in everything you do on that network; but reaching out and grabbing all 3rd party email (Oh, man, are some corporate IT/Security people going to be spitting napalm about this one...) that passes through your handset, and including that? Ballsy. Really, really, ballsy. Makes the old "Hey, let's grab their entire contact list!" sleaze-scheme look like amateur hour.

  11. Re:How the heck ... on Citizen Eavesdrops On Former NSA Director Michael Hayden's Phone Call · Score: 1

    I think that hysterical whining about the need to stifle speech is mostly a pandering-congresscritter thing (zOMG Terrorists are using Twitter to disseminate their propaganda! Somebody think of the Children!!!!), while the spooks are loving the fact that nobody can resist bragging on the internet (even local Deputy Donut has had a fair few cases solved for him by dumb gang kiddies talking shit about their crimes on Facebook and so forth).

    The one, partial, exception to the rule is the recognized value of using undercover agents/infiltrators (and allowing it to be known in general, but not specifically, that you are doing this) to make it harder for groups to recruit and organize. You see this a lot with 'Animal Rights' types in the UK, who the Met police have been sending undercover flunkies after for years, and sometimes with assorted protest movements in the US (always a big ramp-up around a G8 summit or the like). If a group suspects infiltrators, they tend to be more paranoid, less welcoming, and overall more dickish to potential new members, since those new members could be enthusiastic, or they could be feds. They also find it harder to organize large demonstrations or other actions, because you can't just spam the mailing list when there is almost certainly an undercover cop with a hotmail account signed up for it. This can lead to cliquishness, paranoid sub-cells (sometimes feuding), etc.

    That isn't really about intelligence gathering, though, since the targets are usually of minimal danger and fairly well known, that's more of a harassment thing.

    With targets who are genuinely under-the-radar (especially ones that are ethnically, culturally, and/or linguistically hard to crack with undercover agents: IRA? FBI can probably put Agents Connelly, Donahue, and Murphy on it. Al-Shabab? Hmmm, we, um, have any East African looking guys with a native-level fluency in Arabic, and ideally one or two local variants? Anyone?), though, having them online is probably the biggest gift the spooks can get.

  12. Re:Hangings on US Executions Threaten Supply of Anaesthetic Used For Surgical Procedures · Score: 1

    The ones you have to watch out for aren't the ones who don't know the difference; but believe that there isn't one.

  13. Re:Hangings on US Executions Threaten Supply of Anaesthetic Used For Surgical Procedures · Score: 1

    I don't think that there is anything to be done about death anxiety per se; that's Canonical Woes Of The Human Condition stuff (The Epic of Gilgamesh has some surprisingly neat treatment of the subject, and basically every subsequent religion, philosophy, and school of psychology has attempted to chip in).

    I was trying to start with the baseline of "doesn't cause severe physical pain (as a botched potassium chloride bolus will), or activate deep-rooted physiological panic mechanisms (in the way that, say, drowning, or strangulation during a botched hanging, does)", since capital punishment as typically practiced hasn't even managed that, despite the tech being widely and trivially available.

    What would be interesting to know (if probably wildly unethical to test) is whether death-anxiety is greater when time of death is known (i.e. the subject knows that they'll be in their cell until date X, then they get marched to the chamber and shot full of enough narcotic anesthetics to kill a water buffalo or rock star) or uncertain (at some point, within 6 months say, of final appeals being exhausted, we'll introduce carbon monoxide into your cell while you sleep, your O2 sat will plummet, and you'll never wake up).

    Would it be scarier to be counting down to day zero, or knowing that 'if I die before I wake' is not a theoretical consideration?

  14. Re:"Colony"? on F-Secure's Hypponen: The Internet Is a 'US Colony' · Score: 1

    One other thing strikes me, in considering Nkrumah's theory (specifically its Marxist aspects, and the general struggle of 'labor' to overcome the problem of capital always winning so long as somebody can be found to work for peanuts, issues of international solidarity vs. division, etc.): that sort of thing is one area where the internet is far more hostile than the conventional real world, thanks to network effects, Metcalfe's "law", and the fact that both spooks and ad-vendor analytics types are interested in connections and communications networks between people.

