I suspect that the CPU will be the new Intel Santa Rosa CPU. The Santa Rosa is based on the Core architecture. The Apple iPhone will probably be the first phone with a dual core processor.
Like everyone else, I have no inside information at all, and this is merely speculation, but the performance of the device appeared to be pretty amazing.
I think the point is that many, if not most email users find themselves wading through a sea of spam despite the multiple layers of content filtering that happen between the point of origin and their inbox. The AC is partly right. Content filtering has merely delayed the death of email.
College students these days are often heard to say, "I have an email address but I never use it." They prefer their cell phones because voice and SMS text messages are not yet flooded with spam. Email may not be dead, but it's definitely gasping for air.
"It doesn't matter at all because the vast majority of business applications are not available for the mac. Period. "
It's not that simple, and you probably know it. Most business transactions are apparently still conducted by COBOL applications, so I'll see your Windows Server and raise you a mainframe: Windows will never be accepted in the Enterprise market because everybody knows most business apps are COBOL apps on the mainframe.
Most new application development in the Enterprise market seems to be web based and can work fine with Macintosh clients. This nonsense about "most business apps are Windows-only" is based on the erroneous assumption that just because there are lots of tiny little companies pooping out their custom apps (which nobody else uses) in visual basic that the Macintosh can't play in the Enterprise market. That's definitely wrong in both the server and the client desktop/mobile markets. There is a Macintosh in the Enterprise future.
Okay. Then after that, how about you give me the keys to your house, and I'll let you have your first experience with being robbed? =) And on the way out, I'll stop by your garage and borrow your car... don't worry about the keys for that one, I'll make it work.
Are you implying that in exchange for valuable security consulting which could save your career you would arrange to have my personal possessions stolen by violating my trust? I don't think I need any clients like that!
It just makes me so mad, and makes me rant like this every time I read some jack hole on /. spreading FUD about Windows boxes getting owned all over the place.
In the world that everyone else lives in, you can walk into well-administered networks in large corporations with dozens of qualified systems administrators and thousands of Windows PC systems, as many as 20% of which in some organizations are running adware, spyware, botnets or worms, and rather effectively Owned by Them (0wn3d b1 Th3m).
If you understand computer security, you know that nothing is 100% secure.
Excellent point. Suppose your network is 99% secure. That means nearly four days a year all your boxen could be owned by them. Alternatively, 1% of your boxen at any given time are owned by them and you don't even know it. The phrase "nothing is 100% secure" should be abandoned. It says nothing useful whilst attempting to intimidate those who disagree.
Boxes get owned because admins are failing to do their jobs properly.
If you provide a retainer, I'll be glad to come to your organization and uncover a few reasons that you could use to justify firing yourself. Preferably, you would learn these things before your manager learns them in the aftermath of your first experience of being 0wn3d.
Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.
I've seen a few laptops that had batteries in the recent replacement ranges where the new battery ran so much cooler that the laptop operating temperature dropped 15 to 20 degrees. I suspect much of the whining for the past year and a half was due to bad batteries.
Well different people have different ideas of what it means for the press to be free. For me...
Underlying your views on the topic is a meme known as Cultural Relativism. This notion that your own culture, in a general sense, may not be superior to all others is an interesting and useful tool in the field of anthropology. The idea that people may not be adequate instruments for knowing the truth of a given matter, and thus not always able to correctly arrive at a value judgement when comparing cultural elements is an interesting thought experiment in the field of epistemology.
However, as an organizing principle for the world, cultural relativism has become yet another excuse to believe without thinking. It's all good, so long as you are not the one being hurt by "different" meanings of the term "freedom" or "torture" or "following the law" (see: signing statements) or different ideas about the level of violence, repression, and mutilation which should be allowed to be inflicted by your "culture" on your daughters. Such cultural "traditions" are most often "practiced" ostensibly to support "religious beliefs" but isn't it interesting how they typically also serve to keep a tiny brutal minority in power and opulence while you suffer in this life, awaiting the next? Yes, that's right, I'm suggesting that the atheistic (scientific) notion of cultural relativism has escaped from the utility of thought experiment and runs rampant now as dogma and that among other things it has become tangled in the meme framework supporting theocratic oppression. Let's talk about that over a beer some time.
