Nowhere do they point fingers at the Chinese government. They merely pointed out that the source of the attack was based in a certain Chinese city. It is the Chinese who interpreted that as pointing at the Chinese govt. Why would the Chinese do that unless they are aware of the attack being carried out by their army/govt? They could've just said they will investigate further the origin and trace the attackers. No, instead they went into this defensive spin. Shows the Chinese govt is guilty (although Google didn't accuse them).
Information = Signal - noise. Why try to destroy the signal when it is easier to add noise to the point that information obtained is useless. In plain speak, add lots of random information associated with your name on different social networking and other sites. Result is that anyone looking for you will get such diverse and nonsensical information that they will abandon the pursuit and profile.
Look around. There are countries like Singapore, Dubai, Brunei where the state is all powerful and people are happy because crime is low, livelihood is plenty and life is easy. No one gives two hoots there about democracy or privacy. Economic freedom matters a gazillion times more to most people than political.
I am a HAM operator too and have been in and out of the hobby. While my initial reaction was the same (this hobby is dying out), now I understand that the hobby appeals to a certain demographic because there isn't a lot of instant gratification on the air waves like a lot of computer/internet technologies. I am out for now, but I clearly see myself getting back to HAM radio after a certain age.
The popularity factor aside, HAM radio is essential when centralized infrastructure collapses during an emergency situation. It truly is a distributed / peer-to-peer network that can withstand pretty much all attacks except a nuclear EMP perhaps. HAM radio is emergency communication in the hands of the people vs being in the hands of the government and very much reflects some of the basic tenets that founded this nation.
Here in Northern California, HAMs have a busy summer every year when the region is lit up with wild fires. Recently, during the uprising in Egypt when phones and internet were completely shut off, news was still getting out thanks to morse code and HAM radio. So I am voting for HAM radio by renewing my ARRL membership :)
The website says "Individual file sanitization techniques, all of which failed and left at least 10MB of a 1000MB file." Does not say what happens when you do a full disk wipe. #Fail.
Exactly my sentiments. It is shenanigans like these that made me stop buying Sony products. Anyways, most of their products are crappy and overpriced. The cameras look interesting but again, I boycott Sony on principle. Plenty of choice out there to avoid Sony.
Why hide or delete personal information? Instead, fill all those fields with rubbish. Each one of these sites asks for all sorts of personal information like DoB, schools, work places, IM handles, blog URLs, home town, home address etc. Fill out each profile on every site in as much detail as you can. Only use your real name. Everything else should be borrowed. Next time a marketer buys *your* profile information, they will get junk. Anyone who Googles you will get five different people with your name who actually do not exist (if you fill out all info on five different sites like FB, flickr, MySpace etc). Make sure you fill out different information on each site. Spread the information geographically as much as possible, so, say, you were born in Ethiopia, studied in Russia, worked in France and now live in Japan. For work places, pick companies that are now bankrupt and liquidated.
"In chapter 1, the authors note that a smart grid is not a single device, application, system network, or even idea. And that there is no single authoritative definition for what a smart grid is. With that, the initial chapter sets and defines the various aspects to smart grid."
Read - we took generic security concepts and replaced "computer network" with "smart grid" in the text.
As someone who has worked for a successful smart grid company, there is very little known outside of these start-ups about how smart grids work. Most talks you see around *smart grid* security at blackhat or defcon are centered around decade-old meters and technology. Those are ancient!
1. Attack Amazon's infrastructure from their home computer
2. Post about it on twitter
3. Make videos of the attack and blog
4. Try to recruit sidekicks
5. Brag about it on IRC and the interwebs
You do any or all of the above, and you are not a vigilante or a cracker. You are just another idiot who got his/her paws on a computer.
To be precise, airport security in India is not handled by the Indian Military. The organization in charge of security at airports is CISF or Central Industrial Security Force. They are trained and equipped more like a para-military force and are trusted with guarding civilian commercial installations like airports, civilian nuclear sites, power plants or other government-owned critical infrastructure. Local police also have some presence at airports but that is on the periphery, like making sure traffic around airports is maintained, taxis queue up properly and any arrests are processed by the police.
http://en.wikipedia.org/wiki/Central_Industrial_Security_Force
First, as an Indian, I am least shocked at what the government is trying to do. This is what bureaucrats in India do best, that is, fleece money from businesses by pulling up arcane/useless laws and regulations. Behind closed doors, RIM must have bribed dozens of bureaucrats in at least half a dozen government departments. My father worked for an Indian company and was in charge of setting up a power generation plant. He said he had to bribe a dozen different ministries just to get the paperwork moving on prospecting for the site.
What's the value of Indian law enforcement agencies being able to tap into RIM? Zilch, squat, none, nada, nil, shunya! After all the circus around this issue, what brain-dead criminal will use blackberry to cover up tracks? This will mostly be used by politicians to settle scores, dig up dirt on each other and sell trade secrets of one business to another or harass them. As any Android or iPhone owner will know, just go to Android market place or iTunes store and there are dozens of apps for encrypting text messages and files. Not happy with closed source apps? Use openssl, gpg or half a dozen other opensource tools to encrypt communications such that no law enforcement agency can crack it in a timely manner to help with an investigation. Let alone Indian law enforcement agencies, which can barely use computers, much less have access to supercomputers to do any cracking.
As for Indians, they are mostly pro-government on this issue. Why? Because RIM acceded to similar demands by UAE and Saudi Arabia so now their national pride is hurt when a foreign company complies with laws of tiny Emirates but not their mighty nation. People in India are tired of a non-functional government that does not take foreign corporations to task for even mass murder (read Bhopal Gas leak). So when they see a government department screw a foreign corporation, they cheer like this will somehow help. It WON'T!!!
Here's how iris scanners can help fend off an attack. When attacked:
1. Throw an iris scanner real hard at the attacker. Don't worry if you miss, there are plenty more around you.
2. Offer an iris scanner to the attacker (should sell well on ebay).
3. Point iris scanner at the attacker and threaten to vapourize them.
4. Quickly hack into the iris database, delete attacker's identity. This will lead the attacker to question his existence and the attacker will simply implode.
5. Run! Of course, the iris scanner plays no role here.
Why are these radical Muslims watching South Park? I thought watching television was prohibited for them. So by watching South Park they committed heresy and should now kill themselves! Right?
I am a 32 year old Ham Operator (from India), live in the SF Bay Area (large urban area with a big geek population) and I am a member of some of the biggest radio clubs around here - PAARA, SFARC, FARC. I call BS on this idea that ham radio is still growing. Yes, it might be growing, but amongst retirees, not young people. Every visit to any of the club meetings, field events or local nets shows only old retirees. I will be more specific - old white men. With so much ethnic diversity in the SF Bay Area one would expect to see Asians, Hispanics, Blacks etc. None!! Go to the local HRO and it's all old people including the sales staff. This hobby is headed for death. Why? Because not many young people are joining it and the old members aren't very welcoming of the new/younger ones. It feels more like an exclusive club. Ask some old guy a question and you get the did-you-not-know-this-from-birth or i-cant-believe-you-are-asking-such-a-stupid-question look.
"As The Times noted in January of last year, the government demanded that the scientists fill out questionnaires on their personal lives and waive the privacy of their financial, medical and psychiatric records. The government also wanted permission to gather information about them by interviewing third parties. At one point, JPL's internal website posted an "issue characterization chart" -- since taken down -- that indicated the snoops would be looking for a "pattern of irresponsibility as reflected in credit history... sodomy... incest... abusive language... unlawful assembly." It also said homosexuality could be a security issue under some circumstances."
The report in the linked article from networkworld is not accurate. Quote from the article "The stink stems from HSPD #12 which is in part aimed at gathering information to develop a common identification standard that ensures that people are who they say they are, so government facilities and sensitive information stored in networks remains protected."
A close friend is one of the Caltech (technically, he is a contractor at JPL) employees who sued the Federal government. Caltech manages the JPL labs for the federal government. After 9/11, the Bush administration passed this directive to subject federal employees and contractors, working on sensitive and non-sensitive matters alike, to the same invasive background checks. These background checks do not have a set standard or criteria for evaluation, are not disclosed and can affect your employment (read termination). This means that if someone who knows you, when interviewed, says he/she thinks you did pot, that's it, you can be terminated.
To subject federal employees and contractors who are working on confidential/sensitive projects is one thing, although still not fair, but it is completely unfair to subject employees or contractors working on non-sensitive projects to such arbitrary background checks.
As they say, the devil lies in the details. The presidential directive itself does not require background checks. What it requires is that all employees and contractors, irrespective of the nature of work, have to be issued a standard identification card for entering federal facilities. Sounds fair, right? The rub is that to be issued this card, you must pass the background check. So by mandating a standard identification card, the government has mandated all employees and contractors be subjected to background checks. And this is what this group of 30 or so JPL/Caltech scientists is protesting.
On top of all this, these background checks are labour-intensive because they require federal agents to interview people who know you and collect personal information about you. Another friend who worked for PG&E waited 3 months to enter the facility he was supposed to work at because the feds could not finish his background check soon enough. Imagine if thousands of other employees or contractors are subjected to this new directive. The quality of these checks is directly proportional to the number of federal agents who do this work and we all know that the number of experienced federal agents is not going to quadruple overnight. So the end result is going to be dilution in the quality of these checks which then defeats the intent and purpose of these checks.
Phew!! My longest post on /., but no wonder that the government always screws up!!
With proper SSL certificates, savvy users might be able to avoid going to spoofed sites. Browsers like Firefox 3 will alert you of bad certs and all that.
This did occur to me earlier but seemed too simple.
Pick a few hundred ISP name servers. Craft packets with the source address as that of your victim's name server's IP address and start sending them to the ISP name servers on your list.
Sooner or later, due to the non-randomized tracking number used by DNS requests, your false DNS replies will be accepted by one ISP nameserver. Because you set the TTL for the DNS record to be very high, the record will live in the ISP name server's cache for VERY long. Now all the ISP's customers will come to an IP address of your choosing when they type www.victim.com.
The internet is now 0wned.
What I was thinking is spraying the end users with spoofed DNS responses. Sooner or later, some would use your response to resolve the name but obviously poisoning an ISP name server is more profitable.
If this really is *the* attack then it was lame of the *researchers* to try and hide it. I am sure 1000s would've guessed it by now. The exploit is really simple with dozens of packet crafters out there.
Here is hoping that the real vulnerability is a lot harder to exploit.
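A way to put numbers on the non-randomised transaction ID the posts above rely on, from the resolver operator's side, as an added example that is not from the posts or from the researchers they mention. It assumes a resolver that matches a reply on TXID and source port only, an ephemeral port range of 1024-65534, and a fixed query port of 53 for the unpatched case; nothing touches the network.

```python
"""Entropy model for blind DNS reply forgery (added example, not from the post).

Shows why a 16-bit transaction ID on its own is too little entropy and how
much source-port randomisation (the mitigation resolvers later adopted) adds.
"""
import random
from dataclasses import dataclass
from typing import Optional

TXID_SPACE = 1 << 16                   # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65535)   # assumed ephemeral source-port range
FIXED_PORT = 53                        # assumed fixed query port of an old resolver


@dataclass(frozen=True)
class Query:
    """The two header fields a resolver matches a reply against."""
    txid: int
    src_port: int


def per_guess_success(randomise_port: bool) -> float:
    """Probability that one blind forged reply matches the pending query."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomise_port else 1)
    return 1.0 / space


def expected_guesses(randomise_port: bool) -> float:
    """Mean number of forged replies needed before one is accepted."""
    return 1.0 / per_guess_success(randomise_port)


def resolver_accepts(pending: Query, reply: Query) -> bool:
    """The only checks an off-path forger has to satisfy: TXID and port."""
    return pending.txid == reply.txid and pending.src_port == reply.src_port


def simulate(randomise_port: bool, window: int, seed: int = 1) -> Optional[int]:
    """Guesses needed before a forged reply is accepted, or None if the
    window (replies that fit before the real answer arrives) closes first.

    Constructed scenario: the resolver draws its TXID (and, if enabled, its
    port) at random; the forger walks every TXID against one guessed port.
    With the port randomised that port guess is almost always wrong, so the
    TXID walk alone no longer suffices."""
    rng = random.Random(seed)
    pending = Query(
        txid=rng.randrange(TXID_SPACE),
        src_port=rng.choice(EPHEMERAL_PORTS) if randomise_port else FIXED_PORT,
    )
    for n in range(1, window + 1):
        forged = Query(txid=(n - 1) % TXID_SPACE, src_port=FIXED_PORT)
        if resolver_accepts(pending, forged):
            return n
    return None


if __name__ == "__main__":
    for rand in (False, True):
        print(f"port randomised={rand}: expected guesses ~{expected_guesses(rand):,.0f}, "
              f"first hit within a {TXID_SPACE}-reply window: {simulate(rand, TXID_SPACE)}")
```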
Read Google's blog post here:
http://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html
#Lame #Fail.
Ben - Is that you? You're fired.
AFAIK, they did not do whole disk wipe.
And, they are pouting, hands folded and all, till they get the goodies.
How long before everyone is required to fly stark naked and without luggage on passenger planes? I know I have nothing to hide, do you?
Any term or word tagged with the prefix "cyber" reeks of ignorance and opportunism. So thanks but no thanks, for this book.
United States 4287
Brazil 2435
India 1430
United Kingdom 1343
France 1017
Germany 668
Italy 651
Spain 372
Australia 200
http://www.latimes.com/news/printedition/opinion/la-oe-rutten6-2009jun06,0,7067783.column
But think of email delivery to wrong MX records.
Let them gather all the information they want. I use adblock so I see no ads targeted or otherwise. Problem solved.