The biggest iPhone security risk could be connecting one to a computer

Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.

Wang’s team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn’t see a warning.

That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.

via The biggest iPhone security risk could be connecting one to a computer – Computerworld.

Red tape ties up private space.

Three House members—Mike Coffman (R-Colo.), Mo Brooks (R-Ala.), and Cory Gardner (R-Colo.)—have sent a memo to NASA demanding that the agency investigate what they call “an epidemic of anomalies” with SpaceX missions.

via Congress and SpaceX: Red tape ties up private space.

That’s why this whole thing looks to me to be a transparent attempt from members of our Congress to hinder a privately owned company that threatens their own interests.

5 new guides for mastering OpenStack

Sometimes things go wrong, and instances can go down in unexpected ways. Even if the instance has disappeared, OpenStack might still think it’s there. If this happens, one way to deal with it is to delete these phantom instances directly from OpenStack’s database. This guide will show you how to do that with a simple script.

via 5 new guides for mastering OpenStack | Opensource.com.

‘Unparticles’ May Hold The Key To Superconductivity, Say Physicists

In very simple terms, when that happens, material properties such as resistance no longer depend on the length scales involved. So if electrons move without resistance on a tiny scale, they should also move without resistance on much larger scales too. Hence the phenomenon of superconductivity.

“We have described how it is possible for unparticles in strongly correlated matter to mediate superconductivity,” say LeBlanc and Grushin.

via ‘Unparticles’ May Hold The Key To Superconductivity, Say Physicists — The Physics arXiv Blog — Medium.

Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

via Schneier on Security: Over a Billion Passwords Stolen?

From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts

These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

Overall, Krebs trusts some researcher who claims to have seen this data firsthand. According to Krebs:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years.

and

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.

Wikipedia’s monkey selfie ruling is a travesty for the world’s monkey artists


The “monkey selfie” in question is a diamond in the mud: a truly remarkable portrait, perfectly focused and strategically positioned to capture a mischievous yet vulnerable smile. If that macaque had an Instagram account she’d have, like, a million followers.

But she doesn’t, and the sorry state of our copyright law – as interpreted by the Copyright Office and exploited by Wikipedia – is to blame. Due to the backwards treatment of animal creators everywhere, monkey art (and monkey photography in particular) continues to languish. How is an aspiring monkey photographer supposed to make it if she can’t stop the rampant internet piracy of monkey works?

via Wikipedia’s monkey selfie ruling is a travesty for the world’s monkey artists | Sarah Jeong | Comment is free | theguardian.com.

It is an incontrovertible fact that a society with more monkey selfies is better than a society with none, so, as long as monkeys are denied copyright, we all lose.

Rosetta arrives at comet destination

“After ten years, five months and four days travelling towards our destination, looping around the Sun five times and clocking up 6.4 billion kilometres, we are delighted to announce finally ‘we are here’,” says Jean-Jacques Dordain, ESA’s Director General.

“Europe’s Rosetta is now the first spacecraft in history to rendezvous with a comet, a major highlight in exploring our origins. Discoveries can start.”

via Rosetta arrives at comet destination / Rosetta / Space Science / Our Activities / ESA.

From: Re-Live the excitement

For those of you who couldn’t follow the live streamed event this morning, here’s a short summary of what happened here at ESA’s European Space Operations Centre in Darmstadt at the Rosetta Rendezvous event. A full replay of the livestream can be found here.

A couple of pics here.

Previous coverage of it waking up here and of it having its software upgraded here.

SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices

It’s not clear yet how SynoLocker’s operators installed the malware, for example, if they had exploited a vulnerability in Synology devices. CSO Australia has asked Synology for comment and will update the story if it receives one.

According to the victim, Synology’s support team are interested in hearing from victims who have not reinstalled its Linux-based DiskStation Manager NAS operating system. Synology’s NAS devices were hit late last year by scammers looking to use their compute power to mine several cryptocurrencies, including Bitcoin.

via SynoLocker demands 0.6 Bitcoin to decrypt Synology NAS devices – CSO | The Resource for Data Security Executives.

Having proper backups would thwart this attack. Simply wipe the box and rebuild the NAS.

Ed, man! !man ed

When I log into my Xenix system with my 110 baud teletype, both vi and Emacs are just too damn slow. They print useless messages like, ‘C-h for help’ and ‘“foo” File is read only’. So I use the editor that doesn’t waste my VALUABLE time.

Ed, man! !man ed

via Ed, man! !man ed – GNU Project – Free Software Foundation (FSF).

When IBM, in its ever-present omnipotence, needed to base their “edlin” on a Unix standard, did they mimic vi? No. Emacs? Surely you jest. They chose the most karmic editor of all. The standard.

Ed is for those who can remember what they are working on. If you are an idiot, you should use Emacs. If you are an Emacs, you should not be vi. If you use ED, you are on THE PATH TO REDEMPTION. THE SO-CALLED “VISUAL” EDITORS HAVE BEEN PLACED HERE BY ED TO TEMPT THE FAITHLESS. DO NOT GIVE IN!!! THE MIGHTY ED HAS SPOKEN!!!

Create an Army of Raspberry Pi Honeypots on a Budget

Organizations typically focus on monitoring inbound and outbound network traffic via firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario above, a firewall will not protect or alert us.

By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor. Since there isn’t a good reason to interact with it (since it doesn’t do anything), activity on the Raspberry Pi is usually indicative of something roaming around our network and a possible security breach.

via Create an Army of Raspberry Pi Honeypots on a Budget | ThreatStream.
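The sensor idea in the excerpt above, as an added example of my own rather than ThreatStream's code: a low-interaction TCP listener that accepts any connection, serves nothing, and records every touch as an event, plus a per-source summary that separates a single stray connection from a host sweeping several sensor ports. Binding to 127.0.0.1, the port list, and the `touch` client helper are assumptions for running it locally; on a real Pi you would bind the LAN interface and ship events to your SIEM.

```python
import socket
import threading
from datetime import datetime, timezone

class HoneypotSensor:
    """Accept any TCP connection, provide no service, log every touch.
    Nothing legitimate should talk to this host, so each event is a lead."""
    def __init__(self, ports, bind_addr="127.0.0.1"):  # bind_addr is a local-run assumption
        self.ports, self.bind_addr = ports, bind_addr
        self.events, self._cv = [], threading.Condition()
    def record(self, peer, dst_port, first_bytes):
        event = {"ts": datetime.now(timezone.utc).isoformat(), "src_ip": peer[0], "src_port": peer[1],
                 "dst_port": dst_port, "first_bytes": first_bytes[:64].hex()}  # bounded evidence
        with self._cv:
            self.events.append(event)
            self._cv.notify_all()
        return event
    def wait_for(self, n, timeout=5.0):  # block until n events exist (self-test aid)
        with self._cv:
            return self._cv.wait_for(lambda: len(self.events) >= n, timeout)
    def _handle(self, conn, peer, dst_port):
        conn.settimeout(2.0)
        try:
            data = conn.recv(1024)  # whatever the peer sends first, if anything
        except (socket.timeout, OSError):
            data = b""
        conn.close()
        self.record(peer, dst_port, data)
    def _serve(self, srv, dst_port):
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=self._handle, args=(conn, peer, dst_port), daemon=True).start()
    def start(self):  # bind each sensor port; returns the actual ports (0 = OS-chosen)
        bound = []
        for port in self.ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.bind((self.bind_addr, port))
            srv.listen(16)
            bound.append(srv.getsockname()[1])
            threading.Thread(target=self._serve, args=(srv, bound[-1]), daemon=True).start()
        return bound

def summarize(events):  # source IP -> sensor ports touched; several ports = a sweep
    by_src = {}
    for e in events:
        by_src.setdefault(e["src_ip"], set()).add(e["dst_port"])
    return {ip: sorted(p) for ip, p in by_src.items()}

def touch(host, port, payload=b""):  # constructed client helper to exercise the sensor locally
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(payload)
```

The `first_bytes` field keeps whatever the peer sent first (a banner, a probe), which is usually enough to tell a misconfigured backup agent from a scanner.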