The fact that a security issue is not disclosed to the public doesn't mean the "bad guys" will never know about it or exploit it
Without public disclosure you can still find your bank account empty
both true, but non disclosure makes it less likely and increases the grace period, and even when the next guy finds it, if he keeps his mouth shut that still makes only 2 possible threats, whereas if you publicize the vulnerability you immediately have millions of potential hackers.
stop thinking that public disclosure makes things more safe, it makes you sound like an idiot
Public disclosure is often needed to force the responsible entities to act
no, actually the hack/disaster itself is usually what forces responsible entities to act (such as aircraft accident or bank account hacking)... as you can tell by TFA, merely knowing of a potential threat doesn't force anything
...is the favoritest word of these dick waving space morons
btw believe it or not i'm a (pragmatic) space enthusiast
yeah i bet he was fond of that led blinker
some bastard stole my bird bath... i loved that thing
only if you have big tits
or darth vader
looks pretty complicated... how much harder would it be to actually use the lasers to detect a break in?
in any case, I WANT ONE!!!
maybe they shouldn't be putting down their televisions, but should instead be picking them up to get some exercise
... buy windows 7 now or you might end up with windows 8!
Does anyone note that EU (first line) is rejecting the US laws (second line), while we idiots subscribe to both.
with any luck they'll contradict each other and when they finally get tested in court we'll find out how toothless they really are
yeah gudammit... stupid laws prevent me from killing my next door neighbor and getting away with it. these so called "laws" are much too strict and affect way too many people... and stuff
def reverse(s):
    # Build the reversed string by prepending each character in turn.
    try:
        trollstring = ""
        for apksays in s:
            trollstring = apksays + trollstring
    except:
        print("error/abend in reverse function")
    return trollstring

# Reversing an empty string prints an empty line.
s = ""
print(reverse(s))
try:
    s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
ParseError: bad input on line5
http://mathcs.holycross.edu/~kwalsh/python/
laughing at your own jokes... good one apk
P.S.=> Especially on custom HOSTS files - he wouldn't be the 1st "Big Name" or even PhD I've blown away on things computing... apk
ummm... no he's just one of the (if not the) most respected experts in security in general. why the fuck would he give a shit about you and your custom hosts files? maybe you should introduce yourself to iptables, which does everything that hosts can do and more. if you came up with some good iptables scripts, who knows, some people may actually take you slightly seriously.
:)
dude... do you have ANY real friends? i bet blathering on about how you "burn asses" of "blowhards" on slashdot with your custom hosts file godliness goes down great with the ladies
yeah i never liked the stupid...
...popups from vista onwards
"the program you're trying to install wants to pwn your machine... just click yes without even reading this and don't worry about security if it allows the program to install"
nowadays if you go around picking on a public figure because of how they dress you're likely to face a defamation lawsuit
...and certifications and accreditations always come with disclaimers
the FAA would have certified the system to the current airworthiness regulations, which no doubt impose much more stringent requirements than any other type of software security certification (you're probably thinking of something ridiculous like McAfee's "Hacker Safe" certification, which is total bullshit, and is nothing like the rigor that the FAA goes through in its certification of anything related to air safety)
http://www.faa.gov/nextgen/implementation/portfolio/trans_support_progs/adsb/faq/#2
read the wikipedia article... how exactly is it relevant? in a court case apportioning blame for an aviation accident, full disclosure might be brought up by renderman's defense lawyer, but i doubt it would save him.
and the reason why full disclosure is bad in this case is because it puts people already in the air at risk... put yourself in the shoes of a passenger travelling in an aircraft for a moment
if a flaw was supposedly found in your bank's security, would you want it publicized? maybe after you have your account emptied you might think differently... the bank may be able to reimburse you if it is their fault, but you would still be upset... now imagine how upset you would be if you were flying with your family on vacation and some moron scriptkiddy hacked the ATC and caused the airplane you were in to be diverted, late or crashed and your family dead...... full disclosure my ass. why do you think national security classifications were devised in the first place? ATC may not be a defense issue, but it certainly affects the security of the flying public
hey I don't think the FAA is guilt-free... they are after all ultimately responsible for air safety, but you gotta admit an ATC management system isn't exactly a simple thing... i challenge anyone else to come up with something that does the same job that is totally secure for a realistic price. anyone who thinks they can are either bullshitting or just plain full of shit.
and i actually believe the FAA's answer (filtering bogus aircraft) is possibly right in this case, as filtering bogus aircraft doesn't seem like a fundamentally difficult problem... the more i think about it the more i think renderman is just blowing smoke out his own ass.
the FAA can be more forgiving than EASA (I've worked on the opposite side of the table to both), but at least they don't just rubber stamp someone else's certification like most authorities... they can't just change the way their ATC system is secured overnight, and I'm sure if they are aware of a potential risk they are looking into it (as an organization they may be as faceless as any other, but there are some really smart people working there). aviation is probably one of the most bureaucratic and heavily regulated industries in the world, and while every software system has potential and real security risks, an organisation like the FAA can only go as far as they practically can given their operating budget and regulatory mandate.
they can shut down the sky (in the USA at least) but would anyone really want that because of a potential security risk in their software? maybe they should, but at what cost? would shutting down the airways kill more people due to increased road traffic and frustration than may be killed by an ATC hack? these are questions that the FAA will be struggling with, but the answers aren't black and white.
what classifies as a security risk? just because someone at Defcon brags about how he can hack the system may or may not mean that he can... or that anyone else can. I didn't read anything in TFA that suggested he actually has, only that he has shown it in simulations and makes assertions.
If Brad was seriously concerned, he would be working with the FAA and he wouldn't have publicized such a risk. If he didn't discover the risk, someone else would have no doubt (or the FAA may already have been aware of it anyway), but publicizing a potential security risk in something as important as Air Traffic Control is in itself a security risk. I think his motivations extend no further than gaining hacker cred, except I'm not even a hacker and I know that's not how it works. Hacker cred is gained by actually hacking... not just bragging to people how you reckon you can hack something.
Brad may not be culpable enough to execute such a hack, but by publicizing it he's putting the information in the hands of plenty of people who might, so if a plane crashes as a result of the very hack that Brad Haines has made known, wouldn't he deserve a portion of the blame? A court could possibly say... yes.
moron
and real programmers use iptables scripts, not hosts... moron
We encrypt and authenticate our CRITICAL systems
the FAA payroll system may well be encrypted
or blind structural rivets (cherrymax)
dammit... keep to the topic will you... now i wonder how many different assholes one can possibly flatulate from?
privilege escalation bugs are found in Linux or Linux modules all the time
care to share a few (not even sarcastic here)... i came across the nvidia one through a google search, but i'm interested what other ones there are (please keep them reasonably current, maybe in the last 4 years)
is there a wikipedia page?
http://en.wikipedia.org/wiki/Privilege_escalation#Examples_of_vertical_privilege_escalation mentions a vulnerability using cron... not sure how old that exploit would be
...apple stock price falls and yesterday's post about apple being the "most valuable" company is no longer relevant
stock price isn't exactly any kind of indicator of value... surely the world would have realized this after the whole dotcom bubble and collapse
the headline should have been "Apple Is Now the Most Valuable Company In History today"
ANARCHY RULZ OK!!!