Let's be honest, the only thing making this "difficult" is the paper (policy) that prevents it
That... and the fact that you need to get the malware onto the air gapped system.
Which, as previously noted, really makes this an insider attack vector and not a remote exploit.
There are probably easier ways for an insider to infiltrate information.
I am sure it is only a matter of time before people are able to buy this thing, wipe it and install a clean ROM on it.
+1 Insightful
That was pretty witty.
I didn't mean to imply that the onus is on the user to update their device.
I am saying that Google and the carriers need to find some way to get along and keep these devices updated.
At the end of life, when Google no longer wants to support these devices, I think it would be appropriate to block access to the Play Store for those devices.
but I'm pretty sure that there are not a bevy of apps in the App Store that can contain malware which can root 90% of iPhones.
Of course, the response to that is: Not that you know of.
If we have learned anything, it should be:
- Systems are not inherently secure
- Companies are profit driven (they care about you only so much as it affects their bottom line)
- Software is complex
- People make mistakes
This creates an environment where nobody is above reproach. No system can ever be thought of as bulletproof.
I think this falls under the "victim of their own success" category.
The thing is, once you install an app, that's it, it can then do whatever it wants within the limitations that Google has defined. One of those things is "access the Internet" which means that the app, once installed, can then go out to the web and grab whatever it needs to exploit your device.
I am sure that there are thousands of legit apps that have the same exact "signature" as these malware apps. As in, they do normal stuff like access the Internet, turn on your camera's LED, etc.
If you start blocking apps that access particular URLs, that's all well and good, but what if the malicious party creates an ad that is only malicious when used in conjunction with their app? Will Google block apps that access the ad networks? Nope.
The real fix is to get these devices updated so that they are no longer vulnerable to root kits.
Meh. It's a trade off issue like everything else.
Clearly there should be no critical, time sensitive, life-saving system or device with heavy security. At the same time, make sure that these systems are physically separated from the administrative network.
On the other hand, stuff like research terminals or administrative computer systems can be locked down and require more security. I believe that these are the systems the article is talking about.
This isn't brain surgery here.
You do realize how these breaches happen right?
Almost every major hack you have heard about has the same vector into the network: users.
[...] is slower than shit.
Try eating fiber. No more slow shit.
It is fun to hear people complain about technology.
If there is one thing I have learned, it is that people like to complain and they LOVE to complain about technology.
You could address all of these concerns and the next thing out of the user's mouth will be "the text is hard to read" or "the color scheme hurts my eyes" or any number of other asinine things.
How many "jobs" let you decide you don't feel like working this week with no consequences?
UPS is one
When I worked as a loader (in the local Teamsters union) I got 100% medical and dental benefits, got $15/hour and the official policy was that if you don't show up WITHOUT CALLING IN for 4 days in a row, that was grounds for termination (it was *grounds* for termination... but I rarely, if ever, saw anyone fired)
I personally saw, several times, people not call in and not show up for a week at a time. Then they would show up when they needed money.
Because of the benefits and short hours (no full time employment and anything over 4 hours in a single shift is overtime, which was almost never authorized) there were a lot of people who had their own businesses during the day and just used UPS for the benefits.
I was going to school at the time and UPS also kicked in a few thousand per semester for that.... I always recommend UPS to people... it amazes me how many people turn their nose up at it.
I get the feeling that this is exactly where that number came from.
Take all revenue earned by drivers and divide by number of drivers. See? every driver earns, on average, $100k/year (for us)...
I know... I think of Buzzfeed as the crappy clickbait list people... definitely NOT the news people...
This reminds me of the time that I worked in the returns department of a consumer goods manufacturing company.
The product was good but all I ever saw was the crap. Pallets and pallets of non-working things.
I didn't have a very good opinion of the company's product at that time.
However, the number of items returned was a tiny fraction of the amount of product sold.
My point is that when all you hear about is breach after breach, it is easy to come to the conclusion that everything is easily breached.
I don't think that is true. Just think about all of the databases in the world.
I would be willing to bet that the odds of being breached are still fairly low if you actually spend the resources on taking reasonable security measures.
I think that what we are seeing is an intersection between growing computer savvy (as everyone who grows up with the technology really groks it) and status quo (legacy) network concepts.
I think it is absolutely possible to secure a network if the will to do it is there.
Yay for Windows Phone!
cows are for LUDDITES
Let me ask you this: What is it that you need your phone for at a concert anyway?
The main annoyance that I can think of is that you will not be able to find your friends who arrived separately but are already in the building/venue.
That is easily solved by just meeting somewhere outside before going in.
That really is it. That is the only thing I have used a phone for at a concert other than to snap some pics or a short video. Obviously, it is not necessary for me to have that video and if the artist doesn't want me to take pics, why should I argue? If I want to "prove" that I was there, I can just snap a pic of my ticket stub or the outside of the venue.
If someone's willing to pay $300 for something, you have no right to get it for $30.
Seriously?
Where I come from, that is called getting a good deal. No harm in that.
The thing is, the venue or the performer/artist are the ones setting the price. If they set it at $30 it doesn't matter if someone is willing to spend $300. You absolutely do have a RIGHT to get it for the price offered as long as there is availability (all the tickets aren't sold)... --- right here is where the dilemma exists
I am just trying to understand a little bit about this automated software.
I mean, we have been dealing with automated bots in the online world for a long time.
The general solution is stuff like CAPTCHAs.
Do these types of systems not exist in the ticket buying world?
It sounds like this is just legislation around lazy business practices.
By all means, feel free to point out my logical fallacy.
Except that this is probably more about minimizing the workload of the bouncers than it is about making it physically impossible to get to your phone.
I played WoW pretty much all weekend and did not encounter any issues.
Hopefully apple jack continues to throw this level of expertise at the "real" attack.
I am an honest person and I am not going to cheat.
I stopped puffing as soon as I started the interview process. The whole thing took almost a month to go from interview to offer and drug test.
Funny that you should advocate being dishonest in order to get a job... that seems like being the opposite of what an employer would want.
That is strange. I am in the exact same boat. I looked up my password for GitHub and it was a 24 character random password with symbols.
I logged in and changed it to another similarly long password anyway.
Still, I received no notice and I was not prompted to change my password upon login.
I am with you. The only things I use 2FA for are banking, password manager, Facebook & Google (because I use their authentication system sometimes) and e-mail accounts (and WoW because you get a pet).
Even with those, 2FA is enough of a hassle that I consider removing it sometimes. I certainly do not need every web site I log in to know my phone number.
I think they are probably being a little bit more intelligent than you describe.
I was not forced to change my password upon login to GitHub (I just tried). I use unique passwords for all sites.
So, probably what is happening is GitHub got a copy of the account list and started checking passwords against its own db.
Since GitHub knows the encryption methods of its own accounts db, it can run the compromised account list through its encryption process and match the output to users' hashes. They can then flag any accounts with a match.
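The check the comment above describes, as an added example that is not code from GitHub or from the original thread: take a leaked list of (email, plaintext password) pairs, run each password through your own password hashing with that user's stored salt, and flag the accounts whose stored hash matches. The comment's "encryption process" is modelled here as salted PBKDF2-HMAC-SHA256, which is an assumption; the real service's scheme is not stated on the page. The user database and the leaked list are both constructed sample data.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-user random salt plus PBKDF2-HMAC-SHA256 stands in for
# whatever scheme the real service uses. The iteration count is kept low so
# the example runs quickly; a production setting would be far higher.
ITERATIONS = 50_000


def normalize_email(email: str) -> str:
    """Leaked dumps often carry mixed-case addresses; match on a canonical form."""
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(users: dict[str, str]) -> dict[str, dict]:
    """Build the service's own account table: email -> {salt, hash}.

    Only the salted hash is stored, never the plaintext; the plaintext
    parameter exists solely so this example can construct sample accounts.
    """
    db = {}
    for email, password in users.items():
        salt = secrets.token_bytes(16)
        db[normalize_email(email)] = {"salt": salt, "hash": hash_password(password, salt)}
    return db


def flag_reused_credentials(user_db: dict[str, dict], leaked: list[tuple[str, str]]) -> list[str]:
    """Return the accounts whose current password equals the one in the leak.

    Because every user has a distinct salt, each leaked password has to be
    hashed against that specific user's salt; there is no bulk set lookup.
    """
    flagged = []
    for email, leaked_password in leaked:
        record = user_db.get(normalize_email(email))
        if record is None:
            continue  # leaked address is not one of our accounts
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time comparison so a match/mismatch cannot be timed.
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.append(normalize_email(email))
    return flagged


# Constructed sample data (not real accounts or a real breach dump).
SAMPLE_USERS = {
    "alice@example.com": "hunter2",          # reused the leaked password
    "bob@example.com": "a-different-pass",   # leaked password is stale
    "carol@example.com": "correct horse",    # reused, address differs in case
}

SAMPLE_LEAK = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "wrong-pass"),
    ("Carol@Example.com", "correct horse"),
    ("nobody@example.com", "whatever"),      # not our user at all
]


def demo() -> list[str]:
    db = make_user_db(SAMPLE_USERS)
    return flag_reused_credentials(db, SAMPLE_LEAK)


if __name__ == "__main__":
    for account in demo():
        print(f"flag for forced reset: {account}")
```

The cost of this check scales with the number of leaked rows that map to your own accounts, since each one costs a full PBKDF2 (or bcrypt/argon2) computation against one user's salt; that is the price of salting and the reason the lookup cannot be done as a hash-set intersection. Accounts that come back flagged are the ones to force through a password reset, which matches the comment's observation that users with unique passwords see no prompt.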
I am with you completely.
If you do something shitty while on drugs, we have laws already on the books to deal with those things.
That said, I absolutely see the need for providing a cycle breaker into the system for those that want a way out.
Take a portion of the money raised from the taxation of drugs to provide proven treatment and remediation opportunities for people caught in a bad cycle.
Without the need to feed the DEA and other enforcement agencies, we would still likely come out ahead.