ThothTech

How to fool SSL/TLS in your workplace

2012-02-07T20:36:00.000-08:00

Read: http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

SSL/TLS scheme have proven itself to be ineffective at protecting data confidentiality and authenticity of client/servers anymore. It is time something changed.

UEFI Being Unfriendly

2012-01-13T16:44:00.000-08:00

Read: http://www.osnews.com/story/25507/Microsoft_Forces_OEMs_To_Lock_Devices_Into_Windows_8_Using_UEFI

This is a very good reason to NOT SUPPORT Microsoft and those OEMs who have been blackmailed by Microsoft to do their dirty tricks.

REFUSE and REJECT OEMs who use UEFI to lock everyone into Microsoft-only environments.

Lesser Java Dependency

2012-01-12T22:02:00.000-08:00

Read: http://www.javaworld.com/javaworld/jw-01-2012/120110-oracle-fields-java-community-complaints.html

Time for Java devs to think through deeply and have some backup language instead of purely just Java.

Hack and be hacked

2012-01-09T20:53:00.000-08:00

Read: http://arstechnica.com/tech-policy/news/2012/01/top-german-cop-uses-spyware-on-daughter-gets-hacked-in-retaliation.ars

Morale of story is simple .... if you hack others, prepare for your weaknesses to be discovered and exploited too....

What a dumb retarded idiot the dad is !!

Encrypting your files

2011-10-19T04:02:00.000-07:00

Encrypting your file system is a good way to prevent attacks from attacking the content of the file system externally where the contents are in encrypted form in the physical devices. The big trouble comes when your file system is decrypted at the moment when you are using the file system itself.

Below are some scenarios that would represent possible scenarios that I have mentioned.

Running your Operating System (OS) while some trojans managed to sneak into your OS. In such a case, even if you have a highly secure encrypted file system, the trojans present an insider threat as they exists within your file system and hide among your protected contents. No matter how strong your file system encryption is, these trojans existing inside your OS could simply grab your files (when you are using the OS, your file system is being decrypted and thus open to attack) that have been decrypted and send them to their owners.

Another scenario is when a user is being coerced into decrypted their entire file system for aggressors to obtain the plain form of the file system contents. File systems that have strategy to partition and trick aggressors via anonymity of ownership of the content (i.e. Rubberhose File System) could address such a problem.

As you can see, file system encryptions have the limitations of preventing people outside from looking into your file system content. I would not wholly ignore or condemn file system encryption as they are to me an external defensive wall.

I would recommend the use of "internal defense" by encrypting the files sitting inside your file system or devices that you think are important so in the events that a trojan slips in to harvest data on you, it would have a hard time decoding the "internally" encrypted files sitting in your file system.

It would be better if you can encrypt your files on creation so that copies or temporary files and metadata of the contents will have lesser chances of fragmenting and being copied all over your file system as buffer data or simply to sit there for no reason.

Ultimately, these defensive techniques are to delay aggressors or to make it extremely hard for most aggressors to know the truth of your contents. Forceful coercion, human errors, key and screen logging to to detect the password you type into your file encryption program to decrypt those individually encrypted files are part of the arsenal that could defeat the encryption you have placed on your file system and each important files.

The best security is to simply not have it around at all but it is nearly impossible.

To summarise this short article, do not solely rely on encrypting your file system and devices. Encrypt the files inside the file system and devices that you think are important in an event your file system or OS is breached. There is no "ultimate security" for now.

Opera and security scandal

2011-10-19T02:43:00.000-07:00

Read:

Such a scandal makes it hard for users to trust or to continue trusting either the researcher who disclosed the vulnerabilities or Opera themselves.

The best way to prevent such scandals is the publication of truthful conversation logs and archives to prove the point and provide valid evidences.

Such a scandal would simply put a dent anyway to either or both sides and it's not something good in the long run I guess.

Crime Sourcing and Crime as a Service

2011-10-17T06:49:00.000-07:00

Read:

http://www.forbes.com/sites/oreillymedia/2011/10/03/the-rise-of-crime-sourcing

Watch:

Criminal outsourcing and Crime as a Service (CaaS) have been developed unknowingly by criminal groups and organisations. These materials are very useful for Cyber Forensics investigators and students and Security researchers.

Why your web profiles aren't safe

2011-10-14T23:42:00.000-07:00

Read:

http://www.h-online.com/security/news/item/US-government-continues-to-target-WikiLeaks-volunteer-1358656.html

This should give you something to ponder about the reaches of the US government and their relentless appetite for more power and the ability to "subdue" (kill off) adversaries or oppositions of any sort. A tyrant indeed. There are much more cases out there that you can search for.

For those who love the online lifestyle, you have to simply be careful of what you put up there (no GPS or personal information that would be too obvious). Few actually respects privacy of themselves and others in this age.

SSH + HTML 5

2011-10-14T19:07:00.000-07:00

Read:

http://h-online.com/-1361377

Source Code:

https://github.com/liftoff/GateOne (GitHub)

Cool stuff. Imagine you can do SSH over HTML 5 via web browsers. Despite there are existing implementations, each of these implementations improves on the other. I have not tried it but the concept is good. The only problem is how much are you willing to trust that web browser and computer you are on ? The server-end running Python codes also makes it easier to handle.

Reacting to a hacked email account

2011-10-11T08:45:00.000-07:00

In an event your email account or your friend's email account security have been breached, I have some ideas below that might help.

The reason I am writing all these is I have seen many people's accounts being used to send spam (because their accounts are hacked) and no one tells their friends about the breach so the correct reaction could not be taken and probably be deleted or sent to the spam mail or trash. Another reason is no one bothers about their accounts being hacked and be used for spam because their emails are not important to them. The huge mistake is, the usage of their hacked emails as "robots" or "zombies" to control, the person who is in control of the accounts (puppet master) can use these accounts for other malicious deeds and harm others. It becomes a chain reaction and may snowball into something big.

So enough of the talk and let's get into the topic.

My friend's email have been hacked !!!
Yes, you can tell your friend's email have been hacked. He/she sends you suspicious links (so don't click on "juicy" or obviously dangerous links). Another trend to note is the "To" list of people who would be receiving the malicious spam mail. The list of people in the "To" field (whoever that would receive the malicious spam mail) would be alphabetical. Who would ever be so careful to include people into the "To" list of receivers of an email in a very neat and well thought out alphabetical fashion other than a computer program ?

To summarise, you would notice a weird link in the email or some attachment that makes no sense and the list of "To" people (which would include your own email address) would be so neatly adjusted in an alphabetical fashion.

So how do you react ? Firstly, take a screenshot and forward back the link as an evidence to your friend's email (hoping he/she can still access his/her account). Contact your friend via a channel they usually would and tell them to change the password to something else that's not some default passwords people usually use (good password selection policy). Also advise your friend to change all other accounts that he had used that compromised account to register as well. The notion is that the intruder might have used the email account to request for password resets or some emails might contain passwords from account registrations that people might refuse or forget to change. Finally, if it's possible, ask your friend to alert the email provider of a possible breach so that the email provider can investigate their own security measures and carry out some security audits to ensure other users are safe.

My email have been hacked !!!
Ok, do not panic. Attempt to change the password in the email account and the other accounts linked to that email account that have been compromised. If you are locked out of your own accounts of any sorts, then notify the service provider (email or account provider) while they investigate into the matter. Notify your friends to be careful of the compromised accounts. The best way is to ask your friends to alert you any time when they suspect a spam from your account (this arrangement can be done without any event from happening yet as a safety precaution and a good security practise). All you need to do after you have warned the necessary people is to wait for the investigation to take it's course. There is nothing much you can do unless you would consider making yourself a new email account (and secure it safely with a new well-designed password).

Some additional measures to ensure security
Always use HTTPS (secure and encrypted) if the email or website provides one. If there is a setting in the website or email provider's options to turn on HTTPS, use it as the default instead of HTTP (insecure and unencrypted). Change passwords at least once every few months if possible and do not use the same password across multiple accounts. It makes predicting passwords so much easier. Use a password manager like KeePass (http://keepass.info/), KeePassX (http://www.keepassx.org/) or PasswordSafe (http://passwordsafe.sourceforge.net/) that have the capabilities to use strong encryption to store your personal information and passwords. Obviously, use a pretty strong password which you can easily remember to protect your password manager as the login password and DO NOT SHARE PASSWORDS !!

Conclusion
Overall, it is hard to deal with email account breaches as you might not be the owner of the email server. You are usually using a web-based email service someone provides you (Hotmail, Yahoo, Gmail...etc...) which you have very little control over. The above practises are thought out to reduce the damages a compromised account can do by acting responsibly. Do not forget, you might think that your email account is insignificant but it can be used to create bigger threats.

