Slashdot Mirror
Domain: ycombinator.com
Stories and comments across the archive that link to ycombinator.com.
Comments · 484
-
Obligatory: Intel CPU Backdoor Report
Intel CPU Backdoor Report (Updated Mar 12, 2017)
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel.""the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AMThe Management Engine (ME) is an isolated and protected coprocesso
-
Obligatory: Intel CPU Backdoor Report
Intel CPU Backdoor Report (Updated Mar 12, 2017)
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
@21m43s, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
[Quotes] Vortrag:
"DAGGER exploits Intel's Manageability Engine (ME), that executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel.""the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker. Our presentation consists of three parts. The first part addresses how to find valuable data in the main memory of the host. The second part exploits the ME's OOB network channel to exfiltrate captured data to an external platform and to inject new attack code to target other interesting data structures available in the host runtime memory. The last part deals with the implementation of a covert network channel based on JitterBug."
"We have recently improved DAGGER's capabilites to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code."
"To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
"We can permanently monitor the keyboard buffer on both operating system targets."
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded.
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops
30C3 To Protect And Infect - The militarization of the Internet
30c3: To Protect And Infect Part 2 - Mass Surveillance Tools & Software1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AMThe Management Engine (ME) is an isolated and protected coprocessor, embedded as a n
-
Obligatory: Intel CPU Backdoor Alert
Intel CPU Backdoor Alert (Updated Mar 12, 2017)
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge.
What we know about the Intel backdoor so far:TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak:
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware is in the chipset flash chip (Intel Management Engine).
ccc.de: "Our presentation covers a DMA malware that benefits from an isolated network channel to update the attack code and to exfiltrate captured data. To be more precise, we show how to conduct a DMA attack using Intel's Manageability Engine (ME)."
30C3 Intel ME live hack, @21m43s, keystrokes leaked from Intel ME outside the OS, wireshark cannot detect packets:
[Video Link] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware MalwareThe backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal is tricky and requires a Raspberry Pi (with GPIO pins) and a SOIC clip.The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort. If you are skilled in BIOS/Firmware, download some of the Intel ME firmware from this collection have a go at it (Intel used various decode counter measures, explained below).
Useful links:
The Intel ME subsystem can take over your machine, can't be audited
REcon 2014 - Intel Management Engine Secrets
Untrusting the CPU (33c3)
Towards (reasonably) trustworthy x86 laptops1. Introduction, what is Intel ME
Short version, from Intel staff:
Re: What Intel CPUs lack Intel ME secondary processor?
Amy_Intel Feb 8, 2016 9:27 AMThe Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current Intel chipsets, I even checked with the engineering department and they confirmed it.
Long version:
The Intel Management Engine (ME) is a separate computing environment physically located in the MCH chip or PCH chip replacing ICH.
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system's memory as well as to reserve a region of protected external memory to supplement the ME's limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).
The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the networ
-
Training or hire self-trained contractors
Yes -- training is being replaced by H1B hiring! Investments in employee training by big companies like HP and IBM are what made Silicon Valley possible in the first place.
Discussions about H1Bs also often imply that if you pay an H1B as much as a US citizen then everything is OK -- but it is not. Where is the extra incentive for people to risk their own time to learn stuff which might or might not be in demand when wages are essentially capped at market wages for employees? Or for contractors to put a *lot* of extra unpaid time (and stress) into learning as they go after taking on a project? Granted, most techies learn stuff on the side anyway -- but that is more problematical when you have a family. Example:
"Ask HN: Developers with kids, how do you skill up?"
https://news.ycombinator.com/i...Another part of this rarely discussed is that companies used to pay 2X to 3X more than a worker's salary+benefits to specific highly-compensated individuals as independent contractors. But, big contracting firms like Perot Systems lobbied around the 1980s to get laws passed affecting IRS regulations that made it financially risky for companies to hire individuals on a 1099 independent contractor basis -- thus forcing more individuals to work through big companies as W2 employees. We just take that change for granted decades later, but things were not always like this. (That said, in many areas of the economy 1099 IC workers are indeed exploited -- just not back then in the technology field in in-demand areas.)
Increasing mastery (i.e. on the job learning) is one important part of a happy work life (along with autonomy, purpose, and community); sad that so many companies ignore it:
"RSA ANIMATE: Drive: The surprising truth about what motivates us"
https://www.youtube.com/watch?...And no, learning some new flavor of the month JavaScript framework that reinvents the wheel badly does not count much towards a feeling of "mastery" for an experienced programmer...
