
Thread: Wikileaks / Vault 7

  1. #101
    Sea Torques
    Join Date
    Oct 2006
    Posts
    673
    BG Level
    5
    FFXI Server
    Carbuncle

    For how long though? How long should a company be legally required to update firmware/software on a device? 3 years? 5 years? 20 years after they've stopped producing that model?

  2. #102
    Atheist Douchebag.
    Pony Slayer of the House of Weave

    Join Date
    Oct 2006
    Posts
    21,387
    BG Level
    10
    FFXIV Character
    Zetanio Breaux
    FFXIV Server
    Gilgamesh
    FFXI Server
    Odin

    Quote Originally Posted by Bardicrune View Post
    For how long though? How long should a company be legally required to update firmware/software on a device? 3 years? 5 years? 20 years after they've stopped producing that model?
    Zero months.

    EDIT: Unless there is a service contract in place of course.

  3. #103
    Ridill
    Join Date
    Oct 2006
    Posts
    18,451
    BG Level
    9
    FFXIV Character
    Sath Fenrir
    FFXIV Server
    Cactuar
    FFXI Server
    Fenrir

    Quote Originally Posted by Bardicrune View Post
    For how long though? How long should a company be legally required to update firmware/software on a device? 3 years? 5 years? 20 years after they've stopped producing that model?
    What's the "statute of limitations" on car manufacturers calling for recalls?

  4. #104
    Sea Torques
    Join Date
    Oct 2006
    Posts
    673
    BG Level
    5
    FFXI Server
    Carbuncle

    Public safety is one thing, but what about something that interfaces with a vehicle. A next gen thermostat that turns on the A/C when it receives a signal from your car stating that you are on your way home. If a security flaw is discovered that allows it to install a rootkit on the vehicle, is the thermostat manufacturer legally bound to develop and issue a fix for the thermostat? (Bad example I know, as the vehicle is at fault for allowing the thermostat to install the rootkit.)

  5. #105
    Ridill
    Join Date
    Oct 2006
    Posts
    18,451
    BG Level
    9
    FFXIV Character
    Sath Fenrir
    FFXIV Server
    Cactuar
    FFXI Server
    Fenrir

    Quote Originally Posted by Bardicrune View Post
    Public safety is one thing, but what about something that interfaces with a vehicle. A next gen thermostat that turns on the A/C when it receives a signal from your car stating that you are on your way home. If a security flaw is discovered that allows it to install a rootkit on the vehicle, is the thermostat manufacturer legally bound to develop and issue a fix for the thermostat? (Bad example I know, as the vehicle is at fault for allowing the thermostat to install the rootkit.)
    To be fair, car recalls are also a bad example.

    My actual feelings on it are that I don't think the manufacturer should be bound to provide unlimited firmware updates to prevent lawsuits, but in exchange for that money saving feature they should be forced to allow users more freedom in updates / modification of OS.

    Which is a pipe dream but yeah.

  6. #106

    Quote Originally Posted by Byrthnoth View Post
    Honestly, shouldn't the companies just be legally (and thus financially) responsible for putting out insecure products?

    We need a secret court so that when our government finds zero days, it can sue the companies for negligence while also keeping the zero day secret.
    You can only hold them to that to a certain extent, things that are secure today might be broken in a week or month from now due to some super obscure bug. Look at some of the vulnerabilities just last year where they just found stuff in code that is 15+ years old or more. There are a lot of lines of code to sift through and fuzz and it might only be exploitable given a perfect circumstance that sometimes people find just by chance. Now if you're talking about products like some of the IoT devices that come with like 4 webservers built in, all running without letting you know that in any manual and all configured with stuff like "admin/admin" then yeah, there needs to be some responsibility. However if a company can show they actually took steps and effort to securing something, what else can you do?

    However, it also shouldn't come with a firmware/OS that can't be or isn't updated and has known vulnerabilities
    Everything can be updated for security patches for the most part, whether they are or not is another story and that falls both on you the user, and keeping up to date with the fucking massive amount of security patch information out there, or relying on a company like Microsoft to be able to assess and patch them correctly WITHOUT opening up new avenues of attack, which sometimes happens. Again...there is a shit ton of stuff going on under the hood and every little piece can be exploited in some way using it in some fashion it was not intended to be used in, but it is literally impossible to see everything.

