Shared posts

11 Oct 17:46

Want To Hijack a Domain? Just Get a Fax Machine

by Soulskill
msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."









11 Oct 17:46

Fire 'em! Majority want to toss entire Congress: Poll

by gguillotte
In October 2010, a majority of Americans - 50 percent to 47 percent - said they would not fire all congressional members. But by August 2011, 54 percent said they would toss every lawmaker from office; in January 2012, 56 percent said that; and just three months ago, in July, it was 57 percent.
11 Oct 17:46

Zero Charisma is an awkward but honest love letter to nerds

by gguillotte
It’s a great concept, but one Zero Charisma doesn’t fully exploit. Instead of really exploring the differences and the similarities between Scott and Miles, the movie is content to just continually heap shit on Scott’s life with almost sadistic pleasure. Some are Scott’s fault — his assertion that The Matrix was based on a short story he wrote is particularly excruciating, and which Miles happily tears apart — but life is happy to join in, as his grandmother has a stroke, his negligent mother returns and effectively sells the house. How much of Scott’s inability to cope or interact with people is due to his mother abandoning him to his grandmother as a child is the most interesting question the movie raises. But that’s about it, unfortunately.
11 Oct 17:31

Rudy submitted to ria-rha: Boob Windows and Midriffs I...





Rudy submitted to ria-rha:
Boob Windows and Midriffs

I saw this posted on gaming site “Kotaku” (http://kotaku.com/what-some-male-gamers-want-female-soldiers-to-look-like-1442781879). Because everyone knows that boob windows and bare midriffs are right at home on the battlefield. 

(the pictures are included in the article - I figure I didn’t need to include them here, as well).

Tia submitted to ria-rha:
Saw the result of the contest asking about what male gamers want.

http://kotaku.com/what-some-male-gamers-want-female-soldiers-to-look-like-1442781879

In short - Camo Cleavage

tres-acordes submitted to ria-rha:

"Male soldiers in Crytek’s huge free-to-play online shooter Warface are depicted realistically but, comparatively, female soldiers are not. Their proportions are exaggerated, their clothing is revealing - they’re sexualised.

They’re that way because a male-dominated audience asked for them to be. And while Crytek recoiled at the “considerably more extreme” requests, applying an authenticity filter to rule out things such as high heels, impractical open-chested combat fatigues exposing plenty of cleavage were kept in.”

They actually considered putting soldiers in high heels? 

[Image Link]

You don’t say! Tell me something I don’t know…

I saw this article yesterday too, and was very disappointed. A telling quote from the article:

"The female skins [are] a good example of how we see how culturally the different regions approach the same game in different ways," Howard says. "The skins we’re showing right now are the skins that basically came out of our Russian region. They’re not what our players at first requested in the Russian region. They tended to be considerably more extreme that what we ended up shipping with."P

He goes on to talk about how Chinese players gave similar responses, which were “also somewhat unrealistic as compared to the males but differently than the Russians…You look at the Chinese models and they’re also disproportionate but in a way that’s more… Chinese? I don’t even know what language to use for that but they’re different.”

As much as I wish that the developers hadn’t done this, at the same point it’s quite informative about how men perceive women in games. Boy do we have a lot of work to do.

-Astro

Tica’s note: This is depressing. Looking at the image link, you can see that the men get massive bullet vests, eye/head protection, loose clothes… The women get tight-sitting clothes, super-model faces, no head/eye protection what-so-ever and cleavage — completely ignoring the bullet vests for the sake of “sexy”. 

I feel like this is extremely offensive for those women who actually are in the military.

It’s not like they don’t have enough sources. (

It’s true that they have started making womenswear in the military more fitting to the female measurements (because things should stay in place and sit correctly, etc) but not to the stage where they lose the meaning of “protective and practical”. In fact, you won’t even see the differences, that’s how minor the changes are.

11 Oct 17:28

This Epidemic of Adorable Patrick Stewart and Ian McKellen Pictures Has to Stop

Seriously, Sir Patrick Stewart. Stop Tweeting these. It makes me question the very fabric of reality that people so wonderful as you and Sir Ian McKellen can exist. P.S.—No, don't stop. Never stop. You wonderful dorks. Previously in Patrick Stewart and Ian McKellen Being Better Humans Than One Can Reasonably Be Expected To Be (via: Tumblr)
11 Oct 17:28

Arrow Producer Total Whovian, I Knew It

Andrew [Kreisberg] is such a Whovian, so if you were to say to him right now, ‘Number one guest star actor/actress, who would it be?’ Clearly it would be Matt Smith. I can tell you that if there was even the faintest chance that he is available, he would be hired immediately. They would probably hire him to take my job, they love Doctor Who so much. - Stephen Amell, star of the CW's Arrow. I knew it. The creators of Arrow have already organized a small Whovian reunion by hiring John Barrowman and Alex Kingston as recurring characters, but they've got a lot of work to do if they want to complete the whole set. They're in luck, though, as Matt Smith already has some experience playing another DC superhero. Previously in Arrow
11 Oct 17:27

Air Gaps

by Bruce Schneier

Since I started working with Snowden's documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible.

I also recommended using an air gap, which physically isolates a computer or local network of computers from the Internet. (The name comes from the literal gap of air between the computer and the Internet; the word predates wireless networks.)

But this is more complicated than it sounds, and requires explanation.

Since we know that computers connected to the Internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use -- or should use -- air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on.

Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same.

Air gaps might be conceptually simple, but they're hard to maintain in practice. The truth is that nobody wants a computer that never receives files from the Internet and never sends files out into the Internet. What they want is a computer that's not directly connected to the Internet, albeit with some secure way of moving files on and off.

But every time a file moves back or forth, there's the potential for attack.

And air gaps have been breached. Stuxnet was a US and Israeli military-grade piece of malware that attacked the Natanz nuclear plant in Iran. It successfully jumped the air gap and penetrated the Natanz network. Another piece of malware named agent.btz, probably Chinese in origin, successfully jumped the air gap protecting US military networks.

These attacks work by exploiting security vulnerabilities in the removable media used to transfer files on and off the air-gapped computers.

Since working with Snowden's NSA files, I have tried to maintain a single air-gapped computer. It turned out to be harder than I expected, and I have ten rules for anyone trying to do the same:

1. When you set up your computer, connect it to the Internet as little as possible. It's impossible to completely avoid connecting the computer to the Internet, but try to configure it all at once and as anonymously as possible. I purchased my computer off-the-shelf in a big box store, then went to a friend's network and downloaded everything I needed in a single session. (The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.)

2. Install the minimum software set you need to do your job, and disable all operating system services that you won't need. The less software you install, the less an attacker has available to exploit. I downloaded and installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That's all. (No, I don't have any inside knowledge about TrueCrypt, and there's a lot about it that makes me suspicious. But for Windows full-disk encryption it's that, Microsoft's BitLocker, or Symantec's PGPDisk -- and I am more worried about large US corporations being pressured by the NSA than I am about TrueCrypt.)

3. Once you have your computer configured, never directly connect it to the Internet again. Consider physically disabling the wireless capability, so it doesn't get turned on by accident.

4. If you need to install new software, download it anonymously from a random network, put it on some removable media, and then manually transfer it to the air-gapped computer. This is by no means perfect, but it's an attempt to make it harder for the attacker to target your computer.

5. Turn off all autorun features. This should be standard practice for all the computers you own, but it's especially important for an air-gapped computer. Agent.btz used autorun to infect US military computers.

6. Minimize the amount of executable code you move onto the air-gapped computer. Text files are best. Microsoft Office files and PDFs are more dangerous, since they might have embedded macros. Turn off all macro capabilities you can on the air-gapped computer. Don't worry too much about patching your system; in general, the risk of the executable code is worse than the risk of not having your patches up to date. You're not on the Internet, after all.

7. Only use trusted media to move files on and off air-gapped computers. A USB stick you purchase from a store is safer than one given to you by someone you don't know -- or one you find in a parking lot.

8. For file transfer, a writable optical disk (CD or DVD) is safer than a USB stick. Malware can silently write data to a USB stick, but it can't spin the CD-R up to 1000 rpm without your noticing. This means that the malware can only write to the disk when you write to the disk. You can also verify how much data has been written to the CD by physically checking the back of it. If you've only written one file, but it looks like three-quarters of the CD was burned, you have a problem. Note: the first company to market a USB stick with a light that indicates a write operation -- not read or write; I've got one of those -- wins a prize.

9. When moving files on and off your air-gapped computer, use the absolute smallest storage device you can. And fill up the entire device with random files. If an air-gapped computer is compromised, the malware is going to try to sneak data off it using that media. While malware can easily hide stolen files from you, it can't break the laws of physics. So if you use a tiny transfer device, it can only steal a very small amount of data at a time. If you use a large device, it can take that much more. Business-card-sized mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for sale.

10. Consider encrypting everything you move on and off the air-gapped computer. Sometimes you'll be moving public files and it won't matter, but sometimes you won't be, and it will. And if you're using optical media, those disks will be impossible to erase. Strong encryption solves these problems. And don't forget to encrypt the computer as well; whole-disk encryption is the best.

One thing I didn't do, although it's worth considering, is use a stateless operating system like Tails. You can configure Tails with a persistent volume to save your data, but no operating system changes are ever saved. Booting Tails from a read-only DVD -- you can keep your data on an encrypted USB stick -- is even more secure. Of course, this is not foolproof, but it greatly reduces the potential avenues for attack.

Yes, all this is advice for the paranoid. And it's probably impossible to enforce for any network more complicated than a single computer with a single user. But if you're thinking about setting up an air-gapped computer, you already believe that some very powerful attackers are after you personally. If you're going to use an air gap, use it properly.

Of course you can take things further. I have met people who have physically removed the camera, microphone, and wireless capability altogether. But that's too much paranoia for me right now.

This essay previously appeared on Wired.com.

EDITED TO ADD: Yes, I am ignoring TEMPEST attacks. I am also ignoring black bag attacks against my home.
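Rules 8 and 9 above can be partly checked in software. The following is an added example, not code from the essay or its author: it fills the transfer media with random padding, records a manifest, and later reports anything missing, unexpected or changed. The function names and the `fill_bytes` parameter are assumptions of this example; run the audit on a machine other than the one suspected of compromise, and keep the manifest off the media.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # padding is written in 1 MiB files


def sha256_file(path: Path) -> str:
    """Hash a file in blocks so large padding files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(media: Path) -> dict:
    """Map every file on the media to (size, sha256)."""
    out = {}
    for p in sorted(media.rglob("*")):
        if p.is_file():
            rel = p.relative_to(media).as_posix()
            out[rel] = (p.stat().st_size, sha256_file(p))
    return out


def pad_media(media: Path, fill_bytes: int) -> dict:
    """Write random padding totalling fill_bytes, then return the manifest.

    Random padding cannot be compressed or predicted, so any later reuse
    of that space for other data changes a recorded hash.
    """
    remaining, n = fill_bytes, 0
    while remaining > 0:
        size = min(CHUNK, remaining)
        (media / f"padding-{n:04d}.bin").write_bytes(secrets.token_bytes(size))
        remaining -= size
        n += 1
    return snapshot(media)


def audit_media(media: Path, manifest: dict) -> list:
    """Compare the media with the manifest; an empty list means no drift."""
    now = snapshot(media)
    findings = []
    for name in sorted(manifest.keys() - now.keys()):
        findings.append(f"missing: {name}")
    for name in sorted(now.keys() - manifest.keys()):
        findings.append(f"unexpected: {name} ({now[name][0]} bytes)")
    for name in sorted(manifest.keys() & now.keys()):
        if manifest[name] != now[name]:
            findings.append(f"changed: {name}")
    return findings


def demo() -> list:
    """Constructed scenario: a temp directory stands in for the media."""
    with tempfile.TemporaryDirectory() as d:
        media = Path(d)
        (media / "notes.txt").write_text("constructed sample payload\n")
        manifest = pad_media(media, fill_bytes=3 * CHUNK + 500)
        assert audit_media(media, manifest) == []
        # Simulated tampering: padding overwritten and an extra file added.
        (media / "padding-0001.bin").write_bytes(b"\x00" * CHUNK)
        (media / "extra.dat").write_bytes(b"x" * 10)
        return audit_media(media, manifest)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On real media, copy the payload first and use `shutil.disk_usage(mount_point).free` as an upper bound for `fill_bytes`, leaving a small margin for filesystem metadata.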

11 Oct 17:26

Tom Hiddleston's impression of Owen Wilson as Loki is surreally fun

by Rob Bricken

I don't know why someone would ask Tom Hiddleston to do an impression of Owen Wilson as Loki from The Avengers, but I do know the internet is a better place now because of it. By the gods, could this man get any more likable?



    






11 Oct 17:26

Comic Book Legends Revealed: George R.R. Martin, David Bowie & Wonder Woman

Was George R.R. Martin really the first comic con attendee ever?! And how close did David Bowie's wife come to playing Wonder Woman and Black Widow? Find out this week!
11 Oct 17:17

nogyu: God has spoken. LITERALLY NO HE HASN’T....



nogyu:


God has spoken.

LITERALLY

NO HE HASN’T. IT’S A FORGERY.

BUT IT’S A GOOD FORGERY.

11 Oct 16:42

Let developers write puppet manifests. Reviewed 2 weeks later.

by sharhalakis
firehose

rainy doctor GIF autoshare

by letterstojen

11 Oct 16:40

Photo











11 Oct 16:40

Photo

















11 Oct 16:39

Photo



11 Oct 16:37

Sirens of the lambs, Banksy in NY

firehose

delicious




11 Oct 16:36

Britain just privatized its mail service at a $1 billion discount

by Jason Karaian
Too low or too high?

The largest IPO in Europe in more than two years could have been even larger. The privatization of the Royal Mail, in which around two-thirds of the company’s shares began trading this morning, raised £1.7 billion ($2.7 billion) for the government.

Frenzied trading pushed the Royal Mail’s shares up by nearly 40% within minutes of the opening bell. This followed enormous demand for the initial allocation of shares, with the retail portion of the offering oversubscribed by seven times and institutional investors bidding for 20 times as many shares as they were allowed.

The pop in the share price immediately revived criticism that the government was flogging the 500-year-old company far too cheaply. The gap between offering price and the current share price, if it holds, implies that the government underpriced the sale by roughly £660m, or just over $1 billion.


Of course, that conclusion depends on your theory of what the “right” price for an IPO is. In theory, the perfect IPO trades neither up nor down on the first day of trading, meaning the offer price was exactly what the market would have paid. In practice, most listings are underpriced (pdf), which is explained in a number of ways, one being that companies and their bankers want to reward early investors with a “pop” in the price of the shares they bought, creating goodwill towards management as the company embarks on its future as a listed firm. If the share price falls after the IPO—a certain giant social network comes to mind—most analysts consider it a flop.

But the opposite may be true when a government is the one doing the selling. For one thing, it’s getting out of the business, so shareholders’ goodwill towards it is irrelevant. For another, it has not only shareholders to consider, but taxpayers. There are far more British taxpayers than there are Royal Mail shareholders, so the proceeds denied to the public purse from the lowballed sale are a bigger sore point than a smaller group of shareholders’ first-day returns. An overvalued offering would also give the impression that the government has flipped the usual script and soaked the big financial institutions who hold the majority of the privatized group, which could go down well politically.

At any rate, the government will retain a stake in Royal Mail of around 30%. If the share price remains firm, it can offload these shares at a better valuation than the ones it sold today. Another possible silver lining is the windfall that investors will receive thanks to today’s trading (Royal Mail employees were given 10% of the company’s shares for free). On top of subsidized mortgages and bank fee refunds, recent government policies are doing their part to fatten the wallets of at least some British consumers—the ones more likely to vote for the incumbent Conservatives, at any rate.


11 Oct 16:36

Before surveillance leaks, CIA supervisor warned Snowden could be a security risk

by Chris Welch

Years before Edward Snowden gained notoriety by leaking classified intel on the US government's broad surveillance programs, a supervisor at the CIA warned that he could be a potential liability. The New York Times reports that in 2009, as Snowden was preparing to depart Geneva after a three-year stint as a CIA technician, a "derogatory report" was added to his personal file. Snowden's supervisor had become unhappy with changes he'd seen in Snowden's behavior and work, but there was another, more startling allegation in the report — one that ultimately could have prevented Snowden from becoming a thorn in the government's side. The CIA believed Snowden had tried to access classified data that he wasn't authorized to view. Based on this suspicion, the agency decided to send Snowden packing.

A warning that fell on deaf ears

Yet somehow this warning never made its way to the NSA, nor either company that employed Snowden as a contractor there. Four years later, Snowden would take advantage of his position at Booz Allen Hamilton to leak thousands of classified documents revealing the massive scope of US surveillance at home and abroad. Attempting to explain the blunder, intelligence officials have told the Times that systems used by the CIA and NSA to track security clearances monitor only "major infractions," not complaints about behavior or cautionary notes.

At least, that's the way things used to be. In the aftermath of Snowden's unprecedented leaks, those communication lines have opened up and any potential warnings regarding employees — however minor — are now said to be shared within the intelligence community. If the NSA had been aware of Snowden's previous snooping, it may not have necessarily doomed his career, but he would likely have faced greater scrutiny from superiors, and his access to sensitive data may have been restricted significantly.

11 Oct 16:36

From The Editor: Gameological is becoming part of The A.V. Club

by John Teti
firehose

tl;dr: "Starting the week of Oct. 21, Gameological won’t publish on Mondays (except for any news items that come up), and Fridays will be pretty light, too. In addition, it’s time to bid farewell to some of our smaller features, like the daily Sawbuck Gamer reviews, The Bulletin, Out This Week, and Game That Tune."; Teti leaves Gameological to be an Onion A/V club senior editor.

Plus some other site business.
11 Oct 16:32

Tea Party calls Ted Cruz a hero; some others see disaster - Reuters


Politico

Tea Party calls Ted Cruz a hero; some others see disaster
Reuters
Fri Oct 11, 2013 10:17pm IST. * Senator Ted Cruz cheered at conservative gathering. * Some strategists call effort to kill Obamacare foolish. By Tim Reid. WASHINGTON, Oct 11 (Reuters) - Establishment Republicans in Congress such as John McCain are ...
11 Oct 16:32

Chip Kelly Steals Run Play from Tecmo Super Bowl

by Aaron Schatz

No, seriously. Chip Kelly ran a play against the Giants that looks exactly like the famous QB EAGLES designed run from Tecmo Super Bowl.

11 Oct 15:24

While discussing overexposure...

by MRTIM
firehose

sorry, everybody


11 Oct 15:22

lapetitecole: The Great Depression



lapetitecole:

The Great Depression

11 Oct 15:22

San Diego Convention Center expansion approved

by Kevin Melrose
firehose

update: nerds beat jocks

San Diego Convention Center expansion approved

Despite objections by the San Diego Chargers and concerns about public access to the waterfront, the California Coastal Commission on Thursday unanimously approved the $520 million expansion of the San Diego Convention Center, viewed as critical to keeping Comic-Con International in the city. While the blessing of the commission — it’s a state agency with [...]
11 Oct 15:21

Rockstar served cease and desist letter by rapper over GTA 5 song use

by Emily Gera
firehose

glwt


By Emily Gera on Oct 11, 2013 at 8:11a

Rockstar is at the receiving end of a cease and desist letter sent by rapper Daz Dillinger over the use of two songs featured in Grand Theft Auto 5, TMZ reports.

Dillinger sent publisher Take-Two Interactive Software and Rockstar games the notice through his attorney, demanding all copies of GTA 5 be recalled over use of his songs "C-Walk" and "Nothin' but the Cavi Hit". This comes despite reportedly turning down an offer of $4,271 for both songs.

The artist is asking Rockstar to either recall and destroy all copies of the game or offer a larger sum of money. His lawyers have given the company 14 days to comply.

We've contacted Rockstar for comment and will update when more information is available.

11 Oct 15:20

Peter Higgs skipped town to avoid spotlight during Nobel announcement

by Jacob Kastrenakes

Peter Higgs may be grateful to have won the Nobel Prize in physics, but he wasn't eager to sit in the media spotlight — so much so that he actually skipped town ahead of the announcement just in case he won, reports the Guardian. At 84, Higgs apparently isn't fond of modern technology, eschewing mobile phones and computers for landlines and pen and paper, so when he left for a carefully timed vacation earlier this week there was no quick way to contact him. The Royal Swedish Academy was reportedly unable to get in touch with Higgs before or even after the physics prize was announced.


"Oh, what news?"

Higgs didn't find out about winning until he'd returned to his home in Scotland, and was congratulated by a former neighbor, reports the BBC. "She congratulated me on the news, and I said, 'Oh, what news?'" Higgs reportedly explained at a conference at the University of Edinburgh. "I heard more about it obviously when I got home and started reading the messages."

Though Higgs' award-winning work was published in 1964, it wasn't until earlier this year that scientists were able to confirm the existence of a particle consistent with what was described by his findings. "I'm delighted and rather relieved in a sense that it's all over. It has been a long time coming," Higgs said at Edinburgh, reports the BBC. The boson that Higgs predicted explains why particles have mass — a critical concept for physicists to determine. Higgs is sharing the prize with an assisting scientist, and he points out that there are many others who helped but haven't been recognized.

Higgs says that since the Large Hadron Collider — the particle accelerator used to observe the Higgs boson — was started up, he knew that the particle he predicted would eventually be found, reports the BBC. But until the collider was started, Higgs says, "It seemed to me for many years that the experimental verification might not come in my lifetime."

11 Oct 15:12

kukashkin: Official issue bag.



kukashkin:

Official issue bag.

11 Oct 15:12

Photo



11 Oct 15:12

Photo



11 Oct 15:11

Photo



11 Oct 15:10

Chemical Weapons Watchdog Wins Nobel Peace Prize

Urging the destruction of “an entire category” of unconventional weapons, the Norwegian Nobel Committee awarded its 2013 Peace Prize on Friday to a relatively modest and little-known United Nations-backed body that has drawn sudden attention with a mission to destroy Syria’s stocks of chemical arms.