Slashdot Mirror


User: Mathinker

Mathinker's activity in the archive.

Stories: 0
Comments: 1,998

Comments · 1,998

  1. Don't underestimate social engineering on DARPA Cyber Range Project Doomed to Failure · · Score: 1

    > Most vulnerabilities are flaws with the applications, architectures, systems and protocols themselves.

    Considering that the social engineering attack has been around since society started, as opposed to software and protocol vulnerabilities which are rather recent developments, I'd have to say that I think you're dead wrong (I assume, based on context, that your use of "system" didn't include society).

    This is in addition to the added argument that fixing software or protocol vulnerabilities on a society-wide basis is rather straightforward, whereas "fixing" social engineering attacks is mainly based on individual education (e.g., teaching people not to fall for particular attacks, or changing people's mindsets), or societal change (e.g., making biometric info an essential part of personal identification) which is not straightforward at all.

  2. Re:Anti-DDoS TCP/IP additions? on Researchers Tout New Network Worm Weapon · · Score: 1

    Thanks for the info!

    Yes, something like that, but designed for malicious overloading. But as I said, it would have to be enforced at the hardware modem level or the ISP level for it to be effective. Along with similar measures against packets with forged headers (so the replies actually return to the abuser).

    Maybe someday!

  3. Anti-DDoS TCP/IP additions? on Researchers Tout New Network Worm Weapon · · Score: 3, Insightful

    > Stopping DDoS attacks is even MORE important.

    What if a "you're DoS-ing me" reply packet was added to TCP/IP, which could be picked up at the ISP level and would (ideally) cause the ISP to throttle that user's bandwidth to the site in question for a short period of time?

    The problem with this kind of hacked-on solution is that it often causes other vulnerabilities --- in this case, what if the botnet was set up to spread faked "you're DoS-ing me" packets? One could hope that ISPs would filter such outgoing packets (from their home users), but given the general lack of cooperation of the ISPs against network hacking (or has this changed? Have any ISPs finally implemented egress filters for packets with faked headers nowadays?) I wouldn't hold my breath...
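
As an added illustration (not part of the comment, and not any ISP's code) of the two filters the comment wishes for: a BCP 38-style egress check that drops packets whose source address lies outside the prefix assigned to the customer port they arrived on, plus the policy of dropping the hypothetical "you're DoS-ing me" complaint packets when they originate from residential ports, so a botnet cannot forge them from there. The port names, prefixes, packet kinds and sample traffic are all constructed for the example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    port: str   # access port (customer) the packet arrived on
    src: str    # claimed source address
    dst: str
    kind: str   # "data" or "dos-complaint" (the hypothetical reply packet)


# Constructed: the prefix the ISP assigned to each residential access port.
ASSIGNED_PREFIX = {
    "home-1": ipaddress.ip_network("198.51.100.0/24"),
    "home-2": ipaddress.ip_network("203.0.113.0/24"),
}


def egress_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for a packet leaving a customer port."""
    prefix = ASSIGNED_PREFIX.get(pkt.port)
    if prefix is None:
        return "drop", "unknown port"
    # BCP 38: a residential port may only emit packets sourced from its own
    # prefix, so forged reply-to addresses are stopped at the first hop.
    if ipaddress.ip_address(pkt.src) not in prefix:
        return "drop", "spoofed source"
    # Policy from the comment: home users never legitimately emit the
    # "you're DoS-ing me" signal, so it cannot be forged from a home port.
    if pkt.kind == "dos-complaint":
        return "drop", "complaint from residential port"
    return "forward", "ok"


def filter_batch(packets: List[Packet]) -> Tuple[List[Packet], Dict[str, int]]:
    """Apply the filter to a batch; return (forwarded packets, drop counts by reason)."""
    forwarded: List[Packet] = []
    dropped: Dict[str, int] = {}
    for pkt in packets:
        verdict, reason = egress_filter(pkt)
        if verdict == "forward":
            forwarded.append(pkt)
        else:
            dropped[reason] = dropped.get(reason, 0) + 1
    return forwarded, dropped


# Constructed traffic: ordinary data, a spoofed source, and forged complaints.
SAMPLE = [
    Packet("home-1", "198.51.100.7", "192.0.2.10", "data"),
    Packet("home-1", "192.0.2.99", "192.0.2.10", "data"),            # forged source
    Packet("home-2", "203.0.113.5", "192.0.2.10", "dos-complaint"),  # bot-sent complaint
    Packet("home-2", "192.0.2.10", "192.0.2.200", "dos-complaint"),  # spoofed and forged
    Packet("home-2", "203.0.113.9", "192.0.2.11", "data"),
]

if __name__ == "__main__":
    fwd, drops = filter_batch(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {drops}")
```

The spoofed-source check runs before the complaint-kind check on purpose: a packet that fails BCP 38 is dropped regardless of what it claims to be, which is the property that makes the feedback signal safe to trust upstream.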

  4. Caching proxy server a better solution on Time Warner Cable Tries Metering Internet Use · · Score: 3, Informative

    > wouldn't it be worth setting up an internal mirror / patch distribution
    > server so you only need to pull the data down your internet pipe once?

    To mirror the entire Ubuntu update repository would probably be pretty wasteful unless his office is quite extraordinary. And just mirroring the files needed by one computer will not necessarily be OK for all the other ones, unless he's very careful to install packages only on an office-wide basis. I think a better solution for him would be to use a proxy (like Squid) to cache the update files.

  5. Not much on Researchers Simplify Quantum Cryptography · · Score: 3, Informative
    From Wikipedia:

    > Quantum encryption technology provided by the Swiss company Id Quantique was used in the Swiss canton (state) of Geneva to transmit ballot results to the capitol in the national election occurring on Oct. 21, 2007.[8]
    >
    > In 2004, the world's first bank transfer using quantum cryptography was carried in Vienna. An important cheque, which needed absolute security, was transmitted from the Mayor of the city to an Austrian bank.[9]

    Both of these look like special uses set up for publicity by vendors.

  6. Impossible to eavesdrop, otherwise, a big yawn on Researchers Simplify Quantum Cryptography · · Score: 5, Interesting

    The sexy part is that if there is a third party who tries to eavesdrop, the attempt will both fail and can be detected by the two communicating parties, and that the security of quantum cryptography has nothing to do with the lack of ability to factor large numbers, but is instead based on physical principles (quantum mechanics). Of course, the sensitivity to eavesdropping means that the system is probably vulnerable to a denial of service attack, depending on how the two communicating parties relate to eavesdropping.

    Otherwise, you are perfectly correct. Many cryptographers, including Bruce Schneier, believe that quantum cryptography is a solution to the wrong problem. Nowadays, most probably, the least secure part of your communication system isn't in your key distribution scheme, but is somewhere else --- like in social engineering, or the computer systems which deal with the decrypted cleartext.
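
An added simulation (not from the comment or any quantum-crypto product) of the two points above: a toy BB84 exchange in which an intercept-resend eavesdropper is detected through the error rate in the sifted key, and in which a persistently present eavesdropper means no key is ever established, which is the denial of service the comment anticipates. The photon model, the 0.11 abort threshold and the sample fraction are assumptions of the example.

```python
import random
from typing import List, Optional, Tuple

Bits = List[int]


def send_and_receive(n: int, eve: bool, rng: random.Random) -> Tuple[Bits, Bits, Bits, Bits]:
    """Constructed model of n BB84 photons. Returns (alice_bits, alice_bases,
    bob_bits, bob_bases); basis 0 = rectilinear, 1 = diagonal."""
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits: Bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state_bit, state_basis = bit, a_basis
        if eve:
            # Intercept-resend: Eve must pick a basis; a wrong guess gives her a
            # random result, and the photon she re-emits carries her basis.
            e_basis = rng.randrange(2)
            state_bit = state_bit if e_basis == state_basis else rng.randrange(2)
            state_basis = e_basis
        # Bob reads the bit correctly only when his basis matches the photon's.
        bob_bits.append(state_bit if b_basis == state_basis else rng.randrange(2))
    return alice_bits, alice_bases, bob_bits, bob_bases


def sift(alice_bits, alice_bases, bob_bits, bob_bases) -> List[Tuple[int, int]]:
    """Bases are compared over the public channel; keep positions where they agree."""
    return [(a, b) for a, ab, b, bb in zip(alice_bits, alice_bases, bob_bits, bob_bases) if ab == bb]


def estimate_qber(sifted, sample_fraction: float, rng: random.Random) -> Tuple[float, Bits]:
    """Sacrifice a random sample of sifted bits to measure the error rate;
    the remaining positions become the candidate key."""
    idx = list(range(len(sifted)))
    rng.shuffle(idx)
    k = max(1, int(len(idx) * sample_fraction))
    sample, keep = idx[:k], idx[k:]
    errors = sum(1 for i in sample if sifted[i][0] != sifted[i][1])
    return errors / k, [sifted[i][0] for i in sorted(keep)]


QBER_ABORT = 0.11  # assumed abort threshold; intercept-resend shows about 25% errors


def run_bb84(n: int = 2000, eve: bool = False, seed: int = 1) -> Tuple[float, Optional[Bits]]:
    """One key-establishment round. Returns (qber, key); key is None when aborted."""
    rng = random.Random(seed)
    sifted = sift(*send_and_receive(n, eve, rng))
    rate, key = estimate_qber(sifted, 0.25, rng)
    return rate, (key if rate <= QBER_ABORT else None)


def rounds_with_key(rounds: int, eve: bool) -> int:
    """Count attempts that yield a key. With an eavesdropper present on every
    round the count is zero: the tap is always caught, and no key ever results."""
    return sum(1 for r in range(rounds) if run_bb84(eve=eve, seed=r)[1] is not None)


if __name__ == "__main__":
    print("no eavesdropper: qber", run_bb84()[0], "rounds with key", rounds_with_key(5, False))
    print("intercept-resend: qber", run_bb84(eve=True)[0], "rounds with key", rounds_with_key(5, True))
```

The 25% figure follows directly from the model: Eve guesses the wrong basis half the time, and in those cases Bob, measuring in Alice's basis, gets a random bit, so half of those are wrong.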

  7. Made _your_ blood boil, obviously on Supercomputer Built With 8 GPUs · · Score: 1

    Looking at the last sequence of three posts in this thread, it seems obvious whose blood is boiling. LOL

  8. Personally, I'd add disclaimer to my self-link on Supercomputer Built With 8 GPUs · · Score: 1

    > Check out my blog post Nightmare on Core Street ....

    There, fixed that (IMNSHO) for you...

  9. GSM == practically no lock-in on FCC To Hold Hearings On Early Termination Fees · · Score: 1

    No, he might be referring to the fact that in many European countries, one service possibility is that your phone provider gives you a GSM sim, and you are able to stick into any standard GSM phone. So he might even be using a ten-year-old phone (if such a monster exists) or a phone which someone else gave him for free (e.g., after buying a better one).

    OTOH,

    > It sounds more likely that these contracts exist in at least some parts of Europe.
    > Is this the case?

    Yes. In addition to the other possibilities (of which "provide your own phone" is one) which seem to be lacking in the States.

    > hundreds of dollars?

    Where I live I can buy a totally-no-frills new GSM phone for the equivalent of $70.

  10. Use explicit sarcasm tags on UK Proposes Banning Computer Generated Abuse · · Score: 2, Insightful

    From my experience reading Slashdot: it's always better to use explicit <sarcasm> tags; with so many readers, someone isn't going to get it if it's subtle.

    Oh, and you might need to type &lt; (or gt) to get the tag delimiters to display OK.

  11. Editing? on UK Proposes Banning Computer Generated Abuse · · Score: 1

    Bart's universe has an Edit button...

    Not that I particularly like only being able to watch edited versions of creative works, mind you.

  12. Dual of xkcd's "virus zoo"! on Adobe Flash Zero-Day Attack Underway · · Score: 1

    > XP/Vista/Slackware and Mandriva .... and the odds of none
    > of the 4 seeing something odd are just as slim.

    You're telling me that from each of those 4 OS's you run virus/malware scans on the other 3? I'm impressed at that setup. It's the dual situation to the following widely-posted-on-Slashdot xkcd comic.

    When do you have time to do real work / play with them?

    BTW, I wouldn't be so sure that your scanners are going to pick up everything. Anything which is specially targeted has a fairly good chance of slipping under the wire, the scanners mainly pick up "mass infection" tools and attacks. Of course, unless there is something special about your computers (like being in an especially interesting IP address block) you probably won't get specially targeted.

  13. Flash dependent sites on Adobe Flash Zero-Day Attack Underway · · Score: 5, Interesting

    > That's what temporary permissions are for.

    Yes, I use them all the time, but what does that really mean? After I temporarily enable Flash/JS malware for a badly designed site which is just not viewable without them, I'm not going to get temporarily "pwned". It's already "game over".

    Except for times like this, if the choice is enabling JS/Flash, or not getting information I was interested in, my thirst for information wins, all other things being equal (i.e., the URL looks like a legitimate one, etc.)

    I never enable JS or Flash in order to see sites which I get to through advertisements, however.

  14. Re:Irrefutable? Then it's NOT science! on Avalanche Effect Demonstrated In Solar Cells · · Score: 1

    Not quite sure if your comment is serious or just an attempt to wring out a few Funny mods, but anyway:

    > then the statement is not science by your own definition.

    You're right, it's not. It's a philosophical statement about the meaning of the word "science".

  15. Hasn't hit Slashdot yet, anyway on OLPC's XO As a Wireless Hacking Tool · · Score: 1

    I think he assumes that most of the XO laptops will be used just like ordinary kids use computers. This is "cool" in that the kids involved ordinarily wouldn't have the opportunity, but it's not "cool" in the geeky-cool sense.

    Eventually, we'll also be hearing about some of those kids doing geeky-cool stuff with their XO, but AFAIK no story like that has hit Slashdot.

  16. My guess is that you miss the point on Atari Founder Proclaims the End of Gaming Piracy · · Score: 1

    Actually, I'd say that if the hypervisor is cracked enough to allow Linux access to 3D, then it's also probably cracked enough that it could be subverted for use as a tool to bypass the DRM on ordinary PS3 games, or assuming it's responsible for the DRM in the first place, cracking the hypervisor would probably mean you're already finished.

    Perusing the info IBM supplies, I come to the conclusion that if the hypervisor is cracked by discovering the "Hardware Root of Secrecy" which is a kind of master key embedded in the PS3's CPU, then it's "game over" for DRM on the PS3.

    One possible way of finding that key requires a lot of work with an electron microscope, I'd guess. There are others, but they also require a lot of exotic hardware, know-how, and hard work.

    When you compare the DRM on the PS3 and on MS consoles, it kind of puts the STI initiative which invented the Cell CPU used in the PS3 in perspective: Sony gets good DRM by picking IBM's brain, and IBM gets a powerful CPU whose development is backed by a popular consumer device by "picking" Sony's market share.

  17. Irrefutable? Then it's NOT science! on Avalanche Effect Demonstrated In Solar Cells · · Score: 5, Insightful

    There is no such thing as irrefutable in science. In fact, some people attempt to define science as the pursuit of knowledge which can be corroborated and refuted using the "scientific method" (to preempt a lot of comments: I said "attempt to define", because this definition rapidly becomes circular unless you are very careful, and it is not clear that defining the "scientific method" is easier than defining science itself).

    OTOH, I rather doubt that the scientists themselves claimed irrefutability here. The journalists are probably to blame.

  18. Mid-Air Correction? on Gaining System-Level Access To Vista · · Score: 1

    It might have been a suggestion that the poster play a lot of Ultimate over the weekend so he/she would have a better chance at doing a fancy Mid-Air Correction on the disc?

  19. Probably not on Giant Floating Windmills To Launch Next Year · · Score: 1

    Considering the number of Slashdotters who must have had experiences being in failed startups, I rather doubt you're the only one.

    But if you still need to hang on to that feeling of uniqueness, don't worry --- I personally didn't read it that way!

  20. Whoosh! on I Will Derive · · Score: 1

    And you think it would have been funnier if it had been made with standard MTV production values?

    Sometimes being bad is the point. It's called camp.

    But perhaps you have to be someone who watched Batman on television as a child and later saw it as an adult in order to understand...

  21. OMG, not even one funny mod? on I Will Derive · · Score: 1

    OK, your comment wasn't orders of magnitude more funny than the video, but I just can't believe no one modded you Funny rather than Insightful (although I admit that your post is funny because of the contrast between the sarcastic insight vs. the sudden switchover to vulgarity at the end).

    Anyway, personally I found your post funnier than the video (which itself wasn't bad, well, at least not unintentionally bad) --- thanks!

  22. Might be OK on Closing the Cover on Microsoft Book Scanning · · Score: 1

    The article says that MS is transferring control of the scanning hardware to the participating institutions, so that they can continue to scan, and presumably, do whatever they want with the data.

    I wonder if that includes donating it to Google Books. It seems so! (but I'm in an optimistic mood today)

    > We are also removing our contractual restrictions placed on the digitized library content and making the scanning equipment available to our digitization partners and libraries to continue digitization programs.

  23. Interesting privacy backdoor on Beetle Naturally Builds Photonic Crystals · · Score: 0, Flamebait

    I find it more ironic that you're telling us that probably leaks out some of your private information, assuming that you are not taking positive measures to prevent Google from accumulating a search profile. And even if you are, the info would tell us something about the searches associated with your IP address.

    Personally, I get many more geek points; my ads were for:

    * Optical System Design - ZEMACS
    * The Theory of Everything
    * Spectral Products : Fiber/LED/tunable light sources

  24. "set up" is ambiguous, no on Estonian Cyber Defence Hub Set Up · · Score: 1

    I first read the title expecting to see some kind of uber-social-engineering against an existing defense hub. I'd wonder if the ambiguous use of "set up" was actually intentional, but yes, I'm familiar with Hanlon's Razor.

  25. 16 bits of entropy are guessable on Debian Bug Leaves Private SSL/SSH Keys Guessable · · Score: 1

    The bad version could only generate 2^16 unique keys for each length of key. The only source of entropy for those keys was the process ID.
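
An added illustration (not the comment's or Debian's code) of why a 2^16 keyspace is "guessable" and how a defender audits for it: a constructed stand-in generator whose only entropy is a 16-bit seed, the full enumeration of every fingerprint it can produce, and a blacklist check in the spirit of the precomputed weak-key blacklists Debian shipped as remediation. The generator, the fingerprint format and the seed space size (taken from the comment's 2^16 figure) are assumptions of the example, and it produces no real keys.

```python
import hashlib
import secrets
from typing import FrozenSet, Iterable, List

SEED_SPACE = 2 ** 16  # the comment's figure for distinct keys per key length


def toy_keygen(seed: int) -> str:
    """Constructed stand-in for a generator whose only entropy is a 16-bit seed
    (the role the process ID played). Returns a hex 'fingerprint' derived
    deterministically from the seed; it is not a real key."""
    return hashlib.sha256(b"toy-keygen-v1|" + seed.to_bytes(2, "big")).hexdigest()


def fresh_fingerprint() -> str:
    """Stand-in for a key from a properly seeded generator (32 random bytes)."""
    return hashlib.sha256(secrets.token_bytes(32)).hexdigest()


def build_blacklist() -> FrozenSet[str]:
    """Enumerate every fingerprint the weak generator can ever produce.
    2^16 SHA-256 calls finish well under a second on a laptop, which is the
    whole point: the complete space fits in memory."""
    return frozenset(toy_keygen(s) for s in range(SEED_SPACE))


def is_weak(fingerprint: str, blacklist: FrozenSet[str]) -> bool:
    """Defender-side check: is this key one of the predictable ones?"""
    return fingerprint in blacklist


def audit(fingerprints: Iterable[str], blacklist: FrozenSet[str]) -> List[str]:
    """Return the fingerprints from an inventory that must be replaced."""
    return [fp for fp in fingerprints if is_weak(fp, blacklist)]


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct keys the weak generator can produce:", len(bl))
    inventory = [toy_keygen(4242), fresh_fingerprint(), toy_keygen(7)]  # constructed
    print("keys to replace:", audit(inventory, bl))
```

Auditing this way needs only public material (fingerprints of public keys), so it can run over an authorized_keys file, a certificate store or an inventory export without touching any private key.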