Slashdot Mirror


User: Em+Adespoton

Em+Adespoton's activity in the archive.

Stories: 0
Comments: 4,889

Comments · 4,889

  1. Re:Blacklist on US State Department Can't Get Rid of Email Hackers · · Score: 4, Interesting

    The security hole is likely end users. The software being "tweaked" is probably Word documents pushing Dyreza malware. The issue they face is that if they want to allow Office documents with embedded VBA macros (this is probably heavily embedded in their office workflows), it doesn't matter that they've identified the security hole, they can't close it without making massive changes to how they do business (or significantly change their IT security policies for desktop endpoint use).

    Based on the mincemeat the Office macro payloads have been making of everyone's security lately, this is probably all it is. There's probably no targeted hacking going on at all; just a failure to keep up with the latest generic malware attacks, like with almost everyone else. Of course, since the attackers probably realize by this point where they've gotten into, they're going to ensure they stay there by using the same methods.

    That said, it could be just about anyone else employing APT methods too -- wouldn't be all that difficult; just more difficult than deploying the already common crimeware packages you can get on the darknet at a discount.

  2. Re:Now you sound just like an operative on Superfish Security Certificate Password Cracked, Creating New Attack Vector · · Score: 1

    The fun thing is, I don't really mind being called a damage control operative, unlike the real ones :) The reason it sounds like I'm deliberately trying to downplay it is because it's not the issue many are making it out to be. I'm all for exploring what *could* happen (my post history will attest to that) but at the end of the day, it's not really much of an issue.

  3. There *is* malware out there that actively exploits known VMs (mostly VMWare, but also VirtualBox) and escapes the VM by knowing where it hooks the host. The nasty part about these is that since they're exploiting the VM, they effectively act like a rootkit once they hit the host; you're not likely to notice what they're actually doing until it's too late.

    On the other side, most malware can either be contained by a VM, or in many cases, will have AntiVM code baked-in, so it won't even run if it notices it's in a VM. If you add a few code analysis tools to your VM, any moderately complex malware will think it is running on a malware analyst's system and immediately shut down, or do something useful instead of something malicious.

    So yeah; running in a VM adds protection in a few different ways.

  4. I also notice that we don't have a bunch of articles about how snipers can kill you while you cross the street -- ANY STREET. The truth is that the HD angle isn't really news, beyond being a novel bootkit variant. There are sites trying to spin it into something bigger, but they generally don't understand what's happening in the first place.

    Oh, and you can also be infected via the BIOS, and even on UEFI devices during the initial stages of hardware negotiation (which is likely where this stuff sneaks in anyway). Once again, this isn't news, no matter how many sites want to make it news to get ad impressions.

    So I hope the GP stops trying to spin harder than the psyops he's sure are trying to silence this -- nobody's really interested once they understand the details.

  5. It doesn't take government operatives... At this point, it's a dupe. I already raised both the issue of all current manufacturers being affected and the fact that not enough actual information was released. It's not a conspiracy in this case, it's just bad reporting being moderated as such.

    If someone submits the Kaspersky article, maybe it'll get more traction. Instead, we keep getting submissions that are all hype and no substance, filled with editorialization and almost zero facts. People have tried to spin "custom targeted spyware inserted into firmware of targeted computers, regardless of drive manufacturer" into "firmware from all hardware vendors comes pre-loaded with spyware that reports back to the NSA".

  6. Re:3rd AC comment is golden on After 30 Years of the Free Software Foundation, Where Do We Stand? · · Score: 1

    A few things here:
    1) you talk about operational security, but then mention that the only reason you re-flashed was that it wouldn't boot. Did you BUY it unbootable (indicating that it was likely stolen and killed), or did it die on you (indicating that you were running the previous firmware for some amount of time prior to reflashing)? Either way doesn't sound like good security.
    2) Prepay on flashed firmware on a non-mobile phone is definitely the way to go. However, some firmware also enables a remote "listen-in" mode -- have you done anything to verify that this is not the case here?

    My point was that while you think you rooted the phone and replaced the firmware (but not all the other components), you replaced the firmware with another untrusted firmware. And this says nothing about whether you can trust all the other components (which you can't). So you haven't really added anything here that contradicts the original AC's point, being that you can never really trust your phone, no matter what you attempt to do to it.

  7. Re:3rd AC comment is golden on After 30 Years of the Free Software Foundation, Where Do We Stand? · · Score: 1

    ...and so you've effectively replaced one call-home firmware with another unverified firmware that could be calling home to multiple agencies, neither of which have anything to do with all the other non-firmware tracking going on in the device.

