Slashdot Mirror


User: Cramer

Cramer's activity in the archive.

Stories: 0 · Comments: 3,954

Comments · 3,954

  1. Re:hey, you got your computer in my PLC on Researchers Create An Undetectable Rootkit That Targets Industrial Equipment (bleepingcomputer.com) · · Score: 1

    Unless they're programmed by paper tape, they will, at some point, be connected to some other computer -- directly (serial, ethernet) or indirectly (floppy, usb stick)

    Sure, 30 years ago one wrote their ladder-logic program on paper and keyed it into the PLC through a tiny keypad (that's only rarely attached to anything.) It was a major pain in the ass.

  2. Re:Let's Encrypt definitely helped... on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    With a self-signed certificate, the browser emits a warning alerting the user to question what they're doing. You will get that warning each time unless you install it in your personal certificate store. If the cert is later changed, it will differ from the one stored and you'll start getting warnings again. The certificate has no trust until you say so.

    With LetsEncrypt, the certificates are just as untrustworthy. The problem is, you don't know they're the idiots behind that lock. They're handed out like pez to anyone who can set a DNS record. Granted, they aren't the only ones with near zero vetting. Yet people are perfectly OK with LetsEncrypt's shenanigans. Let's see how OK things are when their bot is tricked into signing a cert for paypal or gmail. "Oh, it's only valid for 3 months", and "but we revoked it as soon as we knew about it"... how many lesser sites will be noticed and revoked?

    I'm not saying every site on the internet should be making their own certificates. However, given the absolute zero trust we can place in the whole CA web-of-trust, and browsers blindly accepting CAs that do nothing meaningful to ensure a certificate request is valid, maybe we should. People are too dumb to understand the closed green lock doesn't necessarily mean anything.

  3. Re:Needless bullshit on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    The JavaScript was silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics.

    It was just yet another "bad ad" hitting people. They didn't man-in-the-middle anyone's traffic to slip their code in. They didn't hack into thousands of websites to slip in their code. The ad network operators already used decided to push out malware instead of, or in addition to, a normal ad. This ALREADY happens all the damn time, except this time it was the ad network itself doing it and not one of their crafty customers.

    Someone rewriting traffic in transit is exceptionally rare. Because it's really hard to do.

  4. Re:Needless bullshit on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    For those playing along at home, this falls into the bucket of "I CANNOT TRUST MY ISP".

  5. Re:Let's Encrypt definitely helped... on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    Actually, they're WORSE. One script and you're set; run it from cron and your cert is always up-to-date.

    And no, they didn't get any browser to accept them. They got some other idiot CA to sign their intermediate CA, and *poof* browsers accept them now.

  6. Re:My personal web site does not support HTTPS on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    Create your own self-signed certificate. If your users want SSL, they can accept that certificate. Most browsers make it fairly easy to install an otherwise unknown/untrusted certificate.

  7. Re:Another reason to wipe the Chromebook on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 2

    If you run chrome from that fresh linux install, they'll get exactly the same stats from you.

  8. Re:Let's Encrypt definitely helped... on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    Right. Because a FREE, NON-VALIDATED certificate is 100% trustworthy. They are on par with a self-signed certificate. Only worse, because they won't trigger a warning from your browser. People who actually care about security do not trust their certificates.

    In fact, any "domain validated" certificate should, as Clarkson would say, make some poo come out. If I have control of your DNS, then I can easily man-in-the-middle your site; SSL doesn't prevent anything here. Thanks to Let's Encrypt, I can now get a certificate I control for your domain that passes through my server without throwing up any flags.

    (Yes. Slashdot is using their shit. And yes, my browser says "SITE NOT SECURE". Being slashdot, I don't care; in fact, a few days ago when they started using this crap, I had to add an exception. This site is the very definition of "does not merit encryption." How much money has Slashdot spent on crypto hardware or additional server capacity just to have a trendy "https" url?)

  9. Re:Needless bullshit on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 1

    Actually, EVERYTHING is pinned on #2. Unfortunately, the chain of trust for SSL certificates has been proven, over and over again, to be weak enough a toddler could toss a matchbox truck through it. The instant you get a browser to accept your certificate, the house of cards blows away.

    The simple truth is very little of the internet actually needs to be "protected" by SSL. Very few web sites are interesting ("valuable") enough to be worth the effort to divert or otherwise intercept their traffic. All SSL does is substantially increase the processing overhead for a site. (key generation is exceptionally expensive -- simple would be trivial to break.) And then there's the money expense of buying a trusted certificate. (which only perpetuates the lie inherent with #2 -- very little, if any, validation is done)

  10. Re:Needless bullshit on More Than 50 Percent of All Pages In Chrome Are Loaded Over HTTPS Now (onthewire.io) · · Score: 2

    99.9999999999999999999999999999999999999999% of "rewriting" attacks happen on the webserver itself -- i.e. hacks that insert crap into your swiss cheese wordpress blog. The remaining rounding error are the result of local malware on the web browsing PC -- i.e. the browser inserted that crap. I have yet to even hear of a nefarious operation inserting crap into live traffic. (yes, there have been ISPs with aggressive proxies that can (and did) insert/modify content. If you cannot trust your ISP, you have other problems that SSL won't always fix.)

  11. Re:African-American-sounding names on It's Harder To Get an Uber or Lyft If You're Black, Study Says (time.com) · · Score: 1

    Yes. Yes, I have ("do" - they're still alive.). And yes, they ARE actually African. For the record, some of them aren't "black". Being born in an African country is what makes you African. Being born in Africa and emigrating to the USA is what makes you an African-American. Your name and skin color have nothing to do with it.

