Slashdot Mirror


User: Rich0

Rich0's activity in the archive.

Stories
0
Comments
11,574
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 11,574

  1. Re:Trusted Computing Will Make It Worse on Crackers Tune In to Windows Media Player · · Score: 1

    You are missing it. If a piece of spyware was run as DRM'd app - which I am sure could happen - it won't be hard to do basically it's just a runtime flag that triggers the Nexus to take over, it'd have access *only* to it's own sealed storage.

    Again, the original poster's premise was that the Nexus contains a flaw which would allow an app to gain access to all of the sealed storage. Now, that premise may not be true, but if it were true, then the original poster's conclusion was that this could be used to make it more difficult to remove spyware.

    I fully agree that if the Nexus works properly this scenerio cannot occur. The original argument was that if it fails, it fails badly...

  2. Re:Trusted Computing Will Make It Worse on Crackers Tune In to Windows Media Player · · Score: 1

    No. Not at all. The binary is the key. The binary is loaded into memory by the OS, and then asked to run secure. Boom. Nexus jumps in. encrypts the file using the binary.

    If the binary is the key to decrypting the secured storage, and the binary is stored on the disk, then anything with physical access to that disk can decrypt the secured storage area. All you need to decrypt something is the thing that you're decrypting, the algorithm used to encrypt it, and the key. You have all three, so you can read it.

    Regardless, only the Nexus has access to the sealed data, even in encrypted form. Even though it's on the same disk doesn't mean that Windows will have physical access to it.

    I tend to doubt that TCPA will actually block the OS from reading data off a drive. There is no need to - if the data is encrypted then there is no benefit to protecting it.

    In any case, the OP's whole premise is that a flaw would be found in the Nexus allowing spyware to gain access to stuff it shouldn't be able to access. The OP's deduction was that this access could then be used to make the spyware harder to remove.

    I still haven't seen anything that suggests that if spyware were able to gain elevated privs on a TCPA-based machine that it wouldn't be harder to get rid of it as a result.

    Now, you can certainly argue that the spyware would never make it past the Nexus in the first place, and you may be right. However, the general pattern has been that nothing like this has every been bulletproof in v1.0.

  3. Re:Is anybody reading this using NT4? on End Of Support for Windows NT 4.0 · · Score: 1

    Do you see any exploits coming out for DOS

    Well, in all fairness that is an OS which lacks any networking features (without 3rd party drivers), so a remote exploit isn't going to happen. It is also an OS which is single user and no access controls, so a local exploit isn't possible since you have all the access you can get simply by booting it.

    Any remote flaws in DOS would be flaws in 3rd-party software, and consequently they wouldn't really be flaws in DOS.

    Does that make DOS seure? No! The reason you can't break into DOS is because the door has always been wide open...

  4. Re:Uhh... on End Of Support for Windows NT 4.0 · · Score: 1

    In an ideal world you should be OK, but you're open to a few avenues of attack:

    1. By having all your ports accessible to the outside world at the very least your IP shows up on a portscan directed at any port. Now, if you have port 80 open that is pretty-much inevitable, but if you only open port 8574 for some odd service, then you get some security-by-obscurity simply by forcing port-scanners to pick that port to check. If a hacker knows your IP exists, they might give it more attention.

    2. By not firewalling unneeded ports at an outside point, you run the risk of inadvertently starting up some server which listens on an outside interface. By having a firewall you don't need to worry about stuff like that, since you have to explictly enable outside connections.

    3. By opening up all ports you are potentially vulterable to obscure kernel bugs in your TCP stack. These come up only on very rare occassions, but you could be away at work and the annoucement might come out that any linux box with port 17 exposed to the outside world can be remotely exploited due to some flaw in the TCP stack. If you had everything but port 80 blocked you wouldn't have to call home to the wife and tell her to power the thing off until you get home and patch it. This is an unlikely scenario, but why leave unneeded ports open?

    One advantage of a firewall is that it is an independant network guardian. If somebody finds a way to hack a linksys router I'm fine since they'd only get as far as my linux box on the other end, which I keep up to date with patches. If somebody finds a flaw in linux I'm safe since they'd have to get past the router first. I've forced an attacker to exploit two zero-day flaws at once, which is much less likely. If you run only a software firewall, or if you run the same OS on your firewall and production box, you lose this protection.

