The requirements for issuing a warrant are much less stringent than for a court conviction —
No argument, and that was not the point. The point was/is that there is a minimum bar for getting a warrant, and unless there is something life threatening a judge would not issue a warrant on something like hearsay. Doing so would clearly bring up 4th Amendment issues. From a Law enforcement standpoint, premature warrants inhibit (and often prevent) searching for other criminal activities. So not only will they risk losing a case because of a lack of evidence, they let alleged criminals know that they are being watched.
The above does not even include the previously mentioned issue regarding the landlord with the keys problem.
But in either case — be it landlord or e-mail service provider — a judge may issue a warrant if he agrees with the police that probable cause exists, even if they all remain reasonably doubtful.
No argument with that either, I will however reinforce what I started with. Hearsay is not enough to get a warrant in the majority of cases where a warrant is being sought.
In the US "investigation" is not something the judge (or the jury) does. Police investigate and then present whatever they found.
A judge can refuse a warrant and provide the grounds required for law enforcement to obtain a warrant. If I implied that the judge would have to go out and see things for himself, my apologies. A judge is fully within their rights to say "You lack evidence and will need to provide more to get a warrant". Good judges do just this thing, and can provide details. "If you want a warrant for searching for drugs you need more than hearsay."
Oh, but they are consistent. The e-mail provider finds (what appears to be) criminal material and forwards it to police — the "tip" mentioned in the headline. Police take the material to a judge, who issues a warrant for a search (in Google's case [businessinsider.com]) or arrest (in Microsoft's case [bbc.co.uk]). Police arrest the subject and get him to incriminate himself (in Microsoft case) or search the suspect's possessions and find more criminal material.
Assuming the suspect has a lawyer, and the only evidence presented is from either Google or Microsoft, I would tell the client not to plead and to demand a trial. With no additional evidence, the trial would never be able to convict the person. End of case, and a whole lot of people just wasted a lot of time.
Now _IF_ there is additional evidence (and it seems like there is) then Microsoft and Google did not cause the person to get arrested. That is just a publicity statement. Good police work is what caused the people to get arrested.
The last point is this: If what the headlines said is true, then any lawyer worth their salt would be able to have the criminal out and free without much difficulty. If it's not true, then what is the point in making such a false claim? In that regard I'm probably a bit too cynical, but nobody in their right mind should be trusting any of these large companies' services. There is a whole lot of disinformation and questionable activity here.
Read TFA and this one. If you believe that "science" has become altruistic and above corruption, you simply have not been paying attention to science. Sure, there is some good science, but there are always crap programs as well. Many of which are performed at the direction of our Government. You know, the same people that won't fund NASA but can waste money trying to figure out if you are a sociopath by your tweets (and that's not the worst waste of science funding, just an easy target).
Exactly zero, which is the technicality you are trying to argue makes it okay for us to spy on everyone. You can try as many of those as you want to, and my answer will be the same. The spirit of the Constitution is to limit Government powers. Why not go read how many amendments actually refer to "citizens" as opposed to people. After that, go re-read those that do not mention citizens and realize that those amendments cover _ALL_ people including non-citizens.
Excellent points, and thanks for the courteous dialogue that is often lacking here!! I'm going to re-arrange your comments a bit, no offense intended.
That's right. However, if the cops use the landlord's testimony to get a warrant to search your office — and find drugs there — then that would be perfectly admissible evidence...
As mentioned, I am not a lawyer, so it's possible that a judge would provide a warrant on something like this. I find it doubtful however, because there is a single source making a claim.
Law enforcement should surely investigate, but unless there is something life threatening a judge would be foolish to give a warrant for a hearsay accusation. Obviously a kidnapping (as well as other crimes) may impel a judge to issue a warrant without an investigation, but those circumstances are certainly rare because they may not hold up in court as Constitutional.
This is how things normally work in Law enforcement. Someone reports a crime, police begin to investigate, if something is found the suspect is apprehended and arrested.
The last was not to be sarcastic, I realize this is common knowledge and you are most likely well aware of how things should work. The point is to emphasize that if they went from "report" directly to "arrested" we would have a tremendous amount of innocent people in jail (much more than we currently do). Skipping those two center steps appears to be what Microsoft did, and _is_ what Google did.
I see, that's good to know. However, in these cases, the third-party-provided evidence was used not in court, but to get a warrant to search elsewhere.
Well, it is relevant to your earlier claim: "They are not a Law enforcement agency and have no right to read through customer data on their own accord". I suspect they do have such a right — even if the results of their "reading through" are not usable at a trial.
The second quote goes to your first. I have not thoroughly investigated how things were handled, so could easily be confusing the Google case with the Microsoft case. If this was only an "investigation" resulting from evidence it would not meet the headline, but surely is plausible. I'll need to read more on these proceedings because there is surely a mismatch between your statement and the headline. No offense intended to you or the reporting agency in TFA, but I have to see actual court records. Misinterpretation is extremely common, and in fairness it's often unintentional.
And I say "your" because you at least appear to be shilling for someone and not actually individuals. I fully admit that is a speculation, but a fair one given that not a single person who defended the GP has been willing to debate my points.
So now you claim that the only way to have any knowledge is by working for a specific company, almost as good as your previous point. A person that understands math can look at a person claiming "I made 1+3=5" and say they are wrong. It does not take specific corporate knowledge to know that someone made an impossible claim, it takes knowledge of the subject matter.
Am I being pedantic? Perhaps a bit, but not entirely. That specific group still does not go away, they are there every day trying again from a new set of IPs (if not sooner). Google's ability to notice and react to the attacks is not the same thing as making them "go away" as GP stated.
I have no problem with people talking about their accomplishments, hell even a bit of embellishment every now and then is fine. False claims are in a different category in my opinion.
Really the issue is the inability to remember multiple passwords for the average person (or the inability to want to remember them).
Well, there is another statistics issue to consider then. Let's say you use math as your password, like "N=6*24/tan(lb)". Nice strong 14-character password, right? If you changed N to I, you have changed your password enough to defeat a brute force attack and only changed 1 character of your password. It's not like a computer can brute force the last characters, or the first characters. The brute force crack needs to break the "whole" password.
Extend the same statistics problem, and if you use "lb" for banking but replace that with "pp" for email you have 2 strong passwords that are similar enough for you to remember yet strong enough that brute force won't catch up.
Every couple of years, you scrap that math problem and create a new one. Change the position of your bank/email markers, and you are staying pretty damn secure.
Sure, 1 lucky shot is all a hacker needs, but a 14-character strong password has a 1 in 3.4e+38 chance of being guessed.
IANAL, but I know enough that if a third party is in the custody chain of evidence, the evidence becomes inadmissible in court. Someone gave a good example in the Google discussion. Paraphrased: Your landlord with keys to your apartment calls the cops and claims he found drugs in your apartment, opens the door for the cops and shows them where the drugs are. That will not hold up alone in court to convict anyone for having drugs. Even if the person had the drugs and the landlord did not plant them, the person charged has plausible deniability.
Whether Google or Microsoft have an EULA that claims they can snoop through your data as often as they want is not relevant. A jury must not have any reasonable doubt when issuing a verdict. The landlord with keys introduces doubt, so charges should never stick and cases should simply be tossed out by judges (and often are).
block logins with bulk-stolen passwords so successfully that they went away.
Maybe English is not your first language, but I doubt that to be true. That statement at least implies that Google no longer suffers from brute force attacks.
You then reinforce that same false claim in the post I'm commenting to now.
Google was able to stop these attacks so effectively the people behind them gave up
No, they didn't. You may have deterred a lot of them, but I'd bet a year salary that Google still experiences a measurable number of attacks every day.
Look, I freely admit that huge leaps can be made with security. I have worked in IT Security for a quarter century. Neither you nor Google can do what nobody else in the market can do and make hackers simply go away. The amount of attacks, even with exceptional security, will always be proportional to the size of your internet footprint, so Google is attacked a whole lot.
I'm not trying to knock you, or the progress Google made. I'm simply pointing out that the verbiage used is making a false claim. Reducing attacks by 99% is reasonable, reducing 100% is impossible. The only way to get 100% threat reduction is to isolate the host away from outside connectivity.
"Legal" activities in terms of a technicality, not "legal" in terms of the spirit of law (which includes the US Constitution). You really should learn the difference, because the former is why we are having such severe problems in the USA.
If changes are needed to the Constitution there is a process for changing it, very clearly defined in fact. Bypassing the law or ignoring the law because someone does not like the Constitution is illegal, period.
Looking at who benefits is always a worthwhile pursuit. A company benefits, selling what appears to be FUD. US Government benefits because they have recently been blaming everything on Russia.
What is not happening? Nobody is going to jail over computer espionage act (or any other law allegedly violated). In fact there is no criminal investigation at all mentioned. No facts available to verify the alleged "stolen credentials", and the only way to even glimpse said data is to provide your information to some company that is an unknown in the security community.
I'll have to dig later, but I'm curious who the owner of this company is and who they are tied to. Surely a coincidence, but this comes out right after former NSA Director claims he's worth a million a month in consulting, working on over a dozen "IT Security" patents, all for his brand new private business. That may not be a rat, but sure has that "rodent" like smell to it.
At best, this is a company trying to profit off other people's pain. No thanks, I'm not buying anything they are selling.
Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away.
Um, no you/they didn't. I work at an ISP, smaller than Google, and am constantly blocking various attacks. Every time one method gets blocked, we find new ones. Yes, this is for IMAP/POP over SSL just like Google (and I block numerous other attacks because we provide numerous services).
You may have stopped many of the attacks, or even most of the attacks, but not _all_ attacks. The most difficult to block are the attacks by Governments, and you can tell they are Governments by the complexity of attacks and amount of resources used in these attacks.
Script kiddies are easy to block, but real hackers are changing tactics as often as we find them and block them. If the real hackers find a method that works, the method will eventually get migrated to the Script Kiddie toolkit.
Google and Microsoft are going through your private data because of power and control. They also receive Government incentives to do so, so gain cash as a side effect. Any claim of altruism is either a delusional fantasy or sock puppetry.
Just as I said about Google doing the same thing the other day, Microsoft is WRONG to do this. They are not a Law enforcement agency and have no right to read through customer data on their own accord. With a warrant from a court, different story, because that is the legal process. Further, it should not be a company/corporation reading through the data but law enforcement agents. This would help to ensure that evidence is handled properly.
A point to consider is that it has become trivial to inject files into your computer without your knowledge. With all of the back doors we know about, reports like this should be raising all kinds of alarms.
I'll warn you before you reply to save the "save the children" fallacies. I am willing to bet I have more knowledge than you in rhetoric.
Wait. Why would you need an AIX box or even permanent lockout? Answer: You don't need any such thing.
Native Unix LDAP supports time duration locking, it does not have to be permanent, and works with all NSS_LDAP libraries. I have run Servers of all types and Linux clients of all flavors (AIX, Solaris, HP-UX, RHEL, Ubuntu, etc..) and never had to permanently ban accounts for well over a dozen years (Early implementations were not as good as later, but still worked very well).
The majority of server side services (E.G. sshd) can idle for N seconds between auth attempts.
Assuming your servers are running like they should, permanent lockout is never really needed. On LDAP Servers I generally configure the policy to lockout an account for 30 minutes, not permanently.
You are never going to prevent all brute force attacks, and attempting to do so is idiocy. You want to deter them, which can be done in numerous ways. Stacking deterrence methods becomes extremely effective.
Do you really think a hacker is going to try for a 4th attempt, see that the account is locked, and keep trying after that? The answer to that is Hell no, the hacker will move to the next target and hope it's easier. He may come back tomorrow and try again, but after seeing account locks they will quickly move on to easier prey. Easier prey is everywhere...
Obviously deterrence won't fix everything, but there is no solution that is perfect. I can spoof biometric data as easily as brute force cracking passwords. I have found IPs trickling brute force attacks at extremely low rates, 1 every 4 hours for example. Your Auth subsystem does not find or fix these as much as having a good set of tools and admins that are monitoring what is happening in your environment.
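Added example, not code from any post in this thread: the temporary lockout policy described above (lock for 30 minutes after a small number of failures, never permanently) replayed over constructed sshd "Failed password" lines, plus the separate per-source check the last paragraph calls for. The policy alone never trips on a source that sends one guess every 4 hours, because its failure counter resets long before the threshold is reached; grouping failures by source address over a week does catch it. The log lines, addresses (RFC 5737 documentation ranges), year and thresholds are all assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumed values matching the thread's description: lock after the
# third failure, lockout lasts 30 minutes, failures are counted per 30-minute window).
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(minutes=30)
FAILURE_WINDOW = timedelta(minutes=30)
LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for parsing

# OpenSSH "Failed password" line, with or without "invalid user".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


class LockoutPolicy:
    """Per-account temporary lockout, the way an LDAP ppolicy or pam_faillock behaves."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure timestamps
        self.locked_until = {}              # account -> datetime the lock expires

    def attempt(self, account, ts, success=False):
        """Return 'locked', 'ok' or 'fail' for one authentication attempt at time ts."""
        until = self.locked_until.get(account)
        if until is not None and ts < until:
            return "locked"
        if success:
            self.failures[account].clear()
            return "ok"
        recent = self.failures[account]
        recent.append(ts)
        while recent and ts - recent[0] > FAILURE_WINDOW:  # forget stale failures
            recent.popleft()
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = ts + LOCKOUT_DURATION
            recent.clear()
            return "locked"
        return "fail"


def parse_log(lines):
    """Turn sshd failure lines into {ts, user, src} events, sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            events.append({"ts": ts, "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def replay(events):
    """Run every failure through the lockout policy; outcomes per account, in order."""
    policy = LockoutPolicy()
    outcomes = defaultdict(list)
    for e in events:
        outcomes[e["user"]].append(policy.attempt(e["user"], e["ts"]))
    return dict(outcomes)


def slow_sources(events, min_total=20):
    """Sources with many failures overall that never put enough into one
    FAILURE_WINDOW to trigger the lockout: the 'one guess every 4 hours' case."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        burst, j = 0, 0  # largest number of failures inside any single window
        for i, t in enumerate(stamps):
            while t - stamps[j] > FAILURE_WINDOW:
                j += 1
            burst = max(burst, i - j + 1)
        if len(stamps) >= min_total and burst < LOCKOUT_THRESHOLD:
            flagged[src] = len(stamps)
    return flagged


def make_sample_log():
    """Constructed log: one source trickling a guess every 4 hours for a week,
    one noisy source that fires five guesses in five minutes."""
    base = datetime(LOG_YEAR, 3, 10, 0, 0, 0)
    lines = []
    for i in range(42):  # 6 per day * 7 days
        ts = base + timedelta(hours=4 * i)
        lines.append(f"{ts:%b %d %H:%M:%S} host sshd[101]: Failed password for root "
                     f"from 203.0.113.7 port 5000{i % 10} ssh2")
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%b %d %H:%M:%S} host sshd[102]: Failed password for invalid "
                     f"user admin from 198.51.100.9 port 60000 ssh2")
    return lines


if __name__ == "__main__":
    evts = parse_log(make_sample_log())
    for user, results in replay(evts).items():
        print(f"{user}: {results.count('locked')} locked of {len(results)} attempts")
    print("slow sources the lockout never saw:", slow_sources(evts))
```

The noisy source is locked on its third try and stays locked for the remaining two; the trickling source gets 42 "fail" results and not a single lock, which is exactly why the per-source monitoring in the last paragraph has to sit beside the lockout rather than replace it.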
Compared to what? Banned products, or products that the Chinese government limits to ensure that Chinese companies are profitable? China is not a free market, so any claim that something is a number one seller is obviously skewed.
For decades the best selling car in China was made by a Chinese company, but strangely looked exactly like a Buick which was being manufactured in China by GM.
Telling me that the best selling product is a home grown product in a controlled economy is useless, sorry.
Then the hype is spread to India, which has massive amounts of poverty. If the Chinese made phone is cheap, guess what phone Indian consumers will purchase (considering many people can't afford a phone at all, let alone a cell phone)? No big shock, the Chinese made phone.. *sigh*
I agree, and pointed out that it's a statistics issue. No system is perfect, but to have several "strong" passwords is more secure in my opinion than having all your eggs in a single (Google Auth) basket.
You don't need something like Google Authenticator to be secure. A strong 8-character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password. Longer passwords are better, obviously, but should still be changed periodically to prevent a brute force attack from succeeding over time. It should go without saying that a Government would have additional processing power and could break it faster, but at the same time the majority of servers today rate throttle auth connections to reduce brute force attacks. The supercomputers help with a known hash, not necessarily when cracking into your bank account.
Where strong passwords tend to break down is in key loggers, phishing, and broken protocols.
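Added example, not from any post here: the keyspace arithmetic behind the "N=6*24/tan(lb)" post and the "8 characters changed every 60 days" post above, carried through for the three situations the thread keeps distinguishing, an account behind a 30-minute lockout, an unthrottled online service, and offline cracking of a leaked fast hash. The guess rates are order-of-magnitude assumptions chosen for the illustration, and the resulting figures come from the formula rather than from either post.

```python
import math

# Guess rates per second (assumptions for illustration, not numbers from the thread):
#  - 3 failures then a 30-minute lock caps an online attacker at 3 guesses per 1800 s;
#  - a service with no throttling at all, limited only by the network;
#  - offline cracking of a leaked unsalted MD5/SHA-1 class hash on one GPU.
RATES = {
    "online, 3 tries per 30 min lockout": 3 / 1800,
    "online, no throttling": 1_000.0,
    "offline, leaked fast hash": 1e10,
}

PRINTABLE_ASCII = 95  # upper, lower, digits, symbols: what the tan(lb) password draws on


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy if every character is chosen uniformly from the set."""
    return length * math.log2(charset_size)


def fraction_searched(charset_size: int, length: int, guesses_per_second: float,
                      days: float) -> float:
    """Share of the keyspace an attacker at this rate covers before the password
    is rotated after `days`. Capped at 1.0: past that the password is certain to fall."""
    guesses = guesses_per_second * days * 86400
    return min(1.0, guesses / keyspace(charset_size, length))


def rotation_holds(charset_size: int, length: int, guesses_per_second: float,
                   days: float, p_max: float = 1e-6) -> bool:
    """True if the attacker's chance of hitting a uniformly chosen password before
    rotation stays below p_max. Brute force must match the whole string, so a
    single changed character puts the new password anywhere in the same keyspace."""
    return fraction_searched(charset_size, length, guesses_per_second, days) < p_max


def report(length: int, charset_size: int = PRINTABLE_ASCII, rotation_days: int = 60) -> dict:
    """Fraction of keyspace searched within one rotation period, per attacker rate."""
    return {name: fraction_searched(charset_size, length, rate, rotation_days)
            for name, rate in RATES.items()}


if __name__ == "__main__":
    for length in (8, 14):
        print(f"{length} chars: keyspace {keyspace(PRINTABLE_ASCII, length):.3g}, "
              f"{entropy_bits(PRINTABLE_ASCII, length):.1f} bits")
        for name, frac in report(length).items():
            print(f"  {name:36s} searched in 60 days: {frac:.3g}")
```

With these rates the 8-character, 60-day claim holds for both online cases and fails completely offline (a 95^8 keyspace is under 10^16 and a fast-hash rig exhausts it in days), while 14 printable characters stay out of reach even offline; that split is the "known hash versus your bank account" distinction the post ends on.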
For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)
A company called Intemedia has a "Securisync" product that uses both at rest and in transit encryption. So I agree the problem is solved, some much better than others, and even with "Cloud" storage. Cost is the obvious blocking factor in most cases.
That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc.. and now my 1 word has become at least 4 entries. The top 25 used passwords has now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.
I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.
To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than there is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.
The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.
Since the US media has become useless in terms of actual journalism, I don't think they care. TV based media simply ignores leaks, so the population that relies on TV media for news is just as clueless as if the leak never happened. Not a new tactic mind you, just lots easier with TV Propaganda^wNews today. They are probably betting that people will just forget. Happens all the time with Government and has for decades.
There are a few good radio stations that will talk about these issues, but none are nationally syndicated. Anything that receives lots of airtime gets bought out by Fox^wClearchannel and changed to a "Sports" station. Before you say it, Alex Jones sold out long ago and is now just a more extreme version of Rush Limbaugh (sometimes okay for scaring people awake to problems, but not often).
Newspapers? WTF is a Newspaper? Well, more seriously the few that are left are all controlled like Radio and TV.
I would be willing to bet that there are more leakers than just Snowden. If I was going to leak I may blame him since that might save me from a likely life term in "pound me up the ass prison". As long as Snowden is in Moscow he probably does not mind, it keeps him popular and relevant which I'm sure leads to a bit of income.
Having spent 10 years in the DOD I can tell you that security is possible (Not to brag, well maybe a little bit, I built the first NISPOM compliant secure networks off of a military installation). At the time I left (8 years ago) they were trying to skimp and even offshore work. One of many reasons for me leaving mind you. Systems can be secured and audited, but it's expensive and everyone in the management and executive chain wants bigger bonus checks. Politicians want bigger kickbacks, so the money train works against security as often as possible.
This shows that access control at the NSA is still thoroughly broken, no matter who the leak was.
I would have to agree, because you don't change a decade of shit security in a year. You would need to re-architect a decade's worth of systems, and I'd bet a box of donuts that they just tried slapping band-aids on things.
"In earlier times, they had no statistics, and so they had to fall back on lies". -- Stephen Leacock
"Statistics: the mathematical theory of ignorance." -- Morris Kline
"Facts are stubborn, but statistics are more pliable." - Mark Twain
"Torture numbers, and they'll confess to anything." - Gregg Easterbrook
And of course..
"42.7% of all statistics are made up on the spot." -- Steven Wright
I can't be a sociopath, I don't have a Twitter account.
It's really not a difficult thing to do.
Bravo, again!
Claiming someone is incorrect is knocking them? Good job dude, glad to see that political correctness class in school did some work.
My point was that even with Gmail they could not have reduced 100% of the attacks.
block logins with bulk-stolen passwords so successfully that they went away.
Maybe English is not your first language, but I doubt that to be true. That statement at least implies that Google no longer suffers from brute force attacks.
You then reinforce that same false claim in the post I'm commenting to now.
Google was able to stop these attacks so effectively the people behind them gave up
No, they didn't. You may have deterred a lot of them, but I'd bet a year's salary that Google still experiences a measurable number of attacks every day.
Look, I freely admit that huge leaps can be made with security. I have worked in IT Security for a quarter century. Neither you nor Google can do what nobody else in the market can do and make hackers simply go away. The number of attacks, even with exceptional security, will always be proportional to the size of your internet footprint, so Google is attacked a whole lot.
I'm not trying to knock you, or the progress Google made. I'm simply pointing out that the verbiage used is making a false claim. Reducing attacks by 99% is reasonable, reducing 100% is impossible. The only way to get 100% threat reduction is to isolate the host away from outside connectivity.
"Legal" activities in terms of a technicality, not "legal" in terms of the spirit of law (which includes the US Constitution). You really should learn the difference, because the former is why we are having such severe problems in the USA.
If there are changes needed to the Constitution there is a process for changing it, very clearly defined in fact. Bypassing the law or ignoring the law because someone does not like the Constitution is illegal, period.
Looking at who benefits is always a worthwhile pursuit. A company benefits, selling what appears to be FUD. US Government benefits because they have recently been blaming everything on Russia.
What is not happening? Nobody is going to jail over the computer espionage act (or any other law allegedly violated). In fact there is no criminal investigation at all mentioned. No facts are available to verify the alleged "stolen credentials", and the only way to even glimpse said data is to provide your information to some company that is an unknown in the security community.
I'll have to dig later, but I'm curious who the owner of this company is and who they are tied to. Surely a coincidence, but this comes out right after former NSA Director claims he's worth a million a month in consulting, working on over a dozen "IT Security" patents, all for his brand new private business. That may not be a rat, but sure has that "rodent" like smell to it.
At best, this is a company trying to profit off other people's pain. No thanks, I'm not buying anything they are selling.
Good write up, but you make a false claim.
Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away.
Um, no you/they didn't. I work at an ISP, smaller than Google, and am constantly blocking various attacks. Every time one method gets blocked, we find new ones. Yes, this is for IMAP/POP over SSL just like Google (and I block numerous other attacks because we provide numerous services).
You may have stopped many of the attacks, or even most of the attacks, but not _all_ attacks. The most difficult to block are the attacks by Governments, and you can tell they are Governments by the complexity of attacks and amount of resources used in these attacks.
Script kiddies are easy to block, but real hackers are changing tactics as often as we find them and block them. If the real hackers find a method that works, the method will eventually get migrated to the Script Kiddie toolkit.
Google and Microsoft are going through your private data because of power and control. They also receive Government incentives to do so, so gain cash as a side effect. Any claim of altruism is either a delusional fantasy or sock puppetry.
Just as I said about Google doing the same thing the other day, Microsoft is WRONG to do this. They are not a Law enforcement agency and have no right to read through customer data on their own accord. With a warrant from a court, different story, because that is the legal process. Further, it should not be a company/corporation reading through the data but law enforcement agents. This would help to ensure that evidence is handled properly.
A point to consider is that it has become trivial to inject files into your computer without your knowledge. With all of the back doors we know about, reports like this should be raising all kinds of alarms.
I'll warn you before you reply to save the "save the children" fallacies. I am willing to bet I have more knowledge than you in rhetoric.
Wait. Why would you need an AIX box or even permanent lockout? Answer: You don't need any such thing.
Native Unix LDAP supports time duration locking, it does not have to be permanent, and works with all NSS_LDAP libraries. I have run Servers of all types and Linux clients of all flavors (AIX, Solaris, HP-UX, RHEL, Ubuntu, etc.) and never had to permanently ban accounts for well over a dozen years (Early implementations were not as good as later, but still worked very well).
The majority of server side services (e.g. sshd) can idle for N seconds between auth attempts.
Assuming your servers are running like they should, permanent lockout is never really needed. On LDAP Servers I generally configure the policy to lockout an account for 30 minutes, not permanently.
You are never going to prevent all brute force attacks, and attempting to do so is idiocy. You want to deter them, which can be done in numerous ways. Stacking deterrence methods becomes extremely effective.
Do you really think a hacker is going to try for a 4th attempt, see that the account is locked, and keep trying after that? The answer to that is Hell no, the hacker will move to the next target and hope it's easier. He may come back tomorrow and try again, but after seeing account locks they will quickly move on to easier prey. Easier prey is everywhere...
Obviously deterrence won't fix everything, but there is no solution that is perfect. I can spoof biometric data as easily as brute force cracking passwords. I have found IPs trickling brute force attacks at extremely low rates, 1 every 4 hours for example. Your Auth subsystem does not find or fix these as much as having a good set of tools and admins that are monitoring what is happening in your environment.
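As an added illustration of the lockout-versus-monitoring point above (example code added here, not from the commenter or any product): a model of a temporary 30-minute account lockout run next to a slow-rate scan over the same constructed sshd-style log lines. The lockout never fires for a source that fails once every 4 hours, while the monitoring pass flags that source; all IPs, users and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines (not from the page): 198.51.100.7 fails one "admin"
# login every 4 hours, 203.0.113.9 bursts three "bob" failures in 20 seconds.
SAMPLE_LOG = """\
2014-08-01 00:00:00 sshd[101]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2014-08-01 04:00:00 sshd[102]: Failed password for admin from 198.51.100.7 port 40002 ssh2
2014-08-01 08:00:00 sshd[103]: Failed password for admin from 198.51.100.7 port 40003 ssh2
2014-08-01 09:00:00 sshd[104]: Failed password for bob from 203.0.113.9 port 50001 ssh2
2014-08-01 09:00:10 sshd[105]: Failed password for bob from 203.0.113.9 port 50002 ssh2
2014-08-01 09:00:20 sshd[106]: Failed password for bob from 203.0.113.9 port 50003 ssh2
2014-08-01 12:00:00 sshd[107]: Failed password for admin from 198.51.100.7 port 40004 ssh2
2014-08-01 16:00:00 sshd[108]: Failed password for admin from 198.51.100.7 port 40005 ssh2
"""
LINE_RE = re.compile(r"^(\S+ \S+) sshd\[\d+\]: Failed password for (\S+) from (\S+) ")

def parse(text):
    """Yield (timestamp, user, source_ip) for each failed-login line."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def lockout_events(text, max_fail=3, window=timedelta(minutes=30)):
    """Model a temporary lockout policy: max_fail failures inside `window` lock the
    account for `window`; attempts made while locked are refused. Returns {user: [lock times]}."""
    recent, locked_until, locks = defaultdict(list), {}, defaultdict(list)
    for ts, user, _ip in parse(text):
        if ts < locked_until.get(user, ts):  # refused: account is currently locked
            continue
        recent[user] = [t for t in recent[user] if ts - t < window] + [ts]
        if len(recent[user]) >= max_fail:
            locks[user].append(ts)
            locked_until[user] = ts + window
            recent[user] = []  # the lockout clears the failure counter
    return dict(locks)

def slow_attackers(text, min_fail=5, min_gap=timedelta(hours=1)):
    """Monitoring view: sources with at least min_fail failures whose average spacing
    is wider than min_gap, i.e. too slow to ever trip the lockout above."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse(text):
        per_ip[ip].append(ts)
    flagged = []
    for ip, times in per_ip.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= max(min_fail, 2) and sum(gaps, timedelta()) / len(gaps) >= min_gap:
            flagged.append(ip)
    return sorted(flagged)
```

Against the sample, `lockout_events` locks only "bob" (at 09:00:20) and `slow_attackers` returns only 198.51.100.7, the source the lockout never saw as a threat.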
Compared to what? Banned products, or products that the Chinese government limits to ensure that Chinese companies are profitable? China is not a free market, so any claim that something is a number one seller is obviously skewed.
For decades the best selling car in China was made by a Chinese company, but strangely looked exactly like a Buick which was being manufactured in China by GM.
Telling me that the best selling product is a home grown product in a controlled economy is useless, sorry.
Then the hype is spread to India, which has massive amounts of poverty. If the Chinese made phone is cheap, guess what phone Indian consumers will purchase (considering many people can't afford a phone at all, let alone a cell phone)? No big shock, the Chinese made phone... *sigh*
I agree, and pointed out that it's a statistics issue. No system is perfect, but to have several "strong" passwords is more secure in my opinion than having all your eggs in a single (Google Auth) basket.
You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password. Longer passwords are better, obviously, but should still be changed periodically to prevent a brute force attack from succeeding over time. It should go without saying that a Government would have additional processing power and could break it faster, but at the same time the majority of servers today rate throttle auth connections to reduce brute force attacks. The supercomputers help with a known hash, not necessarily when cracking into your bank account.
Where strong passwords tend to break down is in key loggers, phishing, and broken protocols.
For media, this too is also a solved problem. TrueCrypt, LUKS, BitLocker, and FileVault can mitigate the loss of a USB flash drive, an external hard disk, a laptop, or even drives out of a remote server (such as a RODC serving a branch office.)
A company called Intermedia has a "SecuriSync" product that uses both at rest and in transit encryption. So I agree the problem is solved, some much better than others, and even with "Cloud" storage. Cost is the obvious blocking factor in most cases.
That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc. and now my 1 word has become at least 4 entries. The top 25 used passwords have now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.
I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.
To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than there is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.
The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.
Since the US media has become useless in terms of actual journalism, I don't think they care. TV based media simply ignores leaks, so the population that relies on TV media for news is just as clueless as if the leak never happened. Not a new tactic mind you, just lots easier with TV Propaganda^wNews today. They are probably betting that people will just forget. Happens all the time with Government and has for decades.
There are a few good radio stations that will talk about these issues, but none are nationally syndicated. Anything that receives lots of airtime gets bought out by Fox^wClearchannel and changed to a "Sports" station. Before you say it, Alex Jones sold out long ago and is now just a more extreme version of Rush Limbaugh (sometimes okay for scaring people awake to problems, but not often).
Newspapers? WTF is a Newspaper? Well, more seriously the few that are left are all controlled like Radio and TV.
I would be willing to bet that there are more leakers than just Snowden. If I was going to leak I may blame him since that might save me from a likely life term in "pound me up the ass prison". As long as Snowden is in Moscow he probably does not mind, it keeps him popular and relevant which I'm sure leads to a bit of income.
Having spent 10 years in the DOD I can tell you that security is possible (Not to brag, well maybe a little bit, I built the first NISPOM compliant secure networks off of a military installation). At the time I left (8 years ago) they were trying to skimp and even offshore work. One of many reasons for me leaving mind you. Systems can be secured and audited, but it's expensive and everyone in the management and executive chain wants bigger bonus checks. Politicians want bigger kickbacks, so the money train works against security as often as possible.
This shows that access control at the NSA is still thoroughly broken, no matter who the leak was.
I would have to agree, because you don't change a decade of shit security in a year. You would need to re-architect a decade worth of systems, and I'd bet a box of donuts that they just tried slapping bandaids on things.