Wednesday, October 19, 2011

Encrypting your files

Encrypting your file system is a good way to prevent attacks from attacking the content of the file system externally where the contents are in encrypted form in the physical devices. The big trouble comes when your file system is decrypted at the moment when you are using the file system itself.

Below are some scenarios that would represent possible scenarios that I have mentioned.

Running your Operating System (OS) while some trojans managed to sneak into your OS. In such a case, even if you have a highly secure encrypted file system, the trojans present an insider threat as they exists within your file system and hide among your protected contents. No matter how strong your file system encryption is, these trojans existing inside your OS could simply grab your files (when you are using the OS, your file system is being decrypted and thus open to attack) that have been decrypted and send them to their owners.

Another scenario is when a user is being coerced into decrypted their entire file system for aggressors to obtain the plain form of the file system contents. File systems that have strategy to partition and trick aggressors via anonymity of ownership of the content (i.e. Rubberhose File System) could address such a problem.

As you can see, file system encryptions have the limitations of preventing people outside from looking into your file system content. I would not wholly ignore or condemn file system encryption as they are to me an external defensive wall.

I would recommend the use of "internal defense" by encrypting the files sitting inside your file system or devices that you think are important so in the events that a trojan slips in to harvest data on you, it would have a hard time decoding the "internally" encrypted files sitting in your file system. 

It would be better if you can encrypt your files on creation so that copies or temporary files and metadata of the contents will have lesser chances of fragmenting and being copied all over your file system as buffer data or simply to sit there for no reason.

Ultimately, these defensive techniques are to delay aggressors or to make it extremely hard for most aggressors to know the truth of your contents. Forceful coercion, human errors, key and screen logging to to detect the password you type into your file encryption program to decrypt those individually encrypted files are part of the arsenal that could defeat the encryption you have placed on your file system and each important files.

The best security is to simply not have it around at all but it is nearly impossible.

To summarise this short article, do not solely rely on encrypting your file system and devices. Encrypt the files inside the file system and devices that you think are important in an event your file system or OS is breached. There is no "ultimate security" for now.

Opera and security scandal

Such a scandal makes it hard for users to trust or to continue trusting either the researcher who disclosed the vulnerabilities or Opera themselves.

The best way to prevent such scandals is the publication of truthful conversation logs and archives to prove the point and provide valid evidences.

Such a scandal would simply put a dent anyway to either or both sides and it's not something good in the long run I guess.

Monday, October 17, 2011

Crime Sourcing and Crime as a Service



Criminal outsourcing and Crime as a Service (CaaS) have been developed unknowingly by criminal groups and organisations. These materials are very useful for Cyber Forensics investigators and students and Security researchers.

Friday, October 14, 2011

Why your web profiles aren't safe


This should give you something to ponder about the reaches of the US government and their relentless appetite for more power and the ability to "subdue" (kill off) adversaries or oppositions of any sort. A tyrant indeed. There are much more cases out there that you can search for.

For those who love the online lifestyle, you have to simply be careful of what you put up there (no GPS or personal information that would be too obvious). Few actually respects privacy of themselves and others in this age.



Source Code:
Cool stuff. Imagine you can do SSH over HTML 5 via web browsers. Despite there are existing implementations, each of these implementations improves on the other. I have not tried it but the concept is good. The only problem is how much are you willing to trust that web browser and computer you are on ? The server-end running Python codes also makes it easier to handle.

Tuesday, October 11, 2011

Reacting to a hacked email account

In an event your email account or your friend's email account security have been breached, I have some ideas below that might help.

The reason I am writing all these is I have seen many people's accounts being used to send spam (because their accounts are hacked) and no one tells their friends about the breach so the correct reaction could not be taken and probably be deleted or sent to the spam mail or trash. Another reason is no one bothers about their accounts being hacked and be used for spam because their emails are not important to them. The huge mistake is, the usage of their hacked emails as "robots" or "zombies" to control, the person who is in control of the accounts (puppet master) can use these accounts for other malicious deeds and harm others. It becomes a chain reaction and may snowball into something big.

So enough of the talk and let's get into the topic.

