So question to AC - what social standard to follow? Is there one that guaranteed to never offend arbitrary large number of people of diverse cultural backgrounds and random levels of unreasonableness?
Yes, chances of lynch mob happening to you are rather slim. So are chances of getting run over while crossing the street, yet we still look both ways.
I still disagree. The fact that "that incident" initiated outside of social media and only progressed via it changes nothing. Fundamentally, you have to deal with a) lack of control over your audience b) "internet never forgets" c) disproportionate response with arbitrary social standards.
For example - you have different standards of acceptable behavior - a) in a sports bar with your friend b) at the funereal of your friend's mother. While in a) jokes about your friend's mother are entirely acceptable, if someone were to bring them up during b) it would cause you major social embarrassment regardless of acceptability in initial context/settings.
I avoid non-professional use of social media, and I am sure as a result I am on some-or-another list of deranged killers to be watched full time.
This does create superficial social problems, but people that want to get instantly in touch with me can still use their always-connected smartphones to place ISDN call.
>>> the thought police haven't descended from their black helicopters yet.
What about *-ism Internet lynch mob that would make you unemployable by disproportionally and retroactively applying arbitrary social standards? Make sure to never make any jokes that could be misunderstood, especially about forking builds and dongles. What about political views? I am sure you agree with every political creed, from tree-hugging hippies to anarcho-libertarian conservatives and nobody would ever take an offense. What about your asshole boss that would use a picture of you legally and responsibly consuming legal substances as an evidence of substance abuse and discriminate against you at your workplace? What about deranged stalkers?
Yes, because keeping safe from black helicopters is why people value their privacy.
Yes, a smartphone is a hack-job idea, but it did take off because not-the-phone part of a smartphone was in demand. People want portable computing-entertainment device with an internet connection. It happens that that functionality got strapped to a phone, because phone already had "portable technology" aspect solidified in people's minds. It could have easily been a smartcalculator or smartcar-keys and it would have been used in exactly same way as a smartphone. Too bad for people that still want a cellphone because they need to call on the road, because most smartphones actually suck at calling part and require mic-headphones plug-in addon to be any good at it.
Sadly browser wars turned into the race to rebuild AOL. Why so much bloat? Browser should do one, and only one thing well - render web pages. Native client? Web Payments? Why not throw in TurboTax, because more the merrier, right?
They attempted polymorphism with they key change. Fireeye blog stated: "this 4-byte key is present at offset 0 and changes with each subsequent beacon.". I have no idea how effective this would be, but my guess is that it would defeat all off-the-shelf detectors. If you use static key AV vendors simply add a rule to signature detection. Cryptographically speaking, exploit authors are not 'encrypting' this to keep data secret, or they wouldn't use 4-byte key.
Re:" Copy of the code and exploit" You have exploit and you have payload. Exploit is always there in pcaps and whatever website that got compromised and serving this, so it is very difficult to completely hide it. Not sure if "memory only" makes it any more difficult for forensic analysis, since payload (trojan) is still there. Attacker wouldn't be uploading such 'red flag' payload if they wanted to keep intrusion hard to detect. This tells me it was likely a smash and grab job.
In this specific case XOR with the short key appears to be used as a method to avoid heuristic detection. If left in plaintext things like kernel32.WriteProcessMemory will trip exploit detectors even if you have Zero-Day.
Disappears on reboot is a limitation, not a feature. If you get root you could always remove payload, if it disappears on its own then it is likely limitation of specific sandbox bypass method. If I had to guess, Zero-Day is related to ElevationPolicy fix for CVE-2013-3186.
APT is the new buzzword in IT security, like Web 2.0 for web developers or Cloud for the server guys. APT means bad guys of moderate sophistication all the way to government agencies, so everyone but script kiddies running standard exploit kits.
>>>Twitter can determine when, where, and from what IP address an account is created.
I expect./ crowd to at least understand that IP is not a reliable identifier. Twitter can only reliably determine when, everything else they know only if bot creator did not bother to spoof it. Behavior-based detection is also problematic - you can easily scrape existing activity, filter out swearing and specific identities, substitute location identifiers for something local and have 100% undetectable bot.
Example: Scrape small-town phone book, run permutation algorithm on second name and street # to avoid collision with real people (but keep everything else intact), add random gender-appropriate picture and follow a random set of big news and artists at creation. Pipe this through TOR, stagger your account creation to avoid tripping volume detection and mind timezones for posting and registering. Proceed to post random scraped tweets that are filtered for positive-biased sentiment.
/. crowd is getting older, and older you get more likely are you to become/identify conservative. There is actual research backing this up, but I am too lazy to look it up for you. I think this is why we see a lot of TP nuttery appearing over here and not because paid shills and PR firms.
