Slashdot Mirror


User: mitcheli

mitcheli's activity in the archive.

Stories: 0
Comments: 258

Comments · 258

  1. Who at CBS and Paramount is trying so avidly to destroy the Star Trek canon? After all, they released rights to J J Abrams and crew for their completely disruptive "reboot" of the franchise (complete with lens flares). And now that the creators of that canon have decided to try and continue the tradition of Gene Roddenberry, they decide to file suit. Clearly, Dr. Watson, the game is afoot.

  2. Good, about time on Oracle Settles FTC Charges Regarding Deceptive Java Security Updates (ftc.gov) · · Score: 4, Insightful

    I noticed this a few months ago when I built a system and had it scanned for compliance and was getting hit with a several year old hole in Java. I was confused because I knew I upgraded Java on the system. Then I realized that the old version was still there. Truth be said, if I build a machine and I don't absolutely need Java on it, it doesn't get loaded. Same goes for Flash.

  3. Isn't it interesting... on China Blamed For Attack On Australian Bureau of Meteorology (abc.net.au) · · Score: 2

    "We have stressed that cyber security needs to be based on mutual respect. We believe it is not constructive to make groundless accusations or speculation." Then why do you keep doing it? Respect is earned, not given. Isn't it interesting that the brand new stealth fighter introduced by China looks an awful lot like the F-35 strike fighter produced by the US? And that the release was a short time after the release of the F-35... which took decades to design?

  4. Initial thoughts? on Cortana Coming To iOS, For 2000 Beta Testers (informationweek.com) · · Score: 1

    First, let's see if Apple lets this go through their App Store approval process. Memory serves, custom APIs are something that gets strict scrutiny. Likewise, if Mozilla can't get their own engine through with Firefox, what makes you think that Microsoft will be able to replace the Siri functionality? Second, Apple, who wrote the iOS platform, who integrated Siri, who dedicates a ton of resources to stopping jailbreakers (more so than any other security team in the company it seems) has had bugs where Siri was used to bypass protection measures. What makes anyone think that Microsoft will do any better? No thank you, I'd just as soon have as little Microsoft code running on my iOS devices as possible.

  5. Re:I paid the FBI on Tor Project Claims FBI Paid University Researchers $1m To Unmask Tor Users · · Score: 1

    "but this attack crosses the crucial line between research and endangering innocent users" ... There is a fine line between protecting the anonymity of Internet users from political oppression and aiding and abetting in a crime. Comments like this don't do well to keep that line clear.

  6. The Net / The Pelican Brief on EPA Gave Volkswagen a Free Pass On Emissions Ten Years Ago Due To Lack of Budget · · Score: 1

    This is starting to sound like the plot line to a mid nineties Hollywood movie.

  7. Obligatory on Soylent 2.0 Comes Bottled and Ready To Drink · · Score: 5, Funny

    I'm waiting for their Green formula.

  8. Viruses and worms on a Mac on Researchers Create Mac "Firmworm" That Spreads Via Thunderbolt Ethernet Adapters · · Score: 1, Insightful

    https://threatpost.com/writing... I appreciate the obligatory, and perhaps it'll be mod'ed to funny. But there's some truth in the statement, but not for reasons people believe. Macs are not really any more secure than any other OS. They do have better security models in the creation of their OSes than say Windows, but they aren't invulnerable. The biggest threat to Macs is complacency. The article from threatpost above breaks this down very well. I'm actually happy to see the flatworm concept attacking the thunderbolt firmware because it shows that simple file heuristics on Macs are insufficient for detecting adverse threats on the platform. Perhaps we'll start seeing better threat detection techniques for the OSX platform (or ANY threat detection on the iOS platform).

  9. Re:Security on Internet Explorer 11 Gains HTTP Strict Transport Security In Windows 7 and 8.1 · · Score: 3, Interesting

    Why does /. even bother posting Microsoft stories? It just brings out the cynical doomsayers who still live like it's 1995.