My friend's email have been hacked !!!
Yes, you can tell your friend's email have been hacked. He/she sends you suspicious links (so don't click on "juicy" or obviously dangerous links). Another trend to note is the "To" list of people who would be receiving the malicious spam mail. The list of people in the "To" field (whoever that would receive the malicious spam mail) would be alphabetical. Who would ever be so careful to include people into the "To" list of receivers of an email in a very neat and well thought out alphabetical fashion other than a computer program ?

To summarise, you would notice a weird link in the email or some attachment that makes no sense and the list of "To" people (which would include your own email address) would be so neatly adjusted in an alphabetical fashion.

So how do you react ? Firstly, take a screenshot and forward back the link as an evidence to your friend's email (hoping he/she can still access his/her account). Contact your friend via a channel they usually would and tell them to change the password to something else that's not some default passwords people usually use (good password selection policy). Also advise your friend to change all other accounts that he had used that compromised account to register as well. The notion is that the intruder might have used the email account to request for password resets or some emails might contain passwords from account registrations that people might refuse or forget to change. Finally, if it's possible, ask your friend to alert the email provider of a possible breach so that the email provider can investigate their own security measures and carry out some security audits to ensure other users are safe.

My email have been hacked !!!
Ok, do not panic. Attempt to change the password in the email account and the other accounts linked to that email account that have been compromised. If you are locked out of your own accounts of any sorts, then notify the service provider (email or account provider) while they investigate into the matter. Notify your friends to be careful of the compromised accounts. The best way is to ask your friends to alert you any time when they suspect a spam from your account (this arrangement can be done without any event from happening yet as a safety precaution and a good security practise). All you need to do after you have warned the necessary people is to wait for the investigation to take it's course. There is nothing much you can do unless you would consider making yourself a new email account (and secure it safely with a new well-designed password).

Some additional measures to ensure security
Always use HTTPS (secure and encrypted) if the email or website provides one. If there is a setting in the website or email provider's options to turn on HTTPS, use it as the default instead of HTTP (insecure and unencrypted). Change passwords at least once every few months if possible and do not use the same password across multiple accounts. It makes predicting passwords so much easier. Use a password manager like KeePass (, KeePassX ( or PasswordSafe ( that have the capabilities to use strong encryption to store your personal information and passwords. Obviously, use a pretty strong password which you can easily remember to protect your password manager as the login password and DO NOT SHARE PASSWORDS !!

Overall, it is hard to deal with email account breaches as you might not be the owner of the email server. You are usually using a web-based email service someone provides you (Hotmail, Yahoo, Gmail...etc...) which you have very little control over. The above practises are thought out to reduce the damages a compromised account can do by acting responsibly. Do not forget, you might think that your email account is insignificant but it can be used to create bigger threats.

© 2011 Thotheolh / ThothTech. Part or whole of this article can be reproduced or quoted if their meanings are not distorted, else link them to this article.

Wednesday, October 5, 2011

Killing Freedom

What a shame for countries who sign such a restricting agreement and join in the ranks to try and grab the favours of a failing country whom cannot protect her own country's freedom like the USA. It is obvious that the USA created such an agreement for their own greed and motives and those who signed it played into the hands of the USA and their desires in an attempt to gain benefits from a country who has been owing the World Bank in trillions of US Dollars of loan.

Tuesday, October 4, 2011

Quality of Java installers

Hi decided to get a 64 bit "bin" extension installer for Linux installation of JDK 6 u 27 and when I executed it, this is what it gave ...........

./install.sfx.9113: 1: ELF : not found
./install.sfx.9113: 2: Syntax error: ")" unexpected
Failed to extract the files.  Please refer to the Troubleshooting section of
the Installation Instructions on the download page for more information.

And a file Java installer generated .....

What is that messed up file above that the Java installer generated !!??

This is the quality of Java from Oracle. Oracle have been screwing up Java badly for so many steps since it took over Java by "eating up" Sun Microsystem.


Broken Java installers for JDK 6u27 (64 bit), screwed up Java 7 features and possibly Java 8, undemocratic on the JCP board....


