So fast so weekly: concept of security market

Clowns at work ;)
Advertisement in IT from IT
A market can advertise itself. In the past we've been a small crowd of nerds, interested in deeper IT security. We delivered facts and made real and cool stuff - without much noise. And some stuff stayed in the darkness.
We researched honestly, and when we found something, we disclosed. Freely. Openly. Available for everyone - but science. That's rapidly changing: IT security guys sell themselves now: but badly.
Take TCP - many vulnerabilities are well known. TCP is a big shit. But it's an RFC. Old. Well, in the case of sockstress - outsmarted by a window size of "0" - a case not reflected in the RFC, when combined with SYN spoofing. Okay. But that's on a 1996 bugtracker - before my time. I didn't know that. Again: great hype about nothing (in the end), but it affected me somehow. ;)
The concept of a market is: you don't need to believe the advertisement. So you have to distinguish between the guys making loud commercial approaches and those who are quiet and honestly competent in a neutral way. The security circus has great artists, too. But they enjoy publicity very much - without being able to communicate their stuff, because it's still scientific. But the press follows them, asking. And the answers are that we all are gonna die, and the internet will break and the moon will explode and:
Hell yeah!
When I have to reconstruct attacks that are happening, or happened - I'm steps behind the attacker. I can just follow. That's unbelievably stupid, because you have to be much smarter than the attacker: knowing what he did, and how you can figure it out in today's complex technology.
When there's no disclosure, how can you expect an attack? If it's just known to the bad guys, who have got "Layer 8" on their side? - You can't.
If you want the IT security market to have a future: sell yourself openly. Care about all the people who can understand you. Those aren't many. That's the problem.
More free/real stuff!
Mobile forensics. An upcoming federal topic. Just look through the contacts while arresting someone to determine whether he's dangerous? - Sounds totally stupid. But that's going to happen. If your GSM phone doesn't end up in an IMSI catcher or a USRP first. Privacy? Why?
pauldotcom SIM card forensics! Wget this:
www.pauldotcom.com/SimcardTechSegment.swf
The power to hype, but no power to build stuff: Chrome sucks!
Google is a search engine, nothing more!
http://www.zdnet.com.au/news/software/soa/CIOs-not-testing-Chrome/0,1300...
Quantum cryptography broken?
From a cryptanalytic viewpoint the "Trust Me, I'm Physics" stuff is a farce. I mean, randomness. If I use some radioactive stuff as a random trigger, or make a silicon core trigger circuits... It seems there's finally an interesting analytic approach to mess with physics: look here.
The attack is brilliant in its elegance. They essentially jam the receiver. A bright pulse of laser light is sent and it blinds the receiver, which allows the eavesdropper, Eve, to decode the same photons that Alice and Bob are decoding, and thus get their key. The paper is only two pages, too, which is even better.
NoScript is useful
rvdh discovers a new flaw:
Strictly speaking HTML's multimedia features allow the OBJECT HTML to include images, iframes, applets, and other rich content like Flash and movie clips. Previously HTML did allow content to be fetched from an applet as well. To embed another document, whether local or remote, we can utilize the IFRAME, the FRAMESET, EMBED or the OBJECT.
It's patched now.
New Hex
Live distributions I regularly use are Hex and DAVIX, because they're innovative. Hex is now available in a new version:
1. FreeBSD 7 Stable
2. Unionfs
3. NSM Console updates
4. Tons of analysis alias and scripts
5. Tons of NSM tools' signatures
6. Firefox - Useful websites bookmark
7. Liferea - Security rss feeds
Grab it!!
Have fun,
wishi
