This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.
The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.
This supposedly serious disclosure referred to in the article is a non-event; there was a "press release" about a supposedly serious flaw in PDF, and there were no details, so it doesn't even count as disclosure of a vulnerability as a whole.
Okay, I just spent $10 to answer this question, so this post had better get modded UP!:)
I went to TransUnion, logged in, provided my buddy's credit card number (with his consent, I gave him $10 cash) and bought my credit report that they previously would not give me for free!
They already have my CC information on file... I just click SUBMIT and it charges the card. They can SEE the money they're turning away, and they block the transaction.
In the past, prior to applying for a home loan, I had subscribed to credit reporting services at each of the 3 credit reporting agencies. I have had my user accounts set up for over 5 years with each of them. I quit paying for the services once the free AnnualCreditReport.com went up. Now I have been checking my credit annually. Apparently I wasn't the only one who quit paying for services they should be getting for free because they started scamming the consumers.
This year, I went to go pull my report from all 3 bureaus and none of them will let me see it - apparently because they "cannot adequately verify my identity", even though I've logged in with my same account information I've had with them for years. I enter my info; they'll ask me 3 questions about my credit past, which I correctly answer... then tell me I need to send my request via snail-mail.
HOWEVER
If I login and agree to pay $10, then they'll grant me access to the information, no questions asked.
Because bandwidth and server maintenance are free.
They already have the infrastructure built up to provide the content, yet they charge for the content. If you pay the price, you still get to see the ads. Eliminate the fee, and you increase the ad revenue. The incremental costs of increased bandwidth are negligible; actually it is a much desired consequence, because that means more revenue coming in from page views.
I'd be willing to bet vital body parts that Media Defender did not make a DIME profit. The AG might cover costs such as installing a T1, or special case-related tools that will directly benefit their investigation, but that is normal job costs. Paying Media Defender turns them into a PAID informant which then calls the credibility of the evidence into question. (Granted, with the revelation of their phone calls, everything they've done is now worthless.)
The likely scenario is that Media Defender went to great lengths to download and sample every torrent available, essentially to provide an inverted Nielsen's rating on the popularity of 'pirated content'. In doing so, they came across illegal porn. Understand that the files aren't labeled as "6_month_old_being_raped.torrent", but rather labeled harmless names such as "Celebrity_deathmatch:_Korn_vs_slipknot.torrent". So what are they to do, nothing?
The one thing I have never come across, and God willing, I hope to never come across is child porn. I've heard about it, and I've seen stuff that I consider beyond borderline, the very sight of which put me into a rage... and that was before I had kids of my own. I applaud the work done by Media Defender, I thank them for doing a job I could not, and would not willingly do. I am disappointed that this leak has pulled the rug out from what appeared to be a huge investigation to bring these despicable criminals to justice. I also do not see a problem with them seeding invalid torrents on behalf of media companies. I think it's stupid, I wish Hollywood would wake up to reality, but I can understand how Media Defender was trying to stem the tide - I hope they made a lot of money off the Hollywood boneheads.
I do not, however, support in any way the railroading of random internet users by the RIAA. The mass lawsuits are disgusting and the RIAA deserves everything they have coming to them: a long, slow, suicide.
You aren't paid for your incident reports are you?
If a company wants me to investigate an incident and write up a report, yes, I charge for that. I'm also a paid expert witness... no problem with any of it.
When I see a crime, I report it. For free... can you imagine the lunacy of being paid for each crime you report?
The outsourcing of police work to a private entity is seriously f****d up.
99% of the police work done on the internet is carried out by individuals, not the police. I'm not a cop, but I've busted up spam networks, cybercrime, phishing scams, and everything in between. This isn't outsourcing, it is being a good netizen.
There aren't enough cops to police the internet, so it is left to the 'vigilantes' to take down phishing sites and all these things.
It is up to each of us to police our own neighborhood.
Could I get your name and address for this incident report?:)
...the word on the street is simply that one of their staff signed up to a torrent site from one of MediaDefender's IPs with the same gmail address as username and password as he used for his gmail account where all these e-mails had been archived.
Heh, they all but went out of their way to provide access to the hackers. The top brass had his emails being forwarded to his Gmail account, bypassing any and all security they had set up on the corporate network.
Then the hackers got the usernames and passwords and gained internal access to the network, establishing admin access on the domain. They apparently set up packet captures, or if MediaDefender were the ones capturing packets, they found them and this is where they captured the VoIP calls.
"Keyloggers, we don't need no stinking keyloggers!" The worst infections to get rid of are those where the intruders have admin access to the network and maintain their access using normal everyday network admin utilities (from my experience, the French are especially good at this). I have worked with sites that have been hacked where the intruders have obtained an administrator level password, then gone in and set up RPC over HTTPS on the domain servers, then the hackers have set up their own 2003 server, added it to the domain, promoted it to domain controller and had the hacked company's Domain Controller perform an outbound sync (using the RPC over HTTPS) to the hackers' 2003 server. Any password changes the users make on the home network will be replicated to their off site "guest host" malicious server.
The hackers later added Distributed File Shares or DFS, and used it to replicate file shares (i.e. user folders) information to their hacked domain controller. The hackers basically set themselves up as a run-of-the-mill remote office that synchronizes over a low-speed wan link.
This company was totally Pwn3d... I wouldn't be surprised to see the same thing happen here with the amount of information they collected.
But in professional, corporate email communications such a tone has about as much justification as surfing porn at work.
And to that point - it is their JOB to surf porn at work, to seek out child porn and notify the DoJ and the New York Attorney General's office of the material so that the AG could pursue the offender as part of their own investigation.
Yet, I do agree that the use of profanity does show a lack of professionalism. Much like the theory that you can tell a lot about a man by the way he treats his waitress. These emails reveal that they have an air of arrogant superiority about themselves, that they operate above the law, and that they are immune from "teh bad d00dz". They are convinced of their moral authority and moral superiority.
To wit: I have a fair level of certainty that they got themselves infected with spyware, adware, trojans. They surf sites in the dark corners of the 'intertoob' seeking out nefarious content, evil trackers and child predators. In going there, they are in the stomping grounds of the best of the worst when it comes to infecting computers using the most current 0day exploits.
(Side note -- stick with me here) I personally do not run anti-virus. I deal with malicious content all the time. I know what is running on my machine at all times. If I were to run an AntiVirus, it would delete half the files on my hard drive that were gathered as evidence in investigations, or malicious tool kits used to exploit systems that I use in teaching classes.
Whenever I venture to evil sites, I start up a virtual machine. I have two, called "Hindenburg" and "Titanic", that are not current on their patches and run no anti-virus. I purposely seek out infections and malware on these machines so I can analyze the machines postmortem. I have a tremendous amount of respect and even admiration for my opponents. They are VERY good at their game. As such, I am careful not to let my guard down.
(My point) I'll bet that what they've done is get a real machine infected, one that was not sandboxed, connected to the internal domain, and the user was running with not just local admin privileges, but with full domain admin privileges. OOPS! This infected machine reported back to the hackers, who then connected back in to their hacked box and set up user accounts on the network and also rooted the boxes.
At this point, no amount of changing passwords or firewalls or IDS will get the intruders out. They need to rebuild every box on their network, from scratch. They need to stop thinking of themselves as an "academic institution" that needs full access to the internet (no outbound restrictions on the firewall) and where proper security practices "don't apply to them".
Proper security and safety protocols were not followed. The arrogant attitude of "we're security folks, policies don't apply to us" is what let this happen.
I have kids and I couldn't have survived their teething without those things. It is a homeopathic remedy that works. My son is now teething and when he starts fussing, you put them in his mouth and he goes right back from cranky to happy baby. They sell them everywhere you can buy baby formula. Does the Placebo Effect work on 6 month old infants too?
Scientists will call those results anecdotal.
In the real world, the plural of anecdotal is called evidence.
Studies either confirm common sense, or they are wrong. This is a complete BS press release that clearly came from Diebold. Just like when Microsoft funds studies of the costs of Linux...
DES 56 has been broken, brute forced. It uses a single 56 bit key to encrypt data. You get the key, you get the data.
3DES 168 encryption is still, in my opinion, unbreakable. The people who laugh at that statement need to read this.
3DES uses TWO Separate 56 bit DES keys. The first key is used to encrypt the data, just like standard DES. Then the second key is used to re-encrypt the data. Finally the first key is used again to encrypt the data yet a third time. As you can see, it isn't simply using a 168 bit key.
You now have your data triple-encrypted, thereby giving you 168bit encryption.
Brute forcing a key is simply trying every possible numeric combination until you land upon the key that unlocks your data. Even if you guessed correctly the first DES56 key on the very first try, you wouldn't know it because the data you're looking at is still encrypted garbage. With 3DES, you need to guess the first key, then after every single guess, brute force the second key, then try the first key AGAIN and see if you come back with readable data.
And to further confound things, the DES 168 bit standard does not specify whether the second key is used to encrypt or decrypt the data on the second pass. If you have data, encrypt it once, and look at it, you have unreadable garbage. If you then decrypt it using the wrong key, you will end up with different-looking garbage. So, the DES 168 standard only states that you have two keys, and they are used to Encrypt, Encrypt, Encrypt - OR - to Encrypt, Decrypt, Encrypt, but it leaves that choice up to the vendor.
SO, to summarize, you can have: DES 168 EEE, or DES 168 EDE.
Now, back to my brute forcing: after I guess the first key, I then immediately try to guess the second key. And with that 2nd key, do I try encrypting the data again or decrypting it before I try the first key again to see if I wind up with readable data?
This EEE vs. EDE was infuriating as an administrator, as the VPN vendors would each implement their own method of EDE, or EEE, or DED, or DDD, and this is why you could have a Cisco VPN concentrator using 100% standards compliant DES168 encryption, but you could NOT connect to it using the Nortel VPN client, or the Microsoft client, or any other client besides Cisco's client.
It was the LOOSE standards that obsoleted DES168, not its relative key-length weakness.
I seriously doubt that DES168 could ever be broken.
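The EEE versus EDE distinction from the post above, as an added example (not the poster's code) built on Go's crypto/des: it composes both orderings from single-DES passes, checks the hand-built EDE against the standard library's TripleDES, shows that an EEE peer and an EDE peer get different ciphertexts from identical keys, and shows the property that made EDE the standardized choice, namely that with all three keys equal it collapses to single DES. Keys and plaintext are constructed sample values; the two-key variant described in the post is modelled by reusing K1 as K3.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Constructed sample keys and plaintext (not from the original post).
// Each DES key is exactly 8 bytes; none of these is a DES weak key.
var (
	keyA      = []byte("alpha-k1")
	keyB      = []byte("bravo-k2")
	keyC      = []byte("charlie3")
	plaintext = [8]byte{'V', 'P', 'N', ' ', 'd', 'a', 't', 'a'}
)

// desPass runs one single-DES pass (encrypt or decrypt) over one 8-byte block.
func desPass(key []byte, in [8]byte, decrypt bool) [8]byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only fires if a key is not exactly 8 bytes
	}
	var out [8]byte
	if decrypt {
		c.Decrypt(out[:], in[:])
	} else {
		c.Encrypt(out[:], in[:])
	}
	return out
}

// TripleEEE chains three encryptions: E_k3(E_k2(E_k1(pt))).
func TripleEEE(k1, k2, k3 []byte, pt [8]byte) [8]byte {
	return desPass(k3, desPass(k2, desPass(k1, pt, false), false), false)
}

// TripleEDE is the standardized construction: E_k3(D_k2(E_k1(pt))).
func TripleEDE(k1, k2, k3 []byte, pt [8]byte) [8]byte {
	return desPass(k3, desPass(k2, desPass(k1, pt, false), true), false)
}

// TripleEDEDecrypt inverts TripleEDE: D_k1(E_k2(D_k3(ct))).
func TripleEDEDecrypt(k1, k2, k3 []byte, ct [8]byte) [8]byte {
	return desPass(k1, desPass(k2, desPass(k3, ct, true), false), true)
}

// TwoKeyEDE is the "two keys, first key reused for the third pass" variant
// the post describes: K3 = K1.
func TwoKeyEDE(k1, k2 []byte, pt [8]byte) [8]byte {
	return TripleEDE(k1, k2, k1, pt)
}

// StdlibEDE encrypts one block with Go's crypto/des TripleDES cipher, which
// takes the three keys concatenated (24 bytes) and performs EDE.
func StdlibEDE(k1, k2, k3 []byte, pt [8]byte) [8]byte {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	var out [8]byte
	c.Encrypt(out[:], pt[:])
	return out
}

// EDEMatchesStdlib: an EDE client assembled from single-DES passes
// interoperates with a standards-conforming 3DES implementation.
func EDEMatchesStdlib(k1, k2, k3 []byte, pt [8]byte) bool {
	return TripleEDE(k1, k2, k3, pt) == StdlibEDE(k1, k2, k3, pt)
}

// EEEInteroperatesWithEDE: the interop failure the post complains about.
// An EEE peer and an EDE peer with identical keys do not agree.
func EEEInteroperatesWithEDE(k1, k2, k3 []byte, pt [8]byte) bool {
	return TripleEEE(k1, k2, k3, pt) == StdlibEDE(k1, k2, k3, pt)
}

// EDECollapsesToSingleDES: with K1 = K2 = K3 the middle decrypt undoes the
// first encrypt, so EDE degrades to plain DES (backward compatibility).
func EDECollapsesToSingleDES(k []byte, pt [8]byte) bool {
	return TripleEDE(k, k, k, pt) == desPass(k, pt, false)
}

// EEECollapsesToSingleDES: EEE with one key is still three encryptions.
func EEECollapsesToSingleDES(k []byte, pt [8]byte) bool {
	return TripleEEE(k, k, k, pt) == desPass(k, pt, false)
}

func main() {
	ct := TripleEDE(keyA, keyB, keyC, plaintext)
	fmt.Printf("EDE ciphertext:       %x\n", ct)
	fmt.Printf("EEE ciphertext:       %x\n", TripleEEE(keyA, keyB, keyC, plaintext))
	fmt.Printf("EDE == stdlib 3DES:   %v\n", EDEMatchesStdlib(keyA, keyB, keyC, plaintext))
	fmt.Printf("EEE == stdlib 3DES:   %v\n", EEEInteroperatesWithEDE(keyA, keyB, keyC, plaintext))
	fmt.Printf("EDE(k,k,k) == DES(k): %v\n", EDECollapsesToSingleDES(keyA, plaintext))
	fmt.Printf("EEE(k,k,k) == DES(k): %v\n", EEECollapsesToSingleDES(keyA, plaintext))
	pt := TripleEDEDecrypt(keyA, keyB, keyC, ct)
	fmt.Printf("round trip ok:        %v\n", bytes.Equal(pt[:], plaintext[:]))
}
```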
While they did work to take down some botnets, they could only take out the criminals where they had jurisdiction - which is in the USA. Yes they work with Interpol and have made some symbolic arrests overseas. By and large, the botherders and real criminals continue to operate from countries with internet access combined with a dysfunctional or non-existent legal system (think Russia, Nigeria, Brazil), or simply where the computer crime laws have yet to catch up with the technology (think Spain, Portugal). Countries such as Russia, Brazil are high up on that list of professional criminals that are able to afford the bribes necessary to stay in business.
So my DRM is being upgraded? Should I be excited?
The worst thing Microsoft has ever done was put Mickey Mouse in charge of kernel development. Letting Hollywood dictate the kernel design will prove to be the undoing of the Windows platform.
Sorry, I didn't make that clear enough... That is what I told him to say to Qwest, or rather, what he should say to Qwest.
This was not a retelling of anything he did say. What I do know is Qwest acquiesced without resorting to anything so much as a raised voice.
I worked for Cisco Systems in the late 90's and through the dot-com bust. Starting in 1995, there was a MASSIVE undertaking to lay out fiber across the nation and throughout the world. When they pulled fiber, they didn't just pull one strand. Fiber is cheap; it is the manual labor to bury the cables, hook them up, certify them, etc. that is incredibly expensive. When they buried the cables, they ran 128 pair, 256 pair. TO THIS DAY, we have MORE DARK FIBER than we have lit fiber. There is enough fiber spanning this planet to support a quintupling of bandwidth and we'll STILL have dark fiber to spare.
Why are they 'warning' of impending bandwidth crisis? It's pretty simple.
I was just at a customer site last week (a city government). They had a DS3 and were going to get a second one. I asked him why on earth he was getting a DS3, which is OLD telco technology. I went up to his demarc point and showed him that Qwest had a fiber cable coming into their facility that provided 100mb to the net, which they then fed into a Fujitsu FL4100, then passed off to a DS3 mux, and passed off to the customer as a copper coax connection. They had a wall filled with equipment JUST TO SLOW DOWN THE CONNECTION to a DS3 speed. Oh, and the City was paying for the electricity for all the telco equipment.
I told him to call up Qwest and tell them to come get their crap out of his server room, take the fiber and plug it directly into his switch. And he was only going to pay $2000 a month for the 100mb connection to the internet or else good luck ever getting a permit to dig up another sidewalk in this town.
It worked. He didn't even have to resort to the threats. Qwest knows that they NEED TO CREATE A PROBLEM IN ORDER TO CHARGE FOR THE SOLUTION. In 100% of the cases I've dealt with telcos, I've told them what the speed and feed was that I wanted, and what I was going to pay for it. Never have I had an issue. Now, I do live in the Twin Cities Metro Area, where there is plenty of bandwidth to go around, and I'm not demanding that they give me priority QoS all the way to their tier 1 core backbone, but this game they're playing is ridiculous.
Another customer was paying $12,000 per month to get a 200mb connection to the net. I got on the horn with Qwest and told them to give us a gig connection for $10,000 per month or they can come get their gear because we weren't going to pay for the electricity for them any more. They gave us a gig connection.
It costs $100 to provision a 10mb connection port. Heck fiber optic modules are CHEAP. Want to know how much it costs to reconfigure that link for 100mb? Same Price. It is also the same price to bring it up to a gig connection.
They will bring in equipment for the sake of bringing in equipment, they will spend tens of thousands of dollars in gear just to slow your connection down, just so they can charge to speed it up.
Don't fall for it.
True, problem solved. Delete the cookie, no problem.
My point is that any trust PayPal had was destroyed the moment they redirected my browser... What else are they doing with my financial information?
PayPal has a "Virtual Debit Card" that you can use to access your PayPal account. Prior to downloading the software, you're asked to verify your system requirements. If everything checks out, you can then download and install the software.
Here's the rub - when you click on the "Download Now" button, it actually sends you to DoubleClick.net site. Then the DoubleClick.net site redirects you back to the PayPal site and starts downloading the application. If you have DoubleClick.net blocked in your hosts file, like I do, then you can't download the software.
Why?
It is so that DoubleClick.net can plant a first-party cookie, spy on your activities, direct advertisements to you... PayPal has just submitted ALL your information AND the fact that you use PayPal, AND the fact that you purchase stuff online, AND, AND, AND... Then DoubleClick.net can target you for highly targeted advertisements.
This is just unconscionable. PayPal deserves all the flame they're gonna get over this one.
Conversely, with coal-fired plants, the byproducts of the combustion are, for the most part, released into the atmosphere. We filter and scrub out as many pollutants as we can, but once it is released, we have no idea where those pollutants end up.
On the other hand, we have nuclear energy, where we know precisely where every single molecule of waste is moved, stored, recycled, repurposed, retired, and ultimately stored away. We know exactly where 100% of the pollutants end up.
Anywhere that you have connectivity combined with the absence of a functioning judicial system; you will breed crime. It doesn't matter what that connectivity is, or how you measure that connectivity - whether it is in paved roads, running water, electricity - each of these factors contributes to both the reach of commerce and the reach of criminals. The two cannot be divorced from each other. If you have a rapid expansion of transportation, without an equal expansion of police power, criminals will exploit that weakness. In the wild west, outlaws would rob trains as they crossed the nation, knowing that they'd be vulnerable and there was little chance of being caught.
Let's look at Russia. Back in the cold war era, there were technology export restrictions in place. With the fall of the Iron Curtain, those restrictions were relaxed. By the time we in the United States started going online en-masse in 1995, upgrading our computer systems to Pentium machines running Windows 95 - our old computer systems didn't go into the garbage, they were sold into the huge technological vacuum of the former Soviet Union.
Who are the early adopters of technology? Kids of course! And Russia was no exception. Like a 16-year-old with a hot rod, the youths started souping up computers that we considered garbage. They got on to the internet using whatever they could, and once they connected to our information flows, they started teaching themselves programming. Because they were learning to program on outdated equipment, this forced them to become very, very good. There was no such thing as code bloat. Then you add 5 years to the calendar and what do you have? Little Ivan is no longer 15, he is 20 and has 5 years experience - and therein lies the rub - Ivan cannot go out and get a job in information technology, there is no economy to support his skill set. So, he goes about earning a living any way he can. I call it "N0 RUL3Z, JU5T WR1T3". Ivan sets about writing spam software, creating Trojan horses, worms... this is where we see the emergence of the botnet.
Brazil wasn't far behind. In 2004-2005 we saw an uptick in the botnet wars arms race with Russia being one-upped by Brazil with the Beagle/Bagle, Mydoom and Sasser botnet pissing contest.
There is a tide shift taking place. Putin has implemented a 12% flat tax which is bringing revenues flowing into the Russian economy for the first time in 15 years. They are reviving their legal system because they want to attract the Foreign Direct Investment dollars which will never come if they have no legal system which can enforce a legal contract. Along with the civil justice and FDI dollars, criminal justice must rein in corruption, otherwise the FDI dollars will quickly disappear. So, Russia is growing out of the script kiddie phase and reemerging onto the world scene. It's good to have Mother Russia back.
I could go on providing details of history and economics, but I will leave that for the book I'm writing. But I will pose this question for you to think about: What do you think the outcome of One Laptop Per Child will have on the future of cybercrime? If connectivity absent a legal system is the breeding ground for crime, what do you think will happen as the bottom billion in Africa gets online?
Computer security is all about dealing with the unintended consequences. Every computer and every system that was ever built was first done to share information, not secure it. Security only came after we got everything connected, then had the collective "awww crap!" moment.
Regards,
Joel R. Helgeson
I always ask my dad "Do you remember the last time you were tested for Alzheimer's?"
It pisses him off...
In a study of the seven leading industrialized nations, the United States scored dead last in mathematics. However, the students involved in the study ranked first place in how confident they FELT about their mathematic skills.
They keep lowering the educational standards in order to keep kids passing through the system. This system, however, keeps focusing on making sure the kids feel good without ever having them accomplish anything. Compounding the problem is that everyone gets an award, so the ninth place trophy winner is just as good as the first place trophy winner. You take the kids that really do have talent and try hard and tell them that they're just as much a no-talent bozo as the kids who ride the short bus to school. They learn nothing, but damn if they don't feel good about themselves. The education system's modern bubble-wrap mentality of no losing, no disappointments, no harsh reality checks has provided a surplus of girls who think dressing like a slut somehow empowers them, guys who have been beaten down into spineless wimps, and the idea that the whole world stops if any of them are ever offended.
I'm seeing these kids enter into college where their brains are mush. They're not stupid - they've just never been challenged. They expect to get a C grade for simply turning in the assignment, and an A for effort.
I do believe you can still get print versions of Playboy...
Yup, fixed
Not sure how that slipped past the editors.
Thanks
-joel
This was an announcement of a vulnerability that was discovered in Adobe Acrobat. There is nothing 0day about it, and it will not ever and can not ever be a 0day. Period.
The defining characteristic of 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.
This supposedly serious disclosure referred to in the article is a non-event, there was a "press release" about a supposedly serious flaw in PDF, there were no details, so therefore it doesn't even count as disclosure of a vulnerability as a whole.
Okay, I just spent $10 to answer this question, so this post had better get modded UP! :)
I went to TransUnion, logged in, provided my buddy's credit card number (with his consent, I gave him $10 cash) and bought my credit report that they previously would not give me for free!
Any questions?
They already have my CC information on file... I just click SUBMIT and it charges the card.
They can SEE the money they're turning away, and they block the transaction.
In the past, prior to applying for a home loan, I had subscribed to credit reporting services at each of the 3 credit reporting agencies. I have had my user accounts set up for over 5 years with each of them. I quit paying for the services once the free AnnualCreditReport.com went up. Now I have been checking my credit annually. Apparently I wasn't the only one who quit paying for services they should be getting for free because they started scamming the consumers.
This year, I went to go pull my report from all 3 bureaus and none of them will let me see it - apparently because they "cannot adequately verify my identity", even though I've logged in with my same account information I've had with them for years. I enter my info; they'll ask me 3 questions about my credit past, which I correctly answer... then tell me I need to send my request via snail-mail.
HOWEVER
If I login and agree to pay $10, then they'll grant me access to the information, no questions asked.
This is a scam!
They already have the infrastructure built up to provide the content, yet they charge for the content. If you pay the price, you still get to see the ads. Eliminate the fee, and you increase the ad revenue.
The incremental costs of increased bandwidth are negligible, actually it is a much desired consequence because that means more revenue coming in from page views.
It costs you nothing. You'll increase your ad generated revenue on people wanting to revisit this today's date one year ago.
Second thing is allow commenting on stories, but then you'll be flamed by the readers.
Heaven forbid the old gray lady figure out why people don't read her pages any more. We've been trying to clue her in for years now.
The likely scenario is that Media Defender went to great lengths to download and sample every torrent available, essentially to provide an inverted Nielsen's rating on the popularity of 'pirated content'. In doing so, they came across illegal porn. Understand that the files aren't labeled as "6_month_old_being_raped.torrent", but rather labeled harmless names such as "Celebrity_deathmatch:_Korn_vs_slipknot.torrent". So what are they to do, nothing?
The one thing I have never come across, and God willing, I hope to never come across is child porn. I've heard about it, and I've seen stuff that I consider beyond borderline that the very sight of put me into a rage... and that was before I had kids of my own. I applaud the work done by Media Defender, I thank them for doing a job I could not, and would not willingly do. I am disappointed that this leak has pulled the rug out from what appeared to be a huge investigation to bring these despicable criminals to justice. I also do not see a problem with them seeding invalid torrents on behalf of media companies. I think it's stupid, I wish Hollywood would wake up to reality, but I can understand how Media Defender was trying to stem the tide - I hope they made a lot of money off the Hollywood boneheads.
I do not, however, support in any way the railroading of random internet users by the RIAA. The mass lawsuits are disgusting and the RIAA deserves everything they have coming to them: a long, slow, suicide.
If a company wants me to investigate an incident and write up a report, yes, I charge for that. I'm also a paid expert witness... no problem with any of it.
When I see a crime, I report it. For free... can you imagine the lunacy of being paid for each crime you report?
99% of the police work done on the internet is carried out by individuals, not the police. I'm not a cop, but I've busted up spam networks, cybercrime, phishing scams, and everything in between. This isn't outsourcing, it is being a good netizen.
There aren't enough cops to police the internet, so it is left to the 'vigilantes' to take down phishing sites and all these things.
It is up to each of us to police our own neighborhood.
Could I get your name and address for this incident report?
Heh, they all but went out of their way to provide access to the hackers. The top brass had his emails being forwarded to his Gmail account, bypassing any and all security they had set up on the corporate network.
Then the hackers got the usernames and passwords and gained internal access to the network, establishing admin access on the domain. They apparently set up packet captures, or if MediaDefender were the ones capturing packets, they found them and this is where they captured the VoIP calls.
"Keyloggers, we don't need no stinking keyloggers!"
The worst infections to get rid of are those where the intruders have admin access to the network and maintain their access using normal everyday network admin utilities (from my experience, the French are especially good at this). I have worked with sites that have been hacked where the intruders have obtained an administrator level password, then gone in and set up RPC over HTTPS on the domain servers, then the hackers have set up their own 2003 server, added it to the domain, promoted it to domain controller and had the hacked company's Domain Controller perform an outbound sync (using the RPC over HTTPS) to the hackers' 2003 server. Any password changes the users make on the home network will be replicated to their off-site "guest host" malicious server.
The hackers later added Distributed File Shares or DFS, and used it to replicate file shares (i.e. user folders) information to their hacked domain controller. The hackers basically set themselves up as a run-of-the-mill remote office that synchronizes over a low-speed wan link.
This company was totally Pwn3d... I wouldn't be surprised to see that the same thing happened here with the amount of information they collected.
And to that point - it is their JOB to surf porn at work, to seek out child porn and notify the DoJ and the New York Attorney General's office of the material so that the AG could pursue the offender as part of their own investigation.
Yet, I do agree that the use of profanity does show a lack of professionalism. Much like the theory that you can tell a lot about a man by the way he treats his waitress. These emails reveal that they have an air of arrogant superiority about themselves, that they operate above the law, and that they are immune from "teh bad d00dz". They are convinced of their moral authority and moral superiority.
To wit:
I have a fair level of certainty that they got themselves infected with spyware, adware, trojans. They surf sites in the dark corners of the 'intertoob' seeking out nefarious content, evil trackers and child predators. In going there, they are in the stomping grounds of the best of the worst when it comes to infecting computers using the most current 0day exploits.
(Side note -- Stick with me here)
I personally do not run anti-virus. I deal with malicious content all the time. I know what is running on my machine at all times. If I were to run an AntiVirus, it would delete half the files on my hard drive that were gathered as evidence in investigations, or malicious tool kits used to exploit systems that I use in teaching classes.
Whenever I venture to evil sites, I start up a virtual machine, I have two - they are called "Hindenburg" and "Titanic" that are not current on their patches and run no anti-virus. I purposely seek out infections and malware on these machines so I can analyze the machines postmortem. I have a tremendous amount of respect and even admiration for my opponents. They are VERY good at their game. As such, I am careful not to let my guard down.
(My point)
I'll bet that what they've done is get a real machine infected, one that was not sandboxed, connected to the internal domain, and the user was running with not just local admin privileges, but with full domain admin privileges. OOPS! This infected machine reported back to the hackers, who then connected back in to their hacked box and set up user accounts on the network and also rooted the boxes.
At this point, no amount of changing passwords or firewalls or IDS will get the intruders out. They need to rebuild every box on their network, from scratch. They need to stop thinking of themselves as an "academic institution" that needs full access to the internet (no outbound restrictions on the firewall) and where proper security practices "don't apply to them".
Proper security and safety protocols were not followed. The arrogant attitude of "we're security folks, policies don't apply to us" is what let this happen.
Further your affiant sayeth not,
Joel Helgeson
I have kids and I couldn't have survived their teething without those things. It is a homeopathic remedy that works. My son is now teething and when he starts fussing, you put them in his mouth and he goes right back from cranky to happy baby. They sell them everywhere you can buy baby formula. Does the Placebo Effect work on 6 month old infants too?
Scientists will call those results anecdotal.
In the real world, the plural of anecdotal is called evidence.
Studies either confirm common sense, or they are wrong. This is a complete BS press release that clearly came from Diebold.
Just like when Microsoft funds studies of the costs of Linux...
DES 56 has been broken, brute forced. It uses a single 56 bit key to encrypt data.
You get the key, you get the data.
3DES 168 encryption is still, in my opinion, unbreakable. The people who laugh at that statement need to read this.
3DES uses TWO Separate 56 bit DES keys. The first key is used to encrypt the data, just like standard DES. Then the second key is used to re-encrypt the data. Finally the first key is used again to encrypt the data yet a third time. As you can see, it isn't simply using a 168 bit key.
You now have your data triple-encrypted, thereby giving you 168-bit encryption.
Brute forcing a key is simply trying every possible numeric combination until you land upon the key that unlocks your data. Even if you guessed correctly the first DES56 key on the very first try, you wouldn't know it because the data you're looking at is still encrypted garbage. With 3DES, you need to guess the first key, then after every single guess, brute force the second key, then try the first key AGAIN and see if you come back with readable data.
And to further confound things, the DES 168 bit standard does not specify whether the second key is used to encrypt or decrypt the data on the second pass. If you have data, encrypt it once, and look at it, you have unreadable garbage. If you then decrypt it using the wrong key, you will end up with different-looking garbage. So, the DES 168 standard only states that you have two keys, and they be used to Encrypt, Encrypt, Encrypt - OR - to Encrypt, Decrypt, Encrypt, but it leaves that choice up to the vendor.
SO, to summarize, you can have:
DES 168 EEE
DES 168 EDE
Now, back to my brute forcing, after I guess the first key, then immediately try to guess the second key. And with that 2nd key, do I try encrypting the data again or decrypting it before I try the first key again to see if I wind up with readable data?
This EEE vs. EDE was infuriating as an administrator, as the VPN vendors would each implement their own method of EDE, or EEE, or DED, or DDD, and this is why you could have a Cisco VPN concentrator using 100% standards compliant DES168 encryption, but you could NOT connect to it using the Nortel VPN client, or the Microsoft client, or any other client besides Cisco's client.
It was the LOOSE standards that obsoleted DES168, not its relative key-length weakness.
I seriously doubt that DES168 could ever be broken.
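As an added example that is not code from the post above, here is the EEE/EDE pass ordering built by hand from Go's standard-library single DES, so the two keying orders can be compared on one block and the receiver's need to know the sender's order can be seen directly; the three keys and the plaintext block are constructed values. It also shows a property beyond the post: with all three keys equal, EDE collapses to single DES (the backward-compatibility reason EDE was chosen), while EEE does not.

```go
package main

import (
	"crypto/des"
	"fmt"
)

// Added example, not code from the original post: three single-DES passes
// composed by hand so the EEE/EDE keying orders discussed above can be
// compared on one block. With K1 == K2 == K3, "EDE" reduces to plain DES.

// tripleDES runs one 8-byte block through DES three times. mode has one
// letter per pass, 'E' to encrypt or 'D' to decrypt with keys[i].
func tripleDES(mode string, keys [3][]byte, block []byte) ([]byte, error) {
	if len(mode) != 3 || len(block) != des.BlockSize {
		return nil, fmt.Errorf("need a 3-letter mode and an 8-byte block")
	}
	out := append([]byte(nil), block...)
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(keys[i]) // 8-byte key, 56 effective bits
		if err != nil {
			return nil, err
		}
		switch mode[i] {
		case 'E':
			c.Encrypt(out, out)
		case 'D':
			c.Decrypt(out, out)
		default:
			return nil, fmt.Errorf("bad mode letter %q", mode[i])
		}
	}
	return out, nil
}

// inverse returns the pass and key order that undo (mode, keys): passes
// reversed with E and D swapped, so EDE is undone by DED and EEE by DDD.
// A receiver that assumes the wrong order gets garbage, not plaintext.
func inverse(mode string, keys [3][]byte) (string, [3][]byte) {
	m := []byte{'E', 'E', 'E'}
	var k [3][]byte
	for i := 0; i < 3; i++ {
		k[i] = keys[2-i]
		if mode[2-i] == 'E' {
			m[i] = 'D'
		}
	}
	return string(m), k
}
```

Calling tripleDES with "EDE" and "EEE" on the same keys and block gives two different ciphertexts, and only the order returned by inverse recovers the block; the "EDE" result matches what des.NewTripleDESCipher produces for the concatenated 24-byte key.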