Goglu - Slashdot User

Comment Re:I think it's fair (Score 1) 178

by Goglu on Sunday September 11, 2016 @05:01PM (#52867441) Attached to: When Your Boss Is An Algorithm

We're a software company, not a taxi company.

Actually, Uber accepted to become a taxi company (and get a taxi licence) in Québec. So THEY ARE a taxi company (that also has a software division).

Comment Re: Protecting financials to the detriment of cult (Score 3, Informative) 118

by Goglu on Sunday December 20, 2015 @10:57AM (#51153781) Attached to: UK Police Busts Karaoke 'Gang' For Sharing Songs You Can't Buy

... Most DVD-Rom drives allow you to change the region DRM only 2-5 times. In other words, you must buy specific equipment by region. Most people will just give up and satisfy themselves with Disney crap, giving up on broadening their culture.

In the end, I did the illegal thing: bought a cheap DVD player with a region hack and... hacked it!

Comment Protecting financials to the detriment of culture (Score 4, Insightful) 118

by Goglu on Sunday December 20, 2015 @10:13AM (#51153637) Attached to: UK Police Busts Karaoke 'Gang' For Sharing Songs You Can't Buy

This shows again how copyright laws are a nuisance to the spreading of culture. (Although I could hear the argument of those who claim that karaoke soundtracks are not the richest cultural expression.)

When I emigrated, I wanted to bring some DVDs from home (Europe) to my new land (America), but then I couldn't play them on local equipment because of region-DRM, once again meant to protect "copyrights" for products THAT WERE NOT AVAILABLE anyways in America!

These laws must be rebalanced in order to allow dissemination of culture across country borders. Diversity enriches the whole community, whereas those laws are made to enrich just a few.

Comment Re:Mail Consolidation IMAP (Score 1) 177

by Goglu on Tuesday December 15, 2015 @07:09PM (#51125883) Attached to: Ask Slashdot: Best (or Better) Ways To Archive Email?

After trying to consolidate all my emails on Outlook and then losing a couple of years of archives because of a file corruption, in 2007, I did just that: set up an IMAP server (Dovecot), using MailDir format (which saves each e-mail in its own file). A regular job rsync's everything to another machine for simple backups.

Everything's was then migrated on a Plug Computer (low performance, but excellent power consumption).

The whole setup, from installing Debian to having the server running took less than 4 hours, using online guides.

Comment Re:Canada (Score 2) 278

by Goglu on Monday October 05, 2015 @11:37AM (#50661747) Attached to: Trans-Pacific Partnership Trade Deal Is Reached

Whether or not Canada signs is depends greatly upon which party wins.

No matter which party wins, it will be signed. Libs, NDP or Conservatives will all bow down to banks and big money.

Comment Should this "testing mode" be enabled by default? (Score 1) 618

by Goglu on Thursday September 24, 2015 @11:20AM (#50589613) Attached to: How Did Volkswagen Cheat Emissions Tests, and Who Authorized It?

It sounds like Volkswagen DOES have the technology to be clean. So why wouldn't they enable this clean consumption mode by default???

Comment Re:Interesting take on this... (Score 1) 728

by Goglu on Saturday August 29, 2015 @04:30PM (#50417345) Attached to: Germany Wants Facebook To Obey Its Rules About Holocaust Denial

Libraries don't PUSH Mein Kampf, people BORROW books. Still, the library is criminally liable (in Germany) if they make the copy of Mein Kampf available.

Comment Should corporations be above national law? (Score 1, Troll) 728

by Goglu on Saturday August 29, 2015 @04:28PM (#50417333) Attached to: Germany Wants Facebook To Obey Its Rules About Holocaust Denial

This is really the question that applies...

Should corporations (a.k.a "moral persons") have more rights than national citizens? Should they be allowed to ignore laws they don't like and replace them with "our corporate policies"? Or, should there be a new international framework to regulate internet communication, rather than trust self-regulation?

Managers of Facebook consider holocaust deniers to have higher morals than women breast-feeding. This is a typical example of what self-regulation will bring.

Facebook managers should face the same legal consequences than the publisher of a German newspaper publishing the same posts. Unless, of course, the answer to the initial question is Yes, in which case there is no reason to forbid sales of drugs through Internet...

Comment Best feature (Score 5, Insightful) 276

by Goglu on Saturday April 18, 2015 @04:37PM (#49501397) Attached to: Ask Slashdot: What Features Would You Like In a Search Engine?

