This gives the warm and fuzzies.
The chain is pretty good, and the point where the bug was introduced is identified. From what I can tell this was an optional feature added in the past and recently re-added as a default setting.
My next project is going to be comparing a set of five to six different browsers that provide a privacy mode and seeing what kind of forensic residue is left behind by each. Also, don’t worry about the challenge that we were working on last month; I will get back to it, I have just been terribly busy with other commitments.
What I am trying to find is what is left behind by each and what you can piece back together from it; then I hope to move on to remediation ideas to fill in the gaps for each.
So far the list is looking like Safari (Windows), Chrome, IE 8, IE 9 and Firefox.
That’s a huge question. I am not a legal expert, and law is not a science either.
What I mean by that is you can ask ten courts the same question and get nine of the same answer, but there is always the chance of that one that interprets it differently.
In this case the defense is pulling in the 5th Amendment, arguing that divulging the password would be a case of self-incrimination.
First I think we should try and strip the technology off this problem. Now, is an encrypted data set a lock and key or a combo safe?
Now that is a good question, in my opinion it’s neither.
Those make a poor analogy to an encrypted disk. What if we look at it as just cipher text?
From what I know the founders of the US used ciphered messages before and after, so what in law references that?
None that I can find. I would really like to find the answer to this, I may have to ask around.
Now after all of that, there are some places that have laws specific to key disclosure, and I think our paper message would apply to that. The basic idea of them is give us the key or go to jail for X; some were a few months to two years. Now depending on the case it might be better to take the two years and have the primary case fall apart.
I doubt that this is done with.
And the cool thing of the day award goes to,
Not really IT related, and more than a little out of my element.
This is handy for any CTF games you may find yourself in.
It might cut out a bunch of work for you.
Just stumbled on this,
Interesting. I have found many times that these dumps vary enormously depending on which site they were taken from and the context.
Found a few things going on that got me fired up.
Megaupload’s head cheese has been denied bail; they assert that he is a flight risk.
I am totally on the fence on this one. I have seen a lot of legitimate material hosted on there. The other material I have seen on there is people’s personal stuff; I really have not looked very hard on there for copyrighted stuff, and what I did look for was already down, which fits in with their story / policy of removing it.
I will be following this, I really want to see where all of the figures came from.
Another story is that the MS security team has named a botnet creator who looks to have had a previous life at an AV company.
Another one to follow.
What starts out as a Tor guide quickly goes technical, with a whiff of tin foil.
( Not that I am discounting anything they are saying, none of it is made up. I personally have never thought of anyone going through that kind of effort for the kind of things I am up to. If you are on the run from the fuzz or are up to general bad bad things I guess that kind of stuff would apply. )
I just want to wrap up my thoughts on this. This is not going to stop every type of attack; there are a few ways to get around this type of authentication method. The first one that comes to mind is using the authenticated session that the user has already created for you rather than waiting to try and log in later. That said, something is better than nothing. This may not work against a determined targeted attack, but at least you won’t be low hanging fruit.
I tried to find a few FIs (financial institutions) that I could point you to that had OTP listed as a two-factor method, but I just turned up a bunch of old white papers. I did find mention of FIs in Germany that used paper for the OTP and various ones using SMS.
My personal choice would be an OTP (One Time Pad) setup.
The setup should be fairly simple:
- Create a system to generate random sets of 8 (or more) character pads; they should be random, but be careful to make it easy for users to tell 0 and O apart. Maybe only upper and lower case letters with no numbers?
- These should not be guessable or form any sort of pattern, so maybe use a hashing function. Just don’t hash 1, 2, 3, 4.
- When creating the pad one copy is associated with the user and stored as part of the authentication system and the other is handed off.
- The system should know when a user is nearing the end of the current pad and prompt for the creation of the next.
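A small sketch of that pad scheme, written for this post as an added example (not code from the original post or any bank's system): codes are drawn from an alphabet that drops the easily confused letters, the user gets the plain pad, the server keeps only salted hashes plus a cursor so each code is accepted once and in order, and a low-water threshold (assumed here to be 3 remaining codes) flags when the next pad should be issued.

```python
import hashlib
import hmac
import secrets

# Letters only, as the post suggests, and without I/l, which look alike on paper.
ALPHABET = "ABCDEFGHJKLMNOPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CODE_LEN = 8
LOW_WATER = 3  # assumed threshold for "nearing the end of the pad"


def generate_pad(size=20):
    """Return `size` unguessable codes from a CSPRNG; this copy goes to the user."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            for _ in range(size)]


def _digest(salt, code):
    # Per-user salt so two users with the same code do not share a hash.
    return hashlib.sha256(salt + code.encode()).hexdigest()


class PadAuthenticator:
    """Server-side copy of one user's pad: salted hashes and a position cursor."""

    def __init__(self, pad):
        self.salt = secrets.token_bytes(16)
        self.hashes = [_digest(self.salt, c) for c in pad]
        self.next_index = 0

    def verify(self, code):
        """Accept only the next unused code; a used code is never accepted again.
        Rate limiting of failed attempts is assumed to happen around this call."""
        if self.next_index >= len(self.hashes):
            return False  # pad exhausted, a new one must be issued
        expected = self.hashes[self.next_index]
        ok = hmac.compare_digest(expected, _digest(self.salt, code))
        if ok:
            self.next_index += 1
        return ok

    def remaining(self):
        return len(self.hashes) - self.next_index

    def needs_new_pad(self):
        """True when the user should be prompted to create the next pad."""
        return self.remaining() <= LOW_WATER
```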