ibneko: (Default)
Official news post here:
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/

General rundown of exactly _what_ is being affected:
http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/
http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html

Discussion forums of patches and such:
http://www.ruby-forum.com/topic/157034

Now, my question to you guys, is... has anyone patched their copy of ruby? Anyone have any pointers on patching/upgrading ruby on a production site? My partner, the one who set everything up, is off on his honeymoon and can't be reached. The wannabe security professional side of me understands what the vulnerabilities mean and would very much like to patch and upgrade ruby. But from what I've read on the discussion forum, the releases are said to break stuff, which would be Very Bad™ for a live site.

Looks like we're running:
"Ubuntu 7.10" codename gutsy
ruby 1.8.6 (2007-06-07 patchlevel 36) [x86_64-linux]

crossposted to the ruby_lang, rails_dev community...

(This news is now about 5 days old...)
ibneko: (Default)
http://www.eff.org/action/bordersearch

There's links that'll help you send a generic e-mail to your local congressperson, and/or help you locate their phone number.

So go, e-mail. Help keep our deep dark secrets private.
ibneko: (Default)
...and encrypting+hiding data too large to store online.

Now that US customs agents have unfettered access to laptops and other electronic devices at borders, a coalition of travel groups, civil liberties advocates and technologists is calling on Congress to rein in the Department of Homeland Security's search and seizure practices. They're also providing practical advice on how to prevent trade secrets and other sensitive data from being breached.
In a letter dated Thursday, the group, which includes the Electronic Frontier Foundation (EFF), the American Civil Liberties Union and the Business Travel Coalition, called on the House Committee on Homeland Security to ensure searches aren't arbitrary or overly invasive. They also urged the passage of legislation outlawing abusive searches.

The letter comes 10 days after a US appeals court ruled Customs and Border Protection (CBP) agents have the right to rummage through electronic devices even if they have no reason to suspect the hardware holds illegal contents. Not only are they free to view the files during passage; they are also permitted to copy the entire contents of a device. There are no stated policies about what can and can't be done with the data.

-http://www.theregister.co.uk/2008/05/01/electronic_searches_at_us_borders/

I need to get TrueCrypt working. But I've heard some questionable, "things will crash and data will get lost" things about the initial mac release.

TrueCrypt, from what I've read, is supposed to let you encrypt things as well as hide them in harmless looking files. Pain in the ass though... At least I don't think I'm crossing the border anytime soon...
ibneko: (Default)
http://www.theregister.co.uk/2007/12/12/hp_laptop_vuln/

Apparently, due to stupidity on the part of HP*, your machine can get hijacked if you visit a malicious website.

*requires HP Info Center to be installed.

---
http://www.merriam-webster.com/info/07words.htm
Also, w00t has been named the word of the year. Oh dear.

--
http://www.improveverywhere.com/2007/12/12/save-the-date-no-pants-2008/
Lastly, if you're in New York *coughdaphucough*, you should check out no-pants day, 2008. :D
ibneko: (Default)
First: IT Security Warfare. A rather interesting read, at least for me.
http://mcwresearch.com/archives/496

Second: a presentation at the AAAS. Someday, I'll have the self-esteem and guts to stand up in front of a crowd and do that.
http://www.youtube.com/watch?v=yL_-1d9OSdk (via [livejournal.com profile] porsupah)

Third, from the interesting Geeketiquette blog, comes the Dresscodes: Geek vs. Non-Geek. Some of it is true, I suppose.
http://geeketiquette.com/archives/2007/06/27/dresscodes-geek-vs-non-geek/
(but potentially worth noting, if you're a geek like I am, and fail to pick up on normal social cues...)

Lastly, via metaquotes (and [livejournal.com profile] porsupah): the interaction between Christianity and Islam, if they're both kids....
http://community.livejournal.com/metaquotes/6156094.html?thread=113259582

And an odd mishmash of links that I need to visit/do/screw/whatnot:
OpenVPN, when on public, unsecured Wifi (project temporarily on hold; uiuc provides vpn that covers everything I need):
http://blog.2blocksaway.com/2006/12/11/building-a-cheap-secure-wireless-wlan-infrastructure-with-openvpn-and-linux-an-advanced-tutorial-of-openvpn/3/
http://openvpn.net/download_action.php?openvpn-2.0.9.zip
http://wiki.cacert.org/wiki/openVPN

Rails! Ruby! Arrrr?:
http://summerofrails.org/

Security:
http://www.priamos-project.com/
http://www.remote-exploit.org/backtrack.html
http://garrett.reid.org/backtrack/ (and why I need a MacBook /Pro)
http://insecurewebapp.sourceforge.net/main/index.html (download and try)

Wifi cracking:
http://kismac.de/_trac/wiki/DWL-G122 (need to locate and buy...?)

