The presentation on hacking the MBTA which was pulled from Defcon due to a court order… but not before the slide deck had been distributed.
I’ve always hated “Clear”, the pay-$100-to-skip-to-the-front-of-the-security-line card. Firstly, because it’s private enterprise falsely dressed as security, and secondly because it creates a class system at the airport line. So my socialist side is smug to see the bourgeoisie get its comeuppance. Have fun changing your biometrics, folks.
Filed under: clear, privacy, security, SFO
Windows password cracker. Has an interesting open-source business model: The cracker is GPL, and there are free (but limited) Rainbow tables. To get the full tables, you need to pay $99.
Open-source app which logs your laptop’s network location (and optionally a snapshot from the webcam) to a DHT distributed database at irregular intervals.
Filed under: download, free, oss, security
Excellent Unix tool which watches for attacks on ssh and blocks malicious hosts from connecting. I’ve only just found that it has a “synchronization” mode which shares the knowledge of evil hosts. Installed on all my servers.
Filed under: linux, security, ssh
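The core of what such a blocker does is simple enough to show in a few dozen lines: tally failed sshd logins per source address and write the offenders out in hosts.deny syntax. This is an added illustration, not the code of the tool linked above; the log lines are constructed samples in /var/log/auth.log style, and the threshold and whitelist are assumptions.

```python
"""Count failed sshd logins per source host and produce a block list.

Added illustration of the kind of check an ssh brute-force blocker performs;
it is not the code of the tool the entry links to. The log lines are
constructed samples in /var/log/auth.log style, not real traffic.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
May 12 10:01:02 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
May 12 10:01:05 host sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 41030 ssh2
May 12 10:01:09 host sshd[2207]: Failed password for root from 198.51.100.7 port 41041 ssh2
May 12 10:01:12 host sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 41050 ssh2
May 12 10:01:15 host sshd[2211]: Failed password for root from 198.51.100.7 port 41058 ssh2
May 12 10:02:30 host sshd[2250]: Failed password for alice from 203.0.113.9 port 50122 ssh2
May 12 10:02:41 host sshd[2252]: Accepted publickey for alice from 203.0.113.9 port 50130 ssh2
May 12 10:03:00 host sshd[2260]: Invalid user guest from 192.0.2.44
"""

# Two sshd message shapes that signal a failed or bogus login attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for(?: invalid user)? (?P<user>\S+)"
    r"|Invalid user (?P<iuser>\S+)) from (?P<ip>\d+(?:\.\d+){3})"
)


def count_failures(log_text):
    """Return (failures per IP, set of usernames tried per IP)."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        failures[ip] += 1
        users[ip].add(m.group("user") or m.group("iuser"))
    return failures, users


def hosts_to_block(log_text, threshold=5, whitelist=()):
    """IPs with at least `threshold` failures, minus addresses you never
    want to lock out (your own bastion, monitoring hosts)."""
    failures, _ = count_failures(log_text)
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in whitelist)


def hosts_deny_lines(ips):
    """Render the block list in TCP-wrappers /etc/hosts.deny syntax."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    blocked = hosts_to_block(SAMPLE_LOG, whitelist={"203.0.113.9"})
    print("\n".join(hosts_deny_lines(blocked)))   # sshd: 198.51.100.7
```

The whitelist matters more than it looks: a typo'd password from your own workstation five times in a row is indistinguishable from a scanner, and the synchronisation mode the entry mentions means a lockout can propagate to every server that trusts the shared list.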
More details on the Debian openssl patch farrago. Important point: every sysadmin (not just Debian users) needs to scan their boxes for weak keys in ~/.ssh/authorized_keys files, since a key generated on a vulnerable Debian box may have been installed on any host that trusts it.
The Debian SSL fubar farrago - some light perspective
If you have a Debian or Ubuntu box and used it to generate an SSH key in the last couple of years, due to a rather heinous bug, there’s a high chance you have one of roughly 260,000 keys.
To put this in perspective, if your account was protected by a 4 lower-case-character password, it would be harder to brute-force access (26^4 = 456,976).
For the sake of the internet, follow the instructions to update the keys on your servers forthwith.
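The scan the two entries above call for is a fingerprint lookup: decode each key in authorized_keys, fingerprint the blob, and see whether it appears in a list of known-weak keys. The example below is added here and is not the linked article's tooling; the keys, the blacklist and its fingerprint format are constructed for illustration (a real scan uses the blacklist shipped by the distribution), and the toy moduli are far too short to be real keys.

```python
"""Scan an authorized_keys file for keys whose fingerprint is on a blacklist.

Added example, not the tooling of the article linked above. The keys, the
blacklist and its fingerprint format are all constructed for illustration;
a real scan uses the blacklist shipped by the distribution.
"""
import base64
import binascii
import hashlib
import struct


def ssh_string(b):
    """SSH wire encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_rsa_blob(e, n):
    """Public key blob as stored in authorized_keys: type, exponent, modulus."""
    return ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)


def blob_type(raw):
    """Key type embedded in the blob; it must agree with the leading field."""
    if len(raw) < 4:
        return ""
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", "replace")


def fingerprint(raw):
    """ssh-keygen -l style SHA256 fingerprint of the raw key blob."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return [(keytype, raw_blob, comment)], skipping comments, blank lines
    and a leading options field such as no-pty,from="10.0.0.0/8"."""
    keys = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options, if present, come before the key type field.
        while fields and not fields[0].startswith(("ssh-", "ecdsa-")):
            fields.pop(0)
        if len(fields) < 2:
            continue
        try:
            raw = base64.b64decode(fields[1], validate=True)
        except (binascii.Error, ValueError):
            continue
        if blob_type(raw) != fields[0]:
            continue  # malformed entry: declared type and blob disagree
        keys.append((fields[0], raw, " ".join(fields[2:])))
    return keys


def find_blacklisted(text, blacklist):
    """Entries whose fingerprint matches the blacklist: (type, comment, fp)."""
    return [(t, c, fingerprint(raw))
            for t, raw, c in parse_authorized_keys(text)
            if fingerprint(raw) in blacklist]


# Constructed keys with toy moduli (real ones are 1024+ bits); WEAK stands in
# for a key whose fingerprint the blacklist lists.
WEAK_BLOB = make_rsa_blob(b"\x01\x00\x01", b"\x00\xc0\xff\xee\x12\x34")
GOOD_BLOB = make_rsa_blob(b"\x01\x00\x01", b"\x00\xde\xad\xbe\xef\x56")
BLACKLIST = {fingerprint(WEAK_BLOB)}   # constructed; normally a shipped file

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa %s debian-box-2007" % base64.b64encode(WEAK_BLOB).decode(),
    'no-pty,from="10.0.0.0/8" ssh-rsa %s backup@ops'
    % base64.b64encode(GOOD_BLOB).decode(),
    "ssh-rsa not-base64!! broken-line",
])

if __name__ == "__main__":
    for keytype, comment, fp in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("BLACKLISTED", keytype, comment, fp)
```

Run it over every user's authorized_keys (root's included), not just your own, and then rotate the flagged keys on the client side as well: removing the line only closes the door on that one server.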
Pretty much inevitable — An app that asked for your GMail username & password was harvesting them. One point to the “Why we need OAuth” party.
The excellent TrueCrypt now runs on OS X, as well as Windows and Linux. I’ll definitely be shunting some of my files onto an encrypted thumbdrive later.
A consistent tactic for answering those stupid “What color was your first favourite pet?” type questions.
Analysis of the “Storm” worm. Cunningly designed to be as undetectable as possible, it’s a frightening vision of what modern malware can be.
Firefox extension to bring OpenID into the browser’s chrome. (Also, Verisign’s OpenID provider now supports using their PayPal Security Keys as a second factor for authentication.)
“Yes, I know you’d love to have access to my address books and IM lists. But stop asking me for my login & password. Like to poke around my bank account while you’re at it? Take my wife out for naked tequila shots? How about just kicking me in the nuts a few times to show me who’s boss?”
“When writer Elena Lappin flew to LA, she dreamed of a sunkissed, laid-back city. But that was before airport officials decided to detain her as a threat to security”
Attackers could theoretically use DNS rebinding to use your computer to connect to anywhere — even internal sites. I’m skeptical that this is a “big” problem — the hurdles that an attacker would have to leap are numerous — but it’s an interesting approach.
Filed under: dns, security, tcp/ip
The inevitable first iPhone security flaw announcement. Notable for how frankly *non* sensationalist it is.
Filed under: iPhone, security
Hooray for the TSA and their water-divining machinery.
Filed under: fuckwits, security, tsa
Spotted this SSID appear as an ad-hoc wifi network here at [RhymesWithNose]. Guessed it was some nasty malware — turns out to be “viral”, but not in that way!
The TJX credit-card hack originated from a poorly set-up wireless network at a Marshall’s store in Minnesota.
For $5, PayPal will give you a SecurID-type keyfob to make it much harder for anyone to penetrate your account. I’ve been carrying mine for a couple of months now.
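What a keyfob like this buys you is a code that changes every press and cannot be reused, so a harvested password on its own is not enough. The example below is added here and shows the open OATH event-based scheme, HOTP (RFC 4226), together with the server-side verifier; the page does not say which algorithm the PayPal fob runs, so this is a demonstration of the technique, not of that product. The secret is the RFC's published test key, used here purely as constructed sample data.

```python
"""HOTP (RFC 4226): the event-based one-time password behind OATH keyfobs,
with the server-side verifier that makes a stolen password insufficient.

Added example. The page does not say which algorithm the PayPal fob runs,
so this shows the open OATH scheme, not that product. The secret is the RFC's
published test key, used as constructed sample data only.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test key


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class TokenVerifier:
    """Server side of the fob: remembers the next expected counter, accepts
    codes within a look-ahead window (buttons get pressed without logging in),
    and rejects anything at or behind the last accepted counter (replay)."""

    def __init__(self, secret, window=10):
        self.secret = secret
        self.next_counter = 0
        self.window = window

    def verify(self, code):
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # resynchronise and burn the code
                return True
        return False


def login(verifier, password, code, expected_password="correct horse"):
    """Both factors must pass; a harvested password alone gets nowhere.
    The expected password is a constructed stand-in for a real credential store."""
    return password == expected_password and verifier.verify(code)


def replay_demo(secret=RFC4226_SECRET):
    """Outcomes of: a valid code, its replay, a skipped-ahead code, a stale
    code, and the counter the verifier ends on."""
    v = TokenVerifier(secret)
    return (v.verify(hotp(secret, 0)), v.verify(hotp(secret, 0)),
            v.verify(hotp(secret, 3)), v.verify(hotp(secret, 1)), v.next_counter)


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(3)])   # ['755224', '287082', '359152']
    print(replay_demo())                                  # (True, False, True, False, 4)
```

The look-ahead window is the trade-off that matters operationally: too small and a fob pressed in a pocket drifts out of sync and needs a helpdesk reset; too large and an attacker who has captured one code gets a correspondingly larger target to guess against.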