Re: That's nice.
When will people realise that electric racecars just aren't useful outside of a racetrack?
About the same time they realize that race cars in general are not useful outside a racetrack.
2583 publicly visible posts • joined 31 May 2011
The research pair said there was very little advertising networks could do to prevent the attacks.
My first thought when I read this was, "Why not?" It's not as though at least one app store has made a reasonable attempt at controlling their process. This shouldn't be that much different. Ads generate enough revenue to be able to support some in-house vetting. Taking control of the process rather than allowing their customers to have free rein would go a long way toward filtering out the riffraff.
I would expect to see an online dump if it was a hacker going for bragging rights. I would expect it to show up for sale, just as you imply, otherwise. My understanding is that most people who are capable of breaking in and grabbing up this sort of information are more likely to sell it off as they are not necessarily set up to exploit it. It's a tried and true concept: one person performs the theft and then sells the goods.
So they have just failed to protect some of the most sensitive data concerning their customers who pay very real money with the expectation that this company would exercise due diligence in their actions? I would appreciate a statement from the company explaining how it is the victim and not its customers. Obviously, I do not know the details in this or any of the many other similar cases, but given the well known and publicized nature of this threat, it seems reasonable that any such breach should be grounds for a third party or regulatory investigation of negligence.
"The New York Times previously reported how Monsegur worked with the FBI on cyber-attacks against governmental websites in Brazil, Iran, Iraq, Pakistan and Syria."
Do you need a map of the USA to help you work out where those cities are?
I will leave it to you to work out what is inside the US and not.
Oh, God! I just realized that car manufacturers are working to make the joke about Microsoft making cars come true, except someone else will be opening and closing all the windows. It looks as though there will be some security positions opening in the automotive industry soon.
The competition consists of two rounds ...downloading a virtual computer image full of vulnerabilities that could present opportunities for a cyber criminal. The teams have ...to identify and fix these vulnerabilities.
No, changing the OS is not an option (because it is the very first thing I thought of).
Since it does something other than simply report, it is technically an IPS - an intrusion prevention system - though it probably would not produce as much entertainment on your side of the Atlantic and confusion on mine. Ah well, I learned something unexpected today.
Security patches ... are arguably necessary. Extending the scope of the changes to include updates to the Applications is going to produce chaos.
Not applications, the UI is where the problem is. Applications can have security issues too or have additional functionality added without causing much in the way of distress, but if the entire menu system is rearranged (e.g. drop-downs for ribbon) there might be a bit of trouble. Decouple functionality from cosmetics and things will get a lot better for all.
“By digitally imaging the sky for a decade, the LSST will produce a petabyte-scale database enabling new paradigms of knowledge discovery for transformative STEM education. LSST will address the most pressing questions in astronomy and physics, which are driving advances in big data science and computing.”
This is what you get when you run "We will use this telescope for basic science and keep records of what we did," through a manager-speak/buzzword generator several times.
Having worked for both regular and reserves, I can say there is not much difference in the training and expectations for the troops in the different commands. The point about outside experience is more pertinent. Really though, while it has been rightly mentioned that there is a huge difference between defense and offense, what is missing from the discussion is how the military actually functions when it comes to IT. Most of it is handled by contractors who are told what to do and how to do it by someone, often a civilian, who probably is not very technically inclined and has to trust someone else, often someone who works for a competing contracting agency, for information on which a decision can be based. Yes, it makes good headlines to hear about the AR Red Team's victory and I am sure someone got a wonderful dressing down. Will it result in meaningful change (which is really the point of these exercises)? Who knows?
Someone is confused about what constitutes an appropriate and effective punishment. There are many historical examples of amputation being used on thieves. It resulted in many people with missing bits, but no overall reduction in theft. No, in order to do it right, you have to go straight for the most severe punishment. Kill them. Kill them all along with their families and neighbors, then resuscitate as many as possible so they can be killed again. That will show them!
Mine is the one with a copy of Draco's legal code in the pocket.