    And THEN you start installing apps....

  8. Re:That's because on After 30 Years of the Free Software Foundation, Where Do We Stand? · · Score: 1

    https://duckduckgo.com/l/?kh=-...
    Looks like I was looking at older data.

    However, the answer is likely that it was an easy way to unlock phones sold in the N. American market. Every time Apple releases a new phone, a bunch are bought up on the west coast by people who jailbreak them, unlock them, and then sell them in Hong Kong, Taiwan, and mainland China. This likely accounts for both the large number of jailbroken devices and for the decline, as a larger and larger number of legit devices are sold directly into the Chinese market.

  9. Re:That's because on After 30 Years of the Free Software Foundation, Where Do We Stand? · · Score: 5, Insightful

    And yet, the majority of iPhones in Asia are jailbroken. Why? Because they care about replacing the existing software because it doesn't let them do all the things they want?

  10. Re:Node.js is server side on Java Vs. Node.js: Epic Battle For Dev Mindshare · · Score: 1

    I worked on the code for Medusa back in the 90's. I believe this eventually found its way into Plesk via Zope (which had Medusa at its core). There's lots of stuff out there using Python as a server; it's also trivial to create any sort of server (but especially an HTTP/HTML server) with a Perl interpreter. The modules are all sitting on CPAN.

  11. Re:Ummmm.... on Java Vs. Node.js: Epic Battle For Dev Mindshare · · Score: 1

    Java has both Swing and AWT... and JavaScript has Chrome (and for that matter, the other Chrome along with every other current browser). You can easily make a GUI in JavaScript -- people have even made complete OS emulators in JavaScript.

    Oh, but it requires extra software to actually display the GUI you say?

    What did you think Swing and AWT were???

  12. Re:Who Will Read It ? on Storing Data In Synthetic Fossils · · Score: 1

    Frankly we are all lost in time and space it is just that most of us don't know it. If you don't believe that please name one citizen of the Etruscan Empire. Or how about one citizen from the Chaldean Empire?

    As already mentioned, the Etruscan state didn't have an empire; the Chaldean Empire didn't really measure up by today's standards either -- and yet, many people today know about Ur -- he had a major town named after him that a rather famous individual was from.

    So yeah; maybe if we had better records for some of the other areas of history, they'd be influencing modern culture and knowledge more than they currently are -- but it seems like lineage plays a bigger role than records keeping in what humanity studies from the past.

  13. Re:Browser Makers Should Get The Message on Ask Slashdot: Most Useful Browser Extensions? · · Score: 2

    I'll add:
    NoScript (stops most of the baddies, just turn on what you need, when you need it)
    Ghostery (clean up what AdBlock Plus and NoScript miss)
    FireSSH (because FTP's inherently insecure)
    Leet Key (great for transforming all sorts of text)
    gTranslate (in-context automatic language translation!)
    Tree Style Tab (if you use lots of tabs)

  14. Re:why? on Researchers Block HIV Infection In Monkeys With Artificial Protein · · Score: 1

    Why do they use monkeys for this experiment? Aren't there plenty of homos around?

    Homo Habilis is dead already
    Homo Erectus is also dead.
    Homo Sapiens is long gone
    Homo Sapiens Sapiens is still hanging on....

    But why not try it on Homo Milk?

    Thanks, but I think Rhesus monkeys and Bonobos are probably better bets for now. Pigs and rats would also be decent contenders for some tests, but not others.

  15. Re:Cancer just doesn't have that "it" factor!! on Researchers Block HIV Infection In Monkeys With Artificial Protein · · Score: 1

    THANK you. There are so many people I hear say stuff like "Oh, cancer has already been cured, they're just holding the vaccine back from us" or "I'm waiting for the cancer pill to come out".

    About as bright as waiting for the pill to stop death.

    Oh, there's all sorts of solutions to stop death. They're all rather permanent however.

    But yeah; Cancer is a description of a process, not an actual disease. I'd think that after so many decades of cancer awareness campaigns, people would get this. Cancer is basically about cells replicating in an unregulated manner. The CAUSE for this depends on what's actually wrong. Finding a cure for cancer is like finding a cure for headaches -- the problem isn't the headache (which kind?) but the process that is causing the biofeedback in the first place.

    And yeah; Lymphoma all by itself probably has got as much press and research over the past two decades as HIV (yeah; AIDS isn't a disease either; it -- again -- is a description of a biological state).

