If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an NDA) then it's not really a breach at all?
The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.
Whether a place is good to work at or not depends on your personal circumstances - what job do you do, who are your immediate colleagues and manager, how far do you have to commute to work etc. I've seen many companies where certain departments were treated like kings, while other people doing different jobs are treated like dirt.
Many people stay at jobs they hate for all kinds of reasons...
We hunted rabbits and other animals for food for thousands of years successfully, and managed to find enough food to survive by doing so...
There's nothing wrong with natural foods, the problem as you point out is excessive consumption of them. But instead of reducing consumption to sensible levels, they used that as an excuse to remove certain components of those foods and replace them with something else (usually worse).
I'd rather go back to the original foods, and rely on personal responsibility to not consume stupid amounts. Meddling in things has only made matters worse.
But why would they?
Companies are run for short term gain... Deploying a backdoor could get you a short term injection of cash from the government for whom you created the backdoor.
Sure there is a risk the backdoor will be leaked in the future, but by then the people who made those decisions have taken their cash and run so they won't care.
Also even if a backdoor is discovered, it can usually be explained away as a bug. Even when obvious backdoors are found (see the recent Juniper SSH backdoor) they can claim it was hackers and brush it under the carpet. Juniper lost very few customers over that incident.
There is always a war on something... War on fat, war on salt, war on sugar... It's these wars on other things that allowed sugar to increase, because if you take fat and salt out of a product it tastes disgusting - so you add something else, like sugar...
So now you have products which use lots of sugar and other chemicals to make up for the lack of salt and fat, once they start taking sugar out they will have to replace it with something else too so who knows what kinds of weird chemicals they will use for that.
I'd rather just have natural foods, containing a reasonable naturally occurring amount of salt, fat and sugar and then eat sensible quantities of them. We didn't have massive obesity problems 100+ years ago when people ate natural foods and got a bit more exercise.
A laptop that's already underpowered, being forced to do emulation? How's that going to perform, and what's going to happen to battery life when you're running apps through emulation?
This is going to be a terrible user experience which will quickly earn a terrible reputation.
Didn't work for me...
By default I was shown a list of users and nowhere to type "root", upon changing that setting it still didn't work.
Also this assumes the system is already booted, or not using disk encryption... If the disk is encrypted you can't login as root to the pre-boot auth screen and therefore can't boot the system. If disk encryption is not in use you can just boot from USB, mount the disk and insert your own password or backdoors anyway.
Yes, assuming those Macs have been upgraded to High Sierra... Although in mitigation, High Sierra is quite new and schools don't generally upgrade systems right away so I imagine the actual number of systems affected by this to be pretty small.
The biggest risk with any vulnerability is against default setups, as users are more likely to be unaware. If someone has gone to the effort of changing the defaults then they will be more aware of how things are set up. This vulnerability is also not exploitable if you've already set a root password, which many managed setups are likely to have done anyway.
Besides, it's not the first and won't be the last local privesc vulnerability... There are many more in various systems, this one just happens to be easily exploited.
I'd happily pay for such a service, it need not be free, it just has to be equivalent or better than what the pirates are offering.
I refuse to pay for an artificially inferior service.
The money you pay for these services is being used not to create a better product for you the customer, but to create a WORSE product by implementing further artificial restrictions (geoblocking, DRM etc) that act directly against the interests of the customers (i.e. YOU).
I will not support a company that acts directly against my interests, and I will not fund research into methods which will be intentionally detrimental to me.
Only your post is flawed, making meth in a lab has significant disadvantages compared to most legit jobs, there is danger from the police, from rival drug dealers, from the buyers, from the process of making the meth itself etc. The income is unreliable, and you have the added overhead of trying to create a legitimate explanation for where the income came from. None of these problems exist with a legit job, and for someone sufficiently skilled/qualified the money difference isn't so big either.
The idea of working as much or as little as you want has nothing to do with working in a meth lab, it's a consequence of being your own boss or not. If you're employed by a drug dealer to work in his meth lab you will likely have very little freedom on when you can work and severe penalties for disobeying his demands.
Downloading movies from torrents on the other hand has none of those disadvantages, in some locations it's actually legal too.
Any restrictions placed on movie streaming services are entirely artificial, there is no technical reason why Netflix or anyone else couldn't offer unrestricted downloads of DRM-free video files in a common format to anyone willing to pay for them, they choose not to out of greed and actually expend significant additional effort to create an inferior service.
Employers generally don't expend extra efforts to make your job more difficult. If your job is difficult then it's either the nature of the job, or they haven't expended the extra effort required to make it easier (eg supplying proper tools etc), they will never expend additional effort to achieve a detrimental result.
Kim Jong Un is heroically helping his people avoid addiction by banning the use of mobile phones.
You'll be hard pressed to buy anything then...
A couple of years ago we were trying to source laptops for pentesting, where they might have to run Linux or BSD, might have to do wireless testing (monitor mode, packet injection etc) and would make heavy use of the network card.
What we found was that for any given model of laptop it could have several different wireless chipsets (Intel, Atheros, Broadcom etc) which had varying levels of Linux support and varying support for monitor mode and packet injection (Atheros chipsets would do everything, the Broadcom ones wouldn't work with Linux at all) and there was no way to tell what chipset you'd get short of buying the laptop and booting it up.
The same was true of ethernet controllers, there were at least 3 different chipsets and while they all nominally worked with Linux, the performance varied quite considerably... CPU usage on the lesser chipsets was much higher, and compatibility with various switches was often much worse.
I would use legit services if they offered the same functionality as torrents, but they just don't...
Most limit you to streaming rather than downloading... My connection isn't fast enough to stream at any decent quality, especially at times of day when I'll actually be awake. I can happily torrent overnight and watch the following day.
Sometimes I want to watch when I don't have internet (eg while travelling), downloading and watching later is useful.
Netflix has limited content and arbitrary limitations on where it can be accessed from, most other services are the same. Useless when travelling. A lot of these services don't work at all in some of the countries I regularly visit.
DRM restricts what kind of devices and players you can use, the content available from torrents can be played on anything.
So long as the legit services are inferior to torrents, people will torrent. Make them as good or better and people will have little excuse for using torrents.
Exactly what did i say that was bullshit?
The default configuration on modern versions (since 7.0) is to only allow root logins with keys, see:
https://www.openssh.com/txt/re...
I never said it wasn't configurable, i said password root login is not enabled by default.
So leaving a logged in session is dangerous, and this bug makes the existing dangerous behaviour a bit worse...
The blank root password attack is only a local privesc in the default config too...
It works over screen sharing, but that's not enabled by default.
It doesn't seem to work on the local login screen, at least on the machine I've tried (plus by default the local login screen shows you a list of users and doesn't let you type a username).
To exploit on a default system you need to have local access to an unprivileged user account, and from there you can get root.
I wonder if it works when logged in via the guest account (if enabled)?
SCP won't work if the default shell is set to /bin/false, and current versions of sshd don't allow root logons by default unless you install an ssh key. Although giving the root account an invalid shell will also break single user mode and various system functions, possibly even preventing the system from booting.
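As an added illustration of the points made in the comments above about the sshd root-login default (since 7.0) and root's shell, here is a small Python audit (example code, not from the original thread): it parses sshd_config and /etc/passwd text using OpenSSH's first-occurrence-wins rule, treats the legacy spelling "without-password" as "prohibit-password", and reports whether root could log in with a password and whether root's shell is usable. The sample config and passwd lines are constructed for the example.

```python
"""Audit root-over-SSH exposure from sshd_config and /etc/passwd text.

Rules mirrored from OpenSSH: keywords are case-insensitive, the FIRST
occurrence of a keyword wins, "Key value" and "Key=value" are both
accepted, and since OpenSSH 7.0 the default for PermitRootLogin is
"prohibit-password" (older configs spell it "without-password").
Directives inside a Match block are skipped: they apply conditionally
and do not change the global default.
"""
import re

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"
# Shells that never give an interactive session (scp/sftp need a real shell).
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def effective_permit_root_login(config_text: str) -> str:
    """Return the effective global PermitRootLogin value."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after the first Match is conditional
            continue
        if in_match:
            continue
        if key == "permitrootlogin":
            return "prohibit-password" if value == "without-password" else value
    return DEFAULT_PERMIT_ROOT_LOGIN


def root_shell(passwd_text: str) -> str:
    """Return root's login shell from passwd-style text ('' if no root entry)."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "root":
            return fields[6]
    return ""


def audit_root_access(config_text: str, passwd_text: str) -> dict:
    """Summarise whether root can get in over SSH and with what."""
    policy = effective_permit_root_login(config_text)
    shell = root_shell(passwd_text)
    return {
        "permit_root_login": policy,
        "password_root_ssh": policy == "yes",   # only "yes" allows passwords
        "key_root_ssh": policy != "no",         # keys allowed unless "no"
        "root_shell": shell,
        "root_shell_usable": bool(shell) and shell not in NOLOGIN_SHELLS,
    }


# Constructed sample files (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password   <- commented out, so the default applies
PasswordAuthentication yes
Match User backup
    PermitRootLogin yes
"""
LEGACY_SSHD_CONFIG = "PermitRootLogin without-password\nPermitRootLogin yes\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/false\nalice:x:1000:1000::/home/alice:/bin/bash\n"

if __name__ == "__main__":
    print(audit_root_access(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD))
```

On the constructed sample the audit reports no password root login over SSH and a root shell of /bin/false, which is exactly the combination the comment warns will also break single-user mode.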
Depends what you mean by "productivity"...
Different people do different things, a lot of users only ever run a single fullscreen app and occasionally tab between several such apps. With more and more software being browser delivered the number of apps is decreasing and some people only ever have a browser open.
A lot of employees spend their whole day dealing with emails, and do so from within a web based interface. If they're not replying to emails, they're looking up information in browser-delivered applications. There are a great many office workers these days who would be better off with ChromeOS.
Camera phones tend to lack optical zoom, and digital zoom is largely pointless (basically cropping)...
For a fixed range they're not too bad, you'll need a pretty high-end camera with some decent lenses to beat a modern smartphone.
Most employers don't care what format your resume comes in so long as they can open it... Most employers will be able to open PDF, and you have a much lower risk of formatting errors if you use PDF. I write my resume in LaTeX and export to PDF, never had a problem.
If you need 100% compatibility you have to be running the exact same version, on the exact same hardware and configured to use the exact same printer... In practice, 100% compatibility is never achieved with the MS Office files and you can just get varying degrees of compatibility depending what you're doing... In some instances, LibreOffice actually does a better job of opening files and in some it doesn't. The only real difference is that people are conditioned to accept the incompatibilities and bugs with MS Office so they overlook them.
That's how capitalism is designed... Personal benefit at any cost.
The problem as always is a lack of education, if people were better informed they wouldn't fall for the marketing.
Our bodies require a certain intake of sugars, it's excessive quantities which are bad...
We don't really need any alcohol, although there have been claims that moderate consumption of red wine etc can be beneficial, but excess consumption of alcohol is clearly detrimental.
We don't require any intake of tobacco whatsoever, and are much better off without it. Certainly our bodies are not designed to inhale fumes from something being burned.