Yellow Dog Linux

[aguilarojo]

P. S.: Aaaaargh!!! And again, in the post above - a link seems to be removed!

Just go to that Slashdot link

I thought it would be useful to present a different argument regarding the PS3, the attacks on Sony, the threat and theft of personal financial data of Sony consumers, and remind participants in this thread that one of Sony's concerns was security after they changed management. Of course, it reasonable to debate whether Sony should have made the management and policy decisions but their stated concern regarding security was made public many years ago. It may be argued that they should have done things differently -- there is probably a lot of agreement there.

However, let's not get confused in assuming or believing that those engaged in cybercrimes are well-intended altruists who do no harm and target only corporate entities. Cybercriminals are targeting every consumer of any company and the financial standing of families who did nothing more than purchase a PS3 or other device are all not only under threat, their financial data has already been stolen and utilized for fraudulent purchases.

There exists a new means of attack which only a few are prepared to resist and that is the strategy currently increasing as a fad in cybercrime identity theft of consumers via their smartphones/smartcomputers by manipulating weaknesses of jailbroken computers. You can read more from a recognized security expert, Dave Jevans, discussing the problem here. Please read and consider the last sentence of that article carefully. Jailbroken systems whether they be smartphones, PS3s or something else become the new vectors of cybercrime which consumers cannot control because by definition the whole principle of jailbreaking means superceding the design parameters of the computer, which also means that essentially the consumer has now opened him/herself to become vulnerable to all aspects of cybercrime as well as volunteered his/her system to become either a vector or botnet infecting others who interact with those jailbroken systems.

I suggest that it is time to do some serious thinking regarding what a person is exposing themselves and their associates and their families to as well.

[Gogeden]

P. S.: Aaaaargh!!! And again, in the post above - a link seems to be removed!

Just go to that Slashdot link

I thought it would be useful to present a different argument regarding the PS3, the attacks on Sony, the threat and theft of personal financial data of Sony consumers, and remind participants in this thread that one of Sony's concerns was security after they changed management. Of course, it reasonable to debate whether Sony should have made the management and policy decisions but their stated concern regarding security was made public many years ago. It may be argued that they should have done things differently -- there is probably a lot of agreement there.

However, let's not get confused in assuming or believing that those engaged in cybercrimes are well-intended altruists who do no harm and target only corporate entities. Cybercriminals are targeting every consumer of any company and the financial standing of families who did nothing more than purchase a PS3 or other device are all not only under threat, their financial data has already been stolen and utilized for fraudulent purchases.

There exists a new means of attack which only a few are prepared to resist and that is the strategy currently increasing as a fad in cybercrime identity theft of consumers via their smartphones/smartcomputers by manipulating weaknesses of jailbroken computers. You can read more from a recognized security expert, Dave Jevans, discussing the problem here. Please read and consider the last sentence of that article carefully. Jailbroken systems whether they be smartphones, PS3s or something else become the new vectors of cybercrime which consumers cannot control because by definition the whole principle of jailbreaking means superceding the design parameters of the computer, which also means that essentially the consumer has now opened him/herself to become vulnerable to all aspects of cybercrime as well as volunteered his/her system to become either a vector or botnet infecting others who interact with those jailbroken systems.

I suggest that it is time to do some serious thinking regarding what a person is exposing themselves and their associates and their families to as well.

Yeah. I get that. But speaking for myself and only myself, I wanted to break my PS3 open to run Boinc. To use it as a mindless slave for crunching numbers. I find it foolish to even consider putting one's personal data such as credit card numbers into a system such as the Playstation 3. But what about the companies behind the hardware? Couldn't employees of no morale work their way in too? Most likely. I refuse to think that not ONE employee of Sony has never passed his way in without permission or even have thought of breaking into a PS3 to get some credit card information. Take it all with a pinch of salt. No such thing as perfect security nor shalt there ever exist such a thing.

[Gogeden]

P. S.: Aaaaargh!!! And again, in the post above - a link seems to be removed!

Just go to that Slashdot link

I thought it would be useful to present a different argument regarding the PS3, the attacks on Sony, the threat and theft of personal financial data of Sony consumers, and remind participants in this thread that one of Sony's concerns was security after they changed management. Of course, it reasonable to debate whether Sony should have made the management and policy decisions but their stated concern regarding security was made public many years ago. It may be argued that they should have done things differently -- there is probably a lot of agreement there.

