Category: Cloud Computing


SCADA systems and their ilk simply aren’t designed for security.  You do not want these systems to be accessible from the internet…it is just too easy to take control of them. Get ALL infrastructure systems completely OFF the Internet.

Second water utility reportedly hit by hack attack • The Register.

In a statement, Facebook spokesman Andrew Noyes acknowledged that the site was the target of a coordinated spam attack and explained how it went down.

“During this spam attack, users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content,” he said. “Our engineers have been working diligently on this self-XSS vulnerability in the browser.”

via Facebook finds cause of porn, violent images in NewsFeeds – latimes.com.

Read the earlier article I posted about this.  It is not a Facebook issue but the ease with which browsers can be compromised.
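The statement above describes self-XSS: the user is talked into pasting script into the browser’s URL bar, so it runs with that user’s session. The following is an added example, not code from Facebook or from the articles quoted here. It models the two defences that browsers and sites ended up using: the browser neutralising a pasted `javascript:` scheme so the text is not executed, and the site printing a warning banner in the developer console. The function names, the sample pastes and the banner wording are my own constructions.

```javascript
// Added example (not from the articles above): how a URL-bar paste can be
// neutralised before it runs as script, and why a naive prefix check is
// not enough. Real browsers implement this natively; these functions model
// the check so it can be exercised and tested offline.

// A URL parser strips leading/trailing C0 controls and spaces, and removes
// embedded tab/newline/CR, before it looks for a scheme. A check that does
// not do the same normalisation can be bypassed by "java\nscript:".
function normalizeForScheme(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Naive check: misses "JaVaScRiPt:" and "java\nscript:".
function naiveIsJavascriptUrl(text) {
  return text.startsWith("javascript:");
}

// Robust check: normalise the way the URL parser would, then match the
// scheme case-insensitively.
function isJavascriptUrl(text) {
  return /^javascript:/i.test(normalizeForScheme(text));
}

// Model of the browser-side mitigation: drop the scheme so the remainder is
// treated as plain text (a search) instead of being executed as script.
function sanitizeUrlBarPaste(text) {
  if (!isJavascriptUrl(text)) return text;
  return normalizeForScheme(text).replace(/^javascript:/i, "");
}

// Site-side layer: a banner logged to the devtools console so a user who
// has been told to "paste this to unlock a feature" sees a warning first.
function consoleWarningBanner(siteName) {
  return (
    "Stop! This is a browser feature intended for developers. " +
    "If someone told you to copy and paste something here to enable a " +
    `${siteName} feature, it is a scam and will give them access to your account.`
  );
}

// Constructed sample pastes, deliberately harmless.
const samplePastes = [
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\nscript:void(0)",
  "https://example.com/?q=javascript",
];

function summarize(pastes) {
  return pastes.map((p) => ({
    naive: naiveIsJavascriptUrl(p),
    robust: isJavascriptUrl(p),
    sanitized: sanitizeUrlBarPaste(p),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.warn(consoleWarningBanner("Facebook"));
  console.table(summarize(samplePastes));
}
```

The point of the table is the middle two rows: a prefix check passes them, the normalised check does not. Neither layer removes the underlying risk the post raises (script pasted by the user runs as the user), but they stop the common lure and make the scam visible.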


Facebook explained in a statement that the spam attack was the result of a browser vulnerability that tricked users into running malicious script and sharing the content on their own profiles.

The images on the site are so disturbing that some users say they are threatening to leave the site. Users have reported seeing images of dead animals and altered images of celebrities in explicit situations.

“I am so close to just deactivating my facebook account because of these hackers,” wrote one Twitter user, just one of many who have threatened to leave the network because of the attacks.

via Facebook confirms investigation of graphic images – The Washington Post.

Graham Cluley, a senior technology consultant from Internet security firm Sophos, said it was not yet clear how the malicious content was being spread, but added that the website could face long term consequences. “It’s precisely this kind of problem which is likely to drive people away from the site,” he wrote in a company blog. “Facebook needs to get a handle on this problem quickly, and prevent it from happening on such a scale again.”


Mr Cluley has it wrong.  Because FB and others of its ilk are browser based this is going to get worse….why?  It is childishly easy to compromise a browser.  Even the mighty Google Chrome with its sandboxing is no longer immune.  Once you compromise the browser you now have access to everything the user does at the user’s level of access at that site.  If you are an admin at a site, so is the other person in your system.  As long as your browser is going (or sometimes even after you shut the browser down) the other person has the same level of control at all of your websites that you do.

Cloud computing…especially in its browser form…is a huge danger to the user, the sites the user accesses, and everything they all touch.  It’s time to scale this insanity back.  It’s time to change behaviors.  The cloud is never the place to put anything critical or private…it WILL get compromised…that’s a guarantee.  “Cloud Computing” has a place…but don’t put any trust into it.

via Facebook Flooded With Porn And Violent Images, Company Warns | Fox News.

I currently have two virtualization projects going.  One is to convert 3 physical servers to Hyper-V and one is to convert 3 physical servers to KVM.  Unfortunately P2V on a domain controller is not only not recommended, it doesn’t work well.  Also there is no supported upgrade path from Server Foundation to anything but Standard.  I have Foundation and Enterprise.  So I am firing up a new Enterprise VM and then will manually mount the VHD from the Foundation backup to grab the files.  It’ll be a permissions nightmare for a bit but I’m used to that..:)  Once I get my AD domain migrated then it is time for Astaro.  Then I decom two boxes, saving myself 200 watts of continuous draw.  The draw goes down to about 60 watts.  Keep watching for the KVM conversion.  That one is going to be easier.

The so-called PROTECT IP act, sequel to the much-criticized COICA, is under fire again as it enters the process of becoming law. We’ve talked about it on this blog before and no doubt the discussion will continue after it passes or is rejected, but it’s important at this critical moment that everyone concerned weigh in and make an unambiguous statement regarding the quality of this bill. So then: PROTECT IP is a lunatic proposal, penned by a dinosauric industry concerned solely with the preservation of its own profits. It will do nothing to curb piracy while at the same time eroding fundamental freedoms of the internet.

The only people who can possibly be in favor of this bill are either ignorant of its implications or stand to gain by its passage. This desperate power grab by a diminishing elite fails to even comprehend the problems it aims to solve, and its blunt force methods are wide open for abuse, and very possibly unconstitutional. Make no mistake about it: this is a kill switch, and if it’s passed, it will revisit us for years to come in ways we never suspected possible. If you think that’s an overstatement, think about it again next time you’re posing naked for the TSA, and ask yourself how that came about.

via Kill Switch | TechCrunch.

The design geniuses at Apple, who are yet to come up with an iPhone 4 which did not have some serious design flaws, are scratching their heads about the latest problem which has hit the cargo cult’s latest toy.

Apple recently released the iPhone 4S, which was an iPhone 4 with some software that only Americans could use and the stupid antenna design abandoned. While it was a clever idea to make users pay for something that many manufacturers would be morally bound to recall, it turns out that the iPhone 4S has a design problem all of its own.

For some reason the iPhone 4S loses battery faster than its users can charge it. Normally this is not a problem. The iPhone only has to be charged long enough for its users to attempt to convert other people to the Apple cult. It is not as if they use it to call their friends. But it seems that the iPhone 4S can’t even manage this task.

With normal use, it dropped 19 percent in 50 minutes and sometimes the battery dropped away at an even faster rate than that. Battery life has been dropping ten per cent an hour even when the optional location settings have been switched off.

Since the only thing different about the iPhone 4S and the iPhone 4 is the chip, the fault has been narrowed down to the operating system that was also installed on the phone. It turns out that iOS 5 can’t really handle the new hardware.

After shedloads of complaints on Apple bulletin boards and lots of suggested fixes, an Apple store staff member was finally able to fix the problem. He claimed it was because the OS’s location services was constantly checking location, especially for the Time Zone. He was able to solve the problem by switching everything off in the Location Services > System Services menu except for Cell Network Search. His phone now lasts “pretty much the whole day”.

While the fault has been causing frustration for users, Apple has done its usual “refusing to comment” thing. To admit there is a fault means that the iPhone 4S is not as perfect as Apple says it is, and that would create a religious paradox.

However, behind the scenes, the outfit’s engineers have been contacting some iPhone 4S owners who have complained of battery life issues individually and asked them to install a monitoring program on their phones to try to diagnose the problem.

But the Sydney Morning Herald has found another serious software fault affecting battery life on the iPhone 4S. Mathew Peterson, who runs the Australian app development company TheLittleAppFactory, said he found that another problem affecting the iPhone 4S battery life was the iCloud contacts syncing code, which crashes repeatedly when it hits corrupt contacts in a loop. This harms those who have upgraded from previous iPhone models and causes the phone’s processor to work extra hard. The result is that the phone runs “noticeably warm” and it causes “the battery to drop 20-30 percent in 10-15 minutes”. It can be fixed by disabling contacts in iCloud or restarting the device. Peterson said that you really have to install the entire OS and then copy the contacts back on.

via Iphone 4S drains battery like a vampire – Turns users into Zombies | TechEye.

Business consultants…..’nough said.  I have a client that has been scammed into going all cloud.  This consultant believes in no servers, no central logins and no local storage of anything.  I know this “practice management” company is totally based in the cloud.  They use purely a web based interface to do everything.  This provider also has no backup local access for WHEN there is a loss of connectivity between themselves and the client.  It is only a matter of time before her entire practice is compromised.  Considering that “the cloud” is based on the broken concept of third-party trust (just Google DigiNotar, or you can look here) it is a given that it will work for a bit.  What happens when the cloud goes down?  What happens if this provider is crap (like her last cloud vendor is) and there’s no standards based way to export her practice’s data?  She’s going to face that when migrating from one cloud provider to the new one.  I wish her luck.  She’s going to need it.

The upside of using a public cloud service is easy to understand. No need for expensive local storage, no need for local servers, a reduction in power and cooling expenses … and a reduction in IT staffing. When all you need to do is click around on a self-service portal to spin up new server instances with your provider, you don’t need to worry about racking boxes or even managing your own VMs. You let “them” handle all of that. What could be better?

Good question. In large part, the answer depends on data speeds, latency, and availability. These days, many more urban locations have fiber out the wazoo, and you can get 100Mb and even gigabit data circuits for less than what a T1 costs. With the expansion and interconnection of these networks, latency between offices and service providers may be just slightly higher than between local LAN segments, making the cloud provider seem to be present in your building, not 500 miles away. That’s the core value proposition: A public cloud service has to look and feel like a local resource to succeed.

But guess what? Those high-end pipes aren’t available everywhere, and without them, the value prop begins to erode.

Then there’s the vastly more important question of availability. Sure, the latency between your offices and your cloud provider may be just 10ms or so, but what happens when some jackass with a backhoe in the next state makes that latency infinite? Suddenly you may have hundreds of employees with literally nothing to do. Today, loss of Internet connectivity still allows employees to work on local servers, access files on local storage, or in some cases, continue using virtual desktops served by a virtualization cluster in the backroom. If all of those services are on the other end of a severed fiber link, then everything comes crashing to a halt.

(snip)

How many business customers that have ceded their IT infrastructure to a cloud provider could survive a month or more without access to their data, inventory, bookkeeping, and possibly even manufacturing control systems? What good is a call center that can neither answer calls nor even look up customer records?

The time will come when a major cloud provider takes it in the shorts — and that localized disaster ripples down to thousands of customers, wreaking chaos that surpasses the destruction of even the largest hurricane. Imagine companies in Boise going out of business because of a major earthquake in California. Or Virginia.

Cloud computing is enticing — but it also represents a more radical departure than most people acknowledge. We either do it the right (and more expensive) way or we risk distributing localized problems far and wide. After all, if you decide to go “all in” with the cloud, you’re not just trusting your cloud providers with your data, you’re trusting them with the future of your company.

via The cloud hazard no one talks about | Data Center – InfoWorld.
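The InfoWorld piece makes the availability point in words; the numbers make it sharper. The block below is an added example, not from the article or from the blog, that puts the “severed fiber link” scenario into a simple series/parallel availability model and converts the result into hours of downtime and idle-staff cost per year. Every availability figure (`A_PROVIDER`, `A_CIRCUIT`, `A_LOCAL`) and the staffing numbers in `report()` are constructed assumptions chosen for illustration, not anyone’s SLA.

```javascript
// Added example, not from the InfoWorld article: expected yearly downtime of
// "all-in cloud" versus designs that keep a local fallback. The availability
// figures are constructed assumptions, not anyone's SLA.

const HOURS_PER_YEAR = 24 * 365;

// Components in series: all of them must be up, so availabilities multiply.
function series(...availabilities) {
  return availabilities.reduce((acc, a) => acc * a, 1);
}

// Independent components in parallel: the service is down only when every
// one of them is down. Caveat: this assumes independent failures. Two
// circuits that share a conduit share the same backhoe and must be
// modelled as a single circuit.
function parallel(...availabilities) {
  return 1 - availabilities.reduce((acc, a) => acc * (1 - a), 1);
}

function downtimeHoursPerYear(availability) {
  return (1 - availability) * HOURS_PER_YEAR;
}

// The "hundreds of employees with nothing to do" cost from the article,
// priced per idle hour.
function idleLabourCostPerYear(availability, employees, hourlyCost) {
  return downtimeHoursPerYear(availability) * employees * hourlyCost;
}

// Constructed assumptions: a good provider, one business-class circuit,
// a modest local cluster.
const A_PROVIDER = 0.9995;
const A_CIRCUIT = 0.995;
const A_LOCAL = 0.999;

function scenarios() {
  return {
    // everything stays in the building
    localOnly: A_LOCAL,
    // all services behind one WAN link: link AND provider must both be up
    cloudSingleLink: series(A_CIRCUIT, A_PROVIDER),
    // two diverse-path links: either link keeps the provider reachable
    cloudDualLink: series(parallel(A_CIRCUIT, A_CIRCUIT), A_PROVIDER),
    // cloud as primary, with a local copy of critical apps/data for when
    // the link is cut: the business is down only if both are down
    cloudWithLocalFallback: parallel(series(A_CIRCUIT, A_PROVIDER), A_LOCAL),
  };
}

function report(employees = 200, hourlyCost = 40) {
  const rows = {};
  for (const [name, a] of Object.entries(scenarios())) {
    rows[name] = {
      availability: +a.toFixed(6),
      downtimeHours: +downtimeHoursPerYear(a).toFixed(1),
      idleCost: Math.round(idleLabourCostPerYear(a, employees, hourlyCost)),
    };
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

With these inputs the single-link cloud design is down about 48 hours a year against under 9 for the local-only design; the second link helps only if its path is genuinely diverse, and the local fallback is what turns a severed fiber into an inconvenience rather than a stoppage. Swap in your own circuit and provider figures; the shape of the result is what the article is warning about.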

Current SSL-secured traffic relies on “third party” trust.  Frankly I think it is stupid.  You are going to put your trust in security in a central location and tell others that that third party is better at your security than you are?  NO thanks.  I only use self-signed certs.  Watch below for a good explanation of how the current online security model of third party certificates is fundamentally broken.


Black Hat: SSL and the Future of Authenticity | threatpost.