Related:
http://blog.getabstract.com/th...
"So, why are some companies dragging their feet and refusing to invest in employee development? In some cases, it comes down to an insecurity most managers don't want to acknowledge: the fear an employee may become become overqualified, outgrow his job, and leave the company to pursue a better position elsewhere before a promotion is available. This fear isn't completely baseless. Young high achievers job hop frequently to earn a higher salary, and on average, leave their jobs after only 28 months.
Withholding professional development from employees is not the right response to this fear; it's a self-fulfilling prophecy. Employees seek professional development to achieve successful careers, and when companies don't invest in this development, employees leave."As I suggested in this comment about Google and H1Bs:
https://slashdot.org/comments....
"So, in a similar way that Angela Davis suggests prisons are the USA's way [of consolidating] dealing with social issues it can't or won't address, hiring H1Bs willing to live like sardines in SV slum-equivalents helps Google make up for those less-than-desirable recruiting aspects while not having to address fundamental issues which are harder to wrestle with involving the soul of the organization and how it spends its revenues towards what ends." -
Intel CPU backdoor
Your Intel CPU is backdoored and it is wide open, right now.
The backdoor is on all modern intel CPU/Chipset and is marketed as vPro/AMT/Small Business Advantage/Anti-Theft Technology, it is in all Core i3/i5/i7/Xeon CPU/Chipset in the past 6 years.
*3 Billion devices run JAVA* because everyone's Intel backdoor is running it.
REcon 2014 - Intel Management Engine Secrets
CCC Intel CPU backdoor live hack demonstration, keystrokes logged and sent over wire, wireshark can't detect packet because the Intel backdoor runs above the OS:
Towards (reasonably) trustworthy x86 laptops
Untrusting the CPU (33c3)
30C3 To Protect And Infect - The militarization of the Internet
Jacob Appelbaum - To Protect and Infect Part 2 - At 30c3 on Mass Surveillance Tools & SoftwareMore links in this discussion:
The Intel ME subsystem can take over your machine, can't be auditedTools to remove Intel backdoor firmware (You need to physically clip onto a 8pins chip on motherboards to download/neutralize/flash the rom, nothing else can touch it), the backdoor is designed to shutdown your machine within 30 minutes after boot, if you just remove the backdoor and don't handle checksums correctly:
https://github.com/corna/me_cleaner.Neutralize your Intel backdoor:
Neutralize ME firmware on SandyBridge and IvyBridge platforms
First introduced in Intelâ(TM)s 965 Express Chipset Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip (for Core 2 family CPUs which is separate from the northbridge), or PCH chip replacing ICH(for Core i3/i5/i7 which is integrated with northbridge).
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating systemâ(TM)s memory as well as to reserve a region of protected external memory to supplement the MEâ(TM)s limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).
The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that canâ(TM)t be ignored.
https://hackaday.com/tag/intel-management-engine/
Five or so years ago, Intel rolled out something horrible. Intelâ(TM)s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we canâ
-
More links on Intel backdoors
-
Intel CPU = Backdoor
NSA/CIA/GCHQ Shills kept down voting this:
Your Intel CPU is backdoored and it is wide open, right now.
The backdoor is on all modern intel CPU/Chipset and is marketed as vPro/AMT/Small Business Advantage/Anti-Theft Technology, it is in all Core i3/i5/i7/Xeon CPU/Chipset in the past 6 years.
Remember *3 Billion devices run JAVA* because everyone's Intel CPU backdoor is running it.
REcon 2014 - Intel Management Engine Secrets
CCC Intel CPU backdoor live hack demonstration, keystrokes logged and sent over wire, wireshark can't detect packet because the Intel backdoor runs above the OS:
Towards (reasonably) trustworthy x86 laptops
Untrusting the CPU (33c3)
30C3 To Protect And Infect - The militarization of the Internet
Jacob Appelbaum - To Protect and Infect Part 2 - At 30c3 on Mass Surveillance Tools & SoftwareMore links in this discussion:
The Intel ME subsystem can take over your machine, can't be auditedTools to remove Intel backdoor firmware (You need to physically clip onto a 8pins chip on motherboards to download/neutralize/flash the rom, nothing else can touch it), the backdoor is designed to shutdown your machine within 30 minutes after boot, if you just remove the backdoor and don't handle checksums correctly:
https://github.com/corna/me_cleaner.Neutralize your Intel backdoor:
Neutralize ME firmware on SandyBridge and IvyBridge platforms
First introduced in Intelâ(TM)s 965 Express Chipset Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip (for Core 2 family CPUs which is separate from the northbridge), or PCH chip replacing ICH(for Core i3/i5/i7 which is integrated with northbridge).