© 2011 Thotheolh / ThothTech. Part or whole of this article can be reproduced or quoted if their meanings are not distorted, else link them to this article.

Killing Freedom

2011-10-05T03:51:00.000-07:00

Read:

http://www.arstechnica.com/tech-policy/news/2011/10/us-signs-international-anti-piracy-accord.ars

What a shame for countries who sign such a restricting agreement and join in the ranks to try and grab the favours of a failing country whom cannot protect her own country's freedom like the USA. It is obvious that the USA created such an agreement for their own greed and motives and those who signed it played into the hands of the USA and their desires in an attempt to gain benefits from a country who has been owing the World Bank in trillions of US Dollars of loan.

Quality of Java installers

2011-10-04T01:43:00.000-07:00

Hi decided to get a 64 bit "bin" extension installer for Linux installation of JDK 6 u 27 and when I executed it, this is what it gave ...........

Unpacking...
Checksumming...
Extracting...
./install.sfx.9113: 1: ELF : not found
./install.sfx.9113: 2: Syntax error: ")" unexpected
Failed to extract the files. Please refer to the Troubleshooting section of
the Installation Instructions on the download page for more information.

And a file Java installer generated .....

What is that messed up file above that the Java installer generated !!??

This is the quality of Java from Oracle. Oracle have been screwing up Java badly for so many steps since it took over Java by "eating up" Sun Microsystem.

Oracle..... HOW THE HELL ARE YOU GONNA EXPECT US JAVA DEVELOPERS TO DEVELOP JAVA !!??

Broken Java installers for JDK 6u27 (64 bit), screwed up Java 7 features and possibly Java 8, undemocratic on the JCP board....

Oracle.... HOW ELSE DO YOU EXPECT US JAVA DEVS TO USE JAVA YOU PROVIDE !!??

A Cohesive Linux Desktop Required

2011-08-10T18:15:00.000-07:00

Read:

http://h-online.com/-1318177

Agreed with that article. Many tried and failed to bring Desktop Linux into popularity because of the lack of a unified framework or consensus on the Desktop Linux. Linux Foundation could anchor such a unified project and set a single standard and get all the other Desktop makers like Gnome, KDE, XFCE ... to follow it through. OEMs and companies need to cooperate and not be blinded by personal profits and sabotage the community or others. The spat between Ubuntu and Gnome on their flagship Desktop (Unity and Gnome 3) was an example of inter-sabotage where it simply weakens the Desktop Linux as a whole instead of unify it.

Recently, Linus Torvalds have shunned KDE and Gnome whom are the two major Desktop makers for Linux for a good reason. Their applications and desktop are simply irritating to operate. I have been using Ubuntu 9.10 based desktop theme and refused to upgrade to the Gnome 3 or Unity Shell for the reason that both of these desktop themes are not going to be friendly and I would have to relearn them for a while. Despite me upgrading the Operating System to Ubuntu 10.10, I simply refuse to upgrade or change the desktop itself and am very hesitant as I am concerned about the breaking of applications using the new themes.

Linus Torvalds could spearhead the Desktop Linux and under his banner and Linux Foundation's I am pretty sure many people and companies would gather together and create a unified framework for Desktop Linux and make Desktop Linux a lesser pain in the near future and promote Desktop Linux.

Linus Torvalds and Linux Foundation have the influence and reach to create this change and unify the Desktop Linux together. They should start making it happen.

Never Trust the Web

2011-08-09T22:58:00.000-07:00

Read:

http://www.h-online.com/security/news/item/Google-also-passes-on-European-data-to-US-authorities-1319434.html

Hopefully this would reiterate the point that....

ALL YOUR ONLINE DATA IS NOT YOURS AND ARE NOT SECURE AT ALL !!!

STOP DAYDREAMING !!!

Doomed for Insecurity

2011-08-07T03:49:00.000-07:00

I was attempting to explain the importance of computer security and the use of password managers instead of writing down passwords. I made a password manager called PasswordStore with the aim of simplifying usually complex password managers to become easy to use.

PasswordStore is actually really simple and mostly self sufficient and the setup procedures are near to none except stating your username and password you prefer on the first use.

No matter how I try to convince others the use of NOT WRITING DOWN PASSWORDS ON PAPER AND LEAVE IT IN PLAIN SIGHT, there are always people who would always want to write down their passwords and NOT PROPERLY PROTECT THEIR PASSWORD PAPER.

Besides the password cases, there are always people who are ignorant to security despite warnings. A few of the examples are listed below:

Leaving computers not locked (lock screen) when going to somewhere else.
Sharing / lending passwords for sensitive accounts (e.g. emails, web portals ...etc).
Installing suspicious looking programs despite warnings.
Willing to leak personal information on social sites.
Belittle the consequences of their accounts being compromised.

Above are the few scenarios I met of people who are hard-headed in their ways towards computer security. I believe most people bare the same attitude to a good extend. If such attitudes are applied into a larger context (organisations and companies), it would invite attention from hackers. The "ordinary" people who would love to persist in such attitudes of continuing their ignorance to security would also invite troubles from hackers and law enforcement agencies (when the hacker implanted a backdoor into their computers and have "zombied" their computers to attack or help attack someone else).

Such whom are ignorant and continue to be ignorant to security truely deserves the doom and trouble they have asked for by their ignorant attitudes.

Killing Freedom: No Tether

2011-08-06T19:30:00.000-07:00

Read:

http://www.readwriteweb.com/archives/verizon_blocks_hotspot_tethering_for_jailbroken_de.php

I believe this is not the first article I wrote against the restriction of tethering implemented by carriers, some possible phone makers and Google. The idea of most people is, I paid for the 3G / 4G connectivity and why couldn't I use the money I spent for my 3G / 4G connectivity to browse the Web better by linking it to a machine like a laptop that have more functionalities and a bigger screen than a pathetic small screen of my Android phone ?

Why should a users NOT be able to use the 3G / 4G plan he signed up for at his own disposal as long as he paid his bills dutifully and on time ? After all, he signed up for the data plan with his own hard-earned money.

One conclusion I can think of for the carriers is that they want more money thus they would love to force people to sign up for more data plans and restrict tethering to provide connectivity. The manufacturers and Google wanted to have a good relationship with the providers and keep their friendship, thus allow themselves to be subjugated to the whims and wills of carriers.

How open is Android ? Open to a good amount but many parts of Android are NOT OPEN.

Note: My definition of "open" meant that users have absolute control of what they want to do out of the box. To be considered "open", the user must be able to root and tether without much problems and restrictions. The use of hacking as a way to bypass restrictions to tether or root with the fear of consequences is NOT OPEN.

Rethinking Bad Perceptions of Java Speed for Financial Trading

2011-08-06T04:38:00.000-07:00

Read:

http://java.dzone.com/articles/c-or-java-which-faster-high

Interesting article. This should kick start people's views and curiosity to rethink the "C/C++ is better and faster than Java for finance critical engines" prejudice. Such prejudice have existed but the truth is Java had always been showing consistent results of matching the speed of C/C++ or even better than C/C++ itself.

The idea that a cross platform language that uses classes and byte codes as being slower than the "bare metal C/C++" for speed because they are closer to the native interfaces and systems can sometimes be flawed.

Please THINK THRICE AGAIN before commenting about the C/C++ vs. Java speed competition.

All About Perception

2011-08-05T18:46:00.000-07:00

Read:

http://www.xkcd.com/932/

To make it easier so, I have linked the XKCD image here via it's URL.

It's true that different people perceive different things. It's really all about how people perceive and draw their views from a single message.

Java Governance in Shambles

2011-08-05T00:39:00.000-07:00

Read:

http://www.javaworld.com/javaworld/jw-08-2011/110804-fatal-exception.html?page=1

It is sad to see Oracle misusing, abusing and not even giving Java a second thought and shipped a Java 7 out of their doors knowing of a major bug in it.

The governance of Java in the hands of Oracles only causes JAVA TO FALL INTO SHAMBLES !!!

As a developer using mainly Java, I am sad to see how Java is treated. Oracle refused to give-in and heed the community and soon Java simply becomes more badly governed and more troubles would arise from it.

A good backup for any developer / programmer is to have a backup language in an event your main language simply sucks (Java for my case.... and I am now learning abit of other languages to pick a backup language to move over abit).

Civilian Spy Drones

2011-08-04T19:33:00.000-07:00

Read:

http://www.geekosystem.com/hacker-drone/

This is cool but what would the implications be ?

Proprietary Madness

2011-08-04T08:32:00.000-07:00

Read:

http://www.h-online.com/open/news/item/Swiss-proprietary-companies-block-government-open-source-release-1317032.html

The state's attempt to help the people got intercepted in the name of market and proprietary, individualistic, selfish interests.

