
Comment C-Level Executive of course (Score 1) 154

For corporate-level risk decisions like this, the final decision has to rest with a C-level executive. If he is a good manager, of course, he will get input from other people first and then make the decision. In the eventuality that the corporation's cloud service is hacked or compromised ... they will have to answer to the owners or the shareholders anyway.

Personally, I would be extremely wary of allowing any corporate data to be "housed" in a cloud unless they have deep pockets and can be held liable for damages caused by a major breach.

Comment Re:What you are missing (Score 1) 303

To be classified it does not need to be stamped "classified" -- it is automatically classified by the fact of the source information at the top.

Often in the foreign service you communicate things that would not necessarily be classified - such as talks or communications in confidence with others in power etc. (off the record) -- and this lack of taking security seriously put both them and their lives at risk in some cases. What this teaches the world is that the US cannot be trusted with confidential or classified material and they should stop co-operating with the US on or off the record.

Comment Re:Better link (Score 4, Insightful) 127

NO, you miss the point....

"On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file."

The installer itself has been granted privileges by the operator to install the application to all users. It cannot install itself directly from the browser. It has to be downloaded (and potentially auto-opened) for installation. It either has to be installed maliciously into an application (which is unlikely to be a signed developer).

Subsequent to that installation of the malicious malware, that user that installed the application has been given effective root access WITHOUT requiring passwords on subsequent actions. But until that file is modified, that user does not have sufficient rights, nor do any 3rd party applications have sufficient rights to make changes to that file without user intervention.

The vulnerability is that the installer can make changes to the /etc/sudoers file during installation by use of DYLD_PRINT_TO_FILE.

It is highly unlikely an application that is from a certified/signed developer is going to contain malware in the installer -- possible but not likely. This means social engineering to get the user to download unsigned applications - then go into security settings and allow that installer an exception to start the installation.

http://arstechnica.co.uk/secur...
Read the code that is being executed by the installer

Comment Re:Privilege escalation exploit change looks like t (Score 1) 127

"On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file."

The installer itself has been granted privileges by the operator to install the application to all users. It cannot install itself directly from the browser. It has to be downloaded (and potentially auto-opened) for installation. It either has to be installed maliciously into an application (which is unlikely to be a signed developer) -- or a developer would have to link in external packages into their application that could potentially have the exploit.

Comment Re:Privilege escalation exploit change looks like t (Score 1) 127

/etc/sudoers is already read only by root/wheel..... which of course is no problem to change if you are root (which is what you have to give access to to make the changes in the first place) -- and that requires user intervention to install the malware.

Comment Re:Better link (Score 1, Insightful) 127

NO, code execution in a browser CANNOT escalate privileges.... none of those applications have sufficient rights to change the /etc/sudoers file. The user would have to download and install an application from an unknown developer - which is blocked by default. You would then have to go into security settings and say - open up that installer for the application anyway. That installer application would then have sufficient privileges to make changes to the file and give that user root access with no asking of the password in the future. It takes a fair amount of social engineering of stupid users to get to that point.

Most unix admins don't allow anyone root access or the ability to install applications. It only exists in OS X to be user friendly. The exploit is closed in 10.10.5 (currently in beta).

In El Capitan the security will be rootless by default.

Comment Privilege escalation exploit change looks like this (Score 4, Informative) 127

If you run "sudo cat /etc/sudoers" it will print out the file in question. The section normally looks like:

# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL

If it has been changed to include a new user or make changes at the end of any of the lines to add "NOPASSWD:ALL" then you have been affected:

e.g.
username ALL=(ALL) NOPASSWD:ALL
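The check the comment above describes, as an added example that is not part of the original thread: a small Python audit that parses sudoers text and flags any NOPASSWD grant or any principal beyond the stock root and %admin entries. The sample sudoers text is constructed; the expected-principal set and the function names are this example's own assumptions.

```python
"""Audit sudoers text for NOPASSWD grants and unexpected principals (added example)."""
import re
import subprocess

# Constructed sample: the stock OS X section quoted in the comment plus one injected line.
SAMPLE_SUDOERS = """\
# User privilege specification
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD:ALL
"""

# Principals present in a stock OS X sudoers (assumption for this example);
# anything else is worth a second look.
EXPECTED_PRINCIPALS = {"root", "%admin"}

# principal  host-list = (runas) [TAG:] commands
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.*)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_user_specs(text):
    """Yield (principal, hosts, spec) for each user-spec line.

    Comments (including #include directives), blank lines, Defaults and alias
    definitions are ignored. Numeric '#uid' principals are not handled.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_suspicious(text, expected=EXPECTED_PRINCIPALS):
    """Return [(principal, reason)] for entries a defender should review."""
    findings = []
    for principal, _hosts, spec in parse_user_specs(text):
        if "NOPASSWD" in spec.upper():
            findings.append((principal, "NOPASSWD grant"))
        elif principal not in expected:
            findings.append((principal, "unexpected principal"))
    return findings


def audit_live_sudoers():
    """Run the comment's 'sudo cat /etc/sudoers' and audit the result (prompts for a password on a healthy system)."""
    out = subprocess.run(["sudo", "cat", "/etc/sudoers"], capture_output=True, text=True, check=True).stdout
    return find_suspicious(out)


if __name__ == "__main__":
    for principal, reason in find_suspicious(SAMPLE_SUDOERS):
        print(f"{principal}: {reason}")
```

Running it on the constructed sample reports only the injected "username" line; run audit_live_sudoers() to check the real file.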

Comment Both sides of argument conveniently slanting... (Score 1) 528

200 ft (2/3 the way down the football field if he shot straight up - 280ft+ if he shot at a 45deg angle).... with birdshot... and downing it.... not likely..... very unlikely... possible? maybe - but the probability is the altitude claimed is false.

No one should be flying drones over other people's property. Period. If you think it is ok to fly a drone over other people's property (potentially with cameras with zoom lenses)... may you have children that are spied on by pedophiles...

Now, if flying a drone over other people's property is not allowed -- shooting over other people's property (unlikely the birdshot will obey property boundaries).... but firing up at a target is highly unlikely to be dangerous to anyone on the ground (see Mythbusters) -- wind resistance would make it annoying at best if hit.

If shooting a drone out of the sky and having it fall on someone is dangerous.... then just flying the drone and potentially crashing it (without shooting it out of the sky) is also dangerous....

If you fine the shooter for shooting it down, then the flyer should also pay a fine as well..... and forget about damages... since he should not have been flying it there anyways.

Comment Re:Democracy (Score 1) 431

Democracy is not designed to produce better governance.... just hopefully one in which more people have a vested interest and where bloody coups are not needed to change the government when it has become too corrupted to continue. Voters vote for collapsing their economies all the time, and sometimes the government actually co-operates....

Comment Never again.... Standard of living not great.... (Score 1) 410

London is a great place to visit.... but I would never want to live there again.

You arrive and you do all the tourist stuff in the first few weeks (musicals, theatre, dining out).... but after that it just is not worth it.... prices are high, living standards low (small cramped expensive apartments, going out expensive, etc.). I lived there for 1 year and 1 day. I harped that it was not a place that I wanted to live forever... and my PM, a proud Brit, took exception to it to a certain extent. Only when he visited his counterpart in Texas did he actually get what we were talking about (his place was 20% the size and no cool cars in the driveway etc.)... and he was completely thrown.... I hear that he finally made the move to Australia.... something he originally thought he would never do.

I would never return to live... only to visit.

Comment Re:Objective-C is now legacy - but not quite dead (Score 1) 337

This mixing of C and Objective-C for the sake of making a point is ridiculous.

Objective-C IS NOT C. Darwin, the operating system kernel underneath the UI, is written in C and C++..... not Objective-C.

The UI APIs and Objective-C are what we are talking about... So no, Objective-C to continue being used going forward is not in the same league.
