Comment Re:NSA email (Score 1) 58

Given what we have seen so far there are probably so many weaknesses in this application that the NSA barely even noticed the loss of this one. Since it didn't give them access to the content it was a minor exploit at best. A more likely response is:

To: security@snapchat.com
From: NSAops@nsa.gov

Subject: Latest Snapchat security update

Thanks for not really taking this seriously and just saying that you'll pay more attention next time when someone tells you that you have an issue. We were concerned that you might go back and find the really serious exploits we are using to capture all of the content that flows through your system. No worries then.

Thanks.

A Concerned NSA Analyst

Comment Re:Still one of the stupidest things of 2013. (Score 1) 58

No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.

I agree, but the rapid development life-cycle is not solely responsible. Even in this day and age, most developers still don't have a good working knowledge of application security. I feel like this is a systemic issue with the education process. Across the teaching spectrum from post-secondary education to "teach yourself" books to boot camp instruction, application security is barely given a mention. Most of the developers that I have hired that did know something about it came from larger development shops that taught application security in house, sent their developers to additional training or they learned it from their mentor. At least with a basic understanding of application security you have a second "hat" that you can put on and look at the application design from a different perspective. You have to be able to look at your application and ask yourself how you could exploit or break it. If you can't, hire or contract someone who can.

Comment Re:Too bad its news... (Score 1) 58

Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

It was not the correct response. They just "hand waved" it off when they were informed of the issue, basically saying that they knew better than the researchers that found the exploit. Turns out that they were wrong and paid the price.

Comment Oh sure (Score 1) 58

"Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."

I think it's a little too late to be closing the barn door now. The horses are all long gone. They had a major security breach and their chances of a sale or IPO have gone swirling down the toilet. The top Google search results will return news of this hack for years to come.

Unfortunately in this day and age of web application development the security aspects of many projects seem to be an afterthought if they are considered at all. Personally I hope that they and other developers learn from this and begin being more proactive in their security considerations, but I doubt it.

Comment Re:I hope they are... (Score 4, Insightful) 363

Sometimes I wonder if I will one day be answering the question, "Where were you when the Constitution and Bill of Rights were permanently suspended?"

It's more of a "how do you boil a frog?" type of gradual decay. The question will be more of "Where were you when you realized that they had suspended the last of the Bill of Rights and the Constitution?". In either case the answer will likely be on the day that they come for you.

Comment Re:Well, uh... (Score 1) 363

The FBI couldn't find their ass with both hands and a map
We need the FBI to complicate matters
If the NSA can rationalize what they do, the CIA can as well.
We could throw in a few other 3 letter agencies for a complete Keystone Cop scenario.
Keep em all busy.

Make them line item accountable to the GAO. That should royally screw them all.

Comment Re:OpenBSD (Score 2) 189

Every tech company works with the NSA. I don't need proof, because it's the only safe assumption to make. If any tech company isn't happy about that, the onus is on them to prove that they don't.

And since you can't prove a negative, your self-sustaining paranoia will remain steadfastly intact. Might want to loosen your tin foil hat a bit. It's cutting off circulation to one or more organs.

Submission + - AllThingsD co-founders launch new tech site, Re/code. (recode.net)

Fnord666 writes: The founders of popular technology website AllThingsD have launched a new digital news and review website after parting ways with Dow Jones back in September.

The site, Re/code, was announced on Thursday by co-founders Kara Swisher and Walt Mossberg. The site and conference, which will be called Code, are to be managed by Revere Digital LLC, which received investments from the NBCUniversal News Group as well as Windsor Media, founded by former Yahoo chairman and CEO Terry Semel. The first conference under the new company will be held in late May outside Los Angeles.

Submission + - Online puzzle has world's codebreakers baffled (irishexaminer.com)

cold fjord writes: The Irish Examiner reports, "In Jan 2012, an image appeared on ... 4chan that set the world’s best codebreakers ... to solve a highly complex and sophisticated puzzle. It was posted by a shadowy organisation ... Cicada 3301. The image of plain white text on a black background looked deceptively simple. It read: “Hello. We are looking for highly intelligent individuals. To find them, we have devised a test. There is a message hidden in this image. Find it, and it will lead you on the road to finding us. ... The hidden message in this case turned out to be a JPEG image file. Those puzzle solvers who succeeded in breaking the code to alter the image were initially disappointed, being rewarded with ... a picture of a rubber duck, and a message that read: “Woops, just decoys this way. Looks like you can’t guess how to get the message out.” ... Joel Eriksson, a 34-year-old computer analyst ... ran the duck’s teasing message through ... an encryption program, and discovered another hidden message ... Like peeling an onion, this led to more messages and clues that mutated hourly, ... a new riddle based on Mayan numerals. By this stage, Eriksson was hooked. ... Like Alice Through the Looking Glass ... cryptographers delved deeper ... discovering more clues ... GPS co-ordinates for locations in Warsaw, Paris, Seattle, Seoul, Arizona, California, New Orleans, Miami, Hawaii and Sydney. Amateur sleuths discovered lo-tech posters pasted to lamp posts in each location, all bearing a QR bar code ... When scanned ... the bar codes led to yet another web address. If nothing else it proved that this was the product of a well-funded global organisation of brilliant people on a quest.

Comment With any luck (Score 1) 572

"He's revealing how we acquire this information. It will take years, if not decades, for us to return to the position that we had prior to his disclosures."

Hopefully the revelations about what they have been up to will be enough to prevent them from ever being able to "return to the position that we had prior to his disclosures".

Comment Re:Salt (Score 1) 213

In this case it does because it makes PIN blocks encrypted using the same working key be completely different. This prevents someone from performing a chosen plaintext attack by setting their own PIN to be 0000 or 1234 and comparing the captured PIN block to others. More of a limited rainbow table I guess.
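
As an added illustration (not part of the comment above), the "salt" being described is what an ISO 9564 format 0 PIN block does: the PIN field is XORed with the rightmost account-number digits, so two cards with the same PIN yield different blocks under the same working key, while a block built from the PIN alone does not. The stdlib has no 3DES, so a keyed HMAC stands in for the deterministic working-key encryption; the PANs and key are constructed values.

```python
import hashlib
import hmac


def pan_field(pan: str) -> bytes:
    """ISO 9564-1 format 0 PAN field: 0000 + rightmost 12 PAN digits, check digit excluded."""
    digits = pan[:-1][-12:].rjust(12, "0")
    return bytes.fromhex("0000" + digits)


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: nibble 0, PIN length nibble, PIN digits, F padding to 16 nibbles."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field (the per-card 'salt')."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def decode_format0(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block, validating the layout."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(field[1], 16)
    pin, padding = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not pin.isdigit() or padding != "F" * (14 - length):
        raise ValueError("malformed format 0 PIN block")
    return pin


def naive_pin_block(pin: str) -> bytes:
    """Block with no PAN mixing: every card with this PIN produces the same bytes."""
    return pin_field(pin)


def encrypt_stand_in(working_key: bytes, block: bytes) -> bytes:
    """Deterministic keyed transform standing in for 3DES-ECB under the working key (assumption)."""
    return hmac.new(working_key, block, hashlib.sha256).digest()[:8]


def distinct_ciphertexts(working_key: bytes, pin: str, pans: list, mixed: bool) -> int:
    """How many different encrypted blocks the same PIN yields across cards."""
    blocks = [format0_pin_block(pin, p) if mixed else naive_pin_block(pin) for p in pans]
    return len({encrypt_stand_in(working_key, b) for b in blocks})


# Constructed sample data: not real card numbers or keys.
SAMPLE_PANS = ["4000001234567899", "5100000000000008"]
SAMPLE_KEY = b"constructed-working-key-not-real"
```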

Comment Re:Why are they storing this data anyway? (Score 1) 213

Take a look at DUKPT, short for Derived Unique Key Per Transaction, to better understand how a PIN pad can be loaded with a set of keys that the merchant does not know. Similarly many PIN pads support remote key loading where asymmetric encryption is used to send a random 'working' 3DES key to the terminal. That key will be periodically replaced with a new one. Again the merchant has no idea what key is being used by the terminal at any given time.
