Real-Time Keyloggers
The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."
My Windoze apps at work don't even respond in real time. Maybe the trojan provides a free performance boost?
RSA SecurID is a one-time password; it can't be reused.
Only when we start immediately and publicly executing these hackers whenever we discover them will we start to put a dent into this problem. Frankly, I don't think that they'll be missed afterwards.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Again, a proper banking system like my bank uses
- a one time pad for logging on
- another set of codes, from which one is picked randomly, to confirm transfers
The one time pad means they can't open a second session. Even if they could hijack the session I've opened they can't transfer money without my explicitly authorizing each transfer by entering the second code.
I'm sorry if I haven't offended anyone
"By going real time, hackers now can..." Exactly the kind of crap that gives REAL hackers a bad name to the lay-person. The douchebags stealing info from banks aren't hackers... they are thieves and crackers.
RSA SecurID can be configured to only allow a tokencode to be used for authentication once. If configured in this way, the above keylogger still wouldn't let someone log in remotely after the legitimate user had used the tokencode.
Not too much of an issue, really.
The technique menaces the 2-factor authentication that some banks have instituted:
Sure, they could intercept my login, but that would get them nothing. A new token is required for each and every transaction once logged in. I suppose they could try to add an emulation layer of sorts for the entire bank site, but that starts to become a lot of work with a lot of opportunity to notice something strange going on.
Does it really matter? If they have access to your PC, why on Earth is this an issue anyway? Two-factor authentication or not, they have *ACCESS* to your Visa numbers, Amazon account, bank details (if you pay some bills online by direct transfer etc.). What the things *do* once they are on your machine is irrelevant. How they got there and finding them is infinitely more important.
This doesn't break RSA's 2-factor at all, as long as they have it setup to accept each temporary password only once.
RSA was good while it lasted. It's still better than nothing. Looks like we may need to invest in biometric laptops for the crew. What a pain.
Reread what they are doing, biometric laptops won't help. They could capture the biometric data as easily as the keyboard data.
No need to execute them. No need to punish them severely at all. We just need to catch them. Given a 50% risk of being caught a one year prison sentence would provide more than adequate deterrence. Given the present one in 100 million risk of being caught an 18th century hanging would offer no significant deterrence.
This applies to crime in general as well.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I'm careful but I just noticed a lag in my e-mail typing so I'm assuming I got nailed by a logger. I switched off that machine and don't use it for the internet but I am having trouble getting rid of it. I've been having a lot of trouble getting rid of things since I switched to Vista. What's the best software these days? I had all my security up and I hadn't been downloading even commercial software so I haven't a clue where it came from. I do a lot of on-line banking so I'm not about to use that machine again but I'd love to get rid of it since I do have a lot of web sites saved off on that one. All I can think was I got it from clicking on a web link to a story. I do surf a lot of news.
I wonder if the next step will be a dedicated hardware device such as IBM's ZTIC, where one does their transaction confirming on a closed secure device. This way, even though the consumer's PC may be compromised, an attacker trying to run transactions would be stopped when there is no device confirming the transaction.
Of course, there are always issues like spamming the user with bogus transactions, or compromise the hardware device. However, it is a lot harder to compromise a hardware device than a generic PC which has to parse/execute/render untrusted code from the Internet on a common basis.
Anything to avoid a secure OS eh?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
And browse / log in using the VM. Done.
------ The best brain training is now totally free : )
This message means your browser has been exploited with a known hole causing black hat crackers to receive what you type!
I herd u liek browser. Tis MINE NAO! Im in ur b0x0rz stealin ur keystrokes! All your cardz are belong to us!
From TFS:
"Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula."
The RSA SecurID tokens generate a unique code that is only valid for ONE logon transaction. As soon as it's used, it becomes invalid, no matter if it's still within the one-minute window of validity or not, so you can't log on twice with the same code. The only chance the real-time hackers would have is to grab the code and log in in the few moments between when the user finishes typing in the passcode and them pressing enter.
Real time key logger, that reports back visited web sites? Isn't that how Google Chrome address bar works?
VMs can break into their host machine.
Read the paper presented at the recent BlackHat Conference.
It's not like we don't know what countries most of this Cracker crap is coming from. We need to deal effectively with the nations that are lax on this stuff. They are lax because it serves their political interest. Eastern Europe is a big place but rather authoritarian. This stuff would stop overnight if they wanted to stop it.
... that I'm still a Bank of America customer. I've grown to like their 2-factor authentication mechanism. You can set up your account so that whenever you try to log in they send a random 6-digit number to you via a text message to your phone. You then enter that number into the website as you're logging in. Since it's truly a one-time-use number sent out of band from the way you're logging in it's about as secure as you can get.
Who uses a keyboard anyway ?
>>>Given the present one in 100 million risk of being caught...
And since our lazy leaders, who don't even bother to read the bills they pass, are unlikely to change this statistic, I'm going to go close my online bank account right now. The last thing I need is some asshole swiping my half-million life savings. I'll just drive to the bank instead.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
We just need to catch them. Given a 50% risk of being caught a one year prison sentence would provide more than adequate deterrence.
Your post displays a lack of understanding of the criminal mind. Don't feel too bad though, because most people (especially lawmakers) have the same lack of understanding.
The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught. Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.
I am pretty sure they know who the "cyber criminals" are mostly.
Wait, aren't ALL keyloggers real time?
Bank of America used to have a good system for authenticating their site. At login, you input your ID, and the B of A site gave you back a photo of your own choosing to tell you that you were on the real Bank of America site. Only then did you input your password.
Last Friday, B of A broke this feature. I'm now getting a password prompt without seeing the photo I'd chosen. My first thought was that there's was a security problem. I checked the SSL cert info, which looked OK. I reinstalled Firefox. No change. I called Bank of America. They wanted me to remove Flash, which I did. No change. They advised me not to log in. Then they passed me off to tech support, which hasn't called back yet.
Then I took out a Linux-based Eee PC 2G Surf that had been unused for months, powered it up, plugged in an Ethernet cable, and saw the site doing exactly the same thing. So it's probably not a client side problem.
What I think happened is that someone at B of A did a partial site redesign and broke something. They introduced some Flash (something called "/sas/sas-docs/html/pmfso.swf") on the password page (a terrible idea, given Flash's history of security vulnerabilities) and along with that, broke some part of the login process.
If, in fact, they've had a break in on the server side, the main login of Bank of America has been compromised for at least three days now. I'm not seeing any indication of that, though; just general ineptitude.
(The page HTML is awful. It's clearly been modified over and over for years without a cleanup. It has Flash, Javascript, CSS, single-pixel GIFs for formatting, and comments like "July maintenance OLB timeout inactivity update starts". The "enter password" page has 966 lines of HTML and JavaScript, not including external files. That's too much flaky machinery for such a security-critical function.)
How many of these stories do we have to see before people wake up and realize that the login and security method is irrelevant if the OS itself is compromised?
As long as everything needed for a successful bank transaction is done through one line (e.g. your Internet connection at home) and a malicious hacker is able to control your endpoint of that connection, he will be able to attack any transaction, no matter how complex the security is (all secure communication schemes are based on the assumption that the endpoints are secure)
A good solution is to require communication over a second channel, e.g. telephone calls or SMS for confirmation of transactions (bank sends SMS with transaction data, client sends SMS with "authorize"). This is done by some banks already.
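The second-channel confirmation described above (and the same idea behind a dedicated confirmation device such as the ZTIC mentioned earlier in the thread), worked through as an added example. This is not any bank's code and not the commenter's; it assumes a toy two-channel model in which the online-banking request arrives over channel 1 (the possibly compromised PC) and the bank sends the exact transaction details plus a pending-transaction id to the customer's phone of record over channel 2, executing only when an "AUTHORIZE id" reply comes back from that phone.

```python
"""Out-of-band transaction confirmation over a second channel.

Added example, not from any bank or from the comment author. Phone numbers,
account names and amounts below are constructed.
"""
import secrets


class Bank:
    def __init__(self, phone_of_record):
        self.phone_of_record = phone_of_record   # customer -> phone number (constructed)
        self.pending = {}                        # txn id -> (customer, payee, amount)
        self.executed = []                       # transfers that were actually carried out
        self.sms_outbox = []                     # (phone, text) sent over channel 2

    def request_transfer(self, customer, payee, amount):
        """Channel 1: the online-banking session, which a trojan may control."""
        txn_id = secrets.token_hex(4)
        self.pending[txn_id] = (customer, payee, amount)
        # Channel 2: the bank tells the phone of record exactly what it is about to execute,
        # so the customer can compare it with what they intended to send.
        text = f"Transfer {amount} to {payee}? Reply AUTHORIZE {txn_id} to confirm."
        self.sms_outbox.append((self.phone_of_record[customer], text))
        return txn_id

    def sms_reply(self, from_phone, text):
        """Channel 2 inbound: only the phone of record may authorize, only a pending id, once."""
        parts = text.split()
        if len(parts) != 2 or parts[0].upper() != "AUTHORIZE":
            return False
        txn = self.pending.get(parts[1])
        if txn is None or self.phone_of_record[txn[0]] != from_phone:
            return False
        self.executed.append(self.pending.pop(parts[1]))   # single use: id is consumed
        return True


def customer_reviews(sms_text, intended_payee, intended_amount):
    """The customer reads the SMS on the phone and replies only if it matches what they typed."""
    expected = f"Transfer {intended_amount} to {intended_payee}? Reply AUTHORIZE "
    if sms_text.startswith(expected):
        return "AUTHORIZE " + sms_text[len(expected):].split()[0]   # echo back the id
    return None


def transfer_scenario(trojan_rewrites):
    """Constructed: alice wants to send 50.00 to bob-savings from an infected PC."""
    bank = Bank({"alice": "+15555550100"})
    intended = ("bob-savings", "50.00")
    # A trojan on the PC can alter the request in transit on channel 1 ...
    payee, amount = ("mule-account", "4900.00") if trojan_rewrites else intended
    txn_id = bank.request_transfer("alice", payee, amount)
    # ... but channel 2 shows the customer what the bank really received.
    phone, sms = bank.sms_outbox[-1]
    reply = customer_reviews(sms, *intended)
    authorized = bank.sms_reply(phone, reply) if reply else False
    return authorized, len(bank.executed)


def wrong_phone_scenario():
    """Constructed: an AUTHORIZE text for a pending id sent from a phone that is not on record."""
    bank = Bank({"alice": "+15555550100"})
    txn_id = bank.request_transfer("alice", "bob-savings", "50.00")
    return bank.sms_reply("+15555550199", f"AUTHORIZE {txn_id}"), len(bank.executed)


if __name__ == "__main__":
    print("honest request:", transfer_scenario(False))
    print("trojan-rewritten request:", transfer_scenario(True))
    print("authorization from wrong phone:", wrong_phone_scenario())
```

The point of sending the transaction details, rather than a bare "confirm?" prompt, is that a trojan which silently rewrites the payee or amount on the PC produces an SMS the customer does not recognise, so the reply never comes and nothing executes. The scheme stands or falls on the second channel: as another comment notes, the phone of record must not be changeable from the compromised session, and a compromised phone collapses both channels back into one.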
The human immune system is in part adaptive. It learns, or acquires, a repertoire of effective actions against invading antigens. The black hats drive PC and Internet security. In a sense their critical doubt runs amok, but, as such, pushes innovative responses. In the late 90's the Internet was alive with crackers and script kiddies. There was at one time a community of reverse engineering that "boasted" a University. I'm not saying they're good. They're a bad pain in the ass but I'd rather give their kind enough room on the Internet to allow white hats to keep the best possible eye on them. How lame would PC security be without being incessantly tested?
ideopath @ play
will it run on Linux?
Realtime keyloggers have been around since botnets have been and then some. Utter Bullshit.
...Your router's activity light blinks every time you press a key on the keyboard.
I assume it's trivial to detect this type of keylogging.
Assuming your phone isn't being compromised, the bank could just call you on your telephone-number-of-record. Of course, you'd need to make sure the bad guys couldn't change that number.
Also, banks should be on the lookout for things like "he used his ATM card at home yesterday, he's in Eastern Europe today" and react accordingly.
These won't stop all such attacks, but they will help.
Another technique is to require inter-bank transactions over a certain amount to be held until they can be affirmed "in person," such as by the customer going into any cooperating bank, ATM, grocery store, etc. and smiling for the camera as he affirms the transaction.
Attack-the-consumer bank fraud cannot be completely stopped but by making it not worth the effort, criminals will try other ways of getting rich, perhaps even honest ones.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
First of all, RSA SecurID has nothing to do with the algorithm RSA (besides being created by the same people).
Second, biometrics won't help at all since they can simply transmit the biometric data back and have *permanent* access to whatever system uses it.
Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords. If the hacker tries to log in to the system using the same password the victim just did, he will be rejected since that password was already used. If he keeps trying to do this, they will probably detect the attack and remove the trojan (not to mention that a single event where the same password is used twice from two different locations is already suspicious enough). If he somehow manages to get the password and log in with it before the victim does (even though at this point the victim has already entered his password), the victim will not be able to log in and quickly detect the problem.
Your post displays a lack of understanding of the criminal mind. [snip] The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught.
There is no single "criminal mind."
True, many criminals grossly underestimate the chances of getting caught or suffering significant consequences.
Some, those who who protest against governments in violation of the law or who steal from the rich to give to the poor, do so for a real or imagined higher purpose.
Others are aware of the consequences but get some benefit out of it, such as the thrill of "getting away with it," the thrill of showing they are, at least this time, more powerful than their victim or society, the thrill or other benefits of a drug high, or simply for financial gain.
I can give you a USA-based example with misdemeanor speeding tickets: Many people spend their entire adult life speeding 5-10% over the speed limit on the highways even when it is safe to go the speed limit, knowing they will get caught a few times a decade. For them, it's simply a matter of cost-vs-benefit. In some parts of the world or for people with certain political connections, the cost-benefit equation for fraud favors the criminal.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
When the first part of the authentication is done by a Greasemonkey script, keyloggers don't see that. Or do they?
This may sound like a joke, but in fact I do have one part of the authentication scripted in Greasemonkey. That gets me directly to the next step with some sort of challenge-response system involving a calculator-like gadget with my bank card inserted in it.
Of course, if your bank requires nothing else than an account number and a password which you have in a GM script, I would be glad to borrow your computer...
The systems I know are the ones of the Swiss Post (pdf) and of UBS (pdf). I do wonder if these can be attacked by such instant keyloggers.
Why is there a "GoogleWave" tag? I don't get it.
They use wish-it-was two-factor
Two-factor authentication is when authentication requires two different factors of authentication. Some possible factors of authentication are something you know (PIN numbers, passwords, usernames, secret answers to questions arranged in advanced), something you have (smart card, key fob, pass-card, a special piece of hardware, a SSL certificate loaded on a device that you can't read), something you are (biometric identification, facial, voice, fingerprint recognition, hardware that reads your GPS position to verify you are at home, a phone number that checks your ANI caller ID information)
Most banks only require something you know. The security question/answer dialogs that are commonly used are equivalent to a second password, granted: a second password that is likely to be a lot less secure.
Issues like the 'temporary passwords' on your key fobs being discovered when you use them can be defeated, by only allowing the password to be used once. If an attempt to use the temporary password is used again, or an attempt is made to use any incorrect temporary password, then all active sessions should be logged out.
In addition both sessions should be warned about the attempt, and that their computer station may be compromised, they should update their antivirus and antispyware scanners, disconnect from the internet, and perform a full scan.
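The single-use rule that several comments in this thread rely on (a tokencode is accepted once, and a replay or a wrong code ends every active session and triggers a warning to the user), worked through as an added example. This is not RSA's code, not any bank's, and not the commenter's; it assumes a simplified server model and uses an HOTP-style generator (RFC 4226) in place of the proprietary SecurID algorithm, with a constructed seed and timestamps.

```python
"""Single-use tokencode enforcement with replay lockout.

Added example, not from any bank, from RSA, or from the comment author. The
code generator is HOTP-style (RFC 4226) standing in for SecurID's own algorithm.
"""
import hashlib
import hmac
import struct
import time


class TokencodeServer:
    def __init__(self, seeds, step=60, window=1):
        self.seeds = seeds          # user -> token seed shared with the fob (constructed)
        self.step = step            # seconds each code is displayed
        self.window = window        # accept this many steps of clock drift either way
        self.used = {}              # user -> {(counter, code)} already accepted
        self.sessions = {}          # user -> {session_id} currently logged in
        self.alerts = []            # (user, reason): user should be warned out of band

    def _code(self, user, counter):
        mac = hmac.new(self.seeds[user], struct.pack(">Q", counter), hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        val = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
        return f"{val:06d}"

    def current_code(self, user, now=None):
        """What the user's fob displays at time `now`."""
        now = time.time() if now is None else now
        return self._code(user, int(now) // self.step)

    def _lock_out(self, user, reason):
        # The comment's rule: a replay or a wrong code ends every active session
        # and the user is told their machine may be compromised.
        self.sessions.pop(user, None)
        self.alerts.append((user, reason))

    def login(self, user, code, session_id, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(self._code(user, c), code):
                if (c, code) in self.used.setdefault(user, set()):
                    self._lock_out(user, "tokencode replayed")
                    return False
                self.used[user].add((c, code))   # burn the code on first use
                self.sessions.setdefault(user, set()).add(session_id)
                return True
        self._lock_out(user, "incorrect tokencode")
        return False


def replay_scenario(attacker_first=False):
    """Constructed: a keylogger forwards alice's code; either party may submit it first."""
    srv = TokencodeServer({"alice": b"constructed-seed-for-alice"})
    t0 = 1_700_000_000
    code = srv.current_code("alice", t0)
    first, second = (("attacker-session", "victim-session") if attacker_first
                     else ("victim-session", "attacker-session"))
    results = {first: srv.login("alice", code, first, t0),
               second: srv.login("alice", code, second, t0 + 5)}   # same minute, same code
    return results, sorted(srv.sessions.get("alice", ())), srv.alerts


if __name__ == "__main__":
    print("victim submits first:", replay_scenario())
    print("attacker submits first:", replay_scenario(attacker_first=True))
```

Whichever side submits first wins the code; the second submission fails, every session for that user is dropped (including the one the attacker just opened, if the attacker was first), and an alert is queued. What this does not address is the case raised elsewhere in the thread: a trojan that suppresses the victim's own submission and uses the code itself is the "attacker first" path, and the only signal left is the victim's failed login and the alert.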
Do these real-time keyloggers affect Linux?
My wife is really comfortable with her WinXP software and I'll never get her to change to Linux (I've tried, but it's hopeless). Still, I have given her a Linux laptop for doing her on-line banking and she does not use the WinXP machine for any financial transactions. I was thinking that I only had to deal with Firefox exploits that way.
Escaping that sort of detection is easy by not transmitting each individual keystroke in real-time. Maybe once every 4 or 5 keystrokes, or when you click, press enter, submit, space bar, or do something else that indicates a "text break".
In addition, they can attenuate this by sending a constant low-bitrate stream of data when you aren't typing anything, so your router's activity lights are always blinking.
E.g., they might transmit a 56-byte packet every 2 to 3 seconds, say something innocuous like a port 80 ping to windows update servers (or your distro's update servers for Linux users).
Needless to say, all the keystroke log transmissions would be encrypted and random fuzziness generated to make it hard for adversaries and network-based IDS to identify generated packets as keylogger traffic.
Me and my friends have been using this in the USA since uhm... ever. It's pretty easy.
sock.send(keypressed);
Or something to the effect of that.
On the other end:
sock.recv(keypressed);
cout << keypressed;
"Your post displays a lack of understanding of the criminal mind."
Who the fuck do you think you are? Axel Foley? Your post displays a lack of open-mindedness and foresight.
So you're saying that an increase in the number of arrests (by percent) would not deter criminals, or - to give you the benefit of the doubt - enough to make a difference? Why don't you take a look at the statistics. With respect to that, it seems that perhaps an increase in probability of arrest would be something of a deterrent. Needless to say, making those arrests, that is, not ignoring them as you would do, would also keep those who disregard the law entirely from repeating their offense. Here is a nice chart indicating percent change of crimes from one year to the next.
There will always be people who don't care about the consequences of their actions, and those actions will always be the more damaging when the "unthinkable" occurs (i.e. 9/11, Columbine, and so forth), but one thing that the threat of punishment can do is deter the would-be criminals with weaker motivations or morals that are not completely skewed. This won't prevent the "unthinkable," but it will keep more people from committing most crimes. The main problem with trying to prosecute international cyber-crimes is jurisdiction, which would likely cause a larger bureaucratic mess than the crime itself.
Punishment is supposed to be about demotivation, though the US doesn't have a great track record on demotivating those convicted of their crimes. The threat however, is likely a more powerful demotivator to those who would be susceptible to being talked out of committing the crime.
Statistically speaking, if it were possible to find and prosecute a sizable enough number of any group of criminals, it would seriously deter enough of them to represent a decrease in the volume of acts committed.
To get back on topic, one time pads and other methods should have been implemented by financial institutions to begin with. This sending of unencrypted bank information - especially to cell phones - to and from clients is ridiculous.
- Spades
The speed limit was set to 55mph in the mid-70s to conserve oil.
Even with today's fuel-efficient cars, going 65 saves money over going 85.
This is for at least two reasons:
* atmospheric drag
* engine efficiency
The former you can't do much about save driving with a tail-wind: You will get more drag at 85 than 65, and more drag at 65 than 45, more at 45 than 25, and more at 25 than at a dead stop.
The second is determined by the car's engineering. For cars sold in America, most have maximum engine efficiency somewhere in mid-RPM range, corresponding to somewhere in the 50-70mph range in top gear. Any faster than that and you'll lose efficiency.
As long as people are focused on pollution, don't expect wholesale speed-limit reductions, especially in urban areas.
Oh, there is also the safety factor: Even on a road designed for 85mph travel, that's with a given level of traffic and with a given driver behavior pattern. If the traffic is lighter and the drivers behave "better" the ideal speed may be higher, if the traffic is heavier or you have someone weaving in and out of traffic, or even adverse weather or night driving, the ideal speed may be lower.
Speed limits need to be set on a case by case basis for each road segment, taking into account typical actual traffic patterns including typical actual speeds, the accident and near-accident history of the road, pollution levels in the region and downwind, and other factors. The national maximum of 80-ish mph may be too low, but there are very few places near cities where anything higher than even 70mph makes sense.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Yes this "new" ability! Oh wait, Sub7 has had a real time keylogger on it for almost 10 years. Oh no, that doesn't sound very new at all.
"Made possible by Microsoft(TM)"
Right?
TFA says nothing about the OS involved, which usually means a Microsoft Windows PC. I suppose the NYT is able to sell more advertising if they keep it ambiguous.
Now, to be fair, Linux recently patched a root-privilege bug that went unnoticed for EIGHT years. But, to be just as fair, there are several orders of magnitude more compromises available courtesy Redmond, and due largely in part (as Dijkstra quipped...) to their poor reinvention of UNIX.
I have family that use Windows. What am I supposed to do? This is getting ridiculous. Sure, they get the OS they deserve. Sure, my employer gets the security compromises they deserve. But some part of the blame has to be shared by the company which made all of this possible.
Programmers have always written buggy software. But it took Microsoft to create security flaws *by design* - that is, to deliberately architect software in an insecure and unreliable manner. It took Microsoft to disregard the lessons learned in UNIX, (as Dijkstra would say) "To reinvent it poorly."
I know, I know, ./ers will say, "Don't use Windows". Okay, I don't. But you have to understand that not everyone is a geek. The folks at corporate *BUY* Windows licenses because they don't know any better. My relatives use it because it came with their computer, or, their department at the university uses word, or they want to play games, or they want something familiar.
What about them?
Is it really acceptable for us to ignore the needs of the average user? Is it really acceptable to blame the victims?
Or, should we hold Microsoft accountable to the same standards adhered to by everyone else in the industry?
The society for a thought-free internet welcomes you.
Since my bank requires the gadget to be used not only at logon time but also whenever I request a transfer of money to a new entity, as well as a 4-digit pass code punched in via mouse, I'd say the hackers may have a rather tough time trying to dig my debt-trench deeper than it already is.
Although they may have a laugh browsing my accounts, that won't help them a bit.
This signature is DRM protected. By the DMCA, you are not allowed to counteract or oppose to it.
FUCK YOU; Madonna rocks. Any guy would do Madonna.
I think that the parent needs to be heard. Like-minded, and in danger of the same abuse, to eradicate the predator is natural, human and perfectly acceptable.
There are certain facts I believe everyone can agree on.
1. These are thieves that both steal money and Constitutional rights (or, if not a U.S. citizen, a human right to life, liberty and the pursuit of happiness, which we may agree are all fueled by money won by our sweat, talent and wits)
2. Law enforcement is nowhere near to bringing any of these to justice nor will they be in the foreseeable future.
3. Any human may defend themselves, especially in the event where there is a lack of, or insufficient, police protection.
4. To call on others
5. Since incarceration hasn't deterred black hattery since before Mitnick, it has been seen that something stronger than incarceration is in fact warranted.
6. Black hatters like others of their ilk lack the survival instinct necessary to form moral barriers that protect them from their own behavior and to allow this to continually muddy the gene pool is not in the interests of humanity.
So an international treaty providing sanctions of first castration/sterilization for underage offenses and wretched horrific public execution complete with sadistic experimentation should actually be mandatory.
I have thought long and hard about this and considered that there are absolutely no other ways more peaceable or humanitarian to have an acceptable outcome.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
When you authenticate successfully with a passcode the passcode is immediately invalidated and cannot be used again. You cannot complete a login then use the same passcode again. At my old company we had to request special 30-second fobs for this reason. People would connect to a machine using their passcode and then need to su to root, but had to wait for the code on the token to change before they could authenticate again. If an attacker captures your passcode after you use it to successfully log in it's not going to do them any good at all. I feel like I'm missing something because none of the comments that I read above mention this fact. Pretty basic stuff to anyone who has administrated the system before.
Speak for yourself. She's probably as diseased as ex-babe Pamela Denise Anderson.
I couldn't find any ribbed for "his" pleasure so I had to turn them inside out and tell her I bought the plain ones.
And since our lazy leaders, who don't even bother to read the bills they pass
We could do real reform to the whole system if we sunset every law in effect now and require new laws to be read aloud in full before they are allowed to be voted on. That's supposed to be the law (at least in the Senate) ...
Well, hmmm, I don't recall them going too lightly on Mitnick, and incarceration wasn't the only punishment necessary to sit on him til he was considered somewhat harmless. These clowns have no regard for their victims' lives, property or money. If you don't believe that money is fuel for life, just try living without it. ,who should know better already.
Granted in some countries the government guarantees banks for up to $100,000 dollars as in the U.S., but this isn't universal and kind of irrelevant when you consider this is still an attack on those who work hard for their money at minimum to buy food, shelter and clothing for themselves and dependents. Since this $100k insurance is still money taxed from the same people and could've gone to other ways to further these tax payers, it is still robbing life, liberty and the pursuit of happiness from them. When law enforcement fails, humans may only rely on themselves for protection from predators. As I said in my post above, incarceration fails to be a deterrent to what seems to be a genetic mutation lacking a human moral compass.
This mutation should be eradicated by sterilization of the young who may still learn to be an asset to humanity, and a horrible public torture and execution as a possible deterrent for those older and set in their ways.
If you can actually come up with a FEASIBLE way of doing this more peacefully and actually getting the job done without regurgitating more buzz and diatribe, we would all love to hear.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords.
If the attacker has trojaned your machine, he just needs to arrange for his software to block your submission of the one-time password so that he can use it. If he gives you an error page, or even what looks like a functional page, then he can proceed to drain your bank account and leave you completely unsuspecting.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The speed limit was set to 55mph in the mid-70s to conserve oil.
It was set there by Dick Nixon right after the election. Even the idiots at Wikipedia got it right.
And it was sold as "55 saves lives", not as a consumption reduction measure.
Get off my lawn!
(Barry-O's spiritual forefather was Dick Nixon, not Jimmy Carter)
It was set there by Dick Nixon right after the election. Even the idiots at Wikipedia got it right.
And it was sold as "55 saves lives", not as a consumption reduction measure.
If by right you mean even Wikipedia says the reason they changed it was due to safety, which Wikipedia article do you mean?
National maximum speed law and Speed limit both point to fuel-efficiency as the initial reason for the 55mph United States speed limit in 1973.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Richard Nixon, Statement on Signing the Emergency Highway Energy Conservation Act, January 2, 1974:
"I AM pleased to sign into law H.R. 11372, an act aimed principally at helping to reduce gasoline and diesel fuel consumption during the energy crisis."
I'm not saying you are wrong about the ads, I am saying the official reason for the change was to save energy. I am also saying that if some Wikipedia article is claiming otherwise, it needs to be reconciled with the two articles I mentioned above. Happy editing.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
[citation needed]
Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.
That paper is the best (+1 Informative), most insightful (+1 Insightful), most disturbing (+1 Troll) and funniest (+1 Funny) psychology paper I have ever read.
http://www.apa.org/journals/features/psp7761121.pdf
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
What do you mean, blink? It's always on; it only turns off when my PC is turned off or I have stopped all my torrents :P
True, he could also just run a second browser session with the already authenticated URL. But I agree with the grandparent that the article is wrong - I tried logging in twice using the same token sequence, and it consistently fails on the second attempted session.
I am not a robot. I am a unicorn.
DEMOCRATS Speed-read Bill:
http://www.youtube.com/watch?v=_uxsAuY1AF4
This is not a solution. What needs to be done is to allow time for review of the bill in private - at least a month. Why rush lawmaking, especially when these laws last decades.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Research indicates otherwise.
75% of music pirates would stop if told to by their ISP.
Interested in open source engine management for your Subaru?
I heard of a case where the locals set the speed at some arbitrary level, I think 55 or 60, but everyone was going 60 or 65.
Either the state transportation agency or the state courts ordered the city to use rational justification to set the speed limits. They were specifically ordered to take into account prevailing actual speeds and actual accident rates. After a brief study, the speed limit went up. This was post-1995, possibly during one of the mini-oil-gluts of the past 15 years, and fuel-conservation wasn't a specific factor.
First off, whatever he did, he didn't do alone - he had help from Congress, and help from courts who rejected 10th-amendment arguments.
Second, this was all about money. States were free to reject highway funding, at least in theory.
I agree though, he and Congress together violated the spirit and intent of the 10th amendment, while very obviously not violating the letter.
Does anyone produce biometric sensors which digitally sign and timestamp your fingerprints?
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
There are places, usually small towns, where they will ticket you for going 1mph over. This can be enforced by means other than a radar gun, means that will hold up in court.
There are also special situations, such as around schools, parks, and neighborhoods with a lot of children at play, where locals demand strict traffic enforcement. I once knew of a town that had an unwritten rule: "we'll give you 10mph, except in a school zone right before and right after school, where we will pull you over for going 1mph over." Not that they would actually ticket you for going 1mph over, but they would get your attention and a mini-lecture on traffic safety around children.
I wasn't aware of this research before, and it seems ironic to me that it seems to have coincided with the increased use of self-assessment forms in job applications. As someone with a high degree of knowledge of my area of work (web development) I am almost painfully aware of my areas of inadequacy. I choose to answer these questionnaires honestly, but I wonder now if that means I am getting passed over for people with an over-inflated idea of their competence? Or do people set these tests in order to weed out the ones who give themselves high scores in every area?
How does this "indicate otherwise"? If you receive one of these letters, you have already been caught.
Online banking security in the face of malware is an argument for TC. Which Stallman calls Treacherous Computing.
Although, if you controlled the root keys, this would be a step in the right direction.
-- I was raised on the command line, bitch
> Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords. If the hacker tries to log in to the system using the same password the victim just did, he will be rejected since that password was already used.
Actually, if the person who tries to log in logs in to a fake page which redirects the user, all the while capturing his keylogged info, then he would have a fake "unavailable" page sent to him while the attacker has his keypad info, letting him access. By the time the whole ordeal is done with page loads and whatnot, the number has changed on those SecurIDs, making the failed attempt obsolete and starting anew with a fresh key. So now you would have two login attempts. If there were some sort of IP address log, then as soon as two separate logins were active with the same credentials but a different key, it should lock that account and send an email to the admin about what just happened. Any admin worth his salt would take care of this; however, I have seen many lazy admins, and most don't even log IPs with SecurIDs... not cost efficient!!!
This "amazing" attack is easily defeated. Only allow the six-digit number to be used once. Then it can be sniffed and used immediately -- and the attacker will be denied access as it will be the second time.
Currently hooked on AMP
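The relay trick described earlier in the thread (trojan shows the victim an error page, attacker submits the captured code first) and the two-logins lockout suggested in the comments just above, played out against a server that enforces single use, as an added example that is not part of the original thread or any bank's code. It is constructed Python: the HOTP-style code derivation, the shared seed, the RFC 5737 documentation addresses and the hand-driven clock are assumptions made for the demo, not how SecurID actually works.

```python
import hmac
import hashlib
import struct

# Constructed demo values (assumptions, not real SecurID material).
SECRET = b"constructed-demo-seed"
VICTIM_IP = "198.51.100.7"     # RFC 5737 documentation address
ATTACKER_IP = "203.0.113.5"    # RFC 5737 documentation address


def otp_for_step(secret: bytes, step: int) -> str:
    """Six-digit code for a time step, HOTP-style (RFC 4226 dynamic truncation).
    Stand-in for whatever the real fob computes."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class BankServer:
    """Verifies codes, accepts each one only once, and locks the account when
    two live sessions for one user come from different addresses."""

    def __init__(self, secret: bytes, current_step):
        self.secret = secret
        self.current_step = current_step   # callable returning the time step
        self.used = set()                  # (user, code) pairs already consumed
        self.sessions = []                 # (user, client_ip, step)
        self.locked = set()
        self.alerts = []

    def login(self, user: str, code: str, client_ip: str) -> str:
        if user in self.locked:
            return "locked"
        step = self.current_step()
        if not hmac.compare_digest(code, otp_for_step(self.secret, step)):
            return "bad-code"
        if (user, code) in self.used:
            return "replay-rejected"       # the one-time rule
        self.used.add((user, code))
        self.sessions.append((user, client_ip, step))
        addrs = {ip for u, ip, _ in self.sessions if u == user}
        if len(addrs) > 1:
            # Two valid logins, two different codes, two different addresses.
            self.locked.add(user)
            self.sessions = [s for s in self.sessions if s[0] != user]
            self.alerts.append(f"{user}: concurrent logins from {sorted(addrs)}")
            return "concurrent-login-locked"
        return "ok"


def run_relay_attack() -> dict:
    """Plays the real-time relay against the single-use server."""
    clock = {"step": 1000}
    bank = BankServer(SECRET, lambda: clock["step"])
    results = {}

    # 1. Victim reads the code off the fob and types it into the trojaned browser.
    code = otp_for_step(SECRET, clock["step"])
    # 2. Trojan ships the code to the attacker and shows the victim an error page
    #    instead of submitting the form. The attacker submits it first and is in.
    results["attacker"] = bank.login("alice", code, ATTACKER_IP)
    # 3. If the victim's form is submitted after all, single use now works
    #    against the victim: the code has already been consumed.
    results["victim_same_code"] = bank.login("alice", code, VICTIM_IP)
    # 4. Victim waits for the fob to roll over and retries with a fresh code.
    #    A server that correlates live sessions with source addresses can now
    #    see two sessions for one user and lock the account.
    clock["step"] += 1
    fresh = otp_for_step(SECRET, clock["step"])
    results["victim_fresh_code"] = bank.login("alice", fresh, VICTIM_IP)
    results["locked"] = "alice" in bank.locked
    results["alerts"] = list(bank.alerts)
    return results


if __name__ == "__main__":
    for key, value in run_relay_attack().items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run it. Single use does nothing for the victim here: the attacker's submission is the first one, so it is the victim's own retry that gets "replay-rejected". And the lockout only fires after the attacker already holds a session, and only if the victim retries; if the attacker drives the session from the victim's own machine instead (as another comment in the thread points out he can), both logins come from the same address and this check sees nothing.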
"I have family that use Windows. What am I supposed to do?" - by gillbates (106458) on Sunday August 23, @09:53PM (#29168277) Homepage
THIS:
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA (& beyond), + make it "fun-to-do", via CIS Tool Guidance (& beyond):
----
http://www.tcmagazine.com/forums/index.php?s=e9bb2f3f527af8305dc4891065f330c4&showtopic=2662
----
IT WORKS...
How well? Ok, a testimonial, from -> http://www.xtremepccentral.com/forums/showthread.php?s=79253c5b286c472a012ff2ef7e7f2230&t=28430&page=3
----
"It's 2009 - still trouble free! I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half-life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my hosts file updated, setting services to system service, rather than system local." THRONKA, user @ xtremepccentral.com
----
That's 'how well'... for going on 2++ yrs. now for Thronka & his paying clients, & for myself? Since 1997-1998 or so, through many machines since those days, to the present today, same results here!
APK
P.S.=> Enjoy - that guide, once you apply its points? It MAY "change your 'pov'" on Windows... Especially because you're such a "Pro-*NIX" type! apk
My winkie shrivels at the very thought of coming near that skank
Good consumer banks, employing sane programmers, do it in a way that is 100% foolproof, unless a major mathematical discovery rendering all cryptography useless is made...
The correct way to do it is not only to use such a generated token for login, but also to mandate the bank account number of the person/firm you want to send money to be part of the cryptographic challenge.
There's no "real-time keylogger" that lowlifes can use to work around that. There simply is no way. It's 100% foolproof when done correctly.
Cryptographic challenges, once done correctly, will be impossible to defeat. There are already some consumer banks doing this.
And it's just the beginning.
The math is out there. The knowledge is out there. The programmers able to implement that are out there.
Once upper management takes this seriously, the bad guys will have a *really* hard time trying to steal money from bank accounts by doing MITM-type attacks, or any other type of cyber-attack.
Once again, several consumer banks have already implemented this in Europe.
Good luck lowlifes.
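The transaction-bound challenge the comment above describes, as an added example that is not the commenter's code and not any real bank's scheme: the customer keys the beneficiary account and amount into a token that is not connected to the PC, the token answers with an HMAC over those fields plus a bank-issued nonce, and the bank only executes what the response actually covers. Constructed Python; the customer key, the account numbers, the counter-based nonce and the 8-digit truncation are all assumptions made for the demo.

```python
import hmac
import hashlib

# Constructed demo key: in practice a per-customer secret held inside the token.
CUSTOMER_KEY = b"constructed-demo-customer-key"


def signed_fields(account: str, amount_cents: int, nonce: int) -> bytes:
    """The exact bytes the token signs: beneficiary, amount and a bank nonce.
    Anything the trojan changes in the browser form must change these too."""
    return f"{account}|{amount_cents}|{nonce}".encode()


def token_response(key: bytes, account: str, amount_cents: int, nonce: int) -> str:
    """What the offline token displays after the customer keys in beneficiary,
    amount and nonce. The 8-digit truncation is an assumption for the demo."""
    mac = hmac.new(key, signed_fields(account, amount_cents, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.nonce = 0
        self.used_nonces = set()

    def new_transfer(self, account: str, amount_cents: int) -> dict:
        """Issues a fresh nonce for the customer to type into the token
        together with the beneficiary and amount."""
        self.nonce += 1
        return {"account": account, "amount": amount_cents, "nonce": self.nonce}

    def execute(self, account: str, amount_cents: int, nonce: int, response: str) -> str:
        """Recomputes the response over the fields actually submitted."""
        if nonce in self.used_nonces:
            return "replay"
        expected = token_response(self.key, account, amount_cents, nonce)
        if not hmac.compare_digest(expected, response):
            return "rejected"
        self.used_nonces.add(nonce)
        return f"sent {amount_cents} to {account}"


def run_transfer_demo() -> dict:
    bank = Bank(CUSTOMER_KEY)
    friend = "DE00FRIEND0000000000"   # constructed account numbers
    mule = "GB00MULE000000000000"
    results = {}

    # Honest transfer: the token signs exactly what the customer keyed in.
    t = bank.new_transfer(friend, 10_000)
    honest_resp = token_response(CUSTOMER_KEY, friend, 10_000, t["nonce"])
    results["honest"] = bank.execute(friend, 10_000, t["nonce"], honest_resp)

    # Trojan rewrites the beneficiary in the browser form. All it can forward is
    # the response the token computed over the friend's account, which does not
    # verify over the mule's.
    t = bank.new_transfer(friend, 10_000)
    resp = token_response(CUSTOMER_KEY, friend, 10_000, t["nonce"])
    results["tampered"] = bank.execute(mule, 10_000, t["nonce"], resp)

    # Keylogged response replayed later with its original fields: nonce burned.
    results["replay"] = bank.execute(friend, 10_000, 1, honest_resp)
    return results


if __name__ == "__main__":
    for key, value in run_transfer_demo().items():
        print(f"{key}: {value}")
```

The guarantee rests on two things the code cannot enforce by itself: the token must be separate from the infected PC, and the customer must actually key in (or read back) the beneficiary the token is signing. A variant where the token just signs a challenge string copied off the screen gives that up, because a trojan can display a challenge it built for the mule account and the customer will sign it without noticing.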
Real-time keyloggers? What is it, the 80s? This is new?
> then he can proceed to drain your bank account
.. the technical side of it looks like it would work for the bad guys, but this "drain your bank account" business seems a bit glib. Recently I tried to transfer a significant amount of money between two banks I had accounts with. It was unbelievably ugly. In the end I just wrote myself a check and deposited it at the other bank .. manually, and had to wait the requisite days for it to "clear".
Yeah
I'm not saying it's not possible, but I'd take a WAG that any local bank might actually get in touch with you if you suddenly volleyed most of your life's savings to a bank in lower Slobovia, and that's if you can convince the bank servers that you really, really wanted to do this.