The way this works is that when you start one of the cars with this security hardware in it a chip in your car key talks to a chip inside the cars computer using secrets stored in both chips. If the secrets match, the car will start.
What the researchers figured out was a way to start the car without having the correct key.
Even if they had chips that were 100% compatible in hardware and software but with a new more secure algorithm, the cost to replace all of the chips in every car and every key (and to program the cars and keys with the correct secrets so that the right keys will open the right cars) would be astronomical.
The issue here is that this isn't like a piece of computer software where you can disclose the vulnerability to the vendor, give them a few months to push a patch and then go public.
The only way for Volkswagen and the many other car makers using this Megamos cryptography chip can fix their cars to not be vulnerable would be to replace both the computer system responsible for the immobilizer AND the keys/remotes/etc that talk to it. That would be a VERY expensive exercise.
And what about cars that are old enough where its just not possible to redesign the computer module and run a new production run (e.g. the computer module may rely on other components that you cant get anymore)
Or trying to find every single example of a car (whether made by Volkswagen or otherwise) that contains one of these vulnerable security chips so that it can have its system replaced?
Edison used his patents on motion picture cameras to control the film industry though litigation. In fact, his lawsuits forced many many film producers who didn't like Edison (or couldn't get a patent license from Edison) to move away to places like California (where it was harder for Edison to sue them and where the judges were less friendly to patent holders)
So yes he WAS very litigious. But no, he wasn't really a patent troll in that he actually produced many of the things he invented and patented.
RSA the algorithm isn't insecure if you use a big enough key. RSA the company may have released some weak products (at the request of the NSA or otherwise) but nothing they did affects the security of RSA the algorithm or the implementation of RSA that is in OpenSSH.
Or does this lock also feature a combination or key so that some random bike thief (who probably hasn't been drinking any alcohol) can't just come up, blow into it and steal your bike?
I WAS thinking of seeing this film in the theater when it came out here in Australia but this news is enough to tip me into the "don't bother" camp. I will not go to see it in the theater, nor will I pirate it or otherwise see it (maybe I will see it in a few years when it shows up on free-to-air TV)
By all accounts the film is a piece of crap anyway (just like every other Adam Sandler film to date) so I am not missing out on anything...
I am in Australia and pay A$14.99 a month ($5 discount for also having ADSL2+ with the same company) and get 1GB of data for free per month plus $300 worth of included cap spend that I can spend on calls or data (data after that free 1GB is charged at 0.2c per 10kb). The only things I cant use my $300 cap on are international calls, calls/sms to premium numbers and international roaming)
If Tesla are smart, they will have digitally signed all their updates with strong cryptography (2048 bit RSA or similar) such that the private key is stored on a secure box with limited access.
Hackers would need to obtain that private key before the car would pass their bogus firmware update as valid and install it.
It looks like the re-implementation of the Apple APIs is open source but their fork of the clang/llvm stack is not (although that makes sense since they are basically wiring their code generation backend into clang and publishing the source code for talking to c2.dll isn't exactly something Microsoft is going to do)
All through the 20th century if you created some content and wanted to distribute that content to a wide audience, you needed to go through a distributor who could distribute that content. These distributors would distribute your content (whether it be music, movies, TV shows, books, video games, magazines or whatever else) to the wide audience and would take their cut.
But in the early years of the 21st century, things changed and new distribution methods have appeared that allow people to distribute their content (even paid content) to a wide audience without going through a big corporation middleman taking a cut.
And now the big corporations are fighting back and trying to put the Internet genie back in the bottle and return to a world where companies like Comcast, Disney, 21st Century Fox, Time Warner, Viacom and Sony get to control what content is available to the general public.
Its been said before but I am saying it again, the #1 problem with this world is the control of the worlds governments by big corporations. Find a way to end that and the roadblocks preventing many of the other problems with this planet from being fixed will disappear.
As long as so many companies, towns and states earn so much money digging dirty polluting black rocks out of the ground and burning them to generate electricity, there is no chance that that the USA can move to a cleaner greener future.
