Tag: security

Putin says Play-Time Is Over

this will be interesting to follow.

Putin abruptly changed the rules of the game. Previously, the game of international politics was played as follows: politicians made public pronouncements, for the sake of maintaining a pleasant fiction of national sovereignty, but they were strictly for show and had nothing to do with the substance of international politics; in the meantime, they engaged in secret back-room negotiations, in which the actual deals were hammered out. Previously, Putin tried to play this game, expecting only that Russia be treated as an equal. But these hopes have been dashed, and at this conference he declared the game to be over, explicitly violating Western taboo by speaking directly to the people over the heads of elite clans and political leaders.

Monthly Windows releases

I hope Microsoft doesn’t get cold feet, and indeed moves to monthly updates. Obsolete OS versions are holding things back across the industry, and the evergreen strategy has been extremely successful for browsers.

Microsoft will make monthly updates a mandatory part of participation in the upcoming Threshold technical preview. It’s expected to show users some of what’s new in the desktop experience and be limited to running on Intel-based PCs/devices.

ISIS

vice reminds me of CNN, when they were actually good (in 1991). very impressive work.

VICE News reporter Medyan Dairieh spent 3 weeks embedded with the Islamic State, gaining unprecedented access to the group in Iraq and Syria as the first and only journalist to document its inner workings.

Gain of Function Research

i’m not one for moral panics, but this pathogen research is troubling:

The scientific benefit of making viruses more pathogenic is debatable: research tends to use old strains (may not be applicable to our current situation), there is a bias towards more spectacular and lethal virulence because it gets published and funded, there is no reason to think evolution will move in the same way (it is highly contingent, and hence what is learned may not help make vaccines or drugs), and the key experiment (doing it with humans) is unethical, and hence unfalsifiable. The ethics is also really problematic, since the rate of lab releases is not negligible and a flu outbreak can easily kill people – it has a skew distribution with a heavy tail.

iPhone self-owns

your jesusphone will naively try to connect to a computer and immediately sync data any time it is plugged into a USB port for charging, which of course can be exploited. the simplest solution is to get a device that doesn’t suck, or you can get some awkward “adapter”.

Antivirus is dead

Antivirus joins firewalls in the hall of security technology from another time

Put simply, a crypting service takes a bad guy’s piece of malware and scans it against all of the available antivirus tools on the market today — to see how many of them detect the code as malicious. The service then runs some custom encryption routines to obfuscate the malware so that it hardly resembles the piece of code that was detected as bad by most of the tools out there. And it repeats this scanning and crypting process in an iterative fashion until the malware is found to be completely undetectable by all of the antivirus tools on the market.

amazingly honest given how terrible “anti virus” software is.

Panda users had a bad hair day on Wednesday, after the Spanish security software firm released an update that classified components of its own technology as malign. As a result, enterprise PCs running the antivirus software tied themselves in something of a knot, leaving some systems either unstable or unable to access the internet.

err, no. “anti virus” has been snake oil since forever.

There was kind of an unspoken rule not to attack the security industry. But now they are ruining the last island of safety for all these organizations and companies, which is very alarming for us.

OpenSSL

note lack of any tests for the change that added heartbeat support to openssl. the open source “quality” process has a long way to go.

2014-04-17:

No central architectural authority, 6740 goto statements, Inline assembly code, Multiple different coding styles, Obscure use of macro preprocessors, Inconsistent naming conventions, Far too many selections and options, Unexplained dead code, Misleading and incoherent comments: it became the default landfill for prototypes of cryptographic inventions

2014-05-20: good overview of how the cleanup of openssl progresses, 1 month in.
side note, is this the state of open source slide programs? static images without accessible text? oy
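As an added example of the kind of test the commentary above says was missing, here is a small heartbeat-message parser with the bounds check a unit test would exercise. This is not OpenSSL's code; the message layout (one type byte, a two-byte payload_length, the payload, then at least 16 bytes of padding) follows RFC 6520, and the test vectors are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN 3   /* HeartbeatMessageType (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16 /* RFC 6520 requires at least 16 bytes of padding */

/* Validate a heartbeat message body and locate its payload.
 * Returns the payload length, or -1 when the peer-supplied payload_length
 * does not fit inside the bytes actually received. */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, const uint8_t **payload)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != 1 && rec[0] != 2)       /* heartbeat_request(1) / heartbeat_response(2) */
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check that matters: bound by the record length, not by the peer's field. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    if (payload != NULL)
        *payload = rec + HB_HEADER_LEN;
    return (int)claimed;
}

/* Build a heartbeat_response that echoes only the validated payload.
 * Returns bytes written, or -1 if the request is malformed or out is too small. */
int heartbeat_build_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_len)
{
    const uint8_t *payload = NULL;
    int plen = heartbeat_parse(rec, rec_len, &payload);
    if (plen < 0)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)plen + HB_MIN_PADDING;
    if (out_len < need)
        return -1;
    out[0] = 2;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, (size_t)plen);
    /* Constructed: zero padding for a deterministic test; RFC 6520 says padding is random. */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed test vectors (not real captures). */
static const uint8_t hb_good[] = {
    1, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t hb_bad[] = {
    1, 0xff, 0xff, 'p', 'i', 'n', 'g',   /* claims 65535 bytes, carries 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int heartbeat_parse_good(void) { return heartbeat_parse(hb_good, sizeof hb_good, NULL); }
int heartbeat_parse_bad(void)  { return heartbeat_parse(hb_bad, sizeof hb_bad, NULL); }

int main(void)
{
    uint8_t resp[64];
    int n = heartbeat_build_response(hb_good, sizeof hb_good, resp, sizeof resp);
    printf("good: payload=%d response=%d bytes\n", heartbeat_parse_good(), n);
    printf("bad:  parse=%d (rejected)\n", heartbeat_parse_bad());
    return 0;
}
```

The point of the second vector is that a test of this shape takes a few lines to write and fails loudly if the parser ever trusts the peer's length field instead of the received record length.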