However, let's not get confused in assuming or believing that those engaged in cybercrimes are well-intended altruists who do no harm and target only corporate entities. Cybercriminals are targeting every consumer of any company and the financial standing of families who did nothing more than purchase a PS3 or other device are all not only under threat, their financial data has already been stolen and utilized for fraudulent purchases.

There exists a new means of attack which only a few are prepared to resist and that is the strategy currently increasing as a fad in cybercrime identity theft of consumers via their smartphones/smartcomputers by manipulating weaknesses of jailbroken computers. You can read more from a recognized security expert, Dave Jevans, discussing the problem here. Please read and consider the last sentence of that article carefully. Jailbroken systems whether they be smartphones, PS3s or something else become the new vectors of cybercrime which consumers cannot control because by definition the whole principle of jailbreaking means superceding the design parameters of the computer, which also means that essentially the consumer has now opened him/herself to become vulnerable to all aspects of cybercrime as well as volunteered his/her system to become either a vector or botnet infecting others who interact with those jailbroken systems.

I suggest that it is time to do some serious thinking regarding what a person is exposing themselves and their associates and their families to as well.

Also, I stopped reading that article once it said "Consumers". Completely turned me off. I have ways to prevent my most valuable data from theft: Stand alone computer that is not hooked up to the network of my home, running FreeBSD

[aguilarojo]

...

Yeah. I get that. But speaking for myself and only myself, I wanted to break my PS3 open to run Boinc. To use it as a mindless slave for crunching numbers. I find it foolish to even consider putting one's personal data such as credit card numbers into a system such as the Playstation 3.

I understand your wish regarding running BOINC on the PS3, however the problem which has become well documented by cyber-security professionals is a little different than what you imagined. The difficulty is not that credit card numbers are being stored on the PS3 itself but because a PS3 or computer-smartphone has been jailbroken these devices are vulnerable to being manipulated by cybercriminals who exploit/take advantage of the weaknesses of the system which did not exist until the consumer/user jailbroke his/her own system such that when the user accesses their bank accounts or visits say amazon.com to make a purchase -- all that information can be utilized/stolen/copied to discover and determine not only who the individual is but their entire financial presence and activity -- no matter where it is or what they've done. Once this information is stolen it is usually sold online to other criminal enterprises for their own uses and your financial life or identity will never recover because you will be responsible for all purchases under your codes, passwords, etc. and you'd have to be working full-time for years just to prove that these fradulent purchases were not you. Likewise for your friends, associates and other contacts with whom you may send regular or occassional emails to or even tweet or instant message with; they also end up on the same lists of criminal nets for the same reason -- they knew or corresponded with your jailbroken system.

Jailbroken systems, unlike conventional systems cannot be protected because by definition they are functioning in ways the manufacturer never designed or intended. As a result, should financial losses result such that transactions are tracked down to you by government or financial agencies (banks, investment houses, etc.) with your name or a family member -- in some states and countries then you alone are liable for all transactions. There is another nasty side-effect to all this usually the person who jailbroke their system to say run BOINC or something else, usually doesn't have the skill to repair the damage to their system, find and remove root-kits, etc. Cybercriminals rely upon that weakness and utilize that fact to their advantage as well. Unfortunately, there are millions of victims all on the hook for criminal activity they may not have perhaps caused, but they cannot prove that they did not as their electronic signature( from their accounts) reveal them as the actual perpetrators.

But what about the companies behind the hardware? Couldn't employees of no morale work their way in too? Most likely.

It is true that companies have been vulnerable to the criminal activities engaged upon by their own employees. Companies have to engage upon reasonable defensive measures to protect their business and customers. Of course, it would be nice if human beings would just behave and cooperate in fair ways with their employers but while happily many people are decent history has demonstrated that not everyone is therefore different companies engage upon different internal security procedure to that purpose.

I refuse to think that not ONE employee of Sony has never passed his way in without permission or even have thought of breaking into a PS3 to get some credit card information. Take it all with a pinch of salt. No such thing as perfect security nor shalt there ever exist such a thing.

Again the credit or other financial information is rarely on the system itself, however every jailbroken system no longer behaves as designed by any manufacturer or designer. Jailbroken systems don't interact normally with any other software which the manufacturer designed in the same way, if at all. Root-kits, worms, trojans and other malware "step-in" to capture what messages are sent from the jailbroken system and feed it to botnets and other malware also listening to such data packets which no longer "make sense" to normal software or the jailbroken software communicates at a level which is below or underneath the operational limits of what "normal" software is supposed to share. Again in such a setting, the problem is what network is that jailbroken system on?

