Slashdot Mirror

What really pissed me off about the data harvesting that Microsoft is doing with these updates is how Microsoft callously has ignored any wishes I had previously stated regarding my preferences for not harvesting data from my computers.

> "This package updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded."

Please, Microsoft, explain the benefits that are provided. You want to know why some of us wear tinfoil? Because words like "experience," "benefits," and "improvements" have been twisted into precisely the opposite of what they used to mean.

> Included in this update: ...Reduces the network connections on a Windows system that doesnâ(TM)t participate in the Customer Experience Improvement Program (CEIP).

If the customer has opted out, not one motherfucking byte should be transmitted. Not even the DNS query for the telemetry servers. What part of THE USER HAS OPTED OUT does Nadella not understand?

And just to amplify that "not one motherfucking byte" concept -- NSA doesn't give a shit about what I fap to, PLA doesn't give a shit about my 8-bit microcomputer geeking, and FSB doesn't give a shit that I think Putin is a dick -- the point remains that even things as innocuous as error reporting have been, and will continue to be, used as attack vectors by state-sponsored actors.

The user must, at all times, be able to make the tradeoff between usability and security, because once again, Microsoft has erred.

Those of us concerned about this telemetry data are more concerned that any packets exist in the first place. There is no rational reason for Win10 to reach-out to Microsoft's servers (or any servers) when an application like the calculator is opened, especially if all of the supposed "privacy" features are set to a mode that implies that no data will be shared with the outside world.

Different AC here: And this is why. https://threatpost.com/unencrypted-windows-error-crash-reports-a-treasure-for-nsa-hackers-alike/103363

Data leakage is data leakage. If it can be exploited by NSA, it can be exploited by PLA, FSB, or your corporate competitor.

The vulnerability affected the core WordPress engine in versions 4.2 and earlier, a rarity among the constant parade of serious security issues affecting plugins for the content management platform. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed

Ugh...

Even I'm Linux user, I find all of those excuses pretty damn bad :D It's almost like lying.

All true, but the point is that normal users don't know that. All they know is that the thing they liked in Win7 will go away if they downgrade to Win10. Unless you're volunteering to support whatever they download when they type "Ask Jeeves How I Play DVDs" into google :)

The truth is they can turn off almost all that shit, except for error reporting, which is the one thing they think falls under the "nothing to hide, nothing to fear" category, but which itself is an attack vector open to NSA, FSB, and PLA. Explain that to a Slashdotter and he'll understand and send a #retweet to the half-dozen friends who follow him, all of whom already know this shit.

Explain it to grandma in that terms and they're like "Vector? My husband didn't do math since high school algebra, and he's been dead for 20 years." Explain it to grandma in terms that her solitaire will cost $2/month to play and she'll not only hit the roof, she'll tell all the people that play bingo at her retirement home. and three generations of FWD: FWD: FWD: later, Microsoft will have a real consumer acceptance problem on its hands.

https://threatpost.com/writing... I appreciate the obligatory, and perhaps it'll be mod'ed to funny. But there's some truth in the statement, but not for reasons people believe. Mac's are not really any more secure than any other OS. They do have better security models in the creation of their OS's than say Windows, but they aren't invulnerable. The biggest threat to Mac's is complacency. The article from threatpost above breaks this down very well. I'm actually happy to see the flatworm concept attacking the thunderbolt firmware because it shows that simple file heuristics on Mac's is insufficient to detecting adverse threats on the platform. Perhaps we'll start seeing better threat detection techniques for the OSX platform (or ANY threat detection on the iOS platform).

"There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

Source: https://threatpost.com/android...

What about the setting that keeps MMS messages from being accidently downloaded? Where's that setting?

Oh, wait...

"There are some mitigations, for example, in Google Hangout settings, a user is able to request that MMS messages are not automatically downloaded."

Source: https://threatpost.com/android...

It will only go after AD if the Domain User account is a member of Domain Admins, Schema, etc. Even IT Administrators should have their own User account, and leave the one for Domain Admin as a utilitarian account. Because, if you're a member of those high level privileges and run the virus, it will run with whatever your account has access to!

Here's a previous article on the subject. Be sure to block My_Resume.zip and My_Resume.svg from e-mail in the meantime.

https://threatpost.com/cryptow...

