An attack is still possible. The attack is on vulnerable clients that are tricked into connecting to a rogue AP that is made to look exactly like your existing AP. Whether your AP is fixed or not doesn't matter as it can't stop the rogue AP from showing up. Once your vulnerable client connects to the rogue AP it can be attacked.
Considering your AP is not often a client too (client side is where the real issue is) and you rarely take your AP to other public places they are not the highest priority. The highest priority at the moment are clients like phones, tablets and laptops. They are more likely to go to places where someone might be running a rogue AP.
For people on LEDE:
As the issue is mainly client side (such as when a router acts as a client of another router), two of the three fixes are in packages that can be updated without updating the whole firmware (or even rebooting the router). Updating wpad and hostapd should update them to version xxx-5 which fixes the issue.
There is also a kernel level fix that is going through the motions and will most likely mean 17.01.4 is out soon.
https://forum.lede-project.org...
Javascript is running the internet.
The 'Computer Fraud and Abuse Act' is an American law and so doesn't apply in Switzerland where ProtonMail is based. It might be that Swiss law also bans 'hacking back' but the 'Computer Fraud and Abuse Act' is not relevant in this case.
This is just typical Assange style attention seeking. He has been out of the news for a while and desperately needs people not to forget about him.
The main reason he won’t be handed over to the US any time soon is because he is not wanted by the US. If Assange was wanted by the US there would have been an arrest warrant and an extradition request.
The best chance for the US, if the US indeed had some interest in him, would have been while Assange was walking around freely in the UK between his extradition hearings trying to stop being extradited to Sweden. The US-UK extradition treaty is extremely one-sided in favour of the US so he could have been put on a plane the same day.
Now, considering nobody has ever seen a US arrest warrant for Assange and the US has never attempted to have him extradited it is safe to assume that is not one of his major worries.
Right now, Assange is a fugitive of two police forces. The British justice system wants him for jumping bail, the Swedish justice system wants him for a double rape inquiry.
Assange has always maintained he doesn’t want to go to Sweden because he worries about being extradited to the US (even though that is a very weak argument, see above). If he now has fewer issues with going to the US, why doesn’t he just go to Sweden and face the rape inquiries if he is so confident he has done nothing wrong?
He missed another: WhatsApp uses FreeBSD. Jan Koum even donated USD 1 million to the FreeBSD Foundation to thank them for all their work. https://freebsdfoundation.blog...
The EU is not performing the audit themselves, they are funding the audit performed by a reputable organisation. My bet is that FOX-IT will get the job.
But why would an American go to Panama if they can just go to Delaware?
The people that use services in Panama do that because their local jurisdiction is on the ball w.r.t. tax evasion...
That was a disingenuous response from Facebook and has no bearing on the legality of their tracking. The viewing of content on Facebook.com by non-logged in users was not part of the legal case. Facebook is fined for tracking non-Facebook users on other sites than Facebook.com and none of their actions so far have been enough to legalise their current operation.
So, they may try the same thing as in Belgium but, just like in Belgium, it is completely irrelevant to the case and won't help them one bit.
The technical solution for Facebook to escape massive fines could be to provide websites with a 'social button' whose image is only allowed to be stored locally at the website. Facebook's servers should then only be contacted if someone clicks on the button. In its current design even viewing the button makes Facebook track everyone and that is clearly illegal.
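As an added example (not code from the comment above), here is one way to build the "only contact Facebook when someone clicks" button the comment describes, side by side with the render-time-tracking design it objects to, plus a check a site owner can run over the markup. File paths, function names and the remote image path are assumptions or constructed placeholders; the sharer endpoint is Facebook's public share URL.

```javascript
// Added example: privacy-preserving ("two-click") share button.
// Rendering the page must contact only the site itself; the social network
// is reached only after the visitor clicks. Names and paths are assumptions.

// Safe design: the button image is served from the site's own host and the
// share target is kept in a data attribute, so no third-party request is
// made just by viewing the page.
function renderLocalShareButton(pageUrl) {
  const encoded = encodeURIComponent(pageUrl);
  return `<button class="share-fb" data-share="${encoded}">` +
         `<img src="/static/fb-share.png" alt="Share on Facebook"></button>`;
}

// Tracking design (what the comment objects to): the image is fetched from the
// social network's servers on every page view, cookies included, even if the
// visitor never clicks. The image path is a constructed placeholder.
function renderRemoteShareButton(pageUrl) {
  const encoded = encodeURIComponent(pageUrl);
  return `<a href="https://www.facebook.com/sharer/sharer.php?u=${encoded}">` +
         `<img src="https://www.facebook.com/PLACEHOLDER/share-button.png" alt="Share"></a>`;
}

// Built and opened only when the user clicks (Facebook's public sharer URL).
function shareUrlFor(pageUrl) {
  return "https://www.facebook.com/sharer/sharer.php?u=" + encodeURIComponent(pageUrl);
}

// Site-owner check: every host whose resources the markup fetches at render
// time (src= attributes). href= targets are not fetched until clicked, so
// they are deliberately not counted here.
function resourceHostsInMarkup(html, ownOrigin) {
  const hosts = new Set();
  const re = /\bsrc\s*=\s*"([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try { hosts.add(new URL(m[1], ownOrigin).host); } catch (e) { /* skip malformed */ }
  }
  return [...hosts].sort();
}

// Hosts other than the site's own that would be contacted by merely viewing
// the page; an empty list means no tracking request before a click.
function thirdPartyHosts(html, ownOrigin) {
  const own = new URL(ownOrigin).host;
  return resourceHostsInMarkup(html, ownOrigin).filter(h => h !== own);
}

// Browser wiring for the safe button: open the sharer only on demand.
function attachShareHandlers(doc) {
  for (const btn of doc.querySelectorAll("button.share-fb")) {
    btn.addEventListener("click", () => {
      window.open(shareUrlFor(decodeURIComponent(btn.dataset.share)), "_blank", "noopener");
    });
  }
}
```

Running `thirdPartyHosts` over a site's rendered templates is a quick way to confirm that no social-network host is contacted before a click.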
It's not about what the average user of SSL Labs understands about it. That's why it uses just a couple of letter grades to communicate an overview of the findings. The most important part is that ordinary users can go to their hoster or a website owner and ask them why their site gets a 'D'. The people who run those web servers will know more about the detailed findings of SSL Labs and implement them accordingly.
A personal example. I know a thing or two about SSL/TLS but some things on the SSL Labs results page are over my head too. However, when I noticed that my own site got an 'F' (because of some old cyphers that were still accepted) I filed a ticket with my hoster. A week later they had upgraded the entire shared hosting environment and upgraded everything to an 'A'. In one fell swoop many thousands of websites had their security upgraded because I sent my hoster a detailed outcome of the SSL Labs test.
I have been running OpenWRT on my Asus RT-N16 for a while now. First OpenWRT 14.07 (Barrier Breaker) and now OpenWRT 15.05 (Chaos Calmer) and it works like a charm. OpenWRT is the most stable alternative firmware I have ever used (compared to SveaSoft, DD-WRT, Tomato Toastman and Tomato Shibby).
You’re right that Broadcom is a pain in the ass and my next router will have an Atheros chip. But if you don’t mind using closed source drivers the Asus RT-N16 works like a charm with OpenWRT.
For anyone wanting to try OpenWRT 15.05 on an Asus RT-N16 I can recommend this post on the forum: https://forum.openwrt.org/view...
On a related note: is it really true that even today you can find American engineers not using metric units? That must be a royal pain for things such as collaboration, documentation, supply chain management, reducing cost, competition etc.
First of all, keep an eye on the updates. They should automatically install (or at least warn of their availability) by default. Apple can push out a separate EFI upgrade or it can be part of the next big update (10.10.5 for instance, which is imminent). I expect some or all of these to be fixed fairly quickly.
In the meantime, make sure that you haven’t disabled Gatekeeper (which is on by default). While Gatekeeper can’t defend against infected peripherals you stick in your Thunderbolt port, it can protect against online attacks trying to infect your machine with the Thunderstrike payload. And the chances of being infected through the internet (malicious ads, drive-by downloads, trojans etc.) are far greater than through a peripheral, as it can take months or years before an old-fashioned physical malware spread reaches your machines. That’s one of the downsides of the internet: it has made the spreading of malware incredibly fast.
NRK (the public service broadcaster) and all commercial and private stations are moving off FM in 2017. The only stations staying on FM are local stations. They have asked for a 5 to 7 year extension of FM use while DAB+ for local/smaller stations is being rolled out.
So, the plans for the FM space are fairly straightforward. The only thing not in the plan is the inevitable use by pirate stations.
True, but then FM is not going to be banned either. It's just that all the big stations in Norway are leaving FM. You can still use your FM radio to listen to small local stations (and probably pilots). You will also still be able to buy FM radios in Norway but they now carry stickers to warn people that they will be of less use from 2017.
There are quite a few HiFi separates with DAB+ but you'd need to live in a country that has DAB+ on-air. You won't find one in the US for instance. This gives you some idea of the brands and models available http://www.digicomparison.com/...
One of the reasons to shut it down is massive cost savings. The Norwegian public service broadcaster (NRK) has mentioned a single channel on FM is eight times as expensive as a single channel on DAB. Add to that the massively increased capacity (44 national DAB stations vs. 5 national FM stations) you essentially get more capacity for a fraction of the cost. The NRK will save 200 million krone annually in distribution and maintenance cost.
If that's a problem for some people they can just buy one of those solar powered DAB radios. A friend of mine has one in the kitchen and he never needs to plug it in. The light it catches during the day is enough to charge the battery for the rest of the day.
The 50% threshold is for Digital Switch Over (DSO). The DSO is not about DAB, it's about FM. It makes perfect sense that for that criterion it doesn't matter which digital medium people use, as long as it's not FM. They are essentially measuring how many people still listen to FM. That has dropped to below 50% for in-house already and is steadily declining overall. Once the majority of all radio listening is digital (irrespective of whether that's using DAB, satellite, cable, internet etc.) the plans for the UK's national FM switch-off can come into effect.
You're confusing DAB+ with SiriusXM or IBOC/Ubiquity.
Any device manufacturer or slightly advanced geek can download the DAB+ specs (http://www.etsi.org/deliver/etsi_ts/102500_102599/102563/01.02.01_60/ts_102563v010201p.pdf) and build their own receiver. Anyone with a DAB+ radio can pick up the unencrypted DAB+ signal Free To Air and play it. How is that a walled garden?
Fortunately multipath is not an issue with DAB radio. DAB is especially designed for use in cars, where on FM multipath is common, and DAB has been designed not to suffer from multipath for this reason. The signal is constructed from one or more sources (as opposed to FM where you can only use the signal from one transmitter at a time) broadcasting on the same frequency. If the second signal is slightly delayed but within the time parameters it can even aid to form a better signal. DAB+ uses Reed-Solomon error correction (you know, the ECC also used for audio CDs) which sorts it out.
So, multipath is a problem on FM, it's not a problem with DAB.
"When cybersecurity firm Kaspersky Lab was called in to investigate ATMs that had begun dispensing cash without input from users, they expected to find a simple problem."
The problem is that Kaspersky wasn't "called in"; it's just a dubious PR tactic coupled with a journalist who (surprise, surprise) didn't do any research of their own. They took a discovery from December, renamed the network, inflated the amounts and spun someone else's work as their own.
Graham Cluley had a suspicion about the details which looked awfully familiar: High-tech hackers stole $300 million from 100 banks. But here's what the media forgot to tell you (http://grahamcluley.com/2015/02/bank-hackers/)
Fox-IT, who uncovered this issue last year, have since responded to confirm it was indeed a rehash of an older story (https://www.fox-it.com/en/press-releases/anunak-aka-carbanak-update/) but with some inflated amounts to get news headlines.
I feel it would make most sense if they plan for the abolishing of OpenSSL in favor of a new library called OpenTLS.
Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future. For instance, don’t copy SSL or TLS 1.0 to the new fork. Nobody should be using SSL anyway so it can easily stay out of the new OpenTLS.
The new OpenTLS library can then be cleaned up and strengthened without causing too much harm to users of legacy OpenSSL, although some things could be backported from OpenTLS to OpenSSL.
Anyone starting a new project would obviously opt for OpenTLS and would stay clear of legacy OpenSSL and slowly but surely the use of legacy OpenSSL would diminish in favor of the brave new OpenTLS.
Ehm. You make it sound as if Google owns Mozilla, which is clearly not the case.
Like all browsers, Firefox has a default search engine. Having search traffic directed from Firefox's few hundred million users is very appealing to search companies, who are willing to pay good money for that. This does not mean that the paying customer in any way owns, runs or controls Mozilla. Just like I don't own, run or control the shop on the corner when I pay them for a pack of biscuits.
In the last bidding process Google was top bidder and Mozilla extended its contract with Google. After this contract finishes the contract will go out to tender again and perhaps next time Bing, Yahoo or Baidu is the highest bidder, who knows?
It could even be, if Mozilla at some point decides that Google's practices are not compatible with their own principles, that Mozilla dumps Google and does business with the second highest bidder. It might not even make a massive financial difference.
SVG fonts are an outdated standard and the focus is on its successor, Web Open Font Format (WOFF).
Mozilla has announced they are not going to waste resources on an almost deprecated standard. So, unless the three tests for SVG fonts are removed from the ACID3 test, Firefox will never pass.
Nobody will notice because nobody uses SVG fonts so it is only interesting for people who have been led to believe that ACID tests are important, not for web users or site developers.