Slashdot Mirror


User: gad_zuki!

gad_zuki!'s activity in the archive.

Stories: 0
Comments: 4,622

Comments · 4,622

  1. Re:It's a bad thing. on College Credits For Trolling the Web? · · Score: 1

    Soon teachers will be required to wear this t-shirt:

    http://controversy.wearscience.com/design/devil/

  2. Re:It's unclear why this is a bad thing on College Credits For Trolling the Web? · · Score: 1

    >What ID brings to the table is a new reexamination of facts.

    No it doesn't, all it does is help overly religious people handle their cognitive dissonance. The scientific community does fine attacking each other's theories without a bizarre insertion of characters advocating young earth and magic. The idea that we need the religious to keep science honest is so ridiculous on its face, I will grant you an A+ on internet trolling for ID.

  3. Re:Good job this guys an asshole on The Outing of Pranknet · · Score: 5, Insightful

    I don't think so. I think once the phone calls start involving transfers of money and other stuff that sets off the alarm bells in people's minds then there's going to be an escalation or at least some kind of authorization. Sure, not all the time, but weird stuff like "put your pee in a cup and bring it downstairs" most people just say screw it and do it, but once you start involving credit cards, IDs, and cash they start to get suspicious.

    I suspect pranknet's success was largely based on the bizarreness of the requests. The ones that weren't bizarre were presented as emergencies (gas leak), so people took the voice on the phone as an authority out of fear. I doubt they are able to do much more than that. While social engineering is always going to be an effective attack, especially against low level service personnel, I doubt that SE alone can do that much damage as the employees themselves have very limited powers.

    What I find interesting about all of this is that it's like the Milgram experiment from the 60s with a modern spin. We see the corporate guy on the phone or the emergency guy on the phone as a real authority and pretty much do what he wants, even if it sounds 100% crazy. Perhaps this is a side-effect of what happens when an economy moves towards a service job model. Regardless, I'm sure many companies are reviewing their policies.

    Frankly, it's always bugged me that we have such a double standard with telephones. If I want to set off a command in a computer system I can expect at least one level of security, say username/password. On the phone we can use our social skills and say things like "It's Joe from corporate and I need you to do this ASAP" or "The boss wants this done now or someone is getting fired." I think phone calls should have some level of authentication, be it callerID or passwords. The way we do it now is straight from the 20s and 30s and is pretty ridiculous.

  4. Re:very disturbing on The Outing of Pranknet · · Score: 1

    What do you really expect from low level near minimum wage service personnel? No one wants these jobs so only the desperate take them. Would you want to answer the phone to complaints at a hotel at 3am?

    I dislike how the mention of pranknet brings up generalizations on how stupid people are, which is a belief that kept the pranknet people motivated. There are a lot of smart and clever people, and guess what, they're smart enough to not get stuck as front line service personnel.

  5. Re:Sunflowers aren't so bad on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    >And I disagree with you that there's nothing wrong with an ATM running Windows. In fact, I don't really know where to begin a response to that statement.

    Embedded windows isn't exactly a copy of unpatched XP. While I would like to see something a bit more hardened for ATM machines, let's not get hysterical. Bank policies what they are, most ATM problems are the bank's fault. They're really only hurting themselves if insecure machines, thus they have quite an incentive to lock them down. Not to mention most ATM hacks are little card readers glued to the front. No need for high tech solutions when low tech ones work just fine.

  6. Re:Sunflowers aren't so bad on Poor Passwords A Worse Problem Than Poor Antivirus · · Score: 1

    >On the other hand, if I put passwords to my important online services there (such as my bank account, 401K, etc.) I could find those assets gone forever.

    Don't put what they are for or the usernames on that sheet. Just make a crib sheet of your passwords. Knowing your password is "

    Heck, I don't even write them down just the variations or hints to myself like (wife + weight + dog). That sheet will be meaningless to them, but not to you.

    >The United States' banking system is horribly insecure at pretty much every level

    Heh, you must not travel much. I love how naive people here think the US is the worst thing ever in all things. I was just in a country where the credit rating is so poor that you can't wire money to any civilized country, so travelers carry large amounts of cash on their person to the airport. Thanks, but I'd rather get my debit card stolen in the US than beaten to death by a crowbar elsewhere because I look like I might be carrying cash to the airport. Not to mention, in many countries people don't even own their own computers they just go to the local net cafe which is full of keyloggers. I won't go into stuff like death sentences for drug mules or places that treat women like animals. Keep up the anti-US hate. It's hilarious!

