Two-factor auth is hardly analogous to a scaled-down laptop that's locked down and intended to be a thin client for the cloud. The former is an effort to improve user experience, the latter a power grab.
Perfect, shovelware for my neutered laptop. Excellent. Amazing. Brilliant.
Found the communist.
I can't even read this crap, I just see word salad with "republican" sprinkled about. This is not a partisan issue. Do you understand that?
"instant blue-screening"? How about kernel-mode code execution, hence why "this is about as bad as it can possibly get".
Article? This is /., we don't read those around here. That said, given the size of Reddit and volume of leaked credentials, I can see why the hacker got bored here. An attack like this would be trivial to pull off: aggregate all recent leaks, scrape moderator usernames from Reddit, filter the leaked creds using the scraped usernames, and go to town.
CSS is an oft-forgotten vector for XSS, so regardless of this event, you're definitely reducing attack surface by blocking untrusted CSS.
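The practical way to block untrusted CSS in a browser is a Content-Security-Policy whose style-src (or default-src) disallows inline styles and arbitrary origins. The following checker, an added example that is not code from the original thread, parses a CSP header and reports the source expressions that would still let attacker-controlled CSS be applied. The sample headers at the bottom are constructed for illustration.

```python
"""Evaluate whether a Content-Security-Policy header restricts untrusted CSS.

Added example, not code from the original thread. The sample headers at the
bottom are constructed for illustration.
"""
from typing import Dict, List, Optional

# Source expressions that let a stylesheet load from anywhere at all.
UNSAFE_HOSTS = {"*", "http:", "https:", "data:"}
# Nonce/hash sources: when one is present, CSP Level 2 browsers ignore
# 'unsafe-inline' in the same directive.
KEYED_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Browsers honour the first occurrence of a directive and ignore repeats.
        policy.setdefault(name, sources)
    return policy


def effective_style_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """CSS is governed by style-src, falling back to default-src.

    Returns None when neither is present, meaning stylesheets are unrestricted.
    """
    if "style-src" in policy:
        return policy["style-src"]
    return policy.get("default-src")


def css_findings(header: str) -> List[str]:
    """Return the weaknesses that would let untrusted CSS be applied to the page."""
    sources = effective_style_sources(parse_csp(header))
    if sources is None:
        return ["no style-src or default-src: stylesheets are unrestricted"]
    lowered = [s.lower() for s in sources]
    has_key = any(s.startswith(KEYED_PREFIXES) for s in lowered)
    findings: List[str] = []
    for src in lowered:
        if src == "'unsafe-inline'" and not has_key:
            findings.append("'unsafe-inline' permits injected <style> blocks and style= attributes")
        elif src in UNSAFE_HOSTS:
            findings.append(f"{src} allows stylesheets from arbitrary origins")
        elif "*." in src:
            findings.append(f"{src} trusts every subdomain of that host")
    return findings


def blocks_untrusted_css(header: str) -> bool:
    """True when the policy leaves no route for untrusted CSS."""
    return not css_findings(header)


if __name__ == "__main__":
    SAMPLES = {  # constructed headers for illustration
        "weak": "default-src 'self'; style-src 'self' 'unsafe-inline' https:",
        "missing": "script-src 'self'",
        "nonce": "default-src 'self'; style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'",
    }
    for label, hdr in SAMPLES.items():
        print(f"{label:8s} {css_findings(hdr) or ['ok']}")
```

The nonce case is the one worth remembering: a policy that carries both a nonce and 'unsafe-inline' is a common migration pattern, and the checker treats it as safe because browsers implementing CSP Level 2 drop 'unsafe-inline' once a nonce or hash is present in the directive.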
Assuming this is in fact their fault. If the hacker is taking an out-of-band approach such as reusing passwords from other leaks, there isn't really a discrete vulnerability in Reddit's codebase. The fact that such passwords could be used to access accounts could be described as a weakness in Reddit's security, but the actual vulnerability exploited lies in whatever system was originally compromised. Same thing with phishing; it's not really Reddit's fault if users can be tricked into disclosing credentials via channels outside of their control.
That Reddit's response has been to restore hacked subreddits seems to indicate it's something of this nature. Otherwise, they'd (hopefully) patch the issue immediately and publish an advisory.
If true, I'm guessing it's credential reuse, phishing, or possibly XSS/CSRF. The volume hints at XSS/CSRF, but the suggestion to implement 2FA says otherwise since it may not mitigate such vulnerabilities.
The difference is that Facebook is a social network, not a news organization. The feature in question is intended to reflect the usage of users, not the bias of hidden curators.
I always questioned the "trending" feature, largely because it's obvious the summaries are written by people specifically for the feature.
You're on the losing side of history. Perhaps it would be best to shut the fuck up.
How exactly would the US force terrorists and criminals to use this state-sanctioned pre-owned encryption? It's almost like they want to spy on everyone that passively reaps the benefits of encryption.
I can't believe this is an earnest comparison to one of the world's biggest chip makers. Please tell me you're trolling.
It's all just "tech" to them.
And to expand on this, some developers that are especially skilled at security develop specialized software known as exploits. ;)
If you perceive developers as not being security-minded, the ones you've encountered aren't very good. Developers are the first line of defense as their actions dictate what vulnerabilities are present in the software they're developing. A good software developer knows far, far more about software security than most sysadmins because sysadmins generally don't need to understand the nuances of vulnerabilities. In short, they only need to understand the threat, not the technical details about the vuln.
Think about it this way: developers are making the security patches you apply.
Make with the transparency. How do the stream sorting algorithms work? If Facebook can't divulge that, I see no reason to trust them.
How, exactly? C# doesn't use ref counting, and pinvoke works great for reaching native APIs that aren't exposed through the BCL. What kind of projects did you have trouble with?
I'm sure out of the hundreds of millions of installs, yours is the telemetry they're after, and it will be personally reviewed by Satya Nadella. It's not, you know, usage data to improve the reliability of the software.
This is the real news, and given the ability to opt out and forgo payment, it sounds like they will be retaining the reports of those that fail their checks. Complete and utter bullshit.
Not at all. If you look at my post history, it's quite clear I'm a security researcher. What you think doesn't matter, though. I'll keep you safe regardless, end user.
Generally, when people suggest using an alternative to Windows they are alluding to FOSS alternatives. It doesn't matter though, because it's highly unlikely the attackers actually exploited an operating system zero-day to compromise the systems affected. That's not how this sort of thing works, you see; a zero-day in a modern operating system is worth far more than can be had with a few ransoms. And to be clear, persistence in an already compromised system isn't really part of the "attack", excluding stuff like local EoP of course.
Given that this account is largely for shitting all over /., I think I will abstain from providing details that could easily be used to track down my real identity. Rest assured I've contributed plenty of security fixes to software you probably use on a daily basis.
Having personally discovered and exploited vulnerabilities in FOSS medical software, I can tell you that your "solution" isn't one.
Nope, the issues we're facing have virtually nothing to do with platform. Move to different operating systems and the APTs will follow. In fact, they already are. Arguments that other operating systems will provide adequate security in the meantime amount to little more than security through obscurity, which is widely accepted as an anti-pattern.
Until we address the underlying issues, nothing will change for the better, regardless of OS used. Quite the opposite, I assure you.
Take some time to familiarize yourself with the economy of malware. This is not an operating system problem.