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating systemâ(TM)s memory as well as to reserve a region of protected external memory to supplement the MEâ(TM)s limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).
The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that canâ(TM)t be ignored.
https://hackaday.com/tag/intel-management-engine/
Five or so years ago, Intel rolled out something horrible. Intelâ(TM)s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets e
-
Thanks to Intel CPU backdoor
NSA/CIA/GCHQ Shills kept down voting this:
Your Intel CPU is backdoored and it is wide open, right now.
The backdoor is on all modern intel CPU/Chipset and is marketed as vPro/AMT/Small Business Advantage/Anti-Theft Technology, it is in all Core i3/i5/i7/Xeon CPU/Chipset in the past 6 years.
Remember *3 Billion devices run JAVA* because everyone's Intel CPU backdoor is running it.
REcon 2014 - Intel Management Engine Secrets
CCC Intel CPU backdoor live hack demonstration, keystrokes logged and sent over wire, wireshark can't detect packet because the Intel backdoor runs above the OS:
Towards (reasonably) trustworthy x86 laptops
Untrusting the CPU (33c3)
30C3 To Protect And Infect - The militarization of the Internet
Jacob Appelbaum - To Protect and Infect Part 2 - At 30c3 on Mass Surveillance Tools & SoftwareMore links in this discussion:
The Intel ME subsystem can take over your machine, can't be auditedTools to remove Intel backdoor firmware (You need to physically clip onto a 8pins chip on motherboards to download/neutralize/flash the rom, nothing else can touch it), the backdoor is designed to shutdown your machine within 30 minutes after boot, if you just remove the backdoor and don't handle checksums correctly:
https://github.com/corna/me_cleaner.Neutralize your Intel backdoor:
Neutralize ME firmware on SandyBridge and IvyBridge platforms
First introduced in Intelâ(TM)s 965 Express Chipset Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip (for Core 2 family CPUs which is separate from the northbridge), or PCH chip replacing ICH(for Core i3/i5/i7 which is integrated with northbridge).
The ME consists of an individual processor core, code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating systemâ(TM)s memory as well as to reserve a region of protected external memory to supplement the MEâ(TM)s limited internal RAM. The ME also has network access with its own MAC address through the Intel Gigabit Ethernet Controller integrated in the southbridge (ICH or PCH).
The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that canâ(TM)t be ignored.
https://hackaday.com/tag/intel-management-engine/
Five or so years ago, Intel rolled out something horrible. Intelâ(TM)s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets e
-
#1/3 - Thanks: Soon 4 ALL OS (repost)
"the Host File Engine performs exactly as promised, and exactly as expected" - by mmell (832646) on Thursday February 16, 2017 @07:17PM (#53882945)
See my subject: It's just waiting for Borland Delphi (it'll always be Borland to me) to do 64-bit Linux in 2018 per "The most exciting new feature on the roadmap is the coming Linux support, which weâ(TM)ll soon start previewing." from https://community.embarcadero.com/article/news/16418-product-roadmap-august-2016/ so the codebase stays EXACTLY the same (for most part, some small diffs between *NIX & Windows, in WinSock2 vs. *NIX sockets - these I have resolved already for the most part, drive letters vs. mounted devices (I don't use registry, it's a 'portable app' so it's VERY *NIX like, uses
Delphi already does Win16/32/64, Android, MacOS X (iirc, 64-bit here already) but not Linux (used to in Kylix, they stopped it - not sure why, dumb move imo!).
I chose Object Pascal Delphi due to seeing it outrace MSVC++ in Oct 1997 VBPJ (competing trade rag) "Inside the VB5 Compiler" where it MORE-THAN-DOUBLED C++ in strings & math performance (which IS what the hosts engine does mostly).
