Slashdot Mirror

User: Tony+Hoyle

Tony+Hoyle's activity in the archive.

Stories: 0
Comments: 5,728

Comments · 5,728

  1. Re:Hand it back? on Computer With UK Bank Customer Data Sold On eBay · · Score: 1

    If you buy something and it turns out to be stolen as in this case (and he will have damned well known it - a server including hard drives for £35/£55??) then you don't own it and it must be returned to the original owners.

    The same way as if you buy a car for $5 you can't claim it's yours just because you paid for it when it turns out to have been stolen.

  2. Re:Honesty on Computer With UK Bank Customer Data Sold On eBay · · Score: 1

    He bought a working second hand computer for £50. It said on the news that that machine 'went missing' from the datacentre where it was stored... aka. it was nicked (well what did he expect from ebay, I guess).

    So he could be charged with receiving stolen goods, given that the machine (if it was the same one that was pictured on the news - it was a server with internal RAID array) was worth *far* more than £50 and he will have known that.

  3. Re:Gambling problem on Grokking SCO's Demise · · Score: 1

    Most of the unix people seem to be going with Solaris rather than Linux.. Linux is definitely around but doesn't seem to be strong in the commercial companies.

  4. Re:Do the police... on Police Secretly Planting GPS Devices On Cars · · Score: 2, Interesting

    They already can.. they're called mobile phones. Triangulation can get your location down to about 10 feet.

  5. Re:Ummm... How? on Massive VMware Bug Shuts Systems Down · · Score: 0

    It also affects the 'free' ESXi, which has an unlimited license.

    VMWare left some dev code in apparently.. it's not related to the licenses specifically.

  6. Re:Only a small part looked simulated on Olympic Opening Ceremony Fireworks Were (Partly) Faked · · Score: 0
  7. Re:Only a small part looked simulated on Olympic Opening Ceremony Fireworks Were (Partly) Faked · · Score: 0, Troll

    Nope. The BBC broadcast did *not* say that.

    They in fact explicitly say *fireworks* not CGI sequence. Watch it on the iplayer again. Seems like a case of clear deception to me.

  8. Re:Only a small part looked simulated on Olympic Opening Ceremony Fireworks Were (Partly) Faked · · Score: 1

    I didn't watch the ceremony itself, but on the subsequent news reports they repeatedly said that they were fireworks.. never hinting that it was fake.

    Looking at the iplayer sequence it's clear they never mentioned CGI when it was being shown either.

  9. Re:So what? on Olympic Opening Ceremony Fireworks Were (Partly) Faked · · Score: 1

    On the BBC News they showed the footsteps sequence repeatedly and at no point ever mentioned anything but that they were fireworks. Looked real enough to me (although I did wonder about how they got them all to explode at exactly the right height/position to create the footprints.. OTOH the Chinese did invent fireworks and if anyone could do it they could).

  10. Re:THe video sucks on HTC Dream (Android) Video Emerges · · Score: 0, Troll

    ..provided you don't actually want to do anything interesting with the phone.

    And even if you do get past the SDK nazis at Apple they can pull your app without warning.

  11. Re:OpenID on Moving Beyond Passwords For Security · · Score: 1

    They cost way less than that.. A quick google found genuine RSA ones being sold retail for a US equiv. of $40 each.

    The WoW ones are 3rd party and produced in bulk (and allegedly nowhere near as sophisticated as RSA ones), so I don't think they're subsidised much if at all. Blizzard have previously said they're being sold at cost, not subsidised.

    The real price gouging on these things goes on at the server side.. a securid appliance to use all these keys runs to about $8000... but that's peanuts to the average bank for example (which is why it surprises me so few banks use them (only one in this country I'm aware of and that's only on limited trial)).

  12. Re:b.authenticator on Moving Beyond Passwords For Security · · Score: 1

    It fell to a social engineering attack.. Blizzard screwed up basically (should have demanded photo ID but didn't).

    Even the most secure systems can fail in that manner if the human side fails. One of the first things that's done when security is tested in an organisation is phone up, make up a story and see if the person on the other end will give up a password.

    Of course the reason the hacker had enough information to pull that off is the owner was an idiot and gave their details away - probably responded to a phishing email (they had the CD key and passphrase - the only way to get them is for someone to divulge them.. they're never typed in so they can't be got by malware).

  13. Re:OpenID on Moving Beyond Passwords For Security · · Score: 0, Troll

    The WoW ones cost 6 euros a piece. If that kind of security is available for a game then what are you prepared to spend for something important?

  14. Re:Kerberos did that years ago. on Moving Beyond Passwords For Security · · Score: 1

    Hell, even NTLM did that years ago.. it's not rocket science.

