Posts by Steve Hersey 72 posts • joined 11 Aug 2009
Jailbreak the features. No jury of car owners would convict. You paid for the car, you own it.
I read a novel set in the near future where characters chose old cars because they didn't have surveillance features and hackable crapware. The future has already arrived and wants to take over the spare bedroom...
A 50% premium on down-in-the-noise is still down in the noise. <Yawn>
More power than the Apollo flight computer (haven't verified this), for less than the cost of a deli sandwich. The cabling and wall wart will cost more.
We live in an age of marvels. If we can just manage to survive it...
From my cursory reading (not an expert here!):
It looks as though the town took out $300 million in bonds to build stuff to support the project, Foxconn promised annual payments to cover the debt, and - big surprise there - didn't hold up their end of the deal. And have now effectively abandoned it. (The hire-and-fire trick to fudge compliance with the agreement is a typically soulless big-corporation touch.)
Who is ultimately on the hook for this will doubtless depend on the contract language, and exactly how binding that promise was. I suppose the town could seize and resell the property if the promise is enforceable but Foxconn won't pony up, but that would involve massive legal expenses. In the end, I think they're well and truly screwed.
I was once on a support trip in Toulouse (lovely city, wonderful people!) with folks from another US company supporting the same project. We went to lunch at an outdoor cafe; none of us spoke any French, but I speak German and a teeny bit of Dutch, and I wound up translating the menu (by guessing the ingredients from the closest English, German or Dutch cognates) and placing our order. Worked out amazingly well.
Languages skills rock.
(So does learning at least the basic hello/please/thank you in the local language; show folks that you respect their language and culture, and they'll generally be very helpful.)
My personal response would be to reach for the D-ring and exit the plane stage right.
"Who do we sue if this goes wrong?" is that rere thing, an actually stupid question.
The RIGHT question is: "Will we be better off if we do this, or if we don't? Is this the best option, or is there a better one?"
Planning for whom to sue in case of failure is planning for failure.
An organization that features "unachievable deadlines set by managers that lacked a proper grasp on the challenges involved" is a toxic waste site, and should be shunned by anyone with a gram of self-respect, until said organization either gains a clue or collapses from the accumulated incompetence.
Your skills, your time, your self-worth, are too valuable for you to collude in your employer's abuse of you. Run, do not walk, to find a job with a better employer. (If you really need the money that badly, set a limit on how long you'll tolerate those conditions, and stick to it.)
On one memorably miserable project in the last century (single-handedly creating software support for a portable instrument; the full requirements list was: "We want it to talk to the flowmeter", and you can imagine how fast it went down hill from there), the Sales folks routinely gave out internal-use-only alpha test copies of the software to customers, in violation of explicit instructions to the contrary. Salesmen were always trying to steal a march on the others by showing off the newest (buggiest!) features.
Until I added a profanity-laden startup splash screen stating that this test version was for <expletive> internal use only and NOT for <expletive> distribution to customers.
And waited (not long) for the complaints to roll in from Sales. Which were then countered by a reminder that, as they had been repeatedly warned, they weren't supposed to be releasing alphaware to customers.
I discovered around 2000 or so that the limiting factor to the service life of an ancient desktop PC in a piece of satellite ground test equipment was the coin-cell battery molded into its configuration memory and clock chip. Said clock chip having gone obsolete, the only solution was to Dremel my way into the chip, tap into the supply wire from the battery, and reroute it to an external coin cell in a holder glued atop the chip. Worked a treat, and the test gear continued to work. Such projects have a very long support timeframe.
I'd have gladly upgraded the PC (and we tried!), but due to a consultant's idiocy (and against the urging of the new engineer at project start -- me) we had chosen software that depended on a specific version of QNX, and whose vendor shortly went out of business (no upgrades!). That version of QNX had a clock counter overflow that prevented it from operating on anything faster than the original 33 MHz 80386 processor.
The next such system used Sun Ultra 5s, whose dead battery-backed SRAM and clock chips were at least still obtainable.
When, in times of disaster, the ruler would be ritually sacrificed to carry to the gods a petition for rescue.
Now, I don't personally think those gods existed, but the practice DID tend to have a self-correcting effect on incompetent leadership, and in those cases where the disasters were caused by said incompetence, the petitions were actually effective...
