Slashdot Mirror


User: bill_mcgonigle

bill_mcgonigle's activity in the archive.

Stories
0
Comments
18,097

Comments · 18,097

  1. Re: seriously on Statistical Mechanics Finds Best Places To Hide During Zombie Apocalypse · · Score: 1

    note that they didn't model per-capita ammo supply as an input. Real people aren't going to put two loads of buckshot into the head of a smallpox patient.

  2. Re: Closed source GPUs on Intel Announces Atom x3, x5 and x7, First SOCs With Integrated 3G and LTE Modems · · Score: 1

    agreed (and they know it) - this is probably their 18-month holding pattern while the Israel team gets the power out of Iris. Not having a market position until then is a worse option for them. Not paying a video royalty is obviously better for cost/profitability and developers.

  3. Re:Last straw? on ISIS Threatens Life of Twitter Founder After Thousands of Account Suspensions · · Score: -1

    Let me repeat that, in case you appear to misread it. 16,000 airstrikes
    I'm not exactly sure how anyone can say we're not "stopping them"

    I know if a foreign adversary had launched 16,000 airstrikes on the US, I'd harbor no ill will towards them! Doubly-not if they'd killed my loved ones!

    Because people who live in the middle east are the black-haired equivalent to the soulless gingers who roam our streets, except more mindless and probably much-gatherers - amirite?

    Oh, wait, did you mean the airstrikes were IMPROVING our safety? ROFL WAFL!

  4. Re: Let me guess the name of the line on Ikea Unveils Furniture That Charges Your Smartphone Wirelessly · · Score: 1

    Nokaard (with two dots over the o).

    Maybe just 'Discard ' - at least the electronics will fail about the same time as the joinery.

  5. Re: Nope on Samsung Officially Unpacks Galaxy S6 and Galaxy S6 Edge At MWC · · Score: 1

    Jesus, NSA contractor - at least register a damn account and build some cred so *somebody* will fall for your propaganda. Do they actually pay you for such phone-it-in workmanship?

  6. Re: Krebs on How Do You Handle the Discovery of a Web Site Disclosing Private Data? · · Score: 2

    I like Krebs, so DO NOT put him in a position where he has to think about protecting your identity. For the love of all that is holy, boot Tails on a junker laptop at a cafe you never go to and use a throw-away mail account or pastebin it and leave a comment.

    Or just walk away. You have no duty to put your life on the line here - everybody who supports the system that will throw you to the lions for being a good guy will suffer for it in kind. You're not obligated to be their saviour. Sucks, but play the shitty hand you're dealt - don't bet all your money wishing you didn't just have a pair of threes.

  7. Re:how ? on Ask Slashdot: How Does One Verify Hard Drive Firmware? · · Score: 1

    I'm betting, even in their mom's basement, hardly anyone has time for that.

    Time and money are fungible in this case (buy equipment, hire an expert). Rich corporations have time and money to do this. "The People" most certainly do not. Plutocracy managed.

  8. Re:Pretty pointless on Ask Slashdot: How Does One Verify Hard Drive Firmware? · · Score: 4, Insightful

    I'm still waiting for the first CEO to go to jail for refusing this.

    Dude, you're fourteen years behind the news. The technique is not to get you on the "refusing NSA" charge, but any of the other countless criminal acts you commit every day. This is the primary purpose of a hyper-criminalized environment - so that everybody can be easily bent to the whim of the power structure. See also: charge stacking and the de-facto abolishment of the Sixth Amendment through the plea-bargain process (or, if you're a corporation, the no-plea deal for really efficient fascism).

  9. Re:Hashes not useful on Ask Slashdot: How Does One Verify Hard Drive Firmware? · · Score: 3, Informative

    Seagate is correct. Putting a hash on the website doesn't improve security at all because anyone who can change the download can also change the web page containing the hash. ... A company like Seagate doesn't rely on volunteers at universities to distribute their binaries so the technique is pointless.

    There are many possible attacks. A hash on a website is not invulnerable to a rogue employee at Seagate (or one "just following orders").

