Friday, April 18, 2014
Who is the anonymous Heartbleed informer?
Friday, March 21 or before - Neel Mehta of Google Security discovers Heartbleed vulnerability.
Friday, March 21 10.23 - Bodo Moeller and Adam Langley of Google commit a patch for the flaw (This is according to the timestamp on the patch file Google created and later sent to OpenSSL, which OpenSSL forwarded to Red Hat and others). The patch is then progressively applied to Google services/servers across the globe.
99% BAD HARDWARE WEEK: Here are some new security kids on the block.
Snowden used TAILS.
- TAILS: $22,351.05
- LEAP Encryption Access Project: $17,665.12
- Tor Project: $19,632.20
- SecureDrop: $14,403.08
- Open WhisperSystems: $19,149.49
Thursday, April 17, 2014
Internet sites by size
99% BAD HARDWARE WEEK: There are only a few supernovas: Google, Facebook, Yahoo
Wednesday, April 16, 2014
Internet of NSA things: Open SSL is not the only case
PolarSSL still uses Intel's weakened random generator.
99% BAD HARDWARE WEEK: And it is used in some 25 system files.
CTR_DRBG based on AES-256 (NIST SP 800-90). As you know, PolarSSL is intended for embedded and IoT-connected things, with the minimal complete TLS stack requiring under 60KB of program space and under 64KB of RAM.
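To make the complaint above concrete, here is an added example (not PolarSSL's code) of CTR_DRBG with AES-256 in Go. It is the no-derivation-function variant of SP 800-90A, which is simpler than what PolarSSL ships; the 48-byte entropy value and the names used here are constructed for the demo. The point it shows: the generator is fully deterministic given its seed, so whoever knows or controls what the hardware RNG handed over (the Intel generator the post worries about) can reproduce every byte the DRBG will ever emit. The DRBG stretches entropy; it never adds any.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"errors"
	"fmt"
)

// CTR_DRBG with AES-256 and no derivation function (NIST SP 800-90A, section 10.2.1).
const (
	keyLen     = 32            // AES-256 key
	blockLen   = aes.BlockSize // counter block V
	seedLen    = keyLen + blockLen
	maxRequest = 1 << 16 // 2^19 bits per Generate call
)

type ctrDRBG struct {
	key           [keyLen]byte
	v             [blockLen]byte
	reseedCounter uint64
}

// encryptBlock returns AES_key(in) for a single block.
func encryptBlock(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // cannot happen: key length is fixed by the constants above
	}
	out := make([]byte, blockLen)
	c.Encrypt(out, in)
	return out
}

// increment treats v as a big-endian counter and adds one modulo 2^128.
func increment(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		v[i]++
		if v[i] != 0 {
			break
		}
	}
}

// update is CTR_DRBG_Update: encrypt successive counter values under the current key until
// seedLen bytes exist, XOR in the provided data, then split the result into the new key and V.
func (d *ctrDRBG) update(provided []byte) {
	temp := make([]byte, 0, seedLen+blockLen)
	for len(temp) < seedLen {
		increment(d.v[:])
		temp = append(temp, encryptBlock(d.key[:], d.v[:])...)
	}
	temp = temp[:seedLen]
	for i := range temp {
		temp[i] ^= provided[i]
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:])
}

// newCTRDRBG is Instantiate without a derivation function: the entropy input must be exactly
// seedLen bytes, and the entire state is a function of it and the personalization string.
func newCTRDRBG(entropy, personalization []byte) (*ctrDRBG, error) {
	if len(entropy) != seedLen {
		return nil, errors.New("entropy input must be exactly seedLen bytes")
	}
	if len(personalization) > seedLen {
		return nil, errors.New("personalization string longer than seedLen")
	}
	seed := make([]byte, seedLen)
	copy(seed, entropy)
	for i, b := range personalization {
		seed[i] ^= b
	}
	d := &ctrDRBG{} // Key = 0^keyLen, V = 0^blockLen before the first update
	d.update(seed)
	d.reseedCounter = 1
	return d, nil
}

// generate is Generate: fold in optional additional input, produce n bytes in counter mode,
// then run update again so the output cannot be used to roll the state backwards.
func (d *ctrDRBG) generate(n int, additional []byte) ([]byte, error) {
	if n > maxRequest {
		return nil, errors.New("request exceeds max_number_of_bits_per_request")
	}
	if len(additional) > seedLen {
		return nil, errors.New("additional input longer than seedLen")
	}
	add := make([]byte, seedLen) // zero-padded; all zeros when no additional input is given
	if len(additional) > 0 {
		copy(add, additional)
		d.update(add)
	}
	out := make([]byte, 0, n+blockLen)
	for len(out) < n {
		increment(d.v[:])
		out = append(out, encryptBlock(d.key[:], d.v[:])...)
	}
	d.update(add)
	d.reseedCounter++
	return out[:n], nil
}

// sampleEntropy is a constructed 48-byte value standing in for whatever the hardware RNG delivered.
var sampleEntropy = bytes.Repeat([]byte{0xa5, 0x5a, 0xc3}, seedLen/3)

// streamFor instantiates a fresh generator from the given entropy and returns its first 32 output bytes.
func streamFor(entropy []byte) ([]byte, error) {
	d, err := newCTRDRBG(entropy, nil)
	if err != nil {
		return nil, err
	}
	return d.generate(32, nil)
}

func main() {
	a, _ := streamFor(sampleEntropy)
	b, _ := streamFor(sampleEntropy) // anyone who knows the seed gets the same bytes
	fmt.Printf("output: %x\n", a)
	fmt.Println("reproducible from the same entropy:", bytes.Equal(a, b))
}
```

Nothing in the counter-mode loop or the post-update depends on anything but the key and V, which is why a weak or observed entropy source defeats the construction regardless of how well the DRBG itself is implemented.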
LATEST: Heartbleed exploits have begun! Even a 19-year-old could do it, why not the NSA?
Luckily the latest impact report from the National Cyber Awareness System finds that, thank the gods, clay tablets are not impacted at all!
CVSS Severity (version 2.0): CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)
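For readers who want to see why a "medium" score understates it, here is an added example (not OpenSSL's code) modelling the TLS heartbeat handler behind Heartbleed (CVE-2014-0160) in Go: the pre-1.0.1g logic that trusts the peer's declared payload length, beside the two length checks the 1.0.1g patch introduced. The reused record buffer, the earlier plaintext record and the "secret" inside it are constructed for the demo; the buffer is simply made large enough to hold a 64KiB reply, standing in for the heap memory the real bug read past the end of the record.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Heartbeat message layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16)
const (
	hbRequest  = 1
	hbResponse = 2
	hbPadding  = 16
	hbHeader   = 1 + 2
	// Large enough for the biggest reply the bug can produce; models the memory past the real record.
	recordBufSize = hbHeader + 0xFFFF + hbPadding
)

// conn models one TLS connection whose record buffer is reused between records, as in OpenSSL:
// bytes of an earlier record stay in place until a later record overwrites them.
type conn struct {
	buf  [recordBufSize]byte
	used int // length of the record actually received (rrec.length in OpenSSL)
}

// receive stores an incoming record in the reused buffer without scrubbing what was there before.
func (c *conn) receive(rec []byte) {
	copy(c.buf[:], rec)
	c.used = len(rec)
}

// vulnerableHeartbeat mirrors the pre-1.0.1g logic: it trusts the attacker-chosen payload_length
// and copies that many bytes back, however short the received record really was.
func vulnerableHeartbeat(c *conn) ([]byte, error) {
	p := c.buf[:]
	if p[0] != hbRequest {
		return nil, errors.New("not a heartbeat request")
	}
	payloadLen := int(binary.BigEndian.Uint16(p[1:3])) // attacker controlled, never compared with c.used
	resp := make([]byte, hbHeader+payloadLen+hbPadding)
	resp[0] = hbResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(payloadLen))
	copy(resp[hbHeader:hbHeader+payloadLen], p[hbHeader:hbHeader+payloadLen]) // over-read into stale data
	return resp, nil
}

// fixedHeartbeat adds the checks OpenSSL 1.0.1g introduced: discard the record if it cannot hold a
// header plus minimum padding, and discard it if the declared payload does not fit in the record.
func fixedHeartbeat(c *conn) ([]byte, error) {
	if c.used < hbHeader+hbPadding {
		return nil, errors.New("record too short: silently discarded")
	}
	p := c.buf[:c.used]
	if p[0] != hbRequest {
		return nil, errors.New("not a heartbeat request")
	}
	payloadLen := int(binary.BigEndian.Uint16(p[1:3]))
	if hbHeader+payloadLen+hbPadding > c.used {
		return nil, errors.New("declared payload exceeds record: silently discarded")
	}
	resp := make([]byte, hbHeader+payloadLen+hbPadding)
	resp[0] = hbResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(payloadLen))
	copy(resp[hbHeader:hbHeader+payloadLen], p[hbHeader:hbHeader+payloadLen])
	return resp, nil
}

// Constructed sample data: a secret left in the buffer by an earlier record, then a malicious heartbeat.
const secret = "user=alice&password=hunter2" // constructed, not a real credential

// maliciousHeartbeat builds a request carrying one real payload byte but an arbitrary declared length.
func maliciousHeartbeat(declared uint16) []byte {
	rec := make([]byte, hbHeader+1+hbPadding)
	rec[0] = hbRequest
	binary.BigEndian.PutUint16(rec[1:3], declared)
	rec[3] = 'A'
	return rec
}

// newVictim replays an earlier plaintext record, then the 20-byte malicious heartbeat on top of it.
func newVictim() *conn {
	c := &conn{}
	c.receive(append([]byte("POST /login HTTP/1.1\r\n\r\n"), secret...))
	c.receive(maliciousHeartbeat(0xFFFF))
	return c
}

func leaksSecret(resp []byte) bool { return bytes.Contains(resp, []byte(secret)) }

func main() {
	c := newVictim()
	resp, _ := vulnerableHeartbeat(c)
	fmt.Printf("vulnerable: %d bytes returned, secret leaked: %v\n", len(resp), leaksSecret(resp))
	_, err := fixedHeartbeat(c)
	fmt.Println("fixed:", err)
}
```

The 20-byte malicious record overwrites only the start of the buffer, so the credential from the previous record is still sitting a few bytes further on; the vulnerable handler hands back 65554 bytes that include it, while the fixed handler drops the request without replying, exactly as the patched code does.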
BULLRUN: INDOCTRINATION REQUIRED
Open SSL spring cleaning
Changes so far to OpenSSL 1.0.1g since the 11th include:
- Splitting up libcrypto and libssl build directories
- Fixing a use-after-free bug
- Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
- Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
- Removal of most (all?) backend engines, some of which didn’t even have appropriate licensing
- Ripping out some windows-specific cruft
- Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
- KNF of most C files
- Removal of weak entropy additions
- Removal of all heartbeat functionality which resulted in Heartbleed SINCE MARCH 2012
99% BAD HARDWARE WEEK: No problem if you change your OpenSSL passwords now. They all remain stored on OUR servers. Hehehe. What about the added entropy and the passwords exposed through OpenSSL? Well, a nice confidence catch.
Here is a brief history of Intel's randomness.
SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web.
Friday, April 11, 2014
Facebook's Heartbleed security hole affected Cisco Mobile Experiences
Cisco Connected Mobile Experiences (CMX) is a Wi-Fi platform that can help organizations deliver customized, location-based mobile services to end users. The CMX license on the Cisco MSE includes:
- CMX Connect to provide a venue-specific, location-based mobile guest access experience
- CMX Analytics to gain insight into end-user behavior while inside their venue
- CMX for Facebook Wi-Fi to support a transparent guest Wi-Fi sign-on experience and to analyze guest profiles using the Cisco and Facebook Wi-Fi platforms
- CMX Dashboard to build and manage the CMX user journey
Cisco AnyConnect Secure Mobility Client for iOS [CSCuo17488]
Cisco Desktop Collaboration Experience DX650
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco TelePresence Video Communication Server (VCS) [CSCuo16472]
Cisco IOS XE [CSCuo19730]
Cisco Unified Communication Manager (UCM) 10.0
Cisco Universal Small Cell 5000 Series running V3.4.2.x software
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
Small Cell factory recovery root filesystem V2.99.4 or later
Cisco MS200X Ethernet Access Switch
Cisco Mobility Service Engine (MSE)
Cisco TelePresence Conductor
Cisco WebEx Meetings Server versions 2.x
99% BAD HARDWARE WEEK: That is why Facebook was informed before anyone else! Who might be behind it? Let me guess. OpenSSL with the Heartbleed security hole was applied at Cisco without any control?? YES, the NSA used it!
Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter.
See below: a Yahoo login and password, easily extracted despite being heavily SSL encrypted!
Thursday, April 10, 2014
Hot entertainment: Boeing 747 caught fire (again)
Staff on the flight to Heathrow from Dallas/Fort Worth with 274 passengers on board smelt an “acrid, electrical burning smell” about two hours from London.
Last year frightened passengers on board a British Airways flight told how they heard their pilot making a Mayday distress call 36,000ft above the Atlantic on November 14.
The captain radioed for help when smoke filled the cockpit of the Boeing 777 plane carrying 220 passengers - and accidentally turned on the public address system.
After putting on oxygen masks the crew immediately contacted air traffic control. They switched on the cabin address system, and the start of their Mayday call was heard by passengers.
Passengers were told there had been an electrical fault. It is believed the smoke was caused by a fan in the cockpit which overheated.
99% BAD HARDWARE WEEK: Fire after two hours! Malaysia Airlines could catch it in 20 minutes. Imagine flying an airplane with only one working engine, trying to return home
in complete darkness, and you are on MH 370. What if the shut-down engine carried the power generator? Then even your radio will not function.
US Exaflops supercomputer in year 2023
99% BAD HARDWARE WEEK: Probably immersed in cooling fluid. It will draw no less than 20 MW of power. Applications will run only in 2024.
Wednesday, April 09, 2014
MH 370 flight cover: How did Inmarsat detect pings at places that aren't even covered by its satellite beams??
99% BAD HARDWARE WEEK:
Last irregular ping happened when MH370 missed Cocos (Keeling) island !
Monday, April 07, 2014
Apple in Holy war with Google
From: Steve Jobs
Date: October 24, 2010 6:12:41 PM PDT
- 2011: Holy War with Google
- all the ways we will compete with them
- Apple is in danger of hanging on to old paradigm too long (innovator’s dilemma)
- Google and Microsoft are further along on the technology, but haven’t quite figured it out yet
- tie all of our products together, so we further lock customers into our ecosystem
- 2015: new campus
99% BAD HARDWARE WEEK: But who are the Muslims in this Holy War? Why isn't Facebook mentioned? Probably because of a certain religious orientation. :)