    As a Microsoft Doomsayer, I'm not immune from jumping on this article to predict the future of how new zero days will result in the mass pwning of Grandma's computers everywhere. That being said, I'm not blind to the fact that Apple is gaining an increased market share and that as time goes on, they will become an increasingly targeted platform as the profitability (be it in information or money) increases. Microsoft does have what appears to be a more responsive patch process than Apple. Apple is very slow at responding to reported exploits (albeit, Microsoft has been known to half-ass patch and to sit on patches as well). In any case, my biggest issue with this report is I'm curious how much community involvement Microsoft had with the development of this new protocol. In the past, they just create crap in-house without the involvement of industry partners (sometimes even closing them out of those conversations). The problem with this is there is less industry oversight on potential weaknesses and less input on modifications that can strengthen the underlying protocol. Protocols in particular are not something that needs to be developed by a small team of engineers without support of the industry as a whole, lest you get protocols like SMTP (whose author is on record as apologizing profusely for not building in security). So, as a Microsoft doomsayer, I shall sit back and wait with my "I told you so" in my back pocket. In the meantime, IE/Edge/whatever the hell they want to call it can stay off my computer thank you very much.

  10. Does this really surprise us? on Tor Connections To Hidden Services Could Be Easy To De-Anonymize · · Score: 2

    With every major Nation in the world trying to glean intelligence from Tor, every major law enforcement agency trying to track down child porn and drugs, and several very high profile leaks involving highly classified information that have caused extreme harm to several western countries (the US not being the only one), and with several academic professors intrigued; does it not surprise us that the protocol of Tor (to include Bridges and Hidden Services) would be analyzed and profiled to the tiniest of details to determine areas of exploitation of the protocol?

  11. But it might on Swedish Court Orders Seizure of Pirate Bay Domains · · Score: 1

    The problem with this idea is that as TPB migrates to additional domains, it leaves open a few possibilities. First, sites opposed to TPB will create malicious sites to try and spoof TPB to collect data, spread malware, and otherwise degrade the services that TPB offers. Second, while rapid DNS techniques are well implemented in malware like botnets, it's not a capability that the average Joe can keep track of, so without some form of front end that can track and change with the rotating DNS entries, people will get frustrated and stop using the service. And this is exactly what the opposition wants. It's time that many of these types of technologies go through redesign again. And they must be redesigned from the protocol level. TPB succeeded where Napster didn't because the content being traded was not hosted with TPB. But they are still centrally located for the purpose of search and front end to the users. Anytime a bellybutton can be poked, it will be. So the protocol must be designed to prevent ANY centralized management. Next, any protection mechanisms (trust models, etc) that are built into the protocols used must be extremely well thought out. When analyzing for protocol weakness, rules matter. If only certain nodes are allowed to be "trusted", then you can better bet that those wishing to exploit it will design a node to be trusted. Protocols must also be non-differential at all levels, from the handshake of the SSL layer down to the initial HELO to the transmission characteristics of how it sends data. If the protocol can be differentiated, it can be blocked, tracked, hacked, or otherwise interfered with. Simply wrapping it in Tor isn't going to work. There are ample talks out there on how Tor traffic can be characterized and interfered with.

  12. Re:Administrators? Administrators? Administrators? on Microsoft Releases PowerShell DSC For Linux · · Score: 1

    Um, no. Keep your filthy Microsoft hands off of my system. Security! Security! Security!

  13. Well then... on New Study Suggests Flying Is Greener Than Driving · · Score: 1

    When are we going to do something about the price and make it more competitive to driving?

  14. Re:Minecraft Mods on Ask Slashdot: How To Introduce a 7-Year-Old To Programming? · · Score: 5, Informative

    Minecraft Mods are an excellent way. My youngest latched onto those with no issues. Ironically, I tried to teach my 13 year old Apple's Swift language and he was totally uninterested, but my youngest is latching right onto it, finding ways to modify our test game we're working on, and reciting back to me what objects, methods, and attributes are. I think he even understands inheritance and method overrides. He's got the tree structure of nodes in SKNodeKit down as well. And he's 9. And to think, the 13 year old was the one who expressed a desire to learn how to write games. To each his own...

  15. Won't work in the US on Uber Finally Accepts Cash -- For Autorickshaws In Delhi · · Score: 2

    Cash payments, while really nice for the drivers, would open them up to attack. In markets like DC, Uber drivers have to have clear signage indicating they are driving for Uber (see how many you can spot on the street corner sometime). But if they have this signage, there's nothing saying they can't be carjacked or mugged.

