I do have my TV on my network; however, it is not a smart TV, it just has a media player feature. It will try to phone home if I tell it to check for updates; however, because I have its MAC blocked at the firewall, it can't. I check manually from time to time and, well, there have been 0 updates in the past 6 years anyway.
It's also not one of the models with a mic and/or camera, so I feel I'm being just the right level of paranoid; I just don't want it getting an "update" that ends up pwning my network.
I'm just writing about what I've confirmed, but yes, that would probably work as well.
Especially if you originally submit with:
if (false) {
    //malware code here
}
Then it literally is just a two line change.
As an aside, it seems Slashdot has fallen on the "neither" side of the tabs/spaces argument, as I tried both and it seems to want to eat my indentation regardless. Yes, my code is properly indented.
Transmitting people's energy consumption by wireless is completely insane. This is private information that does not need to be broadcast insecurely to anyone with the right black box.
Putting it on display in a location where a meter reader can get to it also, necessarily, means putting it on display in a location where anyone with at least one good eye can see it. The black box is a red herring.
... which wouldn't affect safe mode with this protection temporarily disabled. You're smarter than this. Stop, think, and quit embarrassing yourself.
Imagine booting for the first time and not having enabled this yet, or this being a Windows driver-based security measure that doesn't take effect until Windows loads its drivers, allowing the new keyboard to be used to boot into a mode where this protection is temporarily disabled in case of this very situation. My IQ is up there, but I'm no super-genius, and it only took me about 5 seconds to solve both of those problems.
You know, I realize I didn't address your point fully. Let me clarify: non-admin users should not be modifying system security functions in the first place. If the issue you mention affects you, you are a non-admin user and should not be adding USB devices to any whitelist; you should be contacting an admin user, who can log in with the on-screen keyboard and add the new keyboard to the whitelist simply by clicking the "OK" button on the UAC prompt.
Alternately, since you purport to know the administrator password in the first place, in order to be able to type it into the UAC prompt in the presence of a working keyboard, why don't you just sign in with that account yourself?
TL;DR: Admins don't see UAC password prompts; if you see them, you are not an admin and shouldn't be doing this in the first place.
Come to think of it, I don't recall ever having to type my password into a UAC prompt. I'll grant your point about the mouse, but also point out that Windows' driver-based protection measures can't take effect until Windows has loaded those drivers. If actually ever implemented, it should be possible to boot into safe mode with that protection disabled to add a device to the whitelist; the extra paranoid can unplug all but the new keyboard before doing so.
The on-screen keyboard that Windows has had since at least as far back as XP.
Plug it in, use the mouse to click "OK" on the prompt.
And, even if this was disallowed, USB hubs still exist. The device could just as well present itself as a hub with those three things connected. Like you, I don't know why people are getting all worked up over this as though it's something they could actually protect against.
"Accept the things I cannot change" and all that.
Considering that what was leaked was, quite literally, primarily a list of vulnerabilities, I'd say they do. Of course, with all these unpatched and in-use vulns, one of them was bound to be used to exfiltrate data. The DoD wouldn't have approved it for classified communications if they had known of unpatched vulnerabilities.
That said, Google did recently identify a vuln in the ASLR used by Knox, which Samsung is working on fixing. There's not a whole lot you can do with it on the typical non-rooted Samsung phone, though, as one would require escalated privileges to be able to overwrite kernel or application RAM to inject their malware in the first place.
Then the laptop is still no less secure than the iPhone, to which that can also be done.
You mean like Windows?
Yeah, more or less. Same as ever.
Because the alternative is going off-grid. Just be selective in what you trust them to do and you'll be fine. I fully expected that they, at least these two, would deny, deny, deny; yet here they are admitting the holes existed. Does that mean I trust that they actually patched them? Irrelevant, really, as I'm absolutely positive there are plenty of others, which were not revealed in this recent disclosure and remain unpatched. But no, I do not.
Samsung meanwhile may talk a good security game, but they put out truly half-assed effort with a billion exploit channels. How about TVs that can record audio and have full Android installations to exploit?
Samsung's phones, at least those with Knox, are DoD approved for government communications. Just sayin'.
Did you get to more entertaining fare by skimming my comment, though? It doesn't seem so.
First of all, I'm not whining about it, nor have I been doing so for the last 10 years, or in every iOS development thread.
Second, as an iOS developer, I've paid it. Many times over. That doesn't mean I don't understand why others complain about it, which is what I was explaining above, in response to a direct question.
So, as I said before: you know me, then? Nah, didn't think so. Why with the personal attacks?
I didn't "forget" any possibilities, nor did I fail to list just "one"; there are many, many more than just three possibilities. I plainly stated that I was only providing two possibilities, I never said they were the only two.
Come on, I know you can read and comprehend better than that; I've seen you follow a conversation here before.
Nice bit of speculation, though.
It's quite possible that someone within WikiLeaks disclosed them privately before disclosing them publicly. That would have been the responsible thing to do.
It's also possible that the CIA leaked the documents themselves after a number of the vulnerabilities had already been discovered. I find this less likely, as there were many vulnerabilities disclosed which have not yet been patched.
Those, of course, are only two possibilities, both of which are pure speculation.
That said, Apple has known about the gaping hole that is hot code pushing for years now and only decided to enforce their already existing rules against it very recently, so it could also be complete incompetence on the part of the vendor.
At any rate, when we've seen that products from all vendors are equally vulnerable, does it really matter who we buy from? I'd say it does not and there's no point in arguing that one is more secure than another now that we've been shown that this simply is not the case.
Assuming the safe was cracked, and not destructively broken into, such detection is not reliable. Crack the safe, extract the contents, copy the data, replace the contents, re-lock the safe, and turn the dial back to its original position.
It might not be the simplest of operations for some safes but, again, it's trivial in comparison to cracking decent encryption. If you can crack the encryption, the safe will barely slow you down; if you can't, then I don't care if you have a copy of the encrypted data. The safe is pointless.
They weren't patched before they were known because they weren't yet known. They haven't all been patched yet because they've only been known for a handful of days and patches don't write themselves just because you know about the vulnerabilities. Patching any non-trivial issue without introducing other non-trivial issues takes time.
You can often get updates direct from the manufacturer for Android phones; you just don't get them OTA. Even if not made generally available, they're more than happy to supply them to you if you call in and tell them you've managed to brick your firmware and need a factory image to restore from. Thus far, I've been able to get them one way or another from Motorola (both pre- and post-acquisition), HTC, LG, and Samsung. I haven't yet not been able to get updates directly from a manufacturer.
I tend not to keep devices for that long, save for my TV which is going on 6 years now, so that's not really a concern for me. In fact, this is the longest I've kept a cell phone in nearly 2 decades. I won't disagree that it can be an issue for others, though.
TrueCrypt is available to most people; it is free and not too difficult to set up. A safe can be had for $100 or less. If you can afford an iPhone, you can afford a laptop and a safe. Affording TrueCrypt is a given, as it's free. That's not where that AC's argument falls apart.
That argument falls apart when you realize that TrueCrypt hasn't been under active development in quite some time and has, in fact, been abandoned by its developers with a warning that it may be vulnerable. Coupled with the fact that even the most expensive of safes are trivial to crack when compared to decent full disk encryption, which renders the entire "safe" point meaningless as well.