    Essentially, while it's trivial to 'declare independence' on the internet (IPv4 means you probably can't have your own block or anything; but as long as you are OK with some NAT, or IPv6 services internally, it's probably never been easier or cheaper than it is today to set up your own damn LAN, with services, and hosts, and other neat stuff. Even an impecunious FOSS hobbyist with some fleabay shit, or a piratical microsoftie, can set up capabilities that would have been 'enterprise grade' not so long ago, all on a single residential power budget, no less. Plus you've got the 802.11i and other wireless mesh enthusiasts, the SDR crew, good old RONJA (some Czech free-hardware hackers who've been doing 1 km+ free-space optical data transmission with LEDs and sheer improv, neat project). So on, so forth, all good.)

    However, we build networks to communicate with others, right? And some of the people we want to communicate with like their Gmail accounts (or simply live behind a US ISP...). They don't mean to betray us; but the feds aren't morons: if they can't subpoena your mail provider, they can at least see everything your American buddy sends to you, or you to him... And god help you if, say, your trusted-and-principled-fighter-for-civil-rights lawyer-who-knows-a-bit-more-about-law-than-about-tech gets suckered into, say, LinkedIn's unbelievably fucking creepy man-in-the-middle attack app (yes, they did actually release that. Yes, it is a 'feature' that linkedin installs a device configuration profile (which is capable, in principle and at their mere power and pleasure, of any change that Apple's APIs allow a device configuration profile to make; config profiles are intended for managing institutionally owned/controlled devices)). Oh, attorney-client privilege? That's adorable, those emails are just 'business records' now...

    Network effects cut both ways: even in an ideal world, where there exists some jurisdiction where the services are attractive and the local governance isn't creepy, sophisticated inferential attacks become easier and more powerful with every interaction between free and unfree service users. Tricky problem.

  15. Re:"Colony"? on F-Secure's Hypponen: The Internet Is a 'US Colony' · Score: 3, Insightful

    Oh, there are, indeed, a great many ways of getting what you want without (too much, visible, unpopular) overt violence, and we use them.

    However, Nkrumah's own career is not a hopeful bit of reading from the perspective of somebody looking to decolonize on the internet:

    His ability as an anticolonial leader, and at least the beginning of his post-independence period went very well. Then things went... off the rails. A lot. In that 'elected dictator for life and father of the revolution by 99.1% of the alleged electorate' sort of way. If there's anything that puts a sad note on your struggle for independence, it's throwing off the chains of foreign occupation and then taking up the chains of local dictatorship.

    On the internet, since it isn't built on land or particularly scarce, the revolution is easy. (You probably have your very own free and independent LAN right now!) Building alternatives to the hegemonic American cat-video/industrial complex? Less easy. Building alternatives that succeed and aren't under the thumb of authoritarian surveillance nuts or ruthless corporate titans who are just as unpleasant as their American counterparts and live closer to you? Harder still. That seems to be Europe's problem at present, also common in other areas, to varying degrees (China's language barriers and blatant willingness to exercise mercantile favoritism seem to have rendered them partially immune, in terms of web services, though I haven't heard of Red Flag Linux burning up the sales charts...)

    Europe has culture, and money, and networks, programmers, and guns; but apparently they still flock to US web services (either directly hosted/operated in the US or physically located in Europe as appendages of US companies and subservient to them) in numbers large enough, and for business important enough, to raise TFA's author's concerns.

  16. Re:Yes, that's pretty much true on F-Secure's Hypponen: The Internet Is a 'US Colony' · Score: 1

    The problem is, what can be done about the problem that would actually improve matters?

    The most commonly suggested answer is to turn it over to the UN, and, frankly, I don't think that there can be much argument but that would make matters immeasurably *worse* for the average user.

    Even if there were an actually-benevolent-and-competent contender in the wings, the part of internet governance that the ITU and some states keep trying to pull into the UN isn't really the part that gives the US leverage.

    The US does have the ability (and willingness) to exert control over the registrars for a number of the most desirable TLDs. Just operate a piracy-related website and you'll probably learn that firsthand. That matters because US-controlled TLDs are popular; but being able to change the DNS entry for 'foo.com' from one IP to another doesn't change what is on your server, nor does it exert any control over the fact that foo.co.uk still points to it.

    The US also has a pretty good position in terms of common SSL CAs (If they've done so, it's been on the quiet so far; but if anybody can shove Verisign around like they did to Lavabit, and get fake certs generated, it'd be the feds); but that control is, again, nonexclusive.

    The part that gives the US power is the amount of traffic (US and other) that travels through US infrastructure and services operated by US companies. Changing who hands out TLDs or letting telco dinosaurs into the decision-making process isn't going to change that (unless we start charging for 'long-distance packets' or something ghastly)...

