General Chat Thread, [News] UEFI and Secure Boot - The Linux users are not happy! in General; ...
  1. #46

    Dos_Box
    Quote Originally Posted by Arthur View Post
    There's actually a higher chance of getting infected with malware by visiting primary school websites than there is from going to a porn or gambling site.

    Malware injected into legitimate JavaScript code on legitimate websites « Naked Security

    Actually, having been at the sharp end of something like this way back, it mainly boils down to the centrally hosted nature of primary school websites. It only requires one undetected breach to make many dozens of sites malware-centric. The same goes for privately hosted primary sites. Often those who set them up will have a very poor idea of security and of keeping their systems patched, as well as of having complex passwords in place for admin accounts. High schools fare better due to the higher level of technical expertise on hand when it comes to their sites' security issues.

  2. #47

    Quote Originally Posted by SYNACK View Post
    All this is because it is MS; everyone else has been getting away with it for years now with no action at all.
    +1. It's one rule for Microsoft, and another for Apple, Google and Co.

    Google's Wi-Fi sniffing to result in $7 million fine
    ... in 2010, Google discovered that enterprising engineer Marius Milner had written code that captured not only the location of open WiFi hotspots, but also some of the traffic, on the basis that “it might be useful”. The data had been captured for three years before the sniffing was "discovered".

    Investigations were launched in a number of countries, with varying outcomes. For example, Britain eventually decided to clear Google, Australia attacked it with a wet lettuce, and France imposed a fine of €100,000.

    Consumer Watchdog is upset at the rumoured deal, calling the $US7 million settlement "measly": "Once again it looks like Google, the serial privacy violator, is buying its way out of a jam with what for the Internet giant is pocket change", its John Simpson wrote. (Source)
    Google and Opera behind Microsoft's $730-million EU antitrust fine, says FT
    A report from the Financial Times claims that Google and Opera "informally provided the tip-off" that led to the EU fining Microsoft over $730 million yesterday. The fine was levied because Microsoft failed to include a "browser ballot" screen that let European users choose what browser to use when setting up their Windows PC. The Financial Times cites "several people familiar with the case" as confirming that Microsoft's browser-making rivals were behind the tip, and claims that both companies also helped the EU throughout the investigation. (Source)
    The European Commission announcement of the fine said Microsoft's mistake meant 15 million European users of Windows did not see the browser choice screen. (Source)
    Capturing data from unencrypted wireless networks seems just as bad as (if not worse than) not showing the browser ballot screen on Windows 7 SP1 PCs.

  3. #48

    Quote Originally Posted by Dos_Box View Post
    Often those who set them up will have a very poor idea of security and keeping their systems patched as well as having complex passwords in place for admin accounts.
    Unfortunately that has been my experience too. If primary schools do not have someone who can keep their website software patched, they would be better off with hosted solutions such as Wordpress.com, Squarespace etc.

  4. #49

    SYNACK
    Quote Originally Posted by Arthur View Post
    Unfortunately that has been my experience too. If primary schools do not have someone who can keep their website software patched, they would be better off with hosted solutions such as Wordpress.com, Squarespace etc.
    Hey, don't tar all the primary schools with the same brush; lack of skill can be anywhere, and I have encountered my fair share of it in high schools too. To be fair, a lot of the frameworks that seem to be the favourites are also turned to Swiss cheese every few months or so thanks to their popularity and the double-edged sword of OSS: people can easily fix it, but people can also easily crack it open and use the exact same skills to find holes and exploit them instead. Updates, checking and backups are all requirements when dealing with a website, a CMS especially.

    I have to say also that some of the prevalence of the hacks on school sites is spear phishing: if you're going to find an overtaxed system to exploit that people probably won't report, and that also has access to a bunch of other machines internally, a school is a good target. Many teachers also seem to be an easy target for them, as they seem to implicitly trust and click anything that mentions free teaching resources. I have lost count of how many reports I have had of weird stuff tracked back to the user being at this 'great free education resource site' and clicking anything and everything till they get stung with the latest malware. This is one of the many reasons I hate Java, as the vector for many of these attacks, but they of course require it to use the one in three educational resources that are not actually hidden malware.
    Last edited by SYNACK; 1st April 2013 at 01:47 PM.

  5. #50
    markwilfan
    Quote Originally Posted by SYNACK View Post
    They make diesel cars that only run diesel, and petrol cars that only run petrol.
    I know what you are saying, but if I were to buy a diesel car I could, in theory, change the engine to a petrol one if I wanted.

    I don't buy Apple products, or Blackberry, because you are "not allowed" to monkey around with them. I know this; that's why I don't buy them. Being geeky, I can't help it, so I just avoid them.

    I know you are playing devil's advocate, Synack, but that's my opinion and it will never change. I've been taking things apart and breaking them since I could use a screwdriver. Looks like I'm just going to have to be more careful before buying new hardware.

  6. #51

    Quote Originally Posted by markwilfan View Post
    I don't buy Apple products, or Blackberry because you are "not allowed" to monkey around with them. I know this, that's why I don't buy them.
    The fact that the Acer W510s (and other 'Clover Trail' tablets) only support Windows 8 would have been a deal breaker for me. As you say, research is very important (probably more so than ever).


  7. #52
    cpjitservices
    I don't know if any of you have IBM Flex Series or x3500 series servers, but they take an age to get past the POST screen. It's really annoying, as on some of our blade servers UEFI is enabled with legacy mode. Some versions of Linux want legacy only, so this means you have to go all the way back to the BIOS to change the settings. It's annoying and takes longer to build a system.

  8. #53

    Motherboard manufacturer Jetway has done something really stupid. They put their UEFI private signing key on a publicly accessible FTP server along with the source code for their latest American Megatrends (AMI) firmware.

    Security Done Wrong: Leaky FTP Server « Adam Caudill

    By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated & installed for the vendor’s products that use this ‘Ivy Bridge’ firmware. If the vendor used this same key for other products - the impact could be even worse. Even with a quick reaction, odds are users will be unprotected for some time. As users often don't install firmware updates unless they are having issues - I expect this one to be around for a while.

    This kind of leak is a dream come true for advanced corporate espionage or intelligence operations. The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.

    This vendor’s lax (non-existent?) security could have much broader repercussions though. For AMI, they now have a major piece of intellectual property freely available for download by competitors. For users, this code could now be subject to new scrutiny - if a security issue is found in the firmware, it could potentially impact all users whose firmware is based on the leaked code.
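As an added illustration of the point made in the post above (this is example code, not code from the thread, from Jetway or from AMI), a small Go model of a firmware loader's trust store. A signature check can only confirm that someone holding the private key signed the image, so once that key is public the only remedy on the verifier side is a revocation list that users must actually receive. The update format (PKCS#1 v1.5 over SHA-256), the key label and the image bytes are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signImage signs the SHA-256 of a firmware image (assumed update format, PKCS#1 v1.5).
func signImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	d := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verifier models a firmware loader's trust store: accepted keys plus a revocation list.
type Verifier struct {
	trusted map[string]*rsa.PublicKey
	revoked map[string]bool
}

// Verify accepts an image only if the key is trusted, not revoked, and the signature checks out.
// It cannot tell who held the private key: an image signed with a leaked key passes just the same.
func (v *Verifier) Verify(id string, image, sig []byte) error {
	if v.revoked[id] {
		return fmt.Errorf("signing key %s revoked", id)
	}
	pub, ok := v.trusted[id]
	if !ok {
		return fmt.Errorf("unknown signing key %s", id)
	}
	d := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

func main() {
	vendor, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the vendor key that leaked
	const id = "vendor-key-1"                        // constructed key label
	v := &Verifier{trusted: map[string]*rsa.PublicKey{id: &vendor.PublicKey}, revoked: map[string]bool{}}
	img := []byte("constructed: firmware image")
	sig, _ := signImage(vendor, img)
	fmt.Println("before revocation:", v.Verify(id, img, sig)) // <nil>: any holder of the key passes
	v.revoked[id] = true // the vendor's remedy once the key is public: ship a revocation entry
	fmt.Println("after revocation:", v.Verify(id, img, sig))
}
```

Until the revocation entry reaches a machine, its loader keeps accepting anything signed with the leaked key, which is why the post expects the problem to linger.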
