Posts by Mike Cardwell
100 posts • joined Saturday 16th June 2007 10:50 GMT
OTR
"it is also possible to download private chat logs for the compromised account" - This is why people should use OTR. If your IM provider doesn't have your chat logs, they can't leak them.
You're missing the point
Shared hosting? Privilege escalation? Even if there were no MySQL installations in existence with an Internet facing network interface, this would still be a massive problem.
Macbook vs Thinkpad
I had two IBM Thinkpads, then a Macbook, and now a Lenovo Thinkpad (T420). I haven't noticed any difference in quality between the Thinkpads. They've all been great pieces of reliable kit. The Macbook on the other hand had numerous hardware failures in the 3 years I had it. The power supply died, the battery died, the hard drive died, and the plastic casing started flaking off.
Solutions
HTTPS and SPDY both solve this problem. Personally, all of the Internet traffic leaving my mobile phone goes over a VPN to my server, so I get a clean connection.
Privacy?
Boxee's pretty good. As long as you don't mind sending them data about everything you watch and when you watch it - https://grepular.com/Boxee_TV_Helps_Its_Self_To_Your_Viewing_Habits
No conspiracy theory here
As the author of the post, I'd just like to say something. All I described was what I saw, and how I got around it. I compared its "technical" behaviour to that of China's firewall, because both use spoofed RST packets to disrupt connections. I didn't provide any commentary on my opinions of why they were doing the blocking, or whether or not they should. I don't consider it a "news piece", rather a simple technical description of a problem and a solution, for people to learn from. A lot of people have twisted what I wrote to make it sound like I'm describing some sort of conspiracy. If that's what you think, read my article again. To be fair, TheRegister has probably twisted it the least amount. Compare it to the boingboing.net interpretation for a laugh.
SSL vs TLS
SSL v1.0 was never released to the public, SSL v1.1 and v1.2 never existed. I think you mean TLS. There's a really good summary of the history of SSL and TLS on Wikipedia:
https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security#History_and_development
TLS 1.0, otherwise known as SSL 3.1, came after SSL 3.0.
Irrelevant
Most sites don't check to make sure that the request was a POST rather than a GET. This is unimportant anyway, because creating cross-site POSTs is almost as easy as creating cross-site GETs:
<form method="post" action="https://target.site.example.com/changepassword.cgi">
<input type="hidden" name="newpassword" value="foo">
<input type="submit" id="submit" value="submit">
</form>
<script type="text/javascript">document.getElementById('submit').click();</script>
There are defenses against this attack, but 99% of sites don't use them. And before you go off on one about sites requiring you to enter your old password as well, stop attacking the particular example, and think about the "class" of attacks that are available.
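The defence the post alludes to but does not show is a per-session anti-CSRF token combined with an origin check. The following is an added illustration in Python, not code from the commenter or from any site; the function names, the session dict and the `SITE_ORIGIN` value are assumptions, and it checks method-independent state changes exactly because, as the post says, rejecting GET while accepting POST stops nothing.

```python
# Added example (not from the original comment thread): a minimal server-side
# CSRF defence. A cross-site page can auto-submit a POST, but it cannot read
# the victim's session token, and the browser sets Origin/Referer itself.
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://target.site.example.com"  # hostname from the post; assumed as our own origin


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) a random per-session token to embed as a hidden form field."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def same_origin(origin_header: Optional[str], referer_header: Optional[str]) -> bool:
    """Secondary check: the browser-supplied Origin (or, failing that, Referer)
    must name our own origin. A missing header is treated as cross-site."""
    header = origin_header or referer_header
    if not header:
        return False
    parts = urlsplit(header)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def validate_state_change(session: Dict[str, str], form_fields: Dict[str, str],
                          headers: Dict[str, str]) -> bool:
    """Accept a state-changing request only if it carries the session's token
    AND arrives from our own origin. The HTTP method is deliberately ignored."""
    expected = session.get("csrf_token")
    supplied = form_fields.get("csrf_token")
    if not expected or not supplied:
        return False
    # constant-time comparison so the check itself leaks nothing about the token
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return same_origin(headers.get("Origin"), headers.get("Referer"))


if __name__ == "__main__":
    # constructed walk-through: a legitimate submission, then the forged one from the post
    sess: Dict[str, str] = {}
    tok = issue_csrf_token(sess)
    print(validate_state_change(sess, {"csrf_token": tok, "newpassword": "foo"},
                                {"Origin": SITE_ORIGIN}))          # True
    print(validate_state_change(sess, {"newpassword": "foo"},
                                {"Origin": "https://attacker.example"}))  # False
```

The token is what the forged form in the post cannot supply; the origin check is a cheap second layer for browsers that send Origin on form posts. Both checks must run on every state-changing handler, not only on password changes, which is the point the post makes about thinking in classes of attack.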
"That's a choice."
"That's a choice."
I know that you *can* enable certificate verification. I've done it myself in Exim. That only happens in very limited and minor cases though. Where the two communicating systems know each other and the administrators of both systems have a reason to want to enforce it.
I'd bet at least 99.9999% of SMTP traffic is either not encrypted, or encrypted without certificate verification.
No
In this attack, the cookies aren't being read using JavaScript. HttpOnly doesn't help.
"How does your browser know that a request from another tab to the same site should be blocked?"
It doesn't need to block anything. The "secure tab" gets its own cookie store. When you log into a site inside that secure tab, the secure tab's cookie store contains your session cookie. Any other tab that tries to launch an attack against the site will be launching it against a site which it isn't logged into.
This would also allow people with multiple accounts at the same site to log in multiple times from different secure tabs.
I'm not convinced that the attack will *require* javascript to work. Will have to wait and see when it's demonstrated on Friday. If all it requires is lots of slightly different cross site requests, it can probably be initiated by injecting lots of hidden img tags or similar into the launch page, rather than injecting javascript.
He will only be susceptible to this attack if he visits other sites at the same time as being logged into the bank website. You shouldn't be doing this anyway because of the prevalence of XSS and CSRF vulnerabilities. This attack just gives you another reason.
SMTP can already be trivially MITMd
SMTP can already be trivially MITM'd because SMTP servers don't do any sort of certificate verification. Basically the majority of SMTP is unencrypted, and even that which is protected by TLS is "protected" by self signed certificates that aren't even checked/verified.
SMTP TLS is good for defending against passive observers opportunistically, but if somebody can intercept the connection, on either the sending *or* receiving side, you're screwed.
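The two SMTP TLS modes contrasted in this comment and in the earlier "That's a choice." reply (verification enforced only between peers whose admins have agreed on it, opportunistic encryption everywhere else) can be expressed as client-side TLS contexts. This is an added Python illustration, not the commenter's Exim configuration; the function names and the `verified_peers` set are assumptions, and no network connection is made.

```python
# Added example, not from the original comments: opportunistic STARTTLS
# (encrypt the hop, accept any certificate) versus verified TLS (certificate
# must chain to a trusted CA and match the peer hostname).
import ssl
from typing import Optional, Set


def opportunistic_smtp_context() -> ssl.SSLContext:
    """Defeats passive sniffing only: a self-signed or forged certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_smtp_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Rejects an interposed party: chain validation plus hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets CERT_REQUIRED and check_hostname=True
    return ctx


def context_for_peer(peer_host: str, verified_peers: Set[str]) -> ssl.SSLContext:
    """Mirror the practice described in the thread: enforce verification only for
    peers both sides have agreed on, and fall back to opportunistic TLS elsewhere."""
    if peer_host in verified_peers:
        return verified_smtp_context()
    return opportunistic_smtp_context()


def describe(ctx: ssl.SSLContext) -> str:
    """Human-readable summary of what a context actually protects against."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "opportunistic: protects against passive observers only"
    return "verified: also protects against active interception of the hop"


if __name__ == "__main__":
    # constructed peer list; in practice it would come from the MTA's configuration
    agreed = {"mail.partner.example"}
    for host in ("mail.partner.example", "mx.random.example"):
        print(host, "->", describe(context_for_peer(host, agreed)))
```

Either context is handed to the standard library as `smtplib.SMTP(host).starttls(context=ctx)`. The opportunistic variant is what the post describes as the common case: it raises the cost of passive collection but gives no protection against someone who can sit on the path on either side.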
You misunderstood the attack
The javascript is being slipped into a http response from a site other than the target https site.
The trouble is, people visit https and http sites at the same time. If the target is logged into a https page, and then visits a http page on a different site, you can inject stuff into that http page that will initiate requests against the target site.
Eg, you could stick this bit of code in the http page if the target site is vulnerable to CSRF:
<img src="https://target.site.example.com/changepassword.cgi?newpassword=foo">
And if the target site doesn't use Strict-Transport-Security, and hasn't set the Secure flag on their cookie, you can cause the browser to initiate a non-ssl http request against the target to leak their cookie by simply slipping this into some unrelated http request to a different site:
<img src="http://target.site.example.com/">
You'll notice how both of those attacks work against browsers that have javascript disabled. This is why I use the Firefox addon RequestPolicy alongside NoScript.
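The second trick in this comment depends on two server-side omissions: a session cookie without the Secure flag, and no Strict-Transport-Security header. The following is an added Python check, not code from the commenter or from any site, that audits a response's headers for those two omissions; the function names and the sample header lists are constructed for the example.

```python
# Added example, not part of the original comment: audits Set-Cookie and
# Strict-Transport-Security headers for the two weaknesses that let a plain
# http://target/ image request carry the session cookie in the clear.
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, "attrs": attrs}


def hsts_max_age(headers: Headers) -> int:
    """Return the HSTS max-age in seconds, or 0 if the header is absent or unparseable."""
    for key, value in headers:
        if key.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return 0


def audit_response(headers: Headers) -> List[str]:
    """List the findings; an empty list means the plaintext cookie-leak path is closed."""
    findings: List[str] = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie["attrs"]:
            findings.append(f"cookie {cookie['name']!r} lacks Secure: sent on plain http requests")
    if hsts_max_age(headers) == 0:
        findings.append("no Strict-Transport-Security: browser will follow http:// links to this host")
    return findings


# constructed sample responses: the weak setting beside the corrected one
WEAK_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs) or ["ok"])
```

With the Secure flag set, the browser omits the cookie from the `http://target.site.example.com/` request; with HSTS in place, a browser that has already seen the header rewrites that request to https before it leaves, so neither half of the trick yields anything.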
This is incorrect
My understanding of the attack is that the attacker MITM's a random non secure http response body, and injects javascript into it, which initiates cross site requests from the target browser to the target https page. The attacker then watches the https traffic and can learn interesting information from it.
The fact that your bank has javascript in their pages doesn't help or hinder the attack.
As I use the Firefox addon RequestPolicy, I should be immune from this attack. The attacker won't be able to initiate the cross site requests unless I tell RequestPolicy to allow them.
Encrypted SMS
I prefer TextSecure by http://whispersys.com/. Allows you to send/receive encrypted SMS, and also uses public key cryptography to encrypt SMS on your device.
PGP Email
Also, to use PGP on Android install APG (Android Privacy Guard). Then to use PGP with email install K-9. It's much better than the standard email client anyway, but it also plugs in to APG.
SO?
The sort of kooks who write articles like this give a bad name to people who have legitimate concerns about data being stored which shouldn't be stored.
Of course the emergency services keep a record of who calls them! What the hell is wrong with that? I'm surprised they've kept the data for as long as 12 years, but still, it's not that big a deal...
TextSecure
People with Android phones. Use TextSecure from Whisper Systems. It's a drop in replacement for the standard SMS app, and works almost exactly the same. It uses public key encryption so your SMS are automatically encrypted, and to view them you have to enter the password for your private key. It also uses public key encryption to encrypt messages over the air between two TextSecure users.
Of course, the police can always go to the network providers who will have a log of all SMS transmitted, but messages encrypted over the air are safe from content inspection.
And of course, if you're in the UK, the police can simply throw you in jail for not handing over the password :( US users are safe from that shit though.
Registered porn viewers?
I wonder how long it would take before an unencrypted copy of one of these registered porn viewer lists gets left on a usb stick on a bus.
Erm.
"As servers with hundreds of gigabytes of memory have become the norm"
When did that happen?
Not for G1's
Runs dog slow on my G1. Keeps crashing, and doesn't seem to ever finish loading any pages. Didn't have problems like this with Opera Mini. Opera Mini was only very slow, not dog slow, and didn't render lots of pages correctly.
Excellent
Great. Opera Mini is crap, but I don't want to use the bundled browser because I'm one of the two thirds of Android users who are still on <=2.1, ie running a trivially exploitable default browser. Hopefully this version is better than Mini at rendering websites.
Opera Mini
I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.
New owners?
Daniel doesn't sound very keen about keeping this service running anymore. I wonder if somebody else would be willing to take it over. A trusted authority like the EFF maybe?
Interestingly, DDG no longer seems to require JavaScript. I might try them out now:
https://duckduckgo.com/
Their privacy policy is superb: https://duckduckgo.com/privacy.html - They don't log IP addresses or User Agents, they have a Tor onion address, and they even go out of their way to prevent search terms leaking to the destination site via referers...
Unclear? Really?
"it's unclear whether the comment was meant as a joke."
I can see how that would be unclear to a buffoon, yes. To a thinking person, it's pretty clear it was a joke, so suggesting otherwise is disingenuous.
I'm not commenting on the tastefulness of the joke.
DDG
DuckDuckGo addressed a similar problem with information leakage through HTTP headers a few months back:
https://secure.grepular.com/DuckDuckGo_Searches_Are_Not_Anonymous
Solutions
"Or rather, no sign-up is needed. After all, every time you use a search engine (ANY search engine AFAIK), you give away data for free that ad agencies will use to slam targeted ads in your face."
https://ssl.scroogle.org/
https://duckduckgo.com/
"If you're on the Internet, they probably know all about you already"
https://www.torproject.org/
Firefox + AdBlock + Beef Taco + Flash Block + HTTPS Everywhere + NoScript
Solved problem
No Script + Flash Block + Better Privacy + Cookie Monster + AdBlock + Ghostery + Beef TACO
Hmmm...
Whilst I agree with his sentiment, provoking 4chan is not a good idea.
Worrying
Bugs are to be expected, but there's no reason to have things like XSS flaws and bad user input validation, even in "pre-alpha" software. That just suggests bad coding practice and generally sloppy programming.
SMS?
A lot of people have smartphones these days that barely last 24 hours before needing to be recharged. I would definitely buy one of these phones to take camping, on holiday and on weekends away alongside my smartphone.
However, it doesn't mention SMS, and by the sounds of it, it doesn't support SMS. That rules it out for me. Like most people, I spend more time talking via SMS than via voice...
Missing information
"62 people, including 28 UK nationals or dual citizenship holders, have been extradited from the UK to the US"
Is this more or less or the same as it was before the changes in 2004?
T-Mobile UK PAYG
"Android users on contract tariffs with bundled data, but will raise issues if you are on PAYG or roaming abroad. "
T-Mobile UK PAYG does a really good data deal. I pay 20 quid for a 6 month booster which gives me 1GB of allowance each month. That equates to £3.33/month. You don't get charged if you exceed that limit, but they will warn you about it. You're not going to hit 1GB a month unless you're downloading videos every day or doing a lot of tethering. Perfect for navigation+web browsing+email though.
I'm not associated with T-Mobile other than as a customer.
American accents only
You forgot to mention that it's American English accents only at the moment. It doesn't cope with British accents yet.
"Unite's press release doesn't note how many hours the guides put in"
A pretty vital piece of missing information. You're journalists, aren't you? Do some journalism and find out...
Re: T-Mobile
Is that enforced? Ie, do they block ports/ips to prevent you from doing it?
VOIP != Streaming Music
"I already drive around streaming spotify without issues...until I go out to the countryside that is."
Streaming music over 3G bears no resemblance to VOIP over 3G. If you're streaming music, latency isn't an issue because it can buffer the content. You can't buffer VOIP though; even a small amount of latency would cause gaps in the conversation. You need a constant, stable, low latency connection in order to have a reasonable quality conversation and 3G simply doesn't provide that in practice.
VOIP over 3G works, but it sucks badly. I don't know why anyone would choose to use it. In fact, I doubt anybody does. Does anyone here do it? Has anyone here tried it and then given up because of how shit it is?
Re: Free?
> Is this "free" as in "uses data allowance" for those not on an unlimited contract?
I would assume so. I'm on T-Mobile UK PAYG and with their £20/six months Internet booster I get "unlimited" (1GB) of bandwidth each month for £3.33, which is practically free.
line-height?
My God. It still doesn't support line-height. What sort of a modern browser doesn't support line-height. It was in CSS version 1 ffs. Think I'll stick with the standard browser for now. At least it renders websites properly.
HTML5 - Local Storage
Is this really just for cookies? If so, it's a little short-sighted. Local storage in HTML5 anybody? Most adverts require JavaScript in order to work anyway, so there's nothing stopping the advertisers' JavaScript from storing data locally in the web browser, and then fetching it later when another advert is loaded from JavaScript on the advertisers' domain. All without using cookies.
Two?
If he is guilty of those crimes, then the two year maximum sentence is insane. I'd have thought at least ten years... Two years inside is an annoyance, ten years is punishment. The guy is clearly a deranged asshole.
XMarks?
Why would you use this, when XMarks exists? http://www.xmarks.com/ - Synchronises your bookmarks between Firefox, Safari, Chrome and IE. Also supports password and tab syncing.
Bollocks
"Now, at least, the handset has a front-facing camera - present on most smartphones for video calls"
Present on "most smartphones"? That's a load of bull crap. *some* smartphones have front facing cameras, the vast vast majority don't. No Android phones have a front face camera for example...
JS not required
The flaw can be, and is, exploited without any javascript. It can be done entirely with css.
Hmm...
"British honeybees have survived the coldest winter in 31 years with losses of one in six hives - higher than the natural rate but a marked improvement over previous years."
Natural selection?
lol
The stupidity of the man hurts. It hurts so bad.
*sigh*
Inept.
That is all.
