I hear they give off radiation.
uhhh 'dark' web? can you call it that any more? coloured? african american?
Use a screen-reader for the blind. At worst, the graphical ad will be replaced by text read off in robo-tone by my computer.
Oh wait, now the newspapers will claim that screen-reading software is illegal too since it blocks the pictures of the ads.
--
Seriously, back in the last century, I browsed "with images disabled" mostly for speed reasons, but it had the nice side-effect of blocking most ads.
If the USB port chipset is smart enough, it may communicate with the plugged-in devices in ways that are harmful - such as exploiting a bug in the USB chipset's firmware - before the non-firmware software can act on it.
This is where a "USB condom" comes in - while it is a single point of failure (its software can be buggy) it is a single, small thing that can be designed and built with security in mind from the get-go.
Get him to do what a lot of people do :).
First person to invent a cheap, provably secure, not-already-patent/intellectual-property-encumbered "USB condom" (really, a very small computer) that sits between my computer and a USB stick which disables boot, Windows-auto-run, device-driver shenanigans, and the like gets the win.
--
One of many possible ways to do this:
* Assume the device is a generic USB memory stick. If it's not, fail.
* If it is, attempt to access the files using generic methods. If it doesn't work, fail.
* If it's not a recognized filesystem (fat-variations, ntfs, ext2-variations, possibly others), fail.
* Present the directory-tree to the user's real computer as a sub-tree so any files the host sees in the "root" directory as "special" aren't there.
* Present the "device" to the host as read-only.
* Consider simply not presenting well-known files like autorun.exe to the host computer at all.
The hard part will probably be that future USB sticks may not work with today's "USB condoms" as, by definition, the "condoms" would not trust any device-driver-like code that resides on the USB stick. This can be partially mitigated if the USB stick's device-driver-like code is signed and the signer's key is trusted by the "USB condom." But this is not without its own risks.
--
Bonus points if the "USB condom" also stops hardware trojan horses like the "plug me in and 30 seconds later I'll fry your USB port" devices, even if it has to die in the process.
-------------
Note - I haven't done a Google search - such a thing may already exist. If it's cheap (under $10) and proven to provide protection without doing harm, I'm interested in buying a few.
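An added example, not code from the original comment: the presentation policy listed above (fail closed on anything that is not a plain mass-storage device with a recognized filesystem, nest the stick's root under a sub-directory, hide well-known "special" files, export read-only) modelled as a filter over a constructed directory listing. All class and function names here are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Filesystems the gateway is willing to interpret with its own parser;
# anything else fails closed and nothing is exposed to the host.
RECOGNIZED_FS = {"fat12", "fat16", "fat32", "exfat", "ntfs", "ext2", "ext3", "ext4"}

# Well-known files a host may treat as "special"; never presented at all.
HIDDEN_NAMES = {"autorun.inf", "autorun.exe"}

# The host sees the stick's real root nested under this directory, so nothing
# from the stick can appear in the root the host inspects for special files.
EXPORT_DIR = "contents"


class RejectDevice(Exception):
    """Raised when the gateway fails closed and exposes nothing to the host."""


@dataclass(frozen=True)
class Stick:
    device_class: str                  # interface class seen at enumeration
    fs_type: str                       # filesystem type found by the gateway's parser
    files: Optional[Tuple[str, ...]]   # paths relative to the stick root; None = generic read failed


@dataclass(frozen=True)
class HostView:
    read_only: bool
    files: Tuple[str, ...]


def build_host_view(stick: Stick) -> HostView:
    """Apply the policy steps in order and return what the host may see."""
    if stick.device_class != "mass-storage":
        raise RejectDevice("not a generic mass-storage device")
    if stick.files is None:
        raise RejectDevice("generic filesystem access failed")
    if stick.fs_type.lower() not in RECOGNIZED_FS:
        raise RejectDevice("unrecognized filesystem: " + stick.fs_type)
    exported = []
    for path in stick.files:
        parts = [p for p in path.split("/") if p]
        if not parts or parts[-1].lower() in HIDDEN_NAMES:
            continue                     # drop well-known special files anywhere
        exported.append("/".join([EXPORT_DIR] + parts))
    return HostView(read_only=True, files=tuple(sorted(exported)))


def is_accepted(stick: Stick) -> bool:
    """True if the gateway would present this stick at all."""
    try:
        build_host_view(stick)
        return True
    except RejectDevice:
        return False


def handle_write(view: HostView, path: str) -> bool:
    """Host write requests are refused on a read-only view (caller reports EROFS)."""
    return not view.read_only


# Constructed sample stick: a FAT32 stick carrying autorun files in its root.
SAMPLE_STICK = Stick("mass-storage", "FAT32",
                     ("autorun.inf", "autorun.exe", "docs/report.pdf", "photo.jpg"))
```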
I made a router with no root admin password.
"Almost" because I didn't plug it into the interwebs :).
Oh, I guess it doesn't count that I started with a PC, two NICs, and a Linux distro. But hey, it ran Linux, so that counts for something.
But yeah, as a commercial product that is supposed to be runnable out of the box by an unsophisticated user, I expect it to be "fit for its purpose" - which means that at a minimum, its security reflects industry best practices.
I heard that the Obama girls had color printing devices when they moved in back in 2009.
Many companies have "customer retention specialists" who will waive fees if you threaten to bail to a competitor AND you are a "valuable enough" customer to make it worth their while.
In many companies, almost all customers are "valuable enough," so unless you've made a nuisance out of yourself so much that you are a "net loss" for them, they'll probably work with you.
On the other hand, if this company's attitude makes you want to quit just on principle, then by all means quit. If enough people do, it will send a message.
If that doesn't scream "slashvertisement" I don't know what does.
To me, "financial engineering" is pretty much synonymous with "complete and utter bullshit and thinly disguised fraud".
Sometimes it is that.
But sometimes it's just knowing the rules so well that you can optimize otherwise-unimportant decisions to maximize profit.
For example, if I know I'm going to need to sell some stock so I can pay for my kid's college education, do I sell the shares that I bought over a year ago, do I sell the ones that I paid the most money for, or does it really matter? In the absence of capital-gains taxes and the ability to count losses against ordinary taxable income, it wouldn't matter. But if you live in a country where stock held over a year is held more favorably and where you can reduce your taxes by "realizing" a capital loss, the simple decision of "oh, just sell as many shares as you need to fund your kid's education, it doesn't matter which shares you sell" now becomes an opportunity to do some financial engineering to lower your tax bill.
Let's try that test again using actual bullets, or, if you must, identical-mass projectiles.
A 1-inch steel ball has a mass of about 66g, give or take.
66 grams is about 1020 grains give or take.
Your typical 44 magnum - which was one of the biggest bullets used in the video - typically weighs in at 250-400 grains, but it could be a tad more.
So, if we cut the mass of that steel ball down to that of the 44 magnum - either by using some other material, making it hollow or filled with air pockets, or reducing its size - how would it compare against the bullet?
If we further reduced its mass so it was equal to the other bullets tested in the video, how would it fare?
My guess is that unless you had a very inefficient gun, the gun would beat the slingshot.
Having said that, there are some inefficient guns out there and I wouldn't be surprised if a few well-known guns were less powerful "at the target" than the best-engineered, best-built slingshot for a same-mass projectile.
4) People who are afraid of people losing their temper or rational thinking ability while armed.
5) People who are afraid that the armed individual will lose possession/control of the gun to someone who is either reckless or intending to do harm.
In short, if you are going to be armed in public and you aren't 100% mentally stable while packing (and a large percentage of the population is at least a bit shy of that mark) AND you have the training, awareness, and physical ability to keep anyone from using your gun (or, in the alternative, you have a gun that nobody but you can fire without fiddling with it for at least a minute), then I don't want to be around you when you are armed.
So a slingshot firing a projectile does more damage than a gun firing an identical projectile, assuming identical projectiles and an efficient, well-designed gun made for that bullet and an efficient, well-designed slingshot made for the same projectile.
I think not.
Heck, even if you allow for the small extra mass of the shell casing and un-exploded gunpowder in the slingshot, the gun will send the bullet out with far more momentum and far more energy than any normal slingshot could.
fueled by excessive debt and financial engineering
In Capitalist America, financials engineer YOU!
* Register domain that China government hates
* China-based script-kiddies can't get to me
* ???
* PROFIT by being able to focus my security infrastructure on more serious security threats (like the Chinese-government-trained/sponsored industrial-espionage-hackers???) instead of wasting time swatting the script kiddies that happen to be in China.
Now if only it was that easy to get rid of the script-kiddie problem worldwide.
I know! I'll use a Martian IP address!!!
I don't *always* boot from non-writable media.
Unless you are going to tamper with the firmware or its settings, "good luck" changing my boot sequence.
Oh, by the way, a comment at this Trend Micro write-up suggests that the initial program that infects the system won't work unless the user has administrative privileges.
Companies don't want to invest in actual security though as it costs them lots of money and usually makes a product less friendly.
"it costs them lots of money" vs "going bankrupt from the bad reputation and lawsuits resulting from multiple serious breaches" - which is going to happen sooner or later.
"product less friendly" may be a necessary inconvenience, much like having to lock your home when you go to work every day is a necessary inconvenience.
What I envisioned was an offline system that could retrieve data in a matter of minutes, with a "skinny pipe, heavily alarmed with independent monitoring equipment" system sitting between the offline storage system and the "main, online" system. "Skinny pipe" to make it physically impossible to do a wholesale data dump in a short period of time, and "heavily alarmed with independent monitoring equipment" so the alarms can't be hacked through normal means (they could be hacked by social engineering or perhaps by side-channel attacks, but the latter is hard and the former can be controlled by limiting access to a few well-trained, loyal individuals).
Essentially this is the computer equivalent of having a locked file-room with only 1 person allowed to access it, with several well-trained, highly-observant, loyal-to-the-company people watching that one person and raising an alarm any time that person's behavior was out-of-the-ordinary. That person would retrieve data from the locked file-room upon request and store changed files upon request, with all transactions logged for audit purposes.
The analogy breaks down since the "main, online" part of the computerized system would have to purge its copies of data after a short period of time - typically hours or days but in some use cases perhaps in seconds or, for that matter, weeks, and that capability isn't reflected in the analogy above.
Is it time for companies to keep most customer records "near-line" instead of "online"?
Yes, this may mean having the company put you on hold for a minute or two while your record gets moved from "near line" to "online" when you call for help, but at least "massive" data breaches will be "less massive."
Question: What's another major advantage of keeping records "near-line" besides fewer victims?
Answer: You can keep track of how many records are being moved in any given period of time and quickly respond if the numbers become anomalous.
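An added example, not code from the original comments: the "skinny pipe" between near-line storage and the online system, an independent monitor that counts record moves per window and alarms when the count becomes anomalous, and an online cache that purges its copies after a short TTL, run over constructed request traffic (normal pace, then a burst). All names and thresholds are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SkinnyPipe:
    """Hard cap on records moved per window (the physical analogue is a slow link)."""
    max_per_window: int
    window: float
    moves: deque = field(default_factory=deque)

    def request(self, now: float) -> bool:
        while self.moves and now - self.moves[0] >= self.window:
            self.moves.popleft()
        if len(self.moves) >= self.max_per_window:
            return False                 # pipe is saturated: refuse the move
        self.moves.append(now)
        return True


@dataclass
class Monitor:
    """Keeps its own count of attempted moves, independent of the pipe's state."""
    expected_per_window: float
    window: float
    factor: float = 3.0                  # alarm above factor x the normal rate
    seen: deque = field(default_factory=deque)
    alarms: list = field(default_factory=list)

    def observe(self, now: float, record_id: str, served: bool) -> None:
        while self.seen and now - self.seen[0] >= self.window:
            self.seen.popleft()
        self.seen.append(now)
        if not served:
            self.alarms.append((now, f"pipe refused record {record_id}"))
        elif len(self.seen) > self.expected_per_window * self.factor:
            self.alarms.append((now, f"{len(self.seen)} attempted moves in {self.window:g}s window"))


@dataclass
class OnlineCache:
    """Online copies live only for ttl seconds, then are purged."""
    ttl: float
    entries: dict = field(default_factory=dict)

    def put(self, now: float, record_id: str) -> None:
        self.entries[record_id] = now

    def purge(self, now: float) -> None:
        self.entries = {r: t for r, t in self.entries.items() if now - t < self.ttl}


def run(requests, pipe: SkinnyPipe, monitor: Monitor, cache: OnlineCache) -> list:
    """Process (timestamp, record_id) requests; return the ids actually moved online."""
    served = []
    for now, record_id in requests:
        cache.purge(now)
        ok = pipe.request(now)
        monitor.observe(now, record_id, ok)
        if ok:
            cache.put(now, record_id)
            served.append(record_id)
    return served


# Constructed traffic: one lookup a minute, then 20 lookups in 20 seconds.
NORMAL = [(t * 60.0, f"cust-{t}") for t in range(5)]
BURST = [(400.0 + i, f"cust-{1000 + i}") for i in range(20)]


def demo():
    pipe = SkinnyPipe(max_per_window=10, window=300.0)
    monitor = Monitor(expected_per_window=3, window=300.0)
    cache = OnlineCache(ttl=300.0)
    served = run(NORMAL + BURST, pipe, monitor, cache)
    return served, monitor.alarms, cache.entries
```

The burst is stopped at the pipe after seven extra records, and the monitor raises its first alarm one request before the pipe starts refusing, so the spike is visible even if the pipe itself were bypassed.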
... The FBI might be snapping photos of you anyways.
... are made for suicide and for well-known highly-correlated conditions like epilepsy?
In other words, do an Apples-to-Apples comparison, and answer these questions:
* What is the decrease in age attributable to suicide among those without other correlated conditions, compared to those in the general, non-Autism-spectrum population without correlated conditions?
* For each correlated condition, is there an increase in suicide compared to those not on the Autism spectrum who have the same correlated condition? If so, how much does this decrease the overall lifespan for those on the Autism spectrum?
* For each correlated condition, is there a non-suicide-caused decrease in lifespan compared to non-autistic-spectrum-disorder people with the same correlated condition, and if so, how big is it?
* For those who have neither a correlated condition nor who take their own life, is there a decrease in lifespan compared to the general population, and if so, how big is it?
This is supposed to be a solution? Sounds like everyone making their own proprietary ethernet connectors.
It will only be a solution if vendors and end-users get on-board with a single, non-proprietary standard way of doing this.
They will only get on-board with it if they see an up-side greater than the down-side.
There is a small obvious up-side, namely, a smaller connector. There is another obvious Machiavellian up-side for vendors: People will need to buy adapters.
The obvious down-sides are "yet another standard/more cables in my 'go bag,'" "manufacturing costs," and "who controls the patents and how much is it going to cost me to buy in?"
If some generous inventor is willing to give away his technology, that last one can be all but eliminated (there will still be the risk of "submarine patents" and the like).
But yes, all things considered, if there is no intellectual property or other non-technical barrier I can see this being a solution to connecting very thin devices to a wired Ethernet LAN without having a bulky RJ-45-sized chunk of plastic lying between the wall jack and the computer.
It may be a moot point in a few years with WiFi and even-shorter-range connectivity being widely available.
For non-portable devices in offices, I see future "cheap, fast, not-necessarily-wall-penetrating, high-speed wireless" standards gradually replacing wired connections in 5 to 15 years: You put a cheap access point in every room, and put an antenna on every device.
For portable devices, "what is this wired Ethernet of which you speak?" (with the "and where can I [obtain/invest in] it" part notably absent) is already the appropriate meme.
I wonder how much patents are preventing this from becoming popular, either
* directly, because not everyone is allowed to license it?
* indirectly, because the cost of licensing is more than "noise" compared to the actual cost of manufacture?
* indirectly, because the existing market players are loath to embrace something that is "owned" by someone else and are waiting for the patent owner to donate it to a patent pool that they already participate in.
Also, the AC poster calls this "a new standard for physical ethernet cabling" but a quick Google search doesn't turn up anything suggesting that this connector has been approved by any of the major standards bodies. It's also called "RJ point five" in all of the vendor-related web sites that I found, suggesting that it is not a true RJ ("registered jack") standard.
Make a suitable teeny-tiny 8-pin connector that has the key features of the current jack, namely that you can't plug it in wrong and you can't just "pull it out" thanks to the locking tab.
Then have low-cost adapters that convert it into a standard RJ-45.
The advantage of this is you can also create standard, small, self-contained USB2/3, USB-C, or what-not-to-"new"-Ethernet-adapters that fit in a thin form-factor from the computer to the wall.
It might look like this:
[RJ-45 wall jack] [RJ45 to "thin" adapter] [Ethernet wire with "thin" adapters at both ends] ["thin"-adapter ethernet to USB2/3 or USB-C adapter] [computer].
For the data center and other places where you typically crimp your own cables, continue to use existing wiring standards.
For your "go bag" have a variety of male-to-female adapters of both "thin" and "classic" varieties, much like techs used to have 9- and 25-pin serial adapters in various gender configurations in their "go bag" back in the day.