
Comment DNS blockchain (Score 1) 64

The issue with DNS is that it's a centralizing service. As the world moves more towards a decentralized, distributed Internet, the first piece that moves in that direction should be DNS services.

It could be done right now using a blockchain similar to the one Bitcoin uses. In fact, you could also tie SSL into the platform, to prevent centralizing services like Verisign from being a weak point. The design is already in my head - just need to build it. Anyone have some free time?

Comment how many bitcoins (Score 1) 64

did the attackers ask for to stop the attack?

Here's an actual letter sent to my company when we were attacked earlier this year. By the way, they didn't breach us in any way, shape or form. They just hit us with traffic. The letter makes it sound like they had more, but nope, they didn't have shit.

Hello Support,

We are a team of highly skilled independent security consultants. One of your competitors hired us to take your site offline for an entire month (which we have the resources to do but don't like the contact and might be able to work together instead) and I must say that we have seen A LOT of misconfigured sites with security issues but it took our DB expert less than 30 minutes to dump your sql database without setting off your IDS system.

We want to disclose some of the flaws we found with you and have already put a significant amount of time in researching, exploiting and then documenting the vulnerabilities we found. Unfortunately, most site owners don't give a shit and would rather wait for more malicious hackers to come along. We are going to stop that from happening.

We are taking your site offline until we hear from you. Our initial consultation will cost 1 BTC. That price will go up half a BTC for every 12 hours we have to keep your site offline. I want to personally assure you that we have the power to keep your site down for an indefinite amount of time. We are the ones who took down Xbox Live all week (testing ONE of our new servers). In addition to letting your site up and giving you a report of what we found and how to fix it we will also let you know the ONLY way to stop a DDoS attack the size we are capable of launching. We will also add you to a blacklist so no one else fucks with you.

The BTC can be sent to the following address:

I know that you are going to try to mitigate but in the end that is only going to cost you a lot more money. You make enough from betting and advertising alone that just an hour of downtime won't justify the cost. Our team also understands that you will try to mitigate but nothing will stop the attack except my command. Your hosting provider will not be able to help, the authorities won't be able to help you, your firewall is easily bypassed and any DDoS service you try to bring in we can bring down (we have done this for a long time). Believe it or not we are not the masked assholes stealing credit card numbers. Most of us have families and can't find legitimate jobs in our fields right now and have families to feed.

Comment I live and work in silicon valley (Score 1) 36

and see Google bubble cars and Lexus wagon vehicles from Google every day. I drive between Palo Alto and Santa Clara on Central every day and that's where they're testing these things. I'm always tempted to get close to one to see how it reacts. I'm sure the safety measures are dialed up pretty high.

Comment Re:Raspberry Pi & OSMC (Score 1) 226

I second Kodi (used to be called XBMC).

While I did try it on a raspberry pi, I found it was just too slow. Get an old laptop with HDMI out. Wire it up to your file server and you're ready to rock. I've looked at getting a remote, but I opted instead for a backlit wireless keyboard (with a touchpad on it).

Also, if you have those Philips Hue lights, you can easily get Kodi talking to them; mood lighting with certain kinds of movies is truly amazing.

Comment This isn't new (Score 1) 32

I work for a high-use API site, and I've been seeing these kinds of attacks regularly now for 6 months or more.

Basically, it's a barrage of user/pass attempts coming from hundreds, sometimes thousands of different IP addresses. I wrote custom filters to specifically identify these requests and black-hole them in the nginx proxy. Luckily, we require that 2FA is enabled on all accounts, so nothing was seriously at risk.

I urge everyone to use 2FA on all sensitive sites where available. These kinds of attacks are going to become more commonplace.

Comment Re:SMS was never true 2-factor (Score 2) 86

> SMS was never true 2-factor

Sure it is. Two factor is something you know and something you have. Your ATM card is two factor: to use, supply a PIN (what you know) and the card itself (what you have).

SMS (what you have) combined with a password (what you know) is a perfectly valid two factor authentication system.

Comment Here's how it works (Score 1) 65

There are hundreds of millions of username/password combinations, stolen from lots of different websites that have been breached over the years. A person or group with this collection decides to target TeamViewer users, especially after learning that TeamViewer doesn't require their users to enable 2FA. Of course, 99.99% of all the accounts in the huge list will fail (user doesn't exist, wrong password, etc.). But it doesn't cost any money to continually bang on TeamViewer servers looking for username/password combos that work - this part is automated and being done from thousands of computers all at the same time (essentially a botnet). They take the list of successful user/pass combos and give it to a group of people determined to transfer PayPal, buy gift cards, anything that will let them infiltrate money by taking control of that user account.

Who is at fault? TeamViewer doesn't deserve to walk from this completely free of blame. They should have required 2FA for accounts that allow for remote session activity. In addition, they should have noticed huge spikes of bad user/pass combos being tried on their servers.

Unfortunately, the majority of the blame lies with poor security decisions made by users. Any critical account (like remote access or anything related to money) should be protected by a unique strong password and 2FA (when available).

This is just the beginning folks. We're going to see more and more of these types of attacks.
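The spike of bad user/pass combos this post says TeamViewer should have noticed, and the many-IP barrage the "This isn't new" post filters in nginx, share one signature: lots of failures, spread over many source addresses, with each account tried only once or twice. Here is an added example (not from either poster) of detection logic over constructed auth events that flags that pattern, ignores ordinary single-client brute force, and reports any account that logged in successfully inside a flagged window so it can be forced through a reset; the log format, field order and thresholds are all assumptions.

```python
from collections import Counter

# Constructed sample auth events (not from the original post), one per line:
# "epoch_seconds username source_ip result". Each account is tried about once,
# each attempt from a different address: the pattern the post describes.
SAMPLE_LOG = """\
1000 alice 203.0.113.10 OK
1020 bob 198.51.100.7 FAIL
1025 carol 203.0.113.22 FAIL
1031 dave 192.0.2.14 FAIL
1034 erin 198.51.100.99 FAIL
1037 frank 203.0.113.40 FAIL
1040 grace 192.0.2.77 FAIL
1042 heidi 198.51.100.3 FAIL
1044 ivan 203.0.113.55 OK
1047 judy 192.0.2.8 FAIL
1049 mallory 198.51.100.61 FAIL
"""
# Constructed contrast case: one client hammering one account (plain brute force),
# which per-IP lockout already handles and which this detector must not match.
BRUTE_LOG = "\n".join(f"{2000 + n} alice 198.51.100.7 FAIL" for n in range(9))

def parse_log(text):
    """Return (timestamp, user, ip, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((int(ts), user, ip, result == "OK"))
    return sorted(events)

def detect_stuffing(events, window=60, min_failures=8, min_ips=5, max_per_user=2):
    """Flag windows with many failures spread over many IPs where no single
    account is tried more than max_per_user times. Successful logins inside a
    flagged window are returned so those accounts can be forced through a reset."""
    alerts, i = [], 0
    while i < len(events):
        start = events[i][0]
        batch = [e for e in events[i:] if e[0] < start + window]
        fails = [e for e in batch if not e[3]]
        ips = {e[2] for e in fails}
        per_user = Counter(e[1] for e in fails)
        if (len(fails) >= min_failures and len(ips) >= min_ips
                and max(per_user.values(), default=0) <= max_per_user):
            alerts.append({"start": start, "failures": len(fails), "distinct_ips": len(ips),
                           "compromised": sorted({e[1] for e in batch if e[3]})})
            i += len(batch)  # window consumed; resume after it
        else:
            i += 1
    return alerts
```

On the constructed sample this yields one alert with nine failures from nine addresses and names alice and ivan as accounts whose passwords evidently matched; the single-IP brute-force log produces no alert, which is the point of requiring address spread rather than just a failure count.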
