Sorry to reply to myself but I realized I missed an important part. There is still social engineering to get the user to run your app since you have to get it to them some other way.
If I understand the exploit, what you do is take an app from the app store, modify it, and for some reason, the signature is still valid! The user gets a prompt if they want to install this app from a trusted source with a valid signature. And they say yes. Now you've gotten your payload onto the machine.
Put less cynically, the feature hasn't been widely adopted so the vendor made some improvements based on customer feedback and is now trying to push the feature again in order to meet customer needs. I feel like a shill for M$ saying that, but really, it's hard to criticize them for continuing to work on a difficult (or maybe just difficult for them) feature for years because they see it significantly improving their product.
HFT traders don't make money if they don't execute any orders. That doesn't mean that the anticipate that *all* of their orders will be executed. Rather it means that they want to have *some* orders executed and, whether you accept the reasoning or not, the premise is that their order execution is beneficial.
This guy is different in that his scheme would have failed if *any* of his orders went through. That's right. He had to have *zero* success.
HFT is about putting an order in and *hoping* that it executes. But if it doesn't execute in a fraction of a second, it gets pulled and replace with yet another order that you *hope* executes.
This guy is different in that his goal was to *not* execute rather than *to* execute. That's a big difference.
And what if it turns out that the financial falsification was a rumor set off by a market manipulator to force the OP to execute his trade at an unfavorable price. There simply isn't an algorithm that you can design to solve all forms of dishonesty. We have laws that cover this.
https://www.law.cornell.edu/us...
Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the.Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parent's basement and run pirated copies of Windows while claiming to live and die by Linux.
Brokers are supposed to offer stock they don't have. In many cases, they are legally required to do so. They have to offer to sell even if they hold no shares. This makes them "naked short." They have to run out and buy the securities before the price moves or they will lose their tail so to speak.
This is hardly what market making is. Market makers have *more* legal responsibility than average traders. A market maker must *always* have a bid and ask price showing and they *must* buy or sell at these prices even if it costs them large sums of money. Market making is like a reverse lottery. Usually you make a few dollars on the spread. But you can lose big. Some people use the term "market maker" loosely as you probably are here. But what you are seeing here is a form of market manipulation.
I wish there were a -1 Bullshit mod. We all love stories of panhandlers really being a scam, because it eases our conscience. I live in Florida and I can tell you that nobody would stand out in this sun if they had an alternative! That doesn't just include panhandlers. Probably landscapers as well. There may be *a* rich panhandler, somewhere. But chances are that the people at street lights really are in need. Directly giving money may not actually help as they often have substance abuse and mental health problems. But if you're going to decline giving at the lights,don't assuage your conscience with a story like this. Find an appropriate charity and donate there. $2/day is $60/month. You can set it up as a recurring donation.
Churches are tax-exempt because the power to tax is the power to destroy. It's the same reason that there are no federal taxes on interest received from municipal bonds. If the government could tax churches, unfavored religions could be taxed out of existence.
All religions are equal. But not all observers are. Should you face a court, a finder of fact will evaluate the *sincerity* of your beliefs based on whatever objective evidence is available.
There was a case a few years back of somebody who got their driver's license picture with a colander on their head claiming that it was part of their religion. This would be allowed. But if it is then determined that you don't hold this religious belief (perhaps because that's the only time in your life you've ever worn a colander on your head), you could be charged with fraud.
I'm not a lawyer and this isn't legal advice, but if either of those were true, the rule of thumb is practice religion in which you sincerely believe.
I like your argument but it simply isn't true. We've had wiretaps as long as there has been a phone system. This is really the analogous capability for encrypted devices. I'm not saying that this is a good policy idea. I think it's terrible for all of the reasons already expressed. But it's not new or novel.
It's important to all of the sober roadway users too. A balancing test is about the only reasonable way to resolve things when two different principles are in conflict. It's a violation of my privacy to have to walk through a metal detector when going to a courthouse. It's also a violation of my rights if I can't get a day in court because judges are assassinated so often. Therefore, the courts look to balance the interests in a way that produces an optimal outcome. They don't always get it perfect but the line of thinking is always reasonable. Random inspections of vehicle safety and driver sobriety are a reasonable way to ensure that we can use the roadways safely which is in everybody's interest.
