there is a mac fan/blogger out there who owes some serious apologies to the security community. apple has finally released the patches and details about the flaw. In an attempt to cover it’s A the company states “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.” Good call, thanks for fueling countless debates and then silently releasing this.
How bad is it? According to the recently released advisory, bad. real bad.
“Impact: Attackers on the wireless network may cause arbitrary code execution”
According to a news report “Christopher Soghoian, a 25-year-old doctoral student in Bloomington, had said the boarding pass generator he created was intended to illustrate flaws in airport security.
The FBI investigated and determined there were no federal violations, said Wendy Osborne, a spokeswoman for the FBI’s Indianapolis office.”
I’ll have more to say about this later but for now let’s just say that it is good that
1) He received his equipment back. The early days of FBI raiding hackers meant 5 years before equipment was returned
2) The politician who called for his arrest recanted
3) This security researchers name has been cleared
I’m helping put together an event this Friday as well called Digital Disobedience! It is an event on Cyberactivism and Culture Jamming this Friday where we’ll explore the interplay between digital technologies, activism, and the ability to modify and critique cultural institutions.
Digital Disobedience
Cyberactivism and Culture Jamming
Fri., Dec 1, 6pm
Science Center 110, Harvard University
The format will be interactive. We’ll first have short presentations from each of the speakers, then we’ll break up into groups that will discuss ideas, issues, and projects with each of the presenters. We may even venture off to do some culture jamming ourselves afterwards.
While figuring out just how I will securely install wireless in my apt I came up with an idea. I wanted to blog it so I couldn’t weasel out of it later. The idea I had was based on some suggestions from Dragorn (the guy who wrote Kismet) which is to allow open access to the wifi and halt traffic at an internal firewall. Once you get to the internal firewall vpn is used to grant access to the internet and other internal machines.
the WF PSA project I came up with was simple. Set up a fake daemon to answer all the requests I will inevitably get on pop3 and imap when users try to check their email over my WiFi. The daemon would accept the user and pass and tell them there is one message in their mailbox. The message would have their username and password in it along with a warning that sending such things in cleartext on other peoples WiFi is not a good idea. Maybe some links to FAQs about these things. other possible protocols include IM or anything else requiring a password.
I’m looking into Karma and madwifi as basic building blocks for this project and building on an ancient P133 desktop I have.
Full of turkey (or unTurkey) and want to get out and meet other infosec professionals? I confirmed with our awesome host the Enormous Room that we have use of the upstairs area November 29th from 6pm – 9pm. So please come out and meet up with other infosec professionals in the Boston area. If you came out on the 15th please let me know and the first beer/whatever is on me.
Due to unforeseen circumstances the third ever BeanSec! event is going to be moved to a later date. Likely sometime this month. Stay tuned while Chris, Chris, and I come up with a new plan!
The Software may not be disassembled, decompiled, reverse-assembled, or otherwise translated (except to the extent required to obtain interoperability with other independently created software).
found in a software license agreement with the University.
Everyone’s favorite Boston Security event is coming back to the Enormous Room on November 15th. That’s Wednesday from 6pm to sometime around 9pm or so. This event is also doubling as a birthday party for yours truly and I will likely stay late into the night. (Dave G, this is the one you should come to Boston for!)
I have been helping out with a research project by Berkman fellow Derek Bambauer and Phil Malone on the extent to which US law and security research interact. One of the elements the paper needed was a worst case scenario where using the law to cover up a product flaw would harm society at large. The general consensus was that the Diebold scandel was perhaps the best known example to date. And for those who doubt this claim I provide the following video.
note: I am not a fan of embedding media in my blog and this is a one time event. Don’t get used to it :)
