Security Researchers Threatened With US Cybercrime Laws
An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."
Break the law then pay the price.
...when ill-thought-out laws are passed.
In the UK, it is a crime (under the Computer Misuse Act) to test a third-party system for vulnerabilities.
The Heartbleed incident caused a lot of people to break the law testing whether websites were affected.
1990 - 2000 - "Script Kiddie"
2014 - "Security Researcher"
This is why we can't have nice things. Companies won't audit themselves, and they get bent out of shape if others do it for them...
Logic is the beginning of reason, not the end of it.
In America any good intentions are met by defensive idiots
Fuck them. Don't even try to help them anymore; use your research to secure the rest of the world and let them rot in the festering cesspool they created.
First weev, now this.
The NSA and other security services will not want security researchers to find and fix vulnerabilities the security services are exploiting.
You didn't read the article.
Authorities don't want them finding all their backdoors.
Not "caught hacking", this implies you know about the problem or had a way to detect this post-fact. Most of the time it is "hey, you have a problem" followed by an OMGLAWYERS idiotic response. Last time I checked, lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.
Yeah, how dare they ask these companies to take their heads out of the sand and do something about their customers' security/privacy!
I'm appalled at the amount of "Good, they broke the law" comments in this thread...
Odd as it may sound, for security research, you have WAY more liberties there.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
From what I understand, the primary way they can prosecute under the CFAA is if a device is being used other than in the manner in which it is intended.
Why not have the companies liable for releasing a device that has undocumented exploitable features that fall outside the realm of intended use?
My plan won't work (For anyone thinking logically), but it'd shut up the CFAA lawyers.
Why, with all the plenty of cheap resources, technology, entertainment and knowledge, are people still complete assholes? There must be an asshole gene that natural selection has yet to make dormant.
So you should have to be invited to test to ensure that the systems are secure from exploits? Under that philosophy the black hats will win almost every time.
When you can't win, ad hominem.
Putting scare quotes around "security researcher" or adding the adjective "random" does nothing to convert first class security researchers such as H. D. Moore into a script kiddy. Seems to me that reporting a discovered vulnerability to the manufacturer is pretty good evidence that the researcher's motives are pure.
You learn a lot about people and organizations when you point out their own fuckups to them.
First, if anyone can get to your "shit-ton of data" you are not doing it right, and in your organization CIO is an honorary title.
Second, the act of publishing is problematic, maybe even the act of downloading, not the act of accessing your system in a proof-of-concept.
Third, if someone is trying to report a problem to your organization and does not have an easy way to do so, then that is yet another failure that you should address.
Everything is going according to plan.
---- Booth was a patriot ----
And it's about time the so-called "ethical security researchers" got off their high horses and realized that. There are far too many laws for there to be white hats. If you want to do useful research into vulnerabilities other than those of the company you are a security researcher for, you're going to have to put on the black hat.
You were given notice that your product has vulnerabilities. I had no intention of letting others know about these vulnerabilities until they were fixed.
I did not have to do this and could have anonymously released the vulnerabilities into the wild.
Unfortunately, after your stupid-assed fucktard move of sending me this threatening letter, it seems that the Anonymous group has hacked into the device of yours that I was using to store all of the exploitable vulnerabilities and has released them into the wild.
Maybe next time you'll pull your head out of your ass before sending stupid-assed shit like this.
I am releasing a public announcement with full data, full vulnerabilities as well as the full context of your letter(s) and threats to let the world know that you prefer to threaten people who try to help you rather than fixing your problems.
Way to go retards.
BTW - you cannot touch me in any way, shape or form, as your laws do not apply to me, as I am a citizen of Moldavia and sit on the Mutant Jedi Council and have full diplomatic immunity.
So go fuck yourself
Yours truly,
Anon Y Mous
Mock up a few copies and then dare folks to hack it (sort by remote and physical access type hacks).
