
Comment: Silent Circle response part 1 (Score 5, Informative) 46

by mrkoot (#47642843) Attached to: Silent Circle's Blackphone Exploited at Def Con
Silent Circle's response part 1:

Blackphone rooted at Defcon -- Part 1

Greetings from Def Con! Thus far Team Blackphone has been having a very positive Con. We have been receiving a lot of positive feedback and praise for taking on the flag of building and maintaining a secure and private smartphone system. This was a challenge that we knew full well would not be easy, but if it were easy then anyone could do it.

The researcher @TeamAndIRC was a little miffed at our initial response to his inquiry and I understand his point. In response, he had a t-shirt made that stated he rooted the Blackphone at Def Con. The ironic part to this is I would have absolutely gone over and made that t-shirt for him myself once the full vulnerability was explained. @TeamAndIRC and I had a chat here at Def Con. I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update.

According to @TeamAndIRC there were three issues discovered. The first one is that he was able to get ADB turned on. Turning ADB on is not a vulnerability as this is part of the Android operating system. We turned ADB off because it causes a software bug and potentially impacts the user experience; a patch is forthcoming. His second discovery is accurate and here is the point I want to stress to the community. We found this vulnerability on July 30, had the patch in QA on July 31, and the OTA update released on August 1. That is pretty fast, no?

When @TeamAndIRC details the third vulnerability today at Def Con around 2pm PST we will be on the floor. We will get the details, and feel confident that we will have the system patched just as fast as last time. That is our commitment to the community — to close the threat window faster than any other OEM. So, for now stay tuned as we will have an update later today.

Sincerely,

Dan Ford, D.Sc. (@netsecrex)
Chief Security Officer
SGP Technologies

Comment: Nov. 1st 2014? CA/B doc mentions Nov. 1st 2015 (Score 1) 92

by mrkoot (#47536903) Attached to: New SSL Server Rules Go Into Effect Nov. 1
The Slashdot article hints that a change would be effective per November 1st 2014. Does anyone know where that date originates from? The new CA/B Baseline Requirements 1.1.8 (.pdf) states:
  • 2015-11-01 Issuance of Certificates with Reserved IP Address or Internal Name prohibited.
  • 2016-10-01 All Certificates with Reserved IP Address or Internal Name must be revoked.

And:

As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.

Nothing is stated about November 1st 2014?
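The rule quoted from the Baseline Requirements is mechanical enough to check in code. The following is an added example, not code from the comment or from the CA/B Forum: given a certificate's Common Name, its subjectAltName entries and its expiry date, it flags Reserved IP Addresses and Internal Names and reports what the quoted text requires on a given day (notify the applicant, refuse issuance, or revoke). The `PUBLIC_TLDS` set, the sample names and the dates used in the tests are constructed for illustration, and classifying an Internal Name as "a bare hostname, or a name whose final label is not a public TLD" is a simplification of the BR definition (a real check loads IANA's root zone database).

```python
"""Apply the Baseline Requirements rule quoted above to a certificate's names.

Added example (not the commenter's code, not the CA/B Forum's). PUBLIC_TLDS and
the sample certificate in __main__ are constructed for illustration.
"""
import ipaddress
from datetime import date

# Constructed sample of public TLDs; a real check loads IANA's root zone list.
PUBLIC_TLDS = {"com", "net", "org", "int", "mil", "at", "de", "uk"}

# Dates taken from the quoted Baseline Requirements 1.1.8 text.
EXPIRY_CUTOFF = date(2015, 11, 1)    # no issuance expiring later than this; none at all from this date
REVOCATION_DATE = date(2016, 10, 1)  # all unexpired offending certificates revoked from this date


def classify_name(name):
    """Return 'reserved_ip', 'internal_name' or None for one SAN / CN entry."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # Reserved IP Address: not globally routable (RFC 1918, loopback, link-local, ...).
        return None if ip.is_global else "reserved_ip"
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":        # wildcard: judge the remainder of the name
        labels = labels[1:]
    # Internal Name (simplified): a bare hostname, or a name whose final label
    # is not a public TLD, so it cannot be globally unique in public DNS.
    if len(labels) < 2 or labels[-1] not in PUBLIC_TLDS:
        return "internal_name"
    return None


def audit_certificate(common_name, sans, not_after, today):
    """Return (flagged, action): the offending names and what the rule requires
    on `today`. Actions: 'ok', 'notify', 'refuse_issuance', 'revoke', 'expired'."""
    names = []
    for name in [common_name, *sans]:    # CN and SANs, de-duplicated in order
        if name not in names:
            names.append(name)
    flagged = []
    for name in names:
        kind = classify_name(name)
        if kind:
            flagged.append((name, kind))
    if not flagged:
        return flagged, "ok"
    if today >= REVOCATION_DATE:
        # Effective 1 October 2016: unexpired certificates must be revoked.
        return flagged, "revoke" if not_after > today else "expired"
    if today >= EXPIRY_CUTOFF or not_after > EXPIRY_CUTOFF:
        # SHALL NOT issue with an expiry later than 1 November 2015.
        return flagged, "refuse_issuance"
    # Still issuable, but the CA SHALL notify the Applicant of the deprecation.
    return flagged, "notify"


if __name__ == "__main__":
    # Constructed sample: an internal mail server certificate requested in 2014.
    flagged, action = audit_certificate(
        "mail", ["mail", "mail.corp.local", "10.0.0.5", "mail.example.com"],
        not_after=date(2016, 6, 1), today=date(2014, 8, 1))
    for name, kind in flagged:
        print(f"{name}: {kind}")
    print("action:", action)
```

Note that `ipaddress`'s `is_global` follows the IANA special-purpose address registry, so RFC 1918 ranges, loopback, link-local and the documentation ranges (e.g. 192.0.2.0/24) all count as reserved; a name like `mail.corp.local` is flagged because `.local` is not a public TLD, which is exactly the kind of name the quoted text is aimed at.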

Security

1 Million Domain DNS Zone Transfer Test

Submitted by mrkoot
mrkoot writes "Does your nameserver disallow zone transfer (AXFR) requests? A zone transfer test of one million Google-indexed domains showed 15 percent of domain names could be zone-transferred — sometimes showing internal hosts and often probably-not-intended-to-be-publicly-known-hosts. Among the 192509 transferable zones are nato.int, centcom.mil, hp.com, lycos.com and orange.at."
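The misconfiguration behind the submission is usually a single directive on the authoritative server. The BIND `named.conf` fragment below is an added example, not part of the submission or of the test it describes, and uses hypothetical names (`example.com`, `xfer-key`, the secondary's address 192.0.2.10): it shows the setting that lets anyone pull the zone next to the hardened form, which denies transfers by default and permits them only to the known secondary, authenticated with a TSIG key.

```conf
// Weak: any client on the Internet can request the whole zone with AXFR.
options {
    allow-transfer { any; };
};

// Hardened: deny transfers globally, then allow them per zone only to
// requests signed with the secondary's TSIG key (hypothetical names).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // generate with tsig-keygen (BIND 9.11+)
};

options {
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };   // only the TSIG-authenticated secondary
    also-notify { 192.0.2.10; };          // push NOTIFYs to the hypothetical secondary
};
```

The secondary needs the same `key` block plus a `server 192.0.2.10 { keys { xfer-key; }; };`-style statement pointing at the primary so that its transfer requests are signed. After reloading, the check the submission describes, run against your own server (`dig @ns1.example.com example.com axfr`), should end in `Transfer failed.` from any host that is not the keyed secondary; restricting transfers by source address alone is weaker, since the address of the secondary can be spoofed on the network path while a TSIG signature cannot.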
Privacy

Google Profiles Exposes Millions of Usernames

Submitted by mrkoot
mrkoot writes "It is known since at least 2008 that Google exposes sitemaps that link to Google Profiles — 35 million in total. A while ago I checked ALL those links -my connection did NOT get blocked after any amount of connections- and found that ~40% of the Google Profiles expose their owner's username and hence their @gmail.com e-mail address. It totals to ~15 million exposed usernames or @gmail.com e-mail addresses. With no apparent download restriction in place and people disclosing their profession, employer, education, location, links to their Twitter account, Picasa photoalbums, LinkedIn accounts et cetera, is this spear phishing waiting to happen?"