    Can you get by without a firewall - sure. If you've already paid for one should you use it - probably.

  5. Re:Supporting? on End Of Support for Windows NT 4.0 · · Score: 2, Insightful

    The other problem is the long list of other companies who are doing the same thing which tends to make everything snowball.

    At work we often have big expensive machines which are controlled by computers (insert your own scenario here - manufacutring robot, high-tech scientific instrument, hospital device, extremely-complex-server, whatever). Said device controller software ran on NT4. Device vendor decides that they won't upgrade the software to run on XP (yes, it must be lousy software to not just run on the newer OS, but when you have two vendors for a given type of equipment and they both have these kinds of problems, you're up the creek). Of course, the vendor wants you to spend an extra $100k on another big machine.

    So, now your OS upgrade problem just turned into a $100k machine upgrade problem. When the machine was bought, the justification was probably that it will save $x per year for the next 20 years and so we should buy it. Now you're tossing it after maybe 7 years (they wouldn't have made the software for NT4 if it had just come out). That changes the math considerably.

    Of course, said machine vendor should be supporting their customers better - otherwise nobody will buy expensive machines unless they can afford to toss them every 5 years.

    Note that this isn't purely MS's fault - just an illustration of the problems that dependance on vendor support lead to, and that when you depend on multiple vendors you are now subject to weakest-link issues. One vendor might tie you to a specific product, and if that product becomes unsupported you get two different vendors pointing fingers at each other...

  6. Re:Trusted Computing Will Make It Worse on Crackers Tune In to Windows Media Player · · Score: 1

    The nexus even doesn't have access to the secure areas of the various programs without the actual binary being loaded into the secure portion of memory. The binary contains/is the key needed to decrypt the sealed storage.

    And the binary is on the disk, and consequently the spyware can access the key stored inside of it. If a file on disk is going to be decrypted, then the key uesd to do so must be stored SOMEWHERE on the computer - and therefore it can be retrieved.

    You are misunderstanding how the system works. The OS doesn't trust binaries, the binaries trust the OS.

    You indicated that the OS can't access protected memory/storage/etc. Therefore, the spyware can put its stuff in those locations. The spyware will simply refuse to trust the OS.

    The TCPA system does not rely on any embedded key in the OS or hardware. There is a hash which is generated by the Nexus at power-on that describes the system.

    Then how does a piece of software know that it is talking to the Nexus when it gets the hash? I could run an emulator and intercept the request for the hash and give the software whatever I want to - unless the nexus can respond to a challenge-response using a key embedded in the hardware that I do not possess.

    The point of TCPA systems is that you don't own (1) the computer (corporate does)

    Uh, TCPA isn't being planned just for business systems. If my employer wants to put it on their computers - that is their choice. However, TCPA is being made ubiquitous and is going to be installed mainly for home use on computers owned by their users. What is the point of DRM on office machies? Most people watch movies at home...

    My feeling is that TCPA will be used for uses beyond those advertised by those promoting it...

  7. Re:Trusted Computing Will Make It Worse on Crackers Tune In to Windows Media Player · · Score: 1

    Uh, what do fingerprints have to do with trusted computing?

    What I don't like about trusted computing is that it creates a computer which doesn't trust me.

    My computer belongs to me, as does the data on it. My computer will surrender to me anything stored on it upon request. If somebody asks my computer whether I'm a nice guy, my computer will answer what I tell it to answer - not what the other guy who doesn't own it wants to hear.

    Why will me having a computer that does what I ask it to do make the world get ugly? I'm not asking that the bank's computer trust me. I'm not asking that your computer trust me. I'm fine with having secure keys stored in my computer to ensure that the computer doesn't obey any order not signed by ME, or to ensure that I'm the only one who can get data off of it. However, I will be the one to hold a copy of those keys - not some vendor someplace else whose last desire is to see me have control over my own hardware. I'm not renting - it belongs to me...

  8. Re:Trusted Computing Will Make It Worse on Crackers Tune In to Windows Media Player · · Score: 1

    A lot of this depends on how everything is implemented.

