Logjam: How Diffie-Hellman Fails in Practice

We have published a technical report, Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice, which has specifics on these attacks, details on how we broke the most common 512-bit Diffie-Hellman group, and measurements of who is affected. We have also published several proof of concept demos and a Guide to Deploying Diffie-Hellman for TLS.

Source: Logjam: How Diffie-Hellman Fails in Practice

What should I do?

If you run a server…

If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.
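To confirm that a freshly generated group really meets the 2048-bit recommendation before it goes live, here is an added Python check (not part of the original post or of the deployment guide it links) that decodes the PKCS#3 structure inside a DH PARAMETERS PEM file, as written by `openssl dhparam`, and reports the prime's bit length. The sample groups it builds are constructed stand-ins with the right sizes, not real safe primes.

```python
import base64
# A "DH PARAMETERS" PEM file (what `openssl dhparam` writes) holds a PKCS#3 DHParameter:
# SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }. Decoding it with only
# the standard library lets a deployment check confirm the prime is >= 2048 bits.
MIN_DH_BITS = 2048

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return (p, g) from the DH PARAMETERS block in a PEM string."""
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS block")
    tag, body, _ = _read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, INTEGER g }")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def dh_group_bits(pem):
    return parse_dh_params(pem)[0].bit_length()

def dh_group_is_acceptable(pem):
    return dh_group_bits(pem) >= MIN_DH_BITS
# Minimal DER encoder, used only to build constructed sample files for the check above.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def _der_int(n):  # adds a leading zero byte exactly when needed to keep the sign bit clear
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(b)) + b

def make_dh_pem(p, g=2):
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
# Constructed stand-ins (not real safe primes) with the bit lengths that matter here.
WEAK_PEM = make_dh_pem((1 << 511) | 1)     # 512-bit, the export-grade size Logjam breaks
STRONG_PEM = make_dh_pem((1 << 2047) | 1)  # 2048-bit, the size recommended above
```

Point `parse_dh_params` at the contents of the dhparams file your web server config references and the check tells you whether that group belongs in production.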

Prosecutors suspect man hacked lottery computers to score winning ticket

In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren’t connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal.

via Prosecutors suspect man hacked lottery computers to score winning ticket | Ars Technica.

Introducing WinSCP

WinSCP is an open source free SFTP client, FTP client, WebDAV client and SCP client for Windows. Its main function is file transfer between a local and a remote computer. Beyond this, WinSCP offers scripting and basic file manager functionality.

via Introducing WinSCP :: WinSCP.

This is a very useful program to get files off a PC and onto a Linux server which supports these services out of the box. I find Samba to be too clunky, unreliable, and very noisy on an open network by broadcasting packets to everyone. Only now did I have a need for something like this and SCP solves my problem and is more secure and easier to use than standard FTP. I still map drives using Samba on my closed network but I may try out the Windows version of sshfs sometime in the future. The user interface on this tool is very intuitive and works well.

IBM Introduces z13, a Mainframe for the Smartphone Economy

These real-time applications, according to Donna Dillenberger, a distinguished engineer at IBM’s Watson lab, can be done in a mainframe environment. They are not yet possible on clusters of smaller, industry-standard computers, she said. But there are several open-source software projects, like Apache Spark, that focus on real-time data processing across large numbers of computers.

via IBM Introduces z13, a Mainframe for the Smartphone Economy – NYTimes.com.

He estimates the total cost of ownership including hardware, software and labor will be 50 percent less with a mainframe than on his “sprawling server farm,” given the growing complexity of managing hardware and software from several suppliers.

Touring A Carnival Cruise Simulator: 210 Degrees Of GeForce-Powered Projection Systems

Overall, this was a fascinating example of how improvements in GPU hardware have allowed companies to build simulation centers that weren’t really possible before. Shipping companies and airlines have used some type of simulation for decades, but the type and nature of the environments those simulations can include is rapidly expanding — and such improvements at the industrial scale inevitably trickle down to consumer hardware and applications.

via Touring A Carnival Cruise Simulator: 210 Degrees Of GeForce-Powered Projection Systems.

Weather.com Moves to Drupal

When the new Weather.com launches it will be the highest trafficked Drupal site in existence with over 1 billion page views per month.

via Mediacurrent | Weather.com Moves to Drupal.

On the technical side, our approach was to increase cache efficiency by utilizing JavaScript and Edge Side Includes (ESI) for client side rendering as well as optimizing calls made to their content delivery network (CDN), Akamai.


Top Open-Source Static Site Generators

The typical CMS driven website works by building each page on-demand, fetching content from a database and running it through a template engine. This means each page is assembled from templates and content on each request to the server.

For most sites this is completely unnecessary overhead and only adds complexity, performance problems and security issues. After all, by far most websites only change when the content authors or their design team make changes.

A Static Site Generator takes a different approach and generates all the pages of the website once, when there are actually changes to the site. This means there are no moving parts in the deployed website. Caching gets much easier, performance goes up and static sites are far more secure.

via Top Open-Source Static Site Generators – StaticGen.

Web app open source alternatives

You can replace a number of popular web apps with solid open source alternatives. If you want to embrace your inner geek, you can even run many of them on your own web server. Or, you can use hosted versions of those apps which will only set you back a few dollars a month.

Let’s take a look at 5 open source alternatives to some popular web apps.

via Web app open source alternatives | Opensource.com.

I have been pleased with ownCloud, which he lists as one of the five. Its install was straightforward and it works, allowing for easy file sync with my Android tablet using their app as a client and their software on a specified server.

Here’s another one of the five I hadn’t heard before which prompted me to repost this article here:

ownStaGram is a self hosted replacement for Instagram. All you need is a web server that runs PHP and MySQL, and you can install it in a few minutes. From there, you can upload photos from your computer to your instance of ownStaGram. Or, you can use the Android app (which includes several of those hackneyed Instagram-like filters).

I will give ownStaGram a try and post my thoughts soon.

Update: I ran ownStaGram on a Fedora 19 build running PHP 5.5 and a warning message popped up about a deprecated mysql connect method. This is clearly a problem that hasn’t been fixed in quite a while. Tried to download their app from Google Play but couldn’t find it. Some of the comments on the web version of Google Play suggested it was a buggy app which may be why it got pulled.

ownStaGram is a good concept.  I’d love to be able to snap a pic and have it automatically upload onto my local “cloud” device connected only to the local wifi.

How a new HTML element will make the Web faster

When the browser encounters a Picture element, it first evaluates any rules that the Web developer might specify. (Opera’s developer site has a good article on all the possibilities Picture offers.) Then, after evaluating the various rules, the browser picks the best image based on its own criteria.

via How a new HTML element will make the Web faster | Ars Technica.

Critical vulnerabilities in web-based password managers found

The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, and they did it to evaluate their security in practice, and to provide pointers to “guide the design of current and future password managers.”

“Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop,” they pointed out, and are advocating a defense-in-depth approach.

via Critical vulnerabilities in web-based password managers found.