Domain: csoonline.com
Stories and comments across the archive that link to csoonline.com.
Comments · 110
-
Re:This is nonsense
Do you? Is that why the top 6 products with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities in 2017?
You're conflating two different concepts. We have no way of knowing what piece of code has the highest number of vulnerabilities. To find that out, we would have to freeze all development and then scour all existing code using some standardized methodology.
What you're talking about here is that the Linux kernel had the second highest number of vulnerabilities that were discovered. BIG difference.
The Linux kernel is open source and is by far the most widely used operating system in the world. Vulnerabilities in Linux are golden tickets, so people are looking for them all the time. Having a simple aggregate list like that is also of limited value because it doesn't tell you the nature of the exploit.
https://www.csoonline.com/arti...
Why, looky there. Ask yourself a question: How bad is this?
See, before Cisco fessed up, few people knew about this. It wouldn't have shown up on your list there. But something like this almost certainly trumps 20 regular vulnerabilities. It's nearly impossible to put something like this into open source software.
-
Re:Honeypots
Well, Roger Grimes agrees with you. He's been promoting honeypots as a security solution for years now.
IIRC he has always lamented that honeypots aren't a near-universal solution.
-
Re:It's time for revolt
Right, because life is completely binary, and either you favor the most safety regulation humanly possible, or else that means you are in favor of babies juggling electrified knives.
Fine. Pretend that those are not regulations that you are already subject to right now, that government has no business regulating commerce to forbid unreasonable hazards, and that IoT botnets have not proven that devices with generally-applicable default passwords are unreasonable hazards.
IoT botnets are totally fictional, like babies juggling electrified knives.
-
What's the CVE
for the latest Windows zero day?
-
Re:But can it run systemd?
NetBSD would never include it because it is unable to implement it. NetBSD is recognized as being in a pretty sorry state.
Here's a recent article to put BSD in perspective: "Are the BSDs dying? Some security researchers think so".
What this study has found is that NetBSD is the worst of the BSDs in terms of bugs, manpower, and support for modern hardware. Read the article for yourself and see. BSD really is dying, and that's not hyperbole or a troll. NetBSD is already dead for realistic purposes.
-
Re: Because in Georgia...
Sorry, got distracted and didn't catch some bad html cut'n'paste while editing. Ms. Smith's article's URL:
-
Re:This is a controlled experiment
It took me a while to find it, but it was Slashdot that pointed to a good article last month: https://bsd.slashdot.org/story... links to
https://www.csoonline.com/arti....
The author supposed that BSD will survive, but not necessarily FreeBSD. My thought: maybe this gigantic publication will further propel them down a course of ruin, if it doesn't indicate their status on that course already.
-
Re: What is today's date?
No, that's not what I said. It is about committing FRAUD, not just being inept. And yes, the two ARE different. Here's 10 CEOs who also committed fraud and all are in jail. Another CEO of a startup committed fraud and is going to jail. And here's another startup CEO going to jail because of fraud. Curiously, all those CEOs who committed fraud are going to jail. Why not Holmes? I'll tell you why: vagina. She is STILL the CEO because she is a woman, and kicking her out would be seen as sexist.
Why else would a CEO of a company, who committed fraud, NOT go to jail or be charged? Can you tell me?
-
Here are some historical systemd responses
R! /dir/.* destroys root.
Poettering: "I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?"
Processes owned by a user with a leading zero in the name are started with root privilege.
Poettering: "I don't think there's anything to fix in systemd here"
Systemd kills background processes after user logs out.
Poettering: "In my view it was actually quite strange of UNIX that it by default let arbitrary user code stay around unrestricted after logout."
'I have an issue with journal corruptions and need to know what is the accepted way to deal with them.'
Poettering: "Yupp, journal corruptions result in rotation, and when reading we try to make the best of it. they are nothing we really need to fix hence."
'Poettering locked and limited conversation to collaborators on 17 Apr'
There is a good reason he got the pwnie award:
https://www.csoonline.com/arti...
-
Re:The only phone company to respect privacy
https://www.csoonline.com/article/3235707/security/apple-samsung-and-huawei-phones-fall-on-day-one-of-mobile-pwn2own.html
I'd see if I could get those premiums back. There is nothing premium about Apple; it's a consumer hardware company like any other.
They jumped on the security bandwagon when all their other bragging points failed (iAds, the education market lost to Chromebooks, market share).
At that point the only thing they could boast about was profits, and that's not going to sound too good in a keynote sermon.
-
become a fake fire inspector and install at banks
-
Re:phijeer AAPL mighty pimp hand
You need to start with Intel, though. They are Bitch #0. They're the ones with the secret "management engine" hidden CPU explicitly designed to host rootkits, and the FSP boot blob perfectly crafted to allow NSA persistence in spite of "verified boot." Intel reference design is like Mossad/NSA's wet dream.
Now you, too, can disable Intel ME 'backdoor' thanks to the NSA
-
technical issues with systemd
I'm adding this here as the most technically egregious offenses related to systemd
Part of the reason why this award was given:
https://www.csoonline.com/arti...
Systemd dies if there is no cgroup support in the kernel.
Poettering: "To make this work we'd need a patch, as nobody of us tests this"
R! /dir/.* destroys root.
Poettering: "I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?"
Processes owned by a user with a leading zero in the name are started with root privilege.
Poettering: "I don't think there's anything to fix in systemd here"
Systemd kills background processes after user logs out.
Poettering: "In my view it was actually quite strange of UNIX that it by default let arbitrary user code stay around unrestricted after logout."
'I have an issue with journal corruptions and need to know what is the accepted way to deal with them.'
Poettering: "Yupp, journal corruptions result in rotation, and when reading we try to make the best of it. they are nothing we really need to fix hence."
'Poettering locked and limited conversation to collaborators on 17 Apr'
-
Re:"There for a meeting"
https://www.csoonline.com/arti...
As the article stated, the CEO (Straface) was the last one out of the building which implies it's late (7pm? 8pm?). Regardless, if you're in an office to meet with someone and you notice that no one else is around after 2.5 hours, that's usually a sign that your meeting has been canceled!
-
Re:Harvest it all, figure out what it's good for l
It is just an excuse to harvest your phone number.
For what purpose?
To sell it to Rachel from Cardholder Services, I expect.
What organizations have 2FA that might do this? I'm not saying there aren't any, but I can't think of any.
I don't know where Rachel from Cardholder Services got my cell phone number, but she certainly got it from somewhere.
Basically, what you posted in this thread can be summarized "oh, just trust them with the information, they won't misuse it. And anyway, I can't think of how I would misuse it, so obviously some corporation couldn't think of a way either."
...All information about a consumer is also a liability. Lots of organizations haven't figured this out yet,
Right the first time: Lots of organizations haven't figured this out yet.
but I think pretty much all of them savvy enough to be implementing 2FA understand it.
The historical record does not back you up on this.
https://www.comparitech.com/blog/information-security/biggest-data-breaches-in-history/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/
-
Re:Story link not included in summary
http://www.csoonline.com/artic...
What? The link is there and it works.
-
Story link not included in summary
-
Re:Yes
I'm still rocking XP for security camera duty.
I applied a registry hack to make XP think it's an embedded machine much like an ATM.
From the page:
Windows XP users might want to rejoice as there's a registry hack that will let those machines continue to receive security updates until April 2019...all for low, low price of free.
-
Re:BetaNews?
I guess this article is the one AC is referring to. Seems legit, but a little too esoteric for me to follow. It has links to other sources.
-
Re:BetaNews?
The indignant AC didn't post the link, but I assume it's this one:
http://www.csoonline.com/artic...
And yeah, it's a way better article.
-
Re:Story's Not Over
I am not a DDoS researcher -- but the previous largest DDoS I know of was the 602Gbps against the BBC
http://www.csoonline.com/artic...
Comparatively, during the 2016 olympics, 7.3 Tbps was served (presumably in addition to routine customer traffic) without substantial complaint.
https://www.akamai.com/us/en/m...
This DDoS was very possibly just another slightly-unusual-day-in-the-life of Akamai, but one that actually started to cost non-trivial resources (just like TFA stated).
Given the current structure of the internet, you asking any company to "handle it properly" for anything approaching the terabit scale is absurd. There is no playbook for that -- there's only sysadmins making the most solid QoS decisions their background and knowledge permits, and infrastructure investments. Most likely, there's sysadmins shuffling capacity around while trying to protect paying customers.
How many full-time sysadmin-days should be dedicated to a gratis customer -- even one as important to the world as Krebs?
-
Welcome to the grid, humans.
65535 @ December 21, 2013 4:38 AM
https://www.schneier.com/blog/...
@ Jackson
Your concern about the Cryptome report does raise serious questions. When carefully read, the Cryptome report touches on the subject of fingerprinting TOR users via a BT backdoor.
The Cryptome report also speculates that major CAs instantly transmit copies of clients' SSL/TLS certificates to the NSA and possibly GCHQ when purchased. This is quite troubling.
I will note that CSO acknowledges that:
'On the issue of the USDOD IP address referenced by the paper's authors, that block of addresses has been used by many firms over the years. It's a valuable piece of IPv4 real-estate that is often enabled internally by an ISP after they've gotten permission from the Defense Information Systems Agency (the part of the USDOD that manages networks and infrastructure).
Just last year, Sprint was using IPs internally from that block for their mobile network. So the fact that BT would be using it too isn't a shock to network engineers who have seen the paper.
'In short, one security expert told CSO, the usage of 30.x.x.x/8 doesn't really imply NSA monitoring at all. In fact, he added, "If you want a non-routable IP that won't break when using it, [the] DOD is your best choice."'
http://www.csoonline.com/artic...
But the Cryptome report goes much farther. It indicates that a simple ping test can detect the backdoor. Next you can telnet into the modem and see the actual configuration and un-hack the device (assuming altering the firmware doesn't violate the BT TOS agreement, causing your service to be terminated).
http://cryptome.org/2013/12/Fu...
[Cryptome pdf page 39]
"Easy Confirmation
"Step 1. Remove power from the modem and disconnect the telephone line.
"Step 2. On your PC (assumed Linux) add an IP address 192.168.1.100, i.e.:
# ifconfig eth0:1 192.168.1.100 up
"Step 3. Start to ping 192.168.1.1 from your PC, i.e.:
# ping 192.168.1.1
"Step 4. Connect a network cable to LAN1
"Step 5. Plug in the power cable to the modem and wait for about 30 seconds for the device to boot; you will then notice:
64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms
"You may notice up to ten responses, then it will stop.
"What is happening is the internal Linux kernel boots [inside of the modem], the start up scripts then configure the internal and virtual interfaces and then turn on the hidden firewall at which point the pings stop responding.
"In other words, there is a short window (3-10 seconds) between when the kernel boots and the hidden firewall kicks in.
"You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section."
The second step, telnetting into the BT modem/router, is shown on pages 40 to 44. The "un-hack" is on page 45 forward.
Other notable Cryptome pages include:
"All SSL Certificates Compromised in Real-Time" page 22
"Theft of private keys" page 24
"Tor User/Content Discovery" page 26
@ ron41, see TOR discovery from the Cryptome link. There is a fingerprinting method to determine TOR users.
"Covert International Traffic Routing" page 27
"Secure your end-points" page 30
"I'm an American, does this apply to me" page 35
@ *others who care, the paper indicates that NSA is using the very same technique and can discover TOR users (if this is true it is troubling).
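The quoted Cryptome procedure boils down to watching ping output for a short burst of replies that then stops. As an added example (not part of the comment or the Cryptome paper), the script below parses that kind of ping output and reports each contiguous run of icmp_seq replies, so the length of the pre-firewall window can be measured rather than eyeballed. It assumes ping's default of one echo request per second to convert a reply count into seconds; the sample output is constructed and merely follows the format of the lines quoted above.

```python
"""Measure reply windows in ping output (added example, not the page's own code)."""
import re
from typing import List, Tuple

# Constructed sample in the format quoted above: a device that answers for
# four consecutive echo requests and then goes silent.
SAMPLE_PING_OUTPUT = """\
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=115 ttl=64 time=0.923 ms
64 bytes from 192.168.1.1: icmp_seq=116 ttl=64 time=0.492 ms
64 bytes from 192.168.1.1: icmp_seq=117 ttl=64 time=0.514 ms
64 bytes from 192.168.1.1: icmp_seq=118 ttl=64 time=0.501 ms
"""

# One Linux-style echo reply line; anything else (header, timeouts) is skipped.
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<host>[^:\s]+): icmp_seq=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<ms>[\d.]+) ms$"
)


def parse_replies(text: str) -> List[Tuple[int, float]]:
    """Return (icmp_seq, round-trip ms) for every echo reply line in the text."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((int(m.group("seq")), float(m.group("ms"))))
    return replies


def reply_windows(seqs: List[int], interval_s: float = 1.0) -> List[Tuple[int, int, int, float]]:
    """Group consecutive icmp_seq values into windows.

    Each window is (first_seq, last_seq, reply_count, approx_seconds), where the
    seconds figure assumes one echo request per interval_s (assumption: ping's
    default of one request per second). A gap in the sequence numbers means the
    device stopped answering, which is exactly what the quoted procedure watches for.
    """
    windows: List[Tuple[int, int, int, float]] = []
    if not seqs:
        return windows
    start = prev = seqs[0]
    count = 1
    for seq in seqs[1:]:
        if seq == prev + 1:
            count += 1
        else:
            windows.append((start, prev, count, count * interval_s))
            start, count = seq, 1
        prev = seq
    windows.append((start, prev, count, count * interval_s))
    return windows


def summarize(text: str, interval_s: float = 1.0) -> List[Tuple[int, int, int, float]]:
    """Parse ping output and return its reply windows."""
    seqs = [seq for seq, _ in parse_replies(text)]
    return reply_windows(seqs, interval_s)


if __name__ == "__main__":
    # Typical use: ping 192.168.1.1 | tee ping.log, then feed ping.log to summarize().
    for first, last, n, secs in summarize(SAMPLE_PING_OUTPUT):
        print(f"icmp_seq {first}-{last}: {n} replies, ~{secs:.0f}s reachable")
```

Run the device-side steps as quoted, capture the ping output to a file, and feed the file to summarize(); a single short window followed by silence matches the 3-10 second behaviour the paper describes, while a device that keeps answering shows one window that never closes.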
-
Re:United
The chances that you're going to use that app when not on a United flight are pretty close to zero. So just uninstall it after the flight. And Android began supporting multiple users with Lollipop. If you're that paranoid about an app getting access to your contacts, calendar, etc, you can just login as a new user and install the app. Then uninstall it when the flight is over.
From the airline's perspective, I can see why they'd want to put this sort of thing into a proprietary app. They don't want to put it on a standard streaming or network file server service because curious (and sometimes malicious) people like us would then immediately begin probing it, seeing what else we could do with it, what security holes they might have left open. This sort of stuff can be fun and games when your feet are firmly on the ground, but don't screw around with it at 30,000 feet. Yeah security problems in these systems need to be highlighted, but we don't need a demonstration with live passengers aboard.
-
Re:Another reason for 2FA
2FA is great unless the company happily agrees to turn it off when a hacker kindly asks them to via web chat or twitter DM: http://www.csoonline.com/artic...
If someone can CALL or CHAT or DM and ask them to turn off 2FA, then the process is broken, the security is an illusion and using 2FA is worthless.
Luckily Paypal isn't trusted with something so important as your online identity - just your funds.
-
Re:I hope the virus was open source at least
"Kaiten has been open source since about 2001, so the code isn't something new or unique. Early reports on the hack said the IRC bot was Tsunami, which is technically correct, as that's one of the names used to identify the bot's core code (AV companies use this name too), but the code itself is Kaiten.c."
-
Re:Nice to have a black / white image of a person.
Boston Children's Hospital was likely in the wrong for what they did. Here's some background: https://www.bostonglobe.com/metro/2014/12/07/difficult-return-hospital-for-justina-pelletier/u4JXzmt5YsmWhYk95za2aK/story.html. Justina Pelletier had been diagnosed with a mitochondrial disorder, but doctors at BCH decided the ailments were mental. They claimed that Pelletier's parents were harming her by seeking medical treatments that the BCH doctors deemed unnecessary with their diagnosis. Pelletier was declared a ward of the state and spent over a year in a psychiatric health unit. Another article worth reading is http://www.csoonline.com/article/2147347/hacktivism/activisms-slippery-slope-anonymous-targets-childrens-hospital.html, which says that there was a note allegedly written by Pelletier saying that caregivers in the psychiatric health unit were abusing her.
Diagnosing some ailments is difficult, and doctors don't always agree. I suspect Pelletier's parents believed they were doing the right thing. Declaring her a ward of the state was a pretty awful thing to do. If the caregivers didn't treat her well, that's even worse. Campaigns on social media and going to the traditional media to protest this is absolutely warranted. Threatening to harm doctors crosses the line. Denial of service attacks against a hospital might affect systems used to provide medical care, endangering patients. That's truly wrong because it puts innocent people at risk of being collateral damage.
-
Re:Enough already!
itwbennett is not Bennett Haselton. Haselton has his own account that he posts comments (but not stories) from. 30 seconds with Google tells me that csoonline is owned by IDG. IDG, in turn, owns IT World where an Amy Bennett posts frequently. And, lo and behold, she also posts at csoonline.
Your tinfoil hat is a little too tight. Not all people with the name 'Bennett' are His Bennettness. This is just an example of someone writing for a publication and firing much of it through the firehose to see what sticks.
-
Save Yourselves the Clicking
Now you too can read all of itwbennett's Slashdot postings before he posts! Better yet you can ignore them on the original sites and know what to ignore on Slashdot! Remember kids, if it says "bennett" you've already stopped paying attention.
http://www.csoonline.com/about/rss/
-
RSS Feed to CSO Online
The RSS feed for CSO Online can be found here.
-
Re:Just bite the bullet
In the process of waiting for a new card. Even if I'm not liable, I don't want my bank footing the bill for criminal purchases made by someone.
This. Everyone seems all panicked about this (along with Shaws, a regional supermarket chain) - But why care? I shop regularly at both stores, use only plastic, and... I will lose exactly zero dollars even in the worst-case scenario.
I know people who currently refuse to shop at TJ Maxx because of that breach a decade ago. Yet, such people never seem to have a good answer for how much it cost them personally (correct answer: nothing). And I fully expect the same people to start using Lowes exclusively (because at least they only screw their own employees with poor security, amiright?).
Guess what, folks - It just doesn't matter. If you report any fraudulent charges within a reasonable time after getting your statement, you have no liability, with the bank, the merchant, and the insurance company getting to argue over which of them foots the bill. Debit cards have somewhat worse terms (you front any money stolen, and start sharing the liability if it takes you too long to notice any problems), but even with them, you still have one full statement cycle to notice any fraudulent charges.
Much ado about nothing.
-
Homeopathic Anti-Virus Software
Virus Shield, by developer Deviant Solutions, was a handsome, apparently easy-to-use security app for Android devices. For $4, the app promised hassle-free, ad-free security for Android users, without impacting battery life or performance. And, mostly, Virus Shield delivered - no ads, no fuss.
What's noteworthy is how successful Virus Shield apparently was: the app made it into several "top paid" lists on the Play Store, and was apparently purchased more than 10,000 times since its release on March 28, making it at least a $40,000 payday for the mysterious Deviant Solutions.
-
Tor does not provide bulletproof online anonymity
The Onion Router can obscure your online presence, but don't count on it to completely cover your tracks or hide your identity online.
http://blogs.csoonline.com/network-security/2778/tor-does-not-provide-bulletproof-online-anonymity
-
Re:What is Bruce Schneier's game?
Peer review is no panacea. I'm not going to argue against open-source, but open-source is at significant risk too. You can't pull an _NSAKEY but with the resources available to the NSA it is no big feat to weaken an implementation in a non-obvious way.
Silent Circle's approach is that they sell their software to the US and UK government. If the NSA were to require them to install a secret backdoor then the NSA would be compromising the security of all of their government customers because they don't sell two different versions of their software, it is the same for all customers.
In fact, I think you may very well be correct. I think it's time for folks to take another look at this story:
http://blogs.csoonline.com/1296/an_fbi_backdoor_in_openbsd
-
Re:Tinfoil Hats?
Then there is the Hardware backdoor from China, using the ASIC chip in US Military components
Citation please?
If you're talking about the Actel chip, it wasn't done by the Chinese: http://www.csoonline.com/article/707542/china-not-to-blame-for-backdoor-in-us-military-chip
http://www.cl.cam.ac.uk/~sps32/sec_news.html#MEDIA
-
Re:Typical US Law Enforcement techniques....
Or you know you could use a brain instead of the immediate assumption because the "government" or the "police" are involved that whatever they are doing is justified.
Absolute faith in authoritarianism isn't going to win you a gold star and it won't necessarily keep you from "even needing to think about them", that's the real world.
You realize that Megaupload responded to DMCA requests, and the actual evidence that was being used to justify this raid were files that the US government had specifically requested Megaupload's help with, in tracking down some of Mega's users that were infringing for a previous case the US was prosecuting? Then they turn around and use those same files to say Mega is in violation of US copyright law... because they were preserving those files. Of course the US gov claims there were no written instructions that told them to retain those specific files, which is irrelevant. They knew the files were related to their previous case and could have asked Mega to get rid of them if they were done with their previous prosecution... but they never did.
-
Re:Non-proprietary options?
First result on Google:
http://www.csoonline.com/article/597063/network-security-three-open-source-options
-
Use hacking skills
Read How to rob a bank: A social engineering walkthrough, the more modern way. (Maybe this was on slashdot?)
-
Re:New Security Model
But if the systems were designed to be secure would "normal" people be better off in practice?
Don't get me wrong, I'd be happy if things really became more secure. But as long as Banks, regulators etc keep calling "identity theft", "identity theft" and not bank fraud, what do you think will actually happen?
Paranoid slashdotters might be able to keep good control over some fancy "foolproof" transaction system. But do you think most people would? They can't even secure their computers and phones.
So cynical me thinks at worst all the fancy tech would do is give the Banks a reason to pass more of the losses to their customers. At best it just makes the people supplying the tech rich, while not improving things much.
Right now, if stuff happens, a customer can go to the issuer/court and say "I didn't make that transaction" and the issuer/jury/judge would be more inclined to believe him. With fancy "foolproof" tech, when stuff happens and a hacker gets or guesses passwords or manages to pwn the system via other means, the customer might find it harder to convince the court that he didn't make that transaction - because the "expert witness" says it's "100% secure".
The goals and motives behind people creating SSH and SSL/TLS were better, so you did get something better than telnet. And even then has https really been that effective in stopping that many people from getting phished/pwned?
Yes there are hackers going around stealing money, but when Banks are helping their friends and customers _directly_ steal money and get away with it I don't really think hackers are the biggest problem we should worry about. See:
http://it.slashdot.org/comments.pl?sid=2761105&threshold=0&commentsort=0&mode=thread&cid=39549881
http://www.csoonline.com/article/603461/ach-fraud-why-criminals-love-this-con
And also
http://www.fcc.gov/guides/cramming-unauthorized-misleading-or-deceptive-charges-placed-your-telephone-bill
http://en.wikipedia.org/wiki/Cramming_(fraud)
So many easy ways of directly stealing your money. Think the Corporations will make things more secure? I bet they'd only lock down your transactions while still allowing their friends and customers to steal your money easily.
-
Full article
Here is a link to the printable version.
-
Re:The Only Solution
No, actually, I'd say it's more that you have made the error of thinking that because it's dramatized it bears no resemblance to reality. Social engineering is a big deal, to the extent that in places where security is paramount it's a major component in vulnerability assessment and penetration testing.
-
"Countries of Cyber Concern"
When you point a finger at someone else, three are pointing back at you.
US Federal Guvmint - ACTA, DMCA, NSA wiretaps, full laundry list available online.
Cisco - Great Firewall of China, 'nuff said.
Visa/Mastercard/Amex - Insecure data practices while raping their customers with fees.
Facebook - In bed with Zynga, whose CEO has admitted he's a scammer and that his games are rife with malware.
Google - Censorship in China (until they got pwned).
Microsoft - No comment needed (with a CEO that looks like Satan, it's not really necessary).
The only reason the *AAs aren't jumping on the bandwagon at this point is that they'd bring the stench of their bad PR all over this legislation and alert the public to what it's really all about.
-
Re:The TSA redacting process
They are used for other purposes. Read this. Here is the important part:
1. Joe Terrorist (whose name is on the no-fly list) buys a ticket online in the name of Joe Smith using a stolen credit card^H^H^H^H. Joe Smith is not listed on the terrorist watch list.
2. Joe Terrorist then prints his "Joe Smith" boarding pass at home, and then electronically alters it to create a second almost identical boarding pass under the name Joe Terrorist, his name.
3. Joe Terrorist then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real driver’s license. The airport employee matches the name and face to the real ID.
4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terrorist goes through. He or she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.
5. Joe Terrorist then goes through the gate into his plane using the real Joe Smith boarding pass for the gate’s computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. (Since Joe Smith doesn’t actually exist it does not coincide with a name on the terrorist watch list) Joe Terrorist boards the plane, no questions asked.
TADA. A terrorist, on the no fly list, just flew without even bothering to get fake ID. (Rendering all Real ID talk total nonsense.)
And note I erased 'stolen credit card'. The credit card doesn't have to be stolen. Names of CC purchasers are not checked against the no-fly list, as far as anyone knows. If they are, there are probably ways to fly without a credit card, and if not, getting a credit card in a fake name is easy enough.
-
Re:Backward?
No, apparently DDoS attacks are a common use for botnets. Threatening to take down someone's website unless they pay can get you $500 - $40,000 depending on the website. Here is a cool story talking about one of those cases. Basically an online casino got threatened with a DDoS attack unless he paid, but he didn't pay. So he worked with the ISP to try to keep the website up (which didn't completely succeed at first), and eventually the guy gave up. Then they started investigating to find out who did it. Interesting read.