<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-10867778</id><updated>2011-04-21T18:44:31.103-05:00</updated><title type='text'>Security as Process, not Product</title><subtitle type='html'>Random stuff about data (in)security.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>43</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-10867778.post-114014746819947618</id><published>2006-02-16T21:33:00.000-06:00</published><updated>2006-02-16T21:38:09.556-06:00</updated><title type='text'>What the heck is ZAP?</title><summary type='text'>As if there weren't already too many three letter acronyms, Secure Computing goes and invents a new, apparently meaningless, TLA: Secure Computing Releases Zero-hour Attack Protection (ZAP) Technology 16 February 2006 A major challenge facing the security industry today is 
defending against new zero-hour attacks and rapidly emerging attack variants that are continually released before patches or </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/114014746819947618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=114014746819947618' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/114014746819947618'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/114014746819947618'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2006/02/what-heck-is-zap.html' title='What the heck is ZAP?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-113894423812318108</id><published>2006-02-02T11:54:00.000-06:00</published><updated>2006-02-02T23:31:42.066-06:00</updated><title type='text'>"Management vs. IT staff" by Patrick M. Hausen</title><summary type='text'>I found great wisdom in this post by Patrick M. Hausento firewall-wizards:They prevent intrusions, don't they? No, I'm not blaming any CEO for not knowing better - with the notable exception of the CEOs of companies selling IT security products or services. 
Even VPs of IT or whatever they may be called need not know much technical detail if the company is big enough to justify several levels of </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/113894423812318108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=113894423812318108' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/113894423812318108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/113894423812318108'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2006/02/management-vs-it-staff-by-patrick-m.html' title='&quot;Management vs. IT staff&quot; by Patrick M. Hausen'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-113721890826644984</id><published>2006-01-14T00:05:00.000-06:00</published><updated>2006-01-14T00:08:28.280-06:00</updated><title type='text'>Never ascribe to malice...</title><summary type='text'>Slashdot posted to WMF Vulnerability is an Intentional Backdoor?  as Napoleon Bonaparte? or Robert J. Hanlon?(:Quoth uncle moleNever ascribe to malice that which is adequately explained by incompetence.  
Napoleon Bonaparte This is most commonly referred to as Hanlon's Razor, and a direct attribution to Napoleon has yet to be discovered.And then there is "Marshall's Axiom": :Never ascribe to </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/113721890826644984/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=113721890826644984' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/113721890826644984'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/113721890826644984'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2006/01/never-ascribe-to-malice.html' title='Never ascribe to malice...'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112849925464381195</id><published>2005-10-05T02:57:00.000-05:00</published><updated>2005-10-05T03:00:54.650-05:00</updated><title type='text'>Don't work in a cubicle farm</title><summary type='text'>The original article,  isn't bad, but was easily slashdotted.Slashdot posted to When to Leave That First Tech Job  as :TheOriginalRevdoc  writes Take advice number one: "don't work in a cubicle". You'll be looking a long time for a job that comes with its own office. Most corporations, especially, make sure that offices only go to managers above a certain rank. 
That's just how it is.I'd suggest </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112849925464381195/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112849925464381195' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112849925464381195'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112849925464381195'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/10/dont-work-in-cubicle-farm.html' title='Don&apos;t work in a cubicle farm'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112793367714753245</id><published>2005-09-28T01:49:00.000-05:00</published><updated>2005-09-28T14:03:05.756-05:00</updated><title type='text'>Sidewinder and Squid and Selecting an application proxy firewall</title><summary type='text'>On 9/27/05, jrdld2  wrote:A month or two back I heard that SC were planning to drop squid.  For myself, I'd rather they wouldn't.Secure sent the official EOL notice for Squid in late August, I have faint hope they will change their mind.Squid support in Sidewinder has always been marginal at best, and the functionality of the Squid proxy is crippled by TE. 
