I'm sure there's going to be a lot of people terrified because of imagined privacy implications, but I'm still fascinated to see where this ride takes us.
I was too until I heard that Facebook was involved. That evaporated all the excitement in one single moment.
In your opinion, is it better than having Oculus VR bought by Microsoft?
In my opinion, it would have been much better if Microsoft bought it over Facebook. They'd both be bad, of course, but Microsoft is the clear lesser of two evils in my view.
It's being killed off in this sense: Facebook owns it now. Facebook is incredibly toxic and untrustworthy. To a lot of people (myself included), if Facebook owns it then it's untouchable regardless of whatever merits it may have. So, as far as I'm concerned, it's been killed off.
Which is sad, as this is literally the only exciting new game-related thing that I've seen in a lot of years.
Oh, hell, looking through that list... there are Windows Server installations in there as well!
One edge of that sword is a lot duller than the other. The cracker community is likely already well aware of how the exploit works (they do talk with each other frequently, after all), so it would most likely be a case of telling them what they already know.
So then it's very likely not a kernel exploit.
If you don't know what the exploit is, then why are you implicating the 2.6 kernel? Particularly when that's not much better than just saying "the kernel", as 2.6 covers a ton of versions.
The implication is that you have some idea of what the exploit looks like. If that's true, you could be more helpful. If that's not true, you're misleading people.
My suspicion is that this is yet another scare story intended to help the sale of Cisco products, and that it's based on almost nothing.
Sure, occasionally it would be nice to go back.
Or more than occasionally, if I've forgotten to turn off the abomination that is automatic updates.
The upgrade might be required to work with changes to the back-end server for example.
Which is yet another point in the lengthy list of reasons to avoid anything that depends on the cloud or proprietary third party servers to function.
Ultimately, the best solution is for the users to quit being such whiney bitches.
Ultimately, the best solution is for developers who can't bring themselves to actually take customer needs and desires seriously (or at least to stop insulting them) to get out of the business that they obviously loathe.
Intercepting the network traffic of dishonest employees stealing company time and network access is perfectly legitimate
Why are you assuming that the employees are dishonest and stealing company time and access? My company specifically allows personal use of their network (within certain limitations), so nobody here is being dishonest.
as is the company reselling the captured personal data in the open market.
That's nowhere near legitimate, regardless of whether the employee is honest or not. That's an even greater level of dishonesty than someone checking their bank account on company time. If I found a company did that to me, I'd sue them as hard as I could, and I think I would have a decent shot of winning.
"Unjustly"? How do you figure that? Regardless of just-ness, it's still a MITM attack,
If you are using an employer's resources to surf the internet just figure that *everything* you do is monitored.
Absolutely correct. And one of the ways they monitor network traffic is by performing MITM attacks. Why do you think it's ridiculous to say so?
So you give an example of what the OP is talking about, but he's an idiot? Huh?
(Posting as AC because I lost my ~1997 account long ago and can't bear the shame of a new one with a high uid)
Suck it up, buttercup! I lost my old (5 digit UID) account long ago, and had to make a new one. The shame passes with time.
Yes, look into tethering.
It may be baseless, but it's a necessary assumption. A MITM attack means that, effectively, you are transmitting data in the clear. It is good security practice to assume that all such data is being recorded and/or logged.
This is how you do a transparent proxy with SSL. It doesn't mean that data is being stored somewhere, it just means you're taking reasonable precautions to protect against malware/spam/internet threats.
But it does mean that users can't trust the system.
How is it not an attack? I don't understand the argument.
Technically, it's a MITM attack even if the user is notified of it.
This is the single worst reason for doing it.
That's funny! I'm still of the opinion that not enough sites require HTTPS. It should be 100% of them.
Conversely, no employee should trust their employer's network so much that they'd be willing to attach their devices to it. And they should absolutely not allow the company to install any software on their devices.
So, win/win!
Extremely.
The company does not own the employee, and does not own the server that the employee is talking to, and so it really is a MITM attack. The company is the middle.
Your advice is on the nose, though. It is impossible to trust any employer-run system, and therefore you should never, ever do anything of a personal nature on company systems. Even if, as where I work, using the company systems for reasonable personal use is allowed.
If your company cannot see the contents of HTTPS communications then you're right, they're just proxying and not performing a MITM attack. That is not what we're talking about here, though -- we're talking about actual MITM attacks which let the employer examine the encrypted datastreams.
And yes, it is an attack -- even if it's legal and you can make a good case for doing it, it's still an attack. It doesn't have to be "abusive" to qualify.
In the US, this is totally legal, although there may be disclosure requirements (I'm not sure). The "my system, my rules" argument wins. My workplace does this, and they informed me that they do this when I was hired.