
Re: Bribe developers with tee-shorts
Tee-shorts for penetration testers...and what line of business were they in again?? :-O
436 publicly visible posts • joined 2 Mar 2007
@gazthejourno:
Except we all know that that's Fantasy Capitalism (tm) Gaz. Otherwise we wouldn't have had the Comodo or DigiNotar hacks, the RSA hack, the endless list of (often Blue Chip) companies threatening infosec researchers with legal action rather than engaging in public interest disclosure and fixing their "premium" crapware, an so on ad nauseum.
On the contrary while Open Source is no more free of security flaws there are far fewer of the commercial imperatives to behave badly when these are discovered. So no, it's not hard, when you disengage your prejudices and use your brain.
Yes you're completely right - but not in the way you think you are. Both are headline-grabbing and both can be made to sound far more serious than they really are, especially the GnuTLS non-issue.
The TLS issue is clearly not widely exploitable. However in the case of GnuTLS, this package is almost universally replaced by OpenSSL on all sensible Linux distros. The only people that use GnuTLS are extremist "free" software nuts for whom the fact that OpenSSL is open source but has an Apache-style license means that it's not really free software.
Oh, and even GnuTLS was patched within hours of the vulnerability's discovery.
@NightFox: indeed - except the site fails at the usual password hurdle of confusing complex (i.e. unmemorable) passwords with strong passwords. Hence the password checker states that single words that include a number and a capital like Gr4ndmas is good whereas a multiword password like "eggs grandma teach and suck" (thanks Rono666) is weak.
So with this advice we end up with important things like online banking sites requiring complex unmemorable passwords which leads to users creating relatively short (machine-crackable) passwords and re-using them on multiple sites. Password safes I hear you say? Good advice but how many non-geeks do you know that use password safes?
You, sir, are a dangerous communist and should probably join the People's Assembly Against Austerity!
Were you thinking that the law is there to protect ordinary citizens? That's the window dressing. The law is there primarily to protect private property (i.e. of corporations - your house, car, etc. are small beer) and the accumulation of capital.
So a company like Experian that provides personal data to other corporations to allow them to better profit from you the ordinary citizen is deemed legal and proper. And yeah I think it sucks too.
@Noel and Jim:
(i) it's the Windows version that is very tricky to compile from source - and there are both benign and suspicious explanations for this;
(ii) Matthew Green has a good reputation technically and ethically - it doesn't seem likely that he would be involved in some game to pretend to audit TrueCrypt (unless you take the completely unworkable "trust no-one" tin-foil hat position).
As the article suggests, the Foxacid operations are more targetted, partially by NSA analysts and partially by automated means (browser user agent, etc.) and so what's delivered will vary: anything from known exploits up to 0-days for premium targets. Therefore these may or may not be detected by regular security software.
Inevitably the "tools" the NSA use will become public (in the sense that they will become known vulnerabilities, not that we will necessarily know that the NSA were using them) and fixed sooner or later. However given the size of the NSA's bugdet you can be sure that the "tools" they are using are constantly evolving and new ones coming on stream regularly.
As such I doubt the NSA would have much interest in forcing US-based AV vendors to compromise their products - whatever one thinks of the NSA (and I tend to with "nasty dangerous bastards") they have a remit in protecting US business and infrastructure and would be unlikely to compromise that role so generally by specifically weakening US commercial security products.
The police and security services are very good at: (i) lobbying for new powers that they insist will only ever be used in very specific and limited circumstances, and then (ii) being extremely creative in applying such new powers to as wide a set of circumtances as possible, to the point of testing the credulity of even the dullest of politicians and regulators. Never mind the circumstances in which they covertly break the law due to the lack of adequate oversight (plenty of coverage of this kind of thing here and in the Guardian recently re. the Snowden revelations).
This action by PIPCU (and elaborated in the post above) is an excellent example as are the well-documented misuses of RIPA and our extensive "anti-terror" legistlation. What makes it all the more worrying are the most recent revelations about the NSA & GCHQ subverting TOR and covertly compromising net users simply because they seek to protect thier privacy on-line.
Not a good idea - the max. speed limit is only 130kmh after all, check out them damned Dutch from Delft again!
Canonical have not chosen to go with Mir as replacement for X for technical reasons - they want to have their cake and eat it with the development and commecialisation of Mir. On the one had Canonical want community contributions to help develop the software and on the other they want to cash in on Ubuntu/Mir in the mobile/hand-held/embedded markets.
To this end Canonical have imposed a Contributor License Agreement that gives them the right to relicense any and all code as they see fit. This gets around the inconvenient fact that, as they are using community code, they are not the sole copyright holder and thus effectively allows them to block other developers from modifying (or even supporting) Ubuntu/Mir in the markets they seek to exploit.
For a full and more eloquent explanation see Matthew Garrett's posting.