  7. Re:My experiences on Linux-Friendly, Internet-Enabled HDTVs? · · Score: 1

    >d DON'T plan on using a wireless mouse or keyboard - those things are so range-crippled now that unless you are within a couple of feet of the receiver (and I mean that literally: less than 4 feet!) they won't work (and that's not some no-name keyboard: that's a Logitech).

    I have an el cheapo Microsoft wireless keyboard that gives me over 6 feet. At work I bought the IOGEAR long range wireless mouse/keyboard combo. Gets at least 20 feet, probably a lot more but I never bothered to check. Costs around the same price as a cheap wireless keyboard too.

    http://www.iogear.com/product/GKM541R/

  8. Re:Outrage calibration on Ubuntu's New Firefox Is Watching You · · Score: 3, Insightful

    >What about Bittorrent's "stealth" firefox add-on?

    Or the quicktime add-on that screws over the MIME settings?

    I really wish slashdot was a more even keeled place. It's anti-MS all the time, which takes away time from other offenders, many of which are much more serious.

  9. Re:Outrage calibration on Ubuntu's New Firefox Is Watching You · · Score: 3, Insightful

    Part of the problem, if not the larger problem, is the ability to install extensions in FF without being able to remove them. That's a FF feature. Why is it even there? The MS devs saw it and chose it because they probably didn't want end users screwing up .net too easily. If you want the power to do an easy GUI-based uninstall you need to tell the Firefox people to do so. That will stop further abuse of this feature.

  10. Re:Well the only fool proof way... on How Can I Tell If My Computer Is Part of a Botnet? · · Score: 1

    Or use a real switch with a port mirroring option. Or use wireshark installed locally. Regardless, this is remote support so he'll probably have to use some local options and the linksys log, netstat, etc. If he can manage a capture with wireshark then he's 99% of the way there.

  11. Re:Assume it is .. on How Can I Tell If My Computer Is Part of a Botnet? · · Score: 2, Insightful

    You're doing it wrong. Set your users to be users, not administrators. Give them permissions to exactly what they need and whatever special permission the applications they run need. Sure, it takes time at first, but once you figure it out then you're good for the rest.

    Or you can take the lazy man's approach and set them as power users, which is almost like an administrator, but selectively remove modify/write permission from c:\windows, c:\program files, and other critical areas. Less secure but a bazillion more times secure than just running as admin.

  12. Re:Don't use bootcamp, but I use Fusion on Windows Drains MacBook's Battery; Who's To Blame? · · Score: 3, Insightful

    It's typical slashdot two minutes of hate. I remember this issue being big news here and nowhere else with XP on boot camp. Apple updated some driver in boot camp then the issue went away. Considering 7 isn't even officially out yet, perhaps the haters should wait for some updates.

  13. Re:How about some nice menus instead? on Preview the Office 2007 Ribbon-Like UI Floated For OpenOffice.Org · · Score: 1

    Exactly. Considering awful user-hostile UIs are the hallmark of OSS, it's funny to hear people complain about the ribbon. Sure, all the stuff you've memorized doesn't apply anymore, but for the novice it's a very visual way of learning the software. Turns out that most computer users never get past the novice stage. I wouldn't be surprised to see more ribbon-like interfaces soon. It's really just a better way to get at all the features than text menus within text menus within text menus.

    As much as I respect OSS developers, I feel that UI takes the backseat and UI changes are seen with a nerd-like sneer of RTFM. This is one of the main reasons why we're seeing such a lack of OSS projects taken seriously. Hopefully this will change in the future and I'm anxious to see OO's take on this as OO really looks and acts like an office suite from 1995. Its ugliness and user unfriendliness hurts its adoption rate.

  14. Re:wrong kind of books on Navigating a Geek Marriage? · · Score: 1

    This is good advice. Considering that every marriage or LTR is unique it might be counter-productive to follow some set of "the rules." Whatever has worked for you two before marriage will continue to work after. I think getting hung up on what's popular in the self-help section will build a picture of marriage that probably doesn't apply to you, regardless if it's tailored for geeks or not.

  15. Re:Scary on California Student Arrested For Console Hacking · · Score: 1

    Slowly steered? I hate this idealizing the past fallacy. People like to assume things were better when they were children or before they started taking political things seriously. It's always been like this.

  16. Re:Hey North Korea! on 30,000-Lb. Bomb On Fast Track For Deployment · · Score: 1

    A war between the N and South would completely destabilize Asia. It would destroy or at least seriously damage the markets, thus at least putting your job and future into jeopardy. The US will immediately support the South, as it should, which will at least cost you tax dollars or if things get real bad, cost you being drafted.