For example, cache_peer queries fail </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112793367714753245/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112793367714753245' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112793367714753245'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112793367714753245'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/09/sidewinder-and-squid-and-selecting.html' title='Sidewinder and Squid and Selecting an application proxy firewall'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112841178720754173</id><published>2005-09-18T02:30:00.000-05:00</published><updated>2005-10-04T02:43:07.213-05:00</updated><title type='text'>Toshiba's continued interest in fuel cells</title><summary type='text'>Toshiba announced further fuel cell prototypes, including versions built into MP3 players.  This is similar to the prototype they showed just over a year ago.These are filled with 195-proof methanol, diluting it down to just 20 proof (ten percent) in the reaction chamber.  
In traditional fuel cells, methanol delivers power most efficiently when it is mixed with water in a 3 to 6% methanol </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112841178720754173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112841178720754173' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112841178720754173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112841178720754173'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/09/toshibas-continued-interest-in-fuel.html' title='Toshiba&apos;s continued interest in fuel cells'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112668542164792853</id><published>2005-09-14T02:28:00.000-05:00</published><updated>2005-09-14T03:10:21.656-05:00</updated><title type='text'>The Hackers of the Lost RAID (OpenBSD 3.8 pre-orders open)</title><summary type='text'>OpenBSD 3.8 is now available for pre-order. Among other changes, ifstated is now official, DVD filesystems can be read, and the broken USB thumb drive support is unbroken. That, and I expect a kick-ass release song.</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112668542164792853/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112668542164792853' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112668542164792853'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112668542164792853'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/09/hackers-of-lost-raid-openbsd-38-pre.html' title='The Hackers of the Lost RAID (OpenBSD 3.8 pre-orders open)'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112614852080263193</id><published>2005-09-07T21:49:00.000-05:00</published><updated>2005-09-07T22:02:00.806-05:00</updated><title type='text'>Relativity and the "Enterprise Year"</title><summary type='text'>shek has an interesting observation on the Enterprise Year (EY). EY explains so many things, including most Dilbert strips. In my opinion, the ratio of EY to Calendar Years is directly proportional to the number of layers of management. By the same formula, the EY for a sole proprietorship is a tiny fraction of a human year. 
Sort of like a mayfly.</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112614852080263193/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112614852080263193' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112614852080263193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112614852080263193'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/09/relativity-and-enterprise-year.html' title='Relativity and the &quot;Enterprise Year&quot;'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112296007126627089</id><published>2005-08-02T00:19:00.000-05:00</published><updated>2005-11-09T00:00:51.846-06:00</updated><title type='text'>Evolutionary security?</title><summary type='text'>Posted to Techdirt: What if they developed security software that was programmed to increase its security and complexity with every attempt to break into it? What if Cisco had done this and that they could go through the Streisand effect and actually end up with a more formidable product intentionally? Maybe with every break-in, the code would change and build upon itself from the last attempt? 
</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112296007126627089/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112296007126627089' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112296007126627089'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112296007126627089'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/08/evolutionary-security.html' title='Evolutionary security?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112097186592400198</id><published>2005-07-10T00:06:00.000-05:00</published><updated>2005-07-10T00:04:25.930-05:00</updated><title type='text'>Tear down what firewall?</title><summary type='text'>Slashdot posted to Tear Down the Firewall as Re:Too smart for their own good:My suggestion was that if you finds yourself slacking with regards to security procedures, you've effectively eliminated the inner wall. If the outer wall is breached, so is the inner one, by virtue of the fact that you're slacking. If the benefits of slacking (with respect to productivity, convenience, etc.) 
are </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112097186592400198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112097186592400198' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112097186592400198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112097186592400198'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/07/tear-down-what-firewall.html' title='Tear down what firewall?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112097264505300462</id><published>2005-06-26T03:44:00.000-05:00</published><updated>2005-07-10T00:17:38.993-05:00</updated><title type='text'>Why does RSA downplay the PINpad?</title><summary type='text'>Slashdot posted to How to keep track of passwords? as Re:SecurID :jtshaw writes: I carry my password on my keychain... it changes every 60 seconds. Of course... there are a few more numbers that aren't on the keychain.. but remembering that is no worse then a ATM pin. 
