FreeBSD 9 release

FreeBSD has released production version 9,

http://www.freebsd.org/releases/9.0R/announce.html

Some of the highlights;

• High performance SSH
• PowerPC Playstation 3 support
• ZFS version 28

This made my day

http://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html

Very simple concept, and it does not surprise me that people are using this and banks are seeing a loss on it.  If you work for a FI it’s time to try it out and see if you need to get on the phone.

By-passing Linux based screen locks

This gives the warm and fuzy’s.

http://seclists.org/oss-sec/2012/q1/200

The chain is pretty good, the point where the bug was introduced is identified.  From what I can tell this was an optional feature added in the past and recently re-added as a default setting.

Ta-Da!

How private is the private mode?

My next project is going to be comparing a set of five to six different browsers that provide a privacy mode and to see what kind of forensic residue is left behind by each.  Also, don’t worry about the challenge that we were working on last month I will get back to it, I just have been terribly busy with other commitments.

What I am trying to find is what is left by each, what you can piece back together from that then I hope to move on to remediation ideas to fill in the gaps for each.

So far the list is looking like Safari ( windows ), Chrome, IE 8, IE 9 and Firefox.

Should you be forced to decrypt your device?

That’s a huge question.  I am not a legal expert, and law is not a science either.

What I mean by that is you can ask ten courts the same question and get nine same answers but there is always the chance of that one that interprets it differently.

http://www.engadget.com/2012/01/24/judge-laptop-decryption-colorado-fifth-amendment/

In this case the defense is pulling in the 5th Amendment, arguing that divulging the password will be a case of self-incrimination.

First I think we should try and strip the technology off this problem.  Now is a encrypted data set a lock and key or a combo safe?

Now that is a good question, in my opinion it’s neither.

Those make a poor analogy to a encrypted disk.  What if we look at it as just cipher text?

From what I know the founders of the US used ciphered messages before and after, so what in law references that?

None that I can find.  I would really like to find the answer to this, I may have to ask around.

Now after all of that, there is some places that I have laws specific to key disclosure and I think our paper message would apply to that.  The basic idea of them is give us the key or go to jail for X, some was a few months to two years.  Now depending on the case it might be better to take the two years and have the primary case fall apart.

I doubt that this is done with.

Statistical analysis of elections

And the cool thing of the day award goes to,

http://arxiv.org/pdf/1201.3087v1.pdf

Not really IT related, and more then a little out of my element.

Hash Identifier

This is handy for any CTF games you may find your self in.

https://code.google.com/p/hash-identifier/

It might cut out a bunch of work for you.

Password analysis

Just stumbled on this,

http://thepasswordproject.com/rockyou_passpal_0.3_dump

Interesting, I have found many times that these dumps will dump vary extremely by what site it’s taken from the context.

News news news

Found a few things going on that got me fired up.

Megaupload head cheese has been denied bail, they assert that he is a flight risk.

http://www.bbc.co.uk/news/world-asia-16711416

I am totally on the fence on this one, I have seen a lot of legitimate material hosted on there.  The other material I have seen on there is peoples personal stuff, I really have not looked very hard on there of copy righted stuff and what I did look for was already down.  Which fits in with their story / policy of removing it.

I will be following this, I really want to see where all of the figures came from.

Another story is the MS security team has named a bot net creator that looks to have had a previous life at a AV company.

http://www.bbc.co.uk/news/technology-16700192

Another one to follow.

Tor Write Up, Kinda

What starts out as a Tor guide quickly goes technical with a wiff a tin foil.

http://cryptome.org/0005/tor-opsec.htm

( Not that I am discounting anything they are saying, none of it is made up. I personally have never thought of anyone going through that kind of effort for the kind of things I am up to.  If you are on the run from the fuzz or are up to general bad bad things I guess that kind of stuff would apply. )