Ahh! Thank you for the link to the actual paper! (TFA suggested to me that since they were presenting it at a conference next week they hadn't published it yet. Yet another misread by me. I'm two for two today!)
So I really am safe as long as I'm not entering my PIN in a place where I can be eavesdropped upon. No worries! Whew.
The headsets I'm familiar with have a preset PIN (something like 0000 or 1111) that you have to enter into the phone. But they can't initiate the pairing process -- it has to be driven from the phone side. I suppose it's entirely possible for an attacker who sees you use a headset to set up his device to sniff your headset's ID, then pretend to be that headset with PIN 1111.
Now a headset has only a limited set of functions it can perform -- they can't dial digits without a keypad, so they're usually restricted to voice recognition of pre-programmed names. So unless you wanted to steal a phonecall to my wife or my son, you probably won't find it very useful.
That is, if headsets are restricted to "no dialing, no OBEX, no service discovery". If headsets are allowed to "change" their profile to suddenly support network dialing, keypads, and all that, then you're in big trouble from spoofers without even worrying about cracking the crypto.
The way I originally read it I didn't understand if this forced pairing required the input of the user to perform a "pairing" manually, (which was then intercepted by the attacker) or if the devices just agreed automatically to resend their pair information (which was then intercepted by the attacker.)
Don't use bluetooth!
To me it seems very unnessesary to have a bt enabled phone.
Then not only didn't you RTFA, but apparently you haven't used Bluetooth, either. Bluetooth is an extremely useful mechanism for many of us. It lets my PDA get on line; and when I hop in my vehicle, my car stereo magically becomes my car phone whenever it rings.
I just wish more devices were Bluetooth enabled (and that this security hole didn't exist.) As is, I'm not losing sleep over this as I don't have a public-transit commute (the sort of place where breaks seem most likely to happen.)
By forcing a re-pairing (as stated in the article) does it then rely on the user to re-pair his devices as a manual step? Or does this re-pair process happen in an automated fashion?
If it's a manual step, then it'll require education of the users to not pair their phones in public.
The Harley-Davidson police bikes in our city were leased to us for $1.00/year (each bike) by Harley-Davidson. This is what they do for corporate giving. I'd be hard-pressed to say those two dollars were "spent on useless things."
The other thing to remember is that they're going to spend money to enforce laws that are the most visible to the most people. "Identity Theft" is a very popular headline these days. Most people have inboxes full of spam. By equating these annoyances with "identity thieves," spending money on fighting them becomes a politically smart manouever. And because we are collectively so stupid that we believe everything the news tells us, it doesn't even matter whether or not it has any effect on our inboxes! As long as a politician can use it to say "I'm doing something!" the money to fight it will be there.
Excuse me? Did you forget Echelon? The whole idea of the UK/USA alliance is so that the US can spy on the domestic English traffic, and the UK can spy on the domestic USA traffic. Then, since there are no rules against sharing international information between allies, the FBI and MI-5 can sit down and swap tales about what kinds of bad guys they saw in each other's countries. No laws were harmed in the violating of your privacy.
Now, whether or not we shared factual stuff, like "hey, we know about these Weapons of Mass Destruction in Iraq," and "Really? So do we!", well that's a different question.
Y'know, I even scrolled back through the Slashdot pages until I got back to May 29th. I saw the date of May 30th at the very top of the article itself, and I didn't want to submit a dupe. I figured it was safe to check back to the date on the article itself. I was wrong.
Therefore, I whole-heartedly apologize to absolutely everyone who was taken out back and beaten with sticks because I submitted a duplicate story.
Oh, what's that? You say you weren't taken out back and beaten with sticks because I submitted a dupe? Then may I ask why it is a Department of Homeland Security issue that someone posted a dupe? Honestly, I sometimes think that posting "Dupe" is just a different way of saying "FRIST PSOT" without getting immediately modded down as a troll.
Space: 1999 made it easy for every fanboi to whip up a glowing-light stapler-based laser gun. The kids who made Star Trek phasers and communicators, now they had to work for their entertainment. But Space: 1999's props all look like they came out of mom's basement or dad's garage workbench, (and mostly because I think they did.) That made it easier for the kids to have their own As-Seen-On-TV toys.
