Slashdot Mirror


User: Junta

Junta's activity in the archive.

Stories: 0
Comments: 6,549

Comments · 6,549

  1. Tomorrow's news story: critical security flaw found in LTE!

  2. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 1

    Didn't catch the part about GCMP, hopefully for once sluggish wifi implementations being behind the curve means most are using CCMP.

    TKIP should already not be in use for many reasons.

  3. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 1

    Disclaimer, I *hope* but realistically these things may be lax.

    TLS on private networks is a well known entity. The usual flow is using an extra CA to validate the certs that has no meaning outside that private network.

  4. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 1

    That's my point, that this attack is only valuable if you don't know the PSK. In most public wifi locations, you know the PSK. (Simplified to speak only to WPA-PSK).

    So the juicy targets would mostly be home networks and corporate wireless that laptops get on. Practically speaking though it would be much easier for PoS to reliably be secure regardless of the user, they probably send credit cards through telnet or some crap.

  5. Re:Very cool paper (but something curious) on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 1

    I suppose that *if*: you were snooping a network you could also spoof ip for without being in the middle, you could knock the legit user off the network and assume their identity to continue the tcp session as you spoof them.

    Though in that scenario, I'd imagine it easier to just set up a fake hotspot that looks legitimate, since that generally would be the case in say a public wifi spot. Also, not sure how many things in this day and age that are remotely sensitive would trust mere ability to continue a TCP stream to protect anything.

  6. Of course, strictly speaking LDAPS isn't over https. Of course it is over TLS which is the actual relevant part of the discussion (before someone goes off on insisting that LDAP needs to be over *http*).

    Of course, it should be considered a grave problem if any sensitive data relies upon the security of the LAN, considering a large chunk of network access is over an untrusted hotspot (no, that WPA2-PSK in the store with a legit-looking captive portal or the passphrase on the wall, or really any internet connection when you get down to it is not trusted).

  7. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 4, Informative

    Note that I would *hope* point of sale equipment and security equipment would use TLS regardless of the media. If that were the case, then the WPA2 weakness would not suddenly provide access to that material.

    For a private laptop connecting to public wifi-hotspots, this attack is harder than just setting up another credible wifi hotspot. Any place where the wifi password is well known knowledge is never going to be rigorous security.

  8. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 5, Informative

    And vice versa, a patched AP can prevent a client from breaking. One or the other side needs to prevent it, but either side by itself is sufficient.

  9. Re:How serious is this? How exploitable is it? on WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (zdnet.com) · · Score: 2

    an expect the same security as being connected to an unsecured wifi

    Not quite that bad. An unsecured wifi can have packets manipulated, and can snoop both directions. Here the attack cannot change any of the data and can only read one direction of the communication. Still pretty bad, but no reason to suddenly not care about open networks versus secured networks.

  10. Re:Who is being trolled? on Elon Musk Teases Reddit With Bad Answers About BFR Rocket (reddit.com) · · Score: 1

    Sorry, it's just we've heard this constantly for the past decade. And there are no signs that anyone else is taking this seriously,

    Nissan is pretty much neck and neck with Tesla for units sold per year of pure electric vehicles, Admittedly GM and Ford are currently lagging, though in part because fuel prices fell, chilling the market for EV a bit.

    I will say I can't readily find any numbers in terms of dollars invested so I've no idea whether you are right or wrong about being so optimistic about Tesla's spending in absolute terms, but measuring by percentage is a very incomplete metric, better to compare dollar to dollar (which can get very tricky, e.g. Ford developing the Focus Electric has a lot of common cost with the non-electric, so how you do accounting to claim some indication of enthusiasm for electrics is complicated).

    Also, wholly focusing on dedicated EV research may actually be a disadvantage. Ford sold more than 4x Focus vehicles in 2015 than any electric car, and so they have some room to amortize common development costs with the gas models further than say a Tesla or a Leaf can, and there is a lot about a car's development cost that is completely independent of the electric drivetrain. Of course to date Ford has been extremely tepid about their EV product, but if they ever take it seriously, they may have a huge advantage with their strategy.

    My big concern is that people couple the success of EV as a viable market too much to Tesla's fortunes. If Tesla botches the mundane facets of being a car manufacturer, I'd rather it not take down the concept in general with it.

  11. Re:Distraction on Elon Musk Teases Reddit With Bad Answers About BFR Rocket (reddit.com) · · Score: 1

    It may turn out ok in the end, but as yet 'hundreds' is not better than the Model S situation. What observers are waiting for is for Tesla to prove they can do large scale manufacturing, which is a hugely different game than small scale manufacturing, and a necessary competency to have if going up against the major automakers by themselves rather than in partnership.

