The white paper is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something better.
This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."
WTF, this is supposed to be a site for nerds. It says so right there at the top.
That's not how it works. It's not a conspiracy between governments and security companies. The government mostly buys exclusive access to vulnerabilities through open markets, and sellers who want to do repeat business keep their discoveries secret.
Computer security companies don't aid in keeping these secret -- they don't know about them in the first place. Security companies only look for existing threats in the wild, they don't try to find vulns on their own. Even if they did, there's no guarantee they'd find the same ones. They only find threats that show up on their radar somehow, either through honeypots or user submissions. The targeted use of exploits will likely *never* cross their radar, unless they are the target. That's how their operations work -- by targeting specific systems and networks, not like criminals trying every possible computer on the internet. It's that promiscuous use of exploits that security companies can most easily identify and quickly stop before they become too widespread. So in that sense, they are useful.
The infrastructure, and the maintenance thereof, *is* the service. Yes, carrying bits is vital too, but that's the easy, invisible part of it. Hardly anybody buys a router for its firmware -- it's the hardware, the infrastructure, that they care about.
It's not just reflexes -- bots are rife on any currently-played PC FPS, and some console titles as well. Just peruse "ArtificialAiming" or any of the dozens of other subscription-based aimbot sites that have been around for years. Hell, install one and play around for a while and watch the other aimbotters make impossible shots and win "reflex tests" 100% of the time. They will be the ones with better KDRs than you while you yourself are cheating because they're going to extremes to rack up their kill counts. I guarantee at least 5% of other players are cheating, although a given match can be much higher still. The upside, if there is one, is that aimbot users quickly identify one another and usually target each other -- other players are just collateral damage. They also can't be everywhere on the map at once -- at least not without getting caught. People like to think that it's much more rare than it is, and give other players the benefit of the doubt, because it preserves our subjective experience and enjoyment of the game, but the truth is that cheaters always win, and they're always at the top of the high scores.
They were both far too short. I suppose that was necessary to both avoid being repetitive while still allowing for game completion with human-level skills, but I've had bowel movements lasted longer than a play-through of Portal.
I feel like stories get in the way of good games. Chess? Catan? Poker? No stories to any of them. If I want a story, I'll read a book or watch a movie. But if there must be stories, they should be in service to the game, not the other way around. Give me just enough information to explain my in-game motivation for exploring the next section, and no more. Character development, intricate backstories, and plot twists in my games can all get stuffed.
Exactly. Bitcoin will never have the core feature of a desirable currency, which is stability. The only people who transact in volatile currencies are those who must -- namely the citizens of the countries that issue them. If you own BTC, there's little incentive to spend it because you likely believe it will be worth more of a "real" currency in the future, so you're holding it. If you believe it's going to depreciate, then you're probably going to liquidate by selling all of it, not by buying a pizza and paying transaction fees. And if you believe it's going to remain relatively stable, then I want some of what you're smoking.
Every case I've seen has been someone receiving an email addressed *to* their address with (or without) dots, and presuming that an actual account exists or existed with that address. In no case has someone provided an email from an account with the same address plus or minus dots, which would be required to demonstrate the existence of such an account.
This happened to me. Some lady signed up as first-initial.middle-initial.lastname@gmail.com when in fact mine is the exact same but with no periods.
This is like speculating that you get wrong number calls because someone also has the same phone number.
Someone is either deliberately or accidentally providing or entering the wrong information. We can speculate why that's happening, but it's not because they actually created an account with your.email.address with dots.
Google hasn't released the details of their spam filters, for obvious reasons, but it stands to reason that it would take more than one person marking an item as spam for it to carry any weight outside of their personal account, and for account-level filtering, there's no indication that the content of the email is used when the message is flagged as spam, but rather just the sender.
My Gmail address is also used by some Australian who seems to be a freshly minted adult. Whenever they sign up for dating, or any other business site, I go to the site, click "forgot password," change it, unsubscribe from everything, disable the account/profile, and then flag it as "Spam" in Gmail. If they get a personal email, I ignore it the first time, and if I receive a second email, I respond with a message that I'm not the person they're trying to contact and flag it as spam.
There's a limit to how obscure backdoors can be. At the end of the day, the backdoor has to either initiate or receive a connection, and that gives the game away. The problem is that monitoring connection logs is tedious, boring, and -- if you're paying someone competent -- expensive.
