It is a lot harder to build bombs... Guns are a lot more... efficient.
It may be harder to build bombs than to grab some guns, but the guns are not more efficient. The largest school killing in US history was done with explosives.
See the GP -- with school killings, you're not dealing with a rampage; you're dealing with someone who is fed up that people aren't seeing things their way making sure that people finally listen to them. Teenagers are intelligent enough to know that indiscriminately blowing up a chunk of property with a bunch of people on it, some of which are the ones they're fed up with, won't really get their point across. However, they figure that everyone, including their target, seeing them walk in with a gun, take aim, and fire, will be able to connect the dots and see this as avenging justice. This is the mindset, and guns are a very efficient way of pulling this off. Of course, those who consider this avenging justice are wrong, but that doesn't change the reasoning.
If you're in Jilin province China, backing a pickup truck into a tower is going to be a wee bit tricky. Clicking a button to take out power for the Midwest? Pretty easy at the moment.
Uhh... What? Would you care to back this statement with something other than FUD and bollocks? Please educate yourself on NERC CIP.
No, I wouldn't. And I already have; and it doesn't really matter.
The issue is that how things actually exist doesn't line up with the procedures and protocols that are laid out. Sure, they're followed properly in most installations, but all it takes is one, and as we've seen, you can get a cascading failure. Right now what's protecting the grid is a combination of CIP 5 compliance, complexity, and obscurity. An attacker can overcome the second remotely and wait for someone to breach the first -- leaving the last as the final bastion of protection.
Now the reality is that to get past the last one, you either need an all-out digital assault on the infrastructure, which gives away the attacker and highlights the insecurities in a way that they can likely be protected prior to catastrophic failure, or you need a man on site to run discrete tests, such as what was done with stuxnet. But once that's done, you don't even have to be on the same continent to set off the appropriate chain of events to cause failure.
Ah; but the guy down at the station babysitting the PLC probably wants to get his Facebook fix too -- so he hooks up a wireless USB stick and presto! The entire national WAN is now online....
And the next day, he finds a pink slip waiting for him.
You have much faith in his local IT managers and their managers... I've seen places run for months with such a setup with nobody noticing... and then when something happens as a direct result of the rogue router, it still takes significant time to isolate it and take appropriate steps. Sometimes, the guy who set up a system like this doesn't even work for the company by the time they realize what is wrong. This despite the fact that on paper, it should be as you say -- something logged and flagged up, resulting in a pink slip less than 24 hours later.
I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.
If you're in Jilin province China, backing a pickup truck into a tower is going to be a wee bit tricky. Clicking a button to take out power for the Midwest? Pretty easy at the moment.
Ah; but the guy down at the station babysitting the PLC probably wants to get his Facebook fix too -- so he hooks up a wireless USB stick and presto! The entire national WAN is now online....
Why not a separate WAN for the power based stuff, similar to NIPRNet and SIPRnet? That way, if there is a bridge across the Internet, it is point to point encrypted, but most traffic would be on separate leased lines. With this in place, combined by measures to limit connectivity, it would make it far harder than just having an Internet connected box to be able to do power grid shenanigans, unless one has physical access to the substations/stations.
Because you have to treat the network as if it is already compromised -- as it is guaranteed to be by a combination of ineptness, laziness, malfeasance, temporal complexity creep, etc. Plus, airgapping is not a panacea, as Stuxnet showed us.
Add to that how dumb some of the components of the energy grid are, and you have a situation where you really do have to prepare yourself for the worst. I think the overall chaos and complexity is likely the only thing that has protected it to date.
I had a few other questions as well... This does nothing to protect against tampered hardware (keyloggers, screen captures, etc.). If you're using USB, you also have to trust that you really only have a flash device in that circuitry. Plus, you have to trust that any certificates you use aren't compromised, any exit nodes you use don't belong to the NSA (a large number do), etc.
All in all, this really only protects you if you weren't already a surveillance target and weren't using compromised systems.
Still, it's better than the alternative. Just not "completely secure".
