Because browsers have a very large, very public attack surface and come from the desktop mentality where security wasn't even considered until recently...
Databases etc *should* have limited exposure to untrusted networks, and thus less attack surface - you typically interact with a frontend application rather than directly with the database for instance.
Webservers are obviously inherently public, but security on web servers has been a serious concern for a long time plus the typical web server is far less complex than a browser. Most web based vulnerabilities these days exist in individual applications rather than the web server software itself.
If you can cause the account to be locked for 2 minutes by making 10 attempts, then you could rapidly make intentionally bogus login attempts and render all accounts inaccessible, which would be somewhat painful to fix.
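The lockout problem described in this comment is easiest to see by running the two policies side by side. The following is an added example, not code from the commenter or from any product mentioned on the page: it implements a naive per-account lockout (ten failures lock the account for two minutes, the numbers from the comment) next to a lockout keyed on the (account, source) pair, then counts how many legitimate owners each policy turns away after one address has sent bogus attempts at every account. The account names, the documentation-range flood address and the "home-of-" source labels are constructed for the simulation.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed parameters matching the comment: ten failures lock for two minutes.
const (
	lockThreshold = 10
	lockDuration  = 2 * time.Minute
)

// Policy is the interface both lockout designs implement.
type Policy interface {
	Allow(account, source string, now time.Time) bool
	Fail(account, source string, now time.Time)
}

// counter holds the state for one key (an account, or an account+source pair).
type counter struct {
	fails       int
	lockedUntil time.Time
}

// lockout is the shared machinery; keyFn decides what the failure counter is keyed on.
type lockout struct {
	keyFn func(account, source string) string
	state map[string]*counter
}

func newLockout(keyFn func(account, source string) string) *lockout {
	return &lockout{keyFn: keyFn, state: make(map[string]*counter)}
}

func (l *lockout) get(k string) *counter {
	c, ok := l.state[k]
	if !ok {
		c = &counter{}
		l.state[k] = c
	}
	return c
}

// Allow reports whether an attempt may proceed; a zero lockedUntil is never in the future.
func (l *lockout) Allow(account, source string, now time.Time) bool {
	return !now.Before(l.get(l.keyFn(account, source)).lockedUntil)
}

// Fail records a failed attempt and starts the lock once the threshold is reached.
func (l *lockout) Fail(account, source string, now time.Time) {
	c := l.get(l.keyFn(account, source))
	c.fails++
	if c.fails >= lockThreshold {
		c.lockedUntil = now.Add(lockDuration)
		c.fails = 0
	}
}

// NewAccountLockout counts failures per account only: whoever sends them, the account locks.
func NewAccountLockout() Policy {
	return newLockout(func(account, _ string) string { return account })
}

// NewSourceLockout counts failures per (account, source) pair, so a flood from one address
// locks that address out of the account without affecting the owner logging in elsewhere.
func NewSourceLockout() Policy {
	return newLockout(func(account, source string) string { return account + "|" + source })
}

// LegitimateUsersBlocked runs the scenario from the comment: a single address sends
// lockThreshold bogus attempts at every account, then each account's owner logs in from
// their own address. It returns how many owners the policy turns away.
func LegitimateUsersBlocked(p Policy, accounts []string, now time.Time) int {
	const flood = "203.0.113.9" // documentation-range address standing in for the bogus source
	for _, acct := range accounts {
		for i := 0; i < lockThreshold; i++ {
			if p.Allow(acct, flood, now) {
				p.Fail(acct, flood, now)
			}
		}
	}
	blocked := 0
	for _, acct := range accounts {
		if !p.Allow(acct, "home-of-"+acct, now) {
			blocked++
		}
	}
	return blocked
}

func main() {
	accounts := []string{"alice", "bob", "carol"}
	now := time.Now()
	fmt.Println("per-account lockout blocks", LegitimateUsersBlocked(NewAccountLockout(), accounts, now), "owners")
	fmt.Println("per-source lockout blocks", LegitimateUsersBlocked(NewSourceLockout(), accounts, now), "owners")
}
```

Keying on the source alone is not a complete answer either: addresses behind a shared NAT are punished together, and a flood spread over many sources still gets through, which is why real deployments pair a per-source throttle with progressive delays or a challenge rather than a hard account lock.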
No it's just that the scammers selling snake oil are noisier, have bigger marketing budgets and are more trusted by those who don't know any better...
There are plenty of competent people out there, doing research, finding and fixing security holes, trying to write secure code themselves and trying to improve the coding and general security practices of others. The problem is that setting things up securely or building secure code requires a high level of (expensive and rare) skills, whereas trusting the snake oil salesman and buying his product does not.
To someone who doesn't understand the technical details, buying a product that claims to magically solve all your problems costs much less than employing people to actually address them.
Plus being horrendously insecure doesn't necessarily mean you will suffer a high profile breach, most organizations have gaping security holes but are either lucky and don't get hacked, or do get hacked but never find out about it. It only becomes a problem if a high profile breach occurs and goes public.
All the big operating systems are aimed at geeks, the average user is not really capable of managing a complex general purpose computer system and that's the whole reason why such problems as malware are so prevalent.
But there's also the fact that very few people actually need a general purpose system, most people do a small subset of things so devices built to do these things are a far better choice for most people. Think games consoles, chromebooks, tv sets, phones, routers etc... And a lot of these special purpose devices are running linux underneath, just that the user doesn't ever have to deal with the underlying system.
Which is why we need diversity, a variety of different systems being used with interoperable data files between them... If no single system has more than 30% market share then malware writing will become far less profitable.
1, this is what a firewall does...
3, OSX does this by default - although signed binaries are not a perfect solution
5, I scripted something similar for a linux kvm based hypervisor setup, it mounts each of the vm disk images readonly and scans them... you can also scan your backups in this way which gives your backup server something to do during the day when it's not actually making backups.
6, selinux/apparmor policies do this - access to unexpected locations is logged and/or denied, the problem with windows is that the filesystem is more messy and users often store files in ridiculous locations.
7, if the server can pull backups then it can take whatever it wants from your machine at any time, push backups aren't necessarily a problem if done correctly - i.e. retention should be controlled by the server and the client should not be able to overwrite or remove old backups.
10, it's too hard to define "meaningful"... if you alert too frequently users get annoyed and ignore or disable the alerts, if the alerts are too insensitive then it's easier for malware to avoid attracting attention... it also depends highly on the skill level of whoever receives the alerts.
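Point 7 above (push backups are fine when retention is server policy and the client can neither overwrite nor remove old snapshots) can be stated as a small server-side store. This is an added example, not the commenter's script or any backup product's code; the snapshot names, the seven-day retention window and the timestamps are constructed, and the "newest snapshot is always kept" rule is an assumption added so a client is never left with zero restore points.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

var (
	ErrExists    = errors.New("snapshot name already exists; overwrite refused")
	ErrForbidden = errors.New("clients may not delete or expire snapshots")
)

// Repo is the server-side store for one client's pushed backups. The client's only
// permitted operation is appending a snapshot under a name that is not yet used.
type Repo struct {
	retention time.Duration
	received  map[string]time.Time // snapshot name -> time the server accepted it
}

func NewRepo(retention time.Duration) *Repo {
	return &Repo{retention: retention, received: make(map[string]time.Time)}
}

// Push accepts a new snapshot. The server, not the client, records the timestamp, so a
// client cannot backdate a push to make bad history look old or good history look stale.
func (r *Repo) Push(name string, now time.Time) error {
	if _, exists := r.received[name]; exists {
		return ErrExists
	}
	r.received[name] = now
	return nil
}

// ClientDelete is the request path a client would use to remove a snapshot. It always
// refuses: retention is server policy, so a compromised client cannot destroy history.
func (r *Repo) ClientDelete(name string) error {
	return ErrForbidden
}

// Prune is the server's own retention job and the only code that removes data. It keeps
// the newest snapshot regardless of age so the client always has at least one restore point.
func (r *Repo) Prune(now time.Time) []string {
	var newest string
	var newestAt time.Time
	for name, at := range r.received {
		if at.After(newestAt) {
			newest, newestAt = name, at
		}
	}
	var removed []string
	for name, at := range r.received {
		if name != newest && now.Sub(at) > r.retention {
			delete(r.received, name) // deleting during range is safe in Go
			removed = append(removed, name)
		}
	}
	sort.Strings(removed)
	return removed
}

// Names lists the snapshots currently held, sorted by name.
func (r *Repo) Names() []string {
	names := make([]string, 0, len(r.received))
	for name := range r.received {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	r := NewRepo(7 * 24 * time.Hour)
	fmt.Println("push 2024-01-01:", r.Push("2024-01-01", t0))
	fmt.Println("push 2024-01-05:", r.Push("2024-01-05", t0.Add(4*24*time.Hour)))
	fmt.Println("client overwrite:", r.Push("2024-01-01", t0.Add(5*24*time.Hour)))
	fmt.Println("client delete:", r.ClientDelete("2024-01-01"))
	fmt.Println("server pruned:", r.Prune(t0.Add(10*24*time.Hour)))
	fmt.Println("remaining:", r.Names())
}
```

The property that matters is that every destructive operation lives in Prune, which runs on the server's clock and is never reachable over the client's push channel.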
Welcome to capitalism...
You can't keep selling the same product, you have to offer perceived "improvements" or people won't upgrade, and under the hood improvements are not visible to users so won't compel them to buy more - only highly visible and flashy features will make clueless users think they're getting value for money.
Another thing to consider, is should users have to be educated about hygiene and learn how to deal with such things? For the vast majority of users that is wishful thinking, and they'd be much better off with a device that is managed by someone else.
An "award" is totally arbitrary and meaningless anyway, anyone can provide an award, for anything, based on any criteria and doesn't even have to disclose the criteria on which the award is based.
The problem is that people think any of these awards have any value whatsoever, so vendors will take steps to acquire them and use them in marketing material.
A few seconds is all that's required to install a persistent trojan to retain access later.
still no ipv6 support?
No a backdoor just gives you access via a method other than the publicly disclosed one. A backdoored encryption where there are two keys just means that you need one of the two keys, it's quite possible to publish the source code without publishing the backdoor key, and equally possible for anyone with the source to remove or change the backdoor.
If you provide absolute freedom, then you also provide the freedom for some to take away freedoms from others. Releasing binaries without source is just such an act, you are using source which you had the freedom to receive and modify, but you are not extending that same level of freedom to others.
The GPL aims to ensure equality for everyone, which requires to impose an equal set of limits on everyone to avoid a select few from imposing their own set of limits on everyone else. Society works much the same way, you are free to do quite a lot but when it comes to things which harm others there are various laws to stop you.
No it wouldn't...
You can release the code, while not releasing the keys. It would be quite easy to create a system with a default SSH public key such that anyone with the private key could log in, without having to release the private key. Of course such a backdoor would be obvious and quickly found, and people would surely remove or change the public key if they were using it themselves but it wouldn't help anyone else to actually gain access unless they were to also leak the private key.
Most encryption algorithms are open source, it's the keys which need to be secret not the algorithms.
Suspend and hibernate work just fine on laptops designed to run linux (e.g. chromebooks), the same can be said of macosx - suspend and hibernate is perfectly reliable on apple laptops, but is usually flaky on a hackintosh.
Linux already has various kludges to emulate the nonstandard way in which windows handles power management, but laptops also often come with customised model-specific drivers so even if you run windows you often still have problems if you run the default drivers or drivers for the chipsets rather than the specific laptop model.
The lower end laptop makers also make things difficult for users by varying the hardware in the same model, when looking at laptops recently I was told that a given model could have any one of 3 different wifi and ethernet chipsets, and that I wouldn't know which until I physically took delivery of the laptop... They will guarantee that you get "an 802.11ac wireless card" and "a gigabit ethernet", but the performance, range, stability or cpu usage can vary wildly between chipsets as can compatibility with linux or other systems and even (albeit quite niche) features like wireless monitor or master modes are not available with some chipsets.
The chipsets in use for various components were always an important factor for me when deciding what to purchase.
Yes it's a huge nasty mess!
The solution is pretty simple, setup private vlanning so that only the ports in a given room can talk to each other, and any central server authenticates the connection based on the incoming port.
Sure the traffic is still in the clear but so what? You would be able to mitm your own room and turn off your own lights, which you could have done anyway.
But most annoyingly, shutting off the power means I can't leave something charging in the room while I go out somewhere.
That entire process could happen almost instantly, why would it need to take 45 days?
You take the card details and encrypt them using your processor's public key... That way you can re-bill the customer but you aren't storing the card number in a way that would be usable by anyone who hacked you.
Problem is that a lot of payment processors don't bother with this, and often require you to submit the plain text card number.
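The scheme in this comment (encrypt stored card details under the processor's public key so a breach of the merchant yields nothing usable, while the processor can still be asked to rebill) is shown below as an added example; it is not code from the commenter or from any payment processor. It uses hybrid encryption from the Go standard library: a fresh AES-256-GCM key per record, wrapped with RSA-OAEP under the processor's public key. The key pair is generated inline only to keep the example self-contained (a real processor would publish its public key), the card number is the constructed test value 4111111111111111, and binding the customer ID as GCM associated data is a design choice added here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; both sides must use the same label.
var oaepLabel = []byte("merchant-card-data-key-v1")

// StoredCard is everything the merchant keeps. None of it yields the card number
// without the processor's private key, which the merchant never holds.
type StoredCard struct {
	WrappedKey []byte // per-record AES-256 key, encrypted with RSA-OAEP under the processor's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output over the card details, authentication tag appended
}

// GenerateProcessorKey stands in for the key pair the processor would own and publish.
func GenerateProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealCard encrypts cardDetails for the processor. customerID is bound as GCM associated
// data so a stored blob cannot be moved onto another customer's record undetected.
func SealCard(processorPub *rsa.PublicKey, cardDetails, customerID []byte) (*StoredCard, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &StoredCard{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, cardDetails, customerID),
	}, nil
}

// OpenCard is the processor-side step when the merchant submits the stored record for a
// rebill. It fails if the record was tampered with or attached to a different customer.
func OpenCard(processorPriv *rsa.PrivateKey, sc *StoredCard, customerID []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, processorPriv, sc.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sc.Nonce, sc.Ciphertext, customerID)
}

func main() {
	processorKey, err := GenerateProcessorKey()
	if err != nil {
		panic(err)
	}
	card := []byte("4111111111111111|12/29") // constructed test PAN and expiry, not a real card
	customer := []byte("customer-42")
	stored, err := SealCard(&processorKey.PublicKey, card, customer)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant stores %d wrapped-key bytes and %d ciphertext bytes\n", len(stored.WrappedKey), len(stored.Ciphertext))
	recovered, err := OpenCard(processorKey, stored, customer)
	if err != nil {
		panic(err)
	}
	fmt.Printf("processor recovers: %s\n", recovered)
}
```

The merchant-side code never needs the private key, so a compromised merchant database only leaks wrapped keys and GCM ciphertext; whether this reduces what the merchant must protect under PCI-DSS depends on the processor actually accepting such records, which is the gap the comment points out.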
Well if they used the same root password on every box they had bigger problems than telnet... All it takes is one box to be compromised and you have a pretty good chance of obtaining the password...
You can crack the hash, on windows boxes you can even pass the hash without cracking it, if you can't crack the hash then you can backdoor the services to capture passwords and wait for someone to log in, and unless the box is completely unused you can probably entice an admin to log in by crashing whatever service the box is supposed to be running... A crashing service doesn't even raise suspicion these days, people are used to software being unreliable and will just restart it or even reboot the whole box.
There are many reasons why telnet is still around...
Some older devices support nothing else.
Some vendors charge you extra for SSH support (or for anything supporting encryption at all).
Windows only comes with a telnet client by default (although they are finally planning to change that).
Telnet isn't necessarily a problem if you control/trust the entire network path, for instance I have some switches I use for testing and I connect to them using telnet over a direct cable from my laptop to the switch itself so there's very little scope for a mitm attack...
Telnet is much simpler to implement, requires far less code and far less processing resources.
Because it's simpler, it's also less likely to have vulnerabilities in the code itself so the risks of using telnet are better understood and easier to understand.
PCI-DSS is responsible for the ease of committing payment card fraud, by occupying the space that could otherwise be occupied by a competent organization taking effective steps to improve the security of payment mechanisms.
The PCI-DSS specs are a huge compromise... If they made them too tough then the vast majority of companies would be completely unable to be compliant with their existing systems, and would basically have to build an entire new network for dealing with card data. If you make something too difficult then no one will do it at all, and no one would ever enforce that because the card companies actually want people to use cards.
So what you have instead is a baby step, PCI-DSS may not be very good but it's better than the only actual alternative - nothing at all.
Often those audits are based purely on a blind external scan, so while you get the false positives due to backported security fixes you can also get false negatives where the banners have been turned off or changed.
To do the job properly, you really need access to the host so you can audit it thoroughly and determine what's installed, how it's installed and whether it has backported patches or similar but a lot of clients don't want to do that... They think that a completely blind test is "more realistic", despite the fact that you have numerous limitations imposed on you (limited time, can only attack the specific targets and not try looking for other less obvious ways in, can't do anything that might risk crashing the host or service etc).
Just because you are compliant, does not mean you're secure.
That said, PCI compliance is an obstacle to business and most of the PCI accreditors are not very technically minded so a lot of companies blag their way through by misleading their QSA...
A lot of people aren't really so brainwashed, they take a more pragmatic approach - play along or end up jailed/killed. Many will switch sides when the benefits outweigh the risks for them.
The sanctions only serve to help the government, they make it easier to keep the populace cut off from outside sources of influence and provide evidence the government can use to demonstrate to its people how foreign governments are taking steps which negatively impact on them.
Those high in the government are not affected, they still have black market channels to get goods in and out of the country and can still make a tidy profit doing so. Lots of goods made in places like North Korea using extremely cheap labor are labelled as "made in India" or "made in China" and shipped via those countries for resale in the west.
The only ones who are hurt by sanctions are the North Korean people.