Slashdot Mirror


User: psydeshow

psydeshow's activity in the archive.

Stories: 0
Comments: 570

Comments · 570

  1. Re:A hack is not just a hack on Want To Hijack a Domain? Just Get a Fax Machine · · Score: 2

    SSL certs would have battled against this. The cert wouldn't match when visiting the spoofed site.

    Except for the part where if you control the domain registration you can have a new SSL cert issued within minutes.

  2. Re:Why do we trust SSL? on Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know? · · Score: 1

    Oh, and I get it now, duh. The idea is that if GRC's server sees the same fingerprint you do, then you're good. Nice hack, and something you could do yourself with your own cloud server.

    But what if it doesn't, and the reason is that Google is using different certificates for different regions?

  3. Re:Why do we trust SSL? on Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know? · · Score: 1

    What you describe is perfectly possible and in active use. Use this wonderful site to detect such cases: https://www.grc.com/fingerprints.htm Preferably print the page out and keep it in your pocket.

    Well okay, but someone could build a *much* better version of that. And mirror it out to other sites. How do you know you can trust the certificate of grc.com?

    But as a proof of concept for what all secure site operators and their Certificate Authorities should already be doing, yeah.

  4. They should maintain a fingerprint list on Ask Slashdot: Has Gmail's SSL Certificate Changed, How Would We Know? · · Score: 1

    Yes, there is a simple solution.

    Google should post, in a permanent, obvious location, a list of the SSL Certificates they are using along with the certificate fingerprints.

    This list should be mirrored by other parties and the issuing CA to prevent the problem where someone with a forged cert can post their own list. They could also mirror the list in DNS TXT records.

    This should be standard for every well-known site that uses SSL, and it should be a service provided automatically by every Certificate Authority.

    I'm sick to death of non-transparent CAs. Publish the certs you sign. Publish your revocation lists. Stop assuming that no one understands what you do or that you don't have a responsibility beyond lining your own pockets.

  5. The Neverhood on Myst Was Supposed To Change the Face of Gaming. What Is Its Legacy? · · Score: 1

    I was in my early 20s when Myst came out. The visual design turned me off, it looked like someone's coked-out New Age fantasy come to life. Like a wine bar on steroids, all brass rail and ferns and bubbling water. No thanks.

    Now, "The Neverhood", on the other hand... that was like being dropped into the middle of a Gumby adventure. That game rocked.
    http://en.wikipedia.org/wiki/The_Neverhood

    I know, off-topic since not an open world game. But it was puzzle-solving and on CD-ROM, so...

  6. Invention and Implementation on Ask Slashdot: When Is Patent License Trading Not Trolling? · · Score: 2

    Layman's answer:
    It's trolling when the party seeking to enforce their patent rights has no intention of selling an actual working implementation on the open market.

    If the purpose of your company is to make money by licensing an idea, rather than selling a product or service that incorporates that idea, then you're a troll. The system shouldn't allow you to feed on other companies and individuals that are using that idea in their own products or services.

    Nobody cares if an inventor sells a patent to a manufacturer or a service provider who will actually use it, that's how the system is supposed to work. But holding companies and the builders of defensive portfolios should have no place at the table.

    Also, just because business has been conducted a certain way up till now, doesn't mean that's the best way to conduct business. Thomas Edison wasn't a saint, he ruthlessly exploited the inspiration and perspiration of everyone who worked for him and went to great lengths to crush his competitors. WE CAN DO BETTER, is the point.

  7. Uhhh, sure, nice Cloud FUD on The Windows Flaw That Cracks Amazon Web Services · · Score: 1

    Newsflash: If you run servers in Amazon's cloud, you have to trust Amazon.

    There's no flaw in AWS that enables this hack by untrusted parties. You have to have access to the AWS account in order to clone a volume, just like you'd have to have physical access to a physical server to clone a volume.

    The only interesting point here is that an Amazon employee could do this without you knowing it. But come on, how obvious is that? Their sysadmins could do a lot more than just clone your hard drive and change the password, you know.

