It's an old attack, with a son breaking windows and father repairing them. However, since they did it on Internet, maybe they can patent it and make the rest of the scum pay the licensing fees?
From reading the Krebs deep-dive a year ago, I think it was a pretty straightforward protection racket: Identify a private minecraft server host that is using a competitor's anti-DDOS service. DDOS the competitor so they were ineffective and also couldn't respond to service requests, then DDOS the minecraft host itself. Then, offer your own anti-DDOS service to the Minecraft host at the seemingly most opportune time (obviously stopping your DDOS on the server once they sign up).
The Minecraft server operators had to know what was going on, but they didn't really care, like most people suffering under a protection racket.
Which is why people keep the "location" and "wifi" capabilities of their phones turned off unless they actually have a need for them.
Those are software switches. You know how people tape over their webcams?
If your Echo is compromised or Amazon is evil, you have some pretty serious problems. If your phone is compromised or your phone provider is evil, it's game over.
To reiterate, I'm not actually that paranoid where I wouldn't use or carry a phone, but I do think the comparison is helpful.
An attacker's own keylogger might well be recognized as malicious and blocked from communicating with the network stack...
What led you to believe the built-in tool sends the keystrokes over the network? The attacker is still on the hook for exfiltration, so the GP is correct: at that point he has already won.
Hard not to blame capitalism. Until their are checks in balances in place to move in a way that is actually good for us, it's all a race into the toilet.
It's also hard not to feel incredibly grateful when you compare it to heavily regulated countries.
So you (1) disable the GPS in software, then (2) keep the phone mostly in your coat pocket, which is adequate to block GPS signals. After all, all that a GPS signal gives you is your location, and you know that already. (Or at least, I do. But then, I've done enough map-making to be more confident of my navigation than 90%+ of people.)
Oh, you also get time from a GPS. Big fucking deal.
I don't actually think phones are secretly tracking people and transmitting audio, location, or other data. I simply think when you compare the potential privacy issues of an Echo versus a cell phone (any cell phone), the Echo doesn't come off so bad.
You cannot stand up and protest in your office. Why do you think football entertainers -- uh, players -- should be able to do so?
I go to a movie and the actors decide in their first scene to stand up and protest. Do you think the movie producers will stand for that? Do you think the audience should sit for that?
What is the difference???????
Actors do all sorts of stupid things while the camera is not rolling, much like athletes do all sorts of stupid things when the clock is not running. It's a good analogy that works against your point.
I'm guessing you don't do heavy video or photo editing.
It's a safe guess as most people do not. There are a thousand other jobs.
My job requires Linux, so obviously Windows is a bad choice for me. But I am not going to apply my own requirements broadly to all people, that would be silly.
There are far more photographers than Unix admins out there. I'd wager far more people in video, too.
Sorry, didn't properly quote your concluding comments, which makes it look like mine if somebody missed your comment.
Bottom line: the phone is better tested and documented tech, over which you have far more control, and which confers significant communication benefits. I see no such case for the Echo or its ilk. They're all downside as far as I'm concerned. I can order soap with a keyboard and operate light switches manually just fine, thank you.
I think that's a false equivalency, for several reasons.
1. Your phone's mic does not have to be always-on. Smart people don't do that. An Echo's mic, by contrast, must be always on; that is its intended purpose, and it's not useful otherwise.
You have the ability to audit your Echo's data usage. You do not have that ability with your phone. That means that while in both cases you must take the word of the tech company that the Echo does not transmit audio unless it hears the wake word and that your phone doesn't transmit all audio arbitrarily, you can actually conclusively verify with the Echo (or at least spot-check).
2. Yes, any device with a mic can be hacked, or subverted by a state actor. However, I've read the iOS security architecture document, and I'll bet it's a much harder target than an Echo.
The iPhone is a way bigger target than the Echo. There are far more of them and they would be far, far more useful when compromised. That means it gets more security focus, from the company providing it and from bad actors.
3. The phone has significant benefits to me which outweigh the risks. The Echo is a novelty that has no such benefits, in my opinion. Others may differ.
