Slashdot Mirror


User: Securityemo

Securityemo's activity in the archive.


Comments · 994

  1. Re:Pepper spray is torturous. on Indian Military Hopes to Weaponize the Searing "Ghost Pepper" · · Score: 1

    That's very informative.

  2. Pepper spray is torturous. on Indian Military Hopes to Weaponize the Searing "Ghost Pepper" · · Score: 2, Insightful

    ...Isn't this going to be a war crime, even if it's very good at neutralizing personnel for a while without killing them? Granted I've never been hit with pepper spray or similar, but from the descriptions given by police cadets (having to have a dose used on themselves before being allowed to use it) I would probably (besides the self-defense trial issues) batter someone quite severely rather than spray them with that stuff. And that's *normal* pepper spray. It would probably be used for temporary area denial (or whatever the proper military term is), sure, but when I saw this I got quite vivid flashes of screaming women and children.

  3. Re:Couldn't Happen on Chinese Researcher Says US Power Grid Is Vulnerable, Strategist Overreacts · · Score: 2, Informative

    You go back in time and tell that to the political prisoners in the gulags. Russia was hell under communism. Why was there corruption? Because the system didn't work at all. Now, as a Swede I can firmly give a reasoned and experienced backing of extensive socialist policies apparently considered "extreme" in the US, but don't confuse that for "communism".

  4. Re:This is just silly, but no harm done. on Chinese Researcher Says US Power Grid Is Vulnerable, Strategist Overreacts · · Score: 1

    True. But yes, I do say Wortzel *is* unqualified to provide analysis of the subject if he can't understand the implications; it would seem that he thought he did, and acted accordingly. He thought he did, in fact, so clearly that he felt confident to speak in front of the US congress about it. The more I say it in my head, the sillier it sounds; would an apparently experienced analyst-person-thingie seriously do something like that? Maybe he *did* consult with someone, and they fed him a bad picture of the research?

  5. Re:So, why expose yourself like that? on US Law Firms Targeted By Cyberscams · · Score: 1

    You're right, trusting the word of the client that the debtor would pay. But that's even crazier.

  6. Re:This is just silly, but no harm done. on Chinese Researcher Says US Power Grid Is Vulnerable, Strategist Overreacts · · Score: 1

    True. I didn't consider that aspect of the issue. However, you'd think that people like this would be let in, but kept under constant surveillance. He's a Chinese academic after all, not a Middle Eastern terrorist suspect; I've always seen the no-fly list as being used solely against Arabian enemies and suspected sympathizers. A Chinese academic would be more of a problem for the counter-espionage, yes? Also, if he comes to the US, he's probably coming to work for a major corp (at least initially) which might mitigate such problems somewhat? Or am I ascribing actual competence and level-headed calculation to a system full of hysterical crazy?

  7. This is just silly, but no harm done. on Chinese Researcher Says US Power Grid Is Vulnerable, Strategist Overreacts · · Score: 2, Interesting

    I guess the profile of the Chinese being ultra-patriotic and always acting in the best interest of China, together with the nagging (alleged) cyber-sleuthing on US networks makes this behavior understandable, but he's overreacting. However, the situation Wortzel described could have been real, and there's no way for him to judge. The alert seems to have been canceled already, so problem solved. No black helicopters with identity-less elite commandos arriving in the night to slit the throat of an innocent geek, no.

  8. Re:So, why expose yourself like that? on US Law Firms Targeted By Cyberscams · · Score: 1

    So had they had time to transfer money from that account, to another, they would have gotten away with it? You obviously can't take out that much money in cash that rapidly, but how far/where would you need to "bounce" the money in order to escape the chargeback? Numbered Swiss/Luxembourg accounts? Transfer of the money into some sort of easily-liquidated assets (stocks, etc.)?

  9. The computer is your friend, citizen. on "Computer Glitch" Responsible For 50 Raids On Retirees' Home · · Score: 1

    The computer is happy. :D
    The computer is crazy. :3
    The computer will help you become happy. :D
    This will drive you crazy. <_>

  10. I'd do it the slow but secure way. on Need Help Salvaging Data From an Old Xenix System · · Score: 5, Insightful

    Even if it would take weeks. You're handling a historical relic, don't want to mess it up.