When they came for the knee-jerk libertarian computer geeks on Slashdot, there wasn't anybody left to defend you from the jack booted thugs. So sorry.
Stop accepting the dogma of cultural relativism blindly, and start thinking. It's definitely not all good.
Learn about the Founding Fathers. They warned us about compromising the democratic ideals given to us in The Constitution of the United States of America, a freely-licensed open source design pattern for democracy. Take a couple hours some evening to read and contemplate the document and the amendments, particularly the Bill of Rights. You won't regret those hours. Consider them an investment in our common future.
...but the iPod story really can't be explained by Apple fanboys. Unless they are buying 8 to 10 iPods each per quarter and giving them to people, there just simply are not enough fanboys to account for the sales figures.
OK, whoever gave this a +1 Informative mod - hand over your Geek Card! You are no longer a card-carrying Geek. Please take a Dork card on your way out. (Geeks know that radio waves and light are two different ways to refer to the same thing, and that yes, it matters if you block it when you're talking about a telescope observing any part of the spectrum.)
If IRC went away tomorrow, botnets would be back in maybe a week at most. There are plenty of options for them: peer-to-peer command and control, setting up their own IRC servers on some of the compromised machines in the botnet, etc.
If they can infect several thousands of systems within the first hour or two, maybe that's good enough to suit their purposes. Some of the email virus or network worm propagation techniques were "stupid" in the sense that they could be easily blocked -- once people knew how it worked. The TFTP callback used by several different worms springs to mind, very easily blocked with a filter rule in a router. In the first few hours, however, hundreds of thousands of systems were infected. Stupid is as stupid does, I guess. In this case stupid owned a bunch of systems before people could respond.
My recollection is that most of my clever geek friends actually laughed when they first heard about Patch Tuesday. Within a fraction of a second of hearing the news, it was easy to predict that malware releases would be timed to exploit the month lag for patching institutionalized by Patch Tuesday. I would be greatly surprised if there weren't some comments to this effect in the Slashdot archive the day the Patch Tuesday strategy was announced and columns in the IT rags within a few days. It had already been common for batches of malware, particularly email worms to appear on Friday afternoon, and spread over a weekend. Malware releases were timed thusly one presumes because the malware authors suspect that fewer people are available at AntiVirus companies to analyze, fewer staff are available at system vendors to build and test patches, and so forth.
So why didn't this Malware Wednesday effect show up immediately, and why is it still not employed universally? Malware seems to emerge, in general, every week, every day. It took almost two full years for the Malware Wednesday response to emerge into a recognizable pattern. I suspect that this should indicate something interesting about the malware community. But what?
Perhaps communications between different groups and individuals that share code and ideas in the underground community aren't very efficient, due to the mistrust and need to shield identity. Perhaps these groups don't spend much time reading Slashdot or IT journals where pundits probably decried the silliness of Patch Tuesday and predicted the Malware Wednesday phenomenon. Perhaps they were too busy sitting on the beach drinking rum from hollowed out pineapple shells with those little umbrellas in them, and only recently got around to thinking about the problem. Perhaps the techniques they employed were effective enough.
However, there are problems with all of those theories. Here's a theory that seems to have greater explanatory power: Releasing patches immediately following a Patch Tuesday probably didn't show much of an advantage to the malware authors in terms that matter to them, (a) how long will the exploit remain effective, and (b) how many systems can be infected via this exploit and remain under botmaster control for an extended period of time.
Microsoft hasn't really shown an ability to consistently patch defects within a single month of discovery.
