Slashdot Mirror


User: lamber45

lamber45's activity in the archive.

Stories: 0 · Comments: 232

Comments · 232

  1. Two years. Not "several", although there's been link-rot in the news-blog since then, not unique to Facebook. In my own timeline, the first FB post I ever made was in October 2007, and I believe that's actually correct; I was tagged in a couple photos posted before that, and I have some backdated "Life Event"s before that, but if it was exactly two years maybe it was just a backup script that had a bug, or something, and it might have affected some other users as well but no one else noticed and bothered to complain.

  2. Re:ICANN can go **** themselves on Forget Dot Com, 2019 Will Finally be the Year of Weird Domain Names (wired.co.uk) · · Score: 2

    Yes, there's a whole RFC series for Unicode labels in domain names, including advice to registrars for how to mitigate that problem. The ".com" domain itself is managed by Verisign, and they have a policy to address exactly that problem.

  3. Sad to see it go... on Google Will Shut Down Google+ Four Months Early After Second Data Leak (theverge.com) · · Score: 1

    I've been in the habit of cross-posting stuff to FB and G+. I don't think this "breach" would have affected me, as my profile is already public. I also have a ham license, and at least one domain without "privacy" service on the WHOIS data, and listed my real home address as my registered address last time I ran for office, and use my real name as my Wikipedia handle, with my birth year listed on my user page.

    There's probably a way to subscribe to some of the stuff I was following on G+ by direct push, or on FB. I have other contacts who had been active on G+ in the past but have already gone dark there, I haven't figured out where they moved to (if anywhere) yet.

    There's a change.org petition asking for Google to keep G+ open, if anyone agrees they should.

  4. Re: "ran for governor while he was..." on Georgia's Secretary of State Brian Kemp Doxes Thousands of Absentee Voters · · Score: 1

    Maybe I'm missing something specific about Georgia's government structure, but in Michigan, it's fairly common for the incumbent Secretary of State to be running for Secretary of State (for reelection after the first term), or for a statewide office like Governor or Senator (in the second term; Michigan has term limits), with no public outcry. The path into Secretary of State is highly political, because the candidates are nominated by state party conventions (not a primary). In the current election, both candidates campaigned on, among other things, being the right person to keep voting "fair" (for their definition of "fair").

  5. Re:Physical access on Linux Has a USB Driver Security Problem (bleepingcomputer.com) · · Score: 1

    Different OS. If you're using "cifsmount" for /home/user or something similar you might be vulnerable. If the lock-screen gets you to a desktop that can only run SSH, VNC over SSH, or a locked-down HTTPS-only browser, not so much. Then again, the attack described in that article isn't just a USB thing... someone could probably build a male RJ45 dongle that runs the same attack.

  6. Looks like the link to the original report (not in the Guardian article, but posted a couple times in the comments) might be Slashdotted. I found an archived copy at Internet Archive. It was posted last April and updated last May.

  7. If you're asking about the file domains.txt, that's not the "bad" domains, that's the "legitimate" advertisers who were victimized by the scheme. The whitepaper doesn't have full technical detail, but it sounds like the bot-farms used hosts files or private DNS to serve pages that seemed to be within those domains, without ever hitting the origin servers or even a public CDN. The list of "bad" actors, by IP address range, is the file IPs-CIDR.txt.

  8. Re:payment information? on Yahoo Says Hackers Stole Information From Over 1 Billion Accounts (go.com) · · Score: 1

    Over the years I've bought a few items from a mail-order vendor that uses Yahoo! for their checkout/payment. Nothing since the breach in question, though... their deals haven't been that good recently.

    Yahoo! also offers "premium" mail service, no ads, IMAP access may be a premium-only feature.

  9. Re:Couldn't Clinton Still Win? on Slashdot Asks: Should The US Abolish The Electoral College? · · Score: 1

    The exact procedure for appointing electors varies by state, but in most (all?) states the electors are nominated by a party. For example, in Michigan, the Republican electors were nominated at the state convention in late August. The people voting at the convention were county delegates; county delegates were chosen by vote at a county convention a few weeks before; the people at the county convention were precinct delegates and incumbent elected officials; the precinct delegates were elected back in May. The elector from my district is a 70ish retired white guy from Oakland County who has never held elected office other than precinct and convention delegate. It sounded from the remarks of his supporters like he came from a blue-collar background and had been apolitical for much of his younger life, but had been a tireless volunteer since becoming politically active.

    If Trump does something sufficiently heinous and notorious between now and mid-December, or if he's actually dead, it's possible that some, most or all of the Republican electors could defect, but if they do so, they're more likely to vote for some other Republican than for any Democrat. If not all agree, that could pass the election to the House. There again, a Republican-controlled House is unlikely to choose Clinton; although it's possible as some sort of brokered deal (maybe keep Clinton as president but with Pence or Ryan as vice-president, for example).

  10. WayBack link to his site, with lead of recent post on Akamai Kicked Journalist Brian Krebs' Site Off Its Servers After He Was Hit By a Record Cyberattack (businessinsider.com) · · Score: 1

    Since it'll be offline for a while, perhaps... Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years.

    vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

    The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States. [...]

  11. Link to the Law on Tesla Sues Michigan Over Sales Ban (usatoday.com) · · Score: 1

    The law that Snyder signed in 2014, Public Act 345 of 2014, codified as section 445.1574 Prohibited conduct by manufacturer, has a lot of detailed regulations about how manufacturers may treat dealers. The requirement that manufacturers only sell through dealers is terse, and buried in the middle of it:

    (1) A manufacturer shall not do any of the following: [...] (h) Directly or indirectly own, operate, or control a new motor vehicle dealer, including, but not limited to, a new motor vehicle dealer engaged primarily in performing warranty repair services on motor vehicles under the manufacturer's warranty, or a used motor vehicle dealer. This subdivision does not apply to any of the following: [...] (i) Sell any new motor vehicle directly to a retail customer other than through franchised dealers, unless the retail customer is a nonprofit organization or a federal, state, or local government or agency. [...]

    (There are several exceptions, some are grandfather clauses for pre-2000 manufacturer-owned dealers, the others don't appear to apply to Tesla.) Subsections (h) and (i) were present in the prior version of the law, so I'm not sure how old some form of that requirement is. The bill changed the tail end of subsection (i) from a reference to "the manufacturer's" dealers to "franchised" dealers, but the substantiative changes to the law were a new subsection (y) "Prevent, attempt to prevent, prohibit, coerce, or attempt to coerce a new motor vehicle dealer from charging a consumer any documentary preparation fee allowed to be charged by the dealer under the laws of this state" and a new section (3) "This section applies to a manufacturer that sells, services, displays, or advertises its new motor vehicles in this state".

  12. Re:This is why we can't have nice things. on Storing Very Large Files On Amazon's Unlimited Cloud Photo Storage · · Score: 1

    That's one thing I thought of after I saw the announcement, but I doubt that's the primary reason. Probably the main reason is just that they want to avoid the service getting eaten up by people who don't even understand what the "quality" and "resolution" settings on their cameras or other camera-enabled devices mean. Even with Google's compression, I imagine it's not too hard to use steganography to fit the Constitution, or a chunk of the Bible, or most of 1984, or the Kama Sutra, or the technical plans for a planet-destroying battle station in an image.

    If a service like Google, Amazon, Facebook, or Yahoo! resizes and recompresses the image data, that's one thing. If they start stripping iTXt chunks that contain copyright or attribution information, that could be a serious legal problem; likewise if they reduce quality so much that it obscures a watermark containing a copyright or trademark notice.

  13. Not sure he has clean hands... on Amazon's Customer Service Backdoor (medium.com) · · Score: 1

    The first time, he makes a big deal about the address in question not being really his, but one he did use for WHOIS registration. I know there are people who have legitimate reasons for hiding their personal address when operating a controversial website, but the solution for that isn't to give a totally bogus address. Or maybe the CSA saw that it had been used as a "private" registration (not knowing it had been subsequently revealed) and assumed it was a relevant secret on that basis? And how is it Amazon's fault if the address was used to cause the sending of a replacement credit card? Did the scammer rent a room at said hotel and request that the card be sent there?

    The second time, he complains about the disclosure of the last purchased item and the shipping address. I'd say that the majority of the time when there's fraud, if the real customer calls in, he'd like to know where the item is actually going so he can include that in his police report. In spite of the scammer's attempt, the agent really didn't give out any useful information about the credit card.

    The third time, we don't have the transcript, so it's possible that the agent read off all the addresses, the AWS username, and all credit-card numbers ever associated with the account. More likely, the agent said, "I'm sorry, I can't give you that information. I can send a copy of your invoice to your e-mail address on file."

    Even the last-purchased item is arguably sensitive. What if it's a bulk-pack of condoms, for example? Or (back to Amazon's roots) a book on the list of banned books? I'd encourage Amazon to close that hole, but I'm not sure I have a good solution.

  14. Sure, online address books are nice... on Are Phone Numbers Doomed To Die? (fortune.com) · · Score: 2

    but there are actually a few phone numbers that I remember, and can type on a telephone keypad (or the numbers-only widget on a smartphone) quicker than I can look them up (even with type-ahead on the person's name). They're also harder to make data-entry errors with than a written-out e-mail address, or, worse, someone's Facebook or Google+ name.

  15. Re:Cookie self declares path on Modern Browsers Are Undefended Against Cookie-based MITM Attacks Over HTTPS · · Score: 1

    The path and domain are not authenticated to make sure site A does not set a cookie fraudulently for site B.

    These are called "third-party cookies", and browsers (for example, Firefox) already have knobs to disable them. That's not the real issue here, however.

    Another problem seems to be, the browsers present all the values associated with the name to the web site, even the cookies not set by that site.

    Not only that, a site could get cookies set by "parent" and "child" sites. Furthermore, a lot of web-programming languages (including PHP, ASP.NET, Classic ASP, and GWT) expose the cookies as a key-value store where the key is simply the name of the cookie, and don't document which cookie they use if the browser sends multiple ones with the same key. (Java is a bit better, it just exposes a bucket, but that's harder to work with.)

  16. Re:Chinese restaurant syndrome on Which Freelance Developer Sites Are Worth Your Time? · · Score: 1

    It's a "Chinese restaurant" among the marketplace, too.

    A few years ago I set up seller accounts on three of them. One of those marketplaces bought out the other two, so now I have one account (luckily they allowed me to merge the accounts, with some loss of history).

  17. Re:Link to Amazon's official announcement on Amazon Takes On Microsoft, Google With WorkMail For Businesses · · Score: 1

    As long as we're linking to official announcements of business-targeted e-mail systems, I should mention IBM Verse. (disclaimer: I work for IBM. I do not speak for IBM.)

  18. Re:Bluetooth Printer on Ask Slashdot: Best Options For a Standalone Offline Printing Station? · · Score: 1

    Bluetooth is not supported for printing on ChromeBook.

    There is an Android app that allows printing via "Wi-Fi or Bluetooth", but it appears not to have been ported to ChromeOS.

  19. email != unencrypted on Ask Slashdot: Dealing With Companies With Poor SSL Practices? · · Score: 1

    Since 2002, the STARTTLS extension to SMTP, RFC 3207, has been a standard. In this particular case, the vendor's domain appears to be hosted on Google Sites, so if the OP has a gmail account the message won't even leave Google's network until he picks up the message via HTTPS or SSL-secured IMAP.

  20. Comment period closed? on Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi · · Score: 1

    Wish I would have heard about this during the comment period, the article says it ended Friday. Anyway, the case is RM-11737 in FCC's ECFS.

  21. Re:Questionable claims on Sony To Offer Partial Refunds For PS Vita · · Score: 1

    Well, technically he still hasn't suspended deportations (or otherwise changed immigration policy) through an executive order. His "My fellow Americans..." speech last Thursday was explaining a policy that the Department of Justice had told the Department of Homeland Security it could follow. He's taking credit for it for the purpose of arguing with Congress, and he would certainly veto anything that actively undoes it ("let's deport people by a random lottery", "let's deport everyone who has an anchor baby and is not yet a citizen", "let's deport everyone, Citizen or not, with a Muslim-sounding first name or an Irish-sounding last name"), but he hasn't done anything that the next President couldn't undo.

  22. Link to law on Michigan Latest State To Ban Direct Tesla Sales · · Score: 1

    1981 version

    2014 version

    Difference in clause (i):
    @@ -1,7 +1,8 @@
    (i) Sell any new motor vehicle directly to a retail customer other than
    -through its franchised dealers, unless the retail customer is a nonprofit
    +through franchised dealers, unless the retail customer is a nonprofit
    organization or a federal, state, or local government or agency. This
    -subdivision does not prohibit a manufacturer from providing information to
    -a consumer for the purpose of marketing or facilitating the sale of new
    -motor vehicles or from establishing a program to sell or offer to sell
    -new motor vehicles through the manufacturer's new motor vehicle dealers.
    +subdivision does not prohibit a manufacturer from providing information
    +to a consumer for the purpose of marketing or facilitating the sale of
    +new motor vehicles or from establishing a program to sell or offer to
    +sell new motor vehicles through franchised new motor vehicle dealers
    +that sell and service new motor vehicles produced by the manufacturer.
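
    Review bot: in the second sentence of this hunk, four lines are removed and five added, but most of that is re-wrapping; the only wording changes visible are "its franchised dealers" becoming "franchised dealers" and "the manufacturer's new motor vehicle dealers" becoming "franchised new motor vehicle dealers that sell and service new motor vehicles produced by the manufacturer". A word-level diff, or re-wrapping both versions to the same width before diffing, would show those two substitutions without the line-break noise.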

  23. Re:Next wave of phishing? on Gmail Recognizes Addresses Containing Non-Latin Characters · · Score: 1

    No, they're not allowing gmail accounts to use non-ASCII local parts yet. However, mail to/from other domains can have non-ASCII local part and domain name. If that other domain allows a random user to create an account "róót", that's about the extent of the possible phishing.

  24. Re:I think it's reasonable, if it was accurate on Should Newsweek Have Outed Satoshi Nakamoto's Personal Details? · · Score: 1

    There is value. If the creator wrote it on his free time after working 30 years in a probably thankless job he couldn't tell his family about, there's hope for me to do something similar, or at least I should advise my sons to get a good education and a stable job. On the other hand, if he was a 15-year-old kid who flunked most classes in school and spent the majority of his nights playing video games, I'd better get my sons each a latest-model gaming rig, because that ship has sailed for me.

  25. Haven't had this issue with GMail, but with other on Ask Slashdot: What To Do With Misdirected Email? · · Score: 2

    My GMail (and Yahoo! as well) username is (first name)(middle name)(last name), all fairly common [in fact at my current employer there are multiple matches of (first name)(last name), and my father has the same (first name)(last name) as well], and I have not had this problem with either service. Perhaps using initials instead of full names is part of it; or your last-name may have different demographic connotations.

    I did, however, recently have that problem with a Comcast account. When the tech visited our home for installation, he created an account (first name)(last name)@comcast.net. I didn't actually give it out anywhere, yet within a few months it was filled with a hundred or so messages for someone in another state. I did try responding to one item that seemed moderately important, and whoever got the response [the help-desk of some organization] didn't seem to grasp that I had no connection with the intended recipient. Since I hadn't advertised it anywhere, it was easy to change the username, to (my first initial)(wife's first initial)(my last initial)(wife's last initial)(string of digits)@comcast.net. While this address appears to have been reused, apparently Comcast no longer allows address reuse; I tried using a previous ID that I had used a long time ago, and it was not available.

    Since you ask for advice, I recommend two courses of action:

    1. As long as you still have access to that address, when you receive anything that is clearly misdirected and potentially of high value, deal with it politely. Don't use a "form response", instead personalize the response to the content of the message. CC the intended recipient on the response, if you are able to divine who it is. Once you've dealt with the matter, delete the whole thread. For newsletters, try following an "unsubscribe" action, if that's not available mark as spam.
    2. Consider an exit strategy from your current e-mail address, no matter how much is attached to it. See the Google help posting "Change your username". For the new address, try a long nickname or full first name instead of first initial; or maybe add a string of numbers, a city your contacts will recognize, or a title. Give your important contacts plenty of advance notice, post the new address with the reasons you're switching [perhaps with a list of the confusing other identities as well] on your "old" Google+ profile. After a reasonable time (say six months or a year), delete your old account. Make sure you change your address at all the "various sites" you've registered at before doing so, in case you need to use a password reset function.