Slashdot Mirror


User: misnohmer

misnohmer's activity in the archive.

Stories: 0
Comments: 490

Comments · 490

  1. Re:Only fair on Wi-Fi Patent Victory Earns CSIRO $200 Million · · Score: 1

    Are you saying that any products shipped to Australia do not require licensing or royalties from CSIRO? Or, are you saying all Australian companies don't have to pay? Or are tax-funded research results not available for free to the taxpayers (who paid for it) down under?

  2. Device tells traders when market is open? on Device Protects Day Traders From Emotional Trading · · Score: 1

    I used to day trade. I don't remember a time when I wasn't stressed during trading hours. When you day trade, you are always under some stress, even if it's the euphoria of just making 10% in 5 minutes (which would likely trigger the stress indicator as it is an intense emotional response). I got out of day trading having made money overall, but thinking I will never do it again - way too stressful.

  3. Re:FREQUENCY on Washington Post Says Use Linux To Avoid Bank Fraud · · Score: 0, Redundant

    My point was that people should not treat the live CD as the ironclad "I am now safe" option. It should be treated as "I am safer now, but as the CD gets older I am losing that safety margin".

    Your suggestion of a jailed browser is also just another step, there are more - you can hardwire the certificate the browser trusts (so you need a new CD for every new cert on the banking site) as well as provide the browser its own client certificate to authenticate both ends. The next safer step is to use bank-provided hardware locked to only boot from that CD (signed boot loader). This is in case the user were to get his hard drive infected, then reboots via some method which either doesn't actually fully reboot (they clicked on shutdown/restart but the malware did a warm boot instead) or if the malware changes the boot device priority and loads itself first from HDD before booting from CD.

    This being said, I don't know the costs due to banking hacks - is it worth $200 per customer in hardware costs to provide them with a dedicated client? Maybe something like Kindle but for banking only, locked down to a particular user? If the bank today is losing $400 per customer per year, here is a great business opportunity!

  4. Re:terrible advice on Washington Post Says Use Linux To Avoid Bank Fraud · · Score: 1

    And this is exactly why this advice of using a bootable live CD (Linux, Windows, Solarix, QNX or anything else) as a cure-all is so dangerous. People like yourself believe they are invincible, and are therefore careless. A number of people mentioned in this thread that you can get compromised, even with a LiveCD. Here is an example - the SSL certificate NULL-prefix vulnerability - there was recently a slashdot article on that, but if you want to see for yourself how it works, search for the sslsniff tool - it comes with a complete howto too. Unless you have the latest patched browser, you are open to this. There are other ways also - just read through this slashdot thread for some hints.

  5. Re:PSU on Software To Diagnose Faulty PC Hardware? · · Score: 1

    You obviously never had to deal with many (or any) power supply issues. If you can diagnose the issue with the multimeter (missing power rails, or too high) you'll likely have other indicators (such as the computer won't start or smoke coming out of something). Most power supply issues show up under certain conditions only (such as specific load pattern) and only occur briefly (sufficiently to cause memory errors, put hardware in half-reset undefined states, etc). You could put all of the voltage rails on some kind of continuous monitor (maybe oscilloscope with triggers set above and below acceptable values) and then run the machine until the undesired behavior occurs. Repeat for each voltage rail. Not a quick thing to do either.

  6. Re:After reciving an e-mail that appeared... on Why the FBI Director Doesn't Bank Online · · Score: 1

    This may not be such a joke, how long before he gets an email "Your top secret clearance password is about to expire. Please log in here to change it" or something along those lines? What if this time he does fall for it? Sounds to me like the guy should stop using the internet, not just internet banking. If your own wife doesn't trust you using internet banking, how the heck is the country supposed to trust you using the internet?

  7. STOP THE MADNESS! Yet another easy attack vector on Comcast's War On Infected PCs (Or All Customers) · · Score: 1

    A few separate replies state it's a good idea. I just looked at what they are actually deploying and the very first thing which jumped out at me is that all they are doing is introducing a new way to infect computers. From the description:

    "Customers in Denver will begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser as part of the new Comcast Service Notice, which is free. The notice will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer."

    How long before malicious websites show the exact same "notification popup" with a convenient link to download a "virus removal tool"? There is no way to authenticate the security warning as it is already an "injected" man-in-the-middle attack in itself (and no, most customers will not attempt to verify that in fact they were directed to a comcast security site, even if they use SSL certificates (the hack will simply have an unencrypted site, which I suspect the actual comcast page will also be)). Fake antivirus popups are already one of the favorite infection methods; this is simply playing into the bad guys' hands by training your customers to fall for it.

  8. Re:What about the CA that issued it? on Null-Prefix SSL Certificate For PayPal Released · · Score: 1

    The X.509 certificates are used for many purposes, not just ssl. A Common Name (CN) field is a generic field defined under the spec. Since there is no spec defining what a valid set of chars is in the CN for SSL, I don't think we want CAs to be going off deciding whatever they feel is valid based on what breaks someone else's implementation. What if they decide that com.com breaks some poor implementations, hence they'll never issue a certificate for cnet (who owns com.com) or even supercom.com or malcom.com. It really should be the responsibility of the implementers who use X.509 certificates to deal with all possible values allowed by the X.509 spec - even if the "dealing with it" means throwing an error saying "unable to process this certificate".

  9. Re:This is a scary scenario on Null-Prefix SSL Certificate For PayPal Released · · Score: 1

    The sslsniff tool already offers this capability for Mozilla and Firefox/Thunderbird add-ons. Even the howto is included for those who lack the expertise. From the sslsniff page:

    sslsniff has also been updated to support the OCSP attacks that I published at Blackhat 09 and Defcon 17, thus making the revocation of null-prefix certificates very difficult. Additionally, sslsniff now supports modes for hijacking auto-updates from Mozilla products, as well as for Firefox/Thunderbird addons. Attackers can specify payloads of their choice, which will be delivered to the targets being man-in-the-middled.

  10. Re:How far does the liability go? on AU Legal Group Says ISP Allowed 100K Illegal Downloads · · Score: 1

    So the information about which websites you visit is not considered private?

  11. How far does the liability go? on AU Legal Group Says ISP Allowed 100K Illegal Downloads · · Score: 5, Insightful

    So the argument here is that the ISP is liable for illegal content exchange. What about the router manufacturer? How about the OS manufacturer? If the traffic was all encrypted, is the ISP on the hook for man-in-the-middle attacks to decrypt and inspect the content, or will they then be liable for invasion of privacy? Is there such a thing as privacy down under?

  12. Re:What about the CA that issued it? on Null-Prefix SSL Certificate For PayPal Released · · Score: 1

    From the exploit write-ups, evidently NUL is a valid character in a PASCAL string. Nothing wrong with that since it contains the string (or array) length at byte offset 0. Notice that NUL is also a valid value for any member of a char array in C/C++, it's just that C didn't have an explicit data type called string, so instead it uses a NUL-terminated char array as a string.

    This is simply a data type compatibility issue, no different than a problem where integers are 32 or 64 bit between platforms. Whoever implemented the C/C++ extraction of the CN should have considered that - bad implementation and bad test coverage.

  13. So how exactly does this work? on Court Rules For Software Ownership Over Licensing · · Score: 1

    If there are conflicting precedents, the oldest one overrides? Does this automatically overturn the latter, conflicting precedent rulings as invalid? Does this also mean that once a precedent is set, the courts cannot ever rule differently no matter what, only congress can overwrite?

  14. This is a scary scenario on Null-Prefix SSL Certificate For PayPal Released · · Score: 2, Insightful

    Since the hole affects the Windows Crypto APIs, this should now be easily possible. A rootkit virus, which hijacks all the traffic from its local network, intercepts all Windows Update requests and spreads itself as an update. Implications: if a single machine on your network is infected, all Windows machines get infected within 24hrs? This is provided you can get a code signing cert with a null prefix, but I don't see why this would be much different than an SSL cert (just find an automated CA).

  15. Re:What about the CA that issued it? on Null-Prefix SSL Certificate For PayPal Released · · Score: 1

    Not exactly. I'm not one to defend the CAs, there is no shortage of examples of irresponsible behavior from them (say, the MD5 collision attack, why continue using MD5 signatures years after the theoretical exploit was published), HOWEVER, in this case the CAs have it properly implemented, as per specification. The specification says PASCAL-type strings, and that's how they should be handled. The problem is the implementation of the CN string handling as a C/C++ null-terminated string by the crypto functions or the application (like the browser) itself. CAs shouldn't be blamed for someone else having bad code.
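Comments 12 and 15 above describe the mismatch between a length-prefixed CN and C-style NUL-terminated string handling. The following C example is added here and is not the poster's code: it puts a naive C-string comparison beside a length-aware one on a constructed CN that carries an embedded NUL, with placeholder host names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample CN as it would arrive from the certificate: the encoded
 * length is explicit (31 bytes) and the value contains a NUL right after
 * "www.bank.example". Both host names are placeholders.
 */
static const unsigned char SAMPLE_CN[] = "www.bank.example\0.other.example";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1) /* drop the C literal's trailing NUL */

/*
 * Naive check: copies the CN into a buffer and compares it as a C string.
 * strcmp stops at the first NUL, so the bytes after it are never examined
 * and the sample CN looks identical to "www.bank.example".
 */
bool cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *expected)
{
    char buf[256];
    if (cn_len >= sizeof buf)
        return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, expected) == 0;
}

/*
 * Length-aware check: a CN containing an embedded NUL is not a valid host
 * name and is rejected outright; otherwise the comparison uses the encoded
 * length, so every byte of the CN has to match the expected host.
 */
bool cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *expected)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    size_t expected_len = strlen(expected);
    return cn_len == expected_len && memcmp(cn, expected, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("naive : %s\n", cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "accepted" : "rejected");
    printf("strict: %s\n", cn_matches_strict(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "accepted" : "rejected");
    return 0;
}
```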

  16. Re:Also why are they doing it? on Wii Update 4.2 Tries (and Fails) To Block Homebrew · · Score: 1

    For all the good reasons to hack your Wii, there are those who do things which hurt Nintendo's bottom line. For example, those who use homebrew to download hacked versions of multiplayer games allowing online cheating, such as Mario Kart Wii. My kids for example stopped wanting to play any online games after hacked homebrew versions of the game showed up allowing people to cheat and make the races pointless (what's the point of racing with a guy who is always invincible, or has unlimited powers to nuke you with super homing weapons). So, I haven't bought any more multiplayer games since. Nintendo loses 2 ways here - one, through software piracy (let's not argue that one, many other threads on why "piracy doesn't actually hurt anyone") and two, people get a bad opinion about their online multiplayer service, causing fewer sales of multiplayer games.

    Another way to think about this is like this: Nintendo has a service for their console. Modified consoles cost in terms of causing havoc or simply in terms of having to do extra work to make sure such consoles don't wreck things, so they should have the right to exclude hacked consoles from any service. If you want to modify your console, no problem, but don't use any Nintendo services from then on (including their update service) - problem solved! Would it make you feel better if they put a sticker on the box saying "If you hack this, we reserve the right to brick it upon any connection to any Nintendo service (including update)"?

  17. Re:Just federal employees? on Executive Order Bars Federal Workers From Texting and Driving · · Score: 1

    Well, here is your problem. You (and countless others) are attempting to legislate what "you personally think is right". Where do you draw the line? Let's make changing radio stations while driving illegal (I've heard of a number of accidents where people died due to the driver changing the radio station). How about driving within 24hrs of breaking up with your girlfriend, or getting fired (you must take a cab home if you're fired, since you'll be too distracted to drive). By your logic it should also be illegal to take off your jacket while driving, scratch your rear, or anything else anyone has ever done and caused an accident. In some countries some people "personally think" that women should not walk in public without covering their face - so they stone them if they do, by law. See the problem? People should stop legislating based on knee-jerk reactions - someone texts and drives and kills someone, oh let's make it illegal! How about holding people responsible for their actions and not for the stupidity of others?

    The legal system doesn't scale. Every year there are more laws created than repealed. Let's set aside the recent issue of laws being copyrighted by some states, but even if you had unrestricted access to all laws, there is no way you could know all the laws applicable to you already. Since every year we have more and more laws, the problem is only getting worse, partly because people want to legislate EVERYTHING!

  18. Who moved my cheese? on Postmortem for a Dead Newspaper · · Score: 1

    Sounds like someone there should have read "Who Moved My Cheese?" - an all time classic book.

  19. Old news on Sony Prototype Sends Electricity Through the Air · · Score: 1

    Other companies have done this before. One which comes to mind is an MIT startup called Witricity - I caught their demo at least a year ago in the news and even on the unsuccessful US TV show Brink. Witricity [http://www.witricity.com] site has a bunch of information on the technology.

  20. Re:It will never happen on California Requests Stimulus Funding For Bullet Train · · Score: 1

    Are you implying that most other states take more out than they put in? Wow, that would explain the federal deficit. No wonder the feds need to print money by the trillions - everyone expects to take more than they pay in!

  21. Re:host the servers in antigua on The Pirate Bay Sails To a New Home · · Score: 1

    Yea right. The second Pirate Bay sets up shop there, anonymous reports about terrorist training camps in Antigua will suddenly come to light. A few carpet bombings later this will no longer be an issue.... Antigua who?? Oh, you mean that big crater in the North Atlantic?

  22. Rape and pillage time... on PSP Go Debuts, Disappoints · · Score: 2, Insightful

    In the times we live in, everyone is attempting to nickel and dime you on everything. Airlines now charge for luggage (all but 1 in the USA), hotels charge for a phone line, whether you want it or use it or not, weird "fees" appear on various utility bills. The gaming industry has been attempting to stop used game sales by lobbying for legislation, but since that wasn't moving fast enough to yield short term profits, enter iPho.. I mean PSP Go. Why are we so surprised? Guess where the next generation of consoles is heading...

  23. Lesson is: spread confidential info asap on Bank Goofs, and Judge Orders Gmail Account Nuked · · Score: 1

    The lesson I got from this is as follows: If one ever receives information which appears to be sensitive, the only way to make sure one won't get their account shut down by the incompetent who sent it is to post this information somewhere public, therefore negating any need to shut down your account (the information is already leaked out).

    Now, if the poor owner of the account in this case did in fact retrieve this information, he could still spread it around as widely as he can, so he can go to court and say "Your honor, I understand my account was shut down in order to prevent this information leak. I really want access to my personal email, so the only way to get it back that I could see was to eliminate the reason to keep my account shut down. It is now no longer necessary to keep my account suspended since the information is already all over the internet."

  24. How long before malicious ants will appear? on Ants Vs. Worms — Computer Security Mimics Nature · · Score: 3, Insightful

    Having anything "crawl" through your network seems like a huge security risk to me. Any security solutions will have to be aware of those crawlers and allow them to crawl from computer to computer. What's to stop viruses from simply impersonating such a crawling ant - free pass to every computer on the network!

    Another problem may be as they all "converge" on threats. What if they bog down the target machine, or the network? If my browser cookie looks "yummy" to the "ant" (no pun intended - a browser cookie may be classified as a threat), next thing I know my network interface is crawling with these "ants"! My administrator cannot log in because of all the ants plugging my bandwidth!

  25. Re:Porn and hamburgers on French Deputies Want Labels On Photo-Altered Models · · Score: 1

    I saw a similar sign at Fry's Electronics in WA state just this week, referring to the paper they print receipts on. The sign didn't mention the state of CA, just that substances are known to cause cancer and birth defects. They had horrible customer service so I ended up not buying anything there and couldn't try this, but I wondered what if I refuse to take such a carcinogenic (by their own admission) receipt - what will the guy at the door do if I can't show him the receipt?