Re: [funsec] Risk analysis

2013-05-12 Thread Valdis . Kletnieks
On Sat, 11 May 2013 19:04:03 -0400, Jeffrey Walton said:
> When I lived in Georgia in the 1990s, one of its counties passed an
> ordinance requiring all citizens own a gun. Around the same time, a
> county in Chicago passed an ordinance banning guns. Do you want to take
> a guess at which county experienced an increase in crime, and which
> experienced a decrease?

Multiple studies have shown that access to guns is only one very small part
of what drives the *reported* crime rate. Economic and educational conditions
in the area, and the residents' relationship with the police, have a much
higher impact on how many crimes get committed, and how many get reported.

> Anyway, the debate is not a religion to me as long as I can own one to
> rise against the government if needed.

Oh, bother.  If more of the "rise against the government if needed" crowd
was realistic about that, we could actually have rational discussions about
gun control.

OK. Everybody's got guns.

They got a supply of ammo?

They had recent marksmanship training, including shooting from behind cover,
not just standing there at the range?

They got a supply line?

They got a leadership cadre?

They got training in small-unit tactics?

There's a whole lot more to doing an effective resistance than just "I have
a gun".  But except for some militia groups that actually train, none of
the "rise against the government" crowd want to admit it.

Remember - if it comes to that, you're going against people who do that
shit day in day out for a living.  And yet, mandating a tour in the National
Guard so people have seen it and learned it *before* the bullets start flying
doesn't go over very well with the gun-rights crew (who see any sort of
mandatory training requirement as an infringement).



___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Re: [funsec] Risk analysis

2013-05-12 Thread Valdis . Kletnieks
On Sun, 12 May 2013 09:09:10 -0700, "Steve Allison" said:
> The military and law enforcement may end up having an horrifying dilemma.
> When they took the oath of enlistment (military and law enforcement), as I
> did, they swore to "support and defend the Constitution of the United States
> against all enemies, foreign and domestic; that I will bear true faith and
> allegiance to the same." But in the next breath, we had to say, "I will obey
> the orders of the President of the United States and the officers appointed
> above me." Could be a terrible dichotomy for our military.

What it *actually* says:

"and that I will obey the orders of the President of the United States and the
orders of the officers appointed over me, according to regulations and the
Uniform Code of Military Justice"

http://www.army.mil/values/oath.html

I do believe that the Uniform Code clearly states that you have both the right
and the obligation to refuse an illegal order.  So not much dichotomy there.




Re: [funsec] "1984" sales spike

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 15:32:15 -0400, Conrad Constantine said:
> On 6/11/2013 3:25 PM, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> > In other news, the NSA now knows the names of everyone who bought "1984" in
> > the past three months ...
>
> Is anyone else feeling the urge to go buy a copy of Catcher In The Rye..
> y'know.. even though you already have 8 copies of it at home?

No, what you *want* to do is have a sudden noticeable spike in sales of
something apparently innocuous, like a new edition of Hamlet or an annotated
collection of the works of Lewis Carroll.



Re: [funsec] "1984" sales spike

2013-06-14 Thread Valdis . Kletnieks
On Fri, 14 Jun 2013 17:51:35 -, "Blanchard, Michael (InfoSec)" said:
> But it's THEIR country to deal with but more so,

You know... my grandfather left Latvia because doing so was a lot easier than
staying there and trying to avoid being either shot or sent to Siberia, because
there really wasn't much he could actually do to get rid of Stalin and his
armies and KGB agents. (And yes, the KGB *was* actively looking for my
grandfather)

Are you suggesting he should have stayed there and "dealt with it"?

Saying it's their country to deal with overlooks the very real fact that
often, the only realistic choices are exile and martyrdom.



Re: [funsec] Former DOJ Prosecutor Files $3 Billion Suit Against Obama, Holder, NSA, Verizon Over PRISM

2013-06-16 Thread Valdis . Kletnieks
On Sat, 15 Jun 2013 20:55:25 -0400, Jeffrey Walton said:
> https://www.google.com/#q=Larry+Klayman+lawsuit+prism
>
> All the references are non-mainstream (Washington Post, NY Times, and
> other mainstream outlets have not picked up the story yet).

This will almost certainly go nowhere, for the exact same reason that
most of the lawsuits about warrantless spying went nowhere - nobody can
show proof they were actually spied on and therefore have standing to sue
as "plaintiff who was spied on".  Every single one of the warrantless
spying cases went bye-bye except for one law firm that got hold of an
accidentally released document showing that they were in fact targeted.



Re: [funsec] The ultimate illegible PowerPoint slide!

2013-06-20 Thread Valdis . Kletnieks
On Thu, 20 Jun 2013 11:49:46 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> http://www.gartner.com/technology/research/digital-marketing/transit-map.jsp

Am I the only one bothered by the fact there's a Pink Line that's unidentified?



Re: [funsec] The ultimate illegible PowerPoint slide!

2013-06-20 Thread Valdis . Kletnieks
On Thu, 20 Jun 2013 17:51:36 -0500, RL Vaughn said:
> >> http://www.gartner.com/technology/research/digital-marketing/transit-map.jsp

> I am color blind.  Are you talking about the pink line labeled
> "Commerce" or the pink line labeled "MKTG MGMT"?

I mean the one that *would* be 'Ad Technology' if it was wired up
correctly and not permanently greyed out...  (at least it is in Firefox).




Re: [funsec] Mailer Software that inserts "X-NSCC" header?

2013-06-25 Thread Valdis . Kletnieks
On Tue, 25 Jun 2013 05:54:59 -0400, Rich Kulawiec said:

> a) Inserting headers into the canned meat products of the Hormel Corporation
> would be a very neat trick.

How do you know that Hormel isn't already doing that? Consider what they *do*
put in there.. :)



Re: [funsec] We know where you are. And where you've been ...

2013-07-18 Thread Valdis . Kletnieks
On Thu, 18 Jul 2013 16:49:09 -0400, Joel Esler said:

> License plates are not private information.

Yes. But does the location of the car they're attached to count as private info?

Is it legitimate to use massive amounts of cameras to end-run the court cases
where a warrant was required to use a GPS tracker?  How is using cameras
instead of a GPS different?



Re: [funsec] Huawei

2013-07-23 Thread Valdis . Kletnieks
On Mon, 22 Jul 2013 18:47:33 -0600, Bruce Ediger said:
> On Mon, 22 Jul 2013, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
>
> > "Huawei Is a Security Threat and There's Proof, Says Hayden"
> >
> > However, they are not going to tell you what the proof is.
>
> I assumed that because it was Hayden, that was just more "Let's keep
> the Cyberwar Boogieman going, because otherwise, how will we keep the
> pig's trough with taxpayer dollars?"

Either that, or he simply didn't get the memo?

http://www.propublica.org/article/nsa-says-it-cant-search-own-emails




Re: [funsec] How *NOT* to handle incorrect passwords ...

2013-07-25 Thread Valdis . Kletnieks
On Thu, 25 Jul 2013 10:59:55 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> https://twitter.com/cjcheshire/status/360326695137468416/photo/1
>
> Virgin Atlantic feels that it is a good idea to provide the failed password, in plain
> text, in the URL when you try for a reset ...

Just be glad it isn't the correct password, helpfully provided for your
second attempt.



Re: [funsec] Encryption is less secure than we thought

2013-08-16 Thread Valdis . Kletnieks
On Fri, 16 Aug 2013 21:58:10 +0200, "Daniël W. Crompton" said:

> http://www.mit.edu/newsoffice/2013/encryption-is-less-secure-than-we-thought-0814.html
> 
> What do you think?

It's an interesting result, but not likely to make much real difference.
Basically, they're pointing out that most estimates of a crypto system's
strength assume that keys are basically white noise, while in practice
they're usually a colored noise, and you can leverage the difference to make
it a bit easier to crack.

Of course, this is basically what password cracking programs have been doing
for decades now, when they apply heuristics to what passwords and variations
to try first.
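The "white noise vs. colored noise" point above, as an added example that is not code from this thread or from the MIT paper: it compares the naive 2^H strength estimate against the expected guesswork of an attacker who tries the likeliest keys first, for a uniform key source and for a constructed skewed one. The distributions are made up for the demonstration.

```python
"""Added example (not from the funsec thread or the MIT paper).

Strength estimates usually assume uniformly random ("white noise") keys.
When the key source is skewed ("colored noise") and the attacker guesses in
most-likely-first order, the same heuristic password crackers use, the
expected number of guesses falls well below what the naive estimate implies.
All key distributions here are constructed for the demonstration.
"""
import math
from typing import Dict, List


def shannon_entropy_bits(probs: List[float]) -> float:
    """Shannon entropy H of a key distribution, in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def expected_guesswork(probs: List[float]) -> float:
    """Expected number of trials when guessing keys in most-likely-first order.

    The attacker asks 'is it key 1?', 'is it key 2?', ... sorted by
    probability, so the key at rank i costs i guesses when it is the right one.
    """
    ordered = sorted(probs, reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def uniform_keys(n: int) -> List[float]:
    """'White noise': each of the n keys is equally likely."""
    return [1.0 / n] * n


def colored_keys(n: int, ratio: float) -> List[float]:
    """'Colored noise': a truncated geometric distribution over n keys.

    Each key is `ratio` times as likely as the previous one, so a small ratio
    models a heavily biased key source; ratio=1.0 reduces to the uniform case.
    """
    weights = [ratio ** i for i in range(n)]
    total = sum(weights)
    return [w / total for w in weights]


def strength_report(probs: List[float]) -> Dict[str, float]:
    """Compare the naive estimate (2^H keys to search) with the guesswork.

    'naive_keyspace' is what entropy alone suggests; 'guesswork' is what a
    most-likely-first attacker pays on average; 'effective_bits' turns that
    into a key-length equivalent (note that even uniform keys cost about
    half the keyspace on average, i.e. roughly H - 1 bits).
    """
    h = shannon_entropy_bits(probs)
    g = expected_guesswork(probs)
    return {
        "entropy_bits": h,
        "naive_keyspace": 2.0 ** h,
        "guesswork": g,
        "effective_bits": math.log2(g),
    }


def uniform_vs_colored(n: int, ratio: float) -> Dict[str, Dict[str, float]]:
    """Side-by-side report for n keys: uniform source vs. biased source."""
    return {
        "uniform": strength_report(uniform_keys(n)),
        "colored": strength_report(colored_keys(n, ratio)),
    }


if __name__ == "__main__":
    # A 256-key toy keyspace keeps the numbers readable; ratio 0.9 is a
    # mildly biased source, yet the guesswork already drops noticeably.
    for name, rep in uniform_vs_colored(256, 0.9).items():
        print(f"{name:8s} H={rep['entropy_bits']:.2f} bits  "
              f"2^H={rep['naive_keyspace']:.1f}  "
              f"guesswork={rep['guesswork']:.1f}  "
              f"effective={rep['effective_bits']:.2f} bits")
```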



Re: [funsec] Explosive breast implants

2013-08-20 Thread Valdis . Kletnieks
On Tue, 20 Aug 2013 09:53:52 -0400, Stephanie Daugherty said:

> And the real reason airliners aren't being attacked anymore probably has
> more to do with the passengers than the added security. Post 9/11, the
> passengers will beat someone to a pulp before they can even think about
> doing anything funny...

Bruce Schneier says that attitude change and hardening the cockpit doors are
the only two effective aircraft security changes we've had post-9/11.



Re: [funsec] It's ... SUPER-USER!

2013-08-30 Thread Valdis . Kletnieks
On Fri, 30 Aug 2013 15:20:52 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> According to the NSA, "NOBODY could stop Snowden – he was A SYSADMIN!"

If they were using SELinux with the MLS policies, even as sysadmin he couldn't
have done that stuff without being detected, because the sysadmin user and the
audit/security user are two separate roles, and sysadmin can't touch the
audit logs nor can they su to 'audit'.

Maybe they should go talk to the people who developed SELinux.

Oh wait...




Re: [funsec] Invitation to connect on LinkedIn

2014-01-08 Thread Valdis . Kletnieks
On Wed, 08 Jan 2014 18:38:19 -0500, Jeffrey Walton said:

> Thanks kind of interesting, considering the officers control and steer
> the organization. Have you been following this (trying to remove an
> NSA co-chair due to the surreptitious sabotaging of standards):
>
> "NSA co-chair claimed sabotage on CFRG list/group",
> http://lists.randombit.net/pipermail/cryptography/2014-January/006136.html
> and "ECC patent FUD revisited",
> http://lists.randombit.net/pipermail/cryptography/2014-January/006108.html.

OK.. I took a sick day, and I'm insufficiently caffeinated, but I'm missing
the ISC2 connection there?



Re: [funsec] Job Security!!!!

2014-02-02 Thread Valdis . Kletnieks
On Wed, 29 Jan 2014 09:00:23 -0800, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> Apparently the new Cisco annual security report for 2014 says that some time
> this year the industry will be short more than a million security professionals.
>
> (I'd break out the champagne, except that I recall a Gartner report from a decade
> ago that said the US alone would need a quarter million CISSPs as of that time.

Apples, Oranges.  Security professionals, CISSPs.



Re: [funsec] Obfuscation = cryptography?

2014-02-04 Thread Valdis . Kletnieks
On Mon, 03 Feb 2014 16:28:28 -0800, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> OK, I'll admit that the math in this type of paper is completely beyond me.
>
> http://www.wired.com/wiredscience/2014/02/cryptography-breakthrough/
>
> But, hasn't he, or any of his friends, paid any attention to malware in the past two
> decades?  There is plenty of obfuscation out there.  (Most of it does what his
> program does: turn little programs into bloated monsters.)

The guy's an academic.  He's focusing on what's theoretically possible,
not what makes sense out in the real world.  Two main reasons it will
never fly:

1) The performance hit.  It will *by definition* be excessive for production
use - because if it was cheap (say, a 2X to 10X hit), it would be easy to
reverse engineer (note that we *can* RE the current class of obfuscated
malware).

2) The debugging hit.  It's hard enough to figure out why software crapped
out - this would make it even harder.




Re: [funsec] Interesting twist on intellectual property law

2014-03-23 Thread Valdis . Kletnieks
On Sat, 22 Mar 2014 12:53:36 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:

> The trick can't be protected, but the performance can. [2]

> [2] - Normally I'm not on the side of IP protection, but I find this an
> intriguing legal argument.

That's been baked into US copyright law since the beginning - an idea
can't be copyrighted, but an instantiation or performance can.

The murky part is deciding if a claimed infringement is based on an idea
or on a specific instance of it - you can rack up a lot of billable hours
deciding whether a story is based on a trope like "young girl treated horribly
by wicked stepmother until saved by prince", or whether you've included too
many story elements from Disney's version of Cinderella.  Similarly, you're
allowed to draw pictures of "young boy with animated stuffed animal", but
if it looks too much like Calvin and Hobbes or either the AA Milne or Disney
versions of Winnie the Pooh, you may want legal advice.



Re: [funsec] I made Obama's BlackBerry

2014-05-28 Thread Valdis . Kletnieks
On Wed, 28 May 2014 06:59:10 -0400, Rich Kulawiec said:

> [1] Please.  No whining.  Steve Miller once rhymed "Texas" and "facts is".

The dude also thinks that "pompetus" is a word.



Re: [funsec] We're in for it now ...

2014-05-28 Thread Valdis . Kletnieks
On Wed, 28 May 2014 16:59:41 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> http://www.sciencedaily.com/releases/2014/05/140528163739.htm
>
> "People with high levels of cynical distrust may be more likely to develop
> dementia.

So being a realist makes you eventually go crazy? :)



Re: [funsec] "LinkedIn to face customer lawsuit over email addresses" -- itnews.com.au

2014-06-16 Thread Valdis . Kletnieks
On Mon, 16 Jun 2014 10:17:32 -0700, Steve Pirk said:

> I keep putting off deleting my LinkedIn account. If they can blow off any
> security concerns with this app, then they are quite clueless or evil, take
> your pick.

I posit that anybody who hasn't already made up their minds regarding
LinkedIn's cluelessness or evilness is probably best described by either
the phrase "total noob" or "paid apologist".



[funsec] Crap. Why didn't I think of that?

2014-06-16 Thread Valdis Kletnieks
Oy. Vey.

"Study done by Carnegie Mellon University examines the cost for an attacker to
pay users to execute arbitrary code - potentially malware.

Users at home are asked to download and run an exe without being told what it
did and without any way of knowing it was harmless.

Each week they increase the payment. Study observed that for payments as low as
$0.01, 22% of the people who viewed the task ultimately ran the executable.
Once increased to $1.00, this proportion increased to 43%. As the price
increased, more and more users who understood the risks ultimately ran the
code. They conclude that users are generally unopposed to running programs of
unknown provenance, so long as their incentives exceed their inconvenience."

http://www.spywarenews.org/easiest-way-to-get-people-to-install-malicious-software-is-to-pay-them/



Re: [funsec] Computing student jailed after failing to hand over crypto keys

2014-07-17 Thread Valdis . Kletnieks
On Thu, 10 Jul 2014 02:03:43 -, "Blanchard, Michael (InfoSec)" said:
> So, just for debate...
>
>   The 5th protects us from handing over passwords.  So they ask for decrypted data to be handed over.
>   Wouldn't that be a 5th amendment violation as well?

Keep in mind that the story is from England, which doesn't have a 5th
Amendment (or a 4th, for that matter).

And a lot of the current fuss in US case law on the subject actually does
revolve around whether requiring somebody to cough up a password is more akin
to producing a physical key for a padlock and covered by the 4th, or whether
it's compelling a statement and thus covered by the 5th. (The problem is that
the ground rules for a DA to force a statement and force production of a
key are quite different)




Re: [funsec] US capitol not in US, according to TSA

2014-07-17 Thread Valdis . Kletnieks
On Thu, 17 Jul 2014 23:23:37 -0400, Bill Terwilliger said:

> The comment about smart people being involved is a bit presumptive.
> Geography knowledge may or may not be an indicator of intelligence but I
> somehow doubt that lack of it is an indicator of stupidity.

OK. I admit *I* don't know what a DC driver's license looks like either.

But give me a *break*:

  When Gray handed the man his driver's license the agent demanded to see Gray's
  passport.
  Gray told the agent he wasn't carrying his passport and asked why he needed it.
  The agent said he didn't recognize the license.
  Gray said he asked the agent if he knew what the District of Columbia is, and
  after a brief conversation Gray realized the man did not know.

OK?  The TSA guy *did not understand that DC is part of the US*.

Which means the TSA's vetting process for employees is so weak that they'll
hire *people who don't know where the fuck the capital of their own country is*.

Now think *real* hard - would *you* hire a security guard who didn't even
understand that Washington DC is our nation's capital?




Re: [funsec] US capitol not in US, according to TSA

2014-07-18 Thread Valdis . Kletnieks
On Fri, 18 Jul 2014 11:29:16 -0400, Jeffrey Walton said:

> Potomac. Maybe he was hoping it swallowed all the assholes in
> Washington and reverted back to the swamp ;)

And you thought the marshes near Chernobyl were a toxic waste site.



Re: [funsec] Driverless cars could be lethal - FBI

2014-07-19 Thread Valdis . Kletnieks
On Sat, 19 Jul 2014 15:44:45 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> http://www.bbc.com/news/technology-28344219
>
> Seems to me that nobody in the FBI is reading the traffic fatality statistics
> obtained on cars driven by humans.
>
> (OK, yes, the feebies seem to be concerned about automated cars that allow the
> passenger to shoot back at you.  But isn't that already happening anyway?)

"And, under the heading "Multitasking", the FBI said that "bad actors will be
able to conduct tasks that require use of both hands or taking one's eyes off
the road which would be impossible today". That raised the prospect that
suspected criminals would be able to fire weapons at pursuing police cars."

Drivers are apparently already quite capable of applying lipstick, shaving, and
updating spreadsheets in rush-hour traffic; I'm not seeing any new threats
here?




Re: [funsec] Chip based on human brain

2014-08-08 Thread Valdis . Kletnieks
On Fri, 08 Aug 2014 12:07:37 -0800, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:

> Is programming these things going to be more akin to psychoanalysis?

Debugging large server clusters is already halfway there.



Re: [funsec] Weather forecasts XOR wind power ...

2014-08-13 Thread Valdis . Kletnieks
On Wed, 13 Aug 2014 12:10:37 -0700, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> http://www.cbc.ca/news/technology/radar-software-may-fix-weather-forecast-issues-caused-by-wind-farms-1.2735138

Right up there with the mayfly blossom the other week that registered as
a hailstorm on the radar.

> Sorry, but I find this completely predictable.  In fact I strongly suspect a large
> scale wind farm would modify the weather, since you are harvesting the energy in
> weather systems (albeit relatively close to the ground ...)

Almost certainly *not* enough to make a significant difference.  A single
medium-sized thunderstorm can release 10^15 joules of energy, which works
out to about 300 gigawatt-hours.  Assuming a 2 hour lifespan, that's a
power release of about 150 gigawatts.  The biggest wind farms out there
are about 1 gigawatt, and most large farms are closer to 300 megawatts.

Somehow, I doubt that sucking out 0.2% of the energy is going to make
a hill of beans difference.

http://en.wikipedia.org/wiki/List_of_onshore_wind_farms





Re: [funsec] Fake Cell Phone Towers Discovered Grabbing Signals

2014-09-09 Thread Valdis . Kletnieks
On Tue, 09 Sep 2014 09:23:53 +0200, PsychoBilly said:
> "The fake towers force phones to slow down to 2G from 4G, so a sudden 
> decrease in download speed may be a clue that a phone is being tapped."
>
> That's f#ing hilarious statement...

You'd be amazed what you can use to detect that somebody is trying
something nefarious.  Some co-workers of mine wrote code that was not
only able to tell when a mobile device was being hit with an nmap scan
or other attack, but identify what sort of nmap scan or attack it was...

... based on the drain pattern on the device battery.

http://www.security.vt.edu/security_lab/publications.html

and look at the "battery" stuff down towards the bottom.



Re: [funsec] Don't mess with Canadians carrying sticks ...

2014-10-22 Thread Valdis . Kletnieks
On Wed, 22 Oct 2014 17:02:14 -0400, Jeffrey Walton said:

> Politicians are usually corrupt to the core. They are more than happy
> to take money and peddle influence. I'd much rather see a politician
> killed, and I'm not sure I would bestow honors on someone who stopped
> it...

Would you bestow honors on the guys who stopped John Hinckley Jr. before he
managed to get another bullet into Reagan?  How about if somebody had
stopped Lee Harvey Oswald or the guys who shot Gandhi and Benazir Bhutto?

Yes, many of them *are* corrupt, but jumping from there to "Every single
one of them is so corrupt that they don't deserve an attempt to stop
an assassination" shows something pretty sad about you.

If nothing else, remember that most of them have families that will grieve.
Those politicians need to lose an election.  Not a life.



Re: [funsec] Don't mess with Canadians carrying sticks ...

2014-10-23 Thread Valdis . Kletnieks
On Wed, 22 Oct 2014 21:36:16 -0400, Jeffrey Walton said:

> Given that some politicians are more dangerous than terrorists, and we
> kill terrorists, then what should be done with politicians who commit
> crimes against the democracy and the citizens?

They should either lose elections, or they should end up in a criminal
court and given a fair trial, no matter *how* big a scum they are.

Saying that it's OK for random vigilantes to shoot at them means you've
basically given up the idea of the rule of law.



Re: [funsec] Copy of Sony's security audit performed by Pricewaterhouse Coopers?

2014-12-15 Thread Valdis . Kletnieks
On Sun, 14 Dec 2014 23:48:36 -0500, Jeffrey Walton said:
> According to the original report
> (http://recode.net/2014/12/12/sony-pictures-knew-of-gaps-in-computer-network-before-hack-attack/):
>
> The confidential report, dated Sept. 25, was among Sony
> Pictures General Counsel Leah Weil’s email correspondence,
> which hackers released to public file-sharing networks earlier
> this week. It included recommendations for bolstering security.


Oh.. Now this makes even more sense:

http://gawker.com/sony-threatens-everyone-reporting-on-their-data-leak-1671012778

Of course, that's not going to work. :)




Re: [funsec] Net-connected Barbie?

2015-02-17 Thread Valdis . Kletnieks
On Tue, 17 Feb 2015 14:57:04 -0800, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:

> Then what kind of algorithm is being used to "feed" jokes and games?  There
> wouldn't be *any* possibility that someone could tweak the agenda here, is
> there?  No possibility of propaganda aimed at the kids?

Harry Harrison wrote "I always do what Teddy says" back in 1965.



Re: [funsec] Waste four and a half minutes of your time

2015-02-27 Thread Valdis . Kletnieks
On Fri, 27 Feb 2015 20:29:59 +, Sam Finnemore said:
> It begs the question, how on *earth* did we make it to the top of the food chain?

We're the only species that can get "high speed chase" and "Yakkity Sax"
into the same sentence. Because let's face it, we really don't have anything
else going for us than the mental ability to make sentences like that.



Re: [funsec] Important Service Announcement

2015-03-05 Thread Valdis . Kletnieks
On Thu, 05 Mar 2015 20:31:50 +, "Kain, Rebecca (.)" said:
> Back when I was young, we got our p0rn via uuencode and we liked it!

Many moons ago, I got a trouble ticket about a user who had 2 complaints:

1) Their mail would take forever to send.
2) My Listserv server was rejecting even short messages with a "message too
large" error.

and lo and behold, where you'd expect a .sig block, there was:

begin 644 qzdf.gif

followed by lots of uuencoded data.  When extracted, it depicted several
people engaging in something that I'm *still* convinced is anatomically
improbable.  So I send the user a polite note to check their config
carefully, as it appears that their .sig block was the cause of the
problem.

About 45 minutes later, I get a reply from the user, sans .sig block,
saying just "Be right back - need to go kill the asshole roommate".



Re: [funsec] Need job description, PDQ!

2009-05-14 Thread Valdis . Kletnieks
On Wed, 13 May 2009 20:54:55 -0800, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> The following was posted on a security job mailing list today:
> 
> --- Forwarded message follows ---
> Date sent:Wed, 13 May 2009 12:38:22 +
> 
> Job Description:
> [...  general we-are-good-people-to-work-for bumpf ...]

Spotted by my brother a few days ago: Akamai is looking for a project manager:

http://jobs.myspace.com/a/ms-jobs/view/jobkey-5296.34855631/jp-1/hits-6

Additional requirements include:
* Project management background or equivalent experience
* Ability to work on multiple concurrent tasks, and to prioritize tasks to 
maximize productivity
* Strong analytical and problem-solving skills
* Well-honed motivational and communication skills
* Ability to work independently
* Firm understanding of the principles of feline herd dynamics

:)



Re: [funsec] Israel's population registry leak

2009-05-14 Thread Valdis . Kletnieks
On Thu, 14 May 2009 13:59:22 EDT, "Young, Keith" said:

> Actually, there was a prosecution 5 years ago where the screener was
> traced via coding (aka a watermark) back to an individual:
> http://www.msnbc.msn.com/id/4037016/

The only reason we don't see more of these prosecutions is because the MPAA
would have to admit that the vast majority of movies pirated before the official
DVD release aren't video copies from movie theaters, but insider jobs...



Re: [funsec] U.S. Attorney's office tells employees not to log on to Drudge Report

2009-05-15 Thread Valdis . Kletnieks
On Fri, 15 May 2009 20:38:11 EDT, Larry Seltzer said:

> But what really has me concerned here is that the Justice Department's
> malware management technique is to tell their users not to surf to a
> specific web site. That can't be an effective answer. They can't deal
> with this at the gateway somehow? 

You gotta remember that DoJ's computer security stance is probably best
described as "at least it doesn't suck as hard as Dept of Interior".



Re: [funsec] test

2009-05-19 Thread Valdis . Kletnieks
On Tue, 19 May 2009 09:30:13 CDT, Ron said:
> Perhaps security is done.
Or we all gave up in disgust. :)

> The Internet is safe.
It's as safe as the users deserve. ;)

> What's the next challenge?
Snowboarding without dislocating my shoulder. ;)



[funsec] Breaching the Great Firewall of China

2009-05-19 Thread Valdis . Kletnieks
Hilarity ensues.

http://www.weirdasianews.com/2009/05/19/chinese-wall-breached-unusual-horse/




Re: [funsec] Experts: GPS system 'close to breakdown'

2009-05-28 Thread Valdis . Kletnieks
On Thu, 28 May 2009 08:26:08 PDT, Benjamin April said:
>> "US government officials are concerned that the quality of the Global 
>> Positioning System (GPS) could begin to deteriorate as early as next year,
>> resulting in regular blackouts and failures – or even dishing out 
>> inaccurate directions to millions of people worldwide.

> I call FUD. A sensible GPS should cease to give directions if the
> current EPE (Estimated Position Error) exceeds a reasonable value.
> Based on the position of the satellites detected and their relation
> to the receiver it can calculate an approximate accuracy.

> Lack of satellites could cause outages, it won't direct you to
> Seattle when you are headed for Boston.

Your GPS thinks you're heading north into Blacksburg from I-81 on the 460
Bypass highway.  You need to take an off ramp on the right hand side, then bear
right to get onto Transportation Research Drive, then a left onto Industrial
Park Road to eventually get to my office.

Unfortunately, if you were actually heading north on *Business* 460 a few
hundred yards west, taking the right-handed off ramp at the same relative
location, then bearing right, will land you on a ramp pointing you *back* south
to I-81, and you won't have a chance to turn around for about 2 miles.

http://maps.google.com/?ie=UTF8&ll=37.191194,-80.402327&spn=0.013829,0.022767&z=16






[funsec] Pirate software...

2009-05-29 Thread Valdis . Kletnieks
A computer program walks into a bar; the bartender shouts: "Hey! Get out! Your 
kind ain't welcome in here!"
The program looks a bit startled and asks "what do you mean by my kind"?
"You know," the bartender says, "PIRATE software."
"But I'm not pirate software!" protests the program.
"Yeah? Well then, what's that thing you've got covering your eye?" asks the 
bartender.
"That's just my latest patch!" says the program.
"Well, okay then, what about that peg leg thing you've got going on?"
"Obviously I'm a crippled version," sighs the program.
"You can't fool me," says the bartender, "what about that bird sitting on your 
shoulder?"
"SQUAAAWK! Powers of eight!" shrieks the bird.
"Oh don't worry about that," says the program, "that's just my parrotty bit."



Re: [funsec] British Television

2009-06-02 Thread Valdis . Kletnieks
On Tue, 02 Jun 2009 09:09:57 EDT, Mark said:
> I can't believe Young Ones isn't in your list.  One of the best ever.

"Don't bother trying to crucify yourself, you can never get that last nail in"
-- Neil.



Re: [funsec] British Television

2009-06-04 Thread Valdis . Kletnieks
On Wed, 03 Jun 2009 20:35:05 +0300, Gadi Evron said:
 
> I remember it as Folty's Hotel something.. It was that long ago. It was 
> cute but come on!

"I'm sorry, but we appear to be all out of waldorfs."





[funsec] Rampant cluelessness...

2009-06-04 Thread Valdis . Kletnieks
From a cow-orker:

"In contrast, I'm not so sure Microsoft gets this whole IPv6 thing:

% host -t aaaa ipv6.bing.com
ipv6.bing.com has no AAAA record

% host -t a ipv6.bing.com
ipv6.bing.com has address 207.46.104.147

(Bing is Microsoft's new search engine, replacing Live Search.)"




Re: [funsec] Dog sniffs illegal DVD's

2009-06-05 Thread Valdis . Kletnieks
On Fri, 05 Jun 2009 14:52:55 -0800, "Rob, grandpa of Ryan, Trevor, Devon & 
Hannah" said:
> a) I can see the dog being able to sniff out plastics and such, but how does 
> it tell
> which disks are pirated movies?

This one's come up before.  Apparently, there's one production technique
used by the *big* duplicating houses that have to produce a million copies
of Batman, and another different one used by the counterfeiters that have a
press run of 35,000 pirated copies of Batman.  The dogs are trained to
recognize the scent of the small-press-run DVD blanks.

Yes, this *can* false-positive for a legit duplicating house that runs off 20K
copies of some limited-interest DVD like Ubuntu install disks or similar - but
those almost always have attached labels saying "Ubuntu" rather than "Batman".

Certainly a much saner approach than the MPAA/RIAA business model of treating
the customer base like criminals...



Re: [funsec] Software analysis

2009-06-10 Thread Valdis . Kletnieks
On Wed, 10 Jun 2009 19:27:04 -0800, "Rob, grandpa of Ryan, Trevor, Devon & 
Hannah" said:
> Anybody got a copy of "Green Dam" for analysis?

I probably blinked and missed it - but what do they insist people do for
non-Windows computers?



Re: [funsec] How many nukes can reach your location?

2009-07-03 Thread Valdis . Kletnieks
On Fri, 03 Jul 2009 15:33:55 +1000, silky said:
> It counts nukes from the country entered, which is a little weird.

I'll posit that for many people living in a nuclear state (declared or not),
the threat of being nuked by your own gone-batshit leadership trying to
put down a rebellion/insurrection/invasion on their own territory is
actually *higher* than being nuked by some other nuclear state.



Re: [funsec] Using twitter as an outage notification

2009-07-06 Thread Valdis . Kletnieks
Seen on NANOG:

On Sat, 04 Jul 2009 18:29:22 -1000, Michael Painter said:

> "Bonnie Smalley has Internet bragging rights: She has been blocked by Twitter
> for hand-typing too many tweets in an hour. They thought she was a computer
> program made to spew spam.

> Ms. Smalley, it turns out, is a 100 percent human customer service
> representative for Comcast. She is one of 10 representatives who reach out to
> customers through social networks, rather than waiting for them to find
> Comcast's support site.

> http://www.nytimes.com/2009/07/02/technology/personaltech/02basics.html?partner=rss&emc=rss
>  

There's a Dilbert strip in there, fighting to get out.. ;)





[funsec] "As fortold by prophecy..." :)

2009-07-16 Thread Valdis . Kletnieks
"The chaos is coming, the haunter of universe, and the blind creator bless the
dragon who sleeps. Cthulhu awakens like a storm from beyond as the crimson
opens, howling from a distant space. A string of light from his house in
R'lyeh... Behold! Hear the thunder roar as he enters the world. His world..." 

http://www.adn.com/2835/story/864687.html




Re: [funsec] press trickery of the worst kind

2009-07-16 Thread Valdis . Kletnieks
On Thu, 16 Jul 2009 14:12:54 PDT, robert_mcmil...@idg.com said:
> 
> > Am I a journalist? Well, a couple of decades ago, I did a lot of paid
> > writing for PC magazines. But I haven't for a long time now. So, you
> > decide.
> >
> 
> I think your answer speaks for itself.

"Hi, I'm drsolly's answer, and I'd like to clarify that drsolly is not my
authorized spokesman..."

:)



Re: [funsec] Rage against spammers and telemarketers

2009-07-22 Thread Valdis . Kletnieks
On Wed, 22 Jul 2009 10:34:31 EDT, der Mouse said:
> The real wonder, to me, is that more people who can relatively easily
> flee the USA aren't.

And go where?



Re: [funsec] Rage against spammers and telemarketers

2009-07-22 Thread Valdis . Kletnieks
On Wed, 22 Jul 2009 11:35:23 PDT, "Tomas L. Byrnes" said:
> The planners: Enarques, Oxbridge and Ivy Leaguers are taking over the
> world, and will give us what they think we need, as opposed to what we
> want.

Note that giving the rabble what they say they want hasn't proven to be
a brilliant success either.



Re: [funsec] Rage against spammers and telemarketers

2009-07-23 Thread Valdis . Kletnieks
On Thu, 23 Jul 2009 14:05:33 BST, Drsolly said:

> No, God will just create another bunch of people.

Hopefully he'll spend more than just a day or two designing the next model.
The current one shows all the kludginess of an all-nighter design project.
Everything from appendixes to neurons that have a common failure mode called
"magical thinking".



Re: [funsec] Fwd: [Dataloss] Network Solutions was PCI compliant before breach

2009-07-27 Thread Valdis . Kletnieks
On Mon, 27 Jul 2009 11:26:40 PDT, Paul Ferguson said:

> http://www.scmagazineus.com/Network-Solutions-was-PCI-compliant-before-brea
> ch/article/140642/
> 
> Network Solutions was PCI compliant before breach
> Angela Moscaritolo
> July 27, 2009
> 
> Web hosting firm Network Solutions on Friday announced that, despite its
> being PCI compliant, a breach had compromised approximately 573,928
> individuals' credit card information.

> Approximately 4,343

/me spent approximately 9.34934 seconds wondering what these guys would
classify as an "exact" number.



Re: [funsec] Fwd: [Dataloss] Network Solutions was PCI compliant before breach

2009-07-27 Thread Valdis . Kletnieks
On Mon, 27 Jul 2009 13:35:06 PDT, ch...@blask.org said:

> btw, how's the exobiology going?

I work at a .edu, so it's easy to find samples in our user population
who are clearly not of Earth origin. :)




Re: [funsec] Fwd: [Dataloss] Network Solutions was PCI compliant before breach

2009-07-27 Thread Valdis . Kletnieks
On Mon, 27 Jul 2009 22:11:08 +0200, Alexandre Dulaunoy said:
> On Mon, Jul 27, 2009 at 8:55 PM, Anton Chuvakin wrote:
> > They probably were NOT, contrary to what their spokesperson seem to say.
> 
> Network solutions is listed in the PCI DSS Validated Services Providers 
> starting
> of October 31, 2008. The assessor was Payment Software Company (PSC).

Note the vast difference between the following three things:

1) PSC says Network Solutions appears to be compliant, based on their canned
checklist.

2) Network Solutions is actually compliant in both letter and spirit, including
all the nooks and crannies that PSC didn't poke into.

3) Although "fully compliant" is *probably* more secure than "didn't even
think about being compliant", "fully compliant" doesn't therefore imply
"fully secure".




Re: [funsec] Thoughts on Bing

2009-08-11 Thread Valdis . Kletnieks
On Tue, 11 Aug 2009 08:28:32 CDT, rac...@mcs.anl.gov said:

> Since Bing's advertising is all about giving you the answers you
> want, not some random stuff that may be close, is it a more
> valuable/trustworthy result?

You're new here, aren't you? ;)

Do you have *any* evidence that Bing is *more* about giving you the
answers you want than Google is? (Hint: you may *not* reference any
Microsoft propaganda in your answer).

Given that, *why* is it more trustworthy?

(Or are you trying to emulate Joe Sixpack's thinking here? ;)



Re: [funsec] Thoughts on Bing

2009-08-11 Thread Valdis . Kletnieks
On Tue, 11 Aug 2009 09:35:37 PDT, Paul M Moriarty said:
> Would all the anti-Microsoft ranters please form an orderly, single- 
> file line to the right for immediate departure to posting on  
> Slashdot.  Thank you.

It isn't an "anti-Microsoft rant" - it's a serious question. Let's look at
that paragraph again:

> Since Bing's advertising is all about giving you the answers you
> want, not some random stuff that may be close, is it a more
> valuable/trustworthy result?

This is basically an "If A (it's all about giving you), then B (more 
trustworthy)".

Now what happens if A is in fact not true?  Then you have no basis for
determining B at all.  And when A is phrased in nice fuzzy terms like
"giving you the answer you want", it's pretty obvious that Marketing has
come by and applied some spin.

So, pro-Microsoft ranters - what's the actual story minus the Marketing spin?
Got anything besides Microsoft PR to back up the thesis that Bing plans to
do better at "the results you want" than other search engines?

(Remember - Google isn't about "the results you want", it's about getting
those sponsored ad links next to "the results you want" and they can make a
living off the 3% of the time the sponsored ad link *is* the result you want)




Re: [funsec] Report: Most Twitter Tweets 'Pointless Babble'

2009-08-14 Thread Valdis . Kletnieks
On Fri, 14 Aug 2009 09:23:53 +0300, Juha-Matti Laurio said:
> "As if one were needed, a study revealed that most tweets on Twitter are 
> considered "pointless babble."

"One of the things Ford Prefect had always found hardest to understand about
humans was their habit of continually stating and repeating the very very
obvious, as in It's a nice day, or You're very tall, or Oh dear you seem to
have fallen down a thirty-foot well, are you all right?"

"If human beings don't keep exercising their lips, he thought, their mouths
probably seize up. After a few months' consideration and observation he
abandoned this theory in favor of a new one. If they don't keep exercising
their lips, he thought, their brains start working."




Re: [funsec] Thoughts on Bing

2009-08-14 Thread Valdis . Kletnieks
On Tue, 11 Aug 2009 17:06:03 EDT, der Mouse said:

> hasn't been true for a long time.  The actual situation is that people
> performing searches are the product and the advertisers are the
> customers; the search results are just the coin in which the searchers
> are paid for being part of the product.

Amen to that. Consider this mail I got today:

Subject: Fall for incredible back to school deals on Bing cashback!
From: Bing cashback 
Date: Thu, 13 Aug 2009 14:09:12 -0700 (PDT)

And I don't even *use* Bing - I got that because I set up an MSN account
to IM with a relative (was easier than getting somebody on another continent
connected to an IM service I was already on), and I apparently missed the
"Don't spam me" checkbox along the way...




Re: [funsec] Report: Most Twitter Tweets 'Pointless Babble'

2009-08-14 Thread Valdis . Kletnieks
On Fri, 14 Aug 2009 15:23:02 EDT, David M Chess said:

> twitter needs filtering!!11!".

That's fixing the symptom. The root cause is that the gene pool needs a
good shot of chlorine...

Reported today by our help-desk manager:

Help desk: Your new password is "hokie", all lower case letters
User: I forget how to spell hokie.. is it two Os or one?

The user is a VT alumnus. *facepalms*...

(Just Google 'hokie' and ponder the list of results if you don't already
get it.  And yes, we should give them a better password, even if it's a
one-shot-better-change-it-now throwaway.  But if they can't even spell hokie,
the better password is just going to result in another help desk call...)



Re: [funsec] All your database (and email) are belong to us ...

2009-08-15 Thread Valdis . Kletnieks
On Sat, 25 Jul 2009 17:45:43 PDT, "Ali, Saqib" said:

> and up-to-date. It is simply about Reputational risk. Reputational
> risk (damage to an organization through loss of its reputation or
> standing), can arise as a consequence of operational failures. Every
> company understands reputational risk, particularly businesses who
> regard their brand as one of their most critical assets. Google is one
> of them. They have a reputation to maintain.

On the other hand, every company understands that TJX is still in business,
and didn't take all *that* big a hit on their stock price.

Reputational risk for computer security will start actually *mattering* once a
well-known company takes a big enough hit on a security issue that they end up
bankrupt. Till then, nobody *really* gives a flying #$#*& in a rolling donut
about it.




Re: [funsec] Microsoft in Web photo racism row

2009-08-26 Thread Valdis . Kletnieks
On Wed, 26 Aug 2009 18:34:56 +0300, Juha-Matti Laurio said:

> And look into this:
> But on the website of its Polish business unit the black man's head was 
> replaced
> with a white face, although the colour of his hands was unchanged. 

Which got them a mention here:

http://photoshopdisasters.blogspot.com/2009/08/microsoft-poland-at-least-they-left.html



Re: [funsec] DON'T DO STUPID THINGS!

2009-09-01 Thread Valdis . Kletnieks
On Tue, 01 Sep 2009 09:13:05 CDT, Ned Fleming said:

> Hotel bar fights: another reason to avoid New Zealand.

Oh come on now, you know very well that the only time there's a row in a hotel
bar in NZ is when there's a disagreement over who will pay the damages from
the sheep stampede.



Re: [funsec] LHC redundant, world has ended, source code at 11 ...

2009-09-02 Thread Valdis . Kletnieks
On Wed, 02 Sep 2009 14:25:21 +0200, Martin Tomasek said:

> I wouldn't use PHP in production environment. They are using #ifdefs 
> instead of functions in PHP sources. No wonder they have so many bugs.

We have yet to devise a computer language that prevents programmers from
doing stupid things and writing dangerous and ugly code.  Although there's
a lot of ugly PHP code out there, I haven't seen any innate broken-ness
in the PHP design that makes it *impossible* for a skilled programmer to
create good PHP code.

Note that in the previous paragraph, you can replace PHP with Perl, Java,
C++, COBOL, FORTRAN.  I will however grant that Ada was fundamentally flawed. ;)



Re: [funsec] OT: New England Lemmings and The Herd Mentality

2009-09-07 Thread Valdis . Kletnieks
On Mon, 07 Sep 2009 12:43:25 PDT, ch...@blask.org said:

> Oh, I dunno.  Having come from a place without Sonics and moved to one that
> does I have to say that Sonic is the penultimate Krispy Kreme of burger 
> joints. 

"You keep using that word 'penultimate'. I do not think it means what you think
it means..." -- Inigo Montoya

"penultimate" - the one that's *next to last*.  Or if you *did* use it
correctly, what's the one that follows Sonic? Inquiring minds want to know ;)





Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-07 Thread Valdis . Kletnieks
On Mon, 07 Sep 2009 15:08:55 PDT, Rob Thompson said:
> Way to go...way to go after the _real_ criminal.
> 
> This is akin to closing down a freaking bank, because they cashed a
> fraudulent check.

No, it's more akin to a landlord who knows that the tenants are running
an illegal business, having been informed multiple times in documented
detail what the tenants are up to, and who has the ability to terminate
the lease but fails to do so.  At some point, it gets egregious enough
to qualify as "aiding and abetting".



Re: [funsec] ruling: liability for providers who don't act on clients' illegal activities?

2009-09-08 Thread Valdis . Kletnieks
On Mon, 07 Sep 2009 23:14:48 PDT, Rob Thompson said:

> this as sheer laziness and quite frankly it's rather pathetic.  Passing
> the buck isn't okay.  We count on the schools to raise our kids and the
> ISP to police the interwebs.  Bullshit!

It may come as a surprise to you - but a large number of people *do* count
on the schools to do a large part of the educating and socializing of the young
ones. There's an awful amount of stuff that kids learn in school that parents
are *not* in a good position to teach - everything from Egyptian history to how
to play well with others on a softball team.  Might want to pick a better
analogy - the days when we could all homeschool our kids are *long* gone, if
they ever existed at all...

For that matter, our entire economic system only works because of passing the
buck - every time you use a credit card, or write a check, you're passing the
buck to somebody else.  And even using cash rather than bickering and bartering
how many goats that pair of shoes is worth is passing the buck... ;)

Bottom line - unless you live off the grid, in a house you built with your
own two hands using tools you manufactured yourself and material you gathered
yourself, "passing the buck isn't okay" is just a tad hypocritical...



Re: [funsec] Hello. I live in Salem, and I believe in witches.

2009-09-09 Thread Valdis . Kletnieks
On Wed, 09 Sep 2009 10:55:46 -0800, "Rob, grandpa of Ryan, Trevor, Devon & 
Hannah" said:

> However, reading the text as an educator, it comes across as pretty banal.  
> Is the 
> video up on YouTube yet?  Maybe he does better in delivery ...)

http://www.youtube.com/v/FJyJiGS7Zrk



Re: [funsec] Hello. I live in Salem, and I believe in witches.

2009-09-09 Thread Valdis . Kletnieks
On Wed, 09 Sep 2009 13:27:55 EDT, "Adriel T. Desautels" said:
> Witches are real... technical speaking

And most Wiccan belief systems are more reality-based and have a higher chance
of producing actual results than the majority religion around here...

Kinda like how most people end up buying Microsoft even though there's better
alternatives...




Re: [funsec] Hello. I live in Salem, and I believe in witches.

2009-09-10 Thread Valdis . Kletnieks
On Thu, 10 Sep 2009 06:04:12 PDT, ch...@blask.org said:

> This is not to be confused with a "Deather", though by and large they are the
> same folks.  Deathers believe that the effort to reform the US healthcare
> system is a veiled effort to euthanize the elderly of America, reasoning (not
> to stretch the meaning of the word) that - as happens in such socialist
> hell-holes as the UK, Sweden and Canada - once The Guvernment is given 
> complete
> and unquestioned control of healthcare they will choose to deny medicine to 
> old
> people.  I believe the theory is that this will endear the ruling party with
> the younger voters who will then inherit Grandpa's old slippers.

And to further illustrate just how batshit crazy some people here are - the
actual proposal that set the Deathers off was *actually*:

That the government-sponsored program should pay for counseling for terminally
ill patients, to help write up things like "durable powers of attorney" (which
are documents that state what should happen if you're not in any condition to
manage your affairs anymore).  So terminally people will be able to
write a document that says "I know I have pancreatic cancer, and don't have
long left, so if I'm in a coma, don't keep me on a respirator, and if I
have a heart seizure, don't resuscitate me, just let me go" and avoid the
circus that was Terri Schiavo.

Of course, these same people feel threatened when the President wants to tell 
their
kids to stay in school, work hard, and get good grades, because if their kids
are well-educated, Something Evil will happen.  Like the kids might actually
start doing some fact-checking and thinking about what their parents say.





Re: [funsec] Speed used to convey urgency; now we somehow think it means efficiency

2009-09-12 Thread Valdis . Kletnieks
On Sat, 12 Sep 2009 09:58:11 BST, Drsolly said:

> I'm a bit busy, is there a 30 second version?

tl;dr yr cmnt.



Re: [funsec] Hello. I live in Salem, and I believe in witches.

2009-09-14 Thread Valdis . Kletnieks
On Sun, 13 Sep 2009 11:20:53 +1200, Nick FitzGerald said:
> John Bambenek wrote:
> 
> > The problem with the conservatives is that NO ONE is leading.  So the 
> > nutjobs lead by default.
> 
> Which is different from the past eight years how?

The past 8 years, Dick Cheney was leading. Now he's out of office...



Re: [funsec] Hello. I live in Salem, and I believe in witches.

2009-09-14 Thread Valdis . Kletnieks
On Tue, 15 Sep 2009 09:28:16 +1200, Nick FitzGerald said:

> > > > The problem with the conservatives is that NO ONE is leading.  So the 
> > > > nutjobs lead by default.
> > > 
> > > Which is different from the past eight years how?
> > 
> > The past 8 years, Dick Cheney was leading. Now he's out of office...
> 
> ...though, based on some of his comments of late, there are clearly 
> some days he doesn't seem to remember that!
> 
> Anyway, back to my  main point -- do you really think Cheney was not a 
> top-flight nutjob?

Yes, but he was a nutjob who was *elected* President(*), as opposed to the
current leading-by-default nutjobs. ;)

(*) OK - you got me there. Bush was elected Prez, and Cheney was elected
Puppetmaster. ;)



Re: [funsec] Firefox' privacy mode not so private

2009-09-15 Thread Valdis . Kletnieks
On Mon, 14 Sep 2009 22:13:54 CDT, Reed Loden said:

> Yes, Mozilla is aware of this and is working with plugin vendors such as
> Adobe to get them to use newly created APIs and to assist in developing
> other needed APIs that allow Firefox to notify plugins that such objects
> need to be deleted (such as when a user enters private browsing mode or
> just wishes to clear all browsing history).

Now *here* is a related question:

Does anybody know of a Firefox extension that will allow the *selective*
clearing of browsing history, or management of history expiration?

For instance, I *usually* want a nice long expiration on the history (for a
while, I had it up at 180 or even 365 days), so that the history bar
auto-completer would be able to help me find "that posting on boing-boing that
started with 'potatoes'), etc.  However, I'd like to on occasion nuke all
the damned Amazon links that have accumulated (or even better, have them
auto-evaporate after only 15 days or something).

This ring any bells?



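An added example (not from the thread, and not a Firefox extension) answering the question above with a script over the history database instead: per-host retention rules layered on top of a long global expiration. The table and column names are assumed from Firefox's places.sqlite (moz_places with last_visit_date in microseconds since the epoch; moz_historyvisits keyed by place_id), and the sample history is constructed so the script runs offline.

```python
import sqlite3
from urllib.parse import urlparse

USEC_PER_SEC = 1_000_000
SEC_PER_DAY = 86_400

# Constructed stand-in for the subset of Firefox's places.sqlite this script
# touches. Assumed schema: moz_places has one row per URL with last_visit_date
# in microseconds since the Unix epoch; moz_historyvisits has one row per visit
# keyed by place_id.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT NOT NULL, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, visit_date INTEGER);
"""

# Constructed sample history: (place id, url, days since last visit).
SAMPLE_VISITS = [
    (1, "https://boingboing.net/2009/potatoes", 100),
    (2, "https://www.amazon.com/dp/B000000000", 30),
    (3, "https://www.amazon.com/gp/cart/view.html", 2),
    (4, "https://example.org/", 200),
    (5, "https://example.org/very-old", 400),
]


def build_sample_db(now):
    """Create an in-memory history database populated with SAMPLE_VISITS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for pid, url, days_ago in SAMPLE_VISITS:
        ts = (now - days_ago * SEC_PER_DAY) * USEC_PER_SEC
        conn.execute("INSERT INTO moz_places VALUES (?, ?, ?)", (pid, url, ts))
        conn.execute(
            "INSERT INTO moz_historyvisits (place_id, visit_date) VALUES (?, ?)",
            (pid, ts))
    conn.commit()
    return conn


def retention_days(url, rules, default_days):
    """Retention for one URL: the first host rule that matches (the host itself
    or any subdomain of it), otherwise the global default."""
    host = (urlparse(url).hostname or "").lower()
    for suffix, days in rules:
        if host == suffix or host.endswith("." + suffix):
            return days
    return default_days


def expire_history(conn, now, rules, default_days):
    """Delete every place (and its visits) whose last visit is older than the
    retention chosen for its host. Returns the URLs that survived, in id order."""
    doomed = []
    for pid, url, last_visit in conn.execute(
            "SELECT id, url, last_visit_date FROM moz_places"):
        cutoff = now - retention_days(url, rules, default_days) * SEC_PER_DAY
        if last_visit < cutoff * USEC_PER_SEC:
            doomed.append((pid,))
    conn.executemany("DELETE FROM moz_historyvisits WHERE place_id = ?", doomed)
    conn.executemany("DELETE FROM moz_places WHERE id = ?", doomed)
    conn.commit()
    return [row[0] for row in
            conn.execute("SELECT url FROM moz_places ORDER BY id")]


def visit_count(conn):
    return conn.execute("SELECT COUNT(*) FROM moz_historyvisits").fetchone()[0]


if __name__ == "__main__":
    import time
    now = int(time.time())
    db = build_sample_db(now)
    # Keep a year of history in general, but let Amazon evaporate after 15 days.
    for url in expire_history(db, now, rules=[("amazon.com", 15)], default_days=365):
        print("kept", url)
```

Point it at a copy of places.sqlite with Firefox closed (the browser keeps the live file locked while it runs), check the result, then swap the copy in.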

Re: [funsec] Star Trek infosec

2009-09-22 Thread Valdis . Kletnieks
On Mon, 21 Sep 2009 17:18:10 PDT, ch...@blask.org said:
> I just want to know that the transporter is encrypted and authenticated befor

Checksumming. You want it. You *really* want it. Small numbers of single-bit
errors are probably OK, we deal with cosmic-ray DNA damage amazingly well.  Can
probably model this as similar to low-level radiation sickness if the link is
really noisy.

But signal dropouts would *really* suck - I'd hate to get there and discover
that a half-inch section of aorta didn't get transmitted.  And it would suck if
you got a bunch of line noise on the "forehead" section, and the ECC tries to
salvage it but comes up with "penis" instead.  Of course, we all know enough
people that this appears to have happened to already to know that's a tad less fatal
than the aorta thing...




Re: [funsec] Presidential Internet Kill Switch

2009-09-23 Thread Valdis . Kletnieks
On Wed, 23 Sep 2009 12:59:35 EDT, Larry Seltzer said:

> "2010"... Dude, its' too much to be a coincidence.
> 
> I imagine most people figure there's some wire somewhere that could be
> cut. Let's hope Al-Qaeda never finds it!

Interestingly enough, Rick Forno's Infowarrior list had a posting yesterday
where the Soviets actually did implement it:

http://www.wired.com/politics/security/magazine/17-10/mf_deadhand?currentPage=all




Re: [funsec] Presidential Internet Kill Switch

2009-09-23 Thread Valdis . Kletnieks
On Wed, 23 Sep 2009 12:51:43 EDT, Jon Kibler said:
> If you have any hard numbers, I would love to see them published!

Consider the (hopefully) attached .gif.  Under what conditions is it funny?



Re: [funsec] No AV? Shock, horror!

2009-09-25 Thread Valdis . Kletnieks
On Fri, 25 Sep 2009 11:52:29 -0800, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> PCI survey finds some merchants don't use antivirus software
> 
> http://www.networkworld.com/news/2009/092309-pci-survey-finds-some-merchants.html?hpg1=bn
>  
> 
> (But absolutely no surprise whatsoever ...)

So tell me - what A/V software are we supposed to be running on our Solaris 10
servers, or our Linux servers, or those AIX boxes we have?



Re: [funsec] McAfee really DOES write new Malware! Wholey Moley!

2009-10-02 Thread Valdis . Kletnieks
On Fri, 02 Oct 2009 08:06:50 EDT, Rich Kulawiec said:
> On Thu, Oct 01, 2009 at 01:06:29PM -0700, Dragos Ruiu wrote:
> > Who's "we" white man?
> 
>  Is this the part where I pull out the old SNL sketch
> featuring people who are very, very, extremely white? ;-)

While you're at it, do you have a copy of the one with Chevy Chase and
Richard Pryor doing word free-association? :)




Re: [funsec] mac is not unix [Re: What was that about hubris?]

2009-10-02 Thread Valdis . Kletnieks
On Fri, 02 Oct 2009 16:25:35 +0200, Gadi Evron said:
> der Mouse wrote:
>  "An operating system" in general may or may not be [split into
>  core, GUI, and CLI]; indeed, plenty of operating systems do not
>  have anything at all that could reasonably be called a GUI, much
>  less structure like what you sketch.
> >> 1) Either convince me that Cisco's IOS and Juniper's JunOS are in
> >> fact *not* operating systems, or point out to me how they're split
> >> into a core, a CLI, and a GUI.
> > 
> > You don't need to go even that far.  Just consider NetBSD (or Linux, or
> > whatever) on hardware without a GUI-capable framebuffer - or, if that's
> > not enough, on hardware which can't be given one (I've got a board from
> > Mesanet on which it would be difficult-to-impossible to add GUI-capable
> > hardware).
> 
> We're talking about Mac here, right?

No, the original quote was "an operating system is build of...", not
"OSX is built of".



Re: [funsec] New Technology to Make Digital Data Disappear, on Purpose

2009-10-05 Thread Valdis . Kletnieks
On Sun, 04 Oct 2009 22:08:08 PDT, "Ali, Saqib" said:
> a good article about the technology and its implications:
> http://www.physorg.com/news173556803.html

Vanish has already been broken:

http://www.physorg.com/news173450942.html

(The editors at physorg need to be more careful - your link announcing
Vanish is a repost that showed up the day *after* the 'vanish broken' link
was posted there...)




Re: [funsec] "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning. "

2009-10-05 Thread Valdis . Kletnieks
On Mon, 05 Oct 2009 15:01:40 EDT, Robert Portvliet said:
> I noticed that most of the bots I looked at don't seem to be following
> anyone (or follow very few), but do average a couple hundred
> followers.. are they getting followers via DMing people or what?

Apparently, the bar for passing the Turing Test is a lot lower than we thought.



Re: [funsec] [Full-disclosure] when I grow up

2009-10-06 Thread Valdis . Kletnieks
On Tue, 06 Oct 2009 10:46:19 EDT, T Biehn said:
> Can't you make a good hunk of low-risk cash by 'pretending' to be a
> money mule? (Profile: 20s, looking for 'easy' work.)

Stealing from the old Mafia wasn't so bad.  If you got caught, it was
usually "just business" and they dispatched you in the most economical
way feasible.

These days, the field is dominated by crazy and ruthless South American drug
cartels, ruthless and crazy Asian Yakuza-like gangs, and *really* crazy,
ruthless, psychopathic gangs from the Ukraine.

Low risk? Hardly.




Re: [funsec] Don’t lol – Cyberbullying is No Jok e in Congress

2009-10-09 Thread Valdis . Kletnieks
On Thu, 08 Oct 2009 20:56:59 PDT, "Ali, Saqib" said:
> On September 30, the House Judiciary Committee heard testimony
> concerning two bills aimed at combating cyberbullying. One bill, the
> Megan Meier Cyber Bullying Prevention Act, would criminalize
> cyberbullying,

"(a) Whoever transmits in interstate or foreign commerce any communication,
with the intent to coerce, intimidate, harass, or cause substantial emotional
distress to a person, using electronic means to support severe, repeated, and
hostile behavior, shall be fined under this title or imprisoned not more than
two years, or both."

Death of 4chan predicted. Film at 11.

Seriously though - do we *really* want to pass a law that could potentially
make a lot of us felons?  As a thought experiment, take the gun-control
flame war we had recently, and add this sort of DA to the mix:

http://reason.com/blog/2009/09/28/hoosier-grandmother-arrested-f





Re: [funsec] dumb. Comcast pop-ups

2009-10-11 Thread Valdis . Kletnieks
On Sun, 11 Oct 2009 14:26:33 -, Paul Vixie said:

> malware has penetrated not just the skin, but the bones and DNA of
> the internet economy.  it's everywhere and it's not going away ever.
> there will always be something infected, and in a race to the bottom
> there will always be competitors willing to serve those infected
> machines, and there will never be a regulator willing to say "don't
> anybody serve them, so that there's no competitive disadvantage in
> the not-serving."

Let's face it guys, "abstinence education" doesn't work, no matter
what field you're trying to apply it to...



Re: [funsec] watch the lives of others, get cash prizes!

2009-10-12 Thread Valdis . Kletnieks
On Mon, 12 Oct 2009 09:33:18 EDT, Alex Eckelberry said:

> Registered surfers will compete for up to £1,000 a month, collecting points
> by watching a selection of anonymous cameras and clicking a button whenever
> they see something suspicious. The click will send an SMS and a still image to
> the camera operator, who decides whether to do anything about it. (You can lose
> points for sending a false alarm.) Says Morgan, who insists this is "not a game
> - these are not prizes, they're rewards for spotting crime", Internet Eyes
> "could turn out to be the best crime-prevention weapon there's ever been".
> What's not to love?

Trolls hell.  If you're planning a bank heist, buy some time on a botnet to
false-click on several tens of thousands of innocent cameras that have *something*
going on (it doesn't take much image recognition to tell the difference
between "the alley is empty" and "the alley has something moving").

Consider it a variant on the guy who posted on Craigslist for dozens of people
dressed the same to cover up a real bank heist...



[funsec] *argh*. :)

2009-10-12 Thread Valdis . Kletnieks
http://dsc.discovery.com/technology/quizzes/computer-crimes-quiz.html

The problem?  The site doesn't work unless you accept Flash.

From mstories.vo.llnwd.net no less.

I wonder how many people can score well on that test and not notice the
cognitive dissonance (heck, I managed to get 3 wrong.. ;)




Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

2009-10-13 Thread Valdis . Kletnieks
On Sun, 11 Oct 2009 23:31:08 CDT, Dan White said:

> 1) Educating users on proper use of anti-virus and anti-malware tools - and
> being ADHD about installing OS updates.

No, you *don't* want them being ADHD about OS updates. You want them
to be obsessive-compulsive about it.  Somebody with OCD will be going
back and checking "Am I patched? Did I patch in the last hour? I better
check again to be sure".  Somebody with ADHD will end up visiting
http://windowsupdate.microsohlookachicken.com

> 2) Replacing SMTP with something sane and secure. SMTP has got to be IETF's
> biggest failure.

Actually, SMTP is probably the IETF's best example of "so frikking successful
that everybody jumped on the bandwagon, moving the goalposts in the process".
The fact that it works at *all* 27 years after RFC821 is a demonstration
of how well-designed it was...

> 3) Doing what we can to develop and increase our participation in a public
> key infrastructure and IPSEC.

Unfortunately, most of the problems we have would *not* be fixed with more
crypto and IPSEC (with the exception of closing down unencrypted wireless and
making the standard there WPA2 or a better follow-on).  I mean, *seriously*,
how often do you hear of successful sniffing attacks on copper or fiber,
compared to the number of attacks where a keystroke logger or website hack
got the unencrypted goods at the endpoint?

You want to fix something - come up with a good way to enhance the trust for
websites that load from multiple places.  Go read Schneier's "Secrets and Lies",
he has a good chapter on SSL snake oil, but to sum it up with a re-quote
of an example from yesterday:

If I'm on msnbc.msn.com, and click a link that takes me to discovery.com,
what reason does my browser have to trust the Flash content that gets
loaded from mstories.vo.llnwd.net?  (Hint - your scheme has to work even
if discovery.com is compromised - if the hacker can change the link, there's
a good chance that if you depend on a digital signature of the page containing
the link, he can re-sign the page as well.  Probably not for discovery.com,
which likely has separate devel and prod machines and the signing can happen
on the devel boxes - but there's a *lot* of "update in place" websites that
would almost certainly have the signing keys on the webserver.  Bad idea,
I know, but it's gonna happen.)


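An added example (not from the thread, and not code from any of the sites it names) of the kind of pin the question above is asking for: the linking page carries a digest of the third-party object, and the client refuses the object if the bytes it fetched do not match. The attribute syntax and the strongest-algorithm rule are modelled on the subresource-integrity mechanism browsers later standardized; the byte strings standing in for the Flash object are constructed. The "compromised_page" scenario is the caveat raised above: once the linking page belongs to the attacker, so does the pin.

```python
import base64
import hashlib
import hmac

# Digest algorithms the check accepts, weakest to strongest. Tokens naming
# anything else are ignored rather than failed, which is how SRI treats
# unknown algorithms.
ALGORITHMS = ["sha256", "sha384", "sha512"]


def make_integrity(body: bytes, alg: str = "sha384") -> str:
    """Produce the pin a page author would put in an integrity attribute."""
    digest = getattr(hashlib, alg)(body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str):
    """Return (algorithm, [digests]) for the strongest usable algorithm in the
    attribute, or (None, []) if it contains no usable token."""
    by_alg = {}
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in ALGORITHMS:
            continue
        b64 = rest.split("?", 1)[0]          # drop an option suffix, if any
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:                    # binascii.Error is a ValueError
            continue
        by_alg.setdefault(alg, []).append(digest)
    if not by_alg:
        return None, []
    strongest = max(by_alg, key=ALGORITHMS.index)
    return strongest, by_alg[strongest]


def verify_integrity(body: bytes, attr: str) -> bool:
    """Accept body only if it matches one of the pinned digests for the
    strongest algorithm present. Unlike a browser, which loads a resource
    unchecked when the attribute is unusable, this version fails closed."""
    alg, digests = parse_integrity(attr)
    if alg is None:
        return False
    actual = getattr(hashlib, alg)(body).digest()
    return any(hmac.compare_digest(actual, d) for d in digests)


def scenarios():
    """Walk through the cases from the thread with constructed byte strings
    standing in for the third-party object."""
    genuine = b"<flash object the page author meant to embed>"
    payload = b"<something the attacker would rather you ran>"
    honest_pin = make_integrity(genuine)
    return {
        # The linking page is intact and the CDN serves what was pinned.
        "honest_page_honest_cdn": verify_integrity(genuine, honest_pin),
        # The linking page is intact; the CDN, or someone between, swapped the object.
        "honest_page_tampered_cdn": verify_integrity(payload, honest_pin),
        # The linking page itself is compromised: the attacker rewrites the pin
        # along with the link, so the check passes and proves nothing.
        "compromised_page": verify_integrity(payload, make_integrity(payload)),
        # Two tokens: only the strongest algorithm counts, so a matching weaker
        # token does not rescue a failing stronger one.
        "mixed_tokens": verify_integrity(
            genuine,
            make_integrity(genuine, "sha256") + " " + make_integrity(payload, "sha512")),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The pin only moves trust from the CDN to the page that carries the link; it does nothing about the case the post actually worries about, where that page is the thing that got changed.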

Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)

2009-10-16 Thread Valdis . Kletnieks
On Fri, 16 Oct 2009 12:04:08 CDT, Dan White said:

> If I have a friend that gets caught up in a 100M+ zombie attack, then
> I'll just suspend my trust with that friend until he gets his act together.
> I'll probably get one SpAm from him, maybe two, before I get the idea.
> 
> I should not be concerned about the other 99,999,999 other zombies.

Let me rephrase that a bit for you:

  If I have a friend that gets caught up in a 100M+ flu epidemic, then
  I'll just avoid contact with him until he gets better. I'll probably get
  one cough from him, maybe two, before I get the idea.

  I should not be concerned about the other 99,999,999 other people with the flu.

Still sound like a sane approach?



Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcastpop-ups)

2009-10-19 Thread Valdis . Kletnieks
On Mon, 19 Oct 2009 03:19:57 PDT, ch...@blask.org said:

> Oh, I doubt it.  Spam's appeal as a topic of debate is that it is ubiquitous 
> and intractable.

Oddly enough, for an "intractable" problem, most sites are managing to deliver
a reasonably acceptable user experience.  I have firmly concluded that "E-mail
is about to become unusable" is another one of those things people say that
will be repeatable 5 years from now.

What worries me is what happens if the miscreants currently spamming find
something that's less visible and trackable and has a higher profit margin...




Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcastpop-ups)

2009-10-19 Thread Valdis . Kletnieks
On Mon, 19 Oct 2009 10:51:10 PDT, ch...@blask.org said:
> -- On Mon, 10/19/09, valdis.kletni...@vt.edu  wrote:
> 
> > Oddly enough, for an "intractable" problem, most sites are
> > managing to deliver a reasonably acceptable user experience.  
> 
> By the definition "not easily relieved or cured" it remains intractable for
> providers, though most users can mostly ignore it today.  For those who need
> to/choose to try to actually *solve* the problem (iow - eliminate spam at the
> root)

Anybody who thinks they can "*solve* the problem" is taking some really good
pharmaceuticals.  I don't think there's a single police department out there
that seriously thinks they will "solve crime and eliminate it at the root".

So if police departments with thousands(*) of years of experience aren't able
to eliminate meatspace crime, why do you think there's any realistic chance
of doing so with the cyberspace spam criminals?

(*) Yes, thousands - I'm sure there's been a city guard to deal with
pickpockets and the drunks coming out of taverns almost as long as there have
been pockets for pilfering and taverns for the drunks to come out of...  So
back around Hammurabi or so...




Re: [funsec] Public Policy and Consumer ISP Hygiene (was Comcastpop-ups)

2009-10-19 Thread Valdis . Kletnieks
On Mon, 19 Oct 2009 15:03:24 EDT, der Mouse said:

> I don't really know the structure of the top of the pyramid.  My
> impression is that the IANA and/or IAB would have to be the entity to
> impose responsibility when it delegates authority, but ICBW - whom is
> it the RIRs and domain registrars contract with to get their authority?

The IAB has basically zero actual power - about the only thing they have any
control over is the IETF.  And the IETF doesn't have any power either - they
just publish RFCs and hope the marketplace actually uses them.  Proof of this:
RFC2827 - everybody agrees that ingress/egress filtering is A Good Thing, but
far too many sites don't do it...

Address space assignments start at the IANA, but they basically farm out an
entire /8 at a time to the regional RIR authorities (RIPE in Europe, APNIC in
the Pacific Rim, and ARIN in US/North America), who then give out /16's or so
to companies.  However, they do *NOT*, repeat *NOT* do any sort of policing of
what they get used for, other than to check your business plan to verify that
yes, you really *will* burn through a /14 in the next 2 years.

Something they explicitly do *not* do:  Guarantee the space is actually
routable. There's a fair amount that's in people's bogon filters from 5-6 years
ago and never updated when the /8 was actually put into use, or it's
scorched-earth address space that's blocked because it was abused by the
previous owner.  So you're not going to find any joy at IANA, and I don't
expect the RIRs to be able to *do* much of anything either.  Your best bet
is to convince people to not accept BGP announcements from miscreants.

Domain registrations derive from ICANN, which delegates to the registrars.
All I'll say here is "these are the people who brought you domain tasting".


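As an added example (not from the post), the RFC 2827 ingress check mentioned above written out as a per-packet decision, next to the stale-bogon-list problem the post describes. The interfaces, customer prefixes and both bogon lists are constructed; the one fact from outside the post is that 1.0.0.0/8 was still unallocated when this was written and was assigned to APNIC shortly afterwards, which is what makes a list captured earlier and never refreshed drop legitimate traffic.

```python
import ipaddress

# Constructed topology: the prefixes each customer interface may source
# packets from (RFC 5737 documentation ranges, not real allocations).
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/26"],
}

# A bogon list as it might have been captured a few years before this post and
# never refreshed: it still carries 1.0.0.0/8, unallocated at the time and
# handed to APNIC soon afterwards. The "current" list has it removed. Both are
# abbreviated, constructed examples.
STALE_BOGONS = [
    "0.0.0.0/8", "1.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
]
CURRENT_BOGONS = [p for p in STALE_BOGONS if p != "1.0.0.0/8"]


def _in_any(addr, prefixes):
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def rfc2827_permit(customer_if, src):
    """RFC 2827 / BCP 38 ingress check on a customer-facing interface: the
    packet passes only if its source lies inside a prefix assigned to that
    customer. An interface with no assignment record fails closed (a design
    choice here, not something the RFC mandates)."""
    allowed = CUSTOMER_PREFIXES.get(customer_if)
    if not allowed:
        return False
    return _in_any(ipaddress.ip_address(src), allowed)


def classify(iface, src, bogons):
    """Edge decision for one packet. Customer interfaces get the strict
    RFC 2827 check because the set of valid sources is known; transit and
    peering interfaces cannot enumerate valid sources, so only the bogon
    filter applies there."""
    addr = ipaddress.ip_address(src)
    if iface in CUSTOMER_PREFIXES:
        return "permit" if rfc2827_permit(iface, src) else "drop:spoofed-source"
    if _in_any(addr, bogons):
        return "drop:bogon"
    return "permit"


# Constructed packets: (ingress interface, source address).
PACKETS = [
    ("cust-a", "192.0.2.7"),        # legitimate customer source
    ("cust-a", "198.51.100.9"),     # someone else's prefix: spoofed
    ("cust-a", "10.1.2.3"),         # RFC 1918 source from a customer: spoofed
    ("cust-b", "198.51.100.200"),   # inside the /24 but outside what was assigned
    ("transit-1", "1.2.3.4"),       # legitimate once 1.0.0.0/8 is allocated
    ("transit-1", "127.0.0.1"),     # always a bogon
]


def demo():
    """Run PACKETS through both bogon lists and return the verdicts."""
    return {
        "stale": [classify(i, s, STALE_BOGONS) for i, s in PACKETS],
        "current": [classify(i, s, CURRENT_BOGONS) for i, s in PACKETS],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        for (iface, src), verdict in zip(PACKETS, verdicts):
            print(f"{name:8} {iface:10} {src:16} {verdict}")
```

The fourth packet is the detail people get wrong: the customer holds two pieces of 198.51.100.0/24, not the whole /24, so a source from the unassigned remainder is spoofed as far as this edge is concerned. The fifth shows the stale-list failure: the same packet is dropped or permitted depending only on when the filter was last refreshed.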

Re: [funsec] Public Policy and Consumer ISP Hygiene(was Comcastpop-ups)

2009-10-20 Thread Valdis . Kletnieks
On Tue, 20 Oct 2009 08:29:53 EDT, "G. D. Fuego" said:

> Am I naive in considering spoofed sender spam and true sender spam  
> (including stolen credentials) two separate problems requiring two  
> separate tactics.

In both cases - spoofed and stolen creds - the mail isn't sent by the
person it claims to be sent by.  The only difference is the details.

> Implementing an as of yet undefined solution to limit all emails to  
> the real domain infrastructure seems worthwhile to me even if it  
> doesn't solve the stolen credential or incompetent admin problems.

There are two easily implemented ways for the spammers to do it. You address
one, and totally fail to fix the other.  All this does is create a lot of work
for a lot of people in order to shift the problem over to the other way, where
they continue unabated.

So why is it worthwhile?

As has been pointed out, there's around 100M compromised boxes with credentials
waiting to be abused.  Anything that fails to account for that is simply
not worth the effort, as it's broken as designed.


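An added example (not from the thread) of the two spam paths the reply above contrasts, using an SPF-style source check as the "limit all emails to the real domain infrastructure" mechanism under discussion. The domains, relay ranges, credentials and bot address are all constructed; a real receiver would read the authorized-relay list from the domain's DNS record rather than a table.

```python
import ipaddress
from dataclasses import dataclass

# Constructed authorization table: the relays allowed to emit mail for each
# domain. A real receiver would fetch this as the domain's SPF record over
# DNS; it is inlined here so the example runs offline.
AUTHORIZED_RELAYS = {
    "example.com": ["192.0.2.0/28"],
    "example.net": ["198.51.100.10/32"],
}

# Constructed credential store for example.com's submission service, and the
# address its outbound relay speaks from (inside the authorized range).
SUBMISSION_CREDENTIALS = {"alice@example.com": "correct horse battery"}
SUBMISSION_RELAY_IP = "192.0.2.5"


@dataclass
class Message:
    mail_from: str
    body: str


def domain_of(address):
    return address.rpartition("@")[2].lower()


def source_authorized(mail_from, connecting_ip):
    """SPF-style check: may this connecting IP emit mail claiming mail_from's
    domain? A domain with no record gives no answer; this example treats
    that as a failure, which is stricter than a real 'none' result."""
    allowed = AUTHORIZED_RELAYS.get(domain_of(mail_from))
    if not allowed:
        return False
    ip = ipaddress.ip_address(connecting_ip)
    return any(ip in ipaddress.ip_network(p) for p in allowed)


def receiving_mta(msg, connecting_ip):
    """The receiver's policy: reject anything whose source is not authorized
    for the claimed sender domain."""
    if not source_authorized(msg.mail_from, connecting_ip):
        return "reject:unauthorized-source"
    return "accept"


def submission_service(user, password, msg):
    """example.com's authenticated submission port. Anyone holding valid
    credentials gets the message relayed from an authorized IP, which is
    exactly the path stolen credentials take."""
    if SUBMISSION_CREDENTIALS.get(user) != password:
        return "auth-failed"
    if domain_of(msg.mail_from) != domain_of(user):
        return "reject:sender-not-local"
    return receiving_mta(msg, SUBMISSION_RELAY_IP)


def spam_paths():
    """The two ways the thread describes for getting spam out under a real
    address, plus the control case."""
    spam = Message("alice@example.com", "buy now")
    bot_ip = "203.0.113.77"   # constructed: a compromised home machine
    return {
        # Path 1: the bot connects to the victim's inbox directly and forges
        # the sender. The source check catches it.
        "spoofed_direct": receiving_mta(spam, bot_ip),
        # Path 2: the bot logs in to alice's own provider with her stolen
        # password. The mail leaves an authorized relay, so the same check
        # waves it through.
        "stolen_credentials": submission_service(
            "alice@example.com", "correct horse battery", spam),
        # Guessing wrong still fails at the submission port.
        "wrong_password": submission_service("alice@example.com", "hunter2", spam),
    }


if __name__ == "__main__":
    for path, verdict in spam_paths().items():
        print(f"{path}: {verdict}")
```

The source check is doing its job in both paths; the second one passes because, from the receiver's side, mail sent with stolen credentials through the victim's own provider is indistinguishable from mail the victim sent.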

Re: [funsec] "Russian Police And Internet Registry Accused OfAiding Cybercrime"

2009-10-22 Thread Valdis . Kletnieks
On Thu, 22 Oct 2009 13:49:59 PDT, ch...@blask.org said:
> --- On Thu, 10/22/09, David Harley  wrote:
> 
> > I didn't realize John Cleese was on this list. ;-)
> 
> That's not a silly walk!

You'll walk that way too once the Russian police/mobsters get done with you...

That is, if you're still able to walk.




Re: [funsec] truth is for Admins

2009-10-25 Thread Valdis . Kletnieks
On Fri, 23 Oct 2009 21:47:22 CDT, RandallM said:
> truth is, stupid is stupid does. if my users are stupid then I am to
> blame. Users are my best defense or worse enemy, depends on the
> training I do

Gee, I wish I had your job, where you get to pick and choose your users
and get rid of the ones that are untrainable for whatever reason.

Most of us get stuck with having to provide ISP service to any Joe Sixpack
who pays the bill, or student who gets past the Admissions office, or
idiot employee who makes it past HR.  And there isn't much we can do about it.



Re: [funsec] truth is for Admins

2009-10-25 Thread Valdis . Kletnieks
On Sun, 25 Oct 2009 16:05:34 CDT, Fatherlaptop said:

> > Most of us get stuck with having to provide ISP service to any Joe Sixpack
> > who pays the bill, or student who gets past the Admissions office, or
> > idiot employee who makes it past HR.  And there isn't much we can do
> > about it.
> 
> get a Corp job!

Tell it to Randal Schwartz, who ended up with a felony conviction for
hacking mostly because when he ran Crack, it turned out that one of
Intel's vice presidents used 'viceprez' as his password. Said VP got
his nose out of joint and demanded blood...

Seriously - if you find a corporate job where you can actually *do* something
about a security-challenged VP or other highly-ranked person, let us know.
Most of the time, unless you have the ear of the CIO or CISO, and those
people outrank the idiot, you're the one that's going to end up as dog food
if you get into a major pissing match...

Or hell, it doesn't even need to be a VP - you know those security rule-bending
things that you know *all* salesdroids do when they have 45 minutes till they
make a big presentation at a customer site? Stop them from doing it just once,
and have the presentation tank as a result, and let me know how much longer you
get to work there...




Re: [funsec] truth is for Admins

2009-10-25 Thread Valdis . Kletnieks
On Sun, 25 Oct 2009 19:23:30 CDT, RandallM said:

> Now that I re-read you reply I see where we are not on the same
> thought. I said "teach" not pick. Most users start out without
> knowledge. If in my network I let them stay that way about safety on
> the web I provide then its my fault. Today's user if careless usually
> ends up without a usable computer. When I fix'em backup they are dumb
> with what happen and soon are tired of it and wants to know how to
> prevent it.

Yes, that does work for *some* users.  My point is that quite often you get
users who *refuse* to play along with the security game, causing issues
repeatedly. What you said:

> truth is, stupid is stupid does. if my users are stupid then I am to
> blame. Users are my best defense or worse enemy, depends on the
> training I do

Actually believing that statement is true 100% of the time will lead to
several things:

1) Massive surprise when a trained-but-still-stupid user leaves the
back door open and somebody takes advantage of it.

2) Much heavy drinking while you're still in the denial phase.

It's been repeatedly shown that if you restrict yourself to the sort of
training you can do and remain employed (no training at gunpoint, etc),
you'll be lucky if half of the users retain a significant portion of
your message.

If you have a training program that actually works more than 90% of the
time, let us know - the industry needs whatever secret sauce you're putting
into it...




Re: [funsec] ICANN Approves Non-Latin Domain Name Characters

2009-11-02 Thread Valdis . Kletnieks
On Mon, 02 Nov 2009 12:49:52 GMT, Florian Weimer said:
> * Rich Kulawiec:
> 
> > So of course they're in favor of .mobi and .info and .pro and
> > as many more variations as possible, because every time another
> > one is launched, they get to do this all over again.
> 
> But this whole thing only works if new TLDs are relatively rare.  If
> they aren't, the whole scheme breaks down.

But now, they're going to add .foobar in ascii, and the cyrillic (possibly
different renderings if the word for 'foobar' is different in different
countries - consider .truck and .lorry), and Mandarin, and kanji, and all
hell breaks loose in India  So we'll be adding them 20 or 30 at a shot...

