Domain: rsaconference.com
Stories and comments across the archive that link to rsaconference.com.
Comments · 19
-
Re:root = same process
My bad, page 11 of https://www.rsaconference.com/... outlines 20+ ways that "Project Zero" has identified to break into a Mac's external safety nets.
-
Re:even when in offline mode
I was curious as well, so I read through their presentation slides and their press release.
The gist of the attack is that they've crafted a malicious SSL cert that can cause strange behavior in apps and the OS itself, including the possibility of initiating a crash-reboot-get malicious SSL cert-crash cycle. Once you get stuck in that cycle, there's no way to turn off WiFi, hence why they said that offline mode would not remedy the issue. That said, offline mode can indeed keep you from getting stuck in that cycle to begin with, and the researchers even recommended it as one of the ways to avoid the problem entirely. Alternatively, if it's already too late for you and you're in the crash loop, simply leaving the area will fix the issue for you, since you'll be able to pull down valid SSL certs and reboot as normal.
Which is to say, the summary has it wrong, since the attack cannot cause you to enter the crash loop while you're in offline mode, but you won't be able to enter offline mode once you're in the crash loop, so offline mode cannot save you at that point. Only leaving the area will work.
-
Worse than just Passwords
The actual presentation is much worse than just passwords.
Really pathetic that "chip and sign" won't do much to fix these issues. Disappointed that they didn't shame the manufacturer, although there are really only 3 left now among the majors.
(And sadly, the link to that presentation's directory is "writeable." Sometimes even security specialists get it wrong...)
-
Flash...?
Many many professionals long ago abandoned Flash as it became easier to make "pretty" websites with useful dynamic content without it. It was always a nasty piece of technology to work with.
So why does the reviewer mention it? Maybe because he's hardly an expert in this field himself?
Take this quote: "You will likely find the sites you intuitively return to coincidentally happened to be those very sites that have done it right and have the content you want." ...no shit Sherlock. As if we weren't saying this 15 years ago. Truth is Ben Rothke writes anodyne book reviews as evidenced by:
http://www.rsaconference.com/blogs/465/rothke/job-reconnaissance-using-hacking-skills-to-win-the-job-hunt-game
"...a great resource to help you get there."
http://www.rsaconference.com/blogs/451/rothke/digital-forensics-processing-and-procedures-meeting-the-requirements-of-iso-17020-iso-17025-iso-27001-and-best-practice-requirements
"...will prove to be an invaluable resource."
http://www.rsaconference.com/blogs/449/rothke/information-security-governance-simplified-from-the-boardroom-to-the-keyboard
"...a great resource."
http://www.rsaconference.com/blogs/444/rothke/fisma-compliance-handbook
"...a great resource to use."
I might write some half-conceived ideas and submit them for review and maybe I too can have a "great resource" of my very own?
(P.S. Ben - the SEO boost here is free! But I am making it possible to Google for "Ben Rothke underwear scandal" in return)
-
Why not just link that review
-
Re:Everyday book reviewing
it's been cross-posted and advertised on the reviewer's twitter account.
the review really is a shameful piece of work and it's not just spelling and grammar. he gives no solid reason whatsoever why this book is better (or even significantly different from) the 1996 edition of applied cryptography, which he mentions in the introduction. here are the topics he presents: historical ciphers; modern symmetric/asymmetric encryption; key management; and a few applications shoved into the last chapter.
apart from the applications, none of these things have fundamentally changed since 1996. sure, the book might have more up-to-date details but, oh, that's right, the review doesn't mention it either way. there are supposedly-difficult (note: this is completely subjective) questions, and some "mathematics" in an appendix (not a good sign). there is no comment on technical details at all.
And never mind the similarity between this and the Schneier book Practical Cryptography (which would seem like a much more relevant comparison...)
-
USA 2011
"About eight out of every 10 Web browsers run by consumers are vulnerable to attack [CC] by exploits of already-patched bugs, a security expert said Thursday.
The venue is worth a mention: RSA Conference 2011 - San Francisco
This is not a second-tier event.
Speakers include former President Bill Clinton, General Keith B. Alexander, Commander, U.S. Cyber Command, William Lynn III, Deputy Secretary of Defense...
In Open Source from Qualys:
-
Re:HBGary Presentation?
Wondering how Aaron Barr's presentation on Social Network went... Thought I might post as "Anonymous Coward", but don't feel like having my door kicked in by the Feds today.
Searched the RSA11 sessions: his presentation is nowhere to be found.
-
Hugh has a talk show, as well
Saw Hugh at the RSA conference, where he told this story and talked about a new internet talk show that he's hosting. Don't know that it's for everyone, but the slashdot crowd should dig it.
-
Re:Meh
Last year's winner was not HD Moore, it was Ralf Hoelzer.
http://2006.rsaconference.com/us/media/news.aspx
-
Re:Wonder what the expense report looks like
You forgot the most important line item of all: mountain dew!
And yes, I was drinking dew for the finals:
http://www.rsaconference.com/2007/US/press/photos/feb8/images/2007-02-08_12-41-10.jpg (hiding behind the monitor)
-
Verisign
And verisign can sell a lot of domains to phishers. (profit!)
Funny you should mention that! One of their people is speaking at RSA... Oh look, and on stopping phishing!
Security for Real People
Phillip Hallam-Baker
"Security must be end-to-end." "A system is only as secure as its weakest link." "Bad security is worse than no security." Many Internet security experts repeat this sage advice. Unfortunately, none of it is true. This presentation will examine and expose the fashionable nonsense that is the real cause of Internet insecurity.
Anyone want to pay $1895 to go ask awkward questions??
-
Quite often that's the point...
Scenario: you are an IT manager type. Your division is about to take on two new missions. You go to the trade show; in one place and in a relatively short amount of time - typically 2-5 days - you get to see the major players in relevant markets exhibiting their wares. You can compare features and prices and tinker with hardware, often speaking to marketing, sales, and even technical folks in the space of ten minutes. You can also make a ridiculous number of contacts. Yes, you are paying to receive marketing, but if you have the need (as in the scenario) you get at least as much out of the exchange as you give.
That sounds like good bang-for-the-buck, yes?
PS Disclaimer-thingie: I generally think of the RSA Security Conference when I think of trade shows. YMMV with smaller expos.
-
Re:An (albeit old) article on zero knowlege system
I am posting this from a public terminal at the RSA2000 Conference, where Ian Goldberg (Zero Knowledge's chief scientist) is scheduled to talk tomorrow.
I've got his session scheduled... I plan to grab some of the "best" questions from this thread on Slashdot and corner Ian afterwards and see what he's got to say. I'll post the results of my quest here tomorrow after the session, if anyone is interested.
---------
Question: How do I leverage the power of the internet?