Japanese:
http://lrnj.com/ (learning japanese with RPG... something?)

Origami (via... [livejournal.com profile] kimoi):
http://www.geocities.com/foldingca/butterflyball.html
ibneko: (Default)
http://darwin.servehttp.com/cgi-bin/hash.pl

About this:
The original concept that spawned this can be found at http://www.nth-dimension.org.uk/utils/ghash.php. I wrote this up to see if it would actually work... And it would be more convenient than having to download a 50+ GB rainbow table from here (or here).

Ideally, you'd be using this to recover a forgotten password. But it could also be used for less ethical/illegal purposes. Knowledge is power. With power comes responsibility. Use this tool wisely. What you do with knowledge is up to you; I take no responsibility for your actions.


The list of characters that I support: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'><,.?/
(configuration 6 of the antsight.com rainbowcrack tables)

Here's the hash for password: http://darwin.servehttp.com/cgi-bin/hash.pl?show=md5&word=password (=> 5f4dcc3b5aa765d61d8327deb882cf99 =^.^=)

Now here's the question: How long will it take Google before they crawl the entire thing? :D Currently, it's set to 16 max characters, although I probably should have set it to 8. Here's to hoping Google doesn't crawl depth-first...

Other MD5 tools:
http://us.md5.crysm.net/ (MD5 reverse lookup: I think they run their own database...)

[edit] Here's the source code, for anyone who might be interested. It's licensed under GPL, although quite honestly, I don't think I fully grasp the concept of GPL. They need an easier-to-understand license XP Or provide a "common language" equivalent, similar to the nice Creative Commons license. But if you decide to run the code elsewhere, do drop me a line - I'd be interested.

[edit 2] Looks like here's another one with a similar idea. Except they hash all of the options and don't cover as many letters as I do. I wonder if it's more effective...?

Ah, it looks like while Google has crawled them, there's a limit to how much Google will crawl. Like the reverse.me.uk site only retrieves 49 search results. While a site like apple.com will retrieve 45K results.

Why is that? Does Google check for unique looking pages? o.O I wish I knew what algorithm Google was using, and how to maybe get past that. Maybe I should add random password generators at the bottom of the script, so Google will randomly jump to deeper hashes? Maybe? o.O

[edit 3] And here's another one. Again, Google doesn't find anything after the first few letters. Interesting..

Ingenious~

Jun. 23rd, 2007 10:52 am
ibneko: (Default)
Instead of downloading a bigass rainbow table, now, maybe if this works, you can just google your MD5 hash.

http://www.nth-dimension.org.uk/utils/ghash.php
(they should add SHA-1! maybe? o.O And the other ways of encrypting passwords...)

Although it'd be more interesting if they actually created a wordlist with configuration 6*. And put that online. Looks like they're just doing a wordlist.

*see: http://www.antsight.com/zsl/rainbowcrack/ (rainbow tables - 64 GB XD)

They do note that it would take several years for just one computer to calculate that entire table... but for the Google Hash site, they calculate the number on the fly... so they would only have to generate (and store?) the original keys... not too bad?

(Hmmm.. I wonder if there's some way to trick Google into calculating the MD5 hashes for us...)

[edit] No, there's another way to do this. Essentially, provide a list of characters - clicking on a character will add that to the current string that we hash. So it's kinda recursive...

I'll build an example this afternoon, when I finish lunch. This should be interesting. The only limit now, is how deep Google will crawl? And if Google crawls depth-first or breadth-first? And how much data would Google be willing to store from a simple site?

Hashes I want to do: maybe we'll start with MD5 first. Then SHA? And the windows password hashing method?

And a final question: Is this unethical? Because technically, the only real use for the last one would be to crack passwords... And I can't really think of any reason why you might need the other ones. Although I must say, I'm rather fond of the idea of creating information and making it searchable. I am a creature of information. Hear me roar? o.O Mew.
ibneko: (Default)
http://www.sonicwall.com/phishing/index.html

Try it out. It's a test to see how well you can spot phishing* e-mails.

*phishing e-mails = an attempt to "fish" for information by sending a realistic-looking e-mail, and linking you to a site that looks similar to the real thing, where you'll be tricked into giving up your personal information.

