Can the Apple code be misused?

This post will respond to the tweet by Orin Kerr:

The government is right that the software must be signed by Apple and made to only work on Farook's phone, but the situation is more complicated than that.

The basic flaw in this picture is jailbreaks. This is a process of finding some hack that gets around Apple's "signing" security layer. Jailbreaks are popular in the user community, especially China, when people want to run software not approved by Apple. When the government says "intact security", it means "non-jailbroken".

Each new version of iOS requires the discovery of some new hack to enable jailbreaking. Hacking teams compete to see who can ship a new jailbreak to users, and other companies sell jailbreaks to intelligence agencies. Once jailbroken, the signing is bypassed, as is the second technique of locking the software specifically to Farook's phone.

Details are more complicated than this. Each jailbreak is different, and many won't allow this secret Apple software to be run. Some will. The point Continue reading

Code is expressive. Full Stop. (FBIvApple)

I write code. More than a $billion of products have been sold where my code is the key component. I've written more than a million lines of it. I point this out because I want to address this FBIvApple fight from the perspective of a coder -- from the perspective of somebody who the FBI proposes to conscript into building morally offensive code. Specifically, I want to address the First Amendment issue, whether code is expressive speech.


Consider Chris Valasek (@NudeHabasher), most recently famous for his car-hacking stunt of hacking into a Jeep from the Internet (along with Charlie Miller @CharlieMiller).

As Chris tells the story, he was on an airplane without WiFi writing code for his "CANbus-hack" tool that would hack the car. Without the Internet, he didn't have access to reference information, such as for strtok(). But he did remember from years earlier working on my (closed-source) code, and used the ideas he remembered to solve his immediate problem. No, he didn't remember the specifics of the code itself, and in any case, his CANbus-hack was unrelated to that code. Instead, it was the ideas expressed my code that he remembered.

What he came up with was this:



Continue reading

dt_aclcheck – Find a match in extended access list.

Some ACLs are short, some ACLs are really long!



Patch closes security hole in messaging encryption tool

A software component for encrypting instant messaging clients has a flaw that could let attackers take over users' machines, but there's now a patch for the vulnerability.The vulnerability is contained in libotr, short for OTR Messaging Library and Toolkit. The up-to-date version is now 4.1.1.OTR stands for Off-the-Record Messaging. It's a a cryptographic protocol that scrambles messages sent through clients including Pidgin, ChatSecure and Adium.The integer overflow flaw was found by Markus Vervier of the German company X41 D-Sec, which released an advisory. To read this article in full or to leave a comment, please click here

Junos Space – checking processes are running

After two miserable nights trying to upgrade Space 13.1R1.6 to 14.1R1.9,  I finally called up JTAC for some assistance.  For some reason the upgrade started, but never finished – the GUI remaining in ‘maintenance mode’ for several hours.

What they did:

Checked the services – all were showing as down:

service jmp-watchdog status
service jboss status
service jboss-dc status

Tried to start jboss-dc, but it complained that it couldn’t write or create /var/log/jboss.

Did the following to change ownership from root:root on the /var/log directory:

chown jboss:root /var/log

Did this:

service jboss-dc start
service jboss start

At this point the GUI started showing ‘Junos space is preparing to start  up’, and after 20 minutes it changed to say the applications were deploying.


PHPBB and website integration

I needed to integrate a website login with a phpBB3 forum recently, and this blog post came in really useful:  http://www.3cc.org/blog/2010/03/integrating-your-existing-site-into-phpbb3/

The only issue with it was the logout section – it uses $_GET, but when I implement this I get a message saying that this is an ‘illegal use of $_GET’.

Instead, the logout code that worked for me was this – it uses request_var() instead:

<?php
$cp = request_var('cp', '');
if ($cp == "logout") {
$user->session_kill();
$user->session_begin();
echo "Logged out";
}
?>

Squiggly lines: The future of smartphone security?

If PINs, passwords and biometrics just aren't making you feel secure about your smartphone contents, researchers at Rutgers University might have a new alternative: free-form gestures.They've conducted a study of such doodling for smartphone security in the field  (initially with Android phones...sorry iPhone fans) and will formally publish this paper on "Free-Form Gesture Authentication in the Wild" in May. The system, which involved installing software on study participants'phones, enabled users to doodle using any number of fingers.To read this article in full or to leave a comment, please click here

Going to CiscoLive US 2016? Don’t Forget Your Kilt!

I don’t recall the exact details of how “#KiltedMonday” started last year at CiscoLive US 2015.

I just know

ucgod_kiltkiltedmonday

 

  • I’m SO joining this year!  — Just ordered my kilt.

speaker

 

  • Scott (@ScottMorrisCCIE) is not only planning on joining this year… but he is hoping it falls on the day he will be presenting scott

 

 

 

 

Captain America Civil War — it’s us

The next Marvel movie is Captain America: Winter Soldier. The plot is this: after the Avengers keep blowing things up, there is pushback demanding accountability. Government should be in control when to call in the Avengers, and superhumans should be forced to register with the government. Ironman is pro-accountability, as you've seen his story arc evolve toward this point in the movies. Captain America is anti-accountability.