Here's a scenario: Let's say you got your PS3 working running BOINC. You know that YDL and other LInux systems also run wireless and bluetooth; let's say that it's not encrypted. You get a call on your iPhone or Android and start to chat. Let's say your smartphone is jailbroken to run some app you like. Here's what has happened to others in a very similar manner: The jailbroken phone not only communicates with you and your associate it also logs your respective identities by cross-referencing online botnets which also act to triangulate information regarding what you and your associate accessed/called or interacted with AND binds with any computer nearby (bluetooth and other unencrypted wireless communications being all so friendly) acquiring information queried by the botnet and so on. This all happens in picoseconds.

Again, your computer may be living on it's own, but you don't. You do use a cell/smartphone of some type? Well, then you've a nightmare of a problem, along with all the rest of us. Even if you had utilized military grade encryption say to defend your USB drive, or you utilize a drive which self-encrypts -- all of it becomes useless because you've jailbroken either your computer or/and your cell/smartphone.

[aguilarojo]

...
Also, I stopped reading that article once it said "Consumers". Completely turned me off.

Understood. I really didn't enjoy writing that information anyway. I know all too well that most people can't or won't do the work to defend themselves or others. Sad, but true. I posted what I could as my personal effort to educate YDL Board community members. I've had some amazing opportunities to work with different "flavors" of Unix, as a programmer/System Administrator, across the years since the 70's. I know how to "lock down" servers for large complex systems, and understand well the effort required to defend the system one is responsible for. It's interesting of course, but it isn't the kind of fun many would consider partaking of - just as there are those who wouldn't enjoy exploring the mathematics of fractals.

I have ways to prevent my most valuable data from theft: Stand alone computer that is not hooked up to the network of my home, running FreeBSD

As I explained by discussing a scenario which in fact has happened to very many people. I won't bother to refer to the published professional white-papers discussing the analysis of cybercrimes and vulnerabilities within VOIP, etc. This is not that venue. It is enough that you understand, given how smartcomputers/smartphones work that we are way past that stage where any computer is truly stand alone, unless your computer is an analog system. I came across an article which I shared within a link which I posted elsewhere on the YDL Board which may suggest vulnerabilities within BSD/FreeBSD as well. The problem is not simple as the Linux kernel in this scenario is the problem. You are on your own in drilling down to discover whether the Linux kernel used in BSD is a problem. Here's the link which I posted within the YDL Board, make sure to drill through the story to determine if your BSD system is affected. Apple's is, so your's could be as well.

Have fun.

[Gogeden]

...
Also, I stopped reading that article once it said "Consumers". Completely turned me off.

Understood. I really didn't enjoy writing that information anyway. I know all too well that most people can't or won't do the work to defend themselves or others. Sad, but true. I posted what I could as my personal effort to educate YDL Board community members. I've had some amazing opportunities to work with different "flavors" of Unix, as a programmer/System Administrator, across the years since the 70's. I know how to "lock down" servers for large complex systems, and understand well the effort required to defend the system one is responsible for. It's interesting of course, but it isn't the kind of fun many would consider partaking of - just as there are those who wouldn't enjoy exploring the mathematics of fractals.

I have ways to prevent my most valuable data from theft: Stand alone computer that is not hooked up to the network of my home, running FreeBSD

As I explained by discussing a scenario which in fact has happened to very many people. I won't bother to refer to the published professional white-papers discussing the analysis of cybercrimes and vulnerabilities within VOIP, etc. This is not that venue. It is enough that you understand, given how smartcomputers/smartphones work that we are way past that stage where any computer is truly stand alone, unless your computer is an analog system. I came across an article which I shared within a link which I posted elsewhere on the YDL Board which may suggest vulnerabilities within BSD/FreeBSD as well. The problem is not simple as the Linux kernel in this scenario is the problem. You are on your own in drilling down to discover whether the Linux kernel used in BSD is a problem. Here's the link which I posted within the YDL Board, make sure to drill through the story to determine if your BSD system is affected. Apple's is, so your's could be as well.

Have fun.

I spoke of that article in the link you posted Not what you typed.

