HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mthomasmw

no profile record

comments

mthomasmw
·geçen yıl·discuss
citation?
mthomasmw
·2 yıl önce·discuss
1995. It was NIST. https://www.nist.gov/nist-and-nobel/eric-cornell/nobel-momen...
mthomasmw
·2 yıl önce·discuss
Support is now upstream
mthomasmw
·3 yıl önce·discuss
Is there a list of "kill switches encoded in law autos can't make" somewhere?

I know the vehicle data recorder, and I've heard that LTE radios have to report occupancy, though I can't find a requirement that cars need an LTE radio.

There's rumors cars will be mandated to support remote deactivation, but the story is unclear: https://www.usatoday.com/story/news/factcheck/2023/01/19/fac...

relevant: https://consumerwatchdog.org/sites/default/files/2019-07/KIL...
mthomasmw
·3 yıl önce·discuss
https://twin-cities.umn.edu/news-events/do-images-brain-make...
mthomasmw
·3 yıl önce·discuss
Our forever limited supply of helium, the most vital non-renewable resource on Earth, the only supply the human race will ever have.

https://www.npr.org/2019/11/01/775554343/the-world-is-consta...
mthomasmw
·3 yıl önce·discuss
It's completely possible to build an EV that isn't connected. The idea that electric power means networked spying is an invented fiction. Due to the privacy-conscious background of one automaker, a vote by the board mandated that all their cars be able to function in a completely disconnected, non-reporting mode:

https://www.wsj.com/articles/porsche-rolls-out-board-approve...

And they all do, even their EV. I voted with my wallet.
mthomasmw
·3 yıl önce·discuss
You've misunderstood the situation completely. The first job of a persistent attacker is to gain acceess. The second job of a persistent attacker is to pivot that access from illegitimate to legitimate, so that by the time their TTPs become IOCs, log rotation has wiped that illegitimate access from the books and all their access looks legitimate.

What we have here is a way for an attacker using shady means (email-delivered 0day, parking lot thumbdrive, browser drive-by compromise) to take over a computer and then drop a signed package that will allow for remote control over time that looks completely legitimate. To a network IDS, that access will look like an authorized cloud tunnel, completely normal. To a file scanner, it will look like an vendor-signed binary, the gold standard. To the complete defense-in-depth stack, the entire c2 chain is cloaked in legitimacy. If you get a single detection at all for the initial compromise (not possible with 0day), the entire rest of the kill chain looks like legitimate access and vanishes.

It's a nightmare for defense in depth and hunt teams.
mthomasmw
·3 yıl önce·discuss
Do you have a link handy for "we don't know how bikes work" ?
mthomasmw
·3 yıl önce·discuss
Without working in the industry, how could someone vet for the internal cybersecurity of an upcoming car purchase? None of these security features seem to be publicly documented anywhere. I have spent a long time looking.
mthomasmw
·3 yıl önce·discuss
Agree. Would be interested if horizontal rows. Still happy with my kinesis which I never look at.
mthomasmw
·3 yıl önce·discuss
Make me a hammer that only works on nails
mthomasmw
·4 yıl önce·discuss
'Currently the tech can create one hour's worth of power "from just 20 minutes of English or Swedish summer sunshine".'
mthomasmw
·4 yıl önce·discuss
You left out that he built the security program at Stripe.