The next step in security is the SecurID "PINpad", this looks like the credit-card form SecurID product, but has twelve "buttons".</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112097264505300462/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112097264505300462' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112097264505300462'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112097264505300462'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/06/why-does-rsa-downplay-pinpad.html' title='Why does RSA downplay the PINpad?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111803152970399816</id><published>2005-06-02T22:58:00.000-05:00</published><updated>2005-06-05T23:18:49.706-05:00</updated><title type='text'>PAC issue in Safari on Tiger (MacOS 10.4)</title><summary type='text'>The Proxy Automatic Configuration URL feature, as implemented in Safari, is broken.Instead of one HTTP request for the PAC file at the start of a session, Safari 2.0(412) makes a HTTP request to the PAC server once for each object requested -- for each HTTP request out to the internet, a corresponding request is made for the PAC.This leads to one host generating PAC request rates exceeding 57 </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111803152970399816/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111803152970399816' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111803152970399816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111803152970399816'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/06/pac-issue-in-safari-on-tiger-macos-104.html' title='PAC issue in Safari on Tiger (MacOS 10.4)'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111708861212612873</id><published>2005-05-26T09:12:00.000-05:00</published><updated>2005-05-26T01:23:53.910-05:00</updated><title type='text'>Making paper passwords more secure</title><summary type='text'>Regarding putting passwords on paper, there is a way to eliminate the additional risks of writing down passwords instead of simply keeping your passwords in your head --- write down a list of passwords on paper, but when you actually create/use the password online, add an extra word to the end, like so:Your paper sheet:gKr5guhi8uH5!ivL%,Upp5naxok$0iO4l7#&amp;Jq&gt;hThe actual passwords:gKr5guhinow8uH5!</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111708861212612873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111708861212612873' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111708861212612873'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111708861212612873'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/making-paper-passwords-more-secure.html' title='Making paper passwords more secure'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111708771205134433</id><published>2005-05-26T01:02:00.000-05:00</published><updated>2005-05-26T01:08:32.203-05:00</updated><title type='text'>Meta-commentary on passwords</title><summary type='text'>I just ran across Passwords and Security along with the other articles about how Microsoft says it's okay to put passwords on paper.The one thing missing in all this discussion about how to choose and store reusable passwords is their fatal flaw -- reusability.The problem with passwords isn't that somebody might write them down, it's that they are static, unchanging for days, weeks, months, years</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111708771205134433/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111708771205134433' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111708771205134433'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111708771205134433'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/meta-commentary-on-passwords.html' title='Meta-commentary on 
passwords'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111674909785093625</id><published>2005-05-21T23:50:00.000-05:00</published><updated>2005-05-22T03:04:57.856-05:00</updated><title type='text'>News for OpenBSD nerds?</title><summary type='text'>Amazing.  Not just one, but two articles on the release of OpenBSD 3.7, plus one about TOR.Oddly, the second OpenBSD article isn't tagged as a BSD article.</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111674909785093625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111674909785093625' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111674909785093625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111674909785093625'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/news-for-openbsd-nerds.html' title='News for OpenBSD nerds?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-112097237627258335</id><published>2005-05-20T00:38:00.000-05:00</published><updated>2005-07-10T00:14:57.460-05:00</updated><title type='text'>Disco Stu doesn't advertise</title><summary type='text'>Slashdot posted to OpenBSD 
3.7 Released  as Disco Stu doesn't advertise:xbsd wrote: ...compare against the testimonies in the OpenBSD website. http://www.openbsd.org/users.htmlExcept that perhaps many of the largest users of an OS designed as "proactively secure" might maybe be paranoid enough about security not to announce their choice on a public web page?</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/112097237627258335/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=112097237627258335' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112097237627258335'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/112097237627258335'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/disco-stu-doesnt-advertise.html' title='Disco Stu doesn&apos;t advertise'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111803873672528262</id><published>2005-05-17T23:16:00.000-05:00</published><updated>2005-06-06T01:18:56.730-05:00</updated><title type='text'>Car breakins using bluetooth</title><summary type='text'>Found on comp.risks, an interesting new risk of bluetooth:Subject: Car breakins using bluetoothFrom: Andrew Nicholson I recently lost our rental car in one of the huge parking lots of Disney World. ...Here's the interesting part: every break-in in the past month had involved a laptop with internal bluetooth. 
