Safe Browsing At Home

13. May, 2011

If you’re worried about security while you’re browsing the web (and you probably should be), here is a simple solution that might actually work (or at least raises the bar quite a bit): BitBox (German)

In a nutshell, it’s a secured Linux system running Firefox 4 inside of VirtualBox. The browser can only access the resources of the virtual PC.

So to infect your real system, the hacker must break Firefox on Linux (which is hard), break Linux (hard), and break through the virtual PC layer (not that easy either) before being able to infect your real PC (as opposed to just infecting your PC).


AeroFS – A New Distributed File System

11. May, 2011

AeroFS is a new distributed file system (from their website):

Unlimited Storage

Using AeroFS, you can sync all the data on your devices. No limits. No caps. You already have your storage, now use it!

Ultimate Privacy

AeroFS will never store your files in the cloud (unless you want to, of course ;-). Your files will only be shared with those who you invite.

Better Security

AeroFS encrypts your data end-to-end. This way, we are able to provide better security than most online storage services. Seriously.

  • Because AeroFS is completely distributed, even if we experience downtime, you won’t!

Sounds like an interesting solution. Especially since your data never leaves your country (unless you add foreign servers) and there is only very little cost for the company behind the service (you run all the involved servers).

With Dropbox and similar services, you can never be sure where your data ends up. They say it’s safe but that only holds true until a) the company goes bankrupt or b) some government agency knocks on their doors to hunt terrorists.

When Laziness Gets Expensive

9. May, 2011

According to heise online (German, video in English), Professor Dr. Eugene Spafford estimates the cost of Sony’s EPIC FAIL to secure their PSN servers at 21 billion dollars.

Wow. 21 … fucking … BILLION … dollars. That’s 70’000’000 PS3s. 70 million PS3s. 36 million iPhone 4s. 700’000 cars at $30’000/each. They must be doing pretty well to be able to afford such a loss.

And it’s not that they didn’t see it coming. Sony knew for months that their servers were outdated and missing crucial security patches. Well, someone decided that it wasn’t worth fixing that. So: EPIC FAIL. Again. And again. Will they ever learn?

That feels like the same arrogance which led to the lawsuit against geohot and graf_chokolo. Which probably made someone on the Internet so angry that they decided to give Sony this wedgie. Message to Sony: It’s not smart to be arrogant in the face of overwhelming odds.

You have, say, 1’000 people working to protect your assets. The world has a population of 7 billion (and you just lost 3 dollars to each and every one of them) and the probability that one of them can kick you where it really hurts is about 1. At least.

Of course, the company is now using all its power to hunt down the little bastard. Sony, if you read this: Don’t be surprised if a 13-year-old kid outwitted your whole security team.

Or rather the manager, who told the team not to fix those servers. But no, managers are never wrong. So the team must be punished. Fire them! All of them! Without supper! Serves them right! And don’t forget to sue the kid! Sue him to hell! Make sure he is not allowed to touch an electronic device ever again. EVER! It’s not your fault what happened! Try to create more DMCA-like laws! So you can sue more people! Get your engineering team to build a time traveling device so you can sue in advance! Force parents to divorce so they can’t breed anything threatening your revenue! Show the world who’s boss! Dictatorships never worked before but that should not stop you! It should rather encourage you! Grow by setting challenging goals!

See where this leads and why you can never win?

Making the world-wide security community hate you even more is your best bet! Trust me, I know at least as well as the guy who created this mess. And you trusted him, didn’t you?


What Sony Cares About

28. April, 2011

So Sony’s PSN user database was hacked. It seems the credit card data was in a safe place elsewhere. Encrypted.

The user data wasn’t encrypted.

Which leads me to an interesting thought: Apparently, the money was more important to Sony than the gamers.

Or maybe the credit card companies told Sony in very clear terms how to handle the precious credit card numbers, so Sony complied with those rules, and when it came to passwords, age, place where you live, they were economical. As with how they handled the situation. At least, we didn’t have to tell them that they were hacked.

