Domain: darkreading.com
Stories and comments across the archive that link to darkreading.com.
Comments · 86
-
Re:The average user still needs AV
The problem is antivirus makes your system less secure. You're giving up control of your system, making it less secure, and not getting much in return. Microsoft Security Essentials is enough.
-
Bloody order of magnitude
I meant four thousand dollars per minute of downtime, not four million.
So, I suppose they could demand a million easily. Still, when you compare that to the piddly $17,000 payout made by Hollywood Presbyterian Hospital, it's the difference between a bank heist and a purse snatch.
-
Re:Bugs
While you can't easily prove your phone ISN'T sending data, you can certainly prove when it IS sending data.
Simply take out the SIM card, turn on WiFi, and monitor the connections. I'd imagine many apps/hacks/vulnerabilities aren't designed to automatically disable if the cellular radio is off. So that'd logically leave you with ones that are, and ones that depend specifically on a cellular modem. (Fun fact: Cellular modems can actually have root file access to your phone, a "Red Flag!"-level vulnerability.)
--- Citation for last point:
http://www.darkreading.com/mob...
----------------- Secondary post:
Lastly, come to think of it. I wonder if you could design a "Communication LED" like modems and ethernet hubs/cards have. A blinking LED any time the PHY layer is sending data. However, I don't know enough about the GSM/CDMA protocol to know how often a cellphone "actively" sends data (announcement to look for potential cell towers), or if it's passive in nature.
A quick Google seems to favor the passive route (and battery conservation sure sounds like the right idea for a protocol.)
https://www.quora.com/How-ofte...
This would certainly be outside of "most" people's abilities. Cellphones are a pain-in-the-ass to open without damaging, and you'd have to identify the PHY layer and I would imagine you can't simply attach an LED to a GSM antenna. But the point remains. For a donor phone and a (hardware) hacker with a free weekend, one could likely build a phone that lights up an LED whenever it sends data. And logically, you've then made a phone that will tell you if entire ranges of apps and Android features "call home."
Perhaps I'm overthinking it. An even better method (if you had the cash) would be to create a fake cellphone tower ("base station") that forwards back to the internet and gives you a packet log. OpenBTS (open base station) exists already. Then you'd be able to see many layers of the stack and not just a transmit LED, to help identify what is talking and where it's going.
-
Re: Great!
DDoS is not a magic death ray that cannot be countered:
http://www.darkreading.com/att...
-
HTTPS?
Is that supposed to mean something?
Cookies have been re-branded as "Certificates"... or secure cookies
-
Microsoft DLL Hijacking Vulnerabilities
I think the worst decision was putting security functions in dynamically loaded libraries and allowing them to be dynamically hijacked
-
Re:Missing an M?
What's a Skimer?
Using the magical oracle known as "Google", we find the answer to that question is...
ATM malware
ATM malware
ATM malware
ATM malware
ATM malware
ATM malware
(you probably get the idea by now: "Skimer" is ATM malware)
-
Re:Can we get them to remove other annoyances?
-
Re:So what I get from TFA...
There is no way that this malware is going to be in usr or opt without having a root priv install, and it cannot access or modify etc unless you installed it as root.
People routinely install stuff with sudo, so if it's a trojan it was probably installed as root. Furthermore, privilege escalation bugs are quite common. I just did a search for: linux privilege escalation bug, and the top hit was a news item less than a day old:
http://www.darkreading.com/vul...
Tens of millions of Linux PCs and servers and 66% of all Android devices are impacted by a vulnerability in the Linux kernel that allows privilege escalation from local to root via a use-after-free attack, according to the research team at Perception Point.
Although no exploits for the bug have been seen in the wild yet, the vulnerability is far-reaching. According to Yevgeny Pats, co-founder and CEO of Perception Point, the bug affects all Linux kernels from release 3.8 and later, both 32-bit and 64-bit, operating on desktop, server, mobile, and embedded devices.
The vulnerability, CVE-2016-0728, is a reference leak in the keyrings facility, where security data like encryption keys and authentication keys are stored.
-
Addendum #2/3: Partial list of DNS exploits... apk
http://www.securityweek.com/fi...
http://www.theregister.co.uk/2...
http://it.slashdot.org/it/05/0...
http://it.slashdot.org/it/07/0...
http://labs.umbrella.com/2013/...
http://www.darkreading.com/per...
http://tech.slashdot.org/artic...
http://crypto.stanford.edu/dns...
http://it.slashdot.org/it/07/1...
http://www.zdnet.com/blog/secu...
http://tech.slashdot.org/tech/...
http://it.slashdot.org/it/08/0...
http://it.slashdot.org/it/06/0...
http://tech.slashdot.org/story...
http://blogs.zdnet.com/securit...
http://crypto.stanford.edu/dns...
* "Read 'em & weep" EVEN MORE are coming... & that's only SOME of the exploits DNS has experienced, I don't have them all but those will do!
(Simply facts supporting my former post as I promised in it, to show the RAMPANT EXPLOITABILITY of DNS vs. my program AND WINDOWS protecting hosts perfectly...)
APK
P.S.=> You can't win, accept it... apk
-
Re:Careful
I think you're trolling, but this guy went to jail for running almost the exact same script as is found in the article. This guy didn't even have malicious intent when he modified the URL, and he was still convicted.
-
In other news from the future..
Lockheed Martin announced today that they've had a huge security breach where tens of thousands of documents and designs from advanced weapons may have been stolen by foreign agents. At this time the FBI does not know where these agents originated their attack from but is investigating.
In other news, North Korea has just announced that it will demonstrate its new 30KW laser system dubbed "We kill you America!" Analysts at the DoD are still wondering how the isolated nation managed to catch up so quickly to the US.
It's already happened in the past, folks.. http://www.darkreading.com/ris...?
-
Re:someone else can be first
And you think the TLAs haven't compromised that too?
-
Re:Hosts avoid DNS totally
You said
7.) Protect vs. DNS amplification attacks
No, hosts files do not prevent DNS amplification attacks. These attacks do not depend whatsoever on the configuration of your computer. These attacks are performed from outside your network. Here's how it works:
1. I send a packet to a DNS server on the internet, let's say 8.8.8.8, this packet requests a large amount of data, like a request for the whole DNS database. This packet also has spoofed your address as the requesting address.
2. You receive a large amount of data.
3. You have just been taken off the Internet due to repeated use of this attack. Congratulations, your hosts file is now useless as you have been DDOSed, and if you are lucky, your Internet router hasn't fried from the overload.
This is not a benefit of hosts files. Take it off your list. DNS amplification attacks are not attacks against a DNS server, they are DDOS (Distributed Denial of Service in case you didn't know) against an internet connection. Your hosts file will be utterly useless when your ISP is receiving 7 Gbit of traffic destined for you, not many people have that kind of connection.
More information:
http://www.watchguard.com/info...
If you aren't a security professional, don't act like you know what you are talking about, as it makes you look very foolish. If you are a security professional, read up on this stuff, as it could save your career.
DNS amplification attacks were recently replaced by NTP amplification attacks. These attacks can take down even large ISPs. Your hosts file won't help you there either. Recent NTP amplification attacks can and have pushed more than 100Gbit of traffic using just a few NTP servers.
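The comment above describes the attack from the victim's side. The complementary defender's view is the resolver operator's: reflection shows up in resolver logs as many small queries whose claimed source address is the victim, each answered with a far larger response. The script below is an added example, not the commenter's, and the log format (claimed source, query type, name, request bytes, response bytes) and the sample lines are constructed for it. It groups queries by claimed source and flags sources whose aggregate amplification ratio and query count exceed a threshold, which is the first step before applying response rate limiting or closing an open resolver.

```python
"""Spot DNS reflection traffic in resolver logs (added example; log format assumed)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: claimed_src qtype name req_bytes resp_bytes
SAMPLE_LOG = """\
198.51.100.7 ANY example.org 64 3200
198.51.100.7 ANY example.org 64 3200
198.51.100.7 ANY example.org 64 3200
198.51.100.7 TXT example.net 60 2900
203.0.113.5 A example.com 50 80
203.0.113.9 AAAA example.com 52 96
198.51.100.7 ANY example.org 64 3200
"""


@dataclass
class SourceStats:
    """Bytes in and out for one claimed source address."""
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0

    @property
    def ratio(self) -> float:
        # Amplification factor: how many response bytes each request byte buys.
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_log(text: str) -> dict:
    """Aggregate the constructed log lines per claimed source address."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _qtype, _name, req, resp = line.split()
        entry = stats[src]
        entry.queries += 1
        entry.req_bytes += int(req)
        entry.resp_bytes += int(resp)
    return dict(stats)


def flag_reflection(stats: dict, min_ratio: float = 10.0, min_queries: int = 3) -> list:
    """Return claimed sources that look like reflection victims.

    A single large answer is normal; a run of them, all 'from' the same
    address and each dozens of times larger than the query, is not.
    """
    return sorted(src for src, s in stats.items()
                  if s.ratio >= min_ratio and s.queries >= min_queries)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for src in flag_reflection(stats):
        s = stats[src]
        print(f"{src}: {s.queries} queries, amplification x{s.ratio:.1f}, "
              f"{s.resp_bytes} bytes sent toward it")
```

On the sample input only 198.51.100.7 is flagged (five queries, roughly 50x amplification); the two ordinary A/AAAA lookups are ignored. Thresholds are deliberately conservative and should be tuned against the resolver's normal ANY/TXT traffic before acting on the output.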
-
Re:A joke?
So in other words....they are FOSSies and are doing it on religious grounds rather than on the merits of the OS or even its functionality?
In that case I agree with you 100%, because if they are getting viruses in 2014 then it's because of PEBKAC and those same people will end up somebody's bitch on Linux so as a member of the Windows community allow me to say thank you, please keep them. Better they cause millions of Linux infections than cause Windows ones, thx!
For everybody else Windows 7 is solid as a rock, Windows 10 looks to be even nicer in every way, and with both you have to REALLY go out of your way to be a booger picking moron to get yourself infected, what with the sandboxing, ASLR, DEP, low rights mode, Windows Defender, auto updates, one has to be a real drooling idiot to get themselves infected...I should know, I run a PC repair shop and see quite a few and ya know what? Damned near every.single.one. says something along the lines of "I knew I shouldn't click and run that, I really did, I don't know why I did that"...well I do, it's the same reason the "How to write a Linux virus" works just fine (which it does BTW, see the KDELook bug for just one example), it's called social engineering, which is how more than 95% of Windows bugs end up installed.
So I personally wish all the "virus carrying click on everything" types go to your OS, I really do. From the looks of the Android malware they will be happy to spread their STDs to your OS just as they did to ours, so please accept these plague bearers with our compliments!
-
A more secure VPN version ..
"Since Target’s breach last fall, numerous business and organizations including Home Depot, JPMorgan, Supervalu, Community Health Systems, UPS Stores, Dairy Queen, and others have announced breaches that cumulatively have exposed data on tens of millions of people. The sudden rash of data breaches has left security experts scrambling to find a reason for what is going on". ref
-
Re:Damned if you do...
Not so much anymore. http://www.computerworld.com/s... http://www.darkreading.com/ris...
-
Re:NSA failed to halt subprime lending, though.
What are you talking about? BIOS-flashing malware is a well-known problem, long pre-dating this discussion. Here's a recent article on the topic: http://www.darkreading.com/vulnerability/bios-bummer-new-malware-can-bypass-bios/240155473
In previous years, people did scoff at the idea of BIOS hacks, but they were fairly common for older BIOSes, even without this special NIST BIOS standard.
Now if you were to propose that the NIST standard was deliberately broken by the NSA, that would be an interesting speculation to pursue, but the point is that BIOS-flashing malware is a very real problem, and has been for a long time.
-
What about 10 year old mysql bugs?
For example, #1341. 10 fucking years old.
#68892 - best comment on the bug: 'Not quite sure how the severity scales are generally used, but shouldn't a trivial command that breaks the one feature that is being splatted all over the homepage as having significant improvements be a little higher than "non-critical" ?'
What about stupid shit like this: http://www.darkreading.com/database/expect-a-surge-in-breaches-following-mys/240001958?cid=nl_DR_daily_2012-06-14_html&elq=7e0510c44883432fa8e79c2ebde2ecb8 "The vulnerability itself is in the way MySQL accepts passwords -- the bug makes it such that there's a one in 256 chance that the wrong password will still grant the user access to an account. So an endless loop of attempts will eventually grant an attacker access. It was a bug so unique that Moore says some MySQL developers ran into it, couldn't reproduce it, and eventually chalked it up as a fluke."
Is MySQL even ACID compliant yet, without addons?
http://nosql.mypopescu.com/post/1085685966/mysql-is-not-acid-compliant
-
Re:See what I did here?
That seems to be the prevailing theory now. The paranoid side of me wants to know if it's a three-letter-agency running the botnet, or one from Anonymous, Lulzsec or similar.
-
Re:Also Why
...China Inc. can first fuck all these corporations and then run away with their decades of R&D data.
http://www.wired.com/threatlevel/2011/03/rsa-hacked/
So because RSA was hacked, we shouldn't use Microsoft software?
It's a good thing that no Open source software has ever been hacked.
-
Let's see them "call out to mama" when
I block out communications to their C&C servers here, via custom hosts files + firewall rules tables in combination:
---
0.0.0.0 flashsoft.no-ip.biz
0.0.0.0 good.zapto.org
0.0.0.0 hatamaya.chickenkiller.com
0.0.0.0 helpme.no-ip.biz
0.0.0.0 hint.zapto.org
0.0.0.0 hint1.zapto.org
0.0.0.0 idf.blogsite.org
0.0.0.0 javaupdate.no-ip.info
0.0.0.0 loading.myftp.org
0.0.0.0 lokia.mine.nu
0.0.0.0 may2008.dyndns.biz
0.0.0.0 may2008.dyndns.info
0.0.0.0 menu.dyndns.biz
0.0.0.0 mjed10.no-ip.info
0.0.0.0 monagameel.chickenkiller.com
0.0.0.0 natco1.no-ip.net
0.0.0.0 natco2.no-ip.net
0.0.0.0 natco3.no-ip.net
0.0.0.0 natco4.no-ip.net
0.0.0.0 owner.no-ip.biz
0.0.0.0 powerhost.zapto.org
0.0.0.0 ramadi.no-ip.biz
0.0.0.0 remoteback.no-ip.biz
0.0.0.0 skype.servemp3.com
0.0.0.0 test.cable-modem.org
0.0.0.0 www.hint-sms.com
---
SOURCE = Cyberattack_against_Israeli_and_Palestinian_targets.pdf
Downloadable from NORMAN -> via the article's source page here -> http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240115353/the-globalization-of-cyberespionage.html
(I would post the direct link, but /. says it is "too long of a string of letters" so, there you are! Close as I can get...)
Excellent document too!
Well-done & INFORMATIVE for my purposes!
(Which is simply shutting these kinds of machinations down before they can even DO anything, much less even let me get it in the first place!)
* The rest, based on IP addresses, seem to be changing dynamically (ala "fastflux" type work), but again:
I simply add them as they are discovered via a Windows PowerShell script to my firewall rules table too - thank goodness they are NOT the majority of what these malware makers use usually though since they're relatively easy to "Blackhole" @ the ISP/BSP level via say, DNS Block lists as 1 example thereof.
APK
P.S.=> After all - "You can't get burned IF you don't & can't go into the hot kitchen"...
AND?
Yes, that is EXACTLY what this method of defense allows, easily, via a custom hosts file!
(Which is the primary one, since they "recycle" the host-domains they own usually)
And, of course, for those IP address based ones (rarer since they are EASILY blackholed @ the DNS level alone) & firewall rules tables also...
Do THAT, folks?
There is literally NO WAY for them to even "TALK TO MAMA" (C&C Servers) for orders!
Heck - NOT even IF I was to get one of these machinations, via say, a USB stick... they're totally "nullified" from the get-go!
... apk
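The post above relies on a hosts file to sinkhole C&C host names. Whether a given file actually covers a list of names is easy to get wrong, because hosts files have no wildcards (an entry for hint.zapto.org says nothing about sub.hint.zapto.org), a later duplicate does not override an earlier one on most resolvers, and the file is never consulted for connections made directly to an IP address, which is exactly the gap the poster fills with firewall rules. The script below is an added example, not the poster's own script. It parses hosts-file syntax and audits a list of names against it; the sample hosts text reuses a few names from the list above, and the 192.0.2.10 entry and the "wanted" list are constructed.

```python
"""Audit a hosts-file sinkhole list (added example, not the commenter's script)."""

# Addresses that count as a sinkhole: the name resolves but the connection goes nowhere.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed hosts file; the no-ip/zapto names are from the comment's own list.
HOSTS_TEXT = """\
127.0.0.1 localhost
::1       localhost
# sinkholed C&C names
0.0.0.0 flashsoft.no-ip.biz good.zapto.org   # two names on one line is legal
0.0.0.0 hint.zapto.org
0.0.0.0 HINT1.zapto.org
192.0.2.10 intranet.example   # a normal static entry, not a sinkhole
"""


def parse_hosts(text: str) -> dict:
    """Return a lower-cased name -> address map.

    Comments are stripped, several names may follow one address, and the
    first occurrence of a name wins (this parser's assumption, matching the
    common first-match resolver behaviour).
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.setdefault(name.lower(), addr)
    return entries


def is_sinkholed(entries: dict, name: str) -> bool:
    """Exact-match only: hosts files do not cover subdomains of a listed name."""
    return entries.get(name.lower()) in SINKHOLES


def audit(entries: dict, wanted: list) -> tuple:
    """Split the names we expect to block into (covered, not covered)."""
    covered = [n for n in wanted if is_sinkholed(entries, n)]
    missing = [n for n in wanted if not is_sinkholed(entries, n)]
    return covered, missing


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    wanted = ["flashsoft.no-ip.biz", "good.zapto.org", "hint1.zapto.org",
              "sub.hint.zapto.org", "ramadi.no-ip.biz", "intranet.example"]
    ok, gaps = audit(hosts, wanted)
    print("sinkholed  :", ok)
    print("not covered:", gaps)
```

Run against the sample, three names are covered and three are not: sub.hint.zapto.org (no wildcard match), ramadi.no-ip.biz (absent from this sample file) and intranet.example (resolves to a real address). A list that should also block IP-based C&C needs the firewall layer the poster mentions; an audit like this only tells you what the hosts file itself will stop.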
-
VxWorks modules in Metasploit
Let's hope NASA read the research by HD Moore back in 2010, where he identified security mis-configurations with the VxWorks software.
http://www.metasploit.com/modules/auxiliary/admin/vxworks/wdbrpc_memory_dump/
http://www.darkreading.com/vulnerability-management/167901026/security/application-security/226100011/researcher-pinpoints-widespread-common-flaw-among-vxworks-devices.html
-
Article submitter's an idiot
1) Apple phones don't have NFC chips in them so Charlie Miller cannot be "exposing them"
2) Charlie Miller will be exposing security problems of NFC with Android phones.
3) Charlie Miller is also Google's nemesis and has exposed how silly Android security testing is:
4) timothy seems to have an axe to grind against Apple so he's submitting these idiotic articles lately. It's he, however, that looks stupid as a result.
-
Some examples that contradict the Wired assertion
> "[E]vidence to sustain such dire warnings is conspicuously absent."
Guess the Wired.com authors live in a different world than I do:
http://www.physorg.com/news/2012-02-nortel-penetrated-hackers-decade.html
http://articles.latimes.com/2008/aug/17/opinion/ed-cyberwar17
http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
http://arstechnica.com/business/news/2011/10/rsa-details-march-cyber-attack-blames-nation-state-for-securid-breach.ars
http://www.commandfive.com/research.html
http://www.darkreading.com/database-security/167901020/security/attacks-breaches/229700229/targeted-attacks-on-u-s-defense-contractors-fallout-from-rsa-breach.html
http://en.wikipedia.org/wiki/Stuxnet
I'm concerned about the response, but the threat is real.
-
Re:Lost? Riiigghtt...
-
Re:Android malware
Really? What malware is there in the official market?
Oh, really? Unfortunately, the story doesn't state whether the apps are from the Android Market, but I'm not exactly sure where they would have found 10,000 apps outside of it. But if you have reason to believe this is from outside the Market, I'm all ears.
The problem is that Google has a very hands off approach to their store. This is something that is treated as a virtue around here, but the downside of this cannot be ignored. Almost by definition it means that the Android Market is going to have apps of lower quality, including malware.
-
Define 'unauthorized'
What is an 'unauthorized' server? Is the server unauthorized by the app writer or by the end user or both? This is important information which is missing from the article. More worrisome in a link in TFA is the other attack vectors which are going to be discussed: drive-by downloading, etc. There's a video on the author's site at http://www.dasient.com/resources/video/?v=15 but I haven't watched it.
-
Re:Ooo! I can solve that one!
-
Re:Mob Justice
Did you read the recently posted article? Criminal botnets are being used as part of Operation Payback?
And a few hundred nodes would not be enough to kick Visa off the net, there are certainly more than that going on.
-
Public misdirection
While the treatment of WikiLeaks and Julian Assange is important, it's USUALLY misdirection, to divert public attention.
How effective is the (replacement) EO 13526 http://edocket.access.gpo.gov/2010/pdf/E9-31418.pdf or http://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information
Was it followed by State and DoD? Have NIST/FISMA security guidelines been properly implemented (even yet)?
Are there actual timing considerations, when-leaked, vs when EO 13526 went into force? (Signed: December 29, 2009)
WHY would there be no "alarms" when a PFC accesses an enormous number of documents?
Someplace between a half-million and 3 million people with full access to these documents BEFORE they got to WikiLeaks?
What about "the State Department's Risk Scoring tool"?
STREUFERT: "...the continuous monitoring has something that is an assessment capacity of the organization to deal with outside risk that is never longer than a month and scanning data in fact could be as fresh as 24 hours old." (but are they looking at the RIGHT THINGS)?
Refs: http://gcn.com/articles/2010/03/03/rsa-futue-of-fisma.aspx
http://www.govinfosecurity.com/podcasts.php?podcastID=276 [John Streufert, State Department Deputy CIO and CISO]
http://www.darkreading.com/database-security/167901020/security/news/224200410/ninth-state-department-insider-found-guilty-of-illegal-database-access.html [Ninth State Department Insider Found Guilty Of Illegal Database Access - Mar 25, 2010]
For investigation:
http://www.state.gov/m/pri/rls/plans/146301.htm
> For example, weekly reports to senior management are now routed through Microsoft
> SharePoint websites instead of by paper or individual emails. -- August 30, 2010
In case you think this is "picking on Microsoft"
...
http://www.federaltimes.com/article/20101205/IT03/12050306/
> Besides limiting access to Net Centric Diplomacy, the State Department has recently
> suspended SIPRNet access to two classified sites, ClassNet and SharePoint, according
> to the White House. In an apparent reference to those actions, State Department
> spokesman P.J. Crowley said last week that access to diplomatic cables has been narrowed
> across the government "for the time being."
-
Re:Backups
Antiviruses catch only a declining percentage of malware, so you can't rely on them - see http://en.wikipedia.org/wiki/Antivirus_software#Effectiveness which shows that even in 2007 the average percentage caught was about 50%. Various independent tests confirm this, particularly for zero-day viruses (i.e. you must rely on heuristics in the AV product, not signatures). In 2007, 23% of infected PCs had up to date antivirus: http://www.pandasecurity.com/infected_or_not/ and http://www.pandasecurity.com/infected_or_not/panda_security_research/
Even when there is coverage for a specific virus/trojan, highly polymorphic ones are often not caught - for example the Zeus banking trojan, which steals from bank accounts while hiding the illicit transactions and resulting balance from the user, is missed in 77% of cases - http://www.darkreading.com/security/article/220000718/index.html
-
Re:Can't be The Jester then.
Does it have to be an uber-dos tool? My employer's services have been hit by 10gbit/s dos attacks for no obvious reason, and later studies have shown somebody initiated them for fun (and it was cheap).
I imagine they just have to figure out what attack vectors wikileaks is vulnerable to. From what I've read, relatively few machines exploiting the slow POST vulnerability (Note: *not* the same as Slowloris) might do some damage.
-
Re:A corporation protecting its customers?
I would pass on the encryption key via SMS text
So after setting up this whole fancy encryption system, you broadcast the key over the air via GSM which is known to use breakable encryption, across a black box of a network that's known to be monitored by both law enforcement and the telecom's staff, onto a phone which is likely to be lost or stolen and could have backdoors installed on it.
What happened to, oh I dunno, encrypted email? If you're really serious, you should only send the key after the CD is received with holographic sealing stickers intact.
-
Re:Software Engineering skills don't depreciate mu
Bang on. That's why smart companies like Google run interviews that test problem-solving skills rather than some particular api.
The set of smart companies certainly does not include Google.
2007-01-24
Rob Enderle _Dark Reading_/_TechWeb_/_CMP_
Executives and recruiters often behave stupidly
"a recent interview with Google's CEO [Eric Schmidt], in which he discussed the company's [alleged] staffing problems and what it's doing to [make them worse]. Like many companies that experience very rapid growth, Google is having [self-created] problems getting enough [capable] people to do the jobs they [want] done. And, like many companies, Google has been using academic accomplishments as a key metric for weeding out [many very capable people from the flood of] applicants. Google's executive staff has [idiotically] concluded that interviewing takes too long and that by sorting potential employes based on grades -- largely an artificial metric in business -- they are probably missing out on many great employees they might otherwise hire. Unfortunately, Google's 'solution' to this problem is to hire people [who are capable of doing] jobs '3 levels higher' than the jobs they are hired for. This approach clearly addresses the need to fill the pipe-line for potential executives in a rapidly growing company; it could also result in a security nightmare. As anyone in security knows, the most likely employee to steal from a company is one who feels under-paid and under-appreciated."
2007-10-19
Michelle Kessler _USA Today_ pg B1
What's up at Google?
"Google CEO Eric Schmidt said many hires were recent college graduates who received job offers earlier in the year [so, they're discriminating against older STEM workers]."
-
This is actually good
It will keep them tied up for years trying to find exploitable holes, when the real spies will use something else
-
Re:Quoting himself now? Megalomania
It seems that a Tech columnist posted a scantily detailed opinion piece on the subject last March. Our submitter linked to his opinion on the opinion piece.
http://www.darkreading.com/blog/archives/2010/03/is_it_time_for.html?cid=nl_DR_DAILY_2010-03-15_h
-
Statistics and Economics
1. No client talks to any other client directly: managed routers.
2. Servers run A/V.
3. IDS, e.g. snort (free)
4. Firewall departments as well as outside world
5. Patch users machines regularly for the major exploit targets: IE, Firefox, Adobe Acrobat, Flash
6. A $299 netbook, in a safe, that is the only machine used to admin salesforce and other online services.
There are two ways that your organization can be infected before you can react to it:
1. A local network worm, i.e a TCP/UDP from one client to another.
2. An email worm, i.e. Outlook.
Either of these can and will bypass *any* security solution implemented on the client.
Most attacks are neither: they are attacks intended to compromise a single machine. 80% of these are things like Adobe PDF exploits.
Stopping a local network worm is simple: Clients do not talk to each other. All it takes is a managed router. Clients talk to servers. Specifically their own servers.
Stopping an Outlook worm is more complex, unless you want to piss people off. It's pretty easy to strip everything but plain text out of email. But there are other methods. First, email spamming the whole company gets quarantined, and the user told (automatically) that mail doesn't work like that. Second, any email to a distribution list is refused if it has an attachment. Use an in-house equivalent of sendthisfile.com, or sharepoint (!), or something like that. That may take some getting used to, so an alternative may be that such email is distributed slowly, e.g. after 30 seconds. Or the user has to confirm it with a second email. There are good reasons not to have users passing around documents in email but instead to have some kind of centralized document management system. There are also good reasons to allow them to. So you are going to have to use your judgment on this. Any solution that *you* write is going to be immune to automated worms (unless someone with inside knowledge targets you deliberately).
Why NAC/NAP/SEM is a waste of money:
1. The chance of anyone being infected in an organization is fairly small.
2. The chance of the whole organization being infected if just one is infected: very high.
3. When running things like NAC/NAP/SEM, users' machines get pretty slow.
4. NAC/NAP/SEM simply don't offer complete protection against attacks.
5. Running NAC/NAP/SEM etc reduces users productivity when there are no attacks.
6. NAC/NAP/SEM cost a lot of money.
You should read this: End Users Buck Security Advice For Economic Reasons
Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. So implementing any security advice, he argues, should incur only 0.98 seconds per user per day to actually reduce the time involved. But it eats up much more time than that, which demonstrates that security advice provides a poor cost-benefit trade-off to users, he argues.
All that other bullshit adds huge costs to your company, and doesn't stop bots. I worked at a company that used SEM or something like it. We got a worm. Still had to bring routers down. Still lost days of network while it was cleaned up. Here's the *big* question: if it works, why is it not guaranteed? If you pay for something like this, and you get a worm, Symantec should come to your building and clean up all your computers for free. Why don't they offer that? Because they would go bankrupt in a month.
Increasingly, small businesses use things like Salesforce and online services. Online attacks are going to be aimed at stealing users' passwords. So the most important thing is getting it into the boss's head that his day-to-day account should not be the one that has full control, i.e. add/delete users, etc. But most successful businessmen are rational, and when you explain that there are viruses that do nothing other than steal salesforce passwords, as you type them, then he/she will get it. Try to persuade him/her to have one machine that is for admin only. It can be a $299 netbook. Tell him to keep it in his safe at home.
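The mail-flow rules the poster sketches for stopping an Outlook worm (quarantine company-wide spam and tell the sender, refuse attachments to distribution lists, optionally delay list mail) are the kind of thing that is easiest to reason about as an explicit policy. The snippet below is an added example, not the poster's own code or any mail server's API: a small decision function applied to constructed messages, plus a per-sender fan-out counter that catches the pattern a mass-mailing worm produces (one account suddenly reaching an unusual number of distinct recipients). The thresholds, list addresses and message shape are assumptions.

```python
"""Mail-flow policy for worm containment (added example; thresholds assumed)."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_RECIPIENTS = 25        # direct recipients per message before quarantine
FANOUT_LIMIT = 100         # distinct recipients per sender before quarantine
LIST_DELAY_SECONDS = 30    # hold time for distribution-list mail without attachments
DISTRIBUTION_LISTS = {"all@corp.example", "sales@corp.example"}   # constructed


@dataclass
class Message:
    sender: str
    recipients: list
    has_attachment: bool = False


@dataclass
class Policy:
    """Stateful policy: remembers which recipients each sender has reached."""
    fanout: dict = field(default_factory=lambda: defaultdict(set))

    def decide(self, msg: Message) -> tuple:
        """Return (action, reason) where action is refuse, quarantine, delay or deliver."""
        lists = [r for r in msg.recipients if r in DISTRIBUTION_LISTS]

        # Rule 2 from the comment: no attachments to distribution lists at all.
        if lists and msg.has_attachment:
            return ("refuse", "attachments to distribution lists are not accepted; "
                              "use the internal file-sharing service")

        # Rule 1: one message to the whole company is quarantined, sender notified.
        if len(msg.recipients) > MAX_RECIPIENTS:
            return ("quarantine", "mail does not work like that: too many direct recipients")

        # Worm fan-out: many small messages that together reach too many people.
        seen = self.fanout[msg.sender]
        seen.update(msg.recipients)
        if len(seen) > FANOUT_LIMIT:
            return ("quarantine", f"{msg.sender} has reached {len(seen)} distinct recipients")

        # The slow-delivery alternative for legitimate list mail.
        if lists:
            return ("delay", f"held {LIST_DELAY_SECONDS}s before delivery to {', '.join(lists)}")

        return ("deliver", "")


if __name__ == "__main__":
    policy = Policy()
    samples = [
        Message("alice@corp.example", ["bob@corp.example"]),
        Message("alice@corp.example", ["sales@corp.example"]),
        Message("alice@corp.example", ["all@corp.example"], has_attachment=True),
        Message("worm@corp.example", [f"u{i}@corp.example" for i in range(30)]),
    ]
    for m in samples:
        print(m.sender, "->", len(m.recipients), "rcpt:", policy.decide(m))
```

The fan-out rule is what catches a worm that has learned to stay under the per-message limit: five messages of 25 recipients each from one account trip it on the fifth, while the same volume spread across normal users does not. Feedback to the sender ("mail does not work like that") is part of the rule, as the poster suggests, because a silent drop just produces retries.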
-
Someone submit this under YRO please:
Interesting news:
http://www.darkreading.com/vulnerability_management/security/client/showArticle.jhtml?articleID=223200163
Ya gotta love this lovely tidbit of fine print from the SyncMyRide
terms and conditions:
http://www.syncmyride.com/Own/Modules/PageTools/TermsAndConditions.aspx
Ford's Service provider Tellme Networks, Inc. ("Tellme"), a subsidiary
of Microsoft Corporation, may record and retain user voice utterances
("recorded utterances"), which are recordings of sounds made when the
TDI Service is in listen state and waiting for a user command or
response. These recorded utterances may include all sounds in the
vehicle, including the voice of the user and voices of other vehicle
occupants, while the service is in listen state. Tellme may also, at
Ford's request, randomly record and assemble in sequence, all voice
communications made from the time the Service is connected (by the
user pressing the VOICE button) to the time the Service is
disconnected.("Whole call recordings (WCRs)"). WCRs will include voice utterances
and may include any other sounds in the vehicle, including the voices
of the user and other vehicle occupants, during the entire time the
Service is connected. Both recorded utterances and WCRs may be
associated with you or the cell phone number assigned to the Service.
-
Re:Or not
Wouldn't it be easy if you had one card for ID, public transport, payments, building access, getting your treatment, etc?
If you are willing to give up essential liberties for mere convenience, you don't deserve those liberties. Go ahead and apply for the card. Just don't complain when your life gets turned upside down when something goes wrong.
-
Re:CHALLENGE TO TARNOVSKY
I've seen this article in a few places (see also here) and discussed it with some colleagues (one of whom was a consultant on the design of the TPM). We had the same suspicions regarding whether or not it was an Infineon TPM or a clone.
Regarding the key question, I don't think he has actually been able to extract the endorsement key. I believe the attack is just about extracting keys generated and stored on the TPM. For instance, the CW article refers to the "licensing keys." My impression is that these are keys used by the software to ensure the XBox 360 hasn't been modded. I don't believe you would use the endorsement key in this instance. Unfortunately, none of the articles are clear on this point.
-
I Figured the 16 Year Olds Would be More Important
Windows Bugs get younger every year
-
Re:Affected software list
Do you have any proof showing that UAC and Protected Mode does not guard against this exploit or others? So far from the security researchers, I've only read very specific conditions under the latest systems that it's a problem.
Oh, so you have already read about conditions where this happens? Guess I don't have to answer this one then, do I?
Besides, I already gave you an example earlier. But just for shits and giggles, here's one that references the chances at 1% on IE8/Vista or IE8/Win7:
Now, while 1% seems a trivial number, it is actually quite large when installed base is taken into account... or only a few million machines.
Then add to that, such an exploit can be attempted multiple times on a machine, which raises the likeliness of the exploit working.
And here's one more recent that states it is even more likely and has been proven to be possible:
Hmmm... does that one sound familiar? Maybe the one this patch is supposed to address?
Or this one: Crappy Ass Microsoft Javascript implementation vector for bypassing DEP
And one that was made available to govts and large security software vendors: DEP being bypassed
And one (just to add it to the list) to bypass XP and hardware DEP: ANI Cursor Exploit
Should I go on? There are TONS of pages I can go through... and I haven't even started on the hotfixes and other patches Microsoft has released to fix earlier issues with DEP and UAC.
Knowing what I've read about the various security contests, the only thing that needs to be done is execute code as the user.
But what limited scope is this? Does the vulnerability get contained within the Low profile of IE? If it drops files in there, who gives a damn? Even if it can execute code at the medium privilege level, it still doesn't have access to core system files and settings.
Hmmm... I dunno... what did the .NET stuff do for both Firefox and IE? Is .NET really truly fixed this time? This is the 6th major attempt to do so, and probably the few dozenth attempt overall.
The severity of the vulnerability to me under Windows is what I care more about, simply saying the application is "vulnerable" isn't enough.
True... but then again, I make most of my "repair" money at the company I work for from fixing virus ridden machines running on default settings (DEP and UAC enabled) from customers who have (or claim to have) done nothing and clicked on nothing - other than visiting malicious sites before the most recent .NET patch.
Not that I'm downplaying the exploit nor any fixes for it, I'm just trying to shed light on the various methods used to prevent such things from gaining much traction on a user's computer.
If the exploit can get by IE Protected Mode and execute under medium integrity I'd be a bit worried, but the attack surface is very limited until it generates a UAC prompt.
When exactly does it do that? And you realize there are mechanisms built into Windows Vista and Windows Seven to bypass UAC, correct? I'm cleaning a machine right now with Vista on it (and UAC & DEP enabled), where winlogon was infected (along with just under 100 other files).
If the user clicks OK to the UAC prompt and lets the thing get elevated privileges, well, at that point I no longer blame the application--I blame the user.
I agree... but that is not needed in vari
-
Re:Who watches the watchers...
If there's one moderation that Slashdot really needs, it's +1 Paranoid Schizophrenic.
You really did not know about the privacy issues with some of Intel's chips? Sad but true, hardly paranoid. Here is info about the Pentium III privacy issues... even if it's turned off!
Wikipedia page on Pentium III exploit.
Now like many others, I figured Intel got their issues fixed, imagine my surprise when I read this, this year:
This is the third vulnerability that Rutkowska's Invisible Things Lab has discovered in the Intel processor in the past 10 months; she presented a paper on weaknesses in the Intel Trusted Execution Technology (TXT) at the Black Hat DC conference last month.
and
"It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying," Rutkowska said in her blog.
Why do people assume someone is crazy, or a conspiracy person, simply because the person mentioning it (me) is aware of facts that the disbeliever (you) had no clue about?
That's three security hits / exploits for Intel processors from June 2008 through March 2009
I bet you think the US Government has never experimented on its military... wrong, they did during the nuclear testing.
I bet you think that JFK was killed by a magic bullet? Wrong again. Way too many facts have come to light disputing official accounts. Today we know what a poor investigation was performed and that many officials lied in reports. Not my opinion, fact. Because it's happened before, governmental abuse, it will happen again. My suggestion to you: try believing them until you prove them wrong. You might find it enlightening. More important, the powers that want to divide you and me only win if you allow the divide to occur. Next time someone attacks someone else, ask yourself this question:
What do they not want me to know about?
Is the dispute in question even possible? If so, perhaps some research is in order. So the next time someone knows something that you do not, why not state your reasons and the facts that you believe disprove what they are suggesting/saying, without failing and resorting to argumentum ad hominem? That is a logic fail for someone who has no basis from which to draw their conclusions.
You just might discover that you have more in common than you realize! You might actually have a new friend! Just a thought.
-
Re:What
This guy amuses me: http://www.darkreading.com/blog/archives/2009/01/how_hackers_wil.html?cid=ref-true
He suggests hackers can hit 1 billion passwords a second. I seriously want that hacker's setup :(
-
Re:What is the source?
Over at DarkReading they say: "Earlier Wednesday, the National Intelligence Service said in a statement that 12,000 computers in South Korea and 8,000 computers overseas had been infected and used for the cyberattack." Seems a little more realistic for a national threat.
-
Re:HOW DID THE VIRUS/TROJAN get onto the PC?
http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208803634 Social Engineering the USB way is a great read.
Human nature: Don't you just love it?
I have been an IT tech for many years and *still* don't know how to do URL links in /. comments :(
-
DarkReading!
TFA is just blog spam. See source.
And I wonder, are the maintainers of schoolmate and webchess now frantically patching their code? None of the articles gives dates - although the PDF is more than 18 months old.
-
Re:FAQ
I googled for the ecrime howto but couldn't find it. Link please.
Try reading this zine and this zine, too. This is also recommended. Try here, too. Start searching forums, IRC, etc. Subscribe to all the major vulnerability sites, too. Learn to code, if you don't already know how. Get skills in C, assembler, Java, SQL, Visual Basic, Python, PHP, Perl, Unix, Linux, Windows, DNS, TCP/IP, routing protocols, Apache, MySQL, PostgreSQL, Oracle, etc. Understand how networks and systems work, architecturally speaking, from a high-level all the way down to the physical hardware.
The learning curve is pretty steep for anyone who wishes to ascend beyond the level of 'l337 skr1p7 k1dd13'.
Be aware, however, that the penalties for getting caught are very high. Think Kevin Mitnick.
-
Enforce good passwords
Ensure your users pick good passwords, by preventing them from entering passwords described here (e.g. their firstname, "password", "qwerty", etc).
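A password-policy check of the kind this comment describes, as an added example (not code from the comment or from darkreading.com): it rejects passwords built from the user's first name or a common word such as "password" or "qwerty", even with digits, punctuation or leetspeak bolted on. The denylist and the substitution table are constructed, and the `username` parameter is an assumed extra.

```python
import re
import unicodedata

# Constructed denylist of common passwords; a real deployment would load a
# much larger breached-password list instead of this handful.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "welcome"}

# Constructed leetspeak table, reversed so "P@ssw0rd" normalises to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a", "7": "t"})


def strip_affixes(s):
    # Drop leading/trailing digits and punctuation: "password123!" -> "password".
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)


def normalize(s):
    # Unicode-fold, lowercase and undo leetspeak so lookalikes compare equal.
    return unicodedata.normalize("NFKC", s).lower().translate(LEET)


def check_password(password, first_name=None, username=None, min_length=12):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Strip affixes before undoing leetspeak so trailing digits are not "decoded".
    core = normalize(strip_affixes(password))
    if core in COMMON_PASSWORDS:
        reasons.append("based on a common password")
    full = normalize(password)
    for label, value in (("first name", first_name), ("username", username)):
        if value:
            v = normalize(value)
            # Require 3+ characters so a short name does not match by accident.
            if len(v) >= 3 and (v in full or core == v):
                reasons.append(f"contains the user's {label}")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "qwerty", "Alice2024!!xyz", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, first_name="Alice") or "accepted")
```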