Re: Am confused
But isn't this encouraging others to have a go as you can get a $14M payout for nothing?
I agree with you, I loved Notes. Outlook annoys me to this day that it can't do the basics.
But the problem was familiarity, everyone knows Outlook, Notes was different, very different. If you had a technical inquisitive mind you'd learn to love it, but that was the very small minority of staff. Notes was a nuisance that got in the way of doing their job, another thing to learn...
I worked for IBM supporting Notes about 15 years ago.
Everyone hated it, 99.9% of the staff wanted to use Outlook because that's what they knew from their previous jobs, but technically Notes was better and had better features. There were so many features in Notes not in Outlook that I remember thinking, god help whoever has to migrate this in the future.
I would have just thrown my hands up in the air and said, we are not migrating this. Here's your new system, we will keep the old system as an archive read only for the next few years.
I agree this is akin to planting a bug or a wire tap.
In other articles I've read about this they said they couldn't decode the signal if they had sniffed it in transmission, therefore this proves they didn't get the data in transit. I believe this is sound logic.
Police need to be able to investigate crimes, plant bugs etc. I have an issue with mass surveillance, but at an individual level getting a warrant to bug a specific person because you think they have committed a crime is what I think most people would agree should happen.
The bigger implication of this though is that they planted an updated firmware on EVERYONE who had one of these phones. This was mass surveillance by the backdoor. Maybe in this case it's true that the vast majority of people were using these phones for crime, but I'd like that to go to a judge beforehand to approve the mass surveillance, and I'd expect the bar of evidence to be extremely high before approving this. Plus instructions from the judge on destroying data of any non-criminal behaviour captured for innocents caught up in the mass trawl.
Then you have the issue of which country approves this... Should French courts be authorising hacking of English citizens' phones?
You've hit the nail on the head. The scale of this hack cannot be understated and it's going to be practically impossible to confirm you've eliminated all the backdoors into your network they have planted.
From now on you will just have to assume they have access and be constantly trying to find it. Probably not a bad approach to security anyway and a lot like our COVID safety protocols, just assume you have the virus and take precautions.
Yes, you'd expect a more detailed response from a company like this. Clearly they have decided to hide that information, why? Is it embarrassing?
I am highly suspicious of claims of state sponsored actors being the culprits. It's the ideal excuse. Only the best of the best could beat us, we are so great...
Where's your evidence that it was a state sponsored actor? Hmm you've decided not to provide that information, why?
My spidey sense is tingling.
I doubt these were system admins, just 1st line support. They probably pretended to be their IT and got them to let them remotely login to their computers to fix something, including inputting any 2FA required.
There's no easy solution, more training on phishing calls, including internal phishing attempts to catch those who fall for them. Maybe a change in process so it requires more than one person to fall victim to make changes.
Every old person I have spoken to said it is an overreaction and they don't see themselves as high risk.
I think you summed it up though. Old people, ask yourself, would I call an ambulance and take up a bed if I was dying from it? If yes, then self isolate and take it seriously.
Back to the IT angle. I had a customer who had random files go missing on Windows shares intermittently (breaking our software). I suggested they turn on Windows auditing so we could see what/which account was deleting them. The MD replied, I will get my IT to do this and sack the person responsible once we find out who it is! I couldn't believe he was so quick to jump to thinking it was some employee doing it out of malice. In my mind I thought the most likely reason was some overzealous antivirus.
I really struggle to understand which businesses they are aiming at with this as it's only going to work for everyday convenience items. All the larger retail stores wouldn't touch it with a barge pole for obvious reasons, leaving only the little guy running a corner store. But everyone knows the corner shop's main way of making profit is by not declaring all the cash they receive, so they won't want all these digital records.
Maybe they are aiming it at the landlords of all the empty retail stores?
The fact Samsung has its own repair centres is actually a selling point for me. It's the only flagship phone manufacturer that provides genuine replacement batteries at a reasonable price. If you buy a 2nd hand battery anywhere else it will be fake and have nowhere near the storage capacity of a genuine one (you might as well have stuck with the dud one). I used to repair phones myself and gave up on genuine replacement batteries bought from third parties.
