Gateway? I think you misspelled "Northgate". The Omnikey Ultra was my all time favorite.
I'm now interested to see if enforcing SELinux prevents this.
Mea culpa, I used the term incorrectly. I was not intending to reference microkernels, but rather the inclusion of LKMs and associated drivers and firmware for hardware that does not exist on the system.
Another big frustration of mine is improper software dependencies. Several years ago I was trying to remove packages from a Debian system to see how slim I could get it. By attempting to remove one package at a time, I'd get warnings about what depended on various packages, and thus could determine their importance.
I gave up in disgust when attempting to remove "aalib" -- the ASCII art library -- and the chain of dependencies would have rendered the system unusable by uninstalling almost 90% of the system.
I operate on the idea that reducing attack surface is good. Misconfigurations are a big source of security problems. If it doesn't exist, it can't contain an error, can't be broken, can't be abused or exploited, and isn't ever going to cause you a problem.
Linux, unlike Windows and Apple's iOS, *can* be made much more secure with a little bit of effort.
How? By not using monolithic kernels that support every device in creation, and stripping the kernel down to what is installed on the system -- especially with things like IoT devices. If it isn't installed, it doesn't need patching, it can't break, and it can't be exploited.
Ditto for added software and apps. Take a look at many of the Linux-based router firmwares out there, both sold by commercial vendors and FOSS projects, and you'll see attempts to compete with high-end Cisco feature sets for home or small business use.
Having that available is great! However, turning all of that on by default, and users thinking they should get something not because it suits their needs but because it supports 10,000 features, gets you a complex, insecure mess.
With Microsoft and Apple you can't remove many of those features. The company controls it and, Enterprise customer with a decade experience or not, you will damn well have Telemetry and like it! And dozens of other "features" that you'll never use, don't want, and just are waiting to get exploited.
Linux gives you the ability to shape much of your own system, including making it much more secure than a run-of-the-mill device. Whether or not you take the time and effort to do that is up to you.
I've seen way too many Linux-based routers and gadgets that are exposed to a network and still have default admin passwords to blame "Linux" for security headaches.
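The "aalib" story above is a reverse-dependency cascade, and the useful question before any removal is how much of the system one package actually drags down. The script below is an added example, not the commenter's code and not a dpkg or apt tool: it parses a dpkg-status-style list of Package:/Depends: stanzas (assumption: that is the only input format it handles), builds the reverse-dependency graph and walks it to a fixed point, honouring "a | b" alternatives the way dpkg does, so that a package with a surviving alternative is not counted as lost. The package list is constructed for the example and is tiny compared with a real install.

```python
"""What would removing one Debian package really take with it?

Added illustration; not the commenter's code and not a dpkg/apt tool.
Input is a dpkg-status-style list of Package:/Depends: stanzas
(assumption: only that layout is handled).  The sample is constructed.
"""
import re

# Constructed sample in /var/lib/dpkg/status layout.  Only Package: and
# Depends: are read; version constraints and 'a | b' alternatives use the
# real field syntax.
SAMPLE_STATUS = """\
Package: libc6
Depends:

Package: libaa1
Depends: libc6 (>= 2.17), libgpm2 | libncurses6

Package: libgpm2
Depends: libc6

Package: libncurses6
Depends: libc6

Package: libvlc5
Depends: libaa1, libc6

Package: vlc
Depends: libvlc5, libc6

Package: bb
Depends: libaa1 (>= 1.4), libc6

Package: openssh-server
Depends: libc6

Package: coreutils
Depends: libc6
"""


def parse_status(text):
    """Return {package: [[alt, ...], ...]}: one inner list per Depends group."""
    deps = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        groups = []
        for group in fields.get("Depends", "").split(","):
            group = group.strip()
            if not group:
                continue
            # drop '(>= 1.2)' version constraints and ':any' arch qualifiers
            alts = [re.sub(r"\s*\(.*?\)", "", alt).split(":")[0].strip()
                    for alt in group.split("|")]
            groups.append(alts)
        deps[fields["Package"]] = groups
    return deps


def removal_closure(deps, targets):
    """Set of packages gone once *targets* are removed.

    A dependent is dragged along only when every alternative in one of its
    Depends groups is gone, matching how dpkg treats 'a | b'.
    """
    removed = set(targets)
    changed = True
    while changed:
        changed = False
        for pkg, groups in deps.items():
            if pkg in removed:
                continue
            if any(all(alt in removed for alt in alts) for alts in groups):
                removed.add(pkg)
                changed = True
    return removed


def removal_report(text, targets):
    """Sorted list of packages removed and the fraction of the system lost."""
    deps = parse_status(text)
    gone = removal_closure(deps, targets)
    return sorted(gone), len(gone) / len(deps)


if __name__ == "__main__":
    for target in (["libaa1"], ["libgpm2"], ["libgpm2", "libncurses6"]):
        gone, frac = removal_report(SAMPLE_STATUS, target)
        print(f"remove {target}: loses {len(gone)} packages ({frac:.0%}): {gone}")
```

Running it against a real box means feeding it the contents of /var/lib/dpkg/status; on the constructed sample, removing libaa1 alone takes the VLC stack with it, removing libgpm2 alone costs nothing extra because libncurses6 satisfies the alternative, and removing both alternatives triggers the full cascade.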
No, that was the original WannaCry outbreak. Petya is a repurposed version that exploits the same unpatched vulnerability. It first turned up in Ukraine, though; IIRC, via an infected update to accounting software.
An AA from a State CC will transfer to a 4-year State U in the same State. That is what they are designed to do.
The Univ won't give you a B.S. with their name on it unless you take a full 2 years from their school, but it is 2 and not 4.
Private schools on the other hand...
You're doing it wrong.
If you're talking about a B.S. degree, then $160K is way overkill. The only degrees that should cost that much are M.D. (plus Dental and Vet variants) and J.D. WTF else costs that unless you've bought the lie that she needs to go to a top private university for 4 full years?
Community College for the first 2 years, focusing on your core classes, then transfer to wherever to finish up. Even a top notch private school will only run $80K or so -- and you should be able to either get a discount or grants to cover a bunch. If you can't, then you have enough assets to pay cash for her tuition and are whining here as a troll.
Hell, some of the best university programs in each field are in State schools, which cost a hell of a lot less if you're a resident.
No, you're wrong.
Amazon is a public company, with stock traded on NASDAQ. Ownership is over 63% institutional. Jeff Bezos is the Chairman, President, CEO, and a large stockholder, but by no means "owns" Amazon.
The Washington Post is a privately held company, which Jeff Bezos purchased through a holding company (Nash Holdings, LLC) for $250 million in 2013. Yes, he indirectly "owns" The Washington Post.
Your description of writing off losses from WP to cover gains from Amazon is grossly inaccurate and ignorant of how business structures and taxes work in the United States.
There was a link in the article to a prior one that contains a map of Hywind's location.
https://www.theguardian.com/environment/2016/may/16/worlds-largest-floating-windfarm-to-be-built-off-scottish-coast
The kind of people who shop at Whole Foods don't want RFID tags attached to their food.
Considering RFID tags can easily be PLU stickers, like the type placed on damn near every piece of fresh produce, they may already be there whether people know it or not.
https://www.pma.com/content/articles/2014/05/labeling
A combination of Alexa and one of these takes care of both of those.
"Ok Google" already knows when I'm in Lowe's and Home Depot, and when I look up a product, they tell me not only the availability in the store I'm in, but the shelf location it is at. Part of that is the Home Depot and Lowe's websites wanting to know my location -- which is very useful.
RFID tags on all products will allow you to check out just by pushing your cart through the lane -- like driving through a toll booth with an EZ Pass (or equivalent). It could speed up checkout by a great deal.
If enough people want their shopping to be a social experience, then there is a market for that and it'll happen. I don't expect my local farmer's markets to wholly automate anytime soon.
No, I didn't. ChromeOS is significantly lighter weight than Windows. There is a smaller attack surface. Less code means fewer places for bugs to exist.
Windows Vista clocked in at about 50 million lines of code. Windows 10 is estimated closer to 70 million. Chrome OS is closer to 15-20 million.
That is 1/3 of the number of places for bugs to hide. And complexity isn't a simple linear progression, so the true difference is much greater.
Complexity is the enemy of security. Minimizing complexity has a direct benefit on improving security.
Your argument is a version of a logical false dichotomy that is called a "Perfect Solution Fallacy".
Chromebooks come the closest, being far ahead of Windows or Mac PCs. Of course, there are tradeoffs and limitations that may not be acceptable to some.
Yeah, I think Travis is just the reincarnation of Lig Lury, Jr.
And he is definitely giving everyone the business.
Washington, DC
charlesDOTeDOThillATgmail.com
Yep.
Ia! Ia! Cthulhu fhtagn! Ph'nglui mglw'nfah Cthulhu R'lyeh wgah'nagl fhtagn!
Experience with any vulnerability scanner, really. Nessus, Qualys, Rapid 7, OpenVAS, whatever. The key is to learn how to interpret the reports, dig down into the results, and figure out what is really a problem and how to fix it.
I'm happy to teach junior people, but if someone is claiming to be an experienced analyst or senior InfoSec specialist and just hands me a canned Nessus report, I'm going to be looking to replace you. I can schedule the default reports; I'm not willing to pay a premium to do that.
While zero-day vulns and movie-plot hacks get all the attention and press coverage, the simple truth is that the vast majority of compromises happen due to improperly patched and misconfigured systems.
If you can weed through a few hundred pages of scanner output to tell me which systems are missing what patches, as opposed to patched but needing a registry update or config change, that is valuable. Which are false positives and why? How can we prioritize what limited resources we have to get the most impact?
Attention to detail and critical thinking I'll pay a premium for, and vulnerability scanner output is a great place to demonstrate that. But keep handing me canned reports and I'll replace you with a script.
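The triage the comment above asks for (missing patch versus config change versus "patched but still needs a registry change", what needs manual verification, and what to fix first) is a small amount of logic over the export. The script below is an added example, not the commenter's code and not a vendor tool: it reads rows in the column layout of a Nessus CSV export (assumption: "Plugin ID", "Risk", "CVSS", "Host", "Port", "Name", "Solution" and "Plugin Output" are present under those names), drops informational plugins, collapses duplicate rows, classifies each finding from the wording of its Solution field (a keyword heuristic, an assumption rather than anything the scanner provides), flags findings whose Plugin Output carries no evidence for verification before anyone is tasked, and ranks by severity times spread. The rows are constructed for the example and the plugin IDs are fictitious.

```python
"""Triage a scanner CSV export instead of forwarding it raw.

Added example; not the commenter's code and not a scanner vendor's tool.
Column names follow a Nessus CSV export (assumption), the classification
keywords are a heuristic (assumption), and the rows are constructed with
fictitious plugin IDs.
"""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """\
"Plugin ID","CVE","CVSS","Risk","Host","Protocol","Port","Name","Synopsis","Description","Solution","See Also","Plugin Output"
"900001","CVE-2017-0144","9.3","Critical","10.0.1.10","tcp","445","SMBv1 Server Remote Code Execution","","","Microsoft has released a set of patches for the affected versions of Windows.","","Installed KB list lacks KB4012212"
"900001","CVE-2017-0144","9.3","Critical","10.0.1.11","tcp","445","SMBv1 Server Remote Code Execution","","","Microsoft has released a set of patches for the affected versions of Windows.","","Installed KB list lacks KB4012212"
"900001","CVE-2017-0144","9.3","Critical","10.0.1.11","tcp","445","SMBv1 Server Remote Code Execution","","","Microsoft has released a set of patches for the affected versions of Windows.","","Installed KB list lacks KB4012212"
"900002","","5.0","Medium","10.0.1.10","tcp","445","SMB Signing Not Required","","","Enforce message signing in the host's configuration via the policy setting Digitally sign communications (always).","","Signing is not required on the remote SMB server."
"900003","CVE-2017-5715","5.6","Medium","10.0.1.12","tcp","0","Speculative Execution Mitigation Not Enabled","","","Install the vendor patch and then set the registry keys FeatureSettingsOverride and FeatureSettingsOverrideMask to enable the mitigation.","","Patch present; FeatureSettingsOverride registry value missing."
"900004","","7.5","High","10.0.1.13","tcp","443","Outdated TLS Library","","","Upgrade to the latest version of the library.","",""
"900005","","0.0","None","10.0.1.10","udp","0","Traceroute Information","","","n/a","","hop 1: 10.0.1.1"
"""

# Heuristic keyword lists (assumption): what the Solution text asks for.
PATCH_WORDS = ("patch", "update", "upgrade", "hotfix", "install")
CONFIG_WORDS = ("registry", "configur", "setting", "policy", "disable", "enable")


def classify_solution(solution):
    """'patch', 'config', 'patch+config' (patched but needs a key set) or 'review'."""
    s = solution.lower()
    has_patch = any(w in s for w in PATCH_WORDS)
    has_config = any(w in s for w in CONFIG_WORDS)
    if has_patch and has_config:
        return "patch+config"
    if has_config:
        return "config"
    if has_patch:
        return "patch"
    return "review"


def triage(csv_text):
    """Return findings grouped per plugin, highest priority first."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] in ("None", "Info", ""):
            continue  # informational plugins are not vulnerabilities
        findings[(row["Plugin ID"], row["Host"], row["Port"])] = row  # dedupe
    by_plugin = defaultdict(list)
    for (plugin_id, _host, _port), row in findings.items():
        by_plugin[plugin_id].append(row)
    result = []
    for plugin_id, group in by_plugin.items():
        cvss = max(float(r["CVSS"] or 0) for r in group)
        hosts = sorted({r["Host"] for r in group})
        result.append({
            "plugin_id": plugin_id,
            "name": group[0]["Name"],
            "action": classify_solution(group[0]["Solution"]),
            "cvss": cvss,
            "hosts": hosts,
            # severity times spread: one widespread medium can outrank one lone high
            "priority": round(cvss * len(hosts), 1),
            # no evidence in the output: verify by hand before assigning work
            "verify": any(not r["Plugin Output"].strip() for r in group),
        })
    result.sort(key=lambda f: (-f["priority"], -f["cvss"], f["plugin_id"]))
    return result


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        flag = " (verify first)" if f["verify"] else ""
        print(f"{f['priority']:>5}  {f['action']:<12} {f['name']} on "
              f"{len(f['hosts'])} host(s){flag}")
```

On the constructed rows the unpatched SMB hosts come out on top because two hosts share one critical, the TLS finding is carried forward only with a verify flag because the plugin recorded no evidence, and the speculative-execution row is surfaced as "patch+config" so it is not mistaken for a missing patch.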
Quoth the article:
"First, from a hiring perspective, the trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing."
Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.
Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:
CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.
Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.
Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".
Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.
I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.
For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.
Technically, an app that tells you when to have an orgasm would really be able to answer the question of just what the fuck was going on.
You might be on to something here.
FTFY
49-55" 4K LCD TVs are currently going for $350. That *is* an order of magnitude cheaper than prices only 2-3 years ago.
Agreed.
I think Krebs means "if they're willing to cause this much grief for so little return, we don't have much hope of economics ever stopping these attacks".
The ROI on this is probably insignificantly low, so we're stuck with this sort of shit.
In most cases the financial damage is too small to expend the resources. When the attack is in one jurisdiction, like Europe, with suspected perpetrators out of Russia and Iran, and the BTC account then has funds transferred to Kazakhstan banks and Philippine casinos...
Just think of the work needed to get all those jurisdictions to cooperate, much less allocate resources, etc. Assuming they cooperate at all.
Add to that, funds can be transferred and withdrawn in literally minutes, and you have a real problem.
The hack on the Pakistani bank where their SWIFT credentials were compromised and they lost ~$84 million USD saw the majority of the funds transferred to casino accounts in the Philippines. Have a mule waiting to withdraw in chips and deliver a bag full of chips to a waiting recipient, who cashes out and flees to, say, North Korea or anywhere who just doesn't want to cooperate.
The mule gets $1,000 in cash -- more than he's ever seen at one time in his life. If he gets caught, he was just hired anonymously to make a delivery, so has no info and gets off light, if prosecuted at all.
You put the effort in for $84 million USD, but $26,000? Screw that. If they didn't hit so many targets this would be filed away and forgotten.
Western Union, MoneyGram (currently the target of a bidding war for acquisition), casino accounts, or even regular banks just split into dozens, if not hundreds of accounts that can be accessed anywhere in the world by an ATM card, and you have what is really a low risk, high profit criminal enterprise.
If their violations were so obvious, what case can be made for going after their clients? I mean, sue the people who hired them to make the solicitation calls.
The whole "but we didn't know" excuse shouldn't hold water for a vendor that had numerous public complaints and bad press about illegal business practices.
If people really want to stop this practice, then take away the profitability.