It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.
This is true in the short-term and only if there is no culling. If we experience a massive die-off, those who aren't fit but who breed efficiently will die at a higher rate. Of course it may turn out that intelligence isn't what makes us the most fit for the next culling. Maybe the ability to survive nuclear fallout.
Right now, if you are a pilot wanting to down a plane you pretty much have a 100% chance. On a long flight, it's inevitable that your counterpart will need to use the bathroom at some point. Then you strike. If there is always somebody else in the cabin, you may or may not succeed in killing them. But the odds are still improved.
That interesting. I'm a very regular traveler on domestic US flights. I've seen plenty of pilots coming out of the cockpit for the bathroom. And no other member of the flight crew has stepped in. So this may be a rule, but I'm not so sure that it is ever enforced. Pilots are not ones to flout rules if there is even a modicum of enforcement.
The reason the pilot couldn't get back in was the steel cockpit door designed to prevent a terrorist from entering the cockpit. It may still make sense to have these doors. Maybe we should reconsider this 'security' measure. Or perhaps some means to allow a pilot back in. You already need a pass code but, apparently, also whoever is in the cockpit also has to authorize. Every flight I've been on, when the pilot or copilot leaves, to renter, first the flight attendants turn off the lights (so nobody can see the PIN entered) and then wait for the copilot to authorize.
I'm pretty sure that, in order to write something to disk, it first has to be written to memory! I don't think there is a function that goes right from a register to disk.
Slashdot Mirror
I guess if a fat person takes up jogging, we should make fun of them for going so slowly. It won't really help?!
Sorry to reply to myself but I realized I missed an important part. There is still social engineering to get the user to run your app since you have to get it to them some other way.
If I understand the exploit, what you do is take an app from the app store, modify it, and for some reason, the signature is still valid! The user gets a prompt if they want to install this app from a trusted source with a valid signature. And they say yes. Now you've gotten your payload onto the machine.
Put less cynically, the feature hasn't been widely adopted so the vendor made some improvements based on customer feedback and is now trying to push the feature again in order to meet customer needs. I feel like a shill for M$ saying that, but really, it's hard to criticize them for continuing to work on a difficult (or maybe just difficult for them) feature for years because they see it significantly improving their product.
HFT traders don't make money if they don't execute any orders. That doesn't mean that the anticipate that *all* of their orders will be executed. Rather it means that they want to have *some* orders executed and, whether you accept the reasoning or not, the premise is that their order execution is beneficial. This guy is different in that his scheme would have failed if *any* of his orders went through. That's right. He had to have *zero* success. HFT is about putting an order in and *hoping* that it executes. But if it doesn't execute in a fraction of a second, it gets pulled and replace with yet another order that you *hope* executes. This guy is different in that his goal was to *not* execute rather than *to* execute. That's a big difference.
And what if it turns out that the financial falsification was a rumor set off by a market manipulator to force the OP to execute his trade at an unfavorable price. There simply isn't an algorithm that you can design to solve all forms of dishonesty. We have laws that cover this. https://www.law.cornell.edu/us...
Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parent's basement and run pirated copies of Windows while claiming to live and die by Linux.
Brokers are supposed to offer stock they don't have. In many cases, they are legally required to do so. They have to offer to sell even if they hold no shares. This makes them "naked short." They have to run out and buy the securities before the price moves or they will lose their tail so to speak.
This is hardly what market making is. Market makers have *more* legal responsibility than average traders. A market maker must *always* have a bid and ask price showing and they *must* buy or sell at these prices even if it costs them large sums of money. Market making is like a reverse lottery. Usually you make a few dollars on the spread. But you can lose big. Some people use the term "market maker" loosely as you probably are here. But what you are seeing here is a form of market manipulation.