@anonymous coward: "The exploit allows attackers to steal cookies for localhost"

'The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization' ref

My server doors have fancy locks on them, thanks.

I take it these locks are not impenetrable. Nor are the walls. Someone might penetrate these and hack fromt he inside, similar to the way Tom Cruise did in your example. Security: not perfect.

One thing I'm noticing from around here is that people don't have a lot of experience with high security. Buildings that you can't get into the lobby without being buzzed in... where you can't go the right floor without a key card.

That is the sort of security you'd go through to get the headquarters of Dennys... that isn't even high security. That's just standard corporate security theater.

I've walked in to many corporate buildings without any credentials whatsoever. I've even accessed regional police HQ switch room without anybody asking anything the moment I entered the building. I had reason to access that room, but I had never visited the premises nor did I had any work credentials on me.

This is the way the world actually works outside absurd theoretical security models. Just because you may have your security tightened up, if you are doing any kind of business you are still dependant of third parties, who are dependant on other parties etc. Unless the whole chain is flawless, your security is as good as the weakes tlink in that chain. And even if it is "flawless", it really isn't because nobody knows all the possible bugs and exploits that may exist.

As to people plugging stuff into our network. There are a lot of ways to make it so people can't do that. Again, mostly from the server room. Most cisco routers can stop it if you configure them properly.

Cisco? Lol.

From outside attack? They're not getting in.

Yeah. Sure.

You just don't seem to get it.

http://www.dshield.org/diary/D...

http://tech.slashdot.org/story...

http://www.dshield.org/diary/G...

https://threatpost.com/en_us/b...

https://threatpost.com/en_us/b...

http://www.itnews.com.au/News/...

http://plus.evozi.com/204/mala...

http://tech.slashdot.org/comme...

http://www.zdnet.com/linkedin-...

http://www.zdnet.com/linkedin-...

http://www.zdnet.com/au/optus-...

http://www.zdnet.com/dutch-dns...

http://www.computerworld.com/s...

https://isc.sans.edu/forums/di...

http://it.slashdot.org/story/1...

http://www.dshield.org/diary/g...

http://www.dshield.org/diary/N...

http://www.dshield.org/diary/L...

http://www.dshield.org/diary/D...

http://www.networkworld.com/ne...

* "Read 'em & weep" STILL more are coming (since that's only partial on my end, and the future WILL SHOW MORE without doubt)... & that's only SOME of the exploits DNS has experienced, I don't have them all but those will do!

(Simply facts supporting my former posts on the subject of DNS issues -> http://tech.slashdot.org/comme... AND http://tech.slashdot.org/comme... as I promised in it, to show the RAMPANT EXPLOITABILITY of DNS vs. my program AND WINDOWS protecting hosts perfectly...)

APK

P.S.=> You can't win, accept it... apk

http://www.dshield.org/diary/D...

http://tech.slashdot.org/story...

http://www.dshield.org/diary/G...

https://threatpost.com/en_us/b...

https://threatpost.com/en_us/b...

http://www.itnews.com.au/News/...

http://plus.evozi.com/204/mala...

http://tech.slashdot.org/comme...

http://www.zdnet.com/linkedin-...

http://www.zdnet.com/linkedin-...

http://www.zdnet.com/au/optus-...

http://www.zdnet.com/dutch-dns...

http://www.computerworld.com/s...

https://isc.sans.edu/forums/di...

http://it.slashdot.org/story/1...

http://www.dshield.org/diary/g...

http://www.dshield.org/diary/N...

http://www.dshield.org/diary/L...

http://www.dshield.org/diary/D...

http://www.networkworld.com/ne...

* "Read 'em & weep" STILL more are coming (since that's only partial on my end, and the future WILL SHOW MORE without doubt)... & that's only SOME of the exploits DNS has experienced, I don't have them all but those will do!

(Simply facts supporting my former posts on the subject of DNS issues -> http://tech.slashdot.org/comme... AND http://tech.slashdot.org/comme... as I promised in it, to show the RAMPANT EXPLOITABILITY of DNS vs. my program AND WINDOWS protecting hosts perfectly...)

