
posted by martyb on Tuesday December 08 2015, @08:57PM
from the bootkits-are-the-worst dept.

Security researchers at FireEye / Mandiant [say] "We identified the presence of a financially-motivated threat group that we track as FIN1, whose activity at the organisation dated back several years."

[...] "FIN1 used this malware to access the victim environment and steal cardholder data. The group, which may be located in Russia, is known for stealing data that is easily monetised from financial services organisations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies."

[...] The malware's installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware.

Can we all agree that updating firmware should require the movement of a physical jumper?

  • (Score: 0, Interesting) by Anonymous Coward on Tuesday December 08 2015, @09:13PM

    by Anonymous Coward on Tuesday December 08 2015, @09:13PM (#273628)

    Can we all agree that updating firmware should require the movement of a physical jumper?

    Sure, but that doesn't do squat. That's like saying "my thoughts and prayers are with the families of those who were so brutally murdered". That's all great and gives you a warm fuzzy in thinking that you are part of the solution but in reality, it doesn't do anything. In fact, you are part of the problem; by not tackling the problem, you only make it worse.

    What is needed is advocacy, by which I mean educating, proper advocacy. Not the zealous "closed source is evil", "M$FT and AAPL are Teh 3v1L!" but real education of end users so that the pool of people who actually care about this grows from (right now) being mostly just us techies to as many people as possible. This advocacy and education needs to be aimed outside of our closed 'tech' circles, towards people who would normally respond with "I don't really know a lot about computers" because they are in the majority.
    Whether you like it or not, companies like MSFT and AAPL *do* listen to their customers, but only if money is on the line. Dare to inconvenience yourself by *not* buying the products of companies you don't agree with (and I know some of you *do indeed* do that, but the majority of those here don't). So what if you can't have the latest and greatest android device or facebook or some app, ask yourself whether you really need it that much.

    Here's how you go about effecting that change: if each one of us can convince at least 3 other people of the value of privacy and IT security then we're at least a bit on our way. And make it so that at least one of these 3 people also becomes an advocate!
    But we have to make people care about these things by making them realize how it impacts them today, instead of waving around with fancy hypotheticals and scare-scenarios. Unless you show them how it impacts them today, how it already, right this very moment, impacts them already, they won't change their behaviors because change is hard and people are lazy. (BTW, here is a good documentary to show people in order to get started on privacy: Terms and Conditions May Apply [imdb.com])

    I have convinced 2 people already (so no, this isn't a "do as I say, not as I do", I actually am asking you to "do as I do") and am working on others as well. I educate people about privacy, freedom of speech, IT security, etc. to make sure they too spread that to at least three others and so we change the world... (one can dream)

  • (Score: 3, Informative) by Anonymous Coward on Tuesday December 08 2015, @09:30PM

    by Anonymous Coward on Tuesday December 08 2015, @09:30PM (#273636)

    It is nothing like that at all. It proposes an actual solution to a problem as opposed to wishy-washy statements. Putting a physical switch is an attempt to PREVENT such infections in the FUTURE. Similar to how Chromebooks have a similar switch. Yeah, you could own a Chromebook all the way down, but it is made a lot harder by having said physical switch.

    • (Score: 3, Interesting) by Nerdfest on Tuesday December 08 2015, @11:25PM

      by Nerdfest (80) on Tuesday December 08 2015, @11:25PM (#273694)

      I'm pretty much at the point of disregarding nay comments from people that refer to companies by their stock symbols. For an interesting read, go back through old stories looking for comments where people do that.

      • (Score: 2) by Bill Evans on Wednesday December 09 2015, @01:55AM

        by Bill Evans (1094) on Wednesday December 09 2015, @01:55AM (#273748) Homepage

        I'm pretty much at the point of disregarding nay comments from people that refer to companies by their stock symbols.

        Yeah, I've had it up to here with negativity as well.

        • (Score: 2) by Nerdfest on Wednesday December 09 2015, @02:33AM

          by Nerdfest (80) on Wednesday December 09 2015, @02:33AM (#273762)

          You ought to be horse-whipped for trotting out a comment like that.

    • (Score: 1) by anubi on Wednesday December 09 2015, @04:43AM

      by anubi (2828) on Wednesday December 09 2015, @04:43AM (#273793) Journal

      I am building industrial Arduino-compatibles.

      MODBUS (RTU) / SCADA compatible. Uses a graphical HMI. As well as all those nifty little Arduino I2C interfaces.

      One thing I am extremely concerned with is that I do not allow the thing to get into programming mode until the jumper to force a reset at the appropriate time is in place.

      The question I have for this forum is.... just how easy is it to pwn an Arduino if you are only allowed to talk to it via its serial port?

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 4, Informative) by edIII on Tuesday December 08 2015, @11:38PM

    by edIII (791) on Tuesday December 08 2015, @11:38PM (#273704)

    I have no idea what you're on about, but it's nonsensical. Privacy advocacy on its own provides very little meaningful increases in security for the OS.

    A jumper works wonderfully if it works exactly as advertised. Meaning you can't possibly write to the firmware without the jumper being in place.

    In this situation, pray tell, how do you physically short a jumper from a remote network? I can't figure out how, so I certainly can't figure out what you've been smoking :)

    It's what we've needed for a very long time. A method by which we could install read-only firmware. Want to update? Short the jumper, insert the USB stick, restart the unit, wait for flash success, remove USB stick, unshort the jumper, and restart.

    Very simple reason why manufacturers don't do this. They're lazy, don't care, and don't want it to be that hard to update firmware in the first place. It provides a very high barrier to entry, but one I think may eventually be absolutely necessary.

    What makes very little sense is that people poo-poo the jumper, but endorse Secure Boot and UEFI (which makes running most Linux distros impossible). Encrypted keys are not nearly as secure as the jumper, and they actually provide a pretty contentious barrier to entry themselves. The jumper is the FOSS version of SecureBoot that doesn't require any encrypted keys.

    Also quite puzzling, is your further diatribe on privacy. I think you're spot on, but you're overlooking the fact that the jumper can provide people what you want in the first place; Privacy & Security. Neither of which can come without absolute transparency (not one single blob/binary), and the ability to moderate secure boot loaders and firmwares you need to get your system up and running.

    What you want most likely is a combination of a Purism product with a jumper secured read-only bios. The bios/firmwares themselves need not be written to the motherboard at all, but held on a USB stick, or MicroSD. Pull it out, put in another system (dev), load your bios/firmwares and possibly bootloaders, put it back in the system, and restart. The USB stick by default could be read-only period in that setup, if we're okay with requiring a pair of systems.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by hemocyanin on Tuesday December 08 2015, @11:48PM

    by hemocyanin (186) on Tuesday December 08 2015, @11:48PM (#273710) Journal

    Gewg suggests a jumper (a dip switch would be fine too) that would require manual intentional activation in order to make a firmware change. You say that won't help, and suggest instead:

    What is needed is advocacy, by which I mean educating, proper advocacy. ... Here's how you go about in effecting that change: if each one of us can convince at least 3 other people of the value of privacy and IT security then we're at least a bit on our way.

    So, are you a PHB? Gewg's solution was an actual solution in that a person has to consciously and intentionally do something to allow a change to a machine's firmware. Yes, you could trick a few people to do this, but people who have trouble finding the "on" button are going to have a hell of a time opening up the computer case and finding a bank of dip switches inconveniently wedged under the power supply, and the savvy ones will be immediately appalled at the notion that some piece of software has to monkey with firmware. Gewg's idea would make this kind of malware infection so much harder. Your students would just be pissed off about it after they got infected.

  • (Score: 2) by DECbot on Tuesday December 08 2015, @11:48PM

    by DECbot (832) on Tuesday December 08 2015, @11:48PM (#273711) Journal

    I'll agree to your "talk to three people" challenge if you can direct me to the three people I need to converse with to implement a physical jumper in order to flash the bios.

    --
    cats~$ sudo chown -R us /home/base
    • (Score: 3, Informative) by anubi on Wednesday December 09 2015, @05:41AM

      by anubi (2828) on Wednesday December 09 2015, @05:41AM (#273814) Journal

      I do not think three people need to be involved.

      Look for the "Write Protect" line in an EEPROM datasheet. Keep your boot code in an EEPROM.

      You can read it as much as you want, but in order to write back to it, the Write Enable must be LOW. Pull it high with a resistor.

      When you want to write new code into the chip, pull this line low first with a jumper to ground.

      Then run your write code.

      Anyway, that is what I am doing with my Arduino/Propeller stuff - when it's my intention that only the possessor of the physical device should be able to program the thing.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
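As an added illustration of the gating that anubi's EEPROM comment and edIII's "short the jumper, flash, unshort" procedure both describe, here is a small C model (not code from either commenter, not Arduino or any real EEPROM driver, and the pin polarity simply follows the comment above): a simulated EEPROM whose write-protect input sits high under a pull-up, so every write is refused unless a fitted jumper has pulled the line low. Code running on the host, however privileged, has no way to move that line, which is the whole point of the jumper.

```c
/* Model of a jumper-gated firmware store. Hypothetical names throughout;
 * the write-protect line is active-low as in the comment it illustrates. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EEPROM_SIZE 64

enum pin_level { PIN_LOW = 0, PIN_HIGH = 1 };

struct eeprom {
    uint8_t mem[EEPROM_SIZE];
    enum pin_level wp;   /* write-protect line, pulled HIGH by a resistor */
};

/* Power-on state: the pull-up keeps WP high, so nothing can write. */
void eeprom_init(struct eeprom *e) {
    memset(e->mem, 0xFF, sizeof e->mem);  /* erased EEPROM reads 0xFF */
    e->wp = PIN_HIGH;
}

/* Fitting or removing the jumper is the only thing that moves the line;
 * these stand in for a person touching the board, not for any software path. */
void jumper_fit(struct eeprom *e)    { e->wp = PIN_LOW; }
void jumper_remove(struct eeprom *e) { e->wp = PIN_HIGH; }

/* Reads are always allowed, regardless of the jumper. */
int eeprom_read(const struct eeprom *e, uint16_t addr, uint8_t *out, size_t n) {
    if ((size_t)addr + n > EEPROM_SIZE) return -1;
    memcpy(out, e->mem + addr, n);
    return 0;
}

/* Writes land only while WP is low. Returns bytes written, or -1 if refused. */
int eeprom_write(struct eeprom *e, uint16_t addr, const uint8_t *src, size_t n) {
    if ((size_t)addr + n > EEPROM_SIZE) return -1;
    if (e->wp != PIN_LOW) return -1;   /* no jumper: the chip ignores the write */
    memcpy(e->mem + addr, src, n);
    return (int)n;
}

/* The update procedure from the thread: fit jumper, flash, remove jumper.
 * True only when the image is in place AND protection has been restored. */
bool firmware_update(struct eeprom *e, const uint8_t *image, size_t n) {
    jumper_fit(e);
    int rc = eeprom_write(e, 0, image, n);
    jumper_remove(e);
    return rc == (int)n && memcmp(e->mem, image, n) == 0 && e->wp == PIN_HIGH;
}

/* Constructed check: a legitimate, hands-on update succeeds and leaves the
 * line protected again afterwards. */
bool update_with_jumper_succeeds(void) {
    struct eeprom e;
    eeprom_init(&e);
    const uint8_t good[4] = {0x01, 0x02, 0x03, 0x04};
    uint8_t back[4];
    if (!firmware_update(&e, good, sizeof good)) return false;
    if (eeprom_read(&e, 0, back, sizeof back) != 0) return false;
    return memcmp(back, good, sizeof back) == 0 && e.wp == PIN_HIGH;
}

/* Constructed check: code with full control of the host but no physical
 * access attempts a write with no jumper fitted; the boot code must survive. */
bool remote_write_is_refused(void) {
    struct eeprom e;
    eeprom_init(&e);
    const uint8_t good[4] = {0x01, 0x02, 0x03, 0x04};
    firmware_update(&e, good, sizeof good);          /* legitimate image */
    const uint8_t evil[4] = {0xDE, 0xAD, 0xBE, 0xEF};  /* constructed payload */
    int rc = eeprom_write(&e, 0, evil, sizeof evil);   /* jumper not fitted */
    return rc == -1 && memcmp(e.mem, good, sizeof good) == 0;
}
```

The design point worth noticing is that `jumper_fit` and `jumper_remove` are deliberately not reachable from anything an update tool would call: `firmware_update` exists only to show the sequence a person performs at the board. If a real design routes the write-protect line through a GPIO the host can drive, the model collapses and you are back to software-only protection, which is exactly the case that survives an OS reinstall in the story.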
  • (Score: 2) by Joe Desertrat on Wednesday December 09 2015, @07:06PM

    by Joe Desertrat (2454) on Wednesday December 09 2015, @07:06PM (#274068)

    I have convinced 2 people already (so no, this isn't a "do as I say, not as I do", I actually am asking you to "do as I do") and am working on others as well. I educate people about privacy, freedom of speech, IT security, etc. to make sure they too spread that to at least three others and so we change the world... (one can dream)

    You may be better at convincing people than me but in a world where people think things should be fixed in the time it takes to press a button it is a hard sell. Most people buy a Windows PC, after a while it gets slow and they either wipe it and reinstall or buy a whole new PC. They have grown up with the idea that is the normal thing to do. No matter how many times you tell them, no matter that you can show them your PC and tell them you never have to do that, as soon as they have to take one extra step in their daily activities it becomes too much of a burden to them. Somehow ingrained in their minds losing all their data and having to start over is a better solution than having to extend any thought and effort into their daily activities.