With Silicon Valley so bent on "frictionless" experience for the mobile and "grown now, monetize later" there is no practical way to secure any of the existing social networks. One only need to reverse engineer mobile API, rip the keys and you are good-to-go creating fake accounts based on the phone book via TOR or rented botnet. Not everyone can do this, but we are getting close to where tools like Dalvik emulators and smali will let moderately talented skript kiddies to pull it off.
What I described above will not kill Twitter, spam is expected and humans did tolerate a lot of it with email without giving up on the platform. For now it is still possible to detect crude tweet scraping and attribution-less reposing with creative use of geolocation, sentiment analysis and so on. So if spam volume goes up, then you can throw resources at keeping it down.
What will kill Twitter is the first hack that manages to integrate natural language algorithm with tweeter bots. I can't think of a way to counter this without draconian clamp-down on account creation.
Sure, but they chose to make it a bit harder. So what? The article did no demonstrate that it was unreasonably difficult, just whined that some kid failed it (probably author's).
I disagree with the premise that just because the question is difficult, it is bad question and should be removed.
Exactly, if nearly every child gets nearly 100% on every test, then these tests are useless. You test to measure both ability and familiarity with the material. Otherwise why not just assign grades solely based on attendance?
Yes, and time matches on. You are now expected to know more and earlier. Expecting to know 5+1 = 6 is not outrageous requirement for a 5 year old, nether is basic interpretation skills.
Today's society is mainly intellectual, no longer strong backs and soft minds have any useful place. We have machines to run production lines and mine coal. If we as a nation don't shape up other nations will take our place.
As much as I dislike MS, having Google that is in business of collecting and aggregating information about us ALSO be default office tools provider is even worse.
How long would it take to have mandatory Google+ integration to use it? Thanks, but no thanks.
There is nothing wrong with these test, if little Johnny isn't the sharpest knife in the drawer - then he shouldn't be getting As in math. On other hand if teachers don't get such basic logic questions they have no place teaching math.
Culture of "everyone passes regardless of merit" does no favors to our nation.
Slashdot Mirror
So question to AC - what social standard to follow? Is there one that guaranteed to never offend arbitrary large number of people of diverse cultural backgrounds and random levels of unreasonableness?
Yes, chances of lynch mob happening to you are rather slim. So are chances of getting run over while crossing the street, yet we still look both ways.
I still disagree. The fact that "that incident" initiated outside of social media and only progressed via it changes nothing. Fundamentally, you have to deal with a) lack of control over your audience b) "internet never forgets" c) disproportionate response with arbitrary social standards.
For example - you have different standards of acceptable behavior - a) in a sports bar with your friend b) at the funereal of your friend's mother. While in a) jokes about your friend's mother are entirely acceptable, if someone were to bring them up during b) it would cause you major social embarrassment regardless of acceptability in initial context/settings.
I avoid non-professional use of social media, and I am sure as a result I am on some-or-another list of deranged killers to be watched full time.
This does create superficial social problems, but people that want to get instantly in touch with me can still use their always-connected smartphones to place ISDN call.
>>> the thought police haven't descended from their black helicopters yet.
What about *-ism Internet lynch mob that would make you unemployable by disproportionally and retroactively applying arbitrary social standards? Make sure to never make any jokes that could be misunderstood, especially about forking builds and dongles. What about political views? I am sure you agree with every political creed, from tree-hugging hippies to anarcho-libertarian conservatives and nobody would ever take an offense. What about your asshole boss that would use a picture of you legally and responsibly consuming legal substances as an evidence of substance abuse and discriminate against you at your workplace? What about deranged stalkers?
Yes, because keeping safe from black helicopters is why people value their privacy.
Yes, a smartphone is a hack-job idea, but it did take off because not-the-phone part of a smartphone was in demand. People want portable computing-entertainment device with an internet connection. It happens that that functionality got strapped to a phone, because phone already had "portable technology" aspect solidified in people's minds. It could have easily been a smartcalculator or smartcar-keys and it would have been used in exactly same way as a smartphone. Too bad for people that still want a cellphone because they need to call on the road, because most smartphones actually suck at calling part and require mic-headphones plug-in addon to be any good at it.
Sadly browser wars turned into the race to rebuild AOL. Why so much bloat? Browser should do one, and only one thing well - render web pages. Native client? Web Payments? Why not throw in TurboTax, because more the merrier, right?
^^^ Mod parent up please.
To answer your question - one is controlled entirely by exploit/malware authors and other is not.