    The problem is websites that want 'pretty' login screens with text boxes for input, instead of using the builtin authentication methods available over HTTP. It's not uncommon at all for this to be done on unencrypted pages (even some banks have made that mistake).

  15. Re:Isn't it a birthday attack? on BIND Still Susceptible To DNS Cache Poisoning · · Score: 1

    They do, mostly. There's a certain amount of caching built in at all levels these days (which is why for example on windows you have to do ipconfig/flushdns sometimes if DHCP changes the address of a machine).

  16. Re:Gigabit link? on BIND Still Susceptible To DNS Cache Poisoning · · Score: 1

    The internet at large is safe until either:

    1. Everyone is connected by a gigabit cable to a common nameserver, and the admin of the nameserver is too stupid to realize that their dns being saturated with bogus packets at gigE speeds for 10 hours is not normal.
    2. Both ISPs and routers for some reason decide to stop filtering source addresses so that such an attack is possible without being directly connected.

  17. Re:Limit the bandwidth, compare notes on BIND Still Susceptible To DNS Cache Poisoning · · Score: 2, Insightful

    The packets won't look like that though will they - at that bandwidth they'd have to be on the local network so they'd be coming from a different source mac (and that's pretty much the only way to do this attack anyway - any ISP worth the money will drop any packets with fake source addresses on the floor before they get routed externally, so it'd have to be an internal attack).

    Worst case you shut down the DNS server and everyone drops to the backups until the attacker is traced and shut down.

  18. Re:I'm safe, in my ADSL utopia on BIND Still Susceptible To DNS Cache Poisoning · · Score: 0, Troll

    Compared to ARP spoofing which is much simpler and gains you the entire traffic flow to an IP address? I wouldn't bother with a DNS attack to be honest. Any attack that requires you be on the local network is uninteresting just because there are so many damned ways to do it already.

  19. Re:GigE on BIND Still Susceptible To DNS Cache Poisoning · · Score: 1

    Given a setup like that you could poison just about any protocol unless it was using SSL... anything that has a two way conversation expects replies and you can inject packets into it by getting there 'first'.

    TBH though given that setup I'd just respond to ARP requests for the router and intercept the entire traffic flow. DNS poisoning not required.

  20. Re:IPv6 could solve this! on BIND Still Susceptible To DNS Cache Poisoning · · Score: 1

    The source addresses would be the same though - there are only a limited number of DNS servers and it's not hard to sniff a link and work out what the common ones are... so you're not adding anything, just creating a situation where the average home user can't actually use your DNS server.

  21. Re:Limit the bandwidth, compare notes on BIND Still Susceptible To DNS Cache Poisoning · · Score: 3, Insightful

    A decent firewall could be trained to recognize an attack like this and take preventative action easily enough - to even get it to work you'd have to saturate the link with packets hoping to get a 'hit'.. So you can do it in gigE in 10 hours. You can attack just about any connection based system using similar methods, but you'd have to saturate the link and it'd get noticed... especially if you did it at gigE bandwidth for 10 hours!!

  22. Re:Verified by Visa useless to customers on Net Shoppers Bullied Into "Verified By Visa" Program · · Score: 1

    BS. I had a card stopped like this. It took a week for the bank to even work out what they'd done and another week to replace the card with a new one (which is the only solution apparently).

    During that time several important bills were declined and it left me with a mess to sort out. It's also affected my credit rating.

    The bank have still never explained why they did it and never attempted to contact me - they just stopped the card.

    Also, when they do that they only stop merchant and online transactions - you can still withdraw cash from an ATM - so the security benefit is zero.. if someone has your card and PIN they can clean out your account easily (ATM transactions aren't covered by the anti-fraud regulations of course so they don't care about them).

    The proper way to do it is to contact me *immediately* and verify any suspicious transaction there and then. Most cards do in fact do this... I've had this happen several times.

  23. Re:I had my Visa Locked because of this on Net Shoppers Bullied Into "Verified By Visa" Program · · Score: 1

    I feel your pain. I had a card apparently locked for 'fraud' for no reason I could determine.. Stupidly, I could still use the card to withdraw cash from an ATM! (So there was no security there.. if someone had cloned the card they could have cleaned me out easily). Took the bank a week to even work out why the card wasn't working and another week to issue a new one - during which time several bill payments had bounced and it's affected my credit rating.

  24. Re:Financial institutions aren't liable anyway on Net Shoppers Bullied Into "Verified By Visa" Program · · Score: 2, Insightful

    The VbV window contains a phrase that you set up when you enable it, known only to you and the bank. If that phrase isn't there don't enter your password... simple.

  25. Re:One click buy on 8 People Buy "I Am Rich" iPhone App For $1,000 · · Score: 1

    One click is the only option on the appstore.

    On the phone it'll at least ask your password, but there's no shopping cart on either.