SDS

all the ssl blacklists are updates. we can return to thinking we are safe. Apple included the patches in a Security Update, Firefox updated to 6.0.2. Jailbroken iOS users can update or install “sslfix” in Cydia to get the protections that apple has yet to release.

After watching Moxie’s BlackHat talk, we seriously need to fix SSL. It is holding up too many technologies to be this insecure.

In the mist of  #antisec and on the heels of the Vegas Hacker/Security conferences, another CA (DigiNotar) was hacked.  This time the hackers got Google’s security certificates.   With that criminals could use a technique known as a Man in the Middle attack to impersonate google and nothing can stop them.  Personally i have heard @ioerror rant about the fundamental flaws of our present SSL system.  Perhaps this will help bring about a change more quickly but for now we can blacklist the offending certificates.  here is how (on a mac)

To protect Safari, the solution is, apparently, to run Applications/Utilities/Keychain Access, click on “System Root” on the upper-left, and “All items” on the lower-left, then type “DigiNotar” into the upper-right searchbox, then doubleclick on all the certs that show up (you may only have one), open the “Trust” detail area, and change “When using this certificate” to “Never Trust”, then close the dialog box.

For Firefox users, go to Firefox’s Preferences, click on Advanced, then the Encryption tab, then click on “View Certificates”, click on the “Authorities” tab, scroll down to DigiNotar, click on “DigiNotar Root or CA”, then click on “Delete…” or “Delete or Distrust…” below (depends on your version).

Read more here:
http://www.computerworld.com/s/article/9219606/Hackers_stole_Google_SSL_certificate_Dutch_firm_admits?taxonomyId=85

Their recents exploits include hacking FBI affiliate Infragard (Atlanta Chapter).  They defaced the website, stole account information, and messed with their users.  Particularly Karim Hijazi of Unveillance.  LulzSec alleges that Karim (in a chat on IRC) offered them money and information to hack and his competition in the security industry.  This kind hypocritical behavior is specifically deplored by hackers.  Hijazi’s company email was posted online and in LulzSec’s official statement they threaten the release of his personal email as well.  LulSec started taking donations with BitCoin.  They used some of the money to pay for servers and their “lulzsecurity.com” domain which appears at present to be down.

After 3 straight years of pwn2own invincibility, someone finally bested all of chrome’s mighty security to downloaded and run code. French security research firm @vupen used two exploits to bypass ASLR, DEP, and leave the sandbox to run a calculator (in this demo). The calculator might be innocuous, but method is quite significant. Impressive work by the good guys.

I didn’t get to see The Imaginarium of Doctor Parnassus, but i did complete my home security system and another unnamed Top Secret project.

I woke this morning to find that many of my contact’s info such as phone numbers or email address had simply vanished. good thing i keep regular backups. This marks the most recent pitfall in a VERY bumpy MobileMe history.

with a snazzy new interface, hulu integration and a set top box from dlink slated for June! (less then $200)

sign up and download today! boxee.tv

I have finally sorted out the majority of my website issues! Somethingdotsomething.com is ready for general consumption. now all I need is content. That is the easy part, I just need to go off on a rant or two. enjoy.

http://stewdio.org/pong/