I deliberately choose not to have kids for environmental reasons. If you look at what amount of CO2 emission and general waste a single person in the developed nations produces, our planet can not sustain more people in western nations anymore. If the population of the western countries would halve over the next 20 years it would do much to improve the state of the current environmental issues that we are exposed to. I will risk a broken pension system for an inhabitable planet anytime.
I use:
Adblock Plus, for blocking advertisements
CustomizeGoogle, for making gmail use HTTPS only
Firekeeper, IDS/IPS for Firefox
FormFox, shows you where a form submitted gets sent to
McAfee Site Advisor,
NoScript,
SafeHistory, defends against visited-link-based web privacy attacks
Site Security Policy, enforces security policies for how a website's content should behave
TrackMeNot, protects against data profiling by search engines
User Agent Switcher, lets me surf as googlebot
IMHO the problem might be your (trifish's) "That works" part of the message. Because I do not know what you meant with "that": do you mean "this attack only works on the cheapest certificates", which I would read as "only works against the cheapest certificates, certificates bought at Paypal are secure"?
But I guess you meant to say that you can not purchase the certificates needed for this kind of attack at Paypal?
SSL will raise a certificate error unless they have some way of getting a fake cert.
With this you can intercept email which is used to validate at VeriSign that you own the domain. Because mail servers do DNS lookups as well, which can be spoofed.
It is of great concern. Many corporate users live in the false sense of security that their (personal and corporate) data is secure should the laptop get stolen. But this no longer holds true if the laptop stolen was either in hibernation mode (sleeping) or just password locked. That might also hold true for the guy that is walking around with millions of SSNs on his laptop, including yours.
Very interesting, never heard of this one. But it is really plausible because another division of Sony also implemented a rootkit, sold on a USB stick that utilized a fingerprint reader. It used the rootkit to hide the stored fingerprint information... It got detected by AV's anti-rootkit technologies.
When I attended the DIMVA conference I watched a presentation where the propagation of a worm was analyzed. This analysis was done with the session information of Swiss provider backbone routers (like date and time and IP addresses involved in conversations). That data was easily obtainable by the researchers by requesting it as data used for scientific research. But the researchers had to anonymize the data for the presentation, of course. But hey, if it's that easy to get to that kind of information (just pose as a researcher), who needs faulty laws?
Although that is certainly true, do you know that this is not true for all stores and maybe even the data center?
Also, why should we not think that you are an agent of that firm that scours the internet to find bad things posted about TJX, hired by them, Mister A.C.?!
Also interesting titbit from TFA:
"Not one single thing was done. My store manager even posted the password and username on a post-it note. I told her not to do that."
Ways to detect the presence of a VM are not limited to the methods you mentioned.
E.g., you could check for certain characteristics of the VM, like with VMware, the presence of the "VMware" string in memory or the presence of a communication channel between the VM and the host.
Then you can detect VMs by some special instructions that the native CPU would not understand.
And probably most difficult to prevent, you can detect the presence of VM by looking at the memory addresses of certain OS tables.
IANAB as well but I think there could be a problem with imitating the body's immune system concerning the use of "lookup tables".
AFAIK (please feel free to correct me) the antibodies are generated after a first contact happened with what they are to defend against and if I am correct this is the mechanism vaccination uses. So for the defence against the first encounter of an unknown virus the immune system has to rely on heuristics (which makes the defending process slow and ineffective).
Now the problem with that seems to be that it makes perfect sense for the body to only carry the antibodies for exciter that it has encountered as chances are great that most of the exciters that you encounter are known to your body as they are generally to be found in the area you live.
In other words, it makes sense for your body not to have antibodies for the Ebola virus if you have never encountered it as you will likely not get it (if you don't travel to a region where this virus is to be found - the immune system was IMHO not able to react to the invention of planes that take you there so it's not prepared for this case).