Added to this, most of what they're doing is removing code and exposing the underlying code to the safeguards they already have in place at the OS level. Refactoring suddenly becomes a LOT easier, as there's less to test. They're pruning their tree, essentially.
The beauty is that the way the handlers are designed at the OS level (and have already been tested against all other packages) means that if there IS a failure, it'll immediately cause a hard fail in OpenSSL -- which might seem bad, but it means that it'll be immediately reported and fixed, and the actual problem will be easy to find. It also means that there's less likelihood of an attacker being able to leverage the bug other than to perform denial of service attacks.
Not to mention the fact that the part of the internet NOT controlled by Comcast didn't have the same issues experienced by Comcast customers -- which shows that the issue was at some level, Comcast's problem. Of course, the real issue was their peering agreement with Cogent (who didn't have such issues with others, but Comcast must have, as it would have only been a few hops to route around the peering issue).
In other words, Comcast is looking like a gated intranet, and Netflix has now paid for the access keys in a way that ISPs refused to do. I predict that soon you'll see ads saying "blazing fast speeds within the Comcast Network". So much for net neutrality.
but the first controlled flight was built upon decades of trial; and error, and by 1000's of people.
In other words, the Wright Bros.* flew on the backs of giants. Just in case you wondered how they got off the ground and stayed afloat.
*Yeah; Wright Bros.' claim to first controlled flight is just as strong as their claim to first successful bike repair shop; don't let it detract you from the joke.
ah; I thought "vertically integrated social media" referred to owning the things people talk about, owning the means of telling them what they want, owning the means of discussing what they want with each other and owning the means to buy it.
I didn't realize we had annexed Canada recently. I hope we didn't also get Quebec.
I'd be tempted to accept annexation just for the entertainment of watching the Quebecer's try to pull their entitlement nonsense with the US government.
You obviously missed the recent vote: even the Quebeckers are fed up with their politician's entitlement nonsense. They stated that they prefer a known corrupt leadership to an entitled leadership.
Manufacturers have to rewrite IMEIs frequently when testing prototype phones, as there's a limited pool of test IMEIs. Making the IMEI unchangeable would mean a final hardware change what could be tested only in production.
See Sneftel's response to the GP; PROM can be in PROM easily.
As for prototyping... I've done a lot of prototyping using test IMEIs and you know what? We did exactly that -- stuck it on PROM. Quick trip through the UV and it was ready for reprogramming.
At least with this setup, the thieves would have to crack the phone open, get rid of the potting, flash the chip (in the old school sense) and reprogram it with a custom binary. Suddenly, a lot of the savings over legit phones dries up.
Even signed EEPROM would be useful, as if ALL the code on the chips is signed, you could reprogram it with your own code, but you'd have to do all the chips. And since it's your hardware, this should be fine to do. But if you want to use the provided firmware, you need it all signed properly by the manufacturer and vendor.
But I think that schools should change the way they roll out computers -- have appropriately powered computers for creative work, and have a whack of these for consumptive work/staff tools/etc. Makes a lot more sense than a homogeneous network of anything.
+1 snarky but insightful. there are a bunch of jobs that need to be done and we all have a role to play. I would suggest that Zuck focus his attention on the children of coal miners in rural areas, and help educate them for job opportunities (such as coding) that are not coal mining.
True, but have you seen the latest stats? We've got a glut of coders; we've got more trained coders coming out of colleges than we've got jobs, and we have many people who are self-taught coders who are doing just as well at landing those jobs. Going into this climate, wouldn't it make more sense to retrain as, say, a construction worker (get your welding ticket, etc)? There's a lot more money and a lot less shift in this area. For that matter, move from mining into the gas industry; there are plenty of jobs there right now (including construction).
I think part of the problem is that we always retrain people for jobs that are currently hot, instead of training people for the jobs that will be hot when their training is complete.
But now it's harder to get kids to tinker with stuff because there aren't many stores where you can go to buy electronics parts, etc., so things like the Raspberry Pi can be cool at introducing kids to the very *idea* that you can make things for yourself, and not limit yourself to what you can buy off the shelf.