Wednesday, August 10, 2011

A Cohesive Linux Desktop Required


Agreed with that article. Many tried and failed to bring Desktop Linux into popularity because of the lack of a unified framework or consensus on the Desktop Linux. Linux Foundation could anchor such a unified project and set a single standard and get all the other Desktop makers like Gnome, KDE, XFCE ... to follow it through. OEMs and companies need to cooperate and not be blinded by personal profits and sabotage the community or others. The spat between Ubuntu and Gnome on their flagship Desktop (Unity and Gnome 3) was an example of inter-sabotage where it simply weakens the Desktop Linux as a whole instead of unify it.

Recently, Linus Torvalds have shunned KDE and Gnome whom are the two major Desktop makers for Linux for a good reason. Their applications and desktop are simply irritating to operate. I have been using Ubuntu 9.10 based desktop theme and refused to upgrade to the Gnome 3 or Unity Shell for the reason that both of these desktop themes are not going to be friendly and I would have to relearn them for a while. Despite me upgrading the Operating System to Ubuntu 10.10, I simply refuse to upgrade or change the desktop itself and am very hesitant as I am concerned about the breaking of applications using the new themes.

Linus Torvalds could spearhead the Desktop Linux and under his banner and Linux Foundation's I am pretty sure many people and companies would gather together and create a unified framework for Desktop Linux and make Desktop Linux a lesser pain in the near future and promote Desktop Linux.

Linus Torvalds and Linux Foundation have the influence and reach to create this change and unify the Desktop Linux together. They should start making it happen.

Tuesday, August 9, 2011

Sunday, August 7, 2011

Doomed for Insecurity

I was attempting to explain the importance of computer security and the use of password managers instead of writing down passwords. I made a password manager called PasswordStore with the aim of simplifying usually complex password managers to become easy to use. 

PasswordStore is actually really simple and mostly self sufficient and the setup procedures are near to none except stating your username and password you prefer on the first use.

No matter how I try to convince others the use of NOT WRITING DOWN PASSWORDS ON PAPER AND LEAVE IT IN PLAIN SIGHT, there are always people who would always want to write down their passwords and NOT PROPERLY PROTECT THEIR PASSWORD PAPER.

Besides the password cases, there are always people who are ignorant to security despite warnings. A few of the examples are listed below:

  • Leaving computers not locked (lock screen) when going to somewhere else.
  • Sharing / lending passwords for sensitive accounts (e.g. emails, web portals ...etc).
  • Installing suspicious looking programs despite warnings.
  • Willing to leak personal information on social sites.
  • Belittle the consequences of their accounts being compromised.
Above are the few scenarios I met of people who are hard-headed in their ways towards computer security. I believe most people bare the same attitude to a good extend. If such attitudes are applied into a larger context (organisations and companies), it would invite attention from hackers. The "ordinary" people who would love to persist in such attitudes of continuing their ignorance to security would also invite troubles from hackers and law enforcement agencies (when the hacker implanted a backdoor into their computers and have "zombied" their computers to attack or help attack someone else).

Such whom are ignorant and continue to be ignorant to security truely deserves the doom and trouble they have asked for by their ignorant attitudes.

Saturday, August 6, 2011

Killing Freedom: No Tether


I believe this is not the first article I wrote against the restriction of tethering implemented by carriers, some possible phone makers and Google. The idea of most people is, I paid for the 3G / 4G connectivity and why couldn't I use the money I spent for my 3G / 4G connectivity to browse the Web better by linking it to a machine like a laptop that have more functionalities and a bigger screen than a pathetic small screen of my Android phone ?

Why should a users NOT be able to use the 3G / 4G plan he signed up for at his own disposal as long as he paid his bills dutifully and on time ? After all, he signed up for the data plan with his own hard-earned money.

One conclusion I can think of for the carriers is that they want more money thus they would love to force people to sign up for more data plans and restrict tethering to provide connectivity. The manufacturers and Google wanted to have a good relationship with the providers and keep their friendship, thus allow themselves to be subjugated to the whims and wills of carriers.

How open is Android ? Open to a good amount but many parts of Android are NOT OPEN

Note: My definition of "open" meant that users have absolute control of what they want to do out of the box. To be considered "open", the user must be able to root and tether without much problems and restrictions. The use of hacking as a way to bypass restrictions to tether or root with the fear of consequences is NOT OPEN.