Moreover, the risk/reward for creating and using a backdoor in security software doesn't make sense when the ability to exploit 0-days in the OS itself is so easy. Why blow your own hard-earned reputation when you can blow someone else's instead? Anyone with enough money can buy a 0-day and a payload (which is pretty much any nation state) and have as much access to any system as they desire until the vulnerability is discovered and patched/firewalled.
If your mouse won't move, try applying some cleaning product to your desktop. In the future, drink less Mt. Dew and find a sock to use for watching Redtube.
The only way they could identify offenders would be through targeted or incidental collection -- spyware on an endpoint, or a laptop search at customs. In either of those cases, though, the VPN use itself would likely be the least of the offenses they would be concerned about, and they wouldn't expose their capabilities simply to prosecute VPN usage, but rather the underlying information that was transmitted or received. It's really a law without teeth.
This story has all the hallmarks of a hoax. It's semi-plausible on its surface, but how many companies would have leaked production credentials in a config document AND had production machines accessible from a dev network AND had backups without any integrity testing, let alone multiple redundant backups AND had zero incidental copies? That's violating a slew of helpful best practices but none of the potentially harmful ones, like locally mirroring production data for development use. This sounds more like someone's worst fears of their first day presented as fact, but the details don't add up. It involves a strange blend of strict adherence to some policies with rampant noncompliance to others, and incompetence by a lot (nearly all) of the existing employees, managers, and executives. When things fail big, it's because of a series of events in corner cases, not
C maps remarkably well to ASM, and with compiler hints and optimizations that don't exist in ASM, well-written C typically runs as fast -- and often faster than -- hand-written ASM. If there were any significant performance advantages to ASM, it would be used far more often in performance-critical applications, but there aren't, and it's not.
Slashdot Mirror
The white paper is actually very detailed. But the specific vulnerabilities that they discovered are not the meat and bones of the message. The message is that the Bluetooth specification is so overly complicated, and the attack surface so large, that there are almost certainly many more vulnerabilities yet to be identified. I suspect that Bluetooth is akin to Adobe Flash or ActiveX -- something so inherently flawed that the easiest and best thing to do will be to discard it and start over with something better.
This isn't anything "on your computer," it's MITM javascript injection by your ISP. You didn't need to reimage your computer (and, in fact, that's unlikely to change anything), rather you need to opt-out, since they decided to opt you in. Also, you should probably either up your technical proficiency, or else stop "doing your own security."
WTF, this is supposed to be a site for nerds. It says so right there at the top.
That's not how it works. It's not a conspiracy between governments and security companies. The government mostly buys exclusive access to vulnerabilities through open markets, and sellers who want to do repeat business keep their discoveries secret.
Computer security companies don't aid in keeping these secret -- they don't know about them in the first place. Security companies only look for existing threats in the wild, they don't try to find vulns on their own. Even if they did, there's no guarantee they'd find the same ones. They only find threats that show up on their radar somehow, either through honeypots or user submissions. The targeted use of exploits will likely *never* cross their radar, unless they are the target. That's how their operations work -- by targeting specific systems and networks, not like criminals trying every possible computer on the internet. It's that promiscuous use of exploits that security companies can most easily identify and quickly stop before they become too widespread. So in that sense, they are useful.
Yeah, we all caught that episode of Vice too.
The infrastructure, and the maintenance thereof, *is* the service. Yes, carrying bits is vital too, but that's the easy, invisible part of it. Hardly anybody buys a router for its firmware -- it's the hardware, the infrastructure, that they care about.
It's not just reflexes -- bots are rife on any currently-played PC FPS, and some console titles as well. Just peruse "ArtificialAiming" or any of the dozens of other subscription-based aimbot sites that have been around for years. Hell, install one and play around for a while and watch the other aimbotters make impossible shots and win "reflex tests" 100% of the time. They will be the ones with better KDRs than you while you yourself are cheating because they're going to extremes to rack up their kill counts. I guarantee at least 5% of other players are cheating, although a given match can be much higher still. The upside, if there is one, is that aimbot users quickly identify one another and usually target each other -- other players are just collateral damage. They also can't be everywhere on the map at once -- at least not without getting caught. People like to think that it's much more rare than it is, and give other players the benefit of the doubt, because it preserves our subjective experience and enjoyment of the game, but the truth is that cheaters always win, and they're always at the top of the high scores.
