Re: Extended life expectancy for mobes
"what makes them die so young?"
The smaller you make the components the less able they are to tolerate minor defects.
16427 posts • joined 16 Jun 2014
"Then what happens when you're told you just lost a big deal because of your paranoia"
And what happens to you when your lack of paranoia has let in malware that's closed down your IT network for a few days or allowed access that's enabled a few million of your favoured currency units to be looted?
"You can't steal an identity. They are permanently attached to people and impossible to remove."
That's a debatable point.
For the purposes of identifying oneself for an increasing proportion of transactions "identity" consists of a few pieces of data. Given those - or maybe a subset and a bit of social engineering of the service provider - then a criminal could start to get control of of other aspects. An instance would be getting a bank to send out a replacement credit card to a different address. Another would be getting a password reset to something the criminal controls.
We're used to having to remind people writing of "copyright theft" that it doesn't meet the ingredients of theft. But this is different. If the criminal takes control of various aspects of the individual's identity, at least within this meaning of identity, then the individual has indeed lost something and the criminal has gained it. It wasn't permanently attached and it's certainly arguable that it's been stolen.
"Crime recording standards generally only allow crimes to be reported by the victim or an officer."
Clearly things have changed. Back in my day I took part in quite a few murder investigations and I don't think all the victims lived long enough to dial 999 or was stumbled over by an officer who nobody else could call because they weren't the victim.
It depends on whether your use of the product depends on an ongoing arrangement with the vendor. If it doesn't then you don't need to worry. If it does then you should realise that pretty well anything could go wrong. Even the most stringent T&Cs aren't proof against the vendor going out of business. If it's simply some item you can live without - a sound system for instance - you could just be prepared to write off your investment in hardware. If it's something that's looking after your personal media collection then you need backups or, again be prepared to write it off. But if it's something your livelihood or business depends on then you do need to think seriously about what could happen if things go wrong.
Risk involves both the probabilities and what you stand to lose.
"Cloud providers (as vendors) can be threatened by large customers to either fix their s[censored]t or customers will go elsewhere."
Threaten, yes; but to make good on that threat they need staff able to move the services and data elsewhere.
And they no longer have any.
"IT Security has three balanced priorities: Confidentiality, Integrity of data, and Availability.
IT and developers and CIO's also have three priorities: Availability, Availability and Availability."
Presumably you've never been a DBA. If you had you should have been aware that integrity of data was your first priority.
You're spot-on about bonus level managers, however.
"Would this be just as effective?"
Marketing department decides it's perfectly OK to spam customers irrespective of whether they wanted to be spammed or not. Hands over customer list to "digital marketing company" AKA professional spammer. Together they concoct email which is infested with links except web site managers refuse to host them so the spammer does that as well. Ends up training customers to be phished with customer list in hands of spammer to be re-used for other clients, sold on or both. Do we expect marketing departments to have security functions to make sure this is done properly?
"the fact that the crime was committed in the US (allegedly)."
Only in the sense of the US's extraterritorial extension of its criminal justice system. If he lived and worked in the UK it's likely that if he wrote Kronos (& see my response to Gumby) then he would have done so in the UK. However, the CPS would have required something like a proper prima facie case that they could present to a committal hearing. So far we've heard of nothing like that in this instance other than that he wrote an explanation of a technique which wasn't original, posted the code on Github and then, maybe naively, suggested that it had been the source of similar code in Kronos.
TL;DR In the UK it'd have been laughed out of court had it got there.
"The real question is why does the FBI think this is their guy?"
They need a guy so anyone will do?
Oh, look, here's a bit of code he posted publicly that he then says was incorporated in Kronos. That'll do.
Incidentally the author of this analysis https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/ suggests that the actual code has a longer pedigree than Hutchins publication and that the implementation is more sophisticated concluding "The level of precision lead us to the hypothesis, that Kronos is the work of a mature developer, rather than an experimenting youngster."
"In your laptops, get rid of the rubbery chiclet keyboard and use proper keyboards instead"
I have a little MSI I use when I don;t want to take my regular laptop with me. It has a chiclet keyboard and I don't give the difference a moment's thought. Press key and character appears on screen. That's what matters.
"look at how many other things the each reviewer has reviewd"
Also, compare the things "multiple" reviewers have reviewed. Several allegedly different reviewers all reviewed the same or almost the same set of products. Really?
"Then you put in writing why it can't be done and/or your misgivings about why it is a supremely bad idea."
It still leaves you as the man in the middle between sales and customer in a situation which could potentially end up in court. It's still not your job to manage customers' expectations.
In fact, in the case I was thinking of someone must have done that because the product, although ricocheting between a number of software firms seemed to have been successful in its niche market. I had a couple of short testing gigs much later when a client was migrating to bigger and bigger hardware. Because the name had changed I didn't recognising it when the first of these was proposed but hanging around in the front office waiting to meet the client I could see a use screen and thought that it was laid out just the way I'd have done it. Not surprising as I had. I also found that one screen still had place-holder text in the menu produced by my home-made code generator and left unchanged for 11 years.
"You could have read the article and realised that he was using the UNIX 'mail' application on a VT (aka dumb terminal) - likely a text only one... Some apps *did* run on VTs and offer the +/- idiom (ISTR trn did that) 'mail' most definitely did not."
The article isn't explicit about this.
All we're told is:
Server: Unstated on Linux -> Exchange on unstated (but a Windows server of some vintage)
Client: Unstated -> Outlook
Desktop: No information
In fact, at the technical level we're not even told half the story. If this is indicative of Newt's communication skills it's no wonder there were problems.
"I'll be a damn sight more respectful and will INSIST on learning the tools I need to use rather than just expecting someone else to do it for me."
Again, it needs to be pointed out that the user had learned the tools he needed. He never asked for them to be changed but someone did just that.
Remember that IT exists to help the business as a whole operate. As an IT staffer you can't exist without the operational people* because they earn the money to pay your salary. They, on the other hand, may take the view that they can do without you, especially if you don't appear helpful; they can outsource your job.
*Yes, I know IT can be part of the delivery system. Been there, done that. It was an aspect of being part of the business as a whole.
"Honestly- I reckon these users have to be related to one another!"
Probably not but they do train each other, especially if IT doesn't make the effort to do so themselves.
I can't imagine why they think it's a good idea but it seems to have been something that's happened for years so IT really should be aware of it and try to break the cycle by emphasising that what goes into Deleted can't be assured of coming out again.
Biting the hand that feeds IT © 1998–2019