I'm not sure a country which has consistently inflated its own currency by massive amounts can really accuse other countries of "currency manipulation".
Etherpad was acquired long after Wave was created. Wave is indeed a purely home grown innovation - of course "new" does not always imply "successful", arguably it often implies the opposite. But it's not necessarily a problem. The OP's point could apply to almost any big, successful company. Microsoft, Apple, Facebook... all of them built their business on doing something that already existed, but better.
So you think it's easier for criminal gangs to build and deploy thousands of small, hard to discover automatic wifi sniffers/repeaters all across the country than to simply infect computers with malware? Anything valuable is already SSL protected so that scheme would be very expensive, labor intensive, easy to discover, dangerous for the criminals and useless against high value targets like banks or gmail accounts.
Your kind of thinking is exactly why the software security business routinely finds itself mystified by the behavior of ordinary people. It's not that those people are dumb. It's that some geeks end up with a wildly distorted view of risk. Let's review the risks here:
No VPN at an airport or coffee shop. Your session may be hijacked by somebody nearby; intuitively this is a pretty unlikely thing. Of course there are idiots everywhere, but then again you might get somebody coming up and harassing you for change or positioning themselves so they can see your screen. Mostly, people are nice and don't do that kind of thing. If they do, you can deal with it quite easily by leaving and going somewhere else.
VPN at an airport or coffee shop. Now a hijacker has to actually be tapping the high speed fibre links between your VPN's colo facility and the target. The only people who actually do this are governments, and guess what - they can just go to Facebook, Twitter or Amazon and demand co-operation anyway. 99.99% of the populace does not include the government in their daily threat model, mostly because you can't do anything about it except move country, and most governments, at least in the west, just aren't that bad.
Full SSL. Now the people you have to fear are employees of Facebook, Amazon etc. and the government. Notice how nothing changed from step 2.
I'd still happily log into Facebook from a coffee shop post-Firesheep because frankly, the chances of me encountering some bizarre creep is very low. If they do steal my session cookie and I notice they are tampering with my account, I can solve this problem by logging out, leaving, and logging back in again somewhere else.
Bingo. The article he linked to talks about VPNs. Seriously, WTF? The threat Firesheep poses is basically this - some guy harassing strangers in a Starbucks. Maybe if you're very unlucky a friend/enemy doing the same. Weigh up the options, which is easier - ignoring the occasional douchebag who causes trouble in Starbucks vs buying service from a VPN provider. It's not surprising most people choose the former and you don't need an experiment to realize it!
Diamonds, at least theoretically, have value beyond their resale price - for example they look nice. Apple stock has no value beyond their resale price as they don't pay dividends and I don't know many people who buy stocks just so they can frame the certificates. That's what the OP meant by calling it a "bubble" - the stocks themselves aren't useful for anything except passing them on to somebody else.
We can't know for sure, can we? But we might as well apply Occam's razor. Indonesia doesn't have any enemies that are both technically sophisticated and extremely aggressive. Nor does it have any industrial facilities of obviously high value. Iran has all these things.
It's a good question how so much Stuxnet ended up in Indonesia, but I suspect it's simply bad luck. If the initial infection vector was some kind of industrial contractor, it's easy to imagine that "hop zero" copies of the virus occurred in whatever countries that contractor happened to work in. The virus tries to limit its own propagation but its C&C system is really weak - only two nodes, both of which are now offline. Most modern malware has much stronger C&C infrastructure than that. It can do P2P updates as well, but that's got to be a slow and flaky way to update the virus. So it appears that the virus was created for a specific task and what happened after that wasn't a big concern.
Also while Iran is a major hotspot of infections they aren't the only ones. Indonesia is a close second.
These things are easy to explain from a perspective that assumes a criminal syndicate but hard to explain from the perspective of a theory of state sponsorship.
Well. Let's ignore the problem of motive for now (there are far easier ways for criminals to turn a profit than this) - one has to wonder why Stuxnet is written as a traditional self-propagating virus.
Apparently it has some kind of self-kill logic which tries to ensure it doesn't spread after three "hops", which suggests whoever wrote it didn't want it to become a totally uncontrolled worldwide infection.
