Well, they also put your name on their "thank you" page and sent you a nice email! What else could you possibly want?
It might be a multi-million dollar business, but it's not like these hacks can actually cost them millions of dollars. Verizon has had employees giving out personal details to people on the phone for years, and they're still happy to do it even for the director of the CIA: https://www.schneier.com/blog/archives/2015/10/the_doxing_tr...
I think Schneier is arguing that if companies were liable for their disregard of even minimal security standards, they might pay you more to help finding vulnerabilities.
I would also add to this statement that this shouldn't be user's problem, but service problem.
By forcing setting strange passwords services transfer their problem to secure passwords to user's shoulders.
Instead of following shitty password rules in forms, it's better to make it very hard or expensive to brute-force these passwords. So, any heuristics to identify abnormal/dangerous activity and take action to decrease the attacker's chances, like rate limiting/captchas and so on.
* If you see one IP trying to log in with incorrect creds at a really high rate, then it's probably an attack.
* If you see lots of IPs trying to crack a specific user account at the same time, then it's probably an attack.
Instead of that I can see the opposite practice: services set draconian password policies, but just allow requests with incorrect credentials without any limits: "30req/sec? You're welcome, buddy! Need an API maybe?"
I can suspect something like this happened before:
"It looks like a lot of work with rate limiting and all the stuff, let's just force our users to set 10+ character passwords with one+ capital letter, one+ number, one+ special character".
Oh, and in these examples there is usually a cherry on the cake like:
- Dev1: "Let's not allow 2 same characters or 3 characters of same type"
- Dev2: "Let's also force our users to change their passwords every 3 months"
- CEO: "Brilliant ideas! We're secure now!"
These surprises are up to every developer's/other infosec genius's imagination :)
So, my conclusion is that the best security systems should be almost invisible to normal users and leave attackers screaming.
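As an added illustration of the two heuristics in the comment above (this is not part of the original comment), here is a small Python detector run over constructed login-attempt log lines. The log format, the 60-second window and the thresholds are assumptions, not any real service's settings:

```python
"""Added example: the two login-abuse heuristics from the comment above, run
over constructed sample log lines. The log format, the 60 s window and the
thresholds are assumptions, not any real service's settings."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # assumed sliding window
MAX_FAILS_PER_IP = 20            # assumed: more failures than this from one IP in WINDOW
MAX_IPS_PER_USER = 10            # assumed: more distinct IPs than this on one account in WINDOW

def _line(offset, ip, user, result, base=datetime(2015, 10, 20, 10, 0, tzinfo=timezone.utc)):
    """Build one constructed log line at base + offset seconds."""
    return f"{(base + timedelta(seconds=offset)).isoformat()} ip={ip} user={user} result={result}"

# Constructed sample log: one IP hammering 25 accounts, then 12 IPs hitting one
# account, then a legitimate user who mistypes once and then logs in.
SAMPLE_LOG = (
    [_line(i, "198.51.100.7", f"user{i}", "fail") for i in range(25)]
    + [_line(30 + i, f"203.0.113.{i}", "alice", "fail") for i in range(12)]
    + [_line(50, "192.0.2.9", "bob", "fail"), _line(55, "192.0.2.9", "bob", "ok")]
)

def parse(line):
    """Split 'TIMESTAMP ip=... user=... result=...' into a tuple."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"]

def detect(lines):
    """Return (ips_to_rate_limit, accounts_under_attack) for the given log lines."""
    fails_by_ip = defaultdict(deque)   # ip -> timestamps of its recent failures
    ips_by_user = defaultdict(dict)    # user -> {ip: time of its last failure}
    flagged_ips, flagged_users = set(), set()
    for ts, ip, user, result in sorted(parse(l) for l in lines):
        if result != "fail":
            continue
        # heuristic 1: one IP failing at a high rate
        recent = fails_by_ip[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) > MAX_FAILS_PER_IP:
            flagged_ips.add(ip)
        # heuristic 2: many IPs failing against the same account at once
        seen = ips_by_user[user]
        seen[ip] = ts
        for stale in [k for k, t in seen.items() if ts - t > WINDOW]:
            del seen[stale]
        if len(seen) > MAX_IPS_PER_USER:
            flagged_users.add(user)
    return sorted(flagged_ips), sorted(flagged_users)

def response_for(ip, user, flagged_ips, flagged_users):
    """Defensive response for a new attempt: slow a hammering IP down, put a
    challenge in front of a targeted account, otherwise let the request through."""
    if ip in flagged_ips:
        return "rate_limit"
    if user in flagged_users:
        return "captcha"
    return "allow"

if __name__ == "__main__":
    ips, users = detect(SAMPLE_LOG)
    print("rate-limit IPs:", ips, "challenge accounts:", users)
```

The two heuristics respond differently on purpose: a single hammering IP can simply be slowed down, while an account under a distributed attack gets a challenge so the real owner can still log in.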
This is just one of those examples where an experienced freelancer will see an "avoid!" flag for such kinds of clients.
The truth is that places like odesk/up work/anything are just a big market. There are clients willing to hire low-rate developers and micro-manage them, but at the same time there are clients who want to hire top talent from the marketplace to deal with complex tasks and get really top solutions.
Somehow I could find really interesting work in high-load startups with 4M visits/m, OpenSource or even Y-combinator startups with good culture.
To be clear, during ~10 years of experience I was on both sides of the barricades: hiring developers/designers/marketeers and being a software developer/freelancer myself.
So it's just experience that grew into skill after you've had all that shit like non-paying/rude/time-wasting clients and feel how to avoid it.
Officially, the Ukrainian govt calls the Civil War happening in the country an "Anti-Terror Operation". To be clear, rebels occupy a territory of 15K square kilometers with a population of 4M people.
Closing the air space would look like a sign of losing control over the situation in the country from the official govt's side.
So this looks like not "too busy with other things", but more like miserable politics.
Actually, the airspace was closed. Up to 20,000ft, that is. The cruising lanes (10km, 30,000ft) were still open because up to then, the rebels did not have surface-to-air missiles with that range.
Which, of course, is why Russia has been spinning this since day 1. Where did the missile system come from, and who operated it? On that day, both the Russian News and the rebels' twitter account reported downing a (what they thought military) plane. Both items were quickly redacted afterwards.
>the rebels did not have surface-to-air missiles with that range.
they had it since the end of June when the Donetsk BUK battery was captured. Using those BUKs during the first half of July, before MH-17, the rebels downed 2 Ukrainian AN-26 transport planes which were flying at about 7km height, much beyond the reach of MANPADs. MH-17 was flying much further north of the civil corridor and the rebels thought that they got another AN-26.
Thanks for those links, although I can't read the Russian ones. Have any of those hits been confirmed? I believe I read somewhere that the first Antonovs were downed using ATA missiles (read: fighter planes), and only the latest AN26 (the 14th of July) using STA missiles.
>the first Antonovs were downed using ATA missiles (read: fighter planes),
No, the rebels never had such capability, i.e. planes, and Russia didn't venture the planes in.
>although I can't read them
There are also some tweets in English down on the twitter page I linked. Also you can Google translate it. The capture of the BUK systems was well communicated on both sides - in Russian and Ukrainian news at the time, before MH-17. There was also another Ukrainian BUK battery captured in Luhansk, though there weren't many traces of it after that.
This is the BBC http://www.bbc.com/news/world-europe-28299334 on the second AN-26. I remember how in those days we were amused at the stupid propagandist version put forward by Ukraine that it was a SAM from Russian territory - it would have needed at least a C-300/400 missile which would be recorded by all the NATO radars/satellites.
If you don't mind me picking your brain about this, here is what I've been able to find from the DSB report (page 183):
"On 6 June 2014, [..] an Antonov An-30B had been downed using a MANPADS at an altitude of less than 4,500 metres near Slavyansk. On 14 June 2014, [..] a Ukrainian Air Force Ilyushin 76MD had been downed during landing at Luhansk [using a MANPADS]. During the weeks that followed, other incidents occurred in which a helicopter (Mil Mi-8TV, 24 June 2014) and fighter aeroplanes were shot down. On 1 July an attempt was made to down a Su-25 UB and on 2 July 2014 a Su-24 was shot at. Both were allegedly targeted by a MANPADS."
Would you say this information is a fairly complete summary, or have there been more (unconfirmed) shootings?
"On 14 July, three days prior to the crash of flight MH17, a Ukrainian Air Force transport aeroplane, an Antonov An-26, was downed in the Luhansk region, [..] was flying at an altitude of 6,500 metres when it was hit [..] according to the Ukrainian authorities the aircraft must have been hit by a ‘more powerful weapon’ than a MANPADS.
The Ukrainian government assumed two possibilities: a modern anti-aircraft system ‘Pantsir’ or an ‘X-24 Air-to-air missile’. The authorities assumed that it was a weapon fired from the Russian Federation, because the armed groups would not have such weapons."
I'm curious about the Ukrainian response here. Did they not consider the possibility that the rebel forces would be able to operate their BUK, or was it willfully ignored?
>Would you say this information is a fairly complete summary, or have there been more (unconfirmed) shootings?
the list is a bit short, and if you look at page 182 of the report (or Wikipedia https://en.wikipedia.org/wiki/List_of_Ukrainian_aircraft_los...) you'll see 2 Su-25 shot down on July 16. One of them was shot down at 6-8 km altitude. This time Ukraine blamed a Russian plane (which was never sighted, nor attacked anything else, nor left any other traces, nor were there any other signs of Russian planes in other situations/places. To compare - we know that Russia helped rebels with tanks and soldiers as there is ample evidence of this. You can't hide planes in the age of smartphones/YouTube/twitter/etc - all the aspects of this war are very well documented there).
>I'm curious about the Ukrainian response here. Did they not consider the possibility that the rebel forces would be able to operate their BUK, or was it willfully ignored?
it was the issue of propaganda and responsibility (imagine yourself as an officer in the chain of command related to the captured BUKs). 2/3 of their Navy switched allegiance to Russia. Other regular forces also didn't have much enthusiasm for fighting. Ukraine claimed that the captured BUK systems were made non-operational before being captured. Which as far as I know - my general understanding of the situation and various sources I've read - is just not true.
Exactly. Up to the date of the accident with Malaysian MH17, rebels shot down a few Ukrainian military airplanes with shoulder-launched man-portable air-defense like SA-18 Grouse and SA-14 Gremlin. The Ukrainian government did not expect Russia to provide the rebels with a "Buk" (SA-11 Gadfly), which is a totally different thing: a battery of vehicles including a standalone target acquisition radar, rocket launcher, transporter/erector, and command vehicle. Obviously "Buk" has a higher range.
But it should work well even for small startups/companies.
Owning infrastructure as code, where you can control everything and tie together monitoring/configuration management/issue creation/ChatOps/auto-remediation, is a really powerful thing.
I've worked with multiple services in multiple teams where upstream fixes take a while and meanwhile devs and ops people get paged like crazy for a diagnosed and remediable problem. Agreed that the logrotate config needs to be fixed for this case, but it is only a simple demo for auto-remediation. For years, Cassandra dead node replacement has been a 6-step manual process. You'd think upstream should be fixed, but unfortunately not. So StackStorm fills the gap between what is ideal and what is running in production. Usually, there is a gap. See http://docs.datastax.com/en/cassandra/2.0/cassandra/operatio... vs https://stackstorm.com/2015/09/22/auto-remediating-bad-hosts.... That is just another example.
It's not only about that; cleaning logs is just a simple example. The main big thing is IF-Then-Else, and it's up to you to choose what you put after that IF.
Things like:
* Building fully automated and really complex CI/CD workflows from several tools
* Do something with your AWS or RackSpace clusters based on monitoring event from NewRelic, Sensu, Nagios
* Automatic node replacement in cluster, migrating MySQL master (sleep well!)
* Security automation, based on detecting erroneous events and automatically freezing account/activity and then notifying human about the incident
* Create JIRA issue as part of Workflow, kind of detailed report after some action being done
* Listen for new events/changes in Trello/Kafka/GitHub/RabbitMQ/anything even Twitter and trigger an action
* Folks are even using it for Smart Home Automation
* ChatOps thing: obtain info about your infrastructure from Chat or trigger your favorite CM tool: Puppet, Chef, Ansible, Salt.
Most probably anyone can imagine lots of use cases with their favorite DevOps tools, how to tie them together.
Let's scrutinize. And please do challenge and point out what still feels wrong.
* First, a library of scripts (actions), a shared one. Each action is atomic, Linux style, doing one thing well. A common pattern in ops. Now with CLI, API and UI. Feels right so far?
* Second, combine these actions, building blocks, into workflows (a workflow is an action comprising actions). Why not a script? a) transparency of state (it ran 3 steps and failed on the 4th) b) reliability, like 'restart workflow from a point of failure' c) carrying data - scripts pipe strings, workflows pipe JSON.
* Add ChatOps. Any of these actions or workflows exposed in any chat with a couple of lines of meta. And any events sent to chat with rules.
Good things begin to happen here, even before wiring events with actions. Shared context, integrations, quickly building more actions from existing actions, full audit...
* now, add IFTTT - firing these actions on events. Quite a lot of cases fall into this.
It's a challenge to single out one use case. A trivialized example, like log-file delete, is dismissed as a "bandaid". Complex examples are domain specific and harder to grasp. We think we are onto something here. We think it's not a bandaid, it's glue. Needed in many cases.
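To make the "transparency of state" and "restart from a point of failure" points above concrete (and the IF-Then-Else automation in the earlier comment), here is a toy workflow runner in Python. It is an added example written for this page, not StackStorm's own code; the actions, the host and service names and the one transient failure are all constructed:

```python
"""Added example: a minimal workflow runner in the spirit of the comment above.
Actions are atomic functions that take and return JSON-shaped dicts, the runner
records the state of every step, and a failed run can be resumed from the step
that failed. Hypothetical actions and data; not StackStorm's code."""
import json

class ActionFailed(Exception):
    """Raised by an action that could not complete."""

# --- atomic actions: each takes the accumulated context, returns new keys ---
def check_disk(ctx):
    # constructed measurement; a real action would call df or a monitoring API
    return {"disk_used_pct": 93, "host": ctx["host"]}

def clean_old_logs(ctx):
    # the IF: only free space when the check said the disk is nearly full
    if ctx["disk_used_pct"] < 90:
        return {"freed_mb": 0}
    return {"freed_mb": 2048}

def restart_service(ctx):
    # constructed transient failure: the first attempt times out, the retry works
    if ctx["attempt"] == 1:
        raise ActionFailed("service manager timed out")
    return {"restarted": ctx["service"]}

def open_ticket(ctx):
    # would create a JIRA issue; here it just builds the report body
    return {"ticket": f"{ctx['host']}: freed {ctx['freed_mb']} MB, restarted {ctx['restarted']}"}

WORKFLOW = [check_disk, clean_old_logs, restart_service, open_ticket]

def run(workflow, params, state=None):
    """Run the workflow. `state` is the JSON-serialisable record of a previous
    attempt; when given, succeeded steps are kept and the run resumes after them."""
    if state is None:
        state = {"status": "running", "attempt": 0, "steps": [], "context": dict(params)}
    state["steps"] = [s for s in state["steps"] if s["status"] == "succeeded"]
    state["attempt"] += 1
    state["context"]["attempt"] = state["attempt"]
    state["status"] = "running"
    for action in workflow[len(state["steps"]):]:
        try:
            out = action(state["context"])
        except ActionFailed as e:
            state["steps"].append({"name": action.__name__, "status": "failed", "error": str(e)})
            state["status"] = "failed"
            return state          # stop here; the record shows exactly where
        state["context"].update(out)   # workflows pipe JSON, not strings
        state["steps"].append({"name": action.__name__, "status": "succeeded", "output": out})
    state["status"] = "succeeded"
    return state

def failed_step(state):
    """Name of the step that failed, or None."""
    return next((s["name"] for s in state["steps"] if s["status"] == "failed"), None)

def resume(workflow, state):
    """Round-trip the state through JSON (as a real engine would persist it) and retry."""
    return run(workflow, {}, state=json.loads(json.dumps(state)))

if __name__ == "__main__":
    first = run(WORKFLOW, {"host": "web-03", "service": "nginx"})
    print(first["status"], "at", failed_step(first))          # failed at restart_service
    second = resume(WORKFLOW, first)
    print(second["status"], second["context"]["ticket"])
```

The point of the per-step records is that the second run does not repeat `check_disk` or `clean_old_logs`; it picks up at `restart_service` with the earlier outputs still in the context, which is what a plain shell script cannot give you.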
There is an extension to override/inject CSS for specific domains: https://addons.mozilla.org/en-US/firefox/addon/stylish/
Old styles can be grabbed from: https://github.com/rreusser/the-old-github-font/blob/master/...
After applying the following config: http://i.imgur.com/hGffN8I.png the GitHub look is back to normal.