I completely agree with this general statement, though I think the Echo is low enough risk as to be in line with the benefits (again, when compared to the phone, which is seriously a hacker's/evil state's dream)
Bottom line: the phone is better tested and documented tech, over which you have far more control, and which confers significant communication benefits. I see no such case for the Echo or its ilk. They're all downside as far as I'm concerned. I can order soap with a keyboard and operate light switches manually just fine, thank you.
If my cell phone was recording everything around me and transmitting it, my pocket would be on fire, my battery would be dead before lunch every day, and my bandwidth allowance would be toast by the end of the first week every month. At home, there's essentially infinite power, no bandwidth limitation, and I can hardly tell the difference between a small hockey puck that's idling & one that's active just by looking at it or touching it. Tolerances for cooling aren't nearly as tight as a phone.
The limitations of a mobile platform provide a degree of safety, or at least verifiability. The laws of physics are on your side in this case.
You have it backwards, or at least you are only looking at one side of the equation. An Echo stays in one place, and must rely on your router to dial out, which means you have full control over its connectivity and you have the ability to inspect bandwidth usage. Your phone has a separate and completely opaque connection to whatever mothership you're afraid of.
Your phone will also not "be on fire" if it is transmitting audio, which is the only kind of data the Echo has access to. Nor does it need to record or transmit 100% of the time, because your phone has a location device built-in.
I think you are either overplaying the scariness of the Echo or willfully ignorant of how a phone is an order of magnitude scarier, because you have already accepted the tradeoff for that particular device (and a phone does provide far more than an order of magnitude more utility than an in-home smart assistant).
Presumably though cell phones have a power constraint, the battery...
Well your phone also has a GPS so there's no reason to record everything, maybe just in certain areas or when it is in proximity to another targeted device. Heck, maybe all the evil party cares about is your location, and that incurs practically no overhead to upload.
I want something open source, that runs locally on my home network. If it requires connectivity to a server on the Internet, I don't want it.
There's no legitimate reason such a device can't be made except so that the tech companies can access whatever data they want - which yes, is PROBABLY just for product improvement (which will include better, creepier targeted advertising), but is also a massive invasion of privacy with all sorts of potential to be used by criminals and the government doing things you'd consider criminal.
Nothing changed in the last three years. The Echo now does more, but has the same privacy concerns now as it did then. No, hacking demonstration on the Echo is nowhere near as scary as the malware floating around on phones, and those are far, far more privy to information than the Echo is. I 100% agree that people should carefully consider whether the privacy concerns of an Echo are an acceptable tradeoff for them.
This reminds me of when a teenager "discovers" things his parents loved/hated thirty years prior.
I'm curious how that makes it faster. Using the built-in search, I don't have to use modifiers (win+r) and I don't even have to type in the full program name. Like, for Chrome: Win-C-H-R-(ENTER). If you can share how it's better, I'd appreciate it as I'm always game for a lazier or more efficient keyboard shortcut.
I don't even use the start button 95% of the time. I hit the win key and start typing the name of the application I'm looking for. It was a habit I picked up with Win 8.1, and even though 10 has a decent start menu in comparison, I like typing better.
The rest of what you wrote is nice, but is a bit of a straw man argument. My original statement was
One of the ways people get rich is by recognizing good and bad investments
You're talking about how rich people invest, not about investments that can make you rich. And there are so many ways people have successfully invested their money that have nothing to do with high frequency trading or your shotgun approach--unless you're talking about a diversified buy and hold portfolio, in which case I agree--that I find your general premise very lacking in imagination.
There are lots of comfortably, though not necessarily fabulously, wealthy people who became as much by sound investment and disciplined living. It is not a guarantee, but I can very nearly guarantee you that investing $2.30 a day ($2.50 minus the cost of a home made cup) in something reasonable will give you better results than buying a cup of coffee at a chain. Even if it's $575 a year in a mutual fund.
Question is: had you ever have fun in your life?
