I thought this stuff was well-known... maybe they've fixed it now, but at the time TrustZone had absolutely no security mitigations, no ASLR, no DEP, no non-executable heap or stack, as one pen-tester put it you could "hack like it was 1999". So for example Motorola's otherwise quite secure Android Razr cellphones were hacked by exploiting various holes in TrustZone and then attacking the "insecure" phone software from inside the "secure" TrustZone (the call is coming from inside the house!). Given that the TrustZone kernel that was used seems to have been written without any regard for security, I wouldn't put much hope in future versions being much better, it'd be like starting from Windows '95 and hoping for a secure system at some point.
Across the room, his father turns on a laptop. "Now we will register our child,"
"Unt now ve register our child. Ve haff permission from ze government to haff him, provided he doess his compulsory military serviss, vhich guarantees both citizenship unt voting riiights!".
Security-wise they're no different, both are bug-riddled super-privileged zones of operation that can be used to compromise the main system, and that the main system has no oversight of. Using holes in the secure-because-we-say-it-is TrustZone to compromise the otherwise secure main system is particularly amusing,
I'm defined by who I am, not whether my great-great-great grandfather was a different race to my great-great-great grandmother.
For any white supremacists wanting to cover up the fact that their great-grandmother's name was actually Leshaniqua and not Mary as claimed, please remit $1,000 to pure_aryan_dnatest_results@paypal.com.
I'm actually surprised no-one's done this yet. You can buy clean urine test results to cover up doping, I'm sure there'd be a good market for "pure" DNA test results to cover up ancestry. If you can get people to pay money for pee, I'm sure they'd pay money for spit.
I got the opposite results of what many white supremacists nutcases are getting, according to 23andMe I'm 100.0% white European (my family were peasant stock from central European going back forever). I actually wanted to have some interesting mixed blood, but it's just completely boring central European monoculture. Maybe I should sell my DNA to the mixed-race white supremacists...
I started to have a look, mostly to see how many new UEFI security holes I could spot in the first five minutes. Holy fuck, have you seen the size of that code base? There's an entire OS and supporting services hiding in there screaming to get out (and waiting to be exploited), the bloat is ridiculous. I stopped skimming after I don't know how many thousand lines of code, and I'd barely scratched the surface.
Exactly. Firmware is what's permanently flashed into your hardware to make it run, it's not a service, and if it was a service any availability issue would mean your hardware wouldn't work any more. Sheesh, what's next, DRAM as a Service? PSUs as a Service? Wall Socket as a Service?
In any case this is just the dry run for the big one, the resupply contract for the ISS. Next launch will be 5000lb of poppadoms, rogan josh, samosas, and tandoori chicken.
Problem with this is that the collateral damage is huge. Because of pre-FOSTA/SESTA laws, it paid to automatically tag your contents page as adults-only for safe-harbour reasons even if it was 99.99% certain that there was no adult content whatsoever. Now, post-FOSTA/SESTA, they're auto-removing anything for which the owner made the safe-harbour choice, whether there's adult content there or not. There were several Tumblr pages which I didn't even realise were tagged as adult content (photography stuff) until they all vanished earlier today. At least 500px and the like are still OK... for now.
Not to sound too disparaging. But Open Source is often the waste bin of dead technology.
Yep. The IT industry's equivalent of the movie industry's "If you can't make it good, make it 3D" is "If you can't make it successful, make it open source".
Y'know, if you could mix and match features from about ten different Samsung phones, you'd get one pretty decent phone that didn't suck. Take the J-series for example, a range of phones so badly crippled they can't even update their own firmware because there's no space on the system partition, but it does have a headphone jack. Then there's the A8 without the headphone jack. And there are others, all crippled in various ways so they won't compete with each other. Drop a few thousand on various Samsung phones and pretty soon you've got the feature set for a single actually useful phone.
Well they're not doing so well with the War on Drugs, War on Terror, War on Whatever, so they have to distract themselves with a War on some random crap on Youtube, obviously the most important social and political issue of our time. Bread and circuses!
Slashdot Mirror
I thought this stuff was well-known... maybe they've fixed it now, but at the time TrustZone had absolutely no security mitigations, no ASLR, no DEP, no non-executable heap or stack, as one pen-tester put it you could "hack like it was 1999". So for example Motorola's otherwise quite secure Android Razr cellphones were hacked by exploiting various holes in TrustZone and then attacking the "insecure" phone software from inside the "secure" TrustZone (the call is coming from inside the house!). Given that the TrustZone kernel that was used seems to have been written without any regard for security, I wouldn't put much hope in future versions being much better, it'd be like starting from Windows '95 and hoping for a secure system at some point.
It does what MS Paint used to do, the default easy-to-use painting app under Windows.
And for the person who asked why people wouldn't use the GIMP, see the sentence above.