I recently had my Samsung S8+ battery replaced in the Kingston store for £50 all inclusive. It's made my phone like the day I bought it. Looks like I'll get another couple of years out of it now, which is quite clearly why other manufacturers don't want to sell replacement batteries.
This is a really valid point. We don't think it's the case, but who's to say for sure?
Also, what if they have been issued a secret subpoena requiring them to give access to all the DNS logs?
Alternatively just targeting their network data which I've read can be fingerprinted to identify lookups. A massive project, but certain people have big pockets and by putting all your eggs in one basket it means they have less networks to target. Cloudflare/Google DNS being the main ones.
Anyway, 99.9999% of people don't know what DNS Sec is, so I think Firefox have done the right thing for today. In a year's time there might be a better option. If you're a techie you can change it in the options, if you aren't you would have no idea and no protection anyway, so something is better than nothing.
It's the reason the Republican party is what it is, and people are willing to vote for this criminal idiot.
It's clear Brexit happened because of tabloids blaming Europe for everything. We have started down this path, if we let them destroy the BBC we will be much further down the same route as the US.
"If Microsoft want more developers using C#, they need to drop their enterprise-style pricing and make Visual Studio much more attractive. I know that there's a Community Edition, but the cost of the jump from free to non-free is incredibly high, it's no wonder everyone just goes off and uses something else..."
It's the same as travelling in business class. Way too expensive, but you don't care as you're not the one paying it.
I'd like to see the super rich like Bezos fund security research into anything they use day to day. We'd all benefit from it if he had a team looking into WhatsApp security finding bugs and alerting WhatsApp. Apparently this breach cost him his marriage and a $38 billion settlement with his wife, whatever it costs it's going to be a drop in the ocean compared to that.
I definitely think Trump Tower is fishy, but just to play devil's advocate this does happen with bigger constructions.
Here's an example. WWF UK Headquarters (the panda one, not wrestling!). WWF knew they needed a new site for their headquarters in the UK, they asked around the different councils to see who would subsidise their new building the most. Woking won by offering to pay for the building for them, in return they got the prestige of having WWF UK Headquarters in Woking putting them on the map, and presumably more jobs... You can argue whether that was a good deal, but it shows that it makes sense to get the subsidies in place first before deciding on location. Even on a smaller scale when doing a house extension, you first sort out with the bank how much money you've got before you start the plans and construction.
I don't think this classifies as a vulnerability, this is a feature which allows you to run a command on the server from the client. I don't see any way this could be accidental, it's bizarre. It's either a deliberate backdoor or some development code that got into release by accident? The development code part doesn't make any sense either though, why would anyone add remote code execution into a development build?
Perhaps snail mail with a code, then a visit to an approved ID checker, such as a bank or post office with that code.
There's an opportunity here for someone to set this service up and sign up the ID checkers and the companies who want to prove identity.
Although this just proves a person is who they say they are, not that they own that particular login name, so it's only part of the puzzle.
It is GDPR's fault. The reason GDPR exists is because we know most companies have piss poor data protection controls. Therefore in the design of it they need to force companies to ensure they protect our personal data. Let's hope they add protocols that have to be followed into GDPR v2.
In the meantime this is great news for companies, they now have an excuse not to deal with GDPR requests, let them get stuck in the red tape of proving who they are.
Absolutely agree. I think a big issue with IPv6 is that it may be better on paper, but the human element hasn't been given enough weight. We have all grown up with IPv4 and on the surface it's pretty simple, people are lazy and don't like something that different and looks complicated.
I'd like to see a response from Raj about the author's comments. Can he explain why they are wrong?
"The network is mapping modeled stress changes to aftershocks, and this mapping will be entirely different for the example in the training data set and the example in the testing data sets, although they overlap geographically," the pair said.