Look, I'm not saying you're doing it wrong. But don't you say I'm doing it wrong either.
I'd rather have my fun now, thank you, even if that means not saving as much as you do, or not being as cheap as you are.
Ask him again in ten years. Then twenty. Then thirty.
He's talking about $850 a year. That's not going to make or break anyone's investment portfolio... It's nonsense the aristocracy tells it's workers to excuse stagnant and falling wages. Don't fall for it.
One of the ways people get rich is by recognizing good and bad investments--ostensibly what Shark Tank is about. For a coffee lover, a $6-8 bag of coffee is a good investment. A $2-5 cup of coffee is a bad investment.
If they didn't take steps at the time to investigate, I would say it's impossible now. You need a record of the SSID and what mac address was sending it, and then you need to know if it matches the mac address of a known device on the plane, and then also be willing to accept the possibility that it could be somebody spoofing somebody else's mac address on the flight. It's really no different than leaving a note somewhere that says the same thing, in such a way that it would not be immediately noticed and so be traceable back to you. You'd have to look for paper, pens/pencils, ask who was doing what when, etc. It's possible in some cases you would get a positive ID, but probably not worth the effort. Just like searching everybody's devices for the right kind of software if you couldn't quickly locate the source, it's intrusive and probably not worth the effort.
Essentially, what I'm saying is that if there is a reasonable way for them to identify the culprit, I'm pretty sure they would be prosecuted. The OP seemed to be suggesting that they would not normally prosecute, when the reality is more likely that they would if they could.
Slashdot Mirror
It's an old attack, with a son breaking windows and father repairing them. However, since they did it on Internet, maybe they can patent it and make the rest of the scum pay the licensing fees?
From reading the Krebs deep-dive a year ago, I think it was a pretty straightforward protection racket:
Identify a private minecraft server host that is using a competitor's anti-DDOS service. DDOS the competitor so they were ineffective and also couldn't respond to service requests, then DDOS the minecraft host itself. Then, offer your own anti-DDOS service to the Minecraft host at the seemingly most opportune time (obviously stopping your DDOS on the server once they sign up).
The Minecraft server operators had to know what was going on, but they didn't really care, like most people suffering under a protection racket.
Which is why people keep the "location" and "wifi" capabilities of their phones turned off unless they actually have a need for them.
Those are software switches. You know how people tape over their webcams?
If your Echo is compromised or Amazon is evil, you have some pretty serious problems. If your phone is compromised or your phone provider is evil, it's game over.
To reiterate, I'm not actually that paranoid where I wouldn't use or carry a phone, but I do think the comparison is helpful.
An attacker's own keylogger might well be recognized as malicious and blocked from communicating with the network stack...
What led you to believe the built-in tool sends the keystrokes over the network? The attacker is still on the hook for exfiltration, so the GP is correct: at that point he has already won.
Hard not to blame capitalism. Until their are checks in balances in place to move in a way that is actually good for us, it's all a race into the toilet.
It's also hard not to feel incredibly grateful when you compare it to heavily regulated countries.
So you (1) disable the GPS in software, then (2) keep the phone mostly in your coat pocket, which is adequate to block GPS signals. After all, all that a GPS signal gives you is your location, and you know that already. (Or at least, I do. But then, I've done enough map-making to be more confident of my navigation than 90%+ of people.)
Oh, you also get time from a GPS. Big fucking deal.
I don't actually think phones are secretly tracking people and transmitting audio, location, or other data. I simply think when you compare the potential privacy issues of an Echo versus a cell phone (any cell phone), the Echo doesn't come off so bad.
You cannot stand up and protest in your office. Why do you think football entertainers -- uh, players -- should be able to do so?
I go to a movie and the actors decide in their first scene to stand up and protest. Do you think the movie producers will stand for that? Do you think the audience should sit for that?
What is the difference???????
Actors do all sorts of stupid things while the camera is not rolling, much like athletes do all sorts of stupid things when the clock is not running. It's a good analogy that works against your point.
