Vulnerabilities

politeruin · July 6, 2022, 9:25pm

I was wondering why it was so quiet over on the Tor blog and today it was taking me to a WordPress login page, now it just goes to their newsletter signup.

BakaNeko · July 7, 2022, 10:46am

BakaNeko · July 23, 2022, 9:32pm

Simon_Clift · July 25, 2022, 1:31pm

I remain unhappy with DNS.

RickMycroft · July 25, 2022, 1:51pm

They don’t even have full IP rights to their database, since they scraped most of it off of the Internet.

RickMycroft · July 25, 2022, 2:17pm

Different cause from the Rogers Canada outage, but same results: They didn’t/couldn’t shutdown their wireless network, which would have freed phones to make emergency calls via any available provider. (It’s possible to do that with a dive into the phone configuration, or yank the SIM, but who wants to do that in an emergency?)

Simon_Clift · July 25, 2022, 2:39pm

I’m waiting with bated breath for the leak that lets us know what really happened at Rogers.

Edit: Not that reasonably well informed speculation doesn’t exist. cough BGP uk-fup cough

The un-redacted parts of Rogers’ explanation does point to BGP.

Rogers said coding from the update deleted a routing filter that “allowed for all possible routes to the Internet to pass through the routers,”

The House of Commons Industry Committee is meeting on the topic today (July 25), if you have the patience for the high level waffling and political posturing.

BakaNeko · July 27, 2022, 5:47pm

FGD135 · July 27, 2022, 7:55pm

Apple’s internet traffic took an unwelcome detour through Russian networking equipment for about twelve hours between July 26 and July 27.

[…]

BakaNeko · August 4, 2022, 6:06pm

RickMycroft · August 6, 2022, 4:53pm

These people need many solid hits from a LART or Wouff-Hong.

BakaNeko · August 10, 2022, 11:42pm

BakaNeko · August 15, 2022, 8:01pm

FGD135 · August 17, 2022, 9:06pm

A developer says he was able to run his own software on his car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

[…]

“The script hinted at RSA signing being used, but unfortunately the key used for that was not in the source code,” Feldman explained in a blog post back in May that was brought to our attention by a reader this week.

“Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF],” he added.

[…]

RickMycroft · August 17, 2022, 9:21pm

Ha! Someone put the sample key in to get the app running, but didn’t put an #IF DEBUG block around it to keep it out of the release code.

Simon_Clift · August 18, 2022, 2:58pm

tl;dr: 1,900 Signal accounts hacked via registration mechanism and SMS, 3 actual targets, no personal data revealed thanks to good design, all affected have been notified. Turn on Settings → Accounts → Registration Lock.

RickMycroft · August 19, 2022, 1:03am

In this case, a feature!

BakaNeko · August 19, 2022, 4:39pm

FGD135 · August 24, 2022, 5:27pm

BakaNeko · August 24, 2022, 11:56pm

Topic		Replies	Views
Lavabit Redux? links	5	990	February 18, 2017
UK Snooper's Charter "would put an invisible landmine under every security researcher" boing	3	1100	November 16, 2015
Vulnerability in recorders used by 70+ CCTV systems has been known since 2014 boing	13	1672	March 29, 2016
New Vpnfilter analysis: modules attack router owners and target industrial control systems; reinfection still possible, more routers vulnerable boing	14	1169	June 11, 2018
Today only: take an extra 15% off all of the VPNs in the Boing Boing Store boing	4	868	December 1, 2015

Related Topics