Reminds me of the calibration house that used to annually certify our digital multimeters. We suspected that they were certifying them without actually testing them, so we opened one up, diddled its trimpots well beyond its stated calibration limits, and sent it off. Sure enough, back it came with a fresh sticker -- and still horribly out of calibration.
To your first point, it appears that the MCAS system was added because without it, the aircraft was not stable enough to get flight certification. I'd say that DOES qualify as "inherently unstable," though I'll agree it isn't as inherently unstable as, say, an F-14.
To your second point, it's actually even worse than just fail-safe: If I read the reports correctly, the two-sensor configuration was sold as an extra-cost option; the standard configuration had a single sensor, with no failover capability at all. Set negligence level to "criminal stupidity with a side order of arrogant avarice."
I smell BS coming from Atari in this interview. No major project that is real and being responsibly managed gets THAT close to its release date and then decides, "Well, maybe we'll just change the fundamental CPU architecture." By the time you're carrying engineering prototypes to trade shows to show them off, you damn' well better have settled on a chip architecture. Once settled, you only change that under dire circumstances. Even if the replacement is essentially identical, you don't delay the project for things that "would be nice." Delays to an almost-ready project cost a LOT of money.
The Atari bloke's statements make it clear that the project is nowhere near the state of readiness they would like us to think it is in.
Having listened to the rest of the excerpts, it's even a bit worse than that. They went all the way to a "product launch" when they knew they didn't have working *engineering prototype* hardware (else they'd have been willing to show at least a don't-touch-this static display of an operating prototype.
I agree with Milton's point about Chinese IP theft, but in this case I'm not especially worried about its consequences. Here's why: The US military establishment has a decent understanding that strategic control of space is an enormous military advantage. With that in mind, the competition from China, India and Russia for space launch capability represents a challenge they cannot ignore; keeping the USA's launch capability technologically competitive is thus a must-do thing from their point of view. (Who has an automated mini-Shuttle that can spend a year on-orbit?)
So even if China steals lots of other folks' tech secrets, the competition for space capability will mean that the human species is back in space on an ongoing basis this time. The faster any one party advances, the harder the rest will work to keep up. From a species point of view, that's all to the good.
The cheating and stealing are aggravating, but are at most a damned nuisance, and may even prove neutral to beneficial in the long run. Though we should still feed the bastards some subtly defective designs just to mess with their heads.
It escapes my poor, limited understanding how a scheme that requires a large number of nodes (inherent in its "distributed web of trust") to store EVERY TRANSACTION EVER MADE could possibly be sustainable at a large enough scale to count as a "currency." Yes, "lightweight" nodes can store a subset, but that doesn't fix the fundamental insanity of the design.
Even the global banking system doesn't require every major bank to maintain the full transaction history of all major banks in order to function. For comparison, the Internet Archive only exists as one instance, not replicated X thousand times.
This sounds like a banking system designed by someone who didn't understand banking. There's no way it can possibly scale up far enough to be more than a curiosity/money-laundering tool/means to fleece the unwary.
I once built some external I/O hardware for a ZX80 to drive solid-state relays. The customer wanted to use it to automate a sawmill. They were disinclined to accept the notion that the ZX80 wan't really an appropriate platform for controlling potentially man-killing machinery. I never did get my AC adapter back...
It's not critical if the ground support hardware no longer exists. So long as the documentation on the telemetry formats and comms parameters is still available, some bright grad student or motivated Ham radio operator can set up a software-controlled radio setup to receive and decode it, and the same goes for satellite commanding (though that requires a suitable ground control transmitter, which NASA certainly still has).
Of course, that will require some time and money to set up, but it's not a gargantuan effort. Debugging the recreated commanding system on-orbit can be exciting, but the worst that can happen is you lose the bird again.
Trust me, you don't want to rely on the original ground support equipment after all this time, even if you can find it. If nothing else, the ancient PC's RTC chips with their built-in batteries and configuration memory have gone dead, cannot be sourced any longer, and can only be revived by judicious use of a Dremel grinder, a coin cell battery/holder, and a soldering iron. Been there, done that on satellite ground support gear.
Apple could have derated the batteries properly so that the phones would continue to work as they -- predictably -- aged. Apple being Apple, it's not like profit margins on iThings are razor-thin, so they *could* certainly afford to do a proper engineering job on power management and get $5 less profit per unit.