Confidentiality

Submission + - Duo Security iOS App Vulnerability

Submitted by dajjhman on Monday April 13, 2015 @06:00PM

dajjhman writes: Duo Security put out a PSA today informing users that their iOS application has not been checking the validity of SSL certificate domain names.
For those unfamiliar, Duo Security provides a 2 factor authentication system known for its implementation of push notifications to approve login requests. It is found in numerous applications, ranging from personal use to large enterprises
The vulnerability, identified as DUO-PSA-2015-002, allows attackers to use a Man in the Middle attack to see all of the network data. This was caused by a bug in a 3rd party library they used, and the announcement came along with an update to the App Store.
Duo says that due to the nature of their client-server communications, there was little risk an attacker could activate a push request as there is a client key. The PSA has not been posted to their blog at the time of this writing, but it is reproduced below.
The advisory is signed with the Duo Security PSIRT security@duosecurity.com PGP key which is available from their security contact page.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Duo Product Security Advisory
=============================

Advisory ID: DUO-PSA-2015-002
Publication Date: 2015-04-06
Revision Date: 2015-04-13
Status: Fixed
Document Revision: 2

Overview
========

Duo Security has identified an issue in recent versions of Duo Mobile for iOS that could allow attackers to perform a successful Man-in-the-Middle (MITM) attack against the app's TLS connections, if they can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service.

This issue has been fixed in Duo Mobile 3.7.1; all iOS users should update as soon as possible.

Description
===========

On the iOS platform, Duo Mobile leverages AFNetworking — a widely-used third-party HTTP client library — to communicate with Duo's cloud service. Recently, it was determined that AFNetworking did not validate digital certificates against server hostnames by default. As a result, Duo Mobile would e.g. consider a digital certificate for "www.example.com" as valid for "api-XXXXXXXX.duosecurity.com" when establishing a TLS tunnel.

This behavior makes it possible for an attacker to perform a successful Man-in-the-Middle (MITM) attack against TLS connections from affected versions of Duo Mobile, if he can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service. This might be a risk, for example, when using Duo Mobile while connected to untrusted wi-fi networks.

However, in addition to TLS, Duo Mobile uses application-level signatures to ensure the integrity and authenticity of requests sent from Duo Mobile to Duo's service. Becauses of this mechanism, a MITM attack would still not generally allow an attacker to e.g. approve a fraudulent Duo Push authentication request.

Note: A different vulnerability was introduced into AFNetworking in version 2.5.1, and recently gained widespread attention (http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html). Duo Mobile currently uses AFNetworking version 2.3.1, and was therefore not affected by that particular vulnerability. This is a separate — if very similar — issue.

Impact
======

An attacker can perform a successful Man-in-the-Middle (MITM) attack against Duo Mobile's TLS connections if he can otherwise manipulate the network traffic exchanged between the mobile app and Duo's cloud service. Duo's application-level signing mechanism still generally prevents the attacker from e.g. approving fraudulent Duo Push authentication requests. However, there are some limitations to this technique:

* Duo Mobile cannot use application-level signatures when setting up a new account, because — at this point — the app has not yet negotiated a key-pair with Duo's service. If an attacker intercepted traffic from Duo Mobile during this process, he could gain the ability to generate valid one-time passcodes and exert full control over subsequent Duo Push authentication requests intended for the targeted device.

* Requests from Duo Mobile to Duo's service have application-level signatures, but responses from the service do not. It may therefore be feasible for an attacker to manipulate details of a fraudulent authentication request such that it appears legitimate, thereby tricking a user into approving it.

Affected Product(s)
===================

* Duo Mobile for iOS, versions 3.4 — 3.7

Solution
========

Duo Mobile 3.7.1 was published to the iTunes App Store on April 6, 2015. This version ensures that certificate domain-name validation is performed for all TLS connections.

Users should upgrade to this version immediately to prevent the issues described above. Note that administrators can audit their users' Duo Mobile app versions in the "phones" section of the Duo administrative interface.

As noted above, there is a small risk that users' Duo Mobile credentials could be compromised, if an attacker captured network traffic from Duo Mobile during account setup. After users have upgraded, administrators may choose to forcibly invalidate any existing credentials by re-activating users' Duo Mobile accounts in the administrative interface.

Vulnerability Metrics
=====================

Vulnerability Class: Improper Certificate Validation (CWE-295)
Remotely Exploitable: Yes
Authentication Required: No
Severity: High
CVSSv2 Overall Score: 5.8
CVSSv2 Group Scores: Base: 6.8, Temporal: 5.9, Environmental: 5.8
CVSSv2 Vector: (AV:A/AC:L/Au:N/C:C/I:P/A:N/E:H/RL:OF/RC:C/CDP:MH/TD:M/CR:M/IR:H/AR:M)

References
==========

* CWE-295: Improper Certificate Validation — https://cwe.mitre.org/data/def...
* AFNetworking issue #2619 — https://github.com/AFNetworkin...
* Heartbleed Defense-in-Depth Part #2: Don't Trust SSL — https://www.duosecurity.com/bl...

