Domain: krebsonsecurity.com
Stories and comments across the archive that link to krebsonsecurity.com.
Comments · 228
-
Re:It's Not About Saving
It's not really that good of a safeguard when you can use the right to left override character to make a file name look like jpg or something similarly safe even when the file extension is shown. Just looking at what appears to be the extension doesn't help you in every case.
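The right-to-left override trick described in the comment above, worked through as an added example (this is not part of the original comment): a file named `holiday_photo<U+202E>gpj.exe` is displayed by a naive file manager as `holiday_photoexe.jpg`, while the operating system still dispatches on the real `.exe` extension. The checker below flags Unicode bidi control characters in a name and reports the extension the OS will actually use. The sample file name, the list of executable extensions and the single-RLO display approximation are assumptions made for the illustration.

```python
# Unicode bidirectional control characters. They change how a name is drawn
# on screen without changing the bytes the OS uses to pick a file handler.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions a file manager would normally warn about (assumed list).
EXECUTABLE_EXTS = frozenset(
    {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "jar", "msi", "ps1"}
)


def find_bidi_controls(name):
    """Return [(index, short_name), ...] for every bidi control in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS dispatches on: text after the last '.', with bidi
    controls stripped so they cannot hide a dot."""
    cleaned = "".join(c for c in name if c not in BIDI_CONTROLS)
    return cleaned.rsplit(".", 1)[1].lower() if "." in cleaned else ""


def displayed_as(name):
    """Approximate what a naive file manager shows: a single RLO reverses the
    visual order of everything after it (left-to-right text only). The full
    Unicode bidi algorithm is more involved; this covers the classic trick."""
    if "\u202e" not in name:
        return name
    head, tail = name.split("\u202e", 1)
    return head + tail[::-1]


def is_suspicious(name):
    """True when a bidi control is present AND the real extension is executable."""
    return bool(find_bidi_controls(name)) and true_extension(name) in EXECUTABLE_EXTS


if __name__ == "__main__":
    # Constructed sample name: RLO inserted before "gpj.exe".
    sample = "holiday_photo\u202egpj.exe"
    print("shown as :", displayed_as(sample))
    print("real ext :", true_extension(sample))
    print("controls :", find_bidi_controls(sample))
    print("suspicious:", is_suspicious(sample))
```

Because `true_extension` strips the controls before splitting on the last dot, the check does not depend on how the name happens to be rendered; a mail gateway or upload handler can apply it to the raw name it receives.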
-
Breadth of Source Material?
Given the relative rarity of the language, and I'll assume isolation and technical illiteracy, there can't be a whole lot of material for them to build their translation engine on. How well does it work, and on esoteric topics? This might be a playground for conspiracy theorists looking for Mayan doomsday predictions when it generates strained translations.
-
Re:Sensational headline
Yes, everything is being tracked everywhere, to the greatest degree the consumer allows it to occur. The credit reporting agencies' behavior overall is really a cause for concern. I think the central job these companies do should be firewalled off from all other commercial interests and activities. There is a risk of non-financial data creeping into financial evaluation of borrowers and job seekers and that has a lot of potential for harm. The credit reporting agencies are also guilty of sharing personal info in some very inappropriate ways. The Experian incident being a fine example: http://krebsonsecurity.com/201... . It's basically impossible to have a normal existence in the U.S. without allowing these companies to have your personal information. If we can't trust them to safeguard our data and use data appropriately, then none of us can be safe from fraud and unreasonable discrimination, no matter how careful we are in our own lives.
-
Re:someone explain for the ignorant
One relevant topic is the difference between chip and pin versus chip and signature. There seem to be two ways to implement the chip technology and each has their own security concerns. The U.S. seems to be more focussed on chip and signature which would appear to be the less secure of the options. Here is a good article talking about the differences. http://krebsonsecurity.com/201...
-
Re:someone explain for the ignorant
Lost/Stolen card:
Distinguishing characteristic: The smallest source of fraud on cards. Consumer generally knows immediately or is alerted by bank to suspicious transactions, which often involve small test transactions to see if the card is still active — such as at automated gas station pumps.
Source:
http://krebsonsecurity.com/201...
Common sense, friend. You can hack and get a million cards, or risk going to jail as a violent offender to get one card. Duh?
Got anything else to say? Colorful words? Anything?
-
Links on how to scam chip and pin
EMV is hacked not because EMV is theoretically secure but the implementations of it are botched. Predictable unpredictable numbers, transactions not testing cipher validity or the incrementing number are hacks in widespread use right now. The easiest hack of all is to move the card number from Europe to any country that does not yet use EMV. All the EMV cards work in those countries by reverting to just mag stripe signature cards. Yeah, you could implement geo-locking but once again, they haven't done the implementation right. Chip and pin on ATM cards is also being exploited by card snatchers in false fascias of ATM machines (they video your PIN, then physically steal the card, unlike the mag stripe, which doesn't have to be physically inserted all the way into the machine to work).
http://krebsonsecurity.com/201...
http://www.telegraph.co.uk/new...
http://krebsonsecurity.com/201...
-
Re:What was the attack vector?
Still working to confirm this, but the vector may have been a 0-day Adobe Acrobat vulnerability. Far from sophisticated. http://krebsonsecurity.com/201...
-
Intuit is NOT making things right! Cost: 4 cents.
Intuit is NOT making things completely right! Intuit is apparently just reducing the amount of abuse. See this explanation by an Intuit VP on Amazon:
"... returning customers who have already upgraded to Premier or Home & Business, we are continuing to offer $25 cash back through April 20."
Apparently only customers who know about the rebate will get money back; that may be a very small percentage. Many customers paid $30 extra, so Intuit will still make $5 extra for tricking customers. Some customers have automatic extensions of time to file, so they won't get the "$25 cash back", because they will file after April 20.
See this Amazon review: **UPDATE -- IT'S EVEN WORSE**. Quote: " Even in the high-priced Premier version, Schedule C is crippled -- limited to $100 of deductions in a couple of expense categories. I.e. only good for a tiny hobby business, and maybe not even that. So now having forced me to Premier, even that high priced product is useless to me."
See this story: Citing Tax Fraud Spike, TurboTax Suspends State E-Filings. Quote: "Cyber thieves have long sought stolen credentials for hijacked tax preparation accounts at TurboTax, H&R Block and related services."
Another quote:
"Stolen TurboTax or H&R Block credentials are cheaper and more plentiful that most people probably would imagine. According to the below-pictured well-known seller on the Dark Web forum Evolution Market, hacked accounts currently can be had for .0002 bitcoins, which works out to about 4 cents apiece."
Another:
"Unfortunately for Intuit and its users, calls for the company to support two-factor authentication have fallen on deaf ears so far, at least according to twofactorauth.org, a site that tracks which popular cloud-based services support the added security measure."
Intuit has a LONG history of abuse, of being anti-customer to make more money. Dishonest people don't later become honest, generally. This is an example of that. Dishonest people, when forced to correct their dishonesty, look for other ways to be dishonest.
If Intuit has a capable, strong board of directors, which I doubt, the board should consider getting a new CEO, and firing all the other dishonest people in Intuit top management.
This comment gives only a very short summary of what I consider to be Intuit's anti-customer behavior.
-
Re:bank I use ... allows (weak passwords)
1) One of my CCs was just switched to Chip & PIN.
AFAIK the US banks' implementation of Chip & PIN is just "Chip". They haven't quite figured out the "& PIN" bit yet.
-
Re:For all of you USA haters out there:
Interesting, America being different again ;-)
I found http://krebsonsecurity.com/201... which has some background. I'm not so sure about the security risk; there has been a recent slight increase in lost+stolen fraud in the UK (PDF graph: starting at £120M pre-introduction, it reduced to £50M, but has since increased to £60M. In step with other types too, so maybe it's just more crime in general.) That contradicts the person quoted though.
The other suggestion -- that people will pick the 'easiest' card in a competitive market -- sounds much more likely, especially as it's the reward cards that do use a PIN.
Not having a retailer take a card to check a signature helps -- they can't copy down the details to use online. In restaurants they must bring the machine to you, so you can type a PIN, and the card never leaves your sight (or often possession).
-
Re:Typical
What is the deep thinking that went into this action? Why change the established process at all if it was working?
One of the possible reasons could be Canada's anti-spam law. https://krebsonsecurity.com/2014/06/microsoft-kills-security-emails-blames-canada/. Initially it was going to happen half a year ago, but Microsoft backed away. Dunno if there have been some new developments.
-
Re:And therefore it is no surprise that ...
Finland should be cut off from the Internet because of the actions of its criminals.
http://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail/
-
Re:Hacker Group?
Indeed<voice>.
-
Re:Alias?
Ryan C. is a pretty good alias when your name is Julius Kivimäki.
-
xx,000
That is pocket change compared with the 38 million Adobe users of last year or the 7 million Dropbox users last October. Even the Sony hack of the data of internal users was in the same order of magnitude.
-
Re:Sure...
From what I've read, the Target crack was funnelled through a 3rd party HVAC company that did not secure their systems sufficiently.
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
They may have done more AFTER the scripts gave them access. But it appears that the scripts gave them the initial access.
Where did it actually say that? They know the credentials given to Fazio were used to access the Target systems as the point of entry, but they don't know how the miscreants came into possession of them. The most likely method was a spear phishing attack that allowed a keylogger on to one of the PCs at Fazio. It's simply too far fetched to think that someone trolling with a script happened across Fazio, then just realized they could use it as a backdoor into Target, and then also be in possession of some very sophisticated malware that, oh gee look, matches the Target POS systems exactly down to the firmware rev number.
-
Re:IF?
"In particular, the material includes both material under copyright, as well as trade secrets. Copyright law doesn't include a safe harbor for "but I'm a newspaper" or a generic "first amendment!" defense - while papers could publish short excerpts of the leaked info under fair use (17 USC 107), for news or commentary purposes, they could not, say, publish the entire script to the new Bond movie, relying on a defense of "well, we didn't steal it, and the first amendment says we can publish anything we want because we're the media. Going further, many states' trade secret laws actually include explicit provisions about publishing trade secrets that were obtained unlawfully, even if you weren't the person who originally stole them. And while terrible law professor Eugene Volokh thinks that the Bartnicki case has a first amendment exemption, he's clearly never actually read it..."
How is this any different from what Volokh said? No news company is publishing the entire script to a new Bond movie.
"Volokh observes that if a publication were to publish huge troves of data stolen from Sony, doing so might be seen as copyright infringement. 'The bottom line is that publication of short quotes, or disclosure of the facts from e-mails without the use of the precise phrasing from the e-mail, would likely not be infringement — it would either be fair use or the lawful use of facts rather than of creative expression,' he writes. Volokh concludes that Sony is unlikely to prevail — 'either by eventually winning in court, or by scaring off prospective publishers — especially against the well-counseled, relatively deep-pocketed, and insured media organizations that it’s threatening,” he writes. “Maybe the law ought to be otherwise (or maybe not). But in any event this is my sense of the precedents as they actually are.'"
http://krebsonsecurity.com/2014/12/in-damage-control-sony-targets-reporters/
-
Brian Krebs received one & posted it...
Brian Krebs got one, reported on it, and was kind enough to post it for the world to see Sony for their true colors...
Article: http://krebsonsecurity.com/201...
Demand Letter: http://krebsonsecurity.com/wp-...
I can hear Barbra Streisand's voice now... (Well, what I hear is "her" voice from the Mecha-Streisand "South Park" episode...)
-
Re:Prefix This
(feeling karma-guilty now) Some of my previous BGP bookmarks,
The RFC6480 I'm sure you'll want to read this first, every bit of it. Others may wish to skip on to the next chapter which is a good bit and has Marvin the Robot in it.
Introduction to BGP and How BGP best path (by default!)
[2014] spammers squatting on unassigned IP address ranges
[2014] Using BGP advertisements to gather Bitcoin mining traffic (doing digital money with unsecured protocols, kewl!)
[2012] Packet Pushers #93: Lies and Routing in the Internet great interview with Geoff Huston. Look for the show notes links too.
[2012] Packet Pushers #105: BGP Origin Validation with Resource Public Key Infrastructure (RPKI) with Alex Brand from RIPE. Discussion of attack profiles, resistance and real-world challenges to its implementation.
[2012] Previous Slashdot: Engineers Ponder Easier Fix To Internet Problem
[2013] Denver pings Denver --- via Iceland! Someone's Been Routing Internet Data Through The Great Chefs Of Europe
Here's some confusing BGP routing diagrams to print out and tape to the walls to impress everybody.
-
Re:Not a chance
What? Target's CEO resigned earlier this year [businessweek.com] after the breach severely impacted the company's already struggling bottom dollar.
5 months after the massive data breach. Ooooh boy that is quick and decisive action. Now, do you care to address The Home Depot CEO still being around? Care to address the Staples CEO still being around? Care to address the K-Mart CEO still being around? Care to show me which executive's head is rolling over the Dairy Queen breach? Would you like me to continue on with all the examples that run completely counter to your claims?
A singular example of an already poor-performing CEO being asked to step down does not prove your point in light of all the other data breaches where the CEO wasn't quickly fired for such a massive failure in security.
-
Re:No shit, sherlock
Don't forget that a lot of people there have decent CS and maths education, but less than optimal employment opportunities.
You're absolutely right.
Add to that a dim view of government in general
If by general, you mean government anywhere, I would agree with that. A lot of the CS and math guys from over there came out with a general attitude of unlimited cynicism towards any government. As for their own government I would say the guys we're talking about here likely see their own government as being a non-issue in their enterprise. Hell, one of the top spammers from Russia wasn't busted until we found out he had a sex dungeon full of young and disabled children in his basement. Eventually it seems he felt so far above the law as to not even bother trying to hide from it.
-
Also at krebsonsecurity.com
Brian Krebs covered it too: http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/
-
Re:TFA isn't about trolls
Technically, libel and slander are grounds for a civil suit, not criminal. Death threats and impersonation/identity theft are criminal but can be pursued civilly as well. Victims need to start lawyering up and getting rulings that bankrupt the trolls, and put them under restraining orders for their internet activity. If they persist put them under court orders barring them from accessing the internet, and throw them in jail for criminal contempt if they violate the court orders.
The standard of proof for civil suits is significantly lower than beyond a reasonable doubt, so the main barrier is getting internet sites and ISPs to release information that can identify the anonymous offenders.
And once again, this is not a feminist issue. Doxxing and SWATting are rampant against males as well. From Wikipedia:
* In the past, there have been swatting incidents at the homes of Ashton Kutcher, Tom Cruise, Chris Brown, Miley Cyrus, Justin Bieber and Clint Eastwood.
Brian Krebs has suffered various harassments for several years now, as documented here: https://krebsonsecurity.com/20...
Basically once you reach a certain level of fame or notoriety on the internet, you are likely to piss off someone who thinks it's fun to engage in these kinds of activities.
-
Thank you for proving MY point on hosts then
"Absolutely. We've seen this over and over. VLSI was a lot better than discrete components. A one-piece forged hammer is a lot better (and safer) than a hammer with a handle held in place by a wedge. Single-piece wheels are a lot better than the old split-rim wheels (no inner tube, and no danger of the ring flying off when inflating and killing someone).
By using the plasma as the containment field, there's less energy needed overall. And fewer components to break. And maintain. So, lowered material and labor costs in day-by-day operation as well. At least that's what we're all hoping for." - by BarbaraHudson (3785311) on Thursday October 09, 2014 @09:33AM (#48101973)
See subject-line: My use of hosts does far more than adblock with less moving peripheral parts room for complexity + breakdown OR exploit!
It IS the SAME principle as what you're championing here!
(Yet I also do FAR MORE than AdBlock does, with less moving parts + overheads BY FAR, yet with less parts involved - using what you already have in using the IP stack itself as a "containment field" (much like this system you LIKE does) vs. malware, botnets, spam/phish, ads of all types, etc. - et al)
* Get it, Barb? Good... YOU FAIL!
After all - YOU have essentially said it yourself with this topic, that doing more with less IS GOOD ENGINEERING (vs. "bolting on more" overheads to do the same job a simpler already NATIVE part can)...
APK
P.S.=> Heck - Even the disassembler of the Morris Worm agrees on MY design as YOU DO TOO -> http://it.slashdot.org/story/1...
As does Mr. Krebs here (quoting Amit Yoran) also http://krebsonsecurity.com/201... AND SO DO YOU, Barb (set you up like a bowling pin, didn't I? Absolutely!)
... apk
-
Nothing compared to what's coming.
-
Re:Yo Dawg!
I really think the original article made that joke so much better with the meme they included:
http://krebsonsecurity.com/wp-...
Leaving us to ponder, how many bugs would bug Xzibit enough for Xzibit to exhibit bugs?
This whole thing is way too meta, I am going back to bed until it is over.
-
Lawyer is wrong, no holes in FBI story
Silk Road said they blocked requests. But their attempt to do so was incorrect, it allows any php request through. Think about how secure that server was...
-
User not always weak link
In a related story from Brian Krebs, Silk Road was not outed by a badly configured CAPTCHA, as the FBI said. They seem to have another way to peek in TOR: http://krebsonsecurity.com/201...
-
Re:Oh god why.
Skype already leaks your IP anyway (both to active callers and to anyone that requests it as long as they know your username.)
It's common knowledge in live streaming that you should hide your Skype username when streaming to prevent DoS attacks.
-
Re:seriously?
http://krebsonsecurity.com/201...
You're welcome
:)
-
Re:Findings...
They say ASLR is disabled
I *think* what they are saying is that:
ASLR is disabled in their build of the software. (It must be enabled via compiler option.)
However, ASLR is enabled in Windows itself.
from Microsoft:
http://www.microsoft.com/secur...
Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process. The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.
ASLR was introduced in Windows Vista and has been included in all subsequent releases of Windows. As with DEP, ASLR is only enabled by default for core operating system binaries and applications that are explicitly configured to use it via a new linker switch.
As for EMET and ASLR:
Basically EMET can force recent versions of Windows to use ASLR even on applications that don't explicitly build with support for it:
http://krebsonsecurity.com/tag...
EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you'll need to have Microsoft's .NET Framework 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.
-
Re:For those thinking that these are insider jobs
Target was hacked via their HVAC system.
-
Re:Guam is in the Maldives now?
Interesting article on the details of what he's charged with here, with screenshots of the operation he stands accused of running.
While the details of the arrest are still hazy, one thing is clear - they've had this guy in their sights since 2011. It's not surprising that they issued a sealed indictment for him, mind you, that's not particularly unusual for a case like this where the subject is unlikely to be extradited and would avoid your jurisdiction if the indictment was public (nor is the US in any way unique in this regard). And since I've seen others commenting about this: yes, the Secret Service is the correct body to have jurisdiction over this, as they (strangely) are in charge of enforcement against financial crimes. Back in the early days of commercially available inkjet printers, the nerdy high school/college program I went to (TAMS) once got a visit from the secret service when one of the students figured out that he could print good enough replica dollar bills on one to fool the scanner on the drink machine in the lounge. The total volume of the forgery had to be tiny, I'd be surprised if it was more than $100, but still, if you feel like getting involved in financial crime, expect the Secret Service to be looking out for you. ;)
The scandal here would be if this was an extrajudicial "kidnapping" in the Maldives, with the US swooping up in a van, grabbing the guy, and jetting him off to Guam to use as a bargaining chip, as has been alleged by the guy's MP father. I seriously doubt all that, but we'll see where the truth lies.
-
Re: Someone put gum in the outlets.
That reminds me of this post by Brian Krebs. How hard would these things be to set up with some nefarious device that installs a Trojan on any phone that connects? I imagine a well-crafted overlay panel wouldn't be too hard to put on one of these things, or they could come by at night and just install it internally. Sounds too dangerous to me, I think they're going to find this is more trouble than it's worth.
-
Re:Just P.F. Changs?
I was wondering the exact same thing. They don't like to make it known that they're the same company, so I wonder if they use the same CC processing system or not.
Even if they don't use the same CC processor, if the attack was aimed at the Point of Sale system and the companies have their networks linked and/or they're using the same Point of Sale systems, it's possible that both were hit in the same attack. The Target breach (and several subsequent breaches) involved special memory-scraping malware loaded on the Point of Sale system. This scraped the Credit Card data long before it ever got to the Credit Card processor.
Reference: http://krebsonsecurity.com/201...
-
Re:Lesson learned
Brian Krebs' blog entry indicated that Mr. Curtis Gervais allegedly made at least 30 fraudulent phone calls (two of which targeted Krebs himself). It may have been more.
My suspicion is that the perp getting caught might have had more to do with Twitter bragging and the apparent leaking of his real-life identity on Pastebin, rather than the mere number of calls he had made.
-
Re:Knew this
For the ass banana that marked me down.
http://krebsonsecurity.com/201...
-
Re:This isn't why they had a security breach
It's just a blame shift and the issuers are not going to stop till they can make US consumers responsible to prove fraud while still on the hook for whatever charges were made. Same as in Europe where the system has been corrupted already but the banks are silent on it and where the consumer has to prove the charges are fraudulent
Like this:
or this:
And many more on the internet that I am more than surprised the Slashdot community didn't point out. Much different community than ten years ago on here.
-
Don't forget this Flash 0-day
A 0-day for Adobe Flash was also patched today.
For some reason I had three different and separate updates I had to do to fix this:
1) Chrome automatically updated something and was running the latest version when I checked
2) The plugin that Firefox uses only seems to look for updates when I reboot. I found this guide to trigger the update manually, which basically then resulted in it just opening a browser window & making me download an update .exe.
3) Even after that, IE still reported running the older version. I ran Windows Update manually and discovered there was a separate patch in there for Flash for IE.
Pretty awesome.
-
Re:Business opportunity
Bit9? Seems to ring a bell... Oh, yes, aren't they the illustrious security firm whose site got hacked and turned into a malware redistribution centre about 6 weeks back?
Hey, whaddaya know, they are.
-
Here's a Better Read
Are Credit Monitoring Services Worth It?
In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.
[...read the rest on the blog...]
-
Re:hack the planet
Bullshit. Why do people like you always assume that the fabled terrorist doesn't already know about these holes? Or are actively searching for them? If you've been following security for any length of time, you would know that in most cases the "bad guys" are many steps ahead of the researchers, if not on a whole other playing field. This renders the standard security by obscurity irrelevant, if not straight up dangerous.
But, suppose an imaginary terrorist group has decided that they wish to conduct some good old fashioned cyber-terrorism, what the fuck do you think they're going to do? Wait for a talk at some random conference? Or start utilizing the expertise they have on hand? The massive security holes in the digital infrastructure do not magically appear once a researcher publishes a paper on them, they were there all along. If you're a terrorist and itching for some mayhem, you're not going to sit idly by, twiddling your thumbs and waiting for the next research paper.
By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.
Stupid terrorists go in the front door with guns blazing, and get gunned down in the courtyard. Smart terrorists exploit holes nobody is aware of to maximize their payoff.
* In this reply, the term terrorist is used as a stand-in for <insert scapegoat of choice>, a good choice could be the guys who did this, or this guy, or maybe these guys.
There are so many of them it's not even funny anymore; it has become easier to count the institutions with a grasp on their own security than those without. So please good sir, wake the fuck up.
-
Re:"Easter Europeans" or "Russians"
A Russian can be an Eastern European while an Eastern European can also be a Russian. I don't see the problem. Besides, the actual criminals that Krebs is covering don't seem to mind the mingling, case in point: A First Look at the Target Intrusion, Malware
From the second to last paragraph:
Group-IB goes on to link that account to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hacktivist collective known as Anonymous.
So I guess until the Eastern European criminals themselves make the distinction, you'll have to live with it. Or clean up at home.