    Thanks for updating chntwp, though.

  8. Re:what's odd about this? Your key is local on Software Developer Says Mega Master Keys Are Retrievable · · Score: 1

    Or the code comes from a known-good set of files on your local drive, and only the encrypted data is transferred to and from the cloud.

    HTML + CSS + JavaScript files == open source. As long as you load them using a file:// URL you can know what exactly you're getting.

    This is preferable to an extension which is a) compiled and b) could access every page my browser visits.

  9. Re: What's the big deal? on Software Developer Says Mega Master Keys Are Retrievable · · Score: 1

    A real fix to this problem would let me download the js and html and whatnot once, as a signed archive, and use your application from a file:// url on my computer.

    In other words, the only thing that would come from a server from session to session is the encrypted data file. No application code. No HTML. Just the data.

    It's a lot more like a traditional application, except that it runs in the browser and the source code is right there for me to look at.

  10. Re:Blueberry robot on Bringing Affordable Robotics To Big Agriculture · · Score: 1

    It takes a lot of light--A LOT of light--to grow big, healthy plants.

    LEDs are great for growing seedlings, and also lettuces and strawberries and other "low" crops. But when it comes to corn or tomatoes or other things that get tall, you need 4x-6x the lights in order to cover the mature plant. It's a big investment.

  11. Re:Firefox makes cache clearing difficult on Cookieless Web Tracking Using HTTP's ETag · · Score: 1

    Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

    Cmd-Shift-Delete on a Mac.

    Nice shortcut, thanks!

  12. Re:Secret Agent on Cookieless Web Tracking Using HTTP's ETag · · Score: 1

    ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

    I hate to break it to you, but the entire browser is nothing but a device for storing (and then parsing!) arbitrary attacker-provided strings....

    This is not a security vulnerability, it's the design of the system in which there was never a requirement to ensure that a client could visit a server multiple times without the server knowing (or inferring) that it was the same client.

    Yep. Bingo.

    Safest solution is to write your own "browser" in PHP or something and keep the request headers limited to just GET and Host:, and don't download any linked stylesheets, scripts, images, favicons, objects, or embeds. Have fun with that!

    It *would* be nice if there was a paranoid mode in Firefox or Chrome that prevented cross-domain resources from being loaded. But that would break a bunch of sites, too, where some yokels bought the argument that speed is everything and spread their frontends over a bunch of different subdomains and third-party CDNs.

  13. Re:How do they get the data? on Training Materials for NSA Spying Tool "XKeyScore" Revealed · · Score: 2

    HOW if they do not have a physical access to the major routers?

    1) Let's say you had a rootkit-like patch for a popular model of carrier-grade fiber optic switch. Now let's say that you control one or more key employees of an engineering company that installs carrier-grade networking equipment in various parts of the world. Gives it to universities for free. Operates popular chains of internet cafes.

    2) Let's say you deploy large numbers of compromised TOR routers in all of your embassies and consulates. Or as a botnet.

    3) Let's say you have a team of skilled malware writers that work on creating network sniffing botnets. Let's say the malware is also able to install a sniffer on several popular models of wi-fi access point, with known (and unknown) firmware issues, backdoors, or simply default passwords.

    4) Let's say you have massive arrays of wi-fi and cellular antennas installed in all of your embassies and consulates, and 60 years of experience isolating and processing signals from distant enemy transmitters.

    Those are four possible scenarios. I'm sure if you think about it you can come up with others.

    We all know that the Internet is inherently insecure, and that software is exploitable. Given enough storage to capture everything in real time so they can apply map-reduce to it, the NSA (and presumably other spy agencies) have their work cut out for them.

  14. Re:simple solution on NSA Spying Hurts California's Business · · Score: 2

    +1 - unlike most states, California could actually pull secession off. Big population, lots of industry, geographically diverse and geographically isolated. Great trade connections. Plus most of the rest of the US wishes they'd fall off the edge of the continent already.

    Good luck getting much water out of the Colorado river post secession, but that's been drying up anyway.