There is some evidence out there to suggest the practice of shielding really little kids (babies on up) from these allergens (which is something more parents are doing because of concerns about the risk) is actually increasing the chance that they will become allergic as they get older and that introducing kids to all these foods very early will lower the risk.
Do cows fed on the diet they evolved over 1000s of years to eat, namely grasses and similar plant species, produce as much methane as cows fed on GMO cereal grains and such do?
Oh wait, if you fed cows what evolution designed them to eat, you couldn't sell $1 hamburgers at the golden arches...
The in-development Neo900 smartphone, whilst it doesn't have the latest and greatest hardware specs, is specifically being built to make it harder to do this crap. Option of going 100% FOSS on the main ARM processor with the exception of some userspace blobs for the PowerVR GPU (at least that is the intention) plus a hardware architecture that prevents the closed parts of the system (WiFi, cellular radio etc) from having access to the other hardware (there is no way to for the cellular module to have any access to the microphone, speakers or the memory or flash/filesystem of the main processor at all) No walled garden (since its 100% FOSS there is no control by anyone other than the user), not trying to sell you apps (no app store means no apps to sell) and no spying or tracking (unless you happen to install something that does spying or tracking)
Is the Neo900 for everyone? No. But if you want a phone that genuinely gives YOU the user the control, the Neo900 is the only device out there that can really do it... (and although not everyone likes binary blobs, the nature of the Neo900 means that if someone does produce a FOSS driver for the PowerVR stuff, it can be use on the Neo900 no problems)
Even if you do go for an electronic lock, there is no reason why it has to have a full OS (much less something written by Microsoft) underlying it. You could probably implement the logic for a safe on a simple microcontroller. Even if you need things like auditing (e.g. to record who opened the safe and when) all you need is a bit more memory (to store the list of valid codes and when those codes can be used plus the log of which codes are used and when) and a simple real-time-clock chip to keep track of the current date/time.
Also, there is no reason to leave any wires or ports or access points exposed to the outside world except for the battery compartment (if the safe has an external battery compartment to allow for battery replacement if the battery is drained) or the external power source/backup battery connector (if the safe has an internal battery box to allow for providing power if the batteries inside the safe are dead)
If I had some stuff I wanted to keep secure, I would buy a safe with a dial combination lock, not an electronic safe (and certainly not one with software sophisticated enough that it needs an actual OS underneath it)
If you are writing software that takes in a password and you are hashing the password to compare it to a stored hash, there is no reason at all to restrict the maximum length of a password or prohibit certain characters from being used in it.
If you are writing software that takes in a password and you are NOT hashing the password (but instead storing it in the clear or otherwise doing something with it), you shouldn't be writing software involving passwords in the first place (I can't think of a single valid reason to do anything other than store a password hash. Even "lost password" features can easily be done via temporary passwords or email-me-a-password-reset-link features)
I would love to hear from the people behind software and web pages that limit the length of passwords or restrict what characters you can have in it why they do such a stupid thing.
Whats left unsaid is how many ISPs (including those that dont yet exist except on paper or in someones head) would LIKE to offer super fast broadband but are unable to because local or state authorities have been convinced by dinosaur companies like Comcast and Time Warner to block alternative ISPs comming into the area and providing good access.
If governments at all levels stopped listening to the dinosaur ISPs and their friends in Hollywood and started listening to the people who elected them, the number of people able to get gigabit service (or even just super fast service) might start to be a meaningful percentage of the total population.
I have watched enough Top Gear to know that there are plenty of fancy cars (sports cars etc) out there where you use the infotainment system (or at least the screen for the infotainment system) to configure all the various settings for how the car will perform. So on those cars at least, there must be a 2-way link between the infotainment system and the car control systems.
Not sure whats more impressive, the fact that a 19 year old is able to get DARPA funding or the fact that a 19 year old (and his team presumably) is about to go into mass production with a fairly fancy looking custom microprocessor on a 28nm fab process.
Slashdot Mirror
It may well be that they need Flash so that people using older versions of web browsers (that can do Flash but not HTML5 video) will still work.
The way this works is that when you start one of the cars with this security hardware in it a chip in your car key talks to a chip inside the cars computer using secrets stored in both chips. If the secrets match, the car will start.
