Microsoft is releasing an out-of-band critical patch today to fix a 0day that's being actively exploited in the wild. Yowza.
23 October, 2008
21 October, 2008
Sniffing your WIRED keystrokes (from the next room)
Saw this story, pretty cool stuff. Some Swiss researchers have developed a few different ways to sniff your electromagnetic keystrokes from up to 20 meters away. Vid.
17 October, 2008
NVIDIA 177.80 driver breaks OpenGL
At least it breaks OpenGL for me and for a bunch of other people, according to a Google search. The issue seems to be in the actual libGL.so library. It seems like this is a persistent issue with the 2.6.27 kernel as well, so I'm not sure why this is in Gentoo's portage. Maybe my system is just broken? If anyone reads this and has had success with the 177.80 driver, with gtk+ working and using NVIDIA's OpenGL implementation... please let me know. For now, I'm putting this driver on the backburner.
Ghetto Fabulous
For the truly paranoid and the utterly cheap: how to make a Faraday cage wallet.
16 October, 2008
Stopping SQL Injection and Building Secure WebApps
Here's a paper (PDF) from Oracle on writing "injection-proof PL/SQL."
Also, a guide on building secure web apps (from OWASP) that a friend showed me.
It's all about risk and consequences
I just read Paperghost's post on trying to contact someone at eBay about 5000+ of their users' logins posted online. His post highlights a few things that are 'broken.' One that he calls out is the problem a 'normal guy' would have trying to get this through to someone. There's nobody helpful you can talk to, no point of contact that can provide any kind of clarity... just black holes. But why does eBay make it so hard to contact someone who can actually help? The truth is they don't care. Let me explain.
From the 'About eBay' page:
eBay is The World's Online Marketplace®, enabling trade on a local, national and international basis. With a diverse and passionate community of individuals and small businesses, eBay offers an online platform where millions of items are traded each day.
Their business is one of the most widely recognized and successful online marketplaces ever. Wow! eBay rocks! And yes, eBay does rock, but they also don't care. A lot of people use eBay for free -- they sign in and bid on items. eBay gets a small percentage of each sale, as well as advertising revenue and additional features sellers can pay for (that's how I understand it, correct me if I'm wrong, pretty simplified). They work really hard to protect people's accounts, since compromised accounts ultimately hurt their bottom line (profit).
The reason they don't care is because they can't. If I have an online eBay business and my account credentials get stolen, whose fault is that? Probably not eBay's, nor is it their responsibility to really do anything at all in the event something does happen to my account. Their only real motivation is based on dings to their reputation as a business, and since eBay is _huge_, the loss of my account (or a few thousand accounts) won't make a whole lot of difference. Of course eBay wants to keep accounts safe to uphold their reputation, but ultimately, if accounts get compromised, it's not their fault and there's very little they can do to stop it from happening right now.
I, of course, blame the user for this (stop clicking on pop-ups please!). I read an article recently on how you're pretty screwed if your GMail or Yahoo! Mail account credentials get jacked (can't find the article, ah well). Google can only do so much if your account gets compromised, just like eBay, and ultimately, you're just a drop in the bucket. While the information in your GMail account or your flawless seller's reputation on eBay may be important to you, it's not very important to those companies. So, getting back to the original question, 'Why do these companies make it so hard to contact someone useful if shit hits the fan?', the answer is 'Well, there's not a whole lot we can do, so you're pretty much on your own.' It's not really that they don't care, it's that they can't care. And of course there's the volume of these types of requests -- I'm guessing far too many to keep up with. There's also the issue of alternatives -- eBay and GMail are so big and so successful, and this problem is shared among ALL businesses in these industries, so there's not a whole lot to lose.
The real problem is nothing new: authentication and identification. It's not even an online problem, just a problem in general. Ensuring authentication and identification is tough... REALLY tough. Much harder than I once thought. But the problem with authentication and identification (shortened to AuthI) is complicated by sites like eBay and GMail, where there is no real consequence to the companies if your account is compromised. That's why it's all about risk and consequences. The risk of compromise is high, the consequence of compromise (to the company) is low, so that equals 'no sale.' For banks, this issue is taken a little less lightly. Account compromise is actually a liability, since the bank is responsible for offering some kind of reimbursement or protection or credit monitoring, whatever, in the event your 'identity' (account) is stolen.
So what's the deal with AuthI? Two-factor auth is a good solution (here's a post that breaks it all down), but again, it all comes down to risk and consequence. For eBay, that's a big investment of capital to only (maybe) bring the risk down to medium. How do you fix something that's really hard, but a lot of people think is easy? Just because I have a Canadian passport doesn't mean I'm Canadian, but you can't expect a database of DNA samples for everyone to be feasible or very practical for most applications. How do you fix bad behavior? How do you stop illegal behavior?
Now I'm ranting and just got derailed so I'll end this post here.
01 October, 2008
Why ePassports are bad
From a convenience and 'coolness' perspective, ePassports are great. But when THC decides to break the security and create a fake one, that's a really bad thing. I'm sure there are ways of making a secure ePassport, and governments that support using them need to review their methods and revise them as needed.
