Slashdot Mirror


User: Monkier

Monkier's activity in the archive.

Stories: 0
Comments: 110

Comments · 110

  1. Re:Does it self propagate? on First iPhone Worm Discovered, Rickrolls Jailbroken Phones · · Score: 1

    whoops: (i was in the process of RTFA)

    [09:04] First i was curious to how far something like this would actually spread, i think what most people were unaware of is the fact it IS a worm and every phone that got infected with it was spreading it (I initially only infected 3 phones when I woke up i checked google and found out a fair few people were hit with it)

  2. Does it self propagate? on First iPhone Worm Discovered, Rickrolls Jailbroken Phones · · Score: 1

    I get the impression it doesn't. Just connects SSH, and sends some commands to change your desktop.

    No self propagation = not really a worm.

  3. How does this work (in 20 seconds) on Null-Prefix SSL Certificate For PayPal Released · · Score: 5, Informative

    what usually happens:
    * you request a cert common-name=serverbox.mydomain.com from a Certificate Authority (CA)
    * CA determines you are authorized to make this request on behalf of mydomain.com
    * serverbox.mydomain.com serves down the signed cert, your browser makes sure website == common-name == serverbox.mydomain.com

    what these clever guys discovered:
    * you can request a cert common-name=paypal.com\0.mydomain.com
    * CA determines you are authorized to make this request on behalf of mydomain.com
    * man-in-the-middle sits in between you and paypal.com, serves down this cert, victim's browser makes sure website == common-name == paypal.com (whoops!)
    * victim sees paypal.com in their browser with that reassuring padlock
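
The mismatch described in the comment above, as an added example (not part of the original comment and not code from any browser or TLS library): the certificate stores the common name with an explicit length, but a check that hands it to C string functions stops at the first NUL byte. The function names and sample names are hypothetical, and the sample CNs are constructed from the two scenarios in the comment.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Flawed pattern: the CN is a length-prefixed string in the certificate,
 * but here it is treated as a NUL-terminated C string, so everything
 * after an embedded "\0" is silently dropped before the comparison.
 * (Assumes the buffer is NUL-terminated, as the samples below are.) */
int cn_matches_cstring(const unsigned char *cn, size_t cn_len, const char *host) {
    (void)cn_len; /* the encoded length is ignored: that is the bug */
    size_t seen = strlen((const char *)cn);
    return seen == strlen(host) && eq_nocase(cn, host, seen);
}

/* Hardened check: trust the encoded length and refuse any CN that
 * contains a NUL byte, since no valid hostname has one. */
int cn_matches_strict(const unsigned char *cn, size_t cn_len, const char *host) {
    if (memchr(cn, '\0', cn_len) != NULL) return 0;
    return cn_len == strlen(host) && eq_nocase(cn, host, cn_len);
}

/* Constructed sample CNs, taken from the two scenarios in the comment. */
static const unsigned char NULL_PREFIX_CN[] = "paypal.com\0.mydomain.com";
static const unsigned char NORMAL_CN[] = "serverbox.mydomain.com";

int main(void) {
    size_t np_len = sizeof NULL_PREFIX_CN - 1; /* 24 bytes incl. the NUL */
    size_t ok_len = sizeof NORMAL_CN - 1;
    printf("C-string check, null-prefix CN vs paypal.com: %d\n",
           cn_matches_cstring(NULL_PREFIX_CN, np_len, "paypal.com"));
    printf("strict check,   null-prefix CN vs paypal.com: %d\n",
           cn_matches_strict(NULL_PREFIX_CN, np_len, "paypal.com"));
    printf("strict check,   normal CN vs its own host:    %d\n",
           cn_matches_strict(NORMAL_CN, ok_len, "serverbox.mydomain.com"));
    return 0;
}
```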

  4. Re:Go after the software companies on Researchers Hijack Mebroot Botnet, Study Drive-By Downloads · · Score: 1

    How does the company paying commission make money off this? Redirecting your browser to their spammy search engine, pop up ads?

  5. Re:HAM Radio on Privacy, Mobile Phones, and Ubiquitous Data Collection · · Score: 1

    In the USA? I googled around for this and found this article: http://www.rietta.com/blog/2009/08/authentication-without-encryption-for.html

    The FCC regulations for amateur radio, part 97, rule that encryption cannot be used to obscure the meaning of communications.

  6. Re:Open source mobile phone? on Privacy, Mobile Phones, and Ubiquitous Data Collection · · Score: 1

    Have the firmware for the baseband & the OS all readily available and modifiable and use only off the shelf commodity components, no questionable 'black box' transceiver IC's

    So how open is the Openmoko hardware? The best reference I could find was wikipedia's entry: http://en.wikipedia.org/wiki/Openmoko#Openmoko_hardware

    Openmoko hardware aspires to the term open source hardware although in various areas the availability of cell phone components and law requirements prevent full conformance to this term.

  7. Re:An idea to make this work on Can We Abandon Confidentiality For Google Apps? · · Score: 1

    This does exist as a browser plugin for Google Calendar: http://www.ibm.com/developerworks/web/library/wa-googlecal/

  8. Re:A few things about SSL on Making Sense of Mismatched Certificates? · · Score: 1

    yes.. I've seen a handful of sites that have www.website.com & website.com pointed to the same IP address - but are serving SSL with a cert cn=www.website.com. oh - oops, we've always been testing it with "www.website.com".

  9. Re:Why they bother to try? on UK ISPs Could Be Forced To Block Or Restrict P2P · · Score: 1

    can anyone point me to a simple doc explaining how p2p encryption prevents man-in-the-middle?

    when I connect to https://www.amazon.com/ - i get served a signed cert saying I am defn connecting to who I think I'm connecting to. but in the world of p2p I have no idea who i'm connecting to..

  10. Re:Occam's razor on iTunes Gift Card Key System Cracked, Exploited · · Score: 1

    okay, there's a couple of caveats to this comment.. 1. it relies on my failing memory. 2. it mentions something i don't really condone (and has probably already been fixed). 3. it's anecdotal evidence to support your possibility 2 - totally anecdotal.

    I swear that i recall an article on engadget that said you can bypass the transaction fees on a coinstar machine by: depositing your coins, reaching around and unplugging the phoneline at the back, and selecting 'itunes gift card'. the machine gets confused, and dispenses your cash without subtracting any transaction fees. so why would the machine need a phoneline if the card is totally hash based.

    caveat 4. the phonecall is a fake or a 'future feature'?? 5. itunes gift cards operate differently in china.

    this could be the article i'm thinking of: http://www.engadget.com/2007/08/07/hacking-a-coinstar-machine-to-bypass-transaction-fees/ - which has since been 'corrected'.

  11. DRM? on Drug Deletes Fearful Memories · · Score: 1

    Could this be coupled with a movie/book/song - so after you've paid the small 1 time leasing fee, you are required to take a pill to forget the movie/book/song. Don't want any unlicensed memories 'stealing' from artists!

  12. Re:Respect on Sea Sponge Extract Conquers Resistant Bacteria · · Score: 1

    I think you left out a word:

    Good thing we're not *done* destroying our environment so discoveries like this can continue to be made.

  13. Re:Always Jumping to Conclusions on Search For the Tomb of Copernicus Reaches an End · · Score: 3, Funny

    we can trace their vectors backwards to an intersection point--the point of the event theorized to be the Big Bang. The true center of the universe.

    I just pictured someone 100s of generations from now taking their offspring to a really boring tacky gift shop at "The true center of the universe".

  14. Re:Not very good blocking software on Australian Censorship Bypassed Before Live Trials · · Score: 1

    dd-wrt is an open source firmware replacement for lots of routers. all versions of dd-wrt (except Micro) come with SSHD. i choose dd-wrt because it has a good web-ui to set-up this stuff - there are other linux based firmware replacements around.

  15. Re:Not very good blocking software on Australian Censorship Bypassed Before Live Trials · · Score: 1

    or a DD-WRT style router

  16. Re:Not very good blocking software on Australian Censorship Bypassed Before Live Trials · · Score: 1

    You can also skip the 'running PC' bit, and have putty connect to the SSHD running on a dd-wrt style router.

  17. Thanks Slashdot! Love, TSA on Tips For Taking Your Laptop Into and Out of the US? · · Score: 2, Insightful

    So in a couple of months all the l33t slashdotters are going to be smugly walking thru border checks, with their hidden linux partitions, truecrypt archives.. And the friendly TSA worker is going to pull out a USB key that checks for all the helpful suggestions posted in these comments.

    TSA worker asks you 'are there any pirate movies / mp3s on your laptop?'.. are you going to lie? how many people on the flight saw you watching 'big momma's house 3'? can you afford to be without your laptop for a couple of months?

  18. Re:Computer systems need security audits. on CSRF Flaws Found On Major Websites, Including a Bank · · Score: 1

    reminds me of a story: i worked somewhere where the 'send out mailing list emails' was a script u hit in your browser, something like: http://website.com/domailinglist to send out all the emails..

    turns out every night the webstats package would go thru the server logs and GET every page to find the title tag.. d'oh

  19. Re:Computer systems need security audits. on CSRF Flaws Found On Major Websites, Including a Bank · · Score: 1

    If you want to point someone at something more authoritative:

    * Use GET if:
        o The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).
    * Use POST if:
        o The interaction is more like an order, or
        o The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
        o The user be held accountable for the results of the interaction.

    http://www.w3.org/2001/tag/doc/whenToUseGet.html#checklist

  20. Creationism in Science class - my memories on Royal Society and Creationism In Science Classes · · Score: 1

    for some reason Creationism was taught in my science class (1991 sydney, australia) - about all I remember from the class was dating the Earth by tracing the number of generations in the bible.
    the science teacher, probably not happy about this addition to the curriculum, protested the best way he could: teaching a lesson on critical thinking and "what qualifies as science?" (falsifiable claims, etc) the day before.

  21. Can someone in China respond to this? on A Chinese Challenge To Intel · · Score: 1

    Is it true only "a few generations behind" processors are available in China?

  22. Re:Why?? on Airline Cancels All Flights Booked Through Third-Party Systems · · Score: 1

    do these websites screenscrape the ryanair site? i take it they aren't in any business partnership with ryanair - so ryanair are getting exactly the same amount of money as they would get if someone came straight to their site.

    possibly ryanair don't like their prices being displayed on a website that makes it easy to pick the cheapest fare?

    are they screenscraping the entire booking process? this would prevent ryanair from being able to display upsell products in the booking. and would allow the 3rd party to include their own additional fee. two pretty good reasons for ryanair to get upset.

    it's not really the mystery the summary is making out..

  23. Re:For that matter... on The DIY Dialysis Machine · · Score: 1

    Listen to a BBC documentary comparison of health care in the UK and Massachusetts: http://www.bbc.co.uk/worldservice/documentaries/2008/07/080715_better_health.shtml

  24. Re:give me a break on Telephony Fraudster Gets Lifetime Ban from Telecom Business · · Score: 1

  25. Re:This one is different. on 'Friendly' Worms Could Spread Software Fixes · · Score: 1

    Well put!

    * Nowhere in the article does it say they are going to release these worms on the internet.
    * Nor does it say it will spread via exploits.

    "Worm" is probably a very bad definition for what they are doing.

    There's a very lengthy explanation in this PDF: Sampling Strategies for Epidemic-Style Information Dissemination