    Suppose an exploit in the nexus is found. Spyware could use said hole to gain access to the entire system, and if it closed the hole behind itself it could use the nexus to then protect itself. When you went to delete it, the operating system would be denied access since it is no longer trusted to modify the spyware.

    Perhaps the spyware would work by modifying the web browser disk cache to put ads on webpages. Remember - it managed to corrupt the nexus, so it now has control over the trust relationships.

    Obviously if the Trusted architechture had no flaws, the whole model would tend to prevent spyware installation. However, the original poster poitned out that since the purpose of Trusted computing is to reduce a user's access to their own machine, it could be leveraged by spyware which managed to circumvent the architechture itself.

    My feeling is that it should be illegal to sell a user anything which contains an embedded key for which the user is not given a copy of all mathematically related keys (ie the associated private/public keys). If I own something, I should be able to do whatever I want with it. Now, if the vendor wants to help give me more control via trusted computing mechanisms, that is fine, but I had better be one of the trusted parties - and that can be demonstrated by giving me the keys to the safe...

  9. Re:BT links on FreeNET on The Centralization of BitTorrent Networks · · Score: 1

    Doing so would cripple BT so much - you'd do better just to insert the whole file on Freenet the regular way and then just download it at regular Freenet speeds.

    Freenet does work fine for even really big files (it is a distributed P2P system), the problem is that it is just very slow.

  10. Re:Umm, no, it won't ever die. on The Centralization of BitTorrent Networks · · Score: 1

    That is simple enough - have all clients tell the tracker how much they are downloading on each connection. The tracker will ignore any stats from a client indicating how much it is uploading. Then all you can hack your client to do is to over-report other clients uploads, not your own. Of course, it is in everybody's self-interest to police others, and nobody is trusted to police themselves, so the problem is fixed.

    I thought this was already how it worked. Clearly trusting clients to report their own upload stats is a bad move...

  11. Re:Intuit "Tax Freedom Project" on Tax Time Again: Any Linux Solutions? · · Score: 1

    I think the IRS is crazy with their current policies. They claim they want to reduce their costs via e-filing, but they don't make it easy to e-file for free, and when they do it is only for a few forms and low incomes.

    The IRS claims that it shouldn't be in the tax preparation business. Well, fine - just put a web-version of every tax form and let people fill them out manually and hit submit.

    Right now I spend money on tax preparation software, but half the time I print out my tax forms and just mail them. It costs the IRS FAR more to process these forms than if I submitted them electronically, but it costs me about $10 less to just print and mail.

    Sure, many vendors have a free e-file offer (which I sometimes take advantage of), but often it depends on rebates. I'm not a big believer in rebates since it has been hit-and-miss on my ever receiving them. When I see "Free after rebate!" my brain reads "$8.95 and the feeling of having gotten ripped off!"

    If it really is so much cheaper on the IRS to have electronic filing of returns, then they should do more to encourge the use of electronic forms. It certainly shouldn't cost taxpayers more to use the preferred method than the non-preferred method!

  12. Re:Get a projector on CRTs Still Beat Flat-Panel TVs · · Score: 2, Interesting

    I know a fair amount about sound reinforcement - if you're getting lag it is almost certainly the result of a speaker being far away from a listener, and not the length of cable (unless you are running your cable across several states).

    Unless you're in some kind of theater-sized room, however, the delay really won't be noticable. In a big living room I doubt it takes sound more than 1 ms to travel across the room. In really big rooms with multiple speakers you usually use digital delay generators - not to avoid a perceptible lag, but to avoid phase problems (you can't hear a 20ms delay, but you can hear what happens when you mix a sound coming from a speaker directly overhead with a sound travelling halfway across a big room if the speaker overhead isn't delayed to make both sounds arrive at the same time).

    If you're getting lag it might be due to some crazy setting on your receiver (if it has a delay feature), a bad DVD player (more likely), or if it only happens on one DVD it is just a bad hollywood post-production job (most likely).

    I don't doubt that your father's setup has issues, but the lag is certainly not the result of cable length - signals travel at nearly the speed of light in cable, and you probably need miles of length to even start to make the delay measurable by any but the most advanced equipment. (Assuming, of course, that the signal wasn't completely attenuated into non-existance by such a cable run.)

