Slashdot Mirror


User: v1

v1's activity in the archive.

Stories
0
Comments
4,784

Comments · 4,784

  1. Security through obscurity on Symantec CEO: Source Code Reviews Pose Unacceptable Risk (reuters.com) · Score: 3, Informative

    "In security engineering, security through obscurity (or security by obscurity) is the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system. A system or component relying on obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, that will be sufficient to prevent a successful attack. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."

    So either the CEO of Symantec is a security idiot, or he has a better reason he's not sharing.

    And if he's claiming the reason for using Security Through Obscurity is to provide his customers with a stronger feeling of being secure, I do hope the masses aren't idiots and this backfires as spectacularly as it really should.

  2. The third and final boss battle link is broken now with a "permission denied" notice. Anyone got a working link?

  3. What, a car exec badmouths the competition? Say it ain't so!

  4. Re:What if it was an Islamic volcano? on Hawaii Approves Telescope On Volcano Sacred To Indigenous People (reuters.com) · Score: 1

    in that case it's more likely it would have blown up the entire island.

  5. perhaps you slept through a certain class in school ;)

    You are counting the number of eggs ovulated, not created. For every one egg ovulated at the start of the cycle, there may have been a dozen or more on the surface of the ovary in various stages of maturation. When one follicle bursts and releases its egg, the others immediately stop growing and are re-absorbed. (when two burst at about the same time, you have a possibility for fraternal twins)

    I don't have hard numbers on eggs ripening, but a dozen is plausible. And those are just on the surface maturing. There are many more in stock inside the ovary, and that's the number you really need to go off. It's not like "ok the woman is going to use 500 eggs in her lifetime, so the body only ever produced 500 eggs" - that's totally wrong. That would be like only counting the total sperm production of a male based on sperm ejaculated. I wasn't able to easily find the total number of eggs the female body has stockpiled by the time they stop replicating. (at or around birth iirc) But it's certainly a lot larger than the total number ovulated.

    The difference is important since I was looking at generational mutation. I was interested to see how many generations of gamete production there were leading up to the end of fertile life, since each generation is a big contributor to genetic mutation in gametes. (along with recombination)

  6. Re:I guess this means on Fathers Pass On Four Times As Many New Genetic Mutations As Mothers, Says Study (theguardian.com) · Score: 4, Insightful

    Mutations occur mainly during cell replication. Given how many sperm are produced (compared to eggs) there's going to be many more generations of sperm (in the stem cell lineage) replications between a man and a woman over their lifetime. I've seen 5 billion quoted as a man's lifetime sperm production. From 1 starting stem cell that's over 30 generations. I don't see any hard data on how many eggs a woman is born with (since they don't replicate beyond that) but if it's say 50,000, that's around 15 generations. Each generation is an opportunity for more mutation. So the man has up to 15 additional generations of sperm production as he ages.

    I've also seen a study awhile ago that mentioned that older men have more mutations in their sperm, which also makes sense for the same reason, they're farther down the generation tree in their sperm production. Nothing about this article is surprising in the least.

  7. standard procedure on Ethereum Will Match Visa In Scale In a 'Couple of Years,' Says Founder (techcrunch.com) · Score: 3, Interesting

    Name a business that doesn't tell their investors that the business is growing and that there's a big boom in growth right around the corner?

    This is just SOP for any startup, and should be ignored. Judging future performance of any product should be done by careful examination of the product's history and of current and developing market conditions. There will be sudden surges here and there from time to time, but unexpected plunges will occur just as often, (if not moreso) and so should never be expected and only very carefully anticipated. And definitely not on the word of someone with a hugely vested interest in your investing further.

    This has no more merit than those random spam emails most of us have received from someone with a "market tip" about some stock that's going to explode in the next few days and you're advised to rush out and buy some.

  8. isn't this basically like eating fiber? on We're Eating Plastics From Our Own Dirty Laundry (vice.com) · Score: 1

    Don't the two both just pass through your digestive tract and on out? I don't see the big deal - if it just passes through and isn't getting absorbed or causing problems, why worry about it? Or is there some confirmed research that shows it's a problem somehow?

  9. Re:Outrage? on Dealership Remotely Disables A Car Over A $200 Fee (www.cbc.ca) · Score: 4, Insightful

    Once he has bought out the lease, how difficult would it be for the owner to remove the disabler himself, or just smash the modem?

    These things are often installed with the knowledge of the user of the car, as a way to disable the vehicle if they skip town with it or stop making payments on it, and so it's installed with a similar level of covertness as is a LoJack or a car alarm. Not to say they're all "installed properly", but the idea is to put them in some nonstandard location, made to look like they belong, not in a location easily discovered by accident or even if you're looking for it, and almost always wired up in such a way that simply cutting it out will render the car disabled by default. You have to know how to restore the connections to the engine/computer/starter after cutting the unit out, otherwise the car's computer, ECU, or starter won't work because some of its lines (that were bypassed during the installation of the device) were not reconnected in their normal/default way.

    As an example, on my new truck, the aftermarket remote start/alarm I had installed has "memorized" my chipped key and that's the only reason it can remote-start the truck. (since the key isn't present) If you cut out the alarm, you will have interrupted the lines between the computer and the ignition switch, and the car won't start for you because it can't see the key.

    Any alarm/disabler that ceases to disable the vehicle when simply cut out is junk. They do exist. I've owned one in the past that installed a relay in series with the starter solenoid power, and was connected by default. Only when the relay received power would it disable the starter. The relay was turned on when the alarm was going off. So in that case if you cut out the alarm (or simply unplugged the connector block from the unit, if you could find it) then the kill relay would have no power and the vehicle would start just fine. That's a bad design though. Reminds me of the movie trope where there's a bomb or something that's attached to a timer and the good guys are trying to disarm it but run out of time before they can figure it out. So they just reach in and rip it out, and that disables the bomb. (Rei ripping out the compressor, Carol Marcus disarming the torpedo by ripping out the fuser, etc) Or any number of movies where shooting the security panel at the door unlocks/opens the door, or shutting down the power to the building unlocks the vault door. Despite what you've seen in the movies, that's not how they're supposed to work. This is the difference between something that's designed to "fail-safe" vs "fail-open".

  10. Re: I know it's New York, but... on New York City Cops Will Replace Their 36,000 Windows Phones With iPhones (theverge.com) · Score: 1

    It's just the nightmare event of when someone from upper management pops their head around the door at the IT department and say "Oh hey guys, heads up, we just signed a contract for this new tech you're going to need to support for the next three years, look for my email with details on what we bought!" When upper management makes tech purchasing decisions whilst keeping themselves 100% insulated from their techs, that's what happens. A smooth sales pitch nullifies all technical and critical review, and you end up saddled with a contract to use and support ineffective, overpriced crap. Sales reps have a well-known technique for rushing the deal, and seem to have a knack for convincing the PHB that "everything will be fine, you don't need to consult your IT over this, they'll LOVE it!"

    I've been on the receiving end of that myself. Uppers made the decision to change out all their big multifunction printers without consulting IT at all, we just got an email notifying us "We just signed a contract with local printer supplier and they will be installing them next week, be sure to be there to talk with their tech about what changes we need to make!" It turns out their printers were incompatible with central print management, and the techs said "All we need to do is go to each computer and insert this CD and set up / configure each printer..." *sigh* "Clear my schedule for the next week I guess? And you better be damn sure you have your groups, permissions, and names all sorted out in advance and not interested in changing them with any frequency!"

  11. Re:I hope they get a discount on New York City Cops Will Replace Their 36,000 Windows Phones With iPhones (theverge.com) · Score: 1

    Traditionally bulk/enterprise purchasers of Apple products get charged MORE.

    [citation needed]

  12. "supplying energy" on People Are Using Recycled Laptop Batteries To Power Their Homes (vice.com) · Score: 1

    ... and turning them into powerful batteries capable of supplying energy to their entire homes.

    Please stop saying "supplying energy". Gas and coal are something that "supplies energy". Batteries store and release energy. (unless you're burning them and turning that heat into energy I suppose)

    You still have to charge them, storage isn't anything very incredible here. And old batteries can be pretty wasteful at that too. The manufacturers don't make the packs easy to take apart and separate the cells, and most of those packs have one or more cells that are performing much worse (or not at all) compared to the rest in the pack. You can't just chain together different grades of cells without introducing big performance hits, where you turn a lot of power into heat during charge and discharge due to the imbalance or bad cells in the string. If you want anywhere near decent performance you're going to have to tear the packs apart, separate the cells, test them, and group them together by current performance.

    And when you compare the storage capacity of these packs with say, the capacity you can get from a used battery at a junkyard, they immediately reveal themselves to be a very bad investment of your money and time. The only advantage laptop packs have right now is they're often free because large users (like schools and businesses) find it difficult to get anything for them and end up giving them away when they pull the bad ones to replace them with new. (or replace them on a rotating schedule, which increases your chances of getting a pack that's still got some decent cells in it) Schools are less likely to rotate out on schedule because they are more careful with their spending. Businesses are much more likely to swap out batteries on some sort of a schedule where batteries that are still mostly useful are being pulled out of use. The school I work at only throws batteries in the "battery recycle box" when they have dropped below 1/2 of original capacity. (and often only get noticed when they have failed completely or nearly completely, indicating a totally open cell or several failing cells at the very least)

    Compare the storage capacity of a new car battery and a new laptop battery. An average car battery is around 45 amp hours, which is a bit under 550 watt hours, which is what most laptop batteries are rated in. And the average laptop battery capacity is around 50WH, which is less than 1/10th that of a car battery. Now look at a typical used car battery you'd get at a junkyard for around $20. It won't have any bad cells either. (they won't bother trying to sell one that does because it won't start a car reliably with one or two dead cells dropping it to 8 or 10 volts) Then there's all the work involved in tearing apart old laptop packs, testing and matching cells, stringing them back together, setting up balanced charging... you'll quickly reach the $20/battery price point in supplies and added gear you could have spent at the junkyard. There's simply no chance of it possibly being worth it unless you think your time is free, and even then it just approaches break-even with lead acid, so you're just wasting your time. I don't consider my time free. Maybe if you're retired or something and looking for a hobby I suppose?

  13. Re:reset computer - battery explosion WTF on Hacker Helps Family Recover Minivan After Losing One-Of-A-Kind Car Key (bleepingcomputer.com) · Score: 1

    Any battery charger that doesn't monitor voltage and temperature is junk. At the very least there should be a way to restart a training cycle.

    Any decent charger will do that. But it's still necessary to track cycle count to adjust the charge rates and levels as a battery gets older. Risk of fire isn't as big as a lot of media say, that just gets them some more clicks. But improperly charging a battery will definitely shorten its life. And when it's a big, expensive battery, getting every week you can out of it is important.

    I've seen a lot of batteries swell due to overcharging, and a few of them even started busting up the laptop computer they were installed in at the time of the failure. I can't imagine the mess that would make of your car if the battery decided to be an extra 10 inches thick overnight... it'd punch out the bottom of the deck onto the driveway or try to stuff your headrest out the sunroof!

  14. Re:reset computer - battery explosion WTF on Hacker Helps Family Recover Minivan After Losing One-Of-A-Kind Car Key (bleepingcomputer.com) · Score: 2

    The problem is the key and the computer were paired. To fix the problem requires either duplicating the key (but it was a custom system so that's out) or replacing the computer with another one you have the key for. But when you replace the computer, THAT was where the charge cycles were stored, and the computer will think it's still using the battery from the vehicle it used to be installed in. (I suppose you could swap the battery too but that would be a whole new problem) The hack was replacing the computer and importing the battery data from the old computer.

    This all sounds rather odd to me, an electric vehicle you can't swap the battery on because the battery data is stored in the car not the battery? Any good laptop computer stores charge data in the battery itself, so a new battery has 0 cycles on it. You can also carry a spare battery with you and the computer can treat them differently. I don't see what sort of genius designs an electric vehicle and stores battery history in the computer rather than in the battery where it belongs.

  15. Re:This is great! on Hacker Claims To Have Decrypted Apple's Secure Enclave Processor Firmware (iclarified.com) · Score: 4, Interesting

    Decryption was essentially negated. That's breaking a layer of security if there ever was one.

    This was a small shade of "security through obscurity" but is only a thin veil. The performance of GOOD security or cryptography isn't affected by exposure of its methods. Like you see in the movies, where the criminals get the floorplan of the vault, the schedule of the guards, placement of the cameras etc etc, and manage to come up with a plan. That means the security was actually quite poor. They should have looked at it and said "Well... I guess there's just NO way to break into this place without getting caught." Now that still doesn't mean they publish their guard's schedule on the web page.

    The reason of course is that vulnerabilities may (and usually DO) still exist, and obfuscation or hiding of your security information does help a bit to mitigate that, but should not be seen as a solution. That's why good security is constantly changing and improving itself.

    You could even look at this as a good thing for them. Hackers love a challenge. A few of them will find a few holes, and publish them. (either for the credit, or the bounty, or on the darkweb etc) And any of those that are made public will get patched. There'll still be a few zero-days, the kind that either lurk in the kernel for years in plain sight without being discovered (think ShellShock) or the kind that teams of state-actors dig up and use for espionage. (think NSA dump)

    Otherwise, why would the encryption be in place in the first place? That is the point of encryption, correct? To secure things?

    In this case, there are two types of encryption going on. One is just obfuscation. The reason is that the key is there. The hardware decrypts the firmware and runs it. It has to be able to decrypt it unless you're going to key in a 128/256 bit key every time you turn on your phone, hence the symmetrical cipher. So it may as well not really even BE encrypted. To say you "negated" something that was already negated is silly. I wouldn't even call this "encrypted". The key is right there, so it's really more "encoded" than "encrypted". "Encrypted" means you know the process but you need the key, "encoded" means you have the key (if there even is one) but you need to figure out the process.

    The other encryption, the Asymmetric one, is the one that signed the firmware. The hardware decrypts the firmware, then checks the signature to make sure it hasn't been changed. No amount of searching the hardware or firmware will reveal the code to do the signing, as it doesn't exist. The public key is there, but not the private key. Now if the hackers had figured out THAT one, okay, NOW you can call it actually hacked. This wasn't hacked, it was simply researched. BIG difference.

    TL/DR time?

    OK that was a bit long-winded (but necessary) groundwork. What does this mean for ME? It's always safest to assume that people can and will do anything that's reasonably possible to be done. Digging out the obfuscation key is just something that's going to happen sooner or later. Where does that leave us? Since there's no private key to be dug out, and the crypto that's used in the signing isn't going to be brute-forced anytime soon, here are your options on how to leverage the firmware:

    1) you could find a bug in it that you can take advantage of. Maybe a timing condition or a race. Maybe a back door. (VERY unlikely in this case) For example, they may find that if you wait EXACTLY 83 seconds between passcode attempts, there's a bug in the firmware that doesn't increment the attempt count toward a device wipe. LEA would find this useful, and someone would make a Lego Mindstorms or Arduino contraption that would guess your pin in a few weeks. (go look for the Garmin ones on youtube) They may even find a way to get it to unlock without the correct code, but this is far less likely. (though not com
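    The two kinds of "encryption" the comment separates, as an added example in Go (not code from the comment, Apple, or the linked article). The obfuscation key, the vendor keypair, the image layout (AES-GCM nonce, ciphertext, Ed25519 signature over the plaintext) and the firmware bytes are all constructed for the demo; the point it shows is that holding the on-device key lets you decrypt and even re-encrypt, but not produce a signature the device will accept.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for the symmetric obfuscation key. It has to live on the
// device so the device can decrypt, which is why the comment treats digging it
// out as inevitable: whoever holds it can decrypt and re-encrypt at will.
var DeviceKey = sha256.Sum256([]byte("constructed-demo-obfuscation-key"))

// Vendor signing keypair (generated per run for the demo). Only the public
// half is burned into the device; the private half never ships.
var VendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// Image is the assumed on-flash layout: AES-GCM nonce, ciphertext of the
// firmware, and an Ed25519 signature over the firmware plaintext.
type Image struct {
	Nonce, Ciphertext, Signature []byte
}

func gcm(key [32]byte) cipher.AEAD {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // cannot happen for a 32-byte key
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Encrypt needs nothing but the device key, so the vendor and anyone who has
// extracted that key are on equal footing here.
func Encrypt(key [32]byte, firmware []byte) (nonce, ct []byte) {
	aead := gcm(key)
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce, aead.Seal(nil, nonce, firmware, nil)
}

// VendorBuild is the only step that needs the private key: sign, then obfuscate.
func VendorBuild(firmware []byte) Image {
	nonce, ct := Encrypt(DeviceKey, firmware)
	return Image{nonce, ct, ed25519.Sign(vendorPriv, firmware)}
}

// Extracted is the "research" step: decrypt with the on-device key, signature
// not involved. It succeeds precisely because the key is on the device.
func Extracted(img Image) ([]byte, error) {
	return gcm(DeviceKey).Open(nil, img.Nonce, img.Ciphertext, nil)
}

// Tamper models a key holder who modifies the firmware and re-encrypts it
// perfectly well but, lacking the private key, can only reuse the old signature.
func Tamper(img Image, patched []byte) Image {
	nonce, ct := Encrypt(DeviceKey, patched)
	return Image{nonce, ct, img.Signature}
}

// DeviceBoot follows the comment's order: decrypt with the on-device key, then
// verify with the on-device public key before anything is allowed to run.
func DeviceBoot(img Image) ([]byte, error) {
	fw, err := Extracted(img)
	if err != nil {
		return nil, errors.New("decrypt failed: wrong key or corrupted image")
	}
	if !ed25519.Verify(VendorPub, fw, img.Signature) {
		return nil, errors.New("signature check failed: not vendor firmware")
	}
	return fw, nil
}

func main() {
	img := VendorBuild([]byte("constructed firmware image v1"))
	fw, err := DeviceBoot(img)
	fmt.Printf("genuine image boots: %v (%q)\n", err == nil, fw)
	leaked, _ := Extracted(img)
	fmt.Printf("key holder reads firmware without the private key: %q\n", leaked)
	_, err = DeviceBoot(Tamper(img, []byte("constructed firmware image, patched")))
	fmt.Printf("patched image rejected: %v\n", err != nil)
}
```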

  16. Re:goolag shareholders subsidizing artificial mark on Google Lunar X-Prize Extends Deadline Through March 2018 (space.com) · Score: 4, Informative

    this is creating an artificial market with goolag money. probably necessary since space seems not to be a profitable venture.

    Well we see SpaceX is doing well but they have customers like NASA. Inserting satellites and supplying the ISS is where the money is right now. Lunar rocks aren't too lucrative at the moment. And just LANDING there is a complete waste of money. (initially) So yeah, startup costs are high.

    There's a name for that but I forget what it is, 'sunk cost' or something like that. Meaning the initial investment just to get your technology figured out (with no other return whatsoever in the process) has the appearance of being a complete waste of money, and can be a difficult or impossible barrier for a new company to overcome trying to create a new market. Nuclear power is an area that's always been that way, and is a topic that's come up recently with the growing interest in thorium. And just like with space exploration, it's hard to say whether or not it'll be profitable in the future. That's what makes it hard to find venture capital to fund it. The x-prize is there to fill in that gap, because we've been waiting years for something to happen and nobody's been able to pull it together. If you can't prove it's possible on paper, nobody wants to loan you money to try to figure out how to do it, or how to do it in a way that can turn a profit. That's just the nature of R&D.

    It's also neat to see how failed research can have totally unexpected benefits in other areas. Read up on the military's research on personal jet packs. While those were ultimately a failure, their development of simple and compact jets helped other markets years later. There's lots of other examples like that.

  17. Several times I've run into VERY small items and seen them listed for absolutely absurd amounts. I'm talking $0.25 electronic components listed for $285. With several completed sales. That's some pretty obvious money laundering or covert payment going on there. I'd always assumed they were payments for drug sales, but I suppose this is another possibility.

    But whatever the case, the problem isn't eBay. Trying to take them on over this is like trying to shutter the cell phone towers because the terrorists are using them to coordinate. People will always find another way to do things. It's like laws - the only good law is one that has a dramatic effect on the intended target, while having VERY little to no effect on the innocent. If you can't apply it in that sort of way, you need to find some other much more effective angle to deal with the problem.

    Part of the issue here as I see it is when they're faced with a difficult problem, one that's proven to be resistant to previous attempts at control. They start "lowering the bar" of quality on the solutions they try to implement. Settling for methods that are both less effective on the problem AND causing more collateral damage to the innocent public in the process. And if the problem drags on or gets worse in the meanwhile, people start demanding more effective actions be taken. So the bar continues to get lower and lower, until it starts becoming apparent that the cure is getting as bad as the disease.

    If your hammer isn't getting the job done, getting out a bigger hammer isn't always the best response. Maybe you need to re-examine the problem and start considering more effective, less destructive tools. (like a screwdriver)

  18. Re:They're liberal when it suits them on Silicon Valley Billionaire Fails To Prevent Access To Public Beach (theguardian.com) · Score: 1

    He saw something he wanted, and tried to take it.

    Well he didn't try to take it, he DID take it. (he got the fence put up) Now he's finally being forced to return it.

    Taking stuff is often not too difficult. It's the keeping it that's the challenge. And that's what separates the rich from the poor, as the rich can afford to pay their lawyers to try to hold onto it for awhile. (and sometimes indefinitely)

  19. Re:nothing's really random on Researchers Build True Random Number Generator From Carbon Nanotubes (ieee.org) · Score: 1

    The only "perfect, unbreakable crypto" is the "one-time-pad", which requires both the sender and the receiver to have a truly (or sufficiently) random stream of numbers to use as a pad/xor. The limitations of this method are that (A) each pad can only be used once, (B) both parties need a sufficiently large amount of pad for their messages, (C) when they run out of pad, they have to get together somehow securely to exchange more large padding, and (D) pads are totally impractical to memorize.

    Seedable random number generators get around those issues by (D) using a passphrase which is hashed to produce the seed, which (A) can incorporate a sequence number, date, etc so that the same passphrase can be reused several times without causing the pad to be reused, where (C) passphrases are much easier to exchange or send securely due to their much smaller size, and (B) they can produce arbitrarily large streams from a given seed.

    A well-designed RNG will solve most of the problems of one-time-pad, in exchange for a possibly acceptable small increase in vulnerability to analysis.
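    The one-time pad and the seeded stand-in the comment describes, as an added example in Go (not code from the comment or the linked article). The XOR pad, the two-message reuse leak for limitation (A), and the passphrase-plus-sequence-number keystream are all constructed here; SHA-256 in counter mode is this example's assumption, since the comment names no particular generator.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// XOR is the whole of one-time-pad encryption and decryption: the same call
// both ways. It refuses a pad shorter than the message (limitation B).
func XOR(msg, pad []byte) ([]byte, error) {
	if len(pad) < len(msg) {
		return nil, errors.New("pad shorter than message")
	}
	out := make([]byte, len(msg))
	for i := range msg {
		out[i] = msg[i] ^ pad[i]
	}
	return out, nil
}

// PadReuseLeak shows why limitation (A) matters. If two messages were XORed
// with the same pad, XORing the two ciphertexts cancels the pad and leaves
// msg1 XOR msg2; anyone who knows (or guesses) msg1 then reads msg2 outright.
func PadReuseLeak(ct1, ct2, knownMsg1 []byte) ([]byte, error) {
	n := len(ct1)
	if len(ct2) < n {
		n = len(ct2)
	}
	if len(knownMsg1) < n {
		n = len(knownMsg1)
	}
	diff, err := XOR(ct1[:n], ct2[:n]) // pad cancelled: msg1 ^ msg2
	if err != nil {
		return nil, err
	}
	return XOR(diff, knownMsg1[:n]) // (msg1 ^ msg2) ^ msg1 = msg2
}

func u64(v uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, v)
	return b
}

// Keystream is the comment's seedable replacement: the passphrase is hashed
// together with a sequence number (so reusing the passphrase never reuses the
// pad) and the seed is expanded in counter mode to any length (limitation B).
func Keystream(passphrase string, seq uint64, n int) []byte {
	seed := sha256.Sum256(append([]byte(passphrase), u64(seq)...))
	out := make([]byte, 0, n+sha256.Size)
	for ctr := uint64(0); len(out) < n; ctr++ {
		block := sha256.Sum256(append(seed[:], u64(ctr)...))
		out = append(out, block[:]...)
	}
	return out[:n]
}

// Seal encrypts (and, called again with the same arguments, decrypts) with a
// pad that is exactly as long as the message and fresh for every sequence number.
func Seal(passphrase string, seq uint64, msg []byte) []byte {
	out, _ := XOR(msg, Keystream(passphrase, seq, len(msg))) // pad is never short
	return out
}

func main() {
	pad := Keystream("constructed pad source", 0, 64) // stands in for a truly random pad
	m1 := []byte("constructed plaintext number one")
	m2 := []byte("constructed plaintext number two")
	c1, _ := XOR(m1, pad)
	c2, _ := XOR(m2, pad) // same pad twice: the mistake limitation (A) forbids
	leaked, _ := PadReuseLeak(c1, c2, m1)
	fmt.Printf("pad reused, message two recovered: %q\n", leaked)

	c := Seal("constructed passphrase", 1, m1)
	fmt.Printf("seq 1 round trip: %q\n", Seal("constructed passphrase", 1, c))
	fmt.Printf("seq 1 and seq 2 pads differ: %v\n", !bytes.Equal(
		Keystream("constructed passphrase", 1, 16), Keystream("constructed passphrase", 2, 16)))
}
```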

  20. nothing's really random on Researchers Build True Random Number Generator From Carbon Nanotubes (ieee.org) · Score: 1

    although some things are sufficiently unpredictable as to be "close enough". Thermal noise, as this method is using, usually falls into this category.

    I personally prefer algorithmic methods of generating random numbers. Sufficiently designed functions can perform well on random analysis while still offering you the option of fixed seeding for those cases where you need a consistent stream. (mainly used for testing and cryptography)

  21. didn't I hear this from Bill? on Maybe Americans Don't Need Fast Home Internet Service, FCC Suggests (arstechnica.com) · Score: 4, Insightful

    "640K ought to be enough for anybody" - Bill Gates, Seattle, 1981

    But hilarious comparison aside, these clowns are just trying to find a way to justify the universally-hated stance that we don't need net neutrality. Mr T's just in the business of appointing yes-men that either always agree with him or get replaced immediately, Pai's just one of the team - there's no point in trying to reason with that, you'll never get anywhere. Not with facts, not with evidence, not with contrary public opinion of any magnitude. These people haven't been hired to be experts or critical thinkers, they were hired to be yes-men, and none of your facts matter.

  22. "it's just good business" on Warner Music Files Copyright Claim on A Silent 'Star Wars' Video On YouTube (wired.com) · Score: 5, Interesting

    If it costs them less to file the claim than they will get back on the average, they'll do it. There are only two ways to stop them - [1] make it illegal (and then they will only stop some of the time) or [2] make it unprofitable.

    Right now the way the system is set up, for very little effort they can file a claim and siphon off the ad revenue. It's a "click here for free money" button. Who in their right mind wouldn't press the button? Right now the ONLY negative side-effect is bad press. And just look what happened here. "You discussed our abuse of the system with a journalist?!" *DING* ((claim dropped)) Imagine that!

    It's not that they don't know what they're doing is wrong - it's that they simply don't care. It's just free money until it attracts bad press. I don't blame them, I blame the rules. If I were in their position, I'd probably be doing the same thing. The problem is the "click here for free money" button. The only way to fix the problem is to fix the rules.

  23. a "high-quality draft" on Monsanto Leaks Suggest It Tried To Kill Cancer Research On Roundup Weed Killer (rt.com) · Score: 1

    uh, yeah. Sounds like he'd be interested in getting a fat check for signing a prepared statement on the bottom line. That goes way beyond "ghost writing" when you can't even be bothered to write up the biased opinion yourself.

    It's good to see how some of them rebuffed the offer though. This looks like a good example of all the colors of the ethics rainbow.

  24. I've seen this happen a lot. I know people that have DONE it (for somewhat justifiable reason) and also those that have had it done TO them. It's the pendulum swinging too far in the other direction is all.

    One friend of mine bought a coin listed as authentic. When it arrived, it was a reproduction. It was a fairly good looking repro, but an obvious copy nonetheless. The seller immediately agreed to a refund, it was obvious he knew he was listing fakes as genuine. Buyer was going to have to pay return shipping though. Miffed by that, he shipped back a large bolt of the same weight. Once ebay saw the return shipping confirmation, he got a full refund. Slightly unfair to the seller, but would have been more unfair to the buyer having to pay return shipping and being left with nothing. Even under the current rules, when a seller commits listing fraud, someone is going to get cheated. Previously, it was always the buyer. Now sometimes it's the seller instead. Is this fair? CAN it be fair? Probably not. This is pretty much unavoidable unless you're doing escrow, but nobody's going to do that on anything other than high-dollar items. So the inexpensive stuff is just going to have to be risky for someone.

    I know another guy that sells car parts on ebay. One time he sold a set of good-but-used brake disks. When it came time to ship them he found his shop had already sold them locally. So he just accepted a bit of a loss by shipping a set of brand new discs instead of the used ones. Buyer got them and complained, "item not as listed!" Well duh, you got new instead of used, why are you complaining? Buyer demanded a return. Okay whatever. Guess what he returned? His worn out discs! And of course ebay released a full refund, and left him with no recourse. Buyer gets brand new set of discs for the price of return shipping. Seller is out the cost of new discs plus shipping, minus anything he can get for the seller's old discs. (which was nothing, they were shot)

    So yeah, these online places have shifted over the years from being "seller-safe / buyer-risky" to "seller-risky / buyer-safe". If you don't like the risks, don't do your selling there. If you can't be competitive elsewhere, well that's too bad, nobody promised you life was fair and full of easy opportunities. If you can't be competitive given the options you'd like to use, go find some other options or go do something else. Honestly, I've sold stuff on ebay years ago and I felt okay at the time. NOW, I'm not nearly as warm-and-fuzzy about the idea because so many buyers cheat the sellers and places like eBay won't help the seller if they get cheated. You really have to bet on the honesty of the buyer, and from time to time, get burned. There's no point in my complaining about it, I just don't list much anymore because I don't like the increased risks. It's my choice, I really have no grounds to complain on. Even if there are "no better options available for me", I still have a choice -- don't sell it online. Sellers need to understand that they still have that choice, nobody's forcing them to play a game where they don't like the rules.

  25. Re:I don't like Trump, but on Trump Removes Anthony Scaramucci From Communications Director Role (nytimes.com) · Score: 1

    Was this a position that had to be confirmed? Idiots appointing idiots is bad enough, but the appointed idiots getting confirmed is all that much worse