Rethinking Bad Perceptions of Java Speed for Financial Trading


Interesting article. This should kick start people's views and curiosity to rethink the "C/C++ is better and faster than Java for finance critical engines" prejudice. Such prejudice have existed but the truth is Java had always been showing consistent results of matching the speed of C/C++ or even better than C/C++ itself.

The idea that a cross platform language that uses classes and byte codes as being slower than the "bare metal C/C++" for speed because they are closer to the native interfaces and systems can sometimes be flawed.

Please THINK THRICE AGAIN before commenting about the C/C++ vs. Java speed competition.

Friday, August 5, 2011

All About Perception


To make it easier so, I have linked the XKCD image here via it's URL.

It's true that different people perceive different things. It's really all about how people perceive and draw their views from a single message.

Java Governance in Shambles


It is sad to see Oracle misusing, abusing and not even giving Java a second thought and shipped a Java 7 out of their doors knowing of a major bug in it.

The governance of Java in the hands of Oracles only causes JAVA TO FALL INTO SHAMBLES !!!

As a developer using mainly Java, I am sad to see how Java is treated. Oracle refused to give-in and heed the community and soon Java simply becomes more badly governed and more troubles would arise from it.

A good backup for any developer / programmer is to have a backup language in an event your main language simply sucks (Java for my case.... and I am now learning abit of other languages to pick a backup language to move over abit).

Thursday, August 4, 2011

Civilian Spy Drones


This is cool but what would the implications be ?

Proprietary Madness


The state's attempt to help the people got intercepted in the name of market and proprietary, individualistic, selfish interests.

When you are famous


You get that when you are too famous. Who wouldn't pass a chance to stoop so low ?

Real Names Online


There are people who do not mine their names and privacy be exposed to everyone else in the public but there are people who value privacy more than those who don't. Give those who value privacy, a thought for them. Protect their identities.

One thing I never liked nor understood about social media technologies like Google+, Twitter, Facebook, LinkedIn...etc... they simply DO NOT RESPECT YOUR PRIVACY AND COMPROMISE THEM INSTEAD. They do not protect their databases sufficiently as we have seen many leaked user credentials from compromised social media website databases. You may not mind your accounts becoming compromised but you would inevitably allow your compromised accounts become stepping stones that leads to compromising other accounts and systems (think of password reuse as an example).

Quoting Randi Zuckerburg saying:
I think anonymity on the Internet has to go away. People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.
I don't think that's a good way though. Why not remove login functions, remove security protocols and just let people in ? That's the same idea. We need some privacy. We need some locks to secure ourselves and our assets. We want to protect ourselves. Names can and have been forged. People have used other's name to create accounts for malicious users to frame and shame their victims. It's inevitable that the use of "real names" is flawed from the start unless some international mechanism is assigned and ensured each individual is who they are (and assuming the design have not a single technical flaw - which is impossible). 

If privacy and security are not respected and properly implemented and something happens, it's really hard to tell what exactly happened.

Therefore concluding....


Wednesday, August 3, 2011

DBS iBanking Weak Crypto

I noticed that DBS Bank uses the 3DES_EDE_CBC encryption algorithm for their Internet Banking web portal. 3DES / Triple DES / TDEA effectively only use a 112 bit key and this is a very weak key. 

3DES is simply three DES put together to lengthen it's key (Wikipedia). The EDE mode stands for Encrypt-Decrypt-Encrypt mode to be backwards compatible with systems only supporting normal DES. In the EDE mode, encryption would be done to the data, then the encrypted data would be decrypted again and finally encrypted one last time. This meant that the first encrypt and decrypt would simply be nothing as they already encrypted and decrypted each other. Only the final single encrypt had it's effect. Now, thinking back on EDE, isn't it as good as a DES (not 3DES) encryption since it is made compatible to normal DES but with probably a longer key only ?

Recently John the Ripper found a way to reduce the time taken to handle a DES encryption / decryption by 17% in their news email ( which meant that the time taken to crack DES would also be 17% shorter.

DES have been designated as a very weak encryption algorithm not good for protecting any sensitive information as it could be easily cracked with the computing powers of modern computers and improvement in the algorithm by the John the Ripper team.

All in all, 3DES is a weak encryption algorithm which can be fairly easy to crack and the 112 bits key length is rather short.