    That is why we have threat analysis, you patch up the big holes and hope that's enough and mitigate the rest through other means, sometimes just saying "yup we'll get to that hopefully"

  7. #107

    Just kinda some context; but I see a lot of people(outside this thread), shocked at all this access.

    It's common knowledge to computer scientists that any device in which an attacker has physical access to is always 100% insecure, encryption doesn't matter when you have physical access to the device because all electronics not operating at absolute zero(aka none), leak data in some way that allows you to either retrieve the data or break the encryption.

    This is why the FBI stuff was hilarious, because it showed how immensely incompetent they are given the above. So incompetent they'd rather change the law than do the work.

  8. #108
    Black Belt
    Join Date
    Aug 2005
    Posts
    5,907
    BG Level
    8
    FFXI Server
    Quetzalcoatl

    Quote Originally Posted by Darus Grey View Post
    Just kinda some context; but I see a lot of people(outside this thread), shocked at all this access.

    It's common knowledge to computer scientists that any device in which an attacker has physical access to is always 100% insecure, encryption doesn't matter when you have physical access to the device because all electronics not operating at absolute zero(aka none), leak data in some way that allows you to either retrieve the data or break the encryption.

    This is why the FBI stuff was hilarious, because it showed how immensely incompetent they are given the above. So incompetent they'd rather change the law than do the work.
    I fully agree with this. I often get questions from customers asking what they can do to be 100% safe if the government was to target them. The answer is always the same, they can't, unless they stop using electronics altogether. Even then, given enough money, they probably still would be able to find you.

    The notion of forcing tech companies to be fully responsible and foresee any possible exploit is ridiculous. It can't be done. A lot of companies hire security companies for an independent audit to find exploits and weaknesses, but even then it's hard to find all exploits. As long as they do their very best to find exploits that's good enough.

    The CIA has spent millions if not billions to find some of these exploits. And some of them aren't even an exploit as much as it is physical tampering. They literally have a program which pretends to run an anti-virus scan while they gather data. How is that an "exploit"?

    If you want to stay safe online, you always need to take extra precautions yourself. And common sense goes a long way.

    A much more worrying and damning leak is how they use the Frankfurt US embassy as a European HQ, and issue their hackers with diplomatic passports to travel in Europe. That's certain to hurt US operations and diplomacy.

  9. #109
    IMPERIAL CONCUBINE OF ME
    Coolest Monkey In The Jungle

    Join Date
    Sep 2007
    Posts
    21,547
    BG Level
    10

    Why would they do all that and go to Germany? Are they circumventing US laws or what?

  10. #110
    Black Belt
    Join Date
    Aug 2005
    Posts
    5,907
    BG Level
    8
    FFXI Server
    Quetzalcoatl

    Because Frankfurt is in the heart of Europe and allows you to travel to 22 other countries without having to show a passport. Frankfurt is also an important Internet exchange point, why would you not want to place hackers near that? It's a great strategic position for everything cyber related.

    As a matter of fact, Frankfurt's DE-CIX is the world's largest. The question is not why would they, it is why would they not place hackers in Frankfurt? It's hard to find a better strategical position in Europe.

    It's not at all a surprise they have hackers there. What's surprising is that the leak states they do, where, and how they get there, as well as the covers they use.

    That part of the leak seems to be one that most people for whatever reason overlook in lieu of "OMG my TV", even though I'd consider it one of the most important parts of the leak.

  11. #111

    Quote Originally Posted by Darus Grey View Post
    Just kinda some context; but I see a lot of people(outside this thread), shocked at all this access.

    It's common knowledge to computer scientists that any device in which an attacker has physical access to is always 100% insecure, encryption doesn't matter when you have physical access to the device because all electronics not operating at absolute zero(aka none), leak data in some way that allows you to either retrieve the data or break the encryption.

