Can you easily implicate people by registering their IP address with a tracker? From the article:
...requests to BitTorrent trackers can also use CoralCDN, as these are simply HTTP GETs with a client's relevant information encoded in the tracker URL's query string, e.g., http://denis.stalker.h3q.com.6969.nyud.net/announce?info_hash=(hash)&peer_id=(name)&port=52864&uploaded=231374848&downloaded=2227372596&left=0&corrupt=0&key=E0591124&numwant=200&compact=1&no_peer_id=1.
Notice that the HTTP request includes a peer's unique name (a long random string) and a port number, but notably does not include an IP address for that client. It's an optional parameter in the specification that many BitTorrent clients don't include. (In fact, even if the request includes this IP parameter, some trackers ignore it.) Instead, the tracker records the network-level IP address from where the HTTP request originated (the other end of the TCP connection), together with the supplied port, as the peer's network address.
In this case CoralCDN was effectively acting as a proxy - the IP address wasn't being falsified. Although these guys did appear to have some luck with falsified IP addresses: Why My Printer Received a DMCA Takedown Notice.
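As an added illustration (not code from the linked write-up, the quoted paper, or any real tracker), here is a small model of the tracker side of that exchange: it parses the announce query string, then records the peer as the TCP source address plus the supplied port, which is why a request relayed through a proxy such as CoralCDN gets logged under the proxy's IP and why the optional `ip` parameter changes nothing on a tracker that ignores it. The announce URL, the IP addresses and the hash are constructed sample values.

```javascript
// Added example (not from the paper or any tracker implementation): a model
// of how a tracker turns an announce into the peer record it stores.
// All URLs, addresses and hashes below are constructed sample values.

// Percent-decode into raw bytes. info_hash is 20 raw bytes, so it must not be
// decoded as UTF-8 the way URLSearchParams would.
function percentDecodeBytes(s) {
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.substr(i + 1, 2);
    if (s[i] === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(s.charCodeAt(i) & 0xff);
    }
  }
  return bytes;
}

// Parse the raw query string into a map of name -> decoded byte array.
function parseQuery(search) {
  const fields = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    fields[name] = percentDecodeBytes(value);
  }
  return fields;
}

const toHex = (bytes) => bytes.map((b) => b.toString(16).padStart(2, '0')).join('');
const toAscii = (bytes) => String.fromCharCode(...bytes);

// Fields the tracker reads from the announce (names per the tracker protocol;
// 'ip' is the optional parameter the quoted text mentions).
function parseAnnounce(rawUrl) {
  const url = new URL(rawUrl);
  const q = parseQuery(url.search);
  if (!q.info_hash || q.info_hash.length !== 20) {
    throw new Error('info_hash must be exactly 20 bytes');
  }
  const port = Number(toAscii(q.port || []));
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('announce without a valid port');
  }
  return {
    infoHash: toHex(q.info_hash),
    peerId: q.peer_id ? toAscii(q.peer_id) : null,
    port,
    ipParam: q.ip ? toAscii(q.ip) : null, // null when absent, the common case
  };
}

// What the tracker stores: the TCP source address of the request plus the
// announced port. The 'ip' query parameter is deliberately not used, which is
// the behaviour the quoted text describes for trackers that ignore it.
function recordPeer(rawUrl, tcpSourceIp) {
  const a = parseAnnounce(rawUrl);
  return {
    infoHash: a.infoHash,
    peerId: a.peerId,
    address: `${tcpSourceIp}:${a.port}`,
    ipParamIgnored: a.ipParam !== null && a.ipParam !== tcpSourceIp,
  };
}

// Constructed announce: 20-byte info_hash, 20-char peer_id, no 'ip' parameter.
const ANNOUNCE =
  'http://tracker.example.invalid:6969/announce' +
  '?info_hash=%12%34%56%78%9a%bc%de%f0%12%34%56%78%9a%bc%de%f0%12%34%56%78' +
  '&peer_id=-XX0001-abcdefghijkl&port=52864&uploaded=231374848' +
  '&downloaded=2227372596&left=0&compact=1&no_peer_id=1';

// Direct request: the client's own address is recorded.
console.log(recordPeer(ANNOUNCE, '203.0.113.10'));
// Same announce relayed through a proxy: the proxy's address is recorded, and
// the tracker has no way to tell the two cases apart.
console.log(recordPeer(ANNOUNCE, '198.51.100.7'));
```

The practical consequence for anyone reading tracker logs as evidence is visible in the two records: they are identical apart from the address, and nothing in the request itself ties the announce to the machine that actually runs the client.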
if you have control of the domain you can get a domain validated certificate. EFF's Let's Encrypt certificates use the ACME protocol to verify you have control of a domain: https://letsencrypt.org/docs/c...
Their salary should be zero.
email addresses and plain-text passwords, separated by a colon
Always have a colon in your passwords!
I remember seeing some documentary interview with a career break & enter guy. He said he learned pretty quick to rob rich neighbourhoods; they had much better stuff to steal. The interviewer asked if he was worried about house alarms, and he said that the vast majority of houses he robbed had alarms not switched on or otherwise inoperable. He'd just try to break in; if he didn't hear a siren he'd be in and out in a few minutes.
..and this appeared in an Australian newspaper just yesterday "'Right to silence' law changed" http://www.smh.com.au/nsw/right-to-silence-law-changed-20120814-2462p.html
or to extort facebook? "pay for our botnet protection, as we wouldn't want to see your advertisers getting poor value for money".
Someone was arrested in Japan for this recently: http://yro.slashdot.org/story/12/07/05/135230/japanese-13-year-old-arrested-for-virus-creation
Someone steals my identity (from cards in a wallet robbed from my house) - signs up a bunch of cell phones in my name, then steps out on the bill. The police get me to fill out a form, and I spend hours dealing with 3 different cell companies and a debt collection agency.
Do you think the police checked any cell tower data to find the perpetrator?
Here's a quick mock-up of how it will look: http://i.imgur.com/2aA3Z.jpg
Anyone remember this? http://www.engadget.com/2007/06/11/apple-announces-third-party-software-details-for-iphone/
Apple announce "You won't be able to write native apps, just do everything in a browser!". They must've known they were building an app store at that time!
The Onion has covered this :) Fast forward to 2:21, the mockup phone always makes me laugh http://i.imgur.com/KO0Xg.jpg
I wish I had some mod points for you
Hey, you forgot to include a link!
http://www.socialloot.com/?ref=Monkier21EC2020-3AEA-1069-A2DD-08002B30309D
Which is a much better position than "Let's pretend there's no bugs, and hush up anyone who says there is". Nice one, Google...
S3 is just storage. Someone still needs to pay the bandwidth on the server that streams that content. Cloudfront can do streaming from your S3 store.
So the gap is "the secret key must be kept secret"? I don't see that as a digital certificate failing. It's also the reason we have revocation lists.
The 3rd party would only ever get the intersection of "do not mail" and their own marketing list. And emails wouldn't be sitting around in clear text in a database / filesystem..
Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715)
* you hit a page which includes a wlHelper.js script
* wlHelper.js is served with a header that tells your browser - cache this forever
* wlHelper.js contains code something like this:
var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU';
if (document.cookie.indexOf('MUID=') === -1) {   // MUID cookie doesn't already exist
    document.cookie = 'MUID=' + unique_id;        // set MUID cookie to unique_id
}
You delete your MUID cookie - but next time you hit a page that contains wlHelper.js the cached version is pulled from your browser. unique_id is there in the cached code, so the cookie gets set again.
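As an added defender-side example (not code from the comment or from the Stanford write-up), the following audit helper flags exactly the combination described above: a script response whose cache freshness lifetime is effectively permanent and whose body assigns document.cookie. The header handling follows standard Cache-Control and Expires semantics; the sample responses are constructed, and the one-year threshold is an assumption chosen for the demo.

```javascript
// Added example (not from the comment or the Stanford article): an audit
// helper that flags cached-forever scripts which write cookies, i.e. the
// respawn pattern described above. Sample responses are constructed.

// Assumed threshold for "cached forever": anything at or beyond one year.
const ONE_YEAR_SECONDS = 365 * 24 * 3600;

// Parse a Cache-Control header into a map of directive -> value (or true).
function parseCacheControl(header) {
  const directives = {};
  if (!header) return directives;
  for (const part of header.split(',')) {
    const [name, value] = part.trim().split('=');
    if (!name) continue;
    directives[name.toLowerCase()] = value === undefined ? true : value.replace(/"/g, '');
  }
  return directives;
}

// Effective freshness lifetime in seconds: max-age wins, Expires is the
// fallback, no-store/no-cache mean the response is not reusable from cache.
function freshnessLifetime(headers, now = Date.now()) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc['no-cache']) return 0;
  if (cc['max-age'] !== undefined) return Number(cc['max-age']) || 0;
  if (headers['expires']) {
    const t = Date.parse(headers['expires']);
    return Number.isNaN(t) ? 0 : Math.max(0, Math.floor((t - now) / 1000));
  }
  return 0;
}

// Does the script body assign document.cookie (the respawn step)?
function writesCookie(body) {
  return /document\s*\.\s*cookie\s*=/.test(body);
}

// Combine the two conditions from the comment into one finding.
function auditScriptResponse(res, now = Date.now()) {
  const lifetime = freshnessLifetime(res.headers, now);
  const writes = writesCookie(res.body);
  return {
    url: res.url,
    lifetimeSeconds: lifetime,
    cachedForever: lifetime >= ONE_YEAR_SECONDS,
    writesCookie: writes,
    suspicious: lifetime >= ONE_YEAR_SECONDS && writes,
  };
}

// Constructed sample responses; header names are lower-cased, as Node's
// http module presents them.
const SAMPLE_RESPONSES = [
  {
    url: 'https://example.invalid/wlHelper.js', // ten-year max-age plus a cookie write
    headers: { 'content-type': 'application/javascript', 'cache-control': 'public, max-age=315360000' },
    body: "var unique_id='abc123';if(document.cookie.indexOf('MUID=')===-1){document.cookie='MUID='+unique_id;}",
  },
  {
    url: 'https://example.invalid/app.js', // writes a cookie but is never cached
    headers: { 'content-type': 'application/javascript', 'cache-control': 'no-cache' },
    body: "document.cookie='session=x';",
  },
  {
    url: 'https://example.invalid/jquery.js', // cached a year, but touches no cookie
    headers: { 'content-type': 'application/javascript', 'cache-control': 'max-age=31536000' },
    body: 'window.$=function(){};',
  },
];

function auditAll(responses = SAMPLE_RESPONSES) {
  return responses.map((r) => auditScriptResponse(r));
}

for (const finding of auditAll()) console.log(finding);
```

Only the first sample is reported as suspicious: long cache lifetimes alone are normal for static libraries, and cookie writes alone are normal for application code; it is the combination that recreates a deleted identifier.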
Combine centralized and "multi-factor"? Build more PCs with smart card readers?
I'd like to see google offer some form of multifactor on their openid provider. A keyring token generator, or maybe a smartphone app?
Here's someone who has already done it..
http://waxy.org/2008/09/audio_transcription_with_mechanical_turk/
Split up the audio into 5 min pieces.
Set up a template on Amazon Turk for 'workers' to grab the 5 min mp3 files, and pay them $2 for each file translated.
More info in the comments. http://www.audiobookcutter.com/ is capable of chopping up the file at the silences for you.
Could be "call back" spam, i.e. I look at my phone and see "missed call from 555-1234". I swear I didn't hear that ring, but I call the number back anyways - and I get a recorded message selling some crap. So I generally google / don't call numbers I don't recognise now. If someone has something important to tell me they'll leave a message.
I'm surprised a nasty worm hasn't propagated via torrent client exploits. Get a list of IPs from a tracker AND the client/version they are using. Not only that: all the users would've opened the port on their router..
X-files has gone off TV?
Two more strikes and Google gets their internet connection cut? Oh, no!