For a renown bank to use 112 bits 3DES_EDE_CBC is a very bad option simply for the weak algorithm, short key length and EDE mode. At least a 128 bit key length should be appropriate for basic security and for banking and financial institutions that require high security, a 256 bit key length is the least they could offer. An AES 256 bit algorithm for SSL is commonly in used these days and they are common. Camilla 256, IDEA, RC 4 and many other better algorithm than simply a weak 112 bits 3DES_EDE_CBC

Below is the screen shot image to proof my point.

At least use a stronger and more decent algorithm, DBS bank.

Sunday, July 24, 2011

Saturday, July 23, 2011

Google going for the $$$$


Closing down Google Labs just for profits? Pretty shortsighted I guess. 



There is simply really too much alternative JVM languages to choose from... to the point people like me who is interested in learning an alternative JVM language have great difficulties figuring out which to start first. Therefore, my decision currently would be to completely ignore learning anymore new JVM languages and simply stick to my usual Ruby (currently learning) and Java language I currently know.

The decision to stick to Ruby is because JVM supports JRuby and Ruby is rather well known nowadays. Ruby's syntax is interesting to me as well.

Knowledge is Illegal


Knowledge is dangerous... knowing too much... is bad. That is the view point of those who want to preserve their exclusive rights to knowledge and none other.

Paypal joins the Justice League


It wouldn't be a surprise to me that Paypal would join up with the other "Justice League" members in an attempt to weed out "baddies". Hypocrisy is rampant. Supposed "Justice" and "fighting baddies" is a denial of the reality of the situation and to only use a narrow and shortsighted. 

Websites need to be free from control. Such an arrogance to "starving the baddies till they snuff out".

Thursday, July 14, 2011

Ban common password for security


Hotmail's idea isn't really a bad idea but the problem is with the users after all. If the user wants to be careless, there isn't anything to stop them being careless. Banning common passwords would simply add a bit more security only and is nothing radical enough to push security levels up another notch.

Monday, July 11, 2011

A Loser's Whining


Losers are always losers. When they fail, they simply pull out stupid stuns to attempt to even up the game. Little do they know of the word "INNOVATION". Apple did well innovating the iPhone in the beginning but when Google's Android showed them that they can beat Apple, Apple whine about and pull patent threats at manufacturers like HTC. They lost their innovation along time ago and could only cry about with patent battles.

If you see a competitor doing better, find a way to beat the competitor's products like a real man.

Those who exploit VLC


Beware of the below companies who exploit VLC for their own gains and possibly violating the GPL license VLC is released under from
  •  (WORST !!!)
  •  (WORST !!!)
  •  (WORST !!!)
Such behaviours are very underhanded, cheap and possibly illegal. They only spoil VLC's good name and reputations.

Sunday, July 10, 2011

Secure Internet's Faltering Dreams


Many of the insecurities are human errors rather than computer errors. You could only engineer a system to a certain level for security and the rest of the system depends on the human operator for it's security.

Let's take for an you are accessing a website that runs over HTTPS and is secured with 256 bit Camilla or AES or whichever you fancy as the most secure algorithm with a SHA1 checksum (supposedly the most common secure algorithm for message digest). There is a small form to win an electronic prize and you decide to enter your credentials into that form on a secure page. A few days later, you noticed your email box is not yours anymore and "visits" from telemarketing people become more irritatingly frequent. Who do you blame ? Usually people would blame that "secure website is insecure". The reason the website is "insecure" is because you have decided to betray yourself and reveal your personal credentials to some unknown form you have no idea if it's secure or not.

Creating a second secure internet would be very expensive on anyone's resource without a doubt. The main problem is human errors and issues which computers could not replace and a computer solution is intended to solve fundamental human problems (e.g. willingly accessing insecure webpages) which the computer have no final say over it.

The main solution for Government networks and computers is to really really test and ensure the worst cases could be handled, segregated roles and trust levels using Mandatory Access Control in a very well designed way whereby a breach in a particular level would not affect everyone. Frequent planned live penetration testing (including surprise checks) should be taken into serious consideration and carried out.

