Message boards : Politics : Computers & Technology 4
ML1 (Joined: 25 Nov 01, Posts: 20989, Credit: 7,508,002, RAC: 20)

> Millions of blinded eyeballs. Kernel.org hacked

Thanks for that... But why now? That is all from very many years ago! ... A slow news week and clickbait?...

Regarding that some of the kernel.org servers were some of the victims, the kernel code that was being served was unaffected. There are separate cryptographic hash checks securing that. Any tampering there would immediately get noticed. Further detail is given in these comments:

> Needleroozer wrote: As a clarifying point, this is not a supply-chain attack that modified the OpenSSH source code in the style of the recent attack on xz but rather a modification of OpenSSH config files and libraries to provide ongoing remote access once the attackers had gotten code execution via some other means.

> Rombobjörn wrote: ... This is the warning the victims "overlooked":

> SeanJW wrote: SSH rarely uses MFA? MFA is the most common form of authentication with SSH. It's just done with private keys and passwords attached to them, not with the password prompt. MFA is having the private key file (something you have) and the password that unlocks it (something you know). And they can be managed via hardware keys like Yubikeys (something they can do that basic FIDO2 keys don't do, so they're worth the cost there).

Indeed, we've moved on since those older naive days... A good reminder, but that article is very old click bait for a quiet week.

More of a question is how much people care (or not), and how much time people feel they have, to not take insecure "short cuts"...

IT is very much what we make it!

Martin

See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
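The quoted SeanJW comment rests on the private key actually being passphrase-protected; an unencrypted key file is only "something you have". As an added illustration (not code from the post or from OpenSSH), the following Python reads the header of an openssh-key-v1 private key file and reports whether the key material is encrypted. The `build_sample_key` helper constructs a truncated header-only sample for testing; real key files carry key material after these fields, which this parser does not need.

```python
import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed 'string' as used in the OpenSSH key format."""
    return struct.pack(">I", len(data)) + data


def build_sample_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample for testing only: magic, ciphername, kdfname,
    empty kdfoptions and a key count of 1, with no key material at all."""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    body = base64.b64encode(blob).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"{PEM_HEAD}\n{wrapped}\n{PEM_TAIL}\n"


def key_encryption_info(key_text: str) -> dict:
    """Return the ciphername/kdfname from an openssh-key-v1 file and whether
    the private key is passphrase-protected ('none' for both means it is not)."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an openssh-key-v1 file (older PEM keys use another format)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic: not an openssh-key-v1 blob")
    offset = len(MAGIC)

    def read_string() -> bytes:
        # Each field is a big-endian uint32 length followed by that many bytes.
        nonlocal offset
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        value = blob[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated string field")
        offset += length
        return value

    cipher = read_string().decode("ascii")
    kdf = read_string().decode("ascii")
    return {"cipher": cipher, "kdf": kdf, "passphrase_protected": cipher != "none"}


if __name__ == "__main__":
    for c, k in ((b"aes256-ctr", b"bcrypt"), (b"none", b"none")):
        print(key_encryption_info(build_sample_key(c, k)))
```

On a real file, call `key_encryption_info(open(path).read())`. A key that reports `passphrase_protected: False` can be given one in place with `ssh-keygen -p -f <keyfile>`. Keys in the older PEM container (`BEGIN RSA PRIVATE KEY` etc.) are rejected by this parser; for those, an encrypted key shows a `Proc-Type: 4,ENCRYPTED` header line instead.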
Gary Charpentier (Joined: 25 Dec 00, Posts: 30929, Credit: 53,134,872, RAC: 32)

> Indeed, we've moved on since those older naive days...

The proof we have not moved on: dismissiveness. Just because one attacker wasn't interested in inserting an APT doesn't mean another won't. Just because there is a tool to detect something doesn't mean the tool is being used correctly, if at all, and means nothing if the tool can be compromised. The fact it went on for so long and it was hoisting red flags sending spam ... SMH.

If I were a nation state I would have expended some significant resources on developing a tool that if deployed would become supervisory bare metal on whatever system it is deployed to and let the victim believe his OS is bare metal but it is actually a VM of the nation state's O/S. This is the ideal as you can read everything including all the cryptographic keys and generally prevent the victim from being able to discover they are a victim. After all any tool he runs in your VM will only report the VM's activity. By now I would expect more than one nation state has the signing keys for most every widely used O/S.

If you work in a sandwich shop, you may not be interesting to a nation state. If you work at a utility or a manufacturing plant you are interesting. Any and everything they discover can be used in the traditional methods of spies to compromise you. Hence those wide scale attacks by nation states to exfiltrate databases of PII.

Paranoia isn't enough.

Security is what we allow.
ML1 (Joined: 25 Nov 01, Posts: 20989, Credit: 7,508,002, RAC: 20)

> ... Paranoia isn't enough.

Agreed, there isn't enough healthy paranoia for good security.

From my experiences, the lack of any useful security is all too often from "penny pinching" and outright ignorance of the Management. There is also the all-too-often used excuse of "nothing of interest here to be a target" or that of hopeful/dismissive "only ever happens to others"... And other lame excuses, and anything to avoid any immediate 'inconvenience'.

I'm reminded of one workplace where the senior management didn't want to use passwords and were aghast at my insistence that passwords must be actually 'pass-phrases' of more than 16 mixed characters... Part of that problem was they had a complete lack of imagination and couldn't type anyhow! But also, they didn't want to pay the meager costs for using physical security keys (USB encryption keys)!! And that example is all too common in various ways.

I've had the silly example of the head of a big department thinking that no one would ever guess that his password was indeed the word "password". The one occasion I passed off as silly. But then I hit the same silliness for a Director!!... Hey-ho...

I've come to realize that lay-people find the mere thought of passwords, pass phrases, and PINs, all very high stress and scary, with a great fear from them that it is 'all too complicated'... Hence the present game that there is the assumption that everyone has a personal smartphone and that can be used as a personal MFA device... Even though that game is still all too insecure.

Can we persuade everyone to adopt physical cryptographic security keys? Have such devices implanted under the skin just like an elaborate RFID tag??...

IT security is very much how we make it...

Martin

MFA: Multi-Factor Authentication
RFID: Radio Frequency [device] Identification

See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
ML1 (Joined: 25 Nov 01, Posts: 20989, Credit: 7,508,002, RAC: 20)

> ... Virtual Machines...

VMs and the Cloud... That is a whole expanded insecure 'game' to be commented upon later!

IT is what we make it...

Martin

See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
Scrooge McDuck (Joined: 26 Nov 99, Posts: 1068, Credit: 1,674,173, RAC: 54)

> VMs and the Cloud...

Combine VMs and Cloud with "Meltdown" and "Spectre", the widespread CPU vulnerabilities (Intel and others) that enabled unauthorized memory access caused by speculative code execution.
Gary Charpentier (Joined: 25 Dec 00, Posts: 30929, Credit: 53,134,872, RAC: 32)

> Have such devices implanted under the skin just like an elaborate RFID tag??...

An ordinary RFID is just a number, utterly no different than a password, but far less secure as readers are readily available. A hash function RFID could be secure, but every RFID chip would have to hash differently or it would be trivial to clone, and of course there is a big juicy table of hash functions sitting on storage just waiting to be exfiltrated. A hash function RFID that also needed a PIN might work, but the PIN would have to be random, humans are too predictable in picking numbers, this of course in addition to a pass phrase.

Perhaps the left hand has an RFID that is the user ID, nice 8192 bit long random, the right hand has the hash RFID that needs the random 8 digit PIN to decode and the user needs to enter a human username and passphrase. That might be enough to at least make it less than trivial.

Security is what we Allow.
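The distinction the post draws between a tag that is "just a number" and a tag that hashes with its own secret is the difference between a static credential and a keyed challenge-response. As an added illustration (not code from the post, and not any real RFID protocol), the Python below models both reader checks side by side: the static reader accepts any presentation of the enrolled number, whereas the challenge-response reader sends a fresh random challenge and accepts only an HMAC computed by the tag over that challenge plus the holder's PIN, so a captured response is useless once the challenge changes. Tag keys, user names and the PIN are constructed sample values; the per-tag key is assumed to live on the tag and never be read out.

```python
import hashlib
import hmac
import secrets

# Scheme 1: a plain RFID is a static identifier. The reader compares the
# number the tag emits against the number on file; anything that can emit
# the same number passes. Constructed sample value.
ENROLLED_STATIC_ID = "3f9a1c"


def verify_static_tag(presented_id: str) -> bool:
    return hmac.compare_digest(presented_id, ENROLLED_STATIC_ID)


# Scheme 2: a keyed challenge-response tag. The tag holds a per-tag secret
# (hypothetical, assumed unreadable) and answers HMAC(key, challenge || PIN).
class ChallengeResponseTag:
    def __init__(self, tag_key: bytes):
        self._key = tag_key

    def respond(self, challenge: bytes, pin: str) -> bytes:
        return hmac.new(self._key, challenge + pin.encode(), hashlib.sha256).digest()


class ChallengeResponseReader:
    def __init__(self, enrolled: dict):
        # user_id -> (tag_key, pin). This table is the reader-side secret store
        # the post warns about; it must be protected as carefully as the tags.
        self._enrolled = enrolled
        self._outstanding = {}  # user_id -> challenge currently in flight

    def challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[user_id] = nonce
        return nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        nonce = self._outstanding.pop(user_id, None)
        if nonce is None:
            return False  # no live challenge: unsolicited or replayed response
        if user_id not in self._enrolled:
            return False
        tag_key, pin = self._enrolled[user_id]
        expected = hmac.new(tag_key, nonce + pin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Exercise both schemes and return the outcome of each check."""
    results = {}
    # Static tag: a recording of one presentation is accepted every time.
    recorded_number = ENROLLED_STATIC_ID
    results["static_replay_accepted"] = verify_static_tag(recorded_number)

    key = secrets.token_bytes(32)  # constructed per-tag key
    tag = ChallengeResponseTag(key)
    reader = ChallengeResponseReader({"alice": (key, "4821")})

    c1 = reader.challenge("alice")
    r1 = tag.respond(c1, "4821")
    results["cr_first_accepted"] = reader.verify("alice", r1)
    # Same response again with no challenge outstanding.
    results["cr_replay_rejected"] = not reader.verify("alice", r1)
    # Same response against a fresh challenge.
    reader.challenge("alice")
    results["cr_old_response_rejected"] = not reader.verify("alice", r1)
    # Right tag, wrong PIN.
    c3 = reader.challenge("alice")
    results["cr_wrong_pin_rejected"] = not reader.verify("alice", tag.respond(c3, "0000"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The enrolled table is what an attacker would want to exfiltrate, which is the post's point about the "big juicy table": the challenge-response step stops replay of captured tag traffic, but it does nothing about theft of the server-side secrets, so those belong in an HSM or equivalent rather than in a plain database.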
Wiggo (Joined: 24 Jan 00, Posts: 36360, Credit: 261,360,520, RAC: 489)

Elon's X has just found out that the usual excuse is no longer valid, with Meta next in the firing line.

> Musk's X can be liable for hate speech published on platform in landmark QCAT ruling. Social media company X, formerly Twitter, has lost a key fight over whether it's legally responsible for its activities in Australia.

If they want a presence in other countries then they must adhere to those countries' laws.
Scrooge McDuck (Joined: 26 Nov 99, Posts: 1068, Credit: 1,674,173, RAC: 54)

> If they want a presence in other countries then they must adhere to those countries' laws.

This means censoring free speech in China, for example on Tibet and Xinjiang.
Wiggo (Joined: 24 Jan 00, Posts: 36360, Credit: 261,360,520, RAC: 489)

> > If they want a presence in other countries then they must adhere to those countries' laws.
>
> This means censoring free speech in China, for example on Tibet and Xinjiang.

There's a huge difference between free speech and hate speech.
Scrooge McDuck (Joined: 26 Nov 99, Posts: 1068, Credit: 1,674,173, RAC: 54)

That's right. But in China they make no difference. There is only 'state-approved speech'. How should western companies handle this? Abandon your own principles in order to increase reach and revenue? Most of them do that. But Elon probably didn't buy Twitter to make money.
Gary Charpentier (Joined: 25 Dec 00, Posts: 30929, Credit: 53,134,872, RAC: 32)

If you own ink and a press you are a terrorist.
Dr Who Fan (Joined: 8 Jan 01, Posts: 3315, Credit: 715,342, RAC: 4)

So, that's how you

> Google’s ‘AI Overviews’ advises adding glue to pizza sauce, lists ‘health benefits’ of tobacco for tweens
>
> Dubbed “AI Overviews,” the feature rolled out to all US users beginning last week and is expected to reach more than 1 billion users by the end of the year — despite continued flubs that have dinged the chatbot’s credibility.
Sirius B (Joined: 26 Dec 00, Posts: 24905, Credit: 3,081,182, RAC: 7)

...and some sad muppet will be dumb enough to actually try it.
Dr Who Fan (Joined: 8 Jan 01, Posts: 3315, Credit: 715,342, RAC: 4)

"The cat is out of the

> Google won’t comment on a potentially massive leak of its search algorithm
Gary Charpentier (Joined: 25 Dec 00, Posts: 30929, Credit: 53,134,872, RAC: 32)

How did the millions of eyeballs miss this? https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/

> The vulnerability, which affects Linux kernel versions 5.14 through 6.6
ML1 (Joined: 25 Nov 01, Posts: 20989, Credit: 7,508,002, RAC: 20)

Wow! That's an old one!! Those kernel versions have had a very long series of updates or have long been discontinued since those days. So... The eyeballs long ago saw that one and long ago put in the fixes.

As for why systems are left to languish for years with no updates?...

IT is what we make it!

Martin

See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
Gary Charpentier (Joined: 25 Dec 00, Posts: 30929, Credit: 53,134,872, RAC: 32)

> As for why systems are left to languish for years with no updates?...

because updates break things
Wiggo (Joined: 24 Jan 00, Posts: 36360, Credit: 261,360,520, RAC: 489)

> US sues Photoshop maker Adobe for hiding fees, making it difficult to cancel. The US government is suing Adobe, accusing the design software giant of "trapping" customers into year-long subscriptions through concealing hefty termination fees and making it difficult for members to cancel.
ML1 (Joined: 25 Nov 01, Posts: 20989, Credit: 7,508,002, RAC: 20)

Great positive fun!

> Apple's Macintosh 128K on a Pi Pico gets thumbs-up from Upton wrote: Just because you could definitely means you should

And:

> Build your own handheld ZX Spectrum with Raspberry Pi Pico wrote: ... Reason number one ... better than the original ZX Spectrum: it exists in the now. Reason number two: it’s cuter because it’s smaller, meaning you can also use it as a handheld device and carry it around in your pocket. Reason number three: it’s built on Raspberry Pi Pico...

Fantastic fun! Just because it can be done!!

IT is very much what we make it!

Martin

See new freedom: Mageia Linux. Take a look for yourself: Linux Format. The Future is what We all make IT (GPLv3)
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.