Security

Submission + - Researchers use MD5 collision to break SSL (cnet.com)

An anonymous reader writes: CNET (and others) are reporting that a team of researchers has just announced at the 25th Chaos Communications Conference in Berlin that they have "broken" SSL. More precisely, they have further developed and exploited previously known weaknesses in MD5 to generate a rogue "certificate authority" SSL certificate which appears valid to browsers. Using this, they can sign other new certificates in any name they choose, opening up serious man-in-the-middle attacks on secure sites.

Note that this is not likely to be a problem in practice, because the exploit is technically difficult to duplicate and they are not releasing full details, nor the rogue CA cert. However — they broke SSL!

Security

Submission + - CCC Hackers break the internet creating a CA cert

Petar writes: Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger broke the internet today by creating a rogue CA certificate that all major browsers trust and that can create SSL certificates for any site on the internet. To see the certificate, first change your date to August 2004 and then visit I broke the internet and all I got was this t-shirt and examine the certificate (it's expired, so if it leaks nobody can use it). They also published their full research. As a side note, the cluster was 200 PlayStations.
Security

Submission + - CCC Create a rogue CA certificate (win.tue.nl)

t3rmin4t0r writes: "Just when you were breathing easy about Kaminsky, DNS and the word hijacking, by repeating the word SSL in your head, the hackers at CCC were busy at work making a hash of SSL certificate security. Here's the scoop on how they set up their own rogue CA, by (from what I can figure) reversing the hash and engineering a collision up in MD5 space. Until now, MD5 collisions have been ignored because nobody would put in that much effort to create a useful dummy file, but a CA certificate for phishing seems juicy enough to be fodder for the botnets now."
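The three submissions above describe the same result: a rogue CA certificate produced by exploiting MD5 collisions, which only works because the issuing CA signed with md5WithRSAEncryption. The check a practitioner wants out of this story is simple: does any certificate in a chain I rely on carry an MD5 signature? The following is an added example, not code from the researchers or from the page. It is a stdlib-only DER walker that reads the outer signatureAlgorithm field of an X.509 certificate and flags the MD5 OID (1.2.840.113549.1.1.4). The two certificates it runs on here are constructed stand-ins with a placeholder tbsCertificate, so they are not valid X.509; the DER framing, the OID encoding and the OID values are real, and signature_algorithm() runs unchanged on a real DER certificate read from disk.

```python
# Added example: find the signature algorithm of a DER-encoded X.509 certificate
# and flag md5WithRSAEncryption. Standard library only.

# Signature-algorithm OIDs (values from RFC 3279 / RFC 4055).
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SIGNATURE_OIDS = {
    MD5_WITH_RSA: "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first octet packs the first two arcs
    acc = 0
    for byte in raw[1:]:                   # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = read_tlv(body, 0)                 # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)          # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id, 0)       # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_bytes)


def is_md5_signed(der_cert):
    return signature_algorithm(der_cert) == MD5_WITH_RSA


# --- constructed test input: a minimal DER encoder and a stand-in certificate ---

def tlv(tag, value):
    """Encode one DER element, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid):
    """Constructed stand-in (NOT a valid X.509 certificate): real outer framing,
    placeholder tbsCertificate, dummy 1024-bit signature value."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                          # placeholder TBS
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))  # OID + NULL params
    sig = tlv(0x03, b"\x00" + b"\xAA" * 128)                      # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in (MD5_WITH_RSA, "1.2.840.113549.1.1.11"):
        cert = fake_certificate(oid)
        name = SIGNATURE_OIDS.get(signature_algorithm(cert), "unknown")
        print(name, "-> MD5-signed, do not trust" if is_md5_signed(cert) else "-> ok")
```

To run it on a real certificate, pass the raw DER bytes (for PEM input, base64-decode the body between the BEGIN/END lines first). RFC 5280 requires the AlgorithmIdentifier inside tbsCertificate to equal the outer one, so reading the outer field is sufficient for this purpose; `openssl x509 -noout -text` shows the same "Signature Algorithm" line if you prefer the CLI.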
The Internet

Submission + - How to clear my name? 3

VoiceofDoom writes: A while ago I parted company with a client over their refusal to pay for the IT support service that I had been providing for them. I wrote them off as a bad debt and asked that they remove my name and details from all their IT systems, since I no longer wanted to have anything to do with them, and wasn't interested in their marketing emails.

A quick check of Google for my name recently revealed that the company has falsified a testimonial from me, glowing with praise for their services. Now my name and email address are plastered all over their site, and they have ignored repeated requests from me that they remove both my personal details and the fake testimonial.

As they haven't infringed on trademarks or copyright, I am not really sure what recourse is available to me to get this personal info and made-up testimonial removed from their website. Can any law-savvy Slashdotters help? FYI — both I and the offending company are UK-based.
Networking

Submission + - Splitting dynamic and static parts of webpages?

LaurensVH writes: "While recently philosophising on how cool mod_parrot would be, I suddenly realised it would be even cooler if we took the idea one step further.

If anything, I'd say some of the most exciting stuff to happen in web development recently is all based on splitting up different tasks. First, markup was separated almost entirely from design through the wonders of CSS, used in combination with (X)HTML. I think we can safely say we're all glad we've managed to get rid of tabular page layouts. CSS implementations in some browsers (and especially non-browsers) are still a bit lacking (most notably ACID2 gets royally messed up). At any rate, they differ. Enough to force web designers (or developers, in cases where they overlap) into resorting to ugly kludges to get their shiny stylesheet to render a webpage correctly in most common browsers. For now, it's the best we have.

The second big advancement came with the dawn of the MVC model. MVC stands for "model, view, controller", a design paradigm applicable to dynamic web pages and their development. While CSS and (X)HTML separated markup from design, MVC separates the data model, the code that operates on the data model, and the way the content gets displayed (or, more accurately, gets passed to the HTML markup, where it eventually gets prettied up by CSS).

However, I feel there's room for even more improvement. Or, at the very least, there's plenty of interesting development still left to be done.

There are a number of really cool lightweight web servers out there, such as lighttpd (pronounced: "lighty"), fnord, and gatling. Those last two, besides both living at fefe.de, focus on delivering static content. A lot of static content, blazingly fast, while keeping server load minimal.

Most of you are probably thinking: "Well, obviously... But static content is so boring. Sure, we can put our images and even dynamically generated front pages made static (think lazy caching), but what's new?" right now. Well, if this is all you're going to be doing with it, yes, you're right, it ends here.

Imagine, however, that you combine this with the already existing technology of AJAX (well, more or less AJAX). Imagine all relevant static data, including information on how to get the dynamic data, being served by an extremely fast and efficient static web server.

The client then executes the javascript code that gets the dynamic data from a specialized "web" server. I'm not sure that's the correct term, because, in theory, it should never display any web pages. It simply returns JSON (or whatever object format is handiest in your particular setup) objects that the Javascript code uses to fill in the website content.

The most obvious downside is the Javascript requirement. It's the only feasible technology I'm aware of. It would be really cool if we could do this in arbitrary scripting languages. You could do this using XUL, but that isn't nearly as available or commonplace as Javascript is, unfortunately.

The first person I told this said that superfluous AJAX usage has dramatic influences on website responsiveness, but that's in cases where you're fetching pieces of web page somewhere in the middle of user interaction with it. What I'm suggesting is doing it in on_load, meaning more or less the same amount of data has to be transferred.

Another issue is that it's hard to develop pages like this here and now, mainly because there are no specialized servers that only return objects at the time of writing. I'm not here to impress people with cool existing technology, I'm just trying to see what could be done with it in the future. Regarding the "hard to develop" argument, I can only imagine that very, very good toolkits will emerge if this idea is good enough.

So, in closing, dear Slashdotters, I'd like to ask you: do you think this would work? Am I on to something? Is the end of Apache nigh? Or should I go and get started on mod_parrot? ;-)

Thanks for listening.
Laurens Van Houtven (lvh \at\ laurensvh \dot\ be"
Businesses

Submission + - How do I deal with a client that won't pay?

datapharmer writes: In February I did a network installation for a bookstore that is part of a very large chain. The work was subcontracted out to me by contingent.net under the terms net 60. This was mutually agreed upon and I have dealt with these terms before without problem. Unfortunately contingent is the exception, and after sending multiple invoices and making several calls which have gone unreturned I am out of patience. My next step is to go to court, but I would prefer to avoid this if possible. Slashdotters — have you ever had an out of state client that wouldn't pay? What did you do?
Privacy

Submission + - Legal password hacking?

An anonymous reader writes: I work for a company that hosts an application for one of the US Federal multi-letter government agencies. I've just been asked to run "John the Ripper" against the Active Directory (Please no Windows jokes, K?) accounts we set up for them. Not just one or two accounts, but ALL the accounts, which are made up of Federal Employees.

Why? To see if any account is using a weak password. Now mind you we have followed or exceeded all the guidelines they have set before us (password length, complexity, history, age, etc.). The agency is rather paranoid with all the recent leaks of personal information.

When I was asked to do this, warning sirens went off in my head. Can they make me do this? What are the legal ramifications of doing this? Can I be held accountable? My gut is saying "Whatever you do, DON'T DO IT! These are federal employee accounts!". 10 years ago I wouldn't have thought twice about doing this, but with all the new laws that have been passed I'm not sure.

Does anyone have good reference material backing my stance of not doing this? Or am I stuck hacking the accounts?

P.S. I will be calling my attorney in the morning for guidance. They just dropped this on me on my way out the door for the night.
Displays

Submission + - Open Source solutions for Situation Rooms?

riffer writes: "In my team at work we're looking to put together a Situation Room for dealing with IT security. We want something that allows multiple video inputs from different computers to go to one or two large screen displays (probably plasmas), with the ability to resize, zoom and move the sub-displays around. There are various commercial solutions but I'm hoping an open source application could be used. I've looked at MythTV and it seems to offer much of what we'd need, but it's oriented towards TV watching and recording, and our video inputs would not be from cable TV or video cameras. We want this to look and feel professional, for acceptance by fairly conservative (and not very geeky) upper-management. Any suggestions?"
Google

Submission + - How to handle massive email loss?

sherriw writes: How do you recover from a massive loss of old emails?

My growing wariness of Gmail and the fact that they archive your email forever prompted me to start moving away from Gmail to my own self-hosted webmail. So I started by deleting all my Gmail that was older than 2006. But I typed 2008 by mistake, went blindly ahead and POOF, all my Gmail messages gone. Yes, I even emptied my trash.

My begging for help email to the Gmail support center has not been answered yet. So I'm faced with this permanent loss. How do you mentally handle the loss of thousands of emails, many of them part of ongoing "things to do" lists, and others with very important reference information and business related discussions? Email that ranks a 10 on the importance and relevance to my life scale. And yes... I will be using my own email accounts and backing it up on my PC from now on (my PC of course has backups), shame on me.

Does anyone have their own email or data loss horror stories?
Data Storage

Submission + - Converting old e-mail archives to a common format?

enormouse writes: I have decades of email stored in various formats: various unix, VAX mail, Lotus Notes/Domino, PROFS, one-off formats, and several PC mail programs, etc. Some I want to keep, some I need to keep. Nothing new, right? Keeping the original applications around isn't a practicable option at this time, and neither is clearing a forest to print it all out. I want to be able to search them, preserve most of the (HTML/rich-text) formatting, and obviously attachments. I can cook up converters, but I don't really want to write and maintain an archive system. I am thinking along the lines of an OSS mail or doc management system that I can run in a VM for 5-8 years before I have to move it again. Experiences and suggestions from folks who have gone through this?
Businesses

Submission + - Do private companies have to keep their email?

An anonymous reader writes: So I'm an IT intern at a medium-sized manufacturing business. In short, my superiors have asked me to research if privately-held corporations have to archive all of their email.

Have any laws pertaining to archiving/backing up emails been recently passed or proposed in light of any headline corporate scandals?

Or, more simply put, is it legally ok for employees and administrators at private companies to permanently delete their emails?
Security

Submission + - Can forensics software detect Linux LiveCD usage?

Scruffynerf writes: Regarding the recent thread today on /. regarding forensics software, and with the advent of online document storage systems, such as private Yahoo or MSN groups etc (or even GMail's systems), I'm wondering if forensics software can detect the use of LiveCDs to access illegal content that exists online. I guess that I'm wondering if forensics tools could detect evidence of illegal actions from the following situation: Laptop with a native XP (or Vista (with BitLocker on)) installation. User uses a sufficiently developed LiveDVD or LiveCD (say, Knoppix/Whoppix/Helix or even Ubuntu Ultimate) to access content online piggybacking across unsecured, or minimally secured wireless networks. How would/could investigators firstly locate the malicious user, and secondly establish that he may have been doing illegal activities? cheers Scruffy
Security

Submission + - Does IT-Sec 'need' to employ Hackers?

ghostcorps writes:

I am writing an assignment for Uni, and have chosen the topic:

"To win the fight against e-crime, partnerships are not only needed between law enforcement and the private sector, but also with Hackers."

Obviously (IMO) the answer is the question. But, can anyone detail some specific 'employ a hacker' policies that worked or that did not work? Preferably in spectacular fashion.

If there are any employers of 'White-hats' reading this, could you please give a quick explanation of why the decision was made to employ a 'Hacker' and what, if any, precautions were taken to soothe the concerns of the 'powers that be'.

How well do the IT-sec professionals and the Hackers work together? Do their skills complement or clash?

Opinions and anecdotes are appreciated and expected.
Security

Submission + - External access to school surveillance cameras

butabozuhi writes: After the highly publicized school shootings, there's a lot of activity in education to improve security. I'm sure having access to in-school cameras would really assist in handling the situation, but what kind of potential for mischief (i.e. tapping into systems) is this creating? Will we have school terrorists destroying cameras — or using them to increase their publicity/notoriety?
http://denver.yourhub.com/CastleRock/Stories/News/Law/Story~311308.aspx
United States

Submission + - BBC Reported WTC7 Collapse Before it Happened.

zero_jd writes: "A video was recently posted to Google which originally aired on BBC World between 16:54 and 17:36 EST on September 11th, 2001. In the video, a report came in that the Salomon Smith Barney building (aka: World Trade Center 7) had just collapsed due to a weakened structure. The report, however, had come in some twenty minutes prior to the actual collapse of the building. The video then cuts to a live correspondent in New York speaking with downtown Manhattan in the background. While she is discussing the collapse with the news anchor, WTC7 is clearly still standing in the background behind her. Then, just minutes before the building actually collapsed, her feed was abruptly cut. Despite Google Video containing numerous copyrighted BBC documentaries, another embarrassing BBC moment (the taxi driver incident), and 9/11 conspiracy videos, several copies of this particular video were removed within 24 hours. New copies are currently continuing to appear, but it seems abundantly clear that someone wants them taken away. The conclusions to be drawn are left to the reader, of course."