Yeah; this is the big issue. When I was 6, we had an LED calculator that wasn't working -- I took it apart with a screwdriver, cleaned it, patched up loose wires with electrical tape and put it back together -- presto! it worked! After that, my dad decided it was time to teach me how to use his soldering iron. Between that and the Radio Shack 160-in-1 electronics kit I had to play with, I had basic electronics stuff figured out by the time I was 10. Good luck getting a 160-in-1 kit these days (although I just found one on eBay)....and now I did some digging and found Elenco. Seems like these kits are still alive and selling! I'd recommend a kid get some of the Elenco kits prior to moving on to a Pi; good to have the background knowledge as well as the programming experience.
In the US too, for that matter... for those who aren't up on their history. Taking IP is beneficial for any industry up to the point where the local players have a lockhold on the IP. At that point, they tend to stagnate, and others taking their IP kills their business structure. This is the reason the US declared independence in the first place (the UK owned the shipping routes and the taxation structure).
It all boils down to $$$, for both the consumer AND manufacturer. I would love a Tesla, problem is, I also don't want to pay 1/3 of the cost of a house to get one.
I wish I lived in your area... here, a Tesla costs ~1/8th the cost of a house, and 4 x the cost of a stripped-down budget new car.
No, the Pi was made as an integrated device. Jesus fuck are you people that stupid?
Whoosh? This has nothing to do with how it was made, but how it is used. It is used as a simplified teaching tool, and still enables you to do cool stuff without having to learn the really technical stuff right at the start.
Eventually your kids'll get old enough that hardware tinkering will be back on the radar -- with the added benefit that you'll be doing it with someone who looks up to you:) Only lasts a few years though.
Learning Linux on a RaspberryPi is like learning about cars by working on a lawnmower.
That's how I did it... started with two stroke engines and worked my way up to four stroke engines.
Actually, I started with a suspended tin can with two angled holes in it, some water, and a heat source. After understanding the steam engine and its drive train, the move to a two-stroke engine with spark plugs didn't take much work; then I got to learn about throttles, priming, flow control, etc.
After mastering these bits, four stroke engines were much less of a mystery. Plus, I was able to build go karts well before I knew the details of the four stroke engine:)
I think this is precisely the point they're trying to make with the Pi.
Installing Windows 7 or 8 wouldn't make his job much easier or make his computer much more secure.
Yea, it sort of would. For one, he wouldnt be stuck with IE8. For another, hed have UAC which solves most of the rootkit threat that XP had to deal with. For a third, hed actually be getting security patches.
I have to wonder whether the folks touting how great XP is have done customer-facing IT support. Actually, I dont really wonder, because if they had theyd know well enough how much of the malware threat is mitigated just by upgrading to Win7 and updating your software.
1. He's using Firefox, not IE8. Browser's not an issue here. 2. Pre-UAC rootkits aren't really that common anymore. The malware has all moved on too. 3. This is the good point. Of course, it sounds like most of the stuff that'd be patched is stuff he doesn't use. Maybe he could patch his XP to turn it into XPLite though -- the community patch that removes all the junk you don't actually want to use. That means fewer security issues. 4. Really? These days most of the malware threat is delivered by emails and drive-by downloads, and uses the end user to get around Win7 protections. Anyone having done customer-facing IT support knows "you can't fix stupid".
The big issue really is that almost every Win7 security patch from now on will be a recipe for an XP exploit that will never be patched by Microsoft. So as long as the number of users still using XP is large, there's a real and present danger there.
This raises another point -- if I were an XP user today, I'd change my user agent string in my browser (to Linux or OS X) and maybe even hack what XP reports itself as -- that way, any malicious software checking to see if you're vulnerable is likely to serve up the wrong exploit. Stuffing the registry full of misleading entries wouldn't hurt either.
Slashdot Mirror
It is a lot harder to build bombs ... Guns are a lot more ... efficient.
It may be harder to build bombs than to grab some guns, but the guns are not more efficient. The largest school killing in US history was done with explosives.