When you get something that can stand up to a decent number of hacks (remote hacks that require you to be on the same subnet, on a blue moon, with a Big$ tool, between the hours of 22:00 and 23:59, with the product in mode X, and physical hacks that would be obvious don't count), then as a last check you put up a BIG$ bounty on hacks.
Then you can release a cyber product targeting children.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Maybe he should get a few babies killed instead - anonymously of course. Maybe they'll listen then.
The NSA are a bunch of jealous, obsessive, insecure bitches.
Typical, and yet so predictable.
Remember the old days when motive was a substantial part of a court's consideration of an alleged illegal act.
But that was in the days before lawyers became gods on earth.
The world's burning. Moped Jesus spotted on I50. Details at 11.
the mayors of several crime-plagued cities release a joint announcement that reporting apparent crimes in progress to police would result in the arrest and summary punishment of the person making the police report.
"If you losers would stop reporting crimes, we wouldn't have so much crime," one prominent mayor stated to this reporter. "We're going to push down crime rates the only way that works: make it impossible to report a crime."
When asked for a comment, the aforementioned mayor's Chief of Police muttered "Whaddyawant, I'm busy here" through a mouthful of donut while pocketing a thickly-stuffed brown paper envelope proffered by an unidentified man flanked by several apparent bodyguards.
Welcome to the Panopticon. Used to be a prison, now it's your home.
industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure.
Yes, it's surprising when companies get bent out of shape when random "security researchers" hack into their systems uninvited.
Sure, it's nice to know if you are vulnerable, but still, it is difficult to take at "face value" when some random "security researcher" claims to have altruistic aims when caught hacking your network...
Why, because it's so difficult to believe these days that any system would have vulnerabilities that need to be addressed?
Perhaps I would question the source a bit, but being alerted via email isn't exactly the standard Way of the Black Hat. They prefer you find out the hard way, and given that fact alone, I'd probably put some value on the face of the notification.
The legal reaction described is quite pathetic. Hiding behind your lawyers instead of trying to look into an identified problem isn't going to bode well long-term. And hiring a dozen more of them isn't going to get customers to buy your shitty, broken product you refuse to fix.
but still, it is difficult to take at "face value" when some random "security researcher" claims to have altruistic aims when caught hacking your network...
Why bother? The script kiddies are rattling the doors all day, every day. That noise is always there. One more visitor, or ten, isn't going to make a difference in our threat posture. And if one of those visits results in a discovery that we all benefit from, so much the better.
These are all business decisions. Fact of the matter is that every business owner needs to make a calculated decision on whether or not to fix a known security problem (or any bug for that matter) based on the cost/benefit. They may decide that the likelihood of being attacked, cost of damage, value of data that could be stolen, or otherwise is simply too low in comparison to the cost of fixing the issue. This may or may not be true, but any ethical "security researcher" should allow that company to make that decision without holding them hostage with the damaging information. Every system is vulnerable. It's always a question of how much money it is worth spending to make it less vulnerable.
I suppose lawyers don't have locks on their homes because there's laws about illegal entry.
So you should have to be invited to test to ensure that the systems are secure from exploits?
Do you really need to ask? Should I need to be invited to find out if the locks on your front door are sufficiently resistant to being picked? The door is locked. Leave it alone.
All of this is valid, but also myopic. In most vulnerability situations, especially involving data at rest, you have costs to the business and costs to the general public that usually exceed the first figure. Just because your organization is not held financially liable for a compromise does not mean that such a compromise did not cause significant damage to a third party.
For example, a SCADA system that your organization maintains gets compromised. Fixing such a system vulnerability will inevitably be expensive, and simply sending out a technician to reset it would generate billable hours. Your business interests are to ignore this problem, but imagine if this system is part of a water treatment system for a large residential neighborhood.
Business needs worship is a flavor of 'market will fix it' fallacy. It only works if all players are forced into making moral decisions.
We should totally leave our vulnerability research up to professionals and foreigners. Our government has teams and teams of computer scientists working to make the world a better place who will tell us if there is a problem we should know about. And China, North Korea, Iran, and Russia will let us know if they find problems on their end so they won't receive so much SPAM.
