Dell installs self-signed root certificate on laptops, endangering users’ privacy

Dell laptops are coming preloaded with a self-signed root digital certificate that lets attackers spy on traffic to any secure website. The reports first surfaced on Reddit and were soon confirmed by other users and security experts on Twitter and blogs. The root certificate, which has the power of a certificate authority on the laptops it's installed on, comes bundled with its corresponding private key, making the situation worse. With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com.

Peak Fibre Channel

There have been several articles talking about the death of Fibre Channel. This isn’t one of them. However, it is an article about “peak Fibre Channel”. I think, as a technology, Fibre Channel is in the process of (if it hasn’t already) peaking.

There’s a lot of technology in IT that doesn’t simply die. Instead, it grows, peaks, then slowly (or perhaps very slowly) fades. Consider Unix/RISC. The Unix/RISC market right now is a caretaker platform. Very few new projects are built on Unix/RISC. Typically a new Unix server is purchased to replace an existing but no-longer-supported Unix server to run an older application that we can’t or won’t move onto a more modern platform. The Unix market has been shrinking for over a decade (2004 was probably the year of Peak Unix), yet the market is still a multi-billion dollar revenue market. It’s just a (slowly) shrinking one.

I think that is what is happening to Fibre Channel, and it may have already started. It will become (or already is) a caretaker platform. It will run the workloads of yesterday (or rather the workloads that were designed yesterday), while the workloads of today and tomorrow have a vastly different set of

Dell computers shipping with potentially dangerous root certificate authority

At least some Dell laptops are shipping with a trusted root certificate authority pre-installed, something that those who discovered the CA are comparing to the Superfish adware installed on Lenovo machines that left them open to man-in-the-middle attacks. Called eDellRoot, the trusted root CA comes as part of the standard software load on new Dell machines. A Reddit contributor who uses rotocowboy for a screen name says the implications could be dire. "For those that are unfamiliar with how this works," he writes, "a network attacker could use this CA to sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website's certificate chain. This CA could also be used to sign code to run on people's machines, but I haven't tested this out yet."

Some notes on the eDellRoot key

It was discovered this weekend that new Dell computers, as well as old ones with updates, come with a CA certificate ("eDellRoot") that includes the private key. This means hackers can eavesdrop on the SSL communications of Dell computers. I explain how in this blog post, just replace the "ca.key" with "eDellRoot.key".

If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.

I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.

Note that Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.
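A check a Windows administrator could run against the local trust store, added here as an example and not taken from Dell or from the post above: a trusted root in the machine store should never carry a private key, and any root whose subject contains the name eDellRoot given above should be flagged and removed. The subject-name match is the only identifier assumed; no thumbprint is guessed.

```powershell
# Added example: audit the machine's trusted root store for the eDellRoot
# certificate and for any root CA that has a private key on this endpoint.
# Run from an elevated PowerShell session.

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root

# 1. A trust anchor should only ever be a public certificate on an endpoint.
#    Any root that reports a usable private key is an anomaly worth reporting.
$rootsWithKey = @($roots | Where-Object { $_.HasPrivateKey })

# 2. Match the certificate described above by its subject name (assumption:
#    the subject contains the string "eDellRoot", as reported).
$dellRoots = @($roots | Where-Object { $_.Subject -like '*eDellRoot*' })

# Report each suspicious root once, even if it matched both checks.
$suspect = ($rootsWithKey + $dellRoots) | Sort-Object -Property Thumbprint -Unique
foreach ($cert in $suspect) {
    [PSCustomObject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# 3. Removal. Deleting the root stops browsers that rely on the Windows store
#    (Internet Explorer, Chrome) from trusting certificates minted with the
#    leaked key. -WhatIf previews the deletion; drop it to actually remove.
$dellRoots | Remove-Item -WhatIf

# Older machines receive the certificate through updates (as noted above),
# so re-run this audit after update cycles rather than treating it as one-off.
```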

Microsoft CEO takes a collaborative approach to cybersecurity

Satya Nadella will have you know that cybersecurity takes a village. The Microsoft CEO took to the stage this week in the nation's capital to describe a new, collaborative approach the company is taking as it deals with an evolving set of digital threats targeting an increasingly distributed tangle of users, devices and systems. Nadella positions the cyber challenge as the latest entry on a continuum of threats that have emerged with new methods of communication, recalling the emergence of mail fraud and wire fraud, and calling cyber "one of the most pressing issues of [our] time."

Adware program Vonteera blocks security products with simple Windows UAC trick

A well-known adware program is preventing users from installing antivirus products by leveraging a Windows feature that was designed for security. The program, known as Vonteera, abuses the digital signature check performed by the Windows User Access Control (UAC) for executable files. UAC prompts users for confirmation whenever a program wants to make a system change that requires administrator-level privileges. It therefore prevents malware from silently gaining full system access if executed from a limited user account. Depending on whether an executed file is digitally signed by a trusted publisher, the UAC displays confirmation prompts indicating different levels of risk. For example, if the file is unsigned, or is signed with a self-generated certificate that Windows can't link back to a trusted certificate authority, the UAC prompt will have a yellow exclamation mark.

FAA to drone owners: Get ready to register to fly

While an actual rule could be months away, drones weighing about 9 ounces or more will apparently need to be registered with the Federal Aviation Administration going forward. The registration requirement and other details came from the government's UAS Task Force, which was created by the FAA last month and featured all manner of associates, from Google, the Academy of Model Aeronautics and the Air Line Pilots Association to Walmart, GoPro and Amazon. Other proposed requirements were to offer a simple, free online registration system and a requirement that unmanned aircraft would need to fly with a visible registration number tying the aircraft to the owner.

How Wistia Handles Millions of Requests Per Hour and Processes Rich Video Analytics

This is a guest repost from Christophe Limpalair of his interview with Max Schnur, Web Developer at Wistia.

Wistia is video hosting for business. They offer video analytics like heatmaps, and they give you the ability to add calls to action, for example. I was really interested in learning how all the different components work and how they’re able to stream so much video content, so that’s what this episode focuses on.

What does Wistia’s stack look like?

As you will see, Wistia is made up of different parts. Here are some of the technologies powering these different parts:

What scale are you running at?

Using Raspberry Pi for holiday light shows

Depending upon your line of work, you might be looking at a long holiday weekend. If you like to tinker with code and hardware, and also like holiday light shows, then instead of purchasing some pre-made kit, you might consider LightShow Pi.

Passenger puts black powder in checked bag: How’d that decision play out?

Let’s say for the sake of discussion that the guy – anyone think it’s a woman? – did not place the 10 tubes of black powder in his checked luggage as part of a terrorist plot or amateur sting operation against TSA screeners. The TSA mentions neither in its blog post that notes the incident. Instead, this adult human being awakened one morning recently, began packing for a trip, realized he needed to transport 10 tubes of an explosive from his home in Utah through Salt Lake City International Airport, and decided the best way to do that would be to place the tubes in his suitcase alongside his shaving kit and underwear.

Worth Reading Roundup: Security and Privacy

“If I haven’t done anything wrong, then I don’t have anything to hide.” This is one of those bits of nonsense that never seems to lose its power regardless of how many times it’s been proven wrong in history. Privacy is one of the most important freedoms we enjoy — the privacy to try, the privacy to work things out among friends, and even the privacy to fail.

So what does the ‘net say about privacy this week?

One of the most disturbing things is the growing tendency to engineer people for greater efficiency. This trend started more than a hundred years ago — remember this?

But there is something fundamentally dehumanizing about people like machines out of whom you can squeeze infinite amounts of bandwidth — but it seems to be something we’re pushing towards almost as fast as we can, in both the corporate world and in government.

Digging into personal information in order to manipulate the environment for greater profit and productivity just seems a bit slimy. And I used the word manipulate (and slimy) on purpose. (Fistful of Talent)

Many countries are in the throes of a debate about the amount of surveillance a government