The big two enhancements that Microsoft is talking up the loudest are an improved Attack Surface Reduction (ASR) tool “... configured to block some modules and plug-ins from being loaded by Internet Explorer while navigating to websites belonging to the Internet Zone”.
The new ASR will “also block the Adobe Flash plug-in from being loaded by Microsoft Word, Excel, and PowerPoint.”
So, they are implementing a limited control on application hooking? It's a good first step, but it would be nice if it were more generalized and configurable... and had better online documentation. Still, it's decent of MS to create a rich environment for third-party security vendors.
The Nigerian 419'ers are moving onto new ways to extract money from you
Yes, but they will continue to target the least educated and tech-savvy. In fact, the way their scams work weeds out anyone with a clue. That is not to say that there aren't many individuals and groups out there willing to take advantage just as you suggest, just that there are different "target audiences" for each kind of scam.
USB firewalls that block certain device classes do not (yet) exist.
Um... actually, they do. There is a McAfee product, Data Loss Prevention that has just that sort of functionality built in. Alas, it is only for Windows devices, but there are likely similar products out there. It is a pain to administer - it has all the hallmarks of an acquired product that was slapped into an existing management console - and is likely to be resented by users as it will keep them from doing what they desperately want to do (infesting the corporate network with malware), but it exists.
Network operators shouldn't shortsightedly kill something because they don't understand it - there are more sensible ways to deal with a threat than panicking and beating it to death.
Welcome to the fun, Catherine, and thanks for the research. Most of what you say makes good sense, though I have one quibble with the above statement: this is exactly how network admins should react to anything on their network they do not understand. They should make every effort to gain the knowledge to make a rational decision, but until that point, not so much. Besides the obvious concern that it, whatever it is, is not under your control, there is also the idea that if you do not understand it, you have no assurance it is configured properly and doing what you want it to. I am not so sure about the panic portion of the equation, but I am sure someone in management can cover that.
You are referring to network IDS. I cannot comment much on those as my experience has been with host-based solutions, but my understanding is that firewalls are fairly static, whereas an IDS or IPS should perform some analysis based on heuristics or signatures similar to an AV product (and yes, I know there are some of my fellow commentards who decry their use). However, you mention firewalls, which the article said could be broken by MPTCP. It is more complex than that, depending on the configuration of the FW to accept it, the implementation of MPTCP, and the FW being used. However, the simple solution, as far as I can tell, is to disable it at the FW if possible. Also, the cited Cisco article includes NATed networks as being affected.
Unless there is a business case for using it, it should be disabled (pretty much true for anything from a security standpoint). If there is a good reason for using it, I'm happy I'm not the person doing the implementation.
Well, this gives you confidentiality (at least in theory) and integrity (with the same caveat). As far as availability goes, how hard would it be to implement a DoS attack against this kind of traffic? Would such an effort affect everyone with a torrent client or would it be possible to target an arbitrary client?
Anonymous internet usage in Russia is surging...
I think the real question governments should ask is not how to stop anonymous internet use, but why it is needed. Soon, there will be slogans around the world echoing the gun rights people here in the States: when anonymous surfing is made illegal, only criminals will surf anonymously.
Additionally, the people writing and approving the contracts are often not those actually involved in them. When it comes to IT, this is especially telling as they are often completely unaware of what the actual requirements of a project should be and are thus unequipped to make a reasonable determination on any bids submitted.
In many cases, while the contract is supposed to be written and reviewed by a panel, they often all report to the same person, which essentially grants that person all the decision-making power. The advice of the panel may be ignored or, if the manager in question is more skillful, steered to the desired outcome.
There is so much waste built into the way our government runs. It is no surprise, though, given how much money is at stake. While most rules put into place around this process were made to minimize government expenditures, money will find a way to overcome.
Unfortunately, with many users having poor password practices, attacks like this are only likely to increase
There are plenty of laws and rules surrounding financial institutions. Why shouldn't sites that work with or gather financial data treat customers in the same manner corporate IT tends to treat users, enforcing password strength, forcing them to change on a regular basis, et cetera? I know this would not be popular among customers, so it would cause many to go to less secure sites as they would be easier to deal with, unless there were some industry-wide requirement to have this in place in order to do business.