Presumably whoever wrote this knew they wouldn't be able to obtain actual physical access to the facility they wanted to damage, nor would they be able to insert an undercover agent, nor would they be able to compromise an existing employee. If you wanted to attack a high security facility and your intelligence agency wasn't able to penetrate it using more traditional techniques, creating a virus that spreads indiscriminately and hoping you get lucky seems like a pretty reasonable strategy.
The truth may be somewhere in the middle. The top candidates are the US and Israel based on "who dislikes Iran the most". Israeli intelligence has proven several times before they apparently don't care about being detected or involving other nations as collateral damage, see the recent UK passport forging that was a part of an assassination. A guy who used to be a director of anti-proliferation strategy for the US government has remarked that the style doesn't seem like a US operation given how much noise the approach would inevitably create, and the tremendous impact outside of the intended target.
Now obviously he is biased, but I'd tend to agree with him. It seems kind of unlikely the US would do something so dramatically non-covert. The way Stuxnet works practically guaranteed it would eventually be detected and subjected to intense scrutiny. The fact that there are so many clues and possible evidence trails lying around also suggests that whoever did it wasn't too concerned with being caught, eg, it's possible the stolen digital certs or the C&C servers will provide a trail that can be investigated.
So out of "countries that hate Iran", which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of random other nations or organizations? If I had to pick an intelligence agency in the world that most resembled a criminal syndicate, the Mossad would be pretty high up the list. Speculation is fun, isn't it?
On July 17, 2009 WikiLeaks posted a cryptic notice:
Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.
... and from the same article...
A cross-check with the official Iran Students News Agency archives confirmed the resignation of the head of Iran’s Atomic Energy Organization.
According to official IAEA data, the number of actually operating centrifuges in Natanz was reduced substantially around the time of the accident WikiLeaks wrote about.
So we're arguing about the definition of whether the team was "small" or "large" then :-) Given that Stuxnet is around half a megabyte in size, I'd guess the code itself was written by a team of around 5 people, probably with each person owning an area of functionality. Say another 5 for project infrastructure, eg, building testing environments, finding the zero days and doing whatever was required to steal the digital certs.
I'm sure there is a fairly large supporting cast for this "Myrtus/Guava" project, but I'd wager a crisp benjamin the bulk of the work was done by less than 10 people. Now whether this sort of effort is "small" or "large" is a matter of perspective - for a state sponsored military project it'd be very small, for a computer virus project it'd be pretty large.
By the way, if the authors of Stuxnet are reading this - nice work, but I seriously hope you know what the hell you are doing. Remotely sabotaging industrial facilities in a part of the world that's on a political knife edge can go wrong in so many ways I don't even want to think about it.
You just need to get the Hollywood fabricated ideas about small teams of omnipotent superhacker "gods" out of your mind, because they don't exist.
Really? How big do you think the team that created Stuxnet is then? Or do you really think that one guy found 4 new zero days, wrote a P2P control mechanism, a custom kernel mode rootkit, a bunch of PLC code in an obscure form of assembly language and a shim DLL to hide the PLC infection from the operator?
The Stuxnet team is the closest thing to the Hollywood stereotype of a small team of omnipotent superhacker gods the world has seen.
The skills "reprogram industrial PLCs" and "find four new zero days in Windows" don't overlap a whole lot. Given what this virus does, it's very hard to believe it's the work of one or two guys. The whole thing smells strongly of a highly skilled and well financed team assembled for a specific reason. After all, it apparently is searching for a specific device or type of device and then tries to sabotage it - presumably this code was thoroughly tested, which means whoever wrote it is likely to have a small recreation of parts of the target factory somewhere. Not cheap or easy to set up.
I'm surprised at how often project names for secret projects have some relation to the project. This is really for you conspiracy theorists, but read the Book of Esther in the Bible, where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves and kill their enemies. Esther was born as Hadassah, which means Myrtle. According to Symantec, "While we don't know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers." Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.
In this case the USB hack appears to have been developed by pirates, judging from the firmware patch that it was used to install (hint: lots of stuff to do with "backups" in it). So I think this theory has been pretty much disproven. There probably isn't anything Sony could do about this type of thing except have the PS3 more aggressively auto update itself, like Chrome.
