[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."

Posts

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    I was just thinking of comparing to the previous most publicly visible breach, but you're absolutely right.

    It's more like ten or twenty orders of magnitude. Not even the same universe level of magnitude.

  • LostNinja Registered User regular
    This isn't relevant to the larger Equifax discussion, but even so I had to share it somewhere, because...

    Holy cripes on toast, how are they so BAD at this?!
    Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

    It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

    ...

    But wait, it gets worse. From the main page of the Equifax.com.ar employee portal was a listing of some 715 pages worth of complaints and disputes filed by Argentinians who had at one point over the past decade contacted Equifax via fax, phone or email to dispute issues with their credit reports. The site also lists each person’s DNI — the Argentinian equivalent of the Social Security number — again, in plain text. All told, this section of the employee portal included more than 14,000 such records.

    In the past, the largest unit of measurement for a security fuckup used to be the "Sony".

    An "Equifax" is easily two or three orders of magnitude larger than a "Sony".

    That's it, I'm done. Every single senior chucklefuck running this company needs to be in jail. They are being willfully negligent with people's PII.

    Hearing that it was that bad there also convinces me that we need some sort of federal oversight over how companies that possess people's personal data protect it. I mean pop-in visits to examine their security, akin to an OSHA inspector stopping by a worksite.

  • LD50 Registered User regular
    Really there is no reason that the same regulations we use to protect people's medical data shouldn't be applied to any kind of sensitive personal information.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    LD50 wrote: »
    Really there is no reason that the same regulations we use to protect people's medical data shouldn't be applied to any kind of sensitive personal information.

    This also applies to information such as that Google or Facebook has on us.

  • LD50 Registered User regular
    Orca wrote: »
    LD50 wrote: »
    Really there is no reason that the same regulations we use to protect people's medical data shouldn't be applied to any kind of sensitive personal information.

    This also applies to information such as that Google or Facebook has on us.

    While I agree with you, I think there is also this to consider:

    Google and Facebook don't actually know a lot of this information. Google has never asked for my social security number. It only knows my credit card number because I wanted to buy stuff with them and their services are perfectly usable without ever giving them a card number. Google doesn't know anything about my bank accounts.

    I do think that companies like Google should be held to data protection standards, but it's less important than for companies like Equifax whose entire business model revolves around information sensitive enough to destroy someone's life.

  • Mugsley (Delaware) Registered User regular
    LD50 wrote: »
    Really there is no reason that the same regulations we use to protect people's medical data shouldn't be applied to any kind of sensitive personal information.

    I seem to recall people being up-in-arms about 8-10 years ago about some issues at the VA regarding security of medical records. And yet, this shit still happens.

  • bowen (How you doin'?) Registered User regular
    edited September 2017
    HIPAA and HITECH basically only require "best efforts" for securing data.

    Which Equifax probably was at least using (HTTPS in this case).

    Equifax's problem was using unpatched software, which allowed exploitation. If they didn't patch it because they didn't want to invest the huge amount of resources to do so, that is a HIPAA violation.

    If they didn't patch it because they didn't know it was patched yet, then HIPAA really has no teeth there.

    I'm going to level with you guys, 2 months isn't really a big time frame for unpatched software either. This is actually the first time I'm hearing of this struts bug from apache, and I'm usually on top of shit (like heartbleed). So there's a good chance it wasn't really a hugely publicized thing, and likely not their fault.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Heatwave (Come, now, and walk the path of explosions with me!) Registered User regular
    I have about 80 days left of my Kaspersky Internet Security subscription. Looking at other paid alternatives.

    I'd honestly prefer to remain with this product as it's been pretty easy to use and served its purpose, but there's been a lot of discussions about it potentially being compromised.

    After comparing them on Av-test.org, I'm currently leaning toward Avira and Bitdefender.

    Last year I encountered a really infected PC and the only free software that worked was Avira free, so I have some experience with them. I remember it not being as easy to use though, but this was only the free version.

    Haven't tried Bitdefender.

    Steam / Origin & Wii U: Heatwave111 / FC: 4227-1965-3206 / Battle.net: Heatwave#11356
  • VoodooV Registered User regular
    All these security standards like CIS, PCI, and HIPAA are meaningless without continuous enforcement and you actually have to have management commitment for that. It's a level of diligence very few people want to do because it's about as close as you can get to paranoia, and of course, it's expensive to maintain that level. Even if you do maintain that level of commitment, you can STILL get hacked through zero-day exploits or insider threats. There is no guarantee. So it should be no surprise that lax security and unpatched software is the rule, not the exception.

    I've assisted with writing policies for my agency that lay out these kinds of standards, but it's depressing because I know we will never have that kind of executive buy-in. Sure, we got a policy that says that we will retire products when they fall out of support. Doesn't mean we actually do it. It's simply not enforced by anyone with any sort of authority. We have people in supervisory positions who are openly defiant towards security standards, so they're certainly not going to direct their staff to make security a priority.

    One of the main things I see, at least in my state is that we have security officers. I work under the security officer for my agency, and we have a security officer for the state. But they simply have no authority. I did hear of one state that made their CISO have authority over the entire state IT services, but I forget which state it was and I have no idea how it's working out for them.

    I remember seeing a bunch of Apache struts entries in the US-CERT vulnerability bulletins I subscribe to, but since we don't use it, it's off my radar screen. Those vulnerability summaries are super valuable to me since it's where I learn about most of our vulnerabilities, getting people to patch the ones I'm not responsible for, that's another story.

  • SiliconStew Registered User regular
    As you say, if you can afford it, having something like a Qualys appliance in-house that can run continuous automated vulnerability scans on everything for you would be pretty nice.

    Just remember that half the people you meet are below average intelligence.
  • Roe (Always to the East) Registered User regular
    Kaspersky: Good? Bad? The company was in the news because people thought their anti virus program was data mining for Russia. I use their program myself and find it satisfactory.

    I really don't want to stop using their anti-virus, but I was wondering if you guys thought they were actually collecting data for Russia or not.

  • NEO|Phyte (They follow the stars, bound together. Strands in a braid till the end.) Registered User regular
    As I understand it, the problem isn't that they have been, but that there is functionally nothing they can do if Russia tells them to start.

    It was that somehow, from within the derelict-horror, they had learned a way to see inside an ugly, broken thing... And take away its pain.
    Warframe/Steam: NFyt
  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    edited September 2017
    Yeah. For personal use I mostly didn't like it because it became so bloated with crap that could negatively impact your ability to go to legitimate websites like, you know, Google. Safe Money is the big offender here. Also the way they force installed their VPN software and then tried to get people to pay for it after with scare messages was pretty bullshit.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • bowen (How you doin'?) Registered User regular
    kaspersky is a bad antivirus in general, better than symantec, I suppose in terms of speed, but leaves one too exposed to rogue elements like that

    I'd recommend just using MSE in windows, with MBAM.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Gear Girl (More class than a state university) Registered User regular
    So can you not install MBAM now without it forcing the premium trial on you?

  • Mr_Rose (83 Blue Ridge Protects the Holy) Registered User regular
    There’s no switch to turn it off at install but you can deactivate it within the program easily enough.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • Synthesis (Honda Today!) Registered User regular
    edited September 2017
    Roe wrote: »
    Kaspersky: Good? Bad? The company was in the news because people thought their anti virus program was data mining for Russia. I use their program myself and find it satisfactory.

    I really don't want to stop using their anti-virus, but I was wondering if you guys thought they were actually collecting data for Russia or not.

    I'm definitely not an expert, but I believe no more than T-Mobile is collecting my cell phone usage for the United States. Which in retrospect...is not a great sign, is it?

    That aside, I find it fine: mostly I like how insanely, ridiculously comprehensive the threat exclusion, containment, memory and CPU usage, and protocol settings are, even if they are very intimidating at first. Also weirdly some AV clients are missing the "Shut off when done" option--Kaspersky lost it a version ago, then brought it back. I don't use any of their internet browsing or connection software options, though their firewall is pretty non-intrusive for everything that wasn't World of Warships.

    I've never encountered a threat missed--if anything, I'd say it's overzealous, which can get you acquainted to the exclusion system--but that's assuming I'm competent enough to realize if it did miss a threat (for my level of risk, I feel I am). Were something ESET not twice the price, I would switch over to that if I had any second thoughts...but KIS is consistently a lot cheaper, which does matter when Windows 10 has a widely-used free option available.

    EDIT: Checking now, I have 188 days left on my subscription--I don't plan to stop using it as it stands, though I could be proven wrong (likewise, I'm sure T-Mobile or Charter could convince me to stop using them with certain news). Come to think of it, I remember reading on Ars Technica about Kaspersky surrendering information to the FBI at its behest, so I'm not super bullish about them either in that area.

  • LostNinja Registered User regular
    Synthesis wrote: »
    Roe wrote: »
    Kaspersky: Good? Bad? The company was in the news because people thought their anti virus program was data mining for Russia. I use their program myself and find it satisfactory.

    I really don't want to stop using their anti-virus, but I was wondering if you guys thought they were actually collecting data for Russia or not.

    I'm definitely not an expert, but I believe no more than T-Mobile is collecting my cell phone usage for the United States. Which in retrospect...is not a great sign, is it?

    That aside, I find it fine: mostly I like how insanely, ridiculously comprehensive the threat exclusion, containment, memory and CPU usage, and protocol settings are, even if they are very intimidating at first. Also weirdly some AV clients are missing the "Shut off when done" option--Kaspersky lost it a version ago, then brought it back. I don't use any of their internet browsing or connection software options, though their firewall is pretty non-intrusive for everything that wasn't World of Warships.

    I've never encountered a threat missed--if anything, I'd say it's overzealous, which can get you acquainted to the exclusion system--but that's assuming I'm competent enough to realize if it did miss a threat (for my level of risk, I feel I am). Were something ESET not twice the price, I would switch over to that if I had any second thoughts...but KIS is consistently a lot cheaper, which does matter when Windows 10 has a widely-used free option available.

    EDIT: Checking now, I have 188 days left on my subscription--I don't plan to stop using it as it stands, though I could be proven wrong (likewise, I'm sure T-Mobile or Charter could convince me to stop using them with certain news). Come to think of it, I remember reading on Ars Technica about Kaspersky surrendering information to the FBI at its behest, so I'm not super bullish about them either in that area.

    Wasn't there actually an FBI raid?

    I'm sort of in the same boat. I'm using it and like it, and would prefer to not have to drop it since I renewed a multi-year license not too long ago.

  • Heatwave (Come, now, and walk the path of explosions with me!) Registered User regular
    Kaspersky seems to perform a bit better than Avira and Bitdefender according to the last tests on Av-test.org (May/June).

    I still have about 78 days left of my KIS subscription so I'm in no hurry to change.

    Steam / Origin & Wii U: Heatwave111 / FC: 4227-1965-3206 / Battle.net: Heatwave#11356
  • Synthesis (Honda Today!) Registered User regular
    edited September 2017
    LostNinja wrote: »
    Synthesis wrote: »
    Roe wrote: »
    Kaspersky: Good? Bad? The company was in the news because people thought their anti virus program was data mining for Russia. I use their program myself and find it satisfactory.

    I really don't want to stop using their anti-virus, but I was wondering if you guys thought they were actually collecting data for Russia or not.

    I'm definitely not an expert, but I believe no more than T-Mobile is collecting my cell phone usage for the United States. Which in retrospect...is not a great sign, is it?

    That aside, I find it fine: mostly I like how insanely, ridiculously comprehensive the threat exclusion, containment, memory and CPU usage, and protocol settings are, even if they are very intimidating at first. Also weirdly some AV clients are missing the "Shut off when done" option--Kaspersky lost it a version ago, then brought it back. I don't use any of their internet browsing or connection software options, though their firewall is pretty non-intrusive for everything that wasn't World of Warships.

    I've never encountered a threat missed--if anything, I'd say it's overzealous, which can get you acquainted to the exclusion system--but that's assuming I'm competent enough to realize if it did miss a threat (for my level of risk, I feel I am). Were something ESET not twice the price, I would switch over to that if I had any second thoughts...but KIS is consistently a lot cheaper, which does matter when Windows 10 has a widely-used free option available.

    EDIT: Checking now, I have 188 days left on my subscription--I don't plan to stop using it as it stands, though I could be proven wrong (likewise, I'm sure T-Mobile or Charter could convince me to stop using them with certain news). Come to think of it, I remember reading on Ars Technica about Kaspersky surrendering information to the FBI at its behest, so I'm not super bullish about them either in that area.

    Wasn't there actually an FBI raid?

    I'm sort of in the same boat. I'm using it and like it, and would prefer to not have to drop it since I renewed a multi-year license not too long ago.

    I think I would remember an FBI raid--emphasis on think, if only because those are pretty distinct words. Or I completely missed it. Checking it out, I'm pretty sure what I was thinking of was an Ars Technica article that mentioned the company furnishing the FBI with their information on a botnet as an explanation of why a Kaspersky tech, Ruslan Stoyanov, was arrested along with two FSB personnel on suspicions of treason. Ars Technica's theory sounds rather dumb, but a world less dumb than the aluminum foil-hat grade theory that Stoyanov was somehow revealing how the Russian government hacked voting machines in November that apparently also gained traction at the time. I've often said that American news is famously incompetent in its purely-foreign affairs coverage, and no offense to Ars Technica, I still read them, but the US media has had some really stupid explanations for criminal prosecution of well-known corporations in Russia (see back when the Presidential Office publicly scolded Roskosmos for wasteful mismanagement and corruption--over here, media companies framed it as "Government fundamentalists hope to dismantle brave scientific institution", Christ). Editorial bullshit gets passed off as fact because it happened far away--that's an international news complaint, not a software security complaint though (guess which one I have a lot more experience with).

    I really don't remember an FBI raid as such. But I do remember when the FBI started interviewing Kaspersky employees in the lead up to this rejection order--does that count? Even if it doesn't, that doesn't really upend the very clear stance the US government has taken against the company. I mean, I certainly trust the United States government to act in its own interest, at least in the area of security--I just don't see my own security concerns being all that equivalent to the United States government. In a way, whatever privacy concerns I might have are probably a lot more relevant to America than Russia seeing how I'm a foreign national living approximately 8000 kilometers from Russian territory in American territory. And I don't imagine that's all that relevant to people without family overseas or who do have a world of security concerns I'd have trouble imagining. Maybe dropping Kaspersky is the way to go, though from a malware, adware and virus standpoint, it seems a little late. I'd say a better reason would be that you don't think it's worth the $15 when Windows Defender is free, were the expiration coming up. That's why I don't spend the $40 for ESET, despite how much superior it's supposed to be.

    If I did have anything to hide, I certainly wouldn't contact family overseas via any American company, by virtue of having read a newspaper in the last 5 years.

    Good thing I don't.

    Time to update my FB status! :+1:

  • Synthesis (Honda Today!) Registered User regular
    Heatwave wrote: »
    Kaspersky seems to perform a bit better than Avira and Bitdefender according to the last tests on Av-test.org (May/June).

    I still have about 78 days left of my KIS subscription so I'm in no hurry to change.

    Interesting results--in June for Windows 10 anyway, they were very bullish on Kaspersky next to Windows Defender. I got KIS back in Windows 8.1 when the PA Computer Security thread was generally down on MSE (as it was still called back then) and wanted a cheaper alternative to ESET Nod32, and people spoke very highly of Kaspersky (which I barely knew about). I just kept using them since then, as their UI gradually got less infuriating, and their performance became a lot better overall for gaming--I've never had Kaspersky slow down performance while running yet. Though there was a while where it would literally take +10 hours for Kaspersky to scan a 4 TB drive full of drive images and back up data and still not finish. They fixed that at some point at least.

  • thatassemblyguy (Janitor of Technical Debt) Registered User regular
    According to Talos (Cisco) some recent versions of CCleaner have been compromised:
    In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018.

    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

  • Synthesis (Honda Today!) Registered User regular
    According to Talos (Cisco) some recent versions of CCleaner have been compromised:
    In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018.

    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

    ....son of a bitch. I have that release installed (except the 64-bit version). I don't have the registry entries that the malware compares time to (at least, I don't see them), or stores your system information in.

    All the same, damn it.

  • Heatwave (Come, now, and walk the path of explosions with me!) Registered User regular
    I full scanned my computer using KIS earlier today. Didn't notice if it removed any malware. A bit worried now as I occasionally use CCleaner.

    Steam / Origin & Wii U: Heatwave111 / FC: 4227-1965-3206 / Battle.net: Heatwave#11356
  • Xeddicus Registered User regular
    I just today finally updated from 5.30 to 5.34, so looks like I dodged a bullet.

  • Synthesis (Honda Today!) Registered User regular
    I've been only 64-bit for CCleaner for a while now--and the malware seems exclusive to the 32-bit, which is something you sometimes see. Maybe I narrowly dodged this one.

  • TelMarine Registered User regular
    It's gotten to the point where it seems we have to scan or check every installer we download, even if it came from a legit source.

    3ds: 4983-4935-4575
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    Holy shit, this malware was distributed by legit servers to previously installed versions.

    Like, this isn't a case of someone downloading a rogue executable from a misleading website, or a software repository website being compromised. This is literally "click update, get infected".

    That's kind of terrifying.

    With all the gaps and holes in server software that's come to light recently, as well as all the negligence associated with server upkeep, I have to wonder if CCleaner is the only software at risk here.

  • Darkewolfe Registered User regular
    TelMarine wrote: »
    It's gotten to the point where it seems we have to scan or check every installer we download, even if it came from a legit source.

    While I do check hashes on downloads, if the actual source providing the installer bundled the malware deliberately or through oversight, even verifying the hash isn't going to help since it's there on purpose.

    What is this I don't even.
  • bowen (How you doin'?) Registered User regular
    I'm personally a fan of open source code specifically because of this shit now.

    Way too much is hidden behind the scenes.

    An open source antivirus would likely be exploitable in different ways though, but at least the anti-virus wouldn't target you to distribute malware.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • thatassemblyguy (Janitor of Technical Debt) Registered User regular
    edited September 2017
    bowen wrote: »
    I'm personally a fan of open source code specifically because of this shit now.

    Way too much is hidden behind the scenes.

    An open source antivirus would likely be exploitable in different ways though, but at least the anti-virus wouldn't target you to distribute malware.

    I've got some bad news for you, Bowen:

    https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

    Granted, it's not 100% the same thing.

  • Synthesis (Honda Today!) Registered User regular
    Yeah, even as a layperson I can recall times where malicious code/malware/whatever got into an open source database for some period--long enough to do damage, sometimes.

    You just needed the right combination of popularity, simplicity of initial software (and the alteration), and something that is generally trusted. Sure it'll get corrected--so will this CCleaner mess--but the damage is already done.

  • bowen (How you doin'?) Registered User regular
    bowen wrote: »
    I'm personally a fan of open source code specifically because of this shit now.

    Way too much is hidden behind the scenes.

    An open source antivirus would likely be exploitable in different ways though, but at least the anti-virus wouldn't target you to distribute malware.

    I've got some bad news for you, Bowen:

    https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

    Granted, it's not 100% the same thing.

    I mean, yes, but now imagine it sits unnoticed for several months and then suddenly all your shit gets exposed because a private company thought they were too good to patch something.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • LD50 Registered User regular
    Holy shit, this malware was distributed by legit servers to previously installed versions.

    Like, this isn't a case of someone downloading a rogue executable from a misleading website, or a software repository website being compromised. This is literally "click update, get infected".

    That's kind of terrifying.

    With all the gaps and holes in server software that's come to light recently, as well as all the negligence associated with server upkeep, I have to wonder if CCleaner is the only software at risk here.

    It's absolutely not. Earlier this year there was one of the bigger repository sites that was compromised and a lot of the stuff they distributed was malicious until it was caught.

  • TelMarine Registered User regular
    Darkewolfe wrote: »
    TelMarine wrote: »
    It's gotten to the point where it seems we have to scan or check every installer we download, even if it came from a legit source.

    While I do check hashes on downloads, if the actual source providing the installer bundled the malware deliberately or through oversight, even verifying the hash isn't going to help since it's there on purpose.

    Not just the hash, using an anti-virus scan (on Windows at least). This even happened to Arch Linux I believe and some freeware bit torrent client which I forget the name of now, Transmission?

    3ds: 4983-4935-4575
  • dylman Registered User regular
    Yeah, Transmission on the Mac has been compromised at least once, possibly twice I think.

  • LD50 Registered User regular
    qbittorrent got hit also I think, and paint.net. Both from a legitimate host being compromised.

  • templewulf (The Team Chump, USA) Registered User regular
    templewulf wrote: »
    templewulf wrote: »
    Would backup, sync, and off-site cloud storage be under the purview of the security thread? I didn't find any other threads on the topic.

    For the interested:
    I'm looking to get a cloud backup service. I haven't gotten one before, so I'm wondering what kinds of systems people have set up for different needs. In list form:
    1. I'm backing up a few large projects (mainly 2d game projects)
    2. But it's mostly documents, photos, Steam saves, and smaller web dev projects. Nothing huge like movies.
    3. I don't currently need to back up my wife's computer (she mostly has her stuff backed up on github), but having the option without needing an account upgrade would be helpful
    4. I have a few files I would like to sync between devices (like OBS settings)
    5. File versioning is not necessary, but it would be a big plus.
    6. My target is a 5USD / month backup solution supplemented with whatever free solutions I need, but I could consider up to 10USD / month for a more convenient all-in-one system.

    I'm assuming the best arrangement would be to have a local backup from our laptops and other devices to the HTPC, then use something like Backblaze to take the off-site backup of those folders.

    Edit: mega bonus points for clients that can handle cloud backup, sync, and local backup all in one.

    Thoughts? Recommendations?

    I touch on some of the companies in the spoiler.
    Since crashplan is pulling out of the consumer market, either BackBlaze or Carbonite.

    Similarities:
    • Both will encrypt locally and transmit.
    • Both do 'cloud' back-up and sync from a single node really well.
    • Both are about USD$4.50 to USD$5.00 per month.
    • Both provide a decent UX on the local node, and at their website.
    • Neither of these companies provides a local syncing platform because their business model is per-node. You'll have to set cron jobs or scheduled tasks, or use some open source data syncer, to move the data off of the laptops and other devices to the HTPC.

    Differences (these are ones that I think are important, your needs might not align with mine):
    • Encryption
      To provide cloud access through their websites, the private key (used to encrypt locally before transmitting) is stored on their server, as well as on the node. This means that the private key was transmitted at some point during setup. This is a point of failure for any of the services that want to let you access your data on their remote server as it creates a chance for a bad actor to siphon your key when it is transmitted.

      The difference is in how they let you take control of the key management process:
      Carbonite will give you the option to manage your keys locally, meaning they're not transmitted to the Carbonite servers. The downside is that if you lose this key, there is literally nothing, short of a catastrophic breach of the encryption algorithm, that Carbonite can do to decrypt your data. This is helpful with minimizing the impact of well-funded actors getting your stuff.

      Backblaze lets you enter a passphrase (password) that is then used to encrypt the key. This is less ideal because you still have to transmit something across the internet. In this case, you're transmitting two things so the odds go down, but it's likely not going to be as secure as just not transmitting the key at all.
    • Back-Up Defaults
      BackBlaze will back-up everything with a few pre-defined exclusions. This is great if you don't want to always manage the folders that get backed up. However it means you'll have to manage the folders you don't want backed up (e.g., the telemetry data that windows 10 generates in AppData/Local, AppData/Roaming, Program Data/, or other caches; think firefox browsing caches, even when in private-mode).

      Carbonite seems to take the opposite approach and only backs up folders that were selected for backup. This is great if you don't want unintentional usage data about you existing on yet another server, but it's very sad if you forgot to whitelist a folder or folders from an application you just installed.

    As always, none of these back-up services are doing data corruption detection/correction - these services are only for catastrophic device failure. If you're paranoid about bit-rot of your files, you'll need to have yet another piece of software that, at a minimum, runs bit-flip detection (checksum) so you can be warned early enough to restore a corrupted file from back-up before the corrupted file becomes the only backed up copy.

    Yeah, I had heard about CrashPlan withdrawing, but that was the number one on basically every list, so I'm grateful to hear about the others.

    If I understand you correctly, are you saying that they don't do local backups as well as cloud backups? That's a bummer, I think that was one of the big positives for CrashPlan.

    It seems like with their exit, my situation now is to assemble three different software suites: data sync (Google Drive), LAN backup (Windows Backup & Restore), and cloud backup (Backblaze). Does that sound about right?

    What about cases in which a hard drive fails, will a service like Backblaze or Carbonite start sending nonsense or even deleting old data? Will it notify me? Can I roll it back and restore it like a source control system?

    I think I'm going to give Google's new Backup And Sync a try. They have a $2/mo for 100GB plan, and the new application can back up folders outside the primary Google Drive sync folder.

    https://lifehacker.com/google-drive-is-dead-heres-what-you-need-to-know-1802109518

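The bit-rot warning in the quoted post (a backup service faithfully copies a silently corrupted file, and eventually the corrupted copy is the only one left) is the kind of thing you want a small tool for, not a habit. The following is an added example, not code from the thread or from Backblaze, Carbonite or any other vendor: it keeps a JSON manifest of SHA-256 digest, size and mtime for every file under a directory, and on each later run flags files whose hash changed while size and mtime did not, which is the signature of silent corruption rather than of an ordinary edit. The manifest path, the `check` / `compare` function names and the "refuse to refresh the manifest while something looks corrupted" policy are all this example's own choices.

```python
"""Checksum manifest for silent-corruption (bit-rot) detection.

Added example; not code from the forum thread or from any backup vendor.
Records SHA-256 + size + mtime per file, then reports files whose digest
changed while size and mtime stayed the same (suspected bit-rot) separately
from files that were legitimately edited (size or mtime moved too).
"""
import hashlib
import json
import os
from dataclasses import dataclass, field
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large project files are not loaded whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its digest, size and mtime."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    Path(out).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


@dataclass
class Report:
    corrupted: list = field(default_factory=list)  # hash changed, size and mtime unchanged
    modified: list = field(default_factory=list)   # hash changed along with size or mtime
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)

    def ok(self) -> bool:
        return not self.corrupted


def compare(old: dict, new: dict) -> Report:
    """Classify every difference between a stored manifest and a fresh scan."""
    r = Report()
    for rel, entry in new.items():
        prev = old.get(rel)
        if prev is None:
            r.added.append(rel)
        elif entry["sha256"] != prev["sha256"]:
            meta_unchanged = (entry["size"] == prev["size"]
                              and entry["mtime_ns"] == prev["mtime_ns"])
            (r.corrupted if meta_unchanged else r.modified).append(rel)
    r.removed.extend(sorted(set(old) - set(new)))
    return r


def check(root: Path, manifest_path: Path) -> Report:
    """One verification run. The manifest is refreshed only when nothing looks
    corrupted, so the known-good digest of a damaged file survives until you
    have restored that file from backup (policy chosen for this example)."""
    current = build_manifest(root)
    manifest_path = Path(manifest_path)
    if not manifest_path.exists():
        save_manifest(current, manifest_path)
        return Report(added=sorted(current))
    report = compare(load_manifest(manifest_path), current)
    if report.ok():
        save_manifest(current, manifest_path)
    return report


if __name__ == "__main__":
    import sys
    rep = check(Path(sys.argv[1]), Path(sys.argv[2]))
    print(f"corrupted={rep.corrupted} modified={rep.modified} "
          f"added={rep.added} removed={rep.removed}")
    sys.exit(0 if rep.ok() else 1)
```

Run it from a scheduled task before the backup client's nightly window (`python bitrot_check.py /path/to/tree /path/outside/tree/manifest.json`), and keep the manifest outside the tree it describes so it is not scanned as part of it. A non-zero exit means "restore from backup before that copy rotates out", which is exactly the early warning the post is asking for; the tool does no correction itself, it only makes the corruption visible while a good copy still exists.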
    Carpy Registered User regular
    bowen wrote: »
    bowen wrote: »
    I'm personally a fan of open source code specifically because of this shit now.

    Way too much is hidden behind the scenes.

    An open source antivirus would likely be exploitable in different ways though, but at least the anti-virus wouldn't target you to distribute malware.

    I've got some bad news for you, Bowen:

    https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

    Granted, it's not 100% the same thing.

    I mean, yes, but now imagine it sits unnoticed for several months and then suddenly all your shit gets exposed because a private company thought they were too good to patch something.

    Wasn't that basically what happened with the Juniper hack last year? Except hardware instead of software.

    bowen How you doin'? Registered User regular
    Probably!

    It's certainly what happened to Equifax!
