Domain: sophos.com
Stories and comments across the archive that link to sophos.com.
Comments · 553
-
Read these & tell us another one #1/2
Here's a SMALL partial only sample of OpenBid ad networks malware makers have taken advantage of to infect you with:
http://www.itworld.com/securit...
http://nakedsecurity.sophos.co...
http://www.zdnet.com/ad-exec-o...
http://search.slashdot.org/sto...
http://news.cnet.com/8301-1023...
http://nakedsecurity.sophos.co...
http://www.securityweek.com/ea...
http://yro.slashdot.org/story/...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.wired.com/techbiz/m...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
APK
P.S.=> See subject & those links...
... apk
-
Re:Who cares about Flash now that HTML5 is here?
I want to support my free web services by allowing reasonable advertising on websites, but not when they take over the resources on my computer.
Adblock Plus has a setting which allows unobtrusive through. It's their business model.
-
Re:Bullcrap
"The answer to that might be, *nix isn't as easy to exploit as Windows is, and we like it that way."
BWAHAHAHA oh you're straight-up fucking kidding yourself. Go take a look at the BILLION smartphones running Android (Linux) which are extremely vulnerable to all kinds of shit.
https://blogs.sophos.com/2015/...
Even sophos says you're full of shit.
Heartbleed and Shellshock were too easy.
"Yet, more than a billion laymen are happy running Windows, which they can't claim to understand"
Windows can write their shit in plain English for a regular user to understand. Linux manuals? 95% of the ones I've come across might as well qualify for a guide to neurosurgery written in binary. No documentation on what symbols mean what or do which function?
It seems as if plain English is non-existent in the Linux community. Your own failure to understand the basic plain English I just spoke is a prime example of this, with your own cherry-picking of my quote proving this even more so. I stated "Get off your fucking high horse, and write something in plain legible English for once in your life. NO FUCKING TECHNICAL TERMS."
Apparently you can't understand from my words that THE TYPICAL AVERAGE USER doesn't want all these technical terms thrown at them in a manual. This is why most people don't read a fucking manual in the first place.
Until you get your manuals sorted and in the sort of plain English like you were supposedly taught in elementary school, Linux isn't going to go very far.
-
Re:Ageism for the next generation
Agreed -- the grandparent is pretty ignorant of the history of viruses.
https://nakedsecurity.sophos.c...
i.e.
* 1982 - Prehistory: Elk Cloner
* 1987 - nVIR
* 1988 - HyperCard
* 1990 - MDEF -- (Windows 3.0 released)
* 1991 - German folk tunes
* 1995 - Word macro viruses (Windows 95 released)
-
Re:Sigh..It's 2015..Windows still has these proble
OSX is a disaster waiting to happen:
https://twitter.com/i0n1c/stat...
https://nakedsecurity.sophos.c...
Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.
-
Re:Good
I've never seen a satellite.
I've never seen a bacteria.
I've never seen you, and heard that you exist ;-)
"I've never seen" is not a valid argument.
I did see problems caused by a Windows update.
Those have been documented, for example:
https://nakedsecurity.sophos.c...
http://borncity.com/win/2014/1...
Still, I agree with you that there seem to be more problems with non-updated, zombified Windows machines than there are from updates. At least so far...
-
Sophos UTM Home Edition
Go download: https://www.sophos.com/en-us/p... You'll have a free licence for 50 IP addresses per side. The beauty is, it's Linux; it supports more hardware options than pfSense. I use this to do exactly what you're wanting to do. I built small cheap computers ($250 a pop from Newegg, tri-NIC'd) to be the "FW", installed the UTM box at every family household that needed one and set up site-to-site VPN between them. Works perfectly and it's easy to manage.
-
But what about google maps?
Didn't Google already claim ownership of my SSID in case I wanted to opt out of Google Maps WiFi scanning?
-
Re: But Macs "just work", right?
Yes, if you leave out the number '500,000' it sounds silly, doesn't it.
And the only reason the number of exploits from untrusted sources is 0 on non-jailbroken iOS is because you simply can't install from untrusted sources.
Since you seem to want to compare Apples to Androids, though, here is one that infected 100k+ iOS devices, no jailbreak or untrusted sources required. And another affecting 75k+ jailbroken iOS devices. I stopped searching after finding those two (which took a whole 30 seconds); that it was so easy to find those two tells me there's a lot more to be found if I wanted to invest another half-minute in it.
Let's see, 500k of 900 million Android devices, that's an infection rate of about 5.6%. I'll admit, that's not great, but let's see how iOS fares before we get all uppity, okay? I can't find "in use" numbers, only that Apple has sold over 800k; I know they're not all in use, so I'll do a quick calculation based on market share. Worldwide market share, that is, since the 500k number you're touting is worldwide. So, Android's 81.5% market share means that 1% of the market is a hair over 11 million devices; iOS holds 14.8% of the market, or 163.5 million devices. 175k infected, out of 163.5 million devices, that's a 10.7% infection rate.
So yes, sure, let's assume that other malware exists for iOS, sure there are almost 3x as many infected Android devices, but an iOS device appears to be almost 2x as likely to be infected. Factor in that other malware certainly does exist (every jailbreak is an exploit and many jailbreak utilities have been bundled with malware; little reported but anyone involved in the scene knows, always get your jailbreak tools direct from the author, but even that is no guarantee). In short, the 175k number I used is smaller than it should be, making the 10.7% infection rate I came up with a fair bit smaller than the real infection rate, as well.
As a user of a single phone and a single tablet, running the less-likely-infected platform means I'm less likely to be infected. Period. That said, I greatly prefer iOS over Android on a tablet and absolutely love my iPad. I don't do anything mission critical on either device, so my exposure is limited in any case, but I'm a little more lax with my more secure Android phone than I am with my less secure iPad.
It doesn't at all sound like the result of bad philosophies colliding, thus breeding bad behavior from a massive number of customers.
Correct. It really doesn't. Unless you consider freedom a bad philosophy. Of course, with freedom comes responsibility, as in you are responsible for what happens when you misuse the freedom to install crap on your phone. Seriously, rather than volunteering to have our own freedoms stripped from us because we refuse to connect our actions with the consequences they bring, why don't we all just behave like the adults that we are and own our own liabilities? Android lets you do that, while iOS does not.
Oh, just wanted to mention since I'm somehow a douche for your laziness, you replied a full hour after the link you asked for was presented.
You're not a douche because I loaded the page long before that link was posted (not laziness, BTW), you're a douche for a whole slew of other reasons, many of which also apply to myself. So I didn't refresh the page before posting. We all do that, your point? Welcome to Slashdot.
Fandroids are especially vulnerable to SEP.
They also wouldn't own an iPad and two MacBook Pros. I guess you aimed your anti-Fandroid ray at the wrong guy.
-
Re:32MB?
If you don't learn from your history? Then you, sir, are a dumbass, because datamining is what Google does, and if there's one thing they love it's gathering more and more intel on you.
I mean, have you really already forgotten the stink over Google trying to ram G+ and real names down on YouTube? From Google Drive to even spying on kids' emails, the simple fact is Google is all about connecting the dots; it's what they do, where their income is coming from, and the more they can gather on you the more money it can make from its REAL customers, the advertisers.
-
Re:Please, no.
Now it won't just be arrests, though, but any interaction with police.
We just see the way this goes. Some tiny little thing gets taken out of context and posted online and people go fucking rabid, for and against.
There was a story a few weeks ago from Australia (just as easily anywhere in the US, though) about a guy who was "creep shamed" as a pedo when he was really just taking a selfie with Darth Vader as a joke to send to his kids. tl;dr mom sees guy take pic near her kids, flips, takes pic of him, posts online, 20k + views, death threats, cops, psychological trauma, etc etc.
And then of course there was a backlash against her (I'm not sure if her identity was revealed) with all the anti-moral panickers having a moral panic about moral panics. As terrible a mistake as she made, she doesn't deserve death threats either. If you think she does, congratulations on being part of the problem.
I just wonder how good the redaction can be that you can't match somebody up. It's not too hard to imagine the same kind of scenario playing out. Guy's at the park with his kids, kids are out of sight, cop asks the guy what he's doing here: "Oh I'm here for the kids." "Hmmm...all right then..." Internet Super Hero catches sight of this, snaps a pic, finds the footage on the police website later: "EVERYBODY WATCH OUT FOR THIS PEDO HE 'GOES TO THE PARK FOR THE KIDS!!!!'" Face is blurred and speech is altered, but it's clearly the same guy. Time/place/clothing.
Then of course there's all the other interactions with police where they're not talking to a suspect. What about interviewing victims? If somebody calls the cops on an abusive spouse do they now have to worry that their dirty laundry is going to be on the internet for everybody to see? How hard will it be to match up victims based on...who knows...addresses, landscape features, google street view data.
Same with the mentally ill. Bipolar family member having a manic episode and slipping into psychosis and you need help to get them to the hospital? Gotta think twice about making that call now. And yes, yes, I know there have been a few instances of cops hurting or killing a mentally ill person when their family called for help, but it's very rare compared to the number of times they're the only way to get a suicidal or psychotic person to the hospital for treatment. But now you're adding definite privacy concerns to rare brutality concerns.
Even if they can't identify you, you know some asshole is going to turn this into a game. "Post the funniest/most fucked up police footage." When I was younger and stupider I played a game with people on a forum once where you went to the sexual predator watchdog website where you could put in an address and it would show you the registered sex offenders on a map and you'd find the creepiest looking mugshots/conviction list near you and try to outdo the other people playing the game. I feel pretty ashamed of that now. But, well, it's going to happen.
I'm all for body cams, but man, I just think there's got to be a better way to oversee the program to protect people who have interactions with police than publishing the videos for everybody to see. Some kind of civilian oversight board that approves requests. 99/100, a time you're interacting with police is not a good day in your life. You're either a victim or a suspect, and you don't deserve to have one of the worst days of your life broadcast, particularly in these hyper-sensitive days of internet mob moral justice.
-
Already unconstitutional?
The Supremes have recently ruled that GPS tracking requires a warrant.
One could argue that a system which amalgamates multiple, automated sightings is pretty much the same thing as GPS tracking.
-
Better Link
WhatsApp issues 24 hour ban for WhatsApp Plus users
I'm not sure that WhatsApp has a leg to stand on as reverse engineering is allowed, and could be opening themselves up to legal action. What I do find amusing is this classic FUD argument:
Why am I banned for using WhatsApp Plus and how do I get unbanned?
WhatsApp Plus is an application that was not developed by WhatsApp, nor is it authorized by WhatsApp. The developers of WhatsApp Plus have no relationship to WhatsApp, and we do not support WhatsApp Plus. Please be aware that WhatsApp Plus contains source code which WhatsApp cannot guarantee as safe and that your private information is potentially being passed to 3rd parties without your knowledge or authorization.
-
Addendum: dozens more times... apk
More times ads have infected MILLIONS of users http://www.webroot.com/blog/20...
http://nakedsecurity.sophos.co...
http://dshield.org/diary/Malic...
http://slashdot.org/story/1964...
http://it.slashdot.org/story/1...
APK
P.S.=> Now, what's that you said about "they don't hurt that much"? They've INFECTED MILLIONS dozens of times over the past decade, which I've shown evidence of on top of those above, here http://developers.slashdot.org... & here too http://developers.slashdot.org... !!! apk
-
Times ads infected millions #2 of 2
Here's MORE in that regard (dozens of times, millions of users infected by ads):
http://it.slashdot.org/story/0...
http://www.securityweek.com/lo...
http://www.theregister.co.uk/2...
http://yro.slashdot.org/story/...
http://www.theregister.co.uk/2...
http://www.theregister.co.uk/2...
http://www.wired.com/techbiz/m...
http://news.cnet.com/8301-1023...
http://nakedsecurity.sophos.co...
http://www.securityweek.com/ea...
http://www.itworld.com/securit...
http://nakedsecurity.sophos.co...
http://www.zdnet.com/ad-exec-o...
http://search.slashdot.org/sto...
APK
P.S.=>
"And they dont hurt that much..." - by Anonymous Coward on Tuesday December 16, 2014 @08:00PM (#48613667)
Oh, really? See above, & "tell us another one"... apk
-
Re:The law comes to Deadwood.
And how do you find that out? You have absolutely no idea who is behind the threat. Sure, most of the time it'll be an empty threat, but are you willing to take that chance if it's your family? Look what happened here http://nakedsecurity.sophos.co...
-
Re:So what qualifies?
It's more to do with trolling like this http://nakedsecurity.sophos.co...
-
Re:Much as I despise trolls
No one will spend any jail time for Slashdot-type trolling, but they should for this type http://nakedsecurity.sophos.co...
-
Not only NOD32 but also Sophos
Sophos Files Samples (samples@sophos.com)
To: hhhobbit@securemecca.com
Cc: hhhobbit@securemecca.com, services@it-mate.co.uk, alecstaar@gmail.com, apk4776239@hotmail.com
Hello ,
Thank you for your submission. We have now released a fix for the file(s) you sent in to us for analysis.
If you have any further questions please do not hesitate to contact Sophos Technical Support.
Regards,
Romeo Carlo David
Sophos Technical Support
http://www.sophos.com/en-us/su...
Support knowledgebase: http://www.sophos.com/en-us/su...
Follow us on Twitter @SophosSupport
SophosTalk community (discussion forums): http://community.sophos.com/
SOPHOS - Security made simple
---
* That was June 2013 - not as recent as the others, but I am posting this one for posterity's sake too...
APK
P.S.=> 1 more coming in EmsiSoft... apk
-
Re:From bent to broken?
The bendable phones are a non-issue. People should be more careful and not bend their phones. Duh.
I'm with you on the buggy software though. They better fix Wave so it stops damaging devices!
-
Re:Thanks god
Thanks god I am using windows.
Umm. Russian ransomware takes advantage of Windows PowerShell
-
This is what I did
I have a PC in my living room that is on 24/7 and serves as my media server (xbmc) and storage (hardware RAID + LVM + NFS). It's also my compile machine, so I invested two years ago in an i7 3930k with 64GB RAM and loads of disk space. I'm running the community edition of Astaro Firewall (nowadays called Sophos UTM http://www.sophos.com/en-us/pr...) under kvm. I purchased on eBay a quad port Intel 1GB NIC which is reserved for my firewall VM. I have one port connected to my ISP, one to my internal network via a real hardware switch, one to a DMZ VM, and one to my wireless AP. The system is rock solid, Sophos UTM is being updated on a regular basis, has a long list of nice features, including OpenVPN and iOS/Android-friendly VPN solutions, with clients for linux/mac/windows/ios/android. The interface is super nice. And since a few versions ago it supports Google Authenticator for two-factor authentication, both to the admin console and the user portal, as well as the VPN. Very very nice feature. Works with iOS and Android, NetworkManager, etc.
In the past I was using NetBSD on an old PowerPC machine, then IPCop on the same PowerPC machine (I was the guy who ported IPCop to ppc and sparc), then IPCop on x86 under VMware Server, then IPCop under VirtualBox, then Astaro Firewall under VirtualBox. I switched to kvm+qemu because I was not happy with the VirtualBox network performance. I even played with PCI passthrough to have complete control over the network card. Finally I settled on libvirt + kvm with Astaro Firewall. I'm running all this under LFS (Linux From Scratch), but this setup can be easily replicated on any modern distro: Fedora, CentOS, Debian, Ubuntu, you name it.
Or you can try and roll something yourself, based on iptables, whatever. But if you're not into monitoring security mailing lists for the latest vulnerabilities, you're better off with an off-the-shelf commercial product with a free community offering.
-
Re:I don't see how MS can comply
Correct, Lavabit tried just that ( http://nakedsecurity.sophos.co... ) and was held in contempt for it ( http://www.theguardian.com/tec... ).
-
Re:All that money...
And then all that money that would be used to pay salaries that would be spent on expenses locally, making the local economy work, will be redirected to Bill Gates' pockets.
The chief idea behind this was to save money, yet it resulted in a poor user experience with many complaints. Saving money by paying salaries to people to produce a product that results in many user complaints is not a good economic choice.
Agreed. But exporting jobs to an already incredibly rich country is even worse.
Tough decision.
when all our documents will be locked in a proprietary cloud
No, you have stored them on a server, in fact any sane organization already stores all their documents on a server. They are not "locked" there, you could equally store them locally if you want. Did you not know that?
Nice. Stop paying Office 365 and try to get your documents.
:-)
Storing your documents in the cloud, the way we're doing now (granted, it's not the only way), is like storing private data on Facebook. You can't expect integrity in the former in the same way you can't expect privacy in the latter.
You didn't know that, right?
that anyone with the right influence will have access
So now it is a conspiracy? The defeatist has not heard of encryption? Or not storing sensitive data on a server you do not control? Anyone with the right influence could put a backdoor in the open source software too, and they wouldn't have to go through Microsoft to get one put in Windows.
Microsoft software may not be a good choice, but don't be so dimwitted as to think open source is some silver bullet that solves all the problems you pointed out.
You take it on the wrong side. =]
When you store your documents in the cloud, the software is irrelevant. Doesn't matter if you're using open or closed source software, the server's owner can do whatever he wants and you'll never know.
Now... About that encryption thing....
-
Re: There we go again
You probably shouldn't try to write about things you don't know about or understand.
1. The industry-accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU-intensive an algorithm as possible).
2. Many organisations have had database intrusions where these password hashes have been stolen (e.g. eBay, LinkedIn, LivingSocial etc.)
3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.
4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.
-
Still more times adbanners infected us ray
See subject-line, & even more examples (more than ever before & FAR from a complete total) - & adbanners ROB THE SPEED/BANDWIDTH WE PAY TO BE ONLINE as well:
Black Hat: Ad networks lay path to million-strong browser botnet
http://www.itworld.com/securit...
OpenX ad servers "pre-compromised" - official distro contained remote code backdoor:
http://nakedsecurity.sophos.co...
Ad exec: Online ad industry complicit in NSA PRISM datamining:
http://www.zdnet.com/ad-exec-o...
Bing serving malware ridden ads:
http://search.slashdot.org/sto...
APK
P.S.=> Had enough yet, raymorris? I've got even MORE coming (as to what folks think of adbanners slowing them down, stealing their speed/bandwidth they PAID FOR to be online no less, folks NOT liking being tracked by adbanners, & advertisers STEALING FOLKS' BROWSING HISTORIES even)... apk
-
Ever yet MORE times adbanners infect us ray!
See subject-line, & yet more examples (Even more than ever before & FAR from a total) - & adbanners ROB THE SPEED/BANDWIDTH WE PAY TO BE ONLINE as well:
2013 - Google settles rogue drug ad claims for $500 million: http://news.cnet.com/8301-1023...
Pertinent quote/excerpt: "The Web giant pays out one of the largest forfeitures ever in a settlement with the Justice Department over claims that it accepted ads from rogue online pharmacies."
(Thus, they aren't even CHECKING who or what is putting up those ads, ripping folks off &/or possibly worse, injecting them with malicious code for enslaving their systems into botnets + ripping off their personal information such as bank account numbers & what-not...)
2013 - NBC website hacked and distributes malware - here's what happened:
http://nakedsecurity.sophos.co...
More dangerous to click on an online advertisement than an adult content site these days, Cisco said:
http://www.securityweek.com/ea...
APK
P.S.=> Still TONS more coming, raymorris...
So much for YOUR 'b.s.' since the strong websites that aren't ONLY in it for profits would survive (vs. the greed driven ones & malware laden ones DUE TO advertiser negligence)... apk
-
Ever yet MORE times adbanners infect us ray!
See subject-line, & yet even MORE examples (Even more than ever before & FAR from the total) - & adbanners ROB THE SPEED/BANDWIDTH WE PAY TO BE ONLINE as well:
2013 - Google settles rogue drug ad claims for $500 million: http://news.cnet.com/8301-1023...
Pertinent quote/excerpt: "The Web giant pays out one of the largest forfeitures ever in a settlement with the Justice Department over claims that it accepted ads from rogue online pharmacies."
(Thus, they aren't even CHECKING who or what is putting up those ads, ripping folks off &/or possibly worse, injecting them with malicious code for enslaving their systems into botnets + ripping off their personal information such as bank account numbers & what-not...)
2013 - NBC website hacked and distributes malware - here's what happened:
http://nakedsecurity.sophos.co...
More dangerous to click on an online advertisement than an adult content site these days, Cisco said:
http://www.securityweek.com/ea...
APK
P.S.=> Still LOTS more coming, raymorris...
So much for YOUR 'b.s.' since the strong websites that aren't ONLY in it for profits would survive (vs. the greed driven ones & malware laden ones DUE TO advertiser negligence)... apk
-
Re: Fire(wall) and forget
If this were the 1990s, this would be the perfect answer. Back then, the idea was that you use a firewall as a perimeter defense in a defense-in-depth strategy.
But this isn't the 1990s, this is 2014. Nowadays, you have to assume that at least one endpoint on your local network is compromised in some way, whether that be via malware infection, clueless intern, corporate espionage, disgruntled employee, etc.
These days, any decent firewall does a lot more than prevent access to ports -- most actively monitor the traffic passing through any open port, and when configured correctly (in this case for a DB server), they'll lock down and flag anything that doesn't look like a SQL transaction, and then check for common SQL exploits, for connections from network points that should not have access to that port, for binary objects being passed in the SQL queries, and more.
What this means is that if you consider a firewall to be enabling the Windows Firewall on your MSSQL Server/Windows Server 2008 box, it's probably a good idea just because those boxes are usually not locked down correctly, and someone could be browsing facebook in IE on that box unless the firewall prevents it. But this isn't really the sort of firewall you should be applying to a transaction server that may one day have to be PCI DSS compliant.
See https://nakedsecurity.sophos.c... for one case study of how things can go horribly wrong incrementally.
-
Re:Thankfully those will be patched right in a jif
Of course such a vulnerability would probably never be FOUND in iOS or WinPhone, since they are closed source, and almost certainly never disclosed if it was.
The last major security flaw in iOS was found in open source parts of iOS.
http://nakedsecurity.sophos.co...
And all phones released since 2009 received the patch. (iPhone 3Gs and up)
No, not all of Android is open source, and Google is closed-sourcing more and more of what is considered "Android" by most people.
-
Re:Um...
Having bugs is an inevitability what with how software is written by fallible humans.
How those bugs are identified, handled and fixed is the issue. In proprietary software, the OpenSSL bug might not have even come to light as it did, and a fix certainly wouldn't have been released as immediately as it was.
You misunderstand the value of F/OSS. It is not that our software is bug-free and theirs is buggy; it's that we can see and fix our own bugs and not sit on our thumbs waiting for a fix.
... cf http://nakedsecurity.sophos.co...
-
Re:secure from what?
Right, well, "signed by anybody" isn't that much different from a code safety perspective than unsigned code; you still have to trust who it is signed by, and while they might not be able to modify existing apps, we can see from the malware examples on Android (even though I don't believe that many are particularly widely circulated) that this doesn't make much of a difference in terms of their ability to be malicious.
It very much does, actually. Your phone stores a keyring of known publishers for your apps. If you try to patch an app that has a different certificate, you'll be made well aware that something is off.
The one you refer to was a research project, it's hardly a "major slipup" (I'm sure platform fanboys would like it portrayed that way but I don't have a religious devotion to any technology platform), in fact it had exactly zero impact on anybody, period.
How about this one then:
http://www.wired.com/2012/07/f...
Of course, the iOS one was found only after the Android app of the same name was discovered. Nobody would have checked otherwise and it would have still been in the wild by now. And that wasn't the first either:
http://nakedsecurity.sophos.co...
In fact in all three of these incidents, Apple never discovered any of them. If there is any other real malware in the wild, the authors aren't going to tell Apple about it first of all, and second of all, no independent security researchers outside of Apple are allowed to vet them (except for jailbroken users.) Unless the malware author makes a major screwup like creating an Android malware app of the same name, (or making it blatantly obvious to the end user) it'll never be found.
No, I don't think that's true at all. I guess I'm an Apple user (amongst Windows, Android and Gentoo) and I pointed out that whilst they are very good they are not perfect, which is the same as Google with the Play Store.
If you don't think apple users commonly go around spouting that "Macs don't get viruses," then I've got a bridge to sell you. Fuck, Apple even had a commercial effectively making a similar claim.
Obviously if you restrict yourself to the Google Play store it is very much the same thing as using an iOS device which is restricted to the Apple App Store. But that negates the biggest advantage of Android.
That's just the thing: You don't HAVE to do so. For most users, it's a pretty good idea, and they do exactly that. However for people like me, I'll get apps such as adfree, or like how I patched the Kindle app myself to show ebook PIDs so I could dedrm my own kindle ebooks. Try that on an iPad. In fact I'll answer for you because I already own one: It can't be done.
Neither is inherently more secure, it comes down to flexibility and if you provide the freedom to do whatever the user wants and they take it then - just like on desktop systems - the user needs to take on additional responsibility, which they usually aren't capable of or willing to do.
Other than sticking to the play store, right? On the contrary, there really is no good standard app source on Windows or OSX unless you want a good selection of mostly crappy ones.
-
Re:For God's Sake, Internet is a LUXURY not a UTIL
Brick & Mortor [sic] at their local bank. Many still do it this way today given the security nightmare that online banking has suffered recently.
May or may not be. Oftentimes, any bank security breach is from a user, not from the system. In other words, either the client or the employee causes the security breach to the system ( http://money.msn.com/saving-mo... ). Many who use online banking understand the convenience they get plus the time saving. As long as they properly use it (i.e. http://nakedsecurity.sophos.co... ), the security stuff would never be an issue.
Again, a trip to the lawyer's office...
I agree that the legal forms should be done via a person/lawyer. However, there are other applications/forms that you could simply fill in via the Internet rather than write/fill in a physical form. It is much more convenient, faster, and could be cheaper (no envelope and stamp). And one thing for which I feel it is very convenient to use the Internet is to file/submit a tax return!
That's why God invented schools...
Schools nowadays require students to submit/accept their work via the Internet/Intranet. It is a lot more convenient and it is NOT only for MOOC style, which to me is still in an immature state. Therefore, giving out assignments/homework via hand-out or on the board is much less convenient to both teachers and students. The Internet is there, why not utilize it?
NOAA Weather Radio...
I have no comment on this one because I do not check for the weather. However, on one note about "radio" in your comment, many people nowadays do NOT listen to their radio box but rather listen to the "Internet radio" instead. See the word "Internet"?
Phone call to broker...
May or may not get the information quickly. Also, those people would need to check on the INTERNET. Or do you think they need to call another person to get the answer for you? So why would you go through the middle man if you can get it directly?
USPS/ UPS/ FedEx Same Day Delivery...
Not unless you need the document (regardless of whether certified or prototype) within an hour and you need to deliver across the country. Also, these carriers do NOT GUARANTEE that your document will be delivered on the "same day." There are many cases already where they cannot do what they advertised. Most documents nowadays are in digital format. If it does not need a real signature on it or to be certified, why spend money on a carrier and time for delivery? Physical delivery is NOT what the Internet is for. Maybe you are still stuck in the hard-copy world.
Overall, the Internet has been absorbed into society long enough to be a part of society, especially in the 1st world countries. I would not reject the idea of its necessity due to its benefits. I will wait and see how it evolves. I am quite sure that it will be one of the utilities that humans will need to live on.
-
Astaro / Sophos
I've used Astaro for years and been very happy with it. It includes many free features (VPN is great) and there are other features you can add for a fee. Sophos purchased it a couple of years ago and still has a very feature-rich free version.
-
Re:Exploit, or dumb users?
Either is quite possible, though default password issues require that a PC on the LAN already be infected.
No. This guy mapped the entire IPv4 Internet using a bot-net running inside routers only linky link. Apparently he just used the default root:root or admin:admin to build the bot-net. Point being, he never used the infrastructure behind the routers, only the routers themselves.
From there it's not hard to imagine how you would go about changing the DNS settings on the router, and you could expand the bot-net if you know the algorithm the default passwords on newer routers are created with.
-
LMAO - weak trolls MAKE my point... apk
Thanks trolls, see subject-line, & this: You've shown WHO "can't 'face the music'" of his own actions (you sow the wind, I am your whirlwind of righteous indignation) & you WON'T answer, will you?
Nope - just 'downmods' to *try* to attempt to "hide" what you've earned libeling me, & best part's seeing you "EAT YOUR WORDS" yet again, here http://slashdot.org/comments.p... & of course, also the post I just replied to (my own).
You're NO man, despite your "big talk" I've seen from you... period.
* He's STRUCK speechless, & certainly hasn't shown me he's done better on HIS part, though he sure "talks a good game" (as is his usual, but nothing to demonstrate of his own I've ever seen @ least to compare to it... I'd RESPECT him more then @ least, but I have none for a BIG TALKER "service man" (probably a lie) allegedly who acts like a PUNK - the USA's in DEEP SHIT if THAT is the type defending us, because we'll lose wars with weasels like THAT @ the wheel).
APK
P.S.=> Sorry folks - he hasn't shown me any differently & I gave him EVERY fair chance on any grounds to do so... nope, he does a "Run, Forrest: RUN" & uses AC trolling posts (that's what I see, & I am FAIRLY SURE that's his game... that of a sadistic troll, whom imo & those of the folks noted @ SOPHOS security, have issues)... I am all done with that fool - he's running ("Oh sure" - he'll CLAIM he was ignoring me because he's "Too GOOD to talk to me" or apologize for libeling me... anyone NORMAL, knows the difference - that's where "his kind", the NOT MAN online as I call them, fail... they don't understand that, because they have the issues noted here http://nakedsecurity.sophos.co... )...
... apk
-
NOT glad to see "your kind"
Sociopathic trolls w/ no balls posting by AC ("Gee, wonder WHO this ac is", not (Lumpy)) & a condition others that are expert in their analysis arena seem to say YOU fit actually -> http://nakedsecurity.sophos.co...
* Your "kind" (lowest of the low online & weasels I call "not men") are described there, perfectly... sociopath trolls.
APK
P.S.=> Why don't you do something of service to others instead of being punks? I have & it's worth it & the RIGHT thing to do, for FREE & it works (I challenge & have challenged repeatedly, my naysayers & trolls like you to prove it doesn't in its 17 enumerated points, here) -> http://start64.com/index.php?o... For Pete's sake - being a psycho freak with NO BALLS, accomplishments, or integrity is not being a man, & it's no way to live a life imo - but, that's only me, however, I'd strongly wager the majority of normal folks agree with my sentiments... apk
-
Re:My router
I use Sophos' UTM product. http://www.sophos.com/en-us/pr.... It is not open source and grandma is not going to use this, but it is rock solid. Honestly the primary reason is country blocking and the daily email reports on the previous day/week/month's activities. You have to get a PC for it, but a small form factor Atom processor box works well and has low power consumption.
-
Re:I'm glad I'm not an attractive woman.
When even the cops use these databases on other cops you know the only solution is to stop building the databases in the first place.
That's kind of like saying we should get rid of bittorrent. Information is very easy to compile and distribute, and it is getting easier all the time. Right now it is abuse of government databases. Pretty soon EVERYBODY will have access to these databases, and they will store far more.
The app this article is about lets you snap a picture and get a search result in a minute - that's just an issue with CPU/bandwidth. In a few years the app can just run all the time, searching every face you see and imposing a name like a HUD, and the results will be retrieved instantly. The device knows your GPS location, so you can also log where they were seen and when. At first it will be just some data aggregators collecting this info, but soon there will be apps that let you store this data yourself and share it in an open database. Now we have an open database listing the locations of every person and object with a unique number on it (like a license plate, but not limited to this) for the entire planet for their entire lives.
You can't stop this sort of thing, any more than you can stop people from downloading movies. Society will just have to adjust to a complete lack of privacy and anonymity.
-
Re:I'm glad I'm not an attractive woman.
Maybe we should update our privacy laws and stop allowing companies and the government to store all this information about us in shitty databases to begin with.
This.
When even the cops use these databases on other cops you know the only solution is to stop building the databases in the first place.
Stalking pretty girls makes for a good visceral story, but the larger problem is one of political repression -- essentially using these databases to make it harder for political upstarts to instigate change, basically co-opting democracy.
BTW, that same database the cops used to stalk other cops? Also used to stalk political candidates.
-
Salt
Hope Target's systems used a salt when creating the 3DES.
If the Triple DES used a salt, then good, it will make it much more likely the PINs are secure, because then the hackers would have to brute-force trying a salt value, then all possible pins for 1 of the Triple DES encrypted PINs, which would take longer.
If the salt was unique for each PIN, then that would be the most secure ( but I do not know how a little machine where people give their pins could do that )
If no salt was used, then might be another case like what happened to Adobe: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
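As an added example (not part of the comment above, and not code from Target or Adobe), here is the failure mode the Adobe link describes, carried over to PINs: a fixed-key 3DES codebook with nothing per-card mixed in makes every card with the same PIN encrypt to the same block, while the ISO 9564 format-0 step of XORing the PAN into the PIN block removes that. The key, PANs and PINs are constructed values chosen for the demonstration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)
// Constructed 24-byte 3DES key, for this demonstration only (not a real key).
var demoKey = []byte("0123456789abcdefABCDEF01")
// nibbles decodes 16 hex digits into an 8-byte block; callers only pass valid input.
func nibbles(s string) []byte {
	b, _ := hex.DecodeString(s)
	return b
}
// pinBlock packs a PIN as ISO 9564 format-0 nibbles (0, length, digits, F padding).
// With mixPan set it is XORed with the PAN block (0000 + 12 rightmost PAN digits,
// check digit excluded), so equal PINs on different cards give different plaintexts.
func pinBlock(pin, pan string, mixPan bool) []byte {
	block := nibbles(fmt.Sprintf("0%d%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	if mixPan {
		for i, p := range nibbles("0000" + pan[len(pan)-13:len(pan)-1]) {
			block[i] ^= p
		}
	}
	return block
}
// encryptPin 3DES-encrypts one 8-byte block under the fixed key (a single ECB block).
func encryptPin(pin, pan string, mixPan bool) string {
	c, err := des.NewTripleDESCipher(demoKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, pinBlock(pin, pan, mixPan))
	return hex.EncodeToString(out)
}
// distinctCiphertexts counts the different ciphertexts a batch of cards yields. Without
// PAN mixing it equals the number of distinct PINs: repeated ciphertexts reveal which
// cards share a PIN, the same frequency leak as the Adobe incident linked above.
func distinctCiphertexts(pins, pans []string, mixPan bool) int {
	seen := map[string]bool{}
	for i := range pins {
		seen[encryptPin(pins[i], pans[i], mixPan)] = true
	}
	return len(seen)
}
// Constructed sample: five cards, three sharing PIN 1234 and two sharing 0000.
var samplePins = []string{"1234", "1234", "0000", "1234", "0000"}
var samplePans = []string{"4111111111111111", "4222222222222222", "4333333333333333", "4444444444444444", "4555555555555555"}
```

Without PAN mixing the five cards collapse to two ciphertexts, which is exactly the grouping an attacker holding the dump can count; with the PAN mixed in each card encrypts to its own block even though the key never changed.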
-
What this means
If you're like me you're wondering exactly what the implications of this revelation are in the real world. This article and this discussion helped clear it up for me.
Thankfully, this PRNG likely isn't used in any implementation of OpenSSL. It also doesn't appear to be used, at least in newer versions of Microsoft applications. It may be used in older Java and C applications though (especially those linking RSA's BSafe library).
If anyone has any more information or clarification that would be great.
-
Re:Nice, but...
It's definitely harder now, and I see that as a very good thing. Remember the drive-by website that was basically a remote root exploit? There's a vast difference between requiring physical access and operator permission, and being able to root a system through the owner visiting a web page.
-
Re:Better Than Commercial Software?
So, you made a donation to organized crime. How charitable.
As did this police department
...US local police department pays CryptoLocker ransom
=snip=
A local police department in Swansea, Massachusetts, has paid cybercrooks behind the CryptoLocker ransomware attack to decrypt files locked up by the malware on police computer systems, according to local press reports.
The police department spokesman claimed that the infection had been mopped up and their systems secured, with no personal information stolen.
=end snip=
-
Re:Hasn't been sued yet?
Just a quick Google search, but there's plenty of others:
http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx
http://nakedsecurity.sophos.com/2012/02/20/jail-facebook-ethical-hacker/