Vulnerabilities

I was wondering why it was so quiet over on the Tor blog and today it was taking me to a WordPress login page, now it just goes to their newsletter signup.


I remain unhappy with DNS.


They don’t even have full IP rights to their database, since they scraped most of it off of the Internet.


Different cause from the Rogers Canada outage, but same results: They didn’t/couldn’t shut down their wireless network, which would have freed phones to make emergency calls via any available provider. (It’s possible to do that with a dive into the phone configuration, or yank the SIM, but who wants to do that in an emergency?)


I’m waiting with bated breath for the leak that lets us know what really happened at Rogers.

Edit: Not that reasonably well informed speculation doesn’t exist. cough BGP uk-fup cough

The un-redacted parts of Rogers’ explanation do point to BGP.

Rogers said coding from the update deleted a routing filter that “allowed for all possible routes to the Internet to pass through the routers,”

The Canadian House of Commons Industry Committee is meeting on the topic today (July 25), if you have the patience for the high level waffling and political posturing.


Apple’s internet traffic took an unwelcome detour through Russian networking equipment for about twelve hours between July 26 and July 27.

[…]


These people need many solid hits from a LART or Wouff-Hong.


A developer says he was able to run his own software on his car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

[…]

“The script hinted at RSA signing being used, but unfortunately the key used for that was not in the source code,” Feldman explained in a blog post back in May that was brought to our attention by a reader this week.

“Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF],” he added.

[…]


Ha! Someone put the sample key in to get the app running, but didn’t put an #IF DEBUG block around it to keep it out of the release code.

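The failure described above, a published NIST example key shipped as a production secret, is cheap to catch in code review or CI. The Python check below is an added example, not code from the article, the developer’s blog, or the vehicle’s software; it scans source text for the AES test-vector keys printed in NIST SP 800-38A and FIPS-197 (public values by definition), and the build script it runs on is constructed for illustration.

```python
import re

# Published example keys that must never appear as production secrets.
# These are the public test vectors from NIST SP 800-38A (Appendix F) and
# FIPS-197 (Appendix C); anyone can look them up, so they provide no secrecy.
KNOWN_EXAMPLE_KEYS = {
    "2b7e151628aed2a6abf7158809cf4f3c": "NIST SP 800-38A AES-128 example key",
    "000102030405060708090a0b0c0d0e0f": "NIST SP 800-38A example IV / FIPS-197 AES-128 key",
    "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b": "NIST SP 800-38A AES-192 example key",
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4": "NIST SP 800-38A AES-256 example key",
}

# A run of at least 16 byte-sized hex tokens, written as a bare hex string,
# as 0x.. literals, as \x.. escapes, or separated by spaces/colons/commas.
HEX_RUN = re.compile(r"(?:(?:\\x|0x)?[0-9a-fA-F]{2}[\s,:\-]*){16,}")


def normalize(run: str) -> str:
    """Reduce any of the supported spellings to one lowercase hex string."""
    run = re.sub(r"\\x|0x", "", run)
    return re.sub(r"[^0-9a-fA-F]", "", run).lower()


def find_example_keys(source: str):
    """Return (line_number, key, description) for each known example key found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in HEX_RUN.finditer(line):
            blob = normalize(match.group(0))
            for key, desc in KNOWN_EXAMPLE_KEYS.items():
                if key in blob:
                    hits.append((lineno, key, desc))
    return hits


# Constructed sample of the kind of script the article describes: a CBC key
# and IV pasted straight out of the NIST examples, in two common spellings.
SAMPLE_SCRIPT = '''
AES_KEY = "2b7e151628aed2a6abf7158809cf4f3c"   # looks random, is not
AES_IV  = bytes([0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f])
HMAC_KEY = "9f8c1d2e3b4a5f6e7d8c9b0a1f2e3d4c"   # constructed, not a published vector
'''

if __name__ == "__main__":
    for lineno, key, desc in find_example_keys(SAMPLE_SCRIPT):
        print(f"line {lineno}: {key} is the {desc}")
```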

tl;dr: 1,900 Signal accounts hacked via registration mechanism and SMS, 3 actual targets, no personal data revealed thanks to good design, all affected have been notified. Turn on Settings → Accounts → Registration Lock.


In this case, a feature!