There has been plenty of discussion among El Reg readers concerning passwords and their use, so I am sure that someone will point out the error of my ways, but I would like just once to see government get ahead of a real problem instead of being completely reactive or, worse and more typical, manufacturing the crisis themselves.
As most Reg readers will know, fibre-optic cables work by bouncing a light beam along a wire without losing focus or intensity, allowing information to be transmitted along huge distances at massive speeds.
So, roughly the speed of light in that medium? Fast enough for the data to acquire mass? Sorry, I am caffeine deficient this morning.
The "WD" in WD-40 stands for "water displacement," so to rephrase: With duct tape* and Water Displacement 40. Using Google Translate (with apologies), it yields this:
Ductum lineam, et cum Praesentibus Aquam XL
Going back the other direction gives us this mess: Drawing the line, and with the presence of water, 40. Clearly this needs work that I'm not up for... er... for which I am not up.
* Duck Tape is a brand name.
P.S. Proof of concept: Stock market pump-and-dump spam has almost entirely stopped. The stock exchanges acted to block the profits, and the spammers gave up moved on to greener pastures.
Fixed that for you. The problem is that there are so many suckers. Still good points - Have an up-vote.
So this is another "stuff bought second hand not wiped" news story?
Yes, in as much as there was data on it that might be valuable in and of itself (e.g. account details). However, the researcher was able to learn enough about the second hand box to be able to hack systems that are still in production, assuming they are still set up the same as the terminal he purchased. Knowing that the owner doesn't change the default password or that the password can be recovered from the discarded machine and is likely to be the same on systems still in use can be pure gold (literally). Finally, "Oh's findings suggest the retailer had a poor security policy that went beyond anything particular to the terminal he bought on eBay."
I would like to know which retailer this is so I can avoid walking through its doors.
"I worry about the accuracy of their research if they think there's as many as a billion blades of grass on a football field."
Turns out this is a mathematics project/thing currently used to teach kids how to estimate. There are a number of examples posted online. This one gave the result as "about 63,350,000." A bunch of 5th graders could have told them better.
A sysadmin really should check that every patch works and doesn't break critical services/applications before deploying.
I could not agree more and yet the people who get pissy if the "critical services/applications" aren't working are typically the same bunch who will not fork over the cash to set up development or test environments. I have had to work in several large network environments in which we had to "test in production," which basically means that we target a subset of the overall production environment and see what happens next before proceeding with the rest.
To play Devil's Advocate a bit:
I love the way I can log on from any device and just carry on without thinking about what device I'm using...
I don't, at least in as much as it is the default and automated (passwords stored on device). I also have an issue with the fact that others on my home network share access to some data. I know Google searches performed on one device show up in the cache for others regardless of the accounts being used. I don't know what other data leaks may show up, but this should be enough to raise concerns.
...he has no issues anymore with Malware, Viruses and toolbar hijackers.
It might not have any now, but I find it hard to give credence to the claim that there will be no malware, especially given the relatively small amount of time between Android gaining popularity and malware being developed for it. Chrome has relatively few users right now, so it is not a worthwhile target. This will change as soon as someone thinks a profit can be made from it, so pretty soon. This also discounts targeting by government sponsored groups.
Google do not sell your personal data, they use your data to place more appropriate adverts.
Essentially, they do not sell the data, but have set themselves up as a proxy. It's more profitable if they simply rent it. On the other hand, they gather as much data as they possibly can, making them a very tempting target for governments and black hats alike. This sort of data gathering is baked into all of their products, as far as I know.
My C720 is the best computer I've ever had. And the cheapest.
I cannot argue with your personal experience, though I would stipulate there are cheaper machines and better machines out there, though perhaps not in the same package. As far as better value for money, beware getting exactly what you pay for. Manufacturers will sell at a loss if they think they will make up the difference and then some later down the road. It is why printer ink cartridges are ridiculously expensive, for example. Google seems to have a good idea of how to make money, so I would not expect them to do otherwise with these machines. The question is more one of how they do so.
It's only funny if it's not damn obvious.