APK
P.S.=> It does block most all advertising (if not all, this is how that works downloading scripts from adservers https://news.ycombinator.com/item?id=10221859/ ) IF not served on same site (99.999% isn't), spam & phish payload links (& if done by malicious attachment, it stalls it, stopping communique back to C&C servers if a botnet type) & it does stop MANY forms of malware (like C&C botnets I noted or other types that coordinate w/ other machines-botnet herders OR downloaders etc.)... apk
-
#1/3 - Thanks: Soon it'll be for ALL OS
"the Host File Engine performs exactly as promised, and exactly as expected" - by mmell (832646) on Thursday February 16, 2017 @07:17PM (#53882945)
See my subject: I'm just waiting for Borland Delphi to do 64-bit Linux in 2018 per "The most exciting new feature on the roadmap is the coming Linux support, which we’ll soon start previewing." from https://community.embarcadero.com/article/news/16418-product-roadmap-august-2016/ (it'll always be Borland to me)
That's so the codebase stays EXACTLY the same (for most part, some small diffs between *NIX & Windows, in WinSock2 vs. *NIX sockets - these I have resolved already for the most part, drive letters vs. mounted devices (I don't use registry, it's a 'portable app' so it's VERY *NIX like, uses
I could have ported to FreePascal & Lazarus IDE (Delphi 2 clone) but ports from Delphi 5/7 to XE1->XE4 had "hurdles" believe it or not - I don't like taking chances. Codebase for 32 & 64 bit is EXACTLY the same too, I like to keep it that way (especially over 26++ thousand lines).
Delphi already does Win16/32/64, Android, MacOS X (iirc, 64-bit here already) but not Linux (used to in Kylix, they stopped it - not sure why, dumb move imo!).
I chose Object Pascal Delphi due to seeing it outrace MSVC++ in Oct 1997 VBPJ (competing trade rag) "Inside the VB5 Compiler" where it MORE-THAN-DOUBLED C++ in strings & math performance (which IS what the hosts engine does mostly).
APK
P.S.=> It does block most all advertising (if not all, this is how that works downloading scripts from adservers https://news.ycombinator.com/item?id=10221859/ ) IF not served on same site (99.999% isn't), spam & phish payload links - the DANGER in them are that (& if done by malicious attachment, it stalls it, stopping communique back to C&C servers if a botnet type) & it does stop MANY forms of malware (like C&C botnets I noted or other types that coordinate w/ other machines-botnet herders OR downloaders etc.)... apk
-
Re:the future of Mozilla
In that case, where exactly did you read that? Since others seem to make different claims...
-
Re:At least it wasn't github.com
Github goes down from time to time, too. Self-hosting code is so easy (that's what git was designed to do), that there's really no reason to have your company depend on Github. Unless you're early stage startup and don't even have an office or something.
-
Re:At least it wasn't github.com
Github goes down from time to time, too. Self-hosting code is so easy (that's what git was designed to do), that there's really no reason to have your company depend on Github. Unless you're early stage startup and don't even have an office or something.
-
Even Hacker News is tearing it apart.
The new logo and branding is being discussed at Hacker News. Even there, where it is rife with Mozilla fanatics and contributors, the sentiment is very negative. Many people dislike it, some are disappointed, and some even hate it outright.
Keep in mind that Hacker News is a discussion forum where you will almost surely be downvoted and attacked if you don't show extreme devotion to Firefox and Mozilla. The people there will find some way to support pretty much each and every Mozilla initiative, no matter how dumb and idiotic everybody else knows it is (see Australis, Firefox OS, abandoning Thunderbird, the atrocious treatment Eich was subjected to, and so on).
So when the people at Hacker News don't like something Mozilla has done, you know it has to be really, really, really bad.
-
NoScript's also inferior like UBlock
See my subject: NoScript has to parse tags before it works in slow usermode vs. hosts in fast kernelmode that block scriptsources (like in ads from remote adservers https://news.ycombinator.com/item?id=10221859/ in 1 step before addons of any kind work, minus all that parsing.
* Both UBlock https://tech.slashdot.org/comments.pl?sid=10130851&cid=53689859/ & NoScript are inefficient + vastly INFERIOR vs. hosts (as well as redundant wastes when you come right down to it).
APK
P.S.=> Do what you like but facts I just stated, backed by reputable sources & documentation, are facts & truth is truth... apk
-
Re:Who cares?
LED back-lit screens are known to harm retinas. Why did they stop selling CCFL back-lit screens.
-
Bigoted much?
This report was ripped to shreds yesterday.
It's mostly OWASP copypasta with recommended mitigations and a few interesting tidbits.
I'm also not clear on why this submission linked to a copy of the report. Best compare it with the original report in case there are any differences..
-
Script blockers like inefficient NoScript?
