* Posts by Marcel

12 posts • joined 9 Apr 2012

Well done for flicking always-on crypto switch, Yahoo! Now here's what you SHOULD have done

Marcel

Re: Quite!

It's good for people to realize what is actually happening with their mail. Most don't and tech companies abuse this by giving us half solutions. Anyway, in my opinion, using TLS on all connections will at least make it much harder to do wholesale mass surveillance. It's pretty cheap to implement and pretty expensive to crack.

Anyway, meanwhile, people think of new alternatives such as Mailpile. Check it out.

https://www.mailpile.is/

3
0
Marcel

SMTP connections are (often) still unencrypted

Lately I have been trying to figure out whether the connection between Yahoo's mail servers and the recipient's mail server is encrypted. It seems that in most cases it is not using TLS, thus unencrypted, a.k.a. plain text. I'm not quite sure what causes it to sometimes use TLS and sometimes not. It might be that no common cipher can be negotiated. Or that Yahoo has many servers which are not all configured in the same way.

You can test yourself by sending email to/from your Yahoo mail with another email account and then check the mail headers. How to view those depends on your mail client. In Yahoo mail you can do it by clicking on "More" below the email and then choose "View Full Header". In Outlook view the Message Options box. In Thunderbird press ctrl-U. Google for others.

You will see several "Received:" headers which will show the path of the nodes your email passed by (in reverse order). Now look for the topmost (usually) "Received:" header where the mail is handed over from the Yahoo mail server to your ISP's mail server (or vice versa). There will be something like "with ESMTPS" or "with SMTP". The second S stands for secure. So ESMTP is good, SMTP is bad.

2
0
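The header check described in the post above can be scripted. This is an added example, not part of the original post: it reads the "Received:" headers of a saved message and reports which hops recorded TLS through the `with` keyword (ESMTPS and its relatives from RFC 3848). The sample message, hostnames and addresses are constructed placeholders.

```python
import re
from email import message_from_string

# "with" keywords that record TLS (RFC 3848 plus the UTF8 variants of RFC 6531).
# A keyword without the S, such as ESMTP or SMTP, means no TLS was recorded.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def clause(keyword, text):
    """Return the token following 'from', 'by' or 'with', or None."""
    m = re.search(r"\b%s\s+(\S+)" % keyword, text, re.IGNORECASE)
    return m.group(1).rstrip(";") if m else None

def received_hops(raw_message):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        # Comments go first: "(using TLSv1.2 with cipher ...)" contains "with".
        text = strip_comments(value)
        proto = clause("with", text)
        hops.append({"from": clause("from", text), "by": clause("by", text),
                     "with": proto,
                     "tls": proto is not None and proto.upper() in TLS_KEYWORDS})
    return hops

# Constructed sample message (all names and addresses are placeholders).
SAMPLE = """\
Received: from mta1.sender.example (mta1.sender.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example with ESMTPS id 4A1B2C
\tfor <bob@recipient.example>; Tue, 15 Oct 2013 10:00:03 +0000
Received: from web1.sender.example (web1.sender.example [192.0.2.20])
\tby mta1.sender.example with SMTP; Tue, 15 Oct 2013 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example

body
"""

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], hop["with"],
              "TLS" if hop["tls"] else "no TLS recorded")
```

Each "Received:" header is written by the server that accepted the message, so only the hops added by your own provider can be relied on; lines further down may have been supplied by the sender.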

NSA gets burned by a sysadmin, decides to burn 90% of its sysadmins

Marcel
WTF?

Better solution

First he wanted to double the number of sys admins to make it more secure. Now he wants to get rid of 90% of them. I guess someone whispered in his ear that it would be cheaper.

Well, I have an even better solution: why don't you decrease your world-wide data vacuuming by 90% (and actually do what your agency is supposed to do). This has several advantages:

- cuts costs

- you don't break the law

- 90% less chance of leaks

- you don't piss everyone on Earth off so much

44
1

Space boffins, oil giants, nuke plants 'raided' by MYSTERY code nasty

Marcel
FAIL

Install updates

It's beyond me why companies involved in top secret research and military don't update software that is used throughout all of their offices and has vulnerabilities that are rated "critical" or "severe" and contain words like "remote code execution".

So yeah, let's continue building multi-billion dollar/euro cyber armies and buy multi billion dollar/euro cyber security products, while all we need to do is:

- right click blinking icon in bottom right corner

- press Update Now

- press Next

- press Finish.

2
1

Phone, internet corps SNUB US government's cybersecurity ABCs

Marcel
Coat

Common sense

These 20 controls are common sense and obvious and should be required for ANY company or government to implement that is in any way connected to the internet. It worries me these telcos can't or won't implement it. Most likely it was just the legal department talking, to prevent litigation by customers for not implementing it. Anyway, they suck.

2
1

New class of industrial-scale super-phishing emails threatens biz

Marcel
Thumb Down

Re: super-phishing emails threatens biz

All the scary security news of the last few years comes from marketing departments of security firms. Firms like Symantec and McAfee pump out these things on a daily basis. I think news sites should start to filter this kind of "news".

1
0
Marcel
Linux

Spearfishing?

Doesn't spearfishing imply it's a very targeted attack with personalised emails? Sending so many messages to so many companies sounds more like regular phishing.

Since we will never solve the problem of users being misled and tricked to click a link, when will there be software that doesn't cause your computer to be p0wned only by clicking on a link?

5
0

APT1, that scary cyber-Cold War gang: Not even China's best

Marcel
Stop

More critical reading is needed

The evidence linking hackers to a government or to a certain group is very thin or non-existent. What seems to be happening is that all of the thousands of hacks that happen every day are grouped into categories, then labeled as being from a common source.

All this is being done by governments with political agendas, soon-to-be-unemployed army generals looking for the next war and security vendors with gear/services to sell.

I take all this with a grain of salt. Meanwhile, all these companies moaning about being attacked are wise to teach their employees not to get caught in phishing attempts, install the latest patches on *all* of their equipment and start using encryption a little bit more (anyone using S/MIME or PGP?).

3
2

Chinese PLA soldiers 'mastermind cyber-espionage Cold War'

Marcel
FAIL

Not hard evidence

I have read the report and I don't see much hard evidence. There are a lot of facts in the report, but how they are linked together or where the facts come from stays a mystery. Not much substance and some dubious assumptions, in my humble opinion.

For example, how do they link the attacks to PLA's Unit 61398?

- They found that all attacks come from 4 /16 IPv4 net blocks (a total of 262k addresses), all owned by China Unicom. China Unicom is the 3rd largest telco in the world, with 273 million (!) customers in 2008.

- Then they link the netblocks to a city, Shanghai (the largest city in China, population of 23 million).

- Next they conclude that because the office of the Unicom engineer listed as contact person for the netblock is in the Pudong area

- The PLA Unit 61398 is also in the Pudong area

- Hence the IP addresses must belong to the PLA and are the source of the attack

Let me translate this into English:

- Suspect IP address belongs to a netblock owned by BT and is used in greater London area

- The BT engineer's office is in the centre of London according to whois

- MI6 is in the centre of London

- Hence the attack came from MI6.

4
0

Amazon, eBay, banks snub anti-fraud DNS tech, sniff securo bods

Marcel
Go

I had the same question

I have often wondered why there aren't any big sites using DNSSEC. Sure, it's a little complicated for the average Joe. But it must be a piece of cake for big banks and e-tailers that already have large IT departments and millions worth of infrastructure. They have the resources to have a guy or 2 or 3 devote themselves to DNSSEC and just implement it.

0
0

RIPE NCC handing out last European IPv4 addresses

Marcel
Black Helicopters

Why don't we just take Iran's IPv4 addresses?

An American lobby group, United Against Nuclear Iran (UANI), is seriously pressuring RIPE (and ICANN) into cutting Iran off the internet. That's also a way to get some more IPv4 addresses...

https://www.ripe.net/internet-coordination/news/ripe-ncc-receives-communication-from-united-against-nuclear-iran-uani

P.S. Cutting a whole country off internet because their government supposedly does naughty things, is a very bad idea in my humble opinion.

0
0

WTF is... UltraViolet

Marcel
FAIL

The End Of Owning

This UV is the mother of all DRM. It's meant to be the end of piracy once and for all. You will have no more freedom. Want to watch a movie? Want to listen to music? Want to watch a tv show? Come to the content companies who thought of this and be their slave. You will never own any content again. You will rent rent rent, even though they make it sound otherwise. This is bad and must be stopped.

3
1