Identifying the good guys is a question of trust, so you can imagine why lawmakers are hesitant to throw trust around willy-nilly. Building a system that shows how that trust is reciprocated and enforced would be a good start.
Seems like there could be a law that tries to differentiate "Research Hacking" by setting requirements to qualify as a researcher. They must provide full transparency to prove they have no malicious intent. They inform law enforcement authorities of their activities before and after the exercise and constantly upload logs of their actions and any data transactions they execute. Maybe on a virtual "research sandbox" machine that deletes itself at the end of the session as an added layer of protection. Then if the vulnerability gets out before it's been reported, maybe that researcher (or people with access to their machine) is a good place to start the investigation, so there's incentive to report vulnerabilities quickly. Overly simplistic, probably not quite workable as-stated, but you get the idea.
I don't understand what the security researchers are doing. It sounds like they're doing something analogous to physically picking random locks that don't belong to them. It should not be surprising that the lock owners would be annoyed.
Your business interests are to ignore this problem, but imagine if this system is part of a water treatment system for a large residential neighborhood.
This was exactly my point. It is a business decision of cost/benefit. If that SCADA system is just part of your office building's HVAC control, you would probably be wise to leave it be, since the likelihood of anyone attacking your air conditioning is low and any fallout cost would be relatively low. If it's controlling a nuclear power plant, that's another story. It is the responsibility of the business to make that call.
Let me put it another way. If you tell a homeowner that their front door lock is unusually vulnerable to being picked, first of all they should sock you in the face for trying to pick their lock (before they call the police), and second you should not go publishing that information if they choose to not fix it.
They're very effective. To paraphrase Futurama:
Documentary Narrator: Fortunately, our most expensive lawyers sued the security researchers and shut them up. Of course, the security holes are still there, we just sue anyone who talks about them. Thus solving the problem once and for all.
Suzie: But...
Documentary Narrator: Once and for all!
Sadly, too many companies don't see this as a joke, but as a valid security vulnerability response strategy.
What happens if lock picking the front door in your hypothetical example also has a chance to unlock everybody's front door, or would make it harder to lock all the neighbors' doors? Should the homeowner in such a scenario be allowed to make decisions for the rest of the neighborhood?
The flaw in your examples and analysis is that you view each individual networked system in isolation. This is not how the Internet works. Every compromised system makes it less safe for the rest of us.
Fix it or take it offline.
And by companies, you mean the US gov't in this case.
There are two types of people in the world: Those who crave closure
If you want to research how a deadbolt fails, buy one, test it and send the results to the manufacturer. If you break into the manufacturer's warehouse to test the deadbolts, or into someone's house, you are going to jail.
Yes, either you are invited as a consultant or you do your research in a controlled environment, but not on someone else's equipment without permission.
Black hats are always ahead already.
Everyone else is just trying to keep up, or at least not drown.
If you set up your door to be potentially unlocked by mine, that's your problem. And it is definitely not the problem of some stranger. If I set up my door to unlock yours without asking, you should sue me. If I did it with your permission, you're foolish if you didn't require that you would be allowed to audit me regularly and cancel the agreement whenever. Now get off my lawn.
Consider that lovely phrase cost/benefit. We're talking *perceived* cost/*perceived* benefit.
As far as TEPCO executives were concerned, the cost of protecting Fukushima Daiichi was enormous, while they could pooh-pooh the possibility of an earthquake which might need such protection.
Such costs can be reasonably estimated, so perceived cost closely equals actual cost. However, earthquake probabilities are much easier to dismiss, so it is easy to have perceived benefit MUCH lower than actual benefit when the earthquake shows up.
Security costs have much the same problem. You can't say for certain that someone WILL find a way in if there is one, so...
"Son, the guards we hire for our caravans look like a loss on the books. But the books don't show the losses we'll take if we're hit by bandits."
"...embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."
It's OK, it's for the children!.