I'm guessing you don't do heavy video or photo editing.
It's a safe guess as most people do not. There are a thousand other jobs.
My job requires Linux, so obviously Windows is a bad choice for me. But I am not going to apply my own requirements broadly to all people, that would be silly.
There are far more photographers than Unix admins out there. I'd wager far more people in video, too.
Why does everyone who is pro-Windows do "heavy video" and "photo editing"?
Oh a Mac would be a better option if that was a requirement for you. Ubuntu, or any flavor of Linux, would be far behind Windows, though.
Other than Outlook (which will work online these days) and gaming, my Ubuntu laptop works fine for productivity.
I'm guessing you don't do heavy video or photo editing.
Bottom line: the phone is better tested and documented tech, over which you have far more control, and which confers significant communication benefits. I see no such case for the Echo or its ilk. They're all downside as far as I'm concerned. I can order soap with a keyboard and operate light switches manually just fine, thank you.
I think that's a false equivalency, for several reasons.
1. Your phone's mic does not have to be always-on. Smart people don't do that. An Echo's mic, by contrast, must be always on; that is its intended purpose, and it's not useful otherwise.
You have the ability to audit your Echo's data usage. You do not have that ability with your phone. That means that while in both cases you must take the word of the tech company that the Echo does not transmit audio unless it hears the wake word and that your phone doesn't transmit all audio arbitrarily, you can actually conclusively verify with the Echo (or at least spot-check).
2. Yes, any device with a mic can be hacked, or subverted by a state actor. However, I've read the iOS security architecture document, and I'll bet it's a much harder target than an Echo.
The iPhone is a way bigger target than the Echo. There are far more of them and they would be far, far more useful when compromised. That means it gets more security focus, from the company providing it and from bad actors.
3. The phone has significant benefits to me which outweigh the risks. The Echo is a novelty that has no such benefits, in my opinion. Others may differ.
I completely agree with this general statement, though I think the Echo is low enough risk as to be in line with the benefits (again, when compared to the phone, which is seriously a hacker's/evil state's dream)
Bottom line: the phone is better tested and documented tech, over which you have far more control, and which confers significant communication benefits. I see no such case for the Echo or its ilk. They're all downside as far as I'm concerned. I can order soap with a keyboard and operate light switches manually just fine, thank you.
Scope matters.
If my cell phone was recording everything around me and transmitting it, my pocket would be on fire, my battery would be dead before lunch every day, and my bandwidth allowance would be toast by the end of the first week every month. At home, there's essentially infinite power, no bandwidth limitation, and I can hardly tell the difference between a small hockey puck that's idling & one that's active just by looking at it or touching it. Tolerances for cooling aren't nearly as tight as a phone.
The limitations of a mobile platform provide a degree of safety, or at least verifiability. The laws of physics are on your side in this case.
You have it backwards, or at least you are only looking at one side of the equation. An Echo stays in one place, and must rely on your router to dial out, which means you have full control over its connectivity and you have the ability to inspect bandwidth usage. Your phone has a separate and completely opaque connection to whatever mothership you're afraid of.
Your phone will also not "be on fire" if it is transmitting audio, which is the only kind of data the Echo has access to. Nor does it need to record or transmit 100% of the time, because your phone has a location device built-in.
I think you are either overplaying the scariness of the Echo or willfully ignorant of how a phone is an order of magnitude scarier, because you have already accepted the tradeoff for that particular device (and a phone does provide far more than an order of magnitude more utility than an in-home smart assistant).
Presumably though cell phones have a power constraint, the battery...
Well your phone also has a GPS so there's no reason to record everything, maybe just in certain areas or when it is in proximity to another targeted device. Heck, maybe all the evil party cares about is your location, and that incurs practically no overhead to upload.
I want something open source, that runs locally on my home network. If it requires connectivity to a server on the Internet, I don't want it.
There's no legitimate reason such a device can't be made except so that the tech companies can access whatever data they want - which yes, is PROBABLY just for product improvement (which will include better, creepier targeted advertising), but is also a massive invasion of privacy with all sorts of potential to be used by criminals and the government doing things you'd consider criminal.
