Wait till your corporation's trade secrets are leaked because the FBI's collector was insecure.
So the scenario is someone is selling hard drugs / distributing child porn / etc from a corporate VPN? Wouldn't the FBI just ask the company to provide the logs, and wouldn't the company gladly comply?
I don't think corporate VPNs will be much affected/troubled by this.. Only the VPNs that market themselves as hiding internet users are likely to be affected I would say.
Not saying whether that's good or bad, I've not got enough info to know. I would be interested to know why they don't want to give any details in these cases, since I can't think why it should be any more or less private than a regular wiretap (not "hack" as the title misleadingly states).
(It's 2015 and I still need to put <br/> for newlines.. Come on guys.)
I don't think this is / will be specifically aimed at Hollywood (we Australians do have a small film industry).. I think that was just a rabble-rousing association made by someone who wants to whip up opposition.
That you're a content creator who wants his work protected and you oppose it because of an implication it's for Hollywood shows how effective this tactic is.
FYI I am also a content creator (software dev), but since I write business software that isn't distributed and my personal software is open-source, I do appreciate the benefits of the status quo (though the proposal isn't particularly hard-line anyway), I don't have strong views on this. I just wouldn't get too foamy at the mouth about an implied association.
You'd need to exploit the browser in such a way that you can POST to the modem with a custom user agent set, that'd be a pretty serious exploit, and I'd be more worried about that. You could then use the modem to try and trick around with DNS to get on other machines, but it'd be hard to do transparently. It would all have to be pretty well tailored.
Anyway I'm not saying this isn't a security hole that needs to be fixed, but that the idea that this shows the need for increased regulation is nonsense.
I'd be more worried about your level of reading comprehension being recorded for posterity.. "If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you."
This bug is only exploitable if you enable WAN administration
All internet traffic involving money / confidential data should be (and pretty much always is) encrypted
If you are sending important unencrypted data over the wire you can just listen to the wire
Do you really want to pay for the routers you buy to go through a bureaucratic process to establish whether the software (including third party software) has been thoroughly tested? Should that include the component parts like the processors, thttpd, linux? What would that legislation look like? How would it be enforced for overseas companies?
You'd probably get equally indignant if such legislation actually passed based on your knee-jerk reaction and US router prices shot up. ("But what about the starving family with only $100 budgeted for their router?")
And even if they could access his router you would hope confidential business info would be encrypted anyway.. If he was transmitting commercially valuable info unencrypted via his modem and his competitors resorted to spying they could just listen in on the cable leaving the building.
From d-link.com executive team page: "Born in 1952, Roger Kao graduated from Tamkang University with a degree in Electrical Engineering. He went on to earn his Master’s Degree in Electrical Engineering and Computer Science from National Chiao Tung University where he also served as an Associate Professor."
Really though, if you don't know whether third party software embedded in a few of your huge range of products contains a hidden backdoor when a rarely used feature is activated, what kind of CEO are you?
Oh yeah, hell hath no fury like a D-Link customer scorned; when they find out their cheap disposable routers have a flaw in them they'll need to send in the army.
Yes government should get involved in the design of routers, and write laws about software code vetting. After all the huge extra costs would be absorbed by the shareholders, not us.
If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you.
Then again, since anyone can be a Tor node, and there are never enough Tor nodes, and Tor nodes are more likely to be used for shady activity, it just takes a decent percentage of Tor nodes to be compromised and you can pretty quickly build a picture of who common clients are and who they are talking to. For a server it can't be too difficult, with government resources, to track someone down through Tor nodes. I'd say with a decent sized botnet and enough time you'd be able to chip away at anonymity without much difficulty.
Far more lives were affected by the lockdown than by the bombing itself. Who are these hypothetical "someone"s you speak of? The victims' families?
I meant affected in a non-trivial way. My life has been "affected" by reading about it, and someone who was advised to stay indoors while they caught the suspects was "affected", but to say your life has been affected by it in a way that can be counted against someone who had a leg blown off is an insult.
Civil panic would be a horrible way to "honor" the death of one of my loved ones.
Civil panic being "Please stay indoors while we finish chasing down the other person who did this to your loved ones" ? I guess in that situation you would probably have places you need to be though, and who cares if having everyone moving around while an armed chase plays out makes casualties/hostage taking/escape more likely?
170 marathon runners / spectators were wounded and children were killed in this attack intended to kill/maim as many innocent people as possible.
What does this have to do with neighborhood gun crime, or car crime, or whatever? If those gunmen had indiscriminately opened fire on a crowd of people, just because they wanted to maximize the damage, and 170 people were maimed and children were killed, I am sure you would get a similar response. (And presumably there would be people saying "that's nothing: in the neighborhood I live in people have got stabbed and mugged before and there was no lockdown then! this is becoming some kind of fascist state!")
It is so embarrassing seeing people in this discussion saying how few people were killed, what a terrible thing it is that Boston was locked down for a day, and how could the police do that.. I just cringe at the thought of someone whose life was affected reading some of the comments in this discussion.
If they ever get 20 guys again like 9/11 and they all just get rifles and randomly start shooting people all over the country like the Washington sniper did, this country's going to become a police state if the police react like this.
Right; more people are killed by car accidents every day than by 20 snipers taking out people at random across the country. I say in that situation the police should ignore the snipers and go look for drunk drivers and speeding!
Frankly until terrorists are killing more people within the US than cancer and heart disease put together, I don't see much point going after it.
It becomes normal to do what some community colleges in my area are doing, which is to have an active shooter drill once a year in which adult college students are locked in a dark room for 30 minutes and told they can't leave. (This passive response is, BTW, not at all in line with what experts recommend in such a situation.)
Awwww.. did that 30 minute emergency drill ruin your day?
And I thought the people whose limbs were blown off and children were killed had it bad.. We need to realign our priorities!
A couple of people execute a plan to blow hundreds of innocent athlete/spectators' limbs off,
The police use technology to work with the public to catch/kill them in a matter of days with no additional casualties,
Some Americans then go wallow in self-hatred over either
How scared they are of the police intruding on their freedom,
Or how easily scared they are.
I can't believe people are saying to the effect of "only three people died, less than the deaths caused by normal crime." Surely there is a difference between those looking to maim hundreds of innocent people and the sum of everyday crime?
How can people be so wishy-washy about this? A couple of complete assholes have just ruined hundreds of people's lives, and people feel conflicted about the manhunt that ended in their death and arrest?
And I'm sure if Forbes wrote "Bitcoin is a fantastic idea, I fully support it" you would be saying "oh he is just taking the contrary position because he knows reverse psychology blah blah blah" ?
Maybe (just.. maybe) he says he doesn't think Bitcoin is money because he doesn't think Bitcoin is money?
* (we Australians do have a small film industry)
.. content creators (a.k.a. Hollywood)
How about this one from a month ago?
You can also compare Apple's 2095 vulnerabilities for 97 products to D-Link's 43 vulnerabilities for 40 products.
Yup Apple's wifi kit would never allow unfiltered IPv6 traffic into your internal network by default, or expose filenames of attached disk drives to unauthenticated users.
You should definitely be feeling pretty smug.
First step on the Moon was a gravely important mission, but it was easy for Neil Armstrong to do it...
Great point. You win.
They probably just descramble the firewall....
I'd say it's a big sign of a certain OSS developer's immaturity.
I really hope people aren't taking that comment literally by the way..
Shutting down a city's public spaces destroys trust, [blah blah blah]. And to what end?
Catching the people who injured 170 people and killed 3 in a terrorist attack.
"Anonymous coward" and proud of it...
Don't give a damn, and indifferent about it...