See subject: Hosts stop ads stopping adscript sources before NoScript runs (how ads work https://news.ycombinator.com/item?id=10221859/ parsing page tags (tons more effort/resources expended in CPU + RAM to do so stupid) - hosts do it 1 step in fast kernelmode (not slow usermode like addons).
Tepples gave examples & I show how clarityray workshttps://it.slashdot.org/comments.pl?sid=10053539&cid=53569609/ (using script to detect addons - can't do it to hosts - hosts != browser addon).
I bookmark when you start w/ me - you're sado-masochist bringing beatings on yourself - I blow you away easily.
My posts on hosts = on topic. Your bs isn't (see below).
APK
P.S.=> I don't WISH you dead - you KILL YOURSELF for me attacking ME 1st (I can't you as you post unidentifiable ac though you HAVE an acct here weasel) & you EAT YOUR WORDS for it https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ doing it to yourself DYING of malnutrition... apk
-
Re:Really ?
. . .
This is NOT Rocket Science. . .
Indeed, I used to work for a company whose app's downloads got blocked in various countries because the URLs were sent in the clear. My snarky comment was that app developers will care about web security as soon as Apple does.
But the big reason the ATS mandate was absurd is that lots of apps have to be able to download arbitrary content from arbitrary URLs, and web views aren't necessarily involved. And even when they are, developers often need to work around limitations in iOS WebKit by using custom NSURLProtocol subclasses to manipulate web view traffic on its way out (e.g. adding custom headers, authentication credentials, etc.). With ATS enabled, doing that becomes impossible.
So yeah, mandatory ATS was never going to fly, and lots of us said so almost immediately after the announcement. I'm glad they finally got the message.
-
Re:Really ?
. . .
This is NOT Rocket Science. . .
Obviously, they had significant grumbling from the Dev. community.
But this is like when they pushed-back the Sandboxing requirement a few years ago: It will happen.
How about a little less negativity, and a little more support for Apple at least attempting to drag Devs. into using more robust security? -
Really ?
. . .
This is NOT Rocket Science. . . .
-
Re:Before or after?
Which is to say, companies are having to do it because "parents" (if they can be called that) no longer will.
They don't have to do shit. They just got infected by political correctness gone mad. In Github's case, they crossed the Rubicon when they tossed out their "Meritocracy" rug. They did this to appease an employee more interested in gender politics than coding and that they were already coddling.
Said employee ended up causing even more drama before eventually leaving. Did Github learn their lesson? No, they doubled down and hired some tranny who was already causing drama on the site and trying to turn individual projects into social "justice" crusades.
Doesn't surprise me at all that they are losing money.
-
Before or after?
Before or after they started pissing people off by deciding what "was" and "wasn't" an acceptable repo, which magically lined up with SJW views.
"Opalgate", anyone? Read the comments yourself.
https://github.com/opal/opal/i...
https://news.ycombinator.com/i...
Hiring a SJW, Coraline Ada Ehmke, to run "anti-harassment." (Good thing people on the left never harass anyone.)
http://www.breitbart.com/tech/...
The second you start judging what is, and isn't, "moral" (as opposed to acceptable to your standards ala no porn), then people are going to 1) get worried their repo might get affected, or 2) say "fuck you" altogether.
-
It's not done quite like that... apk
See subject: Sites download script off servers hosting javascript to run ads that get executed clientside https://news.ycombinator.com/i...
Stealing not only your bandwidth but also your cpu time increasing power use & tracking you + INFECTING you!
(They're not only getting a "free-ride" on your bandwidth but also your speed online & power bill too)
Malware makers got onto the ad train via OpenBid adnetworks http://www.theregister.co.uk/2... since it's tougher to exploit browsers + OS now, & ads get in to MOST users' systems + most users run scripts (I don't generally)!
APK
P.S.=> That is, UNLESS YOU DO THIS VS. THEM-> https://it.slashdot.org/commen... [slashdot.org] using THIS to do so even moreso vs. threats & more https://it.slashdot.org/commen... by "yours truly" (it protects you vs. many threats + speeds you up 2 ways too doing more for far less vs. browser addons that don't work souled out to advertisers http://www.businessinsider.com...
-
"Ask & ye shall receive"
See subject: Hosts files do that blocking script sources in ads https://news.ycombinator.com/i... as that link shows HOW they work (sites point to javascript on adnetwork servers is how hosts block it) & for the BEST hosts file generator? Again - "ask & ye SHALL receive"-> https://it.slashdot.org/commen... by "yours truly"!
