The count of comments and the comment data themselves are cached at different times. It's quite possible, immediately after an article is published, to see a difference between the count and the actual comments.
In NYC they don't want us calling 911.
They want us calling 1-888-NYC-SAFE or 311.
I saw something odd walking down the street a few months back. I called 311, who talked to me about what I was seeing for about 30 seconds and then said, "OK, I'm going to bring in a 911 officer now and they will handle this".
I wasn't sure if what I was seeing was benign or not, which is why I would never have called 911 to report it.
I got called back later about the situation from a detective. It's a good thing I felt comfortable enough to dial 311.
Looks both very useful and a bit scary; opt-out needs some attention on this front!
"This is going to make shopping from your phone much, much easier." (And scarier, IMO.)
Gods man. Can't you just keep your opinions to yourself and try to act like a reporter.
It's no different than Google checking URLs for malware and warning you when you click a URL hosted on any of the Google services.
even if they are HTTPS URLs and contain account information
that makes no sense. First, why would HTTPS be some sort of exception? It's not like SSL'ing a website is all that difficult.
Second, why would you supposedly go through the trouble of using a 'secure' HTTP address if you are then going to pass in account credentials in the URL?
I know the whole communication is encrypted, but why would you pass "https://user:email@example.com/something?foo=bar" via a Skype message if it was really the intention to be secure (putting aside the absurdity of leaving credentials in the URL)?
Long story short, this looks like Skype looking out for the 99% of the internet, and the 1% are crying foul. I'd rather every link my family sends each other via Skype be threat checked.
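Since the thread keeps coming back to "credentials in a URL are a problem whatever the scheme is", here is a small check for that, added as an example and not code from Skype or from anyone in the thread. It assumes a chat message is plain text with URLs in it; the sensitive-key list and the sample message are constructed for illustration, and the scheme is ignored on purpose, because TLS protects the link on the wire and nowhere else (chat history, proxy logs, screenshots).

```python
"""Flag chat-shared links that carry credentials, regardless of scheme.

Added example for this thread; not from the original post, not Skype's code.
The key list and the sample message below are constructed, not real data.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Query/fragment keys that commonly carry secrets. Assumption: a starting
# list, not an exhaustive one.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "access_token",
                  "api_key", "apikey", "secret", "session", "sessionid"}

# Any scheme followed by "://", so ftp://user:pw@host is caught too.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s<>\"']+")

# Constructed sample message: three links, two of them leaking something.
SAMPLE_MESSAGE = (
    "check these: https://user:email@example.com/something?foo=bar and "
    "https://example.com/login?user=bob&password=hunter2 , plus the harmless "
    "https://example.com/docs/page."
)


def find_embedded_secrets(url):
    """Return findings for one URL as (where, detail) tuples; [] if clean.

    Looks at the userinfo part (user:pass@host), the query string and the
    fragment (OAuth implicit-flow tokens land there). The password itself is
    never returned, only the fact that one is present.
    """
    parts = urlsplit(url)
    findings = []
    if parts.username is not None or parts.password is not None:
        masked = "***" if parts.password else ""
        findings.append(("userinfo", f"{parts.username}:{masked}"))
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(("query", key))
    for key, _value in parse_qsl(parts.fragment, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append(("fragment", key))
    return findings


def scan_message(text):
    """Map every URL in a message to its findings (clean URLs map to [])."""
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # trailing sentence punctuation is not part of the link
        results[url] = find_embedded_secrets(url)
    return results


if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_MESSAGE).items():
        print(url, "->", findings or "clean")
```

The check does not recurse into URLs nested inside query values (for example an open-redirect parameter that itself carries a user:pass@ host), so a full scanner would also run `find_embedded_secrets` over any query value that parses as a URL.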
The only new technical implementation is via the torrent link: you can download his database, which has the responses for different ports. With a simple query of his DB, you can tell the vulnerability of an IP address...
Takes the guesswork out of it really... That's something new, in the sense that the everyday script kiddie didn't have this prior to this research release.
He uploaded a binary to 'insecure' devices, to run his code and build his own 'ethical' botnet.
This isn't just checking ports and default logins and reporting back.
This wasn't a simple port scan. I RTFA, so let me help you out.
He (there is no They or We, read the end of the article) compromised devices and uploaded his own code. He was 'nice' about it, in the sense that he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work (like using your router's HTTP interface to execute traceroute on his behalf, possibly inside your network).
For the vast majority of the IPs he just did Nmap/ICMP; sure, that's nothing these days. For the half a million devices he turned into his own botnet... that's illegal.
Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list of IPs that run a version/flavor that I have a 0day on. No more need to scan the net myself.
This is going to accelerate botnet growth. That may be good; maybe we'll finally figure out some way to detach/block IPs that fail to patch.
They didn't force the reboot. So they don't need to calculate for lost uptime.
But they do concede what bandwidth they used and processing time. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.
What they really got 'lucky' on is that they didn't code in a fatal flaw and accidentally create something that had a race condition that resulted in a distributed DoS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky, because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.
That said, your test environment is rarely a perfect simulacrum for the real world.
It's a very scary grey hat project. I thought this finding was interesting though:
So, how big is the Internet?
That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.
Based on their rather thorough analysis, only about half the IPv4 address space is being actively used.
I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...
Another thing to consider about this, is based on the platform they built, they could go for the Black Knight approach, and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security".....
Inoculation can kill though...
Fine line... very fine line. End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.
First off, the whole reason these guys got whacked by the judge is because they did the standard script-kid thing and went onto IRC and boasted about it, and talked about how they were going to take down AT&T and make a name for their security company (Goatse Security, an obvious play on the goatse troll).
He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.
By that rationale, any request on a web server via HTTP GET or POST that could escalate privilege or divulge private data should go unpunished. You realize the number of vulnerabilities accessible via a well-crafted GET URL? XSS, SQL injection, tons of stuff. Ignore the fact that HTTP is even involved here. This is no different than finding a weakness at any other level of the OSI model; the fact that people can easily understand HTTP GETs doesn't make them any less serious and dangerous in the hands of an attacker.
Honestly, this was argued over the Ping of Death back in the day. I mean, you're simply sending an ICMP packet via a ping command, it's not like you're hacking.
In the end it's about context. Exploiting a weakness is by definition hacking. Just because the hack isn't enigmatic doesn't mean it's not a hack. Look at John Draper and a plastic whistle that happened to hit 2600 Hz easily.
"But it's just a guy blowing a whistle into a phone, it's not hacking".
These guys crafted a specific HTTP GET request that returned private data. The key in this request was generated by them based off a known flaw in AT&T's systems (using the ICC-ID as a semi-private key). Then they shared that data with a news organization.
Sure, those of us in the industry can shake our head at how stupid AT&T was, but at the same time most of us recognize the line these two guys crossed. It's one thing to send an e-mail to AT&T and copy a security mailing list with a simple example, it's another to write a program and automate the extraction of over 120k e-mails and then package the data and send it to Gawker, while boasting about it on IRC channels.
Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.
I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."
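The point above about "a well-crafted GET that returns someone else's data" is the classic guessable-identifier lookup, so here is the pattern in miniature, added as an example: this is not AT&T's code and does not model their actual endpoint, the identifiers and e-mail table are constructed and follow no real ICC-ID format, and the session mechanism is a hypothetical stand-in for whatever the real site used. It shows the endpoint that hands out the record for any identifier you supply, the same lookup with an ownership check bound to an authenticated session, and the sweep detector a SOC would want so a 120k-record harvest does not go unnoticed.

```python
"""Guessable identifier -> account data, with and without an ownership check.

Added example for this thread; not AT&T's code and not a model of their
endpoint. SUBSCRIBERS, the identifiers and the session scheme are constructed.
"""
import secrets
from collections import defaultdict

# Constructed subscriber table keyed by a sequential device identifier.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
    1004: "dave@example.com",
}

# Hypothetical session store: token -> device id the session was issued for.
SESSIONS = {}


def issue_session(device_id):
    """Issue a random session token bound to one device id (assumed login step)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = device_id
    return token


def lookup_email_vulnerable(device_id):
    """The flawed endpoint: the identifier is the only 'key', so anyone who can
    guess it (and sequential ids are trivially guessable) gets the record."""
    return SUBSCRIBERS.get(device_id)


def lookup_email_hardened(device_id, session_token):
    """Same lookup, but the record is released only to the session that owns it."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != device_id:
        return None
    return SUBSCRIBERS.get(device_id)


def enumerate_ids(lookup, id_range):
    """What the harvesting script does: sweep identifiers, keep every hit."""
    harvested = {}
    for device_id in id_range:
        email = lookup(device_id)
        if email is not None:
            harvested[device_id] = email
    return harvested


class SweepDetector:
    """Server-side detection: one client touching many distinct identifiers.

    A legitimate user asks about a handful of ids; a harvester asks about
    thousands. Counting distinct ids per client (IP, session or API key)
    catches the sweep even when every single request looks valid.
    """

    def __init__(self, threshold):
        self.threshold = threshold
        self._seen = defaultdict(set)

    def record(self, client, device_id):
        self._seen[client].add(device_id)

    def flagged(self, client):
        return len(self._seen[client]) > self.threshold


if __name__ == "__main__":
    # Against the flawed endpoint a blind sweep returns the whole table.
    print(enumerate_ids(lookup_email_vulnerable, range(1000, 1010)))
    # Against the hardened one the same sweep yields only the caller's own row.
    token = issue_session(1002)
    print(enumerate_ids(lambda i: lookup_email_hardened(i, token), range(1000, 1010)))
    detector = SweepDetector(threshold=3)
    for i in range(1000, 1010):
        detector.record("203.0.113.5", i)
    print("sweep flagged:", detector.flagged("203.0.113.5"))
```

The ownership check is the fix; the detector is the compensating control for the time before the fix ships, and its threshold is a tuning choice (the value 3 here is only for the demonstration).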
I'm pretty confused as well, and I read the whole thing.
I think it might be a slash ad for some site we are all supposed to know (never heard of ProPublica) hiring new devs, or taking old ones that Google doesn't want...
Honestly, I know I've only had a sip of coffee so far today, but this makes no sense to me.
They are. You are getting all shares cashed in for 13.65 a share.
I'm so with this guy, i gave up mod'ing him up just to give credence to his point.
Seriously? We're going to keep playing this game? OMG, my Samsung Galaxy has more power than the entire processing power of every satellite in orbit. THIS MEANS SOMETHING, I SWEAR IT DOES...
It means nothing.
Good day, sir.