When you are famous

2011-08-04T08:18:00.001-07:00

Read:

You get that when you are too famous. Who wouldn't pass a chance to stoop so low ?

Real Names Online

2011-08-04T01:09:00.000-07:00

Read:

There are people who do not mine their names and privacy be exposed to everyone else in the public but there are people who value privacy more than those who don't. Give those who value privacy, a thought for them. Protect their identities.

One thing I never liked nor understood about social media technologies like Google+, Twitter, Facebook, LinkedIn...etc... they simply DO NOT RESPECT YOUR PRIVACY AND COMPROMISE THEM INSTEAD. They do not protect their databases sufficiently as we have seen many leaked user credentials from compromised social media website databases. You may not mind your accounts becoming compromised but you would inevitably allow your compromised accounts become stepping stones that leads to compromising other accounts and systems (think of password reuse as an example).

Quoting Randi Zuckerburg saying:

I think anonymity on the Internet has to go away. People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.

I don't think that's a good way though. Why not remove login functions, remove security protocols and just let people in ? That's the same idea. We need some privacy. We need some locks to secure ourselves and our assets. We want to protect ourselves. Names can and have been forged. People have used other's name to create accounts for malicious users to frame and shame their victims. It's inevitable that the use of "real names" is flawed from the start unless some international mechanism is assigned and ensured each individual is who they are (and assuming the design have not a single technical flaw - which is impossible).

If privacy and security are not respected and properly implemented and something happens, it's really hard to tell what exactly happened.

Therefore concluding....

PRIVACY MUST BE RESPECTED !!!

DBS iBanking Weak Crypto

2011-08-03T07:21:00.000-07:00

I noticed that DBS Bank uses the 3DES_EDE_CBC encryption algorithm for their Internet Banking web portal. 3DES / Triple DES / TDEA effectively only use a 112 bit key and this is a very weak key.

3DES is simply three DES put together to lengthen it's key (Wikipedia). The EDE mode stands for Encrypt-Decrypt-Encrypt mode to be backwards compatible with systems only supporting normal DES. In the EDE mode, encryption would be done to the data, then the encrypted data would be decrypted again and finally encrypted one last time. This meant that the first encrypt and decrypt would simply be nothing as they already encrypted and decrypted each other. Only the final single encrypt had it's effect. Now, thinking back on EDE, isn't it as good as a DES (not 3DES) encryption since it is made compatible to normal DES but with probably a longer key only ?

Recently John the Ripper found a way to reduce the time taken to handle a DES encryption / decryption by 17% in their news email (http://www.openwall.com/lists/john-users/2011/06/22/1) which meant that the time taken to crack DES would also be 17% shorter.

DES have been designated as a very weak encryption algorithm not good for protecting any sensitive information as it could be easily cracked with the computing powers of modern computers and improvement in the algorithm by the John the Ripper team.

All in all, 3DES is a weak encryption algorithm which can be fairly easy to crack and the 112 bits key length is rather short.

For a renown bank to use 112 bits 3DES_EDE_CBC is a very bad option simply for the weak algorithm, short key length and EDE mode. At least a 128 bit key length should be appropriate for basic security and for banking and financial institutions that require high security, a 256 bit key length is the least they could offer. An AES 256 bit algorithm for SSL is commonly in used these days and they are common. Camilla 256, IDEA, RC 4 and many other better algorithm than simply a weak 112 bits 3DES_EDE_CBC.

Below is the screen shot image to proof my point.

At least use a stronger and more decent algorithm, DBS bank.

Apple Pwnz by 19 Yr Old

2011-08-01T19:23:00.000-07:00

Read:

http://blogs.forbes.com/andygreenberg/2011/08/01/meet-comex-the-iphone-uber-hacker-who-keeps-outsmarting-apple/

Apple really needs to consider it's "security" via obscurity and who knows what they have installed that only seems secure.

Zipper Hack

2011-07-30T19:34:00.001-07:00

Read:

http://kipkay.com/videos/just-for-fun/is-your-luggage-safe-from-airport-security/

Well, this is how insecure zippers are. They were not made for security in the first place.

ShareMeNot

2011-07-29T01:50:00.000-07:00

Read:

Interesting feature to prevent tracking until someone activates it.

Duplicate a key at a distance

2011-07-26T18:09:00.001-07:00

Read:

http://fabbaloo.com/blog/2011/7/13/sneakey-captures-your-keys.html

Cool ! But can it always be that accurate ?

Another dent in Oracle's Java Suit

2011-07-26T08:05:00.000-07:00

Read:

There goes another dent in Oracl'es Java patent trolling....

Lodsys the Fat Troll

2011-07-24T01:55:00.000-07:00

Read:

http://www.engadget.com/2011/07/22/lodsys-adds-rovio-atari-ea-and-others-to-patent-suit-makes-bi/

Really shameful patent troll... Lodsys....

A Phone of A PC

2011-07-24T01:52:00.003-07:00

Read:

http://www.fujitsu.com/global/news/pr/archives/month/2011/20110721-01.html

The distinction between a mobile / cell phone and a PC blurs. Now you can run a Windows 7 Home Premium in 32 bits on a phone and you can switch into phone mode with a push of a button. What's next ?

Google going for the $$$$

2011-07-23T22:56:00.001-07:00

Read:

http://www.javaworld.com/javaworld/jw-07-2011/110721-tech-watch.html

Closing down Google Labs just for profits? Pretty shortsighted I guess.

JVMLanguageOverflowException

2011-07-23T21:27:00.000-07:00

Read:

There is simply really too much alternative JVM languages to choose from... to the point people like me who is interested in learning an alternative JVM language have great difficulties figuring out which to start first. Therefore, my decision currently would be to completely ignore learning anymore new JVM languages and simply stick to my usual Ruby (currently learning) and Java language I currently know.

The decision to stick to Ruby is because JVM supports JRuby and Ruby is rather well known nowadays. Ruby's syntax is interesting to me as well.

Knowledge is Illegal

2011-07-23T03:46:00.000-07:00

Read:

Knowledge is dangerous... knowing too much... is bad. That is the view point of those who want to preserve their exclusive rights to knowledge and none other.

Paypal joins the Justice League

2011-07-23T02:59:00.000-07:00

Read:

It wouldn't be a surprise to me that Paypal would join up with the other "Justice League" members in an attempt to weed out "baddies". Hypocrisy is rampant. Supposed "Justice" and "fighting baddies" is a denial of the reality of the situation and to only use a narrow and shortsighted.

Websites need to be free from control. Such an arrogance to "starving the baddies till they snuff out".

Ban common password for security

2011-07-14T19:57:00.000-07:00

Read:

http://arstechnica.com/microsoft/news/2011/07/hotmail-banning-common-passwords-to-beef-up-security.ars

Hotmail's idea isn't really a bad idea but the problem is with the users after all. If the user wants to be careless, there isn't anything to stop them being careless. Banning common passwords would simply add a bit more security only and is nothing radical enough to push security levels up another notch.

A Loser's Whining

2011-07-11T23:04:00.000-07:00

Read:

Losers are always losers. When they fail, they simply pull out stupid stuns to attempt to even up the game. Little do they know of the word "INNOVATION". Apple did well innovating the iPhone in the beginning but when Google's Android showed them that they can beat Apple, Apple whine about and pull patent threats at manufacturers like HTC. They lost their innovation along time ago and could only cry about with patent battles.

If you see a competitor doing better, find a way to beat the competitor's products like a real man.

Those who exploit VLC

2011-07-11T22:58:00.000-07:00

Read:

Beware of the below companies who exploit VLC for their own gains and possibly violating the GPL license VLC is released under from http://blog.l0cal.com/2011/07/07/these-companies-that-mislead-our-users/.

http://pinballcorp.com (WORST !!!)
http://eorezo.com (WORST !!!)
http://tuto4pc.com (WORST !!!)
http://vlc.us.com
http://www.eorezo.com/cgi-bin/download/direct/index?c_software=vlc
http://www.vlcdownload.org
http://www.softwaredownload.cc/?gclid=CMyGhoHrwJ8CFcpb4wodNHnJzg
http://www.iogiciel.com/l/index.php?option=com_content&view=article&id=53&Itemid=61
http://vlcplayer.2010-fr.com
http://www.mediaplayers-gratuits.com
http://www.durable.com/telecharger/telecharger_vlc-media-player_11341?gclid=CJ6j9eyqiKACFVRm4wodoUL6MQ
http://www.downloadvlcplayer.net
http://vlc-media-player-blog.com
http://www.softesdown.com/fr/vlcmediaplayer/
http://www.getyoursoft.com/download/name/vlc-media-player/id_soft/18
http://supertelech.info
http://www.descargarvclmediaplayergratis.com
http://www.oficial-es.org/es
http://todotusoft.com/Video/Reproductor-Multimedia/1158/VLC-Media-Player.html
http://galleries.secure-softwaremanager.com/804e9dc7b4/854190c2bc1e
http://www.clickdownloadsoftware.com/player/

Such behaviours are very underhanded, cheap and possibly illegal. They only spoil VLC's good name and reputations.