    This is why the FBI stuff was hilarious, because it showed how immensely incompetent they are given the above. So incompetent they'd rather change the law than do the work.
    FBI issue was different from what I remember, the phone was encrypted and I think via a 512bit RSA key at that. Even with physical access to that system it would take forever to break that encryption (literally, there's no way to break it before the sun dies out). Though with physical access they could do a bit to bit clone of the device and then attempt to figure out a back door or brute force it (brute forcing original device would have killed it after x amount of failed attempts I believe), or attempted some method of extracting the key from the device. That's basically what they wanted from Apple, just a back door into their encryption...which would have made it weak, once a backdoor is known it's just a matter of time until it's discovered in the wild and leveraged by everyone.

  12. #112

    I disagree Meresgi, no security is safe from physical access; case in point a security firm easily opened the San Bernardino phone in question.

    When you have physical access to the device the entire point is you don't *need* to brute force the encryption key. Electronic devices leak data in other ways(heat, sound, vibration, power draw, etc etc etc) that are all more viable than brute forcing the keys.

    Most don't even have to go that far, most professionals can figure out a key eventually with just an oscilloscope, because only the most hardened military devices protect their electrical paths.

    So imho the key never really entered the equation(again, a 3rd party embarrassed the FBI and unlocked it in a couple days). The FBI was simply incompetent and either wanted to push a political agenda, or would rather change the law than invest in the proper resources to do their job.

  13. #113
    Relic Horn
    Join Date
    Oct 2006
    Posts
    3,057
    BG Level
    7
    FFXI Server
    Cerberus
    WoW Realm
    Ravenholdt

    Quote Originally Posted by Darus Grey View Post
    Electronic devices leak data in other ways(heat, sound, vibration, power draw, etc etc etc) that are all more viable than brute forcing the keys.

    Most don't even have to go that far, most professionals can figure out a key eventually with just an oscilloscope, because only the most hardened military devices protect their electrical paths.
    Case in point, researchers broke RSA4096 by listening to a computer via a microphone. The US government has even commissioned sound-proof cases to defeat this type of attack, although I can't seem to find the link to the article for that one.

    https://www.extremetech.com/extreme/...-computers-cpu

    Seriously, if there's physical access to something, it's not secure. Everything has to be maintained, and the sneaker net always wins.

  14. #114
    okay guy I guess
    Join Date
    Nov 2010
    Posts
    22,997
    BG Level
    10

    @jimsciutto
    10m

    BREAKING: US authorities have prepared charges to seek the arrest of @wikileaks founder Julian Assange, US officials tell CNN

  15. #115
    Ridill
    Join Date
    Aug 2008
    Posts
    12,451
    BG Level
    9
    FFXIV Character
    Satori Komeiji
    FFXIV Server
    Sargatanas
    FFXI Server
    Asura

    Assange only has himself to blame.

  16. #116
    RNGesus
    Sweaty Dick Punching Enthusiast

    Join Date
    Jan 2005
    Posts
    38,156
    BG Level
    10
    FFXIV Character
    Lenette Valkyr
    FFXIV Server
    Gilgamesh

    Maybe Trump can pardon him lol

  17. #117
    Black Belt
    Join Date
    Nov 2005
    Posts
    5,736
    BG Level
    8
    FFXI Server
    Siren
    WoW Realm
    Thrall

    For what exactly? Wouldn't his 1st Wikileaks dump a long time ago have warranted this?

  18. #118
    I'll change yer fuckin rate you derivative piece of shit
    Join Date
    Sep 2006
    Posts
    55,020
    BG Level
    10

    Guess he'll be hanging out in that Ecuadorian embassy for the rest of his life.

  19. #119
    Ridill
    Join Date
    Aug 2008
    Posts
    12,451
    BG Level
    9
    FFXIV Character
    Satori Komeiji
    FFXIV Server
    Sargatanas
    FFXI Server
    Asura

  20. #120
    BG Content
    Join Date
    Oct 2005
    Posts
    62,818
    BG Level
    10
    FFXIV Character
    Six Souls
    FFXIV Server
    Gilgamesh
    FFXI Server
    Quetzalcoatl
    WoW Realm
    Malorne
    Blog Entries
    9

    But London is still enforcing the warrant.
