@jospoortvliet said in Happy new year! Time to update Nextcloud. And congratulate ownCloud with 7 years 😉:

I also did a private blog with some nice embarrassing pictures and details from back then 😉

Looks like that hotel needs a warning sign "So close to the Bay, you'll be IN it!"

@Romo said in Extortionists competing to get paid for the same databases!:

Explanation of the vulnerability

Understanding the hack

The hack itself is alarmingly simple. In versions >= 2.6.0, MongoDB includes a default configuration file that binds MongoDB to 127.0.0.1 by default. As a result, the database will only listen to local connections.

Before version 2.6.0, that wasn’t true. By default, MongoDB was left open to remote connections. Authentication is also not required by default, which means that out of the box installs of MongoDB before version 2.6.0 happily accept unauthenticated remote connections.

Users could still restrict access to local connections if they took the time to configure the install but that meant manually adding a line to their mongodb.conf file. Since that wasn’t the default configuration, many existing installs never included this critical step.

Making matters worse is that it’s easy to identify potential MongoDB attack candidates. MongoDB’s default port is 27017. Using a search engine such as ZoomEye, you can query for MongoDB installs, see what port they’re available over, and find around 100,000 vulnerable candidates.

The vulnerability itself is hardly new. The issue was first raised back in 2012 and released somewhere around 2015. Also, in early 2015, John Matherly made some noise when he reported finding around 30,000 insecure installs of MongoDB. In other words, this is something that everyone could have known about for a while.

That's not a vulnerability, that is STILL a half configured system AND no firewall on the server. And MongoDB 2.6 is relatively old, we are on 3.3 these days. This is a database cluster component, not a complete database piece on its own. Whatever "security" professional is writing this piece clearly isn't aware of what they are writing about. What they write is half true, 27017 is listening on 0.0.0.0, but it does so for a reason and is only vulnerable in places where someone did not finish setting up their database AND their server. It's not a vulnerability in the product.

@coliver said in EU scheduling legislation for AI laws:

@scottalanmiller said in EU scheduling legislation for AI laws:

@DustinB3403 said in EU scheduling legislation for AI laws:

@Dashrender The pyramid power platform would disappear rather quickly as everything becomes automated.

No further need to have "leaders" etc.

That's not true at all. AI can automate production to an extreme degree, but it isn't likely to have any useful place in automating leadership.

I'm not sure it will replace it but I think it could go a long way to informing it. Using some of the same techniques we use for big data analytics could be a boon for informed leadership.

That's a totally different concept, though, not related to what we are discussing here and is something that they've had for a very, very long time already.

@Dashrender said in Amazing Echo Orders From Television Comments:

@scottalanmiller said in Amazing Echo Orders From Television Comments:

@Dashrender said in Amazing Echo Orders From Television Comments:

@JaredBusch said in Amazing Echo Orders From Television Comments:

@scottalanmiller said in Amazing Echo Orders From Television Comments:

I wonder how long before they add voice identification. Knowing who is placing orders is pretty important.

There is a voice training that can be done. I have not tried it yet. That may help with recognition.

I don't think it's about training to a voice, it's more for just better understanding you specifically.

Isn't that two ways of stating the same thing?

huh.. yeah I guess I hear what you are saying - but I more specifically meant to say I don't believe that Amazon is trying to lock onto a specific voice from a specific user, at least not yet. I think the training you provide to the Echo would be applied globally to their entire network of Echos - making you easier to understand at any Echo you talk to in the world, but not with the intent (today) of allowing your echo in your home to only allow purchases from your voice.

Oh, I see. I didn't think that it was doing that, but it might be.

@Danp said in Microsoft Announces PowerApps:

Just ran across this again. Any actually do anything with PowerApps?

We've not touched it.

We recently had to set up an L2TP tunnel for our apple devices, since the last iOS 10 update took PPTP out of the picture. It was a huge PITA too, because I didn't figure out for a while that the secondary tunnel wouldn't let me reuse existing user accounts in our Watchguard.... that was some fun trial and error. And the WG how-tos never specified anything about needing different user accounts. It sucks to do all the steps right and then get login errors... makes ya feel like an amateur.

@Grey I actually helped with the transition from VoiceStream to T-Mobile. NTG was the north east contractor for moving the stores over from one to the other!

I really wonder what took so long, at least for cellular - the wifi I can sorta understand.. and that's definitely cool!

There has been a placeholder for it for a while.

Things get smaller everyday 🙂

0_1483639120329_worlds-smallest-battery.jpg

Agree. In addition, I have my Hue Lights connected and when I come home at night, I can simply tell Alexa before I turn into my driveway to turn on the lights. Hue has a geo fence that isn't very reliable.

@Dashrender said in News Ideas for City Driving:

@Son-of-Jor-El said in News Ideas for City Driving:

Charges while driving?

Why don't you support charging while driving?

Fuel discrimination?

The idea is to cut down on emissions, eventually I'm fully expecting that oil based fuels will be completely banned from transportation devices.

A few countries have that on the books already.

@travisdh1 said in Amazon Patents a Flying Warehouse:

Balloons, even those with propulsion of some sort, are still slow. I'm guessing that's why they are also doing the drone thing. The big balloon thing in the sky has all the things, while the smaller/faster drones actually deliver things.

Well the entire airship isn't going to dock at your house to deliver a toothbrush. That would be crazy. Even if it moved twice as fast as a normal drone it wouldn't work.

@Dashrender said in French Get Right to Disconnect:

@scottalanmiller said in French Get Right to Disconnect:

@Dashrender said in French Get Right to Disconnect:

I'm completely onboard with emails being blocked to your account while you are on vacation - that part I completely agree with for the reasons you mentioned - it also ensure that your boss is taking care of things that are emergent while you are away.

I think that that is what they mean by deleted.

lol the use of the term deleted just seems weird. Deleted to me means that it came in and was then removed.

Well, it kinda is. It exists in transit, and then is dropped. So it's deleted from memory and the server, but there was never deliver to the end user in the first place. So it's a little odd, but it's accurate. Any email that is refused deliver is deleted in a sense.

@fuznutz04 said in OpenShot 2.2 Released:

@scottalanmiller

Nice! Any idea how this compares with Resolve? https://www.blackmagicdesign.com/products/davinciresolve

No idea, haven't used Resolve.

This is IMHO the most interesting OSS project since many years to date, very nice work!
Can't wait to use the 1.2 in production.

@IRJ said in Android malware bites back in the real world.:

@travisdh1 said in Android malware bites back in the real world.:

@scottalanmiller said in Android malware bites back in the real world.:

@travisdh1 said in Android malware bites back in the real world.:

@scottalanmiller said in Android malware bites back in the real world.:

Android seems like a really bad choice for high security applications, like military. Custom Raspberry Pis with super locked down Linux general purpose OSes would make more sense.

Any consumer cellular devices period, I can easily triangulate a cell phone with very little hardware investment.

Do we know that they were consumer phones? I didn't look into it. You can put Android on non-phones, too.

True. I was assuming because the malware was able to stay in contact somehow. Might have been on a dedicated military network with just 1 connection to the outside.

Very interesting article...

You don't have to hack hundreds of phones. Have 3-5 important android devices may be enough to nearly paint a full picture.

And one might attack another.