Secure Internet's Faltering Dreams

2011-07-10T19:27:00.000-07:00

Read:

Many of the insecurities are human errors rather than computer errors. You could only engineer a system to a certain level for security and the rest of the system depends on the human operator for it's security.

Let's take for an you are accessing a website that runs over HTTPS and is secured with 256 bit Camilla or AES or whichever you fancy as the most secure algorithm with a SHA1 checksum (supposedly the most common secure algorithm for message digest). There is a small form to win an electronic prize and you decide to enter your credentials into that form on a secure page. A few days later, you noticed your email box is not yours anymore and "visits" from telemarketing people become more irritatingly frequent. Who do you blame ? Usually people would blame that "secure website is insecure". The reason the website is "insecure" is because you have decided to betray yourself and reveal your personal credentials to some unknown form you have no idea if it's secure or not.

Creating a second secure internet would be very expensive on anyone's resource without a doubt. The main problem is human errors and issues which computers could not replace and a computer solution is intended to solve fundamental human problems (e.g. willingly accessing insecure webpages) which the computer have no final say over it.

The main solution for Government networks and computers is to really really test and ensure the worst cases could be handled, segregated roles and trust levels using Mandatory Access Control in a very well designed way whereby a breach in a particular level would not affect everyone. Frequent planned live penetration testing (including surprise checks) should be taken into serious consideration and carried out.

Contractors to National Defense and Security related should be accessed thoroughly and to be tested frequently to ensure meeting of agreed National Standards and ensure those contractors know what they are talking about and could meet the agreements and contracts they have agreed upon to deliver or punishments to be handed out to them according to the Law and contracts they have signed.

The total removal of rights to have privacy would meant that operators of the secure domains are equally susceptible to such terms and users could turn around and want to proof the operator of the domains.

Many of the cyber crimes are committed because users simply trusts all websites and the huge problem is with server side security. You can have a secure HTTPS or SSH connection but your servers cannot proof themselves and have weak or no security at all. RSA's hack is a very good example of an insecure database where attackers could waltz in and claim what they want. HBGary's hack is another classic example of an insecure mail server. The major problems are with the server side, not the client side. The client side have always been subjected to scrutiny by IDS, IPS, Firewalls ...etc... it is time for the server to prove themselves as well. Most users would not really notice "http://www.blogger.com" and "http://www.b1ogger.com". The "l" was replaced by a "1". It looks the same but the ASCII value is different and thus, the traffic would go to a probably malicious domain.

Everyone needs privacy and it's a basic need of everyone. If these basic needs are not meant, the walled garden of a secure domain would have little visitors and more insecurity as more people prefer to go by the "insecure" route if they could avoid being searched electronically. This would spike up the number of cyber attacks on users and the resources spent on building those walled garden with the intend to provide safe haven would not be used and thus a waste of resource.

The Internet was not designed with security in mind during the beginning phases and it's a fact we must live with. It is better to have our own freedom then to be submitted to some absurd electronic pat down or checkpoints and to surrender all our freedom.

Whoever proposed this idea had the same absurd Security Theater implemented on the US checkpoints and US Defense and Security. Security Theater WILL NOT WORK unless properly implemented.

Oh ... did I forget to mention the TSA officer who stole electronic gadgets from passengers ? How can anyone trust the officials these days when they are not upright themselves ?

IM Statuses and You

2011-07-08T23:31:00.000-07:00

Read:

http://lifehacker.com/5819017/im-status-how-should-you-use-it

Interesting article on the behaviors and etiquette of IM statuses. I always find it irritating if I can't exactly know a person's IM status to contact them at the right moment.

Wallets And Cash Exists In 2015

2011-07-08T19:11:00.000-07:00

Read:

I wouldn't trust my mobile device or computer to handle every single monetary decisions for me. I want to control my own money, not the computers and devices. We have seen enough of iPhones being broken, keys from the iPhones being discovered, Android phones susceptible to malware, Governments trying to have a sneaky hand in all things ....

Remember Paypal rejected payment and donations for Wikileaks ?

What if you put all your eggs in a single basket (rely on bringing out your smartphone as a wallet) and something happens to that smartphone ? It's OS crashes and hangs ? It ran out of battery ? Accounts got hacked big time ? How are you going to pay after you had your meals in a restaurant if your phone had those crazy things happening ?

I would rather bring some cash along. Putting your money in one place is asking for trouble. When systems and things break, you are left with nothing on hand to help you out.

Smartphones as wallets by 2015 ? NO WAY !!!! I don't trust the technology. I don't trust the company and people. I don't trust putting all the eggs in a single basket. I trust myself more than them.

Don't forget, Paypal's spreading this myth to encourage more people joining them and giving them money because they are in the electronic money transfer business and if everyone uses only a smartphone as a wallet, they would have lots of businesses to do (not just them). This is simply a money making ploy.

Trust Not The TSA

2011-07-08T18:53:00.000-07:00

Read:

http://edition.cnn.com/2011/TRAVEL/07/07/florida.tsa.employee.theft/

Now does anyone trust TSA anymore ? It's just one of the many cases.

Failed Amazon Patent Trolling

2011-07-08T02:47:00.000-07:00

Read:

http://www.theregister.co.uk/2011/07/07/european_patent_office_says_amazon_oneclick_payment_too_obvious_to_patent/

Another failed patent trolling and this time it's Amazon. One-click payment is very common these days so don't bother to patent it as we can see, Amazon tried and failed to patent it. Good job for the EPO.

Handling Searches By Authorities

2011-07-07T08:18:00.000-07:00

Read:

Very useful tips for protecting yourself against unreasonable searches and coercion to contradict your privacy and confidentiality.

Cincinnati Bell Provides Android Update

2011-07-07T04:41:00.000-07:00

Read:

http://www.h-online.com/open/news/item/Cell-phone-carrier-provides-its-own-Android-update-1275306.html

Glad to heat that a cell phone carrier is self-motivated enough to do it's customer's a favor by pushing down an Android custom ROM update when Motorola doesn't seem to care about their customers at all. Well done Cincinnati !!! :D

Google Internet Cenorship

2011-07-06T20:06:00.000-07:00

Read:

For such practices and acts, the FCC and EFF should look into and investigate the actions of Google. If such acts violates the rights of the people, Google should be brought to justice and charged with the appropriate charges and face federal punishments. Such acts of censorship is against the spirit of Freedom of Speech and is an act of controlling people's search information.

More anti-trust probes should be launched at Google to ensure it is operating within legal limits and not overstepping it's boundaries.

Microsoft Demands Samsung to Pay for Android

2011-07-06T07:46:00.000-07:00

Read:

Microsoft could not do well in their Windows Phone business and now they start to collect protection fees. This is some behavior of a gangster, mafia or mobster gang in legal disguise attempting to not hide hypocrisy.

Do Not DES

2011-07-05T20:24:00.000-07:00

Read:

DES and 3DES SHOULD NOT be used in these days as we all know that DES is simply not going to provide a very strong encryption algorithm these days. With this improvement to John the Ripper, I think that DES and 3DES should not be touched anymore and left to some Cryptology museum or some education on history of Cryptology and designs of early computer encryption standards.

AES (especially 256 version), Serpent, Twofish and if the situation is really really constrainted, you may use Blowfish (not advisable these days). These algorithms are known standards. Camilla algorithm is another one you may consider and it is currently gaining popularity and a growing community.

VSFTPD Backdoored

2011-07-04T21:46:00.000-07:00

Read:

This is a very bad security mismanagement on the source code part. How did a backdoor slip into the master branch of the source codes ? No clues were given for now.

The main lesson for the day, always check the GPG signature file. ALWAYS !!!

Oracle's Patents Invalidated

2011-07-04T21:39:00.000-07:00

Read:

http://www.h-online.com/open/news/item/Another-problem-for-Oracle-s-patents-1273038.html

It's interesting to note that the USPTO had to invalidate so many patent claims (24 of them) from Oracle. Why wasn't the patent application rejected before being approved ? If the patent vetting processes were carefully controlled, USPTO would not need to invalidate so many patents and the dispute between Oracle and Google may not have had any ground to begin with in the first place.

How efficient is the USPTO's patent vetting process, now we have seen some light of our own.

For Google, it would be great news that the 24 patent claims hold no grounds anymore as the USPTO invalidated all 24 of them.

