Oh and I even have a car analogy: the GPS guidance system [JS] in your car [OS] has not much power - it cannot impact directly your speed, wheel direction, brakes, etc... However if someone happens to inject some code into your GPS, and has it give wrong directions, your car is still not directly impacted by that hacking. However, the system may change your itinerary and guide you to a dangerous place you were not supposed to go would the GPS work normally.
" it cannot impact directly your speed,"
Bullshit, poorly-done JS can damn near freeze your computer.
No. Poorly implemented browser. Eg chrome gives you a way to calm down abusive JS scripts.
If it comes from the disk firmware, even Gentoo can't get rid of it!
The summary is basically everything from TFA that is NOT related to the news.
It's not TFA, but TFAs. Did you bother RTFA2?
I swear not being the author of that AC post! Even though we posted at the same time, with the exact same title!
That makes another good reason to go back to the Moon!
^^^ Mea culpa. It seems things changed since last time I connected to icloud.com: now Apple sends an email (account) each time a login to the site is made. There is no IP, but browser brand and OS (based on user agent) are shown in the mail.
I'd actually say Apple. Security failures are a pretty big deal for them.
Not so sure. Why? Because the strongest encryption model is beaten by password knowledge - and why that's bad with Apple? Because, for the sake of simplicity (I assume), there is no way / no trace / no warning / no notif in iCloud.com when accesses are made from different IPs within a given time range etc... (Gmail does that). And basically entering one's iPhone / store password in a train (for instance), having people around over your shoulder makes someone able to access iCloud on your behalf using your account and access your data, "Where is my iThing" to see where you are at any time... And if the guy doesn't change your data, you may never know about it. That's a problem when access is granted to such a powerful tool (and not using two-step auth).
To be fair, what kind of words are likely to be sent - since data is only sent when explicitly using the voice recognition feature? "put channel 11", "switch on/off", "weather tomorrow" - probably not so juicy...
...Shut the fuck up moaning and use the remote.
It only sends data when using the speech recognition software. So don't use it.
Most hackers have access to wireshark
FUD, HTH, HAND
Yeah, o'course, or tcpdump for the real ones. But my point was that usually 443 is a clear indicator of encryption, and hackers don't bother to try it, let alone run a packet sniffer on the port. But maybe you are the kind who runs wireshark on a "connection refused" port?
Ok, maybe I should google "google" to learn how to use it
is there any major brand who are on the side of consumer/customer privacy out there anymore?
Google.
You may want to investigate how encryption works in your Android Samsung phone...
Actually port 443 may have been enough, initially, to lure most hackers into thinking the communication was encrypted. Now that it's been made public it's not encrypted, however....
Oh and I even have a car analogy: the GPS guidance system [JS] in your car [OS] has not much power - it cannot impact directly your speed, wheel direction, brakes, etc... However if someone happens to inject some code into your GPS, and has it give wrong directions, your car is still not directly impacted by that hacking. However, the system may change your itinerary and guide you to a dangerous place you were not supposed to go would the GPS work normally.
Aaah. Thank you!
all an English chef could cook was oxtail and the like. Of course, this is full of BS
You mean an English chef cannot even cook an oxtail?
iptables does the job for now, with custom rules and logging policies, and it is amazing to see how many so-called legitimate sites have been owned
Hmm so with iptables you can detect and block JS injections in a page...?
too **** lazy.
Indeed, some posters here omit the anchor tag that enhances the discussion.
Your next creditcard (in a couple years) will probably have a chip-and-pin system
Oh you mean what has been used in France for more than 30 years? (And that was not implemented in the US because it was a European patent)
That should be familiar to any Oliver fans and hardcore critics alike. For those in neither camp, Barbecoa was Oliver's butchery that was shut down last June after receiving an "A Hazardous" rating from the Food Standards Agency following complaints of food poisoning from several of his restaurants that also received poor FSA ratings for general hygiene. Oliver was also fined £17,000 over this scandal, consisting of just one specimen charge of violating the Food Safety Act, which is pretty fucking disgusting after his ironically calling the US fast food industry out for unsafe kitchen practices. He should have been shut down altogether. Oh, semi-insider info: I have it on very good authority that his restaurants have a higher staff turnover than practically every other sector. They are hellish places to work in. Certainly not worth the wage slavery. The management expect new staff to already know how it all works (in Oliver's eclectic kitchen system!?), training is not only nonexistent, it's an inside joke that "training" is a curse word. Most of his staff are school leavers. The only ones over the age of 18 are upper management.
[ citation needed ]
yes I am bitter because at 36 I applied and was told I was too old for *any* position within Jamies Italian Kitchen.
Cooks read Slashdot, that's good news!
JavaScript is not dangerous in itself. Functions (APIs) access is very limited (in a browser where JS engine is not compromised), and JS cannot directly impact your disk (or slightly, cookies, swap, ...) or other programs (maybe DoS to some extent). However, being able to change some JS in a page makes you able to change the site behavior. And, for example, when it comes to downloading something initially safe, in a supposedly well known safe website, the bad JS may have you download something dangerous. Or steal a session cookie that makes the attacker log in to the site on your behalf, or have you perform some administrative tasks on your behalf etc... But, the real difficulty for the attacker is to inject some JS into a page in the first place. This is (usually) not easy!
*why /. : we should be able to edit for 1 minute or so. f.
NB
While, always, 11, ... ?