
Posts

Independent Researcher Discovers Yawning Hole in GroupMe

Clever hacker and all-around cool guy Dylan Saccomanni viciously pwn'd the popular messaging application GroupMe last week. The exploit allowed an attacker to sign up for a new account using the phone number of an existing user. The only verification required at that point was a four-digit PIN, which has just 10,000 possible values and could easily be brute-forced. To their credit, GroupMe responded rapidly to Saccomanni's report and the issue appears to have been resolved.

Australian Department of Human Services Releases an Auth Mechanism Called PLAID and it Stinks

Recently a division of the Australian Department of Human Services released an authentication mechanism to secure smart card transactions. They named their creation Protocol for Lightweight Authentication of Identity, or PLAID. The plan was to allow other Australian government agencies to use the auth protocol for free. Feeling very sure of themselves, Australia's DHS released the protocol for inspection. A group of cryptographers from two universities stepped up to do the deed. The Information Security Group of Royal Holloway, University of London was one such school. Representing the Continent was Cryptoplexity of Technische Universität Darmstadt, Germany. And do the deed they did. As it turns out, PLAID is a lemon. It does just about everything wrong. It implements an RSA encryption function poorly, which is a bit suspicious given RSA's recent history with that Five Eyes intelligence service from the Western hemisphere we all love to hate, the NSA. Beyond that, the function i

Systemd - The Hungriest Daemon

I'm not sure who made this but it's pretty funny.

Private Data vs Public Data

Five years ago, someone by the name of Hacker Croll acquired a large amount of sensitive internal corporate documents from Twitter employees. Hacker Croll took 310 of these documents and sent them to the website TechCrunch. TechCrunch decided to use the information, publishing a series of stories based on the documents and on the reactions of Twitter and of TechCrunch's readers to the release. The documents themselves were not all that terrible. Twitter, it seems, is not an internet Enron. The release of the documents did not result in any serious consequences for Twitter: no flight of investment, no investigations, no indictments. TechCrunch summarized the contents of the documents as "executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs." For a crooked company such documents would be an absolute disaster. But few outside of the Internet and journalism industries noticed what happened.

Programming in C - Before We Get Started

Recently I have been spending quite a bit of time learning how to program in C. It has been quite a few years since I have had anything to do with C, having spent most of my time in a very different OSI layer entirely. Even when I did come across it some time ago, I was never anything but barely competent; this ignorance on my part has always disturbed me, and so I have endeavored to do something about it. Currently I am taking a few computer science classes at Harvard University; it is my plan to summarize a portion of what I have taken from those classes concerning the C programming language here on my website for readers who are interested. For readers with an advanced knowledge of C, these posts could be viewed as refresher courses. The content, although filtered through my humble brain, will be entirely the result of knowledge acquired through Harvard, so my hope is that even for the experienced C hacker there may be something of interest.

Scratch from MIT & Back to School

As time goes on, knowing how to write in a programming language is becoming less of an odd and obscurantist lifestyle choice and more of a necessity for gainful employment. Already, anyone wanting to pursue a career in the hard sciences will find themselves either developing or working with custom applications. But even entry-level and intern positions frequently have a "please help us with our website / CMS / database" component to them. The trouble is, people are terrified of code; even very smart people. It looks like Ancient Greek. For students of Ancient Greek it looks like Farsi. For Persian students of the Asiatic classics it looks like, err, English, probably. My point is that going from using the internet for Facebook to using the internet for pull requests on GitHub has a very steep learning curve. So steep that most people fall right the hell off the curve. Enter Scratch. Scratch is a block-based visual programming language developed by the Sma

Massive Critical Patch Update Released by Oracle Impacting Most Versions of MySQL

Oracle has released a Critical Patch Update covering a long list of Oracle products. For MySQL specifically, the update purports to resolve a multitude of vulnerabilities, some of which allow remote exploitation without authentication, and it impacts nearly all versions of the database software. Oracle provided the following Risk Matrix to their MySQL customers, which lists the CVE number of each vulnerability, the component it affects and a number of other details. I've included a copy of that Matrix for readers to review below. As the reader can clearly see, the risk for unpatched MySQL users is huge. A total of 154 vulnerabilities are addressed with this update, 24 of them in MySQL. Some of these vulnerabilities reach a forehead-slapping CVSS score of 9.0 (just one point beneath the 10.0 given to the recent Shellshock bash vulnerability). I highly advise anyone using MySQL or any Oracle product, including Java, to update their software immediately.
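The first thing a MySQL operator wants from a bulletin like this is a yes/no answer to "am I below the fixed release?". The following added helper (mine, not Oracle's tooling) parses the version strings MySQL actually reports, including distribution suffixes, and compares them as integer tuples rather than as text, which is where ad-hoc checks go wrong ("5.6.9" sorts after "5.6.21" as a string). The fixed-version table and the sample banners are constructed for illustration; take the real fixed versions for each branch from Oracle's risk matrix.

```python
"""Added example: decide whether a reported MySQL version predates the fixed
release for its branch. Not Oracle's tooling; fixed versions are placeholders."""
import re

# ASSUMPTION: per-branch minimum fixed versions. Replace with the values from
# the Critical Patch Update risk matrix before relying on this.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, int, int]] = {
    (5, 5): (5, 5, 40),
    (5, 6): (5, 6, 21),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from SELECT VERSION() or `mysqld --version`.

    Handles strings such as '5.5.38-0ubuntu0.14.04.1', '5.6.20-log' and
    'mysqld  Ver 5.6.20 for Linux on x86_64 (MySQL Community Server (GPL))'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def needs_patch(banner: str,
                fixed_by_branch: dict[tuple[int, int], tuple[int, int, int]] = FIXED_BY_BRANCH
                ) -> bool:
    """True if the server is older than the fixed release for its branch.

    A branch absent from the table is reported as needing attention rather
    than silently assumed safe (it may be end-of-life and unpatched).
    """
    version = parse_mysql_version(banner)
    fixed = fixed_by_branch.get(version[:2])
    if fixed is None:
        return True
    return version < fixed


def triage(banners: dict[str, str]) -> dict[str, bool]:
    """Map host name -> needs_patch for a batch of collected version banners."""
    return {host: needs_patch(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered with `SELECT VERSION()` over SSH.
    inventory = {
        "db-01": "5.5.38-0ubuntu0.14.04.1",
        "db-02": "5.6.21-log",
        "db-03": "mysqld  Ver 5.6.9 for Linux on x86_64 (MySQL Community Server (GPL))",
        "db-04": "5.1.73",
    }
    for host, needed in triage(inventory).items():
        print(f"{host}: {'PATCH NOW' if needed else 'ok'}")
```

Note that a version check only tells you whether Oracle's fix is present; distribution vendors sometimes backport fixes without bumping the upstream version, so for packaged builds cross-check the package changelog as well.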