Slashdot Mirror


User: skids

skids's activity in the archive.

Stories: 0
Comments: 3,412

Comments · 3,412

  1. Re:How to detect? on Cyber-Espionage Groups Are Increasingly Leveraging Routers in Their Attacks (bleepingcomputer.com) · · Score: 3, Interesting

    Put some sort of induction hardware both sides of the router network and see if the router is communicating in strange ways?

    Sure, but really smart advanced threats could do very hard-to-detect things like encoding CNC signals in packet latency or preferential ordering between streams. Basically you either have to discover and dissect an attacker's inserts because they screw up and tip you off that something is wrong, or do something stupid like sell their inserts on the dark web before they are done using them themselves.

    Have the desktop OS and AV able to scan the router from the network?

    If you know what you are doing, you limit control-plane communication on your more important nodes tightly. Plus desktop OS and AV don't usually have a rich signature set for anything but Intel processors. Also the only way to really "scan" a running router's software is to snoop the busses to get snapshots of the RAM... which given the hardware is not commodity kit, is not usually done. No $80k/year net tech is going to try to attach JTAG or bus analyzers to a $20,000 production router blade. Sure you can ask the router to dump RAM (or ROM, but since routers tend to stay up 24/7 RAM-only inserts are probably pretty common) if you can find the vendor's secret commands, but then it could just lie to you. Or crash because the debug command set isn't QA'd nearly as well as the provisioning command set.

    The problem will get worse: these devices are getting more and more features that interact with payload traffic... the attack surface is expanding every year. And, with the push to SDN and zero-touch deployment features, more of the guts are being exposed to management stations, which are not notorious for being well secured, let me tell you.

    (BTW, pro tip: giving a Nessus station access to read the router config files live off the infrastructure devices is putting an awful lot of trust in the integrity of a workstation running a giant amount of hastily cobbled code. Nessus has an offline mode for router config file analysis. Strip your crypts and set up a secure rsync from your config backup server.)
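
Added example, not part of the comment above: one way to "strip your crypts" from backed-up configs before they are copied to an offline analysis host. It assumes Cisco IOS-style syntax (the comment names no vendor); the sample config, the rule list and the function names are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the comment names no vendor).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$CONSTRUCTED$notARealHashValue000000
username netops privilege 15 secret 5 $1$CONSTRUCTED$anotherFakeHash0000
snmp-server community CONSTRUCTEDcommunity RO
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 transport input ssh
"""

# Each rule keeps the keyword context an auditor needs and replaces only the secret.
REDACTION_RULES = [
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d+)?) \S+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*username \S+ .*?(?:secret|password)(?: \d+)?) \S+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*snmp-server community) \S+"), r"\1 <removed>"),
    (re.compile(r"^(\s*ip ospf message-digest-key \d+ md5(?: \d+)?) \S+$"), r"\1 <removed>"),
    (re.compile(r"^(\s*password(?: \d+)?) \S+$"), r"\1 <removed>"),
]
# Words that usually introduce a credential; used for the fail-closed check below.
KEYWORDS = re.compile(r"\b(?:secret|password|community|md5)\b")

def strip_crypts(config_text):
    """Return (sanitized_text, number_of_redacted_lines)."""
    out, redacted = [], 0
    for line in config_text.splitlines():
        for pattern, repl in REDACTION_RULES:
            new_line, n = pattern.subn(repl, line)
            if n:
                line, redacted = new_line, redacted + 1
                break
        out.append(line)
    return "\n".join(out) + "\n", redacted

def unredacted_lines(sanitized_text):
    """Fail closed: list lines that mention a credential keyword but were not redacted."""
    return [l for l in sanitized_text.splitlines()
            if KEYWORDS.search(l) and "<removed>" not in l]
```

Run `unredacted_lines` on the output before the copy leaves the backup server; any line it returns uses syntax the rules do not cover and needs a new rule or manual review.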

  2. Re:night owls on Late To Bed, Early To Die? Night Owls May Die Sooner (livescience.com) · · Score: 1

    And all those pesky left-handers. And the people without Facebook accounts. And the colorblind guys. And the occasional ebohphobe.

    (point being eventually you end up writing off everyone but your cousin, with whom you end up reproducing)

    I'd say "conform or die" but according to TFA it's more like "conform AND die".

  3. Re:Sounds like a protection racket to me on Microsoft: We'll Help Customers Create Patents But We Get a License To Use Them (zdnet.com) · · Score: 1

    Yeah...

    promises to limit their use to improving its own platform technologies

    ...are only as solid as the spongy definition of "platform technologies"

  4. Re:What's the big deal with the anti-GMO movement. on CRISPR-Altered Plants Are Not Going To Be Regulated (For Now) (fastcompany.com) · · Score: 1

    Now if they produced some kind of chemical that ended up as poisonous that's a different story.

    ...which is entirely possible given one of the goals of GMO is pest resistance.

    That said the fears about GMO health effects are overblown, but some regulation, even if only to register what's on the market and provide supply chain transparency, is merited. When the inevitable mistakes happen, they need to be dealt with promptly.

    The IP issues and the use of GMO as a legal crowbar to put small competitors out of business is a bigger overall threat. You don't want anyone who would use that tactic to be in control of your food supply, because once they are they will turn similar tactics on you.

  5. Re:Good God- please can this! on Facebook Delays Home-Speaker Unveil Amid Data Crisis (bloomberg.com) · · Score: 1

    It's legal if one party involved in the conversation has consented. If Natalie Portman and I have a conversation in your living room while you are out of the room taking a piss or filling your bathtub with hot grits, in most places in the US you are not legally allowed to record it. In some states, both involved parties must consent. Third parties, like Facebook, Amazon, Google and Apple, can often also record conversations and phone calls in private locations with one-party consent but they also don't often have all the rights a participant does. Sometimes the restriction on them is to fully inform those recorded, thus, the need for a sign.

  6. Re:Good God- please can this! on Facebook Delays Home-Speaker Unveil Amid Data Crisis (bloomberg.com) · · Score: 1

    I think it would be wise for some legislator to draft up a bill requiring people with any such device operating in their house to post a nice big red notice on their front door to warn visitors that they may be recorded while on premises.

  7. Re:A better alternative. on IETF Approves TLS 1.3 As Internet Standard (bleepingcomputer.com) · · Score: 1

    Second, last I checked, it was harder to provision devices running a smartphone OS than devices running a desktop OS. Adding a certificate on Android is impossible without first setting up a PIN or pattern lock [google.com], and developers of apps made for Android 7 "Nougat" and later have to opt in to use of user-provisioned CAs through the network security config [android.com]. Even if Chrome does, your favorite media playing app might not.

    It's your choice to use that software. Why are you surprised it puts you on a path of having to pay for things like public CA certs? That's what that ecosystem was designed to do, to make you pay for things.

  8. Re: If you work in tech on Nearly a Third of Tech Workers Are Ready To #DeleteFacebook (betanews.com) · · Score: 1

    FWIW, if I were looking for work, it'd sure be a relief to work for someone who has a sane perspective on privacy issues and a firm understanding of what made the Internet great before it got ruined.

  9. Re:If you work in tech on Nearly a Third of Tech Workers Are Ready To #DeleteFacebook (betanews.com) · · Score: 1

    Those who are really ahead of the curve never signed up for a Facebook account in the first place.

    I certainly don't consider myself "ahead of the curve" for never wanting to have anything to do with Facebook. For me it was just a matter of having principles and sticking to them.

  10. Re:Corporate Management Engine? on IETF Approves TLS 1.3 As Internet Standard (bleepingcomputer.com) · · Score: 1

    Say I can't trust MAC/IP/DNS resolution on an internal network,

    ...fix your network with dhcp snooping, arp protection, ip source guard and DNSSEC... but...

    then an encrypt everything at the app level policy is supposed to save the day??

    ...actually that's kind of the point... TLS isn't just encryption it is also server authentication via PKI.

    (Back in WEP-just-got-cracked days some people just ran open wifi networks where the only protocol allowed on the hosts/APs was cert-based IPSec. Workable workaround by the same principle.)

  11. Re:A better alternative. on IETF Approves TLS 1.3 As Internet Standard (bleepingcomputer.com) · · Score: 1

    If it's a home LAN you can make your own CA and add it to your OS trust store. What are you talking about, like 10 client devices to provision? Not a huge deal.

  12. Re:Institutional memory down the drain on Cutting 'Old Heads' at IBM (propublica.org) · · Score: 4, Interesting

    Who knows. It does strike me that the authentication bypass in the AMT management processor might have been just the sort of thing a seasoned C coder might have spotted.

  13. The reasonable way to do this would be to have humans control robots at first, from nice air-conditioned, possibly even remote, venues, and have the machines just record how the humans move their parts and build up a data source to train AI from. Then you'd have a much better training set, and be technologically prepared to have a small workforce of trained machine operators jump into tasks and take over on the diminishingly rare occasion that a machine is presented with a situation it is unfamiliar with. Then everyone is happy. We get our work done, and people trained to operate machines get some income from being on retainer to handle quirky situations.

    But the overly technophilic tend towards a purism that prevents them from seeing this.

  14. Why are all the names being put in clickbait social media posts either extremists or just plain bonkers.

    FTFY. You won't hear about the more boring candidates on social media.

  15. Re:Malicious crock of shit on Say Goodbye To the Information Age: It's All About Reputation Now (aeon.co) · · Score: 1

    Technology provides us with the possibility of OBJECTIVE insight and provides framework for OBJECTIVE verification (with mathematics).

    Well judging from social media platforms just now realizing they need more than a single "like" button, that possibility is far from realized.

    From TFA:

    reconstructing the reputational path of the piece of information in question, evaluating the intentions of those who circulated it, and figuring out the agendas of those authorities that leant it credibility.

    ...this won't happen unless it can be monetized. Sure OSS solutions may emerge, but the general population will only use the services that had the budget to advertise, and those will be the ones who think they have a way to recapture the advertising revenue and generate an ROI for their shareholders.

  16. Re: Alternatively: on Ask Slashdot: How Can I Prove My ISP Slows Certain Traffic? · · Score: 2

    Yup.

    The proper tool to try to figure out where packets are being dropped or delayed is called "paratrace"

    You kind of need to know what you are doing to use it properly... you have to find the connection that is being slowed and jump on it.

    Also, and this goes for traceroute, too, if a single transit node has high loss or delay, but the nodes beyond it do not, then that node should not be blamed... returning packets due to TTL exhaustion may be CPU-bound or control-plane-policed on a transit node, which is normal on some equipment and won't matter for normal traffic.
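
Added example, not part of the comment above: a small check that applies the rule "do not blame a hop whose loss does not persist to the hops beyond it" to per-hop loss figures of the kind traceroute-style tools report. The hop names, loss values and the 2% threshold are constructed, and it assumes return paths do not differ between hops.

```python
# Constructed per-hop samples: (hop number, node, loss percent of TTL-expired replies).
RATE_LIMITED_HOP = [
    (1, "gw.example", 0.0),
    (2, "isp-edge.example", 0.0),
    (3, "transit-a.example", 60.0),  # replies policed on the control plane
    (4, "transit-b.example", 0.0),
    (5, "dest.example", 0.0),
]
REAL_LOSS = [
    (1, "gw.example", 0.0),
    (2, "isp-edge.example", 0.0),
    (3, "transit-a.example", 12.0),
    (4, "transit-b.example", 15.0),
    (5, "dest.example", 11.0),
]

def forwarding_loss(hops):
    """Bound the loss a hop adds to forwarded traffic.

    Probes answered by a later hop were forwarded through this one, so the
    forwarding loss here cannot exceed the lowest loss seen at or after it.
    """
    bounds, running = [], float("inf")
    for hop, node, loss in reversed(hops):
        running = min(running, loss)
        bounds.append((hop, node, running))
    return list(reversed(bounds))

def first_lossy_hop(hops, threshold=2.0):
    """First hop where loss persists all the way to the destination, or None."""
    for hop, node, bound in forwarding_loss(hops):
        if bound > threshold:
            return hop, node, bound
    return None

def control_plane_artifacts(hops, threshold=2.0):
    """Nodes that look lossy themselves but forward traffic cleanly."""
    return [node for (_, node, loss), (_, _, bound)
            in zip(hops, forwarding_loss(hops))
            if loss > threshold and bound <= threshold]
```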

  17. Re:While this doesn't bother me.... on Slack Is Shutting Down Its IRC Gateway (slack.help) · · Score: 1

    Yes because otherwise you are allowing the guy who p0wned your users' cable modem to inject code into their browser.

  18. Least important: they claimed that the causes of the error were that the respondents misread

    Yes, least important. But not unimportant. Giant swaths of the social sciences rely on surveys, and considering how ill funded they often are, you would think they'd spend *much* more time crafting the language of such important questions. Heck even medical shit often relies on a survey, which is why anyone who has a brain gets totally stressed every time they see all the stupid questions that could be interpreted five ways that are being used to determine the course of their treatment.

  19. Re:What problem is being solved...? on Mitsubishi Electric Believes Its AI-enhanced Camera Systems Will Make Mirrors on Cars Obsolete (ieee.org) · · Score: 1

    What I don't understand is why so few of these AI systems seem to be aimed at not blinding oncoming drivers with your headlights. You'd think that this would have been a great pilot application for these systems, before trying to make AI do anything fancier or more potentially dangerous.

  20. Any good driver is going to be doing a ton of constant re-focusing from near to far

    Come back when you get into your 40s and the presbyopia starts to set in and tell us how much you like those screens.

  21. Re:Planetary Dyson Sphere on Humanity's Biggest Machines Will Be Built in Space (popularmechanics.com) · · Score: 1

    There are a LOT of potential energy sources in space that simply cannot be found and/or utilized on earth. Most are still out of our technical grasp, but solar isn't, and is pretty damn effective in space... even more so closer to the sun.

  22. Re:That's nothing... on Scientists Grow Sheep Embryos Containing Human Cells (theguardian.com) · · Score: 1

    We've seen how that story ends.

  23. Re:Thunderbird on The Most Popular Linux Desktop Programs (zdnet.com) · · Score: 1

    Yeah when I bother to read my email at all, these days it is mutt. Still kinda did like pine better, but it's not far off... just a bunch of different keys to remember on an application I use so rarely these days.

    (Note to ancient unix devs: email is not a good way to do system logging and alerting. cron needs to find some other way.)

  24. Re:Not even close to a scientific poll on The Most Popular Linux Desktop Programs (zdnet.com) · · Score: 2

    Yeah, essentially we now know what is most popular among a handful of bored or zealous users.

    The Debian Popularity Contest automatic rolling poll has package-level info on a couple hundred thousand systems. Of course systems != users and monitoring the atime of a file overcounts things that get run automatically on occasion (e.g. if some application isn't complying with Debian standards and opens nano or vim instead of the system's "sensible-editor" default, it would affect those results even if the user hates said editor.) And you have to find all the different flavors/major versions to get a complete count on a package. But still, a much more robust data set

  25. ...and demand SSO solutions from the IT department. If the trend ever does really reverse, we'll see requests for separating password realms from users... and then end up with an even more complicated SSO solution to accommodate that functionality since apparently so many of them neglected to think to implement that feature in their rush towards "one password that works everywhere."

    Oh, BTW, TFA needs to get a clue. SMS texts are not a NIST-approved 2FA mechanism anymore, for good reason.