  13. Re:Even when it's horribly outmoded... on Ham Operator Sets New Miles-Per-Watt World Record · · Score: 1

    Radio astronomy has very impressive resolution figures - its main problem is that it only works for radio waves. The resolution is due to the fact that you can extend radio interferometry about as far as you'd like (in theory if you put a receiver on a probe in solar orbit you could simulate a dish the size of the solar system). This is because you can record the radio signals with a atomic clock reference which is more accurate than the frequency of the signals being recorded.

    Now, while an atomic clock may drift less than a few hundred MHz, it will not drift less than the THz+ frequencies that optical astronomy uses. So, an optical interferometer requires bending light and directing it to a common location, which requires essentially a line of site. So, no collaborations between Arizona and Austrailia...

    You should look online at some radio astronomy images - they're pretty impressive and you can get detailed pictures of stuff which is halfway across the universe.

  14. Re:Perl Script on Y2K: Hoax, Or Averted Disaster? · · Score: 1

    Interesting - my gentoo amd64 box works just fine in 64bit mode, but not in a 32-bit chroot:

    (64 bit)
    bash-2.05b$ ./test.pl
    Tue Jan 19 03:14:01 2038
    Tue Jan 19 03:14:02 2038
    Tue Jan 19 03:14:03 2038
    Tue Jan 19 03:14:04 2038
    Tue Jan 19 03:14:05 2038
    Tue Jan 19 03:14:06 2038
    Tue Jan 19 03:14:07 2038
    Tue Jan 19 03:14:08 2038
    Tue Jan 19 03:14:09 2038
    Tue Jan 19 03:14:10 2038

    (32-bit)
    tmp $ ./test.pl
    Tue Jan 19 03:14:01 2038
    Tue Jan 19 03:14:02 2038
    Tue Jan 19 03:14:03 2038
    Tue Jan 19 03:14:04 2038
    Tue Jan 19 03:14:05 2038
    Tue Jan 19 03:14:06 2038
    Tue Jan 19 03:14:07 2038
    Fri Dec 13 20:45:52 1901
    Fri Dec 13 20:45:52 1901
    Fri Dec 13 20:45:52 1901

    I wonder if this is an OS problem, or maybe a perl bug. The same kernel is running either way, but the two perl's are compiled for 32/64 bit.

  15. Re:I utterly agree on Is Your Development Project a Sinking Ship? · · Score: 1

    Of course, the problem is that most companies will hire two mediocre programmers rather than one smart one.

    At work we've deployed a fairly large software application which was written by a total of about four people. This replaced a software application written by an office-building full of people which lacked the functionality and flexibility of our new software. Within its niche this small company has gone on to steal most of the larger company's customers.

    Sometimes lean-and-mean does the trick. And smart programmers don't abandon you at the drop of a hat - only at the offer of more money. If you pay them the wages of 10 mediocre programmers they won't be going anywhere, and you actually save money when overhead is factored in...

  16. Re:So compromised keys make for faulty hardware? on Building the AACS Next-Gen Copy Protection Scheme · · Score: 1

    The key DVDs would probably be trivial to crack. Sure, they'd be encrypted, but the hacker has already obtained the keys from their player in the first place, so there is no shared secret that the vendor and the player have which the attacker does not also have.

    The only way a system like this would work is by using smartcard tactics and having no employee leaks. Even smartcard tactics are limited in their ability to work, and they would only work for hardware players (forget software players, although you could put them in the DVD drive).

  17. Re:Same old, same old. on Building the AACS Next-Gen Copy Protection Scheme · · Score: 1

    This hasn't happened with CSS, but that is because due to a weakness in the algorithm all the keys were obtained. A typical decss library probably only has one or two keys in it, but all of them are in the open.

    When CSS was cracked it was due to poor obfuscation of the key in a software DVD player. That key was used to decrypt the disk. However, upon examining the decrypted disk a weakness in the algorithm was discovered allowing them to obtain all the other keys using a known-plaintext attack. So, revoking keys was out of the question unless every DVD player in the world was to be made obsolete.