    If California were to secede, I would move back in a heartbeat.

  15. Re:Earthfront Real Estate on House Democrats Propose National Park On the Moon · · Score: 1

    Some followup, via http://blog.foreignpolicy.com/posts/2013/07/09/can_the_us_create_a_national_park_on_the_moon:

    The 1962 Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer Space prevents states from asserting claims over parts of outer space, including the Moon.
    http://www.oosa.unvienna.org/oosa/SpaceLaw/gares/html/gares_18_1962.html

    However, according to 18 USC 7, spacecraft in flight (that is, that haven't returned to Earth) are US Territories.
    http://www.law.cornell.edu/uscode/text/18/7

    So Congress could theoretically declare that the spacecraft we abandoned on the Moon are a National Park, but they have no jurisdiction over the areas around them that were explored by astronauts.

  16. Earthfront Real Estate on House Democrats Propose National Park On the Moon · · Score: 1

    This isn't about who owns the Moon, because obviously no one does.

    The more interesting question is, does the USA own the sites where our astronauts landed? And it seems to me that, absent any other legal precedent, we do. Or we would at least have a better claim to those sites than anyone else not currently inhabiting them.

    I'm a little surprised that Congress, in 1969, didn't declare the Moon (or parts of the Moon) to be official U.S. territory, annexed by whatever means we used to annex a bunch of islands in the Pacific, and a big slice of Antarctica. Perhaps there is a residency requirement, but there are at least a few island territories that have no permanent inhabitants.

    Anyway, I don't mean to troll -- we came in peace for all mankind, etc. But obviously there are analogous cases on Earth that could be used to define a protocol and legal framework for claiming non-contiguous, unoccupied land as a territory belonging to a nation-state. And if we didn't do it right during the Apollo missions, then that sounds like a damn fine reason to haul our asses back there and stake a proper claim.

  17. Re:Start with certified emails. on Calif. Attorney General: We Need To Crack Down On Companies That Don't Encrypt · · Score: 1

    How many mails have you received that were official and digitally signed (not a signature)?
    I work in a company where people are pretty security savvy, but email somehow is an exception. When I ask how they know the mail came from John Doe, they tell it is sure because the email address is John.Doe@example.com.

    Quickest way around that: send out a few emails as the company CEO, and set the Reply-to address to a random colleague.

    Loads of fun, and all you need is a command line on a server somewhere.

    Don't blame me if you lose your job, blame RFC 822...

  18. Cross-site Security Issues on The Security Risks of HTML5 Development · · Score: 3, Informative

    Yep. I'm a long-time web developer, and I do a lot of thinking about security and the sorry state of it on the Internets.

    Any time you decide to include third-party code in your pages, you are asking for trouble. The list of hijinx that a third-party script can cause (even with strong cross-domain protection) is limited only by the imagination of the attacker. For instance, even if they can't get at your precious session cookie or local storage data, an attacker can modify the DOM, right? And show a big, window-filling DIV that looks exactly like your login screen, complete with your own assets. Good fun.

    I cringe when I see big, commercial sites that ought to know better include trackers and other code from services they do not control -- in many cases poorly-funded startups that could fold or be bought out overnight. And if someone unscrupulous gets ahold of the company, or just the domain? Boom, code injection across your entire site.

    Because that's exactly what we're talking about: remote code injection as a best practice. It's the most ridiculous head-in-the-sand way to deploy software ever invented. You would never stand for this kind of thing on your desktop (running an unsigned executable over http) but for some reason it's how things are done on web pages. Sure, your browser provides a sandbox, but everything inside that sandbox (your web app!) can still get arbitrarily hacked.

    Web security is a huge freaking mess, and it's going to take us a generation to undo the standard procedures and move to a place where security and privacy are more than just buzzwords.

  19. Re:Wow, just wow. on KWin Maintainer: Fanboys and Trolls Are the Cancer Killing Free Software · · Score: 1

    Moderating his own comments is just basic engineering fail.

    THIS. Does he weed out his own spam, too?