What the researchers figured out was a way to start the car without having the correct key.
Even if they had chips that were 100% compatible in hardware and software but with a new more secure algorithm, the cost to replace all of the chips in every car and every key (and to program the cars and keys with the correct secrets so that the right keys will open the right cars) would be astronomical.
The issue here is that this isn't like a piece of computer software where you can disclose the vulnerability to the vendor, give them a few months to push a patch and then go public.
The only way for Volkswagen and the many other car makers using this Megamos cryptography chip can fix their cars to not be vulnerable would be to replace both the computer system responsible for the immobilizer AND the keys/remotes/etc that talk to it. That would be a VERY expensive exercise.
And what about cars that are old enough where its just not possible to redesign the computer module and run a new production run (e.g. the computer module may rely on other components that you cant get anymore)
Or trying to find every single example of a car (whether made by Volkswagen or otherwise) that contains one of these vulnerable security chips so that it can have its system replaced?
Edison used his patents on motion picture cameras to control the film industry though litigation. In fact, his lawsuits forced many many film producers who didn't like Edison (or couldn't get a patent license from Edison) to move away to places like California (where it was harder for Edison to sue them and where the judges were less friendly to patent holders)
So yes he WAS very litigious. But no, he wasn't really a patent troll in that he actually produced many of the things he invented and patented.
RSA the algorithm isn't insecure if you use a big enough key. RSA the company may have released some weak products (at the request of the NSA or otherwise) but nothing they did affects the security of RSA the algorithm or the implementation of RSA that is in OpenSSH.
Or does this lock also feature a combination or key so that some random bike thief (who probably hasn't been drinking any alcohol) can't just come up, blow into it and steal your bike?
I WAS thinking of seeing this film in the theater when it came out here in Australia but this news is enough to tip me into the "don't bother" camp. I will not go to see it in the theater, nor will I pirate it or otherwise see it (maybe I will see it in a few years when it shows up on free-to-air TV)
By all accounts the film is a piece of crap anyway (just like every other Adam Sandler film to date) so I am not missing out on anything...
I am in Australia and pay A$14.99 a month ($5 discount for also having ADSL2+ with the same company) and get 1GB of data for free per month plus $300 worth of included cap spend that I can spend on calls or data (data after that free 1GB is charged at 0.2c per 10kb). The only things I cant use my $300 cap on are international calls, calls/sms to premium numbers and international roaming)
If Tesla are smart, they will have digitally signed all their updates with strong cryptography (2048 bit RSA or similar) such that the private key is stored on a secure box with limited access.
Hackers would need to obtain that private key before the car would pass their bogus firmware update as valid and install it.
It looks like the re-implementation of the Apple APIs is open source but their fork of the clang/llvm stack is not (although that makes sense since they are basically wiring their code generation backend into clang and publishing the source code for talking to c2.dll isn't exactly something Microsoft is going to do)
All through the 20th century if you created some content and wanted to distribute that content to a wide audience, you needed to go through a distributor who could distribute that content. These distributors would distribute your content (whether it be music, movies, TV shows, books, video games, magazines or whatever else) to the wide audience and would take their cut.
But in the early years of the 21st century, things changed and new distribution methods have appeared that allow people to distribute their content (even paid content) to a wide audience without going through a big corporation middleman taking a cut.
And now the big corporations are fighting back and trying to put the Internet genie back in the bottle and return to a world where companies like Comcast, Disney, 21st Century Fox, Time Warner, Viacom and Sony get to control what content is available to the general public.
Its been said before but I am saying it again, the #1 problem with this world is the control of the worlds governments by big corporations. Find a way to end that and the roadblocks preventing many of the other problems with this planet from being fixed will disappear.
As long as so many companies, towns and states earn so much money digging dirty polluting black rocks out of the ground and burning them to generate electricity, there is no chance that that the USA can move to a cleaner greener future.
There is some evidence out there to suggest the practice of shielding really little kids (babies on up) from these allergens (which is something more parents are doing because of concerns about the risk) is actually increasing the chance that they will become allergic as they get older and that introducing kids to all these foods very early will lower the risk.