Apparently if you just suspend the laptop  the bluetooth device will still acknowledge </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111803873672528262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111803873672528262' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111803873672528262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111803873672528262'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/car-breakins-using-bluetooth.html' title='Car breakins using bluetooth'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111622157309188755</id><published>2005-05-15T23:35:00.000-05:00</published><updated>2005-05-17T01:13:17.190-05:00</updated><title type='text'>New Crytogram today</title><summary type='text'>Bruce Schneier's Cryptogram is updated on the 15th of the month.Contents include Bruce's predictable fear-mongering about REAL ID, the "Combating Spam" rant that he published on his blog weeks ago, and a ton of self promotion (or Counterpane promotion, I don't know which is worse).Overall, I found the comments from readers more interesting than what Mr. Schneier has to say.  
I suppose that's the </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111622157309188755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111622157309188755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111622157309188755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111622157309188755'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/new-crytogram-today.html' title='New Crytogram today'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111602253899655159</id><published>2005-05-13T17:09:00.000-05:00</published><updated>2005-05-13T17:15:39.003-05:00</updated><title type='text'>Time for me to find a new line of work</title><summary type='text'>Ran across "Post-Exploitation on Windows using ActiveX Controls", linked from Slashdot. Boiled down to the most basic principles, it reads as "we're all screwed": When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111602253899655159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111602253899655159' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111602253899655159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111602253899655159'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/time-for-me-to-find-new-line-of-work.html' title='Time for me to find a new line of work'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111593912151819776</id><published>2005-05-10T15:58:00.000-05:00</published><updated>2005-05-12T18:17:56.060-05:00</updated><title type='text'>SecurID authentication for OpenBSD for SSH and Apache</title><summary type='text'>Just because OpenBSD is a "secure" platform is not an excuse not to harden it further by taking advantage of strong authentication. It is possible to integrate SecurID with OpenBSD even though RSA has not seen fit to release a binary version of their ACE libraries for any OpenBSD hardware platform. I normally use S/Key with RMD160 as a one-time-password solution for access to OpenBSD.  
This has </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111593912151819776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111593912151819776' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111593912151819776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111593912151819776'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/securid-authentication-for-openbsd-for.html' title='SecurID authentication for OpenBSD for SSH and Apache'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111535023578648226</id><published>2005-05-05T20:13:00.000-05:00</published><updated>2005-05-05T22:35:10.326-05:00</updated><title type='text'>Evaluating websense "censorware" software</title><summary type='text'>Websense  is one of the most well-known and widely deployed "corporate" URL filtering products, but it doesn't receive much scrutiny.  
For example, Peacefire's most recent WebSENSE examination dates back to 2001! "Websense Enterprise" is normally deployed in a "sniffer" type setup, where the "Network Agent" tries to inspect web requests as they flow by (either directly to the Internet, or as </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111535023578648226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111535023578648226' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111535023578648226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111535023578648226'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/evaluating-websense-censorware.html' title='Evaluating websense &quot;censorware&quot; software'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111525346892209487</id><published>2005-05-04T19:33:00.000-05:00</published><updated>2005-05-04T19:37:48.926-05:00</updated><title type='text'>Proxy.PAC support in RealPlayer V10</title><summary type='text'>I just recently noticed that RealPlayer V10 actually has support for using Proxy Automatic Configuration (PAC) scripts. Not just the usual "support" by virtue of embedding Internet Explorer into the player for displaying HTML content, but actual options to select a PNA or RTSP proxy server through a PAC script. If this actually works, it'll be cool. But that's a very big if.</summary><link rel='replies' type='application/atom+xml' 
href='http://nonesuch-security.blogspot.com/feeds/111525346892209487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111525346892209487' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111525346892209487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111525346892209487'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/proxypac-support-in-realplayer-v10.html' title='Proxy.PAC support in RealPlayer V10'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111534956318912815</id><published>2005-05-01T22:01:00.000-05:00</published><updated>2005-05-05T22:20:00.706-05:00</updated><title type='text'>Testing "nannyware" tools for fitlering URLs</title><summary type='text'>Time to re-evaluate deploying web censorship tools.  
