13 posts • joined Thursday 13th March 2008 22:57 GMT
The issue with mixed-ssl on a page is, IMHO, worse than described here:
Even if google used EV certificates for google analytics, there should be no reason for the browser to assure the whole page is "extendly validated" for the site on which it is installed ( of course the site needs EV ssl anyway ). THe browser should at least display the list of of certifcates, EV or not, contained in the page.
What would make sense is a feature on the browser which would block all third party content on an EV ssl page, and display the green bar only in this case.
This is currently the behavior for IE with the "ssl lock": if one component in the page is not ssl'ed, the lock is broken (which IS correct behavior ).
I am rather surprised : usually there are loads of comments blaming everything on Bill Gates.. Wake up penguins:
Linux ubuntu1 2.6.24-22-server #1 SMP Mon Nov 24 20:06:28 UTC 2008 x86_64
If this could bring a bit a modesty and humility to the "community", this attack might contribute to make lamp less insecure.
The day I discovered it was possible to *completely disable* UAC from win2k8, I was at last able to appreciate the new OS.
Clearly it has very interesting features that were not available in win2k3 ( iis7, posix shell, .. ) but for me the UAC wasted it completely.
I think most people should disable UAC on Vista or Windows7. I bet they would be actually more secure because they would not have a false feeling of protection because of the continuous interruption.
Is there any statistics suggesting UAC reduces virus infection?
> Anything that makes it harder for SPAMMERS to SEND email looks good to me.
Unfortunately DKIM makes it much harder for legitimate senders than for spammers. If hitting spammers means killing email, what is the point? If you follow your point, then we should move from email to proprietary, secured protocols. Exactly the dream Bill had for many years. The challenge against spam is to make it hard for spammers but let legitimate email thru.
>Of course, somebody will probably point out that the CPU costs for bot-spammers > is almost zero anyway because they are just using their zombie hosts CPUs.
Exactly. Cost for spammers is 0. Sending emails via gmail accounts created by hijacked zombie PCs costs 0. And the emails are DKIM / DomainKeys signed from gmail.com! You want to block all emails with a valid DKIM signature for gmail.com domain? It will certainly make it harder for spammers.
Bill because if he had it his way, smtp would not be used anymore.
Basically SPF is designed to verify that the *ip address* sending an email to an smtp server is "compliant" with a proper *enveloppe*. The enveloppe does not appear in the content of an email.
There are several big problems with this:
a) only the enveloppe is verified, and the enveloppe does not show in the emails in your mailbox, so it does nothing against phishing etc.
b) since it can be very problematic to block ip addresses the spec implements a "soft fail" feature which basically allows bypassing the spf checks. Millions of domains have no spf records, or have records allowing "soft fail". So it is very easy for spammers to pass spf checks.
DKIM / DomainKeys do not check ip addresses nor enveloppes, only headers and body of emails. The big issue ( imho ) with them are:
a) implementation costs for sender. Far from trivial, many buggy/crappy tools and libs here and there, few efficient implementations, and a configuration is required per domain on each server which will send your emails..
b) cpu costs for the sender. If you send many emails, it is very expensive in terms of ressource to compute these signatures
c) few recipients check these records anyway. Yahoo and Gmail does, but not hotmail, aol, outlook ..
d) Anyway, a lot of spam and fishing emails are sent with perfect DKIM / Domain Keys records. You just have to send these emails via yahoo or gmail. And *lot* of spam is sent via these accounts. Nothing prevents from sending an email which *looks* like coming from Paypal:
From: <firstname.lastname@example.org> Paypal Security
Will "look" coming from paypal and will have DKIM + DomainKeys + SPF all perfectly verified.
Paris, because I write from there.
During the attack it is likely your servers behind the IP addresses targeted by the botnet will not deal with the flow, no matter qmail / rbldns etc..
What I would do: block all incoming smtp traffic but from yahoo, hotmail, and the top 3 ISP my customers deal with ( use of SPF records to create firewall rules - of course I treate ~all as -all ).
Then quickly rent some servers anywhere in the world ( any linux virtual server for $10 a month will do ), declare it as MX for my domain, put in iptable rule to limit the the rate on incoming smtp traffic on it and tunnel the smtp traffic to my servers.
It's a lot of manual work, but in 2 or 3 hours, for less than $150, one admin can have maybe up to 20 new mx ip addresses. If the attacker just sticks blindly to the initial ip addresses ( and believes he succeeds since you are blocking all his traffic at firewall level ), you have a sporting chance of having a degraded but functionning service. If the attacker follows your mx ip addresses you can rotate them on your pool or extend your pool, or both, and in parrallel analyze your logs and prepare a mega iptable rule to stop the botnet.
I was a former developper in a bank, we were coding on sybase, and use of stored procedures was mandatory, dynamic sql forbidden.
When I came to work for the web startup I am still working in, I explained all the benefits of stored procedures ( performance, maintainability, security, .. ) and believed to have converted the team to them.
The first stored proc I saw was like this:
declare procedure getusers(@filter varchar(255))
declare @sql varchar(8000)
set @sql = "select * from users_table where " + @filter
IMHO sql injection is almost something of the past. XSS is the next challenge..
Developpers, Managers, they do not understand what it is about. They just understand this is a critic of their coding practices and a pretext for delays. When a site is hacked they reject it on the OS, the web server, the ISP, the support team. In their opinion it is definitely not an issue they have to deal with, and I see no reason which will make them change their mind.
Bill, because at its debut at microsoft you should not be managed by someone writing worse code than you.
Making money with illegal stuff
This is exactly what ebay is doing. Why should it be forbidden everywhere, but on the internet?
If it should be legal for ebay to sell counterfeits, why then couldn'it sell also fake v1@gra, real heroïn, fake 100 € notes..?
oen source attack
Clearly this is an argument against open source code, which has no way to protect itself against this kind of threat..
The Reg should add a dead penguin picture.
Anyway, as many people already said there, hackers and security professionnals are doing this for ages. Reducing the number of bugs and vulnerabilities in closed and open source, increasing the speed at which fixes are released AND applied, looks the only sensible approach.
Is this an english site? Even the worst leftist french blogs are more open to the realities of industry.
Does your company need to run a power station in order to have electricity? Does your company own a cement factory in order to build its headquarters?
Outsourcing is an obvious rationalization process. Obvious, but not easy to manage, and obviously outsourcing does not remove responsibility..
One of the problems ( among many others ) is that often many security aspects are not considered in outsourcing contract. This is incompetence, but this does not say anything good or bad about outsourcing itself. Nothing proves that if the process was "internalized" it would be any safer.
Hacker went for value
All this shows is that hackers wanted to come home with the most valuable laptops:
First the mac book, then the vista, and the hell with the linux thingy ( even if it is the same hardware, the Vista one comes with.. Vista! )
Note that the flash exploit is not exactly a windows vulnerability ( nor is it directly a linux or a mac vulnerability ).
For the security-challenged guys who think only root access is a security threat, just consider that the latest vulns in firefox where enough for a hacker to steal your credit card information, send spam and drive ddos attacks from your computer..
And the servers?
The "vulnerable" servers are likely to be ( again ) LAMP servers. If this could make the penguins shut up a bit.. The last infection of this kind was based on a linux kernel rootkit ..
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Google embiggens its fat vid pipe Chromecast with TEN new supported apps
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad
- Exploits no more! Firefox 26 blocks all Java plugins by default
- Shivering boffins nail Earth's coldest spot