Forgot your password?
typodupeerror

Comment: That's not how it works (Score 1) 301

by Shuntros (#46718367) Attached to: Theo De Raadt's Small Rant On OpenSSL
Certificate Authorities who operate on the scale absolutely do NOT keep private keys of the issuing intermediate available for harvest. That's what HSMs are for; devices which hold the private key material and perform signing operations on behalf of the CA. The CA can never retrieve the private key(s) so compromising the CA in that scenario should never result in private key disclosure.

Comment: Re:Security (Score 1) 139

by Shuntros (#45813503) Attached to: Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze
The main issue is that Oyster does do some level of cleverness. I only ever skimmed the paper so don't recall the details. The main issue in most use cases is that the spec says the token UID should be read-only. When you can buy tokens from China which completely disregard this and let you write sector 0 it's game over immediately for huge swathes of RFID installations which rely on UID alone.

My work ID does door access, printing, loads of stuff. Spoof the UID onto a blank token, remove the chip/antenna, place inside rear cover of watch. Super convenient, but alarmingly easy.

And you know that "tap and go" stuff your credit card has, distinct to the chip & pin functionality, for low-value purchases like a Double Whopper with cheese? Don't even get me started on that...

Comment: Re:Inevitable... (Score 3, Insightful) 139

by Shuntros (#45812647) Attached to: Cracking Atlanta Subway's Poorly-Encrypted RFID Smart Cards Is a Breeze
Well thanks Anonymous Coward (latin: buffoonus maximus), but that's a bit of a tenuous jump. I don't even use public transport, I'm just a guy who does a bit of NFC engineering for the day job and knows the difference between the wrong way to do it and the way I do it. The token security is weak, certainly, but it's easy to protect against with some very low-overhead crypto.

Comment: Re:And how utterly pointless it is... (Score 1) 195

by Shuntros (#45500819) Attached to: Project Free TV, YIFY, PrimeWire Blocked In the UK
Well someone got out the pedantic side of the bed this morning. And no, it's an allocation of my ISP's /16. If I'd got the range from RIPE I wouldn't need PTR delegation would I?

I don't actually need the whole block any more, it was something I was doing for a PhD project a few years back. A /27 would do me these days, but they don't seem in a hurry to have them back.

Comment: Re: And how utterly pointless it is... (Score 4, Informative) 195

by Shuntros (#45499797) Attached to: Project Free TV, YIFY, PrimeWire Blocked In the UK
Very well put. Getting a large ISP whose staff "follow the flowchart" to provide such things is not as easy as some make out. I have a number of non-catalogue products including bonded FTTC which has saved me a fortune on what I used to pay for dedicated hosting (I don't need 5 9's uptime). Instead of a call centre grunt giving a standard "We don't provide that service" response, I get a technically literate person on the end of the phone who understands what I'm asking for and says "Let me have a word, see what we can do". You pay for that kind of service, but for me it's worth it.

Comment: And how utterly pointless it is... (Score 4, Informative) 195

by Shuntros (#45499505) Attached to: Project Free TV, YIFY, PrimeWire Blocked In the UK
Personally I'm not a big user of these kind of services, but it's only a handful of the "big" ISPs who are doing the blocking. I prefer a more personal service so I use a small ISP which offers special geeky extras (full class C, reverse NS delegation etc) and they perform no such blocking. But even if I didn't it's trivial to bypass such blunt instruments.

Comment: Re:SSH? (Score 1) 607

by Shuntros (#44772453) Attached to: NSA Foils Much Internet Encryption
The proper way to do it is to have a 100% offline CA with its key material split over a number of smart cards so the CA can only be brought up periodically for signing purposes when a certain number of cards are present (say 3 of 5) and even then you use an HSM which performs all activities hence the private key is never accessible even if you wanted it to be. You store the cards in fireproof safes in geographically dispersed secure physical locations, cardholders travel by different modes of transport, at different times of day, stay at different hotels etc. For day-to-day certificate issuance and signing you have a subordinate CA sat in a networked HSM. That way there can only ever be a minuscule (I'd never use the word impossible) risk that the root CA can be compromised and you maintain the ability to revoke the day-to-day CA.

