Domain: darknet.org.uk
Stories and comments across the archive that link to darknet.org.uk.
Comments · 13
-
Password Guessing hasn't been the problem!This has been a pet peeve of mine for a long time, and I've followed it for years, because password complexity hasn't been the problem in the big breaches. We are just making it harder on normal people, who then write them down, lose them, use the same one everywhere.
Think of the big breaches, which I tracked until about five years ago... In the Zappos breach, hackers broke into their system and stole their database. They didnt guess passwords, just stole them.
In May 2005, GMail was hacked... via JavaScript, exposing contacts, personal data without cracking (or exposing) passwords.
When CardSystems Solutions (a payment processor) was hacked and 40 million credit card numbers stolen, it was by SQL Injection. Fust full names, addresses and passwords exposed without any password guessing.
TJX (TJ Maxx, a retailer) lost 45 million credit card records in a hack... by unprotected WiFi and unencrypted records.
Google's AdWords system by surrupticious files being installed. User passwords were stolen.
About ten years ago, Internet Explorer (yeah, I know...) facilitated look-alike sites to steal Hotmail (Microsoft), GMail and Yahoo passwords... but complexity or guessing were not the issue.
When Epsilon Data Management was hacked, it wasn't via guessed passwords, but they were stolen, compromisingcustomer accounts on Citibank, Chase, Target, Walgreen and Best Buy.
LinkedIn, the professional networking site, had six million passwords cracked-and-leaked in June 2012. The process was an attack on the server storage encryption, not on password strength.
The stupid thing was, when Zappos was hacked (again, not via password theft), they then decided to impose stringent password requirements. Amazon doesn't have such stringent requirements, so just for ease I've switched most of the purchases (about four a year) I used to do from Zappos over to Amazon. -
Root DNS *was* affected... apk
"This hack, while bad, doesn't directly affect the root dns system." - by MrCawfee (13910) on Thursday December 18, 2014 @11:54AM (#48626607)
ICANN Hacked Including Root DNS Systems -> http://www.darknet.org.uk/2014... *OR* http://www.theregister.co.uk/2... on that account...
* ANYONE WONDERING WHY I DO THIS TO OVERCOME THOSE SECURITY ISSUES ETC> IN DNS? Don't -> http://tech.slashdot.org/comme...
APK
P.S.=> It works... apk
-
Re:Silly question
My assurance stems from,
1. Thousands (at least) of other end users actually do peruse the code, looking for errors, back doors, exploits, etc.
Which has been proven (and not just that instance) to be ineffective anyway. And if you think Microsoft is providing the keys to the NSA then why would countries like Russia and China continue using Windows hrmmm?
-
Re:How many of those where linux pc's again?
Are you claiming that there is, currently, malware out there designed to target Linux? If so, I'd like to know about it because I've never heard of it.
http://www.theregister.co.uk/2011/10/04/linux_repository_res/ , https://en.wikipedia.org/wiki/Linux_malware#Threats , http://www.darknet.org.uk/2011/01/java-based-cross-platform-malware-trojan-maclinuxwindows/ and so on. How about the cross-platform one for OpenOffice, BadBunny or what its name was? And so, you should be able to use Google sufficiently even on your own. Or hell, if you happen to be running SSH or HTTP servers go and take a look at your log files, you'll see plenty of attempts and many of those target Linux-boxes.
As far as root kits go, you either need to have access to a machine to install one or you need to trick somebody into giving your installer root access
It's easy enough to fool people into running stuff they shouldn't, and there are vulnerabilities even on Linux that allow stuff to gain root access. Just look through last year's Slashdot news if you wish, there was several high-profile vulnerabilities reported.
-
Re:Wait...
Too lazy to google, but I seem to recall something in the last months about a similar thing, where people were offered a bar of chocolate or something in exchange for their password.
First, it was over 2 years ago.
Second it was apparently 20% of people gave their passwords in exchange for chocolate.
http://www.darknet.org.uk/2008/04/chocolate-owns-your-passwords/However, the key thing is - the survey had absolutely zero way of confirming whether the passwords were genuine or not.
You know what? Some random in the street offers me a bar of chocolate in exchange for my password, I'll gladly trade; I end up with a free bar of chocolate, they end up with a garbage string of characters which isn't my password to anything at all. Seems I would be included in that 20%, but my security would have remained uncompromised and I'd be better off to the tune of 1 bar of chocolate.
which all just goes to show that the survey was crap, the results equally so.
-
Re:So it's true--NOT AT ALL!
Except this phone is not unlocked; it's just without a contract! You can buy the phone, but you can't use it with any provider other than AT&T (without illegally unlocking the phone yourself) and, if you do activate the phone with AT&T, you still have to get an iPhone contract (i. e. you can't buy the no-contract iPhone and activate it on a regular, voice-only plan).
