Yes indeed. Powerful interests do not want devices to be seen as vulnerable, even from other manufacturers. He has a defense if the German govt really tried a recall -- he could say he is assisting them.
Otherwise, he should be extremely careful about travel, especially where the US has influence. If anyone in the US has this Austrian device and got hacked, he could be liable for "unauthorized access" under US law and extradited.
Brute-force attacks like these can only work when attackers can access the passwd hashes so their guessing cost comes down to a few machine cycles. This is why /etc/shadow was developed and eventually will become encrypted itself.
When an attacker has to go to the local OS, let alone a remote net, the cost per guess goes up by many (4-10) orders of magnitude. Decent security watchdogs will throttle guessing even further.
Look, the name may or may not be juvenile. The idea is _not_. I've done much the same for years, using textmode `links` as my primary browser, and building shell scripts to do RSS via `wget` and `diff`.
If anyone is interested, I got squashed in the #MeToo timeframe, about 15 years ago. What happened was a kernel update suddenly started making my Abit BP6 (dual) lock-up. I traced it to a new System Management Interrupt service routine that would not handle double-interrupts. Masking off would fix it.
I reported this on the LKML, and eventually Linus commented "We don't fix broken hardware." True enough, the SMI bus was vomitous (unbalanced, open-drain). But I'm older than Linus, and remember when software was meant to fix hardware!
So I just manually patched kernel source for ~5 years. I didn't and don't mind, at least I had source to patch. But I gave up on reporting anything to the LKML "if it boots, it's perfect".
Does all this touchy-feely psychobabble mean a shift in kernel philosophy away from the "speed at all costs" into something perhaps more reliability based?
It is a start to recognize visa-free is a good thing. But their list ought not to simply count countries, but weigh them by something (population, GDP, area, /. postings, ...). Simple binary dot-product.
After all, visa-free to Russia or China is more useful than visa-free to Uzbekistan or Mongolia for most people.
"journalism" is a difficult-to-define word. The closest I can come is from the French "journal", newspaper or frequent periodical. Journalists are those who produce the content, hopefully distinct from copywriters who produce the advertisements.
Put another way, you are saying the NYT review of books and theatre reviews are also not journalism.
NVidia can ask/require anything they want -- that doesn't mean reputable journalists [where?] will agree. They just won't review NVidia products as early, or at all. NVidia loses the free publicity in a very-short-term effort to reduce negative reviews. Are they going out of business? I thought they had leading vidcards. They must think not.
The rest of us will know the disreputable journalists by their early NVidia reviews. Just makes me buy Radeon.
The NYT reliably misunderstands (ironically their own business): The growth of the Advertising industry over ~100 years has occurred primarily because there is good feedback [justification] for ad campaigns from sales volumes. With the Internet, much more information can be routinely tracked to give much finer feedback (click-thru). Side-stream (private?) data can be used to target ads for 2+ orders of magnitude in effectiveness.
"Math" [AI, neural nets, etc] is nothing more than a tool used by Mad Men who no longer need to use as much judgement [guessing]. Never become so amazed by flashy tools that you neglect the judgement required to use increased power. MBA hubris.
I had an email exchange with RMS around the time this all started ~20 years ago and the closest thing I got was it was not GNU/BSD or GNU/TomsRtBt but it was GNU/Linux for Slackware and Debian. Everybody used `gcc` at the time, so the closest differentiator I could determine was "user environment", essentially fileutils, etc. Neither clear nor satisfying.
Personally, I prefer the term GNU/Linux for those who might need education on GNU. I firmly believe the GPL (esp.v2) is what enabled the fledgling 90s Linux to overtake the established BSD (partially hobbled by the AT&T suit). The forced publication/sublicence of the GPL was and remains far more attractive to many publishing programmers than the "take it private if you want" BSD licence.
The interesting thing about this news is the datasource is not the State Registrations as one might expect. ICE is using "private" scans most likely because a significant number of state laws prevent them "fishing" and require probable cause for access. I bet much of those "private" DBs are from toll authorities, AFAIK all of which have enabling legislation. Watch for new laws restricting toll authorities, much like public outcry clamped down on State Registration searches.
"Never interrupt your enemy while she is making a mistake" [Napoleon 1er]
I dislike secret-source software and I believe this lock-in subscription model is a good example of some reasons (possible abuses). Monopolists leaning on their users just gives more incentive to switch. I doubt PS->GIMP is much worse than MSwin7->MSwin8.
Articles like this (and gameplay, etc) seem to assume more is bad. "We never did this before, so why now?" Implicitly rejecting people's intelligence, or at least their ability to choose. Assuming everything was perfect before...
I reject such negativity. Barring error, I believe people will choose correctly for themselves, and a few selected counter-examples do not justify total population control, euphemistically called "regulation".
Nice description. Now tell me how knowing the _addresses_ in L[123] cache is any kind of exploitable breach? No-one is talking _data_, and the 'sploit described (history dumped) is pure userspace, most likely a cleverly crafted URL like file:///C\:Users\ .
If you're as worried as Theo, just turn off RDTSC (seccomp) as MS did long ago (Win98?), likely to disable a less-than-favorable benchmark.
By other reports, swatter was in LA, CA and made interstate phone call to Kansas. Very likely committed several US Federal felonies (wire fraud, phone phreaking, making terroristic threat) that will trigger Federal Felony Murder. Kansas statute is far more limited. Rare for the Feds to go for the death penalty, but it is probably available.
ONE: the cop, who killed an innocent person. The coward will probably skate claiming "fear for life". BS! You go to a door, you'd better not be excessively afraid. If you are, stand down/back! Kansas is Castle Doctrine, so cops have to stand back.
TWO: the swatter intended and knew harm would result. From LA, the case crosses state lines and brings the Feds in, and their Felony Murder rules, not the more-connected Kansas rules.
THREE: the misdirector who gave the swatter the addr. He knew harm could result. Maybe he pleads self-defense, but it is wanton disregard for safety of another. Innocent if he called Kansas promptly to report the threat and false addr.
As I posted on The Economist, it is not salacious polygyny but anything that upsets the sex ratio that becomes profoundly destabilising: [Poor] young men see the [few] young women of their villages swept away to better [city] prospects. They can hardly stop it. But it gives them powerful motivation to improve their standing, including by military adventure. A clever "leader" (Bo Xilai?) can tap into this. Most worrying are China's "empty branches", excess young men as a result of China's "one child" policy generating selective abortion/infanticide.
Agreed. Hog wild not needed -- slow escalation but keep count and watch time anyways. By the time 100 wrongs have occurred, it is unlikely a legitimate user is at the far end. But you are correct, programmers (and especially PMs) ought to consider user costs. And perhaps allow users some choice over their account security tight-normal-lax to enable them to balance their security preferences against their typing quality.
Crackers play script games because they can. Good programming should assist genuine users (who make more mistakes than scripts) while heavily penalising automated attacks. [re]CAPTCHA is one idea, rather poorly implemented (AI is better than humans). But lockout, exponential backoff, black- and greylists, IP fail2ban, rate limiting, fail advice, provisional (honeypot?) access and other tactics will increase attack costs. Yes, some of them become DoS, but all cracking essentially is exactly this.
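Added example (not from the comments above or any project): a small Python login throttle that implements the slow-escalation idea from the two comments above -- a free allowance of mistakes per account, then exponential backoff, a tight/normal/lax tier chosen per user, a time window so old mistakes are forgotten, and a fail2ban-style per-address count across accounts -- replayed over a constructed log. The tier names, thresholds, log format and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Account tiers (the "tight-normal-lax" choice): failures allowed before backoff
# starts, the first delay in seconds, and the longest delay. Assumed values.
TIERS = {"tight": (2, 1.0, 3600.0), "normal": (5, 1.0, 3600.0), "lax": (10, 0.5, 900.0)}
IP_BAN_THRESHOLD = 10   # counted failures from one address across any accounts
WINDOW = 600.0          # failures older than this many seconds are forgotten


class LoginThrottle:
    def __init__(self, tier_for_user):
        self.tier_for_user = tier_for_user            # username -> tier name
        self.fails = defaultdict(list)                # key -> failure timestamps
        self.locked_until = defaultdict(float)        # user -> unlock time

    def _recent(self, key, now):
        self.fails[key] = [t for t in self.fails[key] if now - t < WINDOW]
        return len(self.fails[key])

    def check(self, user, ip, now):
        """Decide before verifying the password; denied attempts are not counted."""
        if self._recent(("ip", ip), now) >= IP_BAN_THRESHOLD:
            return False, "ip-banned"
        if now < self.locked_until[user]:
            return False, "backoff"
        return True, "ok"

    def record(self, user, ip, ok, now):
        """Record a verified attempt's outcome; return the delay imposed."""
        if ok:                                        # success resets the account
            self.fails[("user", user)].clear()
            self.locked_until[user] = 0.0
            return 0.0
        self.fails[("user", user)].append(now)
        self.fails[("ip", ip)].append(now)
        free, base, cap = TIERS[self.tier_for_user(user)]
        excess = self._recent(("user", user), now) - free
        if excess <= 0:
            return 0.0
        delay = min(base * 2 ** (excess - 1), cap)    # exponential backoff
        self.locked_until[user] = now + delay
        return delay


LINE = re.compile(r"^(\d+) (FAIL|OK) user=(\S+) ip=(\S+)$")
# Constructed sample log: a user with two typos, a script hammering one account,
# then the same address spreading single guesses over other accounts.
SAMPLE = (["0 FAIL user=alice ip=203.0.113.5", "5 FAIL user=alice ip=203.0.113.5",
           "10 OK user=alice ip=203.0.113.5"]
          + [f"{100 + i} FAIL user=bob ip=198.51.100.7" for i in range(12)]
          + [f"{200 + i} FAIL user={u} ip=198.51.100.7"
             for i, u in enumerate(["carol", "dave", "erin", "frank"])])


def replay(lines, tier_for_user=lambda user: "normal"):
    """Replay log lines through the throttle; return (user, ip, outcome) per line."""
    th, out = LoginThrottle(tier_for_user), []
    for m in filter(None, map(LINE.match, lines)):   # skip lines that do not parse
        now, status, user, ip = int(m[1]), m[2], m[3], m[4]
        allowed, why = th.check(user, ip, now)
        if allowed:
            delay = th.record(user, ip, status == "OK", now)
            why = "accepted" if status == "OK" else f"fail delay={delay:g}"
        out.append((user, ip, why))
    return out
```

Replaying the sample shows the legitimate user never waits, the per-account script is slowed to a crawl after its free allowance, and the address is banned once it spreads guesses across accounts.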
IANAL, but there are at least two violations of Federal law likely to flow from allowing net biasing:
First, most ISPs qualify under Sherman Antitrust as monopolies since they have "pricing power" in their markets. Net biasing allows illegal extension of that monopoly into other services.
Second, biasing traffic implies control and approval. ISPs are jeopardizing their common carrier immunity which is founded on an inability to control.
It would have been nice had the FCC announced what sort of comments they wanted. But in fact, they probably wanted none and just need a checkbox before proceeding corruptly. It is fortunate the much-reviled DJT got elected one year ago in that the Press was jolted awake from their 8+ years of sleep and sycophancy.
Yes, at least some browsers have this setting. And as another poster mentioned, scripts do not autocomplete all fields (uid/pwd). But this does not necessarily stop the scripts from running and sending running data, even if the browser does not show any useful return. Websites can adjust their behaviour per user, and might appear less intrusive to some users. Cookies & per-user scripts. That does not mean that they do not track and capture data, just that they are more subtle in displaying the results of tracking.
You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them? Of course some loaded script does, and whatever else it does is probably described as "trojan".
I do not much like this mis-behaviour and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)
But if the attacker gets root, s/he can keep it, even through reboots and potentially kernel upgrades. For serious intrusion, Ring0 (x86/x64) is the goal, root is just a stepping stone. More to the point, just why do you think OpenBSD removed loadable module support 3 years ago? Theo may be... peculiar... but no-one can call him completely irrational without revealing themselves to be even moreso.
`insmod` is tough? Modifying a commonly used module, perhaps one loaded later (vfat)? Modules do have a checksum, easy to fix. They do not have any crypto-signing which might verify integrity.
Granted from Linus' kernel perspective, _MOST_ security problems are caused by bugs. Userspace has far more bugs, and proportionally more caused by poor design & implementation. However, loadable kernel modules are a security hazard that has been designed-in.
Where is _my_ computer? Paper Tape? Punch Cards? :)
BTW, I have kbds (PS/2, BT or USB OTG) for all machines, RPi, iP5 on up.