Really, is it that hard to build some basic security into one's site? I mean like storing the passwords as a hash, instead of plaintext? It is just a few bits of code... so simple... but yet again a web site failing on such a basic matter. No wonder they got hacked to boot, and now have all their members' e-mails and passwords out on the street.
I would expect a porn site to care a bit more about their users' privacy, considering the business they're in. Though considering how much some of their users care (using a .mil or .gov address to sign up) maybe indeed it's just as well that they didn't care too much. Oh well, let's hope it's a lesson learnt for porn site subscribers, even though considering they are paying for on-line porn they're not the smartest cookies of the pack.
The people who have been doing the real hacks for anonymous like the HBGary hack are probably much less likely to be caught.
Indeed. Those are people who actually know what they are doing. And if it's indeed users of some simple DDoS tool, then that also explains the fairly high number of people rounded up.
If you know what's in the documents, then life gets easy of course. The trouble is that usually you do not know what's in the documents without reading them. And if there's nothing new, that's a pity. But anyway the fact that one could say "there is nothing but local newspaper clips and gossip" in a set of documents indicates that they actually went through them all.
And for sure with the WikiLeaks documents there's a lot of noise in it. The same will be with the Palin e-mail trove. And finding the interesting bits out of that enormous noise that's what journalists are for, and what those interesting bits are no journalist will know beforehand - which is exactly why they are interesting.
I don't think it would take away from your Internet bandwidth - when you're not watching it, there is no data to be streamed. And when you're watching you're normally away from home so no problem there.
Anyway, while I basically like the idea to keep an eye on your property from afar, the one thing I'd be most worried about is the security of the system itself. How to make sure that only authorised people can access the cameras, and no-one else, not even Comcast staff?
Having this over a centralised system makes it a nice target for criminals: one hack, and you're looking at thousands of homes. And it appears to be a centralised system as they're talking about watching it from a certain web site. I really wonder how they're going to do authentication (two-factor or just a password?), and how they can prevent any unauthorised persons from accessing the video and other information about a home.
The article starts with pointing out this business owner has no computer.
A bit further down it seems this same business owner is running a blog, advertising on facebook, and using twitter to promote the business. Also it appears she has been communicating with the Groupon sales by e-mail.
This just doesn't add up.
The point that she bought something without really understanding what she bought, I won't contest. That's the core of the problem here for this business owner.
And when supplied in electronic form you can easily see it's edited? I've always been taught that electronic means it can be altered easily. Usually without a trace.
The fun starts when a recipient of one of those e-mails comes forward and says "hey but this is not what she wrote to me!"
This printing out is just asshattery, that's all. Just to make it harder for journalists. Not by much... just hand it to Google to have it scanned and OCRed, they've got heaps of experience with books.
Until not so long ago, Microsoft was a pretty safe bet. They put a technology on the market, and for better or for worse it will be used so it makes total sense to invest in such technology. On top of that almost all businesses use Microsoft products so if you want to sell to businesses you'd better use Microsoft's technology.
So this shop investing heavily in Silverlight is not that crazy. MS promising it to be present in Windows pre-installed means that soon enough "everyone" has it installed, and you would have even less to worry about plug-ins than with Flash.
It is also not really like MS to kill off products that barely have the chance of maturing, certainly not when they put so much effort in it themselves.
Well it goes on to show how much Microsoft is just a shadow of its former self. They live on existing momentum, and have so much of it that they can survive for a very very long time. Lots of cash in the bank, still dominating the desktop computing platforms, they're not going anywhere soon. But they're also not a company that has any leadership left in the market, and currently are best not counted on for anything new. They don't have the future anymore.
The lack of information sharing may very well have been a factor - though there surely at the time were plenty of ways for such agencies to share information. Why they didn't, or didn't do so successfully, that's a whole different matter. When you have the solution to the puzzle it's always much easier to put the pieces together. When you don't have that solution - some pieces may appear to be unrelated, while they belong to the same puzzle. On top of that, effective information sharing between thousands of people doing different things is not easy. How do you know what is interesting to share? And who to share it with? This meta-information is a serious problem. Especially when you do not know what you're actually looking for.
Secondly, - slipping into conspiracy theory mode - how do we know that the public report of the commission is really the complete report? Were there parts kept under wraps, that could have embarrassed certain people in powerful positions? That there was more to blame for the attacks?
Like another poster said already, the continuous meddling of the US in the Middle East may be a major factor. Of course the question has to be asked: why would someone plan such an act in the first place? Why were they so unhappy with the US that they went to such great lengths? That someone could find and organise twenty people who were willing to kill themselves - not on the spur of the moment but with possibly years of preparation?
There is so much more wrong than just "lack of sharing of information", which allowed Al Qaeda to succeed in their plans. The mere existence of Al Qaeda and related groups. The success that group had in recruiting people for their cause. The success they had in raising sufficient money for it. The unfettered determination of their followers, who for years managed to not leak enough information to have them busted.
These deeper questions, that's what we need answers for most badly. Of course it's great to know how a single incident took place, but that's not enough. We have to know how to prevent it from ever happening again - preferably not how to catch would-be terrorists, but preventing them from becoming would-be terrorists to begin with. As has been stated here many times before: when someone with a bomb built into his underwear or in his shoes arrives at the airport intending to board a plane with the purpose of setting off that bomb in the air, then something is terribly wrong already. Even if he's caught by airport security during their routine screening.
So, there's your answer. We care more about our online security for video games than we do about the security of our banks.
I think you misstate that a bit. It's probably the games COMPANIES that care more about keeping their accounts secure than banks do - most of their customers don't really understand/know about/care much about online security. This may or may not have to do with liability (I suspect it does), where the game company stands to lose more than a bank in case of compromised accounts. Financially or in terms of goodwill or whatever.
Their customers don't know much about on-line security. They shouldn't need to: let the experts figure it out, it's not easy or simple. When I started my e-banking I considered entering all those extra numbers a hassle, only many years later I understood the real reason behind it, and how it helped to keep my accounts safe. And also only by that time I realised how advanced my bank actually was with implementing those security measures.
That should be quite simple to fix with a procmail recipe, that's what I would do at least. Have it grep the body of the mail for pat.smith@example.com (very often the original To: address is present in the reply), and if matched have formail create an automated reply to the sender, and send that out.
What to do with the original mail is up to GP. They can just let it continue to their inbox, put it in a separate folder (that's what I'd do at least in the beginning - to make sure it works fine), drop it in the spam folder, or no local delivery - effectively deleting the original - which is what I would do after making sure it all works as planned.
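The recipe described above, written out as an added example (not from the original comment). It assumes the misdirected address is pat.smith@example.com as in the comment, that the automated reply goes out from a hypothetical pat-smith-autoreply@example.com, and that procmail's default $SENDMAIL is available on the system:

```procmail
# ~/.procmailrc fragment: auto-reply to mail whose body quotes the misdirected
# address, then file the original away. Added example, not from the original
# comment. Assumed: the address being replied to is pat.smith@example.com and
# the reply is sent from pat-smith-autoreply@example.com (hypothetical).
SHELL=/bin/sh
MAILDIR=$HOME/Mail
DEFAULT=$MAILDIR/inbox
LOGFILE=$MAILDIR/procmail.log

# Match only when the body (B ??) contains the misdirected address, and never
# answer daemons, mailing lists or other auto-replies, so no mail loop starts.
:0
* B ?? pat\.smith@example\.com
* ! ^FROM_DAEMON
* ! ^X-Loop: pat-smith-autoreply@example\.com
* ! ^Precedence:.*(bulk|list|junk)
* ! ^Auto-Submitted: auto-
{
  # 'h' feeds only the header to the pipe, 'c' keeps a copy so the original is
  # still there for the filing recipe below. formail -r builds a reply header
  # addressed to the original sender; -I/-A mark the reply as automatic and add
  # the X-Loop header that the condition above checks for.
  :0 hc
  | ( formail -r -I"From: pat-smith-autoreply@example.com" \
        -I"Precedence: junk" -I"Auto-Submitted: auto-replied" \
        -A"X-Loop: pat-smith-autoreply@example.com" ; \
      echo "You replied to pat.smith@example.com, but I am not the Pat Smith"; \
      echo "you meant to reach. Please check the address and resend your mail." \
    ) | $SENDMAIL -oi -t

  # What to do with the original: file it in a separate folder (locked delivery,
  # ':0:') while checking that the recipe works. To drop it instead, replace
  # 'misdirected' with /dev/null; to send it to the spam folder, use 'spam'.
  :0:
  misdirected
}
```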
It seems Europe in general is way ahead of the US when it comes to security in on-line banking.
My on-line banking (with a Dutch bank) goes back some 18 years now. The first system I used required dial-in to a dedicated telephone number using a 2400 baud modem (I didn't have Internet options yet - not even dial-up - and 2400 baud was not the fastest available but at the time quite normal), logging in with user name and password to a telnet-like system, and to authenticate each transaction I had to enter a number from a list that was written on a separately mailed paper. So two-factor already, while the whole environment was a lot safer by then.
A few years later they created an off-line application, where you could enter all your transactions. Saved a lot on telephone costs. That dedicated number was long-distance of course.
Another few years later, and an Internet option appeared. Not long after I got a dial-up connection. Same two-factor security.
Other banks started using a separate calculator to create the one-off numbers. This was a physically separate device, not on the computer itself.
And all of the above was over ten years ago already. The system has remained basically the same (I'm still using that paper list - for living overseas and not having a Dutch mobile number), now using a calculator or having the one-time code sent to your mobile phone. Still: two-factor, physically separate.
Bank fraud, also e-banking fraud, is unfortunately still not unheard of in Europe. A lot is related to credit card fraud, but also e-banking accounts still end up being hacked. No security is perfect, but the relatively rare occurrence of such incidents indicates it's pretty good.
This patent may be one reason why the unlock screens for Android phones don't allow you to pick an unlock gesture that's one, single slide across the screen.
Now for some reason my Android phone has exactly that gesture for unlocking. OK you first have to activate the screen by pressing one of the buttons (makes sense they do not wake the screen immediately every time it's touched - not sure how this is on iPhones), but after that it's a straight line across the screen.
Oh well, it's again someone who doesn't know what a "design patent" is. As long as it doesn't look exactly like iPhone's slider, you're OK.
Personally I don't have the experience to do such programming, and I guess that accounts for most (almost all) people on /.. I don't even know how to hack my own driver. I can barely understand a simple C program.
Still I think it's a good thing to have the source available. People can often do really cool things with it - lots of creative minds wanting to do crazy things the device maker never thought of, or simply want to scratch an itch, and the greater public (including me) can benefit from that.
What is good (i.e. increases profit) for the producer is not necessarily good for the consumer. And likely, as another poster pointed out, it has also to do with small defects in the chips, just like AMD and Intel are testing processors and then selling them at different clock speeds dependent on what that individual processor can do.
And the question on why we can not see (most) firmware source code will probably have the exact same answer as why we can't see (most) driver source code: patents, copyrights, proprietary algorithms, DRM, whatever.
Yet the biggest risk lies in the devices where firmware can be changed ("flashed"), and where the device and its software must provide certain security against that happening unauthorised. There exist at least proof-of-concept BIOS viruses, maybe also actually malicious BIOS viruses. There is no reason why such viruses could not target other parts of the computer, such as hard drive firmware to hide themselves.
That doesn't mean firmware can not do evil things. Or does not need any quality vetting or so.
The BIOS is a kind of firmware too, and there exist viruses that can exploit certain BIOS firmwares and do all kinds of bad things to your computer. Not sure about this specific piece of hardware but I'm quite sure that the trend is towards more and more reprogrammable firmwares, if only to fix bugs after release.
Anyway I'd say the firmware is about as important as the OS driver. And having the source of the firmware will no doubt provide information to driver developers on how the device really works.
Re:Very unlikely that iTunes was hacked... (on Has iTunes Been Hacked?, Score: 4, Interesting)
This is what bugged me about general security advice: people are recommended not to re-use passwords over a variety of web sites (sensible). However the solutions proposed are to store these passwords in a local "password vault" protected with just a single password, or for all sites to use a centralised log-in system such as Google or OpenID or whatever.
Now if really those web masters all follow suit and all switch to doing their logins using Google: is that any safer than re-using a password? If Google gets hacked, logins to all web sites are suddenly on the streets. Google's security may be better than Sony's, but that's not to say that it can not be breached.
Or if a keylogger finds its way onto your computer, then the complete password vault can be opened in one go.
Re:Reminds Me of Something the Sony CEO Said ... (on Has iTunes Been Hacked?, Score: 4, Interesting)
So you closed the vulnerability and kept the stash?
No-one was talking about viruses here. Of course everyone knows there are no viruses on Apple's platform, it's preposterous to even suggest the idea of viruses on Apple's platform. However Apple's users are certainly prone to social engineering. Or are there products really as great as they say they are?
Do PCI and SAS70 issue certificates that they find your site to be secure? If so that could prove invaluable CYA material in case something does go wrong after all, as you have at least something to prove you tried, and that you were up to "industry standard".
It takes time, but not much. The fakes make it to market in days upon release of a new model. That means they're often available on the streets BEFORE the original is in mass production.
In that case they're lucky that at least some people have been caught. Otherwise you'd get a division by zero error.
I really wonder when the US will catch up.
You may in this case very well be in your right.
It is illegal to send someone goods s/he didn't order, and then after delivery of the parcel and you accepting it to demand payment for it.
Though whether the sender is in the right to demand back their parcel, assuming it's indeed addressed to you at that address, I really don't know.
Until now I had never even heard of that flick...
It's a design patent, so as long as it doesn't look exactly like Apple's design they should be OK.
My phone has Android 2.2, no experience with earlier versions.
Indeed.