Re: IoT crazy
Why the hell would I want remote control access for my fridge?
Because of the "Bring Me Beer" button!
2583 publicly visible posts • joined 31 May 2011
The hint would be that the default is to gather everything it can and send it on home (Passwords? Really??) I am most interested to see how businesses and government agencies deal with this particular bit of data-gathering. Oh, wait... that's exactly what is going on here.
"The iceberg is an estimated 12.5 square kilometers 0.6 milliWales across and has a depth of around 1400 meters 10 brontosauruses, meaning a volume of 17.5 cubic kilometers just under a staggering 7 million Olympic-sized swimming pools. That would equate to enough ice to bury the entire island of Manhattan Wales under 300 metres of frozen water a light dusting of snow."
FTFY! I know it's a bit of fun, but if you are going to compare an area with a presumably well known body of land, why not stick with established precedent and use Wales? Besides, when measuring things in terms of Manhattans, you should also use miles, yards and feet as Americans are notoriously resistant to the use of metric measurements. One of the most important reasons to read The Register is that it is fun to read, at least for me. I can get most of the content elsewhere. It is the quality of the writing that keeps me coming back.
...users were unable to remove the Online Now instant messaging feature...
The appropriate response would have been to uninstall the application (coincidentally removing the Online Now feature), to block access to the Yammer site at the FW, and to sanction anyone who reinstalled the stuff. The CIO should have a really good idea as to what is permitted on their systems. He should have been thrown under the proverbial bus, not sideswiped.
Before he touched ANYTHING, he should have made 100% certain he had a way to go back to the previous state if he broke something.
I think a step back from that would have been more to the point. This was touched on above, but first he should have made sure of the state things were in. Second, he should have come up with several possible courses of action. Third, he should have consulted with management and obtained informed consent before proceeding on to taking any sort of action. Management should have to accept the risk of making changes, especially of this scope and nature. Allowing them to bury their heads and later deny everything when it all goes wrong is never a good strategy. Ultimately, management is responsible and it is a good idea to keep that in mind.
I've cleaned up plenty of messes (both my own and those of others). I have found it to be useful to let those above me know just how bad things really are, especially as it makes me look that much better after it's all sorted. On the other hand, having documented that the boss signed off on something and it turned out badly because of the decisions someone else made rather than something I did has proven helpful on occasion, too.
I would argue that not enough people being trained in security is a major problem. I don't mean security professionals. I mean every user in the company environment ought to have at least a basic amount of training as to how they are supposed to behave and why and that it should be an integral part of corporate IT culture. In fact, while Trevor might lump this in with his Prevention category, I would argue that it is important enough to rate its own entry. When I evaluate a corporate IT product, I look at what training the company selling the product offers. Why would information security products be different in that regard?
Burn the hydrogen in a slightly tweaked, bog standard combustion engine and avoid the rather excessive cell tax completely.
No! Jet engines all the way! Who has seen the classic 60s Batmobile and not had the visceral longing to own one of those? If widespread use caught on, we would eliminate any problem with tailgating. Also, development of this technology should lead to flying cars, so it must happen. Hydrogen jet powered cars for everyone!1
The keys are in my pocket.
1 It is election season here in the US so I am running a test of my stump speech with this. Vote now. Vote often. Vote for me.
For a bank, risk/security is very much a field in its own...
Contrast this with retail where the main thrust of "security" is to reduce shrinkage (vanishing inventory). I caught the facility security manager installing malware infested freeware on her computer on a regular basis. I could not get her to understand that her machine was connected to every other one on the network, including and especially those the company used to generate profits.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
"A simple fix for this is to not allow browsers to run under admin accounts by default. Disabling other common attack vectors in a similar manner (e.g. email clients) will result in increased security on systems. In general, it is a good idea to not do non-administrative tasks using an admin account."
- Captain Obvious (attrib.)
The drone runs on Busybox which has had a few vulnerabilities and has been targeted in the past. You could indeed create a squad of possessed killer parrots!
...in case it's not obvious, the box to tick here is "Laws specifically prevent it"...
This points the way to the solution. If a politician or a sufficient number of a politician's top donors are made to realize that their servers are infected with something like this, the politician will Do Something1. This will take the form of passing legislation which we all know will fix everything. In this particular case, it might remove the impediment to two wrongs in fact making a right or perhaps fund a new agency which is authorized to cleanse this blight from the world2.
1 This is the dodgy part as it involves getting politicians to deal with something technical and have that lead to a reasonable and useful outcome.
2 Yes, the entire world, because there are no borders among the interwebs!
After all; what else is ever going to tempt Android users into even trying a Windows phone?
I just upgraded to a Nexus. While doing a comparison of the various phones my service provider offered, I realized mine only offered a token Windows Phone choice and definitely not the latest and greatest. Many, probably most, people don't look beyond what their service providers offer as part of a bundled plan when shopping for a new phone, so I think "doing a better job working with the vendors" might be part of the answer to your question.
