* Posts by mike acker

51 posts • joined 1 Jul 2012

Torvalds rails at Linux developer: 'I'm f*cking tired of your code'

mike acker

Re: Odd timing

you forgot John McAfee

1
0

Security guru Bruce Schneier to leave employer BT

mike acker

favorite terms

one of my favorite terms is "sophisticated attack". it seems to be a favorite of the media.

and when you get info on the issue they always seem to be the same old crap. after a while one would begin to think this stuff is just so much propaganda: some elements of the industry want us to think security is not possible. that would indeed be propaganda. has anything Bruce has written dispelled this concept?

articles around the net late last week and this morning report that google yanked the app control feature out of their android. yeah, go figure.

1
0

Europe, SAVE US! Patriot Act author begs for help to curb NSA spying

mike acker

commercial at the start

they call it 'market research'. market research is gathering information about customers so that marketing campaigns can be conducted. these are more successful when they are directed to a selected or 'target' audience.

any type of communication that you participate in can be used to facilitate this 'market research' -- Web, e/mail, social nets, phone systems, ...

an article offered by Bruce Schneier recently suggests that the NSA isn't the real villain but rather has simply started to participate in the process.

1
0

Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike

mike acker

no need to build - learn to use pgp

there is no need for anyone to build anything. for secure mail what you want is already available,-- for free.

start by switching to Linux,-- I recommend MINT

read and follow instructions regarding maintenance: stick to the official software store.

switch your e/mail to a commercial supplier -- not one of the free ones like Hotmail, Google, or Yahoo. I use Charter, and CoreComm services.

next switch your e/mail onto the THUNDERBIRD client -- that comes with Linux/MINT (also Ubuntu if you prefer). spend a little time learning to use Thunderbird. it uses IMAP servers -- so you can share mail on your iPhone (that isn't encrypted).

activate the ENIGMAIL plugin on Thunderbird. this uses the GnuPG version of PGP.

use the OpenPGP dialog on Thunderbird to generate your PGP keypair. set 1 year expiration date; load your public key to the keyserver. be sure to generate and save the key revoke certificate (JIC).

locate, download, and read Phil Zimmermann's essay on PGP, paying particular attention to the section on protecting public keys from tampering. learn what the Trust Model is -- and how to control it.

find a pardner to begin exchanging PGP mail with

remember there are 3 main advantages to PGP (ENIGMAIL) mail

+authentication

+integrity

+security

authentication allows you to ascertain with reasonable certainty that an e/mail is from the party which claims to have sent it. without this i can send you an e/mail and mark it from anyone i want -- your boss -- or Nixon or Khrushchev

integrity allows you to be reasonably sure that you have a correct copy of a message; that the message has not been modified in-transit by someone using (e.g.) a "Man in the Middle" attack. This is CRITICAL for software distributions and financial transactions.

security allows you to encrypt messages so that you can be reasonably sure only the intended recipient can read them. this is a lot better than putting a disclaimer in your signature block saying something to the effect "if you weren't supposed to get this please cover for me, thanks"

NSA can still apply a traffic analysis on you: ascertain who you are talking to and this won't ever go away on public networks -- switched circuit -- or packet switched. but to get the messages now they have to hit YOU with a subpoena. hitting your ISP won't help: Your ISP couldn't read your traffic in any reasonable timeframe or at any reasonable cost -- no matter how much they wanted to.

remember though you are subject to the AUP you signed with your ISP. the government could tell ISPs that PGP mail traffic must not be allowed. in which case we'll come up with a new Plan.

3
0

Have you reinstalled Windows yet? No, I just want to PRINT THIS DAMN PAGE

mike acker

ok

in the first place a computer is not a printing system

disconnect the printer and take it to the recycling center. now that you have that done you can also junk the fax machine. use computer output fax for those who are still mired in paper-based systems.

now: (1) install dual monitors so you don't need to print documents that you need to reference while working;

(2) get a nice tab so you can review dox while away from your desk.

i've known more than one person who felt they had to print out an e/mail in order to read it.

0
2

'Microsoft Word is a tyrant of the imagination'

mike acker

right on

Word is a "pita"

fortunately msft strong-armed the ISO into adopting their ooxml standards for the new iso open document standards.

i note that LibreOffice v.4 is now better at compatibility with the hated ms/word. hopefully others e.g. Google Docs will join in breaking this nasty ms/word monopoly like a punkin after Halloween

0
0

MS Word deserves DEATH says Brit SciFi author Charles Stross

mike acker

downfall of ss redmond

actually the whole mess known as msft, aka ss redmond -- needs to go under. i think it's well on its way: from a security standpoint -- which is a requirement for online computing -- ms windows os is simply un-acceptable.

3
2

Snowden's email provider gave crypto keys to FBI – on paper printouts

mike acker

alternate decryption key (ADK)

ladar's error is in having an alternate decryption key.

of course you would have to wonder: if he was using x.509 certificates and SSL -- rather than real PGP -- what was he thinking

evidently that was the problem: he wasn't thinking .

0
0

IETF floats plan to PRISM-proof the Internet

mike acker

Two step process

becoming snoop proof is a 2 step process

1. clean up the end-points.

this requires that the end-point be subjected to a software inventory and audit to ensure that all and only the desired software is present. open source o/s preferred

you cannot have a meaningful discussion about encryption until you have satisfied (1) (above).

2. use GnuPG -- again open source -- to authenticate and secure communication links. this is a task that each user will have to learn and practice. the current practice of transmitting masses of x.509 certificates authenticated by massive "Certificate Authorities" -- has been compromised on occasion and has been the subject of significant inquiries by good COMSEC folks.

1
0

Silicon Valley slurped millions of NSA cash for PRISM participation

mike acker

how long haven't you known that?

0
0

Torvalds frustrated at missing simultaneous release

mike acker

you mean make it like msft/windows? FT

if you do design an improved micro kernel os you need to make use of ring 1-2 as well as just 0,3 so that kernel related processes -- which are privileged programs -- run protected.

1
0

Ubuntu puts forums back online, reveals autopsy of a brag hacker

mike acker

not back to normal

they now force users to use a "Single Signon" to access both their Ubuntu1 drop-box as well as the BBS

this is not regarded as a "best practice" : anything of a sensitive nature -- should have a separate password. and your drop-box may be sensitive -- depending on what you use it for

1
0

'It's GOOD we stopped selling the iPhone'

mike acker

I guess we all need to learn to cuss in Finnish!!

seriously Heaven forbid we were without Linus. I personally think LINUX may be capable of correcting some of the extremely bad thinking that has been incorporated into some software -- which now causes a LOT of Security Trouble

1
0

US gov SMASHES UP TVs and MICE to nuke tiny malware outbreak

mike acker

that's because there are no certification tools available to test for un-authorized programming. Wolfgang Stiller (Stiller Research) taught us how to do it with his Integrity Master product

you boot from a separate read-only media and make a list of all the software on the subject machine. include CRC, date, and size of modules. check this list against what is supposed to be there. if you have what you're supposed to have, none of it changed, and nothing extra you are good to go.

it will take an FTC rule to force the industry to adopt this practice. a better practice is to stop using vulnerable operating software

1
0
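
Added example (not from the post and not Stiller Research's Integrity Master): a baseline-and-compare inventory in Python that records the size, mtime and CRC-32 of every file under a root, saves that manifest (to be kept on read-only media), and later diffs a fresh scan against it, reporting what changed, vanished or appeared; the directory names and sample files in the demo are constructed.

```python
"""Baseline-and-compare software inventory: record size, mtime and
CRC-32 per file, keep the manifest off-box, and diff a later scan
against it (added example; demo paths and files are constructed)."""
import json
import os
import tempfile
import zlib
from pathlib import Path


def crc32_of(path: Path) -> str:
    """CRC-32 of the file contents, computed in 64 KiB chunks."""
    crc = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08x}"


def inventory(root: str) -> dict:
    """Map each file path (relative to root) to its size/mtime/CRC record."""
    root_path = Path(root)
    records = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # only real files are modules worth checking
            st = p.stat()
            records[p.relative_to(root_path).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "crc32": crc32_of(p),
            }
    return records


def save_baseline(records: dict, dest: str) -> None:
    """Write the manifest; keep it on media the scanned system cannot alter."""
    Path(dest).write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(src: str) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Modified = same path but different size/mtime/CRC; missing and
    extra are paths present on only one side of the comparison."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "extra": sorted(p for p in current if p not in baseline),
    }


def is_clean(report: dict) -> bool:
    """'Good to go' only when nothing changed, vanished or appeared."""
    return not any(report.values())


if __name__ == "__main__":
    # Constructed demo: baseline a tree, tamper with it, rescan and report.
    root = tempfile.mkdtemp()
    Path(root, "app.bin").write_bytes(b"release build")
    manifest = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(inventory(root), manifest)
    Path(root, "app.bin").write_bytes(b"release build, patched")
    Path(root, "dropper.bin").write_bytes(b"unexpected")
    print(compare(load_baseline(manifest), inventory(root)))
```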

Americans attempt to throw off oppressive, unresponsive rulers on 4th of July

mike acker

Thomas Jefferson, 1821: "...when all government... in little as in great things, shall be drawn to Washington as the centre of all power, it will render powerless the checks provided of one government on another and will become as venal and oppressive as the government from which we separated."

17
1

What's the most secure desktop operating system?

mike acker

one of the Critical Questions that is missed by security systems is: WHICH PROGRAM DO YOU WANT TO USE FOR THAT?

when you LOG ONTO your system you are given access to files based on WHO you are and the Ownership of any file you want to open

you might want to review this

for example, if you are running a web page do you really want your browser to be able to access anything you have access to ?? remember, it's you AND the web-page running your browser...

to control this you need AppArmor,-- or RACF

3
0
mike acker

if you were interested in computer security you would study the methods used by attackers. The question for the hacker is : get code execution.

code execution could be a root kit or just a macro running in a word document or java running off a web page. no matter, it's important to ask: what can that code access, exfiltrate or manipulate?

now that we have polymorphic virus programs and millions of new samples appearing each year the virus scan is less effective than it needs to be. we have to monitor and limit program behavior.

I'm running Linux now, with my browser confined using AppArmor. It's a good package. Sadly, it's not for everyone.

2
0

Facebook's first data center DRENCHED by ACTUAL CLOUD

mike acker

idiots

you circulate the chilled water to heat exchangers inside the building

unless you want to take a bath

1
0

Copyright troll Prenda Law accused of seeding own torrents

mike acker

steele better check and see where mcafee is hiding out these days

1
0

PayPal security boss: OBLITERATE passwords from THE PLANET

mike acker

look deeper

this is an effort to get rid of anonymity

not everyone on the internet is a Good Guy so it is important to maintain your anonymity when you are online

there is nothing wrong with passwords -- when properly implemented

and if a hacker can get in via sql injection fingerprints or other scans are not going to help. if he gets in via sql injection he just takes what he wants

4
1

Microsoft: All RIGHT, you can have your Start button back

mike acker

looking deeper

looking deeper, if the smart-phone user interface is un-acceptable then it's possible the PC ain't dead after all

we face a nasty backlog of badly written software that only runs on a specific version of an o/s which is making it difficult to dump XP . and Win8 ain't gonna help none .

in a very real sense an o/s IS a "hardware abstraction layer" . the o/s honors the system calls that an app needs in order to "do its thing"

i think Linux has made usable progress on this issue in Torvalds First Rule of kernel coding: don't break the system calls.

hopefully much of the obsoleted software can be ported to Linux.

8
0

Apple debuts two-step verification for Apple IDs

mike acker

Second Deadbolt on the Front Door

two factor authentication is like adding a second deadbolt to the Front Door while the Back Door is left flapping in the breeze. "Two Factor" -- is solving the wrong problem: hackers don't generally attack that way:

they are using infected apps, or application program faults -- to install malware into their victims. this has NOTHING to do with user ids and passwords.

0
1
mike acker

no effect

so called "two factor" identification will have no effect on hacking: hackers use the owner's keys to install malware into the owner's computer

for mobile devices this is often via an infected "app"

after the malware is into the owner's computer then the owner is "pwned" and his\her computer does whatever the attacker wants it to do

using the owner's credentials

0
2

Facebook devs HACKED in 'sophisticated' Java zero-day attack

mike acker

"sophisticated" ? lol

every hack report i see claims the attack was "sophisticated". and then I find out it was via some crappy old bug the hackers use all the time.

3
0

Worst broadband notspots in the UK named and shamed

mike acker

replace streaming with buffering

it's time to eliminate the streaming protocol and replace it with buffering. all this means if you want to look at a long running stream you wait while the first 20% or so buffers to your local device. with the speeds we have now this shouldn't matter much and there's no reason video fanbois should expect to pig the net.

0
2

Browser makers rush to block fake Google.com security cert

mike acker

Glossing over a Critical Security Requirement

as I have noted in the past: the fundamental error here is that HTTPS bypasses the requirement for users to authenticate keys

this requirement is carefully detailed by Phil Zimmermann in his original PGP documentation in the section "Protecting keys from tampering"

HTTPS did not follow his requirements and got what they deserved

anyone using PGP ( or by extension x.509 certificates ) should generate their own keypair and sign any certificate that is used in a critical system. it should be noted that MSFT already does this for critical security bulletins.

the IT industry again is guilty of glossing over a critical requirement in favor of convenience

getting hacked ain't gonna be convenient

1
1

Three little words stall UN's 'bid for INTERNET DOMINATION'

mike acker

remember what Geo Orwell taught us:

"The Great Enemy of Clear Language is INSINCERITY

0
0

EU joins Google, hippies, Uncle T Cobbleigh in fight against ITU

mike acker

lookup the International Covenant on Civil and Political Rights

Freedom of expression is subject to the following restrictions:

these shall only be such as are provided by law and are necessary:

1. For respect of the rights or reputations of others;

2. For the protection of national security or of public order (ordre public), or of public health or morals

it is obviously easy for a tyrant to bend the meaning of the above

0
0

The GPL self-destruct mechanism that is killing Linux

mike acker

as far as MSFT v Linus goes MSFT is its own enemy while Linus has an unlimited pool of allies generating Open Source Software.

The result: MSFT attempting to cram their style onto us (and make us pay for their stuff); Linus offering Freedom as the alternative at n/c

how will this play?

I think MSFT is retreating to the mobile and gaming area, leaving the desk workstations to Linus -- which various versions of Linux have already won the field for servers

as MSFT pushes into the mobile/gaming field they will face Google and Android on their other flank though...

"Half a league, Half a League, Half a League, onward ...

7
3

Android, heal thyself

mike acker

AppArmor

the thing Android needs is AppArmor for every App.

put an end to apps messing around where they should not be messing.

0
0

Mayer wants Yahoo! to be the world's mobile portal of habit

mike acker

she faces the Fundamental Internet Battle head on: Privacy v Advertising and Market Research

Google and Amazon have good models. social is a bad model and will soon be generally disdained

0
0

Salesforce CEO Benioff: Win 8 is 'the end of Windows'

mike acker

Fragments: Entertainment | Industry

IMHO ( which is free ) the industry is fragmenting,-- with the entertainment and business sectors going separate ways.

Win8 is going into the entertainment & Gaming business.

Canonical/Linux will pick up business computing.

why?

Windows is a hacker's paradise that is beyond repair.

0
0

Not so fast, T-Mobile: Sprint may bid for MetroPCS

mike acker

NEXTEL Refugee

as a NEXTEL refugee we looked at Sprint and then switched to T-Mobile. Sprint basically bought up NEXTEL -- and then wrecked it. The NEXTEL phones were better and so was the old iDEN net.

0
0

Firefox's birthday present to us: Teaching tech titans about DIY upstarts

mike acker

understanding the "cloud"

=" Music and other content are easier to move, but still painful."

ah, --understanding!! the "cloud" wants to own your entertainment properties and just lease the use of them to you

cloud must be resisted at every juncture.

cloud ain't "whats happening" it is a method of control that the industry is attempting to foist upon consumers

1
0

Windows 8: Never mind Office, it's for GAMING

mike acker

Bad decisions trace back to the 5150

MSFT has been built on decisions that can be traced back to the IBM 5150. The 5150 was intended to compete with Atari, PDP8s, 11s, Commodores, Vic 20s. A different line of development, these machines were intended to be easy to modify. and they succeeded in that and no one can deny that that has resulted in a lot of program development

but to use such machines for sensitive applications -- which deal with money or sensitive information -- you need a machine for which you can assert exclusive control. that was not a design objective with the early toy computers. the issue wasn't addressed at MSFT until 1-15/2002 when Gates wrote his now famous letter re. security to be Job 1.

the makers of android are facing this problem today having learned nothing from the debauch of windows...

we may well be poised upon a new doorway where we will recognize that it is important to have 2 types of computers: one type for play -- another for use with commercial or sensitive information requirements. The latter will not be a derivative of the 5150/Windows line: it's too late to correct them.

0
1

The iPHONE 5 UNDERMINES western DEMOCRACY: 5 reasons why

mike acker

iDIOT pHONE

iDIOT pHONE

who needs one?

1
4

Why is the iPhone so successful? 'Cause people love 'em

mike acker

anti aapl

there's gonna be more of us as a result of aapl having become a patent troll

1
1

You'll be on a list 3 hrs after you start downloading from pirates - study

mike acker

new music and video model

notes

it seems there are elements of the 'net that would love to inventory every computer attached to the 'net

particularly MUSIC and VIDEO libraries

it appears this business is in a state of flux,... it appears the New Model is: you don't own any copies. Copies are to be kept in Cloud Libraries operated by licensed vendors. when you establish an account you will be placed on the Access List and given access to those assets you have paid the access fee for...

in this model if you have any titles on YOUR computer you are ipso facto a pirate

think about it

i only noticed this recently when Amazon changed their download procedures...

0
0

Why Java would still stink even if it weren't security swiss cheese

mike acker

Computers: a market research tool

unfortunately there are a lot of folks working with computers today that see computers as the ultimate market research and advertising tool. for this they assert their ability to run their programs on your computer.

preventing this means controlling what their programs are allowed to do -- on your computer. My suggestion is: switch to Linux. I have a Ubuntu box working now.

the interesting thing about Linux is: Security. You can create a user account just for e/mail and browsing. By default -- working from that logon -- you -- or any program you are running -- hence an intruder -- can only modify files in the home directory associated with that user.

you still need to take care however: If you share a directory out from your browser user account and then extract an html document from that shared directory -- you are pulling a copy of the intruder's java with that document. You could of course open the document with LibreOffice and then save it as text -- before you remove it from the shared directory.

just depends on whether tin foil is enough or if you need a helmet

0
0

1 MILLION accounts leaked in megahack on banks, websites

mike acker

SQL Injection

SQL Injection is an old, known attack. the defense is (1) use only stored procedures and (2) sanitize input data.

getting hacked via SQL Injection is simple negligence on the part of the system operations staff. they should incur the $$$ liability for this.

9
4
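
Added example (not from the post): a lookup that concatenates user input into the SQL text beside the same lookup done with a parameterised statement, plus an allow-list check standing in for the post's "sanitize input data"; the `users` table, its rows and the `validate_username` helper are constructed for the demo.

```python
"""Vulnerable vs. hardened lookup against an in-memory SQLite database.
Added example; schema, rows and helper names are constructed."""
import re
import sqlite3

# Allow-list for what a username may look like (constructed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation, so quote characters
    and operators inside the input are parsed and executed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised statement: the driver binds the value separately,
    so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_username(name: str) -> str:
    """Reject anything outside the allow-list before it reaches the query;
    this is defence in depth on top of binding, not a substitute for it."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name
```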

Phone-flingers flock to Finland for World Championships

mike acker

hopefully they also have a contract burning bonfire

0
0

IEEE admits its MS-DOS history revisionist is in Microsoft's pay

mike acker

Re: QDOS vs CP/M

="The limit came from the address pins because there were only 20 of them."

the decision to use 20 rather than 24 address lines was taken during the design phase of the chip.

1
0
mike acker

Re: QDOS vs CP/M

it is important to remember that at the time of the 5150 IBM did not want the 5150 to have enough guts to threaten its regular business products. that is why CP/M was NOT authorized for the 5150. Rather the junk O/S was scrounged up from experimenters. too you'll remember the segment offset was carefully limited to 4 bits -- limiting the 5150 and derivatives to 1MB memory

3
1

Gabe Newell: Windows 8 is a 'catastrophe' for PC biz

mike acker

Re: thank you and goodbye

We are seeing the beginning of the downfall of microsoft

0
0
mike acker

Re: I see what you did there!

yep, i have no interest in games

but i do have a great interest in security and Linux makes windows look like a festival of fools

4
0

Anonymous vows to wipe web clean of child abuse scum

mike acker

Anon Computer Group

this morning I'm playing some Joan Baez music and have renamed my file for the Anon Computer Group

0
0

Shuttleworth: Why Windows 8 made us ditch GPL Linux loader

mike acker

UEFI

this is a critical move and a very good one. if we can design a mechanism that can verify the initial load of the o/s then the o/s should be able to check itself as it finishes loading.

the danger remains in the attacker possibly being able to flash the bios or somehow modify the firmware used in the initial process. attackers have always preferred to inject their un-authorized programming into the system at the lowest level

of course if the O/S is secure -- and it receives a BIOS update signed by the OEM -- then it would be expected that it would be safe to accept the update. but if the O/S were compromised, uuuugh

all of which goes back to the note that security is like a balloon: 1 pin-prick and POP! it's gone.

0
0

Facebook: Our phone app DID seize your email

mike acker

bug?

yeah, whatever

0
0

ITC denies Apple an emergency ban on ALL HTC PHONES

mike acker

my i 305 did that

a patent that allows folks to isolate data such as phone numbers in emails and then call the number.

??

my i 305 does that and i've had it for 5 years

0
0
