Slashdot Mirror


User: crowemojo

crowemojo's activity in the archive.

Stories: 0 · Comments: 49

Comments · 49

  1. Pixel Perfect Timing Attacks on Ask Slashdot: Favorite Thing Out of This Year's Black Hat? · Score: 1

    Easily one of the best technical talks I have ever seen; how timing attacks can be used to break the same origin policy and read the contents of a frame. This talk included demos of an attacker site loading up a target site in a frame and reading the contents to grab the CSRF token. It was awesome. http://contextis.co.uk/files/Browser_Timing_Attacks.pdf

  2. Giant virtual bar on Study: Online Dating Makes People "Picky" and "Unrealistic" · Score: 3, Interesting

    In my experience, the most popular dating sites (listed as type 1 in the article, like OKCupid and Match) are like giant bars. The women are hounded from all directions by men, and the men seem to have to fight to distinguish themselves. Every good friend I know that is female and on one of these sites is constantly bombarded and things quickly devolve into shallow initial impressions. I'm willing to bet most relationships started at bars are often shaky when things get real as well.

  3. A bit misleading ... on MI5 Website Breached By Hacker · Score: 5, Informative

    I see this and think the word "Hacked" gets thrown around a bit too easily. This is an example of non-persistent (also referred to as reflected) cross-site scripting. This means that in order to take advantage of it, they have to convince a target to visit their specially crafted link. To me, "Hacked" sort of implies "They got in!" or "Data was breached!" or other such bad things, and that simply isn't the case here.

    So what does this type of XSS do? Mostly embarrass people, because defacement examples are posted to "look what I can do" forums (which is basically what happened). Think about the attack vector here: they have to get a victim to visit their specific URL that includes their attack. How is that done? Malicious email, posting the link to some website or forum and hoping they find it and visit, embedding the link in other sites that have been hacked or something like a banner ad, or whatever. All of these involve the target going out of their way to visit this maliciously crafted URL. When you consider that they could still do all these things without XSS and simply host malicious code themselves, all this reflected XSS is doing is making it a bit harder for an end user to spot that this is something non-standard and dangerous.

    Think of it this way: "With reflected XSS, I can send them a link, and if they visit it, I can do bad things to their computer!" But then again, you can do that without XSS too, it just isn't quite as effective. How many users are taking the time to carefully look at a link before clicking on it, checking to make sure it contains the domain name they expect and not just an IP address, or a domain name that is similar but not quite right, etc.? A user who is doing this sort of thing will more likely fall victim to this XSS attack, but most users, who don't scrutinize things at that level, were just as susceptible to a classic phishing/malicious linking attack anyways.
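Added example, not part of crowemojo's comment: a minimal Python search handler that reflects its ?q= parameter verbatim, beside the same handler with output encoding, plus the hostname check a careful user might make on the link. The example.org URL, the handler names and the sample link are assumptions constructed for illustration; nothing is stored server-side, which is what makes the issue non-persistent.

```python
"""Reflected XSS: the payload lives only in the request URL.

The vulnerable handler below stores nothing; it simply echoes the query
parameter into HTML. The fixed handler is identical except for output
encoding. The hostname check shows why "look at the domain before you
click" does not catch this class of link: the domain is the real one.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit


def get_query(url: str) -> str:
    """Extract the q parameter from a URL (empty string if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def search_page_vulnerable(url: str) -> str:
    """Reflects the search term verbatim into the page: reflected XSS."""
    q = get_query(url)
    return f"<h1>Results for {q}</h1><p>No results.</p>"


def search_page_fixed(url: str) -> str:
    """Same handler with contextual output encoding of the reflected value."""
    q = escape(get_query(url), quote=True)
    return f"<h1>Results for {q}</h1><p>No results.</p>"


def hostname_matches(url: str, expected_host: str) -> bool:
    """The check a careful user performs: is this the domain I expect?"""
    return urlsplit(url).hostname == expected_host


def is_reflected_unencoded(page_html: str, marker: str = "<script>") -> bool:
    """Detection-side check: did a raw tag from the input survive into the page?"""
    return marker in page_html


# Constructed sample link of the kind the comment describes: a crafted URL on
# the legitimate site (hypothetical example.org) that a victim must be lured
# into opening. The textbook probe payload is used only to verify the fix.
CRAFTED_LINK = "https://example.org/search?q=<script>alert(1)</script>"

if __name__ == "__main__":
    print("domain looks right:", hostname_matches(CRAFTED_LINK, "example.org"))
    print("vulnerable page reflects tag:",
          is_reflected_unencoded(search_page_vulnerable(CRAFTED_LINK)))
    print("fixed page reflects tag:",
          is_reflected_unencoded(search_page_fixed(CRAFTED_LINK)))
```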

  4. Re:Major Plotholes ... Spoiler Alert on Batman Discussion · Score: 1

    Your second plothole isn't a plothole at all. Joker was taunting them, "I was here, clearly I couldn't have done this," while making it plain that he was responsible/involved. His "What time is it?" comment is followed by something about depending on the time they would be in one place or several. It's a very clear threat that they are in danger and time is sensitive. I think you are reading more into that scene than is actually there.

  5. Re:Why didn't they just kill the lawyer? on Batman Discussion · Score: 1

    Are you serious? It's a larger moral question there, what sort of control do we give away when we decide as a government and a people to kill someone in that situation? What if the Joker then says "I still have the bombs in place, now kill ten people?"

    Also, there were obviously several people who *did* want to kill the lawyer, random citizens shooting at him through the window or trying to plow into the car he is being held in, etc. So you thought it was a plot hole that the police didn't take the official stance of "Yeah, we should definitely just kill the guy?"

    Scary.

  6. Re:Boats on Batman Discussion · Score: 2, Interesting

    I don't agree. Yes, the Joker often lies, but typically to further mess with people. His ultimate goal there seemed to be showing Batman that people have evil in them, and he would much rather have the people that made the choice to kill live and struggle with their own guilt while serving as examples of his point.

    His lie and switch of the locations, on the other hand, makes total sense, because he wants to bring Batman down, test his resolve and his absolute moral code. By switching the locations, he knew that Batman would determine who he most wanted to save, and then would be denied that person.

  7. Re:Farewell sweet Karma on Batman Discussion · Score: 1

    Well, ultimately a film is a story.

    I disagree with this, most often a film is a story, but I would say instead that ultimately a film is an experience. I look at movies like No Country For Old Men, Lost In Translation, and Once as examples of movies where it's not really the story that makes the movie enjoyable, but the portrayal of something, the presentation of an aspect of life.

    Take the scene in No Country For Old Men when the antagonist is in the gas station and flips a coin to decide whether to let the station attendant live. That's the story in that scene, but that statement doesn't come close to doing justice to the intensity of that scene, the skill with which that scene was portrayed, etc.

    Personally, I found myself riveted by the Joker and everyone's attempt to deal with/understand him. That alone made the film for me. You obviously didn't have the same reaction, but to each their own.

    I think people ask for examples of tackiness, rushing, and clumsiness because they never felt it, and genuinely want to know what set off those flags for you. I thought that Batman's snarling was a bit over the top and distracting, for example, but for me, and as others have pointed out, this was more of a Joker movie than a Batman movie, and I enjoyed it thoroughly.

  8. Adds a step for the photoshoppers on Identifying Manipulated Images · Score: 4, Insightful

    One would think that it would be simple enough, after finishing whatever touch-ups that you want to perform, that you use this technique to calculate where the light sources should be, and then correct the minute details that would give it away as an altered image. Sounds like the kind of thing that would be a simple photoshop plugin actually, once you are all done you just run the "make undetectable from light source detection analysis" tool and call it a day.

  9. Re:chicken egg? on Antivirus Inventor Says Security Pros Are Wasting Time · Score: 2, Informative

    You are proving his point!

    By the time an attacker has the hashes, the game is essentially over! Do you think a 10 character password is really going to be that much weaker than a 14 character password in the situation where an attacker does *not* have hashes? (And simple controls such as account lockout features are enabled?)

    I think Tippet would prefer passwords to be only complicated enough that they aren't susceptible to brute forcing when account lockout features are in place. His point is that anything past that is not netting you any practical security gain, and I think he's dead on.

    I've heard the speech that this article is referring to and I have to tell you, it's pretty interesting. He talks a lot about trying to take a more practical approach to security, especially security research. Asking questions like "in a given environment, which controls result in an appreciable difference in security?" "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?" Putting aside how you answer such questions (it's not an impossible task) I have to admit that the answers themselves are relevant!

    One of Tippet's messages he stresses in this talk is that the security industry does things differently than other industries and it doesn't make sense. He draws a lot of comparisons to the medical industry because he is a medical doctor as well. In medicine, when we want to know how effective something is, we study it, we design trials, we examine the effects in the field. In security, we tend to go straight from the theoretical realm, debating ideals and their implications, straight to hard and fast rules, without the testing in between. We do ourselves a disservice by doing so. Straight from thinking "Antivirus updates are important and need to take place daily" to a general belief that "if you don't update daily, you are stupid, and insecure" without the in-between step of asking "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?"

  10. Re:Nothing taken on Stolen VA Laptop Recovered · Score: 2, Interesting

    Ok, the best you could possibly do is try and reconstruct when the computer was turned on or logged into. At best, you can say that, since the laptop had been taken, it had not been logged into. Even then, that is no assurance that the data was not copied, since the drive could have been taken out and copied.

    There is no reliable forensic technique to determine beyond doubt that data has not been read. Imagine if you had left a page with notes in a public, high traffic area. When you found that page a day later, how would you go about determining if anyone had looked at it?

  11. Re:So if they want to be banks... on Google Launches PayPal Rival · Score: 2, Informative

    If they are accepting credit cards, then they must be affiliated with a merchant bank. It is not possible to accept a credit card without this affiliation. If they are considered a Level 1 merchant by Visa, then they have to go through an annual independent PCI compliance review.

    A level 1 merchant is defined as the following:
    Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
    Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
    Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
    Any merchant identified by any other payment card brand as Level 1.

    The PCI Data Security Standard consists of twelve basic requirements and is actually very similar to what is regulated at most banks as per FFIEC guidelines. Every Level 1 merchant must have the following:
    Annual On-site PCI Data Security Assessment performed by QDSPs that are working for a QDSC (individuals that have been certified to perform the review that are working for companies that have qualified to attest to the compliance to the standards)
    Quarterly Network Scan by a qualified scanning vendor. The qualified scanning vendors are screened by Mastercard and are only able to qualify by scanning a controlled environment and producing results that meet the standard that has been established.

    Finally, if there are any doubts, PayPal-Verisign is on the published list of qualified service providers, indicating that they have complied with the standard I mentioned before as a service provider, not just a merchant.

  12. Re:Why is microsoft dependent on Eeye and the like on MS Security VP Mike Nash Replies · Score: 2, Insightful

    This hardly seems fair; if Microsoft's established SDL identifies and fixes a vulnerability in the development process, then it's not going to have a patch released for it to begin with. Before eEye gets their hands on this product, it's already been run through the MS wringer. Who knows how many thousands of things MS has fixed before that point.

    In a product as complicated as Windows, geared towards an audience as general, varied, and uneducated, there are going to be problems! This is an unavoidable fact of life, so what we can do is introduce controls to mitigate those problems. What we can do is design products that address issues in general, so that even if something does slip through the cracks, other items are in place to pick up the slack and minimize the impact.

    I have to disagree with the general statement that this was just a bunch of HR tripe; it couldn't be further from the truth. Ok, I can acknowledge that he touts the SDL as a panacea to all MS security woes, but he also makes some excellent points and mentions some changes that really will make a difference. Specifically, talking about minimizing the number of services, what those services do, and what context those services run under is HUGE. Further, creating an environment that is friendly towards people operating their system in a non-privileged mode is also huge.

    Further, ... what do you expect? We're dealing with thousands and thousands of developers and product lines here. Educating those developers, holding people accountable to a standard, and putting controls in place is all that really can be done. I guess that's all, on with the accusations of being a mindless MS zealot ;)

  13. Keeping them coming on Ask The Mythbusters · Score: 1

    It seems like your show is contingent on a specific kind of myth; things that can be recreated in a (somewhat) controlled environment. Certain cultural myths and origin stories are right out, for example, because they don't lend themselves to much other than diligent research. As you continue to produce the shows, how do you find more myths that are suitable to your format? Do you feel the strain of "been there, done that" yet?

  14. Re:There is no point unless... on What's the Point of IT Certifications? · Score: 1

    Like most things in this world, general statements aren't going to cut it. The statement that "there is no point in getting certifications ..." is correct in some situations, and decidedly incorrect in others. Some certifications are a bit more meaningful than others; surely this doesn't come as a surprise to anyone. The idea that an A+ certification and a CCIE certification are equally worthless is crazy. Do you have any idea what it takes to get a CCIE? I guess what I'm saying is that this is not a simple question: some certifications are worthwhile, some are not.

    Another point that people may not realize is that there are a lot of jobs that require certifications. For example, good luck signing off on any sort of opinion if you are not a CPA. Is the CPA useless? I don't think so. Another example: Visa is now requiring card processors to undergo an accreditation process. This process includes having a certified vendor perform a Visa audit. Guess what, you can *not* perform that Visa audit until you have received Visa training. You know what else? You can *not* receive Visa training unless you have one of a handful of certifications, including the CISSP and CISA certifications. Not convinced? Let's move on.

    There is yet another reason that certifications serve some purpose. They are a statement on at least some level of the competence of an individual. Yes, I know that there are some losers with certifications that are not competent, but think of this from a different light. You are a manager tasked with hiring a person (or company) to perform services for you. Think of how you are going to look if this person or company fails, and hurts your company as a result. At that point, being the one that made the decision, are you going to want to have chosen someone who (however shallow it may be) had some form of legitimacy? I can guarantee that your "certifications are worthless" argument is going to sound a bit feeble when explaining the failure of the project to your boss. If you are a candidate for a job, and on paper and through interviews you are relatively equal, but he has the appropriate certifications and you do not, guess who is going to get the job. This is particularly true if you are hiring for a position that you yourself are not particularly proficient at.

    Finally, as a person in a hiring position, I do not consider them at all, and am definitely prejudiced against someone who puts them on their resume. Are you kidding me? "Yes, Sir, I know that our latest Network Administrator, the one that I hired, has cost us thousands due to incompetence, but see, they were the only one *without* their MCSE, so it's not like I had much of a choice." Good luck with that.

    So in conclusion, ... yes, certifications are worthwhile. Some are certainly worth more than others, and some are arguably worthless, but certifications, in general, are worthwhile.

  15. Re:Privacy on Full-Motion Ads Come to Videogames · Score: 1

    Ah, but therein lies the problem. If it truly is a great game, a game of the ages that is universally fun and entertaining and all that good stuff so that it can sell oodles on its own, imagine the revenue it can generate from having ads in it.

    The problem will be when people who make games that were good enough to make profit the old way realize that they can make more profit this new way. From a business sense, a lot of people would rather take a hit to their overall sales if the resulting ad revenue significantly outweighs the loss.

  16. Reading between the lines on Review: Battlefield 2 · Score: 1

    Ok, so let's see here ....

    The game pits American forces against vaguely terrorist middle-eastern stereotypes, in a topical tie-in to today's headlines.

    ...

    The sequel to Battlefield 1942 and Battlefield Vietnam stays very close to the source material. So close, in fact, that it's hard to point to any fundamental change in the gameplay mechanics.

    So what you are telling me is that this is the same game that has been hitting the shelves with different developers' names on it for the past 3 years, except they didn't really change anything. Gee, I'm convinced.

  17. Re:Law shmlaw on 63% Of Corporations Plan To Read Outbound Email · Score: 1

    Good luck figuring it out -- especially if you signed a (now practically standard) agreement allowing your employer to snoop through your work emails at will.

    There are reasons those agreements are in place, and it's not always because your employer is evil; it's because they are doing what they have to. Yes, if you want to screw your employer you will figure out a way: USB flash drive, ssh tunnel over the one port they allow outbound, hell, just taking the hard drive home one night, you name it. But imagine a breach does happen, and it is something as simple as email being sent out. If the company did *not* have these policies, they would be grossly negligent when it came to their due diligence in protecting that data. That's a world of shit that you don't want to be in. Just because they have the policy stating that they have the right to monitor your email, that doesn't mean they are, but even if they are, that doesn't make them evil; it just depends on the circumstances. As a part of standard IT audits, and reviews of policies and procedures, if we do not see these terms in there, then that's a finding (translated: a documented deficiency in their environment that will be reported to the board of directors, or whoever it happens to be for that industry).

    Taking the other mentioned examples into account (like using a USB flash drive): if you found out that all of your personal information was compromised due to an employee stealing it with a USB key and then also found out that at no point was that employee told or required to sign a contract in regards to his handling of your personal information, what would you think?

  18. Re:Gentlemen don't read others gentlemen's mail... on 63% Of Corporations Plan To Read Outbound Email · Score: 1

    The funny thing is... well, not so much funny as it is disturbing, signing an employment contract.

    It seems that everyone is always quick to jump on the damn the man bandwagon. Think of employment as an investment. Of course you are going to have to sign an employment contract, how do you expect this to work? Want to pay someone for their time, possibly invest money in training that person, and provide that person equipment and an environment in which they will excel and then not expect anything out of it? This isn't disturbing, it's business as usual. If you are disturbed by the idea that a company investing in you is going to expect to have rights to what you produce, then find different investors or bootstrap it yourself.

  19. Re:Gentlemen don't read others gentlemen's mail... on 63% Of Corporations Plan To Read Outbound Email · Score: 1

    Can anyone with legal experience enlighten me on this one? Do the bastards have the right to do so, provided that one doesn't sign a document that explicitly states "you can read my email" but instead contains a fine version of "all your bases, off lunch hours, belongs to us"?

    Actually, the odds are that included in that stack of papers that you have signed is a micro-computer use policy that includes sections on Internet and Email acceptable use. If you look at these you will most likely see, in no uncertain terms, that pursuant to gaining access to the company resources such as an internet connection and an email account, you must agree to certain terms, one of which is their right to monitor your email messages with or without informing you. Especially if you are working in a regulated industry (which thanks to Sarbanes-Oxley now can mean "any publicly traded company"), they most likely have something a lot more detailed than "all your bases, off lunch hours, belongs to us". Not only that, but it also roughly translates to "all your base, period, belongs to us".

    Guess what, they have to do this. If they are not, then they are negligent in their duties to verify that their sensitive information is protected, which, depending on the type of company, is a regulatory requirement.

    Also, to the poster that mentioned going to https://www.gmail.com as opposed to http://www.gmail.com/: not only will this not work in an environment that has been set up by people who know what they are doing (which I know is rare), it may be in direct violation of that aforementioned computer use policy. You know, the one with your signature on it, the one that states you will not use third party email systems, the one that says that violation of said policies could result in termination ... yeah, that one.

  20. Re:Encryption use != evil on PGP Ruled as Relevant For Criminal Case · Score: 1

    I think, apart from ignorance of the prevalence of encryption technologies in computers, the judge is conflating cryptology with steganography. Encrypting the files would make them more obvious, and couldn't account for the fact that they are not to be found.

    This is only true if he was using PGP to individually encrypt the files. If he instead had a PGP disk, then there is no telling what is on that disk, just how big the disk is. It could be 100 megs of encrypted empty space, but then again, it could be thousands of pictures of child pornography, but all you see is a single flat file, disk.pgd

    Something tells me that if he was trying to hide his tracks, he wouldn't have files like kiddieporn.jpg.pgp laying around.

  21. Re:Now if someone on Mathematicians Become Hollywood Consultants · Score: 2, Interesting

    The problem is that if the hacking were accurate, it simply wouldn't be that exciting. "Oh look, he ran metasploit" somehow doesn't have that 'it factor' that they are most likely looking for.

    "You mean it's not accurate to say 'I'm gonna drop a hydra and pop their firewall?' Eh, it still sounds good, so screw it."

    "We can't image enhance the picture taken with this cell phone to accurately read that license plate off the car that was driving 80 miles an hour? Too bad, keep it in."

    Something tells me that Hollywood execs realize they are sensationalizing, and that their techniques, interfaces, and terminology aren't quite accurate, but they don't care. The same is true in a lot of things. I can't even watch movies involving the military with my Dad because he was in the service for 26 years and has a hernia pointing out all the things they get wrong. Guess what, I don't care because I'm not a military person, just like a lot of their target market doesn't care about the failed geekspeak because they aren't geeks.

  22. Great, no bugs, ... SQL Injection? Crap on Reports from the MySQL Users Conference · Score: 2, Informative

    It's great that bugs are fixed, but how about investing more in user education, so that people at least realize that they could have every patch imaginable installed but still be owned by SQL injection, a problem with whoever wrote their webpage or app that interfaces with the SQL server and not the SQL server itself.

    MySQL is a lot better about it than MSSQL due to the lack of comments, but disastrous things can still be done with this.

    For those that are curious, more info on SQL injection can be found here and here.
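Added example, not from crowemojo's comment: the same login query built two ways, to show that the flaw sits in the application's query construction rather than in the database server. Python's bundled sqlite3 stands in for the MySQL server under discussion (an assumption; the point does not depend on the engine), and the table contents and account are constructed.

```python
"""SQL injection is an application bug: a fully patched server executes
whatever statement the application hands it. The two login functions below
run against the same database; only the way they build the query differs.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with one ordinary account (assumed values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pw TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """String concatenation: user input becomes part of the SQL statement."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Parameterized query: input is bound as data and never parsed as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


# Textbook tautology input, included only so the fix can be verified against it.
# In the concatenated statement it turns the WHERE clause into
# (name = '...' AND pw = '') OR '1'='1', which is always true.
TAUTOLOGY = "' OR '1'='1"


def demo() -> dict:
    """Run both handlers with a legitimate login and with the tautology input."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_fixed": login_fixed(conn, "alice", "correct horse"),
        "bypass_vuln": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "bypass_fixed": login_fixed(conn, "nobody", TAUTOLOGY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```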

  23. Re:This is a sign of the real problem... on Michael Robertson Says Root is Safe · Score: 1

    Mocking people for being clueless does not actually make them smarter, nor does it impress them with your 31337 Haxor Skillz.

    The difference here is that we aren't mocking grandma, we are mocking the person that told grandma what's what. This person was potentially speaking from a position of perceived authority and his information is not only wrong, it's harmful. While it does serve as fodder for the more informed to make jokes, it also perpetuates the incorrect notions of those unfortunate uninformed that happen to take him seriously.

    It's true that mocking him doesn't accomplish anything, but let's at least be honest about who we are talking about.

  24. Re:Okay now... on Michael Robertson Says Root is Safe · Score: 1

    For all the above reasons as well as several others, I can think of no more effective way that Michael Robertson could have made me refuse to take him and any products that he is responsible for seriously. We are talking about fundamental, basic security concepts that are obviously flying over Mr. Robertson's head.

  25. What?? on Texas Bill to Filter Highway Rest Stop Internet · Score: 4, Insightful

    Sounds both wasteful and unconstitutional.

    Since when do we have the right to a free internet connection? Not only that, but the right to do whatever the heck we want on a connection that is by no means ours. Come on, that's taking it a bit far. I'm all for individuals' rights, and not letting the man go too far, but it seems like people are quick to cry unconstitutional sometimes, which is a shame, because it dilutes the impact of similar, legitimate claims.