Across the room, his father turns on a laptop. "Now we will register our child,"
"Unt now ve register our child. Ve haff permission from ze government to haff him, provided he doess his compulsory military serviss, vhich guarantees both citizenship unt voting riiights!".
Security-wise they're no different, both are bug-riddled super-privileged zones of operation that can be used to compromise the main system, and that the main system has no oversight of. Using holes in the secure-because-we-say-it-is TrustZone to compromise the otherwise secure main system is particularly amusing,
They could still export their food, except that for some reason rats don't feature high on neighbouring nations diets.
And ARM has TrustZone as its answer to Intel's Management Engine. Not sure which is worse in terms of insecurity.
Now if it'd been a story about Faraday Futas, that would be worthy of the Slashdot front page.
The only regret is that I get the feeling he would he liked to have gone out in a hail of bullets, not peacefully of natural causes...
I'm defined by who I am, not whether my great-great-great grandfather was a different race to my great-great-great grandmother.
For any white supremacists wanting to cover up the fact that their great-grandmother's name was actually Leshaniqua and not Mary as claimed, please remit $1,000 to pure_aryan_dnatest_results@paypal.com.
I'm actually surprised no-one's done this yet. You can buy clean urine test results to cover up doping, I'm sure there'd be a good market for "pure" DNA test results to cover up ancestry. If you can get people to pay money for pee, I'm sure they'd pay money for spit.
I got the opposite results of what many white supremacists nutcases are getting, according to 23andMe I'm 100.0% white European (my family were peasant stock from central European going back forever). I actually wanted to have some interesting mixed blood, but it's just completely boring central European monoculture. Maybe I should sell my DNA to the mixed-race white supremacists...
I started to have a look, mostly to see how many new UEFI security holes I could spot in the first five minutes. Holy fuck, have you seen the size of that code base? There's an entire OS and supporting services hiding in there screaming to get out (and waiting to be exploited), the bloat is ridiculous. I stopped skimming after I don't know how many thousand lines of code, and I'd barely scratched the surface.
Exactly. Firmware is what's permanently flashed into your hardware to make it run, it's not a service, and if it was a service any availability issue would mean your hardware wouldn't work any more. Sheesh, what's next, DRAM as a Service? PSUs as a Service? Wall Socket as a Service?
Yup, this is the company whose motto is "only the paranoid survive", they practically wrote the book on crushing competitors via unethical means.
Yeah, sorry, my bad. They should install Qihoo 360 Total Security.
In any case this is just the dry run for the big one, the resupply contract for the ISS. Next launch will be 5000lb of poppadoms, rogan josh, samosas, and tandoori chicken.
Problem with this is that the collateral damage is huge. Because of pre-FOSTA/SESTA laws, it paid to automatically tag your contents page as adults-only for safe-harbour reasons even if it was 99.99% certain that there was no adult content whatsoever. Now, post-FOSTA/SESTA, they're auto-removing anything for which the owner made the safe-harbour choice, whether there's adult content there or not. There were several Tumblr pages which I didn't even realise were tagged as adult content (photography stuff) until they all vanished earlier today. At least 500px and the like are still OK... for now.
They should install Kaspersky, then they'd be OK, A/V, filtering, an IDS, and a decent auth system all in one product suite.
Not to sound too disparaging. But Open Source is often the waste bin of dead technology.
Yep. The IT industry's equivalent of the movie industry's "If you can't make it good, make it 3D" is "If you can't make it successful, make it open source".
These changes were designed to ensure that Edge and other browsers could not properly run Google's sites
Google ain't done until Edge won't run? I have a feeling I've heard something like that before somewhere...
Y'know, if you could mix and match features from about ten different Samsung phones, you'd get one pretty decent phone that didn't suck. Take the J-series for example, a range of phones so badly crippled they can't even update their own firmware because there's no space on the system partition, but it does have a headphone jack. Then there's the A8 without the headphone jack. And there are others, all crippled in various ways so they won't compete with each other. Drop a few thousand on various Samsung phones and pretty soon you've got the feature set for a single actually useful phone.
Colonel Sandurz: Prepare for high precision!
Tim Cook: No-no-no, high precision is too unclear!
Colonel Sandurz: High precision too unclear?
Tim Cook: Yes, we'll have to go right to...ludicrous precision!
[The entire crew gasps.]
Colonel Sandurz: Ludicrous precision?! Sir, we've never gone to that precision before. I don't know if this advertising campaign can take it!
Tim Cook: What's the matter Colonel Sandurz... chicken?
Well they're not doing so well with the War on Drugs, War on Terror, War on Whatever, so they have to distract themselves with a War on some random crap on Youtube, obviously the most important social and political issue of our time. Bread and circuses!
Are you saying no just to be negative?
While consuming porn is typically a private and personal affair, porn sites still track your every move:
Not much to track there, just one or the other hand moving back and forth repeatedly, then stopping suddenly.
I'd rather a Python embrace Microsoft... and squeeze... and squeeze... and squeeze...