Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Thad]

Meanwhile, at pretty much the opposite end of the spectrum from LinkedIn's too-stupid-to-salt-their-fucking-passwords embarrassment, Flame used a sophisticated-as-fuck collision attack to spoof a legit MS signing cert.  As in, the people who designed it are literally some of the best cryptographers in the world.

Course, the most obvious takeaway is that nobody should be using MD5 hashes for anything important, which we already knew a damn decade ago.  BAD MS.  BAD.

[Mongrel]

I used a bullshit password for LinkedIn that I only use for trashy accounts

So you're saying they have your brontoforumus password?

...Actually no, because my bullshit throwaway password is fewer characters than the Brontoforums allows. LOL.

[JDigital]

At this point in the Internet, everyone should probably change their password for EVERYTHING.

Assuming that there's not already a keylogger on your PC by now. In which case, set up two-step authentication so you can at least get your accounts back when they're inevitably stolen.

[Mongrel]

Say, there's a few questions I've always had about keyloggers.

- How do they track mouse input?
- Can they track clipboard data (i.e. cut & paste)
- What about autosuggest entries in your browser? (for instance, I often just type "br" in the url bar to come here).

I try to keep this box clean clean (NoScript has saved me a couple times), but I've always wondered those things since I rarely input full information to navigate.

[Brentai]

It's telling that the only service I use that utilizes a per-session external authentication key is a video game.

[Thad]

Flame code found in Stuxnet, confirming a common dev (which everybody pretty much already suspected).  Meaning that the wunderkinds who (apparently) broke MD5 are Our Guys, or Israel's.

Which I guess is something of a relief.  God knows I don't trust our government (or Israel's) and its various surveillance efforts, but it's moderately less alarming than if Russia or China were out there with this kind of malware.

I'm sure they will be soon, of course -- that's the other thing; shit like this creates an arms race.

I guess the good news is it's hammered home that MD5 is not secure.  Which, again, we've been aware of for most of this century, but what the hell, this should at least be a kick in the ass to the industry.

[Thad]

Scientists crack some RSA keyfobs.  Doesn't mean that RSA is broken or any sky-is-falling hyperbole like that; it's just one more step in the arms race and a signal that it's time for the next round of tweaks, patches, and upgrades.

[McDohl]

That article cites the RSA 800, and I use an RSA 700.  I can only assume that the architecture is similar.

[Thad]

Ubisoft DRM even more horrible than previously thought, installs browser plugin that lets Ubi run arbitrary code but does not actually check to make sure it's really Ubi doing it.

Pirates, as always, are unaffected.

[Brentai]

SO FUCKING RELIEVED that I decided to skip buying the Prince of Persia pack over DRM concerns.  Actually, let me see...

Yep yep Forgotten Sands has that shit in it holy fuck.  I feel like a bullet just struck the wall next to my head.  That is TERRIFYING.

T GAME INDUSTRY please beat up Ubisoft until I stop feeling like playing video games is like navigating a fucking minefield, thanks.

[Thad]

Ubi claims to have pushed a patch that fixes it.

If this is true, then we can at least applaud Ubi for putting out a fix REALLY, REALLY QUICKLY after discovery.

For some reason I am not inclined to trust Ubi on this one until it is verified by a third party.

[Brentai]

Even if it is true, that opens up the question of "Did you guys really take less than ten hours to develop, test, and deploy a fix to a problem you were unaware of?"  Because I've done flaming hot fixes before and brother, that's a pretty tight schedule.

So the idea that they might have been perfectly ready for this to happen is not helping my feeling of complete horror.

[Thad]

The thought had crossed my mind, but if I'm to give them just a teensy bit of benefit of the doubt, a key exchange is not a difficult thing to implement.

Of course, giving them benefit of the doubt on how easy the fix was pretty much means pointing out how completely fucking stupid it was not to do it right in the first damn place.

[Brentai]

I suppose it's much easier to hang them on what they definitely DID do wrong rather than what I am deeply suspicious of them doing.  Still and all, I feel nervous about letting that company continue to touch PCs at all.  It's not like a massive potential worm vector doesn't affect people who aren't infected with it.

Also the key exchange doesn't exactly solve the problem, it just makes it less trivial to capitalize on.

[Thad]

Well, yes, agreed on all counts.

[Smiler]

I think the best part of this is that they didn't have the horrible rootkit drm on all of their games. Specifically, Rayman and Anno 2070 are both recent enough and updated, so I don't know why it wouldn't have it.

[Thad]

Ah hell, Rayman Origins is Ubi?  Guess I'll have to check out the Xbox version.

[Thad]

MS-CHAPv2 pretty much broken.

Researchers have devised an attack against a Microsoft-developed authentication scheme that makes it trivial to break the encryption used by hundreds of anonymity and security services, including the iPredator virtual private network offered to users of The Pirate Bay.

The attack, unveiled by Moxie Marlinspike and David Hulton, takes on average just 12 hours to recover the secret key that iPredator and more than 100 other VPN and wireless products use to encrypt sensitive data. The technique, which has been folded into Marlinspike's CloudCracker service, exploits weaknesses in version 2 of a Microsoft technology known as MS-CHAP, short for Microsoft challenge-handshake authentication protocol. It's widely used to log users into VPN and WPA2 networks and is built into a variety of operating systems, including Windows and Ubuntu.

"We hope that by making this service available, we can effectively end the use of MS-CHAPv2 on the Internet once and for all," the researchers wrote in a blog post published over the weekend.

[sei]

Chalk another one up for Moxie.

[Mongrel]

Inside the takedown of one of the worlds biggest spam networks.

CnC Virus Factory