Oracle would definitely be very upset and may try it's best to blow things up and make things worse as Oracle lost all 24 patent claims in one go and which corporation would sit back and allow all 24 patent claims it is using in a patent dispute lawsuit to be invalidated ?

The battle between Google and Oracle would be more heated and interesting to watch and for now, Google have the definite advantage on it's side.

Who are pirates

2011-07-04T18:01:00.000-07:00

Read:

http://www.pcpro.co.uk/news/368437/lawyer-no-hiding-place-from-us-for-web-pirates

Seems to me like the real pirates are the US and UK government who think that they can continue with their tyranny across the globe, trying to subjugate other governments to extradite people not within their jurisdiction and not within sound policies or reasons.

What the World needs right now is an open world that is devoid of such tyranny of a handful of bullies on the international stage. Websites or online resources that are clearly not within their jurisdiction of care, the US and UK government would by all means try to interrupt via politics and foreign affairs coercion of other nations.

From the above article, it's safe to say that US servers and hosting are guaranteed not safe anymore (US was considered a safe haven for hosting but isn't anymore). People should simply move their server hostings and resource hosting out of US to other countries that respect freedom of rights and obviously to encrypt and properly protect their servers.

The current internet structure that relies on centralized Domain Name Servers that are mostly within the controls of the US government is a huge mistake.

NO ONE SHOULD CONTROL THE INTERNET !!!

A Distributed DNS should be pushed out as soon as it's stable and ready for use to break off dependencies from centralized DNS Servers controlled by tyrannical regimes like the US, UK and France - whom do not respect the basic rights of all humans that the UN just declared (UN declared the free access to the Internt as a basic rights).

SecurID and new pseudo security

2011-07-01T21:17:00.000-07:00

Read:

http://www.networkworld.com/news/2011/062911-kenneth-weiss-securid.html?t51hb&hpg1=mp

Anyone can invent any new methodology or technology to provide protection and security. For SecurID's case, it's the compromised servers that is the root of the issue instead of the SecurID authentication itself. You can create some new authentication or whatever protection mechanism but it relies on a server. All it needs is the server to be compromised yet again to see the same issues re-surfacing.

What RSA and SecurID inventor should do is to really look into securing the backend first as the main issue have always been insecure servers holding really important information in a highly insecure and careless way.

Ensure proper administration, C2 auditing enabled and reviewing of logs , encryption of information on all servers, assignment of rights and roles, seperated domains so that if a small domain of secured data gets compromised, it won't spread the impact across and finally re-evaluate your servers and staff efficiency frequently and conduct frequent penetration testing.

Data encrypted on databases on the backend should usually be done whereby an encryption secret key is responsible for a small small group of data it needs to be secured. So in an event of an attack, a compromised key would not compromise other keys (if the keys are secure de-linked and made unpredictable from one another).

The master key for encryption should be made up of more than 2 person's encryption secret key (bosses holds the secret keys). Imagine it's like a nuclear launch silo where you need many keys to be turned together to launch a nuclear missile. This would give more security. The master keys should be seperated from each other whereby if one key is compromised, it doesn't affect the others and can be regenerated

Last but not least, make sure the roles and administrative privileges are properly administered whereby power is not consolidated in one person's hand.

Don't trust a device

2011-06-29T07:44:00.000-07:00

Read:

http://www.schneier.com/blog/archives/2011/06/yet_another_peo.html

Any thumbdrive / USB flash drive / USB flash stick you found is not automatically danger-proof. There are known incidents whereby the manufacturers themselves have faulty systems that introduce the malware / viruses ... into the thumbdrive / USB flash drive / USB flash stick during the time of manufacturing the product. Treat all devices with suspicion. Disable the auto-run feature and always scan the device before using if it's not a device you trust and own. For more paranoid measures, regardless of any device, simply scan them (even your own trusted devices).

LulzSec Goodness

2011-06-28T23:10:00.000-07:00

Read:

http://www.net-security.org/secworld.php?id=11231

I agree that LulzSec's attacks shouldn't be taken into view in a one sided manner. It has the good points of exposing many of the "supposedly security and unbreakable" notions we have. It's a good and much appreciated wake-up call LulzSec have done. Only fools would simply deny it and be afraid of the truth.

Flash to HTML5 Converter

2011-06-28T20:43:00.001-07:00

Read:

http://swiffy.googlelabs.com/

Apparently, Google just released a Flash to HTML5 Converter for test, called Swiffy. Smokescreen, a Flash to HTML5 Converter existed for a while before Swiffy existed. It wouldn't be a surprise to see more Flash to HTML5 Converters to spring out to attempt to allow Flash objects to be accessible on non-Flash supporting platforms (e.g. Apple iOS) in a HTML5 form.

Facebook kill KDE uploads

2011-06-28T02:56:00.000-07:00

Read:

Relying on Facebook is not only a huge security flaw in itself, Facebook is not trustworthy in it's services because they can go around playing with your photo uploads as and when they like.

Spying on Skype

2011-06-27T21:20:00.000-07:00

Read:

As always, do not trust others until you have confirmed it is secure. I have never simply trusted something and including Skype. Legal intercept is simply a good excuse. It's the same as key escrows and we have already known from history, it's easier to have a backdoor than to try and fight a protocol itself. Another new item to distrust completely, Skype. Because it's closed sourced, it's a walled garden and now the owner wants to add eavesdropping for "legal" uses. Who knows which employee would have some fun sitting behind their desktops and making jokes on intercepted Skype conversations and posting funny calls on the Youtube for all to have fun and merry ?

Tech vs Recording

2011-06-24T20:19:00.000-07:00

Read:

http://arstechnica.com/tech-policy/news/2011/06/high-tech-investors-blast-internet-censorship-billhigh-tech-investors-slam-hollywood-blast-internet-censorship-bill.ars

This is going to be a rather rough battle as high tech investors and industries battle it out with the recording and movies industry to debate on their the PROTECT-IP bill that is suppose to "protect" their rights. Seems like the US Government is determined to 'kowtow' to the recording and movies industry.

Dropbox Fatal Error

2011-06-23T04:35:00.000-07:00

Read:

The above would cause the following:

Reduced Confidence

In Dropbox security management
In Dropbox service as a whole / Integrity of Service

Possible Lawsuits Against Dropbox
Less users
Opportunity for rivals

Honestly, I have never trusted Dropbox security as a whole. There has been a lot of complains out there and no matter how much Dropbox tries, security on the Cloud is still in it's early stages and there are room for improvements. A lot of room for improvements and also a lot of room for errors. If I want to get something to someone or store something online, I WOULD ALWAYS ENCRYPT MY DATA FIRST and not wait for Dropbox or some service.

What's the use of double layered encryption / protection ? In this context, if the provider is not trusted, you can save yourself a ton of trouble with the encryption / protection you have done on your own. If the provider of service is really that good, then you are extra safe.

Do not think that no one would get at your data. Recent hacks into email servers and consequently leaks of huge chunks of compromised email servers shows us one thing, even within a private environment, there needs to be some sort of safety measure to take into consideration the possibility of compromised servers and machines and consequently leaks. If the data are well protected... truely well protected with really good security done on it, then, the risks of leaking data are far lower.

So how do you protect yourself, use a file encryption program to encrypt the files you want to put onto Dropbox. If you want your files to be portable across different platforms using Dropbox (including mobile platforms), you may want to employ the help of creating an encrypted compressed archive (e.g. AES encrypted ZIP via WinRAR or 7zip) and install some zip program on your mobile platforms which can handle the encrypted compressed archives.

Apple vs Amahi

2011-06-22T08:24:00.000-07:00

Read:

http://blog.amahi.org/2011/06/21/apple-hits-amahi-with-a-cease-and-desist-wait-what/

Absurd for Apple to try to pick on Amahi. Wonder what the true motive is ? By making this move, Apple is actually trying to give an impression it may not want, which is, Apple is targeting the Open Source community (by picking on Amahi) which can be an accidental impression.

Apple needs to trod on this issue carefully or it would find itself isolated and flamed by the Open Source Community.

Sloppy Firefox 5 Usage

2011-06-21T22:13:00.000-07:00

I decided to download Firefox 5 for my Ubuntu and test it's beta out after hearing the features despite it's horrendous history of crashing (especially with Flash plugin) and non-backwards compatibility of some plugins I wanted to preserve for use.

I extracted the downloaded "tar.gz" compressed file into a "firefox-5" folder and tried to run the "run-mozilla.sh" and "firefox" shellscript but both failed to load Firefox 5. I checked the README and thought I was missing something out and lo and behold .. the README was CRAP... below is the entire readme text:

For information about installing, running and configuring Firefox
including a list of known issues and troubleshooting information,
refer to: http://getfirefox.com/releases/

This is unbelievably sloppy of Mozilla team. I have long wanted to migrate away from Firefox to some open source browser like Google Chrome or maybe Chromium browser (hopefully without much of Google's reach inside it) and would be looking forward to moving away from Firefox for good.

