Risky Business #388 — Cyber shrinkery, IoT shenanigans and guest Troy Hunt

This week's feature interview is with Troy Hunt of HaveIBeenPwned.com. And he's noticing something pretty weird. It's common for people to deface websites for bragging rights, and yeah, it's not new that data dumps are the new bragging fodder. But it seems like these days attackers are seeing Troy's site as the definitive place to get cred. Now they'll steal a bunch of data and Troy is their first stop.

Life is strange on the internets. That's this week's feature interview.

read more

Apple wages battle to keep App Store malware-free

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace. Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices. While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so.  Apple has removed some of affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation as being high quality and malware free. Apple officials didn't have an immediate comment.To read this article in full or to leave a comment, please click here

Apple wages battle to keep App Store malware-free

Apple is facing growing challenges keeping suspicious mobile applications out of its App Store marketplace.Over the last two months, researchers have found thousands of apps that could have potentially stolen data from iOS devices.While the apps were not stealing data, security experts said it would have been trivial for attackers to configure them to do so. Apple has removed some of affected apps since it was alerted by security companies. But the problems threaten to taint the App Store's years-long reputation as being high quality and malware free. Apple officials didn't have an immediate comment.To read this article in full or to leave a comment, please click here

Microsoft follows Mozilla in considering early ban on SHA-1 certificates

Microsoft is considering advancing the blocking of the SHA-1 hashing algorithm on Windows to as early as June next year, taking a cue from a similar decision by Mozilla. The Redmond-based software maker had earlier said that Windows would block SHA-1 signed TLS (Transport Layer Security) certificates from Jan. 1, 2017, but is now mulling moving up the date in view of recent advances in attacks on the SHA-1 algorithm, a cryptographic hash function designed by the U.S. National Security Agency. There have been concerns about the security of the algorithm, which led Microsoft, Google and Mozilla to announce that their browsers would stop accepting SHA-1 SSL (Secure Sockets Layer) certificates.To read this article in full or to leave a comment, please click here

We should all follow Linus’s example

Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.

The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").

A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, Continue reading

Wi-Fi Alliance touts survey numbers as LTE-U showdown looms

The Wi-Fi Alliance, an industry group that certifies Wi-Fi products for interoperability, has highlighted the importance of the technology to the daily lives of Americans ahead of a testing summit that will try to shed some light on potential conflicts between Wi-Fi and a carrier technology called LTE-U. LTE-U is a technology that some U.S. wireless carriers want to use to take the pressure off their networks – using the same unlicensed spectrum as Wi-Fi networks. While LTE-U proponents insist that the coexistence features built into the technology will avoid any conflicts, critics aren’t convinced, arguing that LTE-U could disrupt Wi-Fi networks.To read this article in full or to leave a comment, please click here

What’s behind the odd couple Microsoft-Red Hat partnership

No, hell has not frozen over, but yes Microsoft and Red Hat have announced a major partnership today.In a collaboration that would have been unthinkable just a few years ago, Microsoft – the purveyor of the mainstream and proprietary Windows OS – has partnered with Red Hat, the champion of an enterprise-class iteration of Linux. And analysts say the move is good for both companies.+MORE AT NETWORK WORLD: You built a cloud and now they want containers? | Microsoft pumps up Azure ahead of Amazon’s big cloud conference +To read this article in full or to leave a comment, please click here

What does Donald Trump have to say about technology? Not much

Donald Trump isn't much of a technophile. The surprise frontrunner for the Republican nomination in the 2016 U.S. Presidential election said he hadn't adopted email as late as 2007, and was only using it "very rarely" by 2013, according to The New York Times, which published these admissions among many other revealing statements Trump has made under oath in depositions over the past decade.Trump still reads hard-copy news and magazine articles, and even dictates his oft-controversial Tweets to a team of PR underlings who send them out on his account, according to The Washington Post.To read this article in full or to leave a comment, please click here

Federal prison system wants anti-drone technology

Looking to counter the threat unmanned aircraft might bring to Federal prison guards and prisoners, the Federal Bureau of Prisons is looking at what types of technology could be used to defeat the drones.The group, which is an agency of the Department of Justice issued a Request for Information specifically targeting what it called a fully integrated systems that will allow for the detection, tracking, interdiction, engagement and neutralization of small -- less the 55lb -- unmanned aerial system.+More on Network World: The International Space Station: Reveling at 15+To read this article in full or to leave a comment, please click here

The Godwin fallacy

As Wikipedia says:
Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.
An example is a discussion whether waving the Confederate flags was "hate speech" or "fighting words", and hence undeserving of First Amendment protections.

Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free-speech, that the Nazi's had a right to march.

Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free-speech.

I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Continue reading

Trojanized Android apps flood third-party stores, compromise phones

Attackers are creating rogue versions of popular Android applications that compromise the security of devices and are extremely hard to remove.Researchers from mobile security firm Lookout have found more than 20,000 samples of such trojanized apps. They're typically fully functional copies of top Android applications like Candy Crush, Facebook, Google Now, NYTimes, Okta, SnapChat, Twitter or WhatsApp, but with malicious code added to them.The goal of these rogue apps is to aggressively display advertisements on devices. A scary development though is that, unlike traditional adware, they root the devices where they get installed in order to prevent users from removing them.To read this article in full or to leave a comment, please click here

Strategy: Avoid Lots of Little Files

I've been bitten by this one. It happens when you quite naturally use the file system as a quick and dirty database. A directory is a lot like a table and a file name looks a lot like a key. You can store many-to-one relationships via subdirectories. And the path to a file makes a handy quick lookup key. 

The problem is a file system isn't a database. That realization doesn't hit until you reach a threshold where there are actually lots of files. Everything works perfectly until then.

When the threshold is hit iterating a directory becomes very slow because most file system directory data structures are not optimized for the lots of small files case. And even opening a file becomes slow.

According to Steve Gibson on Security Now (@16:10) LastPass ran into this problem. LastPass stored every item in their vault in an individual file. This allowed standard file syncing technology to be used to update only the changed files. Updating a password changes just one file so only that file is synced.

Steve thinks this is a design mistake, but this approach makes perfect sense. It's simple and robust, which is good design given, what I assume, Continue reading

1 3,191 3,192 3,193 3,194 3,195 3,773