No, in a human the virus would be "running." If you want to compare this with herpes it'd be akin to carrying a container with herpes virus in your pants, i.e. you wouldn't have an infection yourself.
It's an infection only if the code runs. If the files just lie dormant somewhere and cannot run on the system at all then it's not an infection.
Do note that he only presented those account details to these institutions in question, he didn't publish them anywhere. He could have done that instead, he didn't need to publish all 3 million just to prove the flaw exists.
So what you are saying is, if the public doesn't know about it, it's good security?
No, I clearly said the institutions in question think so. I do not have any idea how you missed that.
You do realize that if the dude who warned them found it, anyone could have found it.
Yes, but then again, I never claimed anything to the contrary. I am merely saying that he could've published only a handful of details like e.g. the name and address of the person holding the card, the beginning and the end of the card number and 2 of the PIN digits. That would've been enough, that would've proved beyond doubt that there is a very serious security flaw that needs to be fixed, and with missing numbers the PIN+card number would have not been that useful for criminals, thereby making him seem less bad and drawing more attention towards the institutions. As it is these institutions will undoubtedly spin all the negative press towards the hacker in question and away from themselves, simply because he made himself an easy target.
And we wonder why the general public has a sense of distrust and suspicion regarding "hackers".
"When the affected banks, including the largest state institutions didn't respond" is the part that worries me, instead. The hacker in this case was just trying to help and pointed out a REALLY bad security flaw, but since the general public didn't know about it the institutions apparently decided to just ignore it. Publishing all the details was a bad move, that I definitely agree with, but at least it got the institutions' attention; too bad that this will be spun in the media as the hacker's fault and not the institutions' fault, though.
It does seem like LibreOffice's spell- and grammar-checking-tools still need some work, though.
The N900 is a 32-bit system.
Of course, I personally would never go for something like this and I try to steer people away from all-in-one technology whenever I can, but technically-adept people clearly aren't the segment these are aimed at; it's the technically-challenged people with some cash to spend and no one to guide them. And I can very well see this selling pretty well to such people, it seems to have everything they want, and for many of them 2.1 stereo sound combined with a bunch of marketing speech, an okayish flat TV, and no visible wires is indeed "good enough."
But alas, that is the whole point of my original comment: these things aren't being marketed and aimed at us and thus our opinions are irrelevant in this context. Feel free to lambast them here as much as you like, the non-Slashdot crowd won't care or even know about such comments.
And? Not the whole world revolves around your navel, there's plenty of people who would be absolutely delighted to get one of these. Without even properly thinking about it I could name a handful of households where I fully expect to see something similar soon. You see, the thing is that for many people aesthetics are more important than getting the most technically sound solution, "good enough" is plenty when it's made pretty.
You're simply short-sighted there. Someone can e.g. come up with a more productive way of handling packaging, logistics, or even improving the paper itself. And it's not limited to that, as someone can come up with a whole new business idea to try out, a related but completely different product to produce.
I personally use Denyhosts on my Linux server; it is a simple application that keeps an eye on the SSH log and blocks access to SSH and any other services you have configured when the limit threshold is reached. You can also configure whether to keep those IP-addresses blocked forever, or for a specified time. Plenty useful. And the attack described here wouldn't work with Denyhosts.
Since I don't use my server for any actual business use I have just configured Denyhosts to flat-out block access to any and all services altogether when the limit threshold is reached, and I've configured it to retain the block lists forever. These days I've got several thousand IP-addresses there and I rarely see anything malicious in my logs anymore.
Of course, denying root login altogether and using either SSH-keys or proper, long passwords is still essential.
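As an added illustration of the behaviour the comment above describes (watch the sshd log, count failures per source address, block once a threshold is hit, and either keep the block forever or expire it after a set time), here is a small log-driven blocker written for this page. It is example code, not DenyHosts' own source or its configuration format; the three thresholds, the fixed log year used for parsing, the sample log lines and the `LATER_LINE` follow-up are all constructed assumptions.

```python
"""Threshold-based SSH brute-force blocker in the spirit of DenyHosts (illustrative only)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed thresholds (not DenyHosts' defaults): a single failed root login is
# enough, unknown usernames get little slack, real accounts get a few typos.
THRESHOLD_ROOT = 1
THRESHOLD_INVALID_USER = 3
THRESHOLD_VALID_USER = 5
LOG_YEAR = 2011  # syslog lines carry no year; assumed so timestamps can be compared

# Constructed sample of sshd lines in syslog format (not captured traffic).
SAMPLE_LOG = """\
Oct  4 10:00:01 srv sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  4 10:00:03 srv sshd[2002]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct  4 10:00:05 srv sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 51251 ssh2
Oct  4 10:00:09 srv sshd[2004]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Oct  4 10:00:11 srv sshd[2005]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Oct  4 10:00:12 srv sshd[2006]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
"""
# A constructed later line from the same attacker, used to show purge behaviour.
LATER_LINE = "Oct  4 11:30:00 srv sshd[3001]: Failed password for invalid user guest from 203.0.113.7 port 52000 ssh2"

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed (?:password|publickey) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    """Return (timestamp, ip, user, is_invalid_user) for a failed-login line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = FAILED_RE.match(m.group("msg"))
    if not f:
        return None  # successful logins and unrelated sshd messages are ignored
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, f["ip"], f["user"], f["invalid"] is not None


class DenyList:
    def __init__(self, purge_after: Optional[timedelta], block_all_services: bool):
        self.purge_after = purge_after          # None means "keep blocked forever"
        self.block_all = block_all_services     # True -> "ALL:" in hosts.deny, False -> "sshd:"
        self.failures: Dict[str, Dict[str, int]] = defaultdict(lambda: {"root": 0, "invalid": 0, "valid": 0})
        self.blocked: Dict[str, datetime] = {}  # ip -> time the block was applied

    def feed(self, line: str) -> Optional[str]:
        """Process one log line; return the IP if this line caused a new block."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip, user, invalid = parsed
        self.purge(ts)  # expire old blocks before deciding about this source
        if ip in self.blocked:
            return None
        counts = self.failures[ip]
        if user == "root":
            counts["root"] += 1
        elif invalid:
            counts["invalid"] += 1
        else:
            counts["valid"] += 1
        if (counts["root"] >= THRESHOLD_ROOT
                or counts["invalid"] >= THRESHOLD_INVALID_USER
                or counts["valid"] >= THRESHOLD_VALID_USER):
            self.blocked[ip] = ts
            return ip
        return None

    def purge(self, now: datetime) -> List[str]:
        """Drop blocks older than purge_after; with purge_after=None nothing ever expires."""
        if self.purge_after is None:
            return []
        expired = [ip for ip, t in self.blocked.items() if now - t >= self.purge_after]
        for ip in expired:
            del self.blocked[ip]
            self.failures.pop(ip, None)  # the counter starts afresh after a purge
        return expired

    def is_blocked(self, ip: str) -> bool:
        return ip in self.blocked

    def hosts_deny(self) -> str:
        """Render the block list as /etc/hosts.deny lines (TCP wrappers syntax)."""
        daemon = "ALL" if self.block_all else "sshd"
        return "\n".join(f"{daemon}: {ip}" for ip in sorted(self.blocked))


def run(lines, purge_after_hours: Optional[float] = None, block_all_services: bool = True) -> DenyList:
    """Feed every line through a fresh DenyList and return it."""
    purge = timedelta(hours=purge_after_hours) if purge_after_hours is not None else None
    dl = DenyList(purge, block_all_services)
    for line in lines:
        dl.feed(line)
    return dl


if __name__ == "__main__":
    print(run(SAMPLE_LOG.splitlines()).hosts_deny())
```

Two points worth keeping in mind when deploying anything like this: a `hosts.deny` entry only protects daemons that consult TCP wrappers (`libwrap`), so "block all services" really means "all wrapped services" unless the list is also pushed into a packet filter; and because the decision is keyed on the source address, a few failed logins from behind a shared NAT or VPN egress will lock out everyone behind it, which is the trade-off you accept when you set the purge time to "forever".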
Now, what do you do with the piece of software that acts like a predator, though? Put it in car alarms or something?
Hmm, if it was smart enough to be able to respond to conversations or situations around it I'd definitely want it on my phone: what better than your phone suddenly joining in a conversation you're having and making awkward sexual advances to you, or having your phone yell obscenities at all the pretties around you on the bus?! If it works as a pick-up method, well, good for you, and if it doesn't you can always just blame your phone!!
This looks like a not-too-well-prepared exercise as there is absolutely no definition of what they mean by "sexual predator," except that a sexual predator tries to gain some sort of a sexually-loaded response from the other side. The problem: what is considered a "sexually-loaded response," would e.g. a boyfriend asking his girlfriend for a bikini picture qualify as a "predator" even though the act is perfectly common and acceptable, do they deem there is a possibility of a sexually-loaded conversation that still manages to stay within the terms of "good behaviour" or are all sexually-loaded comments and conversations inherently "bad behaviour" etc. etc.
I have a feeling the whole point with this is to use the results for "protect the children" politics in an effort to score brownie-points.
EVERYTHING IS VULNERABLE TO STUPID AND BADLY TRAINED USERS/ADMINS.
That is the whole point I've been making all along: even Linux cannot guard against users doing stupid stuff, or against applications having vulnerabilities. Some people try to paint Linux as being completely invulnerable to anything whatsoever and that is the thing I have an issue with: you should never assume your system is secure just because it is Linux.
However, unlike any OS that Microsoft has ever sold, security is part of the basic design, not something that's tacked on later as an afterthought.
You've never heard of SELinux, Tomoyo Linux et al. then.
Are you claiming that there is, currently, malware out there designed to target Linux? If so, I'd like to know about it because I've never heard of it.
http://www.theregister.co.uk/2011/10/04/linux_repository_res/ , https://en.wikipedia.org/wiki/Linux_malware#Threats , http://www.darknet.org.uk/2011/01/java-based-cross-platform-malware-trojan-maclinuxwindows/ and so on. How about the cross-platform one for OpenOffice, BadBunny or whatever it was called? And so, you should be able to use Google sufficiently even on your own. Or hell, if you happen to be running SSH or HTTP servers go and take a look at your log files, you'll see plenty of attempts and many of those target Linux boxes.
As far as root kits go, you either need to have access to a machine to install one or you need to trick somebody into giving your installer root access.
It's easy enough to fool people into running stuff they shouldn't, and there are vulnerabilities even on Linux that allow stuff to gain root access. Just look through last year's Slashdot news if you wish, there were several high-profile vulnerabilities reported.
The OS in question bears no relevance here: it's a trojan, something a user installs on his or her own, and thus could just as easily apply to Linux, too. Linux isn't some magic bullet that is immune to trojans; as long as whatever happens to be the payload can access user's files and see what the user does and can make network connections that's all it needs, having root access is just a bonus, not a necessity.
How would you implement such? The devices would be very unlikely to transmit their data in human-readable text, so you'd need to know the binary layout of the data packets transmitted, and such details would not just be handed over when asked for. Then you have to take into account that different manufacturers wouldn't use the same protocol, and possibly not even one manufacturer would use one protocol among all of its products, so you'd have to reverse-engineer ALL your internet-connected appliances. Not to mention things like possible proprietary encryption and SSL.
TeliaSonera is a telco that actually operates both in Finland and in Sweden, and they're planning to block people from using Skype for free on the Finnish side of things, too. Their plan is to allow you to buy Skype talk-time that then allows the service through until the time is up. Do notice that this is in *addition* to what one already has to pay for Skype credits, so this has understandably created quite some negative commentary here and there.
The funny thing is that it's only TeliaSonera contemplating doing this, all the others are more than fine with the situation as it is, and are even actively promoting unrestricted mobile broadband.
You're barking up the wrong tree: I wasn't advocating upgrading CPUs or such. I am saying that often years-old computers still have enough crunch to do most office work and you may only need to put a new HDD, ethernet card or WLAN stick and such into it. There is no need to throw the whole package away every time one part starts to get long in the tooth.
Cost of new desktop PC with warranty, dual core 2.7GHz CPU, 4 gigs RAM (upgradeable to 8 gigs), 1TB hard drive, gigabit ethernet + wireless b/g/n, card reader, Windows - $399 retail, no favours.
Cost of upgrading a 10-year-old box to those specs - forget it.
And again, you're trying to imply that office workers need 2.7GHz dual-core CPUs etc. But really, there is no need to upgrade an older box to those specs simply because office tasks do not require 1TB HDD space and multi-core systems.
The new hardware will be amortized over 6 years, so you're talking less than $6/month. With 20 working days in the month, if the new machine saves a user a grand total of 5 minutes a day because it's faster, even if you're only paying the worker $4 an hour, you're still ahead of the game.
Let's see: a card reader ~8e, a new HDD ~65e, SATA card ~15e, 802.11n USB stick or a 1Gbps PCI card ~10e = 98e. That would be roughly 130 dollars. Amortized over 6 years that would be around $1.80 a month. Compared to your $6/month you could have the worker do a whole extra hour a month and still be left ahead of the game.
Also, those older machines ran HOT. Newer machines have much better power management, so you're going to save on both power and office ac.
I ran an Athlon XP for years and it definitely didn't run nearly as hot as current systems.
It's cheaper to throw out a 10-year-old PC than it is to update the ram, hard drive, and cpu. Those obsolete components cost a lot more than newer ones.
With old laptops, you often don't even have a choice. Want to change that ethernet port from 10Mbps to 1gig? Update the CPU? Good luck with that.
5-year-old CPUs and GPUs are perfectly adequate for office work, those do not need to be updated all that often. And more-or-less everything else is actually very easy to update, either via PCI cards, USB or Cardbus. Yes, even that old laptop can almost definitely handle either Cardbus or USB.
Besides, it must be some very strange office if you can't get your work done without a 1Gbps connection. I could understand that for a developer, a graphics artist, someone handling video and so on, but for standard office work you definitely do not need such, so your point is a strawman anyway.
Say, do you always throw out the baby with the bathwater? Last I heard it's very easy to replace various components on PCs without having to replace the whole thing.
This guy is 800x more of a man than any of you ever will be
To be honest, I would feel sorry for him if he was LESS of one than I am.
Success is when you have reached the goal you have set, nothing more, nothing less.
An open-source project can be a success even if it has NO users whatsoever outside the developers, and equally well it can be a failure even if it had 200,000 users. An outsider cannot really say whether a project is a success or not, it's the developers who have that say.