APK

P.S.=> You can't win, accept it... apk

http://www.dshield.org/diary/N...

http://www.dshield.org/diary/A...

http://www.theregister.co.uk/2...

http://yro.slashdot.org/story/...

http://www.dshield.org/diary/M...

http://www.theregister.co.uk/2...

http://www.scmagazineus.com/ne...

http://www.dshield.org/diary/S...

https://threatpost.com/en_us/b...

http://it.slashdot.org/story/1...

http://it.slashdot.org/story/1...

* "Read 'em & weep" more are coming... & that's only SOME of the exploits DNS has experienced, I don't have them all but those will do!

(Simply facts supporting my former post as I promised in it, to show the RAMPANT EXPLOITABILITY of DNS vs. my program AND WINDOWS protecting hosts perfectly...)

APK

P.S.=> You can't win, accept it... apk

I would suspect that some of the OS's that are used in embedded devices (If you really want to call something running an OS embedded.) have been pretty safe.

Would you?

https://threatpost.com/lizard-squads-ddos-for-hire-service-built-on-hacked-home-routers/110341

"Most recently, Microsoft brought new memory defenses to the browser, loading Internet Explorer with two new protections called Heap Isolation and Delayed Free .. last week .. Jared DeMott successfully demonstrated a bypass for both"

ref.

Why more So-Ho routers don't implement at least partial BCP38 by default has always baffled me

SoHo routers are using the cheapest, easiest to deploy software possible. They don't care if that means handing out 9 year old software bugs in millions of units. The only way I see BCP38 gaining traction in that market is if it just works out of the box in Linux, with minimal configuration involved. Then the SoHo vendors who just grab Linux derived routing software will gain that capability. If that catches on to where it becomes feature checkbox material--"our new router protects against DDOS attacks with BCP38!"--then maybe we'll get a beneficial arms race.

In the part of Linux land I spend most of my time in, I know RHEL6 starting making basic protection enabled by default. The small Linux distributions router vendors build against lag pretty badly against distributions like that though.

- DETEKT

What is Detekt and how does it work?

"Detekt is a free tool that scans your computer for traces of known surveillance spyware used by governments to target and monitor human rights defenders and journalists around the world. By alerting them to the fact that they are being spied on, they will have the opportunity to take precautions.

It was developed by security researchers and has been used to assist in Citizen Lab's investigations into government use of spyware against human rights defenders, journalists and activists as well as by security trainers to educate on the nature of targeted surveillance.

Amnesty International is partnering with Privacy International, Digitale Gesellschaft and the Electronic Frontier Foundation to release Detekt to the public for the first time."

###

Official Sites:

https://resistsurveillance.org...
https://github.com/botherder/d...
https://github.com/botherder/d...
https://github.com/botherder/d...

- version 1.1 download (Nov 20, 2014) .exe & sig
https://github.com/botherder/d...

###

- Detekt Author's GPG key:

The distributed binary is signed with my personal PGP key, the public key is available at

https://nex.sx/nex.asc

###

- More info/News stories:

https://www.eff.org/deeplinks/...
http://www.theguardian.com/wor...
http://www.amnesty.org/en/news...
http://www.amnestyusa.org/news...
https://en.wikipedia.org/wiki/...
https://threatpost.com/detekt-...
https://firstlook.org/theinter...
http://www.bbc.com/news/techno...
http://www.zdnet.com/amnestys-...

###

- Author's Twitter Page:

https://twitter.com/botherder

"Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world"

See, slashdot, wasn't difficult to mention the actual Operating System. ref

The only trouble I had was with Debian Sid, because of the rolling-release updates. The updates were broken some of the time. But the system was still running fine, it just meant that I had to wait a few weeks so that the updates were fixed.
Compare that with Windows updates, and the news that update X broke the system.

http://www.howtogeek.com/17962...
http://threatpost.com/microsof...
http://www.sevenforums.com/win...

https://threatpost.com/apple-c...

https://threatpost.com/researc...

https://threatpost.com/apple-c...

https://threatpost.com/researc...

iPhones have had the ability to be remote wiped for a long time. Yet I have not heard of a pandemic of hacker-led mass bricking of iPhones.

http://www.cnn.com/2014/05/27/...

Now you have.