Every electronic device I've helped to develop in a long career has gone through worst-case analyses and has included design margins to make sure it works reliably over its life, and this always includes power management. If Apple's iCrap won't work with batteries that aren't new any more, it's because Management isn't setting realistic goals for the engineering teams, and that means that Corners Will Be Cut.
... build a case for 'reasonable apprehension of bias'?
I seem to recall that SCO's lawyers tried that trick, and Alsup is certainly wise to it by now. He seems to have a bottomless reserve of cool, and the occasional decapitating strike of sarcasm stays within the limits. This IS going to be fun to watch; he'll grind them up using their own documents as the millstones.
You simply cannot get away with blatantly hiding relevant material from discovery like that and just claiming "they didn't use their company name as a search term." I expect to see their lawyers stripped of attorney-client privilege and hauled into the dock themselves; the misconduct is just that extreme.
On the other hand letting a criminal off when they've clearly done something wrong..........
The US Constitution operates on the principle that incorrectly releasing the guilty is preferable to incorrectly jailing the innocent. That's the theory, anyway.
The point of letting the crim walk away if the evidence was improperly obtained is that if you allow the use of improper evidence, then the whole due-process principle just became unenforceable, and we're right back to forced confessions under torture, faked evidence, and all the other abuses the due-process clause was intended to prevent.
It's a harsh punishment of the cops to toss out their case, true, but the alternative was held to be a worse price to pay.
If the Reg article is correct (there are things said that cannot be verified from the linked docs), then the authors at IOActive are a bit uneven in their research.
The Reg article reports (though I can't find this in the linked docs) a claim that the UR robot has a "static SSH key," which is claimed to facilitate MITM attacks. This is drivel. A given SSH host MUST have a static SSH key, or you cannot authenticate the host; that's how SSH works.
Elsewhere, they make much of happily hacking the Baxter RSDK, blissfully ignorant of the fact that it is *built* for open access, not security. Yes, you can get into the ROS interfaces and do whatever you want; that's the whole point of a "research software development kit;" it isn't meant to be a secured industrial production system.
Still elsewhere, there's mention of carrying out MITM attacks on unencrypted communications traffic. Plaintext traffic is *inherently insecure*, so complaining about MITM is a bit beside the point of "totally insecure comms link." And, as noted above, it is important to know whether the system was intended for use in a hostile environment or in a university environment where open access is the whole point.
Certainly some of these systems are inadequately secured for their advertised purpose, but it's not accurate to slam them all as written by fools.
I do enjoy a good SF movie now and then, but I generally find that the plot depth and special effects are much better in the books.
With the notable exception of Battlefield Earth, which I watched in bored horror one afternoon when marooned in San Jose on a business trip. I kept saying to myself, "That's ridiculous! The book this is based on couldn't possibly be THAT bad!" So I borrowed a copy from the library, skimmed it, and discovered that, yes, it was EXACTLY that bad, if not worse. Fully-functional 1000-year-old F14's and all.
" I'd much rather have a government too incompetent to do anything than a government doing all the wrong things."
Be careful what you wish for. What we have is a government doing deliberately evil and destructive things to great effect, while incompetent to do anything positive. Not to mention being exceedingly corrupt even by comparison with a century's worth of US administrations.
I fail to see any sense in deliberately throwing a grenade into the works of government; it would be far better to work toward a government that furthers rational policies you agree with -- assuming that rational policies are your goal. (I've met enough folks who voted for that nutjob explicitly in order to break the government that rationality cannot be assumed here.)
Immobilizing the government might have been relatively harmless in the 1790s, but it's a lethally bad idea in the 21st century. Drop the ball on climate change, pollution control, voter disenfranchisement, and everything to do with civil rights? Abandon all allies and threaten other nuclear-armed nutjobs? Deliberately destabilize the health insurance markets, such as they are? People will die on account of this stuff. It is indefensible.
The X-rays that got filtered out by ~1 cm of leaded glass in a CRT faceplate had energies of up to 25 KeV max. based on the TV's 25 KV anode voltage. That's pretty soft for X-rays.
The radiation making it through the water at Fukushima (ignoring suspended or dissolved radionuclides for the moment) is essentially all gamma rays, with orders of magnitude higher energy than CRT X-rays. As a result, leaded glass lenses wouldn't block enough of it to notice.
