I.T. Security and Linux Administration


April 30, 2014  9:36 PM

Strong Push to Pure-SSL?

Eric Hansen

http://www.wired.com/2014/04/https/

Should the entire Internet be encrypted?  No.  I don’t see the point of encrypting a website about my neighbor’s dog, for example.  Do I think it should be enforced/mandated for sites that hold sensitive information?  Most definitely.

I think this Heartbleed thing has blown things out of control a little too much.  We need to fix the issues we have now before we mandate a whole new list of rules.

April 30, 2014  9:29 PM

Reddit censors things?!

Eric Hansen

http://www.bbc.com/news/technology-27100773

The company that owns Reddit doesn’t, but the mods who run (ran?) the technology community removed posts silently that included certain words.

This is done most likely by a “bot” someone made to check for new posts and delete all posts that had any words in a blacklist.

Ultimately this won’t stop me from visiting the site but since people think censorship is a major thing still, why not offer an opinion?


April 30, 2014  9:14 PM

BitCoins for Donations

Eric Hansen

http://money.cnn.com/2014/04/22/technology/bitcoin-political-contributions/index.html

So again people are trying to push the BitCoin rave to be for governmental donations.  With the recent movements towards people accepting it as a valid form of currency, I wouldn’t be surprised if it gets approved.  But, even if it does, who will use it?

Currently no physical stores (that I’m aware of) accept it, and even to get a BitCoin it tends to be rather expensive time-wise.  Would it be worth it to spend that on a political donation?


April 30, 2014  9:07 PM

DarkNet, meet DarkMarket

Eric Hansen

http://www.wired.com/2014/04/darkmarket/

Truthfully I’m shocked it took this long, especially with BitCoin being around for a long while now.  But, then again, BitCoin (BTC) is finally being considered a legitimate form of currency, so hey.

While I have no intention of using DarkMarket, it makes me think of DarkNet, which is essentially another Internet that is only accessible via Tor.  This might be worth keeping an eye on, though.  Even if this doesn’t take off, the code is open-sourced, which can make it pretty viable in the future.


April 30, 2014  8:53 PM

AOL Talks Breach

Eric Hansen

http://www.theregister.co.uk/2014/04/28/aol_confirms_security_breach_from_spam_attack/

AOL still exists?

But, seriously, this is interesting to say the least.  The idea of spam itself causing a security breach is intriguing.  Changing security measures by sending out a mass amount of email full of viagra…genius.

I use AOL only for the instant messenger portion these days.  Not sure if this is going to make me concerned or not, though.


April 30, 2014  8:47 PM

Bug Bounty Program Critique

Eric Hansen

Bug bounty programs have really become a popular tourist attraction for IT security pros.  The premise is that a company will pay $x for finding an exploit, based on various criteria like severity, impact, etc…

However, it seems more often than not, people are reporting exploits that should be paid for, and getting refused for whatever reason the bounty head wants to claim.  It feels more like hiring a pen-tester to test the network, getting a report and never paying them for the services.

I’m not saying to pay for every XSS exploit found (these days XSS doesn’t even seem to be a threat), but how is this not worthy of at least something?


April 30, 2014  8:32 PM

Should the Government Release Info?

Eric Hansen

http://www.cnet.com/news/after-heartbleed-nsa-reveals-some-flaws-are-kept-secret/

This is a big article that can be boiled down to this: “the American government (specifically NSA) won’t always disclose information.”

Some people might get in an uproar about this, but why?  Because we’re not told everything?  Because the government is withholding information?

Around Easter a couple of weeks ago I was watching a documentary on catching the Boston Bombers.  Now, while what is real and what is fabricated in that is left up to the imagination as far as I’m concerned, it did mention a major detail.  The FBI felt it was in the best interest to not disclose information about the bombers.

While this ultimately led to the capture of one and the death of the other, we were still withheld information until the FBI had their backs against the wall.  Yet, no one gets in a fuss about our lives possibly being in danger.

I don’t condone what happened, but I also feel like we shouldn’t shake our finger at one person and tip the hat to the other for doing the same thing.


April 30, 2014  8:26 PM

Hackers hack traffic lights

Eric Hansen

http://www.wired.com/2014/04/traffic-lights-hacking/

This one is interesting.  When I first saw the title it brought me back to the golden days when I would hack Coke and Pepsi machines (it was cool to get to the debug menu).  I then also read on how to hack those light signs that construction workers place, though I did nothing with the information.  Overall, the idea of this even being possible doesn’t shock me in the slightest.

A lot of the content in this article though is theoretical.  It doesn’t discuss anything that actually happened, just that a contractor who works for an IT consulting firm tested these wireless sensors.  The end result was that even the most basic of security practices weren’t being followed (i.e.: no encryption of data), and these are placed in some major US cities like Washington D.C. and San Francisco.


March 31, 2014  7:39 AM

Dropbox & DMCA

Eric Hansen

An article was posted recently about Dropbox and its relation to the DMCA.  In short, if you share a file publicly, and it’s been flagged as a violation of the DMCA (either under your account or another’s), it will be blocked from the share.  So far this doesn’t mean it’s deleted from your account, just that you can’t share it publicly.

I like how Dropbox functions on this, but I can see one issue.  Dropbox does this by checking the hash of a file, and comparing it against a database of known infringing files, similar to how a lot of AV systems check for viruses.  I haven’t done a lot of research on the algorithm used, but let’s say it’s SHA-2 to make it actually useful.

While the possibility of this happening is very small, what if a collision happened between a music video file of Metallica and a picture of my wife’s newest kittens?  Two completely different files, but they end up with the same hash.  Would you allow the music video to be shared too or block the kittens from harvesting me my sweet Reddit karma?

Now, Dropbox also uses the hashing system to save on bandwidth and disk space (if a file on the server already exists with the same hash, it just shares that exact file with both accounts instead of uploading the same file twice).  As you can possibly imagine, the same issue occurs and Dropship has tried to exploit this but Dropbox has worked to stop it from happening.
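To make the collision concern concrete, here is an added example (not Dropbox’s code, and not from the post above) of a toy content-addressed store that both deduplicates uploads and blocks shares by hash alone. SHA-256 stands in for the unknown real algorithm, and a deliberately truncated 8-bit hash stands in for "a collision happened" so the effect can actually be triggered: the kitten picture inherits the music video’s block, and a dedup by hash alone serves the wrong bytes back. The third store shows the mitigation a defender would want, comparing the stored bytes before trusting a hash match. All file contents and names are constructed sample data.

```python
"""Hash-keyed deduplication and share-blocking, with a weak hash to show what a collision does."""
import hashlib
from typing import Callable, Dict, Optional, Set, Tuple

HashFn = Callable[[bytes], str]


def sha256_hex(data: bytes) -> str:
    """Full SHA-256 (a SHA-2 member); an assumption standing in for whatever Dropbox really uses."""
    return hashlib.sha256(data).hexdigest()


def weak8_hex(data: bytes) -> str:
    """Deliberately broken stand-in: only 8 bits of SHA-256, so collisions are trivial to produce."""
    return hashlib.sha256(data).hexdigest()[:2]


class ContentStore:
    """Toy content-addressed store: one stored copy per hash, plus a blocklist of hashes."""

    def __init__(self, hash_fn: HashFn, verify_bytes: bool = False) -> None:
        self.hash_fn = hash_fn
        self.verify_bytes = verify_bytes  # mitigation: compare bytes before trusting a hash match
        self.blobs: Dict[str, bytes] = {}
        self.blocked: Set[str] = set()

    def upload(self, data: bytes) -> Tuple[str, str]:
        """Return (hash, outcome) where outcome is 'stored', 'deduplicated' or 'collision'."""
        digest = self.hash_fn(data)
        existing = self.blobs.get(digest)
        if existing is None:
            self.blobs[digest] = data
            return digest, "stored"
        if self.verify_bytes and existing != data:
            # Same hash, different bytes: refuse to silently hand this user someone else's file.
            return digest, "collision"
        return digest, "deduplicated"

    def block(self, data: bytes) -> None:
        """Flag a file (e.g. after a takedown notice) by its hash."""
        self.blocked.add(self.hash_fn(data))

    def can_share(self, data: bytes) -> bool:
        return self.hash_fn(data) not in self.blocked


def find_weak_collision(target: bytes, prefix: bytes = b"kittens-", limit: int = 100_000) -> Optional[bytes]:
    """Construct a second input whose weak8 hash equals target's (constructed sample data)."""
    want = weak8_hex(target)
    for i in range(limit):
        candidate = prefix + str(i).encode()
        if candidate != target and weak8_hex(candidate) == want:
            return candidate
    return None


def demo() -> Dict[str, object]:
    video = b"constructed sample: metallica music video bytes"
    kittens = find_weak_collision(video)
    if kittens is None:
        raise RuntimeError("no 8-bit collision found within the search limit")
    results: Dict[str, object] = {"collide_under_sha256": sha256_hex(video) == sha256_hex(kittens)}

    # 1. Real hash: blocking the video leaves the kittens shareable.
    strong = ContentStore(sha256_hex)
    strong.upload(video)
    strong.upload(kittens)
    strong.block(video)
    results["strong_kittens_shareable"] = strong.can_share(kittens)

    # 2. Colliding hash, no byte check: the kittens get the video's fate, and the second
    #    upload is "deduplicated" onto the wrong bytes.
    weak = ContentStore(weak8_hex)
    weak.upload(video)
    results["weak_dedup_outcome"] = weak.upload(kittens)[1]
    weak.block(video)
    results["weak_kittens_shareable"] = weak.can_share(kittens)
    results["weak_served_bytes_match"] = weak.blobs[weak8_hex(kittens)] == kittens

    # 3. Colliding hash with byte verification: the collision is caught instead of deduplicated.
    checked = ContentStore(weak8_hex, verify_bytes=True)
    checked.upload(video)
    results["checked_dedup_outcome"] = checked.upload(kittens)[1]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a full SHA-256 nothing collides in practice, which is why the weak hash is needed to show the failure; the byte comparison in the third store is cheap once the candidate blob is already on disk and closes the dedup half of the problem, while the share-blocking half would need the same "is this really the flagged file" check before acting on a hash hit.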


March 31, 2014  7:28 AM

Invader Microsoft

Eric Hansen

Earlier this month a big report broke out that Microsoft was spying on a former employee who was leaking IP (Windows 8 code) to a blogger.  Since then, the leaker has been arrested, but a lot of people are in an uproar about it because of privacy concerns.

When you’re using a third-party to deal with any type of service, especially if they are hosting the content for you, expect the provider to be able to read/peek/view anything of yours at any time any where they please.

You’re using their systems, their space, their bandwidth and their electricity.  It’s like being invited over to a friend’s house and getting pissed when they take your glass away, dump whatever was in it, then give it back to you with a fresh drink.

At the same time I know it’s not a similar comparison, but the idea is there.  If you put all your faith in a provider not seeing what their space is being used for, you are pretty naive.  Everyone does it, from big to small companies.  It’s just like working at a company that monitors your network habits.

