Infosecurity

Asher Langton – Google+

I fail to understand how reasonable knowledgable people can think that there’s some way of delivering information to a person without actually “Delivering the Information”! If you’re providing me with the video/music/text, in whatever format, in whatever encryption, and then you provide me with a key and/or player program, you ARE PROVIDING ME WITH THAT DATA!

The “security” around my content can be broke, it will be broke and there’s no way in hell that anything built under this logic is unbreakable. Because you’re not trying to keep the information safe from me, you’re just trying to control how i can access it. So you’re forced to surrender a way of rendering it “readable” but then you try to control when or how i can read it. Does any of this seem any logic to anyone?

“Hey, here’s my encrypted book, and here’s a key for decrypting it, but be advised you may only read it at daytime.”

What will stop me from reading it at night? Even if the letters in the decryption key or book were only visible at daytime due to some magic ink, why couldn’t i just make a copy of it at daytime and read it at night? If this kind of reasoning and problem thinking seems ridiculous to you, congratulations, you’re a giant step ahead than the entire Media Industry executives, worldwide. (( And some software executives as well. Specially the Gaming executives… ))

Everyone that has given this two minutes of serious thinking will tell you that the only way to curb piracy is to offer a good service and value for money. Or simply abandon the current line of business and try to make your revenue in other related service line such as Support or Merchandising. It strikes me as unbelievable stupid that this kind of “unbreakable security” myth lives on and is relied upon.

Securelist

Microsoft: Screwing up security and best-practices since, basically, ever!

I assume there’s nothing wrong with the water up there in Redmond, so why do MS keeps doing this kind of stupid things and just not giving an jota about security? Or Standards? Or just good engineering?

Another good example is this one:

@bphogan: Example of NIH: Microsoft PowerShell: “New-item foo.txt -type file” instead of ” touch foo.txt”

Microsoft could just have implemented some sort of POSIX compliant shell (( bash, zshell, and endless others )) all freely available, all standards compliant and all widely used in every other OS in the world. Instead they have to go and reinvent the wheel and do some half-baked effort, that probably is way more limited, way more insecure and always halfway but never there.

Update: To answer the original poster, apparently is the last one, MS has always only stored the first 16 characters of your password and simply ignored all the remaining ones.

The Register

Either this is some sort of plot & honeypot by the French Intelligence or these are the dumbest business owners on Earth. (( I would say the first option but every time i’ve said “nobody is that dumb!” i’ve been proven wrong. ))

“And, so far, the military has been unable to stop the virus/keylogger on a widespread scale. Repeated attempts to remove the malware from Creech’s computers have only proven temporarily successful, if that. As a kind of last resort, military network specialists have resorted to full drive wipes to combat the persistent infection. They have been using a tool called BCWipe to completely erase the hard drives’ data before rebuilding the drives’ contents back from nothing.

“We keep wiping it off, and it keeps coming back,” said an anonymous source to Shachtman. “We think it’s benign. But we just don’t know.””

PCMag.com

You’ve got to be kidding. How is any virus/keylogger that can’t be eradicated benign?

I can just see it. The white-hat hacker spending endless nights in front of his machine, coding, tweaking, making redundant features so it can’t be erased, and in the end he writes the payload:

Imagine there’s no Heaven;
It’s easy if you try;
No hell below us;
Above us only sky;
[…]

Yep. It makes perfect sense. And what’s great about it is that it just spread to the control of armed with precision explosives flying autonomous vehicles. No harm can come from there right?

And if you have any problems with the keylogger virus, just unleash Skynet on it. I’m sure “she” can quell that nuisance for you.

When you thought you couldn’t see anything stranger (and dumber) than fiction, then comes reality…

Sustainable Softworks Blog

Yes. The one approach fits all is in itself a security risk as more and more users and apps opt-out of the Mac App Store (MAS) entirely or circumvent its restrictions. Add to this the updated delay for security bugs most apps have – comparing with the non-app versions – this might blow up in Apple’s face. But read the full post at the source to get a better view of what’s being criticized

I usually just try to use the non-MAS versions for these reasons as well. And i find the all “download dmg file -> open it -> drag the app to where you want it” not that cumbersome, but then again, i’m not the usual Mac user so my view is skewed.

But Apple needs to seriously consider the criticism being stated all around the developer’s internet. Switching Preference Panes for a Menu Bar icon is, on the long run, a dumb idea. What happens when people have more than 10 apps that require this “hack”? Stop buying apps at the MAS entirely?

One of my biggest complaints and pet-hates are the Install Packages many developers feel they must include. (( I always have the impression they’re just Windows developers that transitioned to the Mac without fully understanding it. ))

The problem is that Install Packages are a security and abuse issue waiting to happen. You are required to go back to the “dark ways” and just mindlessly click “next, next, insert password, next…”

to go through screens of useless information while the installer package can simply be wiping out your home folder and installing a key logger on a system level and you will never even know what it did.

A possible solution to this is a Quicklook plugin called “Suspicious Package“, a very apt name i must add. With it you can simply invoke Quicklook (( through pressing the space bar on finder or right-clicking it and selecting on “Quick Look filename” )) on a Install Package and see what its contents are.

You will now see where the installer will install files, if it haves any install scripts (and you can look through these if you understand them) or if they require an Admin password or a full System Restart to install. All without even executing the file once.

A QuickLook on the MAMP install package.

The installation of the plugin itself is very simple and you just need to drag the plugin to your Quicklook folder on YourUserFolder/Library/Quicklook . If no such folder exists just create it with the exact name of “Quicklook”.

It should be noted that although Mac OS X is a very secure system, it is no more secure than any other when it comes to the user allowing suspicious applications to run with the elevated privileges of a Administrator. If an application has that privilege, because you gave them to it by typing your admin password, then the app can do as it pleases with your system. So, always go for the paranoid side of things, specially the ones that you are not fully sure of its character. Better safe than sorry…

About Security Update 2011-005

Apple finally corrects the DigiNotar mess that everyone else had already corrected. 10 days after it went public and another 4 or 5 after everyone else had already corrected it. Including Microsoft. Can’t say it’s a stellar record in rapid response to security threats by Apple.

So in case you didn’t read this post regarding how to clean up this mess by hand, please run “Software Update” in your Mac as soon as possible. It involves a system reboot though.

“We’ve been made aware of a security issue caused by the Netherlands-based CA DigiNotar, who mistakenly issued a valid SSL wildcard certificate for google.com. The existence of this certificate, coupled with the implied lack of proper verification at DigiNotar, means that we consider it inappropriate that our systems continue to trust DigiNotar to issue SSL certificates.”

Coriolis Systems Blog

Apparently there is a rogue Google security Certificate being used somewhere out there on the Internet.

This is a major flaw, as this is the way your computer knows when “he” is actually talking to Google.com or Gmail or any other site belonging to Google, probably including Google Checkout as well.

Recommendation is that you should disable any security certificate from DigiNotar and the post tells you how to do it.

As warning, although i do believe this is a safe practice to do and i currently think that you should do it, i’m not completely sure of it. So decide for your own and do your research before.

The only apparent downside is that you may find some sort of “this website security certificate can’t be trusted” on other sites than Google. But if Google certificate got hijacked how safe do you think that website you’re apparently visiting is?

Update: Apparently Microsoft is also recommending removing DigiNotar Certificates from your computer, so never mind my initial objections.