I find the "consume less power" claim a but surprising, given that vacuum tubes work by heating a piece of metal to white hot until it starts flinging off electrons. Sure, they're talking about making them very small, but the Apple A8 processor in my smartphone has 2 billion transistors. The heat from that many tiny vacuum tubes would add up.
Here's what the letters asked Yahoo! to hand over:
Subscriber name and related subscriber information
Account number(s)
Date the account opened or closed
Physical and or postal addresses associated with the account
Subscriber day/evening telephone numbers
Screen names or other on-line names associated with the account
All billing and method of payment related to the account including alternative billed numbers or calling cards
All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and or user names identified by you as belonging to the targeted account in this letter
Internet Protocol (IP) addresses assigned to this account and related e-mail accounts
Uniform Resource Locator (URL) assigned to the account
Plain old telephone
The names of any and all upstream and downstream providers facilitating this account's communications
The above-listed information from "inception of the targeted account to the present" if this request cannot be processed as presently written
We are not directing you to provide, nor should you provide, information pursuant to this letter that would disclose the content of any electronic communication. Title 18 United States Code 2510(8) defines content as "any information concerning the substance, purport, or meaning of" a communication. Subject lines of e-mails are content information and should not be provided pursuant to this letter.
Yes and no. I would not advocate changing operating systems simply because they "stopped being supported by the vendor more than a decade ago". After all, if your needs have been met for decades by something like MS-DOS 6.1 or Windows 3.11, what "support" would you be looking for from Microsoft today?
Physical devices are a completely different issue, however. Floppy drives and floppy disks WILL wear out and fail. Maybe these agencies have a stockpile of spares, or maybe someone is still manufacturing 8" floppies to sell to the government for an arm and a leg, but barring that, good luck sourcing replacements for your antique computer hardware when it fails.
I met Fyodor at a CanSecWest years ago. Wound up giving him a ride to Vancouver International airport. Had pleasant conversation and found him to be humble, intelligent, and likeable.
Canadian content laws have nothing to do with NF. They come into play when a company wants to acquire an OTA broadcasting licence, for example, where a limited number of stations can exist within a given spectrum. No such limitations exist on content delivered over the Internet.
The four main features in Outlook are Mail, Contacts, Calendar, and Notes, but for some reason apps like this don't support Notes. It's the same on my iPhone 6 Plus, I have to use a 3rd party app to sync Notes with Exchange.
I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.
Unlike humans, animals don't all depend as heavily on their sense of sight to interpret the world around them. Witness that wild animals will attack a decoy that is not at all realistic-looking. I suspect that a live bear being confronted with a realistic CG bear would be more confused by the lack of smell than by any visual imperfections.
I don't have the specifications for an MBR memorized, but I suspect that by knowing what information should be at specific offsets (or by experimenting with possible values), the person was able to perform something similar to a known-plaintext attack to extract the key. In any case, bravo!
I don't do a bunch of stupid shit, either. I don't let random web sites run javascript. I don't run "HotBabe.jpg.exe". In fact, I've never even run Windows on an internet connected computer...
When you're done patting yourself on the back, take a moment to consider that none of the things you mention address the issues of backdoors in hardware or weaknesses in prevalent encryption protocols.
...earlier today we got a Japanese AI that almost won a literary prize...
I quickly glanced at that Japanese AI story. I got as far as reading that the AI "co-authored" the work. YAWN. Get back to me when the AI does it on its own.
Your user's endpoints aren't secure. Locky and company work inside a user's context and do not need admin privs. Backup is the only thing that will save you.
THIS is absolutely correct. I have personally helped mop up after ransomware incidents on four occasions. Three of them were at the same company. You can moan all you want about users being clueless, but spear-phishing and similar tactics are becoming increasingly sophisticated and it is extremely hard to prevent ransomware attacks in some environments.
Kaspersky Endpoint Security includes a component named System Watch that can detect and stop ransomware behaviour, but that component doesn't get installed on server versions of Windows yet so it's no good for Remote Desktop servers. Not sure about other brands of AV.
I thought you were linking to some sort of security-related bugs. But these are just plain bugs.
You're making an interesting distinction. When the folks at OpenBSD (renowned for proactive security) audit their code, they intentionally avoid this distinction:
During our ongoing auditing process we find many bugs, and endeavor to fix them even though exploitability is not proven. We fix the bug, and we move on to find other bugs to fix. We have fixed many simple and obvious careless programming errors in code and only months later discovered that the problems were in fact exploitable.
As someone who doesn't use any features of a "Smart TV", I'm curious what the attack vector is?
"OK, I found this on the web for 'call an ambulance'. Take a look:"
Try again.
"given that vacuum tubes work by heating a piece of metal to red hot"
Does that make you feel better?
... you can do things like add two numbers together.
You mean like I was doing with /bin/sh 25 years ago?
Fly that geek flag proudly brother :)
... he said anonymously.
How much of the black media tax goes to artists in the US?
That is an excellent question. The organization in charge of distributing fees is The Canadian Private Copying Collective. Quoting from their Distribution FAQ (PDF):
Songwriters, music publishers, recording artists and record companies are all eligible to receive private copying payments. While songwriters and music publishers are eligible regardless of nationality, only Canadian recording artists and record companies may receive payments under current law.
So the answer is, if you're a songwriter or music publisher in the US, you may receive payments. If you're a recording artist or a record company in the US, then no.
Yes, yes. OneNote to rule them all.
Then I should upload them all to The Cloud, right?
yanked my Vizio's ethernet cable...
You could have stopped right there.
... hardcoded its Wi-Fi network address to 169.254.something, and added its MAC addr to my router's banlist.
It's a cable modem.
have had precisely zero security problems...
That you're aware of.
You had to install completely disconnected, disable a bunch of services, and then try to connect and download patches as quickly as you could...
Or you could perform the installation from behind a firewall that blocks inbound connections like a sane person.
You don't know what you're talking about. I have personally seen Windows 10 installed where a computer was left unattended. Nobody manually agreed to anything, and the EULA prompt was displayed AFTER Windows 10 was installed.