Specifically, the free (dansguardian), the expensive (websense), and the obscure (smartfilter). To test for false positives, I have a Perl script with HTTP client behavior which will read a file of URLs and attempt each one with realistic client-like headers, then examine the result to see if the request was successful or blocked. If you have a </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111534956318912815/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111534956318912815' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111534956318912815'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111534956318912815'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/05/testing-nannyware-tools-for-fitlering.html' title='Testing &quot;nannyware&quot; tools for fitlering URLs'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-111525306303232756</id><published>2005-03-31T17:04:00.000-06:00</published><updated>2005-05-04T19:31:03.036-05:00</updated><title type='text'>RFID Passports and stupid gov't use of tech for tech's sake.</title><summary type='text'>Slashdot posted to Passport Chip Could Attract High-Tech Muggers as Re:Why include the info on the chip at all? :They don't have to share all the data. They can set it up on a virtual network connected to the US computers. They send the information for only the specific passport requested. 
Thus no foreign place would have more information than the current procedure. This does open up the </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/111525306303232756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=111525306303232756' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111525306303232756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/111525306303232756'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/03/rfid-passports-and-stupid-govt-use-of.html' title='RFID Passports and stupid gov&apos;t use of tech for tech&apos;s sake.'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110853591660776223</id><published>2005-02-16T00:27:00.000-06:00</published><updated>2005-02-16T00:38:36.610-06:00</updated><title type='text'>RIP SHA-1</title><summary type='text'>Bruce Schneier writes "SHA-1 has been broken. Not a reduced-round version. Not a simplified version. 
The real thing." Previous rumors about SHA problems this past August were less critical; there were also reports of hash collisions in MD4, MD5, HAVAL-128 and RIPEMD in August; this new paper seems to be from some of the same researchers. Time to move everything into RIPEMD-160?</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110853591660776223/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110853591660776223' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110853591660776223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110853591660776223'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/02/rip-sha-1.html' title='RIP SHA-1'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110853208336510065</id><published>2005-02-15T23:31:00.000-06:00</published><updated>2005-02-15T23:34:43.366-06:00</updated><title type='text'>New CryptoGram today</title><summary type='text'>Bruce Schneier's Cryptogram is updated on the 15th of the month. Lately all he ever seems to write about is airport security, seems to lack the insight displayed in previous issues.</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110853208336510065/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110853208336510065' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110853208336510065'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110853208336510065'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/02/new-cryptogram-today.html' title='New CryptoGram today'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862437249478688</id><published>2005-01-26T17:48:00.000-06:00</published><updated>2005-02-17T01:18:41.800-06:00</updated><title type='text'>Blocking GoToMyPC</title><summary type='text'>Slashdot posted to Easy Remote Access?as Blocking GoToMyPC: Were I a system administrator, I would null route all of these services at the firewall, and would log any attempt to access them from within my network and kill the connection of the PC that attempted them - then proceed to LART the user that did so in a fashion that would make the BOFH wince. 
Their main purpose is to allow stupid </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862437249478688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862437249478688' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862437249478688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862437249478688'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2005/01/blocking-gotomypc.html' title='Blocking GoToMyPC'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862398556738704</id><published>2004-12-25T23:51:00.000-06:00</published><updated>2005-02-17T01:09:01.170-06:00</updated><title type='text'>SecurID work-alikes in Open Source?</title><summary type='text'>Slashdot posted to Banks Begin To Use RSA Keys as Open source securid-like tokens:Tracy Reed writes: Around 5 years ago I was looking for a way to have a secure-id sort of solution without having to buy the proprietary software and hardware without any success. The first "open" standard for authentication tokens was part of ANSI X9.9, and was broken (and subsequently retracted) back in 1999.  
