> A better analogy would be when people start talking about kitchen knife control or baseball bat control. Do you see that happening
> Knives and bats are inanimate objects. They are controlled by people who make choices with their minds...
Actually, here in the UK carrying a kitchen knife in public certainly IS illegal in certain circumstances. It's 'possession of an offensive weapon' (class 1 or class 2 OW) with variants to do with 'intention to cause grievous bodily harm' or suchlike. The difference between the classes is that class 1 are *designed* to be weapons; class 2 are improvised weapons. Clearly a kitchen knife is not designed to be a weapon, but if you're caught trying to smuggle one into a football ground or onto a plane clearly you're not planning to carve the Sunday roast with it. The same logic of 'improvised weapons' makes everyday objects like milk bottles, bricks, 2x4s with added rusty nails offensive weapons in certain circs and you can get pretty severe penalties for carrying one in those circs.
Well, up to a point, Lord Copper. The "Real IRA" were responsible for the worst single atrocity in the entire history of the recent troubles, the 29 civilians who were blown to bits when they were evacuated into the street where the car bomb was.
That said, I think the odds are in favour of "Al-Qaeda" affiliated groups. As others have pointed out there is no monolithic AQ organisation; any random wannabe-martyr can blow people up and claim it for A.Q.
I was supposed to be coming into London tonight & staying with friends who live very close to King's Cross station (visible in the footage currently playing on Sky, in fact.) Now I don't want to get in the way or cause any more traffic problems. But on the other hand, I'm loath to let these bastards affect my life.
Finally - if it IS AQ, and/or linked to Iraq (a reasonable assumption) - I think it's clear that whilst the terrorists are responsible for killing & maiming people, Blair, Straw, Hoon and the rest of that pack of lickspittles that voted for the war have, in the hackneyed phrase, blood on their hands. They were the ones who gave the bombers the incentive to blow up _us_ in particular.
Where the hell was Slashdot for the last 6-8 hours? It was answering pings for a while but not accessible on tcp/80. Traceroutes from here and other places (see traceroute.org - U Oregon is a good site) were dying at the last hop with !H (i.e. host not accessible). Interestingly traceroutes from within Savvis (Slashdot's upstream provider) were fine, even from Amsterdam. Any chance of a post-mortem? Major BGP brainfart perhaps? Enquiring minds want to know...
Little did I know of the history, for I was born in 1968 and at the time was a child.
I'm no biologist, but believe that this is frequently the case.
To me, he was everything, and so was my country.
An admirably holistic approach to life... if enough things impressed you enough to become everything to you, pretty soon *everything* will be everything for you. I recommend reading something about Buddhism. Seriously.
We were just discussing this at work yesterday. (I work at a large well known mail filtering company.) One of the sales types wandered over to the Security Dept and asked us if we happened to have any CISSP books or recommendations for courses, material etc. (He was a network admin in previous lives so it's not quite so hatstand as it might sound.) Cue an interesting discussion where the consensus amongst my boss (who has no certs), myself (ditto) and a colleague who has CISSP and a UK-specific IT security cert boiled down to: vendor-specific certs are largely devalued; though they can be a good way to learn stuff, the CV-enhancing benefits are marginal at best these days. Apart from CISSP and the Cisco CCIE (a seriously hardcore cert - there are only a few thousand holders in the world), and perhaps SANS GIAC (another sec cert), the MCSE-mill places and the dotcom-era experience of paper admins with no clue have completely devalued most of the vendor-specific certs. Certainly, when we're hiring, a candidate who brandishes a string of letters as some sort of passport to clue gets treated with more scepticism, not less, during interviews.
That's what the Internet is like. You really have to lock up your system like Fort Knox to keep yourself safe.
That's odd, I'm sitting here on an unfiltered DSL line, with no firewall and no antivirus software. And I'm offering public services (well, granted ssh is password protected, but I spikka da HTTP to all comers.) My Linux box seems pretty happy to me... and I'm saving a lot of cycles over when it was running Windows on the aforementioned fw, a/v etc. :)
I hear this sort of guff all the time, and whilst it IS technically correct in that it's attackers who are attacking systems (and that without attacks, no effort would be expended on defending against them), this is as pointless as blaming the rain for being wet or the wind for being cold. Attacks will always be with us; you can think of them as a force of nature. And it is a fact that security provides an excellent backdoor to improving code quality. Microsoft is a good example; I bet their code is less prone to random crashes after their security-driven drive to comb through the codebase looking for common buffer overflows, stack smashes, format strings or whatever. Some small percentage of those could be used as security exploits, but the majority will just cause crashes or incorrect functionality.
Now that I come to think about it, the human drives that motivate people to attack others - aggression, envy, desire, jealousy, resentment, greed or whatever - are the same human behaviours that we've always displayed throughout recorded history. They didn't stop us moving from Ur to megalopolis, hunter-gatherer to modern societies and so on, and they're not going to stop computers having an overall beneficial effect. Speaking personally, I'd be out of a job if no-one was a threat to my employer, so to be honest it doesn't bother me. It's a callous thing to say but every time there's a big hack that makes it to the news, I mail my boss with the URL and we look forward to having more ammo for demanding more resources and greater input into development and ops practices, for instance. (The 40 million Mastercards hack was a great example: it'll probably turn out to be "only" a few tens of thousands of cards, but it's the 40 million figure that the non-technical management will remember - and that will concentrate their minds on the importance of security.) (I don't mean _my_ management of course - they take infosec _very_ seriously, which is why they hired me :)
So you're suggesting you can have a recession *AND* have economic confidence at the same time? If that's so, why aren't people investing during a recession?
I'm talking about a much more profound loss of confidence in the economic systems than the temporary belief that one's better off sticking money on deposit or into bonds than into equities for a few years (i.e. a recession). If people weren't investing during a recession there would be no employment and hence no economy. (If I pay you to sweep the streets, that's an investment.)
I don't especially want to get into a flamewar at this point, especially as no-one's reading the thread now :))...
All I can say is that this thing IS a big deal, no really it is. Your talk about "webmaster forums" doesn't cut much ice; we process about 1x10^9 mails per week, which gives us a pretty good insight into the state of mail-borne malware.
Ah, right, of course... TBH I hadn't factored in the 'restore all the apps' part. And I hadn't realised you were doing this professionally... (Guess I'm spoiled by corporate environments where you have an apps CD (or ghost image or whathaveyou) and anything else they want to install is going to cost 'em all the paperwork and hassle of getting it approved... this does tend to make 'em more careful about online betting sites and whatnot ;)
Surely critical infrastructure is stuff that's critical! i.e. indispensable.
So intangible things, economic confidence etc. aren't critical because you can live without them. (and given the state of the US$ you ARE living without economic confidence right now!).
The threat to economic confidence is a lot more significant than "a recession". Personally I've lived through 3 recessions in the UK in my lifetime, none were much fun and all of them killed people. Even if we were talking about the ability to trip the world economy into, say, a severe early 80s style world recession, there are plenty of people who would suffer. There are also plenty of people around now who would benefit from it, or might just expect that they'd benefit from it, whether they were right or not, and who'd do that if they thought they could.
Finally even if that weren't the aim, and it's straightforward industrial espionage or blackmail, or even something boringly James Bond like the crack North Korean nuclear-powered hacking masses, it's still an attack against critical infrastructure; it's targeted, and that's new (a) on this scale, (b) with this degree of sophistication, (c) on organisations more extensive than imabigcorp.co.uk.
See, in the banking industry we run these "penetration scans" all the time, that are TOTALLY WORTHLESS. I cannot emphasize this enough: running the weakest setup possible will pass their "tests" with flying colours. The people doing these tests (some certified security specialists!) think that firewalls are magical devices that know how to stop the pesky hackers. Bottom line is that people are involved, they are out of their element, and simply placeholders. Management in general needs to get out of this "placeholder" mentality when it comes to jobs, and just fire people that are not doing their jobs.
Nice rant:) but... the problem is that there just aren't enough people with security clue to go around. Fire the people who think firewalls are magic boxes that keep the hackers out, and you'll end up with people who think Zone Alarm on a dual-NIC XP machine is a firewall...
The copy of the NISCC report I have says on P3 (para 5):
Trojan capabilities suggest that the covert gathering and transmission of otherwise privileged information is a principal goal. The attacks normally focus on individuals who have jobs working with commercially or economically sensitive data.
It's clear that 'critical infrastructure' in this context doesn't just mean nuclear power stations or the electricity grid any more. Of course such SCADA systems, and the NSA systems and the classified military stuff, as you say, don't touch the public network. Intangible things such as 'economic confidence', 'corporate reputation', 'social stability' - these are infrastructure of a sort. Put it this way: if you're Dr Evil and you want to blackmail the UK for ONE!!! MILLLLIOOONNN!!! SCRATCHCARDSS!!!! or whatever, imagine some sort of public demonstration that you control the networks of (say) every company in the FTSE whose name starts with an 'A'. Now knock the first 10 orgs on the list off the network. (Once you're loose on an internal corporate network, it's not really rocket science to grab passwords & access to everything not air-gapped, if you know what you're doing. Here I speak as a former pen-tester. If you've ever seen a real pentester mincing a typical corp network you'll know what I mean.)
(tangent: when I was pentesting for a living I was never allowed to change scope to include the sort of things that I thought were the real threats facing any org big enough to be worth extorting money from: namely, social engineering, physical security and custom-made IE exploit code. You'd inject URLs into the target org - crudely, by spamming everyone, or if you were feeling subtle enough (the rewards were enough to pay for it) by planting fake stories in the trade press, or punting out stories about close competitors - anything likely to attract some traffic from the target org, basically - exploit their IE, inject a reverse shell, and away you go. I pitched this to clients as well as management & sales droids, & clients never went for it. Probably this is because CTOs, CISOs, ITDs and suchlike are not paid to make the company secure, but to protect their own particular domain - usually, their IP networks.)
Anyway. The difference is that for the last few years the majority of in-the-wild viruses and trojans boiled down to botnets, DOS, IRC and spam. These attacks spread widely & relied on the law of averages to net enough of the least-secure of the online population to make it worthwhile. The business model, and hence attack strategy, adopted by the present attackers is significantly different, and AFAIK this is the first time such sustained interest in 'critical [national] infrastructure', of *any* country, has been public and confirmed.
Anyway - after all that rambling - if you're in the UK and you reckon you see this stuff perhaps you should get in touch with the NISCC.
Very definitely speaking for myself only, BTW, whoever pays me at the moment;)
Hehe. This guy is obviously a great coder. Too bad he's such a total dickhead.
Just as well that I run his code, not his personality. As the personality doesn't seem to affect the code - or if it does, the quality is inversely proportional to what you call 'dickheadedness' - why should I care? My firewall and fileservers keep ticking away on OpenBSD...
If you'd been targeted by these attacks, you wouldn't know about it because your anti-virus software would not detect it. You seem to have read the fsckin article but not understood a word of it. Go back and read it again.
This is not about the stuff your spam filters or anti-virus software detect. Read the NISCC advisory. Long doc short: they're hand-optimised apps, each used for a specific, targeted organisation. Signature-based virus scanners won't detect these (which is why Dr Evil is producing them and only using them for a small number of targets before moving on to the next one.)
Disclaimer: I work for Messagelabs (hint: we have our own in-house scanning technologies that work differently to typical a/v, and... well, go read the Register story as well for the ML connection.)
Commercial organisations have plenty of small-s secret data that others would be interested to see. Same goes for government. (Consider a typical leak of info on, say, transport dept plans for road charging (random example) to the press.)
Disclaimer: I work for Messagelabs; read the Register story to see the connection.
Longer answer: anyone who's actually thought about the physics involved and still thinks it's worth wasting cycles on, needs to try a different medication.
> BitTorrent already hashes the download with SHA1, so unless the Spyware industry has come up with some practical way to generate collisions it's not the pieces that are corrupt. It's the whole torrent.
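The per-piece SHA1 check the quoted comment refers to, written out as an added example (not code from any post here, nor from any BitTorrent client): it rebuilds what a .torrent file's 'pieces' field holds for a constructed sample file, verifies a download against it, and shows the two outcomes the quote contrasts: a corrupted piece is caught and named by index, while a decoy file seeded under its own torrent passes its own hashes cleanly. The 16-byte piece length and the sample payloads are assumptions chosen for readability.

```python
import hashlib

# Constructed for this example: real torrents use piece lengths of 256 KiB and up.
PIECE_LENGTH = 16


def sha1_pieces(data: bytes, piece_length: int) -> bytes:
    """Build what a .torrent file's 'pieces' field holds: the 20-byte SHA1
    digest of every piece, concatenated in order."""
    return b"".join(
        hashlib.sha1(data[i:i + piece_length]).digest()
        for i in range(0, len(data), piece_length)
    )


def verify_pieces(data: bytes, pieces: bytes, piece_length: int) -> list:
    """Check a downloaded file against the torrent's 'pieces' field and return
    the indices of pieces whose SHA1 does not match (empty list = all good)."""
    if len(pieces) % 20 != 0:
        raise ValueError("pieces field must be a whole number of 20-byte SHA1 digests")
    expected = [pieces[i:i + 20] for i in range(0, len(pieces), 20)]
    n_pieces = -(-len(data) // piece_length)  # ceiling division
    if n_pieces != len(expected):
        raise ValueError(f"download has {n_pieces} pieces but torrent lists {len(expected)}")
    bad = []
    for idx, want in enumerate(expected):
        chunk = data[idx * piece_length:(idx + 1) * piece_length]
        if hashlib.sha1(chunk).digest() != want:
            bad.append(idx)
    return bad


# Constructed sample: the file the publisher seeded, and the metadata derived from it.
ORIGINAL = b"The quick brown fox jumps over the lazy dog, many times over."
PIECES = sha1_pieces(ORIGINAL, PIECE_LENGTH)


def demo():
    """Three downloads run through the same verification logic."""
    # 1. A faithful download: every piece hashes to the value in the torrent.
    clean = verify_pieces(ORIGINAL, PIECES, PIECE_LENGTH)

    # 2. One byte flipped in transit: the check names the damaged piece (index 1),
    #    which is what lets a client re-fetch only that piece rather than the file.
    tampered = bytearray(ORIGINAL)
    tampered[20] ^= 0xFF
    corrupt = verify_pieces(bytes(tampered), PIECES, PIECE_LENGTH)

    # 3. A decoy file seeded under its *own* torrent passes its own hashes.
    #    Piece hashing proves the download matches the torrent you picked, not
    #    that the torrent is what its name claims: "it's the whole torrent".
    decoy = b"an entirely different payload that somebody seeded under a plausible name"
    decoy_ok = verify_pieces(decoy, sha1_pieces(decoy, PIECE_LENGTH), PIECE_LENGTH)

    return clean, corrupt, decoy_ok


if __name__ == "__main__":
    print(demo())  # ([], [1], [])
```

The practical consequence for a defender is that piece hashes are an integrity check, not an authenticity check: they tie the bytes to the metadata file, so trust has to be placed in where the .torrent itself came from.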
Not to say it's impossible, the HTTP request smuggling attack vector is real enough - the paper is interesting reading, see http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
_Exactly_.
IMHO of course.
Yeah yeah, Off Topic, I know, mod me down *sigh*
Actually sir... that's not... entirely... true.
pf rules, iptables is teh suxx0r. Let the flamefest begin! :)
200 hours is exactly the figure promised by my bog-standard Sony Ericsson cameraphone. So what's the big deal here exactly?
I don't wish to sound like a backseat admin, but why on earth didn't you just nuke the box & reinstall? Was your client paying you by the hour? ;)
Posting on behalf of myself only, of course.
I'm glad you asked me that, Brian.
That's the very one. Thanks!