I was watching the playoff game where the Surfaces weren't responding... the television crew correctly referred to them as "Microsoft Surface" multiple times while discussing the problems.
Dyn comes in on the other side of the equation. You use your ISP DNS server (or Google's 8.8.8.8, etc.) to look up addresses. But the people running the servers have to publish those addresses somewhere in the first place, and to do so, some of them use a service like Dyn.
To use a simplified phone analogy, Dyn publishes a phone book and your DNS server is 411. If you call 411 and the operator can't find the right phone book, they can't give you the number you want.
Don't mention that they gave away hundreds of thousands of.xyz domains for free to people who didn't even ask for them to get there.
Which has, incidentally, given it a reputation of being 99.9% spam, just like.biz. I visited abc.xyz the day Google announced its reorg, and that remains the only legitimate domain I've ever seen in that TLD. I have postfix rejecting anything with a.xyz "From" header, and it looks like I'm about to add.shop to the list.
IMO the only thing these new TLDs are accomplishing is fracturing the namespace into ever more useless niches that will never be widely accepted or compatible. Oh well, it's their money, if they want to waste it.
I bet they're itching to get some of these drones deployed next time. I've had The Weather Channel streaming as background noise for the past couple of days, and the reporters have been frequently mentioning that Verizon service is down, calling out Verizon specifically instead of just saying "cell service is down." Outages are to be completely expected during this type of event, but it's still not great advertising for vzw.
he said that the movie industry was not above shooting itself in the foot
"I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone." Jack Valenti, MPAA, 1982.
Amazon is in the business of selling products that don't leave a bad taste in the mouths of Amazon customers. They have a vested interest in removing shitty products from their site, as the shitty products reflect poorly upon the Amazon brand. Honest and objective reviews, insulated from retribution by the seller, are a good thing.
Some of the traditional attacks (DNS/NTP reflection and amplification) would be mitigated but it's not likely to help with these IoT DDoSes. When you can control 300,000 pwned devices, you don't need to spoof any traffic.
I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.
FYI, VISA offers merchants a service called VISA Account Updater where if your credit card number changes, VISA will happily sell your new number to any merchant who had your old one. Just great, huh? It used to be if you were dealing with a hostile merchant who refused to stop billing you (think AOL for example), your "nuclear option" was to have your card number changed. Now even that won't work if you use a VISA card, because VISA themselves will sell you out.
Rotating every minute is probably too fast for this purpose. Consider your average consumer poking around online, it might take them more than a minute just to type in their card information, then they see that "Continue Shopping" button and realize they want to add something else to their cart. Next thing you know, 10 or 15 minutes have elapsed between the time they entered their card info and the time they click "Checkout." The card issuers are loath to introduce any frustration into the purchase process. An hour window seems like a good compromise.
A broken 12-hours clock is right twice a day and those broken numbers will be right 26 times in those three years.
Unless you're attempting to use a stolen card every hour for 3 years, you'd have to get really fucking lucky to run your charge at the correct time. And attempting to charge a card every hour is going to get the card flagged for fraud long before your blind squirrel finds his nut.
Regarding this number changing method, how are the new number generated? How does the bank know that numbers are valid ?
I presume it works just like a SecurID or other access control dongle. Your card is seeded with a value known to the bank. The card plugs that seed and the current time into an algorithm that generates the number. When you go to make a purchase, the bank runs the same calculation and looks to see if the numbers match.
I mean, presumably if I have a server somewhere, on Google cloud, AWS, at home, whatever, and it it has a public IP address, then I can have it serve up IP addresses of all my other machines when I give it some name. With whatever naming scheme I might like to use. I can make my own IP address lookup system.
Yes, absolutely. This is how I block advertising and malware sites, I set up a DNS server that resolves 20,000+ domains to 0.0.0.0 and pointed all my devices at it. Nothing is preventing you or anyone else from setting up a DNS server, the only challenge would be convincing others to use it, if that was your goal.
In many jurisdictions, judges aren't required to have any legal background or education whatsoever. Even Supreme Court justices don't need a law degree or license, though one lacking them hasn't been appointed since 1941.
There are a few graves I would like to piss on but I cannot find out where these people are buried.
