Re: Just goes to show that
Duocracy is just another word for damned if you do, damned if you don't.
704 publicly visible posts • joined 1 Feb 2015
"Are they going to try to push YouTube updates?"
Short answer: of course they will... along with many other chameleon-like variations--at varying degrees of effectiveness/deadliness.
But, getting down to fundamentals...
I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams, made such delivery easier, and therefore increased the rate of delivery. After all, that's what technology does. But, when we hear that there's a "new" scam, all I see is just a new variation of a repackaged scam, delivered by a slicker, faster method.
Once we decided that users should be prompted to allow an update, we effectively created a procedural convention that could be leveraged by fakes.
The fundamental problem is making it impossible to fake an official notification. Basic rule of security: you can make things harder, slow the rate of compromise, and mitigate the risks/costs--but you can't make fakes impossible--just costlier.
And then, if you've bothered to read this far, there's that final unfortunate trade-off. Barriers to fakes usually make things harder on users (think TSA), so we don't build the best barriers in the hopes that users will tolerate and comply with the ones we put in place. It's a bit of a juggle.
Flash is just one of those pervasive things that should have died long ago. Its persistence is simply easily exploited. It's a bit of low-hanging fruit that should
The synergy between the two will become part of the evolutionary process that leads to humans and AI becoming intertwined. Insert whatever dystopian scifi future you find fitting here.
Meanwhile, social media and addictive consumerism are programming the next generation of humanity, with the expectation that the data analytics used in that will eventually be guided by AI (assuming that isn't already secretly the case). And, these marketing and psyops strategies are now increasingly employed by political parties. We are so doomed.
"There is no excuse in this day and age for AWS buckets to be left unsecured. Amazon provides tools for detecting and closing off inappropriately opened buckets..."
The thing is, I used to think this was missing. Well, maybe it once was. And, I suppose it could be better.
Yet more and more, it seems that there are too many out there throwing together projects at a level that is of the Dunning-Kruger variety.
AWS could well require a check box for a disclaimer form that would require acknowledgement that reasonable security scanners, development principles, and testing must be employed. But, we live in a click-through World.
That clarifies FIDO's claim nicely. Thank you. And, from a professional perspective, your first point is well taken. Yet, my alter ego will be keeping an eye out for any emergent dysfunction. Funny how I end up supporting these things in the workplace and railing against any emergent dysfunction elsewhere. Such is half a matter of professionalism and half a matter of having no choice but to support brands that I wouldn't have in my home due to their monopolistic control.
Thank you for answering my previous question. However, I fear your second point is in peril, given the list of sponsors that I found at the FIDO2 web site. This tends to cement what my spidey sense had warned of--that they fully intend to build an infrastructure controlled purely in the commercial space, leading to gawd knows what other kinds of evil. Oh wait, they're claiming not to be evil--even to prevent evil. Where have we heard that kind of thing before? I wonder if one might find a hint on their sponsor page.
Yes, some of us do have ways to manage passwords reasonably. If we don't get options, as some now offer, then this becomes a Harrison Bergeron issue. In fact, that would be another clue something fishy is going on, forcing everyone onto a platform designed for those who do a bad job of managing passwords.
Any commentary out there that is reasonably intelligent yet paranoid (short of the full-blown tin-foil hat variety) on this?
I've had a look at the sponsors of this project, and my spidey sense is tingling. The technology claims: "The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user's device."
Given the industry motivation for super cookies and other technologies designed to circumvent our efforts to not be tracked, I should wonder what kind of profiling might be in the future that would make their claim a blatant and utter lie.
They come and they go. I tolerate the ones that have the "skip ads" button, for the illusion that I seem to get to vote down the bad ads. It's the 5-second ones I despise, and I just close the tab for those--as if that somehow compensates for being abused. If they get bad, I'll start using an ad blocker.
As for Amazon Streaming, they started showing ads for every viewing--and most of them are horrid. So, I quit Amazon entirely. When I quit Amazon Prime, there was that warning of how many hundreds of dollars I had saved on shipping. I just laughed; I wasn't going to be paying for any more shipping with Amazon. They should have worried about how many thousands of dollars in revenue they were losing--because of abusively persistent advertising. Hah!
It would be nice if ad services could be held accountable for what sellers put into their services. That is, do ad services perform reasonable screening of the content coming from a seller, and can the ad service be liable for any resulting damages? Until that situation gets fixed, there are organizations in which ad services are blocked at the proxy--as a potential source of malware.
API management seems to be the term du jour, with Google's offering being Apigee (not that I know all that much about it). Web services would reasonably need all the traditional security tools that a web server on the Internet should have. But, these are being expanded and enhanced for web services (though, there are surely others more knowledgeable about this than I).
Come to think of it, https://www.natwest.com is the exact length of the shortened URLs--which makes https://natwest.com shorter than the shortened URLs.
I'm not going to bother to look, but I suppose they were either login, support, or announcement pages. Still, it would be so easy to launch a phishing campaign with shortened URLs for this incident. Why condition customers to think that such a practice is normal?
Heh, had to look... Whether or not that's really the bank that threw up the temporary server issuing the 404, it gets Bs and Cs for weak TLS settings (no TLS 1.2 but does do TLS 1.0, etc.)--in addition to the name mismatch--not that there's anything worth securing there. I guess it was more important to get that out there quickly than well. But, it shows what happens when you don't keep up with your renewals?
(To be fair, the other destinations came up A+ though.)
Wow, that really put a bizarre idea in my head. (Oh, and upvote on your point about validated statements.)
What if the voting app hacked your banking app to cause you to make a massive donation to the wrong candidate?
I'm glad it's Friday. I'm seriously going to need to get toasted this weekend.
You're not alone. But, I'd like to see a decent survey of how many actually selectively turn their Bluetooth off. Here's a proposed survey:
Q: How much time do you leave your Bluetooth off?
1. Oh, do I need to see a dentist?
2. I just leave everything at the default settings.
3. I put the phone in airplane mode when I'm not expecting calls.
4. I only turn it on when I need to make a call.
5. I refuse to use it altogether.
6. I rooted the phone and ripped out the drivers so that some malware can enable it against my will.
My answer is 4.
"...they detailed it in their privacy policy."
Ya know, if this was really the way everything was supposed to work, then you'd see this sign at the entrance of every store: "By entering this store, you agree to the terms of service and privacy policy of this store. A copy of these policies can be obtained at the service desk within."
And, of course, products would also come boxed with this statement contained within: "By opening this box, you agree..." etc.
We're being sucked into forfeiting our rights with hidden legalese. This can't go on like this forever.
Dunning-Kruger is rampant in IT. There's an imbalance in how people learn. Some focus too much on hacking. Some spend a decade or more in only one job and think the whole World works that way. Or they've only worked with one kind of hammer and everything is just the kind of nail that such a hammer is for. And, watch out for the ones with sledge hammers. And, then there are those with long strings of certs after their name--and still have to be told how things work.
Finally, if it happens that you are in fact competent and work for those who are not, how are they going to be able to recognize that competence?
"Code is super buggy these days..." That point is worthy of comment. Once upon a time, one would have hoped for some logarithmic leveling off of bug growth. But, today's code growth, in fact code library growth, does not appear to be linear. Big-O notation for it is likely a bit messy, either polynomial, exponential, or the product thereof. So, what does that say for bug growth? Anyone got any solid statistics for identifying a trend?
And, don't forget, DuckDuckGo has its own anti-tracking add-on, which I use alongside Ghostery, EFF Privacy Badger, No-Script, and a UTM stripper. And, the UTM stripper is important, because there are just so many sites wanting to optimize their Google ranking that they just can't help giving Google everything it wants.
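What a "UTM stripper" add-on actually does, as an added example that is not part of the post above or of any of the add-ons it names: rewrite each outgoing URL so the analytics parameters never reach the site. The parameter list (the `utm_` prefix plus a few click identifiers such as `fbclid` and `gclid`) is an assumption for illustration; a real add-on ships a maintained list. The `onBeforeRequest` shape is the hook a WebExtension would register with `webRequest`; it is shown here as a plain function so the logic runs stand-alone in Node.

```javascript
// Added example (not from the original post): strip tracking parameters
// from a URL the way a browser "UTM stripper" add-on does, using the
// WHATWG URL API available in browsers and Node.

// Assumed list for illustration; real add-ons maintain a much longer one.
const TRACKING_PARAM_PREFIXES = ['utm_'];                       // utm_source, utm_medium, utm_campaign, ...
const TRACKING_PARAM_NAMES = new Set(['fbclid', 'gclid', 'mc_eid', 'mc_cid']);

function isTrackingParam(name) {
  const key = name.toLowerCase();          // match case-insensitively (UTM_Source etc.)
  return TRACKING_PARAM_NAMES.has(key) ||
         TRACKING_PARAM_PREFIXES.some((prefix) => key.startsWith(prefix));
}

/**
 * Return `input` with tracking parameters removed. Other parameters keep
 * their order and values, and the fragment is preserved. Anything that does
 * not parse as an absolute URL is returned unchanged so a link is never lost.
 */
function stripTrackingParams(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return input;                          // relative or malformed: leave it alone
  }
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (!isTrackingParam(name)) kept.append(name, value);
  }
  // Assigning '' to `search` sets the query to null, so no dangling '?' remains.
  url.search = kept.toString();
  return url.href;
}

// Hook shape a WebExtension would register with webRequest.onBeforeRequest.
// Redirect only when something was actually stripped; returning a redirect
// for an already-clean URL would loop forever.
function onBeforeRequest(details) {
  const cleaned = stripTrackingParams(details.url);
  return cleaned === details.url ? {} : { redirectUrl: cleaned };
}

// Constructed sample links, not captured from any real site.
const samples = [
  'https://example.com/article?utm_source=newsletter&id=42&utm_campaign=spring#comments',
  'https://example.com/landing?UTM_Medium=cpc&fbclid=abc123',
  'https://example.com/search?q=flash+eol',
];
for (const link of samples) {
  console.log(link, '->', stripTrackingParams(link));
}
```

Note that the hook leaves the fragment and any non-tracking parameters alone; a stripper that rewrote `?q=` or the path would break legitimate links, which is exactly the user-tolerance trade-off the earlier comment about barriers describes.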
Then on top of that, how would Google enforce it--if it actually did care? Manufacturers may well pull the same kind of sleazy data-slurping hackery that got us stuck with super cookies. If they're willing to hack a way for them to get around our tools to not get tracked, then they'll surely find similar sleaze code for bundled apps. {insert-my-usual-rant: we-consumers-need-our-own-DMCA-protection-from-corporations}
We already know that the top executives are leaving behind the "don't be evil" mantra. I mean, have already left it behind.
So, pre-installed apps that can't be uninstalled and have control over permissions aren't the real news. The real news is that they are overtly visible apps and not something hidden behind the scenes. So, now it's brazen evil.