So.. again, -how- did you expect to log into the AO chat without providing name and password? (o.O)
Do you know how VHA-chat is handling security? Do you know how the AO client is handling security? What about Facebook or that funny link you just followed.. (do you dare clicking them?)
You will NEVER be sure about something being secure, unless you read through the sourcecode yourself and are a competent programmer.
But at least expect to provide some kind of identification (username and password) to be able to log into a chatserver
Kind Regards
-Ariensky
PS. You can always change the password..
So you can launch the program.
If it does not work, then change the password.
If it does work, then it is someone dedicated enough to make an AO chat relay and likely not a thief.
And if it is a thief, we will be able to backtrack it.
Humankind can not gain anything, without first giving something in return.
To obtain; something of equal value must be lost.
That is the 1st law of equivalent exchange
Rubi-Ka needs: a nickel statue of an astronaut pointing at the sky
With the description / plate saying:
When the stars burn out and I find I lack the strength to continue...one of YOU will pick up the flag and carry it forward.
This really isn't a corporate product anymore...it belongs to all of us. Where it goes is up to us.
Actually not true, I am not exactly a competent programmer. However I can spot any form of malware a mile away. Executables and .DLLs are always the heads of the snake. Truth be told, I have not run security on my computer in somewhere around 7 years and believe me, I have been to questionable websites that can test your mettle to know what is secure and what's not. The only other secondary problem is not being aware of your plugins such as applets. As far as anything else, like WPA2, GSM, 802.11N, and all other intercept frequencies/encryptions are all fail, anyone who wants to truly get you, will get you. Unless you built my theoretical security system, which has so many trip wires, load balancers, sandboxes, VM honeypots, darknets, and even other theoretically devised encrypted procedures that would slow the heck out of your network, but would turn an Elite into a woolly mammoth stuck in tar.
However... Doom and gloom statement incoming. Computer security classes should be mandatory in high school, I guess you would call it secondary school or something similar in Europe. There is a pretty insane menace of technological intellects out on the web, you can cite some of that to China. I personally think losing the internet as we know it now is inevitable. There are those with the knowledge and resources to break through any technological lock that has ever been devised. It will eventually be a bad guy. I personally think it's a joke that people are allowed to bank on their computers without knowing the security risks that go into doing it. All that it takes is some sort of Conficker botnet that works like a rootkit and instantly rebuilds itself through 95% of security defenses today. The internet will take a nose dive.
Ps. Only run sophisticated security programs if you truly have something to lose. No real hacker would try to break into your computer to steal your Justin Bieber MP3 collection.
Very well put
But it requires knowledge to be able to do that.
And having it as a mandatory class.. in the future maybe.
I have problems getting engineers to take computer security classes, they are of the opinion that "some program" will take care of that..
Even more people in high school are not interested..
In the end it comes down to trust:
In the real world you trust a person sitting in a bank. You trust the company to not hire people that are bad and you know you can backtrack the person.
In the digital world we have certificates for that.
Most do not know what it is though.. (it is the same, a 3rd person you trust, verifying that a website/program is who/what it says it is.)
A competent person can find holes in everything given enough time.
The trick is to have such a huge time delay that it is not worth it...
Remember to look for cameras in your theoretical "safe haven", one of the easier ways to get passwords other than a hardware keylogger (though we would know how to avoid a USB keylogger)
You seem competent in computer security, but you can hide a lot of things in obfuscated code.
A paranoid person would check, but in day to day I, like you, can spot most malware, but I must admit that I can not spot the well made stuff.. again if something can steal the bank accounts of 30% of the population that is fine enough for the thieves, then they do not need mine also.
The easiest way still is to persuade people to give you money, if that is clicking a link and downloading, or sending people a letter claiming they owe you money.
So why read through the first 196 pages of the WPA manual, when you can just do that
But true, the governments probably have 0-day attacks like Stuxnet they keep to themselves, just as military projects have always been run.
Where were we?
oh yes: be careful of what you download.
The interesting question is, how are you careful..
it requires some training. Just like a firewall is no use, if you do not know how to use it..
Kind Regards
-Ariensky
PS. Wouldn't encrypting the Justin Bieber MP3 collection be that honey-pot you talked about?
PPS. I know several engineers, even some software engineers, that, from what I can read from you, know less about security than you do.. sad but true.. they know how to program, but not how vulnerable it is.
What is more sad is when they work on government projects, spending your and my money on something that is crap, and/or take wrong decisions in the design phase costing millions later.
People that -know- they are right.. sadly reality comes later to show they were not..
Isn't it absolutely ironic though, antiviruses are signature based detection. That means someone has to get infected first before a cure is developed, and by the time you patch for that cure, it's kind of pointless, because the attacker has already escalated the attack vector through another source.
I personally think my knowledge should become common knowledge, that is not to say I think people should be me, however they should definitely become aware of the world around them.
Example.
http://hackedgadgets.com/2008/01/24/...polish-trains/
A 14 year old kid derailed 4 trains by controlling them like model trains.
When SCADA mass transit systems become vulnerable to 14 year old children then we have a problem that is a societal issue.
http://voices.washingtonpost.com/sec...op_source.html
Another SCADA report.
For those who don't know.
SCADA stands for supervisory control and data acquisition. It generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes
That means mass transit systems, and more.
The lions, the tigers and bears oh my...
Oh and one piece of free software that I recommend is the security task manager, it views every nook and cranny in your system down to the drivers that are running. However to view those, you gotta pay for the service, beyond that. It's an excellent piece of reconnaissance software to make sure your system is bug free. It comes with a Danger rating service as well, a file is flagged through multiple users who report differing degrees of danger, you can also check on vital code that is running inside of the processes too. It is just about the best tool in anyone's security arsenal you could possibly want.
It is like the immune system: it needs to have a sample, to make a cure.
Secondly most attacks are due to unpatched software, in essence known vulnerabilities that have been fixed, but people have not updated or are unaware of it.
Today with morphing software, Antivirus based on fingerprinting no longer works. It had its time, but everyone knows how to circumvent it now..
Security should always rely on principles, as simple as possible, not patch on patch. That article with the pacemaker hack is a good example.
FDA has given a blanket approval for Bluetooth in medical devices before 2.1.. meaning we have medical equipment out there ready to hijack..
The article gives some good ideas: "vibrate when establishing contact", "short range broadcast" (sound/vibrations.. Bluetooth can be picked up 2 km away with the Yagi-Uda antenna, it is -not- limited to 10 meters)
You should think what security you need, and way to many people make bad choices, because they do not know the possibilities.
Some still send encryption keys by secure courier, because they were/are unaware of the asymmetric key possibilities..
I am not a fan of security by obscurity (that only leads to children controlling trains with a TV-remote), but the whole world using the same WiFi, GSM and Bluetooth technologies, for EVERYTHING, then 1 error found there would be catastrophic..
So I like when I see a safety critical feature being developed by two independent teams, running each on their own OS/hardware setup and then the two systems have to agree, to authorise.. (EBI Lock 950, speaking of trains..)
Expensive: yes sir, but reliable and hacker-resistant as -purgatory-
I agree that everyone using their computer for banking should know the system and risks, but I also know that people are different, and to some fashion is of more importance.
On the surface computer security is about trust.
How you get it, is the technical part. And all that technical stuff should just make either a green or a red light shine..
Trusted third party, Diffie-Hellman, SHA3.. people do not have to know all that, just what the green/red light means.
Problems arise when the green light is triggered by a SHA1 approved certificate..
Why? well as MD5 (see funny link 3) and DES, they are not considered to be trustworthy; they are too easy to fake.. (padding, collisions rainbowtables)
Then the industry should revoke all the old certificates.. but it did not.. again they will time out, so in the end the security risk will be dealt with.
But false security is worse than no security, hence when you check the MD5 or SHA1 hash of a file you have downloaded, you -should- know how easy it is to pad up a file to match it..
Checking the two numbers will give a little extra security from people not knowing to fake a hash, but for those that do, which I assume is most malicious people, it means nothing..
Kind Regards
-Ariensky
Thank you for the nice conversation Vurtuoso
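The "two independent teams, two systems that have to agree to authorise" design Ariensky describes for the interlocking is easy to show in code. The block below is an added example, not code from the post or from the EBI Lock 950 product: two independently written evaluators judge a constructed route request, and the gate grants only when both return an identical positive verdict. A disagreement, an unsafe verdict, or a channel that crashes all fail safe to "deny". The request fields and evaluator names are invented for the illustration.

```python
"""Two-of-two (2oo2) authorisation gate, constructed example.

Two independently written evaluators decide whether a requested route is
safe. The gate grants only when both agree that it is; any disagreement,
negative verdict, or channel fault results in a deny (fail-safe).
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple


@dataclass(frozen=True)
class RouteRequest:
    # Hypothetical fields for a route request (not from any real interlocking)
    route: str
    occupied_blocks: FrozenSet[str]   # track blocks currently reported occupied
    route_blocks: Tuple[str, ...]     # blocks the requested route passes through
    signal_locked: bool               # a conflicting signal is already locked


def evaluator_a(req: RouteRequest) -> bool:
    """Channel A: loop-based check written by 'team A'."""
    if req.signal_locked:
        return False
    for block in req.route_blocks:
        if block in req.occupied_blocks:
            return False
    return True


def evaluator_b(req: RouteRequest) -> bool:
    """Channel B: the same rule, written independently with set arithmetic."""
    clash = set(req.route_blocks) & set(req.occupied_blocks)
    return (not req.signal_locked) and (len(clash) == 0)


def authorise(req: RouteRequest,
              channels: Tuple[Callable[[RouteRequest], bool], ...] = (evaluator_a, evaluator_b)
              ) -> Tuple[str, str]:
    """Return ("grant"|"deny", reason). Grants only on unanimous positive verdicts."""
    verdicts = []
    for check in channels:
        try:
            verdicts.append(bool(check(req)))
        except Exception:
            # A crashed or unresponsive channel is treated as a deny, never as a yes.
            return ("deny", "channel_fault")
    if all(verdicts):
        return ("grant", "agreed")
    if any(verdicts):
        # Channels disagree: one of them has a fault we cannot identify, so refuse.
        return ("deny", "disagreement")
    return ("deny", "unsafe")


if __name__ == "__main__":
    clear = RouteRequest("R1", frozenset({"B7"}), ("B1", "B2"), False)
    busy = RouteRequest("R1", frozenset({"B2"}), ("B1", "B2"), False)
    print(authorise(clear))  # grant
    print(authorise(busy))   # deny, unsafe
```

The point of the two implementations is diversity: a bug in one channel shows up as a disagreement rather than as a wrong "grant", and the gate never resolves a disagreement in favour of proceeding.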
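Ariensky's green/red light for checking a downloaded file's hash can be written as a small policy. The block below is an added example, not the post's code: it treats MD5 and SHA1 digests as a red light on their own (collisions against them are practical), verifies any stronger digests with a constant-time comparison, and only shows green when every strong digest matches. The sample file bytes are constructed; `publish` stands in for whatever the download site would have listed.

```python
"""Download-hash check with a weak-algorithm policy, constructed example."""
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Digests the "red light" fires on: collision attacks are practical against both.
WEAK_ALGORITHMS = {"md5", "sha1"}


def publish(data: bytes, algorithms: Iterable[str]) -> Dict[str, str]:
    """Compute the digests a download page might list next to the file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify_download(data: bytes, published: Dict[str, str]) -> Tuple[str, str]:
    """Return ("green"|"red", reason) for downloaded bytes against published digests."""
    strong = {alg: digest for alg, digest in published.items()
              if alg.lower() not in WEAK_ALGORITHMS}
    if not strong:
        # Only MD5/SHA1 offered: a match proves little, so refuse to call it green.
        return ("red", "only collision-prone digests published")
    for alg, expected in strong.items():
        try:
            actual = hashlib.new(alg, data).hexdigest()
        except ValueError:
            return ("red", f"unknown algorithm {alg}")
        # Constant-time comparison so the check itself does not leak timing.
        if not hmac.compare_digest(actual, expected.lower()):
            return ("red", f"{alg} mismatch")
    return ("green", "all strong digests match")


if __name__ == "__main__":
    sample = b"constructed installer bytes v1.0\n"  # constructed sample file
    print(verify_download(sample, publish(sample, ["md5"])))             # red
    print(verify_download(sample, publish(sample, ["md5", "sha256"])))   # green
    print(verify_download(sample + b"!", publish(sample, ["sha256"])))   # red
```

One caveat the post hints at: a digest fetched from the same place as the file only catches corruption, since whoever can replace the file can replace the digest. A green light that means anything needs the expected digest to come from a separately trusted source, such as a signed release manifest.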
OMG, you win teh internets! I totally was going to talk about the defib machine before I remembered and saw you already brought it up, on a lighter note I listen to a security podcast and they were talking jokingly about bluetooth being used for dual prosthetic limbs, and the said appendage to be hacked to function the kick command to kick a husband or wife out of bed. ;P
But yeah I am glad you understand, rainbow tables, nice touch. Ever heard of a WiFi Pineapple? lol. http://www.youtube.com/watch?v=yr5upPHqhlA Free internet here! Seriously...It's nice to see someone who shares the same passion and understanding. I think general technology, people do not understand, or have not adapted to catch up with. The pursuit of faster and more convenient has provided no true boons overall, consistent upgrades required, instantly outdated processes, ADHD style programming for flashy graphics and lesser more secure efficient systems. Oh and yeah, good stuff on the CSRF stuff.
Nokia 3310 ftw.
Renowned jester of the double AS Tigress
MP in sneak eNSDed me and did about 20k damage in 10-12 seconds
pffff, i still got a back up nokia 3210 :P
hope FC and the rest of the players here had a good party
Freedom or death!
Anything then being an Omni Tek Corporate slave!
Created 2005-11-16 (paid main that's all mine )
Created 2005-02-03 (froobie)
Created 2007-10-11 (second paid account because i wanted a freaking shade :P)
-= Make the new engine look even better. Don't forget to post a screenshot! =-
Means, why hast thou forsaken us this week? We know your boxes are unpacked.
The key to happiness is self-delusion. Don't think of yourself as an organic pain collector racing toward oblivion. - Scott Adams
Programmer n. - An ingenious device that turns caffeine into code
Jesus paid for our sins - now let's get our money's worth
Last edited by jorricane; Jan 2nd, 2011 at 22:28:51. Reason: speeling
Thor Mastablasta Hammersmith - Level 220, AI 30, LE 70 Clan Atrox Nano Technician - Setup
The Red Brotherhood
I'm a Nano-Technician, don't ever expect me to fight unbuffed, alone or fair.
Means: about f'ing time :P
Satenia: heresy <3
Znore: Mastablasta <3
Kinkstaah: I have agro from many mobs ;(
Madarab: we are aoe class, we are supposed to use pistols
Marxgorm: the NT toolset does not fit into my raiding tactics