Contractors to National Defense and Security related should be accessed thoroughly and to be tested frequently to ensure meeting of agreed National Standards and ensure those contractors know what they are talking about and could meet the agreements and contracts they have agreed upon to deliver or punishments to be handed out to them according to the Law and contracts they have signed.

The total removal of rights to have privacy would meant that operators of the secure domains are equally susceptible to such terms and users could turn around and want to proof the operator of the domains. 

Many of the cyber crimes are committed because users simply trusts all websites and the huge problem is with server side security. You can have a secure HTTPS or SSH connection but your servers cannot proof themselves and have weak or no security at all. RSA's hack is a very good example of an insecure database where attackers could waltz in and claim what they want. HBGary's hack is another classic example of an insecure mail server. The major problems are with the server side, not the client side. The client side have always been subjected to scrutiny by IDS, IPS, Firewalls ...etc... it is time for the server to prove themselves as well. Most users would not really notice "" and "". The "l" was replaced by a "1". It looks the same but the ASCII value is different and thus, the traffic would go to a probably malicious domain.

Everyone needs privacy and it's a basic need of everyone. If these basic needs are not meant, the walled garden of a secure domain would have little visitors and more insecurity as more people prefer to go by the "insecure" route if they could avoid being searched electronically. This would spike up the number of cyber attacks on users and the resources spent on building those walled garden with the intend to provide safe haven would not be used and thus a waste of resource.

The Internet was not designed with security in mind during the beginning phases and it's a fact we must live with. It is better to have our own freedom then to be submitted to some absurd electronic pat down or checkpoints and to surrender all our freedom.

Whoever proposed this idea had the same absurd Security Theater implemented on the US checkpoints and US Defense and Security. Security Theater WILL NOT WORK unless properly implemented.

Oh ... did I forget to mention the TSA officer who stole electronic gadgets from passengers ? How can anyone trust the officials these days when they are not upright themselves ?

Friday, July 8, 2011

IM Statuses and You

Interesting article on the behaviors and etiquette of IM statuses. I always find it irritating if I can't exactly know a person's IM status to contact them at the right moment.

Wallets And Cash Exists In 2015


I wouldn't trust my mobile device or computer to handle every single monetary decisions for me. I want to control my own money, not the computers and devices. We have seen enough of iPhones being broken, keys from the iPhones being discovered, Android phones susceptible to malware, Governments trying to have a sneaky hand in all things .... 

Remember Paypal rejected payment and donations for Wikileaks ?

What if you put all your eggs in a single basket (rely on bringing out your smartphone as a wallet) and something happens to that smartphone ? It's OS crashes and hangs ? It ran out of battery ? Accounts got hacked big time ? How are you going to pay after you had your meals in a restaurant if your phone had those crazy things happening ?

I would rather bring some cash along. Putting your money in one place is asking for trouble. When systems and things break, you are left with nothing on hand to help you out.

Smartphones as wallets by 2015 ? NO WAY !!!! I don't trust the technology. I don't trust the company and people. I don't trust putting all the eggs in a single basket. I trust myself more than them.

Don't forget, Paypal's spreading this myth to encourage more people joining them and giving them money because they are in the electronic money transfer business and if everyone uses only a smartphone as a wallet, they would have lots of businesses to do (not just them). This is simply a money making ploy.

Trust Not The TSA


Now does anyone trust TSA anymore ? It's just one of the many cases. 

Failed Amazon Patent Trolling


Another failed patent trolling and this time it's Amazon. One-click payment is very common these days so don't bother to patent it as we can see, Amazon tried and failed to patent it. Good job for the EPO.

Thursday, July 7, 2011

Handling Searches By Authorities


Very useful tips for protecting yourself against unreasonable searches and coercion to contradict your privacy and confidentiality.

Cincinnati Bell Provides Android Update


Glad to heat that a cell phone carrier is self-motivated enough to do it's customer's a favor by pushing down an Android custom  ROM update when Motorola doesn't seem to care about their customers at all. Well done Cincinnati !!! :D

Wednesday, July 6, 2011

Google Internet Cenorship


For such practices and acts, the FCC and EFF should look into and investigate the actions of Google. If such acts violates the rights of the people, Google should be brought to justice and charged with the appropriate charges and face federal punishments. Such acts of censorship is against the spirit of Freedom of  Speech and is an act of controlling people's search information.