Finding and reporting a vulnerability is one thing; making working programs to exploit the vulnerability available to the mass public is the main problem. They don't belong in the public domain. If a hairdresser needs to get a license to cut hair, why in hell do we not demand security researchers be licensed as well?? The answer: they should be required to get one, and the making of tools to exploit vulnerabilities should only be available to licensed researchers. Stop handing over tools to the criminals and stupid teens. That is IMO.
Jack of all trades,master of none
Of course security researchers are being targeted by US cybercrime laws.
Who do you think they were designed to stop? Security researchers, whistleblowers and anyone who wants to see the nation's security apparatus held accountable were always the intended targets of these laws. And anyone who believes the Internet should be free and research that impacts the public welfare should be readily available to all.
You didn't think these laws were about Estonian hackers, did you?
You are welcome on my lawn.
Incorrect analogy.
More like only one of these locks was ever produced. You're not invited to test it or make suggestions about it or even see it but it's used to lock up a warehouse that contains copies of your financial records and naked pictures of your mom. The lock happens to be a broken off twig shoved through a shackle.
I work for a company that does a lot of forensics work, including collections activities and incident response. The company has to be licensed as a "private investigator" in all of the states that our employees do collections in.
It seems like a similar licensing regime would be a good place to start for computer security researchers.
It might also be worth considering making the researchers or their employer carry a bond as collateral against any potential damage that they might inadvertently cause.
It has been my experience that when people and organizations have something to lose (like forfeiture of a bond or loss of a license / ability to do business), they tend to act in a more predictable manner, and within well established guidelines.
There might also be some lessons to be learned from maritime law. In a way, researchers are sort of like privateers on the digital oceans. (So yes, once again, pirates ARE better than ninjas. Just in case there was ever any doubt.)
I think it is OK if someone drives down the street and identifies houses that leave the front door open and report on what they see.
That is, so long as they do not go through the door. That would be a crime.
People who leave the door open are enabling and encouraging criminal activity. Oddly enough, I was in a museum just this morning reading some translated Sumerian cuneiform. It was some laws that addressed just this problem. If someone leaves a property unmaintained and it attracts criminals, then that property owner becomes responsible for any thefts occurring next door.
People who have vulnerable systems on the Internet similarly are responsible in some degree to the huge botnets that are often such a plague.
People who identify vulnerable systems are doing us all a favor, and as far as I can tell, they are not committing a crime. The law has a concept called "mens rea", which I do not fully understand, but the concept seems to be that if you do not intend harm and do no harm, then there is no crime.
First, if anyone can get to your "shit-ton of data" you are not doing it right
Then my company is doing it right...Not even the employees can access their own data.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Do you really need to ask? Should I need to be invited to find out if the locks on your front door are sufficiently resistant to being picked? The door is locked. Leave it alone.
Then it becomes a question of practicality. There are people out there who will probe your vulnerabilities (oo-er) for fun and profitssss, and others for the Kudos of finding the vulnerability.
The latter will tell you about it (and possibly attracting the negative attention of the law) and the former will take your database to bed without first buying it dinner, and probably try and make it do the dishes on the way out (if it can still walk).
So, persecute the thrill-seekers and you will fall foul of the pleasure-takers.
Just because something is illegal, doesn't make it wrong and vice versa - there is such a thing as uncommon sense*.
*re-named for the 21st Century
If they "act in a more predictable manner, and within well established guidelines", then how do they find the vulnerabilities? Unpredictable behavior tests the system.
mens rea: "of a/having a guilty mind". It is a sad state of affairs, but mens rea is only required for conviction of some crimes. Much of the criminal code requires no mens rea for being guilty (I heard the percentage of crimes requiring mens rea for guilt was only 40% a few years ago; I've no idea if that's true or even verifiable). This is a real problem, because things like intent don't matter for things like possession of child porn: people are literally serving time for downloading something that was not what it purported to be, immediately deleting it, and in some cases reporting it to the authorities, all because mens rea wasn't required to convict them. It's asinine.
