Real-Time Keyloggers
The NY Times has a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified. Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted: "By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."
Real Time? (Score:5, Funny)
My Windoze apps at work don't even respond in real time. Maybe the trojan provides a free performance boost?
Re: (Score:2)
Go into Task Manager.
Select program you want to run in real time
Right click and "go to process"
Right click and "set priority"
Choose real time.
Easy. I do this for Windows Media Player since it eliminates annoying lags while watching the pro....er, downloaded movies.
Re:Real Time? (Score:5, Funny)
I understand, it's embarrassing to admit to watching professional wrestling...
Re: (Score:2)
Well, lubrication does often make things go faster...
Re: (Score:2)
and *synthetic* lubrication has the reputation to make things go even faster...
Ribbed (Score:4, Funny)
Thwarted by properly designed online banking (Score:5, Informative)
Again, a proper banking system like my bank uses
- a one time pad for logging on
- another set of codes, from which one is picked randomly, to confirm transfers
The one time pad means they can't open a second session. Even if they could hijack the session I've opened they can't transfer money without my explicitly authorizing each transfer by entering the second code.
Re: (Score:3, Insightful)
Nobody can expect good security if the user doesn't watch out and double checks what's happening. The attack you're talking of could very well be done to a poor old lady paying her bills for the month i
Re:Thwarted by properly designed online banking (Score:4, Interesting)
The one time pad means they can't open a second session.
RSA secure-id keys are single-use too. They roll every minute but they also roll on every successful use.
Re: (Score:2)
For starters, I don't think they roll on success (how would the device know, by the way?). -- Disclaimer: I'm holding one in my hand right now, so I'm pretty sure. ;-)
But even if they would: the legitimate user would not be able to know the difference between a failure due to making a typo and a failure due to some hacker beating him to the line. So he'd assume the former and simply try again, not understanding that someone else is active at the same time. Providing such a false sense of security, doesn't
Re:Thwarted by properly designed online banking (Score:5, Informative)
For starters, I don't think they roll on success (how would the device know, by the way?).
The server enforces it. You can't authenticate multiple times with the same token. The server returns an "already used" code if it was recently used. I know this because I've written software that uses RSA's secure-id toolkit.
But even if they would: the legitimate user would not be able to know the difference between a failure due to making a typo and a failure due to some hacker beating him to the line.
Again, see the point above about return values from the server side. The application may choose to report this information directly to the user or simply flag it for the security team to investigate further. I prefer the latter because false positives are going to be pretty rare unless the client software is broken in other ways.
Re:Thwarted by properly designed online banking (Score:5, Insightful)
I work for RSA and you are absolutely correct. Attempting to authenticate twice with the same tokencode will automatically yield a rejection.
I believe the idea of this "real-time application" is that they see you typing in your passcode and zap that code into the authentication system before you do. The success of this hack is predicated on the notion that they are watching with bated anticipation, ready to spring into action the exact moment you sign into your online bank.
The chance of this actually occurring is highly remote, to say the least. The technique of racing ahead of a potential 2-factor authentication is compelling in theory, but of little practical use. If they're going to get into your bank, it has nothing to do with "defeating" Securid (or any other one-time display mechanism).
Suffice to say, this story is bunk.
Re: (Score:2)
The success of this hack is predicated on the notion that they are watching with bated anticipation, ready to spring into action the exact moment you sign into your online bank. The chance of this actually occurring is highly remote, to say the least.
(Emphasis mine).
Well, if a background process would be waiting with baited anticipation, and would create a valid login and then sit back, the hacker would have 20 minutes (or whatever the server-side determined session timeout) to get to his terminal and use the open, authenticated session.
Where I think this totally fails, is that my bank uses two-factor authentication for logging in as well as for doing an actual transfer. This is where the hack fails for such systems: it depends on letting the user creat
Re: (Score:2)
Or have an automated system waiting to do the same. It's not hard to automate logging in to a website and clicking "transfer funds".
Re: (Score:2, Interesting)
An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction.
No need to carry a one-time pad around or a special code generator
Re:Thwarted by properly designed online banking (Score:4, Interesting)
An alternative used by at least one bank in Australia is that when you request a transaction they send an SMS to your pre-authenticated mobile number detailing the transaction, i.e. who to and how much, and giving an authorisation code that you then enter. That code only authorises that specific transaction.
That's common in Europe too. But the result has been that hacking SMS in various [softpedia.com] ways has become of great interest to thieves. If they don't already exist, you can count on seeing Java trojans for cell phones that silently forward SMS too.
Re: (Score:2)
Not that easy to do silently, as in Australia and Europe SMSs cost the sender, not the receiver. At AU$0.25 per SMS this will be noticed easily by even the dumbest of phone users. It will take one case in front of the TIO (Telecommunications Industry Ombudsman) for telcos to block SMS forwarding altogether, despite the fact the telco will likely win in front of the TIO (virus is on the client
Re: (Score:2)
A properly designed security system fails gracefully by limiting the knowledge available at *every* step of the game.
Let's make a few assumptions:
1) The bank has a password generator. It's a simple key/value randomizer. It's very, very secure.
2) The end user has a cell phone. It may or may not be hacked.
3) The end user is attempting to get money or do something with the bank. It might be on a computer, or it might be a credit payment machine at a grocery store. The device can be reliably tracked (EG: IP add
Re:Thwarted by properly designed online banking (Score:5, Informative)
The article focuses on RSA's SecurID, but one of the main drawbacks of RSA's SecurID is that it is only time based. Other companies also use event-counters, which means that you can't actually replay the attack.
The parent is right (and I should know, I deploy these solutions): most serious banks will use OTPs (One Time Passwords) for the initial log-on, but then require Challenge-Responses to sign the transactions (the website provides a challenge, which can be a completely random number, or based on a number of variables: amount, target account, etc.; this challenge is provided to the token (stupidly named "gadget" in the summary), and it spits out a response). This can be verified by the server.
OTPs have always had this flaw, and this really isn't any news. I've heard of attacks where real-time keyloggers would interrupt the network connection (wifi, ethernet, whatever) on a software/OS level temporarily (I assume by refreshing the DHCP bumf) so as to allow the attacker to use the OTP.
However, this can be easily thwarted.
Any good Authentication Server will provide the option to use seeded authentication, and even though this doesn't apply to OTPs (most OTP algorithms actually include clock counter (and event counter if it is implemented, not RSA's case) related information in the OTP, hence the whole OTP is required for authentication), it does apply to Memorable Data. For example, 2nd and 8th character of your secret passcode. Or for example, even better: multiply the 4th digit of your OTP with the 6th digit of your secret passcode. (OTP still required to be input completely). Yeah sure, given sufficient time, the attacker should be able to know what your passcode is, but heck, that's going to require quite some effort.
Wikipedia has a bit of a section about the MITM attacks vulnerabilities of OTPs (even though it is right in SecurID's article [wikipedia.org], it doesn't apply to them alone, but to the concept as a whole). The main issue, however, with RSA's implementation isn't necessarily the MITM attack, but quite simply, stealing the token. It doesn't have a PIN code, heck, it even just shows the code the whole time (last one I checked did this), and I could read the number right off my friend's keychain.
Also, let us not forget that a one-time attack (which again, shouldn't be much of an issue if banks have a good solution that requires CRs for each transaction) on an account really isn't a big deal. It's a One-Time Password. It's only valid once. After he's visited the account, and seen the balance, that's about as far as he's going to go.
Nothing to see here, please move along. If anything, this is just going to drive our business a bit.
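An added example (not code from any of the posters or from RSA) that works through the two controls this thread keeps returning to: the server-side "already used" rejection of a replayed login tokencode described a few comments up, and the per-transaction challenge-response signing described in this comment. The token seed, account names and HOTP-style counter scheme are constructed for the demo; the 6- and 8-digit truncation follows RFC 4226.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed; a real token's seed is provisioned to the token and the
# bank's authentication server and never appears in application code.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-token"

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a fixed number of decimal digits."""
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % (10 ** digits):0{digits}d}"

def tokencode(seed: bytes, counter: int) -> str:
    """Event-counter (HOTP-style) 6-digit login OTP; each counter value is usable once."""
    return _truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest(), 6)

def challenge_response(seed: bytes, challenge: str) -> str:
    """What the user's token computes when the bank's challenge is keyed into it.
    The challenge embeds amount and destination, so the response fits only that transfer."""
    return _truncate(hmac.new(seed, challenge.encode(), hashlib.sha1).digest(), 8)

class AuthServer:
    """Bank side: single-use OTP login plus per-transaction challenge-response."""

    LOOKAHEAD = 5  # unused counters ahead of the last accepted one that we tolerate

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.last_counter = -1      # highest counter accepted so far
        self.sessions: set[str] = set()
        self.pending: dict[str, tuple[str, int, str]] = {}

    def login(self, code: str) -> tuple[str, str | None]:
        # Fresh counters are accepted and advance the high-water mark.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.LOOKAHEAD):
            if hmac.compare_digest(tokencode(self.seed, c), code):
                self.last_counter = c
                sid = secrets.token_hex(8)
                self.sessions.add(sid)
                return "OK", sid
        # A code matching an already-consumed counter is a replay: reject it and
        # return a distinct status the bank can route to its fraud team.
        for c in range(0, self.last_counter + 1):
            if hmac.compare_digest(tokencode(self.seed, c), code):
                return "ALREADY_USED", None
        return "INVALID", None

    def begin_transfer(self, sid: str, amount_cents: int, dest_account: str) -> str | None:
        if sid not in self.sessions:
            return None
        nonce = secrets.token_hex(4)
        self.pending[nonce] = (sid, amount_cents, dest_account)
        # The challenge shown to the user names the amount and destination, so a
        # trojan that rewrites the request also changes what the user is asked to sign.
        return f"{amount_cents}|{dest_account}|{nonce}"

    def confirm_transfer(self, sid: str, challenge: str, response: str) -> str:
        try:
            amount, dest, nonce = challenge.split("|")
        except ValueError:
            return "REJECTED"
        rec = self.pending.pop(nonce, None)  # each challenge is answerable once
        if rec is None or rec != (sid, int(amount), dest):
            return "REJECTED"
        expected = challenge_response(self.seed, challenge)
        return "APPROVED" if hmac.compare_digest(expected, response) else "REJECTED"

def demo() -> dict[str, str]:
    """Walk through the thread's scenarios; returns the server's verdict for each."""
    bank = AuthServer(TOKEN_SEED)
    results = {}
    login_code = tokencode(TOKEN_SEED, 0)   # what the user types (and a keylogger sees)
    status, sid = bank.login(login_code)
    results["user_login"] = status                          # OK
    results["replayed_login"] = bank.login(login_code)[0]   # ALREADY_USED
    # Legitimate transfer: the user feeds the displayed challenge into the token.
    ch = bank.begin_transfer(sid, 12500, "ACCT-CONSTRUCTED-PAYEE")
    results["user_transfer"] = bank.confirm_transfer(sid, ch, challenge_response(TOKEN_SEED, ch))
    # Hijacked session: a transfer to another account can be started, but the only
    # response available is the one captured for the earlier challenge, which does not fit.
    ch_other = bank.begin_transfer(sid, 12500, "ACCT-CONSTRUCTED-MULE")
    results["hijacked_transfer"] = bank.confirm_transfer(sid, ch_other, challenge_response(TOKEN_SEED, ch))
    # Replaying the user's own approved challenge/response pair fails too: the nonce is spent.
    results["replayed_transfer"] = bank.confirm_transfer(sid, ch, challenge_response(TOKEN_SEED, ch))
    return results
```

Calling `demo()` returns OK, ALREADY_USED, APPROVED, REJECTED, REJECTED for the five scenarios in order; the one thing the code cannot model is the user reading the destination off the token display and refusing to key in a challenge for an account they do not recognise.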
Re: (Score:2)
I can only speak to the RSA authentication I use, but once a 6-digit password has been used, it cannot be used a second time. This feature is enforced server-side and is especially annoying if you need to authenticate multiple times because each remote application (email, timecard, etc.) requires a separate authentication.
Moreover, at least in this instance, the SecurID password must be combin
Re: (Score:2, Insightful)
Also, I never intended to say that Authentication Servers implementing SecurID weren't able to counter replay attacks (this is a base functionality); I was merely stating that it didn't use event-counters to calculate the OTP. Other vendors provide this functionality, and this enhances security, as instead of havi
Re: (Score:2)
You have to have the money in your account in the first place.... Most banks are pretty good at making sure that requirement is upheld. Sorry if it messes up your plans.
Re: (Score:2)
The one time pad means they can't open a second session.
No, it means you can't open a second session. You never posted your login, because they control the vertical and the horizontal. Although the transfer confirmation code should stop 'em, one hopes.
Re: (Score:2)
Pff, that's nothing. My bank system is much safer.
It demands a password.
It demands the code from a one time pad.
It demands a confirmation of the full detailed transaction.
As the transaction surpasses a certain amount it asks you to physically go to the bank.
You then get to the bank, to assure the bank director you do want to make the payment.
From that point, the information required depends on your skill convincing the bank director that you actually do want to buy diamonds through "THA INTARWEBS!" and that
Re: (Score:2)
Did you even read the summary? They are intercepting authentication attempts and using the one time password (not "pad," you ninny).
I'm not feeling the menace (Score:2)
The technique menaces the 2-factor authentication that some banks have instituted:
Sure, they could intercept my login, but that would get them nothing. A new token is required for each and every transaction once logged in. I suppose they could try to add an emulation layer of sorts for the entire bank site, but that starts to become a lot of work with a lot of opportunity to notice something strange going on.
And? (Score:2)
Does it really matter? If they have access to your PC, why on Earth is this an issue anyway? Two-factor authentication or not, they have *ACCESS* to your Visa numbers, Amazon account, bank details (if you pay some bills online by direct transfer etc.). What the things *do* once they are on your machine is irrelevant. How they got there and finding them is infinitely more important.
Time for a secured endpoint like IBM's ZTIC? (Score:3, Interesting)
I wonder if the next step will be a dedicated hardware device such as IBM's ZTIC, where one does their transaction confirming on a closed secure device. This way, even though the consumer's PC may be compromised, an attacker trying to run transactions would be stopped when there is no device confirming the transaction.
Of course, there are always issues like spamming the user with bogus transactions, or compromise the hardware device. However, it is a lot harder to compromise a hardware device than a generic PC which has to parse/execute/render untrusted code from the Internet on a common basis.
Exactly right. (Score:3, Insightful)
How many of these stories do we have to see before people wake up and realize that the login and security method is irrelevant if the OS itself is compromised?
Re: (Score:2)
I already do this basically. I have an encrypted OS on a USB key that I boot from when I want to do online banking, and in that OS image I do ONLY banking, no other websites of any kind. It's Linux and its firewall is on, auto-updates/etc. are off. Nothing short of a full BIOS virus running a VM emulator can get at me, that or a hardware key logger. And that's unlikely, because I generally use a disused PC at work that has no hdd/os (spare in the corner of the equipment room), or a spare system at home
Re: (Score:3, Insightful)
Long term, what comes to my mind for secure transactions would be placing a hypervisor at the BIOS level, and having a hardened OS dedicated for banking and other items. Then having an OS in another VM for general stuff (gaming, /., etc.)
Of course, there are five issues with putting hypervisors in every PC out there:
1: The hypervisor needs to be hardened. By default, these have a smaller attack surface than an OS, but there are ways to get around its protection. If malware in an untrusted partition is a
Run a Virtual Machine (Score:2)
And browse / log in using the VM. Done.
Doesn't work (Score:2)
VMs can break into their host machine.
Read the paper presented at the recent BlackHat Conference.
Re: (Score:2)
What's changed in that? If a Trojan can get into your host machine, it can get into your emulated machine (since it obviously has Internet connectivity), and vice versa. Doesn't really matter if it catches real or emulated key presses.
Re: (Score:2)
A VM can fall victim to the same vulnerability.
Virtual Keyboard (preferably a browser based one) is a better defence, still poor compared to stopping malware at the gateway before you infect your machine. If you don't trust/have the virtual keyboard just make one by writing out A-Z, 0-9 and all the special characters into a text editor and copy and paste each one as you need it. Yes this takes time but it is less vulnerable to key loggers.
Banks implementing two
For once I'm glad... (Score:2)
... that I'm still a Bank of America customer. I've grown to like their 2-factor authentication mechanism. You can set up your account so that whenever you try to log in they send a random 6-digit number to you via a text message to your phone. You then enter that number into the website as you're logging in. Since it's truly a one-time-use number sent out of band from the way you're logging in it's about as secure as you can get.
The problem is service provider sloppiness (Score:5, Interesting)
Bank of America used to have a good system for authenticating their site. At login, you input your ID, and the B of A site gave you back a photo of your own choosing to tell you that you were on the real Bank of America site. Only then did you input your password.
Last Friday, B of A broke this feature. I'm now getting a password prompt without seeing the photo I'd chosen. My first thought was that there was a security problem. I checked the SSL cert info, which looked OK. I reinstalled Firefox. No change. I called Bank of America. They wanted me to remove Flash, which I did. No change. They advised me not to log in. Then they passed me off to tech support, which hasn't called back yet.
Then I took out a Linux-based Eee PC 2G Surf that had been unused for months, powered it up, plugged in an Ethernet cable, and saw the site doing exactly the same thing. So it's probably not a client side problem.
What I think happened is that someone at B of A did a partial site redesign and broke something. They introduced some Flash (something called "/sas/sas-docs/html/pmfso.swf") on the password page (a terrible idea, given Flash's history of security vulnerabilities) and along with that, broke some part of the login process.
If, in fact, they've had a break in on the server side, the main login of Bank of America has been compromised for at least three days now. I'm not seeing any indication of that, though; just general ineptitude.
(The page HTML is awful. It's clearly been modified over and over for years without a cleanup. It has Flash, Javascript, CSS, single-pixel GIFs for formatting, and comments like "July maintenance OLB timeout inactivity update starts". The "enter password" page has 966 lines of HTML and JavaScript, not including external files. That's too much flaky machinery for such a security-critical function.)
Re: (Score:2)
My credit union used this for a while, but stopped recently (or maybe not! *eerie music*). I don't see how it helps me verify that I'm really connecting to their site, though, since a middleman site can just as easily act as a proxy to the real si
Re: (Score:3, Insightful)
How does this provide any security? All the fake site needs to do is get the picture from the BoA site. (Heck a well written script could cause your machine to do it for them.) Once that happens you are no better off than you were before, and likely worse (Since you are training people to assume that "picture means legit", instead of other more secure methods.
You know you're being real-time keylogged when... (Score:2, Insightful)
...Your router's activity light blinks every time you press a key on the keyboard.
I assume it's trivial to detect this type of keylogging.
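An added example, not from the poster, turning the "activity light blinks on every keypress" observation into a host-side check: given keystroke timestamps and outbound packet timestamps, it measures how often a packet follows a keystroke within a few milliseconds. Both timestamp lists are constructed for the demo; the window and threshold are assumptions to tune against a baseline of normal browsing, and the check only catches loggers that forward each keystroke immediately, which is what the comment describes.

```python
from __future__ import annotations

# Constructed sample data (seconds). KEYSTROKES would come from the local input
# log; the packet lists from an outbound capture on the same host.
KEYSTROKES = [1.00, 1.18, 1.35, 1.52, 1.70, 1.91, 2.10, 2.31, 2.50, 2.72]
# Infected host: an outbound packet trails every keystroke by ~30 ms.
INFECTED_PACKETS = [0.20, 1.03, 1.21, 1.38, 1.55, 1.73, 1.94, 2.13, 2.34, 2.53, 2.75, 4.40]
# Clean host: only the page load and a later poll, unrelated to typing.
CLEAN_PACKETS = [0.20, 0.95, 2.40, 4.40]

def keystroke_coupled_fraction(keystrokes: list[float], packets: list[float],
                               window: float = 0.05) -> float:
    """Fraction of keystrokes followed by an outbound packet within `window` seconds.
    A key-by-key exfiltrating logger drives this toward 1.0; ordinary browsing
    produces only chance alignments. Runs in O(n log n) via a single merge pass."""
    if not keystrokes:
        return 0.0
    packets = sorted(packets)
    hits = 0
    j = 0
    for t in sorted(keystrokes):
        while j < len(packets) and packets[j] < t:   # skip packets sent before this key
            j += 1
        if j < len(packets) and packets[j] - t <= window:
            hits += 1
    return hits / len(keystrokes)

def flag_realtime_keylogger(keystrokes: list[float], packets: list[float],
                            window: float = 0.05, threshold: float = 0.8,
                            min_keys: int = 8) -> bool:
    """True when enough keystrokes were observed and most of them were followed by
    traffic. `threshold` and `min_keys` are assumed values; calibrate them against a
    baseline capture, since chatty apps raise the chance-alignment rate."""
    if len(keystrokes) < min_keys:
        return False
    return keystroke_coupled_fraction(keystrokes, packets, window) >= threshold
```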
Put everything in Greasemonkey scripts (Score:2)
When the first part of the authentication is done by a Greasemonkey script, keyloggers don't see that. Or do they?
This may sound like a joke, but in fact I do have one part of the authentication scripted in Greasemonkey. That gets me directly to the next step with some sort of challenge-response system involving a calculator-like gadget with my bank card inserted in it.
Of course, if your bank requires nothing else than an account number and a password which you have in a GM script, I would be glad to borrow
Banks do not widely use 2-factor authentication (Score:2, Informative)
They use wish-it-was two-factor [thedailywtf.com]
Two-factor authentication is when authentication requires two different factors of authentication. Some possible factors of authentication are something you know (PIN numbers, passwords, usernames, secret answers to questions arranged in advance), something you have (smart card, key fob, pass-card, a special piece of hardware, a SSL certificate loaded on a device that you can't read), something you are (biometric identification, facial, voice, fingerprint recognition,
!First Time !New (Score:2, Insightful)
Let me guess... (Score:3, Interesting)
"Made possible by Microsoft(TM)"
Right?
TFA says nothing about the OS involved, which usually means a Microsoft Windows PC. I suppose the NYT is able to sell more advertising if they keep it ambiguous.
Now, to be fair, Linux recently patched a root-privilege bug that went unnoticed for EIGHT years. But, to be just as fair, there are several orders of magnitude more compromises available courtesy of Redmond, and due largely in part (as Dijkstra quipped...) to their poor reinvention of UNIX.
I have family that use Windows. What am I supposed to do? This is getting ridiculous. Sure, they get the OS they deserve. Sure, my employer gets the security compromises they deserve. But some part of the blame has to be shared by the company which made all of this possible.
Programmers have always written buggy software. But it took Microsoft to create security flaws *by design* - that is, to deliberately architect software in an insecure and unreliable manner. It took Microsoft to disregard the lessons learned in UNIX, (as Dijkstra would say) "To reinvent it poorly."
I know, I know, ./ers will say, "Don't use Windows". Okay, I don't. But you have to understand that not everyone is a geek. The folks at corporate *BUY* Windows licenses because they don't know any better. My relatives use it because it came with their computer, or, their department at the university uses word, or they want to play games, or they want something familiar.
What about them?
Is it really acceptable for us to ignore the needs of the average user? Is it really acceptable to blame the victims?
Or, should we hold Microsoft accountable to the same standards adhered to by everyone else in the industry?
Re: (Score:2)
due largely in part (as Dijkstra quipped...) to their poor reinvention of UNIX.
That's a very odd spelling of Henry Spencer.
Is it really acceptable for us to ignore the needs of the average user? Is it really acceptable to blame the victims?
In this case, no. Let Microsoft clean up their own mess. The approach that Microsoft took to the internet in their Microsoft Windows 95 ("ActiveX" and auto executing stuff from across a wire or from removable media) had already been discredited for a decade.
If you really wish to reinvent something, you can at least do a decent job of it.
SecurID - Incorrect (Score:4, Interesting)
Re: (Score:3, Insightful)
If an attacker captures your passcode after you use it to successfully log in
That's the point of it being in real-time. The person on the other end of the keylogger has already logged in by the time your mom has gotten her hand back on the mouse, wiggled it around to find where the pointer is on the screen, moved the pointer to the login button and clicked on it. No, not that mouse button, the other mouse button.
She gets the usual useless error message and decides she must have mistyped something.
Re:OTP !! (Score:5, Insightful)
That doesn't stop them from blocking your login such that they are the only ones using the password/id. They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and login for themselves.
Re:OTP !! (Score:5, Insightful)
They log the keystrokes prior to it being sent over the wire to the bank, block the post to login.cgi, and login for themselves.
If they are smart they can even provide a fake error page once they've acquired the credentials that tells the user that the site is "experiencing technical difficulties" and that they should please try again in 15 minutes. 99.99% of users won't think a thing of it.
Re: (Score:2)
That's probably a really hard hack to pull off. But I doubt most users would notice anything if they got an RSA SecurID password wrong once -- they'd assume it's a typo.
(By the way, I don't see any information saying RSA SecurID only lets you use the token once. Sure it changes every 60 seconds, so that's as good as "once", but if two people happened to be racing to type in the same code at the same time, I don't see anything saying it would deny access.)
Re: (Score:2)
That feature is set on the RSA server. The first device to present your username and passcode gets the green light. The second device (VPN appliance, webserver, whatever) to present that same username and passcode
Re:Biometrics (Score:4, Informative)
RSA was good while it lasted. It's still better than nothing. Looks like we may need to invest in biometric laptops for the crew. What a pain.
Reread what they are doing, biometric laptops won't help. They could capture the biometric data as easily as the keyboard data.
Re: (Score:2)
Does anyone produce biometric sensors which digitally sign and timestamp your fingerprints?
Re:Biometrics (Score:5, Funny)
Anything to avoid a secure OS eh?
Re: (Score:3, Informative)
First of all, RSA SecurID has nothing to do with the algorithm RSA (besides being created by the same people).
Second, biometrics won't help at all since they can simply transmit the biometric data back and have *permanent* access to whatever system uses it.
Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords. If the hacker tries to log in to the system using the same password the victim just did, he will be rejected since that password was already us
Re: (Score:2)
Finally, RSA SecurID is actually *not* vulnerable because the passwords it generates are *one time* passwords.
If the attacker has trojaned your machine, he just needs to arrange for his software to block your submission of the one-time password so that he can use it. If he gives you an error page, or even what looks like a functional page, then he can proceed to drain your bank account and leave you completely unsuspecting.
Re: (Score:2)
I think the assumption would have to be made that the trojan prevents the token from actually being transmitted to the bank, thus giving the thief its one login.
As I mention in my other post though, I still don't see it as an issue, since every actual transaction would require a freshly generated token (assuming a sane bank).
Re: (Score:2)
Except that the attacker can just return a "no, that's invalid, try logging in again" and the user will happily give them a second token which they can now use to do the transfer.
Re: (Score:2)
The calculator won't give you a new token for another 30-60 seconds (depending on configuration).
Of course, one could argue that people that won't notice anything odd with a forged site, also won't mind the usually instant "eeer, wrong!" taking a whole minute. But nothing will save the idiot from the persistent phisher, so at some point the line between security and convenience needs to be drawn.
Re: (Score:2)
Umm.. it's a banking website.. I dunno about your bank, but my bank takes 30+ seconds to log me in on a good day.
Oh, and blaming the user for a failure of technology is classic geek arrogance. The simple fact is, these token devices are part of the arms race and if you want to keep ahead, you've got to keep innovating. For example, most users don't even *need* wire transfer capabilities so they should be disabled by default; when they ask for it to be enabled the bank gets the opportunity to educate users t
Re: (Score:2)
Umm.. it's a banking website.. I dunno about your bank, but my bank takes 30+ seconds to log me in on a good day.
I covered that in my text. Ours are pretty much instant.
People will physically travel to other countries to give money to Nigeria scams, and you think any amount of technology will secure their online bank accounts? Now that's truly geek arrogance.
As with anything else, there are no foolproof systems. You could shut down online banking completely, and you'd just get more identity theft.
A bank having token based security today is somewhat like having a burglary alarm. It won't stop people from breaking in,
Re: (Score:2)
The cracker logs in. The guy who wrote the trojan may qualify as a (evil) hacker but the one using it is a mere cracker.
Execute them? No. Catch them. (Score:5, Insightful)
This applies to crime in general as well.
Re: (Score:2)
>>>Given the present one in 100 million risk of being caught...
And since our lazy leaders, who don't even bother to read the bills they pass, are unlikely to change this statistic, I'm going to go close my online bank account right now. The last thing I need is some asshole swiping my half-million life savings. I'll just drive to the bank instead.
Re: (Score:2)
And since our lazy leaders, who don't even bother to read the bills they pass
We could do real reform to the whole system if we sunset every law in effect now and require new laws to be read aloud in full before they are allowed to be voted on. That's supposed to be the law (at least in the Senate) ...
Re: (Score:2)
DEMOCRATS Speed-read Bill:
http://www.youtube.com/watch?v=_uxsAuY1AF4 [youtube.com]
This is not a solution. What needs to be done is to allow time for review of the bill in private - at least a month. Why rush lawmaking, especially when these laws last decades.
Re:Execute them? No. Catch them. (Score:4, Insightful)
We just need to catch them. Given a 50% risk of being caught a one year prison sentence would provide more than adequate deterrence.
Your post displays a lack of understanding of the criminal mind. Don't feel too bad though, because most people (especially lawmakers) have the same lack of understanding.
The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught. Career criminals believe that only idiots get caught, and since they're smarter than everyone else (thanks to the Dunning-Kruger effect), they won't be caught.
No single "criminal mind" (Score:3, Insightful)
Your post displays a lack of understanding of the criminal mind. [snip] The thing about criminal sentences is that they don't work as deterrents - because criminals don't believe they'll be caught.
There is no single "criminal mind."
True, many criminals grossly underestimate the chances of getting caught or suffering significant consequences.
Some, those who protest against governments in violation of the law or who steal from the rich to give to the poor, do so for a real or imagined higher purpose.
Others are aware of the consequences but get some benefit out of it, such as the thrill of "getting away with it," the thrill of showing they are, at least this time, more powerful than their victim or
Re: (Score:2)
U.S. speed limits are also set artificially low.
How else can you explain an engineering report that lists 120mph as the designed maximum limit for an interstate, and an 85mph recommended limit for travel, but somehow gets signed at 65? The only reason I can conclude why politicians ignore engineers' recommendations is because the politicians view the twenty mph gap as an opportunity - to increase tax revenue.
And of course the Bernie Madoff-like scammers we call insurance companies also benefit because they
Learn some history (Score:3, Insightful)
The speed limit was set to 55mph in the mid-70s to conserve oil.
Even with today's fuel-efficient cars, going 65 saves money over going 85.
This is for at least two reasons:
* atmospheric drag
* engine efficiency
The former you can't do much about save driving with a tail-wind: You will get more drag at 85 than 65, and more drag at 65 than 45, more at 45 than 25, and more at 25 than at a dead stop.
The second is determined by the car's engineering. For cars sold in America, most have maximum engine efficiency s
Learn some history (Score:2)
The speed limit was set to 55mph in the mid-70s to conserve oil.
It was set there by Dick Nixon right after the election. Even the idiots at Wikipedia got it right.
And it was sold as "55 saves lives", not as a consumption reduction measure.
Get off my lawn!
(Barry-O's spiritual forefather was Dick Nixon, not Jimmy Carter)
Re: (Score:2)
*All* of the TV ads in 1973 related to that law were "55 saves lives" ones.
Read Nixon's own words (Score:3, Informative)
Richard Nixon, Statement on Signing the Emergency Highway Energy Conservation Act, January 2, 1974 [ucsb.edu]:
"I AM pleased to sign into law H.R. 11372, an act aimed principally at helping to reduce gasoline and diesel fuel consumption during the energy crisis."
I'm not saying you are wrong about the ads, I am saying the official reason for the change was to save energy. I am also saying that if some Wikipedia article is claiming otherwise, it needs to be reconciled with the two articles I mentioned above. Happy edit
Re: (Score:2)
>>>The speed limit was set to 55mph in the mid-70s to conserve oil.
By that reasoning the national speed limit should be set to 40mph, which is the *most* efficient speed for most cars (1900-2000 rpm is the engine's sweet spot). Obviously I think the "saves oil" argument is flawed, because while it may save oil, it defeats the purpose of having a car in the first place (to travel long distances in as short a period as possible). Now maybe for you an extra 15 minute per day commute is no big deal,
Re: (Score:2)
P.S.
>>>Speed limits need to be set on a case by case basis for each road segment, taking into account typical actual traffic patterns including typical actual speeds,
>>>
Which is not what happens. The State legislatures set an arbitrary maximum limit. Even if the engineers designed a new strip of road for 120mph (max) and 85 (recommended), the signs would still read 65 due to an arbitrary decision by out-of-touch politicians that 65 will be the max allowed across the whole state.
I think
Re: (Score:3, Insightful)
How else can you explain an engineering report that lists 120mph as the designed maximum limit for an interstate, and an 85mph recommended limit for travel, but somehow gets signed at 65? The only reason I can conclude why politicians ignore engineers' recommendations is because the politicians view the twenty mph gap as an opportunity - to increase tax revenue.
Something like that. For those of you young'uns who don't remember Dick, his administration flooded TV with advertisements that said "55 saves lives", then violated the 10th amendment to force states to comply with it.
Lowered speed limits had *nothing* to do with fuel efficiency. And for those of you who think that is the case ... get off my lawn!
Re: (Score:2)
Uh, do you live in the US? Every single person everywhere drives 5 MPH over the limit and that's almost always at least 10% over (40 in a 35 is 14% over). I have never known anyone anywhere to get a speeding ticket for 5 over.
Obviously you have never been to, or driven in California (USA). My home town hired its first motorcycle cop explicitly for ticketing things like this.
See if you can find some old ca.driving Usenet archives. That's probably the most central place you can go for details.
Re: (Score:2)
Since +5 mph falls within the error of the radar gun, that ticket would quickly be voided by the courts.
Re: (Score:2)
Research indicates otherwise.
75% of music pirates would stop if told to by their ISP. [bbc.co.uk]
Re:Well I agree but (Score:4, Insightful)
It's hard to justify to your voters why you need to spend huge amounts of tax money chasing down cyber criminals that mostly operate abroad, thus not affecting your country in the slightest, when that money could go to catching criminals that do, or to education, health care, whatever.
Re: (Score:2)
Re: (Score:2)
I think that the guys who write the software qualify as hackers. Evil hackers, but hackers nonetheless.
Re: (Score:2, Interesting)
>>>The douchebags stealing info from banks aren't hackers... they are thieves and crackers.
You don't know your definitions, son. For as long as I can remember, a hacker was someone who broke into secured computers. I don't see how you can claim there's anything "good" about such a person. (shrug). And a "cracker" is someone who defeats copy-protection. Originally that applied to cracking floppies, but now it also applies to CDs, DVDs and downloaded media like MP3/AAC files.
So in other words t
Re: (Score:2)
Google says [google.com] it's "someone who plays golf poorly".
Re: (Score:2)
I've been using computers since the early 80s, and hacking very specifically meant someone doing things that the "authorities" would consider crimes - like phreaking to get free phone calls. Or wardialing to find computers to break into. Or just guessing people's passwords on BBSes so you can raise havoc. And of course cracking software so it could be copied freely amongst friends (aka piracy).
Adjusting settings hardly qualifies you as a "hacker" - that's just your average, ordinary computer "user" and n
Re: (Score:2)
I've been using computers since the early 80s, and hacking very specifically meant someone doing things that the "authorities" would consider crimes
Well, you're too young, kid.
a hacker is a member of the computer programmer subculture originated in the 1960s in the United States academia, in particular around the [...] (MIT)'s Tech Model Railroad Club (TMRC) and MIT Artificial Intelligence Laboratory. Nowadays, this subculture is mainly associated with the free software movement. [wikipedia.org]
You seem to refer to The mainstream media's current usage of the term [which] may be traced back to the early 1980s [wikipedia.org]
Re: (Score:2)
"Hackers follow a culture of anti-authoritarianism"
In other words they commit acts that the authorities consider crimes, like breaking into secure computers, making free phone calls, copying software without permission, et cetera. Just like I said previously. (Also it's worth noting that Wikipedia article is marked "unverified claims" so it's basically an invalid reference and proves nothing.)
Re: (Score:2)
If you were naive enough to get a trojan to begin with, almost certainly the best "software" (OS?) for you is going to be not going online at all.
Re: (Score:2)
And you say you are having lag issues. How curious...
Re: (Score:2)
Also, banks should be on the lookout for things like "he used his ATM card at home yesterday, he's in Eastern Europe today" and react accordingly.
I've had that happen to me s/Eastern Europe/Southeast Asia/ when I was buying my wife a Macbook after a looong plane flight. Most unpleasant, though I appreciated the thought.
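The "at home yesterday, in Eastern Europe today" check the comment describes is an impossible-travel rule: compare the distance between consecutive account events with the time between them and flag an implied speed no traveller could reach. This is an added example, not code from the thread or from any bank; the events, their geolocations and the 1000 km/h threshold are all constructed, and it also shows why a speed-based rule, unlike a plain "different country within a day" rule, lets the long-haul-flight purchase from the reply above through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # faster than a long-haul airliner: impossible travel

@dataclass
class Event:
    when: datetime   # UTC time of the transaction or login
    kind: str        # "atm", "login", "purchase", ...
    lat: float       # assumed geolocation of the ATM or the source IP
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (prev, curr, implied_kmh) for each consecutive pair of events
    whose implied travel speed exceeds max_kmh; events are sorted by time."""
    flagged = []
    ordered = sorted(events, key=lambda e: e.when)
    for prev, curr in zip(ordered, ordered[1:]):
        hours = (curr.when - prev.when).total_seconds() / 3600.0
        dist = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
        # No time gap but a real distance counts as infinite speed.
        speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
        if speed > max_kmh:
            flagged.append((prev, curr, speed))
    return flagged

# Constructed sample 1: ATM withdrawal near New York, then a login from an IP
# geolocated to Kyiv two hours later, the pattern the comment describes.
T0 = datetime(2009, 8, 1, 12, 0)
STOLEN_SESSION = [
    Event(T0, "atm", 40.7128, -74.0060),
    Event(T0 + timedelta(hours=2), "login", 50.4501, 30.5234),
]
# Constructed sample 2: a purchase in Singapore 20 hours after a Seattle ATM
# visit. A real flight, so a speed threshold leaves it alone, whereas a
# naive "different country within a day" rule would block it.
LONG_FLIGHT = [
    Event(T0, "atm", 47.6062, -122.3321),
    Event(T0 + timedelta(hours=20), "purchase", 1.3521, 103.8198),
]
```

The threshold is the tuning knob: lowering it catches more hijacked sessions but starts blocking genuine travellers, which is the annoyance the replies below describe.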
Re: (Score:2)
This is what my bank does, and it annoys the hell out of me. I do a lot of foreign travel, and I also mainly live outside the country where my bank is based.
If my bank sees overseas transactions (including internet transactions with a source IP outside the bank's country), then they block the transaction and the card, until I call them to have the block re