They were both far too short. I suppose that was necessary to both avoid being repetitive while still allowing for game completion with human-level skills, but I've had bowel movements lasted longer than a play-through of Portal.
I feel like stories get in the way of good games. Chess? Catan? Poker? No stories to any of them. If I want a story, I'll read a book or watch a movie. But if there must be stories, they should be in service to the game, not the other way around. Give me just enough information to explain my in-game motivation for exploring the next section, and no more. Character development, intricate backstories, and plot twists in my games can all get stuffed.
Exactly. Bitcoin will never have the core feature of a desirable currency, which is stability. The only people who transact in volatile currencies are those who must -- namely the citizens of the countries that issue them. If you own BTC, there's little incentive to spend it because you likely believe it will be worth more of a "real" currency in the future, so you're holding it. If you believe it's going to depreciate, then you're probably going to liquidate by selling all of it, not by buying a pizza and paying transaction fees. And if you believe it's going to remain relatively stable, then I want some of what you're smoking.
Every case I've seen has been someone receiving an email addressed *to* their address with (or without) dots, and presuming that an actual account exists or existed with that address. In no case has someone provided an email from an account with the same address plus or minus dots, which would be required to demonstrate the existence of such an account.
This is like speculating that you get wrong number calls because someone also has the same phone number.
Someone is either deliberately or accidentally providing or entering the wrong information. We can speculate why that's happening, but it's not because they actually created an account with your.email.address with dots.
Honestly, it seems more likely that "this dude" is simply wrong.
Google hasn't released the details of their spam filters, for obvious reasons, but it stands to reason that it would take more than one person marking an item as spam for it to carry any weight outside of their personal account, and for account-level filtering, there's no indication that the content of the email is used when the message is flagged as spam, but rather just the sender.
My Gmail address is also used by some Australian who seems to be a freshly minted adult. Whenever they sign up for dating, or any other business site, I go to the site, click "forgot password," change it, unsubscribe from everything, disable the account/profile, and then flag it as "Spam" in Gmail. If they get a personal email, I ignore it the first time, and if I receive a second email, I respond with a message that I'm not the person they're trying to contact and flag it as spam.
There's a limit to how obscure backdoors can be. At the end of the day, the backdoor has to either initiate or receive a connection, and that gives the game away. The problem is that monitoring connection logs is tedious, boring, and -- if you're paying someone competent -- expensive.
Moreover, the risk/reward for creating and using a backdoor in security software doesn't make sense when the ability to exploit 0-days in the OS itself is so easy. Why blow your own hard-earned reputation when you can blow someone else's instead? Anyone with enough money can buy a 0-day and a payload (which is pretty much any nation state) and have as much access to any system as they desire until the vulnerability is discovered and patched/firewalled.
If your mouse won't move, try applying some cleaning product to your desktop. In the future, drink less Mt. Dew and find a sock to use for watching Redtube.
I won't be satisfied until it's described in terms of space stations that are mistaken for moons from a distance.
The only way they could identify offenders would be through targeted or incidental collection -- spyware on an endpoint, or a laptop search at customs. In either of those cases, though, the VPN use itself would likely be the least of the offenses they would be concerned about, and they wouldn't expose their capabilities simply to prosecute VPN usage, but rather the underlying information that was transmitted or received. It's really a law without teeth.
What makes you think VPN providers haven't been compromised?
If the median salary was under $50k, then I'm not sure who they were surveying, but it wasn't professional developers.
After a few years they simply collapse into a black hole. Storage problem solved.
...hitting submit before you finish composing your post. :)
This story has all the hallmarks of a hoax. It's semi-plausible on its surface, but how many companies would have leaked production credentials in a config document AND had production machines accessible from a dev network AND had backups without any integrity testing, let alone multiple redundant backups AND had zero incidental copies? That's violating a slew of helpful best practices but none of the potentially harmful ones, like locally mirroring production data for development use. This sounds more like someone's worst fears of their first day presented as fact, but the details don't add up. It involves a strange blend of strict adherence to some policies with rampant noncompliance to others, and incompetence by a lot (nearly all) of the existing employees, managers, and executives. When things fail big, it's because of a series of events in corner cases, not
No one ever does.
C maps remarkably well to ASM, and with compiler hints and optimizations that don't exist in ASM, well-written C typically runs as fast -- and often faster than -- hand-written ASM. If there were any significant performance advantages to ASM, it would be used far more often in performance-critical applications, but there aren't, and it's not.