Domain: rtfm.com
Stories and comments across the archive that link to rtfm.com.
Comments · 14
-
Re:Encryption?
Several:
Any SSL accelerator can do it, given the private key.
An example is the Radware CT100/Appaccel, but most load balancing companies have this capability.
SSLDump is an OSS app that does the same thing.
If you have an in-line device, you can break any session, and proxy the connection both ways. Some examples:
SCIP
Finjan
Blue Coat
Breach Security also provides an SSL Inspection plugin and appliance that is OEMed by various IDS vendors.
A Google search for SSL Proxy traffic Monitor returns a number of interesting responses. If you can proxy the service, you can do transparent man in the middle attacks on it.
Full Disclosure: I have worked for both Radware and Breach Security on these products, and did a SANS tooltalk on the topic (login required). -
Eric Rescorla has written a fine book...
...SSL and TLS, which includes an introduction that has a nice overview of encryption concepts and techniques.
The explanation of stream vs block ciphers is especially good, with nice examples showing how each technique works. -
Hash function attack roundup at Educated Guesswork
More info on the implications at Educated Guesswork. (It isn't my work, so anonymously it is.)
-
Act now to stop BPI/Sonny Bono in Europe.
The BPI (British Phonographic Industry) are currently lobbying to increase the length of music copyright in Europe from 50 years to 75 years.
According to the BBC.....
"A campaign is under way to protect music copyrights due to expire on 50-year-old records by Elvis Presley and other rock legends.
The UK music industry has begun the fight over a legal loophole on royalty payments.
Starting on 1 January 2005, copies of songs can be issued in Europe 50 years after their release without the need for payments to copyright owners.
It could affect records by Chuck Berry, James Brown - and by 2013, The Beatles.
The British Phonographic Industry (BPI) is spearheading the campaign.
Landmark rock 'n' roll recordings such as Presley's That's All Right and Shake, Rattle and Roll by Bill Haley and his Comets come out of copyright in Europe in January.
Prized catalogue
Over the next few years major hits by acts such as Little Richard, Johnny Cash, Bo Diddley and Fats Domino will also come into the public domain.
The Beatles' catalogue would begin to become freely available from 1 January 2013, with their first single Love Me Do. The band's entire repertoire - the most prized catalogue in rock music - would follow over the next eight years.
Recordings by other key British acts such as Cliff Richard, The Shadows, Tommy Steele and Lonnie Donegan are also at the centre of the campaign.
Once out of copyright, the BPI fears such potentially lucrative recordings could be exploited without recompense to the performers or the copyright holders.
Unlike Europe, copyright protection exists in the US for 95 years after the recording was made. Australia and Brazil have 70-year terms, and India 60 years. Composers and writers also enjoy 70 years' protection.
Peter Jamieson, the BPI's executive chairman, said less favourable copyright terms could put the UK's record industry at a commercial disadvantage to the US.
He said it was unfair to performers and investors to fail to get a return for a "free-for-all" in Europe - often within the artist's lifetime.
Record labels argue that their ability to invest in new talent often depends on money generated by their back catalogue.
The BPI is leading about 20 recording bodies including the Association of Independent Music (Aim) in lobbying the government over its concerns."
According to me....
Love, Love me do, there's a hole in me shoe, and you ain't nothing but a hound dog, just a crying all the time.
A large number of musical recordings from such people as The Beatles and Elvis Presley have become part of the National, European and World Wide culture. Most everybody in the west knows the songs, young musicians practice them with desires of making it great, and you can hear people singing the songs in pubs, bars, restaurants and homes on any night, up and down the country.
Despite all this I could still be breaking copyright if I had extended my opening sentence. It has come to something when a piece of material more than 50 years old, that everyone knows and can probably do a simple reproduction of, either by whistling, humming, strumming or singing, can be owned, not by the original artist, but by the music distribution companies.
Don't act like a small child in the playground. Let the music go, let it be free, give it to the people, let them feel the music.
-
Re:ext3 to reiser4 ?
It is now possible to generate a bitstream that matches a given MD5 hash. It's recent news too...
