OK, this is the sort of question that could be answered by RTFA. However, when it's a 40-minute-long video, I don't feel as bad.
When configuring Siri for voice activation, you go through some steps that give the impression that it's tuning the activation for your specific pattern of speech, which presumably is to prevent false activation when somebody next to you is using the feature on their phone.
Assuming this is actually happening, would that prevent this sort of attack?
Add-ons will continue to work. This is talking about NPAPI plugins.
This is Twitter we're talking about. A DM means that it's not broadcast to the world. If people are surprised that Twitter has control of their Twitter messages, I don't even know where to begin.
Phones are different from computers, yet people still try to apply the computer mentality to them. You don't just buy a smartphone and sit back and use it until it breaks. Unlike Windows XP, your smartphone OS has a very limited window in which it will receive security and other software updates. For iPhones, it seems to be a few years. For Android, it is worse and generally always less than two years. For some of the discount Android phones on discount carriers, the phone may have been abandoned before you even made the purchase!
In what world do you buy a smartphone and use it for the rest of your life? An upgrade plan that includes Apple Care "bad for most"? Hint to the author: You can't extrapolate your personal opinion to apply to the rest of the world.
Yes, this is quite unfortunate. However: given a random selection of 30 million individuals, at what rate would suicides be observed? Make sure you know the answer to this question before jumping to conclusions.
I'm just going to put this right here:
https://en.wikipedia.org/wiki/...
Or for those who don't like to clicky:
"Any headline that ends in a question mark can be answered by the word no."
Yeah, that helps for sure. The other option is to see if there's a 3rd-party firmware for the router. The firmwares that come with home equipment out of the box are often pretty poor, and are often abandoned after they are shipped. However, something like dd-wrt / openwrt / tomato is likely to be better supported.
That's nice, but nothing that you describe helps protect against the vulnerability described.
When doing security testing of any system, one must consider the possibility of unforeseen consequences. That is, while you think that your test may be harmless, you'll really never know this for sure until you perform the test. And even then, you might not know of all possible damage that was done to the system.
Just as system architects and developers make certain assumptions that may introduce vulnerabilities, a security tester may make assumptions about the consequences of their actions. The problems happen when these assumptions don't match up with reality 100%.
Yes, airplanes' computer systems should receive security testing. But to perform any sort of testing without authorization and when there are potential safety (human life) consequences is inconceivably irresponsible, regardless of whether or not the tester suspects any damage will occur.
The student observed the teacher's keyboard while the password was typed in. The student then used that observed password to unlawfully gain access to the system in question.
This has nothing to do with the wallpaper. The student leveraged unauthorized access to a system to do something.
One wonders how much snake oil flows through the app stores
If you've ever looked at an app store, you won't wonder.
Have you ever connected to a network that wasn't yours?
http://en.wikipedia.org/wiki/H...
I'll give you a multiple-choice question.
Security companies want to:
a) Keep you secure.
b) Make more money.
Just put your pencil down when you're done.
"Adware is malware with better lawyers"
said @axeexcess on the Twitter
Yes, ZFS is amazing. But my concern about FreeBSD in general is that from an exploit mitigation perspective, it's in the dark ages. Like, maybe close to Windows XP. http://networkfilter.blogspot....
For a file server, great. But for anything that's parsing untrusted data or is exposed to the internet, I'd be concerned.
What will folks do when drones get to be insect sized?
The evidence that China was performing MITM attacks on Outlook.com was the temporary use of an SSL certificate chain that wasn't signed by one of the hundreds of root CAs included with modern operating systems (and therefore the software complained).
If the software people are using stops complaining about the SSL certificate chain, does that mean that they're not performing MITM anymore? Hell no. At the very least, it means that they're just using an SSL certificate signed by one of the hundreds of trusted root CA certificates. You know, like CNNIC. The internet organization with ties to the Chinese government.
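The point in the comment above is that "the software stopped complaining" only tells you the presented chain now terminates at some root in the trust store, not that it was issued by the CA the real site uses. The following is an added example, not code from the commenter or from any of the products named; it uses only the Go standard library and constructs three throwaway CAs and leaf certificates in memory (the hostname `mail.example` and the CA names are made up for the demonstration). It runs stock chain validation against a trust store that holds two roots, and then a key-pinning check that only accepts the issuer we expected. The chain from the unknown CA is the case where the software complains; the chain from the other trusted root is the CNNIC-style case, which stock validation accepts and only the pin rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign creates a certificate from tmpl signed by priv (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// makeCA builds a self-signed root CA. All certificates in this file are constructed test material.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf issues a server certificate for host, signed by the given CA.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// spkiPin is the HPKP-style pin value: SHA-256 over the SubjectPublicKeyInfo, hex-encoded.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Verdict records how one presented chain fares under the two checks.
type Verdict struct{ TrustStore, Pinned bool }

// check does what a stock TLS client does (chain must build to some root in the store), then also requires a pinned key in the verified chain.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) Verdict {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return Verdict{} // untrusted issuer: this is the case where the software complains
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return Verdict{TrustStore: true, Pinned: true}
			}
		}
	}
	return Verdict{TrustStore: true, Pinned: false} // trusted root, but not the issuer we expect
}

// RunScenario puts two roots in the store, pins only the legitimate one, and evaluates a genuine chain, a chain from the other trusted root, and a chain from an unknown CA.
func RunScenario() map[string]Verdict {
	host := "mail.example" // constructed hostname
	legitCA, legitKey := makeCA("Legit Root CA")
	rogueCA, rogueKey := makeCA("Other Trusted Root CA")
	unknownCA, unknownKey := makeCA("CA Not In Trust Store")
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	pins := map[string]bool{spkiPin(legitCA): true}
	return map[string]Verdict{
		"genuine":           check(issueLeaf(host, legitCA, legitKey), roots, host, pins),
		"rogue-but-trusted": check(issueLeaf(host, rogueCA, rogueKey), roots, host, pins),
		"unknown-ca":        check(issueLeaf(host, unknownCA, unknownKey), roots, host, pins),
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The pin is over the public key rather than the whole certificate so that the legitimate CA can reissue or renew without breaking clients; in practice the pin set would also carry a backup key, and Certificate Transparency logs are the other way to notice an unexpected issuer after the fact.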
This sort of thing happens every month. Microsoft, Oracle, Apple, etc. This is news?
How do you teach a non-geek to find and recognize the canonical source for a software download? Is http://www.vlc.cc/ the official VLC site? Is http://www.7zipdownload.org/ the right place to get 7-zip? Is http://www.libtiff.org/ the place to get the latest LibTIFF? The answer to all of these is "No", but I'd like to hear the teaching technique that allows a non-geek to come to these conclusions.
If so, pursue it. Don't do it because all your friends are becoming managers.
Be sure to check out Moxie Marlinspike's blog post about the topic.
http://www.thoughtcrime.org/bl...
Somebody:
1) Takes nude photos of themselves with an internet-connected device.
2) Has said photos of themselves synchronized with an internet service.
3) Is surprised / outraged that said photos are accessed by somebody on the internet.
I'm not saying that those people are to blame, but rather that there is a significant disconnect between technology and users' expectations. And the companies involved aren't making things any better with their hand-waving "cloud" mumbo-jumbo.
Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.
Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed, including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.
I published a note about this approximately 8 years ago: http://www.kb.cert.org/vuls/id...