    Being behind is not proof they cannot, but neither is shipping the same volume of Model 3 cars as they have Model S cars proof they can. It'll be quite a while to determine if they merely underestimated how long it would take to get the hang of large scale manufacturing or if they simply cannot manage to pull it off.

  12. Re:Distraction on Elon Musk Teases Reddit With Bad Answers About BFR Rocket (reddit.com) · · Score: 2

    Huh? So poor performance firings should require a detailed public airing of the company's grievances against the employees? And what the heck kind of crappy "layoff" would involve under 2% of the company's employee base?

    If you are expressing it in terms of percentage of employees let go in a single event, then it should be a layoff. Companies lay off figures like 2% all the time. Layoffs on the magnitude of 5% are considered big news, but layoffs they never talk about are the norm. Either way it's weird for all of a sudden Tesla to be doing stack-rank style firing without claims of affordability issues, which is generally considered a poor practice in the business world nowadays, especially odd coming from a company projecting a huge progressive image. It's considered a valid short term remedy for previous long term mismanagement (GE), but for Tesla it just seems bizarre.

  13. Re:Distraction on Elon Musk Teases Reddit With Bad Answers About BFR Rocket (reddit.com) · · Score: 1

    I'm confused. Do you think the company should have fired poor-performing employees earlier, or not at all?

    Tesla is on the cusp of trying to prove they have ambitions apart from being a boutique auto company. They are trying to prove to the world they can stand toe to toe with the mainstream auto companies. The production of the Model 3 is their first proof point, so the launch is of critical importance. Generally, companies don't take on the disruption of a bulk firing in that mode. Even when they are taking on more fiscal burden than perhaps they should, they wait until after their make or break moment. Tesla is flush with investment cash, a mass firing seems ill-advised.

    Now that doesn't mean they wouldn't fire individually horrid folks, but the scale they did all at once and in their own words corresponding with a performance review cycle... It's just a bad idea all around. At best it is still bad press against the backdrop of being in production and trying to get the Model 3 out the door.

    Even if they are poor performers, firing and back filling is far more of an impact than delaying. Also stack ranking to fire might have made sense for GE, a long lived company that had frankly accumulated a lot of mediocre employees over years of neglect. However for most other companies firing as a matter of policy for the lowest stack rank is generally not considered good form, and especially a company as young as Tesla shouldn't have the need to force fire bottom tier unless there's been some horrible management in place.

  14. Re: Not "Layoff"... on Tesla Just Fired Hundreds Of Workers (mercurynews.com) · · Score: 1

    The problem is both situations are flawed.

    In one case, sucking up to management gets ahead rather than merit. Politics is rewarded over talent, skill, and dedication.

    In the other case, someone gets paid more simply by not getting fired for longer. This means there's still not much room for rewarding going above and beyond.

    Even in a fundamentally democratic context, you still have politics, but to a different audience. As such, corruption is still quite easily a thing. It seems to be a sad reality of the human condition that folks will get empowered and empowered folks can be corrupt.

    In a large business, sadly both business leaders and labor leaders can get in a situation where they would rather bleed the endeavor dry rather than do what's right by the company.

  15. Re:I've got zero brand loyalty on Google is Essentially Building an Anti-Amazon Alliance, and Target is the Latest To Join (recode.net) · · Score: 1

    Others have mentioned the betrayal of long trusted brands failing or selling themselves out to random companies.

    I will say also prior to the internet, there was little recourse but to place your trust in a brand. With the internet, good and bad news travels quickly. You can find multiple in depth video product reviews of a random 5 dollar item. It comes from a large populace that can be gamed, but not nearly so easily as controlled advertising back in the day. So brand loyalty becomes but a smaller factor, and requires more sincere effort to keep people 'coasting' on your brand strength. I don't care if I see a brand like RCA it will carry zero meaning anymore, but a brand like 'ThinkPad' still carries weight for me, but they about lost it all when they did a touch strip and removed all clicky buttons one gen, but they rapidly reverted.

  16. Re:I've got zero brand loyalty on Google is Essentially Building an Anti-Amazon Alliance, and Target is the Latest To Join (recode.net) · · Score: 1

    "Visio who were barely heard of a decade ago wouldn't be as big as they are. It is also a lot of the asian brands, "

    He said "also a lot of the asian brands", so he didn't say Vizio was an asian brand.