Some postings can be found here, and google is your friend :-).
--Eamon -
MD5 not *quite* broken yet, but maybe close....
For those who are seriously following this, you've probably seen the paper claiming to break MD5. I immediately started playing with confirming their results, but failed. There was some seriously strange stuff going on.
Eventually I gave up trying to reproduce the hashes, and went to looking online. I found a good summary explaining the mistake the authors made (endianness problems, mostly) at this website.
The end result is that they didn't break MD5 -- yet. But their result can probably be modified to break the real MD5. Looks like we have a few more days till the world ends.
;) -
Re:Security guy?
Actually, I think that reinforces my point. I spend most of my day working with security systems (see here) and so I absolutely know better than to send mail without checking the response line and yet I made that sort of boneheaded mistake anyway. This is exactly why software is riddled with bugs and why it seems unlikely we'll be able to patch them out of existence--people make mistakes.
-
Security guy?
I'm confused about this guy. He claims to be a security consultant, but to quote his blog,
"I replied to the mail and didn't check the recipients lines and my mailer helpfully sent a copy of my credit card # to everyone who had gotten the original message. Outstanding."
Really. I didn't make that up, check the link! Who is this guy, and why is he giving me software security advice?! -
Re:"Sniffing" for HTTP
Sniffing will also not get you anywhere if you are trying to see what's happening on an https stream as all you'll see is the encrypted traffic.
That's generally true, but not entirely so. If web developers have the server's private key, they can indeed decrypt HTTPS streams. I once had to do it for a heisenbug on a secure website. You can use the tool ssldump from Eric Rescorla. If you're this deep into SSL, you should certainly buy his book SSL and TLS, which is very helpful. -
For SSL encrypted traffic..
ssldump: http://www.rtfm.com/ssldump/
Pass it the right key file and it will decrypt the traffic to plaintext on the fly - very useful for tracing SMTP/POP3/IMAP over SSL, etc.
It can also debug the handshake process to help you find those weird SSL errors.
Uses libpcap so the filtering syntax is immediately familiar.
-
Re:SSL aware apps?
If you understand how SSL works, and just need an introduction to using OpenSSL in your programs, have a read of Eric Rescorla's OpenSSL Introduction. PDFs available at http://www.rtfm.com/openssl-examples/.
For more information, buy his book!
-
Re:Never patch a running system ;-)
It could be something in that, given that Unix has a large market share on the server side.
However, we should be very careful about bragging about it, because as it turns out UNIX admins are not that fast either. A study of an OpenSSL vulnerability and the subsequent release of the Slapper worm shows that many admins need some fire before they get moving.
-
Re:Including non-free?
Before asking questions about the Linux flavour you decide on, you might want to have a look here, first.
-
Last F.Y.I.
Under some circumstances, an intruder who is able to observe an SSL-encrypted session, and subsequently interrogate the server involved in the session, may be able to recover the session key used in that session, and then recover the encrypted data from that session.
The vulnerability can only be exploited if the intruder is able to make repeated session-establishment attempts to the same vulnerable web server which was involved in the original session. In addition, the server must return error messages that distinguish between several modes of failure. Although the number of session-establishment requests is large, it is significantly more efficient than a brute-force attack against the session key. Note that, although web servers comprise the majority of vulnerable servers, other PKCS#1-enabled servers may be vulnerable.
Note that the server's public and private key are not at risk from this vulnerability, and that an intruder is only able to recover data from a single session per attack. Compromising a single session does not give an intruder any additional ability to compromise subsequent sessions. Further, as mentioned above, this vulnerability does not affect all PKCS#1-enabled products.
Snipped from CERT advisory CA-98.07.PKCS
Here is an OpenSSL issue
OpenSSL bypassing
Last but not least there is ssldump, an SSLv3/TLS network protocol analyzer which identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
Someone saying they'd never heard of issues with SSL made me want to get the info on this, so apologies for making a redundant post if it seems this way. This does not include issues with Mozilla, Netscape and IE and SSL since it would've taken a lot more space... ./shrugs
home sweet home