Do cows fed on the diet they evolved over 1000s of years to eat, namely grasses and similar plant species, produce as much methane as cows fed on GMO cereal grains and such do?
Oh wait, if you fed cows what evolution designed them to eat, you couldn't sell $1 hamburgers at the golden arches...
The in-development Neo900 smartphone, whilst it doesn't have the latest and greatest hardware specs, is specifically being built to make it harder to do this crap. Option of going 100% FOSS on the main ARM processor with the exception of some userspace blobs for the PowerVR GPU (at least that is the intention) plus a hardware architecture that prevents the closed parts of the system (WiFi, cellular radio etc) from having access to the other hardware (there is no way to for the cellular module to have any access to the microphone, speakers or the memory or flash/filesystem of the main processor at all)
No walled garden (since its 100% FOSS there is no control by anyone other than the user), not trying to sell you apps (no app store means no apps to sell) and no spying or tracking (unless you happen to install something that does spying or tracking)
Is the Neo900 for everyone? No. But if you want a phone that genuinely gives YOU the user the control, the Neo900 is the only device out there that can really do it... (and although not everyone likes binary blobs, the nature of the Neo900 means that if someone does produce a FOSS driver for the PowerVR stuff, it can be use on the Neo900 no problems)
Even if you do go for an electronic lock, there is no reason why it has to have a full OS (much less something written by Microsoft) underlying it. You could probably implement the logic for a safe on a simple microcontroller. Even if you need things like auditing (e.g. to record who opened the safe and when) all you need is a bit more memory (to store the list of valid codes and when those codes can be used plus the log of which codes are used and when) and a simple real-time-clock chip to keep track of the current date/time.
Also, there is no reason to leave any wires or ports or access points exposed to the outside world except for the battery compartment (if the safe has an external battery compartment to allow for battery replacement if the battery is drained) or the external power source/backup battery connector (if the safe has an internal battery box to allow for providing power if the batteries inside the safe are dead)
If I had some stuff I wanted to keep secure, I would buy a safe with a dial combination lock, not an electronic safe (and certainly not one with software sophisticated enough that it needs an actual OS underneath it)
What is to stop Lattice from simply shutting down this project for an open FPGA toolchain for their FPGAs?
Or does Lattice not care about this particular project for some reason?
I refused to comment on YouTube because of the whole G+ thing, now I can go back to commenting on the many interesting YouTube videos I see :)
If you are writing software that takes in a password and you are hashing the password to compare it to a stored hash, there is no reason at all to restrict the maximum length of a password or prohibit certain characters from being used in it.
If you are writing software that takes in a password and you are NOT hashing the password (but instead storing it in the clear or otherwise doing something with it), you shouldn't be writing software involving passwords in the first place (I can't think of a single valid reason to do anything other than store a password hash. Even "lost password" features can easily be done via temporary passwords or email-me-a-password-reset-link features)
I would love to hear from the people behind software and web pages that limit the length of passwords or restrict what characters you can have in it why they do such a stupid thing.
Doesn't H.264 (aka MPEG4) which has much wider client support (browsers, hardware decoding, mobile etc) do a good enough job?
Whats left unsaid is how many ISPs (including those that dont yet exist except on paper or in someones head) would LIKE to offer super fast broadband but are unable to because local or state authorities have been convinced by dinosaur companies like Comcast and Time Warner to block alternative ISPs comming into the area and providing good access.
If governments at all levels stopped listening to the dinosaur ISPs and their friends in Hollywood and started listening to the people who elected them, the number of people able to get gigabit service (or even just super fast service) might start to be a meaningful percentage of the total population.
If you dont provide remote access to the car systems, how will systems like OnStar be able to start the car remotely (ala Die Hard 4.0)?
I have watched enough Top Gear to know that there are plenty of fancy cars (sports cars etc) out there where you use the infotainment system (or at least the screen for the infotainment system) to configure all the various settings for how the car will perform. So on those cars at least, there must be a 2-way link between the infotainment system and the car control systems.
Not sure whats more impressive, the fact that a 19 year old is able to get DARPA funding or the fact that a 19 year old (and his team presumably) is about to go into mass production with a fairly fancy looking custom microprocessor on a 28nm fab process.