  12. Re:Accidentally? on Teenager Accidentally Launches DDoS Attack On 911 Systems (softpedia.com) · · Score: 1

    Because you don't fuck with 911. He chose what number to "prank"; now the courts get to choose which orifice to rape.

  13. Actually, it's an IRC channel. But whatever.

  14. Bullshit. It happens all the time, all over the place. And yes, it's a measurable source of damage. If the "utilities" (comcast and at&t aren't utilities) put their stuff where they're supposed to, AND MAINTAINED IT, there would be far less need to mess with their shit.

    The entire reason for the complaints is to stack more red tape on Google's fiber expansion -- read: THE COMPETITION. And yes, they DO drag their feet on these requests.

  15. Re:Companies that never made money and never will on Twitter Plans To Cut About 300 Jobs As Soon As This Week: Bloomberg (bloomberg.com) · · Score: 1

    *cough*Google Datacenters*cough*

  16. Re:Technical Solutions on Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com) · · Score: 1

    That IS the point. How do you know who is being attacked? How do you trust that which is inherently untrustable? "Bob said he was under attack. I know Bob. Bob told me in person. And Bob never makes mistakes." Great. You trust Bob and are now filtering any attack traffic from your network. How do you get the other 7bil people on Earth to trust Bob (or you as proxy)? Coordination of the who's and where's is a MASSIVE issue. No amount of hand waving or snapping one's fingers will cause a solution to pop into existence. Any such system would be gamable as an attack vector itself.

    Plus, as I've said elsewhere, we can't get people to turn on technology that's been in the hardware for 20 years -- one command; computationally "free" as it's built into the forwarding hardware. What makes you think even 10% of the networks in the world would play ball? We have the mess we have today because everyone is free to run their network(s) however they please.

  17. Re:Companies that never made money and never will on Twitter Plans To Cut About 300 Jobs As Soon As This Week: Bloomberg (bloomberg.com) · · Score: 1

    I very highly doubt that. How many "youtube millionaires" are there? If youtube ads are generating that kind of cash for uploaders, it's making A LOT more for youtube. The only way they can be "breaking even" is by accounting tricks to hide money. (i.e. "buying" services from other parts of the company.)

  18. Re:There is a reason send/return pathes are not... on Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com) · · Score: 1

    And Bad Actors(tm) not inserting bogus hop data. At the end of the day, you cannot trust anything outside your own network. And you're suspicious of your own network.

  19. Re:Technical Solutions on Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com) · · Score: 1

    MAC's don't cross routers -- they're local, ethernet node-to-node addresses. My ISP(s) have no idea what devices I have inside my network(s). All they see is the one MAC of my router. (also, because I'm only allowed one device on the cablemodem.) ISPs would have to push filters into the customer's network, which they very likely cannot control. Plus, the filters would have to be changed regularly based on data from a non-existent "DDOS reporting/coordination center". (If I'm under attack, how do I alert every ISP on the planet? How do you authenticate that report? How do you prevent hackers from using such a service to create a DDOS?)

  20. NAT isn't the problem. STUPID PEOPLE are the problem... NAT'ing things that should be left isolated, and giving internet access to junk that doesn't even need to be connected privately. (and then there's the BS of UPNP. Sure, let's let any f'ing thing on the network make whatever holes it wants through the "firewall")

  21. quickly becoming obsolete anyway

    Not obsolete, per se, just ineffective. If you can get 100,000 devices to make 100 DNS queries per second, that's 10mil packets per second. There's little need to hide where they're coming from. Even if some of them get shut down, there are plenty more out there. Too damned many things that have no reason to be "connected" are sitting on the internet. There's zero security in their design, zero security in their setup, zero security in their use, and no g** d*** reason for them to be talking to the rest of the internet. It's even better when you look at the sheer volume of abandonware there is -- that cool networked thermostat [printer, coffee mug, etc] you bought last month? No longer the current model, and no longer supported (and never was.)

  22. Re: Ineffective on Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com) · · Score: 1

    And sadly, it's just more junk no one will bother to turn on. PEIP is completely new technology that would have to be built into routers, when we can't even get people to turn on what's been built into the hardware for 20 years!

  23. I suspect your "customers" need to find better ISPs -- i.e. stop running their business via a residential service. 200 almost identical pdf attached emails all at once is certainly going to raise a flag. To a residential ISP, it's simply 200 all at once that triggers action. Either run your own mail server on a true business line (TWC-BC ain't it) or pay someone else to host your email, and never relay anything through the ISP server(s). That does mean having your own domain and looking like a real company instead of "burgerlord_bob@aol.com".

  24. Re: Ineffective on Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com) · · Score: 1

    There are ISPs that do that. If they detect you sending SPAM (verified by a human), you get disconnected until you can prove the malware has been removed.

  25. BCP38 is useless in these cases ...

    Except for tracking back the infected devices. Or put another way, being able to trace back where the traffic is coming from to place filters where they would be most effective. DDOS attacks tend to be far less distributed than the name implies. Also, ultimately removing the infestation from those source networks/machines.

    and in contrast to the claims of these articles, are already widely deployed.

    *sigh* Except THEY. AREN'T. The last time I checked (a few years ago), none of my providers limited the source of my traffic. Earthlink, TWC, VZB, TWTC (now L3), ...