    On top of that, a nuclear NKorea is destabilizing in itself. It's already turned itself into a nuclear bully, demanding aid and cash or else. I'm sure they are on the fast track to be able to hit the west coast with a nuke in a few years.

    >I should be afraid of a country that's technologically so far inferior to mine that even OUR military can blow the snot out of them?

    No military is going to defeat NKorea without massive damage and death to Seoul and the potential for a nuclear weapon to go off. I don't care where you live or who you are, that's bad for everyone.

  17. Re:GPL is not the definition of open on Microsoft Redefines "Open Standards" · · Score: 1

    I disagree. BSD is much more open and public domain is the most open of them all. Cheerleading the GPL gets you mod points around here, but you're still wrong.

  18. Re:Always possible they lost control of it instead on Has Conficker Been Abandoned By Its Authors? · · Score: 4, Insightful

    The idea with conficker was that it would generate thousands of websites and contact them for payload instructions. The security community registered a lot of these sites in advance, so it may be the case that these things are always trying to phone home but no one is answering.

    I also imagine that ISPs are blocking connections to servers they have identified as conficker controllers.

    My understanding is that there's some p2p aspect too, but it may not be operational. Heck, getting legitimate p2p working on a residential connection is a pain, let alone a known illegitimate one. Again, I'm guessing most ISPs are blocking this somehow.

    So the botnet may be up and running, but it cannot contact its masters. Eventually these PCs will be replaced or reimaged and conficker will be a statistical blimp a year from now.

  19. Re:Or maybe... on A Hypothesis On Segway Hate · · Score: 2, Informative

    I think you nailed it. As technology it's awesome and after spending an afternoon with one I was really impressed, but I still have a bitter taste in my mouth from all the crazy PR and hype on its release date. Everything was 'segway this' or 'segway that.' There was no intelligent discussion about the device, just marketing morons and tv personalities selling us on a few scripted marketing bullet points. Considering geeks don't want to be spoonfed media bullshit, it really meant that the people who were most likely to buy this thing and sing its praises were the most repulsed.

    I think the marketers didn't care, they assumed they could sidestep the geeky first adopters and move straight into municipal purchasers and the "I own a bmw and a lexus already why not get this too" crowd. Turns out things don't work this way. Their pricing also reflects this. Now it's just a novelty like riding a blimp or a unicycle. Perhaps we'll see some kind of competitor when the patents expire. A modular, hackable segway at a good price point might sell.

  20. Re:Easy Targets on Pakistan Used Google Earth For Military Targeting · · Score: 1

    Yes, everyone knows where they are, but now you don't know what's on the roof. Counter snipers? SAMs?

  21. Re:space shuttle cost on Panel Advises Longer Life For Space Station · · Score: 1

    >Well, this is a rational stance to take towards sunk costs ... if you have a time machine.

    Even NASA, on their fucking website, lists that price. I'd rather go with their method than some random pedant nerd on the internet, thanks.

  22. Re:One has to wonder... on Panel Advises Longer Life For Space Station · · Score: 1

    No, we are not neglecting it. Considering it's 500 million per launch, we need that money to pay for the new rocket. So if we don't launch for a couple of years, then the money we normally spend on the shuttle pays for the new program. Unless you have a few billion to donate, that is.

  23. Re:space shuttle cost on Panel Advises Longer Life For Space Station · · Score: 1

    Who cares? Taxpayers are paying an average of 450 million per launch. Whether this goes for fuel or for a promotion doesn't matter.

    Sure, you can massage the numbers all you like, but money taken from the tax payers and given to NASA is how we should be looking at it.

  24. Re:NSA anyone ? on MI5 Website Breached By Hacker · · Score: 2, Informative

    I doubt the NSA cares. Their public websites aren't hosted or even maintained by the people who do their cracking. They probably have a hosting service and if the site gets defaced or goes down, it's no big deal. It's not exactly sitting on some high security LAN.

    Websites are the low hanging fruit in the hacker community. It's like spray painting my garage. You can be a jerk if you want to, it's just not worth it to obsess over protecting said garage.

  25. Re:Wine? on Sandia Studies Botnets In 1M OS Digital Petri Dish · · Score: 1

    Yes, but which ones? Trojans just set to run in userspace? Is this any different than just running a million .exe's and not really infecting anyone or emulating a real infection vector?

    I don't see how, say, conficker would infect these machines. The RPC exploit doesn't exist in wine.