I wish there were a -1 Bullshit mod. We all love stories of panhandlers really being a scam, because it eases our conscience. I live in Florida and I can tell you that nobody would stand out in this sun if they had an alternative! That doesn't just include panhandlers. Probably landscapers as well. There may be *a* rich panhandler, somewhere. But chances are that the people at street lights really are in need. Directly giving money may not actually help as they often have substance abuse and mental health problems. But if you're going to decline giving at the lights,don't assuage your conscience with a story like this. Find an appropriate charity and donate there. $2/day is $60/month. You can set it up as a recurring donation.
It's too bad you can't moderate up good counter-arguments.
Churches are tax-exempt because the power to tax is the power to destroy. It's the same reason that there are no federal taxes on interest received from municipal bonds. If the government could tax churches, unfavored religions could be taxed out of existence.
All religions are equal. But not all observers are. Should you face a court, a finder of fact will evaluate the *sincerity* of your beliefs based on whatever objective evidence is available. There was a case a few years back of somebody who got their driver's license picture with a colander on their head claiming that it was part of their religion. This would be allowed. But if it is then determined that you don't hold this religious belief (perhaps because that's the only time in your life you've ever worn a colander on your head), you could be charged with fraud. I'm not a lawyer and this isn't legal advice, but if either of those were true, the rule of thumb is practice religion in which you sincerely believe.
The updates would be brought in via approved media. That media would never leave the secure facility.
I like your argument but it simply isn't true. We've had wiretaps as long as there has been a phone system. This is really the analogous capability for encrypted devices. I'm not saying that this is a good policy idea. I think it's terrible for all of the reasons already expressed. But it's not new or novel.
It's important to all of the sober roadway users too. A balancing test is about the only reasonable way to resolve things when two different principles are in conflict. It's a violation of my privacy to have to walk through a metal detector when going to a courthouse. It's also a violation of my rights if I can't get a day in court because judges are assassinated so often. Therefore, the courts look to balance the interests in a way that produces an optimal outcome. They don't always get it perfect but the line of thinking is always reasonable. Random inspections of vehicle safety and driver sobriety are a reasonable way to ensure that we can use the roadways safely which is in everybody's interest.
It seems that this group managed to spread their malware via USB sticks. The modern equivalent of floppy disk viruses. But in all of the classified networks that I've seen, you can bring your USB drive into the secure area, but it can't be removed. So even if I managed to get my malware on a machine and then somehow got the sensitive data onto some sort of external media, I still don't have anything useful. Not that I wouldn't want to defend against the malware, but it seems that the air gap really is doing it's job.
Which is why men in North Korea are getting shorter!
This is true in the short-term and only if there is no culling. If we experience a massive die-off, those who aren't fit but who breed efficiently will die at a higher rate. Of course it may turn out that intelligence isn't what makes us the most fit for the next culling. Maybe the ability to survive nuclear fallout.
It's sexual selection. That's different.
Everything else is just a distraction
Right now, if you are a pilot wanting to down a plane you pretty much have a 100% chance. On a long flight, it's inevitable that your counterpart will need to use the bathroom at some point. Then you strike. If there is always somebody else in the cabin, you may or may not succeed in killing them. But the odds are still improved.
That interesting. I'm a very regular traveler on domestic US flights. I've seen plenty of pilots coming out of the cockpit for the bathroom. And no other member of the flight crew has stepped in. So this may be a rule, but I'm not so sure that it is ever enforced. Pilots are not ones to flout rules if there is even a modicum of enforcement.
The reason the pilot couldn't get back in was the steel cockpit door designed to prevent a terrorist from entering the cockpit. It may still make sense to have these doors. Maybe we should reconsider this 'security' measure. Or perhaps some means to allow a pilot back in. You already need a pass code but, apparently, also whoever is in the cockpit also has to authorize. Every flight I've been on, when the pilot or copilot leaves, to renter, first the flight attendants turn off the lights (so nobody can see the PIN entered) and then wait for the copilot to authorize.
I'm pretty sure that, in order to write something to disk, it first has to be written to memory! I don't think there is a function that goes right from a register to disk.