Current Topic: Computer Security

T hacking exposes a deeper clash
Topic: Computer Security
1:18 pm EDT, Aug 18, 2008
Front page, above-the-fold, of today's Boston Globe: Where agency sees attack, MIT students talk of constructive exploration
This article doesn't really break any news, particularly for those who were at DEFCON or who followed the recent threads. But they did make room for this explanation: "I've always been interested in electronics," said Anderson, who grew up scouring alleyways for discarded machines. "Ever since I was a little kid, I would take things apart to see how they work." These days, he proudly calls himself a hacker. "If a lot of people think hacker, they think of someone who illegally breaks into systems," he said. "I don't at all think that's what hacker means. I think hacking is a culture of curiosity and exploration and learning and building and creating new things."
From the archive: The Craftsman continues an argument begun in the 19th century, when writers such as John Ruskin and William Morris extolled the crafts remembered in our surnames (Smith, Cartwright, Thatcher, Mason, Fletcher) while lamenting the mind-numbing and soul-destroying labour of the industrial process which was replacing them. A long line of thinkers, from Hegel and Marx to Sennett’s teacher Hannah Arendt, have sympathised with the argument. But Sennett does not think that craftsmanship has vanished from our world. On the contrary: it has merely migrated to other regions of human enterprise, so that the delicate form of skilled cooperation that once produced a cathedral now produces the Linux software system. Linux, for Sennett, is the work of a community of craftsmen “who embody some of the elements first celebrated in the (Homeric) Hymn to Hephaestus”.
The spread of Enterprise Systems has resulted in a declining emphasis on creativity and ingenuity of workers, and the destruction of a sense of community in the workplace by the ceaseless reengineering of the way businesses operate. The concept of a career has become increasingly meaningless in a setting in which employees have neither skills of which they might be proud nor an audience of independently minded fellow workers that might recognize their value. The evidence suggests that from an executive perspective, the most desirable employees may no longer necessarily be those with proven ability and judgment, but those who can be counted on to follow orders and be good "team players."

Georgian president's Web site moves to Atlanta
Topic: Computer Security
9:12 am EDT, Aug 12, 2008
Atlanta is just as hosed as Georgia. The Web site of the president of Georgia, the small nation that is battling Russian forces over a breakaway enclave, was moved to a US hosting facility this weekend after allegedly being attacked by Russian hackers.

Black Hat Talk on Apple Encryption Flaw Pulled
Topic: Computer Security
7:30 am EDT, Aug 6, 2008
A security researcher who was set to speak at Black Hat next week on a previously undiscovered flaw in FileVault has canceled his talk, citing confidentiality agreements. Charles Edge had been slated to discuss his research on a weakness that could be used to defeat FileVault. But sometime last week, Black Hat organizers pulled his name and presentation listing from its schedule of talks. ... Update: Looks like yet another talk about Apple security will be canceled at Black Hat this year. Apple has pulled its security engineering team out of a planned public discussion on the company's security practices.
See also: Leave Steve Jobs Alone!!! (pnsfw audio)
From the archive:
Border searches of laptops; seizure
Unlocking FileVault
Laptop border searches OK'd
Faster PwninG Assured: Cracking Crypto with FPGAs
Circumventing Automated JavaScript Analysis Tools
DOMinatrix - The JavaScript SQL Injector
Richard Clarke leveled the harshest language on the Bush administration. "The Bush administration has systematically reduced the work to secure cyberspace."
Hacker Pranks at Defcon and Black Hat in Las Vegas Emphasize Computer Security, Abaddon causing a ruckus at Black Hat, and Mike Lynn's Glorious Escapades
HID Global statement on IOActive withdrawing their Black Hat presentation
Crime is sport in the US. All the way back to the black hat wearing cowboy to OJ and Scott Peterson, we have a love affair with criminals, and are addicted to punishment. It makes us feel tough and reinforces other false ideals in our culture (morality, justice for all, bravery, etc.).

