FBI anti-terror official calls on tech firms to ‘prevent encryption above all else’

“When a company, a communications company or a ISP or social media company elects to build in its software encryption, end-to-end encryption, and leaves no ability for even the company to access that, we don’t have the means by which to see the content”, he added.

“When we intercept it, we intercept encrypted communications. So that’s the challenge: working with those companies to build technological solutions to prevent encryption above all else.”

Source: FBI anti-terror official calls on tech firms to ‘prevent encryption above all else’ | Technology | The Guardian

Steinbach insisted that he wasn’t asking for a “back door” to be built into encryption products, telling legislators that “we’re not looking at going through a back door or being nefarious.”

He proposes using the side door, the door no one else knows about, instead.

Slashdot burying stories about Slashdot Media owned SourceForge

If you’ve followed any tech news aggregator in the past week, you’ve probably seen the story about how SourceForge is taking over admin accounts for existing projects and injecting adware in installers for packages like GIMP. For anyone not following the story, SourceForge has a long history of adware laden installers, but they used to be opt-in. It appears that the process is now mandatory for many projects.

Source: Slashdot burying stories about Slashdot Media owned SourceForge

How is it possible that someone, somewhere, thinks that censoring SourceForge’s adware bundling on Slashdot is a net positive for Slashdot Media, the holding company that owns Slashdot and SourceForge? A quick search on either Google or Google News shows that the story has already made it to a number of major tech publications, making the value of suppressing the story nearly zero in the best case.

I find this entire situation incredible. Sourceforge was my go-to site for FOSS and I have been using them for as long as I can remember.

Ever since the Linux world moved to repositories where a simple yum install or apt-get loads up the entire package, it has been a while since I perused Sourceforge. I have a set of FOSS utilities for PCs that I always download from the site that produced the software, not Sourceforge. Many of those sites are listed on the sidebar under Tools.

All this started on Sourceforge a couple of years ago but people seem to be upset that it has recently hit the popular photo editor GIMP for Windows.  On Linux it’s just:

sudo yum install gimp

… and that’s all there is to it.  No adware, malware, nothing to worry about … so far.

As for FileZilla, the FTP program Sourceforge began making custom installers for a couple of years ago, I prefer WinSCP on my Windows boxes nowadays, although I have used FileZilla for many many years. Always download from the source site of the software and you shouldn’t have any problems. Sourceforge was the last one standing and now they have gone the route taken by CNET and Download.com many many years ago.

Here’s a Reddit thread posted a year ago about FileZilla and Sourceforge so this story isn’t something new.

That’s really deceptive. Filezilla for example, the big green DOWNLOAD button that is the correct way for downloading a file says the file name. Yet when you click it, you are taken to a page that offers you a different file name. Someone also pointed out that it’s signed by ASK.com and reporting back in with ASK.com for data. I never want ask.com associated with anything I do.

Source: Sourceforge starts using “enhanced” (adware) installers : technology

Rosetta team propose ending mission by landing on comet

The mission is currently set to end in December 2015, after which Rosetta could simply be switched off as it continues to orbit the comet, and the mission team disperse to work on new projects. But for several months now a plan has been quietly hatched to see the craft go out with a bang by being brought down to a collision with 67P.

Source: Rosetta team propose ending mission by landing on comet – Sen.com

It would see the spacecraft brought gradually closer to the comet in a slowly spiralling orbit that would allow its cameras and instruments to gain ever more detailed views and measurements of the twin-lobed icy body. Then eventually—probably in September 2016—it would collide with the comet, bringing the mission to an end.

Computer chips made of wood promise greener electronics

The researchers used a cellulose material for the substrate of the chip, which is the part that supports the active semiconductor layer. Taken from cellulose, a naturally abundant substance used to make paper, cellulose nanofibril (CNF) is a flexible, transparent and sturdy material with suitable electrical properties.

Source: Computer chips made of wood promise greener electronics

In a conventional chip, the support substrate is made of the same material as the active layer, but in the CNF chip, only the active layer is semiconductor material.

DEF CON SOHOpelessly Broken Router Hacking Contest

Young said the routers largely lacked any form of authentication happening on the server; instead, the routers were doing password authentication on the browser. Compromising password hashes wasn’t much of a barrier for the contestants, and for hackers in the wild as well.

Source: DEF CON SOHOpelessly Broken Router Hacking Contest | Threatpost | The first stop for security news

Young said he would download the firmware from the respective vendor, extract it using tools such as Firmware Mod Kit to explore its design and eventually learn which files house administrative passwords and how the web server logic works with the router. Some models such as Netgear, TrendNet and others will return the password when submitted with the proper request.

This is why admin access to a SOHO router should only be accessible from the LAN side and not the WAN side. Making admin changes should happen rarely. One of the biggest things a malicious actor can do is point DNS requests to their malicious server, allowing them to divert all LAN traffic to wherever they want. Devices typically get a DNS address when they obtain an IP address from the router via DHCP.

Kicking the SOHO router seems to be a hot topic today. From: The Moose is loose: Linux-based worm turns routers into social network bots | Ars Technica

The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.

Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

You can read the paper here.

This paper is the last artifact of my work at Mozilla, since I left employment there at the beginning of April. I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable “free” content are in direct conflict with security, privacy, stability, and performance concerns — and that Firefox is first and foremost a user-agent, not an industry-agent.

Source: Monica at Mozilla: Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

Mars Rover’s ChemCam Instrument gets sharper vision

Likewise, the laser analyses were done at nine different focus settings to obtain one good set of data. In the meantime, the team went back to the drawing board. They figured out that if they discarded a lot of the old code on board their distant subject, they could make room for software that could command the instrument to take the nine images on its own and analyze them on-board to find the best focus.

Source: Mars Rover’s ChemCam Instrument gets sharper vision

The program to run the whole instrument is only 40 kilobytes. The first tests on Mars were completed earlier this week.

ExifTool by Phil Harvey

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. ExifTool supports many different metadata formats including EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, FLIR, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony.

Source: ExifTool by Phil Harvey

Expanding Magnets Have Potential to Energize the World

Because these new magnets also have energy efficient characteristics, they can be used to create a new generation of sensors and actuators with vanishingly small heat signatures, said the researchers. These magnets could also find applications in efficient energy harvesting devices; compact micro-actuators for aerospace, automobile, biomedical, space and robotics applications; and ultra-low thermal signature actuators for sonars and defense applications.

Since these new magnets are composed of alloys that are free of rare-earth elements, they could replace existing rare-earth based magnetostriction alloys, which are expensive and feature inferior mechanical properties, said researchers.

Source: Expanding Magnets Have Potential to Energize the World | UMD Right Now :: University of Maryland

Logjam: How Diffie-Hellman Fails in Practice

We have published a technical report, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, which has specifics on these attacks, details on how we broke the most common 512-bit Diffie-Hellman group, and measurements of who is affected. We have also published several proof of concept demos and a Guide to Deploying Diffie-Hellman for TLS.

Source: Logjam: How Diffie-Hellman Fails in Practice

What should I do?

If you run a server…

If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.