But you're right, intent should matter, and in cases where a judges' hands aren't tied by how the statute is written, will often come into play. Too many "tough on crime" legislators simply don't care though, they're buying votes at the price of gross miscarriages of justice.
AKA Script Kiddy AKA Bubba's Toy (as they deserve).
I'm a student at Naval Postgraduate School, and every single "cyber" security course taught here could be renamed to "How to use Metasploit to [blank]". There are all of a half dozen of the CS students here that came from any kind of background involving coding, making it necessary to dumb things down to "How to be a script kiddie".
So the makers of the primary tool taught to service members from all branches (Air Force, Marines, etc. all attend there), many of whom are absolutely dependent upon it, are also one of our law enforcement agencies' take-down targets (or, to a lesser degree, are being told at least to not do the very thing that makes them useful to so many). Go figure.
Law enforcement doesn't want researchers uncovering their backdoors put into consumer products? Or some sleazy manufacturer with defective crap getting a buddy in the FBI to lean on people who might go public?
Have gnu, will travel.
Let me put it another way. If you tell a homeowner that their front door lock is unusually vulnerable to being picked, first of all they should sock you in the face for trying to pick their lock (before they call the police), and second you should not go publishing that information if they choose to not fix it.
Who says you actually tried to pick their lock. There is a decent chance that your house has the same make and model of lock that theirs does, and when you accidentally locked yourself out, you discovered how easy that particular lock was to pick. Wouldn't warning them about the risk be the right thing to do?
This space unintentionally left blank.
Lawyers don't "call" you to make threats. They send cease and desist letters via certified mail. Thus, the entire story is likely bullshit blown out of proportion. This is something that all security researchers are good at. Bullshitting and blowing things out of proportion.
That depends on who it costs if the security is breached. If it is JUST the company that stands to lose, fine. But if their customers also stand to lose (for example, credit card info, medical records, etc), then no. It is no longer the company's risk to take and their customers have every right to know how poorly their data is being guarded.
The latter is more common than the former.
tools to exploit vulnerabilities should only be available to licensed researchers. Stop handing over tools to the criminals and stupid teens. That is IMO.
Fair enough, but it's not particularly achievable is it? How would you go about stopping people getting hold of the software or, heaven forbid, from writing their own?
Once third parties can be damaged, it is no longer the business' call. Sure, it's their right to ignore the risk that their A/C could get shut off, or that their corporate bank account could be hoovered. However, if the hack could flood neighborhoods with sewage, it is no longer their call, it's up to the people who might get flooded.
Let me put it another way. If you tell a homeowner that their front door lock is unusually vulnerable to being picked, first of all they should sock you in the face for trying to pick their lock (before they call the police), and second you should not go publishing that information if they choose to not fix it.
How about if I owned the lock and found it was easy as pie to pick, then went to your place and said "oh hey, this is easy to pick, see", pulled my front door out of my pocket and demonstrated to you how easy it was to pick.
Would you still punch me in the face and call the police on me?
And how about I then tell the lock maker, give them six months to fix their locks so people have an alternative to upgrade to, and then publish the paper I was writing for university (I was doing a thesis on how shitty the locks on everyday homes are), which, while highlighting the problem, doesn't give exact details on how to take advantage of said shitty lock. Would it be fair for the lock company to sue the pants off me instead of fixing the locks to make everyone safer?
Simple: Classify GCC as a WMD.
Bark less. Wag more.
Here's the failure with this stupid analogy. The lock on the door isn't guarding your stuff in your house. It's guarding my stuff in your house and you're failing to properly secure my stuff in your house, and everyone who has stuff in your house. That's a public issue, not a private one. You've been careless, and you can either fix it, or you should be forced to compensate EVERYONE for your failure to perform adequate security.
First, if anyone can get to your "shit-ton of data" you are not doing it right
Then my company is doing it right...Not even the employees can access their own data.