Getting patches applied to vulnerable systems may however take some time due to the fragmented nature of the Android ecosystem as well as the lack of an efficient patch delivery mechanism, at least outside of Google's home-grown Nexus devices.
Exactly why I got a Nexus. I liked the old phone, but my carrier was never going to update it. So now I get security updates a bit slowly, but it's a vast improvement on never, right?
Couldn't that also mean that an impactor caused locally available amino acids to fuse into said peptides?
So it's an experiment that failed to disprove a hypothesis, added to the body of available knowledge, and raised more questions as well? Sounds like science. Carry on.
[Adobe] was served a ... class action lawsuit ...in which it is claimed "shoddy" security practices led to the breach.
Just like shooting fish in a barrel, throwing that sueball at Adobe. Perhaps customers can litigate bad software out of existence. Probably not, but I am sure there are some lawyers out there willing to give it a try.
Not to be outdone, the Russians also have been caught out on social media. Security training is not something that can be done once and then left at that. It requires ongoing efforts and many, many reminders. And even after all of that, there will still be some twit who will allow unaccompanied "tech support" into the server room after giving that unauthorized individual an admin credentialed account and password.
Why? Because the current "Death Star" motif doesn't get the idea across?
...one idea that would also help a bit is a massive mountain-side rail-gun style to allow a proportion of the launch momentum to be delivered from ground-based power.
There are a number of possibilities that have been explored in this regard such as firing a laser at the bottom of the craft to superheat the air beneath it. That's pretty nifty, but my favorite is the space gun which would be capable of literally firing objects into space (much as the name implies). The US Navy has a railgun project that is coming close to being able to do this with small objects, but these are meant to come back down. Still, if the research put into that could be further developed to launch things with a reasonable amount of acceleration (without turning people into paste), we might have a winner.
For purposes of comparison, escape velocity is about 11.2 kps (81 bnps) and the USN railgun will fire projectiles at about 2.5-3.5 kps (18-25 bnps) while the fastest bullet train taps out at around .17 kps (1.2 bnps).
Yes, the lawnbot has blades, but the snowbot could throw shit 10 or more meters.
If it is throwing the snow, it isn't properly equipped. If it came in an updated laser-wielding model, I would lay down some cash for that.
Honestly, if you think a cobbled together media player is somehow a replacement for QuickTime then you simply don't know what QuickTime is.
Let's do a quick side-by-side comparison: QuickTime (OK, you'll have to dig through the linked user manual to get much in the way of specifics, but it's an iProgram, so it's really about the way it makes you feel any way) vs VLC. Yes, there are a few differences, but I'm hardly persuaded that I should drop VLC and join the Cult of Apple on this one.
Troll icon because you really should have.
Pretty much the same went on when OS/2 went past end-of-life. Banks were responsible in large part for keeping it alive on life support long after IBM wanted to pull the plug. The usual excuse is that they are risk-averse, but to be honest it's more a case of having a huge amount of changes to be made without having the proper resources devoted to the issue. I would look to see them keep Server 2003 alive for another few years and for there to be licensed third party support after (again, as with OS/2). Windows XP is still being supported (MS is still rolling out patches to paying customers) and its official end of life was April 8, 2014. My best guess is that Server 2003 will finally die become undead around 2020.
However, if this modular system is extended to tablet screens, keyboards and more, the possibilities become more interesting.
This! Yes, this! I am sure there were plenty of people who took a look at the Raspberry Pi when it first came out and just didn't get it. The 5 millionth RPi was sold back in February of this year. This will be a niche product by its very nature, but it will give plenty of bright souls a playground in which to enjoy themselves, to create new gadgets, and to find novel solutions to existing problems. I say good luck and please don't stop.
We used a garlic bread (with chunks of garlic in it) and initial tasting before setting it aside to chill indicates this will be tasty and hit the spot.
I am not normally a fan of unadorned tomatoes for flavor, but I am going to give this a go. The garlic bread idea looks sound, but I prefer to test the base recipe first and then tweak to fit my tastes. Another possible addition is some fresh basil. Good thing I have some on hand. Perhaps a side-by-side will be in order...
One basic consideration when comparing historical data is: are you comparing apples to apples? What instruments were used then compared to now? Do they reliably measure the same thing? Are measurements taken with the same frequency? Are there any other areas in which inconsistencies might skew the data and introduce an artifact? I believe that in the case with the NOAA update many of the differences were down to measurements by ships in the older data versus measurements by buoys in newer data. More details can be found here. It wouldn't surprise me at all if there were some similar issues with this data set.
"We have included a symphony, titled Alternative Energy, by composer Mason Bates below."
And is this the composer with whom the Santa Fe Opera (not the Sante Fe Opera, I believe) commissioned this work or was that just thrown in for additional entertainment value? Editor? A little help here, please.
Good choice of banner image, though.