According to the Ministry the criminals used two “well-established schemes.” One of them was hacking users’ email accounts and elaborate phishing pages to glean victims’ Apple ID credentials. The second scheme – which may or may not related to the Oleg Pliss scam – allegedly bound devices to prearranged accounts and used “various internet resources to create ads.” Those ads promised access to Apple ID accounts that contained “a large amount of media content.” As soon as someone accepted the offer and linked their device to the account, attackers hijacked the devices.

Phishing to obtain email credentials and then presenting yourself as the legitimate user, or offering access to free media to suck in greedy people. Social engineering - not the same thing as hacking the bricking/remote wipe protocol.

You probably shouldn't try to write about things you don't know about or understand.

1. The industry accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU intensive algorithm as possible).

2. Many organisations have had database intrusions where these password hashes have been stolen (eg. eBay, Linkedin, LivingSocial etc.)

3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.

4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.

multipath tcp
http://threatpost.com/multipat...
http://labs.neohapsis.com/2014...

Bullshit.

April 2013: http://labs.opendns.com/2013/0...

Sept 2013: No-IP is a preferred choice for other similar attacks for command and control infrastructure: http://threatpost.com/njw0rm-a...

Feb 2014: Even Cisco said their domains were being abusive and they posted to complain that Cisco didn't contact them. http://www.noip.com/blog/2014/...

Looks to me like they should have contacted Microsoft and asked them for help. I guess they waited too long.

The link is broken for me, should be http://threatpost.com/researchers-go-inside-hackingteam-mobile-malware-command-infrastructure.

I found what appears to be a good permanent workaround from a Christian Hertel in the comment section of http://threatpost.com/plaintex...:

Another Hotfix in case there is no newer IPMI firmware release to upgrade to (so no way to fix the issue otherwise):
Login via SSH, then issue the following commands:
shell sh
iptables -I INPUT -p tcp --dport 49152 -j DROP
iptables-save > /nv/ipctrl/rultbl.sav

I've tested it on my affected servers and have verified it works and survives a reboot of IPMI. However, I'm wondering if there's a reason I might regret blocking access to port 49152 for some reason.

Thanks for the workaround, Mr. Hertel!

Here, read this https://threatpost.com/legal-g... .

Eat your words, Open SORES idiot https://threatpost.com/apache-...

Poorly implemented, huh? I suppose that means you'll be taking home the $150,000 Pwn2Own 2014 prize for breaking it, right? Shit, maybe you can collected Microsoft's $100,000 bounty, too! That is, of course, unless you're talking out of your ass.

@bloodhawk: "EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself"

“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection, .. This is true of EMET and other similar userland protections”

The article to which this piece points is an opinion piece. The author points out that Snowden's "latest revelations" may compromise current field operations and/or operatives.

The central problem with that claim is that SNOWDEN HAS MADE NO NEW REVELATIONS. *All* of the revelations from "Snowden" are actually revelations made by one or more of the journalists to whom Snowden gave copies of his stolen documents. All of them. Snowden himself has refused to reveal ANYTHING that THEY have not already published, on the grounds that he considers himself to be unqualified to properly strike the balance between preserving national security and revealing information that is clearly in the public interest. Instead, he has left it ENTIRELY up to the journalists to whom he gave the information to make those decisions.

But don't take my word for it. Listen to the man himself.

Though he started by revealing NSA collection programs that some judges have now declared illegal, such as the metadata program,

Following the link, one finds another article on the same site which states:

The [Privacy and Civil Liberties Oversight Board] is an independent committee that operates within the Executive Branch

For those who do not understand what that says, the Privacy and Civil Liberties Oversight Board is not a part of the judicial system and is not "some judges". The PCLOB can claim something is illegal until they are blue in the face, the ONLY part of the government that can make a determination that something is truly illegal is the judicial branch. The executive branch can believe a program is illegal and not implement or end it. But, it can't determine actual legality. If it could, then anyone who did anything the executive branch said was illegal, this means anyone ever charged in federal court, would be automatically guilty. There would be no need for a court or judges and we would be ruled by a totalitarian king, not a president.

This factual error, which appears to me to be a deliberate and outright lie, invalidates the author's entire line of reasoning and calls into question all the premises upon which it is based.

