Websites offering self hosted, static advertising isn't so much of a problem as random bits of javascript and tracking cookies loaded from god knows where every time you load a page. Harder to block, the advertiser needs to pass their content through the hoster which assures some level of quality and relevance, and some level of privacy for the end viewers.
Probably a lot of sources, depends how well connected you are.
The biggest one is just routing information and rDNS hosts which give away a lot of the information required anyway. If you were really thrifty you would make agreements with services (or use services you run yourself) that have users supply their location information and use that to construct a more granular database. I suspect this already happens to a degree, some of the fake information I give out has ended up in at least one IP address database.
I strongly considered doing this at one point but lacked the connections to pull it off properly (not enough sources of data I could get without approaching random people, basically). A secondary concept would just be to crowd source it and have the information freely available, but I was never sure how to deal with people poisoning the database or just honestly supplying conflicting information.
> DEFINITELY NOT FINANCIAL ADVICE: Personally, I think $2.80/0.01 XBT is low and I would not be in a rush to sell at this price. But, I do understand if you're bearish and you wanted to dump in to the bulls ahead of everyone else.
That's so financial advice, coming from the CEO of the Kraken exchange.
And bad financial advice at that, as the price is quite predictably half that at this moment and probably going much lower. There has to be a shakeout period in the price, no matter what.
But as far as Ethereum itself being a scam... They raised money to produce a product and they've produced it. It's real. It exists. They've done what they said they would do. Whether it was worth the amount raised or not is fairly irrelevant at this point. They've delivered on what they promised.
Is there any evidence that it actually does what it promised? There's a online blockchain to follow, and we can see that digital currency is changing hands, but that's like every other altcoin out there. The selling point of Ethereum seemed to be its "digital contracts" but has anyone made any significant contracts yet?
The other day, there was a post on HN about a 'simple' example Ethereum contract, but it turned out to rely on lots of validators and oracles that 'would exist in the future'.
So, it's not clear to me that they've delivered on their grandiose promises yet.
That's been fairly clear from the start. Almost anything actually useful needs an oracle, and then you get back to the problem of wait, didn't Bitcoin already solve this problem half a decade ago? Once you get past the marketing you've got a rather faulty and expensive clone of Bitcoin with a fairly sketchy history.
Money buys a lot of commits. Give me a few million dollars and we'll get together a group of people that will build an entire computer from discrete transistors. People involved and amount of work doesn't make something worthwhile, reasonable, or viable, it just means that people work for money.
Just giving the benefit of the doubt here, a lot of the time it's unclear if your disclosure even made it to the right people in a company or not. No response is the norm for security disclosures, as is claims of "we didn't get this", even if you have a receipt for their ticketing system that says they did. I've sometimes spent far longer attempting to contact a company than doing research into something that seems to be a problem.
It's easy to prove. Just go look at the number of iOS and OSX security fixes attributed to him. Or you can go do a simple search on any reputable site posting security info and you'll see him all over it.
"Public wifi", not "your own connection". You have two options for who you decide to trust:
1) A VPN company, who you've had the opportunity to research, who's primary business and reputation is based on handling your traffic.
2) Each and every WAP you connect to, in many cases with no real means to verify it's actually e.g. the official WAP of the hotel you're staying at, for something that likely costs the owners money rather than being seen as a profit center in and of itself. Their primary business and reputation is staked on something completely different than their handling of your traffic (be it their coffee, their accommodations, whatever.)
If you trust #2, statistics eventually comes into play - you will trust someone who shouldn't have been trusted. This also ignores that "public wifi" frequently performs MITM attacks for the... not entirely unreasonable purpose of providing login gateways, terms of use, etc. when you initially open up your web browser. But if you're already MITM traffic, it's not as big a stretch to substitute your own (poorly vetted) advertisements and affiliate links for a little extra revenue. Even if you don't do that, there's no guarantees your MITM tech isn't accidentally weakening security ala Superfish.
I think you put far too much trust in one of thousands of clone VPN services. There's no reputation to taint, there's stock standard scripts running on commodity VPS boxes they rented from somewhere else. I would be shocked if at least some of the most commonly used ones weren't run by people looking to sniff credentials. You're paying to pipe all of your sensitive information through some random persons box, which is just ludicrous.
you should trust your end points. assuming you trust the machine you are using, the other end of the tunnel should be just as trustworthy. that's great if you trust a company; but what incentive do you have to trust them?