The systems which are most likely to remain under botmaster control (once control has been usurped by exploitation of a defect) for the longest period of time also tend to remain unpatched for a long period of time.
Systems which are patched frequently or re-imaged following an intrusion are of declining interest to the profit-motivated organized crime organizations which are driving much of the evolution of malware in the past few years. Such systems remain interesting to malware authors seeking underground fame for infecting large numbers of systems, but the people who would in the past have been trying to infect "m0R3 s1st3mS th4n 3V4R, d00dz!!!" are attracted and tamed somewhat by the money.
If they are going to work for the underground economy, and get paid to write malware, they need to write malware that focuses on the profit making goals of the underground group. That means more people writing more dangerous code that attracts less attention because it can be controlled more carefully and seldom causes global outbreaks on the scale of MS Blaster. Instead, lots of little releases all the time. Rapid spread techniques might be used as a smoke screen now and then while harvesting data for espionage purposes (either corporate or national) but are probably used much less often by those seeking to quietly build up botnets for spamming, hosting phishing sites, scanning for identity information which can be aggregated and used or sold, and so forth.
Just a thought, not fully formed. I'm kinda groggy this morning.
And since I know both my neighbors and they're both developers who I'd trust with my network
What?! Did somebody declare détente in the forever war between systems administrators and developers whilst I was not paying attention? Never trust a developer with your network! Trust developers with your source code. (Never trust an admin with your source code! (save possibly to back it up...))
Recent reports indicate that Apple has confirmed today that there is an Intel chip in this phone, although they will not specify which one.
No floppy drive... you crack me up.
Consider two propositions.
(1) Not all lying is social engineering.
Lying, by definition, is making a statement believed to be untrue with the intent to deceive another (see: lie); therefore all lying might be considered a form of social engineering, using the most inclusive possible definition for "social engineering". However, one might consider that there are types of lying which do not really have a useful purpose (e.g. pathological lying) and which are not employed to seek a gain, and these types of lying might be considered to fall outside of the domain of social engineering. Lying and social engineering therefore might be thought of as two domains which share an overlapping subset. As an aside, deception is a superset of lying, not an equivalent set as you implied.
(2) Not all social engineering involves lying, but may involve other forms of deception.
A trivial and familiar example is the practice of following someone through a physical access point, known as "tailgating." Tailgating may exploit a natural human trust relationship (I've seen your face before, or you dress like you work here, or you walk with confidence, make eye contact and smile) or may merely exploit a conflict avoidance instinct without active propagation of a statement believed to be untrue. Tailgating is clearly a tool which could be used to circumvent security controls and can clearly be considered a type of social engineering, but does not fit within the accepted definitions for lying.
This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.
Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial Google search.
Intel v. Randal Schwartz: Why Care?
Clearly, Randal was someone who should have known better. And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".
-- end quote --
Randal already had an established reputation as a happy friendly white-hat super star and has highly respected friends who can vouch for him. Would your own reputation be able to withstand a legal battle from a client, even if your intentions were pure? I submit that it may be best to specify in the tiger team's contract the use of techniques like password cracking and sniffing. Leaving a recovered password on paper for any random employee to find is just a stupid, stupid stunt. Professional tiger teams carefully and jealously guard the evidence of their efforts, and share the results with the client in a professional and secure manner. If you need to prove you were in the building, take a picture and leave a business card, not your client's password, for crying out frigging loud.
There, that should be clear enough.
...using Microsoft Internet Explorer. AAaaaaaaaaaaaargh!
Never trust anyone who doesn't like peanut butter as a matter of preference. (The allergic are forgiven their trespasses.)
This was squarely on topic, addressing it more directly than perhaps you are comfortable with.
Gartner should get out of the clue business. The industry trade press props them up and everybody knows they haven't made a decent clue for years.
silent velcro.
Although this phrase is quite commonly misused, there is a difference between language evolution, and willful propagation of ignorance.