    A hash protects against a rogue insertion at the endpoint. Like if your PC is compromised by an attacker and then you pull the hard drive and (assuming there's a way to get a hash from SMART/ATAPI) you can compare the hash of the firmware that the drive is running to the list of published firmwares at the vendor's site. If the attackers are only modifying a small subset of drives, this works fine - they can't also intercept the check to the vendor's site - not unless they've broken TLS and/or have malware on every possible machine.

    A tool to verify the firmware is poetically impossible to write. What code on the drive would provide the firmware in response to a tool query? Oh right ..... the firmware itself.

    Well, today you can pull the image from JTAG, or so the experts have said (you can verify the firmware directly from memory with a hash if you have moderate funding). There's all sorts of talk about how ATAPI is write-only for firmware because the vendors don't want their competition to get their code and decompile it. This appears to be nonsense, as any other drive vendor already has the debug tools to pull such things from memory, and extracting it from an update isn't that hard - if a 16K DOS update utility can extract it, so can a multi-billion dollar R&D company.

    To make it work you need an unflashable boot loader that acts as a root of trust and was designed to do this from the start. But such a thing is basically pointless unless you're trying to detect firmware reflashing malware and that's something that only cropped up as a threat very recently. So I doubt any hard disk has it.

    They most certainly do not. So, here we are at today and need a way forward. There are a few ways forward, a fistful of crypto protocols to choose from to ensure future usefulness of hard drives for security applications, and INCITS/SATA-IO ought to be having emergency meetings _right now_ because this (NSA/GCHQ) is a major threat to the industry. The vendors may need to move operations outside of five-eyes to remain commercially viable.

  10. Re: I should think so! on Blu-Ray Players Hackable Via Malicious Discs · · Score: 4, Interesting

    but it doesn't seem to be a likely threat vector.

    Do some traffic analysis on your target's porn habits at the ISP, leave a compromised disc about his favorite kink in a bag on the ground near where he parks his car, and use his "connected" player to zero-day the other equipment on his LAN, installing the APT without even needing to pretend about premises warrants or anything.

  11. Re:Does it matter? on Microsoft, Amazon, Google, Facebook Press WA For $40M For New UW CS Building · · Score: 1

    I will preface this by saying "this is really true" because you probably would otherwise read it as a nonsense, sarcastic, or glib comment.

    I heard a conversation the other day about some of the terrible new buildings at the nearby university. A very senior administrator said (paraphrased), "you need to hire a hot architect and pay him 20% of the project price to come up with some really shocking architecture, to prove to prospective students that the school is still relevant."

    I think he was talking mostly about the atrocity that they added to the Medical School, which looks suspiciously like the post-accident Chernobyl reactor. The "architecture" part of the project probably added $20M over making it look like a classical higher-ed building. I believe this administrator had final sign-off on such an expense.

  12. Re:Should come with its own football team on Microsoft, Amazon, Google, Facebook Press WA For $40M For New UW CS Building · · Score: 2

    It is not like an educated population is some kind of public good.

    It's not, if you're speaking about the economic term. A 'public good', to an economist, is something that cannot be provided by the private market (a "market failure") and therefore must fall to a government to provide. Education is one where the private market excels in comparison to the public provision, which would be a counter-example.

  13. Re:Should come with its own football team on Microsoft, Amazon, Google, Facebook Press WA For $40M For New UW CS Building · · Score: 2

    And how should the government do that? With the tax income that these companies managed to avoid paying? Cool story bro.

    The government should take money from the poor and funnel it into the coffers of these corporations. Did you miss the part where government is for the privatization of gains and the socialization of losses?

  14. Re:Single point of failure on Vandalism In Arizona Shuts Down Internet and Phone Service · · Score: 2

    The alternative is asking for bankruptcy.

    I can just about guarantee you that several buyers of bandwidth in Phoenix had contracts with the people who owned this fiber and those contracts specified multiple redundant paths out of the city.

    Odds are we're looking at backup system failure or contract fraud. Probably the former.

  15. Re:Net Neutrality on Vandalism In Arizona Shuts Down Internet and Phone Service · · Score: 1

    How so? Everyone gets the same speed....