The other thing to keep in mind about radiation shielding, aside from having to shield your electronics from all angles, is that its effect is exponential rather than linear. If 1 cm of solid lead reduces exposure from a particular source by 50%, another 1 cm will only cut THAT dose by another 50% (= 25% of the original incoming dose), so twice the shielding thickness doesn't get you twice the effectiveness. Takeaway is this: Effectively shielding sensitive electronics from high radiation levels requires really bulky, massive hunks of stuff, or else staying far enough away that 1/R^2 is your friend.
I rather prefer the clay pot approach, as a metal can gets hotter on the outside from the fire within (though it is indeed quite fine if placed on a concrete floor). A handle is nice, but for best safety, the container must survive total burnout of the battery without setting anything else on fire.
The savvier R/C model fliers have known of this battery hazard for years. A Web search for "Lipo battery bunker" will show both commercial and home-built versions of fireproof charging containers for flight batteries. Some battery chargers make this a tad difficult by turning the charger into a wall-wart that the battery physically slots into, so the whole thing normally sits on the wall socket.
I have little to no interest in the silly spinners, so the idea of electrifying them evokes only a goggle-eyed wonderment, followed by "Gee, I wonder if they can be hacked remotely to go poof."
And occasionally a stunned chipmunk.
And, on two days running when mice were in short supply, a very large toad from the front garden. THE SAME TOAD, TWICE. Undamaged.
I've always wondered how that went down. Did the cats bribe the toad somehow? Was the toad thinking, "Not this again!" as they carried it into the house?
In the variant I encountered, the message randomly cycled through a set of slight variants, such as, IIRC:
You are in a maze of twisty little passages, all alike.
You are in a maze of little twisty passages, all alike.
You are in a maze of twisty little passages, all different.
The sneaky bit being that the exact message text had no relationship to your actual location in the maze, and would change even if you went nowhere. I have a grudging admiration for the person who thought THAT part up.
I imagine that Uber actively detecting the enforcement authorities in places it wasn't allowed to operate, then feeding them a fake app to conceal the illegal operation, constitutes obstruction of justice. That seems quite apparent, though applying logic to the operations of law is always fraught with the most extreme hazard.
Clearly, I'm *not* the first to think of some of these dark-side things. My first thought when hearing today's Uber-automated-cars-will-Borg-the-taxi-industry story was that there will be a serious problem with vandals fouling automated cabs in assorted unpleasant ways.
Alas, the problem with sarcasm is the same as the problem with cynicism: It's so <expletive> hard to keep up with the you-can't-make-this-stuff-up that reality hands us.
I think the major problem with unreliable news at Internet speed is not that there's a greatly higher fake-to-real ratio (tabloids have been around for more'n a century), but rather that the information firehose is now so big and fast that human processing faculties are overloaded, and end up (metaphorically) lying dead-shorted in a smoking, charred heap.
With the equivalent of a hundred newspapers shouting for our attention every morning, it's not really a surprise that folks pick and choose the news sources that best fir their world views. It's a formula for society to end up in a (literally) lying dead-shorted in a smoking, charred heap, but it's not a surprise.
Back on topic, surely I'm not the first person to read about ubiquitous automated parcel delivery and wonder when and how some nasty minds will try to weaponize it?
So, a notorious monopolist that screws its customers at every opportunity is offering a new jail cell -- I mean, computing experience -- and wants the sheeple to step inside? No, thanks, I'll wait until the hardware has been jailbroken and I can load Ubuntu onto a unit bought from the reminder bin.
I only tolerate Windows because of applications that run on no other platform. These days, that no longer even includes software development environments OR office apps; all the good stuff has versions for Linux. LibreOffice on Linux is amazingly useful. I can only see the Windows S platform being used for sacrificial computing devices to be issued to folks traveling internationally and to run Office apps for road warriors, never for any serious work that can be done on any other OS.
Show me a serious use case for needing to do X in your home from half a world away, and I'll believe there's a reason for it to be on the Internet. 'Course, its security will still be crap ;-)
When I bought my home many years ago, 'twas the first time I'd had a garage door with a remote opener. For yucks, one day I wandered the neighborhood clicking the clicker, and discovered several owners of compatible openers who, like the previous owner of my house, had never changed the default switch settings on their remote openers. It was fun running their doors up and down, but I went home and changed my switch settings right away. Still not really secure, of course, but less miserably INsecure.
