I was thinking this as well, but for a different reason. I, for one, would never enter the YC program. $15,000 (especially for that much equity) just doesn't work for most people. The only demographic that can really make that work are 20ish year olds coming right out of school. They haven't started real life yet, and have minimal obligations. Anyone else competent/qualified is probably quitting a job and has various bills and debts, and if they made the decision to do a startup, they already have some bootstrap money or a bit of revenue from a side gig, so that $15k isn't going to make or break them. For 150k however, this changes things entirely. YC can now attract a far more diverse pool of aspiring startups.
It's been called many things. Security people have self-esteem problems, so if they see something being praised, they start convulsing at the sight of this injustice and must immediately blog about it and argue on forums.
As someone who has actually read the code, my opinion is that yes it was special, but not because it was brilliant. It took a lot of resources, and although there was clearly a relatively high degree of skill involved for at least parts of it (finding 0days), there were not really any new techniques. So, I personally find it impressive because of the sheer amount of work that went into it.
I think it is more the principle of it that is noteworthy - if someone tried to make a movie plot about that a few years ago, we would have scoffed.
The reason that it was obviously a nation-state is because the number of people that worked on it, the amount of time they spent on it, and what the group would stand to gain (nothing), would not have been funded by any other entity. I won't go so far as to say it would be impossible to do by someone else, but that is improbable and really would not make much sense at all. Combine that with various external clues, and it is really obvious.
Easy, the one that dumped perl a decade ago. It is truly archaic and has no place in a production environment anymore. The only people still using it are resisting change to a more productive and useful language.
Changing my vote. I think the guy is nuts and/or running away. Stuff doesn't add up.
-He claims a particular LEO is after him for pro-western views. This is the hardest hit to his credibility. If he said that botnet authors came after him for outing them, that might be plausible. The Belgian government does not hunt and 'disappear' pro-western people.
-There is no stego in this image like some have suggested. If it was in a letter, there is no data to be read. If it did not come from a letter, it was taken recently, according to the metadata. Also, if he is making direct accusations, he is not hiding information. Either the whole message would be cryptic, or none of it. If he isn't afraid to name the guy, he wouldn't be afraid to plainly state that he found a recording device or whatever else.
-He acts like the image has a smoking gun, and it does not.
-He has never had a real, credible job in the industry. See his LinkedIn: http://nl.linkedin.com/in/danchodanchev
It's either blogging, or "secret companies". And astalavista, which was warez/script kid forums and stuff.
-His blog is completely full of "cyber jihad" research and discussion of "cyber terrorist" nonsense. http://ddanchev.blogspot.com/
The rest of what you said makes sense, and it is possible that this is a script kid trying to make a name for himself - I would be very wary about making that assumption though without more serious evidence.
Nobody who does software security professionally would suggest Dancho is a "script kid". Your first tip-off might have been the article, where you'd learn that his disappearance was featured in the ZDNet security blog, where he is a contributor.
I don't do software security professionally, or have any other way of validating Dancho's legitimacy. It's not that I don't trust ZDNet - I was simply ceding the possibility that the parent was right on that point since I had no "proof" to the contrary. I apologize if it came across as me lending credence to the idea that Dancho may be a hack, I meant it in the sense that I was unable to positively confirm his reputation in the field (since I am not in it) but I should have been more clear :)
Yeah, sorry, I knew it was Bulgaria...just read an unrelated headline about the Belgian government and typed that instead.
I agree, it is worth looking into until there is real evidence either way. Hopefully he will come forward. Someone on twitter did say they heard from him on Dec 15th and he was fine.
My experience with these "independent security professionals" who are heavy on certification alphabet soup/government acronyms, and lacking in real credible work history, is that they are mostly playing "fake it until you make it". This especially applies to bloggers and those who heavily use terms like "cyber warfare" and "cyber terrorism". InfoSec is full of insecure charlatans who are broke or homeless and always making up outrageous nonsense.
No, the only thing that wasn't known was how he dumped metldr. This is a relatively insignificant part of the whole thing and wasn't what fail0verflow was focusing on in their research (as seen in the video).
The only reason that he was able to do anything with his dump was because of all of fail0verflow's work. See the twitter feed of marcan42 for clarification.
Actually, since the beginning, geohot's ps3 trick was just him copying what fail0verflow had done on the wii (glitching the address bus). He didn't give them credit for that either.
A hosting company that doesn't actively inform customers of outages? Unprofessional. Nobody is going to read a status blog every day to see if an outage might happen at some point in the future. Passive notification isn't acceptable, imo.
I'm sort of mixed. On one hand, you're right: it's a little ridiculous that users who are known to be affected wouldn't be alerted in advance.
On the other hand, it is great that Linode had alerts posted on the status blog in advance, and worthy of note that every host will have downtime. Having a backup solution in place should be a responsibility that lies in the hands of the customer, but you're right: without verified notification it's a little hard to plan ahead.
I have to say though, having switched to Linode from a more crowded, oversold host (BurstNET), the difference is amazing.
Short answer: the acceptable password hashes are bcrypt, scrypt, or PBKDF2. In all likelihood, anything that isn't one of those three gets you in the news for losing passwords when your site gets hacked.
That's kind of like saying quinces are preferable to hoop skirts.
HMAC is a construction that takes a hash (like SHA1), data, and a secret key (like "ff79f2fbe108a68c34a66004058fcfdb988dbc43") and applies the hash twice, each with a special tweak, to create a digest that only someone who knows the key can recreate from the same data. It's how two parties who share a key can prove to each other that their messages haven't been tampered with.
Hash+salt is a construction that takes a hash (like SHA1), a password (like "gobears") and a random public value (like "$4jdle$") and creates a password hash out of it that can't be precomputed.
People do (ab)use HMAC as a password hash. Those people should know that HMAC is as easy to precompute as naked SHA1 is; you can "rainbow-table" HMAC. People who have misunderstood HMAC tend to stick up for it by saying "yeah, but people will have to find my secret key first", to which a response that ends that silly argument is "once they get your key, they can attack all your hashes in parallel and that's bad".
All of these schemes are demonstrably inferior to any adaptive hashing scheme, like bcrypt or scrypt or PBKDF2, all of which can be tuned so that a single password attempt takes 500ms (or any other time); they in effect require password crackers to complete a "proof of work" that can't be sped up without a breakthrough in cryptanalysis.
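The three constructions described in the comment above (fixed-key HMAC, hash+salt, and an adaptive hash) side by side, as an added example that is not part of the original thread or the commenter's own code. It assumes the key value and the "gobears" password from the comment, constructs two sample users who happen to share a password, and uses only Python's standard library (`hmac`, `hashlib.pbkdf2_hmac`). The point it makes concrete: with a fixed server key, identical passwords produce identical digests, so one table built with the key cracks every user at once; a per-user random salt breaks that; and PBKDF2's iteration count is the knob that sets the per-guess cost.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: two users who chose the same password.
USERS = {"alice": "gobears", "bob": "gobears"}

# Hypothetical server-side secret, as used by the "HMAC as a password hash" scheme.
SERVER_KEY = bytes.fromhex("ff79f2fbe108a68c34a66004058fcfdb988dbc43")


def hmac_password(password: str, key: bytes = SERVER_KEY) -> str:
    """The misuse: HMAC-SHA1 over the password with one fixed key for all users."""
    return hmac.new(key, password.encode(), hashlib.sha1).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Hash + per-user random public salt: not adaptive, but not precomputable."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    """Adaptive hash: cost per guess scales linearly with the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def hmac_is_precomputable(users: dict) -> bool:
    """True if identical passwords collide under fixed-key HMAC, i.e. an attacker
    holding the key can hash each candidate once and match it against every user."""
    digests = [hmac_password(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


def salted_is_precomputable(users: dict) -> bool:
    """Same check with a fresh 16-byte salt per user: identical passwords no
    longer collide, so every user must be attacked separately."""
    digests = [salted_sha1(pw, os.urandom(16)) for pw in users.values()]
    return len(set(digests)) < len(digests)


def verify_pbkdf2(password: str, salt: bytes, iterations: int, stored: str) -> bool:
    """Constant-time comparison of a recomputed PBKDF2 digest against the stored one."""
    return hmac.compare_digest(pbkdf2(password, salt, iterations), stored)


def calibrate_iterations(target_seconds: float, start: int = 1000) -> int:
    """Double the iteration count until one PBKDF2 evaluation takes at least
    target_seconds on this machine; this is the 'tune it to 500ms' step."""
    salt = os.urandom(16)
    iters = start
    while True:
        t0 = time.perf_counter()
        pbkdf2("gobears", salt, iters)
        if time.perf_counter() - t0 >= target_seconds:
            return iters
        iters *= 2


if __name__ == "__main__":
    print("fixed-key HMAC precomputable across users:", hmac_is_precomputable(USERS))
    print("salted SHA1 precomputable across users:   ", salted_is_precomputable(USERS))
    salt = os.urandom(16)
    iters = calibrate_iterations(0.05)
    stored = pbkdf2("gobears", salt, iters)
    print(f"PBKDF2 iterations for ~50ms per guess: {iters}")
    print("verify correct password:", verify_pbkdf2("gobears", salt, iters, stored))
    print("verify wrong password:  ", verify_pbkdf2("gobear$", salt, iters, stored))
```

Run it as a script to see the two precomputability checks and the calibrated iteration count for this machine; in a real deployment the salt and iteration count are stored alongside each digest so that the cost can be raised later as hardware improves.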
This. I think most people "get it" by now, but I roll my eyes every time someone tries to say that those who exploit software or break into computers are "crackers". No, they aren't.
yes. seems like everyone is co-opting the definition based on what they WANT it to mean, and thus being intolerant of the fact that everyone has their own pre/mis-conceived notion of "hacker". hence, knots in the panties from the "that's not a knife; this is a knife" crowd.