32 posts • joined Friday 2nd January 2009 20:35 GMT
Hopefully things like this will encourage people never to use the same user ID and password on multiple sites; there are enough devices and apps out there for password management, and plenty of high profile hacks out there, that people should know better by now...
Mine's the one with the nifty MyLOK+ USB stick password manager in the pocket...
Re: Knew It Was Coming
@ Pepper You're referring to the infamous DB Cooper case and several others who tried to copy his escape, and while some of the money was found I believe the case is still open and there is some speculation around whether he survived the experience. The 727s now have an interlock called the Cooper vane to prevent the rear stair from opening if the plane is not on the ground, wheels down, specifically to prevent this from happening again.
Re: Actual Satnav units
Pretty much every built in sat nav system I've owned in the US disables the keyboard and most touch screen input functions while the vehicle is in motion. The Sync unit in my new Ford truck allows for voice commands, which I personally find a lot more distracting than a touch screen menu.
As for the portable ones and early laptop devices, I have found some of them lock up when moving more than 5-10 MPH while others do not. I find it interesting that it's still legal in some states to have the old hockey puck antenna hooked to a laptop with cables and power inverters run all over the front seat that you have to bend down to look at, but you can't suction-cup a touch screen to the window.
Of course it varies state by state so please don't judge us all by the strangeness of California. :-) I always found it quite odd that in New Jersey it's illegal to pump your own gas until I caught an episode of Jersey Shore.... context makes a huge difference!
My guess is "Unbreakable" glass probably cost too much, so they went with the slightly less expensive "Insanely great" doors instead...
How about the Highland games...
Port the old highland games with the caber toss and swap that sissy beer tap for a Scotch dispenser; the higher you score, the older the single malt you get. Now that would be worth playing.
Re: Cake crumbs?
That's a big part of the problem; it's kind of like a medical company that has found the cure for a disease but also makes drugs to treat the disease itself. They make more money in the long run treating the symptoms than actually curing the disease, or in this case security researchers selling prevention and detection tools and consulting services, and selling the tools to exploit themselves, versus telling the vendors how to fix the problems directly.
I understand the financial motivation of not wanting to disclose it all, but I think the real purpose of these competitions is for vendors to learn about potential weaknesses and ultimately FIX the problems to make the product better for everyone. You're getting cash, prizes, the priceless free publicity from the event, plus the good karma from helping make the products safer for the masses. I think all that should be more than enough to compensate you for telling them how you pwned their product, but I guess that's why I'm not filthy rich... :-)
Re: It looks like...
@Herby Actually I think the driver is a little different. Yes, it probably will save them on staff who monitor the queues on live video to keep an eye on things, and also provide more accurate wait times for the people who pay the extra money for the cell phone apps, which they may sell more of because of this.
The real driver is the same as the "Key To The World" cards they have been using for years as the room key, park admission, fast pass AND room charge.... Most people spend less when they are paying in "real" money than they do when using credit cards, although that is changing as more and more people use credit and debit cards in place of old fashioned cash and coins. They further abstract things by making the payment vehicle a wristband as opposed to a room key with a mag swipe, which resembles a credit card. Instead of signing and comparing the signature on the back they use a PIN to authenticate you. So even if your brain now says credit cards = money, you're not thinking wristband = money, let alone wristband = credit card = money, and chances are you will spend more casually without thinking as much.
Most of the merchandise you find in the parks is impulse buys; separating the thought of money from the payment mechanism is really a rather clever way of separating your money from your wallet. Which, as someone who is married to a Disney travel agent, I can tell you they are VERY good at. :-)
@Collis Actually there are no lost children in Disney outside of the "Lost Boys" in the Peter Pan attraction... :-) Ok, sorry bad joke and this really is no laughing matter but there is a point to it:
Cast members (aka "Staff") are trained to talk to children and explain it's actually the parents who wander off and get lost. (And we do...) This keeps the kids calm and lets the cast member get vital information from the child to reunite them with the parents at guest services.
So, if you ever find yourself wandering off in a childlike daze to say hello to Cinderella and realize your child is not there, simply find any cast member and they will radio it in immediately, and all cast members will be on the lookout for the child while the parents are escorted to the front of the park for a happy reunion. (However, chances are you may be panicked and looking frantically around, in which case the cast member will probably approach you, as they are trained to do...) They drill this into the cast and they take the situation very seriously; most families are reunited in minutes, although for the terrified parents it seems like an eternity.
While I doubt this technology will be more useful in locating the child or parents than their pervasive video surveillance is, it may make positive ID of the parents easier, but typically there's so much crying and hugging (and sometimes yelling) that it's fairly obvious. But, I agree it would be a good thing if it speeds up the happily ever after reunion! :-)
@AC - Actually no, it's not code signing, it's basically hash enforcement at the OS level - if the app and hash you have stored on the PC when you try to save/execute doesn't match the version on the whitelist on the server, it is blocked. It's been a feature of Windows Server for years, as well as several 3rd party tools.
This goes well beyond malware protection to address what users can and cannot load on their systems: if your group doesn't have permission to, say, run Firefox, you cannot install or run it, period. Whether it's a "trusted" source and code signed or not doesn't make a difference. If it's not on the list, it's not going to run on your PC, period.
I stand by my comments before, it's highly effective when done right, but it can take a lot more effort and money to implement properly than AV and IPS devices like Imperva.
@ John Beat me to it... ;-)
Blacklist and heuristic algorithms are great for catching stuff you already know about, and they will catch what they know and a few things they shouldn't based on the patterns that have already been established. As a pen tester I can say none of the exploits I have used (ahem, only with signed authorization or on my own boxes, that is...) have ever tripped off an AV client; there are plenty of repackagers that are way too easy to use out there, not to mention toolkits like SET that will do it for you from a menu option.
It doesn't mean they are worthless or you can safely surf naked (e.g. running with no AV/firewall), it just is what it is, a filter to catch known bad stuff. Think of it as getting a flu shot: it works against the bugs you predict you'll be exposed to, but not everything that makes you sick.
Whitelisting is a great solution, and I personally think it IS the best one; basically it only allows you to run what the system admins have "pre-blessed" as OK to run on your system. It works, it works very well when implemented properly....
Which is the problem. Most companies who sell whitelisting applications out there do not tell you the effort involved in maintaining that whitelist. One security researcher I know once commented a corporation will need to hire 4 times the number of staff needed to run a proper AV and patch management implementation in the same environment. I mention patch management since that now has to be tied into the process, since the patches themselves need to pass through the whitelisting process as well, which can add delays in implementing patches, which may cause friction for management who have been pushing for ever shortening patch cycles. Of course, the fact that whitelisting actually prevents the risks driving these demands in the first place typically comes up in the discussion.
The other issue I see most commonly is that delays or frustration due to over-complex whitelisting processes for new applications can cause users to rebel against corporate systems, and you will see a surge in BYOD (Bring Your Own Device) or copying data to portable storage to use on personal laptops outside of the company's control. USB sticks get lost, personal laptops get hacked or stolen; it can be a nightmare if you do not have controls in place to enforce policies against it.
When all's said and done, a properly funded, managed, and implemented whitelisting program offers the best defense against all exploits. Sadly, it's just too damn expensive for most organizations to do properly. :-(
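To make the hash-enforcement model described above concrete, here is an added Python example (not code from the post or from any whitelisting product) in which an admin "blesses" a binary by recording its SHA-256, and the launch check blocks anything that is either unlisted or no longer matches its recorded hash. The file names, file contents and the name-plus-hash lookup are constructed assumptions; it also walks through the vendor-patch case the post mentions, where a legitimate update is blocked until the admin re-blesses it.

```python
"""Hash-based application allowlisting, as a constructed illustration."""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bless(allowlist: dict, name: str, path: Path) -> None:
    """Admin side: record (or refresh after review) the approved hash of a program."""
    allowlist[name] = sha256_file(path)


def check_launch(allowlist: dict, name: str, path: Path) -> tuple[str, str]:
    """Enforcement side: ALLOW only if the name is listed AND the on-disk hash matches.

    Code signing is irrelevant here: a signed but unlisted binary is still blocked.
    """
    expected = allowlist.get(name)
    if expected is None:
        return "BLOCK", "not on allowlist"
    if not hmac.compare_digest(sha256_file(path), expected):
        return "BLOCK", "hash mismatch: binary modified or replaced"
    return "ALLOW", "hash matches allowlist"


def demo() -> dict[str, str]:
    """Run the scenarios from the discussion and return the decision for each."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        allowlist: dict[str, str] = {}

        # Constructed "blessed" program: the admin records its hash.
        editor = root / "editor.exe"
        editor.write_bytes(b"approved editor build v1")
        bless(allowlist, "editor.exe", editor)
        results["editor-clean"] = check_launch(allowlist, "editor.exe", editor)[0]

        # Unlisted program: blocked regardless of where it came from.
        browser = root / "browser.exe"
        browser.write_bytes(b"some unapproved browser build")
        results["browser-unlisted"] = check_launch(allowlist, "browser.exe", browser)[0]

        # Same name, different bytes (e.g. a tampered copy): hash no longer matches.
        with editor.open("ab") as f:
            f.write(b"\x90\x90 extra bytes")
        results["editor-tampered"] = check_launch(allowlist, "editor.exe", editor)[0]

        # Legitimate vendor patch: also a new hash, so it is blocked until re-blessed.
        editor.write_bytes(b"approved editor build v2")
        results["editor-patched-before-review"] = check_launch(allowlist, "editor.exe", editor)[0]
        bless(allowlist, "editor.exe", editor)
        results["editor-patched-after-review"] = check_launch(allowlist, "editor.exe", editor)[0]
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:32s} {decision}")
```

The last two scenarios show why patch management has to be wired into the whitelisting process: until someone re-blesses the patched binary, the enforcement point cannot tell an update from a tampered file.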
The other consideration is redundancy: the DROBO NAS solutions have the ability to lose 2 drives without losing the entire array in RAID 5 configurations with less overhead. Having recently had 2 drives fail within hours of each other on an old TeraStation, I can tell you honestly yes it CAN and sadly does happen!
Last thing I would want in my test lab would be to lose ALL of my VMs at once; even with backups you're down for days restoring multi-terabyte drive arrays. Out of all of them the DROBO units seem to offer the most resiliency of the others out there for the price. Unless of course the entire DROBO box itself decides to take a dirt nap, then you're in trouble!
Re: So what?
The only conclusion that can be drawn at all from those statements is that INDIVIDUALS, as opposed to the anonymous "super" PACs, are donating more money to Obama than Romney on those specific sites and from those select companies.
What's disgusting here to me is American news media today; the golden age of professional journalism is long gone in this country with the age of cable... Am I the only one who sees the irony in Fox News' claim of "Fair and Balanced" news coverage? You have Fox News on one extreme and MSNBC with the Ed and Rachel Maddow shows at the other, and all the others fall somewhere in-between, just blindly playing the sound bites with no apparent care about the actual validity of the comments made in them. Every year it gets harder to cut through it all to get to the truth of what's actually going on. Used to be the news would verify information and report it factually; it was a matter of integrity and professionalism over ratings. Sadly today that's too boring when you have 900 channels to choose from.
Mine's the one with the CSPAN program guide in the pocket. If I'm going to get fed manure on TV, I'll get it straight from the source and make up my own mind.
Defense in Depth...
The main problem here is a lack of awareness, understanding and application of defense in depth strategy by home users.
Of course you need AV, you always will need AV, but AV alone is not enough to protect you. You need a good firewall, not some $99 special you picked up at the big box store because someone told you you needed one and just plugged in with default settings, but a real one properly configured. In addition you still need HIDS, content filtering, and all the other things corporate users have, and a lot of common sense.
I see this as an attempt at application whitelisting, pure and simple. Quite frankly, if more companies take this approach and control what can be run on their machines, it makes it much more difficult to compromise the systems through traditional means and maintain persistent control for any period of time. Drives the pen testers crazy when done right.
Now the use of certs is good, but the problem here is they will only be as secure as the certs themselves; if developers share certs or a disgruntled employee signs his malware with a legitimate cert, it will still get through the wall. That's why you need other defenses: if one or two fail, hopefully the third or fourth layer protects you. In security parlance it's called Defense in Depth; in layman's terms, don't put all your eggs in one basket.
There is no silver bullet to security, but this is a step in the right direction IMHO.
Zombies, et al.
The living dead technically are not living or dead, hence the statistical anomalies. So stop running around fact checking... you'll only die tired!
They apparently used hardware based keyloggers, which are virtually impossible to detect by software as they plug inline with the keyboard cable out of the back of the PC. More of a physical security issue. Besides, almost every company I hear about being hacked acts dumbfounded at the breaches because they all had "AV and Firewalls". The biggest threats are from within, and AV can only stop what it knows about; if it's something new, or just newly encrypted, in low volumes it's not a priority and often times will slip right through most AV...
I don't think this was a case of a lack of being stimulated or engaged here; they used COTS hardware and a copied key from the janitor, it was a fairly low tech breach overall. This is simply a case of B&E, academic fraud, and being greedy.
If they were smart....
1) They would not have done it at all, agreed. And this is the MOST important point!
2) They would have written their own software key-logger vs a hardware one to make it harder to detect and hopefully harder to trace back to them. (Kids and credit cards these days, way too lazy!)
3) They would have retrieved the hardware devices after they had captured the needed passwords to avoid detection. (Granted there is a risk of detection on re-entry, but it appears these guys were rather proficient at infiltration of the school...)
4) And this is the big one.... they should have never tried to profit and never told anyone, ever!!!
Like most criminals, it's the greed that gets them every time! But will they learn their lesson?
Now that they are expelled they have plenty of time to learn how to use Metasploit and SET to do it from the outside (just what we all need...).
School or not, security needs to be baked in to everything you do these days, and expulsion alone is not harsh enough to prevent the students from continuing down a rather dark and dangerous path.... Let's hope their parents straighten them out before the courts have to!
Sorry Lewis, but you're way off here.
Apple is creating the editing software, providing it to you for free in the App Store, hosting/distributing the work on the iBooks bookstore and handling all the payment processing. Apple will also promote books in a similar way that they promote apps and songs as "featured content" in the iTunes store.
Hosting your book online for money IS something, it's a big thing. It costs money to host a web site and hope and pray someone will find and buy your book from it, or money to advertise the site to get people there. Apple is also providing you a way to get paid for your work, get published, and protect your content from being distributed outside the official iBook store. (No one's a big fan of DRM until it's YOUR work getting ripped off...) Sure, you have a web site and you can sell it yourself, but now you have PCI DSS compliance headaches and costs to consider to have your site tested at least once a month, and they don't process the cards for free and put the money in your account for nothing. Chances are the processor and the bank will slap some fees on you for those services since they have to comply with PCI as well. Nor will all users feel comfortable buying your ebook off the internet from your site vs Amazon or Apple.
When you add up what it would cost to develop, distribute, protect, and market a multimedia ebook on your own, 30% suddenly doesn't look that bad.
Mine's the one with the iPad in the pocket...
IF you don't reuse them then you don't have to...
Big if there, and with so many websites around most people use one or two (hopefully) strong passwords on a number of sites. If any of them are compromised and the hashes decrypted (let's face it, brute forcing passwords ALWAYS works by definition) you now have a username, email address and password (as well as other personally identifiable information) that you can use to compromise other accounts.
Random usernames and passwords on all accounts for every web site you access are well beyond most mere mortals, but there are a number of devices and software solutions out there to do this; people just need to invest in something that works for them and start randomizing their passwords. Personally I like MyLOK from ii2p (www.mylok.com), but it's currently only available in the US due to export limitations on the technology. Just find what works for you and use it!
Cloud Security = Oxymoron
Clouds as implemented by today's technology and cloud hosting providers are not securable unless you physically own all the hardware and networks involved, which defeats the cost savings of leveraged cloud hosting. (aka a private cloud, which is basically outsourced virtual server clusters)
Don't believe me? Ask your provider to demonstrate how they can trace an intrusion or network connection through the leveraged cloud: which servers were compromised when, which routers, switches, etc. Most of the major hosting providers simply cannot provide the basic incident information you need to do a proper investigation or the documentation required in most courts. It's hard enough to do this effectively with physical systems in a court of law, let alone trying to explain the layers of abstraction involved with the virtual machines in a cloud.
Log management/reviews: how do you merge all those server logs into one unified, manageable source? Well, that's more hardware and software = more $$$. How do you monitor your network traffic to detect anomalies? You can't. Why? Well, because you might have visibility into other clients' packets. Or worse, if they let you, then that means someone has access to yours!
More important questions to ask are where exactly is my data located in the cloud and how many others share that same storage? Are the backups of that storage segregated or are they mixed together? Why, you ask? Well, all it takes is one warrant for all data, tapes and servers for company XYZ, which live on the same infrastructure as yours, to ruin your whole company. If they are mixed (and most are, again for cost savings) not only did you lose your servers (easy to replace) and the SANs (little harder to replace, and will take a while) but your backups as well! Possession is 9/10 of the law in the US; the hosting provider owns the servers, the storage, and the backups, and in many courts they own your data unless a clear agreement is in place. Even so, that agreement will not save you from a shutdown in the scenario above.
Worse, if you are a smaller customer you may have to wait longer while the high priority customers get online first. Hope you have up to date disaster recovery and business continuity plans in place.... or at least an updated CV on hand, you may need it.
Finally, if the hosting provider is replicating the data in multiple countries you also can get in trouble, especially with things like personally identifiable information; things that are commonplace in the US, for example, may be against the law in the UK.
Not secure and in many cases more trouble than they are worth! IMHO the cost to implement a secure cloud environment with today's technology will generally cost more than traditional server farms for most implementations. Fine for blogs and public information, but I would resist the hype about putting proprietary, sensitive, or business critical data on them. If you do, good luck come audit time! :)
Price - Air Display is a bit more expensive; I think I paid around $10 for it when I purchased it last year. Well worth the cost though; for $8 more you get an app that works as a spare monitor on BOTH Mac and PC as well as touch screen remote control. I use it with my MacBook and iPad when coding/debugging and when giving presentations on the road.
And for those of you who complain about the price of the iPad vs a second monitor, well, the iPad is a lot easier to travel with, plus it's wireless! I don't think I would want to lug even a small LCD around the country with me; even if it survived the baggage handlers, the extra bag fees eat you alive these days! :-)
And yes, you can use VNC or similar free remote control products to do the remote control or monitor mirroring; in fact that's what I used to do when driving presentations from my iPhone, but it does not give you the option of 2 monitors, which is great for development, that these products do.
Air Display works great on Macs, I have had no issues on any of my 3 Mac systems running it on Leopard or Snow Leopard. I did hear some Windows users were having intermittent issues with Windows, although I have not had a problem with this when running on my Windows 7/Vista test boxes; your mileage may vary.
@chem Serious lock?
Seriously? Most PC case locks take less than 2 minutes to circumvent if you're serious about getting in and have a little know how, a bit longer if you're trying to not leave any physical evidence of the intrusion. :-)
All kidding aside though, valid point: if you have physical access to the box you have the box, and by extension possibly the network; it's only a matter of time.
I've worked at places that went to great extremes, even to the point of "disabling" all external ports; in all cases if you really want to get in you can get in. Just like cracking a safe, it's just a matter of having three things: 1) the time to get the job done, 2) the right tools and 3) the knowledge of how to use them.
What concerns me the most is the tools are more readily available, faster and easier to use than ever...
Mine's the one with the lockpicks attached to the USB stick.
A couple things missing....
Ok, I recently took the plunge and purchased the 17" MacBook Pro. So far it's been the best laptop I have ever owned, and I have owned several over the years including some from Alienware and other high end laptops. (I'm an IT veteran of over 25 years.) I'm mostly a web security architect and software designer these days, not a gamer, and so far I am extremely pleased with it for what I need.
Few points to consider here:
Overall build quality - The MBP17 is by far one of the most solid, well engineered laptops I have ever used. Every detail appears to be well thought out and not just thrown in there because it fits that way, the way most PC laptops seem to be in comparison. It's less than half the thickness of my wife's 6 month old HP laptop (without its bulging battery pack; with it, it's roughly 1/4 the thickness) and even though mine is a 17" and hers is a 15", mine weighs less. Its solid aluminum body, while not colorful, is classy, and I think makes the plastic ones look cheap personally. Small touches like a closing cover over the express card slot to keep dust out and the clever button that shows you the current battery charge without booting up are very nice. The MagSafe charger cable and brick are much nicer than any PC power connectors I have used; no shorting or sparking if you connect a live cable. (Haven't we all at least once done this?)
CPU - All of the MacBook Pros support hardware virtualization, even the lower end 13" models; most of the PC laptops you will find at the big box stores do not (or at least didn't as of a month ago when I was looking around). Anyone running Windows 7 who wants to ever run MS Virtual PC (aka Windows XP mode) on their laptop will be disappointed after shelling out the cash for Windows 7 Pro or Ultimate to find the hardware on their new PC won't support it. I do a lot of development so VMs are a must. Enterprise customers need the XP mode for legacy software.
Flexibility - You can run a PC on a Mac, not the other way around. And with the latest Parallels software the PC apps just show up in their own apps folder. Start up and shutdown of Windows 7 is faster than on a similarly configured PC (the PC actually has more RAM, maybe that's part of it, but who knows). The PC based apps I still use run fine without issues.
Office Apps - I run Office 2007 and 2010 on the PCs, OpenOffice on my Linux boxes, and I run Apple's iWork package on my Mac, mostly because it was less than half the cost of MS Office. Yes, Office has more bells and whistles, but I find the items in iWork easier to use to create stunning layouts; I even find myself using Adobe InDesign less and Pages more and more.
The touch pad - It's a multi-touch pad, not a touch pad, and yes it takes a while to get the hang of, but it is very intuitive and powerful. I have never been a fan of touch pads, in fact I hate them with a passion, but this one is easier and works better than any I have ever used, and I almost never use my mouse anymore, just the pad.
Battery - While I'm not seeing 9 hours on battery while actually doing work (I did bump the cable out one night and it ran on battery for over 10 hours idle though), I constantly get a good 5-6 hours doing regular work (coding mostly) with no issues or fear of completely running out of power. I have yet to have a Windows laptop provide me the same performance without a bulky spare battery pack attached.
Support - The one time I called support for an issue with the Time Machine backups (which turned out to be a bad external drive, not the Mac, btw) I was connected to a support person in under 2 minutes and then escalated to a specialist in under 5; the problem was sorted in quick order. In contrast to HP, which is supposed to have the best support in the PC world, a similar support call took over 3 hours. Time is money; I need to be working, not running through the same thing 10 times over and bounced around the globe.
Out of the box - While various PC makers add various software (mostly trials), with the Mac you get enough to get started with for most needs: iPhoto, iTunes, iMovie, Mail, iCal, Preview (document/PDF reader), GarageBand, Time Machine (automatic backups), iDVD, Safari, Photo Booth, iChat, etc. all come out of the box. This is enough for most home users. Most other software, as mentioned earlier, is easy to find and install. (In OSX you just drag the file to the apps folder to install.) You also get a full Linux and X Window environment as well, as well as a relatively easy scripting language and automation tools.
Developer tools included - Yup, Xcode is on the install DVD; just install it, and now you can write, compile, and debug software for the Mac. Last time Microsoft shipped any development tools with Windows was what, DOS 6.22? Yes, you can download the community versions of their development tools, but it's just not the same. I honestly did not expect to see this for free on the Mac but was pleasantly surprised.
Finally, the dang thing just works; it does what I need when I ask it to. My letterhead in Office 2007 always fights me after saving the initial template; in Pages it just works. No hangs, no spontaneous reboots, and I can set up remote ssh/ftps mounts and work with files on my servers directly. Almost no learning curve for me, but if I did need help I can always schedule a one to one training session at my local Apple store for free with the AppleCare.
Bottom line, like many things in life it's still a "ya get what you pay for" situation. You pay more for the Mac (a lot more, granted) but if you can afford it and it suits your personal and professional needs I would go for it. I don't think I'll buy anything else from here on.
Side Mounted Drives?
I get nervous when I see side mounted drives; it could just be my experience, but they seem to go bad faster than mounting them top side up. I'll stick with the Buffalo TeraStation Pros for now; I have been using their products for about 3-4 years now for backups and they have performed flawlessly.
Wouldn't a more proper title be...
"Tata's Datacenter goes tits up?"
Been doing that for years....
Used to be you could buy the Snapdial software and USB cable at your local Best Buy stores here in the US; its sole purpose was to use your cell phone as a wireless internet adapter, and all you needed was a cell phone with an internet connection... The only drawback is it dropped the connection every time someone called your cell... Tethering is nothing new...
No big deal...
This is not that big of a deal; just flash the BIOS before you reload the OS on the box, problem solved, unless they prevent flashing in some way, then in that case just replace the chip. If this becomes a real problem someone will have a standard service (mail us your BIOS chip and we'll overnight you a new one) or some kit to make this easy even for consumers.
Paris well she's now crying because she doesn't know how to flash the BIOS and now has to wait an extra 5-10 minutes more for me to fix her computer.
The real question is...
How was a helicopter that is not able to take off vertically under load allowed to be selected in the first place, no matter who makes it? If the base configuration is not fit for purpose, who in their right mind would think it would even get off the ground after you add all the extra kit on it? Just a little common sense could have avoided this whole mess...
I think the big win here would be for the boffins at DARPA and for the larger governments who need an OS that could reboot immediately to its previous state after a massive EMP discharge. If you can harden the system and the flash memory you could significantly reduce the time needed to get critical systems online and the vehicle or device back in the fight faster. For warships and tanks that may not be that large of a concern, but any modern fighter plane or bomber that loses all computer control is basically a flying brick until those systems can come back online; every second counts there.
We may never see it in the commercial sector but there is a niche for it, and a highly lucrative one at that.