This story arc is us, in cybersecurity. Last year, Charlie Miller and Chris Valasek proved they could, through the "Internet", remotely control a car driving down the freeway. In the video, we see a frightened reporter as the engine stalls in freeway traffic. Should researchers be able to probe cars, medical equipment, and IoT devices accountable to nobody but themselves? Or should they be accountable to the public, and rules setup by government?

This story is about us personally, too. In cyberspace, many of us have superhuman powers. Should we be free to do whatever we want, without accountability, or should be be forced to register with teh government, so they can watch us? For example, I scan the Internet (the entire Internet) with relative impunity. This is what I tweeted when creating my Continue reading

Emergency Flash Player patch fixes actively exploited vulnerability

Adobe Systems released new versions of Flash Player in order to fix 18 critical vulnerabilities that could be exploited to take over computers, including one flaw that's already targeted by attackers."Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks," the company said in a security advisory. The flaw stems from a heap overflow condition and was reported to Adobe by researchers from antivirus firm Kaspersky Lab.Kaspersky Lab did not immediately respond to an inquiry seeking more details about the targeted attacks in which the vulnerability is being exploited.To read this article in full or to leave a comment, please click here

FCC wants ISPs to get customer permission before sharing personal data

Broadband providers would often be required to get customer permission to use and share personal data they collect under regulations proposed by the U.S. Federal Communications Commission. Broadband providers have an unrivaled ability to track customers and collect personal data, and there currently are no specific rules covering broadband providers and customer privacy, FCC officials said Thursday. The goal of the rules is to give broadband customers notice, choice and control over their personal data, FCC officials said during a press briefing. "Your ISP handles all of your network traffic," FCC Chairman Tom Wheeler wrote in the Huffington Post. "That means it has a broad view of all of your unencrypted online activity -- when you are online, the websites you visit, and the apps you use."To read this article in full or to leave a comment, please click here

Kicked out of PCs, Blu-ray drives are revived in data centers

Blu-ray and DVD drives are being kicked out of PCs but finding a new life in data centers as storage that can retain data for up to 100 years.A massive new system from Sony called Everspan is a collection of optical drives that can store up to 181 petabytes of data. The system can expand to 55 feet in length and have hundreds of Blu-ray-like drives.The system will be used for long-term storage of data that isn't modified often, or information that businesses feel need to be retained for specific reasons. Everspan was announced and shown for the first time at the Open Compute Project (OCP) U.S. Summit 2016 this week, and will start shipping to customers in July.To read this article in full or to leave a comment, please click here

Research ‘net: The TEMPEST edition

When I was in the US Air Force, as part of the 438th Communications Group, we had a Group Readiness Center that contained a large board with the airfield equipment status, a safe with various drawers with different classification levels, a couple of encrypted communication systems, and… a couple of strange looking Z200 computers. The screen on these computers were covered with a fine mesh, and the power cables ran through a special cleaning box. What was the point of all this fanciness?research-net

TEMPEST. The ability to gather information about what’s on a computer’s screen by examining the signals transmitted (unintentionally) from the monitor screen, power cable, and other electronics. This might seem odd, but essentially any wire is an antenna that can (and will) carry information from a computer; at some range, these signals can be detected and deciphered in a way that allows you to determine what the computer is processing. Screens are more fruitful, as the older style Cathode Ray Tube (CRT) displays essentially shoot a stream of electrons onto a piece of glass, some of which must leak, and hence can be picked up and decoded to see what’s on the screen from quite a distance Continue reading

It’s Buddy Week

It’s ecosystem partnership week. And data center stalwart Mellanox, SDN start-up Plexxi and Cisco partner vArmour have all delivered.Mellanox buddied up with Cumulus Networks to add Cumulus Linux NOS to its new Spectrum 10/25, 40/50, and 100 Gbps Ethernet switches. Mellanox itself has made multiple contributions of 10/25, 40/50, & 100G Ethernet switch and Open Compute Platform (OCP) adapter designs.Cumulus Linux has been chosen by several hardware and software vendors as a NOS option when opening up switches to support multiple NOSes. In addition to Cumulus Linux, the Mellanox Spectrum switches can now run OpenSwitch, Metaswitch IP Routing, and Mellanox MLNX-OS through the OCP Switch Abstraction Interface and Linux Switchdev.To read this article in full or to leave a comment, please click here

It’s Buddy Week

It’s ecosystem partnership week. And data center stalwart Mellanox, SDN start-up Plexxi and Cisco partner vArmour have all delivered.Mellanox buddied up with Cumulus Networks to add Cumulus Linux NOS to its new Spectrum 10/25, 40/50, and 100 Gbps Ethernet switches. Mellanox itself has made multiple contributions of 10/25, 40/50, & 100G Ethernet switch and Open Compute Platform (OCP) adapter designs.Cumulus Linux has been chosen by several hardware and software vendors as a NOS option when opening up switches to support multiple NOSes. In addition to Cumulus Linux, the Mellanox Spectrum switches can now run OpenSwitch, Metaswitch IP Routing, and Mellanox MLNX-OS through the OCP Switch Abstraction Interface and Linux Switchdev.To read this article in full or to leave a comment, please click here

1 3,106 3,107 3,108 3,109 3,110 3,848