One of the main principles of a crypto message is that it can't be reversed, and no part of the enciphered message should be able to be guessed without the secret key. As shown in this (https://appliance.cloudshark.org/blog/packet-capture-of-heartbleed-in-action/) post about heartbleed, we can tell what heartbeat message type was chosen, but we can't identify how many bytes the payload was unless we decrypt the data.
So my question is, without having man-in-the-middled all the sessions or had the decryption keys, how are these researchers making this statement?
The issue line was:
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
How can they differentiate between payload/padding after it's been sent across the wire?
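An added example, not code from the post or from OpenSSL, showing the length check RFC 6520 requires of a heartbeat receiver. It assumes the heartbeat record is visible in cleartext (the TLS record header gives the true number of bytes on the wire, the heartbeat's own payload_length field gives the claimed size, and padding is whatever is left over); the sample records are constructed, not taken from a capture.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of random padding

def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than the length in its header")
    return content_type, version, body

def check_heartbeat(record: bytes) -> dict:
    """Compare the claimed payload_length of a cleartext heartbeat with the
    bytes actually carried by the record; padding is the remainder."""
    content_type, version, body = parse_tls_record(record)
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False}
    if len(body) < 3:
        return {"heartbeat": True, "verdict": "malformed"}
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    available = len(body) - 3          # payload + padding really on the wire
    # RFC 6520: a message whose payload_length leaves fewer than 16 bytes of
    # padding must be discarded. Skipping this check is the Heartbleed bug.
    needed = payload_length + MIN_PADDING
    verdict = "ok" if needed <= available else "oversized_payload_length"
    return {"heartbeat": True, "type": hb_type, "claimed_payload": payload_length,
            "bytes_on_wire": available, "padding": max(available - payload_length, 0),
            "verdict": verdict}

def make_heartbeat(hb_type: int, claimed_len: int, payload: bytes, padding: bytes) -> bytes:
    """Build a TLS 1.1 heartbeat record (constructed helper for the samples)."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body

# Constructed samples: a well-formed request, and one that claims 16384 bytes
# of payload while sending none (the shape of a Heartbleed probe).
BENIGN = make_heartbeat(1, 4, b"ping", b"\x00" * MIN_PADDING)
PROBE = make_heartbeat(1, 0x4000, b"", b"\x00" * MIN_PADDING)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("probe", PROBE)):
        print(name, check_heartbeat(rec))
```

Once the handshake has enabled encryption the record header still reveals the total length, but the payload_length field inside is no longer readable without the keys, so this comparison only applies to heartbeats sent in the clear.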
I'm a big fan of the Head First series and I recently used the Head First C# book to learn. It's great but requires a Windows OS/VM to use so maybe not the best for you. The upside is it's centered around building games, which would greatly interest a kid.
I've been eyeing the Head First Java book for a while now, and for your purpose I just pulled up a comment from the headfirst site:
"My thirteen year old son who is new to programming started writing Java programs after reading this book. He had so much fun writing a battleship game after reading this book!"
I'm a fan of Where's James. It's free, has motion detection, works with night vision cameras, etc. Just plug in a good webcam and you're good to go. It can upload to FTP in case they lift your security system. It's neat.
At Defcon this year an instructor in computer forensics for law enforcement gave a very interesting talk on how they remotely exploit machines, mount drives read only, and copy hard disks off for analysis, without warrants. This is obviously the US side but the UK could be similar:
http://www.youtube.com/watch?v=PTYYlHYBF0Q
That's not one of the 999 ways that banks rip you off!
Seriously, I used to work for a credit card center, and both credit cards and debit cards are protected by Visa regulations. Most banks write off anything under $35 and never even care which is AOL. Anything over goes to a dispute representative who fights with the company (AOL) over the charge. Ultimately though this is all useless because the way most banks designed their credit card and debit card systems is that they can't block charges from specific vendors, only from charge banks (i.e. gas stations, adult entertainment). This was a specification in EDI and systems were built to specification.
Now to the way banks ARE ripping you off:
When AOL puts a charge through they get a 4 digit auth code. Every time they charge you after the initial charge they put the charge through with the auth code, automatically making it so the charge won't be denied. This is a convenience in case the card went lost/stolen or the card expired. This auth code is supposed to expire at some point, but I've yet to find a bank that implemented that part. The above would make sense on recurring charges, except that the bank has no way to stop the AOL charges. If the card is lost/stolen the number changes but the auth code will still charge to the new account. The only way to stop the charges is to get AOL to stop (haha) or to close the entire account out and open a new one. With a debit card you can close your checking account fairly easily and open a new one (at a different bank, or they link). With a credit card though it's more likely that the card holder can't pay off the debt, and as such can't close the account. Banks profit on this by either getting more debt piled on every month because people eventually stop complaining and just take the charge as a lesson to their stupidity, or they do a balance transfer to a different bank, and the other bank makes a fortune because balance transfers always screw the customer in the end (fine print).
Glad I quit that job.
Since when is it criminal to hack? It's potentially criminal, but I hack my systems all the time to make sure no security holes are present. The government has been really good lately on not calling all hackers criminals, but I'm worried this article is a step in the wrong direction. The government should be happy that ethical hackers exist otherwise most of those pesky software/OS exploits would still not be patched. Also, can you imagine having to train a hacker from scratch?
I haven't ranted on this for about 5 years, and was hoping never to have to again. It's like saying driving a car is criminal because some people cause vehicular manslaughter.
It's been a while since I read the books, but wasn't 42 the address of the bar that they all died in when they went back to earth and it was destroyed? Thus them just discovering the answer to the question seconds before the earth was destroyed?
a) who gives people science degrees
b) who publishes this dribble (the enquirer I presume?)
c) do they make money off of it? (I AM greedy...)
Honestly, what's with the doomsday people getting publicity nowadays?
You don't need to use cross-site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc. right after login for the googletalk applet. Run a packet dump, they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.
I was just logging in to challenge that all 228 people a) believed in souls and b) that (if souls exist) all 228 people had one.
I like the Openfire server with Spark client myself.
Data disposal has gotten much better in recent years so let's see how committed Google is to user privacy...
Something tells me the guarantee has limits, otherwise I'm going to set my 380lb arse on one and get my money back.
Microsoft forgot to sudo me into non-existence!
(changes his system passwords)
Three cheers for less spam!
(Shocked that Microsoft did something responsible)
I hope the Sys Admin doesn't suffer from claustrophobia or motion sickness...