How Crypto Won the DVD War | Threat Level from Wired.com
Topic: Computer Security
6:23 am EST, Feb 27, 2008
Support from studios has been widely cited as the reason for Blu-ray's victory, but few consumers know that the studios were likely won over by the presence of a digital lock on movies called BD+, a far more sophisticated and resilient digital rights management, or DRM, system than that offered by HD DVD.
This is very interesting.

Security Data Visualization: Graphical Techniques for Network Analysis
Topic: Computer Security
3:35 pm EST, Jan 25, 2008
Greg Conti published a book last October!
Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence. Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities. Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate. You'll learn how to use visualization techniques to:
- Audit your network for vulnerabilities using free visualization tools, such as AfterGlow and RUMINT
- See the underlying structure of a text file and explore the faulty security behavior of a Microsoft Word document
- Gain insight into large amounts of low-level packet data
- Identify and dissect port scans, Nessus vulnerability assessments, and Metasploit attacks
- View the global spread of the Sony rootkit, analyze antivirus effectiveness, and monitor widespread network attacks
- View and analyze firewall and intrusion detection system (IDS) logs
Security visualization systems display data in ways that are illuminating to both professionals and amateurs. Once you've finished reading this book, you'll understand how visualization can make your response to security threats faster and more effective.
You can download Chapter 5, "One Night on my ISP", from the publisher.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants
Topic: Computer Security
6:42 am EST, Dec 6, 2007
This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from “hacking for fun” to “hacking for profit” has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

WEIS 2008 - The Seventh Workshop on the Economics of Information Security
Topic: Computer Security
6:49 am EDT, Nov 2, 2007
Information security requires not only technology, but a clear understanding of risks, decision-making behaviors and metrics for evaluating business and policy options. How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems? While organizations and individuals face new and evolving technical challenges, we know that security and privacy threats rarely have purely technical causes. Economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. The application of economic analysis to these problems has proven to be an exciting and fruitful area of research.

Topic: Computer Security
5:25 pm EDT, Aug 30, 2007
Ross Anderson gave a TechTalk last week. Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities. Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected? Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed. Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.
Searching For Evil

Microsoft Forges 'Pact' With Cyberwarriors Worldwide
Topic: Computer Security
6:19 am EDT, Aug 7, 2007
Multinational corporations have foreign policies, and the "home" country doesn't necessarily get special treatment: In an effort to curb distrust, in 2003 Microsoft signed a pact with China, Russia, the United Kingdom, NATO and other nations to let them see the Windows source code.
A few thoughts:
1) Possession of source code has limited defensive value unless you actually build your software from that source. Based on press reports the agreement does not facilitate local compilation.
2) Is it really feasible for a third party to audit the Vista source? The people involved seem to think so, or are at least making a show of it. I am dubious.
3) The utility of this 'pact' would seem to be substantially offensive.
Consider: Microsoft has reportedly signed a new government security program source code agreement with China Information Technology Security Certification Center, allowing CNITSEC and other approved institutions to look over the source code and relevant technical data of Microsoft's products, including Windows Vista, so as to improve their evaluation on the security of Microsoft products. The agreement is an important part of the MOU signed between National Development and Reform Commission and Microsoft in April 2006. Microsoft's Government Security Program helps government departments and international organizations evaluate the security of Microsoft products. CNITSEC previously signed an agreement with Microsoft on security source code in February 2003 and was authorized to check over the company's major source code and technical data.
From 2003: According to sources at the software company, China is the eighteenth nation to sign such an agreement to view Microsoft's proprietary source code.
Surely the number has grown since then. Craig Mundie's doublespeak: This program is an integral element of our efforts to help address the unique security requirements of governments.

flayer - Taint analysis and flow alteration tool
Topic: Computer Security
8:41 pm EDT, Aug 6, 2007
This is the Google project that was presented at WOOT. Flayer is a Valgrind tool which provides bit-precise dynamic taint analysis of input to a target application. In addition, it allows this flow to be altered irrespective of content through the modification of conditional jump (if clauses) and function call behavior. In addition, a small, Python wrapper library, LibFlayer, is included. It provides an easy interface for automation. This is a proof of concept implementation, but it is fully functional. Please check it out!