So I take it you don't use a cell phone?
Nothing changed in the last three years. The Echo now does more, but has the same privacy concerns now as it did then. No, hacking demonstration on the Echo is nowhere near as scary as the malware floating around on phones, and those are far, far more privy to information than the Echo is. I 100% agree that people should carefully consider whether the privacy concerns of an Echo are an acceptable tradeoff for them.
This reminds me of when a teenager "discovers" things his parents loved/hated thirty years prior.
The whole point of a GUI operating system (e.g. Windows) is NOT having to type the name of every program you want to run
I don't have to, I choose to because it is faster, easier, and works on any recent version of desktop or server Windows OS.
I'm curious how that makes it faster. Using the built-in search, I don't have to use modifiers (win+r) and I don't even have to type in the full program name. Like, for Chrome: Win-C-H-R-(ENTER). If you can share how it's better, I'd appreciate it as I'm always game for a lazier or more efficient keyboard shortcut.
I don't even use the start button 95% of the time. I hit the win key and start typing the name of the application I'm looking for. It was a habit I picked up with Win 8.1, and even though 10 has a decent start menu in comparison, I like typing better.
Because it seems like it's on the tip of your tongue, I think the word you're looking for is "liquidity."
that's not true. Not even a little bit.
The rest of what you wrote is nice, but is a bit of a straw man argument. My original statement was
One of the ways people get rich is by recognizing good and bad investments
You're talking about how rich people invest, not about investments that can make you rich. And there are so many ways people have successfully invested their money that have nothing to do with high frequency trading or your shotgun approach--unless you're talking about a diversified buy and hold portfolio, in which case I agree--that I find your general premise very lacking in imagination.
There are lots of comfortably, though not necessarily fabulously, wealthy people who became as much by sound investment and disciplined living. It is not a guarantee, but I can very nearly guarantee you that investing $2.30 a day ($2.50 minus the cost of a home made cup) in something reasonable will give you better results than buying a cup of coffee at a chain. Even if it's $575 a year in a mutual fund.
How is this News for Nerds? More importantly do we really want to take financial advise from this guy?
An article titled "The real and shocking story of..." sounds like a pretty unbiased source.
Question is: had you ever have fun in your life? Look, I'm not saying you're doing it wrong. But don't you say I'm doing it wrong either. I'd rather have my fun now, thank you, even if that means not saving as much as you do, or not being as cheap as you are.
Ask him again in ten years. Then twenty. Then thirty.
He's talking about $850 a year. That's not going to make or break anyone's investment portfolio... It's nonsense the aristocracy tells it's workers to excuse stagnant and falling wages. Don't fall for it.
One of the ways people get rich is by recognizing good and bad investments--ostensibly what Shark Tank is about. For a coffee lover, a $6-8 bag of coffee is a good investment. A $2-5 cup of coffee is a bad investment.
If they didn't take steps at the time to investigate, I would say it's impossible now. You need a record of the SSID and what mac address was sending it, and then you need to know if it matches the mac address of a known device on the plane, and then also be willing to accept the possibility that it could be somebody spoofing somebody else's mac address on the flight. It's really no different than leaving a note somewhere that says the same thing, in such a way that it would not be immediately noticed and so be traceable back to you. You'd have to look for paper, pens/pencils, ask who was doing what when, etc. It's possible in some cases you would get a positive ID, but probably not worth the effort. Just like searching everybody's devices for the right kind of software if you couldn't quickly locate the source, it's intrusive and probably not worth the effort.
Essentially, what I'm saying is that if there is a reasonable way for them to identify the culprit, I'm pretty sure they would be prosecuted. The OP seemed to be suggesting that they would not normally prosecute, when the reality is more likely that they would if they could.
If you have a solar panel I suppose that isn't an issue but if you live where coal is used, you are adding to pollution/global warming.
No matter how you get it, those are resources that could be going elsewhere. The computing resources and the power.