Heh. That doesn't even mean you're safe. I recall a project back in the late 1980s, when I was part of a team hired by a big company (who shall remain unnamed so you'll suspect it was your company ;-). We'd had a few discussions with "top management" who'd hired us, about their problems with the DP department. Their computer folks effectively owned the data, and all access was mediated by the DP department. There was a lot of information that was there, but management couldn't get at it, because the DP folks feigned an inability to provide it.
One evening, a bunch of us decided to stay around after hours. We went to work on their big (IBM of course) mainframe, and in the morning, we demoed to management that we could read any file on their machine. Our demo included a few reports we'd printed out that got wide-eyed reactions. We'd given them access to all of their own data, and they were very happy with us. We stuck around and provided them with a lot more reports ("over the dead bodies" of some of the DP department ;-).
Some time later, we discussed in private the question of what we should tell the IBM folks about what we'd done. Our decision was essentially "Nah; they'll just block our current clients' access to their own data and give control back to the DP priesthood. And we have other customers who'll pay us to similarly break into their own data."
The fact that your own employees can't access their own data doesn't necessarily mean it's safe from outsiders.
(We never did discuss with them the implication that other outsiders might as easily access their data, if they happened to know the things we did. In the late 1980s, managers at corporate computer installations generally had no concept of a "network" other than as a way to connect remote terminals to the mainframe. There's no way we could have got them to understand the wider implications of the security holes we knew about and exploited for their benefit. It's not obvious that most of today's "management" class has such understanding, either. The current story pretty much demos the extent that understanding. ;-)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
see title
This is actually a kinder analysis than accusing them of intractable stupidity.
When you get an email saying you have an exploitable bug in your web site, it becomes extremely difficult to tell if that is someone genuinely caring about your wide in a free and altruistic manner versus someone shaking you down for money or trying to drum up business. If it's a "security researcher" then presentation of credentials will help (i.e., name the university being worked at plus peer reviewed papers, not the name of a consulting company).
National ScrewYou Agency would be better because the acronym would remain the same.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I don't claim to have all the answers, but common sense says what is happening right now is because of bad researchers. Those who give no notice, like the Google employee. If a hairdresser can have the industry licensed, I don't see why researchers can't be also. And companies like Target who don't follow the standard rules must be held accountable as well; I don't think placing all the blame on the researchers is fair at all either. The whole world shouldn't be held hostage by a single unaccountable person as it is now.
They are finding features.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Were I to accept that argument, I would be accepting it as a valid argument for assassinating business owners whenever a life threatening problem was discovered. Is that the argument that you want to be making?
I think we've pushed this "anyone can grow up to be president" thing too far.
You can't fix stupid. So stop, let the hackers win, and let the corporations pay for the legal defense from pissed off users.
Only loss of money will ever do. Put your time into a security type hardware device.
Mens rea really is a constitutional prerequisite for any serious crime. But our modern courts have become too deferential to the legislature. In the case of child porn, courts wrongly admit as evidence of mens rea the simple fact that it existed on your computer, and allow the jury to fill in the blanks with a wink and a nod.
100 years ago people routinely were acquitted of murder--committed in front of dozens of eye witnesses--because courts and juries were much more concerned with your moral guilt--which is what mens rea gets at.
I would say that unreasonable restrictions on employee access make data less safe. Many people WILL get access to whatever they need to do their job effectively. There is always a way, whether it's a technical bypass or having friends in the right department. Where I work, three of us are good friends. There are almost nothing that isn't accessible to one of us. If I needed access to something to get done what needs to be done, I'd get access. The only question is whether or not I'd be allowed to tell the security team that I was accessing the data.
Suppose an organization decides that they've had enough of trojans, so they decree that everyone gets the approved desktop image and no one may install the software they need to do their job effectively and efficiently. To enforce this, employees get only a very limited account on the machine, similar to the default Guest account in Windows.
The result? The IT department no longer knows what software is being used since employees have to keep it secret (or be unable to do their job effectively). They don't know how the software got there. Maybe a lot of people are doing their work on personally-owned laptops, so company data is now handled on the same system their kids use to play online games.
