* Posts by Steve Hersey

72 posts • joined 11 Aug 2009


FYI: BMW puts heated seats, other features behind paywall

Steve Hersey

Raise the Jolly Roger!

Jailbreak the features. No jury of car owners would convict. You paid for the car, you own it.

I read a novel set in the near future where characters chose old cars because they didn't have surveillance features and hackable crapware. The future has already arrived and wants to take over the spare bedroom...

The Raspberry Pi Pico goes wireless with the $6 W

Steve Hersey

Re: "the 50 per cent premium"

A 50% premium on down-in-the-noise is still down in the noise. <Yawn>

More power than the Apollo flight computer (haven't verified this), for less than the cost of a deli sandwich. The cabling and wall wart will cost more.

We live in an age of marvels. If we can just manage to survive it...

Foxconn factory fiasco could leave Wisconsinites on the hook for $300m

Steve Hersey

From my cursory reading (not an expert here!):

It looks as though the town took out $300 million in bonds to build stuff to support the project, Foxconn promised annual payments to cover the debt, and - big surprise there - didn't hold up their end of the deal. And have now effectively abandoned it. (The hire-and-fire trick to fudge compliance with the agreement is a typically soulless big-corporation touch.)

Who is ultimately on the hook for this will doubtless depend on the contract language, and exactly how binding that promise was. I suppose the town could seize and resell the property if the promise is enforceable but Foxconn won't pony up, but that would involve massive legal expenses. In the end, I think they're well and truly screwed.

An international incident or just some finger trouble at the console?

Steve Hersey

I was once on a support trip in Toulouse (lovely city, wonderful people!) with folks from another US company supporting the same project. We went to lunch at an outdoor cafe; none of us spoke any French, but I speak German and a teeny bit of Dutch, and I wound up translating the menu (by guessing the ingredients from the closest English, German or Dutch cognates) and placing our order. Worked out amazingly well.

Language skills rock.

(So does learning at least the basic hello/please/thank you in the local language; show folks that you respect their language and culture, and they'll generally be very helpful.)

Bank had no firewall license, intrusion or phishing protection – guess the rest

Steve Hersey

Re: Root Causes

My personal response would be to reach for the D-ring and exit the plane stage right.

"Who do we sue if this goes wrong?" is that rare thing, an actually stupid question.

The RIGHT question is: "Will we be better off if we do this, or if we don't? Is this the best option, or is there a better one?"

Planning for whom to sue in case of failure is planning for failure.

If you fire someone, don't let them hang around a month to finish code

Steve Hersey

The unacknowledged moral of the story

An organization that features "unachievable deadlines set by managers that lacked a proper grasp on the challenges involved" is a toxic waste site, and should be shunned by anyone with a gram of self-respect, until said organization either gains a clue or collapses from the accumulated incompetence.

Your skills, your time, your self-worth, are too valuable for you to collude in your employer's abuse of you. Run, do not walk, to find a job with a better employer. (If you really need the money that badly, set a limit on how long you'll tolerate those conditions, and stick to it.)

Debugging source is even harder when you can't stop laughing at it

Steve Hersey

Not sure I'd recommend this practice today, but...

On one memorably miserable project in the last century (single-handedly creating software support for a portable instrument; the full requirements list was: "We want it to talk to the flowmeter", and you can imagine how fast it went down hill from there), the Sales folks routinely gave out internal-use-only alpha test copies of the software to customers, in violation of explicit instructions to the contrary. Salesmen were always trying to steal a march on the others by showing off the newest (buggiest!) features.

Until I added a profanity-laden startup splash screen stating that this test version was for <expletive> internal use only and NOT for <expletive> distribution to customers.

And waited (not long) for the complaints to roll in from Sales. Which were then countered by a reminder that, as they had been repeatedly warned, they weren't supposed to be releasing alphaware to customers.

Dell opts out of Microsoft's Pluton security for Windows

Steve Hersey

Another way to look at Pluton

A denial-of-competition attack. They've done that one before, why trust them not to try it again?

When civilisation ends, a Xenix box will be running a long-forgotten job somewhere

Steve Hersey

Long project timeline, meet short product lifecycle.

I discovered around 2000 or so that the limiting factor to the service life of an ancient desktop PC in a piece of satellite ground test equipment was the coin-cell battery molded into its configuration memory and clock chip. Said clock chip having gone obsolete, the only solution was to Dremel my way into the chip, tap into the supply wire from the battery, and reroute it to an external coin cell in a holder glued atop the chip. Worked a treat, and the test gear continued to work. Such projects have a very long support timeframe.

I'd have gladly upgraded the PC (and we tried!), but due to a consultant's idiocy (and against the urging of the new engineer at project start -- me) we had chosen software that depended on a specific version of QNX, and whose vendor shortly went out of business (no upgrades!). That version of QNX had a clock counter overflow that prevented it from operating on anything faster than the original 33 MHz 80386 processor.

The next such system used Sun Ultra 5s, whose dead battery-backed SRAM and clock chips were at least still obtainable.

AR flop Magic Leap's 'pivot' spins CEO right off his throne

Steve Hersey

Alas, for the days of the ancient kings

When, in times of disaster, the ruler would be ritually sacrificed to carry to the gods a petition for rescue.

Now, I don't personally think those gods existed, but the practice DID tend to have a self-correcting effect on incompetent leadership, and in those cases where the disasters were caused by said incompetence, the petitions were actually effective...

Why is the printer spouting nonsense... and who on earth tried to wire this plug?

Steve Hersey

Re: Not on the wall socket

Reminds me of the calibration house that used to annually certify our digital multimeters. We suspected that they were certifying them without actually testing them, so we opened one up, diddled its trimpots well beyond its stated calibration limits, and sent it off. Sure enough, back it came with a fresh sticker -- and still horribly out of calibration.

Boeing boss denies reports 737 Max safety systems weren't active

Steve Hersey

Re: 2 big no-no's - if it's Boeing, I am NOT going!

To your first point, it appears that the MCAS system was added because without it, the aircraft was not stable enough to get flight certification. I'd say that DOES qualify as "inherently unstable," though I'll agree it isn't as inherently unstable as, say, an F-14.

To your second point, it's actually even worse than just fail-safe: If I read the reports correctly, the two-sensor configuration was sold as an extra-cost option; the standard configuration had a single sensor, with no failover capability at all. Set negligence level to "criminal stupidity with a side order of arrogant avarice."

Qualcomm wins Apple patent case, loses Apple patent case, wins Apple patent case, loses Apple patent case...

Steve Hersey

As Dr. Strangelove would surely be able to advise,

The whole point of deterrence is NOT firing off the entire nuclear arsenal and mutually destroying one another. Apple and Qualcomm seem to have missed the significance of that point.

Do not adjust your set, er, browser: This is our new page-one design

Steve Hersey

I like the new design.

Unlike the tasteless novelties force-fed me by Android and Gmail updates (just as I get used to the UI changes from the *last* update) your new home page looks like an improvement.

Atari accuses El Reg of professional trolling and making stuff up. Welp, here's the interview tape for you to decide...

Steve Hersey

Stopped the process at "launch day" and STILL weren't committed to a specific chip?

I smell BS coming from Atari in this interview. No major project that is real and being responsibly managed gets THAT close to its release date and then decides, "Well, maybe we'll just change the fundamental CPU architecture." By the time you're carrying engineering prototypes to trade shows to show them off, you damn' well better have settled on a chip architecture. Once settled, you only change that under dire circumstances. Even if the replacement is essentially identical, you don't delay the project for things that "would be nice." Delays to an almost-ready project cost a LOT of money.

The Atari bloke's statements make it clear that the project is nowhere near the state of readiness they would like us to think it is in.

Having listened to the rest of the excerpts, it's even a bit worse than that. They went all the way to a "product launch" when they knew they didn't have working *engineering prototype* hardware (else they'd have been willing to show at least a don't-touch-this static display of an operating prototype).

Keep your hands on the f*cking wheel! New Tesla update like being taught to drive by your dad

Steve Hersey

Re: Auto-crash-pilot

Change lanes. The car ahead did exactly that. Of course, a more mature and fully functional autopilot would ALSO have just changed lanes...

Soyuz later! Russia may exit satellite launch biz

Steve Hersey

Re: 2 billion in today's market

I agree with Milton's point about Chinese IP theft, but in this case I'm not especially worried about its consequences. Here's why: The US military establishment has a decent understanding that strategic control of space is an enormous military advantage. With that in mind, the competition from China, India and Russia for space launch capability represents a challenge they cannot ignore; keeping the USA's launch capability technologically competitive is thus a must-do thing from their point of view. (Who has an automated mini-Shuttle that can spend a year on-orbit?)

So even if China steals lots of other folks' tech secrets, the competition for space capability will mean that the human species is back in space on an ongoing basis this time. The faster any one party advances, the harder the rest will work to keep up. From a species point of view, that's all to the good.

The cheating and stealing are aggravating, but are at most a damned nuisance, and may even prove neutral to beneficial in the long run. Though we should still feed the bastards some subtly defective designs just to mess with their heads.

Bitcoin's blockchain: Potentially a hazardous waste dump of child abuse, malware, etc

Steve Hersey

So, blockchain systems are unsustainable at scale.

It escapes my poor, limited understanding how a scheme that requires a large number of nodes (inherent in its "distributed web of trust") to store EVERY TRANSACTION EVER MADE could possibly be sustainable at a large enough scale to count as a "currency." Yes, "lightweight" nodes can store a subset, but that doesn't fix the fundamental insanity of the design.

Even the global banking system doesn't require every major bank to maintain the full transaction history of all major banks in order to function. For comparison, the Internet Archive only exists as one instance, not replicated X thousand times.

This sounds like a banking system designed by someone who didn't understand banking. There's no way it can possibly scale up far enough to be more than a curiosity/money-laundering tool/means to fleece the unwary.

10 PRINT "ZX81 at 37" 20 GOTO 10

Steve Hersey

Top this...

I once built some external I/O hardware for a ZX80 to drive solid-state relays. The customer wanted to use it to automate a sawmill. They were disinclined to accept the notion that the ZX80 wasn't really an appropriate platform for controlling potentially man-killing machinery. I never did get my AC adapter back...

Inviting nearby exoplanet revealed as radiation-baked hell

Steve Hersey

Cue the Firefly theme ...

"Burn the land and boil the sea, but you can't take the sky from me."

Building decent space habitations is sounding a LOT more feasible than finding other habitable planets right now.

NASA finds satellite, realises it has lost the software and kit that talk to it

Steve Hersey

Doesn't matter.

It's not critical if the ground support hardware no longer exists. So long as the documentation on the telemetry formats and comms parameters is still available, some bright grad student or motivated Ham radio operator can set up a software-controlled radio setup to receive and decode it, and the same goes for satellite commanding (though that requires a suitable ground control transmitter, which NASA certainly still has).

Of course, that will require some time and money to set up, but it's not a gargantuan effort. Debugging the recreated commanding system on-orbit can be exciting, but the worst that can happen is you lose the bird again.

Trust me, you don't want to rely on the original ground support equipment after all this time, even if you can find it. If nothing else, the ancient PC's RTC chips with their built-in batteries and configuration memory have gone dead, cannot be sourced any longer, and can only be revived by judicious use of a Dremel grinder, a coin cell battery/holder, and a soldering iron. Been there, done that on satellite ground support gear.

IBM turns panto villain as The Reg tells readers: 'It's behind you!'

Steve Hersey

Carrier pigeon? Oops.

The vulture ate it.

That was fast... unlike old iPhones: Apple sued for slowing down mobes

Steve Hersey

Or, shocking thought...

Apple could have derated the batteries properly so that the phones would continue to work as they -- predictably -- aged. Apple being Apple, it's not like profit margins on iThings are razor-thin, so they *could* certainly afford to do a proper engineering job on power management and get $5 less profit per unit.

Every electronic device I've helped to develop in a long career has gone through worst-case analyses and has included design margins to make sure it works reliably over its life, and this always includes power management. If Apple's iCrap won't work with batteries that aren't new any more, it's because Management isn't setting realistic goals for the engineering teams, and that means that Corners Will Be Cut.

Russia could chop vital undersea web cables, warns Brit military chief

Steve Hersey

Because that would interfere with the Gravitube.

We go live to the Uber-Waymo court battle... You are not going to believe this. The judge certainly doesn't

Steve Hersey

Re: All's up with Alsup?

... build a case for 'reasonable apprehension of bias'?

I seem to recall that SCO's lawyers tried that trick, and Alsup is certainly wise to it by now. He seems to have a bottomless reserve of cool, and the occasional decapitating strike of sarcasm stays within the limits. This IS going to be fun to watch; he'll grind them up using their own documents as the millstones.

You simply cannot get away with blatantly hiding relevant material from discovery like that and just claiming "they didn't use their company name as a search term." I expect to see their lawyers stripped of attorney-client privilege and hauled into the dock themselves; the misconduct is just that extreme.

Hey, cop! You need a warrant to stalk a phone with a Stingray – judge

Steve Hersey

Re: What about me then?

On the other hand letting a criminal off when they've clearly done something wrong..........

The US Constitution operates on the principle that incorrectly releasing the guilty is preferable to incorrectly jailing the innocent. That's the theory, anyway.

The point of letting the crim walk away if the evidence was improperly obtained is that if you allow the use of improper evidence, then the whole due-process principle just became unenforceable, and we're right back to forced confessions under torture, faked evidence, and all the other abuses the due-process clause was intended to prevent.

It's a harsh punishment of the cops to toss out their case, true, but the alternative was held to be a worse price to pay.

Smart robots prove stupidly easy to hack for spying and murder

Steve Hersey

The original article leaves something to be desired

If the Reg article is correct (there are things said that cannot be verified from the linked docs), then the authors at IOActive are a bit uneven in their research.

The Reg article reports (though I can't find this in the linked docs) a claim that the UR robot has a "static SSH key," which is claimed to facilitate MITM attacks. This is drivel. A given SSH host MUST have a static SSH key, or you cannot authenticate the host; that's how SSH works.

Elsewhere, they make much of happily hacking the Baxter RSDK, blissfully ignorant of the fact that it is *built* for open access, not security. Yes, you can get into the ROS interfaces and do whatever you want; that's the whole point of a "research software development kit;" it isn't meant to be a secured industrial production system.

Still elsewhere, there's mention of carrying out MITM attacks on unencrypted communications traffic. Plaintext traffic is *inherently insecure*, so complaining about MITM is a bit beside the point of "totally insecure comms link." And, as noted above, it is important to know whether the system was intended for use in a hostile environment or in a university environment where open access is the whole point.

Certainly some of these systems are inadequately secured for their advertised purpose, but it's not accurate to slam them all as written by fools.
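The post above turns on what an SSH host key is for: the client pins the server's long-lived public key and refuses, or at least warns, when a different one is presented. The following is an added example of that check as OpenSSH's known_hosts performs it; it is not code from the article, from IOActive or from any robot vendor. The host name, the IP address and the key blobs are constructed placeholders (the "key" bytes are a hash, not a real curve point), and hashed known_hosts entries are skipped for brevity.

```python
"""Host-key pinning the way OpenSSH's known_hosts does it.

Added example; not code from the article, from IOActive or from any robot
vendor. Host names and key blobs are constructed placeholders, not real
keys. Hashed known_hosts entries (|1|...) are skipped for brevity."""
import base64
import hashlib


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the SHA-256
    of the wire-format key blob, i.e. the second field of a public-key line."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host_list, key_type, blob_b64) for each plain known_hosts entry."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue
        yield parts[0].split(","), parts[1], parts[2]


def verify_host_key(known_hosts: str, host: str, presented_line: str) -> str:
    """'ok' if the presented key equals the pinned one, 'unknown' if the host
    was never pinned (the trust-on-first-use prompt), 'mismatch' if a
    different key is pinned, which is what a relay in the middle produces."""
    p_type, p_blob = presented_line.split()[:2]
    seen = False
    for hosts, k_type, k_blob in parse_known_hosts(known_hosts):
        if host in hosts and k_type == p_type:
            seen = True
            if k_blob == p_blob:
                return "ok"
    return "mismatch" if seen else "unknown"


def _constructed_ed25519_key(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from a seed.
    Constructed for the example: the 32 'key' bytes are a hash, not a real
    curve point, which is fine for fingerprinting and comparison."""
    key = hashlib.sha256(seed).digest()
    # wire format: string "ssh-ed25519" (11 bytes), string <32-byte key>
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed data: the controller's own key and an impostor's key.
ROBOT_HOST = "robot-controller.lab.example"  # hypothetical host name
ROBOT_KEY = _constructed_ed25519_key(b"controller-key")
ATTACKER_KEY = _constructed_ed25519_key(b"mitm-key")
KNOWN_HOSTS = f"{ROBOT_HOST},192.0.2.10 {ROBOT_KEY} pinned-on-commissioning\n"

if __name__ == "__main__":
    print("pinned  ", fingerprint(ROBOT_KEY))
    print("offered ", fingerprint(ATTACKER_KEY))
    print(verify_host_key(KNOWN_HOSTS, ROBOT_HOST, ATTACKER_KEY))
```

The check only works because the key on the controller stays the same between visits; a key that changed on every boot could not be pinned at all. The separate question a practitioner should ask of any appliance is whether that static key is unique to the unit or shared across every unit shipped, since pinning cannot tell the two apart and a shared private key lets anyone who extracts it from one unit impersonate all of them.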

HBO Game Of Thrones leak: Four 'techies' arrested in India

Steve Hersey

The books are usually better.

I do enjoy a good SF movie now and then, but I generally find that the plot depth and special effects are much better in the books.

With the notable exception of Battlefield Earth, which I watched in bored horror one afternoon when marooned in San Jose on a business trip. I kept saying to myself, "That's ridiculous! The book this is based on couldn't possibly be THAT bad!" So I borrowed a copy from the library, skimmed it, and discovered that, yes, it was EXACTLY that bad, if not worse. Fully-functional 1000-year-old F-14s and all.

Strip club selfie bloke's accidental discharge gets him 6 years in clink

Steve Hersey

'Cause it's a misprint.

Beats me why the founding fathers were so keen on arming bears, but there it is...

Trump-backed RAISE Act decoded: Points-based immigration, green cards slashed

Steve Hersey

Re: Another flatulent outburst

" I'd much rather have a government too incompetent to do anything than a government doing all the wrong things."

Be careful what you wish for. What we have is a government doing deliberately evil and destructive things to great effect, while incompetent to do anything positive. Not to mention being exceedingly corrupt even by comparison with a century's worth of US administrations.

I fail to see any sense in deliberately throwing a grenade into the works of government; it would be far better to work toward a government that furthers rational policies you agree with -- assuming that rational policies are your goal. (I've met enough folks who voted for that nutjob explicitly in order to break the government that rationality cannot be assumed here.)

Immobilizing the government might have been relatively harmless in the 1790s, but it's a lethally bad idea in the 21st century. Drop the ball on climate change, pollution control, voter disenfranchisement, and everything to do with civil rights? Abandon all allies and threaten other nuclear-armed nutjobs? Deliberately destabilize the health insurance markets, such as they are? People will die on account of this stuff. It is indefensible.

FUKE NEWS: Robot snaps inside drowned Fukushima nuke plant

Steve Hersey

Radiation energy is too high to shield with leaded glass

The X-rays that got filtered out by ~1 cm of leaded glass in a CRT faceplate had energies of up to 25 keV max., based on the TV's 25 kV anode voltage. That's pretty soft for X-rays.

The radiation making it through the water at Fukushima (ignoring suspended or dissolved radionuclides for the moment) is essentially all gamma rays, with orders of magnitude higher energy than CRT X-rays. As a result, leaded glass lenses wouldn't block enough of it to notice.

The other thing to keep in mind about radiation shielding, aside from having to shield your electronics from all angles, is that its effect is exponential rather than linear. If 1 cm of solid lead reduces exposure from a particular source by 50%, another 1 cm will only cut THAT dose by another 50% (= 25% of the original incoming dose), so twice the shielding thickness doesn't get you twice the effectiveness. Takeaway is this: Effectively shielding sensitive electronics from high radiation levels requires really bulky, massive hunks of stuff, or else staying far enough away that 1/R^2 is your friend.

In touching tribute to Samsung Note 7, fidget spinners burst in flames

Steve Hersey

Re: There's an opportunity here

I rather prefer the clay pot approach, as a metal can gets hotter on the outside from the fire within (though it is indeed quite fine if placed on a concrete floor). A handle is nice, but for best safety, the container must survive total burnout of the battery without setting anything else on fire.

Steve Hersey

Re: There's an opportunity here

The savvier R/C model fliers have known of this battery hazard for years. A Web search for "Lipo battery bunker" will show both commercial and home-built versions of fireproof charging containers for flight batteries. Some battery chargers make this a tad difficult by turning the charger into a wall-wart that the battery physically slots into, so the whole thing normally sits on the wall socket.

I have little to no interest in the silly spinners, so the idea of electrifying them evokes only a goggle-eyed wonderment, followed by "Gee, I wonder if they can be hacked remotely to go poof."

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

Steve Hersey

Our cats used to deliver half a dead mouse

And occasionally a stunned chipmunk.

And, on two days running when mice were in short supply, a very large toad from the front garden. THE SAME TOAD, TWICE. Undamaged.

I've always wondered how that went down. Did the cats bribe the toad somehow? Was the toad thinking, "Not this again!" as they carried it into the house?

US engineer in the clink for wrecking ex-bosses' smart meter radio masts with Pink Floyd lyrics

Steve Hersey

Re: Well, at least he has good taste in music

He's just a poor boy, from a poor family...

Seminal game 'Colossal Cave Adventure' released onto GitLab

Steve Hersey

Re: Left -- right?

In the variant I encountered, the message randomly cycled through a set of slight variants, such as, IIRC:

You are in a maze of twisty little passages, all alike.

You are in a maze of little twisty passages, all alike.

You are in a maze of twisty little passages, all different.

The sneaky bit being that the exact message text had no relationship to your actual location in the maze, and would change even if you went nowhere. I have a grudging admiration for the person who thought THAT part up.

It's been a few days, so what fresh trouble has Uber got into now?

Steve Hersey

I think Obstruction of Justice will be enough

I imagine that Uber actively detecting the enforcement authorities in places it wasn't allowed to operate, then feeding them a fake app to conceal the illegal operation, constitutes obstruction of justice. That seems quite apparent, though applying logic to the operations of law is always fraught with the most extreme hazard.

Autonomous cars are about to do to transport what the internet did to information

Steve Hersey

A new, odious class of pranking.

Clearly, I'm *not* the first to think of some of these dark-side things. My first thought when hearing today's Uber-automated-cars-will-Borg-the-taxi-industry story was that there will be a serious problem with vandals fouling automated cabs in assorted unpleasant ways.

Steve Hersey

Re: So...

Alas, the problem with sarcasm is the same as the problem with cynicism: It's so <expletive> hard to keep up with the you-can't-make-this-stuff-up that reality hands us.

I think the major problem with unreliable news at Internet speed is not that there's a greatly higher fake-to-real ratio (tabloids have been around for more'n a century), but rather that the information firehose is now so big and fast that human processing faculties are overloaded, and end up (metaphorically) lying dead-shorted in a smoking, charred heap.

With the equivalent of a hundred newspapers shouting for our attention every morning, it's not really a surprise that folks pick and choose the news sources that best fit their world views. It's a formula for society to end up (literally) lying dead-shorted in a smoking, charred heap, but it's not a surprise.

Back on topic, surely I'm not the first person to read about ubiquitous automated parcel delivery and wonder when and how some nasty minds will try to weaponize it?

S is for Sandbox: The logic behind Microsoft's new lockdown Windows gambit

Steve Hersey

Nothing to see here, run away very fast.

So, a notorious monopolist that screws its customers at every opportunity is offering a new jail cell -- I mean, computing experience -- and wants the sheeple to step inside? No, thanks, I'll wait until the hardware has been jailbroken and I can load Ubuntu onto a unit bought from the remainder bin.

I only tolerate Windows because of applications that run on no other platform. These days, that no longer even includes software development environments OR office apps; all the good stuff has versions for Linux. LibreOffice on Linux is amazingly useful. I can only see the Windows S platform being used for sacrificial computing devices to be issued to folks traveling internationally and to run Office apps for road warriors, never for any serious work that can be done on any other OS.

Startup remotely 'bricks' grumpy bloke's IoT car garage door – then hits reverse gear

Steve Hersey

Cloud is just another word for someone else controls your data/stuff, and they don't care

Show me a serious use case for needing to do X in your home from half a world away, and I'll believe there's a reason for it to be on the Internet. 'Course, its security will still be crap ;-)

When I bought my home many years ago, 'twas the first time I'd had a garage door with a remote opener. For yucks, one day I wandered the neighborhood clicking the clicker, and discovered several owners of compatible openers who, like the previous owner of my house, had never changed the default switch settings on their remote openers. It was fun running their doors up and down, but I went home and changed my switch settings right away. Still not really secure, of course, but less miserably INsecure.

User lubed PC with butter, because pressing a button didn't work

Steve Hersey

Always be nice to the IT folks.

I've done IT support as a many-hats activity from time to time, and I know how that world feels on the inside. So for many years I've made it a practice to ALWAYS establish a friendly, supportive relationship with the IT and facilities people. (Not that it's a *good* idea to make enemies anywhere, for that matter.) And always admit your mistakes to IT, especially the bonehead ones.

Aside from making everyone's life easier, this approach yields immense benefits when you really, really need some help from IT or the facilities crew. What goes around, comes around, and when it comes around with a replacement hard drive and a friendly greeting, you'll be glad.

One BEEELLION dollars: Apple sues Qualcomm, one of its chip designers

Steve Hersey

Re: Hmm..

Well, the handset manufacturers basically have no business if they don't continue to buy those chips, as the chips embody standards-essential tech. The manufacturers don't have anywhere else to go until Intel becomes a viable alternative. Consequently, it's no surprise that they continue to place orders...

Microsoft, IBM, Intel refuse to hand over family jewels to China

Steve Hersey

Perhaps not so much of a threat as you may think...

Or at least much more complicated.

Yes, China has a lot of money sunk into US government debt. However, that provides the second edge on the sword: If China were to dump T-bills onto the market in an effort to punish the US, it would depress the dollar, but the Chinese government would take a massive loss. Lower-cost dollar-priced US exports would also be an increased competitive threat against exports priced in the suddenly higher yuan.

These risks are likely to inhibit any use of China's US debt holdings as a weapon or threat, as that sword is pointy on both ends.

Silicon Valley's oligarchs got a punch in the head – and that's actually good thing

Steve Hersey

Humor or blunder?

If you follow the "Let's Be Beastly to the Germans" link to Wikipedia, you'll find that the correct title actually reads, "Don't..." instead. Could be either The Register's characteristic sense of humor, or The Register's characteristic nonchalant proofreading...

ARM: Hold my beer, we'll install patches for your crappy IoT gear for you

Steve Hersey

Re: OK, so the dystopian-but-realistic solution is...

A DDoS is hard to spot at the source end, but is pretty unmistakable at the target end (that's rather the idea, after all). The idea would be something like this: A DDoS target notifies their ISP, who analyzes the attack pattern, then starts back-tracing the source addresses of incoming attack packets and reporting them to participating source ISPs, who then filter or disconnect the originating addresses. A significant percentage of inbound traffic to the target will be malicious in a DDoS, so it's not such a needle-in-haystack proposition if you're the destination ISP.

Other ISPs could conceivably be triggered to get into the act by logging source addresses sending to the affected targets, filtering out the legitimate players, and dealing with the rest.

This is not a simple endeavor by any means, and it would definitely require careful automation, but if properly implemented it could nobble many DDoS attacks and deprive them of effect. Even if you don't actively disconnect attack sources, but simply throttle their traffic to the target, a DDoS could be mitigated to the point where it becomes not worth the trouble.

Steve Hersey

Re: OK, so the dystopian-but-realistic solution is...

Agreed, everyone *should* behave responsibly, but the core of the problem is that there are a lot of nonspecialists out there with no idea that this is a problem, and lotsa cheap-artists building insecure junk to sell to them. Educating everyone's Aunt Sally that the cheap baby-cam is a hazard will be a challenge, and getting the cheap-baby-cam folks to clean up their act will be a near impossibility (the sky is high and the Emperor is far away, after all). For that matter, even specialists (like us) would be hard put to name a SOHO router with decent security that we could recommend to our friends.

I agree with your stated principle, it's just that getting everyone to be responsible is difficult and unlikely.

Steve Hersey

OK, so the dystopian-but-realistic solution is...

The major ISPs and network infrastructure operators, who of anyone have the most skin in the game, wind up banding together and establishing an infrastructure to (semi-)automatically identify and black-hole the IP addresses of the insecure tat that's doing the DDoS'ing, preferably in close to real time. Your internet connection gets turned off until you fix or disconnect the offending devices on your net.

I already hear you thinking, "But that just creates another hackable service the bad guys can use to disable connectivity for the target of an attack, and this time they don't even need to pwn a thousand devices to do it, just pwn the countermeasure system!" Alas, that argument is true, and weighs against *any* realistic countermeasure; the ISPs would simply have to do a good job designing their system to be resistant to abuse. An imperfect system for sure, but at least it doesn't rely on tat-makers to become responsible netizens.

Clearly, *someone* needs to do a good job designing their system to be resistant to abuse, and it self-evidently won't be the bottom-dollar bottom-feeders making said insecure tat. Until then, it'll continue to be the Wild Wild Web.
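The three posts above sketch a destination-side scheme: the target's ISP looks at the attack traffic, separates the legitimate players from the flood, and reports the rest to whichever participating ISP announces their prefix, with throttling as the gentler option. The following is an added example of that triage over summarised flow records, covering both the back-tracing step and the proposed black-holing; it is not code from any ISP or from the ARM article. The addresses, prefixes, packet counts and ISP names are all constructed for the example.

```python
"""Destination-side DDoS source identification over summarised flow records
(src, dst, packets) for a fixed window, as a NetFlow/sFlow collector would
hand over. Added example of the scheme discussed in these posts; not code
from any ISP. All addresses, prefixes and ISP names are constructed."""
import ipaddress
import statistics
from collections import Counter, defaultdict

TARGET = "203.0.113.5"  # the customer who reported the attack
WINDOW_S = 10.0

# Constructed flow records for a quiet window before the attack ...
BASELINE_WINDOW = [
    ("192.0.2.10", TARGET, 80),
    ("192.0.2.11", TARGET, 120),
    ("198.51.100.7", TARGET, 100),
]
# ... and for the window during the attack.
ATTACK_WINDOW = [
    ("192.0.2.10", TARGET, 90),           # ordinary user, still normal
    ("198.51.100.7", TARGET, 110),        # ordinary user, still normal
    ("198.51.100.20", TARGET, 4000),      # compromised device
    ("198.51.100.21", TARGET, 3000),      # compromised device
    ("192.0.2.200", TARGET, 20000),       # compromised device, very loud
    ("100.64.0.9", TARGET, 5000),         # source we cannot attribute to an ISP
    ("192.0.2.200", "203.0.113.99", 50),  # traffic to someone else: ignored
]

# Which participating ISP announces which prefix (constructed).
PREFIX_TO_ISP = {
    ipaddress.ip_network("198.51.100.0/24"): "isp-a",
    ipaddress.ip_network("192.0.2.0/24"): "isp-b",
}


def per_source_pps(flows, target, window_s):
    """Packets per second towards `target`, keyed by source address."""
    counts = Counter()
    for src, dst, packets in flows:
        if dst == target:
            counts[src] += packets
    return {src: n / window_s for src, n in counts.items()}


def identify_attack_sources(attack_flows, baseline_flows, target,
                            window_s=WINDOW_S, factor=20.0, min_pps=50.0):
    """Flag sources whose rate towards the target is far above what a single
    legitimate source did in the baseline window; sources under the
    threshold (the legitimate players) are left untouched."""
    base = per_source_pps(baseline_flows, target, window_s)
    now = per_source_pps(attack_flows, target, window_s)
    typical = statistics.median(list(base.values())) if base else 0.0
    threshold = max(min_pps, factor * typical)
    verdicts = {}
    for src, pps in now.items():
        if pps < threshold:
            continue
        # Unambiguously loud: ask the source ISP to drop it outright.
        # Otherwise ask for rate-limiting, which costs less if the
        # attribution turns out to be wrong.
        action = "filter" if pps >= 5 * threshold else "throttle"
        verdicts[src] = {"pps": pps, "action": action}
    return verdicts


def build_isp_reports(verdicts, prefix_map):
    """Group flagged sources by the ISP announcing their prefix, so each
    participating ISP receives only the addresses it can act on."""
    reports = defaultdict(list)
    for src, v in verdicts.items():
        addr = ipaddress.ip_address(src)
        isp = next((name for net, name in prefix_map.items() if addr in net),
                   "unknown-origin")
        reports[isp].append((src, v["action"], v["pps"]))
    for entries in reports.values():
        entries.sort(key=lambda e: -e[2])
    return dict(reports)


if __name__ == "__main__":
    flagged = identify_attack_sources(ATTACK_WINDOW, BASELINE_WINDOW, TARGET)
    for isp, entries in build_isp_reports(flagged, PREFIX_TO_ISP).items():
        print(isp, entries)
```

Two caveats a practitioner would add. The per-source threshold only works when the attack arrives from many real sources, each individually loud (the compromised-IoT case these posts are about); spoofed-source floods and reflection attacks put a stranger's address in the source field, and reporting those addresses upstream would be exactly the abuse the last post worries about. And the report channel itself needs authentication and rate limits, otherwise a forged report from the "target ISP" becomes the cheapest way to disconnect a victim.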

Victoria Police warn of malware-laden USB sticks in letterboxes

Steve Hersey

The safest way to handle them short of a large hammer...

Would be to put them in a cheap USB hub attached to a Raspberry Pi powered by a suitably current-limited DC supply, to which Pi you're logged in through the serial port. This allows you to safely peruse the malware on said stick without being pwned, and if it's a BadUSB device, only the $5 USB hub takes one for the team. What are the chances that the USB malware can pwn an ARM-based Pi without your being able to detect it?

You already KNOW (or should at a minimum assume) that there's malware on it, the only question is "what kind, and can I turn the tables on the rat-bastards?"
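One check the Pi-in-a-bunker setup above makes possible before anything is mounted: read what the stick claims to be. The kernel exposes each enumerated USB interface's class code under /sys/bus/usb/devices/, and a "thumb drive" that also presents a HID (keyboard) interface is the BadUSB pattern, while a CDC/Ethernet interface is the rogue-network-adapter variant. The following is an added example of that triage; it is not code from Victoria Police or from any vendor. The sample device table is constructed so the check runs with no hardware attached, and the live sysfs walk is used only when it finds something.

```python
"""Classify USB devices by the interface classes they enumerate, before
mounting anything. Added example; not code from Victoria Police or any
vendor. SAMPLE_DEVICES is constructed; read_sysfs_interfaces() reads the
real tree on a Linux host such as the Pi."""
import glob
import os

HID, CDC_COMM, MASS_STORAGE, CDC_DATA, WIRELESS, VENDOR = (
    0x03, 0x02, 0x08, 0x0A, 0xE0, 0xFF)
CLASS_NAMES = {0x01: "audio", CDC_COMM: "cdc-comm", HID: "hid", 0x06: "image",
               0x07: "printer", MASS_STORAGE: "mass-storage", 0x09: "hub",
               CDC_DATA: "cdc-data", 0x0E: "video", WIRELESS: "wireless",
               0xEF: "misc", VENDOR: "vendor-specific"}


def classify(interface_classes):
    """Return (verdict, reasons) for the interface classes one device
    enumerates. 'storage-only' is the only verdict worth mounting."""
    classes = set(interface_classes)
    reasons = []
    if HID in classes:
        reasons.append("HID interface: can type commands at whatever host binds it")
    if classes & {CDC_COMM, CDC_DATA, WIRELESS}:
        reasons.append("network interface: can push a rogue route or DNS via DHCP")
    if VENDOR in classes:
        reasons.append("vendor-specific interface: unknown driver attack surface")
    if classes == {MASS_STORAGE}:
        verdict = "storage-only"
    elif MASS_STORAGE in classes and reasons:
        verdict = "badusb-suspect"
    elif reasons:
        verdict = "not-storage"
    else:
        verdict = "other"
    return verdict, reasons


def read_sysfs_interfaces(root="/sys/bus/usb/devices"):
    """Live sysfs walk: map device name -> list of interface class codes.
    Interface directories are named '<device>:<config>.<interface>'."""
    devices = {}
    for path in glob.glob(os.path.join(root, "*:*", "bInterfaceClass")):
        iface_dir = os.path.basename(os.path.dirname(path))
        dev = iface_dir.split(":", 1)[0]
        with open(path) as fh:
            devices.setdefault(dev, []).append(int(fh.read().strip(), 16))
    return devices


def triage(devices):
    """Apply classify() to every device: {device: (verdict, reasons)}."""
    return {dev: classify(classes) for dev, classes in devices.items()}


# Constructed sample in the shape read_sysfs_interfaces() returns.
SAMPLE_DEVICES = {
    "1-1.2": [MASS_STORAGE],                      # ordinary thumb drive
    "1-1.3": [MASS_STORAGE, HID],                 # storage plus a keyboard
    "1-1.4": [HID],                               # stick-shaped, keyboard only
    "1-1.5": [MASS_STORAGE, CDC_COMM, CDC_DATA],  # storage plus a network adapter
}

if __name__ == "__main__":
    live = read_sysfs_interfaces()
    for dev, (verdict, reasons) in triage(live or SAMPLE_DEVICES).items():
        names = [CLASS_NAMES.get(c, f"0x{c:02x}") for c in (live or SAMPLE_DEVICES)[dev]]
        print(dev, names, verdict, "; ".join(reasons))
```

This only sees what the device says about itself, and a BadUSB device can re-enumerate later with a different identity, so the serial-console login in the setup above (which keeps the Pi's own input path out of the stick's reach) still does the real work. On kernels that support it, writing 0 to /sys/bus/usb/devices/usb1/authorized_default makes the kernel enumerate new devices on that bus without binding drivers, so the descriptors can be read and the classification run before anything is authorized by hand.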



Biting the hand that feeds IT © 1998–2022