I work on the Gmail team. What happened to you is not related to your use or purchase of an Android phone. In fact, the spammer that logged in to your account wasn't using a mobile phone at all. The reason the session shows up as from a mobile device in your recent activity console is that some popular spammer tools identify themselves to our servers as a mobile phone so that it is allowed to use the mobile HTML UI - presumably as it's easier for them to reverse engineer. But it's actually just a program running on a regular computer.
Passwords can be stolen through a variety of means. I suggest you read this post in the Gmail support forum for more information on how it might have happened. The top three ways are phishing, keylogger viruses and re-using your Gmail password at other websites that then get hacked (this is very common).
In other words, you shouldn't need the Android anti-virus product and can uninstall it if you want. I have never heard of somebody being infected with an Android virus - just make sure to read the list of requested permissions and you should be OK.
Hope that helps and sorry to hear about your experience, but happy to hear we managed to block it!
For what it's worth, selecting a random element from an array is a part of a larger problem I often ask candidates to solve. And if people can't remember the API I let them look it up. One guy I interviewed looked up the random function (seriously??) and still got it wrong.
By the way, senior candidates who were rude in interviews and refused to write basic code would be an immediate no hire for me. You just can't separate senior from junior (skill wise) based on what the candidate claims to me. No code, no hire.
Well, I suppose one could argue working with character encodings isn't universal, but I think it's pretty darn close. Any program that interacts with users outside the USA will have to deal with this at some point; even if you think all your users speak English, people from the UK or EU can still cause issues with our funny currency symbols :-)
I can see that if you worked only on in-house software for a US-only firm, you could avoid dealing with it, in which case we run into the imprecision of language - what is "experience" anyway? I liked khasim's post about how X years of doing the same thing might be one year of experience repeated X times rather than X years of experience - that seems like a good way to think about it.
He probably means that for the type of codebase they have, finding somebody who will be productive on it would cost them more than they can afford, so they keep getting to the "yes let's hire" stage and then have candidates leave because they can get more money elsewhere. At least, that'd be my guess.
Sony haven't lost. The Xbox 360 has suffered from similar attacks and demonstrated that online patching works. Very few people bothered to perform the hacks during the short time windows in which they worked and even fewer bothered to keep them hacked rather than upgrade or play new games (which require upgrades). The result is that actually finding an Xbox that is still attackable is a heck of a lot easier said than done.
Some people who follow tech news closely will choose to step off the PS3 train at this point and take the ability to play pirated games released up to this point over the online services, multiplayer and new games. Chances are, most people won't.
The JTAG hack doesn't work on Xboxes that have been upgraded past Summer 2009, and you have to upgrade to the latest software to be allowed on to XBL, and that hack doesn't allow you to do arbitrary cheating, so I kind of doubt that is the real issue. If you're completely convinced you're playing against cheaters, it might be modded controllers, but it's unlikely to be a code-level compromise.
jaymzter didn't actually say his employers required a CCNA, he said that candidates who claimed to have one didn't have any networking skills. Not the same thing.
I see this as well when interviewing. Lots of candidates put down that they have, for instance, ten years of experience of Java. And maybe they do! But depressingly often they can't do trivial tasks, like select a random element from an array. Or they fail at understanding what happens under the hood, eg, they have no idea what garbage collection or a character encoding is.
The skills/requirements mismatch is a real issue; it's not simply a matter of evil CEOs wanting to smoke even fatter cigars at the workers' expense.
I doubt if there is anyone left who thinks that offers of v1gra.... are real opportunities.
What makes you think they aren't? You realize that a lot of these online pharma stores do in fact sell pharmaceuticals, right? Of course if you buy them you might get dosages too strong, too weak, or sold alongside other things that can kill you, but they do sell Viagra! One reason the "Canadian Pharmacy" is everywhere is because they have built up brand recognition amongst casual/recreational users of ED drugs, so they get repeat custom.
The website says that "generous individuals" have donated enough that he can do it full time. Given Gates' well known financial commitments to education it wouldn't surprise me at all if Gates has donated.
To a lesser extent I guess Google is also donating by hosting the project's infrastructure for free, notably YouTube but also AppEngine and other things.
Yes, exactly.
Searching Google for [stuxnet three hops] gives this analysis.
See HTML5's "ping" facility.