Wednesday, June 29, 2011

Don't trust a device


Any thumbdrive / USB flash drive / USB flash stick you found is not automatically danger-proof. There are known incidents whereby the manufacturers themselves have faulty systems that introduce the malware / viruses ... into the thumbdrive / USB flash drive / USB flash stick during the time of manufacturing the product. Treat all devices with suspicion. Disable the auto-run feature and always scan the device before using if it's not a device you trust and own. For more paranoid measures, regardless of any device, simply scan them (even your own trusted devices).

Tuesday, June 28, 2011

LulzSec Goodness


I agree that LulzSec's attacks shouldn't be taken into view in a one sided manner. It has the good points of exposing many of the "supposedly security and unbreakable" notions we have. It's a good and much appreciated wake-up call LulzSec have done. Only fools would simply deny it and be afraid of the truth.

Flash to HTML5 Converter


Apparently, Google just released a Flash to HTML5 Converter for test, called Swiffy. Smokescreen, a Flash to HTML5 Converter existed for a while before Swiffy existed. It wouldn't be a surprise to see more Flash to HTML5 Converters to spring out to attempt to allow Flash objects to be accessible on non-Flash supporting platforms (e.g. Apple iOS) in a HTML5 form.

Facebook kill KDE uploads


Relying on Facebook is not only a huge security flaw in itself, Facebook is not trustworthy in it's services because they can go around playing with your photo uploads as and when they like.

Monday, June 27, 2011

Spying on Skype


As always, do not trust others until you have confirmed it is secure. I have never simply trusted something and including Skype. Legal intercept is simply a good excuse. It's the same as key escrows and we have already known from history, it's easier to have a backdoor than to try and fight a protocol itself. Another new item to distrust completely, Skype. Because it's closed sourced, it's a walled garden and now the owner wants to add eavesdropping for "legal" uses. Who knows which employee would have some fun sitting behind their desktops and making jokes on intercepted Skype conversations and posting funny calls on the Youtube for all to have fun and merry ?

Friday, June 24, 2011

Tech vs Recording


This is going to be a rather rough battle as high tech investors and industries battle it out with the recording and movies industry to debate on their the PROTECT-IP bill that is suppose to "protect" their rights. Seems like the US Government is determined to 'kowtow' to the recording and movies industry.

Thursday, June 23, 2011

Dropbox Fatal Error


The above would cause the following:
  1. Reduced Confidence
    1. In Dropbox security management
    2. In Dropbox service as a whole / Integrity of Service
  2. Possible Lawsuits Against Dropbox
  3. Less users
  4. Opportunity for rivals
Honestly, I have never trusted Dropbox security as a whole. There has been a lot of complains out there and no matter how much Dropbox tries, security on the Cloud is still in it's early stages and there are room for improvements. A lot of room for improvements and also a lot of room for errors. If I want to get something to someone or store something online, I WOULD ALWAYS ENCRYPT MY DATA FIRST and not wait for Dropbox or some service.

What's the use of double layered encryption / protection ? In this context, if the provider is not trusted, you can save yourself a ton of trouble with the encryption / protection you have done on your own. If the provider of service is really that good, then you are extra safe.

Do not think that no one would get at your data. Recent hacks into email servers and consequently leaks of huge chunks of compromised email servers shows us one thing, even within a private environment, there needs to be some sort of safety measure to take into consideration the possibility of compromised servers and machines and consequently leaks. If the data are well protected... truely well protected with really good security done on it, then, the risks of leaking data are far lower.

So how do you protect yourself, use a file encryption program to encrypt the files you want to put onto Dropbox. If you want your files to be portable across different platforms using Dropbox (including mobile platforms), you may want to employ the help of creating an encrypted compressed archive (e.g. AES encrypted ZIP via WinRAR or 7zip) and install some zip program on your mobile platforms which can handle the encrypted compressed archives.

Wednesday, June 22, 2011

Apple vs Amahi

Absurd for Apple to try to pick on Amahi. Wonder what the true motive is ? By making this move, Apple is actually trying to give an impression it may not want, which is, Apple is targeting the Open Source community (by picking on Amahi) which can be an accidental impression.

Apple needs to trod on this issue carefully or it would find itself isolated and flamed by the Open Source Community.

Tuesday, June 21, 2011

Sloppy Firefox 5 Usage

I decided to download Firefox 5 for my Ubuntu and test it's beta out after hearing the features despite it's horrendous history of crashing (especially with Flash plugin) and non-backwards compatibility of some plugins I wanted to preserve for use.

I extracted the downloaded "tar.gz" compressed file into a "firefox-5" folder and tried to run the "" and "firefox" shellscript but both failed to load Firefox 5. I checked the README and thought I was missing something out and lo and behold .. the README was CRAP... below is the entire readme text:

For information about installing, running and configuring Firefox
including a list of known issues and troubleshooting information,
refer to:
This is unbelievably sloppy of Mozilla team. I have long wanted to migrate away from Firefox to some open source browser like Google Chrome or maybe Chromium browser (hopefully without much of Google's reach inside it) and would be looking forward to moving away from Firefox for good.
Firefox have always left a bad after taste and I would say that my short experiences with IE 8 was surprisingly pleasant and far better than Firefox despite IE 8 is one of the most hated browsers out there. 

Firefox is slowly slipping to become the IE 6 and probably if IE continues to work well on open standards, adopt a robust WebGL, beef it's security, probably open source itself and release a Linux version, I would consider it for some test.