While doing some genealogy research, I discovered the Billion Graves Project where I found a crystal clear 1600x1200 JPG of my grandparents' headstone. They have volunteers who go around taking pictures of all the headstones in a cemetery, then they're indexed online. In many cases, the exact location of the gravesite within the cemetery will be displayed on a map. Worth a look.
Yahoo locked down their system so that you couldn't log into accounts from new IPs. You had to change your password from an IP you've used before before you could log in again.
That sounds like a great way to permanently lock the majority of your users out of their accounts. Many ISPs have short DHCP leases; millions of people get a new IP every week or every day. And heaven help you if you're stuck on a phone with CGNAT, you might appear to come from a different IP every few minutes. I've had enough annoyances out of Gmail thinking my logins were suspicious that I finally set up a datapipe to a server with a static IP, and I route my Gmail connections through there.
The graph of subject lines caught my eye while looking at the Talos report. In my own experience, the recent floods of mail with subjects like "Budget report," "Tax invoice," "Scanned document," etc. all arrive with some Windows ransomware variant attached. Not sure I'd really call these spam in the traditional sense. They're unsolicited, of course, but they aren't commercial in nature.
That aside, I do see an upward trend in UCE. The biggest offenders for me lately are of the boner pill variety, PurpleRhino and Vydox specifically. I'm seeing dozens of these a day to one particular address.
I'm very inclined to believe that yes, anyone whose mail is hosted by Yahoo is part of the breach. That includes the bells (ATT, SBC, PacBell, BellSouth, etc). Anecdotally I'm confident that the address books and recent contacts of Yahoo Mail users have been compromised for years through some type of exploit. There are spam campaigns that specifically target these accounts in this way, forging the "From" address as someone you have recently communicated with.
Slashdot Mirror
I was watching the playoff game where the Surfaces weren't responding... the television crew correctly referred to them as "Microsoft Surface" multiple times while discussing the problems.
That's a relatively new phenomenon and probably took many hours of re-training to achieve.
Dyn comes in on the other side of the equation. You use your ISP DNS server (or Google's 8.8.8.8, etc.) to look up addresses. But the people running the servers have to publish those addresses somewhere in the first place, and to do so, some of them use a service like Dyn.
To use a simplified phone analogy, Dyn publishes a phone book and your DNS server is 411. If you call 411 and the operator can't find the right phone book, they can't give you the number you want.
Don't mention that they gave away hundreds of thousands of .xyz domains for free to people who didn't even ask for them to get there.
Which has, incidentally, given it a reputation of being 99.9% spam, just like .biz. I visited abc.xyz the day Google announced its reorg, and that remains the only legitimate domain I've ever seen in that TLD. I have postfix rejecting anything with a .xyz "From" header, and it looks like I'm about to add .shop to the list.
IMO the only thing these new TLDs are accomplishing is fracturing the namespace into ever more useless niches that will never be widely accepted or compatible. Oh well, it's their money, if they want to waste it.
I bet they're itching to get some of these drones deployed next time. I've had The Weather Channel streaming as background noise for the past couple of days, and the reporters have been frequently mentioning that Verizon service is down, calling out Verizon specifically instead of just saying "cell service is down." Outages are to be completely expected during this type of event, but it's still not great advertising for vzw.
So would you call that a joe job or a Steve Job?
he said that the movie industry was not above shooting itself in the foot
"I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone." Jack Valenti, MPAA, 1982.
Hollywood keeps dropping bombs at the movie theater.
He's not using the legitimate channels available to bring the issue to the surface.
Why don't you go ask William Binney, Thomas Drake, Kirk Wiebe, and Ed Loomis how using the "legitimate channels" works out.
Amazon is in the business of selling products that don't leave a bad taste in the mouths of Amazon customers. They have a vested interest in removing shitty products from their site, as the shitty products reflect poorly upon the Amazon brand. Honest and objective reviews, insulated from retribution by the seller, are a good thing.
Dice sold Slashdot in January. There does seem to be quite a pro-Trump agenda here lately, but that isn't Dice's fault (anymore).
Some of the traditional attacks (DNS/NTP reflection and amplification) would be mitigated but it's not likely to help with these IoT DDoSes. When you can control 300,000 pwned devices, you don't need to spoof any traffic.
I think credit card issuers *should* change your card number every year. It would have a slightly PITA quality to if you had a ton of automatic charges, but it would also mean the number would expire sooner rather than later and increase the chances that if the number were harvested somehow it wouldn't have a long life.