And Martin Landau? Now there's a guy who knows how to act his way out of a paper bag! No cliche phrases, no hackneyed punch-out-the-bad-guy-and-kiss-the-girl storylines, just pure thespianism!
Can we sacrifice them anyway, regardless of SciFi channel's status? Please? Let's throw them on the altar, pull out the wicked looking wavy-bladed dagger, and have us a real Old-Testament kind of sacrifice.
I read TFA. They simply claimed the MPAA was backing down because the MPAA hadn't purchased Barton's vote yet. And I don't believe that ends this for a single minute. The MPAA isn't going to risk it all on a single congressman's vote -- they're going to cast their nets (and their lobbyists and their money) far and wide in hopes of finding a few affordable congressmen. They won't wait till 2008 because they're more afraid of entrenched technology, which is much harder to control than future unreleased technology.
Just because the EFF quoted someone else's article doesn't mean they don't believe it, or it's not their point. Rather, they seemed to be rejoicing in the news as if it were the Holy Gospel. And I think that's extraordinarily naive. They're way underestimating the power of the dark side.
No, there are some tuner cards on the market today that don't respect the broadcast flag. As a matter of fact, there was quite a run on them up until the FCC ruling was overturned.
And it has nothing to do with "email" or "share". It's the "broadcast" flag and it would only have interefered with recording, not with subsequent usages.
Sorry, but I don't see where the EFF would be the definitive authority on what the MPAA is up to. They're going to see what they want to see, and how they want to see it. Yes, a certain representative may currently be opposed to the provision, but that won't take away any incentive from the MPAA to continue to push Congress for whatever they can get.
There are people who are recommending (probably to sell CPUs, not to help anyone altruistically) that home users buy dual core chips -- and devote one CPU to their primary application, and the other to run the firewalls, virus scanners, hot sync managers, print managers, network managers, scanner managers, fax managers, spyware, adware, malware and all the other crap that Windows users seem to accumulate over time.
Most home-built radiator-based watercooling systems have been built with heater cores (the part of your car's cooling system used to provide heat in the passenger compartment.) They're much smaller than the engine radiator, but look and work the same way.
I wish I still had the link, but I recently saw a picture of a guy who built the most ghetto homebuilt cooling system you can imagine. He took the whole radiator from a '79 Toyota and duct-taped the hoses into his PC case. I think the radiator still had bugs stuck in it, it was that ugly. I'm not sure if it was a joke or if he thought he was being inventive, cheap or what. But it was impressively ugly.
But yeah, it's been tried. A lot.
( Actually, the heatsink in this picture is SMALLER than my Zalman Reserator. )
But only if they can actually find to the next zombie. If one bot infected and recruited 100 other windows boxes, which of those lead to others? Can you get to the next box? Is it in the same country? Can you get logs from the ISPs involved to identify it? When they're not under direct use, they're kept busy portscanning for other victims, so it's never a static "snapshot", either. How do you know when you've got 'em all?
Remember, there are over 10,000 bots in a typical professional extortionist or spammer's botnet. Are you capable of rolling them all up and identify the single one which received the spammer's actual input? That's a helluva feat.
There are tools, such as the "internet telescope", which might reveal the "first source" of a spam or of an attack. But when the bots are syncrhonized, as when an extortionist commands "Begin a DDoS attack on www.foo.com at 0800 GMT", timing on the telescope reveals nothing other than "which of these idiots with infected PCs also don't have their clocks set properly."
Botnets have evolved beyond your 2003 viewpoint. They now are implementing encrypted peer-to-peer communications networks, and are not run from a central point like the IRC-based botnets of old.
I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.
Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.
Well, I have a Dell Precision 610 at work, and I have to say I love it. It's screamingly fast, and absolutely whisper quiet. It's the most stable machine I've used in probably 10 years. And it was also about $4k.
At home I have a homebuilt AMD that's loud, hot, unstable and about 1/4 the price. I'll be updating it long before I'll be updating the Dell. But I'll continue to replace it with AMD gear, as long as my AMD chips aren't DRM infested.