I think it is wonderful that the space station dwellers get fresh salad. I would have thought that either sprouts of some sort or an aquatic species (perhaps duckweed or watercress) would have been an easier starting point, but we certainly cannot accuse anyone up there of aiming low!
Assuming this drug works as intended, it will need to be a lifetime therapy in order to be successful. Nicotine addiction, like many other forms of addiction, is both physiological and psychological in nature. Stop smoking cold turkey and you feel like crap for a couple of weeks but you will be through the physiological side of quitting after that. The real problem is that smoking is a behavior. It can be displaced by another behavior, but once it is acquired, it will be on the menu for the rest of the addict's life. The joke is that millions of people have quit smoking millions of times and there's the rub: if you put the addict back in the same set of circumstances that were previously associated with smoking, the odds are extremely good that it will happen again.
This potential drug will therefore only be useful in preventing relapse in as much as it prevents the addict from ever experiencing the rewarding sensations given through smoking. In order for that to work, it will always need to be in the person's system.
While I am not saying this would not be worthwhile for people who are affected by this horrible addiction, I can definitely see that it would be worthwhile from the perspective of drug companies as it would give them a nice steady revenue stream.
So how do they deal with other forms of crime involving digital assets? Most money transfers these days do not involve physical assets. Likewise with high frequency trading in various stock markets. Under this ruling, if I hacked into the Nikkei or a local bank and skimmed some virtual assets, it wouldn't be theft, would it? This sounds like the quote was taken out of context given that these sorts of things would presumably already be covered under Japanese law. Perhaps these actions are better covered as fraud. Of course, it is also possible that this ruling might be overturned on appeal.
...what does that say about the mantis shrimp?
So I have to actively download it, click on it to install it and then type in my password for it to work...
Yeah, makes me feel safe, too, especially as otherwise reputable software has never been hijacked or forcibly re-purposed by an outside entity. It's a flaw that can be exploited. It should be fixed on all affected machines. Claiming that it is too hard to patch or that it is not that dangerous only makes me question the agenda of the person making the statement as they obviously don't have my best interests at heart.
Government logic... yes, we gave you the password and it's one of those areas you manage... but you aren't supposed to look at anything.
I am not so sure about that. Those who have access to re-enable the ability to write to disk should not also have access to the documents of the nature Mr Glenn was attempting to steal. In environments such as this, administrative duties are supposed to be split between individuals and groups to prevent exactly this sort of thing.
It's turtles all the way down!*
*You will have to click through to get the joke.**
**No, I won't ruin it by explaining it.
why on earth would I want to let the backwards, process driven clods in IT tell me what I can run, or have any access to my system for that matter?
Depending on where you work, the answer might simply be "Because it's not your machine and violation of the acceptable use policy will have you run out the door." In your mind you might be the greatest sysadmin ever, but if you work in a corporate environment you share the risk of any problem you introduce with everyone around you and vice versa. Assuming you in fact are as great as your ego would have us believe, it is unlikely that all of your coworkers are of similar stature, but those "process driven clods in IT" would be forced to let even the janitors do whatever they wanted in as much as you are allowed. That is typically the way corporate policy works, after all.
As far as you personally are concerned, are you maintaining your machine and software on your own time or are you charging your employers for it when you are supposed to be doing something else while they are paying an IT group to handle system administration? Sounds like the wild west to me, partner. Yipee-yo-ki-yay... you can fill in the rest.
Trouble is, as outsiders we don't have enough insight...
On the contrary, I feel comfortable judging by results. I have a rather nice situation in that I am paid in part to patch Flash at work while enjoying a considerably greater amount of security by doing without on my personal machines.
"I couldn't help wondering if this technique could be contrived so as to convince the bacon to cook itself. Fantasy, I know, but a man can dream."
That's called "a wife". Google it sometime :-)
Your wife is made of bacon?!? And she cooks herself? How awesome is that?
Mine's the one with pork laser totin' shark infested pockets.
The next release is going to be a "warewolf."
"Wily Werewolf" which is just a shade better than "Werewolf's Willy" but nowhere near as cool as "Wascally Wabbit."
As use of this technique does not a virus make, it might better be labeled as a PUP. Still, you would think that people in the anti-malware market would at least think to warn their customers about high network data usage, especially if the app was not active. This would seem like a simple catch for heuristic analysis, but my guess is that the folks in the anti-malware business are still writing for desktops and have yet to get their heads around the implications of mobile devices.
Security experts may be able to remember a couple dozen different passwords, and claim that's a good security practice, but it is impractical for the average person.
Perhaps that's why password managers are on the list, too, which for personal use is not such a bad idea. I have yet to work anywhere that provided or approved of a password manager for professional use, though.
I would love to see an expanded list of "expert recommended tools," because the top five is certainly not enough. There's nothing on there about mobile apps, which are the de facto way most people interact with the internet these days rather than a browser on their home PC. Also, the recommendation I would make more than the use of any of these is customer/user education. The fact that there is such a big misalignment in professional and lay opinions indicates where efforts in the security community ought to be focused.