@PyLETS: yes, agreed. But Canonical are not forking Wayland with Mir. The way Canonical are requiring contributors to Mir to agree to grant Canonical the ability to relicense their code in any way they see fit makes it pretty clear they have no intention of creating anything that can be fed back into the broader ecosystem in any positive way.
@cyborg: no, Canonical don't have work with the rest of the Linux community - but it smacks of the arrogance and short-termism of a multi-millionaire VC to fail to see the huge benefits (to Ubuntu as well as other distros) of developing for Linux generally rather than just Ubuntu.
@Pete 2: I think you're missing the point slightly - X, Wayland and Mir are not the stuff of UI eye candy - that's stuff built into desktop environments like Unity, Cinnamon and Gnome 3. And the problem with Canonical is not that they've spent too much time on the UI eye candy. It's much deeper than that: they're developing solely for Ubuntu without regard for the rest of the community.
This was bad enough with Unity but at least that is just a DE, what they're doing with Mir is more fundamental and much worse. A large independent distro like Mint might be able to fork Gnome 3 to escape the Gnome 3/Unity nightmare but they won't have anything like the resources required to fork a display server to replace X. If Canonical had instead committed to Wayland as a replacement for X then it would probably be reaching several distros now or soon. Not that's it's any surprise: Canonical's form goes way back beyong Unity, for example going with Upstart for sys init rather than Systemd like the majority of the community.
Incidentally there was a nice article on H-Online about this behaviour, before the site sadly closed in July this year.
Cast your mind back to the spectacular Anonymous hack of HBGary Federal in early 2011. Aaron "Fail" Barr shot his mouth off about how clever his social media scraping software was at tracking down Anons by graphing public social media connections. This was all part of bigging-up himself and HB Gary Federal to get fat FBI contracts as well as all sorts of other questionable deals with corporations and govt. agencies wanting to snoop on US and other citizens.
Of course that particular episode had (at least partially) a happy ending as he was very publicly handed his own sorry butt by Anonymous. The story is well-documented on Ars Technica .
This just is not how it actually works in the real world: a great deal of the "security" banks implement is designed to exonerate them of any responsibiltiy and "prove" that the user was either irresponsible (divulged PIN, lent card to friend, etc.) or attempting to defraud the bank. Browsing the banking security posts a Cambridge Computer Lab's Light Blue Touchpaper blog demonstrates that.
On the main topic it's no surprise the Get Safe Online campaign didn't take off: their advice is at best incomplete and full of platitudes and often just plain wrong, e.g. advising complicated hard to remember passwords.
And if this report is correct Mr Lyons isn't getting any cleverer: "attacks on computer networks could soon threaten critical infrastructure" (the usual security terror scare stories), "wearable technologies...will be...hacked" (oooh...bears/woods/pooh??), "Techniques developed to beat biology-based authentication systems, such as fingerprint recognition, will also be a major headache" (wow...no-one saw that coming...oh wait, 2002 is calling, a gummi bear wants the Chaos Computer Club to check if you have any significant brain function).
Until we have some real security people leading these initiatives rather than govt./business friendly PR wonks like Lyons we will get nowhere.
Dear Mr G E
With regard to your recent request allow me to express the sympathies of the Agency over the passing of your dear friend Mr Wiggly.
However you will appreciate that with the appointment of the Civil Liberties & Privacy Officer the Agency are making increased efforts to protect the rights of individuals to freedom from intrusive state surveillance. As such, while I can neither confirm nor deny the existence of any photographs of Mr Wiggly in the Agency's data warehouses, I can assure you that we would never breach his privacy without prior consent.
I understand this may present you with a minor problem in obtaining any such consent from beyond the grave. However our colleagues at DARPA are working on one or two things that may help with this and I will keep you posted (on the QT naturally!) as to any developments in this area. In the meantime please make sure that Mr Wiggly is NOT defrosted as this may impair any future efforts.
Respectfully,
Lt. Gen. K. Alexander
Director NSA
For sixty notes and a spec like that they can probably come to the party any time they like. The killer will be the true meaning of the words (from their web page linked in the article): "Hudl comes with easy access to the Tesco world and your favourite Google Apps."
If that means "we've encrypted and locked the bootloader, saddled you with Tesco shopping apps you can't remove and given you access only to a limited set of apps via Tesco Play" then it will be less good. Let's wait and see!
Or alternatively in Apple pitched the 5C in such way as to make the fruity fanbois think: "Oh my gawd, I don't wanna be stuck with a 5C, I GOTTA have a 5S to be a successful & stylish thinkfluencing barista!" Not that Apple would really do anything to ramp hysteria among the (not so) poor fashion victim community. No no. Not never. As if!
