I am not even going to get political here..
What really pisses me off.. is that they closed down 395 between Alexandria and DC.. fortunately for me I took lunch at 11, when they were setting up the road blocks. I just missed being stuck in about 10 miles of stopped traffic and people walking around outside of their cars on 395.. a massive road.. and one of the main thoroughfares into and out of DC..
You have a helicopter Mr President.. use the fucking thing and stop screwing up traffic that is already a mess in the first place...
I saw the traffic on the way back to work from lunch.. with miles of backup, it being a Friday where rush hour starts early, usually around lunchtime, today's commute home is going to be an absolute nightmare..
So Mr Pres.. thanks for fucking up the afternoon for about 500k drivers... (probably more)
Everyone is going the political route here... The reality of the situation, is that it is a technological and money issue. When the data centers were first built, virtualization and cloud computing were in their infancy. Many of the datacenters are owned by individual agencies, and even some sub agencies within each gov component maintained their own datacenters.
However, virtualization and cloud computing have come a long way since those days, and it is now feasible, and far more efficient to use those technologies, thereby allowing the various government entities to consolidate many of the datacenters. Currently, there are a number of federal agencies that are running what is essentially hosting and datacenter services for other government agencies. This reduces spending; the costs of running a datacenter over time far exceed the cost to build and staff them.
But this is slashdot.. everyone takes an opportunity to take shots at the gov, no matter which side is in power.
As someone else noted, the servers will be sold through GSA, or in some cases private companies who sell off excess. One thing to note is that all drives and memory get removed, sometimes they use those elsewhere, sometimes they shred them (yes.. I said shred.. watching a monster shredder in action destroying hard drives is absolutely awesome.. no I do not work on cleared systems, just regular federal civilian agency work). They are almost never included with the servers anymore unless someone forgot to remove the drives and ram.
The hard drives and memory are removed and destroyed, the rest is auctioned off as surplus, sometimes through private companies, sometimes through the GSA itself.
My office at home is full of off-lease and surplused equipment from datacenters (some I purchased from GSA auctions).
And this is what is wrong with people.. no proof no hack.. talk about a false sense of security..
There are various kinds of hackers.. those who do it for fun and bragging rights, and those who do it for nefarious purposes..
Those who do it for nefarious purposes.. generally do not brag, and go all out trying to hide what they did, otherwise the methods they use tend to get closed rather quickly.
It should be noted that this particular attack (base station impersonation) was actually demo'd and performed last year during blackhat and defcon.
I do this all the time (especially when I go to Vegas this time of year :)
It does require a rooted Android phone for me, as I use OpenVPN and password protected certificates for authentication. I have an OpenVPN server that I run on my VPS and tunnel all the traffic through it when I am in some less than safe (network wise) places.
Outside of that, all iPhones and Androids support other various VPN technologies (curious why they never supported OpenVPN as an option natively).
As an aside note, if you're not doing anything stupid while tethering, then you will most likely never be found out.. I stream Pandora from my phone and computer (when tethered to my phone), I surf, I check email (Exchange and Outlook) as well as look at the occasional cat video on YouTube..
What I do not do.. is watch TV, stream movies, download torrents, and all that other crap that uses significant amounts of bandwidth when I tether.. if you are that stupid, then you deserve to be caught.
I disagree, in fact, I am willing to bet that the password could be brute forced in a very short amount of time..
Why..
Because no one just sets a password cracker off and waits.. Well, no one with any idea on how to brute force.
First, I run the hashes against rainbow tables. :)
Next, I group my tests. First, just numbers (I generally set my limit to 50 characters)
Next group, just letters (50 char limit)
Next group, just special characters (50 char limit)
Next group, numbers and letters (I usually drop that down to a 25 char limit to reduce the time)
Finally, all character sets, upper and lower case, numbers and special characters, and let it run for a few days. If by that point I do not have the remainder of the passwords, I deem them good enough. PS, PS3s make awesome password cracking machines
In theory, given enough computational power, any password can be cracked (although a better method is to attack the password generating mechanism rather than the password if the hashing/algorithms used are known to have a weakness).
I'm sure there are better methods, but these have worked for me, and you catch the low hanging fruit easily enough.
I doubt they have any malicious intent, at least not in the same way as a phishing scam. However, I would not be surprised if the submitted passwords ended up in a massive set of rainbow tables at some point....
My password is just as long, and like you, I rarely ever get it wrong.... More to the point though.. I have no idea what my actual password is, if you ask me to write it down, I am liable to get it wrong most of the time, but I can certainly type it out without any issues.
My password scheme..
I use 4 random words, separated by spaces and punctuation, 1 of those words will have something to do with the application or site I am connecting to. Every few months, I will change the password, using those same 4 words, changing the order, and the location of the punctuation. Throughout the password I will also randomly replace letters with their related number or special character symbols.
I have yet to forget my password (except on sites where I will log in once every 4 or 5 months, the Startek website being one of those (the user and parts site for my car), where I do a password reset and pick a new password).
Maybe your company should consider looking into single sign-on solutions that integrate with Active Directory (or whatever authentication mechanism you are using).
I don't have any mod points.. otherwise I would mod this up.. this made me laugh a little this morning...
Not all certs are meaningless. Sure, most people who can study a book can pass a certification test. Some of course are harder than others. That being said, they do have meaning.
They show that some people are willing to put in the effort, time and money to pass a certification. Also, some certifications are required for certain positions. The CISSP for example. Go see https://www.isc2.org/dod-fact-sheet.aspx#whatis which explains what some of DOD Directive 8570.1 is.
Me, when I hire, I do require a CISSP, not just because I like the piece of paper (trust me, I spent years actively avoiding getting my own, I think it is a money making racket in some cases), but it is required by many of the contracts I consult on.
Top Gear regularly re-records certain segments for other markets, particularly in the US, which is why sometimes if you watch the exact same episode for 2 different markets, they will have some variances, usually the re-recorded spots, where they may use imperial measurements, and dollar amounts as opposed to metric and Euro/Pound/Whatever currency.
Do these 50mpg cars mysteriously hover above the road without touching it.. are they lighter.. do they patch the road and kiss it goodnight when they are done driving...
No, they do the exact same damage as any other car on the road in the same class. A Golf weighs less than a Prius, but they both have 4 wheels, they both do the same amount of damage to the road. But then both get good mileage (a diesel Golf gets better mileage than most hybrids). However, cars of equivalent weight, where say one gets 15mpg.. the other is 40... say like my previously owned Toyota Camry hybrid.. and my current MB AMG C63, both weigh about the same, but I can damn well guarantee you that I am using more gas in my AMG, and therefore paying a lot more in taxes..
Your comparison is flawed on so many levels..
I tether my corp laptop when I am on my client site (where I cannot connect my laptop to the network). Unfortunately, my corp policy pushed out to the laptop includes a daily backup, that is what was running around that point.. it's annoying, but I cannot turn it off. I can kill the process, but sometimes I forget, and then end up with a much larger backup....
If you look at your bill, it shows how much data per day and when the sessions started and stopped. Short sessions are not counted separately, rather grouped into the previous or next major session. I tether, and I just checked my bill, currently about 2.5 GB per month is what I am running on the high side.
Here is a sample from a few days of use last month..
336 MON 01/31/2011 9:23AM Data Transfer Data 222,366 KB DPPB AT GPRR Out 0.00
337 MON 01/31/2011 11:30AM Data Transfer Data 75,889 KB DPPB AT GPRR Out 0.00
338 MON 01/31/2011 11:02PM Data Transfer Data 513 KB DPPB AT GPRR Out 0.00
339 TUE 02/01/2011 12:02AM Data Transfer Data 4,323 KB DPPB AT GPRR Out 0.00
340 WED 02/02/2011 8:27AM Data Transfer Data 38,168 KB DPPB AT GPRR Out 0.00
341 WED 02/02/2011 11:32AM Data Transfer Data 107,778 KB DPPB AT GPRR Out 0.00
342 WED 02/02/2011 2:50PM Data Transfer Data 38,417 KB DPPB AT GPRR Out 0.00
Even if I was streaming Pandora all day, and surfing the internet, and using various network aware apps and YouTube (which would conflict with Pandora from an audio standpoint), it would still be hard to hit 220 MB between say 9:30am and 11:30am on lines 336 and 337.
That would be a dead giveaway. They would not even have to use deep packet inspection to pull agent strings, or anything.
But like someone else said, they are probably just going to hit people that use exorbitant amounts of bandwidth, although as a security person, I could easily develop something automated to find the majority of those tethering without any human interaction required..
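An added example (not from the post or the carrier) of the kind of automated check the post describes, run over the billing lines shown above: parse each session, total usage per day, and flag sessions by raw volume or by volume divided by the gap to the next session start (the bill records only start times, so the next start is an upper bound on duration). The thresholds are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed test input: the seven billing lines quoted in the post.
SAMPLE_BILL = """\
336 MON 01/31/2011 9:23AM Data Transfer Data 222,366 KB DPPB AT GPRR Out 0.00
337 MON 01/31/2011 11:30AM Data Transfer Data 75,889 KB DPPB AT GPRR Out 0.00
338 MON 01/31/2011 11:02PM Data Transfer Data 513 KB DPPB AT GPRR Out 0.00
339 TUE 02/01/2011 12:02AM Data Transfer Data 4,323 KB DPPB AT GPRR Out 0.00
340 WED 02/02/2011 8:27AM Data Transfer Data 38,168 KB DPPB AT GPRR Out 0.00
341 WED 02/02/2011 11:32AM Data Transfer Data 107,778 KB DPPB AT GPRR Out 0.00
342 WED 02/02/2011 2:50PM Data Transfer Data 38,417 KB DPPB AT GPRR Out 0.00
"""

# Matches the line layout above: seq, weekday, date, time, then KB volume.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+[A-Z]{3}\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}[AP]M)\s+Data Transfer\s+Data\s+"
    r"(?P<kb>[\d,]+)\s+KB\b"
)


@dataclass
class Session:
    seq: int
    start: datetime
    kb: int


def parse_bill(text):
    """Turn billing text into Session records; non-matching lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M%p")
        sessions.append(Session(int(m["seq"]), start, int(m["kb"].replace(",", ""))))
    return sessions


def daily_totals_kb(sessions):
    """Sum KB per calendar day, keyed by ISO date string."""
    totals = {}
    for s in sessions:
        key = s.start.date().isoformat()
        totals[key] = totals.get(key, 0) + s.kb
    return totals


def flag_sessions(sessions, volume_kb=200_000, rate_kb_per_min=500):
    """Return (seq, reason) for sessions that look like more than a phone.

    'volume': a single session at or above volume_kb.
    'rate':   KB divided by minutes until the next session start is at or
              above rate_kb_per_min (assumed thresholds, not carrier values).
    """
    flagged = []
    ordered = sorted(sessions, key=lambda s: s.start)
    for i, s in enumerate(ordered):
        reason = None
        if s.kb >= volume_kb:
            reason = "volume"
        elif i + 1 < len(ordered):
            minutes = (ordered[i + 1].start - s.start).total_seconds() / 60
            if minutes > 0 and s.kb / minutes >= rate_kb_per_min:
                reason = "rate"
        if reason:
            flagged.append((s.seq, reason))
    return flagged


if __name__ == "__main__":
    sess = parse_bill(SAMPLE_BILL)
    print(daily_totals_kb(sess))
    print(flag_sessions(sess))
```

With the sample, line 336 is flagged on volume and line 341 on rate (about 544 KB/min over the 198 minutes until line 342 starts).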
They do know this, however unlike other places in the world, we are a captive audience when it comes to wireless providers, the 4 major carriers (and now I will put on my tinfoil hat) appear to collude to a point that price and features all cost around the same. The only thing that differentiates them is how good their coverage is in the different areas.
It only became a Federation after we discovered the warp drive... :)
More so, logging via MAC address, which is a modifiable identifier, is a moot point. For example, I have FIOS, I have long since replaced my Actiontec router (three times actually), and use an OpenBSD box as my primary gateway/firewall. For the DHCP to function, I had to forge the MAC address of the Actiontec on the OpenBSD box.. easy enough to reset, and when they show up, the Actiontec router I have will have a different MAC address. Obviously, this will not remove all suspicion since the MAC is associated with my account, but it could introduce enough doubt to screw with court orders and potential lawsuits..
I disagree with your disagreement.... :)
L3 is not a small tier 1 provider by any means, and if Comcast wants to pull this crap, then L3 should completely remove all peering agreements with Comcast. That would affect Comcast's view of the internet quite significantly. In fact, if all ISPs do this, that would leave Comcast a tiny isolated WAN network. At that point, I suspect the entire internet would no longer function, and they would change their attitude towards forcing content providers to fork over the cash.
As the original synopsis concluded, it's not like L3 is pushing data across Comcast's network as a transport to other networks, rather this is traffic that Comcast subscribers have requested. Comcast already charges their subscribers, those subscribers are requesting that data. This sets a bad precedent, next thing you know they will start asking every ISP for money for VoIP, start charging Blizzard for the privilege of letting their customers connect to WoW... etc.. etc...
What most people, and based on your comment, you, don't seem to realize, is that the results you see under any single president (and it's like this for most countries that are not dictatorships), were not caused or created by that president, but by the 2 or 3 presidents (and associated houses and congresses) before him.
What gets put in motion today, might not see any recognizable returns for many many years to come.
Smallville was not really cancelled, as much as it has run its course. It lasted 9 seasons with decent ratings, not the best, but not quite plummeting. This is the last season. I never really got into Supernatural (and not that I would admit I got into Smallville in public either :) but I do like superhero type shows, so I 30 second skip through the crappy love aspect they throw in there).
As for those you mentioned, while the Stargate franchise ran for a while, Atlantis only lasted 5 seasons, although the writers strike is probably what did them in.
Lexx, only ran for 4 seasons, Farscape also only lasted 4 seasons.
I have used QRadar as part of a DHS/US-CERT initiative. It was pretty, but it did not scale so well when you have 12 major operational networks to monitor.
ArcSight makes a quality product, and while I am no fan of their licensing costs (they are ridiculous... cost per user, cost per processor, cost per agent, even more expensive cost for admin user...), I doubt HP will butcher the product. At most I see rebranding, and additional support for HP's other product line, but other than that, doubt much will change.
Disabling the ability to mount or mounting read only for USB mass storage devices would not have made a difference. Further, there is a fundamental flaw with USB...
During Blackhat/Defcon (or was it B Sides), a guy, whose name completely escapes me right now, as I did not get a chance to attend the briefing/talk, took a USB thumb drive and added some keyboard hardware to it. When you plug it into the system, it registers as an HID device, not a USB Mass Storage device...
Guess what, every computer that is sold uses a USB keyboard and mouse. I am sure you can still find PS/2 based keyboards, but not for places that require users to use a crypto card, or a CAC card (per HSPD-12), which generally drops into the keyboard, those are USB devices.
A small script with some keystrokes embedded into the USB drive that identifies itself as a keyboard, and you can instruct it to do whatever....
USB itself is flawed in that respect, so simply disabling USB Mass storage will not work.
Now if only I could remember who gave the damn talk....
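A defensive check for the point made in this post, as an added example that is not from the post or the talk it refers to: since blocking the mass storage class does nothing against a device that enumerates as a keyboard, audit what has actually enumerated and flag HID keyboards that are not on an allowlist. The sysfs reader is Linux-only and assumed to be run as an administrator; the device records and vendor:product IDs used in the sample are constructed placeholders.

```python
import os
from dataclasses import dataclass, field

# USB interface class codes (bInterfaceClass) and the boot keyboard protocol.
HID_CLASS = "03"
MASS_STORAGE_CLASS = "08"
KEYBOARD_PROTOCOL = "01"


@dataclass
class UsbDevice:
    vendor: str       # idVendor as 4 hex digits
    product: str      # idProduct as 4 hex digits
    # (bInterfaceClass, bInterfaceProtocol) for each interface the device exposes
    interfaces: list = field(default_factory=list)


def _read(path):
    with open(path) as f:
        return f.read().strip()


def read_sysfs_devices(root="/sys/bus/usb/devices"):
    """Linux only: build UsbDevice records from sysfs. Device dirs look like
    '1-2' and carry idVendor/idProduct; interface dirs look like '1-2:1.0'
    and carry bInterfaceClass/bInterfaceProtocol."""
    devices = {}
    for name in sorted(os.listdir(root)):   # '1-2' sorts before '1-2:1.0'
        path = os.path.join(root, name)
        if ":" in name:
            dev = name.split(":")[0]
            if dev in devices:
                devices[dev].interfaces.append((
                    _read(os.path.join(path, "bInterfaceClass")),
                    _read(os.path.join(path, "bInterfaceProtocol"))))
        elif os.path.exists(os.path.join(path, "idVendor")):
            devices[name] = UsbDevice(_read(os.path.join(path, "idVendor")),
                                      _read(os.path.join(path, "idProduct")))
    return list(devices.values())


def audit(devices, allowed_keyboards):
    """Return (vendor:product, finding) pairs.

    'unexpected keyboard'   : a HID keyboard interface on a device that is not
                              in the allowlist (the thumb-drive-as-keyboard case).
    'hid+storage composite' : one device exposing both HID and mass storage,
                              which a storage-only block leaves half functional.
    """
    findings = []
    for d in devices:
        ident = f"{d.vendor}:{d.product}"
        classes = {c for c, _ in d.interfaces}
        is_keyboard = any(c == HID_CLASS and p == KEYBOARD_PROTOCOL
                          for c, p in d.interfaces)
        if is_keyboard and ident not in allowed_keyboards:
            findings.append((ident, "unexpected keyboard"))
        if HID_CLASS in classes and MASS_STORAGE_CLASS in classes:
            findings.append((ident, "hid+storage composite"))
    return findings


# Constructed sample: placeholder IDs, not real vendors.
SAMPLE_DEVICES = [
    UsbDevice("1111", "0001", [(HID_CLASS, KEYBOARD_PROTOCOL), (HID_CLASS, "00")]),  # the approved keyboard
    UsbDevice("2222", "0002", [(HID_CLASS, KEYBOARD_PROTOCOL)]),                      # "thumb drive" enumerating as a keyboard
    UsbDevice("2222", "0003", [(MASS_STORAGE_CLASS, "50"), (HID_CLASS, KEYBOARD_PROTOCOL)]),  # composite
    UsbDevice("3333", "0004", [(MASS_STORAGE_CLASS, "50")]),                          # plain storage
]
ALLOWED_KEYBOARDS = {"1111:0001"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEVICES, ALLOWED_KEYBOARDS):
        print(*finding)
```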