Security

Submission + - Flickr's API (and many others) Signature Forgery V->

An anonymous reader writes: Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. Users should be authenticated using the Flickr Authentication API. Any applications wishing to use the Flickr Authentication API must have already obtained a Flickr API Key. An 8-byte long 'shared secret' for the API Key is then issued by Flickr and cannot be changed by the users. This secret is used in the signing process, which is required for all API calls using an authentication token. This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send valid arbitrary requests on behalf of any application using Flickr's API.
Link to Original Source
Security

Submission + - Flickr's API Signature Forgery Vulnerability->

thaidn writes: "Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. Users should be authenticated using the Flickr Authentication API. Any applications wishing to use the Flickr Authentication API must have already obtained a Flickr API Key. An 8-byte long 'shared secret' for the API Key is then issued by Flickr and cannot be changed by the users. This secret is used in the signing process, which is required for all API calls using an authentication token. This advisory describes a vulnerability in the signing process that allows an attacker to generate valid signatures without knowing the shared secret. By exploiting this vulnerability, an attacker can send valid arbitrary requests on behalf of any application using Flickr's API."
Link to Original Source
Microsoft

Submission + - Free Linux CD in Windows Vista Day!

thaidn writes: Tomorrow 22/03/2007, Microsoft will hold something called Vietnam Windows Vista Day in Ho Chi Minh City. We think this is a very good chance to promote Linux, so we have decided to deliver free Linux CDs and documentation at that very fair. 300 "Gift from the Penguine" packages, each containing a free Ubuntu Linux and a quickstart manual in Vietnamese, will be delivered to students, programmers, developers and anyone else interested in Linux.
Security

Submission + - Damn Vulnerable Linux

Scott Ainslie Sutton writes: "Enterprise GNU/Linux Resource Linux.com have highlighted a newly created GNU/Linux distribution named Damn Vulnerable Linux, built upon Damn Small Linux. The distribution, headed by Thorsten Schneider, aims to deliver the Operating System in such a way that it allows Security Students first-hand insight and hands-on experience with Security issues within GNU/Linux in order to teach them protection and mitigation techniques. The project's website describes the distribution as 'the most vulnerable, exploitable Operating System ever' and it's true, the developers have ensured that it contains outdated, ill-configured, flawed code and contains GNU/Linux 2.4 Kernel which is known to have many exploitable avenues in itself. Damn Vulnerable Linux's website can be viewed here."
