A good number of laptops use a Type M barrel connector
Some do not. For example, Lenovo. And while some laptops use round connectors, the OD/ID can vary.
1 or 2 cables into a universal dock has been a reality for me since I bought this laptop at the beginning of 2014 and has been possible way longer than that.
Congrats for you. For those who don't own a Macbook Pro, a universal dock means they can do this in the future. And they can change laptops without requiring a new dock. In the past, it wasn't guaranteed that different models from the same manufacturer could use the same dock.
If IIS was used, and the CIO saw a report that said there was a flaw in IIS, he could probably consult the database of licenses they have for IIS, find out where it is used, and ask to see what patches were applied.
First of all, Hahahahaha. I don't know about you but all the CIOs I've dealt with never looked at reports about which software had which bugs and when they needed to be applied. They were more concerned about larger matters like if there was scheduled downtime and new systems and how to coordinate such downtime. They left the details of what to patch and when to sysadmins. Here's this month's Oracle security bulletin. Even when I worked with the Oracle team at my company, I didn't know if we used some of these products without a great deal of research. The Oracle team would also have to research it. Unless the CIO is some sort of Rainman with instant recall of everything that the company uses, he won't know either. At best it gets delegated.
Second, the database of licenses? Bahahaha. You could look at that if there was a magical repository of every license type that the company used. Let's hope that it is never outdated. That your company doesn't have multiple sites and countries. In other words, a perfect-knowledge scenario that every person watching CSI is used to, having all knowledge instantly and correct.
If Apache is used, and he sees a report that there is a flaw in Apache, how can he see where Apache is used if the company has not tracked FOSS?
Same way every CIO learns whether they have Apache: they ask their subordinates. Preferably the people in charge of the web servers.
Most companies will have a policy that says all commercial software must be licensed, and will keep track of where those licenses are used. Apparently far fewer companies have policies saying all FOSS usage must be tracked, and THAT is what the article is about.
You are assuming that a company using FOSS doesn't have any policies by that statement. False dichotomy.
USB-C isn't adequate for every laptop, but some laptops now use it for charging. USB-C alone allows for 15W and USB-C with Power Delivery allows for up to 100W.
Equifax did not patch until 6 months later. WHY?
I don't know. And unless you work in Equifax neither do you. What we do know is that there was a patch for the flaw because open source is, well, open about bugs and patches.
Who was responsible for patching the systems and making sure the patches were applied? It certainly should not be left to some admin, it should be way higher up (CIO). But if there is no policy regarding use of open source, and the CIO has no accurate inventory of what software is in use where, how is he supposed to do that?
None of what you said applies ONLY to open source. It also applies to closed source. For example, if there is a flaw in the IIS web server, who's responsible for patching it? Why doesn't the CIO know about every single piece of closed source software that his company uses? That's more an indication of bad management than of open source.
I'd say it has more to do with the fact that tablets and smartphones are generally okay for most people to do the majority of their computing tasks these days. For those that need a desktop or laptop, one from several years back is sufficient. Gamers and some professionals need the latest and greatest. For example, my parents got a new laptop only because their last desktop died and only for certain things. They use their tablets/phones for things like checking mail and reading news.
But if you are not hard-core gaming, then most people are fine with a computer made years ago and are somewhat okay with tablets.
If you are a middle manager, the situation is different. Your goal is not to minimize failure, but to protect your career. Proprietary software gives you someone else to blame.
Only if your manager is stupid. Say it was a Windows IIS bug that was the problem and that bug had been patched six months prior. The manager could blame MS but MS would turn around and say it was already patched.
Especially the example they cite is flawed. Equifax did not install a patch to Apache Struts that was six months old by the time the breach was announced. With closed software, Equifax may never have known that their software had a patch until after the vendor may have acknowledged it.
The devices, my friend... the devices. I even said devices. Name one device that implements both USB and Thunderbolt over a USB-C port.
Ruling out all Apple devices? Well let's start with the obvious PC ones: laptops, desktops. There's also Thunderbolt docks. How about Thunderbolt 3 monitors?
Please, try not to be pedantic and point out that a computer is technically a device; you know precisely what I'm getting at.
Now that I've shown you that you're wrong are you going to change the meaning of the word "devices"?
The problem is that USB-C is being used as a universal connector for many different things because of some goal to have "The one true connector". Many geeks have called for this in the beginning days of USB. The implications are now starting to hit in how it might be confusing to have the same connector do two different things and it matters which of the two ports are used: Is this the power charging port or the mostly data port? For now I see it as part of growing pains with the new connector. Better labeling by the computer manufacturers would help.
I still don't get why they combined data, A/V, and power into one interface. Was this really an issue that needed solving? Were there devices out there that just couldn't handle an extra port or use Bluetooth or some other wireless tech for their needs?
Laptops: Before USB-C, laptops all used proprietary power connectors and required proprietary docks if you didn't want to unplug/plug in 3 or 4 cables every time you wanted to move the laptop. This move allows you to plug in 1 or 2 cables into a universal dock.
Here's what I don't get. Like in your example with the phone and battery pack -- How do devices decide which way the power should flow? If I connect several battery-powered devices together through a USB-C hub and all can both power and be charged by the same port, how do they negotiate which device drains to power the others, if any?
From what I can tell battery packs solve this by having 2 ports: 1 for output and 1 for input. Thus no need to "decide" which way it flows.
Wake me up when that happens. What you're missing was that USB (the protocol, not the connector) does that by default; adding Thunderbolt to the mix means that Thunderbolt devices now need to also add in USB chipsets in order to gain that ability and, well, most of them don't.
