Slashdot Mirror


User: jesseck

jesseck's activity in the archive.

Stories: 0 · Comments: 254

Comments · 254

  1. Re:Incompetent on Anatomy of the HBGary Hack · · Score: 4, Interesting

    I also wonder though, how much of that was brought on by the corporate culture. My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time. And maybe they required root access frequently. All it takes is one previous time of Jussi refusing to pass that info out and resulting in a "we pay your ass, do it when I tell you to!" reprimand, and Jussi will have been changed by the corporate environment to jump when the COO or CEO says to via email. Poor security practices, definitely. But often corporate culture leads to these poor practices. Everyone tries to start out doing the right thing, but often push it aside in favor of "the easy way".

  2. Definitely interesting.... on Anatomy of the HBGary Hack · · Score: 3, Interesting

    I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security). And the poor admin who gave out root, dropped firewalls, and gave up the correct username all via email- that's a bummer. I bet that will be among his "worst day ever" collection. As for shared passwords, I'm sure a lot of us work at guilty companies. Hell, Active Directory exists partially to address the need for multiple passwords. In all, I enjoyed reading how it was done- quick, efficient work.

  3. Re:Net loss, still not a profit on Record Labels To Pay For Copyright Infringement · · Score: 1

    But this was expected to be a loss from the start- they were purchasing the copyrighted materials with this money but essentially withholding payment. So, as far as it goes, the money was "spent". However, they made interest on this money while waiting to finally pay the bill- making it a gain.

  4. Re:Paypal provided IRC server list? on FBI Raids Texas ISP For Anonymous DDoS Info · · Score: 2

    There's nothing that says PayPal couldn't have joined in with Anonymous and DDoS themselves... all it would take is a network admin to join the attack and watch the packets. All of a sudden, he becomes an "investigator"- making it sound like PayPal has their own black ops team, working hand-in-hand with the FBI. Of course, the FBI could do the same, or be wiretapping the data center without a warrant, and claim it was PayPal that gathered the info.

  5. With .XXX this won't be hard on UK Gov't Wants To Block Internet Porn By Default · · Score: 2

    If all porn sites are forced to use .xxx, it won't be hard- the ISP could probably get away with just blocking DNS requests to its servers for the .xxx domains. Of course, if I were British, I'd use a VPN.

  6. Re:Got burned with this ... on AVG 2011 Update Causes Widespread Problems For 64-Bit Windows · · Score: 3, Informative

    Microsoft Security Essentials. It may be from Microsoft, but it's a good piece of software. Licensed for home users and businesses with 10 or less computers- it's what I've been pushing my small business customers to lately. It's lightweight, unobtrusive, and performs checks well.

  7. Re:Hmmm .... on Mystery Missile Launched Near LA · · Score: 2, Insightful

    But why? The world already knows we can launch ICBMs from submarines.

  8. Why Not? on 1928 Time Traveler Caught On Film? · · Score: 3, Interesting

    Why can't this be a cell phone? Of course, now that this has been discovered, someone from the future will travel back in time to stop this from happening...

    It reminds me of an occurrence one night while I was working as a hospital security officer on nights. A man came in breathless to our office, and asked to speak to Sergeant D* (I don't recall the full last name). We told him he didn't work with us. The man said that the Sergeant was supposed to be there, he was running from the CIA, and had to speak to him. We responded that Sergeant didn't exist. The man then bolted and ran away from us. It kind of shook my world, and I can't stop thinking... did I just ensure the destruction of mankind, by running this guy off?

  9. Re:Conveniently unbundles... and rebundled. on Microsoft Unbundles Software For NY City · · Score: 1

    Exchange is not Office- it's in Microsoft's server product category (different products in different categories for volume licensing). AD is also Servers (and is part of Windows Servers). Developer's tools- doubtful. You get macros w/ Office Professional.

  10. I've got an idea... on UK ISPs Profit From Coughing Up Customer Data · · Score: 1

    How about pass savings to a customer? If you are getting paid 120 per inquiry, then those subscribers are becoming a revenue stream for your ISP. Knock off some percentage of their bill for a while, to encourage their staying with your service. Hell, next time they are accused of infringing, you get 120! Since people don't like change, even if they wanted to change ISPs after you shared their data, they will be getting a discount, so they are less likely to move.

  11. College's role in my life... on You Are Not Mark Zuckerberg, So Stay In School · · Score: 1

    I attended a 2-year technical school for a networking degree (plus another 1 yr. towards programming). Did it help? Hell yes, I learned a lot. Did the degree get me a job? Nope, but I came onboard with a technology company as an intern my last semester, and was hired full-time about 4 months later. I probably didn't need a degree for the job (but the school knowledge helps), but I sure wouldn't have been offered an internship with my employer either.

  12. Re:Where have I seen this before... on Dell's 'Dual Personality' Laptop · · Score: 1

    Let's not forget about the Lenovo U1 tablet

  13. Re:indoctrination on Big Brother In the School Cafeteria? · · Score: 3, Insightful

    That's exactly what my two school-age kids (1 and 2 grades) have to do. They learn a 6-digit pin, and that is used to deduct funds from their lunch account. In turn, my wife and I put money in the account when funds get low. This claim is similar to saying McDonald's tracks your credit card number, to determine what you eat, so they can "suggestively sell" that Big Mac you crave.

    You know, maybe I need to patent that process.

  14. Re:Their equipment, their choice. on Germany To Grant Privacy At the Workplace · · Score: 2, Interesting

    No cameras? That made me think- convenience store cameras are generally pointed at the cash register, where employees work. Same with banks. Since the employees have a right to privacy, does that mean c-store or bank robberies cannot be taped?