    But also, deleting comments you don't like shows a critical failure of imagination. There are better ways to handle trolls, and better things to do with one's time.

    Put a "flag for moderation" button on guest posts. Every time a trusted user clicks it, the post's font size becomes smaller.

  20. Re:Wow, just wow. on KWin Maintainer: Fanboys and Trolls Are the Cancer Killing Free Software · · Score: 1

    Slashdot's moderator system is a form of censorship.

    It's not censorship if anyone can still read the posts that have been modded down.

  21. Re:Who cares. on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    So who cares? Me, and everyone even remotely versed in security.

    Exactly - an exploit that has user level access can impersonate you until it is discovered and wiped out. An exploit that has admin access can patch your keyboard firmware and impersonate you (and everyone else who uses your computer) forever.

  22. Re:But not to give them a chance to correct it fir on Google Security Expert Finds, Publicly Discloses Windows Kernel Bug · · Score: 1

    It's a privilege escalation vulnerability... your machine has to already be compromised for this to be abused in the wild.

    Unless your machine is used by multiple users, most of whom do not have admin rights. Think Windows Server, or a laptop that has been locked down for guests or kids to use. Or if you're one of those smart/paranoid people who doesn't give their day-to-day user account admin rights, in order to protect themselves.

    Many of us assume that our machines are already compromised out of the box. The compromises just haven't been found or disclosed, yet.

  23. Re:Name and address? on Ask Slashdot: Why Do Firms Leak Personal Details In Plain Text? · · Score: 1

    Your passport number is a secret? No.

    You do realize you have to write it on entry and exit forms, and hand it over for scanning at border crossings, right?

    Sometimes, you're even required to surrender your passport to a foreign embassy for a few days so that they can wipe their noses with it before they return it to you with a visa affixed, and god knows what RFIDs or chemical tracers embedded.

    Your passport number is essentially public. Get over it.

  24. Cable business model on John McCain Working On Legislation For 'a La Carte' TV Channel Packages · · Score: 1

    Finally, a reason to love the conservative vilification of Hollywood! (Brought to you by... Hollywood! but I digress.)

    The business model for cable television relies on bundling, where a portion of your monthly cable bill goes to all those channels that you have access to but don't watch. If this bill passes (FAT CHANCE) it will utterly change what cable looks like.

    Fictional example: The Dogfood Channel gets 1 cent per month for every subscriber. But because Dogfood's parent company Viacom requires any cable operator that carries MTV to also carry Dogfood, the 200 million cable subscribers with access to MTV mean a revenue stream of $2,000,000 *monthly* for Dogfood. Most of which is shared back to Viacom, which spends maybe $10,000,000 *annually* to produce the warmed-over reality advertorials on the channel. That's $14 million in profit for Viacom on just one channel.

    The big TV producers have a huge incentive to invent new channels full of cheap fluff, and force cable operators to carry them.

    Cable companies, by the way, will likely be in favor of this legislation, because if subscribers only pay for what they want, and the operators charge overhead on each selection, then they stand to make more money than they currently do. At any rate, a larger percentage of what subscribers pay will stay with the cable company, rather than going to access fees on all those channels they didn't want to carry in the first place because nobody watches them.

    It will also make the local advertising that they sell worth more because there will be way less inventory, and the ads will reach a much more targeted demographic.

    On the other hand, if I can get a la carte channel service via the cable company, why not just skip the middleman and order my channels directly from the producer, via internet streaming?

    This bill will never pass, but only because it destroys the business model of a handful of big, powerful TV production companies. Consumers and cable companies would both benefit, at least in the short run.

  25. Re:Looking forward to replacing a bulb... never on Cause of LED Efficiency Droop Finally Revealed · · Score: 1

    Seen widespread manufacturing defects with LED crosswalk signals in New York City, too. The most common mode of failure is that the walk signal would stay lit when the don't walk signal turned on. Some would flicker, instead.

    I just assumed the city ordered RoHS-compliant gear that ended up suffering from tin whiskers, but since they all failed in similar ways it was probably something much more banal.