Though he started by revealing NSA collection programs that some judges have now declared illegal, such as the metadata program,

Following the link, one finds another article on the same site which states:

The [Privacy and Civil Liberties Oversight Board] is an independent committee that operates within the Executive Branch

For those who do not understand what that says, the Privacy and Civil Liberties Oversight Board is not a part of the judicial system and is not "some judges". The PCLOB can claim something is illegal until they are blue in the face, the ONLY part of the government that can make a determination that something is truly illegal is the judicial branch. The executive branch can believe a program is illegal and not implement or end it. But, it can't determine actual legality. If it could, then anyone who did anything the executive branch said was illegal, this means anyone ever charged in federal court, would be automatically guilty. There would be no need for a court or judges and we would be ruled by a totalitarian king, not a president.

This factual error, which appears to me to be a deliberate and outright lie, invalidates the author's entire line of reasoning and calls into question all the premises upon which it is based.

On other thing strikes me, in considering Nkrumah's theory(specifically it's marxist aspects, and the general struggle of 'labor' to overcome the problem of capital always winning so long as somebody can be found to work for peanuts, issues of international solidarity vs. division, etc.) That sort of thing is one area where the internet is far more hostile than the conventional real world, thanks to network effects, Metcalf's "law", the fact that both spooks and ad-vendor analytics types are interested in connections and communications networks between people.

Essentially, while it's trivial to 'declare independence' on the internet (IPv4 means you probably can't have your own block or anything; but as long as you are OK some NAT, or IPv6 services internally, it's probably never been easier or cheaper than it is today to set up your own damn LAN, with services, and hosts, and other neat stuff. Even an impecunious FOSS hobbyist with some fleabay shit, or a piratical microsoftie, can set up capabilities that would have been 'enterprise grade' not so long ago, all on a single residential power budget, no less. Plus you've got the 802.11i and other wireless mesh enthusiasts, the SDR crew, good old RONJA (some Czech free-hardware hackers who've been doing 1Km+ free-space optical data transmission with LEDs and sheer improv, neat project) So on, so forth, all good.

However, we build networks to communicate with others, right? And some of the people we want to communicate with like their Gmail accounts (or simply live behind a US ISP...) They don't mean to betray us; but the feds aren't morons: if they can't subpoena your mail provider, they can at least see everything your American buddy sends to you, or you to him... And god help you if, say, your trusted-and-principled-fighter-for-civil-rights lawyer-who-knows-a-bit-more-about-law-than-about-tech gets suckered into, say, LinkedIn's unbelievably fucking creepy man-in-the-middle attack app(yes, they did actually release that. Yes, it is a 'feature' that linkedin installs a device configuration profile(which is capable, in principle and at their mere power and pleasure, of any change that Apple's APIs allow a device configuration profile to make, config profiles are intended for managing institutionally owned/controlled devices). Oh, attorney-client privilege? That's adorable, those emails are just 'business records' now...

Network effects cut both ways: even in an ideal world, where there exists some jurisdiction where the services are attractive and the local governance isn't creepy, sophisticated inferential attacks become easier and more powerful with every interaction between free and unfree service users. tricky problem.

Except that NSA can read your Truecrypt files:
http://threatpost.com/truecrypt-audit-could-answer-troubling-questions

The article only mentions the username going in clear.

Might want to double check that...

FTA: "Users’ AppleID passwords also are sent in clear text to the Apple servers."

http://threatpost.com/apple-imessage-open-to-man-in-the-middle-spoofing-attacks/102610

