
Feed aggregator

Kevin Avignon: Tech questions 10-17: FP questions

Planet Debian - Fri, 24/06/2016 - 2:07 PM
Hey guys, Today's post is to make you understand that even if object-oriented programming (OOP) now finally feels natural and exquisite, there are better ways to design and implement your solutions to make them better and, of course, safer. My goal today is to make you want to adopt a functional mindset when creating software … Continue reading Tech questions 10-17: FP questions →

BlackBerry Remains Committed To Smartphone Business, Despite $670M Net Loss In Last Three Months

Slashdot.org - Fri, 24/06/2016 - 12:00 PM
AchilleTalon writes: BlackBerry CEO John Chen refuses to give up on the company's hardware business despite lackluster sales of its first Android-powered smartphone, the Priv. The Canadian smartphone maker reported a $670 million net loss in the first quarter of its 2017 financial year, but said its recovery plan for the year remains on track. Chen, who has stated the company's No. 1 goal is to make its smartphone device business profitable this fiscal year, said he expects the company's new mobility solutions segment to break even or record a slight profit during the third quarter, which ends Nov. 30, 2016. During BlackBerry's first quarter -- second full quarter to include Priv sales -- the company sold roughly 500,000 devices at an average price of $290 each, he said, which is about 100,000 smartphones fewer than the previous quarter and about 200,000 fewer than two quarters earlier. Previously, the company said it needs to sell about three million phones at an average of $300 each to break even, though Chen indicated that may change as the software licensing business starts to contribute to revenue.

Read more of this story at Slashdot.

A Bug in Chrome Makes It Easy to Pirate Movies

LinuxSecurity.com - Fri, 24/06/2016 - 11:38 AM
LinuxSecurity.com: For years Hollywood has waged a war on piracy, using digital rights management technologies to fight bootleggers who illegally copy movies and distribute them. For just as long, hackers have found ways to bypass these protections. Now two security researchers have found a new way, using a vulnerability in the system Google uses to stream media through its Chrome browser.

Let's Encrypt accuses Comodo of trying to swipe its brand

LinuxSecurity.com - Fri, 24/06/2016 - 11:35 AM
LinuxSecurity.com: Let's Encrypt, a free certificate authority launched by the Internet Security Research Group in November 2014 and backed by some of the biggest names in the industry, today revealed that rival CA Comodo is attempting to "improperly" trademark the Let's Encrypt brand.

next-20160624: linux-next

Linux Kernel - Fri, 24/06/2016 - 8:52 AM
Version: next-20160624 (linux-next) Released: 2016-06-24
Categories: Linux Kernel

BBC: UK Votes To Leave The European Union

Slashdot.org - Fri, 24/06/2016 - 8:00 AM
An anonymous reader quotes a report from the BBC: The UK has voted by 52% to 48% to leave the European Union after 43 years in a historic referendum, a BBC forecast suggests. London and Scotland voted strongly to stay in the EU but the remain vote has been undermined by poor results in the north of England. Voters in Wales and the English shires have backed Brexit in large numbers. The referendum turnout was 71.8% -- with more than 30 million people voting -- the highest turnout since 1992. London has voted to stay in the EU by around 60% to 40%. However, no other region of England has voted in favor of remaining. Britain would be the first country to leave the EU since its formation -- but a leave vote will not immediately mean Britain ceases to be a member of the 28-nation bloc. That process could take a minimum of two years, with Leave campaigners suggesting during the referendum campaign that it should not be completed until 2020 -- the date of the next scheduled general election. The prime minister will have to decide when to trigger Article 50 of the Lisbon Treaty, which would give the UK two years to negotiate its withdrawal. Once Article 50 has been triggered a country can not rejoin without the consent of all member states. British Prime Minister David Cameron is under pressure to resign as a result of the decision. UK Independence Party (UKIP) leader Nigel Farage called on him to quit "immediately." One labor source said, "If we vote to leave, Cameron should seriously consider his position." Several pro-Leave Conservatives including Boris Johnson and Michael Gove have signed a letter to Mr. Cameron urging him to stay no matter the decision. Mr. Cameron did say he would trigger Article 50 as soon as possible after a leave vote. Update 6/24 09:33 GMT: David Cameron has resigned.


Norbert Preining: Rest in peace UK

Planet Debian - Fri, 24/06/2016 - 6:22 AM

I am mourning for the UK. I feel so much pain and pity for all my good friends over there. Stupidity has won again. Good bye UK, your long reign has found its end. The rest is silence.

RIP.

(Graphic from The Guardian – EU referendum results in full)

Apple Discontinues Thunderbolt Display

Slashdot.org - Fri, 24/06/2016 - 5:30 AM
An anonymous reader writes: Apple has officially told several news sites that it plans to discontinue the Thunderbolt Display, which has been available online and in Apple retail stores since it was first introduced in 2011. "We're discontinuing the Apple Thunderbolt Display. It will be available through Apple.com, Apple's retail stores and Apple Authorized Resellers while supplies last. There are a number of great third-party options available for Mac users," said an Apple spokesperson. Rumors suggest that Apple will launch a new version of its Thunderbolt monitor later this year, featuring an upgraded 5K resolution and discrete GPU. The new Thunderbolt Display may even launch alongside next-generation Skylake Retina MacBook Pros, which too are rumored to be released later this year. fyngyrz writes: So, bought into the whole Thunderbolt monitor thing from Apple? Might want to collect a few right now, while you still can. It appears that the Thunderbolt monitor is going the way of the analog [headphone] jack over at Apple. Isn't it fun to be part of an unsuccessful experiment?


Comcast Admits It Incorrectly Debited $1,775 From Account, Tells Customer To Sort It Out With Bank

Slashdot.org - Fri, 24/06/2016 - 3:25 AM
An anonymous reader writes from a report via The Consumerist: Consumerist reader Robert is fighting with Comcast over a $1,775 early termination fee that should not have been assessed after he tried to cancel his business-tier service with the company. Comcast itself has even admitted that the money should not have been debited from Robert's bank account, but now says it's his responsibility to sort the mess out with his bank. The Consumerist reports: "In an effort to save money in 2014, Robert called to have their service level downgraded to a more affordable rate. Shortly thereafter, correctly believing that he was out of contract, he cancelled his Comcast service. That should have been the end of the story, but only weeks after closing the Comcast account, the boys from Kabletown decided that Robert was not out of contract, debiting $1,775.44 from the checking account tied to the Comcast service. Skip forward to Jan. 2015 -- two months after being told he'd get made whole; still no check. Robert says that when he called Comcast, 'the rep actually laughed when I told her I didn't get a check yet. She said it would take three months.'" Two calls later, one in June 2015 and one in Jan. 2016, Robert still didn't receive the check even after being reassured it was coming. More recently, he received an email from someone at Comcast "Executive Customer Relations," saying: "I understand you're claiming that someone advised you Comcast would send a refund check for the last payment that was debited but this is generally not the way we handle these situations. [...] For your situation, you would have to dispute the payment with your bank." Good news: The Consumerist reached out to Comcast HQ and a Comcast rep wrote back. "More information just came in," reads the email, which explains that an ETF credit was applied to his account in Dec. 2014, but "through some error the refund check never generated." Comcast is reportedly sending the check for real this time.


Clinton's Private Email Was Blocked By Spam Filters, So State IT Turned Them Off

Slashdot.org - Fri, 24/06/2016 - 2:45 AM
An anonymous reader quotes a report from Ars Technica: Documents recently obtained by the conservative advocacy group Judicial Watch show that in December 2010, then-U.S. Secretary of State Hillary Clinton and her staff were having difficulty communicating with State Department officials by e-mail because spam filters were blocking their messages. To fix the problem, State Department IT turned the filters off -- potentially exposing State's employees to phishing attacks and other malicious e-mails. The mail problems prompted Clinton Chief of Staff Huma Abedin to suggest to Clinton (PDF), "We should talk about putting you on State e-mail or releasing your e-mail address to the department so you are not going to spam." Clinton replied, "Let's get [a] separate address or device but I don't want any risk of the personal [e-mail] being accessible." The mail filter system -- Trend Micro's ScanMail for Exchange 8 -- was apparently causing some messages from Clinton's private server (Clintonemail.com) to not be delivered (PDF). Some were "bounced;" others were accepted by the server but were quarantined and never delivered to the recipient. According to the e-mail thread published yesterday by Judicial Watch, State's IT team turned off both spam and antivirus filters on two "bridgehead" mail relay servers while waiting for a fix from Trend Micro. There was some doubt about whether Trend Micro would address the issue before State performed an upgrade to the latest version of the mail filtering software. A State Department contractor support tech confirmed that two filters needed to be shut off in order to temporarily fix the problem -- a measure that State's IT team took with some trepidation, because the filters had "blocked malicious content in the recent past." It's not clear from the thread that the issue was ever satisfactorily resolved, either with SMEX 8 or SMEX 10.


HTML5 Ads Aren't That Safe Compared To Flash, Experts Say

Slashdot.org - Fri, 24/06/2016 - 2:05 AM
An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.


Internet Trolls Hack Popular YouTube Channel WatchMojo

Slashdot.org - Fri, 24/06/2016 - 1:20 AM
An anonymous reader writes: WatchMojo, one of the most popular channels of YouTube with over 12 million subscribers, has been hacked. Subscribers of one of YouTube's most popular channels, WatchMojo, were greeted with an unusual surprise on Wednesday evening, as a couple of hackers, known only as Obnoxious and Pein, hacked the lineup of the channel's videos. The two hackers then proceeded to rename almost all of WatchMojo's videos with the title "HACKED BY OBNOXIOUS AND PEIN twitter.com/poodlecorp." Since the channel was compromised, the hackers have uploaded two new videos, "Top 5 Facts About the Yakuza," and a video about Neanderthal myths. Apart from these, however, the hackers have not touched anything else on the channel. Though, most of WatchMojo's videos still remain hacked as of writing. The popular channel announced that it is fully aware of the hack. WatchMojo further stated that it has already contacted YouTube about the incident and that it is already starting to fix the changes to its videos.


SanDisk Made an iPhone Case With Built-In Storage

Slashdot.org - Fri, 24/06/2016 - 12:40 AM
An anonymous reader writes: SanDisk has made its iXpand Memory Case to alleviate the problem that Apple creates when they release an iPhone in 2016 with only 16GB of on-board storage. The iXpand Memory Case is an iPhone case with flash storage built directly into the case itself that connects/charges via the Lightning port. You won't need a new phone and you won't need to carry around an extra charging dongle, which is the case for many other third-party cases and accessories. Since Apple doesn't make expanding your storage with third-party devices easy, you will need to download/install the companion SanDisk iXpand Memory Case app on your iPhone, which will automatically back-up your camera roll and password-protect your photos and files. If you need some extra juice, you can spend an extra $40 to receive a 1900mAh battery pack that attaches to the case. The iXpand Memory Case is only available with the iPhone 6 and 6s and is available with 32GB, 64GB, and 128GB of extra flash storage for $59, $99, and $129, respectively. Oh, and of course there are varying color options: Red, Grey, Sky and Mint. Maybe your phone battery is running low (God-forbid it is dead) and you just so happen to be nearby a KFC in Delhi or Mumbai, KFC has you covered. They have introduced a meal box that doubles as a smartphone charger.


Federal Court: The Fourth Amendment Does Not Protect Your Home Computer

Slashdot.org - Fri, 24/06/2016 - 12:00 AM
An anonymous reader writes: The EFF reports that a federal court in Virginia today ruled that a criminal defendant has no "reasonable expectation of privacy" in his personal computer (PDF), located inside his home. The court says the federal government does not need a warrant to hack into an individual's computer. EFF reports: "The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all. To say the least, the decision is bad news for privacy. But it's also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal. (It also was not the central component of the judge's decision, which also diminishes the likelihood that it will become reliable precedent.) But the decision underscores a broader trend in these cases: courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone's rights."


Boston Dynamics' SpotMini Is All Electric, Agile, and Has A Capable Face-Arm

Slashdot.org - Thu, 23/06/2016 - 11:20 PM
An anonymous reader writes: Boston Dynamics has shown the world their "fun-sizeified version of their Spot quadruped," the SpotMini robot. It's a quiet, all electric machine that features a googley-eyed face-arm. IEEE Spectrum notes some observations made from watching their YouTube video. First of all, the SpotMini appears to be waterproof and doesn't rely on hydraulics like the other more powerful robots of theirs. The SpotMini is likely operated by a human, and is not autonomous, though the self-righting could be an autonomous behavior. The video appears to show two separate versions of the SpotMini: an undressed and dressed variant (it's hard to tell if the "dressed" variant features differing components/abilities). There is a MultiSense S7 video camera on the front, some other camera-based vision system on the front, a butt-mounted Velodyne VLP-16 system, and what may be a small camera on the face-arm's mouth. One particularly noteworthy observation is that during much of the video, the SpotMini is traversing through a house. In other Boston Dynamics demo videos, the robots are outside. The author of the report says, "[...] it wouldn't surprise me if we're looking at an attempt to make an (relatively) affordable robot that can do practical things for people who aren't in the military."


Crispr Wins Key Approval to Fight Cancer in Human Trials

Slashdot.org - Thu, 23/06/2016 - 10:40 PM
Tom Randall, reporting for Bloomberg Technology: An experimental cancer treatment that alters the DNA of patients has won a key approval to proceed with its first human tests using the controversial gene-altering tool known as Crispr. Scientists from the University of Pennsylvania want to edit the immune systems of 18 patients to target cancer cells more effectively. The experiment, backed by internet billionaire Sean Parker, won approval from the Recombinant DNA Advisory Committee (RAC), a federal ethics panel set up at the National Institutes of Health 40 years ago to review controversial experiments that change the human genome. The trial still needs final approval from the U.S. Food and Drug Administration. The experiment targets difficult-to-treat cases of multiple myeloma, sarcoma, and melanoma. The scientists will remove blood samples from patients and alter their T-cells -- central to human immune response -- to more effectively target and pursue cancer. The T cells will then be infused back into patients and studied for the safety and effectiveness of the technique. STAT News has an article in which it discusses the probable consequences of altering the DNA of a cancer patient.


Comodo Attempting to Register 'Let's Encrypt' Trademarks, And That's Not Right

Slashdot.org - Thu, 23/06/2016 - 10:00 PM
Let's Encrypt is a nonprofit aimed at encrypting the entire web. It provides free certificates, and its service is backed by EFF, Mozilla, Cisco, Akamai and others. Despite it being around for years, security firm Comodo, which, as of 2015, was the largest issuer of SSL certificates with a 33.6% market share on 6.6% of all web domains, last year in October filed for the trademark Let's Encrypt. The team at Let's Encrypt wrote in a blog post today that they have asked Comodo directly to abandon its "Let's Encrypt" applications, but it has refused to do so. The blog post adds: We've forged relationships with millions of websites and users under the name Let's Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone. We've also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion. By attempting to register trademarks for our name, Comodo is actively attempting to do just that. Update: 06/23 22:25 GMT by M: Comodo CEO has addressed the issue on company's forum (screenshot).


Facebook Offers Political Bias Training In Wake Of Trending Controversy

Slashdot.org - Thu, 23/06/2016 - 9:20 PM
Michael Nunez, reporting for Gizmodo: Facebook is adding political scenarios to its orientation training following concerns, first reported by Gizmodo, that workers were suppressing conservative topics in its Trending news section. Sheryl Sandberg, Facebook's chief operating officer, announced the change during an interview with conservative leader Arthur Brooks, president of the prominent conservative think tank the American Enterprise Institute. Brooks also attended a private meeting between Facebook executives and prominent conservative leaders following the controversy. "We had an ex-contractor on that team who accused us of liberal bias," Sandberg said during the interview. "Frankly, it rang true to some people because there is concern that Silicon Valley companies have a liberal bias. We did a thorough investigation, and we didn't find a liberal bias."


Morten Welinder: Spreadsheet Function Semantics

Planet GNOME - Wed, 22/06/2016 - 4:05 AM

Anyone who has spent time with Excel spreadsheets knows that Excel has a number of really strange behaviours. I am having a look at criteria functions.

Criteria functions come in two flavours: DCOUNT/DSUM/etc and COUNTIF/SUMIF/etc. The former lets you treat a range as a kind of database from which you can filter rows based on whatever criteria you have in mind and then compute some aggregate function on the filtered rows. For example, compute the average of the “Age” column for those records where the “State” column is either Maine or Texas. The COUNTIF group is a much older set of functions that does more or less the same thing, but restricted to a single column. For example, count all positive entries in a range.

In either case, criteria are in play. 12, “>0”, “<=12.5”, “=Oink”, and “Foo*bar” are examples. The quotes here denote strings. This is already messed up. A syntax like “>0” is fine because the value is an integer. It is fine for a string too. However, the syntax is really crazy when the value is a floating-point number, a boolean or a date because now you just introduced a locale dependency for no good reason — mail the spreadsheet to Germany and get different results. Bravo. And for floating-point there is the question of whether precision was lost in turning the number into a string and back.

Excel being Excel there are, of course, special cases. “=” does not mean to look for empty strings. Instead it means to look for blank cells. And strings that can be parsed as numbers, dates, booleans, or whatever are equivalent to searching for such values. These are all just examples of run-of-the-mill Excel weirdness.

The thing that really makes me suspect that Excel designers were under the influence of potent psycho-active substances is that, for no good reason, pattern matching criteria like “foo*bar” mean something different for the two flavours of functions. For the “D” functions it means /^foo.*bar/ in grep terms, whereas for the “if” functions it means /^foo.*bar$/. Was that really necessary?

The thing is that there really is no good alternative to implementing the weird behaviour in any spreadsheet program that has similarly named functions. People have come to rely on the details, and changing the semantics just means 3 or 4 sets of arbitrary rules instead of 2. That is not progress.

I noticed this while writing tests for Gnumeric. We now pass those tests, although I suspect there are more problems waiting there as I extend the test file. I do not know if LibreOffice has the intent of matching Excel with respect to these functions but, for the record, it does not. In fact, it fails in a handful of different ways: anchoring for “D” functions, strictness for DCOUNT, wildcards in general, and the array formula used in my sheet to count failures. (As well as anything having to do with booleans which localc does not support.)
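As an added illustration of the criteria semantics described above (example code written for this page, not Gnumeric's or Excel's implementation), the following builds a predicate from one criterion and makes the one documented difference between the two families explicit: "D" functions match a wildcard pattern as a prefix (/^foo.*bar/), "IF" functions against the whole cell (/^foo.*bar$/). It assumes `?` as the single-character wildcard alongside `*`, treats a bare "=" as "blank cell" and numeric-looking strings as numbers, and leaves booleans and dates out.

```python
import re
from typing import Callable, Optional, Union

Cell = Union[None, int, float, str]

# Comparison operators a criterion string may start with; longest first so that
# "<=" and "<>" are not mistaken for "<" followed by a literal character.
_OPS = ("<=", ">=", "<>", "<", ">", "=")


def _parse_number(text: str) -> Optional[float]:
    """Return the number a cell or criterion string parses to, or None."""
    try:
        return float(text)
    except ValueError:
        return None


def _wildcard_to_regex(pattern: str, anchor_end: bool) -> "re.Pattern[str]":
    """Translate an Excel-style wildcard pattern into a compiled regex.

    '*' matches any run of characters, '?' exactly one, everything else is
    literal.  The match is always anchored at the start; whether it is also
    anchored at the end is the difference between the two function families.
    """
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + ("$" if anchor_end else ""), re.IGNORECASE)


def make_matcher(criterion: Cell, flavour: str = "IF") -> Callable[[Cell], bool]:
    """Build a predicate for one criterion.

    flavour "D"  : DCOUNT/DSUM family, pattern matched as a prefix (/^foo.*bar/)
    flavour "IF" : COUNTIF/SUMIF family, pattern must cover the cell (/^foo.*bar$/)
    """
    if flavour not in ("D", "IF"):
        raise ValueError("flavour must be 'D' or 'IF'")
    anchor_end = flavour == "IF"

    # A bare number as criterion means equality with that number.
    if isinstance(criterion, (int, float)):
        return lambda cell: isinstance(cell, (int, float)) and cell == criterion
    if criterion is None:
        return lambda cell: cell is None

    text = str(criterion)
    op = next((o for o in _OPS if text.startswith(o)), "=")
    value = text[len(op):] if text.startswith(op) else text

    # "=" with nothing after it selects blank cells, not empty strings.
    if op == "=" and value == "":
        return lambda cell: cell is None

    number = _parse_number(value)
    if number is not None:
        # Numeric comparison; cells holding numeric-looking strings take part too.
        def numeric(cell: Cell) -> bool:
            if isinstance(cell, str):
                cell = _parse_number(cell)
            if not isinstance(cell, (int, float)):
                return False
            return {"=": cell == number, "<>": cell != number,
                    "<": cell < number, "<=": cell <= number,
                    ">": cell > number, ">=": cell >= number}[op]
        return numeric

    # Text criteria: (wildcard) equality or its negation; ordering operators on
    # text are outside what this example covers.
    if op not in ("=", "<>"):
        raise ValueError(f"text criterion with operator {op!r} not handled")
    regex = _wildcard_to_regex(value, anchor_end)
    hit = lambda cell: isinstance(cell, str) and regex.match(cell) is not None
    return hit if op == "=" else (lambda cell: not hit(cell))


def count_if(cells, criterion: Cell, flavour: str = "IF") -> int:
    """COUNTIF-style helper: how many cells the criterion selects."""
    match = make_matcher(criterion, flavour)
    return sum(1 for c in cells if match(c))
```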

Matthew Garrett: I've bought some more awful IoT stuff

Planet GNOME - Wed, 22/06/2016 - 1:20 AM
I bought some awful WiFi lightbulbs a few months ago. The short version: they introduced terrible vulnerabilities on your network, they violated the GPL and they were also just bad at being lightbulbs. Since then I've bought some other Internet of Things devices, and since people seem to have a bizarre level of fascination with figuring out just what kind of fractal of poor design choices these things frequently embody, I thought I'd oblige.

Today we're going to be talking about the KanKun SP3, a plug that's been around for a while. The idea here is pretty simple - there's lots of devices that you'd like to be able to turn on and off in a programmatic way, and rather than rewiring them the simplest thing to do is just to insert a control device in between the wall and the device and now you can turn your foot bath on and off from your phone. Most vendors go further and also allow you to program timers and even provide some sort of remote tunneling protocol so you can turn off your lights from the comfort of somebody else's home.

The KanKun has all of these features and a bunch more, although when I say "features" I kind of mean the opposite. I plugged mine in and followed the install instructions. As is pretty typical, this took the form of the plug bringing up its own Wifi access point, the app on the phone connecting to it and sending configuration data, and the plug then using that data to join your network. Except it didn't work. I connected to the plug's network, gave it my SSID and password and waited. Nothing happened. No useful diagnostic data. Eventually I plugged my phone into my laptop and ran adb logcat, and the Android debug logs told me that the app was trying to modify a network that it hadn't created. Apparently this isn't permitted as of Android 6, but the app was handling this denial by just trying again. I deleted the network from the system settings, restarted the app, and this time the app created the network record and could modify it. It still didn't work, but that's because it let me give it a 5GHz network and it only has a 2.4GHz radio, so one reset later and I finally had it online.

The first thing I normally do to one of these things is run nmap with the -O argument, which gives you an indication of what OS it's running. I didn't really need to in this case, because if I just telnetted to port 22 I got a dropbear ssh banner. Googling turned up the root password ("p9z34c") and I was logged into a lightly hacked (and fairly obsolete) OpenWRT environment.

It turns out that there's a whole community of people playing with these plugs, and it's common for people to install CGI scripts on them so they can turn them on and off via an API. At first this sounds somewhat confusing, because if the phone app can control the plug then there clearly is some kind of API, right? Well ha yeah ok that's a great question and oh good lord do things start getting bad quickly at this point.

I'd grabbed the apk for the app and a copy of jadx, an incredibly useful piece of code that's surprisingly good at turning compiled Android apps into something resembling Java source. I dug through that for a while before figuring out that before packets were being sent, they were being handed off to some sort of encryption code. I couldn't find that in the app, but there was a native ARM library shipped with it. Running strings on that showed functions with names matching the calls in the Java code, so that made sense. There were also references to AES, which explained why when I ran tcpdump I only saw bizarre garbage packets.

But what was surprising was that most of these packets were substantially similar. There were a load that were identical other than a 16-byte chunk in the middle. That plus the fact that every payload length was a multiple of 16 bytes strongly indicated that AES was being used in ECB mode. In ECB mode each plaintext is split up into 16-byte chunks and encrypted with the same key. The same plaintext will always result in the same encrypted output. This implied that the packets were substantially similar and that the encryption key was static.
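The ECB fingerprint described above (block-aligned lengths plus packets that are identical except for one 16-byte chunk) can be scored mechanically over a capture. The following is an added example written for this page, not the post's own code nor the community tools it mentions: since the standard library has no AES, it uses a constructed stand-in cipher (a keyed SHA-256 per block, which shares the one property the heuristic relies on, equal plaintext blocks giving equal ciphertext blocks) and constructed plaintexts with a placeholder key, MAC address and message layout, then contrasts the result with a chained mode.

```python
import hashlib
from collections import Counter
from typing import Dict, List

BLOCK = 16  # AES block size in bytes


def ecb_block_stats(packets: List[bytes]) -> Dict[str, int]:
    """Score captured payloads for the fingerprints of a block cipher in ECB mode.

    aligned          1 if every payload length is a multiple of 16, else 0
    repeated_blocks  distinct 16-byte blocks occurring more than once anywhere
                     in the capture (ECB leaks equality of plaintext blocks)
    near_duplicates  pairs of equal-length packets that differ in exactly one
                     16-byte block, the pattern seen in the plug's traffic
    """
    aligned = int(all(len(p) % BLOCK == 0 for p in packets))
    counts: Counter = Counter()
    for p in packets:
        for i in range(0, len(p) - len(p) % BLOCK, BLOCK):
            counts[p[i:i + BLOCK]] += 1
    repeated = sum(1 for c in counts.values() if c > 1)

    near_duplicates = 0
    for a in range(len(packets)):
        for b in range(a + 1, len(packets)):
            pa, pb = packets[a], packets[b]
            if len(pa) != len(pb) or len(pa) % BLOCK:
                continue
            differing = sum(1 for i in range(0, len(pa), BLOCK)
                            if pa[i:i + BLOCK] != pb[i:i + BLOCK])
            if differing == 1:
                near_duplicates += 1
    return {"aligned": aligned, "repeated_blocks": repeated,
            "near_duplicates": near_duplicates}


def looks_like_ecb(packets: List[bytes]) -> bool:
    s = ecb_block_stats(packets)
    return s["aligned"] == 1 and (s["repeated_blocks"] > 0 or s["near_duplicates"] > 0)


def _pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def toy_ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for AES-ECB (NOT AES, not invertible): every block is
    mapped independently and deterministically, so equal plaintext blocks give
    equal ciphertext blocks, which is all the detection heuristic depends on."""
    padded = _pad(plaintext)
    return b"".join(hashlib.sha256(key + padded[i:i + BLOCK]).digest()[:BLOCK]
                    for i in range(0, len(padded), BLOCK))


def toy_chained_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """The same toy primitive with CBC-style chaining and a per-packet IV
    (prepended to the output): the repeated-block fingerprint disappears."""
    padded = _pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], prev))
        prev = hashlib.sha256(key + mixed).digest()[:BLOCK]
        out.append(prev)
    return b"".join(out)


# Constructed sample traffic: a fixed header (direction, target MAC, password)
# followed by a per-packet command, laid out so the command fills exactly one
# block.  Key, MAC and layout are placeholders, not the plug's real values.
KEY = b"placeholder-static-key"
HEADER = b"lan 00:11:22:33:44:55 nopass    "  # exactly 32 bytes = 2 blocks
assert len(HEADER) == 2 * BLOCK
COMMANDS = [b"open", b"close", b"check"]
PLAINTEXTS = [HEADER + c.ljust(BLOCK) for c in COMMANDS]


def capture_ecb() -> List[bytes]:
    """Three commands under the static key: blocks 0, 1 and the padding block repeat."""
    return [toy_ecb_encrypt(KEY, p) for p in PLAINTEXTS]


def capture_chained() -> List[bytes]:
    """Same plaintexts with chaining and distinct IVs: nothing repeats."""
    ivs = [bytes([i]) * BLOCK for i in range(1, len(PLAINTEXTS) + 1)]
    return [toy_chained_encrypt(KEY, p, iv) for p, iv in zip(PLAINTEXTS, ivs)]


if __name__ == "__main__":
    print("ECB-style capture:", ecb_block_stats(capture_ecb()), looks_like_ecb(capture_ecb()))
    print("chained capture:  ", ecb_block_stats(capture_chained()), looks_like_ecb(capture_chained()))
```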

Some more digging showed that someone had figured out the encryption key last year, and that someone else had written some tools to control the plug without needing to modify it. The protocol is basically ascii and consists mostly of the MAC address of the target device, a password and a command. This is then encrypted and sent to the device's IP address. The device then sends a challenge packet containing a random number. The app has to decrypt this, obtain the random number, create a response, encrypt that and send it before the command takes effect. This avoids the most obvious weakness around using ECB - since the same plaintext always encrypts to the same ciphertext, you could just watch encrypted packets go past and replay them to get the same effect, even if you didn't have the encryption key. Using a random number in a challenge forces you to prove that you actually have the key.

At least, it would do if the numbers were actually random. It turns out that the plug is just calling rand(). Further, it turns out that it never calls srand(). This means that the plug will always generate the same sequence of challenges after a reboot, which means you can still carry out replay attacks if you can reboot the plug. Strong work.

But there was still the question of how the remote control works, since the code on github only worked locally. tcpdumping the traffic from the server and trying to decrypt it in the same way as local packets worked fine, and showed that the only difference was that the packet started "wan" rather than "lan". The server decrypts the packet, looks at the MAC address, re-encrypts it and sends it over the tunnel to the plug that registered with that address.

That's not really a great deal of authentication. The protocol permits a password, but the app doesn't insist on it - some quick playing suggests that about 90% of these devices still use the default password. And the devices are all based on the same wifi module, so the MAC addresses are all in the same range. The process of sending status check packets to the server with every MAC address wouldn't take that long and would tell you how many of these devices are out there. If they're using the default password, that's enough to have full control over them.

There's some other failings. The github repo mentioned earlier includes a script that allows arbitrary command execution - the wifi configuration information is passed to the system() command, so leaving a semicolon in the middle of it will result in your own commands being executed. Thankfully this doesn't seem to be true of the daemon that's listening for the remote control packets, which seems to restrict its use of system() to data entirely under its control. But even if you change the default root password, anyone on your local network can get root on the plug. So that's a thing. It also downloads firmware updates over http and doesn't appear to check signatures on them, so there's the potential for MITM attacks on the plug itself. The remote control server is on AWS unless your timezone is GMT+8, in which case it's in China. Sorry, Western Australia.

It's running Linux and includes Busybox and dnsmasq, so plenty of GPLed code. I emailed the manufacturer asking for a copy and got told that they wouldn't give it to me, which is unsurprising but still disappointing.

The use of AES is still somewhat confusing, given the relatively small amount of security it provides. One thing I've wondered is whether it's not actually intended to provide security at all. The remote servers need to accept connections from anywhere and funnel decent amounts of traffic around from phones to switches. If that weren't restricted in any way, competitors would be able to use existing servers rather than setting up their own. Using AES at least provides a minor obstacle that might encourage them to set up their own server.

Overall: the hardware seems fine, the software is shoddy and the security is terrible. If you have one of these, set a strong password. There's no rate-limiting on the server, so a weak password will be broken pretty quickly. It's also infringing my copyright, so I'd recommend against it on that point alone.