[Gogeden]

Forgot to mention. I understand completely what you're getting at. I already had this in mind before I installed the Custom Firmware. I live out in the boonies so I guess that's a plus for security in a sense. I just set up our router for WPA2 encryption. I originally wanted to set up a machine that had pfSense on it and use it as a firewall. Unfortunately we have DSL so it's difficult to do.

Thank you for adding more to my knowledge. Your sharing is greatly appreciated to me

[aguilarojo]

Forgot to mention. I understand completely what you're getting at. I already had this in mind before I installed the Custom Firmware. I live out in the boonies so I guess that's a plus for security in a sense. I just set up our router for WPA2 encryption. I originally wanted to set up a machine that had pfSense on it and use it as a firewall. Unfortunately we have DSL so it's difficult to do.

Thank you for adding more to my knowledge. Your sharing is greatly appreciated to me

No problem. Given what's going on with the Internet, little of which is good with all the malware running throughout it -- anyone regardless of their experience can easily be caught unaware. We all have to keep flexible in our learning.

Unfortunately WPA2 encryption is getting rather old as a wireless defense protocol. If you follow the advice as posted by US-CERT (review their links) you should be relatively secure. Advice: don't rely on your distance from civilization to protect your data. Advice 2: don't use WEP at all. Software exists which can crack it very quickly as modern computers are more powerful than they used to be several years ago.

WPA2 makes things harder, but that will be quickly surpassed as publicly available CPU cores increase from 4 to 16+ cores. There are laptops which are available currently which have at least 6 cores. For simplicity it is reasonable to consider one core equivalent to one computer which existed perhaps several years ago. A one core CPU would take forever to crack WPA2; anyone can do the math to understand that at 4 and higher core CPU would make encryption systems which worked for one core systems irrelevant.

Remember also that the cybercriminals also have the same technology which means something a bit more threatening that everyone should consider. The PS3 has 8 cores, considering that newer Intel CPUs have 6+ cores the advantage the Cell had is fast disappearing as months pass.

The situation for everyone is just as wild as the Old Wild West ever was, modern weapons however are one's technical research skills and technical training across several scientific fields combined with the ability to comprehend technical work in other languages. Stiff requirements no matter who one is.

Oddly enough the best defense might be to acquire old PowerPC systems and/or continue to run your PS3 using YDL. The malware available in the wild cannot run on PowerPC systems because their executables are designed to run on Intel CPUs. Oddly as the community of PowerPC users get even smaller, their systems also become more difficult to penetrate because the knowledge set required to penetrate older PowerPCs becomes more esoteric. Strange, but true.

By the way, just as a means of pointing out another means of acquiring malware this time regardless whether one's system is jailbroken or not, there now also exists the means to infect your desktop/laptop/tablet and smartphone computer through your browser's search engine.

All the best...

[ppietro]

P. S. to the admins: You are deleting pretty much of the stuff (web addresses etc.) what other people are posting. Are you sure the United States (where this board is based) are still the land of the free? At least the freedom of speech seems to be totally down.

The United States also honors copyright law:

http://en.wikipedia.org/wiki/Copyright

Copyright is a set of exclusive rights granted to the author or creator of an original work, including the right to copy, distribute and adapt the work. In most jurisdictions copyright arises upon fixation and does not need to be registered. Copyright owners have the exclusive statutory right to exercise control over copying and other exploitation of the works for a specific period of time, after which the work is said to enter the public domain.

Basically - if I write something and obtain copyright, then only I can determine how that work is used, until the copyright expires.

Now - this was easy to understand in the days of printed books. You copy my book without asking me - you break my copyright - end of story. But - in this digital age, how do we interpret issues of copyright?

Well - for better or worse - the U.S. has established a law called the Digital Millennium Copyright Act - also known as the DMCA - to deal with digital copyright issues.

A discussion of the DMCA is beyond the scope of this forum - it is a very complex and far reaching law. However, a quick summary can be found here:

http://en.wikipedia.org/wiki/Digital_Mi ... yright_Act

As for why we proactively delete, the way it works is like this.

According to the US government, http://www.copyright.gov/title17/92chap12.html#1201

Violations Regarding Circumvention of Technological Measures. — (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title.

