Security quotes of the week

[Posted March 10, 2021 by jake]

Somehow, the threat actor either knew that the exploits would soon become worthless or simply guessed that they would. So, in late February, the attacker changed strategy. Instead of simply exploiting targeted Exchange servers, the attackers stepped up their pace considerably by targeting tens of thousands of servers to install the web shell, an exploit that allows attackers to have remote access to a system. Microsoft then released the patch with very little warning on Mar. 2, at which point the attacker simply sought to compromise almost every vulnerable Exchange server on the Internet. The result? Virtually every vulnerable mail server received the web shell as a backdoor for further exploitation, making the patch effectively useless against the Chinese attackers; almost all of the vulnerable systems were exploited before they were patched.
This is a rational strategy for any actor who doesn’t care about consequences. When a zero-day is confidential and undiscovered, the attacker tries to be careful, only using it on attackers of sufficient value. But if the attacker knows or has reason to believe their vulnerabilities may be patched, they will increase the pace of exploits and, once a patch is released, there is no reason to not try to exploit everything possible.

— Nicholas Weaver

We know that Microsoft shares advance information about updates with some organizations. I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did: use the exploit widely, because you don’t have to worry about losing the capability.

— Bruce Schneier

In theory cookies should have been very pro-privacy. After all, they're putting data on end user computers where they have control over them. Users can delete those cookies or block them from being placed. In theory. The reality, though, is that deleting or blocking cookies takes a lot of effort, and while there are some services that help you out, they're not always great. In an ideal world, we would have built tools that made it clearer to end users what information cookies were tracking, and what was being done with that information -- as well as consumer-friendly tools to adjust things. But that's not the world we ended up in. Instead, we ended up in a world where the hamfisted use of 3rd party cookies is generally just kinda creepy. In the past, I've referred to it as the uncanny valley of advertising: where the advertising is not so well targeted as to be useful, but just targeted enough to be creepy and annoying by reminding you that you're being tracked.

— Mike Masnick

to post comments

Security quotes of the week

Posted Mar 12, 2021 19:58 UTC (Fri) by ratfactor (guest, #132367) [Link] (4 responses)

Mike Masnick is spot-on about the tragedy of browser cookies. They're a useful tool and one that is entirely under user control...in theory. Sadly, the browser vendors chose to not make cookie control more visible and accessible. Now we have the EU "Cookie Law" essentially pushing the interface requirements to the website, which is a predictably crummy experience for everyone.

I do draw the line at 3rd party cookies, though. I don't consider Internet-wide targeted advertising "useful" at all. It's not merely creepy, it's wrong.

I voluntarily shop on Amazon.com and they track my purchases. The website suggests things I might like. It's often correct. This is entirely appropriate.

I voluntarily use the Instagram service and its targeted advertising has gotten so accurate about my likes/dislikes that I've actually (gasp) purchased things it showed me. This is all voluntary.

But as soon as I leave Amazon.com or the Instagram walled-garden, I expect to no longer be watched by those organizations. There is no legitimate reason for 95% of the websites I visit without a login to be using cookies at all. It is not "providing a better experience" for me and they darn well know it.

Security quotes of the week

Posted Mar 12, 2021 22:09 UTC (Fri) by Wol (subscriber, #4433) [Link] (3 responses)

> I voluntarily shop on Amazon.com and they track my purchases. The website suggests things I might like. It's often correct. This is entirely appropriate.

The website suggests things I might like. It's usually infuriatingly wrong. I'd rather just disable the entire experience. No I do NOT know whether my niece would like something to go with the present I bought her. I have a Nikon system camera - no I do NOT want to buy a load of Canon gear, etc etc.

Cheers,
Wol

Security quotes of the week

Posted Mar 15, 2021 15:09 UTC (Mon) by nix (subscriber, #2304) [Link] (2 responses)

Amazon would, for me, be right almost all the time *except* that when I'm buying gifts for people and the gift interface is not available (which is often: e.g. third-party sellers), Amazon has no way to tell it "no, this was bought for someone else" even if subtle hints like using a totally different delivery address and the product not clustering remotely close to anything anyone like me would ever buy for themselves are both present.

Which is why I'm constantly being spammed with suggestions for Barbies on Amazon now.

Security quotes of the week

Posted Mar 15, 2021 15:39 UTC (Mon) by excors (subscriber, #95769) [Link]

I think you can go to "Your Recommendations" -> "Improve Your Recommendations" to see a list of purchased items, then "I prefer not to use this for recommendations" if you feel ashamed by your growing Barbie collection and want to pretend they weren't really for you. You can also remove looked-at items from "Your Browsing History" to avoid being shown related items. It would be nice if the algorithm was smarter, but at least it allows some manual control if you want to guide it when it gets confused.

Security quotes of the week

Posted Mar 16, 2021 9:10 UTC (Tue) by anselm (subscriber, #2796) [Link]

Which is why I'm constantly being spammed with suggestions for Barbies on Amazon now.

I've found that after I bought a washing machine on Amazon, Amazon seems to believe that it makes sense to display ads for more washing machines.

Apparently in the experience of Amazon, kings of big data, people who have just purchased a large, expensive, and usually fairly long-lived household appliance are actively interested in buying another one of the same kind to a point where it makes sense to waste their attention span on washing-machine ads when they could just as easily be shown ads for detergent or drying racks. Go figure.