
Posts

More Fun With PCI

I received a notification from a large security auditing firm that of the ciphers currently available, only RC4 ciphers will be considered PCI compliant. My assumption based on the notification is that this move is intended as a rejection of CBC (Cipher Block Chaining). Well, that's fine as far as I am concerned. CBC has some serious issues as implemented in SSL v3 / TLS v1.0. In a nutshell, you can time responses for applications using the block cipher to get ranges of possible data in SSLv3 and partial payload decryption in TLS. So-called "stream" ciphers like RC4 are immune to this particular attack vector. You don't get private keys from the attack, it's by no means a fast attack (minimum of three hours), and you need access to monitor the session. Further, patches for CBC exist to override the timing exploit (for example the NSS libraries used by Mozilla have been patched). I will save debunking the man in the middle hysteria for a later post. What frustrate

A Modest Proposal

We're all grown-ups here. Can we agree to never say "app" in polite conversation ever again? I have trouble conceiving of another term that is more likely to make you look like a buffoon ("Social Media Guru" is a close second). Let's all have a bit of dignity and speak like we were taught to do so in schools and not marketing meetings. ლ(ಠ益ಠლ)

Disable Display_Errors in Production

It's a simple message, but worth repeating. Yesterday I came across the website of a major internet security firm making a few first-day-on-the-job mistakes. While I am not going to "out" them before contacting them directly, what they did is silly enough that it warrants a bit of discussion in the abstract. Display_errors was enabled in their web server's php.ini. As a result, a few helpful messages were displayed briefly at the top of several pages on the site:

1. The name of the database
2. The name of the table in use by that page
3. A list of every column in that table
4. An error indicating that the table is exceeding its maximum allowable size of 4GB

The site collects information about its users - IP address, browser info, referrer, etc. - and stores that information to a table in a MySQL database - we know from the error itself that the database is running on a server using a 32-bit operating system. With the structure of the database, we have everything we

Activating Windows Server 2012 GUI after Installing Server Core Only

[This article deals with issues with installing the 2012 GUI from Server Core. Do you need help with activating your license key? If so, try this article instead.] Update: James Stephan, currently Senior Analyst with Dell Health Services, was kind enough to point out to me that I had neglected to mention this procedure will only function with fully licensed versions of Windows Server 2012. If you have downloaded and installed the free edition of Windows 2012 Server Core, you cannot activate the GUI. For quite a bit of detailed information specific to the free edition of 2012 Server Core, follow this link to James' blog. So I just started playing with Server 2012. Right out of the gate, I encountered issues on installing to a hard drive with a pre-existing Windows 7 installation. I nuked the partitions during the install, however when trying to install the full server GUI, I got a "Windows component cannot be found" error. I believe this was the result of the instal

Kaspersky, I Hardly Knew Ye

A few months ago, Noah Shachtman of Wired published an in-depth series of interviews with Eugene Kaspersky, owner of Kaspersky Lab. I realize this is an older issue, but it's still worth checking out. Schneier was late to the party, too, so I don't feel bad. First off, read the Wired article: Russia’s Top Cyber Sleuth Foils US Spies, Helps Kremlin Pals. Then give Eugene's response a quick read: http://eugene.kaspersky.com/2012/07/25/what-wired-is-not-telling-you-a-response-to-noah-shachtmans-article-in-wired-magazine/ Then read the response to the response: http://www.wired.com/dangerroom/2012/07/kaspersky-indy/ How do you feel about your computers being owned by the Kremlin? Is it a refreshing change of pace from having your computers owned by the Pentagon/Home Office/Mossad?

Lol, Equity

Is anyone else scratching their heads about this HostGator / EIG acquisition? Accel-KKR has nice credit but $225 million feels like .com money, even for an established middle market. Maybe it makes sense for all the useless hardware that comes with it, I don't know. If anyone wants to enlighten a financial n00b shoot me an email.