Unlocking a cell phone is not considered illegal in the US. There have been recent challenges to that, but it currently is considered legal. Here is the first link I found from searching for it online:
http://www.darknet.org.uk/2007/04/legal-to-unlock-cell-phones-since-november-2006/Yeah, I know. I meant "illegal" as shorthand for "in violation of the EULA supplied by the overbearing lawyers at Apple and AT&T, voiding your warranty, potentially making your life difficult after future software updates, and of questionable enough legality that you may face lawsuits from which you can't affordably defend yourself".
I wish Apple would sell an actually unlocked iPhone; I might well buy it at $600.
-
Re:So it's true--NOT AT ALL!
All that the $400 higher price for the unlocked iPhone is proving
Except this phone is not unlocked; it's just without a contract! You can buy the phone, but you can't use it with any provider other than AT&T (without illegally unlocking the phone yourself) and, if you do activate the phone with AT&T, you still have to get an iPhone contract (i. e. you can't buy the no-contract iPhone and activate it on a regular, voice-only plan).
Unlocking a cell phone is not considered illegal in the US. There have been recent challenges to that, but it currently is considered legal. Here is the first link I found from searching for it online: http://www.darknet.org.uk/2007/04/legal-to-unlock-cell-phones-since-november-2006/
-
Re:FAQ
I googled for the ecrime howto but couldn't find it. Link please.
Try reading this zine and this zine, too. This is also recommended. Try here, too. Start searching forums, IRC, etc. Subscribe to all the major vulnerability sites, too. Learn to code, if you don't already know how. Get skills in C, assembler, Java, SQL, Visual Basic, Python, PHP, Perl, Unix, Linux, Windows, DNS, TCP/IP, routing protocols, Apache, MySQL, PostgreSQL, Oracle, etc. Understand how networks and systems work, architecturally speaking, from a high-level all the way down to the physical hardware.
The learning curve is pretty steep for anyone who wishes to ascend beyond the level of 'l337 skr1p7 k1dd13'.
Be aware, however, that the penalties for getting caught are very high. Think Kevin Mitnick.
-
Re:Maybe the media is what he wants.
But even if all that were not true, you're saying it's just fine to hack into someone's personal email account because you suspect they are guilty of something. So it's fine for the police to do that to you? You must love the Patriot Act and think it doesn't go remotely far enough.
No, but Nazi Germany does.
-
Re:Calling all Lawyers
Lawyers my eye, this is probably covered by the DMCA reverse engineering, same as for unlocking XBoxes and so forth.
I had to look this up but Cell Phones have been ruled to be one of the exceptions to the the DMCA:
http://arstechnica.com/news.ars/post/20061124-8280 .html
http://www.darknet.org.uk/2007/04/legal-to-unlock- cell-phones-since-november-2006/
Cell Phone providers do not have to provide you with the ability to unlock your phones nor provide you with the information, but they cannot legally sue their customers for unlocking them according to Federal rules. -
MD5 & SHA-1 might not be cracked.....
But they are certainly weak against attacks using rainbowtables. Both algorithms should be tossed into the bit bucket for something a little more secure. New services including Hashbreaker, Schmoo, freerainbowtables etc show how easy it is to brute force using rainbowtables. RE: http://www.hashbreaker.com/ and distributed rainbowtable generation http://hashbreaker.com:8700/ http://wired.s6n.com/files/jathias/ http://www.freerainbowtables.com/index-rainbowtab
l es-distributed.html/ http://www.darknet.org.uk/2006/02/password-crackin g-with-rainbowcrack-and-rainbow-tables/ -Spudster -
Re:You can't...>no real-world risk
I believe the usualy reliable Otter is a couple of days out of date here.
Targeted attacks using the Word vulnerabilities
Panda reports attack code which they call iTable.A
For what it's worth, Symantec reports wild occurrences of Word exploits.We found a malicious Word document that was written in Portuguese and added detection for it as Trojan.Mdropper.T. The document contains an exploit that drops an executable file, which then installs a downloader threat and opens a clean Word document in an Asian language with some strange predictions about the future. The downloader then downloads a keylogger/infostealer.
It's still correct to say "low risk". There have been very few reported infections. So far. -
Re:Aye, PC fanboi
But if you go to download.com or any other somewhat reputable source of apps, your Windows PC won't get infected
That's just not true. You can't make any such guarantees. Nothing prevents a programmer from making a trojan that will only activate at a later time, once there have been enough downloads. Even Apple, as reputable as you can get, recently distributed a Windows virus with iPods.
In reality, you don't get infected by downloading stuff.
No, in reality you do: Spyware Everywhere. Another example is: zCodec Video Codec is a TROJAN (and you can google for more). Any piece of softare can be malware. The more software you trust, the greater your risk.
So the security of the Mac (and the general quality of Mac apps, and the intolerance of Mac users for crappy apps) is the reason why Mac users aren't afraid of downloading stuff.
No, I think the dominating factor is that the Mac is niche market. If the market shares were reversed between Windows and Mac, the Mac would have just as many problems and your "free love" days of downloading anything you wanted would be over.