See the GP -- with school killings, you're not dealing with a rampage; you're dealing with someone who is fed up that people aren't seeing things their way making sure that people finally listen to them. Teenagers are intelligent enough to know that indiscriminately blowing up a chunk of property with a bunch of people on it, some of which are the ones they're fed up with, won't really get their point across. However, they figure that everyone, including their target, seeing them walk in with a gun, take aim, and fire, will be able to connect the dots and see this as avenging justice. This is the mindset, and guns are a very efficient way of pulling this off. Of course, those who consider this avenging justice are wrong, but that doesn't change the reasoning.
If you're in Jilin province China, backing a pickup truck into a tower is going to be a wee bit tricky. Clicking a button to take out power for the Midwest? Pretty easy at the moment.
Uhh... What? Would you care to back this statement with something other than FUD and bollocks? Please educate yourself on NERC CIP.
No, I wouldn't. And I already have; and it doesn't really matter.
The issue is that how things actually exist doesn't line up with the procedures and protocols that are laid out. Sure, they're followed properly in most installations, but all it takes is one, and as we've seen, you can get a cascading failure. Right now what's protecting the grid is a combination of CIP 5 compliance, complexity, and obscurity. An attacker can overcome the second remotely and wait for someone to breach the first -- leaving the last as the final bastion of protection.
Now the reality is that to get past the last one, you either need an all-out digital assault on the infrastructure, which gives away the attacker and highlights the insecurities in a way that they can likely be protected prior to catastrophic failure, or you need a man on site to run discrete tests, such as what was done with stuxnet. But once that's done, you don't even have to be on the same continent to set off the appropriate chain of events to cause failure.
Ah; but the guy down at the station babysitting the PLC probably wants to get his Facebook fix too -- so he hooks up a wireless USB stick and presto! The entire national WAN is now online....
And the next day, he finds a pink slip waiting for him.
You have much faith in his local IT managers and their managers... I've seen places run for months with such a setup with nobody noticing... and then when something happens as a direct result of the rogue router, it still takes significant time to isolate it and take appropriate steps. Sometimes, the guy who set up a system like this doesn't even work for the company by the time they realize what is wrong. This despite the fact that on paper, it should be as you say -- something logged and flagged up, resulting in a pink slip less than 24 hours later.
I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.
If you're in Jilin province China, backing a pickup truck into a tower is going to be a wee bit tricky. Clicking a button to take out power for the Midwest? Pretty easy at the moment.
Ah; but the guy down at the station babysitting the PLC probably wants to get his Facebook fix too -- so he hooks up a wireless USB stick and presto! The entire national WAN is now online....
Why not a separate WAN for the power based stuff, similar to NIPRNet and SIPRnet? That way, if there is a bridge across the Internet, it is point to point encrypted, but most traffic would be on separate leased lines. With this in place, combined by measures to limit connectivity, it would make it far harder than just having an Internet connected box to be able to do power grid shenanigans, unless one has physical access to the substations/stations.
Because you have to treat the network as if it is already compromised -- as it is guaranteed to be by a combination of ineptness, laziness, malfeasance, temporal complexity creep, etc. Plus, airgapping is not a panacea, as Stuxnet showed us.
Add to that how dumb some of the components of the energy grid are, and you have a situation where you really do have to prepare yourself for the worst. I think the overall chaos and complexity is likely the only thing that has protected it to date.
I had a few other questions as well...
This does nothing to protect against tampered hardware (keyloggers, screen captures, etc.). If you're using USB, you also have to trust that you really only have a flash device in that circuitry. Plus, you have to trust that any certificates you use aren't compromised, any exit nodes you use don't belong to the NSA (a large number do), etc.
All in all, this really only protects you if you weren't already a surveillance target and weren't using compromised systems.
Still, it's better than the alternative. Just not "completely secure".
Added to this, most of what they're doing is removing code and exposing the underlying code to the safeguards they already have in place at the OS level. Refactoring suddenly becomes a LOT easier, as there's less to test. They're pruning their tree, essentially.