* Does more than ANY other "so-called 'solution'" does that are riddled w/ security issues (locally installed DNS/antivirus) or 'souled-out' to advertisers to NOT work fully (addons) http://www.businessinsider.com... & hosts operate in FAR more cpu serviced faster kernelmode vs. slower usermode too & are FAR more efficient vs. any of those faulty "solutions" I just noted.
APK
P.S.=> Enjoy... apk
-
Servers blocked for both ads+network parts
See subject: Stops malvertising @ adscript level by blocking its download & communications w/ payload parts (& if you had it already it communicate back to C&C parts of its malware network either - it stalls it then too).
* It's NO non-sense! Hosts do it more efficiently blocking those servers in 1 step than the tag parsing gyrations NoScript or Adblocker addons do for FAR less (& doing more vs. threats than they do by FAR too) in faster kernelmode vs. slower usermode they use too!
It works due to this technique backed by a valid source vs. this malware https://it.slashdot.org/commen... & why due to HOW ADS WORK (did you actually READ this, evanh? If not, do) https://news.ycombinator.com/i...
APK
P.S.=> I block BOTH its ad servers ads download script from browser tag in adspaces on a website's page running ads (& they get it from those servers - when blocked via hosts? No dice)
+
I block the rest of its network parts too (not just ads but the exploit loaders etc. too - so yes, even IF you had it from ads? That 2nd parts "chokes it off" so it can't talk back to C&C "mama's")... apk
-
See you downmodded this to "hide" it eh?
Wrong - Hosts block scriptserving adservers: Site ads point+download script 4 ads off em to run https://news.ycombinator.com/i... BETTER than NoScript (which processes page string tag data, hosts do the job w/ less - block a source outright 1 step).
NO ADS no problem (nor infestions ala a valid source for the data to block it (1st few = adservers))
("EATING YOUR WORDS" != good nutrition "YETI" https://slashdot.org/comments.pl?sid=9986237&cid=53480147/ )
Hosts work vs. this threat & Steganos too w/ what you natively already have in the IP stack & do more for far less vs. inferior 'solutions'.
See subject & https://it.slashdot.org/comments.pl?sid=9995967&cid=53487781 - last resort of weasels!
APK
P.S.=> Addons eat more & do LESS by FAR vs. hosts in fast kernelmode vs. slow usermode (& addons bloat even more w/ RAM + CPU use & messagepassing overheads in browsers)... apk
-
Hosts do the job faster & better: How?
See subject: Blocking javascript sources that sites running ads point to https://news.ycombinator.com/i... & hosts files run in more cpu serviced faster kernelmode vs. slower usermode that addons bloat even more w/ added RAM, cpu & messagepass bloat hosts files don't incur (as part of tcpip.sys in kernelmode).
* For the BEST hosts file bar-none courtesy of "yours truly" https://it.slashdot.org/comments.pl?sid=9995967&cid=53487513/
Does FAR more for FAR less than ANY other single "so-called 'solution'" out there that are full of security issues (locally installed DNS/antivirus) or addons (including NoScript) that are 'souled-out' to NOT do the single job they had http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/ & hosts do so, for FAR less resources used yet doing far more & FASTER too!
APK
P.S.=> HOW hosts do it https://it.slashdot.org/comments.pl?sid=9995967&cid=53487497/
-
"Ask & ye shall receive"
See subject: Hosts files do that blocking script sources in ads https://news.ycombinator.com/item?id=10221859/ as that link shows HOW they work (sites point to javascript on adnetwork servers is how hosts block it) & for the BEST hosts file generator? Again - "ask & ye SHALL receive"-> https://it.slashdot.org/comments.pl?sid=9995967&cid=53487513/ by "yours truly"!
* Does more than ANY other "so-called 'solution'" does that are riddled w/ security issues (locally installed DNS/antivirus) or 'souled-out' to advertisers to NOT work fully (addons) http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/ & hosts operate in FAR more cpu serviced faster kernelmode vs. slower usermode too & are FAR more efficient vs. any of those faulty "solutions" I just noted.
APK
P.S.=> Enjoy... apk
-
It's not done quite like that... apk
See subject: Sites point to servers hosting javascript to run ads that gets executed clientside (you) https://news.ycombinator.com/item?id=10221859/
Stealing not only your bandwidth but also your cpu time increasing power use & tracking you + INFECTING you!