More anti-trust probes should be launched at Google to ensure it is operating within legal limits and not overstepping it's boundaries.

Microsoft Demands Samsung to Pay for Android


Microsoft could not do well in their Windows Phone business and now they start to collect protection fees. This is some behavior of a gangster, mafia or mobster gang in legal disguise attempting to not hide hypocrisy.

Tuesday, July 5, 2011

Do Not DES


DES and 3DES SHOULD NOT be used in these days as we all know that DES is simply not going to provide a very strong encryption algorithm these days. With this improvement to John the Ripper, I think that DES and 3DES should not be touched anymore and left to some Cryptology museum or some education on history of Cryptology and designs of early computer encryption standards.

AES (especially 256 version), Serpent, Twofish and if the situation is really really constrainted, you may use Blowfish (not advisable these days). These algorithms are known standards. Camilla algorithm is another one you may consider and it is currently gaining popularity and a growing community.

Monday, July 4, 2011

VSFTPD Backdoored


This is a very bad security mismanagement on the source code part. How did a backdoor slip into the master branch of the source codes ? No clues were given for now.

The main lesson for the day, always check the GPG signature file. ALWAYS !!!

Oracle's Patents Invalidated


It's interesting to note that the USPTO had to invalidate so many patent claims (24 of them) from Oracle. Why wasn't the patent application rejected before being approved ? If the patent vetting processes were carefully controlled, USPTO would not need to invalidate so many patents and the dispute between Oracle and Google may not have had any ground to begin with in the first place.

How efficient is the USPTO's patent vetting process, now we have seen some light of our own.

For Google, it would be great news that the 24 patent claims hold no grounds anymore as the USPTO invalidated all 24 of them.

Oracle would definitely be very upset and may try it's best to blow things up and make things worse as Oracle lost all 24 patent claims in one go and which corporation would sit back and allow all 24 patent claims it is using in a patent dispute lawsuit to be invalidated ?

The battle between Google and Oracle would be more heated and interesting to watch and for now, Google have the definite advantage on it's side.

Who are pirates


Seems to me like the real pirates are the US and UK government who think that they can continue with their tyranny across the globe, trying to subjugate other governments to extradite people not within their jurisdiction and not within sound policies or reasons.

What the World needs right now is an open world that is devoid of such tyranny of a handful of bullies on the international stage. Websites or online resources that are clearly not within their jurisdiction of care, the US and UK government would by all means try to interrupt via politics and foreign affairs coercion of other nations.

From the above article, it's safe to say that US servers and hosting are guaranteed not safe anymore (US was considered a safe haven for hosting but isn't anymore). People should simply move their server hostings and resource hosting out of US to other countries that respect freedom of rights and obviously to encrypt and properly protect their servers.

The current internet structure that relies on centralized Domain Name Servers that are mostly within the controls of the US government is a huge mistake. 


A Distributed DNS should be pushed out as soon as it's stable and ready for use to break off dependencies from centralized DNS Servers controlled by tyrannical regimes like the US, UK and France - whom do not respect the basic rights of all humans that the UN just declared (UN declared the free access to the Internt as a basic rights).

Friday, July 1, 2011

SecurID and new pseudo security


Anyone can invent any new methodology or technology to provide protection and security. For SecurID's case, it's the compromised servers that is the root of the issue instead of the SecurID authentication itself. You can create some new authentication or whatever protection mechanism but it relies on a server. All it needs is the server to be compromised yet again to see the same issues re-surfacing.

What RSA and SecurID inventor should do is to really look into securing the backend first as the main issue have always been insecure servers holding really important information in a highly insecure and careless way.

Ensure proper administration, C2 auditing enabled and reviewing of logs , encryption of information on all servers, assignment of rights and roles, seperated domains so that if a small domain of secured data gets compromised, it won't spread the impact across and finally re-evaluate your servers and staff efficiency frequently and conduct frequent penetration testing.

Data encrypted on databases on the backend should usually be done whereby an encryption secret key is responsible for a small small group of data it needs to be secured. So in an event of an attack, a compromised key would not compromise other keys (if the keys are secure de-linked and made unpredictable from one another).

