Dailydave mailing list archives

Re: The New York Times Plays with Fire


From: Mohammad Hosein <mhtajik () gmail com>
Date: Tue, 5 Feb 2013 03:22:39 +0330

C,
Many OpenID and OpenOTP solutions are out there offering various eye-catching e-identity authenticity management solutions: essentially software providers with the magic of SMS, or hardware dudes with a shiny RSA-style dongle. I do not think passwords, some high-tech bio-ID, or whatever else is in fashion is going to help an average citizen avoid getting robbed or mugged (read: a blue screen asking for a Liberty Reserve payment or a wipe). Passwords in essence are not really the security issue. No matter what is being considered as a key or an element of it, assuming we assign a fuzzy meaning to the concept of "key" and accept all sorts of quantum-universe goodness one can get offered, at some point "they will do you", whether you are a GCHQ/MI6 transvestite math wizard, a security fella using a typical silent 21-year-old Comodo-hacked SSL connection for email, or a grandpa in the U.S. with a nice made-in-China OTP dongle to do normal banking. The point is, the city is insecure with weapons of all stripes, and with any conceptual police, your business is going to get Aramcoed real easy. What keeps a fellow DD reader from getting Fcked is having the chance of owning bits of more intelligent genes, fewer habits of ignorance, and a critical "soul". Sorry for the speech, and I am no member of a password advocacy or lobby firm out there. I just don't see the point in so much focus on the technical part of our electronic experience while I have seen many more "Human Factors" involved in e-security. BTW, I recall Dave tweeted about the book a while back. It's phenomenal. Get your copy and read it; it does good, and the money goes to the children of the dead soldiers.

D,
I am following some works coming out of the Senate CRS and various, mostly chatter-type, signals from the House CFA. There is an amazing pattern from 2006 up until now to build up mind-game gear and political tools to produce an unsafe, foggy wall around China, acting like a determinant dark cloud on the East's possible supremacy. Fun stuff is available for all to read under the Open Government Act, and where the U.S. wants to be standing in 2025. Younger folks: go for .pdf inurl:2025-strategy site:*.gov. I do not and cannot know the details of stories like this NYT thing, but I am as certain as I can be that the WP post and NYT and a whole other dozen media out there are not doing "Journalism" or "Research". They do contract work and are owned by like 5 power entities. So the story might be simply pure bullshit, a project, a gig for pay -- or we've got a bunch of retard employees of a media outlet and some single-digit-IQ Chinese hackers.

Meanwhile, Haaretz, a news outlet close to powerful elements in .il, was recently pwned, and I have read much interesting content in the leaked emails, their headers, etc. That is what I call a story.

Peace
M.



On Mon, Feb 4, 2013 at 7:06 PM, Charisse Castagnoli
<charisse () charissec com>wrote:

Dave -

I agree NYT was playing with fire - but they stuck to their journalistic
mission.
Maybe they have factored in the risk of being a continuous target of the
countries and organizations they report on.

The password problem, on the other hand, is really frustrating.
Why, why, why, with mobile phones, tiny dongles, etc., are we STILL using
passwords everywhere?
I used to be able to get by with 3-5 passwords; now I have to have a
different password on every account.
(Thank goodness for Keeper.)

We really have come to the point of absurdity with passwords. So, on that
topic, does anyone in this esteemed group have an opinion about OpenID
providers?
I'm looking to pay for my OpenID; I don't want to be dependent on a Google
or AOL.



Charisse Castagnoli
charisse () charissec com






On Feb 1, 2013, at 4:19 PM, Dave Aitel wrote:

So one thing I think is interesting is that New York Times story.

Here's how it goes, in bullet points:
1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch
their network"
2. AT&T sees something, so NYT calls in Mandiant
3. Mandiant and NYT let the Chinese hack things and watch them while
they penetrate into the domain controller and lots of other machines.
4. Article about this comes out on NYT.com, calling out the Chinese.

So, as far as I can tell from their article, the Chinese have all the
passwords for every NYT employee. This sounds like something that is not
good for NYT employees who may reuse their passwords elsewhere, even if
they're changed now.

Likewise, it seems like at any time the Chinese could have turned off
the domain controller. That would probably have had significant
downsides for NYT, to say the least. Here's why they didn't: Their
policy did not let them. But that doesn't ameliorate all the risk, as
even hackers make typos...

In other words, playing games with hackers on your network for a story
is a fundamentally bad idea. Because at some point, you're going to find
a contractor who screws up and doesn't follow their own policy (or can't
type) and it's going to take down your whole business.

-dave

--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