Firefox have always left a bad after taste and I would say that my short experiences with IE 8 was surprisingly pleasant and far better than Firefox despite IE 8 is one of the most hated browsers out there.

Firefox is slowly slipping to become the IE 6 and probably if IE continues to work well on open standards, adopt a robust WebGL, beef it's security, probably open source itself and release a Linux version, I would consider it for some test.

I wouldn't be interested in Firefox 5 any sooner after this horrendous experience. By the way, I went to the webpage as specified in the README and I simply got totally confused by the amount of data the webpage has.

Another problem is Ubuntu doesn't push down a Firefox 4 upgrade and simply upgrades the Firefox 3.6 variant. If Ubuntu pushed a Firefox 4 upgrade (I am using Ubuntu 10.10 as I am skeptical of 11.04) and Firefox were to fix backward compatibility of plugins, I would seriously consider using Firefox.

Good bye, Firefox 4 and 5.

Edit: I realized the version of Firefox 5 I downloaded was the final version. It seems like Mozilla simply pushed out Firefox 5 after 4 just within 3 months. I wonder why they are in a rush to skip from version 4 to version 5 ?

Crypto Hash Lifecycles

2011-06-21T21:26:00.000-07:00

Enjoy:

http://valerieaurora.org/hash.html

Interesting view on how people usually react to cryptographic hashes that are about to be broken or broken.

BitTorrent patent craziness

2011-06-19T19:53:00.000-07:00

Read:

Totally absurd. For those who want to mount a patent battle to fight it out, please prepare yourself very very carefully before you decide to sue the pants out of someone to make money for your own by claiming they stole your patents.

Bitcoin Wallet Heist

2011-06-16T21:03:00.000-07:00

Read:

http://www.pcworld.com/article/230377/worlds_first_virtual_heist_bitcoin_user_loses_500000.html

I am not a Bitcoin user but I have been contemplating on getting one for a long time. Upon hearing this virtual currency heist, I felt that Bitcoin could make do better with physical data files security that are hosted in a user's computers besides network based security and transaction integrity.

A suggestion would be always maintaining a password protected wallet file (wallet.dat) that contains important cryptographic keys and information about a user. The wallet.dat should always be encrypted in all scenarios and the data from the wallet.dat should only exist in decrypted form in the memory when the file is read to memory for computational uses (the user must manually enter a password to decrypt the wallet.dat for all instances of use to provide more security despite inconveniences). At all times, the wallet.dat should exist as encrypted form on disk.

To step up security by another level, the wallet.dat could enjoy heightened security by using the BMICS (Project SECFILE) protocol to securely protect the data files on disk. In an event a hacker managed to gain access to the user's computers, the BMICS protected data file on the disk (strong encryption and proper procedures must be applied) would add another layer of protection to the wallet.dat besides simply encrypting the file as fake data can be planted into BMICS file formats to confuse attackers without knowledge of the actual keys and algorithms.

Apple's Anti-Camera Technology

2011-06-16T20:46:00.000-07:00

Read:

http://www.foxnews.com/scitech/2011/06/16/new-apple-technology-stops-iphones-from-filming-live-events/?test=latestnews

Restrictions always comes with more problems and more complex issues. What if, a malicious user were to misuse the technology Apple developed to disable cameras on iPhones and other possible iDevices for their own benefits and managed to compromise the iOS via some compromised coded messages in the laser ?

Extradition to US for Copyrights without Guilt

2011-06-16T20:20:00.000-07:00

Read:

http://www.theinquirer.net/inquirer/news/2079590/british-student-extradition-copyright-infringement

This is totally ABSURD in all sense. What is the EU and the British Government doing to protect their own citizens from being abused by Big Bro trolling around asking for extradition to the USA ? The EU and British Government should protect their citizens from Big Bro's bullying and trolling.

Stand up against these tyranny !!!

Android Insecurity

2011-06-15T23:59:00.000-07:00

Read:

http://www.theregister.co.uk/2011/06/13/android_market_still_insecure/

It's not surprising that any platform have vulnerabilities. The more famous a platform is, the more scrutinized and the more vulnerabilities it has. The problem is not with the open source nature of Android which enables the vulnerabilities as malicious developers could easily get their hands on Android's source codes and write malicious applications.

The problem has many complications in my opinion. Firstly, there is no known incentive for hunting bugs like what Google Chrome browser has. Despite the sandboxing and permissions that Android have, people simply don't even know anything about permissions and they simply agree to allow all required permissions for the app they wanted to install regardless of the consequences. Google needs to make the permissions much simpler for lay people.

We have no idea about the actual working situation when a piece of application is submitted for review before uploading to the Market Place but from the current situations, there are tainted applications that have made it pass to the point it gets uploaded onto the Market Place successfully and pass inspections by Google.

The fragmentation of the Android Market Place is another huge problem. Other Market Places may have less stringent to no checks on the applications and some Market Places may not be safe at all and have other unknown motives. Google need to address this issue by releasing an official API to access it's Market Place, set known standards for checking of applications and to approve each Market Place as being standard compliant to it's standards. Releasing a Google Market Place API would appease the user's frustration of not being able to write applications to access the Market Place for other device platforms and therefore, may slow down the amount of new and inexperienced (and even potentially dangerous) Market Places from appearing.

There are many more problems, known or unknown. The above are some well known problems that I have touched on.

Difficulty of tracing cyber attacks

2011-06-13T07:15:00.000-07:00

Read:

You can imagine how hard it is to do a proper cyber forensics investigation on networked computer.

RSA Shot In The Head

2011-06-11T08:20:00.000-07:00

Read:

http://www.net-security.org/secworld.php?id=11122

Seems like RSA's SecurID and systems are compromised and not trusted anymore. A better, more resistant system, needs to be in placed to handle such situations. It took RSA a long time to acknowledge their mistakes.

Anti Freedom

2011-06-11T08:01:00.000-07:00

Read:

http://www.osnews.com/story/24837/US_France_UK_Declare_War_on_Freedom_of_the_Web

That's a sad and obvious case of pure hypo-criticism that we are facing these days.

Engineers Who Lie

2011-06-11T03:00:00.000-07:00

Read:

http://www.cringely.com/2011/06/when-engineers-lie/

If you are going to create a system and pretend it's secure when it isn't, you would simply be better off without any security since it's as good as insecure. Always make sure, very damn sure, that your system is really that secure before you call it secure.

For hosting or distributing secure software in countries that do not permit, you are better off using torrents with seeds in permissible countries or direct downloads in permissible countries with laws protecting freedom and rights of secure software usage.

Loving LulzSec

2011-06-11T02:53:00.000-07:00

Read:

http://risky.biz/lulzsec

LulzSec simply lifted up the rugs of Sony and there we are, finding so much holes in their "secure" system.

Nukes for Hackers

2011-06-04T03:03:00.001-07:00

Read:

http://www.independent.co.uk/news/world/americas/pentagon-warns-that-cyberattacks-will-be-seen-as-acts-of-war-2292001.html

This is absolutely absurd. What is wrong with them ?

Giving up OpenOffice

2011-06-01T21:32:00.000-07:00

Read:

Finally Oracle saw some light and decided that OpenOffice could not be continued to be under their governance and had to be given to the community (by handing it over to Apache Foundation). That's one good move but it's way too late. Better late then never.

Edit: Curious, why didn't Oracle simply hand over the rest of OpenOffice to The Document Foundation which already have huge community support and have been working on LibreOffice fork for a long time, whereas, Apache hadn't done much on OpenOffice ?

Sins of Ubuntu or Accusers ?

2011-05-30T18:58:00.000-07:00

Read:

http://www.osnews.com/story/24803/The_Sins_of_Ubuntu

Empirical facts, rather than hear say fictions are critical in the age of misinformation. Good article by OSNews to dispel the much crazy criticism that we hear. It's not just criticising Ubuntu, but Linux as a whole. Indeed, Linux have it's weaknesses, but much of the misunderstanding caused by unscrupulous Marketing and PR Departments of certain twisted organisations whom only wants to restrict people and their choices and milk their money, are getting in the way.

Revolution on Software Installation

2011-05-24T21:06:00.000-07:00

Read:

Revolution on software installation ? Nope. We already have Java Webstart but Webstart can be nasty to setup ? Isn't 0install the same as Java for all supported major platforms with the exception of some goodies like, not needing admin rights to install ? There is too many languages out there across the various platforms.

There needs to be a powerful recognized world standard to unify them all without constraining creativity.

