Definitely well worth a read :)
1083 posts • joined 23 Oct 2007
Feckin hell, I had to double check that wasn't on The Onion.
That's a pretty big leap in utility from a system sold as being used for detecting terrorists. Can't say I'm surprised to see Council Tax listed as one of the things they'll stop you leaving the country for, given they already charge you council tax for the period that you're in prison for failing to pay said council tax....
It only looks like https at a casual glance, and even then that's dependent on what's traversing the tunnel (we're of course talking volume).
It's certainly more expensive to block (as you'd need to do some analysis), but it's certainly doable.
Re: "In no way am I suggesting that INgrooves is an evil bunch of bastards"
The DMCA can be particularly harsh when a copyright holder crosses the line, however, that's only IF the copyright holder manages to do the one thing that the DMCA provides punishment for - KNOWINGLY filing a notice for which you are not the copyright holder (or authorised on behalf of).
In other words, if a company files a shitload of correct ones and accidentally includes half-a-shitload of incorrect ones, they're safe. They have to have known they didn't have the rights, and proceeded anyway for there to be any chance of them getting slapped.
So when a company accidentally gets Github projects unlisted from Google, or 'accidentally' monetizes someones videos, that's apparently fine as they didn't deliberately set out to file a notice against something they had no claim to.
The cynic in me wonders whether this is part of the reason they use bots. Bots are great for dealing with the huge amount of content which may need reviewing, but are also a way to avoid having a human review the notice before it's sent - anything wrongfully submitted is accidental, so you don't get raped by the DMCA's counter provisions
Re: How bad is Torvalds?
Regular people may prefer to spend money on Windows, but from what I hear, Fox News is also quite popular in the US.
Popularity is a terrible measure of quality.
Although, I've personally never understood why some people were so bothered about Desktop dominance. As long as I can run what I choose, frankly you're free to run MSDOS if that's what you prefer.
Yup, it's the first time that I've felt both that an article is worth sharing, but also that the headline is so unrelated and clickbaity that I've had to edit it before hitting 'Tweet'.
Especially given that the reference to porn in the article refers to Child Porn, which isn't exactly what I think of if someone mentions exotic porn......
Do a 'safe' test run first
ssh root@someonelesesbox "rm -rf $DIRECTORY"
The best advice, really, is to always carefully think about what you're actually running (not what you think you're running), though mistakes can happen.
Re: Hmmmn, I've found linux in a right state...
I've found Gentoo has stayed reasonably stable in that respect over the years, and Slack always deserves a mention for that too.
Mind you, I'm reasonably easily pleased, as long as there's a terminal and browser I can do most of what I need to do (and enjoy doing).
Do have a Kubuntu install (for Wifey) and will admit I've been getting increasingly frustrated within it with each 'upgrade'.
Re: Lee D Laptop/convertible+smart phone
Canonical also nominally provide support (through Ubuntu Advantage) though I've not heard much about it, and what I have had hasn't been entirely endearing.
Re: The agency is no longer collecting bulk telephony metadata from US service providers.
I suspect the last quote may have been stripped too
It has not been active nor searchable since September 2013, and all of the information has been deleted... from our servers.
Suspect there's likely a 'backup' elsewhere, even if only to allow comparison against the NSA's database.
Got beaten to it...
..on Twitter of all places, but this seems appropriate given the breathless reporting elsewhere - http://xkcd.com/932/
Firstly you'll note wordpress is the actual issue here (as described) - if you want to be worried about something be worried about the insecurity of your actual app. What happened there might not be relevant to your problems (it's extremely likely it isn't)
Does seem odd doesn't it? The attacker has managed to execute arbitrary code in order to retrieve some other arbitrary code and execute it and the solution is block pastebin?
There may be some logic to blocking it if you've absolutely no need for it - as it's (apparently) currently being commonly used as a low tech C&C you do at least block that route, but if enough people do block pastebin its use as a C&C will drop and the blocking becomes worthless.
I promise that wasn't there when I posted earlier - or at least I'm pretty certain it wasn't...........
The judge has now explained in detail why she comprehensively smacked down the requests, and in doing so has provided a hugely detailed outline of the evidence the Feds hope will put Ulbricht behind bars.
And yet the article doesn't even drop a hint of what the reasons were... Given the title is that his defence is essentially sunk, some additional info might have been nice - sure I can click the link and read the ruling, but I thought the whole point was El Reg wanted to keep our eyes on theregister.co.uk (and by extension, the ads).
Re: HEAR HEAR!!!
Due to the last two points, I would suspect they have next to no legal value. Pretty sure for a legal document to stand, the person has to see it and agree to it first before it becomes binding.
Yup, pretty much. As it accompanies the email it has no power over you whatsoever, the sender opted to send you that information (quite possibly without having ever communicated with you beforehand) and therefore you've not been able to negotiate terms/agree a consideration etc.
Although they're often written to look like a contract, no legal contract has been created, so they serve to do nothing but make those who don't know any better feel warm and fuzzy.
would be allowing budget surpluses in government departments to be retained for the next year without having next year's budget slashed, eliminating the annual glut of wasteful spending that so often occurs.
It's a nice idea, but it'd take years to take effect. If they brought it in, no department would trust that it wasn't just a temporary thing, and so would still spunk the cash in case failing to do so might lead to budgets being cut a few years down the line instead (as a result of a change in Government, policies whatever).
Thanks for your opinion, but most of the rest of the world is outside the EU and it's not dangerous for them.
I don't know exactly what the OP meant, but my interpretation was that it's dangerous because UKIP seem to have no clue on a wide range of issues. Their strong focus on key areas, within a (relatively) small party, comes at the cost of some other (potentially more important) issues.
Personally, I'd hate to see UKIP get into power. I had hoped their surge in popularity might make Cameron and chums rethink a few things, but aside from small hat tips, that doesn't seem to have happened.
Bang on the mark, in fact there are (at least) two different sets of API keys in his commit history, spread across 4 different commits.
Note - are, not were - it's all still there. So the bot had much more than a 5 minute window to purloin them.
Re: What about pre-payment?
To be fair, if you're that determined to 'Pre-Pay' your Amazon account, it's fairly straight forward.
Buy £50 of Amazon gift cards
Apply them to your account
Don't register a card against the account
Whenever your bill comes out they'll subtract from the credit, though you can probably expect some shitty emails if you do go over.
Re: What about pre-payment?
Yup hadn't purged them fully (though he's now revoked) - https://github.com/andhof-mt/shriek/commit/799a62ed075954eac673322b9f69963ad815c4d0
Looking at his post, I'm not sure they were just S3 keys, though it's hard to say for sure. Certainly can't find any reference (based on a _very_ quick google) to being able to fire up EC2 instances through the S3 API - though if it is true, that's some spectacularly bad design by Amazon.
But yes, either way, they definitely had too many privileges. Mind you, if you look at the average S3 tutorial online, the various authors all seem to think that creating limited privileges in IAM is too complex and skip over it.
Re: What about pre-payment?
Aside from the obvious issue of storing credentials securely
And, as appears to be relevant here - actually bothering to set up non-privileged keys. If they were spinning up EC2 instances (and the dev seems surprised by it) then either he was using a key with permission to do so (i.e. it's been configured in IAM) or more likely was using his root keys, granting the attacker unlimited access.
Wonder whether he remembered to purge the keys from his commit history, a 5 minute window is pretty short...
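Added example, mine rather than the developer's or Amazon's code, covering the two points raised in the posts above: why a key carrying a bucket-scoped IAM policy can't spin up EC2 while a root-equivalent key can, and why a key 'removed' in a later commit is still sitting in the history until you rewrite it or revoke it. The policies, the `git log -p` excerpt and the key ID are all constructed; the evaluator is deliberately simplified (no Conditions, NotAction/NotResource, resource policies or SCPs).

```python
import fnmatch
import re

# Constructed policies for illustration (not the developer's real IAM setup).
# ROOT_EQUIVALENT is what an account root key or an AdministratorAccess-style
# policy amounts to: any action on any resource.
ROOT_EQUIVALENT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# BUCKET_ONLY is the kind of key an S3 uploader actually needs: read/write
# objects in one bucket, list that bucket, nothing else. The explicit Deny on
# ec2:* is belt-and-braces; the implicit deny already covers it.
BUCKET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-uploads"},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; same wildcard rules.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for one identity policy: an explicit Deny wins
    over everything, otherwise any matching Allow grants, otherwise the request
    is implicitly denied. Conditions, NotAction/NotResource, resource policies
    and SCPs are out of scope here."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt.get("Action", []), action)
                and _resource_matches(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA,
# followed by 16 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed 'git log -p' excerpt: a key committed, then 'removed' in a later
# commit. The key ID below is made up and is not a real credential.
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    add uploader config

+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+AWS_SECRET_ACCESS_KEY = "constructed-not-a-real-secret"

commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    remove keys from config

-AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
"""


def leaked_key_ids(git_log_text):
    """Key IDs present anywhere in the history. A deletion in a later commit
    still shows up: only a history rewrite (or revoking the key) removes the
    exposure."""
    return sorted(set(KEY_ID_RE.findall(git_log_text)))


if __name__ == "__main__":
    print(is_allowed(ROOT_EQUIVALENT, "ec2:RunInstances", "*"))                           # True
    print(is_allowed(BUCKET_ONLY, "s3:PutObject", "arn:aws:s3:::example-uploads/a.jpg"))  # True
    print(is_allowed(BUCKET_ONLY, "ec2:RunInstances", "*"))                                # False
    print(leaked_key_ids(SAMPLE_GIT_LOG))                                                  # ['AKIAEXAMPLEKEY000001']
```

Run it over real output from `git log -p --all` to include branches and tags; a key that only ever lived on a deleted branch can still be reachable via reflog or a fork.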
Re: Who else?
FWIW, the standard alien "experiences" tend to follow movies of similar themes - showing that most people involved are fairly suggestible. They may _believe_ they were abducted by aliens, but it's more likely to have been a particularly vivid dream, possibly years after seeing Close Encounters, etc
To pile conspiracy on top of conspiracy, as you said
The CIA and several other organisations spent a long time planting people in various tinfoil hat brigades to keep them paranoid
Let's accept that's true - the ultimate way for the CIA to keep the paranoia (and outward appearance of such) would be to do a few 'alien' abductions themselves. Slip the targets a few drugs and then wear rubberised suits whilst brandishing a certain medical instrument related to the bottom, lots of lights etc.
Mind you, if it came out, I guess an anal-probe could be seen as state sanctioned anal rape....
I initially thought that, but if you read the linked article, they've taken that into account.
For example, they've noted that RHEL/CentOS 6 backports to PHP 5.3.3 and so any server reporting 5.3.3 is considered secure.
If anything they've skewed their results the other way (i.e. if I'm running Debian, 5.3.3 probably means I'm insecure).
TFA doesn't exactly make that point clear though......
Re: And the alternative is ?
I was spitting feathers recently, having looked over the output of a development team and found such things as
$result = mysql_query("SELECT foo FROM bar WHERE id=".$_GET['id']);
In this day and age, how can people not know better?
Mind you, it does seem a little unfair to judge the language for that. As you say, its biggest sin is that it's incredibly easy to learn. If the type of person that does the above could write C they'd still do the same thing.
There were also some other beauties within that code review, but I won't bore you as it might just push my blood pressure beyond breaking point.
The joys of being brought in on a project way too late eh?
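Added example, not part of the post above and not the reviewed team's code: the same query written the way that PHP line does it, beside the parameter-bound form, run against a constructed in-memory table so the difference is visible on actual input. Python's sqlite3 module stands in for mysql_query here; the PHP equivalent of lookup_safe is a PDO prepared statement with bindValue()/execute().

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'bar' table in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT)")
    conn.executemany("INSERT INTO bar VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, user_id):
    """Same shape as the PHP line in the post: the request parameter is glued
    into the SQL text, so whatever the client sends is parsed as SQL."""
    sql = "SELECT foo FROM bar WHERE id=" + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Parameter binding: the statement is compiled with a placeholder and the
    value is handed to the engine separately, so it can only ever be a value.
    A non-numeric string simply fails to match an INTEGER column."""
    return [row[0] for row in conn.execute("SELECT foo FROM bar WHERE id=?", (user_id,))]


def demo():
    """Run the honest input and two attacker-controlled inputs through both paths."""
    conn = make_db()
    honest = "2"
    dump_all = "2 OR 1=1"                                   # tautology: every row
    schema = "0 UNION SELECT name FROM sqlite_master"       # schema exfiltration
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_dump_all": lookup_vulnerable(conn, dump_all),
        "vuln_schema": lookup_vulnerable(conn, schema),
        "safe_honest": lookup_safe(conn, honest),
        "safe_dump_all": lookup_safe(conn, dump_all),
        "safe_schema": lookup_safe(conn, schema),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The vulnerable path returns every row for "2 OR 1=1" and the table name for the UNION payload; the bound version returns ["bob"] for "2" and nothing for either payload, because the string never reaches the parser as SQL.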
Re: Seriously, he actually believed the advertised PHP version on the server?
I doubt any serious admin is accurately showing the actual version they are running,
Not to pile (too much) on the hate you seem to be getting - but a serious question...
Did you also remember to turn off PHP's 'Easter eggs'? If not, then with a single URL I can tell which version of PHP you're running without needing to resort to the idiots method of last resort (spray and pray) or rely on the version headers.
As others have said though, if all else fails, brute force will find its way through to whatever version you're using.
Re: i rather liked mine
You photograph your food before you eat it? My first thought when food arrives tends to be "bugger waiting for everyone else, I'm digging in!"
Can we (The Register) please stop trawling Twitter for quotes and public opinion. I've noticed the actual news (on the telly) has started doing this, and it drives me insane.
Yup, especially when it seems to replace actual research.
Other news sites managed to include a fairly important point;
the bloke who had his dead daughter displayed to him (she died on her 6th birthday incidentally), didn't post his 'Year in Review'. In fact, because of the painful memories he'd been actively avoiding the 'new feature'.
But because he hadn't configured it, Facebook 'helpfully' stickied it to the top of his timeline for him
"But I don't post anything of significance on FB anyway."
Out of curiosity, I went to see what Facebook had generated as my 'Year in Review'. They didn't have a whole lot to choose from, so selected the only 2 pictures I'd posted - neither of which were relevant or particularly personal to me.
But then, like everyone else here, I'm not exactly the best user to use as an example
Re: So a wrong expiration date from the server is a "front end issue"?
Would like then to know how Twitter calls the browser side code.
Like most people, they probably call it the client-side code.
Front-end code lives on the server (generally doing presentation) - it's the 'front' to your service, which is accessed by clients (whether a browser or an app).
Put it this way, even a false sense of security is preferable to NO sense of security.
IMHO you're wrong on that.
If you _know_ you've got no security, then you're naturally careful about what you store. If you believe you're secure, then you feel confident storing material that otherwise you might not.
The one thing that sets TrueCrypt apart is that audit
Once complete, yes, it very definitely will - and it is definitely looking good so far, but it's still early days so taking the results so far as proof that it's safe would be a bad idea.
Before suggesting PGP/lo, consider users who can't use a loopback device.
A fair point, but for those that it is an option it's not a bad solution.
It is currently being audited, yes, so once that's complete it can probably be considered safer.
By alternative it depends on what exactly you're after. If it's hidden volumes I've no suggestions. If it's simply encrypted containers (as opposed to FDE) then PGP and a loopback can work nicely.
Ecryptfs gives a good level of protection if you're primarily bothered about stopping the bloke who stole your laptop from rifling your files.
It all comes down to what your threat model is, and what you're wanting to implement (and the OS you're using). I've got containers encrypted with 16k keys and I've also got others where 512 is considered enough.
Once the audit has finished there's still the possibility of holes, but Truecrypt will be in a stronger position than now. In the meantime though, using crypto software that is unsupported and has publicly been declared insecure by the devs is a bad idea - you've got a potentially false sense of security and nothing more.
Re: Truecrypt is a threat
@Michael - I largely agree with you, but it's not a jury that needs convincing, it's a single judge. Whether that makes it better or worse probably depends on the judge.
The reason it'd be easier is because they can ask for something specific with legislation to cover that request rather than a rather vague "we know you have it somewhere, tell us then give us the keys"
Your defence to the claim of self-implemented crypto would have to be along the lines of "they seem to believe I'm intelligent enough to roll my own non-trivial crypto and yet also believe I'm stupid enough not to recognise what a bad idea that is".
Not sure it's likely to hold up, but it's probably less likely to need to in any case. Technically the law does allow for the OP's point so it should be considered a threat, but the probability is probably about equal to that of the Mossad pwning your edge devices
Re: Truecrypt is a threat
> I am not familiar with truecrypt, but I assume that it does not let an observer see "a blob of random data" precisely because it would be pretty convincing evidence of "hidden volume".
The outer container is a blob of random data, at least in appearance. Once you've decrypted the outer container, there isn't a second random blob, no.
However, unlike with your Picture example, the very existence of the outer container demonstrates that you _are_ using crypto. It's not proof of a hidden container, but the fact you've used technology capable of it will likely be used against you.
Part of it would likely come down to what you had stored within the outer container, if the fuzz suspect you of something heinous (let's say terrorism) and you provide the key on request to reveal a bunch of fairly uninteresting emails, they'll likely try to claim it's a decoy.
They can't prove it is, you can't prove it isn't, but the burden here isn't reasonable doubt, it's balance of probabilities. So if they can use your use of crypto and the technical capabilities of Truecrypt in front of a technically inept judge, it's not improbable that you could be on the losing end.
On the other hand, I disagree with the OP almost entirely anyway. He's right to warn about using Truecrypt, but wrong in his reasoning. It has nothing to do with the existence of hidden containers, and everything to do with the fact the developers have _very_ publicly walked away, and whilst doing so have declared it insecure.
The software is no longer supported, and the reasons for the developers stopping are not known. Unless it is bikini pictures you're planning on encrypting, using Truecrypt now is a bad idea, because it brings far too many unknowns with it
Re: Truecrypt is a threat
Whilst they could claim stego, they've still got to convince a court;
He's got a blob of random data which is unusable for anything, so we believe it's an encrypted container.
This picture of his wife in a bikini can only be an image containing encrypted data, why else would he keep _that_.
Re: Truecrypt is a threat
> Also, the penalty isn't life imprisonment, but that's a side issue.
No, but the 'crime' is viewed as contempt of court (the Judge has asked you to hand over the keys and you said No), so you can be asked again and when you say 'No' you do some more time.
Although you'd obviously hope some level of reasonableness would kick in, there's no limit to how many times you can be told to hand over the keys and then do a stretch for refusing, so it could, in theory, be used to lock you up for life.
People have done short stretches for failing to hand over keys, though don't think there's ever been any cases of being locked up for failing to provide the key to a hidden volume that doesn't actually exist.
Re: Wrong side of somebody
being total twatnozzles
Thanks... that's a welcome addition to my vocabulary
Re: Me too
Bastards - that explains a few things for me too.
I'd hazard a guess they've outsourced their GeoIP stuff (a lot of companies do) to a company that literally just pulls down the IP of all Tor Nodes, rather than checking whether they've got the exit flag.
Will be moving my relay I think (had planned to anyway)
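Added example to go with the post above; it is my code, not the poster's and not anything from the Tor project or a GeoIP vendor. It parses constructed network-status entries in the consensus format and compares the lazy blocklist (every relay in the consensus) with the list of relays the directory authorities actually flag as exits, dropping BadExit. It also reads the exit-policy port summary, since a relay can carry the Exit flag yet still reject the port a service cares about. The entries are constructed; the identity and digest fields are dummies and the addresses are RFC 5737 documentation ranges.

```python
# Constructed router-status entries in the Tor consensus format:
# 'r' nickname identity digest published-date published-time address ORPort DirPort
# 's' flags assigned by the directory authorities
# 'w' bandwidth weight
# 'p' exit-policy port summary (accept/reject list)
SAMPLE_CONSENSUS = """\
r fastexit AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-12-26 01:23:45 198.51.100.7 9001 9030
s Exit Fast Running Stable Valid
w Bandwidth=12000
p accept 80,443
r middleman CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-12-26 02:00:00 203.0.113.9 443 0
s Fast Guard Running Stable Valid
w Bandwidth=9000
p reject 1-65535
r dodgy EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-12-26 03:00:00 192.0.2.33 9001 0
s BadExit Exit Fast Running Valid
w Bandwidth=500
p accept 80
"""


def _parse_ports(summary):
    """'80,443' or '1-65535' or '25,135-139' -> set of ints."""
    ports = set()
    for item in summary.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_consensus(text):
    """Group each relay's r/s/p lines into one dict; unknown lines are skipped."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = {"nickname": parts[1], "address": parts[6],
                       "or_port": int(parts[7]), "flags": set(), "policy": None}
            relays.append(current)
        elif current is None:
            continue
        elif parts[0] == "s":
            current["flags"] = set(parts[1:])
        elif parts[0] == "p" and len(parts) == 3:
            current["policy"] = (parts[1], _parse_ports(parts[2]))
    return relays


def all_addresses(relays):
    """The lazy blocklist: every relay, guards and middles included."""
    return sorted(r["address"] for r in relays)


def exit_addresses(relays):
    """Relays the authorities flag as exits, minus those flagged BadExit."""
    return sorted(r["address"] for r in relays
                  if "Exit" in r["flags"] and "BadExit" not in r["flags"])


def can_exit_to(relay, port):
    """The Exit flag is a heuristic; the port summary says what the relay will actually exit to."""
    if relay["policy"] is None:
        return False
    kind, ports = relay["policy"]
    return (port in ports) if kind == "accept" else (port not in ports)


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    print("block everything:", all_addresses(relays))     # three addresses
    print("block exits only:", exit_addresses(relays))    # ['198.51.100.7']
```

Against a real consensus the difference is the one the post describes: a guard or middle relay's traffic never leaves the Tor network from that address, so blocking it only punishes the relay operator's own connections.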
Re: And here's what it does!
Add another happy user of your CSS, looks much, much better
Re: There are more than a million Tor relays?
There are, roughly, 9000 nodes.
The percentages relate to capacity.
The article doesn't mention it, but it was also pointed out to the Lizards (on the mailing list) that they'd made something of an OpSec facepalm. I'll leave you to look over the publicly accessible data to work out what it is :)
Re: the tablets will save us...
I can't see skiddies using daddy's credit card to set up their own VM farm for ddosing...
I can see some of them doing that.... Others will use stolen CC details, others will use stolen vouchers.
You do want your attack nodes spread out, but don't underestimate the benefit of using a server with a 1Gbps (or better, 10) connection over that of using something that manages 500Kb upstream.
The biggest benefit of using pwned consumer devices is that they (historically) aren't so easily noticed and shut down. You may get to run an attack from VMs for a while, but it's far easier for your host to shut you down than it is for 1000 home devices to be cleaned of your malware.
I use OTR for various things, the article mentioned the Pidgin plugin, but there's also a useful app for Android - chatSecure - exact same basis but for your phone.
If you're after Tor on your phone - Orbot and Orweb (the former connects to Tor, the second is a browser). If you're rooted, Orbot can redirect all traffic over Tor, if not then it just opens a Socks proxy.
TAILS is pretty popular, but IMHO Liberte Linux is a better bet as it's also got i2p baked in. Same procedure for running: boot off a liveCD.
Kind of my first thought too, 541EUR for a laptop isn't exactly extravagant and likely well worth paying for someone who is a prolific contributor
> If the North Koreans really do have an elite hacking squad, it'll be twiddling its thumbs at the moment,
Doubt it, it's generally accepted that if they do exist, they're based in China and not NK
Re: If I had the money to spend
I'm all for holding banks to higher standards, but it isn't going to work if you're charging 150k for a domain. How many are going to pay that when other TLDs are available?
Even if it were cheaper, it still isn't going to work. If users are too stupid to think therealhsbc.geocities.com is their banking login page (or more likely, don't even glance at the address bar) then it doesn't matter whether it's hsbc.trust or hsbc.honestguvitsreallyus.
Aside from making NCC money, the only real benefit I can see is the extra weight carried by "your site is insecure, fix it or we'll suspend your 150k domain" - except you've got to get the customers first.....
Re: Where does this daft expression "nation state" come from, anyway?
The term nation state implies sovereign backing. In much the same way we say Britain went to war, rather than members of the MoD went to war.
The latter is true, but sounds fucking stupid
The term nation state isn't exactly new either, it provides a distinction against the various other types of state. A quick Google will soon fill the gaps in your knowledge AC.
Re: I'm not taking the NORK Bait™.
Yup, and the media have seized upon it as it makes better headlines to have a nation state behind it.
I don't buy that it's the Norks either, and some of the 'evidence' doesn't exactly stack up. It's been claimed the attackers used DNS masking techniques to try and hide their origins. Tactic of an advanced nation based attacker that is not.....
The 'evidence' that's been disclosed is, uh, flimsy.
I'm not saying it can only be a false flag op, but there's something that doesn't feel right about the idea it was NK. From the messages that read like an English speaker trying to sound non-native to the fact NK would normally be trumpeting their 'victory' over the Western devils.
Frankly I'd find it easier to believe it's a /b/ prank than the Norks based on what's been made available so far.
To be fair, bugs do happen from time to time, and the latest kit isn't automatically the best kit for the job.
The unanswered question, though, is whether they could perhaps have avoided (or shortened) the outage through investment. I'd be surprised if they didn't have something to fail over to, though it wouldn't be the first time an organisation has decided that redundant == unnecessary cost.
Re: Brought to you by...
It is bollocks.
A user given a higher level of trust might be able to abuse that trust, go figure.
As physical access is required (if the same user tries via SSH, they'll be prompted to enter a password) it's something of a non-issue given the huge amount of pain that could be brought by anyone who gains physical access.
Be careful who you give higher privileges to, and be very careful about who you allow physical access to. Not an awful lot of news there.....
The OS-Sec mailing list was particularly scathing of this 'vuln', but as a side effect, someone looking into this did discover a real privilege escalation vuln - CVE-2014-9322 - so something good has come of it at least
Except it's no longer just the premiere - http://arstechnica.com/tech-policy/2014/12/sony-hackers-terror-threat-prompts-movie-chain-to-pass-on-the-interview/
El Reg, I'm disappointed, it was on BBC news and still no sign here
Re: This is entirely UNreasonable
There is a must register for the new rules - if you sell to an EU member state then there's no lower threshold of earnings. You can deregister from UK VAT but not from the new rules.
You don't _have_ to use the MOSS though. The EU is more than happy for you to instead register for VAT in any EU country you make sales to.