Domain: paritynews.com
Stories and comments across the archive that link to paritynews.com.
Comments · 14
-
Re:security
As much as I love freebsd I have stopped using it after their servers got 'served' with the use of 'legitimate' ssh keys. http://www.paritynews.com/2012/11/19/487/two-freebsd-project-servers-hacked/
Given that FreeBSD never released a good audit report after that hack, I can only be more worried.
Add to that that we now know the NSA had access to the certs from DigiNotar and might have done or paid for the DigiNotar hack, and I think one might as well use Windows. I hate to say it, but the complete codebase of FreeBSD needs to be checked. Again and again. Preferably with help from OpenBSD.
Maybe you should read over the report from freebsd.org: http://www.freebsd.org/news/2012-compromise.html
1) It was a single ssh-key that was leaked.
2) The accompanying user rights allowed access to two build server nodes which they took offline and they compared the data to a known good offline copy.
3) They pulled the 9.1-RELEASE packages they couldn't verify.
4) The compromised user only had access to the build system for binary packages. The BUILD system (and third party at that). NO access to the source repositories (except checking out, like you and me).
5) If you didn't use the 3rd party binary packages you weren't affected at all. (And who uses binary packages with FreeBSD anyway?)
I don't know how the infrastructure is organized in your company, but usually there is user management on a server when you hand out ssh keys, and only a few users if any are allowed to sudo su. IF there is sudo at all. That isn't a desktop box where every user added gets an entry in sudoers to su.
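As an added illustration of the "compared the data to a known good offline copy" step in point 2 above (this is example code written for this page, not the FreeBSD project's own tooling; the directory layout and sample files are constructed for the demo), the following POSIX shell snippet builds a SHA-256 manifest from a trusted tree and then reports every file in a suspect tree that was modified, added, or is missing:

```shell
#!/bin/sh
# Added example: check a possibly compromised package tree against a manifest
# taken from a known-good offline copy. Paths and sample files are constructed
# for the demo; nothing here is FreeBSD's own tooling.

# Use whichever SHA-256 tool the host has (GNU coreutils, BSD sha256, or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR  ->  one "<sha256> <relative path>" line per regular file, sorted.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(sha256_of "$f")" "$f"
    done )
}

# verify_tree MANIFEST DIR  ->  prints MODIFIED/MISSING/ADDED lines, returns 1 if any.
verify_tree() {
    manifest=$1; dir=$2; rc=0
    current=$(mktemp "${TMPDIR:-/tmp}/verify.XXXXXX")
    make_manifest "$dir" > "$current"
    # Every path in the known-good manifest must exist with the same hash.
    while read -r good_hash path; do
        cur_hash=$(awk -v p="$path" '$2 == p {print $1}' "$current")
        if [ -z "$cur_hash" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$cur_hash" != "$good_hash" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$manifest"
    # Anything in the suspect tree that the manifest never listed is suspicious too.
    while read -r _ path; do
        if ! awk -v p="$path" '$2 == p {found=1} END {exit !found}' "$manifest"; then
            echo "ADDED    $path"; rc=1
        fi
    done < "$current"
    rm -f "$current"
    return $rc
}

# Demo: "good" stands in for the offline copy, "suspect" for the build-server copy.
demo_report() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/verify.XXXXXX")
    mkdir -p "$work/good/bin" "$work/suspect/bin"
    printf 'ELF-known-good\n' > "$work/good/bin/pkg"
    printf 'ELF-known-good\n' > "$work/suspect/bin/pkg"        # unchanged
    printf 'v1\n'             > "$work/good/manifest.txt"
    printf 'v1-tampered\n'    > "$work/suspect/manifest.txt"   # modified
    printf 'lib\n'            > "$work/good/lib.txt"           # missing in suspect
    printf 'backdoor\n'       > "$work/suspect/bin/.hidden"    # added in suspect
    make_manifest "$work/good" > "$work/good.sha256"
    report=$(verify_tree "$work/good.sha256" "$work/suspect" || true)
    rm -rf "$work"
    printf '%s\n' "$report"
}
```

Run `demo_report` to see the three findings; in real use you would generate the manifest on the offline copy, carry it over on read-only media, and run `verify_tree` on the server you distrust, since a manifest stored on the compromised host could itself have been edited.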
-
Re:Do you trust your exit node?
Do you trust your exit node or proxy? Defcon had a recent talk on setting up proxy servers as a very quick way to find people who have something to hide. Now you have their IP address and their destination.
It's not just about exit nodes anymore. The NSA can, and regularly does, de-anonymize users within the Tor network, with or without compromised or 'baddie-controlled' exit nodes.
Tor works only as long as exit nodes are not in the bad guy's control.
Correction: Tor only works (in its current implementation) when there isn't a single bad node in the entire network. IOW, not going to happen.
Let's also keep in mind that 60+% of the funding for Tor comes directly from the Department of Defense (DoD).
Concerned yet? You should be.
-
Guess who is funding Tor?
According to consolidated financial statements and reports of the Tor Project for the year ending December 2012, US Federal agencies are responsible for nearly sixty percent of funds received by the project. Tor has taken a defensive stand against this, but who knows?
-
No.
For good measure, again No.
From the last paragraph of TFA:
"There are a few exceptions though – companies will not be required to pass on the data in cases where there are 'justified national security reasons'"
This provision is likely useless against the NSA.
-
Re:To be fair
do they think Apple is made of money?
What is wrong with thinking that? http://paritynews.com/business/item/847-moody-apples-cash-reserve-to-cross-$170-billion-by-2013
-
Re:But is it practical?
Yes, they do, and I've even tried two different models at Google I/O, but they're not the same as this thing. This Indian device promises to be a thousand times better and cooler. See pictures here and here.
Unfortunately, it seems to be a concept-only device right now. No outsider was given the actual prototype to try in real life, and no one was even shown a demo in real life. So to me, that means it's a concept-only device.
I generally do not trust picture mockups and PR people, especially from a company that I've never heard of before (the company could be legit, but honestly, I just don't know that either way). So one hopes that this device does work and does behave as described, and that it will come out soon. Because for all we know, this could be just another flying car concept: a very cool and attractive concept, but one that doesn't really work as originally advertised or as originally promised.
-
It's a good thing they're blind...
because this looks kind of horrifying.
-
Not an actual exploitable vulnerability by itself?
"This is an ASLR bypass technique, not an actual exploitable vulnerability by itself. The attacker still needs an exploitable memory corruption vulnerability to start the attack. ASLR+DEP is designed to make it much harder for an attacker to gain a foothold in the face of such an attack", benjymouse
"KingCope ... has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions to a known address space". "Once done, the rest of the memory, which was filled up earlier, can be freed and known exploit methods of spraying the heap and heap corruption can be used to exploit the system"
-
Re:We, the FSF, like Secure Boot
Seriously, Joshua, why do you think posts like this might be misleading?
The FSF literally posted a piece that has this headline: The Free Software Foundation Campaigning to Stop UEFI SecureBoot
That's why you now need to state "We think Secure Boot is OK" (under certain conditions).
-
not just Android
It's a problem for mobile platforms in general.
FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc. (AAPL)’s iPhone and Research in Motion Ltd. (RIM)’s BlackBerry, an analysis of presumed samples of the software shows...“When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located,” a FinSpy brochure published by WikiLeaks says. Systems that can be targeted include Microsoft Corp. (MSFT)’s Windows Mobile, the Apple iPhone’s iOS and BlackBerry and Google Inc. (GOOG)’s Android, according to the company’s literature. Today’s report says the malware can also infect phones running Symbian, an operating system made by Nokia Oyj (NOK1V), and that it appears the program targeting iOS will run on iPad tablets.
-
Re:When will this get hacked?
Well it seems that one of their servers has been hacked. I guess it has started already!!!
-
Re:other?
You would have had to read TFA in the original story, but all indications were explicit that it would be a Mastercard debit card.
Besides, "a major international bank" is not mutually exclusive with "Mastercard." Banks issue Mastercards. Both are needed. (It's not a debit card unless it's backed by a bank, and it's not a Mastercard if Mastercard doesn't say it's a Mastercard.)
So Mastercard saying "hell no" is actually a little bit of a roadblock.
-
Strange cookie behavior in linked site
There is something weird in the linked site: http://paritynews.com/software/item/66-ios-6-beta-3-jailbroken-already
It displays a warning at the bottom of the page telling you the site experience is better with cookies enabled. There are two buttons, "allow for this site" and "allow for all", both linking to "#" without a JavaScript onclick handler. Probably harmless, but weird.