If ever there was a "get off my lawn" post...
I simply lost my first account. I don't even remember the username (if I did I *might* remember the pwd).
I don't know why or how, but that just made my day so much brighter. /hat tip
I worked a retail job that was all sorts of f'd up (pay wise) fresh out of high school.
It was commission draw, which means you're guaranteed minimum wage, but once your commissions exceed that, any time you were performing below it was taken out of your earnings to repay it.
E.g. assuming a $10/hr minimum wage (easy math):
you worked a sloooooow day for 8 hours and sold only $40 worth of commission; you're paid $80 ($40 commission + $40 draw).
Next day was a lot better and you sold $120 worth of commission in 8 hours; you're paid $80 ($120 commission - $40 draw from yesterday).
While in theory this was okay, the problem was that when you were working and the store was closed you effectively were not paid.
Add to that some of the products had negative commissions...
So, the game that was used: on a slow day buy a product for cash that was on incentive (high commission for short time) that was due to be off before 30 days were up.
Wait between two weeks and 30 days for it to clear your paycheck *and* the spiff to go away, return for cash under generic ring number.
Naturally this resulted in arrests for fraud, which resulted in countersuits for unfair pay. All in all a total F* fest.
Old way of straight pay (above min wage) for hours worked and *stores* getting a bonus for good performance worked a lot better.
-nb
I would love to see an autopilot car in NASCAR.
What's the over/under on all data stored in the clear unhashed/unsalted?
based on the sample data, it looks like it was *all* cleartext, nevermind salted.
correlation, causation; tomAto, tomAHto
We just hired a (bright) guy that used to work for Harris. Shite company from what I gather.
-nb
First and foremost: I completely agree.
Now devil's advocate:
How about unreasonable search and seizure?
Your choice to broadcast your signal gives implicit rights for them to read the signal, much like your choice to place your garbage into the county provided can on the curb.
How about due process?
See above, there is not a due process violation if all they are doing is processing through the signal you sent.
How about manufactured evidence?
There is a chain of custody to be followed, manufactured evidence would require breaking a seal on the device, much like a radar gun.
Is using the spectrum like this even legal? Aren't they violating the licensing laws of the spectrum?
One would hope they got a licence from the FCC. *snort* (sorry, couldn't keep a straight face on that one)
Seriously though, the same argument that has been set forth about using open WiFi APs and even breaking WEP/WPA to use APs that are broadcasting past a property line applies here with your phone and any cleartext that is sent / ciphertext that is broken.
I'm happily in a state where a warrant is required to use one of these... not that I think they are used anyway, but at least if there is no warrant the evidence is inadmissible and via poisoned fruit any evidence looked for because of one of these also becomes inadmissible (I think).
-nb
Actually it is a good bit of research.
Conceptually, sure it was straightforward. That doesn't mean the implementation was simple. A huge part of stuff like this is what you learn while doing it. Sometimes things that seem obvious turn out not to be.
A famous example:
Supersonic flight. At some point as you cross the threshold your up and down are reversed in supersonic flight. Early pilots pulled up to avoid the ground and as a result crashed harder. Pretty counterintuitive, but that was the case.
I would bet that some of the things that intuitively went together (like improving the accuracy of the EM wave interpretation with results from the sonic detection) had lots of gotchas in them.
-nb
I have encountered those types as well.
They can *perfectly* follow a list of instructions, even those with branches, so long as those branches describe exactly what they see.
Those people are invaluable in an HVM testing environment where it's:
* Load trays in tester
* Push run button
* Unload passed and failed parts, put on appropriate shelves
* If tester jams like picture A do worksheet FOO
* If tester jams like picture B do worksheet BAR
All is well. BUT if the tester jams and it's not like A || B they are hopelessly lost.
Same with switch config and debug.
-nb
My only beef with Clinton comes down to her *willful* flaunting of the law about State documents and email on a private server.
That. Is. Not. Okay.
The classification of the material is actually irrelevant, the law is crystal clear and she violated it. Those e-mails have to be auditable. I get that the State Dept servers blow chunks, and that realistically you have to work around them, so set up a parallel server on *government* machines that you can use. That way they are still part of the audit and backup process.
She'll be another Nixon. Willing to flagrantly delete evidence rather than not doing things that are really bad in the first place.
the realization that you're right makes me profoundly sad...
Same Java problem here. I actually modified the hosts file on my dev machine to blackhole the java update domains.
Red
Asteroid
Pussball
FTW!
I'm guilty of similar.
"What the hell were you thinking?"
answer about thinking about security by design
"clearly not, since I can overflow your input right here."
but you shouldn't do that
"and your code shouldn't roll over and die just because of malformed input!"
That landed me in a meeting about sensitivity.
Mind you, this was a public facing API I was criticizing and the dev had rejected the bug I filed on it for this reason.
-nbr
but it's not the exact center b/c the mapping company rounded.
Text should read:
This is the default location for all IP lookups and is... not the location you are looking for.
Likely now they have to give a location or will break services that assume no token for "not found". Since most of the trouble is caused by criminal complaints... 1600 Pennsylvania Ave should work (or even better, whatever the address for Congress is).
Realistically they should return 0.0 0.0, a nice point in the ocean.
-nbr
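The post above is about what a geolocation service should hand back for an IP it cannot place. The following is an added example, not code from the original post or from any geolocation provider, that contrasts two API shapes: one that returns a sentinel coordinate for "unknown" and one that returns an explicit absence. The addresses, coordinates, the `SENTINEL` point and all function names are constructed for illustration; the consumer `incidents_near` stands in for any downstream tool that maps complaints onto a coordinate without asking whether the coordinate is real.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GeoPoint:
    lat: float
    lon: float


# Constructed sample table using documentation-range addresses; not real data.
SAMPLE_GEO_DB: Dict[str, GeoPoint] = {
    "203.0.113.7": GeoPoint(37.7749, -122.4194),
    "203.0.113.9": GeoPoint(37.7751, -122.4180),
    "198.51.100.4": GeoPoint(51.5074, -0.1278),
}

# Hypothetical "we don't know" coordinate a provider might emit.  Whatever
# value is picked, a consumer that never checks for it treats it as a place.
SENTINEL = GeoPoint(38.0, -97.0)


def lookup_with_sentinel(ip: str) -> GeoPoint:
    """Sentinel-style API: unknown IPs silently resolve to SENTINEL."""
    return SAMPLE_GEO_DB.get(ip, SENTINEL)


def lookup_explicit(ip: str) -> Optional[GeoPoint]:
    """Explicit-absence API: unknown IPs return None so the caller must decide."""
    return SAMPLE_GEO_DB.get(ip)


def near(a: GeoPoint, b: GeoPoint, tol_deg: float = 0.05) -> bool:
    """Crude proximity test in degrees; good enough to show the failure mode."""
    return abs(a.lat - b.lat) <= tol_deg and abs(a.lon - b.lon) <= tol_deg


def incidents_near(
    ips: List[str], point: GeoPoint, lookup: Callable[[str], Optional[GeoPoint]]
) -> List[str]:
    """Naive consumer: every IP whose coordinate lands near `point` is 'at' it.

    Fed the sentinel-style lookup, every unplaceable IP is attributed to
    whoever happens to live at the sentinel coordinate.
    """
    hits = []
    for ip in ips:
        loc = lookup(ip)
        if loc is not None and near(loc, point):
            hits.append(ip)
    return hits


def incidents_near_safe(ips: List[str], point: GeoPoint) -> Tuple[List[str], List[str]]:
    """Consumer that keeps 'unknown' separate from 'located near point'."""
    located: List[str] = []
    unknown: List[str] = []
    for ip in ips:
        loc = lookup_explicit(ip)
        if loc is None:
            unknown.append(ip)  # report as unplaceable, never as a coordinate
        elif near(loc, point):
            located.append(ip)
    return located, unknown


if __name__ == "__main__":
    complaints = ["203.0.113.7", "192.0.2.1", "192.0.2.2", "198.51.100.4"]
    # Two unknown IPs get pinned on the sentinel address.
    print(incidents_near(complaints, SENTINEL, lookup_with_sentinel))
    # Same data, explicit absence: nobody is located there, two are unknown.
    print(incidents_near_safe(complaints, SENTINEL))
```

With the sentinel API the two unplaceable addresses (192.0.2.1 and 192.0.2.2) show up as incidents "at" the sentinel point, which is exactly how a default coordinate turns into a stream of complaints aimed at one physical location. With the explicit-absence API the same consumer has to carry an "unknown" bucket and nothing is attributed to a place the data never supported.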
the same thing that makes those shows bad in syndication makes them great for Netflix binge watching!
-nb
My IRL experience was very similar.
Amazing how blind I can be now.
Sadly my fingerprints still cause me trouble when applying for some forms of access, even though I was only a witness.
-nb
Netflix's deep catalog ended my piracy, since they made it so much easier... :/
I even bought a fire stick to get access to Prime content, only to find that nearly everything on prime you still have to pay extra for.
Time to fire up uTorrent and Plex once again
(I liked not having to manage my own content catalog for a few years).
/hat tip
"see one of my co-workers lose his new iPhone to the shredder"
Bwahahahahaha awesome!
We have systems that are not air gapped (as I can remotely access them) but are not connected to the network either. We use an IP KVM solution to connect keyboard, mouse, monitor remotely. Much more secure against this kind of attack. Of course a bad guy at the terminal or prepared for such a setup can script keyboard commands and a series of screenshots, but the barrier is much higher than for directly connected systems.
Defense in depth.
-nb
I have an SVN repo on the same server that hosts my sites. All code is linked from there for js stuff.
I have a private side as well that I use to deploy all server side code from. Works quite well.
-nb
/thread
+ multiple Internets
I used it as proofing for my 4x5 camera.
I did not need great quality, just good enough, so I didn't waste my expensive sheet film.
Now, if the price for Fuji increased to the point that it was over 25% of the cost of my sheet film then I would not have bought it anyway.
I believe the market is simply dead.
-nb