Slashdot Mirror


User: Shoten

Shoten's activity in the archive.

Stories: 0
Comments: 1,461

Comments · 1,461

  1. Missing the point of DARPA altogether on DARPA Cyber Range Project Doomed to Failure · Score: 2, Interesting

    The point of research...and that's what DARPA is all about...is pushing the envelope. I was at the DARPA event where potential respondents learned about the desired features and overall nature of the program, and it was extremely ambitious, yes. But in conversations with my peers, it turns out that an enormous amount of the technology to make it happen already exists. Sure, they may not get everything they want, but so what? If they only get half of it...and the lesser half at that...they'll still have something that our country desperately needs, which is a place to test and practice information warfare tactics. The components that exist today, if put together to form an "NCR lite," would still provide immense value, and for that alone, the NCR is bound to be a success. And let me tell you, with the people that were in that room, I would be profoundly surprised if a great deal of innovation did not take place as well.

  2. Re:In Short, Yes on Do Static Source Code Analysis Tools Really Work? · Score: 1

    Some of these tools do catch it before code review. A number of them are not meant to work in a code review process, but rather operate real-time as the developer writes code. The philosophy behind this runs along the lines of 'the horses are out of the barn for existing apps; instead, focus on what's in development now and help the coders learn from their mistakes directly at the same time.' The biggest advantage to this that I see is that anyone who is writing code not only learns of their own foibles, but they're actually incented to write code more securely in the first place, since they have to rewrite it on the spot if the tool flags a problem. And it could also be argued that code that won't pass through a developer's workstation again (for updates or other changes) is so difficult to fix that the time/effort is better spent on the next set of apps.

  3. Other applications...politics? on Use BitTorrent To Verify, Clean Up Files · Score: 1

    I tried using it on our current administration. It showed up as being 29% complete, but unfortunately nobody's seeding the uncorrupted parts that we're missing. :(

  4. I know it's all gotten bad when... on Google Pulls Open Source CoreAVC Project Over DMCA Complaint · Score: 1

    I find myself relieved that at least this DMCA complaint actually has something to do with technical copyright controls, on some level at least. Not about a security vulnerability, or making printer cartridges, or a person's resume.

  5. Good news. on Information Security Is Becoming Infrastructure · Score: 2, Interesting

    This is a good thing. I'm working on a proposal for a...well, it's $900 million worth of something, I'll say that. It's a huge project, with a lot of different technologies (even by IT standards). I'm the "Security Tower," the group of people responsible for security in the solution, and I've never had it so easy. Sure, there are firewalls, and an IdM extension to support SSO, and a few other things for security, but for the most part our security is architectural. Every area of the solution has products with security infused into them to some degree, whether it's encryption for the endpoints, key management for the central system that manages the endpoints, and so on. Instead of having to wait until the rest of the solution was finalized, and then play catch-up to try and get security added in, it's been a matter of mapping requirements to security functionality that is already there.

  6. Which is it? on NYC Lawyers Subpoena Code · Score: 1

    An April Fool's post, or sh!thead attorneys?

  7. Lotus Notes? on Comcast Sued Over P2P Blocking · Score: 1

    Ohboy...I think this is going to be a case of a guy with one legitimate complaint, into which he builds other things that have no basis at all. Lotus Notes...slow over a remote link? Yeah...it is. But it has nothing to do with Comcast. Where I work now, we have Notes, and the problem is that the Notes needs to talk back to the Notes server whenever you do ANYTHING. I mean, when you're scheduling a meeting, and you go from the "description" field to the "start time" field, it chats with the server. Obviously, in client-server terms, this is a bag of , and I personally think that whoever architected Notes should go , with a broomstick. But it's not Comcast's fault; the same exact behavior happens whether I'm at home (using Comcast) or at the remote office (over a Verizon DSL link). It's equally slow, either time.

  8. Old Colony vs. New Colony on Grow Your Own Heart Valves · Score: 0, Troll

    [humor mode on]
    Of course the British are working on doing this in labs. They lost all their colonies. But we don't need this stuff; this kind of thing is what Puerto Rico is for :)

  9. Stupid guards on NASA Contractors Censoring Saturn V Info · Score: 4, Informative

    If the guard had half a brain, he'd know that ITAR has to do with export, not possession. Under ITAR, the version of IE that supports 128-bit encryption held the same classification; this didn't mean that you had to wipe your hard drive and go back to the 64-bit version, just that you couldn't give/sell/loan your computer to someone in another country. ITAR has no jurisdiction or concern with regard to ownership within the United States.

  10. Condensed Scripts on Minisode Network Condenses TV Shows to Under Six Minutes · Score: 1

    An episode of "Dr. Phil":

    Guest: "I'm thirteen! I'm old enough to have all the children I want with my 40-year old brother! I've had three so far and nothing bad has happened...I'm going to keep having them!"

    Dr. Phil: "You suck. Bad."

    Guest: "You're right, Dr. Phil. Maybe I'll straighten up after all."

    An episode of "Everyone Loves Raymond"

    Raymond: "God, I'm so insecure that it makes me utterly inept. At everything."

    Everyone else: "Yeah, but that's just because we're all so sadistic that we circle around you and stomp your brains out in unison when you mess up even slightly, rather than try to support you."

    An episode of "Seinfeld"

    ""

  11. Hype, not innovation on FastTCP Commercialized Into An FTP Appliance · Score: 1

    There are already (and have been) network accelerators that do this, and more. Cisco has a product called WAAS that incorporates this technology, and adds quite a bit more to it. As others have said here, though, I don't think that just FastTCP would get you the kinds of gains that they're talking about. Where it is good is when you have apps that don't like latency. When that's the case, throwing more bandwidth at the problem doesn't help, and instead an accelerator is the best bet. But while this company has come out with their first system, others are on their second-gen versions, and have a lot more features (like file caching...and that's not as simple as it sounds, since they can cache the main versions of files and simply send the minor changes back and forth, for example).

  12. Lack of comparative data on How Would You Benchmark an IT/IS Department? · Score: 1

    I can think of a lot of ways to do it. The best practice (yeah, guess what...I'm an IT consultant) is to look at the ITIL library, and ITSM in general. ITSM is essentially a set of practices around helping business units tell IT what they want, in useful terms, and measuring the definition of success in how IT fulfills those wants/needs. ITIL is a library of information that relates to ITSM.

    But even if you get all that working at your end (and it's not a tiny effort), how are you going to possibly compare against other organizations? How are you going to get information like that about what I presume are competitors? That's the big problem that I see, and I can't think of a way around it.

  13. Art becomes reality on Principal Cancels Classes, Sues Over MySpace Prank · Score: 1

    It just amazes me...some weeks ago, students were suspended for saying "vagina"...during a performance, at school, of "The Vagina Monologues" (I mean, couldn't they have just told the students to pick another piece to perform instead?). And now this. Why is it that so many principals...the people in charge of the development of students...seem so intent on acting like Principal Rooney from "Ferris Bueller's Day Off"?

  14. Challenge to the community on Blizzard Seeks to Block User Rights, Privacy · Score: 4, Insightful

    (I know, it's a bit long, but give it a try.)

    Okay, so here's how I see it all unfolding. Blizzard comes out with World of Warcraft, which immediately becomes a hugely successful MMORPG. And not only is it hugely successful, it happens to come into being at the same time that the real-world economy starts interfacing directly with the virtual economy of the MMO world. As a result, there are services that offer gold for cash, leveling services, etc...all of which incur unintended (and even destabilizing) economic effects on the virtual world. A rough analogy would be if people could sell their souls for sudden wealth or fame here, in a very literal sense of the world; something not of this world is being traded in return for something of this world, and giving those people a leg up over everyone else.

    So, Blizzard has to figure out how to fix this. Obviously, they've done things to make it harder to goldfarm, in some respects. Fishing, which is an obvious activity that requires little input, is made harder to automate based on the requirement that you click on the fishing lure (which lands in a random location in front of you every time) when and only when it has a fish on it (which happens at a random interval after the time you cast the lure, or not at all). Combat is set so that if you're at a higher level than the thing you're killing, you get less credit for it; if there's such a difference that it's a ridiculously easy kill, you get nothing at all for your trouble.

    But still, there are ways that something watching variables in memory could help a cheater. All you have to do is watch for the change in a variable, or the triggering of a function, when the fishing lure makes that splashy noise, and read (direct from RAM) the coordinates where the lure is, and you can have a piece of software click on it for you. I'm something of a WoW noob, so I'm sure there are other ways as well, including manipulation involving mining, auction house market manipulation, etc. Heck, if you had computers work together in concert, you could have a whole group of low-level characters team up on one larger-level NPC and kill it for a big bounty in both XP (for sale as a leveling service) and silver/gold (for sale as gold). The reason the maximum party size that can do quests/gain XP is 5 is just this, and it's not at all hard to imagine circumventing it by coordinating the systems to work together, where one online character is human-operated and the others just follow him automatically, attacking whatever attacks him.

    So, Blizzard has a problem to fight. Since pretty much all of these techniques require a lot of manpower (which adds significantly to the labor cost of the goldfarming/leveling service and eats the profit) or reading variables from RAM, Blizzard decides to prohibit this tactic. But it's the same old situation in computer security, when it comes to things with tangible economic gain in the real world; the bad guys will evolve at least as fast as the good guys. So there needs to be a way to gather intel, to find out what the latest tricks are which are being used. And so Blizzard has Warden.

    Now, a lot of people get up in arms about private corporations and privacy, and rightly so. There are numerous companies that maintain databases of our information, selling it to whoever wants it. Even worse, the organization that can harm us the most by invading privacy...our government...has been purchasing that information, conveniently skirting around the limits placed on them by law. But Blizzard isn't keeping a database of our personal information. We may happen to be doing online banking while WoW is idling in the background, but they're not culling/recording that information. And unlike the metaphor used in the article on Warden, no human being will ever see it. It's more like the person behind me at the checkout, or the cashier, being able to see my credit card when I take it out of my wallet to swipe it. I don't have a problem with that; I'm one of millions of people who d

  15. Re:Hold on a sec here... on Chip & PIN terminal playing Tetris · Score: 1

    Okay, a few people have responded by saying something along the lines of, "Yes, but the issue is one of being able to tamper with the device this way." Yeah, true...so what? That's an issue for anything. Hell, ATMs are being tampered with like that, and they're both more mature (the bloody things have been evolving for decades) and secure. Add to that the fact that, unlike an ATM, chip and pin devices need to be cheap to be practical, and I don't see how this can be avoided, no matter what. Leave a device in the hands of an attacker, and the device can no longer be trusted; this is not news.

    So, what then...don't do chip and pin, right? Uh...has anyone thought about how the vulnerability we're talking about here ALSO applies to...normal credit card readers? And last I saw, the sky wasn't falling, and credit card/debit card payments were rather widespread, to the benefit of consumers, retailers, and financial institutions (like credit card companies and banks). So, under this threat model, life goes on, and the cost of the threat is vastly overcome by the value of the method of payment. And I don't see why it wouldn't be with chip and pin, too.

  16. Hold on a sec here... on Chip & PIN terminal playing Tetris · Score: 4, Insightful

    They got it to play tetris by replacing the majority of the electronics inside it. It's not exactly like they got the actual terminal to play tetris...it's more like "They put a tetris game console inside the empty terminal shell, and used the terminal's keypad and screen for control and display." It'd be like skinning a copy of Windows 95 to look like Xwindows, and then saying "Look at all the vulnerabilities I found in linux!"

  17. No overall standard == no workplace standards on The NSFW HTML Attribute · Score: 1

    There have been a lot of posts that rightly point out that the definition of acceptable varies from workplace to workplace. Where these statements go awry is with the assumption that the NSFW tag would therefore automatically fail, however. The reason why there is so much variance from place to place isn't because every single workplace has thought it out carefully and diligently and has determined that their own needs are special; this isn't true at all. Every company in the U.S., for example, faces the same degree of legal risk when it comes to inappropriate sexual content (since EEOC laws are federal, not state or local). The same holds true for nearly every other kind of risk that results from NSFW content, and let's face it...that's the real business driver behind disallowing such things in the workplace.

    So why is there so much variance? Simple. There are no standards that are put out there for everyone to draw upon. The creation of an NSFW tag creates an opportunity...the chance to build a standard behind it. Remember, we don't have to build a standard for workplace behavior, or the way communications are handled within an organization. All we have to do is say, "Ah, yes, that's probably going to get someone into a lawsuit that they'll lose," based upon existing case law and regulations.

    What about other countries, then? Well, there are two ways to look at it. One, since this is Google, there can be variance based upon the country in question. When I was in China, I got www.google.cn; when I was in the Philippines, I got pushed to www.google.ph. It's not that hard to differentiate based on country, with that kind of situation. And if you decide to go with "one tag fits all," then you could simply adopt the standards of the U.S. Why? Because we're damned litigious, that's why...if it's safe here, it's pretty much safe anywhere else.

  18. Wow...irony on Outsourcing Growing Beyond India · Score: 5, Informative

    I'm in China at the moment, actually, about to go to a second site here. My purpose? I'm looking at the security of two vendors who are competing for a financial BPO (Business Process Outsourcing) contract with a major corporation. This is my first look at outsourcing up close, and I can see why companies examine the option. Yesterday I looked at a BS 17799 and SAS 70-certified facility, with smart people who cost far less than their counterparts. Also, there was discussion about turnover in India.

    Outsourcing is definitely here to stay, but from what I have seen, cost is not the only factor that gets considered these days. (At least, not by the client I'm working for.) They're looking at the whole package, but the biggest thing that has mattered so far are the tools and functionality that the outsourcing provider can bring to bear. At the end of the day, it'll be functionality that matters the most, especially as labor costs in markets like India and China grow. But don't make the mistake of thinking that in such countries lower cost is all they have to offer, because that's not necessarily the case; the provider I visited yesterday had a hell of a great system for handling the complex financial functions that are a main pain point for my client.

  19. Re:Not Chinese on Chinese "Cyber-Attack" US Department of Commerce · Score: 1

    Simple. Only one application can listen to a port at a time. You can't connect to your trojan on port 443 if there's an apache server on 443 already listening. That's why trojans use other ports. TCP sockets 101, my friend.

    Trust me...I've done a lot of incident response, and I've never seen apache recompiled with a trojan built into it. Can you point me to the source of such code, so that I can have a look at it?

    And no, you don't need only one instance of such camouflaging. You need a lot of them. All pointing in the same direction, all seen by the same people. Because as I've said before, this is something that's been seen by multiple organizations and people, all from different backgrounds. It's no coincidence that the original link to the story about Titan Rain that I posted was a link to the blog of Bruce Schneier, who among other things is the founder of one of the largest IDS monitoring service providers.

    And I remember nothing in Takedown that talks about trojaned apache servers. Mitnick didn't trojan anything, he used a redirection attack to cause traffic to come to him directly.

  20. Re:Not Chinese on Chinese "Cyber-Attack" US Department of Commerce · Score: 1

    You don't need to back-track all connections. Let's say an intermediary host is a web server, with http and ssl running. For simplicity, let's say that nothing else, besides ssh, is listening. It gets hacked, and as a result, a new listening service...the backdoor...now exists. When you hack back to it, you'll be able to determine "which connection is not like the others" from a variety of methods. One, looking at traffic and port/binary association, you'll see that the listeners on 80 and 443 are indeed going to (for example) apache and are just http/https. Two, you'll see patterns in what traffic comes from where. And three, the big one...using on-system binaries, you'll be able to tell quite easily which port isn't being given up when you type "netstat", because it's being hidden. And it's not like the whole world will be connecting to that port. Only one guy will, your hacker.
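One defender-side way to surface the "port that isn't being given up when you type netstat" described in the comment above, as an added example that is not part of the original post: read the kernel's own socket table from /proc/net/tcp and diff it against what the netstat binary prints. Both inputs below are constructed samples, and the port and inode values in them are made up.

```python
import re
from typing import Dict, Set

# Constructed /proc/net/tcp excerpt (not captured from any real host).
# local_address is hex "ADDR:PORT"; state 0A is LISTEN; field 10 is the socket inode.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0050 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000    33        0 12349 1 0000000000000000 100 0 0 10 0
"""

# Constructed `netstat -tln` output as a tampered binary might print it:
# the listener on tcp/31337 (0x7A69) has been filtered out of the listing.
NETSTAT_TLN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

TCP_LISTEN = "0A"


def kernel_listeners(proc_net_tcp: str) -> Dict[int, int]:
    """Return {port: inode} for every LISTEN socket in a /proc/net/tcp dump."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port after the colon
        listeners[port] = int(fields[9])
    return listeners


def netstat_listeners(netstat_out: str) -> Set[int]:
    """Return the set of ports a `netstat -tln` listing claims are LISTENing."""
    ports = set()
    for line in netstat_out.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def hidden_listeners(proc_net_tcp: str, netstat_out: str) -> Dict[int, int]:
    """Ports the kernel table shows as LISTEN but the userland tool omits.

    A non-empty result means the tool's view disagrees with the kernel's,
    which is the signature of a hooked or replaced netstat binary. The inode
    lets an investigator tie the socket to a process via /proc/*/fd.
    """
    kernel = kernel_listeners(proc_net_tcp)
    shown = netstat_listeners(netstat_out)
    return {port: inode for port, inode in kernel.items() if port not in shown}


if __name__ == "__main__":
    for port, inode in sorted(hidden_listeners(PROC_NET_TCP, NETSTAT_TLN).items()):
        print(f"hidden listener: tcp/{port} (socket inode {inode})")
```

On a live system, read /proc/net/tcp (and /proc/net/tcp6) directly rather than through any tool, since the kernel interface is the reference the userland output is being checked against.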

  21. Re:Not Chinese on Chinese "Cyber-Attack" US Department of Commerce · Score: 1

    Okay...I'm going to take a path that starts with a single straightforward question. Why would you go through all that trouble if you were hacking someone? To protect yourself, yes? To make it so that you couldn't be prosecuted easily, if your machine were seized in the investigation of hacking, right? Okay. But what if...what if you were doing this on behalf of your own government, using GFE? Do you think that hackers for our own intelligence communities go through all this trouble, because they're afraid that the French are going to barge into an NSA or CIA-controlled facility with a search warrant and start imaging drives? Of course not...there's no reason to worry. In fact, you WANT to keep that information lying around, because it's part of the "intelligence product" that you're responsible for. Take away the risk of prosecution that comes with a mandate from your own government, and the need for such stringent tracks-erasing goes away completely. And a trojan that keylogs, by design, keylogs EVERYTHING. They don't have the granularity to only log good guys; for proof, check out any of the keyloggers in the wild today, or even better look at some of the methods by which they work.

    And as for how to tie the government to the hacker, well...that's the intersection of two pieces of data. HUMINT points to a few Chinese universities (and specific departments therein) as centers of learning and activity for information warfare. And the end-point IPs exist within the netblocks of those universities. I've seen this myself when in a monitoring center; it's been going on for years...I saw it on a scope back in 2001. I would say the evidence is quite convincing, considering that there really isn't any reason to think that it *isn't* true. The Chinese have openly stated their intent and ability to do this, multiple independent sources (both private and governmental) have evidence of it occurring, there's a motive to do so, there's no reason not to do so, and it's just the "next big thing" of what governments have been doing to each other all along. So what's so hard to believe about it? Hell, if we weren't doing it to them, I'd want to know...why the hell not?

  22. Re:Not Chinese on Chinese "Cyber-Attack" US Department of Commerce · Score: 2, Insightful

    You're reading too much into individual components of my post, and not taking them as a whole. I'll answer your questions in turn. For one, how does someone backtrack to the original host? By gaining control of the next hop, one at a time, essentially. You know that your box got owned by 10.20.30.1, so you counter-hack it. Once in, you look around, and see who connects to it. More importantly, you see who is connected to it while it connects to your box. (This is detailed in a number of the articles linked in the Schneier article I referenced in my original post as the method used.) Rinse, repeat, until you are on a box where the person connecting to the next hop in the chain isn't on an SSH shell, but is local. This is an oversimplified explanation, but is quite technically accurate; the means employed can range from leveraging the tools placed there already by the hacker to using your own. You could also conceivably enlist the assistance of the organizations that own all the hacked boxes, but this would be a nightmare to accomplish, and since the person investigating Titan Rain has been confirmed to essentially be breaking the law by hacking, I'm sure this wasn't how he did it.

    And no, I'm not saying that just because it's not a Windows box spouting spam or whatnot, but is instead a unix-flavored system doing very specific things, it's the Chinese. I'm saying that because it's a unix-flavored box at the end of a long train of hacked proxies (keep in mind that without the backtracking, the assumed culprit would have been South Korea in most cases, everyone) where the only person logged in doing naughty things to us is there locally, in a country whose military was the very first to espouse information warfare as a legitimate method in current times...well, that's a much clearer picture. I think you get the idea. To counter, let me point out that the argument has been, up to this point, "It can't be China, because lots of Chinese boxes get owned, and it could just be a bot owned by someone else." That's an argument for skepticism and closer investigation, not a logically sound way to say that the entire population of the world's largest country is impossible of being capable of hacking. And when you look at WHAT is being hacked, and what information is being stolen, then you can see the shopping list that is being used, which is typical of an organized intelligence-gathering organization.

  23. Re:Not Chinese on Chinese "Cyber-Attack" US Department of Commerce · Score: 1

    I'd say you're spot on with this. But conversely, I would expect that we'd be doing so anyways; we don't need an excuse to do spook-like things to other countries. So again, there's no disincentive for the Chinese to do the same. After all, the French spy on us, the Israelis spy on us...some of our closest friends with whom we have far less competitive motivations, in other words, spy on us. So why wouldn't a country like China, with far less to lose and far more to gain, do the same? When you push the details of technology aside, that's all this is...spying. And spying is always going on.

  24. Re:Not Chinese on Chinese "Cyber-Attack" US Department of Commerce · Score: 5, Informative

    Well, yes and no. There are a few problems with this hypothesis; one, and the most important of them, is that attacks have been conclusively back-traced to China. And yes, the guy who did it actually broke the law in the process, but c'est la guerre, non? The event is known as "Titan Rain," and it began with a series of targeted attacks against the Department of Energy. A computer security worker, in his spare time (and a wink/nod from the FBI) counter-hacked hosts that were the source of the attacks, eventually following the trail back to mainland China. There, he saw that the logins which executed commands were being performed locally, and that the devices were not forwarding pilfered data on to other hosts but were instead the repositories of that data.

    Other things involve the fact that when you see attacks from China, you usually get one of two kinds of hosts: you get a wildly unpatched Windows box that's being used as a bot, or you get a decently-secured (usually linux or *BSD) system that is doing some rather specific things to a specific target. And last of all, let's not forget that most of the seminal works on information warfare were written by Chinese military officers, and that it's no secret whatsoever that China actually does have a significant infowar capability. We have no rules of engagement that classify hacking as an act of war, so they can get away with it; what are we going to do, bomb them over it? They have the world's largest standing army, are an (increasingly) crucial economic partner, and we're already overburdened militarily with a two-front war where we've bogged down fighting insurgents. They do it because they know they can get away with it, and they're correct in that thinking.

  25. Late reporting on Algorithmic Investors on Wallstreet · Score: 5, Informative

    This is nothing new, and it's not even something that's restricted to the world of money managers. It's being used by individual investors now, and has been for years; it's called "technical investing". The definitions of combinations of factors (market cap, financials, etc.) are called 'screens', and are a common source of discussion on forums like those found on The Motley Fool. There's software for sale, priced for individual investors, and there are websites that will even allow you to save your screens to use periodically, looking for new possible stocks to buy into (or to check and be sure that your existing portfolio matches the parameters you want).