[sarcasm] Well that changes things because no computer manufacturer implementing Thunderbolt would ever implement USB at the same time in the same computer. That's ludicrous! That would never happen as no computer manufacturer wants their computer to use USB peripherals.[/sarcasm] Oh wait, they all pretty much do.
If you know the PSK, then you can set up your own AP with the same SSID as the legit AP. The client doesn't know which one is the 'correct' "CafeNetwork". You don't have to compromise the AP to do that, you have enough knowledge to impersonate it. In both cases the client wants to get to the internet, so it's not like that AP provides something uniquely qualifying it other than the correct PSK.
That's a lot of work to almost achieve the same thing but not really. If you set up a rogue AP, you still have to fool the target into thinking it is the same network. That requires the target to join the new network. Also setting a rogue AP does not send the same encryption key in the handshake unless you use this flaw. This flaw allows you to bypass all of that. Again, knowing the PSK or not knowing the PSK gives you nothing.
If you don't believe me, set up your scenario and see for yourself. Your device doesn't automatically join your rogue AP. Thus it doesn't leak traffic.
You just proved his point. It's a freaking connector. The interface behind the connector is what you are complaining about. If your beef is with Thunderbolt, that's with them, not USB-C. That's like complaining that the optical disc (CDs, DVDs, Blu-ray) has terrible DRM and proprietary interfaces when the physical dimensions of the disc have nothing to do with the content placed on the disc.
You realize that other than supplying power, the interface is essentially crap, right?
In what way does that negate your assertion? As for your new assertion, please explain what you mean, as USB-C being smaller and bi-directional is only a connector.
When functionality becomes that crippled, the interface might as well be proprietary crap.
Do you realize USB-C is only a connector, right? The interface behind it might be USB 3.1, USB Power Delivery, etc., which is not due to the connector.
It also tends to make a device rather fucking worthless when your I/O is nothing but a handful of power plugs.
Please explain what you mean as this makes no sense.
What the hell are you talking about? USB-C is an industry standard that all PC makers are moving to implement. For years (and still now) the complaint about Apple is that they use their own proprietary connectors like Lightning. This one isn't theirs and you can blame the USB Implementers Forum for the design choices. While Apple is a member of the forum, so are HP, NEC, Microsoft, and Intel.
I wish this kind of fucking courage would spell the demise of such stupidity, but chances are Apple's particular flavor of ignorant Greed will force them to double-down on proprietary interface bullshit to maximize revenue streams. Soon, every model will be devoid of tried and true interfaces, and we'll be left with "you're plugging it in wrong."
Please explain what you mean, as Apple actually has to pay the non-profit USB Implementers Forum to use the tech (like everyone else). Also, you do realize you can't plug in USB-C cables wrong, as the connector is not directional. But let's look at what USB-C replaced: Apple MagSafe power (Apple proprietary), USB-A, Thunderbolt 1 and 2 (proprietary to Intel), HDMI (also proprietary). Only the power connector was one that Apple owned. So please explain to me how Apple "doubles down" on interfaces which they don't own and gets revenue.
Nope. PSKs are never sent over the network in a reversible encryption, hence the name "pre-shared". The attacker cannot get the password using this method, so cannot compromise your entire network and assuming you're using AES they can only listen to the targeted device. So if one device on the network is exploitable and another is not, they can listen in on the compromised one, but the other cannot be listened to.
Are you not assuming that a device never drops a connection to a wireless network and has to re-establish credentials? In re-establishing credentials, anything that device is sending to the real network might be sent to a fake network.
That's my point, that this attack is only valuable if you don't know the PSK. In most public wifi locations, you know the PSK. (Simplified to speak only to WPA-PSK).
Knowing the PSK does not mean you can snoop on someone else's traffic unless you've compromised the AP. Whether you know the PSK of "CafeNetwork" does not mean you can listen to John Doe using the same network. This attack lets you eavesdrop on a device.
You didn't watch the video. It clearly shows a MITM attack.
The attack requires spoofing the AP. The client (your device) will certainly need to be patched. Hardening the AP's firmware so that spoofing is less likely is most likely the fix.
Bold claims from an AC who doesn't understand what an encryption key is.
Pffft. Cat 5 is so 2001. You can't even get it anymore. You can barely get Cat 5e which is gigabit. Many places will happily sell you Cat 6 though.
From the FAQ:
Q: What is the impact?
A: When used successfully against WPA2 with AES-CCMP (the default mode of operation for most Wi-Fi networks), an attacker can decrypt and replay packets in one direction of communication (from client to AP), but cannot forge packets and inject them into the network. When used against WPA-TKIP – an encryption scheme that already suffers from serious security weaknesses and is not recommended for use – an attacker can decrypt, replay, and forge packets.
Care to explain or are you using the opportunity to prove your account name?
Coming from an AC, that is ironic. How about: YOU FIRST.
For a private laptop connecting to public wifi hotspots, this attack is harder than just setting up another credible wifi hotspot. Any place where the wifi password is well-known knowledge is never going to be rigorous security.
The attack doesn't rely on knowing or compromising the password or securing the network at all. What happens is an attacker sets up "CafeNetwork" on a different channel than "CafeNetwork". A device can connect to rogue "CafeNetwork" assuming it is the real one. As a MITM attack, the rogue network can listen in on traffic. If the traffic was previously encrypted with HTTPS, it provides some security but it is not foolproof.