John Pescatore, Gartner: Reports say Larry Ellison, Oracle's CEO, spent $100M or more to have his sailboat be slightly faster than New Zealand's sailboat. Wouldn't a similar investment in making Java security a non-oxymoron feel as good? [in SANS NewsBites, Vol. 15, Num. 083 (Oct. 18, 2013)] Context: Oracle has released fixes for more than 50 vulnerabilities in Java. http://krebsonsecurity.com/2013/10/java-update-plugs-51-security-holes/
"There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time." -- George Orwell, "1984"
Security actively flies in the face of the "web 2.0" business model which is *BUILT ON* surveillance of as many people as possible.
> As Robert Morris used to say, the three laws of computer security
>
> 1) Don't have a computer
so far so good
> 2) If you have a computer, don't turn it on
how do you know it hasn't turned itself on?
> 3) If you turn it on, don't use it
you may not be using it, but it could be watching you
Strike Orwell from the curriculum for trivialising the matter; he hopelessly underestimated commerce and voluntary participation. http://www.taz.de/Die-Woche/%21133634/
The problem this runs into is that in the embedded world security is job #9, after reliability/availability, reliability/availability, reliability/availability, reliability/availability, reliability/availability, reliability/availability, reliability/availability, and reliability/availability. http://www.metzdowd.com/pipermail/cryptography/2014-March/020348.html
> You can easily solve this problem by obtaining a certificate
> that verifies in almost all browsers for a few bucks per year,
And the neat thing is that any bad guy can buy a cert from the same CA you bought yours from (or any other commercial CA of their choice), set up a dummy server, and all your friends will connect thinking it's the real thing. The false sense of security created by the cert will make things much easier for them.
In short, as I've noted time and again, if you are counting on your antivirus to save you or your co-workers from the latest threats, you may be in for a rude awakening down the road. http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus/
"Our extensive preliminary inquiries have produced tangible facts showing that unknown members of US intelligence services spied on a mobile phone of Federal Chancellor Dr. Angela Merkel." http://www.tagesschau.de/inland/generalbundesanwalt-nsa114.html
"Illegal Spying Below" -- inscription on an airship that the EFF and Greenpeace floated above the NSA headquarters. http://heise.de/-2242718
"Another expert said that s/he believed that this leak may come from a second source, not Edward Snowden, as s/he had not seen this in the original Snowden docs; and had seen other revelations that also appeared independent of the Snowden materials. If that's true, it's big news, as Snowden was the first person to ever leak docs from the NSA. The existence of a potential second source means that Snowden may have inspired some of his former colleagues to take a long, hard look at the agency's cavalier attitude to the law and decency." securitycurrent.com
USB stands for "universal serial bus." The key words are "bus" and "universal." It is a very powerful and fundamental extension of the computer. Anything attached to it is part of the computer. We did not need this presentation to tell us that. Neither should it come as a surprise that Moore's Law applies to the things that can attach to it. When I was small, and first left the house by myself, my mother told me never to take USBs from strangers. When I was a little older, my daddy told me never to put my USB in someone else's machine. When my sister went out, she was told never to let anyone put their USB in her machine. It was called "practicing safe computing" or "good hygiene." Fortunately for us, most, but not all, of the USB ports and devices in the world are sterile. This is a large fundamental vulnerability with a relatively small threat; a low risk. sans.org
As it says in reference [1], quoting none other than Frank Rowlett, "in the long run it is more important to secure one's own communications than to exploit those of the enemy." Alas, the NSA seems to get this wrong again and again and again. [1] Thomas R. Johnson, "American Cryptology during the Cold War, 1945-1989", Center for Cryptologic History / National Security Agency (1998), http://www.nsa.gov/public_info/_files/cryptologic_histories/cold_war_iii.pdf
It is *impossible* for browser makers to whack all the moles. Their efforts at shoring up the sandbox and improving code quality, though beneficial, just amount to rearranging deck chairs on the Titanic.
"So quick were they at decoding the messages between Adolf Hitler and his generals, it is said that by 1945, it would have been easier for Himmler or Guering[sic] to ring Bletchley Park to obtain the Fuhrer's orders than wait for them to be deciphered at their own headquarters."