While I think the idea is largely stupid, it will allow people to play when they shouldn't be playing. A browser-based flash game would make it so you can do your gold-farming in a background tab at work or school all day, then go home at night and fire up the 3D client for some immersive vampire-slaying.
I wouldn't play it, but if it turns out being any good, that's what people are going to do.
Spelling, too.
Why is this troll modded funny? It's not.
If it's not, it should be. I'm using it from now on.
And yet my bank thinks it is...
Considering that professional attackers generally have a toolbox of exploits that aren't even 0-day yet, it is entirely feasible that they could get past the firewall, NAT, proxy, and even evade the IDS in the process.
Granted, those exploits aren't exactly a dime a dozen, but any attacker above the level of 'script kiddie' has at least a handful of them.
Even in your fantasy world of 'fully-patched-everything', you can't protect against that. You can avoid the attack completely by not telling the world how to attack you.
That is an interesting, arbitrary definition of what a hacker does. You have no idea what you are talking about.
You have a fixed target. Hackers do not.
Hackers often have fixed targets- or do you not consider Kevin Mitnick or, in recent news, Gary McKinnon to be hackers?
The really good hackers- the ones that you should be scared of- absolutely do attack specific systems. Of course, a random script kiddie probably won't search for forum posts, but if you're a large company, hopefully those aren't the people that you are concerned about.
You are being paid to waste time. Hackers are not.
This is neither true nor relevant.
You (probably) are not lazy. Hackers are lazy.
Put that next to your later quote:
What you're saying is that the online postings SPED UP the process
As you yourself stated, "real" hackers are lazy and pressed for time, which means they want to crack the system as quickly as possible... which means that reading the developers' forum posts provides a fantastic tradeoff, as evidenced by my own example.
Pick up any basic book on security, and the first chapter is usually about footprinting- finding as much information about a target as possible. "Real" hackers read these books. Googling your target is standard procedure for attackers on both sides of the law. I have seen enough vulnerable systems, and done forensics and damage control on compromised systems, to know that the most damaging attacks are the targeted ones.
This is all disregarding the fact that you have a very narrow and ill-informed view of what a "real" attacker is. Let's talk about that now.
A large company has a lot of vulnerable surface area. Payment applications, databases full of customer information, backup procedures, development systems, and much more. They also have lots of enemies- bored kids looking to make a name for themselves, corporate spies, people looking for lists of credit card numbers, disgruntled customers, disgruntled employees, friendly and unfriendly government agents. You simply cannot throw all of those into 3 categories, and developing a security plan based on those flawed assumptions is equally stupid.
There are many ways that your systems can be attacked, and every attacker has a different goal, motivation and resources. Naturally, there will be a wide variety of results and methodologies.
Since you don't have any idea how you will be attacked (and given enough time, you probably will get hit by everything), it doesn't make sense to hand out information about your systems.
What does make sense is to develop a security plan that doesn't address specific threats. This means you need to carefully control the exposure of seemingly benign data.
Would you, as a developer, be willing to accept the tradeoff of having your app slightly more secure if you can NEVER ask for help online developing it?
As the developer, maybe- maybe not. That decision isn't usually up to the developer though. Most companies have security policies in place, developed by the management along with security specialists. It is rare that these policies don't have something like "Employees must not use company resources to post publicly accessible messages or posts" and "System users must not reveal any information about company clients, employees, business practices, technology, schedules, or any other information not already publicly available without the express permission from their supervisor."
These decisions aren't up to the developer; they are the responsibility of management, whose job it is to understand the value of the resources they are supposed to be managing.
Idiots often have money, and money is nice.
I hope so. As soon as a version comes out with added privacy features (I have no doubt that Google will be profiling people's web browsing), I'll give it a shot.
I hate Hillary as much as the next guy, but if you say you've never told a joke playing on a stereotype, you are full of shit.
It was actually refreshing to see a politician take their PC head out of their ass.
Out of curiosity, did you sit down to write a letter after posting that?
Nerds are people too, and this is definitely news for people.
Besides, /. knows their market, and knows that these articles will get a lot of traffic and activity. Taglines be damned- they're a business and a media outlet like any other.
They've invested significant money into RFID research. They don't want to see the public suddenly get scared of this newfangled RFID tech that they've never heard of before.
It actually makes sense, and I actually don't blame them. RFID, done right, can be secure, and the fact that they don't want people to fear the technology doesn't necessarily mean that their implementation isn't.
I've been doing anarchy signs for at least 5 years, smiley faces before that.
The funny thing is, when I was doing my mortgage paperwork, I accidentally threw a few anarchy signs in there.
Unless the clip was posted by someone other than the copyright holder, I don't see any way it could be "legitimately" removed.
The clip is from the Last Hope, the video is that filmed by the event organizers, and while I can't find a link to reference, I understand the license on that video is extremely permissive.
Most security problems arise from insiders.
Do you know why insider attacks are so damaging? It's because they have something called insider knowledge of the system. You know, things like network configuration, applications in use, etc... The same stuff that I was saying you shouldn't post on public forums.
Regardless, your logic is wrong. Taken to the extreme, you are saying "most security problems come from insiders, so I don't have to protect from outsiders".
It's a question of scale.
There is a difference between open-sourcing a crypto algorithm and publishing your company's network specifications. The first is likely to be analyzed by many professionals in the industry and flaws will be found quickly. The second isn't likely to be analyzed by anybody who isn't trying to hurt you.
Smart cryptographers don't use a particular algorithm for a non-trivial application until it has gone through years of scrutiny and has had centuries of processor time thrown at it.
Compared to the complexity of an entire network, crypto algorithms are incredibly simple- just a few mathematical operations. And we still manage to break them all the time.
I didn't say he was wrong, and I didn't say it works very well.
As I said, I am a big fan of Schneier (bordering on fanboy), but many people quote him without understanding a word of what he says.
If an attacker wants to own your network, don't tell him what software, services and configuration it is running. Make him work for that information, possibly tripping a few alarms in the process.
Not if your systems are properly secured.
This is precisely my point. It is impossible to completely secure your systems, and it is impossible to know how your systems are going to change in the future.
New classes of exploits come out all the time, and there is absolutely no way that you can account for them. In addition, everybody here knows how quickly a project can go from well-designed theory to poorly implemented pwnage-bait.
Let's say you have your theoretical Linux server locked down completely, following all the industry best practices and performing daily log audits. In the real world, this will never happen, but let's pretend...
Would your server have stood up to the root exploit that came out last February? Maybe, maybe not. Would it have been compromised by the Debian OpenSSL fuckup? How about Kaminsky's DNS exploit? The BGP exploit? Maybe, maybe not. Will it stand up to the thousands of other unpublished exploits that are traded and sold on a daily basis? Highly doubtful.
The only thing you have protecting you is the fact that the people who will do the attacking don't know what valuable data is on that server, nor what configuration it is running. Don't be a dumbass and post that information on public forums.
The odds of running into a malicious hacker when looking for technical help are nearly nil. Hackers simply don't work this way.
It's called Google, and hackers absolutely do work this way. I should know.
Let me tell you a little story.
I am a penetration tester by trade. I was tasked to look into a particular company's custom-built project-management app, which I had no prior knowledge of, access to, or even IP addresses for.
After a bit of googling, I came up with the names and email addresses of a few developers (some of whom no longer worked for the company). Googling those email addies, I found posts on various forums for MSSQL administration, ASP coding, and Cisco routers. Within only a few minutes, I knew the hardware that the system was running, the firmware version on the router, the technology in use, and even had some code samples pulled straight from the app.
I located and compromised that application with no prior knowledge in less than an hour.
Having other people "check your work" is a GOOD thing and it's how IT security is actually improved in practice.
Yes. Having Project Managers, your programming peers, and a security auditor with an NDA check your work is a good thing. Having some random guy on a forum check your work, and publish the results where they will be archived, indexed and searchable forever, is an extremely stupid idea.
I'm a huge fan of open source, and from a macro-perspective, it has done wonders to help the security community.
That still doesn't mean you should publish the details on what software you are running. From an individual perspective, that is absolutely stupid.
As a penetration tester and web app auditor, I have broken into countless sites by looking at the badge at the bottom of the site ("Powered by WeakTemplates 1.2.4"), downloading a copy of that specific version, and finding an unpublished hole in it.
Yes, it's security through obscurity, and I'm as big a fan of Schneier as anybody, but that is still no reason to give out information.
It's no secret that with enough knowledge of the system, any system can be hacked. That alone is reason to not make knowledge of the system public information.
To some extent, security through obscurity is absolutely necessary.
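The earlier post about controlling "the exposure of seemingly benign data" and this one about footer badges make the same practical point: a version string, a generator tag, a server header or an internal address in a help request tells a reader exactly what you run. As an added example (mine, not code from any of the posts here), a small pre-publication scanner that flags those shapes in a draft post or in your own site's HTTP response before either goes public. Every sample string, the product names WeakTemplates and Acme CMS, and the hostnames and addresses are constructed for the example.

```python
"""Added example: flag configuration details that give away what a system runs.
Run it over a draft forum post, or over a captured response from your own site,
before publishing. All sample text below is constructed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # what kind of detail leaked
    value: str     # the leaked text itself


# Shapes of "seemingly benign" detail that tell a reader what you run.
# Group 1 is the part worth redacting.
_PATTERNS = {
    # footer badges such as "Powered by WeakTemplates 1.2.4" (constructed name);
    # only badges that carry a version number are flagged
    "version-badge": re.compile(
        r"\bpowered\s+by\s+((?:[A-Za-z][\w.-]*\s+)+v?\d+(?:\.\d+)+)", re.I),
    # <meta name="generator" content="..."> emitted by many CMSs
    "generator-tag": re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I),
    # response headers that name the server stack
    "server-header": re.compile(
        r"^(?:Server|X-Powered-By|X-AspNet-Version):\s*(.+?)\s*$", re.I | re.M),
    # hostnames under suffixes that only resolve inside a company network
    "internal-host": re.compile(
        r"(\b[\w-]+(?:\.[\w-]+)*\.(?:local|internal|corp|lan|intranet)\b)", re.I),
}
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _private_ipv4s(text):
    """Yield dotted quads that parse as non-public addresses (RFC 1918 and other
    special-purpose ranges). Malformed quads such as 999.1.1.1 are skipped."""
    for m in _IPV4.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue  # looked like an address but is not one
        if addr.is_private:
            yield Finding("private-ipv4", m.group(0))


def find_disclosures(text):
    """Return deduplicated findings: pattern matches in table order, then private addresses."""
    findings = []
    for category, pattern in _PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(category, m.group(1)))
    findings.extend(_private_ipv4s(text))
    return list(dict.fromkeys(findings))  # dedupe, keep first-seen order


def redact(text):
    """Replace every finding with a category placeholder so the text is safe to post."""
    for f in find_disclosures(text):
        text = text.replace(f.value, f"[{f.category} removed]")
    return text


# Constructed draft of a help request, the kind of post the thread warns against.
SAMPLE_POST = """\
Hi all, our project app keeps timing out. Setup: IIS box at 10.20.30.40,
DB on sql01.corp.local, footer says "Powered by WeakTemplates 1.2.4".
Any ideas?
"""

# Constructed HTTP response from a site that advertises its whole stack.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<html><head><meta name="generator" content="Acme CMS 3.1"></head>
<body>hello</body></html>
"""

if __name__ == "__main__":
    for label, text in (("draft post", SAMPLE_POST), ("HTTP response", SAMPLE_RESPONSE)):
        print(f"== {label} ==")
        for f in find_disclosures(text):
            print(f"  {f.category:14} {f.value}")
    print(redact(SAMPLE_POST))
```

The patterns are deliberately narrow (a badge without a version number, or a public address, passes untouched) so the scanner stays quiet on ordinary prose; widen the table for your own environment's hostnames and product names.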
It's off topic, but please tell me more about your IT infrastructure. I promise not to do anything bad with it.
I am constantly amazed at how willing people are to tell you how to attack their own systems, particularly on Slashdot, where simply implying somebody is doing poorly will practically get you full description, network maps, and vulnerability reports.
Similarly, I was talking to a friend in the Army the other day about IT security, and he told me that he didn't think I could attack his unit's systems, then went into a long discussion about what protections are in place. Out of curiosity, I decided to find out what I could learn. He only clammed up when I started probing for specifics about password policies on a particular device.
People: please don't tell anybody about your IT configuration. At least not on a public forum like /. Admittedly, a lot of it is easy to find out other ways, but that's no reason to give that information out.
Wow. I've never seen a post so deserving of a 'redundant' mod.
However, I haven't heard of any animals who are serial murderers.
Now you have.