Re: [funsec] Autoupdaters are the best security tool since Diffie-Hellman...
Remarkably tricky to do well, though.

On Sun, Dec 23, 2012 at 4:19 PM, Jeffrey Walton noloa...@gmail.com wrote:
> Came across this recently: Autoupdaters are the best security tool since Diffie-Hellman (http://www.slideshare.net/jserv/brief-tour-about-android-security).
>
> I could not agree more, and I will be lifting that quote.

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Re: [funsec] Autoupdaters are the best security tool since Diffie-Hellman...
On Mon, Dec 24, 2012 at 3:54 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Dec 24, 2012 at 5:49 AM, Dan Kaminsky d...@doxpara.com wrote:
>> Remarkably tricky to do well, though.
>
> Do it like Apple: perform your updates over HTTP. Make it a feature so an organization trying to manage a non-organizational MacBook can provide DNS and the Update Service. And don't sign the catalogs (TAR balls fetched before the signed update). No problems ;)
>
> What I can't understand: when it was applied against in-App purchases (StoreKit), Apple cried foul.
> http://z6mag.com/technology/apple/free-apps-for-ipad-iphone-security-flaw-in-ios-goes-unfixed-by-apple-1612248.html
>
> It would be funny if it wasn't true:
>
> Apple has now added a 'unique identifier' field to receipts, and given developers tools so they could verify digital receipts on their own server. However, this only works if the developer runs the receipt through their server first. Apps that connect directly to the Apple App Store server are still vulnerable to the hack.
>
> Instead of taking advantage of the pre-existing relationship between the StoreKit API and Apple Servers by pinning the certificate (similar to SSH's StrictHostKeyCheck), Apple pushed it on developers. Amazing.

Like I said: Remarkably tricky to do well.

Autoupdating third party apps is still an unsolved problem, save for the web where you redownload the client every time (a *wildly successful* approach, as it happens). iOS's third party app updating is a hilariously broken experience.
Re: [funsec] In Defense of HTML5
Let's see here. Of the bad, iframe sandboxing is a straight up security technology, cross site scanning has been around since time began (img src=' http://1.2.3.4:8123/foo.jpg; onload=x onerror=y and then check millis in x and y), web notifications are a slightly more usable window.open, geolocation is consent based in the way geolocation of IP addresses is not and can never be, and...form tampering? In what universe can JavaScript not alter forms?

On Tue, Dec 4, 2012 at 12:20 PM, Paul Ferguson fergdawgs...@gmail.com wrote:
> I'll let people make up their own minds, of course, but I predict it will be a security nightmare.
>
> A former colleague (and great friend) at Trend Micro, Bob McArdle, did a nice write-up of HTML5 called HTML5: The Good, The Bad, and The Ugly:
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/html5-thegood/
> http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-bad/
> http://blog.trendmicro.com/trendlabs-security-intelligence/html5-the-ugly/
>
> He wins my award for presenting this at the most number of conferences in 2012. :-)
>
> Also: HTML5 Overview: A look at HTML5 Attack Scenarios
> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
>
> All are worth reading.
>
> - ferg (not at Trend Micro anymore :-)
>
> On Tue, Dec 4, 2012 at 12:00 PM, Stephanie Daugherty sdaughe...@gmail.com wrote:
>> As far as attack surface goes, the comparison between Flash and HTML5 really isn't a comparison. I'll take the HTML5 pain if it replaces the black box of paper thin glass that is Flash.
>>
>> On Tue, Dec 4, 2012 at 2:08 PM, Jeffrey Walton noloa...@gmail.com wrote:
>>> http://www.thesecuritypractice.com/the_security_practice/2012/11/in-defense-of-html5-1.html
>>>
>>> Many of the broad family of specifications commonly grouped under the “HTML5” umbrella are scheduled to be completed in 2013, and with the release of Internet Explorer 10, the users of every major web browser flavor can enjoy rich Web apps written on the open web platform, with no need for plugins.
>>>
>>> Lots of people are excited about HTML5, but one group I don’t see as particularly excited are security experts, or perhaps they’re only excited in a rather cynical fashion. Full employment! Browser botnets! A lifetime of conference talks! And the malediction against HTML5 isn’t just coming from folks with a product to sell or a slide deck to submit – HTML5 has become a common boogeyman representing out-of-control complexity and vast attack surface for some of the very best analysts and researchers in the field. So, although developers are racing to embrace it, CISOs, CIOs and enterprise security decision makers as a group seem wary.
>>>
>>> Frankly this puzzles and distresses me, because from my perspective, HTML5 is a key part – perhaps the most important part – in one of the greatest security success stories in the history of computing. The story of the web browser over the last decade is the story of something completely unprecedented – a tremendous increase in functionality and use that happened side-by-side with a tremendous decrease in vulnerability and attack surface. Don’t believe me? Let’s go back a decade…
>>> ...
>
> --
> Fergie, a.k.a. Paul Ferguson
> fergdawgster(at)gmail.com
Re: [funsec] Sandy and BCP
Sent from my iPhone

On Nov 6, 2012, at 10:28 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Tue, Nov 6, 2012 at 12:44 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
>> The flooding of New York City was, once again, an example of known threats not being addressed.
>> http://www.economist.com/blogs/gulliver/2012/11/defending-new-york-floods
>>
>> It would have been too expensive to do anything about the issues. (Flood costs currently $50B and rising as more damage found.)
>>
>> Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions. Brought on by global warming/climate change. Which is another issue that is too expensive to address ...
>
> In the aftermath, I was thinking: boy, a natural disaster did this by happenstance. What would be the result of a concerted effort by an intelligent group who are angry about socio-economic injustice and biased foreign policies in other regions of the world. Probably not as epic as an 870-mile-long storm.
>
> Jeff
Re: [funsec] Sandy and BCP
To be fair, if you exclude construction in all places that suffer disasters, you can't build anywhere, and most land will lie fallow. Meanwhile prices do not take into account significant disaster risk, and insurance may literally not be available. Taxes end up being a mechanism by which the resources of a country may still be used despite risk that is on a timeline greater than the market can comprehend.

Sent from my iPhone

On Nov 6, 2012, at 10:35 AM, Drsolly drsol...@drsolly.com wrote:
> There's an interesting issue here. If the imprudent Mr Piggy builds a straw house next to a place that floods, should I be taxed to build flood defences around his house? This is a problem we're getting in the UK, where far too many housing estates are being built on flood plains.
>
> On Tue, 6 Nov 2012, Rob, grandpa of Ryan, Trevor, Devon Hannah wrote:
>> The flooding of New York City was, once again, an example of known threats not being addressed.
>> http://www.economist.com/blogs/gulliver/2012/11/defending-new-york-floods
>>
>> It would have been too expensive to do anything about the issues. (Flood costs currently $50B and rising as more damage found.)
>>
>> Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions. Brought on by global warming/climate change. Which is another issue that is too expensive to address ...
>>
>> (Why do I have this old oil filter ad tagline running through my head? You can pay me now ... or pay me later ...)
>>
>> ==
>> (quote inserted randomly by Pegasus Mailer)
>> rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
>> Verba volant, scripta manent
>> Spoken words fly away, while written words stay on
>> victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
>> http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade
Re: [funsec] What's the yiddish for 'D'Oh!?
Oi veismere. Perhaps Oi gevalt.

Sent from my iPhone

On Aug 14, 2012, at 2:07 PM, Valdis Kletnieks valdis.kletni...@vt.edu wrote:
> http://www.npr.org/blogs/thetwo-way/2012/08/14/158773637/leader-of-anti-semitic-party-in-hungary-discovers-hes-jewish?ft=1f=1001
Re: [funsec] Seriously?
It's gotten substantially worse.

Sent from my iPhone

On May 5, 2012, at 2:06 PM, Joel Esler jes...@sourcefire.com wrote:
> I wouldn't exactly call it new.
>
> --
> Joel Esler
>
> On May 5, 2012, at 3:18 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> Seriously? The new threat of user-initiated drive by downloads?
>>
>> ===
>> Don’t Install Android Security Updates While Browsing the Web,
>> http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/
>>
>> Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads.
>>
>> Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware.
>> ...
Re: [funsec] Seriously?
So what's your bet on whether AV detects it?

On Sat, May 5, 2012 at 7:40 PM, michael.blanch...@emc.com wrote:
> I LOVE stuff like this. Just because of the security professionals that come running out of the woodwork to us asking us ... Hey you see this new thing?!?! It's totally OH-day and I'll bet A/V doesn't detect it too!!...
>
> I use it as a gauge of how much those folks actually know, and try to avoid them in the future. It really sucks when it's folks that work with you too! Used to happen in another gig years ago... Would never happen where I am now! LOL
>
> Mike B
>
> - Original Message -
> From: Jeffrey Walton [mailto:noloa...@gmail.com]
> Sent: Saturday, May 05, 2012 03:18 PM
> To: FunSec List funsec@linuxbox.org
> Subject: [funsec] Seriously?
>
> Seriously? The new threat of user-initiated drive by downloads?
>
> ===
> Don’t Install Android Security Updates While Browsing the Web,
> http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/
>
> Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads.
>
> Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware.
> ...
Re: [funsec] Aliens take over the Internet!
I'm not saying it's aliens...

(The fact that they lean on search engines to goose this number unfortunately removes more credibility than it adds. Got greedy.)

On Fri, Mar 16, 2012 at 12:40 AM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
> http://www.theatlanticwire.com/technology/2012/03/non-humans-account-51-all-interent-traffic/49967/
>
> Oh, sorry, when it said non-humans ...
>
> ==
> (quote inserted randomly by Pegasus Mailer)
> rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
> Conceal a flaw, and the world will imagine the worst. - Marcus Valerius Martialis
> victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
> http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade
Re: [funsec] Issa Announces Oversight Hearing
On Mon, Jan 9, 2012 at 10:30 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 09 Jan 2012 21:08:26 PST, Rob, grandpa of Ryan, Trevor, Devon Hannah said:
>> http://j.mp/A9G3fG
>>
>> (U.S. House) House Committee on Oversight and Government Reform Chairman Darrell Issa (R-CA) today announced that the Full Committee will hold a hearing on January 18 to examine the potential impact of Domain Name Service (DNS) and search engine blocking on American cyber-security, jobs and the Internet community.
>
> Maybe he should have held the frikking hearings *before* he introduced the legislation?

He didn't introduce the legislation.
Re: [funsec] Issa Announces Oversight Hearing
On Tue, Jan 10, 2012 at 5:25 AM, valdis.kletni...@vt.edu wrote:
> On Tue, 10 Jan 2012 05:09:45 PST, Dan Kaminsky said:
>>> Maybe he should have held the frikking hearings *before* he introduced the legislation?
>>
>> He didn't introduce the legislation.
>
> Wyden and Issa's OPEN bill was introduced back on Dec 8.
> http://wyden.senate.gov/newsroom/press/release/?id=76dc4001-9cb8-42be-9c39-ebdc748162fc

Competing bill, much narrower focus, and executed with this fairly revolutionary public comment interface that drilled down to each section. Issa's been excellent.
Re: [funsec] Issa Announces Oversight Hearing
On Tue, Jan 10, 2012 at 5:28 AM, Dan Kaminsky d...@doxpara.com wrote:
> On Tue, Jan 10, 2012 at 5:25 AM, valdis.kletni...@vt.edu wrote:
>> On Tue, 10 Jan 2012 05:09:45 PST, Dan Kaminsky said:
>>>> Maybe he should have held the frikking hearings *before* he introduced the legislation?
>>>
>>> He didn't introduce the legislation.
>>
>> Wyden and Issa's OPEN bill was introduced back on Dec 8.
>> http://wyden.senate.gov/newsroom/press/release/?id=76dc4001-9cb8-42be-9c39-ebdc748162fc
>
> Competing bill, much narrower focus, and executed with this fairly revolutionary public comment interface that drilled down to each section. Issa's been excellent.

As of course has Wyden, who's really gone to the mat with this hold/filibuster in the Senate.
Re: [funsec] Best Way to Avoid Virus Infection? Update Your Software
Can anyone find the circular definition in this story? It's amusingly subtle.

On Fri, Apr 15, 2011 at 4:48 AM, Jeffrey Walton noloa...@gmail.com wrote:
> “Bradley Antis, vice president of technical strategy at Orange, Calif.-based M86 Security, [said] the 15 software vulnerabilities that were most often exploited in the second half of 2010 could have been stopped dead in their tracks — all already had been patched by their vendors. The vulnerabilities continued to spread only because countless PC users didn’t bother to update their software, leaving enough unpatched machines on the Internet to allow the exploits to thrive.”
> http://www.securitynewsdaily.com/best-way-avoid-virus-infection-update-software-0685/
>
> Apparently, Epsilon did not get the memo.
Re: [funsec] Best Way to Avoid Virus Infection? Update Your Software
Unpatched vulnerabilities are usually undetected. If they were detected, they'd probably be patched.

On Fri, Apr 15, 2011 at 7:53 AM, Blue Boar blueb...@thievco.com wrote:
> Using unpatched vulns as justification for pushing patching?
>
> Ryan
>
> On 4/15/11 5:27 AM, Dan Kaminsky wrote:
>> Can anyone find the circular definition in this story? It's amusingly subtle.
>>
>> On Fri, Apr 15, 2011 at 4:48 AM, Jeffrey Walton noloa...@gmail.com wrote:
>>> “Bradley Antis, vice president of technical strategy at Orange, Calif.-based M86 Security, [said] the 15 software vulnerabilities that were most often exploited in the second half of 2010 could have been stopped dead in their tracks — all already had been patched by their vendors. The vulnerabilities continued to spread only because countless PC users didn’t bother to update their software, leaving enough unpatched machines on the Internet to allow the exploits to thrive.”
>>> http://www.securitynewsdaily.com/best-way-avoid-virus-infection-update-software-0685/
>>>
>>> Apparently, Epsilon did not get the memo.
Re: [funsec] No solution on the market today can prevent the infinite number of AETs!
In what universe is evasion difficult?

Sent from my iPhone

On Dec 3, 2010, at 9:22 AM, David M Chess ch...@us.ibm.com wrote:
> Is there anyone legitimate behind www.antievasion.com, or is it just the usual amusing "everyone previous to us was stupid, but now we have discovered that it's possible to create new attacks that won't be detected right away, maybe!" sort of hype?
>
> DC
Re: [funsec] Academic Cyberbully Is Sentenced to Jail in Dead Sea Scrolls Case
Sent from my iPhone

On Nov 21, 2010, at 8:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Fri, Nov 19, 2010 at 10:03 AM, Shawn Merdinger shawn...@gmail.com wrote:
>> http://chronicle.com/blogs/wiredcampus/academic-cyberbully-sentenced-to-jail-in-dead-sea-scrolls-case/28269
>>
>> The Dead Sea Scrolls cyberbully is being sent to jail. A judge in New York State’s main trial court sentenced Raphael Golb, a lawyer, to six months in prison for using false online identities to harass and discredit academics in a debate over the origin of the Dead Sea Scrolls, the Associated Press reported.
>
> Wires look crossed here: Using someone else's SSN is not identity theft. But using someone else's name is. Keep in mind SSNs are unique, names are not.

In this case, I assume the problem was a lack of a clear identity to attribute attacks to. The law has a long history of penalizing illegal behavior more when you visibly attempt to avoid consequences.
Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
> Here’s an amazing fact: some individual Social Security numbers are in use right now by up to 3,000 people and it isn’t at all unusual for a borrowed number to be used by 200-1,000 people at the same time . . .

Well, that turned out a more nuanced answer than I expected. SSN's are nonrandom, but unique. Interestingly, that means, given a working SSN#, all the numbers nearby are working SSN#'s as well. In fact, technically, a random sequence of digits is 50% likely to be a working SSN#, actually of somebody born approximately at the same time and place as the first #.

This argues fairly strongly that the number alone isn't an identity, and that the (number,name) is. In fact, that seems to be how businesses are setting up their databases.

Thus making the ruling...right.
Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
Did anyone actually read the ruling? They're basically saying a SSN# isn't an identity. Given that SSN#'s aren't actually unique in the population, they're, you know, right.

On Wed, Nov 17, 2010 at 1:07 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Wed, Nov 17, 2010 at 3:55 PM, valdis.kletni...@vt.edu wrote:
>> On Wed, 17 Nov 2010 11:52:03 PST, Tomas L. Byrnes said:
>>> While I would never advocate criminality, it would be poetic justice if the SSIDs of all the justices who voted in favor of this SSIDs were posted on some website used to sell such data to those looking for clean credit. After all, it is no big deal, according to them.
>>
>> My reading of it is that they didn't think it was no big deal, it was that the law *as written* didn't make it actually *illegal*. In cases like that, don't complain about the judge, complain about the legislative body that wrote the flawed law.
>
> It's funny how judges will legislate from the bench when it suits them or their keepers (or fraternity brothers, or college buddies, or former law partners, or those making campaign contributions, etc)
>
> Jeff
Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
On Wed, Nov 17, 2010 at 4:04 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Wed, Nov 17, 2010 at 6:58 PM, Dan Kaminsky d...@doxpara.com wrote:
>> Did anyone actually read the ruling? They're basically saying a SSN# isn't an identity. Given that SSN#'s aren't actually unique in the population, they're, you know, right.
>
> Expand, please.
>
> http://www.schneier.com/blog/archives/2009/07/social_security.html
>
> Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.
>
> ===
>
> This is, of course, a direct consequence of (from Wikipedia/SocialSecurity.gov):
>
> The Social Security number is a nine-digit number in the format AAA-GG-. The number is divided into three parts.
>
> The Area Number, the first three digits, is assigned by the geographical region. Prior to 1973, cards were issued in local Social Security offices around the country and the Area Number represented the office code in which the card was issued. This did not necessarily have to be in the area where the applicant lived, since a person could apply for their card in any Social Security office.
>
> Since 1973, when SSA began assigning SSNs and issuing cards centrally from Baltimore, the area number assigned has been based on the ZIP code in the mailing address provided on the application for the original Social Security card. The applicant's mailing address does not have to be the same as their place of residence. Thus, the Area Number does not necessarily represent the State of residence of the applicant, neither prior to 1973, nor since.
>
> Generally, numbers were assigned beginning in the northeast and moving south and westward, so that people on the east coast had the lowest numbers and those on the west coast had the highest numbers. As the areas assigned to a locality are exhausted, new areas from the pool are assigned, so some states have noncontiguous groups of numbers.
>
> Complete list of area number groups from the Social Security Administration
>
> The middle two digits are the group number. The group numbers range from 01 to 99. However, they are not assigned in consecutive order. For administrative reasons, group numbers are issued in the following order:
>
> ODD numbers from 01 through 09
> EVEN numbers from 10 through 98
> EVEN numbers from 02 through 08
> ODD numbers from 11 through 99
>
> As an example, group number 98 will be issued before 11.
>
> The last four digits are serial numbers. They represent a straight numerical sequence of digits from 0001- within the group.
>
> Information from http://www.socialsecurity.gov/history/ssn/geocard.html
>
> On June 25, 2011, SSA will change the SSN assignment process to SSN Randomization. SSN randomization will affect the SSN assignment process in the following ways:
>
> It will eliminate the geographical significance of the first three digits of the SSN, currently referred to as the area number, by no longer allocating the area numbers for assignment to individuals in specific states.
>
> It will eliminate the significance of the highest group number and, as a result, the High Group List will be frozen in time and can be used for validation of SSNs issued prior to the randomization implementation date.
>
> Previously unassigned area numbers will be introduced for assignment excluding area numbers 000, 666 and 900-999.
>
> ===
Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
On Wed, Nov 17, 2010 at 4:08 PM, Dan Kaminsky d...@doxpara.com wrote:

> On Wed, Nov 17, 2010 at 4:04 PM, Jeffrey Walton noloa...@gmail.com wrote:
>
>> On Wed, Nov 17, 2010 at 6:58 PM, Dan Kaminsky d...@doxpara.com wrote:
>>
>>> Did anyone actually read the ruling? They're basically saying a SSN# isn't an identity. Given that SSN#'s aren't actually unique in the population, they're, you know, right.
>>
>> Expand, please.
>>
>> http://www.schneier.com/blog/archives/2009/07/social_security.html
>>
>> Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration's Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.
>>
>> ===
>>
>> This is, of course, a direct consequence of (from Wikipedia/SocialSecurity.gov):
>>
>> The Social Security number is a nine-digit number in the format AAA-GG-. The number is divided into three parts.
>>
>> The Area Number, the first three digits, is assigned by the geographical region. Prior to 1973, cards were issued in local Social Security offices around the country and the Area Number represented the office code in which the card was issued. This did not necessarily have to be in the area where the applicant lived, since a person could apply for their card in any Social Security office. Since 1973, when SSA began assigning SSNs and issuing cards centrally from Baltimore, the area number assigned has been based on the ZIP code in the mailing address provided on the application for the original Social Security card. The applicant's mailing address does not have to be the same as their place of residence. Thus, the Area Number does not necessarily represent the State of residence of the applicant, neither prior to 1973, nor since. Generally, numbers were assigned beginning in the northeast and moving south and westward, so that people on the east coast had the lowest numbers and those on the west coast had the highest numbers. As the areas assigned to a locality are exhausted, new areas from the pool are assigned, so some states have noncontiguous groups of numbers.
>>
>> Complete list of area number groups from the Social Security Administration
>>
>> The middle two digits are the group number. The group numbers range from 01 to 99. However, they are not assigned in consecutive order. For administrative reasons, group numbers are issued in the following order:
>>
>> ODD numbers from 01 through 09
>> EVEN numbers from 10 through 98
>> EVEN numbers from 02 through 08
>> ODD numbers from 11 through 99
>>
>> As an example, group number 98 will be issued before 11.
>>
>> The last four digits are serial numbers. They represent a straight numerical sequence of digits from 0001- within the group.
>>
>> Information from http://www.socialsecurity.gov/history/ssn/geocard.html
>>
>> On June 25, 2011, SSA will change the SSN assignment process to SSN Randomization. SSN randomization will affect the SSN assignment process in the following ways:
>>
>> It will eliminate the geographical significance of the first three digits of the SSN, currently referred to as the area number, by no longer allocating the area numbers for assignment to individuals in specific states.
>>
>> It will eliminate the significance of the highest group number and, as a result, the High Group List will be frozen in time and can be used for validation of SSNs issued prior to the randomization implementation date.
>>
>> Previously unassigned area numbers will be introduced for assignment excluding area numbers 000, 666 and 900-999.
>>
>> ===
>
> Actually, technically, the above doesn't *necessarily* make SSNs non-unique. It just means that they're not randomly assigned. They could still be uniquely assigned within a non-random space.

So that's a fairly significant assumption on my part, especially with some evidence of being willing to use non-contiguous assignment to deal with exhausting of numbers.

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
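The pre-randomization SSN structure quoted in the thread (the AAA-GG-SSSS layout, the odd/even group-number issuance order, the area numbers SSA never assigns, and the frozen High Group List used to validate older numbers) can be turned into a plain data-quality check. The following is an added example, not code from the thread or from SSA: it only tests whether a number is structurally plausible under those rules and does not predict or generate anything. The `high_group` argument is an assumed input standing in for an area's High Group List entry, and every sample number in it is constructed.

```python
"""Structural checks for pre-randomization SSNs (added example, not from the thread).

Encodes the assignment rules quoted above: the AAA-GG-SSSS layout, the
non-consecutive group-number issuance order, and the area numbers SSA never
assigns (000, 666, 900-999). It is a data-quality check for records only.
The high_group value is an assumed input standing in for an entry from SSA's
High Group List, which the thread says is frozen for validating older numbers.
"""
import re

NEVER_ASSIGNED_AREAS = {0, 666} | set(range(900, 1000))


def group_issue_order():
    """The 99 group numbers in the order SSA issued them within an area:
    odd 01-09, then even 10-98, then even 02-08, then odd 11-99."""
    return (list(range(1, 10, 2))
            + list(range(10, 99, 2))
            + list(range(2, 9, 2))
            + list(range(11, 100, 2)))


_ORDER = group_issue_order()
_RANK = {g: i for i, g in enumerate(_ORDER)}


def issued_before(group_a, group_b):
    """True if group_a was issued before group_b (e.g. 98 before 11)."""
    return _RANK[group_a] < _RANK[group_b]


def groups_issued_through(high_group):
    """All group numbers issued in an area whose High Group List entry is
    high_group, i.e. every group up to and including it in issuance order."""
    if high_group not in _RANK:
        raise ValueError(f"group number out of range: {high_group!r}")
    return set(_ORDER[:_RANK[high_group] + 1])


def parse_ssn(text):
    """Split 'AAA-GG-SSSS' (dashes optional) into ints, or None if malformed."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", text.strip())
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def structurally_plausible(text, high_group=None):
    """Apply the pre-randomization structural rules. With high_group given,
    also reject group numbers that area had not yet reached."""
    parsed = parse_ssn(text)
    if parsed is None:
        return False
    area, group, serial = parsed
    if area in NEVER_ASSIGNED_AREAS:
        return False
    if group == 0:          # group numbers run 01-99
        return False
    if serial == 0:         # serials start at 0001
        return False
    if high_group is not None and group not in groups_issued_through(high_group):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; none is a real person's number.
    print(issued_before(98, 11))                                  # True
    print(structurally_plausible("123-98-0001", high_group=11))   # True
    print(structurally_plausible("123-11-0001", high_group=98))   # False
    print(structurally_plausible("666-12-3456"))                  # False
```

The ordering check is the part worth having in code: a naive "group must be below the high group" comparison would wrongly accept 11 in an area that had only reached 98 and wrongly reject 98 in an area that had reached 11, which is exactly the example the SSA text gives.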
Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
On Wed, Nov 17, 2010 at 5:49 PM, Peter Evans pe...@ixp.jp wrote:

> On Wed, Nov 17, 2010 at 03:58:50PM -0800, Dan Kaminsky wrote:
>
>> Did anyone actually read the ruling? They're basically saying a SSN# isn't an identity. Given that SSN#'s aren't actually unique in the population, they're, you know, right.
>
> They aren't? I thought they were supposed to be. Like passports and driver's licenses.

Nawp, I was wrong. They're non-random, but unique.
Re: [funsec] Quantum system hacked in 'blinding' attack
Yeah, this keeps happening. See: http://www.scribd.com/doc/19003834

The general problem is that the quantum guys keep treating photons, and photon detectors, as systems that do only what they are specified. An equivalent might be a system that is only audited on TCP port 80, but unfortunately there's a few dozen more ports open. On IP networks, it's relatively easy to prove exclusive behavior. In quantum networks, the challenge is to prove there are no photons or particles that will not expose undefined behavior. No offense, but good luck with that.

On Thu, Sep 2, 2010 at 11:23 AM, Jeffrey Walton noloa...@gmail.com wrote:

> http://www.v3.co.uk/v3/news/2268908/quantum-system-hacked-blinding
Re: [funsec] To see why iris scanning can be a biometric ...
So there were actually a couple of *really* cool papers at SIGGRAPH this year:

Normally, computer graphics is all about, given a material, determine the way light interacts with it. Lately, the field has been moving the other direction -- given an understanding of the way light interacts with a material, synthesize something with those properties:

Physical Reproduction of Materials with Specified Subsurface Scattering
http://www.cs.princeton.edu/gfx/pubs/Hasan_2010_PRO/index.php

Fabricating Spatially-Varying Subsurface Scattering
http://www.dongallen.com/project/fabscat/fabscat.htm

(heh.)

The general problem with biometrics is that they leak. We've already seen spoofing hit fingerprint scanners -- with gummi bears, no less. It's pretty clear that 3D printers are effectively becoming material replication engines. Ginning up a sufficient ocular biometric is going to be an affordable proposition in an uncomfortably small period of time.

We have much lower standards for biometrics than crypto ciphers. People _really_ want to be able to self-authenticate.

That being said, security might be quantized, but it's not absolute. Once you start throwing in things like threats to family, not even duress phrases are a catch all (anything happens to us, your family is dead in a year). And there has never, in the history of man, been a security technology that has achieved complete success against repudiation. Just not how the world works.

Last note -- my understanding is that iris entropy is pretty high -- not as high as blood vessels on the retina, but higher than fingerprints, and way higher than hand geometry. It also leaks less, in that fingerprints are just deposited everywhere.

On Sat, Aug 21, 2010 at 11:51 PM, Tomas L. Byrnes t...@byrneit.net wrote:

> To rephrase in language of security; The requirement is a non-repudiable, non-forgeable, single identity token. The mooted solution is iris scanning, because it is unique, and supposedly hard to copy.
>
> The premise is that this can be used solely on the basis of “something you have or are” as opposed to the time-honored double verification of “something you have and something you know”.
>
> Applying basic logic, this means that the mooted solution is only valid if the token (the iris) is indeed cryptographically validly (meaning more complex than the equivalently acceptable crypto algorithm is to crack or spoof) non clonable/stealable for the required level of access.
>
> Since you can always kidnap someone or their family, and hold a gun to their head to make them scan their own real eye, and if there is no secondary authentication that could allow for a “I’ve been compromised” response, the whole concept of iris scanning as a single token is busted.
>
> The invalidity of just scanning an iris as a means of access control and authentication has nothing to do with the uniqueness of the iris, and everything to do with the ease of acquiring a particular iris with the access you require.
>
> Absent the ability to further authenticate the legitimacy of the access request, to include appropriate response to duress (don’t lock out, allow access and then interdict), any access control method fails the basic logic of defense against probable attack scenarios.
>
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Dan Kaminsky
> Sent: Friday, August 06, 2010 4:27 PM
> To: rmsl...@shaw.ca
> Cc: funsec@linuxbox.org
> Subject: Re: [funsec] To see why iris scanning can be a biometric ...
>
> Anything can be a biometric. The problem is we leak the damn things all over the place.
>
> On Fri, Aug 6, 2010 at 8:18 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
>
>> http://www.photographyserved.com/Gallery/Your-beautiful-eyes/428809
>>
>> == (quote inserted randomly by Pegasus Mailer)
>> rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
>> After the rush is over, I'm going to have a nervous breakdown. I've worked for it, I owe it to myself, and nobody is going to deprive me of it.
>> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
>> http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
Re: [funsec] The ISC is the Microsoft of the DNS, BIND its Windows, ...
Jeffrey,

It ain't the US that's leading the way in DNS based blocklists, now is it?

Ultimately DNS is not the right layer to do general purpose filtering. There's no question that national blocklists slot very nicely into this proposal by Vixie, but really, for the threat you discuss we already live in that future.

On Fri, Aug 6, 2010 at 2:12 PM, Jeffrey Walton noloa...@gmail.com wrote:

> Hi Paul,
>
> What happens when the US government comes-a-knocking, desiring to manipulate data while claiming some sort of purview under the gestapo legislation known as the PATRIOT Act (or insert legislation name here)? The hooks provided by the ISC and used by the domain operator will facilitate the DNS subversion nicely.
>
> Put another way, the ISC proposal has just made it easier for US government abuses, and abuses which can affect not only US citizens, but citizens of other countries. Perhaps the ISC should also divest DNS interests from the US so that more dns operators, immune from US control, are available to the community.
>
> Jeff
>
> On Fri, Aug 6, 2010 at 1:07 AM, Paul Vixie vi...@isc.org wrote:
>
>> http://domainincite.com/vixie-declares-war-on-domain-name-crooks/
Re: [funsec] To see why iris scanning can be a biometric ...
Anything can be a biometric. The problem is we leak the damn things all over the place.

On Fri, Aug 6, 2010 at 8:18 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:

> http://www.photographyserved.com/Gallery/Your-beautiful-eyes/428809
>
> == (quote inserted randomly by Pegasus Mailer)
> rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
> After the rush is over, I'm going to have a nervous breakdown. I've worked for it, I owe it to myself, and nobody is going to deprive me of it.
> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
> http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
Re: [funsec] Apple’s Antenna Design and Test Labs
More to the point, the security system (encasing every phone in a shell, so that nobody could steal the design when it was out and about) caused all the external testing to fail, doing more damage than if the phone design had actually been stolen.

On Tue, Jul 20, 2010 at 10:02 PM, rac...@mcs.anl.gov wrote:

> I think the bottom line on this is best summed up with "The difference between theory and practice is much bigger in practice than in theory."
>
> While they spent all that money on lab for testing, it certainly appears that they didn't actually have a person holding the phone while testing it. Works great in the lab. In the field...
>
> In dealing with things in a lab, many times you get into a routine. You make lots of tests, but don't realize there is a basic flaw in the way the person holds the phone that doesn't test how most people hold it.
>
> --Gene
>
> Juha-Matti Laurio made the following keystrokes:
>
>> http://www.apple.com/antenna/testing-lab.html via Cryptome
>>
>> Apple has invested more than $100 million building its advanced antenna design and test labs.
>>
>> Juha-Matti
Re: [funsec] Teens now getting high off 'digital drugs'
Man, I know there are people who want a drug war over MP3's, but this is ridiculous.

(This stuff goes back, of course. I remember cn.exe, for Computer Narcotics. As effective as any form of meditation...perhaps we'll see SWAT raids on monks now?)

On Jul 15, 2010, at 9:18 AM, Juha-Matti Laurio juha-matti.lau...@netti.fi wrote:

> Scary and dangerous: I-dosing on digital drugs is becoming an alarming new trend amongst teens. Web sites are luring kids with free downloads of digital drugs, which are audio files designed to induce drug-like effects. The sites claim it is a safe and legal way to get high, but parents fear it could lead to illegal drug use. Videos of teenagers trying digital drugs are all over YouTube, leaving parents, educators and law enforcement officials with the Oklahoma Bureau of Narcotics and Dangerous Drugs concerned.
>
> http://www.newson6.com/global/story.asp?s=12793977
>
> Juha-Matti
Re: [funsec] Apple's worst security breach: 114,000 iPad owners exposed
On the one hand, privacy operates on a completely different wavelength (specifically, the worst _has_ happened, instead of the worst _could_ happen). On the other, people are pulling things out of their butt to justify an extreme *security* response to what is pretty obviously a low grade security vuln.

Believe it or not, this is a good thing. After the ridiculous (ongoing!) overreaction to the Google wifi beacon capture bug, I was wondering if privacy overreactions had any limit. Apparently they do -- even the lamest reporter will respond to "OMG MIKE BLOOMBERG HAS AN IPAD" with "...so?". Sure, *we* get dragged into the mess, but heh.

On Thu, Jun 10, 2010 at 7:26 AM, David Harley david.a.har...@gmail.com wrote:

> OTOH: Apple's worst security breach, or a great big hyperbole?
>
> http://www.sophos.com/blogs/duck/g/2010/06/10/apples-worst-security-breach/
>
> --
> David Harley BA CISSP FBCS CITP
> ESET Research Fellow
>
> -----Original Message-----
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Juha-Matti Laurio
> Sent: 10 June 2010 11:34
> To: funsec@linuxbox.org
> Subject: [funsec] Apple's worst security breach: 114,000 iPad owners exposed
>
> Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They, and every other buyer of the cellular-enabled tablet, could be vulnerable to spam marketing and malicious hacking. The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised.
>
> http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed?skyline=trues=i
>
> Juha-Matti
Re: [funsec] OK, here's a risk analysis question for you ...
> I checked it, and while I'm able to reproduce the calculation, I'm not able to reproduce the numbers: my results are an order of magnitude and change larger. There could be any number of reasons for that: I might have botched the math, or a units conversion, or chosen significantly unrealistic values for some of the other parameters required (like viscosity or fluid velocity). Or my fluid mechanics may be rustier than I thought.
>
> But that's, I think, just one more reason why we should be dispensing with all these estimates in favor of a direct measurement: the Pitot tube method should yield a value for total fluid discharge accurate to better than 1%.

Yup. It's an absolutely valid argument that the reason we're stuck with people pulling numbers out of their butt, is that there's really nowhere else to pull said numbers from.
Re: [funsec] OK, here's a risk analysis question for you ...
Anybody else wondering if the reason they're resisting is because they already sent a pitot tube down there, got the numbers, and realized that if the numbers were known, they'd be looking for a good criminal defense lawyer? Really, it's hard to see an upside to releasing the numbers for them.

I think, when it's all said and done, one of the more interesting questions is going to become "how the heck did we even get that video?"
Re: [funsec] yeah, right.
On Sun, May 16, 2010 at 4:53 PM, Florian Weimer f...@deneb.enyo.de wrote:

> * Larry Seltzer:
>
>> Actually, unless you dispute their factual claims about how it happened it seems perfectly plausible to me that it was a mistake.
>
> Apparently, gathering MAC addresses was no accident. Combined with location information from the car, wouldn't that allow tracing the whereabouts of mobile devices in some cases?
>
> It's been reported that the excess collection amounted to 600 GB over 3 years. To put this in perspective, I probably wouldn't notice if I retained 60 GB of unnecessary personal email (such as spam) during that time period. 8-/

Sometimes you get a beacon, sometimes you get data. Both have BSSIDs -- MAC addresses in the 802.11 space. There is effectively a 1 to 1 mapping between BSSIDs and SSIDs. The more frames you have -- of any type -- the easier it is to determine the effective territory covered by a particular SSID. As anyone with even a lick of experience in radio knows, coverage maps are not simply "n meters from antenna" -- there are complex nonlinear reflections at play. You want lots of samples to build the bounding box.

What likely happened here is that they were picking up all possible frames, just to get accurate data. They didn't scrub payloads because they weren't even thinking about payloads. Historically we've mostly cared about data release (thus why TCP log anonymizers aren't built into tcpdump but are external). There's been a bit of a bar move, which is fine, but mostly this is just Team NotGoogle making noise.

Still not hearing anyone calling for WIGLE or Skyhook's head.

--Dan
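The beacon-versus-data distinction and the missing payload scrub described above, as an added example that is not part of the thread or of any Google or WIGLE code: a summarizer that reduces each captured 802.11 frame to the fields a coverage map actually needs (frame type, BSSID, and the SSID advertised in beacons) and records only the length of a data frame's payload, never its bytes. The frames, MAC addresses and SSID below are constructed for the example; no capture library or radio is involved.

```python
"""Payload-scrubbing summarizer for captured 802.11 frames (added example, not from the thread).

Keeps only what a coverage map needs (frame type, BSSID, SSID from beacons)
and drops data-frame payloads before anything is stored, i.e. the scrub step
the post says was missing. The frames below are constructed by hand; the
MAC addresses are locally administered dummies, not real devices.
"""
import struct

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
MAC_HDR_LEN = 24        # FrameCtl(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BEACON_FIXED_LEN = 12   # Timestamp(8) BeaconInterval(2) Capability(2)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def beacon_ssid(body):
    """Walk the tagged parameters after the fixed fields; element ID 0 is SSID."""
    pos = BEACON_FIXED_LEN
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:      # truncated element: stop rather than guess
            return None
        if eid == 0:
            return data.decode("utf-8", "replace") if data else "<hidden>"
        pos += 2 + elen
    return None


def summarize_frame(frame):
    """Return a minimized record for one frame; payload bytes never leave here."""
    if len(frame) < MAC_HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = MAC_HDR_LEN + (6 if ftype == TYPE_DATA and to_ds and from_ds else 0)
    body = frame[hdr_len:]
    rec = {"type": ftype, "subtype": subtype, "bssid": None, "ssid": None,
           "payload_len": len(body)}
    if ftype == TYPE_MGMT:
        rec["bssid"] = mac_str(addr3)
        if subtype == SUBTYPE_BEACON:
            rec["ssid"] = beacon_ssid(body)
    elif ftype == TYPE_DATA:
        # Which address field carries the BSSID depends on the To/From DS bits.
        if not to_ds and not from_ds:
            rec["bssid"] = mac_str(addr3)
        elif from_ds and not to_ds:
            rec["bssid"] = mac_str(addr2)
        elif to_ds and not from_ds:
            rec["bssid"] = mac_str(addr1)
        # both bits set: WDS link, the header carries no BSSID
    return rec


def ssid_map(frames):
    """BSSID -> SSID learned from beacons; data frames only confirm a BSSID was heard."""
    mapping = {}
    for frame in frames:
        rec = summarize_frame(frame)
        if rec["ssid"] is not None:
            mapping[rec["bssid"]] = rec["ssid"]
        elif rec["bssid"] is not None:
            mapping.setdefault(rec["bssid"], None)
    return mapping


# --- constructed sample frames (not captured traffic) -------------------------

def make_beacon(bssid, ssid):
    fc = bytes([(SUBTYPE_BEACON << 4) | (TYPE_MGMT << 2), 0x00])
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0431)               # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID element, one supported rate
    return header + fixed + ies


def make_data_to_ds(bssid, station, dest, payload):
    fc = bytes([TYPE_DATA << 2, 0x01])                        # Data frame, ToDS=1
    header = fc + b"\x00\x00" + bssid + station + dest + b"\x00\x00"
    return header + payload


BSSID = bytes.fromhex("02bbccddeeff")
STA = bytes.fromhex("02112233aabb")
SAMPLE_FRAMES = [
    make_beacon(BSSID, b"lab-example"),
    make_data_to_ds(BSSID, STA, b"\xff" * 6, b"private payload that must never be stored"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(summarize_frame(f))
    print(ssid_map(SAMPLE_FRAMES))
```

The record deliberately has no field that could hold payload bytes, so a later storage or export step cannot retain them by accident; if the scrub lives in a separate post-processing tool, as the post notes log anonymizers historically did, the raw frames still exist somewhere in between.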
Re: [funsec] Car hackers can kill brakes, engine, and more
On Fri, May 14, 2010 at 5:23 PM, valdis.kletni...@vt.edu wrote:

> On Sat, 15 May 2010 00:14:17 +0300, Juha-Matti Laurio said:
>
>> He [Stefan Savage] and co-researcher Tadayoshi Kohno of the University of Washington, describe the real-world risk of any of the attacks they've worked out as "extremely low".
>
> Unless you're the victim of a targeted attack. Wonder if the researchers have ever been through a nasty divorce...

Oh, come off it. There are a billion ways to kill someone; one that requires the skills of a very small set of attackers is actually problematic as it greatly aids traceability of the attack.

From the (dangerously addictive) Harry Potter and the Methods of Rationality fanfic:
http://www.fanfiction.net/s/5782108/16/Harry_Potter_and_the_Methods_of_Rationality

===

"Mr. Potter, all things have their accustomed uses. Give me ten unaccustomed uses of objects in this room for combat!"

For a moment Harry was rendered speechless by the sheer, raw shock of having been understood. And then the ideas started to pour out.

"There are desks which are heavy enough to be fatal if dropped from a great height. There are chairs with metal legs that could impale someone if driven hard enough. The air in this classroom would be deadly by its absence, since people die in vacuum, and it can serve as a carrier for poison gases."

Harry had to stop briefly for breath, and into that pause Professor Quirrell said: "That's three. You need ten. The rest of the class thinks that you've already used up the whole contents of the classroom."

"*Ha!* The floor can be removed to create a spike pit to fall into, the ceiling can be collapsed on someone, the walls can serve as raw material for Transfiguration into any number of deadly things - knives, say."

"That's six. But surely you're scraping the bottom of the barrel now?"

"I haven't even started! Just look at all the people! Having a Gryffindor attack the enemy is an *ordinary* use, of course -"

"I wouldn't have let you count that one."

"- but their blood can also be used to drown someone. Ravenclaws are known for their brains, but their internal organs could be sold on the black market for enough money to hire an assassin. Slytherins aren't just useful as assassins, they can also be thrown at sufficient velocity to crush an enemy. And Hufflepuffs, in addition to being hard workers, also contain bones that can be removed, sharpened, and used to stab someone."

By now the rest of the class was staring at Harry in some horror. Even the Slytherins looked shocked.

"That's ten, though I'm being generous in counting the Ravenclaw one. Now, for extra credit, one point for each use of objects in this room which you have not already named." Professor Quirrell favored Harry with a companionable smile. "The rest of the class thinks you're in trouble now, since you've named everything except the targets and you have no idea what can be done with those."

"Bah! I've named all the people, but not my robes, which can be used to suffocate an enemy if wrapped around their head enough times, or Hermione Granger's robes, which can be torn into strips and tied into a rope and used to hang someone, or Draco Malfoy's robes, which can be used to start a fire -"

"Three points," said Professor Quirrell, "no more clothing now."

"My wand can be pushed into an enemy's brain through their eye socket -" and someone made a horrified, strangling sound.

"Four points, no more wands."

"My wristwatch could suffocate someone if jammed down their throat -"

"Five points, and enough."

===
Re: [funsec] OK, here's a risk analysis question for you ...
> p.s. I have noticed that BP has assiduously avoided making an accurate estimate of the actual volume per unit time. The press is still citing the long-obsolete, hastily-calculated 5000 bl/day figure, but it appears that multiple independent methods of estimating the rate all yield MUCH higher numbers, as in an order of magnitude higher:

*shrugs* It's been amateur hour in the independent estimates, I think in an attempt to (in the long term) discredit the amateurs. For example, there's this piece:

http://www.examiner.com/examiner/x-8199-Breakthrough-Energy-Examiner~y2010m5d13-A-volcano-of-oil-erupting

...which has fun things like a delusion that the pipe is five feet in diameter (it's 18 inches) and, of course:

===
What we are seeing now could be small compared to what may yet unfold if things break apart, as they can do under such circumstances. If this thing blew, it could be like the Yellowstone Caldera (http://en.wikipedia.org/wiki/Yellowstone_Caldera), except from below a mile of sea, with a 1/4-mile opening, with up to 150,000 psi of oil and natural gas behind it.
===

Dude goes on to discuss extinction level events, like Ixtoc never happened. Hint: We're still here (and that damn thing took 293 days to shut).

Then there was the thing that hit CNN:

===
Wereley said he spent two hours Thursday analyzing the video using a technique called particle image velocimetry. He said there is a 20 percent margin of error, which means between 56,000 and 84,000 barrels could be leaking daily. "You can't say with precision, but you can see there's definitely more coming out of that pipe than people thought," he said. "It's definitely not 5,000 barrels a day."
===

I'm much more of a graphics/computer guy than you'd guess (I was into graphics long before I was into security), but two hours? Really? From a blurry, compressed, 30fps video? PIV is clearly a real discipline, but looking at the Wikipedia page (http://en.wikipedia.org/wiki/Particle_image_velocimetry), it seems to generally involve lasers and tracer particles, not a crappy repurposed stream.

Anyway, the best estimates I've seen came from a random Slashdot post, which actually cited some checkable mathematics (http://slashdot.org/comments.pl?sid=1651510cid=32201876):

===
With the actual size of the pipe, however, you can get a pretty accurate flow rate by estimating the pressure differential between the reservoir and the head. The pressure on the reservoir should be about 15,000 psi (not 150,000, like the article states) - 5,000 feet of water plus 11,000 feet of granite. The pressure of the water column is about 2,000 psi, rough estimate. With a pressure differential of about 13,000 psi, an 11,000 foot length of pipe, an estimated density of about 900 kg/m3 (it could actually be anywhere from 750-950, 900 seems close to what other oil is in area), and assuming a smooth pipe, you get about 15.6 gallons per second, or 0.37 barrels per second. Worst case scenario you are looking at around 30,000 barrels per day.

Since there are a lot of factors involved (like the amount of friction imposed on the oil as it seeps out of the reservoir rock), and all I have are estimations, it is almost certainly a lot less than that. 5,000 barrels is not an unlikely figure for what is actually flowing out of the pipe. It isn't likely to be more than that by much at all, either, as I used pretty ideal conditions for flow. It isn't really possible for much more to flow up.
===

Anyway, my personal suspicion is that we'll find out the flow rate was larger than 5,000bpd, but nowhere near these crazy ass numbers that are being pulled out of random engineer's asses. Sometimes, the right answer really is, "I don't know." Not that the press quotes people who say that.

I gotta say, there's a reason the rest of the engineering world looks down on software engineers.
Re: [funsec] Internet traffic keeps straying, and the chance of long-term fix is slim
BGP hasn't been fixed because we do not have the trust infrastructure to fix it. X.509 does not scale. We'll see what happens when DNSSEC fully spins up.

On Tue, May 11, 2010 at 4:51 PM, Juha-Matti Laurio juha-matti.lau...@netti.fi wrote:

> http://www.latimes.com/technology/sns-ap-us-tec-fragile-internet,0,126956.story
>
> In 1998, a hacker told Congress that he could bring down the Internet in 30 minutes by exploiting a certain flaw that sometimes caused online outages by misdirecting data. In 2003, the Bush administration concluded that fixing this flaw was in the nation's vital interest. Fast forward to 2010, and very little has happened to improve the situation. The flaw still causes outages every year.
>
> Related:
> http://news.cnet.com/8301-10784_3-9878655-7.html (How Pakistan knocked YouTube offline)
> http://en.wikipedia.org/wiki/Peiter_Zatko
>
> Juha-Matti
Re: [funsec] Guru is so Web 1.0.
> ps, it's new anime season here, so far;

Well, it ain't Ghost In The Shell Stand Alone Complex, and if it ain't Ghost In The Shell Stand Alone Complex I don't give a rat's ass.
Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
Yes, because if there's one thing people love to do, it's develop exploits for patched vulnerabilities.

On Mar 31, 2010, at 11:46 AM, Larry Seltzer la...@larryseltzer.com wrote:

> I have some problems with this scenario. First if Microsoft patches include unrelated silent patches then I would expect, as you say, people would diff the files and examine the updates to see what it is they are changing and develop POCs for them. I don't ever recall hearing of an exploit for a bug in Windows that turned out to have been silently patched.
>
> Microsoft provides detailed file information on the updates (e.g. http://support.microsoft.com/kb/978251 ). Since we know exactly which files are being updated, any silent patch would have to be in a file that was being patched for some other reason, or at least closely related enough that it wouldn't arouse suspicion. This seems like an odd way to go about things, and to what end?
>
> It's been suggested to me that Microsoft might hide the fact that they are patching security vulnerabilities that they found themselves to avoid some sort of liability. I don't see why that works, especially when the alternative they chose would be to lie to the customers about what files are being updated for what purpose. The latter seems more likely to get you in legal trouble.
>
> -----Original Message-----
> From: disco jonny [mailto:discojo...@gmail.com]
> Sent: Wednesday, March 31, 2010 11:17 AM
> To: Larry Seltzer
> Cc: funsec@linuxbox.org
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>
> isnt this the point of what i said before?
>
> they do do in house security testing after a product has shipped, however they do not publically release the information for the security bugs they find and patch - they roll them out with the other patches. (or service pack)
>
> you can see this if you diff the patches and compare to the advisories. it doesnt happen every patch day. but it does happen.
>
> I am sure if you read my previous message about this then you will see that i have already said this.
>
> On 31 March 2010 13:20, Larry Seltzer la...@larryseltzer.com wrote:
>
>> Can you point me to any disclosures for security vulnerabilities you found? Or were they patched silently?
>>
>> -----Original Message-----
>> From: disco jonny [mailto:discojo...@gmail.com]
>> Sent: Wednesday, March 31, 2010 8:14 AM
>> To: Larry Seltzer
>> Cc: funsec@linuxbox.org
>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>
>> Thats alright then. good to know i didnt look for or find any bugs. I wonder why they paid me.
>>
>> On 28 March 2010 23:45, Larry Seltzer la...@larryseltzer.com wrote:
>>
>>> I know because I asked them and they gave me an actual response. In the last 18 months they found exactly 1 vulnerability themselves, and they found it ancillary to looking into the Kaminsky DNS bug after Dan Kaminsky reported that to them.
>>>
>>> Larry Seltzer
>>> Contributing Editor, PC Magazine
>>> http://blogs.pcmag.com/securitywatch/
>>>
>>> Sent from my BlackBerry
>>>
>>> ----- Original Message -----
>>> From: disco jonny discojo...@gmail.com
>>> To: Larry Seltzer
>>> Cc: funsec@linuxbox.org funsec@linuxbox.org
>>> Sent: Sun Mar 28 16:45:51 2010
>>> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>>
>>>> But once the product ships they stop looking.
>>>
>>> rubbish. I have worked there and seen that they do continual vuln assessment through out a products lifetime. [well for the products i worked on. (office 2k3 2k7)] They just dont beat their chest when they patch [they do it silently and push it out with the disclosed vulns] - reverse a few patches and see how many issues are fixed.
>>>
>>> You seem to often think how it is then state that it is like that - as a fact. it really annoys me. How do you know what ms does and doesnt do?
>>>
>>> On 27 March 2010 12:58, Larry Seltzer la...@larryseltzer.com wrote:
>>>
>>>> I wrote about this myself a little while ago:
>>>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
>>>>
>>>> Microsoft puts a lot of effort into security research for products under development. But once the product ships they stop looking. Alex Sotirov pointed out that Microsoft's customers, by paying iDefense and TippingPoint and the like, end up paying for research Microsoft should be doing. Perhaps Microsoft is also a customer of these companies, I don't know.
>>>>
>>>> LJS
>>>>
>>>> -----Original Message-----
>>>> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Juha-Matti Laurio
>>>> Sent: Saturday, March 27, 2010 7:24 AM
>>>> To: funsec@linuxbox.org
>>>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>>>
>>>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
>>>>
>>>> The only researcher to three-peat at the Pwn2Own hacking contest said
Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
On Wed, Mar 31, 2010 at 12:10 PM, valdis.kletni...@vt.edu wrote:
On Wed, 31 Mar 2010 12:02:41 EDT, Dan Kaminsky said:
Yes, because if there's one thing people love to do, it's develop exploits for patched vulnerabilities.
Said exploits work really great against unpatched machines, of which there are far too many.

You know what *also* works really great against unpatched machines? Unpatched vulnerabilities. At the point you have the skill level to extract vulns from a binary diff, you arguably have the skill level (and the pocket vulns) to prefer not to. Of course this only applies to attack surfaces that have achieved predator satiation (enough bugs that an attacker doesn't need to desperately hunt down new ones -- aka the Cicada strategy).
Re: [funsec] [Infowarrior] - China's Great Firewall spreads overseas
On Mon, Mar 29, 2010 at 12:16 PM, RL Vaughn rl_vau...@baylor.edu wrote:
On 3/29/10 9:53 AM, valdis.kletni...@vt.edu wrote:
http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
So was this a DNS or BGP issue? The reporter appears to be confused, or was it the Arbor Networks talking head?
It was a DNS issue. One host in i-root was providing incorrect answers. The reason for those incorrect answers is unknown but the solution was to remove the responsible host from the i-root anycast.

Anycast, of course, being a BGP technology that multihomes a single IP across multiple locations, exposing the fastest endpoint as per BGP calculations to any node on the net. So it's both DNS and BGP. The larger issue, which I guess nobody wants to talk about, is that the Internet is very much designed to be flat along certain dimensions. Anycast itself is a bit of a hack against that -- the same IP is not actually the same endpoint globally -- but at least presumably the backing organization behind the IP is supposed to be constant. Even enterprise level filtering does not violate this rule, because enterprises are *endpoints* and not *routing nodes* on the net. Scaling this sort of operation past the enterprise has scoping issues, that ultimately, predictably, and unfixably lead to network instability.
Re: [funsec] FW: Facebook may get 'panic button'
Yes, because if there's one thing that's going to make the police stand up, it's a panic button on a website rather than a police report in their hand.

On Fri, Mar 19, 2010 at 2:24 AM, Tomas L. Byrnes t...@byrneit.net wrote:
While I don't think this is a good idea, the problem it solves is Early Warning. A less impressionable potential victim could draw attention to the predator. Kind of like if the San Diego PD had taken Candice Moncayo's report seriously, and processed the DNA that later led them to Gardner with more speed, Chelsea King might still be alive.

-Original Message- From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of valdis.kletni...@vt.edu Sent: Thursday, March 18, 2010 3:05 PM To: Daniel Otis Cc: funsec@linuxbox.org Subject: Re: [funsec] FW: Facebook may get 'panic button'

On Thu, 18 Mar 2010 12:11:35 MDT, Daniel Otis said:
From the article the girl that started this rolling was 17. Nothing to do with pedophiles.
In addition, the article says: The conviction of Peter Chapman for the murder of 17-year-old Ashleigh Hall led to renewed calls for a panic button. The convicted sex offender lured the teenager to her death using Facebook. So she went to meet the guy and ended up dead. Sad, but let's think for a moment - if it's somebody you're planning to meet, are you going to push that panic button? No, you're going to push it if it's somebody creepy that you *don't* want to meet anyhow. So what problem is the panic button actually solving?
Re: [funsec] Using laser to fingerprint paper
So, it's actually really funny. All biometric hashes are roughly reversible. The reason why is that they are similarity metrics: They describe a series of vectors in multidimensional space, and the input is distance-checked against those vectors. If the input is close enough to the hash, it's treated as a match. The thing is, the return value is not a binary match or no match, as you might get from a cryptographic hash. Instead, it's hot or cold -- and you can keep retrying, attempting to get hotter or colder.

So, the way _all_ these biometric systems get broken, be they fingerprint or faceprint, is to generate a random input, and see how close you got. Then perturb randomly. Either you get hotter or colder. If colder, revert the change. If hotter, do more like that. Twenty or thirty thousand rounds later, you've got something that roughly looks like the fingerprint or faceprint.

Now, the relevance to both of these document fingerprinters? Both are _very_ likely retrieving a fuzzy fingerprint of the target. An attacker with a fingerprinter and the document can retrieve the print, and start ginning up more and more samples to attempt to match. Those processes that lead to a similar substrate, he can duplicate; those that do not he can throw away.

Now, things get interesting, because real matter is involved. Ginning up a million fake digital faces is easy, ginning up a million fake sheets of paper is not. If it's possible to perturb a surface, such that it can reversibly be made more or less like a given print, the game is lost. If however any modifications have effectively unpredictable effects on the print (possible!), then a security system could be developed. However, such a system would have to yield fairly radically different signatures across the range of the scanned surface. The upper right corner of the same page would have to yield a very different signature than the lower right.

With the laser scanning system returning similar prints despite wetting, scorching, etc, I'm a little doubtful. But, *if* the system had that characteristic, then the problem would become matching a specific region of the document (with the material fingerprint) to the rest of the document. I suppose you could do this by hashing the fingerprint of a given region, with a dump of all the actionable bits on the page, signing that mash with a private key, and stamping the signature into a QR barcode on the page. So, ultimately, if the stuff works, we could actually use it to do cool things. But it depends pretty seriously on the nonlinearity of modifying a given material to match a particular signature. Most systems of this type have fallen, but there's loads of entropy at the micro scale of materials, far more than there is in your fingerprint or your face. So things are a little different here. Could be fun to play with!

On Thu, Mar 18, 2010 at 7:10 PM, Wim Lewis w...@.org wrote:
On Thu, 18 Mar 2010, Gadi Evron wrote:
Now, this is cool: http://nanotechwire.com/news.asp?nid=2254
I was also impressed by this other research, since it requires no special equipment: http://citp.princeton.edu/paper/ (or doi:10.1109/SP.2009.7)
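The hot-or-cold search described in the post above, as an added example that is not code from the thread or from any product it discusses. A toy verifier holds a 16-dimensional template and scores probes by cosine similarity against a 0.9 threshold (dimension, threshold and metric are all constructed for illustration, not a model of any real fingerprint or face matcher). The first matcher leaks the raw score, and the perturb-and-keep loop the post describes converges on the template well inside the twenty thousand rounds it mentions; the second matcher returns only accept/reject and locks after ten failures, which removes the gradient the search depends on. Class and function names are hypothetical.

```python
"""Toy illustration of the 'hot or cold' weakness in similarity-based matching.

Added example, not code from the original thread. The template, the
dimensionality, the threshold and the cosine matcher are all constructed for
illustration; they do not model any real fingerprint or face system.
"""
import random

DIM = 16          # length of the toy template vector (constructed)
THRESHOLD = 0.9   # cosine similarity required for a match (constructed)


def cosine(a, b):
    """Cosine similarity: 1.0 for identical direction, 0.0 for orthogonal."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = sum(x * x for x in a) ** 0.5
    norm_b = sum(x * x for x in b) ** 0.5
    return dot / (norm_a * norm_b)


def random_vector(rng, dim=DIM):
    return [rng.uniform(-1.0, 1.0) for _ in range(dim)]


class ScoreLeakingMatcher:
    """Returns the raw similarity score: every query tells the caller hotter or colder."""

    def __init__(self, template):
        self.template = template
        self.queries = 0

    def verify(self, probe):
        self.queries += 1
        return cosine(probe, self.template)


class BinaryMatcher:
    """Returns only accept/reject from a fixed threshold and locks after too many failures."""

    def __init__(self, template, max_failures=10):
        self.template = template
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, probe):
        if self.locked:
            return False
        accepted = cosine(probe, self.template) >= THRESHOLD
        if not accepted:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return accepted


def hill_climb(oracle, rng, rounds, step=0.1):
    """The greedy search the post describes: perturb one coordinate, keep the
    change if the oracle reports 'hotter', revert it if 'colder'."""
    probe = random_vector(rng)
    best = oracle(probe)
    for _ in range(rounds):
        candidate = list(probe)
        i = rng.randrange(DIM)
        candidate[i] += rng.uniform(-step, step)
        score = oracle(candidate)
        if score > best:
            probe, best = candidate, score
    return probe


def climb_against_leaking_matcher(seed=1, rounds=20000):
    """Returns (final similarity to the template, number of oracle queries)."""
    rng = random.Random(seed)
    template = random_vector(rng)
    matcher = ScoreLeakingMatcher(template)
    probe = hill_climb(matcher.verify, rng, rounds)
    return cosine(probe, template), matcher.queries


def climb_against_binary_matcher(seed=1, rounds=20000):
    """Same search against an accept/reject oracle: every rejection scores 0.0,
    so no candidate ever looks 'hotter' and the lockout trips after ten queries."""
    rng = random.Random(seed)
    template = random_vector(rng)
    matcher = BinaryMatcher(template)
    probe = hill_climb(lambda p: 1.0 if matcher.verify(p) else 0.0, rng, rounds)
    return cosine(probe, template), matcher.locked


if __name__ == "__main__":
    leaked_score, queries = climb_against_leaking_matcher()
    print(f"score leaked: reached similarity {leaked_score:.3f} in {queries} queries")
    binary_score, locked = climb_against_binary_matcher()
    print(f"accept/reject only: similarity {binary_score:.3f}, locked out: {locked}")
```

Run it directly to see both outcomes side by side. The design point for anyone building a matcher follows from the post: the score is the oracle, so keep it server-side, return only a decision from a fixed threshold, and budget failed attempts; with cosine similarity there are no local optima, so any leaked score, however coarse, eventually guides the search home.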
Re: [funsec] FW: Facebook may get 'panic button'
So what problem is the panic button actually solving?

Here's the deal. Somebody died. We must do something. This is something. This is a guiding principle of human psychology. Most policy comes from redressing a death.
Re: [funsec] Viacom uploads *and* sues?
$20 says Viacom settles, rather than allowing the precedent to be set.

On Fri, Mar 19, 2010 at 1:42 AM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
It would be fascinating to see the evidence on this ... http://youtube-global.blogspot.com/2010/03/broadcast-yourself.html
== (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org Anything a faculty member can learn, a student can easily. - Richard Wesley Hamming victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade
[funsec] Digital: A Love Story
In case you haven't seen this: http://www.scoutshonour.com/digital/ This is all *kinds* of retro awesome.
Re: [funsec] Facebook glitch let some users see messages meant for other people
This obviously won't be acceptable if Facebook actually has hopes to become an email provider.
Uh, entire generations use Facebook as their email provider :)

On Thu, Feb 25, 2010 at 11:30 AM, Juha-Matti Laurio juha-matti.lau...@netti.fi wrote:
http://www.businessinsider.com/facebook-has-securityprivacy-glitch-as-users-report-receiving-random-messages-meant-for-other-people-2010-2 A Facebook rep tells us, During our regular code push earlier this evening, a bug caused some misrouting to a small number of users for a short period of time. Our engineers diagnosed the problem moments after it began and are working to get everything back in its rightful place. While they fix the issue, affected users will not be able to access the site. Good to know that only a small number of users were affected, but still embarrassing. This obviously won't be acceptable if Facebook actually has hopes to become an email provider. --clip-- Last week Hotmail had similar issues: Microsoft is investigating reports of a limited number of instances in which Windows Live customers may have access to other customers' accounts when accessing their account through mobile Web browser, the company said in a statement Tuesday. http://news.cnet.com/8301-13860_3-10454741-56.html Juha-Matti
Re: [funsec] 95% of User Generated Content is spam or malicious
Is it in $VENDOR's interest to stop spammers? Absolutely not. If effective and coordinated action was taken to stop (let's say) the top 100 spammers, then spam levels would plunge dramatically and there would be much less demand for $VENDOR's products. (I picked 100, because according to Spamhaus, 100 known operations account for 80% of spam.)

What would you suggest a vendor do against a spammer? Sue? Bribe? Assault? I will admit that Xe Antispam Solutions has quite the ring to it.
Re: [funsec] 95% of User Generated Content is spam or malicious
Well, I'll differ with you here. The only -- and I mean the *only* -- thing that I've seen which stops spammers (as opposed to merely stopping spam, which anyone who can follow a simple cookbook can do) -- is the refusal to grant privileges to known abusers.

Do we know what Postini and Google are doing? If not, do we really have any idea what works? If not, can't we just say We don't know what works, obviously something does but we don't know what it is?
Re: [funsec] 95% of User Generated Content is spam or malicious
An entire industry has grown up around the flawed assumption that it is feasible to separate the wheat from the chaff in our mail flows by inspecting every grain (message). There are two groups which benefit from the acceptance of this myth: the vendors who sell A/S and A/V products, and the bad guys who have already figured out how to get around every one of these products.

*shrugs* All I know is that I have a couple of email accounts that get negligible amounts of spam. Oh, they're *sent* huge amounts, but they receive almost none.
Re: [funsec] 95% of User Generated Content is spam or malicious
On Mon, Feb 22, 2010 at 6:55 AM, Rich Kulawiec r...@gsp.org wrote:
[ Please do not send redundant copies of on-list traffic. ]
On Mon, Feb 22, 2010 at 12:15:43AM -0500, Dan Kaminsky wrote:
My sense is that SPAM filtering is ghettoizing, i.e. there's a very small community of extraordinarily miserable people whose job it now is to deal with SPAM for the rest of their users. They've been so successful, even at 98%, that now users have NO tolerance for SPAM. In other words, the SPAM war appears to be won, nobody seems to know it's still being fought.
First, the correct term is spam, never SPAM. The former refers to unsolicited bulk email, the latter refers to a Hormel product.

Correct. My apologies to Hormel.

Second, 99% of the people doing anti-spam work are quite incompetent.

This is true. That's why I expect everybody to outsource to the few people who aren't incompetent -- Postini, Google, etc. There are a few organizations that can do competent spam filtering in-house, but users are now spoiled with their zero-spam public email folders. It's better now than it was, even though the war is nastier and more expensive.
Re: [funsec] 95% of User Generated Content is spam or malicious
On Mon, Feb 22, 2010 at 8:23 AM, Rich Kulawiec r...@gsp.org wrote:
On Mon, Feb 22, 2010 at 07:34:56AM -0500, Dan Kaminsky wrote:
All I know is that I have a couple of email accounts that get negligible amounts of spam. Oh, they're *sent* huge amounts, but they receive almost none.
But this is not the only metric with which to evaluate mail defenses.

I disagree. This is the only metric that matters: In 2007, I got a lot of spam. In 2010, I get a few messages *a month*. A MONTH!

Anyway, one of the direct consequences of this reality is that testing methodologies need to be very carefully constructed. Anyone who just plugs boxes from vendors X Y and Z into their network and does a head-to-head comparison is not going to get a true picture of how those systems really compare: they're only going to get a limited picture of how those systems compare at the moment on their network(s) on their ASN(s) with their domain(s).

Spam fighting as a product seems to be having problems. Spam fighting as a service is doing extremely well. Who knows. Maybe the bad guys are reverse engineering all the products, but can't do the same to the services.
Re: [funsec] 95% of User Generated Content is spam or malicious
My sense is that SPAM filtering is ghettoizing, i.e. there's a very small community of extraordinarily miserable people whose job it now is to deal with SPAM for the rest of their users. They've been so successful, even at 98%, that now users have NO tolerance for SPAM. In other words, the SPAM war appears to be won, nobody seems to know it's still being fought.

On Wed, Feb 10, 2010 at 2:55 PM, Drsolly drsol...@drsolly.com wrote:
Yes, I'm currently seeing about 98% spam. At what percentage does email become useless?
On Wed, 10 Feb 2010, Robert Portvliet wrote:
It's sad that we are unable to even make a dent in solving this problem. Added together, the bandwidth capacity wasted by all this junk must be staggering.
On Wed, Feb 10, 2010 at 8:28 AM, Rich Kulawiec r...@gsp.org wrote:
On Sun, Feb 07, 2010 at 05:57:45PM -0500, Robert Portvliet wrote:
According to the Websense Security Labs 'state of Internet security report' 95% of User Generated Content is spam or malicious 85% of all email is spam.
85% is way too low. Plausible numbers are in the 96-98% range. ---Rsk
Re: [funsec] big brother at school
In loco parentis tends to be pretty powerful, but you know what's even stronger? Castle doctrine. It wasn't just the kid that got violated, it wasn't even particularly the kid that got hit. The school dropped a camera into the parent's home. It's OK, I was just trying to secretly take pictures of your kid in his bedroom isn't exactly the greatest defense the world has ever seen.

On Thu, Feb 18, 2010 at 3:05 PM, Benjamin Brown optik...@gmail.com wrote:
Just something to chew on: A number of court decisions (press me harder and I can search for the titles) rule in favor of the administration of public schools in cases that would have otherwise been seen as a pure violation of a student's rights. These cases often invoke an argument of In loco parentis for the administration. Though in every case I have read the rulings concerned actions taken on school grounds or within close proximity. This case involves school property (the laptop), but occurs at the student's home. I am curious how this shakes out and what the court ruling (and inevitable appeal ruling) will say. My 2 dinars =) -Ben

On Thu, Feb 18, 2010 at 2:35 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
Date sent: Thu, 18 Feb 2010 10:28:13 -0600 From: RandallM randa...@fidmail.com
http://www.boingboing.net/2010/02/17/school-used-student.html and http://www.courthousenews.com/2010/02/18/24789.htm
A federal class action claims a suburban school district has been spying on students and families through the indiscriminate use of and ability to remotely activate the webcams incorporated into each laptop issued to students, without the knowledge or consent of students or parents. The named plaintiffs say they learned that Big Brother was in their home when an assistant principal told their son that the school district knew he `was engaged in improper behavior in his home, and cited as evidence a photograph from the webcam embedded in minor plaintiff's personal laptop issued by the school district.'
Always possible that the allegations are wrong or overstated, but, on the face of it, sounds like this school district could be in very serious trouble ... (Cue comments about protecting children, and being willing to give up personal freedoms for a worthy cause, etc ... )
== (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org What you ... call a poor signal-to-noise ratio is the 'glue' that holds a community together, that lets us recognize one another as people rather than roles. - Anton Aylward victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade
Re: [funsec] Death porn, media, and socmedia
On Feb 15, 2010, at 3:33 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
Date sent: Sat, 13 Feb 2010 23:06:03 -0500 From: Dan Kaminsky d...@doxpara.com
Interesting article, where the Own The Podium link is pretty much admitted, BUT (and this is rather important) it's claimed this is a problem in Luge, and winter sports, *in general*. http://www.ctvolympics.ca/news-centre/newsid=8935.html
I'm not a big fan of Own the Podium in any case, but I don't think it can be a factor here: http://www.vancouversun.com/sports/2010wintergames/Georgian+president+Thanks+caring+Canada/2566138/story.html In fact, it turns out Friday's fatal run was Kumaritashvili's 26th time down the track. His first nine, last November, were uneventful. They were all from the novice, junior or women's start location. In 16 of his next 17 runs, he took on the full men's run, and Friday's crash was his fourth -- three of them on the same Corner 16 that was the beginning of the end.

Lugers from overseas were training on the track a year ago. Own the Podium is on the record saying they need to limit how many runs foreigners get, specifically to maximize Canadian chances to win. So they're definitely restricting access. Or do you think it's a coincidence that this guy's first serious runs were mere days before the event opened up? The real question is if a large number of nonfatal crashes might have been enough to cause alterations to the track to compensate. Hard to know the answer to that. I will say it's worth looking at the statistics for luge to see the difference this advantage proffers.

Interestingly, the fact that all runs are now being done from the women's start, which reduces the speed by about 10km/h, is prompting complaints from some who are saying the slower track gives an advantage ... (etc)
One more death and the event would be cancelled entirely. Don't think they didn't consider it.

== (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org First we thought the PC was a calculator. Then we found how to turn numbers into letters with ASCII -- and we thought it was a typewriter. Then we discovered graphics, and we thought it was a television. With the World Wide Web, we've realized it's a brochure. --Douglas Adams victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade
Re: [funsec] Death porn, media, and socmedia
Denying visiting athletes access to any such course in favour of the 'home team' is very dangerous, should be investigated immediately and the responsible parties prosecuted. I have seen before what happens when athletes attempt to navigate a course at full speed without having every nuance memorised, it usually ends badly.

How many sports follow this policy, versus follow the home team advantage policy? Is there a pattern between Summer vs. Winter sports?
Re: [funsec] bomb implants
Rico of the “Madagascar Penguins” can probably regurgitate one on command. TOTALLY off topic, but I was utterly shocked how well written this show is. Also really subversive, like, one notch below Invader Zim subversive.
Re: [funsec] Death porn, media, and socmedia
On Sat, Feb 13, 2010 at 6:25 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
The big Olympic news of the moment, of course, is the death of luger Nodar Kumaritashvili in practice. http://www.cbc.ca/olympics/luge/story/2010/02/12/spo-luge-georgian-alert.html http://www.vancouversun.com/news/Olympic+tragedy+Death+porn+sharing+news/2557992/story.html http://communities.canada.com/vancouversun/blogs/techsense/default.aspx You can already search for this on Youtube. Most of the videos are tributes, but actual footage of the crash is available. Of the ones I found this morning, two require that you log on to the site (in order to prove your age). One has been taken down because it is the property of the IOC. This is because all of the footage is the same CTV footage (CTV being the official provider). CTV showed it on the news last night, just after the opening ceremonies. The anchor earnestly assured us that the video was graphic, but necessary to illustrate some aspects of the story. The aspect that was illustrated was that someone died. He came off the track like a human being out of control, and fell off the stanchion like a rag doll. I've got enough medical background to know when I see someone die, right there. Couple of thoughts. One is that the media has now collected and reported all the comments about the track being dangerous. Had this death not occurred, the luge story for the games would have been the world record times, and the comments would have been from those who said that it was a hot, sweet track. Second is that skeleton (the head first version) was first done as an Olympic sport in Turin, and Canada won. Cam Cole (who did a lovely piece combining the ceremony and Kumaritashvili's death: http://www.canada.com/sports/2010wintergames/Games+begin+with+emotional+tributes+Georgian+luger/2561175/story.html ) did a piece on it, and I've kept a quote from it in my file ever since: [N]o one goes downhill head-first on a cafeteria tray better than Canadians ... If you've got something really dangerous and not terribly smart planned for an Olympic sport, the sort of thing that two guys out drinking heavily one night at the top of the bobsled run probably thought up, we're in. - Cam Cole, Vancouver Sun, 20060218 Kumaritashvili was not highly ranked, and not very experienced. Luge involves some skill; Gloria noted that Kumaritashvili was lifting his head a lot during the run, so he was not sure of himself; this is not something anyone can do, but it is something you can do if you've got more guts than brains. The Olympics is increasingly involving extreme sports: exhilarating, not necessarily skilled, and dangerous.

This is actually a fairly offensive series of thoughts. Couple things:

1) Luge has been part of the Olympics for almost 50 years. This isn't increasingly extreme, this is just one of the things they do. And before it was Luge, it was indeed Skeleton. This is nothing new.

2) First you say that Kumaritashvili wasn't very skilled. Then you say the sport of Luge doesn't require much skill. Well, that would make him eminently qualified, wouldn't it? Anyway, at the last championship, the guy came in 44th. Top 50 in the world at anything ain't nothing to sneeze at. And the sport is intensely physical, requiring managing up to 7G's of force, and intensely strategic, as speed must constantly be balanced against stability in the short term to manage the long term average rate of travel. Not necessarily skilled? How well would you come in? Have you ever raced anything? Even a gas powered go cart?

3) The Canadians didn't invent Skeleton or Luge, the Swiss did. And you know, I'm not a very good snowboarder, but I sure enjoy trying to be. Last time I went out, I got quite the concussion. It happens.

Look, if you want to complain about something, complain about the fact that so few eyes were allowed to be placed on the track -- as part of the genuinely offensive Own The Podium scheme -- that consensus couldn't be developed to do something about the risk of someone flying off the track and hitting the pole. Hell, of course Kumaritashvili was lifting his head, this was a new track for him! And why was it a new track? Own the Podium. To be utterly fair, Own The Podium wasn't about killing the competition. But, man, this is an astonishingly ugly side effect of access restriction.
Re: [funsec] Death porn, media, and socmedia
Look, if you want to complain about something, complain about the fact that so few eyes were allowed to be placed on the track -- as part of the genuinely offensive Own The Podium scheme -- that consensus couldn't be developed to do something about the risk of someone flying off the track and hitting the pole. Hell, of course Kumaritashvili was lifting his head, this was a new track for him! And why was it a new track? Own the Podium.

Interesting article, where the Own The Podium link is pretty much admitted, BUT (and this is rather important) it's claimed this is a problem in Luge, and winter sports, *in general*. http://www.ctvolympics.ca/news-centre/newsid=8935.html

===
In some instances, VANOC and the sports federations have increased access. The new track at the Whistler Sliding Centre - home to bobsled, luge and skeleton - is so fast and technical, extra training weeks have been added, said Priestner Allinger. That didn't happen prior to the 2006 Olympics in Turin, Italy, said Jeff Christie, a luge athlete from Vancouver. At the Olympics in Italy we had zero extra,'' said Christie. They actually gave us less than exactly what we were supposed to get. They didn't have any qualms about it because they gave their home team the advantage. In a sport like luge, that's the way it goes. I go onto other tracks in the world, a lot of the German tracks, where I get six runs before a World Cup event and they train on it their whole lives.'' Priestner Allinger said management at the Pacific Coliseum, home to figure skating and short-track speedskating, has offered ice to other countries on a pay-as-you-go basis. So far, most countries have not taken the arena up on its offer, she said. Other host nations have also played it close to the vest on the issue of Olympic venue access. Peter Judge, chief executive officer for the Canadian Freestyle Ski Association, remembers the World Cup events hosted by the U.S. team prior to the 2002 Salt Lake City Olympics. Their mogul course builder built the course differently for all the World Cups that led up to the Games, but for their home-field advantage training camp, built it the way it was going to be for the Olympic Games,'' said Judge. Priestner Allinger said the Turin organizing committee also played some tricks. I can tell you the Canadian short-track team and the figure skating teams did not get on the ice once in Turin prior to the Olympic Games,'' she said. They chose to hold a sport event that was the European championships, so it excluded America.'' Gartner thought he had an agreement in place for Canadians skiers to train with the Italian team on the Olympic course prior to Turin. They played all sorts of games,'' he said. We ended up getting no training.''
===

Rob, I still think the sport is much more honorable than you let on, but it looks like some off the field play has been going on for quite some time. It finally killed someone. For those who don't think this has anything to do with Funsec -- watch what happens when people die.
Re: [funsec] bomb implants
On Wed, Feb 3, 2010 at 2:36 PM, ch...@blask.org wrote: --- On Wed, 2/3/10, Aryeh Goretsky (home) goret...@gmail.com wrote: Hello, Also appears as a plot device in the movie Escape from New York. I believe this meme has appeared in other science fiction works as well. A little help please, SF-Hackers? Neal Stephenson - Diamond Age Pocket-nuke in a femur. Hard to beat that one. It's not a femur
Re: [funsec] bomb implants
On Wed, Feb 3, 2010 at 11:39 PM, ch...@blask.org wrote: --- On Wed, 2/3/10, Dan Kaminsky d...@doxpara.com wrote: On Wed, Feb 3, 2010 at 2:36 PM, ch...@blask.org Neal Stephenson - Diamond Age Pocket-nuke in a femur. Hard to beat that one. It's not a femur Damn! I was a solid 50% on that guess! Where was the Boer woman carrying the nuke? Somebody is not familiar with the full oeuvre of Arnold Schwarzenegger movies.
Re: [funsec] bomb implants
On Tue, Feb 2, 2010 at 1:34 PM, Larry Seltzer la...@larryseltzer.com wrote: Jihadists plan attack with bombs inside their bodies, to foil new airport scanners http://www.jihadwatch.org/2010/01/jihadists-plan-attack-with-bombs-inside-their-bodies-to-foil-new-airport-scanners.html Not too long ago some suicide bomber tried to kill a Saudi Prince with a bomb up his ass. http://www.cbsnews.com/stories/2009/09/28/eveningnews/main5347847.shtml There are problems with this approach. His body absorbed quite a bit of the explosion. And it had been anticipated: http://www.strategypage.com/downloads/iedsrectalcavities.pdf See also Dark Knight Larry Seltzer Contributing Editor, PC Magazine larry_selt...@ziffdavis.com http://blogs.pcmag.com/securitywatch/
Re: [funsec] Apple has a new toy
What's the bright line? On Feb 2, 2010, at 10:30 AM, Joel Esler esl...@gmail.com wrote: But Windows 7, despite what MSFT is trying to do, is not a touch OS. The iPhone OS is a touch OS. J On Thu, Jan 28, 2010 at 6:23 PM, Dragos Ruiu d...@kyx.net wrote: On 28-Jan-10, at 3:06 PM, Hubbard, Dan wrote: The gOOglePAD will have flash support, but it most likely will be a fake codec. The Nokia minilaptop, which I just finally saw/held a real version of, is at about the same price point as the iPad, runs Win7 and has a 3G connection but has real kb. They are in the same weight range and I would argue are competing for the same usage/market. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada March 22-26 http://cansecwest.com Amsterdam, Netherlands June 16/17 http://eusecwest.com pgpkey http://dragos.com/ kyxpgp -- Joel Esler
Re: [funsec] Apple has a new toy
Hahahahahahahaha On Feb 2, 2010, at 5:56 PM, Joel Esler esl...@gmail.com wrote: Flash is dead. HTML5 will render it obsolete. Heck, you can even use youtube via html5 now and it's far superior. www.youtube.com/html5 J On Tue, Feb 2, 2010 at 5:45 PM, Alex Eckelberry al...@sunbelt-software.com wrote: I agree with your points. I’m not an Apple guy (at all). But I’m damned impressed with this iPad. (Yeah, the Flash thing sucks, but whatever, it’s what it is.) Alex From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Joel Esler Sent: Tuesday, February 02, 2010 11:24 AM To: Dan Kaminsky Cc: funsec@linuxbox.org Subject: Re: [funsec] Apple has a new toy My point in saying that was that Windows 7, with touch controls is not a touch OS. If you've tried to use Windows 7 with your finger, it's essentially a mouse pointer under your finger. It's inelegant, it's imprecise, and hard to use. Apple took the time to figure out how people would use an OS that is touch, and they invented the iPhone and the iPod touch and continually refine it. Make no bones about it, I'm an Apple guy, and apologist. I've used Windows Vista and Windows 7 with touch enabled on a touch device, and it's not even close to the experience that you get on an iPhone or any of the future Apple devices that will be touch enabled (not just the iPad, but the Macbooks). A touch OS is different from a regular OS. A regular OS you navigate with a keyboard and mouse, a touch OS you navigate with your finger, (or several fingers). You can do things in a touch OS that you can't do in a regular OS and Microsoft has not figured that out. yet. Even if you use natural devices like ink (a pen based device to navigate your OS), it's still a mouse pointer. Not saying they won't. But they will. We are on the edge of OS development. We are going away from the folder file icon type of OS and computers that you navigate with your keyboard and mouse into a whole new field of OSes and devices.
On Tue, Feb 2, 2010 at 11:13 AM, Dan Kaminsky d...@doxpara.com wrote: What's the bright line? On Feb 2, 2010, at 10:30 AM, Joel Esler esl...@gmail.com wrote: But Windows 7, despite what MSFT is trying to do, is not a touch OS. The iPhone OS is a touch OS. J On Thu, Jan 28, 2010 at 6:23 PM, Dragos Ruiu d...@kyx.net wrote: On 28-Jan-10, at 3:06 PM, Hubbard, Dan wrote: The gOOglePAD will have flash support, but it most likely will be a fake codec. The Nokia minilaptop, which I just finally saw/held a real version of, is at about the same price point as the iPad, runs Win7 and has a 3G connection but has real kb. They are in the same weight range and I would argue are competing for the same usage/market. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada March 22-26 http://cansecwest.com Amsterdam, Netherlands June 16/17 http://eusecwest.com pgpkey http://dragos.com/ kyxpgp -- Joel Esler
Re: [funsec] Apple has a new toy
*laughs* All y'all who hate on Flash really need to play with it through HaXe. It's really much nicer once you abandon that IDE. On Tue, Feb 2, 2010 at 8:49 PM, Joel Esler esl...@gmail.com wrote: Oh come on Dan, let me live in my fantasy, you know, the one where it all works out in the end... J On Tue, Feb 2, 2010 at 7:15 PM, Dan Kaminsky d...@doxpara.com wrote: Hahahahahahahaha On Feb 2, 2010, at 5:56 PM, Joel Esler esl...@gmail.com wrote: Flash is dead. HTML5 will render it obsolete. Heck, you can even use youtube via html5 now and it's far superior. http://www.youtube.com/html5 J On Tue, Feb 2, 2010 at 5:45 PM, Alex Eckelberry al...@sunbelt-software.com wrote: I agree with your points. I’m not an Apple guy (at all). But I’m damned impressed with this iPad. (Yeah, the Flash thing sucks, but whatever, it’s what it is.) Alex *From:* funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] *On Behalf Of *Joel Esler *Sent:* Tuesday, February 02, 2010 11:24 AM *To:* Dan Kaminsky *Cc:* funsec@linuxbox.org *Subject:* Re: [funsec] Apple has a new toy My point in saying that was that Windows 7, with touch controls is not a touch OS. If you've tried to use Windows 7 with your finger, it's essentially a mouse pointer under your finger. It's inelegant, it's imprecise, and hard to use. Apple took the time to figure out how people would use an OS that is touch, and they invented the iPhone and the iPod touch and continually refine it. Make no bones about it, I'm an Apple guy, and apologist. I've used Windows Vista and Windows 7 with touch enabled on a touch device, and it's not even close to the experience that you get on an iPhone or any of the future Apple devices that will be touch enabled (not just the iPad, but the Macbooks). A touch OS is different from a regular OS.
A regular OS you navigate with a keyboard and mouse, a touch OS you navigate with your finger, (or several fingers). You can do things in a touch OS that you can't do in a regular OS and Microsoft has not figured that out. yet. Even if you use natural devices like ink (a pen based device to navigate your OS), it's still a mouse pointer. Not saying they won't. But they will. We are on the edge of OS development. We are going away from the folder file icon type of OS and computers that you navigate with your keyboard and mouse into a whole new field of OSes and devices. On Tue, Feb 2, 2010 at 11:13 AM, Dan Kaminsky d...@doxpara.com wrote: What's the bright line? On Feb 2, 2010, at 10:30 AM, Joel Esler esl...@gmail.com wrote: But Windows 7, despite what MSFT is trying to do, is not a touch OS. The iPhone OS *is* a touch OS. J On Thu, Jan 28, 2010 at 6:23 PM, Dragos Ruiu d...@kyx.net wrote: On 28-Jan-10, at 3:06 PM, Hubbard, Dan wrote: The gOOglePAD will have flash support, but it most likely will be a fake codec. The Nokia minilaptop, which I just finally saw/held a real version of, is at about the same price point as the iPad, runs Win7 and has a 3G connection but has real kb. They are in the same weight range and I would argue are competing for the same usage/market. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada March 22-26 http://cansecwest.com Amsterdam, Netherlands June 16/17 http://eusecwest.com pgpkey http://dragos.com/ kyxpgp -- Joel Esler
Re: [funsec] large hadron collider and nessus
On Sat, Jan 23, 2010 at 7:02 AM, Gadi Evron g...@linuxbox.org wrote: Saw this somewhere else: http://www.controlenguk.com/article.aspx?ArticleID=31000 WAIT! You mean it's connected to the interwebz? Suddenly I don't feel so safe. all networks are connected, it's just a question of bandwidth
Re: [funsec] fog of cyberwar
IE should not be used anymore? What took you so long? Anybody still using IE doesn't deserve any help, any sympathy, any support. They are deliberately setting themselves on fire -- so let them burn. So which browser exactly is the secure one?
Re: [funsec] fog of cyberwar
Actually, against telnet you just push the console echo attacks and kill the session. On Fri, Jan 22, 2010 at 8:03 PM, Vaughn, Randal L. rl_vau...@baylor.edu wrote: telnet? On Jan 22, 2010, at 9:45 AM, Dan Kaminsky wrote: IE should not be used anymore? What took you so long? Anybody still using IE doesn't deserve any help, any sympathy, any support. They are deliberately setting themselves on fire -- so let them burn. So which browser exactly is the secure one?
Re: [funsec] fog of cyberwar
On Fri, Jan 22, 2010 at 10:10 PM, steve pirk [egrep] st...@pirk.com wrote: On Fri, Jan 22, 2010 at 10:56, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote: Date sent: Fri, 22 Jan 2010 16:45:03 +0100 From: Dan Kaminsky d...@doxpara.com So which browser exactly is the secure one? Lynx telnet servername 80 GET / HTTP/1.1 Host: servername cr Copy/paste the results into a text file and use text tool of your choice [the more primitive the better ;-] Yes, and this is vulnerable to command injection into your terminal. Anyway, I rest my case.
Re: [funsec] fog of cyberwar
On Fri, Jan 22, 2010 at 11:51 PM, Gadi Evron g...@linuxbox.org wrote: On 1/22/10 9:15 PM, Dan Kaminsky wrote: Actually, against telnet you just push the console echo attacks and kill the session. Raw sockets. malicious server floods you with the terminal echo attacks, then sends a RST, which kills netcat :)
Re: [funsec] Facebook Image Privacy
On Tue, Jan 19, 2010 at 5:17 PM, valdis.kletni...@vt.edu wrote: On Mon, 18 Jan 2010 23:12:17 +0100, Dan Kaminsky said: I can quantify this with the rate of change of complexity of a system. Well, if you're talking *rate* of change... If you add one kilobyte of complexity to Windows (consuming literally 8192 bits extra space on the DVD), you have not done much to the difficulty of breaking Windows. If you add one kilobyte of complexity to an RSA key (literally, adding another 4096 bits to p and q respectively), you most assuredly have done much to the difficulty of breaking this particular RSA key. Adding 8K to the acres of bits already on the DVD is proportionally smaller than adding even 1 bit to a 4096-bit RSA key. Fine. Double the number of bits on the DVD. And I'll submit the notion that if it's the *right* 8192 bits, it can add immensely to the difficulty. I'd have to go back and check, but the stack address randomization bits added to the Linux kernel were actually quite tiny, but added a lot to the difficulty. Yes, but the fact that it *matters* which bits are changed is the whole point. cryptotangent If you look inside any credible cryptographic function, you'll almost never see constructs where the internal grammar of the cipher changes with the key. It's not that it's technically infeasible: One could certainly build a Context Free Grammar in which incoming bits randomly shuffled cryptographic primitives in ways that remain reversible given the key. But you don't see this, outside of really awful Dan Brown novels. Why*? Because *systems* have constraints that *keys* must not. A cryptosystem is still a system, one that defends against cryptanalysis, chosen plaintext, and so on. In a valid cryptosystem, all keys after a known filtering stage are equally secure. If you are changing the system, then some keys will emit safer systems than others. An attacker will thus attempt to keep poking your cipher until it inevitably hits an unsafe mode.
Windows is a system. Linux is a system. Some bit patterns do interesting things. Others crash. The point of secrecy is to *isolate* the unknown data *from* the stuff that must not only be partially known, but must meet constraints. The point of obscurity is that the known data is somehow so complicated, that the constraints are so obtuse, that it could never be understood. And then some Bulgarian shows up... /cryptotangent --Dan * OK, it's also pretty annoying to implement in hardware.
Re: [funsec] Facebook Image Privacy
On Mon, Jan 18, 2010 at 8:39 PM, Blue Boar blueb...@thievco.com wrote: Dan Kaminsky wrote: Obscurity is not secrecy. They're the same thing, just different degrees. Used to think the same, actually. But if you look at what obscurity is always used to refer, it's this ordered system has *so much structure* nobody could ever figure it all out. That's a very different argumentory path than there is nothing to figure out, they simply mathematically have to know this secret or brute force.
Re: [funsec] Facebook Image Privacy
Used to think the same, actually. But if you look at what obscurity is always used to refer, it's this ordered system has *so much structure* nobody could ever figure it all out. That's a very different argumentory path than there is nothing to figure out, they simply mathematically have to know this secret or brute force. You have chosen I elect to play by attempting a definition for which there can be no agreement. I am saying operating systems are not like passwords. I don't think this is exactly controversial. Your question: What's the difference between secret and obscure? Could you quantify this, say, with a particular number of bits of entropy? I can quantify this with the rate of change of complexity of a system. If you add one kilobyte of complexity to Windows (consuming literally 8192 bits extra space on the DVD), you have not done much to the difficulty of breaking Windows. If you add one kilobyte of complexity to an RSA key (literally, adding another 4096 bits to p and q respectively), you most assuredly have done much to the difficulty of breaking this particular RSA key. I will grant that we could use better words than obscure and secret to represent the difference. But I consider obscure fundamentally different than utterly unknown. An obscure band is not a secret band. An obscure illness is not a secret illness.
Re: [funsec] Facebook Image Privacy
On Mon, Jan 18, 2010 at 11:58 PM, Blue Boar blueb...@thievco.com wrote: Dan Kaminsky wrote: I am saying operating systems are not like passwords. I don't think this is exactly controversial. Who was talking about operating systems? That smells like an attempt to redefine the argument. We were talking about secret URLs, keys passwords and the like. I think that makes a much better playing field for the moment. Larry was _specifically_ stating maybe security through obscurity works after all. That is _specifically_ an argument regarding operating systems and other designed systems. I was saying that, no, the fact that secrecy works pretty well with passcodes (including the passcode in Facebook's URL) doesn't mean at all that obscurity works well in the rest of secure design. Since it seems you dropped this context, we can end the argument here.
Re: [funsec] Facebook Image Privacy
On Tue, Jan 19, 2010 at 12:26 AM, Blue Boar blueb...@thievco.com wrote: Dan Kaminsky wrote: Larry was _specifically_ stating maybe security through obscurity works after all. That is _specifically_ an argument regarding operating systems and other designed systems. Where? Here's what I have from Larry in this thread: A Facebook employee entered a comment that said that only the user who posted the image gets that URL from them, so therefore it’s private... I’ve often thought that security through obscurity gets a bad rap. Perhaps this is one of those cases. And what are the other cases in which security through obscurity gets a bad rap? Is there somewhere we actually disagree?
Re: [funsec] Facebook Image Privacy
On Sun, Jan 17, 2010 at 7:45 PM, Imri Goldberg lorgan...@gmail.com wrote: On Sun, Jan 17, 2010 at 5:02 PM, Larry Seltzer la...@larryseltzer.com wrote: The URL may not be obvious, but it’s on a publicly-accessible site so it’s at least a little cheesy to call it private. What do you think? If it's publicly available, it ain't private. And a computer that isn't at the bottom of the Mariana Trench ain't secure. Unguessable tokens have a long history of use in our field (CSRF tokens, etc) and having one lock access to an image is relatively legitimate. If there was a way to guess the token, we'd say there was an issue.
Re: [funsec] Facebook Image Privacy
On Sun, Jan 17, 2010 at 8:16 PM, Imri Goldberg lorgan...@gmail.com wrote: On Sun, Jan 17, 2010 at 9:08 PM, Dan Kaminsky d...@doxpara.com wrote: And a computer that isn't at the bottom of the Mariana Trench ain't secure. Unguessable tokens have a long history of use in our field (CSRF tokens, etc) and having one lock access to an image is relatively legitimate. If there was a way to guess the token, we'd say there was an issue. I think the difference is how long you expect that token to be kept. The link given, afaict, is a permanent one, unlike csrf tokens or various change password tokens. It's a password to a single asset, which is retrieved in its entirety. If you allow omg, somebody could share the link to be considered a security hole, then I can see the stories now... OMG! Save Picture! OMG! Print Screen! OMG! SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN! :)
Re: [funsec] Facebook Image Privacy
On Sun, Jan 17, 2010 at 8:47 PM, Larry Seltzer la...@larryseltzer.com wrote: It's a password to a single asset, which is retrieved in its entirety. If you allow omg, somebody could share the link to be considered a security hole, then I can see the stories now... I’ve often thought that security through obscurity gets a bad rap. Perhaps this is one of those cases. Obscurity is not secrecy. A password is secret. So are prime numbers at the heart of RSA private keys. The difference is that analysis by an attacker will yield progress against an obscure system, but not a well chosen secret. Or, put another way, *systems* have to do things, so their behavior can't be as random as a password or a private key. My real problem with it is that I’ve marked it for “Only Me.” Why do they need to provide this link? And they only do it for images, not for plain text posts or videos where you mark it as “Only Me.” Clearly users wanted to know how to take a photo that was for only me and share it with a few others, out of band. As long as the photo isn't showing up in open galleries, I think it's pretty clear that user intent is actually being scrupulously respected. Larry Seltzer Contributing Editor, PC Magazine larry_selt...@ziffdavis.com http://blogs.pcmag.com/securitywatch/
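The two points Dan makes in the posts above (an unguessable token is a legitimate lock on a single asset, and a secret is different in kind from an obscure design) can be made concrete with a small Python example. This is added here and is not code from the thread, from Facebook, or from any project the posts mention. The PrivateAssetStore class, the 256-bit token size, the hashed-token storage and the 1e9 guesses/second rate are all assumptions chosen to illustrate the argument: the token's strength comes only from its entropy, so the URL format can be fully public, whereas a short numeric id that merely looks hard to guess is enumerated in seconds.

```python
"""Unguessable per-asset access tokens (constructed example, not Facebook's
scheme). Illustrates secret (random token) versus obscure (predictable id)."""
import hashlib
import secrets
from typing import Dict, Optional

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; assumed size, not from the thread


def new_asset_token(nbytes: int = TOKEN_BYTES) -> str:
    """Return a fresh URL-safe token carrying 8*nbytes bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def token_bits(nbytes: int = TOKEN_BYTES) -> int:
    """Entropy of a token made of nbytes random bytes, in bits."""
    return 8 * nbytes


def years_to_guess(bits: int, guesses_per_second: float = 1e9) -> float:
    """Expected time to hit one specific value by exhaustive guessing:
    on average half the keyspace, 2**(bits-1) guesses, at the given rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_designs(guesses_per_second: float = 1e9) -> Dict[str, float]:
    """Contrast an 'obscure' 32-bit numeric id with a 256-bit random token.
    The id's format being unknown buys nothing once an attacker looks at it;
    the token's strength does not depend on the URL layout being hidden."""
    return {
        "32-bit id": years_to_guess(32, guesses_per_second),
        "256-bit token": years_to_guess(token_bits(), guesses_per_second),
    }


class PrivateAssetStore:
    """Serves an asset to whoever presents its token; the token is the only
    credential, as with a private image URL. Tokens are stored hashed
    (hypothetical design choice) so a leaked table does not leak live links."""

    def __init__(self) -> None:
        self._assets: Dict[bytes, bytes] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        # SHA-256 of the token is the lookup key; the plaintext token is never kept.
        return hashlib.sha256(token.encode("ascii")).digest()

    def publish(self, data: bytes) -> str:
        """Store data under a fresh token and hand the token back to the owner."""
        token = new_asset_token()
        self._assets[self._key(token)] = data
        return token

    def fetch(self, presented: str) -> Optional[bytes]:
        """Return the asset for a valid token, None otherwise. The owner sharing
        the link (or a screenshot) is user intent, not a failure of this control."""
        try:
            return self._assets.get(self._key(presented))
        except UnicodeEncodeError:
            return None  # non-ASCII input cannot be one of our tokens


if __name__ == "__main__":
    store = PrivateAssetStore()
    link_token = store.publish(b"\xff\xd8constructed-jpeg-bytes")
    print("token:", link_token, "bits:", token_bits())
    print("fetch ok:", store.fetch(link_token) is not None)
    for design, years in compare_designs().items():
        print(f"{design}: {years:.3g} years to guess at 1e9/s")
```

Running the block prints one freshly minted token, confirms the round trip, and shows the two enumeration estimates side by side; the number to take away is that only the random-token column moves when you add bits, which is the "rate of change of complexity" Dan is arguing about.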
Re: [funsec] Facebook Image Privacy
On Mon, Jan 18, 2010 at 1:37 AM, Peter Evans pe...@ixp.jp wrote: On Sun, Jan 17, 2010 at 08:38:20PM +0100, Dan Kaminsky wrote: OMG! Save Picture! OMG! Print Screen! OMG! SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN! :) Forget the smiley, I've seen people getting bent about this. I believe probix (or whatever it's called now) some sort of secure pdf thing, could protect against the first two, but the third one caused a panic among some Japanese users. And yes, this is why it's so very important to not let people try to defend false security boundaries. You can expend an infinite amount of effort for no security gain.
Re: [funsec] predictions
On Jan 15, 2010, at 7:28 AM, Nick FitzGerald n...@virus-l.demon.co.uk wrote: Larry Seltzer wrote: I forget exactly who, but I remember one of the security predictions for 2010 I heard was that large corporations would be attacked from China. Wow, that was really prescient! To the extent that predicting more of the same is prescient, yes... Nobody is surprised by the attack. Everybody is surprised by there actually being consequences -- against a state interest, no less. Regards, Nick FitzGerald
Re: [funsec] predictions
On Jan 15, 2010, at 6:14 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote: Dan Kaminsky to me: To the extent that predicting more of the same is prescient, yes... Nobody is surprised by the attack. Everybody is surprised by there actually being consequences -- against a state interest, no less. That's funny -- everybody... Oh, wait, I see -- you were making your post relevant to the list charter! Of course there were consequences and no-one worth knowing would be surprised by any of this. The only thing I find at all surprising is that anyone actually thinks this is particularly newsworthy -- such attacks by the Chinese are far from new and anyone worth knowing already knows how generally incompetent corporate and government institutions are at (proactive) IT security... What do you mean, of course there were consequences? This is The Internet, The Land Without Consequences! Major corporations under attack? Of course. Chinese hackers? Sure, why not. Consequences? Against a state interest? With the Secretary of State of the United States of America backing up those consequences? WOT?! Show me a single 2010 prediction list *that* showed up on. Certainly wasn't on mine (unless you want to count it as an 'old and hoary prediction', but that's cheating). Regards, Nick FitzGerald
Re: [funsec] predictions
On Jan 15, 2010, at 8:33 PM, Larry Seltzer la...@larryseltzer.com wrote: Major corporations under attack? Of course. Chinese hackers? Sure, why not. Consequences? Against a state interest? With the Secretary of State of the United States of America backing up those consequences? I'm fairly certain that the US government won't seriously inconvenience itself on behalf of Google or any human rights activists as a result of this. They would much prefer not even to have had to make a statement of support for Google But they did. Didn't see that coming. What if Google actually follows through on their no-censorship threat? They did. Google.cn dropped the censorship. The Chinese can't let them get away with it, so I have to think Google will at least lose some business there. That's a consequence. But plenty of other companies will take their place. All the more interesting that things went down like this. Larry Seltzer Contributing Editor, PC Magazine larry_selt...@ziffdavis.com http://blogs.pcmag.com/securitywatch/
Re: [funsec] predictions
On Jan 15, 2010, at 9:39 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote: Larry Seltzer wrote: What if Google actually follows through on their no-censorship threat? The Chinese can't let them get away with it, so I have to think Google will at least lose some business there. That's a consequence. But plenty of other companies will take their place. I saw some stats on this on CNN (or BBC ?) the other day. Google is a distant not-first in .cn search. IIRC, Baidu has nearly 60% of that market and Google has about a third of the rest (I think in third place behind another .cn provider). This lowly marketshare (by Google's standards/expectations) means that their advertising revenue is even more heavily affected because revenue per impression, etc depends on marketshare. The commentator suggested that therefore the market loss for Google pulling out of .cn, as a result of the expected intolerance of the Chinese government to Google's non-filtering move, may be smaller than the up-tick in intangibles (feelgood factor, etc) in Google's other markets and with EU legislators, etc, with whom Google is starting to have some, ummm, difficulties. Or perhaps Google will not be kicked out, and will enjoy a competitive advantage for not filtering. Regards, Nick FitzGerald
Re: [funsec] Adobe investigates sophisticated corporate network security issue
On Thu, Jan 14, 2010 at 2:18 PM, Rich Kulawiec r...@gsp.org wrote: On Wed, Jan 13, 2010 at 03:05:19PM -0800, Paul M. Moriarty wrote: Or put another way, expecting end users to change their behavior and start doing all the things they should be doing is futile. Any approach based on this premise will fail. Absolutely true. Educating users is listed as one of Marcus Ranum's six dumbest ideas in security, and it really is. Spammers and phishers, among others, prove it millions of times a day. A few years back, Jason Larsen explained to me the great irony of USB sticks. We've had networking for how many years? But if you've got ten people sitting around a conference room table, from three different companies, and all of them need a slide show, guess what? They're not using network file sharing to share that file. The odds that they'll all be able to get on the same network are quite low. See, it's always assumed by IT that in general, the only people who need access work from the company, and those people outside have bad untested insecure horrors of laptops. So those bad untested insecure horrible outsiders bring in USB 3G networking and USB sticks. And those sticks get passed around, so people can get their slides and business can be done. How does security react? By banning USB sticks. And what will people thus use? Gmail. Watch. The war after USB sticks is 3G networking. Because we've stopped being good at saying, yes, we have a solution for you. But we're damn good at saying, HOLY CRAP YOU FOUND A SOLUTION, WE MUST SUPPRESS IT.
Re: [funsec] Adobe investigates sophisticated corporate network security issue
There is pretty clear evidence that someone (more than one someone, apparently) opened an attachment they shouldn't have, as described here: http://www.f-secure.com/weblog/archives/1854.html True story: Back when the ILoveYou virus was going around, I personally heard an exasperated admin exclaim, utterly without irony: Stupid users, thinking people love them. Listen. You are Jane in HR. It is your job to read PDFs from the Internet. Some asshole in IT whines that you should be careful, what the hell, IT IS YOUR JOB TO READ PDFS FROM THE INTERNET. In fact, YOU PROBABLY HIRED THAT GUY WHEN HE SENT YOU HIS RESUME AS A PDF -- that is, if he didn't send you a doc! This blaming the victim stuff has to stop. --Dan
Re: [funsec] Adobe investigates sophisticated corporate network security issue
On Thu, Jan 14, 2010 at 12:05 AM, Paul M. Moriarty p...@igtc.com wrote:
> On Jan 13, 2010, at 12:13 PM, Dan Kaminsky wrote:
>> [...]
>> This blaming the victim stuff has to stop.
>>
>> --Dan
>
> Or put another way, expecting end users to change their behavior and start doing all the things they should be doing is futile. Any approach based on this premise will fail.
>
> - Paul -

I dislike this formulation, because it implies that users are too stupid to do what they're told. They're doing exactly what they're told -- by their actual bosses, who pay them.
Re: [funsec] Spin of the Week: Uganda Child Sacrifice and Witch Doctors
I was pretty weirded out by this whole thing. It felt like a throwback to another era of old-school yellow journalism, a la "Did you hear those SAVAGES in AFRICA kill their OWN CHILDREN to appease their PAGAN GODS?!?" Super creepy.

Then I remember a few months back, we were hearing about that Ugandan law to kill the gays and jail anyone who had a problem with that. I ain't saying there's a relationship between the two events, but there's certainly been a lot of strange talk about Uganda as of late.

On Jan 10, 2010, at 10:08 AM, Gadi Evron g...@linuxbox.org wrote:
> The spin of the week catch goes to Brandon K. Thorp, on the James Randi Educational Foundation blog, in an article titled "Child Sacrifice in Uganda", where he discusses the recent outrage in regard to claims of witch doctors sacrificing children in Uganda.
>
> The post is built of three sections, claiming:
>
> 1. That by merely writing on it and repeating it in a few publications, it has now become truth.
> 2. That evidence is seriously lacking, and what facts are known are questioned.
> 3. That there are consequences to scaring people about witches, namely, witch hunts.
>
> He ties it all together by discussing the bad journalistic work performed here, from the assumptions made by the reporters who later insinuate them as evidence, to why the evidence actually provided is unlikely to hold any water when scrutinized. He asks to see what children had actually been murdered, as the claims made about numbers, even if witch doctors do ritually sacrifice children, are ridiculous.
>
> A great work of skepticism, writing and argumentation! I definitely recommend reading it:
>
> http://www.randi.org/site/index.php/swift-blog/829-child-sacrifice-in-uganda.html
>
> Gadi
Re: [funsec] Former Seagate engineer: Company destroyed evidence
The funny thing is I remember seeing Seagate drives with a lifetime warranty and thinking, "Wow! They must have really gotten their reliability shit together!"

Nope. Just aping what a company with a good product would do, leaving the cleanup to the next guy. Short-term thinking like this is a real, REAL problem.

On Jan 3, 2010, at 9:19 PM, Tomas L. Byrnes t...@byrneit.net wrote:
> The evil is the deny, divert, annoy in response to well documented failures. Who cares how cheap a drive is if it trashes a month of data?
>
> In my experience, over the last 12 months:
>
> 2 WD failures, 3 year old drives that have experienced god-awful heavy duty (the primary ThreatSTOP servers) on power cycles. Raid 10 and Raid 5 on 3Ware, no data loss.
>
> 13 Seagate failures (more AS than ES, but 2 ES bricked as well, at the same time, which is what caused the data loss and corrupted the 1TB RAID 5), totally random, all drives less than a year old. Single spindle, Raid 0, Raid 10, Raid 5EE; USB/Sata; Sata, Sataraid; Nvidia, Intel, Adaptec. Nearly a Terabyte of corrupted data, 50GB (approx) data loss.
>
> 0 Hitachi (have several in multiple machines).
>
> The Seagates all had to go through multiple RMA cycles until I finally got 7200.12s, which seem to be stable.
>
> SMART provides no warning, because the problem isn't with the drive or the drive controller. The only indication of impending failure is ever increasing Aborted commands on the SATA interface, because the problem is Seagate has a lousy (don't know if it's cheap hardware or buggy software, and don't care which) SATA interface, which has nothing to do with AS or ES, and everything to do with bad management.
>
> Seagate: Yet another example of how the race to the bottom strategy ruined yet another once-great American Business (GM, Citigroup, GE, US Steel, etc.). Can we PLEASE put pre-teens in charge of US companies instead of Harvard MBAs?
>
> http://articles.moneycentral.msn.com/learn-how-to-invest/are-you-a-smarter-investor-than-a-5th-grader.aspx
>
> -----Original Message-----
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Peter Evans
> Sent: Sunday, January 03, 2010 3:33 PM
> To: funsec@linuxbox.org
> Subject: Re: [funsec] Former Seagate engineer: Company destroyed evidence
>
> On Sun, Jan 03, 2010 at 02:32:46PM -0800, Tomas L. Byrnes wrote:
>> I've had a 50% failure rate of 7200.11s in Desktops (ICH10 and Nvidia MCP55 RAID 10) and low use servers (Adaptec RAID 5EE), leading to serious data loss.
>
> They're all evil, just some are more evil than others. Hitachi, for example, has a high suicide // drop dead rate.
>
> Strangely enough, I had a spate of weird arse failures with drives in raid 1 on ICH10 boards. In one case, the cause was actually reproducible running just the disk test and the root issue was memory. (burnin test pro from passmark, they fixed it for me too![1])
>
> We have about 500 80/160g drives deployed all over fukuoka, over the past 1y9m about 5 have failed. (I have them at the ofis, I can check what models if people care.) The drives are a mix of WD (early 80g boxes going out) and hitachi/seagate. With probably half being hitachi.
>
> seagate 500g are my current drive of choice for ofis boxes, because they cost about the same as 10 boxes of cereal, or so.
>
> P
>
> [1] release 1017 is entirely my fault. excellent support guys there!
Re: [funsec] GSMA statement on media reports relating to the breaking of GSM encryption
Pay no attention to the relatively large number of open source GSM base stations in development and preliminary deployment.

On Fri, Jan 1, 2010 at 8:46 PM, Les Bell lesb...@lesbell.com.au wrote:
> Juha-Matti Laurio juha-matti.lau...@netti.fi wrote:
>> GSM Association has posted their statement
>
> From the statement:
>
>> So far, this aspect of the methodology has not been explained in any detail and we strongly suspect that the teams attempting to develop an intercept capability have underestimated its practical complexity.
>
> So, it's business as usual for the telecommunications industry, then: security by obscurity. Yep, that'll work.
>
> Best,
>
> --- Les Bell [http://www.lesbell.com.au]
> Tel: +61 2 9451 1144
Re: [funsec] When are we going to start profiling? WAS RE: Don't spend too much time in the bathroom...PLEASE
*laughs* God, we're dense sometimes. Epic trolling. gg

On Dec 30, 2009, at 7:18 AM, Tomas L. Byrnes t...@byrneit.net wrote:
> Hogs are used to find truffles due to their excellent sense of smell. I'm sure we can use trained pigs to sniff out particularly devout Muslims pretty effectively.
>
> -----Original Message-----
> From: Larry Seltzer [mailto:la...@larryseltzer.com]
> Sent: Tuesday, December 29, 2009 5:42 PM
> To: Drsolly; Tomas L. Byrnes
> Cc: funsec@linuxbox.org; RandallM
> Subject: RE: [funsec] When are we going to start profiling? WAS RE: Don't spend too much time in the bathroom...PLEASE
>
>> How will you detect muslims?
>
> It's true, installation of full-body Muslim-detectors in US airports is behind schedule, but increased funding should move the program along.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_selt...@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
Re: [funsec] When are we going to start profiling? WAS RE: Don't spend too much time in the bathroom...PLEASE
What an amazing coincidence that you will never wake up tomorrow matching all of these traits, despite matching at least two (male, western educated, especially in Engineering), likely a third (18-35), possibly even a fourth (devout). I dare say, by your own metrics, you might arguably be majority terrorist. Please bend over.

The only elephant in the room is that out of ten billion passenger-flights in the last decade, and even more over the last thirty years, only a couple dozen passengers have actually been the bad guys we need to stop. Building a discriminator that can find one terrorist out of two hundred million passengers is like building a machine that can win the lottery. Good luck.

Of course, you can decrease those odds by increasing the number of terrorists, perhaps with...full body cavity searches executed repeatedly against the people you identify most likely to attack you? Brilliant.

On Dec 29, 2009, at 6:52 PM, Tomas L. Byrnes t...@byrneit.net wrote:
> The overall absurdity of this thread just continues to prove the point that engaging in security theater and making everyone miserable doesn't work, wastes lots of time and $, and is inconveniencing the mass of travelers in order to not offend a tiny minority.
>
> No-one has a RIGHT to get on an airplane (or to enter an airport, for that matter).
>
> While not all Muslim males aged 18-35 are suicidal terrorists, virtually ALL suicidal terrorists and airplane hijackers in the last 40 years have been Muslim males aged 18-35. Therefore, being a lot more stringent in screening Muslim males aged 18-35 is more likely to catch a would be terrorist than randomly selecting those to be more deeply screened.
>
> There should still be some random selection of the rest of the population, but, given the profile of the latest attacker, and the profiles of the 9-11 hijackers, just about everyone who fits the following profile:
>
> Male
> Muslim
> Devout
> Western Educated, especially in Engineering
>
> Should have a full body cavity search before being allowed on an airplane.
>
> If that offends them, then maybe they (and realistically, it is only the Islamic world that can end the scourge of Islamic terrorism) will do something about the funding of radicalizing Madrassas and firebrand clerics that are at the root of the whole problem.
>
> This "Equality and non-discrimination" garbage is ignoring the elephant in the room, and like the rest of the left's agenda, makes everyone equally miserable, without accomplishing its stated goal.
>
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of RandallM
> Sent: Tuesday, December 29, 2009 9:05 AM
> To: funsec@linuxbox.org
> Subject: Re: [funsec] Don't spend too much time in the bathroom...PLEASE
>
>> Can we change the subject field? This is also kind of a personal matter with me. Yes, I do take medication.
>>
>> On Tue, Dec 29, 2009 at 8:07 AM, funsec-requ...@linuxbox.org wrote:
>>> Message: 7
>>> Date: Tue, 29 Dec 2009 16:07:33 +0200 (EET)
>>> From: Juha-Matti Laurio juha-matti.lau...@netti.fi
>>> Subject: Re: [funsec] Don't spend too much time in the bathroom...
>>> To: david.a.har...@gmail.com, funsec@linuxbox.org
>>>
>>> Here: http://www.nydailynews.com/news/national/2009/12/26/2009-12-26_foiled_terror_plot_aboard_northwest_flight_253_sparks_strict_security_rules_for_.html
>>>
>>> Juha-Matti
>>
>> --
>> been great, thanks
>> RandyM
>> a.k.a System
Re: [funsec] Image forensics
I don't necessarily disagree with your assertions, Neal -- or, at least, I think you're well within your rights as an author to take your particular position. However, as an independent reviewer, I see a really small sample size for your findings, and no ground truth analysis.

In other words, if I hand you 100 photos, approximately 50 of which are photoshopped and approximately 50 of which aren't, what percentage will your tools be better than chance at picking out the altered photos, and determining the alterations? As you yourself admit, natural features can trigger your tool. How often *do* they? As you intriguingly point out, not always. This is good.

However. Forensics aren't a game. People live and die over the determinations we make. There have...been issues, with bite mark analysis, and with arson determination, that have thoroughly destroyed lives, up to and including the death penalty. This stuff is really important, way more than anything on this list.

What I would like to do is actually give you the hundred images as described, and receive:

A) The raw output from your tool (identical settings for all files -- if you need multiple settings, multiply them out across all files).
B) Your interpretation of the output.

I will then unmask the originals, and changes, and we can calculate the relative effectiveness of your various approaches.

I've always liked your work, Neal. I mean that; I was a graphics geek before I was a security geek, and you've done amazing work at the intersection. I just think some numbers would make it infinitely stronger.

What do you think?

On Dec 28, 2009, at 6:13 PM, Dr. Neal Krawetz h...@hackerfactor.com wrote:
> On 27 Dec 2009, Rob, grandpa of Ryan, Trevor, Devon Hannah wrote:
>> An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how.
>>
>> http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html
>
> [snip]
>
> Thanks for the compliments. (I'm just catching up on my emails...)
>
> Re: Dan Kaminsky
>> Neal's code is neat and pretty, but chapter and verse is no substitute for open code and side by side checks. A LOT of his output bears a strong resemblance to edge detection (really, look for high frequency signal, it'll show up in every test).
>
> Edges can show up for many reasons.
>
> - The edge may be a high frequency region (as you stated) that appears.
> - With algorithms like ELA and LG, high contrast edges (like stripes on a zebra) can be at a higher error level or strong gradient than the rest of the image. However, it will not be significantly stronger. (If ELA has a black background, then the high contrast edge may be grayish, but not white.)
> - Artists usually make changes at edges to reduce visual detection. Think about it: if you are going to cut out or mask something, you are going to do it along the edge.
>
> In the VS example, her outline is visible, but inside edges are not. If the algorithms were only picking up edges, then all edges (inside, outside, and outline) should be at the same level. They are not.
>
> As a counter example to your edge theory, consider: http://www.hackerfactor.com/blog/index.php?/archives/338-Id-Rather-Wear-Photoshop.html
>
> (If you get a 503 server error, just reload. GoDaddy's server is having trouble with the concurrent connection load right now. This will be fixed in January.)
>
> In the Error Level Analysis, the halo totally disappears, even though it is a high contrast and high frequency element (white on dark). If the algorithm was measuring edges, then the halo should still be visible at least to some degree.
>
> Second, with regards to open code, I strongly disagree with your assumption. You seem to assume that releasing the code will allow people to validate the methods.
>
> - If I release my own tool, then they will just use it and look at the results. This does not validate the code nor the methods.
> - If I don't release my own tools, but describe the algorithms, then people will create their own and perform a more scientific comparison. If you create your own tool that implements a variation of the algorithm(s) and you cannot generate the same kind of results, then there is either something wrong with your code or with mine. Now we can do a proper comparison. We have a hypothesis and multiple tools to test it.
>
> As an example, I have implemented my own PCA, DCT, and wavelet libraries. (I couldn't use any of the public ones due to GPL issues.) To validate my libraries, I compared the results with GSL and other public libraries. Since GSL and the other public libraries generate the same output as my own
Re: [funsec] Safeway Stores Left Unlocked
Pssh. Think of all the stabbings that don't happen around the dinner table every night. I mean, everyone's armed!

On Sun, Dec 27, 2009 at 9:11 AM, Danny McPherson da...@tcb.net wrote:
> http://www.kcra.com/news/22062763/detail.html
>
> I'm not sure I buy this, if for no reason other than the fact that people don't have cash anymore to leave on the counter :-)
>
> -danny
Re: [funsec] Image forensics
Neal's code is neat and pretty, but chapter and verse is no substitute for open code and side by side checks. A LOT of his output bears a strong resemblance to edge detection (really, look for high frequency signal, it'll show up in every test).

I want to be clear, I have no doubt whatsoever that he's using the techniques as described. I also don't doubt the fundamental thesis that some manipulation can be detected (especially in a trivial case like "was this image downsized" or "was this saved by Photoshop instead of a Canon camera", which is obvious from quantization tables if not from the raw EXIF). But some of these techniques feel a little interpret-y. More samples would be great.

On Dec 28, 2009, at 3:21 AM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
> An interesting analysis of a graphic recently used by Victoria's Secret in their advertising. This gives chapter and verse of the techniques used, and results obtained, demonstrating the ability to determine if an image has been altered, and even which parts of an image have been modified, and how.
>
> http://www.hackerfactor.com/blog/index.php?/archives/322-Body-By-Victoria.html
>
> I find this particularly interesting because of the apparently widely held belief that steganography is undetectable without comparison to the original image. Most of the Photoshop disasters are glaringly obvious to the naked eye. As this demonstrates, analysis and detection of modification is easily accomplished, even when the differences are not apparent to the human eye. (Well, except for the straps. That was pretty stupid ...)
>
> ==
> (quote inserted randomly by Pegasus Mailer)
> rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
> I live in my own little world, but it's OK, they know me here.
> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/NoticeBored http://twitter.com/rslade
Re: [funsec] HP computers are racist
Extremely bright LEDs, in somewhat long IR, should overflow even a pretty good bandpass filter without being visible to the human visual system. So you could conceivably walk around as a CCTV-proof person. The best thing would be using a Macrovision-like duty cycle, such that you aren't so much overflowing the thing as confusing its AGC.

On Thu, Dec 24, 2009 at 11:35 AM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:
> http://www.youtube.com/watch?v=t4DT3tQqgRM
>
> Oh, there's got to be a security tie-in for this. How about: using this type of software for CCTV tracking needs to be universally applicable? Or: test your software/systems before they do you this kind of reputational damage? Or: silly but fun videos and social networking sites can waste your network bandwidth.
>
> (By the way, I just bought a netbook with a webcam built into it for the first time, and I have *no* idea at all what to do with it. Any suggestions as to [Windows] software [preferably free] that will take pictures or video with it, even if only to test it out?)
Re: [funsec] FBI: More Guns == Less Crime
I was pretty pro gun control until I had to debate it competitively in high school. Yikes. The data, oh god, the data. The UK pulled all guns in the 90's. Violent crime quadrupled.

On Dec 24, 2009, at 6:14 PM, Gadi Evron g...@linuxbox.org wrote:
> In respect for funsec gun debate history, here is an interesting link:
> http://www.csmonitor.com/USA/Society/2009/1223/More-guns-equal-more-crime-Not-in-2009-FBI-crime-report-shows
>
> Also check out this older story:
> http://www.adamsmith.org/blog/justice-and-civil-liberties/crime-reduction-200911044387/
>
> Gadi.
Re: [funsec] Fox News John Stossel
Uh, what does this have to do with security? :)

On Thu, Dec 10, 2009 at 5:08 PM, RandallM randa...@fidmail.com wrote:
> John is having a Climate special on Fox right now. Your thoughts?
>
> --
> been great, thanks
> a.k.a System
Re: [funsec] climate gate and programming bugs
On Wed, Dec 9, 2009 at 12:25 AM, Robert Graham robert_david_gra...@yahoo.com wrote:
> From: Dan Kaminsky d...@doxpara.com
>> Took a look. There are mild issues but nothing I'm seeing yet that causes clear error. Maybe the 1% error from the nonspherical nature of the planet could yield something interesting, but thus far I'm not impressed that a statistically significant fault has been found.
>
> Nor would you find anything like that. The situation is like security vulnerabilities in code. Those who write the code are motivated not to see the bugs because they want to believe there are none. At the same time, vuln researchers are motivated to figure out how to make any minor bug into something major they can exploit. The same is true of this code. I see lots of problems, such as failure to sanitize inputs, failure to sanity check results, and tables of arbitrary values that adjust the final result with no documentation as to why they are there. For example, look at line 47 of cru-code/linux/mod/homogeneity.f90.
>
> In any case, the issue isn't accidental bugs so much as intentional ones.

I agree with the assertion that the bugs described thus far are *precisely* like security vulnerabilities in code. Specifically, most vulnerabilities...aren't.

A long time ago, I knew nothing of attacking integer overflows. I asked a friend of mine, "So the integer wraps. How could that be exploited?" And I got a good lesson in how (for example) the following construct:

    char *foo = malloc(count * sizeof(bar));

...would lead to pain, since an attacker controlled count would cause malloc to wrap around to zero, while the system still assumed *foo pointed to some ungodly amount of RAM.

So, first thing I did was search everything I could find for mallocs that included a multiply within their arguments. I was so excited! Look at all these bugs!

Then I started realizing, heh. Wait. Can an attacker actually set count? Is count bounded by, for example, it being a char or a short, or being read in from a 32 bit field in the original file format? Do I ever get sufficient control of how *foo is used, to be able to corrupt much of RAM interestingly? Do I already have to have code execution as root, in order to alter this input file format in the first place?

Grep is not exactly a wonderful static analysis engine, it turns out.

Where we are now is this exact sort of fairly naive analysis of the Climate code. There are no findings yet -- that sort of rigor hasn't shown up yet, and who knows if it ever will -- but oh, how people are grepping for badness that could, maybe, possibly cause issues. The irony that people are complaining about lack of rigor, while having none themselves, should not be lost on anyone.

Look, the code could have issues. Both the 1% error in the spherical nature of the earth, and the failure to correctly account for the wrapping nature of the globe, could cause problems in the data. But, you know, do they? Or, are they like most things in both statistical analysis and security auditing -- interesting in isolation, but swept aside by greater forces in the deployed system?

It's not enough for there to be constants and correction tables. These are normal, though the tables need to be documented. It's not enough for there to be insufficient comments. Comments are very rarely sufficient, and what's there is almost always the grumbling of an angry programmer. It's not enough for the code to be ugly. The world runs on ugly code. See www.thedailywtf.com.

And frankly, of course the code has miserable sanity checking. Only secure code sanity checks, and the climate modeling code is not expected to parse untrusted input! The environment isn't going to raise some sector of the ocean to 2^32-1 degrees Celsius just to overflow the climate modeler.

Finally, intent is a loaded word. Certainly we know from security that backdoors (even including vendor maintenance passwords) are far rarer than unintended vulnerabilities. Consequences exist for the former, not for the latter. I really don't see some climate scientist cackling as he fails to account for the slightly nonspherical nature of the earth.

To be clear, I'm not saying the code is perfect. It could very well have bugs. But after hearing about how uncasted transforms between reals and integers in Fortran are a very effective random number generator, only to find out they aren't, after seeing two vaguely promising statistical errors get publicized without testing, and after an ungodly amount of whining that the code was not in fact passed down from the heavens, pristine, well commented, and utterly bug free, I gotta say to the CRU code deniers, just like developers say to me:

Show me the inputs that cause this code to return statistically significant error.
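Dan's malloc(count * sizeof(bar)) construct, worked through in C as an added example (not code from the thread or from the CRU sources): the size computation that wraps, the bounds check that refuses it, and the case from his follow-up questions where count comes from a 16-bit file field and cannot wrap at all. The record type bar, the function names and the sample field bytes are constructed for this illustration.

```c
/* Added example: the malloc(count * sizeof(bar)) construct from the
 * message above, with the size computation pulled out so the wrap can
 * be observed, beside the checked form that refuses to allocate.
 * "bar", the function names and the sample bytes are constructed for
 * this illustration; they are not from the CRU code or the thread. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed 16-byte record standing in for the page's "bar". */
typedef struct {
    uint32_t a, b, c, d;
} bar;

/* The size computation as written in the quoted construct. size_t
 * arithmetic is modular, so for a large enough count the product
 * silently wraps; malloc would then return a tiny (or zero-byte) block
 * while the caller believes it holds count records. */
size_t naive_alloc_size(size_t count)
{
    return count * sizeof(bar);
}

/* True when count * sizeof(bar) does not fit in size_t. Dividing
 * SIZE_MAX by the element size avoids doing the overflowing multiply. */
int mul_would_wrap(size_t count)
{
    return count > SIZE_MAX / sizeof(bar);
}

/* Hardened form: compute the byte count only when it cannot wrap.
 * Returns 1 and stores the product in *out on success, 0 otherwise. */
int checked_alloc_size(size_t count, size_t *out)
{
    if (mul_would_wrap(count))
        return 0;
    *out = count * sizeof(bar);
    return 1;
}

/* Allocation that refuses an overflowing count instead of wrapping. */
bar *alloc_bars(size_t count)
{
    size_t bytes;
    if (!checked_alloc_size(count, &bytes))
        return NULL;
    return malloc(bytes);
}

/* One of the follow-up questions in the message: is count bounded by
 * its declared width? A count decoded from a 16-bit little-endian file
 * field is at most 65535, so the multiply can never approach SIZE_MAX
 * and the construct grep flagged is not reachable through this path. */
size_t alloc_size_from_u16_field(const unsigned char field[2])
{
    uint16_t count = (uint16_t)(field[0] | (field[1] << 8));
    return (size_t)count * sizeof(bar);
}

int main(void)
{
    /* Smallest count whose product wraps: SIZE_MAX/16 + 1, i.e. 2^60 on
     * a 64-bit size_t, so count * 16 is exactly 2^64, which is 0 mod 2^64. */
    size_t hostile = SIZE_MAX / sizeof(bar) + 1;
    size_t bytes;
    unsigned char field[2] = { 0xff, 0xff };   /* constructed file bytes */

    printf("naive size for %zu records: %zu bytes\n",
           hostile, naive_alloc_size(hostile));
    printf("checked form accepts it: %s\n",
           checked_alloc_size(hostile, &bytes) ? "yes" : "no");
    printf("largest size from a 16-bit count field: %zu bytes\n",
           alloc_size_from_u16_field(field));
    return 0;
}
```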
Re: [funsec] climate gate and programming bugs
On Wed, Dec 9, 2009 at 1:17 PM, Larry Seltzer la...@larryseltzer.com wrote:
>> since these scientists do not release their code. We are supposed to believe the priests who say Earth is at the center of the universe, but we are not allowed to see either their data or method they used to arrive at that conclusion.
>>
>> This isn't the production code, although it's related. CRU has promised to release both the code and the raw data. At that point, us coders can start the process of replicating the results, and looking for statistically significant errors.
>
> I agree this is the key point. I also think it's fair to state that without the leaked e-mails and documents they would not have agreed to release their data and code.
>
> I'll go one step further: No science is settled if nobody has even had the opportunity to replicate the work.

Sure, sounds great in theory. In practice, do you have any idea how little code and data is open? Maybe you don't. Here's the reality.

Academia is publish or perish. Publish is defined as getting papers into conferences. It is not defined as releasing the raw data behind your paper, or releasing even rough code that barely compiles, or especially releasing production code that other people can use on their own data. If you spend your time doing the latter, you might get cited a bit more (since people use your stuff) but if it costs you a few papers, you're going to perish. That's even before the whole IP thing gets involved.

The reality is that for a whole bunch of reasons, a lot of stuff just isn't available. If you want it, if you want to reimplement it, you get documentation in the form of a paper showing how to achieve what is claimed. Is the paper enough? Sometimes it is, yeah. But always? Even often? No, not at all.

Of course, there's a revolution going on, because the *cost* of releasing code and data is plummeting. Expectations may change. But I see it just as likely that IP will take over, going so far as to delay and degrade the papers themselves.
Re: [funsec] climate gate and programming bugs
On Wed, Dec 9, 2009 at 1:39 PM, Larry Seltzer la...@larryseltzer.com wrote:
>> The reality is that for a whole bunch of reasons, a lot of stuff just isn't available. If you want it, if you want to reimplement it, you get documentation in the form of a paper showing how to achieve what is claimed. Is the paper enough? Sometimes it is, yeah. But always? Even often? No, not at all.
>
> That's as may be. If we're expected to impose massive taxes and regulations on the economy based on this supposedly settled science we need to expect more in the way of proof.

It's a talking point. Delay, delay, delay, ignore reality when it's inconvenient. The scientific consensus around climate change is *overwhelming*.
Re: [funsec] climate gate and programming bugs
Any actual bugs yet?

On Dec 8, 2009, at 6:34 PM, Gadi Evron g...@linuxbox.org wrote:

> http://newsbusters.org/people/john-graham-cumming
>
> A segment on the Dec. 3 broadcast of BBC's Newsnight showed the implications of the story behind the so-called ClimateGate scandal are more than just e-mails concealing data, but an incompetence analyzing the data by way of faulty computer code. John Graham-Cumming, a British programmer known for the open source POPFile email filtering program, explained how the University of East Anglia's Climatic Research Unit (CRU) had wholesale problems with its computer programming analyzing climate change data, with billions, if not even trillions, of dollars on the line.
Re: [funsec] climate gate and programming bugs
Took a look. There are mild issues, but nothing I'm seeing yet that causes clear error. Maybe the 1% error from the nonspherical nature of the planet could yield something interesting, but thus far I'm not impressed that a statistically significant fault has been found.

On Dec 8, 2009, at 9:16 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

> Dan Kaminsky wrote:
>
>> Any actual bugs yet?
>
> You've not been following that closely, have you...
>
> Again, referring to the actual BBC video of John Graham-Cumming:
>
> http://news.bbc.co.uk/2/hi/programmes/newsnight/8395514.stm
>
> ...at about 2:45. And John has found some other bugs in the CRU code that he's mentioned in his blog:
>
> http://www.jgc.org/blog/
>
> From the general commentary on the quality of the code (and from the comments in/on the code by its current, ummm, maintainer) I'd not be surprised if there are others, but it's not really something I've been following.
>
> Regards,
>
> Nick FitzGerald
Re: [funsec] simple question
On Sun, Dec 6, 2009 at 8:46 PM, Tomas L. Byrnes t...@byrneit.net wrote:

> I used unconverted assignments on Digital Research f77 under CCP/M 3.1d on iAPx 286 chipsets with regularity, and effect, in the early '80s. And after that, I was thankful to never use Fortran again.
>
> The bigger point is that the code is garbage, the data not much better (at least according to the comments, because we can't see the data), and the researchers have clearly been actively hiding the facts from public view.
>
> It's high time for the Open Source and Free Software ethos to dominate something on which so much of the future of mankind rests. I, for one, donated lots of CPU time to the BBC climate modeling BOINC project. I think the idea that there isn't enough computing, never mind brain, power out there to do this right is complete bunk.
>
> Let the science produce the result it will, whatever that may be, but let it at least be proper science, with the best current practices in all relevant fields being applied. Then, after the climate models are as near to unimpeachable as can be (and models can do pretty well, as the auto makers have shown), we can have the debate about the costs of various courses of action relative to their benefits and risks.
>
> Until we have a model that would pass muster for simulating the Coefficient of Drag of an automobile (and as far as I can see the CRU climate model doesn't), how can we base any major public policy decisions on it?

OK, reality check:

1) Most code is crap. Most commercial code is crap. Most open source is crap. People don't really die from bad code (far more people are killed crashing through windows than by crashing Windows), and that's pretty much the only thing that drives engineering standards.

2) The fewer people are expected to run code, the crappier it is. Doesn't matter how important it is.

3) Crappy, inelegant code runs the world.

4) Security is changing 1-3, but very slowly, and only in places where there's attack surface being actively exploited.

5) Your one piece of concrete judgement on this code was (to be generous) an untested assertion, which has been handily dismissed. Do you have a concrete complaint remaining?

6) There's a revolution in data sharing going on in science right now. That we can expect data to be made available really is quite new.