90% of a good PKI is process and governance, not the technology itself.

I suspect what's going on here is that the NSA has the ability to cut certs for things like *.google.com, *.facebook.com etc from a trusted commercial CA whose root is already installed in everybody's browser, hence they can man-in-the-middle the traffic without raising alarm. A few sneaky BGP advertisements and this would be surprisingly easy to do.

It's pretty shocking to read most of the comments on here and realise that very few people actually know how PKI works even at the most basic level.

Comment: To illustrate the technical idiocy... (Score 3, Funny) 227

by Shuntros (#42455209) Attached to: That Link You Just Posted Could Cost You 300 Euros
I decided, having had a couple of stiff ones (drinks) this evening, to drop them a line via the website in an attempt to contribute a tiny amount of sanity and/or education.

Unfortunately I was told my email could not contain anything other then [0-9|a-z] IN THE BODY and due to my use of punctuation I was not allowed to email them. I was going to "correct" my correspondence, but the I thought "fuck it, I've got work tomorrow", and I have a glass of wine and 2/3 of a frankly very good cigar to do in.
Security

+ - Critical Vulnerabilities found in Call of Duty:MW3, CryEngine 3->

Submitted by hypnosec
hypnosec (2231454) writes "Call of Duty: Modern Warfare 3 and CryEngine 3 graphics platform suffer from critical vulnerabilities, two security researchers have revealed. ReVuln security consultants Luigi Auriemma and Donato Ferrante presented results of their research at the Power of Community (POC2012) security conference in Seoul and said that not only hackers but also other online gaming companies can benefit by exploiting these vulnerabilities. The security researchers have revealed that online gaming companies can try and steal a competitor's players or shut down a competitor’s game completely."
Link to Original Source
Earth

+ - Ideas on protecting New York from future storms float to surface->

Submitted by SternisheFan
SternisheFan (2529412) writes "By Becky Bratu, NBC News: The killer storm that hit the East Coast last month and left the nation's largest city with a crippled transit system, widespread power outages and severe flooding has resurfaced the debate about how best to protect a city like New York against rising storm surges.
    In a 2011 report called "Vision 2020: New York City Comprehensive Waterfront Plan," NYC's Department of City Planning listed restoring degraded natural waterfront areas, protecting wetlands and building seawalls as some of the strategies to increase the city’s resilience to climate change and sea level rise.
"Hurricane Sandy is a wake-up call to all of us in this city and on Long Island," Malcolm Bowman, professor of physical oceanography at State University of New York at Stony Brook, told NBC News' Richard Engel. "That means designing and building storm-surge barriers like many cities in Europe already have."
    Some of the projects showcased at Rising Currents include: Ways to make the surfaces of the city more absorptive (through porous sidewalks) and more able to deal with water, whether coming from the sea or sky; Parks and freshwater and saltwater wetlands in Lower Manhattan; Artificial islands or reefs (including ones made of recycled glass) to make the shoreline more absorptive and break the waves."

Link to Original Source
Security

+ - Nike+ FuelBand: Possibly a Big Security Hole For Your Life->

Submitted by
MojoKid
MojoKid writes "Nike+ FuelBand, a $149 wristband with LED display that tracks your daily activity, tells you how many calories you've burned, lets you know how much fuel you have left in the tank, and basically keeps track of "every move you make." If you think that sounds like a privacy nightmare waiting to happen, it pretty much is. A source directly connected to Nike reported an amusing, albeit startling anecdote about a guy who got caught cheating on his girlfriend because of the Nike+ FuelBand. "They shared their activity between each other and she noticed he was active at 1-2AM, when he was supposed to be home." That's just one scenario. What if the wristband gets lost or stolen? How much data is actually stored on these sorts of devices? And remember, you're synching it to the cloud with an iOS or Android app."
Link to Original Source

Real Programmers don't write in FORTRAN. FORTRAN is for pipe stress freaks and crystallography weenies. FORTRAN is for wimp engineers who wear white socks.

Working...