The</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862398556738704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862398556738704' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862398556738704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862398556738704'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/12/securid-work-alikes-in-open-source.html' title='SecurID work-alikes in Open Source?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862709163746785</id><published>2004-10-27T10:55:00.000-05:00</published><updated>2005-02-17T01:58:11.640-06:00</updated><title type='text'>Elegant sun hardware</title><summary type='text'>Slashdot posted to The Return of the Sun Workstation, With AMD's Help as Elegant sun hardware :Obsolyte has a great archive of Sun hardware pictures.http://www.obsolyte.com/sunPICS/The SparcStation 20 is my favorite example, though several later products (in particular, the E450) exhibit similar design sensibilities.</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862709163746785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862709163746785' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/10867778/posts/default/110862709163746785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862709163746785'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/10/elegant-sun-hardware.html' title='Elegant sun hardware'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862579881559093</id><published>2004-09-29T16:54:00.000-05:00</published><updated>2005-02-17T01:36:38.820-06:00</updated><title type='text'>Everybody loves Darren</title><summary type='text'>Slashdot posted to OpenBSD 3.6 Song Releasedas Darren Reed and the OpenBSD song: The author of ipf (Darren Reed) is regularly on the openbsd mailing lists, and quite often it's just gripe. This whole issue has become quite personal, jugding from the posts. Yeah, what's up with that?  His contributions vary from sardonic to the merely sarcastic.  
Darren is clearly a bright guy, his criticism could</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862579881559093/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862579881559093' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862579881559093'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862579881559093'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/09/everybody-loves-darren.html' title='Everybody loves Darren'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862360161288447</id><published>2004-09-14T11:34:00.000-05:00</published><updated>2005-02-17T01:01:13.256-06:00</updated><title type='text'>Vulnerabilities in One Time Password (OTP) systems</title><summary type='text'>Slashdot posted to Banks Begin To Use RSA Keys as Challenge-response vs response-only:  Challenge-response isn't inherently more secure than an auto-updating number based on time. Both are basically implementations of a pseudo-random function. With the auto-updater, the current time is essentially the challenge. 
And not having to type/scan in an explicit challenge is a lot more usable Good point.</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862360161288447/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862360161288447' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862360161288447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862360161288447'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/09/vulnerabilities-in-one-time-password.html' title='Vulnerabilities in One Time Password (OTP) systems'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862680506470865</id><published>2004-09-12T16:27:00.000-05:00</published><updated>2005-02-17T01:53:25.066-06:00</updated><title type='text'>Petty theft deterrants</title><summary type='text'>Slashdot posted to Home Defense, Geek Style? |as Petty theft deterrants:l0ungeb0y writes: Sorry for being so blunt, but unless she's able to park the car in a secure area such as a garage, there's basically nothing that you can do beyond a car alarm to deter a break in. Too true.  
Crooks are deterred by well-lighted areas and cameras, anything that can get them caught (by cops or a car owner with</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862680506470865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862680506470865' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862680506470865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862680506470865'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/09/petty-theft-deterrants.html' title='Petty theft deterrants'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862756666225213</id><published>2004-09-03T21:51:00.000-05:00</published><updated>2005-02-17T02:07:11.250-06:00</updated><title type='text'>Public Key Currency</title><summary type='text'>Slashdot posted to Make Money Fastas Public Key Currency:The tinfoil hat crowd has long suggested that the mylar filament in bills is a remotely readable RFID tag.... That last problem is the worst--it's a lot like the DVD CSS encryption scheme problem. It works find until ONE INSTANCE of the private key gets broken, and then everybody has the key to every single banknote in circulation. 
