13 posts • joined Friday 11th May 2007 12:09 GMT
Not SMTPauth - HTTP SSLStripping
The linked post seems to be of the opinion that the cause of the problem was a bogus web login page (or, SSLstripping+sniffing).
If SMTP (and POP and IMAP and active sync) were hard configured to use SSL, then no details would have been revealed - the client would not fall back to a non-encrypted connection.
It begs the question of how the attacker was able to redirect a browser to the non-SSL login page - at a guess the login page must be the gateway to a captive portal.
"wasn't encrypted [...] So a MiM attack is pretty straight-forward" - disagree - the layer at which you implement encryption is not nearly as important as how you implement the encryption.
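The point about hard-configured TLS in the post above, shown as an added example (not code from the original post or thread): a Python mail client policy that refuses to send credentials when STARTTLS is absent, run against a constructed local stand-in server that omits STARTTLS from its EHLO reply, which is what a client sees once the offer has been stripped on path. The hostnames and the loopback port are assumptions; no real login is attempted.

```python
import smtplib
import socket
import ssl
import threading


def start_stripped_smtp_stub() -> int:
    """Constructed stand-in, not a real mail server: it greets, answers EHLO
    with AUTH but no STARTTLS, and handles QUIT. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        rd = conn.makefile("rb")
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        while True:
            line = rd.readline()
            if not line:
                break
            verb = line.split()[0].upper() if line.split() else b""
            if verb == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            if verb == b"EHLO":
                # STARTTLS deliberately missing from the capability list.
                conn.sendall(b"250-mail.example.test\r\n250 AUTH PLAIN LOGIN\r\n")
            else:
                conn.sendall(b"502 not implemented\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def login_with_policy(host: str, port: int, require_tls: bool) -> str:
    """Return 'tls' if credentials would travel over a verified TLS session,
    'cleartext' if an opportunistic client would fall back to plain text, or
    'refused' if a hard-configured client aborts instead of falling back."""
    smtp = smtplib.SMTP(host, port, local_hostname="client.test", timeout=5)
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # Verified context: a forged certificate fails here, before AUTH.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            return "tls"  # smtp.login(...) would be acceptable at this point
        return "refused" if require_tls else "cleartext"
    finally:
        smtp.quit()
```

The opportunistic setting is the fallback the post warns about; the required setting is the "hard configured to use SSL" client that reveals nothing.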
While I have been extremely frustrated by support services (regardless of whether I'm paying for them or not) it costs money to develop, man and maintain these. Recovering some of the costs from a revenue share means that the costs are not being passed on to the customer via another route.
Removing charges from support services means anyone who
- takes time to RTFM
- bothers to think about their problem
....will be subsidizing the stupid and the lazy.
But worse - it actually encourages people to be stupid and lazy.
At least with a charged model you have the opportunity to recover at least some of the costs - when it's 'free' you'll never get your money back when it's the service provider's fault.
Somewhat lacking in substance
Bit disappointed in this article - heavy on rhetoric, a bit of opinion and no facts.
BTW, how much would it cost? In 2009, the guys at Backblaze costed their solution at 74,000 UKP per Petabyte.
Problem in chair not in computer
Of course they can "really do BI from the desktop"; the problem is a bit more complicated.
Making tools easier to use and more integrated does not resolve the fundamental problem: in order to produce accurate information from data you need to understand the structure of the data and the effects of transformations you apply.
Users have had access to spreadsheets for a long time - and in my experience, the quality of the tools they produce using such spreadsheets varies greatly. I've seen millions of pounds lost by a business due to a single bug in a spreadsheet application created by a user (tool was never tested, never documented).
Actually, I think BI on the desktop is a great idea - after all, the further we can keep *some* users from production systems the better ;) Once again, from personal experience, I've seen people without extensive IT training bringing a production system to a halt by running badly behaved / inefficient applications on transactional systems.
So we can give the users tools which are easy to use, we can train them in data structures and development processes, train them how to test their applications, provide them with version control systems and document management systems....at what point do they cease to be 'users' and become 'developers'?
Maybe it was smaller...
..then ate all the bugs?
Even from Microsoft this stretches the bounds of credibility
If third party cookies are not a security risk then why does Microsoft Internet Explorer (and every other mainstream browser) not allow them by default?
Their stated reason for using such cookies amounts to "we don't know how to, or can't be bothered writing a web-based single sign-on solution".
Their own worst enemy?
I work in IT and like Linux, but I often wondered why other people just didn't seem to get it. Were the political and economic factors colouring my judgement of the usability of the system?
When I started my current job, I was forced to go back to using a Microsoft OS and apps desktop - I found it a big struggle. Slow, unreliable, difficult to move data between tools, hard to manage, poor ergonomics. There are some things I think MS does better - SMB makes a lot more sense than NFS for most purposes, mailmerge in OpenOffice is still painful. But compare OpenOffice's template system with that in MS Office, or try to fix a Microsoft window above others when switching between apps...
I recently bought a new laptop for my daughter (aged 10) - it came with Vista, so I thought I would try it out before wiping it. Getting the system installed (OEMs don't ship PCs with Vista pre-installed - merely copied onto the hard disk with a bootstrap) took hours of effort (do you really want to run this program? HTF should I know what it does?). But I persevered and got a usable system set up.
My daughter is now pestering me to install Linux on it because it's so much slower and flakier than the (also 10 year old) laptop it replaced running Linux.
I welcome the fact that she's got access to Apple Macs and MS Windows machines - I think there is tremendous value in being exposed to different tools when learning about computing - it enhances the learning of the computing rather than just learning your way around a single application.
Open Source is certainly no less usable/functional than the commercial alternatives. As far as I can make out, the issue is only one of market penetration/perception.
I would agree that, with no barriers to entry, there is a lot of badly written open-source software freely available - but this is irrelevant to what most people are actually using computers for.
I'd like to believe that Mr Sutherland bases his opinions on a rather idealised view of civil liberties.
Under his proposals, I would be a terrorist suspect if I am seen to behave like a terrorist (by which I mean shopping in the same places, accessing the same websites - rather than more blatant terrorist behaviour like blowing things up).
I shouldn't be too bothered about being a terrorist suspect since surely our criminal investigation bodies would never tamper with evidence, the courts would never convict someone wrongly, and I wouldn't be disadvantaged indirectly by, say getting the sack from my place of work due to investigation as a terrorist suspect?
Except there are lots of documented cases where exactly that has happened.
At least I am innocent until proven guilty, and can't be jailed without a public trial? Wait a minute....no, that's not the case any more.
While we do have to put up with people pimping their warez regardless of their effectiveness, I think it's sad and pathetic that in the past 15 years we have replaced a legal enforcement structure designed to protect the innocent with one designed for punishing the guilty (with little regard to the collateral impact on the innocent).
Civil liberties have intrinsic value for protecting the innocent.
Follow the money.
+ instead of either acting itself or providing incentives for the private sector
+ the government insists that users are ultimately responsible for their own security
...but apparently not *liable* for their failures. If someone runs an open SMTP relay, or fails to install patches or does not have an adequate firewall they will become the unwitting accomplices of the black-hats. While establishing a basic standard of culpability is nearly impossible (although IIRC the London Stock Exchange require listed companies to demonstrate compliance with at least part of BS7799) without accountability in such cases there is little hope of decreasing the amount of abuse and the authorities have little opportunity to track back to the origin of the problem.
It is not simply a problem of jurisdiction which prevents states from implementing effective controls - the biggest barrier is that the problem has already got totally out of control.
I'd like to believe that the newer generation will pressure service providers to provide good and effective security which works both ways (other than its SSL certificate - how does your bank/betting site/ISP... demonstrate that it truly is the organisation you have chosen to place your trust in?) but am far from impressed by the quality nor the independence of IT education in schools.
+ In the case of phishing sites, surely the first defence should be that the ISP
+ running the phishing site has a 24 hours per day instant take-down
Please! This would open the flood gates to a whole new denial of service vector - one which is already being exploited, but fortunately only in a few cases. I can see this would be attractive to the state because it moves the problem out of their domain into that of private litigation. This would automatically favour those who would abuse the system and disadvantages the ISP, the site owner and the end user.
I don't have the answer to these problems (unless it's to install Linux!). Certainly as far as the vendor is concerned it seems to demonstrate how a market for lemons evolves and the problems inherent in monopolies.
yes, the money - but whose opinion is this?
"Chaired by Microsoft with the DTI and several key industry representatives..."
Forget the long spoons - look who's hosting the party.
While I couldn't agree more with the sentiments expressed in "I've said it before and I'll say it again" I worry that there are other agendas at work here. Should we allow corporate bodies (particularly foreign and multi-nationals) to have a controlling hand in steering education policy?
I'm sure every experienced IT professional has at least one story about the industry certified programmer/operator/administrator who demonstrates a complete lack of knowledge outside the approved curriculum. But at the moment, the primary and secondary education systems only seem able to provide ICT facilities by jumping in to bed with a single vendor.
Education, at least within schools, should equip our children with lifetime skills and a basis for making value judgements. I would rather my children were denied access to ICT than exposed to a corporate driven regime.