</tinfoil-conspiracy-fandroid-wanker>
Whilst I wouldn't rejoice at anyone losing their job to redundancy, especially in the current climate, the burgeoning managment culture (at the expense of those who actually have to deliver) is a big problem in sectors with semi-monopolies and some parts of the public sector. It has certainly had a signicant role in the recent debacles at places like the BBC, the Mid Staffs NHS Trust and the generally poor performance of our privatised utilities.
Will this help improve Virgin Media? Well it's better than sacking the few remaining decent UK-based support and engineering staff! Fingers crossed...
What this research demonstrates (and it's fairly readable and not too long - go for it) is that an avdersary with ISP-level network resources can deanonymise users in a statistically predictable time period - some shorter and some longer but a lot shorter and more predictable than previous analyses have shown.
But, and it's quite a big but, it seems obvious from the paper that they are analyzing the bulk or Tor use (i.e. for which Tor is probably the only anonymity tool in use) rather than Tor plus anonymous proxies, encryption and the like. That work is yet to be done but it is likely that someone more technically competent than your average BitTorrent freetard attempting to avoid the RIAssA would take a lot longer to identify even with state-level resources.
That said Tor is clearly of interest right now to some big player or other as recently reported by Ars Technica. This will be interesting to follow in the coming months in light of the ongoing Snowden NSA/GCHQ revelations.
More to the point, security researchers have been flagging-up these vulnerabilities for several years (e.g. Jerome Radcliffe and his Medtronic insulin pump) with the uniform response from device manufacturers: "Nothing to see here, this isn't a problem (and if it becomes a problem we may sue you for making it public)".
Given this attitude by device manufacturers (and the likelihood that the DHS's intervention is more to do with self-publicity/funding than genuine human welfare/security) the suggestions above that they will simply use this as an opportunity to inflate profits by producing "secure" devices (any bets on an "unhackable/terrorist-proof" wifi insulin pump "protected" by WEP?) seem all too likely.
</cynic>
@Mark .: you may be right about the Samsung alternatives but as Tony points out in the review the (Asus) Nexus 7 whips this tab's butt - as it has been doing most wannabe tabs since its launch.
And the more new 7-8" tabs are launched the more I think that Google shipped the Nexus 7 at little more than cost - smart move as Android tabs are now outselling iPhads and I still feel like I have the best one on the market seven months on.
</smug>
It seems to me that Tony Blair was just another self-serving unprincipled shit who operated with the same arrogant sense of entitlement and impunity that infects the vast majority of ruling elites and their cronies everywhere.
There, I fixed it for you.
When what we already know about and have some real evidence for is really bad there is no need to invent more bad stuff which is entirely speculative.
Back on topic: in addition to all the other stuff mentioned above about Palantir, the fact that they had a significant association with HBGary Federal up until the point that it was revealed very publicly that HBGary Federal were astroturfing, smearing, snooping on behalf of corporations and government agencies and to the detriment of ordinary people simply trying to protect their jobs, privacy, environment, etc., demonstrates that they are not a very nice corporation. It doesn't prove that Prism == PRISM but that doesn't really matter: it's already clear enough that one should be extremely wary of Palantir.
@Corinne: check out BBC Radio 4 - you get the full gamut of shapes, sizes and looks in male and female presenters, journalists, comedians, etc. - IMHO two of the most talented people on R4, Eddie Mair and Jane Garvey, do not conform to the media-imposed norms of physical beauty.
Not that R4 is perfect - they have a significant London-centric middle class Oxbridge bias (again the two people above don't fit all those categories). And you are right that the media in general are far harsher on women over their appearance than men.
Actually, unlike Linux, Android is not vastly more secure than the alternatives for three obvious reasons:
(i) all software has vulnerabilities and the more complex, the more vulnerabilities;
(ii) Android is very popular and by definition very connected and therefore very valuable to criminal malware coders;
(iii) as stated above in detail, device manaufaturers are essentially negligent in their provision of timely updates to fix known Android vulnerabilities.
As for the idea that malware could not possibly gain root access without manual user intervention, that's just plain not true. One of the main ways of rooting a good number of Android devices involved exploiting a vulnerability in the OS. All the user would notice if this were malware would probably be the device rebooting unexpectedly - hardly an unknown occurrence with quite a lot of mobile devices.
Don't get me wrong - I love Android, it rocks compared to everything else widely available at the moment, but let's get real. And likewise I have no remit for the AV companies, especially when they make such obvious "BUY ME!" releases like this one from Kaspersky.
@Andy Fletcher: I think you're missing the point made by grammarpolice. The way I read it is that if Google had been more underhand in breaking the grip of H.264 and worried less about marginal current income then we would have had a better chance of video content not being encumbered with patented codecs, i.e. "best for the user."
There are no good guys and bad guys when it comes to major corporations, rather the interests of certain coportations occasionally coalesce around something good for the majority of users and on those occasions we should put our weight behind them.
