Hacker News: joergsauer's comments

I live in Germany, and two of my credit cards have a monthly fee of EUR 0.00. One of them even has zero fees for foreign currency transactions and ATM withdrawals, which is why I got that particular one. There are good cards available in Germany if you look around.

Edit: EUR 0.00 annual fee, of course.


Paymill seems to have a somewhat uncertain future at this point: http://ecommercenews.eu/german-payment-provider-paymill-file...


Currently, there is no straightforward way of checking Ubuntu package versions against CVEs. Debian provides this through debsecan[1], but this tool is pretty much broken on Ubuntu[2].

[1] http://www.enyo.de/fw/software/debsecan/ [2] https://bugs.launchpad.net/ubuntu/+source/debsecan/+bug/9592...
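What a minimal version-versus-CVE check looks like on a Debian/Ubuntu host, as an added example that is not debsecan and not any Ubuntu tooling: it ports dpkg's version ordering (epoch, upstream, revision, with "~" sorting before everything including the end of the string) and reports every installed package whose version sorts below the version in which a CVE was fixed. The dpkg output and the CVE table are constructed, with placeholder CVE ids; a real checker would feed the table from the distribution's security tracker.

```python
"""Compare installed Debian/Ubuntu package versions against the versions in
which given CVEs were fixed, using dpkg's version-ordering rules.
Added example for this thread: not debsecan, not Ubuntu's own tooling.
The package list and CVE table are constructed, with placeholder CVE ids."""
from typing import Dict, List, Tuple

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE_DPKG_OUTPUT = """\
openssl 1.0.1f-1ubuntu2.15
bash 4.3-7ubuntu1.5
nginx 1.4.6-1ubuntu3.4
"""
# Constructed: package -> [(placeholder CVE id, first fixed version)].
# A real checker would load this from the distribution's security tracker.
SAMPLE_FIXES: Dict[str, List[Tuple[str, str]]] = {
    "openssl": [("CVE-EXAMPLE-1", "1.0.1f-1ubuntu2.16")],
    "bash": [("CVE-EXAMPLE-2", "4.3-7ubuntu1.5")],
    "nginx": [("CVE-EXAMPLE-3", "1.4.6-1ubuntu3.5"),
              ("CVE-EXAMPLE-4", "1.4.6-1ubuntu3.3")],
}

def _at(s: str, k: int) -> str:
    """Character k of s, or '' past the end (like C's NUL terminator)."""
    return s[k] if k < len(s) else ""

def _order(c: str) -> int:
    """dpkg's rank for non-digits: '~' < end of string < letters < others."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs (ranked by
    _order) and digit runs (compared numerically, leading zeros dropped)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (_at(a, i) and not _at(a, i).isdigit()) or \
              (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():   # longer digit run means larger number
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' as dpkg does (last '-' wins)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        return epoch, v, ""
    return epoch, upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1/0/1 like `dpkg --compare-versions`: epoch, upstream, revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def parse_dpkg_list(text: str) -> Dict[str, str]:
    """'name version' lines -> {name: version}; other lines are ignored."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def find_vulnerable(installed: Dict[str, str],
                    fixes: Dict[str, List[Tuple[str, str]]]):
    """(package, installed, cve, fixed) wherever installed < fixed."""
    return [(pkg, ver, cve, fixed)
            for pkg, ver in installed.items()
            for cve, fixed in fixes.get(pkg, [])
            if compare_versions(ver, fixed) < 0]

if __name__ == "__main__":
    for pkg, have, cve, fixed in find_vulnerable(
            parse_dpkg_list(SAMPLE_DPKG_OUTPUT), SAMPLE_FIXES):
        print(f"{pkg} {have}: affected by {cve}, fixed in {fixed}")
```

The comparison has to be dpkg's, not a naive string or tuple compare: "2.0" must sort below "10.0", "1.0~rc1" below "1.0", and an epoch must override everything after it, otherwise a backported fix like 1.0.1f-1ubuntu2.16 is misjudged against the upstream number.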


This looks interesting. I have been looking for a solution to this problem without any clear conclusions so far. Nessus and Qualys have new agent-based scanners now, but I have not tested them because they both only support Red Hat-based Linux distros.

It sounds like for most software you are using the Ubuntu package management system to check for vulnerable versions. Is that correct? And are you planning to add detection for binaries that live outside of the distro package manager? I am thinking of stuff like custom-compiled Nginx binaries for example. I realize it would be non-trivial to implement this but would consider it highly useful at least for a certain set of common software components.


>And are you planning to add detection for binaries that live outside of the distro package manager?

It's on the roadmap! Others have mentioned that before. First we need to get really good at knowing about CVEs :).


If you can solve this people will throw boatloads of money at you.

Unfortunately it's not easy -- even writing scripts to detect running processes across all our servers to identify Java, Apache, Tomcat, etc etc has proven difficult to get right. Sometimes you can get enough info from extended process list info, sometimes not.

Sucks.
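For the process-fingerprinting problem in the comment above, and the earlier question about binaries that live outside the distro package manager, an added example that is not code from the thread or from the tool under discussion: it classifies `ps -eo pid,user,args` lines by product and flags executables whose path is not under a distro-managed prefix, since those are exactly the ones a package-version check never sees. The ps lines, paths and versions in it are constructed.

```python
"""Fingerprint services from `ps` output and flag binaries that live outside
distro-managed paths, so they can be checked by other means.
Added example for this thread; the process lines are constructed to look
like `ps -eo pid,user,args` output, and every path and version in them is
hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_PS_OUTPUT = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 root     nginx: master process /usr/sbin/nginx -g daemon on;
  813 www-data nginx: worker process
  901 root     nginx: master process /usr/local/nginx/sbin/nginx
 1204 tomcat   /usr/lib/jvm/java-8-openjdk-amd64/bin/java -Dcatalina.base=/var/lib/tomcat8 org.apache.catalina.startup.Bootstrap start
 1550 app      /opt/jdk1.8.0_66/bin/java -jar /srv/app/service-2.3.1.jar
 1602 root     /usr/sbin/apache2 -k start
 1700 postgres /usr/lib/postgresql/9.3/bin/postgres -D /var/lib/postgresql/9.3/main
"""

# Paths a dpkg/rpm-managed package normally installs executables under.
# Anything else (/opt, /usr/local, /srv, /home ...) is a custom build or a
# vendor tarball that package-based CVE checks will never see.
PACKAGE_MANAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                            "/usr/lib/", "/lib/")

# Ordered: the first pattern that matches the command line names the product.
# Tomcat must come before the generic java rule because it runs inside a JVM.
RULES = [
    ("tomcat", re.compile(r"org\.apache\.catalina\.startup\.Bootstrap|-Dcatalina\.base=")),
    ("java", re.compile(r"(^|/)java\b")),
    ("nginx", re.compile(r"^nginx: master process ")),
    ("apache", re.compile(r"(^|/)(apache2|httpd)\b")),
    ("postgres", re.compile(r"(^|/)postgres\b")),
]

# A dotted number inside the executable's path (e.g. /opt/jdk1.8.0_66/).
VERSION_IN_PATH = re.compile(r"\d+(?:\.\d+)+")


@dataclass
class Service:
    pid: int
    user: str
    product: str
    binary: str                   # executable path as far as ps reveals it
    package_managed: bool         # True if the executable sits under a distro path
    version_hint: Optional[str]   # only what the path itself says, or None


def executable_path(args: str) -> str:
    """nginx rewrites its argv; the real path follows 'master process'."""
    m = re.match(r"nginx: master process (\S+)", args)
    return m.group(1) if m else args.split()[0]


def fingerprint(ps_text: str) -> List[Service]:
    """Classify every process line; processes matching no rule are skipped."""
    found = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue   # header line or a process with no arguments
        pid, user, args = parts
        for product, pattern in RULES:
            if pattern.search(args):
                binary = executable_path(args)
                hint = VERSION_IN_PATH.search(binary)
                found.append(Service(int(pid), user, product, binary,
                                     binary.startswith(PACKAGE_MANAGED_PREFIXES),
                                     hint.group(0) if hint else None))
                break
    return found


def unmanaged(services: List[Service]) -> List[Service]:
    """The ones a package-version CVE check cannot cover."""
    return [s for s in services if not s.package_managed]


if __name__ == "__main__":
    for s in fingerprint(SAMPLE_PS_OUTPUT):
        where = "packaged" if s.package_managed else "NOT from a package"
        print(f"pid {s.pid} {s.product:8} {s.binary} ({where}, "
              f"version hint: {s.version_hint or 'none from ps'})")
```

Note what ps does and does not give you here: the Tomcat process is only recognisable from its JVM arguments, the JVM's own version shows up only when somebody unpacked a tarball into a versioned directory, and the packaged nginx reveals nothing beyond its path. For the unmanaged ones a follow-up step (`binary -v`, reading the ELF, or a checksum lookup) is still needed to get a version worth comparing.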


My dad bought me a Commodore 16 after I had been nagging him for months about wanting my own computer. The little time I had been allowed to spend on my dad's CP/M and DOS machines and on our neighbour's Apple II just was not enough for me anymore.

I wanted a Commodore 64, of course, so when I got that grey instead of beige box it was immediately clear to me that it was not "the real thing". In retrospect, though, I am immensely grateful for my dad's choice. There being almost no software for the C16, and in particular the complete lack of games, meant that the only thing I could really do with it was to start programming with the built-in BASIC. So, I learnt that... and it did not take long until my dad stopped being the person I could ask about how to do things on a computer...

First experiencing a computer as something you program instead of something you use to run programs written by other people was one of the coolest things that could have happened to me at that time.

Later, I got a Commodore 128. I did some interesting stuff on it, for example, it is the only machine I ever really programmed in assembler. But to be honest, most of its uptime was spent in the C64 mode running games.


The Cybernoid II theme[1] by Jeroen Tel is one of my personal favourites. Captures the spirit of those times just perfectly...

[1] https://www.youtube.com/watch?v=VC4gaaDFjE4


The first actual RFC on HTTP was RFC 1945[1] from 1996. However, HTTP had been in use on the Web for a couple of years already when it was published.

[1] https://tools.ietf.org/html/rfc1945


"Ketamine is still used in developing countries as an emergency anaesthetic."

Actually, it is on the WHO Model List of Essential Medicines <http://apps.who.int/iris/bitstream/10665/93142/1/EML_18_eng.... and used frequently and routinely in emergency procedures around the world, not just in "developing countries".


That's true. There are a few niche applications where it's used quite commonly, for example burn victims and the opiate-intolerant.


Still used in pediatrics in the UK. Just the BBC being the BBC.


I thought this; it's widely known in the UK to be used on paediatrics. It's also something the BBC has publicised before... Weird


Also in the US - my daughter was given ketamine when going into surgery.


Yup. I was watching Inside Combat Rescue and they use ketamine all the time to knock out the wounded soldiers.


Interesting article, but more details on how the attack succeeded would have been worth reading. Was it a problem with password reset in the Harvard email system, i.e. was publicly available information used to answer a verification question in combination with an arbitrary email address? Or was it a social engineering attack, i.e. did the attacker convince somebody at Harvard to initiate a password reset using this information?


From the article "Itz very simple sir… Im hacked your account in 2 min… Im learned ur boi (bio) from internet… and create gmail account like yours then I fill the submit form with my email and Harvard send mail the Password change link.. That it…"


So I don't quite understand that... Trying to piece it together.

Perhaps the Harvard email system will allow you to send a Reset Password link to an arbitrary (?) email address if you correctly identify some "identity verification" questions, and this guy was able to glean the answers to those questions from reading the article author's bio?


Didn't sound like it was too awfully difficult but yea, pretty thin on the details. Here's Harvard's password reset instructions... http://huit.harvard.edu/reset-your-harvard-password


So Facebook had his Harvard email as the password reset email?


That is what I got from: "On the day it happened, I figured out he got in by taking over my Harvard alumni email and then requesting that a new password from Facebook be sent there."

Gaining control of email accounts is how other accounts are typically captured when multi-factor auth is not enabled, of course. The question is how exactly the attacker got into Thurston's email account at Harvard. The reset instructions read like answering a verification question is all that is needed to change the password without knowing the original password. That would mean two lessons:

1. Harvard should add at least one additional step to this procedure, such as requiring confirmation through a secondary email address.

2. Nobody should ever use publicly available information as answers for password reset "security" questions.

(Both not exactly surprising insights here, of course...)

What still doesn't add up is the part about the attacker "creating gmail account like yours".
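The two lessons in the comment above (gate a reset on something other than a question whose answer is in a public bio, and send the link only to an address already on file), shown as a weak reset flow next to a hardened one. This is an added example for the thread, not Harvard's code, and nothing here claims to describe how Harvard's system actually works; the account, addresses and mailer are constructed stand-ins.

```python
"""A password-reset flow with the two weaknesses discussed above (a knowledge
question answered from public information, and a reset link mailed to a
caller-chosen address) next to a hardened one.
Added example for this thread, not a description of Harvard's actual system;
accounts, addresses and the mailer are constructed stand-ins."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid

@dataclass
class Account:
    username: str
    password: str
    recovery_email: str       # the secondary address on file
    security_answer: str      # e.g. "first school": the kind of thing a bio reveals
    reset_hash: Optional[str] = None   # sha256 of the outstanding token, never the token
    reset_expires: float = 0.0

Mailbox = Dict[str, List[str]]   # address -> tokens delivered (simulated mailer)

def _issue_token(acct: Account) -> str:
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).hexdigest()
    acct.reset_expires = time.time() + TOKEN_TTL
    return token

# --- Weak: answer a question, name any destination address -----------------
def reset_weak(accounts, mailbox, username, answer, send_to) -> bool:
    """Anyone who knows the answer gets a valid link at an address they chose."""
    acct = accounts.get(username)
    if acct is None or acct.security_answer.lower() != answer.strip().lower():
        return False
    mailbox.setdefault(send_to, []).append(_issue_token(acct))
    return True

# --- Hardened: no knowledge question, link only to the address on file ------
def request_reset(accounts, mailbox, username) -> None:
    """Caller cannot pick the destination and learns nothing either way."""
    acct = accounts.get(username)
    if acct is not None:
        mailbox.setdefault(acct.recovery_email, []).append(_issue_token(acct))

def complete_reset(accounts, username, token, new_password, now=None) -> bool:
    """Accept the token once, within TTL, compared in constant time by hash."""
    acct = accounts.get(username)
    now = time.time() if now is None else now
    if acct is None or acct.reset_hash is None or now > acct.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, acct.reset_hash):
        return False
    acct.reset_hash = None        # single use
    acct.password = new_password
    return True

def demo() -> Dict[str, bool]:
    """Play the attack against both flows and report who got in."""
    accounts = {"alice": Account("alice", "hunter2", "alice@example.edu",
                                 "Lincoln High")}
    mailbox: Mailbox = {}
    out = {}
    # Weak flow: the answer came from the victim's public bio, the link goes
    # to the attacker's own address, and the attacker completes the reset.
    reset_weak(accounts, mailbox, "alice", "lincoln high", "attacker@example.net")
    out["weak_attacker_reset"] = complete_reset(
        accounts, "alice", mailbox["attacker@example.net"][0], "pwned")
    # Hardened flow: the link lands only in the recovery mailbox. The
    # attacker can request a reset but never sees the token, so guessing fails.
    request_reset(accounts, mailbox, "alice")
    out["hardened_attacker_guess"] = complete_reset(
        accounts, "alice", secrets.token_urlsafe(32), "pwned")
    owner_token = mailbox["alice@example.edu"][-1]
    out["hardened_owner_reset"] = complete_reset(accounts, "alice", owner_token, "new-pass")
    out["hardened_token_reuse"] = complete_reset(accounts, "alice", owner_token, "again")
    # An unused link expires on its own.
    request_reset(accounts, mailbox, "alice")
    out["hardened_expired"] = complete_reset(
        accounts, "alice", mailbox["alice@example.edu"][-1], "late",
        now=time.time() + TOKEN_TTL + 1)
    out["attacker_saw_hardened_token"] = len(mailbox["attacker@example.net"]) > 1
    return out

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hardened flow still lets an attacker who controls the recovery mailbox reset the password, which is the Facebook half of the story above; that is why the address on file needs the same protection (and ideally a second factor) as the account it recovers.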


Infrastructure Scalability Architect - Munich, Germany - ONSITE

optile is a Munich-based B2B company that offers its customers a distributed scalable system to accept 100+ payment methods and process payments worldwide. We are expanding and are looking for an Infrastructure Scalability Architect as soon as possible as a full-time employee. The role involves coordinating, defining and maintaining our payments processing infrastructure, where scalability, high availability, security (PCI-DSS) and performance are mission critical.

We expect:

* good understanding of web, middle and data tier scaling concepts (Java application servers, MongoDB, MySQL)

* good understanding of network scaling concepts (e.g. load balancing)

* experience with cloud providers and technologies (public and private)

* strong knowledge of Linux (preferably Ubuntu / Debian)

* experience with our base technology stack and preferably also some of our research technologies

* fluency in English and preferably also German

Base technologies: Ubuntu, Java, Apache Tomcat, Virgo, Vert.x, Liferay, MongoDB, MySQL, Nginx, Squid, Citrix Xenserver, Puppet, Foreman, Ruby, Git, Jenkins, Maven, Nexus, Icinga 2, Elasticsearch, Logstash, Kibana, JUNOS, Juniper SRX, JIRA, Confluence

Research technologies: OpenStack, Ceph, Containers, CoreOS, Docker, rkt, Kubernetes, Mesos, etcd, Hadoop, Cassandra

More info: https://www.optile.net/job-offers

Or contact me: joerg.sauer at optile dot net