They attempted polymorphism with they key change. Fireeye blog stated: "this 4-byte key is present at offset 0 and changes with each subsequent beacon.". I have no idea how effective this would be, but my guess is that it would defeat all off-the-shelf detectors. If you use static key AV vendors simply add a rule to signature detection. Cryptographically speaking, exploit authors are not 'encrypting' this to keep data secret, or they wouldn't use 4-byte key.
Re:" Copy of the code and exploit"
You have exploit and you have payload. Exploit is always there in pcaps and whatever website that got compromised and serving this, so it is very difficult to completely hide it. Not sure if "memory only" makes it any more difficult for forensic analysis, since payload (trojan) is still there. Attacker wouldn't be uploading such 'red flag' payload if they wanted to keep intrusion hard to detect. This tells me it was likely a smash and grab job.
In this specific case XOR with the short key appears to be used as a method to avoid heuristic detection. If left in plaintext things like kernel32.WriteProcessMemory will trip exploit detectors even if you have Zero-Day.
Disappears on reboot is a limitation, not a feature. If you get root you could always remove payload, if it disappears on its own then it is likely limitation of specific sandbox bypass method. If I had to guess, Zero-Day is related to ElevationPolicy fix for CVE-2013-3186.
APT is the new buzzword in IT security, like Web 2.0 for web developers or Cloud for the server guys. APT means bad guys of moderate sophistication all the way to government agencies, so everyone but script kiddies running standard exploit kits.
Problem with captchas is that they are impossible on mobile devices. Unless you are willing to lock mobile user creation captchas cannot be used.
>>>Twitter can determine when, where, and from what IP address an account is created.
./ crowd to at least understand that IP is not a reliable identifier. Twitter can only reliably determine when, everything else they know only if bot creator did not bother to spoof it. Behavior-based detection is also problematic - you can easily scrape existing activity, filter out swearing and specific identities, substitute location identifiers for something local and have 100% undetectable bot.
I expect
Example: Scrape small-town phone book, run permutation algorithm on second name and street # to avoid collision with real people (but keep everything else intact), add random gender-appropriate picture and follow a random set of big news and artists at creation. Pipe this through TOR, stagger your account creation to avoid tripping volume detection and mind timezones for posting and registering. Proceed to post random scraped tweets that are filtered for positive-biased sentiment.
/. crowd is getting older, and older you get more likely are you to become/identify conservative. There is actual research backing this up, but I am too lazy to look it up for you. I think this is why we see a lot of TP nuttery appearing over here and not because paid shills and PR firms.
I spent my reward on ALE and WHORES!
With Silicon Valley so bent on "frictionless" experience for the mobile and "grown now, monetize later" there is no practical way to secure any of the existing social networks. One only need to reverse engineer mobile API, rip the keys and you are good-to-go creating fake accounts based on the phone book via TOR or rented botnet. Not everyone can do this, but we are getting close to where tools like Dalvik emulators and smali will let moderately talented skript kiddies to pull it off.
What I described above will not kill Twitter, spam is expected and humans did tolerate a lot of it with email without giving up on the platform. For now it is still possible to detect crude tweet scraping and attribution-less reposing with creative use of geolocation, sentiment analysis and so on. So if spam volume goes up, then you can throw resources at keeping it down.
What will kill Twitter is the first hack that manages to integrate natural language algorithm with tweeter bots. I can't think of a way to counter this without draconian clamp-down on account creation.
Sure, but they chose to make it a bit harder. So what? The article did no demonstrate that it was unreasonably difficult, just whined that some kid failed it (probably author's).
I disagree with the premise that just because the question is difficult, it is bad question and should be removed.
Exactly, if nearly every child gets nearly 100% on every test, then these tests are useless. You test to measure both ability and familiarity with the material. Otherwise why not just assign grades solely based on attendance?
Yes, and time matches on. You are now expected to know more and earlier. Expecting to know 5+1 = 6 is not outrageous requirement for a 5 year old, nether is basic interpretation skills.
Today's society is mainly intellectual, no longer strong backs and soft minds have any useful place. We have machines to run production lines and mine coal. If we as a nation don't shape up other nations will take our place.
As much as I dislike MS, having Google that is in business of collecting and aggregating information about us ALSO be default office tools provider is even worse.
How long would it take to have mandatory Google+ integration to use it? Thanks, but no thanks.
There is nothing wrong with these test, if little Johnny isn't the sharpest knife in the drawer - then he shouldn't be getting As in math. On other hand if teachers don't get such basic logic questions they have no place teaching math.
Culture of "everyone passes regardless of merit" does no favors to our nation.
No, you again misunderstand the problem. Defense was bypassed not penetrated.
Here is car analogy to help you understand - you have a perfect car alarm, but you car can still get towed away in a sound-proof truck.
Can someone explain this with a car analogy?
Get auto shut off power outlet. It will turn itself off.