  17. "Colony"? on F-Secure's Hypponen: The Internet Is a 'US Colony' · Score: 4, Insightful

    I'd argue that "Colony" is sort of an unfair term: a "Colony" is something that I set up by getting some of my jackbooted thugs together, sailing to your country, and telling you that this is how it's going to be from now on, while drinking gin-and-tonics and exporting your resources to the home country.

    On ye olde intertubes, it's sort of hard to 'colonize' somebody (especially since, unlike land, which hasn't been available in the "actually not populated by somebody you'll need to shove if you want to 'discover' it" flavor in centuries to millennia, the internet exists because it is built, and you can build more if you want more), except on the very limited scale of cracking their server and stashing stuff on it.

    It seems that it might be fairer to say that the internet is more of an American shopping mall. It is true that, to a surprising degree (especially surprising in areas that have never liked us much, or for which we never bothered to do much localization), lots of foreign traffic crosses into American-held internet infrastructure to work, play, and do business; but (unlike a 'colony') that isn't because that infrastructure used to belong to somebody else until we grabbed it, and the locals are still stuck there; but because once it was built, people came.

    Anybody who doesn't fancy being watched by Uncle Sam, or a EULA-serf of a major American multinational (including US residents) should definitely give some strong consideration to how much of their activity is currently firmly within the grasp of the US government and a few cooperative (except on taxes) corporations; but if they want to get anywhere, the line of thought is going to have to be closer to "So, why does everybody go through $AMERICAN_COMPANY$ anyway, and why isn't there a homegrown equivalent elsewhere?" rather than following the misleading road of some sort of post-colonial process. There simply was no such colonization, so expecting to decolonize is going to fall into exciting category error fun time.

  18. Re:Stick with sodium on NYC's 250,000 Street Lights To Be Replaced With LEDs By 2017 · Score: 4, Insightful

    Near observatories to cut down on light pollution. LEDs are too broadband.

    On the plus side, if somebody is thinking about installing LEDs, that is (sometimes) a sign that light fixtures that have been, well, fixtures, for decades, sometimes quite a few of them, are getting their first re-evaluation in quite some time.

    It only helps if somebody pushes at the correct time; but if the fixtures are being reevaluated in anything resembling a serious way, that's your best chance to get action on things like fixtures that point upward, ill-designed fixtures that don't target their output very well, and all the various other dubious lighting decisions that help add up to light pollution.

    It's unlikely to be perfect; but LEDs (being costly; but easy to aim fairly tightly, as well as very good at doing accent work (say, lighting a set of stairs with small lamps set just above the steps, rather than one big bulb-on-a-stick pointed in the direction of the stairs and cranked to 11)) do encourage more efficient targeting in a way that big, cheap, one-size-fits-all bulbs don't.

  19. Re:I wish they'd do it here. on NYC's 250,000 Street Lights To Be Replaced With LEDs By 2017 · Score: 3, Informative

    I wonder how many smaller cities have already done this?

    I think that it's not uncommon (though traffic signals usually go first, since LEDs have been cheap and good at red, green, and amber for longer than they've been either cheap or good for white, and bulbs-behind-filters have always had even more miserable efficiency than bulbs in general).

    LEDs are still pretty expensive, and white ones (because they are usually blue ones pumping a phosphor layer) are still less efficient than one might like; but one big advantage is lifespan.

    A replacement lightbulb doesn't cost much; but sending out guys in bucket trucks to deal with dead ones adds up.

  20. Re:How the heck ... on Citizen Eavesdrops On Former NSA Director Michael Hayden's Phone Call · Score: 4, Insightful

    Isn't it entirely reasonable for Hayden to have grown a sense of arrogant impunity almost large enough to have its own event horizon?

    To have had his career, and walked away scot-free and with a chest full of medals, if that doesn't tell you that you are untouchable, you clearly fail at empiricism...

  21. Re:Isn't it a bit rude.... on Citizen Eavesdrops On Former NSA Director Michael Hayden's Phone Call · Score: 1

    Is that a problem? "Politeness" is a social virtue we cultivate to make our interactions with others smoother and more pleasant, particularly the 'others' who are too distant for friendship but close enough that interaction is necessary. It isn't some sort of iron law. When dealing with someone who is both of considerable public interest and wouldn't deserve to be spit upon if he were on fire, why would you consider it?

