Comment "gaps in the security of digital certificates" (Score 2) 34
So the gap is "the secret key must be kept secret"? I don't see that as a digital certificate failing. It's also the reason we have revocation lists.
So the gap is "the secret key must be kept secret"? I don't see that as a digital certificate failing. It's also the reason we have revocation lists.
The 3rd party would only ever get the intersection of "do not mail" and their own marketing list. And emails wouldn't be sitting around in clear text in a database / filesystem..
Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715)
* you hit a page which includes a wlHelper.js script
* wlHelper.js is served with header that tell your browser - cache this forever
* wlHelper.js contains code something like this:
var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU'
if MUID cookie doesn't already exist
set MUID cookie to unique_id
You delete your MUID cookie - but next time you hit a page that contains wlHelper.js the cached version is pulled form your browser. unique_id is there in the cached code, so the cookie gets set again.
Combine centralized and "multi-factor"? Build more PCs with smart card readers?
I'd like to see google offer some form of multifactor on their openid provider. A keyring token generator, or maybe a smartphone app?
Here's someone who has already done it..
http://waxy.org/2008/09/audio_transcription_with_mechanical_turk/
Split up the audio into 5 min pieces.
Set up a template on Amazon Turk for'workers' to grab the 5 min mp3 files, and pay them $2 for each file translated.
More info in the comments. http://www.audiobookcutter.com/ is capable of chopping up the file at the silences for you.
Could be "call back" spam, i.e. I look at my phone and see "missed call from 555-1234". I swear I didn't hear that ring, but I call the number back anyways - and I get a recorded message selling some crap. So I generally google / don't call numbers I don't recognise now. If someone has something important to tell me they'll leave a message.
I'm surprised a nasty worm hasn't propagated via torrent client exploits. Get a list of IPs from a tracker AND the client/version they are using. Not only that: all the users would've opened the port on their router..
X-files has gone off TV?
...requests to BitTorrent trackers can also use CoralCDN, as these are simply HTTP GETs with a client's relevant information encoded in the tracker URL's query string, e.g., http://denis.stalker.h3q.com.6969.nyud.net/announce?info_hash=(hash)&peer_id=(name)&port=52864&uploaded=231374848&downloaded=2227372596&left=0&corrupt=0&key=E0591124&numwant=200&compact=1&no_peer_id=1. Notice that the HTTP request includes a peer's unique name (a long random string) and a port number, but notably does not include an IP address for that client. It's an optional parameter in the specification that many BitTorrent clients don't include. (In fact, even if the request includes this IP parameter, some trackers ignore it.) Instead, the tracker records the network-level IP address from where the HTTP request originated (the other end of the TCP connection), together with the supplied port, as the peer's network address.
In this case CoralCDN was effectively acting as a proxy - the IP address wasn't being falsified. Although these guys did appear to have some luck with falsified IP addresses: Why My Printer Received a DMCA Takedown Notice.
Two more strikes and Google gets their internet connection cut? Oh, no!
whoops: (i was in the process of RTFA)
[09:04] First i was curious to how far something like this would actually spread, i think what most people were unaware of is the fact it IS a worm and every phone that got infected with it was spreading it (I initially only infected 3 phones when I woke up i checked google and found out a fair few people were hit with it)
I get the impression it doesn't. Just connects SSH, and sends some commands to change your desktop.
No self propagation = not really a worm.
what usually happens:
* you request a cert common-name=serverbox.mydomain.com from a Certificate Authority (CA)
* CA determines you are authorized to make this request on behalf of mydomain.com
* serverbox.mydomain.com serves down the signed cert, your browser makes sure website == common-name == serverbox.mydomain.com
what these clever guys discovered:
* you can request a cert common-name=paypal.com\0.mydomain.com
* CA determines you are authorized to make this request on behalf of mydomain.com
* man-in-the-middle sits in between you and paypal.com, serves down this cert, victim's browser makes sure website == common-name == paypal.com (whoops!)
* victim sees paypal.com in their browser with that reassuring padlock
How does the company paying commission make money off this? Redirecting your browser to their spammy search engine, pop up ads?
FORTRAN is not a flower but a weed -- it is hardy, occasionally blooms, and grows in every computer. -- A.J. Perlis