"There's no information in the training data set that would help the network perform well on the testing data set - instead, the network is being asked in the testing data set to explain the same aftershocks that it has seen in the training data set, but with different mainshocks. If anything, this would hurt [the] performance on the testing data set," DeVries and Meade wrote back to Shah.
That was a really good read. I have more questions.
How did they find the server in Iceland using the admins account? What was the security failure here, surely there was an encrypted reverse proxy?
How did they find connections from San Francisco to the server? Wasn't he using a VPN?
I'm all for increased security, so I went to their website, changed my password to a random generated one (I have no idea what it is) and saved it in my password manager Blur. Then I went to see if they had a 2FA option. There is yay! But only via sms/phone call, boo! But wait, after enabling SMS 2FA, I can then enable a backup 2FA via an Authenticator App, but you cannot remove the SMS 2FA.
I signed in on my mobile and it sent me an SMS rather than using the authenticator app.
They are nearly there, but they need to push to use the authenticator app as the first choice and give the option to remove SMS as 2FA (in fact encourage it), sim swapping is incredibly easy to do, use of it to take over accounts has exploded recently. SMS 2FA cannot be trusted anymore.
I've removed SMS 2FA from my Google account, Namecheap and anywhere else that gives me the option.
Sharefile is probably the most important account I have, I use it to transfer customer data. That thing needs to be secure. They should up their game with regards to 2FA.
I can't get over the fact you have to manually copy the password file to your device. I get that it's more secure, but it sounds really annoying. What if you sign up on your PC to a service then want to login with the accompanying app on your phone? You have to copy the file first.
Just seems like a lot of hassle, LastPass sounds like a good compromise on security/ease of use unless I am missing something.
You're just paranoid until it happens. Do you cover your house in CCTV and alarms, or do you wait to be burgled before installing them?
Getting secure in IT is just such a ball ache. It requires an incredible amount of work, for something that might never happen. Personally I try to do half of it, but I'd be screwed if targeted.
I turn off WiFi on the train as it is next to useless. With my free time I dream up personal window suction-mounted antennas, tethered to your phone somehow, that you can use to boost your signal. I have yet to figure out the details on how that would actually work. Maybe I need another train journey to continue the dream.
When I looked into registrars a couple of years ago, everyone seemed to say they were the best. They were one of the first to implement 2FA which was one of the reasons I moved to them from GoDaddy.
I haven't any issues, but would be interesting to see what Google's Service is like.
I am that hoarder, but it's not because I want every email, it's just that I can't be bothered to sort them out. I have two types of email, read one and unread ones.
I am thinking I should really delete all my work ones (>10 years) as I was once told at an Oil & Gas firm that we should delete everything after 3 years of the project ending so that our own email records couldn't be used to sue us in the future.
I switched to qBittorrent (qBit) yesterday after reading recommendations on reddit. I was a bit reluctant as there have been so many features added to uTorrent that other torrent programs didn't have, such as the remote downloading, automatic seed ending, move completed downloads to another folder. But it turns out qBit has all the same features as far as I can see except the annoying adverts. It looks a lot like uTorrent did before it went ad crazy. I should have switched ages ago.
Combined with Transdroid on your android phone for remote downloading and torrent searching, it's a perfect combination.
He even admitted he was stupid to put the logos on the CD. He should be convicted as he technically committed the crime, but it should be taken into account that there is zero cost to Microsoft from doing this, he copied something which can be obtained for free and he gains very little from this copyright infringement himself (there is some as people are more likely to buy the old PC if it comes with a legitimate looking restore disc).
There shouldn't be any prison sentence, make him destroy the discs, give him a small fine at worst.
Although he gives a good reality check, I think there is a lot of innovation that can come out of this, so it is a worthwhile exercise. The tech companies have money to burn like he says, so they might as well put it into something like this.
Some of my greatest successes have been when I started something that I had no idea how complicated it would actually be thankfully, otherwise I never would have started.
Biting the hand that feeds IT © 1998–2021