Well, this is how insecure zippers are. They were not made for security in the first place.
Saturday, July 30, 2011
Friday, July 29, 2011
Tuesday, July 26, 2011
Another dent in Oracle's Java Suit
Read:
- http://www.osnews.com/story/24989/Sun_CEO_Explicitly_Endorsed_Android_s_Use_of_Java
- http://www.groklaw.net/article.php?story=20110723095928839
There goes another dent in Oracle's Java patent trolling....
Sunday, July 24, 2011
A Phone of A PC
Read:
The distinction between a mobile / cell phone and a PC blurs. Now you can run a Windows 7 Home Premium in 32 bits on a phone and you can switch into phone mode with a push of a button. What's next ?
Saturday, July 23, 2011
Google going for the $$$$
Read:
Closing down Google Labs just for profits? Pretty shortsighted I guess.
JVMLanguageOverflowException
Read:
- http://www.h-online.com/open/news/item/JetBrains-produces-another-Java-alternative-1284309.html
- http://confluence.jetbrains.net/display/Kotlin/Welcome
There are simply too many alternative JVM languages to choose from... to the point that people like me, who are interested in learning an alternative JVM language, have great difficulty figuring out which to start with first. Therefore, my decision currently would be to completely ignore learning any more new JVM languages and simply stick to my usual Ruby (currently learning) and the Java language I currently know.
The decision to stick to Ruby is because JVM supports JRuby and Ruby is rather well known nowadays. Ruby's syntax is interesting to me as well.
Knowledge is Illegal
Read:
- http://science.slashdot.org/story/11/07/22/2254204/Release-of-33GiB-of-Scientific-Publications
- http://yro.slashdot.org/story/11/07/19/1839237/Aaron-Swartz-Indicted-in-Attempted-Piracy-of-Four-Million-Documents
- http://blog.demandprogress.org/2011/07/federal-government-indicts-former-demand-progress-executive-director-for-downloading-too-many-journal-articles/
- http://bits.blogs.nytimes.com/2011/07/19/reddit-co-founder-charged-with-data-theft/
- http://www.theregister.co.uk/2011/07/19/harvard_fellow_indicted/
- http://www.osnews.com/story/24968/Internet_Activist_Charged_in_MIT_Data_Theft
- http://arstechnica.com/tech-policy/news/2011/07/swartz-supporter-dumps-18592-jstor-docs-on-the-pirate-bay.ars
- http://arstechnica.com/tech-policy/news/2011/07/reddit-founder-arrested-for-excessive-jstor-downloads.ars
- http://thepiratebay.org/torrent/6554331
Knowledge is dangerous... knowing too much... is bad. That is the view point of those who want to preserve their exclusive rights to knowledge and none other.
Paypal joins the Justice League
Read:
- http://arstechnica.com/tech-policy/news/2011/07/paypal-joins-london-police-bid-to-financially-starve-illegal-websites.ars
- http://www.ifpi.com//content/section_news/20110721.html
It wouldn't be a surprise to me that Paypal would join up with the other "Justice League" members in an attempt to weed out "baddies". Hypocrisy is rampant. Supposed "Justice" and "fighting baddies" is a denial of the reality of the situation and to only use a narrow and shortsighted.
Websites need to be free from control. Such an arrogance to "starving the baddies till they snuff out".
Thursday, July 14, 2011
Ban common password for security
Read:
Hotmail's idea isn't really a bad idea but the problem is with the users after all. If the user wants to be careless, there isn't anything to stop them being careless. Banning common passwords would simply add a bit more security only and is nothing radical enough to push security levels up another notch.
Monday, July 11, 2011
A Loser's Whining
Read:
- http://www.bloomberg.com/news/2011-07-11/apple-files-new-trade-complaint-against-htc-over-devices.html
- http://www.osnews.com/story/24935/Apple_Whines_about_Software_Patents_Some_More
Losers are always losers. When they fail, they simply pull stupid stunts to attempt to even up the game. Little do they know of the word "INNOVATION". Apple did well innovating with the iPhone in the beginning, but when Google's Android showed them that it can beat Apple, Apple whines about it and pulls patent threats at manufacturers like HTC. They lost their innovation a long time ago and could only cry about it with patent battles.
If you see a competitor doing better, find a way to beat the competitor's products like a real man.
Those who exploit VLC
Read:
- http://www.osnews.com/story/24934/VLC_Suffers_from_Companies_Spreading_Malware_Bundled_with_VLC
- http://blog.l0cal.com/2011/07/07/these-companies-that-mislead-our-users/
Beware of the companies that exploit VLC for their own gains and possibly violate the GPL license VLC is released under; the list comes from http://blog.l0cal.com/2011/07/07/these-companies-that-mislead-our-users/.
Sunday, July 10, 2011
Secure Internet's Faltering Dreams
Read:
- http://www.popsci.com/technology/article/2011-07/former-cia-chief-dot-secure-domain-could-curb-cyber-threats
- http://www.nextgov.com/nextgov/ng_20110706_1137.php?oref=topnews
Many of the insecurities are human errors rather than computer errors. You can only engineer a system to a certain level of security, and the rest of the system depends on the human operator for its security.
Let's take for an example: you are accessing a website that runs over HTTPS and is secured with 256 bit Camellia or AES or whichever you fancy as the most secure algorithm, with a SHA1 checksum (supposedly the most common secure algorithm for message digest). There is a small form to win an electronic prize and you decide to enter your credentials into that form on a secure page. A few days later, you notice your email box is not yours anymore and "visits" from telemarketing people become more irritatingly frequent. Who do you blame ? Usually people would blame that "the secure website is insecure". The reason the website is "insecure" is because you have decided to betray yourself and reveal your personal credentials to some unknown form you have no idea is secure or not.
Creating a second secure internet would be very expensive on anyone's resources without a doubt. The main problem is human errors and issues which computers cannot replace: a computer solution is intended to solve fundamental human problems (e.g. willingly accessing insecure webpages) over which the computer has no final say.
The main solution for Government networks and computers is to really really test and ensure the worst cases could be handled, segregated roles and trust levels using Mandatory Access Control in a very well designed way whereby a breach in a particular level would not affect everyone. Frequent planned live penetration testing (including surprise checks) should be taken into serious consideration and carried out.
Contractors to National Defense and Security related work should be assessed thoroughly and tested frequently to ensure they meet the agreed National Standards, to ensure those contractors know what they are talking about and can meet the agreements and contracts they have agreed to deliver, or punishments should be handed out to them according to the Law and the contracts they have signed.
The total removal of rights to privacy would mean that operators of the secure domains are equally susceptible to such terms, and users could turn around and want to proof the operator of the domains.
Many of the cyber crimes are committed because users simply trust all websites, and the huge problem is with server side security. You can have a secure HTTPS or SSH connection but your servers cannot prove themselves and have weak or no security at all. RSA's hack is a very good example of an insecure database where attackers could waltz in and claim what they want. HBGary's hack is another classic example of an insecure mail server. The major problems are with the server side, not the client side. The client side has always been subjected to scrutiny by IDS, IPS, Firewalls ...etc... it is time for the servers to prove themselves as well. Most users would not really notice the difference between "http://www.blogger.com" and "http://www.b1ogger.com". The "l" was replaced by a "1". It looks the same but the ASCII value is different and thus, the traffic would go to a probably malicious domain.
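As an added example (not from the post) of catching the "l" versus "1" trick on the defender's side, the Python below folds visually confusable characters into a common skeleton and flags a hostname that matches an allow-listed domain only after folding; TRUSTED_DOMAINS and the CONFUSABLES table are assumed, constructed values, and the function names are mine.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains the organisation actually uses.
TRUSTED_DOMAINS = {"blogger.com", "google.com", "paypal.com"}

# Constructed, deliberately small table of characters that look alike at a
# glance; each maps to one canonical letter so "b1ogger" and "blogger" fold
# to the same skeleton. (Unicode TR39 publishes a much larger list.)
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o", "5": "s", "8": "b", "6": "g",
})


def hostname(url_or_host: str) -> str:
    """Lowercase hostname from a URL or a bare host, without a leading www."""
    parts = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host)
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Fold a hostname to its look-alike skeleton: compatibility-normalise
    (fullwidth letters become ASCII), collapse two-character mimics, then
    map single confusable characters."""
    host = unicodedata.normalize("NFKC", host)
    host = host.replace("rn", "m").replace("vv", "w")
    return host.translate(CONFUSABLES)


def classify(url_or_host: str) -> str:
    """'trusted' for an allow-listed domain, 'lookalike:<target>' when the
    host only matches a trusted domain after folding, else 'unknown'."""
    host = hostname(url_or_host)
    if host in TRUSTED_DOMAINS:
        return "trusted"
    skel = skeleton(host)
    for trusted in TRUSTED_DOMAINS:
        if skel == skeleton(trusted):
            return f"lookalike:{trusted}"
    return "unknown"


if __name__ == "__main__":
    for url in ("http://www.blogger.com", "http://www.b1ogger.com",
                "https://paypa1.com/login", "g00gle.com", "example.org"):
        print(f"{url:28} -> {classify(url)}")
```

A mail gateway or proxy log review can run every link through classify() and alert on any "lookalike:" result before a user ever types credentials into it.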
Everyone needs privacy and it's a basic need of everyone. If these basic needs are not met, the walled garden of a secure domain would have few visitors and more insecurity, as more people prefer to go by the "insecure" route if they could avoid being searched electronically. This would spike up the number of cyber attacks on users, and the resources spent on building those walled gardens with the intent to provide a safe haven would not be used and thus be a waste of resources.
The Internet was not designed with security in mind during the beginning phases and it's a fact we must live with. It is better to have our own freedom than to be submitted to some absurd electronic pat down or checkpoints and to surrender all our freedom.
Whoever proposed this idea had the same absurd Security Theater implemented on the US checkpoints and US Defense and Security. Security Theater WILL NOT WORK unless properly implemented.
Oh ... did I forget to mention the TSA officer who stole electronic gadgets from passengers ? How can anyone trust the officials these days when they are not upright themselves ?
Friday, July 8, 2011
IM Statuses and You
Read:
Interesting article on the behaviors and etiquette of IM statuses. I always find it irritating if I can't exactly know a person's IM status to contact them at the right moment.
Wallets And Cash Exists In 2015
Read:
- http://www.winbeta.org/?q=content/paypal-predicts-end-wallet-2015
- https://www.thepaypalblog.com/2011/06/paypal-crosses-first-100-million-active-accounts-4/
- http://mashable.com/2011/07/08/the-future-of-mobile-payments-infographic/
I wouldn't trust my mobile device or computer to handle every single monetary decision for me. I want to control my own money, not the computers and devices. We have seen enough of iPhones being broken, keys from the iPhones being discovered, Android phones susceptible to malware, Governments trying to have a sneaky hand in all things ....
Remember Paypal rejected payment and donations for Wikileaks ?
What if you put all your eggs in a single basket (rely on bringing out your smartphone as a wallet) and something happens to that smartphone ? Its OS crashes and hangs ? It ran out of battery ? Accounts got hacked big time ? How are you going to pay after you had your meal in a restaurant if your phone had those crazy things happening ?
I would rather bring some cash along. Putting your money in one place is asking for trouble. When systems and things break, you are left with nothing on hand to help you out.
Smartphones as wallets by 2015 ? NO WAY !!!! I don't trust the technology. I don't trust the company and people. I don't trust putting all the eggs in a single basket. I trust myself more than them.
Don't forget, Paypal's spreading this myth to encourage more people joining them and giving them money because they are in the electronic money transfer business and if everyone uses only a smartphone as a wallet, they would have lots of businesses to do (not just them). This is simply a money making ploy.
Trust Not The TSA
Read:
Now does anyone trust TSA anymore ? It's just one of the many cases.
Failed Amazon Patent Trolling
Read:
Another failed patent trolling and this time it's Amazon. One-click payment is very common these days so don't bother to patent it as we can see, Amazon tried and failed to patent it. Good job for the EPO.
Thursday, July 7, 2011
Handling Searches By Authorities
Read:
- http://lifehacker.com/5818751/your-cheatsheet-for-talking-to-the-police
- https://www.eff.org/wp/know-your-rights
Very useful tips for protecting yourself against unreasonable searches and coercion to contradict your privacy and confidentiality.
Cincinnati Bell Provides Android Update
Read:
Glad to hear that a cell phone carrier is self-motivated enough to do its customers a favor by pushing down an Android custom ROM update when Motorola doesn't seem to care about their customers at all. Well done Cincinnati !!! :D
Wednesday, July 6, 2011
Google Internet Censorship
Read:
- http://digitizor.com/2011/07/06/google-removes-cc-domains/
- http://www.digitaltrends.com/web/google-search-police-strike-again-send-cc-co-domains-into-oblivion/
For such practices and acts, the FCC and EFF should look into and investigate the actions of Google. If such acts violate the rights of the people, Google should be brought to justice and charged with the appropriate charges and face federal punishments. Such acts of censorship are against the spirit of Freedom of Speech and are an act of controlling people's search information.
More anti-trust probes should be launched at Google to ensure it is operating within legal limits and not overstepping its boundaries.
Microsoft Demands Samsung to Pay for Android
Read:
- http://www.reuters.com/article/2011/07/06/us-samsung-microsoft-idUSTRE7651DB20110706
- http://www.osnews.com/story/24924/Microsoft_Demands_15_for_Every_Samsung_Android_Phone_Sold
Microsoft could not do well in their Windows Phone business and now they start to collect protection fees. This is some behavior of a gangster, mafia or mobster gang in legal disguise attempting to not hide hypocrisy.
Tuesday, July 5, 2011
Do Not DES
Read:
- http://www.h-online.com/security/news/item/Cracking-DES-faster-with-John-the-Ripper-1273585.html
- http://www.openwall.com/press/20110622
DES and 3DES SHOULD NOT be used in these days as we all know that DES is simply not going to provide a very strong encryption algorithm these days. With this improvement to John the Ripper, I think that DES and 3DES should not be touched anymore and left to some Cryptology museum or some education on history of Cryptology and designs of early computer encryption standards.
AES (especially the 256 bit version), Serpent, Twofish and, if the situation is really really constrained, you may use Blowfish (not advisable these days). These algorithms are known standards. The Camellia algorithm is another one you may consider; it is currently gaining popularity and a growing community.
Monday, July 4, 2011
VSFTPD Backdoored
Read:
- http://www.h-online.com/open/news/item/Vsftpd-backdoor-discovered-in-source-code-1272310.html
- http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
This is a very bad security mismanagement on the source code part. How did a backdoor slip into the master branch of the source codes ? No clues were given for now.
The main lesson for the day, always check the GPG signature file. ALWAYS !!!
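As an added example (not from the post or the vsftpd project) of what "check the GPG signature" should mean in practice: gpg's machine-readable status output is parsed so that a download is accepted only when the signature is valid and was made by the release key whose fingerprint you pinned in advance. PINNED_FINGERPRINT is a placeholder, not the real vsftpd key, and the function names are mine.

```python
import subprocess

# PLACEHOLDER: obtain the project's real release-key fingerprint out of band
# (project web site, keyserver, earlier trusted download) and pin it here.
# This value is NOT the real vsftpd signing key.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"


def parse_gpg_status(status_output: str, pinned_fpr: str):
    """Interpret gpg --status-fd lines and return (ok, reason).

    Accept only when gpg reports VALIDSIG and the key that made the signature
    is the pinned one. A "good" signature from any other key (for instance a
    key an attacker generated and shipped next to a tampered tarball) is
    rejected, as is a signature that does not match the file (BADSIG) or one
    made by a key that is not in the keyring (ERRSIG / NO_PUBKEY)."""
    seen_fprs = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "BADSIG":
            return False, "signature does not match the file (tampered download?)"
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return False, "signing key not in keyring; import the project's key first"
        if tag == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <timestamp> ... [<primary-key-fpr>]
            # The pinned value may be the signing (sub)key fingerprint or, when
            # gpg appends it as the last field, the primary key fingerprint.
            seen_fprs = {fields[2].upper(), fields[-1].upper()}
    if seen_fprs is None:
        return False, "gpg reported no valid signature"
    if pinned_fpr.upper() not in seen_fprs:
        return False, "valid signature, but from an unexpected key: " + ", ".join(sorted(seen_fprs))
    return True, "good signature from the pinned release key"


def verify_download(tarball: str, detached_sig: str, pinned_fpr: str = PINNED_FINGERPRINT):
    """Run gpg on <tarball> and its detached signature (.asc/.sig).
    Requires gpg on PATH and the project's public key already imported."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", detached_sig, tarball],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    import sys
    ok, why = verify_download(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "REJECT: ") + why)
    sys.exit(0 if ok else 1)
```

Only unpack and build the tarball when verify_download() returns True; a signature file that merely verifies "good" against whatever key happens to be in the keyring is not the check the incident calls for.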
Oracle's Patents Invalidated
Read:
It's interesting to note that the USPTO had to invalidate so many patent claims (24 of them) from Oracle. Why wasn't the patent application rejected before being approved ? If the patent vetting processes were carefully controlled, USPTO would not need to invalidate so many patents and the dispute between Oracle and Google may not have had any ground to begin with in the first place.
How efficient is the USPTO's patent vetting process, now we have seen some light of our own.
For Google, it would be great news that the 24 patent claims hold no grounds anymore as the USPTO invalidated all 24 of them.
Oracle would definitely be very upset and may try its best to blow things up and make things worse, as Oracle lost all 24 patent claims in one go, and which corporation would sit back and allow all 24 patent claims it is using in a patent dispute lawsuit to be invalidated ?
The battle between Google and Oracle would be more heated and interesting to watch, and for now, Google has the definite advantage on its side.
Who are pirates
Read:
Seems to me like the real pirates are the US and UK government who think that they can continue with their tyranny across the globe, trying to subjugate other governments to extradite people not within their jurisdiction and not within sound policies or reasons.
What the World needs right now is an open world that is devoid of such tyranny of a handful of bullies on the international stage. Websites or online resources that are clearly not within their jurisdiction of care, the US and UK government would by all means try to interrupt via politics and foreign affairs coercion of other nations.
From the above article, it's safe to say that US servers and hosting are guaranteed not safe anymore (US was considered a safe haven for hosting but isn't anymore). People should simply move their server hostings and resource hosting out of US to other countries that respect freedom of rights and obviously to encrypt and properly protect their servers.
The current internet structure that relies on centralized Domain Name Servers that are mostly within the controls of the US government is a huge mistake.
NO ONE SHOULD CONTROL THE INTERNET !!!
A Distributed DNS should be pushed out as soon as it's stable and ready for use to break off dependencies from centralized DNS Servers controlled by tyrannical regimes like the US, UK and France - which do not respect the basic rights of all humans that the UN just declared (the UN declared free access to the Internet a basic right).
Friday, July 1, 2011
SecurID and new pseudo security
Read:
Anyone can invent any new methodology or technology to provide protection and security. For SecurID's case, it's the compromised servers that are the root of the issue instead of the SecurID authentication itself. You can create some new authentication or whatever protection mechanism but it relies on a server. All it needs is for the server to be compromised yet again to see the same issues re-surfacing.
What RSA and the SecurID inventor should do is to really look into securing the backend first, as the main issue has always been insecure servers holding really important information in a highly insecure and careless way.
Ensure proper administration, C2 auditing enabled and reviewing of logs, encryption of information on all servers, assignment of rights and roles, separated domains so that if a small domain of secured data gets compromised, it won't spread the impact across, and finally re-evaluate your servers and staff efficiency frequently and conduct frequent penetration testing.
Data encryption in databases on the backend should usually be done whereby an encryption secret key is responsible for only a small group of data it needs to secure. So in the event of an attack, a compromised key would not compromise other keys (if the keys are securely de-linked and made unpredictable from one another).
The master key for encryption should be made up of more than 2 persons' encryption secret keys (bosses hold the secret keys). Imagine it's like a nuclear launch silo where you need many keys to be turned together to launch a nuclear missile. This would give more security. The master keys should be separated from each other whereby if one key is compromised, it doesn't affect the others and can be regenerated.
Last but not least, make sure the roles and administrative privileges are properly administered whereby power is not consolidated in one person's hand.
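To make the two ideas above concrete (one key per small data group, and a master key that several holders must combine), here is an added example that is not from the post: Shamir secret sharing splits a master key so that any 3 of 5 holders can rebuild it while any 2 learn nothing about it, and an HMAC-based derivation gives each data group its own independent key. The function names and the 3-of-5 policy are my assumptions.

```python
import hashlib
import hmac
import secrets

# Shamir sharing works over a prime field; 2**127 - 1 is a Mersenne prime,
# so any 16-byte master key value fits as a field element.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_master_key(master_key: int, threshold: int, holders: int):
    """Shamir split: the master key is the constant term of a random
    polynomial of degree threshold-1; holder i receives the point (i, f(i)).
    Any `threshold` points rebuild f(0); fewer leave every value of the
    master equally likely, so a single compromised share reveals nothing."""
    assert 1 < threshold <= holders and 0 <= master_key < PRIME
    coeffs = [master_key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_master_key(shares):
    """Lagrange interpolation of the shares at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def derive_group_key(master_key: int, group_label: str) -> bytes:
    """One data-encryption key per small data group, derived with
    HMAC-SHA256 as a one-way KDF. Leaking a group key exposes neither the
    master nor any other group's key, and a group is re-keyed by bumping
    a version in its label (e.g. "hr-records/v2")."""
    return hmac.new(master_key.to_bytes(16, "big"),
                    group_label.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    master = secrets.randbelow(PRIME)
    shares = split_master_key(master, threshold=3, holders=5)
    print("3 of 5 shares rebuild the master:",
          recover_master_key([shares[0], shares[2], shares[4]]) == master)
    print("2 shares do not:", recover_master_key(shares[:2]) == master)
    print("hr key      :", derive_group_key(master, "hr-records/v1").hex())
    print("finance key :", derive_group_key(master, "finance/v1").hex())
```

Operationally the master key exists only in memory while the group keys are derived or rotated; the shares, not the master, are what the key holders keep.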