But with the Internet the situation is even more problematic than with planes: your computer's 'immune system' has to be very concerned about that virus originating in Sao Paulo even if it does not fly there as long as it's hooked up on the net.
So the circumstances under which our immune systems have to work differ substantially from the circumstances that your AV client has to deal with.
Also, in 2007 alone as many new malware samples were found as in the last 20 years alone. If our immune system had to cope with that many new types of viruses humanity would be in deep trouble.
my 2 Cents
Grammar Nazis go away: English is not my mother tongue, it's 1:40 local time and I am tired as hell.
Yes, that's the idea behind WabiSabiLabi, the Exploit Marketplace. Security Researchers have always been treated unfairly, as it was always demanded from them to give their knowledge away for free, at least to the vendor. But what is the incentive for a white hat to do research at all if he is not allowed to make money out of it?
Also, why should said researcher not just turn into a blackhat and sell stuff on the black market if he is not paid for his work on the 'free' market because no such market exists?
Compare it to medical research: medical research requires great efforts and would not be done if you could not turn the results into money (usually by patenting). Is it unethical to patent drugs that could save many lives? Why does nobody point their finger at the drug researchers but the security researchers are the unethical people?
If someone is willing to pay more for an exploit than the vendor, that's the free market.
The WabiSabiLabi guys experienced the ethical dilemma as well: They tried to resolve this issue and to create a free market for the security researchers but when they informed the vendor of an auction, they were called blackmailers. If they didn't do so, they acted unethically as well. So what?
BTW, there's a great video available from the WabiSabiLabi guy (Roberto Preatoni from Zone-H) at the HITB Kuala Lumpur Videos, the presentation is here.
Aleksey Kolupaev [...] develops and sells software that can thwart captchas by analyzing the images and separating the letters and numbers from the background noise. They charge $100 to $5,000 a project, depending on the complexity of the puzzle.
Quoted from this article. No wonder someone used it for a worm.
Can you back that up with data? It seems to make sense but why did nobody ever mention that, then?
Thank you so much for sharing that video. It was truly enlightening.
Oh, if I only had modpoints...
FTFWS: (FTFWebSite)
"This image was frequently foist on unsuspecting viewers to shock them."
Hey, I mean: no one expects the goatse!
Or did you?
Has anybody recorded the live radio streams? I can't seem to find any recordings of this anywhere, I missed the live stream. :-(
Also links to video recordings - even if not free of charge - would be welcome!
That's exactly what the communists want you to think! :-)
Fool me once...
well...
From 10 ways you might be breaking the law with your computer
#5: "Tools of a crime" laws
Some states have laws that make it a crime to possess a "criminal instrument" or the "tool of a crime." Depending on the wording of the law, this can be construed to mean any device that is designed or adapted for use in the commission of an offense. This means you could be arrested and prosecuted, for example, for constructing a high gain wireless antenna for the purpose of tapping into someone else's wi-fi network, even if you never did in fact access a network. Several years ago, a California sheriff's deputy made the news when he declared "Pringles can antennas" illegal under such a statute.
Take a look at On the Cutting Edge: Thwarting Virtual Machine Detection or just google a bit
And then they took the red pill and saw the truth...
How to turn a flashlight into a handheld burning laser...
Previously covered on /. here: How To Turn a Mini Maglite Into a Laser.
If only I had mod points now...
Read the File System? (Perhaps a mixture from NTFS and RTFA)
Just a guess.
Also discussed here on
Evolution of the 'Captcha'
Posted by CmdrTaco on Monday June 11, @08:36AM
from the why-can't-i-even-read-them-half-the-time dept.
FireballX301 writes
"The New York Times is running an article about the small word puzzles various sites use in order to defeat automated script registration while still letting humans through. It seems many people can't actually solve them anymore, so new alternatives (image recognition) are being created. This, of course, seems breakable as well -- is there a feasible alternative to the captcha, or are we stuck jumping through more and more hoops to register at places?"