(They're not only getting a "free-ride" on your bandwidth but also your speed online & power bill too)
Malware makers got onto the ad train via OpenBid adnetworks http://www.theregister.co.uk/2015/09/23/malvertising_forbes/ since it's tougher to exploit browsers + OS now, & ads get in to MOST users' systems + most users run scripts (I don't generally)!
That is, UNLESS YOU DO THIS VS. THEM-> https://it.slashdot.org/comments.pl?sid=9995967&cid=53487497/ using THIS to do so even moreso vs. threats & more https://it.slashdot.org/comments.pl?sid=9995967&cid=53487513/ by "yours truly" (it protects you vs. many threats + speeds you up 2 ways too doing more for far less vs. browser addons that don't work souled out to advertisers http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/ )
APK
P.S.=> Enjoy... apk
-
Another company to die a slow death under Oracle
Oracle likely made their calculations, and have determined they can extract plenty of money from the Dyn customers to make the acquisition worth it.
I, for one, will be moving away from Dyn ASAP, after being a satisfied customer for ~15 years.
Does anyone have any suggestions for a reliable and secure DNS?Discussion at new.ycombinator:
https://news.ycombinator.com/i... -
Re:Why?
Yes I have. It is 100% secure. I have audited the code.
Then it looks like you've got some serious 'splain' to do, since some folks have found
a few issues with your "100% secure" assessment.So how do you know Lastpass is secure?
Gee, I don't know. Maybe you could just audit the source code, the same as you claim did for KeePass. LastPass is open source too, after all.
-
Re:A Master Password....
These kind of "promises" by closed-source software security companies are rather worthless. If they want to, they'll have all your passwords
1) They're open source: https://github.com/LastPass/la...
2) The only way they "have all your passwords" is as an encrypted blob. See #1 if you want to confirm it for yourself.
3) Your master password that could decrypt that blob never leaves your system.
And then there's this discussion about the quality of code in KeyPass, which seems to call into question some of what you said. While your ideas about open source probably work fine as generalizations, they should not be stated as absolutes, since they oftentimes fail in particular instances.
-
Re:robots.txt
It's odd, I see plenty of discussion about the robots.txt nonsense:
https://archive.org/post/10194...
https://news.ycombinator.com/i...
https://archive.org/post/18880...
But no solid answers as to why. -
Re:There was a time,
Where did the smart people with a passion for informative discussion of interesting topics go?
Maybe Hacker News.
-
Re:I worked on Sync 2
Thanks. And thanks for the tip about emcrazyone, I found that article, it was a good read.
And I can tell you're keenly interested in the topic. Emcrazyone wrote it as B-Squared and you gave the correct spelling and capitalization of BSquare. And I should know because I used to work there.
The Ford project pretty much killed BSquare. The thing was FAR bigger of a project than we were used to. We had to hire and hire and hire to put butts in chairs to get this thing done. Once the project was over the money dried up, and all of those people were laid off.
Part of the problem was we lost our CEO around that time. We had a really great CEO. She left, and BSquare were never able to find anyone her caliber as a replacement. All that Dilbert stuff about upper management? It's actually (well partially) not true. A good CEO can make or break a company. I know, I got to see it.
And as for the salesman who may have known someone to get the contract? I'm friends with him. He's a really great guy. BSquare laid him off citing "personality differences", but I really believe it was an attempt to screw the guy out of his percentage for landing the sale. I quizzed him about my suspicion and he gently deflected my question. I got the impression he felt it wouldn't be gentlemanly to say so, so he said nothing. Hope he's doing well, he was a good guy.
I was an in-the-trenches coder there. I can't verify if it was BSquare that decided to use Flash as the UI. I just know that it was a set in stone decision by the time I got involved. I hated the notion. The Actionscript people were not terribly computer literate, either. I had to provide support to that team on occasion because none of them could read C. We had all these teams working independently of each other, most of them new hires. It was a rough ride.
It was an interesting thing to be a part of, that's for sure.
-
Re:Wrong company for the jobIt's even worse than Microsoft -- actually some hack 'n' sack firm called BSquare (was a publicly-traded company, I think they're swirling the drain) did the initial version of Sync Gen 2. Oh, but BSquare is a Microsoft "Gold Certified Partner", whatever the hell that means.
There was a story on Hacker News a couple years ago, an embedded systems engineer (inside Ford) was lamenting upper-management's choice of Windows CE and BSquare for the system.