FYI, VISA offers merchants a service called VISA Account Updater where if your credit card number changes, VISA will happily sell your new number to any merchant who had your old one. Just great, huh? It used to be if you were dealing with a hostile merchant who refused to stop billing you (think AOL for example), your "nuclear option" was to have your card number changed. Now even that won't work if you use a VISA card, because VISA themselves will sell you out.
Rotating every minute is probably too fast for this purpose. Consider your average consumer poking around online, it might take them more than a minute just to type in their card information, then they see that "Continue Shopping" button and realize they want to add something else to their cart. Next thing you know, 10 or 15 minutes have elapsed between the time they entered their card info and the time they click "Checkout." The card issuers are loath to introduce any frustration into the purchase process. An hour window seems like a good compromise.
Email would die a brutal death as the world switched to Facebook
Please, dear God, no.
A broken 12-hours clock is right twice a day and those broken numbers will be right 26 times in those three years.
Unless you're attempting to use a stolen card every hour for 3 years, you'd have to get really fucking lucky to run your charge at the correct time. And attempting to charge a card every hour is going to get the card flagged for fraud long before your blind squirrel finds his nut.
Regarding this number changing method, how are the new number generated? How does the bank know that numbers are valid ?
I presume it works just like a SecurID or other access control dongle. Your card is seeded with a value known to the bank. The card plugs that seed and the current time into an algorithm that generates the number. When you go to make a purchase, the bank runs the same calculation and looks to see if the numbers match.
I mean, presumably if I have a server somewhere, on Google cloud, AWS, at home, whatever, and it it has a public IP address, then I can have it serve up IP addresses of all my other machines when I give it some name. With whatever naming scheme I might like to use. I can make my own IP address lookup system.
Yes, absolutely. This is how I block advertising and malware sites, I set up a DNS server that resolves 20,000+ domains to 0.0.0.0 and pointed all my devices at it. Nothing is preventing you or anyone else from setting up a DNS server, the only challenge would be convincing others to use it, if that was your goal.
There is no justification to own a gun.
It's my Constitutional right. No justification is needed.
In many jurisdictions, judges aren't required to have any legal background or education whatsoever. Even Supreme Court justices don't need a law degree or license, though one lacking them hasn't been appointed since 1941.
They won't lose any money, they just might not make as much. No company is entitled to continued steady profits.
There are a few graves I would like to piss on but I cannot find out where these people are buried.
While doing some genealogy research, I discovered the Billion Graves Project where I found a crystal clear 1600x1200 JPG of my grandparents' headstone. They have volunteers who go around taking pictures of all the headstones in a cemetery, then they're indexed online. In many cases, the exact location of the gravesite within the cemetery will be displayed on a map. Worth a look.
Yahoo locked down their system so that you couldn't log into accounts from new IPs. You had to change your password from an IP you've used before before you could log in again.
That sounds like a great way to permanently lock the majority of your users out of their accounts. Many ISPs have short DHCP leases; millions of people get a new IP every week or every day. And heaven help you if you're stuck on a phone with CGNAT, you might appear to come from a different IP every few minutes. I've had enough annoyances out of Gmail thinking my logins were suspicious that I finally set up a datapipe to a server with a static IP, and I route my Gmail connections through there.
Inflation doesn't enter into the data cap argument. My cable bill has already increased every year for the past 20 years.
The graph of subject lines caught my eye while looking at the Talos report. In my own experience, the recent floods of mail with subjects like "Budget report," "Tax invoice," "Scanned document," etc. all arrive with some Windows ransomware variant attached. Not sure I'd really call these spam in the traditional sense. They're unsolicited, of course, but they aren't commercial in nature.
That aside, I do see an upward trend in UCE. The biggest offenders for me lately are of the boner pill variety, PurpleRhino and Vydox specifically. I'm seeing dozens of these a day to one particular address.
I'm very inclined to believe that yes, anyone whose mail is hosted by Yahoo is part of the breach. That includes the bells (ATT, SBC, PacBell, BellSouth, etc). Anecdotally I'm confident that the address books and recent contacts of Yahoo Mail users have been compromised for years through some type of exploit. There are spam campaigns that specifically target these accounts in this way, forging the "From" address as someone you have recently communicated with.