Domain: infosecisland.com
Stories and comments across the archive that link to infosecisland.com.
Comments · 21
-
Re:Complex Passwords
-
First? My ass...
2008: http://citeseerx.ist.psu.edu/v...
2009: https://en.wikipedia.org/wiki/...
2010: https://nakedsecurity.sophos.c...
Look what some moron said about the same subject back in 2011:
http://www.developers.slashdot...
2012: https://www.intego.com/mac-sec...
2012: http://www.zdnet.com/article/c...
2012: http://www.infosecisland.com/b...
etc., etc.
-
Re:Why the emphasis on Lets Encrypt?
I personally would like to have everything encrypted, such as what I read on Slashdot or on Wikipedia.
IPSec was supposed to do that. But the appearance of SSL nipped IPSec's spread in the bud. And the revanche attempts by IPv6 are so far faltering.
-
Re:Why perl?
No one cares about ruby. It's a dying little niche language. It had a good run, but that's all in the past now. To me, ruby never really felt complete. (It didn't even get a step method to its range class until 1.8.7) There was always some absurd limitation you had to work around or some needlessly obscure feature or rule to learn before you can do something obvious in just about every other language (What's up with things like this? 10.times { |i| puts i } madness!)
Python, well, python enjoys some popularity, but I just don't think it's likely to hang on like perl. Probably because of the whitespace issue and the big 2.x 3.x split. Perl filled a particular niche really well, and was a good fill-in in a few others (remember when it powered your website's counter and guestbook?). Python never really found a home as there isn't any particular area where it really stands out -- or is even arguably a good fit. You'll find a lot of "it can be used for ..." but not a lot of "It's really great for ..."
As for readability, well, I can't say that it's a terribly readable language. I get that everyone is forced to indent their code (apparently, the whole world forgot about pretty printers) but that's not all there is to readability. Neither is readability all there is to maintainability. (You could even argue that the whitespace rules actually hurt readability, as it takes away otherwise helpful cues.)
Let's not forget that you don't have to write illegible perl code. Really, it's not required!
COBOL's staying power was due to much more than "sunk costs". It was, and still remains, the best tool for the job. You'll find tons of failed COBOL to Java conversion projects from the late 1990s as a testament to that. It's really hard to beat COBOL on performance and even harder to find a language that's as easy to read and maintain. (Not that there isn't lots of room for improvement. It was designed to be readable, however, and it shows.) In short: It's easy to learn, easy to read and maintain, and lightning fast.
Anyhow, to answer your question: Manipulating strings is a strength that is not shared by many other languages to any significant degree, and this makes it a great fit for a broad range of applications to which python and ruby just aren't as well suited. (Working with strings in python 2.x is terrible -- even just outputting them can be troublesome due to the bizarre default behavior of 'print'. This has improved, but not much, in 3.x) I would argue that PHP is popular due in no small part to that as well (I've always thought of it as a simpler version of perl. A related note: PHP was originally written in perl.)
-
Re:Do NOT skip layer 2.
And how does that differ from a properly configured port not allowing VLAN hopping?
You are making it sound harder than it is.
I'm approaching this from the angle that you don't learn much about layer 2, as you suggested earlier. If you don't learn much about it, how are you supposed to know to watch for this (among other layer 2 security issues) to begin with? And if you don't know to watch for this, then how are you supposed to learn to configure it as well?
Fuck you. I'm done. You are wrong. And you are lying. I never said someone should ignore layer 2. If you are going to lie to make your points, I can't think of any response short of "fuck you".
Well the parent post to yours said "don't worry about layer 2," and you seemed to agree with it. Sorry if you don't like that interpretation, but "don't worry about it" and "ignore it" aren't that different from one another.
The reality is that, unless you quote a post where I said "You should ignore layer 2" then you are a lying troll who is lying to be rude to prove some point that nobody but you cares about. Layer 2 is easy. 802.1x solved everything you are talking about, and I first deployed that 15+ years ago, long before it was turned into a wireless security mechanism (I pointed out that the reception area was unsecured and anyone could walk up and plug into the LAN to justify the cost to secure it). I'm sure you do a good job of making money inflating the risks of layer 2 issues. But the simple reality is that you generally trust your ports enough that none of it matters. If they have access to a port, they are an employee. VLAN hopping is so much harder than the other ways a trusted employee could cause trouble. It's like robbing the cashier at the police station. You'd have to be a dumbass to bother when you are already a valid user, and if you aren't, then you don't have physical security, so someone could compromise your networks in lots of other ways.
No, they don't have to be employees. Try a passenger being able to bring down a 747 through a mix of vlan hopping and IP spoofing:
http://www.infosecisland.com/blogview/16696-FACT-CHECK-SCADA-Systems-Are-Online-Now.html
That just goes to show you how important looking at every aspect of the network is. There was also an incident where a bank's network systems were broken into, and VLAN hopping was one of the exploits they used, with no employees involved.
And honestly I am not going to inflate anything to make money off of it. If I was doing that, I would be more interested in keeping that knowledge to myself, and then offering a fix when somebody desperately needs it that only I (and few others) can provide. Instead though I am telling people like you about the importance of learning about layer 2.
-
Re:It's Possible
You do understand that even private keys can require a passphrase don't you? Mere possession of someone's private key does not automatically get you in.
That would only be in very primitive systems unsuitable for this type of work. By the time you are talking about a voting system the private key should be stored in a hardware device and not even the owner of the key should have access to it. In systems where the private key is opened up with a passphrase, attacks would be trivial. My attacks were aimed at more advanced scenarios where you can't rely on direct key compromise and have to compromise the user interface which accesses the key. These types of systems would typically use combinations of codes and biometrics for key access.
Further, when the constituent logs in, and finds that his opinion has already been registered, it's his clue that he has been compromised, and further, since it's merely an expression of his opinion, he can change it.
I covered this when I said:
"you can check your vote and it can show you a different one."
In other words, when he logged in, it would show him the vote he thinks he's cast. Please note, though, that your security mechanism is actually making the vote buying attack much worse. Now the vote buyer can come back at any time and demand to see the constituent's vote; not just during the voting. Instead of having to visit every vote you buy, you just threaten to visit later and actually go to a small percentage of them. You can now buy hundreds of votes for the effort of visiting just a few voters.
You would want constituents to be able to change their opinion right up to the time the floor vote was to take place.
(Note: I'm totally glossing over the statement "Apparently most private computers are infected/compromised.", for which you haven't presented a shred of evidence. Microsoft stats indicate 4 PCs per 1,000 for Windows 7, less for 64bit. Simply having some bad actors in your cookies does not constitute a compromise that would allow grabbing ones private key and the password thereto.)
These are hard-to-come-by numbers. Almost nobody wants to admit to being infected. Microsoft obviously has a horse in the race, so their opinion is worth even less than it usually is. Rates given on the first places turning up in Google range from about 35% (Germany) through 58% (USA) up to 98% (Iran). See for example infosec island. Look around and most people claim approx 50%.
-
Re:And who were the attackers?
Ok, I'll stop being afraid of unlikely events.
Since the events linked in my post have all actually occurred or are ongoing right now, and are easily provable to any reasonable person who takes an objective look at reality and the known doctrinal Chinese cyber warfare strategies advocated by the PLA's senior leadership, I suggest we respond and defend appropriately.
That, or continue pretending they don't exist, or that when they do it's all a secret US government plot to oppress its citizens. Yeah, I'm sure that's somehow the better option.
-
Re:No one sees a problem with this?
My pleasure.
http://infosecisland.com/blogview/20203-US-Confirms-Iran-Did-Not-Hack-RQ-170-Stealth-Drone.html
Really, did anyone believe the Iranian claim?
-
Some background - 747s and online SCADA systems
Some extra info popped up online just a few days ago - a SCADA consultant posted this a few days ago. It's slightly terrifying, though someone with more SCADA experience than me would have to verify its accuracy:
For those who do not know, 747s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.
The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.
More here: https://www.infosecisland.com/blogview/16696-FACT-CHECK-SCADA-Systems-Are-Online-Now.html
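The security point in the post above is that the segment was filtered only for inbound traffic, with every outbound connection allowed. The following is an added example (not code from the commenter, the consultant quoted, or infosecisland) that evaluates constructed connection-log records against both policies: the ingress-only filter described above and a default-deny egress allowlist. It reports the outbound connections the first policy passes but the second rejects. The protected network, the allowlist, and every log line are constructed for the example.

```python
"""Egress (extrusion) policy check over constructed connection records.

Compares two firewall policies on the same connection log:
  - ingress_only_verdict: filter inbound, allow all outbound (as in the thread)
  - egress_allowlist_verdict: default-deny, outbound only to allowlisted (net, port)
Addresses, ports and log lines below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the protected segment (hypothetical "engine management" hosts).
PROTECTED_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed egress allowlist: (destination network, port) pairs the
# protected hosts legitimately need to reach.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.20.0.0/24"), 23),   # telnet only inside the segment
    (ipaddress.ip_network("10.50.0.0/24"), 514),  # syslog collector
    (ipaddress.ip_network("10.50.0.0/24"), 123),  # NTP
]

# Constructed connection log: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <state>"
SAMPLE_LOG = """\
2012-01-05T10:01:02 TCP 10.20.0.7:40112 -> 10.50.0.10:514 SYN
2012-01-05T10:01:09 TCP 10.20.0.7:40113 -> 10.20.0.9:23 SYN
2012-01-05T10:02:31 TCP 198.51.100.23:51000 -> 10.20.0.7:23 SYN
2012-01-05T10:03:44 TCP 10.20.0.7:40114 -> 198.51.100.23:4444 SYN
2012-01-05T10:04:00 UDP 10.20.0.8:123 -> 10.50.0.10:123 NEW
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line):
    """Parse one constructed log line into a Conn record."""
    ts, proto, src, _arrow, dst, _state = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Conn(ts, proto, ipaddress.ip_address(src_ip), int(sport),
                ipaddress.ip_address(dst_ip), int(dport))


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def direction(conn):
    """Outbound if the initiating side sits inside the protected segment."""
    return "outbound" if conn.src in PROTECTED_NET else "inbound"


def ingress_only_verdict(conn):
    """The policy described in the thread: filter inbound, allow all outbound."""
    if direction(conn) == "inbound":
        return "drop"
    return "allow"


def egress_allowlist_verdict(conn):
    """Default-deny both ways; outbound passes only to an allowlisted (net, port)."""
    if direction(conn) == "inbound":
        return "drop"
    for net, port in EGRESS_ALLOW:
        if conn.dst in net and conn.dport == port:
            return "allow"
    return "drop"


def find_unexpected_egress(text):
    """Return (ts, src, dst, dport) for outbound connections that the
    ingress-only filter passes but the egress allowlist rejects."""
    flagged = []
    for conn in parse_log(text):
        if (ingress_only_verdict(conn) == "allow"
                and egress_allowlist_verdict(conn) == "drop"):
            flagged.append((conn.ts, str(conn.src), str(conn.dst), conn.dport))
    return flagged


if __name__ == "__main__":
    for hit in find_unexpected_egress(SAMPLE_LOG):
        print("outbound connection not covered by egress policy:", hit)
```

On the constructed log, only the protected host's connection to the external address on port 4444 is flagged: the inbound attempt on port 23 is dropped by both policies, and the syslog, NTP and in-segment telnet connections are on the allowlist. The point of the comparison is that a filter which only inspects inbound traffic gives no signal at all for that fourth line.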
-
Telnet
Let's hope it doesn't have unfirewalled telnet access like the 747. (See half way across that page)
-
LulzSec.com is down, chickens come home to roost
For about 25 mins LulzSec.com is down, and one self-proclaimed white hat hacker "th3j35t3r" posted enough information on pastebin for the FBI to identify another core member of the LulzSec - http://pastebin.com/76TsPHeU.
Proof again you can break into FBI or CIA, or you can talk about it, but you can't do both for very long.
This here explains it in some more words: https://www.infosecisland.com/blogview/14706-LulzSec-How-Not-to-Run-an-Insurgency.html#.TgNxjyifa2A.twitter
-
Re:Black hat not White
The work was being done for a government agency. White Hat. :-)
By that definition the Chinese hackers that were involved in Operation NightDragon were probably also "White hats"
To the Chinese yes they'd be the White Hats. To the rest of the world they'd be something else.
-
Re:doh
{sarcasm}
Given that the well-known CIA/FBI mole and General Proponent of Big Government known as Moxie Marlinspike has stated "Shane and Sarah are easily two of my favorite people in the world." in reference to two of the three hikers, I bet you are exactly right with those assumptions you're making there...
{/sarcasm}
;)
-
Re:The N900.
N900 is a wet dream for any sys admin.
Also, N900 is a very good weapon - you can do wonders just with sms:
https://www.infosecisland.com/blogview/5640-Weaponizing-the-Nokia-N900-Part-1.html
https://www.infosecisland.com/blogview/8056-Weaponizing-the-Nokia-N900-Part-2.html
https://www.infosecisland.com/blogview/9921-Weaponizing-the-Nokia-N900-Part-3.html
-
Insurance file?
That "th3j35t3r" guy appears to be a major idiot, admitting to various DDoS attacks and being very public about his actions and convictions.
He's even gone so far as to develop his own pretty DoS tool with green fonts on black background with twitter integration that exploits uber-secret knowledge, like opening many connections that slowly feed http headers to apache, thereby using up all available children.
What will be interesting, though, is his own encrypted insurance file, that supposedly contains various information about the people behind wikileaks, although - like the wikileaks insurance file - you can't really prove it contains anything but random garbage. I rather choose to believe that the guy is a bored, stupid teen who read too many articles about the fantasy anarcho-hacking world of the 90s...
-
Re:Summary Fail
Try as I might, I see ZERO MENTION of the jester being arrested in the linked article. Here's the real article, pulled from the original submission:
http://www.thinq.co.uk/2010/12/1/wikileaks-hacker-raided-cops/
Interestingly enough, thinq.co.uk seems to be one of only a few, if more than one, reporting on the subject. A few quick google searches turned up nothing regarding his arrest.
Reply posted on the link you provided above: "UPDATES: Reports of the raid and confiscation of equipment are most likely a hoax or an elaborate social engineering scheme to capitalize on current news events: https://www.infosecisland.com/blogview/9916-Hacker-The-Jester-Reports-Raid-By-Law-Enforcement.html "
-
Re:Summary Fail
Not only that, but other sites reporting on the subject are already retracting:
UPDATES: Reports of the raid and confiscation of equipment are most likely a hoax or an elaborate social engineering scheme to capitalize on current news events.
Details are still few, and sympathizers should exercise caution before donating funds allegedly for "attorney fees". The original text requesting donations, as quoted below, and the corresponding link have been deleted from the "new" site.
https://www.infosecisland.com/blogview/9916-Hacker-The-Jester-Reports-Raid-By-Law-Enforcement.html
-
Re:I'm not worried about those hacks
Low chance of that getting hacked maybe... BUT totally likely that OnStar would fuck up and accidentally shut off all moving cars on the road. Or lock them. Even a disgruntled employee could do it.... https://www.infosecisland.com/blogview/3389-Big-Brother-Has-the-Power-to-Turn-Off-Your-Car.html