Slashdot Mirror


User: jimicus

jimicus's activity in the archive.

Stories: 0 · Comments: 7,388

Comments · 7,388

  1. Sad to say, I can believe it. on New "Spear Phishing" Attacks Target IT Admins · Score: 1

    I hate to say it, but there are a hell of a lot of "sysadmins" out there who couldn't admin their way out of a paper bag. I've cleared up the mess left behind by one or two.

    Not only do I believe these attacks will have a certain degree of success, I also believe the consequences for the sysadmins who fall for them won't be that severe. If they're stupid enough to fall for them I'd be astonished if they're running a tight enough ship for anyone to notice one more hole.

  2. Re:Not the first on UK Police Promise Not To Retain DNA Data, But Do Anyway · Score: 2, Insightful

    On the not so bright side, this won't stop the police from turning your life upside down if you happen to be unlucky enough to match someone else in their database - and I speculate that much of what you describe is not terribly well known to the lay person, which would mean that without a hell of a good alibi it could still be enough to get you convicted.

  3. Re:IT as a commodity on US Government Begins Largest IT Consolidation in History · Score: 4, Insightful

    > If you think this is going to reduce IT expenditure requirements, you have barely worked a minute in IT. When you outsource, you are simply paying someone else to do your job, plus profit, plus a gaggle of negotiators in middle management collecting their kickbacks, plus downtime costs because your business is less important to them than your business is to you (if you have enterprise e-mail and it has been down more than, say, GMail, you have done something very wrong)...

    I've worked in IT for... a few years. And I agree with the GP.

    See, the thing is that while huge organisations will continue to require significant IT infrastructure (either managed in-house or managed by an outside firm), huge organisations do not provide the majority of jobs in this world. The great majority of jobs are provided by SMBs. The really small SMBs have been outsourcing their IT for years - though "outsourcing their IT" probably translates to "get Dave's son to do it, he knows about computers".

    Slightly larger SMBs have been outsourcing their IT to some little company who thought they could earn easy money doing installation and support. Look in the yellow pages, you'll find hundreds of little companies offering services like this. Few of these little outsourcing companies are making serious money - there's simply too much competition in the market.

    Larger still SMBs (think medium rather than small, 40-200 employees) may have historically had a full-time IT person. But today there are dozens of companies offering outsourced Exchange, or you can sign up for Google for Domains and the price is so cheap that there is no way a single full-time IT person (even if you ignore their salary) can compete economically - never mind offering four or five nines uptime and spam filtering which doesn't leave people crying. Meanwhile, the cost of a single desktop PC is now so low that it's cheaper to have a spares cupboard containing enough spare PCs to re-equip an entire team at a moment's notice than it is to keep someone on staff to maintain them. Sure, they won't be particularly elegantly managed (there may not be a domain, antivirus may be totally forgotten about, they certainly won't have a standardised build) but let's be honest here - how many non-techies ever display any sign of caring about any of that? And business-specific niche software is frequently sold with a support contract anyway.

    Seriously - while anyone who takes careers advice from a stranger on /. probably needs their brains looking at, I'd say if you want steady employment with minimal risk of finding that not only are you redundant from your current post, supply and demand has made you worth considerably less since you last were job-hunting - get yourself a job in the public sector or get the hell out of IT.

  4. Re:Apartheid on How Slums Can Save the Planet · Score: 1

    I didn't mention Zimbabwe on purpose - largely because it seems a very complicated situation. If what we hear in the West is anything to go by, it is an absolute mystery to me how Mugabe is still in power. I can only assume he's paying his bodyguards in something other than Zimbabwean Dollars.

  5. You can find someone to agree with any POV on How Slums Can Save the Planet · Score: 2, Interesting

    Go back a couple of hundred years and you can find monographs written saying what a wonderful thing black slavery was.

    More recently, apartheid in South Africa provoked similar views - plenty of white South Africans didn't really see a problem with denying 80% of the population all sorts of rights.

    This is just another example of someone saying "I'm rich and the status quo works in my favour. I am therefore going to defend the status quo, even if that means spouting on about how wonderful it is that all these poor people live in such terrible conditions".

  6. Re:Ubisoft 20 years ago on The Awful Anti-Pirate System That Will Probably Work · Score: 1

    > Anyway, this just shows you that piracy has always been a problem for Ubisoft and other software publishers. Piracy is what ultimately killed the Atari ST and Commodore Amiga.

    I disagree. The Atari ST remained popular in niches it had carved out long after it had more-or-less died elsewhere. The problem was (and remains) that carving out a lucrative niche with computing is damn difficult, and if you're doing it on non-commodity hardware, someone whose product works on a bog-standard PC can add "Doesn't require you to invest in some unusual computer which costs $$$ and has precious little real benefit other than running one piece of software" to their list of selling points.

    Sooner or later that becomes an attractive selling point, and when it does the software developer who until now was basically providing the only reason for anyone to buy your hardware will port their product. Case in point: Sibelius.

  7. Re:Sweet spot on The Awful Anti-Pirate System That Will Probably Work · Score: 1

    Then it isn't an unmodified binary, which is the whole point of the post I was replying to.

  8. Re:Sweet spot on The Awful Anti-Pirate System That Will Probably Work · Score: 2, Informative

    > Which of course forces one to ask: if there was an analog to this in the PC world - some hardware DRM you could put on your machine and be done with the various software-based disc-check and network-activation schemes once and for all - would you install it?

    Such items have existed for years - they're normally called dongles or hardware keys, and they still exist for some very niche applications.

    Of course, the problem is that you're still running the application on a general-purpose computer so it's usually quite possible to defeat them - AIUI very few applications take the next step and actually have some vital bit of code executed on the dongle.

  9. Re:Sweet spot on The Awful Anti-Pirate System That Will Probably Work · Score: 1

    > It would not necessarily require modifying the binary, just opening it up in a debugger and viewing the encryption process. The binary could be left completely untouched and a server created to pass the client's authentication.

    How is the server going to present an SSL certificate which will probably have to be signed by Ubisoft's own internal CA?

  10. Re:He is looking at it wrong... on Should I Take Toyota's Software Update? · Score: 1

    In many cars with power steering, the steering is a lot heavier when the engine's cut, even when you're moving. It takes quite a bit of extra force to overcome the power steering pump, which obviously is a non-issue on a car without power steering.

  11. Doesn't really solve much though on Europe To Block ACTA Disconnect Provisions · Score: 4, Interesting

    All this means is that international lobbying doesn't have a nice easy single point they can go to in order to get similar laws to be enacted in all EU member states.

    Being as there is no EU-wide proposal to explicitly ban member states from imposing internet disconnection, it follows that the lobbyists will talk to individual countries instead.

  12. Re:Hunters.. on iPad Will Beat Netbooks With "Magic" · Score: 1

    > To keep other things similar, let's compare to a Mac. Why is the iPad less maintenance-heavy than a MacBook with the same exact usage model?

    Perhaps because it runs a totally different OS which is utterly locked down from the factory?

  13. Re:Feature, not a bug. on GoDaddy Wants Your Root Password · Score: 1

    PermitRootLogin without-password forces root logins to be authenticated using keypairs rather than a password - though the manpage isn't terribly clear on this point. It's actually more secure than PermitRootLogin yes (which allows both keypair and password auth).

    If you're going to permit root login remotely at all (rather than using sudo), it's the best way to do it.
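A small check for the setting the comment describes, added here as an example and not part of the original comment: it parses an sshd_config the way sshd reads it (keywords are case-insensitive, the first value for a keyword wins, and anything after a Match line applies only to matching sessions) and reports what root can actually do. Note that OpenSSH 7.0 renamed `without-password` to `prohibit-password` and kept the old spelling as an alias; the sample config, the default assumed for a missing keyword, and the host address in the Match block are constructed.

```python
"""Audit an sshd_config for what it actually permits for root logins.

Added example, not from the original comment. Assumptions: OpenSSH keyword
semantics as documented in sshd_config(5): keywords are case-insensitive,
the FIRST value seen for a keyword wins, and anything after a Match line
applies only to sessions that meet that Match criterion.
"""
import re

# What each PermitRootLogin value allows. "without-password" is the
# pre-OpenSSH-7.0 spelling; newer servers call it "prohibit-password".
ROOT_LOGIN_MODES = {
    "yes": "root may log in with a password or a key",
    "without-password": "root may log in with a key only (old alias of prohibit-password)",
    "prohibit-password": "root may log in with a key only",
    "forced-commands-only": "root may log in with a key only, and only keys carrying a forced command",
    "no": "root may not log in over SSH at all",
}

# Value assumed when the keyword is absent. OpenSSH changed the compiled-in
# default from "yes" to "prohibit-password" in 7.0; adjust for older servers.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> first value seen before any
    Match line; match_blocks is a list of (criteria, settings) in file order.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins; later ones are ignored
    return global_settings, match_blocks


def audit_root_login(text):
    """Summarise root-login exposure: global mode, its meaning, and Match overrides."""
    global_settings, match_blocks = parse_sshd_config(text)
    mode = global_settings.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN).lower()
    # PasswordAuthentication defaults to yes; keyboard-interactive auth via PAM
    # can also carry a password and is not modelled here.
    password_auth = global_settings.get("passwordauthentication", "yes").lower()
    return {
        "permit_root_login": mode,
        "meaning": ROOT_LOGIN_MODES.get(mode, "unrecognised value"),
        "root_password_login_possible": mode == "yes" and password_auth == "yes",
        "match_overrides": [
            (criteria, settings["permitrootlogin"].lower())
            for criteria, settings in match_blocks
            if "permitrootlogin" in settings
        ],
    }


# Constructed sample config (not a real host's file).
SAMPLE_CONFIG = """
Port 22
PermitRootLogin without-password
PasswordAuthentication yes
# The next line is ignored by sshd because the keyword already appeared above.
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for key, value in audit_root_login(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Running it against the sample reports `without-password` globally (key-only root login), no password login for root, and one Match override that re-enables `yes` for the 10.0.0.0/8 range, which is exactly the kind of later-in-file surprise a quick `grep PermitRootLogin` would miss.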

  14. Re:HA! on Scaling Algorithm Bug In Gimp, Photoshop, Others · Score: 1

    > and Linux?

    And Linux (or, more accurately, X plus your desktop environment) allows you to specify precisely how you want everything rendered in excruciating detail.

    There is precisely one person on the planet who cares about this. Everyone else complains that the font rendering looks like arse. Which it does because no effort has been made to ensure that when in doubt, sensible defaults are used. The author didn't bother because - well, what's the point when the user is obviously going to configure it to their liking anyway?

  15. Re:How to solve this for good on Criminals Hide Payment-Card Skimmers In Gas Pumps · Score: 2, Insightful

    Would redeveloping chip & pin to solve the known issues and rolling out new terminals cost significantly more than the anticipated losses through fraudulent chip & pin transactions? Because as far as the bank is concerned, if the losses they have to eat are £100,000 per annum but the extra cost is in the millions, it'll be a long time before they can justify the investment.

  16. Re:Devil's advocate on Gates and MS Don't See Eye-To-Eye On CO2 · Score: 1

    > And we're worried about Nuclear? Why exactly?

    Same reason people vote expecting change.

    Because it's a lot easier to believe a figure you have mentally associated with authority than it is to research and find out for yourself.

    Having said that, one could argue that environmentalists are taking the word of a few eco nutjobs but why should they believe you as a random /.'er that nuclear power is the way to go? What sources did you use to reach that conclusion and why should anyone trust that these sources cover the most pressing aspects?

  17. Re:The real story here on Federal Judge Orders Schools To Stop Laptop Spying · Score: 1

    Sit down, QuantumShift. There's something important to tell you.

    If you think the school is paying anywhere near the retail price on those macbooks - and there is no nice way to say this - if you really think the school is paying anywhere near retail price your brain has almost certainly turned to cream cheese.

  18. Re:How to solve this for good on Criminals Hide Payment-Card Skimmers In Gas Pumps · Score: 2, Informative

    Wow, what an amazing and original idea. You should sell it to Mastercard - you'd make a fortune.

    Oh, wait...

  19. Re:The problem is Bob on How Banker Trojans Steal Millions Every Day · Score: 2, Informative

    Trojans have moved on a bit since a couple of years ago.

    You no longer need to be an utter moron or surfing to some dodgy websites to get infected. It's not unknown for rooted webservers to be serving up a side order of drive-by download (I have actually seen this happen on a respectable retailer's website).

    It no longer sticks out like a sore thumb - you won't, for instance, find that attempting to point your web browser at www.symantec.com mysteriously doesn't work.

    Your PC doesn't slow down to a total crawl.

    You don't find something which looks a little bit like your bank's login page on an unsecured website registered in China. Instead, a keylogger takes the details from your keyboard when you visit the real website and ships them on.

    Even if you have up to date AV software, it doesn't necessarily detect the trojan.

    In short, the malware authors have upped their game considerably and the security industry is playing catch-up.

  20. Re:News? on How Banker Trojans Steal Millions Every Day · Score: 1

    > Sure, but it's a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdrawal of $XXX on X day.

    Even if you have good reason to believe John Smith knows your PIN, proving it is going to be next to impossible.

    First you have to persuade the bank that someone else knows your PIN through no fault of your own. How do you prove this to the satisfaction of a huge organisation which is set up at every level to assume that this is physically impossible?

    Next you have to convince them that not only did someone else find your PIN, that someone was one of their staff. As opposed to, say, the postman who's on a low wage and sees credit cards and PINs in his bag every day.

    Next you have to persuade them to do one of the following:

    • Admit that their systems are not perfect - there is a possibility that John Smith could indeed have got the PIN.
    • Give you sufficient access to determine this for yourself.

    Next you have to get somebody sufficiently high-up in the bank to read what you have to say and take it seriously. Though by this point the bank has already either refunded your money or asked the police to investigate what they perceive as you attempting to defraud them of the money.

  21. I'd be surprised if it's anything less than 100% on 75% of Enterprises Have Suffered Cyber Attacks, Costing $2M+ On Average · Score: 5, Informative

    I seriously doubt Symantec are only counting "concerted attacks from a single origin with a specific target in mind". More likely they mean "opportunistic attacks".

    So, to /., I say:

    • Raise your hand if your company consists of more than a handful of people.
    • Keep your hand up if your company has an internet connection.
    • Keep your hand up if you roll out managed AV software to all desktops and monitor it religiously (including checking for PCs which haven't been seen in a while).
    • Keep your hand up if every PC and every server has a full-blown firewall running locally which blocks all incoming traffic except for what you know for a fact you need.
    • Keep your hand up if you filter spam (either yourself or through a third-party service).
    • Keep your hand up if your filter successfully excluded 100% of all phishing and trojan-link-spreading emails over the last year.
    • Keep your hand up if your web access is filtered on a default-deny basis (i.e. staff can only access pre-approved sites).
    • Keep your hand up if your web access is through a proxy which blocks the download of executables, ActiveX, Adobe PDFs, encrypted files (who knows what's in them?) and JavaScript.
    • Keep your hand up if you update all your PCs (including laptops, even if offsite) within 24 hours of the discovery of any security flaws in client software.
    • Keep your hand up if your switches only allow connections from pre-allowed MAC addresses.
    • Keep your hand up if you have done all of the above and still your staff are happy with the service you provide and don't try and work around you at every opportunity.

    Those of you who still have your hand up, well done. You've done just about all that is possible to secure your network short of giving everyone dumb terminals and your internal customers are delighted with everything you do.

    Everyone else will see an attack from time to time. The whole point of security is that you have several layers so any attack won't get far.
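The two proxy items on that list (default-deny site access, and refusing executables, ActiveX, PDFs, encrypted files and JavaScript) come down to a per-response decision. The following is an added example of that decision logic, not code from the original comment: the host must be on an approved list, then the extension, the declared content type and finally the actual bytes are checked, because a header can claim anything. The approved hosts, the URLs and the ZIP bytes are constructed; the encryption check reads the general-purpose flag of the first ZIP local file header, which is the only thing that distinguishes a password-protected archive at the byte level.

```python
"""Default-deny web proxy policy of the kind the checklist describes.

Added example, not from the original comment. It models the decision a
filtering proxy makes per response: the host must be on a pre-approved list,
and executables, ActiveX controls, PDFs, JavaScript and encrypted archives
are refused even from approved hosts. Host names and lists are constructed.
"""
import os
import struct
from urllib.parse import urlparse

# Constructed allow list; a real deployment would load this from policy.
ALLOWED_HOSTS = {"intranet.example", "supplier-portal.example"}

BLOCKED_EXTENSIONS = {".exe", ".msi", ".dll", ".scr", ".cab", ".ocx", ".pdf", ".js", ".jar"}
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
    "application/x-oleobject",          # ActiveX control
    "application/pdf",
    "application/javascript",
    "text/javascript",
}


def zip_is_encrypted(data):
    """True if the first ZIP local file header has the encryption flag (bit 0) set."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    general_purpose_flags = struct.unpack("<H", data[6:8])[0]
    return bool(general_purpose_flags & 0x0001)


def proxy_decision(url, content_type="", body=b""):
    """Return ("allow", "") or ("deny", reason) for one HTTP response."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host not in ALLOWED_HOSTS:
        return ("deny", f"host {host!r} is not on the approved list")
    ext = os.path.splitext(parsed.path.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return ("deny", f"extension {ext} is blocked")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type in BLOCKED_CONTENT_TYPES:
        return ("deny", f"content type {media_type} is blocked")
    # Headers lie, so also look at the bytes. "MZ" is the DOS/PE executable magic.
    if body[:2] == b"MZ":
        return ("deny", "body starts with an executable header")
    if zip_is_encrypted(body):
        return ("deny", "encrypted archive cannot be inspected")
    return ("allow", "")


if __name__ == "__main__":
    # Constructed responses; the ZIP bytes are a minimal local-file header.
    encrypted_zip = b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22
    for args in [
        ("http://unlisted.example/page.html", "text/html", b"<html>"),
        ("http://intranet.example/tools/setup.exe", "application/octet-stream", b""),
        ("http://intranet.example/download", "application/octet-stream", b"MZ\x90\x00"),
        ("http://intranet.example/files/a.zip", "application/zip", encrypted_zip),
        ("http://intranet.example/index.html", "text/html; charset=utf-8", b"<html>"),
    ]:
        print(args[0], "->", proxy_decision(*args))
```

Plain archives pass here, as the checklist only names encrypted ones; a proxy that also unpacks archives and re-runs the same checks on each member closes the obvious gap of an executable inside a zip.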

  22. Re:Chained to IE6 on Why You Can't Pry IE6 Out of Their Cold, Dead Hands · Score: 1

    Or you have a proxy which demands authentication and applies a different policy based on who logs in.

  23. Re:Chained to IE6 on Why You Can't Pry IE6 Out of Their Cold, Dead Hands · Score: 1

    Transparent proxies can break some things - but any half-competent firewall admin could easily disable all outgoing traffic except that from approved servers - and the web proxy would be allowed out on port 80. The only problem is SSL.

  24. Re:Chained to IE6 on Why You Can't Pry IE6 Out of Their Cold, Dead Hands · Score: 2, Interesting

    > Like it or not, for big IT, these are must haves:

    Let me just say, I agree that third-party browsers need to support group policies before big businesses will take them seriously but if the business depends upon...

    > Ability to specify proxy servers and prevent users from modifying them?

    to guarantee people only get on the web using the Approved Method, they're Doing It Wrong.

  25. Re:My biggest problem was on Which Linux For Non-Techie Windows Users? · Score: 1

    In Linux, any user can:

    - Run an application at login.
    - Leave applications running when they log out.
    - Set up an application to run every X minutes.
    - Have an application dig through their data looking for juicy tidbits (such as online banking details)
    - Email a random address with such tidbits - in fact, there's usually an application installed which makes this trivial to script with no visual clues of it being done.

    The security achieved by not running as root simply makes it harder for malware to screw around with system files. But you can do all the above without running as root, so all a malware author would need is to find a suitably exploitable bug in Firefox and away they go. Once they've got their own code running, they can look for local privilege-escalation exploits to get root access but for much of what they may want to do it's simply unnecessary.
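Since none of those actions need root, a defender's audit of a user account has to look at the user-level persistence points the comment lists rather than at system files. The following is an added example, not code from the original comment: it parses a user crontab (as printed by `crontab -l`) and XDG autostart `.desktop` entries into one inventory and flags commands that reference tools able to send data off the machine, that live in hidden dot-directories, or that wrap an inline `sh -c` command. The crontab, the `.desktop` file, the paths and the addresses are all constructed, and the flag rules are this example's own heuristics rather than any tool's.

```python
"""Inventory of user-level persistence points, as a defender would audit them.

Added example, not from the original comment. It parses the two mechanisms the
comment lists (a user crontab and ~/.config/autostart/*.desktop entries) into
one list and flags commands worth a second look. All samples are constructed.
"""
import os
import re
import shlex
from dataclasses import dataclass, field


@dataclass
class PersistenceEntry:
    source: str            # "crontab" or "autostart:<file name>"
    trigger: str           # cron schedule, "@reboot", or "login"
    command: str
    flags: list = field(default_factory=list)


# Tools that can ship data off the box (the comment's "email a random address").
NETWORK_TOOLS = {"mail", "mailx", "sendmail", "curl", "wget", "nc", "ncat", "ssh", "scp"}
HIDDEN_PATH = re.compile(r"(^|/)\.[^/]")                      # path component starting with "."
INLINE_SHELL = re.compile(r"(^|/|\s)(ba|da)?sh\s+-c(\s|$)")   # sh -c "..."
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")          # @reboot-style or five schedule fields


def flag_command(command):
    """Return a list of reasons this command deserves review (empty = nothing seen)."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return ["unparseable-command"]
    flags = []
    if {os.path.basename(t) for t in tokens} & NETWORK_TOOLS:
        flags.append("network-capable")
    if any(HIDDEN_PATH.search(t) for t in tokens):
        flags.append("hidden-path")
    if INLINE_SHELL.search(command):
        flags.append("inline-shell")
    return flags


def parse_crontab(text):
    """Parse `crontab -l` output; skips comments, blank lines and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        trigger, command = m.group(1).strip(), m.group(2).strip()
        entries.append(PersistenceEntry("crontab", trigger, command, flag_command(command)))
    return entries


def parse_autostart(name, text):
    """Parse one XDG autostart .desktop file; Hidden=true means the entry is disabled."""
    in_entry, exec_cmd, hidden = False, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
            continue
        if not in_entry or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "Exec":
            exec_cmd = value
        elif key == "Hidden" and value.lower() == "true":
            hidden = True
    if exec_cmd is None or hidden:
        return []
    return [PersistenceEntry(f"autostart:{name}", "login", exec_cmd, flag_command(exec_cmd))]


def inventory(crontab_text, autostart_files):
    """Combine both sources; autostart_files maps file name -> file content."""
    entries = parse_crontab(crontab_text)
    for name, text in autostart_files.items():
        entries.extend(parse_autostart(name, text))
    return entries


# Constructed samples (not from any real host).
SAMPLE_CRONTAB = """\
# user crontab
MAILTO=""
0 9 * * 1-5 /home/bob/bin/backup.sh
*/10 * * * * /home/bob/.cache/.x/scan.sh | mail -s report someone@example.invalid
@reboot nohup /home/bob/.local/share/helper >/dev/null 2>&1 &
"""
SAMPLE_AUTOSTART = {"updater.desktop": """\
[Desktop Entry]
Type=Application
Name=Updater
Exec=/bin/sh -c "/home/bob/.local/share/helper --sync"
"""}

if __name__ == "__main__":
    for e in inventory(SAMPLE_CRONTAB, SAMPLE_AUTOSTART):
        print(f"{e.source:28} {e.trigger:14} {e.command}  {e.flags or ''}")
```

On the sample, the daily backup line comes back clean, the ten-minute job is flagged both for `mail` and for its dot-directory path, the `@reboot` line for its hidden path, and the autostart entry for both the hidden path and the `sh -c` wrapper. Running the real thing means feeding it `crontab -l` output and the contents of `~/.config/autostart/` for each account, which is all ordinary, unprivileged reading.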