  18. Re:Same old, same old. on Building the AACS Next-Gen Copy Protection Scheme · · Score: 1

    True enough - ultimately the player has to possess the key, and a hacker will be able to obtain it. When that happens they'll have to revoke that key - which will almost certainly impact more than just a single player.

    How many keys to they plan on issuing? Unless they plan on having an individual key for every individual player, they'll be in trouble when a key gets out. If they want a billion keys out there, then they'll need about a gigabyte of disk space just to store the session keys for each disk...

  19. Re:So compromised keys make for faulty hardware? on Building the AACS Next-Gen Copy Protection Scheme · · Score: 1

    That is easy enough. When somebody starts circulating the source code to the CSS-breaker they simply examine it and figure out what key they're using.

    However, that still leaves a major problem. So, you know that the key was stolen from a Sony DVD player - do you now make every Sony DVD player useless for playing new movies? What would the cost of the resulting recalls be?

  20. Re:Asset taxes on Interview With Richard Stallman · · Score: 1

    The OP's rant is that government is funded via tax on work done, and not on possessions. That premise remains unrefuted, despite the fact that a small minority of government funding comes from property taxes.

    You can certainly dispute whether taxes on work vs property are a good or bad thing. However, there really isn't any question as to where most funding comes from right now. In general, property is barely taxed at all - and when it is taxed it is mostly taxed when it is owned by individuals, and not corporations.

  21. Re:Asset taxes on Interview With Richard Stallman · · Score: 1

    And what portion of all government funding is raised from such asset taxes? My guess is that the figure is under 10%.

    Property taxes tend to be used to fund only local government (for the most part - the state may also collect some tax, but it is a smaller share). Large corporations often get property tax exemptions to encourge them to settle in a particular community.

  22. Re:Why so slow to react? on Ham Radio Served as Main Link to Disaster Area · · Score: 1

    Keep in mind that stuff costs a fortune to stockpile. Most of it is perishable (guns, bullets, tanks, and gasoline are less so).

    While it is unfortunately, it is unlikely that countries will ever spend significant resournces stockpiling supplies that will only benefit people other than the ones paying for them. People will open their wallets when there is a disaster, but they generally won't do so beforehand.

    The US hardly stockpiles stuff like this for internal emergencies - let alone disasters half a world away...

  23. Re:Another estimate and what that means for Satali on Quake Changes Earth's Rotation, Moves Islands · · Score: 1

    GPS does not use geosync orbits - they are in a fairly low orbit, and a given satellite probably is only overhead for maybe an hour or something like that. The important thing is that the satellite knows where it is at all times, and it transmits that info which GPS receivers use in their calculations. All satellites drift naturally due to tides, etc, therefore there was already a need to periodically reassess the GPS satellite orbits and update the satellites idea of where it is located...

  24. Re:Keeping them clean? on Time Sharing Cars · · Score: 1

    Uh, if you drive 9000 miles per month, you had better factor in more than a "small amount" for servicing. You'll go through one or two scheduled service intervals every month, and blow through many warranties in only three or four months. $20k sounds like a lot of money per year, but not really for a car that you are driving over 100,000 miles per year. Then again, 300 hours per month is 10 hours per day (at about 30mph to make 9000 miles) - you'd have that car out about as much as it would be in the parking space. If you're driving 10 hours a day you probably don't want to take the advice you suggested and do the service yourself unless you want to be married to your car (that's 2-3 oil changes a month, for starters).

    I can't think of too many people who would put that kind of mileage on a car. Maybe a company might buy that plan as a low-scale fleet-service plan or something like that. If you're going to have that car reserved 10 hours per day, you're basically getting your own car out of the deal. If you drive that heavily and are self-employed it might even make sense to just pay them the $20k/year just to maintain the car for you (in theory they can pick up the car on the rare occasions you aren't in it and keep it in repair, and you have instant choices if it breaks down).

  25. Re:Missing it entirely on Mozilla Lightning to Challenge Outlook · · Score: 1

    FYI - I've been syncing my kmail with my Palm for a while now. Alas, mail does not work, but contacts/calendar do. My guess is that the kpilot conduits only work for the kmail inbox - but I use IMAP for all my folders so nothing is in that inbox...