I've done IT support as a many-hats activity from time to time, and I know how that world feels on the inside. So for many years I've made it a practice to ALWAYS establish a friendly, supportive relationship with the IT and facilities people. (Not that it's a *good* idea to make enemies anywhere, for that matter.) And always admit your mistakes to IT, especially the bonehead ones.
Aside from making everyone's life easier, this approach yields immense benefits when you really, really need some help from IT or the facilities crew. What goes around, comes around, and when it comes around with a replacement hard drive and a friendly greeting, you'll be glad.
Well, the handset manufacturers basically have no business if they don't continue to buy those chips, as the chips embody standards-essential tech. The manufacturers don't have anywhere else to go until Intel becomes a viable alternative. Consequently, it's no surprise that they continue to place orders...
Or at least much more complicated.
Yes, China has a lot of money sunk into US government debt. However, that provides the second edge on the sword: If China were to dump T-bills onto the market in an effort to punish the US, it would depress the dollar, but the Chinese government would take a massive loss. Lower-cost dollar-priced US exports would also be an increased competitive threat against exports priced in the suddenly higher yuan.
These risks are likely to inhibit any use of China's US debt holdings as a weapon or threat, as that sword is pointy on both ends.
A DDoS is hard to spot at the source end, but is pretty unmistakable at the target end (that's rather the idea, after all). The idea would be something like this: A DDoS target notifies their ISP, who analyzes the attack pattern, then starts back-tracing the source addresses of incoming attack packets and reporting them to participating source ISPs, who then filter or disconnect the originating addresses. A significant percentage of inbound traffic to the target will be malicious in a DDoS, so it's not such a needle-in-haystack proposition if you're the destination ISP.
Other ISPs could conceivably be triggered to get into the act by logging source addresses sending to the affected targets, filtering out the legitimate players, and dealing with the rest.
This is not a simple endeavor by any means, and it would definitely require careful automation, but if properly implemented it could nobble many DDoS attacks and deprive them of effect. Even if you don't actively disconnect attack sources, but simply throttle their traffic to the target, a DDoS could be mitigated to the point where it becomes not worth the trouble.
Agreed, everyone *should* behave responsibly, but the core of the problem is that there are a lot of nonspecialists out there with no idea that this is a problem, and lotsa cheap-artists building insecure junk to sell to them. Educating everyone's Aunt Sally that the cheap baby-cam is a hazard will be a challenge, and getting the cheap-baby-cam folks to clean up their act will be a near impossibility (the sky is high and the Emperor is far away, after all). For that matter, even specialists (like us) would be hard put to name a SOHO router with decent security that we could recommend to our friends.
I agree with your stated principle, it's just that getting everyone to be responsible is difficult and unlikely.
The major ISPs and network infrastructure operators, who of anyone have the most skin in the game, wind up banding together and establishing an infrastructure to (semi-)automatically identify and black-hole the IP addresses of the insecure tat that's doing the DDoS'ing, preferably in close to real time. Your internet connection gets turned off until you fix or disconnect the offending devices on your net.
I already hear you thinking, "But that just creates another hackable service the bad guys can use to disable connectivity for the target of an attack, and this time they don't even need to pwn a thousand devices to do it, just pwn the countermeasure system!" Alas, that argument is true, and weighs against *any* realistic countermeasure; the ISPs would simply have to do a good job designing their system to be resistant to abuse. An imperfect system for sure, but at least it doesn't rely on tat-makers to become responsible netizens.
Clearly, *someone* needs to do a good job designing their system to be resistant to abuse, and it self-evidently won't be the bottom-dollar bottom-feeders making said insecure tat. Until then, it'll continue to be the Wild Wild Web.
Would be to put them in a cheap USB hub attached to a Raspberry Pi powered by a suitably current-limited DC supply, to which Pi you're logged in through the serial port. This allows you to safely peruse the malware on said stick without being pwned, and if it's a BadUSB device, only the $5 USB hub takes one for the team. What are the chances that the USB malware can pwn an ARM-based Pi without your being able to detect it?
You already KNOW (or should at a minimum assume) that there's malware on it, the only question is "what kind, and can I turn the tables on the rat-bastards?"
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022