I wouldn't be interested in Firefox 5 any sooner after this horrendous experience. By the way, I went to the webpage as specified in the README and I simply got totally confused by the amount of data the webpage has. 

Another problem is Ubuntu doesn't push down a Firefox 4 upgrade and simply upgrades the Firefox 3.6 variant. If Ubuntu pushed a Firefox 4 upgrade (I am using Ubuntu 10.10 as I am skeptical of 11.04) and Firefox were to fix backward compatibility of plugins, I would seriously consider using Firefox.

Good bye, Firefox 4 and 5.

Edit: I realized the version of Firefox 5 I downloaded was the final version. It seems like Mozilla simply pushed out Firefox 5 after 4 just within 3 months. I wonder why they are in a rush to skip from version 4 to version 5 ?

Crypto Hash Lifecycles

Interesting view on how people usually react to cryptographic hashes that are about to be broken or broken.

Sunday, June 19, 2011

Thursday, June 16, 2011

Bitcoin Wallet Heist

I am not a Bitcoin user but I have been contemplating on getting one for a long time. Upon hearing this virtual currency heist, I felt that Bitcoin could make do better with physical data files security that are hosted in a user's computers besides network based security and transaction integrity.
A suggestion would be always maintaining a password protected wallet file (wallet.dat) that contains important cryptographic keys and information about a user. The wallet.dat should always be encrypted in all scenarios and the data from the wallet.dat should only exist in decrypted form in the memory when the file is read to memory for computational uses (the user must manually enter a password to decrypt the wallet.dat for all instances of use to provide more security despite inconveniences). At all times, the wallet.dat should exist as encrypted form on disk.

To step up security by another level, the wallet.dat could enjoy heightened security by using the BMICS (Project SECFILE) protocol to securely protect the data files on disk. In an event a hacker managed to gain access to the user's computers, the BMICS protected data file on the disk (strong encryption and proper procedures must be applied) would add another layer of protection to the wallet.dat besides simply encrypting the file as fake data can be planted into BMICS file formats to confuse attackers without knowledge of the actual keys and algorithms.

Apple's Anti-Camera Technology

Restrictions always comes with more problems and more complex issues. What if, a malicious user were to misuse the technology Apple developed to disable cameras on iPhones and other possible iDevices for their own benefits and managed to compromise the iOS via some compromised coded messages in the laser ?

Extradition to US for Copyrights without Guilt

This is totally ABSURD in all sense. What is the EU and the British Government doing to protect their own citizens from being abused by Big Bro trolling around asking for extradition to the USA ? The EU and British Government should protect their citizens from Big Bro's bullying and trolling. 

Stand up against these tyranny !!!

Wednesday, June 15, 2011

Android Insecurity

It's not surprising that any platform have vulnerabilities. The more famous a platform is, the more scrutinized and the more vulnerabilities it has. The problem is not with the open source nature of Android which enables the vulnerabilities as malicious developers could easily get their hands on Android's source codes and write malicious applications.

The problem has many complications in my opinion. Firstly, there is no known incentive for hunting bugs like what Google Chrome browser has. Despite the sandboxing and permissions that Android have, people simply don't even know anything about permissions and they simply agree to allow all required permissions for the app they wanted to install regardless of the consequences. Google needs to make the permissions much simpler for lay people.

We have no idea about the actual working situation when a piece of application is submitted for review before uploading to the Market Place but from the current situations, there are tainted applications that have made it pass to the point it gets uploaded onto the Market Place successfully and pass inspections by Google.

The fragmentation of the Android Market Place is another huge problem. Other Market Places may have less stringent to no checks on the applications and some Market Places may not be safe at all and have other unknown motives. Google need to address this issue by releasing an official API to access it's Market Place, set known standards for checking of applications and to approve each Market Place as being standard compliant to it's standards. Releasing a Google Market Place API would appease the user's frustration of not being able to write applications to access the Market Place for other device platforms and therefore, may slow down the amount of new and inexperienced (and even potentially dangerous) Market Places from appearing.

There are many more problems, known or unknown. The above are some well known problems that I have touched on.

Saturday, June 11, 2011

RSA Shot In The Head


Seems like RSA's SecurID and systems are compromised and not trusted anymore. A better, more resistant system, needs to be in placed to handle such situations. It took RSA a long time to acknowledge their mistakes. 

Anti Freedom


That's a sad and obvious case of pure hypo-criticism that we are facing these days.

Engineers Who Lie

If you are going to create a system and pretend it's secure when it isn't, you would simply be better off without any security since it's as good as insecure. Always make sure, very damn sure, that your system is really that secure before you call it secure.

For hosting or distributing secure software in countries that do not permit, you are better off using torrents with seeds in permissible countries or direct downloads in permissible countries with laws protecting freedom and rights of secure software usage.

Loving LulzSec

LulzSec simply lifted up the rugs of Sony and there we are, finding so much holes in their "secure" system.

Wednesday, June 1, 2011

Giving up OpenOffice

Finally Oracle saw some light and decided that OpenOffice could not be continued to be under their governance and had to be given to the community (by handing it over to Apache Foundation). That's one good move but it's way too late. Better late then never.

Edit: Curious, why didn't Oracle simply hand over the rest of OpenOffice to The Document Foundation which already have huge community support and have been working on LibreOffice fork for a long time, whereas, Apache hadn't done much on OpenOffice ?