Except that certificate pinning is being deprecated in Chrome:
Certification Authority Authorization (CAA) seems to be the replacement for preventing misissuance.
I agree with you on 2 and am pretty sure 4 is true since someone previously posted an example of www.example.www.example.com being stripped to example.example.com instead of example.www.example.com. I hope how it is displayed does not affect how the URL is actually used, so I hope 1, 5, and 6 are not true.
I don't believe 3 will be an issue due to the changes they've been making in how they indicate secure connections. They got rid of the "Secure" text on https sites and just display the padlock, but they explicitly say "Not secure" on all http sites, so if a user is paying attention at all to the chip just a few pixels to the left of the URL, they will immediately be able to tell if they are on an insecure site. Eventually the plan is to warn on all insecure sites, so everything that is insecure will give a gigantic full page warning about being insecure and the default can be trusted, at least in terms of being encrypted to the other end of the connection.
If you actually read the first link in the article, you would see that this "Advanced Protection Program" is actually about disabling the ability to use SMS as the second factor and instead requiring a not-easily-spoofable security key.
To do that, you would first need to make sure that the programs could be built with deterministic compilation. I don't believe that many projects have put in the time necessary to do that. That also ignores any optimizations or other features different compilers may use on the source code when compiling it.
https://en.wikipedia.org/wiki/Deterministic_compilation
The lawsuit says the seller of the hoverboard listed online, "W-Deals," is a sham organization that is registered to an apartment in New York City that has not responded to requests from lawyers in the case.
combines with this:
It says Tennessee product liability law holds a seller responsible if the manufacturer cannot be found.
to make liability for Amazon. They still wouldn't be the seller, just because the original seller can't be found. It sounds like they should still be trying to go after "W-Deals".
Krebs also reports that vDOS's DNS addresses were hijacked by the firm BackConnect Security to get out from under a sustained DDOS attack
According to the article it was a BGP (i.e. IP address) hijacking, not a DNS hijacking. DNS isn't even mentioned at all in the article aside from a phone number in a domain registration found to match one obtained from the hack.
In order to redirect HTTPS traffic to a login page you would need a valid certificate for wherever the user was trying to get to in the first place. Giving random wifi hotspot operators those kinds of certs would be very bad for security and very impractical.
Most operating systems I've seen recently test if they can get to the internet themselves, and if they are redirected to a captive portal they then automatically open a browser window to wherever the portal redirected them (usually a login page). This avoids the issue of trying to MitM attack whatever site the user was trying to get to. You can still make the login page you get redirected to secure with proper certificates. The following are examples of the different things companies use in detecting if they can connect to the internet:
Apple:
http://captive.apple.com/hotsp...
Google:
http://clients3.google.com/gen...
Microsoft:
http://www.msftncsi.com/ncsi.t...
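The probe-and-classify logic described in the comment above, as an added example that is not part of the original post. The probe URL here is an assumed placeholder, not one of the real vendor endpoints, and the HTTP responses are constructed in memory so it runs offline; the probe is deliberately plain HTTP, since an HTTPS probe could only fail its TLS handshake at a portal rather than be redirected.

```python
"""Captive-portal detection: send a GET to a fixed probe URL, compare the answer to the
known-good response, and if it differs work out which page the OS should open.
Added example; probe URL is an assumed placeholder and all responses are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PROBE_URL = "http://connectivity-probe.example/generate_204"  # assumed placeholder
EXPECTED_STATUS = 204   # "generate_204"-style probe: empty 204 means the internet answered
EXPECTED_BODY = b""     # other vendors instead compare a fixed 200 body; see the parameters


@dataclass
class ProbeResponse:
    """What the probe GET came back with. None in its place means no HTTP response at all."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def classify_probe(resp, probe_url=PROBE_URL,
                   expected_status=EXPECTED_STATUS, expected_body=EXPECTED_BODY):
    """Return (state, portal_url).

    state is one of:
      'offline' - no response at all
      'online'  - the probe returned exactly the expected status and body
      'captive' - something in the path answered instead; portal_url is the page to open
      'unknown' - an error the caller should not treat as either online or a portal
    """
    if resp is None:
        return ("offline", None)
    if resp.status == expected_status and resp.body == expected_body:
        return ("online", None)

    headers = {k.lower(): v for k, v in resp.headers.items()}
    probe_host = urlsplit(probe_url).hostname

    # Classic portal: an HTTP redirect to the operator's own login page.
    if 300 <= resp.status < 400 and "location" in headers:
        target = headers["location"]
        parts = urlsplit(target)
        if parts.scheme in ("http", "https") and parts.hostname and parts.hostname != probe_host:
            return ("captive", target)
        # Redirect that stays on the probe host: open the probe URL and let the portal intercept it.
        return ("captive", probe_url)

    # Portal that serves its own page in place of the expected body, with no Location header.
    # The best the OS can do is open the probe URL itself; the portal will intercept that too.
    if resp.status == 200:
        return ("captive", probe_url)

    # 5xx or anything else odd from the probe host: neither online nor a recognisable portal.
    return ("unknown", None)


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "open network":   ProbeResponse(204),
    "hotel portal":   ProbeResponse(302, {"Location": "https://login.hotel-wifi.example/?orig=%2Fgenerate_204"}),
    "inline portal":  ProbeResponse(200, {"Content-Type": "text/html"}, b"<html>Please log in</html>"),
    "no link":        None,
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:14s} -> {classify_probe(resp)}")
```

Note that the redirect target is only trusted as a place to open a browser, never as a reason to believe the network is up; only an exact match on the expected status and body counts as online.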
It's not security theater to reset the password to someone's Spotify account when they use that same password on another site that had their passwords leaked. Even a poor password caused by changing it too often is more secure than a known compromised one.
If you read the article, you would see it's not a flaw in TCP in general but in RFC 5961, which only Linux has implemented so far, which is why it's the only one that's vulnerable. It also does not require you to be in the middle of the connection. Even with TLS you can still create a denial of service using this attack.
All they need is enough packets generated by the playback of iPlayer content of various, known and non-standard sizes being transmitted to show that the user is watching it. It would be one thing if they just used a few packets, but if say 1000 packets of specific preset sizes were detected in a specific order and the sizes when translated into ASCII said "I am watching iPlayer, I love the BBC..." it would be pretty clear.
There were at least a couple of lawsuits against Boeing for just that:
http://www.nytimes.com/2003/09...
http://blog.al.com/wire/2013/0...
Gun manufacturers actually have a law limiting their liability though:
Protection of Lawful Commerce in Arms Act
For LinkedIn, the problem with the credentials that were leaked by hackers is that they were not stored securely with proper salt. Within a few days of starting on it, security researchers cracked 78% of the passwords, resulting in almost 50 million unique passwords. Attackers undoubtedly did the same over the years since the breach. This gave attackers millions of actual passwords to use in future attacks. As for how Netflix and Facebook can tell you are using the same password, they could get the list of cracked passwords from the breaches, match them with the email addresses of their own users, then hash each password using their own algorithm along with the salt for that user and compare it to the user's current password hash.
Here's a blog post about the cracking effort:
https://blog.korelogic.com/blog/2016/05/19/linkedin_passwords_2016
And here's an article about why this is so bad:
http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/
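The two halves of the comment above, worked through as an added example that is not part of the original post or of any of the linked articles: first why an unsalted dump cracks so fast, then how a different service can re-derive a cracked password under its own per-user salt to find reuse. The breach dump, wordlist and user database are all constructed here; the choice of PBKDF2-HMAC-SHA256 for "our" service is an assumption.

```python
"""Cracking an unsalted SHA-1 dump and checking the results against a salted store.
Added example; every password, email and hash below is constructed, not real breach data."""
import hashlib
import hmac
import os


# --- Constructed "breach dump": email -> unsalted SHA-1 hex, as the comment says LinkedIn stored ---
def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


BREACH_DUMP = {
    "alice@example.com": unsalted_sha1("linkedin"),
    "bob@example.com":   unsalted_sha1("correct horse battery staple"),
    "carol@example.com": unsalted_sha1("Tr0ub4dor&3"),
}

# Tiny constructed wordlist standing in for the researchers' real cracking dictionaries.
WORDLIST = ["password", "123456", "linkedin", "Tr0ub4dor&3", "qwerty"]


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """Dictionary attack against unsalted hashes.

    With no salt, each candidate is hashed once and that single hash is looked up against
    every account at the same time. That is why a dump of this shape falls in days.
    """
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


# --- Our own service's password store: random per-user salt plus a slow KDF (assumed PBKDF2) ---
def make_record(password: str, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the candidate with this user's salt and parameters; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def find_reused_passwords(cracked: dict, user_db: dict) -> list:
    """For each cracked breach password, check it against our record for the same email.

    A match means the user reused the leaked password here and should be forced to reset.
    The salt does not stop this check: we hold the salt, and we are testing one known
    plaintext per user, not guessing.
    """
    reused = []
    for email, leaked_password in cracked.items():
        record = user_db.get(email)
        if record is not None and verify(record, leaked_password):
            reused.append(email)
    return sorted(reused)


# Constructed user database for our own service; emails overlap with the breach.
USER_DB = {
    "alice@example.com": make_record("linkedin"),                # reused: must be reset
    "carol@example.com": make_record("a different passphrase"), # cracked elsewhere, not reused here
    "dave@example.com":  make_record("qwerty"),                  # weak, but not in this breach
}

if __name__ == "__main__":
    cracked = crack_unsalted(BREACH_DUMP, WORDLIST)
    print("cracked from breach:", cracked)
    print("users to force-reset:", find_reused_passwords(cracked, USER_DB))
```

The asymmetry is the whole point: the unsalted dump lets one hash computation test a guess against every account, while the salted store forces one slow derivation per user per candidate, which is affordable for the defender checking a handful of known passwords and expensive for an attacker guessing millions.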
From the TorrentFreak article:
Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
In before someone points out I used the wrong "they're".
Their making up for it in other ways such as their $15,000 donation to Buildbot:
Their award will be used to remove the term "slave" from all documentation, APIs and tests
Mozilla is working on that:
https://blog.mozilla.org/secur...
uBlock Origin is open source. It has worked fairly well for me and is supported in most browsers. What it blocks, though, like most programs, is based on the blocklists you load into it, so you may have to find some to your liking if the defaults don't block enough for you. I haven't noticed any problems with the default lists in terms of advertisements getting through, and I think it should be fairly effective when combined with Ghostery.
Google Keep, maybe?
It doesn't have tags but it seems made for short amounts of text and you can use tagging (labels) to create categories.
Did you install update KB3035583?
That's the one that does it.
You should be able to simply uninstall it.
Be sure to hide it after uninstalling it so it doesn't just get reinstalled again.
Your knowledge of VMware is a bit out of date.
VMware player can create virtual machines (and has for some time) and it is still free. It works well on Windows and Linux hosts.
1. It's just making it convenient to do what users can already do with their DVRs anyway.
If you don't want advertising, go buy the DVD boxes which don't have them.
2. It isn't always the case that there aren't ads in the DVDs. Some are quite annoying playing before the menus and after each episode ends.
Cleanfeed
The problem is the reason for the bandwidth caps to begin with was that the last mile was the weak link (cable being shared, your heavy usage affected your neighbors, thus the cap to get you to limit yourself). Now they want to put data from their service over that same link, causing the same congestion problems but not counting it towards the cap. This limits the spread of competing services that might use enough bandwidth to hit the cap.
Either congestion on the last mile is a problem requiring caps or it isn't. It shouldn't matter what's in the data packets or where they're from.
As far as I know WPA/WPA2 isn't broken, only WPS's PIN mode (enter an easy 8-digit number instead of a complicated alphanumeric passphrase). Granted, you can still brute-force the PSK itself instead of the PIN, but then you've just got the same problem of weak passwords that many other things do.
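Why the PIN is such a small target compared with the passphrase, as an added example that is not part of the original comment. It encodes the WPS PIN checksum rule and simulates the registrar's split verification (the registrar reveals separately whether the first four and the last three digits were right), then counts how many guesses recovering a PIN takes; the oracle class is a simulation written for this example, not a real registrar, and the test PIN is constructed.

```python
"""WPS PIN structure and the split-verification weakness, as a local simulation.
Added example: the oracle below stands in for a registrar; no real device is involved."""
import string

PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def wps_checksum(first7: str) -> int:
    """Check digit for a 7-digit PIN body: weighted digit sum, rounded up to a multiple of 10."""
    assert len(first7) == 7 and first7.isdigit()
    d = [int(c) for c in first7]
    accum = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def search_space() -> dict:
    """How many guesses the different views of the problem imply."""
    return {
        "eight_free_digits": 10 ** 8,            # what "8-digit number" sounds like
        "seven_plus_checksum": 10 ** 7,          # last digit is derived, not chosen
        "split_halves": 10 ** 4 + 10 ** 3,       # halves confirmed independently
        "psk_8_chars": len(PSK_ALPHABET) ** 8,   # 8-character passphrase over 94 symbols
    }


class SplitOracle:
    """Simulates what the PIN exchange leaks: a NACK after the first half (M4) or after
    the second half (M6), so the attacker learns which half was wrong."""

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin)
        self._pin = pin
        self.attempts = 0

    def try_first_half(self, h1: str) -> bool:
        self.attempts += 1
        return h1 == self._pin[:4]

    def try_second_half(self, h1: str, h2: str) -> bool:
        self.attempts += 1
        return h1 == self._pin[:4] and h2 == self._pin[4:7]


def recover_pin(oracle: SplitOracle) -> str:
    """Brute-force each half on its own, then append the checksum digit."""
    h1 = next(f"{i:04d}" for i in range(10_000) if oracle.try_first_half(f"{i:04d}"))
    h2 = next(f"{i:03d}" for i in range(1_000) if oracle.try_second_half(h1, f"{i:03d}"))
    return h1 + h2 + str(wps_checksum(h1 + h2))


if __name__ == "__main__":
    print(search_space())
    oracle = SplitOracle("98765430")   # constructed PIN; last digit is the checksum of 9876543
    print(recover_pin(oracle), "after", oracle.attempts, "attempts")
```

The worst case for the split attack is 11,000 attempts regardless of how "random" the PIN is, which is why the fix is disabling PIN mode rather than choosing a better PIN; brute-forcing the PSK instead is only as easy as the passphrase is weak.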