  17. Re:I've got zero brand loyalty on Google is Essentially Building an Anti-Amazon Alliance, and Target is the Latest To Join (recode.net) · · Score: 1

    I will say it's a convenience to keep more loose track of a market and get to kind of trust a brand instead. Apart from being sold off, a brand tends to evolve slowly in quality, so if I have a good experience with a brand, I'll tend to get lazy on research and stay with it unless I see news that they got bought, they carry more than a 15% premium, or I clearly notice a decline or hear of a decline... then I start seriously evaluating again.

  18. He jumped to a conclusion about why you would hate Google, because evidently he doesn't notice anything else to be concerned about.

  19. Also, a coherent and deep unified shopping experience.

    Google shopping is crappy. It's damn near useless for researching a product or browsing categories. Forget ordering. Voice shopping is a gimmick that is only barely good enough for repeat purchases of cheap consumable goods even if you liked it. AR and all is neat I suppose, but they are so far off the fundamentals.

    If they had pretty much the amazon experience with "select a local store to instantly pick up from", that would be a serious threat, but I suspect that would be a bridge too far for their business partners to erase any pretense of value add the merchants think they provide to the shopping experience.

  20. It's less about the consumer impression and more about the business impression.

    If you are Target, the situation with Amazon is looking grim. Google sounds like a household name that is less overtly threatening, so for now, an alliance.

    WalMart is interesting as they recently bought Jet to compete with Amazon on more equal footing, and hypothetically they would have more control over their destiny that way, but probably a wise idea to hedge their bets.

    The brick and mortar thing is nice for me as there is at least a chance for instant gratification if it happens to be in stock. Even if not in stock, I'd feel better grabbing it from a store after it ships rather than left on my doorstep. If I were in a rural setting that would be different of course.

    The challenge of course is that Google doesn't feel like a brand that can pull this off, and they have a long history of random bets they've had to abandon. This seems ripe to be the next failure.

  21. Re:Myopic. on Researcher Turns HDD Into Rudimentary Microphone (bleepingcomputer.com) · · Score: 1

    The practicality of any sort of potential vulnerability must be considered. In a datacenter, even a human ear can generally not hear things. While someone will say 'well I tore my laptop apart and tore out the microphones and still have a spinning disk', this is a vanishingly small portion of the userbase.

  22. Re:Before you go on a "spy on anyone" rant... on Researcher Turns HDD Into Rudimentary Microphone (bleepingcomputer.com) · · Score: 2

    The server would just hear a lot of fan noise in the vast majority of cases. It is rare for a human to even be around disks for conversation.

    In a slightly more interesting thing, you could make an out-of-band communication method, induce noise (through disk accesses but more likely fan responses) and measure noise using HDD, of course it's hard to imagine getting that much access to two distinct systems and being so desperate as to communicate this way.

  23. Re: Autonomous Level 5 C-Level Positions on Nvidia Introduces a Computer For Level 5 Autonomous Cars (engadget.com) · · Score: 1

    The problem of course is that you don't need an infinite number of plumbers. There may come a time when we need some people to work, but we don't need or even want enough 'stuff' to justify everyone working. In all likelihood, many of those jobs will be highly skilled so you can't always just make up for it with more people and fewer hours (and even when we could, our current laws and reality discourage spreading out few hours among more people anyway).

    So if you can't even 'offer' a livelihood, what's a fair way to provide for your populace to cover both those working and those for whom there doesn't exist work to do?

  24. Re:Renter's Economy on Nvidia Introduces a Computer For Level 5 Autonomous Cars (engadget.com) · · Score: 1

    This is the whole part of the 'if you use it all the time'. If you use it all the time, you are going to be shouldering most if not all of the burden of the fixed costs of that thing you are renting in addition to the owner's margin.

    If you have a daily commute that resembles 90+% of the local population, renting a car is not going to be a winner because the peak load is going to bear the burden of pretty much all the costs. Mass transit can get some economies of scale to actually reduce cost (buses, trains), but so long as you are puttering along in a dedicated vehicle to your purpose, that cost equation is going to be tricky.

  25. Re:Renter's Economy on Nvidia Introduces a Computer For Level 5 Autonomous Cars (engadget.com) · · Score: 1

    Problem being that I wager you use your car at the *same time* the vast majority of people also use their cars. If the taxi fleet must accommodate peak load, then it's going to have to pretty much charge enough during peak load to pay for them the rest of the time when they are barely used. I suspect an automated taxi would be more like 12% of the time of revenue on average.