23 posts • joined Friday 31st July 2009 16:26 GMT
Re: Its the people, not the computer
Some people are unscrupulous, and some people are gullible, and no amount of technology is going to change that.
It's not necessary to understand how to build a car in order to drive one, and I don't suppose anyone thinks mechanical engineering should be part of the driving test, so what happens? You take your car in for service and the garage tries it on by saying "your brake disks are under tolerance, you need new ones to be safe" which, if you have any sense, you politely decline. This happened to me a few years ago and I took the same car back to the same garage a year later and, for laughs, said "can you be sure to check out the brakes please?" and they came back and said "your brakes are fine, but we need to do [this other expensive work]". This was not a backstreet operation, it was a main dealer for a prestige brand, incidentally.
Perhaps what we need to do is stop wringing our hands about bad people using the Internet and just deal with it. You don't trust everyone you meet face-to-face, so don't trust people you "meet" on the Internet.
It's NOT a login [Re: There is a very clear risk]
The "auth" stands for "authorisation", not for "authentication". The authorised service never had your password in the first place, so it is entirely irrelevant whether your password is changed or not. What you want to do is revoke the authorizations, not change your authentication credentials.
I Don't Think You've Quite Understood This...
Let's see, the point of OAuth is that you can authorise services to access your Twitter account without needing your password. Logically, I don't see any reason that this should change just because you change your password; you might change your password every month for security reasons (yeah, right!) but that shouldn't mean you've stopped trusting the services you said you trusted before.
There's some wrong-headed thinking here, that "change my password" should be the same thing as "reset all the security decisions I've ever made". If you think your account may have been breached, there are several other things you should do (like checking what spam has been posted in your name) as well as changing your password and revoking any inappropriate authorizations.
Re: There's always google of course.
Fair play, "BEGIN RSA PRIVATE KEY" site:github.com returns 29,100 results, and "Proc-Type: 4,ENCRYPTED" site:github.com returns 5,200 results, so it does look like the majority of them are in plain, which is pretty dumb.
More detail is needed
Before I believe this is a major security cock-up, I want to know how many of those private key files were actually password protected. While it's still inadvisable to post your private keys publicly, even if they're encrypted, there's a world of difference between that and posting just the plain key. All the formats found by the sample searches quoted can, and should be, password protected.
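A defender-side check for the distinction these two posts draw (plaintext versus password-protected keys), added here as an example and not code from the posts: it finds PEM blocks the way the quoted searches would, and also classifies PKCS#8 and OpenSSH-format keys, whose encryption status is not visible in a "Proc-Type" header. The regex, labels and sample repository text are constructed for this example.

```python
import base64
import re
import struct

# One PEM block: label, optional "Key: value" headers, base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----\r?\n(?P<body>.*?)"
                       r"-----END (?P=label)-----", re.DOTALL)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",   # PKCS#1 / SEC1
                  "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}  # PKCS#8, openssh-key-v1

def openssh_cipher(b64_body: str) -> str:
    """Cipher name stored in an openssh-key-v1 blob; 'none' means no passphrase."""
    raw = base64.b64decode("".join(b64_body.split()))
    if not raw.startswith(b"openssh-key-v1\x00"):
        return "unknown"
    (n,) = struct.unpack(">I", raw[15:19])   # length-prefixed ciphername follows the 15-byte magic
    return raw[19:19 + n].decode("ascii", "replace")

def classify(label: str, body: str) -> str:
    """'plaintext' or 'encrypted' for one private-key PEM block."""
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 with password-based encryption
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":            # cipher name lives inside the binary blob
        return "plaintext" if openssh_cipher(body) == "none" else "encrypted"
    # PKCS#1 / SEC1 keys carry a Proc-Type header only when they are encrypted.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "plaintext"

def scan(text: str) -> list[tuple[str, str]]:
    """(label, status) for each private-key block; certificates and public keys are skipped."""
    return [(m.group("label"), classify(m.group("label"), m.group("body")))
            for m in PEM_BLOCK.finditer(text) if m.group("label") in PRIVATE_LABELS]

# Constructed sample, not real key material: bodies are throwaway placeholders.
OPENSSH_PLAIN = base64.b64encode(b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none").decode()
SAMPLE = f"""-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

UExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
{OPENSSH_PLAIN}
-----END OPENSSH PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""
```

Run `scan()` over files in a pre-commit hook and fail the commit on any "plaintext" result; the certificate block is ignored because only private-key labels are checked.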
> looked at the identity of an application
How's it do that then?
In case anyone doubts that they shamelessly used a fatal disaster to plug their anti-virus product, I was amazed to find the video still online here: http://www.smobilesystems.com/fox-news-interview-with-rick-roscitt/
I suppose this is the part of Juniper that used to be SMobile. Frankly I don't believe a word they say. Why does the headline bear no relationship to the content of the article? Did they find ANY apps that SECRETLY make calls and use the camera? I think not. I still remember the time when an SMobile executive went on local TV in the US after a bridge collapse saying, yes, wasn't it terrible that people died, but think how much worse it would have been if the emergency services had malware on their smartphones. WTF?
> They're probably about to ****ing buy some washing powder anyway.
Yes, but the supermarket knows which brand you normally buy, and now has the opportunity to influence you to buy a different brand that's more profitable for them. *That's* why they would do it on a mobile (tied to a specific person and their buying habits) and not on a TV screen; also if you normally buy the profitable brand anyway then they can save money by not offering you the discount.
You're just not thinking evil enough.
What About the Security?
Rendering the HTML on a server means breaking the end-to-end security model of SSL/TLS browsing. Opera Mini is great and I use it a lot for reading public web sites, but I'd never do any payment transactions with it. Even if you trust Opera/Nokia/whoever-else, what happens when they get hacked?
Where are they going to get the cribs?
To use a Turing Bombe to crack an Enigma message, you require a "crib" (some known plaintext of the message). Are they going to add a fixed preamble to every message to provide that crib, then? (e.g. "Cheltenham Science Fair: ...") I think it's only fair to disclose that, as otherwise the educational point is missed, i.e. that the Bombes weren't magic and weren't even computers, they just tested all the possible rotor orders and positions.
This is not news
Symbian was working on this 5 or 6 years ago. The cost of the SoC is the only problem.
re "any app updates can't ask for more permissions in the future"
Assuming we're talking about Android, then yes, they can. The difference is that if you don't ask for more permissions then the update can happen invisibly in the background, but if you do then the user has to explicitly permit the update. Seems like a reasonable model.
"go back to symbian" Re: Winds me up this corporate bullshit...
To be fair, Symbian OS doesn't allow you to selectively grant permissions either. I think there are other reasons for preferring Symbian over Android, but I'm afraid the permissions model isn't one of them (Symbian's implementation is arguably better but the design is essentially the same, app gets all permissions at install time or it doesn't get installed).
Encrypted, so what?
It doesn't matter that it was encrypted, it doesn't even matter much how it was encrypted, what really matters is, where were the encryption keys and how were *they* protected?
> As a soon to be Android owner, what am I missing here?
The original malware (downloaded from the legitimate Android Market) rooted the device, and was able to install other software from places other than the Android Market. Google can remove the original malware, but not any of the other software it may or may not have installed in the meantime.
Pioneer, yes, but Inventor?
I have nothing against Whit, who is a friend-of-a-friend and by all accounts a very affable gentleman and deserving of his place in the history of computer security, but he doesn't have exclusive claim to inventing public key cryptography. James Ellis et al. in the UK reportedly got there first (although it was classified at the time) and Diffie and Hellman's work was apparently based on Ralph Merkle's.