news

ProCurve 1810G-8 setup

Technical wiki updates - 7 hours 41 min ago
...The switch ships without DHCP enabled, so you must have an IP address on the 192.168.2.0/24 subnet defined. I manually define an additional IP address 192.168.2.12 on my Linux laptop when I want to do this.
Power up and cable the switch into your network.
... 3.5.4 on Windows,Windows and Epiphany 2.28.0 on Linux, but not with Firefox 3.0.17 or
There is no password by default, so just select login.
Navigate to Home -> Setup Network, select DHCP, and apply the settings. The switch will shortly be accessible on its new IP address. Connect to that address with your web browser.

ProCurve 1810G-8 setup

Technical wiki updates - 8 hours 34 min ago
...Because we are using the switch with self-signed certificates, a browser warning should pop up. Allow the connection, but be sure not to save the certificate permanently (especially if you're using Firefox), because the self-signed certificate clashes with all other self-signed certificates from the same model of switch.
Set your password in Maintenance -> Password Manager.
Save the switch config in Maintenance -> Save configuration.
Relax - you're done!
Breathe a sigh of relief

Marc Rotenberg on Google's Italian Privacy Case

Bruce Schneier's Crypto-gram - 16 hours 38 min ago

Interesting commentary:

I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person's image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man's image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim suggested that the state assembly could simply pass a law to create the right. The New York legislature did exactly that, and in 1903 New York enacted the first privacy law in the United States to protect a person's "name or likeness" for commercial use.

The whole thing is worth reading.

Categories: main

Guide to Microsoft Police Forensic Services

Bruce Schneier's Crypto-gram - Tue, 2010-03-09 22:59

The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it:

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.

When it was first leaked, Microsoft tried to scrub it from the Internet. But they quickly realized that it was futile and relented.

Lots more information.

Google in The Onion

Bruce Schneier's Crypto-gram - Tue, 2010-03-09 06:24

Funny:

MOUNTAIN VIEW, CA—Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday.

"We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some privacy concerns as of late, and judging by some of the search terms we've seen, along with the tens of thousands of personal e-mail exchanges and Google Chat conversations we've carefully examined, it looks as though it might be a while before we regain your trust."

Google expressed regret to some of its third-generation Irish-American users on Smithwood between Barlow and Lake.

Added Schmidt, "Whether you're Michael Paulson who lives at 3425 Longview Terrace and makes $86,400 a year, or Jessica Goldblatt from Lynnwood, WA, who already has well-established trust issues, we at Google would just like to say how very, truly sorry we are."

Eating a Flash Drive

Bruce Schneier's Crypto-gram - Tue, 2010-03-09 03:00

How not to destroy evidence:

In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show.

The article wasn't explicit about this -- odd, as it's the main question any reader would have -- but it seems that the man's digestive tract did not destroy the evidence.

De-Anonymizing Social Network Users

Bruce Schneier's Crypto-gram - Mon, 2010-03-08 22:13

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.

In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

News article. Moral: anonymity is really, really hard -- but we knew that already.

Friday Squid Blogging: Squid Teapot

Bruce Schneier's Crypto-gram - Sat, 2010-03-06 08:32

Squid teapot. Could be squiddier.

Another Interview with Me

Bruce Schneier's Crypto-gram - Sat, 2010-03-06 04:53

I gave this one two days ago, at the RSA Conference.

New Crossover Release With Improved Compatibility

Slashdot Linux - Sat, 2010-03-06 01:44
solanum writes "On March 2nd Crossover 9.0 was released. CrossOver 9 features a new user interface that focuses on making installation of Windows software quicker and easier than previous versions. Another new feature is CrossOver's ability to download installation 'recipes' directly from CodeWeavers online Compatibility Database. 'If another CrossOver user has figured out how to use CrossOver to install a Windows application, they can upload that installation recipe to our database,' said Jeremy White, CodeWeavers chief executive officer. 'As we go forward, and build this online storehouse, CrossOver will begin to automatically install that same application for other users. This enables us to move closer to a world where CrossOver will begin to run the majority of Windows apps, and not just an officially supported subset. In other words, our diabolical plot for world domination is going exactly as planned,' he added. Early reviews and comments are positive, and my own experience is that many more Windows applications work in this new version than previously."

Read more of this story at Slashdot.


Mariposa Botnet Shut Down

Bruce Schneier's Crypto-gram - Fri, 2010-03-05 22:02

The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet.

Researchers Find Way To Zap RSA Algorithm

Slashdot Linux - Fri, 2010-03-05 06:02
alphadogg writes "Three University of Michigan computer scientists say they have found a way to exploit a weakness in RSA security technology used to protect everything from media players to smartphones and e-commerce servers. RSA authentication is susceptible, they say, to changes in the voltage supply to a private key holder. While guessing the 1,000-plus digits of binary code in a private key would take unfathomable hours, the researchers say that by varying electric current to a secured computer using an inexpensive purpose-built device they were able to stress out the computer and figure out the 1,024-bit private key in about 100 hours – all without leaving a trace. The researchers in their paper outline how they made the attack (PDF) on a SPARC system running Linux."

Comprehensive National Cybersecurity Initiative

Bruce Schneier's Crypto-gram - Fri, 2010-03-05 04:55

On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan:

  • Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet.
  • Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
  • Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
  • Initiative #4. Coordinate and redirect research and development (R&D) efforts.
  • Initiative #5. Connect current cyber ops centers to enhance situational awareness.
  • Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
  • Initiative #7. Increase the security of our classified networks.
  • Initiative #8. Expand cyber education.
  • Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
  • Initiative #10. Define and develop enduring deterrence strategies and programs.
  • Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
  • Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.

While this transparency is good, in this sort of thing the devil is in the details -- and we don't have any details. We also don't have any information about the legal authority for cybersecurity, and how much the NSA is, and should be, involved. Good commentary on that here. EPIC is suing the NSA to learn more about its involvement.

IO Data Licenses Microsoft's "Linux Patents"

Slashdot Linux - Fri, 2010-03-05 04:29
eldavojohn writes "The Japanese computer manufacturer IO Data is the latest in line to license Microsoft's so-called 'Linux patents,' following the likes of Novell, Samsung, and Amazon. Yes, even the press releases use the word 'Linux' to describe these patents. From the press release: 'Specifically, the patent covenants apply to I-O Data's network-attached storage devices and its routers, which run Linux. Although the details of the agreement have not been disclosed, the parties indicated that Microsoft is being compensated by I-O Data.'"

Crypto Implementation Failure

Bruce Schneier's Crypto-gram - Thu, 2010-03-04 22:05

Look at this new AES-encrypted USB memory stick. You enter the key directly into the stick via the keypad, thereby bypassing any eavesdropping software on the computer.

The problem is that in order to get full 256-bit entropy in the key, you need to enter 77 decimal digits using the keypad. I can't imagine anyone doing that; they'll enter an eight- or ten-digit key and call it done. (Likely, the password encrypts a random key that encrypts the actual data: not that it matters.) And even if you wanted to, is it reasonable to expect someone to enter 77 digits without making an error?

Nice idea, complete implementation failure.

EDITED TO ADD (3/4): According to the manual, the drive locks for two minutes after five unsuccessful attempts. This delay is enough to make brute-force attacks infeasible, even with only ten-digit keys.

So, not nearly as bad as I thought it was. Better would be a much longer delay after 100 or so unsuccessful attempts. Yes, there's a denial-of-service attack against the thing, but stealing it is an even more effective denial-of-service attack.
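The arithmetic behind the two claims in this post (77 decimal digits for 256 bits of entropy, and a 5-attempts-then-2-minute lockout making brute force of a ten-digit key infeasible), as an added worked example that is not code from the original post; the lockout figures are the ones the post quotes from the manual, and the 1,000 guesses/second unthrottled rate is an assumed comparison figure:

```python
import math

# Added worked example, not from the original post: the arithmetic behind
# (a) "77 decimal digits for 256-bit entropy" and (b) "a two-minute lockout
# after five failures makes brute force infeasible". The lockout figures are
# the ones the post quotes from the manual; the unthrottled guess rate in the
# last function is an assumption used only for comparison.

BITS_PER_DECIMAL_DIGIT = math.log2(10)   # ~3.32 bits per uniformly random digit
MINUTES_PER_YEAR = 60 * 24 * 365.25


def entropy_bits(digits: int) -> float:
    """Entropy of a uniformly random decimal key of the given length."""
    return digits * BITS_PER_DECIMAL_DIGIT


def lockout_years(digits: int, attempts_per_lockout: int = 5,
                  lockout_minutes: float = 2.0, average: bool = True) -> float:
    """Years to brute-force a digits-long key when every attempts_per_lockout
    wrong guesses cost a lockout_minutes pause and nothing else limits speed.
    average=True gives the expected time (half the keyspace); False, the worst case.
    """
    keyspace = 10 ** digits
    guesses = keyspace / 2 if average else keyspace
    minutes = guesses / attempts_per_lockout * lockout_minutes
    return minutes / MINUTES_PER_YEAR


def unthrottled_days(digits: int, guesses_per_second: float = 1000.0) -> float:
    """Expected days to brute-force the same key with no lockout at all, at an
    assumed guesses_per_second rate (constructed figure, not from the post).
    """
    guesses = 10 ** digits / 2
    return guesses / guesses_per_second / 86400


if __name__ == "__main__":
    print(f"77 digits ~ {entropy_bits(77):.1f} bits")       # 255.8, i.e. ~256
    print(f"10 digits ~ {entropy_bits(10):.1f} bits")       # 33.2
    print(f"10-digit key, 5 tries per 2-minute lockout: "
          f"{lockout_years(10):,.0f} years on average")     # 3,803
    print(f"same key, 1000 guesses/s, no lockout: "
          f"{unthrottled_days(10):.0f} days")               # 58
```

The comparison is the point: the same ten-digit keyspace falls in weeks without a lockout and takes millennia with one, which is why a rate limit turns a weak key into an acceptable one against online guessing.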

North Korea's Own OS, Red Star

Slashdot Linux - Thu, 2010-03-04 08:00
klaasb writes "North Korea's self-developed computer operating system, named 'Red Star,' was brought to light for the first time by a Russian satellite broadcaster yesterday. North Korea's top IT experts began developing the Red Star in 2006, but its composition and operation mechanisms were unknown until the internet version of the Russia Today TV program featured the system, citing the blog of a Russian student who goes to the Kim Il-sung University in Pyongyang."

Ubuntu Desktop In the Cloud

Slashdot Linux - Thu, 2010-03-04 05:41
jimjimovich writes "One new feature in Ubuntu 10.04 that caught my attention is the Desktop in the Cloud project. Ubuntu already has great EC2 support, and it's getting even better. Now you can launch Ubuntu Desktop instances on EC2 and connect to them with an NX client."