And then</summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862756666225213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862756666225213' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862756666225213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862756666225213'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/09/public-key-currency.html' title='Public Key Currency'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862786319403053</id><published>2004-06-22T11:35:00.000-05:00</published><updated>2005-02-17T02:11:03.196-06:00</updated><title type='text'>Old demo coders become new virus coders?</title><summary type='text'>Slashdot posted to Farb-Rausch Releases PC Demo Creation Softwareas Old demo coders become new virus coders?: I tried disassembling one once first thing it did was copy code to the old specky print buffer delete this loader code move everything down a bit and then proceeded to unfold itself up the memory incredible. 
pretty good to watch too as the primitive hardware started doing things which </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862786319403053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862786319403053' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862786319403053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862786319403053'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/06/old-demo-coders-become-new-virus.html' title='Old demo coders become new virus coders?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862803462794128</id><published>2004-06-08T00:51:00.000-05:00</published><updated>2005-02-17T02:13:54.630-06:00</updated><title type='text'>Oh, the toys you will be forbidden to mod by DMCA</title><summary type='text'>Slashdot posted to Old Toy Modding?as Oh, the toys you will be forbidden to mod by DMCA: Believe it or not it's illegal to play non-Teddy-Ruxpin tapes in a Teddy Ruxpin bear, because by doing so you're creating a derivative "audiovisual work comprising animated plush toy bear with unique voice." IANAL, however I see this claim made about the Teddy Ruxpin cases (Worlds of Wonder v. 
Veritel </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862803462794128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862803462794128' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862803462794128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862803462794128'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/06/oh-toys-you-will-be-forbidden-to-mod.html' title='Oh, the toys you will be forbidden to mod by DMCA'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862826448751607</id><published>2004-06-04T13:37:00.000-05:00</published><updated>2005-02-17T02:17:44.490-06:00</updated><title type='text'>Just bought a bunch of IOGear USB to PS/2 adapters</title><summary type='text'>Slashdot posted to Do PS2-to-USB Keyboard Adapters Work?as Just bought a bunch of IOGear adapters:I just bought a bunch of these USB adapters so I could connect Mac workstations (USB only) to older (PS/2 only) Raritan KVM switches, and have had zero problems using them on Mac or on Windows machines.We use the IOGear GUC100KM.These are both larger and more expensive (List price $50) than the </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862826448751607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862826448751607' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862826448751607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862826448751607'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/06/just-bought-bunch-of-iogear-usb-to-ps2.html' title='Just bought a bunch of IOGear USB to PS/2 adapters'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862854146398132</id><published>2004-04-20T20:12:00.000-05:00</published><updated>2005-02-17T02:22:21.466-06:00</updated><title type='text'>Control of colours via USB?</title><summary type='text'>Slashdot posted to Seven Color LED Mousepadas Re: Control of colours via USB: Since the pad draws power from a USB connection, it would be cool if the colours could be controlled via the USB port as well. 
Actually, I've been looking for some time now, and have not been able to find products with USB controlled brightness.It appears many people would pay a fair price for a USB RGB LED light with </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862854146398132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862854146398132' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862854146398132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862854146398132'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/04/control-of-colours-via-usb.html' title='Control of colours via USB?'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862892663182816</id><published>2004-02-18T10:20:00.000-06:00</published><updated>2005-02-17T02:28:46.633-06:00</updated><title type='text'>World's most expensive glow-in-the-dark hippie gimcrack</title><summary type='text'>Slashdot posted to Working Around Bad Luck on the Resume? as OT:Diamonds do glow in the dark:  ... my resume glows in the dark like a diamond.What do you mean diamonds don't glow in the dark? Actually, some diamonds do glow in the dark...  there was a recent news article confirming that the Hope diamond glows in the dark.OK, OK. 
