A lot of people are looking at this from the perspective of "what if I'm a bad guy, trying to get away with something". Crypto indeed doesn't help that much, because headers are in the clear, so you have to take other measures like anonymous proxies, whatever. And there are laws in place to force people into handing over their keys.
But from the perspective of "I'm a regular guy, and don't want someone reading every mail I send", ubiquitous crypto is exactly what we need. Even though someone may take no action on the mail between me and my wife telling her we're having a beer-mergency and to please stop on the way home, there's also a chance that someone might. Global crypto is there to help the regular people who just don't want their privacy invaded. Also, my mail might set off some false-positive Terror Alarm and "they" might watch my mail more closely. Basically, I would say that anything you wouldn't print out and nail to your front door or put in an envelope and send to the police should be encrypted.
At the moment, it's just too hard to get buy-in from most regular people, including my wife.
PGP and GPG are crypto implementations that run on the client. GPG is all free; PGP can cost money, but has a lot of desktop integration features for the platforms that support it. I also use a certificate on my mailserver, which is self-signed, since the only people who need to trust it are inside my house, and I trust me.
The SSL cert is only really in place to protect my credentials during IMAP/S and SMTP+SSL. Using certificates doesn't really help in the transmission of mail between hosts, since that will happen in the clear anyway. That's where PGP/GPG protects your mail content.
I really do hope this drives people to make encryption ubiquitous. All of the egregious US programs have failed to make the public use crypto, but this seems to be well publicized enough that it might make a large chunk of people install and use good crypto.
GPG plugins for Mail.app and Thunderbird are at the point now that it's basically set it and forget it, come on folks. (I don't so much like the GPG Outlook plugins, but maybe I haven't messed with it enough)
As a move to avoid the possibility of getting caught up in a suit, I think Google, Yahoo, MSNLive, Ask and every other engine should remove any reference to this domain.
If no one can find you via search engines, and no one links to you, what good is your site? They would probably sue the engines if they de-listed that domain for some wacky antitrust mumbo jumbo, "conspiracy to not help us make a living" or somesuch.
You're right, it's not fair. The idea is that it's supposed to put pressure on the ISP to kick out the offenders, by making all their other customers complain that they can't deliver mail. If an ISP has 50 angry customers and can make it all go away by getting rid of one customer, then they're apt to do just that.
I disagree even more with blacklisting peering partners. Just because Pacific peers with some other ISP doesn't mean that Pacific should know or care about anything regarding the other ISPs business. For them to get blacklisted as an incentive to de-peer strikes me as pretty lame.
I'm certainly not SpamHaus's biggest fan. I do get why they do what they do, and I get why people use their list as a blackhole, though it's not for me.
They list netblocks in a blacklist that other people use to filter, and if an ISP doesn't deal with the issue with that one block, Spamhaus will threaten to expand beyond the block of the individual offender, which might be like a /27, and blacklist the ISP's block, which might be a /18 or something.
If a whole ISP is seen as a habitual offender and providing safe haven to unrepentant spammers, then SpamHaus will work their way upstream.
It's going to be a while (on LHC Success!)
I've read that it will be some time before they test anything with enough energy that they might create the "mini black holes" everyone is worried about, that it might be a couple of years?
However, when they DO do it, if the black holes do not dissipate and immediately head for the center of the planet and proceed to grow and kill all of us, does that mean Hawking owes everyone in the world a subscription to Penthouse? Sweet.
"Unsecured" doesn't mean "Unauthenticated", but you can still sit there and listen without authenticating and being able to browse. The hotels do not establish secure tunnels to each client at authentication, for instance.
If you aimed a better antenna at your neighbor's house, it would be easy to sniff all their traffic. Now let's say that you're not the well meaning, keep to yourself kind of guy that I'm sure you are, but that you're intent on identity theft or stealing personal or business data. The fact that you can see half a dozen unsecured networks from your house means you live in a pretty target-rich environment. How many of your neighbors might use the same password for AIM or Myspace that they use for Bank of America, or their local login password?
The attacker wouldn't necessarily own a house in your neighborhood either. Maybe they rented a van? Maybe one of your neighbors is in a position at work that puts them in touch with sensitive data, and someone follows them home? Or, maybe someone launches a balloon 4 or 5 miles away and collects everything scattershot for a couple of hours, then homes in on those interesting locations in a car. As unlikely as those scenarios are, why not just click the damn "WPA2" radio button on the stupid GUI and make yourself a somewhat harder target?
Did you test it with a high gain directional antenna? Team Tenacity tested a 7.5 mile radius around their "plan B" location, which included the entire LV strip.
The most entertaining part was when the cop car showed up, they all waved at the cops, and the cop car drove away. Had the intent been bi-directional communication, it would have been kind of hard without a much more stable platform, I'd imagine. But even in a listen-only Kismet setup, 170 networks, 1/3 of which are open is pretty significant.
That was pretty much the consensus from the webcast given by Dan Kaminsky et al. last week. That's why it was so critical to get a workaround in place to give them time to agree on how to go forward, hopefully with DNSSEC.
Except that DJB and presumably Mara are likely both still susceptible to the original bug. Honestly, how hard is this to understand?
Source port randomization does NOT fix the fundamental flaw of being able to change existing records in a caching DNS server with glue fields. Source port randomization is simply a workaround to mitigate the risk by making someone guess two 16-bit numbers instead of only one (source port AND txid). The core flaw remains unfixed because it's going to take a whole lot longer than 6 months to get anyone to agree on how to proceed.
djb is much, much harder to exploit, but if he implemented the spec, he should be vulnerable to the main bug, though in all honesty I haven't seen anyone saying he is, or you are.
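The race the comment above describes, reduced to a toy model as an added example (this is not code from the commenter, from djb's software, or from any real resolver). The zone name, the IP addresses, the choice of 53 as the pre-patch source port, a patched resolver that draws from the full 16-bit port range, and an attacker who always aims at the pre-patch port are all assumptions made for the illustration. The point it shows is the one the comment makes: the glue-overwrite logic in `receive` is identical with and without port randomization; only the odds of a forged reply being accepted change.

```python
"""Toy model of the DNS cache-poisoning race and the source-port
randomization workaround. Added example, not code from the comment,
from djb's software or from any real resolver. Zone name, addresses,
the full 16-bit port range and the attacker's fixed port guess are
assumptions made for the illustration."""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # assumption: a patched resolver picks from all 2^16 ports
FIXED_PORT = 53        # assumption: the unpatched resolver always sends from here


@dataclass
class Query:
    qname: str
    port: int
    txid: int


@dataclass
class Response:
    qname: str             # name the (forged) answer claims to be for
    port: int              # destination port the sender guessed
    txid: int              # transaction ID the sender guessed
    glue: Dict[str, str]   # additional-section records, name -> IP


@dataclass
class ToyResolver:
    zone: str
    randomize_port: bool
    rng: random.Random
    cache: Dict[str, str] = field(default_factory=dict)
    pending: Optional[Query] = None

    def send_query(self, qname: str) -> Query:
        port = self.rng.randrange(PORT_SPACE) if self.randomize_port else FIXED_PORT
        self.pending = Query(qname, port, self.rng.randrange(TXID_SPACE))
        return self.pending

    def receive(self, resp: Response) -> bool:
        """Accept the first reply whose port, txid and qname match the query
        in flight. The unfixed core flaw modelled here: glue for any name
        inside the zone is cached, silently overwriting existing records."""
        q = self.pending
        if q is None or (resp.port, resp.txid, resp.qname) != (q.port, q.txid, q.qname):
            return False   # non-matching forgery is dropped
        for name, ip in resp.glue.items():
            if name == self.zone or name.endswith("." + self.zone):  # in bailiwick
                self.cache[name] = ip
        self.pending = None
        return True


def kaminsky_round(resolver: ToyResolver, rng: random.Random,
                   attacker_ip: str, attempts: int) -> bool:
    """One round of the race: bait the resolver into looking up a random,
    never-cached name in the target zone, then flood it with `attempts`
    forged replies whose glue points the zone's nameserver at the attacker.
    Each reply uses a distinct txid and aims at the pre-patch port."""
    bait = f"{rng.randrange(1 << 32):08x}.{resolver.zone}"
    resolver.send_query(bait)
    for txid in rng.sample(range(TXID_SPACE), attempts):
        forged = Response(bait, FIXED_PORT, txid, {f"ns.{resolver.zone}": attacker_ip})
        if resolver.receive(forged):
            return True
    return False


def success_probability(attempts: int, randomize_port: bool) -> float:
    """Chance that one round wins, given `attempts` distinct txid guesses."""
    p_txid = min(attempts, TXID_SPACE) / TXID_SPACE
    return p_txid / PORT_SPACE if randomize_port else p_txid


def demo(randomize_port: bool, seed: int = 1):
    """Seed a legitimate record, run one round covering every txid, report the result."""
    resolver = ToyResolver("example.com", randomize_port, random.Random(seed))
    resolver.cache["ns.example.com"] = "192.0.2.1"       # constructed legitimate glue
    poisoned = kaminsky_round(resolver, random.Random(seed + 1), "203.0.113.9", TXID_SPACE)
    return poisoned, resolver.cache["ns.example.com"]


if __name__ == "__main__":
    for randomized in (False, True):
        print("randomized port" if randomized else "fixed port", demo(randomized),
              "per-round odds with 2^16 guesses:", success_probability(TXID_SPACE, randomized))
```

With a fixed source port, one round that enumerates all 2^16 transaction IDs always poisons the toy cache, and the existing `ns.example.com` record is replaced even though the query was for a throwaway name. With the port randomized, the same flood lands with probability 1/65536 per round, so the attacker needs on the order of 2^16 rounds on average; the resolver's acceptance of out-of-query glue has not changed at all, which is what "mitigated, not fixed" means here.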
Here is exactly that. Banks (Bank of America) uploaded, via FTP, customer data to Acxiom, which got stolen and used by spammers. Could have been worse, this guy seems to have thrown away everything he didn't need to send spam. The original investigation was a different gent who accessed customer info while a contract employee at Acxiom.
Attempts were made to make it a legal requirement to notify the public after such a breach, I don't know the status of those laws.
From a PCI DSS compliance standpoint, the fines for being a non-compliant tier 1 were pretty strict. Hannaford stated that it was fully PCI compliant. From what little I know of Hannaford's actual operation, it's hard to say, but I would think they should have had to answer "no" to a few more checkbox items.
The problem is that credit card processing companies will threaten non-compliant retailers with shutting down their authorization until they achieve compliance, or are making provable headway. So Hannaford may have had to make some quick decisions to get themselves certified, and some of those decisions seem to have bitten them. PCI DSS requires that a retailer be audited by a certified third party vendor. This amounts to the most expensive NMAP report you will ever see. This report, along with your self-evaluation checklist, is the proof of compliance.
The true cost of these breaches to the companies isn't known yet. The consumer lawsuits for Hannaford are just getting off the ground, and I don't know of any bank suits yet. This is why Hannaford is touting their compliance, "Hey, we were certified and in full compliance with regulations, therefore, it's not our fault, blame the insufficient regulations". In TJX's case, they offered a choice of $30 gift card or $15 cash to every customer involved in the breach. I've seen 45MM cards in the media, and reports of up to 90MM cards in reality. So if everyone takes the cash, they're looking at over a billion dollars just in cash payouts to customers. That's about 7% of their annual revenue.
It is pretty discouraging though that there aren't more visible signs of real change happening at these two chains. There is no real incentive for companies to protect consumer data, and that's a shame. Hopefully the large lawsuits carry some real penalties.
It's not about the probability of someone breaching 56-bit DES, it's about the consequences.
How about Hannaford or TJX using weak keys? Their CSO should be weighing the cost of changing their infrastructure to not use wireless, or using strong keys, MAC Filtering and firewalls to mitigate their exposure vs the risk of losing 47,000,000 credit and debit card numbers.
The CSOs of those companies would need to weigh different factors than businesses with no B&M retail outlets. It's about deciding "How much is my data worth", "What are the consequences of that data being exposed" and "Based on those two answers, here's the broad strokes of our Information Security strategy".
Does that risk belong to the company alone, as in the case of a manufacturing company making proprietary widgets, or is the risk shared with the general public, as in the case of a supermarket with a horrific and weak wireless policy? Those are the kinds of questions CSOs should worry about, not "What model of firewall do we use", as the summary was saying.
The VPN example was flawed, sure. But if you think in terms of the consequences it makes more sense. If you're sending credit card data over a 56-bit DES tunnel, and someone intercepts and decrypts that traffic, that's horrible. More horrible will be the impact to the company when the department is shown as negligent for having relatively weak crypto.
Business value and risk (on The Pragmatic CSO)
That's a tough thing for security professionals to draw a distinction with. Everything a company does should weigh the business value of a proposed technology vs the risk of what happens if that technology breaks. So if you have an old firewall or licensing restrictions that won't let you use 3DES or AES for your VPN, and are stuck with DES, the company (CSO) should be weighing the cost of upgrading vs the risk of loss to the company if your DES VPN is broken.
If you have credit data passing across, there may very well be PCI/DSS issues and fines, but if the VPN is just there to pass pictures of kittens from one site to another, you might not care and may not need 3DES or better.
Many security professionals see this as sub-optimal, and will bitch. However as long as the senior management is aware of the risk and has decided it's a risk worth taking, then you've done your job as a security person.
Yeah, that used to work, well, it used to outline the whole thing. In any case, I've locked and then unlocked the widgets, to no avail. I've deleted ~/.kde4 and restarted X, to no avail. It's probably still my machine though somehow.
Try to make a bookmark in Konsole for "ssh -l ASA 10.250.1.254". First, just typing it in the Bookmark manager is a bitch, but you can't have capital letters, at all, even if you change the bookmarks.xml, it changes them to lower and rewrites the file.
I'm obviously trolling for some answers with these posts, so hopefully someone knows some workarounds, and especially what we found that sped up the GUI by tons, which I just can't remember at all.
I've been using every weekly build for SuSE 10.3 since 4.0 came out and have seen it get more and more stable. I have some issues, some are KDE's fault, some aren't.
No OTR for Kopete yet, which is in Kopete 3.5
In Kopete, if you're logged in, and log in from another computer, rather than saying "there are now two of you logged in", it crashes
Okular (Awesome!) keeps losing the ability to show me PDFs. I figured this out and fixed it once, then it broke a couple of builds ago and I can't remember what I did.
I've never successfully burned a CD with k3b 4.x
There is a checkbox that is basically the "make KDE go fast now" option, if I wasn't on a Mac right now, I'd say where it is exactly. The box is set to "slow" by default
I can't figure out how to move plasmoid applets around the desktop. So if I have a weather applet, it goes in the top left corner and can't be moved. Luckily, if I make a Folder Browser plasmoid, it goes right over the weather one, and also can't be moved, so...problem solved?
Those are the ones that I've had problems with that are KDE's fault. This one probably isn't, but it makes 4.0 worthless to me:
Horrible graphic tearing, mostly in KDE 3.5 apps or GTK apps (kpdf, Thunderbird, Firefox, also any rdesktop session). This seems to be due to using a compositing desktop. I notice it in Compiz too under 3.5. I believe the issue might be that for anything to work, you should sync on vblank, however if you have multiple monitors, sync on vblank freaks out and makes things worse?
Overall though, I really like it, especially since someone clued me in to the Make It Fast setting. This is coming from a KDE user since 1.x. I loved 2.0 when it came. Hated 3.0 (which grew into my favorite GUI of all time including OSX), hated 4.0, like 4.1 OK so far.
Those are pretty much the settings I arrived at in my "More Memory = More Better" hunt around the phone.
Prior to my initial bump to 4MB, the browser would crash whenever you hit the Menu button in Opera Mini, so bumping up the memory definitely helped a lot, but doesn't seem to have completely solved everything.
I really like it, until it crashes and I have to take the battery out, which ends up being 1 in about every 20 sessions or so. I'd really like to see it work well, Opera Mini has a lot of potential.
Opera Mini kind of sucks, it gets all crashy on my Centro, yet no other mobile browser is coming out for Palm. I like the feel of Opera Mini, but the proxy, or the fact that it's Java, means that pages load much more slowly than with Blazer.
Does anyone have any suggestions, beyond cranking up the memory available for Java apps and threads (which I've done, and it made a huge positive difference), that might make it more stable?
How much CO2 is going to be introduced by the quarrying of limestone, shipment of limestone, shipment of lime, etc?
I know that TFA says they'll more than offset the carbon created in the transformation of limestone into lime and CO2, but how much carbon is going to be released by all the trucks, ships, etc involved in the process of shipping a few billion tons of rock from one place to another?
Man, she's just asking for it now. Next thing you know she'll say she has her mail in USPS mail trays right by her front door.
Why drive around and crack WPA networks when there is so much low hanging fruit? With an unsecured network, you're just advertising an easy target.
DNSSEC vs. IPv6, let's race 'em!
Dear Science,
I'd love to be muscular and have better endurance, but I will never be willing to quit smoking and exercise, please get on this for me.
Sincerely,
Every /. Nerd
I knew Science would have my answer.