If we post any information that can be used to circumvent protected works, we can be held liable under the DMCA. The DMCA does provide a "safe harbor" exemption for websites hosted in the US, under the DMCA Title II. This is listed here:

http://en.wikipedia.org/wiki/Online_Cop ... tation_Act

Specifically:

Section 512(c) applies to OSPs that store infringing material. In addition to the two general requirements that OSPs comply with standard technical measures and remove repeat infringers, § 512(c) also requires that the OSP: 1) not receive a financial benefit directly attributable to the infringing activity, 2) not be aware of the presence of infringing material or know any facts or circumstances that would make infringing material apparent, and 3) upon receiving notice from copyright owners or their agents, act expeditiously to remove the purported infringing material.

It's number 2 that we're concerned with here. It is my understanding that we would be considered an OSP - an "online service provider".

I agree - we've been pretty proactive about deleting stuff. But based on the current legal climate of the United States right now, it's probably better for us to delete too much than not enough.

Also - one additional thing to consider is that, although billb and myself are the moderators you run into the most here, we're not the only moderators. Fixstars/TerraSoft Solutions is ultimately responsible for this board and may exercise their own editorial decisions, without notifying billb or myself.

Cheers,
Paul

[vesh]

Hey guys haven't posted here in a while and not bothered reading through the pages of long posts haha so I'll just ask a simple question. What's the latest with OtherOS situation and do the chances of it coming back look any better?

[billb]

Hey guys haven't posted here in a while and not bothered reading through the pages of long posts haha so I'll just ask a simple question. What's the latest with OtherOS situation and do the chances of it coming back look any better?

Officially? I don't think OtherOS will be coming back -- I'm sure Sony has their hands full at the moment.

Unofficially, I believe there currently may be a solution referred to as "OtherOS++" if your PS3 is at firmware 3.55 or earlier. There are reportedly some compatibility issues with certain models and the whole process appears somewhat complicated, so be careful.

[vesh]

Damn ah k thanks for the reply

[ppietro]

Hi everyone,

Well - I debated where to put this post - but I figured the most people are following this thread. Also, based on recent discussions here, it is appropriate - so here goes.

My credit card data has been hijacked.

I don't want to go into too much detail yet - at least until I talk to the local police, my bank and to Sony - but the card that I used on PSN/Qriocity has been compromised, my bank tagged it for fraud and contacted me, and I've shut it off before any real damage has occurred. (Hopefully - *crosses fingers*)

I will keep all of you posted - but based on what happened to me - I would suggest that if you've entered credit card information in PSN/Qriocity in the last few months - say to auto-fill your wallet - that you keep an eye on your bank statements and consider getting a replacement card.

One way to tell if you have a credit card at risk is by examining the e-mails Sony sends you when you fill your wallet. Look for e-mails with the subject "Funds have been added to your wallet" from an e-mail address "DoNotReply@ac.playstation.net"; in that e-mail will be the last four digits of the credit card that Sony has on file.

There's a possibility that it's an unrelated hijacking. There's been some pretty sophisticated credit card hacking up here in Seattle. See here: http://seattletimes.nwsource.com/html/l ... ud06m.html I can't say for certain how they got the info - but I am suspicious about the timing of this event.

So - yeah - there it is. Like I said - I'll keep you posted.

Cheers,
Paul

[aguilarojo]

...
My credit card data has been hijacked.

I don't want to go into too much detail yet - at least until I talk to the local police, my bank and to Sony - but the card that I used on PSN/Qriocity has been compromised, my bank tagged it for fraud and contacted me, and I've shut it off before any real damage has occurred. (Hopefully - *crosses fingers*)...

So - yeah - there it is. Like I said - I'll keep you posted.

Cheers,
Paul

I'm deeply sorry this attack happened to you, or anyone. I'm not familiar with all the particulars but there is a technological approach your bank can apply which would benefit you as their customer; you can read more about it here. The technology is offered to banks directly, so the best approach would be to inform the bank of this technological option which would benefit bank customers. I have no further details regarding this product other than the link I shared.

As for the damage done and what strategies you may be able to employ I already commented earlier one approach which you should investigate especially as you are now a victim. You removed the links on that discussion which I posted because it came too close to being an ad. Anyway you know who that other company is and can query them regarding their services as well as recommendations regarding how you should proceed.

I sincerely hope that a successful and speedy resolution is achieved for you and all the other victims.

By the way Sony is not helping you, there has been a third breach.

I'm sincerely sorry.

[STEFANOVIC]

Wow shocking news there indeed thanks for posting, this is the first incident Ive heard that could be related the the breach. Very worried now going to double check my statements etc just in case I missed anything minor.