US Senate Panel Approves Self-Driving Car Legislation (Slashdot, by BeauHD on government at January 1, 1970, 1:00 am; cached at October 4, 2017, 11:35 pm)

An anonymous reader quotes a report from Reuters: The U.S. Senate Commerce Committee on Wednesday unanimously approved a bill to speed self-driving cars to market without human controls and bar states from imposing regulatory roadblocks. The bill still must be approved by the full Senate. The U.S. House passed a similar version last month unanimously. General Motors Co, Alphabet Inc, Ford Motor Co and others have lobbied for the landmark legislation. Despite some complaints from Republicans, the Senate bill does not speed approval of self-driving technology for large commercial trucks after labor unions raised safety and employment concerns. The measure, the first significant federal legislation aimed at speeding self-driving cars to market, would allow automakers to win exemptions from current safety rules that prohibit vehicles without human controls. States could still set rules on registration, licensing, liability, insurance and safety inspections, but not performance standards.

Read more of this story at Slashdot.

[no title] (Scripting News; cached at October 4, 2017, 11:33 pm)

If you want to download MySQL for the Mac, here's the direct download link. They really try to upsell you to Oracle and get you to create an account. Meh.
House bill would set new limits on US surveillance powers (ZDNet) (SANS ISC SecNewsFeed; cached at October 4, 2017, 11:30 pm)

ERP for an Efficient Enterprise (IT Toolbox Blogs) (SANS ISC SecNewsFeed; cached at October 4, 2017, 11:30 pm)

GAO: 24 Agencies Still Struggle With IT Security Weaknesses (InfoRiskToday) (SANS ISC SecNewsFeed; cached at October 4, 2017, 11:30 pm)

External Link: Yahoo: All 3 Billion Accounts Affected by 2013 Hack (TidBITS; cached at October 4, 2017, 11:06 pm)

Remember how Yahoo was hacked back in 2013? And how, in December 2016, the company said that 1 billion accounts had been compromised? Well, that turns out to have been an understatement. Yahoo is now admitting that every single one of the company’s 3 billion accounts was hacked. Word on the street is that the best response isn’t to delete your account, since it will eventually be recycled and could potentially be used against you. Instead, it’s better to change your password to something unique and enable two-factor authentication (which Yahoo calls Account Key). And if you ever used your Yahoo password on other Web sites, be sure to give them new, unique passwords too!


Artificial Intelligence Has 'Great Potential, But We Need To Steer Carefully,' Linke (Slashdot, by msmash on ai at January 1, 1970, 1:00 am; cached at October 4, 2017, 11:05 pm)

LinkedIn co-founder Reid Hoffman joined other tech moguls in voicing concern about artificial intelligence on Wednesday. From a report: "It has great potential, but we need to steer carefully," Hoffman said on Halftime Report. Hoffman stressed corporate transparency when asked what happens if companies use AI to attack nation-states. The possibility of manipulating how people consume information remains an unanswered question. During last year's U.S. presidential election, Facebook advertisements linked to Russia mainly focused on the states of Michigan and Wisconsin, and Hoffman says information battles are "in the very early days." AI must be improved, Hoffman says, to "[hold] corporations accountable" when nation-states are using the technology to attack. "Corporations normally deal with other corporations, not with governments," Hoffman said. The "ultimate" solution, he says, is "having more kinds of functions and features within AI that show abhorrent patterns." That way patterns raise a red flag for humans to investigate, Hoffman noted.

Should You Integrate ERP and POS in Your Retail Business? (IT Toolbox Blogs) (SANS ISC SecNewsFeed; cached at October 4, 2017, 10:30 pm)

Securing "Out of Band" Access, (Wed, Oct 4th) (SANS Internet Storm Center, InfoCON: green; cached at October 4, 2017, 10:30 pm)

How do you get to your critical systems if the network is down? There are a number of different technologies that are used in this case. Often, they involve some kind of terminal server that is connected to the system via a serial terminal (yes... there are still some of them around), or via an IP-based KVM switch. The terminal server itself may be reachable via a backup network connection, or maybe someone even has a dial-in setup around for it. But no matter the exact technology you use to implement this, a "backup connection" or "out of band connection" often bypasses a lot of security controls. This is done by design, to ensure that the backup connection can be used even if these security devices do not respond. Often, these connections are also used to manage the security devices themselves.

The problem with this approach, from a security point of view, is that there are often few logging and auditing controls around these systems. I will look here at two specific devices and see how they can be "hardened".

SuperMicro IPMI Access

Many security professionals will cringe if I mention accessing systems via IPMI. IPMI implementations have been shown to be vulnerable many times over. Patching them can be difficult (if patches are available at all). But in reality, IPMI is often used and is indispensable when it comes to remote access in case the server cannot be reached. There are a couple of meaningful steps you can take to better secure these setups. I am using Supermicro's implementation as an example, as I am familiar with it. From limited experience, I know that other implementations offer similar features.

Obscurity isn't security, but it helps:

Do not add IPMI servers to DNS. Instead, use a good old hosts file for them. Only a handful of people should have access anyway, so it is not too hard to maintain hosts files. Also, move the IPMI server to a non-standard port.

Logging and Alerting

Define an e-mail address to receive alerts. Depending on your architecture, this may be an e-mail address at a different domain/site than your primary organization's e-mail address. Remember that you can't receive alerts at @company.com if company.com is down. Sadly, I usually do not see any good logging for local access to the console.

SSL Security

SSL options are usually very limited. But do upload a valid certificate. One signed by an internal CA should be fine, and may even be preferred unless you are planning to advertise your IPMI system via certificate transparency. With some older systems, it may also not be possible to use a certificate that matches current CA requirements (for example, SHA-2 signatures may not be supported).

User Configuration

Each admin with access to the system should have a personalized account. Avoid generic "Admin" accounts. You can often configure remote authentication via LDAP/Active Directory/RADIUS, but keep in mind that you need a backup in case the LDAP server is down, and any logging provided by these systems will only apply to users authenticating via them. Network authentication has, of course, its own challenges.

Network Configuration

Limit IPMI to respond only on one of your network cards, preferably one connected to a management network. In some versions, you can also set up firewall rules that let you whitelist specific IP addresses for access.

Access Logging

Let me know if you find anything great in that respect. None of the systems I remember had a syslog, or even an SNMP trap option, to send alerts about log-ins. I found it best to log access on the network level (Bro/Snort, ...). A simple Snort signature that fires whenever someone connects to an IPMI server is usually the only thing you can do.
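Since the BMC itself offers no usable access log, the practical substitute the diary describes is a network-level record of every connection to an IPMI controller. The following added example (not from the diary or from Supermicro) shows that check as a small Python script: it reads a hosts-file fragment of BMC addresses (following the "hosts file, not DNS" advice), walks a Zeek (Bro) conn.log-style record set, records every connection to a BMC, and escalates the ones coming from outside the management network or hitting a port the BMC is not supposed to serve. The BMC names, the 10.0.100.0/24 management network, the 192.0.2.x client, the 8443 "non-standard port" and the log lines are all constructed for the example; the conn.log layout is reduced to the six fields the check needs.

```python
import ipaddress

# Constructed hosts-file entries for the BMCs (hypothetical names, documentation
# and private-range addresses; not from the diary). Kept here, not in DNS.
IPMI_HOSTS_FILE = """
# assumed /etc/hosts fragment listing the IPMI controllers
10.0.100.11   ipmi-db01
10.0.100.12   ipmi-web01
"""

# Assumed management network and the ports the BMCs are expected to answer on:
# 623/udp is IPMI-over-LAN (RMCP+); 8443/tcp stands in for a moved web UI port.
MGMT_NET = ipaddress.ip_network("10.0.100.0/24")
IPMI_PORTS = {623, 8443}

# Constructed sample in a Zeek (Bro) conn.log-like layout, reduced to the
# fields this check needs: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
SAMPLE_CONN_LOG = (
    "1507160000.1\t10.0.100.50\t51234\t10.0.100.11\t8443\ttcp\n"   # admin from mgmt net
    "1507160001.2\t192.0.2.77\t40000\t10.0.100.12\t8443\ttcp\n"    # client outside mgmt net
    "1507160002.3\t192.0.2.77\t40001\t10.0.100.12\t623\tudp\n"     # same client, RMCP+
    "1507160003.4\t10.0.100.50\t51235\t10.0.100.12\t22\ttcp\n"     # BMC reached on SSH port
    "1507160004.5\t10.0.100.50\t51236\t10.0.100.200\t22\ttcp\n"    # not a BMC at all
)


def parse_hosts(text):
    """Map IP -> hostname from hosts-file lines; comments and blanks are skipped."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            hosts[fields[0]] = fields[1]
    return hosts


def parse_conn_log(text):
    """Yield one dict per record; Zeek header/comment lines starting with '#' are skipped."""
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = raw.split("\t")
        yield {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
               "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto}


def detect_ipmi_access(conn_text, hosts, mgmt_net, ipmi_ports):
    """Return one alert per connection to a known BMC.

    Every access is recorded ("info"), because the BMC keeps no usable log of
    its own. It becomes a "violation" when the client sits outside the
    management network or the BMC is reached on a port it should not serve.
    """
    alerts = []
    for c in parse_conn_log(conn_text):
        name = hosts.get(c["resp_h"])
        if name is None:
            continue  # destination is not an IPMI controller
        reasons = []
        if ipaddress.ip_address(c["orig_h"]) not in mgmt_net:
            reasons.append("source outside management network")
        if c["resp_p"] not in ipmi_ports:
            reasons.append("unexpected port %d/%s" % (c["resp_p"], c["proto"]))
        alerts.append({"ts": c["ts"], "bmc": name, "src": c["orig_h"],
                       "port": c["resp_p"], "proto": c["proto"],
                       "severity": "violation" if reasons else "info",
                       "reasons": reasons})
    return alerts


def run_sample():
    """Run the check over the constructed sample data."""
    return detect_ipmi_access(SAMPLE_CONN_LOG, parse_hosts(IPMI_HOSTS_FILE),
                              MGMT_NET, IPMI_PORTS)


if __name__ == "__main__":
    for a in run_sample():
        print("%-9s %-10s %-13s -> %d/%s %s" % (a["severity"].upper(), a["bmc"],
              a["src"], a["port"], a["proto"], "; ".join(a["reasons"])))
```

In production the conn.log would be read from Zeek's output directory (or the same logic expressed as a Snort/Suricata rule keyed on the BMC addresses), and the "info" records are worth keeping as well as the violations: together they are the only per-connection audit trail the BMC will ever give you.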

Now another option is serial consoles. Just like IPMI, these devices tend not to be the most secure, and they are not all that easy to maintain. I have used products from Cyclades and others. My minimum requirement is always SSH access. But even with SSH, old ciphers are often still in use. A first step should be simple "ssh hygiene":

On the good side, I found that these products are usually able to do remote logging via syslog, and since they typically run some more or less "regular" Linux, configuration is a bit more flexible. But be careful after firmware updates, as they often undo a lot of the less standard configuration changes.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Security Awareness Month: How to Help Friends and Family, (Wed, Oct 4th) (SANS Internet Storm Center, InfoCON: green; cached at October 4, 2017, 10:30 pm)

For the last few years, October has been "Security Awareness Month", with various organizations using it to promote security awareness. We have done a few "themed" diaries around security awareness in past years, but for the most part, there isn't that much new to say for our core audience. Security awareness is, however, still a big issue for the rest of humanity, and if you are looking for advice to help friends and family become more security-aware, the SANS Securing the Human project has a nice newsletter for you.

This month's "Ouch!" newsletter focuses on "Helping Others Secure Themselves". You can find a copy of it, as well as past newsletters, here: https://securingthehuman.sans.org/resources/newsletters/ouch/2017 

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

EU Takes Ireland To Court For Not Claiming Apple Tax Windfall (Slashdot, by msmash on eu at January 1, 1970, 1:00 am; cached at October 4, 2017, 10:05 pm)

Philip Blenkinsop, reporting for Reuters: The European Commission said on Wednesday it was taking Ireland to the European Court of Justice for its failure to recover up to 13 billion euros ($15.3 billion) of tax due from Apple, a move labeled as "regrettable" by Dublin. The Commission ordered the U.S. tech giant in August 2016 to pay the unpaid taxes as it ruled the firm had received illegal state aid, one of a number of deals the EU has targeted between multinationals and usually smaller EU states. "More than one year after the Commission adopted this decision, Ireland has still not recovered the money," EU Competition Commissioner Margrethe Vestager said, adding that Dublin had not even sought a portion of the sum.

GDS2-3.35 (search.cpan.org, by Ken Schumack at January 1, 1970, 1:00 am; cached at October 4, 2017, 10:03 pm)

Process GDS2 files
Net-IPAddress-Util-4.002 (search.cpan.org, by Paul W Bennett at January 1, 1970, 1:00 am; cached at October 4, 2017, 10:03 pm)

Version-agnostic representation of an IP address
[no title] (Scripting News; cached at October 4, 2017, 10:03 pm)

Podcast: It shouldn't be that easy for one person to shoot 600.
NIST Readies to Tackle Internet's Global BGP Vulnerabilities (SecurityWeek) (SANS ISC SecNewsFeed; cached at October 4, 2017, 10:00 pm)