>how long until your "Good American" score will be used as a factor in court proceedings, federal hiring practices, etc. etc.?
You mean like this?
The government notice says some or all of the ATS data about an individual may be shared with state, local and foreign governments for use in hiring decisions and in granting licenses, security clearances, contracts or other benefits. In some cases, the data may be shared with courts, Congress and even private contractors.
The tip about speakers was based on practical experience. I used to be able to answer my Nextel phone before it started ringing because the call setup handshake made my speakers pop in rhythm.
>Why not just run it for 5 months and call it good?
Crime has cost-benefit analyses just like legitimate business.
If he ran the scam himself, he'd be limited to what one individual could do before some Google engineer figured out a way to block it.
If he tried to sell his program to other criminals, he'd be betting that criminals wouldn't pass along unauthorized copies.
If he released it for free, it would cost Google way more than he could have stolen on his own, but he wouldn't see most of that kajillion dollars.
So the big payoff was in extortion, telling Google "Nice advertising business ya got here, be a shame if something happened that cost a kajillion dollars, when you could buy insurance for only $150,000". At the risk of getting arrested, a bigger risk than if he'd run the click fraud himself.
All the cases I'd heard of were long, long ago. Are there any recent examples of somebody being that dumb?
>it is claimed that he observed warming actually reflects the Urban Heat Island effect
Misleading, if he's suggesting that climatologists haven't taken this into account. The correction technique is pretty clever: you look at how the temperature changes on windy days when air from the countryside is being blown past the urban thermometers. There is room for error in calculating the correction factors, which is why science requires people to show their work and look at other sources of data.
Those other sources include tree rings, borehole measurements, oxygen isotope concentrations, and likely others that I haven't heard about.
All of which is so well known that I will go so far as to question the motives of anyone who claims the urban heat island effect has led us to err about the temperature record.
A testable prediction/observation, cheaper to derive and easier to check than a prediction about average global temperature (which has to be a probability distribution anyway, how do you check that?) would be evidence that a negative feedback loop (e.g. high clouds) was larger than previously believed, that a positive feedback loop (e.g. humidity, yes, H2O is a greenhouse gas) is smaller than expected, or that some observations don't line up with an average global temperature rise.
Which actually happened. The indirect satellite measurements of tropospheric temperature seemed inconsistent with all other measurements for quite a while, and those results did get published.
I'd like to add another big one to your list:
o What's the most cost-effective response?
Some measures, for example switching to compact fluorescent lighting, are cheap and effective. Others, like taking the entire exhaust from a power plant, separating the CO2 from the nitrogen, and sequestering the CO2 are very expensive. Is it cheaper to build a seawall around Bangladesh or to sequester CO2? That question has hundreds of brothers and sisters which might have surprising answers.
Parent is -1 offtopic at the moment and is directly related to the topic of how the scientific community reacts to climate change skeptics.
Lindzen, by the way, is a climate scientist who thinks that negative feedback loops will win, so it's not just Lomborg and Gray.
>the inflated monetary loss estimates. Totally irrelevant.
If the estimates are inflated, something which has been known to happen, then the misstatement diverts law enforcement resources and can influence sentencing. Petty larceny and grand larceny are separate crimes for a reason.
>If I secure my house with a 100 year old skeleton key lock and also place a big sign in front of the house that says "Door key under welcome mat, $100,000 US in freezer behind ground beef", I may be stupid
Your insurance company will come up with a better word than "stupid".
Obviously negligence by NASA doesn't excuse an illegal breakin. The point everyone's trying to make is that the illegality of the breakin doesn't excuse NASA's negligence.
>Is that not our duty as programming and security professionals?
If we're the ones owning or operating the systems. I've got some trouble believing someone who leaves taunting messages (but not detailed remediation instructions) when they claim they were running a pro bono penetration test.
If voucher and charter advocates get their way, they will add healthy competition but are you sure they're not motivated by weakening the teachers' unions, which consistently support one party?
If advocates of a public education monopoly get their way, they may offer some benefits in integrating different socioeconomic classes, but are you sure they're not motivated by rewarding the teachers' unions?
You've wasted your money unless you do the CD error correction codes with vacuum tubes. Bits calculated by a tube have a warmth that just can't be matched by bits calculated on an IC.
You don't know audiophiles. They'll start arguing that it's an invalid test because the switch is introducing artifacts.
Do we know that the botnet was the result of remote exploits and not the result of users explicitly downloading software that happened to be Trojanized? We can blame Microsoft for opening ports without need, having insecure software listening to those ports, and for making drive-by downloads possible. But if someone just insists on installing dancing cursors or weather forecasts, that's not Microsoft's fault.
Bless you for offering to answer questions! That sort of cooperation is indispensable if security is going to improve.
1. How did you manage the response? The one-smart-person-in-charge-who-stays-awake-the-whole-time approach? The small-team-with-independent-responsibilities model? The review-what-happened-at-shift-change model?
2. What tactics worked, and even more important, what didn't work?
3. What sort of agreements should people have in place with their upstream ISP prior to an incident?
4. How intelligent was the attack traffic? Randomized payload? Does anyone bother spoofing addresses any more?
5. Was it a guided attack or a fire and forget? In other words, did the scum make any changes to their tactics in real time as you tried corrective action?
6. What if anything can be done in the first few minutes/hours?
7. If you had to choose between capacity and filtering, which would you choose?
The discussion is deliberately nontechnical, but I did a comparison of password generator utilities last year and pwdhash came out on top.
You can try to flush out the poison chemically, with chelation therapy or some such approach. Though you won't get all of it and the tissue damage will already have been done.
Absolutely. Current first aid training will teach you things much safer than tourniquets.
>loudly uttering "allah"
A religious obligation for over a billion people five times a day.
The other noteworthy point is that *after* they were dogsniffed, searched and cleared, US Airways refused to sell them replacement tickets. US Airways pointed them to other airlines, which proves it wasn't a safety issue.
Almost all the Democrats voted against the Abu Ghraib Legalization and Magna Carta Repeal Act in October.
First there's the game theory problem. Stop everyone from Saudi Arabia from boarding airplanes, and the killers will put locally recruited types like John Walker Lindh onto airplanes.
Second, nobody has a monopoly on killing innocent people. From Salon's Patrick Smith, via Bruce Schneier's blog:
* In 1985, Air India Flight 182 was blown up over the Atlantic by:
a. Muslim male extremists mostly between the ages of 17 and 40
b. Bill O'Reilly
c. The Mormon Tabernacle Choir
d. Indian Sikh extremists, in retaliation for the Indian Army's attack on the Golden Temple shrine in Amritsar
* In 1986, who attempted to smuggle three pounds of explosives onto an El Al jetliner bound from London to Tel Aviv?
a. Muslim male extremists mostly between the ages of 17 and 40
b. Michael Smerconish
c. Bob Mould
d. A pregnant Irishwoman named Anne Murphy
* In 1962, in the first-ever successful sabotage of a commercial jet, a Continental Airlines 707 was blown up with dynamite over Missouri by:
a. Muslim male extremists mostly between the ages of 17 and 40
b. Ann Coulter
c. Henry Rollins
d. Thomas Doty, a 34-year-old American passenger, as part of an insurance scam
* In 1994, who nearly succeeded in skyjacking a DC-10 and crashing it into the Federal Express Corp. headquarters?
a. Muslim male extremists mostly between the ages of 17 and 40
b. Michelle Malkin
c. Charlie Rose
d. Auburn Calloway, an off-duty FedEx employee and resident of Memphis, Tenn.
* In 1974, who stormed a Delta Air Lines DC-9 at Baltimore-Washington Airport, intending to crash it into the White House, and shot both pilots?
a. Muslim male extremists mostly between the ages of 17 and 40
b. Joe Scarborough
c. Spalding Gray
d. Samuel Byck, an unemployed tire salesman from Philadelphia
Do you think you're exaggerating?
Muslims removed from airplane when passengers found praying to be suspicious
It's not a national security program:
>Government officials could not say whether ATS has apprehended any terrorists.
It can't work because of the base rate fallacy. At any false alarm rate known to man, the output will be statistically indistinguishable from 100% false alarms.
All these problems are aggravated by the fact that they won't correct errors:
>Nor can they see the records "for the purpose of contesting the content."
It's not to keep airplanes safe, it's a general control tool:
>ATS data about an individual may be shared with state, local and foreign governments for use in hiring decisions and in granting licenses, security clearances, contracts or other benefits.
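The base rate argument in the comment above, worked through in numbers. This is an added example and not part of the original comment; the population size, number of genuine targets and detector figures are constructed for the illustration, not figures from ATS or any real program.

```python
"""Base rate fallacy for a rare-target screening system.

Added illustration, not part of the original comment. Population,
prevalence and detector figures are constructed for the example.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    true_alarms: float
    false_alarms: float

    @property
    def total_alarms(self) -> float:
        return self.true_alarms + self.false_alarms

    @property
    def precision(self) -> float:
        """Share of alarms that point at a real target (positive predictive value)."""
        return self.true_alarms / self.total_alarms if self.total_alarms else 0.0


def screen(population: int, targets: int, sensitivity: float,
           false_positive_rate: float) -> ScreeningResult:
    """Expected alarms when every member of the population is scored once.

    sensitivity is P(alarm | target); false_positive_rate is P(alarm | not target).
    """
    if not 0 <= targets <= population:
        raise ValueError("targets must lie between 0 and population")
    for name, p in (("sensitivity", sensitivity),
                    ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability")
    innocents = population - targets
    return ScreeningResult(true_alarms=targets * sensitivity,
                           false_alarms=innocents * false_positive_rate)


def false_alarm_share(population: int, targets: int, sensitivity: float,
                      false_positive_rate: float) -> float:
    """Fraction of all alarms that are false, the quantity the comment is about."""
    return 1.0 - screen(population, targets, sensitivity, false_positive_rate).precision


if __name__ == "__main__":
    # Constructed figures: 700 million passenger-trips screened, 100 genuine
    # targets among them, a detector that catches 90% of those targets.
    population, targets, sensitivity = 700_000_000, 100, 0.9
    print("false-positive rate   false alarms  true alarms  share of alarms that are false")
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5, 1e-6):
        r = screen(population, targets, sensitivity, fpr)
        print(f"{fpr:>19.0e} {r.false_alarms:>14,.0f} {r.true_alarms:>12.0f}"
              f" {1 - r.precision:>31.6f}")
```

Even at a one-in-a-million false positive rate, which no behavioural scoring system approaches, the constructed figures leave roughly seven hundred false alarms for every ninety real ones; at one in ten thousand, fewer than one alarm in five hundred is genuine. The sensitivity barely matters; the prevalence does.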
There's no mention of aggregate, the sand and gravel that cement glues together to make concrete.
There's some justice in saying that Ajax doesn't introduce any new problems over and above Javascript, but that is faint praise and doesn't allow for the fact that buzzword-compliant organizations are now creating more web sites that require Javascript.
His advice about keeping web apps secure is sound and practical but incomplete. The last OWASP conference I went to, one of the speakers pointed out that there's an Ajax development toolkit out there in which you can't tell a priori whether a piece of functionality you program will end up on the client or on the server. "Avoid toolkits like that" should be on the list of security precautions.
>AJAX is a web browser (client-side) technology. It does not execute on the server.
The XMLHttpRequest certainly does execute on the server and allows a range of parser attacks that you were less likely to get with other technologies. Which would you rather validate, a set of CGI parameters or a blob of XML?
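The contrast the comment draws, a flat set of CGI parameters versus an XML body that has to survive a parser before any field can be checked, as an added example. This is not code from the original comment or from any Ajax toolkit; the parameter names, size and depth limits and the sample documents are constructed for the illustration, and the DOCTYPE gate is the standard pre-parse mitigation for entity expansion and external entity attacks, not something the comment specifies.

```python
"""Validating flat CGI parameters versus an XML request body.

Added illustration, not from the original comment. Field names, limits and
sample documents are constructed for the example.
"""

import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# A flat parameter set is checked against an explicit allow-list of names,
# formats and lengths. That is the whole job for a form-style request.
PARAM_RULES = {
    "user": re.compile(r"[a-z0-9_]{1,32}"),
    "page": re.compile(r"[0-9]{1,4}"),
}


def validate_params(query: str) -> dict:
    """Return the validated parameters or raise ValueError on anything unexpected."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True, strict_parsing=True):
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise ValueError(f"unexpected parameter {name!r}")
        if name in out:
            raise ValueError(f"duplicate parameter {name!r}")
        if not rule.fullmatch(value):
            raise ValueError(f"bad value for {name!r}")
        out[name] = value
    return out


# An XML body reaches the parser before any field rule can run, so the parser
# itself is attack surface. The gate below rejects the inputs aimed at it
# (DOCTYPE declarations, which are where internal and external entities are
# defined; oversized bodies; deep nesting) before ElementTree sees the text.
MAX_XML_BYTES = 64 * 1024
MAX_XML_DEPTH = 16
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def max_depth(elem: ET.Element, depth: int = 1) -> int:
    return max([depth] + [max_depth(child, depth + 1) for child in elem])


def parse_xml_request(body: bytes) -> ET.Element:
    """Parse an XML body with the parser-hardening gate applied first."""
    if len(body) > MAX_XML_BYTES:
        raise ValueError("XML body too large")
    if DOCTYPE_RE.search(body):
        # Refusing the DOCTYPE blocks entity expansion and XXE outright.
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(body)
    if max_depth(root) > MAX_XML_DEPTH:
        raise ValueError("XML nested too deeply")
    return root


def validate_xml_request(body: bytes) -> dict:
    """Apply the same field rules as validate_params to a <request> body."""
    root = parse_xml_request(body)
    if root.tag != "request":
        raise ValueError("unexpected root element")
    out = {}
    for child in root:
        rule = PARAM_RULES.get(child.tag)
        if rule is None or len(child) or child.attrib:
            raise ValueError(f"unexpected element {child.tag!r}")
        if child.tag in out:
            raise ValueError(f"duplicate element {child.tag!r}")
        value = child.text or ""
        if not rule.fullmatch(value):
            raise ValueError(f"bad value for {child.tag!r}")
        out[child.tag] = value
    return out


def is_rejected(check, payload) -> bool:
    """True when the validator refuses the payload with ValueError."""
    try:
        check(payload)
    except ValueError:
        return True
    return False


# Constructed sample inputs.
BENIGN_QUERY = "user=alice&page=3"
BENIGN_XML = b"<request><user>alice</user><page>3</page></request>"
# Entity-expansion ("billion laughs") shape, cut down to two levels.
LAUGHS_XML = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
              b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
              b"<request><user>&lol2;</user></request>")
# External entity pointing at a local file.
XXE_XML = (b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b"<request><user>&xxe;</user></request>")
DEEP_XML = b"<request>" + b"<user>" * 20 + b"</user>" * 20 + b"</request>"

if __name__ == "__main__":
    print(validate_params(BENIGN_QUERY), validate_xml_request(BENIGN_XML))
    for label, doc in (("laughs", LAUGHS_XML), ("xxe", XXE_XML), ("deep", DEEP_XML)):
        print(label, "rejected" if is_rejected(validate_xml_request, doc) else "accepted")
```

The two validators enforce identical field rules, but the XML path needs a size cap, a nesting cap and a DOCTYPE refusal before it can even start, and in a real deployment you would also disable external entity resolution in whatever parser the framework actually uses rather than rely on the regular expression alone.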