Interesting that the 3rd generation of SYNC (out since 2016 I think) is based on QNX and appears to very well received. No Microsoft, no BSquare, no Windows CE. QNX is a real-time operating system. Windows CE purports to be, but a) all the middleware crap that comes in MS Auto is so buggy and full of priority inversions etc,, give me a break.
Someone (maybe the Hacker News article?) said something along the lines of "the decision to use WinCE in MyFord Touch was a handshake on a golf course, and Ford has felt the pain ever since."
-
Toyota - 10,000 Global Variables Incorporated
When someone tells you they want safety checks on your computerized platform there are few on the planet less qualified to complain than Toyota or, as I like to call them 10,000 Global Variables Incorporated.
-
Re:Apple Patent Trolling + Biased Juries = PROFIT
Saying "an appeals court with a panel of judges" is redundant: Appeals courts are always judges, never juries. Anyone who has watched 5 minutes of any TV legal drama can tell you that. Here appeals judges were upheld a jury verdict.
For Jury Bias: http://www.theglobeandmail.com...
For Judge Bias: https://www.techdirt.com/artic... https://news.ycombinator.com/i... http://arstechnica.com/civis/v... http://www.law360.com/articles... https://yro.slashdot.org/story... -
Re:HDD price milking
--With a drive that size (8TB) I hope you are at -least- mirroring it; and if you're not using ZFS or btrfs, you should have several backups *and* checksums on your files. The chances of bitrot and unrecoverable reads on a single spinning disk with that much storage are much greater.
REF:
http://arstechnica.com/informa... -
Havana good time.
At least Cuba is safe from this.
-
Hacker News thread
-
Try HN...
Try Hacker News at https://news.ycombinator.com/ for better submissions - and also for much better discussions. I don't want to advertise it too much though, let the "funny" commenters and over-emotional downvoters who can't say anything technical about the subject(s) being discussed remain on all the other websites...
-
Re:Open source is more secure
After all, you have millions of people looking over source code, so any bugs and vulnerabilities are guaranteed to be found and repaired quickly.
The fact that this is modded "insightful" despite truly technologically competent people knowing how false it is along with the ridiculousness of the statement that "millions of people" are looking at the code just shows how ignorant and out of touch so much of the slashdot audience is with the real world.
The security of Linux has been very much security through obscurity and its growth in usage (particularly in the mobile space) has begun to reveal this. The bigger problem is that whenever a bug is discovered in Linux the apologists immediately come out and start saying "Oh but Windows this or Windows that" or in the mobile space "iOS this or iOS that" as if any Linux user gives two shits about what Windows or iOS does. It's time you supposed Linux users climbed out of your own asses and stop obsessing over Windows and iOS all the time.
-
Patch already available (I think...)Patch.
The link was from here, which also suggests a fix for unpatched systems:echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >>/etc/sysctl.conf;sysctl -p
(Courtesy of this site.)
-
Hosts block clickthru already
See subject: Ads run javascript from another server (not site you're on) & hosts block the javascript source from another server.
APK
P.S.=> Here, take a read to verify what I said-> https://news.ycombinator.com/i...
-
Re:What the world needs is non-profit version of U
-
Re:Peer to Peer suspicous?
> Am I the only one who considered the old Peer to Peer mode of Skype suspicious?
No. When the Skype client relies heavily on obfuscation it SHOULD be extremely suspicious!
* http://www.oklabs.net/skype-re...
Skype (almost like every P2P network) has its particular P2P architecture. It had to be adapted to the network uses. For example, unlike the P2P Kazaa network, designed for file sharing, the Skype network had to be optimized to transfer data in real time, where Kazaa network transfers data stored on nodes. In addition, Skype network still includes centralized networks entities, because unlike Kazaa network, Skype protocol had to implement user secured authentication, dynamic contacts lists management and ensure privacy.
The Skype user directory is entirely decentralized and distributed among the nodes in the network, which means the network can scale very easily to large sizes without a complex and costly centralized infrastructure.
If M$ kills off Skype 6.20 then it will be time to migrate to something else that is open source and doesn't have known backdoors.
-
Yahoo the brand ..
"Yahoo"... The brand is the problem. It sounds like a good name for a personal website in 1998 (with 85 gifs and a turquoise background). link
-
This was on HackerNews two days ago
It's nice to see that recycling between the various forum sites works well. I don't really mind, I don't even ever complain about reposts unless they are too frequent, but here's the link to the long discussion of the exact same article: