Was coming around to make this point that in the cybersecurity world the word "breach" can have a very particular meaning with legal implications. As cybersecurity professionals, we are trained not to refer to anything as a breach while communicating findings of investigations or alerting organizations to activities that we see unless that has already been legally established.
There is plenty concerning about their response to this situation, and this phrasing can be confusing, but from my POV in the industry this choice of words is understandable.
And if by subsidizing other people's internet they have better access to higher quality connections then it will be a net benefit for your community, which will in turn improve your life while interacting with and in that community.
The infosec community at large is well aware of how unreliable just using md5 checksums to identify malware is. If anything it is the absolute first line of defense for identifying malware, in that it is easy to implement quickly and has a decent enough chance of filtering out low hanging fruit. The biggest use for the checksums between malware researchers is for identifying if they have the same strain of malware as someone else. Identification is mostly not based on checksums, but rather things like YARA rules where different identifying factors of malware are outlined to be compared against binaries. This isn't foolproof either, but there is a rather large ecosystem of malware researchers out there constantly taking samples and releasing rules. I follow a lot of these folks on Twitter and the majority of what they post are their findings on the bajillionth strain of whatever malware is in vogue at the moment. This sort of stuff is going to catch the majority of what will be coming at most people and anything that slips by the first lines of detection usually gets picked up somewhere along the way and passed on to researchers who do an exceptional job of reversing and identifying new malware or strains of old ones. But of course the reliability of that whole ecosystem depends on sensible organization security policy to start with.
In short, md5 sums and signatures are there to protect against the low hanging fruit, spray and pray type malware that's pretty common. If someone wants to target you with uniquely signatured malware they can. Identifying it isn't going to be what stops it, but proper opsec can.
And that's what I don't understand! You say it "has a decent enough chance of filtering", and I believe you -- but this just seems so strange.
It seems to me like it is trivial to create a webserver which says "serve the same binary, but put a random ASCII string in bytes 40-48". Or make a malware installer which says, "write out the executable file to disk, but put a random value in bytes 80-88". Sure, it won't help against a good YARA rule, but it seems really easy to do, and it will frustrate researchers, and even defeat some endpoint protection software, like [0] and [1].
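An added illustration of the point made in the two comments above (example code written for this page, not from either commenter): a hash blocklist identifies a sample only by its exact MD5, so varying a few bytes per download produces a different hash every time, while a rule that looks for content inside the file (a literal string and a regex, in the spirit of a YARA strings section but not YARA syntax) still matches. The "binary", the bytes 40-47 that get varied, and the beacon URL in the .invalid domain are all constructed placeholders, not a real sample.

```python
"""Hash-based vs pattern-based identification of a constructed sample.

Added example, not from the thread. ORIGINAL is a constructed byte string,
not real malware; BEACON_URL is a placeholder in the reserved .invalid TLD.
"""
import hashlib
import re

# Constructed sample: fake PE-ish header, a region an attacker would vary
# per download (bytes 40-47), filler, and a marker string a rule can key on.
BEACON_URL = b"http://c2.example.invalid/gate.php"   # constructed placeholder
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 36             # bytes 0-39
            + b"AAAAAAAA"                             # bytes 40-47: varied region
            + b"\x00" * 32 + BEACON_URL + b"\x00" * 16)

# Minimal content rule: any literal or any regex present anywhere in the file.
RULE = {
    "name": "constructed_beacon_rule",
    "strings": [BEACON_URL],
    "regex": [re.compile(rb"/gate\.php")],
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_blocklist_hit(data: bytes, blocklist: set) -> bool:
    """Hash-based identification: exact match against known-bad MD5s."""
    return md5_hex(data) in blocklist


def rule_hit(data: bytes, rule: dict) -> bool:
    """Pattern-based identification: literal substring or regex match."""
    return (any(s in data for s in rule["strings"])
            or any(r.search(data) for r in rule["regex"]))


def with_region_replaced(data: bytes, start: int, end: int, fill: bytes) -> bytes:
    """Copy of `data` with bytes [start, end) replaced by `fill` (same length).

    Models the per-download byte variation described in the thread; the fill
    is a fixed constructed value here so the result is reproducible.
    """
    if len(fill) != end - start:
        raise ValueError("fill must exactly cover the replaced region")
    return data[:start] + fill + data[end:]


def compare(original: bytes, variant: bytes, rule: dict) -> dict:
    """Apply both detection methods to a known sample and a byte-varied copy."""
    blocklist = {md5_hex(original)}        # what a hash feed would carry
    return {
        "hashes_differ": md5_hex(original) != md5_hex(variant),
        "hash_catches_original": hash_blocklist_hit(original, blocklist),
        "hash_catches_variant": hash_blocklist_hit(variant, blocklist),
        "rule_catches_original": rule_hit(original, rule),
        "rule_catches_variant": rule_hit(variant, rule),
    }


if __name__ == "__main__":
    variant = with_region_replaced(ORIGINAL, 40, 48, b"xK3q9ZpL")  # constructed
    for key, value in compare(ORIGINAL, variant, RULE).items():
        print(f"{key}: {value}")
```

Running it shows the hash blocklist catching the original but missing the variant, while the content rule catches both; in practice that is the reason hash feeds are treated as a cheap first filter and the durable identification lives in rules keyed on strings, structure, or behaviour that a casual byte change does not touch.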
It's like scam/phishing e-mails with typos in them. Most widescale hacking is lowest effort looking for lowest hanging fruit. If you hack enough servers for your purposes without worrying about checksum randomization then worrying about it is just wasted effort. And you want targets with excessively shitty security postures or else you might actually get tracked down and busted.
Actually not as easy as you’d think to do that, criminals don’t upload malware payloads to their own servers, they use hacked websites (old Wordpress installs, etc) to spread the binaries.
Could they do this? Sure, but it would be a lot more complex than the current method of just finding any target where they can upload files, and the payloads do change very often anyway (sometimes daily), so there is no real need for them to change dynamically.
I don't think this comes from them being lazy. I think this comes from them not being aware of (1) the defense; and (2) the mitigation. It's an example of security through obscurity.
Or even if they know about the defense and the mitigation, it is additional work. In my work in the formal economy I rarely get to ship the technically best and most complete solution but instead a compromise 'MVP' that'll receive more work only if the problem proves to demand it. I expect the same holds true in the informal economy.
> I follow a lot of these folks on Twitter and the majority of what they post are their findings on the bajillionth strain of whatever malware is in vogue at the moment.
Yes. Except that in Russia this works a little bit differently. You need permission (not approbation) from the authorities for any political gatherings. Otherwise, everyone gathering risks spending 15 days in jail (or $500 fines; median monthly salary after tax is $300) for gathering illegally.
Usually they forbid them, so that was an exception.
That's not how it works. You don't need permission to rally. You notify local government about the date, preferred place and number of people. If the place is available, you rally there; if not, you're given an alternative place.
First, you don't always get an alternative place; lately local authorities have started just denying the permission. Second, even if they propose an alternative, it's somewhere on the outskirts and/or at an extremely inconvenient time. You can find a big bunch of examples of both at [1] (in Russian).
"everyone gathering risks spending 15 days in jail"
Another Russian here.
You are misinformed. The law threatens you with 15 days in jail if you injure somebody or damage property. Likewise, the fines are reserved for things like being drunk or inciting violence.
That's of course a lie. Both from practical standpoint (police will invent stuff out of whole cloth if needed with courts rubber-stamping it) and from legal one, too. КоАП РФ [1] article 20.2 6.1, "unsanctioned gatherings leading to interruption of… pedestrian flow… up to 15 days of detention" (do I need to explain that any gathering is in practice an "interruption"?). Moreover, УК РФ 212.1 [2] says that breaking the previous one twice in a half year is punishable by up to 8 years in jail. I'd also like to remind you about the case of Ildar Dadin [3], who got thrown in jail for 3 years for one-person pickets. Sure, he was released when the case got widely publicised, but the laws and court system that did it are still in place.
I reckon you have a very… optimistic and cursory knowledge of Russian laws in that area.
According to [1], you are right and this article is used as you described against targeted political activists.
At the same time, it is not how it is used in general case [2].
Moreover, if you look, for example, at the preceding article (20.1 - disorderly conduct in public places) [3] you must conclude that in Russia people are jailed for 15 days for saying 'fuck you' to somebody in a public place. Which, of course, is not happening because the degree of punishment, while at the judge's discretion, has to be proportional.
I would not suggest people try to waste scammers' time, or do anything but hang up on them. A lot of calls that just hang up on you are putting out the feelers for phone numbers that have humans answering on the other line so that they know that's a viable target for attempting to scam. Showing any sign that your phone number belongs to an actual human just ups the chances that you're going to get an increased amount of phone spam, regardless of whether you got the chance to waste someone's time or not. Also, people should be wary of saying anything at all to these suspicious phone calls; some of them try to get recordings of you saying some key words to make it easier to steal your identity. For instance, if someone asks if you are who you are by name and you say yes, then they've got decent confirmation that they've got a recording of a particular person saying "yes" which can be used against you in stealing your identity or credit card fraud.
To avoid "yes" recordings, I answer the phone with "<indistinct garble> speaking!" When I hear a human I adopt a creaky old-person voice. This old person tends to give their credit card information slowly, and remember that they're using the wrong card after about 14 digits.
Eventually I change back and tell the person that they're working for a fraudulent business and should worry about whether they're going to get paid, and should strongly consider getting a new job.
> A lot of calls that just hang up on you are putting out the feelers for phone numbers that have humans answering on the other line so that they know that's a viable target for attempting to scam.
I also thought that might be the case but have performed the comparison between a number which never answers them and a number which always answers them. Several years now of experience suggests otherwise: they get the same number of spam calls.
> that they've got a recording of a particular person saying "yes"
Again, this sounds highly speculative. Do you have any citation for it? It isn't like any bank or service is comparing your voice. And if all they needed was a yes, unfortunately, there are too many ways of getting a yes from someone.
Obviously when talking to any of these scammers my 'identity' is entirely fictional.
When they used to be more responsive I had a lot of fun trying to convince them that my routing number was "1" and that my account number was "1"... Or that my name was some absurd 40 character compound name like "Jim Klenersmithvelazquezouishawexlereconomou". A friend once kept a caller from "windows" on the line for an enormous amount of time while they "restored" their system via a recovery disk after it "crashed" several times attempting to "install" their malware.
I wonder if the rise of gig-economy type work has dirtied the employment data pool? If you're out of work and looking for employment, yet you're still scraping by a few bucks every week due to Uber or Lyft or something similar, and you're part of a significant percentage of people doing the same, then unemployment numbers probably aren't as pretty as some would like us to believe.
But labor force participation rates are still very, very low. If you'd like a job but don't have one, you don't get counted in any unemployment stats except the aggregate labor force participation.
This caught my attention so I looked for a source. Looks like this rate is the number of people who are Employed (60.7%) or have been actively seeking work in the last week (4%) out of the total population of people who are 16 years or older, not institutionalized, and not active military.
The source I found doesn't break down the remaining 35.3% of the population much, except to pull out about 2% as marginally attached or discouraged. Basically, people who have given up looking for work. I tried figuring out the makeup of the remaining 33%, but without much luck. How many 16 and older students are out there not working because they are full time committed to schooling? Hard to figure out, because so many students have part time jobs or are at least actively looking for part time jobs. Then, how many people are retired by choice, versus retired because there's no more work for them? How many homemakers are staying home with kids because they can't earn enough to significantly exceed childcare expenses versus those who stay home because they don't need or want to work?
I think you'd still be faced with a lack of a truck-driver-to-research-scientist pipeline. There are already a lot of people that are qualified, or if not they're close to qualified, to be in these research roles, so that even if a lot more funding went toward these areas, someone making the move from much more unrelated industries and educations at later points in their lives would still be at a disadvantage. The children of these people, given a good education along with having easier access to higher education, might have an easier time getting into these positions. But it seems like there'd be a labor shortage gap for those that aren't remotely qualified for a research position now.
This also seems to ignore that research science itself is increasingly becoming automated, and such positions that are less efficient on the dollar per fundamental insight scale may disappear at around the same time as our hypothetical truck driver's.
Personally, I think that we as a culture need to change our thought processes on the necessity of everyone doing work. So what if some people just end up in the sitting around watching Netflix all the time category? Not everyone's going to do that, there are a ton of different outlets I would pursue if I didn't have to worry about working or money. And they're mostly things that I'm only money limited on because if I didn't work and pursued these things then I wouldn't be able to eat or have a place to sleep.
Work on giving people quality educations and the open-ended opportunities to explore, play, and pursue, and I think we'd all be surprised at what people will end up doing with their time.
>it seems like there'd be a labor shortage gap for those that aren't remotely qualified for a research position now.
If you are already willing to pay someone's living expenses for the rest of their life, then there's no such thing as a gap due to not being remotely qualified. No matter how many years it takes for them to learn how to do research, if you are willing to pay the UBI, you are willing to pay their stipend for this time.
>such positions that are less efficient on the dollar per fundamental insight scale may disappear at around the same time as our hypothetical truck driver's
I think this rests on an incorrect view of human nature. People aren't born with a list of jobs that they can fit into, they just have aptitudes for various things. In a purely capitalistic society, the aptitudes translate into a list of jobs because profit-seeking enterprises will not pay you more to do something than the net dollars you bring in, which is itself determined by your aptitude at that specific task. However, once we're talking about the UBI, this vanishes.
There does not exist a person that is capable of exactly washing beakers and driving trucks. This only appears to be the case because there do exist people who are capable exactly of turning a profit while washing beakers or driving trucks. There is a disturbing view of human capabilities running through this thread, that some people are just truck drivers "by nature," and that like the trucks themselves they must be retired if we no longer need their services. However, this "fact" is only a result of the financial realities that are specifically overturned by the UBI.
While the author of this post focuses on the idea of a flat earth conspiracy leading to their conclusion that people believing in conspiracy theories don't have much influence over our everyday lives and that they're "fun", I can't help but disagree with an example that he even mentions briefly in the post: anti-vaccination. The WHO has named anti-vaccination as a top 10 global health threat. Right now in Clark County, Oregon there's an evolving problem with the spread of measles. I can understand the author's attempts to reconcile his parents' weird beliefs, but I can't agree with his conclusion that they're mostly fun and harmless. People who deny climate change enact that belief in the way they vote and in their everyday consumption. That's not just a fun point to argue with. It's affecting everyone's lives.
What you're saying and the conclusions of the study are one and the same. Though I would disagree that their questions were like presenting 1+2=68445788. I would suggest they're more like "1 is 32119592 and 2 is 36326196, thus 1+2=68445788". 1 and 2 are not those numbers, but premised that way, formally the results of the logic check out.
Regardless of whether it's revealing or not it's a good thing to work towards establishing these sorts of conclusions through studies so that someday we can hope to have fewer terrible premises.