Comments for comp527

Comment on Jailbroken IPhone Security by yuliyp

yuliyp — Mon, 09 Nov 2009 19:19:54 +0000

And today someone in Australia wrote a worm to rickroll people with the default SSH password. Here's Sophos's take on this.

Comment on Vulnerability in SSL Protocol. by yuliyp

yuliyp — Sat, 07 Nov 2009 10:29:13 +0000

Well actually this vulnerability does not allow eavesdropping, only tampering with the initial portion of a session. The problem is that SSL renegotiation is designed to allow for switching the security, and then continuing without requiring the streams to be reopened. However, due to this style of MITM attack, the streams should be considered to come from different sources potentially.

Also, this vulnerability affects many other protocols routed over TCP (such as SMTP over TLS)

Comment on Vulnerability in SSL Protocol. by as44

as44 — Fri, 06 Nov 2009 22:31:12 +0000

This was indeed a surprise! Check this out too: http://arstechnica.com/security/news/2009/11/https-ssl-attack-vector-discovered-fix-is-on-the-way.ars

And when you check online your account balance tonight, think that someone may be eavesdropping >:)

Comment on Smartphone Security by cjenkins

cjenkins — Tue, 27 Oct 2009 05:16:20 +0000

I agree, though it’s creative, nonetheless. The greater potential threat is certainly in the Internet-enabled functionality or in simple things like not password-protecting your phone then losing it. It might not be impenetrable, but it’s at least a deterrent to the not-so-sophisticated thief.

Comment on Smartphone Security by xzl

xzl — Tue, 27 Oct 2009 03:35:15 +0000

IMHO, the risk of virus infection via Bluetooth is overstated.

Bluetooth of most cell phones is off by default;
The sender needs the receiver to pair before sending any data – this is a feature of Bluetooth protocol;
The connection is unstable;
Mobile platform is highly heterogeneous;…

That’s why there is not so many viruses on your cell phone.

Comment on Tor is blocked in China recently by xzl

xzl — Sun, 25 Oct 2009 20:27:20 +0000

Two or three years ago, I knew the government set up many fake Tor servers to disturb the service…

Comment on Egyptian Presidency & Defense Ministy websites got hacked! by dwallach

dwallach — Thu, 01 Oct 2009 05:04:10 +0000

Awesome.

Needless to say, this isn’t normally something you’d consider when doing a threat analysis on the presidency’s web site. On the other hand, in Egypt I’ll bet fewer people depend on those web sites being up and available.

(Thought experiment: if whitehouse.gov was down for a month, would that really be a catastrophe, or just more of an embarrassment to the commander in chief?)

Comment on Rice Thresher Today by dwallach

dwallach — Fri, 18 Sep 2009 17:15:18 +0000

I think military “red team” analysts have tried exactly this: launching standard scam emails (with permission) against their own personnel to see how bad the response rate is.

The broad problem of “usable security” is really in its infancy. I’ve done some work on this, in the context of electronic voting, so I’ve begun to appreciate just how hard it is to design something to be secure in the hands of users who don’t necessary know or care to do things “properly.”

Comment on How NOT to practice Responsible Disclosure by dwallach

dwallach — Mon, 14 Sep 2009 18:35:34 +0000

Microsoft tends to speed up their patch process if/when it turns out a vulnerability is being actively (and embarassingly) exploited in the wild.

Comment on Japan’s Cell Phones May Get DRM, At Music Industry Behest by dwallach

dwallach — Mon, 14 Sep 2009 18:34:39 +0000

We know that Americans are increasingly hostile to this sort of thing. How will the Japanese react?