The beauty is that the way the handlers are designed at the OS level (and have already been tested against all other packages) means that if there IS a failure, it'll immediately cause a hard fail in OpenSSL -- which might seem bad, but it means that it'll be immediately reported and fixed, and the actual problem will be easy to find. It also means that there's less likelihood of an attacker being able to leverage the bug other than to perform denial of service attacks.
Not to mention the fact that the part of the internet NOT controlled by Comcast didn't have the same issues experienced by Comcast customers -- which shows that the issue was at some level, Comcast's problem. Of course, the real issue was their peering agreement with Cogent (who didn't have such issues with others, but Comcast must have, as it would have only been a few hops to route around the peering issue).
In other words, Comcast is looking like a gated intranet, and Netflix has now paid for the access keys in a way that ISPs refused to do. I predict that soon you'll see ads saying "blazing fast speeds within the Comcast Network". So much for net neutrality.
but the first controlled flight was built upon decades of trial; and error, and by 1000's of people.
In other words, the Wright Bros.* flew on the backs of giants. Just in case you wondered how they got off the ground and stayed afloat.
*Yeah; Wright Bros.' claim to first controlled flight is just as strong as their claim to first successful bike repair shop; don't let it detract you from the joke.
ah; I thought "vertically integrated social media" referred to owning the things people talk about, owning the means of telling them what they want, owning the means of discussing what they want with each other and owning the means to buy it.
I'd be tempted to accept annexation just for the entertainment of watching the Quebecer's try to pull their entitlement nonsense with the US government.
You obviously missed the recent vote: even the Quebeckers are fed up with their politician's entitlement nonsense. They stated that they prefer a known corrupt leadership to an entitled leadership.
Manufacturers have to rewrite IMEIs frequently when testing prototype phones, as there's a limited pool of test IMEIs. Making the IMEI unchangeable would mean a final hardware change what could be tested only in production.
See Sneftel's response to the GP; PROM can be in PROM easily.
As for prototyping... I've done a lot of prototyping using test IMEIs and you know what? We did exactly that -- stuck it on PROM. Quick trip through the UV and it was ready for reprogramming.
At least with this setup, the thieves would have to crack the phone open, get rid of the potting, flash the chip (in the old school sense) and reprogram it with a custom binary. Suddenly, a lot of the savings over legit phones dries up.
Even signed EEPROM would be useful, as if ALL the code on the chips is signed, you could reprogram it with your own code, but you'd have to do all the chips. And since it's your hardware, this should be fine to do. But if you want to use the provided firmware, you need it all signed properly by the manufacturer and vendor.
Can you not think of something better to do with your money and time.
Well, he could try posting on Slashdot -- or was that what you were referring to?
Does the Chromebook use OpenSSL?
Might want to harden those things significantly.
But I think that schools should change the way they roll out computers -- have appropriately powered computers for creative work, and have a whack of these for consumptive work/staff tools/etc. Makes a lot more sense than a homogeneous network of anything.
+1 snarky but insightful. there are a bunch of jobs that need to be done and we all have a role to play. I would suggest that Zuck focus his attention on the children of coal miners in rural areas, and help educate them for job opportunities (such as coding) that are not coal mining.
True, but have you seen the latest stats? We've got a glut of coders; we've got more trained coders coming out of colleges than we've got jobs, and we have many people who are self-taught coders who are doing just as well at landing those jobs. Going into this climate, wouldn't it make more sense to retrain as, say, a construction worker (get your welding ticket, etc)? There's a lot more money and a lot less shift in this area. For that matter, move from mining into the gas industry; there are plenty of jobs there right now (including construction).
I think part of the problem is that we always retrain people for jobs that are currently hot, instead of training people for the jobs that will be hot when their training is complete.
But now it's harder to get kids to tinker with stuff because there aren't many stores where you can go to buy electronics parts, etc., so things like the Raspberry Pi can be cool at introducing kids to the very *idea* that you can make things for yourself, and not limit yourself to what you can buy off the shelf.
