Really amazing work by the New York Times on this. But seriously, the NSA, CIA, White House and Israeli Intelligence need to root through and find the sources of these leaks. Unless this is some sort of re-election campaign tactic and implicitly or directly authorized by the President, these details comprise an enormous breach of security.
Seriously. What kind of secret agents talk to the fucking New York Times? Shitty ones.
Bravo, Microsoft! Now *that’s* what a company does when they think about its customers first. Google would never do this because the user of Chrome is not Google’s customer: the advertisers are.
It will take more time for computer security researchers around the world to discover more. Flame contains 20 times more code than Stuxnet and is much more widespread than Duqu. Researchers at Kaspersky Lab said they have detected Flame on hundreds of computers and predict that the total number of infections could be more than a thousand.
gonna listen to ween all day i think
Ween - Pollo Asado
“For me it’s a closed book. In life sometimes, in the universe, you have to close some doors to have others open” - Gene Ween, announcing that Ween was over.
I first heard Ween in 1990 or 1991. We were doing our public access video show, and were scrounging for any videos anyone would send us. The first video we ever played was Shonen Knife (song: “Redd Kross”). The next was from this band Ween - a video for Pollo Asado - that Kramer of Shimmy disc sent us on VHS tape. The video was as wacked out as the song. But we were smitten. Still are.
I never would have imagined this five years ago.
The 20 Most Valuable Tech Companies
- The total market cap of the top 20 companies is $2.22 trillion
- Apple makes up 23.6% of that
- Apple is worth more than Google and Microsoft combined. You could even add Cisco on top of that, and it still wouldn’t be enough.
N.B. Facebook isn’t on this list as it is not yet included in the list of technology companies on Google Finance. Facebook’s current market cap is $61.66 billion, which would put it in 12th position.
I have to respectfully disagree with ZDNet’s Tom Foremski and ShortFormBlog. You can get pageviews with original reporting and good analysis, or you can succumb to the temptations of dreck, linkbait, and drama. Every publication has the same choice to make; Business Insider just chose dreck.
You can also choose to not play the pageview game and look for advertisers and revenue models that are more conducive to operating like a respectable publication.
The problem with the current state of journalism is that publications like Business Insider—and plenty others like it, such as Gawker—are allowed to operate without mediation, conscience, training, and, perhaps most importantly, consequence.
(via chartier)
Danny Sullivan:
Back when Google was an upstart search engine, one way it distinguished itself was to fight against a pay-to-play business model called “paid inclusion.” Indeed, paid inclusion was one of the original sins Google listed as part of its “Don’t Be Evil” creed. But these days, Google seems comfortable with paid inclusion, raising potential concerns for publishers and searchers alike.
“Evil” is fluid, it seems.
SSL is Broken (still)
Yup, it’s true. I know most people aren’t freaking out and, yes, I still do my online shopping and trust that all is okay. There’s no reason to panic.
But recent CA attacks (read back a few posts on this blog for a bit of info) and other vulnerabilities in the whole “PKI” system are popping up with greater frequency.
So this latest Yahoo! screwup (in a long series of screwups), in which they managed to package their web extension with a copy of the private certificate, is just another example of why SSL is broken.
But you know what: it was always “broken”:
Security is a chain; it's only as strong as the weakest link. The security of any CA-based system is based on many links and they're not all cryptographic. People are involved. -- Carl Ellison and Bruce Schneier
This latest Yahoo! issue is the result of people not doing the right thing. And doing the right thing is the whole basis of a trust-based system like SSL.
When was the last time you or your organization checked into the root CAs and sub CAs on your systems and decided whether or not you trusted these organizations? Never? Ya. That's about right. You are trusting Microsoft or Apple to do that for you. But do you know the criteria for trust? Do they tell you what tests an organization must pass to get into your Keychain?
Oh, actually, they do. Did you follow?
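A check a release pipeline can run to catch the kind of packaging mistake described above (an added example, not code from the original post): it walks an extension's build directory and reports any file that carries a PEM private-key header or a key-bundle file extension. The sample extension tree it builds, and the placeholder key body, are constructed here for illustration.

```python
import os
import tempfile

# PEM headers that mark private-key material: PKCS#8, PKCS#1, SEC1, encrypted, OpenSSH.
PEM_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)
# PKCS#12 bundles are DER, so the content check above misses them; flag them by extension.
KEY_FILE_EXTENSIONS = (".p12", ".pfx", ".key")

def scan_file(path, max_bytes=4 * 1024 * 1024):
    """Return (path, reason) tuples for one file; reads at most max_bytes of it."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    if ext in KEY_FILE_EXTENSIONS:
        findings.append((path, "key-bundle extension " + ext))
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return findings
    for marker in PEM_KEY_MARKERS:
        if marker in data:
            findings.append((path, marker.decode()))
    return findings

def scan_tree(root):
    """Walk a build directory and collect every finding in a deterministic order."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings

def build_sample_extension():
    """Constructed sample: an extension package that mistakenly ships its signing key."""
    root = tempfile.mkdtemp(prefix="ext_")
    os.makedirs(os.path.join(root, "js"))
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        fh.write('{"name": "sample-extension", "version": "1.0"}\n')
    with open(os.path.join(root, "js", "main.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    with open(os.path.join(root, "signing.pem"), "w") as fh:  # placeholder body, not a real key
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    return root
```

`scan_tree(build_sample_extension())` flags only `signing.pem`; pointed at a real build directory before packaging, a non-empty result is a reason to fail the build.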
Towards An Easily Achievable Improved Security State for Home Users
Hi everybody!
Wow. It has been busy here at the Security Party — but you wouldn’t think so from the lack of posts.
I’ve been toying with a series of posts which will teach people a few basic steps to achieve a more acceptable state of the security and privacy of their personal computing.
But the trick is, I want this to be for people who are basically not interested in information security at all. I want to publish a set of simple instructions that anyone could do and that have a big impact on security. These could include: changing OS defaults; browser settings; simple practices; free tools to install.
I will probably write this over the summer — maybe immediately after the new Mac OS comes out. So, in the meantime, I’d love for you to send me tips. You can message me here or on Twitter if you have any ideas, and I will most certainly credit your suggestions in the relevant articles.
I’d love to see some debate on this, too. For example, I run the tool Ghostery on my browsers and I love it. Ghostery, for those who do not know, is a tool that watches your web surfing and ferrets out the insidious little tracking bugs and privacy bombs from the sites you visit.
But for the average person, Ghostery is a little complicated. If you put Ghostery into blocking mode, it breaks things like Disqus, Facebook Connect and many other popular services. So our topic of debate would be: what is reasonable? How involved can we expect people to get in their personal infosec?
Sound cool?
Thank you.
People Unclear on the Concept
How can it be, during the Great Rise of the Monkey-in-the-Middle Attack (MiTM) on SSL and the nascent Era of the Compromised Certificate Authority, that a company could have so little in the way of security assessments that they allow something like this to go into production?
Not to be alarmist or anything, but SSL is broken. A single compromised CA installed as a trusted root or chained to a trusted root in your operating system can successfully impersonate any website, regardless of how many times you have visited the site in the past.
My initial thought on this is that there should be a tool to allow the immediate disabling of ALL root CAs for your client computers. The tool should alert a central security assessment team whenever a user requires the use of a secure communication channel to a system. The first time this happens, the user should get redirected to a website that says something like “this website has not yet been assessed by our security staff. We will notify you as soon as this occurs.”
The assessment is tougher, though. What are the criteria for approving a trusted chain? How can an organization assess the security of a different organization? How in depth should one go? Certainly it’s impossible to guarantee secure communication even after a security team enables a root CA.
But the Big WIN here would be that CAs that are never required would be gone, thereby reducing the attack surface significantly.
And obviously security groups should add periodic assessment of all trusted CAs into their regular program of risk analysis.
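A starting point for the periodic assessment called for here, and for the "when did you last check your root CAs" question in the later SSL post above (an added example, not code from the original posts): it pulls the roots the platform trust store hands to Python's ssl module, flags ones that are expired, expiring soon or not self-signed, and counts how many roots each organization holds. The SAMPLE_CERTS entries are constructed in the dict shape `ssl.SSLContext.get_ca_certs()` returns and are not real CAs.

```python
import ssl
import time
from collections import Counter

def name_field(name, key):
    """Pull one attribute (e.g. 'organizationName') out of an ssl cert-dict name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def audit_trust_store(certs, now=None, warn_days=365):
    """Flag roots worth a reviewer's attention: expired or expiring soon, or not self-signed."""
    now = time.time() if now is None else now
    findings = []
    for cert in certs:
        subj, issuer = cert.get("subject", ()), cert.get("issuer", ())
        org = name_field(subj, "organizationName") or name_field(subj, "commonName")
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        reasons = []
        if not_after < now:
            reasons.append("expired")
        elif not_after - now < warn_days * 86400:
            reasons.append("expires within %d days" % warn_days)
        if subj != issuer:
            reasons.append("not self-signed (an intermediate in the root store?)")
        if reasons:
            findings.append((org, reasons))
    return findings

def roots_by_organization(certs):
    """How many trusted roots each organization holds, i.e. who you are really trusting."""
    return Counter(name_field(c.get("subject", ()), "organizationName") or "?" for c in certs)

def load_system_roots():
    """Roots the platform trust store exposes to Python's ssl module on this machine."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()

# Constructed sample certificates in the dict shape get_ca_certs() returns (not real CAs).
def _name(org, cn):
    return ((("organizationName", org),), (("commonName", cn),))
SAMPLE_CERTS = [
    {"subject": _name("Example Root CA Ltd", "Example Root"), "issuer": _name("Example Root CA Ltd", "Example Root"), "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": _name("Old Root Inc", "Old Root"), "issuer": _name("Old Root Inc", "Old Root"), "notAfter": "Jan  1 00:00:00 2010 GMT"},
    {"subject": _name("Example Root CA Ltd", "Example Intermediate"), "issuer": _name("Example Root CA Ltd", "Example Root"), "notAfter": "Jan  1 00:00:00 2035 GMT"},
]
```

Run `audit_trust_store(load_system_roots())` and `roots_by_organization(load_system_roots())` to see the same report for the machine you are sitting at; on the sample data it flags the expired root and the intermediate that has no business in a root store.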
Fun times swinging the digital hammer, no?
Cars in the Cloud: Trackable and Time-Stamped
When an aircraft crashes, investigators are able to retrieve useful information about what went wrong from the flight data recorder, more commonly known as the black box. (The data recorder itself is actually not black, not until it’s retrieved from charred remains.) Statistically speaking, plane crashes are rare occurrences compared to car crashes, so why not install a black box for cars?
That’s exactly what Japanese telemetrics company Crew Systems developed: a driving data recorder for cars and trucks. A big market exists for these in Japan, since businesses with more than five vehicles are required by law to produce daily reports on the driving habits of their drivers.
Full Story: Wired
Macworld’s excellent reporting on the recent Mac-oriented Flashback trojan. The attack exploits a vulnerability in Java, which isn’t installed by default on Macs running Snow Leopard. However, many Macs still run Java, and most are probably still vulnerable due to the fact that Apple has only recently released the required patch for Java.
One takeaway:
Apple clearly needs to start patching software that’s known to be vulnerable more quickly. After the success of Flashback, we can only assume the bad guys will move more quickly the next time they are given this window of opportunity
Better passwords for better security.
The Wired piece about the NSA’s new data centre in Utah is making the rounds. Especially interesting to security people is the following quote, which, to me, is probably the really meaty topic here, but not really delved into at all by the reporter:
According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”
ORLY??!?!
So far, I haven’t seen anybody mention much more than sophisticated attacks against specific, buggy, implementations of algorithms or, perhaps, attacks against encryption using shorter keys.
I am about as far from a cryptanalyst or a cryptographer as one can get — I stopped at Calculus II in University — but this is about as meaty a nugget as one could imagine being dropped casually in the dog bowl.
Avi Rubin’s TEDxMidAtlantic talk on academic hack highlights. Interesting!