"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again, I cannot think of a way that is even possible on an iPhone without being asked; nowhere on my iPhone is my birthday or age stored.
Instead of disabling CRLs, you should publish them to a directory rather than an HTTP server. In the case of MSAD, the CRL will be replicated to every domain controller in the domain. The CRL distribution point can be specified as ldap:///path_to_crl.crl, which will allow a client to look up the CRL from any domain controller that is up.
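What the comment above describes, configured on an AD CS enterprise CA, as an added example (not the commenter's own configuration). It assumes an elevated prompt on the CA host; the HTTP hostname and the test certificate file name are placeholders. The flag values and the %-substitution variables are the ones certutil uses for CRLPublicationURLs.

```powershell
# Added example, not from the original comment. Assumes an AD CS enterprise CA
# on a domain-joined Windows server and an elevated prompt on that CA.
# Each CRLPublicationURLs entry is "<flags>:<url>"; the flags are bits:
#   1   publish the CRL to this location        2   put the URL in issued certs' CDP extension
#   4   put the URL in the CRL's Freshest CRL   8   put the URL in the CRL's own CDP extension
#   64  publish the delta CRL here too          128 put the URL in the CRL's IDP extension
# Variables the CA substitutes at publication time: %1 CA host DNS name, %2 CA host
# short name, %3 CA name, %6 Configuration naming context, %7 truncated CA name,
# %8 CRL name suffix, %9 delta-CRL suffix, %10 CDP object class.

$urls = @(
    # Local file copy: the CA always needs a location it can write to.
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',

    # LDAP CDP (the approach in the comment): the CA writes the CRL object into the
    # Configuration partition, AD replicates it to every DC, and a domain-joined
    # client's ldap:/// lookup is answered by whichever DC it can reach.
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',

    # HTTP CDP kept as a second path for clients that cannot talk to a DC (machines
    # outside the forest, partners, non-Windows stacks). No publish bit (1), so a
    # scheduled job must copy the .crl from CertEnroll to the web root.
    '6:http://pki.example.com/CertEnroll/%3%8%9.crl'   # hostname is an assumption
)

# certutil expects the entries joined with a literal backslash-n.
certutil -setreg CA\CRLPublicationURLs ($urls -join '\n')

# Registry changes take effect only after the CA service restarts.
Restart-Service CertSvc

# Publish a fresh base (and delta) CRL to every location with the publish bit set.
certutil -CRL

# Verify from a domain-joined client: fetch every CDP and AIA URL embedded in a
# certificate issued after the change and confirm revocation status can be built.
certutil -verify -urlfetch .\issued-test-cert.cer   # file name is an assumption
```

Two caveats a practitioner should keep in mind: the ldap:/// path only helps clients that can bind to a domain controller, so dropping HTTP entirely cuts off anyone outside the forest; and AD replication means a newly published CRL reaches remote DCs only after the replication interval, while clients that already hold a cached CRL keep using it until its NextUpdate time.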
There could be more to this story. But unfortunately, there really isn't.
The simple truth is that Dan is a top-notch security guy, who had a prestigious position as lead penetration tester within an investment bank. He is also well known in the app-sec community, and his contributions to OWASP have been fundamental to the widespread success of that organization.
He was working overtime on New Year's Eve, alone in the office, during a time when most people were already well into their third or fourth pint.
During the course of a sanctioned pen-test he saw a banner ad for tsunami relief and followed it. He then proceeded to make a donation for £30 which failed to return any confirmation of success. Those of you who read http://it.slashdot.org/comments.pl?sid=164612&cid=13741471 can see that the construction, legal organization, registration, and execution of the site are suspect.
Yes -- in the course of his work, part of his regular duties were to identify phishing sites. So by this point something definitely appeared amiss. A quick ../ against a sloppily constructed phishing site could easily reveal a webroot of vhosts like ebay.com, paypal.com, hsbc.co.uk, etc. And as a fellow penetration tester myself I can attest that in the days prior to his arrest, few in the security community would think twice before traversing directories. How could a valid URI that's RFC compliant be a violation of law?
Come on now. We all know what an attempt at unauthorized access is. Brute forcing an auth form overnight -- yes, that's certainly a (noisy and ridiculous) attempt at gaining unauthorized access. Checking for SQL injection (my name is John O'Callaghan, really!) -- ok, sure. But "../"?? Christ. What is this world coming to?
And now -- with respect to the judge coming down on Dan hard because he allegedly "lied" about his story, I would ask you to refrain from comment because it has not been established that Dan materially changed his story between the time of his initial police interview and when he took the stand to testify. At the time of his initial interview he may not even have remembered doing anything even remotely out of the ordinary (remember, ../ is something we all do from time to time, even if it's just to avoid hitting the *back* button on the browser!).
So before you all throw him under the bus I suggest you try and imagine what it would be like to be a professional, law abiding, upstanding member of the community, and then to have the cops bust into your workplace, cuff you, and then carry you out for questioning -- informing you that your residence is being searched, and your computers seized. I ask you if you would be cool and composed and have your facts recollected as perfectly as you would after 9+ months of time to think about it.
Anyway -- I think that this case represents a serious lack of understanding on the part of the legal system: an inability to understand the *technical* difference between a malicious attack (aimed at gaining unauthorized access) and the actions of a computer-savvy philanthropist who wanted to verify that the donation he had just made wasn't on its way to a .ru bank account.
Only time (and perhaps an appeal) can heal the wounds that Britain's legal system, as well as its information technology security industry experienced yesterday.
Back a couple of years ago I was responsible for supporting Checkpoint FW1 on a bunch of Redhat 6.2 IBM xSeries servers. I ran Debian on all my personal servers, and found the Redhat package management abysmal. However, Checkpoint would NOT support FW1 on any other Linux besides RH6.2 (and indeed I had quite a difficult time getting the FW1 kernel modules to load on any other distro). In the end I sucked it up, let my friends rag on me for running Redhat, and proposed a migration to Solaris for the firewall platform (the only other platform, IIRC, that was supported by FW1 at the time besides NT [gasp!]).
I think that if you introduce an unsupported distro into a corporate environment you're asking for trouble. In a fluid start-up environment, your team will be geeky enough to manage. But in an "office space" type environment you're just asking for trouble.
Impossible? Anything's possible. http://blogs.wsj.com/digits/2010/12/19/how-one-apps-sees-location-without-asking/