799 posts • joined 29 Jun 2009
Usually they'll try and abuse the 'reset my password' feature, especially those with 'security questions' that people will fill in with information that is very easy to look up (like what happened to Palin in the 2008 elections). Then there are a lot of attacks using dictionary attacks (usually an abridged version is used first before trying to reset the password, just in case the account holder is a class-A moron). Although password reuse attacks are on the rise, especially with all the recent major breaches.
How do they know it's not the other way round
That men with a large number of children are better at navigation because they want to get away so much faster?
Re: Good luck, at the end of the day
From other projects I've read about; they'll build many copies of a space craft: One primary to be launched, a second one in case the first is found to be defective on or near launch.
Then there will be several engineering copies to test one or two pieces. None of these will be full copies, but you can assemble one from multiple models with dummy components taking the place of the systems not under test. One might be used solely to test the drills, another the landing gear, and maybe a third that is the drill and landing gear sections. These copies only get used once since they get pushed through stress testing and you're not going to test against an already-stressed component.
Wakes up when it gets sun
Knowing the way that western organizations build spacecraft and that it was built by Germans, I imagine there will be some time millennia from now the comet breaks from our star system and finds itself orbiting some star, waking up, and freaking the hell out of some sentient beings on another planet.
I've chosen such datacenters because of the carrier
Usually because we have customers of that carrier complaining about speed so we stick some servers for a CDN / Reverse proxy farm.
Re: What's so neat about it?
State laws do not apply to federal land, however, most federal agencies will play nice with the locals. Especially when it comes to things like power plants, weapons caches, and air strips which can present an unacceptable risk to the lives of the local populace or to property in the area.
With that kind of money
Why doesn't Google just buy Moffett Field? Or better yet, why don't they build their own facility out in Nevada/Arizona/New Mexico/Etc. for a fraction of the cost? As a bonus, they would no longer be held back by California's laws so they can test whatever they want.
Re: "side loaded" apps?
"interfacing via the App Store where other software installs work" that's what I was thinking. Make everything simple by setting up the store with an Apple cert for publicly available apps and then allow enterprises to install their own certificate alongside the Apple certificate to verify their deployment server.
Or better yet, flip the authentication method where the client (phone/pad/pod, whatever) verifies the server's certificate and presents its own once it's verified. Done properly, it would allow enterprises to publish their internal apps to the main Apple store and make it only available to a select number of client phones by way of adding whitelists of certificate hashes (with each phone having a different client cert). These apps would then be signed by Apple, rather than the Enterprise. This would create a scenario where the IT department of the company no longer needs to maintain infrastructure while still ensuring that their users get verified apps and staying as secure as they can be.
This could then be expanded to allow developers to build right to the App store and deploy to only their own phones/devices and ones registered in a white-list. Hell maybe Apple could offer a cloud-based repository/build system; write code, commit, Apple servers build it, do some preliminary tests, sign it, push to store, app gets pulled down by phone if it's on the proper whitelist, device sends back debug data to the Apple dev cloud and reports are filed into the code's repository. As the app is polished and tested, the whitelist is expanded to include beta-testers, then finally the targeted audience.
If you're going for a walled-garden/big-brother approach, you can't take half measures, otherwise stupid crap like this exploit happens.
(Note: I have only a high-level view of what Apple does, the last Apple device I've ever used was a Powermac all-in-one in the late 90's)
Why would they allow installs from text/email?
Given their walled-garden approach, I figured they would have set things up so that executable code could only be modified by the store app, and only during an install requiring your password. Otherwise the file system the binaries are on stay read-only.
They control one or more TOR nodes, so they could watch as it passes through the first node, and see what the packet looks like on the other side. To ensure that they know which packet is theirs, they could cut traffic to that node from external sources just long enough so theirs becomes the only packet passing through it.
As for tracking it, I'm sure that they have a full map of where every tor node sits and have wire taps at their closest routers (well, closest that they control).
I figure it would be something as simple as a GET request to a targeted server and following it by way of packet dumps on ISP routers (well, the encrypted packet containing the GET...)
Just a thought
This attack would be so much harder to detect and block by utilizing a botnet, simply install the proxy code on a botted machine and rotate which bots are serving up the pages (just have the CnC server constantly update a DNS server operating as the NS server for the phishing site and set the TTL ludicrously low to eliminate lost connections from people shutting off nodes in the botnet).
Although, come to think of it, a botnet of proxy servers might not actually be a bad thing in the right hands...
Re: "legitimate site would find it very difficult to detect these attacks against their customers. "
I don't expect anyone to use my solution as the only method of fraud detection, merely as a simple filter for more rigorous testing, such as comparing previous postal / country codes used by customers on that IP. Which in your examples, would match or at least be similar.
Like the 419 scammers, phishers are typically looking for people that are just stupid enough not to notice the errors since they would be stupid enough to fall for other phishing sites as well (And thus reduce your chances of getting caught, since the victim won't know which shady website stole their identity; you also get people that are so enticed by what is being offered, that they'll do whatever you want).
Catch a smart man with a good phish and you'll eat for a day; catch a sucker with a bad phish, and you'll eat for a lifetime.
"legitimate site would find it very difficult to detect these attacks against their customers. "
Look for multiple customers coming from the same IP, easy peasy.
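The two-stage filter described in the comments above (flag IPs shared by several customers, then compare the postal / country codes those customers used before), as an added example that is not part of the original posts. The sample logins, customer profiles, thresholds and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (source_ip, customer_id) login events.
LOGINS = [
    ("198.51.100.7", "alice"), ("198.51.100.7", "bob"),
    ("198.51.100.7", "carol"), ("198.51.100.7", "dave"),
    ("203.0.113.20", "erin"), ("203.0.113.20", "frank"),
    ("203.0.113.20", "grace"), ("203.0.113.20", "erin"),
    ("192.0.2.55", "heidi"),
]

# Constructed: country and postal code each customer used on earlier orders.
PROFILES = {
    "alice": ("US", "98101"), "bob": ("GB", "SW1A 1AA"),
    "carol": ("DE", "10115"), "dave": ("US", "30301"),
    "erin": ("US", "98101"), "frank": ("US", "98104"),
    "grace": ("US", "98052"), "heidi": ("US", "10001"),
}


def shared_ips(logins, min_customers=3):
    """Stage 1: source IPs seen with at least min_customers distinct accounts."""
    by_ip = defaultdict(set)
    for ip, customer in logins:
        by_ip[ip].add(customer)
    return {ip: c for ip, c in by_ip.items() if len(c) >= min_customers}


def region(profile):
    """Coarse location key: country plus the first two postal characters."""
    country, postal = profile
    return (country, postal[:2])


def proxy_like_ips(logins, profiles, min_customers=3, min_dominant_share=0.6):
    """Stage 2: keep shared IPs whose customers do NOT cluster in one region.

    An office or campus NAT puts many customers behind one IP, but their
    known addresses match or are similar. A relay in front of the site
    gathers customers from unrelated places.
    """
    flagged = []
    for ip, customers in sorted(shared_ips(logins, min_customers).items()):
        known = [region(profiles[c]) for c in customers if c in profiles]
        if not known:
            continue  # no history to compare against; leave for manual review
        top = Counter(known).most_common(1)[0][1]
        if top / len(known) < min_dominant_share:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print("shared:", sorted(shared_ips(LOGINS)))
    print("needs review:", proxy_like_ips(LOGINS, PROFILES))
```
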
Probably a vast majority of those certificates are used on other servers
I figure the reason why many sites haven't revoked the old certificates is that they aren't done replacing the old ones, like they may be used in DR sites or cloud services and they are waiting until those have been replaced before revoking the old certs. A lot of companies I've worked with wait until primary production has been proven to work for some time before the change can be made in DR.
After all, it would be pretty stupid to revoke *then* issue new certificates since that would leave a time period in which no encryption is possible.
Not that uncommon
I've seen many a packet end up going on a round-the-world journey simply because one link broke and its back-up link happens to have a cost that brings it just higher than going around the world. Happens a lot with peers that have global networks and low link costs between segments.
Although I've seen some pretty stupid routes where the link-cost on a satellite with a latency of 500-600 ms is assigned a link-cost lower than that of a fiber line across three ISPs but only has latency of 300 ms.
Routing on the internet can get really stupid sometimes since it's just a bunch of networks stitched together in a poorly woven fabric of fiber and copper.
Re: Importing meth into the US
Actually, that's not true anymore; most meth on the streets in the US is manufactured in Mexico. The Cartels are able to use their immense amounts of power to manufacture meth at an industrial scale and far more efficiently than a small lab in the US, especially since they can get all the chemicals they want without scrutiny. They also have the advantage of having a very good smuggling and distribution network already in place that they've been building since the 1960's.
So much money wasted
I find it hilarious (In a Kafkaesque sort of way) when you compare how much money that's been wasted on 'Homeland Security' vs. how much money Al-Qaeda spent to attack us. It worked out to be that for every person that died on 9/11 the US has spent over $10 million dollars (and rising) in revenge, where Al-Qaeda has spent a measly $5. Talk about an impressive ROI... Their goal was to make us terrified of them and to be living in constant fear; in that way it looks like they achieved a victory so perfect that it can be used as a standard for purity of diamonds.
Especially since the easier way of destroying these 'terror groups' would have been so much cheaper: cut off their pool of recruits by helping out villages and convincing the people there that it would be far more beneficial for them to live peaceably with the West than to attack innocents. Farming, building, and manufacturing equipment is far cheaper than cruise missiles and jet fuel.
If your paper/article/post has a question mark in its title
Then prepare for me to ignore it. The point of Academic papers is that the author has done all the leg work and research to answer a question. The title is supposed to tell us, in as few words as possible, what they discovered. The same goes for news reports and any other form of reporting. If I wanted to read a lot of words before coming to the point of the piece, I'd pick up a novel.
To me the question mark is a big red flag saying that the following piece is nothing but click-bait (along with such words/phrases as '... might surprise you..' and '..you must read this before...'). Incidentally Buzzfeed, upworthy and their ilk are blocked on my firewall...
Re: Including the 3 digit security code?
Indeed, the 3/4-digit security code is supposed to be entered every single time and never stored and used as an extremely basic 2FA method. Otherwise what is the point of its existence (Well, it's a piss-poor attempt at fraud prevention, so really it shouldn't exist in the first place and instead be replaced by an actual OTP token)?
"a less severe fine that didn't run the risk of putting the company out of business."
They should go out of business. Simple problems like this need to stop and they won't until someone starts making an example of the offenders. And a fine of £7,500? The company won't even notice that, hell I wouldn't have a problem paying that fine myself. At least make the fine much greater than the cost of fixing it (and then if they fix the issue, provide a discount equivalent to what they spent doing so).
Why not implement a dual-hash (or multiple-hash) system?
Why is it that certificates can only have a single hash? Having more than one would increase the difficulty of finding a collision that satisfies both hashes. Theoretically this would allow certificates to remain safe long enough after the hash was found to be easily exploitable to let it just expire and re-issue a new one without the weak algorithm. Plus it would have the advantage where old clients that support only a very weak hash can still verify with a single hash and ignore the others (Or ones that don't need the extra security and have very low compute power as it is); allowing for certificates, clients, and servers to use $standard +/- 1 without compatibility issues.
I use a similar thing when verifying OS install packages, I run an MD5 and SHA-256 hash on them when I first get them and when I install on my beefy systems, but only do an MD5 on my low-powered single core boxes.
"[I]t does however have a much lower complexity than a complete brute force attack."
Umm, no. Brute-force is the least complicated attack possible (Since it's just n = n +1;). It may be much quicker, but can't possibly be less complex.
Of course it isn't the Chinese government
No, the attacks are being carried out by loyal citizens of the People's Republic that just happen to be getting money from the Chinese government for reasons that are totally not related to hacking or other types of cyber-crime (why would you think otherwise?)
The problem is ISPs
I've been trying to support IPv6 on my network for a few years, but the ISPs I connect to refuse to even bother with supporting IPv6. While Comcast does technically support IPv6, it's only for dynamically assigned addresses on residential connections, if you have static IPs, you're stuck with v4. The only other game in town is Qwest DSL and it has a maximum upstream speed of 768k (Not even sure if they support IPv6 anyway). I've tried IPv6 tunnels, but the latency on them is complete crap (not their fault, just intermediate ISPs).
The only way to get IPv6 on the internet natively around here is to use one of the big NSPs (Level-3, Hurricane Electric, Global Crossing, etc) and those will set you back a nice big bundle of cash.
ICANN - A tumor on the internet
Funny how a glorified DNS operator managed to turn into a bloated bureaucracy in such a short time. I was confused to why they needed such a huge pile of money and now I know: ridiculously expensive meetings in hotels around the world and bullshit jobs with extravagant paychecks.
Why the fuck do they need to meet in person anyway? What's wrong with doing video conferencing? Oh right, then they can't waste as much of our money.
If you buy something because of benchmark figures...
...then you get what you deserve.
Another reason it might be pointless
Consider how many websites are hosted in the US anyway, or at least owned by US companies. Almost all the data that would be heading to Europe will just end up getting re-directed over to the US anyway (Or at least the meta-data).
A quick look at Alexa's ratings for Brazil seems to confirm this. The top 100 are either located/owned by a company in the US or hosted/owned by a company in Brazil (So it wouldn't go across that pipe anyway).
Re: "it's open, lots of eyes can see the code"
I've always hated that thought, just because a lot of people *can* see the code, doesn't mean that they *are* or even that they understand what they see. Most of the time I see it as an excuse to not bother with verifying code because someone else will. You end up with things like OpenSSL that had a lot of eyes looking at it, yet no one noticed Heart-bleed for quite some time.
"The same applies to MS Windows Update "
Well, they would need to get both an SSL certificate and a code-signing cert that match Microsoft's public keys for both (the expected public key is shipped with Windows, and any updates to those keys are signed by the one before it).
It can be done, but it would take a really sophisticated attack campaign or the backing of a very powerful government. Of course while there is a guarantee that it hasn't been tampered with, there is no guarantee to the quality of the code itself...
Re: Why bother to impersonate a real newspaper?
Of course given how quickly Facebook rolls over when a nice man in a uniform hands them a piece of paper, the FBI wouldn't even need to post anything in the first place.
Why bother to impersonate a real newspaper?
They could have created a page purporting to be the 'Seattle Harald' or 'Puget Times' or something like that. Hell, they could have even published an article right from the FBI website as a press release and he would have still clicked it. Although if they were to have tried it through Facebook, they wouldn't even need the suspect to click on it; simply posting it to his 'wall' would cause his machine to send an HTTP request to the destination next time he looked at his 'feed' (to create the thumbnail).
"Most yachts operate on a very tight electrical budget."
And that is why smart sailors buy a hand-held radio to use in emergencies and when the main radio is turned off. It'll usually have a much shorter range, but long enough so that they can get out of the way if a larger ship is nearby.
"get around air-gaps by routing messages between local directories"
Then they aren't true air-gaps. Although seeing how some defense contractors set up their networks, I'd say the air-gaps are between the ears of their network security personnel...
There was one place that was too cheap to buy two machines for each of their high-security employees, so they installed a second NIC in each machine and placed a script on the user's desktop that would disable one NIC and enable the other.
It could be that the IT people currently working in these companies with open positions are working massive hours of overtime or are currently doing two jobs at once. Perhaps the company wants to expand their IT services but only has enough staff to maintain what they currently have? They could also be looking for people to fill positions that are currently being filled by contractors or off-shore folk.
I'd imagine that most of those people would be mostly the old white-beards and "Real Programmers"; especially those that have been with the company for many years and are the only ones that know how to get the legacy applications to work (Because they wrote them).
Re: Slight overdesign/overbuild
Sometimes I wish NASA would get into building servers; whenever they build something it ends up lasting 10 times as long as designed. But when HP/Dell/IBM/Cisco/etc build something, it barely limps a few days beyond its warranty date...
Re: 18 light-hours in 37.2 years...
I think acceleration would account for the speed difference. It's been traveling for 37 Years now so all the little pushes it gets from its thruster have added up. Plus all the planets and other large objects it's passed by have also given it some pretty big pushes.
To be fair, South Korea does have a fairly dangerous enemy nearby who has a very powerful ally. Unlike the USA/UK who seem to be scared of shadows.
Real network equipment should generate an ssh key on its own the first time it's booted up (and before it turns on networking) and refuse connections from anything until you directly connect a serial cable to it and manually turn on remote management.
" Tinder for the dating app "
If that's what they were going for, they should know they spelt it wrong... The app name is spelled without the 'e', like a lot of idiotically named web2.0 crap (See 'tumblr' for a great example of idiocy).
I've blocked every TLD longer than 3 characters, nothing of value has been lost
Some years ago, I blocked any DNS request for any name where the last component is longer than three characters (Was originally intended to prevent single-label names from getting outside my network) but now it's blocking all this stupid gTLD bollocks (Also blocks .info, but was there anything worthwhile in there anyway?)
What was the point?
The Chinese government is just going to tell him the attacks weren't them despite whether it's true or not. It's not like Timmy would know if they were lying anyway. Even if they did lie to him and he found out, what is he going to do about it?
Seems that this is just a PR event or 'Not Steve' is trying to recreate 'The Mouse That Roared'
Re: They truly think we're all idiots
But then who oversees the overseers?
Re: The Mind Boggles
No, you're thinking of the other group of xenophobic old white dudes wasting our money (I think the politically correct term is 'Senator' or something)
Might be a good way for the NSA/GCHQ to get back into our good graces
Since they have the capabilities, I would like to see them break into these sites, and replace each entry with a picture and personal details of the person that posted the images. Turn the whole website into a directory of "Terrible people that under no circumstances should you ever trust"
An arms-race that will never end
The fight between Rights Holders and Infringers is a fight that will never end. The only thing that ever changes is how screwed we, the innocent consumers, are from all the collateral damage.