<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Dave -<div><br></div><div>I agree NYT was playing with fire - but they stuck to their journalistic mission.</div><div>Maybe they have factored in the risk of being a continuous target of the countries and organizations they report on.</div><div><br></div><div>The password problem, on the other hand, is really frustrating.</div><div>Why Why Why with mobile phones, tiny dongles etc. are we STILL using passwords everywhere.</div><div>I used to be able to get by with 3-5 passwords, now I have to have a different password on every account.</div><div>(Thank goodness for keeper)</div><div><br></div><div>We really have come to the point of absurdity with passwords. So, on that topic, does anyone in this esteemed group have an opinion about OpenID providers?</div><div>I'm looking to pay for my OpenID, I don't want to be dependent on a google or aol.</div><div><br></div><div><br></div><div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Charisse Castagnoli</div><div><a href="mailto:charisse@charissec.com">charisse@charissec.com</a></div><div><br></div><div><br></div><div><br></div></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
<br><div><div>On Feb 1, 2013, at 4:19 PM, Dave Aitel wrote:</div><br class="Apple-interchange-newline"><div>So one thing I think is interesting is that New York Times story.<br><br>Here's how it goes, in bullet points:<br>1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch<br>their network"<br>2. AT&T sees something, so NYT calls in Mandiant<br>3. Mandiant and NYT let the Chinese hack things and watch them while<br>they penetrate into the domain controller and lots of other machines.<br>4. Article about this comes out on <a href="http://NYT.com">NYT.com</a>, calling out the Chinese.<br><br>So, as far as I can tell from their article, the Chinese have all the<br>passwords for every NYT employee. This sounds like something that is not<br>good for NYT employees who may reuse their passwords elsewhere, even if<br>they're changed now.<br><br>Likewise, it seems like at any time the Chinese could have turned off<br>the domain controller. That would probably have had significant<br>downsides for NYT, to say the least. Here's why they didn't: Their<br>policy did not let them. But that doesn't ameliorate all the risk, as<br>even hackers make typos...<br><br>In other words, playing games with hackers on your network for a story<br>is a fundamentally bad idea. Because at some point, you're going to find<br>a contractor who screws up and doesn't follow their own policy (or can't<br>type) and it's going to take down your whole business.<br><br>-dave<br><br>-- <br>INFILTRATE - the world's best offensive information security conference.<br>April 2013 in Miami Beach<br><a href="http://www.infiltratecon.com">www.infiltratecon.com</a><br><br><br>_______________________________________________<br>Dailydave mailing list<br>Dailydave@lists.immunityinc.com<br>https://lists.immunityinc.com/mailman/listinfo/dailydave<br></div></div><br></div></body></html>