Sickening Powers that Be

2011-05-24T20:39:00.001-07:00

Read:

Click on the "Comments" button at the right side of that Google Support discussion and read it.

Didn't Google talk about openness and open source ? What is all these lock down going on onto rooted devices ? Maybe it's an error or bug ? Or maybe there's something really wrong about the "openness" Google sees and something we misinterpreted ?

Mozilla shrugs off DHS requests

2011-05-06T20:21:00.000-07:00

Read:

Good job for Mozilla to stand up against rampant bullies by people who think they have authority to misuse it as they will. People should not simply follow some stupid and audacious requests unless a lawful court order given by a sound court decision is presented.

Anonymity of Voting in Singapore

2011-05-05T19:50:00.000-07:00

Watch:

http://www.youtube.com/watch?v=jDeIFUw1K1o

How secret is our vote that we are promised ? From the video, we know that our identity are linked to a serial number for the vote and the voting paper contains our serial number. Therefore, when we cast a vote using the paper, it is extremely likely there would be much idea of and the ability to be most accurately know who voted for who by tracing the serial number of the voting paper which is linked to each individual.

Is this an anonymous voting pracise they promised ? NO !!!! You DO NOT NEED our serial number on the voting paper slip. This would improve anonymity.

Sony's investigation of PSN hack

2011-05-04T17:59:00.000-07:00

Read:

We know that Sony have digged up server logs after the hacks. How was it done ? Why didn't they turn up for the hearing they are being summoned to ? Why weren't FBI and known authorities being called to the crime scene to do "post mortem" instead of some "forensic team" they have ? What was the procedure, chain of custody of evidences for the evidences they found ? And for the worse, no details yet provided to FBI or known authorities ? How do they confirm identify of the Anonymous group just by a single document ?

There is a lot of fishy feeling in this event - from Sony. They seem to have a lot to hide.

Smartphone Widgets

2011-04-23T20:44:00.000-07:00

Like the desktop widgets you commonly see on desktops these days, I personally feel that smartphone widgets should be equally important. Why is that so ? We would analyse through deeper into this blog post.

Benefits:

Quick accessing of data and information. (Weather, Currency, News...etc)
General simplicity of use.
Summarised information that is otherwise bulky.
Quick access to other apps or applets.

Cons:

Waste space on the screen.
Looks ugly. (if badly designed)
Leeches additional CPU and Memory (and possibly Network) to continue feeding users with updated information.

The list of Pros and Cons could go on but the above are the general and common Pros and Cons. It really depends on what your aim is and your vision of the smartphone "desktop".

I personally see the smartphone "desktop" or home screens as similar to your desktop "desktop" and therefore, gadgets and widgets providing only the important information should be loaded onto the desktop of smartphones. It is obviously unwise to litter the desktop screens of smartphones with so many widgets that it clutters your desktop space and resource usage (which generates bad user experiences).

Keypair Keyboard

2011-04-22T01:52:00.000-07:00

I have recently been frustrated with the small keys a soft keyboard presents itself on iPhone, Android ... BlackBerry's incredibly tiny keypad ... and all the really small key keyboard.

Here, I would present a keyboard I designed called the Keypair Keyboard. It works like the old school cell / mobile phone keypad where you have to hit a key a couple of times to permutate the letters to the ones you wanted. Keypair is different as it has only 2 permutations per key... thus saving you the hassle of multiple permutations. It also have the ability of a full keyboard by allowing you to Cap Lock it on.

If you have additional keys you want, it has multiple soft keypads where you could interchange by sliding or swapping the keypads in between.

The general dimension of the keypads are 6 blocks of key columns and 4 rows. An additional dictionary-enabled word/phrase prediction can be added to the top of the keypad.

These concepts are thought and made by me and no one else helped me. I simply get inspired to create them.

The Keypair Keyboard is a non-patentable, free-for-all, public domain innovation and anyone who wants can use it as long as they don't patent it (thus inhibiting others from using this keyboard).

The concept of Keypair Keyboard is to have a larger and fewer keys so that users would not mis-type their letters. It supports many keypads so you can switch between keypads. For example, one keypad would handle the alphabets of "A" to "Z", while the other keypad would handle "0" to "9" and some basic common symbols". The other keypad would handle the rest of the less commonly used symbols. It should allow users to add keypads and symbols programmatically or through some ways of user interaction.

Below are the two images and I would explain them and their workings.

The above variant of Keypair Keyboard is the "Swipe" variant. What "Swipe" meant is that, to change between different keypads, the users swipe left and right of the current keypad to get access to the next keypad.

The above Swipe variant of Keypair is in the Alphabet keypad. You can see a huge downward pointing arrow on the lowest left of the keypad. The downward pointing arrow is to indicate that the current letters of the alphabet are in capitals and the user could use the downward pointing arrow to down-case it to lower case letters.

The left and right or forward and backward letter selection allow users to select the previous or next possible letter to edit or change. A dictionary-supported word prediction utility is supported to predict words users may want to use.

An example to use any variant of the Keypair Keyboard - type "query". For typing the word "query", I have to tap on the "Q/W" - once, "G/U" - twice, "E/R" - once, wait for a while, then proceed with "E/R" - twice, "T/Y" - twice.

This above is the next variant Keypair Keyboard called the "Plain" keyboard. It does not support swiping actions to change keyboard so it is "plain". You would notice that there is a key on the lowest left side that have two arrows pointing at opposite directions. This key is used to switch between keyboards. This picture contains an error where the Caps lock key is being replaced by the Tabs key.

These concepts are thought and made by me and no one else helped me. I simply get inspired to create them.

The Keypair Keyboard is a non-patentable, free-for-all, public domain innovation and anyone who wants can use it as long as they don't patent it (thus inhibiting others from using this keyboard).

Please respect my creations and in doubts, contact me via my email in my profile.

Apple silently logs user data

2011-04-20T08:04:00.000-07:00

Read:

http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears
http://petewarden.github.com/iPhoneTracker/ (Includes software for use)

From day 1, we should always doubt our private data in third party hands. But now, it is clear that our personal devices are betraying us big time.

OOo truely liberated

2011-04-17T21:56:00.000-07:00

Read:

http://arstechnica.com/open-source/news/2011/04/oracle-gives-up-on-ooo-after-community-forks-the-project.ars

OpenOffice.org is now truely liberated from the hands of Oracle and passed onto the LibreOffice / The Document Foundation. Power of the Open Source and Community is always amazing and powerful.

Credibility of Stop Forum Spam

2011-04-14T17:49:00.000-07:00

About the topic

Below is a screenshot from the page to add an IP address for blocking spam:

As you can see, the fields are so little and there is only a text box to allow you some flimsy evidence of forum spamming. Do note that computer forensics is a mammoth task and a pain. How would a small text box for evidence justify or proof wrong doing ?

We know that IP addresses are dynamic and have no credibility at identifying individual users and chances of proxies, secret proxies, accounts compromised .. etc... are very high. Email addresses can be re-made and can be spoofed.

How do you call to credibility of this architecture of preventing forum spams by Stop Forum Spam ?

The operators of Stop Forum Spam wouldn't check anyway, as it would be a trouble to wade through every case to vet... so they would simply just let all pass.

Possible Routes of Attack

A vector of attack on Stop Forum Spam would be using proxies and gateways privately or quietly hosted or maybe through Tor as well. Fake accounts made with Stop Forum Spam could be created and used. The flimsy way to add "spammers" as shown above, could be falsified and no one would know how true it is.

How would any staff at Stop Forum Spam verify the accused ? The so called admin of a forum (who is in fact an attacker who falsify his identity), could falsify computer logs and even metadata to show that the accused is really the spammer.

Making The Attack a Step Up

Now, let's apply to real world scenario with a malicious twist. Most forum do not protect themselves with the minimal form of protection via the flawed SSL/TLS connection (by the way, SSL/TLS is already broken), sniffing of passwords and login credentials could be done - especially to forum admin accounts.

With the login credentials of Super Users of the forums, the attacker could do a database dump of the members credentials and IP addresses and maybe use an automated script to post all the credentials to Stop Forum Spam with some variation of evidences. It is possible that the mass upload of credentials would cause suspicion and the attacker may have already figured that out, so an artificial intelligence in the script could regulate the amount of loaded credentials and falsified evidences.

The attacker may register with different accounts user of the Stop Forum Spam and subsequently, could upload more credentials.

Finally, to inconvenience the forum admins that he have attacked, he could have placed all the forum admins credentials onto Stop Forum Spam too and fully lock out the owners and admins of the targeted forum they own.

Conclusion

The model used by Stop Forum Spam is extremely flawed and not trust worthy because of the nature of the Internet. It is a broken model in an attempt to fix something but fails very badly at doing so.