  16. Re:And so it begins ... on Oregon Residents Riled Over Virtually Staff-free Data Centers Getting Tax-breaks · · Score: 1

    The question is, could those 300,000,000 datacenters all employ the same person, controlling a horde of robots?

  17. Re:How about making patent reviews like PhDs? on Algorithmic Patenting · · Score: 1

    I think we already have the answer to that question in the form of companies like Elsevier. Or was that not the peer review process you were talking about?

    Thesis defense style would break down pretty quickly, as people tend to like to get work done instead of spending every day on a review panel.

  18. Re:Why not indefinitely? on California Floats Conditional Approval For Comcast/TWC Merger · · Score: 5, Insightful

    There's something else that comes into play here too -- this would be brokered under Section 706, and they'd be held accountable to it. HOWEVER, they're also going to be accountable to Title II pretty soon, which will lay down an entirely different set of regulations they'll be required to follow, and (hopefully) last longer than 5 years. As such CPUC would be forcing them to open up the last mile while the FCC is also requiring them to stay net neutral (among other things). The combination of these two strategies doesn't give them too many ways to rake in the easy money -- they're going to have to work for it if they take the agreement. Smart move on CPUC's part! They can draft an agreement that by itself looks very innocent and somewhat reasonable, but paired with the other decisions coming down the pipe closes many of the loopholes in the short term, while giving communities time to start projects that won't be rescinded after 5 years (because when does that ever happen).

    Hopefully other states follow suit.

  19. Re:Doxxing is an act of intimidation on Notorious 8chan Board Has History Wiped After Federal Judge's Doxing · · Score: 1

    Trying to intimidate a federal judge is both a criminal act and a VERY bad idea.

    Depends... would you have any qualms about doxing a federal judge from North Korea?
    I bet there's some guys from Serbia (or North Korea for that matter) who feel similarly about doxing a federal judge from the USA. Of course, the difference is that a federal US judge has the power to get you pretty much wherever you live in the world, thanks to close relations with the other branches of the US government.

  20. Re:What were you expecting? on Trans-Pacific Partnership Enables Harsh Penalties For Filesharing · · Score: 1

    when profits drop to reasonable levels for music and movies, they'll get made / created by people with a love for the art

    So everybody is going to sing? Instead of just listening to recordings of a few people singing?

    Why does anything at all have to change for that to happen?

    Because people follow the path of least resistance. Recorded audio and video give people the impression that they're interacting with others without forcing them to actually do so. Same with Facebook. That said, if people spent more time in the shower, they'd probably have a richer musical experience, assuming *some* exposure to the music of others.

  21. Re:What were you expecting? on Trans-Pacific Partnership Enables Harsh Penalties For Filesharing · · Score: 4, Interesting

    http://www.theguardian.com/med...

    As content is worth less and less, they need to do something to prop up the profit structure.

    Sad thing is, if the content being infringed is worth less and less, why are people getting stiffer and stiffer penalties for infringing?

  22. Re:Stingray? - Saw one UP CLOSE! on FBI Can't Find Its Drone Privacy Reports · · Score: 3, Informative

    And Stingray devices are inherently mobile -- you aren't going to see one fixed-mounted like this.

  23. Stingray? on FBI Can't Find Its Drone Privacy Reports · · Score: 2

    Has anyone checked for this regarding the Stingray cell data collection program? Since "FBI Says All Public Records Requests For Stingray Documents Must Be Routed Through It," you'd think that these should also have a privacy report -- right?

  24. Re:Not anti-science, anti-authority on Low Vaccination Rates At Silicon Valley Daycare Facilities · · Score: 2

    I'd add that there's a possibility of people in this demographic being actively against reporting anything more to "the man" than they have to -- they are all likely to be acutely aware of the power of data mining. In this case, that wouldn't indicate actual vaccination levels, but *reported* vaccination levels. After all, the data is retrieved from a form that the parents might refuse to fill in with anything but the bare minimum information.

    It doesn't make it smart, but it does present another hypothesis.

  25. Re:Unfortunately... on Five Years After the Sun Merger, Oracle Says It's Fully Committed To SPARC · · Score: 1

    Not to mention, Oracle's commitment to VirtualBox doesn't appear to be on the same level as their commitment to SPARC -- which means both virtualization ON SPARC and virtualization OF SPARC are questionable, with the tools, while great, needing a bit more love by paid programmers than they're getting, as well as some sort of LTS commitment.