3.14.2007

Star Wars, Noobs, and Hackaz

LOL! Enjoy. :)

Human Computation, Captcha, and ESP

I was trying to do some work when I stumbled upon this link. Needless to say, my work got put off until the video was over. This is a really kickass presentation on Human Computation by Luis von Ahn, an assistant professor at Carnegie Mellon University. Pre-interview he looks nervous and a bit squirrely, but he did an awesome job. He starts off discussing the pros and cons of CAPTCHAs, then moves on to human computation and how he has applied it to his ESP game.

3.09.2007

Wordpress server compromised

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Long explanation...

No good. Circle with da slash. I have a few WordPress installs. Even though they are not a few days old, I upgraded anyway. I suggest everyone running WordPress do the same. I'm just wondering if MU was affected. I guess we will find out soon enough.

TLD DNS DDoS fact sheet released

Back in February, there was a rather large DDoS attack on the Internet's root DNS servers. There really weren't many details on the attack, except for rumors that it originated somewhere in the Asia-Pacific region. Well, now we have something to sink our teeth into. ICANN has released an official fact sheet with more information on the attack. There are still some unanswered questions, but this fact sheet is concise and well put together. It covers details on the root server infrastructure, including Anycast, DDoS, zombies, and other aspects relevant to the attack.

ICANN TLD DNS DDoS attack fact sheet

3.08.2007

The Buzz about the OpenPGP Bug


Published: 2007-03-06,
Last Updated: 2007-03-07 12:39:48 UTC
by Arrigo Triulzi (Version: 1)

The latest GnuPG security advisory is, in the specific case of GnuPG, more of a "Human-Computer Interaction" than a security hole proper. The flaw is not in the encryption but in the way in which OpenPGP, a standard way of transmitting PGP-encrypted data, is interpreted by GnuPG "helpers" such as Enigmail and mail programs such as Evolution, KMail, etc.

An OpenPGP-compliant message can be made up of multiple sections, not all of which need to be signed or encrypted. The "helpers" and mail software do not use the GnuPG API correctly to interpret where the sections start and end, leading to something called "injection", which is a fancy name for "adding untrusted data which is indistinguishable from trusted data".

Translated: you see the pretty icon telling you that the whole message is encrypted and signed whereas there is a section of it (text, image, binary, whatever) which isn't.

What if you use GnuPG "raw"? Well, the visual cues are insufficient even for an advanced user and this is why a new release of GnuPG is being distributed and relevant CVE numbers were issued.

To give you an idea of the extent of the issue here are the CVE numbers:
  • CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
  • CVE-2007-1264 - Enigmail improper use of --status-fd
  • CVE-2007-1265 - KMail improper or non-existing use of --status-fd
  • CVE-2007-1266 - Evolution improper or non-existing use of --status-fd
  • CVE-2007-1267 - Sylpheed improper or non-existing use of --status-fd
  • CVE-2007-1268 - Mutt improper or non-existing use of --status-fd
  • CVE-2007-1269 - GNUMail improper or non-existing use of --status-fd
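The common thread in the CVE list above is that each client fails to consume GnuPG's machine-readable status stream (`--status-fd`) and instead trusts the presence of a good-signature message for the whole output. The script below is an added example, not code from the ISC diary, GnuPG or any of the listed mail clients. It parses status lines and refuses to report a message as fully signed unless exactly one PLAINTEXT section was seen alongside a GOODSIG, which is the property the injection attack violates (an unsigned literal-data section concatenated with a signed one yields two PLAINTEXT lines). The status streams are constructed by hand to illustrate the shape of the output; the key IDs and user IDs in them are placeholders. The `gpg_status` helper that runs a real `gpg` binary is included for use on real files but is not exercised offline.

```python
"""Detect unsigned sections injected into a signed OpenPGP message by
parsing GnuPG's --status-fd output (added example; not client code)."""
import subprocess
from dataclasses import dataclass, field
from typing import List

STATUS_PREFIX = "[GNUPG:] "   # every status line gpg emits starts with this


@dataclass
class SignatureState:
    plaintexts: int = 0                                    # PLAINTEXT lines seen
    good_sigs: List[str] = field(default_factory=list)     # key IDs from GOODSIG
    bad_sigs: List[str] = field(default_factory=list)      # key IDs from BADSIG/ERRSIG


def parse_status(status_text: str) -> SignatureState:
    """Parse the --status-fd stream; non-status lines are ignored."""
    state = SignatureState()
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                          # human-readable diagnostic, skip
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "PLAINTEXT":            # one per literal-data section
            state.plaintexts += 1
        elif keyword == "GOODSIG" and args:
            state.good_sigs.append(args[0])
        elif keyword in ("BADSIG", "ERRSIG") and args:
            state.bad_sigs.append(args[0])
    return state


def classify(state: SignatureState) -> str:
    """What a mail client may safely display for this message."""
    if state.bad_sigs:
        return "bad signature"
    if not state.good_sigs:
        return "unsigned"
    if state.plaintexts > 1:
        # More data sections than the signature covers: unsigned data was
        # concatenated with the signed section (the injection case).
        return "unsigned section injected"
    return "fully signed"


def verdict_for(status_text: str) -> str:
    return classify(parse_status(status_text))


def gpg_status(path: str) -> str:
    """Run gpg on a file and return its status stream (needs a gpg binary).
    Status goes to fd 1, plaintext is discarded, diagnostics stay on stderr."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--output", "/dev/null",
         "--decrypt", path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample streams (placeholder key IDs; not captured from gpg).
CLEAN_STATUS = """gpg: Signature made Tue Mar  6 2007 using DSA key ID ABCDEF01
[GNUPG:] PLAINTEXT 62 1173200000 
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-06 1173200000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

INJECTED_STATUS = """[GNUPG:] PLAINTEXT 62 1173200000 
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-03-06 1173200000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] PLAINTEXT 62 1173200001 
"""

UNSIGNED_STATUS = """[GNUPG:] PLAINTEXT 62 1173200000 
"""

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN_STATUS),
                         ("injected", INJECTED_STATUS),
                         ("unsigned", UNSIGNED_STATUS)):
        print(f"{name}: {verdict_for(stream)}")
```

The point of the check is that a signature verdict only ever applies to the single data section it covers, so any second PLAINTEXT line means the displayed plaintext contains bytes no signature vouches for. Newer GnuPG releases also emit status keywords this parser does not know (it ignores them) and reject multiple plaintext packets in one stream on their own, but a client should still make this decision from the status stream rather than from the textual output.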

3.07.2007

Check Point SecurePlatform Hardware Compatibility

Check Point's SecurePlatform (SPLAT) and hardware do not always play nicely together. In the past, I have experienced many issues with SPLAT not supporting newer system hardware. I have bumped my head on the unsupported network interface card many times. The following link is their official hardware compatibility page. However, I just recently discovered they have released a SecurePlatform hardware compatibility testing tool. It's somewhat useful if you have the hardware available, but then again, if you have the hardware, why not just try a SPLAT install? It could be handy if you don't want to blow away the current system. *Shrug* I guess it's a step in the right direction.