Woz Cites “Scary” Prius Acceleration Software Problem

slashdot.org: Woz Cites “Scary” Prius Acceleration Software Problem

Speaking at Discovery Forum 2010, Apple co-founder Steve Wozniak went off topic and spoke about a ‘very scary’ problem with his 2010 Toyota Prius. ‘I don’t get upset and teed off at things in life, except computers that don’t work right,’ said Woz, who went on to explain he’d been trying to get through to Toyota and the National Highway Transportation Safety Administration for three months, but could not get anyone to explore an alleged software-related acceleration problem. ‘I have a new model that didn’t get recalled,’ Steve said. ‘This new model has an accelerator that goes wild but only under certain conditions of cruise control. And I can repeat it over and over and over again — safely.’

Oh my, when things go wrong, they really go wrong. If Toyota's mechanical "patch" turns out not to be the right fix, a second recall for a software "patch" would really be the cherry on the sundae. And today it's the Prius making headlines with a potential brake pedal problem, even though it was not part of the initial recall. Wow, when things go wrong…

Let's just say it takes away some of the appeal of considering a Toyota, despite their past reliability.

Was Newsday’s Charging for Website Access a Good Idea? A Whopping 35 People Thought So!

dvorak.org: Was Newsday’s Charging for Website Access a Good Idea? A Whopping 35 People Thought So!

So, three months later, how many people have signed up to pay $5 a week, or $260 a year, to get unfettered access to newsday.com?

The answer: 35 people. As in fewer than three dozen. As in a decent-sized elementary-school class.

Break that contract, expect jolt of financial pain

thestar.com: Break that contract, expect jolt of financial pain

Good article on the fees for breaking certain contracts. Here are a few of the situations it illustrates:

Natasha and Brian sold their home halfway through a seven-year term, only to be charged a $46,000 penalty on their $530,000 mortgage with a major bank.

Colin Lewis, a retiree, found TD Canada Trust charging $150 to transfer three RRSPs to a dealer that offered a better interest rate.

“We felt sick after receiving a bill for $1,300-plus in cancellation fees for gas and hydro,” says first-time homeowner Greg Bago, who agreed to a deal with Summitt Energy (and was released without penalty when the Star intervened).

Disable JavaScript in Acrobat

grc.com: Security Now! Transcript of Episode #231: Mega Security Update & CES Observations

Steve: The one thing I would reiterate saying, and I imagine people have probably already done this if they’re going to, but I have to say it again, is disable JavaScript in Acrobat, that is, in the Acrobat Reader. There just is no need for scripting. I mean, we understand there’s a need for scripting on web pages because it’s being actively used by more and more websites, with it being a mixed blessing. But there’s just no need for scripting in a PDF document.

By the way, I have just installed a new version of Acrobat… and it turned JavaScript back "on". 🙁

Also interesting in this episode (obviously also available as audio):

Steve: And the Verbatim Corporate Secure FIPS Edition. Now, FIPS is the National Institute of Standards and Technology, NIST. That’s its federal security rating system. These devices have all received the FIPS 140-2 Level 2 certificate which validates devices as being secure for use with sensitive government data. And…

Leo: That’s pretty good. I’d take…

Steve: …they are completely hackable.

Leo: Oops.

Steve: They’ve got hardware AES-256 encryption in the key. So they’re not inexpensive. But get a load of this, Leo. You use some software that comes with a key, which of course prompts you for your password. You put your password in. And it does some mumbo jumbo with your password, whatever it is it does. But every single one of them, no matter what your password was, sends the same key string into the AES-256 cipher engine.

Leo: You’d think something at FIPS, at NIST, might have noticed.

Steve: Uh, yes. In fact, embarrassed by this, NIST has said that they will be considering whether they should make changes to their validation process because the USB drives in question met all their criteria.

Leo: Oh, boy.

Steve: So once again, so it’s true that if, as a user, you did not put the right passphrase in, the software would say, oh, sorry, that’s the wrong passphrase. But a security company reverse-engineered the software, wondering what was going on inside. And what they discovered was that there was a fixed key.

Steve: Well, yeah. And what boggles my mind is, again, our listeners understand this. You take and hash the passphrase with a secure hash, and that’s what you use as the key. This is not hard. I mean, that’s all there is to it. In which case the key would be derived from the passphrase through a secure hash and, bang, you’ve got it. I mean, sure, you want to put minimum security requirements on the length of the passphrase and all those things, and it wants to be nonguessable because it would be prone to a brute-force attack, blah blah blah, all the things we know about. But the idea that the passphrase isn’t being used to generate the key, but that the key is fixed, that’s just, I mean, actually it’s a really good lesson because it demonstrates that just saying AES-256 means nothing.
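As an added illustration (not code from the podcast, Verbatim, or any vendor; standard library only, so an HMAC-based keystream stands in for the AES-256 engine, and every key, salt and sample is constructed): a toy model of the two designs Steve contrasts, a fixed key beside a passphrase-derived one, with the check a reviewer would run to confirm the key actually depends on the passphrase.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key hard-coded in firmware; the real value is unknown and irrelevant here.
FIXED_KEY = bytes.fromhex("00" * 32)

def flawed_kdf(passphrase: str, salt: bytes) -> bytes:
    """Flawed design: the software checks the passphrase somewhere, but the cipher key never depends on it."""
    return FIXED_KEY

def proper_kdf(passphrase: str, salt: bytes) -> bytes:
    """Correct design: derive the key from the passphrase with a salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the AES-256 engine: counter-mode keystream built from HMAC-SHA256 (stdlib only, not AES)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(kdf, passphrase: str, plaintext: bytes) -> dict:
    """Encrypt and authenticate under whatever key the chosen kdf produces."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = kdf(passphrase, salt)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # a wrong key yields a wrong tag
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_(kdf, passphrase: str, blob: dict):
    """Return the plaintext, or None when the key derived from this passphrase fails to authenticate."""
    key = kdf(passphrase, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(blob["tag"], expected):
        return None
    return _keystream_xor(key, blob["nonce"], blob["ct"])

def key_depends_on_passphrase(kdf) -> bool:
    """Design check a reviewer can run: two passphrases under one salt must not yield the same key."""
    salt = b"constructed-salt"  # constructed sample
    return kdf("correct horse", salt) != kdf("battery staple", salt)

if __name__ == "__main__":
    data = b"sensitive government data"  # constructed sample
    for name, kdf in (("flawed", flawed_kdf), ("proper", proper_kdf)):
        blob = seal(kdf, "my passphrase", data)
        print(name, "| key depends on passphrase:", key_depends_on_passphrase(kdf),
              "| other passphrase still opens it:", open_(kdf, "anything else", blob) == data)
```

With the flawed scheme the passphrase check is the only gate, so anything sealed under it opens with any passphrase once that gate is bypassed; with the derived key, a wrong passphrase simply fails to authenticate.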