-

Sadly, I didn't pay as much attention as I should have, and ended up with only a 7/10. >.<;;
ibneko: (Default)
You were issued 150 points and you now have 150 points in total.

You now have over 100 points and can start assuring others.


=^^=v

Spiffy. For the record, I got the papers signed by a public notary over spring break, on the 23rd of March. They were mailed off to Australia (yep, Australia!) on the 26th. So that was about a two-week turnaround time. Whee!
ibneko: (Default)
I managed to make a CSR (Certificate Signing Request), pass that onto CACert, and install the certificate onto my server. =^^=v

Mostly, I think it was this table that I was lacking previously:

DN Field: Explanation (Example)

Common Name: The fully qualified domain name for your web server. This must be an exact match. If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. (Example: www.yourdomain.com)
Organization: The exact legal name of your organization. Do not abbreviate your organization name. (Example: RapidSSL.com)
Organization Unit: Section of the organization. (Example: Marketing)
City or Locality: The city where your organization is legally located. (Example: Wellesley Hills)
State or Province: The state or province where your organization is legally located. Cannot be abbreviated. (Example: Massachusetts)
Country: The two-letter ISO abbreviation for your country. (Example: US)


--
In other news, I wish I could stay up all night and all day. Not sleeping would be so nice sometimes.
ibneko: (Default)
If you know the password because you've changed it from the default, you're fine.

Otherwise, there's a new attack - Attackers use Javascript in your browser to change your router settings, so that trying to access your bank online will redirect you to their site. There, they can steal your information when you enter it.

The well written analogy is:
I’ll start with a high-level real-world analogy of this attack. Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. When you do business with this fake bank, you’ll give up all your sensitive bank account information. However, you’ll never realize that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.

http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
(they also have a nice flash video that provides a graphical idea of how it works.)

No clue what I'm talking about? If you connect to the internet by way of a router (regardless of wired or wireless), you can check by following these steps:
1. Access your router. Chances are, one of the following links will work:
http://192.168.0.1
http://192.168.1.1

2. If a username/password thing pops up, good. Try the following:
Netgear:
Username: admin
Password: password

Username: admin
Password: 1234

(username may be "Admin")

D-link:
Username: admin
Password: empty

Linksys:
Username: empty
Password: admin

3. Now change the password.
Netgear:
Navigate to Maintenance > Set Password. (Netgear support page)

D-link:
Navigate to Tools, then Admin (D-link support page)

Linksys:
Either click on "Administration", or "Password" (Linksys support page)

--
Other username/password combinations I've run across are:
admin/admin
admin/setup
admin/pass
admin/none

If step 2 fails, follow the instructions here to figure out where you need to go.
ibneko: (Default)
Yay, there's a newspaper article in the Washington Post suggesting that stupid cellphone companies shouldn't lock down their phones:
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/08/AR2007020802169.html

There's some (IMO) stupid counterarguments about competition and stuff. Granted, I just skimmed and haven't really read, so I may have skipped over something that I shouldn't have skipped.

Remote-Exploit.org, the people who supply BackTrack, a Linux Live Distro focused on penetration testing, apparently has security courses online. I need to take those.

http://www.remote-exploit.org/courses.html

And via Mark R., pretty wallpapers! http://interfacelift.com/wallpaper/index.php?sort=date

Sunsets are pretty...

--
5 page paper completed in 6-ish hours. Not... too bad? Proofread. Due in 5 hours. Whee. Time for bed.
ibneko: (Default)
Month of Apple Bugs!
http://projects.info-pull.com/moab/

And a person who has announced he would try to create patches for vulnerabilities as they come out:
http://landonf.bikemonkey.org/code/macosx/

So much to learn, so little time!
ibneko: (Default)
http://psiphon.civisec.org/ - the way to get through web blocking in other countries.

http://ibneko.livejournal.com/582793.html - original post on the thing.

Server is now up and running. Painless install, although router had to be configured, so it's still not exactly a user-friendly thing.

(Todo: Write a script that will attempt to set up routers. That would be spiffy. Good javascript project?)

Should be reachable at https://hikari.servehttp.com:440/hikari/ (Up and running. Certificate is self-generated, so uh, connection is secured in the sense that there's encryption. But there's no guarantee that the server you're reaching is actually me.)

Username and Password creation upon request. Currently friends and friends-of-friends only. As in, if I know you on LJ, comment with a desired username, and I'll make an account for you and send you the password.