Solutions

The only solution that would make Stop Forum Spam, is for forum owners to register themselves and proof their ownership of the domain or website.

All forums need to have the use of SSL/TLS or better security to protect their accounts from attacks.

For the owner of a forum to report an incident to Stop Forum Spam, the owner MUST produce database files (yes... the physical database files as it contain metadata) while redacting the sensitive credentials of all users. A fully qualified computer forensics staff would do the job of proving or disproving the entry of an incident. Stop Forum Spam and the reporting owner of a domain MUST enter into a legal contract of not revealing any details of the database files and protect the database files with utmost security and when the investigation is completed, the database files must be encrypted as best as possible with the highest security.

ATTN! FORUM

2011-04-07T19:06:00.000-07:00

From the title, you might have guessed, it's trying to grab your attention using all caps lock on. That's what you see when desperate people who are also probably inconsiderate post them thinking they can push their way through crowds to get to the beginning of the line and shout out what they want because they are "more important".

That's disorderly and unruly in all sense. Regardless of what excuses you have, simply waltzing in and caps lock on to grab attention, is seriously overused, overrated and over-annoying.

Forum etiquette is, if you need help, give the appropriate title that shows what help you truely need and post your questions with clarity. If there is no answers for a week, bump them up once in a while but don't be an annoying ass.

Urgency does not mean that you can waltz around and be bossy. You still have to wait for someone to answer (probably because someone don't have the answers to your questions or simply, there are too many questions and it takes time to help everyone).

So PLEASE mind your etiquette and don't caps the words and be patient. Being unruly would probably piss others off and may get you kicked, banned or removed from membership.

Be nice to others, others would be nice to you.

Disorientating Blogger

2011-04-07T18:55:00.000-07:00

I was intending to post a blog post and I logged in, Blogger told me about some dynamic feed feature and I was curious and clicked the usual "Learn More" link. It brought me to some Google page that is disorientating because all the squeezed words sucks and makes reading harder.

Google, redesign it for goodness sake. Shorten the amount of words used and make it easier to read and easier on our eyes.

Below is a screenshot showing what I meant:

Unsuscribed - Wired

2011-03-29T09:24:00.000-07:00

Recently, Wired have been more of a gossip where it starts to be fond of talking about Private Bradley Manning's private life and personal relations (including rumours possibly unverifiable about him). I decided to unsuscribe from Wired because of the gossiping nature rather than the solid technology reporting nature it once had.

Too bad, Wired, if you want serious tech readers, you gotta be neutral and talk about tech (and not private lives of others like a gossiping newspaper).

How much do I trust android's openness

2011-03-25T08:41:00.000-07:00

Read:

http://arstechnica.com/open-source/news/2011/03/android-openness-withering-as-google-withhold-honeycomb-code.ars

Despite all the justification Andy Rubins can make about keeping Honeycomb's source codes under wraps (if the article is true), or even in the future or past, I don't really see how open Android is. I have been hoping Android would release the Market's SDK and allow those who do not have Market Place apps to at least have an API so users could officially connect into Market Place without the risk of third party apps libraries and cloned market places.

Although Android's source codes are open to the public via their public git repository, it's not like the Linux kernel or other open source projects where other parties could simply hop in and join in the development and contribute patches and suggestions.

Most developers could only face the truth of the "take it or leave it" scenario.

I am sure patience are wearing thin for the Android platform and for Google for being open and outright honest about their practises.

For Apple and Microsoft, both of you, don't bother laughing at Google's Android. Apple's iOS and Microsoft's Phone 7 OS is actually so much more close sourced and I would rather term them "Iron Curtain" then Android's "walled garden".

The terms of using the whole or any part of this article post is to properly cite and reference it, and you can use it.

How trustworthy is the CA model

2011-03-23T17:05:00.000-07:00

Read:

Recently a hacker with Iranian IP addresses managed to compromise a partner account at Comodo Group's CA and procured eight legitimate SSL cert for the following 6 respectable domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

Web browser makers frantically tried to update browsers to exclude the bogus certificates and Mozilla managed to plead with a famous security researcher, Jacob Appelbaum to withold information from public before patches are sent out.

How secure is the CA trust model after all ? Considering the use of TOR network instead of centralised CA ?

Sending sensitive emails

2011-03-22T18:13:00.000-07:00

Read:

http://lifehacker.com/#!5784478/how-can-i-securely-send-sensitive-tax-docs-to-my-tax-preparer

For all that has been mentioned in the article above, HTTPS, encrypted archives and files... encrypted file sharing services... there's one thing that's so famous and so well known and common it has forgotten and put to the back burner... PGP/GPG email encryption.

Yup, that's it.

You could sign your PGP/GPG email, encrypt it and voila.... it's secure. If your attachments need to be doubly secured, PGP/GPG could allow you to encrypt your files on your computer Desktop for you and then attach it to your email and encrypt your entire email, sign with a signature and send it out to your lawyer.

There are front ends and email plugins for your PGP/GPG tool and even standalone clients where you paste in a message and it encrypts the message for you and you paste it back into your email editor which does not have PGP/GPG capabilities.

Injustices of Geohotz

2011-03-17T04:11:00.001-07:00

Read:

http://arstechnica.com/gaming/news/2011/03/judge-gives-sony-access-to-ps3-hackers-paypal-records.ars

What does Sony want with Geohotz's PayPal account ? Make themselves more rich ? Probably.

Encrypted VOIP

2011-03-15T08:47:00.001-07:00

Read:

http://it.slashdot.org/story/11/03/15/1513257/Encrypted-VoIP-Meets-Traffic-Analysis

Top 10 best alternative OS

2011-03-14T18:39:00.000-07:00

Read:

http://www.techradar.com/news/software/operating-systems/10-best-alternative-operating-systems-934484

Besides the typical Windows, Mac, Linux trio group of typical OSes people use to some extend, the article contains interesting OSes that those who are daring could give it a try in a virtual machine (VirtualBox or VMware).

Flickr and Censorship

2011-03-12T22:02:00.000-08:00

Read:

Like many other famous community based tools like Facebook and Twitter, you do not trust them AT ALL. They have an agenda which is commercialisation. You are better off opening your own website or a Freenet site if you are afraid of censorship and have mirrors.

No Minimize and Maximize for Gnome 3

2011-03-07T18:49:00.000-08:00

Read:

Is it worth removing the minimize and maximize buttons. We would never know until it's in full production phase. If there is no minimize and maximize buttons, the functions that support minimize and maximize should be easy to use and not cumbersome and elegant.

Another Absurd Judicial Judgement

2011-03-07T18:44:00.000-08:00

Read:

http://www.wired.com/threatlevel/2011/03/geohot-site-unmasking/

Corporate America... where the System always supports the Corporations and kowtow-ing to them than protect the Rights of the People.

Oilrush for Linux

2011-03-07T08:12:00.000-08:00

Visit:

Looks not bad... hmmm... finally a good decent game with Linux in mind as a first class citizen unlike Blizzard and other many big game developers who can only see marketing potentials in Windows and Mac.

Linux actually has a huge potential for gaming but it has always been underdeveloped and undermined.

Android with Secure Hashing

2011-03-07T08:08:00.000-08:00

As we know, Android have a good amount of trouble with malwares and the primary reason is that the apps are taken from the unofficial marketplaces instead of Android's Marketplace.

Google should seek to quickly release it's protocols for accessing the official marketplace and make an app that anyone can download and install the official marketplace app. An example is the Android version of the Archos tablets where there is no access to official Android Marketplace but some other marketplaces.

Google should also see to provide SHA 256 and SHA 512 hash signatures for every application and provide a hashing tool that would show the users if their application's hash signatures matches.

Google should also consolidate and look over all Android marketplaces and may need to move in the direction like Apple's Appstore to establish a central final authority but Google should be like a benevolent dictator. This would solve most of the headaches of becoming splintered and allowing bogus apps or apps that have been deliberately modified from the original and pass off as a copy of the real app, to harm others, be nearly impossible with the use of a central authority.

Hosting hacking competitions and more open research and discussion that can be conveniently accessed by the general public would allow better discovery of bugs and exploits.

By following Linux kernel development's footstep which actively exposes it's development in real time and allowing the community a piece of the pie to research and contribute would really enhance Android.

The Android development team within Google would not be enough. Tapping into the power of community development and listening to the community would proof to be the wisest decisions.

In the end, Android's malware exploits are mostly caused by Google's own undoing for the above I have stated and partly caused by malicious minded people who are out to make a quick bug and harm others, not regarding the privacy and safety of others.

DOJ got something done right

2011-03-05T22:35:00.000-08:00

Read:

Finally the US DOJ got something decent on their hands to do and got something right after a series of mistakes by attempting to silence whistle blowers.