Slashdot Mirror


User: johnjones

johnjones's activity in the archive.

Stories: 0
Comments: 941

Comments · 941

  1. wait... the drivers are all closed source? how does that work?
    (yes I know you can load binary drivers but it means they have to work hard to even make it work...)

    can you point to the blobs?

    uboot certainly is better than the Raspberry Pi closed boot loader

    again, can you point to something rather than just making criticism?

    thanks

    John

  2. agreed, however in a corporate environment people demand them for legacy apps... if that's the case the system administrators should have turned off SMB version 1 a LONG time ago

    either way there is no way that the companies should have a problem, and this is a money-spinning exercise for the AV companies, who should be given very little money having not solved spam problems...


  3. they used Windows... they did not turn off SMB 1... their own fault if they are a large company

    John

  4. Re:Except for us of course.... on Australian Officials Want Encryption Laws To Fight 'Terrorist Messaging' (arstechnica.com) · · Score: 4, Interesting

    exactly

    The Australian Prime Minister, like the President of the United States of America, actively avoids being recorded for official purposes (laws enacted to keep a record)

    Australia has some of the most bizarre privacy laws and data retention laws; China and the rest of Asia are quite clear: the state can own your data and can compel that data to be released or you will face charges (jail).

    The onus has been pushed onto the private sector to retain metadata and grants provided to do so (the ISPs collect the metadata basically).

    The hilarious bit is the proliferation of Certificate Authorities (CA). Previously the government and agents could simply compel the CA to be compromised; however, with the built-in keys for entities beyond their control they can no longer intercept this traffic and worry, more importantly, that others are doing what they do (compromising the CA/keys and reading the data off the wire, which is a preferred tactic of the PLA via the firewall).

    The solution to this is to secure the DNS root, have each service use its own key (equivalent to DANE) and have laws to allow interception
    (that way each service is secure and the gov can intercept if they compel the service provider). The days of being able to read everything off the wire are over and the agents need to realise that and modify their behaviour to be selective.

    They are never going to get all the signed traffic any more; the real worry is that others are collecting data and how to secure that while still allowing for interception. They need to agree on a compromise solution, and fast.

    Regards

    John Jones

  5. it's a MITM replacement of firmware on CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Routers Models (bleepingcomputer.com) · · Score: 2, Insightful

    So the CIA uses its PoP to man-in-the-middle traffic directed at router manufacturers' firmware update sites and none of them simply checked the firmware signature before applying?

    This is a pretty basic exploit and a pretty basic check for the router manufacturers...
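As an added illustration of the check the comment above says the router vendors skipped (example code written for this mirror page, not from the CherryBlossom report or any vendor's updater): a signed-image format and the verification a device should perform before flashing. The image layout, the Ed25519 key pair and the payload are all constructed for the example and stand in for whatever a real vendor uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout used only by this example (no vendor's real format):
//   magic "FWIMG1" | payload length, uint32 big-endian | payload | 64-byte Ed25519 signature
// The signature covers magic + length + payload, so neither the header nor the
// body can be altered in transit without the check below failing.
const magic = "FWIMG1"

var (
	ErrBadImage     = errors.New("firmware image: malformed")
	ErrBadSignature = errors.New("firmware image: signature does not verify")
)

// BuildImage is the vendor side: wrap the payload and sign it with the release key.
func BuildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, len(magic)+4)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[len(magic):], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device side: parse the image, then verify the signature with the
// vendor public key pinned in the currently running firmware. Only on success is the
// payload handed back to the flashing code.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	fixed := len(magic) + 4 + ed25519.SignatureSize
	if len(img) < fixed || !bytes.Equal(img[:len(magic)], []byte(magic)) {
		return nil, ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(img[len(magic) : len(magic)+4]))
	if n != len(img)-fixed {
		return nil, ErrBadImage
	}
	signed := img[:len(magic)+4+n]
	sig := img[len(magic)+4+n:]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signed, sig) {
		return nil, ErrBadSignature
	}
	return signed[len(magic)+4:], nil
}

// Demo reproduces the two cases that matter: the genuine image verifies, and the same
// image with one payload byte changed on the wire (what a MITM on the update path can do)
// is rejected. The key pair and payload are constructed here; nothing is fetched.
func Demo() (genuineOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, []byte("constructed firmware payload v1.2"))
	_, err = VerifyImage(pub, img)
	genuineOK = err == nil

	tampered := append([]byte(nil), img...)
	tampered[len(magic)+4] ^= 0x01 // flip one bit in the first payload byte
	_, err = VerifyImage(pub, tampered)
	tamperedOK = err == nil
	return genuineOK, tamperedOK
}

func main() {
	g, t := Demo()
	fmt.Printf("genuine image accepted: %v, tampered image accepted: %v\n", g, t)
}
```

The device never holds the private key; it only needs the vendor public key pinned in the running firmware, so an attacker who can replace bytes on the download path (plain HTTP, a mirror, a compromised CDN, or a PoP doing MITM) still cannot produce an image that passes. The length field is checked against the actual size before anything is hashed, so a truncated or padded image is rejected as malformed rather than reaching the signature step.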


  6. 3G elements no TLS on Hackers Can Spoof Phone Numbers, Track Users Via 4G VoLTE Mobile Technology (bleepingcomputer.com) · · Score: 5, Informative

    so basically the VoLTE spec doesn't see the point in protecting the SIP call correctly and allows anyone on their network to place SIP calls

    "Depending on the network operator's architecture, IPsec tunnels between the UE and the IMS core network will be set up. In this case, we need to inject data directly into this existing IPsec tunnel, typically, when we want to test active vulnerabilities and replay traffic. The easiest way to achieve this is to reuse an existing socket used by a legitimate IMS service on Android. Reusing this socket will permit to inject traffic inside the IPsec tunnel, as the association already was established by the Linux Kernel IPsec stack (Netkey)."

    At least they use IPsec but honestly they do not check the keys... deploying all the keys is going to be a major headache, and you have to trust a CA not to screw up...

    The solution is to deploy your keys using DANE and DNSSEC; most operators are using IPv6 and DNSSEC so it's not much of a deployment stretch

    they also complain about the "utran-cell-id-3gpp value of UE-victim received in SIP 183 Session Progress response"; honestly yes, if you secured the tunnel then it would not matter

    So in conclusion what they are saying is they can do MITM attacks because the operator does not correctly authenticate the IPsec tunnel and trusts all data sent...

    the old Russian proverb "trust but verify"; no problem with the SIP, just the verification plus tunnel and keys...

    I wonder how much consulting money these guys make for setting up a MITM attack... good luck to them

    regards

    John Jones

  7. as stated on Theresa May Loses Overall Majority In UK Parliament (cnn.com) · · Score: 1

    Labour got fewer seats under Corbyn than when Gordon Brown campaigned, was my point. Which stands.

    The Westminster system works like that... ask the SNP or UKIP to tell you all about it...

    one of those points I made previously was about encryption: if any of the leaders came out and actually stated they won't be trying to break into communications via techniques such as escrow keys or forcing Certificate Authorities (CA) to issue a root to "security services", then I would be impressed; otherwise jog on...

  8. actually on Theresa May Loses Overall Majority In UK Parliament (cnn.com) · · Score: 1, Insightful

    Corbyn cannot really be described as really really good since he did not even manage Gordon Brown level for Labour seats... that's the reality
    yes Labour seats are up from before but if you start low then going up is easy,

    you're going to be dealing with the DUP being king/queen makers... good luck with that....

    the point stands: May made terrible mistakes, one of which was encryption

  9. or maybe encryption on Theresa May Loses Overall Majority In UK Parliament (cnn.com) · · Score: 4, Interesting

    Theresa May wanted to have "back doors" in encryption schemes to allow government access, and everyone with a clue laughed at her

    she stood by the claims and this is what happens....

    maybe next time a politician dreams of this we can remind them of how this turned out...

    John Jones

  10. APIs? for ownCloud etc on Apple's New iOS File Manager Coming This Fall As Part of iOS 11 (arstechnica.com) · · Score: 1

    I hope the API is open so that people can build their own in... something like ownCloud?

    WebDAV can be useful and caching would be great... conflict resolution with Dropbox/iCloud/Box is going to be fun...

    anyone seen the API?

    thanks

    John Jones

  11. wait this is an OOB like IPMI and not scanned? on Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk) · · Score: 1

    So this would have to be provisioned...

    it's like IPMI (DRAC)

    (from Wikipedia https://en.wikipedia.org/wiki/Intel_Active_Management_Technology)

    "The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, for what support exists in various Ethernet controllers, exported and made configurable via Management Component Transport Protocol (MCTP). The ME also communicates with the host via PCI interface. Under Linux, communication between the host and the ME is done via /dev/mei"

    so you would have to be completely insane to enable this and not be aware of it on a server, however -
    "AMT is designed for client computing systems as compared with the typically server-based IPMI."

    so all those Windows deployments are going to have to do an audit...

    Apple laptops AFAIK do not enable this...

    have fun auditing this if you manage a Windows fleet!

    regards

    John Jones

    https://downloadmirror.intel.com/26754/eng/INTEL-SA-00075%20Mitigation%20Guide%20-%20Rev%201.1.pdf

  12. S/MIME and DANE? on Google Open Sources Encrypted Email Extension For Chrome (onthewire.io) · · Score: 3, Insightful

    How about support for S/MIME?

    It would be nice if they supported DANE so that all the keys were looked up automatically!

    Why not?

    John
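Both the VoLTE comment above (publish the service key via DANE and DNSSEC) and this one (look up S/MIME keys via DANE) rest on the same DNS record types, so one added example covers both; it is written for this mirror page and is not code from either story or from Google's extension. It renders a TLSA record for a SIP-over-TLS service and an SMIMEA record for a mailbox, and shows the verifier-side match. The host name ims.example.net, port 5061 and the address hugh@example.com are placeholders, the certificates are self-signed throwaways generated in memory, and the records only carry authority when served from a DNSSEC-signed zone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spkiDigest is the association data for usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
// matching type 1 (SHA-256): a hash of the public key rather than of the whole certificate,
// so the record survives a re-issue that keeps the same key.
func spkiDigest(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// TLSARecord renders the zone line for a TLS service, e.g. _5061._tcp.ims.example.net.
func TLSARecord(host string, port int, proto string, cert *x509.Certificate) string {
	return fmt.Sprintf("_%d._%s.%s. IN TLSA 3 1 1 %s", port, proto, host, spkiDigest(cert))
}

// SMIMEAOwner builds the owner name RFC 8162 specifies for a mailbox: SHA-256 of the
// local part, truncated to 28 octets (56 hex digits), under _smimecert in the domain.
func SMIMEAOwner(addr string) (string, error) {
	at := strings.LastIndex(addr, "@")
	if at <= 0 || at == len(addr)-1 {
		return "", errors.New("smimea: address must be local-part@domain")
	}
	sum := sha256.Sum256([]byte(addr[:at]))
	return hex.EncodeToString(sum[:28]) + "._smimecert." + addr[at+1:] + ".", nil
}

// SMIMEARecord renders the SMIMEA line binding a mailbox to its S/MIME certificate's key.
func SMIMEARecord(addr string, cert *x509.Certificate) (string, error) {
	owner, err := SMIMEAOwner(addr)
	if err != nil {
		return "", err
	}
	return owner + " IN SMIMEA 3 1 1 " + spkiDigest(cert), nil
}

// MatchesRecord is the verifier side: given the digest field of a (DNSSEC-validated)
// record and the certificate actually presented, accept only if the key hashes agree.
func MatchesRecord(cert *x509.Certificate, recordDigestHex string) bool {
	want, err := hex.DecodeString(recordDigestHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// SelfSignedCert makes a throwaway P-256 certificate so the example runs offline
// (constructed test data, not a real service or mailbox certificate).
func SelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sip, _ := SelfSignedCert("ims.example.net")
	mail, _ := SelfSignedCert("hugh@example.com")
	fmt.Println(TLSARecord("ims.example.net", 5061, "tcp", sip))
	rec, _ := SMIMEARecord("hugh@example.com", mail)
	fmt.Println(rec)
	fmt.Println("presented SIP cert matches its record:", MatchesRecord(sip, spkiDigest(sip)))
	fmt.Println("mail cert presented for the SIP service:", MatchesRecord(mail, spkiDigest(sip)))
}
```

With usage 3 the record itself names the end-entity key, so no CA is consulted at all; the trust comes from the DNSSEC chain instead, which is the substitution the comments are asking for. The SMIMEA owner name hashes the local part precisely so that a zone can publish per-mailbox keys without listing mailbox names in clear.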

  13. Cache dear chap Cache on Qualcomm Debuts 10nm Server Chip To Attack Intel Server Stronghold (tomshardware.com) · · Score: 1

    Intel have known it for some time and spent a lot of time refining the cache down to the geometry...

    what they do not specify is the cache size or any benchmarks... personally I would like nothing more than to see a mix of architectures with a standard board interface layout...

    john

  14. very american... on 'The Circle' Trailer Looks An Awful Lot Like Google (cnet.com) · · Score: 1

    this already exists....

    please educate your fellow workers :

    https://en.wikipedia.org/wiki/Baidu#Censorship

    regards

    John Jones

  15. logging on Devuan's Systemd-Free Linux Hits Beta 2 (theregister.co.uk) · · Score: 1

    My one question is logging....

    what did they replace systemd with and how does it log?

    the FAQ and the rest of the site is VERY bare...

  16. heat Salt with solar rather than PV on India Unveils the World's Largest Solar Power Plant (aljazeera.com) · · Score: 1

    heat salt with the sun and you get base load capacity (throughout the night)

    that combined with mini nuclear reactors seems to hold the answer to power generation... critiques?

    John

  17. either you tell machines what to do or the machines tell you what to do

    you choose

    Apple are ahead of the game; they will allow them to "repatriate" funds to do this in reverse...

    https://www.youtube.com/watch?v=AYshVbcEmUc

    have fun

    John Jones

  18. transformative... on US Navy's High-Tech Ship Loses Power In Panama Canal (usni.org) · · Score: 1

    errors do happen it will be interesting to see what they are though...

  19. no comment on the DNS query nor on the route

    basically this site is new media: it gathers data but uses a pre-recorded voice to describe it, i.e. it uses predefined comments about a user's state....

    it's a bit like the Huxley comment on society... it may be valid but really it's recycled; can we please have a new comment?

    thanks, this is the internet, it's a little different (not huge but a little)

    John Jones

  20. Re:How is this different from any firewall on Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices? · · Score: 2

    exactly, it's just a firewall with IDS...

    scary...

  21. protocol and codec ? before trust... verify on WhatsApp, Used By Over One Billion People, Gets Video Calling Feature (engadget.com) · · Score: 1

    I honestly don't know how people can trust that they are doing the right thing without knowing about the design....

    They use modified SIP communications for audio; is it the same for video?

    knowing the codec would be good?

    the problem is, is it point to point or simply proxied through their servers?

    anyone know ?

    thanks

    John Jones

  22. what this really means is you will not be able to cache updates via HTTP

    honestly I do not know why they have NOT used plain HTTP to download the objects (fall back to HTTPS/P2P if needed and have them as options); this would make caches so much faster
    (yes, verify those objects via a cryptographic hash obtained via DANE and TLS)

    honestly why can't Microsoft, Apple and Linux/BSD all agree on the transport mechanism (I propose HTTP)? this would make life and speed better for everyone

    regards

    John Jones
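An added example of the scheme the comment above proposes (written for this mirror page, not code from Microsoft, Apple or any distribution's updater): fetch the bulk object over plain, cacheable HTTP and accept it only if it matches a digest that arrived over an authenticated channel. It has a small manifest type, a fetch that enforces size and SHA-256 before returning any bytes, and an in-process server that first serves the genuine object and then a same-length modified one, as a tampering proxy or poisoned cache would. The manifest is assumed to have come over TLS or from a DANE/DNSSEC-validated record; here both it and the object are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

var (
	ErrSizeMismatch   = errors.New("update object: size differs from manifest")
	ErrDigestMismatch = errors.New("update object: SHA-256 differs from manifest")
)

// Manifest is the only part that must arrive over an authenticated channel (assumed
// here: TLS, or a DANE/DNSSEC-validated record). Given that, the bulk object can be
// fetched over plain HTTP and served from any proxy cache without extending trust to it.
type Manifest struct {
	Name   string
	Size   int64
	SHA256 string // hex digest of the object
}

// FetchVerified downloads the object over whatever transport the URL names and only
// returns the bytes if size and digest match the manifest.
func FetchVerified(client *http.Client, url string, m Manifest) ([]byte, error) {
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest: malformed digest")
	}
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("update object: unexpected status %s", resp.Status)
	}
	// Never read past the manifest size: a hostile cache cannot make the client buffer
	// unbounded data, and a truncated or padded object is caught before hashing.
	body, err := io.ReadAll(io.LimitReader(resp.Body, m.Size+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) != m.Size {
		return nil, ErrSizeMismatch
	}
	got := sha256.Sum256(body)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, ErrDigestMismatch
	}
	return body, nil
}

// Demo stands in for a plain-HTTP mirror behind a cache: it first serves the genuine
// object, then a same-length modified one, as a tampering proxy would. Both the object
// and its manifest are constructed here.
func Demo() (genuineOK, tamperedRejected bool) {
	genuine := []byte("constructed update payload 1.0")
	sum := sha256.Sum256(genuine)
	m := Manifest{Name: "update-1.0.bin", Size: int64(len(genuine)), SHA256: hex.EncodeToString(sum[:])}

	var tamper atomic.Bool
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body := append([]byte(nil), genuine...)
		if tamper.Load() {
			body[0] ^= 0x20 // same length, different content
		}
		w.Header().Set("Cache-Control", "public, max-age=86400") // cacheable: the point of plain HTTP
		w.Write(body)
	}))
	defer srv.Close()

	url := srv.URL + "/" + m.Name
	_, err := FetchVerified(srv.Client(), url, m)
	genuineOK = err == nil
	tamper.Store(true)
	_, err = FetchVerified(srv.Client(), url, m)
	tamperedRejected = errors.Is(err, ErrDigestMismatch)
	return genuineOK, tamperedRejected
}

func main() {
	g, r := Demo()
	fmt.Printf("genuine object accepted: %v, tampered object rejected: %v\n", g, r)
}
```

The transport carries no trust in this design, which is exactly what makes the object cacheable by any intermediary; everything the client relies on is the few hundred bytes of manifest plus the hash. The size bound is deliberately enforced before the hash so that a cache returning a huge or empty body fails fast and cheaply.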

  23. hell's teeth on Google Releases An Open Source Font That Supports 800 Languages (googleblog.com) · · Score: 3, Interesting

    honestly

    where are the mathematical fonts and symbols for science?

    STIX goes some way but why is this not in Noto?

    why would you send a mathematical explanation into the stars but we can't express those notations on machines we use every day?

    thanks

    John Jones

  24. for it is and always shall be...

  25. still GPS tagged? on Instagram Is Killing Photo Maps (mashable.com) · · Score: 1

    so after killing the map are the photos going to be scrubbed of GPS/location data?
    going forward?

    any information?

    John