Timeline
========

2015-04-02
* Engineers at Duo internally discover that Duo Mobile for iOS does not correctly validate server certificates.
* Duo develops a fix and submits an updated Duo Mobile 3.7.1 to the iTunes App Store.

2015-04-03
* Duo Mobile for iOS version 3.7.1 is approved by Apple

2015-04-06
* Duo completes testing on Duo Mobile for iOS 3.7.1 and releases it to end users.
* Duo drafts advisory and shares it with affected Enterprise and Business customers.

2015-04-13
* Duo updates advisory and shares it with all remaining customers.

Credits/Contact
===============

Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2015-002" in the subject.

Other feedback regarding this issue can be sent to security@duosecurity.com.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJVJD/IAAoJEEcOFkS+z+1x0q4QAIsyyybXIUV5/kui63aSzPrY
AT1GcSK0WGQzaH2T8gSBwMZl7QUPBJQERLm65F7hFXzDgzbFUrb9rnMvMPOdqYFK
mc0EIfwsoWH8M02JfHZvS476Yi56MAvY+DEOtVI/z23481ScT+fK5AyHvAyjfb2M
NFJJGjTfF6JOTdufY3D22RpCbpK68ITL8wVS+eCC9CR2xf6MlgITBRqdzyo3Qc34
1nRxnRc7xqPnkjSrtcT/lf8D5Q7j/yNv0qryRokY9neYxrogLXqqIkP/JhdhzFvH
DN8TPOMrRDfEPCdUDAdWBaGY0+gpVBIV+2gBzG+8/d+fEh5inTiEkBmjE11M722W
X3JGorP7DJ9TNoQM+TP1Y/r7khr/X5trk/X6RDeDKVLEaCx9KPTr7tSzy83/F2MI
c+kUwEsnrhxNPuLGWb38Exb0DQ7SmQJ6xvTx6EFcBcQDssDvfKPc6tIADSvMqw3t
ZxXkcqXJncq+M6Cvyxm+A6kb0FBcUAbmdyL6lhBhUTIimhg+i4QLBqkO42RaHogn
nY9WQhVZYAKCdGXcteSlez/2HFtE9+OoP23NK1UK+OoHJjCVg/qBKuBwyzY1JA2y
lBz1VGdWIVNqD3bEdHNLSnSa0hqXJ/mLgffogK/hj4COSI0f5CZaiSaZwCgpMPC+
kP6aGmqdITXzdgag6VHy
=16Yr
-----END PGP SIGNATURE-----

Comment Re: Lifestyle - Canada (Score 1) 332

by Goglu on Sunday April 12, 2015 @02:40PM (#49458313) Attached to: California Looks To the Sea For a Drink of Water

The statistics are about "total water withdrawal", where "some portion may be returned for further use downstream". I guess that the water used to produce hydro-electriciy could be counted as water withdrawn.

In that case, since Canada is producing a lot of hydro-electric power, it could impact the statistics.

Tar sands, on the other hand, although an important source of water pollution, seems to come up to approximately 10 m3/capita/year. In this case, not the culprit...

Comment Re:Idle threats (Score 2) 182

by Goglu on Tuesday May 13, 2014 @09:02AM (#46988511) Attached to: Oil Man Proposes Increase In Oklahoma Oil-and-Gas Tax

Society is not a restaurant.

Comment Why use drone for recon only??? (Score 1) 397

by Goglu on Monday March 24, 2014 @12:22PM (#46564605) Attached to: Drone-Assisted Hunting To Be Illegal In Alaska

If I was going to buy a drone, then I'd weaponize it and hunt with it directly!!!

No need to walk needlessly in dirty forests or swamps. All done from my cosy armchair, watching the TV and controlling the drone with my wii-mote.

Comment Re:Sorry For The Blunt Language... (Score 1) 389

by Goglu on Tuesday February 18, 2014 @02:42PM (#46278205) Attached to: Windows 8 Metro: The Good Kind of Market Segmentation?

I never thought I would miss Clippy's explanations so much...

Comment Re:Actually, it's called entropy (Score 1) 683

by Goglu on Sunday January 26, 2014 @10:57AM (#46072675) Attached to: VC Likens Google Bus Backlash To Nazi Rampage

Repartition of wealth is not a game of dice.

Humans have will, intelligence and tools that can bias probabilities in one direction or another.

Entropy is a law of physics. Economics is driven by humans and their greed, not by physics.

Slashdot Top Deals