securityfocus.com · Domains · Slashdot Mirror

Re:Wow! by TripMaster+Monkey · 2008-12-02 06:32 · Score: 3, Informative · on European Police Plan to Remote-Search Hard Drives

If you don't care for that analysis, here's another.

Re:use norton by Conor+Turton · 2008-12-01 22:48 · Score: 0 · on New Massive Botnet Building On Windows Hole

Not to worry, Linux kernel has had a massive hole all of its own found this week as well.

If you're feeling left out, here's 31 pages of vulnerabilities for Ubuntu . Just select Ubuntu as the vendor and Ubuntu Linux as the title. You can do it for other distros if you're using them. Results will be similar for most distributions

Re:PJ does have her moments by Raenex · 2008-11-30 15:38 · Score: 2, Insightful · on Groklaw Summarizes the Lori Drew Verdict

There's a million ways to be anonymous from open WiFi (even the retards should have that one figured out) to misconfigured proxies, mixmaster networks, freenet, TOR, JAP and a host of other possibilities for anyone that wants real anonymity.

It's funny that you mention JAP. Do you know that it was compromised by law enforcement in 2003? And how about the poor sap that got busted for breaking into Palin's email. He used a proxy that stated: "Because government subpenoa could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us."

This guy gladly handed over the logs to the feds.

You can be anonymous, but it's not trivial and easy to screw up or get compromised.

Responsible disclosure? by Cow+Jones · 2008-11-22 20:41 · Score: 1, Insightful · on Zimbra Desktop Vulnerable to Man-in-the-Middle Attack

First of all, I don't see any reason why this would be on the Slashdot front page. Many vulnerabilities like this one are discovered every day, and many are more critical and interesting, and concern products that are more widely used than Zimbra. Just take a look at Bugtraq to see a few samples.

More importantly, we shouldn't promote any random blogger who posts about security vulnerabilities to get t-shirts from Yahoo:

For anyone from Yahoo! reading this, I'm still waiting for the shirt I was promised from the first time I reported a vulnerability, but its all good :)

There's such a thing as responsible disclosure, and that's not blogging happily about everything you find, on a Friday no less, and then mentioning in passing that "At the time of the writing Yahoo! security has been notified." You have to give the vendor at least a chance to get the bug fixed.

CJ

This is good. by Surreal+Puppet · 2008-11-18 18:16 · Score: 4, Insightful · on Court Slams Door On Sale of Spyware

But it's stuff like this we're really after: http://en.wikipedia.org/wiki/MPack_(software). People who code professional-grade malware generally do so to profit off of it. It's well known that in the existing ecosystem of digital crime the malicious hackers themselves rarely act as attackers in large-scale id/credit card theft; instead they sell it to people who do. Quoting this extremely enlightening interview: http://www.securityfocus.com/news/11476

"The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live. Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project."

This particular piece of spyware is amateur stuff, aimed at paranoid spouses/bosses, but if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of china and russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream.

Re:n/t by Kjella · 2008-11-18 10:26 · Score: 5, Insightful · on Secure OS Gets Highest NSA Rating, Goes Commercial

So basically it costs money to get EAL verified, and the farther up the scale you go, the more money it costs to run the testing.

Uh, yes? The more specific the documentation, the more work has to be done to verify it. I'm not sure how many million LOCs are in the Linux kernel but if I had to go through EAL6+ semi-formal proofs for all of them I'd charge a bundle too. Are you really trying to imply that NSA issue this sham certification because they're short on funding? Stop trying to pretend that all the "experimental support" that goes into Linux could or should pass certification, because it damn well shouldn't. Certainly not on based on a casual "it's probably capable" that's quite frankly pulled out of your nethers with no documentation to back it up. Here for example are THREE security exploits in the kernel in the last two months:

1 Linux Kernel VDSO Unspecified Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-11-04 00:00:00 MST
URL: http://www.securityfocus.com/bid/32099
2 Linux Kernel LDT Selector Local Privilege Escalation and Denial of Service Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-10-03 00:00:00 MDT
URL: http://www.securityfocus.com/bid/31565
3 Linux Kernel 'generic_file_splice_write()' Local Privilege Escalation Vulnerability (Vulnerabilities) Rank: 820
Last modified on: 2008-10-03 00:00:00 MDT
URL: http://www.securityfocus.com/bid/31567

Don't get me wrong, Linux is a great system and all but I wouldn't want to nuclear launch control on it, sorry.