"Trusted computing" is going to offer more than just the ability to playback DRMed material without the possibility of your copying it. It's also going to offer "certified" programs. Want to run Office? Hope your subscription is up to date. Fine, Microsoft gets their money.
But what happens when the OS turns on you? Let's say that a judge somewhere finds BitTorrent is an "infringing application", and orders Microsoft to disable the signature associated with BitTorrent? There, problem solved, no Microsoft boxes will run it. And now, the CPU is party to enforcing that restriction.
And what happens when it goes even further? Downloaded a copy of Star Wars III to your hard drive, and now you're trying to play it through Windows Media Player, DRM Edition? Not only is it going to refuse it because the file's signature is on the nightly-downloaded "do not play" list, but nothing is stopping them from reporting you to the MPAA.
Wanna run Knoppix? Sorry, but now the chip can identify that as an "infringing application."
With Trusted Computing, DRM isn't a choice -- it's the rule. DRM chips are simply the only playground on which they can be forced to happen.
Ahh. That's only if you're not logged in when you post. Nope, doesn't bother me at all. Keeps the stupid troll posters from scripting their fecal-ware.
If you don't like it, feel free to log in. You'll dodge it completely.
So I really am safe as long as I'm not entering my PIN in a place where I can be eavesdropped upon. No worries! Whew.
Now a headset has only a limited set of functions it can perform -- they can't dial digits without a keypad, so they're usually restricted to voice recognition of pre-programmed names. So unless you wanted to steal a phonecall to my wife or my son, you probably won't find it very useful.
That is, if headsets are restricted to "no dialing, no OBEX, no service discovery". If headsets are allowed to "change" their profile to suddenly support network dialing, keypads, and all that, then you're in big trouble from spoofers without even worrying about cracking the crypto.
Thanks for the clarification.
Then not only didn't you RTFA, but apparently you haven't used Bluetooth, either. Bluetooth is an extremely useful mechanism for many of us. It lets my PDA get on line; and when I hop in my vehicle, my car stereo magically becomes my car phone whenever it rings.
I just wish more devices were Bluetooth enabled (and that this security hole didn't exist.) As is, I'm not losing sleep over this as I don't have a public-transit commute (the sort of place where breaks seem most likely to happen.)
If it's a manual step, then it'll require education of the users to not pair their phones in public.
The other thing to remember is that they're going to spend money to enforce laws that are the most visible to the most people. "Identity Theft" is a very popular headline these days. Most people have inboxes full of spam. By equating these annoyances with "identity thieves," spending money on fighting them becomes a politically smart manouever. And because we are collectively so stupid that we believe everything the news tells us, it doesn't even matter whether or not it has any effect on our inboxes! As long as a politician can use it to say "I'm doing something!" the money to fight it will be there.
Now, whether or not we shared factual stuff, like "hey, we know about these Weapons of Mass Destruction in Iraq," and "Really? So do we!", well that's a different question.
Therefore, I whole-heartedly apologize to absolutely everyone who was taken out back and beaten with sticks because I submitted a duplicate story.
Oh, what's that? You say you weren't taken out back and beaten with sticks because I submitted a dupe? Then may I ask why it is a Department of Homeland Security issue that someone posted a dupe? Honestly, I sometimes think that posting "Dupe" is just a different way of saying "FRIST PSOT" without getting immediately modded down as a troll.
Because it's easier to type .xxx with one hand?
Space: 1999 made it easy for every fanboi to whip up a glowing-light stapler-based laser gun. The kids who made Star Trek phasers and communicators, now they had to work for their entertainment. But Space: 1999's props all look like they came out of mom's basement or dad's garage workbench, (and mostly because I think they did.) That made it easier for the kids to have their own As-Seen-On-TV toys.
And Martin Landau? Now there's a guy who knows how to act his way out of a paper bag! No cliche phrases, no hackneyed punch-out-the-bad-guy-and-kiss-the-girl storylines, just pure thespianism!
I'm so looking forward to this...
You should probably capitalize Mormon, as it's a proper noun; or you should spell "mormon" without the second silent "m".
