Tag Archives: Security

Inertial Measurement Units

Posted on by
Reply

Happily, a few decades from now a GPS signal might not be required at all for many things. If atomic clocks get cheaper, then they could be built into everything that needs accurate time. And eventually you’ll be able to navigate without any external signals, thanks to devices called “inertial measurement units”, which track your movements from a known start point. Today, these IMUs use gyroscopes to measure orientation, plus accelerometers to tell how fast it is accelerating. Using this information, plus time, the acceleration is converted into speed and distance to reveal relative location.
David Hambling’s NewScientist article “GPS chaos: How a $30 box can jam your life

I bet it’s a lot sooner than “a few decades”.

The article was a real eye opener for me on our dependency on GPS, and how fragile the technology is.

The Inners of a Small Computer Security Firm

Posted on by
3 
From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed
From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok,
it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure.
your password is changeme123

i am online so just shoot me if you need something.

in europe, but not in finland? :-) 

_jussi
...

I stayed up much too late last night reading the fascinating Anonymous vs Aaron Bar, HGary, HBGary Federal, Greg Hoglund, rootkit.com well researched and written articles on Ars Technica, mostly by Nate Anderson. (Fascinating at least to a software developer, particularly web developer.)

Start with “How one man tracked down Anonymous—and paid a heavy price“, then read “Anonymous speaks: the inside story of the HBGary hack” by Peter Bright. If you still want more also read “Spy games: Inside the convoluted plot to bring down WikiLeaks“, “Black ops: how HBGary wrote backdoors for the government” and take a look at Joseph Bonneau’s “Measuring password re-use empirically“.

Some high (or lowlights depending on how you see it) technical elements include:

  • An email admin with an 8 letter all lower and number password used on many other sites.
  • Custom CMS on two sites with unsalted password hashes.
  • Custom CMS with non-complex SQL injection.
  • Classic computer system access social engineering.

This is negligence at any company with sensitive customer data, but at a computer security firm this is dereliction of duty.

There there is the unsubstantiated public accusations that could result in severe USA federal criminal charges for the accused, and down right criminal behavior by a white hat security firm.

Aaron Bar for all his arrogance, ego and unethical behavior still comes across to me as the fall guy for a whole (small) computer security firm that had failed to take care of its own security, and has lost its moral compass.

Everything In Our Power

Posted on by
Reply

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

Matt Mullenweg, September 5, 2009, “How to Keep WordPress Secure“,

Do read the rest of the potent post — articulate, insightful, and honest.

WARNING: The following packages cannot be authenticated!

Posted on by
1

Today, when I tried to <code>aptitude install</code> a package on Ubuntu the response was “WARNING: The following packages cannot be authenticated!”

I received a similar warning when I tried to use Synaptic Package Manager.

I checked and made sure that the software was trying to install from the official repository.

I’m not really sure of the cause, or when it started happening, but I have seemed to have fixed this by cleaning out most of the keys.

Continue reading