Roy Firestein

Security Feeds

Archive for February, 2009

Dalai Lama

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
“Be kind whenever possible. It is always possible.”

NSA helps name most dangerous programming mistakes

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
A group of more than 30 computer organizations has taken what some are calling a big step toward making software more secure.

Hamas' Other War

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via FDD -

Palestinian civilians continue to be murdered in cold blood – several dozen just last weekend. Many of the victims were gunned down inside hospitals and schools.

If you’ve been following the latest Middle East conflict, this will not surprise you. What might: The fact that the assailants were Palestinians — Hamas members targeting those affiliated with the rival Fatah organization.

Only scattered and buried mentions of these attacks have appeared in such newspapers as The New York Times and the Washington Post. There’s been little or nothing on television.

But Khaled Abu Toameh – the brave and distinguished correspondent for The Jerusalem Post (and, incidentally, an Arab) – has reported that 35 Fatah activists have been summarily executed, while more than twice that number have been shot in the legs or had their hands broken.

This is the other war, the war ignored by most media, academics, diplomats and human rights groups, the war between Hamas – a militant Islamist terrorist group strongly backed by Iran – and Fatah, an organization that is difficult to describe accurately in a few words.

Founded by Yasir Arafat, Fatah is not so much moderate as sporadically pragmatic. It disavows terrorism but hasn’t kicked the habit completely. It has a reputation for corruption but its defenders claim it’s cleaning up its act. Fatah – Arabic for “conquest,” an ideal not much celebrated in Western circles these days — is secular, though it has a decidedly Islamist faction, the al-Aqsa Martyrs Brigades.

Three years ago, Hamas won a surprise victory over Fatah in legislative elections. But for Hamas leaders, this initiation into the democratic experience was not life-changing. So, in June 2007, they launched a military coup against Fatah and the Palestinian Authority in Gaza.

Within four days, “Hamas gunmen clad in black ski masks controlled the dusty streets,” writes Jonathan Schanzer in his new book, Hamas vs. Fatah: The Struggle for Palestine. “It would not be long before the fall of the [Palestinian Authority's] fortress-like security compound, al-Suraya. Indeed, Hamas fighters had burrowed a tunnel beneath the building, detonated deadly explosives, and breached it.” Hamas fighters also threw several of their Fatah opponents off the roofs of high-rise buildings. In European and Arab capitals, demonstrations did not break out.

As Schanzer explains, the violence “was a clear and outward manifestation of a civil war” that began in 1987. As recent events reveal, it isn’t over yet. Hamas doubtless understands that Israel’s military mission in Gaza could end with the restoration of Fatah’s position in Gaza. In fact, it is difficult to imagine how Fatah could do this absent Israeli intervention. Fatah is not strong enough to challenge Hamas through force of arms. Nor can Fatah regain power at the ballot box: Hamas would win or, were that in question, Hamas would not permit a fair vote.

Of course, the outcome of the current battle between Hamas and Israel remains uncertain. Hamas continues to launch missiles at Israeli villages – even as its spokesmen and supporters decry a growing humanitarian crisis in Gaza. In other words, Hamas believes that by simultaneously displaying defiance and exploiting Palestinian suffering it can score a victory in the media and in international forums – which is at least as valuable as winning on the ground.

But should Hamas leaders be wrong, should their best, brightest and most brutal be killed, and should their organization emerge from this conflict crippled, Fatah will be a major beneficiary.

What are the alternatives? Few Israelis have the stomach for a re-occupation of Gaza at this point. The Egyptians, who controlled the territory from 1949 to 1967, have shown no interest in taking responsibility again, not even on an interim basis.

Does this imply that Fatah members are secretly hoping – maybe even helping — Israel to prevail over Hamas? Possibly, though even if that’s true it doesn’t mean Fatah will henceforth show good will and a spirit of compromise toward Israel.

In the Middle East, the enemy of my enemy can be useful – but that doesn’t make him my friend.

Game Developer Confronts iPhone Software Cracker

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via TorrentFreak -

Whack ’em All is a newish game for iPhone and iPod Touch, based on the ‘Whack-a-Mole’ idea. The creators are married couple Constance and James Bossert, who together form Fairlady Media.

James told TorrentFreak: “We decided to develop a game for the iPhone while driving one evening and over the next couple of months put Whack ’em All together in our spare time. Altogether, it’s taken us about 250 hours to develop the game, with about 100 hours’ worth of graphics work and 150 hours’ worth of development, bug testing and submitting the app to Apple.”

The game is available for purchase via the iTunes App Store and has steadily been achieving around 10 sales a day. It’s pretty cheap, at just 99 cents.

On January 4th, Fairlady Media got all excited. Suddenly they discovered they had over 400 brand new users in a day, but after checking with iTunes, disappointment set in. Only 12 people had actually purchased the game. It turned out that the surge was down to pirates – someone had cracked the game and offered it for free on the web. While mildly encouraged that there is demand for the game, James told us he decided to confront the person responsible to “try and figure out why there was such a strong market for pirated apps.”

“I’m the developer for Whack ’em All. I noticed you’re being given credit for cracking Whack ’em All and making it generally available for free,” he said in his opening email to the cracker. “We (just my wife and I) haven’t even made enough money off of this to pay for the iPhone we had to buy to develop it on. Just yesterday 40 times more people got your version of the app than bought it off the app store!” James told the cracker he was curious about his motives. Surprisingly, the cracker responded:

“As many iPhone and iPod touch owners have discovered, Apple’s iTunes App Store has many flaws which render it useless to the common user,” he replied. “Apple has chosen to allow a multitude of ridiculous, worthless, poorly-represented applications through its ‘strict’ screening process, nearly all written by mediocre programmers with a dream of getting rich quick. Many of these programmers game the reviews system, misrepresent their application in the description, and generally try to swindle the honest buyer.”

The cracker, known as most_uniQue, went on to say that people are fed up with wasting money on these types of applications, so they simply stopped buying them. He then went on to offer a solution. “Apple could quite easily solve this problem by implementing a sort of trial period for each application, but they do not. The user is forced to buy blindly without ever getting to try the application first.”

most_uniQue told James that he became motivated to crack iPhone games after he bought a few that didn’t live up to their marketing hype, feeling he could help others ‘try before they buy’. “To solve this problem either talk to Apple to allow trials,” he said, “or you can release your game on Cydia with ads.”

James told TorrentFreak that he was happy with the extra exposure generated by the cracked copy of the game, while hoping this would translate into cash to be invested in the development of future projects.

The outcome of this exchange? “My goal would be to get a response from Apple about this,” he told us, while going on to reveal that a free, ad-supported version of the game (and future games) is in the planning.

———————————-

Like this hacker or not, he is right. Apple should have a try-before-you-buy policy, as many people are abusing the App Store with floods of fake (5-star) comments, so much so that looking at the ranking is almost useless at this point.

Al-Qaida's Zawahiri Issues Orders to “Strike Everywhere” in Revenge For Gaza

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via NEFA Foundation -

The NEFA Foundation has obtained and translated a new audio recording from Al-Qaida Deputy Commander Dr. Ayman al-Zawahiri released on January 6 and titled, “The Massacre of Gaza and the Siege of the Traitors.” During his address, Dr. al-Zawahiri condemned the ongoing Israeli raids in Gaza and blamed the actions of Israel on Egyptian President Hosni Mubarak and incoming U.S. President Barack Obama: “These attacks are the gift of Obama to you, before he shall receive his position… this is Obama, whom the American machinery of lies attempted to portray before the world as the deliverer, who would change the policy of the U.S. He is killing your brothers and sisters in Gaza without any mercy or compassion.” As a consequence of the U.S. role in the events in Gaza, al-Zawahiri called upon Al-Qaida supporters around the world to carry out indiscriminate revenge attacks on American and Israeli interests: “O’ Muslims everywhere, fight against the Zionist-Christian campaign, and strike its interests wherever you encounter them… attack the Zionist-Christian alliance and its interests. O’ lions of Islam everywhere, the leaders of the Muslim lands are the protectors of the interests of the Americans and Zionists… so thwart the efforts of these traitors by striking the interests of the enemies of Islam—namely, the Christians and the Jews—wherever and by whatever means you can.”

———————————–

See the full translated transcript of the original audio recording in the following PDF…
http://www.nefafoundation.org/miscellaneous/FeaturedDocs/nefazawahiri0109.pdf

New Details on the National Cyber Range

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)
Via IntelFusion -

DARPA has announced its Phase I awards to six competing companies for the design and creation of the National Cyber Range:

  • BAE Systems – $3.3 million
  • General Dynamics – $1.9 million
  • Johns Hopkins University – $7.3 million
  • Lockheed Martin – $5.3 million
  • Northrop Grumman – $344,097
  • Science Applications International Corp. – $2.8 million
  • Sparta – $8.6 million

Aviation Week explains DARPA’s intentions for the project:

The range is intended to become the premier U.S. cyber test facility, according to DARPA officials. The products will be unbiased and quantitative assessments of information assurance and survivability tools. The laboratory is to replicate complex, large-scale, heterogeneous networks for current and future Defense Department weapons and operations.

The capabilities to be tested are host-security systems, local-area-network security tools and suites, wide-area network systems operating on unusual bandwidths, tactical networks including the problematic mobile ad hoc networks, and new protocol stacks. Innovations are expected to include development of advanced automated test ranges and the testing of revolutionary cyber-research programs.

The competing companies will eventually be asked to build working prototypes of the range that can perform the following tasks:

  • Demonstration of packet capture, event log collection, malware event collection and automated attacks
  • Responsive traffic generators that drive office software products, browsers, media players and e-mail clients
  • Traffic generation systems covering incoming/outgoing e-mail, port scanning and automated attacks

By phase 3, the candidate system will have to reconstitute test nodes within 15 minutes, reconfigure the range within one hour, create a 10,000-node test from DARPA-provided requirements within two hours, perform time synchronization across all machines to within 1 millisecond, and demonstrate human-level behavior on 80 percent of traffic-generated events.

Star Wars toy lets anyone ‘use the force’

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

There are a few toys for kids that we are stupidly jealous of, but the latest Star Wars ‘Force Trainer’ could just about take the biscuit.

The Force Trainer – an officially licensed Star Wars toy – allows kids to train up their mental powers and manipulate a sphere within a clear tower.

Brain waves

It does this with a headset that, much like recent computer-game control technology, lets you use your brain to send electronic impulses.

“It’s been a fantasy everyone has had, using The Force,” Howard Roffman, President of Lucas Licensing told USA Today.

The force is strong with this one, but don’t expect it to be the only mind-control toy arriving in the coming year.

We’ve not heard anything on UK arrival or pricing, but when we do we’ll make sure that you know about it. After we’ve gone out and bought a few for review purposes obviously.

From CES 2009.

The pain of OLPC

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

The OLPC is an amazing little device. Unfortunately, the altruists who are running the project haven’t gotten far enough, and they’re laying off staff (although they have managed to get 500,000 laptops to the third world).

I admit to being completely baffled by the organization’s model. They practically refuse to sell these machines to the public – a public that really wants them. The only way to get one was to buy one off eBay (overpriced) or to do a give-one, get-one deal at $400.

It’s just bizarre to me that they wouldn’t sell these – think of all the parents who might get these little things for their kids as their first computer, or the people who simply want to experiment and play with a cheap, high-quality open-source device. The decisions by OLPC show an incredible arrogance and ignorance of basic economics.

Hey, OLPC: Get off your high-horse and do something that the business world learned a long time ago: When a customer wants to buy something, LET THEM BUY IT.

Then, maybe, you can get enough funds to actually do what you want to do.

Alex Eckelberry

Browser Security Fail, MD5 broken, CA gone rogue

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)


A group of security researchers (Alexander Sotirov, Jacob Appelbaum, Marc Stevens, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger) have identified a vulnerability in the public key infrastructure used to issue digital certificates for secure websites. As a proof of concept they have shown they can carry out an attack scenario that creates a rogue Certificate Authority (CA) trusted by all common browsers. This allows one to impersonate any website on the Internet, including banking and other transaction-based sites secured with the HTTPS protocol (SSL) (here), with details (here).

A short summary of our result is that we have come in possession of a “rogue” Certification Authority whose certificate will be accepted by default by most browsers. Thus we are able to issue SSL certificates to any website we like, including rogue websites claiming to be legitimate ones.

This has been possible by exploiting the following weaknesses:

  • an efficient method to construct “chosen-prefix collisions” for the MD5 hash function,
  • there is at least one commercial Certification Authority that:
      • issues certificates with a signature created using the MD5 hash function,
      • processes online requests for certificates in an automated way,
      • does not check for anomalous requests,
      • allows predicting with reasonable probability of success a valid combination of serial number and validity period,
      • has no technically enforced limit on the length of a chain of certificates.

Any website, whether it is secure (i.e. uses SSL) or not, whether it has an MD5-based, SHA-1-based, SHA-256-based, or any other type of certificate, irrespective of which Certification Authority issued the certificate, can be impersonated, in particular not only genuine websites that have an MD5-based certificate are vulnerable.

Also…

the computations needed for our work were done on a cluster of about 200 PlayStation 3 game consoles in the cryptanalytic lab at EPFL.

That is cool!

This was a fairly sophisticated attack scenario that requires a level of dedication from the attacker which will probably limit its exploitation. Unfortunately, there is little the average user can do to prevent exploitation except to remain diligent, assume that all of your personal and confidential information is known to everybody, and act accordingly by monitoring sensitive accounts and information for misuse.

There is, however, a list of suggestions (here): Certificate Authorities should stop using MD5 altogether; browser and OS vendors should provide warnings when encountering MD5 hashes and pressure CAs to stop using them; and website owners should pressure CAs to stop using MD5.
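One defender-side check that follows from these suggestions, added here as an example (it is not code from the original post or from the researchers): a standard-library Python walker that reads the outer signatureAlgorithm OID of every DER certificate in a chain and flags any MD5-based one. The certificates it runs on are constructed stubs (real outer layout, dummy body), and the names `MD5_SIGNATURE_OIDS`, `audit_chain` and `SAMPLE_CHAIN` are assumptions of this example.

```python
# Signature-algorithm OIDs that rely on MD5 (md5WithRSAEncryption is the one the rogue-CA work exploited).
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(data):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm field of a DER X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(cert_der, start)       # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])

def audit_chain(chain_der):
    """Return (index, oid, name) for every MD5-signed certificate in the chain."""
    # The rogue CA certificate itself carries the MD5 signature, so every link is
    # checked: a SHA-256 leaf under an MD5-signed intermediate is still flagged.
    findings = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm_oid(cert)
        if oid in MD5_SIGNATURE_OIDS:
            findings.append((i, oid, MD5_SIGNATURE_OIDS[oid]))
    return findings

# Constructed sample chain: stub certificates with the real outer layout but a
# dummy tbsCertificate and signature, so the example runs offline.
def _der(tag, content):  # short-form DER encoder, enough for the stubs
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _stub_cert(sig_oid_der):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid_der) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
MD5_RSA = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption
SAMPLE_CHAIN = [_stub_cert(SHA256_RSA), _stub_cert(MD5_RSA)]  # leaf, intermediate
```

To run the same audit on a real chain, pass the DER bytes of each certificate in place of the stubs.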

Bottom Line: Just like with Kaminskygate, the Internet is still here in all its glory and fail. This does, however, highlight the importance of independent security research and its effectiveness in providing information on how to better implement security controls that affect most, if not all, of us. Thierry Zoller said it best: “Academic research + hacker ingenuity at its finest. We need more of it. Awesome.”


Weak Password Brings ‘Happiness’ To Twitter Hacker

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

4/5 Cain & Abel Cisco IOS Configuration File Buffer Overflow (Secunia Vulnerabilities)

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)

Researchers poke holes in Intel’s anti-tampering tech (The Register)

February 7th, 2009. Published under My Recent Reads. No Comments.

pulled from Google Reader (click on title for original post)