And to be fair to Mr. Fry he is touching on a piece of computer science esoterica - I still have nightmares about ploughing through Minsky's "Computation: Finite & Infinite Machines" as an undergrad.
There does seem to be an unhealthy backlash against Turing's legacy because there is a dispute over the matter of his persecution by the British state. The fact is that he that he stands out as a very bright light in a pantheon not short on bright lights in the theory of computation. And if Stephen Fry slightly misunderstands the technicalia in aiding the well deserved recoginition of Turing we should not really care.
It's different in that Gamma International will almost certainly have a cosy relationship with the British and German security services who are so keen to snoop on their own citizens with the sanction of their respective political classes...***WHHOOOOSSSSHHHHHH***...hey did you hear that? The sound of Tory & Lib Dem politicians who had previously opposed Labour's GHCQ mega-snoop legislation swiftly changing their position when they entered Downing Street. Who knew?!
As a long standing domestic VM customer this is no surprise. Standard practice is:
(i) Don't admit to anything on the service status page if at all possible;
(ii) Direct support calls to overseas call centres who are not provided with relevant information about outages;
(iii) Tell customer that the problem will be investigated and they will be called back but fail to do so;
(iv) Fill the forums with employee sock puppets who tell users how great the service is.
Most of the time the service is good but on the occasions that it isn't there is a total failure to give a shit at VM.
Some analyst sitting on a pile of Apple stock that has fallen by 30% in the past five months is worrying about how he will confinue to fund the condo, kids private education *and* his coke habit? "Hey! Let's roll out the hackneyed Android Fragmentation scare story - there's plenty of tired tech journos out there to spread some FUD!"
</cynical_wanker>
So in an open free-market ecosystem some companies make crap? *yawn* bears-trees-poop, meh.
When you can get a good SIM-free ICS smartphone (e.g. Huawei Ascend G300) and a good 7" JB tablet (e.g. Storage Options Scroll Evoke) for a little over £200 it's bleedin' obvious to all those who aren't supping the Cupertino/Redmond kool aid that Android fragmentation ain't the problem it's cracked up to be.
On and just how much quality smartphone+tablet hardware and software can you get for less than 250 notes from Apple or a Windows source?
</smug>
You don't have to provide Google with a phone number, doing so simply provides one method of enabling two-factor authentication and one method of regaining access to your account in the case of lost credentials. The former can be done via the Authenticator Android app (verified by a single-use activation code) and the latter via another e-mail account or single-use login codes.
Too right, Google are no angels and I doubt they really give a stuff about our privacy, but for the vast majority of people who use the net for significant aspects of their life an e-mail account is almost certainly the most important attack vector for the bad guys to pinch your identity and your money.
It's all very well to take a privacy holier than thou (or worse a lazy "it's a pain to use all the time") attitude but balancing minor privacy and inconvenience issues against your life being in the hands of some anonymous criminal is a no-brainer and that's how we should be educating lay users.
DAMN! I am fed up of some commenters here generating hysteria around use of the word "expect"!
"Veber should have expected this response" =/= "It is perfectly OK for a small minority of idiots in the Python community to send abusive e-mails and make abusive phone calls"
Jamie Jones and others: those of us who used the word "expect" simply EXPECTED that you had the intelligence to see that we were merely pointing out that anyone with a modicum of net savvy could have seen this coming, not that it is in any way justified.
Let me guess: you're applying for a position at the Daily Wail?
</pointless_rant>
@dotdavid: how many of us had heard of Veber before they pulled this stupid stunt? Maybe Veber is not doing so well and some bright spark there says: "Hey I have this brilliant idea to get us some free publicity! You know we own that domain python.co.uk....?" etc.
There is no proof of this but at best Poultney is being disingenuous:
Poultney claims he’s only interested in the trademark on the servers. “We are not interested in the trademark on the language,” Poultney told The Reg.
Well, Mr Poultney, your IPO filing (linked to by a cynic writes... above) says otherwise. And if you want a friendly chat with PSF about this why send your lawyers to talk to them?
Frankly Poultney/Veber's behaviour has been crass and probably dishonest and he should have known better than to expose his staff to the inevitable response generated by his cynical stunt.
And on my 32GB Nexus 7 I have even more free space than a 32GB iPad. And it's 3G. And it's half the price of and iPad. And it's a third of the price of a Surface Pro. And it flies like hot shit off a shovel.
</smug>
If I work hard I can see that some people for whom budget is less of an issue can justify an iPad. Surface Pro? Less so.
@AC 18:44: it may have escaped your notice but Google actually only create a few apps for Android, the overwhelming majority are 3rd party creations. Should Google compel every developer who understandably wants to create apps for Android also make a version WinPho? Oh yeah...that's gonna happen!