Just because the EFF quoted someone else's article doesn't mean they don't believe it, or it's not their point. Rather, they seemed to be rejoicing in the news as if it were the Holy Gospel. And I think that's extraordinarily naive. They're way underestimating the power of the dark side.
And it has nothing to do with "email" or "share". It's the "broadcast" flag and it would only have interefered with recording, not with subsequent usages.
Sorry, but I don't see where the EFF would be the definitive authority on what the MPAA is up to. They're going to see what they want to see, and how they want to see it. Yes, a certain representative may currently be opposed to the provision, but that won't take away any incentive from the MPAA to continue to push Congress for whatever they can get.
There are people who are recommending (probably to sell CPUs, not to help anyone altruistically) that home users buy dual core chips -- and devote one CPU to their primary application, and the other to run the firewalls, virus scanners, hot sync managers, print managers, network managers, scanner managers, fax managers, spyware, adware, malware and all the other crap that Windows users seem to accumulate over time.
Made me want to cry when I heard that.
I wish I still had the link, but I recently saw a picture of a guy who built the most ghetto homebuilt cooling system you can imagine. He took the whole radiator from a '79 Toyota and duct-taped the hoses into his PC case. I think the radiator still had bugs stuck in it, it was that ugly. I'm not sure if it was a joke or if he thought he was being inventive, cheap or what. But it was impressively ugly.
But yeah, it's been tried. A lot.
( Actually, the heatsink in this picture is SMALLER than my Zalman Reserator. )
Can't tell you the dimensions, but we know that it gets 80 furlongs to the hogshead, and that's the way we likes it!
Remember, there are over 10,000 bots in a typical professional extortionist or spammer's botnet. Are you capable of rolling them all up and identify the single one which received the spammer's actual input? That's a helluva feat.
There are tools, such as the "internet telescope", which might reveal the "first source" of a spam or of an attack. But when the bots are syncrhonized, as when an extortionist commands "Begin a DDoS attack on www.foo.com at 0800 GMT", timing on the telescope reveals nothing other than "which of these idiots with infected PCs also don't have their clocks set properly."
I briefly chatted with a guy who tracks these people down, and looked at some research posted by the honeynet project. My understanding is the operator fires a message into just one zombie, and it passes it around to its immediate circle of friends, then launches the requested task. Each zombie only relays the command to its peer circle, making it "cell based". The investigator really has no idea which cell was "cell 0", where the command originated.
Many of the DDoS attacks are things like SYN floods with forged IP headers, making it very tough to track back to any single machine, let alone the thousands the zombie operators had under their control.
At home I have a homebuilt AMD that's loud, hot, unstable and about 1/4 the price. I'll be updating it long before I'll be updating the Dell. But I'll continue to replace it with AMD gear, as long as my AMD chips aren't DRM infested.
But what happens when the OS turns on you? Let's say that a judge somewhere finds BitTorrent is an "infringing application", and orders Microsoft to disable the signature associated with BitTorrent? There, problem solved, no Microsoft boxes will run it. And now, the CPU is party to enforcing that restriction.
And what happens when it goes even further? Downloaded a copy of Star Wars III to your hard drive, and now you're trying to play it through Windows Media Player, DRM Edition? Not only is it going to refuse it because the file's signature is on the nightly-downloaded "do not play" list, but nothing is stopping them from reporting you to the MPAA.
Wanna run Knoppix? Sorry, but now the chip can identify that as an "infringing application."
With Trusted Computing, DRM isn't a choice -- it's the rule. DRM chips are simply the only playground on which they can be forced to happen.
I am Zeus, Seller of the Gods.
Opening bids up for Narcissus. He's in beautiful shape! Any takers for Narcissus? (Sorry, sir, but you cannot bid on yourself.)
What am I bid for this muse, Apollo? Anyone care to bid on Apollo? Slightly used, I'm letting him go for a paean.
We've got goddesses, too! Aphrodite is going fast! She always goes fast!
Oh, you meant "seller of the goods"? Never mind.
If you don't like it, feel free to log in. You'll dodge it completely.
What "image verification thing" are you talking about? A specific site, or just the idea of image verification in general?