  11. So, why expose yourself like that? on US Law Firms Targeted By Cyberscams · · Score: 1

    So, basically, the attorney/law firm covered for the client's ability to pay? I guess things like this are necessary to make things run smoothly in business, but it still seems a bit... naive, especially when you've never met the client in person. And especially when it's a check. Instant wire transfers would have made this particular problem moot (obviously), but since the client just assumed they would accept a check they did it out of professional courtesy?

  12. Diplomat: "We're a peace loving democracy!" on Invisibility Cloak Created In 3-D · · Score: 1

    Motoko: "Is that a fact?"
    *KRAKRAKRAK* *beautifully drawn head asplosion*
    Aide: "Out the window! Shoot!"
    (Embassy mooks fail hit roll)
    Aide: "Thermoptic camouflage..."
    (Cue intro)

  13. Re:Yo Mamma... on Invisibility Cloak Created In 3-D · · Score: 1

    No. His Mamma is an eldritch abomination, see, and a 3D cloak *can't* hide her. Well, it can hide the part of Her that intrudes into our universe, which I guess is scary enough.

  14. Re:Best SSID on Auto-Scanning the Names People Choose For Their Wireless APs · · Score: 1

    They were lying.

  15. Re:So... WTF is "Free Public WiFi" really doing? on Auto-Scanning the Names People Choose For Their Wireless APs · · Score: 1

    Yeah, but *that many*? Dress up like an admin/security guy, try walking around with kismet (audible ping feature turned on) while glancing suspiciously at everyone with a laptop, and see which ones start to sweat? More likely, it's a botnet attack, if it's not the bug described above.

  16. This is interesting, can this happen? on Server Room Smells Can Be an Early Warning · · Score: 2, Interesting

    I've never physically been inside a data center, but I'd have thought that the locales would have really good ventilation, that would simply shut close (or rely on gas weight and gravity) if the halon system or equivalent would need turning on. The ventilation is in fact so bad, there can be a gas buildup so severe you need to (according to posters above me) go in with hazmat gear?

  17. Re:Ooooga Booooga oh S#!t on Server Room Smells Can Be an Early Warning · · Score: 2, Informative

    Leave the area for a while, 'til the brain stops ignoring the smell again?

  18. Okay... on Canada's Top Court Quashes Child Porn Warrant · · Score: 5, Interesting

    Will he have his computer back now?

  19. Of course. You have to build up the correct suspension first, if you're not going the "surprise proof-of-concept 05.00 in the morning" route. It's just how these things are done.
    People just have no respect for good professional showmanship.

  20. Re:So this just shows, that you can't relax. on Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release · · Score: 1
  21. Re:So this just shows, that you can't relax. on Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release · · Score: 1

    Personally, I just run Arch with the standard security (ASLR, not sure about NX), and use an OpenBSD VM when I need to touch "places" that have a risk for targeted attacks. I even run sudo without password prompting. For hardening Windows boxes, take a look at eEye's products? Frankly, however, I don't know about exploitation prevention frameworks/apps on Windows (other than signature-based IDS) either.

  22. Re:So this just shows, that you can't relax. on Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release · · Score: 0, Troll

    Currently, you *can* relax about _malware_ if you're on Linux/*nix, because it's just not a target. Windows 7 has good security on the native-level front, with stack/heap NX, and full ASLR, but both of these can be coded around, in many exploit situations. It's still better than many end-user-oriented Linux dists, code quality notwithstanding. Also, you forget one attack vector, and perhaps the easiest in terms of not having to deal with security measures: having the payload embed malicious code in the browser itself and steal data from, say, banking sessions.

  23. This goes contrary to what I've heard. on IRS Security Faults Leave Taxpayer Data At Risk · · Score: 2, Interesting

    A long while back, someone came in on Slashdot and claimed to have consulted/worked with the IRS, and described a security culture and tolerance for hair-trigger detection measures that would make any security fascist drool. So these problems would most likely be on a purely bureaucratic level, then?

  24. Re:What kept them? on Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release · · Score: 1

    Well, the code surface area exposed is pretty small, and the code is old and stable, but how do you know? Have you checked, run a fuzzer against it? (Only half joking. The punchline being, you never do know until you go look.)

  25. So this just shows, that you can't relax. on Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release · · Score: 2, Insightful

    Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc., until there's a bulletproof safeguard against them built into the OS/processor architecture.