The master key for encryption should be made up of more than 2 person's encryption secret key (bosses holds the secret keys). Imagine it's like a nuclear launch silo where you need many keys to be turned together to launch a nuclear missile. This would give more security. The master keys should be seperated from each other whereby if one key is compromised, it doesn't affect the others and can be regenerated

Last but not least, make sure the roles and administrative privileges are properly administered whereby power is not consolidated in one person's hand.

Wednesday, June 29, 2011

Don't trust a device


Any thumbdrive / USB flash drive / USB flash stick you found is not automatically danger-proof. There are known incidents whereby the manufacturers themselves have faulty systems that introduce the malware / viruses ... into the thumbdrive / USB flash drive / USB flash stick during the time of manufacturing the product. Treat all devices with suspicion. Disable the auto-run feature and always scan the device before using if it's not a device you trust and own. For more paranoid measures, regardless of any device, simply scan them (even your own trusted devices).

Tuesday, June 28, 2011

LulzSec Goodness


I agree that LulzSec's attacks shouldn't be taken into view in a one sided manner. It has the good points of exposing many of the "supposedly security and unbreakable" notions we have. It's a good and much appreciated wake-up call LulzSec have done. Only fools would simply deny it and be afraid of the truth.

Flash to HTML5 Converter


Apparently, Google just released a Flash to HTML5 Converter for test, called Swiffy. Smokescreen, a Flash to HTML5 Converter existed for a while before Swiffy existed. It wouldn't be a surprise to see more Flash to HTML5 Converters to spring out to attempt to allow Flash objects to be accessible on non-Flash supporting platforms (e.g. Apple iOS) in a HTML5 form.

Facebook kill KDE uploads


Relying on Facebook is not only a huge security flaw in itself, Facebook is not trustworthy in it's services because they can go around playing with your photo uploads as and when they like.

Monday, June 27, 2011

Spying on Skype


As always, do not trust others until you have confirmed it is secure. I have never simply trusted something and including Skype. Legal intercept is simply a good excuse. It's the same as key escrows and we have already known from history, it's easier to have a backdoor than to try and fight a protocol itself. Another new item to distrust completely, Skype. Because it's closed sourced, it's a walled garden and now the owner wants to add eavesdropping for "legal" uses. Who knows which employee would have some fun sitting behind their desktops and making jokes on intercepted Skype conversations and posting funny calls on the Youtube for all to have fun and merry ?

Friday, June 24, 2011

Tech vs Recording


This is going to be a rather rough battle as high tech investors and industries battle it out with the recording and movies industry to debate on their the PROTECT-IP bill that is suppose to "protect" their rights. Seems like the US Government is determined to 'kowtow' to the recording and movies industry.

Thursday, June 23, 2011

Dropbox Fatal Error


The above would cause the following:
  1. Reduced Confidence
    1. In Dropbox security management
    2. In Dropbox service as a whole / Integrity of Service
  2. Possible Lawsuits Against Dropbox
  3. Less users
  4. Opportunity for rivals
Honestly, I have never trusted Dropbox security as a whole. There has been a lot of complains out there and no matter how much Dropbox tries, security on the Cloud is still in it's early stages and there are room for improvements. A lot of room for improvements and also a lot of room for errors. If I want to get something to someone or store something online, I WOULD ALWAYS ENCRYPT MY DATA FIRST and not wait for Dropbox or some service.

What's the use of double layered encryption / protection ? In this context, if the provider is not trusted, you can save yourself a ton of trouble with the encryption / protection you have done on your own. If the provider of service is really that good, then you are extra safe.

Do not think that no one would get at your data. Recent hacks into email servers and consequently leaks of huge chunks of compromised email servers shows us one thing, even within a private environment, there needs to be some sort of safety measure to take into consideration the possibility of compromised servers and machines and consequently leaks. If the data are well protected... truely well protected with really good security done on it, then, the risks of leaking data are far lower.

So how do you protect yourself, use a file encryption program to encrypt the files you want to put onto Dropbox. If you want your files to be portable across different platforms using Dropbox (including mobile platforms), you may want to employ the help of creating an encrypted compressed archive (e.g. AES encrypted ZIP via WinRAR or 7zip) and install some zip program on your mobile platforms which can handle the encrypted compressed archives.