How do you test the circuits? How do you know that Joe's Random Generator is truly random? Tests for random number generators can only ensure they don't hit any known distribution patterns; but as the Dual EC DRBG fiasco showed, even a high quality random number generator can have an invisible back door.
And the number space isn't large enough to take a lot of chances. If Joe and Frank both get their corrupt RNGs in the vault, the number of tickets they have to buy to have a good chance of winning drops dramatically; they could sell their secrets to a gang who uses smurfs to buy the thousands of lottery tickets needed to guarantee a win of tens of millions of dollars.
You seem to keep repeating variations on "the attackers don't know enough to make an effective attack." But getting information is one thing that they're actually really good at. Once any black hat breaches a system, the first step is creating a reverse access hole, but the next step in the attack is recon. Figure out what you've gotten into. Find the important servers, like domain controllers, DNS servers, Exchange servers, web servers, etc. Search for documents describing the good stuff; servers, network diagrams, equipment locations, etc. And the larger the company, the more likely there's an internal wiki with helpful links to various document repositories. Wikis are a gold mine to an attacker. Search the average wiki for useful terms like 'password', and with any bad luck you'll find links to spreadsheets with passwords, links to password systems, the occasional default password to access some long-forgotten appliance, password reset procedures, new hire password request procedures and phone numbers, and search engines that index other documents like spreadsheets with passwords, etc. Multiply this by any topic the attacker is interested in, and it won't be long before he's doing real damage.
You can't rely on attacker ignorance to keep systems safe. They're way better than that.
Can you say which bank/which card that is? I'd love to get the security improvement of having a PIN rather than the silly chip+signature everyone else is doing.
(Yeah, I know it doesn't solve all problems with security, but it is at least a step in the right direction)
Chip and Signature is only slightly less secure than Chip and PIN. Both systems require the card to be present in order to generate an authentication, and neither can be skimmed or stolen by hackers. The only thing the PIN adds is the assurance that it's you that is using the card, and not some mugger who stole your wallet. But in the case of a mugger, as long as you call the bank to report the stolen card, you're not liable for any of the charges he incurred. You're inconvenienced for a few days while you await the replacement card, and that's about it.
PCI compliance has always been a complete and utter scam. The magnetic stripes on the bank's cards have never been secure. But instead of rolling out chip cards that have dynamically generated authentication codes, they said stupid, expensive things like "hey, retailers, spend a fortune on encrypting our crappy mag stripe cards" and "hey, retailers, go through an expensive audit of your systems to prove you're properly encrypting our crappy mag stripe cards" and "hey, retailers, you got breached because the bad guys copied our crappy mag stripe cards from your systems, we don't care if you were audited, pay up."
With EMV transactions, copying the transaction and card data is useless to a thief, because it can't be reused (well, at least now that they've plugged the known holes in their overly complex and crappy protocol.) But even so, EMV is truly the punchline to the old joke about "an elephant is just a horse designed by a committee." At least now it's functional, though, and quite secure. (Except for the card not present transactions, phone transactions, paper transactions, web transactions, stored recurring transactions, and pretty much anything that isn't Chip and PIN. The committee hasn't finished designing that elephant yet, but my guess is it will look like a blue whale when they're done with it.)
Once it becomes self sufficient, it will rebel anyway. Nobody could afford to send a tax enforcement and collecting rocket. And there's no way in hell any self-respecting Martian would vote for any of the current Earthican candidates for president - it's not like they could be represented by an off-worlder.
Nope, they should just plan for a 100% independent planet from Landing Day onwards. Their interactions with Earth should be through trade negotiations and contracts, just like any sovereign nation. And if that breaks down, we can always send in Jedi.
Electric cars technically are zero emission vehicles, and are a not-insignificant half of the pollution equation. They're not pretending anything - you're assigning the attributes to cars incorrectly.
It's shortsighted to suggest that there's no point to making electric cars because electricity is currently dirty; fossil fuel cars will continue to emit carbon even after you change the source of electricity to renewables. Get the fleets replaced with ZEVs, then as renewable producers replace carbon based generators on the electric grid, overall pollution will decrease.
Of course, if you could get every American to park their cars and walk everywhere, you'd simultaneously reduce pollution AND destroy the U.S. economy. Probably not a realistic approach.
This is really big news, 13 million Mac users were gullible enough to buy MacKeeper!
Just think how valuable that list really is. Those are people who are proven dumb enough to spend money on MacKeeper. If you had a copy and sent them just one or two mailings, you could probably get most of them to buy homeopathic medicines, copper bracelets, crystal pendants, and maybe donate to your Church of Perpetual Income.
Come to think of it, maybe that's MacKeeper's biggest revenue stream: renting out their list of proven suckers.
I think you've missed the even-more-sinister plot afoot. By announcing their intent to build a network, they're sowing confusion among under-served communities that have been considering building their own networks. The cities that have already built their own municipal networks have been extremely happy with them; they cost far less than a private network, and service is much more responsive than with the big network providers. The experiences are so good that more and more cities are considering them. Municipal networks are such a threat to the network providers that the telco lobbyists have gotten them outlawed in several states. By promising that a new network is underway, they are shutting down the discussions in the city councils in these cities so they won't even consider building their own.
Without a description of coverage and no completion date, they basically bought themselves five years of non-competition with little more than a press release. How's that for a return on investment!
So let me see if I understand Facebook's approach here: there are non-secure certificates. Facebook will fix the problem by downgrading connections to use non-secure certificates. Bad guys would never pretend to need a non-secure certificate. Therefore, Facebook remains safe?
George Bush (the elder) had the embassy building's top floors removed and rebuilt by American workers using Minnesota-sourced stone. Transmitters located in a nearby church, dubbed 'Our Lady of Telemetry', keep the embassy bathed in radio signals. Doesn't matter if there are or were actual listening devices or just a bunch of PN junctions, they were primarily thumbing their noses at the Americans.
It also doesn't help any that the top floors are also filled with NSA transmitters and receivers. The spying and attempted spying remains a two-way street.
What safety checks are in place to ensure the service doesn't just randomly manufacture these events?
If the service "manufactured" an incident, there would be no victim. This lady wasn't arrested simply because her car tattled, she was arrested because there was a hit and run accident with a victim, and her car's data put her at the scene.
Intel ships heat sinks and fans with all their retail-packaged CPUs. If you're buying a bare CPU from their OEM line, (perhaps from a local build-your-own shop, or many of the online sellers) they come without coolers.
First, it's MTBF, not "MTFB". Mean Time Between Failures.
"MTFB" was a direct quote from The Fine Article, which was either a typo or an idiot editor, and was propagated by the /. poster. It was a minor attempt at a joke. I know exactly what MTBF is.
MTTF is useful when the wear isn't actionable. MTBF would imply that I could do some maintenance like replace the bearings on a hard drive that has 100,000 hours on it and hope to get another 100,000 hours of life from it; but hard drives simply aren't economically serviceable components.
The MTTF makes a big difference to large installations. (I don't know what MTFB is besides a typo in the article -- Mean Time to Fail Badly, perhaps? In any case, MTTF is the better measure of hard drives as they're pretty much not worth repairing, as MTBF would measure.)
We have one installation that operates 60,000 hard drives that spin a total of 24*60000 = 1,440,000 hours per day. An MTTF of 2.5 million hours means I can expect one of these drives to fail every other day. While that would be much better than our current rate of 12 failures per day, and would save us a lot of money on maintenance contracts, it doesn't mean the drives are impervious to failure. It just means that their failures are less expensive than our current drives.
I also have a hard time believing any disk manufacturer's claims for longevity, because we often prove them wrong. We bought a handful of "enterprise class" drives for a dozen workstations that claimed a 1.2 million hour MTTF. We had 8 out of 24 drives fail within 50,000 hours (5 years), for an actual MTTF of less than 150,000 hours (the failures happened after burn-in but before the 5 year mark, which is when the machines were replaced.) Claims of 2.5 million hours MTTF just don't ring true.
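The fleet arithmetic in the comment above, worked as an added example (not the commenter's code): under the usual constant-hazard model, a fleet accumulating H drive-hours against a claimed MTTF m sees about H/m failures, and the same ratio run backwards turns an observed failure count into an MTTF estimate. The drive counts, hours and failure rates are the commenter's numbers; the function names are mine.

```python
"""Sanity-check vendor MTTF claims against a fleet's own failure data.

Assumes the constant-hazard (exponential) failure model that MTTF
figures are quoted under: a population accumulating H drive-hours
with MTTF m is expected to see H / m failures. Input values below are
the ones given in the comment (60,000-drive fleet, 24 workstation
drives); the estimators are added here, not the commenter's own.
"""


def expected_failures_per_day(drives: int, claimed_mttf_hours: float,
                              hours_per_day: float = 24.0) -> float:
    """Expected failures per day for a fleet that spins around the clock."""
    drive_hours_per_day = drives * hours_per_day
    return drive_hours_per_day / claimed_mttf_hours


def days_between_failures(drives: int, claimed_mttf_hours: float) -> float:
    """Average interval between failures implied by the claimed MTTF."""
    return 1.0 / expected_failures_per_day(drives, claimed_mttf_hours)


def implied_mttf_hours(drives: int, failures_per_day: float,
                       hours_per_day: float = 24.0) -> float:
    """The MTTF that an observed daily failure rate actually corresponds to,
    i.e. what the fleet is really getting rather than what the datasheet says."""
    return drives * hours_per_day / failures_per_day


def observed_mttf_hours(drives: int, hours_in_service: float,
                        failures: int) -> float:
    """Total-time-on-test estimate: accumulated drive-hours / failures.

    Every drive is counted as running the whole period, which overstates
    accumulated hours (failed drives stopped early), so the true MTTF is
    no higher than this value; that is the 'less than' in the comment.
    """
    if failures == 0:
        raise ValueError("no failures observed; MTTF can only be bounded below")
    return drives * hours_in_service / failures


if __name__ == "__main__":
    # 60,000 drives at a claimed 2.5 million hour MTTF
    print(f"expected failures/day: {expected_failures_per_day(60000, 2.5e6):.3f}")
    print(f"days between failures: {days_between_failures(60000, 2.5e6):.2f}")
    # 12 failures/day on the current drives
    print(f"MTTF implied by 12/day: {implied_mttf_hours(60000, 12):,.0f} h")
    # 8 of 24 workstation drives failed within 50,000 hours
    print(f"observed workstation MTTF: {observed_mttf_hours(24, 50000, 8):,.0f} h")
```

The 12-failures-per-day rate corresponds to an MTTF of about 120,000 hours, which is the gap between the 2.5 million hour claim and what the fleet actually sees.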
I second using a site like pcpartspicker. It can help you avoid some petty technical mistakes, like buying an under capacity CPU cooler, or a power supply without enough of the correct connectors and voltages for your cards.
One thing I've noticed about homebuilt rigs is that they are occasionally louder than normal. I think a lot of builders don't think about noise or airflow, and a lot of the cabinetmakers just provide a bunch of fan mounting points but they can't really consider the cooling needs of the particular motherboard and CPU you're dealing with. If noise is important (perhaps you're going to use it as a media PC in a home theater, too) then you can factor that in as well, or consider options like liquid cooling solutions.
The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plenty of other banks who will, and who will be grateful for your business.
Visa and the retailers originally figured U.S. customers would prefer chip-and-signature because it makes selling things "easy". But that's a pretty stupid attitude, because lots of people (including you and me) are wary about identity theft. Customers need to complain to their banks so that they learn we'd rather have PINs than signatures.
Overall credit card security will still remain terrible for a long time to come because static mag stripes still exist, and online card-not-present transactions still use static authentication data like CVV2 codes. What really needs to happen to actually improve security is that mag stripes and static numbers like CVV2 need to be flat-out outlawed. The recent "liability shift" is the opening salvo in the conversion, but we're probably still a decade away from actual security.
Manufacturers have long made custom versions of products for specific store chains, and not just TV sets. Pots and pans, clothing, furniture, most products are available to any store that's willing to pay for them. Some stores (like Walmart) have a specific price point, so the manufacturers produce a model without the chrome-plated knobs, the low contrast screens, and use only the cheapest cloned capacitors and dubious quality power supplies.
There's a lot of marketing power in it, too. Not only do they get to offer big TVs for ridiculously low prices, it's also safe to tout benefits like a "150% price match guarantee", when they have the exclusive contract to sell that exact model.
This new piece of malware shows sophistication of design, but that's not unheard of. Older malware was often customized by compile time switches and definitions; this just abstracts some of that away.
Many people (i.e. journalists and managers) think of malware authors as pimple-faced script kiddies hacking in their mothers' basements. They think that large, well-designed projects require teams of skilled developers who would only do so for a fat paycheck.
What's happened now is that vulnerabilities are so profitable that the threat landscape is no longer the exclusive domain of the single hacker - criminal gangs want a piece of it. They can afford to pay team salaries to engineer a solution.
And malware authors have learned to avoid the biggest risks of getting caught. In the old days a virus writer would also be the distributor. Modern authors get paid by selling their exploit code, along with customization and support contracts, to gangs of attackers. The attackers take on the risks, the developers collect fat checks. In some cases of vertical attacks (ATM skimmers for example), the "owner" of the malware uses cryptography to encrypt the skimmed data, preventing the low-level attackers from profiting from the stolen data. The profits go to the top first, and the paychecks cascade down (assuming honor among thieves.)
So what's newsworthy here is that they believe this malware to be further evidence of a new breed of well organized criminal software developers.
Because neonicotinoids are among the safest overall pesticides that have ever been developed. They very effectively target insects, but have very minor effects on mammals. The LD50 of Safari is over 2000 mg/kg of body weight in rats. They're rated category III by the EPA, which means 'slightly toxic and/or slightly irritating.'
The big problem is with bees. Neonics are supposedly 150X more lethal to bees than to any other insect genera.
The EU has already banned neonics (possibly because population density is higher and bees may be more shared than in the US); the US is dragging their feet.
Actually, they've known for several years that minute quantities of neonicotinoids cause bees to 'dance' incorrectly, so that the dance no longer correctly directs other bees to their discovery of nectar. The loss of food may be partly responsible for Colony Collapse Disorder. It's not surprising that this would also lead to reduced pollination.
I can think of two plausible but simplistic explanations; there are no doubt more.
First, they may have been waiting for better timing. Once you drop a bomb on a building, the scum-lickers learn they've been exposed and will not return. So they want to bomb the building when it contains one or more high value targets. Knowing when a high value target is inside requires you to have an intel source observing the building (or the target) at the same time the target is in the building and you have assets in position to level it. That doesn't happen very often. But due to the attack they have to respond quickly, so they are sending a different message by killing a bunch of low value targets in a lot of locations.
The other simplistic explanation is intel gathering. Getting a spy into their organization is not easy. If you bomb a building, you are revealing to the enemy that at least one of the people who knows about the building is a spy; or that you have the capability of intercepting some kind of traffic. To preserve the secrecy of the ULTRA program that decrypted German Enigma traffic, Britain developed an elaborate process for destroying U-boats in WWII. They couldn't just fly to the location of the submarine and drop depth charges as that risked revealing the Allies' ability to decrypt communications; instead, they scheduled weather-reporting planes to fly more missions in certain sectors; these weather planes would then "get lucky" and report the U-boat's position to the destroyers. Similarly, France may not want to reveal that they're triangulating cell traffic, or tapping certain phone lines, or monitoring PlayStation Call-Of-Duty chat rooms.
Either way, France is trading potential future intel gathering capabilities to send a message today that says "you are not invincible, you are not right, you are not just, you are only vermin to be exterminated." They can rebuild their intel network later.
Ignoring the restrictions is useful, but it provides the enemy with justification. "You say you live by this rule, but you ignore it. Therefore, we're every bit as good as you are, or you're every bit as bad as us."
Thus, black ops and deniability. Who knows; maybe Anonymous is so full of FBI moles that this is actually a government backed attack?
I don't know, a cell phone bursting into flames and smelling like brimstone sounds pretty metal to me. Ironically demonic.
Is eventuated the new hip business buzzword?
It was necessitated.
WINSTON.SMITH.5,
Your attempts to post anonymously are a sign that you may not love Big Brother with your whole heart. Please report to MiniLove Room 101 at 8:00 AM for a refresher course.
You may bring your own caged rats, if desired. If you don't have any, rest assured we are not going spare in the caged rat department, but we cannot guarantee their cleanliness.
Big Brother loves you.
I second using a site like pcpartspicker. It can help you avoid some petty technical mistakes, like buying an under capacity CPU cooler, or a power supply without enough of the correct connectors and voltages for your cards.
One thing I've noticed about homebuilt rigs is that they are occasionally louder than normal. I think a lot of builders don't think about noise or airflow, and a lot of the cabinetmakers just provide a bunch of fan mounting points but they can't really consider the cooling needs of the particular motherboard and CPU you're dealing with. If noise is important (perhaps you're going to use it as a media PC in a home theater, too) then you can factor that in as well, or consider options like liquid cooling solutions.
The security difference between chip-and-signature and chip-and-PIN matters in only one case, and that is if your physical card is stolen from your wallet. Skimmers, data breaches, shoulder-surfing, all the hacking attacks won't yield the secret key inside the chip, preventing it from being counterfeited. If you don't like the security of your chip-and-signature card because you're afraid your card might be stolen, ask your bank to issue you a chip-and-PIN card instead. If your bank won't, there are plenty of other banks who will, and who will be grateful for your business.
Visa and the retailers originally figured U.S. customers would prefer chip-and-signature because it makes selling things "easy". But that's a pretty stupid attitude, because lots of people (including you and me) are wary about identity theft. Customers need to complain to their banks so that they learn we'd rather have PINs than signatures.
Overall credit card security will still remain terrible for a long time to come because static mag stripes still exist, and online card-not-present transactions still use static authentication data like CVV2 codes. What really needs to happen to actually improve security is that mag stripes and static numbers like CVV2 need to be flat-out outlawed. The recent "liability shift" is the opening salvo in the conversion, but we're probably still a decade away from actual security.
Manufacturers have long made custom versions of products for specific store chains, and not just TV sets. Pots and pans, clothing, furniture, most products are available to any store that's willing to pay for them. Some stores (like Walmart) have a specific price point, so the manufacturers produce a model without the chrome-plated knobs, the low contrast screens, and use only the cheapest cloned capacitors and dubious quality power supplies.
There's a lot of marketing power in it, too. Not only do they get to offer big TVs for ridiculously low prices, it's also safe to tout benefits like a "150% price match guarantee", when they have the exclusive contract to sell that exact model.
This new piece of malware shows sophistication of design, but that's not unheard of. Older malware was often customized by compile time switches and definitions; this just abstracts some of that away.
Many people (i.e. journalists and managers) think of malware authors as pimple-faced script kiddies hacking in their mothers' basements. They think that large, well-designed projects require teams of skilled developers who would only do so for a fat paycheck.
What's happened now is that vulnerabilities are so profitable that the threat landscape is no longer the exclusive domain of the single hacker - criminal gangs want a piece of it. They can afford to pay team salaries to engineer a solution.
And malware authors have learned to avoid the biggest risks of getting caught. In the old days a virus writer would also be the distributor. Modern authors get paid by selling their exploit code, along with customization and support contracts, to gangs of attackers. The attackers take on the risks, the developers collect fat checks. In some cases of vertical attacks (ATM skimmers, for example), the "owner" of the malware uses cryptography to encrypt the skimmed data, preventing the low-level attackers from profiting from the stolen data. The profits go to the top first, and the paychecks cascade down (assuming honor among thieves).
So what's newsworthy here is that they believe this malware to be further evidence of a new breed of well organized criminal software developers.
Because neonicotinoids are among the safest overall pesticides that have ever been developed. They very effectively target insects, but have very minor effects on mammals. The LD50 of Safari is over 2000 mg/kg of body weight in rats. They're rated category III by the EPA, which means 'slightly toxic and/or slightly irritating.'
The big problem is with bees. Neonics are supposedly 150X more lethal to bees than to any other insect genera.
The EU has already banned neonics (possibly because population density is higher and bees may be more shared than in the US); the US is dragging their feet.
Actually, they've known for several years that minute quantities of neonicotinoids cause bees to 'dance' incorrectly, so that the dance no longer correctly directs other bees to their discovery of nectar. The loss of food may be partly responsible for Colony Collapse Disorder. It's not surprising that this would also lead to reduced pollination.
I can think of two plausible but simplistic explanations; there are no doubt more.
First, they may have been waiting for better timing. Once you drop a bomb on a building, the scum-lickers learn they've been exposed and will not return. So they want to bomb the building when it contains one or more high value targets. Knowing when a high value target is inside requires you to have an intel source observing the building (or the target) at the same time the target is in the building and you have assets in position to level it. That doesn't happen very often. But due to the attack they have to respond quickly, so they are sending a different message by killing a bunch of low value targets in a lot of locations.
The other simplistic explanation is intel gathering. Getting a spy into their organization is not easy. If you bomb a building, you are revealing to the enemy that at least one of the people who knows about the building is a spy, or that you have the capability of intercepting some kind of traffic. To preserve the secrecy of the ULTRA program that decrypted German Enigma traffic, Britain developed an elaborate process for destroying U-boats in WWII. They couldn't just fly to the location of the submarine and drop depth charges, as that risked revealing the Allies' ability to decrypt communications; instead, they scheduled weather-reporting planes to fly more missions in certain sectors, and these weather planes would then "get lucky" and report the U-boat's position to the destroyers. Similarly, France may not want to reveal that they're triangulating cell traffic, or tapping certain phone lines, or monitoring PlayStation Call-Of-Duty chat rooms.
Either way, France is trading potential future intel gathering capabilities to send a message today that says "you are not invincible, you are not right, you are not just, you are only vermin to be exterminated." They can rebuild their intel network later.
Ignoring the restrictions is useful, but it provides the enemy with justification. "You say you live by this rule, but you ignore it. Therefore, we're every bit as good as you are, or you're every bit as bad as us."
Thus, black ops and deniability. Who knows; maybe Anonymous is so full of FBI moles that this is actually a government backed attack?