Yeah; this is the big issue. When I was 6, we had an LED calculator that wasn't working -- I took it apart with a screwdriver, cleaned it, patched up loose wires with electrical tape and put it back together -- presto! it worked! After that, my dad decided it was time to teach me how to use his soldering iron. Between that and the Radio Shack 160-in-1 electronics kit I had to play with, I had basic electronics stuff figured out by the time I was 10. Good luck getting a 160-in-1 kit these days (although I just found one on eBay). ...and now I did some digging and found Elenco. Seems like these kits are still alive and selling! I'd recommend a kid get some of the Elenco kits prior to moving on to a Pi; good to have the background knowledge as well as the programming experience.
This is good to know about and all, but...
WHY IS THIS ON SLASHDOT!?
Because it's Truthy.
In the US too, for that matter... for those who aren't up on their history. Taking IP is beneficial for any industry up to the point where the local players have a lockhold on the IP. At that point, they tend to stagnate, and others taking their IP kills their business structure. This is the reason the US declared independence in the first place (the UK owned the shipping routes and the taxation structure).
It all boils down to $$$, for both the consumer AND manufacturer. I would love a Tesla, problem is, I also don't want to pay 1/3 of the cost of a house to get one.
I wish I lived in your area... here, a Tesla costs ~1/8th the cost of a house, and 4 x the cost of a stripped-down budget new car.
No, the Pi was made as an integrated device. Jesus fuck are you people that stupid?
Whoosh? This has nothing to do with how it was made, but how it is used. It is used as a simplified teaching tool, and still enables you to do cool stuff without having to learn the really technical stuff right at the start.
Eventually your kids'll get old enough that hardware tinkering will be back on the radar -- with the added benefit that you'll be doing it with someone who looks up to you :) Only lasts a few years though.
Learning Linux on a RaspberryPi is like learning about cars by working on a lawnmower.
That's how I did it... started with two stroke engines and worked my way up to four stroke engines.
Actually, I started with a suspended tin can with two angled holes in it, some water, and a heat source. After understanding the steam engine and its drive train, the move to a two-stroke engine with spark plugs didn't take much work; then I got to learn about throttles, priming, flow control, etc.
After mastering these bits, four stroke engines were much less of a mystery. Plus, I was able to build go karts well before I knew the details of the four stroke engine :)
I think this is precisely the point they're trying to make with the Pi.
Well, are we certain that 'GG' stands for 'Good Game'? ...
Other possible meanings:
Getting Grapes
etc.
For that matter... I used "GG" long before "good game" became a meme. You know what it used to mean?
"Gotta Go"
Installing Windows 7 or 8 wouldn't make his job much easier or make his computer much more secure.
Yea, it sort of would. For one, he wouldnt be stuck with IE8. For another, hed have UAC which solves most of the rootkit threat that XP had to deal with. For a third, hed actually be getting security patches.
I have to wonder whether the folks touting how great XP is have done customer-facing IT support. Actually, I dont really wonder, because if they had theyd know well enough how much of the malware threat is mitigated just by upgrading to Win7 and updating your software.
1. He's using Firefox, not IE8. Browser's not an issue here.
2. Pre-UAC rootkits aren't really that common anymore. The malware has all moved on too.
3. This is the good point. Of course, it sounds like most of the stuff that'd be patched is stuff he doesn't use. Maybe he could patch his XP to turn it into XPLite though -- the community patch that removes all the junk you don't actually want to use. That means fewer security issues.
4. Really? These days most of the malware threat is delivered by emails and drive-by downloads, and uses the end user to get around Win7 protections. Anyone having done customer-facing IT support knows "you can't fix stupid".
The big issue really is that almost every Win7 security patch from now on will be a recipe for an XP exploit that will never be patched by Microsoft. So as long as the number of users still using XP is large, there's a real and present danger there.
This raises another point -- if I were an XP user today, I'd change my user agent string in my browser (to Linux or OS X) and maybe even hack what XP reports itself as -- that way, any malicious software checking to see if you're vulnerable is likely to serve up the wrong exploit. Stuffing the registry full of misleading entries wouldn't hurt either.