Unlike, say, Apple, they did tell us that something was wrong and they apologized for what happened. We’re just left with the task to clean up the digital mess they created.

How valuable is this data? Well, if you do something sensitive over the phone, say, calling your bank. And they want to make sure it’s you. What do they ask? Well, the simple stuff: Birth date. Where you live.

With data like that, you can open an eBay account and do some online fraud. Good luck proving it wasn’t you. Sure, it won’t be a problem but it will be an ugly hassle.

Make sure you check your next credit card bill; just to make sure Sony didn’t mess that up without noticing.


Major Security Flaw in Dropbox on Windows

20. April, 2011

During the installation, Dropbox saves the login credentials in %APPDATA%\Dropbox\config.db

The problem: The file can be copied to another computer or account and this simple operation gives an attacker the same credentials as the victim.

Even worse: Changing the password doesn’t help since the credentials don’t depend on the password. So even after a password change, the attacker can still access the Dropbox account!

Kudos go to Derek Newton for finding this gaping hole.

Original article: Dropbox authentication: insecure by design


PS3 was hacked

6. January, 2011

Like so many people, I was upset that Sony discontinued support for Linux. I understand that it was a security risk (people were dabbling with the encrypted hypervisor and the encryption) but no one really cared enough to actually invest the huge amount of time necessary to really break it. I also understand that supporting Linux was a cost issue for Sony while it didn’t bring that many customers. At the same time, I knew I could run Linux on my PS3 but never did.

So it wasn’t an actual issue for me either, it just upset me. I bought the PS3 for many reasons and being able to run Linux had been one of them. Not the major point but I still got mad when they took that from me.

At the 27C3, they showed how it was hacked but I was intrigued by the short appearance of a guy who had analyzed the time it took to break a console and why it was hacked. While piracy is a side effect of hacking a console, it’s probably not the driving force. The statistics say that it took at most 12 months to hack a console and make Linux run. The PS3 was unscathed for three years – until Sony stopped support for Linux. After that, the hackers really dug into it and – what a surprise – they pwn3d it.

Made me wonder: Why did Sony drop support? As we know from the history of Microsoft, piracy is actually a major driving force for software sales. The calculation goes a bit like this: If you don’t want to pay for something, it’s hard to force you. But once you’re used to something, and you like it, you stick with it. A good example was Office 97. It wasn’t that great but companies were forced to buy it quickly because all people working at those companies had got free, time limited copies along with their PCs. I’ll let you assume how many people bought the product after the time was up.

The thing was: People took work home (good for the companies), worked on it and then brought it back to work. Then, something happened: The “old” Office 95 did display a warning, about 90% the size of the screen: “I can’t open this! You may lose your work! Help!” So suddenly, there was a strong pressure on the company to upgrade 95 to 97 – because everyone had got a free copy of Office 97!

The key here is to be able to balance sales with piracy. Microsoft knows the Spiel best: Really smack down on people selling pirate copies but leave the home users alone. C= (and the Amiga) couldn’t play it. In the end, piracy overtook sales and the platform died. The lesson we learn here: Piracy is something that must be managed carefully. No piracy and sales will be much lower than they could be; too much and you go bankrupt.

So here is my heretic thought: Maybe Sony didn’t have enough piracy. ^_^

References: Video of the 27C3 talk “”. Go to the documentation site and search the download links for “console_hacking_2010”. The statistics part is at 05:33.


Identifying you

22. December, 2010

You have a firewall, NoScript, disabled cookies and everything. Do you think you’re surfing anonymously?

Think again: http://panopticlick.eff.org/index.php


Security is nothing without trust and respect

17. December, 2010

“Little Brother” got me thinking. When the DHS tries to make the city more safe and secure, they just make it worse. Why?

Because they ignore one of the most fundamental principles without which society cannot work: Trust and respect.

That doesn’t mean you need to trust someone completely or respect them in every way. It means: Know how much you can and should trust someone. Then treat them politely, without second thoughts. Surprise: Our brains have been trained for the millions of years before we had speech to read body language. And we’re really good at it.

