Thursday, September 25, 2014

GNU bash bug in Mac OS X and Linux could be 'bigger than Heartbleed'

The bash bug, as implied by its name, is a vulnerability that allows unscrupulous users to take control of the Bourne Again Shell (bash), the command-line shell used on many Unix-like systems. This means that systems running Mac OS X and Linux are all potentially susceptible.
Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function
Dubbed "Shell Shock", the bug was found by the 38-year-old Frenchman on the morning of September 12. It was disclosed this week so it could be patched. The bug had lurked for 21 years in software found on hundreds of millions of devices, leaving them exposed to attackers who may already have known of its existence.
Commenting on the flaw, Professor Alan Woodward from the University of Surrey said, "What many do not realise is that over 50 percent of active web sites run on a web server called Apache which runs on Unix, and hence is potentially vulnerable."
A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to "command line tools."

"Analysing the malware sample in a sandbox, we saw that the malware has conducted a massive scan on the United States Department of Defence Internet Protocol address range on port 23 TCP or Telnet for brute force attack purposes,"
99% BAD HARDWARE WEEK: Who would believe this?

But even with all the current patches applied, you can still do this: Cookie: () { echo "Hello world"; } ...and witness a callable function dubbed HTTP_COOKIE() materialize in the context of subshells spawned by Apache; of course, the name will always be prefixed with HTTP_*, so it's unlikely to clash with anything or be called by accident - but intuitively, it's a pretty scary outcome.
In the same vein, doing this will also have an unexpected result:
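
The behaviour described in the Shell Shock posts above can be checked on your own machine. The script below is an added example, not code from the original post or from any of the sources it quotes; the function name demo_fn, the constructed HTTP_COOKIE value and the probe text are all assumptions made for this example. It shows three things: the environment entry bash actually uses to carry an exported function into a child process, whether a request-header-style variable whose value starts with "() {" becomes a callable function in a child bash (the Apache/CGI scenario), and whether the local bash still executes commands that trail such a function definition.

```shell
#!/bin/sh
# Added example (not from the original post). Names such as demo_fn and the
# HTTP_COOKIE value below are constructed for this demonstration.

# 1. How function export works: a function exported with "export -f" appears
#    in the child's environment as a variable whose value begins with "() {".
#    Returns the name of that environment entry (a fixed bash prefixes it
#    with BASH_FUNC_; the pre-fix naming was just the function name).
function_export_entry() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    bash -c 'demo_fn() { echo hi; }; export -f demo_fn; env' \
        | grep 'demo_fn' | cut -d= -f1 | head -n 1
}

# 2. The Apache/CGI scenario from the post: the Cookie header arrives as
#    HTTP_COOKIE in the subshell's environment. Does a "() {" value turn
#    into a callable function? Returns "imported" or "not-imported".
header_function_import() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    if HTTP_COOKIE='() { echo "Hello world"; }' \
        bash -c 'declare -F HTTP_COOKIE >/dev/null 2>&1'; then
        echo "imported"
    else
        echo "not-imported"
    fi
}

# 3. The Shell Shock probe itself: an empty function body followed by a
#    second command. A fixed bash prints only "test"; a bash that keeps
#    parsing past the definition also runs the trailing echo.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Usage: run all three checks and print a one-line summary for each.
main() {
    printf 'function carried as : %s\n' "$(function_export_entry)"
    printf 'HTTP_COOKIE function: %s\n' "$(header_function_import)"
    printf 'trailing commands   : %s\n' "$(shellshock_check)"
}
main
```

Run it with any POSIX sh; it spawns bash only for the checks, so a host without bash reports "no-bash" rather than failing. On a bash with the complete set of fixes the second check reports "not-imported", because function import was later restricted to specially named variables, which is exactly the HTTP_COOKIE() outcome the post above found still possible with only the first patch applied.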

The Google Empire Strikes Back

"The fact of the matter is, Julian is very paranoid about things. Google never collaborated with the NSA and in fact, we've fought very hard against what they did... We have taken all of our data, all of our exchanges... we fully encrypted them so no one can get them, especially the government."
99% BAD HARDWARE WEEK: Yes, Google fought hard against what the NSA did WITHOUT ENCRYPTION in Android! Only now is encryption mandatory. When a billion Google users gave all their metadata to SOMEONE?? Google never heard of "only the paranoid survive"?

Wednesday, September 24, 2014

Assange: Google should be of concern to people all over the world

On September 15, 2014, Wikileaks founder Julian Assange told the Italian newspaper L'Espresso that he now wants to warn against Google: "They believe they are doing good, but they are now aligned with US foreign policy. This means that Google can intervene on behalf of US interests, for example, it can end up compromising the privacy of billions of people, it can use its advertising power for propaganda".
Google has massive technical capabilities for user data retention, metadata collection, telecommunications monitoring, localization, mapping and imaging, all of which could allow it to act as an intelligence agency. The main difference is that Google has a different goal (commercial) than an intelligence agency, but this also means that Google gathers far more data than an intelligence agency is legally allowed to.

How long is user data kept on Google's servers? What kind of user data is shared with law enforcement agencies or intelligence services around the world? How does Google prevent its employees from accessing users' personal data or location? How is the data you gave Google secured against hackers or against malicious attacks by intelligence services?

Monday, September 22, 2014

Where's the Silicon in Silicon Valley?


Tuesday, August 26, 2014

NSA Announces Secure Guidance Program - FPGAs

 This program works to develop Secure Implementation Guides (SIGs) to help explain the unique implementation of the numerous Security Features within each vendor’s product family.

The Microsemi SmartFusion2 SoC and IGLOO2 FPGA product families have completed the U.S. National Security Agency (NSA) Information Assurance Directorate (IAD) Secure Implementation Guidelines (SIG) document.
SmartFusion2 SoC FPGAs integrate flash-based FPGA fabric, a 166 MHz ARM Cortex-M3 processor, advanced security processing accelerators, DSP blocks, SRAM, eNVM and industry-required high performance communication interfaces on one chip.

Friday, August 22, 2014

How to use OpenPGP to encrypt your email messages and files in the cloud

 While OpenPGP isn’t quite “set it and forget it” technology, it is very effective—so effective, in fact, that instead of trying to crack the encryption, some government agencies have resorted to issuing subpoenas for private keys and passwords.
While this tutorial doesn’t provide you with an NSA-defeating level of protection (you still have much to learn, grasshopper), you now have the basics for keeping your information private from most casual attacks.
99% BAD HARDWARE WEEK: What use is weak encryption at all?

Wednesday, August 20, 2014

USB 3.0 Promoter Group Announces USB Type-C Connector

The USB Type-C connector is a major breakthrough that combines 10 Gbps high-speed communication with charging capability scalable up to 100W, while consolidating numerous cables into one robust, unique cable with reversible plug orientation and cable direction that significantly improves the user experience.

99% BAD HARDWARE WEEK: Apple's patent on July 24, 2014 is given here.

Saturday, August 16, 2014

FBI's Meta errors

 "We found that the FBI's corrective measures have not completely eliminated potential intelligence violations resulting from typographical errors in the identification of a telephone number, email address, or social security number in an NSL," the report reads. "These typographical errors cause the FBI to request and, in some instances receive, the information of someone other than the intended target of the NSL."

Black Hat: More Internet-Scale Bugs Are Likely Lurking

A survey of software libraries used in many companies’ products suggests we may see more incidents like the Heartbleed bug.

Free: This tool can make 15nm mask for your chip

They issued FreePDK45 in 2007 to facilitate design at the 45 nm scale. That software was used for educational purposes at hundreds of institutions, and was cited in more than 200 scholarly papers.