  22. Re:Hangings on US Executions Threaten Supply of Anaesthetic Used For Surgical Procedures · Score: 1

    In that, er, vein, the lethal injection protocol typically used on humans is illegal to use for veterinary euthanasia in most of the US (though the HSUS also condemns, albeit without legal force, nitrogen flushing. I'm not sure if that reflects some unacceptably common operator error in the procedure, or if some animals don't react as humans do.)

  23. Re:Hangings on US Executions Threaten Supply of Anaesthetic Used For Surgical Procedures · Score: 1

    As best I can tell, PR reasons make it preferable to use a method (no matter how convoluted) that looks 'clean'.

    In US lethal injection protocol, that's where the Pavulon comes in. It's a neuromuscular blocking agent (also used in surgical settings, to avoid spontaneous movements or stimulus responses not suppressed by anesthesia from causing issues for the surgical team). Nice thing is, so long as you use enough, it does exactly what it says on the tin: muscle paralysis (nice, relaxed paralysis, not that scary, hyper-tensed version you get from tetanus, so it won't scare the audience). It isn't an anaesthetic, so the drug has absolutely no effect on pain perception or consciousness; but you aren't going to spoil anybody's day by flinching, flailing, screaming, suffocating on your own vomit, or other impolite behaviors.

    In theory, the other two drugs in the 'cocktail' are actually supposed to do the killing; but paralysis alone, if deep enough, will cause the subject to quietly, flaccidly, and fully consciously, suffocate in reasonably short order. So much less barbaric looking than having brain fragments spattered all over the place, even if that is far faster, and the percentage of prison staff who can put a bullet in your head is likely much higher than the number who can find a vein to put the needle in without treating you like a pincushion (it's very difficult to get people with actual medical backgrounds to participate, so Deputy Bubba's Amateur Phlebotomy Show is a distinct possibility...)

  24. Re:Hangings on US Executions Threaten Supply of Anaesthetic Used For Surgical Procedures · Score: 5, Interesting

    Given the alternatives, that's probably pretty sensible.

    For what appear to be PR reasons, execution methods that are gory looking and freak out the viewers have been largely phased out (a firing squad, say, or a guillotine, will kill you pretty dead, pretty fast; but it'll leave a heck of a mess, and the more competently it's done, the bigger the mess).

    The replacements, by contrast, seem to have been picked more for the appearance of cleanliness, rather than actual swiftness or painlessness (I suspect that the 'brain drain' of medical expertise and moderates in general toward the anti-death-penalty camp, combined with the fact that the "I wish we could make them suffer longer! Unfortunately that isn't constitutional..." camp isn't going anywhere, has led to expertise being harder to come by, and stakeholder interest in pain-minimization simply being less). If the family dog gets sick, pretty much any vet in the country can euthanize them to a standard of humaneness that people demand for a beloved pet. Execution by lethal injection? Odds are surprisingly bad that the prison-flunky doing the job will even be able to find a vein, and the percentage of kills that actually go quickly and cleanly is unimpressive. Why the difference? Similarly, occupational safety/industrial hygiene types can tell you all about how people can suffocate without even noticing because of carbon monoxide exposure, or oxygen-displacing gas leaks (quirk of human physiology: you can detect high levels of CO2, or mechanical impediments to breathing, and you'll freak out; but you can't detect lack of oxygen, so if carbon monoxide binds all your hemoglobin, or you are working in an ill-ventilated basement and end up breathing pure nitrogen because of an LN2 leak nearby, your CO2 levels will remain in the green, and you'll just black out and die...); but we still can't gas people to death properly... Unless the pro-execution camp can get its technique together, I'd stick with old reliable myself, if I had to choose.

  25. Re:How realistic are the fears? on UK Police Seize 3D-Printed 'Gun Parts,' Which Are Actually Spare Printer Parts · Score: 1

    I suspect that ownership of a 3d printer (statistically) places you in the category of people who are approximately 45343465% more likely than the population at large to have done something on the internet (possibly from the command line) that would scare an AOL user, so they may have been sniffing after something in that vein.

    As for practical criminal interest, though? Absolutely zero so far demonstrated, largely because it doesn't resolve any ammunition supply challenges (and anyone who can do that can probably get at least a pistol snuck through the same channels), and performance so low that hand-tools and hardware store metal stock are almost certainly still ahead in the DIY race, much less actual machine tools or smuggling of real guns.