You don’t have to be nice to a terrorist, bow your head to them or grovel. Not at all. But just imagine how kicking you around, killing your family, relatives, friends, would make you feel.

Now, I imagine that terrorists aren’t exactly lenient or forgiving. So if you would become mad at such a treatment, what will they do? Go on a killing spree? Gee, I think that’s exactly what they do. How surprising.

Which puts us into a delicate position. We can only be safe when we start treating everyone else on the planet with respect. Respect can mean to drive your car for another year, even if it sucks. Or to sell it to someone poor way under price because they deserve it — just as a human. It doesn’t mean we should all convert to Islam or anything.

It just means: Show some basic respect (as in polite).

It probably doesn’t mean to go to a poor country, “help” them fight against terrorism and then “suddenly” discover that there are billions of dollars buried in the ground. These people might not have spent a lot of time in school, but they spend an awful lot of time haggling at the bazaar. They see you lie.

Imagine if all the terrorists in the world believed that there were better ways to make them as happy as us. Wouldn’t that be better than strip searches at airports, constant fear of an attack, ever more complicated and even debasing security laws? What’s security without respect?

If we were 100% secure, no one could go anywhere (they might be infected), talk to anyone (they might spill secrets), do anything (they might make mistakes). In computer science, you learn early that a secure computer is one which is switched off, without any data or use. Secure but useless.

That’s why security measures in companies work out so badly: If they were really enforced, the company couldn’t do business anymore. So you have to trust your workers. You have to treat them with respect or else you get the very problems that your dream of “security” pretended to solve.


Little Brother

15. December, 2010

When I Write Like told me I wrote like Cory Doctorow, I had to get one of his works: Little Brother.

Hm … no, I doubt that this was some clever marketing fad — there aren’t enough writers to make this worthwhile. Plus you can download the book.

Marcus is a teenager, going about his life, when he’s “caught up in the aftermath of a major terrorist attack on San Francisco.” What follows is funny, revolting, unsettling, witty, sometimes too realistic not to worry about. And it explains some of the more obscure and ever more relevant concepts of computer security. In a way even a non-geek can understand. And relate.

So if you want to read a few good arguments why it’s not safe to trust politicians and security experts with your security and safety, go get the book.

Recommendation: Buy.


What happened to “nothing to hide, nothing to fear”?

9. December, 2010

For years, states have tried to sell us their new security law “enhancements” with “nothing to hide, nothing to fear.” The argument is always the same: Since you’re a good guy, why should you care about a law that is meant to hurt only the bad guys?

Along came Wikileaks. Suddenly, all the same people cry out in anger.

Um … Do they have something to hide?

It shows once more that the world isn’t as simple as those politicians try to make us believe. The truth is that if the same politicians didn’t create an atmosphere of suppression and mistrust, we wouldn’t need those laws in the first place.

In a similar way, Wikileaks is just a symptom: It raises our attention to the sore spots of the “perfect” world we live in. Wikileaks didn’t kill people. It just shows without doubt that war is never a solution but rather another problem on top of all those we already had.

But didn’t the publication of the Wikileaks documents kill dissidents?

Did it? I’m not sure how well the Internet works where the Taliban live or whether they would use such a tool — surely they regard the Internet as the work of the devil. So unless you have hard facts that any dissidents were in fact killed, let’s use ‘endanger countless lives’ – as the US government did.

Next, choosing sides in a war is a pretty sure way to get you killed. And who started the war? On which grounds? Wasn’t the whole thing just one big lie? Can you prove to me that this was the sole option for the whole world to get rid of Saddam Hussein?

COSTOFWAR says that the US spent $745 billion so far in Iraq. No matter how corrupt the old Iraq government was, if that money had been spent on bribing them to stand down and enjoy the rest of their lives in some nice place or to treat their people better, I’m sure Wikileaks would have much less to spread.

Q: How do you know for sure a politician is lying to you? A: His lips are moving.