    It's almost as fair as the toilet paper supply in Venezuela, Comrade!

  16. Bigger Markets on Google Reverses Stance, Allows Porn On Blogger After Backlash · · Score: -1, Troll

    Ah - they'll face opposition in some southern cities where they want to expand Google Fiber, but they won't suffer the wrath of the LGBT... community.

  17. Re:Does this work for Consumer builds? on Microsoft Finally Allows Customers To Legally Download Windows 7 ISOs · · Score: 1

    Put the key in off the license sticker on your PC

    Yeah, the one that rubbed off the bottom of your laptop in three months and you forgot to take a picture of it when it was new...

  18. Re:And blu ray menus! on VLC Gets First Major Cross-Platform Release · · Score: 1

    Ah, I hope Redbox helped fund this feature since they're going to be a primary beneficiary!

  19. Re: file transfer on Ask Slashdot: Old PC File Transfer Problem · · Score: 4, Informative

    you forgot to order the right Compaq IDE laptop header adapter. Whichever one it is for this model...

    Suddenly a Laplink cable and a VirtualBox running DOS with a detachable D: doesn't seem so awful bad. Move the image from the XP box via flash drive or network, mount it loopback and profit before lunch.

    http://www.pcxt-micro.com/dos-...

  20. Re:hmmm on 12-Billion-Solar-Mass Black Hole Discovered · · Score: 1

    Black matter, dark matter, dyslexia is awesome...

    "Alternately-bright matter" is the preferred nomenclature, Dude.

  21. Re: Ground Penetrating Radar potential on Developers Disclose Schematics For 50-1000 MHz Software-Defined Transceiver · · Score: 1

    One of the issues is whether they will turn from transmit to receive fast enough. If not, you might need two, or one of those cheap stick receivers and a converter.

    Is there some standard way to manage timing? Does the weekend hacker need to deal with signal/buffer latency from the DAC/ADC or somehow manage timecode synchronization?

  22. Re:Robots on Should a Service Robot Bring an Alcoholic a Drink? · · Score: 1

    Shouldn't they always serve the operator?

    yes, probably, maybe, sometimes, usually - there can be complex extenuating circumstances.

    Robot & Frank is a pretty good SciFi exploration of such issues. I think the writers imagine the likely future trade-offs well.

  23. Re:Companies ask for it on Jury Tells Apple To Pay $532.9 Million In Patent Suit · · Score: 2

    You have plenty of 'choice', but sitting and waiting for someone to actually do the work and make a success out of something then springing your patents on them and trying to cash in... yeah.. you are not likely to get much sympathy for your forced hand.

    In a world where ideas are a dime-a-dozen, execution ability is the real currency.

    So obviously those with no execution ability should use the government to force people to pay them for ideas they could not figure out how to make money on themselves.

    IP.

  24. Re:Should a Service Robot Bring an Alcoholic a Dri on Should a Service Robot Bring an Alcoholic a Drink? · · Score: 3, Insightful

    As long as you don't demand that one provide you with sex...

    But then, that's a whole other ethical bucket of fish.

    Nobody thinks there's an ethical problem with me "forcing" my lawnmower to spin its blade and murder the grass, or torturing my refrigerator by chaining it to a wall and making it go "brrrr" all day.

    Machines do what their owners want, end of story - there are no ethical issues unless they affect other people.

  25. Re:But can we believe them? on Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys · · Score: 2

    You realize that no one would give them money for the replacement sims? They would be required to replace them for free like in any recall

    Not just that - it might be worth it to the carriers to get the SIMs from anybody else.

    Nobody buys their SSL certs from Diginotar anymore - there is a smoking crater on the crypto landscape where that incompetent business used to be.

    Gemalto is left with having to prove the negative. We only need believe that their security and forensics people are more competent than the NSA/GCHQ attacker and cover-up people are, and continue to trust them on that basis. Gemalto cannot take a different position than they are now, no matter how confident they are/aren't.

    Why aren't phones generating their own keys when they're activated at the store? Burn a fusible link if necessary. This would be more secure _and_ cheaper for the carriers. Oh, because NSA has plants on the GSM committees?