The revelations overcame Edgar Maddison Welch like a hallucinatory fever. On December 1st, 2016, the father of two from Salisbury, North Carolina, a man whose pastimes included playing Pictionary with his family, tried to persuade two friends to join a rescue mission. Alex Jones, the Info-Wars host, was reporting that Hillary Clinton was sexually abusing children in satanic rituals a few hundred miles north, in the basement of a Washington, D.C., pizza restaurant. Welch told his friends the “raid” on a “pedo ring” might require them to “sacrifice the lives of a few for the lives of many.
https://www.rollingstone.com/p...
If they won't boot Alex Jones for inciting an armed simpleton to enter a pizza place demanding to search the basement for Hillary's secret child sex trafficking ring, they sure as hell won't boot Trump for anything.
"Focusing on users' needs" is not what the OSM Foundation does. OSM simply hosts map data in a database. That's it. Their only software is an API into that database, plus a web viewer and a couple of web-based map editors.
OSM does not make a mobile app, or routing software, or host a traffic conditions database. They didn't even write the rendering libraries that turn the map data into the image tiles you see on their own site! They use a renderer called mapnik. All those tools that exist today were built by independent third parties. Some are open source, while others are commercial.
The field is wide open for a Waze-like company to come along and use the OSM data as their map source. A couple have even been tried; I understand there's a fairly popular one in use in Germany.
I call BS on this anecdote after reading into it. Most agricultural zone systems have levels separated by multiple degrees (F), and there's no place on earth that's experienced that level of warming over a single decade.
Minnesota has always had pronounced extremes of weather, from -60F (-51C) to +114F (+45C). And this wasn't simply a single ten year rise in averages - the temps have been steadily rising since my childhood (several decades ago), back when we were Zone 2B. I was just noting that the last decade has not only continued the rise; but the old extremes no longer contain the current temperature range. Given that our average annual temperature has been rising by an average of 0.776F per decade, it's not all that surprising.
Also, we should be taking into account that plant hardiness zones aren't defined by the average temperature, but by the coldest minimum temperature experienced during a winter. It's those periods of extremes that kill off the non-hardy plants and animals, and that give the native plants the chance to outlast the invaders.
This has long been a concern of mine. Our area used to be in agricultural "Zone 2", meaning we'd usually experience a few-day snap of -22F winter weather. This killed off a wide variety of non-native pests, such as those that arrived here on trucks and railcars from warmer climes during the summers. After a decade of record warm winters, we've been re-classified as Zone 4 and the transient beasts never die off now. So we've now got emerald ash borers; gypsy moths; new wasps, bees, and ants; and various roaches and snakes we've never had to deal with before. They're killing vast numbers of native trees and plants.
Reread the summary above. The card numbers weren't on an "internet facing database." They were taken by malware implanted in their cash registers.
I take many similar precautions, but not all. (I have some utilities on my iPhone and will purchase on my credit card through it, but i don't do banking on it.)
One thing I also do is distrust certain certificates; generally those I recognize as having been issued by countries run by despots. For example, I'll personally never need a secure connection to any site in Turkey. So why should I trust their national issuer, when their government could theoretically abuse it to issue certs valid for any domain name? While widespread issuance of fraudulent certificates would certainly result in their removal from the browser and OS trusted root certificate lists, if they abuse their power to issue very specifically targeted certificates for spying purposes, they probably wouldn't get caught.
Just because Turkey convinced Mozilla or Microsoft to trust their issuers, doesn't mean I have to.
No cop is going to bother going through the legal means when nobody supervises the use of the tool.
The nice thing is that the cops are buying license packages, so there is a supervisor - the company licensing the tool is counting every phone decrypted. Once the cops open 300 phones, they have to pony up for the next batch of phones. This means they're limited by money: they won't open a phone unless there's a reasonable expectation that it'll pay off. That will significantly slow down the "let's snoop on every phone" approach.
The FBI is mostly whining because they want on-line real-time undetectable wiretapping. Cracking open a locked phone is no different than gaining a warrant and taking the phone in the first place - the suspect is aware that his phone has been taken (or is dead), and it usually happens only after a serious crime has been committed and the suspect has been identified. I have no problem with police using tools to examine evidence after a crime has been committed.
But demanding flawed cryptographic algorithms, on the other hand, permits drift-net trawling of everyone's phones. Did you text someone about the weapon or the assassination plot? These crimes can now be thwarted before the victims are injured -- look, our pre-crime unit saves lives! But the drift-nets don't discriminate, and gather information about misdemeanor or non-criminal activity, too: small drug sales, shoplifting, or in the case of the Cheetohead-in-charge, researching climate change, donating to Hillary, or badmouthing Putin.
If anything, the current administration is so corrupt that the FBI themselves should be putting on the brakes, saying "no, we don't even want the tools to exist since you're just going to use them to ask us to further violate the Constitution for you."
"based on the designs of the existing studies, it is difficult to definitively conclude that these negative results clearly indicate that cell phone RFR is not carcinogenic."
This is how a priest justifies the existence of a religion, not how a scientist describes a fact.
Come back to us when you actually have positive results, not some phony belief.
Not until I can block everything that leaks out, like I do with NoScript today. I don't know when that might be, but if it isn't soon, I'll have to switch to Pale Moon.
Privacy and script blocking are far more important to me than speed or stability.
What you can do is submit your public key to an online checker, like https://keytester.cryptosense.... and see if it's vulnerable.
"...no way for an OS to detect it."
It's not easy, but it can be done. The USB keyloggers present themselves over the USB bus as a keyboard, but not necessarily YOUR keyboard. They will have the same USB vendor/device ID across all of the devices. So look for that ID in place of your normal keyboard. Boom, detected in software. ;)
And Boom, doesn't go the dynamite. Take a look at some of the Hak5 products, like the Bash Bunny or USB Rubber Ducky. They allow the owner of the device to specify whatever VID/PID combination they want; they actually recommend you change it from their defaults so that scanning for their default VID/PID won't get you caught.
Besides, you can't simply block alternate keyboard IDs anyway, at least not in America. The Americans With Disabilities Act will quickly be invoked by someone who needs an alternative input device in order to do their job. Perhaps they're in a wheelchair and need a wireless keyboard or mouse. Blocking random USB HID devices turns out to be a real problem for them.
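The detection idea in the exchange above (look for a keyboard-class device whose vendor/product ID is not the one you issued) and its weakness (an implant can copy the real keyboard's VID/PID) can both be handled by auditing the HID inventory on two axes: unknown IDs and the number of keyboard-class devices present. The following is an added example, not code from any commenter or from the Hak5 products mentioned; the device records are constructed to carry the fields a HID enumeration would give you, and the VID/PID values are placeholders, not real vendors.

```python
"""Audit the USB HID devices attached to a workstation for keyboards that
are not on an allowlist, or for more keyboards than expected.  Added example:
the records below are constructed to carry the fields a HID enumeration
would give you (vendor id, product id, interface protocol); they are not
output from any real tool, and the VID/PID values are placeholders."""

from dataclasses import dataclass

# HID boot-interface protocol codes from the USB HID specification
HID_PROTOCOL_NONE = 0
HID_PROTOCOL_KEYBOARD = 1
HID_PROTOCOL_MOUSE = 2


@dataclass(frozen=True)
class UsbDevice:
    vid: int        # USB vendor id
    pid: int        # USB product id
    product: str    # product string reported by the device
    protocol: int   # HID interface protocol (see constants above)


def audit_hid(devices, allowlist, expected_keyboards=1):
    """Return (severity, message) findings for a list of UsbDevice records.

    allowlist is the set of (vid, pid) pairs this workstation should have.
    Two checks: a keyboard-class device whose VID/PID is unknown, and more
    keyboard-class devices than expected.  The second check still fires when
    an implant copies the real keyboard's VID/PID, because it adds a device.
    """
    findings = []
    keyboards = [d for d in devices if d.protocol == HID_PROTOCOL_KEYBOARD]
    for d in keyboards:
        if (d.vid, d.pid) not in allowlist:
            findings.append(
                ("high", f"unknown keyboard {d.vid:04x}:{d.pid:04x} ({d.product})"))
    if len(keyboards) > expected_keyboards:
        findings.append(
            ("medium", f"{len(keyboards)} keyboard-class devices attached, "
                       f"expected {expected_keyboards}"))
    return findings


# Constructed inventory: placeholder VID/PID values, not real vendors.
ALLOWLIST = {(0x1111, 0x0001), (0x1111, 0x0002)}   # the issued keyboard and mouse
BASELINE = [
    UsbDevice(0x1111, 0x0001, "Corporate Keyboard", HID_PROTOCOL_KEYBOARD),
    UsbDevice(0x1111, 0x0002, "Corporate Mouse", HID_PROTOCOL_MOUSE),
]
# Scenario A: an extra keyboard-class device with its own (unknown) VID/PID
WITH_UNKNOWN_ID = BASELINE + [
    UsbDevice(0x2222, 0x0099, "HID Composite", HID_PROTOCOL_KEYBOARD)]
# Scenario B: the extra device reports the same VID/PID as the real keyboard
WITH_CLONED_ID = BASELINE + [
    UsbDevice(0x1111, 0x0001, "Corporate Keyboard", HID_PROTOCOL_KEYBOARD)]


if __name__ == "__main__":
    for name, inventory in (("baseline", BASELINE),
                            ("unknown id", WITH_UNKNOWN_ID),
                            ("cloned id", WITH_CLONED_ID)):
        print(name, audit_hid(inventory, ALLOWLIST))
```

The count check is what survives the VID/PID spoofing objection: a cloned ID gets past the allowlist but the workstation now has two keyboards. The accessibility objection is handled at policy level rather than in code, by adding the approved assistive device's ID to the allowlist and raising `expected_keyboards` for that user.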
He should change his major to "Hacking"; problem solved!
And he can hand out copies of his verdict when asked for his "Certified Unethical Hacker" (CUH) credentials.
I just hope some of the classes he faked his grades in were Comp Sci so when he gets out of prison he can go to work for a spammer.
Catalonia has become Cataloffia.
Is this "Spexit" or "Cexit"?
When my grandmother passed about 20 years ago, the family got together to empty the house to sell it. We loaded her old refrigerator on to a truck, and hauled it to the dump (where the guy helping unload it from the truck commented that it was still cold!) On the back was the date of manufacture: 1941. That thing had kept food cold for nearly 60 years.
And you know what? That old fridge was so inefficient that it cost her far more on her electricity bill than if she had thrown it away in 1980 and bought a new one. 60 year reliability was certainly a positive quality, but efficiency was definitely a negative quality that far surpassed it in terms of cost of ownership.
A washing machine from 20 years ago would likely use about 45 gallons of water per wash load, regardless of the load size. A smart HE washer from 2017 uses a sensor to measure the load, and uses between 5 and 20 gallons. Even in a place where water is cheap, heating the water costs. And the amount of electricity consumed by a modern direct drive motor is a fraction of the belt-driven beasts of the past.
Does that mean your washer should break down after five years, just so you can benefit from whatever gains in efficiency they've made? Of course not. But it does imply that buying a washer built to last 60 years is a waste of money.
2FA, or even just smart cards alone, would protect against all forms of password stealing. Logging a smart card transaction doesn't get you a replayable password, it only gets you a token that's already been consumed by the legitimate user. Plus, smart cards are a lot easier to use than passwords, so your users would love you for it. (Most users, anyway; some will inevitably complain that they can't use an app on their phone.)
Convenience has its price, however -- without 2FA, a smart card is susceptible to physical theft. But defending a possession against theft is something most people are already pretty good at. The same can't be said for computer security.
Getting companies to agree on a security standard? Good luck with that, there's always going to be the profit-oriented company willing to sell their lightbulbs 15% cheaper, and have them cost 4 times less, undercutting and eventually buying off competition.
Right now, the designers of WiFi light bulbs throw a SoC in the socket and a few LEDs on the heatsink, and because there's no standard, each company makes up their own bare-bones data connection for "on/off", and supplies a clunky iOS and Android app. Nobody reviews the protocols, they shove whatever no-name distro and web server they can think of into the SoC, and ship it.
So the way to improve on this is to have an externally defined standard for IoT devices. The standards need to address all of the security problems. That means having a secure way to deliver updates. It can't be poking giant holes in home users' routers via UPnP. It needs to have a secure communications channel. It has to use high quality cryptographic algorithms. It must be completely open and free. Ideally it should be easier for manufacturers to download a reference implementation than it is to write their own, or to buy something. And of course it needs to be fully subject to review.
What the standards really need to succeed in the eyes of the public is a championing body, with a logo, a certification body, rules, and an insurance fund. Stores need to feature signs like "This device's cyber security is guaranteed up to $5000 by the manufacturer, a member in good standing of The Secure Testing Industry Group (STIG)." The logo should become as common as the UL, CE, and ETL logos seen on electric appliances everywhere. Something that says "if you get hacked because our device was vulnerable, we'll pay you money."
Then, we need retailers to get behind this. Make sure every web site selling them features The STIG certification logo right next to the stupid "Trust me" lock. The big box store shelves need to have signs proclaiming "Security certified by The STIG products sold here".
Putting money on the table puts incentive on the manufacturers to be as secure as possible, and to patch things as quickly as possible. And it gets consumers to prefer it over an unlabeled brand.
Cyber insurance rates are already risk based. The insurance company will set your rate based on the level of competence in security you demonstrate.
...and now 5 years later they notice it? Why are companies like that still allowed to stay in business?
My guess is that the evidence of the attack from 5 years ago has long since been destroyed. Disqus *never* noticed it themselves, they were only recently informed of it by Troy Hunt, who obtained a copy of the stolen database and then contacted them.
Anyway, there isn't a law against being incompetent. There may still be consequences, however, if their clients get mad at them for this breach and abandon disqus in favor of another commenting system.
And that in no way defends the incorrect assertion of the article's author that associates SHA-1's flaws with this attack, which was the entire point I was trying to make.
Regarding the security of the password hash database that was stolen, I was assuming a few things: that the attackers are lazy, and while they might try a rainbow table, they won't bother brute-force hashing salted passwords; and that when disqus says they used a salted hash, that they actually used a proper per-user salt algorithm, and not a common-to-all-users salt.
And yes, any scheme can still be brute-force attacked with a limited list of common passwords. Even PBKDF2() hashed passwords can be brute-force attacked with a very limited number of common passwords (perhaps the top 10, like "password", "abc123", etc.) and no doubt more than a few user accounts will fall. This being disqus (not exactly a high security site), I have to wonder how many of their users reused their same passwords on their banking or other high value shopping sites? Account takeovers that exploit a common password across multiple sites seem to be the most damaging form of attack in use today, so I suppose it's prudent to assume that this database is no exception, and that the attackers aren't as lazy as I had assumed.
Of course if they used a common-to-all salt, you can bet that Troy Hunt will start building a rainbow table soon (if he hasn't already begun to do so.) And I'd be even more concerned about the security of that password.
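The three assumptions in the comments above (per-user salt versus a common-to-all salt, a rainbow table only paying off against a shared salt, and a short list of common passwords still cracking PBKDF2) can be checked concretely on a small constructed table. The following is an added example using only the Python standard library; it is not Disqus code or anything from the commenter, and the "leaked" records, salts and common-password list are constructed for illustration.

```python
"""Why the per-user salt matters for a stolen hash database, and why even a
deliberately slow hash still falls to a handful of common passwords.
Added example using only the standard library; the 'leaked' records and the
salts are constructed, not from any real breach."""

import hashlib
from collections import Counter

COMMON_PASSWORDS = ["password", "abc123", "123456", "qwerty"]  # constructed short list


def sha1_salted(password, salt):
    """Fast salted hash of the kind an older site might store: SHA-1(salt || pw)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_salted(password, salt, iterations=100_000):
    """Deliberately slow hash: each guess costs `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_records(hash_fn, shared_salt):
    """Construct a leaked-style table: three users, two sharing a weak password."""
    users = [("alice", "password"), ("bob", "password"),
             ("carol", "Tr0ub4dor&3-long-unique")]
    records = []
    for i, (user, pw) in enumerate(users):
        # constructed salts; a real site would draw per-user salts from os.urandom
        salt = b"global-salt" if shared_salt else f"user-salt-{i}".encode()
        records.append({"user": user, "salt": salt, "hash": hash_fn(pw, salt)})
    return records


def shared_salt_detected(records):
    """A single salt across the table means one precomputed table covers everyone."""
    return len({r["salt"] for r in records}) == 1


def duplicate_hash_users(records):
    """Users whose stored hash equals another user's.  This only happens with a
    shared salt, and it leaks that those users chose the same password."""
    counts = Counter(r["hash"] for r in records)
    return [r["user"] for r in records if counts[r["hash"]] > 1]


def audit_common_passwords(records, wordlist, hash_fn):
    """Defender's audit: which users chose a password from the common list?
    Per-user salts stop precomputation but not this per-user guessing, and a
    slow hash only raises the cost per guess; the list stays short."""
    weak = []
    for r in records:
        for guess in wordlist:
            if hash_fn(guess, r["salt"]) == r["hash"]:
                weak.append(r["user"])
                break
    return weak


if __name__ == "__main__":
    for shared in (True, False):
        table = build_records(sha1_salted, shared)
        print("shared salt" if shared else "per-user salt",
              "| duplicates:", duplicate_hash_users(table),
              "| weak:", audit_common_passwords(table, COMMON_PASSWORDS, sha1_salted))
    slow = build_records(pbkdf2_salted, shared_salt=False)
    print("pbkdf2 | weak:", audit_common_passwords(slow, COMMON_PASSWORDS, pbkdf2_salted))
```

With the shared salt, alice and bob have identical stored hashes, so a single precomputed table (or a single guess) opens both; with per-user salts the hashes differ and the table has to be rebuilt per user. Neither salt scheme nor PBKDF2 saves a user whose password is on a four-entry list, which is the commenter's point about the top-10 passwords.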
Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.
Except that's not what happened. These cameras were bought by ordinary people who have no idea what "port forwarding" is; they did not follow any instructions to open a hole on their router. They simply went to the store and bought a camera, and then installed a camera app on their phone. That's it. Internally, the camera sent a UPnP message to their router that opened a hole back to the camera, where the camera's weak telnet server and default passwords allowed the bot attacks to succeed.
These people did nothing more than purchase a device that did exactly what it promised on the label. It's not their fault the device accomplished the task by silently screwing their security over.
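The failure described above leaves a trace a home user or administrator can check: the router's UPnP IGD port-mapping table. The following is an added example, not code from the comment or from any camera vendor; it parses GetGenericPortMappingEntry responses (the WANIPConnection service's own response format) and flags any enabled mapping that lands on a LAN device's management port. The SOAP bodies, addresses and descriptions are constructed placeholders, not captures from a real router, and fetching the real table from a router is left to whatever UPnP client you use.

```python
"""Audit a router's UPnP IGD port mappings for holes that point at a LAN
device's management ports.  Added example: the SOAP responses below are
constructed to follow the WANIPConnection GetGenericPortMappingEntry
response format; they were not captured from any real router, and the
addresses and descriptions are placeholders."""

import xml.etree.ElementTree as ET

# Internal services a consumer device should never expose to the internet
RISKY_INTERNAL_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http admin", 554: "rtsp"}

RESPONSE_TEMPLATE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse
        xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{ext}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{internal}</NewInternalPort>
      <NewInternalClient>{client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""

# Constructed table: a camera that punched two holes for itself, plus a
# mapping a user added on purpose that lands on a non-management port.
SAMPLE_RESPONSES = [
    RESPONSE_TEMPLATE.format(ext=23, proto="TCP", internal=23,
                             client="192.168.1.50", desc="IPCam"),
    RESPONSE_TEMPLATE.format(ext=8080, proto="TCP", internal=80,
                             client="192.168.1.50", desc="IPCam"),
    RESPONSE_TEMPLATE.format(ext=51413, proto="TCP", internal=51413,
                             client="192.168.1.20", desc="torrent"),
]


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def parse_mapping(soap_xml):
    """Extract one port mapping from a GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)
    resp = next(e for e in root.iter()
                if _local(e.tag) == "GetGenericPortMappingEntryResponse")
    fields = {_local(child.tag): (child.text or "") for child in resp}
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_port": int(fields["NewInternalPort"]),
        "client": fields["NewInternalClient"],
        "enabled": fields["NewEnabled"] == "1",
        "description": fields["NewPortMappingDescription"],
    }


def audit_mappings(mappings):
    """Return a finding string for every enabled mapping onto a risky internal port."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        service = RISKY_INTERNAL_PORTS.get(m["internal_port"])
        if service:
            findings.append(
                f'{m["client"]} exposes {service} ({m["protocol"]} {m["internal_port"]}) '
                f'on external port {m["external_port"]}, mapping "{m["description"]}"')
    return findings


if __name__ == "__main__":
    for line in audit_mappings([parse_mapping(r) for r in SAMPLE_RESPONSES]):
        print(line)
```

The audit keys on the internal port rather than the external one because devices commonly remap (telnet on external 23 here, the admin web UI on external 8080); the external port number says nothing about what is actually reachable. The durable fix the comment points at is turning UPnP off at the router so the table cannot grow on its own.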
Years ago, I used Yahoo!'s OAuth provider to sign up on lots of sites. That sure kept my accounts secure! :-/
"About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers,"
Sigh. If you're going to pick a quote, pick one that states a meaningful fact. SHA-1's flaw is that it allows a pre-image attack, where an attacker can craft a duplicate message that yields the same hash value as a different message, which is very useful for forging signatures on certificates. But that flaw is utterly useless for more efficiently brute force attacking a password that was hashed with SHA-1.
All the information I gleaned from this quote is that the author doesn't understand what he's talking about, and his writing isn't worth reading. Oh, and that my password on Disqus is still safe.