Obama: Treat broadband—including mobile—as a utility

In a plan released today, Obama said, “The time has come for the FCC to recognize that broadband service is of the same importance [as the traditional telephone system] and must carry the same obligations as so many of the other vital services do. To do that, I believe the FCC should reclassify consumer broadband service under Title II of the Telecommunications Act—while at the same time forbearing from rate regulation and other provisions less relevant to broadband services. This is a basic acknowledgment of the services ISPs provide to American homes and businesses, and the straightforward obligations necessary to ensure the network works for everyone—not just one or two companies.”

via Obama: Treat broadband—including mobile—as a utility | Ars Technica.

Reclassification of broadband service is almost certain to bring lawsuits from the telecommunications industry.

The Internet Dodges Another Bullet With Wget Flaw

“It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP,” developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.

via The Internet Dodges Another Bullet With Wget Flaw.

Wget is a Linux command-line tool that lets a shell script download a web page and store it in a file.  This bug concerns using wget with an FTP URL to retrieve a directory recursively, not the HTTP downloads wget was designed for.  Here are a couple more snippets about this bug.

“Random bug found by accident, but the implication is that the FTP server can overwrite your entire filesystem,” Moore tweeted to eWEEK.

Don’t use wget for ftp.  Don’t run wget with root permissions.

So just to recap here, Wget is on nearly every Linux server in the world, and it had a flaw that could have enabled anyone to overwrite directories on a server. That’s very serious.

You should only use wget for HTTP downloads.  This doesn’t sound like one of those “Internet dodges a bullet” problems.
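The symlink problem the quote describes leaves an artifact on disk: a link inside the mirrored directory whose target resolves somewhere outside it. The following is an added example (not code from wget, Red Hat or eWEEK) that walks a download directory without following links and reports any symlink escaping the mirror root; the sample tree it scans is constructed in the script itself, and the file names and prefix are hypothetical.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Walk `root` without following links and return (link, target) pairs for
    every symlink whose resolved target lies outside the real path of `root`."""
    root_real = os.path.realpath(root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows the whole chain of links, including relative ones
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                escaping.append((path, os.readlink(path)))
    return escaping


def build_sample_tree():
    """Constructed sample (not real FTP content): a mirror directory holding one
    link that stays inside the tree and one that points at a system file."""
    base = tempfile.mkdtemp(prefix="ftp-mirror-")
    pub = os.path.join(base, "pub")
    os.mkdir(pub)
    with open(os.path.join(pub, "readme.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    os.symlink("readme.txt", os.path.join(pub, "safe-link"))       # stays inside
    os.symlink("/etc/passwd", os.path.join(pub, "escaping-link"))  # points outside
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for link, target in escaping_symlinks(base):
        print(f"symlink escapes mirror root: {link} -> {target}")
```

Running the check before any later script writes into the mirror is the point: a link that resolves outside the tree means a subsequent write through that path lands on the system file, which is the overwrite Moore describes. wget also has a `retr-symlinks` option that makes recursive FTP retrieval fetch the linked file instead of recreating the link; the check above is for trees that are already on disk.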

The Horror of a ‘Secure Golden Key’

A “golden key” is just another, more pleasant, word for a backdoor—something that allows people access to your data without going through you directly. This backdoor would, by design, allow Apple and Google to view your password-protected files if they received a subpoena or some other government directive. You’d pick your own password for when you needed your data, but the companies would also get one, of their choosing. With it, they could open any of your docs: your photos, your messages, your diary, whatever.

via The Horror of a ‘Secure Golden Key’.

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability “shellshock” since it affects computer command interpreters known as shells.

via Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild – Slashdot.

This is a very confusing issue.  I found the above comment to be the most informative right now as this issue unfolds.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linux and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a “web server” in the sense of a server providing content of interest to the casual or “normal” user, many do provide web-based interfaces for diagnostics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.
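The “flurry of scans” in the headline is visible in ordinary web server logs, because a shellshock probe has to place a bash function definition (the `() {` prefix) in an HTTP header that a CGI script exports into the environment. The following is an added example, not code from Slashdot or from the quoted commenter, that parses Apache-style combined log lines and flags any request whose request line, Referer or User-Agent carries that prefix. The log lines are constructed here with documentation-range addresses, not captured from a real server.

```python
import re

# Apache "combined" log line:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash function-definition prefix that shellshock probes place in header values;
# CGI scripts export those headers as environment variables, which is where the
# vulnerable bash parsed them.
SHELLSHOCK_MARK = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Scan log lines and return one record per field that carries the marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_MARK.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "time": rec["time"],
                    "field": field,
                    "value": rec[field],
                    "request": rec["request"],
                })
    return hits


# Constructed sample log: two probes from one scanner, one ordinary visit.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo scanned"',
    '198.51.100.20 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 0 "() { ignored; }; echo probe" "curl/7.37.0"',
]


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["field"]}: {hit["value"]!r}')
```

Counting hits per source address over a day is the simplest way to separate a scanner sweeping `/cgi-bin/` from a stray match; note that a 404 on the probed path, as in the third line, means the probe found nothing to execute on that host, but it still records who is looking.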

Notes on the Celebrity Data Theft

After this story broke I spent some time immersed in the crazy, obsessive subculture of celebrity nudes and revenge porn trying to work out what they were doing, how they were doing it and what could be learned from it.

1. What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).

via New Web Order » Nik Cubrilovic » Notes on the Celebrity Data Theft.

Why would Chinese hackers want hospital patient data?

people without health insurance can potentially get treatment by using medical data of one of the hacking victims. Halamka, who also runs the “Life as a healthcare CIO” blog, said a medical record can be worth between US$50 and $250 to the right customer — many times more than the amount typically paid for a credit card number, or the cents paid for a user name and password.

via Why would Chinese hackers want hospital patient data? | ITworld.

Red tape ties up private space.

Three House members—Mike Coffman (R-Colo.), Mo Brooks (R-Ala.), and Cory Gardner (R-Colo.)—have sent a memo to NASA demanding that the agency investigate what they call “an epidemic of anomalies” with SpaceX missions.

via Congress and SpaceX: Red tape ties up private space.

That’s why this whole thing looks to me to be a transparent attempt from members of our Congress to hinder a privately owned company that threatens their own interests.

Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either. The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

via Schneier on Security: Over a Billion Passwords Stolen?.

From: Krebs on Security in an article entitled Q&A on the Reported Theft of 1.2B Email Accounts

These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

Overall, Krebs trusts a researcher who claims to have seen this data firsthand.  According to Krebs:

I’ve known Hold Security’s Founder Alex Holden for nearly seven years.

and

Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real.
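Krebs names SQL injection as the favored way such gangs make a site “cough up user data.” The following is an added example, not code from Krebs on Security, Hold Security or Schneier, showing the defect in miniature against an in-memory SQLite table of constructed accounts: a lookup built by string concatenation returns every row when the input carries SQL syntax, while the parameterized form treats the same input as a plain value and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample credential table (hypothetical accounts, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by concatenation: attacker-controlled input becomes SQL
    syntax, so a crafted value changes the WHERE clause instead of matching it."""
    query = "SELECT email, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver passes the value separately from the
    statement text, so it can only ever be compared, never parsed as SQL."""
    return conn.execute(
        "SELECT email, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input carrying SQL syntax
    print("concatenated query returns", len(lookup_vulnerable(conn, crafted)), "rows")
    print("parameterized query returns", len(lookup_safe(conn, crafted)), "rows")
```

The row count is the whole story: one concatenated lookup on an unauthenticated endpoint is enough to dump the entire credential table, which is how a single site contributes thousands of email/password pairs to the kind of haul the story describes. Code review for concatenated SQL, and a database account for the web application that cannot read tables it does not need, limit what any one such bug can yield.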