Radioactive diamonds, or something.It's more likely a type of </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862892663182816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862892663182816' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862892663182816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862892663182816'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/02/worlds-most-expensive-glow-in-dark.html' title='World&apos;s most expensive glow-in-the-dark hippie gimcrack'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862918621567460</id><published>2004-02-05T23:16:00.000-06:00</published><updated>2005-02-17T02:33:06.220-06:00</updated><title type='text'>panic("bogons in the VM system!");</title><summary type='text'>Slashdot posted to Remotely Crash OpenBSD as panic("bogons in the VM system!");: A crash means you killed, not just a task, but the whole system. In a system as robust as BSD this usually means that the code that was corrupted by the exploit was running at a kernel permission level. So if you can take it over you can get it to give you any permission you want. 
You make a good point. However, keep </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862918621567460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862918621567460' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862918621567460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862918621567460'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/02/panicbogons-in-vm-system.html' title='panic(&quot;bogons in the VM system!&quot;);'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862942327612794</id><published>2004-01-27T11:20:00.000-06:00</published><updated>2005-02-17T02:37:03.280-06:00</updated><title type='text'>Re:As far as censorware go, fuggedaboutit</title><summary type='text'>Slashdot posted to Removing Site from Spam Filters and ISP Blocks? as Re:As far as censorware go, fuggedaboutit:I agree that the site in question will get the most benefit from moving their "clean" content to a new IP address, leave the porn content on the old IP. The way that censorware works is that it blocks IP's, not domains. 
This is not absolutely true -- while nearly all web filters have a </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862942327612794/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862942327612794' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862942327612794'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862942327612794'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/01/reas-far-as-censorware-go.html' title='Re:As far as censorware go, fuggedaboutit'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862973889783562</id><published>2004-01-11T04:17:00.000-06:00</published><updated>2005-02-17T02:42:18.900-06:00</updated><title type='text'>Strong crypto should look not unlike random noise</title><summary type='text'>Slashdot posted to USAF Wants To Find Steganographic Content as Strong crypto should look not unlike random noise : Maybe statistical analysis can determine if a given image or other medium is possibly hiding information. But if that information is encrypted, doesn't it look like random data without the key? Yes. 
One quick-and-dirty test of the strength of a cryptographic algorithm or hash </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110862973889783562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110862973889783562' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862973889783562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862973889783562'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2004/01/strong-crypto-should-look-not-unlike.html' title='Strong crypto should look not unlike random noise'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110863012126643518</id><published>2003-12-04T10:37:00.000-06:00</published><updated>2005-02-17T02:48:41.266-06:00</updated><title type='text'>The famous "PacMan" Quote</title><summary type='text'>Slashdot posted to The Most Incorrect Assumptions In Computing? as Re:PacMan : Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music. - Kristin Wilson, Nintendo, Inc., 1989. 
While Kristin claims having originated this joke, so does Marcus Brigstocke, and others </summary><link rel='replies' type='application/atom+xml' href='http://nonesuch-security.blogspot.com/feeds/110863012126643518/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=10867778&amp;postID=110863012126643518' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110863012126643518'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110863012126643518'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2003/12/famous-pacman-quote.html' title='The famous &quot;PacMan&quot; Quote'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-10867778.post-110862503610443019</id><published>2001-09-14T11:46:00.000-05:00</published><updated>2005-02-17T01:23:56.106-06:00</updated><title type='text'>How the Events of 9-11-2001 will affect me personally.</title><summary type='text'>Slashdot posted to my Journal     I don't know anybody who was directly harmed by the events of this past Tuesday, or even anybody who lost a family member. 
I fly quite often for business and vacations, and in fact I had very nearly taken a business trip to the East coast just last week, a trip that would have taken me through Pittsburg. After the initial shock was over, I felt that these </summary><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862503610443019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/10867778/posts/default/110862503610443019'/><link rel='alternate' type='text/html' href='http://nonesuch-security.blogspot.com/2001/09/how-events-of-9-11-2001-will-affect-me.html' title='How the Events of 9-11-2001 will affect me personally.'/><author><name>Nonesuch</name><uri>http://www.blogger.com/profile/08643025861448340451</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