  16. Re:There's a shock... on Apple Leaves Chinese CNNIC Root In OS X and iOS Trusted Stores · · Score: 3

    It somehow doesn't surprise me that Apple is still hosting the exploited CA cert. They released patches to a number of openssl (which OSX does use) that supposedly fix the high level vulnerabilities of late (Security Update 2015-3?) But at the same time, the version that's running is 1.0.1g ... and there have been several high level vulnerabilities such as the down channel exportable encryption bug that still haven't been addressed. Thinking Apple needs to step up their game!

  17. What does it all mean? on Patent Case Could Shift Power Balance In Tech Industry · · Score: 1

    While I like Apple just as much as any other Mac fan and have been known to be dinged as a troll when commenting on Microsoft posts, I have to ask myself one good question about all the litigation between Apple and the world. When will this litigation cross the threshold of aggressiveness and open up Apple to review by regulators as acting in a monopolistic fashion? (dread the thought! I have zero desire to run Internet Explorer on my iPhone.)

  18. Re:To see what happens... on NASA-ESA Project Will Shoot an Asteroid To See What Happens · · Score: 2

    So, does this mean that when this "smashed" asteroid's new trajectory causes it to hit another planet with sentient life that we will be at fault? How does that lawsuit work?

  19. Re:And now, your daily dose of tinfoil hattery on Hertz Puts Cameras In Its Rental Cars, Says It Has No Plans To Use Them · · Score: 1

    Mental note, no making out in a Hertz Rental car...

  20. Of all the stupidity on Lawsuit Claims Major Automakers Have Failed To Guard Against Hackers · · Score: 2

    Clearly some lawyer has some teenaged kids he's looking to put through school. But food for thought here. Having just gotten into analysing the ECMs in my car and figuring out how to analyse the performance characteristics of my car, I appreciate the ability to figure out what's going on with the vehicle without paying $1000's to the mechanic. That being said, I have serious doubts that a public/private key cryptographic authentication mechanism on the vehicle ECM would be shared with the consumer that purchased said vehicle and would ultimately eliminate the ability of people to work on their vehicles.

  21. Net Neutrality and its effects on Cell Providers? on House Republicans Roll Out Legislation To Overturn New Net Neutrality Rules · · Score: 1

    So some cell providers in the US provide "x" amount of GBs of data on a rate plan and when that data is used up, they turn off access to the Internet (blocking) and other providers will allow you to use "x" amount of data and then throttle back your remaining data (throttling) to dial up modem speeds (EVDO or less). Since these rules prohibit blocking and throttling, what will Net Neutrality do to cell phone plans?

  22. Re:even more interesting on NSA, GHCQ Implicated In SIM Encryption Hack · · Score: 2

    Gemalto is also a major supplier of US Government Common Access Cards (CACs).

  23. Re:Sanctions on NSA, GHCQ Implicated In SIM Encryption Hack · · Score: 2

    And would the same trade-sanctions be applied to France, Russia, China, North Korea, Canada, South Korea, Germany, Spain, Iran, Norway, Sweden, South Africa, Australia, Egypt, Israel, Syria, and the Federated States of Micronesia? (ok, took some liberties on that last one).

  24. Re:Fallout? on NSA, GHCQ Implicated In SIM Encryption Hack · · Score: 1, Funny

    Oh, let us not be delusional here. New SIM Cards with new keys will be available with the new Galaxy S6 and new iPhone 6s's. Problem solved.

  25. "People need to know — the public needs to k on In Florida, Secrecy Around Stingray Leads To Plea Bargain For a Robber · · Score: 2

    Whether or not the use of this technology is a violation of Constitutional Rights is really up to a Judge to determine. And as for "the people need to know", that's really pointless. The people are powerless to prevent the use of such technologies if their elected officials aren't doing anything to prevent the use of such technologies. The nature of globally connected communications in this era leaves open the avenue for exploitation of technology across vast distances. Cell phone intercepts, such as the ones in the article, firmware exploits such as the ones published last week, and any other manner of exploits are going to define the new normal. Unless laws are passed (and with the Patriot Act, I have severe doubts) that prohibit not only average citizens from engaging in these activities, but law enforcement as well, then we just need to suck it up and deal with it. For professionals in our field though, this does present us an opportunity to review our standards and identify logical risks associated with them and then to redefine them to take privacy and security in mind. Encryption designers need to up the bar and create stronger and more secure algorithms. Right now, there are only a small handful of manufacturers looking at this level (black phone?) but even they aren't digging deep enough.