It's likely too late for panic, everyone is probably owned already. It has the best infection vector ever, unauthenticated, unsolicited messaging with an easily discoverable addressing method. What more could a worm want?
>It's likely too late for panic, everyone is probably owned already
That seems unlikely given that the researcher hasn't publicly released the details of the hack, and he says that "he does not believe that hackers out in the wild are exploiting it".
There are tens of thousands of extremely skilled hackers selling exploits on the order of $10K to $100K. I'm fairly certain someone has been exploiting it. Not everyone is a good guy in the world.
If you're taking advantage of the law of large numbers, then it's only fair to use it in reverse: There's literally tens of thousands of iphones used by security researchers. One of them would have received a version if this if it was used on such a wide scale..
That's absolutely not true, your certainty is based on a fundamental misunderstanding of exploits and the amount of time and energy required to find them.
I don't see what's "not true" about it. A worm vector of this scale is certainly worth the R&D investment to find exploits, and it is indeed correct to assume that the vulnerability has been found before.
Whether it has actually been used, given the value of the bug, is a different story. But it should absolutely be treated as "in active use" already, especially by state or state-sanctioned actors (like Hacking Team).
What's not true is that this isn't in the wild. Period. You can make all the points about urgency you want and I will agree completely, but this is not currently in the wild, as far as anyone knows. Saying it actually is being actively used would be factually inaccurate based on the information known right now.
But that's the point: as far as anyone knows - more specifically, as far as anyone has admitted.
We do not have a 100% reliable way to determine whether an exploit is known by others (and likely never will have), and as such there is only one reasonable assumption left to make: assume that it is out in the wild and known by others.
This isn't a new concept - threat modelling requires that you assume every worst-case possibility is reality, so that you can guard against it. This was formalized in the 19th century as Kerckhoff's Principle[1], and undoubtedly existed before that in military circles. This applies equally to software security.
So given that we simply don't and can't know whether it is out in the wild, the most 'correct' assumption is that it is - because that lets us protect ourselves against that worst-case scenario, which may or may not be the case.
If you think I'm arguing against the idea of treating the vulnerability like it's in the wild, then you are mistaken. I'm simply stating the fact that no one has any evidence that this is being actively used in the wild.
Are you refuting that fact, or are you not refuting that fact?
The most standout part of this attack (to me) is that it can be 100% silent. The fact that the bug hits before the text notification is fired means that an exploit could potentially stop the notification, delete the message, and go on tramping throughout your phone doing whatever it wants leaving absolutely no indication to you the user that you've been hacked.
Except if the MMS went to an iPhone or other device not affected. Unless you can determine Android/iPhone from just a #, apple/blackberry/MS phones would be full of corrupted MMS messages.
Why would it be corrupted? Just because it contains a malicious payload doesn't mean it has to be unviewable normally. Could even just tack onto all outgoing MMS by default and never raise anybodies suspicions.
Is there a way to see if one is "owned"? Could we run a command or view a menu that would list an extra binary? Could we try to exploit ourselves in some way, like visiting a special website?
We know about the vulnerability, not the payload delivered through it. There could be thousands of them with wildly varying characteristics. There could be none.
Some of them could be rootkits, and have patched filesystem and process explorers to hide themselves. Some could be called virus.exe.
But no, you will never know that you haven't been compromised. In the coming weeks, we may learn about some of the specific malware that spreads this way, and you may be able to test your phone for it, but finding nothing does not mean you haven't been owned by something more exotic.
I don't see where superuser2 said what you attributed to them.
Did they edit their comment between the time you quoted it and the time I posted this comment? Or did HN's quirky rules regarding newlines (gotta put two if you want to display one) change the meaning of your comment?
I occasionally get picture or video messages from iPhones on my Android phone which just crash the default Messaging app. When this happens, it's not possible to even delete them as the app crashes immediately upon displaying that message. The only recovery I've found is to delete ALL messages. Interestingly this has never occurred when using Hangouts as the messaging app, but the fact that a presumably legit (these were received from known senders) MMS message could crash the app indicates that there are flaws in the programming.
There would be a lot of side-effects being noticed if it were being exploited as widely as you suggest. For example, carriers would notice lots of unusual activity; MMS step-change at a minimum.