They've damaged business (cloud), trust in gov't. -> http://thestateweekly.com/nsa-director-alexander-admits-he-lied-about-phone-surveillance-stopping-54-terror-plots/ and https://threatpost.com/dni-clapper-says-statement-to-congress-about-nsa-data-collection-was-erroneous/ and expect us to believe anything they say (especially in transparently obvious retaliation like this)? Please - give us a break: We're NOT the stupid sheep you *think* we all are, "fearless leaders" (political sociopathic lying scum that you are) - you undereducated dolts blew it ON ALL LEVELS NOTED HERE, mostly specifically on a piss poor job economically as well since you're nothing but paid off kickback taking puppets of corporations, catering to the rich and shitting on everyone else, but yourselves. Funniest part's seeing your own systems of surveillance being levelled against you since no one can tell us that isn't why you designed it (or was the IRS scandal targetting current regimes' opponents some fiction? No, it was not). Gov't spending at its finest: Nearly NO good "roi" stopping any 'terrorist' attacks (you're the fucking terror more than anyone) as lied about above, but plenty of opportunity for blackmailing opponents into submission and 10 million dollars a day wars WE taxpayers pay for (except for your corporate lobbyist masters who EVADE TAXES via offshore games they wrote the bills for laws for which you as good puppets, pass, if not using 'secret courts' to do it). All so you war profiteers gain from it while the non-wealthy die fighting them for you and you offshore their jobs at the same time. Bullshit "2 party systems" that are on the same corporate lobbyist payrolls designed to keep us divided and fighting one another ideologically too. We see thru you. All of you "leaders" have lost your fucking minds thinking you can INSULT OUR INTELLIGENCE this way. Soon enough you'll lose your gravy train jobs for your piss poor performance (circus sideshow b.s. is more like it). Were I or anyone else to do such a "fine job" (not) as you idiots? We'd be fired, without your lifetime pensions you get after your term too (which should be denied for doing a shit job). Don't worry. You'll all be gone, soon enough, before you can ruin even more and all the main stream mass media manipulation and spin you're doing can't stop that, and you know it. You failed. Miserably. On all fronts. Go on: Go cry to your corporate criminal mastermind masters, shoo. You're history (infamous history) that keeps good people at one another's throats for the bullshit you spew. What a transparent pack of assholes we have for "leaders". No wonder shits falling apart worldwide - you're all too stupid and short-sighted selfish pigs! You've done us all a favor though: We're aware of YOU and your kinds' transparent sociopathic machinations from today foward - especially this weak attack on those that exposed you.

I guess ... I mean, if you want to use words and definitions and stuff, then yes, you're right.

BTW, this story has some kind of clustersummary. Monkeys and keyboards don't mix.

I read the summary thinking "citation needed... citation needed" and "What does that mean?" Turns out the words were just lifted from the article at threatpost.com which was just as poorly written, and also only includes one link -- to another page on the same site. That original article simply describes a method of carrying out a DDOS attack by paying for some ads then using javascript (could even be html) on those ads to contribute to the DDOS. Cheap, not fancy, put would work if someone is stupid enough to pay ransom for getting their web site back up.

The other article, linked to in the summary, piles a shitload of hyperbole, unsubstantiated claims and bullshit on top of that, and then gets someone to link to it here. Nothing substantiated about Android, SMS, or anything else. There is no link to Palo Alto Networks, but I googled them. There is nothing about this on their web site that I could find quickly. Nothing.

What we have here is a completely fabricated story posted on Slashdot because someone wanted to post a story, I guess, and the editors didn't even get suspicious about the obviously wrong article and click on the one link there. Slashdot, you are sometimes great, but you would be more consistently great if the editors just spent a few more minutes with the content. Like reading the articles. This was just fucking awful.

Yeah, we know how well that worked...

http://threatpost.com/department-energy-compromised-sophisticated-attack-020413/77485
http://www.reuters.com/article/2013/02/04/net-us-usa-cybersecurity-doe-idUSBRE9130ZL20130204
http://news.cnet.com/8301-1009_3-57567581-83/hackers-hit-u.s-department-of-energy/

This article and http://threatpost.com/crypto-gains-ramp-up-calls-to-get-ahead-of-inevitable-rsa-algorithm-downfall/101560 both imply that we need to jump to ECC and get off of RSA. Since there are direct quotes from Mr. Stamos in one of these articles, it sounds like he is the source of the confusion. Actually the recent advances weaken ECC more than RSA, and RSA is only weakened if the discrete log advances are followed by similar advances in factoring. There is no known theoretical reason for this to be guaranteed to happen, but folklore shows that it has indeed happened in the past: discrete log breakthroughs are intertwined with factoring breakthroughs, but there are only vague handwaving explanations about why this should be true.

So the problem is that RSA may well break soon, but ECC is already to some extent broken by Joux et al. Any advice to throw out RSA in favor of ECC seems wrong to me. What you really need is a totally new potentially hard problem to base new crypto algorithms on, and you maybe only have months to come up with the idea, and then only a few years to get the idea into practice, or else it's a return to snailmail if we haven't completely dismantled it before then.

See http://www.treefrogenterprises.com/research/funwithecc.html for more.