[edit] Ok, it works. There's no https support (aka, can't check gmail e-mail, can't visit sites that require secure http). But since I can't hide it so it only shows up in the system bar, I'm not going to be running it unless someone actually needs the thing.
ibneko: (Default)
Airport security chiefs and efficiency geeks will be able to keep close tabs on airport passengers by tagging them with a high powered radio chip developed at the University of Central London...
...People will be told to wear radio tags round their necks when they get to the airport. The tag would notify a computer system of their identity and whereabouts. The system would then track their activities in the airport using a network of high definition cameras...

[source:http://www.theregister.com/2006/10/12/airport_rfid/]

I'm not the only one disturbed by this, right?

Right, so ways around this:
-Swapping tags with other people in bathrooms
-->can be countered by adding restrictions: you're supposed to be flying out of this gate, then you have to exit via this gate with your own tag.

-Ditching your tag to do Bad Things™ like bombs, etc.
-Making your tag broadcast someone else's signal.
-Making your tag broadcast a scrambled or random signal.
-->Object counting software - we see people in area, but there's a person missing a tag
or /duplicate tags/unissued tag id being returned. Flag security and notify them. This is much harder, and requires a shitload of processing power, but it's doable.
ibneko: (Default)
USB Missile Launcher - by way of The Register:
http://www.iwantoneofthose.com/search.do?productCode=mislau

::snickers:: so silly. I want one.

---
MoBB - Month of Browser Bugs, as announced by HD Moore, "the co-founder of the Metasploit Framework", releasing one new browser hack every day for the entire month of July. News via this article: http://www.eweek.com/article2/0,1895,1985027,00.asp?kc=ewnws070606dtx1k0000599

Blog here: http://browserfun.blogspot.com/

--
This is interesting: Hamachi - a zero-config VPN networking enabler. As in, it makes use of a third party mediator to get past firewalls, and from there on, data goes directly between the two machines...? (according to its website, anyhow)

"Once you have computers hooked up via Hamachi, they will be tricked into thinking that they are on the same local area network (LAN). This leads to a number of wonderful things, some of which are obvious and some are not. "

Thus far, there's windows, linux, and MacOS X versions out.
ibneko: (Default)
via [livejournal.com profile] fbartho: http://www.oreillynet.com/pub/a/mac/2003/01/20/mail.html?page=1

It covers mail encryption and/or digital signing.

The link is actually a bit out of date though, but the process is pretty painless. Just head over here:
https://www.thawte.com/secure-email/personal-email-certificates/index.html
And then click on "Join".
You'll go through a process of e-mail verification, then information gathering (not that much personal stuff, but you'll need to give them 5 questions for later verification, should you lose/forget your password). Note that they don't gather a phone number, so you _should_ go back and add that in afterwards, so they can call you for lost-password retrieval.

Once that's complete, request a certificate, and if you're running in Safari and using Mail, it's very easy. As soon as your certificate is ready, they'll send you an e-mail. Click the "Fetch" button, and it'll download (an .exe file, yes, I know. Just click "Download"). Keychain Access will pop open. Select "Keys", and you should see a "Key from www.thawte.com". Double-click on the private key, and select the "Access Control" tab, then change it to "Confirm before allowing access" and check the "Ask for Keychain password". This way, if you lose control of your computer, people can't just sign e-mails with your key, without your keychain password. Which... should be ok, unless people get control of your keychain password.

Eh, well, so the last bit is actually up to you. Once it downloads, you're all set to send e-mails.

Mail me. :) I'm at ben.juang //at// comcast.net.
ibneko: (Default)
I need to update LiveJournal on my iBook and play around with it.. it's been a while since I've played with my installation. 'course, it's rather boring when there's no one else in it.. kinda like playing God without little critters to poke at and ask for opinions.

I should install some other blogging tools. Done it before, but meh.

Need to install Tripwire, Snort, and Nessus. Maybe Linux as well, on my Desktop box here.

Oh, and while I'm on security, this is pretty sad:
DHS Gets Another F in Computer Security

DHS, if you don't know, is our lovely "Department of Homeland Security". Somehow, I get the vaguest feeling that they just sorta sit there and get paid to look pretty.

"It turns out that the vast bulk of the federal information security money is spent on documenting these systems, not on securing or testing them against attacks," Paller said. "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified."
:: sighs:: This is why, while I'm interested in security, I'm not too enthusiastic about working in the sector. Well, that, and there is SO MUCH I still need to learn.
ibneko: (Default)
Secunia (security-bug-whatnot site that I follow) has released a Vulnerability test for the Safari command execution exploit.

http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The current available solution:
Solution:
The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

--
Or use firefox. Maybe. I dunno. Will test that... maybe much later.
