QuoTW

This was the week when legendary security mailing list Full Disclosure closed down after 12 years when admin John Cartwright threw in the towel in utter exasperation. The service where security researchers could post details of exploits and vulnerabilities is closing after Cartwright reached the end of his tether with running the list. He said in a post to the list:
When Len [Rose] and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise.
However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.
I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself.
However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.
I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.
I'm suspending service indefinitely. Thanks for playing.
In other security news, researchers at antivirus firm ESET, the Swedish National Infrastructure for Computing and other agencies have uncovered a cybercrime operation they believe has been running for around three years, named Operation Windigo.
Operation Windigo is an attack by hackers using a Trojan to seize control of over 25,000 Unix servers around the world to create a spam and malware distribution platform.
ESET security researcher Marc-Étienne Léveillé said:
Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control. Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.
And Facebook's chief security officer Joe Sullivan has spoken to The Reg about the reports leaked by NSA whistleblower Edward Snowden. He said:
I don’t think anyone who focuses on security has been surprised by the specific things that we've seen.
As security people, we're paranoid, so we assume all of these things are happening, but when you actually see concrete evidence of an implementation, that moves it from paranoia to professional security advice.
He added that the social network was looking at ways to plug any data leaks it might have:
We're looking at literally every point in the movement of data and analysing the risks. If data is going through a building or a cable that someone else controls we need to assume the worst, in the same way that we assume the worst about every one of our employees.
I trust everyone I work with, but also assume that they can get malware on their laptop or they might have their spouse held hostage. Everything can go wrong and it's not about trusting people, it's about removing the risk.
Over in Japan, beleaguered Bitcoin exchange MtGox has allowed its thousands of customers to view their balances in the digital currency online, although they're not able to withdraw any of the stuff from the bankrupt firm. The exchange said:
Please be aware that confirming the balance on this site does not constitute a filing of rehabilitation claims under the civil rehabilitation procedure and note that the balance amounts shown on this site should also not be considered an acknowledgment by MtGox Co Ltd. of the amount of any rehabilitation claims of users.
Also this week, billionaire entrepreneur Elon Musk has slammed New Jersey's leaders for letting the state become the third after Texas and Arizona to enact a rule banning auto manufacturers from selling cars directly to customers, rather than selling them through franchise dealerships. In a blog post "to the people of New Jersey", Musk fumed:
The evidence is clear: when has an American startup auto company ever succeeded by selling through auto dealers? The last successful American car company was Chrysler, which was founded almost a century ago, and even they went bankrupt a few years ago, along with General Motors.
The rationale given for the regulation change that requires auto companies to sell through dealers is that it ensures 'consumer protection'. If you believe this, Gov. Christie has a bridge closure he wants to sell you! Unless they are referring to the mafia version of 'protection', this is obviously untrue.
Musk also claimed that a number of surveys showed that Tesla customers were happy with the way things were and hinted that the law was only there to stop outfits like Tesla from threatening the big automakers and dealerships:
Democracy is supposed to reflect the will of the people. When a politician acts in a manner so radically opposed to the will of the people who elected him, the only explanation is that there are other factors at play.
At the TED Conference in Vancouver, Edward Snowden made an appearance via remote-controlled robotic screen and chatted onstage with Sir Tim Berners-Lee. He said:
I grew up not just thinking about the internet but in the internet, and while I never thought I'd grow up to defend it in such a direct and practical manner, I think there's something poetic about one of the sons of the internet has become close to the internet as a result of political expression.
I believe a Magna Carta for the internet is exactly what we need. We need to encode our values not just in writing but in the structure of the internet.
He also said that the NSA secret-spillings were far from over:
There are absolutely more revelations to come. I don’t think there's any question that some of the most important reporting to be done is yet to come.
Later in the week, Google co-founder Larry Page did a bit at the conference that also mentioned the NSA. Page said he was "disappointed" with the US government:
It is disappointing that the government secretly did this stuff and didn't tell us about it. It is not possible to have a democracy if we have to protect our users from the government. The government has done itself a tremendous disservice and we need to have a debate about it.
But he doesn't want too much of a backlash over privacy issues:
I’m worried about throwing the baby out with the bathwater. When I lost my voice I thought, wouldn’t it be amazing if everyone’s medical conditions were available anonymously to medical doctors? You could see what doctors accessed it and why, and learn more about conditions you have.
I was scared to share this voice stuff, but Sergey persuaded me, and it’s been really positive. I got all this information, I got a survey done, got medical conditions from people with similar issues. We’re not thinking about the tremendous good that could come from sharing the right information with the right people in the right ways.
And he talked about where Google wanted to take recent acquisition DeepMind, a British AI firm:
Voice recognition is important. Right now even state-of-the-art speech recognition is not very good. It doesn’t understand you.
So we ran machine learning on YouTube, and DeepMind discovered cats on its own. DeepMind started playing video games and learning automatically. The same program can play all these games [like Battlezone, Pong, Demon Attack] with superhuman performance. Imagine if this kind of intelligence were thrown at your schedule, your information needs. That’s what I’m excited about.
And finally, a team of astrophysicists has sighted gravitational waves, formed in the first trillionth of a trillionth of a trillionth of a second after the Universe winked into existence and supporting the inflationary version of the Big Bang theory. The waves were first predicted by Albert Einstein as a key part of his Theory of General Relativity nearly a hundred years ago.
Marc Kamionkowski, professor of physics and astronomy at Johns Hopkins University, said:
This is something that's not just a home run, but a grand slam. It's the smoking gun for [the universe's] inflation and it's the first detection of gravitational waves.
But he joked that the boffins wouldn't be mentally polishing their Nobels just yet:
As Carl Sagan said, extraordinary results require extraordinary scrutiny and these results are as extraordinary as they get, and will require the most extraordinary scrutiny.
We must therefore wait before buying any tickets to Stockholm until these results are vetted by the community. If these results hold up then we've learned that inflation has sent us a telegram coded in gravitational waves and transcribed on the cosmic microwave background sky.