On the failure to comprehend the definition of “secret”
Posted by Synfinatic on July 22, 2008 at 12:13 pm in Security.

This seems to be pretty basic and obvious, but the first rule about keeping a secret is don’t tell people. Frankly, I think Dan should be pretty happy that the details about the DNS vulnerability he discovered took this long to emerge publicly. As he pointed out, 13 days are better than zero.

Tags: dns, Kaminsky, Ptacek, secret, vulnerability
LGA: Security Theater
Posted by Synfinatic on July 30, 2007 at 11:22 pm in Photography, Rant, Security.

So I was flying out of LaGuardia, NY (LGA) this morning on my way home to San Jose, CA (SJC). After checking in, I was directed by the nice woman at American Airlines to take my checked bags to the x-ray machine. There were a lot of bags piling up at the machine and 2-4 TSA agents processing the bags through the x-ray machine and loading them onto the conveyor belt to the plane. What struck me as odd, though, was that none of the TSA agents actually sat at the x-ray machine console to examine the x-ray images of the bags! I watched for about 10 minutes as the rest of my party went through the long lines to …
mytreo.net hacked or selling email addresses?
Posted by Synfinatic on May 10, 2007 at 9:04 pm in Security.

For just about every website/company I do business with that requires an email address, I use a unique email address. The email address takes a very simple form: <company name>@synfin.net. The most important rule is that these email addresses are never used anywhere else. So when I noticed I started getting spam to the email address for www.mytreo.net (no, I still won’t post it so that spam harvesters can get it, but you can probably guess what it is), it would appear one of two things has happened: The people behind www.mytreo.net sold my email address to someone and at some point it was given/sold to a spammer
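The per-vendor alias scheme described in that post, worked through as an added example (this is not code from the original post or from the blog). The alias pattern <vendor>@synfin.net is the post's; the vendor registry, the sample message headers and the helper names (classify_message, leaked_aliases) are constructed here for illustration. The idea is that each alias is handed to exactly one vendor, so mail to that alias from an unrelated sender domain is direct evidence the address leaked.

```python
"""Per-vendor e-mail aliases as leak canaries (added example, not the post's code)."""
import re
from email.parser import HeaderParser

ALIAS_DOMAIN = "synfin.net"

# Constructed registry: which alias was handed to which vendor, and which
# sender domains that vendor is expected to mail from. A real deployment
# would keep this in a file or database, one entry per signup.
REGISTRY = {
    "mytreo": {"mytreo.net"},
    "godaddy": {"godaddy.com", "secureserver.net"},
}

# Matches either "Name <addr@dom>" (group 1) or a bare "addr@dom" (group 2).
_ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>]+@[^\s<>]+)")


def extract_address(header_value):
    """Return the bare, lowercased address from a From:/To: header value."""
    m = _ADDR_RE.search(header_value or "")
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip().lower()


def classify_message(raw_headers, registry=REGISTRY):
    """Classify one message by the alias it was delivered to.

    Returns (alias_local_part, verdict) where verdict is one of:
      "expected" - alias is registered and the sender domain belongs to that vendor
      "leaked"   - alias is registered but the sender is an unrelated domain
      "unknown"  - recipient is not one of our registered aliases
    """
    hdrs = HeaderParser().parsestr(raw_headers)
    to_addr = extract_address(hdrs.get("To"))
    from_addr = extract_address(hdrs.get("From"))
    if not to_addr or not from_addr:
        return (to_addr, "unknown")
    local, _, domain = to_addr.partition("@")
    if domain != ALIAS_DOMAIN or local not in registry:
        return (local, "unknown")
    sender_domain = from_addr.rpartition("@")[2]
    # Accept the vendor's own domain and any subdomain of it.
    for d in registry[local]:
        if sender_domain == d or sender_domain.endswith("." + d):
            return (local, "expected")
    return (local, "leaked")


# Constructed sample headers: one legitimate vendor mail, one spam to the
# mytreo alias, one legitimate GoDaddy mail, one mail to a non-alias address.
SAMPLES = [
    "From: Newsletter <news@mytreo.net>\nTo: <mytreo@synfin.net>\nSubject: Treo tips\n",
    "From: Cheap Pills <promo@example-pharma.biz>\nTo: mytreo@synfin.net\nSubject: !!!\n",
    "From: Support <support@godaddy.com>\nTo: godaddy@synfin.net\nSubject: Renewal\n",
    "From: someone@example.org\nTo: postmaster@synfin.net\nSubject: hi\n",
]


def leaked_aliases(samples=SAMPLES, registry=REGISTRY):
    """Sorted list of aliases that received mail from a domain outside their vendor."""
    verdicts = (classify_message(s, registry) for s in samples)
    return sorted({alias for alias, v in verdicts if v == "leaked"})


if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_message(s))
    print("leaked aliases:", leaked_aliases())
```

Run against a real mailbox by feeding each message's header block to classify_message; a "leaked" verdict tells you which vendor's copy of the address escaped, which is exactly the attribution the post draws from its mytreo.net alias. Subdomain matching is deliberate (vendors often send from mail.example.com), but the registry should stay narrow, since listing a broad ESP domain for several vendors would blur the attribution.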
Voting 2006
Posted by Synfinatic on November 7, 2006 at 9:15 am in Politics, Security.

So I just finished voting here in San Jose using one of those Sequoia machines (same as last year). My in-person impression hasn’t improved any. 1. Having to check all your votes twice (once on the screen and again on the paper printer) is a pain in the ass. Between state, county and city offices, bonds and measures, it’s not only tedious to check but error-prone, especially since I don’t memorize whom I’m going to vote for in each race. Ironically, the sample ballot that they mailed me was much simpler to use (just connect the arrow next to what/who you want to vote for), easy to verify, count and recount. And it takes a lot less …
DHS: So glad they’re on our side!
Posted by Synfinatic on June 12, 2006 at 10:28 pm in Security.

Let’s see, a guy walks into the DHS HQ with a fake Mexican ID which, even if it was real, wasn’t considered valid identification. So what do the rocket scientists for security do? Why, they let him in of course! Now of course, the fake ID was really good. You’d have to be a real expert to pick up on subtle mistakes like stating Tijuana is in British Columbia (B.C.), claiming to live on “123 Fraud Blvd.” and misspelling “Staton Island, N.Y.”. Yep, I can really understand how the crack DHS security force could let such a well-forged ID through the front door. The good news? “DHS is following up on these allegations and …
RIAA puts profits over lives
Posted by Synfinatic on March 9, 2006 at 9:26 am in Geek Law, Security.

I dunno, I should be shocked (shocked I say!), but I’m not… Every so often, the US Copyright Office takes comments regarding the DMCA (the law which makes it a crime to use products you paid for in ways other than the creator intended). Most recently, Sony-BMG (a member of the RIAA) added DRM technology to music CDs (actually, technically, they’re not real music CDs because of the DRM, hence they don’t carry the CD logo) which ended up creating a security hole on people’s computers. This security hole was then abused by other people (criminals to be precise) to break into those computers. In response, people like Ed Felten requested that the USCO grant an exception to the …
Will Tor have Extrusion Detection?
Posted by Synfinatic on February 26, 2006 at 11:25 am in Security, Tech.

Richard Bejtlich wonders, in light of Tor being able to be used to anonymously attack other systems, will Tor add extrusion detection capabilities? I seriously doubt it. First, there are technical reasons for this, namely each exit node would need to have its own policy since some operators would want very strict policies and others more open policies. Pushing knowledge of that policy to the rest of the network to make routing decisions would be very complex and incur high overhead on a system which is by its nature not very efficient. Secondly, adding additional monitoring to an anonymity system is just ass-backwards. The whole point of Tor is to allow people to be untraceable and …
SSL on the cheap
Posted by Synfinatic on February 25, 2006 at 6:15 pm in Security, Tech.

Well, I finally got a real SSL certificate, signed by a trusted CA, for www.synfin.net. For less than $20/yr, no more annoying popups in web browsers, mail clients or my Treo. Anyways, overall I’ve got to say that GoDaddy made the process pretty painless and quick. So far I’ve tested Firefox and Safari and both seem to be happy with the cert. Two thumbs up. One thing to note: if you’re grabbing the tcpreplay source from SVN, the SSL certificate has changed. If anyone knows how to pass in a certificate chain file for svn, let me know.
Moved to WordPress
Posted by Synfinatic on December 26, 2005 at 8:13 pm in News, Security.

Well, I finally got sick of writing custom code/templates (I’ve used static files using templates/Makefiles as well as dynamic pages using Perl/HTML::Mason). While I’m quite proficient with Class::DBI and PostgreSQL, it just wasn’t worth the effort of writing all the administrator forms for managing content.