jm + security   247

SolarCapture Packet Capture Software
Interesting product line -- I didn't know this existed, but it makes good sense as a "network flight recorder". Big in finance.
SolarCapture is a powerful packet capture product family that can transform every server into a precision network monitoring device, increasing network visibility, network instrumentation, and performance analysis. SolarCapture products optimize network monitoring and security, while eliminating the need for specialized appliances, expensive adapters relying on exotic protocols, proprietary hardware, and dedicated networking equipment.


See also Corvil (based in Dublin!): 'I'm using a Corvil at the moment and it's awesome - nanosecond precision latency measurements on the wire.'

(via mechanical sympathy list)
corvil  timing  metrics  measurement  latency  network  solarcapture  packet-capture  financial  performance  security  network-monitoring 
10 days ago by jm
DRUG PUMP’S SECURITY FLAW LETS HACKERS RAISE DOSE LIMITS
The Hospira drug pump vulnerabilities described here sound pretty horrific
drugs  drug-pumps  hospira  exploits  vulnerabilities  security  root  dosage  limits 
20 days ago by jm
How the NSA Converts Spoken Words Into Searchable Text - The Intercept
This hits the nail on the head, IMO:
To Phillip Rogaway, a professor of computer science at the University of California, Davis, keyword-search is probably the “least of our problems.” In an email to The Intercept, Rogaway warned that “When the NSA identifies someone as ‘interesting’ based on contemporary NLP methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting'; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.' If the algorithms NSA computers use to identify threats are too complex for humans to understand, it will be impossible to understand the contours of the surveillance apparatus by which one is judged.  All that people will be able to do is to try your best to behave just like everyone else.”
privacy  security  gchq  nsa  surveillance  machine-learning  liberty  future  speech  nlp  pattern-analysis  cs 
23 days ago by jm
s3.amazonaws.com "certificate verification failed" errors due to crappy Verisign certs and overzealous curl policies
Seth Vargo is correct. It's not the bit length of the key which is at issue, it's the signature algorithm. The entire keychain for the s3.amazonaws.com key is signed with SHA1withRSA:

https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com&s=54.231.244.0&hideResults=on

At issue is that the root Verisign key has been marked as weak because of SHA1 and taken out of the curl bundle, which is widely popular, and this issue will continue to cause more and more issues going forwards as that bundle makes its way into shipping OS distributions and AWS certificate verification breaks.


'This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).' -- @jmhodges

This may be a contributory factor to the issue @nelson saw: https://nelsonslog.wordpress.com/2015/04/28/cyberduck-is-responsible-for-my-bad-ssl-certificate/

Curl's ca-certs bundle is also used by Node: https://github.com/joyent/node/issues/8894 and doubtless many other apps and packages.

Here's a mailing list thread discussing the issue: http://curl.haxx.se/mail/archive-2014-10/0066.html -- looks like the curl team aren't too bothered about it.
curl  s3  amazon  aws  ssl  tls  certs  sha1  rsa  key-length  security  cacerts 
29 days ago by jm
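An added example for the thread above (not code from curl, AWS or anyone in the thread): a check that reports which elements of a chain are signed with MD5 or SHA-1. It parses just enough DER to read the signatureAlgorithm OID, so it needs no TLS library and runs offline; the sample certificates are constructed stand-ins with a dummy tbsCertificate, not real Verisign/Amazon certificates. One caveat worth keeping in mind when reading the thread: a self-signed root's own signature is never verified (the root is trusted by being in the bundle), so what a verifier cares about is the algorithm on the leaf and intermediates, plus whether the root is still in the store.

```python
"""Flag chain elements signed with MD5/SHA-1 by reading the X.509 outer structure.

Added example, not code from curl, AWS or the thread. It parses just enough DER
(Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })
to read the AlgorithmIdentifier OID. The sample certificates below are
constructed stand-ins, not real Verisign/Amazon certificates.
"""
from __future__ import annotations

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md5", "sha1")


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """DER OID content bytes to dotted form, e.g. 2A864886F70D010105 -> 1.2.840.113549.1.1.5."""
    first, second = divmod(raw[0], 40)
    arcs, value = [first, second], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Name (or dotted OID if unknown) of the algorithm the issuer used to sign this cert."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: skipped
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm: AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, dotted)


def weak_signatures(chain: list[bytes]) -> list[tuple[int, str]]:
    """(index, algorithm) for each chain element signed with MD5 or SHA-1.
    Pass the chain without its self-signed root: that signature is never verified."""
    result = []
    for i, der in enumerate(chain):
        alg = signature_algorithm(der)
        if any(d in alg.lower() for d in WEAK_DIGESTS):
            result.append((i, alg))
    return result


# --- encoder side, used only to build the constructed sample certificates ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier/BIT STRING framing.
    The 256-byte signature forces long-form DER lengths, so that decoder path is exercised."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAB" * 256)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Constructed chain in the shape the thread describes: leaf SHA-256, intermediate SHA-1.
    chain = [fake_cert("1.2.840.113549.1.1.11"), fake_cert("1.2.840.113549.1.1.5")]
    for idx, alg in weak_signatures(chain):
        print(f"chain[{idx}] is signed with {alg}")
```

To run it against a real chain, feed it the DER blobs `openssl s_client -showcerts` prints (base64-decode each PEM block first); the OID table only needs the algorithms you expect to see, unknown ones come back as dotted OIDs.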
Vault
HashiCorp's take on the secrets-storage system. looks good
hashicorp  deployment  security  secrets  authentication  vault  storage  keys  key-rotation 
4 weeks ago by jm
Google Online Security Blog: A Javascript-based DDoS Attack [the Greatfire DDoS] as seen by Safe Browsing
We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult.

Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.


Via Nelson.
google  security  via:nelson  ddos  javascript  tls  ssl  safe-browsing  networking  china  greatfire 
4 weeks ago by jm
OWASP KeyBox
a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys. Key management and administration is based on profiles assigned to defined users.

Administrators can login using two-factor authentication with FreeOTP or Google Authenticator. From there they can create and manage public SSH keys or connect to their assigned systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.
keybox  owasp  security  ssh  tls  ssl  ops 
4 weeks ago by jm
Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica
The AVS WinVote system -- mind-bogglingly shitty security.
If an election was held using the AVS WinVote, and it wasn’t hacked, it was only because no one tried. The vulnerabilities were so severe, and so trivial to exploit, that anyone with even a modicum of training could have succeeded. They didn’t need to be in the polling place—within a few hundred feet (e.g., in the parking lot) is easy, and within a half mile with a rudimentary antenna built using a Pringles can. Further, there are no logs or other records that would indicate if such a thing ever happened, so if an election was hacked any time in the past, we will never know. I’ve been in the security field for 30 years, and it takes a lot to surprise me. But the VITA report really shocked me—as bad as I thought the problems were likely to be, VITA’s five-page report showed that they were far worse. And the WinVote system was so fragile that it hardly took any effort. While the report does not state how much effort went into the investigation, my estimation based on the description is that it was less than a person week.
security  voting  via:johnke  winvote  avs  shoup  wep  wifi  windows 
5 weeks ago by jm
attacks using U+202E - RIGHT-TO-LEFT OVERRIDE
Security implications of in-band signalling strike again, 43 years after the "Blue Box" hit the mainstream.

Jamie McCarthy on Twitter: ".@cmdrtaco - Remember when we had to block the U+202E code point in Slashdot comments to stop siht ekil stnemmoc? https://t.co/TcHxKkx9Oo"

See also http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/ -- GMail was vulnerable too; and http://en.wikipedia.org/wiki/Unicode_control_characters for more inline control chars.

http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing has some official recommendations from the Unicode consortium on dealing with bidi override chars.
security  attacks  rlo  unicode  control-characters  codepoints  bidi  text  gmail  slashdot  sanitization  input 
5 weeks ago by jm
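An added example, not code from Slashdot, Gmail or the Unicode report linked above: it shows the filename trick (an `.exe` that a bidi-aware renderer displays as `.txt`), a detector for the explicit bidi control code points, and two sanitisers. The spoofed filename and other inputs are constructed for the demo.

```python
"""Detect and neutralise Unicode bidi override/embedding characters in untrusted text.

Added example, not from Slashdot, Gmail or Unicode TR36. Inputs are constructed.
"""
import unicodedata

# Explicit bidi formatting characters (UAX #9): embeddings, overrides,
# isolates and their terminators. These are the ones TR36 says to worry about.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(text: str):
    """Return (offset, codepoint, abbreviation) for every bidi control in text."""
    return [(i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
            for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def strip_bidi_controls(text: str) -> str:
    """Remove explicit bidi controls only. Ordinary RTL text (Arabic, Hebrew) is
    untouched: letters carry their own directionality and need no overrides."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def strip_all_format_chars(text: str) -> str:
    """Stricter variant: drop every General Category Cf character (zero-width
    joiners, soft hyphens, BOM, ...). Usually right for filenames and comments;
    only UIs that legitimately render mixed-direction text need the finer version."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def logical_to_display(text: str) -> str:
    """Crude model of what a bidi-aware renderer shows: everything after an RLO
    up to the next PDF (or end of string) is drawn reversed. Real renderers run
    the full UAX #9 algorithm; this is enough to show the spoof."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\u202e":
            end = text.find("\u202c", i + 1)
            end = len(text) if end == -1 else end
            out.append(text[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed attachment name: on disk it ends in ".exe"; a bidi renderer shows "...txt".
    spoofed = "invoice_\u202etxt.exe"
    print(repr(spoofed), "displays as", logical_to_display(spoofed))
    print(find_bidi_controls(spoofed))
    print(strip_bidi_controls(spoofed))
```

`find_bidi_controls` is the one to wire into a comment or upload filter as a reject-or-log check; `strip_bidi_controls` is what Slashdot's block of U+202E amounts to, generalised to the rest of the family.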
credstash
'CredStash is a very simple, easy to use credential management and distribution system that uses AWS Key Management System (KMS) for key wrapping and master-key storage, and DynamoDB for credential storage and sharing.'
aws  credstash  python  security  keys  key-management  secrets  kms 
5 weeks ago by jm
The missing MtGox bitcoins
Most or all of the missing bitcoins were stolen straight out of the MtGox hot wallet over time, beginning in late 2011. As a result, MtGox operated at fractional reserve for years (knowingly or not), and was practically depleted of bitcoins by 2013. A significant number of stolen bitcoins were deposited onto various exchanges, including MtGox itself, and probably sold for cash (which at the bitcoin prices of the day would have been substantially less than the hundreds of millions of dollars they were worth at the time of MtGox's collapse).

MtGox' bitcoins continuously went missing over time, but at a decreasing pace. Again by the middle of 2013, the curve goes more or less flat, matching the hypothesis that by that time there may not have been any more bitcoins left to lose. The rate of loss otherwise seems unusually smooth and at the same time not strictly relative to any readily available factors such as remaining BTC holdings, transaction volumes or the BTC price. Worth pointing out is that, thanks to having matched up most of the deposit/withdrawal log earlier, we can at this point at least rule out the possibility of any large-scale fake deposits — the bitcoins going into MtGox were real, meaning the discrepancy was likely rather caused by bitcoins leaving MtGox without going through valid withdrawals.
mtgox  bitcoin  security  fail  currency  theft  crime  btc 
5 weeks ago by jm
SCADA systems online, and a horror story about a non-airgapped Boeing 747 engine management system
747s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed.


(via Paddy Benson)
air-gap  planes  boeing  security  747  solaris  unix 
5 weeks ago by jm
HACKERS COULD COMMANDEER NEW PLANES THROUGH PASSENGER WI-FI
Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes


What the fucking fuck. Air-gap or gtfo
air-gap  security  planes  boeing  a380  a350  dreamliner  networking  firewalls  avionics 
5 weeks ago by jm
Keeping Your Car Safe From Electronic Thieves - NYTimes.com
In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet. Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.


What the hell -- who designed a system that would auto-unlock based on signal strength alone?!!
security  fail  cars  keys  signal  proximity  keyless-entry  prius  toyota  crime  amplification  power-amplifiers  3db  keyless 
6 weeks ago by jm
Keywhiz
'a secret management and distribution service [from Square] that is now available for everyone. Keywhiz helps us with infrastructure secrets, including TLS certificates and keys, GPG keyrings, symmetric keys, database credentials, API tokens, and SSH keys for external services — and even some non-secrets like TLS trust stores. Automation with Keywhiz allows us to seamlessly distribute and generate the necessary secrets for our services, which provides a consistent and secure environment, and ultimately helps us ship faster. [...]

Keywhiz has been extremely useful to Square. It’s supported both widespread internal use of cryptography and a dynamic microservice architecture. Initially, Keywhiz use decoupled many amalgamations of configuration from secret content, which made secrets more secure and configuration more accessible. Over time, improvements have led to engineers not even realizing Keywhiz is there. It just works. Please check it out.'
square  security  ops  keys  pki  key-distribution  key-rotation  fuse  linux  deployment  secrets  keywhiz 
6 weeks ago by jm
China’s Great Cannon
Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-opt arbitrary computers across the web and outside of China to achieve China’s policy ends. The repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country’s national priorities is a dangerous precedent — contrary to international norms and in violation of widespread domestic laws prohibiting the unauthorized use of computing and networked systems.
censorship  ddos  internet  security  china  great-cannon  citizen-lab  reports  web 
6 weeks ago by jm
Privacy Security Talk in TOG – 22nd April @ 7pm – FREE
Dublin is lucky enough to have great speakers pass through town on occasion and on Wednesday the 22nd April 2015, Runa A. Sandvik (@runasand) and Per Thorsheim (@thorsheim) have kindly offered to speak in TOG from 7pm. The format for the evening is a general meet and greet, but both speakers have offered to give a presentation on a topic of their choice. Anyone interested in privacy, security, journalism, Tor and/or who has previously attended a CryptoParty would be wise to attend. Doors are from 7pm; bring any projects with you that you would like to share with other attendees. This is a free event, open to the public and no need to book. See you Wednesday.

Runa A. Sandvik is an independent privacy and security researcher, working at the intersection of technology, law and policy. She contributes to The Tor Project, writes for Forbes, and is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project.

Per Thorsheim is the founder/organizer of PasswordsCon.org, so his topic of choice is of course passwords, but in a much bigger context than most people imagine. Passwords, PINs, biometrics, 2-factor authentication, security/usability and all the way into surveillance and protecting your health, kids and life itself.
privacy  security  runa-sandvik  per-thorsheim  passwords  tor  truecrypt  tog  via:oisin  events  dublin 
6 weeks ago by jm
New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities | Electronic Frontier Foundation
'NSW officials seemed more interested in protecting their reputations than the integrity of elections. They sharply criticized Halderman and Teague, rather than commending them, for their discovery of the FREAK attack vulnerability. The Chief Information Officer of the Electoral Commission, Ian Brightwell, claimed Halderman and Teague’s discovery was part of efforts by “well-funded, well-managed anti-internet voting lobby groups,” an apparent reference to our friends at VerifiedVoting.org, where Halderman and Teague are voluntary Advisory Board members. Yet at the same time, Brightwell concluded that it was indeed possible that votes were manipulated.'
freak  security  vulnerabilities  exploits  nsw  australia  internet-voting  vvat  voting  online-voting  eff 
7 weeks ago by jm
(SEC307) Building a DDoS-Resilient Architecture with AWS
good slides on a "web application firewall" proxy service, deployable as an auto-scaling EC2 unit
ec2  aws  ddos  security  resilience  slides  reinvent  firewalls  http  elb 
7 weeks ago by jm
Google delist CNNIC certs
As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products.
cnnic  certs  ssl  tls  security  certificates  pki  chrome  google 
8 weeks ago by jm
Cassandra remote code execution hole (CVE-2015-0225)
Ah now lads.
Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user.
cassandra  jmx  rmi  java  ops  security 
8 weeks ago by jm
AllCrypt hacked, via PHP, Wordpress, and the marketing director's email
critical flaw: gaining access to the MySQL db let the attacker manipulate account balances. oh dear
security  fail  allcrypt  hacks  wordpress  php 
9 weeks ago by jm
Sony PSN hacking horror story
My account got hacked, running up over $600 in charges. Here's the conclusion after running through the Sony support gauntlet.
They can only refund up to $150.
I can dispute the charges with my bank, but that will result in my account being banned.
I cannot unban my account, and will thus lose my purchases ("but you only have the Last of Us and some of our free games, so it's not a big deal")
Whoever hacked my account deactivated my PS4, and activated their own. Customer support will only permit one activation every 6 months. I'm locked out of logging into my own account on my PS4 for six months.
games  sony  psn  playstation  fail  ps4  hacking  security  customer-support  horror-stories 
11 weeks ago by jm
Real World Crypto 2015: Password Hashing according to Facebook
Very interesting walkthrough of how Facebook hash user passwords, including years of accreted practices
facebook  passwords  authentication  legacy  web  security 
11 weeks ago by jm
Epsilon Interactive breach the Fukushima of the Email Industry (CAUCE)
Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially. Email lists of at least eight financial institutions were stolen.

Thus far, puzzlingly, Epsilon has refused to release the names of compromised clients. [...] The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing, a problem as critically serious as it could possibly be.
cauce  epsilon-interactive  esp  email  pii  data-protection  spear-phishing  phishing  identity-theft  security  ads 
11 weeks ago by jm
Anatomy of a Hack
Authy doesn't come off well here:

'Authy should have been harder to break. It's an app, like Authenticator, and it never left Davis' phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve's control.'
authy  security  hacking  mfa  authentication  google  apps  exploits 
11 weeks ago by jm
ssls.com
"Cheap SSL certs from $4.99/yr" -- apparently recommended for cheap, low-end SSL certs
ssl  certs  security  https  ops 
february 2015 by jm
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Holy shit. Gemalto totally rooted.
With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

[...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.
encryption  security  crypto  nsa  gchq  gemalto  smartcards  sim-cards  privacy  surveillance  spying 
february 2015 by jm
Extracting the SuperFish certificate
not exactly the most challenging reverse I've ever seen ;)
reverse-engineering  security  crypto  hacking  tls  ssl  superfish  lenovo 
february 2015 by jm
The Superfish certificate has been cracked, exposing Lenovo users to attack | The Verge
The cracked certificate exposes Lenovo users to man-in-the-middle attacks, similar to those opened up by Heartbleed. Armed with this password and the right software, a coffee shop owner could potentially spy on any Lenovo user on her network, collecting any passwords that were entered during the session. The evil barista could also insert malware into the data stream at will, disguised as a software update or a trusted site.


Amazingly stupid.
superfish  inept  ca  ssl  tls  lenovo  mitm  security 
february 2015 by jm
South Korea faces $1bn bill after hackers raid national ID database • The Register
Simon McGarr says: '80% of S.Korea's population have had their ID number stolen, crimewave ongoing. >> Turns out a pot of honey is sweet'
fail  south-korea  korea  security  id-cards  ssn  id-numbers  privacy 
february 2015 by jm
FreeBSD breaks its kernel RNG for 4 months
If you are running a current kernel r273872 or later, please upgrade your kernel to r278907 or later immediately and regenerate keys. I discovered an issue where the new framework code was not calling randomdev_init_reader, which means that read_random(9) was not returning good random data. This means most/all keys generated may be predictable and must be regenerated.
crypto  freebsd  security  lols  rng  randomness  bsd 
february 2015 by jm
Duplicate SSH Keys Everywhere
Poor hardware imaging practices, basically:
It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefonica de Espana. It appears that some of their networking equipment comes set up with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.
crypto  ssh  security  telefonica  imaging  ops  shodan 
february 2015 by jm
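An added example of the detection behind the finding above, not Shodan's, Telefonica's or the device vendor's code: it reproduces OpenSSH's SHA256 fingerprint (base64 of SHA-256 over the raw key blob, padding stripped, the same value `ssh-keygen -lf` prints) and groups an inventory of host key lines by fingerprint. The inventory and the 32-byte key values are constructed; the hosts are RFC 5737 documentation addresses.

```python
"""Find hosts that share an SSH host key by grouping known_hosts-style lines by fingerprint.

Added example, not Shodan's or Telefonica's code. Inventory and key bytes are constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_keyline(pubkey32: bytes, comment: str = "") -> str:
    """Build an authorized_keys/known_hosts style line from a raw 32-byte ed25519 key.
    The wire blob is string("ssh-ed25519") || string(key), then base64."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()


def fingerprint_sha256(keyline: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256:<base64 of the digest, '=' padding removed>.
    The comment field is not part of the blob, so it does not affect the fingerprint."""
    blob = base64.b64decode(keyline.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def duplicate_host_keys(inventory):
    """inventory: iterable of (host, keyline). Returns {fingerprint: [hosts]} for every
    fingerprint seen on more than one host. Such hosts share a private key: any one
    of them (or anyone who pulls the key out of the firmware image) can impersonate
    the others to clients that pinned the fingerprint."""
    seen = defaultdict(list)
    for host, keyline in inventory:
        seen[fingerprint_sha256(keyline)].append(host)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: three routers imaged from one template carry the same key,
# a fourth generated its own at first boot. The key bytes are dummies, not real keys.
SHARED_KEY = bytes(range(32))
UNIQUE_KEY = bytes(range(32, 64))
SAMPLE_INVENTORY = [
    ("198.51.100.10", ed25519_keyline(SHARED_KEY, "router")),
    ("198.51.100.11", ed25519_keyline(SHARED_KEY, "router")),
    ("198.51.100.12", ed25519_keyline(SHARED_KEY, "router")),
    ("198.51.100.13", ed25519_keyline(UNIQUE_KEY, "router")),
]

if __name__ == "__main__":
    for fp, hosts in duplicate_host_keys(SAMPLE_INVENTORY).items():
        print(fp, "shared by", len(hosts), "hosts:", ", ".join(hosts))
```

The same grouping works on the output of `ssh-keyscan` across a fleet; the fix on the imaging side is to delete host keys from the golden image and generate them at first boot (which also needs a seeded RNG at that point, or you get the next entry's problem).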
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
'"Equation Group" ran the most advanced hacking operation ever uncovered.' Mad stuff. The security industry totally failed here
nsa  privacy  security  surveillance  hacking  keyloggers  malware 
february 2015 by jm
"Man vs Machine: Practical Adversarial Detection of Malicious Crowdsourcing Workers" [paper]
"traditional ML techniques are accurate (95%–99%) in detection but can be highly vulnerable to adversarial attacks". ain't that the truth
security  adversarial-attacks  machine-learning  paper  crowdsourcing  via:kragen 
february 2015 by jm
Debunking The Dangerous “If You Have Nothing To Hide, You Have Nothing To Fear”
A great resource bookmark from Falkvinge.
There are at least four good reasons to reject this argument solidly and uncompromisingly: The rules may change, it’s not you who determine if you’re guilty, laws must be broken for society to progress, and privacy is a basic human need.
nsa  politics  privacy  security  surveillance  gchq  rick-falkvinge  society 
january 2015 by jm
Amazing comment from a random sysadmin who's been targeted by the NSA
'Here's a story for you.
I'm not a party to any of this. I've done nothing wrong, I've never been suspected of doing anything wrong, and I don't know anyone who has done anything wrong. I don't even mean that in the sense of "I pissed off the wrong people but technically haven't been charged." I mean that I am a vanilla, average, 9-5 working man of no interest to anybody. My geographical location is an accident of my birth. Even still, I wasn't accidentally born in a high-conflict area, and my government is not at war. I'm a sysadmin at a legitimate ISP and my job is to keep the internet up and running smoothly.
This agency has stalked me in my personal life, undermined my ability to trust my friends attempting to connect with me on LinkedIn, and infected my family's computer. They did this because they wanted to bypass legal channels and spy on a customer who pays for services from my employer. Wait, no, they wanted the ability to potentially spy on future customers. Actually, that is still not accurate - they wanted to spy on everybody in case there was a potentially bad person interacting with a customer.
After seeing their complete disregard for anybody else, their immense resources, and their extremely sophisticated exploits and backdoors - knowing they will stop at nothing, and knowing that I was personally targeted - I'll be damned if I can ever trust any electronic device I own ever again.
You all rationalize this by telling me that it "isn't surprising", and that I don't live in the [USA,UK] and therefore I have no rights.
I just have one question.
Are you people even human?'
nsa  via:ioerror  privacy  spying  surveillance  linkedin  sysadmins  gchq  security 
january 2015 by jm
Secure Secure Shell
How to secure SSH, disabling insecure ciphers etc. (via Padraig)
via:pixelbeat  crypto  security  ssh  ops 
january 2015 by jm
Use sshuttle to Keep Safe on Insecure Wi-Fi
I keep forgetting about sshuttle. It's by far the easiest way to get a cheapo IP-over-SSH VPN working with an OSX client, particularly since it's in homebrew
ssh  vpn  sshuttle  tunnelling  security  ip  wifi  networking  osx  homebrew 
december 2014 by jm
AN OFFER TO SONY FROM 2600
To demonstrate that hackers have no interest in suppressing speech, quashing controversy, or being intimidated by vague threats, we ask that Sony allow the hacker community to distribute "The Interview" for them on the 25th of December. Now, we're aware that Sony may refer to this distribution method as piracy, but in this particular case, it may well prove to be the salvation of the motion picture industry. By freely offering the film online, millions of people will get to see it and decide for themselves if it has any redeeming qualities whatsoever - as opposed to nobody seeing it and the studios writing it off as a total loss. Theaters would be free from panic as our servers would become the target of any future vague threats (and we believe Hollywood will be most impressed with how resilient peer-to-peer distribution can be in the face of attacks). Most importantly, we would be defying intimidation, something the motion picture industry doesn't quite have a handle on, which is surprising considering how much they've relied upon it in the past.
2600  funny  hackers  security  sony  north-korea  the-interview  movies  piracy 
december 2014 by jm
The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users | WIRED
Since Operation Torpedo [use of a Metasploit side project], there’s evidence the FBI’s anti-Tor capabilities have been rapidly advancing. Torpedo was in November 2012. In late July 2013, computer security experts detected a similar attack through Dark Net websites hosted by a shady ISP called Freedom Hosting—court records have since confirmed it was another FBI operation. For this one, the bureau used custom attack code that exploited a relatively fresh Firefox vulnerability—the hacking equivalent of moving from a bow-and-arrow to a 9-mm pistol. In addition to the IP address, which identifies a household, this code collected the MAC address of the particular computer that was infected by the malware.

“In the course of nine months they went from off the shelf Flash techniques that simply took advantage of the lack of proxy protection, to custom-built browser exploits,” says Soghoian. “That’s a pretty amazing growth … The arms race is going to get really nasty, really fast.”
fbi  tor  police  flash  security  privacy  anonymity  darknet  wired  via:bruces 
december 2014 by jm
When data gets creepy: the secrets we don’t realise we’re giving away | Technology | The Guardian
Very good article around the privacy implications of derived and inferred aggregate metadata from Ben Goldacre.
We are entering an age – which we should welcome with open arms – when patients will finally have access to their own full medical records online. So suddenly we have a new problem. One day, you log in to your medical records, and there’s a new entry on your file: “Likely to die in the next year.” We spend a lot of time teaching medical students to be skilful around breaking bad news. A box ticked on your medical records is not empathic communication. Would we hide the box? Is that ethical? Or are “derived variables” such as these, on a medical record, something doctors should share like anything else?
advertising  ethics  privacy  security  law  data  aggregation  metadata  ben-goldacre 
december 2014 by jm
"Macaroons" for fine-grained secure database access
Macaroons are an excellent fit for NoSQL data storage for several reasons. First, they enable an application developer to enforce security policies at very fine granularity, per object. Gone are the clunky security policies based on the IP address of the client, or the per-table access controls of RDBMSs that force you to split up your data across many tables. Second, macaroons ensure that a client compromise does not lead to loss of the entire database. Third, macaroons are very flexible and expressive, able to incorporate information from external systems and third-party databases into authorization decisions. Finally, macaroons scale well and are incredibly efficient, because they avoid public-key cryptography and instead rely solely on fast hash functions.
security  macaroons  cookies  databases  nosql  case-studies  storage  authorization  hyperdex 
november 2014 by jm
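A minimal macaroon as an added example, not HyperDex's or libmacaroons' code, though it follows the construction from the Macaroons paper (Birgisson et al., 2014): sig0 = HMAC(root_key, identifier), and each first-party caveat appends sig_i = HMAC(sig_{i-1}, caveat). That chain is what gives the properties the quote lists: a holder can attenuate (add caveats) offline, cannot remove one because the earlier signature is never exposed, and the store verifies with nothing but its root key and fast hashing. Third-party caveats are left out; the key, identifier, caveat syntax and request context are constructed for the demo.

```python
"""Minimal macaroon: HMAC chain over caveats, verified with only the root key.

Added example following the Macaroons paper, not HyperDex/libmacaroons code.
Third-party caveats omitted. Key, identifier and caveats are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Macaroon:
    location: str
    identifier: bytes                  # names the root key at the target service
    caveats: List[bytes] = field(default_factory=list)
    signature: bytes = b""

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: bytes) -> "Macaroon":
        """Only the service holding root_key can do this."""
        return cls(location, identifier, [], _hmac(root_key, identifier))

    def add_first_party_caveat(self, predicate: bytes) -> "Macaroon":
        """Attenuation: any holder can do this, offline, without the root key.
        The old signature is overwritten, so the caveat cannot later be removed."""
        self.caveats.append(predicate)
        self.signature = _hmac(self.signature, predicate)
        return self


def verify(m: Macaroon, root_key: bytes, check: Callable[[bytes], bool]) -> bool:
    """Recompute the chain from the root key; every caveat must hold in this request."""
    sig = _hmac(root_key, m.identifier)
    for caveat in m.caveats:
        if not check(caveat):
            return False
        sig = _hmac(sig, caveat)
    return hmac.compare_digest(sig, m.signature)


def make_checker(context: dict) -> Callable[[bytes], bool]:
    """Evaluate constructed 'key = value' and 'time < N' caveats against a request context."""
    def check(caveat: bytes) -> bool:
        text = caveat.decode()
        if " = " in text:
            k, v = text.split(" = ", 1)
            return str(context.get(k)) == v
        if text.startswith("time < "):
            return context["time"] < int(text[len("time < "):])
        return False                   # unknown caveat types fail closed
    return check


if __name__ == "__main__":
    ROOT_KEY = b"store-root-key-never-leaves-the-store"   # constructed
    m = Macaroon.mint(ROOT_KEY, "kv.example", b"key-id-1")
    m.add_first_party_caveat(b"object = orders/42")      # per-object, as the quote says
    m.add_first_party_caveat(b"op = read")
    m.add_first_party_caveat(b"time < 1700000000")

    read = verify(m, ROOT_KEY, make_checker({"object": "orders/42", "op": "read", "time": 1699999999}))
    write = verify(m, ROOT_KEY, make_checker({"object": "orders/42", "op": "write", "time": 1699999999}))
    print("read allowed:", read, "| write allowed:", write)
```

A compromised client that holds only the attenuated macaroon cannot mint a broader one: it never saw sig0 or the root key, and dropping a caveat from the list leaves a signature the verifier will not reproduce.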
Wired on "Regin"
The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless,” writes Symantec in its report about Regin.

Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisquater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform’s main file.
regin  malware  security  hacking  exploits  nsa  gchq  symantec  espionage 
november 2014 by jm
How I created two images with the same MD5 hash
I found that I was able to run the algorithm in about 10 hours on an AWS large GPU instance bringing it in at about $0.65 plus tax.


Bottom line: MD5 is feasibly attackable by pretty much anyone now.
crypto  images  md5  security  hashing  collisions  ec2  via:hn 
november 2014 by jm
curl | sh
'People telling people to execute arbitrary code over the network. Run code from our servers as root. But HTTPS, so it’s no biggie.'

YES.
humor  sysadmin  ops  security  curl  bash  npm  rvm  chef 
november 2014 by jm
Chip & PIN vs. Chip & Signature
Trust US banks to fuck up their attempts at security :( US "chip-and-signature" cards are still entirely forgeable because the banks fear that consumers are too stupid to use a PIN, basically.
BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip [and signature] cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.
magstripe  banks  banking  chip-and-pin  security  brian-krebs  chip-and-signature 
october 2014 by jm
PSA: don't run 'strings' on untrusted files (CVE-2014-8485)
ffs.
Perhaps simply by virtue of being a part of that bundle, the strings utility tries to leverage the common libbfd infrastructure to detect supported executable formats and "optimize" the process by extracting text only from specific sections of the file. Unfortunately, the underlying library can hardly be described as safe: a quick pass with afl (and probably with any other competent fuzzer) quickly reveals a range of troubling and likely exploitable out-of-bounds crashes due to very limited range checking.
strings  libbfd  gnu  security  fuzzing  buffer-overflows 
october 2014 by jm
Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
Today we are publishing details of a vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.

ouch.
ssl3  ssl  tls  security  exploits  google  crypto 
october 2014 by jm
Shellshock
An _extremely_ detailed resource about the bash bug
bash  hacking  security  shell  exploits  reference  shellshock 
october 2014 by jm
Mandos
'a system for allowing servers with encrypted root file systems to reboot unattended and/or remotely.' (via Tony Finch)
via:fanf  mandos  encryption  security  server  ops  sysadmin  linux 
october 2014 by jm
oss-sec: Re: CVE-2014-6271: remote code execution through bash
this is truly heinous. Given that any CGI which invokes popen()/system() on a Linux system where /bin/sh is a link to bash is vulnerable, there will be a lot of vulnerable services out there (via Elliot)
via:elliottucker  cgi  security  bash  sh  exploits  linux  popen  unix 
september 2014 by jm
Not Safe For Not Working On
Excellent post from Dan Kaminsky on concrete actions that cloud service providers like Apple and Google need to start taking.
*It's time to ban Password1*: [...] Defenders are using simple rules like “doesn’t have an uppercase letter” and “not enough punctuation” to block passwords while attackers are just straight up analyzing password dumps and figuring out the most likely passwords to attempt in any scenario.  Attackers are just way ahead.  That has to change.  Defenders have password dumps too now.  It’s time we start outright blocking passwords common enough that they can be online brute forced, and it’s time we admit we know what they are. [...]

*People use communication technologies for sexy times. Deal with it*: Just like browsers have porn mode for the personal consumption of private imagery, cell phones have applications that are significantly less likely to lead to anyone else but your special friends seeing your special bits. I personally advise Wickr, an instant messaging firm that develops secure software for iPhone and Android. What’s important about Wickr here isn’t just the deep crypto they’ve implemented, though it’s useful too. What’s important in this context is that with this code there’s just a lot fewer places to steal your data from. Photos and other content sent in Wickr don’t get backed up to your desktop, don’t get saved in any cloud, and by default get removed from your friend’s phone after an amount of time you control. Wickr is of course not the only company supporting what’s called “ephemeral messaging”; SnapChat also dramatically reduces the exposure of your private imagery. [...]

via Leonard.
icloud  apple  privacy  security  via:lhl  snapchat  wickr  dan-kaminsky  cloud-services  backup 
september 2014 by jm
Apple: Untrustable
Today, Apple announced their “Most Personal Device Ever”. They also announced Apple Pay (the only mentions of “security” and “privacy” in today’s event), and are rolling out health tracking and home automation in iOS 8.

Given their feckless track record [with cloud-service security], would you really trust Apple with (even more of) your digital life?
icloud  apple  fail  security  hacks  privacy 
september 2014 by jm
Comcast Wi-Fi serving self-promotional ads via JavaScript injection | Ars Technica
Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to [Robb] Topolski, who reviewed Singel's data. "It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."

The company appears to be called Front Porch: http://arstechnica.com/tech-policy/2014/09/meet-the-tech-company-performing-ad-injections-for-big-cable/
comcast  ads  injection  security  javascript  http  network-neutrality  isps 
september 2014 by jm
Nik Cubrilovic - Notes on the Celebrity Data Theft
tl;dr: a lot of people are spending a lot of time stealing nudie pics from celebrities. See also http://www.zdziarski.com/blog/?p=3783 for more details on the probable approaches used. Grim.
apple  privacy  security  celebrities  pics  hacking  iphone  ipad  ios  exploits  brute-force  passwords  2fa  mfa  find-my-iphone  icloud  backups 
september 2014 by jm
Two Factor Auth List
List of websites and whether or not they support 2FA.
Also see the list of 2FA providers and the platforms they support.
2fa  mfa  authentication  security  web-services  web 
september 2014 by jm
Google's new end-to-end key distribution proposal
'For End-To-End, our current approach to key distribution is to use a model similar to Certificate Transparency, and use the email messages themselves as a gossip protocol, which allows the users themselves to keep the centralized authorities honest. This approach allows users to not have to know about keys, but at the same time be able to make sure that the servers involved aren't doing anything malicious behind the users' backs.'
end-to-end  encryption  google  security  email  crypto  key-distribution 
august 2014 by jm
"CryptoPhone" claims to detect IMSI catchers in operation
To show what the CryptoPhone can do that less expensive competitors cannot, he points me to a map that he and his customers have created, indicating 17 different phony cell towers known as “interceptors,” detected by the CryptoPhone 500 around the United States during the month of July alone. Interceptors look to a typical phone like an ordinary tower. Once the phone connects with the interceptor, a variety of “over-the-air” attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says. “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip. We even found one at South Point Casino in Las Vegas.”
imsi-catchers  security  cryptophone  phones  mobile  3g  4g  eavesdropping  surveillance 
august 2014 by jm
The poisoned NUL byte, 2014 edition
A successful exploit of Fedora glibc via a single NUL overflow (via Tony Finch)
via:fanf  buffer-overflows  security  nul  byte  exploits  google  project-zero 
august 2014 by jm
Nyms Identity Directory
The way that [problems with the PGP bootstrapping] are supposed to be resolved is with an authentication model called the Web of Trust where users sign keys of other users after verifying that they are who they say they are. In theory, if some due diligence is applied in signing other people’s keys and a sufficient number of people participate you’ll be able to follow a short chain of signatures from people you already know and trust to new untrusted keys you download from a key server. In practice this has never worked out very well as it burdens users with the task of manually finding people to sign their keys and even experts find the Web of Trust model difficult to reason about. This also reveals the social graph of certain communities which may place users at risk for their associations. Such signatures also reveal metadata about times and thus places for meetings for key signings.

The Nyms Identity Directory is a replacement for all of this. Keyservers are replaced with an identity directory that gives users full control over publication of their key information and web of trust is replaced with a distributed network of trusted notaries which validate user keys with an email verification protocol.
web-of-trust  directories  nyms  privacy  crypto  identity  trust  pgp  gpg  security  via:ioerror  keyservers  notaries 
august 2014 by jm
NTP's days are numbered for consumer devices
An accurate clock is required to negotiate SSL/TLS, so clock sync is important for internet-of-things usage. But:
Unfortunately for us, the traditional and most widespread method for clock synchronisation (NTP) has been caught up in a DDoS issue which has recently caused some ISPs to start blocking all NTP communication. [...] Because the DDoS attacks are so widespread, and because there is no obvious commercial pressure to fix the issue, it’s possible that the days of using NTP as a mechanism for setting clocks may well be numbered. Luckily for us there is a small but growing project that replaces it.

tlsdate was started by Jacob Appelbaum of the Tor project in 2012, making use of the SSL handshake in order to extract time from a remote server, and its usage is on the rise. [...] Since we started encountering these problems, we’ve incorporated tlsdate into an over-the-air update, and have successfully started using this in situations where NTP is blocked.
tlsdate  ntp  clocks  time  sync  iot  via:gwire  ddos  isps  internet  protocols  security 
august 2014 by jm
Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins | Threat Level | WIRED
'The attacker specifically targeted a collection of bitcoin mining “pools”–bitcoin-producing cooperatives in which users contribute their computers’ processing power and are rewarded with a cut of the resulting cryptocurrency the pool produces. The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds. At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day. “With this kind of hijacking, you can quite easily grab a large collection of clients,” says Pat Litke, one of the Dell researchers. “It takes less than a minute, and you end up with a lot of mining traffic under your control.”'

'In total, Stewart and Litke were able to measure $83,000 worth of cryptocurrency stolen in the BGP attack [...] but the total haul could be larger'
bitcoin  mining  fraud  internet  bgp  routing  security  attacks  hacking 
august 2014 by jm
How to take over the computer of any JVM developer
To prove how easy [MITM attacking Maven Central JARs] is to do, I wrote dilettante, a man-in-the-middle proxy that intercepts JARs from Maven Central and injects malicious code into them. Proxying HTTP traffic through dilettante will backdoor any JARs downloaded from Maven Central. The backdoored versions will retain their functionality, but display a nice message to the user when they use the library.
jars  dependencies  java  build  clojure  security  mitm  http  proxies  backdoors  scala  maven  gradle 
july 2014 by jm
'Identifying Back Doors, Attack Points and Surveillance Mechanisms in iOS Devices'
lots of scary stuff in this presentation from this year's Hackers On Planet Earth conf. I'm mainly interested to find out that Jonathan "D-Spam" Zdziarski was also a jailbreak dev-team member until around iOS 4 ;)
d-spam  jonathan-zdziarski  security  apple  ios  iphone  surveillance  bugging 
july 2014 by jm
Tor exit node operator prosecuted in Austria
'The operator of an exit node is guilty of complicity, because he enabled others to transmit content of an illegal nature through the service.'

Via Tony Finch.
austria  tor  security  law  liability  internet  tunnelling  eu  via:fanf 
july 2014 by jm
'Robust De-anonymization of Large Sparse Datasets' [pdf]
paper by Arvind Narayanan and Vitaly Shmatikov, 2008.

'We present a new class of statistical de-anonymization attacks against high-dimensional micro-data, such as individual preferences, recommendations, transaction records and so on. Our techniques are robust to perturbation in the data and tolerate some mistakes in the adversary's background knowledge. We apply our de-anonymization methodology to the Netflix Prize dataset, which contains anonymous movie ratings of 500,000 subscribers of Netflix, the world's largest online movie rental service. We demonstrate that an adversary who knows only a little bit about an individual subscriber can easily identify this subscriber's record in the dataset. Using the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information.'
anonymisation  anonymization  sanitisation  databases  data-dumps  privacy  security  papers 
june 2014 by jm
Chef Vault
A way to securely store secrets (auth details, API keys, etc.) in Chef
chef  storage  knife  authorisation  api-keys  security  encryption 
june 2014 by jm
NYC generates hash-anonymised data dump, which gets reversed
There are about 1000*26**3 = 21952000 or 22M possible medallion numbers. So, by calculating the md5 hashes of all these numbers (only 24M!), one can completely deanonymise the entire data. Modern computers are fast: so fast that computing the 24M hashes took less than 2 minutes.

(via Bruce Schneier)

The better fix is an HMAC (see http://benlog.com/2008/06/19/dont-hash-secrets/ ), or just to assign opaque IDs instead of hashing.
hashing  sha1  md5  bruce-schneier  anonymization  deanonymization  security  new-york  nyc  taxis  data  big-data  hmac  keyed-hashing  salting 
june 2014 by jm
Code Spaces data and backups deleted by hackers
Rather scary story of an extortionist wiping out a company's AWS-based infrastructure. Turns out S3 supports MFA-required deletion as a feature, though, which would help against that.
ops  security  extortion  aws  ec2  s3  code-spaces  delete  mfa  two-factor-authentication  authentication  infrastructure 
june 2014 by jm
BPF - the forgotten bytecode
'In essence Tcpdump asks the kernel to execute a BPF program within the kernel context. This might sound risky, but actually isn't. Before executing the BPF bytecode, the kernel ensures that it's safe:

* All the jumps are only forward, which guarantees that there aren't any loops in the BPF program. Therefore it must terminate.
* All instructions, especially memory reads, are valid and within range.
* The single BPF program has less than 4096 instructions.

All this guarantees that the BPF programs executed within kernel context will run fast and will never infinitely loop. That means the BPF programs are not Turing complete, but in practice they are expressive enough for the job and deal with packet filtering very well.'

Good example of a carefully-designed DSL allowing safe "programs" to be written and executed in a privileged context without security risk, or risk of running out of control.
coding  dsl  security  via:oisin  linux  tcpdump  bpf  bsd  kernel  turing-complete  configuration  languages 
may 2014 by jm
Minimum Viable Block Chain
Ilya Grigorik describes the design of the Bitcoin/altcoin block chain algorithm. Illuminating writeup.
algorithms  bitcoin  security  crypto  blockchain  ilya-grigorik 
may 2014 by jm
All at sea: global shipping fleet exposed to hacking threat | Reuters
Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again; Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they're somewhere else; and hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.

(via Mikko Hypponen)
via:mikko  security  hacking  oilrigs  shipping  ships  maritime  antwerp  piracy  malware 
april 2014 by jm
Using AWS in the context of Australian Privacy Considerations
Interesting new white paper from Amazon regarding the recent strengthening of the Australian privacy laws, particularly w.r.t. geographic location of data and access by overseas law enforcement agencies.
amazon  aws  security  law  privacy  data-protection  ec2  s3  nsa  gchq  five-eyes 
april 2014 by jm