safety – Family with kids driving from Marrakesh to Fez – any threat of danger for daytime driving?

We are two parents with three children, a blonde, a redhead and one brunette, ages 8, 9, and 12 years. Why do I write that? Because we look very American, which may not be such a good thing in Morocco. I love everything I read about the adventure, history and beauty of Morocco and it may be ignorance, but I am afraid of driving cross country and have a fear of being pulled over by machine-gun-toting rebels kidnapping my children. It feels awful to say it and this is very ignorant on my part, but as a mother I wonder if I am jeopardizing my children? We have planned driving trips through many European countries and Mexico, when it was safe. We love to drive and gain our freedom, and it is also economical for a family of 5. All I have read says that Morocco is safe and the people are kind to Americans. We are well traveled and enjoy simple living and immersion into the culture. My route would take us from Marrakesh over the mountains to the Kasbahs, Falls, Atlas Film Studio with a drive toward Merzouga and an overnight camel trip to the Sahara and then a drive to Fez. I want to figure out how to put Essaouira into the mix as well. I know bad things can happen anywhere in the world; I just don’t want to fly my family into a place where I shouldn’t. I am becoming more educated that this would be a safe journey. Please respond.

programming – Why do security-sensitive APIs prefer char[] over String when handling pass-phrases even in Java? What threat are they protecting against?

I note that in Java, the String type is immutable and safe, yet using char[] for password handling is pretty common.

Two concrete examples are:

I mean, look at this code, (taken from the JAAS tutorial) … mostly avoidable if PasswordCallback#getPassword() would just return a String.

        callbackHandler.handle(callbacks);
        // callbacks[1] is the PasswordCallback; getPassword() hands back a char[], not a String
        char[] tmpPassword = ((PasswordCallback)callbacks[1]).getPassword();
        if (tmpPassword == null) {
            // treat a NULL password as an empty password
            tmpPassword = new char[0];
        }
        // copy the secret into our own array so we control its lifetime
        password = new char[tmpPassword.length];
        System.arraycopy(tmpPassword, 0,
                    password, 0, tmpPassword.length);
        // wipe the callback's copy now that we hold our own
        ((PasswordCallback)callbacks[1]).clearPassword();

I feel like I’m missing why smart system programmers go to such trouble (at least, they did in the late 90’s, in the infancy of Java). I suppose the above hoo-hah might achieve the characters comprising the secret from sitting next to each other on the heap. They’ve just been moved from one char[] on the heap to another char[] that’s presently only on the stack? (I’m not sure enough of my JVM primitive arrays to really be sure of this.)

Is this:

  • just a habit brought across from C/C++ where an improperly terminated string could cause a buffer-overflow
  • a way to force programmers to avoid string literals that would be ‘interned’ by the compiler when testing for ‘does the input match the hard-coded-secret’ (which isn’t going to happen except in throwaway code anyway)
  • a strong and reasonable commitment to ensuring that ‘insofar as it depends on me’, clear-text secrets are kept clear in memory for the absolute shortest amount of time, in case of an attacker with permissions to inspect memory? (That degree of access by an attacker is basically game-over anyway: sure, we can make it just that little bit more hard for them, but really, this is called doubting the integrity of your execution environment, and that’s … a really heavy burden for an application!)

What design force am I not seeing?
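The lifetime argument behind the third bullet, as an added Java example that is not from the post or the JAAS tutorial: a char[] can be overwritten in place once it has been used, while a String holding the same secret cannot. The class name, `verify`, `constantTimeEquals` and the sample passphrase are assumptions.

```java
import java.util.Arrays;

// Added example (not from the question or the JAAS tutorial): why char[] lets
// the caller bound the lifetime of the clear-text secret while String does not.
public class PassphraseLifetime {

    // Use the secret, then wipe it in a finally block so the clear text does
    // not outlive this call even if the comparison throws.
    static boolean verify(char[] passphrase, char[] expected) {
        try {
            return constantTimeEquals(passphrase, expected);
        } finally {
            Arrays.fill(passphrase, '\0');  // overwrite the caller's array in place
        }
    }

    // Compare every character regardless of where the first mismatch is,
    // so the comparison time does not reveal how much of the guess was right.
    // (Real code compares against a stored hash, not a clear-text copy.)
    static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input; in real code it comes from PasswordCallback#getPassword().
        char[] fromCallback = "hunter2".toCharArray();
        char[] expected = "hunter2".toCharArray();

        boolean ok = verify(fromCallback, expected);
        System.out.println("match: " + ok);                        // true
        System.out.println("wiped: " + isWiped(fromCallback));     // true
        Arrays.fill(expected, '\0');

        // The String path: the object is immutable, so nothing can overwrite its
        // contents. Dropping the reference only makes it eligible for GC; the
        // characters stay in the heap until the collector happens to reuse them.
        String asString = "hunter2";
        asString = null;
    }
}
```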

What are the threat models that using a VPN for mobile data can mitigate?


security – Threat probability? 1 state controls >70% of miners. Other states go to war with them

This is almost certainly a silly question, but there are a lot of new bitcoin owners like me and a specific threat was made today which sounds credible to those of us who lack deep knowledge of bitcoin.

The specific threat is this one:

1: China controls 70% of the miners. SOURCE

2: They are using Hydroelectric and Nuclear Power reactors to do this. SOURCE

3: The United States (and allies) are seeking to destroy bitcoin in a war with China.

4: Bitcoin will go to 0 and US regulated coins will survive. SOURCE

So it’s kind of 2 threats rolled into 1 and I’m trying to come up with a “probability of threat number” to determine if I should even devote time to considering this.

My guess is that the probability is less than 1% but it’s just a guess and I have a high amount of uncertainty due to my current depth of knowledge.

Again, please forgive the silliness of the question, but any assistance to help improve my confidence that the threat is not to be taken seriously would be appreciated.

Threat Modeling and Risk Assessment Effort Estimation

Is there any way to get a good effort/time estimate for a Threat Modeling and Risk Assessment activity on an internal infrastructure (about 30 active nodes)?

In general, is it possible to find a “best practice” for estimating the effort/time of an activity that detects threats using Threat Modelling and estimates the risk of those threats by following a standard template, such as the OWASP Risk Rating score?

Or, according to your experience, is it better to have a “time and materials” approach for this type of activity?
Thank you in advance.

internet – How big threat if I’ll use Windows 7 these days, but visit only trusted sites?


threat mitigation – What is the difference between ATT&CK and CAPEC?

My question is on Cyber Threat Intelligence (CTI). I want to know the difference between Attack Patterns (as in MITRE CAPEC) and Tactics, Techniques and Procedures (as in MITRE ATT&CK). They both seem to describe the behaviour and modus operandi of the adversary, so what is the difference really?

What is the difference between Tactics, Techniques and Procedures in the first place? I have heard that techniques and tactics don’t belong to the same Threat Intelligence type. Technical CTI is at the same level as indicators of compromise (IoC), for example, whereas Tactical CTI refers to a higher analysis level, the “attack phase” (whatever that means). But then why do we only see “techniques” on the MITRE ATT&CK webpage? Why is it called Tactics, Techniques and Procedures if there are only Techniques? And what are Procedures?


malware – Aren’t these “new” self-programmable gaming mice a new security threat?

I have recently bought one of the recent “best” USB gaming mice out there. The thing that is bothering me is that the marketing material says it contains a self-programmable computer embedded in the mouse, which is able to save the lighting, sensitivity and other settings.

On my Windows machine the mouse gets accepted as a HID-conformant mouse and twice as a keyboard. On my Linux machine it gets accepted as a tablet(!) and a mouse.

  • Can this somehow get exploited?

  • Has there been a recent BadUSB variant for gaming mice or something similar?

  • Is this a real upcoming issue, since the gaming industry is currently booming and it seems it’s not going to stop booming in the near future?

  • Since most such USB gaming mice are attached to the USB port at boot, is there a danger of messing with the boot?

  • How do you minimize the danger of possible USB sniffing in this context?

threat modeling – Is there anyone that provides live cyber attacks happening via an API?

There are a lot of vendors that provide live cyber attacks happening with the attack geolocation, i.e. Kaspersky, FireEye, SonicWall, etc., but I couldn’t find any of these to have an API that provides the threats happening with their geolocation.

Basically, I want to make a GET request and in response I should get a list of cyber attacks that just happened.