  15. Can't Log Emails? on Germany To Grant Privacy At the Workplace · · Score: 4, Insightful

    This seems absurd... all my mail servers log employees' email every day. Even worse, my spam filters read the entire message to make sure it is acceptable- before allowing delivery to the employee. These privacy measures may sound great on paper, but not all will work. If IT cannot log emails, how do we troubleshoot email delivery problems? Of course, I may be taking this to the next level, completely ignoring the actual wording of the proposed law.

  16. Not with Apple on Apple Manager Arrested In Kickback Scheme · · Score: 4, Insightful

    We're talking about the organization that got the SWAT team to take back a stolen iPhone... if they can do that, the fines will probably exceed damages. I can't get a school police officer to look at me with a straight face when I tell them my daughter's Hannah Montana Disney MP3 player was taken on the playground.

  17. Springfield, Missouri on Red-Light Camera Ticket Revenue and Short Yellows · · Score: 1

    Springfield, Missouri had red-light cameras. They were also caught shortening yellow-light times at the intersections (original articles now gone, but here is a copy- http://blog.motorists.org/6-cities-that-were-caught-shortening-yellow-light-times-for-profit). The lights had been up and running for a few years, with no successful challengers. However, a former State Trooper took the argument that the way the tickets are prosecuted was unconstitutional. The City used an "administrative process" for the tickets, which resulted in no reporting to the driver's insurance company or the State. However, this also eliminated any chance for appeal outside of the City. The former Trooper argued that the process is criminal, not civil, and beat the city in the State supreme court. http://www.news-leader.com/article/20100303/NEWS01/3030498/Missouri-Supreme-Court-puts-brakes-on-Springfield-s-red-light-cameras

  18. Quicken? on Can Ubuntu Save Online Banking? · · Score: 1

    What about users with Quicken or Microsoft Money? Or even GnuCash? With a live CD, I can't store my financial software on that CD. And making the Live OS capable of writing the downloaded transactions to a computer is more trouble than most users will want. LiveCD is a great idea for *looking* at stuff, but it won't accomplish much else.

  19. Re:Wait hold on mugger... on Gun With Wireless Arming Signal Goes On Sale Soon · · Score: 5, Informative

    Read the article... law enforcement is specifically exempt. This is because the technology is too unreliable for defense / offense, and sometimes people don't have time to enter a PIN or may need to shoot with their other hand. This is for you and me, so we're no longer effective at defending ourselves.

  20. A crafty scheme... on Artwork Re-Sells Itself Weekly On eBay · · Score: 1

    Here, we have what is literally "black-box" hardware getting installed in a museum or other type of art collection, and given an active internet connection. It even uses DHCP- so you need it on your LAN, or a DMZ that hands out DHCP. On top of all that, it checks what is essentially a command-and-control server every 10 minutes. The "artist" is responsible for applying updates to the software. So, the C&C server maintains that the artist can access the "art" at anytime, anywhere. This black box will probably be installed on a LAN with other systems (after all, he's an artist, not a cracker). The people who purchase this will probably not even consider security of the network with this device, and the artist will most likely not agree with reasonable requests to audit his "art's" function.

    There is no potential misuse of this item here. Since it probably runs Linux, it most likely already has the software necessary to sniff the network, and a package like nmap will help him ID targets in the network. Then, when his work is done, offer the item for auction on eBay... and find the next sucker with a network and collection.

  21. Re:No such thing as 1st Sale Doctrine outside USA on Artwork Re-Sells Itself Weekly On eBay · · Score: 1

    On the Auction site (here), the "Terms of Sale" were written by a lawyer in NYC (U.S.), and the seller/artist is a US Citizen. The agreement even states that it is governed by the laws of the State of New York. This may have been reported by a UK news source, but it's a US work. However, I think it is also ridiculous- Here is the Artist's response about First Sale Doctrine (on the eBay link): Q: Doesn't the first sale doctrine prevent you from collecting further payment past the initial sale of the item? A: In order to be recognized as a work of art the contract must be adhered to, and regards of who owns it and who buys it the contract remains between the artist and the purchaser, not between buyer and seller. So, if you don't want to follow the agreement, apparently it is no longer "art".

  22. Re:The first thing that came to mind... on Bing Cashback Can Cost You Money · · Score: 5, Insightful

    I worked for a national healthcare system which offered a Dell employee purchase program. My wife wanted a pink laptop, and I quickly found out I could get a better deal on a regular "sale" from Dell than the "12% employee purchase program discount" could ever give me. They're scams, which attempt to con people into thinking they are getting a deal.

  23. I'm a PC... on Apple Voiding Smokers' Warranties? · · Score: 5, Funny

    and I get to smoke in my own house, while browsing the Internet (for porn)

  24. Go Try to log in... on BlueHippo Scam Collected $15M, Only Shipped One PC · · Score: 5, Informative

    I went to their website (Google for bluehippo), and when I clicked "Purchase" I was taken to a login screen.. where my username is my SSN, and password is my mother's maiden name. Yeah, I'll give them some more personal info after I enter that...

  25. Re:How come they never test Comodo? on Test of 16 Anti-Virus Products Says None Rates "Very Good" · · Score: 1

    I use Clamwin at work, but I would never recommend it to the users. I'm smart enough to watch where I browse, scan suspicious files before opening, etc. But the users aren't... they click on everything, and need a real-time scanner to watch what they do. Clamwin doesn't offer that (yet), but the moment it's available I'd roll it out to everyone.