Network World Insecurity Complex

The loss of net neutrality: Say goodbye to a free and open internet Thu, 17 May 2018 09:31:00 -0700 Tom Henderson

Update May 17, 2018

Following the U.S. Senate’s 52-47 vote to reinstate net neutrality rules, U.S. Rep. Mike Doyle (D-Pa.) announced the House of Representatives will attempt to also force a vote on the issue under the Congressional Review Act (CRA).

“I have introduced a companion CRA in the House,” Doyle said during a press conference yesterday, “but I’m also going to begin a discharge petition, which we will have open for signature tomorrow morning. And I urge every member who supports a free and open internet to join me and sign this petition, so we can bring this legislation to the floor.”

To force a vote in the House, the petition needs 218 signatures. The Democrats hold only 193 seats there, so they need 25 Republicans to switch sides.

//m.amiribrahem.com/article/3154091/the-loss-of-net-neutrality-say-goodbye-to-a-free-and-open-internet.html#tk.rss_thumpingtheclouds Internet, Mobile, Small and Medium Business
Intel sold you out Mon, 08 May 2017 09:38:00 -0700 Tom Henderson

There should be prizes for this. Let’s call them The Oopsies. The most bafflingly easy servers to hijack turn out to be those running Intel’s Active Management Technology (AMT).

People warned me about this, and I pooh-pooh’d it. Please hand me a scraper so that I can wipe the egg off my face. The servers are so wickedly simple to jack that a third-grader can log into them and merrily do essentially root damage.

That the largest server CPU provider on earth doesn’t fall all over itself in sincere apologies (United Airlines gone wrong?) doesn’t surprise me. No one falls on their sword anymore. No one takes product managers out behind the cafeteria and strips the access key fob from the management toy room. It’s all just jolly. Oops. Sorry, folks

//m.amiribrahem.com/article/3194999/intel-sold-you-out.html#tk.rss_thumpingtheclouds Security, Network Security, Intel
Net neutrality is pure new revenue Wed, 03 May 2017 11:31:00 -0700 Tom Henderson

There is no goal in stifling net neutrality other than profits for telcos and broadband providers and their media empires. The current stink about having your favorite data communications pathway classified under Title II is this: No preferential treatment is given for data transport paths, and they’ll tend to seek the shortest, lowest-cost routing in various ways. 

Perhaps you forgot these following paradoxes: 

  • Xfinity owns NBC/Universal, but it believes that the FCC’s designation (by Wheeler and the FCC Commissioners in their prior regime) as a Title II Carrier is wrong, while at the same time it believes itself to be in favor of net neutrality.
  • Verizon owns AOL (along with the Huffington Post and perhaps bits of what we once knew as Yahoo!) and believes the very same paradox. 
  • AT&T owns a lot of turf as well, including the Dish Network for both data and consumer video entertainment. 

Each provider, in this case, has something to gain by letting its own stuff ride on its own transport for cheap, to the detriment of other services on the internet. 

//m.amiribrahem.com/article/3194231/net-neutrality-is-nt-new-revenue.html#tk.rss_thumpingtheclouds Internet, Telecommunications Industry
Security certificates gone wrong Tue, 25 Apr 2017 11:50:00 -0700 Tom Henderson

Security certificates are designed to authenticate hosts. Browsers have become pretty good about understanding chains of authorities, and making users accept the risk when websites can’t prove the chain of authorities needed to verify they are who they say they are.

Sites masquerading as legitimate sites, however, employ sad little tricks, such as “punycode”—URL links embedded in otherwise official-looking phishing emails. These tricks are malicious. There are also sites that should be well-administrated but are not.

Then there are sites, important sites, that botch their own security with certificates ostensibly granted by places such as the U.S. Department of Homeland Security (DHS).

//m.amiribrahem.com/article/3192356/security-certificates-gone-wrong.html#tk.rss_thumpingtheclouds Security, Internet, App Protection
Virtual assistants hear everything, so watch what you say. I’m not kidding Mon, 17 Apr 2017 11:38:00 -0700 Tom Henderson

The law of unintended consequences is once again rearing its ugly head: Google, Apple, Amazon and others now make virtual assistants that respond to commands, and recordings can trigger them.

Burger King found out how, via a radio commercial, it could get Google’s attention. It produced an ad designed to trigger Google Home to advertise the Whopper. The ad featured a Burger King employee saying, “OK, Google. What is the Whopper burger?” The Google Home device would then read the Wikipedia definition of a Whopper. The trigger stopped working a few hours after the ad launched.

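//m.amiribrahem.com/article/3190176/virtual-assistants-hear-everything-so-watch-what-you-say-i-m-not-kidding.html#tk.rss_thumpingtheclouds Security, Smart Home, Consumer Electronics, Amazon.com, Google Home
The IoT of bricks: Someone is bricking insecure IoT devices Mon, 10 Apr 2017 03:45:00 -0700 Tom Henderson

I can’t justify the vigilantism, but someone is bricking vulnerable IoT devices. I ponder the morality of it all. It’s called BrickerBot. It finds IoT devices with dubious security and simply bricks/disables them.

Insecure dishwashers, teapots, refrigerators and security cameras all become part of vast botnets. Botnets can do many things, and we’ve seen them become the armies behind the largest internet attacks in history. How to clean up these devices has become the crux of many outcries, including numerous ones in this space.

//m.amiribrahem.com/article/3188358/the-iot-of-bricks-someone-is-bricking-insecure-iot-devices.html#tk.rss_thumpingtheclouds Internet of Things, Security, Cybercrime, Network Security
10 practical privacy tips for the post-privacy internet Thu, 30 Mar 2017 11:54:00 -0700 Tom Henderson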

ISPs and providers can now sell your data and browser histories. The U.S. Congress sold you out. If you had any browsing dignity, you don’t now. Too bad you couldn’t pay the legislators as much as the data wolves.

You should have been doing these things all along, but now it’s time to decide just how much dignity you have. Most of you won’t bother. This isn’t for you. Click away, and go surf.

For those remaining, take these privacy tips seriously.

1. Educate yourself about cookies and clean them out regularly

For some of you, this means a daily cleanout. What you DO NOT clean out (will cause you hassles) are cookies associated with financial institutions. They will put you through a drill when they don’t find the cookie that they like. Scrape them. Every browser has the ability to do this, with Chrome being the most difficult. But we’re not surprised because it’s from Google—the company whose very life depends on knowing information about you.

//m.amiribrahem.com/article/3186732/10-practical-privacy-tips-for-the-post-privacy-internet.html#tk.rss_thumpingtheclouds Internet, Security
The insecurities list: 10 ways to improve cybersecurity Tue, 28 Mar 2017 10:56:00 -0700 Tom Henderson

A friend asked me to list all of the cybersecurity things that bug me and what he should be diligent about regarding user security. We talked about access control lists, MAC layer spoofing, and a bunch of other topics and why they mattered. You should come up with a list of head-desk things.

After a bit of thought, here’s a list. It’s by NO means comprehensive, and it’s not an organized best practices document. Instead, these are marbles that roll around in my head and bother me a lot.

1. Ban and route to null t.co, bit.ly, and other URL shorteners

Why? Especially in phishing emails, a user has no idea where the link is going, what’s behind that link, or what kind of benevolent or conversely malicious payload is going to load in the default browser. Sure, your anti-malware or antivirus tool, or even the browser’s own instinct, might prevent a page load that opens a back door into your network. Maybe.

//m.amiribrahem.com/article/3185391/the-insecurities-list-10-ways-to-improve-cybersecurity.html#tk.rss_thumpingtheclouds Security, Network Security, Cybersecurity
Pwn2Own 2017: Your stuff as mincemeat Mon, 20 Mar 2017 08:52:00 -0700 Tom Henderson

They came from miles around to carry out a hallowed, decade-long mission: to eat your lunch.

The security researchers assembled at the Pwn2Own 2017 hacking competition, sponsored by Trend Micro, and occasionally grouped together, then performed essentially zero-day exploits (at least by the rules, heretofore unknown) on your favorite stuff, such as Windows, MacOS and Linux. Smoldering pits in the screen were left, as teams collected cash prizes and creds. 

For giggles and grins, a Type 2 hypervisor, VMware Workstation, was also left for shrapnel, one of the first times a hypervisor has been penetrated by a virtual machine in this way. It wasn’t a cascade effect, but rather a shot across the bow. I suspect there are more ways to penetrate a foundational hypervisor, too, but they haven’t been seen in captivity to my knowledge.

//m.amiribrahem.com/article/3182825/pwn2own-2017-your-stuff-as-mincemeat.html#tk.rss_thumpingtheclouds Security, App Protection, Network Security
After the WikiLeaks dump: Do nothing Thu, 09 Mar 2017 12:03:00 -0800 Tom Henderson

You heard it here first. Don’t do a damn thing in response to the WikiLeaks dump that you weren’t already doing. Don’t sit idle; be vigilant and keep your eyes on the target. Because this isn’t news.

What? Not news?!?

No. Among the three-letter agencies, if they want you, they have you. They’ll find a way. It’s a matter of time. But they’re largely ahead of the lazy ones as well. You should expect this.

If hardware and device makers gasp that their stuff is crackable, it’s only time to snicker. Nothing is foolproof because 1) fools are so ingenious and 2) with a big enough hammer you can crack anything. Even you. You are not impregnable. It’s a matter of degree—and if you can detect the breach quickly.

//m.amiribrahem.com/article/3179092/after-the-wikileaks-dump-do-nothing.html#tk.rss_thumpingtheclouds Security, Network Security, Cybercrime, Cybersecurity
Checklist for choosing a small cloud host or ISP Mon, 06 Mar 2017 09:32:00 -0800 Tom Henderson

I’ve been through a number of hosting companies. My NOC is at Expedient in Indianapolis (Carmel). They do a lot of work for my testing needs. They have a large, well-designed facility, lots of power and, most important, they know what they’re doing and do it 24/7.

In my role as someone who knows the difference between UDP and TCP, I get asked a lot to recommend an ISP or cloud host for purposes of web and mail hosting for small businesses, organizations and even generic civilians. Over the years, I’ve found some common difficulties that can mean the difference between enjoyable experiences and long, drawn-out support problems with incumbent frustration.

//m.amiribrahem.com/article/3176903/checklist-for-choosing-a-small-cloud-host-or-isp.html#tk.rss_thumpingtheclouds Cloud Computing, Telecommunications Industry, App Protection, Network Security, Internet
Mobile World Congress 2017: Mobility monsters Tue, 28 Feb 2017 13:20:00 -0800 Tom Henderson

At Mobile World Congress (MWC) in Barcelona, there are eight huge halls, not to mention the vendor-decked hallways, plus another sub-convention center to visit. Mobile World Domination is a better word for the event. I’m reminded of the old days of CeBIT where 800,000 people made it to Hannover, Germany, in the late 1990s and early 2000s.

No more.

The GSMA has adroitly herded all things mobile to Barcelona instead. The recognizable big guns are here, minus a large Microsoft presence, and Apple is the invisible 800-pound gorilla.

//m.amiribrahem.com/article/3175712/mobile-world-congress-2017-mobility-monsters.html#tk.rss_thumpingtheclouds Mobile, Cloud Computing, SDN, Smartphones, Mobile Apps, Mobile Security, Small and Medium Business
The $475 S key Tue, 31 Jan 2017 12:14:00 -0800 Tom Henderson

I have a MacBook Air, purchased from the Apple Refurb store about two years ago. It now has a dead key. It’s the S key.

After cleaning it with compressed air, it worked badly for a while and is now dead. A query to the local Apple repair shop indicates it’s fixable for about $380. One look at the iFixit repair PDF, and it’s easy to see that it’s very labor intensive. For. One. Key. 

I obtained an appointment at the area Apple Store Genius Bar. After about 40 minutes, it was determined that Apple could repair my MacBook Air. The price would be $475, but that would include other refurbishments as determined at the time, perhaps including a new battery or whatever else was found “wrong” with the machine. 

//m.amiribrahem.com/article/3163499/the-475-s-key.html#tk.rss_thumpingtheclouds Macintosh, Apple
Harbinger of the Great Internet Wall arrives Mon, 30 Jan 2017 12:45:00 -0800 Tom Henderson

By presidential proclamation, non-U.S. citizens' data is in jeopardy

An executive order by President Trump could hurt a data transfer framework that allows EU citizens’ personal information to be transmitted to the U.S. for processing with the promise that the data would have the same privacy protection in the U.S. as it has in the EU. 

That’s because a section of the order says, “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” 

//m.amiribrahem.com/article/3163204/harbinger-of-the-great-internet-wall-arrives.html#tk.rss_thumpingtheclouds Security, Internet, Social Networking Apps
The latest database attacks: Tips of the icebergs Mon, 23 Jan 2017 12:43:00 -0800 Tom Henderson

MongoDB wasn’t the first database hit by ransomware, just a rich target for attacks. Now, ElasticSearch and Hadoop have become ransomware targets. They won’t be the last. Were these three database products insanely simple to secure? Yes. Were they secured by their installers? Statistics and BitCoin sales would indicate otherwise. 

And no, they won’t be the last. Every hour of every day, websites get pounded with probes. A few are for actual research. When the probe is a fake logon, like the dozens of hourly WordPress admin fails I get on my various websites, you have some idea that the sender isn’t friendly.

//m.amiribrahem.com/article/3160624/the-latest-database-attacks-tips-of-the-icebergs.html#tk.rss_thumpingtheclouds Security, Cybercrime, Cyberattacks, Network Security
Windows 10 peeping: Microsoft fails to understand the uproar Wed, 18 Jan 2017 09:06:00 -0800 Tom Henderson

I’ve been covering Microsoft Windows since the 1980s. There have been several regime changes, each with its own distinct ego. Some regimes listened eagerly, some didn’t. This one is failing, but I believe the current fingers-in-the-ears stance is related more to revenue than to ideology.

Microsoft wants data about you. To get it, Windows 10 is riddled with phone-home messaging. Some sites document dozens of IP addresses and add even more DNS calls for your machine’s data.

We’re told that the data isn’t personally identifiable and that it’s used to improve QA. No one said Microsoft didn’t need QA. New versions of Windows have always had holes big enough to fly airliners through, but Microsoft finally got some sense when in Windows XP SP2 and Vista, they demoted user space. Finally. 

//m.amiribrahem.com/article/3158833/windows-10-peeping-microsoft-fails-to-understand-the-uproar.html#tk.rss_thumpingtheclouds Windows, Microsoft, Small and Medium Business
Rated insecurity: Faux Cat 6 cable sold on Amazon Thu, 12 Jan 2017 07:13:00 -0800 Tom Henderson

Many of you are on Wi-Fi, but this is salient to you. 

Amazon’s enormous sales site is marketing Cat 5 and Cat 6 Ethernet cable with aluminum conductors, as well as “plenum-rated” cable that bears no UL markings and is likely fraudulent. This comes after a run of apparently bogus Apple chargers and cables. 

Why do you care? Several reasons: 

  1. Some of the Ethernet cable sold uses either copper-coated or copper-mixed aluminum. Numerous specs call for the conductors to be solid copper. Why? Copper meets conductivity specs and won’t heat up under load.
  2. Organizations using Power-over-Ethernet (PoE) to power remote Wi-Fi access points (quite common these days) risk having the cable catch fire due to overheating, or just melt and short—especially on long cable runs.
  3. Plenum-rated cables are self-extinguishing. This means if you put a nail through one (we hope accidentally), then a jacket surrounding the cable prevents setting something in the surrounding area on fire.
  4. If you add the two factors together, cable that heats up and jackets that don’t extinguish a possible flame, then the sprinklers turn on. We hope. 

Whilst perusing the listings, I came across numerous enticing examples. Why enticing? Because their cost is perhaps half, even less, of products that do meet the specifications. 

//m.amiribrahem.com/article/3157345/rated-insecurity-faux-cat-6-cable-sold-on-amazon.html#tk.rss_thumpingtheclouds Computers and Peripherals, Networking
On being a 24/7 organization and the 2016 leap second Mon, 19 Dec 2016 10:54:00 -0800 Tom Henderson

If the cloud is real, software important, and system reliability paramount, then non-stop computing, computing across time zones, and invisibly short repair times ought to be mandatory, wouldn’t you think? 

Of many requirements lain in litigation, regulatory compliance, and other “best practices,” there is one that doesn’t seem to make the checklists. 

Let me lay it out for you: 

Can you get support 24/7/365.25?

You get bonus points for knowing leap seconds are coming. Why? Because among other things, Kerberos time synchronization mandates pretty accurate timing. We’re about to insert a leap second into your life on western New Year’s Day. You may have zones that celebrate other years, but to be in sync with the time standards in the United States, there will be an extra second. The earth is slowing down. 

//m.amiribrahem.com/article/3151893/on-being-a-247-organization-and-the-2016-leap-second.html#tk.rss_thumpingtheclouds Security, Application Performance Management
Zen and the art of security Tue, 13 Dec 2016 06:57:00 -0800 Tom Henderson

I’m a Zen heretic, and so also is my sense of systems security.

A very cogent citation describes the folly of it all. The people who install toolbars, click on random stuff and feel like they won something when they downloaded the free app are too plentiful, and security is too tough to understand—even PGP. 

Bringing up the bottom is as important as extending the top. We don’t ritualize security because that would be too tough, too impolite to do. Your mother did not teach you to use complex passwords and to change them as frequently as your underwear. Given some people I know, it’s a wonder they passed the “p@55w0rd” rubric they were trained to use.

//m.amiribrahem.com/article/3149731/zen-and-the-art-of-security.html#tk.rss_thumpingtheclouds Security, Network Security
Looking to 2017: It’s not just enterprise security Fri, 09 Dec 2016 08:33:00 -0800 Tom Henderson

IoT, rotten home AP firmware, freaking Wi-Fi cameras: They’re all eating your lunch. Here’s an Advanced Persistent Threat notice: EVERYTHING AROUND YOU can give you a miserable day. 

It’s now entirely myopic, and hence irresponsible, to think there is such a topic as enterprise security because sadly video cams in Macedonia can give your hosting environment a DDoS headache. 

Poor TLS handshakes crack browsers open like an egg. 

Your router vendor had all of the hardening of a “fairy tap.” Remember those when you were a kid? A fairy tap was a gentle touch, designed to invade your space but do no damage. Now the damage is pOwn1ng your infrastructure. Or your business partner’s infrastructure.

//m.amiribrahem.com/article/3149066/looking-to-2017-its-not-just-enterprise-security.html#tk.rss_thumpingtheclouds Security, Endpoint Protection, Network Security
2016: A systems security disaster Tue, 29 Nov 2016 04:30:00 -0800 Tom Henderson

This may make you angry. It makes me livid.

It’s a report, 34 pages long, from the Identity Theft Resource Center of the known systems breaches just this year.

Read it and rage. 

It does not include the San Francisco Metro Transit Authority (SFMTA) hack from Thanksgiving weekend, where the SFMTA had to let passengers go free through the gates. 

//m.amiribrahem.com/article/3144942/2016-a-systems-security-disaster.html#tk.rss_thumpingtheclouds Security, Network Security
10 reasons to divorce the cloud Mon, 21 Nov 2016 03:30:00 -0800 Tom Henderson

For some companies, using cloud services isn’t what they hoped or expected it to be. Reasons like these might be enough to make them leave.

1. Your costs went out of control.

This can be significant. Prices go up and go down. A new product gets introduced that might be more financially attractive—but only if you started from that point and not if you include the added cost of migration (documentation, security and other audit) not to mention re-budgeting and rate of return over the lifecycle of the data flows. 

2. Security was tougher than you thought. 

You were probably smart and already had extensive key control, but perhaps your cloud vendor wanted it done their way. Asset control, the cost of embedding security control planes and audit infrastructure that duplicates data center standards created a duopoly of security infrastructure—perhaps both equal but not the same—adding to costs of control, training, documentation, audit and more. 

//m.amiribrahem.com/article/3143000/10-reasons-to-divorce-the-cloud.html#tk.rss_thumpingtheclouds Cloud Computing, Cloud Security, Cloud Storage
Your security mirages Mon, 14 Nov 2016 11:12:00 -0800 Tom Henderson

Yes, I was hit last week. Forensics are in progress. I got doxxed, too.

It has made me realize that most of systems security is an illusion. Here are my favorite alternate realities:

1. Everything is safe behind the firewall.
Ever heard of UBFWI—as in User’s Been Fooling With It? While IDS/IPS and networked firewall technology have improved so vastly, there’s nothing like a user with an infected laptop to bring in a lulu.

2. Obscure operating systems never get hit. Hackers only go for the gold with Windows.
Here, let me laugh out loud and roll on the floor. Mine was an obscure server version on an obscure branch of an obscure BSD limb. Listen to the sound of lunch getting eaten: mine. Chomp, chomp, burp.

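//m.amiribrahem.com/article/3141431/your-security-mirages.html#tk.rss_thumpingtheclouds Security, Network Security
When DR fails Mon, 07 Nov 2016 11:21:00 -0800 Tom Henderson

Someone hacked my main server. I have a small organization, and the server is an old Apple Xserve running 10.6.7, chosen because it’s not a common host. Now it’s time to scratch security through obscurity off the list.

So, let’s do a preliminary recovery. Forensics will have to wait.

I went to a hosting company to spin up httpd and mail. They’re already my registrar. Pretty big organization.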

And they don’t have 24/7 support.

Since this happened on a Saturday, I was already in trouble. I chose one of their hosting plans. It costs a rudimentary $60 for a web server plus mail. It uses the famous CPanel hosting.

//m.amiribrahem.com/article/3139388/When-dr-fails.html#tk.rss_thumpingtheclouds Security, Cyberattacks, Network Security
Improve IT security: Start with these 10 topics Mon, 31 Oct 2016 13:39:00 -0700 Tom Henderson

You want to be more responsible about IT security in your organization, but where do you start? May I suggest your first step be understanding these topics more thoroughly. This list isn’t exhaustive. It’s only a beginning:

1. DNS and DNSSEC: The biggest games in cyber war are hitting DNS providers. DNS can be compromised in many simple ways, but Domain Name System Security Extensions (DNSSEC) thwarts these—at the cost of understanding how it works, how to deploy it and how it’s maintained. There are ways to understand if your own organization is threatened with DDoS attacks. Study them. 

//m.amiribrahem.com/article/3137164/improve-it-security-start-with-these-10-topics.html#tk.rss_thumpingtheclouds Security, Network Security
Murphy’s Law: The security version Wed, 19 Oct 2016 04:00:00 -0700 Tom Henderson

Since the first of the month, I’ve heard colleagues and others report each of the following 10 security variants of Murphy’s Law. Murphy is not only alive, but has been reincarnated.

It’s worth reminding the gentle reader of various famous last words:

1. All documents will be out of date or simply missing
Documents will not be maintained. Documents will have pages missing. And authors shall be unavailable for any reason (deployed to Mt. Everest is preferred). No documents shall be in an understandable language, be edited, collated, or have referring URLs that do not 404, 401 or 5XX. Any good documentation shall be the only copy on a laptop that was stolen whilst unencrypted. 

//m.amiribrahem.com/article/3132566/murphys-law-the-security-version.html#tk.rss_thumpingtheclouds Security, Network Security
A breach alone means liability Tue, 11 Oct 2016 04:00:00 -0700 Tom Henderson

Rich Santalesa, a programmer turned writer and lawyer, brought an interesting turn of events to my attention last week. We need to pay heed:

A litigant can have standing in a U.S. Federal breach case where no personal fraud or identity theft has yet occurred.

Usually, a litigant has to have suffered injury—a breach caused them identity theft or other fraudulent activity based upon information released in a security breach.

This means if you’re cracked, you can be liable if personally identifiable information is released, exfiltrated, absconded, whatever. It also means that should you believe the axiom that currently most of us are hacked, we’re in for a litigious treat. 

//m.amiribrahem.com/article/3128859/a-breach-alone-means-liability.html#tk.rss_thumpingtheclouds Security, Network Security
IoT: We are serfs and pawns Mon, 03 Oct 2016 12:11:00 -0700 Tom Henderson

There’s a huge problem with the ugly internet of the Internet of Things (IoT). Many IoT thingies have the security of wet tissue paper, and they’re being used in large swarms and masses to wreak havoc.

A colleague of mine, Stephen Satchell, says misbehaving IoT devices should bear the full brunt of the Consumer Product Safety Commission and be recalled, every last one of them.

Recalled.

Why won’t this happen? Let me speculate.

It’s because our own government, that is to say the more covert parts of the U.S. government, has its own cadre of botnets and control vectors that allows them interesting windows into foreign lands. 

//m.amiribrahem.com/article/3126805/in-the-internet-of-things-we-are-serfs-and-pawns.html#tk.rss_thumpingtheclouds Internet of Things, Security, Endpoint Protection
The IoT is uranium Mon, 26 Sep 2016 10:40:00 -0700 Tom Henderson

Update: It was reported Sept. 27 that a near terabyte/sec attack was foisted on hosts of Minecraft servers in the first thermonuclear attack on U.S. servers. Who's next?

----------------------------------------------------------

Does the thought of 600 Gbps-plus of traffic hitting your URLs excite you? Do you get tingles up and down your spine thinking about watching your line of business apps frying? Perhaps that wonderful text, where an alert from your financial processor says “We’ve gone black, again, and expect to be back online perhaps maybe possibly tonight” thrills you.

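//m.amiribrahem.com/article/3124326/the-iot-is-uranium.html#tk.rss_thumpingtheclouds Internet of Things, Security, Endpoint Protection, Cyberattacks, Network Security
The many dimensions of cloud value Mon, 19 Sep 2016 11:25:00 -0700 Tom Henderson

Do you hear the grating sound of value clashes among cloud service providers? It’s the sound of attempted differentiation, so that you’ll buy Starbucks rather than Dunkin’ Donuts, Peet’s or perhaps Tim Hortons brew. Brand thinkers want us to choose our favorite because they know that once we do, we tend to stick with it. We’re creatures of habit. We don’t like the vetting process of choosing a new vendor for coffee, or for IT equipment and services.

Much of the marketing focus will gradually shift to incremental service bundles that make one cloud vendor’s offering seem, or actually be, better than another’s.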

Determine the value of the cloud services you need

The first smoke cloud that obscures actual value of cloud services is the dizzying value calculator. This device, when present (and it’s often missing), allows you to plug in what you predict (you can predict, can’t you?) your ongoing costs will be for a particular set of data processing needs.

//m.amiribrahem.com/article/3121252/the-many-dimensions-of-cloud-value.html#tk.rss_thumpingtheclouds Cloud Computing, Cloud Management