The trend is stupid people running the show, bringing the hammer down on smart people. My wife had to go through security training recently, and was graded on answers that identified people as likely spies in an organization. Top of the list are "people who travel abroad and criticize the US government," which is exactly not what a spy would do, but who am I telling this, right? So, I'm beginning to think that the US is fast becoming what we always thought the Soviet Union to be, some sort of ultra-paranoid and self-consuming organism (rather than the reality: an economic system that ran itself into the ground because it eliminated the incentive to work).
In the end I am far more terrified of where our government is pushing us, than I am of those violent idiots with a misguided penchant for blowing stuff up. It makes me sad, but of course, we have always been at war with the terrorists. Haven't we?
Wait a sec, someone at the door . . .
Why does Slashdot INSIST that I should read this thread using the *crap* beta version?
Read my lips: I DON'T WANT TO USE THE BETA VERSION. THAT'S WHY I ENTER SLASHDOT WITH THE NOBETA TAG IN THE URL. Was that clear?
Your beta version is *really really bad*.
Bye. me --> Hacker News.
"Is Your Antivirus Tracking You? You'd Be Surprised At What It Sends"
by Chris Hoffman, 28th May, 2014, MakeUseOf.com
############
PLEASE READ THE PDF. THE QUOTE FROM THIS ARTICLE DRAWS REFERENCE TO WEB URLs BUT IN ORDER TO PROPERLY COMPREHEND THE MAGNITUDE OF DATA COLLECTION, YOU NEED TO READ THE PDF. PREPARE TO BE FLOORED.
DOWNLOAD THE PDF. STORE IT. CONVERT IT TO OTHER FORMATS. SHARE IT. MAKE SURE IT IS ALWAYS AVAILABLE SOMEWHERE ON-LINE OTHER THAN THE SOURCE BELOW. DON'T BLINDLY TRUST ARCHIVE.ORG TO KEEP IT FOR YOU.
EVERYONE NEEDS TO READ THIS PDF BEFORE CONTINUING TO USE ANTI-VIRUS PROGRAMS.
############
"Your antivirus software is watching you. A recent study shows that popular antivirus applications like Avast assign your computer a unique identifier and send a list of all web addresses you visit to the manufacturer. If the antivirus finds a suspicious document, it will send the document to the antivirus company. Yes, your antivirus company might have a list of web pages you've visited along with your sensitive personal documents!
AV-Comparatives' Data Transmission Report
We're getting this information from AV-Comparative's Data transmission in Internet security products report, released on May 8, 2014. AV-Comparatives is an antivirus testing and comparison organization.
The study was performed by analyzing antivirus products running in a virtual machine to see what they sent to the antivirus company, reading each antivirus product's end user license agreement (EULA), and sending a detailed questionnaire to each antivirus company so they could explain what their products do...."
############
Rest of article and comments here:
http://www.makeuseof.com/tag/a...
http://www.av-comparatives.org...
http://view.samurajdata.se/
If you make sure that the public costs of a breach (say, a messed-up water treatment system) are applied to the company, and through them, to the owners - then yes, the market should fix it.
To make this happen, we'd need to have hefty government fines applied to the responsible party, as well as eliminating the legal rights of limited-liability companies and bankruptcy.
Suppose an organization decides that they've had enough of trojans, so they decree that everyone gets the approved desktop image and no one may install the software they need to do their job effectively and efficiently. To enforce this, employees get only a very limited account on the machine, similar to the default Guest account in Windows.
The result? The IT department no longer knows what software is being used since employees have to keep it secret (or be unable to do their job effectively). They don't know how the software got there. Maybe a lot of people are doing their work on personally-owned laptops or tablets, so company data is now handled on the same system their kids use to play online games.
BINGO!
That is exactly what they do. I stopped carrying a laptop a couple of years ago and just set up a VM I use to VPN in to the office from my home PC.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K