When your surveillance program is not only immoral, but ineffective, then there's not a lot you can do to defend it.

It seems pretty likely to me that you'll do nothing to defend effective or even vital intelligence. In fact it seems to be quite the opposite.

...Alexander said, adding that of 54 different terrorist-related activities identified through PRISM, 42 of which were disrupted, including 13 in the U.S., and 25 in Europe. “ -- Gen. Keith Alexander

"Once the worm is on a new [Microsoft Windows] PC, it extracts a DLL from its code and then copies itself to the temporary user folder. It also copies the Java executable from %ProgramFiles% to the same folder" link

He doesn't have any.

You are kidding right? Or do you seriously believe that there are no compromised Linux servers out there(and please don't stop the moment you see the word Apache, it's more.. and this is just one of multiple examples if you really are interested)? If so you are less informed than some of the Windows users being ridiculed here.

Sounds like this and this and this and many others targeting individual groups or nationals such as Tibetans, Pakistanis and others.

Sounds like this and this and this and many others targeting individual groups or nationals such as Tibetans, Pakistanis and others.

Sounds like this and this and this and many others targeting individual groups or nationals such as Tibetans, Pakistanis and others.

That's "so secure" (NOT) from recent history 2011-2013? Take a read ("read 'em & weep"):

"Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software." FROM -> http://www.theregister.co.uk/2013/03/15/secunia_vulnerability_research/

(And, that's "hot off the presses"/current...)

+

Linux STILL needs patches @ the core - all the way from kernel build 2.6 thru current ones (been there for ages on this one):

---

Linux STILL needs patching @ kernel level in 2013, thru ALL distros 2.6-3.8 current:

http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/

(Face facts, that THAT line of "b.s." of "Linux = Secure & Windows != Secure" just DOESN'T HOLD ANY WATER - the core of Linux STILL gets patched vs. vulnerabilities, just like Windows NT-based OS, & they ARE RELATIVELY THE SAME AGE too! Thus, proving (especially via ANDROID) that "the most used = most attacked"...)

---

Apparently, I need to put out more on that note, so here goes (as to Linux's "fine security showing" over the past couple years now/current history):

---

2012:

New Linux Rootkit Emerges:

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

---

'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

---

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

---

London Stock Exchange serving malware:

With backing links & pertinent quotes/excerpts from them:

SAME GOES FOR WINDOWS (it's apps on it that represent the MAJORITY of what gets exploited):

"Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software." FROM -> http://www.theregister.co.uk/2013/03/15/secunia_vulnerability_research/

(And, that's "hot off the presses"/current...)

+

Linux STILL needs patches @ the core - all the way from kernel build 2.6 thru current ones (been there for ages on this one):

---

Linux STILL needs patching @ kernel level in 2013, thru ALL distros 2.6-3.8 current:

http://www.zdnet.com/linux-kernel-exploit-gets-patched-7000011844/

(Face facts, that THAT line of "b.s." of "Linux = Secure & Windows != Secure" just DOESN'T HOLD ANY WATER - the core of Linux STILL gets patched vs. vulnerabilities, just like Windows NT-based OS, & they ARE RELATIVELY THE SAME AGE too! Thus, proving (especially via ANDROID) that "the most used = most attacked"...)

---

Apparently, I need to put out more on that note, so here goes (as to Linux's "fine security showing" over the past couple years now/current history):

---

2012:

New Linux Rootkit Emerges:

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

---

'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

---

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

1st, get back to us when MySQL can handle *NIX dates past 2038 (known issue), as far as databases go.

Secondly, regarding THIS "trollish stupidity" out of you quoted next below - Here's some contrary data regarding Linux & it's "invulnerability" from current recent history 2011 to present:

"I'm amazed they haven't learned; don't use windows. Especially for a database and even more so for a database that hosts vulnerability information" - by Anonymous Coward on Thursday March 14, @11:15AM (#43171307)

On databases, especially "Open SORES"? See above. On Linux "fine security"?? See next below:

---

2012:

New Linux Rootkit Emerges:

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

---

'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

---

Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

So, what's dts.utah.gov running everyone?

LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

What's health.utah.gov running too??

YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

* Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

===

2011:

KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

---

London Stock Exchange serving malware:

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

(I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

---

DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS: